Documentation for SAM

Prerequisites

  • Snort set up and logging to a MySQL database.
  • Access to the MySQL database (username/password) where SAM is logging.
  • Java Virtual Machine (1.3+) installed where SAM will run.

Installation

  1. Download the binary version with a compression type that your computer can understand (i.e. *.zip for Windows and *.tar.gz for *nix, including Mac OS X).
  2. Unzip or untar the binary version where you want the application to reside.

Configuration

  1. Navigate to the directory where you uncompressed SAM.
  2. From the SAM base directory go to the conf directory.
  3. Inside the conf directory open up the 'sam.properties' file in your favorite text editor.
  4. Make any necessary changes to this file. The items you will be most interested in initially are probably the email variables (email.host, email.from, email.to, email.active). By default these variables are set up for lookandfeel new media and for email alerts to not be emailed; change the values to reflect your environment.
       • email.to may contain multiple email addresses separated by commas. Make sure there are no spaces between the addresses.
       • email.active must be changed from 'email.active=false' to 'email.active=true' or SAM will not send emails. SAM only sends email alerts upon going red (alertlevel.high); this will be a configurable option in the future.
       • alertlevel.medium and alertlevel.high control how many alerts in a 5 minute period it takes to go to the medium alert level and the high alert level respectively.
       • mainpanel.refresh (default 'mainpanel.refresh=3') is the number of minutes to wait before refreshing the main display (stoplight, graphs, etc.). This should be a number between 1 and 5, although this isn't enforced (yet).
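Because SAM does not (yet) enforce the constraints described above, a small pre-flight check of sam.properties can catch the common mistakes before the application is started. The following is an added example, not code from SAM itself; the sample file contents and the mail-address pattern are constructed for illustration, and the key names are the ones documented above.

```python
import re

# Constructed sample of a sam.properties file with several of the mistakes
# described in the configuration step (not the file shipped with SAM).
SAMPLE_PROPERTIES = """\
# constructed sample; values are illustrative
email.host=mail.example.com
email.from=sam@example.com
email.to=soc@example.com, oncall@example.com
email.active=false
alertlevel.medium=50
alertlevel.high=20
mainpanel.refresh=10
"""

REQUIRED_KEYS = ("email.host", "email.from", "email.to", "email.active",
                 "alertlevel.medium", "alertlevel.high", "mainpanel.refresh")


def parse_properties(text):
    """Parse key=value lines; '#' and '!' start comments, as in Java .properties files."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def validate(props):
    """Return a list of problems found; an empty list means the file looks usable."""
    problems = [f"missing key: {key}" for key in REQUIRED_KEYS if key not in props]

    # email.to: comma-separated addresses with no spaces between them.
    to = props.get("email.to", "")
    if " " in to:
        problems.append("email.to contains spaces; use addr1,addr2 with no spaces")
    else:
        for addr in to.split(","):
            # Deliberately simple address shape check (assumed, not SAM's own rule).
            if addr and not re.fullmatch(r"[^@\s,]+@[^@\s,]+\.[^@\s,]+", addr):
                problems.append(f"email.to entry is not an address: {addr!r}")

    # email.active must be literally true or false.
    if props.get("email.active") not in ("true", "false"):
        problems.append("email.active must be 'true' or 'false'")

    # Numeric settings: thresholds must be positive and medium must sit below high.
    ints = {}
    for key in ("alertlevel.medium", "alertlevel.high", "mainpanel.refresh"):
        try:
            ints[key] = int(props.get(key, ""))
        except ValueError:
            problems.append(f"{key} must be an integer")
    if "alertlevel.medium" in ints and "alertlevel.high" in ints:
        if ints["alertlevel.medium"] <= 0 or ints["alertlevel.high"] <= 0:
            problems.append("alertlevel thresholds must be positive")
        elif ints["alertlevel.medium"] >= ints["alertlevel.high"]:
            problems.append("alertlevel.medium must be lower than alertlevel.high")

    # Refresh interval: documented as 1..5 minutes, but SAM does not enforce it.
    if "mainpanel.refresh" in ints and not 1 <= ints["mainpanel.refresh"] <= 5:
        problems.append("mainpanel.refresh should be between 1 and 5 minutes")
    return problems


if __name__ == "__main__":
    for problem in validate(parse_properties(SAMPLE_PROPERTIES)):
        print("WARNING:", problem)
```

Run it against the real conf/sam.properties by reading that file into `parse_properties` instead of the embedded sample; the three warnings the sample produces (spaces in email.to, thresholds in the wrong order, refresh out of range) are exactly the cases the configuration step above asks you to watch for.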

Running

  1. After the installation and configuration steps have been completed navigate to SAM's base directory.
  2. If your machine supports executable jar files you should be able to double-click the jar file and SAM will start. If your machine does not support executable jar files, open a command prompt, cd into the sam directory and execute the following command (if java is not in your PATH, enter the full path to the java executable):
        java -jar sam.jar
  3. After SAM is started you should see two windows. The top window is where you will need to provide the database connection info. The lower and larger window is the main SAM window, which will not become active until you provide the proper login credentials for the database. To log in you need the following information:
       1. Database <- This is where you will select the type of database you are connecting to. Currently only MySQL is implemented, although there may be other choices.
       2. Hostname <- The hostname of the machine where the Snort database resides.
       3. Database Name <- The database name that was used when the Snort database was set up.
       4. Username <- A username that has read access to the Snort database.
       5. Password <- The password for the username entered above.
  4. After you have successfully logged in you should see the words Database Connected at the bottom of the main screen, and in a few seconds (depending on the speed of your database) you should see the stoplight change colors and all of the windows should be populated. If something goes wrong, click on the 'SAM log' tab for hints as to what might be wrong.
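The stoplight described above is driven by the number of Snort alerts logged in the last 5 minutes compared against alertlevel.medium and alertlevel.high. The following added example (not SAM's code) shows that logic end to end: it counts recent rows in the Snort `event` table and maps the count to a colour. The column subset of the `event` table (sid, cid, signature, timestamp) is assumed from the classic Snort database schema, the page does not describe it; an in-memory sqlite3 database with constructed rows stands in for the MySQL server so the example runs offline, and the equivalent MySQL predicate is noted in a comment.

```python
import sqlite3
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # SAM's alert counting period


def stoplight(alert_count, medium, high):
    """Map a 5-minute alert count to the stoplight colour using the
    alertlevel.medium / alertlevel.high thresholds from sam.properties."""
    if alert_count >= high:
        return "red"
    if alert_count >= medium:
        return "yellow"
    return "green"


def alerts_in_window(conn, now):
    """Count rows of the Snort 'event' table whose timestamp lies inside the
    last five minutes. Written for sqlite3 here; in MySQL the predicate would be
    `timestamp > NOW() - INTERVAL 5 MINUTE`. Only SELECT is needed, which is why
    a read-only database user is sufficient for SAM."""
    since = (now - WINDOW).strftime("%Y-%m-%d %H:%M:%S")
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM event WHERE timestamp > ?", (since,)
    ).fetchone()
    return count


def build_sample_db(now):
    """Constructed in-memory stand-in for the Snort MySQL database
    (assumed column subset of the classic Snort 'event' table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT)"
    )
    fmt = "%Y-%m-%d %H:%M:%S"
    rows = []
    # 30 constructed alerts inside the window, 9 seconds apart (newest first).
    for cid in range(1, 31):
        ts = now - timedelta(seconds=9 * cid)
        rows.append((1, cid, 1000 + cid % 3, ts.strftime(fmt)))
    # 15 constructed alerts older than the window; these must not be counted.
    for cid in range(31, 46):
        ts = now - timedelta(minutes=6, seconds=cid)
        rows.append((1, cid, 1000 + cid % 3, ts.strftime(fmt)))
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def current_colour(conn, now, medium, high):
    """One refresh cycle: count the recent alerts and return the stoplight colour."""
    return stoplight(alerts_in_window(conn, now), medium, high)


if __name__ == "__main__":
    now = datetime.now()
    conn = build_sample_db(now)
    print("alerts in last 5 minutes:", alerts_in_window(conn, now))
    print("stoplight (medium=20, high=50):", current_colour(conn, now, 20, 50))
```

With the constructed rows the count is 30, which is yellow for thresholds of 20/50 and red for 10/25; the fifteen older rows are excluded by the timestamp predicate, which is the part worth checking when the stoplight stays green although Snort is clearly logging (a sensor whose clock is skewed relative to the database host will put its events outside the window).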