Snort & IDS Center


Snort & IDScenter
60-564: Security and Privacy on the Internet
Instructor: Dr. A. K. Aggarwal
Presented By: Tarik El Amsy, Lihua Duan
Date: March 29, 2006
What is IDScenter
IDScenter is a graphical front-end for Snort on Windows platforms (recommended: Windows NT4/2000/XP).
IDScenter provides a friendly interface for Snort users.
With some knowledge of Snort, IDScenter helps users with configuration and provides management features.
Features of IDScenter
Snort 1.7, 1.8, 1.9, and 2.x Support
Snort configuration wizard
Online updates of IDS rules
Ruleset editor for all Snort rule options
HTML report from SQL backend
Execution of program on attack detection
Good alerting tools, including mail, Windows event log and standard DB logging.
Experiment Architecture and Scenarios
Home net address: 172.16.1.0/24
External net address: 137.207.234.0/24
Diagram components: Hub, Router, NIDS, Target, Attacker
NIDS server configuration
CPU: AMD64 Opteron
Memory: 512M
Hard Disk: 8 GB
Operating System: Windows 2000 Advanced Server
IP Address: 172.16.1.1
Installed Software:
Snort 2.4.3
IDScenter 1.1 RC4
WinPcap 3.1
Ethereal 0.10.14
Target server configuration
CPU: AMD64 Opteron
Memory: 512M
Hard Disk: 8 GB
Operating System: Windows 2000 Advanced Server
IP Address: 172.16.1.2
Installed software:
Ethereal 0.10.14
WinPcap 3.0 alpha 4
Packet Excalibur 1.0.2 (packet generator)
Web server, Telnet, SNMP, FTP, etc.
Attacker server configuration
CPU: AMD64 Opteron
Memory: 512M
Hard Disk: 8 GB
OS: Windows 2000 AS
IP Address: 137.207.234.252
Installed software:
WinPcap 3.0 alpha 4
Packet Excalibur 1.0.2 (packet generator)
Web server, Telnet, SNMP, FTP, etc.
Installing WinPcap
WinPcap (Windows Packet Capture Library) is a packet-capture driver. Functionally, this means that WinPcap grabs packets from the network wire and pitches them to Snort, Ethereal and WinDump.
Download WinPcap_3_1_auto-installer.exe to local disk from http://www.winpcap.org/install/default.htm and run it.
Should be installed on hosts: NIDS, Attacker, Target
Installing Ethereal
Ethereal® is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. Ethereal is one of the best graphical packet sniffers. Its graphical interface makes it easy to use and its long list of features makes it very powerful for analyzing network traffic.
Download and run ethereal-setup-0.10.14.exe, or any later version, from the Ethereal website: http://www.ethereal.com/download.html
Installing Packet Excalibur
A multi-platform freeware, graphical and scriptable network packet engine with extensible text-based protocol descriptions.
Needed to craft the sample attacks and generate those packets on the network during Snort testing.
Download the Packet Excalibur Windows installer, version 1.0.2, from http://www.securitybugware.org/excalibur/PacketExcalibur_1.0.2_win32.exe. It will also install WinPcap 3.0a.
Should be installed on: Attacker, Target
Packet Excalibur Demo
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"Rule 4 RPC portmap listing TCP 111"; content: "|00 01 86 A0|"; reference: arachnids,428; sid: 598; rev: 11; classtype: rpc-portmap-decode; flow: to_server,established;)
Installing Snort
Download SNORT ver 2.4.3
Install directory c:\snort
Default logging database option
To test the installation and make sure it is running:
C:\snort\bin\snort -v
This runs Snort in sniffer mode; you should see the packets passing on the network captured by Snort.
Installing IDScenter
Download IDScenter.zip (1.1 RC4, 04.08.2003) from
http://www.engagesecurity.com/downloads/#IDScenter
Unzip the downloaded file to obtain setup.exe, then run it to start a simple, default installation.
Configuring Snort
Change the settings in the Snort configuration file snort.conf under the c:\snort\etc folder.
Use any text editor to edit the following:
Network settings
Preprocessors
Output settings
Rules settings
Configuring Network settings
Snort uses variables in configuring the rules.
When you write $ followed by a variable name, the value of that variable is substituted.
This lets you define different network ranges and subnets and simplifies rule editing and customization.
We added the following variables to snort.conf file
var HOME_NET 172.16.1.0/24
var EXTERNAL_NET any
var DNS_SERVERS 172.16.1.2/32
var SMTP_SERVERS 172.16.1.2/32
var HTTP_SERVERS 172.16.1.2/32
var SQL_SERVERS 172.16.1.2/32
var TELNET_SERVERS 172.16.1.2/32
var HTTP_PORTS 80
var RULE_PATH c:\snort\rules
Configuring Preprocessors
Configure the http_inspect preprocessor
This preprocessor allows Snort to decode HTTP web traffic and analyze it for specific URI contents.
Setting in snort.conf file:
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 }
Configuring Output settings
Outputting alerts to a file-based log called alert.ids
Setting in snort.conf file:
output alert_fast: alert.ids
config logdir: c:\snort\log
Configuring Rules settings
Create a file called project.rules in the c:\snort\rules folder.
The file contains the rules for the 10 selected attacks.
Remove the normal rule file settings from the config file and add only project.rules (the include keyword is lowercase and variable names are case-sensitive, so it must match the RULE_PATH defined above):
include $RULE_PATH/project.rules
Sample Rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"Rule 4 RPC portmap listing TCP 111"; content: "|00 01 86 A0|"; reference: arachnids,428; sid: 598; rev: 11; classtype: rpc-portmap-decode; flow: to_server,established;)
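As an added illustration (not code from the slides, from Snort or from IDScenter), the Python below models how Snort evaluates the sample rule above against a single packet: it resolves the $HOME_NET / $EXTERNAL_NET variables from the network settings section, decodes the |..| hex content and checks both the rule header and the payload. The SNORT_VARS table is copied from the slides' snort.conf, the packet in the demo is constructed, and the 'flow' option (which needs stream state) is not evaluated.

```python
import ipaddress
import re

# Network variables as set in the slides' snort.conf (copied from the page).
SNORT_VARS = {"HOME_NET": "172.16.1.0/24", "EXTERNAL_NET": "any"}

# The slides' sample rule: sid 598, RPC portmap listing on TCP 111.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"Rule 4 RPC portmap '
        'listing TCP 111"; content: "|00 01 86 A0|"; reference: arachnids,428; '
        'sid: 598; rev: 11; classtype: rpc-portmap-decode; flow: to_server,established;)')

def parse_rule(rule):
    """Split a Snort rule into its header fields plus an option dictionary."""
    head, _, opts = rule.partition("(")
    action, proto, src, sport, _, dst, dport = head.split()
    options = {}
    for key, val in re.findall(r'(\w+)\s*:\s*("[^"]*"|[^;]*);', opts):
        options[key] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, **options}

def content_to_bytes(spec):
    """Decode a Snort content string: literal text outside |...|, hex bytes inside."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(spec.split("|")))

def addr_matches(spec, ip):
    """Resolve $VAR, honour 'any' and a leading '!' negation, then test CIDR membership."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        spec = SNORT_VARS[spec[1:]]
    if spec == "any":
        return True
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)) != negate

def rule_matches(rule, src_ip, src_port, dst_ip, dst_port, payload):
    """Header plus content check on one packet. The 'flow' option needs TCP stream
    state from the stream4 preprocessor and is deliberately not modelled here."""
    r = parse_rule(rule)
    return (addr_matches(r["src"], src_ip) and r["sport"] in ("any", str(src_port))
            and addr_matches(r["dst"], dst_ip) and r["dport"] in ("any", str(dst_port))
            and content_to_bytes(r["content"]) in payload)

if __name__ == "__main__":
    # Constructed packet from attacker 137.207.234.252 to target 172.16.1.2:111 whose
    # payload carries the portmapper program number 100000 (0x000186A0).
    payload = b"\x00" * 8 + b"\x00\x01\x86\xa0"
    print(rule_matches(RULE, "137.207.234.252", 1234, "172.16.1.2", 111, payload))  # True
```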
IDScenter Configuration
IDScenter consists of the following menus: General, Wizards, Logs, Alerts, ...
General Menu
Apply: apply and save the configuration (after setting all the options needed in IDScenter)
Start Snort: starts Snort in console mode or service mode
View alerts: opens the log viewer
Test settings: after configuration you can test the settings by clicking this button
Reload: reloads the configuration
Reset alarm: stops the alarm sound
General Menu
There are two modes to set up Snort with IDScenter:
- Snort console mode
- Snort service mode
The advantage of service mode is that Snort can monitor your network constantly, even when you're logged off.
General / Configuration
Select snort version to run
Select Process priority
Select options (Service mode /snort console /auto restart )
Select log folder path and file name
General / Snort Options
Set the configuration file. This is usually "snort.conf" in the "etc" folder where Snort was installed (e.g. "C:\Snort\etc\snort.conf").
You can find a pattern in the configuration file by typing it into the edit box and clicking the search button.
You can set an external editor for editing the Snort configuration file.
General Activity Log
In this panel IDScenter displays events
You can enable/disable event logs
You can select which events are monitored
You can have the activity log purged automatically
Clear log: clear the logging entries
General / Overview
In this panel IDScenter displays errors. If an error occurs when you click Apply, you'll be informed here.
An overview of the activated alert features is shown here.
"Copy to clipboard": copies the Snort command line to the clipboard.
Wizards Menu
The Wizards menu has several wizards which help with configuring Snort. It has the following:
Network Variables wizard
Preprocessor Wizard
Output plugin Wizard
Rules/Signatures Wizard
Online Update Wizard
Wizards / Network Variables
Helps to set the variables used in rule files
You can:
Add a new variable
Edit an existing variable
Delete a variable
Wizards / Preprocessors
Here you can select and configure the preprocessors used by Snort:
Stream4 and Frag2 pane (enables Snort to defragment packets and perform stateful inspection)
Protocol Preprocessor pane (protocol decoders such as HTTP decode, Telnet, RPC decode, etc.)
PortScan Detection pane
Miscellaneous pane (ARP spoof and other unsupported preprocessors)
Wizards / Output Plugins
There are many small wizards in this panel which will help you to
configure the output plugins of Snort.
Wizards / Rules Wizard
The ruleset wizard will help you maintain a good ruleset. This is the "include" part of the Snort configuration file.
First select a classification configuration file, by default "classification.config".
Select the reference configuration file, by default "reference.config".
Activate/deactivate the rule files you want to use by checking/unchecking their boxes.
Open a ruleset in the ruleset editor:
Select a ruleset file
Click on "Ruleset editor"
Wizards / Rules Wizard
The ruleset editor lists all available rules in the file.
Add (and clone) new rules / delete rules
Edit a rule (select a rule and click on "Add/edit rule")
Activate/Deactivate the rules you want to use
Import additional rules into the ruleset (in Snort 2.x syntax)
Save the ruleset after modification
Rules Wizard / Editing a rule
The editor provides a front-end to all Snort 2.x rule features
It makes it easier to understand and modify any rule
You can also access online information for that rule
Wizard/ Online Update
The online update wizard is a front-end for configuring Oinkmaster (by Andreas Östling).
If you want to use this feature, you should download the EagleX package.
Logs/ Options Menu
This set of parameters (command-line parameters) will overwrite the settings in the Snort configuration file, if set.
Example: you set the output plugin "alert_full: alert.ids" ... and selected "Fast". In this case Snort will log using fast mode.
Select the interface Snort should monitor, if necessary.
Logs / Log Rotation
Log rotation will rotate the alert logs by compressing the files into ZIP packages and moving them to the Backup folder.
Alerts/ Detection
The alert alarm goes off when the monitored file/database has changed.
Select at least one alert detection mode:
File alert detection mode (up to 10 files monitored)
Add the files which should be monitored for changes (at least the alert log file set in the main configuration panel should be added.)
MySQL alert detection
Alerts/ Notification
Alarm sound: select a WAV file if you selected "Start alarm sound when an alert is logged".
Program execution: IDScenter will execute this program if an alert was logged (start a script that reconfigures your router, generate HTML pages of the alert log using an external program, etc.).
AutoBlock - plugin system (example: Network Ice & Black Ice). It allows you to block specific network traffic (mini firewall).
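As an added example that is not part of the slides or of IDScenter's own code, the Python below parses the alert_fast lines Snort writes to alert.ids (the output setting configured earlier), reports only the entries appended since the previous check (the file-change detection the Alerts/Detection panel performs) and hands them to a notification callback, as the Program execution option would. The alert lines, the remembered offset and the notify callback are constructed for the example.

```python
import re
from collections import Counter

# Shape of one alert_fast line in alert.ids (Snort 2.x):
# <mm/dd-HH:MM:SS.usec>  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src:port -> dst:port
FAST_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

# Constructed sample of alert.ids after the slides' sample rule (sid 598) fires twice.
SAMPLE_ALERT_IDS = (
    "03/29-14:05:12.123456  [**] [1:598:11] Rule 4 RPC portmap listing TCP 111 [**] "
    "[Classification: Decode of an RPC Query] [Priority: 2] {TCP} 137.207.234.252:1234 -> 172.16.1.2:111\n"
    "03/29-14:05:13.004321  [**] [1:598:11] Rule 4 RPC portmap listing TCP 111 [**] "
    "[Classification: Decode of an RPC Query] [Priority: 2] {TCP} 137.207.234.252:1235 -> 172.16.1.2:111\n"
)

def parse_fast_alert(line):
    """Parse one alert_fast line into a dict, or return None for anything else."""
    m = FAST_LINE.match(line.rstrip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def new_alerts(text, offset):
    """Return the alerts appended after character offset `offset`, plus the new offset.
    This mirrors IDScenter's file alert detection: a change in the log means new alerts.
    A file shorter than the remembered offset has been rotated or truncated, so rescan it."""
    if len(text) < offset:
        offset = 0
    fresh = [a for a in map(parse_fast_alert, text[offset:].splitlines()) if a]
    return fresh, len(text)

def dispatch(alerts, notify):
    """Aggregate new alerts per (sid, source) and call notify once per pair, the way the
    'program execution' hook would run a script; returns the counts for inspection."""
    counts = Counter((a["sid"], a["src"]) for a in alerts)
    for (sid, src), n in counts.items():
        notify(sid, src, n)
    return dict(counts)

if __name__ == "__main__":
    fresh, offset = new_alerts(SAMPLE_ALERT_IDS, 0)
    dispatch(fresh, lambda sid, src, n: print(f"sid {sid} from {src}: {n} alert(s)"))
    print(new_alerts(SAMPLE_ALERT_IDS, offset)[0])  # []  nothing new since the last check
```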
Alerts/ AlertMail
AlertMail can send administrator alerts by mail if Snort has detected an attack.
You can send a sample of the latest attacks in the email message as well as an attachment of the log file.
Example of received mail alert
Our Opinion
IDS Center is a very simple and easy to use configuration utility for Snort.
It has a very good graphical interface.
Provides a lot of add-on features for managing Snort.
Provides good alerting features.
It has some compatibility issues with the latest Snort version (especially preprocessors and the latest MySQL version).
It has no analysis features.
It still requires good knowledge of Snort IDS to configure.