
Simulation of IDS
by using
Activeworx Security Center (ASC)
and
Snort, MySQL, CommView
Presented by
Shamsul Wazed & Quazi Rahman
School of Computer Science
University of Windsor, On
March 29, 2006
Outline
Introduction
Snort
MySQL Server
CommView
Activeworx Security Center
IDS Simulation
Demonstration
Introduction
Intrusion Detection System (IDS)
Collects data from network traffic coming into a system
Tries to match it against known patterns of attack signatures
Blocks the matched data and logs the details of the attack into a database
Snort
A very popular open source IDS
Can be configured to run in Sniffer mode, Packet Logger mode or Network IDS mode
A number of Snort add-ons are available for monitoring Snort, analyzing results and writing Snort rules
Introduction
Simulation of IDS
The following tools and OS are used in this project:
Snort : Intrusion Detection System
MySQL : Database Server
CommView : Packet Generator & Sniffer
Activeworx Security Center (ASC) : Snort’s Add-on
.Net Framework : Additional software for ASC Desktop
Windows XP : Operating System
Snort

WinPcap
WinPcap must be installed before Snort can be used
The latest WinPcap version is 3.1 for Windows 95/98/ME/NT4/2000/XP/2003
WinPcap is free and can be downloaded from http://www.winpcap.org/install/default.htm
Download the executable file “winPcap_3_1.exe” (456 KB) and run it to install
Snort is an open source IDS
Can be configured to run in three modes:
Sniffer mode : Simply reads the packets off the network and displays them
    ./snort -vd
Packet Logger mode : Logs the packets to disk
    ./snort -dev -l c:\snort\log -h 192.168.1.100/24
Network IDS mode : Allows Snort to analyze network traffic for matches against a user-defined rule set and perform several actions
    ./snort -dev -l c:\snort\log -h 192.168.1.100/24 -c c:\snort\etc\snort.conf
Install Snort version 2.4.3, available at http://www.snort.org/dl/binaries/win32/
Download the executable file “Snort-243Installer.exe” (1.43 MB)
Select the “typical” installation, which installs Snort in the C:\Snort directory
Important files and their locations
Snort configuration file - C:\Snort\etc\snort.conf
Snort executable file - C:\Snort\bin\snort.exe
Snort log files - C:\Snort\bin\log\alert.ids and C:\Snort\bin\log\snort.log.<time>
Snort rules file (contains only the 10 rules used in this project) - C:\Snort\rules\local.rules
Snort Configuration :
The file snort.conf has to be edited before running Snort
The following steps can be taken to create a custom configuration:
Set the network variables
Configure preprocessors
Configure output plugins
Add any runtime config directives
Customize the rule set
We took the following steps to configure Snort:

Set the HOME_NET variable as
    var HOME_NET 192.168.1.100/24

Set the RULE_PATH variable as
    var RULE_PATH c:\Snort\rules

Uncommented the following lines:
    output alert_syslog: LOG_AUTH LOG_ALERT
    output log_tcpdump: snort.log
    include c:\Snort\rules\classification.config
    include c:\Snort\rules\reference.config

Changed the database output lines to:
    output database: alert, mysql, user=root password=wazed dbname=ids host=localhost
    output database: log, mysql, user=root password=wazed dbname=tcpdump host=localhost

Included only the rule set relevant to this project:
    include $RULE_PATH/local.rules

Commented out all other rule include lines
MySQL Server

Download MySQL Database Server 5.0 from http://dev.mysql.com/downloads/
Install MySQL Server
Configure MySQL Server:
Choose Detailed Configuration
Choose Dedicated Server
Choose Multifunctional Database
Configure network support
Change root password

MySQL Connector/ODBC
ODBC is a standardized API that allows connections to SQL
database servers.
ODBC usually is used when database independence or
simultaneous access to different data sources is required.
MyODBC 3.51 (installed in this project) is a 32-bit ODBC
driver, also known as the MySQL ODBC 3.51 driver and it is
available for download from:
http://dev.mysql.com/downloads/connector/odbc/3.51.html
March 29, 2006
22
Using MySQL
The following are some examples of how to use the different databases and tables with commands from the DOS prompt:
C:\mysql\MySQL Server 5.0\bin>mysql -u root -p
Enter password: *****
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 18 to server version: 5.0.18-nt
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| aef                |
| aw_aef             |
| aw_asc             |
| aw_fw              |
| ids                |
| mysql              |
| sebek              |
| syslog             |
| tcpdump            |
| test               |
| vuln               |
+--------------------+
12 rows in set (0.19 sec)
mysql> use ids;
Database changed

mysql> show tables;
+------------------+
| Tables_in_ids    |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)
mysql> describe event;
+-----------+------------------+------+-----+---------+-------+
| Field     | Type             | Null | Key | Default | Extra |
+-----------+------------------+------+-----+---------+-------+
| sid       | int(10) unsigned | NO   | PRI |         |       |
| cid       | int(10) unsigned | NO   | PRI |         |       |
| signature | int(10) unsigned | NO   | MUL |         |       |
| timestamp | datetime         | NO   | MUL |         |       |
+-----------+------------------+------+-----+---------+-------+
4 rows in set (0.19 sec)
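The event table keys every alert by sensor id (sid) and event id (cid) and points at a row of the signature table; the header tables (iphdr, tcphdr, ...) share the same (sid, cid) key. The Python below is an added example, not part of the presentation or of ASC: it rebuilds four of the sixteen tables in an in-memory SQLite database, loads constructed rows for the PC1/PC2 addresses used in the simulation, and runs the kind of joins that sit behind the ASC views shown later (List Events, Event Information for one rule sid, Top 10 IDS Destination). Column names follow the Snort database output plugin schema, but only the columns the queries need are included; the signature names, timestamps and events are constructed, and the function names are this example's own.

```python
import ipaddress
import sqlite3

# Subset of the Snort database schema: the four tables this example needs, with
# only the columns it uses (the real tables carry more). `event` matches the
# `describe event` output on the slides. Addresses are stored as 32-bit
# integers, as the Snort database output plugin does.
SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY,
    hostname  TEXT,
    interface TEXT
);
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY,
    sig_name     TEXT NOT NULL,
    sig_priority INTEGER,
    sig_sid      INTEGER      -- the rule's own sid, e.g. 382
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL REFERENCES signature(sig_id),
    timestamp TEXT    NOT NULL,
    PRIMARY KEY (sid, cid)
);
CREATE TABLE iphdr (
    sid      INTEGER NOT NULL,
    cid      INTEGER NOT NULL,
    ip_src   INTEGER NOT NULL,
    ip_dst   INTEGER NOT NULL,
    ip_proto INTEGER NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""


def ip2int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def int2ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


# Constructed sample data: one sensor (PC1 from the slides) and four alerts
# triggered by packets from PC2. The signature names are placeholders, not
# real Snort rule messages; only the rule sids 382 and 683 come from the slides.
SENSORS = [(1, "PC1", "2")]
SIGNATURES = [  # (sig_id, sig_name, sig_priority, sig_sid)
    (1, "CONSTRUCTED rule for sid 382", 3, 382),
    (2, "CONSTRUCTED rule for sid 683", 2, 683),
]
EVENTS = [  # (sid, cid, sig_id, timestamp, src, dst, proto)
    (1, 1, 1, "2006-03-29 14:05:01", "192.168.1.101", "192.168.1.100", 1),
    (1, 2, 1, "2006-03-29 14:05:02", "192.168.1.101", "192.168.1.100", 1),
    (1, 3, 2, "2006-03-29 14:05:07", "192.168.1.101", "192.168.1.100", 6),
    (1, 4, 2, "2006-03-29 14:05:09", "192.168.1.101", "192.168.1.102", 6),
]


def load_sample_db() -> sqlite3.Connection:
    """Create the schema in memory and insert the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensor VALUES (?, ?, ?)", SENSORS)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?, ?)", SIGNATURES)
    for sid, cid, sig, ts, src, dst, proto in EVENTS:
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)",
                     (sid, cid, ip2int(src), ip2int(dst), proto))
    return conn


def list_events(conn):
    """'List Events' style view: one row per alert with its rule and addresses."""
    rows = conn.execute("""
        SELECT e.sid, e.cid, e.timestamp, s.sig_sid, s.sig_name, i.ip_src, i.ip_dst
        FROM event e
        JOIN signature s ON s.sig_id = e.signature
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        ORDER BY e.timestamp, e.sid, e.cid
    """).fetchall()
    return [(sid, cid, ts, rule_sid, name, int2ip(src), int2ip(dst))
            for sid, cid, ts, rule_sid, name, src, dst in rows]


def top_destinations(conn, limit=10):
    """'Top 10 IDS Destination' style graph: alert count per destination address."""
    rows = conn.execute("""
        SELECT ip_dst, COUNT(*) AS n FROM iphdr
        GROUP BY ip_dst ORDER BY n DESC, ip_dst LIMIT ?
    """, (limit,)).fetchall()
    return [(int2ip(dst), n) for dst, n in rows]


def events_for_rule(conn, rule_sid):
    """'Event Information : sid N' style count: events raised by one rule sid."""
    return conn.execute("""
        SELECT COUNT(*) FROM event e JOIN signature s ON s.sig_id = e.signature
        WHERE s.sig_sid = ?
    """, (rule_sid,)).fetchone()[0]


if __name__ == "__main__":
    db = load_sample_db()
    for row in list_events(db):
        print(row)
    print(top_destinations(db))
```

Against the real `ids` database the same queries run unchanged in the mysql client, with the MySQL INET_NTOA() function in place of int2ip.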
CommView

What is CommView
An application for capturing and analyzing network packets
It can save the captured packets to log files
It can generate ICMP, TCP and UDP packets of up to 1.5 KB and can transmit at up to 5,000 pkt/sec

Installation
System Requirements : Pentium II or higher, Windows 98/ME/2000/XP/2003, 128 MB RAM and 6 MB free disk space
Download the 30-day trial version of CommView 5.1 from http://www.tamos.com/download/main/
Using CommView (screenshots) :
1. Select Network Interface
2. Start
Latest IP Connections
Packet Analyzing
Payload Decoding
Packet Generating : Tools → Packet Generator (screenshot)
TCP Packet
Default Packet Size
Source IP - Hex value
Source IP - Numeric value (edit here)

Packet Generating : Port number and Payload (screenshot)
Destination Port - Hex value
Destination Port - Numeric value
Added 5 Byte payload content
Packet Size 54 + 5
Press Sigma to correct

Packet Generating : Correct Checksum (screenshot)
Data length changed into 5
Correct it by adding 5
Check (after pressing Sigma)
Press Send
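The Sigma step exists because editing the payload leaves the headers stale: the IP total length still says 40 bytes and the TCP checksum was computed over the old segment, so a receiver (or Snort) would treat the packet as corrupt. The Python below is an added example, not part of the presentation or of CommView: it builds a constructed 54-byte Ethernet/IPv4/TCP frame (14 + 20 + 20 bytes, the default size shown above) between the two addresses used in the simulation, appends a 5-byte payload, shows with `verify` which fields no longer check out, and then recomputes them the way the Sigma button does. All packet contents are constructed, and `inet_checksum`, `tcp_checksum`, `fix_frame` and `verify` are this example's own names.

```python
import struct

ETH_LEN = 14   # Ethernet header
IP_LEN = 20    # IPv4 header without options
TCP_LEN = 20   # TCP header without options


def inet_checksum(data) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; odd length is zero-padded."""
    data = bytes(data)          # copy, so a bytearray caller is never padded in place
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:          # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment) -> int:
    """TCP checksum: pseudo-header (addresses, zero, proto 6, length) + segment."""
    pseudo = bytes(src) + bytes(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return inet_checksum(pseudo + bytes(segment))


def build_frame(payload: bytes = b"") -> bytes:
    """Constructed Ethernet + IPv4 + TCP frame with correct lengths and checksums."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    src = bytes([192, 168, 1, 101])   # PC2, the source machine in the slides
    dst = bytes([192, 168, 1, 100])   # PC1, the target machine running Snort
    total_len = IP_LEN + TCP_LEN + len(payload)
    # version/IHL, TOS, total length, ID, flags/frag (DF), TTL, proto 6, csum 0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 128, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    # sport, dport, seq, ack, data offset 5 words, flags SYN, window, csum 0, urgent
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp + payload)) + tcp[18:]
    return eth + ip + tcp + payload


def append_payload(frame: bytes, payload: bytes) -> bytes:
    """Edit the packet the way a generator does: bytes added, headers untouched."""
    return frame + payload


def verify(frame: bytes) -> dict:
    """Check IP total length, IP header checksum and TCP checksum as they stand."""
    ip = frame[ETH_LEN:ETH_LEN + IP_LEN]
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = ip[12:16], ip[16:20]
    segment = frame[ETH_LEN + IP_LEN:]
    return {
        "length_ok": total_len == IP_LEN + len(segment),
        "ip_csum_ok": inet_checksum(ip) == 0,          # sum incl. checksum folds to 0
        "tcp_csum_ok": tcp_checksum(src, dst, segment) == 0,
    }


def fix_frame(frame: bytes) -> bytes:
    """What the Sigma button does: rewrite IP total length and both checksums."""
    eth = frame[:ETH_LEN]
    ip = bytearray(frame[ETH_LEN:ETH_LEN + IP_LEN])
    segment = bytearray(frame[ETH_LEN + IP_LEN:])
    struct.pack_into("!H", ip, 2, IP_LEN + len(segment))   # new total length
    struct.pack_into("!H", ip, 10, 0)                        # zero before summing
    struct.pack_into("!H", ip, 10, inet_checksum(ip))
    struct.pack_into("!H", segment, 16, 0)
    struct.pack_into("!H", segment, 16, tcp_checksum(ip[12:16], ip[16:20], segment))
    return eth + bytes(ip) + bytes(segment)


if __name__ == "__main__":
    edited = append_payload(build_frame(), b"hello")   # 54 + 5 bytes, as on the slide
    print("before Sigma:", verify(edited))
    print("after Sigma: ", verify(fix_frame(edited)))
```

The IP header checksum still verifies on the edited frame only because the total-length field has not been touched yet; once that field is corrected the IP checksum must be recomputed too, which is why `fix_frame` rewrites all three.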
Activeworx Security Center (ASC)

Overview
ASC is an event management solution for Snort
It works with Snort 1.8 or newer
It supports MySQL as well as Microsoft SQL
It allows us to view IDS data in different ways :
Unique Views
List Views
Interactive Graphics and Charts
Event Relationship Diagram
Payload Decoders
Installation
System Requirements : Pentium 4 or later, Windows 2000/XP/2003, 512 MB RAM and 250 MB free disk space
ASC version 2.6 components can be downloaded from http://www.brighttools.com/support/download.html
Download the following Microsoft Installer files and run them:
asc.desktop.msi, 55.7 MB
asc.manager.msi, 51.1 MB
Databases
Two different types of databases:
Primary Database
Event Databases
Log on to ASC Database Manager
Use the default Snort IDS database schema
Configure the Primary Database
Use the “Add Database Wizard” to create an Event database
Screenshots: Databases (Primary Database), Databases (Event Database), Databases (Add User), Databases (Check Connectivity)
Snort IDS Simulation & Testing

Hardware Configuration
Target Machine : PC1 (OS : Windows XP)
    Dell Celeron CPU 2
    Processor - 2.4 GHz
    RAM - 256 MB
Source Machine : PC2 (OS : Windows XP)
    Dell Celeron CPU 2
    Processor - 2.4 GHz
    RAM - 256 MB
Router : TRENDnet wireless router
    Speed – 108 Mbps
    Compliant with IEEE 802.11g
From PC1 (192.168.1.100)
Run Snort from the console using the command
    snort -c c:\snort\etc\snort.conf -h 192.168.1.100/24 -v -i2
Log in to and run ASC Desktop
Run CommView (sniffer)

From PC2 (192.168.1.101)
Run CommView (sniffer)
Generate “Bad Packet”s and send them to PC1 (using the CommView Packet Generator)
Activeworx Security Center Desktop (screenshots)
IDS Events (Event Overview)
IDS Events (List Events)
IDS Events (List Events : Group by Sensor)
IDS Events (Event Information1 : sid 382)
IDS Events (Event Information2 : sid 683)
IDS Events (Event Reference1 : sid 382)
IDS Events (Graphs : Top 10 IDS Destination)
IDS Events (Reports : IDS Overview)
Demonstration

Please meet us @
Room # 3144
Lambton Tower
School of Computer Science
University of Windsor, On
1-519-253 3000 ext 4406