INTRUSION DETECTION SYSTEM

Intrusion Detection System using
SNORT & BASE (Basic Analysis and
Security Engine)
Prepared By:
Tahira Farid
&
Anitha Prahladachar
Course: 60-564
Winter 2006
Outline
• Introduction to BASE
• IDS test-bed
• Installing and Configuring Necessary
Prerequisites
• Installing and Configuring BASE
• Generating Signatures
• Results
• Acknowledgments
• References
Introduction to BASE
• Basic Analysis and Security Engine
• Successor to ACID (Analysis Console for Intrusion Databases),
which Roman Danyliw developed at the CERT Coordination
Center as part of the AirCERT (Automated Incident Reporting)
project.
• BASE itself is actively maintained and supported by a team of
volunteers led by Kevin Johnson and Joel Esler.
Introduction to BASE (cont.)
• Provides web front-end to query and analyze the
alerts coming from a SNORT IDS system.
• Can search and process databases containing
security events logged by SNORT.
• Written in PHP.
• Has the ability to graphically display both layer-3
and layer-4 packet information.
Introduction to BASE (cont.)
• Current Version is Base 1.2
• Current search interface can query based on
• Alert information
– Sensor
– Alert group
– Signature, classification & detection time
• Packet data information
– Source/destination addresses
– Ports
– Packet payload/flags
Introduction to BASE (cont.)
• Provides easy management of Alert Data
• Administrator can categorize data into alert
groups, delete false positives or previously
handled alerts.
• Export alert data to an email address for
administrative notification.
• Support for user logins and roles, allowing an
administrator to control what is seen through
the web interface.
BASE vs. ACID
• ACID
– No longer maintained
– Has not been updated for 3 years (as of 2006)
• BASE
– Actively updated and revised
– Carries roughly 200 bug fixes over ACID
– Brings pages up faster
– Provides more queries (e.g. today's unique
alerts, alerts in the last 24/72 hours)
IDS test-bed
Host A (Source):
– OS: Windows XP
– Software: Ethereal, CommView
Host B (Destination):
– OS: Fedora Core 4
– Software: Snort, BASE, Ethereal, MySQL, PHP, Apache
Installing and Configuring Necessary
Prerequisites
• In order for our IDS to function properly we
install and configure the following components:
– MySQL
– Apache httpd 2.2.0
– PHP 4.4.2
– ADOdb 4.60
– Snort 2.4.3
– PCRE 5.0
– PEAR modules
– BASE 1.2
MySQL
• Two ways to install
– Download from www.mysql.com
– From the Fedora Core 4 installation CD:
Desktop > System Settings > Add/Remove Programs > MySQL
Select the following components:
• MyODBC
• mod_auth_mysql
• mysql-devel
• mysql-server
• perl-DBD-MySQL
• php-mysql
Apache 2.2.0
• Download Apache httpd server version 2.2.0
from http://httpd.apache.org
• To install (from the unpacked source directory; the default
prefix is /usr/local/apache2, which the later steps assume):
– ./configure
– make
– make install
PHP 4.4.2
• Download PHP 4.4.2 from http://www.php.net
• Extract the source code in /usr/local/src
• Configure command (one line; apxs is the one from the
Apache built in the previous step):
– ./configure --with-mysql --with-apxs2=/usr/local/apache2/bin/apxs --with-gd --with-zlib
• make
• make install
Configure php.conf
• In /usr/local/apache2/conf/httpd.conf add the line
– Include conf.d/*.conf
• mkdir /usr/local/apache2/conf.d
• Create php.conf in conf.d with the following contents:
– LoadModule php4_module modules/libphp4.so
– <Files *.php>
– SetOutputFilter PHP
– SetInputFilter PHP
– LimitRequestBody 9524288
– </Files>
– AddType application/x-httpd-php .php
– AddType application/x-httpd-php-source .phps
– DirectoryIndex index.php
• Note: the .phps handler serves PHP source as syntax-highlighted
text. Never leave a copy of base_conf.php (which will hold the
database password) with a .phps extension under the web root.
ADOdb
• A performance-conscious database abstraction
layer for PHP.
• BASE needs ADOdb to communicate with MySQL.
• Download ADOdb from
http://unc.dl.sourceforge.net/sourceforge/adodb/adodb460.tgz
• Extract it under /usr/local/apache2/htdocs, giving
/usr/local/apache2/htdocs/adodb, the path used later in
base_conf.php.
SNORT
• Create a directory snortinstall
• Download & unpack
http://www.snort.org/dl/snort2.4.3.tar.gz
• Download & unpack
http://umn.dl.sourceforge.net/sourceforge/pcre/pcre-5.0.tar.gz
• Install PCRE (Perl Compatible Regular Expressions) first,
since Snort's configure script requires it:
– ./configure
– make
– make install
• Then install Snort:
– ./configure
– make
– make install
Configuring SNORT
• groupadd snort
• useradd -g snort snort
• Create directories:
– /etc/snort
– /etc/snort/rules
– /var/log/snort
• Copy the 'rules' directory from the unpacked snort-2.4.3
source tree to /etc/snort/rules, and etc/snort.conf from the
same tree to /etc/snort/snort.conf (edited in the next step).
• The dedicated snort user only pays off if the sensor runs as
it: give /var/log/snort to snort:snort and start Snort with
-u snort -g snort so it drops root after opening the interface.
Configuring snort.conf
• var HOME_NET 10.2.2.0/32
• var EXTERNAL_NET !$HOME_NET
• var RULE_PATH /etc/snort/rules
• output database: log, mysql, user=snort password=snort dbname=snort host=localhost
• output database: alert, mysql, user=snort password=snort dbname=snort host=localhost
• Note: a /32 mask covers exactly one address, and 10.2.2.0 is
the network address of the block, so as written HOME_NET matches
nothing useful; for the whole 10.2.2.x test network use /24.
• The password in the output lines must match the one set for
snort@localhost in MySQL, and since snort.conf then holds a
database credential in clear text it should be readable only by
root and the snort user.
Setting up the database in MySQL
• mysql -u root
• SET PASSWORD FOR root@localhost = PASSWORD('passwd');
• CREATE DATABASE snort;
• GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.*
TO snort@localhost IDENTIFIED BY 'pwd in snort.conf';
(GRANT ... IDENTIFIED BY creates the account and sets its
password in one step; SET PASSWORD on an account that does not
exist yet fails.)
• The original deck also granted the same rights to plain
'snort', which MySQL treats as snort@'%', i.e. reachable from
any host. With Snort and BASE both on Host B only the
@localhost grant is needed. Tighter still: give the sensor an
INSERT/SELECT-only account and keep CREATE/DELETE/UPDATE for the
account BASE uses to manage and archive alerts.
To create tables
• mysql -u root -p snort < ~/snortinstall/snort-2.4.3/schemas/create_mysql
• Enter password: the MySQL root password
• Check: mysql -u snort -p snort -e "SHOW TABLES;" should list
event, signature, iphdr, tcphdr and the other Snort tables.
PEAR Modules
• PEAR - PHP Extension and Application Repository
• The BASE documentation recommends installing these PEAR
packages; the graphing pages depend on them.
Commands for installation:
• /usr/local/php/bin/pear install Image_Color
• /usr/local/php/bin/pear install Log
• /usr/local/php/bin/pear install Numbers_Roman
• /usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
• /usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz
To start the 'services'
• chkconfig httpd on
• chkconfig mysqld on
• service httpd start
• service mysqld start
• /usr/local/apache2/bin/apachectl -k start
• snort -dev -l /var/log/snort -h 137.207.234.73/32 -c /etc/snort/snort.conf
• Note: service httpd starts the Fedora-packaged Apache, while
apachectl starts the 2.2.0 build in /usr/local/apache2. Both
default to port 80, so run only the one that serves BASE.
• -dev dumps every packet (including link-layer headers) to the
console, which is fine for the demo. For an unattended sensor
run Snort with -D (daemon) and -u snort -g snort instead.
Configuring BASE
• Download BASE from
http://sourceforge.net/project/showfiles.php?group_id=103348
• cp base-1.2.tar.gz /var/www/html/
• cd /var/www/html
• tar -xvzf base-1.2.tar.gz
• cd /var/www/html/base-1.2/
• cp base_conf.php.dist base_conf.php
• cd /
• cp -r /var/www/html/base-1.2 /usr/local/apache2/htdocs/base
(the directory name must match $BASE_urlpath = "/base" set in
the next step)
Configuring BASE (cont.)
• Edit base_conf.php in /usr/local/apache2/htdocs/base/
– $BASE_urlpath = "/base";
– $DBlib_path = "/usr/local/apache2/htdocs/adodb";
– $DBtype = "mysql";
– $alert_dbname = "snort";
– $alert_host = "localhost";
– $alert_port = "";
– $alert_user = "snort";
– $alert_password = "password_from_snort_conf";
– $archive_dbname = "snort";
– $archive_host = "localhost";
– $archive_port = "";
– $archive_user = "snort";
– $archive_password = "password_from_snort_conf";
– $ChartLib_path = "/var/www/html/jpgraph-1.20.3/src";
• Note: /var/www/html/jpgraph-1.20.3 is not among the
prerequisites installed above; $ChartLib_path is left at the
value shipped in base_conf.php.dist.
• base_conf.php holds the database password. Keep it readable
only by the Apache user, and enable BASE's login system
($Use_Auth_System) rather than leaving the console open to
anyone who can reach the web server.
Configuring BASE (cont.)
• Open a web browser
• If the browser is on the localhost, go to
http://localhost/base
• If the browser is on another machine, go to
http://IP_Address/base to begin using the GUI to
view and manage alerts.
• On first use, BASE's setup page creates its own tables (alert
groups, user accounts) in the snort database; this is why the
snort account was granted CREATE.
Generating Signatures on Host A
[Figure: Ethernet layer header of the crafted test packet]
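One way to produce the test traffic without a packet editor on the wire, as an added example that is not part of the original presentation: build the frames in Python, write them to a pcap file, and replay the file into the sensor with `snort -r test_traffic.pcap -c /etc/snort/snort.conf -l /var/log/snort`, which logs to the same MySQL database as live capture. The host addresses, MAC addresses and the local rule the HTTP probe is meant to fire (assumed to be added to a local rules file as `alert tcp any any -> $HOME_NET 80 (msg:"TEST probe"; content:"GET /test-probe"; sid:1000001; rev:1;)`) are assumptions; every packet here is constructed, not captured.

```python
"""Write a pcap of hand-built test packets for offline replay into Snort:

    snort -r test_traffic.pcap -c /etc/snort/snort.conf -l /var/log/snort

Added example; not code from the original presentation.  Addresses, MACs
and the local rule it targets are assumptions, and every packet here is
constructed, not captured.
"""
import socket
import struct
import time

# Assumed test-bed addresses (Host A = sender, Host B = Snort sensor).
HOST_A, HOST_B = "10.2.2.10", "10.2.2.20"
MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
PROBE = b"GET /test-probe HTTP/1.0\r\nHost: target\r\n\r\n"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by IPv4, TCP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ident=0x1234, ttl=64):
    """20-byte IPv4 header (DF set, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(src, dst, sport, dport, flags, payload=b"", seq=1, ack=0):
    """TCP header without options plus payload.  The checksum covers the
    pseudo-header, so Snort's decoder does not discard it as corrupt."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      8192, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src),
                         socket.inet_aton(dst), 0, 6, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def icmp_echo(ident=1, seq=1, data=b"snort-test"):
    """ICMP echo request (type 8), the kind the stock ICMP PING rules see."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return hdr[:2] + struct.pack("!H", checksum(hdr)) + hdr[4:]


def frame(src, dst, proto, l4):
    """Ethernet II frame around an IPv4 datagram carrying l4."""
    return (MAC_B + MAC_A + b"\x08\x00"
            + ipv4_header(src, dst, proto, len(l4)) + l4)


def pcap_bytes(frames, ts=None):
    """Serialise frames into the classic libpcap format (linktype 1)."""
    ts = time.time() if ts is None else ts
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        sec, usec = int(ts) + i, int((ts - int(ts)) * 1e6)
        out += struct.pack("<IIII", sec, usec, len(f), len(f)) + f
    return out


def build_test_traffic():
    """Three frames: TCP SYN, the HTTP probe on the same flow, ICMP echo."""
    return [
        frame(HOST_A, HOST_B, 6, tcp_segment(HOST_A, HOST_B, 40000, 80, 0x02)),
        frame(HOST_A, HOST_B, 6, tcp_segment(HOST_A, HOST_B, 40000, 80, 0x18,
                                               PROBE, seq=2, ack=1)),
        frame(HOST_A, HOST_B, 1, icmp_echo()),
    ]


def tcp_checksum_ok(src, dst, segment):
    """Re-verify a segment the way a receiver would (sum must be zero)."""
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src),
                         socket.inet_aton(dst), 0, 6, len(segment))
    return checksum(pseudo + segment) == 0


if __name__ == "__main__":
    with open("test_traffic.pcap", "wb") as fh:
        fh.write(pcap_bytes(build_test_traffic()))
```

Replaying a file rather than sending live frames makes the test repeatable: the same pcap can be run through the sensor after every rules or snort.conf change, and the alerts it produces in BASE can be compared run to run. Checksums are computed properly because Snort 2.4 verifies them by default and silently drops packets that fail.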
Results
• Before sending the test packets from Host A, run
Snort on Host B
• In MySQL check: SELECT * FROM signature;
(Snort adds a row for each rule the first time it fires, so an
empty table means nothing has been logged yet.)
Results (cont.)
• In a web browser: http://137.207.234.73/base
Results (cont.)
• Unique Alerts
Results (cont.)
• The links to the left of each signature connect to
different signature databases to provide more
detailed information about that particular signature.
Results (cont.)
• Source/Destination IP link brings up a summary
that includes:
– How many times that IP was logged as a source or
destination
– First and last time that IP was logged
– Links to external web-based tools that provide
DNS and Whois lookup services.
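The summaries above (unique alerts per signature, the last 24/72 hours views listed on the "BASE vs. ACID" slide, the per-address page, and the per-port page on the next slide) are all plain SQL over the tables create_mysql made. The following, as an added example that is not code from the presentation or from BASE, runs those queries against an in-memory SQLite copy of the relevant subset of Snort's schema (signature, event, iphdr, tcphdr, with simplified column types) loaded with constructed alert rows, so it works without a sensor. The signature names, addresses and timestamps are made up for the example.

```python
"""The queries behind BASE's summary pages, run against a small in-memory
copy of Snort's database schema.  Added example; not from BASE or the
presentation.  Tables are the subset of create_mysql these views need,
and every alert row is constructed, not logged by a sensor."""
import ipaddress
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
    sig_class_id INTEGER, sig_priority INTEGER, sig_rev INTEGER,
    sig_sid INTEGER, sig_gid INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
    timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER,
    ip_dst INTEGER, ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER,
    tcp_dport INTEGER, tcp_flags INTEGER, PRIMARY KEY (sid, cid));
"""
NOW = datetime(2006, 4, 10, 12, 0, 0)  # fixed clock so results repeat

# Constructed alerts: (cid, sig_id, hours_ago, src, dst, sport, dport).
SAMPLE = [
    (1, 1, 1,   "10.2.2.10", "10.2.2.20", 40000, 80),
    (2, 1, 2,   "10.2.2.10", "10.2.2.20", 40001, 80),
    (3, 2, 5,   "10.2.2.10", "10.2.2.20", None, None),  # ICMP: no tcphdr
    (4, 1, 30,  "10.2.2.11", "10.2.2.20", 40002, 80),
    (5, 3, 100, "10.2.2.20", "10.2.2.10", 22, 51000),
]


def ip2int(addr):
    """Snort stores addresses as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(addr))


def stamp(hours_ago):
    return (NOW - timedelta(hours=hours_ago)).strftime("%Y-%m-%d %H:%M:%S")


def open_sample():
    """In-memory database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?,?,?,?)", [
        (1, "WEB-MISC test probe", 1, 2, 1, 1000001, 1),
        (2, "ICMP PING", 2, 3, 5, 384, 1),
        (3, "ATTACK-RESPONSES id check returned root", 3, 1, 9, 498, 1),
    ])
    for cid, sig, age, src, dst, sport, dport in SAMPLE:
        conn.execute("INSERT INTO event VALUES (1,?,?,?)", (cid, sig, stamp(age)))
        proto = 6 if sport is not None else 1
        conn.execute("INSERT INTO iphdr VALUES (1,?,?,?,?)",
                     (cid, ip2int(src), ip2int(dst), proto))
        if proto == 6:
            conn.execute("INSERT INTO tcphdr VALUES (1,?,?,?,?)",
                         (cid, sport, dport, 0x02))
    return conn


def unique_alerts(conn, hours=None):
    """Per-signature totals, distinct source/destination counts and
    first/last seen; `hours` restricts it to the last N hours."""
    since = stamp(hours) if hours is not None else "0000-00-00 00:00:00"
    return conn.execute("""
        SELECT s.sig_name, COUNT(*) AS total,
               COUNT(DISTINCT i.ip_src), COUNT(DISTINCT i.ip_dst),
               MIN(e.timestamp), MAX(e.timestamp)
        FROM event e
        JOIN signature s ON s.sig_id = e.signature
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        WHERE e.timestamp >= ?
        GROUP BY s.sig_id ORDER BY total DESC, s.sig_name""", (since,)).fetchall()


def address_summary(conn, addr):
    """The per-IP page: times seen as source / destination, first and last."""
    n = ip2int(addr)
    row = conn.execute("""
        SELECT SUM(i.ip_src = ?), SUM(i.ip_dst = ?),
               MIN(e.timestamp), MAX(e.timestamp)
        FROM iphdr i JOIN event e ON e.sid = i.sid AND e.cid = i.cid
        WHERE i.ip_src = ? OR i.ip_dst = ?""", (n, n, n, n)).fetchone()
    return {"addr": addr, "as_src": row[0] or 0, "as_dst": row[1] or 0,
            "first": row[2], "last": row[3]}


def port_summary(conn, direction="dst"):
    """The per-port page: occurrences and first/last seen per TCP port."""
    col = {"src": "tcp_sport", "dst": "tcp_dport"}[direction]  # fixed names only
    return conn.execute(f"""
        SELECT t.{col}, COUNT(*) AS n, MIN(e.timestamp), MAX(e.timestamp)
        FROM tcphdr t JOIN event e ON e.sid = t.sid AND e.cid = t.cid
        GROUP BY t.{col} ORDER BY n DESC, t.{col}""").fetchall()


if __name__ == "__main__":
    db = open_sample()
    for row in unique_alerts(db, hours=72):
        print(row)
    print(address_summary(db, "10.2.2.20"))
    print(port_summary(db))
```

Two points worth noticing for anyone writing their own console on top of the Snort schema: addresses are integers, so searches must convert the dotted form before comparing, and the only place a user-supplied value reaches the SQL is as a bound parameter; the column name in port_summary comes from a fixed dictionary, never from the request.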
Results (cont.)
• Source/Destination Ports link displays a summary of
ports, number of occurrences, time first seen and
time last seen.
• Each listed port number is a hyperlink to the SANS
Internet Storm Center (http://isc.sans.org) page for
that port number.
Results (cont.)
• Creating Alert Groups
• Group event information into user-defined categories for easy
perusal.
Results (cont.)
• Specify signatures for different AGs (alert groups)
Results (cont.)
• Graph from Alert Data
Results (cont.)
• Graph by alert detection time to identify periods of heavy
activity
Results (cont.)
• The Search function quickly searches the database for certain criteria and
presents the results in an ordered fashion.
• Allowable search criteria include Alert Group, Signature, and Alert Time.
• The results can be ordered by timestamp, signature, source IP, or destination IP.
Results (cont.)
• User and Role Management
Results (cont.)
• Email Alerts
Acknowledgements
• We would like to thank Dr. Aggarwal for giving us this
opportunity to handle such an industry standard level
project.
• We would also like to thank all other groups for giving us
valuable suggestions throughout the project.
References
• www.snort.org
• www.sourceforge.net
• http://www.rootsecure.net/content/downloads/pdf/snort_install_guide_fedora4.pdf
• http://www.sun.com/bigadmin/features/articles/snort_base.html
Thank You!!!!
Demo in Room 3144
Questions?
Tahira Farid ([email protected])
Anitha Prahladachar ([email protected])