Network Ids Ips Deployment Strategies 2143 1


  • 8/11/2019 Network Ids Ips Deployment Strategies 2143 1


SANS Institute InfoSec Reading Room

This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

Network IDS & IPS Deployment Strategies

Information systems are more capable today than ever before. Society increasingly relies on computing environments ranging from simple home networks, commonly attached to high speed Internet connections, to the largest enterprise networks spanning the entire globe. Filing one's tax return, shopping online, banking online, or even reading news headlines posted on the Internet are all so convenient. This increased reliance and convenience, coupled with the fact that attacks are concurrently becoming more p...

    Copyright SANS InstituteAuthor Retains Full Rights


    Network IDS & IPS Deployment Strategies


    GSEC Gold Certification

    Author: Nicholas Pappas, [email protected]

    Adviser: Joel Esler

    Accepted: April 2, 2008

Outline

1. Introduction
2. Network Intrusion Detection System (IDS)
3. Network Intrusion Prevention System (IPS)
4. Key Differences Between IDS & IPS
5. Network Segregation & Trust Zones
6. Connecting an IDS Device
7. Connecting an IPS Device
8. IDS & IPS Tuple Deployment
9. Practical Applications and Uses
10. Conclusions
11. References
12. Appendix A: Step By Step Build of an IDS/IPS

1. Introduction

Information systems are more capable today than ever before. Society increasingly relies on computing environments ranging from simple home networks, commonly attached to high speed Internet connections, to the largest enterprise networks spanning the entire globe. Filing one's tax return, shopping online, banking online, or even reading news headlines posted on the Internet are all so convenient. This increased reliance and convenience, coupled with the fact that attacks are concurrently becoming more prevalent, has consequently elevated the need to have security controls in place to minimize risk as much as possible.

This risk is often ignored as many people mistakenly disregard the computing power of their home systems, or small office networks. If the risk is not completely ignored, system owners routinely deploy a network firewall to protect web servers, or email servers and mistakenly feel safe. The convenience of conducting business over the world wide web, or communicating over email has made such services a prime target for automated attacks. Most network firewalls control network access by blocking traffic based on an IP address and port number. If you have an email server and wish for it to communicate with systems external to your network you will have to open port 25 (smtp) enabling this external communication. But what happens when an inbound attack comes in over port 25? Without having devices designed to monitor the content of this malicious traffic the email server is at the mercy of such an attack.

This document introduces tools used to systematically monitor network activity and discusses the deployment strategies of such systems. Regardless of the size of the network, having the ability to monitor network activity is a key component of defending information systems from attacks launched through various networks as well as finding internal systems that may not be configured correctly resulting in extraneous traffic absorbing valuable network throughput. We begin with an introduction of what network intrusion detection systems and intrusion prevention systems are, then discuss connecting and deploying such devices. The paper then concludes after mentioning examples utilizing these systems in practical environments. There is no single security measure sufficient to independently protect information systems. Having a layered security architecture greatly reduces risk to system users. One invaluable layer is comprised of network intrusion detection systems.

2. Network Intrusion Detection System (IDS)

Network Intrusion Detection Systems (IDS) monitor system behavior and alert on potentially malicious network traffic (Baker, 2004). IDS can be set inline, attached to a spanning port of a switch, or make use of a hub in place of a switch. The idea here is to allow access to all packets you wish the IDS to monitor.

While copious amounts of traffic can be monitored, the key is for the system to only alert on events of interest. When IDS raise an over abundance of alerts, usefulness and trust in the system are reduced. When the system constantly gives

false alarms, alerts tend to not be taken seriously. On the other side of the spectrum, if the IDS rarely alerts on malicious traffic, it leads one to wonder if it is working at all. Tuning an IDS is somewhat of an art, a balancing act between four points of concern. These four points are true positives, false positives, true negatives and false negatives. Table 1 shows their relationship.

Table 1: Relationship of event categories.

                POSITIVE                          NEGATIVE
    TRUE        True Positive: Alerted on         True Negative: Not alerted on
                intrusion attempt                 benign activity
    FALSE       False Positive: Alerted on        False Negative: Not alerted on
                benign activity                   intrusion attempt

The ideal tuning of an IDS maximizes instances of events categorized in the cells with a shaded background (true positives and true negatives). True positives occur when the system alerts on intrusion attempts or other malicious activity. False negatives are somewhat of a null situation but are important nonetheless. The false negative is comprised of the system failing to alert on malicious traffic. At times many people have trouble remembering what each of the four event categories are. An analogy helps.

Imagine the life cycle of a schoolhouse fire alarm. Using this analogy to describe the four categories is perhaps an easier method of understanding the distinctions. A true positive would then be analogous to a burning schoolhouse and the alarm sounding. This, after all, is the intended purpose of the schoolhouse fire alarm. The false negative occurs when the schoolhouse has an actual fire yet the fire

alarm remains silent; alerting no one of the fire thus creating a danger to those counting on successful operation of the fire alarm.

Continuing with this analogy, the remaining conditions are as follows. When a mischievous student pulls the alarm, knowing no fire exists, he/she presents a false positive. The alarm dutifully goes off with the lack of a fire. Numerous occurrences of false positives and the seriousness of the alarm is belittled and soon to be ignored. Finally the true negative relates to the alarm remaining silent while the schoolhouse is not aflame. Table 2 maps the conditions of this analogy using a similar format used in Table 1.

Table 2: Relationships as they apply to the schoolhouse fire alarm analogy.

Tuning an IDS is typically an ongoing task. Threats and computing environments are ever-changing, thus systems deployed to detect such threats must adapt accordingly. Detecting malicious network activity is an important piece of an overall security architecture, but what can we do to defend from detected attacks

arris, 2003).

IDS and IPS are great tools to leverage when defining, monitoring, auditing, and enforcing the circumference of each circle. Deploying an IDS and/or IPS at each of the department circles provides a means to monitor and block attempts to violate the policy of the system. If a system in the marketing department attempts to directly access systems in the human relations department it might be a sign of an employee trying to surreptitiously gather payroll information or personnel folders. If multiple systems, from say the research and development department, attempt to access systems in the other three segments it may signal a worm or virus attempting to propagate throughout the enterprise network. Both cases obviously require immediate attention to avoid potential compromise of personnel data or stability of

systems enterprise-wide. Such segregation of a network in turn boosts the ability for response teams to isolate or quarantine system compromises, while the zones not compromised continue conducting business.

Not only does network segregation lend itself to access control, it also helps in throughput management across a large network. Imagine a university network where multiple academic departments (e.g., Arts & Sciences, School of Engineering) are collectively connected to a single backbone network. Figure 2 depicts an architecture where the backbone network provides conduit from one department to another department as well as connectivity for all departments to access the global Internet (i.e., Internet 1 and Internet 2). Network sessions over the backbone will likely outnumber sessions strictly within any single department network. Because of this, the backbone will be best served with network equipment capable of high levels of throughput and low latency. Hardware capable of 10 Gigabit throughput is rather expensive, perhaps too expensive to expect each department to purchase such equipment for their respective segment of the campus network. Without suffering significant performance loss, circuits connecting each department network to the university backbone may be capable of providing 1 Gigabit throughput. Following this model, the local area networks (LAN) within each department may be using 100 Mb equipment. Of course over time all information technology assets will eventually require an upgrade but the theory behind this model remains valid.

Figure 2: Throughput capabilities of a sizable network.

Consideration of enterprise architecture is important when deploying IPS and IDS. The reason being that many IPS and IDS will become bottlenecks or points of congestion when expected to efficiently handle 10 Gigabit throughput. It is unwise

Figure 3: IDS on the edge of a network or zone.

Each part in this illustration consists of two servers, a workstation and an IDS all connected to a piece of network equipment attached to an uplink. The servers and workstation are considered internal assets and the uplink leads to an external network. The red lines represent connections being utilized to monitor traffic, while the black dashed line represents a connection that may be used to manage the IDS

remotely from a system in the internal network.

Part A of Figure 3 shows the IDS connected to either a hub or a switch capable of configuring a SPAN port. On some managed switches, a SPAN port can be configured to send "...all packets on the network to that port as well as their ultimate destination" (Baker, 2004). With such a configuration, an IDS interface being used to monitor traffic could be connected to a switch yet be able to see all traffic passing through. A network hub intrinsically shares data passing through itself to all of its ports such that any system connected to the hub can see all traffic sourced from or destined to every other system connected to the hub. Using a hub may not be the best option since systems would be capable of intercepting traffic not intentionally sent to them. When using either a hub or switch with SPAN port capabilities, the systems on the internal network are not at the mercy of the IDS having a system failure bringing the network down. Making use of a hub or switch SPAN port is a common method of connecting sensors.

The use of a network tap is represented in Part B of Figure 3, which essentially replicates data passed through the wire. Network taps are not commonly found in typical computer networks but may be purchased. Taps are handy when you need to set up a hasty monitoring solution, perhaps to troubleshoot a problem or temporarily deploy an IDS. Overall, a network tap is needed when the network does not have managed switches, is not using hubs, or when putting an IDS inline is out of the question.

The final portion, Part C near the bottom of Figure 3, illustrates an IDS connected inline. This instance includes two connections, shown in red, with one connected to the uplink port of the switch, and the second connected to the external network. In most cases, this is not the best method to use because system failure of the IDS will prevent systems on the internal network from communicating with external systems. Rarely is this an ideal outcome, either way it is certainly an option. The benefit of the inline configuration is a guarantee all packets will be seen by the IDS. Packets are subject to being missed when an IDS is connected to a switch SPAN port, especially when that switch is busy processing a large burst of traffic. Depending on the capability of an inline IDS, a similar burst may lead to congestion of network throughput.

Utilizing a management interface is required if the analysis is to be done remotely. It is possible to simply connect a keyboard and monitor directly to the IDS and manage the system locally from its console. Whilst this may work for a small office, in a large network this is typically not a viable option. The same applies for an IPS which is covered in the following section.

7. Connecting an IPS Device

Intrusion prevention systems are always connected inline. This requirement enables the IPS to drop select packets, and defend against an attack before it takes hold of the internal network (Hansteen, 200?). Here again, in Figure 4, we have red lines showing the network links being used to capture traffic.

Figure 4: IPS on the border of a network or zone.

The management interface, shown with a black dashed line, is once again an option but still commonly used to manage the system remotely. Updating signatures and otherwise adapting the system to defend against the latest threats is an ongoing task. Because of this, having an efficient means of administering the device is important.

The cons of having a system connected inline have been covered earlier in this document. However, some companies build systems to address this failure potential. For instance, TippingPoint Technologies Inc. sells products named Zero Power High Availability devices, designed to pass traffic even in the event their IPS loses electrical power. As you can imagine, during this type of failure the IPS is passing unfiltered traffic; much better than dropping all network connectivity. An optimally configured IPS will block unwanted traffic and, as a consequence, when the

IPS fails the network will typically see an increase in activity. Something for network engineers and intrusion analysts alike to consider when a significant unexplained spike in network activity is noticed on internal networks.

Connecting an IPS is rather simple. After reading this section, you may wonder what can be done to monitor traffic when an IPS either fails entirely, or allows malicious traffic through; perhaps from not being strict enough. A layered approach is introduced in the next section.

8. IDS & IPS Tuple Deployment

Prior to this section, the paper has discussed fundamentals of deploying an IDS or IPS. Now we move on to put these tools together, constructing a layered approach to network monitoring. Connecting these devices appropriately is covered first, we then move into the main point of this document. From a security perspective this is by far the ideal deployment, so let's get started.

Setting the stage for connecting both an IDS and an IPS, a router is introduced between the two sensors as shown in Figure 5. To follow the example, consider the router as defining a trust zone boundary or a network border separating a local area network (LAN) from a wide area network (WAN). Figure 5 then shows the IPS on the external side of the router, with a management link (dashed line) crossing over into the internal network for administration purposes. The IDS is connected in an inline fashion but, as previously mentioned, the IDS does not have to be inline and can be

connected out-of-band which is illustrated below in Figure 6. The IDS is strategically placed on the internal side of the router. As before, both figures show red lines depicting connections used to gather data for analysis and/or filtering.

Figure 5: IPS & IDS connected inline.

With the exception of the management interface connected to make remote administration of the sensors more convenient, the two network interface cards (NIC) internal to the IPS and IDS (i.e., those connecting the IDS and IPS to the red links) do not require IP addresses be assigned to them. In fact not having an IP address assigned to these sensor NIC's makes those interfaces invisible to other systems on the network. Conversely, that is the rationale behind why the management interface must have an IP address assigned. The interfaces responsible for collecting data to be analyzed then merely listen on the wire and pick up electrical impulses representing data being transmitted.

Figure 6: IPS connected inline, IDS connected to spanning port.

Packets are only concerned with transporting data from source to destination. Therefore, having two invisible NIC's configured as a bridge leaves the data untouched as packets travel from the first NIC to the second and carry on their merry way. When unwanted traffic passes over the invisible IPS bridge, the convivial journey is abruptly interrupted much like an insect innocently flying about before being smashed against the windshield of a car traveling at high speeds. For packets the IPS is programmed to drop, the invisible bridge resembles a thick sheet of glass unable to be seen. The sender of the dropped packet receives no response, and the internal network never processes the dropped packet. Such a scenario excites security professionals charged with defending a network from attack.

That is until their joy comes crashing down when the boss is unable to communicate with external systems he or she needs to conduct legitimate business with. When an IPS drops a legitimate packet, it resembles a false positive and is the

effect of an IPS being too stringent. To correct this, the IPS needs to be tuned more conservatively, adhering to looser rules while analyzing traffic. When the IPS is configured too conservatively, we witness false negatives as unwanted traffic freely passes through. Obviously we have a conundrum between protecting the network and keeping business flowing; having both live harmoniously ensures the aforementioned security staff remains employed.

This is where the IDS comes in. Since the IDS is not responsible for dropping packets, the security administrator can set the IDS to be very aggressive. With this higher level of sensitivity the IDS alerts when even the slightest abnormality is present in the traffic being inspected. After spending time going through extraneous alerts the analyst then tunes the IDS to disregard traffic verified to be benign. Conversely, as the analyst finds traffic on the IDS posing a threat, a rule or signature is written and the IPS blocks the threat. This methodology allows analysts the ability to analyze traffic and become familiar with a normal baseline of traffic without interrupting legitimate data flow on the network. Over time, the diligent analyst will have a sensitive IDS giving very few alerts, as the IPS drops nearly 100% of the unwanted traffic. Any questionable traffic not blocked by the IPS the IDS then alerts on, prompting the analyst for further investigation.

Figure 7: Data state diagram.

The different states of traffic passed through this layered model are exhibited in Figure 7. State 1 represents data that may or may not be legitimate. State 1 data is considered neither good nor bad because it has not yet been analyzed. State 2 data has been analyzed and filtered by the IPS. However, because of the issue mentioned above, it may be data the conservatively tuned IPS chose to pass but whose legitimacy is still questionable. Data in state 3 has been filtered by the IPS and verified by the more aggressively tuned IDS. Of course any alerts from the IDS during the verification process may require further investigation by the analyst. For now it is permitted to pass through. Perhaps the result of a system not configured properly on the internal network. Of course it may also mean that a new rule needs

to be implemented on the IPS to block similar future attacks. The outcome is a multi-layered approach to monitoring network traffic passing through the boundary of a network or subnetwork.

The main intent is to have the IPS block traffic known to be unnecessary or malicious, while the IDS remains sensitive, alerting on traffic that may be difficult to categorize without risking termination of legitimate communication. Conceptually, the IPS is tuned somewhat conservatively and the IDS has a more aggressive tuning. The IDS also provides a checks and balances of its respective IPS. Since the rules implemented in the IPS also exist in the IDS, if the IPS fails the IDS will continue monitoring. If the IDS suddenly sends numerous alerts the IPS is most likely in fail-over mode or has witnessed a system crash. Without a layered approach, traffic would pass through the network unmonitored until the IPS was brought online again.
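The tuple just described, as an added Python model that is not code from the paper: a conservatively tuned inline IPS, an aggressively tuned out-of-band IDS carrying the IPS rules plus its own, the Table 1 scoring of the IDS alerts against ground truth, and the checks-and-balances heuristic that flags a failed-over IPS when the IDS starts alerting on rules the IPS should already have dropped. The rule names, thresholds and sample packets are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet crossing the network edge. `malicious` is ground truth known
    only to this simulation; it is used to score the IDS against Table 1."""
    src: str
    dst: str
    dport: int
    payload: str
    malicious: bool


# Rules are (name, predicate) pairs. The IPS carries a small conservative set it
# is confident enough to drop on; the IDS carries those same rules plus more
# aggressive alert-only rules. Names, thresholds and markers are constructed.
IPS_RULES = [
    ("known-exploit-marker", lambda p: "EVIL" in p.payload),
    ("inbound-telnet", lambda p: p.dport == 23),
]
IDS_RULES = IPS_RULES + [
    ("long-smtp-command", lambda p: p.dport == 25 and len(p.payload) > 40),
    ("smtp-vrfy-probe", lambda p: p.dport == 25 and p.payload.startswith("VRFY")),
]
IPS_RULE_NAMES = frozenset(name for name, _ in IPS_RULES)


def ips_filter(packets, failed=False):
    """State 1 -> State 2: the inline IPS drops anything matching an IPS rule.
    With failed=True it behaves like a zero-power high-availability device
    that has lost power: every packet is passed through unfiltered."""
    passed, dropped = [], []
    for p in packets:
        if not failed and any(match(p) for _, match in IPS_RULES):
            dropped.append(p)
        else:
            passed.append(p)
    return passed, dropped


def ids_inspect(packets):
    """State 2 -> State 3: the out-of-band IDS never drops. It returns at most
    one (packet, rule_name) alert per packet, from the first matching rule."""
    alerts = []
    for p in packets:
        for name, match in IDS_RULES:
            if match(p):
                alerts.append((p, name))
                break
    return alerts


def table1_categories(packets, alerts):
    """Score the IDS alerts against ground truth using the four Table 1 cells."""
    alerted = {p for p, _ in alerts}
    counts = Counter()
    for p in packets:
        if p.malicious:
            counts["true_positive" if p in alerted else "false_negative"] += 1
        else:
            counts["false_positive" if p in alerted else "true_negative"] += 1
    return dict(counts)


def ips_failover_suspected(alerts):
    """The paper's checks-and-balances heuristic: if the IDS alerts on rules the
    IPS should already have dropped, the IPS is probably failed over or down."""
    return any(name in IPS_RULE_NAMES for _, name in alerts)


# Constructed inbound traffic: documentation address ranges and illustrative
# payload strings, not captured data.
SAMPLE_TRAFFIC = [
    Packet("203.0.113.5", "10.1.0.25", 25, "MAIL FROM:<alice@example.com>", False),
    Packet("203.0.113.9", "10.1.0.25", 25, "X" * 60 + " EVIL", True),
    Packet("198.51.100.7", "10.1.0.10", 23, "login", True),
    Packet("203.0.113.77", "10.1.0.25", 25, "A" * 50, True),  # passes IPS, IDS alerts
    Packet("203.0.113.78", "10.1.0.25", 25, "VRFY root", True),
    Packet("203.0.113.12", "10.1.0.80", 80, "GET / HTTP/1.1", False),
    Packet("203.0.113.30", "10.1.0.25", 25, "RCPT TO:<bob@example.com>" + "." * 20, False),  # benign, long
    Packet("203.0.113.40", "10.1.0.80", 80, "GET /cgi-bin/status HTTP/1.0", True),  # matches no rule
]


def run_layered_model(packets=SAMPLE_TRAFFIC, ips_failed=False):
    """Push traffic through the IPS and then the IDS; summarize each layer."""
    passed, dropped = ips_filter(packets, failed=ips_failed)
    alerts = ids_inspect(passed)
    return {
        "ips_dropped": len(dropped),
        "ids_alerts": len(alerts),
        "ids_categories": table1_categories(passed, alerts),
        "ips_failover_suspected": ips_failover_suspected(alerts),
    }
```

Running `run_layered_model()` with and without `ips_failed=True` shows the IDS alert count jumping from 3 to 5 when the IPS stops filtering, with the extra alerts all on IPS rules, which is the spike the paper says an analyst should read as a failed-over IPS.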

As shown in figures 5 and 6, the IPS is deployed on the external side of the router or network edge. This allows the IPS to drop packets prior to them hitting the router and prevents the router from having to process extraneous packets, thus lightening the load on the router's processor(s). It also provides a means for the analyst to research traffic "in the wild", as well as seeing any probes and scans coming from external systems. If a brute force attack is posed against the IPS, the router avoids having to deal with such nonsense as the IPS actively drops the attack traffic on the floor. Unsuccessful network reconnaissance attempts may be fed into a heuristic of other security controls. Perhaps the organization's competition is in

the midst of staging an attack. Even a minimally tuned IPS would block this traffic, but the analyst monitoring traffic external to his or her network can gain great insight into the latest attacks and threat trends.

Both figures show the IDS placement on the internal side of the edge router. This is required to see traffic being passed from or within the internal network, especially in the case where the internal network is using Network Address Translation (NAT). Pinpointing internal systems using NAT'd IP addresses would be impossible from the perspective of the IPS since it is on the outside. IDS placement is critical when the analyst needs to track down internal systems sending unwanted traffic. Internal systems sending unwanted traffic may be caused by a system not configured correctly or possibly a compromised system attempting to propagate virus infection. Likewise, if an internal employee is transferring data outside the network, the IDS placed internally will be able to see exactly where this data is coming from and can be configured to report such activity.

Deploying IDS and IPS in pairs is substantially beneficial. Having one without the other will undoubtedly leave gaps in the monitoring of network activity, or possibly lead to ambiguous alerts showing the front end of the NAT'd IP space rather than detailing the specific system responsible for causing questionable traffic. The next section goes over some practical uses of such a setup.

9. Practical Applications and Uses

Using an IDS/IPS paired deployment for researching traffic hitting the external side of a network was briefly discussed in the previous section. What was not mentioned was the fact that having such a system on the external side of the network can actually help other administrators world wide. Consider sharing traffic profile information with collaborative groups such as the SANS Internet Storm Center by submitting activity logs. Or participate in the DShield Cooperative Network Security Community. DShield allows you to report malicious activity while remaining anonymous. Often times, system administrators do not know when their respective systems are wreaking havoc outside their network. With so many worms and other automated attacks occurring on the Internet, if your system is being threatened, chances are other innocent systems are being attacked in the same manner.

In organizations required to test applications or carefully examine the effect of new patches prior to being applied to critical servers, it is good practice to set up a test computing environment. In such an environment it is best to ensure traffic is not transmitted outside the test network. Having an IDS/IPS paired deployment on the edge of the test environment allows you to prove no traffic has left the environment (implement a drop-all rule on the IPS), as well as the ability to monitor network activity being passed on the inside of the test environment. Ever wonder what anomalous network traffic, if any, the latest prototype of your company's product is causing? How is the latest operating system patch going to affect your

network? Clearly the test environment is an important piece of modern information technology shops.

For information security professionals attempting to evade IDS and IPS detection a test case is very useful. Once such an individual feels they have their IPS and IDS configured just right, they should seek a method to evade their implementation. Likewise with someone who thinks they can sneak in, penetrating the network unnoticed. They should then devise a method to block their covert attack. This is an invaluable means to make even the smartest security professional more capable.

As far as the Blackhats go, setting up a test case of an IDS/IPS to launch attacks against may be beneficial in honing their craft. As most security folks know, being an effective member of any security team involves routinely wearing a black hat (offensive) and then swapping it with that of a lighter shade of grey or white (defensive); not unlike centuries of weapons development versus armor development.

Outside the test environment, larger networks will find the administration of numerous IDS/IPS sensors deployed across their enterprise network a daunting task. Maintaining multiple IDS/IPS pairings is best done by utilizing a central database to store the data gathered. In this case the sensors merely collect data and send it up to a centralized database. Figure 8 shows a high level view of such an implementation.

    Nicholas Pappas 2

  • 8/11/2019 Network Ids Ips Deployment Strategies 2143 1

    30/64

    Network IDS & IPS Deployment Strategies

    Figure +: "istributed infrastructure of !%#,!"# sensors feeding a centralized database.

    It is important to note that each IDS/IPS pairing will have its own security
    policy or rule set. What applies to Segment-1 may not apply to Segment-2, and so
    on. Furthermore, having the data sent to a centralized location will minimize the
    number of highly skilled analysts the organization has to train and keep on the
    payroll. This will obviously bring about the highest return on investment. On that
    note, having one instance of data storage cuts down on the number of required
    systems capable of storing mass amounts of data, not to mention the systems
    required to conduct analysis on those large data stores. Centralizing analysis efforts
    also leads to a more consistent interpretation.

    The uses mentioned here are just a few of the many. In reality the uses of
    such a system are only limited to one's imagination or task orders.

    11. Conclusions

    As with any security product designed to protect information systems and the
    data they process, there are limitations. If the intrusion detection or prevention
    system lacks rules clever enough to detect traffic of interest, the system will neither
    send alerts nor drop packets appropriately. Keeping your signatures updated and
    maintaining other rules intended to find exactly what you want is an ongoing
    endeavor.

    Another limitation is related to remediation of issues found with a monitoring
    system. This is a task very difficult to automate. If the organization does not have a
    viable means of responding to incidents and remediation efforts, being alerted on
    such events is useless. Oftentimes being able to respond in a timely fashion will
    make the difference between an entire network virus infection and limiting
    compromises to the fewest number of systems. Along those lines, ignorance is bliss.
    Without response personnel to resolve findings the monitoring systems shed light
    on, the organization becomes increasingly liable for knowing about a problem but
    not acting on or resolving it. These systems are not magic; they do require
    maintenance and will benefit the organization only when coupled with trusted
    analysts and personnel to help with remediation efforts. This remediation may
    require modification of system configuration or in-depth investigations into system
    compromises.

    Strategic placement of the monitoring systems is crucial. If you are trying to
    capture traffic local to your network, you may be missing it if you put it at the
    network's border. The same applies if you have only one monitoring system but more
    than one connection linking your local area network to external networks. One
    important network device you should be mindful of when selecting the optimal
    placement of your IDS or IPS is a Virtual Private Network (VPN) concentrator. As
    traffic travels through a VPN tunnel, it is encrypted and the IDS or IPS will not be
    capable of conducting adequate analysis.

    There are an increasing number of methods to evade intrusion detection.
    While network intrusion detection and prevention systems are adapting to an ever
    changing environment, the methods of evasion are as well. We must keep this in
    mind when making a judgment call with respect to detecting an intrusion. One
    should not rely too heavily on IDS or IPS logs. Feeling overly confident an intrusion
    was avoided simply because such activity was not logged may be a costly mistake.
    On the other hand, assuming the IDS or IPS is correctly classifying "malicious" traffic
    when in fact the traffic is legitimate should be avoided as well. Having an analyst
    skilled in decoding packets will help minimize these mistakes (packet decoding is
    introduced in the SANS Security Essentials curriculum). In short, having too much
    trust in any single security product is a recipe for failure.

    In conclusion, deploying systems designed to monitor network activity will
    bring about more awareness of the very nature of how the respective network
    behaves, and what threatens its intended function. There is certainly not a shortage
    of malicious traffic being transmitted across the Internet. Having a firewall at the
    edge of a network is a nice piece of hardware to have protecting internal networks.
    However, in information security there are no silver bullets, network firewalls
    notwithstanding. It is crucial to have a layered preventive strategy. Defense in depth
    is the only reasonable tactic with such adaptable threats being constantly presented
    to information systems.

    12. Appendix A: Step by Step Build of an IDS/IPS

    The following steps have been used to build both IDS and IPS capabilities on a single system. The subject operating system used is OpenBSD. The hardware consists of an Intel based computer with five network interface cards installed. The first two cards build an inline bridge and the second pair of cards builds a second inline bridge. The fifth card is used for remote management of the system. OpenBSD was chosen because of its reputation in security and handling of the network stack. The steps listed here pick up after a base install of OpenBSD 4.2 (i386). For more information on how to install OpenBSD please see their web site (http://www.openbsd.org/faq/faq4.html).

    While the author does not claim to be an OpenBSD guru, these steps have been verified to build a baseline IDS/IPS and display alerts via the Basic Analysis and Security Engine (BASE) interface. No benchmarking has been done on the prototype system, and I would highly advise not deploying the resulting system in a production environment without some thorough testing. The prototype also may (does) not have permissions at their most restrictive setting. This appendix was the result of testing out concepts and ideas which were documented in the respective paper, and thus the intent of this appendix is to save the reader time in implementing a test case to explore the concepts shared. Reading content is a good start but, for many, having hands on experience will be significantly more beneficial. So let's get started...

    General Outline:

    1. Acquire OpenBSD ports
    2. Network Setup
    3. MySQL Installation
    4. Snort Installation
    5. Oinkmaster Installation
    6. Barnyard Installation
    7. Integration
    8. BASE Installation
    9. Baseline pf.conf

    NOTE: The details listed below show the commands typed at the command line interface prefixed with a root prompt (#). Any output from commands, or file contents, is shown without a prompt, and file contents are enclosed in "--start of snip--" / "--end of snip--" markers.

    All commands pick up after a base install of OpenBSD 4.2 and assume the root user account is being used. Where possible, permissions were set appropriately for the environment and daemons to run with non-root accounts upon completion of the install process. Many of the packages were installed from the OpenBSD ports collection. You may set up the partitions as you see fit. However, please note that you must have an ample amount of space in your /var partition as that is where the database will be stored. Just as an example, the prototype had 10G reserved for the /var partition.

    Partitions and their sizes for the prototype system:

    Filesystem    Size    Mount point
    /dev/wd

    --begin file content--
    # Example command to use CVSup: cvsup -g -L 2 /etc/cvs-supfile
    # Defaults applicable to all collections
    *default host=cvsup.usa.openbsd.org
    *default base=/usr
    *default prefix=/usr
    *default release=cvs
    *default tag=OPENBSD_4_2
    *default delete use-rel-suffix
    *default compress

    # Collections
    OpenBSD-ports
    --end file content--

    Commit the following commands to download your collections files. This will take some time depending on your connection to the associated mirror.

    # cvsup -g -L 2 /etc/cvs-supfile

    You should now have OpenBSD's ports in /usr/ports.

    Network Setup

    First determine how the system identifies each network interface card (NIC).

    # ifconfig

    Some of the output has been snipped for brevity. However, the NICs are shown as dc0, dc1, dc2 and dc3.

    Figure 9: Prototype diagram.

    Now that we know how to refer to the NICs we need to create a file for each. To do this, commit the following commands, while substituting proper identifiers for your NICs. First make sure these files don't pre-exist (they must only have the word "up" in them for our purposes):

    # rm /etc/hostname.dc0
    # rm /etc/hostname.dc1
    # rm /etc/hostname.dc2
    # rm /etc/hostname.dc3

    Next create the files to tell OpenBSD that we want them up with no IP address.

    # echo up > /etc/hostname.dc0
    # echo up > /etc/hostname.dc1
    # echo up > /etc/hostname.dc2
    # echo up > /etc/hostname.dc3

    Now create two bridges. The first bridge is intended to actually filter traffic deemed malicious or otherwise unwanted, and the second is to verify the filter.

    # echo "add dc0" > /etc/bridgename.bridge0
    # echo "add dc1" >> /etc/bridgename.bridge0
    # echo "up" >> /etc/bridgename.bridge0

    # echo "add dc2" > /etc/bridgename.bridge1
    # echo "add dc3" >> /etc/bridgename.bridge1
    # echo "up" >> /etc/bridgename.bridge1

    We should now see the following output from these commands:

    # cat /etc/bridgename.bridge0
    add dc0
    add dc1
    up

    # cat /etc/bridgename.bridge1
    add dc2
    add dc3
    up

    Reboot the system by typing the following command:

    # reboot

    Upon boot completion you should have the packets traveling over both bridges.

    Install these packages for convenience:

    # cd /usr/ports/net/wget
    # make install
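    The bridge setup just described, as an added example that is not part of the paper: a small sh script that writes the hostname.if(5) and bridgename.if(5) files for both bridge pairs and reads them back to confirm they contain exactly what the cat output above shows. The interface names dc0 through dc3 and the bridge names bridge0 and bridge1 are the paper's; the ROOT argument (defaulting to /) is an assumption added so the layout can be rehearsed in a scratch directory before anything is written under the real /etc.

```shell
#!/bin/sh
# Added example, not from the paper: write the hostname.if(5) and
# bridgename.if(5) files for the two inline bridge pairs and verify them.
# Interface and bridge names are the paper's (dc0..dc3, bridge0/bridge1);
# ROOT is an added parameter (default /) so the layout can be rehearsed in a
# scratch directory before the files are written under the real /etc.

# make_bridge ROOT BRIDGE IF_A IF_B
# Each member NIC gets a hostname file holding only "up": the port comes up
# without an IP address, so the sensor has no address on the monitored wire.
# The bridge file lists both members and brings the bridge up.
make_bridge() {
    root=$1; bridge=$2; ifa=$3; ifb=$4
    mkdir -p "$root/etc" || return 1
    for nic in "$ifa" "$ifb"; do
        # Overwrite rather than append, which is why the paper removes any
        # pre-existing hostname files first.
        printf 'up\n' > "$root/etc/hostname.$nic" || return 1
        chmod 640 "$root/etc/hostname.$nic"
    done
    {
        printf 'add %s\n' "$ifa"
        printf 'add %s\n' "$ifb"
        printf 'up\n'
    } > "$root/etc/bridgename.$bridge" || return 1
}

# verify_bridge ROOT BRIDGE IF_A IF_B
# Return 0 only when all three files hold exactly the expected lines.
verify_bridge() {
    root=$1; bridge=$2; ifa=$3; ifb=$4
    for nic in "$ifa" "$ifb"; do
        [ "$(cat "$root/etc/hostname.$nic" 2>/dev/null)" = "up" ] || return 1
    done
    expected=$(printf 'add %s\nadd %s\nup' "$ifa" "$ifb")
    [ "$(cat "$root/etc/bridgename.$bridge" 2>/dev/null)" = "$expected" ] || return 1
}

# build_sensor_bridges [ROOT]
# The paper's layout: bridge0 (dc0, dc1) filters, bridge1 (dc2, dc3) verifies.
build_sensor_bridges() {
    root=${1:-/}
    make_bridge "$root" bridge0 dc0 dc1 &&
    make_bridge "$root" bridge1 dc2 dc3 &&
    verify_bridge "$root" bridge0 dc0 dc1 &&
    verify_bridge "$root" bridge1 dc2 dc3
}
```

    Run build_sensor_bridges as root on the sensor, or build_sensor_bridges /tmp/rehearsal to look at the generated files first; a non-zero exit means one of the files did not come out as expected, which is worth knowing before the reboot that brings the bridges up.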

    MySQL Installation

    First check to see if you already have the required package files:

    # ls /usr/ports/packages/i386/ftp/mysql
    mysql-client-5.

    If you have these files already, you can skip the next step, otherwise do the following:

    # cd /usr/ports/databases/mysql
    # make install

    Before we install the server we need to install the p5-DBD-mysql package. To do that commit the following steps:

    # cd /usr/ports/databases/p5-DBD-mysql
    # make install

    Ok, now you should have the required package files; add the server and client packages just built (the ? glob stands in for the final digit of the package version).

    # cd /usr/ports/packages/i386/all
    # pkg_add mysql-server-5.0.4?.tgz
    # pkg_add mysql-client-5.0.4?.tgz

    Initial MySQL setup steps for running on OpenBSD. First create the default database:

    # /usr/local/bin/mysql_install_db

    Increase the kernel limit of open files by making the following modification to /etc/sysctl.conf.

    # echo "kern.maxfiles=4096" >> /etc/sysctl.conf

    To automatically start MySQL during system boot, append to /etc/rc.local. You will have to edit the file at /etc/rc.local in this case. At the bottom of the file, add the contents shown here.

    --start of snip--
    # Added to start MySQL during boot.
    if [ -x /usr/local/bin/mysqld_safe ]; then
        su -c mysql root -c '/usr/local/bin/mysqld_safe --log-error > /dev/null 2>&1 &'
        mkdir -p /var/run/mysql
        ln -s /var/www/var/run/mysql/mysql.sock /var/run/mysql/mysql.sock
        echo -n ' mysql'
        sleep 8
        echo ' done'
    fi
    --end of snip--

    To make the above entry into /etc/rc.local work properly, we'll need to add to the /etc/login.conf and then rebuild the login.conf.db as described here. First open /etc/login.conf and add a MySQL class:

    --start of snip--
    mysql:\
        :openfiles-cur=1024:\
        :openfiles-max=2048:\
        :tc=daemon:
    --end of snip--

    Then rebuild the login.conf with:

    # cap_mkdb /etc/login.conf

    Fix some permissions issues so that we can get mysqld started and set a password.

    # mkdir -p /var/run/mysql
    # chown -R _mysql /var/run/mysql

    Manually start the MySQL daemon for purposes of completing the install.

    # su -c mysql root -c '/usr/local/bin/mysqld_safe'
    # /usr/local/bin/mysqladmin -u root password 'secret-pass'
    # /usr/local/bin/mysqladmin -u root -h centaur.sci-fer.com password 'secret-pass'

    Now that MySQL is installed, it's time to configure it specifically for our purposes. Shut down the MySQL daemon.

    # mysqladmin shutdown -p
    <enter MySQL root password>

    Next copy the configuration file we'll be using.

    # cp /usr/local/share/mysql/my-large.cnf /etc/my.cnf

    Now do some preparatory steps for our my.cnf file.

    # mkdir -p /var/www/var/run/mysql
    # chown _mysql._mysql /var/www/var/run/mysql

    The next step is to configure the MySQL daemon such that it places the socket in the proper location. To do this we need to make two subtle modifications. First change the client section in /etc/my.cnf from this:

    --start of snip--
    [client]
    #password = your_password
    port = 3306
    socket = /var/run/mysql/mysql.sock
    --end of snip--

    To this:

    --start of snip--
    [client]
    #password = your_password
    port = 3306
    socket = /var/www/var/run/mysql/mysql.sock
    --end of snip--

    Likewise, the mysqld section needs to be changed from this:

    --start of snip--
    # The MySQL server
    [mysqld]
    port = 3306
    socket = /var/run/mysql/mysql.sock
    --end of snip--

    To this:

    --start of snip--
    # The MySQL server
    [mysqld]
    port = 3306
    socket = /var/www/var/run/mysql/mysql.sock
    --end of snip--

    Now when we force the Snort process into the chroot'd environment it will be able to reach the mysql.sock socket file. Ok, time for a reboot to test the startup settings we have thus far. After the system boots, you should have the MySQL server running. Connect to the MySQL server with the following:

    # mysql -u root -p

    Next we should tidy up a bit.

    mysql> drop database test;

    Now we have a clean slate. Check for something very similar to the following output.

    mysql> show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    | mysql              |
    +--------------------+
    2 rows in set (

    Ok, time to build the snort database.

    # cd /usr/ports/net/snort/w-snort-2.6.0.2p1-mysql/snort-2.6.0.2/schemas
    # mysql -u root -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is
    Server version: 5.

    mysql> show tables;
    +------------------+
    | Tables_in_snort  |
    +------------------+
    | data             |
    | detail           |
    | encoding         |
    | event            |
    | icmphdr          |
    | iphdr            |
    | opt              |
    | reference        |
    | reference_system |
    | schema           |
    | sensor           |
    | sig_class        |
    | sig_reference    |
    | signature        |
    | tcphdr           |
    | udphdr           |
    +------------------+
    16 rows in set (

    Oinkmaster Installation

    Next we'll install the Oinkmaster package to maintain our Snort rules files. Run the `make install` from ports after setting the FLAVOR environment variable back to null.

    # export FLAVOR=
    # cd /usr/ports/net/oinkmaster
    # make install

    Now you will probably want to register with Snort to have Oinkmaster keep your rules up to date. Register at https://www.snort.org/pub-bin/register.cgi. Here is a snippet from the oinkmaster.conf file which explains this requirement.

    --start of snip--
    # As of March 2
    filename;
    # For example, if your code is 5a
    snapshot-2.6.tar.gz

    Save the file and then give it a test by running Oinkmaster manually.

    # cd /etc/snort/rules
    # oinkmaster -o .

    You should now have the rules files populated in the /etc/snort/rules directory. To check this, list the files in that directory. You will see the files containing signatures if Oinkmaster is working properly.

    # ls

    To learn more about Oinkmaster it is recommended that you read the documentation, specifically the README file located on this page: http://oinkmaster.sourceforge.net/readme.shtml

    NOTE: At the time of this writing, there appears to be something wrong with the syntax of the telnet rules so you may need to remove that rule or otherwise fix the syntax. To remove the telnet rules you should modify your /etc/snort.conf file by commenting out the line including telnet.rules.

    Change
    include $RULE_PATH/telnet.rules
    So that it looks like
    # include $RULE_PATH/telnet.rules

    Ok, Oinkmaster is installed. You can use this program manually by using the commands shown next, or you can set up a cron job to do it for you on a routine basis.

    # cd /etc/snort/rules
    # oinkmaster -o .

    Barnyard Installation

    Barnyard is a nice program that takes unified output from programs like Snort and inputs log or event information into a useful format. For this prototype, we want Barnyard to take the unified output from Snort and insert it into the MySQL database.

    # cd /usr/local/share
    # wget http://www.snort.org/dl/barnyard/barnyard-0.2.0.tar.gz
    # tar -xvzf barnyard-0.2.0.tar.gz
    # rm barnyard-0.2.0.tar.gz
    # cd barnyard-0.2.0

    To prevent the loss of MySQL connection(s), we need to patch the Barnyard source before compiling it.

    # cd barnyard-0.2.0

    Now edit the file named "src/output-plugins/op_acid_db.c" by adding the following just before a line containing "while(mysql_ping(mysql) != 0)":

    mysql->reconnect=1;

    The final function should look exactly like this:

    --start of snip--
    int MysqlExecuteQuery(MYSQL *mysql, char *sql)
    {
        int mysqlErrno;
        int result;

        while((result = mysql_query(mysql, sql)) ?= CR_MIN_ERROR)   /* comparison operator unreadable in the source */
        {
            if(pv.verbose)
                LogMessage("MySQL ERROR(%i): %s. Aborting Query\n",
                           mysql_errno(mysql), mysql_error(mysql));
            return result;
        }

        if((mysqlErrno == CR_SERVER_LOST) || (mysqlErrno == CR_SERVER_GONE_ERROR))
        {
            LogMessage("Lost connection to MySQL server. Reconnecting\n");
            /* MySQL reconnect line inserted to fix the MySQL idle disconnect issue. */
            mysql->reconnect=1;
            while(mysql_ping(mysql) != 0)

    var HOME_NET [192.168.1.

    output log_dump
    to
    # output log_dump

    Change
    config hostname: snorthost
    to reflect your Snort sensor machine (which may very well be localhost)
    config hostname: localhost

    Now enable the following output plugin lines:
    #output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root
    # output log_acid_db: mysql, database snort, server localhost, user root, detail full

    Such that it looks similar to this (ensure you use the same password you set for the snort account in MySQL):
    output alert_acid_db: mysql, sensor_id

    Change
    output alert_fast
    to
    # output alert_fast

    Change
    output log_dump
    to
    # output log_dump

    Change
    config hostname: snorthost
    to reflect your Snort sensor machine (which may very well be localhost)
    config hostname: localhost

    Now enable the following output plugin lines:
    #output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root
    # output log_acid_db: mysql, database snort, server localhost, user root, detail full

    Such that it looks similar to this (ensure you use the same password you set for the snort account in MySQL):
    output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, \
        password secret-pass
    output log_acid_db: mysql, database snort, server localhost, user snort, password \
        secret-password, detail full

    Ok, you should now save the barnyard-bridge1.conf file.

    Once again the only differences between barnyard-bridge0.conf and barnyard-bridge1.conf are on the "config interface" line and the line starting with "output alert_acid_db", where the id numbers are either '0' or '1'. Set permissions (need to protect the password content):

    # chmod 640 barnyard*.conf

    Copy the maps over.

    # cd /usr/ports/net/snort/w-snort-2.6.0.2p1/snort-2.6.0.2/etc/
    # cp gen-msg.map /etc/snort/
    # cp sid-msg.map /etc/snort/

    Insert the following into /etc/rc.local; this will start up both instances of Snort and Barnyard. Please notice that this content goes below the entry we made earlier for MySQL.

    --start of snip--
    # Added to start Barnyard on bridge 0 during boot after the db is up but
    # before Snort is brought up.
    if [ -x /usr/local/bin/barnyard ]; then
        /usr/local/bin/barnyard -D -w barn.waldo-0 -c /etc/snort/barnyard-bridge

    Finally some minor steps before we reboot for another test.

    # mkdir /var/snort/log/bridge0
    # mkdir /var/snort/log/bridge1
    # touch /etc/snort/rules/local.rules
    # chown -R _snort /etc/snort

    Reboot and hope for the best. This is a critical test. Upon reboot you should have two snort daemons running and their respective barnyards should be inserting events found into MySQL. Now you should check to make sure you have snort running, two of them actually.

    # ps aux | grep snort

    In the resulting output you should see two processes being run by _snort. If not, check the /var/log/daemon log for clues and make sure this is working after a reboot. It may take a couple of tries but it's crucial to ensure your system boots appropriately.
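    The post-reboot check above (two snort daemons, their barnyards feeding MySQL), as an added example that is not from the paper: an sh script whose functions take the ps(1) output and the directory to inspect as arguments, so they can be tried on captured text, with run_sensor_check wiring them to the live system. It counts only processes whose command path ends in the daemon name (so the grep itself, and unrelated processes that merely mention snort in an argument, are ignored), confirms the MySQL socket exists inside the /var/www chroot, and flags any file under /etc/snort that contains a password yet is readable by others, the condition the chmod 640 step is meant to prevent. The owner names _snort and _mysql, the socket path and /etc/snort are the paper's; the expected daemon counts and the sample ps output are assumptions built from the two-bridge layout.

```shell
#!/bin/sh
# Added example, not from the paper: post-boot health check for the two-bridge
# sensor. Functions take their input as arguments so they can be exercised on
# captured text; run_sensor_check feeds them live data. Names assumed from the
# paper: users _snort/_mysql, /etc/snort, /var/www/var/run/mysql/mysql.sock.

# count_procs PS_OUTPUT USER PATTERN
# Count `ps aux` lines owned by USER ("*" = any user) whose command (field 11)
# matches PATTERN. Matching the command path rather than the whole line means
# the `grep snort` process itself is never counted.
count_procs() {
    printf '%s\n' "$1" | awk -v user="$2" -v pat="$3" '
        NR > 1 && (user == "*" || $1 == user) && $11 ~ pat { n++ }
        END { print n + 0 }'
}

# expect_daemons PS_OUTPUT
# The paper's success criterion after reboot: two snort daemons as _snort, two
# barnyard daemons (one per bridge) and a running mysqld. Prints what is
# missing and returns 1 in that case, 0 when everything is up.
expect_daemons() {
    rc=0
    snort=$(count_procs "$1" _snort '/snort$')
    barn=$(count_procs "$1" '*' '/barnyard$')
    mysql=$(count_procs "$1" '*' '/mysqld$')
    [ "$snort" -eq 2 ] || { echo "expected 2 snort daemons as _snort, found $snort"; rc=1; }
    [ "$barn" -eq 2 ]  || { echo "expected 2 barnyard daemons, found $barn"; rc=1; }
    [ "$mysql" -ge 1 ] || { echo "mysqld is not running"; rc=1; }
    return $rc
}

# world_readable_secrets DIR
# Print every regular file under DIR that mentions a password yet carries the
# world-readable bit, i.e. a barnyard-*.conf that missed the chmod 640 step.
world_readable_secrets() {
    find "$1" -type f -perm -004 | while read -r f; do
        if grep -qi 'password' "$f"; then printf '%s\n' "$f"; fi
    done
}

# run_sensor_check: the live version, run as root on the sensor after boot.
run_sensor_check() {
    expect_daemons "$(ps aux)"; rc=$?
    [ -S /var/www/var/run/mysql/mysql.sock ] \
        || { echo "mysql.sock missing from the /var/www chroot"; rc=1; }
    leaks=$(world_readable_secrets /etc/snort)
    [ -z "$leaks" ] || { printf 'world-readable files holding passwords:\n%s\n' "$leaks"; rc=1; }
    return $rc
}

# Constructed sample of `ps aux` output (not captured from a real sensor)
# showing the daemon set the paper expects, for trying the functions offline.
SAMPLE_PS='USER       PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED    TIME COMMAND
root         1  0.0  0.1   548   312 ??  Is    9:00AM 0:00.02 /sbin/init
_mysql     612  0.1  5.0 32000 20000 ??  S     9:00AM 0:01.10 /usr/local/libexec/mysqld --defaults-file=/etc/my.cnf
root       700  0.0  0.3  1200   900 ??  Ss    9:00AM 0:00.05 /usr/local/bin/barnyard -D -w barn.waldo-0 -c /etc/snort/barnyard-bridge0.conf
root       701  0.0  0.3  1200   900 ??  Ss    9:00AM 0:00.05 /usr/local/bin/barnyard -D -w barn.waldo-1 -c /etc/snort/barnyard-bridge1.conf
_snort     712  2.0  8.0 60000 40000 ??  Ss    9:00AM 0:03.00 /usr/local/bin/snort -D -c /etc/snort/snort-bridge0.conf
_snort     713  2.0  8.0 60000 40000 ??  Ss    9:00AM 0:03.00 /usr/local/bin/snort -D -c /etc/snort/snort-bridge1.conf
root       800  0.0  0.1   500   300 p0  R+    9:05AM 0:00.00 grep snort'

# `sh sensor-check.sh` evaluates the sample; `sh sensor-check.sh live` checks this host.
case "${1:-sample}" in
    live)   run_sensor_check ;;
    sample) expect_daemons "$SAMPLE_PS" && echo "sample: all daemons present" ;;
esac
```

    Because the check keys on the owner and the command path, it also catches the failure mode the paper warns about: a snort that started but died, leaving only the grep line in the ps output, no longer counts as a running sensor.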

    BASE Installation

    To start the web interface we need to make some changes to rc.conf and create an SSL cert. In your /etc/rc.conf file change

    #httpd_flags=NO # for normal use: "" (or "-DSSL" after reading ssl(8))
    to
    httpd_flags=-DSSL # for normal use: "" (or "-DSSL" after reading ssl(8))

    Create a self-signed SSL certificate. For more information please read the following web page: http://www.openbsd.org/faq/faq10.html#HTTPS. While there are validation related issues with self-signed certificates, this should get your system up and running. If you put this system into a production deployment, you should really consider obtaining certificates from a trusted Certifying Authority.

    Until then, commit the following steps to move forward.

    # cd /usr/ports/converters/libiconv
    # make install

    # cd /usr/ports/converters/recode
    # make install

    # cd /usr/ports/graphics/tiff
    # make install

    # cd /usr/ports/www/php4
    # make install

    NOTE: Installing php4 from ports takes a while.

    # cd /usr/ports/graphics/gd
    # make install

    # cd /usr/ports/graphics/png
    # make install

    # cd /usr/ports/graphics/jpeg
    # make install

    # cd /usr/ports/packages/i386/all
    # pkg_add php4-pear-4.4.1p2.tgz

    Activate PHP:

    # /usr/local/sbin/phpxs -s
    # cp /usr/local/share/examples/php4/php.ini-dist /var/www/conf/php.ini

    Open /var/www/conf/httpd.conf with your favorite editor and uncomment the line
    #AddType application/x-httpd-php .php
    so that it looks like this
    AddType application/x-httpd-php .php

    # pear install --alldeps channel://pear.php.net/Numbers_Words-0.18.0
    # pear install --alldeps channel://pear.php.net/Image_Graph-0.7.2
    # cp -r /var/www/pear/Image /var/www/pear/lib/Image/

    Install ADODB:

    # cd /var/www/htdocs/
    # wget http://superb-east.dl.sourceforge.net/sourceforge/adodb/adodb498a.tgz
    # tar -xvzf adodb498a.tgz
    # rm adodb498a.tgz

    Install JPGraph:

    # cd /var/www/htdocs/
    # wget http://hem.bredband.net/jpgraph/jpgraph-1.22.tar.gz
    # tar -xvzf jpgraph-1.22.tar.gz
    # rm jpgraph-1.22.tar.gz

    # mkdir /var/www/tmp
    # chown -R www /var/www/tmp

    Now is a good time to restart httpd:

    # /usr/sbin/apachectl stop
    # /usr/sbin/apachectl startssl

    Now create the ACID database tables so that barnyard starts up successfully. From the trusted network, you need to open the link shown below. Open a browser and go to https://<your IP>/base/base_db_setup.php

    Then click the button labeled "Create BASE AG" in the "Status" column. Now create a user by going to the web interface and clicking on "Administration" and then click "Create a user". After filling in the dialog boxes, choose the appropriate role and click "Submit Query". Now make one last modification to the file at /var/www/htdocs/base/base_conf.php and change the following from

    $Use_Auth_System =

    However, there are a lot of online resources, and recently a book was published titled "The Book of PF" by Peter Hansteen, a great resource to have on hand. Also a great introduction to PF can be found at http://www.openbsd.org/faq/pf/. For this setup, here is a snippet of a baseline /etc/pf.conf file. This should help you understand how we are treating the two bridges (with Snort) and running PF on the network interface labeled dc1 (your network card's manufacturer may have a different label for the interface).

    --start of snip--
    #
    # Simple pf.conf file
    #
    # See pf.conf(5) and /usr/share/pf for syntax and examples.
    #
    # MACROS
    # inboard_int: The internal side of the external bridge
    # Will be doing most of the filtering on this interface
    inboard_int = dc1

    # mgt_int: The NIC used for managing.
    # Need to restrict as much as possible on this one.
    mgt_int = sis0

    # Other interfaces:
    other_int = "{ dc

    # FILTER RULES
    ################################################
    # Default deny policy
    block all
    block quick from <bruteforce>

    ################################################
    # Rules for the management interface
    ################################################
    pass quick on $mgt_int inet proto { tcp, udp } from $trusted to any port \
        { ssh, domain, http, https } keep state (max-src-conn 2
