Simulation of IDS by using Activeworx Security Center (ASC) and Snort, MySQL, CommView Presented by Shamsul Wazed & Quazi Rahman School of Computer Science University of Windsor, On March 29, 2006


Simulation of IDS by using Activeworx Security Center (ASC) and Snort, MySQL, CommView

Presented by Shamsul Wazed & Quazi Rahman

School of Computer Science, University of Windsor, On

March 29, 2006

March 29, 2006 2

Outline

Introduction
Snort
MySQL Server
CommView
Activeworx Security Center
IDS Simulation
Demonstration


Introduction

Intrusion Detection System (IDS)
Collects data from network traffic coming into a system
Tries to match it against known patterns of attack signatures
Blocks the matched data and logs the details of the attack into a database

Snort
A very popular open source IDS
Can be configured to run in Sniffer mode, Packet Logger mode or Network IDS mode
A number of Snort add-ons are available for monitoring Snort, analyzing results and writing Snort rules


Introduction

Simulation of IDS

The following tools and OS are used in this project:

Snort : Intrusion Detection System

MySQL : Database Server

CommView : Packet Generator & Sniffer

Activeworx Security Center (ASC) : Snort’s Add-on

.Net Framework : Additional software for ASC Desktop

Windows XP : Operating System

Snort

Snort

WinPcap

WinPcap must be installed before Snort can capture packets

The latest WinPcap version is 3.1, for Windows 95/98/ME/NT4/2000/XP/2003

WinPcap is free and can be downloaded from http://www.winpcap.org/install/default.htm

Download the executable file “winPcap_3_1.exe” (456 KB) and run it to install


Snort

Snort is an open source IDS. It can be configured to run in three modes:

Sniffer mode: simply reads the packets off the network and displays them
./snort -vd

Packet Logger mode: logs the packets to disk
./snort -dev -l c:\snort\log -h 192.168.1.100/24

Network IDS mode: allows Snort to analyze network traffic for matches against a user-defined rule set and perform several actions
./snort -dev -l c:\snort\log -h 192.168.1.100/24 -c c:\snort\etc\snort.conf


Snort

Install Snort version 2.4.3, available at http://www.snort.org/dl/binaries/win32/

Download the executable file “Snort-243-Installer.exe” (1.43 MB)

Select “typical” installation that installs Snort at C:\Snort directory.


Snort

Important files and their locations

Snort configuration file - C:\Snort\etc\snort.conf

Snort executable file - C:\Snort\bin\snort.exe

Snort log files - C:\Snort\bin\log\alert.ids and C:\Snort\bin\log\snort.log.<time>

Snort rules file (includes only this project's 10 rules) - C:\Snort\rules\local.rules


Snort

Snort Configuration:

The file snort.conf has to be edited before running Snort

The following steps can be taken to create a custom configuration:
Set the network variables
Configure preprocessors
Configure output plugins
Add any runtime config directives
Customize the rule set


Snort

We took the following steps to configure Snort:

Set the HOME_NET variable as
var HOME_NET 192.168.1.100/24

Set the RULE_PATH variable as
var RULE_PATH c:\Snort\rules

Uncommented the following lines:
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log
include c:\Snort\rules\classification.config
include c:\Snort\rules\reference.config


Snort

Changed the database output lines to:
output database: alert, mysql, user=root password=wazed dbname=ids host=localhost
output database: log, mysql, user=root password=wazed dbname=tcpdump host=localhost

Included the rule set relevant to this project:
include $RULE_PATH/local.rules

Commented out all other include rules

MySQL Server

MySql Server

Download MySQL Database Server 5.0 from http://dev.mysql.com/downloads/

MySql Server

Install MySQL Server


MySql Server

Configure MySql Server


MySql Server

Choose Detailed Configuration


MySql Server

Choose Dedicated Server

MySql Server

Choose Multifunctional Database

MySql Server

Configure Network support


MySql Server

Change root password


MySql Server

MySQL Connector/ODBC

ODBC is a standardized API that allows connections to SQL database servers.

ODBC usually is used when database independence or simultaneous access to different data sources is required.

MyODBC 3.51 (installed in this project) is a 32-bit ODBC driver, also known as the MySQL ODBC 3.51 driver; it is available for download from:

http://dev.mysql.com/downloads/connector/odbc/3.51.html


MySql Server

Using MySQL
The following are some examples of how to work with the different databases and tables using commands from the DOS prompt:

C:\mysql\MySQL Server 5.0\bin>mysql -u root -p

Enter password: *****

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 18 to server version: 5.0.18-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.


MySql Server

Using MySQL:

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| aef                |
| aw_aef             |
| aw_asc             |
| aw_fw              |
| ids                |
| mysql              |
| sebek              |
| syslog             |
| tcpdump            |
| test               |
| vuln               |
+--------------------+
12 rows in set (0.19 sec)


MySql Server

Using MySQL:

mysql> use ids;
Database changed

mysql> show tables;
+------------------+
| Tables_in_ids    |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)


MySql Server

Using MySQL:

mysql> describe event;
+-----------+------------------+------+-----+---------+-------+
| Field     | Type             | Null | Key | Default | Extra |
+-----------+------------------+------+-----+---------+-------+
| sid       | int(10) unsigned | NO   | PRI |         |       |
| cid       | int(10) unsigned | NO   | PRI |         |       |
| signature | int(10) unsigned | NO   | MUL |         |       |
| timestamp | datetime         | NO   | MUL |         |       |
+-----------+------------------+------+-----+---------+-------+
4 rows in set (0.19 sec)
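The event table above is one of the Snort alert tables that ASC reads to build its Event Overview, List Events and Top 10 IDS Destination views. The following is an added example, not ASC's or the presenters' code: it loads a few constructed alerts into an in-memory copy of three of those tables and runs the queries those views correspond to. Only the event columns are on the slides; the signature and iphdr column names are assumed from Snort's create_mysql schema, and the sample alerts and rule names are constructed.

```python
import sqlite3
import socket
import struct

# Minimal subset of the Snort 2.x alert schema. `event` matches the slide above;
# the `signature` and `iphdr` columns are assumed from Snort's create_mysql script.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER,
                        sig_sid INTEGER);
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    ip_proto INTEGER, PRIMARY KEY (sid, cid));
"""

def ip2int(addr: str) -> int:
    """Snort stores IPv4 addresses as unsigned 32-bit integers (MySQL: INET_ATON)."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def int2ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))  # MySQL equivalent: INET_NTOA(ip_dst)

def open_constructed_db() -> sqlite3.Connection:
    """Constructed alerts for the lab: PC2 (192.168.1.101) sending bad packets to PC1 (192.168.1.100)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?, ?)",
                     [(1, "LOCAL constructed ICMP probe", 3, 1000001),
                      (2, "LOCAL constructed TCP bad payload", 2, 1000002)])
    alerts = [(1, "192.168.1.101", "192.168.1.100", 1), (2, "192.168.1.101", "192.168.1.100", 6),
              (2, "192.168.1.101", "192.168.1.100", 6), (1, "192.168.1.101", "192.168.1.1", 1)]
    for cid, (sig, src, dst, proto) in enumerate(alerts, start=1):  # sensor 1, cid counts events
        conn.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig, f"2006-03-29 10:00:{cid:02d}"))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?, ?)", (cid, ip2int(src), ip2int(dst), proto))
    return conn

def list_events(conn):
    """ASC 'List Events' view: time, rule name, source and destination for each alert."""
    rows = conn.execute("""SELECT e.timestamp, s.sig_name, i.ip_src, i.ip_dst
                           FROM event e JOIN signature s ON s.sig_id = e.signature
                           JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
                           ORDER BY e.timestamp""").fetchall()
    return [(ts, name, int2ip(src), int2ip(dst)) for ts, name, src, dst in rows]

def top_destinations(conn, limit=10):
    """ASC 'Top 10 IDS Destination' graph: alert count per destination host."""
    rows = conn.execute("""SELECT i.ip_dst, COUNT(*) AS n FROM event e
                           JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
                           GROUP BY i.ip_dst ORDER BY n DESC, i.ip_dst LIMIT ?""", (limit,)).fetchall()
    return [(int2ip(dst), n) for dst, n in rows]
```

Against the real ids database the same two queries run unchanged in MySQL apart from replacing the Python int2ip conversion with INET_NTOA().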


MySql Server

Using MySQL:

CommView

CommView

What is CommView
An application for capturing and analyzing network packets
It can save the captured packets to log files
It can generate ICMP, TCP and UDP packets of up to 1.5 KB and transmit at up to 5,000 pkt/sec

Installation
System requirements: Pentium II or higher, Windows 98/ME/2000/XP/2003, 128 MB RAM and 6 MB free disk space
Download the 30-day trial version of CommView 5.1 from http://www.tamos.com/download/main/


CommView

Latest IP Connections

1. Select Network Interface
2. Start

CommView

Packets Analyzing

Payload Decoding


CommView

Packet Generating: Tools > Packet Generator

TCP Packet

Default Packet Size

Source IP - Numeric value

Source IP - Hex value

(edit here)


CommView

Packet Generating: Port number and Payload

Packet Size 54 + 5

Destination Port - Numeric value

Destination Port - Hex value

Added 5 byte payload content

Press Σ (Sigma) to correct the checksum

CommView

Packet Generating: Correct Checksum

Check (after pressing Sigma)

Data length changed to 5

Correct it by adding 5

Press to Send
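The correction shown on the slides above (the 5-byte payload is appended, so the IP total length must grow by 5 and both checksums must be recomputed) as an added Python example; it is not CommView's or the presenters' code. It constructs a 54-byte Ethernet/IPv4/TCP frame like CommView's default TCP packet, appends a 5-byte payload, and runs the length and checksum consistency checks an IDS decoder performs before rule matching; Snort's decoder verifies checksums by default and does not apply rules to packets that fail them, which is why the test packet has to be corrected before it can raise an alert. The MAC addresses, ports and sequence number are assumed.

```python
import socket
import struct

ETH_LEN, IP_LEN, TCP_LEN = 14, 20, 20  # 54-byte header-only frame, CommView's default TCP packet size

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; over a valid header it returns 0."""
    data = bytes(data) + (b"\x00" if len(data) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def check_frame(frame: bytes) -> dict:
    """The consistency checks an IDS decoder makes before rule matching."""
    ip = frame[ETH_LEN:ETH_LEN + IP_LEN]
    tcp = frame[ETH_LEN + IP_LEN:]                                # TCP header plus payload
    total_len = struct.unpack("!H", ip[2:4])[0]                   # IP total length field
    pseudo = ip[12:20] + struct.pack("!BBH", 0, ip[9], len(tcp))  # src, dst, zero, proto, TCP length
    return {"length_ok": total_len == IP_LEN + len(tcp),
            "ip_csum_ok": checksum(ip) == 0,
            "tcp_csum_ok": checksum(pseudo + tcp) == 0}

def fix_frame(frame: bytes) -> bytes:
    """What pressing Sigma does: set IP total length to the real size and recompute both checksums."""
    eth = frame[:ETH_LEN]
    ip = bytearray(frame[ETH_LEN:ETH_LEN + IP_LEN])
    tcp = bytearray(frame[ETH_LEN + IP_LEN:])
    struct.pack_into("!H", ip, 2, IP_LEN + len(tcp))  # "correct it by adding 5" for a 5-byte payload
    struct.pack_into("!H", ip, 10, 0)
    struct.pack_into("!H", ip, 10, checksum(ip))
    struct.pack_into("!H", tcp, 16, 0)
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, ip[9], len(tcp))
    struct.pack_into("!H", tcp, 16, checksum(pseudo + tcp))
    return eth + bytes(ip) + bytes(tcp)

def ip_total_length(frame: bytes) -> int:
    return struct.unpack("!H", frame[ETH_LEN + 2:ETH_LEN + 4])[0]

def constructed_frame() -> bytes:
    """Constructed 54-byte TCP SYN, PC2 (192.168.1.101) -> PC1 (192.168.1.100); MACs and ports assumed."""
    eth = bytes.fromhex("000000000001") + bytes.fromhex("000000000002") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + TCP_LEN, 1, 0x4000, 128, 6, 0,
                     socket.inet_aton("192.168.1.101"), socket.inet_aton("192.168.1.100"))
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    return fix_frame(eth + ip + tcp)
```

Appending b"hello" to constructed_frame() reproduces the slide's state before Sigma (length and TCP checksum fail, IP header checksum still passes); fix_frame() then yields a 59-byte frame whose IP total length reads 45.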


Activeworx Security Center (ASC)


Activeworx Security Center

Overview
ASC is an event management solution for Snort

It works with Snort 1.8 or newer

It supports MySQL as well as Microsoft SQL

It allows us to view IDS data in different ways:
Unique Views
List Views
Interactive Graphics and Charts
Event Relationship Diagram
Payload Decoders


Activeworx Security Center

Installation

System requirements: Pentium 4 or later, Windows 2000/XP/2003, 512 MB RAM and 250 MB free disk space

ASC version 2.6 components can be downloaded from http://www.brighttools.com/support/download.html

Download the following Microsoft Installer files and run them:
asc.desktop.msi (55.7 MB)
asc.manager.msi (51.1 MB)


Activeworx Security Center

Databases

Two different types of databases: Primary Database and Event Databases

Log on to ASC Database Manager

Use the default Snort IDS database schema

Configure Primary Database

Use “Add Database Wizard” to create Event database


Activeworx Security Center

Databases (Primary Database)

Activeworx Security Center

Databases (Event Database)

Activeworx Security Center

Databases (Add User)

Activeworx Security Center

Databases (Check Connectivity)

Snort IDS Simulation & Testing

Snort IDS Simulation

Hardware Configuration

Target Machine: PC1 (OS: Windows XP), Dell Celeron CPU 2 processor, 2.4 GHz, 256 MB RAM

Source Machine: PC2 (OS: Windows XP), Dell Celeron CPU 2 processor, 2.4 GHz, 256 MB RAM

Router: TRENDnet wireless router, speed 108 Mbps, compliant with IEEE 802.11g

Snort IDS Simulation

From PC1 (192.168.1.100):
Run Snort from the console by using the command
snort -c c:\snort\etc\snort.conf -h 192.168.1.100/24 -v -i2
Login and run ASC Desktop
Run CommView (sniffer)

From PC2 (192.168.1.101):
Run CommView (sniffer)
Generate and send “bad packets” to PC1 (by CommView Packet Generator)

Activeworx Security Center Desktop
IDS Events (Event Overview)

Activeworx Security Center Desktop
IDS Events (List Events)

Activeworx Security Center Desktop
IDS Events (List Events: Group by Sensor)

Activeworx Security Center Desktop
IDS Events (Event Information 1: sid 382)

Activeworx Security Center Desktop
IDS Events (Event Information 2: sid 683)

Activeworx Security Center Desktop
IDS Events (Event Reference 1: sid 382)

Activeworx Security Center Desktop
IDS Events (Graphs: Top 10 IDS Destination)

Activeworx Security Center Desktop
IDS Events (Reports: IDS Overview)

Please meet us @

Room # 3144

Lambton Tower

School of Computer Science

University of Windsor, On

1-519-253 3000 ext 4406

Demonstration