Intrusion Detection System using SNORT & BASE (Basic Analysis and Security Engine) Prepared By: Tahira Farid & Anitha Prahladachar Course: 60-564 Winter 2006

Upload: griffin-franklin

Post on 11-Jan-2016



Outline

• Introduction to BASE
• IDS test-bed
• Installing and Configuring Necessary Prerequisites
• Installing and Configuring BASE
• Generating Signatures
• Results
• Acknowledgments
• References

Introduction to BASE

• Basic Analysis and Security Engine
• Successor to ACID
• Developed by Danyliw at the CERT Coordination Center as part of the AirCERT (Automated Incident Reporting) project.
• Actively maintained and supported by a team of volunteers led by Kevin Johnson and Joel Esler.

Introduction to BASE (cont.)

• Provides web front-end to query and analyze the alerts coming from a SNORT IDS system.
• Can search and process databases containing security events logged by SNORT.
• Written in PHP.
• Has the ability to graphically display both layer-3 and layer-4 packet information.

Introduction to BASE (cont.)

• Current Version is Base 1.2
• Current search interface can query based on
• Alert information
  – Sensor
  – Alert group
  – Signature, classification & detection time
• Packet data information
  – Source/destination addresses
  – Ports
  – Packet payload/flags

Introduction to BASE (cont.)

• Provides easy management of Alert Data
• Administrator can categorize data into alert groups, delete false positives or previously handled alerts.
• Export alert data to an email address for administrative notification.
• Support for user logins and roles, allowing an administrator to control what is seen through the web interface.

BASE vs. ACID

• ACID
  – No longer maintained
  – Hasn’t been updated for 3 years
• BASE
  – BASE is actively updated and revised.
  – Has 200 bug fixes in it.
  – Faster bringing pages up
  – Provides more queries (i.e. today's unique alerts, last 24/72 hours alert etc.)

IDS test-bed

Host B (Destination):

OS: Fedora Core 4

Software: Snort, BASE, Ethereal, MySQL, PHP, Apache

Host A (Source):

OS: Windows XP

Software: Ethereal, CommView

Installing and Configuring Necessary Prerequisites

• In order for our IDS to function properly we install and configure the following components:
  – MySQL
  – Apache 2.2.0
  – php-4.4.2
  – httpd-2.2.0
  – AdOdb460
  – snort-2.4.3
  – pcre-5.0
  – PEAR Modules
  – base-1.2

MySQL

• 2 ways to install:
  – Download from www.mysql.com
  – From the Fedora Core 4 installation CD: go to Desktop > System Settings > Add/Remove Programs > MySQL and select the following components:
    • MyODBC
    • Mod_auth_mysql
    • Mysql_devel
    • Mysql_server
    • Perl-DBD-MySQL
    • Php-mysql

Apache 2.2.0

• Download Apache httpd server version 2.2.0 from http://httpd.apache.org
• To install:
  – ./configure
  – make
  – make install

PHP 4.4.2

• Download PHP 4.4.2 from http://www.php.net
• Extract source code in “/usr/local/src”
• Configure command:
  – ./configure --with-mysql --with-apxs2=/usr/local/apache2/bin/apxs --with-gd --with-zlib
• make
• make install

Configure php.conf

• In file /usr/local/apache2/conf/httpd.conf add line
  – Include conf.d/*.conf
• mkdir /usr/local/apache2/conf.d
• “php.conf” in “conf.d”
  – LoadModule php4_module modules/libphp4.so
  – <Files *.php>
  – SetOutputFilter PHP
  – SetInputFilter PHP
  – LimitRequestBody 9524288
  – </Files>
  – AddType application/x-httpd-php .php
  – AddType application/x-httpd-php-source .phps
  – DirectoryIndex index.php

ADOdb

• A performance-conscious database abstraction layer for PHP.
• BASE needs ADOdb to communicate with MySQL.
• Download adodb from http://unc.dl.sourceforge.net/sourceforge/adodb/adodb460.tgz
• Extract adodb in “/usr/local/apache2/htdocs”

SNORT

• Create a dir “snortinstall”
• Download & unpack from http://www.snort.org/dl/snort2.4.3.tar.gz
• Download & unpack from http://umn.dl.sourceforge.net/sourceforge/pcre/pcre-5.0.tar.gz
• To install SNORT:
  – ./configure
  – make
  – make install
• To install PCRE (Perl Compatible Regular Expression):
  – ./configure
  – make
  – make install

Configuring SNORT

• groupadd snort
• useradd -g snort snort
• Create dir:
  – /etc/snort
  – /etc/snort/rules
  – /var/log/snort
• Copy dir ‘rules’ from dir ‘snort2.3.0’ to ‘/etc/snort/rules’

Configuring snort.conf

• var HOME_NET 10.2.2.0/32
• var EXTERNAL_NET !$HOME_NET
• var RULE_PATH /etc/snort/rules
• output database: log, mysql, user=snort password=snort dbname=snort host=localhost
• output database: alert, mysql, user=snort password=snort dbname=snort host=localhost

Setting up database in MySQL

• mysql
• SET PASSWORD FOR root@localhost = PASSWORD('passwd');
• CREATE DATABASE snort;
• SET PASSWORD FOR snort@localhost = PASSWORD('pwd in snort.conf');
• GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO snort@localhost;
• GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO snort;

To create tables

• mysql -u root -p < ~/snortinstall/snort-4.3.0/schemas/create_mysql snort
• Enter password: the mysql root password


PEAR Modules

• PEAR - PHP Extension and Application Repository
• BASE documentation recommends PEAR installation.

Commands for installation:
• /usr/local/php/bin/pear install Image_Color
• /usr/local/php/bin/pear install Log
• /usr/local/php/bin/pear install Numbers_Roman
• /usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
• /usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz

To start the ‘services’

• chkconfig httpd on
• chkconfig mysqld on
• service httpd start
• service mysqld start
• /usr/local/apache2/bin/apachectl -k start
• snort -dev -l /var/log/snort -h 137.207.234.73/32 -c /etc/snort/snort.conf

Configuring BASE

• Download BASE from http://sourceforge.net/project/showfiles.php?group_id=103348
• cp base-1.2.tar.gz /var/www/html/
• cd /var/www/html
• tar -xvzf base-1.2.tar.gz
• cd /var/www/html/base/
• cp base_conf.php.dist base_conf.php
• cd /
• cp -r /var/www/html/base-1.2 /usr/local/apache2/htdocs/

Configuring BASE (cont.)

• Edit the base_conf.php file in /usr/local/apache2/htdocs/
  – $BASE_urlpath = "/base";
  – $DBlib_path = "/usr/local/apache2/htdocs/adodb";
  – $DBtype = "mysql";
  – $alert_dbname = "snort";
  – $alert_host = "localhost";
  – $alert_port = "";
  – $alert_user = "snort";
  – $alert_password = "password_from_snort_conf";
  – $archive_dbname = "snort";
  – $archive_host = "localhost";
  – $archive_port = "";
  – $archive_user = "snort";
  – $archive_password = "password_from_snort_conf";
  – $ChartLib_path = "/var/www/html/jpgraph-1.20.3/src";
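
The same database settings now live in two files: the `output database` lines of snort.conf and the `$alert_*` / `$archive_*` variables of base_conf.php. The Python check below is an added example, not part of the original slides or of BASE; the function names and the embedded sample files are constructed, and it assumes (as on these slides) that the archive database uses the same account as the alert database.

```python
import re

# Constructed sample files modelled on the settings shown in these slides.
SNORT_CONF = """\
var HOME_NET 10.2.2.0/32
output database: log, mysql, user=snort password=s3nsor-pw dbname=snort host=localhost
output database: alert, mysql, user=snort password=s3nsor-pw dbname=snort host=localhost
"""

BASE_CONF = """\
<?php
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_user = "snort";
$alert_password = "s3nsor-pw";
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_user = "snort";
$archive_password = " s3nsor-pw ";
"""

OUTPUT_RE = re.compile(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,?\s*(.*)$")
PHP_VAR_RE = re.compile(r"^\s*\$(\w+)\s*=\s*(['\"])(.*?)\2\s*;")


def parse_snort_outputs(text):
    """Return one dict per 'output database' line of a snort.conf."""
    outputs = []
    for line in text.splitlines():
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        facility, dbtype, rest = m.groups()
        # key=value pairs; tolerates spacing such as 'user =snort'
        params = dict(re.findall(r"(\w+)\s*=\s*(\S+)", rest))
        outputs.append({"facility": facility, "dbtype": dbtype, **params})
    return outputs


def parse_base_conf(text):
    """Return the plain string assignments ($name = "value";) of base_conf.php."""
    values = {}
    for line in text.splitlines():
        m = PHP_VAR_RE.match(line)
        if m:
            values[m.group(1)] = m.group(3)
    return values


def check_consistency(snort_text, base_text):
    """List mismatches between the two files without echoing any secret."""
    base = parse_base_conf(base_text)
    alert = next((o for o in parse_snort_outputs(snort_text)
                  if o["facility"] == "alert"), None)
    if alert is None:
        return ["snort.conf has no 'output database: alert' line"]
    problems = []
    if base.get("DBtype") != alert["dbtype"]:
        problems.append("$DBtype does not match the snort.conf database type")
    for prefix in ("alert", "archive"):
        for key in ("dbname", "host", "user", "password"):
            name = f"{prefix}_{key}"
            have, want = base.get(name), alert.get(key)
            if have is None:
                problems.append(f"${name} is not set")
            elif have != have.strip():
                problems.append(f"${name} has leading/trailing whitespace")
            elif have != want:
                problems.append(f"${name} differs from snort.conf {key}")
    if alert.get("password") == alert.get("user"):
        problems.append("snort.conf password equals the user name")
    return problems
```

Run against the constructed samples, `check_consistency(SNORT_CONF, BASE_CONF)` reports the padded archive password; with the `password=snort` value shown on the snort.conf slide it also reports that the password equals the user name.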

Configuring BASE (cont.)

• Open a web browser
• if the browser is on the localhost, type http://localhost/base
• if the browser is on another machine type http://IP_Address/base to begin using the GUI to view and manage alerts.

Generating Signatures on Host A

Ethernet layer header

Results

• Before sending signatures from HOST A, run snort on HOST B
• In MySQL check: select * from signature;

Results (cont.)

• In a web browser: http://137.207.234.73/base


Results (cont.)

• Unique Alerts

Results (cont.)

• The different links located to the left of each signature attempt to connect to different signature databases to provide more detailed information about that particular signature.

Results (cont.)

• Source/Destination IP link brings up a summary that includes:
  – How many times that IP was logged as a source or destination
  – First and last time that IP was logged
• Contains links to external web-based tools that provide DNS and Whois lookup services.

Results (cont.)

• Source/Destination Ports link displays a summary of
  – ports, number of occurrences
  – time first seen and time last seen.
• Each listed port number is a hyperlink to the SANS Internet Storm Center http://isc.sans.org for that port number.
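
The Unique Alerts, Source/Destination IP and Source/Destination Ports views described on these Results slides are aggregate queries over the Snort database. The Python example below is added here and is not BASE's own code: it loads constructed events into an in-memory SQLite stand-in for a column subset of the tables that create_mysql sets up (signature, event, iphdr, tcphdr) and computes the same counts and first/last-seen times.

```python
import ipaddress
import sqlite3

# Column subset of the Snort schema; SQLite stands in for MySQL so the
# example runs offline. Snort stores IPv4 addresses as unsigned integers.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr  (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER);
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER);
"""

# Constructed sample events: (cid, sig_id, time, src, dst, sport, dport)
EVENTS = [
    (1, 1, "2006-03-01 10:00:05", "192.0.2.10", "192.0.2.20", 40001, 80),
    (2, 1, "2006-03-01 10:00:09", "192.0.2.10", "192.0.2.20", 40002, 80),
    (3, 2, "2006-03-01 11:30:00", "192.0.2.11", "192.0.2.20", 40100, 22),
    (4, 1, "2006-03-02 08:15:42", "192.0.2.11", "192.0.2.20", 40101, 80),
]


def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))


def load():
    """Build the in-memory database with one sensor (sid = 1)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO signature VALUES (?, ?)",
                   [(1, "constructed: web probe"), (2, "constructed: ssh probe")])
    for cid, sig, ts, src, dst, sport, dport in EVENTS:
        db.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig, ts))
        db.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?)",
                   (cid, ip_to_int(src), ip_to_int(dst)))
        db.execute("INSERT INTO tcphdr VALUES (1, ?, ?, ?)", (cid, sport, dport))
    return db


def unique_alerts(db):
    """Per signature: name, number of events, first seen, last seen."""
    return db.execute("""
        SELECT s.sig_name, COUNT(*), MIN(e.timestamp), MAX(e.timestamp)
        FROM event e JOIN signature s ON s.sig_id = e.signature
        GROUP BY s.sig_id ORDER BY COUNT(*) DESC, s.sig_name""").fetchall()


def source_ip_summary(db):
    """Per source IP: events, distinct signatures, first seen, last seen."""
    rows = db.execute("""
        SELECT i.ip_src, COUNT(*), COUNT(DISTINCT e.signature),
               MIN(e.timestamp), MAX(e.timestamp)
        FROM event e JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        GROUP BY i.ip_src ORDER BY COUNT(*) DESC, i.ip_src""").fetchall()
    return [(str(ipaddress.IPv4Address(addr)), n, sigs, first, last)
            for addr, n, sigs, first, last in rows]


def dest_port_summary(db):
    """Per TCP destination port: events, first seen, last seen."""
    return db.execute("""
        SELECT t.tcp_dport, COUNT(*), MIN(e.timestamp), MAX(e.timestamp)
        FROM event e JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
        GROUP BY t.tcp_dport ORDER BY COUNT(*) DESC""").fetchall()
```

Against a live MySQL sensor database the same SELECT statements apply, with `INET_NTOA(ip_src)` replacing the Python address conversion.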

Results (cont.)

• Creating Alert Groups
• Group event information into user-defined categories for easy perusal.

Results (cont.)

• Specify signatures for different AGs

Results (cont.)

• Graph from Alert Data

Results (cont.)

• Graph from Alert Detection Time to identify Periods of Heavy Activity

Results (cont.)

• The Search Function quickly searches through the database for certain criteria and presents the results in an ordered fashion.
• Allowable search criteria include Alert Group, Signature, and Alert Time.
• The results can be ordered by timestamp, signature, source IP, or destination IP.

Results (cont.)

• User and Role Management

Results (cont.)

• Email Alerts

Acknowledgements

• We would like to thank Dr. Aggarwal for giving us this opportunity to handle such an industry standard level project.
• We would also like to thank all other groups for giving us valuable suggestions throughout the project.

References

• www.snort.org
• www.sourceforge.net
• http://www.rootsecure.net/content/downloads/pdf/snort_install_guide_fedora4.pdf
• http://www.sun.com/bigadmin/features/articles/snort_base.html

Thank You!!!!

Demo in Room 3144

Questions?

Tahira Farid

Anitha Prahladachar