470 likes | 788 Views
Snort & IDScenter. 60-564: Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal Presented By: Tarik El Amsy, Lihua Duan Date: March 29, 2006. What is IDScenter. IDScenter is basically a Graphical front-end for Snort on Windows platforms (Recommended: Windows NT4/2000/XP).
E N D
Snort & IDScenter 60-564: Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal Presented By: Tarik El Amsy, Lihua Duan Date: March 29, 2006
What is IDScenter • IDScenter is basically a Graphical front-end for Snort on Windows platforms (Recommended: Windows NT4/2000/XP). • IDScenter provides a friendly interface for Snort users. • With some knowledge of Snort, IDScenter will help users to do configuration and provide management features.
Features of IDScenter • Snort 1.7, 1.8, 1.9, and 2.x Support • Snort configuration wizard • Online updates of IDS rules • Ruleset editor for all Snort rule options • HTML report from SQL backend • Execution of program on attack detection • Good Alerting tools including mail , Windows event log and normal DB logging.
Experiment Architecture and Scenarios Home net address 172.16.1.0 /24 Hub Router NIDS Target Attacker
NIDS server configuration • CPU: AMD64 Opteron • Memory: 512M • Hard Disk: 8 G Operating • Operating System: Windows 2000 Advanced Server (Ser) • IP Address: 172.16.1.1 • Installed Software: • Snort 2.4.3 • IDScenter 1.1 RC4 • WinPcap 3.1 • Ethereal 0.10.14 NIDS
Target server configuration • CPU: AMD64 Opteron • Memory: 512MHard • Disk: 8 G • Operating System: Windows 2000 Advanced Server (Ser) • IP Address: 172.16.1.2 • Installed software • Ethereal 0.10.14 • Winpcap 3.0 alpha 4 • Packet Excalibur 1.0.2 (Packet generator) • Web server, TelNET, SNMP, FTP, etc Target
Attacker server configuration • CPU: AMD64 Opteron • Memory: 512MHard • Disk: 8 G • OS: Windows 2000 AS • IP Address: 137.207.234.252 • Installed software • Winpcap 3.0 alpha 4 • Packet Excalibur 1.0.2 (Packet generator) • Web server, TelNET, SNMP, FTP, etc. Attacker
Installing WinPcap • WinPcap (Windows Packet Capture Library) is a packet-capture driver. Functionally, this means that WinPcap grabs packets from the network wire and pitches them to Snort, ethereal and windump. • Download & run WinPcap_3_1_auto-installer.exe to local disk from http://www.winpcap.org/install/default.htm • Should be installed on hosts NIDS Attacker Target
Installing Ethereal • Ethereal® is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. Ethereal is one of the best graphical packet sniffer. Its graphical interface makes it easy to use and its big list of features make it very powerful in analyzing network traffic • Download & run ethereal-setup-0.10.14.exe or any latest version from Ethereal website http://www.ethereal.com/download.html.
Installing Packet Excalibur • A multi-platform freeware, graphical and scriptable network packet engine with extensible text based protocol descriptions. • Needed to craft sample attack and generate these packets on the network during snort testing. • download Packet Excalibur Windows installer version 1.0.2 from http://www.securitybugware.org/excalibur/PacketExcalibur_1.0.2_win32.exe . • It will also install WinPcap 3.0a. Should be installed on Attacker Target
Packet Excalibur Demo alerttcp$EXTERNAL_NETany -> $HOME_NET111 (msg:"Rule 4 RPC portmap listing TCP 111"; content: "|00 01 86 A0|"; reference: arachnids,428; sid: 598; rev: 11; classtype: rpc-portmap-decode; flow: to_server,established;)
Installing Snort • Download SNORT ver 2.4.3 • Install directory c:\snort • Default logging database option To test Installation and make sure it is running C:\snort\bin\snort –v This will run snort in sniffer mode and you should be able to see the passing packets on the network captured by Snort.
Installing IDScenter • Download IDScenter.zip (1.1 RC4, 04.08.2003)fromhttp://www.engagesecurity.com/downloads/#IDScenter • Unzip the download file to obtain the setup.exe then run it to start simple and default installation.
Configuring Snort • Change the setting of Snort configuration file snort.conf under c:\snort\etc folder Use any text editor to edit the following • Network settings • Preprocessors • Output settings • Rules settings
Configuring Network settings • Snort use variables in configuring the rules. • When you type $ and Variable name, the value of this variable will be replaced. • This allows you to add different network ranges and subnets and simplify rules editing and customization • We added the following variables to snort.conf file var HOME_NET 172.16.1.0/24 var EXTERNAL_NET any var DNS_SERVERS 172.16.1.2/32 var SMTP_SERVERS 172.16.1.2/32 var HTTP_SERVERS 172.16.1.2/32 var SQL_SERVERS 172.16.1.2/32 var TELNET_SERVERS 172.16.1.2/32 var HTTP_PORTS 80 var RULE_PATH c:\snort\rules
Configuring Preprocessors • Configure Http_inspect preprocessor • This preprocessor allow snort to decode Http web traffic & analyze it for specific URI contents. • Setting in snort.conf file preprocessor http_inspect: global iis_unicode_map unicode.map 1252 preprocessor http_inspect_server: server default profile all ports { 80 }
Configuring Output settings • Outputing Alerts to a file base log called alert.ids • Setting in snort.conf file output alert_fast: alert.ids config logdir: c:\snort\log
ConfiguringRules settings • Create a file called project.rules in c:\snort\rules folder. • The file has the10 selected attacks. • Remove normal rule file setting from config file and add only project.rules. Include $Rule_path/project.rules • Sample Rule alerttcp$EXTERNAL_NETany -> $HOME_NET111 (msg:"Rule 4 RPC portmap listing TCP 111"; content: "|00 01 86 A0|"; reference: arachnids,428; sid: 598; rev: 11; classtype: rpc-portmap-decode; flow: to_server,established;)
IDScenter Configuration IDScenter consists of the following menus • General • Wizards • Logs • Alerts • ...
General Menu • Click on Apply to apply a configuration/save configuration (after setting all the options needed in IDScenter) • Start Snort: Starts Snort in console mode / service mode • View alerts: open log viewer • Test settings: After configuration you can test the settings by clicking on this button • Reload: Reload the configuration • Rest Alarm: Stop alarm sound
General Menu • There are two modes to setup Snort with IDScenter • Snort console mode • Snort service mode • The advantage of service mode is, that Snort can monitor your network constantly even when you're logged off
General / Configuration • Select snort version to run • Select Process priority • Select options (Service mode /snort console /auto restart ) • Select log folder path and file name
General / Snort Options • Set the configuration file.This is usally "Snort.conf" in the "etc" folder where Snort was installed (e.x. "C:\Snort\etc\snort.conf") • You can find a pattern in the configuration file by typing it into the editbox and click on the search button • You can set an external editor for editing Snort configuration file
General Activity Log • In this panel IDScenter displays events • You can enable/disable event logs • You can select which events are monitored • You can let automatically purge the activity log • Clear log: clear the logging entries
General/ Over View • In this panel IDScenter displays errors. If an error occurs when you click on apply, you'll be informed here. • An overview of the alert features activated is shown here • "Copy to clipboard": you can copy the Snort command-line into clipboard
Wizards Menu • Wizards Menu has several wizards which helps configuring snort. It has the following: • Network Variables wizard • Preprocessor Wizard • Output plugin Wizard • Rules/Signatures Wizard • Online Update Wizard
Wizards / Network Variables • Helps to set the variables used in rule files You can : • Add new variable • Edit and existing variable • Delete a variable
Wizards / Preprocessors • Here you can select and configure the preprocessors used by Snort • Stream4 and Frag2 Pane ( enable snort to defragment packets and perform stateful inspection) • Protocol Preprocessor Pane (different protocol decoders like HTTP decode , Telnet, RPC decod..etc) • PortScan Detection Pane • Miscellaneous Pane (ARP spoof and other unsupported preprocessors)
Wizards / Output Plugins • There are many small wizards in this panel which will help you to configure the output plugins of Snort.
Wizards / Rules Wizard • The ruleset wizard will help you maintain a good ruleset. This is the "include"-part of the Snort configuration file • Select first a classification configuration file ,by default: "classification.config" • Select the reference configuration file ,by default: "reference.config" • Activate/Deactivate the rule files you want to use by check/uncheck its box. • Open a ruleset in the ruleset editor: • Select a ruleset file • Click on "Ruleset editor"
Wizards / Rules Wizard • The ruleset editor lists all available rules in the file. • Add (and clone) new rules / delete rules • Edit a rule (Select a rule and click on "Add/edit rule" • Activate/Deactivate the rules you want to use • Import additional rules into the ruleset (in Snort 2.x syntax)Save the ruleset after modification
Rules Wizard / Editing a rule • The editor provides a front-end to all Snort 2.x rule features • It make it easier to understand and modify any rule • You can also access online information for that rule
Wizard/ Online Update • The online update wizard is a frontend for configurating Oinkmaster (by Andreas Östling) • If you want to use this feature, you should download EagleX package .
Logs/ Options Menu This will overwrite settings in snort configuration file if setExample: you set output plugin "alert_full: alert.ids"... and selected "Fast". In this case Snort will log using fast mode • Set the parameters (command-line parameters) of Snort . • Select the interface Snort should monitor if necessary
Logs / Log Rotation • Log rotationLog rotation will rotate the alert logs by compressing the files into a ZIP packages and move it to the Backup folder.
Alerts/ Detection • Alerts alarm will be on if the file/database has changed. • Select at least one alert detection mode • File alert detection mode (up to 10 files monitoring) • Add the files which should be monitored for changes (At least the alert log file set in main configuration panel should be set.) • MySQL alert detection
Alerts/ Notification • Alarm sound : Select a WAV file if you selected "Start alarm sound when an alert is logged“. • Program execution: IDScenter will execute this program if an alert was logged ( start a script that reconfigures your router, generate HTML pages of alert log using an external program.etc) • AutoBlock - Plugin system (example network Ice & Black Ice ). It allows you to block specific network traffic (mini firewall)
Alerts/ AlertMail • AlertMail can send administrator alerts by mail if Snort has detected an attack . • You can send a sample of the latest attacks in the email message as well as attachment of the log file.
Our Opinion • IDS Center is a very simple and easy to use configuration utility for snort. • It has very good graphical interface • Provide a lot of add on features for managing snort. • Provide a good Alerting features • It has some compatibility issues with latest snort version (especially Preprocessors and MySQL latest version) • It has no analysis features. • It still require good knowledge of snort IDS to configure.