Snort IDScenter - PowerPoint PPT Presentation

Presentation Transcript

Snort & IDScenter

60-564: Security and Privacy on the Internet

Instructor: Dr. A. K. Aggarwal

Presented By: Tarik El Amsy, Lihua Duan

Date: March 29, 2006


What is IDScenter

  • IDScenter is basically a graphical front-end for Snort on Windows platforms (recommended: Windows NT4/2000/XP).

  • IDScenter provides a friendly interface for Snort users.

  • With some knowledge of Snort, IDScenter helps users with configuration and provides management features.


Features of IDScenter

  • Snort 1.7, 1.8, 1.9, and 2.x Support

  • Snort configuration wizard

  • Online updates of IDS rules

  • Ruleset editor for all Snort rule options

  • HTML report from SQL backend

  • Execution of program on attack detection

  • Good alerting tools, including mail, the Windows event log and normal DB logging.


Experiment Architecture and Scenarios

[Network diagram with labels: Home net address 172.16.1.0/24; Hub; Router; NIDS; Target; Attacker]


NIDS server configuration

  • CPU: AMD64 Opteron

  • Memory: 512 MB

  • Hard Disk: 8 GB

  • Operating System: Windows 2000 Advanced Server

  • IP Address: 172.16.1.1

  • Installed Software:

    • Snort 2.4.3

    • IDScenter 1.1 RC4

    • WinPcap 3.1

    • Ethereal 0.10.14



Target server configuration

  • CPU: AMD64 Opteron

  • Memory: 512 MB

  • Hard Disk: 8 GB

  • Operating System: Windows 2000 Advanced Server

  • IP Address: 172.16.1.2

  • Installed software:

    • Ethereal 0.10.14

    • WinPcap 3.0 alpha 4

    • Packet Excalibur 1.0.2 (packet generator)

    • Web server, Telnet, SNMP, FTP, etc.



Attacker server configuration

  • CPU: AMD64 Opteron

  • Memory: 512 MB

  • Hard Disk: 8 GB

  • OS: Windows 2000 AS

  • IP Address: 137.207.234.252

  • Installed software:

    • WinPcap 3.0 alpha 4

    • Packet Excalibur 1.0.2 (packet generator)

    • Web server, Telnet, SNMP, FTP, etc.



Installing WinPcap

  • WinPcap (Windows Packet Capture Library) is a packet-capture driver. Functionally, this means that WinPcap grabs packets from the network wire and passes them to Snort, Ethereal and WinDump.

  • Download & run WinPcap_3_1_auto-installer.exe to local disk from http://www.winpcap.org/install/default.htm

  • Should be installed on hosts: NIDS, Attacker, Target


Installing Ethereal

  • Ethereal® is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. Ethereal is one of the best graphical packet sniffers. Its graphical interface makes it easy to use, and its big list of features makes it very powerful for analyzing network traffic.

  • Download & run ethereal-setup-0.10.14.exe or any latest version from Ethereal website http://www.ethereal.com/download.html.


Installing Packet Excalibur

  • A multi-platform freeware, graphical and scriptable network packet engine with extensible text-based protocol descriptions.

  • Needed to craft sample attacks and generate those packets on the network during Snort testing.

  • Download the Packet Excalibur Windows installer version 1.0.2 from http://www.securitybugware.org/excalibur/PacketExcalibur_1.0.2_win32.exe.

  • It will also install WinPcap 3.0a.

  • Should be installed on: Attacker, Target


Packet Excalibur Demo

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"Rule 4 RPC portmap listing TCP 111"; content: "|00 01 86 A0|"; reference: arachnids,428; sid: 598; rev: 11; classtype: rpc-portmap-decode; flow: to_server,established;)


Installing Snort

  • Download Snort ver 2.4.3

  • Install directory c:\snort

  • Default logging database option

To test the installation and make sure it is running:

C:\snort\bin\snort -v

This will run Snort in sniffer mode and you should see the packets passing on the network captured by Snort.


Installing IDScenter

  • Download IDScenter.zip (1.1 RC4, 04.08.2003) from http://www.engagesecurity.com/downloads/#IDScenter

  • Unzip the downloaded file to obtain setup.exe, then run it to start a simple, default installation.


Configuring Snort

  • Change the settings of the Snort configuration file snort.conf under the c:\snort\etc folder

    Use any text editor to edit the following:

    • Network settings

    • Preprocessors

    • Output settings

    • Rules settings


Configuring Network settings

  • Snort uses variables in configuring the rules.

  • When you type $ and a variable name, the value of that variable is substituted.

  • This lets you add different network ranges and subnets and simplifies rule editing and customization.

  • We added the following variables to the snort.conf file:

    var HOME_NET 172.16.1.0/24

    var EXTERNAL_NET any

    var DNS_SERVERS 172.16.1.2/32

    var SMTP_SERVERS 172.16.1.2/32

    var HTTP_SERVERS 172.16.1.2/32

    var SQL_SERVERS 172.16.1.2/32

    var TELNET_SERVERS 172.16.1.2/32

    var HTTP_PORTS 80

    var RULE_PATH c:\snort\rules


Configuring Preprocessors

  • Configure the http_inspect preprocessor

  • This preprocessor allows Snort to decode HTTP web traffic and analyze it for specific URI contents.

  • Settings in the snort.conf file (each directive is one line):

    preprocessor http_inspect: global iis_unicode_map unicode.map 1252

    preprocessor http_inspect_server: server default profile all ports { 80 }


Configuring Output settings

  • Outputting alerts to a file-based log called alert.ids

  • Settings in the snort.conf file:

    output alert_fast: alert.ids

    config logdir: c:\snort\log


Configuring Rules settings

  • Create a file called project.rules in c:\snort\rules folder.

  • The file has the 10 selected attacks.

  • Remove the normal rule file settings from the config file and add only project.rules (the keyword is lowercase and the variable name is case-sensitive, so it must match the RULE_PATH defined above):

    include $RULE_PATH/project.rules

  • Sample Rule

    alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"Rule 4 RPC portmap listing TCP 111"; content: "|00 01 86 A0|"; reference: arachnids,428; sid: 598; rev: 11; classtype: rpc-portmap-decode; flow: to_server,established;)
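The variable substitution from the network settings slide and the sample rule above (the same rule the Packet Excalibur demo fires) can be exercised without a Snort install. The following Python script is an added example, not code from the slides or from Snort/IDScenter: it reads the slides' var lines, resolves $HOME_NET and $EXTERNAL_NET in the rule, decodes the |00 01 86 A0| content bytes, and checks a constructed ONC RPC portmap DUMP call sent from the attacker (137.207.234.252) to the target (172.16.1.2, TCP 111), which is the kind of packet the Packet Excalibur demo generates. The packet dict layout, the RPC payload and the helper names are assumptions made for this example; the flow option is not evaluated because that needs stream4 state.

```python
"""Added example (not from the slides): expand snort.conf 'var' settings, parse one
Snort 2.x rule, and test a constructed packet against it. Variables and rule are the slides' own."""
import ipaddress
import re
import struct

SNORT_CONF = """
var HOME_NET 172.16.1.0/24
var EXTERNAL_NET any
"""
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 111 '
        '(msg:"Rule 4 RPC portmap listing TCP 111"; content: "|00 01 86 A0|"; '
        'reference: arachnids,428; sid: 598; rev: 11; '
        'classtype: rpc-portmap-decode; flow: to_server,established;)')
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

def parse_vars(conf):
    """Collect 'var NAME VALUE' lines the way snort.conf defines them."""
    variables = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "var":
            variables[parts[1]] = parts[2]
    return variables

def expand(text, variables):
    """Replace each $NAME with its value; Snort refuses to start on an undefined one."""
    def sub(m):
        if m.group(1) not in variables:
            raise ValueError("undefined variable $" + m.group(1))
        return variables[m.group(1)]
    return re.sub(r"\$(\w+)", sub, text)

def split_options(body):
    """Split the option body on ';' outside double quotes (escaped quotes not handled)."""
    opts, cur, quoted = [], "", False
    for ch in body:
        quoted ^= (ch == '"')
        if ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return opts + ([cur.strip()] if cur.strip() else [])

def parse_rule(rule_text, variables):
    """Header fields plus a dict of option keyword -> list of values (keywords may repeat)."""
    m = HEADER_RE.match(expand(rule_text, variables))
    if not m:
        raise ValueError("malformed rule header")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        options.setdefault(key.strip(), []).append(val.strip())
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def decode_content(value):
    """Content string to bytes: literal text outside |...|, hex bytes inside."""
    out = bytearray()
    for i, seg in enumerate(value.strip().strip('"').split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode("latin-1")
    return bytes(out)

def addr_matches(spec, ip):
    """'any', a host, a CIDR or a [a,b] list, with optional leading '!' negation."""
    if spec == "any":
        return True
    nets = spec.lstrip("!").strip("[]").split(",")
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != spec.startswith("!")

def port_matches(spec, port):
    """'any', one port or a lo:hi range, with optional leading '!' negation."""
    if spec == "any":
        return True
    lo, sep, hi = spec.lstrip("!").partition(":")
    hit = (int(lo or 0) <= port <= int(hi or 65535)) if sep else port == int(lo)
    return hit != spec.startswith("!")

def rule_matches(rule, pkt):
    """Header plus every 'content' option; 'flow' needs stream4 state and is not modelled."""
    header_ok = (rule["proto"] == pkt["proto"]
                 and addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
                 and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    return header_ok and all(decode_content(c) in pkt["payload"]
                             for c in rule["options"].get("content", []))

def rpc_portmap_dump_call(xid=0x1234ABCD):
    """Constructed ONC RPC v2 CALL to program 100000 (portmap) proc 4 (DUMP), TCP record-marked."""
    body = struct.pack(">6I", xid, 0, 2, 100000, 2, 4)  # xid, CALL, rpcvers, prog, vers, proc
    body += struct.pack(">4I", 0, 0, 0, 0)               # AUTH_NULL credential and verifier
    return struct.pack(">I", 0x80000000 | len(body)) + body  # last-fragment bit | length

def demo():
    """The slides' scenario: the attacker sends a portmap DUMP to the target on TCP 111."""
    rule = parse_rule(RULE, parse_vars(SNORT_CONF))
    pkt = {"proto": "tcp", "src": "137.207.234.252", "sport": 1234,
           "dst": "172.16.1.2", "dport": 111, "payload": rpc_portmap_dump_call()}
    return rule["options"]["msg"][0].strip('"'), rule_matches(rule, pkt)
```

The program number 100000 packed big-endian is exactly the 00 01 86 A0 the rule looks for, which is why any portmap call from the attacker trips it; change the destination port to 80 or send an HTTP request instead and `rule_matches` returns False.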


IDScenter Configuration

IDScenter consists of the following menus

  • General

  • Wizards

  • Logs

  • Alerts

  • ...


General Menu

  • Click on Apply to apply/save the configuration (after setting all the options needed in IDScenter)

  • Start Snort: starts Snort in console mode / service mode

  • View alerts: opens the log viewer

  • Test settings: after configuration you can test the settings by clicking on this button

  • Reload: reloads the configuration

  • Reset Alarm: stops the alarm sound


General Menu

  • There are two modes to set up Snort with IDScenter:

  • Snort console mode

  • Snort service mode

  • The advantage of service mode is that Snort can monitor your network constantly, even when you are logged off.


General / Configuration

  • Select snort version to run

  • Select Process priority

  • Select options (Service mode /snort console /auto restart )

  • Select log folder path and file name


General / Snort Options

  • Set the configuration file. This is usually "snort.conf" in the "etc" folder where Snort was installed (e.g. "C:\Snort\etc\snort.conf").

  • You can find a pattern in the configuration file by typing it into the edit box and clicking the search button.

  • You can set an external editor for editing Snort configuration file


General Activity Log

  • In this panel IDScenter displays events

  • You can enable/disable event logs

  • You can select which events are monitored

  • You can let IDScenter automatically purge the activity log

  • Clear log: clear the logging entries


General / Overview

  • In this panel IDScenter displays errors. If an error occurs when you click on apply, you'll be informed here.

  • An overview of the alert features activated is shown here

  • "Copy to clipboard": you can copy the Snort command-line into clipboard


Wizards Menu

  • The Wizards menu has several wizards that help configure Snort. It has the following:

  • Network Variables wizard

  • Preprocessor Wizard

  • Output plugin Wizard

  • Rules/Signatures Wizard

  • Online Update Wizard


Wizards / Network Variables

  • Helps to set the variables used in rule files

    You can :

    • Add new variable

    • Edit an existing variable

    • Delete a variable


Wizards / Preprocessors

  • Here you can select and configure the preprocessors used by Snort:

    • Stream4 and Frag2 pane (enables Snort to defragment packets and perform stateful inspection)

    • Protocol Preprocessor pane (different protocol decoders such as HTTP decode, Telnet, RPC decode, etc.)

    • PortScan Detection pane

    • Miscellaneous pane (ARP spoof and other unsupported preprocessors)


Wizards / Output Plugins

  • There are many small wizards in this panel which will help you to configure the output plugins of Snort.


Wizards / Rules Wizard

  • The ruleset wizard will help you maintain a good ruleset. This is the "include" part of the Snort configuration file.

  • First select a classification configuration file, by default "classification.config"

  • Select the reference configuration file, by default "reference.config"

  • Activate/deactivate the rule files you want to use by checking/unchecking their boxes.

  • Open a ruleset in the ruleset editor:

    • Select a ruleset file

    • Click on "Ruleset editor"


Wizards / Rules Wizard

  • The ruleset editor lists all available rules in the file.

  • Add (and clone) new rules / delete rules

  • Edit a rule (select a rule and click on "Add/edit rule")

  • Activate/deactivate the rules you want to use

  • Import additional rules into the ruleset (in Snort 2.x syntax). Save the ruleset after modification.


Rules Wizard / Editing a rule

  • The editor provides a front-end to all Snort 2.x rule features

  • It makes it easier to understand and modify any rule

  • You can also access online information for that rule


Wizard/ Online Update

  • The online update wizard is a front-end for configuring Oinkmaster (by Andreas Östling)

  • If you want to use this feature, you should download the EagleX package.


Logs/ Options Menu

These settings, if set, override the corresponding settings in the Snort configuration file. Example: you set the output plugin "alert_full: alert.ids" in snort.conf but selected "Fast" here. In this case Snort will log using fast mode.

  • Set the parameters (command-line parameters) of Snort.

  • Select the interface Snort should monitor, if necessary


Logs / Log Rotation

  • Log rotation will rotate the alert logs by compressing the files into ZIP packages and moving them to the Backup folder.


Alerts/ Detection

  • The alert alarm goes on if the file/database has changed.

  • Select at least one alert detection mode:

  • File alert detection mode (up to 10 files monitored)

  • Add the files which should be monitored for changes (at least the alert log file set in the main configuration panel should be added).

  • MySQL alert detection
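To show what file alert detection has to do with the alert_fast output configured earlier (output alert_fast: alert.ids), here is an added Python example, not part of the slides or of IDScenter: it parses alert_fast lines, reads only what was appended since the last check, restarts cleanly after the log has been rotated or truncated, holds back a partially written last line, and gates the notification hooks on priority. The sample lines are constructed to look like an alert for the project rule and an ICMP ping from the attacker host; the function names and the priority threshold are assumptions for this example.

```python
"""Added example (not from the slides): parse Snort 2.x alert_fast lines and report
only the alerts appended since the last check, as a file-watching front end must."""
import re

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")

# Constructed sample of what alert.ids could hold after the portmap probe and a ping
# from the attacker host; the third line shows that junk is skipped, not fatal.
SAMPLE_ALERTS = (
    "03/29-10:15:02.118342  [**] [1:598:11] Rule 4 RPC portmap listing TCP 111 [**] "
    "[Classification: Decode of an RPC Query] [Priority: 2] {TCP} 137.207.234.252:1234 -> 172.16.1.2:111\n"
    "03/29-10:15:05.420011  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] "
    "[Priority: 3] {ICMP} 137.207.234.252 -> 172.16.1.2\n"
    "this line is not an alert\n"
)

def parse_alert(line):
    """One alert_fast line -> dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def alerts_after(data, offset):
    """Parse only the bytes appended after `offset`; return (alerts, next_offset).
    A file shorter than the remembered offset was rotated or truncated, so start over.
    A trailing partial line (Snort mid-write) is left for the next pass."""
    if len(data) < offset:
        offset = 0
    chunk = data[offset:]
    end = chunk.rfind(b"\n") + 1          # 0 when no complete line is available
    lines = chunk[:end].decode("latin-1").splitlines()
    alerts = [a for a in map(parse_alert, lines) if a]
    return alerts, offset + end

def watch_file(path, offset=0):
    """File-backed wrapper: call it repeatedly (e.g. from a timer) with the returned offset."""
    with open(path, "rb") as f:
        return alerts_after(f.read(), offset)

def needs_attention(alert, max_priority=2):
    """Gate for the alarm / mail / program-execution hooks: priority 1 and 2 only (assumed threshold)."""
    return alert["prio"] is not None and alert["prio"] <= max_priority
```

Keeping a byte offset instead of re-reading the whole file on every timer tick is what makes "the file has changed" cheap to detect; the rotation check matters because the log rotation feature on the next slide replaces alert.ids with an empty file, after which a stale offset would silently skip every new alert.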


Alerts/ Notification

  • Alarm sound: select a WAV file if you selected "Start alarm sound when an alert is logged".

  • Program execution: IDScenter will execute this program if an alert was logged (start a script that reconfigures your router, generate HTML pages of the alert log using an external program, etc.)

  • AutoBlock - plugin system (example: Network ICE / BlackICE). It allows you to block specific network traffic (mini firewall)


Alerts/ AlertMail

  • AlertMail can send administrator alerts by mail if Snort has detected an attack.

  • You can include a sample of the latest attacks in the email message, as well as the log file as an attachment.


Our Opinion

  • IDScenter is a very simple and easy-to-use configuration utility for Snort.

  • It has a very good graphical interface.

  • Provides a lot of add-on features for managing Snort.

  • Provides good alerting features.

  • It has some compatibility issues with the latest Snort version (especially preprocessors and the latest MySQL version).

  • It has no analysis features.

  • It still requires good knowledge of Snort IDS to configure.