
Intrusion Detection System using SNORT & BASE (Basic Analysis and Security Engine)



  1. Intrusion Detection System using SNORT & BASE (Basic Analysis and Security Engine) Prepared By: Tahira Farid & Anitha Prahladachar Course: 60-564 Winter 2006

  2. Outline • Introduction to BASE • IDS test-bed • Installing and Configuring Necessary Prerequisites • Installing and Configuring BASE • Generating Signatures • Results • Acknowledgments • References

  3. Introduction to BASE • Basic Analysis and Security Engine • Successor to ACID • Developed by Danyliw at the CERT Coordination Center as part of the AirCERT (Automated Incident Reporting) project. • Actively maintained and supported by a team of volunteers led by Kevin Johnson and Joel Esler.

  4. Introduction to BASE (cont.) • Provides web front-end to query and analyze the alerts coming from a SNORT IDS system. • Can search and process databases containing security events logged by SNORT. • Written in PHP. • Has the ability to graphically display both layer-3 and layer-4 packet information.

  5. Introduction to BASE (cont.) • Current version is BASE 1.2 • Current search interface can query based on: • Alert information: sensor; alert group; signature, classification and detection time • Packet data information: source/destination addresses; ports; packet payload/flags

  6. Introduction to BASE (cont.) • Provides easy management of Alert Data • Administrator can categorize data into alert groups, delete false positives or previously handled alerts. • Export alert data to an email address for administrative notification. • Support for user logins and roles, allowing an administrator to control what is seen through the web interface.

  7. BASE vs. ACID • ACID: • No longer maintained • Hasn't been updated for 3 years • BASE: • Actively updated and revised • Includes 200 bug fixes • Brings pages up faster • Provides more queries (e.g. today's unique alerts, last 24/72 hours' alerts, etc.)

  8. IDS test-bed • Host B (destination): OS: Fedora Core 4; software: Snort, BASE, Ethereal, MySQL, PHP, Apache • Host A (source): OS: Windows XP; software: Ethereal, CommView

  9. Installing and Configuring Necessary Prerequisites • In order for our IDS to function properly we install and configure the following components: • MySQL • Apache 2.2.0 • php-4.4.2 • httpd-2.2.0 • AdOdb460 • snort-2.4.3 • pcre-5.0 • PEAR Modules • base-1.2

  10. MySQL • 2 ways: • Download from www.mysql.com • From the Fedora Core 4 installation CD: go to Desktop, System Settings, Add/Remove Programs, MySQL and select the following components: • MyODBC • mod_auth_mysql • mysql-devel • mysql-server • perl-DBD-MySQL • php-mysql

  11. Apache 2.2.0 • Download Apache httpd server version 2.2.0 from http://httpd.apache.org • To install: • ./configure • make • make install

  12. PHP 4.4.2 • Download PHP 4.4.2 from http://www.php.net • Extract the source code in "/usr/local/src" • Configure command: • ./configure --with-mysql --with-apxs2=/usr/local/apache2/bin/apxs --with-gd --with-zlib • make • make install

  13. Configure php.conf • In the file /usr/local/apache2/conf/httpd.conf add the line: • Include conf.d/*.conf • mkdir /usr/local/apache2/conf.d • Create "php.conf" in "conf.d" containing: • LoadModule php4_module modules/libphp4.so • <Files *.php> • SetOutputFilter PHP • SetInputFilter PHP • LimitRequestBody 9524288 • </Files> • AddType application/x-httpd-php .php • AddType application/x-httpd-php-source .phps • DirectoryIndex index.php

  14. ADOdb • A performance-conscious database abstraction layer for PHP. • BASE needs ADOdb to communicate with MySQL. • Download ADOdb from http://unc.dl.sourceforge.net/sourceforge/adodb/adodb460.tgz • Extract adodb in "/usr/local/apache2/htdocs"

  15. SNORT • Create a dir "snortinstall" • Download & unpack from http://www.snort.org/dl/snort2.4.3.tar.gz • Download & unpack from http://umn.dl.sourceforge.net/sourceforge/pcre/pcre-5.0.tar.gz • To install SNORT: • ./configure • make • make install • To install PCRE (Perl Compatible Regular Expressions): • ./configure • make • make install

  16. Configuring SNORT • groupadd snort • useradd -g snort snort • Create dirs: • /etc/snort • /etc/snort/rules • /var/log/snort • Copy dir 'rules' from dir 'snort2.3.0' to '/etc/snort/rules'

  17. Configuring snort.conf • var HOME_NET 10.2.2.0/32 • var EXTERNAL_NET !$HOME_NET • var RULE_PATH /etc/snort/rules • output database: log, mysql, user=snort password=snort dbname=snort host=localhost • output database: alert, mysql, user=snort password=snort dbname=snort host=localhost

  18. Setting up database in MySQL • mysql • SET PASSWORD FOR root@localhost = PASSWORD('passwd'); • CREATE DATABASE snort; • SET PASSWORD FOR snort@localhost = PASSWORD('pwd in snort.conf'); • GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO snort@localhost; • GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO snort;

  19. To create tables • mysql -u root -p < ~/snortinstall/snort-2.4.3/schemas/create_mysql snort • Enter password: the MySQL root password

  20. To create tables

  21. PEAR Modules • PEAR - PHP Extension and Application Repository • BASE documentation recommends PEAR installation. Commands for installation: • /usr/local/php/bin/pear install Image_Color • /usr/local/php/bin/pear install Log • /usr/local/php/bin/pear install Numbers_Roman • /usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz • /usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz

  22. To start the 'services' • chkconfig httpd on • chkconfig mysqld on • service httpd start • service mysqld start • /usr/local/apache2/bin/apachectl -k start • snort -dev -l /var/log/snort -h 137.207.234.73/32 -c /etc/snort/snort.conf

  23. Configuring BASE • Download BASE from http://sourceforge.net/project/showfiles.php?group_id=103348 • cp base-1.2.tar.gz /var/www/html/ • cd /var/www/html • tar -xvzf base-1.2.tar.gz • cd /var/www/html/base/ • cp base_conf.php.dist base_conf.php • cd • cp -r /var/www/html/base-1.2 /usr/local/apache2/htdocs/

  24. Configuring BASE (cont.) • Edit the base_conf.php file in /usr/local/apache2/htdocs/ • $BASE_urlpath = "/base"; • $DBlib_path = "/usr/local/apache2/htdocs/adodb"; • $DBtype = "mysql"; • $alert_dbname = "snort"; • $alert_host = "localhost"; • $alert_port = ""; • $alert_user = "snort"; • $alert_password = "password_from_snort_conf"; • $archive_dbname = "snort"; • $archive_host = "localhost"; • $archive_port = ""; • $archive_user = "snort"; • $archive_password = "password_from_snort_conf"; • $ChartLib_path = "/var/www/html/jpgraph-1.20.3/src";
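Slides 17 and 24 configure the same database connection twice, once in snort.conf and once in base_conf.php, and a mismatch between the two is the usual reason BASE cannot read the alerts that Snort is writing. The following Python check is an added example, not part of the slides or of Snort/BASE: it parses the `output database:` lines of snort.conf and the `$alert_*`/`$archive_*` assignments of base_conf.php and lists every field on which they disagree. The two configuration fragments are constructed inline from the values on the slides; the regular expressions, the `run_check` entry point and the warning about a database password equal to the user name are this example's own.

```python
import re

# Constructed snort.conf fragment with the values shown on slide 17
SNORT_CONF = """\
var HOME_NET 10.2.2.0/32
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
output database: alert, mysql, user=snort password=snort dbname=snort host=localhost
"""

# Constructed base_conf.php fragment with the values shown on slide 24
BASE_CONF = """\
<?php
$BASE_urlpath = "/base";
$DBtype = "mysql";
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "snort";
$alert_password = "password_from_snort_conf";
$archive_dbname = "snort";
$archive_host   = "localhost";
$archive_user   = "snort";
$archive_password = "password_from_snort_conf";
"""

OUTPUT_RE = re.compile(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")
KV_RE = re.compile(r"(\w+)\s*=\s*(\S+)")          # key=value pairs after the db type
PHP_VAR_RE = re.compile(r'^\s*\$(\w+)\s*=\s*"([^"]*)"\s*;')


def parse_snort_outputs(text):
    """One dict per 'output database:' line: facility (log/alert), dbtype, key=value params."""
    outputs = []
    for line in text.splitlines():
        m = OUTPUT_RE.match(line)
        if m:
            facility, dbtype, rest = m.groups()
            outputs.append({"facility": facility, "dbtype": dbtype, **dict(KV_RE.findall(rest))})
    return outputs


def parse_base_conf(text):
    """Collect the $name = "value"; assignments from base_conf.php."""
    return {m.group(1): m.group(2) for m in map(PHP_VAR_RE.match, text.splitlines()) if m}


def check_consistency(outputs, base_vars, facility="alert", prefix="alert"):
    """Compare one Snort database output plugin with BASE's $<prefix>_* settings."""
    out = next((o for o in outputs if o["facility"] == facility), None)
    if out is None:
        return [f"snort.conf has no 'output database: {facility}' line"]
    problems = []
    if out["dbtype"] != base_vars.get("DBtype"):
        problems.append(f"DBtype={base_vars.get('DBtype')!r} but snort.conf uses {out['dbtype']!r}")
    for snort_key in ("dbname", "host", "user", "password"):
        base_key = f"{prefix}_{snort_key}"
        if out.get(snort_key) != base_vars.get(base_key):
            problems.append(f"{base_key}={base_vars.get(base_key)!r} but snort.conf "
                            f"{snort_key}={out.get(snort_key)!r}")
    # Hygiene check of this example's own: the slides use 'snort' for both user and password
    if out.get("password") and out["password"] == out.get("user"):
        problems.append("snort.conf database password equals the user name; pick a distinct password")
    return problems


def run_check(snort_conf=SNORT_CONF, base_conf=BASE_CONF):
    """Check the alert and archive sections of base_conf.php against Snort's 'alert' output."""
    outputs = parse_snort_outputs(snort_conf)
    base_vars = parse_base_conf(base_conf)
    return {"alert": check_consistency(outputs, base_vars, "alert", "alert"),
            "archive": check_consistency(outputs, base_vars, "alert", "archive")}


if __name__ == "__main__":
    for section, problems in run_check().items():
        print(section + ":", "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Run against the slide values it reports, for both sections, that `password_from_snort_conf` in base_conf.php does not match the `password=snort` in snort.conf, and that the Snort password is the same string as the user name. Both archive settings are compared with the single `alert` output because the slides point the archive database at the same `snort` database.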

  25. Configuring BASE (cont.) • Open a web browser • if the browser is on the localhost, type http://localhost/base • if the browser is on another machine type http://IP_Address/base to begin using the GUI to view and manage alerts.

  26. Generating Signatures on Host A • Ethernet layer header

  27. Results • Before sending signatures from HOST A, Run snort on HOST B • In Mysql check: select * from signature;

  28. Results (cont.) • In a web browser: http://137.207.234.73/base

  29. Results (cont.)

  30. Results (cont.) • Unique Alerts

  31. Results (cont.) • The different links located to the left of each signature attempt to connect to different signature databases to provide more detailed information about that particular signature.

  32. Results (cont.) • Source/ Destination IP link brings up a summary that includes: • How many times that IP was logged as a source or destination • First and last time that IP was logged • Contains links to external web-based tools that provide DNS and Whois look up services.

  33. Results (cont.) • Source/Destination Ports link displays a summary of • ports, number of occurrences • time first seen and time last seen. • Each listed port number is a hyperlink to the SANS Internet Storm Center http://isc.sans.org for that port number.

  34. Results (cont.) • Creating Alert Groups • Group event information into user-defined categories for easy perusal.

  35. Results (cont.) • Specify signatures for different AGs

  36. Results (cont.) • Graph from Alert Data

  37. Results (cont.) • Graph from Alert Detection Time to identify Periods of Heavy Activity

  38. Results (cont.) • The Search Function quickly searches through the database for certain criteria and presents the results in an ordered fashion. • Allowable search criteria include Alert Group, Signature, and Alert Time. • The results can be ordered by timestamp, signature, source IP, or destination IP.
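The views on slides 30 through 38 (unique alerts, the per-address summary, the per-port summary and the ordered search) are all queries over the tables that create_mysql set up on slide 19. As an added example, not BASE's own PHP code, here they are as plain SQL in Python, with SQLite standing in for MySQL so it runs offline. Assumptions: only the columns used below are defined for the `signature`, `event`, `iphdr` and `tcphdr` tables (their names and the `sid`/`cid` keys follow the Snort schema, the rest is omitted), the five alerts are constructed, and the signature names are invented.

```python
import sqlite3
import ipaddress

# Subset of the Snort database schema that BASE reads, as SQLite DDL (assumed; only
# the columns this example uses are defined)
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL, sig_priority INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER NOT NULL,
                        timestamp TEXT NOT NULL, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                        ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr    (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER,
                        PRIMARY KEY (sid, cid));
"""

def ip_to_int(addr):
    """Snort stores IPv4 addresses as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(addr))

def int_to_ip(n):
    return str(ipaddress.IPv4Address(n))

# Constructed alerts from one sensor (sid=1): cid, sig_id, timestamp, src, dst, proto, sport, dport
SAMPLE_SIGNATURES = [(1, "ICMP PING", 3), (2, "WEB-MISC example probe", 2)]
SAMPLE_EVENTS = [
    (1, 1, "2006-03-01 10:00:00", "10.2.2.5", "137.207.234.73", 1, None, None),
    (2, 1, "2006-03-01 10:05:00", "10.2.2.6", "137.207.234.73", 1, None, None),
    (3, 2, "2006-03-01 11:00:00", "10.2.2.5", "137.207.234.73", 6, 40000, 80),
    (4, 2, "2006-03-02 09:30:00", "10.2.2.5", "137.207.234.73", 6, 40001, 80),
    (5, 2, "2006-03-02 09:31:00", "10.2.2.7", "137.207.234.73", 6, 40002, 22),
]

def load_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", SAMPLE_SIGNATURES)
    for cid, sig, ts, src, dst, proto, sport, dport in SAMPLE_EVENTS:
        conn.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?, ?)",
                     (cid, ip_to_int(src), ip_to_int(dst), proto))
        if proto == 6:  # only TCP alerts get a tcphdr row
            conn.execute("INSERT INTO tcphdr VALUES (1, ?, ?, ?)", (cid, sport, dport))
    conn.commit()
    return conn

def unique_alerts(conn):
    """Slide 30: one row per signature with totals, distinct addresses and time span."""
    rows = conn.execute("""
        SELECT s.sig_name, COUNT(*) AS total, COUNT(DISTINCT i.ip_src), COUNT(DISTINCT i.ip_dst),
               MIN(e.timestamp), MAX(e.timestamp)
        FROM event e JOIN signature s ON s.sig_id = e.signature
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        GROUP BY s.sig_name ORDER BY total DESC, s.sig_name""").fetchall()
    keys = ("signature", "total", "src_addrs", "dst_addrs", "first", "last")
    return [dict(zip(keys, r)) for r in rows]

def address_summary(conn, addr):
    """Slide 32: how often an address was logged as source/destination, first and last time."""
    n = ip_to_int(addr)
    as_src, as_dst, first, last = conn.execute("""
        SELECT SUM(i.ip_src = ?), SUM(i.ip_dst = ?), MIN(e.timestamp), MAX(e.timestamp)
        FROM iphdr i JOIN event e ON e.sid = i.sid AND e.cid = i.cid
        WHERE i.ip_src = ? OR i.ip_dst = ?""", (n, n, n, n)).fetchone()
    return {"address": addr, "as_source": as_src or 0, "as_destination": as_dst or 0,
            "first": first, "last": last}

PORT_COLUMNS = {"source": "tcp_sport", "destination": "tcp_dport"}

def port_summary(conn, direction="destination"):
    """Slide 33: occurrences per port with first/last seen. Column name from a fixed map."""
    col = PORT_COLUMNS[direction]
    rows = conn.execute(f"""
        SELECT t.{col}, COUNT(*) AS n, MIN(e.timestamp), MAX(e.timestamp)
        FROM tcphdr t JOIN event e ON e.sid = t.sid AND e.cid = t.cid
        GROUP BY t.{col} ORDER BY n DESC, t.{col}""").fetchall()
    return [dict(zip(("port", "occurrences", "first", "last"), r)) for r in rows]

ORDER_COLUMNS = {"timestamp": "e.timestamp", "signature": "s.sig_name",
                 "src_ip": "i.ip_src", "dst_ip": "i.ip_dst"}

def search(conn, sig_name=None, since=None, order_by="timestamp"):
    """Slide 38: filters are bound parameters; the sort column must come from the whitelist."""
    if order_by not in ORDER_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    clauses, params = [], []
    if sig_name is not None:
        clauses.append("s.sig_name = ?"); params.append(sig_name)
    if since is not None:
        clauses.append("e.timestamp >= ?"); params.append(since)
    where = ("WHERE " + " AND ".join(clauses)) if clauses else ""
    rows = conn.execute(f"""
        SELECT e.cid, s.sig_name, e.timestamp, i.ip_src, i.ip_dst
        FROM event e JOIN signature s ON s.sig_id = e.signature
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        {where} ORDER BY {ORDER_COLUMNS[order_by]}""", params).fetchall()
    return [{"cid": cid, "signature": sig, "timestamp": ts, "src": int_to_ip(src), "dst": int_to_ip(dst)}
            for cid, sig, ts, src, dst in rows]

if __name__ == "__main__":
    db = load_sample_db()
    for row in unique_alerts(db): print(row)
    print(address_summary(db, "10.2.2.5"))
    print(port_summary(db))
    print(search(db, sig_name="WEB-MISC example probe", since="2006-03-02 00:00:00"))
```

Two details carry over to any web front end built on this schema: search criteria typed by the user (signature name, time) are passed as bound parameters, and the column used for sorting is looked up in a fixed map rather than interpolated from the request, so a crafted `order_by` value cannot change the query.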

  39. Results (cont.) • User and Role Management

  40. Results (cont.) • Email Alerts

  41. Acknowledgements • We would like to thank Dr. Aggarwal for giving us this opportunity to handle such an industry-standard-level project. • We would also like to thank all other groups for giving us valuable suggestions throughout the project.

  42. References • www.snort.org • www.sourceforge.net • http://www.rootsecure.net/content/downloads/pdf/snort_install_guide_fedora4.pdf • http://www.sun.com/bigadmin/features/articles/snort_base.html

  43. Thank You!!!! Demo in Room 3144 Questions? Tahira Farid(farid1@uwindsor.ca) Anitha Prahladachar(chikker@uwindsor.ca)
