Download
intrusion detection system using snort base basic analysis and security engine n.
Skip this Video
Loading SlideShow in 5 Seconds..
Intrusion Detection System using SNORT & BASE (Basic Analysis and Security Engine) PowerPoint Presentation
Download Presentation
Intrusion Detection System using SNORT & BASE (Basic Analysis and Security Engine)

Intrusion Detection System using SNORT & BASE (Basic Analysis and Security Engine)

847 Views Download Presentation
Download Presentation

Intrusion Detection System using SNORT & BASE (Basic Analysis and Security Engine)

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Intrusion Detection System using SNORT & BASE (Basic Analysis and Security Engine) Prepared By: Tahira Farid & Anitha Prahladachar Course: 60-564 Winter 2006

  2. Outline • Introduction to BASE • IDS test-bed • Installing and Configuring Necessary Prerequisites • Installing and Configuring BASE • Generating Signatures • Results • Acknowledgments • References

  3. Introduction to BASE • Basic Analysis and Security Engine • Successor to ACID • Developed by Danyliw at the CERT Coordination Center as part of the AirCERT (Automated Incident Reporting) project. • Actively maintained and supported by a team of volunteers led by Kevin Johnson and Joel Esler.

  4. Introduction to BASE (cont.) • Provides web front-end to query and analyze the alerts coming from a SNORT IDS system. • Can search and process databases containing security events logged by SNORT. • Written in PHP. • Has the ability to graphically display both layer-3 and layer-4 packet information.

  5. Introduction to BASE (cont.) • Current Version is Base 1.2 • Current search interface can query based on • Alert information • Sensor • Alert group • Signature, classification & detection time • Packet data information • Source/destination addresses • Ports • Packet payload/flags

  6. Introduction to BASE (cont.) • Provides easy management of Alert Data • Administrator can categorize data into alert groups, delete false positives or previously handled alerts. • Export alert data to an email address for administrative notification. • Support for user logins and roles, allowing an administrator to control what is seen through the web interface.

  7. BASE vs. ACID • ACID • No longer maintained • Hasn’t been updated for 3 years • BASE • BASE is actively updated and revised. • Has 200 bug fixes in it. • Faster bringing pages up • Provides more queries (i.e. today's unique alerts, last 24/72 hours alert etc.)

  8. IDS test-bed Host B (Destination): OS: Fedora Core 4 Software: Snort, BASE, Ethereal, MySQL, PHP, Apache Host A (Source): OS: Windows XP Software: Ethereal, CommView

  9. Installing and Configuring Necessary Prerequisites • In order for our IDS to function properly we install and configure the following components: • MySQL • Apache 2.2.0 • php-4.4.2 • httpd-2.2.0 • AdOdb460 • snort-2.4.3 • pcre-5.0 • PEAR Modules • base-1.2

  10. MySQL • 2 ways • Download from www.mysql.com • From Fedora Core4 installation CD Go to Desktop-system settings- Add/remove programs – MySQL Select following components: • MyODBC • Mod_auth_mysql • Mysql_devel • Mysql_server • Perl-DBD-MySQL • Php-mysql

  11. Apache 2.2.0 • Download Apache httpd server version 2.2.0 from http://httpd.apache.org • To install: • ./configure • Make • Make install

  12. PHP 4.4.2 • Download PHP4.4.2 from http://www.php.net • Extract source code in “/usr/local/src” • Configure command: • ./configure –with-mysql –with-apsx2 =/usr/local/apache2/bin/apxs –with-gd –with-zlib • Make • Make install

  13. Configure php.conf • In file /usr/local/apache2/conf/httpd.conf add line • Include conf.d/*.conf • mkdir /usr/local/apache2/conf.d • “php.conf” in “conf.d” • LoadModule php4_module modules /libphp4.so • <Files *.php> • SetOutputFilter PHP • SetInputFilter PHP • LimitRequestBody 9524288 • </Files> • AddType application/x-httpd-php .php • AddType application/x-httpd-php-source .phps • DirectoryIndex index.php

  14. ADOdb • A performance-conscious database abstraction layer for PHP. • BASE needs ADOdb to communicate with MySQL. • Download adodb from http://unc.dl.sourceforge.net/sourceforge/adodb/adodb460.tgz • Extract adodb in “usr/local/apache2/htdocs”

  15. SNORT • Create a dir “snortinstall” • Download & unpack from http://www.snort.org/dl/snort2.4.3.tar.gz • Download & unpack from http://umn.dl.sourceforge.net/sourceforge/pcre/pcre-5.0.tar.gz • To install SNORT: • ./configure • Make • Make install • To install PCRE(Perl Compatible Regular Expression): • ./configure • Make • Make install

  16. Configuring SNORT • Groupadd snort • Useradd –g snort snort • Create dir: • /etc/snort • /etc/snort/rules • /var/log/snort • Copy dir ‘rules’ from dir ‘snort2.3.0’ to ‘/etc/snort/rules’

  17. Configuring snort.conf • var HOME_NET 10.2.2.0/32 • var EXTERNAL_NET !$HOME_NET • var RULE_PATH /etc/snort/rules • output database: log, mysql, user =snort password=snort dbname=snort host=localhost • output database: alert, mysql, user =snort password=snort dbname=snort host=localhost

  18. Setting up database in MySQL • Mysql • SET PASSWORD FOR root@localhost = PASSWORD (‘passwd’); • Create database snort; • SET PASSWORD FOR snort@localhost=PASSWORD(‘pwd in snort.conf’); • Grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost; • Grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;

  19. To create tables • Mysql –u root –p < ~/snortinstall/snort-4.3.0 /schemas /create_mysql snort • Enter password: the mysql root password

  20. To create tables

  21. PEAR Modules • PEAR - PHP Extension and Application Repository • BASE documentation recommends PEAR installation. Commands for installation: • /usr/local/php/bin/pear install Image_Color • /usr/local/php/bin/pear install Log • /usr/local/php/bin/pear install Numbers_Roman • /usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz • /usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz

  22. To start the ‘services’ • chkconfig httpd on • chkconfig mysqld on • service httpd start • service mysqld start • /usr/local/apache2/bin/apachectl –k start • snort –dev –l /var/log/snort –h 137.207.234.73/32 –c /etc/snort/snort.conf

  23. Configuring BASE • Download BASE from http://sourceforge.net/project/showfiles.php?group_id=103348 • cp base-1.2.tar.gz /var/www/html/ • cd /var/www/html • tar –xvzf base-1.2.tar.gz • cd /var/www/html/base/ • cp base_conf.php.dist base_conf.php • cd\ • cp /var/www/html/base-1.2 /usr/local/apache2/htdocs/

  24. Configuring BASE (cont.) • Edit the base_conf.php file in /usr/local/apache2/htdocs/ • $BASE_urlpath = "/base"; • $DBlib_path = "/usr/local/apache2/htdocs/adodb"; • $DBtype = "mysql"; • $alert_dbname = "snort"; • $alert_host = "localhost"; • $alert_port = ""; • $alert_user = "snort"; • $alert_password = "password_from_snort_conf"; • $archive_dbname = "snort"; • $archive_host = "localhost"; • $archive_port = ""; • $archive_user = "snort"; • $archive_password = " password_from_snort_conf "; • $ChartLib_path = "/var/www/html/jpgraph-1.20.3/src";

  25. Configuring BASE (cont.) • Open a web browser • if the browser is on the localhost, type http://localhost/base • if the browser is on another machine type http://IP_Address/base to begin using the GUI to view and manage alerts.

  26. Ethernet layer header Generating Signatures on Host A

  27. Results • Before sending signatures from HOST A, Run snort on HOST B • In Mysql check: select * from signature;

  28. Results (cont.) • In a web browser: http://137.207.234.73/base

  29. Results (cont.)

  30. Results (cont.) • Unique Alerts

  31. Results (cont.) • Different links located to the left of each signature, attempts to connect to different signature databases to provide more detailed information about that particular signature.

  32. Results (cont.) • Source/ Destination IP link brings up a summary that includes: • How many times that IP was logged as a source or destination • First and last time that IP was logged • Contains links to external web-based tools that provide DNS and Whois look up services.

  33. Results (cont.) • Source/Destination Ports link displays a summary of • ports, number of occurrences • time first seen and time last seen. • Each listed port number is a hyperlink to the SANS Internet Storm Center http://isc.sans.org for that port number.

  34. Results (cont.) • Creating Alert Groups • Group event information into user-defined categories for easy perusal.

  35. Results (cont.) • Specify signatures for different AGs

  36. Results (cont.) • Graph from Alert Data

  37. Results (cont.) • Graph from Alert Detection Time to identify Periods of Heavy Activity

  38. Results (cont.) • The Search Function quickly searches through the database for certain criteria and present it in an ordered fashion. • Allowable search criteria include Alert Group, Signature, and Alert Time. • The results can be ordered by timestamp, signature, source IP, or destination IP.

  39. Results (cont.) • User and Role Management

  40. Results (cont.) • Email Alerts

  41. Acknowledgements • We would like to thank Dr.Aggarwal for giving us this opportunity to handle such an industry standard level project. • We would also like to thank all other groups for giving us valuable suggestions throughout the project.

  42. References • www.snort.org • www.sourceforge.net • http://www.rootsecure.net/content/downloads/pdf/snort_install_guide_fedora4.pdf • http://www.sun.com/bigadmin/features/articles/snort_base.html

  43. Thank You!!!! Demo in Room 3144 Questions? Tahira Farid(farid1@uwindsor.ca) Anitha Prahladachar(chikker@uwindsor.ca)