07/01/1307/01/13 11
A Simple Network IDSA Simple Network IDS
Team Members:Team Members:
Brian LappBrian Lapp
Dominic Reres...
207/01/13
CRISIS!CRISIS!
307/01/13
About the ProjectAbout the Project
A demonstration of a simple IDS.A demonstration of a simple IDS.
Can be used ...
407/01/13
ImplementationImplementation
Windows XP Professional with SP2Windows XP Professional with SP2
Snort version 2.3....
507/01/13
Snort – The Open Source IDSSnort – The Open Source IDS
Highly PortableHighly Portable
(*NIX, BSD, Win32)(*NIX, B...
607/01/13
Snort - FlowSnort - Flow
Monitors network traffic in promiscuousMonitors network traffic in promiscuous
modemode...
707/01/13
Snort – Data LoggingSnort – Data Logging
Direct log fileDirect log file
Database (MySQL,Database (MySQL,
ORACLE,...
807/01/13
DataData
Data captured from lab networkData captured from lab network
Attached snort sensor directly to CRJ Labs...
907/01/13
Snort LogSnort Log
Log file format may be difficult to read.Log file format may be difficult to read.
Sorting th...
1007/01/13
AAnalysisnalysis CConsole foronsole for IIntrusionntrusion DDatabasesatabases
GUI Frontend forGUI Frontend for
...
1107/01/13
SignaturesSignatures
Link to signature description on consoleLink to signature description on console
CVECVE
Bu...
1207/01/13
Console AnalysisConsole Analysis
Easy analysis with coded regionsEasy analysis with coded regions
Simple exampl...
1307/01/13
Network IDS SolutionNetwork IDS Solution
Open Source softwareOpen Source software

Freely available to the pub...
1407/01/13
SummarySummary
SnortSnort

Network Sensor IDSNetwork Sensor IDS

SignaturesSignatures
MySQLMySQL

Relational...
1507/01/13
ResourcesResources
SnortSnort

http://http://www.snort.orgwww.snort.org//
ACIDACID

http://acidlab.sourceforg...
Upcoming SlideShare
Loading in...5
×

A Simple Network IDS

291

Published on

This is an old presentation I compiled for a final project.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
291
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • A need for network intrusion detection today
  • Created a self-contained demo NIDS on a laptop for the project.
  • Stuff that was used
  • Picture is the snort schema
  • Link gives a description of the vuln/exploit CVE – Common Vulnerabilities and Exploits Bugtraq – Common database of vulnerabilities and exploits ICAT – just an acronym…doesn’t stand for anything anymore hosted by NIST National Institute for Standards in Technology
  • Meta – Signature, time, sensor (Alert Group – ACID specific) IP – Source, Destination, IP Header info, FQDN (if DNS lookup available) TCP – Layer 4 information – TCP, UDP, ICMP sequence number Payload – the actual packet data
  • This project demonstrates a viable network IDS solution All of the software used was low-cost open source software – PRO Small learning curve - CON
  • Snort logs alerts to the MySQL database MySQL database is a relational database ACID reads the database and correlates it in an easily readable format.
  • A Simple Network IDS

    1. 1. 07/01/1307/01/13 11 A Simple Network IDSA Simple Network IDS Team Members:Team Members: Brian LappBrian Lapp Dominic ReresDominic Reres Bob WilsonBob Wilson Daniel CassieroDaniel Cassiero
    2. 2. 207/01/13 CRISIS!CRISIS!
    3. 3. 307/01/13 About the ProjectAbout the Project A demonstration of a simple IDS.A demonstration of a simple IDS. Can be used to secure and protect aCan be used to secure and protect a network.network. Policy enforcement.Policy enforcement. Snort Sensor IDS Console Relational Database
    4. 4. 407/01/13 ImplementationImplementation Windows XP Professional with SP2Windows XP Professional with SP2 Snort version 2.3.2Snort version 2.3.2 MySQL database version 4.1MySQL database version 4.1 ACID v .9.6b23ACID v .9.6b23 All components installed on a laptop forAll components installed on a laptop for convenience.convenience.
    5. 5. 507/01/13 Snort – The Open Source IDSSnort – The Open Source IDS Highly PortableHighly Portable (*NIX, BSD, Win32)(*NIX, BSD, Win32) Uses “Signatures”Uses “Signatures” Open SourceOpen Source
    6. 6. 607/01/13 Snort - FlowSnort - Flow Monitors network traffic in promiscuousMonitors network traffic in promiscuous modemode Packet has signature matchPacket has signature match Event is logged to databaseEvent is logged to database Alert appears on ACID consoleAlert appears on ACID console
    7. 7. 707/01/13 Snort – Data LoggingSnort – Data Logging Direct log fileDirect log file Database (MySQL,Database (MySQL, ORACLE, MSORACLE, MS SQL...)SQL...)
    8. 8. 807/01/13 DataData Data captured from lab networkData captured from lab network Attached snort sensor directly to CRJ LabsAttached snort sensor directly to CRJ Labs
    9. 9. 907/01/13 Snort LogSnort Log Log file format may be difficult to read.Log file format may be difficult to read. Sorting through events may be timeSorting through events may be time consuming.consuming.
    10. 10. 1007/01/13 AAnalysisnalysis CConsole foronsole for IIntrusionntrusion DDatabasesatabases GUI Frontend forGUI Frontend for logged datalogged data Human readable atHuman readable at a glancea glance Utilize relationalUtilize relational data.data.
    11. 11. 1107/01/13 SignaturesSignatures Link to signature description on consoleLink to signature description on console CVECVE BugtraqBugtraq SnortSnort
    12. 12. 1207/01/13 Console AnalysisConsole Analysis Easy analysis with coded regionsEasy analysis with coded regions Simple example showing an Alert eventSimple example showing an Alert event
    13. 13. 1307/01/13 Network IDS SolutionNetwork IDS Solution Open Source softwareOpen Source software  Freely available to the publicFreely available to the public OverheadOverhead  Configuration and setupConfiguration and setup  Learning curveLearning curve
    14. 14. 1407/01/13 SummarySummary SnortSnort  Network Sensor IDSNetwork Sensor IDS  SignaturesSignatures MySQLMySQL  Relational DatabaseRelational Database ACIDACID  SO ConsoleSO Console  Incident AlertIncident Alert
    15. 15. 1507/01/13 ResourcesResources SnortSnort  http://http://www.snort.orgwww.snort.org// ACIDACID  http://acidlab.sourceforge.net/http://acidlab.sourceforge.net/ MySQLMySQL  http://www.mysql.org/http://www.mysql.org/ Analysis Console for Intrusion Databases

    ×