A Simple Network IDS

This is an old presentation I compiled for a final project.

This is an old presentation I compiled for a final project.

Speaker notes

  • There is a need for network intrusion detection today.
  • Created a self-contained demo NIDS on a laptop for the project.
  • Software that was used.
  • The picture is the Snort database schema.
  • The link gives a description of the vulnerability/exploit. CVE – Common Vulnerabilities and Exposures. Bugtraq – a widely used database of vulnerabilities and exploits. ICAT – just an acronym; it doesn't stand for anything any more; hosted by NIST, the National Institute of Standards and Technology.
  • Meta – signature, time, sensor (Alert Group is ACID-specific). IP – source, destination, IP header info, FQDN (if a DNS lookup is available). Layer 4 – TCP, UDP or ICMP header information, e.g. TCP sequence numbers. Payload – the actual packet data.
  • This project demonstrates a viable network IDS solution. All of the software used was low-cost open source software – PRO. Configuration, setup and learning curve – CON.
  • Snort logs alerts to the MySQL database. MySQL is a relational database. ACID reads the database and correlates the events into an easily readable format.
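The notes above describe the path an alert takes: Snort matches a signature, the event is written to the MySQL database, and ACID reads the database and correlates the events. The Python below is an added example, not code from the presentation, from Snort or from ACID. It parses constructed lines in Snort's alert_fast text format, loads them into an in-memory sqlite3 database (standing in for the project's MySQL server) under a cut-down three-table layout that is modelled on, but not identical to, the Snort database schema, and then runs the grouping and drill-down queries an analysis console builds its views from. The sample alert lines, rule SIDs and addresses are made up for the example; they were not captured from the lab network.

```python
"""Parse Snort alert_fast lines, load them into a relational store and run
ACID-style correlation queries.  Added example; sqlite3 stands in for MySQL
and the schema is a simplified stand-in for Snort's, not the real one."""
import re
import sqlite3

# One line of Snort's alert_fast output.  "[Classification: ...]" is optional
# because rules without a classtype do not print it, and ICMP alerts carry
# no port numbers.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample input (not real captures); SIDs 1000001-1000003 are
# placeholders from the local-rule range, not published Snort rules.
SAMPLE_ALERTS = """\
04/12-14:02:11.118342  [**] [1:1000001:1] TEST WEB-MISC suspicious request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.1.77:3412 -> 10.10.2.10:80
04/12-14:02:11.402110  [**] [1:1000001:1] TEST WEB-MISC suspicious request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.1.77:3413 -> 10.10.2.10:80
04/12-14:02:15.000412  [**] [1:1000002:1] TEST ICMP PING sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.10.1.77 -> 10.10.2.11
04/12-14:02:16.221090  [**] [1:1000002:1] TEST ICMP PING sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.10.1.77 -> 10.10.2.12
04/12-14:03:01.940001  [**] [1:1000003:2] TEST custom rule without classtype [**] [Priority: 3] {UDP} 10.10.1.9:53211 -> 10.10.2.10:53
this line is not an alert and is skipped
"""

# Simplified stand-in for the Snort database schema: signature, event, iphdr.
SCHEMA = """
CREATE TABLE signature (
    sig_id INTEGER PRIMARY KEY,
    sig_sid INTEGER, sig_rev INTEGER, sig_name TEXT, sig_priority INTEGER,
    UNIQUE (sig_sid, sig_rev)
);
CREATE TABLE event (
    cid INTEGER PRIMARY KEY, timestamp TEXT,
    signature INTEGER REFERENCES signature(sig_id)
);
CREATE TABLE iphdr (
    cid INTEGER PRIMARY KEY REFERENCES event(cid),
    ip_src TEXT, ip_dst TEXT, ip_proto TEXT,
    layer4_sport INTEGER, layer4_dport INTEGER
);
"""


def parse_alert(line):
    """Return a dict for one alert_fast line, or None for anything else."""
    m = FAST_ALERT.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "classification": d["classification"],
        "priority": int(d["priority"]), "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
    }


def load_alerts(alert_text):
    """Parse every alert line and store it relationally; returns the connection."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for line in alert_text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue  # non-alert line (e.g. a banner); nothing to store
        # One signature row per (sid, rev); repeated alerts reuse it.
        conn.execute("INSERT OR IGNORE INTO signature (sig_sid, sig_rev, sig_name, sig_priority)"
                     " VALUES (?, ?, ?, ?)", (rec["sid"], rec["rev"], rec["msg"], rec["priority"]))
        sig_id = conn.execute("SELECT sig_id FROM signature WHERE sig_sid = ? AND sig_rev = ?",
                              (rec["sid"], rec["rev"])).fetchone()[0]
        cur = conn.execute("INSERT INTO event (timestamp, signature) VALUES (?, ?)",
                           (rec["ts"], sig_id))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?, ?)",
                     (cur.lastrowid, rec["src"], rec["dst"], rec["proto"],
                      rec["sport"], rec["dport"]))
    conn.commit()
    return conn


def alerts_by_signature(conn):
    """The console's 'alerts by signature' view: one row per rule, busiest first."""
    return conn.execute("""
        SELECT s.sig_name, s.sig_priority, COUNT(*) AS hits
        FROM event e JOIN signature s ON s.sig_id = e.signature
        GROUP BY s.sig_id ORDER BY hits DESC, s.sig_name""").fetchall()


def top_sources(conn):
    """Source addresses ranked by alert count, with how many distinct hosts each touched."""
    return conn.execute("""
        SELECT ip_src, COUNT(*) AS hits, COUNT(DISTINCT ip_dst) AS targets
        FROM iphdr GROUP BY ip_src ORDER BY hits DESC, ip_src""").fetchall()


def events_for_source(conn, ip_src):
    """Drill-down for one source: every event it generated, in time order."""
    return conn.execute("""
        SELECT e.timestamp, s.sig_name, i.ip_dst, i.layer4_dport
        FROM event e JOIN signature s ON s.sig_id = e.signature
                     JOIN iphdr i ON i.cid = e.cid
        WHERE i.ip_src = ? ORDER BY e.timestamp""", (ip_src,)).fetchall()


if __name__ == "__main__":
    db = load_alerts(SAMPLE_ALERTS)
    for row in alerts_by_signature(db) + top_sources(db):
        print(row)
```

The per-source drill-down is the step that turns a hard-to-read log into something usable: the two web alerts and the ping sweep from 10.10.1.77 sit next to each other in time order instead of being scattered through the file. One caveat: the alert_fast format carries no payload and only summary header fields, so a console that needs the payload view the notes describe must read from Snort's database or full-alert output rather than from this text format.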

Transcript

  • 1. 07/01/13 – A Simple Network IDS. Team members: Brian Lapp, Dominic Reres, Bob Wilson, Daniel Cassiero.
  • 2. CRISIS!
  • 3. About the Project – A demonstration of a simple IDS. Can be used to secure and protect a network. Policy enforcement. (Diagram: Snort sensor IDS, console, relational database.)
  • 4. Implementation – Windows XP Professional with SP2. Snort version 2.3.2. MySQL database version 4.1. ACID v0.9.6b23. All components installed on a laptop for convenience.
  • 5. Snort – The Open Source IDS – Highly portable (*NIX, BSD, Win32). Uses "signatures". Open source.
  • 6. Snort – Flow – Monitors network traffic in promiscuous mode. Packet has signature match. Event is logged to database. Alert appears on ACID console.
  • 7. Snort – Data Logging – Direct log file. Database (MySQL, Oracle, MS SQL, ...).
  • 8. Data – Data captured from lab network. Attached Snort sensor directly to CRJ Labs.
  • 9. Snort Log – Log file format may be difficult to read. Sorting through events may be time consuming.
  • 10. Analysis Console for Intrusion Databases – GUI front end for logged data. Human readable at a glance. Utilizes relational data.
  • 11. Signatures – Link to signature description on console: CVE, Bugtraq, Snort.
  • 12. Console Analysis – Easy analysis with coded regions. Simple example showing an alert event.
  • 13. Network IDS Solution – Open source software: freely available to the public. Overhead: configuration and setup; learning curve.
  • 14. Summary – Snort: network sensor IDS, signatures. MySQL: relational database. ACID: SO console, incident alert.
  • 15. Resources – Snort: http://www.snort.org/. ACID (Analysis Console for Intrusion Databases): http://acidlab.sourceforge.net/. MySQL: http://www.mysql.org/.
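Slide 11 says the console links each signature to its CVE, Bugtraq and Snort descriptions. Those links are derived from the reference: options inside the Snort rule that fired. The Python below is an added example, not code from the presentation, from Snort or from ACID: it splits a rule into its header and option block, collects every reference, and expands each one to a URL by prepending the prefix for its reference system, which is how Snort's reference.config defines the mapping. The prefix table is reproduced from memory of that file and should be treated as an assumption; the sample rules, their SIDs and the www.example.com URL are constructed for the example (the CVE and Bugtraq IDs in the first rule are only illustrative inputs), and the parser covers the common rule layout rather than Snort's full grammar.

```python
"""Extract reference: options from Snort rules and expand them to the links
an analysis console shows beside an alert.  Added example, not Snort/ACID
code; the prefix table mirrors Snort's reference.config from memory."""
import re

# Assumed prefixes, in the form of "config reference: <system> <url>" lines
# from Snort's reference.config.  Snort prepends the prefix to the rule's id.
REFERENCE_SYSTEMS = {
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/bid/",
    "nessus": "http://cgi.nessus.org/plugins/dump.php3?id=",
    "url": "http://",
}

# Split the option block on ';' unless it is escaped as '\;' (allowed inside
# content: strings).
OPTION_SPLIT = re.compile(r"(?<!\\);")

# Constructed rules; SIDs are placeholders from the local-rule range.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TEST WEB-MISC example rule"; '
    'flow:to_server,established; content:"../"; nocase; reference:cve,2000-0884; '
    'reference:bugtraq,1806; classtype:web-application-attack; sid:1000001; rev:2;)',
    'alert udp any any -> $HOME_NET 53 (msg:"TEST DNS example with escaped semicolon"; '
    'content:"a\\;b"; reference:url,www.example.com/advisory; sid:1000002; rev:1;)',
    'alert icmp any any -> $HOME_NET any (msg:"TEST ICMP example without references"; '
    'itype:8; sid:1000003; rev:1;)',
]


def parse_rule(rule):
    """Parse one Snort rule into header fields, single-valued options and references."""
    rule = rule.strip()
    head, paren, body = rule.partition("(")
    if not paren or not body.rstrip().endswith(")"):
        raise ValueError("rule has no option block: %r" % rule)
    parts = head.split()
    if len(parts) != 7:
        raise ValueError("malformed rule header: %r" % head)
    action, proto, src, sport, direction, dst, dport = parts

    options = {}
    references = []
    for raw in OPTION_SPLIT.split(body.rstrip()[:-1]):
        raw = raw.strip()
        if not raw:
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip().replace("\\;", ";")
        if key == "reference":          # may appear several times per rule
            system, _, ident = value.partition(",")
            references.append((system.strip().lower(), ident.strip()))
        elif key not in options:        # first occurrence wins for the rest
            options[key] = value
    return {
        "action": action, "proto": proto, "src": src, "sport": sport,
        "direction": direction, "dst": dst, "dport": dport,
        "msg": options.get("msg", "").strip('"'),
        "sid": int(options["sid"]) if "sid" in options else None,
        "rev": int(options["rev"]) if "rev" in options else None,
        "classtype": options.get("classtype"),
        "options": options,
        "references": references,
    }


def reference_links(parsed):
    """(system, id, url) for each reference; url is None for an unknown system,
    which a console would show as plain text rather than a link."""
    links = []
    for system, ident in parsed["references"]:
        prefix = REFERENCE_SYSTEMS.get(system)
        links.append((system, ident, prefix + ident if prefix else None))
    return links


if __name__ == "__main__":
    for text in SAMPLE_RULES:
        parsed = parse_rule(text)
        print(parsed["sid"], parsed["msg"])
        for system, ident, url in reference_links(parsed):
            print("   ", system, ident, url)
```

Because the prefix is simply prepended, a rule author who writes reference:cve,CVE-2000-0884 instead of the bare 2000-0884 produces a different URL; the console shows whatever the rule says, so the rule set is what has to be kept consistent.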