Sguil

Sguil presentation for Linux User Group (Singapore) 2004/4/7

Transcript

  • 1. Network Security Analysis with SGUIL
      • Introduction to Network Security Analysis with SGUIL
      • Linux User Group Singapore
      • Friday 7th May 2004
      • By Michael Boman <michael.boman@boseco.com>
  • 2. What we will cover:
    • Benefits of running Snort + SGUIL
    • Alert flow in a Snort + SGUIL setup
    • SGUIL alert categories
    • Demo of SGUIL
    • Q & A
  • 3. Why Sguil?
    • Real-time alerting
    • X Window and Win32 “native” client (i.e. not web based)
    • DB schema optimized for fast analysis of alerts
    • Integrated passive fingerprinting, session transcript
    • Ability to work on an "attack" without an IDS alert
    • Categorization of events
    • Escalation of events
    • Accountability of analysts' actions
    • Ability to watch specific sensors
  • 4. Software
    • Snort
      • NIDS engine
    • Barnyard
      • Output processor for Snort
    • MySQL
      • Alert storage medium
    • SANCP (optional)
      • Session logger
    • tcpdump, ethereal, tcpflow
      • Helper applications
    • TCL/TK (and various TCL modules)
      • The language of choice for SGUIL
  • 5. The Sguil Architecture
    • Detect Events of Interest on the network
    • Upload port scan and session statistics
    • Record all network traffic
    • Receive alerts and statistics from sensor
    • Send alerts and other data to consoles
    • Receive requests from consoles
    • Keep track of alert status
    • Analyze and categorize alerts
  • 6. Login to Sguil
    • Authenticate client to server
    • Optional SSL encryption of session
    • Password never sent over the network
    • Once authenticated, choose what sensors to receive alerts for
      • Currently no access control to limit what you are allowed to see
  • 7. Sguil Login Screen
  • 8. Sguil Sensor Selection
  • 9. Sguil Console Layout
    • 3 Areas
      • Alert list
      • Host lookup
      • Alert details
  • 10. Sguil Console Layout (annotated screenshot; labels: Time (UTC), Event pane(s), Signature viewer, Event / port scan details, Reverse DNS / WHOIS lookup, System Messages / Console CHAT window, Alert tabs)
  • 11. Sguil flow: Receiving IDS Alerts (architecture diagram; labels: Network Sensor, Snort IDS, Barnyard, Server, sguild, MySQL, Console, sguil.tk, xscriptd, log_packets, sensor agent)
  • 12. Sguil RT Events (screenshot; annotated columns: Count, Event ID, Protocol Number (1 = ICMP, 6 = TCP, 17 = UDP), Status)
  • 13. Sguil flow: Getting Alert Details (same sensor / server / console architecture diagram as slide 11)
  • 14. Sguil Event Details
  • 15. Sguil Host Lookup
  • 16. Sguil flow: Collecting Portscan Data (same sensor / server / console architecture diagram as slide 11)
  • 17. Sguil flow: Getting Portscan Details (same sensor / server / console architecture diagram as slide 11)
  • 18. Sguil Portscan Event
  • 19. Sguil flow: Recording Network Traffic (same sensor / server / console architecture diagram as slide 11)
  • 20. Sguil flow: Getting Session Transcript
  • 21. Sguil Transcript
  • 22. Sguil flow: Getting PCAP data (same sensor / server / console architecture diagram as slide 11)
  • 23. Ethereal integration
  • 24. Sguil flow: Collecting Session Data (same sensor / server / console architecture diagram as slide 11)
  • 25. Sguil flow: Getting Session Details (same sensor / server / console architecture diagram as slide 11)
  • 26. Sguil Session Query
  • 27. Event Categories
    • 7 different categories
    • Less complicated compared to SANS severity ratings.
    • Designed for fast analysis and categorization.
      • Events are categorized using the F1-F7 function keys.
      • Shift + function key categorizes the alert with a comment.
      • F8 moves the event to the “No Further Action Required” “category”.
      • F9 escalates the event. A comment explaining why the alert is escalated is mandatory.
  • 28. Category I : Root/Administrator Account Compromise
    • Unauthorized party gains 'root' or 'administrator' control on monitored system.
    • The Windows SYSTEM account is included.
    • Whether by worms, automated tools or manual hacks does not matter.
  • 29. Category II: User Account Compromise
    • Unauthorized party gains control of any non-root or non-administrator account on monitored system.
    • Whether by worms, automated tools or manual hacks does not matter.
  • 30. Category III: Attempted Account Compromise
    • Unauthorized party attempts to gain root/administrator or user level access on monitored system.
    • The attack fails for one of several reasons:
      • Target may be properly patched to reject the attack.
      • Attacker may find a vulnerable machine, but he may not be sufficiently skilled to execute the attack.
      • Target may be vulnerable to the attack, but its configuration prevents compromise.
      • The attack targets the wrong application (i.e. an IIS attack against an Apache server). This is still a Category III event because the intention was there.
  • 31. Category IV: Denial of Service
    • Attacker takes damaging action against the resources or processes of a target machine or network.
    • Denial of service attacks may consume
      • CPU cycles
      • Bandwidth
      • Hard drive space
      • User's time
      • Many other resources.
    • NOT limited to flood-like attacks (see “teardrop” and “WinNuke” attacks).
  • 32. Category V: Poor Security Practice or Policy Violation
    • When a condition which exposes the monitored host/network to unnecessary risk is detected.
    • Violations of company's security and/or Internet usage policy
      • P2P traffic
      • IM/IRC traffic
      • Pr0n surfing
      • Misconfigured anonymous FTP servers
      • Telnet sessions
      • etc.
  • 33. Category VI: Reconnaissance
    • Attacker attempts to learn about a target system or network.
    • Events include
      • Port scans
      • Enumeration of NetBIOS shares on Windows systems
      • Inquiries concerning the version of applications
      • Unauthorized DNS zone transfers
      • etc.
    • Includes limited attempts to guess user names and passwords. Sustained, intense guessing of user names and passwords should be considered Category III events, even if unsuccessful.
  • 34. Category VII: Virus Activity
    • Client system becomes infected by a virus.
    • Viruses depend on one or both of the following conditions:
      • human interaction is required to propagate the virus;
      • the virus must attach itself to a 'host' file, such as an email message, Word document, or web page.
    • Worms are capable of propagating themselves without human interaction or host files. A compromise caused by a worm would qualify as a Category I or II event.
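As an added example (not code from the presentation or from the Sguil project), a small Python model of the categorization workflow described on slides 27 through 34: function keys map to the seven categories plus "no further action" and escalation, Shift+F-key and F9 require a comment, every action is recorded against the analyst for accountability, and the slide 33 distinction between limited and sustained password guessing is applied using an assumed threshold of 20 failed logins.

```python
# Added example modelling Sguil's categorization workflow (slides 27-34).
# Not Sguil's own code; key labels and the guessing threshold are assumptions.
from dataclasses import dataclass, field

# F1-F7 map to the seven categories, F8 to "no further action", F9 escalates.
CATEGORIES = {
    "F1": "Cat I: Root/Administrator Account Compromise",
    "F2": "Cat II: User Account Compromise",
    "F3": "Cat III: Attempted Account Compromise",
    "F4": "Cat IV: Denial of Service",
    "F5": "Cat V: Poor Security Practice or Policy Violation",
    "F6": "Cat VI: Reconnaissance",
    "F7": "Cat VII: Virus Activity",
    "F8": "No Further Action Required",
    "F9": "Escalated",
}

# Assumed threshold: this many failed logins from one source is treated as
# "sustained, intense" guessing (Cat III) rather than limited guessing (Cat VI).
GUESSING_THRESHOLD = 20


@dataclass
class Event:
    event_id: str
    signature: str
    status: str = "RT"                           # real-time, not yet categorized
    history: list = field(default_factory=list)  # (analyst, key, comment) trail


def categorize(event, key, analyst, comment=None, shift=False):
    """Apply one function-key action and return the new status.

    Plain F1-F8 need no comment; Shift+F-key and F9 (escalation) require one.
    Every action is appended to the event's history for analyst accountability.
    """
    if key not in CATEGORIES:
        raise ValueError(f"unknown key {key!r}")
    if (shift or key == "F9") and not comment:
        raise ValueError(f"{'Shift+' if shift else ''}{key} requires a comment")
    event.status = CATEGORIES[key]
    event.history.append((analyst, key, comment))
    return event.status


def suggest_guessing_key(failed_logins):
    """Slide 33 rule: limited guessing is Cat VI, sustained guessing is Cat III."""
    return "F3" if failed_logins >= GUESSING_THRESHOLD else "F6"
```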
  • 35. Sguil Demo
    • Enough theory, let us get our hands dirty with the pig
  • 36. Future plans of SGUIL
    • Short to mid-term development plans
      • Sensor should not connect directly to database
      • SANCP will replace snort stream4 patch
    • Other SGUIL related developments
      • SGUIL-WEB, web based front end for SGUIL is being developed
      • LATEST NEWS: Sguil CD (ISO) for server / sensor installation released today (2004-05-07)
  • 37. What we have learned
    • The benefits of running Snort + SGUIL
      • Alerts are pushed to the console
      • Advanced features like session statistics and transcripts exist
    • How the different parts of SGUIL work together
    • SGUIL alert categories
  • 38. Questions?
    • Got any questions? Now is the time to ask them!
