Sguil
Sguil presentation for Linux User Group (Singapore) 2004/4/7
Published in: Technology
Transcript

  • 1. Network Security Analysis with SGUIL
    - Introduction to Network Security Analysis with SGUIL
    - Linux User Group Singapore, Friday 7th May 2004
    - By Michael Boman <michael.boman@boseco.com>
  • 2. What we will cover:
    - Benefits of running Snort + SGUIL
    - Alert flow in a Snort + SGUIL setup
    - SGUIL alert categories
    - Demo of SGUIL
    - Q & A
  • 3. Why Sguil?
    - Real-time alerting
    - X Window and Win32 "native" client (i.e. not web based)
    - DB schema optimized for fast analysis of alerts
    - Integrated passive fingerprinting, session transcript
    - Ability to work on an "attack" without an IDS alert
    - Categorization of events
    - Escalation of events
    - Accountability of analysts' actions
    - Ability to watch specific sensors
  • 4. Software
    - Snort
      - NIDS engine
    - Barnyard
      - Output processor for Snort
    - MySQL
      - Alert storage medium
    - SANCP (optional)
      - Session logger
    - tcpdump, ethereal, tcpflow
      - Helper applications
    - TCL/TK (and various TCL modules)
      - The language of choice for SGUIL
  • 5. The Sguil Architecture
    - Detect events of interest on the network
    - Upload port scan and session statistics
    - Record all network traffic
    - Receive alerts and statistics from sensors
    - Send alerts and other data to consoles
    - Receive requests from consoles
    - Keep track of alert status
    - Analyze and categorize alerts
  • 6. Login to Sguil
    - Authenticate client to server
    - Optional SSL encryption of the session
    - Password never sent over the network
    - Once authenticated, choose which sensors to receive alerts for
      - Currently no access control to limit what you are allowed to see
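The login slide states a property (the password never crosses the wire) without showing how that is achieved. The following is an added example, not code from the presentation or from the Sguil project, of a generic challenge-response login that has this property: the server stores only a salted verifier, sends a fresh nonce, and the client answers with an HMAC over that nonce. Sguil's real wire protocol is not reproduced here; the message layout, the `AuthServer` class, the user name and the password are all constructed for this illustration.

```python
"""Added example, not part of the presentation or the Sguil code base:
a generic challenge-response login in which the password never crosses
the wire. The message layout, class names, user and password are
constructed for this illustration; Sguil's own protocol differs."""

import hashlib
import hmac
import secrets

# Iteration count is a constructed choice; raise it in real deployments.
PBKDF2_ROUNDS = 100_000


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Slow salted hash of the password; the server stores only this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthServer:
    def __init__(self) -> None:
        self._users = {}    # username -> (salt, verifier)
        self._pending = {}  # username -> outstanding nonce (single use)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, derive_verifier(password, salt))

    def challenge(self, username: str):
        """Step 1 (server -> client): the user's salt and a fresh random nonce."""
        salt, _ = self._users[username]
        nonce = secrets.token_bytes(16)
        self._pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Step 3 (server): recompute the expected MAC over the consumed nonce."""
        nonce = self._pending.pop(username, None)
        if nonce is None:
            return False  # no outstanding challenge: a replayed response is rejected
        _, verifier = self._users[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Step 2 (client -> server): prove knowledge of the password without sending it."""
    return hmac.new(derive_verifier(password, salt), nonce, hashlib.sha256).digest()


def login(server: AuthServer, username: str, password: str) -> bool:
    """Run the full three-step exchange for one login attempt."""
    salt, nonce = server.challenge(username)
    return server.verify(username, client_response(password, salt, nonce))


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("analyst", "correct horse battery staple")  # constructed credentials
    print(login(srv, "analyst", "correct horse battery staple"))
    print(login(srv, "analyst", "wrong password"))
```

A passive sniffer sees only the salt, the nonce and a MAC, and the single-use nonce stops a captured response from being replayed. The limitation worth knowing is that the stored verifier is itself enough to answer challenges, so the server-side store still needs protecting, and transport encryption (the optional SSL on this slide) still matters for everything else in the session.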
  • 7. Sguil Login Screen
  • 8. Sguil Sensor Selection
  • 9. Sguil Console Layout
    - 3 areas
      - Alert list
      - Host lookup
      - Alert details
  • 10. Sguil Console Layout (annotated screenshot; labels: Time (UTC), Event pane(s), Signature viewer, Event / port scan details, Reverse DNS / WHOIS lookup, System Messages / Console CHAT window, Alert tabs)
  • 11. Sguil flow: Receiving IDS Alerts (flow diagram; component labels: Network Sensor, Snort IDS, Barnyard, Server, sguild, MySQL, Console, sguil.tk, xscriptd, log_packets, sensor agent)
  • 12. Sguil RT Events (annotated screenshot; labels: Count, Event ID, Protocol Number (1 = ICMP, 6 = TCP, 17 = UDP), Status)
  • 13. Sguil flow: Getting Alert Details (flow diagram with the same component labels as slide 11)
  • 14. Sguil Event Details
  • 15. Sguil Host Lookup
  • 16. Sguil flow: Collecting Portscan Data (flow diagram with the same component labels as slide 11)
  • 17. Sguil flow: Getting Portscan Details (flow diagram with the same component labels as slide 11)
  • 18. Sguil Portscan Event
  • 19. Sguil flow: Recording Network Traffic (flow diagram with the same component labels as slide 11)
  • 20. Sguil flow: Getting Session Transcript
  • 21. Sguil Transcript
  • 22. Sguil flow: Getting PCAP data (flow diagram with the same component labels as slide 11)
  • 23. Ethereal integration
  • 24. Sguil flow: Collecting Session Data (flow diagram with the same component labels as slide 11)
  • 25. Sguil flow: Getting Session Details (flow diagram with the same component labels as slide 11)
  • 26. Sguil Session Query
  • 27. Event Categories
    - 7 different categories
    - Less complicated compared to SANS severity ratings.
    - Designed for fast analysis and categorization.
      - Events are categorized using the F1-F7 function keys.
      - Shift + function key categorizes the alert with a comment.
      - F8 moves the event to the "No Further Action Required" "category".
      - F9 escalates the event. A comment explaining why the alert is escalated is mandatory.
  • 28. Category I: Root/Administrator Account Compromise
    - Unauthorized party gains 'root' or 'administrator' control on a monitored system.
    - Windows' SYSTEM account included.
    - Whether by worms, automated tools or manual hacks does not matter.
  • 29. Category II: User Account Compromise
    - Unauthorized party gains control of any non-root or non-administrator account on a monitored system.
    - Whether by worms, automated tools or manual hacks does not matter.
  • 30. Category III: Attempted Account Compromise
    - Unauthorized party attempts to gain root/administrator or user level access on a monitored system.
    - The attack fails for one of several reasons:
      - Target may be properly patched to reject the attack.
      - Attacker may find a vulnerable machine, but may not be sufficiently skilled to execute the attack.
      - Target may be vulnerable to the attack, but its configuration prevents compromise.
      - Attack targets the wrong application (e.g. IIS attack against an Apache server). This is still a Category III event because the intention was there.
  • 31. Category IV: Denial of Service
    - Attacker takes damaging action against the resources or processes of a target machine or network.
    - Denial of service attacks may consume
      - CPU cycles
      - Bandwidth
      - Hard drive space
      - User's time
      - Many other resources.
    - NOT limited to flood-like attacks (see "teardrop" and "WinNuke" attacks).
  • 32. Category V: Poor Security Practice or Policy Violation
    - When a condition which exposes the monitored host/network to unnecessary risk is detected.
    - Violations of the company's security and/or Internet usage policy
      - P2P traffic
      - IM/IRC traffic
      - Pr0n surfing
      - Misconfigured anonymous FTP servers
      - Telnet sessions
      - etc.
  • 33. Category VI: Reconnaissance
    - Attacker attempts to learn about a target system or network.
    - Events include
      - Port scans
      - Enumeration of NetBIOS shares on Windows systems
      - Inquiries concerning the version of applications
      - Unauthorized DNS zone transfers
      - etc.
    - Includes limited attempts to guess user names and passwords. Sustained, intense guessing of user names and passwords should be considered Category III events, even if unsuccessful.
  • 34. Category VII: Virus Activity
    - Client system becomes infected by a virus.
    - Viruses depend on one or both of the following conditions:
      - human interaction is required to propagate the virus;
      - the virus must attach itself to a 'host' file, such as an email message, Word document, or web page.
    - Worms are capable of propagating themselves without human interaction or host files. A compromise caused by a worm would qualify as a Category I or II event.
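Slides 27 to 34 define the seven categories and the function keys that assign them, and slide 33 draws the one line an analyst most often has to judge: limited password guessing is reconnaissance (Category VI), sustained guessing is an attempted compromise (Category III) even when it fails. The following is an added example, not code from the presentation or from the Sguil project, that applies those rules as a first-pass triage over a batch of constructed alert lines. The alert format, the signature texts, the `SUSTAINED_LOGIN_FAILURES` threshold and the keyword matching are all constructed for this illustration; Sguil's own database schema and alert fields differ, and an analyst would still confirm each category before pressing the key.

```python
"""Added example, not part of the presentation or the Sguil project:
first-pass triage that maps constructed IDS alerts onto the Sguil
event categories (slides 27-34). Alert format, signatures, threshold
and keyword rules are constructed for this illustration."""

from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Protocol numbers as displayed in the RT Events pane (slide 12).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Sguil categories; category N is assigned with function key FN (slide 27).
CATEGORIES = {
    1: "Root/Administrator Account Compromise",
    2: "User Account Compromise",
    3: "Attempted Account Compromise",
    4: "Denial of Service",
    5: "Poor Security Practice or Policy Violation",
    6: "Reconnaissance",
    7: "Virus Activity",
}

# Constructed threshold: this many failures from one source counts as "sustained".
SUSTAINED_LOGIN_FAILURES = 20

# Constructed sample alerts in a made-up "count,src,dst,proto,signature" layout.
SAMPLE_ALERTS = """\
3,10.0.0.5,192.168.1.10,6,SSH failed login
60,10.0.0.9,192.168.1.10,6,SSH failed login
1,10.0.0.7,192.168.1.20,17,DNS zone transfer request
1,10.0.0.7,192.168.1.0/24,6,portscan detected
1,10.0.0.11,192.168.1.30,6,P2P client traffic
2,10.0.0.12,192.168.1.40,6,WEB-IIS unicode traversal attempt
"""


@dataclass
class Alert:
    count: int      # how many times the sensor saw this event (Count column)
    src: str
    dst: str
    proto: int      # IP protocol number as shown in the RT Events pane
    signature: str


def parse_alerts(text: str) -> List[Alert]:
    """Parse the constructed alert lines into Alert objects."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        count, src, dst, proto, sig = line.split(",", 4)
        alerts.append(Alert(int(count), src, dst, int(proto), sig))
    return alerts


def categorize(alert: Alert) -> Optional[int]:
    """Return a Sguil category number, or None to leave the event to the analyst."""
    sig = alert.signature.lower()
    if "failed login" in sig:
        # Slide 33: limited guessing is reconnaissance; sustained, intense
        # guessing is an attempted compromise even if it never succeeds.
        return 3 if alert.count >= SUSTAINED_LOGIN_FAILURES else 6
    if "portscan" in sig or "zone transfer" in sig:
        return 6
    if "p2p" in sig or "irc" in sig or "telnet" in sig:
        return 5
    if "attempt" in sig:
        # Slide 30: an exploit aimed at the wrong application is still
        # Category III because the intention was there.
        return 3
    return None


def triage_line(alert: Alert) -> str:
    """One console-style line: suggested key, count, protocol, flow, category."""
    cat = categorize(alert)
    key = f"F{cat}" if cat else "--"
    name = CATEGORIES.get(cat, "uncategorized")
    proto = PROTO_NAMES.get(alert.proto, str(alert.proto))
    return (f"{key:>3} {alert.count:>4} {proto:<4} {alert.src} -> {alert.dst}: "
            f"{alert.signature} [{name}]")


def summarize(text: str) -> Counter:
    """Count how many alerts land in each category name."""
    return Counter(CATEGORIES.get(categorize(a), "uncategorized")
                   for a in parse_alerts(text))


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(triage_line(a))
    print(summarize(SAMPLE_ALERTS))
```

The two "SSH failed login" lines are the point: identical signatures land in different categories purely on volume, which is why the Count column sits next to the event in the RT Events pane. Anything the rules do not recognise is left as `None` rather than guessed, matching the slide's intent that categorization is an analyst decision the tool speeds up rather than replaces.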
  • 35. Sguil Demo
    - Enough theory, let us get our hands dirty with the pig
  • 36. Future plans of SGUIL
    - Short to mid-term development plans
      - Sensor should not connect directly to the database
      - SANCP will replace the snort stream4 patch
    - Other SGUIL related developments
      - SGUIL-WEB, a web based front end for SGUIL, is being developed
      - LATEST NEWS: Sguil CD (ISO) for server / sensor installation released today (2004-05-07)
  • 37. What we have learned
    - The benefits of running Snort + SGUIL
      - Alerts are pushed to the console
      - Advanced features like session statistics and transcripts exist
    - How the different parts of SGUIL work together
    - SGUIL alert categories
  • 38. Questions?
    - Got any questions? Now is the time to ask them!