Your SlideShare is downloading. ×
0
Intrusion Detection System using Snort & SAM 60-564: Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal P...
SNORT <ul><li>Snort is an Open Source IDS. </li></ul><ul><li>Other open source tools like MySQL database, PHP, Apache Web ...
Project Overview <ul><li>Test an IDS implemented with Snort, SAM & ACID. </li></ul>
SAM <ul><li>SAM (Snort Alert Monitor) is a platform independent Java based consol that gives a quick look at the snort ale...
Hardware & Network Configuration <ul><li>Configuration of the Attacker PC: </li></ul><ul><li>Pentium 4  2.8 GHz (Hyper thr...
Software List <ul><li>MySQL </li></ul><ul><li>Snort </li></ul><ul><li>Apache Web Server </li></ul><ul><li>PHP </li></ul><u...
Software List
MySQL installation <ul><li>  Create group and user for MySQL: </li></ul><ul><ul><li>[root@localhost root]# groupadd mysql ...
MySql installation <ul><ul><li>Start the MySQL server: </li></ul></ul><ul><ul><li>[root@localhost mysql]# bin/mysqld_safe ...
Snort installation <ul><li>  Create group and user for Snort: </li></ul><ul><ul><li>[root@localhost root]# groupadd snort ...
Snort installation <ul><li>create the database for Snort and set password for it:  </li></ul><ul><li>[root@localhost root]...
Snort installation <ul><li>Run the Snort create_mysql script to generate the appropriate tables in the database:  </li></u...
Apache WS installation <ul><li>Use the following set of commands to extract and install Apache Web Server:  </li></ul><ul>...
Installing PHP <ul><li>Use the following set of commands to extract and install PHP:  </li></ul><ul><li>[root@localhost ro...
Installing PHP <ul><li>create links for startup scripts so that the web server starts when you boot up in run levels 3 and...
Installing ACID <ul><li>Download and extract ACID: </li></ul><ul><li>[root@localhost htdocs]# cd /root </li></ul><ul><li>[...
Installing ACID <ul><li>Open a web browser to  http:// localhost/acid/acid_main.php  . Click on the Setup page link to con...
SNOT: packet generator <ul><li>SNOT compared to other packet generator. </li></ul><ul><li>Was specifically built to test I...
SNOT <ul><li>Install SNOT using the following commands: </li></ul><ul><li>[root@localhost root]# tar zxvf snot-0.92a.tar.g...
SNOT <ul><li>The following example generates 10 packets based on the rules located in the  rule.txt  file with the specifi...
SAM <ul><li>Download link: </li></ul><ul><li>http:// sourceforge.net/project/showfiles.php?group_id =59138&package_id=5515...
SAM <ul><li>After SAM is started it shows the following window: </li></ul>
SAM
SAM
SAM <ul><li>Creative ways of alerting people: </li></ul>
<ul><li>References: </li></ul><ul><li>Snort Web site:  http://www.snort.org/ </li></ul><ul><li>SAM Web site:  http:// free...
Upcoming SlideShare
Loading in...5
×

Intrusion Detection System using Snort

10,270

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
10,270
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
83
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Intrusion Detection System using Snort "

  1. 1. Intrusion Detection System using Snort & SAM 60-564: Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal Presented By: S. Rahaman & A. Uddin Date: April 03, 2006
  2. 2. SNORT <ul><li>Snort is an Open Source IDS. </li></ul><ul><li>Other open source tools like MySQL database, PHP, Apache Web Server & plug-in like ACID can be used with Snort to provide a visual representation of intrusion data. </li></ul>
  3. 3. Project Overview <ul><li>Test an IDS implemented with Snort, SAM & ACID. </li></ul>
  4. 4. SAM <ul><li>SAM (Snort Alert Monitor) is a platform independent Java based consol that gives a quick look at the snort alerts from the mysql database. </li></ul><ul><li>SAM produces a high level overview (While ACID is great for digging the details of the attacks) </li></ul><ul><li>SAM monitors the MySQL database and gives audible alert if the given condition is met, for instance if the system was attacked 100 times in 5 minutes period. </li></ul><ul><li>can send email automatically to a person or a group whenever the threshold is reached </li></ul><ul><li>SAM does not replace ACID but rather it complements it. </li></ul>
  5. 5. Hardware & Network Configuration <ul><li>Configuration of the Attacker PC: </li></ul><ul><li>Pentium 4 2.8 GHz (Hyper threading enabled) </li></ul><ul><li>RAM 512 MB </li></ul><ul><li>Surecom EP-320X-R 100/10/M PCI Adapter </li></ul><ul><li>OS: Linux (Redhat Fedora Core ) </li></ul><ul><li>Configuration of Target PC: </li></ul><ul><li>Pentium 4 3.2 GHz (Hyper threading enabled) </li></ul><ul><li>RAM 1 GB </li></ul><ul><li>SIS 900-Based PCI Fast Ethernet Adapter </li></ul><ul><li>OS: Linux (Suse 10) </li></ul>
  6. 6. Software List <ul><li>MySQL </li></ul><ul><li>Snort </li></ul><ul><li>Apache Web Server </li></ul><ul><li>PHP </li></ul><ul><li>ADODB </li></ul><ul><li>JPGraph </li></ul><ul><li>ACID </li></ul><ul><li>SAM </li></ul><ul><li>SNOT </li></ul><ul><li>There are more…… </li></ul>
  7. 7. Software List
  8. 8. MySQL installation <ul><li> Create group and user for MySQL: </li></ul><ul><ul><li>[root@localhost root]# groupadd mysql </li></ul></ul><ul><ul><li>[root@localhost root]# useradd -g mysql MySql </li></ul></ul><ul><ul><li>Extract the archive: </li></ul></ul><ul><ul><li>[root@localhost root]# cd /usr/local </li></ul></ul><ul><ul><li>[root@localhost local]# tar zxvf /root/mysql-standard-4.1.18-pc-linux-gnu-i686 </li></ul></ul><ul><ul><li>[root@localhost local]# ln -s /usr/local/mysql-standard-4.1.18-pc-linux-gnu-i686/ mysql </li></ul></ul><ul><ul><li>Execute the mysql_install_db script and set directory access right: </li></ul></ul><ul><ul><li>[root@localhost local]# cd mysql </li></ul></ul><ul><ul><li>[root@localhost mysql]# scripts/mysql_install_db --user=MySql </li></ul></ul><ul><ul><li>[root@localhost mysql]# chown -R root . </li></ul></ul><ul><ul><li>[root@localhost mysql]# chown -R mysql data </li></ul></ul><ul><ul><li>[root@localhost mysql]# chgrp -R mysql . </li></ul></ul>
  9. 9. MySql installation <ul><ul><li>Start the MySQL server: </li></ul></ul><ul><ul><li>[root@localhost mysql]# bin/mysqld_safe --user=mysql & </li></ul></ul><ul><ul><li>Assign passwords to the local accounts for the database: </li></ul></ul><ul><li>shell> mysql -u root </li></ul><ul><li>mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('spider1'); </li></ul><ul><li>mysql> SET PASSWORD FOR 'root'@'host_name' = PASSWORD('spider1'); </li></ul>MySQL Installation guide says to assign password using the following commands, Which was not working for us: [root@localhost mysql]# ./bin/mysqladmin -u root password spider1 [root@localhost mysql]# ./bin/mysqladmin -u root -h hostname password spider1
  10. 10. Snort installation <ul><li> Create group and user for Snort: </li></ul><ul><ul><li>[root@localhost root]# groupadd snort </li></ul></ul><ul><ul><li>[root@localhost root]# useradd -g snort snort </li></ul></ul><ul><ul><li>Extract the archive: </li></ul></ul><ul><ul><li>[root@localhost local]# tar zxvf snort-2.4.3.tar.gz </li></ul></ul><ul><ul><li>Install Snort with MySQL support with the following command: </li></ul></ul><ul><li>[root@localhost snort-2.4.3]# ./configure </li></ul><ul><li>--with-mysql=/usr/local/mysql </li></ul><ul><li>[root@localhost snort-2.4.3]# make </li></ul><ul><li>[root@localhost snort-2.4.3]# make install </li></ul>Make was not working for us. We had to install zlib support and modify snort/src/makefile manually. – lz had to be added to LIBS variables.
  11. 11. Snort installation <ul><li>create the database for Snort and set password for it: </li></ul><ul><li>[root@localhost root]# /usr/local/mysql/bin/mysql -u root –p </li></ul><ul><li>mysql> create database snort; </li></ul><ul><li>mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password'); </li></ul><ul><li>Grant the access to the ‘snort’ user for the database: </li></ul><ul><li>mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost; </li></ul><ul><li>mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort; </li></ul>If the above command gives error, try the following command instead: mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost IDENTIFIED BY 'spider1’; mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort IDENTIFIED BY 'spider1’;
  12. 12. Snort installation <ul><li>Run the Snort create_mysql script to generate the appropriate tables in the database: </li></ul><ul><li>[root@localhost snort-2.2.x]# /usr/local/mysql/bin/mysql -u root -p < ./schemas/create_mysql snort </li></ul><ul><li>add this line in the snort.conf file to use MySql database: </li></ul><ul><li>output database: log, mysql, user=snort password=password dbname=snort host=localhost </li></ul>
  13. 13. Apache WS installation <ul><li>Use the following set of commands to extract and install Apache Web Server: </li></ul><ul><li>[root@localhost root]# tar zxvf httpd-2.0.55.tar.gz </li></ul><ul><li>[root@localhost root]# cd httpd-2.0.55 </li></ul><ul><li>[root@localhost httpd-2.0.55]# ./configure --prefix=/www --enable-so </li></ul><ul><li>[root@localhost httpd-2.0.55]# make </li></ul><ul><li>[root@localhost httpd-2.0.55]# make install </li></ul><ul><li>Then open a web browser and enter your IP address or &quot;localhost.&quot; You should see the default Apache web page. </li></ul>
  14. 14. Installing PHP <ul><li>Use the following set of commands to extract and install PHP: </li></ul><ul><li>[root@localhost root]# tar zxvf php-4.3.8.tar.gz </li></ul><ul><li>[root@localhost root]# cd php-4.3.8 </li></ul><ul><li>[root@localhost php-4.3.8]# ./configure --prefix=/www/php --with-apxs2= </li></ul><ul><li>/www/bin/apxs --with-config-filepath=/www/php --enable-sockets </li></ul><ul><li>--with-mysql=/usr/local/mysql --with-zlib-dir=/usr/local --with-gd </li></ul><ul><li>[root@localhost php-4.3.8]# make </li></ul><ul><li>[root@localhost php-4.3.8]# make install </li></ul><ul><li>[root@localhost php-4.3.8]# cp php.ini-dist /www/php/php.ini </li></ul><ul><li>Make the following modifications to the the /www/conf/httpd.conf file </li></ul><ul><li>Change the line: </li></ul><ul><li>DirectoryIndex index.html index.html.var </li></ul><ul><li>to: </li></ul><ul><li>DirectoryIndex index.php index.html index.html.var </li></ul><ul><li>Also, add the following line under the AddType section: </li></ul><ul><li>AddType application/x-httpd-php .php </li></ul>
  15. 15. Installing PHP <ul><li>create links for startup scripts so that the web server starts when you boot up in run levels 3 and 5 (run level 3 is full multiuser mode, and run level 5 is the X Window System): </li></ul><ul><li>[root@localhost conf]# cd /www/bin </li></ul><ul><li>[root@localhost bin]# cp apachectl /etc/init.d/httpd </li></ul><ul><li>[root@localhost bin]# cd /etc/init.d/rc3.d </li></ul><ul><li>[root@localhost rc3.d]# ln -s ../httpd S85httpd </li></ul><ul><li>[root@localhost rc3.d]# ln -s ../httpd K85httpd </li></ul><ul><li>[root@localhost rc3.d]# cd /etc/init.d/rc5.d </li></ul><ul><li>[root@localhost rc5.d]# ln -s ../httpd S85httpd </li></ul><ul><li>[root@localhost rc5.d]# ln -s ../httpd K85httpd </li></ul>
  16. 16. Installing ACID <ul><li>Download and extract ACID: </li></ul><ul><li>[root@localhost htdocs]# cd /root </li></ul><ul><li>[root@localhost root]# cp acid-0.9.6b23.tar.gz /www/htdocs </li></ul><ul><li>[root@localhost root]# cd /www/htdocs </li></ul><ul><li>[root@localhost htdocs]# tar zxvf acid-0.9.6b23.tar.gz </li></ul><ul><li>[root@localhost htdocs]# rm -rf acid-0.9.6b23.tar.gz </li></ul><ul><li>Make the following configuration changes in /www/htdocs/acid/acid_conf.php file : </li></ul><ul><li>$alert_dbname = &quot;snort&quot;; </li></ul><ul><li>$alert_host = &quot;localhost&quot;; </li></ul><ul><li>$alert_port = &quot;&quot;; </li></ul><ul><li>$alert_user = &quot;root&quot;; </li></ul><ul><li>$alert_password = &quot;newpassword&quot;; </li></ul><ul><li>$archive_dbname = &quot;snort&quot;; </li></ul><ul><li>$archive_host = &quot;localhost&quot;; </li></ul><ul><li>$archive_port = &quot;&quot;; </li></ul><ul><li>$archive_user = &quot;root&quot;; </li></ul><ul><li>$archive_password = &quot;newpassword&quot;; </li></ul><ul><li>$ChartLib_path = &quot;/www/htdocs/jpgraph-1.16/src&quot;; </li></ul>
  17. 17. Installing ACID <ul><li>Open a web browser to http:// localhost/acid/acid_main.php . Click on the Setup page link to continue. Next, click the button that says Create ACID AG. It will create four tables in the database. </li></ul>
  18. 18. SNOT: packet generator <ul><li>SNOT compared to other packet generator. </li></ul><ul><li>Was specifically built to test IDS. </li></ul><ul><li>It uses Snort rules files as its source of packet information. </li></ul><ul><li>It also randomizes information that is not contained in the rule to evade detection. </li></ul><ul><li>You can send all the packet at once or control the timing. </li></ul>
  19. 19. SNOT <ul><li>Install SNOT using the following commands: </li></ul><ul><li>[root@localhost root]# tar zxvf snot-0.92a.tar.gz </li></ul><ul><li>[root@localhost root]# cd snot-0.92a </li></ul><ul><li>[root@localhost snot-0.92a]# make </li></ul><ul><li>Then you can send attack from Snot using the following command line: </li></ul><ul><li>[root@localhost snot-0.92a]# ./snot </li></ul><ul><li>Usage: snot -r <rulefile> [-s <source IP>] [-d <dest IP>] </li></ul><ul><li>[-n <number of packets>] [-l <delay>] [-p] </li></ul>
  20. 20. SNOT <ul><li>The following example generates 10 packets based on the rules located in the rule.txt file with the specified source and destination addresses: </li></ul><ul><li>./snot -r ./rule.txt -s 192.168.1.1 -d 192.168.1.2 -n 10 </li></ul>
  21. 21. SAM <ul><li>Download link: </li></ul><ul><li>http:// sourceforge.net/project/showfiles.php?group_id =59138&package_id=55154&release_id=303573 </li></ul><ul><li>Installing SAM is as easy as extracting the downloaded file. </li></ul><ul><li>Then run SAM using the following command: </li></ul><ul><li>java –jar sam.jar </li></ul>NOTE: you must have Java Virtual Machine installed to run SAM.
  22. 22. SAM <ul><li>After SAM is started it shows the following window: </li></ul>
  23. 23. SAM
  24. 24. SAM
  25. 25. SAM <ul><li>Creative ways of alerting people: </li></ul>
  26. 26. <ul><li>References: </li></ul><ul><li>Snort Web site: http://www.snort.org/ </li></ul><ul><li>SAM Web site: http:// freesoftware.lookandfeel.com/sam/index.html </li></ul><ul><li>Intrusion Detection System: The Complete Documentation : http://www.l0t3k.org/security/tools/ids/ </li></ul><ul><li>O’Reilly Snort Cookbook, By Jacob Babbin, Simon Biles, Angela D. Orebaugh March 2005, ISBN: 0-596-00791-4 </li></ul><ul><li>Prentice Hall PTR Open Source Security Tools Practical Guide to Security Applications , By Tony Howlett , July 2004 </li></ul>
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×