Sguil

Sguil presentation for Linux User Group (Singapore) 2004/4/7

1. Network Security Analysis with SGUIL
   Introduction to Network Security Analysis with SGUIL
   Linux User Group Singapore, Friday 7th May 2004
   By Michael Boman <michael.boman@boseco.com>

2. What we will cover:
   - Benefits of running Snort + SGUIL
   - Alert flow in a Snort + SGUIL setup
   - SGUIL alert categories
   - Demo of SGUIL
   - Q & A

3. Why Sguil?
   - Real-time alerting
   - X Window and Win32 "native" client (i.e. not web based)
   - DB schema optimized for fast analysis of alerts
   - Integrated passive fingerprinting, session transcript
   - Ability to work on an "attack" without an IDS alert
   - Categorization of events
   - Escalation of events
   - Accountability of analysts' actions
   - Ability to watch specific sensors

4. Software
   - Snort
     - NIDS engine
   - Barnyard
     - Output processor for Snort
   - MySQL
     - Alert storage medium
   - SANCP (optional)
     - Session logger
   - tcpdump, ethereal, tcpflow
     - Helper applications
   - TCL/TK (and various TCL modules)
     - The language of choice for SGUIL

5. The Sguil Architecture
   - Detect Events of Interest on the network
   - Upload port scan and session statistics
   - Record all network traffic
   - Receive alerts and statistics from sensor
   - Send alerts and other data to consoles
   - Receive requests from consoles
   - Keep track of alert status
   - Analyze and categorize alerts

6. Login to Sguil
   - Authenticate client to server
   - Optional SSL encryption of session
   - Password never sent over the network
   - Once authenticated, choose which sensors to receive alerts for
     - Currently no access control to limit what you are allowed to see
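The "password never sent over the network" property of slide 6 is what a challenge-response login buys you: the server stores only a password-derived verifier, sends a fresh nonce, and the client answers with an HMAC over that nonce. The following is an added, generic illustration of that property and is not Sguil's actual login protocol; the usernames, passwords, salt handling and wire format are all constructed for the example.

```python
"""Challenge-response login: the client proves it knows the password
without the password (or a reusable hash of it) crossing the wire.

Added, generic illustration of the property on slide 6; it is not Sguil's
actual login protocol. Usernames, passwords and the wire format are
constructed for the example.
"""
import hashlib
import hmac
import secrets


def derive_key(password: str, salt: bytes) -> bytes:
    """Password-derived verifier; the server stores this, not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    def __init__(self, users):
        # users: constructed username -> password map, used only at enrolment
        self.store = {}
        for user, password in users.items():
            salt = secrets.token_bytes(16)
            self.store[user] = (salt, derive_key(password, salt))
        self.pending = {}  # single-use nonces awaiting a response

    def challenge(self, user):
        """Send salt and a fresh nonce. Unknown users get a deterministic
        fake salt so the reply does not reveal which accounts exist."""
        if user in self.store:
            salt = self.store[user][0]
        else:
            salt = hashlib.sha256(b"no-such-user|" + user.encode()).digest()[:16]
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return salt, nonce

    def verify(self, user, response):
        """Check HMAC(key, nonce). The nonce is consumed whether or not the
        response matches, so a captured response cannot be replayed."""
        nonce = self.pending.pop(user, None)
        if nonce is None or user not in self.store:
            return False
        key = self.store[user][1]
        expected = hmac.new(key, nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, user, password):
        self.user, self.password = user, password

    def respond(self, salt, nonce):
        key = derive_key(self.password, salt)
        return hmac.new(key, nonce, "sha256").digest()


def login(server, client):
    """One exchange: username -> (salt, nonce) -> response -> accept/reject.
    Only the username, salt, nonce and HMAC ever travel between the two."""
    salt, nonce = server.challenge(client.user)
    return server.verify(client.user, client.respond(salt, nonce))


if __name__ == "__main__":
    srv = Server({"analyst": "correct horse battery"})  # constructed credential
    print("good password:", login(srv, Client("analyst", "correct horse battery")))
    print("bad password: ", login(srv, Client("analyst", "guess")))
```

Note that this scheme protects the password in transit but not the session contents; that is what the optional SSL layer on the same slide is for.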
7. Sguil Login Screen

8. Sguil Sensor Selection

9. Sguil Console Layout
   - 3 Areas
     - Alert list
     - Host lookup
     - Alert details

10. Sguil Console Layout (annotated screen; labels)
    - Time (UTC)
    - Event pane(s)
    - Signature viewer
    - Event / port scan details
    - Reverse DNS / WHOIS lookup
    - System Messages / Console CHAT window
    - Alert tabs

11. Sguil flow: Receiving IDS Alerts (diagram labels: Network, Sensor, Snort IDS, Barnyard, Server, sguild, MySQL, Console, sguil.tk, xscriptd, log_packets, sensor agent)

12. Sguil RT Events (annotated screen; labels: Count, Event ID, Protocol Number (1 = ICMP, 6 = TCP, 17 = UDP), Status)
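Slide 12 names the columns of the real-time event pane: Count, Event ID, Protocol Number and Status. The Count column exists because the console collapses repeated alerts for the same signature and host pair into one row rather than showing every hit. The following added example (not Sguil code) shows that aggregation over a constructed batch of alerts; the record layout and the `status` value are assumptions, and the protocol names are the three IANA numbers listed on the slide, with anything else shown numerically.

```python
"""Aggregating raw IDS alerts into console rows the way an RT Events pane
presents them: one row per (sensor, signature, source, destination) with a
Count. Added example, not Sguil code; alert records are constructed.
"""
from collections import OrderedDict

# Protocol numbers named on slide 12; unknown numbers are shown as digits.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def proto_name(number: int) -> str:
    return PROTO_NAMES.get(number, str(number))


# Constructed alerts, in arrival order, as an output stage might hand them
# to the server. Fields: event id, sensor, signature, protocol, src, dst.
SAMPLE_ALERTS = [
    (101, "sensor1", "ICMP PING NMAP", 1, "192.0.2.10", "198.51.100.5"),
    (102, "sensor1", "SCAN SSH brute force", 6, "192.0.2.10", "198.51.100.5"),
    (103, "sensor1", "ICMP PING NMAP", 1, "192.0.2.10", "198.51.100.6"),
    (104, "sensor1", "ICMP PING NMAP", 1, "192.0.2.10", "198.51.100.5"),
    (105, "sensor1", "SNMP request udp", 17, "192.0.2.11", "198.51.100.5"),
    (106, "sensor1", "GRE tunnel seen", 47, "192.0.2.11", "198.51.100.5"),
]


def aggregate_rt_events(alerts, status="RT"):
    """Collapse repeated alerts into console rows.

    Each row keeps the first event id (the one an analyst opens for
    details), the most recent id, a running count and the protocol name.
    Rows stay in the order their first alert arrived. `status` is an
    assumed placeholder for the pane's Status column.
    """
    rows = OrderedDict()
    for event_id, sensor, sig, proto, src, dst in alerts:
        key = (sensor, sig, src, dst)
        if key in rows:
            rows[key]["count"] += 1
            rows[key]["last_event_id"] = event_id
        else:
            rows[key] = {
                "status": status,
                "count": 1,
                "first_event_id": event_id,
                "last_event_id": event_id,
                "sensor": sensor,
                "signature": sig,
                "proto": proto_name(proto),
                "src": src,
                "dst": dst,
            }
    return list(rows.values())


def format_rows(rows):
    """Render rows as fixed-width text in the slide's column order."""
    header = f"{'ST':<3}{'CNT':>4} {'EVENT ID':>9} {'PROTO':<6} {'SRC':<16}{'DST':<16}SIGNATURE"
    lines = [header]
    for r in rows:
        lines.append(
            f"{r['status']:<3}{r['count']:>4} {r['first_event_id']:>9} "
            f"{r['proto']:<6} {r['src']:<16}{r['dst']:<16}{r['signature']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_rows(aggregate_rt_events(SAMPLE_ALERTS)))
```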
13. Sguil flow: Getting Alert Details (same component diagram as slide 11)

14. Sguil Event Details

15. Sguil Host Lookup

16. Sguil flow: Collecting Portscan Data (same component diagram as slide 11)

17. Sguil flow: Getting Portscan Details (same component diagram as slide 11)

18. Sguil Portscan Event

19. Sguil flow: Recording Network Traffic (same component diagram as slide 11)

20. Sguil flow: Getting Session Transcript

21. Sguil Transcript

22. Sguil flow: Getting PCAP data (same component diagram as slide 11)

23. Ethereal integration

24. Sguil flow: Collecting Session Data (same component diagram as slide 11)

25. Sguil flow: Getting Session Details (same component diagram as slide 11)

26. Sguil Session Query
27. Event Categories
    - 7 different categories
    - Less complicated than the SANS severity ratings.
    - Designed for fast analysis and categorization.
      - Events are categorized using the F1-F7 function keys.
      - Shift + function key categorizes the alert with a comment.
      - F8 moves the event to the "No Further Action Required" "category".
      - F9 escalates the event. A comment explaining why the alert is escalated is mandatory.

28. Category I: Root/Administrator Account Compromise
    - Unauthorized party gains 'root' or 'administrator' control on a monitored system.
    - The Windows SYSTEM account is included.
    - Whether by worms, automated tools or manual hacks does not matter.

29. Category II: User Account Compromise
    - Unauthorized party gains control of any non-root or non-administrator account on a monitored system.
    - Whether by worms, automated tools or manual hacks does not matter.

30. Category III: Attempted Account Compromise
    - Unauthorized party attempts to gain root/administrator or user level access on a monitored system.
    - The attack fails for one of several reasons:
      - Target may be properly patched to reject the attack.
      - Attacker may find a vulnerable machine, but may not be sufficiently skilled to execute the attack.
      - Target may be vulnerable to the attack, but its configuration prevents compromise.
      - Attack targets the wrong application (i.e. an IIS attack against an Apache server). This is still a Category III event because the intention was there.

31. Category IV: Denial of Service
    - Attacker takes damaging action against the resources or processes of a target machine or network.
    - Denial of service attacks may consume
      - CPU cycles
      - Bandwidth
      - Hard drive space
      - User's time
      - Many other resources.
    - NOT limited to flood-like attacks (see the "teardrop" and "WinNuke" attacks).

32. Category V: Poor Security Practice or Policy Violation
    - A condition which exposes the monitored host/network to unnecessary risk is detected.
    - Violations of the company's security and/or Internet usage policy
      - P2P traffic
      - IM/IRC traffic
      - Pr0n surfing
      - Misconfigured anonymous FTP servers
      - Telnet sessions
      - etc.

33. Category VI: Reconnaissance
    - Attacker attempts to learn about a target system or network.
    - Events include
      - Port scans
      - Enumeration of NetBIOS shares on Windows systems
      - Inquiries concerning the version of applications
      - Unauthorized DNS zone transfers
      - etc.
    - Includes limited attempts to guess user names and passwords. Sustained, intense guessing of user names and passwords should be considered Category III events, even if unsuccessful.

34. Category VII: Virus Activity
    - Client system becomes infected by a virus.
    - Viruses depend on one or both of the following conditions:
      - human interaction is required to propagate the virus;
      - the virus must attach itself to a 'host' file, such as an email message, Word document, or web page.
    - Worms are capable of propagating themselves without human interaction or host files. A compromise caused by a worm would qualify as a Category I or II event.
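Slides 27 to 34 define the seven categories plus the F8 and F9 actions, and spell out two boundary rules that trip up new analysts: a handful of failed logins is reconnaissance (VI) while sustained guessing is an attempted compromise (III) even when it fails, and a worm that gets in is a compromise (I or II), not virus activity (VII). The following added example (not Sguil code) writes those rules down as a decision procedure, including the mandatory-comment check for F9 and Shift+Fn. The numeric threshold for "sustained" and the shape of the event record are assumptions, since the slides give no number.

```python
"""Sguil-style event categorization as a decision procedure.

Added example, not Sguil code. Encodes the category definitions from
slides 27-34: F1-F7 keys, F8 = no further action, F9 = escalate with a
mandatory comment, the Category VI / III split for login guessing, and
worm compromises belonging in I/II rather than VII. The guessing
threshold and the event record layout are assumptions.
"""

CATEGORIES = {
    "F1": ("I", "Root/Administrator Account Compromise"),
    "F2": ("II", "User Account Compromise"),
    "F3": ("III", "Attempted Account Compromise"),
    "F4": ("IV", "Denial of Service"),
    "F5": ("V", "Poor Security Practice or Policy Violation"),
    "F6": ("VI", "Reconnaissance"),
    "F7": ("VII", "Virus Activity"),
    "F8": ("NA", "No Further Action Required"),
    "F9": ("ESC", "Escalated"),
}


def categorize(event, key, comment=None, shift=False):
    """Apply an analyst's function-key decision to an event dict.

    Returns a new dict with category, label and comment filled in.
    Shift+Fn is the 'categorize with a comment' action and F9 always
    requires a comment, so both reject an empty comment.
    """
    if key not in CATEGORIES:
        raise ValueError(f"unknown key {key!r}")
    if (shift or key == "F9") and not comment:
        prefix = "Shift+" if shift else ""
        raise ValueError(f"{prefix}{key} requires a comment")
    code, label = CATEGORIES[key]
    updated = dict(event)
    updated.update(category=code, label=label, comment=comment)
    return updated


# Assumed threshold: more failed guesses than this against one target
# counts as "sustained, intense guessing" (slide 33 gives no number).
SUSTAINED_GUESS_THRESHOLD = 20


def suggest_login_category(failed_attempts, succeeded, privileged):
    """Suggest a category for a cluster of authentication events.

    Slides 28-30 and 33: a success is I (root/administrator/SYSTEM) or
    II (any other account); failures are III, except a limited number of
    guesses, which is reconnaissance (VI).
    """
    if succeeded:
        return "I" if privileged else "II"
    if failed_attempts > SUSTAINED_GUESS_THRESHOLD:
        return "III"
    return "VI"


def suggest_malware_category(kind, privileged=False):
    """Slide 34: a virus infection is VII; a compromise by a worm is I or II
    depending on the account it obtained."""
    if kind == "worm":
        return "I" if privileged else "II"
    if kind == "virus":
        return "VII"
    raise ValueError(f"unknown malware kind {kind!r}")


if __name__ == "__main__":
    # Constructed walk-through of a few analyst decisions.
    ev = {"event_id": 101, "signature": "SCAN SSH brute force"}  # constructed
    print(categorize(ev, "F" + {"VI": "6", "III": "3"}[suggest_login_category(3, False, False)]))
    print(categorize(ev, "F9", comment="500 failures then a success from same host"))
```

The suggestion functions are only a starting point for the analyst; the F-key in `categorize` is still the human's decision, which is what gives the accountability the deck lists under "Why Sguil?".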
35. Sguil Demo
    - Enough theory, let us get our hands dirty with the pig

36. Future plans of SGUIL
    - Short to mid-term development plans
      - Sensor should not connect directly to the database
      - SANCP will replace the snort stream4 patch
    - Other SGUIL related developments
      - SGUIL-WEB, a web based front end for SGUIL, is being developed
      - LATEST NEWS: Sguil CD (ISO) for server / sensor installation released today (2004-05-07)

37. What we have learned
    - The benefits of running Snort + SGUIL
      - Alerts are pushed to the console
      - Advanced features like session statistics and transcripts exist
    - How the different parts of SGUIL work together
    - SGUIL alert categories

38. Questions?
    - Got any questions? Now is the time to ask them!
