December 7, 2010
Work Proposal
The purpose of this work is to:
- Explain a basic IDS architecture and topology
- Explain a more advanced IDS solution
- Install SNORT on the FEUP Ubuntu distribution and test some of its features
- Demonstrate SNORT with: basic network access connections; an external network vulnerability scanner
- Show how to create simple SNORT rules
- Provide a step-by-step installation manual to encourage other students to test it
What is Intrusion Detection?
Intrusion detection is a set of techniques and methods used to detect suspicious activity at both the network and the host level.
Categories:
- Signature-based intrusion detection
- Anomaly detection systems
SNORT is primarily a rule-based (signature) IDS; however, input plug-ins are present to detect anomalies in protocol headers.
Typical location for an intrusion detection system
Diagram: Internet, modem, firewall, switch, intranet; the IDS is attached to a mirrored port on the switch.
Port mirroring example for a Cisco Catalyst 6509 or 3750 (x/x is the slot/port to fill in):
  #configure terminal
  (config)#monitor session 1 source interface GigabitEthernet x/x
  (config)#monitor session 1 destination interface GigabitEthernet x/x
Using 2 NICs - Stealth Interface
Diagram: Internet, modem, firewall, switch, intranet; the IDS sniffs the monitored segment on eth0 and is managed through eth1 on a private isolated network connected to the management workstation.
Adopted Solution
Diagram: Internet, modem, firewall, FEUP switch, intranet; the IDS runs in a virtual machine, with remote web access and a vulnerability scanner reaching it from the outside.
What's SNORT?
SNORT is an open source Network Intrusion Detection System. It's capable of performing real-time traffic analysis and packet logging on IP networks.
SNORT Modes
SNORT can be configured to run in three modes:
- Sniffer mode
- Packet Logger mode
- Network Intrusion Detection System (NIDS) mode
SNORT Components (processing pipeline)
Network -> Packet Capture Module -> Packet Decoder -> Preprocessors -> Detection Engine (Rulesets) -> Logging and Alerting System -> Output Modules -> Output (alert or log files / DB)
Integration with other packages
- BASE (PHP)
- Apache
- ADOdb
- Barnyard
- MySQL
Block diagram of a complete network intrusion detection system
- An intruder tries to attack hosts present on the monitored network.
- The sensor captures the intruder's data and stores it in a MySQL database using the output plug-in.
- MySQL database.
- A user looks at the intrusion data collected by SNORT through a web browser.
- Apache web server with PHP and the GD library.
The Rule Header
  alert tcp any any -> any any (msg:"Sample alert";)
The header contains the following fields:
- Action (log, alert)
- Protocol (ip, tcp, udp, icmp, any)
- Source IP and port
- Destination IP and port
- Direction operator (->, <>)
The Rule Header
  alert tcp $EXTERNAL_NET any -> 192.168.3.0/24 80 (msg:"Sample alert";)
Source or destination IP addresses can be:
- Variables ($HOME_NET)
- Individual IP addresses
- CIDR blocks
- Lists ([192.168.3.12,192.168.3.9])
Ports can be:
- Individual ports
- Port ranges (80:85, :1024, 1025:)
The Rule Body
  alert tcp any any -> any any (msg:"Sample alert";)
The body is usually the complex part:
- It begins and ends with parentheses ()
- It is a series of rule options (keywords, with optional parameters) separated by ;
The Rule Body Options
Five types of options:
- Metadata
- Payload detection
- Non-payload detection
- Post-detection
- Thresholding and suppression
The Rule Body Options - Metadata
Metadata options provide SNORT with information about the rule itself or pass information on to the analyst.
Examples:
- msg specifies the human-readable alert message
- reference includes a URL for more information
- classtype and priority give some idea about the type of attack and the severity of the event
- sid and rev uniquely identify the rule (including revisions and edits)
The Rule Body Options - Payload Detection
Payload detection options look inside the packet payload (not the packet headers). This is the meat of an IDS!
There are many options to fit many needs, but start with the basics:
- content looks for a string of bytes
- nocase modifies content, making the match case-insensitive
- offset skips a certain number of bytes before searching
- pcre allows the use of Perl-compatible regular expressions (support must be compiled in)
Test Rule
  alert tcp any any <> any 80 (msg:"Test web activity"; sid:1000001;)
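To make the header and body syntax of the preceding slides concrete, here is a small rule parser and header matcher written for this write-up (an added example, not code from the slides or from SNORT itself). It assumes constructed values for $HOME_NET and $EXTERNAL_NET, and covers only the header fields, address and port forms, direction operators and option syntax described above, not SNORT's payload matching.

```python
import ipaddress
import re

VARS = {"$HOME_NET": "192.168.3.0/24", "$EXTERNAL_NET": "any"}  # constructed values (assumption)
HEADER = re.compile(r"\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*")
# An option is a keyword, optionally ":" plus a quoted or unquoted value, terminated by ";".
OPTION = re.compile(r'([a-z_]+)\s*(?::\s*("[^"]*"|[^;]*))?;')

def parse_rule(text):
    """Split a rule into its header fields and a list of (keyword, value) body options."""
    m = HEADER.fullmatch(text)
    if not m:
        raise ValueError("malformed rule: " + text)
    action, proto, sip, sport, direction, dip, dport, body = m.groups()
    options = [(k, v.strip().strip('"')) for k, v in OPTION.findall(body)]
    return {"action": action, "proto": proto, "src": (sip, sport),
            "dir": direction, "dst": (dip, dport), "options": options}

def ip_matches(spec, addr):
    """Address spec: 'any', a $VARIABLE, a single IP, a CIDR block or a [list] of those."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_matches(s, addr) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """Port spec: 'any', a single port, or lo:hi where either bound may be left open."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return int(spec) == port

def header_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """True when the packet's 5-tuple satisfies the rule header ('<>' matches both directions)."""
    if rule["proto"] not in (proto, "ip"):
        return False

    def one_way(sender, receiver):  # each is an (ip spec, port spec) pair
        return (ip_matches(sender[0], src_ip) and port_matches(sender[1], src_port)
                and ip_matches(receiver[0], dst_ip) and port_matches(receiver[1], dst_port))
    return one_way(rule["src"], rule["dst"]) or (
        rule["dir"] == "<>" and one_way(rule["dst"], rule["src"]))
```

Run with the Test Rule above to see that `<>` fires on both the client request to port 80 and the server reply from port 80, while the `->` rule from the header slide only fires on traffic into 192.168.3.0/24.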
BASE Screenshot
Prerequisites
Precompiled modules (Ubuntu packages): mysql-server, libpcap0.8-dev, libmysqlclient16-dev, bison, flex, apache2, libapache2-mod-php5, php5-gd, php5-mysql, libtool, libpcre3-dev, php-pear, vim, ssh, g++ (required for the new libdnet), base
Prerequisites (cont.)
Source code modules that need to be compiled:
- adodb
- libdnet
- barnyard2
The SNORT package
The SNORT package consists of the following modules:
- snort
- daq
- snort-rules
Configuration Files
The following configuration files need some customization, described in the attached instructions:
- /etc/php5/apache2/php.ini
- /etc/snort/snort.conf
- /etc/snort/barnyard2.conf
Conclusion
- A very useful exercise: a refresh of IDS and other related network security concepts.
- Future work: integrating an additional tool to automatically update firewall rules based on the alerts generated by SNORT (like Guardian).
Questions?