1 Network Intrusion Detection System & Its Analyzer: Snort & ACID 60-564: Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal Presented.

Slide 1: Network Intrusion Detection System & Its Analyzer: Snort & ACID
60-564: Security and Privacy on the Internet
Instructor: Dr. A. K. Aggarwal
Presented By: Ahmedur Rahman, Zillur Rahman, Lawangeen Khan
Date: March 27, 2006

Slide 2: Table of Contents
– Introduction
– Test-bed
– Software Components Used
– Installation & Configuration
– Testing
– Acknowledgement
– References
– Demonstration

Slide 3: Introduction
An Intrusion Detection System (IDS) detects unwanted manipulation of systems. It is required to detect the malicious network traffic and computer usage that a conventional firewall cannot detect: network attacks against vulnerable services, data-driven attacks on applications, and host-based attacks. An IDS is composed of several components:
– Sensors: generate security events.
– Console: monitors events and alerts and controls the sensors.
– Engine: records the events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received.

Slide 4: Test-bed
We prepared a small network for the project with the following:
– Laptop 1 (software components): Windows XP Home, WinPcap, CommView (packet generator)
– Laptop 2 (software components): Windows XP Professional, IIS, PHP, ADODB, MySQL, WinPcap, Snort, ACID, JpGraph
– Router: D-Link Ethernet broadband router

Slide 5: Software Components Used
WinPcap 3.1:
– Industry-standard tool for link-layer network access in Windows environments.
– Allows applications to capture and transmit network packets, bypassing the protocol stack.
– Includes kernel-level packet filtering, a network statistics engine and support for remote packet capture.

Slide 6: Software Components Used (cont.)
ADODB 4.72:
– A database abstraction library for PHP and Python.
– Lets developers write applications in a fairly consistent way regardless of the underlying database storing the information.

Slide 7: Software Components Used (cont.)
IIS 5.x:
– A powerful Web server that provides a highly reliable, manageable and scalable Web application infrastructure for all versions of Windows Server.
– Helps organizations increase Web site and application availability while lowering system administration costs.
PHP 4.3.9:
– A widely used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.

Slide 8: Software Components Used (cont.)
MySQL 4.1:
– Delivers a very fast, multi-threaded, multi-user and robust SQL (Structured Query Language) database server.
– Intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a registered trademark of MySQL AB.

Slide 9: Software Components Used (cont.)
Snort 2.4.3:
– Snort is a versatile, lightweight network IDS.
– Rules-based detection engine; the rules are editable and freely available.
– Capable of performing real-time traffic analysis and packet logging on IP networks.
– Performs protocol analysis and content searching/matching.
– Can be used to detect a variety of attacks and probes.

Slide 10: Software Components Used (cont.)
ACID 0.9.6b21:
– The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by IDSs, firewalls and network monitoring tools.
– The console is very useful for viewing Snort alerts in many different ways.
– You can search or view by source, destination, alert type, alert time, port number and/or protocol.
– You can create alert groups and delete alerts, all from this console.

Slide 11: Software Components Used (cont.)
JpGraph:
– JpGraph is an object-oriented graph-creation library for PHP. It is written entirely in PHP and ready to be used in any PHP script.
– The library can be used to create numerous types of graphs, either on-line or written to a file.
– ACID uses JpGraph to draw the bar, line and pie charts that show us the alerts.

Slide 12: Software Components Used (cont.)
CommView 5.1:
– Generates traffic reports in real time.
– Imports and exports packets in hex and text formats.
– Lets you create your own plug-ins for decoding any protocol.
– Shows detailed IP connection statistics: IP addresses, ports, sessions, etc.
– Searches for strings or hex data in captured packet contents.
– Exchanges data with your application over TCP/IP.
– Captures loopback traffic.
– We used CommView in our project only as a traffic generator.

Slide 13: Installation & Configuration: MySQL Server 4.1
– Installation: used the Windows installation wizard.
– Configuration: edit my.ini:
  Add the line old_passwords (the PHP 4 mysql extension only understands the pre-4.1 password hash format).
  Uncomment the port = 3306 line.
– Execute the following at the mysql prompt (the account name after FOR did not survive extraction; 'newpwd' is the placeholder from the MySQL manual):
  mysql> SET PASSWORD FOR … = OLD_PASSWORD('newpwd');
  For our case we used:
  mysql> SET PASSWORD FOR … = OLD_PASSWORD('snort');

Slide 14: Installation & Configuration (cont.): PHP 4.3.9
– Installation: used the Windows installer wizard; following the prompts installs PHP successfully.
– Configuration:
  Create a directory named extensions in the PHP folder.
  In php.ini, uncomment and set (the directive is lowercase and the path is a quoted string):
    extension_dir = "C:\PHP\extensions"
  Uncomment and set:
    cgi.force_redirect = 0

Slide 15: Installation & Configuration (cont.): IIS Configuration
– Open the Internet Information Services console.
– Expand the server name.
– Expand Web Sites.
– Right-click Default Web Site and open Properties.
– Click the Home Directory tab.
– Click Configuration near the bottom.
– Under Application Mappings click Add.
– Browse to or type in C:\PHP\php.exe.
– Type .php for the extension.
– Check the Script Engine check box.
– Click OK all the way out of Properties.

Slide 16: Installation & Configuration (cont.): Snort Installation
– WinPcap MUST be installed first. Straightforward Windows installation:
– Double-click the executable installation file.
– The GNU Public License appears. Click the I Agree button.
– In the Installation Options dialog box, click the appropriate boxes to select from among these options:
  "I do not plan to log to a database, or I am planning to log to one of the databases listed above." Choose this option if you are not using a database or if you are using MySQL or ODBC databases. Snort has built-in support for these databases, and here we chose this option.
  "I need support for logging to Microsoft SQL Server."
  "I need support for logging to Oracle." Only choose this option if you plan to use an Oracle database.
– The next steps are simple and straightforward.

Slide 17: Installation & Configuration (cont.): Configuring snort.conf
– Correct the rules path: var RULE_PATH C:\Snort\rules
– Database connection: uncomment the line appropriate to the database. For our case we uncommented and modified the following line:
  output database: log, mysql, user=root password=snort dbname=snort host=localhost
Note that this line stores the MySQL root password in plain text in snort.conf, so the file should be readable only by the account that runs Snort; a dedicated MySQL account holding only the privileges Snort needs on the snort database is the usual hardening.

Slide 18: Installation & Configuration (cont.): Configuring snort.conf (continued)
– Find: include classification.config and replace it with the actual path: include C:\Snort\etc\classification.config
– Find: include reference.config and replace it with the actual path: include C:\Snort\etc\reference.config
– Create the Snort database: locate the create_mysql file in C:\Snort\schemas, go to the command line, change to MySQL's bin directory and issue:
  mysql -u root -p snort < C:\Snort\schemas\create_mysql
  (-p with no value prompts for the password; the word after it is the database name, which must already exist, e.g. CREATE DATABASE snort; at the mysql prompt. The user matches the user=root set in snort.conf.)
– This creates all the tables of the snort database that ACID uses.

Slide 19: Installation & Configuration (cont.)
Install ADODB:
– Download the ADODB zip file and extract it into C:\Inetpub\wwwroot\adodb
Install JpGraph:
– Download the JpGraph zip file and extract it into C:\Inetpub\wwwroot\jpgraph
Install CommView:
– Download the zip file and extract it into C:\
– Double-click setup.exe and follow the installation wizard.
Install ACID:
– Download acid-0.9.6b21.tar.gz and extract it into C:\Inetpub\wwwroot\acid

Slide 20: Installation & Configuration (cont.): Configure acid_conf.php
The values are PHP strings and must be quoted; the variable names below use the capitalisation ACID expects:
– Give the ADODB library path: $DBlib_path = "C:\Inetpub\wwwroot\adodb";
– Give the chart library path and output format: $ChartLib_path = "C:\Inetpub\wwwroot\jpgraph\src"; $chart_file_format = "png";
– Configure the database: $DBtype = "mysql"; $alert_dbname = "snort"; $alert_host = "localhost"; $alert_user = "root"; $alert_password = "snort"; $db_connect_method = 1;

Slide 21: Testing
Step 1: Generate a packet on Laptop 1
– Open CommView.
– Go to Tools > Packet Generator. A window like the one below opens (screenshot not included in the transcript).

Slide 22: Testing (cont.)
– Select the type of packet (TCP/UDP/ICMP).
– Write the destination MAC, source MAC, destination IP and source IP.
– Place the packet contents after the Urgent Pointer field.
– Calculate the total length.
– Click the checksum button. If all checksums show correct, the packet is ready.
– All information has to be in hex format.

Slide 23: Testing (cont.)
– A sample packet with sid:356 is shown below (screenshot not included in the transcript).
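The total-length and checksum steps of slide 22, carried out in code as an added example (this is not the presentation's own material): it builds an IPv4/TCP packet, fills in both checksums, prints the hex that a packet generator such as CommView accepts, and re-verifies the checksums the way a receiver does. Addresses, ports and payload are constructed sample values, and the sid:356 test packet from the slides is not reproduced.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 header and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    """Checksum to store in a header whose checksum field is currently zero."""
    return (~ones_complement_sum(data)) & 0xFFFF

def build_ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int,
                   payload: bytes, seq: int = 1, ack: int = 1, flags: int = 0x18) -> bytes:
    """IPv4 + TCP packet (no options) with total length and both checksums filled in."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    tcp_len = 20 + len(payload)
    # TCP: ports, seq, ack, data offset 5 (x4 = 20 bytes), flags (PSH|ACK), window, csum=0, urg=0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)   # TCP pseudo-header, proto 6
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    # IPv4: version 4 / IHL 5, TOS 0, total length, id, no fragmentation, TTL 64, proto TCP, csum=0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload

def verify(packet: bytes) -> bool:
    """Re-check both checksums as a receiver does: the folded sum over each
    region, checksum field included, must come to 0xFFFF."""
    ip = packet[:20]
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len != len(packet) or ip[9] != 6:
        return False
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, total_len - 20)
    return (ones_complement_sum(ip) == 0xFFFF
            and ones_complement_sum(pseudo + packet[20:]) == 0xFFFF)

if __name__ == "__main__":
    # Constructed sample values, not the presentation's actual test packet.
    pkt = build_ipv4_tcp("192.168.0.10", "192.168.0.20", 40000, 21, b"constructed test payload")
    print(pkt.hex())                         # hex form, as a packet generator expects it
    print("checksums ok:", verify(pkt))
```

The IPv4 header checksum alone is tested against the well-known textbook vector (header 4500 0073 0000 4000 4011 … c0a8 0001 c0a8 00c7, checksum b861), so the arithmetic can be checked independently of the constructed packet.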

Slide 24: Testing (cont.)
Step 2: Start Snort
– Go to the command prompt and change to C:\Snort\bin.
– Give the following command (the options take ordinary hyphens):
  C:\Snort\bin>snort -dev -c C:\snort\etc\snort.conf -l C:\snort\log -i 2
– It shows as below (screenshot not included in the transcript).

Slide 25: Testing (cont.)
We used the following options for the above Snort command:
– -c: use the given rules file
– -d: dump the application layer
– -e: display the second-layer (link-layer) header info
– -i: listen on the given interface (on Windows this is the interface number; snort -W lists the available interfaces)
– -l: log to the given directory
Step 3: Send the packet
– Choose the packet-sending options in CommView (sending rate, how many times / continuous, etc.).
– Then press the Send button.
Step 4: Watch Snort
– Snort shows that it is receiving packets continuously. When done, press Ctrl+C.
– The Snort screen shows that it has generated and logged the alerts successfully.

Slide 26: Testing (cont.) (screenshot only; not included in the transcript)

Slide 27: Testing (cont.)
Step 5: ACID viewer
– Open the browser and type the ACID address (the URL did not survive extraction).
– It takes you to the main page of ACID, which shows that all the alerts have been added to the cache.

Slide 28: Testing (cont.)
– View a snapshot of the alerts generated by ACID (screenshot not included in the transcript).

Slide 29: Testing (cont.)
– Click on Graph Alert Data. You can choose how to view the graph; there are three options: line, bar and pie.

Slide 30: Testing (cont.) (screenshot only; not included in the transcript)

Slide 31: Acknowledgement
We would like to thank all groups for helping to configure the different tools in the different phases, especially Group #01 (Tahira Farid & Anitha Prahladachar) for their help in generating packets with CommView. We would also like to thank Dr. Aggarwal for giving us this industry-standard, real-life project to implement.

Slide 32: References

Slide 33: Demonstration
– Laptop 1: Windows XP, CommView
– Router
– Laptop 2: Windows XP Pro, WinPcap, Snort, IIS, PHP, ADODB, ACID, JpGraph

Slide 34: Questions