Simulation of IDS by using Activeworx Security Center (ASC) and Snort, MySQL, CommView Presented by Shamsul Wazed & Quazi Rahman School of Computer Science.

Simulation of IDS by using Activeworx Security Center (ASC) and Snort, MySQL, CommView. Presented by Shamsul Wazed & Quazi Rahman, School of Computer Science, University of Windsor, ON. March 29, 2006.

Outline
  - Introduction
  - Snort
  - MySQL Server
  - CommView
  - Activeworx Security Center
  - IDS Simulation
  - Demonstration

Introduction
  Intrusion Detection System (IDS)
    - Collects data from network traffic coming into a system
    - Tries to match it against known patterns of attack (signatures)
    - Raises an alert and logs the matching packet and the details of the attack to a database. Detection and logging is all an IDS does; dropping the matched traffic requires running Snort inline as an IPS.
  Snort
    - A very popular open-source IDS
    - Can be configured to run in sniffer mode, packet logger mode or network IDS mode
    - A number of Snort add-ons are available for monitoring Snort, analysing results and writing Snort rules

Introduction: Simulation of IDS
  The following tools and OS are used in this project:
    - Snort: intrusion detection system
    - MySQL: database server
    - CommView: packet generator and sniffer
    - Activeworx Security Center (ASC): Snort add-on
    - .NET Framework: additional software required by ASC Desktop
    - Windows XP: operating system

Snort

Snort: WinPcap
  - WinPcap must be installed before Snort can capture packets on Windows
  - At the time of this presentation the latest WinPcap version was 3.1, for Windows 95/98/ME/NT4/2000/XP/2003
  - WinPcap is free; download the executable "winPcap_3_1.exe" (456 KB) and run it to install

Snort
  - Snort is an open-source IDS
  - It can be configured to run in three modes:
    Sniffer mode: simply reads the packets off the network and displays them on the console
      ./snort -vd
    Packet logger mode: logs the packets to disk
      ./snort -dev -l c:\snort\log -h /24
    Network IDS mode: analyses network traffic for matches against a user-defined rule set and performs the action (alert, log, pass) the matching rule specifies
      ./snort -dev -l c:\snort\log -h /24 -c c:\snort\etc\snort.conf
  - Flags used above: -v verbose (print packets), -d dump application-layer data, -e show link-layer headers, -l log directory, -h home network, -c configuration file

Snort: Installation
  - Install Snort version 2.4.3
  - Download the executable "Snort-243-Installer.exe" (1.43 MB)
  - Select the "typical" installation, which installs Snort into the C:\Snort directory

Snort: Important files and their locations
  - Snort configuration file: C:\Snort\etc\snort.conf
  - Snort executable: C:\Snort\bin\snort.exe
  - Snort log files: C:\Snort\bin\log\alert.ids and C:\Snort\bin\log\snort.log (the log directory is whatever -l points at when Snort is started)
  - Snort rules file (contains only this project's 10 rules): C:\Snort\rules\local.rules

Snort: Configuration
  - The file snort.conf has to be edited before running Snort
  - The following steps create a custom configuration:
    1. Set the network variables
    2. Configure preprocessors
    3. Configure output plugins
    4. Add any runtime config directives
    5. Customize the rule set

Snort: Configuration (continued)
  We took the following steps to configure Snort:
  - Set the HOME_NET variable:
      var HOME_NET /24
  - Set the RULE_PATH variable:
      var RULE_PATH c:\Snort\rules
  - Uncommented the following lines:
      output alert_syslog: LOG_AUTH LOG_ALERT
      output log_tcpdump: snort.log
      include c:\Snort\rules\classification.config
      include c:\Snort\rules\reference.config

Snort: Configuration (continued)
  - Changed the database output plugin so that alerts go to the ids database and full packet logs to the tcpdump database:
      output database: alert, mysql, user=root password=wazed dbname=ids host=localhost
      output database: log, mysql, user=root password=wazed dbname=tcpdump host=localhost
    Two things a production deployment should not copy from this lab setup: Snort connects as the MySQL root account, and the password sits in clear text in snort.conf. Create a dedicated MySQL user with INSERT and SELECT on the two databases only, and restrict read access to snort.conf to the account Snort runs under.
  - Included the rule set relevant to this project:
      include $RULE_PATH/local.rules
  - Commented out all other include lines for rule files

MySQL Server

MySQL Server: Installation and configuration (wizard screenshots)
  - Download MySQL Database Server 5.0
  - Install MySQL Server
  - Configure MySQL Server with the configuration wizard:
    - Choose Detailed Configuration
    - Choose Dedicated MySQL Server Machine
    - Choose Multifunctional Database
    - Configure network support (TCP/IP networking on the default port 3306)
    - Change the root password

MySQL Server: MySQL Connector/ODBC
  - ODBC is a standardized API that allows connections to SQL database servers
  - ODBC is usually used when database independence or simultaneous access to different data sources is required
  - MyODBC 3.51 (installed in this project), also known as the MySQL ODBC 3.51 driver, is a 32-bit ODBC driver available for download from MySQL

MySQL Server: Using MySQL
  The following examples show how to work with the different databases and tables from the DOS prompt:

    C:\mysql\MySQL Server 5.0\bin>mysql -u root -p
    Enter password: *****
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 18 to server version: nt

    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

MySQL Server: Using MySQL

    mysql> show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    | aef                |
    | aw_aef             |
    | aw_asc             |
    | aw_fw              |
    | ids                |
    | mysql              |
    | sebek              |
    | syslog             |
    | tcpdump            |
    | test               |
    | vuln               |
    +--------------------+
    12 rows in set (0.19 sec)

MySQL Server: Using MySQL

    mysql> use ids;
    Database changed
    mysql> show tables;
    +------------------+
    | Tables_in_ids    |
    +------------------+
    | data             |
    | detail           |
    | encoding         |
    | event            |
    | icmphdr          |
    | iphdr            |
    | opt              |
    | reference        |
    | reference_system |
    | schema           |
    | sensor           |
    | sig_class        |
    | sig_reference    |
    | signature        |
    | tcphdr           |
    | udphdr           |
    +------------------+
    16 rows in set (0.00 sec)

MySQL Server: Using MySQL

    mysql> describe event;
    +-----------+------------------+------+-----+---------+-------+
    | Field     | Type             | Null | Key | Default | Extra |
    +-----------+------------------+------+-----+---------+-------+
    | sid       | int(10) unsigned | NO   | PRI |         |       |
    | cid       | int(10) unsigned | NO   | PRI |         |       |
    | signature | int(10) unsigned | NO   | MUL |         |       |
    | timestamp | datetime         | NO   | MUL |         |       |
    +-----------+------------------+------+-----+---------+-------+
    4 rows in set (0.19 sec)

  sid is the sensor id, cid the per-sensor event counter, and (sid, cid) is the key the header and payload tables (iphdr, tcphdr, data, ...) join on; signature references signature.sig_id.
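The query side of the event database, as an added example that is not part of the presentation or of Activeworx: it builds an in-memory SQLite copy of four of the tables listed above, loads a handful of constructed alerts, and runs the aggregate queries that ASC's signature view and its "Top 10 IDS Destination" graph amount to. The event columns are the ones shown by describe event; the sensor, signature and iphdr columns follow the Snort database schema as I remember it and are an assumption. Signature names are constructed; only the sids 382 and 683 are taken from the slides.

```python
"""Aggregate queries over a subset of the Snort event database schema.

Added example; runs against in-memory SQLite so it works offline. The MySQL
'ids' database of the presentation uses the same table and column names.
"""
import sqlite3
from ipaddress import IPv4Address

# event columns match the describe output; the other three tables are an
# assumption based on Snort's create_mysql script.
SCHEMA = """
CREATE TABLE sensor (
    sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (
    sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL,
    sig_sid INTEGER, sig_priority INTEGER);
CREATE TABLE event (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    signature INTEGER NOT NULL, timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    ip_src INTEGER NOT NULL, ip_dst INTEGER NOT NULL,  -- IPv4 as 32-bit int
    ip_proto INTEGER NOT NULL,
    PRIMARY KEY (sid, cid));
"""

# Constructed sample data. Names are made up; sids 382/683 are from the slides.
SAMPLE_SIGNATURES = [
    (1, "SAMPLE ICMP probe", 382, 3),
    (2, "SAMPLE SQL login failure", 683, 2),
]
# (cid, sig_id, timestamp, src, dst, ip_proto)
SAMPLE_EVENTS = [
    (1, 1, "2006-03-29 10:00:01", "192.168.0.20", "192.168.0.10", 1),
    (2, 1, "2006-03-29 10:00:02", "192.168.0.20", "192.168.0.10", 1),
    (3, 1, "2006-03-29 10:00:03", "192.168.0.20", "192.168.0.10", 1),
    (4, 2, "2006-03-29 10:00:09", "192.168.0.20", "192.168.0.10", 6),
    (5, 1, "2006-03-29 10:01:00", "192.168.0.21", "192.168.0.11", 1),
]


def ip_to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def int_to_ip(value: int) -> str:
    return str(IPv4Address(value))


def open_sample_db() -> sqlite3.Connection:
    """Create the schema and load the constructed alerts for sensor 1."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor VALUES (1, 'PC1', '2')")
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?, ?)", SAMPLE_SIGNATURES)
    for cid, sig_id, ts, src, dst, proto in SAMPLE_EVENTS:
        conn.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig_id, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?, ?)",
                     (cid, ip_to_int(src), ip_to_int(dst), proto))
    conn.commit()
    return conn


def top_signatures(conn, limit=10):
    """Alert count per rule, most frequent first: (sid, name, hits)."""
    return conn.execute("""
        SELECT s.sig_sid, s.sig_name, COUNT(*) AS hits
        FROM event e JOIN signature s ON s.sig_id = e.signature
        GROUP BY s.sig_id
        ORDER BY hits DESC, s.sig_sid
        LIMIT ?""", (limit,)).fetchall()


def top_destinations(conn, limit=10):
    """'Top 10 IDS Destination': event joined to iphdr on the (sid, cid) key."""
    rows = conn.execute("""
        SELECT i.ip_dst, COUNT(*) AS hits
        FROM event e JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        GROUP BY i.ip_dst
        ORDER BY hits DESC, i.ip_dst
        LIMIT ?""", (limit,)).fetchall()
    return [(int_to_ip(dst), hits) for dst, hits in rows]


def events_from_source(conn, src: str):
    """Drill-down from one source address to its individual alerts."""
    return conn.execute("""
        SELECT e.cid, s.sig_sid, e.timestamp
        FROM event e
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        JOIN signature s ON s.sig_id = e.signature
        WHERE i.ip_src = ?
        ORDER BY e.cid""", (ip_to_int(src),)).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print(top_signatures(db))
    print(top_destinations(db))
    print(events_from_source(db, "192.168.0.20"))
```

The same three statements run unchanged against the MySQL ids database once the integer IP columns are converted with INET_NTOA instead of ipaddress; the point to notice is that every per-packet table joins on the composite (sid, cid) key, so a query that joins on cid alone double-counts as soon as a second sensor writes to the database.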


CommView

CommView: What is CommView
  - An application for capturing and analysing network packets
  - It can save the captured packets to log files
  - Its packet generator can build ICMP, TCP and UDP packets of up to 1.5 KB and transmit them at up to 5,000 packets per second
  Installation
  - System requirements: Pentium II or higher, Windows 98/ME/2000/XP/2003, 128 MB RAM and 6 MB free disk space
  - Download the 30-day trial version of CommView 5.1

CommView: Latest IP Connections (screenshot)
  1. Select the network interface
  2. Start capturing

CommView: Packet analysis with payload decoding (screenshot)

CommView: Packet Generator (Tools > Packet Generator), screenshot annotations
  - TCP packet, default packet size
  - Source IP shown as a numeric value and as hex bytes (edit the hex bytes here)
  - Destination port shown as a numeric value and as hex bytes
  - Added a 5-byte payload, which changes the packet size
  - Press the Sigma button to correct the checksums
  - After pressing Sigma the data length field reads 5 (the 5 payload bytes have been added to the length) and the checksum is corrected; press Send
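What the Sigma button is doing, as an added example that is not taken from CommView or from the presentation: build an IPv4/TCP packet, append a 5-byte payload without touching the headers (what editing the hex view does on its own), show that the IP total length and the TCP checksum are now wrong, then recompute them the way the generator does. Addresses, ports and the payload are constructed; nothing is put on the wire, since sending raw frames on Windows needs WinPcap.

```python
"""Build an IPv4/TCP packet, break it by appending payload, then fix it.

Added example; the addresses, ports and payload below are constructed.
"""
import socket
import struct

IP_PROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement of the one's-complement sum of 16-bit words.
    Computed over a header whose checksum field is already correct, it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      ident: int = 0x1234, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, header checksum filled in."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,          # version 4, IHL 5 words
        0,                     # DSCP/ECN
        20 + payload_len,      # total length
        ident, 0,              # identification, flags/fragment offset
        ttl, IP_PROTO_TCP,
        0,                     # checksum placeholder
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]


def build_tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes,
                      seq: int = 1, flags: int = 0x02, window: int = 8192) -> bytes:
    """20-byte TCP header plus payload; the checksum covers the pseudo-header too."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, IP_PROTO_TCP, len(header) + len(payload)))
    csum = inet_checksum(pseudo + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    tcp = build_tcp_segment(src, dst, sport, dport, payload)
    return build_ipv4_header(src, dst, len(tcp)) + tcp


def verify_packet(packet: bytes) -> dict:
    """The checks a receiving stack (or Snort's decoder) applies before the payload."""
    ip_hdr, tcp = packet[:20], packet[20:]
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp))
    return {
        "length_ok": total_len == len(packet),
        "ip_checksum_ok": inet_checksum(ip_hdr) == 0,
        "tcp_checksum_ok": inet_checksum(pseudo + tcp) == 0,
    }


def append_payload_uncorrected(packet: bytes, extra: bytes) -> bytes:
    """Editing the hex view by hand: bytes added, length and checksums untouched."""
    return packet + extra


def fix_checksums(packet: bytes) -> bytes:
    """The Sigma step: rewrite the IP total length, then both checksums, in place."""
    ip_hdr, tcp = bytearray(packet[:20]), bytearray(packet[20:])
    struct.pack_into("!H", ip_hdr, 2, len(packet))
    struct.pack_into("!H", ip_hdr, 10, 0)
    struct.pack_into("!H", ip_hdr, 10, inet_checksum(bytes(ip_hdr)))
    struct.pack_into("!H", tcp, 16, 0)
    pseudo = bytes(ip_hdr[12:20]) + struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp))
    struct.pack_into("!H", tcp, 16, inet_checksum(pseudo + bytes(tcp)))
    return bytes(ip_hdr) + bytes(tcp)


if __name__ == "__main__":
    pkt = build_packet("192.168.0.2", "192.168.0.1", 40000, 80)
    broken = append_payload_uncorrected(pkt, b"hello")
    print("before Sigma:", verify_packet(broken))
    print("after Sigma: ", verify_packet(fix_checksums(broken)))
```

The TCP checksum fails after the edit for two reasons at once: the five payload words now enter the sum, and the pseudo-header length changed from 20 to 25. The IP header checksum stays valid because no header byte changed, which is exactly why a stack that trusts it would still read a stale total length. A packet sent without the Sigma step is therefore dropped by the target's TCP stack before any application sees it, but Snort's decoder still sees and can alert on it, so a test that "works" in the IDS console may never have reached the service.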

Activeworx Security Center (ASC)

Activeworx Security Center: Overview
  - ASC is an event management solution for Snort
  - It works with Snort 1.8 or newer
  - It supports MySQL as well as Microsoft SQL Server
  - It allows us to view IDS data in different ways:
    - Unique views
    - List views
    - Interactive graphics and charts
    - Event relationship diagram
    - Payload decoders

Activeworx Security Center: Installation
  - System requirements: Pentium 4 or later, Windows 2000/XP/2003, 512 MB RAM and 250 MB free disk space
  - The ASC version 2.6 components are distributed as Microsoft Installer files; download and run:
      asc.desktop.msi (55.7 MB)
      asc.manager.msi (51.1 MB)

Activeworx Security Center: Databases
  - Two different types of database: the primary database and event databases
  - Log on to ASC Database Manager
  - Use the default Snort IDS database schema
  - Configure the primary database
  - Use the "Add Database Wizard" to create an event database

Activeworx Security Center: Databases (screenshots)
  - Primary database
  - Event database
  - Add user
  - Check connectivity

Snort IDS Simulation & Testing

Snort IDS Simulation: Hardware configuration
  - Target machine PC1 (OS: Windows XP): Dell, Celeron CPU (CPU speed and RAM not given)
  - Source machine PC2 (OS: Windows XP): Dell, Celeron CPU (CPU speed and RAM not given)
  - Router: TRENDnet wireless router, 108 Mbps, IEEE 802.11g compliant

Snort IDS Simulation
  From PC1 (target)
  - Run Snort from the console:
      snort -c c:\snort\etc\snort.conf -h /24 -v -i2
    -i2 selects the second capture interface; run snort -W first to list the interface numbers WinPcap sees. -v prints every packet to the console and slows Snort down, so in IDS mode it is better left off once the setup is known to work.
  - Log in to and run ASC Desktop
  - Run CommView (sniffer)
  From PC2 (source)
  - Run CommView (sniffer)
  - Generate and send "bad packets" to PC1 with the CommView packet generator

Activeworx Security Center Desktop: IDS Events (screenshots)
  - Event Overview
  - List Events
  - List Events, grouped by sensor
  - Event Information 1: sid 382
  - Event Information 2: sid 683
  - Event Reference 1: sid 382
  - Graphs: Top 10 IDS Destination
  - Reports: IDS Overview

Demonstration
  Please meet us in Room 3144, Lambton Tower, School of Computer Science, University of Windsor, ON (ext. 4406)