NIDS with Snort and SnortSnarf
Presentation by Muhammad Hasan
Course: 60-564
Instructor: Dr. A. K. Aggarwal
Winter, 2006

Presentation transcript:


Slide 2: H/W and S/W Used (for Implementing and Testing the NIDS)

Testing System (with root privilege): Dell Dimension 4400 Pentium 4 machine with 1 NIC
O/S: WinXP Pro
S/W: WinPcap 3.1, MySQL Server 5.0, Microsoft IIS Web Server 5.1, ActivePerl, WinDump 3.93, Snort 2.43 Win32 binaries, SnortSnarf

Attack Generation System (with root privilege): Sony VAIO Pentium 4 laptop with wireless NIC
O/S: WinXP Pro
S/W: WinPcap 3.04a, Packet Excalibur, Ethereal

Router: NETGEAR WGR614 v5 router in default promiscuous mode.

Slide 3: Environment Variable Settings

The following paths are included in the $PATH variable:
C:\MySQL\bin; C:\Perl\bin; C:\Windump; C:\Snort\bin

Slide 4: Configuring Snort

Snort installation directory: C:\Snort
Install the Snort rules from Snort. Make a customized rule file named "pro.rules" and place it in C:\Snort\rules.
Make the following changes in the snort.conf file in C:\Snort\etc:

Original: var RULE_PATH ../rules
Change:   var RULE_PATH c:\Snort\rules   (the absolute location of the rules)

Note: find the entry for 'preprocessor sfportscan'.
Original: sense_level { low }
Change:   sense_level { low } \
(The trailing backslash continues the preprocessor line, so the option added on the next line remains part of the sfportscan configuration rather than being read as a new directive.)

Slide 5: Configuring Snort (Cont.)

Just below the changed line above add:
logfile { portscan.log }

Note: just below '# output log_tcpdump: tcpdump.log' insert this line:
output alert_fast: alert.ids

Original: include classification.config
Change:   include c:\Snort\etc\classification.config

Slide 6: Configuring Snort (Cont.)

Original: include reference.config
Change:   include c:\Snort\etc\reference.config

Original: # include threshold.conf
Change:   include c:\Snort\etc\threshold.conf

Uncomment the following line for database logging:
output database: log, mysql, user=root dbname=snort host=localhost

Delete all the included default rules and include the following:
include $RULE_PATH/pro.rules

Now save the file.
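To check a snort.conf edited as slides 4 to 6 describe, here is an added Python example (not code from the presentation). It first joins backslash-continued lines, which is the detail the sfportscan edit depends on, then extracts the var, preprocessor, output and include directives and flags settings a reviewer would question. The snort.conf fragment inside it is constructed to match the slides' edits; the proto and memcap values are the stock sfportscan defaults, and the findings and their severities are my own choice.

```python
"""Parse a hand-edited snort.conf and report settings worth a second look.

Added example, not the presentation's own code. Snort reads a directive
that ends in a backslash together with the following line, so the parser
must do the same before it can see the sfportscan options as one block.
"""
import re

# Constructed snort.conf fragment reflecting the slides' edits (demo values).
SAMPLE_CONF = r"""
var HOME_NET any
var RULE_PATH c:\Snort\rules
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low } \
    logfile { portscan.log }
# output log_tcpdump: tcpdump.log
output alert_fast: alert.ids
output database: log, mysql, user=root dbname=snort host=localhost
include c:\Snort\etc\classification.config
include c:\Snort\etc\reference.config
include c:\Snort\etc\threshold.conf
include $RULE_PATH/pro.rules
"""


def logical_lines(text):
    """Join backslash-continued lines, drop blanks and comments, squeeze spaces."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):           # continuation: keep collecting
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            lines.append(re.sub(r"\s+", " ", stripped))
    if buf.strip() and not buf.strip().startswith("#"):   # dangling continuation
        lines.append(re.sub(r"\s+", " ", buf.strip()))
    return lines


def parse_conf(text):
    """Collect the directives the slides touch: var, preprocessor, output, include."""
    conf = {"vars": {}, "preprocessors": {}, "outputs": [], "includes": []}
    for line in logical_lines(text):
        if line.startswith("var "):
            parts = line.split(" ", 2)
            if len(parts) == 3:
                conf["vars"][parts[1]] = parts[2]
        elif line.startswith("preprocessor "):
            name, _, args = line[len("preprocessor "):].partition(":")
            # sfportscan options look like: sense_level { low } logfile { portscan.log }
            conf["preprocessors"][name.strip()] = dict(
                re.findall(r"(\w+)\s*\{\s*([^}]*?)\s*\}", args))
        elif line.startswith("output "):
            plugin, _, args = line[len("output "):].partition(":")
            conf["outputs"].append((plugin.strip(), args.strip()))
        elif line.startswith("include "):
            conf["includes"].append(line[len("include "):])
    return conf


def check_conf(conf):
    """Return (severity, message) findings for the settings discussed on the slides."""
    findings = []
    rule_path = conf["vars"].get("RULE_PATH", "")
    if rule_path.startswith("."):
        findings.append(("warn", "RULE_PATH is relative; use the absolute rules directory"))
    ps = conf["preprocessors"].get("sfportscan")
    if ps is None:
        findings.append(("warn", "sfportscan preprocessor is not enabled"))
    elif "logfile" not in ps:
        findings.append(("warn", "sfportscan has no logfile; scans only reach the alert output"))
    if "alert_fast" not in [p for p, _ in conf["outputs"]]:
        findings.append(("info", "no alert_fast output; SnortSnarf reads alert.ids"))
    for plugin, args in conf["outputs"]:
        if plugin == "database":
            if "user=root" in args:
                findings.append(("high", "database output logs in as root; use a dedicated snort account"))
            if "password=" not in args:
                findings.append(("high", "database output has no password set"))
    if not [i for i in conf["includes"] if i.endswith(".rules")]:
        findings.append(("warn", "no rule files are included"))
    return findings


if __name__ == "__main__":
    for severity, message in check_conf(parse_conf(SAMPLE_CONF)):
        print(f"[{severity}] {message}")
```

Run as written, the only findings are the two "high" ones, both about the database output line the slides uncomment: it connects as root and carries no password. Creating a MySQL account that can only INSERT into the snort database, and putting its credentials on that line, removes both findings without changing anything else in the setup.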

Slide 7: Configuring Snort (Cont.)

To install Snort as a Windows service, type in the Command Prompt:
snort /SERVICE /INSTALL -c c:\snort\etc\snort.conf -l c:\Inetpub\wwwroot\log -U -K ascii -i2

To run Snort: go to Control Panel -> Administrative Tools -> Services. From the service list select "Snort" and click Start.
To stop Snort: go to Control Panel -> Administrative Tools -> Services. From the service list select "Snort" and click Stop.

Slide 8: Configuring ActivePerl

Perl installation directory: C:\Perl
Download the Perl Time modules and install them in c:\perl\lib\time\
Installing Perl database support: in the Command Prompt, run the Perl Package Manager by executing the ppm command. This is the console screen while running ppm:
C:\Documents and Settings\Administrator>ppm

Slide 9: Configuring ActivePerl (Cont.)

PPM>
PPM> install DBI
Install package 'DBI?' (y/N): y
...
PPM> install DBD-mysql
Install package 'DBD-mysql?' (y/N): y
...
PPM> install NET-MySQL
Install package 'NET-MySQL?' (y/N): y
...

Slide 10: Configuring IIS

Default installation location: c:\Inetpub
Create a new directory named 'log' under c:\Inetpub\wwwroot\
Create a new directory named 'cgi' under c:\Inetpub\wwwroot\
Go to Control Panel -> Administrative Tools and double-click the 'Internet Information Services' applet.
Expand 'Servername (local computer)', expand 'Web Sites' (if it exists), left-click 'Default Web Site', right-click the 'cgi' folder (in the window on the right), highlight and left-click 'Properties', then left-click the 'Directories' tab.
In the 'Local Path:' section, left-click the Read and Write boxes so they are checked; then, in 'Application Settings':

Slide 11: Configuring IIS (Cont.)

Use the down arrow to set 'Execute Permissions:' to 'Scripts and Executables'. Left-click 'Yes' if a 'Security Warning' is displayed, left-click 'Apply', left-click 'OK', and finally exit the 'Internet Information Services' applet.

Slide 12: Configuring MySQL and Snort

MySQL installation directory: C:\MySQL
Start the server: open a Command Prompt and type:
mysqld --console
Start the MySQL command interpreter: open a Command Prompt and type:
mysql --user=root mysql

Slide 13: Configuring MySQL and Snort (Cont.)

mysql>
Now create a database named 'snort' using the following SQL command:
mysql> CREATE DATABASE snort;
Then open another console and run the following command to load the Snort schema:
C:\Documents and Settings\Administrator> mysql -D snort -u root < C:\Snort\schemas\create_mysql

Slide 14: Configuring SnortSnarf

SnortSnarf installation directory: C:\SnortSnarf\
To process the Snort logs from the alert.ids file, create a batch file named 'starti.bat' and place a shortcut to it on the desktop:
@ECHO OFF
c:\snortsnarf\snortsnarf.pl -win -d c:\inetpub\wwwroot\log -dns -db c:\snortsnarf\ann-dir\annotation-base.xml -cgidir c:\inetpub\wwwroot\log\alert.ids

Slide 15: Configuring SnortSnarf (Cont.)

To process the Snort logs from the MySQL database, create a batch file named 'startdb.bat' and place a shortcut to it on the desktop:
@ECHO OFF
c:\snortsnarf\snortsnarf.pl -win -d c:\inetpub\wwwroot\log -dns -db c:\snortsnarf\ann-dir\annotation-base.xml -cgidir
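SnortSnarf turns alert.ids into per-signature and per-source HTML pages. The following added Python example (neither SnortSnarf's code nor the presentation's) does the same counting over the alert_fast format Snort writes, so the file can be sanity-checked before the batch file is run. The alert lines inside it are constructed, with made-up addresses and signature names; the third line shows the ICMP case that carries no ports and the fourth a rule without a classification, both of which the parser must accept.

```python
"""Summarise a Snort alert_fast file (alert.ids) per signature and per source.

Added example, not SnortSnarf's code. Each alert_fast line has the shape
  MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Classification: ...]
  [Priority: n] {PROTO} src:sport -> dst:dport
with the classification optional and the ports absent for ICMP.
"""
import re
from collections import Counter

# Constructed alert.ids content; addresses and signatures are made up for the demo.
SAMPLE_ALERTS = """\
03/29-14:02:11.123456  [**] [1:1000001:1] PRO test: suspicious HTTP request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.5:4444 -> 192.168.1.10:80
03/29-14:02:12.223456  [**] [1:1000001:1] PRO test: suspicious HTTP request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.5:4445 -> 192.168.1.10:80
03/29-14:02:15.000001  [**] [1:1000002:1] PRO test: oversized ICMP echo [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.7 -> 192.168.1.10
03/29-14:02:16.500000  [**] [1:1000003:1] PRO test: no classification given [**] [Priority: 2] {UDP} 192.168.1.5:1045 -> 192.168.1.10:1434
this line is garbage and must be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"      # optional
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["priority"] = int(rec.pop("prio"))
    rec["classification"] = rec.pop("cls") or "unclassified"
    for key in ("sport", "dport"):                      # ICMP alerts carry no ports
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarise(text):
    """Count alerts per signature and per source address; unparseable lines are counted, not fatal."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            skipped += 1
            continue
        alerts.append(rec)
    return {
        "alerts": alerts,
        "per_signature": Counter((a["gid"], a["sid"], a["msg"]) for a in alerts),
        "per_source": Counter(a["src"] for a in alerts),
        "skipped": skipped,
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_ALERTS)
    for (gid, sid, msg), n in summary["per_signature"].most_common():
        print(f"{n:4d}  [{gid}:{sid}] {msg}")
    for src, n in summary["per_source"].most_common():
        print(f"{n:4d}  from {src}")
    print(f"skipped {summary['skipped']} unparseable line(s)")
```

Counting a line the regex rejects instead of aborting matters in practice: a partially written last line (Snort is still appending while the file is read) or a stray blank should not make the whole summary disappear, but the skipped count should be visible so a parser bug is not mistaken for a quiet day.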

Slide 16: Preparing the Attack

Used Packet Excalibur. Installation directory: C:\PackEx\
It has a very easy-to-use graphical interface for packet generation.
Constructed the packets according to the Snort signatures and rules for the 10 selected signatures.
The 10 crafted packets were then added to a script called 'pro' located in C:\PackEx\scripts\
Load the script and then run it.

Slide 17: Testing the NIDS

Do the following steps sequentially:
On the testing machine:
Run the database server.
Run Snort.
Run WinDump as a sniffer with the following command: windump -i 2
On the attacking machine:
Run Ethereal to sniff.
Initiate the attack from Packet Excalibur.

Slide 18: Testing the NIDS (Cont.)

On the testing machine:
Run 'starti.bat' to generate the HTML from the alert.ids file, or run 'startdb.bat' to generate the HTML from the database logging.
Open a browser and at the address bar type:

Slide 19: DEMONSTRATION