Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intrusion Detection System using Snort & SAM 60-564: Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal Presented By: S. Rahaman & A.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Intrusion Detection System using Snort & SAM 60-564: Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal Presented By: S. Rahaman & A."— Presentation transcript:

1 Intrusion Detection System using Snort & SAM 60-564: Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal Presented By: S. Rahaman & A. Uddin Date: April 03, 2006

2 SNORT Snort is an Open Source IDS. Other open source tools like MySQL database, PHP, Apache Web Server & plug-in like ACID can be used with Snort to provide a visual representation of intrusion data.

3 Project Overview Test an IDS implemented with Snort, SAM & ACID.

4 SAM SAM (Snort Alert Monitor) is a platform independent Java based consol that gives a quick look at the snort alerts from the mysql database. SAM produces a high level overview (While ACID is great for digging the details of the attacks) SAM monitors the MySQL database and gives audible alert if the given condition is met, for instance if the system was attacked 100 times in 5 minutes period. can send email automatically to a person or a group whenever the threshold is reached SAM does not replace ACID but rather it complements it.

5 Hardware & Network Configuration Configuration of the Attacker PC: Pentium 4 2.8 GHz (Hyper threading enabled) RAM 512 MB Surecom EP-320X-R 100/10/M PCI Adapter OS: Linux (Redhat Fedora Core ) Configuration of Target PC: Pentium 4 3.2 GHz (Hyper threading enabled) RAM 1 GB SIS 900-Based PCI Fast Ethernet Adapter OS: Linux (Suse 10)

6 Software List MySQL Snort Apache Web Server PHP ADODB JPGraph ACID SAM SNOT There are more……

7 Software List

8 MySQL installation Create group and user for MySQL: [root@localhost root]# groupadd mysql [root@localhost root]# useradd -g mysql MySql Extract the archive: [root@localhost root]# cd /usr/local [root@localhost local]# tar zxvf /root/mysql-standard-4.1.18- pc-linux-gnu-i686 [root@localhost local]# ln -s /usr/local/mysql-standard- 4.1.18-pc-linux-gnu-i686/ mysql Execute the mysql_install_db script and set directory access right: [root@localhost local]# cd mysql [root@localhost mysql]# scripts/mysql_install_db --user=MySql [root@localhost mysql]# chown -R root. [root@localhost mysql]# chown -R mysql data [root@localhost mysql]# chgrp -R mysql.

9 MySql installation Start the MySQL server: [root@localhost mysql]# bin/mysqld_safe --user=mysql & Assign passwords to the local accounts for the database: shell> mysql -u root mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('spider1'); mysql> SET PASSWORD FOR 'root'@'host_name' = PASSWORD('spider1'); MySQL Installation guide says to assign password using the following commands, Which was not working for us: [root@localhost mysql]#./bin/mysqladmin -u root password spider1 [root@localhost mysql]#./bin/mysqladmin -u root -h hostname password spider1

10 Snort installation Create group and user for Snort: [root@localhost root]# groupadd snort [root@localhost root]# useradd -g snort snort Extract the archive: [root@localhost local]# tar zxvf snort-2.4.3.tar.gz Install Snort with MySQL support with the following command: [root@localhost snort-2.4.3]#./configure --with-mysql=/usr/local/mysql [root@localhost snort-2.4.3]# make [root@localhost snort-2.4.3]# make install Make was not working for us. We had to install zlib support and modify snort/src/makefile manually. –lz had to be added to LIBS variables.

11 Snort installation create the database for Snort and set password for it: [root@localhost root]# /usr/local/mysql/bin/mysql -u root –p mysql> create database snort; mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password'); Grant the access to the ‘snort’ user for the database: mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost; mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort; If the above command gives error, try the following command instead: mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost IDENTIFIED BY 'spider1’; mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort IDENTIFIED BY 'spider1’;

12 Snort installation Run the Snort create_mysql script to generate the appropriate tables in the database: [root@localhost snort-2.2.x]# /usr/local/mysql/bin/mysql -u root -p <./schemas/create_mysql snort add this line in the snort.conf file to use MySql database: output database: log, mysql, user=snort password=password dbname=snort host=localhost

13 Apache WS installation Use the following set of commands to extract and install Apache Web Server: [root@localhost root]# tar zxvf httpd-2.0.55.tar.gz [root@localhost root]# cd httpd-2.0.55 [root@localhost httpd-2.0.55]#./configure --prefix=/www - -enable-so [root@localhost httpd-2.0.55]# make [root@localhost httpd-2.0.55]# make install Then open a web browser and enter your IP address or "localhost." You should see the default Apache web page.

14 Installing PHP Use the following set of commands to extract and install PHP: [root@localhost root]# tar zxvf php-4.3.8.tar.gz [root@localhost root]# cd php-4.3.8 [root@localhost php-4.3.8]#./configure --prefix=/www/php --with-apxs2= /www/bin/apxs --with-config-filepath=/www/php --enable-sockets --with-mysql=/usr/local/mysql --with-zlib-dir=/usr/local --with-gd [root@localhost php-4.3.8]# make [root@localhost php-4.3.8]# make install [root@localhost php-4.3.8]# cp php.ini-dist /www/php/php.ini Make the following modifications to the the /www/conf/httpd.conf file Change the line: DirectoryIndex index.html index.html.var to: DirectoryIndex index.php index.html index.html.var Also, add the following line under the AddType section: AddType application/x-httpd-php.php

15 Installing PHP create links for startup scripts so that the web server starts when you boot up in run levels 3 and 5 (run level 3 is full multiuser mode, and run level 5 is the X Window System): [root@localhost conf]# cd /www/bin [root@localhost bin]# cp apachectl /etc/init.d/httpd [root@localhost bin]# cd /etc/init.d/rc3.d [root@localhost rc3.d]# ln -s../httpd S85httpd [root@localhost rc3.d]# ln -s../httpd K85httpd [root@localhost rc3.d]# cd /etc/init.d/rc5.d [root@localhost rc5.d]# ln -s../httpd S85httpd [root@localhost rc5.d]# ln -s../httpd K85httpd

16 Installing ACID Download and extract ACID: [root@localhost htdocs]# cd /root [root@localhost root]# cp acid-0.9.6b23.tar.gz /www/htdocs [root@localhost root]# cd /www/htdocs [root@localhost htdocs]# tar zxvf acid-0.9.6b23.tar.gz [root@localhost htdocs]# rm -rf acid-0.9.6b23.tar.gz Make the following configuration changes in /www/htdocs/acid/acid_conf.php file: $alert_dbname = "snort"; $alert_host = "localhost"; $alert_port = ""; $alert_user = "root"; $alert_password = "newpassword"; $archive_dbname = "snort"; $archive_host = "localhost"; $archive_port = ""; $archive_user = "root"; $archive_password = "newpassword"; $ChartLib_path = "/www/htdocs/jpgraph-1.16/src";

17 Installing ACID Open a web browser to http://localhost/acid/acid_main.php. Click on the Setup page link to continue. Next, click the button that says Create ACID AG. It will create four tables in the database.http://localhost/acid/acid_main.php

18 SNOT: packet generator SNOT compared to other packet generator. Was specifically built to test IDS. It uses Snort rules files as its source of packet information. It also randomizes information that is not contained in the rule to evade detection. You can send all the packet at once or control the timing.

19 SNOT Install SNOT using the following commands: [root@localhost root]# tar zxvf snot-0.92a.tar.gz [root@localhost root]# cd snot-0.92a [root@localhost snot-0.92a]# make Then you can send attack from Snot using the following command line: [root@localhost snot-0.92a]#./snot Usage: snot -r [-s ] [-d ] [-n ] [-l ] [-p]

20 SNOT The following example generates 10 packets based on the rules located in the rule.txt file with the specified source and destination addresses:./snot -r./rule.txt -s 192.168.1.1 -d 192.168.1.2 -n 10

21 SAM Download link: http://sourceforge.net/project/showfiles.php?group_id=59138&p ackage_id=55154&release_id=303573 Installing SAM is as easy as extracting the downloaded file. Then run SAM using the following command: java –jar sam.jar NOTE: you must have Java Virtual Machine installed to run SAM.

22 SAM After SAM is started it shows the following window:

23 SAM

24

25 Creative ways of alerting people:

26 References: Snort Web site: http://www.snort.org/http://www.snort.org/ SAM Web site: http://freesoftware.lookandfeel.com/sam/index.htmlhttp://freesoftware.lookandfeel.com/sam/index.html Intrusion Detection System: The Complete Documentation : http://www.l0t3k.org/security/tools/ids/ http://www.l0t3k.org/security/tools/ids/ O’Reilly Snort Cookbook, By Jacob Babbin, Simon Biles, Angela D. Orebaugh March 2005, ISBN: 0-596-00791-4 Prentice Hall PTR Open Source Security Tools Practical Guide to Security Applications, By Tony Howlett, July 2004

Download ppt "Intrusion Detection System using Snort & SAM 60-564: Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal Presented By: S. Rahaman & A."

Similar presentations

1 Institutional Repository Workshop 1 – 3 April 2009 Presented by Leonard Daniels.

1 Institutional Repository Workshop 1 – 3 April 2009 Presented by Leonard Daniels.
MySQL Installation Guide. MySQL Downloading MySQL Installer.

MySQL Installation Guide. MySQL Downloading MySQL Installer.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
Web Application Server Apache Tomcat Downloading and Deployment Guide.

Web Application Server Apache Tomcat Downloading and Deployment Guide.
Copyright GeneGo 2000-2003 CONFIDENTIAL »« MetaCore TM (System requirements and installation) Systems Biology for Drug Discovery.

Copyright GeneGo CONFIDENTIAL »« MetaCore TM (System requirements and installation) Systems Biology for Drug Discovery.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Chapter Apache Installation on Linux. Acknowledgement The contribution made by Darrin Morison is acknowledged.

Chapter Apache Installation on Linux. Acknowledgement The contribution made by Darrin Morison is acknowledged.
Unauthorized Reproduction Prohibited SkyPoint Alarm Integration Add-On Using OnGuard Alarms to create events in SkyPoint Also called ‘SkyPoint V0’ CR4400.

Unauthorized Reproduction Prohibited SkyPoint Alarm Integration Add-On Using OnGuard Alarms to create events in SkyPoint Also called ‘SkyPoint V0’ CR4400.
Installation of SNORT, APACHE, PHP, MYSQL and SnortReport.

Installation of SNORT, APACHE, PHP, MYSQL and SnortReport.
PHP Programming with MySQL Slide 2-1 CHAPTER 2 Getting Started with PHP.

PHP Programming with MySQL Slide 2-1 CHAPTER 2 Getting Started with PHP.
Apache Installation by Jack Davis. Web Servers The Apache HTTP Server is the most widely used web server on the Internet. Apache is fast, free, and full-featured.

Apache Installation by Jack Davis. Web Servers The Apache HTTP Server is the most widely used web server on the Internet. Apache is fast, free, and full-featured.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Analysis Console for Intrusion Databases Roy. Description ACID.

Analysis Console for Intrusion Databases Roy. Description ACID.
Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from www.mandrake.com www.mandrake.com.

Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from
XMAS installation instructions Windows Version: 1.0 4/22/2008.

XMAS installation instructions Windows Version: 1.0 4/22/2008.
Information Networking Security and Assurance Lab National Chung Cheng University Analysis Console for Intrusion Databases.

Information Networking Security and Assurance Lab National Chung Cheng University Analysis Console for Intrusion Databases.
Discovering SQL all rights reserved (c) 2010 agilitator.com INSTALLING MySQL 5.1 Community Server.

Discovering SQL all rights reserved (c) 2010 agilitator.com INSTALLING MySQL 5.1 Community Server.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
SETUP AND CONFIGURATIONS WEBLOGIC SERVER. 1.Weblogic Installation 2.Creating domain through configuration wizard 3.Creating domain using existing template.

SETUP AND CONFIGURATIONS WEBLOGIC SERVER. 1.Weblogic Installation 2.Creating domain through configuration wizard 3.Creating domain using existing template.

Similar presentations

Ads by Google