1
91.580.203 Computer & Network Forensics
Tripwire: Host Based Intrusion Detection System (HIDS)
Xinwen Fu
2
Outline
- Introduction to Tripwire
- Installation of Tripwire
- Scheduling Tripwire by Cron
Dr. Xinwen Fu
3
Where is the HIDS on the Internet?
4
Tripwire - Basic Functions
- Monitors system files to find when an intruder has made changes to those files with malicious intent
- Monitors the file systems to find whether any files have been compromised, by taking a "snapshot" of the file system and comparing that snapshot to an existing baseline
- These comparisons are called integrity checks
- Integrity checks detect changes in critical system components, and Tripwire generates a report on any change(s) that are detected
- Tripwire does not, however, generate real-time alerts upon an intrusion
- It does not help with Kernel Level Module (KLM) rootkits
5
Tripwire Flavors
- The Tripwire software is a System Integrity Verifier (SIV) used to validate the system security posture and to assist in security auditing
- Tripwire comes in three flavors:
  (1) Open Source Tripwire: text-based logging, used from the command line
  (2) Tripwire for Servers
  (3) Tripwire Enterprise
- Can be used in a straight Windows, straight Unix, or homogeneous network
6
Key Tripwire Files
There are a number of files used for managing these components:
- Configuration file
  - Plaintext configuration file: /etc/tripwire/twcfg.txt
  - Signed configuration file: /etc/tripwire/tw.cfg
- Policy file
  - Plaintext policy file: /etc/tripwire/twpol.txt
  - Signed policy file: /etc/tripwire/tw.pol
- Site key file: /etc/tripwire/site.key
- Local key file: /etc/tripwire/$HOSTNAME.local.key
- Database file: /var/lib/tripwire/$HOSTNAME.twd
- Report file: /var/lib/tripwire/$HOSTNAME-date-time.twr
7
Key Tripwire Files
- Configuration file: stores system-specific information that controls Tripwire operations. The configuration file should NOT be changed except through a configuration management process
- Policy file: specifies how the Tripwire software monitors the system. This file consists of a list of rules which specify the system objects (directories and files) to monitor, and describes which changes to those objects should be reported and which ones can be ignored
- Database file: provides a snapshot of each host, created according to the rules in the policy file while the host is in a known secure state. It is used as a baseline to compare against the current state of the host to determine whether any change has occurred
8
Key Tripwire Files (Cont.)
- Report file: records the changes detected during an integrity check that violate the rules in the policy file
- Site key file / local key file: store the public and private keys used to sign Tripwire files cryptographically, which prevents unauthorized modification
  - Site key: signs the Tripwire configuration and policy files
  - Local key: signs the Tripwire database files, and may also sign the Tripwire report files
- To modify these files, you must provide the correct site or local passphrase/password. These passphrases must be kept in a safe place, because if they are lost or forgotten they cannot be recovered
9
Tripwire Configuration and Mode of Operations
- The following items for Tripwire are pre-set and configured by the installer:
  - Keys
  - Policy and configuration
  - A Tripwire baseline for each host
- Mode of operations
  - The system administrator should schedule Tripwire to run during a "low time" of operations: Tripwire utilizes system resources and may considerably slow down system performance
  - The system administrator should not make any changes to the file system on any host unless they are valid changes and the change is clearly understood
10
Tripwire Work-Flow Diagram
How Tripwire works (figure; steps as labelled in the diagram):
1. Tripwire stores a baseline "snapshot" of the data
2. An integrity check compares the baseline to the current state of the data to identify changes
3.1. Tripwire reports a violation for each change
3.2. You examine the changes and take appropriate action. This may include restoring changed data or updating the baseline
11
How Tripwire works - 1 of 3
- The installer configures Tripwire with customized policy files to monitor the critical system resources on each host
- Based on the customized policy, Tripwire creates a baseline snapshot of each host in a known good state (after system build, configuration, and lockdown, but before connecting to the network)
- After the baseline is established, regular integrity checks are scheduled to run on each host to monitor it
12
How Tripwire works - 2 of 3
- An integrity check compares the baseline to the current state of the data to identify changes
13
How Tripwire Works - 3 of 3
From Tripwire integrity check results:
- Tripwire compares the current system state to the baseline for the file systems and rules specified in the policy, and reports a violation for any change it detects
- A system administrator examines the Tripwire report to evaluate changes to the system and investigate the cause of each change
14
How Tripwire Works - 3 of 3 (Cont.)
- If, after investigation, the changes are malicious or unauthorized, take appropriate measures, such as restoring the changed files and reporting the incident
- If, after investigation, the changes are authorized/approved, update the baseline database to include them so that Tripwire no longer detects them as violations
- The installer will furnish an updated baseline database and policy file for authorized software patches and revisions, so the system administrator would not need to update the baseline database
15
System Administrator's Tasks
- Scheduling Tripwire to run
- Monitoring the integrity check
- Examining the Tripwire reports
- Evaluating violations and investigating them
16
System Administrator's Tasks
- Reporting any unauthorized change under the site incident response policy and procedures, and taking corrective measures if necessary
- No authorized changes should be detected. Some "false positives" will occur if the site's trusted personnel install patches/revisions; software patches/revisions should instead be provided on a "gold disk", pre-tested and installed by the installer
- Updating the Tripwire policy and database files
17
Outline
- Introduction to Tripwire
- Installation of Tripwire
- Scheduling Tripwire by Cron
18
Install tripwire-2.4.0.1
- Install from source
- Install by yum

Install from source: get the source tarball, then
  tar jxvf tripwire src.tar.bz2
  cd tripwire
  ./configure
  make
  ln -s contrib install   # to work around a bug in the build
  make install
Then use the default configuration and policy, and build the site key and local key.

Install by yum:
  yum install tripwire
19
Creating and Signing the Configuration File
- After yum on Fedora Core 6, only /etc/tripwire/twcfg.txt and /etc/tripwire/twpol.txt exist
- Initializing keys: get into the tripwire folder
  cd /etc/tripwire
  Site key:  twadmin -m G -S ./site.key
  Local key: twadmin -m G -L ./$HOSTNAME-local.key
- Sign files
  Sign the configuration file: twadmin --create-cfgfile -S site.key twcfg.txt
  Sign the policy file:        twadmin --create-polfile -S site.key twpol.txt
20
Creating and Signing the Policy File
- Do not leave the plaintext versions of the configuration and policy files on your hard drive
  - Move them onto a floppy disk
  - Or encrypt them using a utility such as GPG
- Ensure that the permissions of the signed files are set such that they are only readable/writable by root:
  chmod 0600 tw.cfg tw.pol
- Sign the policy file and the configuration file every time you change them
21
Manually Running a Tripwire Integrity Check
- Initialize the Tripwire database
  tripwire --init
- Check file system integrity and generate a report
  tripwire --check
- Read the Tripwire report
  twprint -m r --twrfile /var/lib/tripwire/report/yourmachinename-date-time.twr | less
22
Examining and Evaluating Violations
- Valid violations due to normal user activities: run an update based on the report (you will be asked for the local passphrase)
  tripwire --update --twrfile /var/lib/tripwire/report/yourmachinename-date-time.twr
- Valid violations due to normal system activities: examine the policy file, twpol.txt, make the appropriate changes, and update the database without a complete re-initialization. Note: first make sure your database reflects the current status of the system under the old policy
  tripwire --update-policy /usr/local/etc/twpol.txt
23
Create a New Baseline Database
- Delete the baseline database
  rm /var/lib/tripwire/hostname.twd
- Create a new database
  tripwire --init
24
Tripwire Big Picture
1. Install Tripwire and customize the policy file (Section 19.3, Customizing Tripwire)
2. Initialize the Tripwire database (Section 19.4, Initialize the Tripwire Database)
3. Run a Tripwire integrity check (Section 19.5, Running an Integrity Check)
4. Examine the Tripwire report file (see the section Viewing Tripwire Reports)
5. If unauthorized integrity violations occur, take appropriate security measures: either replace the original files from backup copies, reinstall the program, or completely reinstall the operating system
6. If the file alterations are valid, verify and update the Tripwire database file: edit Tripwire's database file to ignore those changes in subsequent reports. For more information, see Section 19.7, Updating the Tripwire Database
7. If the policy file fails verification, update the Tripwire policy file: update the supplied policy file (/etc/tripwire/twpol.txt), regenerate a signed copy (/etc/tripwire/tw.pol), and update the Tripwire database. For more information, see Section 19.8, Updating the Tripwire Policy File
25
Customize your Policy File
- Policy file: /etc/tripwire/twpol.txt
- Policy guide: /usr/share/doc/tripwire /policyguide.txt
26
Outline
- Introduction to Tripwire
- Installation of Tripwire
- Scheduling Tripwire by Cron
27
Run Tripwire Checking Daily by Cron
- The cron daemon, crond, runs an application at the time you specify
- In the /etc directory you will probably find some subdirectories called cron.hourly, cron.daily, cron.weekly and cron.monthly
- If you place a script into one of those directories, it will be run hourly, daily, weekly or monthly, depending on the name of the directory
28
More Flexible Cron: /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
* * root run-parts /etc/cron.monthly
29
Flexible Cron - How to Run a Script
minute hour dom month dow user cmd
- minute: the minute of the hour the command will run on, between 0 and 59
- hour: the hour the command will run on, specified in the 24-hour clock; values must be between 0 and 23 (0 is midnight)
- dom: the day of month that you want the command run on, e.g. to run a command on the 19th of each month, the dom would be 19
- month: the month a specified command will run on; it may be specified numerically (0-12) or as the name of the month (e.g. May)
- dow: the day of week that you want a command to be run on; it can also be numeric (0-7) or the name of the day (e.g. sun)
- user: the user who runs the command
- cmd: the command that you want run. This field may contain multiple words or spaces
30
Examples of Running a Script
- If you don't wish to specify a value for a field, just place a * in the field: it means "any"
- Use the idea of a cross (the intersection of all five time fields) to explain a rule
minute hour dom month dow user cmd
01 * * * * root echo "This command is run at one min past every hour"
17 8 * * * root echo "This command is run daily at 8:17 am"
17 20 * * * root echo "This command is run daily at 8:17 pm"
00 4 * * 0 root echo "This command is run at 4 am every Sunday"
* 4 * * Sun root echo "So is this"
* * root echo "This command is run 4:42 am every 1st of the month"
01 * * root echo "This command is run hourly on the 19th of July"
31
Network Time Protocol
- Get the NTP package if it is not installed
  yum install ntp
- NTP is a protocol designed to synchronize the clocks of computers over a network
- NTP configuration file: /etc/ntp.conf
  ……
  server            # local clock
  server            # add this server
  fudge  stratum 10
  ……
32
Using an NTP Server to Synchronize Machines
- Change file permissions
  chown ntp:ntp /etc/ntp
  chown ntp:ntp /etc/ntp/*
- To get NTP configured to start at boot
  chkconfig ntpd on
- To start, stop and restart NTP after booting, follow these examples
  service ntpd start
  service ntpd stop
  service ntpd restart
- To test whether the NTP process is running
  pgrep ntpd
- To determine whether NTP is synchronized properly
  ntpq -p
33
NTP Troubleshooting
- A wild time difference between the local machine and the primary time server causes an error (see /var/log/messages)
- Run the ntpdate -u command to force instant time synchronization with its NTP servers; ntpdate is not a daemon
  - Run: service ntpd stop
  - Run ntpdate three times: ntpdate -u
  - Run: service ntpd restart
34
nmap - Network exploration tool and security scanner
- Scans large networks to determine:
  - Which hosts are up
  - What operating system each network unit uses
  - What network services they are offering
- Supports a large number of scanning techniques, such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP Protocol, and Null scan
36
Live Demo: Network mapper - nmap
- Guess the remote host OS: nmap -sS -O
37
nmap Examples
nmap -v scanme.nmap.org
- Scans all reserved TCP ports on the machine scanme.nmap.org; the -v option enables verbose mode
nmap -sS -O scanme.nmap.org/24
- -sS: launches a stealth SYN scan against each machine that is up out of the 255 machines on the class C network where scanme resides
- -O: also tries to determine what operating system is running on each host that is up. This requires root privileges because of the SYN scan and OS detection
38
nmap Examples (Cont.)
nmap -sV -p 22,53,110,143,4564
- Launches host enumeration and a TCP scan at the first half of each of the 255 possible 8-bit subnets in the class B address space
- -p 22,53,110,143,4564: tests whether the systems run sshd, DNS, pop3d, imapd, or port 4564
- -sV: for any of these ports found open, version detection is used to determine what application is running
39
Notes
- Cygwin conflicts with openssh
40
Assignment 5: Find Topology of IA Lab
- Your group machine root password: forensics
- Lab diagram (figure): Internet, Cisco Catalyst 29XX 24 switch, ialab.dsunix.net, D-Link hub, Cisco Catalyst switch