
Analysis Console for Intrusion Databases Roy. Description ACID.


1 Analysis Console for Intrusion Databases Roy

2 Description ACID

3 Objective
- Set up ACID, MySQL, Snort
- Super alert analyzer
- Performance benchmarking of ACID

4 About ACID
- Query-builder and search interface
- Packet viewer (decoder)
- Alert management
- Chart and statistics generation
- Centralized control

5 System overview
- ACID + Snort + MySQL (diagram)

6 Distributed IDS: centralized control (diagram labels: ACID, DB)

7 Prerequisites
- A database: MySQL, version 3.23.x+, http://www.mysql.com/
- A mechanism:
  - Snort, version 1.7+, http://www.snort.org/
  - PHP, version 4.0.4+, http://www.php.net/
- A web server: Apache Server, version 1.3.*+, http://www.apache.org/
- PHP database access API and graphing libraries:
  - ADODB, http://php.weblogs.com/adodb/
  - PHPlot, http://www.phplot.com
  - JPGraph, http://www.aditus.nu/jpgraph/
  - GD, http://www.boutell.com/gd/

8 Install ACID and Snort
- Download ACID: http://www.andrew.cmu.edu/user/rdanyliw/snort/snortacid.html
- Decompress acid-0.9.6b23.tar.gz
- Move ACID to your web directory

9 Setting up the database in MySQL
- Create database
- Create user and assign privileges
- Create Snort tables

10 Modify ACID config files
- Edit acid_conf.php

11 Connect to sensor manager
- Open http://192.168.1.101/acid/acid_conf.php

12 Set up Snort output module
- Edit /etc/snort/snort.conf
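A worked version of the database step on slide 9, producing the two accounts that slides 10 and 12 then reference from acid_conf.php and snort.conf. This is an added example, not code from the presentation or from the ACID project; the database name, account names, sensor host and the exact privilege split are assumptions, and the passwords are placeholders. The Snort table schema itself is loaded from the create_mysql script shipped with Snort, not created here.

```sql
-- Added example (not from the slides): least-privilege MySQL accounts for
-- an ACID + Snort + MySQL deployment. Names and privileges are assumptions;
-- replace the placeholders before use. Syntax is MySQL 3.23-compatible.
CREATE DATABASE snort;

-- Sensor account: Snort's database output plugin only inserts alerts and
-- looks up its own sensor/signature rows, so INSERT and SELECT suffice
-- (check README.database for the Snort version in use). Restricting the
-- account to the sensor's address keeps a leaked sensor password from
-- being usable from elsewhere. 'sensor-host' is a placeholder.
GRANT INSERT, SELECT ON snort.* TO snort@'sensor-host'
  IDENTIFIED BY 'SENSOR_PASSWORD_PLACEHOLDER';

-- Console account used by acid_conf.php on the web server (assumed to run
-- on the database host). ACID reads alerts, lets the analyst delete or
-- regroup them, and creates its own acid_* tables from its setup page, so
-- CREATE is needed once; it can be revoked after that page has been run.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON snort.* TO acid@localhost
  IDENTIFIED BY 'CONSOLE_PASSWORD_PLACEHOLDER';

-- Neither account holds GRANT or global privileges, so a compromise of the
-- web-facing console does not reach other databases on the server.
FLUSH PRIVILEGES;

-- Afterwards load the Snort schema (shipped with Snort as contrib/create_mysql):
--   mysql -u root -p snort < create_mysql
-- and point both consumers at these accounts:
--   snort.conf:    output database: log, mysql, user=snort password=... dbname=snort host=<db host>
--   acid_conf.php: $DBtype = "mysql"; $alert_dbname = "snort";
--                  $alert_user = "acid"; $alert_host = "localhost";
```

The sensor account is deliberately not given DELETE or UPDATE: an attacker who obtains the sensor credentials can then add noise but cannot erase alerts already stored.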

13 Test environment: three days and three nights …

14 Enjoy the results
- Open http://192.168.1.101/acid/

15 More analysis
- 5 most frequent alerts (alert listing)
- 15 most frequent alerts (unique source)
- Time profile of alerts
- Last 24 hours
- Last 72 hours

16 Performance benchmarking of ACID (page loading time)
- Host: Intel Mobile 800 MHz, 256 MB RAM
- OS: Linux 2.2.16-22
- Apache: 1.3.19
- PHP: 4.0.5
- MySQL: 3.23.32
- PostgreSQL: 7.1.2
- DB schema: v102
- ACID: 0.9.6b10 - 0.9.6b13

17 I. Unique Alert Listing (acid_stat_alerts.php)

18 II. ACID Main page (acid_main.php)

19 Summary

20 Reference
- Performance Benchmarking of ACID: http://www.andrew.cmu.edu/user/rdanyliw/snort/perf/acid_perf.html
- NIST Intrusion Detection System

21 Appendix A
- Passive Ethernet tap (diagram labels: traffic in, traffic out, IDS): http://www.snort.org/docs/tap/

