
Simulation of IDS by using Activeworx Security Center (ASC) and Snort, MySQL, CommView Presented by Shamsul Wazed & Quazi Rahman School of Computer Science.


1 Simulation of IDS by using Activeworx Security Center (ASC) and Snort, MySQL, CommView
Presented by Shamsul Wazed & Quazi Rahman
School of Computer Science, University of Windsor, ON
March 29, 2006

2 Outline
- Introduction
- Snort
- MySQL Server
- CommView
- Activeworx Security Center
- IDS Simulation
- Demonstration

3 Introduction
- Intrusion Detection System (IDS)
  - Collects data from network traffic coming into a system
  - Tries to match it against known patterns of attack signatures
  - Blocks the matched data and logs the details of the attack into a database
- Snort
  - A very popular and open source IDS
  - Can be configured to run in Sniffer mode, Packet Logger mode or Network IDS mode
  - A number of Snort add-ons are available for monitoring Snort, analyzing results and writing Snort rules

4 Introduction
- Simulation of IDS: the following tools and OS are used in this project
  - Snort: Intrusion Detection System
  - MySQL: Database Server
  - CommView: Packet Generator & Sniffer
  - Activeworx Security Center (ASC): Snort add-on
  - .NET Framework: additional software required by ASC Desktop
  - Windows XP: Operating System

5 Snort

6 Snort
- WinPcap
  - WinPcap must be installed before Snort can be run
  - The latest WinPcap version is 3.1, for Windows 95/98/ME/NT4/2000/XP/2003
  - WinPcap is free and can be downloaded from http://www.winpcap.org/install/default.htm
  - Download the executable file "winPcap_3_1.exe" (456 KB) and run it to install

7 Snort
- Snort is an open source IDS
- Can be configured to run in three modes:
  - Sniffer mode: simply reads the packets off the network and displays them
      ./snort -vd
  - Packet Logger mode: logs the packets to disk
      ./snort -dev -l c:\snort\log -h 192.168.1.100/24
  - Network IDS mode: allows Snort to analyze network traffic for matches against a user-defined rule set and perform several actions
      ./snort -dev -l c:\snort\log -h 192.168.1.100/24 -c c:\snort\etc\snort.conf

8 Snort
- Install Snort version 2.4.3, available at http://www.snort.org/dl/binaries/win32/
- Download the executable file "Snort-243-Installer.exe" (1.43 MB)
- Select the "typical" installation, which installs Snort in the C:\Snort directory

9 Snort
- Important files and their locations
  - Snort configuration file: C:\Snort\etc\snort.conf
  - Snort executable file: C:\Snort\bin\snort.exe
  - Snort log files: C:\Snort\bin\log\alert.ids and C:\Snort\bin\log\snort.log
  - Snort rules file (contains only the 10 rules written for this project): C:\Snort\rules\local.rules

10 Snort
- Snort configuration: the file snort.conf has to be edited before running Snort
- The following steps can be taken to create a custom configuration:
  - Set the variables for your network
  - Configure preprocessors
  - Configure output plugins
  - Add any runtime config directives
  - Customize the rule set

11 Snort
- We took the following steps to configure Snort
  - Set the HOME_NET variable:
      var HOME_NET 192.168.1.100/24
  - Set the RULE_PATH variable:
      var RULE_PATH c:\Snort\rules
  - Uncommented the following lines:
      output alert_syslog: LOG_AUTH LOG_ALERT
      output log_tcpdump: snort.log
      include c:\Snort\rules\classification.config
      include c:\Snort\rules\reference.config

12 Snort
  - Changed the database output lines to:
      output database: alert, mysql, user=root password=wazed dbname=ids host=localhost
      output database: log, mysql, user=root password=wazed dbname=tcpdump host=localhost
  - Included the relevant rule set (for this project):
      include $RULE_PATH/local.rules
  - Commented out all other include rules

13 MySQL Server

14 MySQL Server
- Download MySQL Database Server 5.0 from http://dev.mysql.com/downloads/

15 MySQL Server
- Install MySQL Server

16 MySQL Server
- Configure MySQL Server

17 MySQL Server
- Choose Detailed Configuration

18 MySQL Server
- Choose Dedicated Server

19 MySQL Server
- Choose Multifunctional Database

20 MySQL Server
- Configure Network support

21 MySQL Server
- Change root password

22 MySQL Server
- MySQL Connector/ODBC
  - ODBC is a standardized API that allows connections to SQL database servers
  - ODBC is usually used when database independence or simultaneous access to different data sources is required
  - MyODBC 3.51 (installed in this project) is a 32-bit ODBC driver, also known as the MySQL ODBC 3.51 driver; it is available for download from http://dev.mysql.com/downloads/connector/odbc/3.51.html

23 MySQL Server
- Using MySQL
  - The following are some examples of how to work with the different databases and tables using commands from the DOS prompt:

      C:\mysql\MySQL Server 5.0\bin>mysql -u root -p
      Enter password: *****
      Welcome to the MySQL monitor.  Commands end with ; or \g.
      Your MySQL connection id is 18 to server version: 5.0.18-nt

      Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

24 MySQL Server
- Using MySQL:

      mysql> show databases;
      +--------------------+
      | Database           |
      +--------------------+
      | information_schema |
      | aef                |
      | aw_aef             |
      | aw_asc             |
      | aw_fw              |
      | ids                |
      | mysql              |
      | sebek              |
      | syslog             |
      | tcpdump            |
      | test               |
      | vuln               |
      +--------------------+
      12 rows in set (0.19 sec)

25 MySQL Server
- Using MySQL:

      mysql> use ids;
      Database changed
      mysql> show tables;
      +------------------+
      | Tables_in_ids    |
      +------------------+
      | data             |
      | detail           |
      | encoding         |
      | event            |
      | icmphdr          |
      | iphdr            |
      | opt              |
      | reference        |
      | reference_system |
      | schema           |
      | sensor           |
      | sig_class        |
      | sig_reference    |
      | signature        |
      | tcphdr           |
      | udphdr           |
      +------------------+
      16 rows in set (0.00 sec)

26 MySQL Server
- Using MySQL:

      mysql> describe event;
      +-----------+------------------+------+-----+---------+-------+
      | Field     | Type             | Null | Key | Default | Extra |
      +-----------+------------------+------+-----+---------+-------+
      | sid       | int(10) unsigned | NO   | PRI |         |       |
      | cid       | int(10) unsigned | NO   | PRI |         |       |
      | signature | int(10) unsigned | NO   | MUL |         |       |
      | timestamp | datetime         | NO   | MUL |         |       |
      +-----------+------------------+------+-----+---------+-------+
      4 rows in set (0.19 sec)
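The event table is keyed by (sid, cid), the other packet tables in the ids database (iphdr, tcphdr, ...) share that key, and ASC views such as the "Top 10 IDS Destination" graph shown later are queries over those joins. The following added example (not from the slides, and not ASC's own code) recreates a reduced copy of the schema in SQLite with constructed rows and runs two such queries; the column names are an assumption taken from Snort's create_mysql script.

```python
import socket
import sqlite3

# Assumption: a reduced copy of the Snort 2.x database schema the slides list (event,
# iphdr, signature), recreated in SQLite so it runs offline. Column names follow Snort's
# create_mysql script; MySQL's "int(10) unsigned" columns become plain INTEGER here.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    PRIMARY KEY (sid, cid));
"""
SIGNATURES = [(1, "constructed rule A", 2), (2, "constructed rule B", 1)]
EVENTS = [  # constructed rows: (cid, signature, timestamp, src, dst), sensor sid=1 on PC1
    (1, 1, "2006-03-29 10:00:01", "192.168.1.101", "192.168.1.100"),
    (2, 1, "2006-03-29 10:00:02", "192.168.1.101", "192.168.1.100"),
    (3, 2, "2006-03-29 10:00:03", "192.168.1.101", "192.168.1.100"),
    (4, 2, "2006-03-29 10:00:04", "192.168.1.101", "192.168.1.1"),
]

def ip_to_int(dotted):
    # Snort stores IPv4 addresses as unsigned 32-bit integers, not dotted strings.
    return int.from_bytes(socket.inet_aton(dotted), "big")

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", SIGNATURES)
    for cid, sig, ts, src, dst in EVENTS:
        # every packet-level table shares the (sid, cid) primary key of event
        conn.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?)", (cid, ip_to_int(src), ip_to_int(dst)))
    return conn

def top_destinations(conn, limit=10):
    """Alert count per destination host: the data behind ASC's 'Top 10 IDS Destination' graph."""
    rows = conn.execute(
        "SELECT i.ip_dst, COUNT(*) AS hits FROM event e "
        "JOIN iphdr i ON e.sid = i.sid AND e.cid = i.cid "
        "GROUP BY i.ip_dst ORDER BY hits DESC LIMIT ?", (limit,)).fetchall()
    return [(socket.inet_ntoa(dst.to_bytes(4, "big")), hits) for dst, hits in rows]

def events_by_signature(conn):
    """Alert count per rule name, highest priority (lowest number) first."""
    return conn.execute(
        "SELECT s.sig_name, s.sig_priority, COUNT(*) FROM event e "
        "JOIN signature s ON e.signature = s.sig_id "
        "GROUP BY s.sig_id ORDER BY s.sig_priority, s.sig_name").fetchall()
```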

27 MySQL Server
- Using MySQL:

28 CommView

29 CommView
- What is CommView
  - An application for capturing and analyzing network packets
  - It can save the captured packets to log files
  - It can generate ICMP, TCP and UDP packets of at most 1.5 KB and transmit them at up to 5,000 packets/sec
- Installation
  - System requirements: Pentium II or higher, Windows 98/ME/2000/XP/2003, 128 MB RAM and 6 MB free disk space
  - Download the 30-day trial version of CommView 5.1 from http://www.tamos.com/download/main/

30 CommView
- Latest IP Connections
  1. Select Network Interface
  2. Start

31 CommView
- Packet analysis: payload decoding

32 CommView
- Packet Generating: Tools > Packet Generator
  - TCP Packet
  - Default Packet Size
  - Source IP - Numeric value
  - Source IP - Hex value (edit here)

33 CommView
- Packet Generating: Port number and Payload
  - Packet Size: 54 + 5
  - Destination Port - Numeric value
  - Destination Port - Hex value
  - Added 5 bytes of payload content
  - Press Sigma to correct the checksum

34 CommView
- Packet Generating: Correct Checksum
  - Check (after pressing Sigma): the data length changed to 5
  - Correct it by adding 5
  - Press the Send button to send the packet
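The three slides above edit a TCP packet in hex (source IP, destination port, a 5-byte payload) and then press Sigma so CommView recomputes the checksums; the example below, added here and not part of the slides or of CommView, shows what that recomputation involves on a constructed 54-byte Ethernet/IPv4/TCP header plus payload, and why editing the source IP invalidates both the IP header checksum and (through the pseudo-header) the TCP checksum. It assumes Ethernet II framing and an IPv4 header without options.

```python
import socket
import struct

def rfc1071(data):
    """One's-complement checksum (RFC 1071) over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def fix_checksums(frame):
    """Recompute the IPv4 header and TCP checksums (what CommView's Sigma button does).
    Assumes Ethernet II + IPv4 without options + TCP, i.e. 54 header bytes."""
    ip = bytearray(frame[14:34])
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", rfc1071(bytes(ip)))
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = bytearray(frame[34:14 + total_len])
    tcp[16:18] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, ip[9], len(tcp))  # src, dst, 0, proto, len
    tcp[16:18] = struct.pack("!H", rfc1071(pseudo + bytes(tcp)))
    return frame[:14] + bytes(ip) + bytes(tcp)

def verify_checksums(frame):
    """Return (ip_ok, tcp_ok) the way a decoder such as Snort's judges the frame."""
    ip = frame[14:34]
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = frame[34:14 + total_len]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, ip[9], len(tcp))
    return rfc1071(ip) == 0, rfc1071(pseudo + tcp) == 0

def build_frame(src, dst, sport, dport, payload):
    """Constructed frame: 14-byte Ethernet + 20-byte IPv4 + 20-byte TCP SYN + payload."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # constructed MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return fix_checksums(eth + ip + tcp + payload)

def set_source_ip(frame, new_src, fix=True):
    """Overwrite the source address bytes (the 'edit here' hex field on the slide);
    with fix=False the stale checksums are left behind, as before pressing Sigma."""
    patched = frame[:26] + socket.inet_aton(new_src) + frame[30:]
    return fix_checksums(patched) if fix else patched
```

Snort 2.x verifies IP and TCP checksums unless told otherwise with `config checksum_mode`, so a generated packet whose checksums were left stale usually produces no alert at all; that is the reason the slides press Sigma before sending.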

35 Activeworx Security Center (ASC)

36 Activeworx Security Center
- Overview
  - ASC is an event management solution for Snort
  - It works with Snort 1.8 or newer
  - It supports MySQL as well as Microsoft SQL
  - It allows us to view IDS data in different ways:
    - Unique Views
    - List Views
    - Interactive Graphics and Charts
    - Event Relationship Diagram
    - Payload Decoders

37 Activeworx Security Center
- Installation
  - System requirements: Pentium 4 or later, Windows 2000/XP/2003, 512 MB RAM and 250 MB free disk space
  - ASC version 2.6 components can be downloaded from http://www.brighttools.com/support/download.html
  - Download the following Microsoft Installer files and run them:
    - asc.desktop.msi (55.7 MB)
    - asc.manager.msi (51.1 MB)

38 Activeworx Security Center
- Databases
  - Two different types of databases: the Primary Database and the Event Databases
  - Log on to ASC Database Manager
  - Use the default Snort IDS database schema
  - Configure the Primary Database
  - Use the "Add Database Wizard" to create an Event database

39 Activeworx Security Center
- Databases (Primary Database)

40 Activeworx Security Center
- Databases (Event Database)

41 Activeworx Security Center
- Databases (Add User)

42 Activeworx Security Center
- Databases (Check Connectivity)

43 Snort IDS Simulation & Testing

44 Snort IDS Simulation
- Hardware Configuration
  - Target Machine: PC1 (OS: Windows XP), Dell Celeron CPU 2 Processor - 2.4 GHz, RAM - 256 MB
  - Source Machine: PC2 (OS: Windows XP), Dell Celeron CPU 2 Processor - 2.4 GHz, RAM - 256 MB
  - Router: TRENDnet wireless router, speed - 108 Mbps, compliant with IEEE 802.11g

45 Snort IDS Simulation
- From PC1 (192.168.1.100)
  - Run Snort from the console using the command:
      snort -c c:\snort\etc\snort.conf -h 192.168.1.100/24 -v -i2
  - Log in and run ASC Desktop
  - Run CommView (sniffer)
- From PC2 (192.168.1.101)
  - Run CommView (sniffer)
  - Generate and send "bad packets" to PC1 (with the CommView Packet Generator)

46 Activeworx Security Center Desktop
- IDS Events (Event Overview)

47 Activeworx Security Center Desktop
- IDS Events (List Events)

48 Activeworx Security Center Desktop
- IDS Events (List Events: Group by Sensor)

49 Activeworx Security Center Desktop
- IDS Events (Event Information 1: sid 382)

50 Activeworx Security Center Desktop
- IDS Events (Event Information 2: sid 683)

51 Activeworx Security Center Desktop
- IDS Events (Event Reference 1: sid 382)

52 Activeworx Security Center Desktop
- IDS Events (Graphs: Top 10 IDS Destination)

53 Activeworx Security Center Desktop
- IDS Events (Reports: IDS Overview)

54 Demonstration
Please meet us @ Room # 3144, Lambton Tower
School of Computer Science, University of Windsor, ON
1-519-253 3000 ext 4406

