Download presentation
Presentation is loading. Please wait.
Published byLogan Cox Modified over 9 years ago
1
Simulation of IDS by using Activeworx Security Center (ASC) and Snort, MySQL, CommView Presented by Shamsul Wazed & Quazi Rahman School of Computer Science University of Windsor, On March 29, 2006
2
2 Outline Introduction Snort MySQL Server CommView Activeworx Security Center IDS Simulation Demonstration
3
March 29, 20063 Introduction Intrusion Detection System (IDS) Collect data from network traffic coming into a system Tries to match it against known pattern of attack signatures Blocked the matched data and logged detail of attack into database Snort A very popular and open source IDS Can be configured to run in Sniffer mode, Packet Logger mode, Network IDS mode A number of Snort Add-ons are available for monitoring Snort, analyzing result and writing Snort rules
4
March 29, 20064 Introduction Simulation of IDS The following tools and OS are used in this Project Snort : Intrusion Detection System MySQL : Database Server CommView : Packet Generator & Sniffer Activeworx Security Center (ASC) : Snort’s Add-on.Net Framework : Additional software for ASC Desktop Windows XP : Operating System
5
March 29, 20065 Snort
6
March 29, 20066 Snort WinPcap WinPcap is required to be installed to access Snort The latest WinPcap version is 3.1 for Windows 95/98/ME/NT4/2000/XP/2003 WinPcap is free and can be downloaded from http://www.winpcap.org/install/default.htm http://www.winpcap.org/install/default.htm Download the executable file “winPcap_3_1.exe” of size 456 KB and run to install
7
March 29, 20067 Snort Snort is an open source IDS Can be configured to run in three modes: Sniffer mode : Simply reads the packets off of the network and displays them./snort -vd Packet Logger mode : Logs the packets to disk./snort -dev -l c:\snort\log -h 192.168.1.100/24 Network IDS mode : Allows Snort to analyze network traffic for matches against a user-defined rule set and performs several actions./snort -dev -l c:\snort\log -h 192.168.1.100/24 -c c:\snort\etc\snort.conf
8
March 29, 20068 Snort Install Snort version 2.4.3, available at http://www.snort.org/dl/binaries/win32/ Download the executable file “Snort-243- Installer.exe” file of size 1.43 MB Select “typical” installation that installs Snort at C:\Snort directory.
9
March 29, 20069 Snort Important files and their locations Snort configuration file - C:\Snort\etc\snort.conf Snort executable file - C:\Snort\bin\snort.exe Snort log files are - C:\Snort\bin\log\alert.ids and C:\Snort\bin\log\snort.log., and Snort rules file (included project 10 rules only) - C:\Snort\rules\local.rules
10
March 29, 200610 Snort Snort Configuration : The file Snort.conf has to be edited before running Snort The following steps can be taken to create a custom configuration - Set the variables for network Configure preprocessors Configure output plugins Add any runtime config directives Customize the rule set
11
March 29, 200611 Snort We took the following steps to configure Snort Set the HOME_NET variable as var HOME_NET 192.168.1.100/24 Set the RULE_PATH variable as var RULE_PATH c:\Snort\rules Uncommented the following lines: output alert_syslog: LOG_AUTH LOG_ALERT output log_tcpdump: snort.log include c:\Snort\rules\classification.config include c:\Snort\rules\reference.config
12
March 29, 200612 Snort Changed the database format as - output database: alert, mysql, user=root password=wazed dbname=ids host=localhost output database: log, mysql, user=root password=wazed dbname=tcpdump host=localhost Include the relevant rule sets (for this project) – include $RULE_PATH/local.rules Comment out all other include rules
13
March 29, 200613 MySQL Server
14
March 29, 200614 MySql Server Download MySQL Database Server 5.0 from http://dev.mysql.com/downloads/
15
March 29, 200615 MySql Server Install MySQL Server
16
March 29, 200616 MySql Server Configure MySql Server
17
March 29, 200617 MySql Server Choose Detailed Configuration
18
March 29, 200618 MySql Server Choose for Dedicated Server
19
March 29, 200619 MySql Server Choose for Multifunctional Database
20
March 29, 200620 MySql Server Configure Network support
21
March 29, 200621 MySql Server Change root password
22
March 29, 200622 MySql Server MySQL Connector/ODBC ODBC is a standardized API that allows connections to SQL database servers. ODBC usually is used when database independence or simultaneous access to different data sources is required. MyODBC 3.51 (installed in this project) is a 32-bit ODBC driver, also known as the MySQL ODBC 3.51 driver and it is available for download from: http://dev.mysql.com/downloads/connector/odbc/3.51.html
23
March 29, 200623 MySql Server Using MySQL Followings are some of the examples how to use the different databases and tables using commands from the DOS prompt : C:\mysql\MySQL Server 5.0\bin>mysql -u root –p Enter password: ***** Welcome to the MySQL monitor. Commands end with; or \g. Your MySQL connection id is 18 to server version: 5.0.18-nt Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
24
March 29, 200624 MySql Server Using MySQL: mysql> show databases; +---------------------------+ | Database | +---------------------------+ | information_schema | | aef | | aw_aef | | aw_asc | | aw_fw | | ids | | mysql | | sebek| | syslog | | tcpdump| | test | | vuln | +-------------------------+ 12 rows in set (0.19 sec)
25
March 29, 200625 MySql Server Using MySQL: mysql> use ids; Database changed mysql> show tables; +-------------------------+ | Tables_in_ids | +-------------------------+ | data | | detail | | encoding | | event | | icmphdr | | iphdr | | opt | | reference | | reference_system | | schema | | sensor | | sig_class | | sig_reference | | signature | | tcphdr | | udphdr | +-------------------------+ 16 rows in set (0.00 sec)
26
March 29, 200626 MySql Server Using MySQL: mysql> describe event; +------------+--------------------+------+-------+---------+------+ | Field | Type | Null | Key | Default | Extra| +------------+--------------------+------+-------+---------+------+ | sid | int(10) unsigned | NO | PRI | | | | cid | int(10) unsigned | NO | PRI | | | | signature | int(10) unsigned | NO | MUL | | | | timestamp | datetime | NO | MUL | | | +------------+--------------------+------+-------+---------+-----+ 4 rows in set (0.19 sec)
27
March 29, 200627 MySql Server Using MySQL:
28
March 29, 200628 CommView
29
March 29, 200629 CommView What is CommView An application for capturing and analyzing network packets It can save the captured packets to log files It can generate ICMP, TCP and UDP packets of size maximum 1.5 KB and can transmit at max 5,000 pkt/sec Installation System Requirement : Pentium II or higher, Windows 98/ME/2000/XP/2003, 128 MB RAM and 6 MB free disk space Download CommView 5.1 of 30 days trail version from http://www.tamos.com/download/main/ http://www.tamos.com/download/main/
30
March 29, 200630 CommView Latest IP Connections 1. Select Network Interface 2. Start
31
March 29, 200631 CommView Packets Analyzing Payload Decoding
32
March 29, 200632 CommView Packet Generating : Tools Packet Generator TCP Packet Default Packet Size Source IP - Numeric value Source IP - Hex value (edit here)
33
March 29, 200633 CommView Packet Generating : Port number and Payload Packet Size 54 + 5 Destination Port - Numeric value Destination Port - Hex value Added 5 Byte payload content Press (Sigma) to correct
34
March 29, 200634 CommView Packet Generating : Correct Checksum Check (after pressing Sigma) Data length changed into 5 Correct it by adding 5 Press to Send
35
March 29, 200635 Activeworx Security Senter (ASC)
36
March 29, 200636 Activeworx Security Center Overview ASC is an event management solution for Snort It works with Snort 1.8 or newer It supports for MySQL as well as Microsoft SQL It allows us to view IDS data in different ways : Unique Views List Views Interactive Graphics and Charts Event Relationship Diagram Payload Decoders
37
March 29, 200637 Activeworx Security Center Installation System Requirement : Pentium 4 or later, Windows 2000/XP/2003, 512 MB RAM and 250 MB free disk space ASC version 2.6 components can be downloaded from http://www.brighttools.com/support/download.html Download the Microsoft Installer following files and run asc.desktop.msi, 55.7 MB asc.manager.msi, 51.1 MB
38
March 29, 200638 Activeworx Security Center Databases Two Different types of Databases Primary Database Event Databases Log-on ASC Database Manager Use the default Snort IDS database schema Configure Primary Database Use “Add Database Wizard” to create Event database
39
March 29, 200639 Activeworx Security Center Databases (Primary Database)
40
March 29, 200640 Databases (Event Database) Activeworx Security Center
41
March 29, 200641 Databases (Add User) Activeworx Security Center
42
March 29, 200642 Databases (Check Connectivity) Activeworx Security Center
43
March 29, 200643 Snort IDS Simulation & Testing
44
March 29, 200644 Hardware Configuration Target Machine : PC1 (OS : Windows XP) Dell Celeron CPU 2 Processor - 2.4 GHz RAM - 256 MB Source Machine : PC2 (OS : Windows XP) Dell Celeron CPU 2 Processor - 2.4 GHz RAM - 256 MB Router : TRENDnet wireless router Speed – 108 Mbps Compliant with IEEE 802.11 g Snort IDS Simulation
45
March 29, 200645 From PC1 (192.168.1.100) Run Snort Run Snort from console by using the command snort -c c:\snort\etc\snort.conf -h 192.168.1.100/24 -v -i2 Login & Run ASC Desktop Run CommView (sniffer) From PC2 (192.168.1.101) Run CommView (sniffer) Generate and Send “Bad Packet”s to PC1 (by CommView Packet Generator) Snort IDS Simulation
46
March 29, 200646 IDS Events (Event Overview) Activeworx Security Center Desktop
47
March 29, 200647 IDS Events (List Events) Activeworx Security Center Desktop
48
March 29, 200648 IDS Events (List Events : Group by Sensor) Activeworx Security Center Desktop
49
March 29, 200649 IDS Events (Event Information1 : sid 382) Activeworx Security Center Desktop
50
March 29, 200650 IDS Events (Event Information2 : sid 683) Activeworx Security Center Desktop
51
March 29, 200651 IDS Events (Event Reference1 : sid 382) Activeworx Security Center Desktop
52
March 29, 200652 IDS Events (Graphs : Top 10 IDS Destination) Activeworx Security Center Desktop
53
March 29, 200653 IDS Events (Reports : IDS Overview) Activeworx Security Center Desktop
54
March 29, 200654 Please meet us @ Room # 3144 Lambton Tower School of Computer Science University of Windsor, On 1-519-253 3000 ext 4406 Demonstration
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.