1. Snort & IDScenter 60-564: Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal Presented By: Tarik El Amsy, Lihua Duan Date: March 29, 2006

2. What is IDScenter IDScenter is basically a Graphical front- end for Snort on Windows platforms (Recommended: Windows NT4/2000/XP). IDScenter provides a friendly interface for Snort users. With some knowledge of Snort, IDScenter will help users to do configuration and provide management features.

3. Features of IDScenter Snort 1.7, 1.8, 1.9, and 2.x Support Snort configuration wizard Online updates of IDS rules Ruleset editor for all Snort rule options HTML report from SQL backend Execution of program on attack detection Good Alerting tools including mail, Windows event log and normal DB logging.

4. Experiment Architecture and Scenarios NIDS Target Attacker Router Hub Home net address 172.16.1.0 /24

5. NIDS server configuration CPU: AMD64 Opteron Memory: 512M Hard Disk: 8 G Operating Operating System: Windows 2000 Advanced Server (Ser) IP Address: 172.16.1.1 Installed Software: Snort 2.4.3 Snort 2.4.3 IDScenter 1.1 RC4 IDScenter 1.1 RC4 WinPcap 3.1 WinPcap 3.1 Ethereal 0.10.14 Ethereal 0.10.14 NIDS

6. Target server configuration CPU: AMD64 Opteron Memory: 512MHard Disk: 8 G Operating System: Windows 2000 Advanced Server (Ser) IP Address: 172.16.1.2 Installed software Ethereal 0.10.14 Winpcap 3.0 alpha 4 Packet Excalibur 1.0.2 (Packet generator) Web server, TelNET, SNMP, FTP, etc Target

7. Attacker server configuration CPU: AMD64 Opteron Memory: 512MHard Disk: 8 G OS: Windows 2000 AS IP Address: 137.207.234.252 Installed software Winpcap 3.0 alpha 4 Packet Excalibur 1.0.2 (Packet generator) Web server, TelNET, SNMP, FTP, etc. Attacker

8. Installing WinPcap WinPcap (Windows Packet Capture Library) is a packet- capture driver. Functionally, this means that WinPcap grabs packets from the network wire and pitches them to Snort, ethereal and windump. Download & run WinPcap_3_1_auto-installer.exe to local disk from http://www.winpcap.org/install/default.htm Download & run WinPcap_3_1_auto-installer.exe to local disk from http://www.winpcap.org/install/default.htm http://www.winpcap.org/install/default.htm Should be installed on hosts NIDSAttackerTarget

9. Installing Ethereal Ethereal® is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. Ethereal is one of the best graphical packet sniffer. Its graphical interface makes it easy to use and its big list of features make it very powerful in analyzing network traffic Download & run ethereal-setup-0.10.14.exe or any latest version from Ethereal website http://www.ethereal.com/download.html. http://www.ethereal.com/download.html

10. Installing Packet Excalibur A multi-platform freeware, graphical and scriptable network packet engine with extensible text based protocol descriptions. Needed to craft sample attack and generate these packets on the network during snort testing. download Packet Excalibur Windows installer version 1.0.2 from http://www.securitybugware.org/excalibur/PacketExcali bur_1.0.2_win32.exe. http://www.securitybugware.org/excalibur/PacketExcali bur_1.0.2_win32.exe http://www.securitybugware.org/excalibur/PacketExcali bur_1.0.2_win32.exe It will also install WinPcap 3.0a. AttackerTarget Should be installed on

11. Packet Excalibur Demo alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"Rule 4 RPC portmap listing TCP 111"; content: "|00 01 86 A0|"; reference: arachnids,428; sid: 598; rev: 11; classtype: rpc-portmap-decode; flow: to_server,established;)

12. Installing Snort Download SNORT ver 2.4.3 Install directory c:\snort Default logging database option To test Installation and make sure it is running C:\snort\bin\snort –v This will run snort in sniffer mode and you should be able to see the passing packets on the network captured by Snort.

13. Installing IDScenter Download IDScenter.zip (1.1 RC4, 04.08.2003) from http://www.engagesecurity.com/downloads/#IDScenter Unzip the download file to obtain the setup.exe then run it to start simple and default installation.

14. Configuring Snort Change the setting of Snort configuration file snort.conf under c:\snort\etc folder Use any text editor to edit the following Network settings Network settings Preprocessors Preprocessors Output settings Output settings Rules settings Rules settings

15. Configuring Network settings Snort use variables in configuring the rules. When you type $ and Variable name, the value of this variable will be replaced. This allows you to add different network ranges and subnets and simplify rules editing and customization We added the following variables to snort.conf file var HOME_NET 172.16.1.0/24 var EXTERNAL_NET any var DNS_SERVERS 172.16.1.2/32 var SMTP_SERVERS 172.16.1.2/32 var HTTP_SERVERS 172.16.1.2/32 var SQL_SERVERS 172.16.1.2/32 var TELNET_SERVERS 172.16.1.2/32 var HTTP_PORTS 80 var RULE_PATH c:\snort\rules

16. Configuring Preprocessors Configure Http_inspect preprocessor This preprocessor allow snort to decode Http web traffic & analyze it for specific URI contents. Setting in snort.conf file preprocessor http_inspect: global iis_unicode_map unicode.map 1252 preprocessor http_inspect_server: server default profile all ports { 80 }

17. Configuring Output settings Outputing Alerts to a file base log called alert.ids Outputing Alerts to a file base log called alert.ids Setting in snort.conf file output alert_fast: alert.ids config logdir: c:\snort\log

18. Configuring Rules settings Create a file called project.rules in c:\snort\rules folder. The file has the10 selected attacks. Remove normal rule file setting from config file and add only project.rules. Include $Rule_path/project.rules Sample Rule alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"Rule 4 RPC portmap listing TCP 111"; content: "|00 01 86 A0|"; reference: arachnids,428; sid: 598; rev: 11; classtype: rpc-portmap-decode; flow: to_server,established;) alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"Rule 4 RPC portmap listing TCP 111"; content: "|00 01 86 A0|"; reference: arachnids,428; sid: 598; rev: 11; classtype: rpc-portmap-decode; flow: to_server,established;)

19. IDScenter Configuration IDScenter consists of the following menus GeneralWizardsLogsAlerts...

20. General Menu Click on Apply to apply a configuration/save configuration (after setting all the options needed in IDScenter) Start Snort: Starts Snort in console mode / service mode View alerts: open log viewer Test settings: After configuration you can test the settings by clicking on this button Reload: Reload the configuration Rest Alarm: Stop alarm sound

21. General Menu There are two modes to setup Snort with IDScenter -Snort console mode -Snort service mode -The advantage of service mode is, that Snort can monitor your network constantly even when you're logged off

22. General / Configuration Select snort version to run Select Process priority Select options (Service mode /snort console /auto restart ) Select log folder path and file name

23. General / Snort Options Set the configuration file.This is usally "Snort.conf" in the "etc" folder where Snort was installed (e.x. "C:\Snort\etc\snort.conf") You can find a pattern in the configuration file by typing it into the editbox and click on the search button You can set an external editor for editing Snort configuration file

24. General Activity Log In this panel IDScenter displays events You can enable/disable event logs You can select which events are monitored You can let automatically purge the activity log Clear log: clear the logging entries

25. General/ Over View In this panel IDScenter displays errors. If an error occurs when you click on apply, you'll be informed here. An overview of the alert features activated is shown here "Copy to clipboard": you can copy the Snort command- line into clipboard

26. Wizards Menu Wizards Menu has several wizards which helps configuring snort. It has the following: Network Variables wizard Preprocessor Wizard Output plugin Wizard Rules/Signatures Wizard Online Update Wizard

27. Wizards / Network Variables Helps to set the variables used in rule files You can : Add new variable Add new variable Edit and existing variable Edit and existing variable Delete a variable Delete a variable

28. Wizards / Preprocessors Here you can select and configure the preprocessors used by Snort Stream4 and Frag2 Pane ( enable snort to defragment packets and perform stateful inspection) Stream4 and Frag2 Pane ( enable snort to defragment packets and perform stateful inspection) Protocol Preprocessor Pane (different protocol decoders like HTTP decode, Telnet, RPC decod..etc) Protocol Preprocessor Pane (different protocol decoders like HTTP decode, Telnet, RPC decod..etc) PortScan Detection Pane PortScan Detection Pane Miscellaneous Pane (ARP spoof and other unsupported preprocessors) Miscellaneous Pane (ARP spoof and other unsupported preprocessors)

29. Wizards / Output Plugins There are many small wizards in this panel which will help you to configure the output plugins of Snort.

30. Wizards / Rules Wizard The ruleset wizard will help you maintain a good ruleset. This is the "include"-part of the Snort configuration file Select first a classification configuration file,by default: "classification.config" Select the reference configuration file,by default: "reference.config" Activate/Deactivate the rule files you want to use by check/uncheck its box. Open a ruleset in the ruleset editor: Select a ruleset file Select a ruleset file Click on "Ruleset editor" Click on "Ruleset editor"

31. Wizards / Rules Wizard The ruleset editor lists all available rules in the file. Add (and clone) new rules / delete rules Edit a rule (Select a rule and click on "Add/edit rule" Activate/Deactivate the rules you want to use Import additional rules into the ruleset (in Snort 2.x syntax) Save the ruleset after modification

32. Rules Wizard / Editing a rule The editor provides a front-end to all Snort 2.x rule features It make it easier to understand and modify any rule You can also access online information for that rule

33. Wizard/ Online Update The online update wizard is a frontend for configurating Oinkmaster (by Andreas Östling) If you want to use this feature, you should download EagleX package.

34. Logs/ Options Menu Set the parameters (command-line parameters) of Snort. Select the interface Snort should monitor if necessary This will overwrite settings in snort configuration file if set Example: you set output plugin "alert_full: alert.ids"... and selected "Fast". In this case Snort will log using fast mode

35. Logs / Log Rotation Log rotationLog rotation will rotate the alert logs by compressing the files into a ZIP packages and move it to the Backup folder.

36. Alerts/ Detection Alerts alarm will be on if the file/database has changed. Select at least one alert detection mode File alert detection mode (up to 10 files monitoring) Add the files which should be monitored for changes (At least the alert log file set in main configuration panel should be set.) MySQL alert detection

37. Alerts/ Notification Alarm sound : Select a WAV file if you selected "Start alarm sound when an alert is logged“. Program execution: IDScenter will execute this program if an alert was logged ( start a script that reconfigures your router, generate HTML pages of alert log using an external program.etc) AutoBlock - Plugin system (example network Ice & Black Ice ). It allows you to block specific network traffic (mini firewall)

38. Alerts/ AlertMail AlertMail can send administrator alerts by mail if Snort has detected an attack. You can send a sample of the latest attacks in the email message as well as attachment of the log file.

39. Example of received mail alert

40. Our Opinion IDS Center is a very simple and easy to use configuration utility for snort. It has very good graphical interface Provide a lot of add on features for managing snort. Provide a good Alerting features It has some compatibility issues with latest snort version (especially Preprocessors and MySQL latest version) It has no analysis features. It still require good knowledge of snort IDS to configure.