
NIDS with Snort and SnortSnarf, by Muhammad Hasan. Course: 60-564. Instructor: Dr. A. K. Aggarwal. Winter, 2006.








  1. NIDS with Snort and SnortSnarf
     By Muhammad Hasan
     Course: 60-564
     Instructor: Dr. A. K. Aggarwal
     Winter, 2006
     60-564 Presentation By Muhammad Hasan

  2. H/W and S/W Used (for Implementing and Testing the NIDS):
     Testing System (with root privilege):
     • Dell Dimension 4400 Pentium 4 machine with 1 NIC, O/S: WinXP Pro
     • S/W: WinPcap 3.1, MySQL Server 5.0, Microsoft IIS Web Server 5.1, ActivePerl 5.6.1.638, WinDump 3.93, Snort 2.43 Win32 Binaries, SnortSnarf-050314.1
     Attack Generation System (with root privilege):
     • Sony VAIO Pentium 4 Laptop with Wireless NIC, O/S: WinXP Pro
     • S/W: WinPcap 3.04a, Packet Excalibur 1.0.2, Ethereal 0.10.14
     Router: NETGEAR WGR614 v5 Router in default promiscuous mode.

  3. Environment Variable Settings:
     The following paths are included in the $PATH variable:
     • C:\MySQL\bin
     • C:\Perl\bin
     • C:\Windump
     • C:\Snort\bin

  4. Configuring Snort
     • Snort installation directory: C:\Snort
     • Install the Snort rules from Snort
     • Make a customized rule file named "pro.rules" and place it in C:\Snort\rules
     • Make the following changes in the snort.conf file in C:\Snort\etc:
       Original: var RULE_PATH ../rules
       Change:   var RULE_PATH c:\Snort\rules   (the absolute location of the rules)
     • Note: Find the entry for 'preprocessor sfportscan'
       Original: sense_level { low }
       Change:   sense_level { low } \

  5. Configuring Snort (Cont.)
     • Just below the changed line above add:
       logfile { portscan.log }
     • Note: Just below '# output log_tcpdump: tcpdump.log' insert this next line:
       output alert_fast: alert.ids
     • Original: include classification.config
       Change:   include c:\Snort\etc\classification.config

  6. Configuring Snort (Cont.)
     • Original: include reference.config
       Change:   include c:\Snort\etc\reference.config
     • Original: # include threshold.conf
       Change:   include c:\Snort\etc\threshold.conf
     • Uncomment the following line for database logging:
       output database: log, mysql, user=root dbname=snort host=localhost
     • Delete all the included default rules and include the following:
       include $RULE_PATH/pro.rules
     • Now save the file.
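The snort.conf edits on slides 4 to 6 are easy to get half-right by hand (a forgotten continuation backslash after sense_level, a second rules file left included). The following Python is an added example, not part of the presentation: it applies exactly those edits to a snort.conf and then checks that every line the slides call for is present and that pro.rules is the only rules include. The snort.conf excerpt it rewrites is constructed here from the lines the slides mention, in the form the stock Snort 2.4 file has them; the paths C:\Snort\etc and C:\Snort\rules are the ones the slides use.

```python
import re

# Constructed excerpt of a Snort 2.4-era snort.conf, not the page's own file; it
# carries only the lines that slides 4-6 touch, in the form the stock file has them.
SAMPLE_CONF = """\
var HOME_NET any
var RULE_PATH ../rules
preprocessor sfportscan: proto  { all } \\
                         memcap { 10000000 } \\
                         sense_level { low }
# output log_tcpdump: tcpdump.log
# output database: log, mysql, user=root dbname=snort host=localhost
include classification.config
include reference.config
# include threshold.conf
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
"""

SNORT_ETC = r"c:\Snort\etc"      # absolute paths taken from the slides
SNORT_RULES = r"c:\Snort\rules"
CUSTOM_RULES = "include $RULE_PATH/pro.rules"
ALERT_FAST = "output alert_fast: alert.ids"
DB_OUTPUT = "output database: log, mysql, user=root dbname=snort host=localhost"

# Whole-line rewrites (matched after stripping whitespace): original -> replacement.
LINE_REWRITES = {
    "var RULE_PATH ../rules": f"var RULE_PATH {SNORT_RULES}",
    "include classification.config": f"include {SNORT_ETC}\\classification.config",
    "include reference.config": f"include {SNORT_ETC}\\reference.config",
    "# include threshold.conf": f"include {SNORT_ETC}\\threshold.conf",
    "# " + DB_OUTPUT: DB_OUTPUT,
}

# Any include of a rules file under $RULE_PATH; all of them collapse to pro.rules.
RULE_INCLUDE = re.compile(r"^\s*include\s+\$RULE_PATH/\S+\.rules\s*$")

def apply_slide_changes(conf_text):
    """Return conf_text with the edits from slides 4-6 applied. Safe to re-run."""
    present = {line.strip() for line in conf_text.splitlines()}
    out = []
    rules_emitted = False
    for line in conf_text.splitlines():
        stripped = line.strip()
        indent = line[: len(line) - len(line.lstrip())]
        if stripped in LINE_REWRITES:
            out.append(indent + LINE_REWRITES[stripped])
        elif stripped == "sense_level { low }":
            # Continue the sfportscan block and add the portscan log file below it.
            out.append(f"{indent}sense_level {{ low }} \\")
            out.append(f"{indent}logfile {{ portscan.log }}")
        elif stripped == "# output log_tcpdump: tcpdump.log":
            out.append(line)
            if ALERT_FAST not in present:   # do not insert a second copy on a re-run
                out.append(ALERT_FAST)
        elif RULE_INCLUDE.match(line):
            if not rules_emitted:           # keep one include, drop the defaults
                out.append(CUSTOM_RULES)
                rules_emitted = True
        else:
            out.append(line)
    return "\n".join(out) + "\n"

# Every line the slides expect to see in the finished file.
REQUIRED = [
    f"var RULE_PATH {SNORT_RULES}",
    "sense_level { low } \\",
    "logfile { portscan.log }",
    ALERT_FAST,
    f"include {SNORT_ETC}\\classification.config",
    f"include {SNORT_ETC}\\reference.config",
    f"include {SNORT_ETC}\\threshold.conf",
    DB_OUTPUT,
    CUSTOM_RULES,
]

def missing_settings(conf_text):
    """Lines from REQUIRED that the configuration still lacks (empty when done)."""
    present = {line.strip() for line in conf_text.splitlines()}
    return [req for req in REQUIRED if req not in present]

def rule_includes(conf_text):
    """Every '$RULE_PATH/...rules' include; the slides want exactly one (pro.rules)."""
    return [line.strip() for line in conf_text.splitlines() if RULE_INCLUDE.match(line)]

if __name__ == "__main__":
    new_conf = apply_slide_changes(SAMPLE_CONF)
    print(new_conf)
    print("missing:", missing_settings(new_conf))
    print("rule includes:", rule_includes(new_conf))
```

Running the script on a real C:\Snort\etc\snort.conf means reading the file into `apply_slide_changes` and writing the result back; `missing_settings` on the written file is the check to run before installing the service on slide 7, since Snort only reports a broken include or an unterminated preprocessor block when it starts.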

  7. Configuring Snort (Cont.)
     • To install Snort as a Windows service, type in the Command Prompt:
       snort /SERVICE /INSTALL -c c:\snort\etc\snort.conf -l c:\Inetpub\wwwroot\log -U -K ascii -i2
     • To run Snort:
       Go to Control Panel -> Administrative Tools -> Services.
       From the service list select "Snort" and click Start.
     • To stop Snort:
       Go to Control Panel -> Administrative Tools -> Services.
       From the service list select "Snort" and click Stop.

  8. Configuring ActivePerl
     • Perl installation directory: C:\Perl
     • Download the Perl Time modules from http://search.cpan.org/~muir/Time-modules-2003.1126/ and install them in c:\perl\lib\time\
     • Installing Perl database support:
       In the command prompt run the Perl Package Manager by executing the PPM command. This will be the console screen while running ppm:
       C:\Documents and Settings\Administrator>ppm

  9. Configuring ActivePerl (Cont.)
     PPM>
     PPM> install DBI
     Install package 'DBI?' (y/N): y
     ...
     PPM> install DBD-mysql
     Install package 'DBD-mysql?' (y/N): y
     ...
     PPM> install NET-MySQL
     Install package 'NET-MySQL?' (y/N): y
     ...

  10. Configuring IIS:
     • Default installation location: c:\Inetpub
     • Create a new directory named 'log' under c:\Inetpub\wwwroot\
     • Create a new directory named 'cgi' under c:\Inetpub\wwwroot\
     • Go to the 'Control Panel' -> 'Administrative Tools' and double-click the 'Internet Information Services' applet.
     • Expand 'Servername (local computer)',
     • Expand 'Web Sites' (if it exists),
     • Left-click 'Default Web Site',
     • Right-click the 'cgi' folder (in the window on the right),
     • Highlight and left-click 'Properties',
     • Left-click the 'Directories' tab; in the 'Local Path:' section left-click the Read and Write boxes so they are checked; then, in the 'Application Settings' section,

  11. Configuring IIS (Cont.):
     • Use the down arrow to set 'Execute Permissions:' to 'Scripts and Executables',
     • Left-click 'Yes' if a 'Security Warning' is displayed, left-click 'Apply', left-click 'OK', and finally
     • Exit the 'Internet Information Services' applet.

  12. Configuring MySQL and Snort
     • MySQL installation directory is C:\MySQL
     • Start the server: open a Command Prompt and type:
       mysqld --console
     • Start the MySQL command interpreter: open a Command Prompt and type:
       mysql --user=root mysql

  13. Configuring MySQL and Snort (Cont.)
     • mysql>
     • Now create a database named 'snort' using the following SQL command:
       mysql> CREATE DATABASE snort;
     • Then open another console and run the following command to load the Snort schema into it:
       C:\Documents and Settings\Administrator> mysql -D snort -u root < C:\Snort\schemas\create_mysql

  14. Configuring SnortSnarf:
     • SnortSnarf installation directory is C:\SnortSnarf-050314.1\
     • To process the Snort logs from the alert.ids file, create a batch file named 'starti.bat' and place a shortcut to it on the desktop.
     • starti.bat:
       @ECHO OFF
       c:\snortsnarf-050314.1\snortsnarf.pl -win -d c:\inetpub\wwwroot\log -dns -db c:\snortsnarf-050314.1\ann-dir\annotation-base.xml -cgidir http://localhost/cgi c:\inetpub\wwwroot\log\alert.ids

  15. Configuring SnortSnarf (Cont.):
     • To process the Snort logs from the MySQL database, create a batch file named 'startdb.bat' and place a shortcut to it on the desktop.
     • startdb.bat:
       @ECHO OFF
       c:\snortsnarf-050314.1\snortsnarf.pl root:@snort@localhost -win -d c:\inetpub\wwwroot\log -dns -db c:\snortsnarf-050314.1\ann-dir\annotation-base.xml -cgidir http://localhost/cgi
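What starti.bat feeds to SnortSnarf is the alert_fast output configured on slide 5, one alert per line, which SnortSnarf groups by signature, source and destination for its index page. As an added example that is neither the presentation's nor SnortSnarf's code, the following Python parses lines in that format and builds the same three groupings, plus a count per priority. The sample alert.ids lines are constructed for this example (addresses, signature ids and messages are made up); the layout is the Snort 2.x alert_fast format, in which the Classification field is absent for rules without a classtype and ports are absent for ICMP and for sfportscan's `{PROTO:255}` alerts.

```python
import re
from collections import Counter

# Constructed alert_fast lines in the layout Snort 2.x writes to alert.ids; the
# addresses, signature ids and messages are made up for this example.
SAMPLE_ALERTS = """\
03/15-14:22:31.104211  [**] [1:1000001:1] PRO custom test signature [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:4321 -> 192.168.1.10:80
03/15-14:22:31.204873  [**] [1:1000001:1] PRO custom test signature [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:4322 -> 192.168.1.10:80
03/15-14:22:32.011902  [**] [1:1000002:1] PRO custom ICMP probe [**] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.10
03/15-14:22:32.500000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.1.5 -> 192.168.1.10
this line is not an alert and must be skipped
"""

# timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"      # optional, rule may lack classtype
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"                            # TCP, UDP, ICMP or PROTO:nnn
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """One alert_fast line -> dict of fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["prio"] = int(rec["prio"])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    # The key SnortSnarf groups on: generator, signature id, revision and message.
    rec["signature"] = f"[{rec['gid']}:{rec['sid']}:{rec['rev']}] {rec['msg']}"
    return rec

def parse_alerts(text):
    """All parseable alerts in an alert.ids body, in file order; other lines are skipped."""
    return [rec for rec in map(parse_alert, text.splitlines()) if rec]

def summarize(alerts):
    """Counts per signature, source, destination and priority (SnortSnarf's index view)."""
    return {
        "by_signature": Counter(a["signature"] for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
        "by_dest": Counter(a["dst"] for a in alerts),
        "by_priority": Counter(a["prio"] for a in alerts),
    }

if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_ALERTS))
    for section, counts in summary.items():
        print(section)
        for key, n in counts.most_common():
            print(f"  {n:4d}  {key}")
```

Pointing `parse_alerts` at the real file means reading C:\Inetpub\wwwroot\log\alert.ids; the non-alert sample line stands in for the blank lines and partial writes a live alert.ids can contain while Snort is still running, which the parser skips rather than failing on.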

  16. Preparing the Attack:
     • Used Packet Excalibur
     • Installation directory: C:\PackEx\
     • Very easy-to-use graphical interface for packet generation.
     • Constructed the packets according to the Snort signatures and rules for the 10 selected signatures.
     • The 10 crafted packets are then added to a script called 'pro' located in C:\PackEx\scripts\
     • Load the script and then run it.

  17. Testing the NIDS:
     Do the following steps sequentially:
     On the Testing Machine
     • Run the database server
     • Run Snort
     • Run WinDump as a sniffer with the following command:
       windump -i 2
     On the Attacking Machine
     • Run Ethereal to sniff
     • Initiate the attack from Packet Excalibur

  18. Testing the NIDS (Cont.):
     On the Testing Machine:
     • Run 'starti.bat' to generate the HTML from the alert.ids file,
     • or run 'startdb.bat' to generate the HTML from the database logging.
     • Open a browser and in the address bar type:
       http://localhost/log/index.html

  19. DEMONSTRATION
