Title: Simulation of IDS by using Activeworx Security Center (ASC) and Snort, MySQL, CommView
Slide 1: Simulation of IDS by using Activeworx Security Center (ASC) and Snort, MySQL, CommView
- Presented by
- Shamsul Wazed Quazi Rahman
- School of Computer Science
- University of Windsor, On
- March 29, 2006
Slide 2: Outline
- Introduction
- Snort
- MySQL Server
- CommView
- Activeworx Security Center
- IDS Simulation
- Demonstration
Slide 3: Introduction
- Intrusion Detection System (IDS)
- Collects data from the network traffic coming into a system
- Tries to match it against known patterns of attack signatures
- Generates an alert on a match and logs the details of the attack into a database (blocking the matched traffic is the job of an inline IPS, not of Snort in the IDS mode used in this project)
- Snort
- A very popular open source IDS
- Can be configured to run in Sniffer mode, Packet Logger mode or Network IDS mode
- A number of Snort add-ons are available for monitoring Snort, analyzing results and writing Snort rules
Slide 4: Introduction
- Simulation of IDS
- The following tools and OS are used in this project
- Snort Intrusion Detection System
- MySQL Database Server
- CommView Packet Generator / Sniffer
- Activeworx Security Center (ASC), a Snort add-on
- .NET Framework, additional software required by ASC Desktop
- Windows XP Operating System
Slide 6: Snort
- WinPcap
- WinPcap must be installed before Snort can capture packets
- The latest WinPcap version is 3.1, for Windows 95/98/ME/NT4/2000/XP/2003
- WinPcap is free and can be downloaded from http://www.winpcap.org/install/default.htm
- Download the executable file WinPcap_3_1.exe (456 KB) and run it to install
Slide 7: Snort
- Snort is an open source IDS
- Can be configured to run in three modes (the command lines below are the Snort manual's Unix form; on Windows the binary is C:\Snort\bin\snort.exe)
- Sniffer mode: simply reads the packets off the network and displays them
- ./snort -vd
- Packet Logger mode: logs the packets to disk
- ./snort -dev -l c:\snort\log -h 192.168.1.100/24
- Network IDS mode: allows Snort to analyze network traffic for matches against a user-defined rule set and to perform several actions
- ./snort -dev -l c:\snort\log -h 192.168.1.100/24 -c c:\snort\etc\snort.conf
Slide 8: Snort
- Install Snort version 2.4.3, available at http://www.snort.org/dl/binaries/win32/
- Download the executable file Snort-243-Installer.exe (1.43 MB)
- Select the typical installation, which installs Snort in the C:\Snort directory
Slide 9: Snort
- Important files and their locations
- Snort configuration file: C:\Snort\etc\snort.conf
- Snort executable file: C:\Snort\bin\snort.exe
- Snort log files: C:\Snort\bin\log\alert.ids and C:\Snort\bin\log\snort.log.<time>
- Snort rules file (contains only the 10 rules used in this project): C:\Snort\rules\local.rules
Slide 10: Snort
- Snort Configuration
- The file snort.conf has to be edited before running Snort
- The following steps can be taken to create a custom configuration:
- Set the network variables
- Configure preprocessors
- Configure output plugins
- Add any runtime config directives
- Customize the rule set
Slide 11: Snort
- We took the following steps to configure Snort
- Set the HOME_NET variable:
- var HOME_NET 192.168.1.100/24
- Set the RULE_PATH variable:
- var RULE_PATH c:\Snort\rules
- Uncommented the following lines:
- output alert_syslog: LOG_AUTH LOG_ALERT
- output log_tcpdump: snort.log
- include c:\Snort\rules\classification.config
- include c:\Snort\rules\reference.config
Slide 12: Snort
- Changed the database output plugins to:
- output database: alert, mysql, user=root password=wazed dbname=ids host=localhost
- output database: log, mysql, user=root password=wazed dbname=tcpdump host=localhost
- Included the relevant rule set (for this project):
- include $RULE_PATH/local.rules
- Commented out all other include lines for rule files
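The settings from slides 11 and 12 collected into one snort.conf fragment, as an added example rather than the project's own file. Two things differ from the slides on purpose: the rule in local.rules is hypothetical (the slides do not show the project's 10 rules; it matches the 5-byte payload "ABCDE" assumed for the CommView packet later in this deck), and the database lines are shown both as the slides have them and in a hardened form. snort.conf stores the MySQL password in clear text and is readable by anyone who can read C:\Snort\etc, so the account named in it should be a dedicated one (the name "snort" is an assumption) created with only the privileges Snort's database plugin needs (INSERT and SELECT on the ids and tcpdump databases at least; check README.database for your Snort version), never root.

```conf
# C:\Snort\etc\snort.conf  (fragment assembled from slides 11-12; the rest of the stock file is unchanged)
var HOME_NET 192.168.1.100/24
var RULE_PATH c:\Snort\rules

# output plugins uncommented on slide 11
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log

# database plugins exactly as configured on slide 12: root account, clear-text password (avoid)
# output database: alert, mysql, user=root password=wazed dbname=ids host=localhost
# output database: log, mysql, user=root password=wazed dbname=tcpdump host=localhost

# hardened form: dedicated account "snort" (assumed name) holding only INSERT/SELECT on the two databases
output database: alert, mysql, user=snort password=<strong-password> dbname=ids host=localhost
output database: log, mysql, user=snort password=<strong-password> dbname=tcpdump host=localhost

include c:\Snort\rules\classification.config
include c:\Snort\rules\reference.config

# only the project rule file; every other "include $RULE_PATH/..." line is commented out
include $RULE_PATH/local.rules

# ---- C:\Snort\rules\local.rules (hypothetical rule, not one of the project's 10) ----
# alert tcp any any -> $HOME_NET any (msg:"PROJECT CommView test payload"; content:"ABCDE"; classtype:misc-activity; sid:1000001; rev:1;)

# run line from slide 45:  snort -c c:\snort\etc\snort.conf -h 192.168.1.100/24 -v -i2
```

sid values from 1000000 upward are reserved for local rules, so a project rule never collides with a sid shipped in the official rule sets; classtype misc-activity must exist in the included classification.config, which it does in the stock file.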
Slide 14: MySQL Server
- Download MySQL Database Server 5.0 from http://dev.mysql.com/downloads/
Slides 15-21: MySQL Server
- Installation wizard (screenshots): choose Detailed Configuration, Dedicated Server and Multifunctional Database, then configure network support
- MySQL Connector/ODBC
- ODBC is a standardized API that allows
connections to SQL database servers. - ODBC usually is used when database independence
or simultaneous access to different data sources
is required. - MyODBC 3.51 (installed in this project) is a
32-bit ODBC driver, also known as the MySQL ODBC
3.51 driver and it is available for download
from - http//dev.mysql.com/downloads/connector/odbc
/3.51.html
Slide 23: MySQL Server
- Using MySQL
- The following are some examples of how to use the different databases and tables with commands from the DOS prompt

C:\mysql\MySQL Server 5.0\bin>mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 18 to server version: 5.0.18-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
Slide 24: MySQL Server

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| aef                |
| aw_aef             |
| aw_asc             |
| aw_fw              |
| ids                |
| mysql              |
| sebek              |
| syslog             |
| tcpdump            |
| test               |
| vuln               |
+--------------------+
12 rows in set (0.19 sec)
Slide 25: MySQL Server

mysql> use ids;
Database changed
mysql> show tables;
+------------------+
| Tables_in_ids    |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)
Slide 26: MySQL Server

mysql> describe event;
+-----------+------------------+------+-----+---------+-------+
| Field     | Type             | Null | Key | Default | Extra |
+-----------+------------------+------+-----+---------+-------+
| sid       | int(10) unsigned | NO   | PRI |         |       |
| cid       | int(10) unsigned | NO   | PRI |         |       |
| signature | int(10) unsigned | NO   | MUL |         |       |
| timestamp | datetime         | NO   | MUL |         |       |
+-----------+------------------+------+-----+---------+-------+
4 rows in set (0.19 sec)
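How the tables listed on slides 25 and 26 fit together, and the kind of query behind the ASC Desktop views shown later in the deck (events grouped by sensor, Top 10 destinations, event information). This is an added example, not the slides' or ASC's code: it uses an in-memory SQLite database as a stand-in for MySQL, a reduced column subset of the real Snort schema (the table and column names are the ones from Snort's create_mysql script; most columns are omitted), and constructed sample events modelled on the project setup. The signature names, ports and the interface string are assumed values; the Snort sids 382 and 683 are the two that appear on the ASC screenshots.

```python
"""Query a Snort/ACID event database the way ASC's list and graph views do.
Added example: SQLite stands in for MySQL; schema is a reduced subset of Snort's."""
import socket
import sqlite3
import struct

# Reduced subset of the Snort create_mysql schema (real table/column names, fewer columns)
SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT, last_cid INTEGER);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER, sig_sid INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr    (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER, PRIMARY KEY (sid, cid));
"""


def ip2int(addr: str) -> int:
    """Snort stores IPv4 addresses in iphdr as unsigned 32-bit integers."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def int2ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


# Constructed sample data: PC2 (192.168.1.101) sends bad packets to PC1 (192.168.1.100), the Snort sensor
SENSORS = [(1, "PC1", "2", 4)]                       # interface "2" mirrors "-i2" on slide 45 (assumed)
SIGNATURES = [(1, "SAMPLE signature A", 3, 382),     # sig_sid 382 appears on slide 49; name assumed
              (2, "SAMPLE signature B", 2, 683)]     # sig_sid 683 appears on slide 50; name assumed
EVENTS = [  # (sid, cid, signature, timestamp, src, dst, proto, sport, dport) -- constructed
    (1, 1, 1, "2006-03-29 10:00:01", "192.168.1.101", "192.168.1.100", 1, None, None),
    (1, 2, 2, "2006-03-29 10:00:05", "192.168.1.101", "192.168.1.100", 6, 40000, 1433),
    (1, 3, 2, "2006-03-29 10:00:06", "192.168.1.101", "192.168.1.100", 6, 40001, 1433),
    (1, 4, 2, "2006-03-29 10:00:09", "192.168.1.101", "192.168.1.102", 6, 40002, 1433),
]


def load_sample() -> sqlite3.Connection:
    """Create the schema and insert the constructed events; event, iphdr and tcphdr share the (sid, cid) key."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensor VALUES (?,?,?,?)", SENSORS)
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?)", SIGNATURES)
    for sid, cid, sig, ts, src, dst, proto, sport, dport in EVENTS:
        conn.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?,?,?,?,?)", (sid, cid, ip2int(src), ip2int(dst), proto))
        if proto == 6:   # only TCP events get a tcphdr row
            conn.execute("INSERT INTO tcphdr VALUES (?,?,?,?)", (sid, cid, sport, dport))
    return conn


def events_by_sensor(conn):
    """'List Events Group by Sensor': alert count per sensor hostname."""
    return conn.execute("""
        SELECT s.hostname, COUNT(*) FROM event e JOIN sensor s ON s.sid = e.sid
        GROUP BY s.hostname ORDER BY s.hostname""").fetchall()


def top_destinations(conn, n=10):
    """'Top 10 IDS Destination': destinations ranked by alert count, joined on the composite (sid, cid) key."""
    rows = conn.execute("""
        SELECT i.ip_dst, COUNT(*) AS hits FROM event e
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        GROUP BY i.ip_dst ORDER BY hits DESC, i.ip_dst LIMIT ?""", (n,)).fetchall()
    return [(int2ip(dst), hits) for dst, hits in rows]


def event_detail(conn, sid, cid):
    """'Event Information': one event with its signature and addresses; None if (sid, cid) does not exist."""
    row = conn.execute("""
        SELECT g.sig_sid, g.sig_name, e.timestamp, i.ip_src, i.ip_dst, i.ip_proto, t.tcp_sport, t.tcp_dport
        FROM event e JOIN signature g ON g.sig_id = e.signature
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
        WHERE e.sid = ? AND e.cid = ?""", (sid, cid)).fetchone()
    if row is None:
        return None
    sig_sid, name, ts, src, dst, proto, sport, dport = row
    return {"snort_sid": sig_sid, "signature": name, "timestamp": ts, "src": int2ip(src),
            "dst": int2ip(dst), "proto": proto, "sport": sport, "dport": dport}
```

The same three queries run unchanged against the real ids database in MySQL once the column list is widened; the point to keep in mind is that event.signature references signature.sig_id (Snort's internal id), not the rule's sid, which lives in signature.sig_sid.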
Slide 29: CommView
- What is CommView
- An application for capturing and analyzing network packets
- It can save the captured packets to log files
- It can generate ICMP, TCP and UDP packets of up to 1.5 KB and transmit them at up to 5,000 pkt/sec
- Installation
- System requirements: Pentium II or higher, Windows 98/ME/2000/XP/2003, 128 MB RAM and 6 MB free disk space
- Download the 30-day trial version of CommView 5.1 from http://www.tamos.com/download/main/
Slide 30: CommView
- Capture (screenshot callouts): 1. Select Network Interface, 2. Start
Slide 31: CommView
- Payload Decoding (screenshot)
Slide 32: CommView
- Packet Generating: Tools > Packet Generator (screenshot callouts)
- Source IP: hex value (edit here) and numeric value
- TCP Packet
- Default Packet Size
Slide 33: CommView
- Packet Generating: Port number and Payload (screenshot callouts)
- Destination Port: hex value and numeric value
- Added 5-byte payload content
- Press Σ (Sigma) to correct the checksums
- Packet Size: 54 + 5
Slide 34: CommView
- Packet Generating: Correct Checksum (screenshot callouts)
- Correct the length by adding 5 (the payload size)
- Check the checksum (after pressing Σ)
- Data length changed to 5
- Press Send
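What the Σ button is doing in slides 32 to 34, as an added example in Python (not CommView's or the slides' code). The frame is built with the slide's 54 bytes of headers (14 Ethernet + 20 IP + 20 TCP), the 5-byte payload is appended, the IP total length is corrected by 5 and the IP header and TCP checksums are recomputed; after each step the frame is checked the way a sniffer would check it. MAC addresses, ports, the payload bytes "ABCDE" and the other header values are constructed test values. The practical reason to care: Snort 2.x with its default checksum_mode verifies checksums in the decoder and does not run packets with a bad TCP checksum through the detection engine, so a packet sent without pressing Σ produces no alert at all.

```python
"""Build, break and repair the Ethernet/IP/TCP frame from the CommView slides.
Added example; addresses, ports and payload are constructed values."""
import socket
import struct

SRC_MAC = bytes.fromhex("001122334455")   # assumed
DST_MAC = bytes.fromhex("00112233aabb")   # assumed
SRC_IP = "192.168.1.101"                  # PC2, the sending machine in the slides
DST_IP = "192.168.1.100"                  # PC1, the Snort sensor in the slides
SRC_PORT, DST_PORT = 40000, 1433          # assumed
PAYLOAD = b"ABCDE"                        # the 5-byte payload of slide 33 (content assumed)
ETH_LEN, IP_LEN, TCP_LEN = 14, 20, 20     # 54 header bytes, as on the slide


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, folded and complemented (RFC 1071).
    Over a header that already carries a correct checksum this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def sigma(frame: bytes) -> bytes:
    """The Sigma button: recompute the IP header checksum and the TCP checksum
    (over the pseudo-header, TCP header and payload) for the frame as it is now."""
    ip = bytearray(frame[ETH_LEN:ETH_LEN + IP_LEN])
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", rfc1071_checksum(bytes(ip)))
    seg = bytearray(frame[ETH_LEN + IP_LEN:])
    seg[16:18] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(seg))   # src, dst, zero, proto=TCP, length
    seg[16:18] = struct.pack("!H", rfc1071_checksum(pseudo + bytes(seg)))
    return frame[:ETH_LEN] + bytes(ip) + bytes(seg)


def build_frame(payload: bytes = b"") -> bytes:
    """Ethernet + IPv4 + TCP (+ payload) with correct lengths and checksums."""
    ip_total = IP_LEN + TCP_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    tcp = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, 1, 0, (TCP_LEN // 4) << 4, 0x18, 8192, 0, 0)
    eth = DST_MAC + SRC_MAC + b"\x08\x00"
    return sigma(eth + ip + tcp + payload)


def set_ip_total_length(frame: bytes, total: int) -> bytes:
    """Edit the IP total-length field by hand, as on slide 34 ('correct it by adding 5')."""
    off = ETH_LEN + 2
    return frame[:off] + struct.pack("!H", total) + frame[off + 2:]


def check_frame(frame: bytes):
    """Judge a frame as a sniffer would: (ip_total_length, length_ok, ip_checksum_ok, tcp_checksum_ok)."""
    ip = frame[ETH_LEN:ETH_LEN + IP_LEN]
    total = struct.unpack("!H", ip[2:4])[0]
    length_ok = total == len(frame) - ETH_LEN
    ip_ok = rfc1071_checksum(ip) == 0
    seg = frame[ETH_LEN + IP_LEN:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    tcp_ok = rfc1071_checksum(pseudo + seg) == 0
    return total, length_ok, ip_ok, tcp_ok


def walk_through():
    """Reproduce slides 32-34 step by step; returns the check after each step and the final frame."""
    steps = {}
    f = build_frame()                                   # slide 32: default TCP packet, 54 bytes
    steps["default"] = check_frame(f)
    f = f + PAYLOAD                                     # slide 33: 5-byte payload appended, nothing else fixed
    steps["payload_added"] = check_frame(f)
    f = set_ip_total_length(f, IP_LEN + TCP_LEN + 5)    # slide 34: length corrected by adding 5
    steps["length_fixed"] = check_frame(f)
    f = sigma(f)                                        # slide 34: press Sigma
    steps["after_sigma"] = check_frame(f)
    return steps, f


if __name__ == "__main__":
    for name, result in walk_through()[0].items():
        print(name, result)
```

The intermediate results make the order of operations visible: after the payload is appended only the length check fails, after the length is edited both checksums are stale, and only Σ brings the frame back to 59 bytes that every decoder accepts.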
Slide 36: Activeworx Security Center (ASC)
- Overview
- ASC is an event management solution for Snort
- It works with Snort 1.8 or newer
- It supports MySQL as well as Microsoft SQL Server
- It allows us to view IDS data in different ways:
- Unique Views
- List Views
- Interactive Graphics and Charts
- Event Relationship Diagram
- Payload Decoders
Slide 37: Activeworx Security Center
- Installation
- System requirements: Pentium 4 or later, Windows 2000/XP/2003, 512 MB RAM and 250 MB free disk space
- ASC version 2.6 components can be downloaded from http://www.brighttools.com/support/download.html
- Download the following Microsoft Installer files and run them:
- asc.desktop.msi, 55.7 MB
- asc.manager.msi, 51.1 MB
Slide 38: Activeworx Security Center
- Databases
- Two different types of databases:
- Primary Database
- Event Databases
- Log on to ASC Database Manager
- Use the default Snort IDS database schema
- Configure the Primary Database
- Use the Add Database Wizard to create the Event database
Slides 39-42: Activeworx Security Center
- Databases (screenshots): Primary Database, Event Database, Check Connectivity
Slide 43: Snort IDS Simulation Testing
Slide 44: Snort IDS Simulation
- Hardware Configuration
- Target Machine PC1 (OS: Windows XP)
- Dell, Celeron CPU
- Processor: 2.4 GHz
- RAM: 256 MB
- Source Machine PC2 (OS: Windows XP)
- Dell, Celeron CPU
- Processor: 2.4 GHz
- RAM: 256 MB
- Router: TRENDnet wireless router
- Speed: 108 Mbps
- Compliant with IEEE 802.11g
Slide 45: Snort IDS Simulation
- From PC1 (192.168.1.100):
- Run Snort from the console using the command
- snort -c c:\snort\etc\snort.conf -h 192.168.1.100/24 -v -i2
- Log in and run ASC Desktop
- Run CommView (sniffer)
- From PC2 (192.168.1.101):
- Run CommView (sniffer)
- Generate and send bad packets to PC1 (by CommView Packet Generator)
Slides 46-53: Activeworx Security Center Desktop (screenshots)
- IDS Events: Event Overview
- IDS Events: List Events grouped by Sensor
- IDS Events: Event Information 1 (sid 382) and Event Information 2 (sid 683)
- IDS Events: Event Reference 1 (sid 382)
- IDS Events: Graphs, Top 10 IDS Destinations
- IDS Events: Reports, IDS Overview
Slide 54: Demonstration
- Please meet us at
- Room 3144
- Lambton Tower
- School of Computer Science
- University of Windsor, On
- 1-519-253-3000 ext 4406
Thank You