Simulation of IDS by using Activeworx Security Center (ASC) and Snort, MySQL, CommView - PowerPoint PPT Presentation

Slides: 55
Provided by: shamsu3

1
Simulation of IDS by using Activeworx Security Center (ASC) and Snort, MySQL, CommView
  • Presented by
  • Shamsul Wazed Quazi Rahman
  • School of Computer Science
  • University of Windsor, On
  • March 29, 2006

2
Outline
  • Introduction
  • Snort
  • MySQL Server
  • CommView
  • Activeworx Security Center
  • IDS Simulation
  • Demonstration

3
Introduction
  • Intrusion Detection System (IDS)
  • Collects data from network traffic coming into a system
  • Tries to match it against known patterns of attack signatures
  • Blocks the matched data and logs the details of the attack into a database
  • Snort
  • A very popular open source IDS
  • Can be configured to run in Sniffer mode, Packet Logger mode or Network IDS mode
  • A number of Snort add-ons are available for monitoring Snort, analyzing results and writing Snort rules

4
Introduction
  • Simulation of IDS
  • The following tools and OS are used in this project:
  • Snort Intrusion Detection System
  • MySQL Database Server
  • CommView Packet Generator / Sniffer
  • Activeworx Security Center (ASC), a Snort add-on
  • .NET Framework, additional software required for ASC Desktop
  • Windows XP Operating System

5
  • Snort

6
Snort
  • WinPcap
  • WinPcap must be installed before Snort can capture packets
  • The latest WinPcap version is 3.1, for Windows 95/98/ME/NT4/2000/XP/2003
  • WinPcap is free and can be downloaded from http://www.winpcap.org/install/default.htm
  • Download the executable file winPcap_3_1.exe (456 KB) and run it to install

7
Snort
  • Snort is an open source IDS
  • Can be configured to run in three modes
  • Sniffer mode: simply reads the packets off the network and displays them
  • ./snort -vd
  • Packet Logger mode: logs the packets to disk
  • ./snort -dev -l c:\snort\log -h 192.168.1.100/24
  • Network IDS mode: allows Snort to analyze network traffic for matches against a user-defined rule set and perform several actions
  • ./snort -dev -l c:\snort\log -h 192.168.1.100/24 -c c:\snort\etc\snort.conf

8
Snort
  • Install Snort version 2.4.3, available at http://www.snort.org/dl/binaries/win32/
  • Download the executable file Snort-243-Installer.exe (1.43 MB)
  • Select the typical installation, which installs Snort in the C:\Snort directory

9
Snort
  • Important files and their locations
  • Snort configuration file - C:\Snort\etc\snort.conf
  • Snort executable file - C:\Snort\bin\snort.exe
  • Snort log files - C:\Snort\bin\log\alert.ids and C:\Snort\bin\log\snort.log.<time>
  • Snort rules file (contains only the 10 rules written for this project) - C:\Snort\rules\local.rules

10
Snort
  • Snort Configuration
  • The file snort.conf has to be edited before running Snort
  • The following steps can be taken to create a custom configuration:
  • Set the variables for your network
  • Configure preprocessors
  • Configure output plugins
  • Add any runtime config directives
  • Customize the rule set

11
Snort
  • We took the following steps to configure Snort
  • Set the HOME_NET variable as
  • var HOME_NET 192.168.1.100/24
  • Set the RULE_PATH variable as
  • var RULE_PATH c:\Snort\rules
  • Uncommented the following lines
  • output alert_syslog: LOG_AUTH LOG_ALERT
  • output log_tcpdump: snort.log
  • include c:\Snort\rules\classification.config
  • include c:\Snort\rules\reference.config

12
Snort
  • Changed the database output lines as follows:
  • output database: alert, mysql, user=root password=wazed dbname=ids host=localhost
  • output database: log, mysql, user=root password=wazed dbname=tcpdump host=localhost
  • Included the relevant rule set (for this project)
  • include $RULE_PATH/local.rules
  • Commented out all other include rules

13
  • MySQL Server

14
MySQL Server
  • Download MySQL Database Server 5.0 from
  • http://dev.mysql.com/downloads/

15
MySQL Server
  • Install MySQL Server

16
MySQL Server
  • Configure MySQL Server

17
MySQL Server
  • Choose Detailed Configuration

18
MySQL Server
  • Choose Dedicated Server

19
MySQL Server
  • Choose Multifunctional Database

20
MySQL Server
  • Configure Network support

21
MySQL Server
  • Change root password

22
MySQL Server
  • MySQL Connector/ODBC
  • ODBC is a standardized API that allows connections to SQL database servers.
  • ODBC is usually used when database independence or simultaneous access to different data sources is required.
  • MyODBC 3.51 (installed in this project) is a 32-bit ODBC driver, also known as the MySQL ODBC 3.51 driver; it is available for download from
  • http://dev.mysql.com/downloads/connector/odbc/3.51.html

23
MySQL Server
  • Using MySQL
  • The following are some examples of how to work with the different databases and tables using commands from the DOS prompt

C:\mysql\MySQL Server 5.0\bin>mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 18 to server version: 5.0.18-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
24
MySQL Server
  • Using MySQL

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| aef                |
| aw_aef             |
| aw_asc             |
| aw_fw              |
| ids                |
| mysql              |
| sebek              |
| syslog             |
| tcpdump            |
| test               |
| vuln               |
+--------------------+
12 rows in set (0.19 sec)
25
MySQL Server
  • Using MySQL

mysql> use ids
Database changed
mysql> show tables;
+------------------+
| Tables_in_ids    |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)
26
MySQL Server
  • Using MySQL

mysql> describe event;
+-----------+------------------+------+-----+---------+-------+
| Field     | Type             | Null | Key | Default | Extra |
+-----------+------------------+------+-----+---------+-------+
| sid       | int(10) unsigned | NO   | PRI |         |       |
| cid       | int(10) unsigned | NO   | PRI |         |       |
| signature | int(10) unsigned | NO   | MUL |         |       |
| timestamp | datetime         | NO   | MUL |         |       |
+-----------+------------------+------+-----+---------+-------+
4 rows in set (0.19 sec)
27
MySQL Server
  • Using MySQL
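The ASC views shown later (event lists, "Event Information (sid N)", "Top 10 IDS Destination") are queries over the tables listed above. The following Python is an added example, not code from the presentation or from ASC: it loads a constructed subset of the Snort schema (event, signature, iphdr) into SQLite and reproduces two of those views; the rule names, timestamps and addresses are made-up sample data.

```python
import sqlite3

# Subset of the Snort database schema listed on the slides (event, signature,
# iphdr); column names follow the schema, all rows below are constructed samples.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_priority INTEGER, sig_sid INTEGER);
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER,
                    ip_dst INTEGER, PRIMARY KEY (sid, cid));
"""

def ip2int(addr):
    """Snort stores IPv4 addresses as unsigned 32-bit integers."""
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int2ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # sig_sid 382 and 683 are the rule ids seen in the ASC screenshots; the
    # names are placeholders, not the real rule messages.
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?)",
                     [(1, "sample rule (sid 382)", 3, 382), (2, "sample rule (sid 683)", 2, 683)])
    events = [(1, 1, 1, "2006-03-29 10:00:01", "192.168.1.101", "192.168.1.100"),
              (1, 2, 1, "2006-03-29 10:00:02", "192.168.1.101", "192.168.1.100"),
              (1, 3, 2, "2006-03-29 10:00:05", "192.168.1.101", "192.168.1.100"),
              (1, 4, 2, "2006-03-29 10:00:09", "192.168.1.101", "192.168.1.1")]
    for sid, cid, sig, ts, src, dst in events:   # sid = sensor id, cid = event counter
        conn.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?,?,?,?)", (sid, cid, ip2int(src), ip2int(dst)))
    return conn

def top_destinations(conn, limit=10):
    """The 'Graphs: Top 10 IDS Destination' view: event count per destination."""
    q = """SELECT i.ip_dst, COUNT(*) AS n FROM event e
           JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
           GROUP BY i.ip_dst ORDER BY n DESC, i.ip_dst LIMIT ?"""
    return [(int2ip(d), n) for d, n in conn.execute(q, (limit,))]

def events_for_rule(conn, sig_sid):
    """The 'Event Information (sid N)' view: every event that fired one rule."""
    q = """SELECT e.timestamp, s.sig_name, i.ip_src, i.ip_dst FROM event e
           JOIN signature s ON s.sig_id = e.signature
           JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
           WHERE s.sig_sid = ? ORDER BY e.timestamp"""
    return [(ts, name, int2ip(a), int2ip(b)) for ts, name, a, b in conn.execute(q, (sig_sid,))]
```

Against the real MySQL database the same two queries work unchanged, with MySQL's INET_NTOA() available in place of int2ip.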

28
  • CommView

29
CommView
  • What is CommView?
  • An application for capturing and analyzing network packets
  • It can save the captured packets to log files
  • It can generate ICMP, TCP and UDP packets of up to 1.5 KB and transmit them at up to 5,000 pkt/sec
  • Installation
  • System Requirements: Pentium II or higher, Windows 98/ME/2000/XP/2003, 128 MB RAM and 6 MB free disk space
  • Download the 30-day trial version of CommView 5.1 from http://www.tamos.com/download/main/

30
CommView
  • Latest IP Connections
  [Screenshot; callouts: 1. Select Network Interface, 2. Start]

31
CommView
  • Packet Analyzing
  [Screenshot; callout: Payload Decoding]

32
CommView
  • Packet Generating: Tools -> Packet Generator
  [Screenshot; callouts: Source IP - Hex value (edit here), Source IP - Numeric value, TCP Packet, Default Packet Size]

33
CommView
  • Packet Generating: Port number and Payload
  [Screenshot; callouts: Destination Port - Hex value, Destination Port - Numeric value, Added 5 Byte payload content, Packet Size 54 + 5, Press Σ (Sigma) to correct]

34
CommView
  • Packet Generating: Correct Checksum
  [Screenshot; callouts: Correct it by adding 5, Data length changed to 5, Check (after pressing Σ), Press to Send]
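The Σ correction on the last two slides matters because the IP total length and the TCP checksum both cover the added 5-byte payload, and Snort verifies checksums by default (its -k option controls this), so a packet with a stale checksum is not matched against the rules and produces no event. The following Python is an added example, not code from the presentation or from CommView: with constructed addresses and payload it builds the same kind of IP/TCP packet, shows what the length-only edit leaves stale, and re-checks the packet the way Snort's decoder would; nothing is sent on the network.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_tcp(src, dst, sport, dport, payload=b""):
    """IPv4 header + TCP header (no options) + payload with consistent length
    fields and checksums, the state CommView reaches once Sigma is pressed.
    Addresses and payload are constructed test data; nothing is transmitted."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    tcp_len = 20 + len(payload)
    # sport, dport, seq, ack, data offset (5 words), flags SYN, window, csum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)  # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", internet_checksum(pseudo + tcp + payload)) + tcp[18:]
    # version/IHL, TOS, total length, id, flags/fragment, TTL, protocol 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp + payload

def append_payload_length_only(packet, payload):
    """The 'Packet Size 54 + 5' edit before the checksum correction: the IP
    total length is bumped but both checksums are left stale."""
    new_len = struct.unpack("!H", packet[2:4])[0] + len(payload)
    return packet[:2] + struct.pack("!H", new_len) + packet[4:] + payload

def verify(packet):
    """Re-check what Snort validates by default (-k all) before rule matching;
    a packet that fails either checksum is not compared against the rules."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    return {"total_len": total_len,
            "payload_len": total_len - ihl - 20,
            "ip_ok": internet_checksum(packet[:ihl]) == 0,
            "tcp_ok": internet_checksum(pseudo + segment) == 0}

if __name__ == "__main__":
    base = build_ipv4_tcp("192.168.1.101", "192.168.1.100", 1234, 80)
    print(verify(append_payload_length_only(base, b"ABCDE")))  # stale: both checks False
    print(verify(build_ipv4_tcp("192.168.1.101", "192.168.1.100", 1234, 80, b"ABCDE")))
```

The 40-byte IP+TCP packet plus the 14-byte Ethernet header is the 54-byte default frame on the slides; adding 5 bytes of payload raises the IP total length to 45 and changes both checksums.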
35
  • Activeworx Security Center (ASC)

36
Activeworx Security Center
  • Overview
  • ASC is an event management solution for Snort
  • It works with Snort 1.8 or newer
  • It supports MySQL as well as Microsoft SQL Server
  • It allows us to view IDS data in different ways:
  • Unique Views
  • List Views
  • Interactive Graphics and Charts
  • Event Relationship Diagram
  • Payload Decoders

37
Activeworx Security Center
  • Installation
  • System Requirements: Pentium 4 or later, Windows 2000/XP/2003, 512 MB RAM and 250 MB free disk space
  • ASC version 2.6 components can be downloaded from
  • http://www.brighttools.com/support/download.html
  • Download the following Microsoft Installer files and run them
  • asc.desktop.msi, 55.7 MB
  • asc.manager.msi, 51.1 MB

38
Activeworx Security Center
  • Databases
  • Two different types of databases
  • Primary Database
  • Event Databases
  • Log on to ASC Database Manager
  • Use the default Snort IDS database schema
  • Configure the Primary Database
  • Use the Add Database Wizard to create an Event database

39
Activeworx Security Center
  • Databases (Primary Database)

40
Activeworx Security Center
  • Databases (Event Database)

41
Activeworx Security Center
  • Databases (Add User)

42
Activeworx Security Center
  • Databases (Check Connectivity)

43
  • Snort IDS Simulation Testing

44
Snort IDS Simulation
  • Hardware Configuration
  • Target Machine PC1 (OS: Windows XP)
  • Dell Celeron CPU 2
  • Processor: 2.4 GHz
  • RAM: 256 MB
  • Source Machine PC2 (OS: Windows XP)
  • Dell Celeron CPU 2
  • Processor: 2.4 GHz
  • RAM: 256 MB
  • Router: TRENDnet wireless router
  • Speed: 108 Mbps
  • Compliant with IEEE 802.11g

45
Snort IDS Simulation
  • From PC1 (192.168.1.100)
  • Run Snort
  • Run Snort from the console by using the command
  • snort -c c:\snort\etc\snort.conf -h 192.168.1.100/24 -v -i2
  • Log in and run ASC Desktop
  • Run CommView (sniffer)
  • From PC2 (192.168.1.101)
  • Run CommView (sniffer)
  • Generate and send bad packets to PC1 (by CommView Packet Generator)

46
Activeworx Security Center Desktop
  • IDS Events (Event Overview)

47
Activeworx Security Center Desktop
  • IDS Events (List Events)

48
Activeworx Security Center Desktop
  • IDS Events (List Events Group by Sensor)

49
Activeworx Security Center Desktop
  • IDS Events (Event Information 1: sid 382)

50
Activeworx Security Center Desktop
  • IDS Events (Event Information 2: sid 683)

51
Activeworx Security Center Desktop
  • IDS Events (Event Reference 1: sid 382)

52
Activeworx Security Center Desktop
  • IDS Events (Graphs: Top 10 IDS Destination)

53
Activeworx Security Center Desktop
  • IDS Events (Reports: IDS Overview)

54
Demonstration
  • Please meet us at
  • Room 3144
  • Lambton Tower
  • School of Computer Science
  • University of Windsor, On
  • 1-519-253-3000 ext. 4406

Thank You