NIDS with Snort and SnortSnarf - PowerPoint PPT Presentation

About This Presentation

Title:

NIDS with Snort and SnortSnarf

Description:

Attack Generation System (with root privilege) ... Use the down arrow to set the 'Execute Permissions:' to 'Scripts and Executables' ... – PowerPoint PPT presentation

Number of Views:1077

Avg rating:3.0/5.0

Slides: 20

Provided by: angel56

Category:

more less

Transcript and Presenter's Notes

Title: NIDS with Snort and SnortSnarf

1
NIDS with Snort and SnortSnarf By Muhammad
Hasan Course 60-564 Instructor Dr. A. K.
Aggarwal Winter, 2006
2
H/W and S/W Used (for Implementing and Testing
the NIDS) Testing System ( with root
privilege) Dell Dimension 4400 Pentium 4
machine with 1 NIC ,O/S WinXP Pro S/W WinPcap
3.1 MySQL Server 5.0 Microsoft IIS Web
Server 5.1 ActivePerl 5.6.1.638 WinDump
3.93 Snort 2.43 Win32 Binaries SnortSnarf
-050314.1 Attack Generation System (with root
privilege) Sony VAIO Pentium 4 Laptop with
Wireless NIC O/S WinXP Pro S/W WinPcap
3.04a Packet Excallibur 1.0.2 Ethereal
0.10.14 Router NETGEAR WGR614 v5 Router in
default promiscuous mode.
3

Environment Variable Settings
The Following paths are included in the PATH
variable
C\MySQL\bin
C\Perl\bin.
C\Windump
C\Snort\bin

Configuring Snort
Snort Installation Directory C\Snort
Install Snort Rules from Snort
Make a customized rule file name pro.rules
And place it in C\Snort\rules
Made the following changes in snort.conf file in
C\Snort\etc
Original var RULE_PATH ../rules
Change var RULE_PATH c\Snort\rules (The
Absolute location of the rules)Note Find the
entry for 'Preprocessor sfportscan' Original
sense_level low Change sense_level low
\

5
Configuring Snort (Cont.) Just below the changed
line above add logfile portscan.log Note
Just below ' output log_tcpdump tcpdump.log'
insert this next line output alert_fast
alert.ids Original include classification.confi
g Change include c\Snort\etc\classification.con
fig
6

Configuring Snort (Cont.)
Original include reference.config Change
include c\Snort\etc\reference.config Original
include threshold.conf Change include
c\Snort\etc\threshold.conf
Uncomment the following line for database logging
output database log, mysql, userroot
dbnamesnort hostlocalhost
Delete all the included default rules and include
the following
include RULE_PATH/pro.rules
Now save the file.

Configuring Snort (Cont.)
To Install Snort as a Windows Service type in
Command Prompt
snort /SERVICE /INSTALL -c c\snort\etc\snort.conf
-l c \Inetpub\wwwroot\log -U -K ascii i2
To Run Snort
Go to Control Panel -gt Administrative Tools -gt
Services.
From Service List select Snort and click
start.
To Stop Snort
Go to Control Panel -gt Administrative Tools -gt
Services.
From Service List select Snort and click stop.

Configuring Active Perl
Perl Installation Directory C\Perl
Download Perl Time Modules from
http//search.cpan.org/muir/Time-modules-2003.112
6/
And install them in c\perl\lib\time\
Installing Perl Database Supports
In the command prompt run the Perl Package
Manager by executing PPM command. This will be
the console screen while running ppm
C\Documents and Settings\Administratorgtppm

9
Configuring Active Perl ( Cont. ) PPMgt PPMgt
install DBI Install package 'DBI?' (y/N)
y . PPMgt install DBD-mysql Install
package 'DBD-mysql?' (y/N) y . PPMgt
install NET-MySQL Install package 'NET-MySQL?'
(y/N) y .
10

Configuring IIS
Default installation location c\Inetpub
Create a new directory named log under
c\Inetpub\wwwroot\
Create a new directory named cgi under
c\Inetpub\wwwroot\
Go to the Control Panel - gt 'Administrative
Tools', double click 'Internet
Information Services' applet.
Expand 'Servername (local computer),
Expand 'Web Sites' (if exists),
Left-click 'Default Web Site',
Right-click the 'cgi' folder (in the window on
the right),
Highlight and left-click 'Properties',
Left-click the 'Directories' tab, in the 'Local
Path' section
Left-click the Read and Write radio boxes making
them checked, in the 'Application Settings'

Configuring IIS ( Cont. )
Use the down arrow to set the 'Execute
Permissions' to 'Scripts and Executables',
Left-click the 'Yes' if a 'Security Warning' is
displayed, left-click 'Apply', left-click 'OK',
and finally
Exit the 'Internet Information Services' applet.

Configuring MySQL and Snort
MySQL installation Directory is C\MySQL
Start the Server
Open Command Prompt and type
mysqld console
Start the MySQL Command Interpreter
Open Command Prompt and type
mysql --userroot mysql

Configuring MySQL and Snort ( Cont. )
mysqlgt
Now create a database named snort using the
following SQL
command
mysqlgt CREATE DATABASE snort
Then open another console and run the following
command
C\Documents and Settings\Administratorgt mysql -D
snort -u root lt C\Snort\schemas\create_mysql

Configuring SnortSnarf
SnortSnarf installation Directory is
C\SnortSnarf-050314.1\
To Process the Snort Logs from the alert.ids
file create a batch file named 'starti.bat' and
place a shortcut to the desktop.
starti.bat
_at_ECHO OFF
c\snortsnarf-050314.1\snortsnarf.pl -win -d
c\inetpub\wwwroot\log -dns -db
c\snortsnarf-050314.1\ann-dir\annotation-base.xml
-cgidir http//localhost/cgi c\inetpub\wwwroot\l
og\alert.ids

15
Configuring SnortSnarf ( Cont. ) To Process the
Snort Logs from the mysql database create a batch
file named 'startdb.bat' and place a shortcut
to the desktop. startdb.bat _at_ECHO
OFF c\snortsnarf-050314.1\snortsnarf.pl
root_at_snort_at_localhost -win -d c\inetpub\wwwroot\
log -dns -db c\snortsnarf-050314.1\ann-dir\annota
tion-base.xml -cgidir http//localhost/cgi
16

Preparing the Attack
Used Packet Excalibur
Installation directory C\PackEx\
Very Easy to Use Graphical Interface for packet
generation.
Constructed the packets according to snort
signatures and rules for the 10 selected
signatures.
10 crafted packets are then added to a script
called pro located in C\PackEx\scripts\
Load the script and then run it.