UNIX Systems Security I Tools Module 4 - PowerPoint PPT Presentation

1
UNIX Systems Security I Tools Module 4
  • Instructor
  • Victor Hazlewood, CISSP
  • victor_at_reference-systems.com

1Q06 UNIX Security Tools Victor Hazlewood
2
Module 4
  • Quiz
  • Review of Network Intrusion Detection Systems
  • Tool 8: snort
  • Tool 9: Nessus vulnerability scanner

3
Quiz
  • http://victor.hazlewood.com Tools Quiz

4
NIDS
  • Network Intrusion Detection Systems: A NIDS
    monitors traffic on a network segment and
    inspects the packets with a sensor application
    for a particular signature. The three types of
    signatures are:
  • string signatures
  • port signatures
  • header condition signatures
  • http://www.sans.org/resources/idfaq/data_mining.php
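
The three signature types listed above, as an added example that is not part of the original slides: a toy matcher run over constructed packet records. The `Packet` record, the function names, the sample signatures (a `/etc/passwd` payload string, TCP port 23, SYN and FIN set together) and the 192.0.2.x addresses are assumptions chosen for illustration; this is not how snort or Bro is implemented.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:              # hypothetical, simplified TCP packet record
    src: str
    dport: int
    flags: frozenset       # TCP flag names, e.g. frozenset({"SYN"})
    payload: bytes = b""

# Illustrative signatures (assumptions, not taken from a real rule set).
STRING_SIGS = {b"/etc/passwd": "string: /etc/passwd in payload"}
PORT_SIGS = {23: "port: connection attempt to telnet"}

def header_condition(pkt):
    """Header condition signature: illogical TCP flag combinations."""
    if {"SYN", "FIN"} <= pkt.flags:
        return "header: SYN and FIN both set"
    if not pkt.flags:
        return "header: no TCP flags set"
    return None

def match_signatures(pkt):
    """Return the alerts one packet raises, in string/port/header order."""
    alerts = [name for pat, name in STRING_SIGS.items() if pat in pkt.payload]
    # A port signature fires on the connection attempt (bare SYN), not on
    # every later packet of an established session.
    if pkt.dport in PORT_SIGS and pkt.flags == {"SYN"}:
        alerts.append(PORT_SIGS[pkt.dport])
    header_alert = header_condition(pkt)
    if header_alert:
        alerts.append(header_alert)
    return alerts

def scan(packets):
    """Run the sensor over a capture; keep only packets that alerted."""
    return [(p.src, a) for p in packets if (a := match_signatures(p))]

# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE = [
    Packet("192.0.2.10", 80, frozenset({"PSH", "ACK"}), b"GET /index.html HTTP/1.0"),
    Packet("192.0.2.11", 80, frozenset({"PSH", "ACK"}), b"GET /../../etc/passwd HTTP/1.0"),
    Packet("192.0.2.12", 23, frozenset({"SYN"})),
    Packet("192.0.2.12", 23, frozenset({"PSH", "ACK"}), b"login: "),
    Packet("192.0.2.13", 23, frozenset({"SYN", "FIN"})),
]

if __name__ == "__main__":
    for src, alerts in scan(SAMPLE):
        print(src, alerts)
```

Each signature type inspects a different part of the packet: the payload bytes, the destination port, or the header flags, which is why the fourth sample packet (telnet session data, not a new connection) raises nothing.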

5
NIDS
  • Example NIDS
  • Bro
  • Snort

6
NIDS tools
  • bro: http://bro-ids.org//
  • snort: http://www.snort.org/

7
Tool 12: snort
  • Overview: real time traffic analysis tool
  • Website: http://www.snort.org
  • Downloads
  • Source: http://www.snort.org/ -> Downloads
  • Solaris package: http://www.sunfreeware.com/

8
Tool 12: snort
  • Prerequisites: Requires libgcc, libssl, and
    libpcap
  • Installation from source
  • Installation from Solaris package

9
Tool 12: snort
  • Usage note: must use LD_LIBRARY_PATH env var
  • Usage: Can use as real time packet sniffer
  • snort -v
  • snort -dv filter
  • snort -h net -v filter
  • Example: snort -h 199.105.30.0/24 -v host
    199.105.30.108

10
Tool 12: snort
  • Usage: Can use as packet logger
  • snort -b -l dir -v
  • snort -b -l dir -h net -v filter
  • Example: snort -b -l dir filter
  • snort -dv -r snortfile | more
  • snort -dvX -r snortfile | more

11
Tool 12: snort sigs
  • Signature databases
  • http://www.snort.org
  • http://www.whitehats.org/ids

12
Snort Exercise
  • Install snort
  • Install libgcc, libssl and libpcap as necessary
  • Install snort from source
  • Use snort to capture a telnet login session. See
    if you can capture a partner's username and
    password

13
Nessus
  • Nessus: http://www.nessus.org/
  • Remote and Local vulnerability scanning
  • Database of security vulnerabilities
  • Client/Server architecture
  • Nessus Attack Scripting Language
  • Attack updates available in 3 flavors: Direct
    Feed, Registered Feed, GPL
