Intrusion Detection System using SNORT & BASE (Basic Analysis and Security Engine)
Prepared by: Tahira Farid & Anitha Prahladachar
Course: 60-564, Winter 2006

Outline
• Introduction to BASE
• IDS test-bed
• Installing and configuring necessary prerequisites
• Installing and configuring BASE
• Generating signatures
• Results
• Acknowledgements
• References

Introduction to BASE
• Basic Analysis and Security Engine
• Successor to ACID (Analysis Console for Intrusion Databases), which was developed by Roman Danyliw at the CERT Coordination Center as part of the AirCERT (Automated Incident Reporting) project.
• Actively maintained and supported by a team of volunteers led by Kevin Johnson and Joel Esler.

Introduction to BASE (cont.)
• Provides a web front-end to query and analyze the alerts coming from a SNORT IDS.
• Can search and process databases containing security events logged by SNORT.
• Written in PHP.
• Can graphically display both layer-3 and layer-4 packet information.

Introduction to BASE (cont.)
• Current version is BASE 1.2
• The search interface can query on:
  – Alert information: sensor, alert group, signature, classification and detection time
  – Packet data: source/destination addresses, ports, packet payload and flags

Introduction to BASE (cont.)
• Provides easy management of alert data.
• The administrator can categorize data into alert groups and delete false positives or previously handled alerts.
• Alert data can be exported to an email address for administrative notification.
• Supports user logins and roles, allowing an administrator to control what is seen through the web interface.

BASE vs. ACID
• ACID
  – No longer maintained
  – Has not been updated for 3 years
• BASE
  – Actively updated and revised
  – Includes about 200 bug fixes over ACID
  – Faster at bringing pages up
  – Provides more queries (e.g. today's unique alerts, alerts in the last 24/72 hours)

IDS test-bed

Host A (Source):       OS: Windows XP      Software: Ethereal, CommView
Host B (Destination):  OS: Fedora Core 4   Software: Snort, BASE, Ethereal, MySQL, PHP, Apache

Installing and Configuring Necessary Prerequisites
• In order for the IDS to function properly we install and configure the following components:
  – MySQL
  – Apache httpd 2.2.0
  – PHP 4.4.2
  – ADOdb 4.60
  – Snort 2.4.3
  – PCRE 5.0
  – PEAR modules
  – BASE 1.2

MySQL
• Two ways to install:
  – Download from www.mysql.com
  – From the Fedora Core 4 installation CD: Desktop → System Settings → Add/Remove Programs → MySQL, selecting the following components:
    • MyODBC
    • mod_auth_mysql
    • mysql-devel
    • mysql-server
    • perl-DBD-MySQL
    • php-mysql

Apache 2.2.0
• Download Apache httpd server version 2.2.0 from http://httpd.apache.org
• To install (the source build goes to /usr/local/apache2, separate from any Fedora httpd package):
    ./configure
    make
    make install

PHP 4.4.2
• Download PHP 4.4.2 from http://www.php.net
• Extract the source code in /usr/local/src
• Configure and build (each option takes two leading dashes; apxs2 points PHP at the Apache 2 module tool of the source build above):
    ./configure --with-mysql --with-apxs2=/usr/local/apache2/bin/apxs --with-gd --with-zlib
    make
    make install

Configure php.conf
• In /usr/local/apache2/conf/httpd.conf add the line
    Include conf.d/*.conf
• mkdir /usr/local/apache2/conf.d
• Create php.conf in conf.d containing:
    LoadModule php4_module modules/libphp4.so
    SetOutputFilter PHP
    SetInputFilter PHP
    LimitRequestBody 9524288
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
    DirectoryIndex index.php
• The application/x-httpd-php-source handler serves PHP source (syntax-highlighted) instead of executing it. Any file under the document root with a .phps extension, for example a stray copy of base_conf.php with its database password, would be readable by anyone who can reach the server, so leave that AddType line out unless it is actually needed.

ADOdb
• A performance-conscious database abstraction layer for PHP.
• BASE needs ADOdb to communicate with MySQL.
• Download adodb460.tgz from http://unc.dl.sourceforge.net/sourceforge/adodb/
• Extract it in /usr/local/apache2/htdocs (the path that $DBlib_path in base_conf.php will point to).

SNORT
• Create a directory snortinstall and download and unpack into it:
  – http://www.snort.org/dl/snort-2.4.3.tar.gz
  – http://umn.dl.sourceforge.net/sourceforge/pcre/pcre-5.0.tar.gz
• Build PCRE (Perl Compatible Regular Expressions) first, because Snort's configure script checks for it:
    ./configure
    make
    make install
• Then build Snort the same way:
    ./configure
    make
    make install
• Snort's MySQL output plugin, which the snort.conf below relies on, is only compiled in when configure is given --with-mysql; if the build reports no MySQL support, re-run configure with that option.

Configuring SNORT
• groupadd snort
• useradd -g snort snort
• Create the directories:
  – /etc/snort
  – /etc/snort/rules
  – /var/log/snort
• Copy the rules directory from the unpacked source tree (snort-2.4.3) to /etc/snort/rules
• If Snort is later started with -u snort -g snort so that it drops root privileges, /var/log/snort must be owned by the snort user, otherwise it cannot write its logs.

Configuring snort.conf
• Set the following in /etc/snort/snort.conf:
    var HOME_NET 10.2.2.0/32
    var EXTERNAL_NET !$HOME_NET
    var RULE_PATH /etc/snort/rules
    output database: log, mysql, user=snort password=snort dbname=snort host=localhost
    output database: alert, mysql, user=snort password=snort dbname=snort host=localhost
• A /32 prefix on 10.2.2.0 covers only that single address; the whole 10.2.2.0 subnet would be /24. Everything outside HOME_NET is EXTERNAL_NET, so an over-narrow HOME_NET makes rules keyed on $HOME_NET miss traffic to the hosts being protected.
• The database password sits in clear text in this file (and again in base_conf.php). The default "snort" should be replaced with something not guessable, and the file kept readable only by root and the snort user.
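To make the HOME_NET prefix point concrete, here is an added example (plain POSIX sh, not code from the slides or from the Snort project) that tests whether an address falls inside a CIDR block and how many addresses the block covers. The host 10.2.2.5 is a constructed example on the slides' 10.2.2.0 subnet.

```shell
#!/bin/sh
# Added example, not part of the original slides: check whether an address
# falls inside a HOME_NET-style CIDR block, to catch the mistake of putting a
# /32 prefix on a network address (10.2.2.0/32 covers exactly one address).
# Pure POSIX sh arithmetic; no external tools required.

# ip_to_int DOTTED_QUAD -> the address as a decimal integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_size NET/PREFIX -> number of addresses the block covers
cidr_size() {
    echo $(( 1 << (32 - ${1#*/}) ))
}

# cidr_contains NET/PREFIX ADDR -> exit 0 if ADDR is inside the block
cidr_contains() {
    net=${1%/*}
    prefix=${1#*/}
    # Build the 32-bit netmask; /0 is special-cased to avoid a 32-bit shift.
    mask=$(( prefix == 0 ? 0 : (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# describe NET/PREFIX ADDR -> one line saying how Snort would classify ADDR
describe() {
    if cidr_contains "$1" "$2"; then
        echo "$1 ($(cidr_size "$1") addresses) contains $2: $2 is HOME_NET"
    else
        echo "$1 ($(cidr_size "$1") addresses) does not contain $2: $2 is EXTERNAL_NET"
    fi
}

# The value from the slides, then the prefix that covers the whole subnet.
# 10.2.2.5 is a constructed example host on that subnet.
describe 10.2.2.0/32 10.2.2.5
describe 10.2.2.0/24 10.2.2.5
```

Run it and the first line reports 10.2.2.5 as EXTERNAL_NET, which is what Snort does with the slides' HOME_NET; the /24 line reports it as HOME_NET.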

Setting up the database in MySQL
• From the mysql client, as root:
    SET PASSWORD FOR root@localhost = PASSWORD('passwd');
    CREATE DATABASE snort;
    GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO snort@localhost;
    SET PASSWORD FOR snort@localhost = PASSWORD('pwd in snort.conf');
    GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO snort;
• The GRANT to snort@localhost is issued before SET PASSWORD: on MySQL of this vintage the GRANT is what creates the account, and SET PASSWORD fails for an account that does not exist yet.
• The last GRANT names snort with no host part, i.e. snort@'%' from any host. The sensor in this test-bed writes from localhost only, so that grant is unnecessary and just widens who can try the password; leave it out unless a remote sensor will log into this database.

To create tables
• Load the MySQL schema shipped with the Snort source tree (the directory name matches the unpacked tarball, snort-2.4.3):
    mysql -u root -p snort < ~/snortinstall/snort-2.4.3/schemas/create_mysql
    Enter password: the MySQL root password
• Before starting Snort, confirm from the mysql client that the snort database now lists the schema's tables (event, signature, iphdr, tcphdr and so on).

PEAR Modules
• PEAR: PHP Extension and Application Repository
• The BASE documentation recommends installing the following PEAR packages:
    /usr/local/php/bin/pear install Image_Color
    /usr/local/php/bin/pear install Log
    /usr/local/php/bin/pear install Numbers_Roman
    /usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
    /usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz

To start the services
    chkconfig httpd on
    chkconfig mysqld on
    service httpd start
    service mysqld start
    /usr/local/apache2/bin/apachectl -k start
    snort -dev -l /var/log/snort -h 137.207.234.73/32 -c /etc/snort/snort.conf
• Two Apache instances appear here: the Fedora httpd package (service httpd) and the source build in /usr/local/apache2 (apachectl), which is the one with PHP and BASE. Both default to port 80, so only one can bind; the rest of this setup uses the source build, and the httpd service lines can be dropped.
• As written, Snort keeps running as root. The -u snort -g snort options make it drop to the snort user and group created earlier, and -D runs it as a daemon; -h here names the sensor's own address rather than the HOME_NET from snort.conf.

Configuring BASE
• Download BASE 1.2 from http://sourceforge.net/project/showfiles.php?group_id=103348
• Unpack it and copy it under the document root of the source-built Apache:
    cp base-1.2.tar.gz /var/www/html/
    cd /var/www/html
    tar -xvzf base-1.2.tar.gz
    cd /var/www/html/base-1.2/
    cp base_conf.php.dist base_conf.php
    cp -r /var/www/html/base-1.2 /usr/local/apache2/htdocs/
• The tarball unpacks to a directory named base-1.2, while $BASE_urlpath in base_conf.php and the URL used later (http://IP_Address/base) expect a directory named base under htdocs; rename or symlink base-1.2 to base so the two agree.

Configuring BASE (cont.)
• Edit base_conf.php in the BASE directory under /usr/local/apache2/htdocs/:
    $BASE_urlpath = "/base";
    $DBlib_path = "/usr/local/apache2/htdocs/adodb";
    $DBtype = "mysql";
    $alert_dbname = "snort";
    $alert_host = "localhost";
    $alert_port = "";
    $alert_user = "snort";
    $alert_password = "password_from_snort_conf";
    $archive_dbname = "snort";
    $archive_host = "localhost";
    $archive_port = "";
    $archive_user = "snort";
    $archive_password = "password_from_snort_conf";
    $ChartLib_path = "/var/www/html/jpgraph-1.20.3/src";
• $ChartLib_path points at JpGraph, which is not among the prerequisites installed above; that path has to exist before BASE's graphing pages will work.
• base_conf.php holds the database password in clear text, so it must not be world-readable. BASE's login and role support ($Use_Auth_System in the same file) should be switched on as well; without it, anyone who can reach http://IP_Address/base can read and delete alerts.
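The two files above (snort.conf's output database lines and base_conf.php's $alert_* settings) carry the same credential, and the slides leave it at the default. The following added example (POSIX sh; not code from the slides, from Snort or from BASE) audits that pairing: it parses both files, flags the default or username-equal password, a mismatch between the files, and world-readable permissions. The sample configuration files it writes are constructed for the demonstration and mirror the slides' format; the file layouts it parses are an assumption based on the lines shown on the slides.

```shell
#!/bin/sh
# Added example, not part of the original slides: audit the credential chain
# between snort.conf ('output database:' lines) and BASE's base_conf.php
# ($alert_user / $alert_password). Reports the default "snort" password, a
# mismatch between the two files, and world-readable permissions on either
# file. Needs only sed, ls, cut and mktemp, so it runs on any POSIX system.

# snort_db_password FILE -> password from the first 'output database:' line
snort_db_password() {
    sed -n 's/^output database:.*password=\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# base_setting FILE NAME -> value of  $NAME = "value";  in base_conf.php,
# with surrounding whitespace trimmed (the slides show a padded value)
base_setting() {
    sed -n 's/^\$'"$2"' *= *"\([^"]*\)".*/\1/p' "$1" | head -n 1 \
        | sed 's/^ *//; s/ *$//'
}

# file_is_world_readable FILE -> exit 0 if "other" has read permission
file_is_world_readable() {
    # 8th character of the ls -l mode string is the "other read" bit
    [ "$(ls -l "$1" | cut -c8)" = "r" ]
}

# audit_db_config SNORT_CONF BASE_CONF -> prints findings; exit 0 only if clean
audit_db_config() {
    snort_pw=$(snort_db_password "$1")
    base_user=$(base_setting "$2" alert_user)
    base_pw=$(base_setting "$2" alert_password)
    status=0
    if [ -z "$snort_pw" ]; then
        echo "FAIL: no 'output database:' line with a password in $1"
        status=1
    elif [ "$snort_pw" = "snort" ] || [ "$snort_pw" = "$base_user" ]; then
        echo "FAIL: $1 uses the default or username-equal password '$snort_pw'"
        status=1
    fi
    if [ "$snort_pw" != "$base_pw" ]; then
        echo "FAIL: \$alert_password in $2 does not match the password in $1"
        status=1
    fi
    for f in "$1" "$2"; do
        if file_is_world_readable "$f"; then
            echo "WARN: $f is world-readable but holds the database password (chmod 640)"
            status=1
        fi
    done
    if [ "$status" -eq 0 ]; then
        echo "OK: credentials consistent and files protected"
    fi
    return "$status"
}

# write_sample_pair DIR SNORT_PW BASE_PW MODE -> constructed snort.conf and
# base_conf.php in the slides' format (sample files, not a real deployment)
write_sample_pair() {
    printf 'var HOME_NET 10.2.2.0/24\noutput database: log, mysql, user=snort password=%s dbname=snort host=localhost\n' "$2" > "$1/snort.conf"
    printf '<?php\n$alert_user = "snort";\n$alert_password = "%s";\n' "$3" > "$1/base_conf.php"
    chmod "$4" "$1/snort.conf" "$1/base_conf.php"
}

# Demonstration: the pair as configured on the slides, then a corrected pair.
demo_dir=$(mktemp -d)
write_sample_pair "$demo_dir" snort snort 644
echo "--- as on the slides ---"
audit_db_config "$demo_dir/snort.conf" "$demo_dir/base_conf.php" || true
write_sample_pair "$demo_dir" Kq7vP2xZ9 Kq7vP2xZ9 640
echo "--- corrected ---"
audit_db_config "$demo_dir/snort.conf" "$demo_dir/base_conf.php"
rm -rf "$demo_dir"
```

Point audit_db_config at the real /etc/snort/snort.conf and base_conf.php to check a deployment; the first demonstration run reproduces the slides' state and fails on the default password and on both files being readable by everyone.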

Configuring BASE (cont.)
• Open a web browser.
• If the browser is on the localhost, go to http://localhost/base
• If the browser is on another machine, go to http://IP_Address/base to begin using the GUI to view and manage alerts.

Generating Signatures on Host A
(Figure: CommView packet builder on Host A, showing the Ethernet-layer header fields used to craft the test packets.)

Results
• Before sending signatures from Host A, run Snort on Host B.
• In MySQL check: select * from signature;
• The signature table is filled by the database output plugin as the first alert for each rule is logged, so an empty table means no alert has reached the database yet.

Results (cont.)
• In a web browser: http://137.207.234.73/base


Results (cont.)
• Unique Alerts (figure)

Results (cont.)
• The links to the left of each signature connect to different external signature databases to provide more detailed information about that particular signature.

Results (cont.)
• The Source/Destination IP link brings up a summary that includes:
  – how many times that IP was logged as a source or destination
  – the first and last time that IP was logged
  – links to external web-based tools that provide DNS and Whois look-up services

Results (cont.)
• The Source/Destination Ports link displays a summary of ports: number of occurrences, time first seen and time last seen.
• Each listed port number is a hyperlink to the SANS Internet Storm Center (http://isc.sans.org) page for that port number.

Results (cont.)
• Creating Alert Groups: group event information into user-defined categories for easy perusal.

Results (cont.)
• Specify signatures for different alert groups (AGs) (figure)

Results (cont.)
• Graph from alert data (figure)

Results (cont.)
• Graph of alert detection time, used to identify periods of heavy activity (figure)

Results (cont.)
• The Search function quickly searches the database for given criteria and presents the results in an ordered fashion.
• Allowable search criteria include alert group, signature and alert time.
• The results can be ordered by timestamp, signature, source IP or destination IP.

Results (cont.)
• User and role management (figure)

Results (cont.)
• Email alerts (figure)

Acknowledgements
• We would like to thank Dr. Aggarwal for giving us the opportunity to handle an industry-standard project of this kind.
• We would also like to thank all the other groups for their valuable suggestions throughout the project.

References
• www.snort.org
• www.sourceforge.net
• http://www.rootsecure.net/content/downloads/pdf/snort_install_guide_fedora4.pdf
• http://www.sun.com/bigadmin/features/articles/snort_base.html

Thank You!
Demo in Room 3144. Questions?

Tahira Farid, Anitha Prahladachar
