Ids Center


Transcript of Ids Center

Page 1: Ids Center

Snort & IDScenter
60-564: Security and Privacy on the Internet
Instructor: Dr. A. K. Aggarwal
Presented By: Tarik El Amsy, Lihua Duan
Date: March 29, 2006

Page 2: Ids Center

What is IDScenter

IDScenter is basically a graphical front-end for Snort on Windows platforms (Recommended: Windows NT4/2000/XP).

IDScenter provides a friendly interface for Snort users.

With some knowledge of Snort, IDScenter will help users to do configuration and provide management features.

Page 3: Ids Center

Features of IDScenter

- Snort 1.7, 1.8, 1.9, and 2.x support
- Snort configuration wizard
- Online updates of IDS rules
- Ruleset editor for all Snort rule options
- HTML report from SQL backend
- Execution of a program on attack detection
- Good alerting tools including mail, Windows event log and normal DB logging

Page 4: Ids Center

Experiment Architecture and Scenarios

[Diagram: NIDS, Target and Attacker hosts connected through a Hub and a Router]
Home net address: 172.16.1.0/24
External net address: 137.207.234.0/24

Page 5: Ids Center

NIDS server configuration

CPU: AMD64 Opteron
Memory: 512M
Hard Disk: 8 G
Operating System: Windows 2000 Advanced Server
IP Address: 172.16.1.1
Installed Software: Snort 2.4.3, IDScenter 1.1 RC4, WinPcap 3.1, Ethereal 0.10.14

Page 6: Ids Center

Target server configuration

CPU: AMD64 Opteron
Memory: 512M
Hard Disk: 8 G
Operating System: Windows 2000 Advanced Server
IP Address: 172.16.1.2
Installed software: Ethereal 0.10.14, WinPcap 3.0 alpha 4, Packet Excalibur 1.0.2 (packet generator), Web server, Telnet, SNMP, FTP, etc.

Page 7: Ids Center

Attacker server configuration

CPU: AMD64 Opteron
Memory: 512M
Hard Disk: 8 G
OS: Windows 2000 AS
IP Address: 137.207.234.252
Installed software: WinPcap 3.0 alpha 4, Packet Excalibur 1.0.2 (packet generator), Web server, Telnet, SNMP, FTP, etc.

Page 8: Ids Center

Installing WinPcap

WinPcap (Windows Packet Capture Library) is a packet-capture driver. Functionally, this means that WinPcap grabs packets from the network wire and passes them to Snort, Ethereal and WinDump.

Download WinPcap_3_1_auto-installer.exe to local disk from http://www.winpcap.org/install/default.htm and run it.

Should be installed on hosts: NIDS, Attacker, Target

Page 9: Ids Center

Installing Ethereal

Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. Ethereal is one of the best graphical packet sniffers. Its graphical interface makes it easy to use and its long list of features makes it very powerful for analyzing network traffic.

Download and run ethereal-setup-0.10.14.exe, or any later version, from the Ethereal website http://www.ethereal.com/download.html.

Page 10: Ids Center

Installing Packet Excalibur

A multi-platform freeware, graphical and scriptable network packet engine with extensible text-based protocol descriptions.

Needed to craft the sample attacks and generate these packets on the network during Snort testing.

Download the Packet Excalibur Windows installer version 1.0.2 from http://www.securitybugware.org/excalibur/PacketExcalibur_1.0.2_win32.exe.

It will also install WinPcap 3.0a.

Should be installed on: Attacker, Target

Page 11: Ids Center

Packet Excalibur Demo

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"Rule 4 RPC portmap listing TCP 111"; content: "|00 01 86 A0|"; reference: arachnids,428; sid: 598; rev: 11; classtype: rpc-portmap-decode; flow: to_server,established;)

Page 12: Ids Center

Installing Snort

Download Snort ver 2.4.3

Install directory: c:\snort

Default logging database option

To test the installation and make sure it is running:

C:\snort\bin\snort -v

This will run Snort in sniffer mode and you should be able to see the packets passing on the network captured by Snort.

Page 13: Ids Center

Installing IDScenter

Download IDScenter.zip (1.1 RC4, 04.08.2003) from http://www.engagesecurity.com/downloads/#IDScenter

Unzip the downloaded file to obtain setup.exe, then run it to start a simple, default installation.

Page 14: Ids Center

Configuring Snort

Change the settings of the Snort configuration file snort.conf under the c:\snort\etc folder.

Use any text editor to edit the following:

- Network settings
- Preprocessors
- Output settings
- Rules settings

Page 15: Ids Center

Configuring Network settings

Snort uses variables in configuring the rules. When you type $ followed by a variable name, it is replaced by the value of that variable. This allows you to add different network ranges and subnets and simplifies rule editing and customization.

We added the following variables to the snort.conf file:

var HOME_NET 172.16.1.0/24
var EXTERNAL_NET any
var DNS_SERVERS 172.16.1.2/32
var SMTP_SERVERS 172.16.1.2/32
var HTTP_SERVERS 172.16.1.2/32
var SQL_SERVERS 172.16.1.2/32
var TELNET_SERVERS 172.16.1.2/32
var HTTP_PORTS 80
var RULE_PATH c:\snort\rules

Page 16: Ids Center

Configuring Preprocessors

Configure the http_inspect preprocessor. This preprocessor allows Snort to decode HTTP web traffic and analyze it for specific URI contents.

Setting in snort.conf file:

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default profile all ports { 80 }

Page 17: Ids Center

Configuring Output settings

Outputting alerts to a file-based log called alert.ids.

Setting in snort.conf file:

output alert_fast: alert.ids

config logdir: c:\snort\log
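With alert_fast selected, Snort appends one line per alert to alert.ids. The following Python is an added example, not code from the slides or from Snort, showing how such a file can be parsed and summarised by signature and source address; the alert lines in it are constructed to follow the alert_fast layout (timestamp, [gid:sid:rev], message, optional classification and priority, protocol, addresses) and were not captured from the experiment.

```python
"""Parse Snort alert_fast output (alert.ids) and summarise it.
Added example; the sample lines below are constructed, not captured."""
import re
from collections import Counter

# Constructed alert.ids content: two hits of the slides' sample rule, one
# alert from a constructed local rule (sid 1000001), and one garbage line.
SAMPLE_ALERT_IDS = """\
03/29-14:02:11.532871  [**] [1:598:11] Rule 4 RPC portmap listing TCP 111 [**] [Classification: Decode of an RPC Query] [Priority: 2] {TCP} 137.207.234.252:3211 -> 172.16.1.2:111
03/29-14:02:14.104420  [**] [1:598:11] Rule 4 RPC portmap listing TCP 111 [**] [Classification: Decode of an RPC Query] [Priority: 2] {TCP} 137.207.234.252:3212 -> 172.16.1.2:111
03/29-14:03:02.000153  [**] [1:1000001:1] Project rule: constructed ICMP sample [**] [Priority: 3] {ICMP} 137.207.234.252 -> 172.16.1.2
this line is not an alert and must be reported as unparsed
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<pri>\d+)\]\s*)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_alert_line(line):
    """Return a dict of the alert's fields, or None if the line is not an alert.
    Ports are absent for protocols such as ICMP, so they may be None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport", "pri"):
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert


def summarize(text):
    """Count alerts per (sid, msg) and per source address; keep unparsed lines
    so that a corrupted or foreign line is noticed rather than silently dropped."""
    by_signature, by_source, unparsed = Counter(), Counter(), []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        alert = parse_alert_line(raw)
        if alert is None:
            unparsed.append(raw)
            continue
        by_signature[(alert["sid"], alert["msg"])] += 1
        by_source[alert["src"]] += 1
    return {"by_signature": by_signature, "by_source": by_source, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_ALERT_IDS)
    for (sid, msg), n in report["by_signature"].most_common():
        print("sid %-8d %3d  %s" % (sid, n, msg))
    for src, n in report["by_source"].most_common():
        print("source %-16s %3d" % (src, n))
    print("unparsed lines:", len(report["unparsed"]))
```

To use it on the real file from the slides, read c:\snort\log\alert.ids and pass its text to summarize(); the per-source counter is the quickest way to see which external host the rules are firing on.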

Page 18: Ids Center

Configuring Rules settings

Create a file called project.rules in the c:\snort\rules folder. The file has the 10 selected attacks. Remove the normal rule file settings from the config file and add only project.rules:

include $RULE_PATH/project.rules

Sample rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"Rule 4 RPC portmap listing TCP 111"; content: "|00 01 86 A0|"; reference: arachnids,428; sid: 598; rev: 11; classtype: rpc-portmap-decode; flow: to_server,established;)
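The Network settings slide explains that Snort substitutes $VARIABLE references when it reads a rule, and the sample rule above relies on that plus a `content` byte match. The Python below is an added example, not code from the slides, Snort or IDScenter: it reads the `var` lines from the slides, expands them into the sample rule, parses the rule header and options, decodes the `|00 01 86 A0|` hex notation, and checks constructed packets against the header and content conditions. The packet payloads are constructed here; the program number 100000 (0x000186A0) is the portmapper's, which is why the rule looks for those four bytes. Only the header and `content` options are evaluated; `flow` and the other options are parsed but ignored, so this is a teaching model of the matching, not a replacement for Snort.

```python
"""Expand snort.conf variables into a rule, parse it, and test it against
constructed payloads.  Added example, not Snort's own code."""
import ipaddress
import re

# var lines as shown on the Network settings slide.
SNORT_CONF = """
var HOME_NET 172.16.1.0/24
var EXTERNAL_NET any
var HTTP_PORTS 80
"""

# The sample rule from project.rules as shown on the Rules settings slide.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 111 '
    '(msg:"Rule 4 RPC portmap listing TCP 111"; content: "|00 01 86 A0|"; '
    'reference: arachnids,428; sid: 598; rev: 11; '
    'classtype: rpc-portmap-decode; flow: to_server,established;)'
)

# Constructed payloads: an RPC call whose program field is 100000 (0x000186A0,
# the portmapper), and an unrelated HTTP request that must not match.
PORTMAP_CALL = bytes.fromhex("00000001 00000000 00000002 000186a0 00000002 00000004")
HTTP_REQUEST = b"GET / HTTP/1.0\r\n\r\n"


def parse_vars(conf_text):
    """Collect `var NAME VALUE` lines into a dict."""
    variables = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(.+?)\s*$", line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def expand_vars(text, variables):
    """Replace $NAME with its value; unknown names are left untouched."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), text)


def parse_rule(rule_text, variables):
    """Split a rule into header fields and an ordered list of (option, value)."""
    header, _, body = expand_vars(rule_text, variables).partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = []
    # An option value is either a quoted string or anything up to the next ';'.
    for name, value in re.findall(r'([a-z_]+)\s*:\s*((?:"[^"]*"|[^;])*);', body):
        options.append((name, value.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def content_bytes(value):
    """Turn a Snort content string such as 'abc|41 42|d' into bytes:
    text outside pipes is literal, text inside pipes is hex."""
    out = bytearray()
    for i, chunk in enumerate(value.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def addr_matches(spec, ip):
    """'any' matches everything; otherwise the address must fall in the CIDR."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, src_ip, dst_ip, dst_port, payload):
    """Header check (addresses, destination port) plus every content option."""
    if not addr_matches(rule["src"], src_ip) or not addr_matches(rule["dst"], dst_ip):
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != dst_port:
        return False
    needles = [content_bytes(v) for name, v in rule["options"] if name == "content"]
    return all(n in payload for n in needles)


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE, parse_vars(SNORT_CONF))
    print("expanded header:", rule["src"], "->", rule["dst"], rule["dport"])
    print("portmap call matches:", rule_matches(rule, "137.207.234.252", "172.16.1.2", 111, PORTMAP_CALL))
    print("http request matches:", rule_matches(rule, "137.207.234.252", "172.16.1.2", 111, HTTP_REQUEST))
```

The same four bytes could appear in any TCP payload to port 111, which is why the real rule also carries `flow: to_server,established`: without stream reassembly and direction tracking a content-only match is easy to trigger by accident, and that is the kind of false positive the preprocessor configuration on the later slides is meant to reduce.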

Page 19: Ids Center

IDScenter Configuration

IDScenter consists of the following menus:

- General
- Wizards
- Logs
- Alerts
- ...

Page 20: Ids Center

General Menu

- Apply: click to apply/save a configuration (after setting all the options needed in IDScenter)
- Start Snort: starts Snort in console mode / service mode
- View alerts: opens the log viewer
- Test settings: after configuration you can test the settings by clicking on this button
- Reload: reloads the configuration
- Reset alarm: stops the alarm sound

Page 21: Ids Center

General Menu

There are two modes to set up Snort with IDScenter:

- Snort console mode
- Snort service mode

The advantage of service mode is that Snort can monitor your network constantly, even when you're logged off.

Page 22: Ids Center

General / Configuration

- Select the Snort version to run
- Select the process priority
- Select options (service mode / Snort console / auto restart)
- Select the log folder path and file name

Page 23: Ids Center

General / Snort Options

Set the configuration file. This is usually "snort.conf" in the "etc" folder where Snort was installed (e.g. "C:\Snort\etc\snort.conf").

You can find a pattern in the configuration file by typing it into the edit box and clicking on the search button.

You can set an external editor for editing the Snort configuration file.

Page 24: Ids Center

General / Activity Log

In this panel IDScenter displays events.

- You can enable/disable event logs
- You can select which events are monitored
- You can have the activity log purged automatically
- Clear log: clears the logging entries

Page 25: Ids Center

General / Overview

In this panel IDScenter displays errors. If an error occurs when you click on Apply, you'll be informed here.

An overview of the activated alert features is shown here.

"Copy to clipboard": copies the Snort command line into the clipboard.

Page 26: Ids Center

Wizards Menu

The Wizards menu has several wizards which help with configuring Snort. It has the following:

- Network Variables wizard
- Preprocessor wizard
- Output plugin wizard
- Rules/Signatures wizard
- Online Update wizard

Page 27: Ids Center

Wizards / Network Variables

Helps to set the variables used in rule files.

You can:

- Add a new variable
- Edit an existing variable
- Delete a variable

Page 28: Ids Center

Wizards / Preprocessors

Here you can select and configure the preprocessors used by Snort:

- Stream4 and Frag2 pane (enables Snort to defragment packets and perform stateful inspection)
- Protocol preprocessor pane (different protocol decoders like HTTP decode, Telnet, RPC decode, etc.)
- PortScan detection pane
- Miscellaneous pane (ARP spoof and other unsupported preprocessors)

Page 29: Ids Center

Wizards / Output Plugins

There are many small wizards in this panel which will help you to configure the output plugins of Snort.

Page 30: Ids Center

Wizards / Rules Wizard

The ruleset wizard will help you maintain a good ruleset. This is the "include" part of the Snort configuration file.

- Select first a classification configuration file, by default "classification.config"
- Select the reference configuration file, by default "reference.config"
- Activate/deactivate the rule files you want to use by checking/unchecking their boxes
- Open a ruleset in the ruleset editor: select a ruleset file and click on "Ruleset editor"

Page 31: Ids Center

Wizards / Rules Wizard

The ruleset editor lists all available rules in the file.

- Add (and clone) new rules / delete rules
- Edit a rule (select a rule and click on "Add/edit rule")
- Activate/deactivate the rules you want to use
- Import additional rules into the ruleset (in Snort 2.x syntax)
- Save the ruleset after modification

Page 32: Ids Center

Rules Wizard / Editing a rule

The editor provides a front-end to all Snort 2.x rule features. It makes it easier to understand and modify any rule. You can also access online information for that rule.

Page 33: Ids Center

Wizards / Online Update

The online update wizard is a front-end for configuring Oinkmaster (by Andreas Östling).

If you want to use this feature, you should download the EagleX package.

Page 34: Ids Center

Logs / Options Menu

Set the parameters (command-line parameters) of Snort.

Select the interface Snort should monitor, if necessary.

If set, this will override settings in the Snort configuration file. Example: you set the output plugin "alert_full: alert.ids" and selected "Fast" here. In this case Snort will log using fast mode.

Page 35: Ids Center

Logs / Log Rotation

Log rotation will rotate the alert logs by compressing the files into ZIP packages and moving them to the Backup folder.
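The rotation the slide describes, as an added Python example that is not IDScenter's own code: the alert file is compressed into a ZIP package in a Backup folder and only then emptied, so a failure while compressing leaves the original log intact. The demo works on a temporary directory with constructed log content; the fixed timestamp in it is only there to make the archive name predictable.

```python
"""Rotate an alert log into a ZIP package in a Backup folder.
Added example, not IDScenter's implementation."""
import datetime
import os
import tempfile
import zipfile


def rotate_log(log_path, backup_dir, when=None):
    """Archive log_path as backup_dir/<name>-<timestamp>.zip and truncate it.

    The archive is written and closed before the log is emptied; if zipping
    fails the exception propagates and the log keeps its content."""
    os.makedirs(backup_dir, exist_ok=True)
    stamp = (when or datetime.datetime.now()).strftime("%Y%m%d-%H%M%S")
    name = os.path.basename(log_path)
    archive = os.path.join(backup_dir, "%s-%s.zip" % (name, stamp))
    with zipfile.ZipFile(archive, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.write(log_path, arcname=name)
    # Empty the live log in place so an appending writer continues at offset 0.
    with open(log_path, "r+b") as fh:
        fh.truncate(0)
    return archive


def demo():
    """Rotate a constructed alert.ids and report archive name, archived line
    count and the size of the live log afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "alert.ids")
        with open(log, "w") as fh:
            fh.write("constructed alert line\n" * 3)
        archive = rotate_log(log, os.path.join(tmp, "Backup"),
                             when=datetime.datetime(2006, 3, 29, 12, 0, 0))
        with zipfile.ZipFile(archive) as zf:
            archived = zf.read("alert.ids").decode()
        return os.path.basename(archive), archived.count("\n"), os.path.getsize(log)


if __name__ == "__main__":
    print(demo())
```

Truncating in place assumes the writer appends to the file and tolerates it being emptied underneath it; on Windows a process that holds the file open without sharing will block the truncation, so rotating while Snort is stopped, or letting IDScenter drive the rotation, is the safer arrangement.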

Page 36: Ids Center

Alerts / Detection

The alert alarm will go on if the file/database has changed. Select at least one alert detection mode:

- File alert detection mode (up to 10 files monitored): add the files which should be monitored for changes (at least the alert log file set in the main configuration panel should be set)
- MySQL alert detection

Page 37: Ids Center

Alerts / Notification

- Alarm sound: select a WAV file if you selected "Start alarm sound when an alert is logged"
- Program execution: IDScenter will execute this program if an alert was logged (start a script that reconfigures your router, generate HTML pages of the alert log using an external program, etc.)
- AutoBlock: plugin system (example: Network Ice & Black Ice). It allows you to block specific network traffic (mini firewall)
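The file-based alert detection on the Detection slide and the program execution on the Notification slide amount to one loop: poll each monitored alert file, and when it has grown hand the new lines to a notification action. The Python below is an added example, not IDScenter's code; it keeps a read offset per file, consumes only complete lines (Snort may be mid-write when the poll happens), restarts from the beginning after a truncation such as a log rotation, and calls a user-supplied callback where a program could be launched. The demo runs against a temporary file with constructed content.

```python
"""Poll alert files for appended lines and notify on each change.
Added example, not IDScenter's implementation."""
import os
import tempfile

MAX_MONITORED_FILES = 10  # IDScenter's stated limit for file alert detection


class AlertFileWatcher:
    def __init__(self, paths, notify):
        if len(paths) > MAX_MONITORED_FILES:
            raise ValueError("at most %d files can be monitored" % MAX_MONITORED_FILES)
        self.notify = notify
        # Start at the current end of each file so old alerts do not re-fire.
        self.offsets = {p: (os.path.getsize(p) if os.path.exists(p) else 0) for p in paths}

    def check(self):
        """Poll every file once; return {path: [new lines]} for files that grew
        and call notify(path, lines) for each of them."""
        changed = {}
        for path, offset in self.offsets.items():
            if not os.path.exists(path):
                continue
            size = os.path.getsize(path)
            if size < offset:
                offset = 0          # file was truncated or rotated: start over
            if size == offset:
                continue
            with open(path, "rb") as fh:
                fh.seek(offset)
                data = fh.read()
            last_newline = data.rfind(b"\n")
            if last_newline < 0:
                continue            # only a partial line so far; wait for more
            data = data[:last_newline + 1]
            self.offsets[path] = offset + len(data)
            lines = data.decode("utf-8", "replace").splitlines()
            changed[path] = lines
            self.notify(path, lines)
        return changed


def demo():
    """Exercise the watcher on a temporary alert.ids with constructed lines:
    empty file, two appended lines, a partial line, then a rotation."""
    fired = []
    with tempfile.TemporaryDirectory() as tmp:
        alert_file = os.path.join(tmp, "alert.ids")
        open(alert_file, "w").close()
        watcher = AlertFileWatcher([alert_file], lambda p, lines: fired.append(len(lines)))
        first = watcher.check()
        with open(alert_file, "a") as fh:
            fh.write("constructed alert line 1\nconstructed alert line 2\n")
        second = watcher.check()
        with open(alert_file, "a") as fh:
            fh.write("constructed alert line 3\npartial line without newline")
        third = watcher.check()
        open(alert_file, "w").close()   # rotation empties the live log
        with open(alert_file, "a") as fh:
            fh.write("after rotation\n")
        fourth = watcher.check()
    return first, second, third, fourth, fired


if __name__ == "__main__":
    for step in demo():
        print(step)
```

A real deployment would call check() from a timer and pass a callback that runs the configured program, for instance with subprocess.run. The truncation check compares sizes only, so a rotation followed by more new bytes than the old offset would go unnoticed until the next rotation; tracking the file's inode or creation time closes that gap where the platform exposes it.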

Page 38: Ids Center

Alerts / AlertMail

AlertMail can send administrator alerts by mail if Snort has detected an attack. You can send a sample of the latest attacks in the email message as well as an attachment of the log file.

Page 39: Ids Center

Example of received mail alert

Page 40: Ids Center

Our Opinion

- IDScenter is a very simple and easy-to-use configuration utility for Snort
- It has a very good graphical interface
- Provides a lot of add-on features for managing Snort
- Provides good alerting features
- It has some compatibility issues with the latest Snort version (especially preprocessors and the latest MySQL version)
- It has no analysis features
- It still requires good knowledge of Snort IDS to configure