INTRUSION DETECTION SYSTEM
Implementation of an all-in-one IDS machine

Professor: Massimiliano Rak
Student: Pasquale Cirillo
Matr.: A18/45


Course: Protocols and Security of Networked Systems – Academic Year 2011/12

INTRUSION DETECTION SYSTEM – IMPLEMENTATION AND TEST

SUMMARY

• Objective
• Security requirements
• Intrusion Detection Systems
  • IDS classification
  • Sensor soft-hardening
  • NIDS/IPS SNORT
  • Basic Analysis and Security Engine (BASE): SNORT web interface
• Honeypot systems
  • Honeypot classification
  • Nepenthes
  • Amun
  • SURFids
• Antivirus installation
• Penetration test
  • Penetration testing software: Metasploit

Objective

• Implement a Distributed Intrusion Detection System based on the SURFcert IDS Project
• Install a honeypot to support the IDS
• Test the system

Assumptions
• The Distributed Intrusion Detection System (D-IDS) considered is based on a client-server approach where the client is called a sensor. These sensors often contain a honeypot and/or a passive analysis tool such as Snort
• However, we refer to an all-in-one machine to simplify the installation and configuration of the tools

What is Security?

ISO 27001 AND ISO 27002 DEFINITION
Information security is all about protecting and preserving information. It's all about protecting and preserving the confidentiality, integrity, authenticity, availability, and reliability of information.

Security objectives:
• Ensure the application of the CIA paradigm:
  • Confidentiality: the information must be accessible only to authorized users
  • Integrity: the information must be modified only by authorized users; all other, unauthorized access must be blocked
  • Availability: the information must always be available to authorized users, at the times and in the modes provided by the security policies

Security Area

BRUCE SCHNEIER DEFINITION ('Secrets and Lies')
• Prevention: block any threat or attack
• Detection: eventually prevention fails; detection seeks to identify attacks in progress
• Reaction: after an attack has been detected, respond to the attackers

Attack definition
An attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of any tangible or intangible thing that has value to an organization

• Passive attack: the attacker attempts to learn or make use of information from the system but does not affect system resources
• Active attack: the attacker attempts to alter system resources or affect their operation

IDS Definition

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station

IDS components
• Sensors: one or more sensors are typically used to receive information from the network or from controlled hosts
• Console: used to monitor the status of network and hosts
• Engine: used to analyze the data collected by the sensors and to detect possible intrusions
• Database: the analysis engine is based on a database that stores the rules used to identify security breaches

CIDF

• The Common Intrusion Detection Framework (CIDF) is an effort to develop protocols and application programming interfaces so that intrusion detection research projects can share information and resources and so that intrusion detection components can be reused in other systems

• Some of the ideas involved in CIDF have encouraged the creation of an Internet Engineering Task Force (IETF) working group, named the Intrusion Detection Working Group (IDWG)

CIDF components
• CIDF adopts a view of Intrusion Detection Systems in which they consist of discrete components which communicate via message passing
• The four kinds of components exchange data in the form of 'generalized intrusion detection objects (gidos)', which are represented via a standard common format

CIDF Components (continued)

• Event generators (‘E-boxes’): the role of an event generator is to obtain events from the larger computational environment outside the intrusion detection system and provide them in the CIDF gido format to the rest of the system

• Event analyzers (‘A-boxes’): they receive gidos from other components, analyze them, and return new gidos (which presumably represent some kind of synthesis or summary of the input events)

• Event databases (‘D-boxes’): these components simply exist to give persistence to CIDF gidos

• Response units (‘R-boxes’): they consume gidos which direct them to carry out some kind of action on behalf of other CIDF components, and they carry out this action. This includes such things as killing processes, resetting connections, altering file permissions, etc

IDS Classification

Sources
• NIDS – Network-Based IDS
• HIDS – Host-Based IDS
• Application-Based IDS
• Hybrid IDS

Detection mechanism
• Misuse Detection
• Anomaly Detection
• Protocol Analysis

DIDS – Distributed IDS
IPS – Intrusion Prevention System

NIDS (1/2)

Objective
• Monitor a network segment

Functioning
• Change the operating mode of the network interface by placing it in promiscuous mode, so that it listens to every packet on the network segment
• Analyze all network traffic looking for a match with known attack signatures, or looking for statistically anomalous traffic

NIDS (2/2)

Detects
• Buffer overflows, format string attacks, transmission of suspicious files
• Port scanning, SYN attacks or attacks based on packet fragmentation
• Spoofed IP addresses

Disadvantages
• Not able to block the flow of packets in the presence of an attack
• Inability to deal with encrypted traffic
• Powerful hardware needed to handle high volumes of traffic
• Problems with fragmented packets
• Detects intrusions but does not know their results
• Requires considerable resources to keep logs
• Frequent updating of signatures

HIDS

Objective
• Monitor and analyze a single host

Functioning
• Analysis of system logs, audit logs, security logs, system calls and the changes undergone by the file system
• For each element its attributes are stored and a checksum is computed with a hash function. The current data are compared with the stored checksums to detect an attack

Advantages
• Understands whether the attack was successful or not
• Can analyze encrypted messages (they are inspected on the host after decryption)

Disadvantages
• Subject to attacks itself

Application IDS

Objective
• An application IDS works solely with the application itself
• They tend to be tailored to a specific product

Functioning
• The IDS reports when anomalous activity is detected, most usually using the logs generated by the application

Hybrid IDS
• Known as NNIDS (Network Node IDS), a hybrid IDS is network-based but installed on a single host
• It analyzes only the network traffic directed to the host itself
• Advantage: it can inspect encrypted traffic (after decryption on the host) before it causes an intrusion into the system

Misuse Detection

• To detect an intrusion it uses pattern matching algorithms, which are the true engine of the IDS
• Signature database constantly updated
• Checks all incoming packets looking for a match with the signatures present in the database
• Stateful pattern matching analysis is used to detect an attack performed with a string payload divided into multiple packets

Advantages
• Low number of false alarms

Disadvantages
• High computational load
• Attacks without a signature are not recognized
• Frequent updates of the database
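The last functioning bullet is the one that matters in practice: a signature that straddles a packet boundary is invisible to per-packet matching. The following is an added example, not code from the slides or from Snort, showing both behaviours side by side on a constructed TCP capture. The signature list, the sequence numbers and the request string are all made up for the demo; the reassembly is a deliberately simple "sort by sequence number, drop overlaps" routine.

```python
# Added example (not from the slides): stateless versus stateful signature
# matching. The same attack string is split across TCP segments; matching
# each segment alone misses it, matching the reassembled stream finds it.

# Constructed signatures: (sid, description, byte pattern)
SIGNATURES = [
    (1000001, "WEB-ATTACK directory traversal", b"../../"),
    (1000002, "SHELLCODE NOP sled", b"\x90" * 8),
]


def match_packet(payload):
    """Stateless check: which signatures occur inside one payload."""
    return [sid for sid, _desc, pat in SIGNATURES if pat in payload]


def reassemble(segments):
    """Join (seq, payload) segments in sequence order, skipping retransmitted bytes."""
    stream = b""
    next_seq = None
    for seq, payload in sorted(segments):
        end = seq + len(payload)
        if next_seq is not None:
            if end <= next_seq:
                continue                      # full retransmission, nothing new
            if seq < next_seq:
                payload = payload[next_seq - seq:]   # partial overlap
        stream += payload
        next_seq = end
    return stream


def scan(segments):
    """Return (sids found per packet, sids found on the reassembled stream)."""
    per_packet = set()
    for _seq, payload in segments:
        per_packet.update(match_packet(payload))
    stateful = set(match_packet(reassemble(segments)))
    return sorted(per_packet), sorted(stateful)


def demo():
    # Constructed request whose traversal pattern is cut at a segment boundary
    request = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"
    head, tail = request[:16], request[16:]      # head ends with "../", tail starts with "../"
    # Constructed capture: segments arrive out of order and the second is retransmitted
    segments = [(17, tail), (1, head), (17, tail)]
    return scan(segments)


if __name__ == "__main__":
    stateless, stateful = demo()
    print("per-packet matches:", stateless)
    print("stream matches:   ", stateful)
```

Snort's stream5 preprocessor (configured later in these slides) does this reassembly for real TCP sessions, including the retransmission and out-of-order cases that the toy `reassemble` only sketches; the point of the example is the gap between the two result lists, not the reassembly itself.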

Anomaly Detection

• Searches for abnormal behavior that differs from a system model characterizing correct operation
• Requires a learning phase:
  • Self learning: the model is learned from examples
  • Programmed learning: requires in-depth mathematical knowledge to create the models

Advantages
• Very flexible technique
• Allows detection of unknown attacks

Disadvantages
• High number of false alarms
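A self-learning detector in its simplest form, added here as an example that is not part of the slides: the model is the mean and standard deviation of connections per minute learned from a training set, and any minute whose z-score exceeds a threshold is an alarm. The training and test series are constructed; the test series contains one scan-like burst and one legitimate spike so that the false-alarm weakness named above is visible.

```python
import statistics

# Added example (not from the slides): self-learning anomaly detection on a
# single metric. Learning phase builds a statistical model of normal
# behaviour; detection phase flags observations far from that model.

# Constructed training data: ordinary traffic, roughly 20 connections/minute
TRAINING = [18, 22, 20, 19, 21, 23, 17, 20, 22, 18, 19, 21]
# Constructed test data: normal minutes, one burst (index 2), one legitimate
# spike caused by, say, a backup job (index 4)
TEST = [20, 19, 240, 21, 35, 18]


def learn(training):
    """Learning phase: mean and population standard deviation of the metric."""
    mean = statistics.fmean(training)
    stdev = statistics.pstdev(training) or 1.0   # flat baseline: avoid division by zero
    return {"mean": mean, "stdev": stdev}


def detect(model, observations, threshold=3.0):
    """Detection phase: (index, value, z-score) for every observation past the threshold."""
    alarms = []
    for i, value in enumerate(observations):
        z = (value - model["mean"]) / model["stdev"]
        if abs(z) > threshold:
            alarms.append((i, value, round(z, 2)))
    return alarms


def demo(threshold=3.0):
    return detect(learn(TRAINING), TEST, threshold)


if __name__ == "__main__":
    for idx, value, z in demo():
        print(f"minute {idx}: {value} conn/min, z={z}")
```

With the default threshold both the burst and the backup spike raise alarms, which is exactly the trade-off the slide lists as a disadvantage: raising the threshold until the spike is quiet (`demo(threshold=10)`) keeps the burst but would also hide a slower attack. The model, not the threshold, is what a real deployment refines (per-host, per-hour baselines, more than one metric).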

Protocol Analysis

• Based on checking traffic against the technical specifications of the protocols defined in the RFCs
• Generates an alarm for each violation of the standard protocol, e.g. a SYN-flood attack

Advantages
• Decreases the number of false alarms

Disadvantages
• Management of ambiguities in the RFCs

DIDS

• Made up of sensors and a central monitoring system
• Each sensor generates logs that track the attacks and sends them to the central system
• The central system collects the data and creates a global repository
• Communication between the sensors and the central system goes over an encrypted VPN

Disadvantages
• Sensor heterogeneity requires a standard communication interface
• Inherits all the disadvantages of the IDS sensors

IPS

• Evolution of the IDS
• To achieve prevention, in addition to the normal capabilities of an IDS, the IPS implements instruments to block malicious traffic in real time

Capabilities
• Block the intrusion through actions such as terminating a network connection
• Change the security policies when an attack is detected

System Architecture

All-in-one machine: IP 192.168.0.20

Attacker: IP 192.168.0.19

• The all-in-one machine consists of a NIDS and two honeypots that are run alternately. BASE and SURFnet IDS have been installed to provide a web interface for analyzing the IDS logs

• On the attacker machine the Metasploit penetration testing software has been used to perform a penetration test

Sensor Soft-Hardening (1/2)

• Set permission 500 on wget, curl, GET, links, ftp, telnet (owner-only read and execute, so the download and remote-shell clients cannot be used by a compromised service account)
  root@allinone:/# whereis wget curl GET links lynx ftp tftp telnet
  wget: /usr/bin/wget /usr/bin/X11/wget /usr/share/man/man1/wget.1.gz
  curl: /usr/bin/curl /usr/bin/X11/curl /usr/share/man/man1/curl.1.gz
  GET: /usr/bin/GET /usr/bin/X11/GET /usr/share/man/man1/GET.1p.gz
  links: /usr/bin/links /usr/bin/X11/links /usr/share/man/man1/links.1.gz
  lynx:
  ftp: /usr/bin/ftp /usr/bin/X11/ftp /usr/share/man/man1/ftp.1.gz
  tftp:
  telnet: /usr/bin/telnet /usr/bin/telnet.netkit /usr/bin/X11/telnet /usr/bin/X11/telnet.netkit /usr/share/man/man1/telnet.1.gz
  root@allinone:/# chmod 500 /usr/bin/wget /usr/bin/curl /usr/bin/GET /usr/bin/links /usr/bin/ftp /usr/bin/telnet.netkit

• Install Rootkit Hunter and start a scan
  Ref.: http://www.lifelinux.com/how-to-install-rootkit-hunter/

• Install the Fail2Ban script:
  root@allinone:/# apt-get install fail2ban

Sensor Soft-Hardening (2/2)

• Configure /etc/fail2ban/fail2ban.conf: set the log file path to /var/log/fail2ban.log

• and /etc/fail2ban/jail.conf:
  bantime = 3600
  [ssh]
  enabled = true
  port = ssh
  filter = sshd
  logpath = /var/log/auth.log
  maxretry = 3
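To see what the three jail parameters do, here is the sshd jail logic re-implemented over a handful of constructed /var/log/auth.log lines. This is an added example, not the slides' configuration and not Fail2Ban's own code. It uses the `bantime = 3600` and `maxretry = 3` values from the slide and assumes Fail2Ban's default `findtime` of 600 seconds (not shown on the slide); the log lines, hostnames and PIDs are made up, and the year is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Added example (not from the slides): the [ssh] jail above as a few lines
# of Python. A source address that produces maxretry failures inside
# findtime seconds is banned for bantime seconds.

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"
)

# Constructed auth.log excerpt: a burst from the lab attacker address, one
# successful key login, and slow retries from a second host.
AUTH_LOG = [
    "Dec 10 23:10:01 allinone sshd[2101]: Failed password for root from 192.168.0.19 port 41022 ssh2",
    "Dec 10 23:10:03 allinone sshd[2101]: Failed password for root from 192.168.0.19 port 41022 ssh2",
    "Dec 10 23:10:05 allinone sshd[2103]: Failed password for invalid user admin from 192.168.0.19 port 41023 ssh2",
    "Dec 10 23:10:06 allinone sshd[2104]: Accepted publickey for pasquale from 192.168.0.5 port 50100 ssh2",
    "Dec 10 23:30:00 allinone sshd[2110]: Failed password for root from 192.168.0.7 port 40001 ssh2",
    "Dec 10 23:45:00 allinone sshd[2111]: Failed password for root from 192.168.0.7 port 40002 ssh2",
    "Dec 11 00:00:00 allinone sshd[2112]: Failed password for root from 192.168.0.7 port 40003 ssh2",
]


def parse_ts(text, year=2012):
    """Syslog timestamps have no year; 2012 is assumed for the constructed log."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


class Jail:
    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)   # Fail2Ban default, assumed
        self.bantime = timedelta(seconds=bantime)
        self.failures = {}   # ip -> timestamps of recent failures
        self.bans = {}       # ip -> ban expiry

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        return expiry is not None and now < expiry

    def feed(self, line):
        """Process one log line; return a ('ban', ip, expiry) event when a ban starts."""
        m = FAILED.search(line)
        if not m:
            return None                      # filter did not match: not a failure
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        if self.is_banned(ip, now):
            return None
        window = [t for t in self.failures.get(ip, []) if now - t <= self.findtime]
        window.append(now)
        self.failures[ip] = window
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            self.failures[ip] = []
            return ("ban", ip, self.bans[ip])
        return None

    def run(self, lines):
        return [event for event in map(self.feed, lines) if event]


if __name__ == "__main__":
    for action, ip, expiry in Jail().run(AUTH_LOG):
        print(f"{action} {ip} until {expiry:%Y-%m-%d %H:%M:%S}")
```

The second host never gets banned because its three failures are 15 minutes apart, outside `findtime`; that window is the parameter to tune when the sensor sees slow, patient guessing rather than a burst. Note also that the ban here only records state: on the real machine Fail2Ban's action inserts a firewall rule, which is what actually drops the packets.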

SNORT (1/3)

• Snort® is an open source network intrusion prevention and detection system (IDS/IPS)

• It combines the benefits of signature-, protocol- and anomaly-based inspection

• Install Snort with MySQL support
  root@allinone:/# apt-get install snort-mysql

• Configure /etc/snort/snort.conf
  # Setup the network addresses you are protecting
  ipvar HOME_NET 192.168.0.20/32
  ipvar EXTERNAL_NET !$HOME_NET
  # List of the ports you run web servers on
  portvar HTTP_PORTS 80
  # List of ports you want to look for SHELLCODE on
  portvar SHELLCODE_PORTS !80
  # Path to your rules files
  var RULE_PATH /etc/snort/rules
  # Target-based IP defragmentation
  preprocessor frag3_global: max_frags 65536
  …

SNORT (2/3)

  ...
  # Detect anomalies
  preprocessor frag3_engine: policy linux detect_anomalies
  preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
  preprocessor stream5_tcp: policy linux, use_static_footprint_sizes
  # HTTP normalization and anomaly detection
  preprocessor http_inspect: global iis_unicode_map unicode.map 1252
  preprocessor http_inspect_server: server default profile all ports { 80 8080 } oversize_dir_length 500
  # FTP/Telnet normalization and anomaly detection
  preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
  preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
  # Portscan detection
  preprocessor sfportscan: proto { all } scan_type { all } memcap { 10000000 } sense_level { high } logfile { pscan }
  # Database parameters
  output database: log, mysql, user=snort password=XXX dbname=snort host=localhost
  # Site specific rules
  include $RULE_PATH/local.rules
  include $RULE_PATH/badtraffic.rules
  include $RULE_PATH/exploit.rules
  ...
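The sfportscan line enables Snort's port scan detector; the idea behind it, reduced to its core, is shown below as an added example (not the slides' code and not Snort's own implementation, which tracks many more scan types and priority levels). Constructed SYN records are grouped per source/destination pair, and a source that touches more than a threshold of distinct destination ports inside a short window is reported. The window and threshold values are assumptions for the demo, as are the addresses of the "normal" client.

```python
from collections import defaultdict

# Added example (not from the slides): a reduced port-scan detector in the
# spirit of Snort's sfportscan. Input records are (timestamp_seconds, src,
# dst, dport) taken from TCP SYN packets; output is one alert per scanning
# source/destination pair.


def detect_portscans(records, window=5.0, threshold=20):
    """Alert when one source probes more than `threshold` distinct ports on
    one destination within `window` seconds. Returns
    (src, dst, distinct_ports_at_alert, first_ts, last_ts) tuples."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in sorted(records):
        by_flow[(src, dst)].append((ts, dport))

    alerts = []
    for (src, dst), events in by_flow.items():
        active = []          # events still inside the sliding window
        alerted = False
        for ts, dport in events:
            active.append((ts, dport))
            active = [e for e in active if ts - e[0] <= window]
            distinct = {p for _t, p in active}
            if len(distinct) > threshold and not alerted:
                alerts.append((src, dst, len(distinct), active[0][0], ts))
                alerted = True        # one alert per flow, like a memcap-bounded tracker
    return alerts


def demo_records():
    """Constructed SYN log: a normal client and a fast sweep of 100 ports."""
    records = []
    # Normal client on the LAN: a few connections to web and mail over a minute
    for i, port in enumerate([80, 443, 80, 993, 80]):
        records.append((10.0 + i * 12, "192.168.0.5", "192.168.0.20", port))
    # Sweep from the lab attacker address: 100 distinct ports in about 1.2 s
    for i in range(100):
        records.append((30.0 + i * 0.012, "192.168.0.19", "192.168.0.20", 1 + i))
    return records


if __name__ == "__main__":
    for src, dst, n, first, last in detect_portscans(demo_records()):
        print(f"portscan {src} -> {dst}: {n} ports in {last - first:.2f}s")
```

The `sense_level { high }` option on the slide corresponds to lowering the threshold and widening the window in this model: more scans are caught, and a busy legitimate client (many distinct ports, as a large web page with many connections might produce) becomes more likely to trip it.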

SNORT (3/3)

• Create the Snort database
  root@allinone:/# mysql -u root
  mysql> set password for root@localhost=password('PASSWD_ROOT');
  mysql> create database snort;
  mysql> grant insert,select on root.* to snort@localhost;
  mysql> set password for snort@localhost=password('PASSWD_SNORT');
  mysql> grant create,delete,insert,select,update on snort.* to snort@localhost;
  mysql> grant create,delete,insert,select,update on snort.* to snort;
  mysql> exit

• Download and import the Snort DB schema
  root@allinone:/# mysql -u root -p -D snort < create_mysql

• Create an init script in /etc/init.d
  #!/bin/sh -e
  snort -c /etc/snort/snort.conf -D -u snort -g snort -y

• Start SNORT
  root@allinone:/# snort -c /etc/snort/snort.conf -D -u snort -g snort -y

BASE (1/2)

• BASE (Basic Analysis and Security Engine) is a web interface for analyzing the intrusions that Snort has detected on the network

• Download BASE and install it in the web server's webroot
  root@allinone:/BASE/base-1.4.5# mkdir /var/www/base
  root@allinone:/BASE/base-1.4.5# mv * /var/www/base

• Install dependencies
  root@allinone:# apt-get install libphp-adodb php5-gd php-pear
  root@allinone:# pear install Image_Color
  root@allinone:# pear install Image_Canvas-alpha
  root@allinone:# pear install Image_Graph-alpha

• Download and install ADOdb (database abstraction library for PHP)
  Ref.: http://adodb.sourceforge.net/

BASE (2/2)

• Configure base_config.php
  root@allinone:/var/www/base# mv base_conf.php.dist base_config.php
  $BASE_urlpath = "/base";
  $DBlib_path = "/var/www/adodb/";
  $DBtype = "mysql";
  $alert_dbname = "snort";
  $alert_host = "localhost";
  $alert_port = "";
  $alert_user = "snort";
  $alert_password = "passwd_snortdb";

• Add the dynamic extensions in /etc/php5/apache2/php.ini
  extension=mysql.so
  extension=gd.so

• Restart Apache2 and start BASE

Honeypot

Honeypot: literally a 'jar of honey'

What is a honeypot?
• Hardware or software that works as bait or a trap for potential hackers or malware
• Provides services that are open and visible from the Internet and easy to break into
• Identifies and analyzes the attacks, the intrusion techniques, the flaws of the system and the malicious code

Advantages
• Quality and quantity of the information it collects
• Low number of false positives compared to an IDS

Disadvantages
• They may themselves be compromised and therefore can bring risks to the infrastructure that hosts them

Honeypot Classification

Scope
• Production honeypots: used to protect organizations in real production operating environments. They are deployed in parallel with data networks or IT infrastructures and are subject to constant attacks 24/7
• Research honeypots: not deployed with the objective of protecting networks. They represent educational resources of a demonstrative and research nature whose objective is centered on studying all sorts of attack patterns and threats

Interaction level
• Low-interaction honeypots: work exclusively by emulating operating systems and services. The attacker's activities are limited by the honeypot's level and quality of emulation
• High-interaction honeypots: constitute a complex solution because they involve real operating systems and real applications deployed on real hardware, without using emulation software

Considerations on Honeypots

Advantages
• Clean logs
• Minimal resources when it offers emulated services

The true value of a honeypot for a company is when it can be demonstrated that the security systems adopted have not been enough to keep out the bad guys

Disadvantages
• Cannot detect events in which it is not the recipient
• It is a system designed to be attacked; if not well configured and isolated it can become a point of access for the attacker
  • Disabling: the attacker disables the honeypot and/or changes the log files
  • Violation: the attacker is able to use the honeypot to carry out illegal activities

Nepenthes (1/4)

• Nepenthes is a low-interaction honeypot and a versatile tool to collect malware

• It acts passively by emulating known vulnerabilities and downloading the malware that tries to exploit these vulnerabilities

• Install Nepenthes
  root@allinone:/# apt-get install nepenthes

• Configure /etc/nepenthes/nepenthes.conf
  # need to add the sqlhandler and log-surfnet lines
  // SQL handler
  "sqlhandlerpostgres.so", "", ""
  // logging
  "logdownload.so", "log-download.conf", ""
  // "logirc.so", "log-irc.conf", "" // needs configuration
  "logsurfnet.so", "log-surfnet.conf", "" // needs configuration

Nepenthes (2/4)

  …
  # Active preferred vulnerability modules
  "vulnbagle.so", "vulnbagle.conf", ""
  "vulndameware.so", "vulndameware.conf", ""
  "vulndcom.so", "vulndcom.conf", ""
  "vulnftpd.so", "vulnftpd.conf", ""
  "vulniis.so", "vulniis.conf", ""
  …

• Configure /etc/nepenthes/vulniis.conf
  vulniis
  {
    ports ("443","8080");
    accepttimeout "30";
  };

• Modify /etc/nepenthes/log-surfnet.conf
  server "127.0.0.1"; // must be ip
  user "nepenthes";
  pass "password";
  db "idsserver";

Nepenthes (3/4)

• Create an init script in /etc/init.d (kills any running nepenthes instance before starting a new one)
  #!/bin/sh
  check=`ps -ef | grep -v grep | grep -v init.d | grep -v postgres | grep nepenthes | wc -l`
  echo "CHECK: $check"
  if [ $check != 0 ]; then
    neppid=`ps -ef | grep -v grep | grep -v init.d | grep -v postgres | grep nepenthes | grep none | awk '{print $2}' | head -n1`
    echo "PID: $neppid"
    kill -9 $neppid
  fi
  /bin/nepenthes -u nepenthes -g nepenthes -l none -R -D --chroot=/etc/nepenthes

• Start Nepenthes
  root@allinone:/bin/# nepenthes -u nepenthes -g nepenthes -l none -R -D --chroot=/etc/nepenthes

Nepenthes (4/4)

• The attacker starts nmap
  root@attacker:/home/attacker# nmap -sS -PN -v 192.168.0.20

  Starting Nmap 5.21 ( http://nmap.org ) at 2012-12-07 23:23 CET
  Initiating ARP Ping Scan at 23:23
  Scanning 192.168.0.20 [1 port]
  Completed ARP Ping Scan at 23:23, 0.04s elapsed (1 total hosts)
  Initiating Parallel DNS resolution of 1 host. at 23:23
  Completed Parallel DNS resolution of 1 host. at 23:23, 0.04s elapsed
  Initiating SYN Stealth Scan at 23:23
  Scanning 192.168.0.20 [1000 ports]
  Discovered open port 1025/tcp on 192.168.0.20
  Discovered open port 135/tcp on 192.168.0.20
  Discovered open port 445/tcp on 192.168.0.20
  Discovered open port 143/tcp on 192.168.0.20
  Discovered open port 139/tcp on 192.168.0.20
  Discovered open port 80/tcp on 192.168.0.20
  Discovered open port 110/tcp on 192.168.0.20
  Discovered open port 443/tcp on 192.168.0.20
  Discovered open port 8080/tcp on 192.168.0.20
  Discovered open port 993/tcp on 192.168.0.20
  Discovered open port 2105/tcp on 192.168.0.20
  Discovered open port 10000/tcp on 192.168.0.20
  Discovered open port 465/tcp on 192.168.0.20
  Discovered open port 3372/tcp on 192.168.0.20
  Discovered open port 2107/tcp on 192.168.0.20
  …
  Completed SYN Stealth Scan at 23:23, 1.17s elapsed (1000 total ports)
  Nmap scan report for 192.168.0.20
  Host is up (0.000094s latency).
  Not shown: 976 closed ports
  PORT      STATE SERVICE
  21/tcp    open  ftp
  22/tcp    open  ssh
  25/tcp    open  smtp
  42/tcp    open  nameserver
  80/tcp    open  http
  110/tcp   open  pop3
  135/tcp   open  msrpc
  139/tcp   open  netbios-ssn
  143/tcp   open  imap
  443/tcp   open  https
  445/tcp   open  microsoft-ds
  465/tcp   open  smtps
  993/tcp   open  imaps
  995/tcp   open  pop3s
  1023/tcp  open  netvenuechat
  1025/tcp  open  NFS-or-IIS
  2103/tcp  open  zephyr-clt
  …

Amun (1/4)

• Amun is a low-interaction Python honeypot
• It has a modular implementation like Nepenthes:
  • Amun Kernel
  • Request Handler
  • Vulnerability Modules
  • Shellcode Analyzer
  • Download Modules
  • Logging Modules

• Install Amun
  # need to install some more python modules (PostgreSQL adapter for the Python programming language)
  root@allinone:/# apt-get install python-psycopg2
  # download the package from the subversion repository of Amun
  cd /opt/
  svn co https://amunhoney.svn.sourceforge.net/svnroot/amunhoney amunhoney
  cd /opt/amunhoney

Amun (2/4)

• Configure /opt/amunhoney/conf/amun.conf
  # if you also run other honeypots, comment out the modules listening on the same ports
  ### define ports for vulnerability modules ### (can be changed while running)
  # You will also need to uncomment the modules in the vuln_modules section:
  vuln_modules:
  # vuln-ms08067,
  …

• SURFids: in the log_modules section uncomment the log-surfnet module:
  ### define logging modules
  log_modules:
  log-surfnet
  # log-syslog

• Configure /opt/amunhoney/conf/log-surfnet.conf
  [Log-Surfnet]
  sensorIP: 127.0.0.1
  …

Amun (3/4)

  …
  PGHost: enter-ip-database
  PGPort: 5432
  PGUser: nepenthes
  PGPass: enter-your-password
  PGDB: idsserver

  # To download binaries to the normal surfids location:
  cd /opt/amunhoney/malware
  mv md5sum md5sum.orig
  ln -s /opt/surfnetids/binaries md5sum

  # change the file /opt/amunhoney/submit_modules/submitmd5/submit_md5.py
  # modify
  filename = "malware/md5sum/%s.bin" % (md5hash)
  # in
  filename = "malware/md5sum/%s" % (md5hash)

• Start Amun
  ./amun_server.py

Amun (4/4)

• The attacker starts nmap
  root@attacker:/home/attacker# nmap -sS -PN -v 192.168.0.20

  Starting Nmap 5.21 ( http://nmap.org ) at 2012-12-09 18:18 CET
  Initiating ARP Ping Scan at 18:18
  Scanning 192.168.0.20 [1 port]
  Completed ARP Ping Scan at 18:18, 0.01s elapsed (1 total hosts)
  Initiating Parallel DNS resolution of 1 host. at 18:18
  Completed Parallel DNS resolution of 1 host. at 18:18, 0.05s elapsed
  Initiating SYN Stealth Scan at 18:18
  Scanning 192.168.0.20 [1000 ports]
  Discovered open port 23/tcp on 192.168.0.20
  Discovered open port 443/tcp on 192.168.0.20
  Discovered open port 1025/tcp on 192.168.0.20
  Discovered open port 80/tcp on 192.168.0.20
  Discovered open port 8080/tcp on 192.168.0.20
  Discovered open port 587/tcp on 192.168.0.20
  Discovered open port 143/tcp on 192.168.0.20
  Discovered open port 110/tcp on 192.168.0.20
  Discovered open port 22/tcp on 192.168.0.20
  Discovered open port 139/tcp on 192.168.0.20
  Discovered open port 445/tcp on 192.168.0.20
  Discovered open port 554/tcp on 192.168.0.20
  Discovered open port 42/tcp on 192.168.0.20
  Discovered open port 1023/tcp on 192.168.0.20
  Discovered open port 1080/tcp on 192.168.0.20
  Completed SYN Stealth Scan at 18:18, 1.31s elapsed (1000 total ports)
  Nmap scan report for 192.168.0.20
  Host is up (0.00028s latency).
  Not shown: 966 closed ports
  PORT      STATE SERVICE
  21/tcp    open  ftp
  22/tcp    open  ssh
  23/tcp    open  telnet
  25/tcp    open  smtp
  42/tcp    open  nameserver
  80/tcp    open  http
  110/tcp   open  pop3
  135/tcp   open  msrpc
  139/tcp   open  netbios-ssn
  143/tcp   open  imap
  443/tcp   open  https
  445/tcp   open  microsoft-ds
  554/tcp   open  rtsp
  587/tcp   open  submission
  617/tcp   open  sco-dtmgr
  …


SURFIDS


• The SURFids is a Distributed Intrusion Detection framework

• It is based on the following rules:
  • The sensor should run out-of-the-box
  • The sensor should be completely passive and therefore maintenance-free
  • The D-IDS should not generate any false positive alerts
  • A sensor should be able to run in a standard LAN
  • Comparison of statistics generated by sensors and groups of sensors should be possible

• The detection tools are installed on a central server (called tunnel server)
• Distributed sensors connect to the tunnel server and tunnel all their layer 2 and higher traffic to the tunnel server
• All information is presented to the users by a web interface (logging server)


SURFIDS Components


Tunnel/Honeypot Server
• The tunnel end-point on the server is called a tap device
• A tap device is a virtual interface which delivers the traffic from the tunnel on the server. The tap device will receive an IP address from the client network address pool. This makes the server virtually present in the client network

Sensor
• The only purpose of the sensor is to be a transparent bridge between the client network and the tunnel/honeypot server
• The sensor manages the creation and destruction of the tunnel that is used to connect the tunnel/honeypot server to the client network

Logging Server
• The logging server consists of two parts, the database and a web interface
• The database is used to store the analysis information from the honeypot server. This information is presented to the users by a web interface


SURFIDS Installation (1/6)


• Logging Server Installation
# add the SURFids key to your local key chain
wget -q http://repo.ids.surfnet.nl/key.pub -O- | sudo apt-key add -

# create a file /etc/apt/sources.list.d/surfids.list with the content:
deb http://repo.ids.surfnet.nl/surfnetids/ lenny main

# to start the SURFids logging server installation we use apt-get
apt-get update
apt-get install surfids-logserver sendmail sendmail-bin
- Set database Host
- Insert Admin database user
- Create a postgresql user:
  sudo -u postgres createuser -s -d -r -P <adminuser>
- Set admin user password
- Set database listening port
- Set database name
- Set SURFids database user and SURFids user password
- Set nepenthes, pof, argos user password
- Download the latest GeoIP database


SURFIDS Installation (2/6)


• Logging Server Configuration
# configuration file is located at /etc/surfnetids/surfnetids-log.conf

#######################
# Database connection #
#######################
# User info for the logging user in the postgresql database
$c_pgsql_pass = "enter_password_here";
$c_pgsql_user = "idslog";

# Postgresql database info
$c_pgsql_host = "localhost";
$c_pgsql_dbname = "idsserver";
# The port number where the postgresql database is running on
$c_pgsql_port = "5432";

# Enable or disable the download option of binaries in the webinterface
$c_download_binaries = 1;

#######################
# GeoIP Location Info #
#######################
# Enable GeoIP location database to enable source IP country identification.
$c_geoip_enable = 1;
…


SURFIDS Installation (3/6)


…
# The key used for the Googlemap API
$c_googlemap_key = "enter_googlemap_key_here";

# Generate a GnuPG key used to sign mail-reports:
gpg --gen-key
# and insert the key in
# Maillog GNUPG passphrase.
$c_passphrase = "enter_gnupg_passphrase_here";

#################
# Sandbox Email #
#################
# Settings needed to retrieve the Norman reports from the mailbox they were sent to
# login credentials
$c_mail_username = 'email_username';
$c_mail_password = 'email_pass';
# mailhost and port
$c_mail_mailhost = 'mailhost';
$c_mail_port = '995';

# replace the “enter_database_pass_here” text with the actual password needed for connecting with the database in /opt/surfnetids/webinterface/.htaccess


SURFIDS Installation (4/6)


• Tunnel Server Installation
# Add the Dapper repository in sources.list:
deb http://ubuntu.mirror.cambrium.nl/ubuntu/ hardy main universe

# to start the SURFids tunnel server installation we use apt-get
apt-get update
apt-get install surfids-tunnel

- Set OpenVPN key size
- Insert attribute for certificates
- Set Xinetd listening address
- Set IP address of tunnel server that is accepting the OpenVPN connections
- Set the password used by the sensor to communicate with the tunnel server

• Tunnel Server Configuration
# configuration file is located at /etc/surfnetids/surfnetids-tn.conf

####################
# SURF IDS Options #
####################
# The root directory for the SURF IDS files (no trailing forward slash).
$c_surfidsdir = "/opt/surfnetids";


SURFIDS Installation (5/6)


#######################
# Database connection #
#######################
# User info for the logging user in the postgresql database
$c_pgsql_pass = "enter_password_here";
$c_pgsql_user = "idslog";
# Postgresql database info
$c_pgsql_host = "enter_database_servername_here";
$c_pgsql_dbname = "idsserver";
# The port number where the postgresql database is running on.
$c_pgsql_port = "5432";

################
# Mail logging #
################
# Maillog From: address. This is the email address that appears in the From header.
$c_from_address = 'enter_email_address_here';
# Maillog GNUPG passphrase.
$c_passphrase = "enter_GNU_passphrase_here";
# Prefix for the subject of email reports
$c_subject_prefix = "[SURF IDS] ";
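Both the logging server configuration (surfnetids-log.conf) and the tunnel server configuration above ship with "enter_..._here" placeholders for the database password, GnuPG passphrase and mail settings, and the web interface .htaccess carries one more. A server started with those values left in place either fails to connect or, worse, runs with a guessable credential. The following Python is an added example, not part of the SURFids packages: it parses the Perl-style `$c_name = "value";` assignments shown on the slides and lists every setting still holding a placeholder. The sample configuration is constructed from the slide values; the exact set of placeholder spellings is an assumption drawn from this page.

```python
"""Added example, not SURFids code: find unreplaced placeholder values in
surfnetids-log.conf / surfnetids-tn.conf before starting the servers."""
import re

# One `$c_name = value;` assignment per line; value double-quoted, single-quoted
# or bare (numeric flags such as $c_geoip_enable = 1;).
ASSIGN = re.compile(
    r"""^\s*\$(?P<name>c_\w+)\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^;#]+?))\s*;"""
)
# Placeholder spellings seen in the configs on this page (assumption: the
# packages use no others). The Amun ones are included so the same check can
# be pointed at Amun's settings.
PLACEHOLDER = re.compile(r"^(enter[_-][\w-]*[_-]here|enter-ip-database|enter-your-password)$")
RAW_PLACEHOLDER = re.compile(r"enter_[A-Za-z0-9_]*_here|enter-ip-database|enter-your-password")


def parse_surfids_conf(text):
    """Return {name: value} for every $c_* assignment; comments and blanks are skipped."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if not m:
            continue
        for group in ("dq", "sq", "bare"):
            if m.group(group) is not None:
                values[m.group("name")] = m.group(group).strip() if group == "bare" else m.group(group)
                break
    return values


def find_placeholders(values):
    """Names of settings whose value is still a shipped placeholder."""
    return sorted(name for name, value in values.items() if PLACEHOLDER.match(value))


def find_raw_placeholders(text):
    """For files with a different syntax (the web interface .htaccess): just find the tokens."""
    return sorted(set(RAW_PLACEHOLDER.findall(text)))


def check_conf(text):
    values = parse_surfids_conf(text)
    unset = find_placeholders(values)
    return {"values": values, "unset": unset, "ok": not unset}


# Constructed from the tunnel-server and logging-server slides; not a real file.
SAMPLE_CONF = """\
#######################
# Database connection #
#######################
# User info for the logging user in the postgresql database
$c_pgsql_pass = "enter_password_here";
$c_pgsql_user = "idslog";
$c_pgsql_host = "enter_database_servername_here";
$c_pgsql_dbname = "idsserver";
$c_pgsql_port = "5432";
$c_download_binaries = 1;
$c_geoip_enable = 1;
$c_from_address = 'enter_email_address_here';
$c_passphrase = "enter_GNU_passphrase_here";
$c_subject_prefix = "[SURF IDS] ";
"""

if __name__ == "__main__":
    report = check_conf(SAMPLE_CONF)
    for name in report["unset"]:
        print(f"still a placeholder: ${name}")
```

Run it against the real files with `check_conf(open("/etc/surfnetids/surfnetids-tn.conf").read())` and `find_raw_placeholders(open("/opt/surfnetids/webinterface/.htaccess").read())`; an empty `unset` list is the condition to require before `apt-get install surfids-tunnel` hands the configuration to the running services.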


SURFIDS Installation (6/6)


• Add Local Static Sensor to SURFids database
cd /opt/surfnetids/logtools
./localsensor.pl -p 192.168.0.20
/opt/surfnetids/logtools/localsensor.pl -i eth0 -s Nepenthes -o Evil_Sensor

• Open the web interface available at
http://<logserver:80>/surfnetids/


AV Installation (1/3)


• Local scan of Suspicious Files with:
  • F-Prot
  • AVAST
  • ClamAV

• Create a Directory
cd /opt
mkdir scanner
cd scanner

• Install ClamAV
apt-get install unzip libwww-perl
apt-get -y install clamav
freshclam

• Install F-Prot
# Download fp-Linux.x86.32-ws.tar.gz from F-Prot official website
tar -xvf fp-Linux.x86.32-ws.tar.gz
cd f-prot
./install-f-prot.pl


AV Installation (2/3)


• Install Avast
# Download avast4workstation-1.3.0.tar.gz from AVAST official website
tar -xvf avast4workstation-1.3.0.tar.gz
# Download avast4workstation_1.3.0-2_i386.deb from AVAST official website
dpkg -i avast4workstation_1.3.0-2_i386.deb
sysctl -w kernel.shmmax=100000000

# AVAST requires a free registration to work

• Configure /opt/surfnetids/scripts/scanbinaries.pl
####################
# Define scanners
####################
$scanners->{"F-Prot"} = {
    'cmd' => "/opt/scanner/f-prot/fpscan -v 2 --report --adware",
    'update' => "/opt/scanner/f-prot/fpupdate",
    'version' => "/opt/scanner/f-prot/fpscan --version | grep \"F-PROT Antivirus version\" | awk -F'(' '{print \$1}' | awk '{print \$NF}'",
    'batchmode' => 0,
};
…


AV Installation (3/3)


…
$scanners->{"AVAST"} = {
    'cmd' => "/opt/scanner/avast4workstation-1.3.0/bin/avast -n",
    'update' => "/opt/scanner/avast4workstation-1.3.0/bin/avast-update",
    'version' => "/opt/scanner/avast4workstation-1.3.0/bin/avast --version | head -n1 | awk -F\"avast \" '{print \$2}'",
    'batchmode' => 1,
};
$scanners->{"ClamAV"} = {
    'cmd' => "clamscan --no-summary",
    'update' => "freshclam",
    'version' => "clamscan --version | awk '{print \$2}' | awk -F\"/\" '{print \$1}'",
    'batchmode' => 0,
};

• Add to crontab
00,30 * * * * /opt/surfnetids/scripts/scanbinaries.pl >/dev/null
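The scanner table above gives scanbinaries.pl, per engine, a command, an update command and a batchmode flag (1: hand all samples to one invocation, 0: one invocation per sample). The following Python is an added example, not the SURFids script, showing the dispatch logic that table drives: it walks the md5-named binaries directory, runs each scanner in its batch or per-file mode without a shell, and collects one verdict per sample and engine so that samples no engine flags stand out. The command runner is injectable, so the example runs offline against constructed scanner output; the ClamAV report line format is the real one, while the AVAST report pattern is an assumption for illustration.

```python
"""Added example (not SURFids' scanbinaries.pl): multi-scanner dispatch over
the md5-named binaries directory, honouring each engine's batch mode."""
import os
import re
import subprocess
import tempfile
from dataclasses import dataclass


@dataclass
class Scanner:
    name: str
    cmd: list          # argv prefix; sample paths are appended, never a shell string
    batchmode: bool    # True: one invocation for all samples; False: one per sample
    found: re.Pattern  # extracts (path, detection) from an infected-file report line


# ClamAV reports "<path>: <signature> FOUND" for each infected file.
CLAMAV = Scanner("ClamAV", ["clamscan", "--no-summary"], False,
                 re.compile(r"^(?P<path>.+?): (?P<name>.+) FOUND$"))
# Batch-mode engine mirroring the slide's AVAST entry; its report line
# format below is an assumption, not AVAST documentation.
AVAST = Scanner("AVAST", ["/opt/scanner/avast4workstation-1.3.0/bin/avast", "-n"], True,
                re.compile(r"^(?P<path>\S+)\s+\[infected by: (?P<name>[^\]]+)\]$"))


def default_run(argv):
    """Real runner: argv list, no shell, so sample names cannot inject commands."""
    return subprocess.run(argv, capture_output=True, text=True).stdout


def scan_directory(binaries_dir, scanners, run_cmd=default_run):
    """Return {md5name: {scanner: detection}} for every md5-named file."""
    samples = sorted(os.path.join(binaries_dir, f) for f in os.listdir(binaries_dir)
                     if re.fullmatch(r"[0-9a-f]{32}", f))  # ignore anything not md5-named
    verdicts = {os.path.basename(p): {} for p in samples}
    for sc in scanners:
        batches = [samples] if sc.batchmode else [[p] for p in samples]
        for batch in batches:
            if not batch:
                continue
            for line in run_cmd(sc.cmd + batch).splitlines():
                m = sc.found.match(line.strip())
                if m and os.path.basename(m.group("path")) in verdicts:
                    verdicts[os.path.basename(m.group("path"))][sc.name] = m.group("name")
    return verdicts


def summarize(verdicts):
    """Samples flagged by nobody are the ones that need a manual look."""
    return {"detected": {k: v for k, v in verdicts.items() if v},
            "undetected": sorted(k for k, v in verdicts.items() if not v)}


def demo():
    """Offline run: three constructed md5-named files and a fake scanner runner."""
    d = tempfile.mkdtemp()
    for n in ("a" * 32, "b" * 32, "c" * 32):
        with open(os.path.join(d, n), "wb") as fh:
            fh.write(b"constructed, not malware")
    open(os.path.join(d, "README"), "w").close()  # must be ignored: not md5-named
    calls = []

    def fake_run(argv):  # emulates engine output for the constructed samples
        calls.append(argv[0])
        out = []
        for f in [a for a in argv if a.startswith(d)]:
            base = os.path.basename(f)
            if argv[0] == "clamscan" and base.startswith("a"):
                out.append(f"{f}: Eicar-Test-Signature FOUND")
            if argv[0].endswith("/avast") and base[0] in "ab":
                out.append(f"{f}  [infected by: Win32:Trojan-gen]")
        return "\n".join(out) + "\n"

    verdicts = scan_directory(d, [CLAMAV, AVAST], run_cmd=fake_run)
    return {"verdicts": verdicts, "summary": summarize(verdicts),
            "clamav_calls": calls.count("clamscan"),
            "avast_calls": sum(c.endswith("/avast") for c in calls)}


if __name__ == "__main__":
    print(demo())
```

With the real engines installed, `scan_directory("/opt/surfnetids/binaries", [CLAMAV, AVAST])` is what the half-hourly cron entry above would drive; per-file mode costs one process per sample, which is why the table marks the faster engine as batchmode 1.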


Metasploit: Penetration Test Software


• Metasploit® software helps security and IT professionals
  • Identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments

• Download from http://www.metasploit.com/download/ for FREE

• Install it on the attacker machine and test the all-in-one machine:
  • Discover open ports
  • Exploit target system (requires registration)


Metasploit: Testing Nepenthes




Metasploit: Testing Amun

