Snort & Windows 2000
A Practical Guide
David Elfering
Based on paper by Michael Steele
Snort & Windows 2000 by Dave Elfering - Based on article by Michael Steel
Objective

Windows 2000
- Flexible, enterprise ready
- Leverage 2000's crypto capabilities
- Distributed, economical, web based NIDS architecture

Web server
- Either IIS or Apache will work

Snort
- Free & open

Is this cats & dogs living together?

WinPcap

Download
- http://netgroup-serv.polito.it/winpcap/install/

Install
- Simple "click-n-shoot" operation
- For problems see the WinPcap FAQ

MySQL – Installation

- Download: http://www.mysql.com
- Choose "typical" as the installation type
- Note: install from the Control Panel on W2K Server
- Password?
- Open WinMySQLAdmin
- Create a "Start Menu" item (located on the my.ini Setup tab)

MySQL – Create the Database

Create & configure the SNORT database
- Right-click the MySQL icon in the system tray (select "show me")
- Select the Database tab and "Create Database" to create the "snort" database

MySQL – Setting Permissions

- Execute C:\MySQL\bin\MySQL
- Type "\u mysql"
- Type "grant INSERT,SELECT,CREATE,DELETE on snort.* to snort@localhost;"
- Now type "\u mysql" then "show tables;"
- Now try "select * from user;"

Snort

Download
- Snort-win32 MySQL binary
- Grab "Snortrules.tar.gz"
- Grab "Snort.conf"

Install
- Create 3 folders: "C:\Snort\" - "C:\Snort\Bin\" - "C:\Snort\Logs\"
- Install Snort into the "C:\Snort\Bin" folder
- This is a manual copy – no setup file needed

Snort (2)

- Install the latest FULL set of rules and the snort.conf file
- Edit the snort.conf file
  - To reflect your HOME_NET
  - Remove the # before "output database: log, mysql"
- Copy the file called "create_mysql" from the "contrib" folder of the Unix tar
  - http://www.snort.org/Files/snort-1.7.tar.gz

Snort Database Creation

- Execute it: C:\MySQL\Bin>MySQL -u snort snort < C:\MySQL\Bin\create_mysql

Snort – Finishing the Setup

- Be sure to "hard code" the snort.conf rules
- Should look like this:

Test SNORT
- C:\snort\bin\snort -c snort.conf -l c:\snort\logs
- Should fire up and log to MySQL
- If you get no error messages, you're ok!

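Before firing Snort up, it is worth checking the two snort.conf edits from the "Snort (2)" slide mechanically, because a leftover "#" on the output line means Snort runs fine but never writes to MySQL. The following Python script is an added example, not part of the slides or of Snort itself: it assumes the Snort 1.x syntax the slides show ("var HOME_NET ..." and "output database: log, mysql, user=... password=... dbname=... host=..."), and the two config samples inside it are constructed for the example. It also confirms the plugin logs as the restricted "snort" account from the MySQL permissions slide rather than root.

```python
"""Verify the snort.conf edits from the 'Snort (2)' and 'Finishing the Setup' slides.
Added example, not from the slides: it checks that HOME_NET is no longer 'any',
that the 'output database: log, mysql' line is uncommented, and that the plugin
logs as the restricted 'snort' account created on the MySQL permissions slide."""
import re

# Constructed sample: a snort.conf fragment after the edits the slides call for.
SAMPLE_GOOD = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
# output database: log, postgresql, user=snort dbname=snort host=localhost
output database: log, mysql, user=snort password=changeme dbname=snort host=localhost
include snortrules/web-cgi.rules
"""

# Constructed sample: the file as downloaded, before any edits.
SAMPLE_BAD = """\
var HOME_NET any
#output database: log, mysql, user=root password= dbname=snort host=localhost
"""

# Snort 1.x plugin syntax: output database: <facility>, <driver>, key=value ...
OUTPUT_RE = re.compile(r"^output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,?\s*(.*)$")


def parse_snort_conf(text):
    """Return ({var_name: value}, [active database output plugins]); '#' lines are disabled."""
    variables = {}
    outputs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                variables[parts[1]] = parts[2]
            continue
        match = OUTPUT_RE.match(line)
        if match:
            facility, driver, rest = match.groups()
            params = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
            outputs.append({"facility": facility, "driver": driver, "params": params})
    return variables, outputs


def check_snort_conf(text, expected_user="snort", expected_db="snort"):
    """Return a list of findings; an empty list means the config matches the slides."""
    findings = []
    variables, outputs = parse_snort_conf(text)
    home_net = variables.get("HOME_NET")
    if home_net is None:
        findings.append("HOME_NET is not defined")
    elif home_net.lower() == "any":
        findings.append("HOME_NET is still 'any'; set it to your network")
    mysql_outputs = [o for o in outputs if o["driver"].lower() == "mysql"]
    if not mysql_outputs:
        findings.append("no active 'output database: log, mysql' line (is the # still there?)")
    for output in mysql_outputs:
        user = output["params"].get("user")
        if user != expected_user:
            findings.append(f"database output logs as '{user}', expected '{expected_user}'")
        if not output["params"].get("password"):
            findings.append("database output has an empty password")
        if output["params"].get("dbname") != expected_db:
            findings.append(f"database output targets '{output['params'].get('dbname')}', expected '{expected_db}'")
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\Snort\Bin\snort.conf"
    with open(path) as fh:
        problems = check_snort_conf(fh.read())
    print("OK" if not problems else "\n".join(problems))
```

Run it against the real file with "python check_snort_conf.py C:\Snort\Bin\snort.conf"; an empty finding list means the file matches what the slides describe, and each finding names the edit that is still missing.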
Snort – What You Should See

- Now test Snort

Web Server Time

- How-to assumes IIS 5.0
  - May want to harden it a bit ☺
  - Ships with Windows
- Apache will work great too
  - Free, which is usually good
  - ftp://httpd.apache.org/dist/httpd

PHP

Download: www.php.net/downloads.php

Install
- Create c:\usr and copy the mibs directory in
- Copy the DLLs into the winnt\system32 directory (avoid overwrites)
- Copy php.ini-dist to the server root (c:\) & rename to php.ini
- Do not edit the php.ini file

Make PHP Executable

- Now add a new entry to the IIS Application Mappings
- Control Panel -> Administrative Tools -> Internet Services Manager -> Default Web Site
- Right-click, then Properties

IIS – Adding PHP Extension

- Use the path to php.exe as the Executable, supply .php as the extension

Final PHP Installation

- Leave 'Method exclusions' blank, and check the Script engine checkbox
- Put a .php file under your Web server's document root and check if it works
- Voila!

Checkpoint!

Where are we at?
- MySQL: installed & configured
- Snort: installed, configured & logging to database
- PHP: installed and tested
- Now tackle ADODB & ACID

Getting ACID & ADODB

- This setup was on ACID 0.9.6b9
  - http://acidlab.sourceforge.net
- ADODB version 1.11
  - http://php.weblogs.com/adodb

ADODB & ACID Setup - 1

- Adds hooks between the DB & the web GUI
- Drop "ACID" into C:\inetpub\wwwroot
- Drop the "ADODB" directory into c:\
- Edit acid_conf.php in the acid folder

ACID Setup PT-1

- Open Microsoft Management Console
- Right-click on your Web server node (will most probably appear as 'Default Web Server'), and select 'Properties'.
- Select 'Home Directory', click on the 'Configuration' button.

Set ACID Homepage

- Now set ACID as the web root

ACID/ADODB Gotcha's - 1

- Be sure to set this in acid_conf.php
- Now open the web site in a browser
  - http://127.0.0.1 if on the Snort server

Web Based Steps - 1

- Now we should see:
- Not much farther to go!

ACID/ADODB Gotcha's - 2

- Click on the "setup" link to get this:
- Click "Create ACID AG"

ACID/ADODB Finishing Up

- Now we see

Voila! An IDS is Born!

Securing the Server

- Restricting IP access to IIS
- Setting up SSL
- Setting up Windows 2000 encryption

Securing the IIS Server

- IIS – Surely you're kidding, right?
- My name's not Surely ☺
- Only allow "authorized" users
- Restrict IP addresses to the web site
- Use an el-cheapo firewall

Restricting IIS Access

- Head to Control Panel/Administrative Tools
- Open "Internet Services Manager"
- Right-click "Default Web Site", Properties
- Select the "Directory Security" tab
- Remove "Anonymous Access"

IIS Address Restrictions

- Now set IIS to only allow certain IPs
- Select "IP address and domain name restrictions"
- Set this to be VERY restrictive

Setting Up SSL Encryption

- Only log in using strong crypto
- Easy to get a "test" certificate
- Certificates are cheap insurance

Getting a Certificate

VeriSign outlines the following steps:
- Confirm domain
- Obtain proof of right
- Generate CSR (private key docs!)
- Submit CSR
- Complete application
- Wait for processing
- Install your ID

IIS Certificate Step One

- Select Directory Security/Secure Communications/Server Certificate
- Now follow the wizard!
  - Create a new certificate (CSR)
  - Prepare the request now but send it later
  - Use longer key lengths
  - Fill in organization info as required
  - Drop the request on the drive

What is a CSR?

- Your web server's CSR carries the public key that you ask a certificate authority to "sign"
- Your server will produce a plain text block like this:

-----BEGIN CERTIFICATE REQUEST-----
...(base64-encoded request body omitted)...
-----END CERTIFICATE REQUEST-----

IIS SSL Certificate Step Two

- Should see:
- Free "test" certs available from Thawte
  - http://www.thawte.com
- Paste the contents of "certreq.txt"

Finishing Certificate Install

- Other options for the "test" certificate
  - Test duration can be up to 365 days
  - Don't change any other settings
- You should get this:
- Now rerun the "Server Certificate" wizard
- Paste the certificate contents via Notepad to your hard drive for input to the wizard

Now Test It!

- Netscape and Explorer both give connection information

Server Side Crypto Settings

- What about governing crypto at the server?
- If we control the endpoint, then the battle tilts in our favor
- Netscape & IIS allow different degrees of control

Require Strong Crypto!

- Set IIS to only allow strong SSL
- Default Web Site Properties/Directory Security/Secure Communications/Edit
- This disallows unencrypted logins

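Once IIS is set to require strong SSL, the setting is only proven by connecting and looking at what was actually negotiated, which is what the browser connection dialogs on the "Now Test It!" slide show by hand. The script below is an added example, not from the slides: it connects with Python's standard ssl module, reads the negotiated (cipher, protocol, bits) tuple, and judges it against a policy that is this example's own assumption (128-bit minimum, no SSLv2/SSLv3/TLS 1.0/1.1, no NULL, export, RC4, DES or MD5 suites), not a setting the slides name. The verify=False switch exists only because the slides use a self-signed "test" certificate that browsers complain about.

```python
"""Probe a server and judge the negotiated TLS suite against a strong-crypto policy.
Added example, not from the slides; the policy constants are this example's assumptions."""
import socket
import ssl

MIN_BITS = 128
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that mark a suite as weak in OpenSSL-style cipher names.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5")


def is_strong(cipher_name, protocol, bits):
    """True only when the negotiated suite meets the policy above."""
    if bits is None or bits < MIN_BITS:
        return False
    if protocol in OBSOLETE_PROTOCOLS:
        return False
    upper = cipher_name.upper()
    return not any(marker in upper for marker in WEAK_MARKERS)


def judge(cipher):
    """cipher is the (name, protocol, bits) tuple that ssl.SSLSocket.cipher() returns."""
    name, protocol, bits = cipher
    return {"cipher": name, "protocol": protocol, "bits": bits,
            "strong": is_strong(name, protocol, bits)}


def probe(host, port=443, verify=True, timeout=5.0):
    """Connect and report what the server negotiated. verify=False is only for looking at
    your own probe behind a self-signed 'test' certificate; keep the default otherwise."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return judge(tls.cipher())


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    host = args[0] if args else "127.0.0.1"
    print(probe(host, verify="--no-verify" not in sys.argv))
```

Run "python tls_probe.py your.server.address --no-verify" while the test certificate is installed; a result with "strong": False means the server still accepts a suite the IIS edit was supposed to rule out.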
Checkpoint

At this point we should:
- Have an operational Snort probe
- Have strongly encrypted access

Test the connection
- https://insert.your.server.address
- Login using user/password
- Tell the browser to accept the certificate
- It may complain, but ignore it ☺

Cheap Firewall Protection

- We will demo BlackIce
  - Simple setup
- There are others
  - Sygate, Symantec, ZoneAlarm, etc.
- BlackIce is simple, cheap and effective
  - $40, a credit card and 20 minutes are all you need ☺

Quick & Dirty BlackIce

- Do a normal install (click/shoot)
- Once running we'll tweak two settings
- Right-click BlackIce in the system tray
- Bring up Properties and set Protection Level to Paranoid

Finishing BlackIce Setup

Using BlackIce to restrict clients
- Right-click BlackIce in the system tray
- Select "Advanced Firewall Settings"
- Now add specific addresses to allow
- Once done, simply "OK" all changes

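Both the "IIS Address Restrictions" slide and the BlackIce allow list above express the same rule: deny by default, allow only named addresses. The only way to know the rule holds is to look at who actually reached the console, which IIS records in its W3C extended log. The script below is an added example, not from the slides or from IIS or BlackIce: it implements that deny-by-default check with the standard ipaddress module and replays it over log lines; the allowlist networks and the log lines are constructed for the example.

```python
"""Audit who actually reached the ACID console. Added example, not from the slides: it
replays the deny-by-default allowlist from the 'IIS Address Restrictions' and
'Finishing BlackIce Setup' slides against IIS W3C extended log lines.
The allowlist networks and the log lines are constructed for this example."""
import ipaddress

# Constructed allowlist: the only networks that should ever reach the web GUI.
ALLOWED = [ipaddress.ip_network(n) for n in ("192.168.1.10/32", "10.0.0.0/24")]

# Constructed sample in IIS 5.0 W3C extended format; the '#Fields:' directive names the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-06-01 08:15:02 192.168.1.10 GET /acid/acid_main.php 200
2001-06-01 08:16:44 10.0.0.7 GET /acid/acid_main.php 200
2001-06-01 09:02:13 172.16.5.5 GET /acid/acid_main.php 403
2001-06-01 09:02:15 172.16.5.5 GET /acid/acid_stat_alerts.php 200
"""


def is_allowed(ip, allowed=ALLOWED):
    """Deny by default: an address passes only if it falls inside an allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in the '#Fields:' directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def audit(text, allowed=ALLOWED):
    """Return (client ip, uri, status) for every request from outside the allowlist."""
    return [
        (e["c-ip"], e["cs-uri-stem"], e["sc-status"])
        for e in parse_w3c_log(text)
        if not is_allowed(e["c-ip"], allowed)
    ]


def served_to_unexpected(text, allowed=ALLOWED):
    """The subset of audit() that got a 2xx: the restriction was bypassed or misconfigured."""
    return [hit for hit in audit(text, allowed) if hit[2].startswith("2")]


if __name__ == "__main__":
    for hit in audit(SAMPLE_LOG):
        print("unexpected client:", *hit)
```

A 403 from an unlisted address shows the IIS restriction doing its job; a 200 from one means a request got through and the IIS and BlackIce lists need to be compared against each other.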
Finished Probe Results

- Snort up and running
- Secure, web based GUI
- Economical firewall protection