Title: Project: Intrusion Detection
PROJECT: INTRUSION DETECTION
- Improving Your Security Skills
www.jayschulman.com info_at_jayschulman.com
Why This Project Is Important
- Unix/Linux: We're installing our system on Linux, so if you're not familiar with the operating system, you'll get some exposure.
- Open Source: Our toolset today is completely open source, so you'll get experience using an open source IDS platform.
- Cloud: I'm recommending you install this in the cloud. It will give you a relatively basic example of cloud computing.
- Threat Intelligence: You'll be monitoring the internet. I actually don't recommend you run anything on your host, so everything you see will be drive-by attacks. Nothing aimed at you specifically; these are just the mass-scanning types of attacks.
- Intrusion Detection: It's a foundational component of information security. In the grand scheme of things, most organizations have it under control.
Install: The Cloud
- If you install it on your home internet, you're viewing a specific traffic pattern that I don't think is necessarily representative of the Internet. Most attackers know the IP blocks of cable and DSL modems, so the attacks they're trying are geared toward home computing. For our exercise, I think seeing more commercial, service-based attacks is a better view of the internet.
- For these types of experiments, I recommend DigitalOcean. It's the $5 cloud. Their lowest cost server is $5 a month and you get root access to the server. If you sign up here, you'll actually get a $10 credit, so you can play around for two months. (Or run another experiment next month.)
Set Up DigitalOcean
- Each server is called a droplet, so we'll need to set up a droplet to get started. Click on Droplets and Create One.
- Give your droplet a name and select the $10 size. You can try to get it to run for $5, but you need more memory. You're also welcome to use a bigger server. You'll see that the server will get pretty slow the more data you collect. But my goal here is not to give you a lightning fast experience but to give you an educational experience for a few bucks.
Select Image Location
- Choose any location. For our experiment, it would be interesting to compare what New York attacks look like compared to Frankfurt or Toronto. It's great to pick something close, as it will be a bit faster, but really pick something that interests you from a threat intelligence perspective. I picked Singapore for my experiment and, FYI, it is slow from Chicago.
- Next select our image. If you're a Linux guru, pick anything you'd like. If not, the examples below will assume you're running Ubuntu. There are a few checkboxes at the end. I checked IPv6 for kicks, as I am curious what attacks are coming in on IPv6 versus IPv4. Again, education!
- Finally, complete your setup. You'll be provided with your IP address and password in an e-mail, and you'll need to change the password when you log in. Your first step is to log in using a terminal program. The most used and most boring program is PuTTY.
Update & Upgrade
- All of the commands will assume you're logged in as root. Which is a really bad idea. But this is an experiment and not the real world, so such is life. In most trusted environments, you'd want to log in as a user and sudo to root. You won't see that here.
- I trust Ubuntu's repositories, but I don't always trust that the version I got is updated. So the following commands will update our server to the latest versions of all of the software running on it.
> apt-get update
> apt-get upgrade
Install SNORT
- Our Intrusion Detection System will be Snort. It's the most documented and supported open source system out there and is relatively easy to install on Ubuntu.
- During the install, it will ask you for the protected subnet. You'll put in the IP address of your DigitalOcean server.
> apt-get install snort
Configure Rules
- A lot of interesting rules are turned off by default. Go to your favorite command line editor in Linux (vi, pico, etc.) and edit /etc/snort/snort.conf.
- In this file, you'll want to go WAY down to the end, where there are tons of include lines, one for each ruleset. If you see a # in front of the ruleset, it's been disabled. Remove the # to enable it. To start, turn on as much as you want. When it gets boring, turn it off and focus on what is interesting. See the example listing below.
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules
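As an added example (not from the deck), here is a small POSIX shell helper that does the same edit from the command line: it lists which ruleset includes in snort.conf are enabled or commented out, and uncomments the ones you name. It assumes the stock Ubuntu snort.conf layout shown above; the config path and ruleset names you pass are your own.

```shell
#!/bin/sh
# Added example (not from the original deck): enable commented-out Snort
# rulesets in snort.conf without opening an editor, then list their state.
# Assumes the stock Ubuntu layout, i.e. lines such as
#   # include $RULE_PATH/web-php.rules
# The config path and ruleset names are whatever you pass in (placeholders).

# Print each ruleset include line as "enabled <name>" or "disabled <name>".
list_rulesets() {
    conf="$1"
    awk '
        /^[ \t]*#?[ \t]*include[ \t]+\$(PREPROC_)?RULE_PATH\// {
            state = ($0 ~ /^[ \t]*#/) ? "disabled" : "enabled"
            n = split($NF, parts, "/")      # last path component is the file name
            print state, parts[n]
        }' "$conf"
}

# Remove the leading "#" from the include line of each named ruleset.
# Usage: enable_rulesets /etc/snort/snort.conf web-php.rules x11.rules
enable_rulesets() {
    conf="$1"; shift
    cp "$conf" "$conf.bak"              # keep a backup before touching the config
    for rule in "$@"; do
        # Only the include line whose file name matches exactly is uncommented.
        sed "s|^[[:space:]]*#[[:space:]]*\(include[[:space:]][[:space:]]*[\$][A-Z_]*RULE_PATH/$rule\)[[:space:]]*\$|\1|" \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    done
}

# Count how many rulesets are currently enabled (handy after a bulk edit).
count_enabled() {
    list_rulesets "$1" | grep -c '^enabled '
}
```

After enabling rules, run `snort -T -c /etc/snort/snort.conf` to confirm the configuration still parses before starting the sensor.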
Test SNORT
- You have the most basic version of Snort installed. At this point, I want to make sure you're seeing Snort find attacks. So let's run a command (see below).
- If all goes well, you should start seeing alerts on your screen for attacks. Side note: I did pick Singapore because, well, I thought I'd see a ton of attacks. I don't really. So if you don't see any alerts pop up, oops! Move on to the next step and move to your next level of learning. Just the fact that you got it looking for attacks is a success!
> snort -d -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0
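Once alerts are scrolling by, the next question is which signatures and which sources dominate. This added example (not part of the original deck) summarises saved console output with sed and awk; the alert lines it embeds are constructed samples in the format Snort's `-A console` mode prints, and the --demo flag and the alerts.log file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original deck): summarise what "snort -A console"
# printed, so "what is hitting this box?" has a quick answer.
# The lines in sample_alerts are constructed samples, not real captures.

sample_alerts() {
    cat <<'EOF'
03/15-14:02:11.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 198.51.100.7:51234
03/15-14:02:19.554010  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 203.0.113.9:1900 -> 198.51.100.7:1900
03/15-14:03:02.000871  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 203.0.113.9:1900 -> 198.51.100.7:1900
03/15-14:03:40.221400  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 198.51.100.7
03/15-14:04:05.778123  [**] [1:1384:8] MISC UPnP malformed advertisement [**] [Classification: Misc Attack] [Priority: 2] {UDP} 2001:db8::21:1900 -> 2001:db8::7:1900
EOF
}

# Count alerts per signature message (the text between the two "[**]" markers).
# Output: "<count><TAB><message>", most frequent first.
top_signatures() {
    sed -n 's/^.*\[\*\*\] \[[0-9]*:[0-9]*:[0-9]*\] \(.*\) \[\*\*\].*$/\1/p' "$1" \
        | sort | uniq -c | sort -rn \
        | awk '{ printf "%s\t", $1; $1 = ""; sub(/^ +/, ""); print }'
}

# Count alerts per source address: the field just before "->", with the
# trailing ":port" stripped (works for IPv4, IPv6 and port-less ICMP lines).
top_sources() {
    awk '{ for (i = 1; i < NF; i++) if ($(i + 1) == "->") { sub(/:[0-9]+$/, "", $i); print $i } }' "$1" \
        | sort | uniq -c | sort -rn \
        | awk '{ printf "%s\t", $1; $1 = ""; sub(/^ +/, ""); print }'
}

# Stand-alone run on the embedded samples. With a live sensor you would save the
# console output first (snort ... 2>&1 | tee alerts.log) and pass that file.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); sample_alerts > "$tmp"
    top_signatures "$tmp"; echo; top_sources "$tmp"; rm -f "$tmp"
fi
```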
PIVOT
- This is the point in time where you need to figure out what you want to learn next. Here are a couple of resources:
- Build a web front end for Snort using Snorby: http://blog.muhammadattique.com/installing-snorby-on-ubuntu-for-snort-with-barnyard2/
- Send all Snort alerts to a database and use BASE as a front end: http://computer-outlines.over-blog.com/article-nids-snort-barnyard2-apache2-base-with-ubuntu-14-04-lts-123532107.html
Are You Ready to Grow Your Security Career?
- Whether you're a seasoned security professional or trying to get into the field, I'll help you grow your career in security.
- SIGN UP NOW!