INTRUSION DETECTION SYSTEM - PowerPoint PPT Presentation

Title: INTRUSION DETECTION SYSTEM
Description: Implementation of an all-in-one IDS machine. Professor: Massimiliano Rak. Student: Pasquale Cirillo, Matr.: A18/45. The installation of the ...
Slides: 54

Transcript and Presenter's Notes

1
INTRUSION DETECTION SYSTEM
  • Implementation of an all-in-one IDS machine

Professor: Massimiliano Rak
Student: Pasquale Cirillo, Matr.: A18/45
2
SUMMARY
  • Objective
  • Security requirements
  • Intrusion Detection Systems
  • IDS classification
  • Sensor Soft-Hardening
  • NIDS/IPS: SNORT
  • Basic Analysis and Security Engine (BASE): SNORT
    web interface
  • Honeypot Systems
  • Honeypot classification
  • Nepenthes
  • Amun
  • SURFids
  • Antivirus Installation
  • Penetration Test
  • Penetration Testing Software Metasploit

3
Objective
  • Implement a Distributed Intrusion Detection
    System based on the SURFcert IDS project
  • Install honeypots to feed the IDS
  • Test the system

Assumptions
  • The Distributed Intrusion Detection System
    (D-IDS) considered is based on a client-server
    approach in which the client is called a sensor.
    A sensor typically contains a honeypot and/or a
    passive analysis tool such as Snort
  • Here, however, an all-in-one machine is used to
    simplify the installation and configuration of
    the tools: sensor, honeypots and server run on
    the same host

4
What is Security?
ISO 27001 AND ISO 27002 DEFINITION: information
security is all about protecting and preserving
information: its confidentiality, integrity,
authenticity, availability and reliability.
Security Objectives
  • Ensure the application of the CIA paradigm
  • Confidentiality: the information must be
    accessible only to authorized users
  • Integrity: the information must be modified only
    by authorized users; every other unauthorized
    modification must be blocked (or at least
    detected)
  • Availability: the information must always be
    available to authorized users, at the times and
    in the ways provided for by the security policies

5
Security Area
  • BRUCE SCHNEIER'S DEFINITION (Secrets and Lies)
  • Prevention: block any threat or attack
  • Detection: prevention eventually fails; detection
    aims to identify attacks in progress
  • Reaction: once an attack has been detected,
    respond to it (contain the attacker, recover the
    affected systems)

Attack Definition
  • An attack is any attempt to destroy, expose,
    alter, disable, steal or gain unauthorized
    access to, or make unauthorized use of, any
    tangible or intangible thing that has value to an
    organization
  • Passive attack: the attacker attempts to learn or
    make use of information from the system but does
    not affect system resources (e.g. eavesdropping)
  • Active attack: the attacker attempts to alter
    system resources or affect their operation

6
IDS Definition
An intrusion detection system (IDS) is a device
or software application that monitors network
and/or system activities for malicious activity
or policy violations and reports them to a
management station
IDS Components
  • Sensors: one or more sensors collect information
    from the network or from the monitored hosts
  • Console: used to monitor the status of the
    network and hosts and to review alerts
  • Engine: analyzes the data collected by the
    sensors and decides whether they indicate an
    intrusion
  • Database: the analysis engine relies on a
    database that stores the rules (signatures) used
    to identify security breaches, and the alerts
    produced

7
CIDF
  • The Common Intrusion Detection Framework (CIDF)
    is an effort to develop protocols and application
    programming interfaces so that intrusion
    detection research projects can share information
    and resources and so that intrusion detection
    components can be reused in other systems
  • Some of the ideas involved in CIDF have
    encouraged the creation of an Internet
    Engineering Task Force (IETF) working group,
    named the Intrusion Detection Working Group (IDWG)

CIDF Components
  • CIDF adopts a view of Intrusion Detection Systems
    in which they consist of discrete components
    which communicate via message passing
  • The four kinds of components exchange data in the
    form of generalized intrusion detection objects
    (gidos) which are represented via a standard
    common format

8
CIDF Components (continued)
  • Event generators (E-boxes) the role of an
    event generator is to obtain events from the
    larger computational environment outside the
    intrusion detection system and provide them in
    the CIDF gido format to the rest of the system
  • Event analyzers (A-boxes) they receive gidos
    from other components, analyze them, and return
    new gidos (which presumably represent some kind
    of synthesis or summary of the input events)
  • Event databases (D-boxes) these components
    simply exist to give persistence to CIDF gidos
  • Response units (R-boxes) they consume gidos
    which direct them to carry out some kind of
    action on behalf of other CIDF components, and
    they carry out this action. This includes such
    things as killing processes, resetting
    connections, altering file permissions, etc

9
IDS Classification
  • By data source
    NIDS (Network-Based IDS), HIDS (Host-Based IDS),
    Application-Based IDS, Hybrid IDS
  • By detection mechanism
    Misuse Detection, Anomaly Detection, Protocol
    Analysis
  • DIDS: Distributed IDS
  • IPS: Intrusion Prevention System

10
NIDS (1/2)
  • Objective
  • Monitor a network segment
  • Functioning
  • Put the network interface in promiscuous mode so
    that it receives every packet on the network
    segment, not only those addressed to the sensor
  • Analyze all network traffic looking for a match
    with known attack signatures, or for
    statistically anomalous traffic

11
NIDS (2/2)
  • Detects
  • Buffer overflows, format string attacks,
    transmission of suspicious files
  • Port scanning, SYN floods, attacks based on
    packet fragmentation
  • Spoofed IP addresses
  • Disadvantages
  • Cannot by itself block the flow of packets during
    an attack (detection only)
  • Cannot inspect encrypted traffic
  • Requires powerful hardware to keep up with high
    traffic volumes; packets dropped under load are
    never inspected
  • Problems with fragmented packets (reassembly
    ambiguities can be used to evade detection)
  • Detects intrusion attempts but cannot tell
    whether they succeeded on the target
  • Requires considerable storage to keep logs
  • Requires frequent signature updates

12
HIDS
  • Objective
  • Monitor and analyze a single host
  • Functioning
  • Analysis of system logs, audit logs, security
    logs, system calls and changes to the file system
  • For each monitored file, its attributes are
    stored together with a checksum computed with a
    hash function. The current attributes and
    checksum are periodically compared with the stored
    baseline to detect tampering
  • Advantages
  • Can tell whether an attack succeeded
  • Can analyze data that was encrypted on the wire,
    since it is inspected on the host after decryption
  • Disadvantages
  • Is itself exposed to attack: an attacker who gains
    administrative rights on the host can disable the
    HIDS or alter its baseline and logs
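As an added example (not code from the presentation), the script below shows the file-integrity half of a HIDS described on this slide: it fingerprints every file under a directory (mode bits, owner, size, SHA-256), then compares the live tree against that baseline and reports added, removed and modified files. The directory tree and the tampering are constructed in a temporary directory, so it runs offline; the file names are illustrative.

```python
"""File-integrity check of the kind a HIDS performs (added example)."""
import hashlib
import os
import stat
import tempfile


def file_fingerprint(path):
    """The attributes a HIDS stores per file: mode bits, owner, size and SHA-256."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "mode": stat.S_IMODE(st.st_mode),   # includes setuid/setgid/sticky bits
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "sha256": digest.hexdigest(),
    }


def build_baseline(root):
    """Fingerprint every regular file below root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue   # symlinks are skipped; their targets are fingerprinted in place
            baseline[os.path.relpath(path, root)] = file_fingerprint(path)
    return baseline


def compare(baseline, current):
    """Diff two baselines; for modified files list the attributes that changed."""
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            changed = sorted(k for k in baseline[rel] if baseline[rel][k] != current[rel][k])
            if changed:
                report["modified"][rel] = changed
    return report


def demo():
    """Constructed scenario: baseline, then a same-size trojaned binary with the
    setuid bit added, a dropped file and a deleted file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        ls_path = os.path.join(root, "bin", "ls")
        with open(ls_path, "wb") as fh:
            fh.write(b"original ls binary")
        os.chmod(ls_path, 0o755)
        with open(os.path.join(root, "etc_passwd"), "wb") as fh:
            fh.write(b"root:x:0:0:root:/root:/bin/bash\n")
        baseline = build_baseline(root)

        # Tampering. The replacement has the same length, so size alone would miss it.
        with open(ls_path, "wb") as fh:
            fh.write(b"trojaned ls binary")
        os.chmod(ls_path, 0o4755)
        with open(os.path.join(root, "bin", "rootkit"), "wb") as fh:
            fh.write(b"evil")
        os.remove(os.path.join(root, "etc_passwd"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as its storage: keep it off-host or signed, because an attacker with root on the monitored machine (the "exposed to attack" disadvantage above) can otherwise rewrite the baseline to match the tampered files.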

13
Application IDS
  • Objective
  • An application IDS works solely with a single
    application
  • Tends to be tailored to a specific product
  • Functioning
  • Reports when anomalous activity is detected,
    usually by analyzing the logs generated by the
    application

Hybrid IDS
  • Also known as NNIDS (Network Node IDS), a hybrid
    IDS is network-based but installed on a single
    host
  • Analyzes only the network traffic directed to the
    host it runs on
  • Advantage: since it sits on the endpoint, it can
    inspect traffic that was encrypted in transit
    once the host has decrypted it, before it reaches
    the application

14
Misuse Detection
  • Detects an intrusion with pattern-matching
    algorithms, which are the true engine of the IDS
  • Relies on a signature database that must be kept
    constantly up to date
  • Checks every incoming packet for a match with the
    signatures in the database
  • Stateful pattern matching is used to detect an
    attack whose payload string is split across
    multiple packets: segments are reassembled into
    the stream before matching
  • Advantages
  • Low number of false alarms
  • Disadvantages
  • High computational load
  • Attacks without a signature (new attacks and
    variants of known ones) are not recognized
  • Frequent updates of the database
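The stateful pattern matching point above, as an added example that is not part of the presentation: a stateless matcher checks each packet payload on its own and misses a signature the attacker splits across two TCP segments, while a matcher that first reassembles the flow by sequence number catches it. The signatures (a NOP sled standing in for a shellcode pattern) and the segments are constructed here.

```python
"""Signature matching with and without TCP stream reassembly (added example)."""

# Constructed signatures: a NOP sled as a stand-in for a shellcode pattern,
# and a classic sensitive-file string.
SIGNATURES = {
    "x86 NOP sled": b"\x90" * 8,
    "/etc/passwd access": b"/etc/passwd",
}


def match_payload(payload):
    """Stateless check: look for every signature inside one payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


class StreamReassembler:
    """Per-flow buffer of TCP segments keyed by sequence number."""

    def __init__(self):
        self.flows = {}   # (src, dst, sport, dport) -> {seq: payload}

    def add(self, flow, seq, payload):
        self.flows.setdefault(flow, {})[seq] = payload

    def stream(self, flow):
        """Join contiguous segments in sequence order; stop at the first hole
        so that data after a missing segment is not matched out of context."""
        segments = self.flows.get(flow, {})
        data = b""
        expected = None
        for seq in sorted(segments):
            if expected is not None and seq != expected:
                break
            data += segments[seq]
            expected = seq + len(segments[seq])
        return data


def match_stream(reassembler, flow):
    """Stateful check: match signatures against the reassembled stream."""
    return match_payload(reassembler.stream(flow))


def demo():
    flow = ("192.168.0.19", "192.168.0.20", 40000, 80)
    # Constructed attack: the 8-byte sled is split 5/3 across two segments,
    # and the second segment arrives before the first (out of order).
    seg1 = b"GET /cgi-bin/x?" + b"\x90" * 5
    seg2 = b"\x90" * 3 + b"AAAA HTTP/1.0\r\n"
    packets = [(1000 + len(seg1), seg2), (1000, seg1)]   # (seq, payload)

    per_packet = [match_payload(payload) for _seq, payload in packets]
    reassembler = StreamReassembler()
    for seq, payload in packets:
        reassembler.add(flow, seq, payload)
    return per_packet, match_stream(reassembler, flow)


if __name__ == "__main__":
    print(demo())
```

This is what Snort's stream preprocessor does before rule matching. Overlapping segments are the hard case: different operating systems keep different copies of overlapping data, so a target-based reassembler must resolve the overlap the way the destination host will, otherwise the attacker can feed the IDS one version and the victim another.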

15
Anomaly Detection
  • Searches for abnormal behavior that deviates from
    a model of the system's normal operation
  • Requires a learning phase
  • Self learning: the model is learned from
    examples of normal traffic
  • Programmed learning: the model is built by hand
    and requires in-depth mathematical knowledge
  • Advantages
  • Very flexible technique
  • Can detect unknown attacks
  • Disadvantages
  • High number of false alarms (any legitimate change
    in behavior looks like an attack)
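A self-learning detector of the kind described above, as an added example (not from the presentation): the learning phase records how many new connections each host opens per minute, and scoring flags a minute whose count is more than k standard deviations above that host's learned mean. The hosts, the learning data and the test observations are constructed; the last case shows the false-alarm problem, a legitimate burst on a quiet host.

```python
"""Self-learning anomaly detection on per-host connection rates (added example)."""
import statistics


class RateAnomalyDetector:
    """Learns mean and spread of new connections per minute for each host, then
    flags observations more than k standard deviations above the mean."""

    def __init__(self, k=3.0, min_samples=10):
        self.k = k
        self.min_samples = min_samples
        self.model = {}   # host -> (mean, stdev)

    def learn(self, training):
        """training: {host: [connections per minute, ...]} from a period believed
        clean. If that period already contains an attack, the attack becomes 'normal'."""
        for host, counts in training.items():
            if len(counts) < self.min_samples:
                continue   # too little history: no model, and therefore no alerts
            mean = statistics.mean(counts)
            stdev = statistics.pstdev(counts) or 1.0   # constant hosts get a unit width
            self.model[host] = (mean, stdev)

    def score(self, host, count):
        """z-score of one observation, or None for a host with no model."""
        if host not in self.model:
            return None
        mean, stdev = self.model[host]
        return (count - mean) / stdev

    def is_anomalous(self, host, count):
        z = self.score(host, count)
        return z is not None and z > self.k


def demo():
    detector = RateAnomalyDetector(k=3.0)
    # Constructed learning data: a workstation (about 4 connections/min) and the
    # web server (about 40/min, noisier); twelve one-minute samples each.
    training = {
        "192.168.0.30": [3, 4, 5, 4, 3, 4, 5, 4, 4, 3, 5, 4],
        "192.168.0.20": [35, 42, 38, 45, 40, 37, 44, 39, 41, 36, 43, 40],
    }
    detector.learn(training)
    return {
        "workstation at 48/min (scan)": detector.is_anomalous("192.168.0.30", 48),
        "server at 48/min (busy hour)": detector.is_anomalous("192.168.0.20", 48),
        "workstation at 8/min (update run)": detector.is_anomalous("192.168.0.30", 8),
        "unknown host at 48/min": detector.is_anomalous("192.168.0.99", 48),
    }


if __name__ == "__main__":
    for case, flagged in demo().items():
        print("%-36s %s" % (case, "ALERT" if flagged else "ok"))
```

The same absolute rate (48/min) is an alert for the workstation and normal for the server, which is the point of per-host models; the 8/min case is a false positive, and a host never seen in training produces no alert at all, so the learning period has to cover every host and every legitimate behavior you expect to see.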

16
Protocol Analysis
  • Based on checking traffic against the technical
    specifications of the protocols defined in the
    RFCs
  • Generates an alarm for each violation of the
    standard protocol, e.g. a SYN flood (handshakes
    started but never completed)
  • Advantages
  • Lower number of false alarms
  • Disadvantages
  • Handling of ambiguities in the RFCs (different
    implementations resolve them differently)
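Two protocol-analysis checks on TCP, as an added example that is not from the presentation: flag combinations no conforming stack ever sends (the basis of null and SYN/FIN scan detection), and the SYN-flood case from the slide, detected by counting per-destination handshakes that were started with a SYN but never completed with an ACK or aborted with a RST. The packets are constructed tuples rather than captured traffic.

```python
"""Protocol-analysis checks on TCP: illegal flag combinations and half-open
(SYN flood) accounting (added example)."""
from collections import defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def flag_violation(flags):
    """Return a reason if the flag set is one no conforming stack sends, else None."""
    if flags == 0:
        return "no flags set (null scan)"
    if flags & SYN and flags & FIN:
        return "SYN and FIN set together"
    if flags & SYN and flags & RST:
        return "SYN and RST set together"
    return None


class SynFloodDetector:
    """Counts handshakes toward each destination that were started (SYN) but
    never completed (ACK) or aborted (RST); alerts above a threshold."""

    def __init__(self, threshold=100):
        self.threshold = threshold
        self.half_open = defaultdict(set)   # dst -> {(src, sport, dport)}

    def observe(self, src, sport, dst, dport, flags):
        """Feed one client-to-server packet; return True if dst is under a flood."""
        key = (src, sport, dport)
        if flags & SYN and not flags & ACK:
            self.half_open[dst].add(key)          # handshake started
        elif (flags & ACK and not flags & SYN) or flags & RST:
            self.half_open[dst].discard(key)      # completed or aborted
        return len(self.half_open[dst]) > self.threshold


def demo():
    detector = SynFloodDetector(threshold=3)
    # Constructed traffic: one legitimate client completes its handshake, then
    # five spoofed sources send a SYN each and never answer the SYN-ACK.
    detector.observe("192.168.0.19", 40000, "192.168.0.20", 80, SYN)
    detector.observe("192.168.0.19", 40000, "192.168.0.20", 80, ACK)
    alerts = [
        detector.observe("10.0.0.%d" % i, 1234, "192.168.0.20", 80, SYN)
        for i in range(1, 6)
    ]
    violations = [flag_violation(f) for f in (SYN, SYN | FIN, 0, ACK, SYN | RST)]
    return alerts, violations, len(detector.half_open["192.168.0.20"])


if __name__ == "__main__":
    print(demo())
```

A production detector counts half-open entries per time window and ages them out, otherwise a slow trickle of lost SYNs eventually trips the threshold. The RFC-ambiguity disadvantage shows up as soon as the checks go beyond flags: stacks disagree on details such as data carried in a SYN or overlapping segments, so a check that is strict for one implementation is a false alarm for another.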

17
DIDS
  • Consists of sensors and a central monitoring
    system
  • Each sensor generates logs that track the attacks
    and sends them to the central system
  • The central system collects the data and builds a
    global repository
  • Communication between the sensors and the central
    system goes over an encrypted VPN
  • Disadvantages
  • Sensor heterogeneity requires a standard
    communication interface
  • Inherits all the disadvantages of the IDS sensors

18
IPS
  • Evolution of the IDS
  • To add prevention to the normal capabilities of
    an IDS, the IPS is placed in-line and implements
    mechanisms to block malicious traffic in real
    time
  • Capabilities
  • Block the intrusion through actions such as
    terminating a network connection
  • Change the security policies when an attack is
    detected

19
System Architecture
All-in-one machine: IP 192.168.0.20
Attacker: IP 192.168.0.19
  • The all-in-one machine consists of a NIDS and
    two honeypots that run alternately, never at the
    same time, since they listen on the same ports.
    BASE and SURFnet IDS have been installed to
    provide a web interface to analyze the IDS logs
  • On the attacker machine the Metasploit
    penetration testing software has been used to
    perform a penetration test

20
Sensor Soft-Hardening (1/2)
  • Set permission 500 on wget, curl, GET, links,
    ftp and telnet, so that only root can run the
    tools an intruder would use to download a second
    stage
  • root@allinone:/# whereis wget curl GET links lynx
    ftp tftp telnet
  • wget: /usr/bin/wget /usr/bin/X11/wget
    /usr/share/man/man1/wget.1.gz
  • curl: /usr/bin/curl /usr/bin/X11/curl
    /usr/share/man/man1/curl.1.gz
  • GET: /usr/bin/GET /usr/bin/X11/GET
    /usr/share/man/man1/GET.1p.gz
  • links: /usr/bin/links /usr/bin/X11/links
    /usr/share/man/man1/links.1.gz
  • lynx:
  • ftp: /usr/bin/ftp /usr/bin/X11/ftp
    /usr/share/man/man1/ftp.1.gz
  • tftp:
  • telnet: /usr/bin/telnet /usr/bin/telnet.netkit
    /usr/bin/X11/telnet /usr/bin/X11/telnet.netkit
    /usr/share/man/man1/telnet.1.gz
  • root@allinone:/usr/bin# chmod 500 wget curl GET links
    ftp telnet.netkit
  • (lynx and tftp are not installed; telnet is an
    alternatives symlink to telnet.netkit, which is
    why the real binary is the one restricted)
  • Install Rootkit Hunter and start a scan
  • Ref. http://www.lifelinux.com/how-to-install-rootkit-hunter/
  • Install the Fail2Ban script
  • root@allinone:/# apt-get install fail2ban
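A check for the permission lock-down above, as an added example that is not from the presentation: it resolves each of the tools the slide looks up with whereis and reports which are at mode 500 or stricter, which are still executable by other users, and which are not installed. The tool list is the slide's; the directory tree is a constructed temporary stand-in for /usr/bin, so the check runs without touching the real system.

```python
"""Check that the download clients restricted on the sensor are still mode 500
or stricter (added example)."""
import os
import stat
import tempfile

# The tools the slide looks up with whereis.
DOWNLOAD_TOOLS = ["wget", "curl", "GET", "links", "lynx", "ftp", "tftp",
                  "telnet", "telnet.netkit"]


def locked_down(path):
    """True when no permission bit beyond owner read/execute is set (mode 500 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o277 == 0


def audit(search_dirs, tools=DOWNLOAD_TOOLS):
    """Resolve each tool in the given directories (as whereis would) and classify it."""
    result = {"ok": [], "open": [], "missing": []}
    for tool in tools:
        found = [os.path.join(d, tool) for d in search_dirs
                 if os.path.isfile(os.path.join(d, tool))]
        if not found:
            result["missing"].append(tool)
            continue
        for path in found:
            (result["ok"] if locked_down(path) else result["open"]).append(path)
    return result


def demo():
    """Constructed /usr/bin stand-in: wget and telnet.netkit locked down, curl left at 755."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        for name, mode in (("wget", 0o500), ("curl", 0o755), ("telnet.netkit", 0o500)):
            path = os.path.join(bindir, name)
            with open(path, "wb") as fh:
                fh.write(b"#!/bin/sh\n")
            os.chmod(path, mode)
        report = audit([bindir])
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for status, names in demo().items():
        print(status, names)
```

On the sensor itself, call audit(["/usr/bin", "/usr/bin/X11"]). Mode 500 is a speed bump, not a barrier: an attacker who lands a shell can still fetch files with python, perl or bash's /dev/tcp, or upload a client of their own, so the honeypot has to be isolated from the rest of the network regardless.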

21
Sensor Soft-Hardening (2/2)
  • Configure /etc/fail2ban/fail2ban.conf
  • Set the log file path: logtarget = /var/log/fail2ban.log
  • and /etc/fail2ban/jail.conf
  • [DEFAULT]
  • bantime = 3600
  • [ssh]
  • enabled = true
  • port = ssh
  • filter = sshd
  • logpath = /var/log/auth.log
  • maxretry = 3
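What the jail above does with those settings, as an added example that is not fail2ban's own code: failures per source IP are counted within a findtime window, the IP is banned once maxretry (3) is reached, and the ban is lifted after bantime (3600 s). The auth.log lines are constructed samples in OpenSSH/syslog format, and the regular expression is a simplified version of fail2ban's sshd filter.

```python
"""Ban logic of the [ssh] jail above, reimplemented for illustration (added
example, not fail2ban's own code)."""
import re
from datetime import datetime, timedelta

# Simplified form of fail2ban's sshd filter: OpenSSH "Failed password" lines.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_ts(text, year=2012):
    """syslog timestamps carry no year; assume one (2012, the year of the sl
ides)."""
    return datetime.strptime("%d %s" % (year, text), "%Y %b %d %H:%M:%S")


class Jail:
    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = {}   # ip -> timestamps of recent failures
        self.bans = {}       # ip -> datetime when the ban expires

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is not None and now >= expiry:
            del self.bans[ip]   # bantime elapsed: the firewall rule would be removed here
            return False
        return expiry is not None

    def feed(self, line):
        """Process one auth.log line; return the IP if this line triggered a ban."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if self.is_banned(ip, ts):
            return None
        window = [t for t in self.failures.get(ip, [])
                  if (ts - t).total_seconds() <= self.findtime]
        window.append(ts)
        self.failures[ip] = window
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + timedelta(seconds=self.bantime)   # iptables DROP would go here
            self.failures[ip] = []
            return ip
        return None


# Constructed auth.log excerpt in OpenSSH/syslog format.
SAMPLE_LOG = """\
Dec  7 23:20:01 allinone sshd[2101]: Failed password for invalid user admin from 192.168.0.19 port 51234 ssh2
Dec  7 23:20:05 allinone sshd[2101]: Failed password for root from 192.168.0.19 port 51236 ssh2
Dec  7 23:20:09 allinone sshd[2103]: Accepted password for pasquale from 192.168.0.30 port 51240 ssh2
Dec  7 23:20:12 allinone sshd[2105]: Failed password for root from 192.168.0.19 port 51238 ssh2
Dec  7 23:20:15 allinone sshd[2107]: Failed password for root from 192.168.0.19 port 51240 ssh2
Dec  7 23:45:00 allinone sshd[2200]: Failed password for root from 10.0.0.5 port 40000 ssh2
Dec  8 00:25:00 allinone sshd[2300]: Failed password for root from 192.168.0.19 port 52000 ssh2
"""


def demo():
    jail = Jail(maxretry=3, findtime=600, bantime=3600)
    lines = SAMPLE_LOG.splitlines()
    events = [jail.feed(line) for line in lines[:6]]
    banned_at_midnight = jail.is_banned("192.168.0.19", parse_ts("Dec  8 00:00:00"))
    events.append(jail.feed(lines[6]))   # 00:25, after the one-hour ban has expired
    banned_afterwards = jail.is_banned("192.168.0.19", parse_ts("Dec  8 00:25:01"))
    return events, banned_at_midnight, banned_afterwards


if __name__ == "__main__":
    print(demo())
```

The ban is keyed on the source address, so an attacker who rotates sources (or spreads three attempts over more than findtime) never reaches maxretry; on a sensor that is deliberately exposed, key-only SSH authentication is the stronger control and fail2ban is there to keep the log noise down.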

22
SNORT (1/3)
  • Snort is an open source network intrusion
    prevention and detection system (IDS/IPS)
  • Combines the benefits of signature, protocol and
    anomaly-based inspection
  • Install Snort with MySQL support
  • root@allinone:/# apt-get install snort-mysql
  • Configure /etc/snort/snort.conf
  • Setup the network addresses you are protecting
  • ipvar HOME_NET 192.168.0.20/32
  • ipvar EXTERNAL_NET !$HOME_NET
  • List of the ports you run web servers on
  • portvar HTTP_PORTS 80
  • List of ports you want to look for SHELLCODE on
  • portvar SHELLCODE_PORTS !80
  • Path to your rules files
  • var RULE_PATH /etc/snort/rules
  • Target-based IP defragmentation
  • preprocessor frag3_global: max_frags 65536

23
SNORT (2/3)
  • ...
  • Detect anomalies ("policy linux" makes frag3 and
    stream5 resolve overlapping fragments and
    segments the way the Linux target does, so that
    ambiguous overlaps cannot be used to evade
    inspection)
  • preprocessor frag3_engine: policy linux
    detect_anomalies
  • preprocessor stream5_global: max_tcp 8192,
    track_tcp yes, track_udp no
  • preprocessor stream5_tcp: policy linux,
    use_static_footprint_sizes
  • HTTP normalization and anomaly detection
  • preprocessor http_inspect: global iis_unicode_map
    unicode.map 1252
  • preprocessor http_inspect_server: server default
    profile all ports { 80 8080 } oversize_dir_length
    500
  • FTP/Telnet normalization and anomaly detection
  • preprocessor ftp_telnet: global encrypted_traffic
    yes inspection_type stateful
  • preprocessor ftp_telnet_protocol: telnet
    normalize ayt_attack_thresh 200
  • Portscan detection
  • preprocessor sfportscan: proto { all } scan_type
    { all } memcap { 10000000 } sense_level { high }
    logfile { pscan }
  • Database parameters (the password is stored in
    clear text, so keep snort.conf readable by root
    and the snort user only)
  • output database: log, mysql, user=snort
    password=XXX dbname=snort host=localhost
  • Site specific rules
  • include $RULE_PATH/local.rules
  • include $RULE_PATH/bad-traffic.rules
  • include $RULE_PATH/exploit.rules

24
SNORT (3/3)
  • Create the Snort database
  • root@allinone:/# mysql -u root
  • mysql> set password for root@localhost=password('PASSWD_ROOT');
  • mysql> create database snort;
  • mysql> grant insert,select on root.* to snort@localhost;
  • mysql> set password for snort@localhost=password('PASSWD_SNORT');
  • mysql> grant create,delete,insert,select,update on
    snort.* to snort@localhost;
  • mysql> grant create,delete,insert,select,update on
    snort.* to snort;
  • mysql> exit
  • (the last grant, with no host part, creates the
    user snort@'%', reachable from any host; drop it
    if MySQL only needs to accept local connections)
  • Download and import the Snort DB schema
  • root@allinone:/# mysql -u root -p -D snort < create_mysql
  • Create an init script in /etc/init.d
  • #!/bin/sh -e
  • snort -c /etc/snort/snort.conf -D -u snort -g
    snort -y
  • Start SNORT
  • root@allinone:/# snort -c /etc/snort/snort.conf
    -D -u snort -g snort -y

25
BASE (1/2)
  • BASE (Basic Analysis and Security Engine) is a
    web interface to analyze the intrusions that
    Snort has detected on the network
  • Download BASE and install it in the web server
    webroot
  • root@allinone:/BASE/base-1.4.5# mkdir /var/www/base
  • root@allinone:/BASE/base-1.4.5# mv * /var/www/base
  • Install dependencies
  • root@allinone:/# apt-get install libphp-adodb
    php5-gd php-pear
  • root@allinone:/# pear install Image_Color
  • root@allinone:/# pear install Image_Canvas-alpha
  • root@allinone:/# pear install Image_Graph-alpha
  • Download and install ADOdb (database abstraction
    library for PHP)
  • Ref. http://adodb.sourceforge.net/

26
BASE (2/2)
  • Configure base_conf.php (the file name BASE
    reads; the .dist template is renamed to it)
  • root@allinone:/var/www/base# mv base_conf.php.dist base_conf.php
  • $BASE_urlpath = "/base";
  • $DBlib_path = "/var/www/adodb/";
  • $DBtype = "mysql";
  • $alert_dbname = "snort";
  • $alert_host = "localhost";
  • $alert_port = "";
  • $alert_user = "snort";
  • $alert_password = "passwd_snortdb";
  • Add the dynamic extensions in /etc/php5/apache2/php.ini
  • extension=mysql.so
  • extension=gd.so
  • Restart Apache2 and start BASE
  • Caveat: base_conf.php holds the database password
    and /var/www/adodb/ sits inside the webroot; keep
    the file unreadable to other local users and put
    authentication in front of the /base URL before
    exposing it beyond the management network

27
Honeypot
  • Honeypot: literally, a jar of honey (Italian:
    barattolo di miele)
  • What is a honeypot?
  • Hardware or software that works as bait or trap
    for potential attackers or malware
  • Provides services that are open and visible from
    the Internet and easy to break into
  • Allows identifying and analyzing attacks,
    intrusion techniques, flaws in the system and
    malicious code
  • Advantages
  • Quality and quantity of the information it
    collects: any traffic to a honeypot is suspect by
    definition
  • Low number of false positives compared to an IDS
  • Disadvantages
  • It may itself be compromised and therefore bring
    risk to the infrastructure that hosts it

28
Honeypot Classification
  • Scope
  • Production honeypots are used to protect
    organizations in real production environments.
    They are deployed alongside the data networks or
    IT infrastructure and are subject to constant
    attacks, 24/7
  • Research honeypots are not deployed with the
    objective of protecting networks. They are
    educational resources of a demonstrative and
    research nature, aimed at studying all sorts of
    attack patterns and threats
  • Interaction Level
  • Low-interaction honeypots work exclusively by
    emulating operating systems and services. The
    attacker's activity is limited by the level and
    quality of the honeypot's emulation
  • High-interaction honeypots are a more complex
    solution because they involve real operating
    systems and applications on real hardware,
    without using emulation software

29
Considerations on Honeypots
  • Advantages
  • Clean logs
  • Minimal resources when it offers emulated
    services
  • The true value of a honeypot for a company shows
    when it demonstrates that the security measures
    adopted have not been enough to keep out the bad
    guys
  • Disadvantages
  • Cannot detect events in which it is not the
    recipient: it only sees attacks directed at
    itself
  • It is a system designed to be attacked; if not
    well configured and isolated it can become a
    point of entry for the attacker
  • The attacker can disable the honeypot and/or
    alter its log files
  • Violation: the attacker can use the honeypot as a
    platform for illegal activities against third
    parties

30
Nepenthes (1/4)
  • Nepenthes is a low-interaction honeypot and a
    versatile tool to collect malware
  • It acts passively by emulating known
    vulnerabilities and downloading the malware that
    tries to exploit them
  • Install Nepenthes
  • root@allinone:/# apt-get install nepenthes
  • Configure /etc/nepenthes/nepenthes.conf
  • The sqlhandler and log-surfnet lines must be
    added to the modules list
  • // SQL handler
  • "sqlhandlerpostgres.so", "", ""
  • // logging
  • "logdownload.so", "log-download.conf", ""
  • // "logirc.so", "log-irc.conf", "" // needs
    configuration
  • "logsurfnet.so", "log-surfnet.conf", "" // needs
    configuration

31
Nepenthes (2/4)
  • Activate the preferred vulnerability modules
  • "vulnbagle.so", "vulnbagle.conf", ""
  • "vulndameware.so", "vulndameware.conf", ""
  • "vulndcom.so", "vulndcom.conf", ""
  • "vulnftpd.so", "vulnftpd.conf", ""
  • "vulniis.so", "vulniis.conf", ""
  • Configure /etc/nepenthes/vulniis.conf
  • vulniis
    {
      ports ("443", "8080");
      accepttimeout "30";
    };
  • Modify /etc/nepenthes/log-surfnet.conf
  • server "127.0.0.1"; // must be an IP address
  • user "nepenthes";

32
Nepenthes (3/4)
  • Create an init script in /etc/init.d (kills a
    running instance, then starts Nepenthes as its
    own user, chrooted)
  • #!/bin/sh
    check=$(ps -ef | grep -v grep | grep -v init.d | grep -v postgres | grep nepenthes | wc -l)
    echo "CHECK $check"
    if [ "$check" != 0 ]; then
      neppid=$(ps -ef | grep -v grep | grep -v init.d | grep -v postgres | grep nepenthes | grep none | awk '{print $2}' | head -n1)
      echo "PID $neppid"
      kill -9 "$neppid"
    fi
    /bin/nepenthes -u nepenthes -g nepenthes -l none -R -D --chroot=/etc/nepenthes
  • Start Nepenthes
  • root@allinone:/bin# nepenthes -u nepenthes -g
    nepenthes -l none -R -D --chroot=/etc/nepenthes

33
Nepenthes (4/4)
  • The attacker starts nmap
  • root@attacker:/home/attacker# nmap -sS -PN -v
    192.168.0.20
  • Starting Nmap 5.21 ( http://nmap.org ) at
    2012-12-07 23:23 CET
  • Initiating ARP Ping Scan at 23:23
  • Scanning 192.168.0.20 [1 port]
  • Completed ARP Ping Scan at 23:23, 0.04s elapsed
    (1 total hosts)
  • Initiating Parallel DNS resolution of 1 host. at
    23:23
  • Completed Parallel DNS resolution of 1 host. at
    23:23, 0.04s elapsed
  • Initiating SYN Stealth Scan at 23:23
  • Scanning 192.168.0.20 [1000 ports]
  • Discovered open port 1025/tcp on 192.168.0.20
  • Discovered open port 135/tcp on 192.168.0.20
  • Discovered open port 445/tcp on 192.168.0.20
  • Discovered open port 143/tcp on 192.168.0.20
  • Discovered open port 139/tcp on 192.168.0.20
  • Discovered open port 80/tcp on 192.168.0.20
  • Discovered open port 110/tcp on 192.168.0.20
  • Discovered open port 443/tcp on 192.168.0.20

Completed SYN Stealth Scan at 23:23, 1.17s
elapsed (1000 total ports)
Nmap scan report for 192.168.0.20
Host is up (0.000094s latency).
Not shown: 976 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
42/tcp   open  nameserver
80/tcp   open  http
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
465/tcp  open  smtps
993/tcp  open  imaps
995/tcp  open  pop3s
1023/tcp open  netvenuechat
1025/tcp open  NFS-or-IIS
2103/tcp open  zephyr-clt
(the port table in the transcript is truncated: 24
ports are reported open but only 17 rows survive)
34
Amun (1/4)
  • Amun is a low-interaction honeypot written in
    Python
  • Like Nepenthes, it has a modular design
  • Amun Kernel
  • Request Handler
  • Vulnerability Modules
  • Shellcode Analyzer
  • Download Modules
  • Logging Modules
  • Install Amun
  • Some additional Python modules are needed (the
    PostgreSQL adapter for Python)
  • root@allinone:/# apt-get install python-psycopg2
  • Download the package from the Subversion
    repository of Amun
  • cd /opt/
  • svn co https://amunhoney.svn.sourceforge.net/svnroot/amunhoney amunhoney
  • cd /opt/amunhoney

35
Amun (2/4)
  • Configure /opt/amunhoney/conf/amun.conf
  • If you also run another honeypot, comment out the
    modules listening on the same ports
  • Define the ports for the vulnerability modules
  • (can be changed while running)
  • You will also need to uncomment the modules in
    the vuln_modules section
  • vuln_modules: vuln-ms08067,
  • SURFids
  • In the log_modules section uncomment the
    log-surfnet module
  • Define the logging modules
  • log_modules: log-surfnet,
  •              log-syslog
  • Configure /opt/amunhoney/conf/log-surfnet.conf
  • [Log-Surfnet]
  • sensorIP: 127.0.0.1

36
Amun (3/4)
  • PGHost: enter-ip-database
  • PGPort: 5432
  • PGUser: nepenthes
  • PGPass: enter-your-password
  • PGDB: idsserver
  • To download binaries to the normal SURFids
    location
  • cd /opt/amunhoney/malware
  • mv md5sum md5sum.orig
  • ln -s /opt/surfnetids/binaries md5sum
  • Change the file
    /opt/amunhoney/submit_modules/submitmd5/submit_md5.py
  • modify
  • filename = "malware/md5sum/%s.bin" % (md5hash)
  • into
  • filename = "malware/md5sum/%s" % (md5hash)
  • Start Amun

37
Amun (4/4)
  • The attacker starts nmap
  • root@attacker:/home/attacker# nmap -sS -PN -v
    192.168.0.20
  • Starting Nmap 5.21 ( http://nmap.org ) at
    2012-12-09 18:18 CET
  • Initiating ARP Ping Scan at 18:18
  • Scanning 192.168.0.20 [1 port]
  • Completed ARP Ping Scan at 18:18, 0.01s elapsed
    (1 total hosts)
  • Initiating Parallel DNS resolution of 1 host. at
    18:18
  • Completed Parallel DNS resolution of 1 host. at
    18:18, 0.05s elapsed
  • Initiating SYN Stealth Scan at 18:18
  • Scanning 192.168.0.20 [1000 ports]
  • Discovered open port 23/tcp on 192.168.0.20
  • Discovered open port 443/tcp on 192.168.0.20
  • Discovered open port 1025/tcp on 192.168.0.20
  • Discovered open port 80/tcp on 192.168.0.20
  • Discovered open port 8080/tcp on 192.168.0.20
  • Discovered open port 587/tcp on 192.168.0.20
  • Discovered open port 143/tcp on 192.168.0.20
  • Discovered open port 110/tcp on 192.168.0.20
  • Discovered open port 22/tcp on 192.168.0.20
  • Discovered open port 139/tcp on 192.168.0.20
  • Discovered open port 445/tcp on 192.168.0.20
  • Discovered open port 554/tcp on 192.168.0.20
  • Discovered open port 42/tcp on 192.168.0.20
  • Discovered open port 1023/tcp on 192.168.0.20
  • Discovered open port 1080/tcp on 192.168.0.20

Completed SYN Stealth Scan at 18:18, 1.31s
elapsed (1000 total ports)
Nmap scan report for 192.168.0.20
Host is up (0.00028s latency).
Not shown: 966 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
23/tcp  open  telnet
25/tcp  open  smtp
42/tcp  open  nameserver
80/tcp  open  http
110/tcp open  pop3
135/tcp open  msrpc
139/tcp open  netbios-ssn
143/tcp open  imap
443/tcp open  https
445/tcp open  microsoft-ds
554/tcp open  rtsp
587/tcp open  submission
617/tcp open  sco-dtmgr
(the port table in the transcript is truncated: 34
ports are reported open but only 15 rows survive)
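The two scans above are the practical way to verify which emulated services each honeypot configuration actually listens on. As an added example (not from the presentation), the script below parses the port tables of the two nmap reports, in Nmap 5.21's "PORT STATE SERVICE" text format, and diffs the open-port sets. The two inputs are the rows transcribed from the Nepenthes and Amun scans, both truncated as in the transcript; the service names are nmap's port-table guesses, not fingerprints of the emulation.

```python
"""Diff of the open ports the two honeypot configurations exposed, parsed from
the nmap port tables above (added example)."""
import re

PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")

# Port tables as transcribed from the two scans (both are truncated in the
# transcript: nmap reported 24 and 34 open ports respectively).
NEPENTHES_SCAN = """\
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
42/tcp   open  nameserver
80/tcp   open  http
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
465/tcp  open  smtps
993/tcp  open  imaps
995/tcp  open  pop3s
1023/tcp open  netvenuechat
1025/tcp open  NFS-or-IIS
2103/tcp open  zephyr-clt
"""

AMUN_SCAN = """\
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
23/tcp  open  telnet
25/tcp  open  smtp
42/tcp  open  nameserver
80/tcp  open  http
110/tcp open  pop3
135/tcp open  msrpc
139/tcp open  netbios-ssn
143/tcp open  imap
443/tcp open  https
445/tcp open  microsoft-ds
554/tcp open  rtsp
587/tcp open  submission
617/tcp open  sco-dtmgr
"""


def parse_open_ports(report):
    """Return {'port/proto': service} for every row in state 'open'."""
    ports = {}
    for line in report.splitlines():
        m = PORT_RE.match(line.strip())
        if m and m.group("state") == "open":
            ports["%s/%s" % (m.group("port"), m.group("proto"))] = m.group("service")
    return ports


def _by_port(entry):
    return int(entry.split("/")[0])


def diff_scans(first, second):
    a, b = parse_open_ports(first), parse_open_ports(second)
    return {
        "common": sorted(set(a) & set(b), key=_by_port),
        "only_first": sorted(set(a) - set(b), key=_by_port),
        "only_second": sorted(set(b) - set(a), key=_by_port),
    }


def demo():
    return diff_scans(NEPENTHES_SCAN, AMUN_SCAN)


if __name__ == "__main__":
    for key, ports in demo().items():
        print(key, ports)
```

Two of the common ports are most likely not emulation at all: 22 is the sensor's own sshd (the one the fail2ban jail watches) and 80 the Apache instance serving BASE, which is consistent with the vuln-iis module being moved to 443 and 8080. A sensor should not expose its management services on the interface it baits attackers with; bind them to a separate management address or filter them from the honeypot-facing side.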
38
SURFIDS
  • SURFids is a Distributed Intrusion Detection
    framework
  • It is based on the following design rules
  • The sensor should run out-of-the-box
  • The sensor should be completely passive and
    therefore maintenance free
  • The D-IDS should not generate any false positive
    alerts
  • A sensor should be able to run in a standard LAN
  • Comparison of statistics generated by sensors and
    groups of sensors should be possible
  • The detection tools are installed on a central
    server (called the tunnel server)
  • Distributed sensors connect to the tunnel server
    and tunnel all their layer 2 and higher traffic
    to it
  • All information is presented to the users by a
    web interface (logging server)

39
SURFIDS Components
  • Tunnel/Honeypot Server
  • The tunnel end-point on the server is called a
    tap device
  • Tap device is a virtual interface which delivers
    the traffic from the tunnel on the server. The
    tap device will receive an IP address from the
    client network address pool. This will make the
    server virtually present in the client network
  • Sensor
  • The only purpose of the sensor is to be a
    transparent bridge between the client network and
    the tunnel/honeypot server
  • The sensor manages the creation and destruction
    of the tunnel that is used to connect the
    tunnel/honeypot server to the client network
  • Logging Server
  • The logging server consists of two parts, the
    database and a web interface
  • The database is used to store the analysis
    information from the honeypot server. This
    information is presented to the users by a web
    interface

40
SURFIDS Installation (1/6)
  • Logging Server Installation
  • Add the SURFids key to your local key chain
  • wget -q http://repo.ids.surfnet.nl/key.pub -O- | sudo apt-key add -
  • Create a file /etc/apt/sources.list.d/surfids.list
    with the content
  • deb http://repo.ids.surfnet.nl/surfnetids/ lenny main
  • To start the SURFids logging server
    installation we use apt-get
  • apt-get update
  • apt-get install surfids-logserver sendmail
    sendmail-bin
  • Set the database host
  • Insert the admin database user
  • Create a PostgreSQL user
  • sudo -u postgres createuser -s -d -r -P <adminuser>
  • Set the admin user password
  • Set the database listening port
  • Set the database name
  • Set the SURFids database user and the SURFids user
    password
  • Set the nepenthes, p0f and argos user passwords

41
SURFIDS Installation (2/6)
  • Logging Server Configuration
  • The configuration file is located at
    /etc/surfnetids/surfnetids-log.conf
  • Database connection
  • # User info for the logging user in the
    # postgresql database
  • $c_pgsql_pass = "enter_password_here";
  • $c_pgsql_user = "idslog";
  • # Postgresql database info
  • $c_pgsql_host = "localhost";
  • $c_pgsql_dbname = "idsserver";
  • # The port number where the postgresql database
    # is running on
  • $c_pgsql_port = "5432";
  • # Enable or disable the download option of
    # binaries in the webinterface
  • $c_download_binaries = 1;
  • GeoIP Location Info
  • Enable the GeoIP location database to enable
    source IP country identification.

42
SURFIDS Installation (3/6)
  • # The key used for the Googlemap API
  • $c_googlemap_key = "enter_googlemap_key_here";
  • Generate a GnuPG key used to sign the mail
    reports (gpg --gen-key) and insert its
    passphrase as the Maillog GNUPG passphrase:
  • $c_passphrase = "enter_gnupg_passphrase_here";
  • Sandbox Email Settings
  • Needed to retrieve the Norman reports from the
    mailbox they were sent to: login credentials,
    mail host and port
  • $c_mail_username = 'email_username';
  • $c_mail_password = 'email_pass';
  • $c_mail_mailhost = 'mailhost';
  • $c_mail_port = '995';
  • Replace the enter_database_pass_here text with the
    actual password needed for connecting to the
    database in /opt/surfnetids/webinterface/.htaccess
    (Apache refuses to serve .ht* files by default;
    check that rule is still in place, since the file
    now contains a database password)
43
SURFIDS Installation (4/6)
  • Tunnel Server Installation
  • Add the Ubuntu (hardy) repository in sources.list
  • deb http://ubuntu.mirror.cambrium.nl/ubuntu/ hardy main universe
  • To start the SURFids tunnel server installation
    we use apt-get
  • apt-get update
  • apt-get install surfids-tunnel
  • Set the OpenVPN key size
  • Insert the attributes for the certificates
  • Set the xinetd listening address
  • Set the IP address of the tunnel server that
    accepts the OpenVPN connections
  • Set the password used by the sensor to
    communicate with the tunnel server
  • Tunnel Server Configuration
  • The configuration file is located at
    /etc/surfnetids/surfnetids-tn.conf
  • SURF IDS Options
  • # The root directory for the SURF IDS files (no
    # trailing forward slash).
  • $c_surfidsdir = "/opt/surfnetids";

44
SURFIDS Installation (5/6)
Database connection
User info for the
logging user in the postgresql database
c_pgsql_pass "enter_password_here"
c_pgsql_user "idslog" Postgresql database
info c_pgsql_host "enter_database_servername_h
ere" c_pgsql_dbname "idsserver" The port
number where the postgresql database is running
on. c_pgsql_port "5432"
Mail logging Maillog From
address. This is the email addres that appears in
the From header. c_from_address
'enter_email_address_here' Maillog GNUPG
passphrase. c_passphrase "enter_GNU_passphrase
_here" Prefix for the subject of email
reports c_subject_prefix "SURF IDS "
45
SURFIDS Installation (6/6)
  • Add the local static sensor to the SURFids
    database
  • cd /opt/surfnetids/logtools
  • ./localsensor.pl -p 192.168.0.20
  • /opt/surfnetids/logtools/localsensor.pl -i eth0
    -s Nepenthes -o Evil_Sensor
  • Open the web interface available at
  • http://<logserver:80>/surfnetids/

46
AV Installation (1/3)
  • Local scan of suspicious files (the binaries the
    honeypots collected) with
  • F-Prot
  • AVAST
  • ClamAV
  • Create a directory
  • cd /opt
  • mkdir scanner
  • cd scanner
  • Install ClamAV
  • apt-get install unzip libwww-perl
  • apt-get -y install clamav
  • freshclam
  • Install F-Prot
  • Download fp-Linux.x86.32-ws.tar.gz from the F-Prot
    official website
  • tar -xvf fp-Linux.x86.32-ws.tar.gz
  • cd f-prot

47
AV Installation (2/3)
  • Install Avast
  • Download avast4workstation-1.3.0.tar.gz from the
    AVAST official website
  • tar -xvf avast4workstation-1.3.0.tar.gz
  • Download avast4workstation_1.3.0-2_i386.deb
    from the AVAST official website
  • dpkg -i avast4workstation_1.3.0-2_i386.deb
  • sysctl -w kernel.shmmax=100000000
  • AVAST requires a free registration to work
  • Configure /opt/surfnetids/scripts/scanbinaries.pl
  • Define the scanners
  • $scanners->{"F-Prot"} = {
  •   'cmd' => "/opt/scanner/f-prot/fpscan -v 2
        --report --adware",
  •   'update' => "/opt/scanner/f-prot/fpupdate",
  •   'version' => "/opt/scanner/f-prot/fpscan
        --version | grep \"F-PROT Antivirus version\"
        | awk -F'(' '{print \$1}' | awk '{print \$NF}'",
  •   'batchmode' => 0,
  • };

48
AV Installation (3/3)
  • $scanners->{"AVAST"} = {
  •   'cmd' => "/opt/scanner/avast4workstation-1.3.0/bin/avast -n",
  •   'update' => "/opt/scanner/avast4workstation-1.3.0/bin/avast-update",
  •   'version' => "/opt/scanner/avast4workstation-1.3.0/bin/avast --version
        | head -n1 | awk -F\"avast \" '{print \$2}'",
  •   'batchmode' => 1,
  • };
  • $scanners->{"ClamAV"} = {
  •   'cmd' => "clamscan --no-summary",
  •   'update' => "freshclam",
  •   'version' => "clamscan --version | awk '{print \$2}'
        | awk -F\"/\" '{print \$1}'",
  •   'batchmode' => 0,
  • };
  • Add to the crontab (runs every half hour)
  • 00,30 * * * * /opt/surfnetids/scripts/scanbinaries.pl >/dev/null

49
Metasploit Penetration Test Software
  • Metasploit helps security and IT professionals
    identify security issues, verify vulnerability
    mitigations, and manage expert-driven security
    assessments
  • Download from http://www.metasploit.com/download/
    for free
  • Install it on the attacker machine and test the
    all-in-one machine
  • Discover open ports
  • Exploit the target system (requires registration)

50
Metasploit Testing Nepenthes
[screenshot: Metasploit session against the Nepenthes honeypot; image not in transcript]

51
Metasploit Testing Nepenthes
[screenshot: Metasploit session against the Nepenthes honeypot; image not in transcript]

52
Metasploit Testing Amun
[screenshot: Metasploit session against the Amun honeypot; image not in transcript]

53
Metasploit Testing Amun
[screenshot: Metasploit session against the Amun honeypot; image not in transcript]