Snort - PowerPoint PPT Presentation

Slides: 41
Provided by: tarike
Transcript and Presenter's Notes

Title: Snort


1
Snort IDScenter
  • 60-564 Security and Privacy on the Internet
  • Instructor: Dr. A. K. Aggarwal
  • Presented by: Tarik El Amsy, Lihua Duan
  • Date: March 29, 2006

2
What is IDScenter
  • IDScenter is a graphical front-end for Snort on
    Windows platforms (recommended: Windows NT4/2000/XP).
  • IDScenter provides a friendly interface for Snort
    users.
  • With some knowledge of Snort, IDScenter helps users
    with configuration and provides management features.

3
Features of IDScenter
  • Snort 1.7, 1.8, 1.9 and 2.x support
  • Snort configuration wizard
  • Online updates of IDS rules
  • Ruleset editor for all Snort rule options
  • HTML report from SQL backend
  • Execution of a program on attack detection
  • Good alerting tools, including mail, Windows
    event log and normal DB logging

4
Experiment Architecture and Scenarios
  • Home net address: 172.16.1.0/24
  • Network diagram: Hub, Router, NIDS, Target, Attacker

5
NIDS server configuration
  • CPU: AMD64 Opteron
  • Memory: 512 MB
  • Hard disk: 8 GB
  • Operating system: Windows 2000 Advanced Server
  • IP address: 172.16.1.1
  • Installed software:
    • Snort 2.4.3
    • IDScenter 1.1 RC4
    • WinPcap 3.1
    • Ethereal 0.10.14

6
Target server configuration
  • CPU: AMD64 Opteron
  • Memory: 512 MB
  • Hard disk: 8 GB
  • Operating system: Windows 2000 Advanced Server
  • IP address: 172.16.1.2
  • Installed software:
    • Ethereal 0.10.14
    • WinPcap 3.0 alpha 4
    • Packet Excalibur 1.0.2 (packet generator)
    • Web server, Telnet, SNMP, FTP, etc.

7
Attacker server configuration
  • CPU: AMD64 Opteron
  • Memory: 512 MB
  • Hard disk: 8 GB
  • OS: Windows 2000 Advanced Server
  • IP address: 137.207.234.252
  • Installed software:
    • WinPcap 3.0 alpha 4
    • Packet Excalibur 1.0.2 (packet generator)
    • Web server, Telnet, SNMP, FTP, etc.

8
Installing WinPcap
  • WinPcap (Windows Packet Capture Library) is a
    packet-capture driver. Functionally, this means
    that WinPcap grabs packets from the network wire
    and passes them to Snort, Ethereal and WinDump.
  • Download WinPcap_3_1_auto-installer.exe to the
    local disk from http://www.winpcap.org/install/default.htm
    and run it.
  • Should be installed on hosts: NIDS, Attacker, Target

9
Installing Ethereal
  • Ethereal is used by network professionals around
    the world for troubleshooting, analysis, software
    and protocol development, and education. Ethereal
    is one of the best graphical packet sniffers. Its
    graphical interface makes it easy to use and its
    long list of features makes it very powerful for
    analyzing network traffic.
  • Download and run ethereal-setup-0.10.14.exe, or any
    later version, from the Ethereal website:
    http://www.ethereal.com/download.html

10
Installing Packet Excalibur
  • A multi-platform freeware, graphical and
    scriptable network packet engine with extensible
    text-based protocol descriptions.
  • Needed to craft the sample attacks and generate
    these packets on the network during Snort testing.
  • Download the Packet Excalibur Windows installer,
    version 1.0.2, from
    http://www.securitybugware.org/excalibur/PacketExcalibur_1.0.2_win32.exe
  • It will also install WinPcap 3.0a.
  • Should be installed on: Attacker, Target

11
Packet Excalibur Demo
  • Rule exercised in the demo:
    alert tcp $EXTERNAL_NET any -> $HOME_NET 111 \
      (msg:"Rule 4 RPC portmap listing TCP 111"; content:"|00 01 86 A0|"; \
      reference:arachnids,428; sid:598; rev:11; \
      classtype:rpc-portmap-decode; flow:to_server,established;)

12
Installing Snort
  • Download Snort ver 2.4.3
  • Install directory: c:\snort
  • Logging database option: default
  • To test the installation and make sure it is running:
    C:\snort\bin\snort -v
    This runs Snort in sniffer mode; you should see the
    packets passing on the network captured by Snort.

13
Installing IDScenter
  • Download IDScenter.zip (1.1 RC4, 04.08.2003) from
    http://www.engagesecurity.com/downloads/IDScenter
  • Unzip the downloaded file to obtain setup.exe, then
    run it for a simple, default installation.

14
Configuring Snort
  • Change the settings in the Snort configuration file
    snort.conf under the c:\snort\etc folder.
  • Use any text editor to edit the following:
    • Network settings
    • Preprocessors
    • Output settings
    • Rules settings

15
Configuring Network settings
  • Snort uses variables in configuring the rules.
  • When you use a variable name in a rule, it is
    replaced by the variable's value.
  • This allows you to add different network ranges
    and subnets and simplifies rule editing and
    customization.
  • We added the following variables to the snort.conf
    file:
    var HOME_NET 172.16.1.0/24
    var EXTERNAL_NET any
    var DNS_SERVERS 172.16.1.2/32
    var SMTP_SERVERS 172.16.1.2/32
    var HTTP_SERVERS 172.16.1.2/32
    var SQL_SERVERS 172.16.1.2/32
    var TELNET_SERVERS 172.16.1.2/32
    var HTTP_PORTS 80
    var RULE_PATH c:\snort\rules

16
Configuring Preprocessors
  • Configure the http_inspect preprocessor.
  • This preprocessor allows Snort to decode HTTP web
    traffic and analyze it for specific URI contents.
  • Setting in the snort.conf file:
    preprocessor http_inspect: global iis_unicode_map unicode.map 1252
    preprocessor http_inspect_server: server default profile all ports { 80 }

17
Configuring Output settings
  • Output alerts to a file-based log called alert.ids.
  • Setting in the snort.conf file:
    output alert_fast: alert.ids
    config logdir: c:\snort\log

18
Configuring Rules settings
  • Create a file called project.rules in the
    c:\snort\rules folder.
  • The file holds the 10 selected attacks.
  • Remove the normal rule file settings from the config
    file and add only project.rules:
    include $RULE_PATH/project.rules
  • Sample rule:
    alert tcp $EXTERNAL_NET any -> $HOME_NET 111 \
      (msg:"Rule 4 RPC portmap listing TCP 111"; content:"|00 01 86 A0|"; \
      reference:arachnids,428; sid:598; rev:11; \
      classtype:rpc-portmap-decode; flow:to_server,established;)
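
The variable expansion of slide 15 and the sample rule above can be exercised together with the following Python, an added example that is neither from the slides nor Snort's own code. It assumes a deliberately simplified matcher (one CIDR or "any" per address, a single port, content matching with |hex| decoding, no offset/depth and no flow state) and a constructed portmap payload.

```python
# Added example, not from the slides: expand the snort.conf variables of
# slide 15 inside a rule header, parse the options of the slide 18 sample
# rule, and test a constructed packet against it. Simplified on purpose: one
# CIDR or "any" per address, a single port, |hex| content, no offset/depth.
import ipaddress
import re

SNORT_CONF = """\
var HOME_NET 172.16.1.0/24
var EXTERNAL_NET any
var RULE_PATH c:\\snort\\rules
"""

RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 111 '
        '(msg:"Rule 4 RPC portmap listing TCP 111"; content:"|00 01 86 A0|"; '
        'reference:arachnids,428; sid:598; rev:11; '
        'classtype:rpc-portmap-decode; flow:to_server,established;)')

def parse_vars(conf):
    """Collect 'var NAME VALUE' lines of a snort.conf fragment into a dict."""
    return dict(re.findall(r'^var\s+(\w+)\s+(\S+)', conf, re.M))

def parse_rule(rule, variables):
    """Split a rule into header fields (with $VARS expanded) and an options dict."""
    head, opts = rule.split('(', 1)
    action, proto, src, sport, _arrow, dst, dport = head.split()
    def expand(token):
        return variables.get(token[1:], token) if token.startswith('$') else token
    options = dict(re.findall(r'(\w+):("[^"]*"|[^;]*);', opts))
    return {'action': action, 'proto': proto, 'src': expand(src), 'sport': sport,
            'dst': expand(dst), 'dport': dport, 'options': options}

def content_bytes(value):
    """content:"..." to bytes: text between | | is hex, the rest is literal."""
    parts = value.strip('"').split('|')
    return b''.join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def addr_match(spec, ip):
    return spec == 'any' or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def port_match(spec, port):
    return spec == 'any' or int(spec) == port

def rule_matches(parsed, src_ip, dst_ip, dst_port, payload):
    """True when the header fields and the content pattern both match the packet."""
    return (addr_match(parsed['src'], src_ip) and addr_match(parsed['dst'], dst_ip)
            and port_match(parsed['dport'], dst_port)
            and content_bytes(parsed['options']['content']) in payload)
```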

19
IDScenter Configuration
  • IDScenter consists of the following menus:
    • General
    • Wizards
    • Logs
    • Alerts
    • ...

20
General Menu
  • Apply: applies and saves the configuration (after
    setting all the options needed in IDScenter)
  • Start Snort: starts Snort in console mode or
    service mode
  • View alerts: opens the log viewer
  • Test settings: after configuration you can test
    the settings by clicking on this button
  • Reload: reloads the configuration
  • Reset Alarm: stops the alarm sound

21
General Menu
  • There are two modes to set up Snort with IDScenter:
    • Snort console mode
    • Snort service mode
  • The advantage of service mode is that Snort can
    monitor your network constantly, even when you're
    logged off.

22
General / Configuration
  • Select the Snort version to run
  • Select the process priority
  • Select options (service mode / Snort console /
    auto restart)
  • Select the log folder path and file name

23
General / Snort Options
  • Set the configuration file. This is usually
    "snort.conf" in the "etc" folder where Snort was
    installed (e.g. "C:\Snort\etc\snort.conf").
  • You can find a pattern in the configuration file
    by typing it into the edit box and clicking on the
    search button.
  • You can set an external editor for editing the Snort
    configuration file.

24
General / Activity Log
  • In this panel IDScenter displays events
  • You can enable/disable event logging
  • You can select which events are monitored
  • You can have the activity log purged automatically
  • Clear log: clears the logging entries

25
General / Overview
  • In this panel IDScenter displays errors. If an
    error occurs when you click on Apply, you'll be
    informed here.
  • An overview of the activated alert features is
    shown here.
  • "Copy to clipboard" copies the Snort command line
    to the clipboard.

26
Wizards Menu
  • The Wizards menu has several wizards that help with
    configuring Snort. It has the following:
    • Network Variables wizard
    • Preprocessor wizard
    • Output plugin wizard
    • Rules/Signatures wizard
    • Online Update wizard

27
Wizards / Network Variables
  • Helps to set the variables used in rule files.
  • You can:
    • Add a new variable
    • Edit an existing variable
    • Delete a variable

28
Wizards / Preprocessors
  • Here you can select and configure the
    preprocessors used by Snort:
    • Stream4 and Frag2 pane (enable Snort to
      defragment packets and perform stateful
      inspection)
    • Protocol Preprocessor pane (different protocol
      decoders such as HTTP decode, Telnet, RPC
      decode, etc.)
    • PortScan Detection pane
    • Miscellaneous pane (ARP spoof and other
      unsupported preprocessors)

29
Wizards / Output Plugins
  • There are many small wizards in this panel which
    will help you to configure the output plugins of
    Snort.

30
Wizards / Rules Wizard
  • The ruleset wizard helps you maintain a good
    ruleset. This is the "include" part of the Snort
    configuration file.
  • First select a classification configuration file,
    by default "classification.config".
  • Select the reference configuration file, by
    default "reference.config".
  • Activate/deactivate the rule files you want to
    use by checking/unchecking their boxes.
  • To open a ruleset in the ruleset editor:
    • Select a ruleset file
    • Click on "Ruleset editor"

31
Wizards / Rules Wizard
  • The ruleset editor lists all available rules in
    the file.
  • Add (and clone) new rules / delete rules
  • Edit a rule (select a rule and click on "Add/edit
    rule")
  • Activate/deactivate the rules you want to use
  • Import additional rules into the ruleset (in
    Snort 2.x syntax)
  • Save the ruleset after modification

32
Rules Wizard / Editing a rule
  • The editor provides a front-end to all Snort 2.x
    rule features.
  • It makes it easier to understand and modify any
    rule.
  • You can also access online information for that
    rule.

33
Wizards / Online Update
  • The online update wizard is a front-end for
    configuring Oinkmaster (by Andreas Östling).
  • If you want to use this feature, you should
    download the EagleX package.

34
Logs / Options Menu
  • Settings made here override the Snort configuration
    file. Example: if you set the output plugin
    "alert_full: alert.ids" and selected "Fast", Snort
    will log using fast mode.
  • Set the parameters (command-line parameters) of
    Snort.
  • Select the interface Snort should monitor, if
    necessary.

35
Logs / Log Rotation
  • Log rotation will rotate the alert logs by
    compressing the files into ZIP packages and
    moving them to the Backup folder.

36
Alerts / Detection
  • The alert alarm goes off when the monitored
    file/database has changed.
  • Select at least one alert detection mode:
    • File alert detection mode (up to 10 files
      monitored)
    • Add the files which should be monitored for
      changes (at least the alert log file set in the
      main configuration panel should be set)
    • MySQL alert detection

37
Alerts / Notification
  • Alarm sound: select a WAV file if you selected
    "Start alarm sound when an alert is logged".
  • Program execution: IDScenter will execute this
    program if an alert was logged (start a script
    that reconfigures your router, generate HTML
    pages of the alert log using an external program, etc.)
  • AutoBlock: plugin system (example: Network ICE
    BlackICE). It allows you to block specific
    network traffic (mini firewall).

38
Alerts / AlertMail
  • AlertMail can send administrator alerts by mail
    if Snort has detected an attack.
  • You can send a sample of the latest attacks in
    the email message, as well as the log file as an
    attachment.
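
As an added example (not IDScenter's own code), the following Python shows the mechanics behind the file alert detection of slide 36 and the AlertMail "sample of the latest attacks" of slide 38 for an alert_fast log like the one configured on slide 17: it reads only the bytes appended since the previous poll and summarizes the new alerts. The alert lines are constructed, and the Classification/Priority text in them is assumed.

```python
# Added example, not IDScenter's own code: a minimal stand-in for its "file
# alert detection" and AlertMail summary over an alert_fast log. poll_alert_file()
# reads only bytes appended since the previous poll, like a tail.
import os
import re
import tempfile

ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$')

# Constructed alert_fast lines (Snort 2.x layout) for the slide 18 rule, sid 598.
ALERT = ('03/29-10:15:{s}.000000  [**] [1:598:11] Rule 4 RPC portmap listing TCP 111 [**] '
         '[Classification: Decode of an RPC Query] [Priority: 2] {{TCP}} '
         '137.207.234.252:{p} -> 172.16.1.2:111\n')
SAMPLE = [ALERT.format(s='22', p='1027'), ALERT.format(s='23', p='1028')]

def parse_alert_fast(line):
    """Fields of one alert_fast line, or None for a line that is not an alert."""
    m = ALERT_RE.match(line.rstrip('\r\n'))
    return m.groupdict() if m else None

def poll_alert_file(path, offset):
    """Parse the lines appended after 'offset'; return (new_offset, alerts)."""
    alerts = []
    with open(path, 'rb') as f:
        f.seek(offset)
        for raw in f:
            parsed = parse_alert_fast(raw.decode('latin-1'))
            if parsed:
                alerts.append(parsed)
        return f.tell(), alerts

def summarize(alerts, latest=3):
    """Per-sid counts plus the newest alerts, as the mail 'sample' would show."""
    counts = {}
    for a in alerts:
        counts[a['sid']] = counts.get(a['sid'], 0) + 1
    recent = ['{ts} {src} -> {dst}:{dport} {msg}'.format(**a) for a in alerts[-latest:]]
    return counts, recent

def demo():
    """Write one sample alert, poll, append the second, poll again from the offset."""
    path = os.path.join(tempfile.mkdtemp(), 'alert.ids')
    with open(path, 'w') as f:
        f.write(SAMPLE[0])
    offset, first = poll_alert_file(path, 0)    # file changed since offset 0: alarm
    with open(path, 'a') as f:
        f.write(SAMPLE[1])
    _, second = poll_alert_file(path, offset)   # only the newly appended line
    return first, second
```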

39
Example of received mail alert (screenshot)

40
Our Opinion
  • IDScenter is a very simple and easy-to-use
    configuration utility for Snort.
  • It has a very good graphical interface.
  • It provides a lot of add-on features for managing
    Snort.
  • It provides good alerting features.
  • It has some compatibility issues with the latest
    Snort version (especially preprocessors and the
    latest MySQL version).
  • It has no analysis features.
  • It still requires good knowledge of Snort IDS to
    configure.