The document describes a simple network intrusion detection system consisting of Snort as the sensor, MySQL as the database, and ACID as the console interface. Snort monitors network traffic for attack signatures and logs matching events to the MySQL database; the ACID console provides a graphical interface for analyzing the logged data and reviewing the resulting alerts. The system was implemented on a Windows laptop with Snort, MySQL, and ACID to demonstrate a basic open source IDS solution.
A Simple Network IDS
1. 07/01/13
A Simple Network IDS
Team Members:
Brian Lapp
Dominic Reres
Bob Wilson
Daniel Cassiero
3. About the Project
A demonstration of a simple IDS.
Can be used to secure and protect a network.
Policy enforcement.
Snort Sensor
IDS Console
Relational Database
4. Implementation
Windows XP Professional with SP2
Snort version 2.3.2
MySQL database version 4.1
ACID v0.9.6b23
All components installed on a laptop for convenience.
5. Snort - The Open Source IDS
Highly Portable (*NIX, BSD, Win32)
Uses Signatures
Open Source
6. Snort - Flow
Monitors network traffic in promiscuous mode
Packet has signature match
Event is logged to database
Alert appears on ACID console
7. Snort - Data Logging
Direct log file
Database (MySQL, Oracle, MS SQL...)
8. Data
Data captured from lab network
Attached Snort sensor directly to CRJ Labs
9. Snort Log
Log file format may be difficult to read.
Sorting through events may be time consuming.
10. Analysis Console for Intrusion Databases
GUI frontend for logged data
Human readable at a glance
Utilize relational data.
13. Network IDS Solution
Open Source software
  Freely available to the public
Overhead
  Configuration and setup
  Learning curve
#12: The link gives a description of the vulnerability/exploit. CVE - Common Vulnerabilities and Exposures. Bugtraq - common database of vulnerabilities and exploits. ICAT - just an acronym, it doesn't stand for anything anymore; hosted by NIST (National Institute of Standards and Technology).
#13: Meta - signature, time, sensor (Alert Group - ACID specific). IP - source, destination, IP header info, FQDN (if DNS lookup available). TCP - layer 4 information (TCP, UDP, ICMP), sequence number. Payload - the actual packet data.
#14: This project demonstrates a viable network IDS solution. All of the software used was low-cost open source software - PRO. Learning curve - CON.
#15: Snort logs alerts to the MySQL database. MySQL is a relational database. ACID reads the database and correlates the events into an easily readable format.
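The flow the slides describe (a packet matches a signature, the event is logged to a database, the console reads the database and groups the events) can be exercised end to end in a few dozen lines. The following is an added example, not code from this project, from Snort or from ACID. It parses a handful of constructed alert lines in Snort's "fast" alert format (the one-line-per-alert text log slide 9 calls hard to read), loads them into an in-memory SQLite database standing in for the MySQL instance, and runs the kind of grouping queries ACID presents as its "most frequent alerts" and "top sources" views. The hosts, SIDs, rule messages and the simplified table layout are all made up for the example (the SIDs sit in the local-rule range, so they name no published rule); a non-alert line is included to show that the loader skips rather than dies on it.

```python
"""Added example: the Snort -> database -> console flow, using SQLite in place of MySQL.

Input is a constructed sample of Snort's "fast" alert format. Hosts, SIDs, messages
and the table layout are made up for this example; this is not the project's code and
not the real Snort database schema.
"""
import re
import sqlite3

# Constructed sample alerts. SIDs are in the local-rule range (1000001+), so they do
# not refer to any real published Snort rule. One junk line is deliberately included.
SAMPLE_FAST_LOG = """\
07/01-10:15:02.113204  [**] [1:1000001:1] LOCAL Telnet login attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40211 -> 192.168.1.10:23
07/01-10:15:09.551901  [**] [1:1000002:1] LOCAL ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.11
this line is not an alert and must be skipped
07/01-10:16:40.002114  [**] [1:1000001:1] LOCAL Telnet login attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40212 -> 192.168.1.12:23
07/01-10:17:13.778450  [**] [1:1000003:1] LOCAL HTTP suspicious URI [**] [Priority: 1] {TCP} 192.168.1.77:51003 -> 192.168.1.10:80
"""

# One regex for the fast format: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, and src/dst with optional ports (ICMP has none).
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Simplified stand-in for the Snort database layout: signatures stored once, events
# referencing them. That reference is what makes grouping by signature a cheap join.
SCHEMA = """
CREATE TABLE signature (
    sig_id INTEGER PRIMARY KEY, sig_sid INTEGER UNIQUE, sig_name TEXT,
    sig_class TEXT, sig_priority INTEGER);
CREATE TABLE event (
    cid INTEGER PRIMARY KEY, timestamp TEXT, sig_id INTEGER REFERENCES signature(sig_id),
    ip_proto TEXT, ip_src TEXT, ip_dst TEXT, sport INTEGER, dport INTEGER);
"""


def parse_fast_alert(line):
    """Return a dict for one fast-format alert line, or None if the line is not one."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    g = m.groupdict()

    def port(v):
        return int(v) if v is not None else None

    return {
        "timestamp": g["ts"], "gid": int(g["gid"]), "sid": int(g["sid"]), "rev": int(g["rev"]),
        "msg": g["msg"], "classification": g["cls"], "priority": int(g["prio"]),
        "proto": g["proto"], "src": g["src"], "sport": port(g["sport"]),
        "dst": g["dst"], "dport": port(g["dport"]),
    }


def load_alerts(fast_log_text):
    """Parse every alert line and store it relationally; returns (connection, skipped_lines)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    skipped = 0
    for line in fast_log_text.splitlines():
        ev = parse_fast_alert(line)
        if ev is None:
            skipped += 1  # keep going: a loader that dies on one bad line loses the rest
            continue
        conn.execute(
            "INSERT OR IGNORE INTO signature (sig_sid, sig_name, sig_class, sig_priority) "
            "VALUES (?, ?, ?, ?)", (ev["sid"], ev["msg"], ev["classification"], ev["priority"]))
        (sig_id,) = conn.execute(
            "SELECT sig_id FROM signature WHERE sig_sid = ?", (ev["sid"],)).fetchone()
        conn.execute(
            "INSERT INTO event (timestamp, sig_id, ip_proto, ip_src, ip_dst, sport, dport) "
            "VALUES (?, ?, ?, ?, ?, ?, ?)",
            (ev["timestamp"], sig_id, ev["proto"], ev["src"], ev["dst"], ev["sport"], ev["dport"]))
    conn.commit()
    return conn, skipped


def alerts_by_signature(conn):
    """Console view: how many times each signature fired, most frequent first."""
    return conn.execute(
        "SELECT s.sig_name, s.sig_priority, COUNT(*) AS n "
        "FROM event e JOIN signature s ON s.sig_id = e.sig_id "
        "GROUP BY s.sig_id ORDER BY n DESC, s.sig_name").fetchall()


def alerts_by_source(conn):
    """Console view: events per source address and how many distinct hosts it touched."""
    return conn.execute(
        "SELECT ip_src, COUNT(*) AS n, COUNT(DISTINCT ip_dst) AS targets "
        "FROM event GROUP BY ip_src ORDER BY n DESC, ip_src").fetchall()


def events_for_signature(conn, sid):
    """Drill-down from the summary to the individual events for one signature."""
    return conn.execute(
        "SELECT e.timestamp, e.ip_proto, e.ip_src, e.sport, e.ip_dst, e.dport "
        "FROM event e JOIN signature s ON s.sig_id = e.sig_id "
        "WHERE s.sig_sid = ? ORDER BY e.cid", (sid,)).fetchall()


if __name__ == "__main__":
    db, bad = load_alerts(SAMPLE_FAST_LOG)
    print(f"skipped {bad} non-alert line(s)")
    for name, prio, n in alerts_by_signature(db):
        print(f"{n:3d}  prio {prio}  {name}")
    for src, n, targets in alerts_by_source(db):
        print(f"{n:3d}  {src} -> {targets} distinct target(s)")
```

In the lab setup the database step was done by Snort itself rather than by a text-log loader: an `output database:` line in snort.conf (for example `output database: log, mysql, user=snort dbname=snort host=localhost`, where the user and database name are whatever was created for the sensor) sends each event straight to MySQL, and ACID issues queries of the same shape as the three functions above against that database. The point of the relational step is visible in the output: a single scan source that touched three hosts is one row in the source view, which the flat log file only shows after reading every line.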