[Screenshot continued: source IP addresses 8, destination IP addresses 6, unique IP links 11, source ports 10 (TCP 8, UDP 3), destination ports 8 (TCP 7, UDP 1), portscan traffic 0; menu: Search, Graph Alert Data, Snapshot (most recent alerts for any protocol / TCP / UDP / ICMP, most frequent 5 alerts, today's / last 24 hours / last 72 hours alerts unique listing by IP src/dst, most frequent source and destination ports, most recent 15 unique alerts).]

By Analysis
- View snapshot of alerts generated by ACID.
[Screenshot: ACID Query Results "15 Last TCP" in Internet Explorer, http://localhost/acid/acid_qry_main.php: queried DB on Thu March 23 2006 23:44:06; summary statistics (sensors, unique alerts, classifications, unique addresses source/destination, unique IP links, source and destination ports TCP/UDP, time profile of alerts); displaying the 15 last TCP alerts with signature, timestamp, source and destination address.]
[Screenshot continued: ACID Query Results, 15 Last TCP, listing arachNIDS/snort "FTP saint scan" alerts dated 2006-03-09 18:19:46 to 18:19:47, source 192.168.0.129, destination 192.168.0.112 port 21.]
- Write destination MAC, source MAC, destination IP and source IP.
- Place the contents of the packets after the Urgent Pointer.
- Calculate the total length.
- Click on the checksum button. If all checksums show correct, then the packet is ready.
- All information will have to be in hex format.
- A sample packet with sid 356 is shown below.
[Screenshot: CommView, Send Packets via Realtek RTL8139/810x Family Fast Ethernet NIC (Packet Scheduler Miniport): Packet Generator with ICMP/TCP/UDP templates, packet size, "continuously" and packets-per-second settings.]

Step 2: Start SNORT
- Go to the command prompt.
- Go to C:\Snort\bin.
- Give the following command:
    C:\Snort\bin> snort -dev -c C:\snort\etc\snort.conf -l C:\snort\log -i2
- The screenshot will be like below:
[Screenshot: Snort startup output reading C:\Snort\etc\snort.conf: non-RFC-compliant characters NONE; rpc_decode arguments, ports to decode RPC on 111 32771, alert_fragments INACTIVE, alert_large_fragments ACTIVE, alert_incomplete / alert_multiple_requests ACTIVE; telnet_decode arguments, ports to decode telnet on 21 23 25 119; portscan detection config: detect protocols TCP UDP ICMP IP, detect scan types portscan portsweep decoy_portscan distributed_portscan, sensitivity level Low, memcap and number of nodes; database: compiled support for mysql and odbc, configured to use mysql, user root, password is set, database name snort, database host localh
[Screenshot: ACID Query Results (signature, timestamp, source address, destination address) listing arachNIDS/snort "FTP passwd retrieval attempt" alerts dated 2006-03-23 23:42:05, source 192.168.0.126, destination 192.168.0.112 port 21.]
Microsoft IIS 4 or higher / Microsoft IIS 6 or higher / Apache / Xitami / None (or other server; will configure the web server manually).]
Since our IIS version was 5.x, we chose "Microsoft IIS 4 or higher". Then click <Next>. Then again a confirmation window will be shown; click <Next> on that window. Then the following window will show the progress of the installation, and when it has successfully completed the following window will be shown:
[Screenshot: Installation complete: "PHP 4.3.9 has been successfully installed. Press the OK button to exit this installation. NT users may need to set appropriate permissions for the various php files and directories. Usually IUSR_MachineName (or the user your web server runs as) will need read/write access to the uploadtmp and session directories, and execute access for php.exe and php4ts.dll."]
Click <OK> to finish the installation.

Testing PHP
To test PHP we made a sample php file as follows:
- Open Notepad.
- Type:
    <?php phpinfo(); ?>
- Save the file as info.php.
- Place the file in C:\Inetpub\wwwroot.
- Open the browser and type http://localhost/info.php.
- If the page shows something like below, then the installation is successful.
[Screenshot: phpinfo() page displayed in the Opera browser.]
The password of that user.
    $ChartLib_path = "C:\Inetpub\wwwroot\jpgraph-1.20.3\src";
This is the entire path of the JpGraph graphing library.
NOTE: Be sure to use double quotation marks around each setting or ACID will not work. Also keep in mind that your username and password should be different from what is provided in this example.
- Reboot your computer.

ACID Viewer Configuration
- After rebooting, browse to http://localhost/Acid/Index.html.
- You will receive an error the first time you run ACID.
- Click on "Go to the Setup Page" when this error appears.
- At the Setup Page click "Create ACID AG" to finish the configuration.
- Go to the http://localhost/Acid/Index.html website again. The ACID console should successfully come up.

CommView Installation
CommView is a powerful network monitor and analyzer designed for LAN administrators, security professionals, network programmers, home users: virtually anyone who wants a full picture of the traffic flowing through a PC or LAN segment. Loaded with many user-friendly features, CommView combines performance and flexibility with an ease of use unmatched in the industry. This application captures every packet on the wire to display important information such as a list of packets and network connections, vital statistics, protocol distribution charts and so on. You can examine, save, filter, import and export captured packets, view protocol decodes down to the lowest la
This is the confirmation screen. Review all choices and click <Install> to start the installation process.
[Screenshot: MySQL Server 4.1 Setup Wizard, Installing MySQL Server 4.1: "The program features you selected are being installed."]
Screen 5: Progress screen. The installation process will now begin and all progress will be displayed. Then a screen will be displayed for registration sign-up purposes with MySQL. We skipped that phase and clicked <Skip>.
[Screenshot: MySQL Server 4.1 Setup Wizard, Wizard Completed: "Setup has finished installing MySQL Server 4.1. Click Finish to exit the wizard." Checkbox: "Configure the MySQL Server now. Use this option to generate an optimized MySQL config file, setup a Windows service running on a dedicated port and to set the password for the root account."]
Screen 6: Wizard Completed screen. The installation is now complete. The checkbox for this configuration wizard is checked by default. We made our selection and clicked <Finish> to continue. The next section describes using the MySQL Server Instance Configuration Wizard.

MySQL Server Instance Configuration Wizard
- Click <Next> to start the wizard.
- Typically choose the Detailed Configuration option. Make your selection and click <Next> to continue.
- Since we will be doing mostly development, we keep the default Developer Machine option. Click <Next> to continue.
- We chose Multifunctional Da
alerts. Put any IP addresses or networks in this section whose port scans should be ignored.
Note: To uncomment, simply remove the # in front of "preprocessor".

Configure Output Plugins
Output plugins allow Snort to support a large number of logging and alerting output capabilities. These include logging to tcpdump files, different types of databases, text files and syslog, and alerting by WinPopUp messages and SNMP. In this example we will only log to a MySQL database. By default everything is commented out, so you will need to uncomment the following line:
    output database: log, mysql, user=root password=snort dbname=snort host=localhost
NOTE: Be sure not to confuse the MySQL line with the MSSQL one. They look very similar, so it's easy to uncomment the wrong one.
log: This will alert to the alert.ids file.
mysql: This will alert to the MySQL database.
user: This is the SQL user that has select, insert, update, delete and create privileges on the MySQL database. In this example we will use Snort.
password: This is the password that has been created for the above user. In this example we will use Snort.
dbname: This is the name of the Snort database. In this example we will use Snort.
host: This is the name of the SQL Server. In this example the SQL Server will be local, so localhost will be used.
The following line will be found at the end of the Output Plugins section:
    include classification.config
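As an added check for the snort.conf edits this report walks through (it is not part of the report or of Snort itself): a small Python script that reads a Snort 2.x conf and flags the mistakes the Network Variables, Preprocessors, Output Plugins and classification.config sections warn about. Both conf texts are constructed samples, the 192.168.0.x addresses and the snortuser / CHANGE_ME credentials are placeholders, and the checker assumes the `var` / `preprocessor` / `output` / `include` line forms shown in the report.

```python
import re

# Constructed sample: the unmodified defaults the report tells you to change
# (HOME_NET any, EXTERNAL_NET any, relative RULE_PATH, database output commented out).
UNMODIFIED_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH ../rules
preprocessor frag2
preprocessor stream4: detect_scans
# preprocessor portscan-ignorehosts: 0.0.0.0
# output database: log, mysql, user=root password=snort dbname=snort host=localhost
# output database: log, mssql, user=snort password=test dbname=snort
include classification.config
include $RULE_PATH/scan.rules
"""

# Constructed sample: the same file after the report's edits (addresses and
# credentials are placeholders, not values from the report).
TUNED_CONF = """\
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS [192.168.0.1/32,192.168.0.2/32]
var RULE_PATH C:\\Snort\\Rules
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor portscan-ignorehosts: 192.168.0.1 192.168.0.2
output database: log, mysql, user=snortuser password=CHANGE_ME dbname=snort host=localhost
include C:\\Snort\\Rules\\classification.config
include $RULE_PATH/scan.rules
"""


def parse_conf(text):
    """Split the active (uncommented) lines of a Snort 2.x conf into
    variables, preprocessor lines, output lines and include targets."""
    variables, preprocs, outputs, includes = {}, [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out line does nothing, which is what the checks catch
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "var":
            name, _, value = rest.partition(" ")
            variables[name] = value.strip()
        elif keyword == "preprocessor":
            preprocs.append(rest)
        elif keyword == "output":
            outputs.append(rest)
        elif keyword == "include":
            includes.append(rest)
    return variables, preprocs, outputs, includes


def is_full_path(path):
    """True for a drive-letter Windows path (C:\\...) or an absolute POSIX path."""
    return bool(re.match(r"^[A-Za-z]:[\\/]", path)) or path.startswith("/")


def check_snort_conf(text):
    """Return a list of findings for the mistakes the report warns about; empty means clean."""
    variables, preprocs, outputs, includes = parse_conf(text)
    findings = []
    if variables.get("HOME_NET", "any") == "any":
        findings.append("HOME_NET is 'any': every address is home; set your own host/32 or net/24")
    if variables.get("EXTERNAL_NET") != "!$HOME_NET":
        findings.append("EXTERNAL_NET should be !$HOME_NET so only non-home addresses count as external")
    if not is_full_path(variables.get("RULE_PATH", "")):
        findings.append("RULE_PATH is not the full path (e.g. C:\\Snort\\Rules); Snort may not start")
    if variables.get("DNS_SERVERS", "$HOME_NET") == "$HOME_NET":
        findings.append("DNS_SERVERS still $HOME_NET: expect false DNS-related scan alarms")
    if not any(p.startswith("portscan-ignorehosts") for p in preprocs):
        findings.append("portscan-ignorehosts is commented out; list your DNS servers there")
    db_lines = [o for o in outputs if o.startswith("database:")]
    if not db_lines:
        findings.append("no active 'output database:' line; alerts will never reach MySQL")
    for line in db_lines:
        if "mssql" in line:
            findings.append("output database uses mssql: the mysql line is the one to uncomment")
        if "password=snort" in line:
            findings.append("database password is the report's example value; use your own")
    for target in includes:
        if target.endswith("classification.config") and not is_full_path(target):
            findings.append("include classification.config needs the entire path")
    return findings


if __name__ == "__main__":
    for label, conf in (("unmodified", UNMODIFIED_CONF), ("tuned", TUNED_CONF)):
        results = check_snort_conf(conf)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```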
[Screenshot continued: further "FTP passwd retrieval attempt" rows (2006-03-23 23:42:05, 192.168.0.126 to 192.168.0.112 port 21), with the Action selection controls (selected / all on screen / entire query).]
- Click on Graph Alert Data. You can choose your options on how to view the graph. We have three options: line, bar and pie.
[Screenshot: ACID Graph Alert Data page in Internet Explorer, http://localhost/acid/acid_graph_main.php: chart type and period (day / month / year) selection.]
[Screenshot: ACID chart, Source IP vs Number of Alerts, for sources 192.168.0.1, 192.168.0.112, 192.168.0.126, 192.168.0.129, 192.168.1.1, 192.168.1.4 and 192.168.1.6.]
Below is shown another snapshot for sid 358.
Sid 358: FTP saint attack
[Screenshot: ACID Query Results, 15 Last TCP, in Internet Explorer.]
306.
- Type in the Username, which will be Root because that is what we specified in the my.ini file of MySQL.
- Type in the Password, which will be Sally because we also specified that in the my.ini.
- Leave the Database name blank. You are just configuring the server; the database will be created later.
- Click on Server, then click on Save.
- Click on Link.
- Click on Test Link. This checks to see if there is a MySQL server running on port 3306 that can be attached to using the name Root with the password Sally.
- Click OK on the Connection Successful dialogue box.
- Exit Server Manager.
- Click Yes to Reload the Profile.
- On the left-hand side expand Snort.
- Right click on Databases.
- Click on Create.
- Type in Snort for the database name.
- Click OK. You just created the Snort database that Snort will log to.
- For the Set privilege on Database, use the pull-down menu to choose Snort; this allows the user that we just created to have access to the database that we also created.
- Click on OK.
- Put a check in the Create box as well; this will allow Snort to log new alerts to the database.
- Click on Save, then OK.
- Click on Close.
- Close DBTools.

IIS Installation
For this installation we needed the Windows XP Professional installation CD-ROM. After inserting the CD, when it pops up for the installation, we exit that window. Then START > Control Panel > Add or Remove Programs > Add/Remove W
Change that line to include the entire path to the classification.config, like so:
    include C:\Snort\Rules\classification.config
The classification.config is used to classify and prioritize alerts when they come in. This can be tailored to your specific needs, but in this example we will leave it as default.

Customize your Ruleset
The last section of the snort.conf is used to customize the rulesets. Here you will find text that looks similar to this:
    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/exploit.rules
    include $RULE_PATH/scan.rules
This is only a small portion of the Ruleset section. You will find many more like this in the snort.conf. There are many default rules ready to be used, or custom rules may be created. These rules are located in the Snort rules folder, where you can get even more specific and detailed with alerts. Depending on your specific network environment, certain rules should be commented out to prevent false positives or extra traffic. Under the Network Variables section above, the RULE_PATH was specified. If you did not specify the RULE_PATH above, then the entire path would need to be typed in for each rule that is included. This process could take up a lot of time. For more understanding on rules and writing rules, http://www.snort.org/docs/writing_rules/chap2.html#tth_chAp2 is a great place to start. It's very important that you understand the rules and that you are able to customize them to fit yo
Course: 03-60-564 Security and Privacy on the Internet
Instructor: Dr. A. K. Aggarwal
Project: Snort Testing with ACID, MySQL, PHP, IIS, ADODB under Windows XP
Submitted by: Ahmedur Rahman, Lawangeen Khan, Zillur Rahman
Due date: March 09, 2006

Table of Contents
Introduction 3
Installation 3
WinPcap Installation 4
ADODB Installation 4
MySQL Installation 5
DBTools Installation 12
IIS Installation 14
PHP Installation 15
PHPLot Installation 21
Snort Installation 21
[illegible entry] 27
JPGraph Installation 28
ACID Installation 29
CommView Installation 31
Testing the Total System 32
Preparing the Test Bed 32
[illegible entry] 40
[illegible entry] 41

Introduction
Intrusion detection is the ability to detect inappropriate activity. Security is a big issue for all networks in today's enterprise environment. Many methods have been developed to secure the network infrastructure and communication over the Internet. One relatively new method is intrusion detection, which started appearing in the last few years. Using intrusion detection methods you can collect and use information from known types of attacks and find out if someone is trying to attack your network or particula
ar DNS_SERVERS [10.20.30.100/24,10.20.30.101/24]
Configuring this section will prevent false DNS-related scan alarms. At the bottom of the Network Variables section is a line that specifies where the rule files are located. Be sure to configure the entire path as shown or Snort may not start correctly:
    var RULE_PATH C:\Snort\Rules

Configure Preprocessors
Preprocessors provide for complex functions such as TCP stream reassembly, IP defragmenting or HTTP request normalization. Preprocessors are only called once per packet, can directly manipulate packet data and even call the detection engine directly with their modified data. The snort.conf file does a very good job of explaining the different preprocessors. Martin Roesch also has good documentation on the preprocessors in Chapter 2 of the Snort User's Manual, found here: http://www.snort.org/docs/writing_rules/chap2.html. Preprocessors are great for catching specific alerts but can be very processor-intensive in some cases. The following preprocessors are enabled by default in the snort.conf:
    preprocessor frag2
This preprocessor provides IP defragmentation and detects fragmentation attacks.
    preprocessor stream4: detect_scans
This preprocessor generates alerts on detection of stealth portscans.
    preprocessor stream4_reassemble
This preprocessor reassembles traffic on specific ports and alerts on bad streams. The default port list is 21 23 25 53 80 143 110 513. Click here for an explanation of the p
describe traffic that it should collect or pass, and includes a detection engine utilizing a modular plug-in architecture. Snort has real-time alerting capability as well, incorporating alerting mechanisms for syslog, user-specified files, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient. Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump, or as a packet logger that is useful for network traffic debugging. It can also be used as a full-blown network intrusion detection system. Snort logs packets in either tcpdump binary format or in Snort's decoded ASCII format to logging directories.
We have downloaded Snort version 2.4.3 from the following link: http://www.snort.org/dl/binaries/win32/Snort_243_Installer.exe. To install Snort 2.4.3 just double click on the Snort_243_Installer.exe file.
- Copy all of the files of the Rules type to C:\Snort\Rules.
- Change to the Contrib directory.
- Copy the Create_MySQL file to C:\Snort.
Then we have to configure the snort.conf file located at C:\Snort\etc according to our usage.

Configuring snort.conf
Snort.conf is the configuration file that tells Snort what to do when it starts up. There are four sections to the snort.conf file: Network Variables for your network, Preprocessors, Output plug-ins and Rule set customization. This file can be configured to monitor a specific IP, a set of IPs o
e above snort configuration chapter has been taken from http://www.sans.org/rr/whitepapers/detection/362.php.

JPGraph Installation
JpGraph is an object-oriented graph-creating library for PHP > 4.3.1. The library is completely written in PHP and ready to be used in any PHP scripts; both the CGI/APXS and CLI versions of PHP are supported. The library can be used to create numerous types of graphs, either on-line or written to a file. JpGraph makes it easy to draw both quick-and-dirty graphs with a minimum of code as well as complex graphs which require very fine-grained control. The library assigns context-sensitive default values for most of the parameters, which minimizes the learning curve. ACID will use JPGraph for creating the bar charts and pie graphs that show us the alerts.
We have downloaded JPGraph version 1.20.3 from the following location: http://www.aditus.nu/jpgraph/jpdownload.php. After downloading the file we extracted it into the C:\Inetpub\wwwroot folder. No configuration is needed for JPGraph.

ACID Installation
The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by various IDSs, firewalls and network monitoring tools. This console is very useful for viewing Snort alerts in many different ways. You can search or view by source, destination, alert type, alert times, port numbers and/or protocols. You can c
ed ADODB version 4.72. ADOdb is a database abstraction library for PHP and Python based on the same concept as Microsoft's ActiveX Data Objects. It allows developers to write applications in a fairly consistent way regardless of the underlying database storing the information. The advantage is that the database can be changed without re-writing every call to it in the application. It is important to note that ADOdb uses SQL.
We downloaded ADODB version 4.72 from the following link: http://prdownloads.sourceforge.net/adodb/adodb472.zip?download. We have downloaded the zip file and extracted it into the Inetpub\wwwroot folder. It is extracted on the computer where Snort, MySQL, PHP and ACID reside. For this version we did not need to modify the adodb.inc.php file.

MySQL Installation
For this project we have used MySQL Server version 4.1. The installation process is easy, and a Windows installer is also available, which we have used. The download link of this installer was as follows: http://dev.mysql.com/downloads/mysql/4.1.html. We have downloaded the Windows installer from the webpage. At first we downloaded the zip file and extracted it in the C: drive (you can choose any place). Then we double-clicked the setup.exe file. The following screen will appear:
[Screenshot: MySQL Server 4.1 Setup Wizard, Welcome screen: "Welcome to the Setup Wizard for MySQL Server 4.1. The Setup Wizard will install MySQL Server 4.1 release 4.1.7 on your compute
f 255.255.255.0 (24 bits), configure the HOME_NET section of the snort.conf like so:
    var HOME_NET x.x.x.0/24
NOTE: The IP address x.x.x.1 and range x.x.x.0 would be actual IP addresses and ranges; the x's were for example purposes only. For a better understanding of IP addressing and subnetting, http://www.mcsefreak.com/subnetting.htm has a very educational guide.

External Address Range
Change
    var EXTERNAL_NET any
to
    var EXTERNAL_NET !$HOME_NET
This tells Snort that any IP address other than those specified as HOME_NET (which has already been defined) is external (! means not).

SMTP Servers
Configure the SMTP section to
    var SMTP $HOME_NET
Setting specific IP addresses for your mail servers in this section will reduce the number of false alerts, but setting it to $HOME_NET will set it to monitor what is specified in the HOME_NET section.

Web Servers
To configure your Web Servers, set the variable to
    var HTTP_SERVERS $HOME_NET
for a large network. Again, if you set this to be the IP addresses of your Web Servers the number of false alerts will be minimized, but you can set it to $HOME_NET as well. It may not be practical to type in the IP addresses of 100 Web servers.

SQL Servers
Configure the SQL Server section to be
    var SQL_SERVERS $HOME_NET
This works the same as the Web and SMTP server configuration. You can specify the servers or just leave it as $HOME_NET.

DNS Servers
Configure the DNS Server section to be
    v
indows Components > check the IIS service > NEXT. Then just following the installer prompts will successfully install IIS on the computer.

Testing IIS
To test IIS we went to Control Panel > Administrative Tools > Services. We found that IIS Admin is started, which means that it is working properly.

PHP Installation
To download the PHP installer we followed the following link: http://ca.php.net/get/php-4.3.9-installer.exe/from/a/mirror. Then we chose CA.PHP.NET as a mirror. Choosing another mirror will also work. Then click <Run>. It will start the installer. The following welcome screen will be shown:
[Screenshot: PHP 4.3.9 Setup, Welcome screen: "Welcome to the PHP 4.3.9 Setup program. This program will install PHP 4.3.9 on your computer. You may need to stop your web server before installation (IIS and PWS do not need to be stopped). Click Cancel to quit Setup and then stop your web server if necessary. Click Next to continue with the Setup program. WARNING: This program is protected by copyright law and international treaties. Installer version number 1.0.28"]
Click <Next>.
Screen: Welcome screen.
[Screenshot: PHP 4.3.9 Setup, License Agreement: "The PHP License, version 3.0. Copyright (c) 1999-2002 The PHP Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditi
ng the SET PASSWORD statement and the OLD_PASSWORD() function:
    mysql> SET PASSWORD FOR 'some_user'@'some_host' = OLD_PASSWORD('newpwd');
For our case we used the following command:
    mysql> SET PASSWORD FOR 'root'@'localhost' = OLD_PASSWORD('snort');
We also added the following line into the my.ini file:
    old_passwords

DBTools Installation
We downloaded DBTools Manager Professional 3.1 from the following link: http://www.dbtools.com.br/EN/downloads/downloads.php?file_id=9

DBTools Install
DBTools is a WIN32 application to manage database servers. This program is great for people who do not like the command line. There aren't as many features as in the Microsoft SQL GUI, but it's the same basic idea. It's very easy to use.
- Double click on Setup.exe that was downloaded from the DBTools website.
- Click Next to continue with the DBTools install.
- Click Yes again.
- Click Next on the license agreement.
- Select the destination directory or type in the path: Program Files\DBTools1012.
- Click Next.
- Select a Program Group.
- Click on Install.
- Click on Finish.

DBTools Configuration
- Open the DBTools Manager.
- Click on Server Manager from Start > Programs.
- Click on Server.
- Click on Add.
- In the Properties box put in the Server Name (anything will work here; we'll use Snort) and the Hostname (localhost will work).
- Type in the Port Number that you will use; here we will use 3
ons are met: 1. Redistributions of source code must retain the above copyright ..." NOTICE: "By clicking I Agree below you agree to be bound by all the terms and conditions of the above License Agreement. Carefully read the License Agreement before accepting. If you do not agree with any of the terms and conditions, click Cancel to cancel the setup process."]
Screen: License Agreement. Click <I Agree> to proceed.
[Screenshot: PHP 4.3.9 Setup, Installation Type: "Please select the type of installation you require": Standard / Advanced.]
Check mark Standard and click <Next> to continue.
[Screenshot: PHP 4.3.9 Setup, Choose Destination Location: "Setup will install PHP 4.3.9 in the following folder. To install into a different folder, click Browse and select another folder. You can choose not to install PHP 4.3.9 by clicking Cancel to exit Setup." Destination Folder: C:\PHP]
Click <Next> to install.
[Screenshot: PHP 4.3.9 Setup, Mail Configuration: "Please enter the address of your SMTP server": localhost; "Please enter the from address for the mail function": me@localhost.com]
Click <Next> to continue.
[Screenshot: PHP 4.3.9 Setup, Server Type: "Please select the type of http server you wish to configure to run PHP": Microsoft PWS on Windows 9x or ME / Microsoft PWS on NT Workstation / Microsoft IIS 3 or lower /
ort numbers: http://www.iana.org/assignments/port-numbers. You can change this preprocessor to reassemble all ports by setting the port option to "all". This could be very processor-intensive depending on the amount of traffic and the performance of the Snort computer.
    preprocessor http_decode: 80 -unicode -cginull
This preprocessor normalizes HTTP requests by converting Unicode representations of characters into their ASCII equivalent and then passes them on to Snort for matching against the rules. The -unicode and -cginull options will prevent false alerts, such as CGI Null Byte attacks and IIS Unicode attacks, that are sometimes triggered by sites that use multibyte characters.
    preprocessor rpc_decode: 111
This preprocessor normalizes RPC traffic on the given port numbers that RPC services are running on. Port 111 is the RPC service used by protocols for lookup.
    preprocessor bo: -nobrute
This preprocessor detects Back Orifice traffic. The -nobrute option turns off the brute forcing of the key space of the protocol to find the Back Orifice traffic. Performance can be severely impacted by turning on brute force.
    preprocessor telnet_decode
This preprocessor normalizes telnet and FTP traffic by reassembling the traffic into data that can be matched against the rules.
    preprocessor portscan-ignorehosts: 0.0.0.0
You should uncomment this preprocessor line and configure it with the IP addresses of the DNS Servers to prevent false DNS
ort will show that it is getting packets continuously. When done, press Ctrl+C.
- The Snort screen will show that it has generated and logged alerts successfully.
[Screenshot: Command Prompt, Snort exit statistics: breakdown by protocol (TCP, UDP, ICMP, ARP, EAPOL, IPv6, ETHLOOP, IPX, FRAG), action stats (alerts), stream reassembly stats (TCP packets used, stream trackers, stream flushes, segments used).]

Step 5: ACID viewer
- Open the browser and type http://localhost/acid/index.html.
- It will take you to the main page of ACID. There it will show that it has added all the alerts to the cache.
[Screenshot: Analysis Console for Intrusion Databases (ACID) main page in Internet Explorer, http://localhost/acid/acid_main.php: "Added 500 alert(s) to the Alert cache"; queried on Thu March 23 2006 23:42:56; database snort@localhost (schema version 106); time window 2006-03-08 21:49:02 to 2006-03-23 23:42:05; sensors 1; unique alerts 10 (7 categories); traffic profile by protocol: TCP 51%, ICM
ost; node unique name and sensor name are the NIC's \Device\NPF_ identifier; sensor id 3; schema version 106; database: using the "log" facility; 48 Snort rules read; 48 Option Chains linked into 6 Chain Headers; 0 Dynamic rules; thresholding config: memory cap 1048576 bytes, global none; rule application order: activation->dynamic->drop->alert->pass; log directory C:\Snort\log; Initialization Complete; Snort Version 2.4.3-ODBC-MySQL-FlexRESP-WIN32 (Build 26) by Martin Roesch & The Snort Team, http://www.snort.org/team.html, (C) Copyright 1998-2005 Sourcefire Inc.; NOTE: Snort's default output has changed; the default logging mode is now PCAP.]

Step 3: Send Packet
- We can choose the packet sending options like the sending rate, how many times, continuous, etc.
- Then press the Send button in CommView.
[Screenshot: CommView, Send Packets via Realtek RTL8139/810x Family Fast Ethernet NIC (Packet Scheduler Miniport): Packet Generator, packet size 64, packets per second 100, 204 of 500 packets sent.]

Step 4: See at Snort
- Sn
r. To continue, click Next. WARNING: This program is protected by copyright law."]
Screen 1: Welcome screen. Click <Next> to start the installation wizard.
[Screenshot: MySQL Server 4.1 Setup Wizard, Setup Type: "Choose the setup type that best suits your needs."]
Screen 2: Setup Type screen. To install the Developer Components we will need to use the Custom setup type; click <Next> to continue.
[Screenshot: MySQL Server 4.1 Setup Wizard, Custom Setup: "Select the program features you want installed. Click on an icon in the list below to change how a feature is installed." Features: MySQL Server, Client Programs, Documentation, Developer Components (Include Files / Lib Files, Embedded Server, Benchmark Suite, Scripts / Examples). Feature description: "Various helpful command-line tools including the mysql command line shell." Install to: C:\Program Files\MySQL\MySQL Server 4.1\]
Screen 3: Custom Setup screen. Within the Custom Setup screen select the Developer Components we would like to install and click <Next> to continue.
[Screenshot: MySQL Server 4.1 Setup Wizard, Ready to Install the Program: "The wizard is ready to begin installation."]
Screen 4: Confirmation screen.
26. ...r hosts. In this document we have written about an IDS called Snort, together with some of its add-ons, as our course project work.

Installation
For this project we had to install the following components:
- WinPcap
- ADODB
- MySQL
- DBTools
- IIS
- PHP
- PHPLot
- SNORT
- ACID
- JPGraph
- CommView

WINPCAP Installation
WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture. WinPcap consists of a driver that extends the operating system to provide low-level network access, and a library that is used to easily access the low-level network layers. The driver makes it possible to capture raw packets and send them on Win32 platforms.
WinPcap installation is very straightforward. First we downloaded the exe file from the following link: http://www.winpcap.org/install/default.htm. For this project we have used WinPcap version 3.1. After downloading the exe file we followed these steps:
- Double-click on the exe file to run the setup.
- Click Next.
- Click Yes to agree to the license agreement.
- Click Next on the information window that says that WinPcap was correctly installed. Click Finish.
- Reboot the computer.

ADODB Installation
We have us
27. ...r a network range. HOME_NET is used for most of the Network Variables, but putting in the specific IP address could be beneficial. Putting in specific IP addresses is useful if you have a small network and know every Web Server, SMTP Server and/or SQL Server that you own and monitor. This will help tailor the Snort rules to your specific network setup and will generate fewer false positives.
NOTE: Brackets are used when there is more than one IP address or network range specified.
The snort.conf is best viewed when opened with WordPad. Right-click on C:\Snort\snort.conf while holding down the Shift key, then choose Open With > Choose Program, scroll down to WordPad, then click OK.

Network Variables
The Network Variable section defines the home address range, external address range, Web Servers, Mail Servers and DNS Servers.

Home Address Range
The Home Address range will look like this in an unmodified snort.conf:
    var HOME_NET any
"var" is the keyword for variable. This setting will monitor your entire network by default. To monitor a single host with an IP address of x.x.x.1, change the "any" to x.x.x.1/32. The 32 represents how many bits are in the subnet mask. Because this is monitoring the localhost, the subnet mask is 255.255.255.255. If you are not getting any alerts you may want to check this section to be sure that the subnet mask is correct.
    var HOME_NET x.x.x.1/32
To monitor the entire network x.x.x.0 with a subnet mask o
28. [ACID "Displaying 15 Last TCP" result table, continued]
        ...rachNIDS] [snort] FTP saint scan   2006-03-09 18:19:46   192.168.0.129:16   192.168.0.112:21
    11  #3-703   [arachNIDS] [snort] FTP saint scan   2006-03-09 18:19:46   192.168.0.129:16   192.168.0.112:21
    12  #3-704   [arachNIDS] [snort] FTP saint scan   2006-03-09 18:19:46   192.168.0.129:16   192.168.0.112:21
    13  #3-705   [arachNIDS] [snort] FTP saint scan   2006-03-09 18:19:46   192.168.0.129:16   192.168.0.112:21
    14  #3-706   [arachNIDS] [snort] FTP saint scan   2006-03-09 18:19:46   192.168.0.129:16   192.168.0.112:21
    Action: {action} on: Selected / ALL on Screen / Entire Query.  Loaded in 0 seconds.  Done.  Local intranet.

Conclusion
In this document we have tried to sketch a detailed view of how to implement SNORT with the add-on ACID. Hopefully this will help others doing the same kind of work in the future. Implementing the whole project was time consuming, as we encountered various types of problems at different levels and had to spend much time debugging them. However, it was very interesting and we learned a lot from this project. We have successfully checked 10 signatures (sid 270, 473, 359, 655, 478, 1458, 1071, 356, 358 and 1755) on our implementation. Since creating packets for each sid requires the same process each time, we have included only two samples in this paper. However, if you require any further information, please do not hesitate to contact us anytime.

References
- http://www.securitydocs.com/library/17
29. ...re
[Screenshot: phpinfo() page at http://localhost/info.php viewed in Opera, showing Build Date, Server API, Virtual Directory Support, Configuration File (php.ini) Path, PHP API, PHP Extension, Zend Extension, Debug Build, Thread Safety, Registered PHP Streams; "This program makes use of the Zend Scripting Language Engine: Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies"; PHP Credits]

PHPLOT Installation
We downloaded PHPLOT from the following link: http://prdownloads.sourceforge.net/phplot/phplot-5.0rc1.tar.bz2?download. The version we used here is 5.0rc1. After downloading it we extracted it into C:\Inetpub\wwwroot\phplot. PHPLOT is usually required for graphical information to be shown by ACID.

SNORT Installation
Snort is a versatile, lightweight network IDS capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI (Common Gateway Interface) attacks, SMB probes, OS fingerprinting attempts and more. Snort uses a flexible rules language to
30. ...reate alert groups and email alerts, and delete alerts, all from this console. Just extract the archive from the following link and place the extracted folder named acid in the right place: http://www.andrew.cmu.edu/~rdanyliw/snort/acid-0.9.6b21.tar.gz
- Create a folder named acid under the C:\Inetpub\wwwroot folder.
- Unzip the acid-0.9.6b21 archive into this folder.
- Open and edit the acid_conf.php file with WordPad.

Configuring acid_conf.php
- Make the following changes to the file to give it the needed Snort database information:
    $DBlib_path = "C:\Inetpub\wwwroot\ADODB";   /* This is the database abstraction library variable */
    $alert_dbname = "snort";        /* This is the name of the database that we created earlier in DBTools Manager */
    $alert_host = "localhost";      /* This is the name of the server; localhost will work */
    $alert_port = "3306";           /* This is the port number specified earlier in WinMySQLAdmin that MySQL runs on */
    $alert_user = "root";           /* This is the user that we created earlier in DBTools Manager */
    $alert_password = "snort";      /* This is the password that we created earlier in DBTools Manager */
    $archive_dbname = "snort";      /* This is the archive database */
    $archive_host = "localhost";    /* The name of the server that has the archive database */
    $archive_port = "3306";         /* The port number that the archive database is listening on */
    $archive_user = "root";         /* The user that has access to the archive database */
    $archive_password = "snort";
31. ...tabase as our selection and clicked <Next> to continue.
- Click <Next> to continue.
- We chose DSS/OLAP as we don't need a heavy connection. Click <Next> to continue.
- We kept the default port of 3306. Click <Next> to continue.
- We chose Standard Character Set and clicked <Next> to continue.
- We checked the box "Install as Windows Service" and clicked <Next> to continue.
- Check the "Modify Security Settings" box and select a password for root. In this case we selected "snort" as the password.
- Click <Execute> and after that click <Finish> to complete the wizard.

Testing the Installation
Ensure that the MySQL software (the MySQL service) is running and that you have set up the initial MySQL grant tables containing the privileges that determine how users are allowed to connect to the server. This is normally done when you configure the instance using the MySQL Server Instance Configuration Wizard. For our tests we put the MySQL bin directory in the PATH environment variable:
    PATH=%PATH%;C:\Program Files\MySQL\MySQL Server 4.1\bin

MySQL Server Commands
mysqlshow (All Databases). To test the MySQL setup, execute the following command:
    C:\> mysqlshow -u root -p
    Enter password:
    Databases ...

Configuring MySQL to use with Snort and ACID
Reset the password to pre-4.1 style for each user that needs to use a pre-4.1 client program. This can be done usi
32. ...u specific network for better security.

Save snort.conf
Save and close the snort.conf. That should complete the Snort installation customization.

Test Snort
- Open up a command prompt.
- At the C:\Snort> prompt type `snort -W`. This will list all of the available network interfaces. Here we'll use 2, since 2 is our Ethernet network adapter card.
- At the C:\Snort> prompt type `snort -v -i2`. This will start Snort in verbose mode and will listen on adapter 2.
- Press Enter.
- Snort should start and you should see alerts similar to this:
    04/02-16:16:36.588218 x.x.x.x:21472 -> x.x.x.x:80
    TCP TTL:126 TOS:0x0 ID:30854 IpLen:20 DgmLen:40 DF
    ***A**** Seq: 0x747D7EE0  Ack: 0x866AE7FE  Win: 0x4470  TcpLen: 20
NOTE: The x.x.x.x would be actual IP addresses. If you receive an error, verify that WinPcap is installed correctly, or uninstall and reinstall it.
- Hold down the <Ctrl> and <C> keys on the keyboard to kill the instance of Snort.
- At the same prompt type in `snort -c C:\Snort\snort.conf -l C:\Snort\log -i2` and press Enter. This will start Snort using the rules file C:\Snort\snort.conf and will log to the directory C:\Snort\Logs the traffic on network interface 1.
- You should see something similar to this: [Screenshot: Snort startup output]
NOTE: The blank space after "sensor name" would be the name of the host.
- Look in the log directory C:\Snort\log for the log file that should be created, named alert.ids.
- Press <Ctrl>+<C> to kill the process.
NOTE: Th
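To make the verbose output and the HOME_NET setting concrete, here is an added Python example (not code from the original report) that parses the packet header `snort -v` prints in the layout shown above and checks whether either endpoint falls inside a HOME_NET value written the way snort.conf expects: "any", a single x.x.x.1/32 style entry, or the bracketed list the NOTE on network variables mentions. The sample header, the addresses (filled in from the ACID screenshots in this report) and the HOME_NET values are constructed for this example.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample of the packet header that "snort -v" prints, in the layout shown
# in the Test Snort step; the x.x.x.x placeholders are filled with addresses taken from
# the ACID screenshots elsewhere in this report.
SAMPLE_HEADER = (
    "04/02-16:16:36.588218 192.168.0.129:21472 -> 192.168.0.112:80\n"
    "TCP TTL:126 TOS:0x0 ID:30854 IpLen:20 DgmLen:40 DF\n"
    "***A**** Seq: 0x747D7EE0  Ack: 0x866AE7FE  Win: 0x4470  TcpLen: 20\n"
)

_ADDR_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# TCP detail line: eight flag positions (***A**** = ACK only), then Seq/Ack/Win.
_TCP_RE = re.compile(r"^(?P<flags>[*A-Z]{8})\s+Seq:\s*0x[0-9A-Fa-f]+")

PacketHeader = namedtuple("PacketHeader",
                          "timestamp src sport dst dport proto ttl flags")


def parse_header(text: str) -> PacketHeader:
    """Parse the first lines of one snort -v packet record."""
    lines = text.strip().splitlines()
    m = _ADDR_RE.match(lines[0])
    if not m:
        raise ValueError("not a snort -v address line: %r" % lines[0])
    proto, *fields = lines[1].split()
    # TTL:126 TOS:0x0 ID:30854 ... become a dict; bare tokens such as DF are skipped.
    kv = dict(f.split(":", 1) for f in fields if ":" in f)
    flags = ""  # stays empty for non-TCP records
    if proto == "TCP" and len(lines) > 2:
        t = _TCP_RE.match(lines[2])
        flags = t.group("flags") if t else ""
    return PacketHeader(m["ts"], m["src"], int(m["sport"]), m["dst"],
                        int(m["dport"]), proto, int(kv["TTL"]), flags)


def touches_home_net(hdr: PacketHeader, home_net: str) -> bool:
    """True if either endpoint lies in HOME_NET, written as in snort.conf: "any",
    a single x.x.x.1/32 style CIDR, or a bracketed comma-separated list."""
    if home_net.strip() == "any":
        return True
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in home_net.strip().strip("[]").split(",")]
    return any(ipaddress.ip_address(a) in n for a in (hdr.src, hdr.dst) for n in nets)
```

Running it against a HOME_NET of x.x.x.1/32 for a host that is not an endpoint of the packet returns False, which is the "no alerts" symptom the Home Address Range section warns about when the mask is wrong.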
33. ...yer with full analysis of over 70 widespread protocols. We downloaded CommView 5.1 from the following link: http://www.download.by.net/network-and-internet/network-monitoring/21450-commview-dl.html. To install CommView, after extracting we just need to double-click the exe file and it will guide us through the Windows installer wizard. We downloaded this software on the other PC, from which we will be sending packets to the machine where Snort, ACID, MySQL and PHP reside.

TESTING THE TOTAL SYSTEM

Preparing the test bed
Equipment:
1. Laptop 1: Intel Centrino 1.5 GHz, 512 MB RAM, 2 MB L2 cache, 60 GB hard disk. Software installed:
   - Windows XP Home Edition SP2
   - CommView 5.1
2. Laptop 2: Pentium 4 1.5 GHz, 256 MB RAM, 60 GB hard drive. Software installed:
   - Windows XP Professional SP2
   - MySQL Server 4.1
   - DBTools Manager Professional 3.1
   - PHP 4.3.9
   - SNORT 2.4.3
   - PHPLOT 5.0rc1
   - JpGraph 1.20.3
   - ACID 0.9.6b21
3. D-Link Ethernet Broadband Router, model DI-740UP.

Step 1: Generate Packet in Laptop 1
- Open CommView.
- Go to Tools > Packet Generator. A window like the one below will open:
[Screenshot: CommView Packet Generator window ("... NIC - Packet Scheduler Miniport"), hex view of the packet, Templates ICMP/TCP/UDP, Packet size 75, Packets per second 5000, time(s) field, Send button]
- Select the type of packet (TCP/UDP/ICMP).