A Simple Network IDS
- 1. 07/01/1307/01/13 11 A Simple Network IDSA Simple Network IDS Team Members:Team Members: Brian LappBrian Lapp Dominic ReresDominic Reres Bob WilsonBob Wilson Daniel CassieroDaniel Cassiero
- 3. 307/01/13 About the ProjectAbout the Project A demonstration of a simple IDS.A demonstration of a simple IDS. Can be used to secure and protect aCan be used to secure and protect a network.network. Policy enforcement.Policy enforcement. Snort Sensor IDS Console Relational Database
- 4. 407/01/13 ImplementationImplementation Windows XP Professional with SP2Windows XP Professional with SP2 Snort version 2.3.2Snort version 2.3.2 MySQL database version 4.1MySQL database version 4.1 ACID v .9.6b23ACID v .9.6b23 All components installed on a laptop forAll components installed on a laptop for convenience.convenience.
- 5. 507/01/13 Snort – The Open Source IDSSnort – The Open Source IDS Highly PortableHighly Portable (*NIX, BSD, Win32)(*NIX, BSD, Win32) Uses “Signatures”Uses “Signatures” Open SourceOpen Source
- 6. 607/01/13 Snort - FlowSnort - Flow Monitors network traffic in promiscuousMonitors network traffic in promiscuous modemode Packet has signature matchPacket has signature match Event is logged to databaseEvent is logged to database Alert appears on ACID consoleAlert appears on ACID console
- 7. 707/01/13 Snort – Data LoggingSnort – Data Logging Direct log fileDirect log file Database (MySQL,Database (MySQL, ORACLE, MSORACLE, MS SQL...)SQL...)
- 8. 807/01/13 DataData Data captured from lab networkData captured from lab network Attached snort sensor directly to CRJ LabsAttached snort sensor directly to CRJ Labs
- 9. 907/01/13 Snort LogSnort Log Log file format may be difficult to read.Log file format may be difficult to read. Sorting through events may be timeSorting through events may be time consuming.consuming.
- 10. 1007/01/13 AAnalysisnalysis CConsole foronsole for IIntrusionntrusion DDatabasesatabases GUI Frontend forGUI Frontend for logged datalogged data Human readable atHuman readable at a glancea glance Utilize relationalUtilize relational data.data.
- 11. 1107/01/13 SignaturesSignatures Link to signature description on consoleLink to signature description on console CVECVE BugtraqBugtraq SnortSnort
- 12. 1207/01/13 Console AnalysisConsole Analysis Easy analysis with coded regionsEasy analysis with coded regions Simple example showing an Alert eventSimple example showing an Alert event
- 13. 1307/01/13 Network IDS SolutionNetwork IDS Solution Open Source softwareOpen Source software Freely available to the publicFreely available to the public OverheadOverhead Configuration and setupConfiguration and setup Learning curveLearning curve
- 14. 1407/01/13 SummarySummary SnortSnort Network Sensor IDSNetwork Sensor IDS SignaturesSignatures MySQLMySQL Relational DatabaseRelational Database ACIDACID SO ConsoleSO Console Incident AlertIncident Alert
Editor's Notes
- #3: A need for network intrusion detection today
- #4: Created a self-contained demo NIDS on a laptop for the project.
- #5: Stuff that was used
- #9: Picture is the snort schema
- #12: Link gives a description of the vuln/exploit CVE – Common Vulnerabilities and Exploits Bugtraq – Common database of vulnerabilities and exploits ICAT – just an acronym…doesn’t stand for anything anymore hosted by NIST National Institute for Standards in Technology
- #13: Meta – Signature, time, sensor (Alert Group – ACID specific) IP – Source, Destination, IP Header info, FQDN (if DNS lookup available) TCP – Layer 4 information – TCP, UDP, ICMP sequence number Payload – the actual packet data
- #14: This project demonstrates a viable network IDS solution All of the software used was low-cost open source software – PRO Small learning curve - CON
- #15: Snort logs alerts to the MySQL database MySQL database is a relational database ACID reads the database and correlates it in an easily readable format.