Intrusion Detection System Using SNORT & BASE (Basic Analysis and Security Engine)
Prepared By:
Tahira Farid
&
Anitha Prahladachar
Course: 60-564
Winter 2006
Outline
• Introduction to BASE
• IDS test-bed
• Installing and Configuring Necessary Prerequisites
• Installing and Configuring BASE
• Generating Signatures
• Results
• Acknowledgments
• References
Introduction to BASE
• ACID
– No longer maintained
– Hasn’t been updated for 3 years
• BASE
– BASE is actively updated and revised.
– Has 200 bug fixes in it.
– Brings pages up faster
– Provides more queries (i.e. today's unique alerts, last 24/72 hours alerts, etc.)
IDS test-bed
MySQL
• 2 ways
– Download from www.mysql.com
– From the Fedora Core 4 installation CD
Go to Desktop → System Settings → Add/Remove Programs → MySQL
Select the following components:
• MyODBC
• mod_auth_mysql
• mysql-devel
• mysql-server
• perl-DBD-MySQL
• php-mysql
Apache 2.2.0
• To install:
– ./configure
– make
– make install
PHP 4.4.2
Configure php.conf
ADOdb
SNORT
Configuring SNORT
• groupadd snort
• useradd -g snort snort
• Create directories:
– /etc/snort
– /etc/snort/rules
– /var/log/snort
• Copy the ‘rules’ directory from the ‘snort2.3.0’ source directory to ‘/etc/snort/rules’
Configuring snort.conf
To create tables
• mysql -u root -p < ~/snortinstall/snort-2.3.0/schemas/create_mysql snort
• Enter password: the MySQL root password
PEAR Modules
• chkconfig httpd on
• chkconfig mysqld on
• service httpd start
• service mysqld start
• /usr/local/apache2/bin/apachectl -k start
• snort -dev -l /var/log/snort -h 137.207.234.73/32 -c /etc/snort/snort.conf
Configuring BASE
http://sourceforge.net/project/showfiles.php?group_id=103348
• cp base-1.2.tar.gz /var/www/html/
• cd /var/www/html
• tar -xvzf base-1.2.tar.gz
• cd /var/www/html/base/
• cp base_conf.php.dist base_conf.php
• cd
• cp -r /var/www/html/base-1.2 /usr/local/apache2/htdocs/
Ethernet layer header
Results
• Before sending signatures from HOST A, run Snort on HOST B
• In MySQL, check: select * from signature;
Results (cont.)
Results (cont.)
• Unique Alerts
Results (cont.)
• The links to the left of each signature connect to different signature databases to provide more detailed information about that particular signature.
Results (cont.)
• The Source/Destination IP link brings up a summary that includes:
• How many times that IP was logged as a source or destination
• First and last time that IP was logged
• Links to external web-based tools that provide DNS and Whois look-up services.
Results (cont.)
• The Source/Destination Ports link displays a summary of
• ports and number of occurrences
• time first seen and time last seen.
• Each listed port number is a hyperlink to the SANS Internet Storm Center (http://isc.sans.org) for that port number.
Results (cont.)
• Creating Alert Groups
• Group event information into user-defined categories for easy perusal.
Results (cont.)
• Specify signatures for different AGs
Results (cont.)
• Graph from Alert Data
Results (cont.)
• Graph from Alert Detection Time to identify periods of heavy activity
Results (cont.)
• The Search Function quickly searches the database for given criteria and presents the results in an ordered fashion.
• Allowable search criteria include Alert Group, Signature, and Alert Time.
• The results can be ordered by timestamp, signature, source IP, or destination IP.
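The unique-alerts and port-summary views shown in the results are SQL queries over the tables that create_mysql set up. As an added example (not from these slides or from BASE's own code), the following Python reproduces two of those queries over a constructed in-memory SQLite copy of a simplified subset of that schema; the column subset, the SQLite types and the sample alert rows are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed reference time so the "last 24 hours" window is deterministic.
NOW = datetime(2006, 3, 15, 12, 0, 0)

def open_alert_db():
    """In-memory copy of three Snort DB tables BASE reads, simplified from
    the create_mysql schema (assumption: column subset, SQLite types)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                                sig_priority INTEGER, sig_sid INTEGER);
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                            timestamp TEXT, PRIMARY KEY (sid, cid));
        CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER,
                             tcp_dport INTEGER, PRIMARY KEY (sid, cid));""")
    # Constructed sample alerts: two sensors (sid), three signatures.
    db.executemany("INSERT INTO signature VALUES (?,?,?,?)", [
        (1, "ICMP PING", 3, 384), (2, "SCAN nmap TCP", 2, 628),
        (3, "WEB-MISC /etc/passwd", 1, 1122)])
    events = [(1, 1, 1, NOW - timedelta(hours=1)),
              (1, 2, 1, NOW - timedelta(hours=2)),
              (1, 3, 2, NOW - timedelta(hours=30)),  # older than 24 h
              (1, 4, 3, NOW - timedelta(minutes=10)),
              (2, 1, 3, NOW - timedelta(hours=23))]
    db.executemany("INSERT INTO event VALUES (?,?,?,?)",
                   [(s, c, g, t.strftime("%Y-%m-%d %H:%M:%S"))
                    for s, c, g, t in events])
    db.executemany("INSERT INTO tcphdr VALUES (?,?,?,?)",
                   [(1, 3, 40123, 22), (1, 4, 51000, 80), (2, 1, 51001, 80)])
    return db

def unique_alerts_last(db, hours=24):
    """Per-signature count and first/last seen within the last `hours`,
    i.e. the 'last 24 hours unique alerts' view."""
    since = (NOW - timedelta(hours=hours)).strftime("%Y-%m-%d %H:%M:%S")
    return db.execute("""
        SELECT s.sig_name, COUNT(*) AS n, MIN(e.timestamp), MAX(e.timestamp)
        FROM event e JOIN signature s ON s.sig_id = e.signature
        WHERE e.timestamp >= ? GROUP BY s.sig_id ORDER BY n DESC, s.sig_name""",
        (since,)).fetchall()

def dest_port_summary(db):
    """Destination port, occurrences, first/last seen (the ports summary)."""
    return db.execute("""
        SELECT t.tcp_dport, COUNT(*) AS n, MIN(e.timestamp), MAX(e.timestamp)
        FROM tcphdr t JOIN event e ON e.sid = t.sid AND e.cid = t.cid
        GROUP BY t.tcp_dport ORDER BY n DESC, t.tcp_dport""").fetchall()
```

Widening the window to 72 hours pulls the older nmap scan event back into the unique-alerts list, which is the difference between the 24- and 72-hour views.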
Results (cont.)
• User and Role Management
Results (cont.)
• Email Alerts
Acknowledgements
• We would like to thank Dr. Aggarwal for giving us this opportunity to handle such an industry standard level project.
• We would also like to thank all other groups for giving us valuable suggestions throughout the project.
References
• www.snort.org
• www.sourceforge.net
• http://www.rootsecure.net/content/downloads/pdf/snort_install_guide_fedora4.pdf
• http://www.sun.com/bigadmin/features/articles/snort_base.html
Thank You!!!!
Demo in Room 3144
Questions?
Tahira Farid (farid1@uwindsor.ca)
Anitha Prahladachar (chikker@uwindsor.ca)