
INTRUSION DETECTION SYSTEM: Implementation of an all-in-one IDS machine. Professor: Massimiliano Rak. Student: Pasquale Cirillo (Matr. A18/45).


1 INTRUSION DETECTION SYSTEM: Implementation of an all-in-one IDS machine. Professor: Massimiliano Rak. Student: Pasquale Cirillo (Matr. A18/45)

2 Summary
Course on Protocols and Security of Networked Systems – Academic Year 2011/12 – INTRUSION DETECTION SYSTEM – IMPLEMENTATION AND TEST

- Objective
- Security requirements
- Intrusion Detection Systems
  - IDS classification
- Sensor soft-hardening
- NIDS/IPS: Snort
  - Basic Analysis and Security Engine (BASE): Snort web interface
- Honeypot systems
  - Honeypot classification
  - Nepenthes
  - Amun
  - SURFids
- Antivirus installation
- Penetration test
  - Penetration testing software: Metasploit

3 Objective
- Implement a Distributed Intrusion Detection System based on the SURFcert IDS project
- Install a honeypot to support the IDS
- Test the system

Assumptions
- The Distributed Intrusion Detection System (D-IDS) considered is based on a client-server approach in which the client is called a sensor. These sensors often contain a honeypot and/or a passive analysis tool such as Snort.
- Here, however, we use an all-in-one machine to simplify the installation and configuration of the tools.

4 What is Security?
ISO definition: information security is all about protecting and preserving information, that is, protecting and preserving the confidentiality, integrity, authenticity, availability and reliability of information.

Security objectives: ensure the application of the CIA paradigm
- Confidentiality: the information must be accessible only to authorized users
- Integrity: the information must be modifiable only by authorized users; all other unauthorized access must be blocked
- Availability: the information must always be available to authorized users, at the times and in the modes provided by the security policies

5 Security Area
Bruce Schneier's definition (Secrets and Lies)
- Prevention: block any threat or attack
- Detection: prevention may fail; detection aims to identify attacks in progress
- Reaction: once an attack has been detected, respond to the attacker

Attack definition
An attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to, or make unauthorized use of, any tangible or intangible thing that has value to an organization.
- Passive attack: the attacker attempts to learn or make use of information from the system but does not affect system resources
- Active attack: the attacker attempts to alter system resources or affect their operation

6 IDS Definition
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activity or policy violations and produces reports to a management station.

IDS components
- Sensors: one or more sensors receive information from the network or from the monitored hosts
- Console: used to monitor the status of the network and hosts
- Engine: analyzes the data collected by the sensors in order to detect possible intrusions
- Database: the analysis engine relies on a database that stores the rules used to identify security breaches

7 CIDF
The Common Intrusion Detection Framework (CIDF) is an effort to develop protocols and application programming interfaces so that intrusion detection research projects can share information and resources, and so that intrusion detection components can be reused in other systems. Some of the ideas in CIDF encouraged the creation of an Internet Engineering Task Force (IETF) working group, the Intrusion Detection Working Group (IDWG).

CIDF components
CIDF views an intrusion detection system as a set of discrete components that communicate via message passing. The four kinds of components exchange data in the form of generalized intrusion detection objects (gidos), represented in a standard common format.

8 CIDF Components (continued)
- Event generators (E-boxes): obtain events from the larger computational environment outside the intrusion detection system and provide them, in the CIDF gido format, to the rest of the system
- Event analyzers (A-boxes): receive gidos from other components, analyze them, and return new gidos (which presumably represent some kind of synthesis or summary of the input events)
- Event databases (D-boxes): exist simply to give persistence to CIDF gidos
- Response units (R-boxes): consume gidos that direct them to carry out some action on behalf of other CIDF components, and carry it out; this includes killing processes, resetting connections, altering file permissions, etc.

9 IDS Classification
Sources
- NIDS – Network-Based IDS
- HIDS – Host-Based IDS
- Application-Based IDS
- Hybrid IDS

Detection mechanism
- Misuse detection
- Anomaly detection
- Protocol analysis

DIDS – Distributed IDS
IPS – Intrusion Prevention System

10 NIDS (1/2)
Objective: monitor a network segment
Functioning
- Change the operating mode of the network interface by placing it in promiscuous mode, so that it listens to every packet on the network segment
- Analyze all network traffic looking for matches with known attack signatures, or for statistically anomalous traffic

11 NIDS (2/2)
Detects
- Buffer overflows, format string attacks, transmission of suspicious files
- Port scanning, SYN attacks, attacks based on packet fragmentation
- Spoofed IP addresses
Disadvantages
- Cannot block the flow of packets while an attack is in progress
- Cannot inspect encrypted traffic
- Needs powerful hardware to handle high traffic volumes
- Problems with fragmented packets
- Detects intrusions but does not know their outcome
- Requires considerable resources to keep logs
- Requires frequent signature updates

12 HIDS
Objective: monitor and analyze a single host
Functioning
- Analysis of system logs, audit logs, security logs, system calls and changes to the file system
- For each monitored element its attributes are stored and a checksum is computed with a hash function; the current data are later compared with the stored checksum to detect tampering
Advantages
- Can tell whether an attack succeeded or not
- Can analyze encrypted messages
Disadvantages
- The HIDS itself is subject to attack
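The checksum mechanism described for the HIDS, as an added example (not code from the slides): a baseline of SHA-256 digests, sizes and permission bits is recorded for every file under a directory, and a later walk is compared against it. The sample tree and the three kinds of change are constructed inside demo(); the directory layout and the report format are this example's own choices.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files stay out of memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest, size and permission bits for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": file_digest(p),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
        }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two baselines.

    A file whose digest is unchanged but whose permission bits changed is still
    reported as modified: attribute changes are part of what a HIDS watches.
    """
    report = {"added": [], "removed": [], "modified": []}
    for name, attrs in current.items():
        if name not in baseline:
            report["added"].append(name)
        elif attrs != baseline[name]:
            report["modified"].append(name)
    for name in baseline:
        if name not in current:
            report["removed"].append(name)
    return report


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "shadow").write_text("root:*:15000:0:99999:7:::\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-original-binary")
        baseline = build_baseline(root)

        # 1. binary replaced by one of the same size: size alone would not catch it
        (root / "bin" / "ls").write_bytes(b"\x7fELF-trojaned-binary")
        # 2. new file dropped into bin
        (root / "bin" / "helper").write_bytes(b"\x7fELF-dropped")
        # 3. permission change with identical contents
        (root / "etc" / "passwd").chmod(0o666)
        # 4. file removed
        (root / "etc" / "shadow").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Running the script prints the added, removed and modified relative paths; in a real deployment the baseline would be stored off-host (or signed), since a compromised host can rewrite a local baseline as easily as the files it covers.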

13 Application IDS
Objective
- An application IDS works solely with the application itself
- They tend to be tailored to a specific product
Functioning
- The IDS reports when anomalous activity is detected, usually using the logs generated by the application

Hybrid IDS
- Also known as NNIDS (Network Node IDS), a hybrid IDS is network-based but installed on a single host
- It analyzes only the network traffic directed to the host itself
- Advantage: it can detect attacks in encrypted traffic before they cause an intrusion into the system

14 Misuse Detection
- To detect an intrusion it uses pattern matching algorithms, which are the true engine of the IDS
- The signature database is constantly updated
- All incoming packets are checked for a match with the signatures in the database
- Stateful pattern matching analysis is used to detect an attack whose string payload is split across multiple packets
Advantages
- Low number of false alarms
Disadvantages
- High computational load
- New attacks, for which no signature exists yet, are not recognized
- Frequent database updates required
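The difference between per-packet and stateful pattern matching from the slide above, as an added example that is not part of the presentation: the same signature set is run once over individual packets and once over the TCP stream reassembled by sequence number. The packets, flows and the two toy signatures are constructed here; real Snort signatures carry protocol and port context that this sketch omits.

```python
from dataclasses import dataclass

# Constructed signature set: pattern -> alert name.
SIGNATURES = {
    b"/bin/sh": "shell-path-in-payload",
    b"cmd.exe": "windows-shell-in-payload",
}


@dataclass(frozen=True)
class Packet:
    flow: tuple     # (src_ip, src_port, dst_ip, dst_port)
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def match_stateless(packets):
    """Per-packet matching: a signature split across two segments is missed."""
    hits = []
    for p in packets:
        for pat, name in SIGNATURES.items():
            if pat in p.payload:
                hits.append((p.flow, name))
    return hits


def reassemble(packets):
    """Group segments per flow, order them by sequence number and concatenate.

    Only contiguous data is kept: on a gap or overlap the stream is cut, which is
    where a real engine (Snort's stream5) applies its target-based policy.
    """
    flows = {}
    for p in packets:
        flows.setdefault(p.flow, []).append(p)
    streams = {}
    for flow, segs in flows.items():
        segs.sort(key=lambda s: s.seq)
        buf = b""
        expected = segs[0].seq
        for s in segs:
            if s.seq != expected:
                break
            buf += s.payload
            expected += len(s.payload)
        streams[flow] = buf
    return streams


def match_stateful(packets):
    """Stateful matching: signatures are searched in the reassembled stream."""
    hits = []
    for flow, data in reassemble(packets).items():
        for pat, name in SIGNATURES.items():
            if pat in data:
                hits.append((flow, name))
    return hits


# Constructed traffic: flow_a carries "/bin/sh" split across two segments that
# arrive out of order; flow_b carries "cmd.exe" inside a single segment.
FLOW_A = ("10.0.0.5", 40001, "10.0.0.10", 80)
FLOW_B = ("10.0.0.6", 40002, "10.0.0.10", 80)
SAMPLE_PACKETS = [
    Packet(FLOW_A, 1010, b"in/sh -c id"),
    Packet(FLOW_B, 500, b"POST /x HTTP/1.0\r\n\r\ncmd.exe"),
    Packet(FLOW_A, 1000, b"GET /?x=/b"),
]


def demo():
    return match_stateless(SAMPLE_PACKETS), match_stateful(SAMPLE_PACKETS)


if __name__ == "__main__":
    stateless, stateful = demo()
    print("per-packet:", stateless)
    print("stateful:  ", stateful)
```

The per-packet pass finds only the single-segment hit in flow_b; the stateful pass also finds the split string in flow_a, which is the case the slide's "string payload divided into multiple packets" refers to.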

15 Anomaly Detection
- Searches for abnormal behavior that differs from a model of the system's correct operation
- Requires a learning phase:
  - Self learning: the model is learned from examples
  - Programmed learning: requires in-depth mathematical knowledge to create the models
Advantages
- Very flexible technique, since it can detect unknown attacks
Disadvantages
- High number of false alarms

16 Protocol Analysis
- Based on checking traffic against the technical specifications of the protocols defined in the RFCs
- Generates an alarm for each violation of the standard protocol, e.g. a SYN flood attack
Advantages
- Fewer false alarms
Disadvantages
- Handling of ambiguities in the RFCs

17 DIDS
- Made up of sensors and a central monitoring system
- Each sensor generates logs that track attacks and sends them to the central system
- The central system collects the data and builds a global repository
- Communication between the sensors and the central system is protected by an encrypted VPN
Disadvantages
- Sensor heterogeneity requires a standard communication interface
- Inherits all the disadvantages of the IDS sensors

18 IPS
Evolution of the IDS
- To achieve prevention, in addition to the normal capabilities of an IDS, an IPS implements mechanisms to block malicious traffic in real time
Capabilities
- Block the intrusion through actions such as terminating a network connection
- Change the security policies when an attack is detected

19 System Architecture
- All-in-one machine: IP:
- Attacker: IP:

The all-in-one machine consists of a NIDS and two honeypots that are run alternately. BASE and SURFids have been installed to provide a web interface for analyzing the IDS logs. On the attacker machine the Metasploit penetration testing software has been used to perform a penetration test.

20 Sensor Soft-Hardening (1/2)
Set permission 500 on wget, curl, GET, links, ftp and telnet

  whereis wget curl GET links lynx ftp tftp telnet
  wget: /usr/bin/wget /usr/bin/X11/wget /usr/share/man/man1/wget.1.gz
  curl: /usr/bin/curl /usr/bin/X11/curl /usr/share/man/man1/curl.1.gz
  GET: /usr/bin/GET /usr/bin/X11/GET /usr/share/man/man1/GET.1p.gz
  links: /usr/bin/links /usr/bin/X11/links /usr/share/man/man1/links.1.gz
  lynx:
  ftp: /usr/bin/ftp /usr/bin/X11/ftp /usr/share/man/man1/ftp.1.gz
  tftp:
  telnet: /usr/bin/telnet /usr/bin/telnet.netkit /usr/bin/X11/telnet /usr/bin/X11/telnet.netkit /usr/share/man/man1/telnet.1.gz

  cd /usr/bin
  chmod 500 wget curl GET links ftp telnet.netkit

Install Rootkit Hunter and start a scan. Ref.:

Install the Fail2Ban script:
  apt-get install fail2ban

21 Sensor Soft-Hardening (2/2)
Configure /etc/fail2ban/fail2ban.conf: set the log file path to /var/log/fail2ban.log

Configure /etc/fail2ban/jail.conf (bantime in the [DEFAULT] section, the rest in the [ssh] jail):

  bantime = 3600

  [ssh]
  enabled = true
  port = ssh
  filter = sshd
  logpath = /var/log/auth.log
  maxretry = 3
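What the jail above does, as an added example and not code from the slides or from Fail2Ban itself: the sshd failure lines in a constructed auth.log are counted per source address, and a ban of bantime seconds is issued once maxretry failures fall inside a sliding window. maxretry = 3 and bantime = 3600 are taken from the slide; the 600-second window is Fail2Ban's default findtime and is an assumption here, as is the simplified sshd regex.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified version of the sshd failure pattern (constructed for this example).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(stamp: str, year: int = 2012) -> datetime:
    """Syslog timestamps carry no year; 2012 is assumed for the sample log."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def scan(lines, maxretry=3, findtime=timedelta(seconds=600),
         bantime=timedelta(seconds=3600)):
    """Return [(ip, ban_start, ban_end)] for every ban the jail would issue."""
    attempts = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    banned_until = {}
    bans = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue                 # already banned: the firewall rule drops it
        q = attempts[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()              # forget failures older than the window
        if len(q) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            q.clear()
    return bans


# Constructed /var/log/auth.log excerpt: one fast brute-force source, one
# legitimate key login, one source that fails only every 15 minutes.
SAMPLE_LOG = """\
Mar  3 10:00:01 ids sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:04 ids sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:00:05 ids sshd[2105]: Accepted publickey for pasquale from 192.0.2.10 port 40100 ssh2
Mar  3 10:00:09 ids sshd[2107]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:00:12 ids sshd[2109]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 10:30:00 ids sshd[2300]: Failed password for root from 198.51.100.9 port 33001 ssh2
Mar  3 10:45:00 ids sshd[2301]: Failed password for root from 198.51.100.9 port 33002 ssh2
Mar  3 11:00:00 ids sshd[2302]: Failed password for root from 198.51.100.9 port 33003 ssh2
""".splitlines()


def demo():
    """Bans for the sample log, with timestamps rendered as ISO strings."""
    return [(ip, start.isoformat(), end.isoformat())
            for ip, start, end in scan(SAMPLE_LOG)]


if __name__ == "__main__":
    for ip, start, end in demo():
        print(f"ban {ip} from {start} until {end}")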

22 SNORT (1/3)
- Snort® is an open source network intrusion prevention and detection system (IDS/IPS)
- It combines the benefits of signature, protocol, and anomaly-based inspection

Install Snort with MySQL support
  apt-get install snort-mysql

Configure /etc/snort/snort.conf
  # Setup the network addresses you are protecting
  ipvar HOME_NET /32
  ipvar EXTERNAL_NET !$HOME_NET
  # List of the ports you run web servers on
  portvar HTTP_PORTS 80
  # List of ports you want to look for SHELLCODE on
  portvar SHELLCODE_PORTS !80
  # Path to your rules files
  var RULE_PATH /etc/snort/rules
  # Target-based IP defragmentation
  preprocessor frag3_global: max_frags …

23 SNORT (2/3)
  # Detect anomalies
  preprocessor frag3_engine: policy linux detect_anomalies
  preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
  preprocessor stream5_tcp: policy linux, use_static_footprint_sizes
  # HTTP normalization and anomaly detection
  preprocessor http_inspect: global iis_unicode_map unicode.map 1252
  preprocessor http_inspect_server: server default profile all ports { } oversize_dir_length 500
  # FTP/Telnet normalization and anomaly detection
  preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
  preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
  # Portscan detection
  preprocessor sfportscan: proto { all } scan_type { all } memcap { } sense_level { high } logfile { pscan }
  # Database parameters
  output database: log, mysql, user=snort password=XXX dbname=snort host=localhost
  # Site specific rules
  include $RULE_PATH/local.rules
  include $RULE_PATH/badtraffic.rules
  include $RULE_PATH/exploit.rules
  ...
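The kind of decision the sfportscan preprocessor configured above makes, as an added example (not Snort code and not part of the slides): a source that sends SYNs to many distinct ports of one target inside a short window is flagged, and the threshold depends on the sensitivity level. The event records, the window and the SENSE_LEVEL thresholds are constructed for this example; Snort's real sense_level thresholds are internal to the preprocessor and are not reproduced here.

```python
from collections import defaultdict

# Constructed stand-in for sfportscan's sense_level: distinct ports per target
# that one source may touch inside the window before an alert is raised.
SENSE_LEVEL = {"low": 15, "medium": 10, "high": 5}


def detect_portscans(events, sense_level="high", window=60.0):
    """events: iterable of (ts_seconds, src_ip, dst_ip, dst_port, tcp_flags).

    Only bare SYNs are counted (the -sS scan in the slides never completes the
    handshake). One alert is raised per (src, dst) pair, the first time the
    number of distinct ports seen inside the window reaches the threshold.
    """
    threshold = SENSE_LEVEL[sense_level]
    history = defaultdict(list)          # (src, dst) -> [(ts, port), ...]
    alerted = set()
    alerts = []
    for ts, src, dst, dport, flags in sorted(events):
        if flags != "S":
            continue
        key = (src, dst)
        hist = history[key]
        hist.append((ts, dport))
        hist[:] = [(t, p) for t, p in hist if ts - t <= window]
        distinct = {p for _, p in hist}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": src, "dst": dst,
                "ports": sorted(distinct),
                "first": hist[0][0], "last": ts,
            })
    return alerts


# Constructed connection records: a normal client, a fast scanner, a slow prober.
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", "10.0.0.10", 80, "S"),
    (1.0, "192.0.2.10", "10.0.0.10", 443, "S"),
    (2.0, "192.0.2.10", "10.0.0.10", 80, "S"),
    (5.0, "203.0.113.7", "10.0.0.10", 21, "S"),
    (5.1, "203.0.113.7", "10.0.0.10", 22, "S"),
    (5.2, "203.0.113.7", "10.0.0.10", 25, "S"),
    (5.3, "203.0.113.7", "10.0.0.10", 80, "S"),
    (5.4, "203.0.113.7", "10.0.0.10", 135, "S"),
    (5.5, "203.0.113.7", "10.0.0.10", 445, "S"),
    (100.0, "198.51.100.9", "10.0.0.10", 21, "S"),
    (200.0, "198.51.100.9", "10.0.0.10", 22, "S"),
    (300.0, "198.51.100.9", "10.0.0.10", 25, "S"),
]


if __name__ == "__main__":
    for level in ("high", "medium"):
        print(level, detect_portscans(SAMPLE_EVENTS, level))
```

With sense_level high the scanner is reported after its fifth distinct port; with medium the same traffic produces no alert, and the slow prober never accumulates enough ports inside the window at either level. That trade-off between sensitivity and false alarms is exactly what the sense_level knob in snort.conf sets.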

24 SNORT (3/3)
Create the Snort database (the user@host targets and the passwords of the original statements were stripped from the transcript; <...> marks where they go)
  mysql -u root
  mysql> set password for root@localhost = password('<root-password>');
  mysql> create database snort;
  mysql> grant insert,select on root.* to snort@localhost;
  mysql> set password for snort@localhost = password('<snort-password>');
  mysql> grant create,delete,insert,select,update on snort.* to snort@localhost;
  mysql> grant create,delete,insert,select,update on snort.* to snort;
  mysql> exit

Download and import the Snort DB schema
  mysql -u root -p -D snort < create_mysql

Create an init script in /etc/init.d
  #!/bin/sh -e
  snort -c /etc/snort/snort.conf -D -u snort -g snort -y

Start Snort
  snort -c /etc/snort/snort.conf -D -u snort -g snort -y

25 BASE (1/2)
BASE (Basic Analysis and Security Engine) is a web interface for analyzing the intrusions that Snort has detected on the network.

Download BASE and install it in the web server webroot (run from the extracted BASE directory)
  mkdir /var/www/base
  mv * /var/www/base

Install dependencies
  apt-get install libphp-adodb php5-gd php-pear
  pear install Image_Color
  pear install Image_Canvas-alpha
  pear install Image_Graph-alpha

Download and install ADOdb (database abstraction library for PHP). Ref.:

26 BASE (2/2)
Configure base_config.php
  mv base_conf.php.dist base_config.php

  $BASE_urlpath = "/base";
  $DBlib_path = "/var/www/adodb/";
  $DBtype = "mysql";
  $alert_dbname = "snort";
  $alert_host = "localhost";
  $alert_port = "";
  $alert_user = "snort";
  $alert_password = "passwd_snortdb";

Add the dynamic extensions in /etc/php5/apache2/php.ini
  extension=mysql.so
  extension=gd.so

Restart Apache2 and start BASE

27 Honeypot
Honeypot: "honey jar"
What is a honeypot?
- Hardware or software that works as bait or a trap for potential hackers or malware
- Provides services that are open and visible from the Internet and easy to break into
- Identifies and analyzes attacks, intrusion techniques, system flaws and malicious code
Advantages
- Quality and quantity of the information it collects
- Low number of false positives compared to an IDS
Disadvantages
- Honeypots may themselves be compromised and can therefore bring risk to the infrastructure that hosts them

28 Honeypot Classification
Scope
- Production honeypots: used to protect organizations in real production operating environments. They are deployed alongside data networks or IT infrastructures and are subject to constant attacks 24/7
- Research honeypots: not deployed with the objective of protecting networks. They are educational resources of a demonstrative and research nature, aimed at studying all sorts of attack patterns and threats
Interaction level
- Low-interaction honeypots: work exclusively by emulating operating systems and services. The attacker's activities are limited by the honeypot's level and quality of emulation
- High-interaction honeypots: a more complex solution, because they involve real operating systems and real applications deployed on real hardware, without emulation software

29 Considerations on Honeypots
Advantages
- Clean logs
- Minimal resources when it offers emulated services
- The true value of a honeypot for a company is shown when it demonstrates that the security systems adopted have not been enough to keep out the bad guys
Disadvantages
- Cannot detect events of which it is not the target
- It is a system designed to be attacked; if not well configured and isolated it can become a point of access for the attacker
- Disabling: the attacker disables the honeypot and/or changes the log files
- Violation: the attacker is able to use the honeypot to carry out illegal activities

30 Nepenthes (1/4)
- Nepenthes is a low-interaction honeypot and a versatile tool for collecting malware
- It acts passively, emulating known vulnerabilities and downloading the malware that tries to exploit them

Install Nepenthes
  apt-get install nepenthes

Configure /etc/nepenthes/nepenthes.conf
  # need to add the sqlhandler and log-surfnet lines
  // SQL handler
  "sqlhandlerpostgres.so", "", ""
  // logging
  "logdownload.so", "log-download.conf", ""
  // "logirc.so", "log-irc.conf", ""   // needs configuration
  "logsurfnet.so", "log-surfnet.conf", ""   // needs configuration
  …

31 Nepenthes (2/4)
  …
  # Active preferred vulnerability modules
  "vulnbagle.so", "vulnbagle.conf", ""
  "vulndameware.so", "vulndameware.conf", ""
  "vulndcom.so", "vulndcom.conf", ""
  "vulnftpd.so", "vulnftpd.conf", ""
  "vulniis.so", "vulniis.conf", ""
  …

Configure /etc/nepenthes/vulniis.conf
  vulniis
  {
    ports ("443","8080");
    accepttimeout "30";
  };

Modify /etc/nepenthes/log-surfnet.conf
  server " ";   // must be ip
  user "nepenthes";
  pass "password";
  db "idsserver";

32 Nepenthes (3/4)
Create an init script in /etc/init.d
  #!/bin/sh
  # stop any nepenthes instance that is already running, then start a fresh one
  check=`ps -ef | grep -v grep | grep -v init.d | grep -v postgres | grep nepenthes | wc -l`
  echo "CHECK: $check"
  if [ "$check" -ne 0 ]; then
    neppid=`ps -ef | grep -v grep | grep -v init.d | grep -v postgres | grep nepenthes | grep none | awk '{print $2}' | head -n1`
    echo "PID: $neppid"
    kill -9 "$neppid"
  fi
  /bin/nepenthes -u nepenthes -g nepenthes -l none -R -D --chroot=/etc/nepenthes

Start Nepenthes
  nepenthes -u nepenthes -g nepenthes -l none -R -D --chroot=/etc/nepenthes

33 Nepenthes (4/4)
The attacker starts nmap
  nmap -sS -PN -v

  Starting Nmap 5.21 ( ) at :23 CET
  Initiating ARP Ping Scan at 23:23
  Scanning [1 port]
  Completed ARP Ping Scan at 23:23, 0.04s elapsed (1 total hosts)
  Initiating Parallel DNS resolution of 1 host. at 23:23
  Completed Parallel DNS resolution of 1 host. at 23:23, 0.04s elapsed
  Initiating SYN Stealth Scan at 23:23
  Scanning [1000 ports]
  Discovered open port 1025/tcp on
  Discovered open port 135/tcp on
  Discovered open port 445/tcp on
  Discovered open port 143/tcp on
  Discovered open port 139/tcp on
  Discovered open port 80/tcp on
  Discovered open port 110/tcp on
  Discovered open port 443/tcp on
  Discovered open port 8080/tcp on
  Discovered open port 993/tcp on
  Discovered open port 2105/tcp on
  Discovered open port 10000/tcp on
  Discovered open port 465/tcp on
  Discovered open port 3372/tcp on
  Discovered open port 2107/tcp on
  …
  Completed SYN Stealth Scan at 23:23, 1.17s elapsed (1000 total ports)
  Nmap scan report for
  Host is up ( s latency).
  Not shown: 976 closed ports
  PORT      STATE SERVICE
  21/tcp    open  ftp
  22/tcp    open  ssh
  25/tcp    open  smtp
  42/tcp    open  nameserver
  80/tcp    open  http
  110/tcp   open  pop3
  135/tcp   open  msrpc
  139/tcp   open  netbios-ssn
  143/tcp   open  imap
  443/tcp   open  https
  445/tcp   open  microsoft-ds
  465/tcp   open  smtps
  993/tcp   open  imaps
  995/tcp   open  pop3s
  1023/tcp  open  netvenuechat
  1025/tcp  open  NFS-or-IIS
  2103/tcp  open  zephyr-clt
  …

34 Amun (1/4)
- Amun is a low-interaction Python honeypot
- It has a modular implementation like Nepenthes: Amun Kernel, Request Handler, Vulnerability Modules, Shellcode Analyzer, Download Modules, Logging Modules

Install Amun
  # need to install some more python modules (PostgreSQL adapter for the Python programming language)
  apt-get install python-psycopg2
  # download the package from the subversion repository of Amun
  cd /opt/
  svn co https://amunhoney.svn.sourceforge.net/svnroot/amunhoney amunhoney
  cd /opt/amunhoney

35 Amun (2/4)
Configure /opt/amunhoney/conf/amun.conf
  # if you also run other honeypot comment out the modules listening on the same ports
  ### define ports for vulnerability modules ### (can be changed while running)
  # You will also need to uncomment the modules in the vuln_modules section:
  vuln_modules:
  # vuln-ms08067,
  …

SURFids: in the log_modules section uncomment the log-surfnet module
  ### define logging modules
  log_modules:
  log-surfnet
  # log-syslog

Configure /opt/amunhoney/conf/log-surfnet.conf
  [Log-Surfnet]
  sensorIP: …

36 Amun (3/4)
  …
  PGHost: enter-ip-database
  PGPort: 5432
  PGUser: nepenthes
  PGPass: enter-your-password
  PGDB: idsserver

Download binaries to the normal SURFids location
  cd /opt/amunhoney/malware
  mv md5sum md5sum.orig
  ln -s /opt/surfnetids/binaries md5sum
  # change the file /opt/amunhoney/submit_modules/submitmd5/submit_md5.py
  # modify   filename = "malware/md5sum/%s.bin" % (md5hash)
  # into     filename = "malware/md5sum/%s" % (md5hash)

Start Amun
  ./amun_server.py

37 Amun (4/4)
The attacker starts nmap
  nmap -sS -PN -v

  Starting Nmap 5.21 ( ) at :18 CET
  Initiating ARP Ping Scan at 18:18
  Scanning [1 port]
  Completed ARP Ping Scan at 18:18, 0.01s elapsed (1 total hosts)
  Initiating Parallel DNS resolution of 1 host. at 18:18
  Completed Parallel DNS resolution of 1 host. at 18:18, 0.05s elapsed
  Initiating SYN Stealth Scan at 18:18
  Scanning [1000 ports]
  Discovered open port 23/tcp on
  Discovered open port 443/tcp on
  Discovered open port 1025/tcp on
  Discovered open port 80/tcp on
  Discovered open port 8080/tcp on
  Discovered open port 587/tcp on
  Discovered open port 143/tcp on
  Discovered open port 110/tcp on
  Discovered open port 22/tcp on
  Discovered open port 139/tcp on
  Discovered open port 445/tcp on
  Discovered open port 554/tcp on
  Discovered open port 42/tcp on
  Discovered open port 1023/tcp on
  Discovered open port 1080/tcp on
  Completed SYN Stealth Scan at 18:18, 1.31s elapsed (1000 total ports)
  Nmap scan report for
  Host is up ( s latency).
  Not shown: 966 closed ports
  PORT     STATE SERVICE
  21/tcp   open  ftp
  22/tcp   open  ssh
  23/tcp   open  telnet
  25/tcp   open  smtp
  42/tcp   open  nameserver
  80/tcp   open  http
  110/tcp  open  pop3
  135/tcp  open  msrpc
  139/tcp  open  netbios-ssn
  143/tcp  open  imap
  443/tcp  open  https
  445/tcp  open  microsoft-ds
  554/tcp  open  rtsp
  587/tcp  open  submission
  617/tcp  open  sco-dtmgr
  …

38 SURFIDS
SURFids is a distributed intrusion detection framework based on the following rules:
- The sensor should run out of the box
- The sensor should be completely passive and therefore maintenance free
- The D-IDS should not generate any false positive alerts
- A sensor should be able to run in a standard LAN
- It should be possible to compare statistics generated by sensors and groups of sensors

- The detection tools are installed on a central server (called the tunnel server)
- Distributed sensors connect to the tunnel server and tunnel all their layer 2 and higher traffic to it
- All information is presented to the users by a web interface (logging server)

39 SURFIDS Components
Tunnel/honeypot server
- The tunnel end-point on the server is called a tap device
- The tap device is a virtual interface that delivers the traffic from the tunnel on the server. It receives an IP address from the client network's address pool, which makes the server virtually present in the client network
Sensor
- The only purpose of the sensor is to be a transparent bridge between the client network and the tunnel/honeypot server
- The sensor manages the creation and destruction of the tunnel used to connect the tunnel/honeypot server to the client network
Logging server
- The logging server consists of two parts: the database and a web interface
- The database stores the analysis information from the honeypot server; this information is presented to the users by the web interface

40 SURFIDS Installation (1/6)
Logging server installation
  # add the SURFids key to your local key chain
  wget -q -O- | sudo apt-key add -
  # create a file /etc/apt/sources.list.d/surfids.list with the content:
  deb lenny main
  # to start the SURFids logging server installation we use apt-get
  apt-get update
  apt-get install surfids-logserver sendmail sendmail-bin

The installer then asks to:
- Set the database host
- Insert the admin database user
- Create a PostgreSQL user: sudo -u postgres createuser -s -d -r -P
- Set the admin user password
- Set the database listening port
- Set the database name
- Set the SURFids database user and the SURFids user password
- Set the nepenthes, p0f and argos user passwords
- Download the latest GeoIP database

41 SURFIDS Installation (2/6)
Logging server configuration
  # configuration file is located at /etc/surfnetids/surfnetids-log.conf
  #######################
  # Database connection #
  #######################
  # User info for the logging user in the postgresql database
  $c_pgsql_pass = "enter_password_here";
  $c_pgsql_user = "idslog";
  # Postgresql database info
  $c_pgsql_host = "localhost";
  $c_pgsql_dbname = "idsserver";
  # The port number where the postgresql database is running on
  $c_pgsql_port = "5432";
  # Enable or disable the download option of binaries in the webinterface
  $c_download_binaries = 1;
  #######################
  # GeoIP Location Info #
  #######################
  # Enable GeoIP location database to enable source IP country identification.
  $c_geoip_enable = 1;
  …

42 SURFIDS Installation (3/6)
  …
  # The key used for the Googlemap API
  $c_googlemap_key = "enter_googlemap_key_here";
  # Generate a GnuPG key used to sign mail-reports:  gpg --gen-key
  # and insert the key in
  # Maillog GNUPG passphrase.
  $c_passphrase = "enter_gnupg_passphrase_here";
  #################
  # Sandbox
  #################
  # Settings needed to retrieve the Norman reports from the mailbox they were sent to
  # login credentials
  $c_mail_username = ' _username';
  $c_mail_password = ' _pass';
  # mailhost and port
  $c_mail_mailhost = 'mailhost';
  $c_mail_port = '995';

Replace the enter_database_pass_here text with the actual password needed to connect to the database in /opt/surfnetids/webinterface/.htaccess

43 SURFIDS Installation (4/6)
Tunnel server installation
  # Add the Dapper repository in sources.list:
  deb / hardy main universe
  # to start the SURFids tunnel server installation we use apt-get
  apt-get update
  apt-get install surfids-tunnel

The installer then asks to:
- Set the OpenVPN key size
- Insert the attributes for the certificates
- Set the xinetd listening address
- Set the IP address of the tunnel server that accepts the OpenVPN connections
- Set the password used by the sensor to communicate with the tunnel server

Tunnel server configuration
  # configuration file is located at /etc/surfnetids/surfnetids-tn.conf
  ####################
  # SURF IDS Options #
  ####################
  # The root directory for the SURF IDS files (no trailing forward slash).
  $c_surfidsdir = "/opt/surfnetids";
  …

44 SURFIDS Installation (5/6)
  …
  #######################
  # Database connection #
  #######################
  # User info for the logging user in the postgresql database
  $c_pgsql_pass = "enter_password_here";
  $c_pgsql_user = "idslog";
  # Postgresql database info
  $c_pgsql_host = "enter_database_servername_here";
  $c_pgsql_dbname = "idsserver";
  # The port number where the postgresql database is running on.
  $c_pgsql_port = "5432";
  ################
  # Mail logging #
  ################
  # Maillog From: address. This is the addres that appears in the From header.
  $c_from_address = 'enter_ _address_here';
  # Maillog GNUPG passphrase.
  $c_passphrase = "enter_GNU_passphrase_here";
  # Prefix for the subject of reports
  $c_subject_prefix = "[SURF IDS] ";

45 SURFIDS Installation (6/6)
Add the local static sensor to the SURFids database
  cd /opt/surfnetids/logtools
  ./localsensor.pl -p /opt/surfnetids/logtools/localsensor.pl -i eth0 -s Nepenthes -o Evil_Sensor

Open the web interface available at /surfnetids/

46 AV Installation (1/3)
Local scan of suspicious files with F-Prot, Avast and ClamAV

Create a directory
  cd /opt
  mkdir scanner
  cd scanner

Install ClamAV
  apt-get install unzip libwww-perl
  apt-get -y install clamav
  freshclam

Install F-Prot
  # Download fp-Linux.x86.32-ws.tar.gz from the F-Prot official website
  tar -xvf fp-Linux.x86.32-ws.tar.gz
  cd f-prot
  ./install-f-prot.pl

47 AV Installation (2/3)
Install Avast
  # Download avast4workstation tar.gz from the Avast official website
  tar -xvf avast4workstation tar.gz
  # Download avast4workstation_ _i386.deb from the Avast official website
  dpkg -i avast4workstation_ _i386.deb
  sysctl -w kernel.shmmax=
  # Avast requires a free registration to work

Configure /opt/surfnetids/scripts/scanbinaries.pl
  ####################
  # Define scanners
  ####################
  $scanners->{"F-Prot"} = {
      'cmd'       => "/opt/scanner/f-prot/fpscan -v 2 --report --adware",
      'update'    => "/opt/scanner/f-prot/fpupdate",
      'version'   => "/opt/scanner/f-prot/fpscan --version | grep \"F-PROT Antivirus version\" | awk -F'(' '{print \$1}' | awk '{print \$NF}'",
      'batchmode' => 0,
  };
  …

48 AV Installation (3/3)
  …
  $scanners->{"AVAST"} = {
      'cmd'       => "/opt/scanner/avast4workstation-1.3.0/bin/avast -n",
      'update'    => "/opt/scanner/avast4workstation-1.3.0/bin/avast-update",
      'version'   => "/opt/scanner/avast4workstation-1.3.0/bin/avast --version | head -n1 | awk -F\"avast \" '{print \$2}'",
      'batchmode' => 1,
  };
  $scanners->{"ClamAV"} = {
      'cmd'       => "clamscan --no-summary",
      'update'    => "freshclam",
      'version'   => "clamscan --version | awk '{print \$2}' | awk -F\"/\" '{print \$1}'",
      'batchmode' => 0,
  };

Add to the crontab
  00,30 * * * * /opt/surfnetids/scripts/scanbinaries.pl >/dev/null

49 Metasploit: Penetration Test Software
- Metasploit® software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments
- It can be downloaded for free
- Install it on the attacker machine and test the all-in-one machine:
  - Discover open ports
  - Exploit the target system (requires registration)

50 Metasploit: Testing Nepenthes (screenshots not preserved in the transcript)

51 Metasploit: Testing Nepenthes (screenshots not preserved in the transcript)

52 Metasploit: Testing Amun (screenshots not preserved in the transcript)

53 Metasploit: Testing Amun (screenshots not preserved in the transcript)

