Intrusion Detection System using SNORT & BASE (Basic Analysis and Security Engine)
Prepared By: Tahira Farid & Anitha Prahladachar
Course: 60-564, Winter 2006
Outline
• Introduction to BASE
• IDS test-bed
• Installing and Configuring Necessary Prerequisites
• Installing and Configuring BASE
• Generating Signatures
• Results
• Acknowledgments
• References
Introduction to BASE
• Basic Analysis and Security Engine
• Successor to ACID (Analysis Console for Intrusion Databases)
• Developed by Roman Danyliw at the CERT Coordination Center as part of the AirCERT (Automated Incident Reporting) project.
• Actively maintained and supported by a team of volunteers led by Kevin Johnson and Joel Esler.
Introduction to BASE (cont.)
• Provides a web front-end to query and analyze the alerts coming from a Snort IDS.
• Can search and process databases containing security events logged by Snort.
• Written in PHP.
• Can graphically display both layer-3 and layer-4 packet information.
Introduction to BASE (cont.)
• Current version (as of Winter 2006) is BASE 1.2.
• The search interface can query on:
  – Alert information: sensor, alert group, signature, classification and detection time
  – Packet data: source/destination addresses, ports, packet payload and flags
Introduction to BASE (cont.)
• Provides easy management of alert data: the administrator can categorize alerts into alert groups and delete false positives or previously handled alerts.
• Can export alert data to an email address for administrative notification.
• Supports user logins and roles, allowing an administrator to control what is seen through the web interface.
BASE vs. ACID
• ACID
  – No longer maintained; has not been updated for 3 years (as of 2006).
• BASE
  – Actively updated and revised.
  – Includes 200 bug fixes.
  – Brings pages up faster.
  – Provides more queries (e.g. today's unique alerts, alerts in the last 24/72 hours).
IDS test-bed
Host B (Destination, sensor):
  OS: Fedora Core 4
  Software: Snort, BASE, Ethereal, MySQL, PHP, Apache
Host A (Source):
  OS: Windows XP
  Software: Ethereal, CommView
Installing and Configuring Necessary Prerequisites
• For the IDS to function we install and configure the following components:
  – MySQL
  – Apache httpd 2.2.0
  – php-4.4.2
  – ADOdb 4.60 (adodb460)
  – snort-2.4.3
  – pcre-5.0
  – PEAR modules
  – base-1.2
MySQL
• Two ways to install:
  – Download from www.mysql.com
  – From the Fedora Core 4 installation CD: Desktop > System Settings > Add/Remove Programs > MySQL, and select the following components:
    • MyODBC
    • mod_auth_mysql
    • mysql-devel
    • mysql-server
    • perl-DBD-MySQL
    • php-mysql
Apache 2.2.0
• Download Apache httpd server version 2.2.0 from http://httpd.apache.org
• To install (the default prefix is /usr/local/apache2, which the paths on the following slides assume):
  – ./configure
  – make
  – make install
PHP 4.4.2
• Download PHP 4.4.2 from http://www.php.net
• Extract the source code in /usr/local/src
• Configure command:
  – ./configure --with-mysql --with-apxs2=/usr/local/apache2/bin/apxs --with-gd --with-zlib
• make
• make install
Configure php.conf
• In /usr/local/apache2/conf/httpd.conf add the line:
  – Include conf.d/*.conf
• mkdir /usr/local/apache2/conf.d
• Create php.conf in conf.d containing:
  – LoadModule php4_module modules/libphp4.so
  – <Files *.php>
  –   SetOutputFilter PHP
  –   SetInputFilter PHP
  –   LimitRequestBody 9524288
  – </Files>
  – AddType application/x-httpd-php .php
  – AddType application/x-httpd-php-source .phps
  – DirectoryIndex index.php
• The .phps handler serves syntax-highlighted PHP source for any file with that extension. BASE does not need it, so the line can be left out on a sensor.
ADOdb
• A performance-conscious database abstraction layer for PHP.
• BASE needs ADOdb to communicate with MySQL.
• Download from http://unc.dl.sourceforge.net/sourceforge/adodb/adodb460.tgz
• Extract adodb in /usr/local/apache2/htdocs. BASE loads it by filesystem path ($DBlib_path), so it can equally be placed outside the document root where Apache cannot serve it.
SNORT
• Create a directory snortinstall
• Download and unpack http://www.snort.org/dl/snort2.4.3.tar.gz
• Download and unpack http://umn.dl.sourceforge.net/sourceforge/pcre/pcre-5.0.tar.gz
• Install PCRE (Perl Compatible Regular Expressions) first, since Snort's configure requires it:
  – ./configure
  – make
  – make install
• Then install Snort:
  – ./configure
  – make
  – make install
Configuring SNORT
• groupadd snort
• useradd -g snort snort
• Create directories:
  – /etc/snort
  – /etc/snort/rules
  – /var/log/snort
• Copy the rules directory from the unpacked snort-2.4.3 source to /etc/snort/rules
• Give the snort account ownership of /var/log/snort so that Snort can drop root privileges to it after opening the capture interface.
Configuring snort.conf
• var HOME_NET 10.2.2.0/32
• var EXTERNAL_NET !$HOME_NET
• var RULE_PATH /etc/snort/rules
• output database: log, mysql, user=snort password=snort dbname=snort host=localhost
• output database: alert, mysql, user=snort password=snort dbname=snort host=localhost
• Note that a /32 mask matches only the single address 10.2.2.0; a /24 would cover the whole 10.2.2.0 network.
• The database password sits in cleartext in snort.conf, so keep the file readable only by root and the snort account, and do not reuse the user name as the password outside a lab.
Setting up database in MySQL
• mysql
• SET PASSWORD FOR root@localhost = PASSWORD('passwd');
• CREATE DATABASE snort;
• SET PASSWORD FOR snort@localhost = PASSWORD('pwd in snort.conf');
• GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO snort@localhost;
• GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO snort;
• The last GRANT names no host, so MySQL creates a second account, 'snort'@'%', usable from any address that can reach the server. Snort and BASE both run on Host B and connect to localhost, so the localhost account alone is sufficient.
To create tables
• mysql -u root -p snort < ~/snortinstall/snort-2.4.3/schemas/create_mysql
• Enter password: the MySQL root password
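As an added example (not part of the slides), the database and table steps above as a small POSIX shell script that creates the Snort account bound to localhost only and then verifies that create_mysql produced the tables BASE reads. The password generator, the `setup` entry point and the REQUIRED_TABLES list are this example's own; the table names are those of Snort 2.4's schemas/create_mysql.

```shell
#!/bin/sh
# Added example, not from the slides: build the Snort database with an
# account bound to localhost, then check the schema that create_mysql
# should have produced.

# SQL for the database and the snort account. The slides' second GRANT
# ("... TO snort;") names no host, which makes MySQL create 'snort'@'%',
# an account usable from any address; Snort and BASE both connect to
# localhost, so only the localhost account is created here. GRANT ...
# IDENTIFIED BY is MySQL 4.1-5.6 syntax (the slides' era); on 5.7+/8.0
# run CREATE USER first and drop the IDENTIFIED BY clause.
snort_db_sql() {
    cat <<EOF
CREATE DATABASE IF NOT EXISTS snort;
GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO 'snort'@'localhost' IDENTIFIED BY '$1';
FLUSH PRIVILEGES;
EOF
}

# Random hex password for snort.conf and base_conf.php (hex only, so no
# quote characters can break the SQL above).
gen_password() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Tables created by Snort 2.4's schemas/create_mysql that BASE reads.
REQUIRED_TABLES="schema sensor event signature iphdr tcphdr udphdr icmphdr data"

# Read a table list on stdin (one per line, as "mysql -N -e 'SHOW TABLES'"
# prints it) and print each required table that is absent.
missing_tables() {
    have=$(cat)
    for t in $REQUIRED_TABLES; do
        printf '%s\n' "$have" | grep -qx "$t" || printf '%s\n' "$t"
    done
}

# Live check against the server, using the snort account itself so a
# permission problem shows up here rather than at Snort's first alert.
check_snort_schema() {
    mysql -N -u snort -p"$1" snort -e 'SHOW TABLES' | missing_tables
}

# Usage: sh snort_db.sh setup   (prompts for the MySQL root password)
if [ "${1-}" = setup ]; then
    pw=$(gen_password)
    snort_db_sql "$pw" | mysql -u root -p
    mysql -u root -p snort < "$HOME/snortinstall/snort-2.4.3/schemas/create_mysql"
    missing=$(check_snort_schema "$pw")
    if [ -n "$missing" ]; then
        printf 'missing tables:\n%s\n' "$missing" >&2
        exit 1
    fi
    printf 'snort.conf line: output database: alert, mysql, user=snort password=%s dbname=snort host=localhost\n' "$pw"
fi
```

The schema check runs as the snort account on purpose: if SELECT on snort.* was not granted, `SHOW TABLES` comes back empty and every required table is reported missing, which is the same failure Snort would hit silently at its first database write.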
PEAR Modules
• PEAR: PHP Extension and Application Repository
• The BASE documentation recommends installing the following PEAR packages.
• Commands for installation:
  – /usr/local/php/bin/pear install Image_Color
  – /usr/local/php/bin/pear install Log
  – /usr/local/php/bin/pear install Numbers_Roman
  – /usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
  – /usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz
To start the 'services'
• chkconfig httpd on
• chkconfig mysqld on
• service httpd start
• service mysqld start
• /usr/local/apache2/bin/apachectl -k start
• snort -dev -l /var/log/snort -h 137.207.234.73/32 -c /etc/snort/snort.conf
• -h sets HOME_NET for this run, overriding the value in snort.conf. -d, -e and -v dump application-layer data, link-layer headers and every packet to the console, which is useful while testing but too noisy for an unattended sensor.
• `service httpd start` starts the distribution's Apache package, while apachectl starts the copy built from source under /usr/local/apache2; if both are configured for port 80, only the first one started can bind it.
Configuring BASE
• Download BASE from http://sourceforge.net/project/showfiles.php?group_id=103348
• cp base-1.2.tar.gz /var/www/html/
• cd /var/www/html
• tar -xvzf base-1.2.tar.gz
• cd /var/www/html/base-1.2/
• cp base_conf.php.dist base_conf.php
• cp -r /var/www/html/base-1.2 /usr/local/apache2/htdocs/base (served as /base, matching $BASE_urlpath)
Configuring BASE (cont.)
• Edit base_conf.php in /usr/local/apache2/htdocs/base:
  – $BASE_urlpath = "/base";
  – $DBlib_path = "/usr/local/apache2/htdocs/adodb";
  – $DBtype = "mysql";
  – $alert_dbname = "snort";
  – $alert_host = "localhost";
  – $alert_port = "";
  – $alert_user = "snort";
  – $alert_password = "password_from_snort_conf";
  – $archive_dbname = "snort";
  – $archive_host = "localhost";
  – $archive_port = "";
  – $archive_user = "snort";
  – $archive_password = "password_from_snort_conf";
  – $ChartLib_path = "/var/www/html/jpgraph-1.20.3/src";
• base_conf.php holds the database password in cleartext; make it readable only by the user Apache runs as.
Configuring BASE (cont.)
• Open a web browser.
• If the browser is on the localhost, go to http://localhost/base
• If the browser is on another machine, go to http://IP_Address/base to begin using the GUI to view and manage alerts.
• Over plain HTTP the BASE login and the alert data cross the network in cleartext, so restrict access to trusted hosts or put the site behind TLS.
Generating Signatures on Host A
• Ethernet layer header
Results
• Before sending signature-triggering traffic from Host A, run Snort on Host B.
• In MySQL, check that alerts are being written: select * from signature;
Results (cont.)
• In a web browser: http://137.207.234.73/base
Results (cont.)
• Unique Alerts
Results (cont.)
• The links to the left of each signature connect to different signature databases to provide more detailed information about that particular signature.
Results (cont.)
• The Source/Destination IP link brings up a summary that includes:
  – How many times that IP was logged as a source or destination
  – First and last time that IP was logged
  – Links to external web-based tools that provide DNS and Whois lookup services
Results (cont.)
• The Source/Destination Ports link displays a summary of:
  – ports and number of occurrences
  – time first seen and time last seen
• Each listed port number is a hyperlink to the SANS Internet Storm Center (http://isc.sans.org) page for that port number.
Results (cont.)
• Creating Alert Groups
• Group event information into user-defined categories for easy perusal.
Results (cont.)
• Specify signatures for different alert groups (AGs)
Results (cont.)
• Graph from Alert Data
Results (cont.)
• Graph from Alert Detection Time to identify periods of heavy activity
Results (cont.)
• The search function quickly searches the database for given criteria and presents the matches in an ordered fashion.
• Allowable search criteria include alert group, signature and alert time.
• The results can be ordered by timestamp, signature, source IP or destination IP.
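The views in the Results slides (unique alerts, alerts per period of time, search by source address) are aggregations over Snort's alert records. As an added example, not part of the slides or of BASE, the following POSIX shell script computes the same three views with awk over Snort "fast" alert lines (the `[**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst` format), so it runs without Snort, MySQL or BASE. The alert lines in SAMPLE_ALERTS are constructed for this example and the SIDs 1:100000x are local numbers, not Snort rule IDs.

```shell
#!/bin/sh
# Added example, not from the slides: BASE-style aggregations computed
# with awk over Snort "fast" alert lines.

# Constructed sample alerts (not real captures); same layout as Snort -A fast.
SAMPLE_ALERTS='03/14-10:22:01.118390  [**] [1:1000001:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.2.2.5 -> 137.207.234.73
03/14-10:22:03.120411  [**] [1:1000001:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.2.2.5 -> 137.207.234.73
03/14-10:23:10.004872  [**] [1:1000002:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.2.2.5:51234 -> 137.207.234.73:22
03/14-11:05:44.663201  [**] [1:1000003:1] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.2.2.9:4099 -> 137.207.234.73:80
03/14-11:06:02.310555  [**] [1:1000001:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.2.2.9 -> 137.207.234.73'

# Split each line on "[**]" and emit
# "timestamp<TAB>gid:sid:rev<TAB>message<TAB>src<TAB>dst" (ports stripped),
# i.e. the columns BASE joins from its event, signature and iphdr tables.
parse_alerts() {
    awk -F'[[][*][*][]]' 'NF >= 3 {
        ts = $1; sub(/ *$/, "", ts)
        sig = $2; sub(/^ *\[/, "", sig)
        sid = sig; sub(/[]].*/, "", sid)
        msg = sig; sub(/^[^]]*[]] */, "", msg); sub(/ *$/, "", msg)
        rest = $3; sub(/.*[}] */, "", rest)        # "src -> dst" after {PROTO}
        split(rest, hosts, " -> ")
        src = hosts[1]; sub(/:[0-9]+$/, "", src)   # drop TCP/UDP port
        dst = hosts[2]; sub(/:[0-9]+$/, "", dst)
        print ts "\t" sid "\t" msg "\t" src "\t" dst
    }'
}

# BASE's "unique alerts": occurrences per signature, most frequent first.
unique_alerts() {
    parse_alerts | awk -F'\t' '{ n[$2 "\t" $3]++ }
        END { for (k in n) print n[k] "\t" k }' | sort -rn
}

# Alerts per hour ("MM/DD-HH count"), for spotting periods of heavy activity.
alerts_per_hour() {
    parse_alerts | awk -F'\t' '{ n[substr($1, 1, 8)]++ }
        END { for (h in n) print h, n[h] }' | sort
}

# BASE's search by source address: parsed alerts from one source IP.
alerts_from_source() {
    parse_alerts | awk -F'\t' -v ip="$1" '$4 == ip'
}

# Usage: sh base_views.sh demo   (or pipe a real alert file into a function)
if [ "${1-}" = demo ]; then
    printf '%s\n' "$SAMPLE_ALERTS" | unique_alerts
    printf '%s\n' "$SAMPLE_ALERTS" | alerts_per_hour
    printf '%s\n' "$SAMPLE_ALERTS" | alerts_from_source 10.2.2.9
fi
```

Ports are stripped in parse_alerts so that the per-source view counts hosts, not flows; the ICMP lines have no ports and pass through unchanged. A real alert file from `snort -A fast` can be fed to any of the three functions on stdin in place of SAMPLE_ALERTS.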
Results (cont.)
• User and Role Management
Results (cont.)
• Email Alerts
Acknowledgements
• We would like to thank Dr. Aggarwal for giving us this opportunity to handle such an industry standard level project.
• We would also like to thank all other groups for giving us valuable suggestions throughout the project.
References
• www.snort.org
• www.sourceforge.net
• http://www.rootsecure.net/content/downloads/pdf/snort_install_guide_fedora4.pdf
• http://www.sun.com/bigadmin/features/articles/snort_base.html
Thank You!!!!
Demo in Room 3144
Questions?
Tahira Farid ([email protected])
Anitha Prahladachar ([email protected])