Building a cheap and powerful intrusion-detection system


Snort and BASE

Two packages necessary for creating an effective open-source IDS are Snort and BASE (Basic Analysis Security Engine). BASE is built on the work of the defunct Analysis Console for Intrusion Databases (ACID) project.

As with many open-source applications, Snort is available as source code or as a binary install package for Linux or Windows. BASE, on the other hand, is operating system-independent. Therefore, both may be set up on either a Linux or Windows machine, with a similar amount of effort.

This article is about creating an IDS using older computers and therefore focuses on building a Snort IDS on a Linux system, but the methods for installing on a Windows system are very similar. Linux distributions have progressed to the point that anyone who has installed Windows can install Linux and Snort with little difficulty.

Preparing the system

Deciding on placement of the IDS within the network is critical. The IDS machine must connect to a port that can see all traffic between the LAN and the Internet. This means either connecting to a mirrored switch port or a hub located between the Internet connection and the LAN. If a firewall and only one IDS sensor is used, the sensor should be placed between the firewall and the LAN.

Choosing the type of machine to use depends on the environment and the data desired. A Snort IDS setup can involve one or several independent machines, or many that report to a central database server. The speed of the connection being monitored and the level of logging dictate the required machine capabilities.

For a Linux install, a desktop computer that is several years old should suffice. Figure on a minimum of 256MB of RAM, a 20GB hard drive, a 600-MHz processor and a CD drive, all features of desktop machines made within the past few years.

For installing a base Linux operating system, a machine to create the installation CD is needed. A Windows box running Burn4Free (a freeware ISO burner) will work fine. In addition, the network parameters (IP address and such) and a network connection for the IDS machine should be determined prior to the Linux installation.

Download the Fedora 7 Live ISO image or a Linux distribution of choice. Fedora 7 Live is a minimal installation of the Fedora Linux distribution that can run from a single CD. The following instructions focus on Fedora 7 Live, but they can be easily adjusted for other distributions if desired. Burn the ISO image to a CD on the Windows machine.

On the IDS machine, insert the CD and set the BIOS to boot from the CD (just like a Windows install). The machine will automatically run the Fedora 7 Live distribution with no user interaction. Let it run until it has automatically logged in to the graphical user interface with the default account.

Click on the Install to Hard Drive icon. Answer the questions as they appear; most are similar to what is presented in a Windows installation. When done, remove the CD and reboot the machine. The machine is now ready for installation of the software needed to run and administer the IDS.

The needed applications

Snort essentially works on pattern matching by comparing packets to signatures of known attacks. There are literally thousands of such signatures available. Think of Snort as an intelligent sniffer: It takes a continuous trace of inbound and outbound Internet traffic and analyzes the trace by comparing against the signature database in real time. To do this manually would be impossible.

If a packet matches a pattern in a selected signature, an alert is generated. Analyzing the alerts for meaningful data is no easy task, given the amount of data and its raw format presentation. Therefore, a method is needed to collect and provide for group analysis of the data.

This example uses MySQL as the database application, but Microsoft SQL Server or Oracle may be used for the alert database as well. While populating a well-formatted database with Snort information is necessary for categorizing information, as with sniffer analysis, the process of analyzing such a database is labor-intensive.

This is where BASE comes into play. It's a Web front end to the database that presents the Snort alert data. This provides the information a network or security administrator needs to identify threats and enact controls to reduce the threats.

Other support applications needed include the Apache Web server, the GCC compiler and the PHP scripting language. An excellent guide for installation of a Snort/BASE IDS system and all related applications, written by Patrick Harper and Nick Oliver, is available at Internet Security Guru.com. Other documentation and user forums are available at the main Snort Web site.

From here, intrusion-detection data may be analyzed efficiently. BASE offers many data aggregation and presentation tools. For example, Figure 2 shows a summary of the number of alerts for a particular week.


Each alert can be analyzed individually or as a group. In this case, the majority of the alerts generated were false positives, because they were triggered by regular traffic that had abnormal but perfectly harmless characteristics.

Building a functional IDS sensor is only the first step. Once installed, the IDS administrator should spend a significant amount of time exploring the alerts and capabilities of the system. One doesn't begin a major building project after setting up and operating a table saw for the first time, and such is the case with Snort/BASE.

As threats emerge, rules must be added to the system to match the signatures of those threats. Snort offers a subscription service for access to emerging rules for a minimal fee or free access to the same rules to registered users for 30 days after they are released to the subscription service. Oinkmaster is an excellent tool for updating rules regularly.

In addition, signatures may be created manually, or pass options may be added to signatures that are determined to produce an abundance of false positives. Determining whether alerts are in fact normal network traffic or an actual threat is obviously necessary, as it would be foolish to disable a signature simply because it's producing many alerts. Other open-source tools such as MRTG, ntop and tcpdump, in conjunction with server and network equipment log analysis, can provide the data needed to streamline the IDS configuration.
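As an added example (not part of the original article, and not code from the Snort or BASE projects), the Python script below does the kind of group analysis described above: it parses lines in Snort's alert_fast output format, counts alerts per signature and per signature/source pair the way BASE's summary views do, and turns the noisiest pairs into candidate `suppress` lines for Snort's threshold.conf, which an analyst confirms as benign before applying. The sample alert lines, SIDs, messages and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of Snort "alert_fast" output lines (not real traffic).
SAMPLE = """\
08/12-15:53:21.487516  [**] [1:1000001:3] LOCAL ICMP ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.20 -> 10.0.0.5
08/12-15:53:22.101233  [**] [1:1000001:3] LOCAL ICMP ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.20 -> 10.0.0.6
08/12-15:53:22.901001  [**] [1:1000001:3] LOCAL ICMP ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.20 -> 10.0.0.7
08/12-15:54:01.000412  [**] [1:1000002:1] LOCAL suspicious HTTP request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:41022 -> 10.0.0.5:80
08/12-15:54:02.377000  [**] [1:1000001:3] LOCAL ICMP ping sweep [**] [Priority: 2] {ICMP} 192.168.1.77 -> 10.0.0.5
garbage line that is not an alert
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ..]
# [Priority: n] {proto} src[:port] -> dst[:port]; classification is optional.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "pri"):
        d[k] = int(d[k])
    return d

def summarize(lines):
    """Count events per signature and per (signature, source IP) pair."""
    by_sig, by_sig_src = Counter(), Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # skip non-alert lines instead of failing on them
        by_sig[(a["gid"], a["sid"], a["msg"])] += 1
        by_sig_src[(a["gid"], a["sid"], a["src"])] += 1
    return by_sig, by_sig_src

def suppress_candidates(by_sig_src, min_count):
    """threshold.conf 'suppress' lines for pairs at or above min_count (review before use)."""
    out = []
    for (gid, sid, src), n in sorted(by_sig_src.items(), key=lambda kv: -kv[1]):
        if n >= min_count:
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return out
```

Point the script at a real alert file (for example by reading `/var/log/snort/alert` line by line into `summarize`) and raise or lower `min_count` to match how noisy the monitored segment is.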

Snort can be deployed in a centrally managed distributed environment in which multiple sensors report back to a single database server. In large enterprise networks, this can be useful in correlating events as well as simply parsing information from multiple points on the network. It isn't uncommon to deploy Snort sensors at borders between security zones in a LAN, such as between administrative servers and local users.

A signature-based network IDS is simply a tool to enforce your company's security policy. Expecting that installing an IDS (or any single security solution, for that matter) will eliminate all threats is flirting with a false sense of security. However, delving into the world of open-source IDS is a path that can produce immediate and significant returns.
