Gentoo's Bugzilla – Attachment 18734 Details for Bug 17740: The Analysis Console for Intrusion Databases (ACID)
Description: instructions that I prepared for someone else - may be of use
Filename: Lab2enhanced.html
MIME Type: text/html
Creator: Daniel Black (RETIRED)
Created: 2003-10-04 06:58:22 UTC
Size: 17.93 KB
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Lab 2 - Security Analysis Tools</TITLE>
<META NAME="GENERATOR" CONTENT="OpenOffice.org 1.0.2 (Linux)">
<META NAME="CREATED" CONTENT="20030902;20483800">
<META NAME="CHANGED" CONTENT="20030909;14140800">
<STYLE>
<!--
@page { margin: 2cm }
P { margin-bottom: 0.21cm }
H1 { margin-bottom: 0.21cm }
H1.western { font-family: "Albany", sans-serif; font-size: 16pt }
H1.cjk { font-size: 16pt }
H1.ctl { font-size: 16pt }
H2 { margin-bottom: 0.21cm }
H2.western { font-family: "Albany", sans-serif; font-size: 14pt; font-style: italic }
H2.cjk { font-size: 14pt; font-style: italic }
H2.ctl { font-size: 14pt; font-style: italic }
TD P { margin-bottom: 0.21cm }
TH P { margin-bottom: 0.21cm; font-style: italic }
P.sdfootnote { margin-left: 0.5cm; text-indent: -0.5cm; margin-bottom: 0cm; font-size: 10pt }
A.sdfootnoteanc { font-size: 57% }
-->
</STYLE>
</HEAD>
<BODY LANG="en-US">
<P STYLE="margin-bottom: 0cm">Computer Security</P>
<P STYLE="margin-bottom: 0cm">Lab 2 - Security Analysis Tools</P>
<P STYLE="margin-bottom: 0cm">Daniel Black</P>
<P STYLE="margin-bottom: 0cm">z3084085</P>
<P STYLE="margin-bottom: 0cm">Disclaimer:</P>
<P STYLE="margin-bottom: 0cm">The views, opinions, and conclusions written within do not represent the Alice Springs Town Council (ASTC). All views and opinions are the author's only.</P>

<H1 CLASS="western">Part a: Security Analysis Tool Selection</H1>
<P>Snort is a network intrusion detection system developed by Martin Roesch and team. It is available at <A HREF="http://www.snort.org/">http://www.snort.org</A>. It performs its network intrusion detection function by listening on network interfaces for a number of defined patterns. These patterns define rules for activity such as accessing "back doors", distributed denial of service attacks, virus and worm traffic, and historical exploits in a number of software applications. As a front end to this, the Analysis Console for Intrusion Databases (ACID<A CLASS="sdfootnoteanc" NAME="sdfootnote1anc" HREF="#sdfootnote1sym"><SUP>1</SUP></A>) is a collection of web scripts that can be used to analyse Snort data captured in a database. Logsnorter<A CLASS="sdfootnoteanc" NAME="sdfootnote2anc" HREF="#sdfootnote2sym"><SUP>2</SUP></A> is an additional tool that imports Cisco PIX firewall<A CLASS="sdfootnoteanc" NAME="sdfootnote3anc" HREF="#sdfootnote3sym"><SUP>3</SUP></A> data into the Snort database.</P>
<P>The results from the risk analysis in Lab 1<A CLASS="sdfootnoteanc" NAME="sdfootnote4anc" HREF="#sdfootnote4sym"><SUP>4</SUP></A> indicated that malicious code penetrating the ASTC defences would have a serious impact on its operations. Snort will be able to detect known malicious code travelling through web and email traffic. The ASTC will be able to use Snort to quantify the outside threat from the internet. This quantification can be used to justify countermeasure expenditure and time spent on items such as virus scanners, mail filters and firewall hardware.</P>

<H1 CLASS="western">Part b: Security Analysis Tool Installation and Use</H1>

<H2 CLASS="western">Network overview</H2>
<P>The intent of Snort is to provide a profile of the attempted intrusions from the internet. As such the detection component will be placed outside the PIX firewall. The database and web server will be placed within the protection of the Corporate Network (as below).</P>
<PRE>
Internet ------ Router ------ Snort ---- Cisco Firewall ---- Public Network
                                               |
                                               +-------- Corporate Network
                                               |
                                               +-- Snort db / web server
</PRE>
<P>Initially it is unknown how much CPU the Snort box will need for its applied rules. To prevent any degradation of traffic the Snort box will be a passive listener on the external network. To allow Snort alerts to be entered into the database the following rule must be added to the Cisco Firewall's allowed rules.</P>
<P>Allow (snort box ip):any -&gt; (snort db):5432</P>

<H2 CLASS="western">Hardware Installation</H2>
<P>Select two x86 architecture machines. Part of the installation is performed online, so it should be carried out on the protected side of the firewall to prevent a compromise during the build.</P>
<P>Before this process begins ensure that the rsync protocol is allowed through the firewall (tcp/873).</P>

<H2 CLASS="western">Gentoo Linux Installation</H2>
<P>Gentoo was selected for performance as it is a compiled-from-source distribution. It has a reasonably good installation process that handles dependencies well.</P>
<P>The installation will follow <A HREF="http://www.gentoo.org/doc/en/gentoo-x86-install.xml">http://www.gentoo.org/doc/en/gentoo-x86-install.xml</A> with the following clarifications. If the hardware for both machines is at the same CPU level, place both hard disks in one machine and copy the file system over before the GRUB installation. The network settings will need to be changed on the second machine before it is connected to the network.</P>
<P>Section 4. Optional Networking</P>
<P>Required information:</P>
<OL>
<LI><P>Public access library network IP network address and mask:</P>
<LI><P>Staff IP network address and mask:</P>
<LI><P>Domain Name Server (DNS):</P>
<LI><P>Default Gateway:</P>
<LI><P>HTTP Proxy server (if any)</P>
</OL>
<P>Code Listing 4.6 should be as follows:</P>
<P>ifconfig eth0 xxx.xxx.xxx.xxx broadcast xxx.xxx.xxx.xxx netmask 255.255.0.0<BR>
route add -net default gw xxx.xxx.xxx.xxx</P>
<P>Code Listing 4.7 should look like:</P>
<P>domain astc.nt.gov.au<BR>
nameserver xxx.xxx.xxx.xxx<BR>
nameserver xxx.xxx.xxx.xxx</P>
<P>Code Listing 4.8:</P>
<P>export http_proxy="http://.........."</P>
<P>6. Filesystems, partitions and block devices</P>
<P>Disk partitioning will be as follows:</P>
<TABLE WIDTH=100% BORDER=1 BORDERCOLOR="#000000" CELLPADDING=4 CELLSPACING=0>
<COL WIDTH=64*>
<COL WIDTH=64*>
<COL WIDTH=64*>
<COL WIDTH=64*>
<THEAD>
<TR VALIGN=TOP>
<TH WIDTH=25%><P>Partition</P></TH>
<TH WIDTH=25%><P>Size</P></TH>
<TH WIDTH=25%><P>Type</P></TH>
<TH WIDTH=25%><P>Device</P></TH>
</TR>
</THEAD>
<TBODY>
<TR VALIGN=TOP>
<TD WIDTH=25%><P>Boot partition</P></TD>
<TD WIDTH=25%><P>32 Megabytes</P></TD>
<TD WIDTH=25%><P>ext3</P></TD>
<TD WIDTH=25%><P>/dev/hda1</P></TD>
</TR>
<TR VALIGN=TOP>
<TD WIDTH=25%><P>Swap partition</P></TD>
<TD WIDTH=25%><P>2 x Physical Memory</P></TD>
<TD WIDTH=25%><P>Linux swap</P></TD>
<TD WIDTH=25%><P>/dev/hda2</P></TD>
</TR>
<TR VALIGN=TOP>
<TD WIDTH=25%><P>Root partition</P></TD>
<TD WIDTH=25%><P>Remainder of disk</P></TD>
<TD WIDTH=25%><P>ReiserFS</P></TD>
<TD WIDTH=25%><P>/dev/hda3</P></TD>
</TR>
</TBODY>
</TABLE>
<P>8. Stage tarballs and chroot</P>
<P>To obtain the maximum optimisation follow the stage 1 installation.</P>
<P>Code Listing 8.1:</P>
<P>wget -c -T 30 -t 30 http://public.planetmirror.com/pub/gentoo/releases/x86/1.4/stages/x86/stage1-x86-1.4-20030806.tar.bz2</P>
<P>Follow code listings 8.3 and 8.4 as this will save download time and bandwidth.</P>
<P>Follow code listing 8.6 and interactively select the mirror <A HREF="rsync://rsync.au.gentoo.org/gentoo-portage">rsync://rsync.au.gentoo.org/gentoo-portage</A> (aka Planet Mirror).</P>
<P>9. Getting the Current Portage Tree using sync</P>
<P>Follow code listing 9.1 to obtain the latest updates (this includes security fixes).</P>
<P>10. Setting Gentoo optimizations (make.conf)</P>
<P>Set CFLAGS and CXXFLAGS to contain the processor type and "-O3" for optimization.</P>
<P>Select the following USE flags:</P>
<P>sse mmx - if supported by the processor; check the flags line of "cat /proc/cpuinfo"</P>
<P>as well as "apache2 crypt mysql postgres ssl perl php samba"</P>
<P>and "-X" to disable X support.</P>
<P>Uncomment the PORTDIR_OVERLAY line.</P>
<P>16. Installing the kernel and system logger</P>
<P>Follow code listing 16.1 (Emerging Kernel Sources), selecting gentoo-sources.</P>
<P>Follow the auto configuration, ensuring that reiserfs is built in (not as a module).</P>
<P>In code listing 16.8 select metalog and in 16.10 select vcron.</P>
<P>In the networking section use the network settings defined earlier.</P>
<P>Select GRUB as the boot loader.</P>
<P>After everything is selected perform a reboot.</P>
<P>Future Development: Apply iptables rules to these machines.</P>

<H2 CLASS="western">Snort Configuration (2.0.1-r1)</H2>
<P>On the Snort box only, perform the following.</P>
<P># env ACCEPT_KEYWORDS="~x86" emerge snort</P>
<P>Edit /etc/conf.d/snort and change the interface to "any".</P>
<P>Copy /etc/snort/snort.conf.distrib to /etc/snort/snort.conf and make the following changes:</P>
<P>var HOME_NET any<BR>
var EXTERNAL_NET any</P>
<P>Complete the *_SERVERS entries with the IP addresses of these servers.</P>
<P>Uncomment the preprocessor lines for portscan, arpspoof, conversation and portscan2.</P>
<P>output database: log, postgresql, user=snort_db_user dbname=snort password=5yetty host={HOSTNAME} port=5432</P>
<P>Uncomment the include lines for backdoor.rules, web-attacks.rules, virus.rules, multimedia.rules and p2p.rules.</P>
<P># chmod go-rwx /etc/snort/snort.conf</P>
<P>To run Snort on startup:</P>
<P># rc-update add snort default</P>
<P>Edit /etc/init.d/snort so that the "need" line reads "need net postgresql".</P>
<P>Debugging: look at /var/log/everything/current. Unfortunately, many fatal errors do not stop the startup script. To force a restart of Snort: "rm /var/lib/init.d/started/snort; /etc/init.d/snort start".</P>
<P>Future Development:</P>
<P>1. Use stunnel to encrypt and authenticate the links to the database.</P>
<P>2. emerge oinkmaster for rule-updating scripts, or alternatively emerge snorticus.</P>

<H2 CLASS="western">Apache (2.0.47)</H2>
<P>To install Apache:</P>
<P># emerge apache mod_ssl</P>
<P>Edit /etc/conf.d/apache2 and add "-D SSL -D PHP4" to the APACHE2_OPTS line. Uncomment the line as well.</P>
<P>To make Apache start at bootup:</P>
<P># rc-update add apache2 default</P>
<P># /etc/init.d/apache2 start</P>
<P>Debugging TIP: see /var/log/apache2/error_log and access_log.</P>

<H2 CLASS="western">Postgresql (7.3.4)</H2>
<P># emerge postgresql</P>
<P>Edit /etc/conf.d/postgresql and add "-i" to the PGOPTS configuration line.</P>
<P># rc-update add postgresql default</P>
<P># usermod -s /bin/bash postgres</P>
<P># ebuild /usr/portage/dev-db/postgresql/postgresql-7.3.4.ebuild config</P>
<P># usermod -s /bin/bash postgres</P>
<P>Edit /var/lib/postgresql/data/pg_hba.conf to contain the following:</P>
<P>host snort snort_db_user {snort box ip} 255.255.255.255 password<BR>
#host snort snort_analyst {webserver} 255.255.255.255 password<BR>
host snort snort_analyst 127.0.0.1 255.255.255.255 password<BR>
#host snort snort_db_user 127.0.0.1 255.255.255.255 password</P>
<P># /etc/init.d/postgresql start</P>
<P># su - postgres</P>
<P>&gt; /usr/bin/createdb snort</P>
<P>&gt; /usr/bin/zcat /usr/share/doc/snort-2.0.1-r1/contrib/snortdb-extra.gz | sed "s/^#/--/g" | /usr/bin/psql snort</P>
<P>&gt; zcat /usr/share/doc/snort-2.0.1-r1/contrib/create_postgresql.gz | /usr/bin/psql snort</P>
<P>(below courtesy of <A HREF="http://www.andrew.cmu.edu/~rdanyliw/snort/snortdb/snortdb_install.html">http://www.andrew.cmu.edu/~rdanyliw/snort/snortdb/snortdb_install.html</A>)</P>
<P>&gt; /usr/bin/psql snort</P>
<P>CREATE USER snort_db_user WITH UNENCRYPTED PASSWORD '5yetty';</P>
<P>GRANT SELECT ON detail, encoding, event, reference_system, schema,<BR>
sensor, sig_class, sig_reference, signature<BR>
TO snort_db_user;</P>
<P>GRANT INSERT ON data, event, icmphdr, iphdr, opt, reference,<BR>
reference_system, sensor, sig_class, sig_reference,<BR>
signature, tcphdr, udphdr<BR>
TO snort_db_user;</P>
<P>GRANT UPDATE ON reference_ref_id_seq, reference_system_ref_system_id_seq,<BR>
sensor_sid_seq, sig_class_sig_class_id_seq,<BR>
signature_sig_id_seq<BR>
TO snort_db_user;</P>
<P>CREATE USER snort_analyst WITH UNENCRYPTED PASSWORD '5p0rt';</P>
<P>GRANT CREATE ON DATABASE snort TO snort_analyst;</P>
<P>Debugging TIP: look at /var/lib/postgresql/data/postgresql.log.</P>
<P>Further Development: Create certificates to allow authenticated SSL connections (<A HREF="http://www.phpfreaks.com/postgresqlmanual/page/ssl-tcp.html">http://www.phpfreaks.com/postgresqlmanual/page/ssl-tcp.html</A>).</P>
<P>Connections to the database from the webserver are fairly safe and probably don't need SSL unless they become host-separated.</P>
<P>Currently ACID (through adodb) and Snort don't appear to support SSL sessions. "emerge stunnel" and it may be possible to set up an SSL connection that way.</P>
<P>For SSL authentication and encryption from host to server see <A HREF="../../../../../usr/share/doc/postgresql-7.3.4/html/client-authentication.html">file:/usr/share/doc/postgresql-7.3.4/html/client-authentication.html</A> on the local machine.</P>

<H2 CLASS="western">Acid (0.9.6b23)</H2>
<P># env ACCEPT_KEYWORDS="~x86" emerge acid</P>
<P>This should make https://[host]/acid serve the ACID interface to the Snort data.</P>
<P>Edit <A HREF="../../../../httpd/htdocs/acid/acid_conf.php">file:/home/httpd/htdocs/acid/acid_conf.php</A> to ensure that the database variables are correct:</P>
<P>$DBlib_path = "/usr/lib/php/adodb";</P>
<P>$DBtype = "postgres";</P>
<P>$alert_dbname = "snort";</P>
<P>$alert_host = "localhost";</P>
<P>$alert_port = "5432";</P>
<P>$alert_user = "snort_analyst";</P>
<P>$alert_password = "5p0rt";</P>
<P>$archive_dbname = "snort_archive";</P>
<P>$archive_host = "localhost";</P>
<P>$archive_port = "5432";</P>
<P>$archive_user = "snort_analyst";</P>
<P>$archive_password = "5p0rt";</P>
<P>$ChartLib_path = "/usr/lib/php/jgraph";</P>
<P>NOTE we haven't set up an "archive" yet – still looking for instructions (somewhere)</P>
<P>Go to <A HREF="https://webserver/acid/acid_db_setup.php">https://{your webserver}/acid/acid_db_setup.php</A> and select "Create ACID AG".</P>
<P>As the postgres user, in the "psql snort" command line interface, issue the following.</P>
<P>REVOKE CREATE ON DATABASE snort FROM snort_analyst;</P>
<P>(from <A HREF="../../../../../usr/share/doc/acid-0.9.6_beta23/README.gz">file:/usr/share/doc/acid-0.9.6_beta23/README.gz</A>)</P>
<P>GRANT SELECT ON TABLE acid_ag, acid_ag_alert, acid_event, acid_ip_cache, data, detail, encoding, event, icmphdr, iphdr, opt, reference, reference_system, schema, sensor, sig_class, sig_reference, signature, tcphdr, udphdr TO snort_analyst;</P>
<P>GRANT INSERT,DELETE ON TABLE acid_ag, acid_ag_alert, acid_event, acid_ip_cache, data, event, icmphdr, iphdr, opt, reference, reference_system, sensor, sig_class, sig_reference, signature, tcphdr, udphdr TO snort_analyst;</P>
<P>GRANT DELETE ON TABLE sensor TO snort_analyst;</P>
<P>GRANT UPDATE ON TABLE acid_event, acid_ip_cache, reference, reference_system, sig_class, sig_reference, signature TO snort_analyst;</P>
<P>GRANT SELECT,UPDATE ON TABLE acid_ag_ag_id_seq, reference_ref_id_seq, reference_system_ref_system_id_seq, sensor_sid_seq, sig_class_sig_class_id_seq, signature_sig_id_seq TO snort_analyst;</P>
<P>Reference: This section was based on <A HREF="http://www.kellys.net/snort">http://www.kellys.net/snort</A>.</P>
<P>Further Development: Restrict access to this area to authenticated https only.</P>
<P>Debugging TIP: in <A HREF="../../../../httpd/htdocs/acid/acid_conf.php">file:/home/httpd/htdocs/acid/acid_conf.php</A> there are a number of flags that can be set to enable debugging.</P>
<P>Other web scripts that may be of use are:</P>
<OL>
<LI><P>Snort Report - <A HREF="http://www.circuitsmaximus.com/download.html">http://www.circuitsmaximus.com/download.html</A></P>
<LI><P>Others available at <A HREF="http://www.snort.org/dl/contrib/data_analysis">http://www.snort.org/dl/contrib/data_analysis</A></P>
</OL>

<DIV ID="sdfootnote1">
<P CLASS="sdfootnote"><A CLASS="sdfootnotesym" NAME="sdfootnote1sym" HREF="#sdfootnote1anc">1</A> <A HREF="http://acidlab.sourceforge.net/">http://acidlab.sourceforge.net</A></P>
</DIV>
<DIV ID="sdfootnote2">
<P CLASS="sdfootnote"><A CLASS="sdfootnotesym" NAME="sdfootnote2sym" HREF="#sdfootnote2anc">2</A> <A HREF="http://www.snort.org/dl/contrib/other_logs/logsnorter-0.2.tar.gz">http://www.snort.org/dl/contrib/other_logs/logsnorter-0.2.tar.gz</A></P>
</DIV>
<DIV ID="sdfootnote3">
<P CLASS="sdfootnote"><A CLASS="sdfootnotesym" NAME="sdfootnote3sym" HREF="#sdfootnote3anc">3</A> Cisco, <A HREF="http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pix_pa.pdf">http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pix_pa.pdf</A></P>
</DIV>
<DIV ID="sdfootnote4">
<P CLASS="sdfootnote"><A CLASS="sdfootnotesym" NAME="sdfootnote4sym" HREF="#sdfootnote4anc">4</A> Black, Daniel, 2003, Lab 1 - Risk Assessment of Alice Springs Town Council, submission to the Computer Security subject of ADFA postgraduate program 2003.</P>
</DIV>
</BODY>
</HTML>
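The Snort Configuration section above writes the database credential into /etc/snort/snort.conf (the output database: line) and then relies on chmod go-rwx to keep it from other local users on the sensor. The following Python script is an added editorial example, not code from the lab document or from Snort: it parses the output database: line and checks the file mode, so the two halves of that step can be verified together on a sensor. The sample config, the host name and the password in it are constructed placeholders.

```python
import os
import stat
import tempfile

# Constructed sample snort.conf fragment modelled on the lab's settings; the
# host and password are placeholders, not values from any real deployment.
SAMPLE_SNORT_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
preprocessor portscan: $HOME_NET 4 3 portscan.log
output database: log, postgresql, user=snort_db_user dbname=snort password=EXAMPLE_PASSWORD host=db.example.invalid port=5432
include $RULE_PATH/backdoor.rules
"""

GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO   # the bits "chmod go-rwx" clears


def parse_output_database(text):
    """Return the parameters of the first 'output database:' line as a dict
    (facility, dbtype and the key=value pairs), or None if there is none."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("output database:"):
            continue
        parts = [p.strip() for p in line.partition(":")[2].split(",")]
        params = {"facility": parts[0], "dbtype": parts[1] if len(parts) > 1 else ""}
        for token in " ".join(parts[2:]).split():
            key, sep, value = token.partition("=")
            if sep:
                params[key] = value
        return params
    return None


def audit_snort_conf(path):
    """Findings for one snort.conf; an empty list means the file matches the
    lab's step: database output configured and no group/other access."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & GROUP_OTHER_BITS:
        findings.append("mode %o grants group/other access; expected chmod go-rwx" % mode)
    with open(path) as fh:
        params = parse_output_database(fh.read())
    if params is None:
        findings.append("no 'output database:' line; alerts will not reach the database")
        return findings
    if "password" in params and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("database password in config is readable by other local users")
    if params.get("host", "{HOSTNAME}") == "{HOSTNAME}":
        findings.append("database host is still the {HOSTNAME} placeholder")
    return findings


def demo():
    """Write the sample config, audit it world-readable and again after
    chmod 600; returns the two finding lists."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE_SNORT_CONF)
        path = fh.name
    try:
        os.chmod(path, 0o644)
        before = audit_snort_conf(path)
        os.chmod(path, 0o600)
        after = audit_snort_conf(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    for label, findings in zip(("before chmod", "after chmod"), demo()):
        print(label, findings or ["ok"])
```

Run it as root against the real /etc/snort/snort.conf by calling audit_snort_conf on that path; the mode check is deliberately stricter than "is the password readable" so that a group-writable config (which would let a local account alter the rules the sensor loads) is reported as well.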
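The pg_hba.conf entries in the Postgresql section bind each database role to a single source address with a 255.255.255.255 mask, which is what keeps the sensor credential usable only from the sensor. As an added example (not from the lab document or from PostgreSQL), the following Python checker parses entries in the six-column PostgreSQL 7.3 layout the lab uses and reports any that use trust, a mask wider than one host, or a source outside the network the design assigns to that role. The sample entries mirror the lab's, with the documentation address 192.0.2.10 standing in for "{snort box ip}"; the weakened entry is constructed purely to show what gets flagged.

```python
import ipaddress

# Constructed pg_hba.conf in the six-column PostgreSQL 7.3 layout the lab uses
# (TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD). 192.0.2.10 is a documentation
# address standing in for the lab's "{snort box ip}".
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER           IP-ADDRESS   IP-MASK          METHOD
host    snort     snort_db_user  192.0.2.10   255.255.255.255  password
#host   snort     snort_analyst  192.0.2.20   255.255.255.255  password
host    snort     snort_analyst  127.0.0.1    255.255.255.255  password
"""

# A deliberately weakened entry (constructed) so the checker has something to flag.
WEAK_PG_HBA = "host snort snort_db_user 192.0.2.0 255.255.255.0 trust\n"

# The lab's design: the sensor role connects only from the sensor, the analyst
# role only from the web server, which shares the database host (127.0.0.1).
EXPECTED_SOURCES = {
    "snort_db_user": ipaddress.IPv4Network("192.0.2.10/32"),
    "snort_analyst": ipaddress.IPv4Network("127.0.0.1/32"),
}


def parse_pg_hba(text):
    """Parse active entries into dicts; comments and blank lines are skipped.
    'host'/'hostssl' entries get an IPv4Network, 'local' entries net=None."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] in ("host", "hostssl") and len(fields) == 6:
            net = ipaddress.IPv4Network((fields[3], fields[4]), strict=False)
            rules.append({"type": fields[0], "db": fields[1], "user": fields[2],
                          "net": net, "method": fields[5]})
        elif fields[0] == "local" and len(fields) == 4:
            rules.append({"type": "local", "db": fields[1], "user": fields[2],
                          "net": None, "method": fields[3]})
    return rules


def check_pg_hba(rules, expected=EXPECTED_SOURCES):
    """Return findings: trust authentication, masks wider than one host, and
    a role allowed from outside the network the design assigns to it."""
    findings = []
    for r in rules:
        where = "%s %s %s" % (r["type"], r["db"], r["user"])
        if r["method"] == "trust":
            findings.append("%s: trust grants access with no password at all" % where)
        if r["net"] is None:
            continue
        if r["net"].prefixlen < 32:
            findings.append("%s: mask %s admits %d addresses, not one host"
                            % (where, r["net"].netmask, r["net"].num_addresses))
        want = expected.get(r["user"])
        if want is not None and not r["net"].subnet_of(want):
            findings.append("%s: allowed from %s but the design permits only %s"
                            % (where, r["net"], want))
    return findings


if __name__ == "__main__":
    print("lab entries:", check_pg_hba(parse_pg_hba(SAMPLE_PG_HBA)) or "ok")
    print("weak entry:", check_pg_hba(parse_pg_hba(WEAK_PG_HBA)))
```

To use it on the real file, read /var/lib/postgresql/data/pg_hba.conf and replace the addresses in EXPECTED_SOURCES with the sensor's address; the password method the lab uses still sends the password in clear over the sensor-to-database link, which is why the lab lists stunnel or SSL as further development.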
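The GRANT statements in the Postgresql and Acid sections give the sensor account (snort_db_user, whose credential sits on the box outside the firewall) INSERT on the packet tables, SELECT on the lookup tables and UPDATE on the sequences, and give the analyst account CREATE only long enough for acid_db_setup.php before revoking it. The following Python script is an added example, not part of the lab document: it replays those statements into a privilege map and checks the invariants the grants are meant to establish, namely that the sensor can never DELETE or UPDATE a table, and that the analyst holds no lasting CREATE on the database. The statements are the document's own; the passwords are placeholders.

```python
import re

# The GRANT/REVOKE statements from the lab's Postgresql and Acid sections,
# reproduced as the sample input (role, table and sequence names are the
# document's; the passwords are placeholders).
SAMPLE_SQL = """
CREATE USER snort_db_user WITH UNENCRYPTED PASSWORD 'EXAMPLE_PASSWORD';
GRANT SELECT ON detail, encoding, event, reference_system, schema,
      sensor, sig_class, sig_reference, signature
      TO snort_db_user;
GRANT INSERT ON data, event, icmphdr, iphdr, opt, reference,
      reference_system, sensor, sig_class, sig_reference,
      signature, tcphdr, udphdr
      TO snort_db_user;
GRANT UPDATE ON reference_ref_id_seq, reference_system_ref_system_id_seq,
      sensor_sid_seq, sig_class_sig_class_id_seq,
      signature_sig_id_seq
      TO snort_db_user;
CREATE USER snort_analyst WITH UNENCRYPTED PASSWORD 'EXAMPLE_PASSWORD';
GRANT CREATE ON DATABASE snort TO snort_analyst;
REVOKE CREATE ON DATABASE snort FROM snort_analyst;
GRANT SELECT ON TABLE acid_ag, acid_ag_alert, acid_event, acid_ip_cache, data, detail, encoding, event, icmphdr, iphdr, opt, reference, reference_system, schema, sensor, sig_class, sig_reference, signature, tcphdr, udphdr TO snort_analyst;
GRANT INSERT,DELETE ON TABLE acid_ag, acid_ag_alert, acid_event, acid_ip_cache, data, event, icmphdr, iphdr, opt, reference, reference_system, sensor, sig_class, sig_reference, signature, tcphdr, udphdr TO snort_analyst;
GRANT DELETE ON TABLE sensor TO snort_analyst;
GRANT UPDATE ON TABLE acid_event, acid_ip_cache, reference, reference_system, sig_class, sig_reference, signature TO snort_analyst;
GRANT SELECT,UPDATE ON TABLE acid_ag_ag_id_seq, reference_ref_id_seq, reference_system_ref_system_id_seq, sensor_sid_seq, sig_class_sig_class_id_seq, signature_sig_id_seq TO snort_analyst;
"""

# GRANT/REVOKE <privs> ON [TABLE|DATABASE] <objects> TO/FROM <role>
ACL_RE = re.compile(
    r"^(GRANT|REVOKE)\s+([\w, ]+?)\s+ON\s+(TABLE\s+|DATABASE\s+)?(.+?)\s+(TO|FROM)\s+(\w+)$",
    re.IGNORECASE,
)


def parse_acl(sql):
    """Replay GRANT/REVOKE statements into {role: {object: set(privileges)}}.
    Database-level objects are keyed 'database:<name>' so they cannot be
    confused with a table of the same name."""
    acl = {}
    for stmt in sql.split(";"):
        stmt = " ".join(stmt.split())          # fold the multi-line statements
        m = ACL_RE.match(stmt)
        if not m:
            continue                           # CREATE USER etc. carry no privileges
        verb, privs, kind, objects, _, role = m.groups()
        privs = {p.strip().upper() for p in privs.split(",")}
        prefix = "database:" if kind and kind.strip().upper() == "DATABASE" else ""
        for obj in objects.split(","):
            bucket = acl.setdefault(role, {}).setdefault(prefix + obj.strip(), set())
            if verb.upper() == "GRANT":
                bucket |= privs
            else:
                bucket -= privs
    return acl


def privileges_of(acl, role, priv):
    """Sorted list of objects on which `role` ends up holding `priv`."""
    return sorted(obj for obj, privs in acl.get(role, {}).items() if priv in privs)


def check_least_privilege(acl):
    """Invariants for the lab's two roles: the sensor account may add records
    but never delete or rewrite a table (UPDATE is allowed on sequences only),
    and the analyst account keeps no CREATE right on the database."""
    problems = []
    for obj, privs in acl.get("snort_db_user", {}).items():
        if "DELETE" in privs:
            problems.append("snort_db_user may DELETE from %s" % obj)
        if "UPDATE" in privs and not obj.endswith("_seq"):
            problems.append("snort_db_user may UPDATE %s" % obj)
    if "CREATE" in acl.get("snort_analyst", {}).get("database:snort", set()):
        problems.append("snort_analyst still holds CREATE on database snort")
    return problems


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_SQL)
    print("sensor INSERT on:", privileges_of(acl, "snort_db_user", "INSERT"))
    print("problems:", check_least_privilege(acl) or "none")
```

The point of the check is the threat model implied by the network diagram: the sensor is the one host outside the firewall, so its credential is the one most likely to be taken, and these grants limit what that credential can do to adding rows. Feeding the script a modified statement list (for example an extra GRANT DELETE to snort_db_user) makes it report the regression.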