Computer Security
Lab 2 - Security Analysis Tools
Daniel Black
z3084085
Disclaimer:
The views, opinions, and conclusions written within do not represent the Alice Springs Town Council (ASTC). All views and opinions are the author's only.
Snort is a network intrusion detection system developed by Martin Roesch and team. It is available at http://www.snort.org. It performs its network intrusion detection function by listening on network interfaces for a number of defined patterns. These patterns define rules for activity such as accessing "back doors", distributed denial of service attacks, virus and worm traffic, and historical exploits in a number of software applications. Analysis Console for Incident Databases (ACID) [1] is a collection of web scripts that acts as a front end to this, analysing Snort data captured in a database. Logsnorter [2] is an additional tool that imports Cisco PIX firewall [3] data into the Snort database.
The results from the risk analysis in Lab 1 [4] indicated that malicious code penetrating the ASTC defences would have a serious impact on its operations. Snort will be able to detect known malicious code travelling through web and email traffic. The ASTC will be able to use Snort to quantify the outside threat from the internet. This quantification can be used to justify countermeasure expenditure and time spent on items such as virus scanners, mail filters and firewall hardware.
The intent of Snort is to provide a profile of the attempted intrusions from the internet. As such the detection component will be placed outside the PIX firewall. The database and web server will be placed within the protection of the Corporate Network (as below).
Internet ------ Router ------ Snort ---- Cisco Firewall ---- Public Network
+--------Corporate Network
|
+-- Snort db/ web server
Initially it is unknown how much CPU the Snort box will use for its applied rules. To prevent any degradation of traffic the Snort box will be a passive listener on the external network. To allow Snort alerts to be entered into the database the following rule must be added to the Cisco Firewall's allowed rules:
Allow (snort box ip):any -> (snort db):5432
Select two x86 architecture machines. Installation is partly online and should be carried out on the protected side of the firewall to prevent potential compromise.
Before this process begins ensure that the rsync protocol is allowed through the firewall (tcp/873).
Gentoo was selected for performance as it is a compiled-from-source distribution. It has a reasonably good installation process that handles dependencies well.
The installation will follow http://www.gentoo.org/doc/en/gentoo-x86-install.xml with the following clarifications. If the hardware for both machines is at the same CPU level, place the hard disks for both in one machine and copy the file system over before the GRUB installation. Networking will need to be changed on the second machine before connecting it to the network.
Section 4. Optional Networking
Required information:
Public access library network IP network address and mask:
Staff IP network address and mask:
Domain Name Server (DNS):
Default Gateway:
HTTP Proxy server (if any):
Code Listing 4.6 should be as follows:
ifconfig eth0 xxx.xxx.xxx.xxx broadcast xxx.xxx.xxx.xxx netmask 255.255.0.0
route add -net default gw xxx.xxx.xxx.xxx
Code Listing 4.7 should look like:
domain astc.nt.gov.au
nameserver xxx.xxx.xxx.xxx
nameserver xxx.xxx.xxx.xxx
Code Listing 4.8:
export http_proxy="http://.........."
Section 6. Filesystems, partitions and block devices
Disk partitioning will be as follows:

Partition      | Size                | Type       | Device
---------------|---------------------|------------|----------
Boot partition | 32 Megabytes        | ext3       | /dev/hda1
Swap partition | 2 x Physical Memory | Linux swap | /dev/hda2
Root partition | Remainder of disk   | ReiserFS   | /dev/hda3
8. Stage tarballs and chroot
To obtain the maximum optimisation follow the stage 1 installation.
Code Listing 8.1
wget -c -T 30 -t 30 http://public.planetmirror.com/pub/gentoo/releases/x86/1.4/stages/x86/stage1-x86-1.4-20030806.tar.bz2
Follow code listing 8.3 and 8.4 as this will save download time/bandwidth.
Follow code listing 8.6 and select the mirror rsync://rsync.au.gentoo.org/gentoo-portage (aka Planet Mirror) interactively.
9. Getting the Current Portage Tree using sync
Follow code listing 9.1 to obtain the latest updates (this includes security fixes).
10. Setting Gentoo optimizations (make.conf)
Set the CFLAGS and CXXFLAGS to contain the processor type and an “-O3” for optimization.
Select the following USE flags:
sse mmx – if supported by processor – check “cat /proc/cpuinfo” in the flags
as well as “apache2 crypt mysql postgres ssl perl php samba”
and “-x” to disable X support.
Uncomment PORTDIR_OVERLAY line.
16. Installing the kernel and system logger
Follow code listing 16.1: Emerging Kernel Sources – selecting gentoo-sources.
Follow the auto configuration, ensuring that reiserfs is built in (not as a module).
In Code listing 16.8 select metalog and in 16.10 select vcron.
In the networking section use the network settings defined earlier.
Select GRUB as the boot loader.
After everything is selected perform a reboot.
Future Development: Apply iptables rules to these machines.
On the Snort box only, perform the following.
#env ACCEPT_KEYWORDS="~x86" emerge snort
Edit /etc/conf.d/snort and change the interfaces to “any”
Copy the /etc/snort/snort.conf.distrib to /etc/snort/snort.conf and make the following changes:
var HOME_NET any
var EXTERNAL_NET any
Complete the *_SERVERS entries with the IP addresses of these servers.
Uncomment preprocessor portscan arpspoof conversation portscan2
output database: log, postgresql, user=snort_db_user dbname=snort password=5yetty host={HOSTNAME} port=5432
uncomment includes for backdoor web-attacks virus.rules multimedia.rules p2p.rules
# chmod go-rwx /etc/snort/snort.conf
To run snort on startup:
#rc-update add snort default
edit /etc/init.d/snort so that the “need” line is “need net postgresql”
Debugging: look at /var/log/everything/current. Unfortunately a lot of fatal errors do not stop the startup script. To force a restart of snort: "rm /var/lib/init.d/started/snort; /etc/init.d/snort start".
Future Development:
1. Use of stunnel to encrypt and authenticate links to the database.
2. emerge oinkmaster for rule updating scripts, or alternatively emerge snorticus.
To install apache:
#emerge apache mod_ssl
edit /etc/conf.d/apache2 and add “-D SSL -D PHP4” to the APACHE2_OPTS line. Uncomment the line as well.
To make apache start at bootup:
# rc-update add apache2 default
# /etc/init.d/apache2 start
Debugging TIP: see /var/log/apache2/error_log and access_log
#emerge postgresql
Edit /etc/conf.d/postgresql and add “-i” to the PGOPTS configuration line.
#rc-update add postgresql default
#usermod -s /bin/bash postgres
# ebuild /usr/portage/dev-db/postgresql/postgresql-7.3.4.ebuild config
Edit /var/lib/postgresql/data/pg_hba.conf to contain the following:
host snort snort_db_user {snort box ip} 255.255.255.255 password
#host snort snort_analyst {webserver} 255.255.255.255 password
host snort snort_analyst 127.0.0.1 255.255.255.255 password
#host snort snort_db_user 127.0.0.1 255.255.255.255 password
# /etc/init.d/postgresql start
# su - postgres
> /usr/bin/createdb snort
> /usr/bin/zcat /usr/share/doc/snort-2.0.1-r1/contrib/snortdb-extra.gz | sed "s/^#/--/g" | /usr/bin/psql snort
> zcat /usr/share/doc/snort-2.0.1-r1/contrib/create_postgresql.gz | /usr/bin/psql snort
(below courtesy of http://www.andrew.cmu.edu/~rdanyliw/snort/snortdb/snortdb_install.html)
> /usr/bin/psql snort
CREATE USER snort_db_user WITH UNENCRYPTED PASSWORD '5yetty';
GRANT SELECT ON detail, encoding, event, reference_system, schema,
sensor, sig_class, sig_reference, signature
TO snort_db_user;
GRANT INSERT ON data, event, icmphdr, iphdr, opt, reference,
reference_system, sensor, sig_class, sig_reference,
signature, tcphdr, udphdr
TO snort_db_user;
GRANT UPDATE ON reference_ref_id_seq, reference_system_ref_system_id_seq,
sensor_sid_seq, sig_class_sig_class_id_seq,
signature_sig_id_seq
TO snort_db_user;
CREATE USER snort_analyst WITH UNENCRYPTED PASSWORD '5p0rt';
GRANT CREATE ON DATABASE snort TO snort_analyst;
Debugging TIP: look at /var/lib/postgresql/data/postgresql.log
Further Development: Create certificates to allow authenticated SSL connections (http://www.phpfreaks.com/postgresqlmanual/page/ssl-tcp.html).
Connections to the database from the webserver are fairly safe and probably don't need SSL unless they get host separated.
Currently ACID (through adodb) and Snort don't appear to support SSL sessions. “emerge stunnel” may allow an SSL connection to be set up that way.
For SSL authentication and encryption from host to server see file:/usr/share/doc/postgresql-7.3.4/html/client-authentication.html on the local machine.
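As an added check (not part of the lab or of PostgreSQL itself), the script below parses pg_hba.conf entries in the five-field format used above and flags anything that loosens the intended policy: a 'trust' method, a mask wider than a single host, or a role/database pair outside the two accounts created here. The 192.0.2.x addresses and the deliberately weak last line of the sample are constructed.

```python
import ipaddress

# Constructed pg_hba.conf excerpt in the PostgreSQL 7.3 five-field format
# used above (type database user ip-address ip-mask method). 192.0.2.x are
# made-up placeholders for the Snort box; the final 'trust' line is added
# deliberately to show what the audit flags.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER            IP-ADDRESS   IP-MASK          METHOD
host    snort     snort_db_user   192.0.2.10   255.255.255.255  password
#host   snort     snort_analyst   192.0.2.20   255.255.255.255  password
host    snort     snort_analyst   127.0.0.1    255.255.255.255  password
#host   snort     snort_db_user   127.0.0.1    255.255.255.255  password
host    all       all             0.0.0.0      0.0.0.0          trust
"""

# The only role/database pairings the two-account design above needs.
EXPECTED_PAIRS = {("snort_db_user", "snort"), ("snort_analyst", "snort")}


def parse_pg_hba(text):
    """Return (database, user, network, method) for every active 'host' entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and '#host' lines
        fields = line.split()
        if len(fields) != 6 or fields[0] != "host":
            continue                          # 'local' entries are not audited here
        _, db, user, addr, mask, method = fields
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        entries.append((db, user, net, method))
    return entries


def audit_pg_hba(text):
    """List entries that widen access beyond one host, a designed role, or a password check."""
    findings = []
    for db, user, net, method in parse_pg_hba(text):
        where = f"{user}@{db} from {net}"
        if method == "trust":
            findings.append(f"{where}: 'trust' skips authentication")
        if net.prefixlen != 32:
            findings.append(f"{where}: mask admits more than a single host")
        if db == "all" or user == "all":
            findings.append(f"{where}: wildcard database or user")
        elif (user, db) not in EXPECTED_PAIRS:
            findings.append(f"{where}: role/database pair not in the design")
    return findings
```

Run against the real file with `audit_pg_hba(open("/var/lib/postgresql/data/pg_hba.conf").read())`; an empty list means every active host entry matches the design above.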
# env ACCEPT_KEYWORDS="~x86" emerge acid
should make https://[host]/acid refer to the interface to Snort data.
Edit file:/home/httpd/htdocs/acid/acid_conf.php to ensure that the database variables are correct:
$DBlib_path = "/usr/lib/php/adodb";
$DBtype = "postgres";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "5432";
$alert_user = "snort_analyst";
$alert_password = "5p0rt";
$archive_dbname = "snort_archive";
$archive_host = "localhost";
$archive_port = "5432";
$archive_user = "snort_analyst";
$archive_password = "5p0rt";
$ChartLib_path = "/usr/lib/php/jgraph";
NOTE we haven't set up an “archive” yet – still looking for instructions (somewhere)
Go to https://{your webserver}/acid/acid_db_setup.php and select “Create ACID AG”.
As the postgres user, in the “psql snort” command line interface, issue the following.
REVOKE CREATE ON DATABASE snort FROM snort_analyst;
(from file:/usr/share/doc/acid-0.9.6_beta23/README.gz)
GRANT SELECT ON TABLE acid_ag, acid_ag_alert, acid_event, acid_ip_cache, data, detail, encoding, event, icmphdr, iphdr, opt, reference, reference_system, schema, sensor, sig_class, sig_reference, signature, tcphdr, udphdr TO snort_analyst;
GRANT INSERT, DELETE ON TABLE acid_ag, acid_ag_alert, acid_event, acid_ip_cache, data, event, icmphdr, iphdr, opt, reference, reference_system, sensor, sig_class, sig_reference, signature, tcphdr, udphdr TO snort_analyst;
GRANT DELETE ON TABLE sensor TO snort_analyst;
GRANT UPDATE ON TABLE acid_event, acid_ip_cache, reference, reference_system, sig_class, sig_reference, signature TO snort_analyst;
GRANT SELECT, UPDATE ON TABLE acid_ag_ag_id_seq, reference_ref_id_seq, reference_system_ref_system_id_seq, sensor_sid_seq, sig_class_sig_class_id_seq, signature_sig_id_seq TO snort_analyst;
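The two grant blocks above (snort_db_user for the sensor, snort_analyst for ACID) implement a deliberate split: the sensor account can only append alerts, while the analyst account can read and prune. This added example (not from the lab, the Snort contrib scripts or the ACID README) replays a constructed, shortened copy of those statements to compute the effective privileges per role and check that the sensor account never gained DELETE or row UPDATE rights; the passwords are placeholders.

```python
import re

# Constructed excerpt of the GRANT/REVOKE statements above, cut down to a
# few tables so the logic stays readable; the passwords are placeholders.
SAMPLE_SQL = """
CREATE USER snort_db_user WITH UNENCRYPTED PASSWORD 'placeholder';
GRANT SELECT ON sensor, signature TO snort_db_user;
GRANT INSERT ON event, iphdr, sensor, signature TO snort_db_user;
GRANT UPDATE ON sensor_sid_seq, signature_sig_id_seq TO snort_db_user;
CREATE USER snort_analyst WITH UNENCRYPTED PASSWORD 'placeholder';
GRANT CREATE ON DATABASE snort TO snort_analyst;
REVOKE CREATE ON DATABASE snort FROM snort_analyst;
GRANT SELECT ON TABLE acid_event, event, iphdr, sensor, signature TO snort_analyst;
GRANT INSERT,DELETE ON TABLE acid_event, event, iphdr, sensor TO snort_analyst;
GRANT SELECT,UPDATE ON TABLE sensor_sid_seq, signature_sig_id_seq TO snort_analyst;
"""

# GRANT/REVOKE <privs> ON [TABLE|DATABASE] <objects> TO/FROM <role>;
STMT = re.compile(
    r"\b(GRANT|REVOKE)\s+([\w,\s]+?)\s+ON\s+(?:TABLE|DATABASE)?\s*([\w,\s]+?)\s+(?:TO|FROM)\s+(\w+)\s*;",
    re.IGNORECASE,
)


def privilege_matrix(sql):
    """Map role -> object -> privileges held after applying statements in order."""
    matrix = {}
    for verb, privs, objects, role in STMT.findall(sql):
        privset = {p.strip().upper() for p in privs.split(",")}
        for obj in (o.strip() for o in objects.split(",")):
            held = matrix.setdefault(role, {}).setdefault(obj, set())
            if verb.upper() == "GRANT":
                held |= privset
            else:
                held -= privset
    return matrix


def sensor_role_violations(matrix, role="snort_db_user"):
    """The sensor account may only append alerts: no DELETE, UPDATE only on sequences."""
    problems = []
    for obj, privs in matrix.get(role, {}).items():
        if "DELETE" in privs:
            problems.append(f"{role} can DELETE from {obj}")
        if "UPDATE" in privs and not obj.endswith("_seq"):
            problems.append(f"{role} can UPDATE rows in {obj}")
    return problems
```

Feeding the full grant script from this page through privilege_matrix shows the same shape: snort_analyst keeps DELETE on the alert tables (it has to prune), snort_db_user never does.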
Reference: This section was based off http://www.kellys.net/snort.
Further Development: Set access control to this area via authenticated https only.
Debugging TIP: in the file:/home/httpd/htdocs/acid/acid_conf.php there are a number of flags that can be set to enable debugging.
Other web scripts that may be of use are:
Snort Report - http://www.circuitsmaximus.com/download.html
Others available at http://www.snort.org/dl/contrib/data_analysis
[4] Black, Daniel, 2003, Lab 1 - Risk Assessment of Alice Springs Town Council, submission to the Computer Security subject of the ADFA postgraduate program 2003.