
Snort & IDScenter

60-564: Security and Privacy on the Internet


Instructor: Dr. A. K. Aggarwal
Presented By: Tarik El Amsy, Lihua Duan
Date: March 29, 2006
What is IDScenter
IDScenter is basically a graphical front-end for Snort on Windows platforms (recommended: Windows NT4/2000/XP).
IDScenter provides a friendly interface for Snort users.
With some knowledge of Snort, IDScenter helps users with configuration and provides management features.
Features of IDScenter
• Snort 1.7, 1.8, 1.9, and 2.x support
• Snort configuration wizard
• Online updates of IDS rules
• Ruleset editor for all Snort rule options
• HTML report from SQL backend
• Execution of a program on attack detection
• Good alerting tools, including mail, Windows event log and normal DB logging
Experiment Architecture and Scenarios
Network diagram: home net address 172.16.1.0/24 (NIDS and Target, connected through a hub), joined by a router to the external net address 137.207.234.0/24 (Attacker).
NIDS server configuration
CPU: AMD64 Opteron
Memory: 512M
Hard Disk: 8 G
Operating System: Windows 2000 Advanced Server
IP Address: 172.16.1.1
Installed Software:
• Snort 2.4.3 NIDS
• IDScenter 1.1 RC4
• WinPcap 3.1
• Ethereal 0.10.14
Target server configuration
CPU: AMD64 Opteron
Memory: 512M
Hard Disk: 8 G
Operating System: Windows 2000 Advanced Server
IP Address: 172.16.1.2
Installed software:
• Ethereal 0.10.14
• WinPcap 3.0 alpha 4
• Packet Excalibur 1.0.2 (packet generator)
• Web server, Telnet, SNMP, FTP, etc.
Attacker server configuration
CPU: AMD64 Opteron
Memory: 512M
Hard Disk: 8 G
Operating System: Windows 2000 Advanced Server
IP Address: 137.207.234.252
Installed software:
• WinPcap 3.0 alpha 4
• Packet Excalibur 1.0.2 (packet generator)
• Web server, Telnet, SNMP, FTP, etc.
Installing WinPcap
WinPcap (Windows Packet Capture Library) is a packet-capture driver. Functionally, this means that WinPcap grabs packets from the network wire and hands them to Snort, Ethereal and WinDump.

Download WinPcap_3_1_auto-installer.exe to local disk from http://www.winpcap.org/install/default.htm and run it.

Should be installed on hosts: NIDS, Attacker, Target.

Installing Ethereal
Ethereal® is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. Ethereal is one of the best graphical packet sniffers. Its graphical interface makes it easy to use and its long list of features makes it very powerful for analyzing network traffic.

Download and run ethereal-setup-0.10.14.exe, or any later version, from the Ethereal website http://www.ethereal.com/download.html.
Installing Packet Excalibur
A multi-platform freeware, graphical and scriptable network packet engine with extensible text-based protocol descriptions.
Needed to craft the sample attacks and generate these packets on the network during Snort testing.

Download the Packet Excalibur Windows installer, version 1.0.2, from http://www.securitybugware.org/excalibur/PacketExcalibur_
It will also install WinPcap 3.0a.
Should be installed on: Attacker, Target.
Packet Excalibur Demo
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"Rule 4 RPC portmap listing TCP 111"; content: "|00 01 86 A0|"; reference: arachnids,428; sid: 598; rev: 11; classtype: rpc-portmap-decode; flow: to_server,established;)
Installing Snort
Download Snort version 2.4.3.
Install directory: c:\snort
Default logging database option.

To test the installation and make sure it is running:

C:\snort\bin\snort -v

This runs Snort in sniffer mode; you should see the packets passing on the network being captured by Snort.
Installing IDScenter
Download IDScenter.zip (1.1 RC4, 04.08.2003) from http://www.engagesecurity.com/downloads/#IDScenter

Unzip the downloaded file to obtain setup.exe, then run it to start a simple, default installation.
Configuring Snort
Change the settings in the Snort configuration file snort.conf under the c:\snort\etc folder.
Use any text editor to edit the following:
• Network settings
• Preprocessors
• Output settings
• Rules settings
Configuring Network settings
Snort uses variables in configuring the rules.
When you write $ followed by a variable name, the value of that variable is substituted.
This lets you define different network ranges and subnets once and simplifies rule editing and customization.

We added the following variables to the snort.conf file:

var HOME_NET 172.16.1.0/24
var EXTERNAL_NET any
var DNS_SERVERS 172.16.1.2/32
var SMTP_SERVERS 172.16.1.2/32
var HTTP_SERVERS 172.16.1.2/32
var SQL_SERVERS 172.16.1.2/32
var TELNET_SERVERS 172.16.1.2/32
var HTTP_PORTS 80
var RULE_PATH c:\snort\rules
Configuring Preprocessors
Configure the http_inspect preprocessor.
This preprocessor allows Snort to decode HTTP web traffic and analyze it for specific URI contents.

Setting in snort.conf file:

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default profile all ports { 80 }
Configuring Output settings
Outputting alerts to a file-based log called alert.ids.

Setting in snort.conf file:

output alert_fast: alert.ids
config logdir: c:\snort\log
Configuring Rules settings
Create a file called project.rules in the c:\snort\rules folder.
The file contains the 10 selected attacks.
Remove the normal rule file includes from the config file and add only project.rules (the variable name must match the RULE_PATH defined above):

include $RULE_PATH/project.rules

Sample Rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"Rule 4 RPC portmap listing TCP 111"; content: "|00 01 86 A0|"; reference: arachnids,428; sid: 598; rev: 11; classtype: rpc-portmap-decode; flow: to_server,established;)
IDScenter Configuration
IDScenter consists of the following menus:
• General
• Wizards
• Logs
• Alerts
• ...
General Menu
Apply: applies and saves the configuration (after setting all the options needed in IDScenter)
Start Snort: starts Snort in console mode or service mode
View alerts: opens the log viewer
Test settings: after configuration you can test the settings by clicking on this button
Reload: reloads the configuration
Reset Alarm: stops the alarm sound
General Menu
There are two modes to set up Snort with IDScenter:
• Snort console mode
• Snort service mode

The advantage of service mode is that Snort can monitor your network constantly, even when you're logged off.
General / Configuration
Select the Snort version to run
Select the process priority
Select options (service mode / Snort console / auto restart)
Select the log folder path and file name
General / Snort Options
Set the configuration file. This is usually "snort.conf" in the "etc" folder where Snort was installed (e.g. "C:\Snort\etc\snort.conf").
You can find a pattern in the configuration file by typing it into the edit box and clicking on the search button.
You can set an external editor for editing the Snort configuration file.
General / Activity Log
In this panel IDScenter displays events.
You can enable/disable event logs.
You can select which events are monitored.
You can have the activity log purged automatically.
Clear log: clears the logging entries.
General / Overview
In this panel IDScenter displays errors. If an error occurs when you click on Apply, you'll be informed here.
An overview of the activated alert features is shown here.
"Copy to clipboard": copies the Snort command line to the clipboard.
Wizards Menu
The Wizards menu has several wizards which help with configuring Snort. It has the following:
• Network Variables wizard
• Preprocessor wizard
• Output plugin wizard
• Rules/Signatures wizard
• Online Update wizard
Wizards / Network Variables
Helps to set the variables used in rule files.
You can:
• Add a new variable
• Edit an existing variable
• Delete a variable
Wizards / Preprocessors
Here you can select and configure the preprocessors used by Snort:
• Stream4 and Frag2 pane (enable Snort to defragment packets and perform stateful inspection)
• Protocol Preprocessor pane (different protocol decoders such as HTTP decode, Telnet, RPC decode, etc.)
• PortScan Detection pane
• Miscellaneous pane (ARP spoof and other unsupported preprocessors)
Wizards / Output Plugins
There are many small wizards in this panel which will help you to
configure the output plugins of Snort.
Wizards / Rules Wizard
The ruleset wizard helps you maintain a good ruleset. This is the "include" part of the Snort configuration file.
Select first a classification configuration file, by default "classification.config".
Select the reference configuration file, by default "reference.config".
Activate/deactivate the rule files you want to use by checking/unchecking their boxes.
Open a ruleset in the ruleset editor:
• Select a ruleset file
• Click on "Ruleset editor"
Wizards / Rules Wizard
The ruleset editor lists all available rules in the file.
Add (and clone) new rules / delete rules
Edit a rule (select a rule and click on "Add/edit rule")
Activate/deactivate the rules you want to use
Import additional rules into the ruleset (in Snort 2.x syntax)
Save the ruleset after modification
Rules Wizard / Editing a rule
The editor provides a front-end to all Snort 2.x rule features.
It makes it easier to understand and modify any rule.
You can also access online information for that rule.
Wizards / Online Update
The online update wizard is a front-end for configuring Oinkmaster (by Andreas Östling).
If you want to use this feature, you should download the EagleX package.
Logs / Options Menu
Settings (command-line parameters of Snort)
These settings will override the parameters in the Snort configuration file if set.
Example: you set the output plugin "alert_full: alert.ids"... and selected "Fast". In this case Snort will log using fast mode.
Select the interface Snort should monitor, if necessary.
Logs / Log Rotation
Log rotation will rotate the alert logs by compressing the files into ZIP packages and moving them to the Backup folder.
Alerts / Detection
The alert alarm goes off if the file/database has changed.
Select at least one alert detection mode:
• File alert detection mode (up to 10 files monitored)
Add the files which should be monitored for changes (at least the alert log file set in the main configuration panel should be added).
• MySQL alert detection
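The alert_fast output configured earlier (output alert_fast: alert.ids) and the file alert detection mode described here, worked through as an added Python example (not code from the slides or from IDScenter): a parser for alert_fast records, an incremental reader that only picks up lines appended since the last poll and copes with a rotated or half-written file, and a per-source summary. The alert lines are constructed to resemble what Rule 4 (sid 598) would write; how IDScenter itself detects file changes is an assumption, and the second rule's sid 1000001 is a placeholder.

```python
"""
Added example, not part of the slides: parse the alert_fast log (alert.ids)
that the deck's output setting produces, reading only the lines appended since
the previous check, which is the file-change polling that IDScenter's file
alert detection mode relies on (how IDScenter does it internally is an
assumption here).  The sample alert lines are constructed to resemble what
Rule 4 (sid 598) would write; they are not real captures.
"""
import os
import re
import tempfile
from collections import Counter

SAMPLE_ALERTS = [  # constructed, not real captures
    "03/29-14:05:11.203311  [**] [1:598:11] Rule 4 RPC portmap listing TCP 111 [**] "
    "[Classification: Decode of an RPC Query] [Priority: 2] {TCP} 137.207.234.252:33021 -> 172.16.1.2:111",
    "03/29-14:05:12.417902  [**] [1:598:11] Rule 4 RPC portmap listing TCP 111 [**] "
    "[Classification: Decode of an RPC Query] [Priority: 2] {TCP} 137.207.234.252:33022 -> 172.16.1.2:111",
    "03/29-14:07:40.009125  [**] [1:1000001:1] PROJECT placeholder rule (constructed) [**] "
    "[Priority: 3] {ICMP} 137.207.234.252 -> 172.16.1.2",
]

# one alert_fast record: timestamp, [gid:sid:rev], message, optional
# classification and priority, protocol, source -> destination (ports optional)
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return the alert fields as a dict, or None for a line that is not an
    alert_fast record (alert_full and other plugins use different layouts)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["prio"] = int(d["prio"]) if d["prio"] else None
    return d


def read_new_alerts(path, offset=0):
    """Parse the lines appended to path since byte offset; return (alerts, new_offset).
    A file smaller than offset means log rotation truncated it, so start over;
    a trailing line without a newline is still being written by Snort and is
    left for the next poll."""
    if os.path.getsize(path) < offset:
        offset = 0
    alerts = []
    with open(path, "rb") as fh:
        fh.seek(offset)
        while True:
            line = fh.readline()
            if not line.endswith(b"\n"):
                break
            offset = fh.tell()
            parsed = parse_alert(line.decode("latin-1").rstrip("\r\n"))
            if parsed:
                alerts.append(parsed)
    return alerts, offset


def summarize(alerts):
    """Count alerts per (sid, source address), the view an operator wants
    before deciding whether a source should be blocked."""
    return Counter((a["sid"], a["src"]) for a in alerts)


def demo():
    """Write the constructed alerts in two batches to a temporary alert.ids
    and poll it twice, as a file-watching alerter would."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "alert.ids")
        with open(path, "w") as fh:
            fh.write("\n".join(SAMPLE_ALERTS[:2]) + "\n")
        first, offset = read_new_alerts(path)
        with open(path, "a") as fh:
            fh.write(SAMPLE_ALERTS[2] + "\n")
        second, offset = read_new_alerts(path, offset)
        return len(first), len(second), summarize(first + second)


if __name__ == "__main__":
    print(demo())
```

The offset is kept between polls so a long-running alert file is never re-read from the start, and the truncation check is what lets the reader survive the ZIP-and-move log rotation described on the Log Rotation slide.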
Alerts / Notification
Alarm sound: select a WAV file if you selected "Start alarm sound when an alert is logged".
Program execution: IDScenter will execute this program if an alert was logged (e.g. start a script that reconfigures your router, or generate HTML pages of the alert log using an external program).
AutoBlock plugin system (example: Network Ice & Black Ice). It allows you to block specific network traffic (mini firewall).
Alerts / AlertMail
AlertMail can send administrator alerts by mail if Snort has detected an attack.
You can send a sample of the latest attacks in the email message, as well as the log file as an attachment.
Example of received mail alert
Our Opinion
IDScenter is a very simple and easy-to-use configuration utility for Snort.
• It has a very good graphical interface.
• It provides a lot of add-on features for managing Snort.
• It provides good alerting features.

• It has some compatibility issues with the latest Snort version (especially preprocessors and the latest MySQL version).
• It has no analysis features.
• It still requires good knowledge of the Snort IDS to configure.
