Lab network diagram (figure): Hub, Router, NIDS, Target and Attacker; external net address 137.207.234.0/24
NIDS server configuration
CPU: AMD64 Opteron
Memory: 512M
Hard Disk: 8 G
Operating System: Windows 2000 Advanced Server
IP Address: 172.16.1.1
Installed Software:
Snort 2.4.3 NIDS
IDScenter 1.1 RC4
WinPcap 3.1
Ethereal 0.10.14
Target server configuration
CPU: AMD64 Opteron
Memory: 512M
Hard Disk: 8 G
Operating System: Windows 2000 Advanced Server
IP Address: 172.16.1.2
Installed software:
Ethereal 0.10.14
WinPcap 3.0 alpha 4
Packet Excalibur 1.0.2 (packet generator)
Web server, Telnet, SNMP, FTP, etc.
Attacker server configuration
CPU: AMD64 Opteron
Memory: 512M
Hard Disk: 8 G
OS: Windows 2000 AS
IP Address: 137.207.234.252
Installed software:
WinPcap 3.0 alpha 4
Packet Excalibur 1.0.2 (packet generator)
Web server, Telnet, SNMP, FTP, etc.
Installing WinPcap
WinPcap (Windows Packet Capture Library) is a packet-capture driver. Functionally, this means that WinPcap grabs packets from the network wire and hands them to Snort, Ethereal and WinDump.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 }
Configuring Output settings
Outputting alerts to a file-based log called alert.ids
include $Rule_path/project.rules
Sample Rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"Rule 4 RPC portmap listing TCP 111"; content:"|00 01 86 A0|"; reference:arachnids,428; sid:598; rev:11; classtype:rpc-portmap-decode; flow:to_server,established;)
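To show what the sample rule actually looks for, here is an added example (not code from the slides, IDScenter or Snort) that parses the rule header and options, turns the content pattern with its |hex| segment into bytes, and checks it against two constructed TCP payloads: a portmapper DUMP call (program number 100000 = 0x000186A0, the bytes the rule names) and an otherwise identical call for program 100003, which the rule does not match. The packet bytes and the helper names are assumptions for illustration; the rule text is the one from the slide.

```python
import struct

# The sample rule from the slide (Snort SID 598), kept as one line.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"Rule 4 RPC portmap '
    'listing TCP 111"; content: "|00 01 86 A0|"; reference: arachnids,428; '
    'sid: 598; rev: 11; classtype: rpc-portmap-decode; flow: to_server,established;)'
)

# Constructed ONC RPC-over-TCP records (not captured traffic): a 4-byte record
# mark followed by xid, msg_type=CALL, rpcvers=2, prog, vers, proc, null cred, null verf.
# prog 100000 is the portmapper and proc 4 is PMAPPROC_DUMP (list registered services).
PORTMAP_DUMP_CALL = struct.pack('>11I', 0x80000028, 0x1234ABCD, 0, 2, 100000, 2, 4, 0, 0, 0, 0)
# Same shape for program 100003 (NFS): the rule's content bytes never occur.
NFS_CALL = struct.pack('>11I', 0x80000028, 0x1234ABCD, 0, 2, 100003, 3, 0, 0, 0, 0, 0)


def split_options(body):
    """Split the rule body on ';' characters that are outside double quotes."""
    opts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if ''.join(cur).strip():
        opts.append(''.join(cur).strip())
    return opts


def content_to_bytes(value):
    """Decode a Snort content string: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, seg in enumerate(value.strip().strip('"').split('|')):
        out += bytes.fromhex(seg.replace(' ', '')) if i % 2 else seg.encode('latin-1')
    return bytes(out)


def parse_rule(rule):
    """Parse header fields and options; each content value becomes a byte pattern."""
    head, _, body = rule.partition('(')
    action, proto, src, sport, _arrow, dst, dport = head.split()
    contents, options = [], {}
    for opt in split_options(body.rstrip().rstrip(')')):
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip().strip('"')
        if key == 'content':
            contents.append(content_to_bytes(val))
        else:
            options[key] = val
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dst': dst, 'dport': dport, 'contents': contents, 'options': options}


def payload_matches(rule, payload):
    """True when every content pattern of the rule occurs somewhere in the payload."""
    return all(pattern in payload for pattern in rule['contents'])


if __name__ == '__main__':
    parsed = parse_rule(SAMPLE_RULE)
    print(parsed['options']['msg'], parsed['contents'])
    print('portmap dump matches:', payload_matches(parsed, PORTMAP_DUMP_CALL))
    print('nfs call matches:', payload_matches(parsed, NFS_CALL))
```

This is a plain substring check; real Snort also evaluates the port, direction and the flow:to_server,established condition, so the program number has to appear in a client-to-server segment of an established TCP connection to port 111 before the alert fires.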
IDScenter Configuration
IDScenter consists
of the following
menus
General
Wizards
Logs
Alerts
...
General Menu
Apply: click on Apply to apply/save the configuration (after setting all the options needed in IDScenter)
Start Snort: starts Snort in console mode / service mode
View alerts: opens the log viewer
Test settings: after configuration you can test the settings by clicking on this button
Reload: reloads the configuration
Reset alarm: stops the alarm sound
General Menu
There are two modes to setup Snort with IDScenter
Snort console mode
Snort service mode
The advantage of service mode is that Snort can monitor your network constantly, even when you're logged off.
General / Configuration
Select snort version to run
Select Process priority
Select options (service mode / Snort console / auto restart)
Select log folder path and file name
General / Snort Options
Set the configuration file. This is usually "snort.conf" in the "etc" folder where Snort was installed (e.g. "C:\Snort\etc\snort.conf").
You can find a pattern in the configuration file by typing it into the edit box and clicking on the search button.
You can set an external editor for editing the Snort configuration file.
General Activity Log
In this panel IDScenter displays events
You can enable/disable event logs
You can select which events are monitored
You can have the activity log purged automatically
Clear log: clear the logging entries
General / Overview
In this panel IDScenter displays errors. If an error occurs when you click on Apply, you'll be informed here.
An overview of the alert features activated is shown here.
"Copy to clipboard": copies the Snort command-line into the clipboard.
Wizards Menu
The Wizards menu has several wizards which help with configuring Snort. It has the following:
Network Variables wizard
Preprocessor Wizard
Output plugin Wizard
Rules/Signatures Wizard
Online Update Wizard
Wizards / Network Variables
Helps to set the variables used in rule files.
You can:
Add a new variable
Edit an existing variable
Delete a variable
Wizards / Preprocessors
Here you can select and configure the preprocessors used by Snort:
Stream4 and Frag2 pane (enable Snort to defragment packets and perform stateful inspection)
Protocol Preprocessor pane (different protocol decoders such as HTTP decode, Telnet, RPC decode, etc.)
PortScan Detection pane
Miscellaneous pane (ARP spoof and other unsupported preprocessors)
Wizards / Output Plugins
There are many small wizards in this panel which will help you to
configure the output plugins of Snort.
Wizards / Rules Wizard
The ruleset wizard will help you maintain a good ruleset. This is the "include" part of the Snort configuration file.
First select a classification configuration file, by default "classification.config".
Select the reference configuration file, by default "reference.config".
Activate/deactivate the rule files you want to use by checking/unchecking their boxes.
Open a ruleset in the ruleset editor:
Select a ruleset file
Click on "Ruleset editor"
Wizards / Rules Wizard
The ruleset editor lists all available rules in the file.
Add (and clone) new rules / delete rules
Edit a rule (select a rule and click on "Add/edit rule")
Activate/deactivate the rules you want to use
Import additional rules into the ruleset (in Snort 2.x syntax)
Save the ruleset after modification
Rules Wizard / Editing a rule
The editor provides a front-end to all Snort 2.x rule features.
It makes it easier to understand and modify any rule.
You can also access online information for that rule.
Wizards / Online Update
The online update wizard is a front-end for configuring Oinkmaster (by Andreas Östling).
If you want to use this feature, you should download the EagleX package.
Logs / Options Menu
This set of Snort parameters (command-line parameters) will overwrite the settings in the Snort configuration file if set.
Example: you set the output plugin "alert_full: alert.ids"... and selected "Fast". In this case Snort will log using fast mode.
Select the interface Snort should monitor, if necessary.
Logs / Log Rotation
Log rotation will rotate the alert logs by compressing the files into ZIP packages and moving them to the Backup folder.
Alerts / Detection
The alarm will be raised if the monitored file/database has changed.
Select at least one alert detection mode:
File alert detection mode (up to 10 files monitored)
Add the files which should be monitored for changes (at least the alert log file set in the main configuration panel should be added)
MySQL alert detection
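The two mechanisms just described, log rotation (Logs / Log Rotation) and file alert detection (Alerts / Detection), amount to watching alert.ids for appended bytes and periodically zipping it into the Backup folder. The following is an added example written for this page, not IDScenter's own code: a poll-based watcher that returns only the newly appended alert lines and restarts from the beginning when the file shrinks (i.e. after rotation), plus a rotation routine that archives the log into a timestamped ZIP and empties it. The alert lines, file names and folder layout are constructed for the demo; the assumption that Snort tolerates the truncation (stopped, or writing with shared access) is noted in the code.

```python
import os
import tempfile
import time
import zipfile
from pathlib import Path

# Constructed alert lines in Snort "fast" alert format (not captured from a real run).
SAMPLE_ALERTS = [
    b'03/14-10:22:31.118342 [**] [1:598:11] Rule 4 RPC portmap listing TCP 111 [**] '
    b'[Classification: Decode of an RPC Query] [Priority: 2] {TCP} '
    b'137.207.234.252:1042 -> 172.16.1.2:111',
    b'03/14-10:22:35.904117 [**] [1:598:11] Rule 4 RPC portmap listing TCP 111 [**] '
    b'[Classification: Decode of an RPC Query] [Priority: 2] {TCP} '
    b'137.207.234.252:1043 -> 172.16.1.2:111',
]


def read_new_alerts(path, offset):
    """File alert detection: return the alert lines appended since `offset`
    (a byte position) together with the new offset. A file smaller than the
    offset has been truncated or rotated, so reading restarts at the beginning."""
    size = os.path.getsize(path)
    if size < offset:
        offset = 0
    with open(path, 'rb') as fh:
        fh.seek(offset)
        chunk = fh.read()
    lines = [line.decode('latin-1') for line in chunk.splitlines() if line.strip()]
    return lines, offset + len(chunk)


def rotate_alert_log(path, backup_dir):
    """Log rotation: compress the alert log into a timestamped ZIP inside the
    Backup folder and empty the original so a fresh log starts. Assumes Snort
    is stopped or keeps the file open with shared write access (assumption)."""
    path, backup = Path(path), Path(backup_dir)
    backup.mkdir(parents=True, exist_ok=True)
    archive = backup / f"{path.name}-{time.strftime('%Y%m%d-%H%M%S')}.zip"
    with zipfile.ZipFile(archive, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.write(path, arcname=path.name)
    path.write_bytes(b'')
    return archive


def demo_alert_watch():
    """Poll a constructed alert.ids twice, rotate it, then poll once more."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / 'alert.ids'
        log.write_bytes(SAMPLE_ALERTS[0] + b'\n')
        lines, offset = read_new_alerts(log, 0)          # first poll sees one alert
        first = len(lines)
        with open(log, 'ab') as fh:
            fh.write(SAMPLE_ALERTS[1] + b'\n')
        lines, offset = read_new_alerts(log, offset)     # only the appended alert
        second = (len(lines), lines[0].split('[**]')[1].strip())
        archive = rotate_alert_log(log, Path(tmp) / 'Backup')
        with zipfile.ZipFile(archive) as zf:
            archived = zf.read('alert.ids').count(b'\n')  # both alerts are in the ZIP
        lines, offset = read_new_alerts(log, offset)     # shrunken file resets the offset
        return first, second, archived, log.stat().st_size, offset


if __name__ == '__main__':
    print(demo_alert_watch())
```

Tracking a byte offset rather than hashing the whole file keeps each poll cheap on a busy sensor and lets the watcher hand the new lines straight to the notification step; the size check is what keeps it from missing alerts written right after a rotation.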
Alerts / Notification
Alarm sound: select a WAV file if you selected "Start alarm sound when an alert is logged".
Program execution: IDScenter will execute this program if an alert was logged (e.g. start a script that reconfigures your router, or generate HTML pages of the alert log using an external program).
AutoBlock plugin system (example: Network ICE BlackICE). It allows you to block specific network traffic (mini firewall).
Alerts / AlertMail
AlertMail can send administrator alerts by mail if Snort has detected an attack.
You can send a sample of the latest attacks in the email message as well as the log file as an attachment.
Example of received mail alert (screenshot)
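As an added illustration of the AlertMail feature (written for this page; not IDScenter's own implementation), the block below builds the kind of message the slide describes: the last few alert lines in the body and the complete alert log as an attachment. The sender, recipient, SMTP host and the alert lines are all constructed; building and sending are kept separate so the message can be inspected without a mail server.

```python
import tempfile
from email.message import EmailMessage
from pathlib import Path

# Constructed alert lines in Snort "fast" alert format (not captured from a real run).
SAMPLE_ALERTS = [
    f'03/14-10:22:3{i}.000000 [**] [1:598:11] Rule 4 RPC portmap listing TCP 111 [**] '
    f'[Classification: Decode of an RPC Query] [Priority: 2] {{TCP}} '
    f'137.207.234.252:{1040 + i} -> 172.16.1.2:111'
    for i in range(5)
]


def build_alert_mail(log_path, sender, recipient, sample_count=5):
    """Build an AlertMail-style message: the last `sample_count` alert lines in
    the body and the complete alert log attached. Nothing is sent here; the
    returned EmailMessage can be inspected or handed to send_alert_mail()."""
    log = Path(log_path)
    lines = [l for l in log.read_text(encoding='latin-1').splitlines() if l.strip()]
    msg = EmailMessage()
    msg['From'] = sender
    msg['To'] = recipient
    msg['Subject'] = f'[Snort] {len(lines)} alert(s) logged in {log.name}'
    msg.set_content('\n'.join(['Latest alerts:', ''] + lines[-sample_count:]))
    # Attach the raw log as an opaque file so mail clients do not reflow it.
    msg.add_attachment(log.read_bytes(), maintype='application',
                       subtype='octet-stream', filename=log.name)
    return msg


def send_alert_mail(msg, smtp_host, smtp_port=25):
    """Deliver the message through an SMTP relay (host/port are assumptions;
    IDScenter's own mail settings are not modelled here)."""
    import smtplib
    with smtplib.SMTP(smtp_host, smtp_port) as smtp:
        smtp.send_message(msg)


def demo_alert_mail():
    """Build a message from a constructed alert.ids; return it with the raw log bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / 'alert.ids'
        log.write_text('\n'.join(SAMPLE_ALERTS) + '\n', encoding='latin-1')
        msg = build_alert_mail(log, 'snort@nids.example.test',
                               'admin@example.test', sample_count=3)
        return msg, log.read_bytes()


if __name__ == '__main__':
    message, _ = demo_alert_mail()
    print(message.as_string())
```

Keeping the body to a short sample and attaching the full log is what stops a noisy rule from turning every notification into a multi-megabyte mail; the count in the subject line gives the administrator a quick sense of volume before opening it.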
Our Opinion
IDScenter is a very simple and easy-to-use configuration utility for Snort.
It has a very good graphical interface.
It provides a lot of add-on features for managing Snort.
It provides good alerting features.