Summer Internship

Project Report

On

Open Source Intrusion Detection System

Carried Out At

IDRBT Hyderabad

29th May 2014 to 30th July 2014

Submitted By: Sambit Sarkar, Roll No.: 114112079, B.Tech.: Production (2nd year), Indian Institute of Technology

Guided By: Dr. N.P.Dhavale, Deputy General Manager, IDRBT Hyderabad

Acknowledgement

It gives me immense pleasure in presenting my summer internship report. I would like to take this opportunity to express my deepest gratitude to the people who have contributed their valuable time to help me successfully complete this internship.

With great pleasure and acknowledgement I extend my deep gratitude to Shri B. Sambamurthy, Director, IDRBT Hyderabad, for giving me the opportunity to accomplish my internship at this esteemed organization.

It is my profound privilege to express my deep sense of gratitude to Dr. N.P.Dhavale, Deputy General Manager, IDRBT Hyderabad, for his precious guidance, constructive encouragement and support throughout the development of the project. Without his help and guidance, it would have been really difficult to complete this project on time.

I am also thankful to Shri V.S.Mahesh, Assistant General Manager, IDRBT Hyderabad, Shri E. Shrihari, Project Officer, IDRBT Hyderabad and Shri Sudhir Kumar Jha, Manager, IDRBT Hyderabad for their guidance and support.

Finally, I would like to thank the Institute for Development and Research in Banking Technology Hyderabad for conducting such kind of training and I am also grateful to all the other people who have directly or indirectly helped me in my summer internship.

Sambit Sarkar, B.Tech. (2nd year), Production Engineering, National Institute Of Technology Trichy

Certificate

This is to certify that the summer internship project report entitled Open Source Intrusion Detection System, submitted by Sambit Sarkar, B. Tech. (2nd Year) in Production Engineering, National Institute of Technology Trichy, to the Institute for Development and Research in Banking Technology (IDRBT), Hyderabad, is a record of bona fide work carried out by him under my supervision and guidance from 29th May 2014 to 30th July 2014.

(Dr. N.P.Dhavale)
Deputy General Manager, IDRBT Hyderabad
Project Guide

Contents

1. Introduction
2. Objectives
3. Tools Used
4. Architecture
5. Setup
6. Deliverables

Introduction

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDS come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.

Since commercial IDSs can be very expensive, people who believe that internet security shouldn't cost so much have come up with open source alternatives to the commercial products. Most of these open source IDSs are free to use and their rules are also freely available, but some are not. By open source, I mean that anyone can look at and modify the source code, provided they comply with the GNU General Public License and give the same freedom to others when they build something on it.

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS)[4] created by Martin Roesch in 1998.[5] Snort is now developed by Sourcefire, of which Roesch is the founder and CTO.[6] In 2009, Snort entered InfoWorld's Open Source Hall of Fame as one of the "greatest [pieces of] open source software of all time". It has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. These basic services have many purposes, including application-aware triggered quality of service, to de-prioritize bulk traffic when latency-sensitive applications are in use.

Snort, when coupled with Barnyard2, BASE, LAMP and ADOdb, becomes a really powerful NIDS that is user friendly and easy to use.

Objectives

1. Build an Open Source Network Intrusion Detection System with Snort
2. Use Barnyard2 to inject Snort's logs into a MySQL database
3. Use BASE and ADOdb to display the alerts in a GUI

The purpose of the IDS is to log all the IPs connecting to the CA server.

Tools Used

1. Snort: Snort's open source network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. These basic services have many purposes including application-aware triggered quality of service, to de-prioritize bulk traffic when latency-sensitive applications are in use.

The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans.

Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. In sniffer mode, the program will read network packets and display them on the console. In packet logger mode, the program will log packets to the disk. In intrusion detection mode, the program will monitor network traffic and analyze it against a rule set defined by the user. The program will then perform a specific action based on what has been identified.

2. Barnyard2: Barnyard (now known only as Barnyard2) is an open source parsing program designed to retrieve logs written by Snort or Suricata in the Unified2 format and convert and write them to a database.

Unified2 is a binary file format for IDS output which software like Barnyard2 parses into a recognizable format.

The database formats supported by Barnyard2 are:
- MySQL
- MSSQL
- Oracle
- PostgreSQL
- SQLite

Barnyard makes Snort's work easier by gathering and formatting the alert data and writing it to the database. If Snort were to write the logs to the database itself, it would have to send each alert to the database and wait for confirmation of a successful write. The situation is made worse if the database is on another server. This could lead to packet drops by Snort.

Snort dumps the alerts in the unified2 file format. This is very quick, since no processing needs to be performed on the data. Barnyard reads this file, formats the alert data, and writes it to the chosen output mechanism. The output mechanism can be the conventional Snort logfile, syslog, a comma-separated value (CSV) file or a database server.

Configuring Snort to write in the unified2 file format is very simple. We just need to change the log_unified: line in the snort.conf file according to our output format.
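A reader for the Unified2 records described above, as an added example that is not Snort's or Barnyard2's own code: it walks a Unified2 byte stream the way Barnyard2 does, decoding the two record types Snort writes most often (the legacy IPv4 IDS event, type 7, and the packet record, type 2, both laid out as in Snort's Unified2_common.h), and pulls out the source IPs the report wants logged. The sample log, the sid 1000001 and the addresses in it are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

UNIFIED2_PACKET = 2        # Unified2Packet: 28-byte header + captured packet
UNIFIED2_IDS_EVENT = 7     # Unified2IDSEvent_legacy: 52 bytes, IPv4 only
HEADER = struct.Struct("!II")                     # record type, record length
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")   # 11 x u32, 2 x u16, 4 x u8
PACKET_HDR = struct.Struct("!IIIIIII")            # 7 x u32, then packet bytes

def parse_ids_event(body):
    f = IDS_EVENT.unpack_from(body)
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "event_microsecond": f[3], "sid": f[4], "gid": f[5], "rev": f[6],
            "classification_id": f[7], "priority": f[8],
            "src_ip": str(IPv4Address(f[9])), "dst_ip": str(IPv4Address(f[10])),
            "sport": f[11], "dport": f[12], "protocol": f[13], "blocked": f[16]}

def parse_packet(body):
    f = PACKET_HDR.unpack_from(body)
    return {"event_id": f[1], "packet_second": f[3], "linktype": f[5], "packet_length": f[6],
            "packet_data": body[PACKET_HDR.size:PACKET_HDR.size + f[6]]}

def read_unified2(data):
    """Yield (type, record) per complete record; a truncated trailing record
    (Snort may still be writing it) ends the walk instead of raising."""
    offset = 0
    while offset + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, offset)
        body = data[offset + HEADER.size:offset + HEADER.size + rlen]
        if len(body) < rlen:
            break
        if rtype == UNIFIED2_IDS_EVENT and rlen >= IDS_EVENT.size:
            yield rtype, parse_ids_event(body)
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET_HDR.size:
            yield rtype, parse_packet(body)
        else:                      # unknown type: hand back raw, never drop it
            yield rtype, body
        offset += HEADER.size + rlen

def connecting_ips(data):  # the report's goal: source IPs that raised alerts
    return sorted({r["src_ip"] for t, r in read_unified2(data) if t == UNIFIED2_IDS_EVENT})

def build_sample():  # constructed sample: one alert (hypothetical sid 1000001) + packet
    src, dst = int(IPv4Address("10.0.0.5")), int(IPv4Address("192.168.1.10"))
    ev = IDS_EVENT.pack(1, 7, 1401000000, 0, 1000001, 1, 1, 3, 2, src, dst, 51234, 443, 6, 0, 0, 0)
    pkt = b"\x45\x00\x00\x28" + b"\x00" * 36      # 40 placeholder IPv4 bytes
    pk = PACKET_HDR.pack(1, 7, 1401000000, 1401000000, 15, 1, len(pkt)) + pkt
    return HEADER.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev + HEADER.pack(UNIFIED2_PACKET, len(pk)) + pk
```

Run against a real sensor, read the snort.log.NNNN file produced by Snort instead of build_sample(); the IPv6 and V2 event types (72, 104, 105) come back as raw bytes here and would need their own struct layouts.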

3. LAMP: LAMP stands for Linux, Apache, MySQL, PHP. LAMP is an acronym for an archetypal model of web service solution stacks, originally consisting of largely interchangeable components: Linux, the Apache HTTP Server, the MySQL relational database management system, and the PHP programming language. As a solution stack, LAMP is suitable for building dynamic web sites and web applications.

The LAMP model has since been adapted to other componentry, though typically consisting of free and open-source software. As an example, the equivalent installation on a Microsoft Windows operating system is known as WAMP.

With the growing use of the archetypal LAMP, variations and retronyms appeared for other combinations of operating system, web server, database, and software language. An alternative running IIS in place of Apache on Windows is called WIMP. Variants involving other operating systems include MAMP (Macintosh), SAMP (Solaris), FAMP (FreeBSD) and iAMP (iSeries).

The web server or database management system may also vary. LEMP is a version where Apache has been replaced with the more lightweight web server Nginx. A version where MySQL has been replaced by PostgreSQL is called LAPP, or sometimes, keeping the original acronym, LAMP (Linux / Apache / Middleware (Perl, PHP, Python, Ruby) / PostgreSQL).

4. BASE: Basic Analysis and Security Engine is a web interface that lets you view the alerts generated by the Snort intrusion detection software. The interface allows alerts to be classified into groups, displayed as charts and searched by various criteria. BASE is a program under the GPL, built on the ACID code. You can also choose to install the program in French.

5. ADOdb: ADOdb is a database abstraction library for PHP and Python based on the same concept as Microsoft's ActiveX Data Objects. It allows developers to write applications in a fairly consistent way regardless of the underlying database system storing the information. The advantage is that the database system can be changed without rewriting every call to it in the application. ADOdb supports the following databases:
- ActiveX Data Objects
- DB2
- Firebird
- Foxpro
- FrontBase
- Informix
- LDAP
- Microsoft SQL Server
- MySQL
- Netezza
- Oracle
- PostgreSQL
- SAP DB
- SQLite
- Sybase
- Teradata
- Valentina
- generic ODBC and ODBTP

ADOdb uses SQL. Since each database system implements SQL slightly differently, the developer will need to be aware of the database-specific features and functions to avoid if they want to maintain portability. ADOdb provides date conversion functions so that you can create dates in any format and insert them into your SQL in the correct format for your database, which is one step toward database-independent SQL.

Similarly, a literal null can be replaced with the ADOdb variable that contains the correct SQL definition of null, so that the check for null works in every database.

6. PulledPork: PulledPork is a rule manager for Snort and Suricata. It helps automate the process of downloading and installing/updating your VRT Snort rules, Shared Object rules or Emerging Threats rules.

PulledPork features include:
- Automatic rule downloads using your Oinkcode
- MD5 verification prior to downloading new rulesets
- Full handling of Shared Object (SO) rules
- Generation of so_rule stub files
- Modification of ruleset state (disabling rules, etc.)

The project is run by JJ Cummings of Sourcefire.

In order to get the rules using PulledPork, an oinkcode is required. This code is generated automatically when we register at www.snort.org. Once we put the oinkcode in the pulledpork.conf file, we can start PulledPork to download the latest rules.

Architecture

We can see from the given network diagram that the IDS has to be connected at a place where it can see all the traffic coming to the systems it is monitoring. The IDS will be connected to a hub or to a switch with port mirroring enabled. This way, whenever any packet comes to any of the protected systems, Snort will be able to receive a copy of the packet without disrupting the network.

The IDS will be a Linux system (Ubuntu 14.04) with Snort, Barnyard2, LAMP, BASE, ADOdb, PulledPork and the other required libraries installed. We will be connecting to the IDS from the Analyst System via SSH. For looking at BASE, we will open a browser on the Analyst System and go to http://IDS's_IP/base/index.php .

For security reasons the analyst systems and the IDS should be in a private network. The figure below depicts the network diagram.

Setup

The following are screen shots of the web site which contains the install guide and documentation.

Deliverables

1. The Snort IDS set-up has been put into testing and production for the CA server
2. The incoming IP addresses have been logged and shown in BASE

The following are screen shots of the IDS in action.

Remote login to the IDS:

Initializing Snort:

Snort logging:

Barnyard2 initializing:

Barnyard2 writing to the database:

BASE alerts: