Summer Internship Project Report on Open Source Intrusion Detection
Summer Internship Project Report On Open Source Intrusion Detection System
Carried Out At IDRBT Hyderabad
29th May 2014 to 30th July 2014

Submitted By: Sambit Sarkar, Roll No.: 114112079, B.Tech.: Production (2nd year), Indian Institute of Technology
Guided By: Dr. N.P.Dhavale, Deputy General Manager, IDRBT Hyderabad

Acknowledgement

It gives me immense pleasure in presenting my summer internship report. I would like to take this opportunity to express my deepest gratitude to the people who have contributed their valuable time to help me successfully complete this internship.

With great pleasure and acknowledgement I extend my deep gratitude to Shri B. Sambamurthy, Director, IDRBT Hyderabad, for giving me the opportunity to accomplish this internship at this esteemed organization.

It is my profound privilege to express my deep sense of gratitude to Dr. N.P.Dhavale, Deputy General Manager, IDRBT Hyderabad, for his precious guidance, constructive encouragement and support throughout the development of the project. Without his help and guidance, it was really difficult to complete this project on time.

I am also thankful to Shri V.S.Mahesh, Assistant General Manager, IDRBT Hyderabad, Shri E. Shrihari, Project Officer, IDRBT Hyderabad and Shri Sudhir Kumar Jha, Manager, IDRBT Hyderabad for their guidance and support.

Finally, I would like to thank the Institute for Development and Research in Banking Technology Hyderabad for conducting such training, and I am also grateful to all the other people who have directly or indirectly helped me in my summer internship.

Sambit Sarkar
B.Tech. (2nd year) Production Engineering
National Institute Of Technology Trichy

Certificate

This is to verify that the summer internship project report entitled Open Source Intrusion Detection System submitted by Sambit Sarkar, B. Tech. (2nd Year) in Production Engineering, National Institute of Technology Trichy to the Institute for Development and Research in Banking Technology (IDRBT), Hyderabad is a record of bona fide work carried out by him under my supervision and guidance during 29th May 2014 to 30th July 2014.

(Dr. N.P.Dhavale)
Deputy General Manager, IDRBT Hyderabad
Project Guide

Contents

1. Introduction
2. Objectives
3. Tools Used
4. Architecture
5. Setup
6. Deliverables

Introduction

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDSs come in a variety of "flavors" and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.

Since commercial IDSs can be very expensive, people who believe that internet security shouldn't be so expensive have come up with open source alternatives to the commercial IDSs. Most of these open source IDSs are free to use and their rules are also freely available, but some are not. And by open source, I mean that anyone can look at and meddle with the source code, provided they play well with the GNU Public License and give the same freedom to others when they build something on it.
Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS)[4] created by Martin Roesch in 1998.[5] Snort is now developed by Sourcefire, of which Roesch is the founder and CTO.[6] In 2009, Snort entered InfoWorld's Open Source Hall of Fame as one of the "greatest [pieces of] open source software of all time". It has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. These basic services have many purposes, including application-aware triggered quality of service, to de-prioritize bulk traffic when latency-sensitive applications are in use. Snort, when coupled with Barnyard2, BASE, LAMP and ADOdb, becomes a really powerful NIDS which is very user friendly and easy to use.

Objectives

1. Build an Open Source Network Intrusion Detection System with Snort
2. Use Barnyard2 to inject Snort's logs into a MySQL database
3. Use BASE and ADOdb to display the alerts in a GUI

The purpose of the IDS is to log all the IPs connecting to the CA server.

Tools Used

1. Snort: Snort's open source network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. These basic services have many purposes, including application-aware triggered quality of service, to de-prioritize bulk traffic when latency-sensitive applications are in use. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface attacks, buffer overflows, server message block probes, and stealth port scans. Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection.
In sniffer mode, the program will read network packets and display them on the console. In packet logger mode, the program will log packets to the disk. In intrusion detection mode, the program will monitor network traffic and analyze it against a rule set defined by the user. The program will then perform a specific action based on what has been identified.

2. Barnyard2: Barnyard (now known only as Barnyard2) is an open source parsing program designed to retrieve logs written by Snort or Suricata in the Unified2 format and convert and write them to a database. Unified2 is a special binary file format for IDS output which software such as Barnyard2 parses into a recognizable format (e.g. MySQL). The formats supported by Barnyard2 are:
- MySQL
- MSSQL
- Oracle
- PostgreSQL
- SQLite

Barnyard makes Snort's work easier by gathering and formatting the alert data and writing it to the database. If Snort were to write the logs to the database itself, it would have to send each alert to the database and wait for confirmation of a successful write. The situation is made worse if the database is on another server. This could lead to packet drops by Snort. Instead, Snort dumps the alerts in the unified2 file format. This is very quick, since no processing needs to be performed on the data. Barnyard reads this file, formats the alert data, and writes it to the chosen output mechanism. The output mechanism can be the conventional Snort logfile, syslog, a comma-separated value (CSV) file or a database server. Configuring Snort to write the unified2 file format is very simple: we just need to set the log_unified: output line in the snort.conf file according to our output format.

3. LAMP: LAMP stands for Linux, Apache, MySQL, PHP. LAMP is an acronym for an archetypal model of web service solution stacks, originally consisting of largely interchangeable components: Linux, the Apache HTTP Server, the MySQL relational database management system, and the PHP programming language.
As a solution stack, LAMP is suitable for building dynamic web sites and web applications. The LAMP model has since been adapted to other componentry, though typically consisting of free and open-source software. With the growing use of the archetypal LAMP, variations and retronyms appeared for other combinations of operating system, web server, database, and software language. For example, the equivalent installation on a Microsoft Windows operating system is known as WAMP, and an alternative running IIS in place of Apache is called WIMP. Variants involving other operating systems include MAMP (Macintosh), SAMP (Solaris), FAMP (FreeBSD) and iAMP (iSeries). The web server or database management system may also vary. LEMP is a version where Apache has been replaced with the more lightweight web server Nginx. A version where MySQL has been replaced by PostgreSQL is called LAPP, or sometimes, keeping the original acronym, LAMP (Linux / Apache / Middleware (Perl, PHP, Python, Ruby) / PostgreSQL).

4. BASE: Basic Analysis and Security Engine is a web interface that lets you view alerts generated by the Snort intrusion detection software. The interface allows grouping and classification of alerts, display of charts, and searching alerts by various criteria. BASE is a program under the GPL, written in PHP and built on the ACID code. You can choose to install the program in French.

5. ADOdb: ADOdb is a database abstraction library for PHP and Python based on the same concept as Microsoft's ActiveX Data Objects. It allows developers to write applications in a fairly consistent way regardless of the underlying database system storing the information. The advantage is that the database system can be changed without rewriting every call to it in the application.
ADOdb supports the following databases: ActiveX Data Objects, DB2, Firebird, FoxPro, FrontBase, Informix, Interbase, LDAP, Microsoft Access, Microsoft SQL Server, MySQL, Netezza, Oracle, PostgreSQL, SAP DB, SQLite, Sybase, Teradata, Valentina, and generic ODBC and ODBTP.

ADOdb uses SQL. Since each database system implements SQL slightly differently, the developer will need to be aware of the database-specific features and functions to avoid if they want to maintain portability. ADOdb provides date conversion functions so that you can create dates in any format and insert them into your SQL in the correct format for your database, which is one step toward database-system-independent SQL.
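Barnyard2's input, as described under Tools Used above, is the Unified2 spool that Snort writes. The following is an added example, not code from the report, Snort or Barnyard2: it parses a constructed Unified2 spool the way Barnyard2 must before it can load alerts into MySQL, and pulls out the source IPs that reached the CA server, the report's stated purpose. The CA address 10.0.0.5, the other hosts and the rule sids are placeholders assumed for the example; the record layout follows Snort's unified2.h.

```python
# Added example (not code from the report, Snort or Barnyard2): minimal reader for
# Snort's Unified2 spool, the binary file Barnyard2 parses before writing alerts to
# MySQL.  Layout per Snort's unified2.h: each record is an 8-byte big-endian header
# (type, length) plus `length` payload bytes; type 7 is the 52-byte IPv4 IDS event.
import socket
import struct

RECORD_HEADER = struct.Struct("!II")     # type, length
IDS_EVENT = struct.Struct("!11I2H4B")    # 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
UNIFIED2_IDS_EVENT = 7


def parse_unified2(data: bytes):
    """Yield one dict per IDS event record; raise on a truncated spool file."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER.size:
            raise ValueError("truncated record header at offset %d" % offset)
        rtype, length = RECORD_HEADER.unpack_from(data, offset)
        offset += RECORD_HEADER.size
        if len(data) - offset < length:
            raise ValueError("truncated record body at offset %d" % offset)
        body = data[offset:offset + length]
        offset += length
        if rtype != UNIFIED2_IDS_EVENT or length != IDS_EVENT.size:
            continue                     # packet records, IPv6 events, etc.
        f = IDS_EVENT.unpack(body)
        yield {"event_id": f[1], "event_second": f[2], "sid": f[4], "gid": f[5],
               "rev": f[6], "priority": f[8],
               "src": socket.inet_ntoa(struct.pack("!I", f[9])),
               "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
               "sport": f[11], "dport": f[12], "proto": f[13]}


def ips_connecting_to(data: bytes, ca_server: str) -> set:
    """Source IPs of every event whose destination is the CA server."""
    return {e["src"] for e in parse_unified2(data) if e["dst"] == ca_server}


def build_event(sid, src, dst, sport, dport, event_id=1, sec=1401955200) -> bytes:
    """Constructed sample record in the layout Snort would write (offline use)."""
    def ip(s):
        return struct.unpack("!I", socket.inet_aton(s))[0]
    body = IDS_EVENT.pack(1, event_id, sec, 0, sid, 1, 1, 0, 2,  # sensor .. priority
                          ip(src), ip(dst), sport, dport, 6, 0, 0, 0)  # ips, ports, tcp
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body


# Constructed spool: two hosts reaching the CA server (10.0.0.5 is a placeholder
# address), one unrelated HTTP alert, and a packet record (type 2) to be skipped.
SAMPLE_SPOOL = (build_event(1000001, "10.0.0.21", "10.0.0.5", 51514, 443)
                + build_event(1000001, "10.0.0.37", "10.0.0.5", 40022, 443, 2)
                + build_event(2100498, "10.0.0.21", "10.0.0.9", 51515, 80, 3)
                + RECORD_HEADER.pack(2, 4) + b"\x00" * 4)
```

A real spool from Snort would be read from the unified2 file on disk instead of SAMPLE_SPOOL; the truncation checks matter there because Snort may still be appending while the file is read.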