Snort的前端界面――IDScenter的介绍

Snort&IDScenter60-564:SecurityandPrivacyontheInternetInstructor:Dr.A.K.AggarwalPresentedBy:TarikElAmsy,LihuaDuanDate:March29,2006WhatisIDScenterIDScenterisbasicallyaGraphicalfront-endforSnortonWindowsplatforms(Recommended:WindowsNT4/2000/XP).IDScenterprovidesafriendlyinterfaceforSnortusers.WithsomeknowledgeofSnort,IDScenterwillhelpuserstodoconfigurationandprovidemanagementfeatures.FeaturesofIDScenterSnort1.7,1.8,1.9,and2.xSupportSnortconfigurationwizardOnlineupdatesofIDSrulesRuleseteditorforallSnortruleoptionsHTMLreportfromSQLbackendExecutionofprogramonattackdetectionGoodAlertingtoolsincludingmail,WindowseventlogandnormalDBlogging.ExperimentArchitectureandScenariosNIDSTargetAttackerRouterHubHomenetaddress172.16.1.0/24Externalnetaddress137.207.234.0/24NIDSserverconfigurationCPU:AMD64OpteronMemory:512MHardDisk:8GOperatingOperatingSystem:Windows2000AdvancedServer(Ser)IPAddress:172.16.1.1InstalledSoftware:Snort2.4.3IDScenter1.1RC4WinPcap3.1Ethereal0.10.14NIDSTargetserverconfigurationCPU:AMD64OpteronMemory:512MHardDisk:8GOperatingSystem:Windows2000AdvancedServer(Ser)IPAddress:172.16.1.2InstalledsoftwareEthereal0.10.14Winpcap3.0alpha4PacketExcalibur1.0.2(Packetgenerator)Webserver,TelNET,SNMP,FTP,etcTargetAttackerserverconfigurationCPU:AMD64OpteronMemory:512MHardDisk:8GOS:Windows2000ASIPAddress:137.207.234.252InstalledsoftwareWinpcap3.0alpha4PacketExcalibur1.0.2(Packetgenerator)Webserver,TelNET,SNMP,FTP,etc.AttackerInstallingWinPcapWinPcap(WindowsPacketCaptureLibrary)isapacket-capturedriver.Functionally,thismeansthatWinPcapgrabspacketsfromthenetworkwireandpitchesthemtoSnort,etherealandwindump.Download&runWinPcap_3_1_auto-installer.exetolocaldiskfrom®isusedbynetworkprofessionalsaroundtheworldfortroubleshooting,analysis,softwareandprotocoldevelopment,andeducation.Etherealisoneofthebestgraphicalpacketsniffer.ItsgraphicalinterfacemakesiteasytouseanditsbiglistoffeaturesmakeitverypowerfulinanalyzingnetworktrafficDownload&runethereal-setup-0.10.14.exeoranylatestversionfromEtherealwebsite://(msg:Rule4RPCportmaplistingTCP111;content:|000186A0|;reference:arachnids,428;sid:598;rev:11;classtype:rpc-portmap-decode;flow:to_server,established;)InstallingSnortDownloadSNORTver2.4.3Installdirectoryc:\snortDefaultloggingdatabaseoptionTotestInstallationandmakesureitisrunningC:\snort\bin\snort–vThiswillrunsnortinsniffermodeandyoushouldbeabletoseethepassingpacketsonthenetworkcapturedbySnort.InstallingIDScenterDownloadIDScenter.zip(1.1RC4,04.08.2003)from:\snort\etcfolderUseanytexteditortoeditthefollowingNetworksettingsPreprocessorsOutputsettingsRulessettingsConfiguringNetworksettingsSnortusevariablesinconfiguringtherules.Whenyoutype$andVariablename,thevalueofthisvariablewillbereplaced.ThisallowsyoutoadddifferentnetworkrangesandsubnetsandsimplifyruleseditingandcustomizationWeaddedthefollowingvariablestosnort.conffilevarHOME_NET172.16.1.0/24varEXTERNAL_NETanyvarDNS_SERVERS172.16.1.2/32varSMTP_SERVERS172.16.1.2/32varHTTP_SERVERS172.16.1.2/32varSQL_SERVERS172.16.1.2/32varTELNET_SERVERS172.16.1.2/32varHTTP_PORTS80varRULE_PATHc:\snort\rulesConfiguringPreprocessorsConfigureHttp_inspectpreprocessorThispreprocessorallowsnorttodecodeHttpwebtraffic&analyzeitforspecificURIcontents.Settinginsnort.conffilepreprocessorhttp_inspect:globaliis_unicode_mapunicode.map1252preprocessorhttp_inspect_server:serverdefaultprofileallports{80}ConfiguringOutputsettingsOutputingAlertstoafilebaselogcalledalert.idsSettinginsnort.conffileoutputalert_fast:alert.idsconfiglogdir:c:\snort\logConfiguringRulessettingsCreateafilecalledproject.rulesinc:\snort\rulesfolder.Thefilehasthe10selectedattacks.Removenormalrulefilesettingfromconfigfileandaddonlyproject.rules.Include$Rule_path/project.rulesSampleRulealerttcp$EXTERNAL_NETany-$HOME_NET111(msg:Rule4RPCportmaplistingTCP111;content:|000186A0|;reference:arachnids,428;sid:598;rev:11;classtype:rpc-portmap-decode;flow:to_server,established;)IDScenterConfigurationIDScenterconsistsofthefollowingmenusGeneralWizardsLogsAlerts...GeneralMenuClickonApplytoapplyaconfiguration/saveconfiguration(aftersettingalltheoptionsneededinIDScenter)StartSnort:StartsSnortinconsolemode/servicemodeViewalerts:openlogviewerTestsettings:Afterconfigurat