Assignments of day 1 in week #4

Network and Host Based Intrusion Detection System

Last Updated : Saturday, 29-Jun-2002 10:21:17 HKT

  1. Network Intrusion Detection System (NIDS)

    1. Install SNORT

      1. Download the Snort 1.x source tar file or binary RPM from http://www.snort.org/

      2. Install it by
         rpm -i snort-1.xx.i386.rpm
        or compile it from the source code.

      3. Edit the "preprocessor portscan-ignorehosts:" line in /etc/snort/snort.conf as follows:
        preprocessor portscan-ignorehosts: [192.168.64.230/32,192.168.128.230/32,192.168.64.232/32,192.168.128.232/32]

      4. Start Snort by running
        /usr/sbin/snort -i eth0 -odDc /etc/snort/snort.conf

      5. Run "tail /var/log/messages" and "ps -ef|grep snort" to check that Snort started correctly.

    2. Test your NIDS

      Repeat the stealth scan and buffer overflow exercises from days 1, 3 and 4 of week #2 while you run "tail -f /var/log/snort/alert". Can your NIDS detect these attacks? What are the IP directories in /var/log/snort for? What do they record?

      Post all your findings on your web pages.

    3. Reporting your NIDS statistics daily

      1. cp /usr/local2/wsh/nids/snort_stat /usr/local/bin
        cp /usr/local2/wsh/nids/snort_log_rotate /usr/local/bin

      2. mkdir /var/log/snortlog

      3. Run "/usr/local2/wsh/nids/snort_stat", check for error messages, and check that Snort restarts:
        ps -ef|grep snort

      4. If everything works in step 3, review your statistics in /var/log/snortlog/[date]/00.txt and 00.html. Post the 00.html on your web pages.

      5. Set up the daily report in crontab:

        Type "crontab -e" and add the following line:

        59 23 * * * /usr/local/bin/snort_log_rotate

        Type "crontab -l" to check that the crontab entry is set.

      6. Now check your NIDS statistics daily. Post your findings on your web pages.
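      As an added example (not the workshop's snort_stat script, whose contents are not shown here), the following shell script produces the kind of daily statistics step 4 asks you to review: it parses a Snort 1.x full-format alert file such as /var/log/snort/alert and counts alerts per signature and per source host. The alert records it runs on are constructed; it assumes only awk, grep and sort.

```shell
#!/bin/sh
# Added example, not the workshop's snort_stat: summarize a Snort 1.x full-format
# alert file such as /var/log/snort/alert. Functions read the alert text on stdin.

# Constructed sample: three alert records (signature header, "timestamp src -> dst",
# protocol details), as Snort's full alert output writes them.
SAMPLE_ALERTS='[**] [1:469:1] ICMP PING NMAP [**]
06/29-10:21:17.123456 192.168.200.17 -> 192.168.64.230
ICMP TTL:46 TOS:0x0 ID:31337 IpLen:20 DgmLen:28

[**] [1:1228:1] SCAN nmap XMAS [**]
06/29-10:21:18.000001 192.168.200.17:40000 -> 192.168.64.230:22
TCP TTL:46 TOS:0x0 ID:2 IpLen:20 DgmLen:40

[**] [1:469:1] ICMP PING NMAP [**]
06/29-10:22:03.555555 192.168.200.99 -> 192.168.64.232
ICMP TTL:46 TOS:0x0 ID:31337 IpLen:20 DgmLen:28'

# Total alert records: one "[**] ... [**]" header line per alert.
total_alerts() {
    grep -c '^\[\*\*\] .* \[\*\*\]$'
}

# Alerts per signature message, most frequent first ("count<TAB>message").
# The optional "[gid:sid:rev]" tag is stripped so old and new header styles agree.
alerts_by_signature() {
    awk '/^\[\*\*\] / { msg = $0
            sub(/^\[\*\*\] (\[[0-9:]+\] )?/, "", msg)
            sub(/ \[\*\*\]$/, "", msg)
            n[msg]++ }
         END { for (m in n) printf "%d\t%s\n", n[m], m }' | sort -rn
}

# Alerts per source host, most active first; the ":port" suffix is dropped.
alerts_by_source() {
    awk '/^[0-9][0-9]\/[0-9][0-9]-[0-9][0-9]:[0-9][0-9]:/ { src = $2
            sub(/:[0-9]+$/, "", src)
            n[src]++ }
         END { for (s in n) printf "%d\t%s\n", n[s], s }' | sort -rn
}

# Print the three summaries for one alert file's text (the daily report).
daily_report() {
    echo "Total alerts: $(printf '%s\n' "$1" | total_alerts)"
    echo "--- By signature ---"; printf '%s\n' "$1" | alerts_by_signature
    echo "--- By source host ---"; printf '%s\n' "$1" | alerts_by_source
}

daily_report "$SAMPLE_ALERTS"
```

      On a real sensor, run it as daily_report "$(cat /var/log/snort/alert)" from the cron job and redirect the output into /var/log/snortlog/[date]/00.txt.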

  2. Host Based Intrusion Detection System

    1. Install Tripwire

      Tripwire allows you to quickly identify changes occurring in a file system. The concept is simple: it takes checksums of all your important files; later, you can check your files against the Tripwire database and determine whether any change or tampering has occurred.

      1. In the /tmp directory, copy the following Tripwire package from /usr/local2/pkg/tripwire:
        • Tripwire_221_for_Linux_x86.tar.gz
      2. Unpack the package: gzip -d -c Tripwire_221_for_Linux_x86.tar.gz | tar xvf -
      3. Edit install.cfg as follows:
        • change TWROOT="/usr/TSS" to TWROOT="/usr/local/TSS"
        • change TWEDITOR="/bin/vi" to TWEDITOR="/usr/bin/pico" (do this if you are not familiar with vi and want to use another editor)
      4. Install the software: ./install.sh install.cfg. The script will walk you through the process of setting passphrases and signing the Tripwire policy and configuration files.
      5. Copy the plain text file evalpol.txt from /usr/local2/pkg/tripwire to the Tripwire policy directory (/usr/local/TSS/policy).

      6. For this workshop, you are going to replace the default policy file with a smaller evaluation policy file. The evaluation policy file contains only a few rules. For real use, you should edit the default policy file to suit the needs of your site.
      7. Because Tripwire software only reads binary, encrypted policy files, you must encrypt the plain-text policy file and install it as the current policy file. To encrypt it, type ./twadmin --create-polfile ../policy/evalpol.txt from the Tripwire /bin directory (/usr/local/TSS/bin). All of the commands in this workshop assume that you are working from the Tripwire /bin directory.
      8. Enter your site passphrase. Tripwire software creates a new, encrypted policy file.
      9. From the Tripwire /bin directory, run ./tripwire --init to initialize the Tripwire database.
      10. Running an Integrity Check

        After you have generated the baseline database, you are ready to run an integrity check.

        1. Run a basic integrity check: ./tripwire --check
        2. From the Tripwire /report directory, read the report by running: ../bin/twprint -m r --twrfile reportfilename
        3. Dump the output to your web pages.

      11. Detecting violations

        To show you how Tripwire software detects file tampering, we'll create some violations. You will then be able to see the violations in a report file. Then we'll merge those violations back into the baseline database. This shows you how to accept system changes that are authorized.

        1. Open your /etc/hosts file and add a comment like the last line in this example:

          127.0.0.1 localhost.localdomain localhost
          XXX.XXX.XXX.XXX ntecxxx
          192.168.128.230 fortress
          #I added this comment to show a change in this file.

        2. Save and close the file.
        3. From the /usr/local/TSS/bin directory, run another integrity check: ./tripwire --check --interactive
        4. Scroll through the report and write down the files that are reported as changed. Put the answer on your /usr/local/apache_x/bin/htdocs/ids web page.
        5. DO NOT EXIT THE EDITOR YET

      12. Updating the Tripwire Database

        The Tripwire database file should always be an accurate snapshot of the authorized, current state of your system. To incorporate valid changes to the system (the addition of new software, for example), you can update the data in the Tripwire database without re-generating the entire database. To update the database file:

        1. Scroll back to the Object Summary section of the report. It contains the following lines:

          Modified:
          [x] "/etc"
          [x] "/etc/hosts"
          [x] "/etc/ntp" (may appear or not)
          [x] "/etc/ntp/drift" (may appear or not)

        2. To prevent the database from being updated with the new values for an object, remove the "x" from the box next to it.
        3. To update the Tripwire database file to reflect the changes you made to your /etc/hosts file, leave each 'x' character in its ballot box.
        4. Exit out of your editor and DO NOT save the report file.
        5. Enter your local passphrase. The database file is updated and re-encrypted automatically.
        6. Run another integrity check (do not use the --interactive option) to verify that the information in the database has been updated. Since the data in the database file now matches the current state of the system, no violations will be reported.
        7. From the Tripwire /report directory, read the report by running: ../bin/twprint -m r --twrfile reportfilename
        8. Dump the output to your web pages.

        You may find that Tripwire reports files like /etc/ntp/drift as changed every time you run the integrity check. This is because some files in your system are dynamic in nature, so you need to customize the policy file to reflect the nature of these files.

        For more information on Tripwire, read the man pages in /usr/local/TSS/man and visit the Tripwire web page: http://www.tripwire.com
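        As an added example, not Tripwire's own code, this shell script reduces the baseline-and-check idea described at the start of this section ("tripwire --init", then "tripwire --check") and the dynamic-file caveat above to a checksum database and a comparison. It assumes GNU sha256sum and mktemp; the hosts, ntp/drift and ntp/new.conf files it scans are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not Tripwire's code: the idea behind "tripwire --init" and
# "tripwire --check" as a checksum baseline plus a comparison. Assumes GNU
# sha256sum. Real Tripwire also records inode data and signs its database.

# make_baseline ROOT DBFILE EXCLUDEFILE: write "hash  ./path" for every regular
# file under ROOT, skipping paths listed in EXCLUDEFILE (one per line), as a
# tuned policy omits dynamic files such as /etc/ntp/drift.
make_baseline() {
    ( cd "$1" && find . -type f | sort | grep -v -x -F -f "$3" \
        | while read -r f; do sha256sum "$f"; done ) > "$2"
}

# check_integrity ROOT DBFILE EXCLUDEFILE: rescan and report Added/Removed/
# Modified paths against DBFILE; return 1 if any violation, 0 if clean.
check_integrity() {
    now=$(mktemp)
    make_baseline "$1" "$now" "$3"
    report=$(awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
        { seen[$2] = 1
          if (!($2 in old))        print "Added:    " $2
          else if (old[$2] != $1)  print "Modified: " $2 }
        END { for (p in old) if (!(p in seen)) print "Removed:  " p }' \
        "$2" "$now" | sort)
    rm -f "$now"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Walk through the workshop scenario on a constructed tree: baseline, then
# edit hosts, let the excluded drift file change, add a file, and re-check.
demo() {
    root=$(mktemp -d); work=$(mktemp -d)
    mkdir "$root/ntp"
    echo "127.0.0.1 localhost" > "$root/hosts"
    echo "0.000" > "$root/ntp/drift"
    echo "./ntp/drift" > "$work/exclude"            # policy: ignore the drift file
    make_baseline "$root" "$work/db" "$work/exclude"  # like tripwire --init
    echo "#I added this comment to show a change in this file." >> "$root/hosts"
    echo "1.234" > "$root/ntp/drift"                # changes, but is excluded
    echo "server 192.0.2.1" > "$root/ntp/new.conf"  # constructed new file
    check_integrity "$root" "$work/db" "$work/exclude" && rc=0 || rc=$?  # like --check
    echo "check returned $rc"
    rm -rf "$root" "$work"
}

demo
```

        The drift file changes between the two scans but is not reported, which is exactly what a policy rule excluding /etc/ntp/drift achieves in Tripwire.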

