Network Security Analysis with SGUIL
Introduction to Network Security Analysis with SGUIL
Linux User Group Singapore
Friday 7th May 2004
By Michael Boman
What we will cover:
Benefits of running Snort + SGUIL
Alert flow in a Snort + SGUIL setup
SGUIL alert categories
Demo of SGUIL
Q & A
Why Sguil?
Real-time alerting
X Window and Win32 native client (i.e. not web based)
DB scheme optimized for fast analysis of alerts
Integrated passive fingerprinting, session transcript
Ability to work on an "attack" without an IDS alert
Categorization of events
Escalation of events
Accountability of analysts actions
Ability to watch specific sensors
Software
Snort
NIDS engine
Barnyard
Output processor for Snort
MySQL
Alert storage medium
SANCP (optional)
Session logger
tcpdump, ethereal, tcpflow
Helper applications
TCL/TK (and various TCL modules)
The language of choice for SGUIL
The Sguil Architecture
Sensor
Detect events of interest on the network
Upload port scan and session statistics
Record all network traffic
Server
Receive alerts and statistics from sensor
Send alerts and other data to consoles
Receive requests from consoles
Keep track of alert status
Console
Analyze and categorize alerts
Login to Sguil
Authenticate client to server
Optional SSL encryption of session
Password never sent over the network
Once authenticated, choose what sensors to receive alerts for
Currently no access control to limit what you are allowed to see
Sguil Login Screen
Sguil Sensor Selection
Sguil Console Layout
3 Areas
Alert list
Host lookup
Alert details
Sguil Console Layout
Time (UTC)
Event pane(s)
Signature viewer
Event / port scan details
Reverse DNS / WHOIS lookup
System Messages / Console CHAT window.
Alert tabs
Sguil flow : Receiving IDS Alerts
[Diagram: Network -> Sensor (Snort IDS, Barnyard, log_packets, sensor agent) -> Server (sguild, MySQL, xscriptd) -> Console (sguil.tk)]
Sguil RT Events
Count
Event ID
Protocol Number (1 = ICMP, 6 = TCP, 17 = UDP)
Status
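The RT event pane above is fed by Barnyard reading Snort's output and handing it to sguild, which stores each alert and pushes it to the console. The following is an added example, not Sguil's or Barnyard's code: it parses Snort "alert_fast" lines (constructed sample input, with local-range SIDs) into rows with the same fields the pane shows, and collapses repeated alerts into a Count. The grouping key (signature plus source and destination IP), the "<sensor_id>.<cid>" shape of the event id and status 0 meaning "RT" are assumptions made for illustration.

```python
"""Added example: turn Snort alert_fast lines into Sguil-style RT event rows.

Not Sguil's or Barnyard's own code. The aggregation key, the event-id shape
and the status code are assumptions, not Sguil's documented behaviour.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Protocol numbers as shown in the RT event pane (from the slide).
PROTO_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17}

# Status 0 = RT (real-time, not yet categorised by an analyst) - assumed.
STATUS_RT = 0

# Shape of a Snort "alert_fast" line. Classification and Priority are optional
# and ICMP lines carry no ports.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<pri>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (not real traffic); SIDs are in the local range.
SAMPLE_ALERTS = [
    "05/07-10:15:32.123456 [**] [1:1000001:1] EXAMPLE SNMP public community [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} "
    "10.0.0.5:1234 -> 192.168.1.10:161",
    "05/07-10:15:33.000001 [**] [1:1000001:1] EXAMPLE SNMP public community [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} "
    "10.0.0.5:1235 -> 192.168.1.10:161",
    "05/07-10:16:01.000000 [**] [1:1000002:1] EXAMPLE ICMP echo request [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.10",
    "05/07-10:16:05.000000 [**] [1:1000003:1] EXAMPLE TELNET login prompt [**] "
    "[Priority: 2] {TCP} 10.0.0.9:40000 -> 192.168.1.20:23",
]


@dataclass
class RTEvent:
    """One row of the RT event pane."""
    count: int
    sensor: str
    event_id: str          # "<sensor_id>.<cid>" of the first alert in the group
    timestamp: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    proto: int             # 1 = ICMP, 6 = TCP, 17 = UDP
    signature: str
    status: int = STATUS_RT


def parse_fast_alert(line: str) -> dict:
    """Parse one alert_fast line; raise ValueError on anything unexpected."""
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    d = m.groupdict()
    proto_name = d["proto"].upper()
    if proto_name not in PROTO_NUMBERS:
        raise ValueError(f"unsupported protocol {proto_name!r}")
    return {
        "timestamp": d["ts"],
        "gid": int(d["gid"]),
        "sid": int(d["sid"]),
        "msg": d["msg"],
        "proto": PROTO_NUMBERS[proto_name],
        "src_ip": d["src"],
        "src_port": int(d["sport"]) if d["sport"] else None,
        "dst_ip": d["dst"],
        "dst_port": int(d["dport"]) if d["dport"] else None,
    }


def build_rt_events(lines: List[str], sensor: str = "sensor1",
                    sensor_id: int = 1) -> List[RTEvent]:
    """Aggregate alerts into RT rows, bumping Count for repeats of the same
    signature between the same two hosts (grouping key is an assumption)."""
    rows: Dict[Tuple[int, int, str, str], RTEvent] = {}
    cid = 0  # per-sensor alert counter, like Barnyard's cid
    for line in lines:
        if not line.strip():
            continue
        a = parse_fast_alert(line)
        cid += 1
        key = (a["gid"], a["sid"], a["src_ip"], a["dst_ip"])
        if key in rows:
            rows[key].count += 1
            continue
        rows[key] = RTEvent(
            count=1, sensor=sensor, event_id=f"{sensor_id}.{cid}",
            timestamp=a["timestamp"], src_ip=a["src_ip"], src_port=a["src_port"],
            dst_ip=a["dst_ip"], dst_port=a["dst_port"], proto=a["proto"],
            signature=a["msg"],
        )
    return list(rows.values())


if __name__ == "__main__":
    for row in build_rt_events(SAMPLE_ALERTS):
        print(f"{row.count:>3} {row.event_id:>6} {row.proto:>2} "
              f"{row.src_ip}:{row.src_port} -> {row.dst_ip}:{row.dst_port}  {row.signature}")
```

Running it prints three rows: the two SNMP alerts collapse into one row with Count 2, the ICMP row has no ports, and the Telnet row shows protocol 6. An analyst working from this pane would then pull the event details or a transcript for the row rather than for each raw alert.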
Sguil flow : Getting Alert Details
Sguil Event Details
Sguil Host Lookup
Sguil flow : Collecting Portscan Data
Sguil flow : Getting Portscan Details
Sguil Portscan Event
Sguil flow : Recording Network Traffic
Sguil flow : Getting Session Transcript (SSH)
Sguil Transcript
Sguil flow : Getting PCAP data (SSH)
Ethereal integration
Sguil flow : Collecting Session Data
Sguil flow : Getting Session Details
Sguil Session Query
Event Categories
7 different categories
Less complicated than SANS severity ratings.
Designed for fast analysis and categorization.
Events are categorized using the F1-F7 function keys.
Shift + function key categorizes the alert with a comment.
F8 moves the event to the No Further Action Required category.
F9 escalates the event; a comment explaining why the alert is escalated is mandatory.
Category I: Root/Administrator Account Compromise
Unauthorized party gains 'root' or 'administrator' control of a monitored system.
The Windows SYSTEM account is included.
Whether by worm, automated tool or manual hack does not matter.
Category II: User Account Compromise
Unauthorized party gains control of any non-root or non-administrator account on monitored system.
Whether by worm, automated tool or manual hack does not matter.
Category III: Attempted Account Compromise
Unauthorized party attempts to gain root/administrator or user level access on monitored system.
The attack fails for one of several reasons:
Target may be properly patched to reject the attack.
Attacker may find a vulnerable machine, but he may not be sufficiently skilled to execute the attack.
Target may be vulnerable to the attack, but its configuration prevents compromise.
The attack targets the wrong application (e.g. an IIS attack against an Apache server). This is still a Category III event because the intention was there.
Category IV: Denial of Service
Attacker takes damaging action against the resources or processes of a target machine or network.
Denial of service attacks may consume
CPU cycles
Bandwidth
Hard drive space
User's time
Many other resources.
NOT limited to flood-like attacks (see teardrop and WinNuke attacks).
Category V: Poor Security Practice or Policy Violation
When a condition which exposes the monitored host/network to unnecessary risk is detected.
Violations of company's security and/or Internet usage policy
P2P traffic
IM/IRC traffic
Pr0n surfing
Misconfigured anonymous FTP servers
Telnet sessions
etc.
Category VI: Reconnaissance
Attacker attempts to learn about a target system or network.
Events include
Port scans
Enumeration of NetBIOS shares on Windows systems
Inquiries concerning the version of applications
Unauthorized DNS zone transfers
etc
Includes limited attempts to guess user names and passwords. Sustained, intense guessing of user names and passwords should be considered Category III events, even if unsuccessful.
Category VII: Virus Activity
Client system becomes infected by a virus.
Viruses depend on one or both of the following conditions:
human interaction is required to propagate the virus;
the virus must attach itself to a 'host' file, such as an email message, Word document, or web page.
Worms are capable of propagating themselves without human interaction or host files. A compromise caused by a worm would qualify as a Category I or II event.
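The categorization keys (F1-F7 for the seven categories, F8 for no further action, F9 for escalation with a mandatory comment) are the console's half of the "keep track of alert status" and "accountability of analysts actions" features. The following is an added example, not Sguil's own code, of that analyst-side step: each key press validates the comment rule from the slides, updates the event's status and appends an audit entry naming the analyst. The numeric status codes (0 for RT, 1 for no further action, 2 for escalated, 11-17 for Cat I-VII) are an assumption about Sguil's database convention; the event and analyst names are constructed.

```python
"""Added example: analyst categorisation of Sguil events with an audit trail.

Not Sguil's own code. Status codes are an assumed convention; the comment
rules (Shift+Fn and F9 need a comment) are taken from the slides.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

STATUS_RT = 0  # real-time, not yet categorised (assumed)

# Function key -> (status code, label). Codes are an assumption.
KEY_ACTIONS = {
    "F1": (11, "Cat I: Root/Administrator Account Compromise"),
    "F2": (12, "Cat II: User Account Compromise"),
    "F3": (13, "Cat III: Attempted Account Compromise"),
    "F4": (14, "Cat IV: Denial of Service"),
    "F5": (15, "Cat V: Poor Security Practice or Policy Violation"),
    "F6": (16, "Cat VI: Reconnaissance"),
    "F7": (17, "Cat VII: Virus Activity"),
    "F8": (1, "No Further Action Required"),
    "F9": (2, "Escalated"),
}


@dataclass
class Event:
    event_id: str
    signature: str
    status: int = STATUS_RT


@dataclass
class HistoryEntry:
    """One accountability record: who set which status on which event, and why."""
    event_id: str
    analyst: str
    timestamp: str
    status: int
    label: str
    comment: Optional[str]


def requires_comment(key: str, shift: bool) -> bool:
    """Shift+Fn always attaches a comment; F9 escalation demands one."""
    return shift or key.upper() == "F9"


class AnalystConsole:
    def __init__(self, analyst: str):
        self.analyst = analyst
        self.history: List[HistoryEntry] = []

    def press(self, event: Event, key: str, shift: bool = False,
              comment: Optional[str] = None) -> HistoryEntry:
        """Apply a categorisation key to an event and record who did it."""
        key = key.upper()
        if key not in KEY_ACTIONS:
            raise ValueError(f"{key} is not a categorisation key")
        status, label = KEY_ACTIONS[key]
        if requires_comment(key, shift) and not (comment and comment.strip()):
            raise ValueError(f"{'Shift+' if shift else ''}{key} requires a comment")
        event.status = status
        entry = HistoryEntry(
            event_id=event.event_id, analyst=self.analyst,
            timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            status=status, label=label, comment=comment,
        )
        self.history.append(entry)
        return entry

    @staticmethod
    def pending(events: List[Event]) -> List[Event]:
        """Events still in the RT pane, i.e. not yet categorised."""
        return [e for e in events if e.status == STATUS_RT]


if __name__ == "__main__":
    console = AnalystConsole("analyst1")  # constructed name
    telnet = Event("1.4", "EXAMPLE TELNET login prompt")
    snmp = Event("1.1", "EXAMPLE SNMP public community")
    console.press(telnet, "F5")                      # policy violation, no comment
    console.press(snmp, "F9", comment="needs review")  # escalate, comment mandatory
    for h in console.history:
        print(f"{h.timestamp} {h.analyst} {h.event_id} -> {h.status} ({h.label}) {h.comment or ''}")
```

The history list is what gives an analyst's work accountability: every status change carries the analyst's name and time, and escalations can never be recorded without a reason.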
Sguil Demo
Enough theory, let us get our hands dirty with the pig
Future plans of SGUIL
Short to mid-term development plans
Sensor should not connect directly to database
SANCP will replace snort stream4 patch
Other SGUIL related developments
SGUIL-WEB, web based front end for SGUIL is being developed
LATEST NEWS: Sguil CD (ISO) for server / sensor installation released today (2004-05-07)
What we have learned
The benefits of running Snort + SGUIL
Alerts are pushed to the console
Advanced features like session statistics and transcripts exist
How the different parts of SGUIL work together
SGUIL alert categories
Questions?
Got any questions? Now is the time to ask them!
Copyright 2004 Michael Boman. All Rights Reserved.