Sguil


Network Security Analysis with SGUIL

Introduction to Network Security Analysis with SGUIL

Linux User Group Singapore

Friday 7th May 2004

By Michael Boman

What we will cover:

Benefits of running Snort + SGUIL

Alert flow in a Snort + SGUIL setup

SGUIL alert categories

Demo of SGUIL

Q & A

Why Sguil?

Real-time alerting

X Window and Win32 native client (i.e. not web based)

DB schema optimized for fast analysis of alerts

Integrated passive fingerprinting, session transcript

Ability to work on an "attack" without an IDS alert

Categorization of events

Escalation of events

Accountability of analysts' actions

Ability to watch specific sensors

Software

Snort

NIDS engine

Barnyard

Output processor for Snort

MySQL

Alert storage medium

SANCP (optional)

Session logger

tcpdump, ethereal, tcpflow

Helper applications

TCL/TK (and various TCL modules)

The language of choice for SGUIL

The Sguil Architecture

Sensor

Detect Events of Interest on the network

Upload port scan and session statistics

Record all network traffic

Server

Receive alerts and statistics from sensor

Send alerts and other data to consoles

Receive requests from consoles

Keep track of alert status

Console

Analyze and categorize alerts

Login to Sguil

Authenticate client to server

Optional SSL encryption of session

Password never sent over the network

Once authenticated, choose what sensors to receive alerts for

Currently no access control to limit what you are allowed to see

Sguil Login Screen

Sguil Sensor Selection

Sguil Console Layout

3 Areas

Alert list

Host lookup

Alert details

Sguil Console Layout

Time (UTC)

Event pane(s)

Signature viewer

Event / port scan details

Reverse DNS / WHOIS lookup

System Messages / Console CHAT window.

Alert tabs

Sguil flow: Receiving IDS Alerts

(Flow diagram: Network -> Sensor [Snort IDS, Barnyard, sensor agent, xscriptd, log_packets] -> Server [sguild, MySQL] -> Console [sguil.tk])

Sguil RT Events

Count

Event ID

Protocol Number (1 = ICMP, 6 = TCP, 17 = UDP)

Status

Sguil flow: Getting Alert Details

(Flow diagram over the same sensor, server and console components.)

Sguil Event Details

Sguil Host Lookup

Sguil flow: Collecting Portscan Data

(Flow diagram over the same sensor, server and console components.)

Sguil flow: Getting Portscan Details

(Flow diagram over the same sensor, server and console components.)

Sguil Portscan Event

Sguil flow: Recording Network Traffic

(Flow diagram over the same sensor, server and console components.)

Sguil flow: Getting Session Transcript

(Flow diagram over the same sensor, server and console components; this flow is labelled SSH.)

Sguil Transcript

Sguil flow: Getting PCAP data

(Flow diagram over the same sensor, server and console components; this flow is labelled SSH.)

Ethereal integration

Sguil flow: Collecting Session Data

(Flow diagram over the same sensor, server and console components.)

Sguil flow: Getting Session Details

(Flow diagram over the same sensor, server and console components.)

Sguil Session Query

Event Categories

7 different categories

Less complicated than the SANS severity ratings.

Designed for fast analysis and categorization.

Events are categorized using the F1-F7 function keys.

Shift + function key categorizes the alert with a comment.

F8 moves the event to the No Further Action Required category.

F9 escalates the event; a comment explaining why the alert is escalated is mandatory.

Category I : Root/Administrator Account Compromise

Unauthorized party gains 'root' or 'administrator' control of a monitored system.

The Windows SYSTEM account is included.

Whether by worm, automated tool or manual attack does not matter.

Category II: User Account Compromise

Unauthorized party gains control of any non-root or non-administrator account on a monitored system.

Whether by worm, automated tool or manual attack does not matter.

Category III: Attempted Account Compromise

Unauthorized party attempts to gain root/administrator or user-level access on a monitored system.

The attack fails for one of several reasons:

Target may be properly patched to reject the attack.

Attacker may find a vulnerable machine, but he may not be sufficiently skilled to execute the attack.

Target may be vulnerable to the attack, but its configuration prevents compromise.

The attack targets the wrong application (e.g. an IIS attack against an Apache server). This is still a Category III event because the intent was there.

Category IV: Denial of Service

Attacker takes damaging action against the resources or processes of a target machine or network.

Denial of service attacks may consume

CPU cycles

Bandwidth

Hard drive space

User's time

Many other resources.

NOT limited to flood-like attacks (see teardrop and WinNuke attacks).

Category V: Poor Security Practice or Policy Violation

When a condition which exposes the monitored host/network to unnecessary risk is detected.

Violations of company's security and/or Internet usage policy

P2P traffic

IM/IRC traffic

Pr0n surfing

Misconfigured anonymous FTP servers

Telnet sessions

etc.

Category VI: Reconnaissance

Attacker attempts to learn about a target system or network.

Events include

Port scans

Enumeration of NetBIOS shares on Windows systems

Inquiries concerning the version of applications

Unauthorized DNS zone transfers

etc.

Includes limited attempts to guess user names and passwords. Sustained, intense guessing of user names and passwords should be considered Category III events, even if unsuccessful.
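The Category VI / Category III boundary above (a few guesses are reconnaissance, sustained guessing is an attempted compromise) as a small triage helper run over constructed failed-login alerts. This is an added example, not code from the slides or from the Sguil project; the alert line format, the one-minute window and the threshold are assumptions.

```python
# Added triage helper for the Category VI / III boundary described above.
# Not code from the slides or from Sguil; the alert-line format, window and
# threshold below are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

CAT_III_ATTEMPTED_COMPROMISE = 3   # category numbers as the slides define them
CAT_VI_RECONNAISSANCE = 6

# Assumption: more than THRESHOLD failures from one source against one target
# inside WINDOW is "sustained, intense guessing" (Cat III); fewer is Cat VI.
WINDOW = timedelta(minutes=1)
THRESHOLD = 3

# Constructed sample failed-login alerts: "<timestamp> <src> <dst> <user>".
SAMPLE_FAILURES = [
    "2004-05-07T10:00:01 10.0.0.5 192.168.1.10 root",
    "2004-05-07T10:00:03 10.0.0.5 192.168.1.10 admin",
    "2004-05-07T10:00:05 10.0.0.5 192.168.1.10 test",
    "2004-05-07T10:00:07 10.0.0.5 192.168.1.10 guest",
    "2004-05-07T10:05:00 10.0.0.9 192.168.1.10 root",
    "2004-05-07T10:20:00 10.0.0.9 192.168.1.10 admin",
    "garbage line the sensor should never have produced",
]

def parse_failures(lines):
    """Group failure timestamps by (src, dst); malformed lines are skipped."""
    by_pair = defaultdict(list)
    for line in lines:
        parts = line.strip().split()
        if len(parts) == 4:
            ts, src, dst, _user = parts
            by_pair[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"))
    return by_pair

def peak_rate(times, window=WINDOW):
    """Largest number of failures that fall inside any single window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window forward
            start += 1
        best = max(best, end - start + 1)
    return best

def categorize(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each (src, dst) pair to Category III or VI per the slide rule."""
    return {pair: (CAT_III_ATTEMPTED_COMPROMISE if peak_rate(ts, window) > threshold
                   else CAT_VI_RECONNAISSANCE)
            for pair, ts in parse_failures(lines).items()}
```

With the sample data, 10.0.0.5 (four failures in six seconds) lands in Category III and 10.0.0.9 (two failures fifteen minutes apart) stays in Category VI.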

Category VII: Virus Activity

Client system becomes infected by a virus.

Viruses depend on one or both of the following conditions:

human interaction is required to propagate the virus;

the virus must attach itself to a 'host' file, such as an email message, Word document, or web page.

Worms are capable of propagating themselves without human interaction or host files. A compromise caused by a worm would qualify as a Category I or II event.

Sguil Demo

Enough theory, let us get our hands dirty with the pig

Future plans of SGUIL

Short to mid-term development plans

Sensor should not connect directly to database

SANCP will replace the Snort stream4 patch

Other SGUIL related developments

SGUIL-WEB, web based front end for SGUIL is being developed

LATEST NEWS: Sguil CD (ISO) for server / sensor installation released today (2004-05-07)

What we have learned

The benefits of running Snort + SGUIL

Alerts are pushed to the console

Advanced features like session statistics and transcripts exist

How the different parts of SGUIL work together

SGUIL alert categories

Questions?

Got any questions? Now is the time to ask them!


Copyright 2004 Michael Boman. All Rights Reserved.