Computer Security

Lab 2 - Security Analysis Tools

Daniel Black

z3084085


Disclaimer:

The views, opinions, and conclusions written within do not represent the Alice Springs Town Council (ASTC). All views and opinions are the author's only.

Part a: Security Analysis Tool Selection

Snort is a network intrusion detection system developed by Martin Roesch and team. It is available at http://www.snort.org. It performs its network intrusion detection function by listening on network interfaces for a number of defined patterns. These patterns define rules for activity such as accessing "back doors", distributed denial of service attacks, virus and worm traffic, and historical exploits in a number of software applications. As a front end to this, Analysis Console for Incident Databases (ACID) [1] is a collection of web scripts that can be used to analyse Snort data captured in a database. Logsnorter [2] is an additional tool that imports Cisco PIX firewall [3] data into the Snort database.

The results from the risk analysis in Lab 1 [4] indicated that malicious code penetrating the ASTC defences would have a serious impact on its operations. Snort will be able to detect known malicious code travelling through web and email traffic. The ASTC will be able to use Snort to quantify the outside threat from the internet. This quantification can be used to justify countermeasure expenditure and time spent on items such as virus scanners, mail filters and firewall hardware.

Part b: Security Analysis Tool Installation and Use



Network overview

The intent of Snort is to provide a profile of the attempted intrusion from the internet. As such the detection component will be placed outside the PIX firewall. Database and web server will be placed within the protection of the Corporate Network (as below).

Internet ------ Router ------ Snort ---- Cisco Firewall ---- Public Network
                                              |
                                              +-------- Corporate Network
                                                            |
                                                            +-- Snort db / web server

Initially it is unknown how much CPU usage the Snort box will use for its applied rules. To prevent any degradation of traffic the Snort box will be a passive listener on the external network. To allow Snort alerts to be entered into the database the following rule must be entered into the Cisco Firewall's allowed rules.

Allow (snort box ip):any -> (snort db):5432



Hardware Installation

Select two x86 architecture machines. Installation is partly online and should be done on the protected side of the firewall to prevent potential compromise.

Before this process begins ensure that the rsync protocol is allowed through the firewall (tcp/873).

Gentoo Linux Installation

Gentoo was selected for performance as it is a compiled-from-source distribution. It has a reasonably good installation process that handles dependencies well.

The installation will follow http://www.gentoo.org/doc/en/gentoo-x86-install.xml with the following clarifications. If the hardware for both machines is at the same CPU level, place the hard disks for both in one machine and copy the file system over before the GRUB installation. Networking will need to be changed on the second machine before connection to the network.

Section 4. Optional Networking

Required information:

  1. Public access library network IP network address and mask:

  2. Staff IP network address and mask:

  3. Domain Name Server (DNS):

  4. Default Gateway:

  5. HTTP Proxy server (if any):

Code Listing 4.6 should be as follows:

ifconfig eth0 xxx.xxx.xxx.xxx broadcast xxx.xxx.xxx.xxx netmask 255.255.0.0

route add -net default gw xxx.xxx.xxx.xxx

Code Listing 4.7 should look like:

domain astc.nt.gov.au

nameserver xxx.xxx.xxx.xxx

nameserver xxx.xxx.xxx.xxx

Code Listing 4.8 section:

export http_proxy="http://.........."

6. Filesystems, partitions and block devices

Disk partitioning will be as follows:

Partition        Size                  Type         Device
Boot partition   32 Megabytes          ext3         /dev/hda1
Swap partition   2 x Physical Memory   Linux swap   /dev/hda2
Root partition   Remainder of disk     ReiserFS     /dev/hda3

8. Stage tarballs and chroot

To obtain the maximum optimisation follow the stage 1 installation.

Code Listing 8.1

wget -c -T 30 -t 30 http://public.planetmirror.com/pub/gentoo/releases/x86/1.4/stages/x86/stage1-x86-1.4-20030806.tar.bz2



Follow Code Listings 8.3 and 8.4 as this will save download time and bandwidth.

Follow Code Listing 8.6 and select the mirror rsync://rsync.au.gentoo.org/gentoo-portage (aka Planet Mirror) interactively.

9. Getting the Current Portage Tree using sync

Follow Code Listing 9.1 to obtain the latest updates (this includes security fixes).

10. Setting Gentoo optimizations (make.conf)

Set CFLAGS and CXXFLAGS to contain the processor type and "-O3" for optimisation.

Select the following USE flags:

sse mmx (if supported by the processor; check the flags line of "cat /proc/cpuinfo")

as well as "apache2 crypt mysql postgres ssl perl php samba"

and "-X" to disable X support.

Uncomment the PORTDIR_OVERLAY line.

16. Installing the kernel and system logger

Follow Code Listing 16.1 (Emerging Kernel Sources), selecting gentoo-sources.

Follow the auto configuration, ensuring that reiserfs is built in (not as a module).

In Code Listing 16.8 select metalog and in 16.10 select vcron.

In the networking section use the network settings defined earlier.

Select GRUB as the boot loader.

After everything is selected perform a reboot.

Future Development: Apply iptables rules to these machines.

Snort Configuration (2.0.1-r1)

On the Snort box only, perform the following.

# env ACCEPT_KEYWORDS="~x86" emerge snort

Edit /etc/conf.d/snort and change the interfaces to "any".

Copy the /etc/snort/snort.conf.distrib to /etc/snort/snort.conf and make the following changes:

var HOME_NET any

var EXTERNAL_NET any

Complete the *_SERVERS entries with the IP addresses of these servers.

Uncomment the preprocessor lines for portscan, arpspoof, conversation and portscan2.

output database: log, postgresql, user=snort_db_user dbname=snort password=5yetty host={HOSTNAME} port=5432

Uncomment the includes for backdoor, web-attacks, virus.rules, multimedia.rules and p2p.rules.

# chmod go-rwx /etc/snort/snort.conf
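The snort.conf edits above can be checked before Snort is started. This is an added example, not code from the lab report or from Snort: it verifies the HOME_NET and EXTERNAL_NET variables, parses the "output database:" line into its key=value parameters so the host and port can be compared with the firewall rule allowing the Snort box to reach the database on 5432, and confirms the file is not group/world readable, since that line carries the database password. The sample config, host name and password are constructed placeholders.

```python
"""Check a snort.conf for the settings the report requires. Added example, not the
lab's or Snort's own code; SAMPLE_CONF is constructed with placeholder host/password."""
import os, re, stat, tempfile

SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
output database: log, postgresql, user=snort_db_user dbname=snort password=EXAMPLE_PW host=snortdb.example port=5432
"""

def parse_output_database(text):
    """Return (log_type, driver, params) from the 'output database:' line, or None."""
    m = re.search(r"^output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$", text, re.M)
    if not m:
        return None
    params = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return m.group(1), m.group(2), params

def check_conf_text(text, db_port="5432"):
    """List the ways text departs from the report's settings; [] means it matches."""
    names = dict(re.findall(r"^var\s+(\w+)\s+(\S+)", text, re.M))
    problems = [f"var {n} is not set" for n in ("HOME_NET", "EXTERNAL_NET") if n not in names]
    out = parse_output_database(text)
    if out is None:
        return problems + ["no 'output database:' line, so alerts never reach PostgreSQL"]
    _, driver, params = out
    if driver != "postgresql":
        problems.append(f"output driver is {driver}, expected postgresql")
    if "host" not in params:
        problems.append("database host missing from the output line")
    if params.get("port", "5432") != db_port:  # must match the firewall rule's port
        problems.append("database port does not match the firewall rule")
    return problems

def conf_mode_is_private(path):
    """True when the file has no group/other bits, i.e. after chmod go-rwx."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0

def demo_mode_check():
    """Write the sample config world-readable, then fix it; return both verdicts."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_CONF)
    os.chmod(path, 0o644)
    before = conf_mode_is_private(path)
    os.chmod(path, 0o600)  # the report's chmod go-rwx /etc/snort/snort.conf
    after = conf_mode_is_private(path)
    os.unlink(path)
    return before, after
```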

To run snort on startup:

# rc-update add snort default

Edit /etc/init.d/snort so that the "need" line reads "need net postgresql".

Debugging: look at /var/log/everything/current. Unfortunately a lot of fatal errors do not stop the startup script. To force a restart of snort: "rm /var/lib/init.d/started/snort; /etc/init.d/snort start".

Future Development:

1. Use of stunnel to encrypt and authenticate links to the database.

2. emerge oinkmaster for rule updating scripts, or alternatively emerge snorticus.

Apache (2.0.47)

To install apache:

# emerge apache mod_ssl

Edit /etc/conf.d/apache2 and add "-D SSL -D PHP4" to the APACHE2_OPTS line. Uncomment the line as well.

To make apache start at bootup:

# rc-update add apache2 default

# /etc/init.d/apache2 start

Debugging TIP: see /var/log/apache2/error_log and access_log.

Postgresql (7.3.4)

# emerge postgresql

Edit /etc/conf.d/postgresql and add "-i" to the PGOPTS configuration line.

# rc-update add postgresql default

# usermod -s /bin/bash postgres

# ebuild /usr/portage/dev-db/postgresql/postgresql-7.3.4.ebuild config



Edit /var/lib/postgresql/data/pg_hba.conf to contain the following:

host snort snort_db_user {snort box ip} 255.255.255.255 password

#host snort snort_analyst {webserver} 255.255.255.255 password

host snort snort_analyst 127.0.0.1 255.255.255.255 password

#host snort snort_db_user 127.0.0.1 255.255.255.255 password
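The pg_hba.conf entries above express an access policy: snort_db_user only from the Snort box, snort_analyst only from the web server (here localhost), single-host masks, and password authentication. The following is an added example, not code from the lab report or PostgreSQL, that parses entries in this PostgreSQL 7.3 format and reports any line that breaks that policy, including the "trust" method, which admits connections with no password at all. The sample file and its addresses are constructed.

```python
"""Audit pg_hba.conf lines against the access policy above: snort_db_user only
from the Snort box, snort_analyst only from localhost, single-host masks, and
never the 'trust' method. Added example, not the lab's code; the sample below
is constructed and its addresses are placeholders."""

SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER           IP-ADDRESS   IP-MASK          METHOD
host    snort     snort_db_user  192.0.2.10   255.255.255.255  password
#host   snort     snort_analyst  192.0.2.20   255.255.255.255  password
host    snort     snort_analyst  127.0.0.1    255.255.255.255  password
host    snort     snort_db_user  192.0.2.0    255.255.255.0    trust
local   all       all                                          trust
"""

# Source address each role may connect from (policy from the report; IPs constructed).
ALLOWED_SOURCE = {"snort_db_user": "192.0.2.10", "snort_analyst": "127.0.0.1"}

def parse_pg_hba(text):
    """Return the active entries as dicts; commented and blank lines are skipped."""
    keys = ("type", "db", "user", "ip", "mask", "method")
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields[:1] == ["host"] and len(fields) == 6:
            entries.append(dict(zip(keys, fields)))
        elif fields[:1] == ["local"] and len(fields) == 4:
            entries.append(dict(type="local", db=fields[1], user=fields[2],
                                ip=None, mask=None, method=fields[3]))
    return entries

def audit(entries, allowed_source=ALLOWED_SOURCE):
    """Return one finding string per policy violation; [] means the file is clean."""
    findings = []
    for e in entries:
        where = f"{e['type']} {e['db']} {e['user']}"
        if e["method"] == "trust":
            findings.append(f"{where}: 'trust' admits connections without a password")
        if e["type"] != "host":
            continue
        if e["mask"] != "255.255.255.255":
            findings.append(f"{where}: mask {e['mask']} admits more than one host")
        expected = allowed_source.get(e["user"])
        if expected and e["ip"] != expected:
            findings.append(f"{where}: should connect only from {expected}, not {e['ip']}")
    return findings
```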



# /etc/init.d/postgresql start

# su - postgres

> /usr/bin/createdb snort

> /usr/bin/zcat /usr/share/doc/snort-2.0.1-r1/contrib/snortdb-extra.gz | sed "s/^#/--/g" | /usr/bin/psql snort

> zcat /usr/share/doc/snort-2.0.1-r1/contrib/create_postgresql.gz | /usr/bin/psql snort

(below courtesy of http://www.andrew.cmu.edu/~rdanyliw/snort/snortdb/snortdb_install.html)

> /usr/bin/psql snort

CREATE USER snort_db_user WITH UNENCRYPTED PASSWORD '5yetty';

GRANT SELECT ON detail, encoding, event, reference_system, schema,

sensor, sig_class, sig_reference, signature

TO snort_db_user;

GRANT INSERT ON data, event, icmphdr, iphdr, opt, reference,

reference_system, sensor, sig_class, sig_reference,

signature, tcphdr, udphdr

TO snort_db_user;

GRANT UPDATE ON reference_ref_id_seq, reference_system_ref_system_id_seq,

sensor_sid_seq, sig_class_sig_class_id_seq,

signature_sig_id_seq

TO snort_db_user;

CREATE USER snort_analyst WITH UNENCRYPTED PASSWORD '5p0rt';

GRANT CREATE ON DATABASE snort TO snort_analyst;



Debugging TIP: look at /var/lib/postgresql/data/postgresql.log.

Further Development: Create certificates to allow authenticated SSL connections (http://www.phpfreaks.com/postgresqlmanual/page/ssl-tcp.html).

Connections to the database from the webserver are fairly safe and probably don't need SSL unless they get host separated.

Currently ACID (through adodb) and Snort don't appear to support SSL sessions. "emerge stunnel" and it may be possible to set up an SSL connection that way.

For SSL authentication and encryption from host to server see file:/usr/share/doc/postgresql-7.3.4/html/client-authentication.html on the local machine.

Acid (0.9.6b23)

# env ACCEPT_KEYWORDS="~x86" emerge acid

should make https://[host]/acid refer to the interface to Snort data.

Edit file:/home/httpd/htdocs/acid/acid_conf.php to ensure that the database variables are correct:

$DBlib_path = "/usr/lib/php/adodb";

$DBtype = "postgres";

$alert_dbname = "snort";

$alert_host = "localhost";

$alert_port = "5432";

$alert_user = "snort_analyst";

$alert_password = "5p0rt";



$archive_dbname = "snort_archive";

$archive_host = "localhost";

$archive_port = "5432";

$archive_user = "snort_analyst";

$archive_password = "5p0rt";



$ChartLib_path = "/usr/lib/php/jgraph";

NOTE: we haven't set up an "archive" yet; still looking for instructions (somewhere).



Go to https://{your webserver}/acid/acid_db_setup.php and select "Create ACID AG".

As the postgres user in the “psql snort” command line interface issue the following.

REVOKE CREATE ON DATABASE snort FROM snort_analyst;

(from file:/usr/share/doc/acid-0.9.6_beta23/README.gz)

GRANT SELECT ON TABLE acid_ag,acid_ag_alert, acid_event,acid_ip_cache,data,detail,encoding, event, icmphdr,iphdr,opt,reference, reference_system, schema, sensor, sig_class,sig_reference, signature, tcphdr, udphdr TO snort_analyst;

GRANT INSERT,DELETE ON TABLE acid_ag,acid_ag_alert, acid_event,acid_ip_cache,data, event, icmphdr,iphdr,opt,reference, reference_system, sensor, sig_class,sig_reference, signature, tcphdr, udphdr TO snort_analyst;

GRANT DELETE ON TABLE sensor TO snort_analyst;

GRANT UPDATE ON TABLE acid_event,acid_ip_cache,reference, reference_system, sig_class,sig_reference, signature TO snort_analyst;

GRANT SELECT,UPDATE ON TABLE acid_ag_ag_id_seq, reference_ref_id_seq,reference_system_ref_system_id_seq,sensor_sid_seq,sig_class_sig_class_id_seq,signature_sig_id_seq TO snort_analyst;



Reference: This section was based on http://www.kellys.net/snort.

Further Development: Set access control to this area via authenticated https only.

Debugging TIP: in the file:/home/httpd/htdocs/acid/acid_conf.php there are a number of flags that can be set to enable debugging.

Other web scripts that may be of use are:

  1. Snort Report - http://www.circuitsmaximus.com/download.html

  2. Others available at http://www.snort.org/dl/contrib/data_analysis



[1] http://acidlab.sourceforge.net

[2] http://www.snort.org/dl/contrib/other_logs/logsnorter-0.2.tar.gz

[3] Cisco, http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pix_pa.pdf

[4] Black, Daniel, 2003, Lab 1 - Risk Assessment of Alice Springs Town Council, submission to the Computer Security subject of ADFA postgraduate program 2003.