Professional Special Subject – w5 log

This week I’ve understood that an out-of-the-box deployment is never what you want, especially for an NSM solution. Tuning Snort according to your needs is the key to a successful deployment and to stopping attackers.

I’ve managed to place a machine running SmoothSec in a classroom, attached to a switch that mirrors all the traffic to it. The reason for this is to see how it copes with traffic coming from more than 1-2 PCs and what kind of alerts it generates. It is also a good testing ground for new rules. The following network diagram shows the system and how I can connect to the monitoring server.

Start your own business presentation by Ridha Shimi

We had a nice presentation today, done by a guest from Udvikling Fyn (Development Fyn). The guest’s name is Ridha Shimi and he is a business consultant. He offered his consulting service for free to anybody that’s thinking of starting their own business. I’m a tech guy, but entrepreneurship is not something distant from my current education (Product Development and Technology Integration) and it’s also something I have been interested in since I was in grade school.


Snort tuning

It is basically useless to run great pieces of software if they are not configured according to user/system needs. An out-of-the-box deployment of Snort will most likely be something that you don’t want. What you do want is to configure your deployment the way you need it. Basic Snort deployment issues:

  1. outdated rules
  2. “noisy” logs and alerts


Weekly database backup (compressed and encrypted)

I had the task of doing regular database backups on a server here at school and I needed some automation. And encryption, of course, because there is a lot of info in database dumps, including usernames and MD5-hashed passwords, and we don’t want that just lying around. That means that we have to leave phpMyAdmin and do some command-line stuff.


Professional Special Subject – w4 log

Week 4 was all about digging into how Snort works, Snort rules and IT security lecturing. I had some resources prepared for this, so I started reading Snort Intrusion Detection and Prevention Toolkit by Jay Beale.

I’ve managed to understand the basics of Snort rules and to create my first rule. For IT security lecturing I’ve used some interesting IT security/networking resources that I came across. One of them is the 10 rules of information security.

On Snorby custom PDF generating, there wasn’t so much progress because of the lack of documentation.

Plan for next week:

  • dig more into Snorby custom PDF generating; I’ll probably have to do some hardcoding and I’ve never programmed in Ruby + Rails
  • make a list of what kind of rules I would need in my system
  • implement as many rules as possible

This is part of a series of blog posts that serve as my weekly log for my professional special subject project. It has documentation purposes and it is a nice way to present your work to the teachers. For further information about my work and what I’ve learned and done, follow the inbound/outbound links within these posts.

Creating your first Snort rule

I’ve talked about understanding the basics of a Snort rule before; now I’m going to create my first rule and add it to Snort.

Before making the rule, I started thinking about what I want and why I want it.

Short scenario – you are a copyright freak and you want to know when somebody on your network (maybe a school network) is trying to download something by accessing The Pirate Bay.

Based on the short scenario, I want my rule to send an alert (generate an event) whenever somebody is accessing The Pirate Bay website or a group of related websites. This is definitely not the best way to stop people from downloading stuff on your network, but it’s just a simple scenario that will help me create my first rule.

I fired up Wireshark to see how that packet would look, so that I know what options I can set for my rule. I used my IP and the HTTP protocol as filters so I’d spot the packet faster.

Basic understanding of Snort rules

An IDS, such as Snort, is practically useless without a strong and up-to-date set of rules or signatures. It is the same thing as running an antivirus with outdated virus signatures: you just think you are protected. I tried to understand what a rule is and what it is composed of.

A rule or signature is basically a piece of text/code that describes a state and then an action that is to be performed if that state is true.

Professional Special Subject – w3 log

Week 3 is also development-related. As the ACIDBASE front-end for Snort proved to be useless and time-wasting for me and the project, I’ve decided to try out other front-ends to see what I can do there. On the Snort blog there is a post with all kinds of GUIs, so I decided I should start from there.

I’ve decided on Snorby and the other software required (pulledpork, barnyard2) to have a nice database-updating GUI for Snort. It turned out that it is way too much hassle to install each of them separately (you can read a walkthrough on this here), so I decided to use something faster: a Linux distro called SmoothSec that has all the tools I was thinking of, and some others, already deployed and ready to use. To understand how a network security monitoring system works, check out my other post.

I wouldn’t recommend that anybody try installing/compiling/building them separately, regardless of their level of Linux know-how, because it’s just too time-consuming and you’ll most likely get stuck on issues related to Linux distros, architecture, missing libraries, different library and software versions and so on.

My next plan is to:

  • set up a real test environment (that should have been done a week or two ago, but that’s it)
  • dig into Snort rules and create my own rules based on my needs
  • dig into the Snorby code so that I can display the PDF reports that I want
