Tuesday, March 11, 2008

Build an Intrusion Detection System

There are a large number of intrusion detection systems (IDS) out there for various operating platforms, ranging widely in price and complexity. I have spent countless hours looking at hardware and software solutions for a Windows platform and found one product that stands out from the rest: Snort.

Snort is an open source network IDS that also runs on Windows. Listed in the table below is everything you'll need to get your intrusion detection system up and running for next to nothing.

IDS Software

Windows XP
Snort IDS (download the Windows binary)
WinPcap (for packet capturing)
LiTe Sniffer (network traffic monitor)
IDScenter (Snort front end)

Intrusion Detection

Let's get started! You're going to turn this PC into what is known as a bastion host: a hardened machine, exposed to untrusted traffic, with every unnecessary service turned off. In this build the box doesn't route anything (the monitoring interface won't even have an IP address by the end of step 08); it only listens.

01) Install your version of Windows (XP, etc). Do not install Internet Information Services (IIS) or the Indexing Service - you can remove them later if you forget.

02) Apply all the service packs.

03) Disable NetBIOS over TCP/IP

  • Right click on My Computer > Properties > Hardware > Device Manager.
  • Click on View > Show Hidden Devices.
  • Click on View > Devices by Connection.
  • Right click on NetBios over Tcpip > Properties
  • Driver Tab > Type > Disabled.
  • Click OK.

04) Disable as many of the following services as possible. Several of them (Distributed File System, File Replication, Intersite Messaging, Kerberos Key Distribution Center, License Logging, SMTP) exist only on the server editions and won't show up in services.msc on XP; skip whatever isn't there. Two caveats: if you disable DHCP Client, give the management interface a static address first, and if you disable Windows Time, keep the clock accurate some other way, because alerts with wrong timestamps are nearly useless when you correlate them later.

  • Alerter
  • Computer Browser
  • DHCP Client
  • Distributed File System
  • Distributed Link Tracking Client
  • Distributed Link Tracking Server
  • Distributed Transaction Coordinator
  • DNS Client
  • Fax Service
  • File Replication
  • Indexing Service
  • Internet Connection Sharing
  • Intersite Messaging
  • Kerberos Key Distribution Center
  • License Logging Service
  • Messenger
  • NetMeeting Remote Desktop Sharing
  • Network DDE
  • Network DDE DSDM
  • Print Spooler
  • QoS RSVP
  • Remote Access Auto Connection Manager
  • Remote Access Connection Manager
  • Remote Registry Service
  • Removable Storage
  • RunAs Service (called Secondary Logon on XP)
  • Server
  • Simple Mail Transport Protocol (SMTP)
  • Smart Card
  • Smart Card Helper
  • Task Scheduler
  • TCP/IP NetBIOS Helper
  • Telephony
  • Telnet
  • Uninterruptible Power Supply
  • Windows Time
  • Workstation
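Clicking through services.msc for thirty-odd services is tedious and easy to get wrong on a rebuild, so here is the same step as a script. This is an added example, not part of the original post: a batch file for an Administrator command prompt on XP using the built-in sc.exe. sc.exe takes the service name, not the display name shown in services.msc, so the list below maps the names above to their service names (a couple, marked in comments, vary by build and are skipped automatically if absent). The space after "start=" is required by sc's argument parser. Server-edition-only services from the list (Dfs, TrkSvr, NtFrs, IsmServ, kdc, LicenseService, SMTPSVC) are not included; add them if you are on a server build.

```batch
@echo off
rem Added example (not from the original post): disable the step-04 services
rem with sc.exe. Run from an Administrator command prompt on the sensor.
rem
rem Display name (from the post)        Service name
rem   Alerter                            Alerter
rem   Computer Browser                   Browser        (stop before Server)
rem   DHCP Client                        Dhcp           (management NIC must be static)
rem   Distributed Link Tracking Client   TrkWks
rem   Distributed Transaction Coord.     MSDTC
rem   DNS Client                         Dnscache
rem   Fax Service                        Fax
rem   Indexing Service                   CISVC
rem   Internet Connection Sharing        SharedAccess   (on XP SP2 this is also the
rem                                                      Windows Firewall; keep it if
rem                                                      the management NIC needs it)
rem   Messenger                          Messenger      (stop before Workstation)
rem   NetMeeting Remote Desktop Sharing  mnmsrvc
rem   Network DDE / Network DDE DSDM     NetDDE, NetDDEdsdm
rem   Print Spooler                      Spooler
rem   QoS RSVP                           RSVP
rem   Remote Access Auto Conn. Manager   RasAuto
rem   Remote Access Connection Manager   RasMan
rem   Remote Registry                    RemoteRegistry
rem   Removable Storage                  NtmsSvc
rem   RunAs / Secondary Logon            seclogon
rem   Server                             lanmanserver
rem   Smart Card / Smart Card Helper     SCardSvr, SCardDrv
rem   Task Scheduler                     Schedule
rem   TCP/IP NetBIOS Helper              LmHosts
rem   Telephony                          TapiSrv
rem   Telnet                             TlntSvr
rem   Uninterruptible Power Supply       UPS
rem   Windows Time                       W32Time        (keep the clock in sync otherwise)
rem   Workstation                        lanmanworkstation
rem
rem Order matters for "sc stop": dependents (Browser, Messenger, Alerter)
rem come before the services they depend on (lanmanserver, lanmanworkstation).
set SERVICES=Alerter Messenger Browser Dhcp TrkWks MSDTC Dnscache Fax CISVC ^
SharedAccess mnmsrvc NetDDE NetDDEdsdm Spooler RSVP RasAuto RasMan ^
RemoteRegistry NtmsSvc seclogon SCardSvr SCardDrv Schedule LmHosts TapiSrv ^
TlntSvr UPS W32Time lanmanserver lanmanworkstation

for %%s in (%SERVICES%) do (
    rem "sc query" returns 1060 if the service does not exist on this build
    sc query %%s >nul 2>&1
    if errorlevel 1 (
        echo %%s: not present on this build, skipping
    ) else (
        echo %%s: setting start type to disabled and stopping
        sc config %%s start= disabled >nul
        rem 1062 "not started" is normal here and is ignored
        sc stop %%s >nul 2>&1
    )
)

echo.
echo --- verification: anything below is still running and needs attention ---
for %%s in (%SERVICES%) do (
    sc query %%s 2>nul | find "RUNNING" >nul && echo WARNING: %%s still running
)
```

A service that refuses to stop because something still depends on it (error 1051) will simply stay running until the reboot in step 08, since its start type has already been set to disabled; the verification loop is there so you see it. Run the script again after the reboot and the warning list should be empty.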

05) Install winPcap

06) Install Snort

07) Install LiTe Sniffer - start this program and watch for traffic. If you see nothing but your own packets and you're plugged into a switch, you'll need to configure the switch port you're connected to as a monitor (mirror/SPAN) port. A switch reduces traffic by keeping track of which port each MAC address lives on; if computer A sends information to computer B and you are computer C, you'll never see it. The IDS needs to see all the traffic to correctly determine whether an intrusion attempt is being performed. (On a hub, or behind a network tap, every packet is already visible and no switch configuration is needed.)

08) NOTE: You are at your own risk if you follow these instructions. Editing your registry is DANGEROUS and should be done with extreme caution. Follow these steps at your OWN risk.

  • 1. Get your interface's GUID. ('snort -W' lists the interfaces WinPcap can see; the Device Name column, \Device\NPF_{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, contains it.)
  • 2. open Regedt32
  • 3. Navigate out to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
  • 4. Select the network card you wish to setup as the monitoring interface (this will be the {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} value).
  • 4a. Set IPAddress:REG_MULTI_SZ: to null (Double click on the string, delete data in the Multi-String Editor, then click OK)
  • 4b. Set SubnetMask:REG_MULTI_SZ: to null (Double click on the string, delete data in the Multi-String Editor, then click OK)
  • 4c. Set DefaultGateway:REG_MULTI_SZ: to null (Double click on the string, delete data in the Multi-String Editor, then click OK)
  • 5. Close the Registry Editor and reboot.
  • 6. In a command prompt, run 'ipconfig /all' to verify the interface does not have an IP bound to it.

If you do not receive an IP address listing from the interface you modified, you are good to go.
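Because this change gets redone on every rebuild, it is worth keeping as a .reg file instead of editing by hand. The following is an added example, not part of the original post. {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} is a placeholder: substitute the GUID of the monitoring NIC from 'snort -W' before importing. It covers both step 08 (blanking the address values; hex(7):00,00 is an empty REG_MULTI_SZ, which is exactly what clearing the Multi-String Editor leaves behind) and the per-adapter equivalent of step 03 (NetbiosOptions=2 disables NetBIOS over TCP/IP on that adapter). EnableDHCP=0 is added so the DHCP client cannot quietly hand the interface an address again if that service was left running in step 04.

```reg
Windows Registry Editor Version 5.00

; Added example (not from the original post). Replace the placeholder GUID
; with the monitoring NIC's GUID from "snort -W", then import with
;   regedit /s unbind-monitor-nic.reg
; and reboot. Verify afterwards with "ipconfig /all": the adapter must list
; no IP address, and "snort -W" must still show it (WinPcap captures fine
; on an interface without an address).

; Step 08: empty IPAddress / SubnetMask / DefaultGateway (hex(7):00,00 is an
; empty REG_MULTI_SZ) and stop DHCP from re-assigning an address.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}]
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):00,00
"SubnetMask"=hex(7):00,00
"DefaultGateway"=hex(7):00,00

; Step 03, per adapter: NetbiosOptions 2 = disable NetBIOS over TCP/IP on
; this interface (0 = use DHCP setting, 1 = enabled).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}]
"NetbiosOptions"=dword:00000002
```

If you would rather not touch the registry at all, the same result comes from opening the monitoring connection's properties in Network Connections and unchecking "Internet Protocol (TCP/IP)" (and "File and Printer Sharing" and "Client for Microsoft Networks" while you're there): the stack is unbound from the adapter, nothing can talk to the sensor on that NIC, and WinPcap still sees every frame. Either way, keep a second interface, with an address, for managing the box.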

09) Install IDScenter

10) Configure your rules - This is the hard part (or should I say the time consuming part!). Out of the box, Snort will record an incredible amount of information, much of which is unnecessary. Start by setting HOME_NET and EXTERNAL_NET in snort.conf so rules know which side is yours, drop the rule files for services you don't run, and then use threshold.conf to suppress or rate-limit whatever is still noisy. Keep tuning until the only information recorded is information you should be aware of. Visit the Snort site and read up on rules for more information. It's not rocket science, just a little time consuming!
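As an added example (not from the original post or the Snort project), here are the three pieces of configuration that account for most of the noise reduction: the network variables and rule includes in snort.conf, one local rule in local.rules, and a threshold.conf that rate-limits it and suppresses it for a known host. The addresses, the sensor path and the rule file names are placeholders for this sensor; sid 1000001 is in the range reserved for local rules and is not a Snort-distributed rule. The syntax is the Snort 2.x syntax current when this post was written.

```conf
# ---- snort.conf (relevant lines only; path is a placeholder) ----
# Your side of the wire. Everything not in HOME_NET is EXTERNAL_NET,
# so a rule written as $EXTERNAL_NET -> $HOME_NET no longer fires on
# your own internal chatter.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH c:\snort\rules

# Include only the rule files that apply to what you actually run.
# Every file you include is more alerts to triage; comment out the
# categories for servers you don't have rather than tuning them later.
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
# include $RULE_PATH/oracle.rules     (no Oracle on this network)
include $RULE_PATH/local.rules

# Thresholds and suppressions live in their own file.
include threshold.conf

# ---- local.rules ----
# Example local rule (sid 1000000+ is the local range). Telnet is
# disabled on the sensor in step 04, so anyone trying it from outside
# is worth a look. flow:to_server,established keeps it to real
# connections rather than every stray SYN.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL telnet attempt from outside"; flow:to_server,established; classtype:attempted-recon; sid:1000001; rev:1;)

# ---- threshold.conf ----
# Log at most one alert per source per minute for this rule, instead
# of one line per connection attempt during a scan.
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# A partner's jump host (placeholder address) legitimately telnets in;
# silence this rule for that source only, not for everyone.
suppress gen_id 1, sig_id 1000001, track by_src, ip 203.0.113.10
```

The important habit is the last two stanzas: when a rule is noisy, narrow it (limit, or suppress for one source) rather than deleting it, so the detection still exists for everyone else. gen_id 1 means the rule engine; preprocessor events have other generator IDs, which is why each threshold line names both.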
