The document describes a simple network intrusion detection system consisting of Snort as the sensor, MySQL as the database, and ACID as the console interface. Snort monitors network traffic for signatures of attacks, logs events to the MySQL database. The ACID console provides a graphical interface for analyzing the logged data and generating alerts. The system was implemented on a Windows laptop with Snort, MySQL, and ACID to demonstrate a basic open source IDS solution.

1. 07/01/1307/01/13 11
A Simple Network IDSA Simple Network IDS
Team Members:Team Members:
Brian LappBrian Lapp
Dominic ReresDominic Reres
Bob WilsonBob Wilson
Daniel CassieroDaniel Cassiero

2. 207/01/13
CRISIS!CRISIS!

3. 307/01/13
About the ProjectAbout the Project
A demonstration of a simple IDS.A demonstration of a simple IDS.
Can be used to secure and protect aCan be used to secure and protect a
network.network.
Policy enforcement.Policy enforcement.
Snort Sensor
IDS Console
Relational Database

4. 407/01/13
ImplementationImplementation
Windows XP Professional with SP2Windows XP Professional with SP2
Snort version 2.3.2Snort version 2.3.2
MySQL database version 4.1MySQL database version 4.1
ACID v .9.6b23ACID v .9.6b23
All components installed on a laptop forAll components installed on a laptop for
convenience.convenience.

5. 507/01/13
Snort – The Open Source IDSSnort – The Open Source IDS
Highly PortableHighly Portable
(*NIX, BSD, Win32)(*NIX, BSD, Win32)
Uses “Signatures”Uses “Signatures”
Open SourceOpen Source

6. 607/01/13
Snort - FlowSnort - Flow
Monitors network traffic in promiscuousMonitors network traffic in promiscuous
modemode
Packet has signature matchPacket has signature match
Event is logged to databaseEvent is logged to database
Alert appears on ACID consoleAlert appears on ACID console

7. 707/01/13
Snort – Data LoggingSnort – Data Logging
Direct log fileDirect log file
Database (MySQL,Database (MySQL,
ORACLE, MSORACLE, MS
SQL...)SQL...)

8. 807/01/13
DataData
Data captured from lab networkData captured from lab network
Attached snort sensor directly to CRJ LabsAttached snort sensor directly to CRJ Labs

9. 907/01/13
Snort LogSnort Log
Log file format may be difficult to read.Log file format may be difficult to read.
Sorting through events may be timeSorting through events may be time
consuming.consuming.

10. 1007/01/13
AAnalysisnalysis CConsole foronsole for IIntrusionntrusion DDatabasesatabases
GUI Frontend forGUI Frontend for
logged datalogged data
Human readable atHuman readable at
a glancea glance
Utilize relationalUtilize relational
data.data.

11. 1107/01/13
SignaturesSignatures
Link to signature description on consoleLink to signature description on console
CVECVE
BugtraqBugtraq
SnortSnort

12. 1207/01/13
Console AnalysisConsole Analysis
Easy analysis with coded regionsEasy analysis with coded regions
Simple example showing an Alert eventSimple example showing an Alert event

13. 1307/01/13
Network IDS SolutionNetwork IDS Solution
Open Source softwareOpen Source software

Freely available to the publicFreely available to the public
OverheadOverhead

Configuration and setupConfiguration and setup

Learning curveLearning curve

14. 1407/01/13
SummarySummary
SnortSnort

Network Sensor IDSNetwork Sensor IDS

SignaturesSignatures
MySQLMySQL

Relational DatabaseRelational Database
ACIDACID

SO ConsoleSO Console

Incident AlertIncident Alert

15. 1507/01/13
ResourcesResources
SnortSnort

http://http://www.snort.orgwww.snort.org//
ACIDACID

http://acidlab.sourceforge.net/http://acidlab.sourceforge.net/
MySQLMySQL

http://www.mysql.org/http://www.mysql.org/
Analysis Console for Intrusion Databases