Analysis Console for Intrusion Databases
Roy
Description
ACID
Objective
- Setup ACID, MySQL, Snort
- Super alert analyzer
- Performance benchmarking of ACID
About ACID
- Query-builder and search interface
- Packet viewer (decoder)
- Alert management
- Chart and statistics generation
- Centralized control
System overview
ACID + Snort + MySQL
ACID
Distributed IDS with centralized control
ACID DB
Prerequisites
A database
- Package: MySQL • Version: 3.23.x+ • Homepage: http://www.mysql.com/
A mechanism
- Package: Snort • Version: 1.7+ • Homepage: http://www.snort.org/
- Package: PHP • Version: 4.0.4+ • Homepage: http://www.php.net/
A web server
- Package: Apache Server • Version: 1.3.*+ • Homepage: http://www.apache.org/
PHP database access API
- Package: ADODB • Homepage: http://php.weblogs.com/adodb/
- Package: PHPlot • Homepage: http://www.phplot.com
- Package: JPGraph • Homepage: http://www.aditus.nu/jpgraph/
- Package: GD • Homepage: http://www.boutell.com/gd/
Install ACID and Snort
- Download ACID: http://www.andrew.cmu.edu/user/rdanyliw/snort/snortacid.html
- Decompress acid-0.9.6b23.tar.gz
- Move ACID to your web directory
Setting up the database in MySQL
- Create database
- Create user and assign privilege
- Create snort tables
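The three steps above as MySQL statements, added here as an example (not from the slides). The sensor and the console get separate accounts with only the privileges each needs; the account names `snort_sensor` and `acid_console`, the `localhost` host part and the `CHANGE-ME` passwords are assumptions. The Snort table definitions themselves are not on the slides: they come from the `create_mysql` script distributed with Snort, which is what the "Create snort tables" step loads.

```sql
-- Added example, not part of the original slides.
-- Account names, host and passwords below are assumptions.

-- Step 1: the database Snort's output plugin logs into.
CREATE DATABASE snort;

-- Step 2: users and privileges.
-- The sensor only inserts alerts and reads the lookup tables
-- (sensor, signature), so it gets nothing beyond INSERT and SELECT.
GRANT INSERT, SELECT ON snort.* TO 'snort_sensor'@'localhost'
    IDENTIFIED BY 'CHANGE-ME-sensor';

-- The ACID console reads everything and, for alert management
-- (delete, archive, alert groups), also needs INSERT, UPDATE and DELETE.
-- It gets no CREATE/DROP/GRANT rights: ACID's own tables are created once
-- with an administrative account through acid_db_setup.php, after which
-- the console runs with this restricted account.
GRANT SELECT, INSERT, UPDATE, DELETE ON snort.* TO 'acid_console'@'localhost'
    IDENTIFIED BY 'CHANGE-ME-console';

FLUSH PRIVILEGES;

-- Step 3: the Snort tables. The schema is loaded from the create_mysql
-- script shipped with Snort, from a shell, for example:
--   mysql -u root -p snort < /path/to/snort/contrib/create_mysql
-- Afterwards either account can confirm the schema is in place; the
-- schema table carries the version number (the benchmark slide later
-- refers to schema v102).
USE snort;
SHOW TABLES;
SELECT vseq, ctime FROM `schema`;
```

Keeping the sensor's account to INSERT and SELECT means a compromised sensor host cannot delete or alter the alert history, which is the evidence the console is there to protect.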
Modify ACID config files
- Edit acid_conf.php
Connect to sensor manager
- Open http://192.168.1.101/acid/acid_conf.php
Setup Snort output module
- Edit /etc/snort/snort.conf
Test environment
Internet
- Name: ACID server • OS: Linux • IP: 192.168.1.101 • Net Mask: 255.255.255.0 • Gateway: 192.168.1.2
- Web Server: Apache 2.0.51 • SQL Server: MySQL 4.0.20 • Sensor: Snort 2.1.3 • Management: ACID 0.9.6 beta 23
- Name: attacker1 • OS: Windows • IP: 192.168.1.1 • Net Mask: 255.255.255.0
- Vulnerability Scanner: N-Stealth 5.2
Three nights and three days…
Enjoy the results
- Open http://192.168.1.101/acid/
More analysis
- 5 most frequent alerts (alert listing)
- 15 most frequent alerts (unique source)
- Time profile of alerts
  - Last 24 hours
  - Last 72 hours
Performance Benchmarking of ACID (page loading time)
- Host: Intel Mobile 800 MHz, 256 MB RAM
- OS: Linux 2.2.16-22
- Apache: 1.3.19
- PHP: 4.0.5
- MySQL: 3.23.32
- PostgreSQL: 7.1.2
- DB schema: v102
- ACID: 0.9.6b10 - 0.9.6b13
I. Unique Alert Listing (acid_stat_alerts.php)
II. ACID Main page (acid_main.php)
Summary
Reference
- Performance Benchmarking of ACID: http://www.andrew.cmu.edu/user/rdanyliw/snort/perf/acid_perf.html
- NIST Intrusion Detection System
Appendix A
Passive Ethernet Tap
[Diagram: passive Ethernet tap on the Internet link; "Traffic in" and "Traffic out" are each fed to an IDS interface]
http://www.snort.org/docs/tap/