Advanced OSSEC Training: Integration Strategies for Open Source Security
HOST BASED INTRUSION DETECTION SYSTEM
Using OSSEC and SGUIL
Supervised by: Farahani Faranak
Submitted by: Venkateshwarlu Gurap
Student id: 19035867
CONTENTS
S.No.  Chapter                                               Page no
1.     Introduction                                          8
1.1.1  General introduction                                  9
1.1.2  Existing system                                       10
1.1.3  Proposed system                                       11
1.1.4  Problem statement                                     12
1.1.5  Problem description                                   12
1.2    Aims and Objectives                                   13
1.3    Methodology                                           14
1.4    Structure of dissertation                             16
2.     Literature Review                                     17
2.1.1  Network Security                                      18
2.1.2  Intrusion detection systems (IDS)                     19
2.1.3  Host based intrusion detection system (HIDS)          21
2.1.4  Network based intrusion detection system (NIDS)       22
2.1.5  Intrusion prevention systems (IPS)                    23
2.1.6  Active security monitoring                            24
2.1.7  NIDS vs. HIDS                                         25
2.2    HIDS and its categories                               26
2.3    HIDS System Security & monitoring                     28
2.4    Classification of HIDS based on functionality         29
2.5    Tools of HIDS and implementation                      34
3.     Requirement Analysis and Design                       36
3.1    Project analysis                                      37
3.2.1  Feasibility study                                     37
3.2.2  Technical feasibility                                 38
3.2.3  Behavioral feasibility                                38
3.2.4  Economic feasibility                                  38
3.3    System requirements                                   41
3.4    Procedural design                                     42
3.5    Input/output design                                   44
4.     Implementation                                        47
4.1    System Implementation                                 48
4.2    Installation & configuration (phase 3)                49
4.3    Integration of OSSEC with SGUIL (phase 4)             53
5.     Testing                                               57
5.1.1  Introduction to testing concepts                      58
5.1.2  Source code testing                                   59
5.1.3  Module level testing                                  59
5.2.1  Levels of testing                                     59
5.2.2  Unit testing                                          60
5.2.3  Integration testing                                   61
5.2.4  System testing                                        61
5.3    Test plan                                             62
5.4    Test case report                                      64
5.5    Test report                                           67
6.     Self-Evaluation                                       70
7.     Discussion                                            73
8.     Conclusion                                            75
9.     Future work & Recommendations                         78
10.    Bibliography                                          81
11.    Appendices                                            87
       Screen Shots                                          87
       Commands                                              90
Figures
S.No  Figure                          Page No
1.    Waterfall life cycle model      15
2.    General IDS system              20
3.    HIDS implementation             21
4.    NIDS implementation             23
5.    NSM package details             34
6.    OSSEC package details           35
ACKNOWLEDGEMENT
Firstly, I thank my supervisor Farahani Faranak for her guidance in the project. She guided me at every stage of my dissertation through her suggestions. Through each meeting she directed me along a successful project path and gave me all the inputs I needed for the implementation and documentation of the project.
I consider myself to be very fortunate in receiving all the support and guidance
from the entire ACES faculty. I would like to thank my Course administrator Lucy Allen
and the Course leader Dr. Sameer Alkhyat for their guidance and support.
I am grateful to the Library staff at Sheffield Hallam University for their
outstanding support and responsiveness to my information needs.
ABSTRACT
Security is one of the major issues in the field of computing. From the beginning there have been continuous attempts to protect the integrity, confidentiality and availability of data. Whether for a large organization or a home PC, security is a primary issue. It mainly comprises the several intrusion preventive measures taken by an organization, or even by individual desktop users, to protect their systems. Intrusions into systems are broadly categorized into two categories: network based and host based intrusions.
In this project we implement a HIDS by integrating two tools, OSSEC and SGUIL. OSSEC is used as the backend tool of the HIDS and SGUIL is the graphical interface that works at the front end. One of the objectives of this project is to integrate these two tools to build an enhanced Host based Intrusion Detection System (HIDS), i.e. OSSEC HIDS.
A significant point is that the tools (OSSEC, SGUIL etc.) and the operating system used in this project are open source. Here we implement the OSSEC HIDS locally.
This project is intended to assist the network administrator in managing and monitoring the network (LAN).
INTRODUCTION
1.1.1 General Introduction:
(Laurie Zirkle, 2008)
“No one package will do everything, and the software should be tailored to the individual computer that's being monitored.” Based on this idea, I wish to integrate two tools and implement an OSSEC HIDS with some enhanced features over the existing one.
The objective of the project is to build an enhanced OSSEC Host based Intrusion Detection System. Among the latest technology tools, I preferred OSSEC and chose to integrate it with SGUIL in the implementation of a HIDS (Host based Intrusion Detection System).
OSSEC is powerful free HIDS software which lacks a GUI, and SGUIL is also open source software which is compatible with it. This attempt is to develop a powerful host based intrusion detection system with a good GUI.
This system performs host intrusion detection based on log analysis, file integrity checking and Windows registry monitoring. These features are very interesting when compared to other software, and it supports many other features which are not supported by other software. From an administrative point of view it would be very useful to implement this in a network.
1.1.2 Existing System
At a basic level the issues of security are addressed by using antivirus software and firewalls. Antivirus software is used to protect computers from virus attacks and firewalls are used to protect against theft of private data. Similarly, at a larger scale, i.e. at the level of organizations, we implement Intrusion Detection Systems (IDS) such as HIDS (host based IDS) and NIDS (network based IDS).
There are many existing HIDS packages besides OSSEC, such as Tripwire and Tiger, but these are not as efficient as OSSEC in terms of scalability, reliability, flexibility and visualization.
The following features of OSSEC make it more powerful when compared to other HIDS:
Easy installation
Integrity checking of the system and its files
Rootkit detection
Active response system
Optional web based graphical interface
Optional central server
1.1.3 Proposed System
The proposal entitled “HOST BASED INTRUSION DETECTION SYSTEM using OSSEC and SGUIL” supports both a local and a client-server network within the intranet.
In this project we implement this in a local environment; it can also be implemented in a LAN (a group of systems in an intranet). OSSEC also monitors packets and attempts to discover if a hacker/cracker is attempting to break into a system.
The proposed system performs intrusion detection based on these features:
File integrity
Windows registry monitoring
Log analysis
Additional features:
Integrity check daemon
Rootkit detection engine
Enabling the active response system
Enabling the firewall drop response
Email notification
SMTP server
These features enable the administrator to monitor systems closely. It is more flexible because of its good visualization, i.e. this system is capable of finding intrusions, through the above features, in the various systems that are connected within a network.
1.1.4 Problem statement:
The features proposed in the proposal part of the system are not yet seen in a single piece of software. So, this is an attempt to implement a HIDS with all the above features. That is possible by integrating the two tools, i.e. OSSEC and SGUIL. This makes the HIDS much more powerful, with extra features that overcome problems such as proper visualization, email notification and active response.
1.1.5 Problem description
From the beginning we have implicitly been discussing the issues of network security in a LAN from the administrator's point of view. At present there is much existing software which could provide all the features mentioned in the proposal part of this project, but there is no single piece of software which puts all those features together.
OSSEC HIDS is powerful by default, but it needs to be customized with other features such as a graphical interface and flexibility. So these features must be added to the current OSSEC HIDS using SGUIL.
Through this project I wish to integrate two tools that could solve the above mentioned issue; moreover, this is also intended to ease the administrator's task in monitoring the network.
1.2 Aims and Objectives:
Aim:
Analyze Host Based Intrusion Detection Systems and implement a HIDS by integrating two tools, i.e. OSSEC and SGUIL.
Objectives:
To identify the tools and analyze their HIDS implementation method.
To investigate OSSEC and SGUIL, then proceed with installation and configuration.
To integrate these two tools, implement the HIDS and test it.
To make recommendations from the implementation and investigation.
In the project we shall not only discuss the HIDS software that is involved but also other issues of network security, varying from the desktop user to an organization level implementation.
In any case this implementation is targeted only at the level of a LAN, or it can be tested locally.
1.3 Methodology:
In terms of software engineering, methodology can be defined as the set of procedures followed in a project for the success of the project.
In general, for these kinds of projects, methodology includes:
Collection of data
Analyzing different approaches to implementation and their comparative study
Implementation
Method of approach
The data collected is qualitative in nature.
The method of approach is deductive in nature.
Software life cycle models (implementation model):
It is an accepted fact that the implementation of this project is not similar to the development of software code, but we still follow the software life cycle models, as this project implementation has similar features to the software life cycle models and they are applicable in this case.
In short there are 4 stages in the software life cycle. They are:
Requirement
Design
Implementation
Testing
General Life Cycle Model
Waterfall Model (deductive method):
Any basic software life cycle model is applicable to this implementation, but to be precise I have chosen the waterfall life cycle model because it is quite apt for this scenario.
(Raymond Lewallen, 2005)
It has a simple sequence of phases and each phase has a set of well defined goals and activities. The important contribution of the waterfall model is for management: it enables management to track development progress. It is also referred to as a linear-sequential life cycle model.
Figure 1 Waterfall Life Cycle Model
Advantages
Simple and easy to use.
Easy to manage due to the rigidity of the model: each phase has specific deliverables and a review process.
It is suitable for smaller projects where requirements are well understood.
The software engineering methods of approach are apt for developing a customized product, which applies in this case.
The only reason for selecting this model for implementation is that it is easy to implement and gives a clear idea of the development process of the system.
1.4 Structure of the dissertation:
This dissertation involves a step by step process of integrating the tools of the HIDS software, i.e. SGUIL and OSSEC. Before that we study the issues of network security from the administrator's point of view and their concepts. Every part of the dissertation describes different issues of HIDS.
The dissertation consists of a literature survey on HIDS, which explains the necessity of HIDS and its categories. Next we proceed to requirement specification and design, then we go on to the implementation (installation, configuration and integration) of the tools, the testing procedure, self-evaluation, discussion, and finally the conclusion and future recommendations, with commands under the appendices.
LITERATURE REVIEW
2.1.1 Network Security:
History:
An Intrusion Detection System (IDS) is one of the techniques followed in security implementation. Network security is an integral part of computer networking; it involves protocols, technologies, devices, tools, and techniques to secure data and mitigate threats. The concept of network security emerged in the 1960s, but it was practically used in the modern network by the end of the 2000s.
Here, in short, I would like to tabulate the progress made in the field of network security. This information is correct according to the Cisco material on network security.
S.No  Year  Technology
1     1984  IDS for ARPANET
2     1988  Packet filter firewall
3     1989  Stateful firewall from AT&T Bell Labs
4     1991  DEC SEAL application layer firewall
5     1995  NetRanger IDS
6     1997  RealSecure IDS
7     1998  Snort IDS
8     1999  First IPS
9     2006  Cisco zone based policy firewall
2.1.2 Intrusion Detection System (IDS)
According to the Intrusion Detection Systems Consortium (IDSC), an Intrusion Detection System (IDS) is defined as a type of security management system for computers and networks.
An IDS is categorized into two types based on its mode of working. It gathers information from various areas, such as inside the system or inside the network, and analyses it to identify possible security breaches. The IDS which identifies threats within a computer, such as DoS (attacks from within the organization), is termed a host based IDS, and the one which identifies intrusions from outside (attacks from outside the organization) is termed a network based IDS.
An IDS uses vulnerability assessment (sometimes referred to as scanning), a kind of technology developed to assess the security of a computer system or network.
Functions of an Intrusion Detection System (IDS)
“Monitoring and analysing the user activities on system
Analysing system configuration files and their vulnerabilities
Assessing system and file integrity
Ability to recognize typical patterns of attacks
Analysis of abnormal activity patterns
Tracking user policy violations”…[1]
In simple terms an IDS can also be defined as software, generally deployed on a server, which implements either the strategies of a NIDS (e.g. packet scanning) or of a HIDS (e.g. checking system log files and other files to verify the integrity of the system).
It is installed to identify intrusions in the system and the network (i.e. it identifies threats and alerts the administrator).
http://searchmidmarketsecurity.techtarget.com/sDefinition/0,,sid198_gci295031,00.html
Figure 2 Intrusion Detection System
Installation
In general an IDS (Intrusion Detection System) is placed between the outside network and the local network, i.e. between the internet and the LAN. The above figure depicts the same, because this position makes intrusion detection (using packet scanning and filtering) much easier. To be precise, this is a kind of NIDS.
2.1.3 Host based intrusion detection systems (HIDS):
A host based IDS performs checks on system logs and key system files to detect malicious or suspicious applications in the system. A few HIDS are even capable of analyzing firewall logs, and a HIDS can even be configured to receive router logs via syslog.
A HIDS monitors the key system files for evidence of tampering and for changes in access time, file size, MD5 cryptographic checksum, etc. The checksum is stored on the server for future verification. Ex: Dragon Squire
Figure 3 Host based Intrusion Detection System
Installation
A host based intrusion detection system is generally installed on the server of the local network, i.e. the LAN.
This favors the network administrator in easy monitoring of the systems in the network.
2.1.4 Network intrusion detection system (NIDS):
A network based intrusion detection system (NIDS) is deployed on a network segment, on a standalone system in front of the firewall. It basically performs packet scanning to identify matches against the determined signatures.
Port scan detection is the most widely used concept in NIDS. A NIDS not only inspects incoming traffic for port scans but also outgoing traffic and shell scripts. It also monitors the number of TCP connection requests.
Figure 4 Network based Intrusion Detection system
Installation:
As said above, it is installed in front of the firewall and scans and filters the packets that are passed by the firewall. Hence this is going to increase network security.
2.1.5 Intrusion prevention systems (IPS):
(Ciccarelli, Patrick; Faulkner, Christina, 2004)
Intrusion prevention systems are an extension of IDS, as they are even capable of blocking packets which are malicious in nature. Unlike an IDS, an IPS is placed in line, which makes it actively capable of blocking traffic.
Cisco IPS is the most widely used intrusion prevention system, as it is capable of protecting from more than 30000 threats. Timely signature updates from Cisco make the system more capable of stopping emerging threats on the internet.
Cisco IPS protects against increasingly sophisticated attacks like
“Directed attacks
Worms
Botnets
Malware
Application abuse“…[2]
2.1.6 Active security monitoring:
According to British Telecommunications, active network security monitoring is about identifying problems at the initial stage, before they grow to become an issue, and avoiding unnecessary risk.
There are even a few groups which install active burglar alarm systems and act as an alarm receiving centre. One such group is Active Security Monitoring Services Ltd, formed in 1998.
Functionalities of active security monitoring in the network:
Provides additional layers of defense
Supplies data that may have forensic utility
Network monitoring and network intrusion detection
Host based intrusion detection
Monitoring of the devices that are connected
Syslog
SNMP logging
Penetration and vulnerability testing monitors
Validates existing security controls
2.1.7 NIDS and HIDS:
(Cole, Eric; Krutz, Ronald; Conley, James W., 2005) Network based Intrusion Detection Systems (NIDS) and Host based Intrusion Detection Systems (HIDS) are designed to alert administrators when there is an attack on the network or system respectively. The attack may come from inside or from outside the systems.
NIDS:
NIDS is used for identifying threats from outside and inside the network.
NIDSs are distributed and monitor traffic at key chokepoints, i.e. network junctions where different types of traffic merge.
NIDS uses saved libpcap formatted files, captures live packets on the wire, and exports data in libpcap format.
HIDS:
HIDS operates on the information collected from individual computer systems, e.g. log files.
HIDS monitors and analyses activities on the host at a higher level.
HIDS is the application or collection of applications which are for monitoring in the system.
Justification:
From the network administrator's point of view both NIDS and HIDS are recommended. It is an accepted fact that NIDS is more powerful than HIDS, but it still cannot replace the functionalities of a HIDS. A combination of the two yields a good result in improving security.
2.2 HIDS and its categories:
As discussed earlier, a HIDS is similar to an antivirus installed in a system which protects the system from various attacks internally in the network.
OSSEC
(Daniel B. Cid, 2008)
OSSEC is one of the most powerful HIDS tools; it was one of the top 5 in 2006.
OSSEC is GNU open source software which performs:
Log analysis
Integrity checking
Windows registry monitoring
Rootkit detection
Time-based alerting
Active response
It supports almost all operating systems, like Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows. It has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed.
Tripwire
Open Source Tripwire is also free software which acts as a HIDS tool for security and data integrity, especially used for monitoring and alerting on specific file change(s). Tripwire detects changes to file system objects rather than detecting at the network interface level. It employs cryptographic hashes to detect changes in a file.
AIDE
This is similar HIDS software which is used on many UNIX systems for rootkit detection and baseline control.
Samhain
This IDS is used on UNIX based networks for integrity checking. It also supports central monitoring as well as powerful (and new) stealth features to run undetected in memory, using steganography.
Comparisons of OSSEC, Tripwire, AIDE, Samhain
Parameter           OSSEC  Tripwire  AIDE  Samhain
Rootkit detection   Yes    No        Yes   No
Integrity check     Yes    Yes       Yes   Yes
Time based alert    Yes    Yes       No    No
Log analysis        Yes    Yes       No    No
Central monitoring  Yes    Yes       Yes   Yes
Cross platform      Yes    No        No    No
Active response     Yes    No        No    No
2.3 HIDS System Security and Monitoring.
HIDS mainly involves monitoring the system and the communication traffic moving in and out of the system; it performs integrity checks of data and identifies suspicious processes.
According to SANS, HIDS can be mainly classified into two types:
Host wrappers, i.e. personal firewalls
Agent-based software
Personal firewall:
Personal firewalls are configured to look at network packets, connection attempts, and login attempts on the monitored machine. This includes dial-in attempts or other non-network related communication ports. Ex: TCP Wrappers for UNIX, NukeNabber for Windows.
“Personal firewalls can also detect software on the host attempting to connect to the network.“ Ex: WRQ's AtGuard.
The term system monitoring describes the use of a system that constantly monitors network packets for slow or failing components and that notifies the network administrator in case of outages via email, pager or other alarms. It is a subset of the functions involved in HIDS.
A host-based agent monitors accesses and changes to critical system files and user privileges. Ex: AXENT from Symantec, CyberSafe, ISS and Tripwire.
2.4 Classification of HIDS based on functionality
Based on functionality, HIDS can be broadly divided into 4 categories:
File system monitors
Log file analysers
Connection analysers
Kernel based IDSs
File system monitors
File system monitors perform checks based on a large number of parameters, i.e. different characteristics, as follows:
Parameter               Characteristics (features for tracing the intrusion)
File permissions        Change in the permissions of files and directories. Ex: detection of suid/sgid/sticky bits
Inode                   Existing (undeleted) file referring to a different inode
Number of links         Change in the number of hard links to a file inode
Size                    A sudden change in the file size
Directory size          Addition or deletion of files in the directory
Mtime, atime & ctime    Change in the last modification time, last access time and last change time of owner, permissions etc. (mtime, atime and ctime respectively) for a file or directory
Checksums               Change in the hash of the file
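The following is an added example (not code from the dissertation or from OSSEC) of a minimal file system monitor that records exactly the parameters in the table above, then reports which parameter changed for each path. It assumes a POSIX file system (for inode, link count and suid/sgid/sticky bits) and uses SHA-256 as the checksum; the scratch tree it tampers with is constructed inside the example.

```python
import hashlib
import os
import stat
import tempfile

SPECIAL = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX   # suid / sgid / sticky


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(path):
    """Record the tracked parameters of one file or directory (table above)."""
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    rec = {
        "permissions": mode & ~SPECIAL,   # rwx bits for owner/group/other
        "special_bits": mode & SPECIAL,   # suid/sgid/sticky bits on their own
        "inode": st.st_ino,
        "links": st.st_nlink,             # number of hard links
        "size": st.st_size,
        "mtime": st.st_mtime_ns,
        "ctime": st.st_ctime_ns,
    }
    if stat.S_ISDIR(st.st_mode):
        rec["directory_entries"] = len(os.listdir(path))   # "directory size"
    elif stat.S_ISREG(st.st_mode):
        rec["checksum"] = sha256_of(path)
    return rec


def baseline(root):
    """Walk root and fingerprint every directory and regular file under it."""
    db = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        db[dirpath] = fingerprint(dirpath)
        for name in filenames:
            p = os.path.join(dirpath, name)
            db[p] = fingerprint(p)
    return db


def compare(old, new):
    """Return (path, parameter, before, after) for every tracked change."""
    findings = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            findings.append((path, "added", None, None))
        elif path not in new:
            findings.append((path, "deleted", None, None))
        else:
            for key, before in old[path].items():
                after = new[path].get(key)
                if before != after:
                    findings.append((path, key, before, after))
    return findings


def demo():
    """Constructed scenario: baseline a scratch tree, tamper with it, compare."""
    root = tempfile.mkdtemp(prefix="fim-")
    f1, f2 = os.path.join(root, "f1"), os.path.join(root, "f2")
    with open(f1, "w") as fh:
        fh.write("one\n")
    with open(f2, "w") as fh:
        fh.write("two\n")
    os.chmod(f1, 0o644)
    before = baseline(root)

    os.chmod(f1, 0o4755)                                 # suid bit appears on f1
    with open(f2, "a") as fh:                            # size and checksum of f2 change
        fh.write("tampered\n")
    os.link(f2, os.path.join(root, "f2-link"))           # link count of f2, new entry
    with open(os.path.join(root, "f3"), "w") as fh:      # file added to the directory
        fh.write("new\n")
    after = baseline(root)

    # Report as (relative path, parameter); "." is the monitored directory itself.
    return {(os.path.relpath(p, root), param) for p, param, _, _ in compare(before, after)}


if __name__ == "__main__":
    for item in sorted(demo()):
        print(item)
```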
Log Analysis
Log analysis mainly performs:
Pattern matching
Pattern matching with correlation between events
Anomaly detection
Here I will be discussing the functionalities of two tools that do the above job:
Swatch is a simple tool used for pattern matching
SEC is used for pattern matching with correlation between events
Swatch detects attacks by the following procedure:
Applying regular expressions to log files.
Echoing matching log lines to the terminal Swatch is running on.
Mailing an alert to a recipient on a match.
Running a defined command when there is a detection.
Warning the logged-in user using write.
Flood protection by throttling alerts.
Thresholds, i.e. warning on limits.
Following rotated log files.
Acting only during the defined time-frame when there is a pattern match.
SEC is similar to Swatch and performs all the functions that Swatch does; along with that it adds the correlation of events.
Functionalities of SEC:
Creation of a context and addition of items to the context on the match of a line.
Aliasing or unaliasing a context.
Matching only when a context exists.
Categorizing multiple events of the same type into one.
Assignment of values to variables.
Performing actions on a match based on the output of scripts; the action differs based on the output.
Creating events based on the current time and date.
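As an added example (not code from the dissertation, Swatch or SEC), the following log analyser applies the ideas listed above to constructed auth.log style lines: Swatch-style regular expression matching with a threshold and alert throttling (flood protection), and SEC-style correlation, where a burst of failed logins creates a context and a later successful login matches only while that context exists. The log lines, IP addresses and the default year for timestamps are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in syslog/auth.log style (not from any real host).
SAMPLE_LOG = """\
Mar 14 10:00:01 srv sshd[1201]: Failed password for root from 10.0.0.5 port 40001 ssh2
Mar 14 10:00:03 srv sshd[1202]: Failed password for root from 10.0.0.5 port 40002 ssh2
Mar 14 10:00:04 srv sshd[1203]: Failed password for admin from 10.0.0.9 port 50001 ssh2
Mar 14 10:00:05 srv sshd[1204]: Failed password for root from 10.0.0.5 port 40003 ssh2
Mar 14 10:00:06 srv sshd[1205]: Failed password for root from 10.0.0.5 port 40004 ssh2
Mar 14 10:00:07 srv sshd[1206]: Failed password for root from 10.0.0.5 port 40005 ssh2
Mar 14 10:00:08 srv sshd[1207]: Failed password for root from 10.0.0.5 port 40006 ssh2
Mar 14 10:00:20 srv sshd[1208]: Accepted password for root from 10.0.0.5 port 40007 ssh2
Mar 14 10:03:00 srv sshd[1209]: Failed password for admin from 10.0.0.9 port 50002 ssh2
Mar 14 10:10:00 srv sshd[1210]: Accepted password for bob from 10.0.0.42 port 51000 ssh2
"""

# Swatch-style patterns: one to split the syslog header, two for the events of interest.
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>[\d.]+)")

THRESHOLD = 5                      # failures per source within WINDOW raise an alert
WINDOW = timedelta(seconds=60)     # sliding window for the threshold and the context
THROTTLE = timedelta(minutes=5)    # flood protection: one brute-force alert per source


def parse_ts(text, year=2011):
    """Syslog timestamps carry no year; the year is an assumed constant here."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def analyse(log_text):
    """Return alerts as (time, kind, source, detail) tuples."""
    failures = defaultdict(deque)  # src -> timestamps of failures inside WINDOW
    last_alert = {}                # src -> time of the last brute-force alert
    context = {}                   # src -> time the "brute force" context was last set
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                                  # not a line we monitor
        ts, msg = parse_ts(m.group("ts")), m.group("msg")

        f = FAILED.search(msg)
        if f:
            src = f.group("src")
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > WINDOW:           # drop events outside the window
                q.popleft()
            if len(q) >= THRESHOLD:
                context[src] = ts                     # SEC: create/refresh a context
                # Swatch-style throttling: repeated hits inside THROTTLE are one alert
                if src not in last_alert or ts - last_alert[src] > THROTTLE:
                    last_alert[src] = ts
                    alerts.append((ts, "bruteforce", src, len(q)))
            continue

        a = ACCEPTED.search(msg)
        if a:
            src = a.group("src")
            # SEC: this rule matches only while the context for the source exists
            if src in context and ts - context[src] <= WINDOW:
                alerts.append((ts, "success_after_bruteforce", src, a.group("user")))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```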
Connection Analysis
Connection analysers monitor connections, i.e. requests that are made to the system. This includes unauthorised connections, port scans and other session and network connection activity. The list is tabulated below.
A connection analyser detects based on these features; here I would like to take the example of scanlogd and PortSentry:
Feature                               Description
Unauthorised TCP and UDP connections  Scanlogd reports in the system log file on detecting connections to unauthorised TCP and UDP ports.
Portscan detection                    It also detects SYN, FIN and XMAS types of portscan.
Flood protection                      It protects the system's logfile from being filled up.
PortSentry                            This is a more advanced implementation.
Port binding                          It binds to administratively selected ports and also effectively prevents unauthorised programs on the system from binding to these ports.
Host blocking                         It actively blocks an offending host. This is possible by running a specific command to block.
Banner display                        PortSentry offers the option to display a banner to the offender.
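An added example (not code from the dissertation, scanlogd or PortSentry) of the two detection features in the table: classifying probe packets by their TCP flag combination (SYN, FIN, XMAS) and raising one alert per source that touches many distinct ports in a short window, so that a long scan cannot fill the log. The packet records are constructed tuples of (time, source, destination port, flags) standing in for what a sniffer would hand over.

```python
from collections import defaultdict, deque

# TCP flag bits as they appear in the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def probe_kind(flags):
    """Classify a packet by flag combination; None means ordinary traffic."""
    if flags == SYN:
        return "SYN"                       # bare SYN: connection attempt / SYN probe
    if flags == FIN:
        return "FIN"                       # bare FIN with no session: FIN probe
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "XMAS"                      # FIN+PSH+URG "lit up": XMAS probe
    return None                            # ACK/PSH-ACK etc. belong to a session


# Constructed packet records (time in seconds, source IP, destination port, flags).
# 10.0.0.7 sweeps ten ports with SYNs, 10.0.0.8 sends XMAS probes to eight ports,
# and 10.0.0.42 is an ordinary established SSH session.
SAMPLE_PACKETS = (
    [(0.1 * i, "10.0.0.7", 20 + i, SYN) for i in range(10)]
    + [(1.0 + 0.2 * i, "10.0.0.8", 100 + i, FIN | PSH | URG) for i in range(8)]
    + [(2.05, "10.0.0.42", 22, SYN), (2.15, "10.0.0.42", 22, ACK),
       (2.25, "10.0.0.42", 22, PSH | ACK)]
)


def detect_scans(packets, min_ports=7, window=3.0):
    """Alert once per source probing >= min_ports distinct ports within `window` s.

    Reporting a source only once is the flood protection from the table above."""
    recent = defaultdict(deque)   # src -> (time, port, kind) seen inside the window
    reported = set()
    alerts = []
    for t, src, port, flags in sorted(packets, key=lambda p: p[0]):
        kind = probe_kind(flags)
        if kind is None:
            continue
        q = recent[src]
        q.append((t, port, kind))
        while q and t - q[0][0] > window:          # slide the window forward
            q.popleft()
        ports = {p for _, p, _ in q}
        if len(ports) >= min_ports and src not in reported:
            reported.add(src)
            kinds = sorted({k for _, _, k in q})
            alerts.append({"src": src, "ports": len(ports), "kind": "/".join(kinds),
                           "first": q[0][0], "last": t})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_PACKETS):
        print(alert)
```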
Kernel based IDS:
LIDS and IDSpbr are two pieces of kernel based IDS software. These are widely used IDS in Linux. Here I would like to discuss the features of LIDS and IDSpbr.
Functions of a kernel based IDS:
Protecting processes, blocking signals from unauthorized users.
Blocking network related tampering like changes in firewall settings.
Preventing kernel module loading or unloading.
Preventing raw disk I/O.
Discovering the ACLs that are needed.
Sending security alerts using SMTP.
Features of IDSpbr:
Detecting the exploitation of stack or heap buffer overflows by monitoring execve() calls.
Identifying the exploitation of symbolic link race conditions or other insecure symbolic links.
Identifying local DoS attacks.
Killing processes that are involved in an attack.
Sending alerts using SMTP and writing to the console or syslog.
Increasing the level of suspicion when the processes are more powerful, i.e. root processes, or dangerous.
Anomaly detection based on the order of system calls per process.
2.5 Tools of Implementation
NSMnow
NSM is a package which acts like a platform for integrating OSSEC and SGUIL. By installing NSM all the other supporting packages get installed.
It acts as a server to which all the other tools can be integrated; even the tools of a NIDS can be integrated with NSMnow.
On installation, the NSMnow package installs these packages by default:
SGUIL.tk: the client application for SGUIL.
Wireshark: a network monitoring tool.
MySQL: used as the database for this application.
SGUILd: the server application for SGUIL.
Snort: a tool for detecting network intrusions.
snort_agent, pcap_agent, sancp_agent: used for the addition of agents.
Barnyard2: also a supporting tool.
NSM package
Figure 5 Details of NSM package.
The other tool we use in the project is OSSEC, which is shown below.
Figure 6 Details of OSSEC
OSSEC is added as one of the sensors of the NSM and it is integrated with SGUIL.
OSSEC
OSSEC is an open source HIDS with a powerful correlation and analysis engine, with all the features mentioned in 1.1.3.
It supports almost all operating systems, like Linux, Mac, Windows, OpenBSD, CentOS, FreeBSD, etc.
It supports all the features mentioned in 1.1.2. It is even used in ISPs and universities.
Trend Micro is the organization behind it, and it even offers enterprise class commercial support.
Requirement Analysis and Design
3.1 Project Analysis:
The first phase of requirement analysis is system analysis. This is an important phase in any project development. Analysis of the project demands an insight into each and every phase involved in the project. The objective of the analysis phase in this project is to identify the requirements of the project and set a plan for implementation, testing and deployment.
As the phases were discussed earlier, once again let us have a glimpse of the phases of the project:
Requirement analysis
System design
Implementation
Testing
Inferences and maintenance
3.2 Feasibility Study:
The feasibility study is to find out how feasible the project is and to what extent the proposed system can be developed in the real-time environment with the existing resources. As every project has its own limitations and constraints, a report is to be generated from the project analysis. The feasibility report for this project is presented below.
In terms of technical, behavioral, economic and time constraints, the following feasibility report is generated.
Technical feasibility:
The technical feasibility report is generated from the technology that exists and the one which is proposed in the system. In this we analyze the existing hardware and software technologies and compare them with the proposed system.
Project technical feasibility
From the point of technical feasibility it is flexible to implement in Ubuntu 8.04 and above, which is the version chosen.
The project will be feasible to implement in the Linux Ubuntu 8.04 and above environment. If the version is above 9.10, i.e. 10.04, the installation becomes a bit tedious.
Ubuntu is more feasible than Red Hat Linux because it is open source software and has a good graphical user interface which makes things easy.
There is also good support from OSSEC and SGUIL.
There is good availability of the .tar and .deb files for the SGUIL and OSSEC software.
There is also good availability of the support files for the installation of the
Behavioral feasibility:
Behavioral feasibility is studied to identify the acceptance by users of the changes made to the system, which facilitates the users adapting to the changes made by introducing the new software.
In simple terms these are features of understanding the system from the end user's perspective.
Project behavioral feasibility:
From the administration side this project is widely accepted in usage. It is going to introduce new features which make the system administration tasks much easier and highly capable.
This can be highly acceptable from the administrative perspective as it supports a cross platform architecture, but at the same time it is an accepted fact that installing and configuring these becomes a tedious job at times.
From the user's point of view there may be a small resistance because of the security issues: this software blocks most of the administrative tasks which are protected under privileged mode.
If there is a lack of hardware support it may slow down the system performance.
Economic feasibility:
Economic feasibility can be defined as the feasibility of the existing and available resources for implementing the project. It should specify the cost of extra hardware, software or any other requirement which is mandatory for the implementation. It defines which are affordable in terms of cost. Maintenance and enhancements will also have a financial effect.
In this project we are using each and every piece of software from open source, so all of these are available free of cost. The OS (Ubuntu), the OSSEC server and the SGUIL server are free of cost as they are free software.
The hardware is also the local systems from the university; if possible it may need 3 systems connected in a LAN, all of which are easily available from the university. Hence the implementation of this project is very feasible.
3.3 System requirements
This defines the software and hardware that are required for the implementation of this project.
Software requirements:
OSSEC 2.4.1 tar.gz
SGUIL 0.7.0 tar.gz
Operating System: Linux Ubuntu 8.04
Hardware specifications:
Intel Pentium IV processor
Minimum 512 MB RAM or above
Minimum 2 GB hard drive
3.4 Procedure of Implementation
UNIX has lots of tools to perform intrusion detection; based on the number of users we improve the functionalities of the implementation.
Number of users               Things to be monitored and tools
Few users                     Connections from outside; integrity of the system
A very large number of users  Connectivity monitoring (TCP wrappers and lastlog); log files (syslog); system and user log files (syslog); process monitoring (lsof); disk usage monitoring (ftpd to log all file transfers); system auditing (audit)
http://staff.science.uva.nl/~delaat/snb-2004-2005/p19/report.pdf
According to the waterfall life cycle model we will be implementing this project in 5
phases.
Phase 1:
Requirement: we completed this part in the section above.
Phase 2:
Design: as we are not building any software code, this phase has less significance in
this project.
Phase 3:
Installation:
It mainly includes the installation of the NSM software, the OSSEC server,
the SGUIL software, etc.
Configuration:
It includes the configuration of the OSSEC server and the SGUIL server. If they are
deployed on a LAN then they must be configured for the network.
Unit testing:
In this phase we perform unit testing on the individual components.
Phase 4:
Integration:
In this phase the OSSEC HIDS is integrated with SGUIL.
System testing:
Here we perform testing of the entire system: intrusion detection, OSSEC
functionalities, alerts, logs and the other features of SGUIL.
Phase 5:
Monitoring:
After successful installation, configuration and testing, monitoring is the
next phase, where functionalities like intrusion detection and monitoring of the
systems are recorded or observed.
Action:
Action includes either blocking the process, or sending email or other alerts
to the administrator.
Maintenance:
This is the final part of the project, which includes the maintenance of the
system and the other responses to the detection of an intrusion in the network.
3.5 Input/output design
GUI input
1. First, a window prompts the administrator to log in at the SGUIL user interface
prompt, where the user needs to enter a user name and password to authenticate
to the SGUIL server. The authentication form is shown below.
Figure 6: SGUIL authentication
After authenticating with the SGUIL server the user is directed to the SGUIL graphical user interface, shown below.
Through this graphical user interface the administrator can monitor the changes in all the systems. He is also capable of performing a few administrative tasks through the GUI options.
Output
Figure: SGUIL GUI output after authentication
However, this is not as powerful as the command prompt, because the command prompt gives the administrator complete command over the target system.
Figure 7: output using the command prompt
In the command prompt both the input and the output are displayed in the same terminal, as this is on the server side and does not use a GUI.
IMPLEMENTATION
4.1 System implementation
The implementation phase of software development is concerned with translating
design specifications into source code.
But this is not applicable in this project, because we are not writing any code; we
will just be using the existing tools and integrating them to make a highly capable
application, which we then test to detect intrusions in the system.
The first step of our implementation is the successful installation of the OSSEC server
and SGUIL on the Linux platform.
In this chapter we will be implementing phase 3 (installation and configuration)
and phase 4 (integration) of the waterfall life cycle model. The phase 3 unit testing and phase 4
system testing are covered in the next chapter, i.e. Testing.
4.2 Installation and configuration (phase 3 of waterfall LCM)
Installation of OSSEC
Download the latest version of OSSEC, ossec-hids-2.4.1.tar.gz:
Cmd: wget http://www.ossec.net/files/ossec-hids-2.4.1.tar.gz
Extract the tar file: tar -xvf ossec-hids-2.4.1.tar.gz
Change into the extracted OSSEC directory: cd ossec-hids-2.4.1
Install using the install script: ./install.sh
Installation of NSM
Download the latest version of NSMnow:
Cmd: wget <the download link here>
Extract the tar file using tar -xvf on the downloaded archive.
Change into the extracted NSMnow directory.
Install it using the installation file:
./NSMnow -i
The process of installation may look very simple, but it is the most difficult job,
because it involves issues like version conflicts and compatibility with other software,
availability of repositories, dependencies and broken packages.
The next step is the configuration of the OSSEC server and the SGUIL server.
Configuration of OSSEC server
Pre-requirement: OSSEC needs a C compiler, so it is suggested to install the gcc
compiler before you proceed.
After the successful installation of OSSEC, during configuration it prompts for the language:
Type en for English.
Type local for the server type while configuring, as we will be using it on the local
system.
For all the locations and paths it is preferable to use the default paths.
Answer Y to enable the email notifications and enter a valid email ID.
Answer Y to enable the SMTP server.
Answer Y to enable the integrity check daemon.
Answer Y to enable the rootkit detection engine.
Answer Y to enable active responses and also for firewall drop.
For now, answer N to adding more hosts.
Finally, to start the OSSEC server the following command is used:
/var/ossec/bin/ossec-control start
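The answers given to install.sh above can be recorded in a file so the same server build is repeatable and reviewable. The following is an added example in shell, not part of the dissertation and not OSSEC's own tooling; it assumes install.sh reads etc/preloaded-vars.conf in the unpacked source tree and honours the USER_* names shown (check against the copy shipped in the ossec-hids tarball), and the email address, SMTP host and white-listed 127.0.0.1 are placeholder values:

```shell
#!/bin/sh
# Added example (not from the dissertation or OSSEC): record the answers given
# to install.sh as a preloaded-vars.conf so the server build is repeatable.
# Assumption: install.sh reads etc/preloaded-vars.conf in the unpacked source
# tree and honours the USER_* names below; confirm against the copy shipped in
# the ossec-hids tarball before use.

# ossec_preloaded_vars EMAIL SMTP_HOST: prints the config on stdout, mirroring
# the prompts above (en, local, default paths, email, syscheck, rootcheck,
# active response with firewall-drop, no extra agents).
ossec_preloaded_vars() {
    cat <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="local"
USER_DIR="/var/ossec"
USER_ENABLE_EMAIL="y"
USER_EMAIL_ADDRESS="$1"
USER_EMAIL_SMTP="$2"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_FIREWALL_RESPONSE="y"
USER_WHITE_LIST="127.0.0.1"
EOF
}

# _ovar NAME FILE: value of NAME="..." in FILE (empty if absent).
_ovar() {
    sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p" "$2"
}

# ossec_check_vars FILE: returns 1 and explains on stderr when the answers are
# inconsistent in ways the interactive prompts do not catch.
ossec_check_vars() {
    f="$1"; bad=0
    case "$(_ovar USER_INSTALL_TYPE "$f")" in
        local|server|agent) ;;
        *) echo "USER_INSTALL_TYPE must be local, server or agent" >&2; bad=1 ;;
    esac
    if [ "$(_ovar USER_ENABLE_FIREWALL_RESPONSE "$f")" = "y" ] &&
       [ "$(_ovar USER_ENABLE_ACTIVE_RESPONSE "$f")" != "y" ]; then
        echo "firewall-drop needs active response enabled" >&2; bad=1
    fi
    if [ "$(_ovar USER_ENABLE_ACTIVE_RESPONSE "$f")" = "y" ] &&
       [ -z "$(_ovar USER_WHITE_LIST "$f")" ]; then
        echo "active response without a white list can block the admin host" >&2; bad=1
    fi
    if [ "$(_ovar USER_ENABLE_EMAIL "$f")" = "y" ] &&
       { [ -z "$(_ovar USER_EMAIL_ADDRESS "$f")" ] || [ -z "$(_ovar USER_EMAIL_SMTP "$f")" ]; }; then
        echo "email enabled without address or SMTP host" >&2; bad=1
    fi
    return "$bad"
}

# Usage (placeholder address and host):
#   ossec_preloaded_vars admin@example.test smtp.example.test \
#       > ossec-hids-2.4.1/etc/preloaded-vars.conf
#   ossec_check_vars ossec-hids-2.4.1/etc/preloaded-vars.conf && \
#       (cd ossec-hids-2.4.1 && ./install.sh)
```

The check function catches two combinations the prompts accept silently: firewall-drop with active response disabled, and active response without a white list, which can cut off the administrator's own workstation once a noisy rule fires.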
Configuration of NSM, i.e. SGUIL
Command                  Functionality
Set DBNAME SGUILdb       Sets the database name to SGUILdb.
Set DBPASS password      Sets the database password to "password".
Set DBHOST 127.0.0.1     As we are using the local system as the client, we use
                         127.0.0.1 as the client, i.e. the host.
Set DBPORT 3306          This is the port of the MySQL database.
Set DB_USER SGUIL        Sets the database user to SGUIL.
The following files are checked for detection of intrusion. This is used only
in the case of terminal output; as we have the SGUIL GUI we may not need these, but from
an administrative point of view these files are very useful:
/var/log/messages, /var/log/auth.log, /var/log/syslog, /var/log/mail.info
By this we complete our second objective of the project, i.e. installation and configuration
of OSSEC and SGUIL.
4.3 Integration of OSSEC with SGUIL (Phase 4 of Waterfall LCM)
This is one of our objectives in the project, i.e. integration of OSSEC with SGUIL. This can
be achieved easily by using the NSM package.
Before integrating OSSEC with SGUIL we need to configure OSSEC and SGUIL
individually.
First I will demonstrate the individual configuration, then we integrate these two.
NSM is a package which installs all the required components like MySQL, pcap, ncap, tcl,
libcap and other things.
NSM by default also includes SNORT, which is a NIDS.
NSM treats these IDSs as sensors and acts as a platform on which the installed IDSs
are added as sensors. Moreover, NSM is also capable of installing the SGUIL server.
All these are discussed in the literature review regarding NSM.
So, now it's time to add a sensor called OSSEC to the NSM platform:
Set the sensor name
Set eth0 for the OSSEC sensor
Set all data paths to default
Set the server host to 192.168.1.1
Set the server database name as server_db1
Set the database user as SGUIL
Set the default client password
Set the SGUIL client id to 127.0.0.1
Core part of integration
Command                Functionality
nsm                    Displays the list of sensors added to the NSM
nsm_server_add         Sets the name of the server
Step 1. Type nsm_server_add and set the server name as OSSEC.
Step 2. It prompts for the sensor name; set it as it was configured before, i.e. in our
case sensor 1.
Step 3. It prompts for the sensor port; set it as 7777.
Step 4. It prompts for the client port; set it as 7778.
Step 5. It prompts for the initial client username; set it as SGUIL.
Step 6. It prompts for the initial client password; set it to password.
Step 7. It prompts for the NSM administrative auto script; type Y.
Step 8. It prompts y/n for creation of the server; type Y.
Testing: the sensor can be tested by typing the ls command in the nsm directory. It
should display the OSSEC sensor added to nsm.
Final step of integration
Step 9. Move to the location /root/home/ossec_agent.
Step 10. Execute the command below:
./ossec_agent.tcl -o -c ossec_agent.conf -f /var/ossec/logs/alerts/alerts.log -p 1
Later, run the SGUIL client file, i.e. sguil.tk.
On execution of the above command it opens the SGUIL interface, connecting to
the SGUIL server, and prompts for authentication; the window is shown below.
On authentication with the SGUIL server it opens the SGUIL GUI with all the features enabled
in it.
Now it's time to verify the NSM sensor list (i.e. that OSSEC is added to the sensor list
of NSM) and also to test the functionalities of the individual components and the integrated
components, i.e. SGUIL and OSSEC. To verify the implementation of the project it has to
be tested using different types of testing methodologies.
TESTING
Introduction to testing:
Testing is the process of finding bugs and errors in software. In other terms, testing
can be defined as a way of trying to make the system fail in as many ways as possible. This is to
ensure the reliability of the software.
It can also be used to assess the functionality and the implementation, and to
detect errors. Testing plays a very crucial role in ensuring quality. The
results of testing are used later during maintenance.
5.1 Testing objectives:
The main objective of testing is to uncover the errors, flaws, deviations, etc.
which may cause the system to fail to work as per the requirement specification. Formally we can
say testing is a process of executing a program with the intent of finding an error. Its
characteristics are:
A successful test is one that uncovers an undiscovered error.
A good test case is one that has a high probability of finding an error.
Tests alone are inadequate to detect every error that may be present.
Testing confirms the quality and reliability standards.
The following are some of the testing methods applied for testing the project:
Source code testing:
This examines the logic of the code, i.e. the system. If we get the output
required by the user then we can say that the logic is correct.
But this is not applicable in our case, because in this project we are not writing any
code; we are just using existing code.
Module level testing:
Here errors are found at each individual module, which encourages the programmer to
find and rectify them without affecting the other modules.
5.2 Levels of testing:
In order to uncover the errors present in the different phases we have the concept
of levels of testing.
Unit testing:
Unit testing is aimed at the smallest unit of software, i.e. the module. The detailed
design and the process specification are used to uncover the errors within the
module. All modules must pass the unit test before we proceed to integration
testing.
Integration testing:
An integration test is performed with the goal of testing the integration, emphasizing the
interfaces between modules.
This testing activity can be considered as testing the design, i.e. testing module interactions.
System testing:
Here the entire software system is tested. All the functionalities which were
mentioned in the requirement specification are tested. It is tested to see that it meets all the
requirements and functionalities of the system.
Acceptance testing:
Acceptance testing is performed with realistic input data to demonstrate the
satisfactory working level of the software. It is focused on the external behavior of the
system; the internal logic of the program is not emphasized. Test cases should be selected
so that the largest number of attributes of an equivalence class is exercised at once. It is
the process of finding errors and missing operations, and a complete verification to
determine whether the objectives are met and the user requirements are satisfied.
White box testing:
This is the unit testing method where one unit is taken at a time and tested
thoroughly at the statement level to find the maximum possible errors. White box testing
is also called glass box testing.
Black box testing:
This testing method considers a module as a single unit and checks the unit at its
interface and its communication with other modules, rather than getting into details at the statement
level. Here the module is treated as a black box that takes some input and
generates output. The output for a given set of input combinations is forwarded to the other
module.
Let us have a tabulated look at the testing methods that are applicable in our project.
Test method            In our scenario
Module level testing   In our case module level testing is applied to OSSEC and SGUIL
                       after their installation and configuration.
Unit testing           In our case unit testing is testing the individual components
                       like pcap, jcap, etc.
Integration testing    In our project integration testing is performed after the
                       integration of OSSEC and SGUIL. Integration testing is also
                       performed after the installation and configuration of NSM.
System testing         System testing is performed after the complete implementation
                       of the project.
Acceptance testing     Acceptance testing is performed with all the possible values
                       and limitations of inputs, but this is a bit of a tedious job
                       because in our case it has a very wide range.
White box testing      Here the unit can be termed as a single individual component
                       like pcap, libcap etc., so all these individual components are
                       to be tested.
Black box testing      Black box testing is performed after the installation of
                       NSM and the integration of OSSEC and SGUIL.
5.3 Test plan:
Testing begins with a plan to test and ends with acceptance testing. A test plan is a
general document for the entire project that defines the scope, approach and
schedule of testing. It identifies the test items for the entire testing process and the
person who is responsible for testing. Test planning can be done well
before the actual testing commences; in parallel, it can be done during the coding and design
phases. These are the documents required to set up a test plan:
Project plan
Requirements document
System design document
A test plan should contain the following:
Test unit specification
Features to be tested
Approaches for testing
Test deliverables
Schedule
Personnel allocation
One of the most important activities of the test plan is to identify the test units.
Design of the test plan for the project
In our case we begin with the unit test.
Step 1. We begin with unit testing and test the individual components. This is after the
installation of NSM.
Step 2. Next we perform modular testing after the installation and configuration of
OSSEC and SGUIL.
Step 3. Next we proceed with integration testing after the integration of SGUIL and
OSSEC.
Step 4. Finally we perform system testing after the implementation process and test the
entire system.
Step 5. After system testing we do acceptance testing to figure out the possible inputs
that can be accepted by the system from the user's perspective.
Features to be tested:
In this scenario the features to be tested include:
The installed packages and their compatibility with each other.
The individual components and the availability of dependent repositories.
Functioning of the individual components and their inter-dependency.
The characteristics specified by the requirements and design documents, including
functionality, performance, design constraints and attributes.
Finally, all the functional requirements specified in the requirements documents
have to be tested.
Approach for testing:
The approach for testing specifies the overall approach to be followed in
the current project. This is sometimes called the testing criteria.
5.4 Test case report:
Above I mentioned all the test cases that are used for testing.
The conditions that are to be tested, along with the test cases and the testing
procedure, are given below. The expected outputs are also shown.
Test cases have been selected for both valid and invalid inputs.
As this project is implemented on the local system, on a single machine, everything is
tested on the same system. The application is tested on the system with these steps and
conditions.
Test for hardware
As we install the Ubuntu OS, it requires a minimum of 256 MB of RAM, so before we
proceed it is necessary to have a minimum of 256 MB of RAM.
The system configuration can be seen in the system configuration file.
Test for network connectivity
If the same project is installed on a group of systems in a network then it is necessary to test
the following on these systems:
The NIC card is properly installed on each system connected to the network and is
working.
The systems are properly connected in a network and connected to the server system.
This can also be tested using the ping command by pinging each system, but in our case we
are using only the local system.
Test for phase 3 (unit testing)
We perform the unit testing in phase 3 of the project life cycle, i.e. after the
installation and configuration of OSSEC and SGUIL as described in the installation
procedure.
In the terminal type these commands:
Command for testing                    Test description
/var/ossec/bin/ossec-control start     Starts the OSSEC HIDS server; it displays an error if
                                       there is any failure in starting the OSSEC server, and
                                       the cause can be traced from the displayed error messages.
/var/init.d/ossec status               Displays the status of all the components of OSSEC.
/var/init.d/sguild status              Gives the status of all the components of SGUIL.
If there is a failure in any individual component then we can debug it. This is the unit
testing we do in phase 3 of the project. The same is repeated with the individual
components of the NSM package.
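The status commands above are read by eye in the dissertation. As an added example, not part of the dissertation, the following shell script turns the ossec-control status check into something that can run unattended, so a daemon that silently failed to start (the mail daemon, for instance, which is what a missing email notification usually traces back to) is reported by name. It assumes the OSSEC install root /var/ossec (override with OSSEC_DIR) and that ossec-control prints one line per daemon ending in "is running..." or "not running..."; the sample status text is constructed, not captured from the dissertation's system:

```shell
#!/bin/sh
# Added example (not from the dissertation): turn the "ossec-control status"
# unit test into a check that can run unattended. Assumptions: the OSSEC
# install root is /var/ossec (override with OSSEC_DIR) and ossec-control
# prints one line per daemon ending in "is running..." or "not running...".

# ossec_status_failed: reads ossec-control status output on stdin, prints
# the name of every daemon reported as not running, returns 1 if any.
ossec_status_failed() {
    down=0
    while IFS= read -r line; do
        case "$line" in
            *" not running"*)
                printf '%s\n' "${line%% *}"   # first word is the daemon name
                down=1 ;;
        esac
    done
    return "$down"
}

# ossec_unit_test: runs the real status command and applies the check above.
ossec_unit_test() {
    "${OSSEC_DIR:-/var/ossec}/bin/ossec-control" status | ossec_status_failed
}

# Constructed sample of a local-mode server where the mail daemon has not
# come up; not real output captured from the dissertation's system.
SAMPLE_STATUS='ossec-monitord is running...
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...'

# Stand-alone demo: report whether any daemon in the sample is down.
if printf '%s\n' "$SAMPLE_STATUS" | ossec_status_failed >/dev/null; then
    echo "sample: all daemons running"
else
    echo "sample: at least one daemon down"
fi
```

Because the check reads its input from stdin, the same function works over SSH for a remote server: ssh root@<host> /var/ossec/bin/ossec-control status | ossec_status_failed.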
Then we perform the modular testing on OSSEC and NSM as a whole.
For OSSEC it is tested by opening the config file in the OSSEC directory.
OSSEC functions can also be tested by opening the log files, such as those under /ossec/var/log.
If the system is remote, the admin can view the log files of the remote system by
logging in with ssh root@<ip address> and then opening the log files under /ossec/var/log.
For NSM run the command /etc/init.d/NSMnow status; it displays the list of all its components
and whether they are functioning.
After the integration of OSSEC and SGUIL, log in and check the individual
functionalities.
Test for phase 4 (system testing)
System testing is performed after the integration of OSSEC and SGUIL.
The key questions to be answered by this testing are:
Was the integration of these two tools successful?
Are all the functionalities met after the integration?
The first question is answered by running the file sguil.tk from OSSEC. If it prompts for SGUIL
authentication and the authentication succeeds, it implies that the tools were integrated properly.
The functionalities are tested after logging into the SGUIL GUI.
In our project we could not test all the functionalities of the SGUIL GUI.
5.5 Test report
Test                                              Error
Incorrect SGUIL database name                     Database not found
Incorrect SGUIL database username or password     Incorrect username and password
Cannot find symbol                                The symbol is not instantiated correctly in that location
Incorrect package usage                           Package not found
NIC incorrect details                             Cannot get details of the network
Test for intrusion detection
An intrusion is detected by viewing the alerts. Below are a few alerts generated in
the system when tested locally.
Figure: performing root check analysis
Figure: detecting the intrusion and identifying it through alerts (list of details, path and other details)
The description of the alerts is shown above.
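The test for intrusion detection above is done by reading the alerts off the screen. As an added example, not part of the dissertation, the following shell script summarises the same alerts.log file that the ossec_agent.tcl command in section 4.3 feeds to SGUIL, so a practitioner can confirm that OSSEC is producing alerts of a given level before looking for the problem in the SGUIL integration. It assumes the OSSEC 2.x alert layout, i.e. a header line "** Alert <timestamp>: ..." followed by a line "Rule: <id> (level <n>) -> '<description>'", and the default log path /var/ossec/logs/alerts/alerts.log; the sample alerts are constructed in that layout, not captured from the dissertation's system:

```shell
#!/bin/sh
# Added example (not from the dissertation): summarise OSSEC alerts.log from
# a terminal. Assumptions: the OSSEC 2.x alert layout ("** Alert <ts>: ..."
# header, then "Rule: <id> (level <n>) -> '<desc>'") and the default log
# path /var/ossec/logs/alerts/alerts.log.

# ossec_alert_summary MINLEVEL: reads alerts.log on stdin and prints one line
# per alert whose level is >= MINLEVEL: "<timestamp> level=<n> rule=<id> <desc>".
ossec_alert_summary() {
    awk -v min="${1:-0}" '
        /^\*\* Alert / { ts = $3; sub(/:$/, "", ts) }       # timestamp.id
        /^Rule: / {
            id = $2                                        # rule id
            lvl = $4; sub(/\)$/, "", lvl)                  # "5)" -> "5"
            desc = $0; sub(/^.*-> /, "", desc)             # quoted description
            if (lvl + 0 >= min + 0)
                printf "%s level=%s rule=%s %s\n", ts, lvl, id, desc
        }'
}

# ossec_alert_count MINLEVEL: number of alerts at or above MINLEVEL.
ossec_alert_count() {
    ossec_alert_summary "$1" | wc -l | tr -d ' '
}

# sample_alerts: constructed alerts in the alerts.log layout (a failed SSH
# login, a rootcheck anomaly, an SSH brute-force correlation alert).
sample_alerts() {
    cat <<'EOF'
** Alert 1285495200.1001: - syslog,sshd,authentication_failed,
2010 Sep 26 10:00:00 localhost->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
User: root
Sep 26 10:00:00 localhost sshd[1234]: Failed password for root from 10.0.0.5 port 4321 ssh2

** Alert 1285495260.1002: - ossec,rootcheck,
2010 Sep 26 10:01:00 localhost->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/tmp/.hidden' is owned by root and has write permissions to anyone.

** Alert 1285495320.1003: mail  - syslog,sshd,authentication_failures,
2010 Sep 26 10:02:00 localhost->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 10.0.0.5
Sep 26 10:02:00 localhost sshd[1240]: Failed password for root from 10.0.0.5 port 4325 ssh2
EOF
}

# Stand-alone demo: everything at level 7 or above in the sample.
sample_alerts | ossec_alert_summary 7
```

On the server itself run ossec_alert_summary 7 < /var/ossec/logs/alerts/alerts.log; for the remote case described in the phase 3 test, pipe the file over SSH instead: ssh root@<host> cat /var/ossec/logs/alerts/alerts.log | ossec_alert_summary 7.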
SELF-EVALUATION
We began the project with the objective to install, configure and integrate
OSSEC and SGUIL.
Initially, in the methodology part, the implementation was according to the waterfall
model. The order of sequence has helped this project to achieve its goals. The
implementation methodologies and testing procedures were very useful for the successful
implementation of the project. The test report is very informative and very self-
explanatory, which made the testing very easy and explains the different conditions to be
tested and requirements to be met.
I would like to comment that the results are good, but it would be much better if I
had implemented this in a lab, because a lab would enable me to install OSSEC in server
mode and it would be much more real-time in nature. The representation of intrusion is
very much enhanced by using the SGUIL GUI.
This project even supports a cross-platform architecture and it was capable of identifying
intrusions by rootkit detection, file integrity checking, file monitoring and alerting using email
and other notifications. It can even monitor network traffic and multiple hosts; it can
detect and even generate reports of files being attacked, intrusion types and attacks. The
output of the project is up to an acceptable level.
A few points were newly introduced into the document, like testing through SSH and a few others.
These are just ideas from different papers which were incorporated in this
implementation. Anyhow, these added a few more features to the project.
Achievements
The following are the achievements of the project:
Successful installation of OSSEC, NSM and their dependencies.
Successful configuration of OSSEC and NSM.
Successful addition of OSSEC as a sensor to NSM.
Successful integration of OSSEC with SGUIL.
Detection of intrusions.
Generating the alerts.
Remote access to the system by the administrator.
In the project the following issues remained unachieved because of the time
constraint:
Email notification alert on detection of an intrusion. This is because of an SMTP server
issue.
Proper alerts on the SGUIL GUI; the only reason for this is the time constraint.
To be precise, the output using the SGUIL GUI remained unachieved.
But the project achieved all its basic goals, i.e. the installation of OSSEC and SGUIL, their
configuration, integration and finally intrusion detection.
DISCUSSION
This project titled 'HOST BASED INTRUSION DETECTION SYSTEM'
or 'HIDS' was implemented as planned, with a few deviations in implementation. It
was implemented to an acceptable level which achieved the basic objectives and goals
discussed earlier in the introduction.
It was a good option that we chose Linux Ubuntu 8.10, because it made the installation
and maintenance easier on the server side. Implementation in Linux made the project a bit real-
time in nature.
Initially I started with Ubuntu 10.04, but because of its higher version it had higher-version
default packages such as MySQL and its related packages. This caused a conflict when
I was installing the NSM package, so I downgraded to Ubuntu 8.10. Then it was quite
compatible and easy to install.
During the installation there were even issues with package dependencies, but these were
resolved using a few commands. NSM and OSSEC were successfully installed and
configured on the local system, and finally these two tools were successfully integrated.
During the testing, when the GUI of SGUIL prompted for authentication it failed. This issue
was unsolved and untraceable, but finally it was resolved by detecting the error at the port.
The functions of OSSEC and the intrusion detection were very successful, to the level of
expectation. This was confirmed after testing the /ossec/var/log files.
A new feature of remote execution is introduced from the administrator's point of view, i.e.
enabling control of the remote system on detection of an intrusion using the SSH command.
Finally, the project was successful in achieving almost all the objectives mentioned at the
beginning of the project, and all the requirement specifications which were stated at the
beginning of the project were achieved with slight deviations within the given constraints.
Limitations of the project
These are a few limitations of the project:
As the size of the network increases, the job of monitoring becomes more difficult to handle.
Implementation and maintenance of this HIDS in a very large network becomes tedious
from the administrator's point of view.
This kind of HIDS can only detect an intrusion rather than preventing it, unlike an intrusion
prevention system. It is not automated in the way an intrusion prevention system is.
CONCLUSION
We were successful in identifying and analyzing the tools for the implementation of
a HIDS. OSSEC and SGUIL were successfully installed and configured as planned
according to our objectives; by this we were successful in achieving the basic objectives of
the project.
The OSSEC HIDS was implemented successfully by the integration of OSSEC and
SGUIL following the procedures of the waterfall life cycle model. The results were up to an
acceptable level, as it was capable of detecting the intrusions within the system based on
the parameters of OSSEC. It even achieved the objectives from the administrator's point of view,
i.e. in monitoring the events and alerts, accessing the logs and controlling them.
Thus the project "HOST BASED INTRUSION DETECTION SYSTEM" with
OSSEC and SGUIL yielded a good result, as we expected at the beginning. Even though
there were small deviations in a few points which remained unachieved, it is highly
acceptable because of the time constraint.
In short, we achieved almost all the basic objectives stated in 1.1.3.
Hence the project is successful.
Future work and recommendations
Scope for the future:
The implementation of the HIDS was completed, but there are still many features which can be
incorporated into it.
NIDS tools can also be combined with the HIDS. For example, NSM by default has
SNORT, a powerful NIDS tool. Integrating this with OSSEC may yield a much more
powerful intrusion detection tool.
There are a few limitations to this implementation, i.e. its maintenance in a bigger network
etc. For these kinds of problems an alternative solution must be found.
This can be improved much more from the administrator's point of view, i.e. higher monitoring
based on other parameters and access to the remote system.
As there are many situations in which even a delay or a network problem may
result in unwanted intrusion detection, this could be improved if alternative parameters were
considered for intrusion detection, but the main drawback is that this is quite
difficult to implement.
Recommendations
Whatever the application or tool being developed, it should be developed in such
a way that it can be extended with the features of reliability, flexibility, and ease of
installation and maintenance.
The features of Linux and its architecture make it more powerful for the implementation of
these kinds of applications on the server side and yield a much better result, e.g. the usage of ssh
in this application for remote access by the administrator. It can even ease the job of
installation and maintenance.
It is an acceptable fact that SGUIL has a good GUI, but it can be refined further and many
more functionalities can be added, e.g. ssh.
The features of an intrusion prevention system, like a response on detection of an intrusion, can be incorporated into these tools.
Bibliography
Zirkle, Laurie (02-12-2008). What is Host-based Intrusion Detection System. Available: http://www.sans.org/security-resources/idfaq/host_based.php. Last accessed 02-09-2010.
Lewallen, Raymond (13-07-2005). Software development life cycle model. Available: http://codebetter.com/blogs/Raymond.lewallen/archive/2005/07/13/129114.aspx. Last accessed 02-09-201.
Ciccarelli, Patrick; Faulkner, Christina (2004). Networking Foundations. San Francisco: Sybex Books. 1-2.
Cole, Eric; Krutz, Ronald; Conley, James W. (2005). Network Security Bible. Indianapolis, IN: John Wiley & Sons Inc. (US).
de Boer, Pieter; Pels, Martin (04-02-2004). Host-based Intrusion Detection Systems. 1.10 (1), 5-26.
chami (19-06-2010). OSSEC and SGUIL integration on CentOS. Available: http://nsmchami.wordpress.com/. Last accessed 02-09-2010.
Bruneau, Guy (15-01-2005). SGUIL configuration and installation, 1-7. Available: http://www.whitehats.ca/downloads/ids/shadow-slack/docs/SGUIL.pdf
Cid, Daniel B. (2007). OSSEC HIDS. OSSEC-ottsec. 1 (1), 4-20. Available: http://www.ossec.net/ossec-docs/ossec-ottsec.pdf
Peltier, Thomas R.; Peltier, Justin; Blackley, John A. (2005). Information Security Fundamentals. Boca Raton, FL: CRC Press.
Strebe, Matthew (2004). Network Security Foundations. San Francisco: Sybex Books.
Slade, Robert (2006). Dictionary of Information Security. Rockland, MA: Syngress Publishing Inc.
Albanese, Jason (2004). Network Security Illustrated. New York: McGraw-Hill Professional.
Lecture Notes in Computer Science: Image Analysis and Processing, ICIAP 2005.
Network Security. O'Reilly Media, March 2004.
Web references
(11-03-2009). Intrusion Detection. Available: http://searchmidmarketsecurity.techtarget.com/sDefinition/0,,sid19 8_gci295031,00.html. Last accessed 02-09-2010.
(2009). Types of monitoring. Available: http://www.activesecuritygroup.co.uk/monitoring.html. Last accessed 02-09-2010.
(2009). Managed secured monitoring. Available: http://bt.counterpane.com/services-msm.html. Last accessed 02-09-2010.
(2001). Network Based IDS. Available: http://www.intrusion-detection-system-group.co.uk/index.htm. Last accessed 02-09-2010.
(2001). Host Based IDS. Available: http://www.intrusion-detection-system-group.co.uk/host.htm. Last accessed 02-09-2010.
OSSEC download by Trend Micro. Available: http://www.ossec.net/main/downloads/. Last accessed 02-09-2010.
NSM download. Available: http://www.securixlive.com/download/nsmnow/. Last accessed 02-09-2010.
Cecil, Alisha (2006). A Summary of Network Traffic Monitoring and Analysis. Available: http://www.cs.wustl.edu/~jain/cse567-06/ftp/net_monitoring.pdf
Network monitoring. Available: http://en.wikipedia.org/wiki/Network_monitoring. Last accessed 02-09-2010.
Sax2 Network Intrusion Detection System. Available: http://www.aeonity.com/devidhuang/pg/2. Last accessed 03-09-2010.
(2006). LAN/WAN Network Management. Available: http://www.ontariosystems.net/OntarioForums/showthread.php?s=&t=3. Last accessed 01-09-2010.
Priya (2006). Types of SDLC Models. Available: http://toostep.com/trends/types-of-sdlc-models. Last accessed 01-09-2010.
Faulkner, Matthew J. Host Based Intrusion Detection Systems. Available: http://webpages.uah.edu/~faulknmj/660%20tutorial.htm. Last accessed 25-08-2010.
Kaminsky, A. Host Based Intrusion Detection Systems. Available: http://www.wisegeek.com/what-is-network-security.htm. Last accessed 22-08-2010.
IEEE. Available: http://www.ieee.org/portal/site. Last accessed 03-09-2010.
Figures
Figure 1: Waterfall life cycle model. http://www.codebetter.com/blogs/raymond.lewallen/downloads/waterfalllModel.gif
Figure 2: IDS. http://www.cs.bham.ac.uk/~mdr/teaching/modules03/security/students/SS1/handout/intrusion.png
Figure 3: HIDS. http://www.windowsecurity.com/img/upl/image0061057828883689.jpg
Figure 4: NIDS. http://www.windowsecurity.com/img/upl/image0041057828849911.jpg
Figure 5: NSM package. http://nsmchami.files.wordpress.com/2010/06/ere3.jpg
Figure 6: OSSEC details. http://nsmchami.files.wordpress.com/2010/06/sses.jpg
Appendices
Screen shots
Figure: list of log files that are useful for analysis.
Figure: logging into the remote system using ssh. This is used by the network administrator to monitor the remote systems of the network.
Figure: identifying the alerts on the remote system after logging into it using ssh.
Commands
sudo apt-get install gcc                   # install the gcc C/C++ compiler
sudo apt-get install mysql-server-5.0      # install mysql-server-5.0
wget http://www.ossec.net/files/ossec-hids-2.4.1.tar.gz   # download OSSEC HIDS
tar -xvf ossec-hids-2.4.1.tar.gz           # extract the archive
cd ossec-hids-2.4.1                        # change directory to OSSEC
./install.sh                               # install OSSEC
NSMnow
wget http://www.securixlive.com/download/nsmnow/NSMnow-1.6.2.tar.gz   # download NSMnow
tar -xvf NSMnow-1.6.2.tar.gz               # extract the archive
cd NSMnow-1.6.2                            # change directory to NSMnow
./NSMnow -i                                # install NSMnow
NSMnow.log                                 # installation log, check it for errors
Restart
root@localhost nsm]# /etc/init.d/nsm restart
Integrating OSSEC with SGUIL
cd ossec_agent
./ossec_agent.tcl -o -c ossec_agent.conf -f /var/ossec/logs/alerts/alerts.log -p 1
sguil.tk