Ossec Hids Print


Page 1: Ossec Hids Print

HOST BASED INTRUSION DETECTION SYSTEM

Using OSSEC and SGUIL.

Supervised by

Farahani Faranak

Submitted by

Venkateshwarlu Gurap

Student id: 19035867

Page | 1

CONTENTS

S.No.   Chapter                                               Page no
1.      Introduction                                          8
1.1.1   General introduction                                  9
1.1.2   Existing system                                       10
1.1.3   Proposed system                                       11
1.1.4   Problem statement                                     12
1.1.5   Problem description                                   12
1.2     Aims and Objectives                                   13
1.3     Methodology                                           14
1.4     Structure of dissertation                             16
2.      Literature Review                                     17
2.1.1   Network Security                                      18
2.1.2   Intrusion detection systems (IDS)                     19
2.1.3   Host based intrusion detection system (HIDS)          21
2.1.4   Network based intrusion detection system (NIDS)       22
2.1.5   Intrusion prevention systems (IPS)                    23
2.1.6   Active security monitoring                            24
2.1.7   NIDS vs. HIDS                                         25
2.2     HIDS and its categories                               26
2.3     HIDS System Security & monitoring                     28
2.4     Classification of HIDS based on functionality         29
2.5     Tools of HIDS and implementation                      34
3.      Requirement Analysis and Design                       36
3.1     Project analysis                                      37
3.2.1   Feasibility study                                     37
3.2.2   Technical feasibility                                 38
3.2.3   Behavioral feasibility                                38
3.2.4   Economic feasibility                                  38
3.3     System requirements                                   41
3.4     Procedural design                                     42
3.5     Input/output design                                   44
4.      Implementation                                        47
4.1     System Implementation                                 48
4.2     Installation & configuration (phase 3)                49
4.3     Integration of OSSEC with SGUIL (Phase 4)             53
5.      Testing                                               57
5.1.1   Introduction to testing concepts                      58
5.1.2   Source code testing                                   59
5.1.3   Module level testing                                  59
5.2.1   Levels of testing                                     59
5.2.2   Unit testing                                          60
5.2.3   Integration testing                                   61
5.2.4   System testing                                        61
5.3     Test plan                                             62
5.4     Test case Report                                      64
5.5     Test Report                                           67
6.      Self-Evaluation                                       70
7.      Discussion                                            73
8.      Conclusion                                            75
9.      Future work & Recommendations                         78
10.     Bibliography                                          81
11.     Appendices                                            87
        Screen Shots                                          87
        Commands                                              90

Figures

S.No  Figure                      Page No
1.    Waterfall life cycle model  15
2.    General IDS system          20
3.    HIDS implementation         21
4.    NIDS implementation         23
5.    NSM package details         34
6.    OSSEC Package details       35

ACKNOWLEDGEMENT

Firstly, I thank my supervisor Farahani Faranak for her guidance in the project. She guided me in every stage of my dissertation through her suggestions. Through each meeting she directed me on a successful project path and gave me all the inputs that I needed for the implementation and documentation of the project.

I consider myself to be very fortunate in receiving all the support and guidance from the entire ACES faculty. I would like to thank my Course administrator Lucy Allen and the Course leader Dr. Sameer Alkhyat for their guidance and support.

I am grateful to the Library staff at Sheffield Hallam University for their outstanding support and responsiveness to my information needs.

ABSTRACT

Security is one of the major issues in the field of computing. From the beginning there have been continuous attempts to protect the integrity, confidentiality and availability of data. Whether it is a large organization or a home PC, security is a primary issue. It mainly comprises the several intrusion-preventive measures taken by an organization, or even by individual desktop users, to protect their systems. Intrusions into systems are broadly categorized into two categories: Network based and Host based intrusions.

In this project we will be implementing a HIDS by integrating tools. It is implemented by integrating two tools, OSSEC and SGUIL. OSSEC is used as the backend tool of the HIDS and SGUIL is a graphical interface that works in the front end. One of the objectives of this project is to integrate both of these tools to build an enhanced Host based intrusion detection system (HIDS), i.e. OSSEC HIDS.

A significant point here is that the tools (OSSEC, SGUIL etc.) and the Operating System used in this project are open source. Here we will be implementing the OSSEC HIDS locally.

This project is intended to assist the Network Administrator in managing and monitoring the network (LAN).

INTRODUCTION

1.1.1 General Introduction:

(Laurie Zirkle, 2008) “No one package will do everything, and the software should be tailored to the individual computer that's being monitored.” Based on this idea, I wish to integrate two tools and implement OSSEC HIDS with more enhanced features than the existing one.

The objective of the project is to build an enhanced OSSEC Host based Intrusion Detection system. Among the latest technology tools, I preferred OSSEC and chose to integrate it with SGUIL in the implementation of a HIDS (Host based Intrusion Detection system).

OSSEC is powerful free HIDS software which lacks a GUI, and SGUIL is also open source software which is compatible with it. This attempt is to develop a powerful host based intrusion detection system with a good GUI.

This system performs host intrusion detection based on log analysis, file integrity and Windows registry monitoring. These features are very interesting when compared to other software, and it supports many other features which are not supported by other software. From an administrative point of view it would be very useful to implement this in a network.

1.1.2 Existing System

At a basic level the issues of security are solved by using antivirus software and firewalls. Anti-virus software is used to protect computers from virus attacks and firewalls are used to protect against theft of private data. Similarly at large scale, i.e. at the level of organizations, we implement Intrusion Detection Systems (IDS) such as HIDS (Host based IDS) and NIDS (network based IDS).

There are many existing HIDS software packages like OSSEC, among them Tripwire and Tiger, but these are not as efficient as OSSEC in terms of scalability, reliability, flexibility and visualization.

The following features of OSSEC make it more powerful when compared to other HIDS:

Easy installation
Integrity of the system and walk file
Rootkit detection
Active response system
Optional web based graphical interface
Optional central server

1.1.3 Proposed System

The proposal entitled “HOST BASED INTRUSION DETECTION SYSTEM using OSSEC and SGUIL” supports both a local and a client-server network within the intranet.

In this project we will implement this in a local environment; it can also be implemented in the LAN (with a group of systems on the intranet). OSSEC also monitors packets and attempts to discover if a hacker/cracker is attempting to break into a system.

The proposed system performs intrusion detection based on these features:

File integrity
Windows registry monitoring
Log analysis

Additional features:

Integrity check daemon
Rootkit detection engine
Enabling the active response system
Enabling the firewall drop response system
Email notification
SMTP server

These features enable the administrator to monitor systems closely. It is more flexible because of its good visualization, i.e. this system is capable of finding out intrusions through the above features in the various systems that are connected within a network.

1.1.4 Problem statement:

The features proposed in the proposal part of the system are not yet seen in a single piece of software. So, this is an attempt to implement a HIDS with all the above features. That is possible by integrating the two tools, i.e. OSSEC and SGUIL. This makes the HIDS much more powerful, with extra features to overcome problems like proper visualization, email notification and active response.

1.1.5 Problem description

From the beginning we have implicitly been discussing the issues of network security in a LAN from the administrator's point of view. At present there is much existing software which could provide all the features mentioned in the proposal part of this project, but there is no single piece of software which puts all those features together.

OSSEC HIDS by default is powerful, but it needs to be customized with other features such as a graphical interface and flexibility. So these features must be added to the current OSSEC HIDS using SGUIL.

Through this project I wish to integrate two tools that could solve the above mentioned issue; moreover this is also intended to ease the administrator's task in monitoring the network.

1.2 Aims and Objectives:

Aim:

Analyze Host Based Intrusion Detection Systems and implement a HIDS by integrating two tools, i.e. OSSEC and SGUIL.

Objectives:

To identify the tools and analyze their HIDS implementation method.
To investigate OSSEC and SGUIL, then proceed with installation and configuration.
To integrate these two tools, implement the HIDS and test it.
To make recommendations from the implementation and investigation.

In the project we shall not only discuss the HIDS software that is involved, but also other issues of Network security varying from the desktop user to an organization level implementation.

However, this implementation is targeted only at the level of a LAN, or it can be tested locally.

1.3 Methodology:

In terms of Software Engineering, methodology can be defined as the set of procedures followed in a project for the success of the project.

In general, for these kinds of projects, the methodology includes:

Collection of data
Analyzing different approaches of implementation and their comparative study
Implementation
Method of approach

The data collected is qualitative in nature. The method of approach is deductive in nature.

Software life cycle models (Implementation model):

It is an acceptable fact that the implementation of this project is not similar to the development of software code, but we still follow the software life cycle models, as this project implementation has features similar to the software life cycle models and they are applicable in this case.

In short there are 4 stages in the software life cycle. They are:

Requirement
Design
Implementation
Testing

General Life Cycle Model

Waterfall Model: (Deductive method)

Even a basic software life cycle model is applicable for this implementation, but to be precise I have chosen the waterfall life cycle model because it is quite apt for this scenario.

(Raymond Lewallen, 2005) It has a simple sequence of phases and each phase has a set of well defined goals and activities. The important contribution of the waterfall model is for management: it enables management to track development progress. It is also referred to as the linear-sequential life cycle model.

Figure 1 Waterfall Life Cycle Model

Advantages

Simple and easy to use.
Easy to manage due to the rigidity of the model: each phase has specific deliverables and a review process.
It is suitable for smaller projects where requirements are well understood.
The software engineering methods of approach are apt for developing a customized product, which applies in this case.

The only reason for selecting this model for implementation is that it is easy to implement and gives a clear idea of the development process of the system.

1.4 Structure of the dissertation:

This dissertation involves a step by step process in integrating the tools of the HIDS software, i.e. SGUIL and OSSEC. Before that we study the issues of Network security from the administrative point of view and their concepts. Every part of the dissertation describes the different issues of HIDS.

The dissertation consists of a literature survey on HIDS, which explains the necessity of HIDS and its categories. Next we proceed to requirement specification and design, then we go on with the implementation (installation, configuration and integration) of the tools, the testing procedure, self-evaluation, discussion, and finally the conclusion and future recommendations, with commands under the appendices.

LITERATURE REVIEW

2.1.1 Network Security:

History:

Intrusion Detection System (IDS) is one of the techniques followed in security implementation. Network security is an integral part of computer networking; it involves protocols, technologies, devices, tools, and techniques to secure data and mitigate threats. The concept of Network security emerged in the 1960s but it was practically used in the modern network by the end of the 2000s.

Here, in short, I would like to tabulate the progress made in the field of Network security. This information is correct according to the Cisco material on network security.

S.No  Year  Technology
1     1984  IDS for ARPANET
2     1988  Packet filter firewall
3     1989  Stateful firewall from AT&T Bell Labs
4     1991  DEC SEAL application layer firewall
5     1995  NetRanger IDS
6     1997  RealSecure IDS
7     1998  Snort IDS
8     1999  First IPS
9     2006  Cisco zone based policy firewall

2.1.2 Intrusion Detection System (IDS)

According to the Intrusion Detection Systems Consortium (IDSC), an Intrusion Detection System (IDS) is defined as a type of security management system for computers and networks.

An IDS is categorized into two types based on its mode of working. It gathers information and analyses it from various areas, such as inside the system or inside the network, to identify possible security breaches. The IDS which identifies threats within a computer, such as DoS attacks from within the organization, is termed a Host based IDS, and the one which identifies intrusions from outside (attacks from outside the organization) is termed a Network based IDS.

An IDS uses vulnerability assessment (sometimes referred to as scanning), a kind of technology developed to assess the security of a computer system or network.

Functions of an Intrusion Detection System (IDS):

“Monitoring and analysing the user activities on system
Analysing system configuration files and their vulnerabilities
Assessing system and file integrity
Ability to recognize typical patterns of attacks
Analysis of abnormal activity patterns
Tracking user policy violations”…[1]

In simple terms an IDS can also be defined as software, generally deployed on a server, which implements either the strategies of a NIDS (e.g. packet scanning) or of a HIDS (e.g. checking system log files and other files to verify the integrity of the system). It is installed to identify intrusions in the system and the network (i.e. it identifies threats and alerts the administrator).

http://searchmidmarketsecurity.techtarget.com/sDefinition/0,,sid198_gci295031,00.html

Figure 2 Intrusion Detection System

Installation

In general an IDS (Intrusion Detection System) is placed between the outside network and the local network, i.e. between the internet and the LAN. The above figure depicts the same, because this placement makes intrusion detection (using packet scanning and filtering) much easier. To be precise, this is a kind of NIDS.

2.1.3 Host based intrusion detection systems (HIDS):

A host based IDS performs checks on system logs and key system files to detect malicious or suspicious applications in the system. A few HIDS are even capable of analyzing firewall logs, and a HIDS can even be configured for routers via syslog.

A HIDS monitors the key system files for evidence of tampering and for changes in access time, file size, an MD5 cryptographic checksum, etc. The checksum is stored on a server for future verification. Ex: Dragon Squire.

Figure 3 Host based Intrusion Detection System

Installation

A Host based Intrusion Detection system is generally installed on the server of the Local Network, i.e. the LAN. This favors the Network administrator in easy monitoring of the systems in the network.

2.1.4 Network intrusion detection system (NIDS):

A network-based intrusion detection system (NIDS) is deployed on a network segment, on a standalone system in front of the firewall. It basically performs packet scanning to identify matches with predetermined signatures.

Port scan detection is the most widely used concept in NIDS. A NIDS not only performs port scan detection on incoming traffic but also on outgoing traffic and shell scripts. It also monitors the number of TCP connection requests.

Figure 4 Network based Intrusion Detection system

Installation:

As said above, it is installed in front of the firewall and scans and filters the packets that get past the firewall. Hence this is going to increase the network security.

2.1.5 Intrusion prevention systems (IPS):

(Ciccarelli, Patrick; Faulkner, Christina, 2004) Intrusion prevention systems are an extension of IDS, as they are even capable of blocking packets which are malicious in nature. Unlike an IDS, an IPS is placed inline, which makes it actively capable of blocking the traffic.

Cisco IPS is the most widely used Intrusion Prevention System, as it is capable of protecting from more than 30000 threats. Timely signature updates from Cisco make the system more capable of stopping the emerging threats on the internet.

Cisco IPS protects against increasingly sophisticated attacks like:

“Directed attacks
Worms
Botnets
Malware
Application abuse“…[2]

2.1.6 Active security monitoring:

According to British Telecommunications, active network security monitoring is about identifying problems at the initial stage, before they grow to become an issue, and avoiding unnecessary risk.

There are even a few groups which install active burglar alarm systems and act as an alarm receiving centre. One such is Active Security Monitoring Services Ltd, formed in 1998.

Functionalities of active security monitoring in the network:

Provides additional layers of defense.
Supplies data that may have forensic utility.
Network monitoring, network intrusion detection.
Host based intrusion detection.
Devices that are connected.
Syslog.
SNMP logging.
Penetration and vulnerability testing monitors.
Validates existing security controls.

2.1.7 NIDS and HIDS:

(Cole, Eric; Krutz, Ronald; Conley, James W., 2005) Network based Intrusion Detection Systems (NIDS) and Host based Intrusion Detection Systems (HIDS) are designed to alert administrators when there is an attack on the network or system respectively. It may be either inside the system or even outside the systems.

NIDS                                                    HIDS
NIDS is used for identifying threats from outside       HIDS operate on the information collected from
and inside the network.                                 individual computer systems, e.g. log files.
NIDSs are distributed and monitor traffic at key        HIDS monitors and analyses activities on the
chokepoints, i.e. network junctions where different     host at a higher level.
types of traffic merge.
NIDS uses saved libpcap formatted files, captures       HIDS is an application or collection of
live packets on the wire, and exports data in           applications which are for monitoring in the
libpcap format.                                         system.

Justification:

From the network administrator's point of view both NIDS and HIDS are recommended. It is an acceptable fact that NIDS is more powerful than HIDS, but anyhow it cannot replace the functionalities of HIDS. A combination of these two yields a good result in improving security.

2.2 HIDS and its categories:

As was discussed earlier, a HIDS is similar to an antivirus installed on a system, which protects the system from various attacks internally in the network.

OSSEC is one of the most powerful HIDS tools; it was among the top 5 in 2006.

OSSEC is GNU open source software which performs:

Log analysis
Integrity checking
Windows registry monitoring
Rootkit detection
Time-based alerting
Active response

OSSEC (Daniel B. Cid, 2008) supports almost all operating systems, like Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows. It has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed.

Tripwire

Open Source Tripwire is also free software which acts as a HIDS tool for security and data integrity, especially used for monitoring and alerting on specific file change(s). Tripwire detects changes to file system objects rather than identifying at the network interface level. It employs cryptographic hashes to detect changes in a file.

AIDE

It is also similar HIDS software which is used on many UNIX systems for rootkit detection and baseline control.

Samhain

This IDS is used on UNIX based networks for integrity checks. It also supports central monitoring as well as powerful (and new) stealth features to run undetected in memory, using steganography.

Comparison of OSSEC, Tripwire, AIDE and Samhain

Parameter           OSSEC  Tripwire  AIDE  Samhain
Rootkit detection   Yes    No        Yes   No
Integrity check     Yes    Yes       Yes   Yes
Time based alert    Yes    Yes       No    No
Log analysis        Yes    Yes       No    No
Central monitoring  Yes    Yes       Yes   Yes
Cross platform      Yes    No        No    No
Active response     Yes    No        No    No

2.3 HIDS System Security and Monitoring.

HIDS mainly involves system monitoring and the communication traffic moving in and out of the system; it performs integrity checks of data and identifies suspicious processes.

According to SANS, HIDS can be mainly classified into two types:

Host wrappers, i.e. personal firewalls
Agent-based software

Personal firewall:

Personal firewalls are configured to look at network packets, connection attempts, and login attempts on the monitored machine. This includes dial-in attempts or other non-network related communication ports. Ex: TCP Wrappers for UNIX, Nuke Nabber for Windows.

“Personal firewalls can also detect software on the host attempting to connect to the network.“ Ex: WRQ's AtGuard.

The term system monitoring describes the use of a system that constantly monitors network packets for slow or failing components and that notifies the network administrator in case of outages via email, pager or other alarms. It is a subset of the functions involved in HIDS.

A host-based agent monitors accesses and changes to critical system files and user privileges. Ex: AXENT from Symantec, CyberSafe, ISS and Tripwire.

2.4 Classification of HIDS based on functionality

Based on functionality, HIDS can be broadly divided into 4 categories:

File system monitors
Log file analysers
Connection analysers
Kernel based IDSs

File system monitors

File system monitors perform a check based on a large number of parameters, i.e. different characteristics, as follows.

Parameter              Characteristics (features for tracing the intrusion)
File permissions       Change in the permissions of files and directories.
                       Ex: detection of suid/sgid/sticky bits.
Inode                  An existing (undeleted) file referring to a different inode.
Number of links        Change in the number of hard links to the file inode.
Size                   A sudden change in the file size.
Directory size         Addition or deletion of files in the directory.
Mtime, atime & ctime   Change in the last modification time, last access time and the
                       last time the owner, permissions etc. were changed, i.e. mtime,
                       atime and ctime respectively, for a file or directory.
Checksums              Change in the hash of the file.
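The checksum baseline described under section 2.1.3 and the parameter table just given can be shown working together in a small file system monitor. The following is an added example written for this page, not code from the dissertation, OSSEC or Tripwire: it snapshots the permission bits, inode, link count, size, directory entry count, mtime/ctime and a content hash of every object under a directory, then diffs two snapshots and flags newly set suid/sgid/sticky bits separately. It assumes a POSIX host, uses SHA-256 in place of the MD5 the text mentions (a deliberate substitution), and builds the directory tree it inspects itself in a temporary location.

```python
import hashlib
import os
import stat
import tempfile

# Bits whose appearance on a file is worth a finding of its own (suid/sgid/sticky).
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def record(path):
    """Snapshot the attributes of one file or directory (the table's parameters)."""
    st = os.lstat(path)
    rec = {
        "perm": stat.S_IMODE(st.st_mode),  # file permissions incl. suid/sgid/sticky
        "inode": st.st_ino,                # inode number
        "nlink": st.st_nlink,              # number of hard links
        "size": st.st_size,                # size in bytes
        "mtime": int(st.st_mtime),         # last modification time
        "ctime": int(st.st_ctime),         # last owner/permission change time
    }
    if stat.S_ISDIR(st.st_mode):
        rec["entries"] = len(os.listdir(path))  # "directory size"
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()  # assumption: SHA-256 stands in for the MD5 the text mentions
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["checksum"] = h.hexdigest()
    return rec


def baseline(root):
    """Walk a tree and record every directory and file under it."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        db[dirpath] = record(dirpath)
        for name in files:
            path = os.path.join(dirpath, name)
            db[path] = record(path)
    return db


def compare(old, new):
    """Return (path, finding) pairs for everything that differs from the baseline."""
    findings = []
    for path in sorted(set(old) | set(new)):
        if path not in new:
            findings.append((path, "deleted"))
        elif path not in old:
            findings.append((path, "added"))
        else:
            for field, before in old[path].items():
                if new[path].get(field) != before:
                    findings.append((path, field))
            # Newly set suid/sgid/sticky bits are flagged apart from a plain mode change.
            if new[path]["perm"] & SPECIAL_BITS & ~old[path]["perm"]:
                findings.append((path, "special_bits_set"))
    return findings


def demo():
    """Build a constructed tree, baseline it, tamper with it, and report the findings."""
    with tempfile.TemporaryDirectory() as root:
        a = os.path.join(root, "a.txt")
        b = os.path.join(root, "b.sh")
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        with open(a, "w") as f:
            f.write("hello\n")
        with open(b, "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        os.chmod(b, 0o755)
        before = baseline(root)

        with open(a, "w") as f:                           # size and checksum change
            f.write("hello world\n")
        os.chmod(b, 0o4755)                               # setuid bit appears
        os.link(a, os.path.join(root, "a.hardlink"))      # link count of a.txt rises
        with open(os.path.join(etc, "passwd"), "w") as f:  # entry count of etc/ rises
            f.write("eve:x:1001:1001::/home/eve:/bin/sh\n")
        after = baseline(root)

        return {(os.path.relpath(p, root), what) for p, what in compare(before, after)}


if __name__ == "__main__":
    for finding in sorted(demo()):
        print(finding)
```

In a real deployment the baseline would be stored off-host (as the text says of the checksum server) so that an intruder who alters a file cannot also alter the record it is compared against.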

Log Analysis

Log analysis mainly performs:

Pattern matching
Pattern matching with correlation between events
Anomaly detection

Here I will be discussing the functionality of two tools that do the above job:

Swatch is a simple tool used for pattern matching.
SEC is used for pattern matching with correlation between events.

Swatch detects attacks by the following procedure:

Applying regular expressions to log files.
Echoing matching log lines to the terminal Swatch is running on.
Mailing an alert on a match.
Running a defined command when there is a detection.
Warning the logged-in user using write.
Flood protection by throttling alerts.
Thresholds, i.e. warning on limits.
Following rotated log files.
Acting only during a defined time-frame when there is a pattern match.

SEC is similar to Swatch and performs all the functions Swatch does; in addition it adds correlation of events.

Functionalities of SEC:

Creation of a context and addition of items to the context on the match of a line.
Aliasing or unaliasing a context.
Matching only when a context exists.
Categorizing multiple events of the same type into one.
Assignment of values to variables.
On a match, performing actions based on the output of scripts; the action differs based on the output.
Creating events based on the current time and date.
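The Swatch-style single-line match and the SEC-style correlation above (a threshold over a time window, grouping repeated events of one type into one alert, and throttling to protect against floods) can be implemented together in a short log analyser. This is an added example written for this page, not code from Swatch, SEC or OSSEC. The sshd and sudo log lines it reads are constructed, the year is assumed because syslog timestamps omit it, and the rule of 5 failures within 60 seconds from one source is an assumed threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from a real host): a burst of failed SSH logins from one
# address, a legitimate login, a lone failure from elsewhere, and a sudo command.
SAMPLE_LOG = """\
Mar 10 10:00:01 host1 sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 4001 ssh2
Mar 10 10:00:03 host1 sshd[2002]: Failed password for invalid user admin from 192.0.2.10 port 4002 ssh2
Mar 10 10:00:05 host1 sshd[2003]: Failed password for root from 192.0.2.10 port 4003 ssh2
Mar 10 10:00:06 host1 sshd[2004]: Accepted password for alice from 198.51.100.7 port 5100 ssh2
Mar 10 10:00:09 host1 sshd[2005]: Failed password for root from 192.0.2.10 port 4004 ssh2
Mar 10 10:00:11 host1 sshd[2006]: Failed password for root from 192.0.2.10 port 4005 ssh2
Mar 10 10:00:15 host1 sshd[2007]: Failed password for root from 192.0.2.10 port 4006 ssh2
Mar 10 10:20:00 host1 sshd[2008]: Failed password for bob from 203.0.113.5 port 6000 ssh2
Mar 10 10:21:00 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

TIMESTAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
SUDO_COMMAND = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.*)$")

THRESHOLD = 5                    # assumption: this many failures ...
WINDOW = timedelta(seconds=60)   # ... from one source inside this window raise one alert
YEAR = "2024"                    # assumption: syslog lines carry no year


def parse_time(line):
    m = TIMESTAMP.match(line)
    return datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")


def analyse(log_text):
    """Swatch-style single-line matches plus SEC-style windowed correlation."""
    alerts = []
    failures = defaultdict(deque)   # source ip -> (time, user) events inside the window
    quiet_until = {}                # source ip -> time before which repeat alerts are suppressed
    for line in log_text.splitlines():
        when = parse_time(line)

        m = SUDO_COMMAND.search(line)
        if m:  # plain pattern match: every privileged command is reported as it is
            alerts.append({"rule": "sudo", "time": when, "user": m.group(1), "command": m.group(2)})
            continue

        m = FAILED_LOGIN.search(line)
        if not m:
            continue
        user, src = m.groups()
        window = failures[src]
        window.append((when, user))
        while window and when - window[0][0] > WINDOW:   # forget events older than the window
            window.popleft()
        if len(window) < THRESHOLD:
            continue
        if when < quiet_until.get(src, datetime.min):    # flood protection: one alert per window
            continue
        alerts.append({
            "rule": "brute_force",
            "time": when,
            "src": src,
            "count": len(window),
            "users": sorted({u for _, u in window}),     # many events of one type folded into one
        })
        quiet_until[src] = when + WINDOW
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample above the sixth failure from 192.0.2.10 is absorbed by the quiet period rather than producing a second alert, and the single failure from 203.0.113.5 never reaches the threshold; the sudo line is reported on its own because it matches unconditionally.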

Connection Analysis

Connection analysers monitor connections, i.e. requests that are made to the system. This includes unauthorised connections, port scans and other session and network connections. The list is tabulated below.

A connection analyser detects based on these features; here I would like to take the example of Scanlogd and Port Sentry.

Feature under connection analyser         Description
Unauthorised TCP and UDP connections      Scanlogd reports in the system log file on detecting connections
                                          to unauthorized TCP and UDP ports.
Portscan detection                        It also detects SYN, FIN and XMAS types of portscan.
Flood protection                          It protects the system's log file from being filled up.
Port Sentry                               This is a more advanced implementation.
Port binding                              It binds to administratively selected ports and also effectively
                                          prevents unauthorised programs on the system from binding to
                                          these ports.
Host blocking                             It actively blocks an offending host. This is possible by running
                                          a specific command to block.
Banner display                            Port Sentry offers the option to display a banner to the offender.
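The Port Sentry rows of the table (port binding, host blocking, banner display) and Scanlogd's flood protection can be illustrated with a small loopback listener. This is an added example written for this page, not Port Sentry's or Scanlogd's code: it binds a set of TCP ports that nothing legitimate should use, treats any connection to them as an intrusion attempt, shows a banner, counts how many of the monitored ports one address has touched, and hands the address to a blocking hook once that count reaches a threshold, raising at most one alert per source per quiet period. Binding port 0 on 127.0.0.1 (an OS-assigned port), the threshold of 3 ports and the 60-second quiet period are assumptions made for the demonstration; a real deployment would bind fixed unused ports and the hook would add a firewall rule.

```python
import select
import socket
import time

BANNER = b"This port is monitored; your connection has been logged.\r\n"


class PortSentry:
    """Bind otherwise-unused TCP ports and treat any connection to them as suspicious."""

    def __init__(self, ports, scan_threshold=3, quiet_seconds=60, block_hook=None, host="127.0.0.1"):
        self.scan_threshold = scan_threshold  # monitored ports one source must touch to count as a scan
        self.quiet_seconds = quiet_seconds    # flood protection: one alert per source per quiet period
        self.block_hook = block_hook          # called with the offending address (e.g. to block it)
        self.listeners = []
        for port in ports:                    # port 0 lets the OS pick (assumption for the demo)
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, port))
            s.listen(16)
            s.setblocking(False)
            self.listeners.append(s)
        self.touched = {}      # source ip -> set of monitored ports it has connected to
        self.last_alert = {}   # source ip -> monotonic time of its last alert
        self.events = []       # every connection seen, as (src, local_port)
        self.alerts = []       # (src, sorted ports) once the threshold is reached

    def ports(self):
        return [s.getsockname()[1] for s in self.listeners]

    def poll(self, timeout=0.5):
        """Accept pending connections, show the banner, log them; return how many were handled."""
        ready, _, _ = select.select(self.listeners, [], [], timeout)
        handled = 0
        for listener in ready:
            conn, (src, _sport) = listener.accept()
            local_port = listener.getsockname()[1]
            try:
                conn.sendall(BANNER)          # banner display
            except OSError:
                pass
            conn.close()
            handled += 1
            self.events.append((src, local_port))
            ports = self.touched.setdefault(src, set())
            ports.add(local_port)
            if len(ports) >= self.scan_threshold:
                now = time.monotonic()
                if now - self.last_alert.get(src, float("-inf")) >= self.quiet_seconds:
                    self.last_alert[src] = now
                    self.alerts.append((src, sorted(ports)))
                    if self.block_hook:
                        self.block_hook(src)  # host blocking
        return handled

    def close(self):
        for s in self.listeners:
            s.close()


def demo():
    """Run the sentry on three OS-assigned loopback ports and probe all of them."""
    blocked = []
    sentry = PortSentry([0, 0, 0], scan_threshold=3, block_hook=blocked.append)
    clients = []
    try:
        ports = sentry.ports()
        # A scanner touching every monitored port: three connections from one address.
        clients = [socket.create_connection(("127.0.0.1", p), timeout=2) for p in ports]
        handled = 0
        for _ in range(10):
            handled += sentry.poll(timeout=1)
            if handled >= len(ports):
                break
        banner = clients[0].recv(1024)
        # A further probe inside the quiet period must not produce a second alert.
        clients.append(socket.create_connection(("127.0.0.1", ports[0]), timeout=2))
        handled += sentry.poll(timeout=1)
        return {"events": handled, "alerts": list(sentry.alerts), "blocked": blocked, "banner": banner}
    finally:
        for c in clients:
            c.close()
        sentry.close()


if __name__ == "__main__":
    print(demo())
```

Because the sentry holds the monitored ports open, no other program on the host can bind them, which is the "port binding" property in the table; the blocking hook is where a deployment would invoke its firewall, and the quiet period is what keeps a noisy scanner from filling the log.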


Kernel based IDS:

LIDS and IDSpbr are two pieces of kernel based IDS software. These are widely used IDSs in Linux. Here I would like to discuss the features of LIDS and IDSpbr.

Functions of Kernel based IDS:

Protecting processes, blocking signals from unauthorized users.
Blocking network related tampering, like changes in firewall settings.
Preventing kernel module loading or unloading.
Preventing raw disk I/O.
Discovering the needed ACLs.
Sending security alerts using SMTP.

Features of IDSpbr:

Detecting the exploitation of stack or heap buffer overflows by monitoring execve() calls.
Identifying the exploitation of symbolic link race conditions or other insecure symbolic links.
Identifying local DoS attacks.
Killing processes that are involved in an attack.
Sending alerts using SMTP and writing to the console or syslog.
Increasing the level of suspicion when the processes are more powerful, i.e. root processes, or dangerous.
Anomaly detection based on the order of system calls per process.

2.5 Tools of Implementation

NSMnow

NSM is a package which acts as a platform for integrating OSSEC and SGUIL. By installing NSM all the other supporting packages get installed. It acts as a server to which all the other tools can be integrated; even the tools of NIDS can be integrated with NSMnow.

On installation of the NSMnow package it installs these packages by default:

SGUIL.tk: the client application for SGUIL.
Wireshark: a network monitoring tool.
MySQL: used as the database for this application.
SGUILd: the server application for SGUIL.
Snort: a tool for detecting network intrusions.
Snort_agent, pcap_agent, sancp_agent: used for the addition of agents.
Barnyard2: also a supporting tool.

NSM package

Figure 5 Details of NSM package.

The other tool we use in the project is OSSEC, which is shown below.

Figure 6 Details of OSSEC

OSSEC is added as one of the sensors of NSM and it is integrated with SGUIL.

OSSEC

OSSEC is an open source HIDS with a powerful correlation and analysis engine, with all the features mentioned in 1.1.3. It supports almost all operating systems, like Linux, Mac, Windows, OpenBSD, CentOS, FreeBSD, etc. It supports all the features mentioned in 1.1.2. It is even used by ISPs and universities.

Trend Micro is the organization behind it and it even offers enterprise class commercial support.

Requirement Analysis and Design

3.1 Project Analysis:

The first phase of requirement analysis is system analysis. This is an important phase in any project development. Analysis of the project demands an insight into each and every phase involved in the project. The objective of the analysis phase in this project is to identify the requirements of the project and to set a plan for implementation, testing and deployment.

As the phases were discussed earlier, let us once again have a glimpse of the phases of the project:

Requirement analysis
System design
Implementation
Testing
Inferences and maintenance

3.2 Feasibility Study:

The feasibility study is to find out how feasible the project is and to what extent the proposed system can be developed in the real-time environment with the existing resources. As every project has its own limitations and constraints, a report is to be generated from the project analysis. The feasibility report for this project is presented below. In terms of technical, behavioral, economic and time constraints the following feasibility report is generated.

Technical feasibility:

The technical feasibility report is generated from the technology that exists and the one which is proposed in the system. In this we analyze the existing hardware and software technologies and compare them with the proposed system.

Project Technical feasibility

From the point of technical Feasibility it is flexible to implement in Ubuntu 8.04

and above versions is chosen.

The project will be feasible to implement in environment Linux Ubuntu 8.04 and

above version. If the version is above 9.10 i.e. 10.04 makes the installation bit

tedious.

Ubuntu is very feasible than Red hat Linux because it’s open source software and

has good Graphical user Interface which makes things easy.

Even there is a good support from OSSEC and SGUIL

There is a good availability of the .tar and .deb files for the SGUIL and OSSEC

software’s

Even there is a good availability of the support files for the installation of the

Behavioral feasibility:

Behavioral feasibility is studied to identify the acceptance by user for the changes

made to the system that facilitates the user to adapt to the changes made by introducing

the new software.

In simple these are features of understanding the system from end users

perspective.

Project behavioral feasibility:

From the point of administration side this project is widely accepted in usage. This

is going to introduce the new features which make the system administrative tasks

much easier and highly capable.

Page | 39

Page 40: Ossec Hids Print

It is highly acceptable from the administrative perspective, as it supports a cross-platform architecture, but at the same time it is an accepted fact that installing and configuring these tools is a tedious job at times.

From the user's point of view there may be some resistance because of the security restrictions: this software blocks most of the administrative tasks that are protected under privileged mode.

If hardware support is lacking, it may slow down system performance.

Economic feasibility:

Economic feasibility can be defined as the feasibility of the existing and available resources for implementing the project. It should specify the cost of any extra hardware, software or other requirement that is mandatory for the implementation, and it determines which of these are affordable. Maintenance and enhancements also have a financial impact.

In this project every piece of software we use is open source, so all of it is available free of cost. The OS (Ubuntu), the OSSEC server and the SGUIL server are all free software.

The hardware is also the university's local systems; if possible the project may need three systems connected in a LAN, all of which are easily available from the university. Hence the implementation of this project is very feasible.


3.3 System requirements

This section defines the software and hardware required for the implementation of this project.

Software requirements:

OSSEC 2.4.1 (tar.gz)

SGUIL 0.7.0 (tar.gz)

Operating System: Linux Ubuntu 8.04

Hardware specifications:

Intel Pentium IV processor

Minimum 512 MB RAM or above

Minimum 2 GB hard drive

3.4 Procedure of Implementation

UNIX has many tools for intrusion detection; based on the number of users, we extend the functionality of the implementation as the table below shows.

No. of users / Things to be monitored and tools:

Few users: connections from outside; integrity of the system.

A very large number of users: connectivity monitoring (TCP Wrappers and lastlog); log files (syslog); system and user log files (syslog); process monitoring (lsof); disk usage monitoring (ftpd to log all file transfers); system auditing (audit).

Source: http://staff.science.uva.nl/~delaat/snb-2004-2005/p19/report.pdf

According to the waterfall life cycle model we implement this project in five phases.

Phase 1:

Requirements: this part was completed in the section above.

Phase 2:

Design: as we are not writing any software code, this phase has little significance in this project.

Phase 3:

Installation: this mainly covers the installation of the NSM software, the OSSEC server, the SGUIL software and so on.

Configuration: this covers the configuration of the OSSEC server and the SGUIL server. If it is deployed on a LAN, these must also be configured for the network.

Unit testing: in this phase we perform unit testing on the individual components.

Phase 4:

Integration: in this phase the OSSEC HIDS is integrated with SGUIL.

System testing: here we test the entire system, i.e. intrusion detection, the OSSEC functionality, alerts, logs and the other features of SGUIL.

Phase 5:

Monitoring: after successful installation, configuration and testing, monitoring is the next phase, in which functionality such as intrusion detection and monitoring of the systems is recorded or observed.

Action: the action may be blocking the process, or sending an email or alerts to the administrator.

Maintenance: this is the final part of the project, covering maintenance of the system and other responses to the detection of an intrusion in the network.

3.5 Input/output design

GUI input

1. First, a window prompts the administrator to log in to the SGUIL user interface, where the user needs to enter a user name and password to authenticate to the SGUIL server. The authentication form is shown below.

Figure 6: SGUIL authentication

After authenticating with the SGUIL server, the user is directed to the SGUIL graphical user interface, shown below.

Through this graphical user interface the administrator can monitor changes on all the systems and can also perform a few administrative tasks through the GUI options.

Output

Figure: SGUIL GUI output after authentication

However, this is not as powerful as the command prompt, because the command prompt gives the administrator complete control of the target system.

Figure 7: Output using the command prompt

At the command prompt both the input and the output are displayed in the same terminal, as this is on the server side and does not use a GUI.


IMPLEMENTATION

4.1 System implementation

The implementation phase of software development is concerned with translating design specifications into source code.

This is not applicable in this project, because we are not writing any code; we are using existing tools and integrating them to make a highly capable application, which we then test to detect intrusions in the system.

The first step of our implementation is the successful installation of the OSSEC server and SGUIL on the Linux platform.

In this chapter we implement phase 3 (installation and configuration) and phase 4 (integration) of the waterfall life cycle model. The phase 3 unit testing and the phase 4 system testing are covered in the next chapter, Testing.

4.2 Installation and Configuration (phase 3 of the waterfall LCM)

Installation of OSSEC

Download the latest version of OSSEC, ossec-hids-2.4.1.tar.gz:

wget http://www.ossec.net/files/ossec-hids-2.4.1.tar.gz

Extract the tar file using tar -xvf.

Change directory into the extracted OSSEC directory.

Install using ./install.sh.


Installation of NSM

Download the latest version of NSMnow:

wget < the download link here >

Extract the tar file using tar -xvf.

Change directory into NSMnow.

Install it using the installation script:

./NSMnow -i

The installation process may look very simple, but it is the most difficult job because it involves issues such as version conflicts and compatibility with other software, availability of repositories, dependencies and broken packages.

The next step is the configuration of the OSSEC server and the SGUIL server.

Configuration of OSSEC server

Prerequisite: OSSEC needs a C compiler, so it is suggested to install gcc before you proceed.

When install.sh runs, it prompts for the language; type en for English.

Type local for the installation type, as we will be using it on the local system.

For all locations and paths it is preferable to use the default paths.

Answer y to enable email notifications and enter a valid email ID.

Answer y to enable the SMTP server.

Answer y to enable the integrity check daemon.

Answer y to enable the rootkit detection engine.

Answer y to enable active response, and also for firewall-drop.

For now, answer n to adding more hosts.

Finally, to start the OSSEC server, use the following command:

/var/ossec/bin/ossec-control start

Configuration of NSM, i.e. SGUIL

Command / Functionality:

Set DBNAME sguildb: sets the database name to sguildb.

Set DBPASS password: sets the database password to password.

Set DBHOST 127.0.0.1: as we are using the local system as the client, we use 127.0.0.1 as the host.

Set DBPORT 3306: this is the MySQL database port.

Set DB_USER sguil: sets the database user to sguil.

The following files are checked for signs of intrusion. This is used only in the case of terminal output; as we have the SGUIL GUI we may not need them, but from an administrative point of view these files are very useful:

/var/log/messages, /var/log/auth.log, /var/log/syslog, /var/log/mail.info
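The installer prompts above decide what is written to /var/ossec/etc/ossec.conf, and the log files listed here only help if OSSEC is actually reading them. The following Python script, added here and not part of the dissertation or of the OSSEC project, audits a constructed ossec.conf for the choices made at install time: email notification, the integrity checker (syscheck), rootkit detection (rootcheck), the firewall-drop active response, and which of the four log files above have a localfile entry. Element names follow the ossec.conf format; the email address and the sample contents are placeholders.

```python
"""Audit an OSSEC 2.x ossec.conf against the choices made at install time.

Added example, not part of the dissertation or of the OSSEC project. The sample
configuration is constructed to resemble what install.sh writes for a 'local'
install; the e-mail address and the exact paths are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample of /var/ossec/etc/ossec.conf, trimmed to the relevant parts.
SAMPLE_OSSEC_CONF = """\
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.invalid</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@localhost</email_from>
  </global>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  </rootcheck>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

# The four log files the dissertation lists as the ones checked for intrusions.
EXPECTED_LOGS = ["/var/log/messages", "/var/log/auth.log",
                 "/var/log/syslog", "/var/log/mail.info"]


def audit_ossec_conf(xml_text, expected_logs=EXPECTED_LOGS):
    """Return a dict saying which install-time choices the config really reflects."""
    root = ET.fromstring(xml_text)
    findings = {}

    # 1. E-mail notification counts as enabled only with the flag on AND a recipient.
    email_on = (root.findtext("global/email_notification") or "").strip().lower() == "yes"
    has_recipient = bool((root.findtext("global/email_to") or "").strip())
    findings["email_notification"] = email_on and has_recipient

    # 2. The integrity check daemon (syscheck) needs at least one directory to watch.
    findings["syscheck"] = any((d.text or "").strip()
                               for d in root.iterfind("syscheck/directories"))

    # 3. Rootkit detection (rootcheck) needs at least one signature file configured.
    rootcheck = root.find("rootcheck")
    findings["rootcheck"] = rootcheck is not None and len(rootcheck) > 0

    # 4. Active response: a firewall-drop response that refers to a defined command.
    commands = {(c.findtext("name") or "").strip() for c in root.iterfind("command")}
    findings["firewall_drop"] = any(
        (ar.findtext("command") or "").strip() == "firewall-drop" and "firewall-drop" in commands
        for ar in root.iterfind("active-response"))

    # 5. Which of the expected log files have no <localfile> entry, i.e. are never read.
    monitored = {(lf.findtext("location") or "").strip() for lf in root.iterfind("localfile")}
    findings["missing_logs"] = [p for p in expected_logs if p not in monitored]
    return findings


if __name__ == "__main__":
    for key, value in audit_ossec_conf(SAMPLE_OSSEC_CONF).items():
        print(f"{key}: {value}")
```

With the sample above the audit reports two of the four listed log files as unmonitored, which is the check to make before relying on them for detection.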


By this we complete our second objective of the project, i.e. the installation and configuration of OSSEC and SGUIL.

4.3 Integration of OSSEC with SGUIL (Phase 4 of the Waterfall LCM)

This is one of the objectives of the project: the integration of OSSEC with SGUIL. It can be achieved easily by using the NSM package.

Before integrating OSSEC with SGUIL we need to configure OSSEC and SGUIL individually.

First I demonstrate the individual configuration, then we integrate the two.

NSM is a package which installs all the required components, such as MySQL, pcap, ncap, tcl, libcap and others.

NSM by default also includes SNORT, which is an NIDS.

NSM treats these IDS as sensors: NSM acts as a platform on which the IDS are installed and added as sensors. Moreover, NSM is also capable of installing the SGUIL server.

All of these are discussed in the literature review regarding NSM.

So now it is time to add a sensor called OSSEC to the NSM platform:

Set the sensor name.

Set eth0 for the OSSEC sensor.

Set all data paths to the default.

Set the server host to 192.168.1.1.

Set the server database name to server_db1.

Set the database user to sguil.

Set the default client password.

Set the SGUIL client ID to 127.0.0.1.


Core part of integration

Command / Functionality:

nsm: displays the list of sensors added to NSM.

nsm_server_add: adds a server and sets its name.

Step 1. Type nsm_server_add and set the server name to OSSEC.

Step 2. It prompts for the sensor name; set it as configured before, i.e. in our case sensor 1.

Step 3. It prompts for the sensor port; set it to 7777.

Step 4. It prompts for the client port; set it to 7778.

Step 5. It prompts for the initial client username; set it to sguil.

Step 6. It prompts for the initial client password; set it to password.

Step 7. It prompts for the NSM administrative auto script; type Y.

Step 8. It prompts y/n for creation of the server; type Y.

Testing: the sensor can be tested by typing the ls command in the NSM directory. It should display the OSSEC sensor added to NSM.

Final step of integration

Step 9. Move to the location /root/home/OSSEC_agent.

Step 10. Execute the command below:

./ossec_agent.tcl -o -c ossec_agent.conf -f /var/ossec/logs/alerts/alerts.log -p 1

Later, run the SGUIL client, i.e. sguil.tk.

On execution of the command above, it opens the SGUIL interface, connects to the SGUIL server and prompts for authentication; the window is shown below.

On authentication with the SGUIL server it opens the SGUIL GUI with all its features enabled.

Now it is time to verify the NSM sensor list (i.e. that OSSEC is added to the sensor list of NSM) and also to test the functionality of the individual components and of the integrated components, i.e. SGUIL and OSSEC. To verify the implementation of the project it has to be tested using different types of testing methodologies.


TESTING

Introduction to testing:

Testing is the process of finding bugs and errors in software. In other terms, testing can be defined as an attempt to make the system fail in as many ways as possible. This is to ensure the reliability of the software.

It can also be used to assess the functionality and the implementation, and to detect errors. Testing plays a crucial role in ensuring quality, and the results of testing are used later during maintenance.

5.1 Testing objectives:

The main objective of testing is to uncover the errors, flaws, deviations and so on which may prevent the system from working as per the requirement specification. Formally, testing is the process of executing a program with the intent of finding an error. Its characteristics are:

A successful test is one that uncovers an undiscovered error.

A good test case is one that has a high probability of finding an error.

Tests alone cannot show that no errors remain.

Testing confirms quality and reliability standards.


The following are some of the testing methods applied to the project:

5.1 Testing

Source code testing

This examines the logic of the code, i.e. of the system. If we get the output required by the user, we can say that the logic is correct.

This is not applicable in our case, because in this project we are not writing any code; we are using existing code.

Module testing

Here errors are found in each individual module, which encourages the programmer to find and rectify them without affecting the other modules.

5.2 Levels of Testing:

In order to uncover the errors present in the different phases we have the concept of levels of testing.

Unit Testing:

Unit testing is aimed at the smallest unit of software, i.e. the module. The detailed design and the process specification are used to uncover errors within the module. All modules must pass the unit test before we proceed to integration testing.

Integration Testing:

An integration test is performed with the goal of testing the integration, with emphasis on the interfaces between modules. This testing activity can be considered as testing the design, i.e. testing module interactions.

System Testing:

Here the entire software system is tested. All the functionality mentioned in the requirement specification is tested, to see that the system meets all its requirements.

Acceptance Testing:

Acceptance testing is performed with realistic input data to demonstrate that the software works satisfactorily. It focuses on the external behaviour of the system; the internal logic of the program is not emphasised. Test cases should be selected so that the largest number of attributes of an equivalence class is exercised at once. It is the process of finding errors and missing operations, and a complete verification to determine whether the objectives are met and the user requirements are satisfied.

White Box Testing:

This is the unit testing method where one unit is taken at a time and tested thoroughly at statement level to find the maximum possible errors. White box testing is also called glass box testing.

Black Box Testing:

This testing method considers a module as a single unit and checks its interface and communication with other modules rather than going into detail at statement level. Here the module is treated as a black box that takes some input and generates output. The output for a given set of input combinations is forwarded to the other module.

Let us have a tabulated look at the testing methods applicable to our project.


Test method / In our scenario:

Module level testing: in our case module level testing is applied to OSSEC and SGUIL after their installation and configuration.

Unit testing: in our case unit testing means testing the individual components such as pcap, jcap, etc.

Integration testing: in our project integration testing is performed after the integration of OSSEC and SGUIL. Integration testing is also performed after the installation and configuration of NSM.

System testing: system testing is performed after the complete implementation of the project.

Acceptance testing: acceptance testing is performed with all the possible values and limits of the inputs, but this is a bit tedious because in our case the range is very wide.

White box testing: here a unit is a single individual component such as pcap, libcap, etc., so all of these individual components are to be tested.

Black box testing: black box testing is performed after the installation of NSM and the integration of OSSEC and SGUIL.


5.3 Test plan:

Testing begins with a plan and ends with acceptance testing. The test plan is a general document for the entire project that defines the scope, approach and schedule of testing. It identifies the test items for the entire testing process and the person responsible for testing. Test planning can be done well before the actual testing commences; it can be done in parallel with the design and coding phases. The following documents are required to set up a test plan:

Project plan

Requirements document

System design document

A test plan should contain the following:

Test unit specification

Features to be tested

Approach for testing

Test deliverables

Schedule

Personnel allocation

One of the most important activities of the test plan is to identify the test units.

Design of the test plan for the project

In our case we begin with the unit test.


Step 1. We begin with unit testing and test the individual components. This is done after the installation of NSM.

Step 2. Next we perform module testing after the installation and configuration of OSSEC and SGUIL.

Step 3. Next we proceed with integration testing after the integration of SGUIL and OSSEC.

Step 4. We then perform system testing after the implementation process and test the entire system.

Step 5. After system testing we do acceptance testing to figure out the possible inputs that the system can accept from the user's perspective.

Features to be tested:

In this scenario the features to be tested include:

The installed packages and their compatibility with each other.

The individual components and the availability of the repositories they depend on.

The functioning of the individual components and their interdependencies.

The characteristics specified by the requirements and design documents, including functionality, performance, design constraints and attributes.

Finally, all the functional requirements specified in the requirements documents have to be tested.

Approach for testing:

The approach for testing specifies the overall approach to be followed in the current project. This is sometimes called the testing criteria.


5.4 Test case report:

Above I listed all the test cases used for testing.

The conditions to be tested, along with the test cases and the testing procedure, are given below, together with the expected outputs.

Test cases have been selected for both valid and invalid inputs.

As this project is implemented on the local system, on a single machine, everything is tested on the same system. The application is tested with the following steps and conditions.

Test for hardware

Installing Ubuntu requires a minimum of 256 MB of RAM, so before we proceed it is necessary to have at least 256 MB of RAM.

The system configuration can be seen in the system configuration file.

Test for network connectivity

If the same project is installed on a group of systems in a network, then it is necessary to test the following on them:

The NIC is properly installed on each system connected to the network and is working.

The systems are properly connected to the network and to the server system.

This can also be tested using the ping command, but in our case we are using only the local system.

Test for phase 3 unit testing

We perform unit testing in phase 3 of the project life cycle, i.e. after the installation and configuration of OSSEC and SGUIL as described in the installation procedure.

In a terminal, type these commands:

Command for testing / Test description:

/var/ossec/bin/ossec-control start: starts the OSSEC HIDS server and displays an error if there is any failure in starting the OSSEC server. The failure can be traced from the displayed error messages.

/etc/init.d/ossec status: displays the status of all the components of OSSEC.

/etc/init.d/sguild status: displays the status of all the components of SGUIL.

If any individual component fails, we can debug it. This is the unit testing we do in phase 3 of the project. The same is repeated with the individual components of the NSM package.

Then we perform module testing on OSSEC and NSM as a whole.

OSSEC is tested by opening the config file in the OSSEC directory.

OSSEC functions can also be tested by opening the log files, such as those under /var/ossec/logs.

If the system is remote, the admin can view its log files using the command:

ssh root@ipaddress ls /var/ossec/logs

For NSM, run the command /etc/init.d/nsmnow status; it displays the status of all its components.

After the integration of OSSEC and SGUIL, log in and check the individual functions.

Test for phase 4 (system testing)

System testing is performed after the integration of OSSEC and SGUIL.

The key questions to be answered by this testing are:

Was the integration of these two tools successful?

Is all the functionality available after the integration?

The first question is answered by running the file sguil.tk. If it prompts for SGUIL authentication, and the authentication succeeds, it implies that the tools were integrated properly.

The functionality is tested after logging in to the SGUIL GUI.

In our project we could not test all the functionality of the SGUIL GUI.


5.5 Test report

Test / Error:

Incorrect SGUIL database name: database not found.

Incorrect SGUIL database username or password: incorrect username and password.

Cannot find symbol: the symbol is not instantiated correctly in that location.

Incorrect package usage: package not found.

Incorrect NIC details: cannot get details of the network.

Test for intrusion detection

Intrusion detection is verified by viewing the alerts. Below are a few of the alerts generated in the system when tested locally.

Figure: performing rootcheck analysis

Figure: detecting an intrusion and identifying it through alerts, with the list of details, its path and all other details

The description of the alerts is shown above.
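Both the SGUIL agent started in step 10 (ossec_agent.tcl -f /var/ossec/logs/alerts/alerts.log) and an administrator at the terminal read the same alerts.log, so the alerts shown above are worth being able to parse. The Python script below, added here and not part of the dissertation or of the OSSEC and Sguil projects, parses constructed alerts.log entries into fields and separates the alerts at or above OSSEC's default email alert level (7) from the rest; the hostnames, addresses, process ids and checksums in the sample are placeholders.

```python
"""Parse OSSEC 2.x alerts.log entries and pick out the ones to look at first.

Added example, not part of the dissertation or of the OSSEC/Sguil projects.
The sample below is constructed in the alerts.log layout: a header line with
the alert id and rule groups, an origin line (host->location), the rule line,
optional 'Src IP:' / 'User:' fields, then the raw log line(s). Hostnames,
addresses, process ids and checksums are placeholders.
"""
import re
from collections import Counter

SAMPLE_ALERTS = """\
** Alert 1283425200.12345: - syslog,sshd,authentication_failed,
2010 Sep 02 12:00:00 ubuntu->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.1.50
User: root
Sep  2 12:00:00 ubuntu sshd[1234]: Failed password for root from 192.168.1.50 port 4455 ssh2

** Alert 1283425260.12400: mail  - ossec,rootcheck,
2010 Sep 02 12:01:00 ubuntu->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Process '4321' hidden from /proc. Possible kernel level rootkit.

** Alert 1283425320.12500: - ossec,syscheck,
2010 Sep 02 12:02:00 ubuntu->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: '00000000000000000000000000000000'
New md5sum is : 'ffffffffffffffffffffffffffffffff'
"""

# 'mail' after the id marks an alert OSSEC will also e-mail; groups are comma-separated.
_HEADER = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):(?P<mail> mail)?\s+- (?P<groups>[\w,]+)")
_ORIGIN = re.compile(r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>.+?)->(?P<location>.+)$")
_RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'")


def parse_alerts(text):
    """Return one dict per alert block; blocks without the expected three leading lines are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = _HEADER.match(lines[0]) if lines else None
        if head is None or len(lines) < 3:
            continue
        origin = _ORIGIN.match(lines[1])
        rule = _RULE.match(lines[2])
        if origin is None or rule is None:
            continue
        alert = {
            "id": head.group("id"),
            "mail": head.group("mail") is not None,
            "groups": [g for g in head.group("groups").split(",") if g],
            "host": origin.group("host"),
            "location": origin.group("location"),  # a log file, or 'syscheck'/'rootcheck'
            "rule": int(rule.group("rule")),
            "level": int(rule.group("level")),
            "description": rule.group("desc"),
            "src_ip": None,
            "user": None,
            "details": [],  # the raw log line(s) or syscheck/rootcheck text
        }
        for line in lines[3:]:
            if line.startswith("Src IP: "):
                alert["src_ip"] = line[len("Src IP: "):].strip()
            elif line.startswith("User: "):
                alert["user"] = line[len("User: "):].strip()
            else:
                alert["details"].append(line)
        alerts.append(alert)
    return alerts


def triage(alerts, min_level=7):
    """Split alerts into those at/above min_level (7 is OSSEC's default e-mail level) and a per-group count."""
    urgent = [a for a in alerts if a["level"] >= min_level]
    by_group = Counter(g for a in alerts for g in a["groups"])
    return urgent, by_group


if __name__ == "__main__":
    urgent, by_group = triage(parse_alerts(SAMPLE_ALERTS))
    for a in urgent:
        print(f"level {a['level']} rule {a['rule']} on {a['host']} ({a['location']}): {a['description']}")
    print(dict(by_group))
```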


Self-Evaluation

We began the project with the objective of installing, configuring and integrating OSSEC and SGUIL.

Initially, in the methodology part, the implementation followed the waterfall model. The order of the sequence helped this project achieve its goals. The implementation methodologies and testing procedures were very useful for the successful implementation of the project. The test report is very informative and self-explanatory, which made the testing very easy, and it explains the different conditions to be tested and the requirements to be met.

I would like to comment that the results are good, but they would have been much better if I had implemented this in a lab, because a lab would have enabled me to install OSSEC in server mode and it would have been much more real-time in nature. The representation of intrusions is very much enhanced by using the SGUIL GUI.

This project also supports a cross-platform architecture, and it was capable of identifying intrusions by rootkit detection, file integrity checking, file monitoring and alerting by email and other notifications. It can even monitor network traffic and multiple hosts; it can detect and even generate reports of the files being attacked, the intrusion types and the attack. The output of the project is up to an acceptable level.

A few points were newly introduced into the document, such as testing through SSH and a few others. These are just ideas from different papers which were incorporated in this implementation. Anyhow, these added a few more features to the project.


Achievements

The following are the achievements of the project:

Successful installation of OSSEC, NSM and their dependencies.

Successful configuration of OSSEC and NSM.

Successful addition of OSSEC as a sensor to NSM.

Successful integration of OSSEC with SGUIL.

Detection of intrusions.

Generation of alerts.

Remote access to the system by the administrator.

In the project the following issues remained unachieved because of the time constraint:

Email notification alerts on detection of an intrusion. This is because of an SMTP server issue.

Proper alerts on the SGUIL GUI; the only reason for this is the time constraint.

To be precise, the output using the SGUIL GUI remained unachieved.

But the project achieved all its basic goals, i.e. the installation of OSSEC and SGUIL, their configuration, integration and finally intrusion detection.


Discussion

This project, titled 'HOST BASED INTRUSION DETECTION SYSTEM' or 'HIDS', was implemented as planned, with a few deviations in implementation. It was implemented to an acceptable level and achieved the basic objectives and goals discussed earlier in the introduction.

Choosing Linux Ubuntu 8.10 was a good option because it made the installation and maintenance easier on the server side. Implementation on Linux made the project a bit more real-time in nature.

Initially I started with Ubuntu 10.04, but because of its higher version it had higher default package versions, such as MySQL and its related packages. This caused a conflict when I was installing the NSM package, so I downgraded to Ubuntu 8.10. It was then quite compatible and easy to install.

During the installation there were also issues with package dependencies, but these were resolved using a few commands. NSM and OSSEC were successfully installed and configured on the local system, and finally the two tools were successfully integrated.

During testing, when the SGUIL GUI prompted for authentication, it failed. This issue was at first unsolved and untraceable, but finally it was resolved by detecting the error at the port.

The functions of OSSEC and the intrusion detection were successful to the expected level. This was confirmed after testing the files under /var/ossec/logs.

A new feature, remote execution, is introduced from the administrator's point of view, i.e. enabling control of the remote system on detection of an intrusion using the SSH command.

Finally, the project was successful in achieving almost all the objectives mentioned at the beginning, and all the requirement specifications stated at the beginning of the project were achieved with slight deviations within the given constraints.


Limitations of the project

These are a few limitations of the project:

As the size of the network increases, the job of monitoring becomes more difficult to handle. Implementation and maintenance of this HIDS in a very large network becomes tedious from the administrator's point of view.

This kind of HIDS can only detect an intrusion rather than prevent it, unlike an intrusion prevention system. It is not automated in the way intrusion prevention systems are.


Conclusion

We were successful in identifying and analysing the tools for the implementation of a HIDS. OSSEC and SGUIL were successfully installed and configured as planned, according to our objectives; by this we were successful in achieving the basic objectives of the project.

The OSSEC HIDS was implemented successfully by integrating OSSEC and SGUIL, following the procedures of the waterfall life cycle model. The results were up to an acceptable level, as it was capable of detecting intrusions within the system based on the parameters of OSSEC. It also achieved the objectives from the administrator's point of view, i.e. monitoring the events and alerts, accessing the logs and controlling them.

Thus the project "HOST BASED INTRUSION DETECTION SYSTEM" with OSSEC and SGUIL yielded a good result, as we expected at the beginning. Even though there were small deviations in a few points which remained unachieved, this is highly acceptable because of the time constraint.

In short, we achieved almost all the basic objectives stated in 1.1.3. Hence the project is successful.


Future work and recommendations


Scope for the future:

The HIDS was implemented, but there are still many features which can be incorporated into it.

NIDS tools can also be combined with the HIDS. For example, NSM by default has SNORT, a powerful NIDS tool. Integrating this with OSSEC may yield a much more powerful intrusion detection tool.

There are a few limitations to this implementation, e.g. its maintenance in a bigger network. For these kinds of problems an alternative solution must be found.

It can be improved much more from the administrator's point of view, e.g. better monitoring based on other parameters and access to remote systems.

As there are many situations in which a delay or a network problem may result in unwanted intrusion detections, it would be better if alternative parameters were considered for intrusion detection, but the main drawback is that this is quite difficult to implement.

Recommendations

Whatever application or tool is being developed, it should be developed in such a way that it can be extended with the features of reliability, flexibility, and ease of installation and maintenance.

The features of Linux and its architecture make it more powerful for implementing these kinds of applications on the server side and yield a much better result, e.g. the usage of ssh in this application for remote access by the administrator. It can even ease the job of installation and maintenance.

It is an accepted fact that SGUIL has a good GUI, but it can be refined further and many more functions can be added, e.g. ssh.

The features of an intrusion prevention system, such as a response on detection of an intrusion, can be incorporated into these tools.


Bibliography


Laurie Zirkle (2-12-2008). What is Host-based Intrusion Detection System? Available: http://www.sans.org/security-resources/idfaq/host_based.php. Last accessed 02-09-2010.

Raymond Lewallen (13-July-2005). Software development life cycle model. Available: http://codebetter.com/blogs/Raymond.lewallen/archive/2005/07/13/129114.aspx. Last accessed 02-09-201

Ciccarelli, Patrick; Faulkner, Christina (2004). Networking Foundations. San Francisco: Sybex Books. 1-2.

Cole, Eric; Krutz, Ronald; Conley, James W. (2005). Network Security Bible. Indianapolis, IN: John Wiley & Sons Inc (US).

Pieter de Boer & Martin Pels (4-Feb-2004). Host-based Intrusion Detection Systems. 1.10 (1), 5-26.

chami (19-June-2010). OSSEC and SGUIL integration on CentOS. Available: http://nsmchami.wordpress.com/. Last accessed 02-09-2010.

Guy Bruneau (15-Jan-2005). SGUIL configuration and installation, 1-7. Available: http://www.whitehats.ca/downloads/ids/shadow-slack/docs/SGUIL.pdf


Daniel B. Cid (2007). OSSEC HIDS. OSSEC-ottsec. 1 (1), 4-20. Available: http://www.OSSEC.net/OSSEC-docs/OSSEC-ottsec.pdf

Peltier, Thomas R.; Peltier, Justin; Blackley, John A. (2005). Information Security Fundamentals. Boca Raton, FL: CRC Press.

Strebe, Matthew (2004). Network Security Foundations. San Francisco: Sybex Books.

Cole, Eric; Krutz, Ronald; Conley, James W. (2005). Network Security Bible. Indianapolis, IN: John Wiley & Sons Inc (US).

Slade, Robert (2006). Dictionary of Information Security. Rockland, MA: Syngress Publishing Inc.

Albanese, Jason (2004). Network Security Illustrated. New York: McGraw-Hill Professional.

Ciccarelli, Patrick; Faulkner, Christina (2004). Networking Foundations. San Francisco: Sybex Books.

Lecture Notes in Computer Science: Image Analysis and Processing, ICIAP 2005.

Network Security. O'Reilly Media, March 2004.

Page | 83

Page 84: Ossec Hids Print

Web references

[1]. (11-march-2009). Intrusion Detection.

Available:http://searchmidmarketsecurity.techtarget.com/sDefinition/0,,sid19 8_gci295031,00.html.Last accessed 02-09-2010.

(2009). Types of monitoring.

Available: http://www.activesecuritygroup.co.uk/monitoring.html

Last accessed 02-09-2010.

(2009). Managed secured monitoring.

Available: http://bt.counterpane.com/services-msm.html.

Last accessed 02-09-2010.

(2001). Network Based IDS.

Available: http://www.intrusion-detection-system-group.co.uk/index.htm .

Last accessed 02-09-2010.

(2001). Host Based IDS.

Available: http://www.intrusion-detection-system-group.co.uk/host.htm

Last accessed 02-09-2010.

OSSEC download by terend micro.

Available: http://www.OSSEC.net/main/downloads/.Last accessed 02-09-2010.

NSM download.

Page | 84

Page 85: Ossec Hids Print

Available: http://www.securixlive.com/download/nsmnow/.

Last accessed 02-09-2010.

chami. (19-june-2010).

OSSEC and SGUIL integration on cent os.

Available: http://nsmchami.wordpress.com/. Last accessed 02-09-2010.

Alisha Cecil (2006). A Summary of Network Traffic Monitoring and Analysis.

Available:http://www.cs.wustl.edu/~jain/cse567-06/ftp/net_monitoring.pdf

Network monitoring. Available: http://en.wikipedia.org/wiki/Network_monitoring. Last

accessed 2nd Sep 2010.

Sax2 Network Intrusion Detection System. Available:

http://www.aeonity.com/devidhuang/pg/2. Last accessed 03 Sep 2010.

(2006). LAN/WAN Network Management. Available:

http://www.ontariosystems.net/OntarioForums/showthread.php?s=&t=3. Last accessed 01

Sep 2010.

Priya. (2006). Types of SDLC Models. Available: http://toostep.com/trends/types-of-sdlc-

models. Last accessed 01 Sep 2010.

Matthew J. Faulkner. Host Based Intrusion Detection Systems. Available:

http://webpages.uah.edu/~faulknmj/660%20tutorial.htm. Last accessed 25 Aug 2010.

A Kaminsky. Host Based Intrusion Detection Systems. Available:

http://www.wisegeek.com/what-is-network-security.htm. Last accessed 22 Aug 2010.

http://www.ieee.org/portal/site. Last accessed 03 Sep 2010.

Page | 85

Page 86: Ossec Hids Print

Figures

Figure 1: Waterfall life cycle model
http://www.codebetter.com/blogs/raymond.lewallen/downloads/waterfalllModel.gif

Figure 2: IDS
http://www.cs.bham.ac.uk/~mdr/teaching/modules03/security/students/SS1/handout/intrusion.png

Figure 3: HIDS
http://www.windowsecurity.com/img/upl/image0061057828883689.jpg

Figure 4: NIDS
http://www.windowsecurity.com/img/upl/image0041057828849911.jpg

Figure 5: NSM package
http://nsmchami.files.wordpress.com/2010/06/ere3.jpg

Figure 6: OSSEC details
http://nsmchami.files.wordpress.com/2010/06/sses.jpg

Appendices

Screenshots

Screenshot: list of log files that are useful for analysis.

Screenshot: logging into the remote system using SSH. The network administrator uses this to monitor the remote systems on the network.

Screenshot: identifying the alerts on the remote system after logging into it using SSH.

Commands

# Build tools and database
sudo apt-get install gcc                  # install the gcc C/C++ compiler (needed to build OSSEC from source)
sudo apt-get install mysql-server-5.0     # install MySQL server 5.0

# OSSEC HIDS
wget http://www.ossec.net/files/ossec-hids-2.4.1.tar.gz   # download OSSEC HIDS 2.4.1
tar -xzvf ossec-hids-2.4.1.tar.gz                         # extract the gzipped tarball
cd ossec-hids-2.4.1                                       # change into the OSSEC source directory
./install.sh                                              # run the interactive OSSEC installer

# NSMnow (SGUIL sensor/server bundle)
wget http://www.securixlive.com/download/nsmnow/NSMnow-1.6.2.tar.gz   # download NSMnow 1.6.2
tar -xzvf NSMnow-1.6.2.tar.gz                                         # extract the gzipped tarball
cd NSMnow-1.6.2
./NSMnow -i                               # run the NSMnow installer
cat NSMnow.log                            # review the installer log for errors

# Restart the NSM services (run as root)
/etc/init.d/nsm restart

# Integrating OSSEC with SGUIL: start the OSSEC agent, which reads the OSSEC
# alert log and forwards alerts to the SGUIL server using ossec_agent.conf
cd ossec_agent
./ossec_agent.tcl -o -c ossec_agent.conf -f /var/ossec/logs/alerts/alerts.log -p 1

# Start the SGUIL client
sguil.tk
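The OSSEC agent started above reads records from /var/ossec/logs/alerts/alerts.log and forwards them to SGUIL. The following Python is an added example, not code from this dissertation or from the OSSEC or SGUIL projects: it parses the record layout OSSEC 2.x writes to that file (a "** Alert" header, an origin line, a "Rule:" line, optional "Src IP:" and "User:" lines, then the raw log lines, with records separated by a blank line) and applies a minimum-level filter of the kind an integration agent uses before forwarding. The alert records embedded in it are constructed sample data, not output captured from a real host.

```python
"""Parse OSSEC alerts.log records and filter them by alert level.

Added example (not from the dissertation, OSSEC or SGUIL).  The alert text
below is a constructed sample in the layout OSSEC 2.x writes to
/var/ossec/logs/alerts/alerts.log; it was not captured from a live system.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: three records, the second one flagged for e-mail ("mail").
SAMPLE_ALERTS_LOG = """\
** Alert 1283990400.1001: - syslog,sshd,authentication_failed,
2010 Sep 09 00:00:00 (agent01) 192.168.1.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.1.50
User: root
Sep  9 00:00:00 agent01 sshd[1234]: Failed password for root from 192.168.1.50 port 51234 ssh2

** Alert 1283990460.1002: mail - syslog,sshd,authentication_failures,
2010 Sep 09 00:01:00 (agent01) 192.168.1.10->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.168.1.50
User: root
Sep  9 00:00:50 agent01 sshd[1238]: Failed password for root from 192.168.1.50 port 51240 ssh2
Sep  9 00:00:55 agent01 sshd[1240]: Failed password for root from 192.168.1.50 port 51242 ssh2

** Alert 1283990520.1003: - ossec,syscheck,
2010 Sep 09 00:02:00 sensor01->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):(?P<mail> mail)? - (?P<groups>.*)$")
ORIGIN_RE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (?P<origin>.*)->(?P<location>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRCIP_RE = re.compile(r"^Src IP: (?P<ip>\S+)$")
USER_RE = re.compile(r"^User: (?P<user>\S+)$")


@dataclass
class OssecAlert:
    timestamp: float
    groups: List[str]
    rule_id: int = 0
    level: int = 0
    description: str = ""
    location: str = ""
    mail: bool = False
    src_ip: Optional[str] = None
    user: Optional[str] = None
    log_lines: List[str] = field(default_factory=list)  # raw lines that triggered the rule


def parse_alerts(text: str) -> List[OssecAlert]:
    """Split alerts.log text on blank lines and parse each record."""
    alerts: List[OssecAlert] = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0]) if lines else None
        if head is None:
            continue  # not an alert header: skip rather than guess at the layout
        alert = OssecAlert(
            timestamp=float(head.group("ts")),
            groups=[g for g in head.group("groups").split(",") if g],
            mail=head.group("mail") is not None,
        )
        for line in lines[1:]:
            if not alert.location and (m := ORIGIN_RE.match(line)):
                alert.location = m.group("location")
            elif m := RULE_RE.match(line):
                alert.rule_id = int(m.group("id"))
                alert.level = int(m.group("level"))
                alert.description = m.group("desc")
            elif m := SRCIP_RE.match(line):
                alert.src_ip = m.group("ip")
            elif m := USER_RE.match(line):
                alert.user = m.group("user")
            else:
                alert.log_lines.append(line)
        if alert.rule_id:  # a record without a Rule: line is incomplete; drop it
            alerts.append(alert)
    return alerts


def alerts_at_or_above(alerts: List[OssecAlert], min_level: int) -> List[OssecAlert]:
    """Keep only alerts whose OSSEC level is at least min_level."""
    return [a for a in alerts if a.level >= min_level]


def count_by_rule(alerts: List[OssecAlert]) -> Dict[int, int]:
    """Count alerts per rule id, a quick view of what dominates the log."""
    counts: Dict[int, int] = {}
    for a in alerts:
        counts[a.rule_id] = counts.get(a.rule_id, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS_LOG)
    for a in alerts_at_or_above(parsed, 7):
        print(f"level {a.level:2d} rule {a.rule_id:5d} {a.location:20s} {a.description}")
    print(count_by_rule(parsed))
```

Running the script prints the two sample alerts at level 7 or above and the per-rule counts; pointing parse_alerts at the contents of a real alerts.log lets an administrator check which records a given level threshold would pass on to the SGUIL console before relying on the agent's own filtering.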
