Embed Size (px)
Citation preview
IPLOG?A beginner's IDS for the WIN!v0.2
IPLOG, provides the beginner sysadmin with actionable
network intelligence, without the complexities of more advanced
IDS solutions.
The purpose of an IDS.Actionable & Timely Intelligence.● Open Source Solutions
– Suricata– TcpDump / Wireshark– SNORT– IPLOG
The Problems● Suricata.
– It exists, that's all I know about it.– If you know more about it, be ready for the Q & A!– Next point. :-)
● TcpDump / Wireshark.– Skills
● Can you read a pcap like a book?● Can you dissect TCP/IP in your head?● We are at a BSides, maybe some of you can.
– Speed● Can you do all the above at 10 MB/s?● Actionable? Yes. Timely? No.
The Problems ContdSNORT Complexity
● IDS - SNORT has LOTS of options.● Rule Management.
– Which set or sets?● Community.● ET.● VRT.● Custom.
– Which update solution?● Oinkmaster.● Pulled Pork.
The Problems ContdSNORT Complexity Contd
● Logs - Here comes LOTS of DATA!– Which DB?
● Mysql.● Postgresql.
– SNORT -> DB interface? - Barnyard2● A Web APP
– Web Server Deployment.– Web App Deployment.– Some Web Apps.
● BASE● Snorby● Sguil
The Problems ContdSNORT Contd
● Skills– Learn everything just mentioned.– Tune your rule sets to eliminate the noise.
● Speed.– Actionable? Yes.– Timely? Yes.
● After your rule set is tuned.● After you get current on the logs. :-)
A solution, IPLOG. What is IPLOG?
● Open Source Software.● Written by Ryan McCabe in 2000.● github.com/NathanGibbs3/iplog● Simple, but not tcpdump.
IPLOGWhat does it do.
● Connection Logging● Scan Detection
– TCP Port Scans.
– TCP SYN Scans.
– TCP null Scans.
– FIN Scans.
– TCP "Xmas" Scans.
– UDP Scans.
● Attack Detection– ICMP ping floods.
– UDP and ICMP "smurf" attacks.
– IP fragment attacks.
– Bogus TCP flags.
● NMAP Scan evasion. ( Experimental )
IPLOGLogging
● Syslog or text file● Log Sample
Jan 1 00:26:25 TCP: Bogus TCP flags set by 157.55.33.14:28256 (dest port 80)Jan 1 02:24:03 UDP: scan/flood detected [port 500] from 124.126.133.120 [port 500]Jan 1 02:24:10 ICMP: 194.187.150.110 time exceeded (udp: dest port 32887, source port 51413)Jan 1 02:24:44 ICMP: 196.200.48.10 time exceeded (tcp: dest port 63473, source port 47785)Jan 1 02:24:45 ICMP: 196.200.48.10 time exceeded (tcp: dest port 63473, source port 44733)Jan 1 02:25:09 UDP: scan/flood mode expired for 124.126.133.120 - received a total of 36 packets (14616 bytes).Jan 1 02:26:18 ICMP: echo from 129.82.138.44 (12 bytes)Jan 1 02:26:26 ICMP: 194.187.150.110 time exceeded (udp: dest port 51731, source port 51413)Jan 1 02:29:15 last message repeated 1 timesJan 1 02:29:15 TCP: ms-sql-s connection attempt from 115.239.226.51:6000Jan 1 02:30:26 UDP: dgram to isakmp from 124.126.133.120:500 (412 data bytes)Jan 1 02:30:26 UDP: dgram to isakmp from 124.126.133.120:500 (384 data bytes)
IPLOGMisc.
● Can filter out noise.
– Config Example.
# gtld Name Serversignore udp from 192.5.6.30 sport 53ignore udp from 192.12.94.30 sport 53ignore udp from 192.26.92.30 sport 53ignore udp from 192.31.80.30 sport 53ignore udp from 192.33.14.30 sport 53ignore udp from 192.35.51.30 sport 53
● A newer version of IPLOG. ( 2.2.5 )github.com/NathanGibbs3/iplog
Contact Information.● Email: [email protected]● Twitter: @Christ_Media● Linkedin: linkedin.com/in/nategibbs● Slideshare: slideshare.net/NathanGibbs3● GitHub: github.com/NathanGibbs3● Web Site: www.cmpublishers.com/oss
Thank You!● Jesus Christ.● Family & Friends.● BSides ROC.● Ryan McCabe.
Q & A
?
