1.1 Introduction
A large NIDS server can be set up on a backbone network to monitor all traffic, or smaller systems can be set up to monitor traffic for a particular server, switch, gateway or router.
The NIDS server can also serve a proactive role instead of a protective or reactive one. Possible uses include scanning local firewalls or network servers for potential exploits, or scanning live traffic to see what is actually going on.
Keep in mind that an NIDS server does not replace primary security such as firewalls, encryption and other authentication methods. The NIDS server is a backup network integrity device. Neither system (primary security or the NIDS server) should replace common precautions (building physical security, corporate security policy, etc.).
1.2 Problem Statement
After making the review, we found that no Network Intrusion Detection System (NIDS) that sends notifications via e-mail exists. So we identified the following problems:
1.2.1 The network administrator cannot identify the type of attack that tries to penetrate the network.
From the observations made, the current system does not list the type of attack that tries to enter the network.
1.2.2 The network cannot detect a hacker's attempt to access the network using remote hacking tools.
The current system does not send a notification when anomalous packets try to attack the network. The network administrator needs to check the reports to find out whether any packet tried to attack or not.
1.2.3 The network administrator finds it hard to get a notification when the network is being attacked by anomalous packets.
1.3 Objective
Implementing this project brings many advantages. To gain all of them, the objectives of the project must be achieved. The objectives are:
1.3.1 To build a network intrusion detection system that can detect unhealthy, anomalous packets in the network.
1.3.2 To monitor server log files and look for suspicious traffic or usage patterns that match a typical network compromise or a remote hacking attempt.
1.3.3 To develop a system that notifies the network administrator through Gmail when the network receives an anomalous packet.
1.4 Scope
Project scope is the part of project planning that involves determining and documenting a list of specific project goals, tasks and costs. In other words, it is what needs to be achieved and the work that must be done to deliver a project.
iRedMail
- An open source, full-featured mail server solution for Linux/BSD. It provides basic features such as unlimited virtual mail accounts, POP3/IMAP/SMTP and AJAX webmail.
1.4.1.2 Hardware
A desktop acting as a server.
1.4.2 Users Scope
The target users of this project are the network administrators of Ungku Omar Polytechnic. The user of this project must have full authority over the network in Ungku Omar Polytechnic in order to make any changes or solve problems.
1.5 Methodology
This section introduces the methods and information used in our project. Many steps were taken to complete this project, starting from installing the Ubuntu operating system as a server, installing Snort 3.0 Alpha, configuring Snort, configuring e-mail and testing the project.
1.6 Conclusion
This chapter covers the background of the project, the problem statement, the objectives, the scope and the methodology of the project. The background briefly describes the project, the Network Intrusion Detection System (NIDS), and the usage of this system, whereas the problem statement describes in detail how to solve the problems faced by the network administrator. Next, the objectives of the project focus on why this system is built and in what way it can be used. The scope of the project explains the software and hardware used to complete this project, and the user scope, i.e. who can use this system. Lastly, the methodology explains the steps taken to accomplish this Network Intrusion Detection System.
As NIDS technologies continue to evolve, they will more closely resemble their real-world counterparts. In the future, NIDS, firewalls, VPNs and related security technologies will all come to interoperate to a much greater degree. The current generation of IDS (HIDS and NIDS) is quite effective already; as they continue to improve they will become the backbone of the more flexible security systems we expect to see in the not-too-distant future.
2.1 Introduction
Before the case study on the network upgrade and improvement is designed, some information about this project and the components used needs to be examined. This information helps in designing a better network topology upgrade and improvement. All of the information can be found on the Internet, in reference books and so on. With the theory provided, the analysis is easier to carry out. The literature review is an examination of the relations between the hardware and software used in this project.
Each project needs proof and a motive to support its decisions. The best decision can be made through experiment and experience. Within the experiment, this project can be carried out along with the planning, parts and software that can be used. All of these can be found from Internet sources.
Based on our research, a similar case study has been done before by other people, where the project in network design focused on performance and server migration. That case study used GNS3 software to simulate the new network design and VMware as the virtual machine migration service. The network equipment in their case study was Cisco products. They redesigned the current network topology to get better performance.
2.2.1 Type of Simulator
GNS3
In a previous project from the Internet, GNS3 was used as the simulator software for network testing.
Advantages:
a) GNS3 uses real IOS software to simulate the different virtual devices, so you get the new features of IOS by using a new IOS image in GNS3, whereas Packet Tracer is a software-based simulator which only allows the limited set of commands that are programmed into it. Some new commands may not work in Packet Tracer.
b) GNS3 supports devices and operating systems from more vendors (Cisco, Juniper, Linux hosts, etc.) compared to Packet Tracer.
HCL simulator
For this case study, HCL is used as the simulator software for network testing.
Advantages:
a) HCL (H3C Cloud Simulator) is a drag-and-drop application that allows the user to simulate the Comware version 7 operating system. The user can create a virtual networking environment including Comware v7 based routers and switches. It lets the user keep their networking environment virtual or bridge the virtual environment to an external network using the TAP interface.
b) The user can take packet captures with Wireshark between the devices being simulated in HCL.
2.2.2 Type of Virtual Machine
VMware
In a previous case study from the Internet, VMware was used as the virtual machine platform for system migration.
Advantages:
These platforms are necessarily out of date. Windows Server 2003, for example, entered its Extended Support phase in July of last year. That means a datacenter using this platform will not receive automatic security updates. Migrating to a modern server platform is a necessary first step in keeping your business more secure.
Ubuntu Server
For our project, Ubuntu Server Edition acts as the server operating system.
Advantages:
a. MySQL
b. PostgreSQL
c. DB2 (supported by IBM)
d. Oracle Database Express (community supported)
2.2.3 Third Party Software for Log Analysis
Snorby
In a previous project from the Internet that we researched, Snorby was used to monitor network security.
Snorby is a Ruby on Rails web application for network security monitoring that interfaces with currently popular intrusion detection systems (Snort, Suricata and Sagan). The basic fundamental concepts behind Snorby are simplicity, organization and power. The project goal is to create a free, open source and highly competitive application for network monitoring for both private and enterprise use.
BASE
Figure 2.2.3.2: BASE
For our project, BASE is used as the third party software to analyse the log files in the system.
BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a Snort IDS system.
CHAPTER 3: METHODOLOGY
3.1 Introduction
This chapter focuses on the activities that have been carried out, such as the selection of the methodology used throughout the development of this project. Emphasis is given to how the project is implemented and to the matters to be considered in doing the research. The development of this project is conducted over two semesters, semester five and semester six. A Gantt chart is attached to describe all the activities done during the implementation of this project.
3.2 Research about the Methodology Used
The key model behind the network design process is known as the Network Development Life Cycle (NDLC), as illustrated in Figure 3.2.1. The word cycle is the key descriptive term of the network development life cycle, as it clearly illustrates the continuous nature of network development. A network designed from scratch clearly has to start somewhere, namely with an analysis phase. Existing networks, however, are constantly progressing from one phase to another within the network development life cycle. For instance, the monitoring of existing networks would produce management and performance statistics, perhaps using a network management protocol such as SNMP. Qualified network analysts would then analyze these performance statistics of the existing network. Design changes may or may not be implemented based on the analysis of these performance statistics. As will be described later in the chapter, network designs may be physical or logical in nature. Physical network designs involve the arrangement and interconnection of the physical network circuits and devices, whereas logical network designs involve configuration and definition of the services that will run over that physical network, such as addressing schemes, routing schemes, traffic prioritization, security and management. Many times, proposed network design changes are first simulated using sophisticated network simulation software packages or prototyped in a test environment, safely removed from a company's production network, before being deployed or implemented.
Figure 3.2.1 Network Development Life Cycle (NDLC): Analysis, Design, Simulation prototyping, Implementation, Monitoring, Management
3.2.1 Analysis
The main objective of this phase is to understand the needs and problems faced by the network administrator. All system requirements for the Network Intrusion Detection System have been collected. Some of the activities or tasks performed in this phase were carried out to gather information on the problem that a network administrator finds it hard to get a notification when their network has been attacked by a hacker. Finally, the information gathered is analyzed and implemented in the project.
The suitable hardware and software to implement the project are listed below:
Hardware
a) 1 PC acting as a server
b) 1 additional network card for the server
c) 4 UTP Cat6 cables
d) 1 laptop as a client
e) 1 laptop as a hacker
f) 1 laptop as a database server
g) 1 8-port gigabit desktop switch
Software
a) Ubuntu Operating System
b) Snort 3.0 Alpha 2
c) BASE
d) E-mail application
3.2.2 Design
Before starting a project, the important thing to do is to understand what system needs to be developed and the extent of system interoperability when fully developed. During this phase, the concept of the Network Intrusion Detection System has been sketched. The server PC will be installed and set up with Snort 3.0 Alpha 2 in this phase. The network diagram is designed based on the hardware that will be used for the project. Microsoft Visio will be used for the design process, and the design will be centred on the idea of the project.
Figure 3.2.2.1 Network Design
3.2.3 Simulation Prototyping
In this phase, a simulation is made with the help of special tools in the networking field such as Boson, Packet Tracer, NetSim and so on. It is intended to look at the early performance of the network that will be built, and to serve as presentation material for sharing with the rest of the team. Yet, due to limitations of the simulation software, Microsoft Visio is used to build the topology that will be designed.
3.2.4 Implementation
To implement the project, all the equipment needed, including hardware and software, must be available first. After that, follow the design based on the network diagram that has been drawn. All configuration of Snort 3.0 Alpha 2 will be done in this phase. An e-mail account will also be configured to notify the network administrator if there is any attack by a hacker or a hacker tries to enter the network.
3.2.5 Monitoring
After implementation, the monitoring phase is an important stage: so that the computer and communications network can run in accordance with the wishes and goals of the user set out in the initial analysis stage, monitoring activities are necessary. Monitoring can be observed on:
b) Noting the course of packet data in the network (timing, latency, peak time, throughput).
c) The method used to observe the health of the network and communication, generally centralized or distributed. The most frequent approach is Network Management; with this approach many devices, both local and spread out, can be monitored as a whole.
3.2.6 Management
To test or finalize the project, all the hardware and the system must function correctly. The NIDS server should work properly to detect the activity of a hacker and alert the network administrator when an anomalous packet enters the network. In management and arrangement, one thing that is of particular concern is policy. The policy needs to be made so that the system that has been built and run properly can last a long time and its reliability is maintained. In this phase, check the rules configured on Snort to make sure the system runs as expected.
3.3 Gantt Chart
A Gantt chart is a chart containing a series of horizontal lines that show the amount of work done or production completed in certain periods of time in relation to the amount planned for those periods.
Below is the Gantt chart of the project. It starts with project identification, where we are divided into groups and assigned a supervisor. We also discuss the project title. After that, we have to prepare a proposal for the project. Once the supervisor has approved the proposal, we may proceed to the other steps.
Figure 3.3.2 Gantt Chart (weeks W1 to W15; activities in order: Literature review on research study; Develop & submit project proposal; Develop & submit planning report; Making analysis on the project; Presentation 1; Design the project; Presentation 2; Testing the system; Implement the system; Final project presentation)
After the proposal is approved by the supervisor, planning for the project starts. In this stage, the estimated time to complete the project, the budget, and some research on similar projects are planned. The planning report will be prepared when the details of the research are fixed. The report needs to be submitted; proceed to the next step once the supervisor has approved the report.
3.4 Analysis
Next, a survey for the analysis report was conducted. 40 respondents were involved in the survey. The purpose of this survey is to ask the respondents' opinion about the project. The analysis report needs to be prepared when the survey is done, and the report needs to be approved by the supervisor before proceeding to the next phase.
Figure 3.4.1: Questionnaire
Figure 3.4.2: Questionnaire
CHAPTER 4: ANALYSIS AND DESIGN
4.1 Introduction
This chapter focuses on the analysis and design of the system that we have developed.
The design phase also identifies the way the system operates, in terms of hardware, software and network infrastructure, and the interfaces, forms, reports and databases to be used. The project design report will show some designs consisting of the network logical design and the graphical user interface (GUI).
4.2 Questionnaire
Figure 4.2.1: Questionnaire
Figure 4.2.2: Questionnaire
4.3 Data
The data from the questionnaire is collected and analyzed for implementing this project. All the responses from the respondents, whether good or bad, are taken into account to make this project more efficient, commercial and generally accepted.
4.3.1 Section A
Question 1: Gender
Pie chart: Male 40%, Female 60%.
The pie chart shows the respondents by gender. More than half, 60%, of the respondents who took part in our survey were female, while the other 40% were male.
Question 2: Position
Pie chart: Network Administrator 33%, IT Officer 67%.
The pie chart shows the respondents by position. More than half, 67%, were IT Officers, while the other 33% were Network Administrators.
Question 3: Heard about NIDS
Pie chart: Yes 100%, No 0%.
The pie chart shows the respondents who have heard about NIDS. 100% of the respondents have heard about NIDS.
Question 4: Used a NIDS
Pie chart: Yes 40%, No 60%.
The pie chart shows the respondents who have used a NIDS. Only 40% of the respondents, 12 respondents, have used a NIDS, while more than half, 18 respondents, have not used a NIDS.
Question 5: Type of NIDS tools used by respondents
Pie chart: Snort 33%, Suricata 23%, Others 44%.
The pie chart above shows the types of NIDS tools used by respondents. About a third of the respondents, 13 respondents, used Snort. Almost a quarter used Suricata, and more than a third, 10 respondents, used other tools such as a log system.
Question 6: How often respondents experience an outage of service due to intrusion attempts
Pie chart: once a week 40%, twice a week 33%, three times a week or more (remaining share).
The pie chart shows how often respondents experience an outage of service due to intrusion attempts. 40% experience an outage once a week, which is 12 respondents. A third, 10 respondents, experience an outage twice a week. Only 8 respondents experience an outage three times a week or more, and nobody has never experienced an outage of service due to intrusion attempts.
Question 7: Notification tools used with the NIDS
Pie chart: Others 67%, Message 33%, E-mail 0%.
The pie chart above shows the notification tools used with the NIDS. 67%, which is 20 respondents, use other tools such as OSSIM, Bro, Kismet and OpenDLP. Only 33% use messages as the notification tool for the NIDS. None of the 30 respondents have used e-mail as the notification tool for the NIDS.
Question 8: Familiar with e-mail
Pie chart: Yes 100%, No 0%.
The pie chart above shows the respondents who are familiar with e-mail. The majority of respondents are familiar with e-mail.
Question 9: Respondents who know an IDS can connect with e-mail
Pie chart: Yes / No.
The pie chart above shows the respondents who know an IDS can connect with e-mail. No respondent knew that an IDS can be connected with e-mail.
4.3.2 Section B
10 respondents agree and 10 respondents strongly agree that the NIDS can detect any anomalous packet in the network. No respondent disagrees with that statement.
Then, all respondents agree or strongly agree that using e-mail to notify of intrusion attempts is simpler and more convenient.
28 respondents agree and only 2 respondents strongly agree that the network is more secure if a NIDS is implemented.
After that, 22 respondents agree and 8 respondents strongly agree that a NIDS is fairly easy to implement. No respondent disagrees at all with that statement.
4.4 Project Design
The design phase also identifies the way the system operates, in terms of hardware, software and network infrastructure, and the interfaces, forms, reports and databases to be used. The project design report will show some designs consisting of the network physical design and the graphical user interface (GUI).
4.4.2 Graphic User Interface (GUI)
Figure 4.3.2.3: iRedMail login page
Figure 4.3.2.5: Roundcube login page
Figure 4.3.2.7: Gmail inbox
Figure 4.3.2.9: Local mail address
CHAPTER 5: DEVELOPMENT AND TESTING
5.1 Introduction
The results from analysis and design carry over to the next phase, which is development and testing. In this phase, testing is done to see the results of this project and to analyze whether the project has achieved its objectives. It focuses on system testing and hardware functionality. System testing is done in this phase so that it is easier to detect any problems and troubleshooting is easier. In the testing part, the system is tested in terms of function and user acceptance by the developers of the system; for hardware functionality, the hardware is tested using the system that has been built and the programs that have been loaded onto the hardware to see whether it is functional or not.
Snort is an open-source network intrusion detection system (NIDS) that has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks.
Figure 5.2.1 Downloading Data Acquisition Library (DAQ)
ii. Extract it and run the ./configure, make and make install commands to install DAQ. However, DAQ requires other tools, so the ./configure script will generate the following errors.
iii. Therefore, first install flex/bison and libpcap before the DAQ installation, as shown in the figure.
Figure 5.2.4 Installing Flex
iv. After installing the necessary tools, run the ./configure script again, which will show the following output.
Figure 5.2.6 Script
v. After successful installation of DAQ, the Snort installation starts. Downloading with wget is shown in the figure below.
vii. Create the installation directory and set the prefix parameter in the configure script. It is also recommended to enable the sourcefire flag for Packet Performance Monitoring (PPM).
Figure 5.2.11 Sourcefire flag for Packet Performance Monitoring (PPM) commands
viii. The configure script generates errors due to the missing libpcre-dev, libdumbnet-dev and zlib development libraries.
Figure 5.2.15 Installing all required development libraries
x. After installing the required libraries for Snort, run the configure script again; it now completes without any error.
Figure 5.2.19 Make install command for compilation and installation of Snort
xi. Finally, Snort runs from the /usr/local/snort/bin directory. Currently it is in promiscuous (packet dump) mode, dumping all traffic on the eth0 interface.
xii. Copy the rules and configuration under the /etc/snort directory. The rules are attached in Appendix A.
Figure 5.2.25 Rule path of Snort
xiii. Download the community rules and extract them under the /etc/snort/rules directory. Enable the community and emerging threats rules in the snort.conf file.
Figure 5.2.28 Enable community and emerging threats rules
xiv. Test the configuration.
Figure 5.3.2: Command edit file
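The installation steps ii to xiv above, collected into one shell script. This is an added example and not the report's own script: the apt package names, the tarball names (placeholders, since the report only shows the downloads as screenshots) and the list of rule files are assumptions. The rule-selection function follows the sed line in Appendix B, which comments out every include line in snort.conf, and then re-enables only the rule files the administrator names, so that what Snort loads is an explicit choice rather than whatever the distribution tarball happened to include.

```shell
#!/bin/sh
# Added example (not the report's script): Snort + DAQ source build and rule
# selection for Ubuntu, following steps ii-xiv of chapter 5.
# Assumptions: apt package names, the tarball names below (placeholders) and
# the rule file names passed to select_rule_files.
set -eu

SNORT_PREFIX=/usr/local/snort          # step vii/xi: prefix passed to configure
SNORT_ETC=/etc/snort                   # step xii: config and rules live here
DAQ_TARBALL="${DAQ_TARBALL:-daq-VERSION.tar.gz}"       # placeholder name
SNORT_TARBALL="${SNORT_TARBALL:-snort-VERSION.tar.gz}" # placeholder name

# Steps iii and viii: everything ./configure complained about, installed once
# up front instead of after each failed run.
install_build_deps() {
    sudo apt-get install -y build-essential flex bison libpcap-dev \
        libpcre3-dev libdumbnet-dev zlib1g-dev
}

# Steps ii-iv: DAQ must be built and installed before Snort's configure runs.
build_daq() {
    tar xzf "$DAQ_TARBALL"
    (cd "${DAQ_TARBALL%.tar.gz}" && ./configure && make && sudo make install)
}

# Steps vii-x: Snort under its own prefix with the sourcefire flag (PPM).
build_snort() {
    tar xzf "$SNORT_TARBALL"
    (cd "${SNORT_TARBALL%.tar.gz}" \
        && ./configure --prefix="$SNORT_PREFIX" --enable-sourcefire \
        && make && sudo make install)
}

# Steps xii-xiii: comment out every "include $RULE_PATH/..." line (the sed in
# Appendix B), then re-enable only the rule files given as arguments, adding
# an include for any file snort.conf does not mention at all. Pure text
# editing, so it can be tried on a copy of snort.conf without Snort installed.
select_rule_files() {
    conf="$1"; shift
    sed -i 's/^include \$RULE_PATH/#include $RULE_PATH/' "$conf"
    for f in "$@"; do
        if grep -qxF "#include \$RULE_PATH/$f" "$conf"; then
            sed -i "s|^#include \\\$RULE_PATH/$f\$|include \$RULE_PATH/$f|" "$conf"
        else
            printf 'include $RULE_PATH/%s\n' "$f" >> "$conf"
        fi
    done
}

# Number of rule files Snort will actually load: the check to run after editing.
active_includes() {
    grep -c '^include \$RULE_PATH/' "$1" || true
}

# Step xiv: validate snort.conf before starting Snort in IDS mode.
test_config() {
    sudo "$SNORT_PREFIX/bin/snort" -T -c "$SNORT_ETC/snort.conf"
}

case "${1:-}" in
    install)
        install_build_deps
        build_daq
        build_snort
        sudo mkdir -p "$SNORT_ETC/rules"
        select_rule_files "$SNORT_ETC/snort.conf" \
            local.rules community.rules emerging-all.rules
        echo "active rule includes: $(active_includes "$SNORT_ETC/snort.conf")"
        test_config
        ;;
esac
```

Run as `sh snort-build.sh install` on the server. Called without an argument the script only defines its functions, so `select_rule_files` and `active_includes` can be exercised on a copy of snort.conf first, and `snort -T` (step xiv) is the final gate before Snort is started on eth0.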
5.4 BASE Test
Basic Analysis and Security Engine (BASE) is the third party software used to analyse the log files in the system. It is a web front-end to query and analyze the alerts coming from the Snort IDS system. BASE also shows graphs of the IDS results.
5.5 iRedMail Development
Figure 5.5.3: iRedMail configuration
Figure 5.5.5: Web server selection
v. Choose database server
Figure 5.5.8: Set up domain name
Figure 5.5.10: Configuration done
Figure 5.5.12: iRedMail login page
Figure 5.5.14: Roundcube login page
5.6 Snort Test
Figure 5.6.2: Ping test
Figure 5.6.4: BASE IP address result
Figure 5.6.6: Snort alert
Figure 5.6.8: Snort alert
Apart from using Gmail, our system can also send Snort alert notifications to local mail.
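The notification path exercised by the test above (a Snort detection, then an e-mail to the Gmail account or to the local iRedMail account), shown end to end as an added example script that is not part of the report. It reads Snort's fast-format alert file, groups repeated alerts so that a ping flood produces one summary mail rather than one mail per packet, and hands the message to ssmtp. The alert file path, the ssmtp mailer, the recipient address and the three sample alert lines are assumptions or constructed data for this example.

```shell
#!/bin/sh
# Added example (not the report's code): turn new lines in Snort's fast-format
# alert file into one summary e-mail for the administrator.
# Assumptions: Snort writes "fast" alerts to $ALERT_FILE, and ssmtp (or any
# sendmail-style command that reads headers from stdin) is configured for the
# Gmail or iRedMail account; ADMIN_MAIL is a placeholder address.
set -eu

ALERT_FILE="${ALERT_FILE:-/var/log/snort/alert}"
ADMIN_MAIL="${ADMIN_MAIL:-admin@example.com}"   # placeholder recipient
MAILER="${MAILER:-ssmtp}"                        # assumed mailer
POLL_SECONDS=60

# Constructed sample alerts (fast format) so the parsing can be tried offline.
write_sample_alerts() {
    cat > "$1" <<'EOF'
01/15-10:23:45.123456  [**] [1:1000001:1] ICMP Ping Flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 192.168.1.5 -> 192.168.1.2
01/15-10:23:46.001122  [**] [1:1000001:1] ICMP Ping Flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 192.168.1.5 -> 192.168.1.2
01/15-10:24:10.555000  [**] [1:1000002:1] SSH login burst (local rule) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.7:51234 -> 192.168.1.2:22
EOF
}

# Total alert lines in the file (0 rather than an error when there are none).
alert_count() {
    grep -c '\[\*\*\]' "$1" || true
}

# Most severe priority present (in Snort, 1 is the highest), or "none".
max_priority() {
    awk 'match($0, /Priority: [0-9]+/) {
             p = substr($0, RSTART + 10, RLENGTH - 10) + 0
             if (best == "" || p < best) best = p
         }
         END { print (best == "" ? "none" : best) }' "$1"
}

# One line per (signature, source -> destination) with a hit count, most
# frequent first: the same flood repeated 200 times must not become 200 mails.
summarize_alerts() {
    awk '/\[\*\*\]/ {
             sig = $0
             sub(/^.*\] \[[0-9]+:[0-9]+:[0-9]+\] /, "", sig)   # drop timestamp and gid:sid:rev
             sub(/ \[\*\*\].*$/, "", sig)                     # drop classification and addresses
             count[sig " | " $(NF - 2) " -> " $NF]++
         }
         END { for (k in count) printf "%d\t%s\n", count[k], k }' "$1" | sort -rn
}

# Full message, headers included, to $2 about the alerts in file $1.
build_alert_mail() {
    printf 'To: %s\nFrom: snort@%s\nSubject: [Snort] %s alert(s), highest priority %s\n\n' \
        "$2" "$(uname -n)" "$(alert_count "$1")" "$(max_priority "$1")"
    printf 'count\tsignature | source -> destination\n'
    summarize_alerts "$1"
}

# Poll the alert file and mail only the lines added since the last round.
watch_alerts() {
    seen=0
    batch="/tmp/snort-new-alerts.$$"
    while :; do
        total=$(wc -l < "$ALERT_FILE")
        if [ "$total" -gt "$seen" ]; then
            tail -n +"$((seen + 1))" "$ALERT_FILE" > "$batch"
            build_alert_mail "$batch" "$ADMIN_MAIL" | "$MAILER" "$ADMIN_MAIL"
            seen=$total
        fi
        sleep "$POLL_SECONDS"
    done
}

case "${1:-}" in
    watch) watch_alerts ;;
    demo)  f=$(mktemp); write_sample_alerts "$f"; build_alert_mail "$f" "$ADMIN_MAIL"; rm -f "$f" ;;
esac
```

`sh snort-notify.sh demo` prints the mail that the three constructed alerts would produce; `sh snort-notify.sh watch` runs the polling loop on the server. Grouping by signature and address pair, and putting the highest priority in the subject line, is what keeps a flood from turning the administrator's inbox into a second denial of service.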
6.1 Introduction
The conclusion at the end of this project is important. It is the last view of the project documentation. It discusses and describes the achievement of the project in meeting its objectives and scope, as well as the advantages and benefits of the system.
Throughout this final year project, we were able to gain knowledge and experience by completing this project on our own. It is not only beneficial but at the same time students also gain experience, whether or not the project works well, because the important thing is the experience gained from the project, which may be applied in the future.
In the given period for this final semester, we were able to complete our project in accordance with the objectives. We also learnt closely about the use of a system, the software and hardware used, and how to test the system. While completing this project, we also learnt how to master another operating system, which is Ubuntu.
6.2 Suggestion
There are some future plans for our system, the Network Intrusion Detection System (NIDS). We plan to extend our system to other companies so that they can easily manage their network and protect it from unhealthy packets that try to enter the network. Besides, we also plan to upgrade our system by adding an Intrusion Prevention System (IPS) so it can act as a firewall to stop anomalous packets from entering the network.
6.3 Conclusion
Questionnaire
Figure a.1: Questionnaire
Figure a.2: Questionnaire
APPENDIX B
Coding
SNORT RULE
###copy configuration and rules from etc directory under source code of snort
echo "copying from snort source to /etc/snort ....."
echo $snort_src
echo "-------------"
cp $snort_src/etc/*.conf* /etc/snort
cp $snort_src/etc/*.map /etc/snort
##comment out every rule include in snort.conf; the rule files that are wanted are then enabled by hand
sed -i 's/^include \$RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf
echo "---DONE---"
var SO_RULE_PATH /etc/snort/so_rules            # rules in shared libraries
var PREPROC_RULE_PATH /etc/snort/preproc_rules  # preprocessor rule path
var WHITE_LIST_PATH /etc/snort/rules            # don't scan
var BLACK_LIST_PATH /etc/snort/rules            # must scan
include $RULE_PATH/local.rules                  # file for custom rules
#snort -T -c /etc/snort/snort.conf
MYSQL
wget http://dev.mysql.com/get/Downloads/MySQL-4.1/mysql-4.1.13.tar.gz/from/http://mysql.mirrors.pair.com/
make install
SNORT
PHP
./configure \
--with-mysql=/usr/local \
--with-openssl=/usr/local \
--with-zlib \
--with-jpeg-dir=/usr/local \
--with-png-dir=/usr/local \
--with-exec-dir=/usr/local/php/libexec \
--enable-cli \
--enable-sockets
make
make install
ADOdb
wget http://unc.dl.sourceforge.net/sourceforge/adodb/adodb465.tgz
PEAR MODULES
/usr/local/php/bin/pear install Image_Color
/usr/local/php/bin/pear install Log
/usr/local/php/bin/pear install Numbers_Roman
/usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
/usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz
BASE
cd /usr/local/apache/htdocs
tar zxf /path/to/base-1.1.3.tar.gz
mv base-1.1.3 base
cd base
cp base_conf.php.dist base_conf.php
username
# Only the administrator's workstation may reach BASE, and it must also log in
<Directory /usr/local/apache/htdocs/base/>
    Order Deny,Allow
    Deny from All
    Allow from 192.168.1.100
    AuthType Basic
    AuthName "Access is restricted."
    AuthUserFile /path/to/htpasswd/file
    Require valid-user
</Directory>
User Manual
On the Snort IDS server:
1) Run Snort in packet capture mode. The command for this step is snort -v
2) Go to BASE if there is any detection or packet capture by Snort. For the BASE graphical user interface, enter the IP address of the Snort IDS server in the browser, for example http://192.168.1.2/base.php
Using Gmail as notification
Go to Gmail, where the Snort IDS server has been configured to send an e-mail to the Gmail account as a notification if there is any detection or packet capture.
1) Go to Gmail and log in to the e-mail account that has already been configured on the Snort IDS server.
Figure 4: Gmail inbox
Using local mail such as iRedMail to get notifications of Snort detections
Figure 7: Roundcube login page
3) After logging in, we can see that root on our IDS system sent a notification of a ping flood detection.