
CHAPTER 1: INTRODUCTION

1.1 Introduction

A Network Intrusion Detection System (NIDS) is a method of security
management for computers and networks. A NIDS monitors traffic on a network,
looking for suspicious activity that could be an attack or unauthorized activity.

A large NIDS server can be set up on a backbone network to monitor all traffic,
or smaller systems can be set up to monitor traffic for a particular server, switch,
gateway or router.

In addition to monitoring incoming and outgoing network traffic, a NIDS server
can also scan system files looking for unauthorized activity and to maintain data and file
integrity. The NIDS server can also detect changes in the server's core components.

The NIDS server can also serve a proactive role instead of a protective or
reactive function. Possible uses include scanning local firewalls or network servers for
potential exploits, or scanning live traffic to see what is actually going on.

Keep in mind that a NIDS server does not replace primary security such as
firewalls, encryption and other authentication methods. The NIDS server is a backup
network integrity device. Neither the primary security nor the NIDS server should
replace common precautions (building physical security, corporate security policy, etc.).

1.2 Problem Statement

After reviewing existing systems, we found that no Network Intrusion Detection
System (NIDS) that sends its notifications via e-mail exists. We identified the
following problems:

1.2.1 The network administrator cannot identify the type of attack that tries to
penetrate the network.

From the observations made, the current system does not list the type of
attack that tries to enter the network.

1.2.2 The network cannot detect a hacker's attempt to access the network using
remote hacking tools.

The current system does not send a notification when anomalous packets try to
attack the network. The network administrator needs to check the reports to find
out whether a packet tried to attack or not.

1.2.3 The network administrator finds it hard to get a notification when the
network is attacked by anomalous packets.

From the observations made, the network administrator finds it hard to get a
notification because the administrator needs to go to the room where the server is
located and check the reports one by one.

1.3 Objective

There are many advantages to be gained from implementing this project. To gain
all of them, the objectives of the project must also be achieved. The objectives are:

1.3.1 To build a network intrusion detection system that can detect unhealthy,
anomalous packets on the network.

1.3.2 To monitor server log files and look for suspicious traffic or usage patterns
that match a typical network compromise or a remote hacking attempt.

1.3.3 To develop a system that notifies the network administrator through Gmail
when the network receives an anomalous packet.

1.4 Scope

Project scope is the part of project planning that involves determining and documenting
a list of specific project goals, tasks and cost. In other words, it is what needs to be
achieved and the work that must be done to deliver a project.

1.4.1 System Scope

1.4.1.1 Software

Ubuntu
- The operating system on which the project is built.

Snort 3.0 Alpha 2
- Used to build the NIDS.

MySQL
- Stores the data behind the graphs.

Barnyard2
- An open source interpreter for Snort unified2 binary output files. Its
primary use is to let Snort write to disk in an efficient manner, leaving the
task of parsing the binary data into various formats to a separate process.

Basic Analysis and Security Engine (BASE)
- Provides a web front-end to analyze the alerts coming from a Snort IDS
system.

iRedMail
- An open source, full-featured mail server solution for Linux/BSD. It
provides basic features such as unlimited virtual mail accounts,
POP3/IMAP/SMTP and AJAX webmail.

1.4.1.2 Hardware

A desktop acting as a server.

1.4.2 Users Scope
The target users of this project are the network administrators of
Ungku Omar Polytechnic. The user of this project must have full
authority over the network of Ungku Omar Polytechnic in order to make
any changes or solve problems.

1.5 Methodology

This section introduces the method and information used in our project. Many
steps were needed to complete this project, starting from installing the Ubuntu
operating system as a server, installing Snort 3.0 Alpha, configuring Snort, configuring
e-mail and testing the project.

1.6 Conclusion

This chapter covers the background of the project, the problem statement, the objectives,
the scope and the methodology of the project. The background briefly introduces the
project, a Network Intrusion Detection System (NIDS), and the usage of such a system.
The problem statement describes in detail the problems faced by the network
administrator that this project solves. Next, the objectives of the project focus on why
this system is built and in what way it can be used. The scope of the project explains the
software and hardware used to complete this project, and the user scope states who can
use this system. Lastly, the methodology explains the steps taken to accomplish this
Network Intrusion Detection System.

As NIDS technologies continue to evolve, they will more closely resemble their real
world counterparts. In the future, NIDS, firewalls, VPNs and related security
technologies will all come to interoperate to a much greater degree. The current
generation of IDS (HIDS and NIDS) is quite effective already; as they continue to
improve they will become the backbone of the more flexible security systems we expect
to see in the not too distant future.

2.1 Introduction

Before the case study in network upgrade and improvement is designed, some
information about this project and the components used needs to be examined. This
information is helpful for designing a better network topology upgrade and improvement.
All of the information can be found on the Internet, in reference books and so on. With
the theory provided, the analysis is easier to carry out. The Literature Review is an
examination of the relations between the hardware and software used in this project.

Each project needs proof and motives to support its decisions. The best decision can
be made through experiment and experience. Within the experiment, this project can be
done along with the planning, and the parts and software that can be used. All of these
can be found from Internet sources.

On the other hand, the Literature Review is important for examining examples of
the same case study; from this point, it helps to design something that is better
than the other case studies. Examples of Literature Review work are studying and testing
the project, researching the best software to use, and the work steps for the project to be
done. The result of the experiment can help to solve the problems or weaknesses of the
project case study. A development can be made according to the result of the experiment
to make a better, higher quality case study.

2.2 Previous Project from Internet

Based on some research, the same case study had been done before by other
people, where the project in network design focused on performance and server
migration. The other case study used GNS3 software to simulate the new network design
and VMware as the virtual machine migration service. The network equipment in their
case study was Cisco products. They redesigned the current network topology to get
better performance.

2.2.1 Type of Simulator

GNS3

Figure 2.2.1.1: GNS3

In the previous project from the Internet, GNS3 was used as the simulator software for
network testing.

Advantages:

a) GNS3 uses real IOS software to simulate the different virtual devices, so you
can use the new features of IOS by loading a new IOS into GNS3. Packet
Tracer, on the other hand, is a software-based simulator which only allows the
limited set of commands that have been programmed into it; some newer
commands may not work in Packet Tracer.

b) GNS3 supports devices and operating systems from more vendors, such as Cisco,
Juniper and Linux hosts, compared to Packet Tracer.

HCL simulator

Figure 2.2.1.2: HCL simulator

For this case study, HCL is used as the simulator software for network testing.

Advantages:

a) HCL (H3C Cloud Simulator) is a drag-and-drop application that allows the
user to simulate the Comware version 7 operating system. The user can create a
virtual networking environment that includes Comware v7 based routers and
switches. It lets the user keep their networking environment virtual, or bridge the
virtual environment to an external network using the TAP interface.

b) The user can take packet captures with Wireshark between the devices being
simulated in HCL.

2.2.2 Type of virtual machine

VMware

Figure 2.2.2.1: VMware

In the previous case study from the Internet, VMware was used as the virtual machine for
the system migration platform.

Advantages:

a) Improve datacenter security. Threats related to hacking, malware,
viruses and even employee misuse of computing resources make security
an important consideration for every datacenter manager. Windows
Server 2008 R2 is equipped with powerful new security features designed
to keep the datacenter and business safe from danger, both inside and out.

Older server platforms are necessarily out of date. Windows Server 2003, for
example, entered its Extended Support phase in July of last year. That
means a datacenter using this platform will not receive automatic security
updates. Migrating to a modern server platform is a necessary first step in
keeping your business more secure.

b) Transform the datacenter. The technology landscape is changing as quickly and
as radically as at any time in its history. Virtualization and cloud computing
are receiving most of the press, but other technologies, including remote
access and branch connectivity, server security and even raw computing
performance, are also moving forward rapidly. To keep the business
competitive, consider transforming the datacenter. For all the technologies
just mentioned, Windows Server 2008 R2 with SP1 makes it possible to take full
advantage of virtualization and added security. Additionally, it can
reveal new ways to manage the datacenter more efficiently for cost
savings.

c) Simplify datacenter management. New advancements like
virtualization mean that server platforms need to upgrade and even
change their management features to keep pace, and Windows Server
2008 R2 delivers on that requirement in abundance. In the Windows
Server 2008 R2 box the user will discover a host of new management
capabilities unavailable in previous versions. Windows Server 2008
introduced server roles, an easy way to dedicate a server instance to a
particular task: file and print, remote access, domain and more.
Windows Server 2008 R2 automatically activates only those features
required to perform that task. The result is a more secure server, since
unnecessary services are not enabled. The feature also quickly builds and
assigns templates to specific server roles and workloads in case those
servers need to be rebuilt.

Ubuntu Server Edition

Figure 2.2.2.2: Ubuntu Server Edition

For our project, Ubuntu Server Edition acts as the server operating system.

Advantages:

a) Open source tools. Arguably one of the biggest benefits of running
an open source product is the community support. Ubuntu is no
different, with a huge community that is self-supporting when it comes to
bug tracking and Q&A. By running an open bug-tracking system, anyone has the
power to file a bug report, help others with problems, or propose any
ideas they might have. That's quite typical, but this tracking system is
unique in that it has tightly integrated developer and translation tools
within a single website, making it possible to create unique
relationships among users and developers. Ubuntu also has an open
policy wherein each process is discussed and published across the
wiki and all mailing lists.

b) No licensing or maintenance fees. Another great benefit of an open
source product is the cost. Getting something this great for free has to
make even the greatest of skeptics giddy. In addition to an initial cost
of nil, the administrative and upgrade costs could actually lower stress
levels. Upgrades are routine and scheduled, so there is no need to worry
about when to upgrade; they are reliable and fully controllable. In
addition, programs can be easily packaged and published to a local
repository as a separate manageable entity, making future builds a
snap and less costly.

c) Database support. Ubuntu provides database support for the
following:

a. MySQL
b. PostgreSQL
c. DB2 (supported by IBM)
d. Oracle Database Express (community supported)

2.2.3 Third Party Software for Log Analysis

Snorby

Figure 2.2.3.1: Snorby

In the previous project from the Internet that was researched, Snorby is used to monitor
network security.

Snorby is a Ruby on Rails web application for network security monitoring that
interfaces with currently popular intrusion detection systems (Snort, Suricata and Sagan).
The basic concepts behind Snorby are simplicity, organization and power.
The project goal is to create a free, open source and highly competitive application for
network monitoring for both private and enterprise use.

BASE

Figure 2.2.3.2: BASE

For our project, BASE is the third party software used to analyze the log files of the
system.

BASE is the Basic Analysis and Security Engine. It is based on the code from the
Analysis Console for Intrusion Databases (ACID) project. This application
provides a web front-end to query and analyze the alerts coming from a Snort
IDS system.

CHAPTER 3: METHODOLOGY

3.1 Introduction

This chapter focuses on the activities that have been carried out, such as the
selection of the methodology used throughout the development of this project.
Emphasis was given to how the project is implemented and to the matters to be
considered in doing the research. The development of this project was conducted over
two semesters, semester five and semester six. The Gantt chart is attached to describe
all the activities done during the implementation of this project.
3.2 Research about the Methodology Used

The key model behind the network design process is known as the Network
Development Life Cycle (NDLC), as illustrated in Figure 3.2.1. The word cycle is the
key descriptive term of the network development life cycle, as it clearly illustrates the
continuous nature of network development. A network designed from scratch
clearly has to start somewhere, namely with an analysis phase. Existing networks,
however, are constantly progressing from one phase to another within the network
development life cycle. For instance, the monitoring of existing networks would produce
management and performance statistics, perhaps using a network management protocol
such as SNMP. Qualified network analysts would then analyze these performance
statistics of the existing network. Design changes may or may not be implemented based
on the analysis of these performance statistics. As will be described later in the chapter,
network designs may be physical or logical in nature. Physical network designs involve
the arrangement and interconnection of the physical network circuits and devices,
whereas logical network designs involve the configuration and definition of services that
will run over that physical network, such as addressing schemes, routing schemes, traffic
prioritization, security and management. Many times, proposed network design changes
are first simulated using sophisticated network simulation software packages or
prototyped in a test environment, safely removed from a company's production network,
before being deployed or implemented.

Figure 3.2.1 Network Development Life Cycle (NDLC)

3.2.1 Analysis

The main objective of this phase is to understand the needs and problems faced by the
network administrator. All system requirements for the Network Intrusion Detection
System were collected. Some of the activities or tasks performed in this phase were
carried out to gather information on the problem of a network administrator finding it
hard to get a notification when their network has been attacked by a hacker. Finally, the
information gathered is analyzed and implemented in the project.

The hardware and software suitable for implementing the project are listed below:

Hardware
a) 1 PC acting as a server
b) 1 additional network card for the server
c) 4 UTP Cat6 cables
d) 1 laptop as a client
e) 1 laptop as a hacker
f) 1 laptop as a database server
g) 1 8-port gigabit desktop switch

Software
a) Ubuntu operating system
b) Snort 3.0 Alpha 2
c) BASE
d) E-mail application

3.2.2 Design

Before starting a project, the important thing to do is to understand what system
needs to be developed and the extent of system interoperability when fully developed.
During this phase, the concept of the Network Intrusion Detection System was
sketched. In this phase the server PC is installed and set up with Snort 3.0 Alpha 2. The
network diagram is designed based on the hardware that will be used for the project.
Microsoft Visio is used for the design process, and the design is centered on
the idea of the project.

Figure 3.2.2.1 Network Design

3.2.3 Simulation and Prototyping

In this phase, a simulation is made with the help of special network tools
such as Boson, Packet Tracer, NetSim and so on. It is intended to
look at the early performance of the network that will be built, and to serve as
presentation material to share with the rest of the team. Due to the limitations of the
simulation software, Microsoft Visio is used to build the topology that will be designed.

3.2.4 Implementation

To implement the project, all the equipment needed, including hardware and
software, must be obtained first. After that, the design is followed based on the network
diagram that was drawn. All configuration of Snort 3.0 Alpha 2 is done in this
phase. E-mail is also configured so that the network administrator is notified if there is
any attack by a hacker or a hacker tries to enter the network.

3.2.5 Monitoring

After the implementation, the monitoring phase is an important stage: so that the
computer and communications networks run in accordance with the wishes and goals
stated by the user at the initial analysis stage, monitoring activities are necessary.
Monitoring can observe:

a) Hardware infrastructure: to observe the reliability of the systems which have been
built (reliability = performance + availability + security).

b) The course of packet data on the network (timing, latency, peak time, throughput).

c) The method used to observe the health of the network and communications,
generally centralized or dispersed. The most frequent approach is Network
Management; with this approach many devices, both local and spread out, can be
monitored as a whole.

3.2.6 Management

To test and finalize the project, all the hardware and the system must function correctly.
The NIDS server should work properly to detect hacker activity and alert the
network administrator when an anomalous packet enters the network. In management
and arrangement, policy is a matter of particular concern. The policy needs
to be made so that the system that has been built and runs properly can last a long time
and its reliability elements are maintained. In this phase, the rules configured in Snort
are checked to make sure the system runs as expected.

3.3 Gantt Chart

A Gantt chart is a chart containing a series of horizontal lines that shows the amount of
work done or production completed in certain periods of time in relation to the amount
planned for those periods.

Below is the Gantt chart of the project. It starts with project identification, where we
were divided into groups and assigned a supervisor. We also discussed the project title.
After that, we had to prepare a proposal for the project. Once the supervisor approved
the proposal, we could proceed to the other steps.

[Gantt chart, weeks 1 to 15; the week bars are not reproduced here]
Activities: literature review on research study; develop and submit project
proposal; develop and submit planning report; making analysis on the project;
Presentation 1; design the project; Presentation 2.

Chart 3.3.1: Gantt chart

[Gantt chart, weeks 16 to 28; the week bars are not reproduced here]
Activities: develop the system; testing the system; implement the system; final
project presentation.

Figure 3.3.2 Gantt Chart

After the proposal was approved by the supervisor, planning for the project started.
In this stage, the estimated time to complete the project, the budget and some research
on similar projects are planned. The planning report is prepared when the details of the
research are fixed. The report needs to be submitted, and the next step proceeds once
the supervisor has approved the report.

3.4 Analysis

Next, a survey for the analysis report was conducted. 40 respondents
were involved in the survey. The purpose of this survey was to ask the respondents'
opinion about the project. The analysis report is prepared when the survey is done. The
report needs to be approved by the supervisor before proceeding to the next phase.

Figure 3.4.1: Questionnaire

Figure 3.4.2: Questionnaire

CHAPTER 4: ANALYSIS AND DESIGN

4.1 Introduction

This chapter focuses on the analysis and design of the system that we have
developed.

The analysis phase is an important phase in developing the Network Intrusion Detection
System. To collect the analysis for this project, we distributed a questionnaire to
30 respondents. Respondents are important in helping to develop this project. From the
results collected, the previous project can be improved upon.

The design phase also identified the way the system operates, in terms of the
hardware, software and network infrastructure, and the interfaces, forms, reports and
databases to be used. The project design report will show some of the design, consisting
of the network logical design and the graphical user interface (GUI).

4.2 Questionnaire

A questionnaire is one of the ways to collect information. The questions in the
questionnaire are simple, easy to understand and straight to the point. 30 questionnaires
were distributed to network administrators.

Figure 4.2.1: Questionnaire

Figure 4.2.2: Questionnaire

4.3 Data

The data from the questionnaire is collected and analyzed for the implementation of
this project. All the responses from the respondents, whether good or bad, are taken into
account to improve this project so that it is more efficient, commercial and generally
accepted.

4.3.1 Section A

Question 1

Respondents according to gender

[Pie chart: Male 40%, Female 60%]

Chart 4.3.1.1 Question 1

The pie chart shows the respondents according to gender. It can be
concluded that more than half of the respondents, 60%, were female, while the other
40% were male.


Question 2

Respondents according to position

[Pie chart: Network Administrator 33%, IT Officer 67%]

Chart 4.3.1.2: Question 2

The pie chart shows the respondents according to position. It can be
concluded that more than half, 67%, were IT Officers, while the other 33%
were Network Administrators.

Question 3

Respondents who have heard about NIDS

[Pie chart: Yes 100%, No 0%]

Chart 4.3.1.3: Question 3

The pie chart shows the respondents who have heard about NIDS. It can be
concluded that 100% of the respondents have heard about NIDS.

Question 4

Respondents who have used a NIDS

[Pie chart: Yes 40%, No 60%]

Chart 4.3.1.4: Question 4

The pie chart shows the respondents who have used a NIDS. It can be seen that
only 40% of the respondents, 12 respondents, have used a NIDS, while more than half,
18 respondents, have not used a NIDS.

Question 5


Type of NIDS tools used by respondents

[Pie chart: Snort 33%, Suricata 23%, Others 44%]

Chart 4.3.1.5: Question 5

The pie chart above shows the types of NIDS tools used by the respondents. It
can be concluded that the respondents who used Snort make up a third, which is
13 respondents. The respondents who used Suricata are almost a quarter, and the
respondents who used other tools, such as a log system, are more than a third, which is
10 respondents.

Question 6

Respondents who often experience an outage of service due to intrusion attempts

[Pie chart: once a week 40%, twice a week 33%, three times a week or more 27%, never 0%]

Chart 4.3.1.6: Question 6

The pie chart shows how often the respondents experience an outage of service due
to intrusion attempts. It can be seen that the frequency of outages due to
intrusion attempts is once a week for 40%, which is 12 respondents. Twice a week
was reported by a third, which is 10 respondents. Three times a week or more
was reported by only 8 respondents, and nobody has never
experienced an outage of service due to intrusion attempts.

Question 7

Notification tools used with the NIDS

[Pie chart: Message (Telegram) 33%, Others 67%, E-mail 0%]

Chart 4.3.1.7: Question 7

The pie chart above shows the notification tools used with the NIDS. It can be seen
that 67% of the notification tools used with the NIDS, 20 respondents, are "Others",
such as OSSIM, Bro, Kismet and OpenDLP. Then, only 33% used messages as the
notification tool for the NIDS. None of the 30 respondents have used e-mail as
the notification tool for the NIDS.

Question 8

Respondents who are familiar with e-mail

[Pie chart: Yes 100%, No 0%]

Chart 4.3.1.8: Question 8

The pie chart above shows the respondents who are familiar with e-mail. It can be
concluded that the majority of respondents are familiar with e-mail.

Question 9


Respondents who know that an IDS can be connected with e-mail

[Pie chart: Yes / No]

Chart 4.3.1.9: Question 9

The pie chart above shows the respondents who know that an IDS can be connected
with e-mail. It can be concluded that no respondent knew that an IDS can be connected
with e-mail.

4.3.2 Section B

Question 11, 12, 13 and 14

10 of the respondents agree and 10 respondents strongly agree that a NIDS
can detect any anomalous packet in the network. No respondent disagrees with that
statement.

Then, all respondents agree or strongly agree that using e-mail to notify of
intrusion attempts is simpler and more convenient.

28 respondents agree and only 2 respondents strongly agree that the
network is more secure if a NIDS is implemented.

After that, 22 of the respondents agree and 8 respondents strongly agree that a NIDS
is fairly easy to implement. No respondent totally disagrees with that statement.

4.4 Project Design

The design phase also identified the way the system operates, in terms of the
hardware, software and network infrastructure, and the interfaces, forms, reports and
databases to be used. The project design report shows some of the design, consisting of
the network physical design and the graphical user interface (GUI).

4.4.1 Network Physical Design

Figure 4.3.1.1: Network physical design

4.4.2 Graphic User Interface (GUI)

Figure 4.3.2.1: BASE main page

Figure 4.3.2.2: BASE IP address result

Figure 4.3.2.3: iRedMail login page

Figure 4.3.2.4: iRedAdmin dashboard

Figure 4.3.2.5: Roundcube Login page

Figure 4.3.2.6: Roundcube inbox page

Figure 4.3.2.7: Gmail inbox

Figure 4.3.2.8: Snort alert

Figure 4.3.2.9: Local mail address

Figure 4.3.2.10: Snort alert

CHAPTER 5: DEVELOPMENT AND TESTING

5.1 Introduction

The results from analysis and design continue into the next phase, which is
development and testing. This phase is where testing is done to see the
result of this project and to analyze whether the project has achieved its objectives.
It focuses on system testing and hardware functionality. System testing is done in
this phase so that it is easier to detect any problems and troubleshoot them.
In the testing part, the system is tested in terms of function and user acceptance
of the developed system; for hardware functionality, the hardware is tested using the
system that has been built and the programs that have been loaded onto the hardware to
see whether it is functional or not.

5.2 Snort Development

Snort is an open source network intrusion detection system (NIDS) with the ability to
perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks.

To install Snort, the following steps are followed.

i. Download Data Acquisition library (DAQ)

Figure 5.2.1 Downloading Data Acquisition Library (DAQ)

ii. Extract it and run the ./configure, make and make install commands for the DAQ
installation. However, DAQ requires other tools, so the ./configure script
will generate the following errors.

Figure 5.2.2 Flex and Bison error

Figure 5.2.3 Libpcap error

iii. Therefore, first install flex/bison and libpcap before the DAQ installation, as
shown in the figure.

Figure 5.2.4 Installing Flex

Figure 5.2.5 Installation of Libpcap Development Library

iv. After installing the necessary tools, run the ./configure script again, which will
show the following output.

Figure 5.2.6 Script

Figure 5.2.7 Make install commands result

Figure 5.2.8 Make commands result

v. After the successful installation of DAQ, the Snort installation starts. Downloading
using wget is shown in the figure below.

Figure 5.2.9 Downloading Snort

vi. Extract compressed package

Figure 5.2.10 Extract compressed package command

vii. Create the installation directory and set the prefix parameter in the configure script.
It is also recommended to enable the sourcefire flag for Packet Performance
Monitoring (PPM).

Figure 5.2.11 Sourcefire flag for Packet Performance Monitoring (PPM) commands

viii. The configure script generates errors due to the missing libpcre-dev, libdumbnet-dev
and zlib development libraries.

Figure 5.2.12 Error due to missing libpcre library

Figure 5.2.13 Error due to missing dnet (libdumbnet) library

Figure 5.2.14 Error due to missing zlib library

ix. The installation of all the required development libraries is shown in the next
screenshots.

Figure 5.2.15 Installing all required development libraries

Figure 5.2.16 Installing all required development libraries

Figure 5.2.17 Installing all required development libraries

x. After installing the required libraries for Snort above, run the configure script
again; it now completes without any error.

Figure 5.2.18 Make command for compilation and installation of Snort

Figure 5.2.19 Make Install command for compilation and installation of Snort

xi. Finally, Snort is run from the /usr/local/snort/bin directory. Currently it is in
promiscuous mode (packet dump mode) on all traffic on the eth0 interface.

Figure 5.2.20 Snort is running

Figure 5.2.21 Snort interface

xii. Copy the rules and configuration under the /etc/snort directory. The rules are
attached in Appendix A.

Figure 5.2.22 Output of rules setting when success

Figure 5.2.23 Script from configuration file

Figure 5.2.24 Snort configuration for IDS proper working

Figure 5.2.25 Rule path of Snort

Figure 5.2.26 Rule path of Snort

xiii. Download the community rules and extract them under the /etc/snort/rules
directory. Enable the community and emerging threats rules in the snort.conf file.

Figure 5.2.27 Downloading community rules

Figure 5.2.28 Enable community and emerging threats rules

xiv. Test the configuration

Figure 5.2.29 Snort installation done

5.3 SSMTP Development

i. Install the SSMTP package

Figure 5.3.1: Command installs SSMTP

ii. Edit the config file

Figure 5.3.2: Command edit file

iii. Open the config file for editing

Figure 5.3.3: Edit config file

iv. Test send mail using SSMTP

Figure 5.3.4: Test SSMTP

5.4 BASE Test

Basic Analysis and Security Engine (BASE) is third-party software used to analyse the log
files of the system. It is a web front-end for querying and analysing the alerts coming from the
Snort IDS. BASE also shows graphs of the IDS results.

Figure 5.4.1 BASE Interface

Figure 5.4.2 Search Function

5.5 iRedMail Development

iRedMail is an open source, full-featured mail server solution for Linux/BSD. It
provides basic features such as unlimited virtual mail accounts, POP3/IMAP/SMTP and AJAX
webmail.

i. Install iRedMail package

Figure 5.5.1: Install iRedMail

ii. Start iRedMail

Figure 5.5.2: Start iRedMail

iii. Configure iRedMail

Figure 5.5.3: iRedMail configuration

Figure 5.5.4: iRedMail configuration

iv. Choose web server

Figure 5.5.5: Web server selection

v. Choose database server

Figure 5.5.6: Database server selection

Figure 5.5.7: Server database root

vi. Setup virtual domain

Figure 5.5.8: Set up domain name

Figure 5.5.9: Set up domain password

vii. Finalize configuration

Figure 5.5.10: Configuration done

Figure 5.5.11: iRedMail configuration

viii. Access web admin to add user

Figure 5.5.12: iRedMail login page

Figure 5.5.13: iRedAdmin dashboard

ix. Access email

Figure 5.5.14: Roundcube login page

Figure 5.5.15: Roundcube inbox page

5.6 Snort Test

i. Run Snort in packet capture mode (snort -v)

Figure 5.6.1: Snort packet capture mode

ii. Send a ping of death to the Snort IDS server to test detection

Figure 5.6.2: Ping test

iii. Go to BASE to monitor the traffic and the source IP address of the attacker

Figure 5.6.3: BASE main page

Figure 5.6.4: BASE IP address result

iv. Access Gmail to check the Snort alert notification

Figure 5.6.5: Gmail inbox

Figure 5.6.6: Snort alert

v. Access the local mail address to check the notification

Figure 5.6.7: Local mail address

Figure 5.6.8: Snort alert

Apart from Gmail, our system can also deliver the Snort alert notification to a local mail account.
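The test above shows one alert arriving by e-mail; in practice a ping flood raises one Snort alert per packet, so mailing each one would flood the inbox. The following added example (written for this page, not the project's own code) parses Snort's alert_fast output, groups the alerts per signature, source and destination, and builds one summary message that can be piped into the ssmtp binary set up in section 5.3. The alert lines, the sid values, the addresses and the From header are constructed for the example.

```python
import re
import subprocess
from collections import defaultdict

# One Snort 2.9 "alert_fast" line: timestamp [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alert lines (sids 1000001/1000002 and the addresses are made up).
SAMPLE_ALERTS = [
    "03/12-14:03:21.100001  [**] [1:1000001:1] LOCAL ICMP ping flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 192.168.1.100 -> 192.168.1.2",
    "03/12-14:03:21.100442  [**] [1:1000001:1] LOCAL ICMP ping flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 192.168.1.100 -> 192.168.1.2",
    "03/12-14:03:21.100990  [**] [1:1000001:1] LOCAL ICMP ping flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 192.168.1.100 -> 192.168.1.2",
    "03/12-14:05:02.000123  [**] [1:1000002:1] LOCAL SSH from outside [**] [Priority: 3] {TCP} 10.0.0.5:4444 -> 192.168.1.2:22",
    "this line is not an alert and is skipped",
]

def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Group alerts by (sid, msg, src, dst): a ping flood becomes one row with a count, not one mail per packet."""
    counts, first = defaultdict(int), {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["sid"], a["msg"], a["src"], a["dst"])
        counts[key] += 1
        first.setdefault(key, a["ts"])  # remember when the group started
    return [{"sid": k[0], "msg": k[1], "src": k[2], "dst": k[3], "count": n, "first": first[k]}
            for k, n in sorted(counts.items(), key=lambda kv: -kv[1])]

def build_mail(rows, to_addr, from_addr="root@ids.localdomain"):
    """Render the summary as a mail message with headers, ready to pipe into 'ssmtp <to_addr>'."""
    total = sum(r["count"] for r in rows)
    body = "\n".join(f"{r['count']:>6}x  sid:{r['sid']}  {r['msg']}  {r['src']} -> {r['dst']}  (first seen {r['first']})"
                     for r in rows)
    return f"To: {to_addr}\nFrom: {from_addr}\nSubject: [snort] {total} alerts in {len(rows)} groups\n\n{body}\n"

def send_with_ssmtp(message, to_addr):
    """Hand the message to the ssmtp binary configured in section 5.3 (assumed to be on PATH)."""
    subprocess.run(["ssmtp", to_addr], input=message.encode(), check=True)
```

Run it periodically (for example from cron) over the lines appended to Snort's alert file since the last run; send_with_ssmtp() then delivers the same summary to either the Gmail or the iRedMail account.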

CHAPTER 6: CONCLUSION AND SUGGESTION

6.1 Introduction

The conclusion at the end of this project is important, as it is the last view of the project
documentation. It discusses and describes the achievement of the project in meeting its
objectives and scope, and specifies the advantages and benefits of the system.

Throughout this final year project, we were able to gain knowledge and experience by
completing the project on our own. It is not only beneficial, but students also gain the
experience regardless of whether the project functions well or not, because the
important thing is the experience gained from the project, which may be applied in the future.

In the period given for this final semester, we were able to complete our project in
accordance with the objectives. We also came to understand closely the use of a system, the
software and hardware used, and how to test the system. While completing this
project, we also learnt how to master another operating system, Ubuntu.

Overall, the Network Intrusion Detection System (NIDS) has functioned successfully,
as it can overcome the problems that the admin faced.
This project combined the network and security fields in one project.

6.2 Suggestion

There are some future plans for our system, the Network Intrusion Detection System
(NIDS). We plan to extend our system to other companies so that they can easily
manage their network and protect it from unhealthy packets that try to enter the
network. Besides that, we also plan to upgrade our system by adding an Intrusion Protection
System (IPS) so that it can act as a firewall and stop anomalous packets from entering the
network.

6.3 Conclusion

In conclusion, the Network Intrusion Detection System (NIDS) would be a simple
and convenient platform for the admin. Our system also implements security so that only the
administrator can manage the network. Hopefully our system will be more efficient,
helpful and user friendly.

APPENDIX A

Questionnaire

Figure a.1: Questionnaire

Figure a.2: Questionnaire

APPENDIX B

Coding

SNORT RULE

#!/bin/bash
## PATH of source code of snort
snort_src="/home/test/Downloads/snort-2.9.7.3"

echo "adding group and user for snort..."
groupadd snort &> /dev/null
useradd snort -r -s /sbin/nologin -d /var/log/snort -c snort_idps -g snort &> /dev/null

# snort configuration: directories, empty rule files and ownership
echo "Configuring snort..."
mkdir -p /etc/snort
mkdir -p /etc/snort/rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/local.rules
mkdir -p /etc/snort/preproc_rules
mkdir -p /var/log/snort
mkdir -p /usr/local/lib/snort_dynamicrules
chmod -R 775 /etc/snort
chmod -R 775 /var/log/snort
chmod -R 775 /usr/local/lib/snort_dynamicrules
chown -R snort:snort /etc/snort
chown -R snort:snort /var/log/snort
chown -R snort:snort /usr/local/lib/snort_dynamicrules

### copy configuration and rules from etc directory under source code of snort
echo "copying from snort source to /etc/snort ....."
echo $snort_src
echo "-------------"
cp $snort_src/etc/*.conf* /etc/snort
cp $snort_src/etc/*.map /etc/snort

## comment out every default "include $RULE_PATH/..." line in snort.conf;
## only the rule files listed explicitly in the configuration below are enabled
sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
echo "---DONE---"

ipvar HOME_NET 192.168.1.0/24                   # LAN side
ipvar EXTERNAL_NET !$HOME_NET                   # WAN side

var RULE_PATH /etc/snort/rules                  # snort signature path
var SO_RULE_PATH /etc/snort/so_rules            # rules in shared libraries
var PREPROC_RULE_PATH /etc/snort/preproc_rules  # preprocessor rule path
var WHITE_LIST_PATH /etc/snort/rules            # don't scan
var BLACK_LIST_PATH /etc/snort/rules            # must scan
include $RULE_PATH/local.rules                  # file for custom rules

# test the configuration:
#snort -T -c /etc/snort/snort.conf
MYSQL

wget http://dev.mysql.com/get/Downloads/MySQL-4.1/mysql-4.1.13.tar.gz/from/http://mysql.mirrors.pair.com/

tar zxf mysql-4.1.13.tar.gz
cd mysql-4.1.13

LDFLAGS="-R/usr/local/lib" ./configure --prefix=/usr/local \
    --with-openssl \
    --without-docs \
    --without-libgcc \
    --with-named-z-libs=z
make
make install

SNORT

../configure --with-mysql=/usr/local --with-openssl=/usr/local

mysqladmin -u root -p create snort

mysql -u root -p snort < snort-2.3.3/schemas/create_mysql

mysql -u root -p snort

# the GRANT creates the snort account; its password can only be set once the account exists
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
mysql> set PASSWORD FOR snort@localhost=PASSWORD('snort_user_password');
mysql> flush privileges;
mysql> exit

# snort.conf output plugins (the password must match the one set above)
output database: log, mysql, dbname=snort user=snort password=snort host=localhost
output database: alert, mysql, dbname=snort user=snort password=snort host=localhost

snort -c /etc/snort.conf -g snort

# check that events are being written to the database
echo "SELECT count(*) FROM event" | mysql -u root -p snort

PHP

LDFLAGS="-R/usr/local/lib" ./configure --prefix=/usr/local/php \
    --enable-memory-limit=yes \
    --with-apxs=/usr/local/sbin/apxs \
    --with-gettext=/usr/local \
    --with-exif \
    --without-mm \
    --with-mysql=/usr/local \
    --with-openssl=/usr/local \
    --with-zlib \
    --with-jpeg-dir=/usr/local \
    --with-png-dir=/usr/local \
    --with-exec-dir=/usr/local/php/libexec \
    --enable-cli \
    --enable-sockets
make
make install

ADOdb

wget http://unc.dl.sourceforge.net/sourceforge/adodb/adodb465.tgz

PEAR MODULES
/usr/local/php/bin/pear install Image_Color
/usr/local/php/bin/pear install Log
/usr/local/php/bin/pear install Numbers_Roman
/usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
/usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz

BASE

cd /usr/local/apache/htdocs
tar zxf /path/to/base-1.1.3.tar.gz
mv base-1.1.3 base

mysql -u root -p snort < base/sql/create_base_tbls_mysql.sql

cd base
cp base_conf.php.dist base_conf.php

Variable            Function                                               Value
$DBlib_path         Full path to the ADOdb installation                    "/usr/local/share/adodb"
$DBtype             Type of database used                                  "mysql"
$Use_Auth_System    Set to 1 to force users to authenticate to use BASE    0
$BASE_urlpath       The root URI of your site                              "/base"
$alert_dbname       The alert database name                                "snort"
$alert_host         The alert database server                              "localhost"
$alert_port         The port where the database is stored (leave blank     ""
                    if you're not running MySQL on a network socket)
$alert_user         The username for the alert database                    "snort"
$alert_password     The password for the username                          "snort_user_password"

<Directory /usr/local/apache/htdocs/base/>
    Order Deny,Allow
    Deny from All
    Allow from 192.168.1.100
    AuthType Basic
    AuthName "Access is restricted."
    AuthUserFile /path/to/htpasswd/file
    Require valid-user
</Directory>

User Manual

On snort IDS server:

1) Run Snort in packet capture mode. The command for this step is snort -v

Figure 1: Snort packet capture mode

2) Go to BASE to see whether Snort has detected or captured any packets. To open the BASE
graphical user interface, enter the IP address of the Snort IDS server in the browser,
for example http://192.168.1.2/base.php

Figure 2: Assign IP address of IDS

Using GMAIL as notification

Go to Gmail, where the Snort IDS server has been configured to send an e-mail to the
Gmail account as a notification whenever there is a detection or packet capture.

1) Go to Gmail and log in to the e-mail account that is already configured on the Snort IDS server.

Figure 3: Gmail login page

Figure 4: Gmail inbox

2) We can see that root on our IDS has sent a notification

Figure 5: Snort alert

Using a local mail server such as iRedMail to receive notifications of Snort
detections

1) Go to the mail server and identify the IP address of that server.

Figure 6: Identify IP address

2) In the browser, enter the IP address of the e-mail server, for example http://192.168.1.5,
and log in with the e-mail address and password. The e-mail address must be the one
configured for Snort alert notification on the IDS server.

Figure 7: Roundcube login page

3) After logging in, we can see that root on our IDS system has sent a notification about the
detection of a ping flood.

Figure 8: Roundcube Snort alert
