1. IPLOG?
A beginner's IDS for the WIN!
IPLOG provides the beginner sysadmin with actionable network intelligence without the complexities of more advanced IDS solutions.
2. Actionable & Timely Intel.
The sole purpose of IDS.
● Open Source Solutions
– Suricata
– TcpDump / Wireshark
– SNORT
– IPLOG
3. The Problems
● Suricata.
– It exists, that's all I know about it.
– If you know more about it, be ready for the Q & A!
– Next point. :-)
● TcpDump / Wireshark.
– Skills
● Can you read a pcap like a book?
● Can you dissect TCP/IP in your head?
● We are at a BSides, maybe some of you can.
– Speed
● Can you do all the above at 10 MB/s?
● Actionable? Yes. Timely? No.
4. The Problems Cont'd
SNORT Complexity
● IDS - SNORT has LOTS of options.
● Rule Management.
– Which set or sets?
● Community.
● ET.
● VRT.
● Custom.
– Which update solution?
● Oinkmaster.
● PulledPork.
5. The Problems Cont'd
SNORT Complexity Cont'd
● Logs - Here comes LOTS of DATA!
– Which DB?
● MySQL.
● PostgreSQL.
– SNORT -> DB interface: Barnyard2.
● A Web APP
– Web Server Deployment.
– Web App Deployment.
– Some Web Apps.
● BASE
● Snorby
● Sguil
6. The Problems Cont'd
SNORT Cont'd
● Skills
– Learn everything just mentioned.
– Tune your rule sets to eliminate the noise.
● Speed.
– Actionable? Yes.
– Timely? Yes.
● After your rule set is tuned.
● After you get current on the logs. :-)
7. A solution, IPLOG.
What is IPLOG?
● Open Source Software.
● Written by Ryan McCabe in 2000.
● http://ojnk.sourceforge.net
● Simple, but not tcpdump.
8. IPLOG
What does it do?
● Connection Logging
● Scan Detection
– TCP Port Scans.
– TCP SYN Scans.
– TCP null Scans.
– FIN Scans.
– TCP "Xmas" Scans.
– UDP Scans.
● Attack Detection
– ICMP ping floods.
– UDP and ICMP "smurf" attacks.
– IP fragment attacks.
– Bogus TCP flags.
● NMAP scan evasion (experimental).
9. IPLOG
Logging
● Syslog or text file
● Log Sample
Jan 1 00:26:25 TCP: Bogus TCP flags set by 157.55.33.14:28256 (dest port 80)
Jan 1 02:24:03 UDP: scan/flood detected [port 500] from 124.126.133.120 [port 500]
Jan 1 02:24:10 ICMP: 194.187.150.110 time exceeded (udp: dest port 32887, source port 51413)
Jan 1 02:24:44 ICMP: 196.200.48.10 time exceeded (tcp: dest port 63473, source port 47785)
Jan 1 02:24:45 ICMP: 196.200.48.10 time exceeded (tcp: dest port 63473, source port 44733)
Jan 1 02:25:09 UDP: scan/flood mode expired for 124.126.133.120 - received a total of 36 packets (14616 bytes).
Jan 1 02:26:18 ICMP: echo from 129.82.138.44 (12 bytes)
Jan 1 02:26:26 ICMP: 194.187.150.110 time exceeded (udp: dest port 51731, source port 51413)
Jan 1 02:29:15 last message repeated 1 times
Jan 1 02:29:15 TCP: ms-sql-s connection attempt from 115.239.226.51:6000
Jan 1 02:30:26 UDP: dgram to isakmp from 124.126.133.120:500 (412 data bytes)
Jan 1 02:30:26 UDP: dgram to isakmp from 124.126.133.120:500 (384 data bytes)
10. IPLOG
Misc.
● Can filter out noise.
– Config Example.
# gtld Name Servers
ignore udp from 192.5.6.30 sport 53
ignore udp from 192.12.94.30 sport 53
ignore udp from 192.26.92.30 sport 53
ignore udp from 192.31.80.30 sport 53
ignore udp from 192.33.14.30 sport 53
ignore udp from 192.35.51.30 sport 53
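The log sample on slide 9 and the ignore rules on slide 10 are what a sysadmin actually works with, so here is an added example (not IPLOG's own code, and not from the talk) that parses the log format shown above, applies ignore rules in the "ignore <proto> from <ip> sport <port>" form shown above, and counts alert-class events per source address. The split into "alert", "connection" and "info" message kinds is an assumption made here for triage, not a classification IPLOG itself performs; the "dgram to domain" line and the two-rule ignore list are constructed so that the filter has something to drop.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the first eight lines reproduce lines from the slide; the
# last line is a constructed DNS reply from a gtld name server, added so that
# the ignore rules below match something.
SAMPLE_LOG = """\
Jan 1 00:26:25 TCP: Bogus TCP flags set by 157.55.33.14:28256 (dest port 80)
Jan 1 02:24:03 UDP: scan/flood detected [port 500] from 124.126.133.120 [port 500]
Jan 1 02:24:10 ICMP: 194.187.150.110 time exceeded (udp: dest port 32887, source port 51413)
Jan 1 02:25:09 UDP: scan/flood mode expired for 124.126.133.120 - received a total of 36 packets (14616 bytes).
Jan 1 02:26:18 ICMP: echo from 129.82.138.44 (12 bytes)
Jan 1 02:29:15 last message repeated 1 times
Jan 1 02:29:15 TCP: ms-sql-s connection attempt from 115.239.226.51:6000
Jan 1 02:30:26 UDP: dgram to isakmp from 124.126.133.120:500 (412 data bytes)
Jan 1 02:30:27 UDP: dgram to domain from 192.5.6.30:53 (210 data bytes)
"""

# Constructed rule set in the form shown on the slide.
SAMPLE_RULES = """\
# gtld Name Servers
ignore udp from 192.5.6.30 sport 53
ignore udp from 192.12.94.30 sport 53
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<proto>TCP|UDP|ICMP): (?P<msg>.*)$")
# The first IPv4 address in the message is the peer; ":port" follows it for TCP/UDP peers.
PEER_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?")
# Only the rule form shown on the slide is supported here (assumption: IPLOG's grammar is wider).
RULE_RE = re.compile(r"^ignore (?P<proto>tcp|udp|icmp) from (?P<ip>\S+)(?: sport (?P<sport>\d+))?$")

# Assumed triage classes for IPLOG message text (not defined by IPLOG itself).
ALERT_MARKERS = ("scan/flood detected", "bogus tcp flags")
INFO_MARKERS = ("time exceeded", "mode expired")


@dataclass
class Event:
    ts: str
    proto: str
    src: str
    sport: Optional[int]
    kind: str  # "alert", "connection" or "info"
    msg: str


@dataclass
class IgnoreRule:
    proto: str
    ip: str
    sport: Optional[int]


def classify(msg: str) -> str:
    low = msg.lower()
    if any(m in low for m in ALERT_MARKERS):
        return "alert"
    if any(m in low for m in INFO_MARKERS):
        return "info"
    return "connection"


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for one IPLOG line, or None for lines without a protocol tag
    (e.g. syslog's "last message repeated N times")."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    peer = PEER_RE.search(m["msg"])
    if not peer:
        return None
    sport = int(peer["port"]) if peer["port"] else None
    return Event(m["ts"], m["proto"], peer["ip"], sport, classify(m["msg"]), m["msg"])


def parse_ignore_rules(text: str) -> list:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {raw!r}")
        sport = int(m["sport"]) if m["sport"] else None
        rules.append(IgnoreRule(m["proto"].upper(), m["ip"], sport))
    return rules


def is_ignored(ev: Event, rules: list) -> bool:
    return any(r.proto == ev.proto and r.ip == ev.src and (r.sport is None or r.sport == ev.sport)
               for r in rules)


def process(log_text: str, rules_text: str) -> dict:
    """Parse the log, drop events matched by ignore rules, count alerts per source."""
    rules = parse_ignore_rules(rules_text)
    kept, ignored = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        (ignored if is_ignored(ev, rules) else kept).append(ev)
    alerts = Counter(ev.src for ev in kept if ev.kind == "alert")
    return {"events": kept, "ignored": ignored, "alerts_by_src": alerts}


if __name__ == "__main__":
    result = process(SAMPLE_LOG, SAMPLE_RULES)
    print(f"{len(result['events'])} events kept, {len(result['ignored'])} dropped by ignore rules")
    for src, n in result["alerts_by_src"].most_common():
        print(f"  {n} alert(s) from {src}")
```

Run against the constructed sample, the DNS reply from 192.5.6.30 is the only line the rules drop, and the two sources that trip IPLOG's bogus-flag and scan/flood detectors are the ones surfaced as alerts; the ICMP "time exceeded" and "mode expired" lines are kept but classed as informational, which is the noise/signal separation the slides argue a beginner needs.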
● A newer version of IPLOG (2.2.5):
http://www.cmpublishers.com/oss