WP4 Clearinghouse
WP4 Type 3 Statistics: IDS Sensor Userguide
System description
POPPIX is a collection of security-related tools with a
curses-based gui. It comes on a bootable Linux CD-ROM and is
based upon a recent
Knoppix distribution.
Within eCSIRT.net it is used to deploy a number of intrusion detection
sensors in order to monitor internet background noise (attacks, worms
etc.). The monitored events are logged to a central server (using
authenticated SSL connections) and are evaluated for generation
of statistics. For this purpose the following services are provided:
- crypntp: a secure implementation of the network time protocol (NTP).
This ensures that the logged events of all deployed sensors
carry the same time. Source: http://www.ntp.org/
- honeyd: a honeypot daemon that is able to emulate some network
services. The honeyd is used to actually answer connections
so they are visible to the IDS sensor. Source: http://www.citi.umich.edu/u/provos/honeyd/
- pnids: prelude-nids, the network-based sensor of the
intrusion detection system PRELUDE. Source: http://www.prelude-ids.org
POPPIX is released under the GPL. Contributions are more
than welcome.
Requirements
The POPPIX IDS sensor requires all of the following:
- i386 (or better) with a bootable CD-ROM device and
a network interface
- direct internet access via TCP/IP (NAT will not work)
- 2 IP-addresses (1 to be attacked, 1 to communicate
with the time-server, to log attack-data etc.)
Sources
There exists an ISO-image for the bootable CD. You may receive
the image upon request.
An initial image for a 1.44 MB floppy disk is mailed to the
participating members.
Please keep this image as it contains all the keys and certificates
necessary for the POPPIX IDS sensor to work.
Installation
The following steps are necessary to get a working POPPIX installation:
- Get the ISO-Image of the POPPIX-CDROM. Burn it on a CD.
- Get the floppy image with the keys, certificates and
the configuration menus. Unpack it onto a floppy disk
using any zip utility at hand (on Unix systems it is usually
"unzip").
Setup
- Set the hardware clock of the system to an approximately correct
time. The configured ntp service will provide a very precise time
a few minutes after startup, but messages logged before will
have a wrong time stamp otherwise.
- Boot from CD. The floppy is not bootable, but once Linux
has been started from the CD, it will automatically look for the
configuration menu and startup script on the floppy.
The floppy mustn't be write-protected.
- If the automatic start-up of POPPIX from the floppy fails, log
in as root, cd into /mnt/floppy and issue
'./start2.sh'.
- Once POPPIX has been started, you have to setup your specific
network parameters via the menu Setup->Networks->Add.
- The IP-address to be given to the first interface
(theoretically POPPIX supports as many as you like) has to be
the address designated for communications.
- You don't have to activate any network-interface. This will
be done automatically when leaving POPPIX.
- Unfortunately DHCP doesn't work (yet), even though you
might see it offered someplace.
- WLAN-interfaces are not supported.
- The next step is setting up the so called 'services' (e.g.
honeyd, pnids, cryptntp).
- The defaults should be okay (i.e. each service should
indeed be started etc.)
- Both prelude (aka pnids) as well as honeyd have to be told
which IP-address to monitor or to emulate servers on
respectively. You have to enter the same IP-address for pnids
and honeyd. This IP has to be different from the
communication-IP, mentioned above.
- After having setup everything, select 'Exit' from the main menu.
POPPIX will ask you whether it should proceed to write
configuration files, start the services etc. Remember,
currently POPPIX will not touch your harddisk, if booted
from CD. So don't be too shy.
- Make sure that your firewall does not block the services
of the sensor. This means:
- Enable all incoming traffic to the IP-address to be
attacked.
- Enable all outgoing traffic from the IP-address to
be attacked.
- Enable TCP traffic (incoming and outgoing) between
the systems IP-address (any port) and the
IDS manager ip5.pre-secure.de (port 5554).
- Enable UDP traffic (incoming and outgoing) between
the systems IP-address (any port) and the
timeserver time.pre-secure.de (port 123).
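The four firewall requirements above, written out as iptables rules. This is an added example, not part of POPPIX or the original guide; it assumes a Linux packet filter in front of the sensor (FORWARD chain) and takes the two sensor addresses as constructed arguments. The manager and timeserver hostnames are those named in the guide; resolving them to fixed IP addresses before loading the rules is preferable.

```shell
#!/bin/sh
# Added example: emit iptables rules for a Linux firewall that forwards
# traffic for the POPPIX sensor. Assumptions: FORWARD chain on a filtering
# router; $1 = address to be attacked, $2 = communication address.
poppix_fw_rules() {
    attack_ip="$1"                   # address honeyd/pnids listen on
    comm_ip="$2"                     # address used for NTP and manager traffic
    manager="ip5.pre-secure.de"      # IDS manager, TCP port 5554 (from the guide)
    timeserver="time.pre-secure.de"  # NTP server, UDP port 123 (from the guide)

    # 1 + 2: all incoming and all outgoing traffic for the attacked address
    echo "iptables -A FORWARD -d $attack_ip -j ACCEPT"
    echo "iptables -A FORWARD -s $attack_ip -j ACCEPT"
    # 3: TCP between the communication address (any port) and the manager (5554)
    echo "iptables -A FORWARD -p tcp -s $comm_ip -d $manager --dport 5554 -j ACCEPT"
    echo "iptables -A FORWARD -p tcp -s $manager --sport 5554 -d $comm_ip -j ACCEPT"
    # 4: UDP between the communication address (any port) and the timeserver (123)
    echo "iptables -A FORWARD -p udp -s $comm_ip -d $timeserver --dport 123 -j ACCEPT"
    echo "iptables -A FORWARD -p udp -s $timeserver --sport 123 -d $comm_ip -j ACCEPT"
}

# Number of rules emitted, for a quick sanity check before loading them.
poppix_fw_rule_count() {
    poppix_fw_rules "$1" "$2" | wc -l | tr -d ' '
}

# Usage (constructed addresses): review the output, then pipe it to sh as root.
poppix_fw_rules 192.0.2.10 192.0.2.11
```

Nothing else needs to reach the communication address, so the filter's default policy for it can stay restrictive.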
Testing
If everything works well, you should be able to perform the following tests:
- Look into the log messages of the started processes on
console /dev/tty8 (switch back and forth via ALT-F8 and
ALT-F1). There should be some messages like the following:
prelude-nids: - SSL authentication succeeded with Prelude Manager.
prelude-nids: - Initializing packet capture.
...
ntpd[380]: peer 212.12.41.19 event 'event_reach' (0x84) status 'unreach, conf, auth, 1 event, event_reach (0xe014)'
...
ntpd[380]: time reset -5.017380 s.
- Point your webbrowser to the WWW-Frontend of the IDS (access limited to participating members).
When the first attacks are reported, they will
appear in the alert list. For better control you may
select the filter for your own team and click on
load.
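A small health check over the /dev/tty8 messages described above, added here as an example (not POPPIX tooling): it reads the log text on stdin and reports whether the manager SSL session, the packet capture and the NTP time step have all appeared. The sample log is constructed in the shape of the lines shown in this guide; the function names are my own.

```shell
#!/bin/sh
# Added example: check the sensor's console log for the three messages that
# indicate a working POPPIX sensor. Exits non-zero when any check fails.
poppix_health() {
    log=$(cat)
    rc=0
    check() {   # $1 = label, $2 = grep pattern, $3 = hint printed on failure
        if printf '%s\n' "$log" | grep -q -- "$2"; then
            echo "$1: ok"
        else
            echo "$1: FAIL ($3)"
            rc=1
        fi
    }
    check "manager" "SSL authentication succeeded with Prelude Manager" \
        "no SSL session to the IDS manager: check TCP 5554 and the floppy certificates"
    check "capture" "Initializing packet capture" \
        "prelude-nids did not start capturing: check the monitored IP address"
    check "ntp" "ntpd\[[0-9]*\]: time reset" \
        "no time step from ntpd yet: check UDP 123 to the timeserver and wait a few minutes"
    return $rc
}

# Constructed sample modelled on the guide's lines (not a real capture).
sample_log() {
    cat <<'EOF'
prelude-nids: - SSL authentication succeeded with Prelude Manager.
prelude-nids: - Initializing packet capture.
ntpd[380]: time reset -5.017380 s.
EOF
}

# The same sample without the NTP step, as seen when UDP 123 is blocked upstream.
sample_log_no_ntp() {
    sample_log | grep -v 'time reset'
}

# Usage: on the sensor, paste the tty8 messages into the check, e.g.
#   poppix_health < captured_tty8.txt
sample_log | poppix_health
```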
Troubleshooting
If you have trouble logging in as user "root", keep in mind that
POPPIX uses an American keyboard layout. If anything else goes
wrong, you can have a look at:
- The file /tmp/pst.log, where you will find some information about
what POPPIX is doing.
- Syslog. It's not logging to a real file, but to the virtual
console /dev/tty8 (switch back and forth via Ctrl-F8 and Ctrl-F1).
Currently syslog logs everything.
Results
Public statistics
On the basis of the collected data of all sensors some generic statistics
are generated. These show results on the accumulated data of all
sensors. The number of alerts of some main classes are displayed
as well as some more complex statistics on the number of attacks
per attacker and the number of sensors that were attacked by the
same host.
The public statistics of the sensors can be found here.
Internal statistics
In contrast to the generalized public statistics, the charts of internal
statistics retain the relation of the alerts to the single sensors.
So each participating team is able to see the number of alerts
logged by its own sensor.
Related Documents
Revision History
- Release 1.0, December 2003 First Release