CONTENTS
1. Introduction ............................................................................. 4
5. Report .................................................................................. 16
6. Analyze ................................................................................. 28
SURFids User Manual / version 1.0
7. Configuration .......................................................................... 37
8. Administration ......................................................................... 43
Glossary ..................................................................................... 47
1. INTRODUCTION
The SURFids web interface provides reports and analyses that enable you to
take appropriate action for optimal network security. This web application
is mainly intended for security officers and administrators.
At the back of this manual you will find a glossary that explains specific
IDS-related terms.
2. SURFids OPERATION
2.1 In short
SURFids basically consists of:
2.2 Sensors
SURFids examines the traffic on your network through sensors, which are
physically installed in your network. A sensor is a dedicated PC that is
booted from a USB stick provided by SURFnet.
The sensors in your network are passive: they do not analyse traffic
themselves. Their only function is to build a direct link between your
network and the central IDS component through a VPN tunnel, so that attacks
on the sensor's address are carried to the central IDS component and
analysed by the honeypots there.
Sensors support multiple VLANs, making it possible for one sensor to connect
up to 8 VLANs to the central IDS component, see Fig. 2.
The central IDS component manages the sensors and pushes updates to the
sensors when necessary, so the sensors in your network need very little
maintenance on your part.
2.3 Honeypots
General
Two honeypots run on the central IDS server: Nepenthes and Argos.
Honeypots are software applications that detect and identify malicious
attacks by exposing (real or emulated) vulnerabilities in Windows and
other applications to the attacker.
The honeypots on the IDS server are able to respond to numerous types of
attacks, aimed at different operating systems. The honeypots simulate these
operating systems.
Nepenthes
This honeypot emulates numerous known vulnerabilities in Windows and in
various applications. When an attack offers malware (malicious software code
offered during an attack), Nepenthes tries to download it so that it can be
analysed.
Argos
Rather than simulate an operating system or application, this honeypot
actually is one, located in a safe environment. Unlike Nepenthes, Argos does
not base its responses on predefined scripts but utilizes buffer overflow
detection among other technologies to react authentically to both known and
unknown attacks. In this way it surpasses Nepenthes in the detection of
malicious traffic.
Argos is only used to check traffic on a user defined set of IP addresses (see
section 7.4).
Characteristics compared
Nepenthes and Argos have different characteristics and are used for different
purposes. These characteristics are compared in the following table. You can
use this table to choose between Nepenthes and Argos.
Nepenthes Argos
As mentioned, Nepenthes is used by default for attack detection. You can use
Argos for example in the following cases:
In the second case, the rogue DHCP server is configured to hand out as default
gateway the IP address of a machine controlled by an attacker. This attacker
can then see all the traffic the client sends to other networks.
In the chapters following the application menu, these features are explained
in detail.
3.2 Logging in
Once you have received a SURFids username and password (from SURFnet or
your security officer), you can log in on SURFids:
Fig. 3 Logging in
SURFids starts.
If you start SURFids for the first time, it is advisable to change the password
to one you have chosen yourself. Proceed as follows:
4. SURFids OVERVIEW
After logging in to SURFids, you will see the SURFids homepage:
Fig. 4 Homepage
From the menu bar, you can enter the various SURFids components:
The time span selector enables you to set the time span over which you want
to see report information.
The time span setting is persistent for all information pages you
choose in SURFids. It does not return to its default value when you
open a new page.
- Click on the hours and minutes boxes to set the start time and finish
time.
4.3 Attacks
This window displays the (possible) attacks that were detected by the SURFids
central component:
possible malicious attacks: all the connections that were logged by
Nepenthes, both harmless and malicious connections.
malware offered: attacks that have offered malware, which Nepenthes has
tried to download.
You can:
click on to see the details of the data in the ‘Statistics’ column. For an
explanation of this details window, see section 6.6.
4.4 Exploits
This window displays the types of exploits that were detected by Nepenthes. An
exploit is a piece of software code that uses vulnerabilities in software
applications or operating systems in order to gain unauthorised access to a
computer (network).
Click on the exploit name for additional information on the exploit.
Click on to see the details of the data in the ‘Statistics’ column. For an
explanation of this details window, see section 6.6.
4.5 Attackers
Fig. 10 Attackers
In this box you can find the top 10 of attackers, ordered by the number of
attacks they have made during the period you have selected.
Click on to see the details of the data in the ‘Total Hits’ column. For an
explanation of this details window, see section 6.6.
4.6 Ports
This window displays the top 10 of ports that were attacked in the period you
have selected.
Click on the port description name for additional information on the port.
Click on to see the details of the data in the ‘Total Hits’ column. For an
explanation of this details window, see section 6.6.
5. REPORT
This chapter describes the tabs under the ‘Report’ menu item.
5.1 Ranking
Fig. 12 Ranking
This page compares malicious attack information of your sensors (right side of
the page) with that of all sensors connected to SURFids (left side of the
page). The following information is compared:
top 10 exploits
The ‘Range’ column shows an overview of the IP-ranges in your own network.
The other columns show:
Unique source addresses that were attacked from this range. Click on
the number to see the source addresses and the number of attacks per
source address.
If the IP ranges shown on this page do not correspond with your own
IP ranges, or if no IP ranges are displayed at all, please contact
ids-beheer@surfnet.nl.
This map shows the approximate origins of malicious attacks (not of possible
malicious attacks) on the sensors in your network. The IP address of the
attacker is converted into a geographical location using a geolocation
database, and the location is plotted via Google Maps.
The more attacks originate from a single IP address, the more the colour
indication on the map changes.
5.4 Traffic
These graphs show the network traffic through the VPN tunnel for every
sensor in your network.
You can:
click on each graph to see other time spans: weekly, monthly and yearly.
This page gives the following ‘health status’ information of your servers, over
the last 24 hours:
CPU load
memory usage
network traffic
You can:
click on each graph to see other time spans: weekly, monthly and yearly.
The central IDS server sniffs on your sensors and logs every protocol it
detects. Here you can view the protocol information (name and type number)
of the traffic on your sensors, to check for unusual protocols in your network.
Click on the sensor you want to view. The protocol information of that
sensor is displayed:
5.7 Graphs
Here you can draw various graphs displaying information about your sensors.
1. In the ‘Actions’ bar, select the type of information you want to display:
2. Choose the sensor(s), the information to be displayed, the interval and the
plot type.
3. Use the period selector (see section 4.2) to set the time span.
Fig. 20 Graph example, which is the result of the parameters chosen in Fig.
19.
5.8 My Reports
You can set up reports that contain the information you specify. Reports can
be sent to you by e-mail, or you can use the RSS feed, so that you are
automatically kept up to date on attacks in your network.
Search results
The reports list also contains search queries that you have saved (see section
6.6). You can perform a search query by clicking on .
Add a report
1. In the ‘Actions’ bar, click on Add report.
SUBJECT
Report name, also the subject of the e-mail or RSS feed containing the report
information.
Tip: enter a meaningful name here, so that you can easily distinguish
your reports.
MAIL PRIORITY
The importance level the message gets in your mail box.
SENSORS
The sensors that are checked for this report.
REPORT TEMPLATE
The basic type of information for your report (see page 27 for example
reports):
Sensor status: an alert when a sensor is down or failed to start (with
sensor name and status).
ARP alert: an e-mail alert in case of ARP poisoning (with attacking MAC
address and attacked IP address).
DHCP servers: an e-mail alert when a rogue DHCP server is detected (with
attacking MAC address).
For ‘Sensor status’, ‘ARP alert’ and ‘DHCP servers’, an e-mail is sent
immediately.
REPORT TYPE
Mail – summary: a summary of the report by e-mail
Mail – IDMEF detail: the report details by mail in IDMEF format, an XML
format dedicated to intrusion detection information
SEVERITY
For the ‘All attacks’ and ‘Own ranges’ templates: specification of the attack
type(s) you want in the report.
For the ‘Sensor status’ template: specification of the sensor status (es) you
want in the report.
FREQUENCY
Reports from the ‘All attacks’ and ‘Own ranges’ templates can be sent to you:
every hour
every day
every week
when a threshold occurs, e.g. you want to receive a report if more than 20
attacks have occurred within one hour. For this example, fill in the
threshold options as follows:
- Threshold amount: 20
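The threshold option above is a sliding-window count: the report fires once more than the threshold amount of attacks falls inside one window. The following Python is an added example, not SURFids code; the function names and the sample timestamps are constructed for this illustration, and the window is evaluated at every event rather than on clock-hour boundaries, so a burst that straddles 00:30 to 01:30 is caught.

```python
"""Sliding-window threshold check for a threshold-frequency report.

Added example, not SURFids code: it models the manual's threshold option
("more than 20 attacks within one hour") over a list of attack timestamps.
The function names and the sample timestamps are constructed for this
illustration and are not the product's own.
"""
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


def threshold_breach(
    timestamps: Iterable[datetime],
    threshold_amount: int = 20,
    window: timedelta = timedelta(hours=1),
) -> Optional[datetime]:
    """Return the time at which the number of attacks inside one window first
    exceeds threshold_amount, or None if the threshold is never exceeded.

    The window is half-open: an attack exactly `window` older than the
    current one has already dropped out. Input need not be sorted.
    """
    events = sorted(timestamps)
    left = 0
    for right, ts in enumerate(events):
        # Advance the left edge past everything outside (ts - window, ts].
        while events[left] <= ts - window:
            left += 1
        if right - left + 1 > threshold_amount:
            return ts
    return None


def sample_events(count: int, spacing: timedelta) -> List[datetime]:
    """Constructed sample data: `count` attacks at a fixed spacing, starting at
    the date used in the manual's report examples (12 Dec 2007)."""
    start = datetime(2007, 12, 12, 0, 0, 0)
    return [start + i * spacing for i in range(count)]


if __name__ == "__main__":
    # 21 attacks two minutes apart: the 21st, at 00:40, is "more than 20 in an hour".
    print(threshold_breach(sample_events(21, timedelta(minutes=2))))
    # 21 attacks 3m05s apart: the 21st is 61m40s after the first, which has
    # already left the window, so only 20 remain and nothing fires.
    print(threshold_breach(sample_events(21, timedelta(minutes=3, seconds=5))))
```

Note that exactly 20 attacks in an hour do not trigger a report with amount 20; the text says "more than".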
1. In the reports list, click on , log in with your IDS username and password
and follow the instructions of your web browser.
2. In the reports list, right click on and copy the RSS link to your RSS
reader (e.g. Bloglines or Google Reader). Note that this reader must
support the login functionality.
Other actions
Click on the report name to edit the report properties.
In the edit mode, set the ‘Status’ field to ‘inactive’ to disable the report.
Set the status of all reports by clicking Enable all reports or Disable all
reports.
Click on Reset all timestamps to set all data in the ‘Last sent’ column to
‘never’. Reports will be sent again if applicable.
Report examples
ALL ATTACKS / OWN RANGES
Mailreport generated at 12-12-2007 00:00:02
SENSOR STATUS
sensor1 is down!
sensor11 is down!
ARP ALERT
ARP Poisoning attack detected on sensor11!
*.*.15.1 (aa:bb:cc:dd:ee:ff)!
DHCP SERVERS
Rogue DHCP server detected on sensor11!
6. ANALYZE
This chapter describes the tabs under the ‘Analyze’ menu item.
6.1 Attacks
This window displays the (possible) attacks that were detected by the SURFids
central component:
malware offered: attacks that have offered malware, which Nepenthes has
tried to download.
You can:
click on to see the details of the data in the ‘Statistics’ column. For an
explanation of this details window, see section 6.6.
6.2 Exploits
This window displays the types of exploits that were detected by Nepenthes. An
exploit is a piece of software code that uses vulnerabilities in software
applications or operating systems in order to gain unauthorised access to a
computer (network).
Click on to see the details of the data in the ‘Statistics’ column. For an
explanation of this details window, see section 6.6.
Attackers enter the network using exploits (see section 6.2). When the attack
offers malware (software code intended to damage or infiltrate a computer
system), Nepenthes extracts the following information:
Click on to see the details of the data in the ‘Statistics’ column. For an
explanation of this details window, see section 6.6.
Click on the binary name (this is the MD5 sum of the malware) in the
‘Malware’ column to get detailed binary information, with the following
items:
BINARY INFO
Binary ID, size, description, first seen date, last seen date.
NORMAN SANDBOX AND/OR CWSANDBOX RESULT
This report gives detailed information on the worm, such as the network
connections it makes and the registry changes it causes.
BINARY HISTORY
The binary history shows when the malware was first detected and by which
virus scanner. It indicates how new the detected viruses are and gives, to
some extent, a review of the virus scanners you use.
In the example below, you can see that on January 25th only BitDefender
detected the binary as an SDBot. On January 29th, AntiVir also detected it,
whereas the other virus scanners still did not detect the SDBot.
FILENAMES USED
The various filenames that were used for this binary.
You can view the ARP cache, for each sensor separately. The ARP cache shows
which MAC addresses are bound to specific IP addresses within the LAN where
the sensor is located.
You can set which MAC addresses must be monitored by the ARP poisoning
module. The gateway of your network is monitored by default.
Not all MAC addresses need to be monitored by the ARP poisoning module:
only those of crucial systems, such as important servers or PCs that are
known to have been compromised.
Click on Add to static list to add the MAC address to the list of MAC
addresses that are monitored by the ARP poisoning module. You can view
this list under Configuration > ARP (see section 7.2).
Click on Clear ARP cache to clear the MAC – IP address combinations that
were reported up to this moment.
6.6 Search
You can search for specific attack information in the IDS database. You can
set up queries using destination address and port, source address and port
and severity value.
Use % as a wildcard, where applicable, e.g. enter ‘%.exe’ to search for all
file names containing ‘.exe’.
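The ‘%’ wildcard works like SQL LIKE: it stands for any run of characters, so with those semantics ‘%.exe’ matches names that end in ‘.exe’ and ‘%.exe%’ matches names that merely contain it. The Python below is an added example, not SURFids code: it turns a ‘%’ pattern into an anchored, escaped regular expression and filters constructed sample rows on the manual's criteria (source and destination address and port, severity, filename). The field names and severity numbers are assumptions, not the product's real database schema.

```python
"""Search-criteria matching with the '%' wildcard of section 6.6.

Added example, not SURFids code. Criteria use the manual's fields
(source/destination address and port, severity) plus a filename pattern;
'%' matches any run of characters, as in SQL LIKE. The rows in SAMPLE are
constructed, and their field names and severity values are assumptions.
"""
import re
from typing import Dict, Iterable, List


def like_to_regex(pattern: str) -> "re.Pattern":
    """Translate a '%' wildcard pattern into an anchored regex.

    Everything except '%' is escaped, so '10.0.15.%' matches only addresses
    in that range and not '10x0y15z1'. Matching is case-insensitive.
    """
    parts = [re.escape(p) for p in pattern.split("%")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def matches(record: Dict[str, object], criteria: Dict[str, object]) -> bool:
    """True when every filled-in criterion matches the record.

    Integer criteria (ports, severity) are compared as numbers; string
    criteria accept '%'. An empty criterion (None or '') is ignored, like an
    unfilled form field. A record that lacks the field does not match.
    """
    for key, wanted in criteria.items():
        if wanted is None or wanted == "":
            continue
        value = record.get(key)
        if value is None:
            return False
        if isinstance(wanted, int):
            if int(value) != wanted:
                return False
        elif not like_to_regex(str(wanted)).match(str(value)):
            return False
    return True


def search(records: Iterable[Dict[str, object]], **criteria) -> List[Dict[str, object]]:
    """Return the records matching all given criteria, in their original order."""
    return [r for r in records if matches(r, criteria)]


# Constructed sample rows (not real IDS data); severity values are assumed.
SAMPLE = [
    {"src_ip": "192.0.2.10", "src_port": 3189, "dst_ip": "10.0.15.20", "dst_port": 445,
     "severity": 1, "filename": "x.exe"},
    {"src_ip": "198.51.100.5", "src_port": 1025, "dst_ip": "10.0.15.21", "dst_port": 135,
     "severity": 0, "filename": None},          # no malware offered, so no filename
    {"src_ip": "192.0.2.77", "src_port": 4444, "dst_ip": "10.0.15.20", "dst_port": 445,
     "severity": 2, "filename": "update.exe.txt"},   # contains but does not end in .exe
    {"src_ip": "203.0.113.9", "src_port": 2048, "dst_ip": "10.0.15.22", "dst_port": 139,
     "severity": 3, "filename": "SVCHOST.EXE"},       # upper case, still matched
]

if __name__ == "__main__":
    for row in search(SAMPLE, filename="%.exe", dst_port=445):
        print(row["src_ip"], row["filename"])
```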
as a PDF.
as a search template. In this case, the result is saved and can be viewed
under ‘My reports’ (see section 5.8). Enter a template title and the time
span to be saved with the result. Select Don’t save time span info, to
use the time span which is selected at the moment you view the search
result under ‘My reports’.
Other actions
Clear and change the search criteria in the ‘Criteria’ box.
Click in the ‘Severity’ column to see details of the attack. For detail
examples, see page 35.
Click on the source IP address for a whois query (RIPE, ARIN, APNIC,
LACNIC, AFRINIC or KRNIC).
Click in the ‘Additional info’ column for more information on the attack.
MALICIOUS ATTACK - ARGOS
Argos has logged this attack under ID 1550 111091. The attack was related to
process number 212, and module services.exe. The operating system of the
Argos image was Windows 2000, and the image name was win2k.img.
The TCP and UDP ports that were open during the attack are also shown.
More information is stored on the Argos server and can be requested via
ids-beheer@surfnet.nl. Do not forget to mention the Argos ID and time stamp of
the attack.
MALICIOUS ATTACK - NEPENTHES
This window shows the dialogue Nepenthes used, i.e. the vulnerability
emulation code with which Nepenthes detected the attack. In this case it was
the DCOM dialogue, which indicates that this malicious attack was a DCOM
attack.
You can also see the shellcode handler that was used.
MALWARE OFFERED
This window shows the URL from which the malware is to be downloaded. In
this example, the malware is downloaded over the tftp protocol.
MALWARE DOWNLOADED
This window shows the download URL of the downloaded malware and the
MD5 hash of the malware. The link opens details of the downloaded malware.
7. CONFIGURATION
This chapter describes the tabs under the ‘Configuration’ menu item.
- SSH on: enables the management service on the sensor (only for
administrators).
- SSH off: disables the management service on the sensor (only for
administrators).
- Ignore: ignores the sensor; sensor does not appear in status reports.
Click on the sensor name or the label name to view sensor details (such as
IP addresses, MAC address on the server side, logging information).
Note: for (VLAN) static sensors, you must enter the IP address. This is
not done automatically. Note that the IP address you enter here
cannot be identical to the address you configured on the sensor.
7.2 ARP
You can configure the ARP poisoning module, for each sensor separately. This
module checks for ARP poisoning attacks (see section 2.4 for more
information).
Select a sensor. The MAC addresses that are being monitored for ARP
poisoning, are displayed:
Enable/disable
In the ‘Actions’ box you can enable or disable the ARP poisoning module .
3. Select ‘DHCP server’ if the MAC address must be monitored by the Rogue
DHCP server module, which checks for DHCP servers that are not
controlled by the network owner but by an attacker (see section 2.4 for
more information).
In the ‘Action’ box, you can now edit or delete the entry.
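The static list configured here, together with the per-sensor ARP cache of section 6.5, is what the two modules compare observations against: an ARP reply that claims a monitored IP address with a MAC other than the listed one is ARP poisoning, and a DHCP offer from a MAC that is not flagged as ‘DHCP server’ comes from a rogue server. The Python below is an added example, not SURFids code, that models both checks in one small monitor; the class and field names, the alert wording (modelled on the report examples in section 5.8) and the observations are constructed assumptions, not the product's real implementation.

```python
"""ARP-poisoning and rogue-DHCP checks against a per-sensor static list.

Added example, not SURFids code. The static list models the manual's
Configuration > ARP list: each entry is a MAC address, the IP address it
is expected to hold, and whether that MAC is an authorised DHCP server.
Observations, field names and alert wording are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def norm_mac(mac: str) -> str:
    """Normalise 'AA-BB-CC-DD-EE-FF' / 'aa:bb:...' to one canonical form."""
    return mac.replace("-", ":").lower()


@dataclass
class StaticEntry:
    mac: str
    ip: str
    dhcp_server: bool = False     # the 'DHCP server' checkbox of section 7.2


@dataclass
class ArpMonitor:
    sensor: str
    static: List[StaticEntry]
    enabled: bool = True          # 'Enable/disable' in the Actions box
    cache: Dict[str, str] = field(default_factory=dict)   # IP -> last MAC seen (section 6.5)

    def _expected_mac(self, ip: str) -> Optional[str]:
        for entry in self.static:
            if entry.ip == ip:
                return norm_mac(entry.mac)
        return None

    def observe_arp(self, ip: str, mac: str) -> Optional[str]:
        """Record an ARP reply 'ip is-at mac'; return an alert line or None.

        Only IP addresses present in the static list are checked; other
        bindings are cached but never alerted on, as the manual describes.
        """
        mac = norm_mac(mac)
        self.cache[ip] = mac
        if not self.enabled:
            return None
        expected = self._expected_mac(ip)
        if expected is not None and mac != expected:
            # Attacking MAC and attacked IP, as in the manual's ARP alert mail.
            return f"ARP Poisoning attack detected on {self.sensor}! {ip} ({mac})!"
        return None

    def observe_dhcp_offer(self, server_mac: str) -> Optional[str]:
        """A DHCPOFFER from a MAC that is not flagged as DHCP server is rogue."""
        server_mac = norm_mac(server_mac)
        allowed = {norm_mac(e.mac) for e in self.static if e.dhcp_server}
        if server_mac not in allowed:
            return f"Rogue DHCP server detected on {self.sensor}! ({server_mac})"
        return None

    def clear_cache(self) -> None:
        """'Clear ARP cache': forget the MAC/IP combinations reported so far."""
        self.cache.clear()


def run_sample() -> List[str]:
    """Constructed walkthrough: the gateway is monitored and is also the only
    legitimate DHCP server; one spoofed ARP reply and one rogue DHCPOFFER."""
    monitor = ArpMonitor(
        sensor="sensor11",
        static=[StaticEntry(mac="00:11:22:33:44:01", ip="10.0.15.1", dhcp_server=True)],
    )
    observations = [
        ("arp", "10.0.15.1", "00-11-22-33-44-01"),   # gateway answers with its own MAC
        ("arp", "10.0.15.7", "00:11:22:33:44:77"),   # unmonitored host, cached only
        ("arp", "10.0.15.1", "aa:bb:cc:dd:ee:ff"),   # another MAC claims the gateway IP
        ("dhcp", None, "00:11:22:33:44:01"),         # DHCPOFFER from the listed server
        ("dhcp", None, "de:ad:be:ef:00:01"),         # DHCPOFFER from an unlisted MAC
    ]
    alerts = []
    for kind, ip, mac in observations:
        alert = monitor.observe_arp(ip, mac) if kind == "arp" else monitor.observe_dhcp_offer(mac)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    print("\n".join(run_sample()))
```

The check deliberately ignores unmonitored addresses: monitoring every MAC on a busy LAN would alert on every DHCP lease change, which is why the manual recommends listing only crucial systems.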
7.3 IP Exclusions
IP addresses that you trust at all times can be excluded from IDS checks, for
example your port scan machine. In the event that a machine in your network
often appears to be generating possible malicious traffic, check this machine.
If it proves to send legitimate traffic, you can add this machine to the IP
exclusions.
7.4 Argos
In this window, you define these IP addresses. For example, you can redirect
to Argos the top 100 IP addresses that have sent possible malicious (but not
confirmed malicious) traffic to all sensors in your network during the last 24
hours.
Sensor redirects
To add a sensor from which traffic must be redirected to Argos :
2. In the ‘Image name’ column, choose the OS image Argos must use.
Normally you will use the image based on your own OS. If you choose an
older OS, which is more vulnerable to attacks, attacks are more likely to
succeed.
- top 100 of all your sensors: the top 100 IP addresses that have sent
possible malicious traffic to all sensors in your network, but could not
be identified as ‘malicious’ by Nepenthes.
- top 100 of all sensors: the top 100 IP addresses that have sent
possible malicious traffic to all sensors in the SURFids network, but
could not be identified as ‘malicious’ by Nepenthes.
- top 100 sensor: the top 100 IP addresses that have sent possible
malicious traffic to this sensor, but could not be identified as
‘malicious’ by Nepenthes.
4. In the ‘Timespan’ column, choose the time span to narrow down the set of
IP addresses that are redirected to Argos.
5. Click on Add.
After setting a sensor redirect for the first time, it can take up to 1
hour before the redirect is effective.
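The three ‘top 100’ options differ only in which sensors' records are counted; in each case a source is ranked by its possible malicious connections and dropped as soon as Nepenthes has classified any of its traffic as malicious, since such a source needs no second opinion from Argos. The Python below is an added example, not SURFids code, that models that selection and also honours the trusted addresses of section 7.3 (IP Exclusions) so that, for instance, your own port scanner is never redirected. The record fields, the severity encoding, the sensor ownership and the sample traffic are constructed assumptions.

```python
"""Picking Argos redirect candidates from possible-malicious sources.

Added example, not SURFids code. It models section 7.4's "top 100" options:
rank the source addresses that sent possible malicious traffic within the
timespan, drop any source that Nepenthes also classified as malicious in
the same scope, and honour the IP exclusions of section 7.3. Severity
values, record fields, sensor ownership and the sample traffic are
assumptions constructed for this example.
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional

# Assumed severity encoding for this example (not the product's real values).
POSSIBLE_MALICIOUS = 0
MALICIOUS = 1


def argos_candidates(
    records: Iterable[Dict[str, object]],
    scope: str,                               # "sensor", "own" or "all", as in the Argos menu
    now: datetime,
    timespan: timedelta,
    own_sensors: FrozenSet[str],
    sensor: Optional[str] = None,             # required for scope == "sensor"
    excluded: FrozenSet[str] = frozenset(),   # trusted IPs from IP Exclusions (7.3)
    top: int = 100,
) -> List[str]:
    """Return up to `top` source IPs, busiest first, ties broken by address."""
    since = now - timespan
    hits: Counter = Counter()
    confirmed = set()
    for r in records:
        if not since <= r["time"] <= now:
            continue                          # outside the chosen timespan
        if scope == "sensor" and r["sensor"] != sensor:
            continue
        if scope == "own" and r["sensor"] not in own_sensors:
            continue
        if r["severity"] >= MALICIOUS:
            confirmed.add(r["src_ip"])        # Nepenthes already identified this source
        elif r["severity"] == POSSIBLE_MALICIOUS:
            hits[r["src_ip"]] += 1
    ranked = sorted(
        ((ip, n) for ip, n in hits.items() if ip not in confirmed and ip not in excluded),
        key=lambda item: (-item[1], item[0]),
    )
    return [ip for ip, _ in ranked[:top]]


NOW = datetime(2007, 12, 12, 0, 0, 0)          # constructed reference time
OWN_SENSORS = frozenset({"sensor1", "sensor2"})  # assumed: the sensors in your domain


def _rec(ip: str, sensor: str, severity: int, hours_ago: float, count: int = 1):
    """Build `count` constructed records from one source, `hours_ago` before NOW."""
    return [{"src_ip": ip, "sensor": sensor, "severity": severity,
             "time": NOW - timedelta(hours=hours_ago)} for _ in range(count)]


SAMPLE = (
    _rec("192.0.2.10", "sensor1", POSSIBLE_MALICIOUS, 2, count=5)
    + _rec("198.51.100.5", "sensor1", POSSIBLE_MALICIOUS, 3, count=2)
    + _rec("198.51.100.5", "sensor1", MALICIOUS, 1)                    # later confirmed malicious
    + _rec("203.0.113.9", "sensor2", POSSIBLE_MALICIOUS, 5, count=3)
    + _rec("192.0.2.77", "sensor9", POSSIBLE_MALICIOUS, 4, count=8)    # somebody else's sensor
    + _rec("203.0.113.50", "sensor1", POSSIBLE_MALICIOUS, 30, count=4) # older than 24 hours
    + _rec("10.0.15.99", "sensor1", POSSIBLE_MALICIOUS, 1, count=6)    # our own port scanner
)

if __name__ == "__main__":
    day = timedelta(hours=24)
    trusted = frozenset({"10.0.15.99"})
    print(argos_candidates(SAMPLE, "sensor", NOW, day, OWN_SENSORS, sensor="sensor1", excluded=trusted))
    print(argos_candidates(SAMPLE, "own", NOW, day, OWN_SENSORS, excluded=trusted))
    print(argos_candidates(SAMPLE, "all", NOW, day, OWN_SENSORS, excluded=trusted))
```

Without the exclusion set the busiest ‘possible malicious’ source on sensor1 is the port scanner itself, which is exactly the case section 7.3 tells you to fix by adding the machine to the IP exclusions rather than letting it consume an Argos redirect.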
Other actions:
Redirect to ranges
You can also redirect specific IP ranges to an Argos image in the ‘Sensor
redirects’ list:
2. Click on Add.
After setting an IP range redirect for the first time, it can take up to 5
minutes before the redirect is effective.
You can configure the operating system images that run on the Argos server.
To add an image:
Enter a name for the new image. This name will appear in the ‘Argos’
menu under the ‘Image name’ column.
Enter the image name, i.e. the file name of the image on the Argos
server.
Enter the MAC address of the image (normally, you can leave this field
empty as it is filled with a random MAC address).
delete images.
This window gives information on how the logging server is configured and
which versions of the virus scanners are used .
means ‘on’
means ‘off’.
8. ADMINISTRATION
8.1 My Account
Fig. 44 My account
Enter the fields that you want to change for your account and click on Update
to confirm.
The ‘Email signing’ and the ‘Access’ fields are explained below:
EMAIL SIGNING
E-mails from SURFids to you can be signed with a GPG key, so that you can
verify that the e-mail was actually sent by SURFnet.
ACCESS: SENSOR
0 – Read only access: you can only view sensor information.
1 – Remote control access: you can give commands to the sensor (e.g. to
reboot or change the sensor name).
2 – ARP & ARGOS access: you can configure Argos and the ARP poisoning
module.
ACCESS: USER ADMIN
0 – No access: you cannot change accounts (not even your own).
8.2 Users
Fig. 45 Users
You can manage users in this domain if you have domain account rights.
Add user
1. Click on Add user.
Modify user
1. Click on [Modify] to edit a user.
Other actions
Click on [Delete] to delete a user.
Fig. 46 Domains
Insert domain
You can insert a new domain, e.g. when a sensor has been moved.
Edit domain
1. Click on [Edit].
You can:
Add IP ranges to the domain, if this was not done automatically. These IP
ranges will be treated as your own. (see ‘Cross domain’, section 5.2)
Set identifiers. Identifiers identify sensors and group them in the same
domain. These identifiers are added automatically.
Enter an identifier name and choose from the following identifier types:
- whois netname: is most commonly used. Sensors coming from this net
range will all be identified as the same domain, e.g. ‘SURFNET’.
- SOAP identifier (if enabled): uses a SOAP server to extract a name for
the domain. This SOAP feature is SURFnet specific.
GLOSSARY
Rogue DHCP server A DHCP server which is not controlled by the network
owner. A rogue DHCP server can be a network device
(e.g. a router) unintentionally connected to the
network by a user, but it can also be used for
network attacks.