Project ITS (IDS/IPS Setup) 10

Group:
Simon Arndal, David Herreborg and Georgi Petrov

Status 12/11-2010

Today it has been a bumpy ride through one dead end after the other. We tried to get php running on the tomcat 5.5 web server and changed, moved and inserted directory and files, modified any little possible thing. Uninstalled and re-installed again to get it working. Unfortunately we had to come up with an alternative solution in the end. The last and final presentation/demonstration will be delivered today with a system working in many ways. Maybe not all together but separate parts of it will work individually.

F Secure is antivirus software which has been installed on tomcat 5.5 machine. The reason why we chose this specific approach is because of the troubles we encountered with snort and its rules. Actually this piece of software is very aggressive and able to detect the exploit very fast and block it. Therefore this is a alternative to the complex snort, which we not so far has been able to find any rule which can actually prevent the exploit.   

Timeline (PROGRESS):

Done so far:

--> 27/10-2010 <--

- Hardware requirements fullfilled (except one missing NIC)

- Software required installed (open source programs used)

- pfSense installed (Router/firewall software)

- Apache and MySQL are up and running (Webserver and Database)

- phpMyAdmin installed and works (Graphical User Interface for the MySQL database)

- HSLAB HTTP Monitor Lite installed (Apache monitoring software)

- Set up HSLAB HTTP Monitor Lite.

- Done research about snort + snort together with pfSense.

- Presentation of work so far and basic idea. --> kl. 09:56

--> 28/10-2010 <--
- Network interface card has been inserted to the pfSense PC.
- Presentation of the progress and the setup of "Caps WebDesign" --> kl. 12:23

- Find another solution for monitoring the Apache server traffic internally (Simon)

- Make the Apache and MySQL more reliable (Simon)

- Add a Network Interface Card to the pfSense machine (David)

- Install snort package for pfSense (Georgi)

- Setup Weblog Expert Lite (Software that replaces the HSLAB) and it is working.

--> 01/11-2010 <--

- Add rules to the snort IPS system (Common task)

- Decide on whether pfSense is the right system for us to use (Common task)

- We have chosen to move on with pfSense and Snort together.

- Get snort to work probberaly

-->02/11-2010<--
- Tested where the snort was placed in the setup. (before the firewall)
- Figured out how the blocked function operates (update time)
- Proved that the setup is now reliable

-->03/11-2010<--
- Demonstration of the progress 09:05
- Search for common server vulnerbilities
- Search for metasploits
- Find interesting metaspoilts

-->05/11-2010<--
- Installed the Apache Tomcat web server version 5.5
- Find out what is metasploit

- Found a metasploit and tested with succes

- Demonstration was performed using the metasploit

-->08/11-2010<--
- Become more familiar with the exploits and cary out more tests.
- Agree of a concept we want to use realted to the intruders social engineering part

-->10/11-2010<--
- Encountered troubles with snort and its rules setup
         - Decided on a alternative prevention technique involving the software FSecure
- Installed FSecure software on Apache Tomcat Machine
- Did capturing of the different stages of the system
- Decided on the social engineering concept

         - Set up a internal mail server

         - Tested mail server with a PHP trick script containing a mail formular

-->12/11-2010<--
- Went through a shit load of toturials and tried to get php running on the tomcat webserver.
- Installed F secure on the tomcat machine
- Prepared demonstration
- adjusted the "CapDesign" concept

- Try different methods of using the Apache Tomcat exploit (eg. retrieve data)

- Prepare the final demonstration (The Director's Cut)

Demonstration:

- The 12th of November 2010

- Final result of the project. A guided journey through our well-done project containing both good and bad stories.