Shadow Virtual Intrusion Detection System (SVIDS) version 1.5.4
SVIDS lets an organization of any size quickly and easily deploy a large-scale intrusion detection system
Features
Collegiate:
No
One-line Description:
SVIDS lets an organization of any size quickly and easily deploy a large-scale intrusion detection system
Filename:
Shadow.zip
Size Compressed:
212 MB
Allocated Memory:
256
Username:
root
Password:
P@ssw0rd
VMware Tools Installed?:
No
Operating System:
Version 5.4 of the Slackware Linux distribution
Torrent?:
No
Applications:
Snort 2.4.4
Webmin 1.270
BarnYard 0.2.0
Sguil 0.6.1
OpenSSH 4.3p1
Description:
Shadow Virtual Intrusion Detection System (SVIDS) version 1.5.4
-Brad Causey
1. The Shadow Virtual IDS (SVIDS, pronounced “ess-vids”) is a virtualized port of Guy Bruneau’s Shadow Sensor (http://www.whitehats.ca/main/members/Seeker/seeker_shadow_IDS/seeker_sha...).
Originally developed by Guy to provide enterprises with an open source solution for monitoring their networks, SVIDS provides a hardware-independent NIDS that can be easily deployed in a large, distributed environment. SVIDS is built on Version 5.4 of the Slackware Linux distribution and uses Snort, BarnYard, and Sguil. All original documentation is owned and maintained by Guy Bruneau of whitehats.ca. (The original documentation can be found in the “Shadow\Client&Docs\Orig” directory.)
This document will address the need for a Virtualized IDS in an organization.
When a company is selecting an IDS, cost is a significant factor in the decision. The total cost of ownership (TCO) must be considered to accurately determine the budgetary effect of purchasing and maintaining an IDS, and TCO can be minimized by deploying a virtual IDS solution. Because each Shadow IDS sensor is self-contained, there is no need for a centralized database. By virtualizing the sensor, the need for expensive, specialized hardware is also eliminated. Updates can be delivered by a simple secure file copy or by a complete redeployment of the IDS virtual machine, and the Snort definition files can be updated through the built-in oinkmaster script or downloaded to a central IDS image and redeployed.
Because SVIDS can be monitored from a client that is operating-system independent, it can be deployed and managed throughout any organization. SVIDS is managed through a web interface using Webmin, so any system with a browser that supports SSL can act as a centralized management control station. As required of any IDS, SVIDS is a securely built platform designed to be invisible on the network. Allowing only SSH, SSL, and TLS over TCL, SVIDS is secure enough to deploy in the most exposed internet or DMZ environment.
By deploying basic, inexpensive hardware, you can rapidly roll out SVIDS across an environment of any size. Once in place, simply modify the startup script to match the local network and span a switch port. At this point SVIDS is up and running, reporting on intrusion attempts and malicious code in real time as they pass across your network.
Ultimately, SVIDS affords an organization of any size the ability to quickly and easily deploy a large-scale intrusion detection system at a very reasonable cost. With remote management, customization features and update capabilities, SVIDS gives anyone an IDS that rises to the challenge of protecting today’s sensitive data.
2. Installation summary and details can be found in: Shadow\Client&Docs\orig\INSTALL.PDF
3. Quick Start Instructions:
Extract all files from the Shadow.zip archive.
Double click on the ShadowShadowVMother26xlinux.vmx file to open the Virtual Machine.
Click the “Start this virtual machine” button.
Accept any messages provided by the VMware software you are using.
Once the machine has booted and is sitting at a login prompt, it is already actively capturing traffic from the host machine's local network.
The management interface (eth0) is configured for the 10.10.128 network with a subnet mask of 255.255.255.0.
Log into SVIDS as root with the password P@ssw0rd.
Edit the startup script as follows:
Type vi /etc/rc.d/rc.local (Enter)
Replace every occurrence of 10.10.128.1 with the desired IP address (to edit, press the Insert key on the keyboard and use the arrow keys to navigate)
Save and exit vi (press the Esc key and type “:wq” without the quotes)
Type reboot (Enter)
When SVIDS completes the reboot, it will be collecting packets from the local network and will be available for management via the management interface.
For SVIDS to capture all network traffic on the local broadcast domain (subnet), you must install it on a host machine whose physical cable is plugged into a switch port that is configured as a SPAN (mirror) port. This sends all traffic for the spanned ports to SVIDS. Alternatively, you can use SVIDS to protect a virtual network such as the one provided by most VMware products.
Access the Webmin system management interface by typing “https://<management interface IP>:10000” without the quotes.
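The rc.local edit from the quick start above, done as a script instead of by hand in vi. This is an added example, not a script shipped with SVIDS; it assumes the factory management address is 10.10.128.1 as stated above, and the rc.local it writes for testing is a constructed stand-in, not the appliance's real file.

```shell
#!/bin/sh
# Added example: re-point the SVIDS management address without hand-editing
# /etc/rc.d/rc.local in vi. Assumes the factory address is 10.10.128.1 (as the
# quick start says); the file written by make_sample_rc_local is constructed.

DEFAULT_IP="10.10.128.1"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    set -- $(printf '%s' "$1" | tr '.' ' ')
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Count whole-address occurrences of IP $2 in file $1, so 10.10.128.10 is not
# mistaken for 10.10.128.1. Dots are escaped to keep them literal in the regex.
count_ip() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eo "$pat([^0-9]|\$)" "$1" | wc -l | tr -d ' '
}

# Replace every whole occurrence of DEFAULT_IP in $1 with $2, keeping $1.bak.
# Refuses a malformed address or a file without the default, and fails if any
# default address survives the rewrite.
set_mgmt_ip() {
    file=$1; new_ip=$2
    valid_ipv4 "$new_ip" || { echo "invalid IPv4 address: $new_ip" >&2; return 1; }
    [ "$(count_ip "$file" "$DEFAULT_IP")" -gt 0 ] ||
        { echo "$DEFAULT_IP not found in $file" >&2; return 1; }
    cp "$file" "$file.bak"
    pat=$(printf '%s' "$DEFAULT_IP" | sed 's/\./\\./g')
    sed -E "s/$pat([^0-9]|\$)/$new_ip\\1/g" "$file.bak" > "$file"
    [ "$(count_ip "$file" "$DEFAULT_IP")" -eq 0 ]
}

# Constructed stand-in for the address lines of the appliance's rc.local.
make_sample_rc_local() {
    cat > "$1" <<'EOF'
ifconfig eth0 10.10.128.1 netmask 255.255.255.0 up
route add default gw 10.10.128.254
echo "SVIDS management interface: 10.10.128.1"
# unrelated host that must stay untouched: 10.10.128.10
EOF
}

# Usage on the sensor: sh this_script.sh /etc/rc.d/rc.local <new management IP>
if [ $# -eq 2 ]; then set_mgmt_ip "$1" "$2"; fi
```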
To set up the SVIDS monitoring client on a Windows machine, perform the following:
Install the Sguil client:
Unpack “Client&Docs\sguil-client-0.6.1.tar.gz” in “C:\sguil-0.6.1”
Install Windows ActiveTcl:
Install “Client&Docs\ActiveTcl8.4.13.0.261555-win32-ix86-threaded.exe” at “c:\tcl”
Install the Windows TLS libraries:
Unpack “Client&Docs\tls1.5.0-win32.zip” in “C:\tcl\lib”
Install Ethereal for Windows:
Install “Client&Docs\ethereal-setup-0.99.0.exe” at “C:\Ethereal”
Install Firefox for Windows:
Install “Client&Docs\Firefox Setup 1.5.0.3.exe” at “C:\Firefox”
Modifications to the sguil.conf file in c:\sguil-0.6.1\client\sguil.conf (modified from Guy Bruneau’s original client install document, included in Client&Docs\orig\SGUIL.PDF):
# Change SERVERHOST to the correct IP or servername
set SERVERHOST 192.168.30.4
# Set up OpenSSL here (read ./doc/OPENSSL.README)
# 0=off 1=on
set OPENSSL 1
# win32 example
set ETHEREAL_PATH "c:/ethereal/ethereal.exe"
# win32 example (IE): uncomment this line and comment out the Firefox line to use IE instead
# set BROWSER_PATH "c:/progra~1/intern~1/iexplore.exe"
# win32 example (Firefox)
set BROWSER_PATH "c:/firefox/firefox.exe"
# Display a GMT clock in the upper righthand corner
# 1=on 0=off
set GMTCLOCK 1
# Mailserver to use for emailing alerts
set MAILSERVER mail.example.com
# Default From: address for emailing
set EMAIL_FROM foo@example.com
Note: The TLS libraries are used to encrypt the session between the Windows client and the database server.
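A quick lint for the edited sguil.conf before launching the client, written as an added example rather than anything from the Sguil or SVIDS packages. It parses the Tcl “set KEY value” lines shown above and flags the two mistakes that matter most: OPENSSL left at 0, which drops the TLS protection the note above describes, and a malformed line such as two browser paths joined with “or”. The sample files it writes are constructed.

```shell
#!/bin/sh
# Added example: lint a sguil.conf before starting sguil.tk. Only the key/value
# shape shown on the page is assumed ("set KEY value", value optionally quoted);
# the sample files written by make_good_conf/make_bad_conf are constructed.

# Print the value of "set KEY value" for KEY=$2 in file $1, quotes stripped.
conf_get() {
    awk -v key="$2" '$1 == "set" && $2 == key {
        $1 = ""; $2 = ""; sub(/^ +/, ""); gsub(/^"|"$/, ""); print; exit }' "$1"
}

# Return 0 if $1 passes every check; each finding is printed on its own line.
check_sguil_conf() {
    f=$1; rc=0
    # A "set" line carries exactly one value: a single word or one quoted string.
    bad=$(awk '$1 == "set" && NF != 3 && !($3 ~ /^"/ && $NF ~ /"$/) { print NR ": " $0 }' "$f")
    [ -z "$bad" ] || { echo "malformed set line(s), Tcl would reject them:"; echo "$bad"; rc=1; }
    [ "$(conf_get "$f" OPENSSL)" = 1 ] ||
        { echo "OPENSSL is not 1: the session to the sensor would not be TLS-protected"; rc=1; }
    [ -n "$(conf_get "$f" SERVERHOST)" ] || { echo "SERVERHOST is not set"; rc=1; }
    return $rc
}

# Constructed sample: the corrected client settings.
make_good_conf() {
    cat > "$1" <<'EOF'
set SERVERHOST 192.168.30.4
set OPENSSL 1
set ETHEREAL_PATH "c:/ethereal/ethereal.exe"
set BROWSER_PATH "c:/firefox/firefox.exe"
set GMTCLOCK 1
EOF
}

# Constructed sample: TLS switched off and both browser paths left on one line.
make_bad_conf() {
    cat > "$1" <<'EOF'
set SERVERHOST 192.168.30.4
set OPENSSL 0
set BROWSER_PATH c:/progra~1/intern~1/iexplore.exe or
EOF
}

# Usage: sh this_script.sh c:/sguil-0.6.1/client/sguil.conf
if [ $# -eq 1 ]; then check_sguil_conf "$1"; fi
```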
Client access to the database (modified from Guy Bruneau’s original client install document, included in Client&Docs\orig\SGUIL.PDF)
The client can now access the database by running sguil.tk. However, sguil.tk must be associated with the “wish” application (the Tcl/Tk shell installed with ActiveTcl) before it will start.
c:\sguil-0.6.1\client\sguil.tk
Double-click the c:\sguil-0.6.1\client\sguil.tk file and type the IP address of the management interface. Leave the port at its default. Use the following credentials to log in:
Username: ids
Password: P@ssw0rd
4. Licensing information can be found at http://www.whitehats.ca/main/members/Seeker/seeker_shadow_IDS/seeker_sha...
Technical Specifications
Operating System:
Version 5.4 of the Slackware Linux distribution
VMware Tools installed: No
Size: 212MB
Allocated Memory (RAM): 256
Applications Installed:
Snort 2.4.4
Webmin 1.270
BarnYard 0.2.0
Sguil 0.6.1
OpenSSH 4.3p1