SuStorID is an advanced Intrusion Detection System (IDS) for web services, based on machine learning. Its name comes from the term “Su Stori”, which in the Sardinian language means “The Falcon”. This version is experimental, but demonstrates a number of interesting features that can readily be used to detect and act against web attacks:
Last, but not least, SuStorID is free software, released under the GNU General Public License version 3!
Author: Igino Corona, Pattern Recognition and Applications Group, Dept. of Electrical and Electronic Engineering, University of Cagliari, Italy.
Download and extract SuStorID’s source code from the official repository.
# Build a 50-character random key from letters, digits and punctuation
from random import choice
''.join([choice('abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)') for i in range(50)])
Paste the result as the value of SECRET_KEY in settings.py (the initial value is empty).
Inside the main directory of the project, type
$ python manage.py syncdb
This will create all tables needed by SuStorID. Specify a username and a password for administration: these credentials will be necessary to manage SuStorID and visualize detection results. By default, SuStorID uses the SQLite database; however, you may use any database supported by Django to improve performance, or employ a client-server database infrastructure (e.g. through Postgres).
$ python manage.py runserver
This will run the default Django server on the loopback interface (IP 127.0.0.1 and TCP port 8000). As with any Django application, settings can be modified in settings.py. You may also switch to any web server supported by Django (e.g. Apache) to increase reliability and performance.
Currently SuStorID employs the Hidden Markov Model implementation by Alexandre Fayolle, Logilab, Paris, France. To speed up the training process, it is recommended to build the related C extensions. SuStorID comes with shared libraries built from the C extensions on Ubuntu 10.04 (32-bit Intel processor). If you are using another OS or processor, rebuild the C extensions:
$ sudo apt-get install python-dev
$ python setup.py config
$ python setup.py build
If necessary, install the missing Fortran/C compilers and headers (e.g. on Ubuntu this can be done by means of Synaptic).
Copy all dynamic libraries inside SuStorID/base/raw_models/hmm/
SuStorID may be easily coupled with modsecurity for:
NOTE: This guide assumes Ubuntu OS 10.04 (some steps may be valid, some other may change depending on the OS).
Download modsecurity for SuStorID source code from the official repository.
Install the required packages to build this code:
$ sudo apt-get install libc6-dev libc6 apache2 apache2-threaded-dev libxml2 libxml2-dev gcc libpcre3-dev
This command will highlight any other missing dependency: fix it by installing the related headers/libraries.
Get into the Apache2 folder, and type
$ make
$ sudo make install
If you don’t encounter errors, the dynamic loadable library /usr/lib/apache2/modules/mod_security2.so should be installed. It is also necessary to load Apache's mod_unique_id module, so we create a symbolic link inside the mods-enabled folder:
$ sudo ln -s /etc/apache2/mods-available/unique_id.load /etc/apache2/mods-enabled/
Inside the sustorid_config directory of this project, type
$ sudo cp security2.load /etc/apache2/mods-available/
$ sudo ln -s /etc/apache2/mods-available/security2.load /etc/apache2/mods-enabled/
$ sudo mkdir /etc/apache2/modsecurity_conf
$ sudo cp modsecurity_conf/mod_security.conf /etc/apache2/modsecurity_conf/
Make sure that the Apache2 user (e.g. www-data) can read these files (check their access permissions).
This tells Apache to load the SuStorID configuration /etc/apache2/modsecurity_conf/mod_security.conf. Read the Configuration of modsecurity for SuStorID section to correctly configure modsecurity for SuStorID. The default configuration enables the logging module only, that is, without active Intrusion Detection/Protection: the IDS has not been trained yet and needs some training data.
$ sudo /etc/init.d/apache2 restart
As soon as Apache restarts, modsecurity for SuStorID will be active.
modsecurity for SuStorID comes with three additional options (in addition to the standard modsecurity options):
- IDServer: the IP address and TCP port (space-separated) on which SuStorID is listening.
- IntrusionDetection: set to On to enable Intrusion Detection by SuStorID (in conjunction with modsecurity rules). Note that this only works if SecRuleEngine is On, because that setting tells modsecurity to actively counteract detected threats.
- PostRequests: set to On to enable request forwarding, that is, to automatically send requests and responses to SuStorID (necessary to collect sample requests for learning).
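A check worth running before restarting Apache, written here as an added example (not SuStorID's or modsecurity's own code): a small linter for the three directives above. It assumes they are written one per line as IDServer <ip> <port>, IntrusionDetection On|Off and PostRequests On|Off, which is an assumption drawn from the option descriptions, not a documented file format; the sample fragments are constructed.

```python
import re
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_directives(text):
    """Map lower-cased directive name -> argument list (last occurrence wins); skips '#' comment lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        conf[name.lower()] = rest.split()
    return conf

def lint_sustorid_conf(text):
    """Return a list of problems; an empty list means the fragment is consistent."""
    conf = parse_directives(text)
    problems = []
    engine = conf.get("secruleengine", ["Off"])[0].lower()
    ids = conf.get("intrusiondetection", ["Off"])[0].lower()
    post = conf.get("postrequests", ["Off"])[0].lower()
    server = conf.get("idserver")
    if server is None or len(server) != 2:
        problems.append("IDServer must give exactly an IP address and a TCP port")
    else:
        ip, port = server
        if not IPV4.match(ip) or max(int(o) for o in ip.split(".")) > 255:
            problems.append("IDServer: %r is not a valid IPv4 address" % ip)
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append("IDServer: %r is not a valid TCP port" % port)
    if ids == "on" and engine != "on":  # detection only acts when the rule engine is On
        problems.append("IntrusionDetection On has no effect unless SecRuleEngine On")
    if ids == "off" and post == "off":  # neither learning nor detecting: SuStorID is idle
        problems.append("PostRequests and IntrusionDetection are both Off: "
                        "SuStorID sees no traffic, so it can neither learn nor detect")
    return problems

# Constructed sample fragments (assumed syntax, not the project's shipped file).
TRAINING_CONF = """
SecRuleEngine DetectionOnly
IDServer 127.0.0.1 8000
PostRequests On
IntrusionDetection Off
"""
BROKEN_CONF = """
SecRuleEngine DetectionOnly
IDServer 127.0.0.1 80000
PostRequests Off
IntrusionDetection On
"""
```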
That’s it. Enjoy!
Have you run into a problem? Did you find a bug? Would you like to send suggestions? Send me an email.
Are you a researcher working on web security? Feel free to contact me by mail at igino <dot> corona <at> diee.unica.it to join the SuStorID development team. There are a number of improvements and additional features that we plan to develop in the future, towards a safer World Wide Web.
This project has been supported by a grant from Regione Autonoma della Sardegna awarded to Igino Corona, PO Sardegna FSE 2007-2013, L.R.7/2007 “Promotion of the scientific research and technological innovation in Sardinia”.