Intelligent adware blocker symantec

Post on 19-May-2015


Final Pune university's B.E project presentation

transcript

Intelligent Adware Blocker

By: Sonal Kamble (B 3208528), Chaitali Magdum (B 3208537), Aditi Pantoji (B 3208546), Prajakta Pednekar (B 3208550)

Sponsored by : Symantec Corporation

External Guide: Mr. Vikram Saurabh; Internal Guide: Mr. Harshad Wadkar

04/12/23 Intelligent Adware Blocker 1


Project Problem Statement: To develop the Intelligent Adware Blocker

Project Problem Statement Description:

• The pop-up blocking application sits between client and server.

• It sniffs the traffic and applies policies before rendering it to the client; the client is not aware of this.

• The policies applied are based on predefined categories that the application reads from a database; user-defined policies can also be added.

• User-defined policies can depend on certain predefined keywords and regular expressions. Predefined categories are, for example, bank, pornography, social media etc.

Area/Domain: Internet Security

What is Adware?

• Adware or advertising-supported software is any software package which automatically plays, displays or downloads advertisements to a computer.

• Adware by itself is harmless; however, some adware may come with integrated spyware such as key loggers and other privacy-invasive software.


Need for an Adware Blocker Application

• The Adware Blocker application is used to block adware in the form of pop-ups and pop-unders, which we come across while accessing many websites.

• The pop-up and pop-under blockers that come with browsers like Internet Explorer and Mozilla block all categories of pop-ups and pop-unders.

• There can be various categories like sports, news, shares, banking etc., so these pop-up and pop-under blockers do not provide a facility for selecting which category of pop-up to allow and which to deny.

• Hence, to provide a facility for category selection, we require the Adware Blocker.


(Figure: request/response flow in three scenarios)

Ideal scenario: Client sends HTTP Request to Server; Server returns HTTP Response.

Actual scenario: Client sends HTTP Request to Server; Server returns HTTP Response + Adware.

Scenario in Project: Adware Blocker sits between Client and Server; it forwards the HTTP Request, receives HTTP Response + Adware from the Server, and returns only the HTTP Response to the Client.

Modes of Operation

• IDS mode: Squid proxy server and Snort

• IPS mode: Snort_inline

• Bypass mode


Packet Flow diagram IDS mode


Intelligent Adware Blocker IDS Mode


Packet Flow diagram IPS mode

Intelligent Adware Blocker IPS Mode


Squid Proxy Server

• Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects.

• Steps required to use Squid:

Download and install Squid

Configure Squid:

acl bad_pc src 172.16.32.48

acl good dstdomain .google.com

http_access allow good

http_access deny bad_pc

Restart the squid service

• Monitoring User Access: the access information gets stored in the access.log file.

Transparent Squid Proxy

• Modify Squid.conf: http_port 3128 transparent

• iptables -F

• iptables -t nat -F

# set this system as a router for the rest of the LAN

• iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

• iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN

• iptables -A INPUT -i eth0 -j ACCEPT

• iptables -A OUTPUT -o eth0 -j ACCEPT

# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT), aka transparent proxy

• iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j ACCEPT

# if it is the same system

• iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

Snort

• Snort is a signature-based intrusion detection system (IDS) that issues an alert when network traffic matches a signature in its rule set.

• Snort can be used as a packet sniffer to capture traffic from the network, as a packet logger to save packets to a file or database, or as an IDS.


Snort IDS mode

• IDS (Intrusion Detection System): An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.

• Modes of Snort IDS: Sniffer mode, Packet logger mode, NIDS mode

• Snort IDS rule generation: alert tcp any 80 -> any any (content:"uim"; msg:"uim popup"; sid:1001;)

• Command to run Snort in IDS mode: snort -dev -i eth0 -l /var/log/snort -c /etc/snort/rules/ids.rules

• Report Generation IDS mode


(Figure: report generated using DOM parser, ids.rules)


Snort IPS mode

• IPS (Intrusion Prevention System):

• The main functions of “intrusion prevention systems’’ are to identify malicious activity, log information about said activity, attempt to block/stop activity, and report activity.

• To make Snort work as an IPS it has to be configured in one of these 3 modes:

1. Flexible response

2. Snort_inline

3. SnortSam


Snort_inline dependency packages

1. libipq

2. iptables-dev

3. libpcreflex

4. bison 1.2.1

5. Libpcap 0.7.2

6. Pcre

7. libdnet

8. libnet

9. libnet filter-queue-dev

10. dnet


Topology Required For Snort_Inline (IPS)


Steps to implement snort_inline

• Implement Bridge.

• Installation of required packages for snort_inline.

• Install and configure snort_inline with MySQL facility.

• Apply iptables rules:

iptables -A INPUT -p icmp -j QUEUE

iptables -A FORWARD -p tcp --dport 80 -j QUEUE

• Write rule in local.rules (Rule Generation):

drop tcp any 80 -> any any (content:"google"; msg:"response from google"; sid:1001;)

• Apply snort_inline rule:

snort_inline -dev -c /etc/snort_inline/rules/ips.rules -Q -l /var/log/snort_inline

• Report Generation IPS mode
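The IDS rule on the Snort IDS slide and the IPS drop rule above differ only in their action keyword, and both are derived from the category policies described in the problem statement. As an added example (not the project's own code), this Python function turns policies of an assumed shape (category, keywords or a user regex, allow/deny) into one Snort rule per pattern, choosing alert for IDS mode and drop for IPS mode:

```python
import re

# Constructed sample policies: predefined categories as read from the
# project's database, plus one user-defined regex policy (assumed shape).
POLICIES = [
    {"category": "social media", "keywords": ["facebook.com", "twitter.com"], "action": "deny"},
    {"category": "bank", "keywords": ["hdfcbank.com"], "action": "allow"},
    {"category": "user", "regex": r"popup|pop-under", "action": "deny"},
]


def _escape_content(text):
    """Escape characters that are special inside a quoted Snort option value."""
    return text.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def generate_rules(policies, mode, first_sid=1000001):
    """Derive Snort rules for the selected mode from category policies.

    Plain Snort (IDS mode) can only alert; snort_inline (IPS mode) drops.
    'allow' policies produce no rule: the response reaches the client
    unchanged, as in the ideal scenario. Keywords become content matches,
    user regexes become pcre matches; sids are allocated sequentially.
    """
    action = {"IDS": "alert", "IPS": "drop"}[mode]
    rules = []
    sid = first_sid
    for pol in policies:
        if pol["action"] != "deny":
            continue
        if "regex" in pol:
            re.compile(pol["regex"])  # reject a bad user regex before it reaches Snort
            patterns = [pol["regex"]]
        else:
            patterns = pol.get("keywords", [])
        for pat in patterns:
            if "regex" in pol:
                match = 'pcre:"/%s/i"' % pat.replace("/", r"\/")
            else:
                match = 'content:"%s"; nocase' % _escape_content(pat)
            msg = _escape_content("%s %s" % (pol["category"], pat))
            rules.append('%s tcp any 80 -> any any (%s; msg:"%s"; sid:%d;)'
                         % (action, match, msg, sid))
            sid += 1
    return rules


if __name__ == "__main__":
    for mode in ("IDS", "IPS"):
        print("\n".join(generate_rules(POLICIES, mode)))
```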


(Figure: report generated using DOM parser, ips.rules)


Technologies used:

• JAVA (servlet) for the application controller

• JSP (Java Server Pages) and HTML for the frontend

• JavaScript (for form validations)

• Perl script (to store entries of Squid's access.log in a database table)

• Shell script (to start and stop the Snort, Snort_inline and Squid services, and to apply iptables rules according to the mode)

Operating System: Ubuntu 10.10
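The Perl script listed above loads Squid's access.log into a database table that the application's View Log page reads from, which is also what the Monitoring User Access step on the Squid slide refers to. As an added example (not the project's own code, and written in Python rather than Perl), this parses constructed lines in Squid's native access.log format into a SQLite table and runs one monitoring query over them:

```python
import sqlite3

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1305789000.123    285 172.16.32.48 TCP_MISS/200 1042 GET http://www.google.com/ - DIRECT/74.125.236.50 text/html
1305789001.456     12 172.16.32.48 TCP_DENIED/403 1200 GET http://ads.example.net/popup.js - NONE/- text/html
1305789002.789    300 172.16.32.50 TCP_HIT/200 5120 GET http://www.example.org/news - NONE/- text/html
"""


def parse_line(line):
    """Split one native-format access.log line into a dict; None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    code, _, status = fields[3].partition("/")
    try:
        return {"ts": float(fields[0]), "elapsed_ms": int(fields[1]),
                "client": fields[2], "code": code, "status": int(status),
                "bytes": int(fields[4]), "method": fields[5],
                "url": fields[6], "mime": fields[9]}
    except ValueError:
        return None


def open_db(path=":memory:"):
    """Open the database and create the access table used by the log page."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS access (
        ts REAL, elapsed_ms INTEGER, client TEXT, code TEXT, status INTEGER,
        bytes INTEGER, method TEXT, url TEXT, mime TEXT)""")
    return conn


def load_log(text, conn):
    """Insert every well-formed line of the log text; returns the row count."""
    rows = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    conn.executemany("INSERT INTO access VALUES (:ts, :elapsed_ms, :client, :code,"
                     " :status, :bytes, :method, :url, :mime)", rows)
    conn.commit()
    return len(rows)


def denied_by_client(conn):
    """Monitoring query: number of TCP_DENIED entries per client address."""
    cur = conn.execute("SELECT client, COUNT(*) FROM access "
                       "WHERE code = 'TCP_DENIED' GROUP BY client")
    return dict(cur.fetchall())


if __name__ == "__main__":
    db = open_db()
    print(load_log(SAMPLE_LOG, db), "rows loaded;", denied_by_client(db))
```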

Requirements for developing the system

• Hardware: Desktop PCs or laptops with Intel Pentium based x86 processor; Desktop PC with two NIC cards; Hard line/wired internet connection; Switch (to implement Snort_inline)

• Software: Snort (IDS) 2.8.52 with MySQL facility; Snort_inline and its dependency packages; Squid Proxy Server 2.7; MySQL_Server 5.1.49; MySQL_Client 5.1.49; Apache Tomcat 6.0.32 web server; gcc 4.4.5 and gdb 7.2 to compile and debug code; JDK 1.6; sed 4.2.1; Browser software (Mozilla Firefox, Chromium, Epiphany)


Requirements for using the system

• Hardware: Desktop PCs or laptops with Intel Pentium based x86 processor; Hard line/wired internet connection

• Software: Browser software (Mozilla Firefox, Chromium, Epiphany, Internet Explorer); Operating system for client machine (Linux or Windows); Operating system for server machine (Linux)


View Log: LogBook.xslx

http://cumminsit14symantec.blogspot.com


References

• Squid: The Definitive Guide, by Duane Wessels

• Snort: IDS and IPS Toolkit, by Jay Beale, Andrew R. Baker

• Snort Cookbook, by Angela Orebaugh, Simon Biles, Jacob Babbin

• Shell Scripting: Beginning Linux Programming, by Neil Matthew and Richard Stones

• Bridge Configuration: http://www.faqs.org/docs/Linux-HOWTO/Ethernet-Bridge-netfilter-HOWTO.html

• Iptables: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

• Snort_inline: http://openmaniak.com/snort_tutorial_snort.php#ancre-manual

• http://support.avaya.com/css/P8/documents/003915688

Achievement

First prize in the Project Competition arranged by The Institution of Electronics and Telecommunication Engineers (IETE), held on 16th April 2011 at AISSMS College of Engineering.

Acknowledgement:


Mr. Vikram Saurabh (External guide)

Mr. Harshad Wadkar (Internal guide)

Mrs. Madhura Tokekar (HOD)

Mr. Makarand Velankar (Project Coordinator)

Mr. Shripad Tawade

Thank you…
