

                    INTRUSION DETECTION SYSTEM
By Bikash Dash (White-hat)



                                             Contents
Chapter No   Title                                              Page No
1            Introduction                                        1
2            Basic Requirements                                  3
3            What is intrusion                                   4
4            Introduction to IDS                                 4
             4.1  Need of IDS & IPS                              4
             4.2  IDS vs Firewall                                4
5            Types of IDS                                        6
             5.1  Network-based Intrusion Detection System       6
             5.2  Host-based Intrusion Detection System          8
             5.3  Distributed Intrusion Detection System         10
6            Approaches                                          11
7            The need of IDS                                     11
8            SNORT                                               13
             8.1  Snort modes of operation                       13
             8.2  Packet sniffers                                13
             8.3  Network intrusion detection mode               14
             8.4  Network rules                                  14
             8.5  Snort rule header                              14
9            Configuring Snort as IDS                            16
10           What is IPS?                                        24
11           Challenges in IDS                                   25
12           Conclusion                                          26
13           Appendices                                          27
14           Reference                                           28


                                          Abstract
                             Snort: Intrusion Detection System
Malicious network traffic (such as worms, hacking attempts, etc.) has certain patterns to it. You could monitor
your network traffic with a sniffer and look for this malicious traffic manually, but that would be an
impossible task. IDS (Intrusion Detection System) software automates the process of sniffing, examining,
and, upon finding something suspicious, alerting.

IDS have been called the burglar alarm of computer networks and are an important part of network perimeter
security. Without IDS you have no idea if someone is probing or attacking your servers (unless the attack is so
overwhelming that it results in a denial of service). Having this information can let you know if you need to
make some firewall changes or harden the OS on a particular server a bit more.

You may see the term IPS for Intrusion Prevention Systems, which takes things one step further, having the
IDS adjust the firewall when it discovers something. Smart people disagree on the use of IPSs as it, in effect,
gives an attacker some control of your firewall.

Snort (www.snort.org) is the most widely-used IDS software application and it's open source and included
with Debian. There are two flavors of IDSs, host-based and network-based. Snort is a network-based IDS that
can monitor all of the traffic on a network link to look for suspicious traffic. Typically, a network-based IDS
is set up to monitor a DMZ or the internal network right behind the firewall so it alerts to any possible threats
that your firewall didn't catch.

There is a Web interface that works with Snort called BASE (Basic Analysis and Security Engine) which is
based on ACID (Analysis Console for Intrusion Databases) which we'll set up. BASE uses what's commonly
referred to as a LAMP server (Linux, Apache, MySQL, PHP) so we'll need to install those applications as
well.





Terminology

- Alert/Alarm: A signal suggesting that a system has been or is being attacked.
- True Positive: A legitimate attack which triggers an IDS to produce an alarm.
- False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
- False Negative: A failure of an IDS to detect an actual attack.
- True Negative: When no attack has taken place and no alarm is raised.
- Noise: Data or interference that can trigger a false positive.
- Site policy: Guidelines within an organization that control the rules and configurations of an IDS.
- Site policy awareness: An IDS's ability to dynamically change its rules and configurations in response to
  changing environmental activity.
- Confidence value: A value an organization places on an IDS based on past performance and analysis to
  help determine its ability to effectively identify an attack.
- Alarm filtering: The process of categorizing attack alerts produced by an IDS in order to distinguish
  false positives from actual attacks.
- Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information,
  inflict harm or engage in other malicious activities.
- Masquerader: A user who is not authorized to use a system, but tries to access the information as
  an authorized user. They are generally outside users.
- Misfeasor: They are commonly internal users and can be of two types:
  1. An authorized user with limited permissions.
  2. A user with full permissions who misuses their powers.
- Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being
  caught.







SOFTWARE AND HARDWARE REQUIREMENTS
Software Specification:
OS :- Linux (BackTrack).
Snort :- As the intrusion detection system.
BASE :- Basic Analysis and Security Engine (graphical detection engine).
MySQL :- Database in which to log alerts and intrusions.
PHP :- To set up BASE in the browser.
PEAR packages :- To set up the graphical environment for BASE.
Libpcap :- To put the network adapter into packet capture mode on the network (WinPcap in the case of a
Windows environment).
ADOdb :- To set up connectivity between BASE and MySQL.
Apache :- To run the system as a server on the network (with a static IP address).
Static IP :- The machine running Snort needs a static IP, so that every time you connect to the internet you
continue to receive alerts from the different machines.


Hardware Specification:

       System Type          :  INTEL
       Processor            :  Pentium 4
       Processor Speed      :  2.8 GHz
       Hard Disk            :  40 GB
       Memory Size          :  128 MB
       Cache Memory         :  128 KB
       Keyboard Type        :  104 keys
       Monitor Type         :  EGA/VGA
       Monitor Manufacturer :  Microtek
       Monitor Size         :  15"
       Mouse                :  Logitech 3 buttons
       Floppy Drive         :  1.44 MB






CHAPTER-1


                                            INTRODUCTION

         "An intrusion detection system monitors computer systems, looking for signs of intrusion
(unauthorized users) or misuse (authorized users overstepping their bounds)." (1) Intrusion Detection Systems
(IDS) can operate on a variety of different levels. Host-based IDSs reside on a host machine and execute
intrusion detection locally. Network-based Intrusion Detection Systems (NIDS) focus on network data flow.
The key to successfully identifying and preventing intrusion lies within the various techniques. "Using
intrusion detection methods, you can collect and use information from known types of attacks and find out if
someone is trying to attack your network or particular hosts." IDSs have a series of steps that all need to be
completed before a system can be appropriately protected. These steps revolve around the data that is being
processed on the system being monitored. "Data is collected by monitoring activities in the hosts or network.
The raw data is analyzed to classify activities as normal or suspicious. When a suspicious activity is
considered sufficiently serious, a response is triggered."
                     An intrusion detection system (IDS) is a device or software application that
monitors network and/or system activities for malicious activities or policy violations and produces reports to
a management station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor
expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on
identifying possible incidents, logging information about them, and reporting attempts. In addition,
organizations use IDPSes for other purposes, such as identifying problems with security policies,
documenting existing threats, and deterring individuals from violating security policies. IDPSes have become
a necessary addition to the security infrastructure of nearly every organization. IDPSes typically record
information related to observed events, notify security administrators of important observed events, and
produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from
succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing
the security environment (e.g., reconfiguring a firewall), or changing the attack's content. The intrusion
detection system Snort is also a specialized tool that parses and interprets network traffic or host
activities and performs real-time network analysis and logging. This engine can manage a number of network
ranges, activities, network traffic, port analysis, and firewall and server logs on one system. Detection happens
when network activity, malicious content, intrusions, port analysis activities, etc. matches the rules and
signatures of our intrusion detection system.







    Some of the terminology used when discussing IDSs is defined in the Terminology section above.






                                                                                               CHAPTER-2
BASIC REQUIREMENTS:

The basic requirements for the IDS, both software and hardware, are those listed in the Software and
Hardware Requirements section above.








                                                                                                    CHAPTER-3
What is Intrusion:-
An intrusion is a malicious activity, program or unauthorized system that enters a network without
any invitation or identity. These intrusions try to gain access to the network clients or the network server
machines. Intrusions use services running on a system in order to successfully exploit the system and create an
account on it. Once the attacker gains unauthorized access to the system, he can install rootkits or
backdoors on it to gain further access and use the system as a bot to attack other machines around the
world.
                                                                                                  CHAPTER-4


                                  INTRODUCTION TO IDS

The intrusion detection system Snort is a specialized tool that parses and interprets network traffic or host
activities and performs real-time network analysis and logging. This engine can manage a number of network
ranges, activities, network traffic, port analysis, and firewall and server logs on one system. Detection happens
when network activity, malicious content, intrusions, port analysis activities, etc. matches the rules and
signatures of our intrusion detection system.

Intrusion detection is the act of detecting unwanted traffic on a network or a device. An IDS can be a piece of
installed software or a physical appliance that monitors network traffic in order to detect unwanted activity
and events such as illegal and malicious traffic, traffic that violates security policy, and traffic that violates
acceptable use policies. Many IDS tools will also store a detected event in a log to be reviewed at a later date
or will combine events with other data to make decisions regarding policies or damage control. An IPS is a
type of IDS that can prevent or stop unwanted traffic. The IPS usually logs such events and related
information.

4.1 Need of IDS and IPS:-
Snort, as an IDS and IPS, can perform real-time packet analysis and logging on a network. One of the powerful
features of Snort is protocol analysis and content searching/matching, which it uses to detect a variety
of attacks such as buffer overflows, stealth port scans, SMB probes, OS footprinting, etc.

4.2 IDS vs. Firewalls:-
Firewalls:-
Firewalls are sets of predefined rules and programs that can monitor and filter every packet flowing through
the network. Firewalls are used on a network in order to protect the home network's resources from being
accessed by the outside world (the internet). Firewalls also work as a proxy server for the home network:
every piece of data coming from an outside client first passes through the firewall and is then given
access to the resources. A firewall only works on well-known ports and services, such as Trojan ports,
OS footprinting, some kinds of malicious-code detection, etc. The network administrator can only use the
predefined set of programs and rules and cannot set up their own.






Firewalls have serious limitations:-
- Firewalls cannot prevent inside attacks from within the network.
- They cannot detect higher-level attacks.
- No firewall provides protection against viruses.
- A firewall can't find other vulnerabilities which might allow a hacker to access the internal network.

IDS (Snort):-
The Snort IDS is a more powerful engine than a firewall:-
- The Snort intrusion detection engine can be configured manually by network administrators, who write their
own rules for the network.
- The Snort engine can be set up for any port filtering, packet filtering and matching, sniffing and logging of
data.
- It can prevent attacks from internal network users.
- It can generate instant alerts for various viruses, worms, Trojans, backdoors, etc. and log them.
- The administrator can write rules to filter out and match every packet against the signatures defined for the network.








                                                                                                   CHAPTER-5
Technologies (TYPES OF IDS):
Several types of IDS technologies exist due to the variance of network configurations. Each type has
advantages and disadvantages in detection, configuration, and cost. Specific categories will be discussed in
detail in Section 3, Technologies.
1. Network-based intrusion detection system (NIDS).
2. Host-based intrusion detection system (HIDS).
3. Distributed intrusion detection system (DIDS).

5.1 Network-based intrusion detection system (NIDS):-
A NIDS monitors the entire network from the perspective of the location where it is deployed. In this case, the NIDS must
operate in promiscuous mode in order to monitor all the network traffic (not only the data addressed to its
particular NIC). Running the NIC in promiscuous mode is necessary in order to protect the whole
network's connections. A Network Intrusion Detection System (NIDS) is one common type of IDS that
analyses network traffic at all layers of the Open Systems Interconnection (OSI) model and makes decisions
about the purpose of the traffic, analyzing for suspicious activity. Most NIDSs are easy to deploy on a
network and can often view traffic from many systems at once. A term becoming more widely used by
vendors is "Wireless Intrusion Prevention System" (WIPS) to describe a network device that monitors and
analyses the wireless radio spectrum in a network for intrusions and performs countermeasures. "Network-
based ID involves looking at the packets on the network as they pass by some sensor."
(http://www.sans.org/resources/idfaq/network_based.php) Packets are only of interest if they happen to
match a particular signature. There are three main types of signatures:
- String signatures: look for strings, or combinations of strings, that could potentially indicate an intrusion.
  Signatures containing sensitive file names may cause an alarm.
- Port signatures: signatures that contain port numbers that are regularly attacked (e.g. telnet (TCP port
  23), FTP (TCP port 21/20), SUNRPC (TCP/UDP port 111), and IMAP (TCP port 143)); communications
  that use ports that are not normally used may also be reason for suspicion.
- Header condition signatures: signatures that match illogical header data or well-known, dangerous content.
  "The most famous example is Winnuke, where a packet is destined for a NetBIOS port and the Urgent
  pointer, or Out Of Band pointer is set. This resulted in the "blue screen of death" for Windows
  systems." (http://www.sans.org/resources/idfaq/network_based.php)
The key to making this intrusion detection system successful lies in its placement. Sensors need to be in
a position that exposes them to the flow of network packets.
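As an added example (not code from the original report or from Snort), a toy Python sensor that implements the three signature types described above over a constructed packet sample, and then scores its alerts with the true/false positive and negative terms from the Terminology section; the packet fields, signature tables, addresses and sample traffic are all assumptions made for the demonstration.

```python
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP flags byte (standard values).
TCP_SYN, TCP_PSH, TCP_ACK, TCP_URG = 0x02, 0x08, 0x10, 0x20
NETBIOS_SESSION_PORT = 139


@dataclass
class Packet:
    """Minimal decoded packet: only the fields the three signature types inspect (assumed layout)."""
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    dport: int
    flags: int = 0          # TCP flag bits (ignored for UDP)
    payload: bytes = b""
    malicious: bool = False  # ground truth, known only because this sample is constructed


# 1. String signatures: byte patterns whose presence in the payload raises an alarm.
STRING_SIGS = {
    "sensitive file name /etc/passwd": b"/etc/passwd",
    "sensitive file name /etc/shadow": b"/etc/shadow",
}

# 2. Port signatures: the services the text lists as regularly attacked.
PORT_SIGS = {
    ("tcp", 23): "telnet",
    ("tcp", 21): "ftp",
    ("tcp", 20): "ftp-data",
    ("tcp", 111): "sunrpc",
    ("udp", 111): "sunrpc",
    ("tcp", 143): "imap",
}


def winnuke(pkt: Packet) -> bool:
    """3. Header-condition signature: TCP segment to the NetBIOS session port with URG (out-of-band) set."""
    return pkt.proto == "tcp" and pkt.dport == NETBIOS_SESSION_PORT and bool(pkt.flags & TCP_URG)


HEADER_SIGS = {"WinNuke OOB data to NetBIOS port": winnuke}


def match_packet(pkt: Packet) -> list:
    """Return (signature type, signature name) for every signature the packet matches."""
    hits = []
    for name, pattern in STRING_SIGS.items():
        if pattern in pkt.payload:
            hits.append(("string", name))
    service = PORT_SIGS.get((pkt.proto, pkt.dport))
    if service is not None:
        hits.append(("port", f"traffic to {service} ({pkt.proto}/{pkt.dport})"))
    for name, predicate in HEADER_SIGS.items():
        if predicate(pkt):
            hits.append(("header", name))
    return hits


def run_sensor(packets) -> list:
    """Alert lines a sensor on this link would raise: one per matched signature."""
    return [f"{kind}: {name} {p.src} -> {p.dst}"
            for p in packets for kind, name in match_packet(p)]


def score(packets) -> dict:
    """Confusion counts in the Terminology section's terms: an alert on an attack is a true positive,
    an alert on benign traffic a false positive, a silent attack a false negative."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for p in packets:
        fired = bool(match_packet(p))
        key = ("tp" if fired else "fn") if p.malicious else ("fp" if fired else "tn")
        counts[key] += 1
    return counts


# Constructed sample traffic (not a real capture); documentation addresses only.
SAMPLE = [
    # directory traversal towards a sensitive file -> string signature (true positive)
    Packet("198.51.100.7", "192.0.2.80", "tcp", 80, TCP_PSH | TCP_ACK,
           b"GET /../../etc/passwd HTTP/1.0\r\n\r\n", malicious=True),
    # an administrator opening a telnet session -> port signature fires anyway (false positive, "noise")
    Packet("192.0.2.10", "192.0.2.80", "tcp", 23, TCP_SYN, b""),
    # out-of-band data to the NetBIOS port -> header-condition signature (true positive)
    Packet("198.51.100.7", "192.0.2.80", "tcp", 139, TCP_PSH | TCP_ACK | TCP_URG, b"\x00", malicious=True),
    # ordinary TLS client hello -> nothing matches (true negative)
    Packet("192.0.2.11", "192.0.2.80", "tcp", 443, TCP_PSH | TCP_ACK, b"\x16\x03\x01"),
    # the same traversal with URL-encoded slashes -> the plain string signature misses it (false negative)
    Packet("198.51.100.7", "192.0.2.80", "tcp", 80, TCP_PSH | TCP_ACK,
           b"GET /..%2F..%2Fetc%2Fpasswd HTTP/1.0\r\n\r\n", malicious=True),
]

if __name__ == "__main__":
    for line in run_sensor(SAMPLE):
        print(line)
    print(score(SAMPLE))
```

The last packet shows why a real sensor normalizes traffic before signature matching: the same request written differently slips past a literal string signature.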
5.1.1 An Overview of the Open Systems Interconnection Model (OSI)
A NIDS is placed on a network to analyze traffic in search of unwanted or malicious events. Network traffic is
built on various layers; each layer delivers data from one point to another. The OSI model and the transmission
control protocol (TCP)/IP model show how each layer stacks up. Within the TCP/IP model, the lowest, link
layer controls how data flows on the wire, such as controlling voltages and the physical addresses of
hardware, like media access control (MAC) addresses. The Internet layer controls address routing and
contains the IP stack. The transport layer controls data flow and checks data integrity. It includes TCP and
the user datagram protocol (UDP). Lastly, the most complicated but most familiar level is the application
layer, which contains the traffic used by programs. Application layer traffic includes the Web
(hypertext transfer protocol [HTTP]), file transfer protocol (FTP), email, etc. Most NIDSs detect unwanted
traffic at each layer, but concentrate mostly on the application layer.




                                                Figure 1.1: Network Intrusion Detection System







5.2 Host-based intrusion detection system (HIDS):-

A HIDS is a system that runs on the host machine. In this case the IDS sees only the data coming to that
host, rather than the entire network. The NIC works in non-promiscuous mode by default.
Another advantage of a HIDS is that we can set a different rule set for different hosts on the network.

        Host-based intrusion detection is accomplished by installing software on each individual local
system. These software modules, or agents, work on the client system to perform intrusion detection. This
can be accomplished using a variety of methods. One common method is to have the software agent monitor
the system logs and look for irregular patterns. An example of this is when an agent watches for
unauthorized activities done by a user without adequate permissions. Essentially, the agent keeps a
running log of the user's actions. If the user's actions raise a red flag (meaning that the actions of the user are
suspicious), then the system administrator is able to backtrack the actions and investigate why a particular
user was using the system in that way. Another effective method for host-based IDSs is to watch for
suspicious processes that are running. Sometimes a particular process name can mean trouble for a system
administrator, depending upon its purpose. Protecting the integrity of the system files is another high-priority
task for host-based IDSs. An IDS agent can take an inventory of system files, along with their permissions,
and report any changes to the set. The same auditing tactic can be used to watch user accounts. An IDS that
witnesses a user's permissions being changed, or an unauthorized user being created, can indicate problems for a
systems administrator. All of these methods are classified as agent-based software, which makes up the
largest category of host-based IDSs. The other major category is host wrappers/personal firewalls. "Host
wrappers or personal firewalls can be configured to look at all network packets, connection attempts, or login
attempts to the monitored machine." (http://www.sans.org/resources/idfaq/host_based.php) Examples of
these are dial-in attempts, non-network related communication ports, or other software on the host
attempting to connect to the network. (http://www.sans.org/resources/idfaq/host_based.php)
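As an added example (not code from the report or from any HIDS product), a minimal Python file-integrity agent of the kind described above: it inventories files with their content hashes and permission bits, then reports additions, removals, content changes and permission changes against the baseline. The directory layout and the tampering are constructed in a temporary directory; the file names only stand in for real system paths.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root) -> dict:
    """Inventory every regular file under root as relative path -> (sha256 hex digest, permission bits)."""
    inventory = {}
    root = Path(root)
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            mode = stat.S_IMODE(path.stat().st_mode)
            inventory[path.relative_to(root).as_posix()] = (digest, mode)
    return inventory


def compare(baseline: dict, current: dict) -> list:
    """Differences between two inventories as (change kind, relative path), sorted by path.
    A file whose content and permissions both changed is reported twice."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            changes.append(("added", rel))
        elif new is None:
            changes.append(("removed", rel))
        else:
            if old[0] != new[0]:
                changes.append(("content", rel))
            if old[1] != new[1]:
                changes.append(("perms", rel))
    return changes


def demo() -> list:
    """Constructed scenario: a throwaway directory stands in for a host's filesystem.
    Take a baseline on the known-good host, simulate the tampering the text describes, report it."""
    with tempfile.TemporaryDirectory() as root:
        etc, bindir = Path(root, "etc"), Path(root, "bin")
        etc.mkdir()
        bindir.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (etc / "shadow").write_text("root:*:19000:0:99999:7:::\n")
        os.chmod(etc / "shadow", 0o600)
        (bindir / "ls").write_bytes(b"\x7fELF original-binary")
        os.chmod(bindir / "ls", 0o755)

        baseline = snapshot(root)  # the agent's inventory of the known-good state

        # Constructed changes a host agent should flag (no real malware involved):
        (etc / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nsvc:x:0:0::/:/bin/sh\n")  # an extra UID-0 account appears
        os.chmod(etc / "shadow", 0o644)                               # secrets made world-readable
        (bindir / "ls").write_bytes(b"\x7fELF replaced-binary")         # a system binary replaced
        (bindir / ".cache").write_bytes(b"dropped file")                 # a new file in a system directory

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:8s} {path}")
```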








                                  Figure 1.2: Host-based Intrusion Detection System




5.3 Distributed intrusion detection system (DIDS):-

A DIDS is simply a combination of NIDS and HIDS over a network.




                                              Figure 1.3: Distributed Intrusion Detection System





                                                                                                   CHAPTER-6


Approaches
        Just as with many other technologies today, no single approach is going to give appropriate protection.
Therefore, a combination of two or more intrusion detection techniques should be applied. "Within its
limitations, it is useful as one portion of a defensive posture, but should not be relied upon as a sole means of
protection." (2) IDSs will never entirely replace the need for professional system administrators, mainly
because a large function of the IDS is merely data collection. Although the IDS can provide some
help in data analysis, the need for human interaction/analysis will probably never go away. Not all suspicious
behavior should be assumed to be malicious, and an IDS left to itself would do just that.
                                                                                                     CHAPTER-7
                             The Need for Intrusion Detection Systems
        A computer intrusion can be damaging in a variety of ways, depending on the intent of the intrusion.
If the intrusion amounts to a nuisance, then resources have to be expended to alleviate the problem. This
requires the system administrator to divert their attention away from business and to focus on the annoyance.
Even if an intrusion isn't malicious, i.e. not damaging or theft related, the intrusion could bog down the
network, causing a loss of productivity among the employees. Intrusions that are aimed at theft are
particularly damaging to a company in terms of competition. Companies go to great lengths to protect their
intellectual property, since it can be such a large source of income and market share. If this information falls
into the wrong hands, i.e. the competition, then the company can suffer greatly due to lost revenue. Malicious
damage may come about from a hacker who intends to hurt a company by destroying data. This is the most
damaging type of attack because it has a snowball effect. Not only does a company lose many records,
customer information, business contacts, etc., but it also takes a huge hit in productivity. Until all
the information is restored, much of the staff cannot work efficiently. A company may also lose customers
because it has been the target of computer hacking. Customers tend to get very nervous
when they think that their personal data has the potential to fall into the wrong hands.
        March 11, 2005 - Pleasant Hill, California Computer Hacker from "Deceptive Duo" Guilty of
        Intrusions into Government Computers and Defacing Websites ($70,000)
        September 9, 2004 - Ex-Official Of Local Computer Consulting Firm Pleads Guilty To Computer
        Attack Charge ($100,000)
        August 23, 2004 - Former Employee Of A Massachusetts High-Technology Firm Charged With
        Computer Hacking ($26,400)
        July 28, 2004 - Vallejo Woman Admits To Embezzling More Than $875,035 - Not-For-Profit
        Organization Victim Of Computer Fraud ($875,035)
        July 21, 2004 - Florida Man Charged With Breaking Into Acxiom Computer Records - Intrusion and
        Theft of Data Result in Loss of More than $7 Million ($7,000,000)
        May 1, 2001 - Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison
        ($80,000,000)
                                                    from http://www.usdoj.gov/criminal/cybercrime/cccases.html
        Many of the attacks listed above were done by "insiders", which are people that had access to the
company's internal network. In the case of an insider attack, a firewall can provide little protection. A
common mistake occurs when companies assume that a firewall will protect them from hackers. One must
understand the limitations of a firewall:


    1. "Not all access to the Internet occurs through the firewall. The firewall cannot mitigate risk associated
       with connections it never sees." (5)
    2. "Not all threat originates outside the firewall. Intrusion detection systems are part of the infrastructure
       that is privy to the traffic on the internal network. Therefore, they will become even more important as
       security infrastructures evolve." (5)


7.1 IDS Location
The location of a Network Intrusion Detection System can be the deciding factor between success and failure.
The type of information collected can also vary greatly depending on where the IDS sensor is placed. For
example, in the figure below:




(from http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_chapter09186a0080104f0c.html#145)

        Sensor #1: This sensor monitors the communication between a protected network and the internet.
                   This is the most common type of protection that is practiced.
        Sensor #2: This sensor monitors the communication between a protected network and remote
                   access servers.
        Sensor #3: This sensor monitors the communication between internal sites.
        Sensor #4: This sensor monitors the communication between a protected network and the extranet
                   connection with a business partner.
Having sensors at these various locations is necessary for complete coverage. Each sensor is strategically
placed to collect data at a point that could be the site of an intrusion attempt. A sensor should be placed in front of the
firewall, so that the system administrator can start collecting data about the types of attacks that are being
attempted against the network. A sensor should also be placed to aid the firewall (at the firewall level) in
preventing attacks. In the event that an intrusion makes it past the firewall, another IDS agent should be there
to intercept/divert the intrusion, or at least log the event. Lastly, a sensor should be placed on the local
network for traffic that does not pass through the firewall. Statistics show that the most common type of
system misuse comes from "insiders".


7.2 Intrusion Tactics
Fending off potential attackers is much easier when the attack tactics are known. Listed below are the
common hacking tactics used by computer hackers:
- Password cracking: discovery of users' passwords.
- Trojan horses: malicious programs that are disguised as legitimate software.
- Interception of communication: gains unauthorized access or exceeds authorized access.
- Spoofing: a program used by a cracker to trick a computer system into thinking it is being accessed
  by an authorized user.
- Packet sniffer: a software or hardware tool that monitors data packets on a network, generally used
  to discover user passwords.
- Hacking: taking advantage of system weaknesses to gain access to resources or privileges.
from Intrusion Detection Systems (IDS) Part I
(http://www.windowsecurity.com/articles/Intrusion_Detection_Systems_IDS_Part_I__network_intrusions_attack_symptoms_IDS_tasks_and_IDS_architecture.html)
These are just a few of the many types of attacks that a systems administrator may have to face. Due to the
vast size of today‘s networks, many companies are far more susceptible to attacks thanthey probably think.
Comfort can no longer be found by hiring experienced/over-priced system administrators to fend off all of
these attacks. Companies would go broke trying to compensate their resource pool of system administrators.
CHAPTER-8
Snort
       Snort is a lightweight intrusion detection system. Martin Roesch, who was aiming at creating an open source package that could rival the commercial systems, developed Snort in 1998. Snort has had incredible success in the open source arena and has been established as a true competitor to commercial solutions.


8.1 Snort Modes of Operation
       Snort has two main modes of operation. The first is a packet sniffer mode, which is similar to tcpdump. Packets are stored in a log file, which allows for later analysis. The other mode of operation is a Network Intrusion Detection System (NIDS). When Snort functions in this mode, rule sets are applied to packets in order to look for suspicious behavior. Both modes of operation are detailed below.


8.2 Packet Sniffer
       Running Snort in packet sniffer mode will allow system administrators to collect and store packet data. Snort can be configured to collect packet data in varying detail, depending on how much detail is required. Although very similar to tcpdump, Snort does have features that extend beyond the capability of tcpdump. "The major feature that Snort has which tcpdump does not is packet payload inspection. Snort decodes the application layer of a packet and can be given rules to collect traffic that has specific data contained within its application layer." (http://www.snort.org/docs/lisapaper.txt) Snort also has a more readable display of the packet data. One additional feature that Snort provides is that while logging to a file, Snort will still log in a format that is compatible with tcpdump, so users can still use tcpdump for analysis.





8.3 Network Intrusion Detection Mode
        Running Snort in Network Intrusion Detection Mode is quite different from running in packet sniffer mode. Network Intrusion Detection mode does not capture/log every network packet. Instead, it applies a set of rules to each passing packet. The set of rules is managed by the system administrator and should reflect common intrusion patterns. These patterns are a lot like virus definition files in that they list common packet patterns that generally indicate an intrusion or misuse of the system. No action is taken if the packet does not meet one of the implemented rules. If a packet does match one of the rules, then the packet is logged, and may also generate an alert. An alert is a notification to the system administrator that a questionable packet has just been received (or sent out) from a particular system.


8.4 Network Intrusion Detection Rules
        The rules definition files can generally be found in /opt/snort/etc/snort.conf and can be activated with the "-c" command line option. Snort rules contain two basic elements: a Rule Header and Rule Options. The Rule Header contains the criteria for packet matching. It also contains instructions on what action needs to be taken in the event of a rule match. The Rule Options part contains supplemental information to be used for the matching criteria. An example of a rule is provided below:
        alert ip any any -> any any (msg: "IP Packet detected";)
In this example, an alert is generated every time an IP packet is detected, either sent or received. This is a good rule to test Snort, but do not leave this rule in place. This particular rule has the ability to fill up a user's hard drive because of all the excessive logging.
8.5 Snort Rule Header
       The rule header contains a lot of information that needs to be broken down into different sections. Below is a listing of the Snort Rule Header architecture:

        Action         Protocol    Address        Port      Direction    Address        Port

        Action: The action part of the rule determines the type of action taken when the criteria are met and a rule is exactly matched against a data packet.
        Protocol: The protocol part is used to apply the rule to packets of a particular protocol only.
        Address: The address parts define the source and destination addresses.
        Port: In the case of the TCP or UDP protocol, the port parts determine the source and destination ports of a packet to which the rule is applied. In the case of network layer protocols like IP and ICMP, port numbers have no significance.
        Direction: The direction part of the rule determines which address and port number are used as the source and which as the destination.


8.6 Snort Rule Options
Snort Rule Options can be found within the set of parentheses contained in a Snort rule. Options generally follow the format of a keyword (i.e. ACK, CLASSTYPE, CONTENT, OFFSET, DEPTH, CONTENT-LIST, DSIZE, FLAGS, FRAGBITS, ICMP_ID, ICMP_SEQ, ITYPE, ICODE, ID, IPOPTS, IP_PROTO, LOGTO, MSG, PRIORITY, REACT, REFERENCE, RESP, REV, RPC, SAMEIP, SEQ, FLOW, SESSION, SID, TAG, TOS, TTL, URICONTENT), followed by an argument. The options portion of a rule is combined with AND logic: every option must match for the rule to fire. The options supplement the rule header's matching criteria. With all of these options available to the users, the search capability of Snort sets itself apart from the competition.
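The header and option structure described in sections 8.4 to 8.6 can be checked mechanically before a rules file is loaded. The Python below is an added example written for this document, not code from the Snort project: it splits a rule into its seven header fields and its option pairs (a semicolon inside quoted content is data, not a separator) and lints the result against the points made above: known action and protocol keywords, "any" ports on ip/icmp rules, and the activates/activated_by pairing between activate and dynamic rules. The action and protocol keyword sets are assumptions about a classic Snort 2 rule set; the rules it is run on are the ones quoted in this document.

```python
import re
from dataclasses import dataclass, field

# Assumed keyword sets for a classic Snort 2 rule set (not taken from this document).
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S
)


@dataclass
class SnortRule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list = field(default_factory=list)  # (keyword, raw value or None)

    def option(self, keyword):
        """First value given for `keyword`, with surrounding quotes removed; None if absent."""
        for key, val in self.options:
            if key == keyword:
                return val.strip('"') if val is not None else ""
        return None


def split_options(body):
    """Split 'k:v; k2; ...' into (keyword, value) pairs; ';' inside quotes is data."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            token = "".join(cur).strip()
            if token:
                key, sep, val = token.partition(":")
                opts.append((key.strip().lower(), val.strip() if sep else None))
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        raise ValueError(f"option not terminated with ';': {tail!r}")
    return opts


def parse_rule(text):
    """Parse one rule (it may span several lines) into header fields plus option pairs."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {text.strip()!r}")
    action, proto, sip, sport, direction, dip, dport, body = m.groups()
    return SnortRule(action.lower(), proto.lower(), sip, sport, direction,
                     dip, dport, split_options(body))


def lint(rule):
    """Header checks from the rule header description above; returns a list of findings."""
    findings = []
    if rule.action not in ACTIONS:
        findings.append(f"unknown action {rule.action!r}")
    if rule.proto not in PROTOCOLS:
        findings.append(f"unknown protocol {rule.proto!r}")
    # Port fields carry no meaning for network-layer protocols.
    if rule.proto in ("ip", "icmp") and (rule.src_port, rule.dst_port) != ("any", "any"):
        findings.append("port numbers have no significance for ip/icmp rules")
    if rule.action == "activate" and rule.option("activates") is None:
        findings.append("activate rule needs an 'activates' option")
    if rule.action == "dynamic" and rule.option("activated_by") is None:
        findings.append("dynamic rule needs an 'activated_by' option")
    return findings


def check_pairing(rules):
    """Return the activated_by ids of dynamic rules that no activate rule triggers."""
    activators = {r.option("activates") for r in rules if r.action == "activate"}
    return [r.option("activated_by") for r in rules
            if r.action == "dynamic" and r.option("activated_by") not in activators]


if __name__ == "__main__":
    test_rule = parse_rule('alert ip any any -> any any (msg: "IP Packet detected";)')
    print(test_rule.action, test_rule.proto, test_rule.option("msg"), lint(test_rule))
```

Running the module on the "IP Packet detected" rule reports an empty findings list; changing its destination port to 80 produces the ip/icmp port finding, and a dynamic rule whose activated_by id has no matching activate rule is reported by check_pairing.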


8.7 Snort Alerts
When a packet does meet the criteria of a rule, then Snort can either log the entry to a log file, or it can send out an alert. Snort has a variety of alert modes, which are all detailed below:
        Fast Mode ("-A fast") - This mode reports the timestamp, alert message, source and destination IP addresses, and source and destination ports. The actual packet is not logged while using this mode.
        Full Mode ("-A full") - This mode reports the same information as Fast Mode, but it also includes the packet's header.
        UNIX Socket Mode ("-A unsock") - This mode will allow a system administrator to send alerts to other programs using a UNIX socket.
        Alerts to Syslog ("-s") - This mode will store the alert in the syslog, which is where system level events are recorded.
        SNMP Mode - Alerts can also be sent as SNMP messages, where Network Management Systems can help system administrators identify and correct the problem.





                                                                                                     CHAPTER-9


Configuring Snort as IDS:-
                    Installing Snort and BASE

Snort, the intrusion detection system, is a network monitor that watches traffic on the network and picks out
anomalies. Originally designed by Martin Roesch, Snort is known as one of the premier open source security
software suites in the world. The name is originally derived from Martin, who developed what he saw as a
packet sniffer. But he knew that the software could do much more than just sniff packets, so he came up with
Snort. It was not until much later that the Pig came into play at all.
A very important thing about Snort is its ability to be implemented into many different types of tools. One of
these tools is BASE, or the Base Analysis and Security Engine. BASE allows a user to set up a main system
for monitoring, most likely utilizing Snort, and view the output on a separate machine via an easy to navigate
and use web browser. All the information is stored in an easy to use format, with the ability to dig deeper into
the data. The one thing that is difficult in BASE is the setup. This includes many different aspects, including
installing, configuring, and running Snort. Following this, you have to set up a MySQL database, which can
be a feat in itself, and finally an Apache Web Server. So in all essence, this is the installing and configuring of
four major projects all in one. But once the final project is complete, it is quite a fantastic outcome.
To start off with, you have to install LAMP. Basically, LAMP stands for Linux Apache MySQL PHP. These
are some of the base services and programs needed for the project. Since we are building this project on an
Ubuntu 10.10 system, we will use
# tasksel install lamp-server
You may have to install tasksel, because it is not a base package installed by default. After that, you will have
most of the base tools you need for the system to run. When you install lamp, it will ask you plenty of
questions, including asking for what the password for the root user will be on the MySQL database. The point
of this software is to serve as the backbone for the software. LAMP uses Apache as the HTTP server for
ACID/BASE, so the user can easily interact with the data, and MySQL serves as the backend database to hold
the information.
After installing that, you have to set up the MySQL database for snort. This is easily done by running the
following commands:
# mysql -u root -p
mysql> create database snort;
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON snort.* TO 'snort'@'localhost' IDENTIFIED BY 'password';
mysql> FLUSH PRIVILEGES;
mysql> quit
What this does is create the database that Snort will use to store the network information in. Now, there is
another very important step, actually installing Snort. This is most easily done by installing it using apt-get
again:
# apt-get install snort-mysql
This will begin the installation. There again are a few more questions that need to be answered. One is to input the network address for your local network, including its classless inter-domain routing (CIDR) prefix. If you are on a home network, this is most likely going to be /24. If working on a corporate network, check with the network administrator. After putting that in, the installation will ask if you want to install a database. We have already set one up, so we aren't going to worry about that. So go ahead and put no.
The next part is to add the table structure for the MySQL database used with Snort. Snort, when downloaded, ships a file called "create_mysql.gz" that includes the tables needed to log data to a MySQL database. We are going to use this. The following commands are what are needed:
# cd /usr/share/doc/snort-mysql
# zcat create_mysql.gz | mysql -u snort -p snort
Insert your password…
# cd -
What this does is change to the snort-mysql documentation directory that has the "create_mysql.gz" file. From there, we load the contents of that file into the database we created called snort. Then we go back to the original directory we were just in.
The next little thing that is needed is to add a comment to the snort.conf file in /etc/snort/ directory. It should
be on line 786, and looks about like this:




Notice also that the password is in clear text in the configuration file; that is, it shows that it is 'password'. After you do that work, go ahead and start the Snort daemon. This is done with the following command:
# /etc/init.d/snort start
Now, finally, for the fun part. We get to install ACID/BASE. Go ahead and install acidbase from the command line again:
# apt-get install acidbase
This will start the installation. Again, you will be asked a few questions. The first will ask if you want to
configure a database type for acidbase. Go ahead and say yes, then choose MySQL. You will have to enter a
password, so go ahead and put in the password you used for setting up LAMP at the very beginning. Give one
more user password, and your acid is set up.
Now you have to do a simple edit to your /etc/acidbase/apache.conf file:




What this does is to allow the local system to connect to the acidbase setup. My IP address on the machine is
192.168.146.164, with a subnet mask of 255.255.255.0, or /24 CIDR. After doing that, restart the Apache
server by typing:
# /etc/init.d/apache2 restart




Snort:- Snort delivers a high-performance engine. This engine consists of threat detection and prevention components that work together to reassemble traffic, prevent evasions, detect threats, and output information about these threats without creating false positives or missing legitimate threats. We need to configure Snort manually, according to the needs of the network, from the Snort configuration file (snort.conf):-




                                               FIGURE 2.1
                                              SNORT.CONF








Here we will set the network range for the IDS. We can set it for multiple network ranges such as:
192.168.1.1/254 or
192.168.1.1/254,192.168.11.1/254 etc.
- Set var HOME_NET any to: var HOME_NET 192.168.1.0/101
- Set var EXTERNAL_NET any to: var EXTERNAL_NET !$HOME_NET
After that, we will set the Snort engine for our rules. Use the same file (snort.conf) to enable rules.
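A mistyped HOME_NET or EXTERNAL_NET silently changes which traffic every $HOME_NET rule applies to, so the variable block is worth validating before Snort is restarted. The Python below is an added example for this document, not part of Snort or of the write-up it follows: it collects the var lines from a snort.conf fragment, resolves $NAME references and the leading "!" negation, rejects any address or prefix that Python's ipaddress module refuses, and answers whether a given address falls inside a variable's address set. The configuration fragment and the addresses in it are constructed sample values, and only whole-value references (var X !$Y) are expanded, not references inside bracketed lists.

```python
import ipaddress

# Constructed fragment in the shape of the snort.conf variable block; the
# addresses are sample values, not the network from the write-up above.
SAMPLE_CONF = """
# constructed example snort.conf fragment
var HOME_NET 192.168.1.0/24,192.168.11.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
"""


def parse_vars(conf_text):
    """Collect `var NAME VALUE` (and `ipvar`) lines into a dict, ignoring comments."""
    found = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] in ("var", "ipvar"):
            found[parts[1]] = parts[2]
    return found


def resolve(value, variables, depth=0):
    """Expand $NAME references and return (negated, [ip_network, ...]).

    Raises ValueError for an undefined variable, a reference loop, or an
    address/prefix that ipaddress rejects (a prefix length above 32, for example).
    """
    if depth > 16:
        raise ValueError("variable reference loop")
    value = value.strip()
    negated = False
    if value.startswith("!"):
        negated, value = True, value[1:].strip()
    if value.startswith("$"):
        name = value[1:]
        if name not in variables:
            raise ValueError(f"undefined variable {name}")
        inner_negated, nets = resolve(variables[name], variables, depth + 1)
        return negated != inner_negated, nets   # "!" of a negated set flips back
    if value == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    tokens = [t.strip() for t in value.strip("[]").split(",") if t.strip()]
    return negated, [ipaddress.ip_network(t, strict=False) for t in tokens]


def matches(value, variables, addr):
    """True if `addr` falls inside the address set that `value` denotes."""
    negated, nets = resolve(value, variables)
    ip = ipaddress.ip_address(addr)
    inside = any(ip in net for net in nets)
    return inside != negated


def check_conf(conf_text):
    """Resolve every variable once; return (variables, {name: error message})."""
    variables = parse_vars(conf_text)
    errors = {}
    for name, value in variables.items():
        try:
            resolve(value, variables)
        except ValueError as exc:
            errors[name] = str(exc)
    return variables, errors


if __name__ == "__main__":
    variables, errors = check_conf(SAMPLE_CONF)
    print("errors:", errors)
    for addr in ("192.168.11.7", "203.0.113.9"):
        print(addr, "home" if matches("$HOME_NET", variables, addr) else "external")
```

With the sample fragment the checker reports no errors, places 192.168.11.7 inside HOME_NET and outside EXTERNAL_NET, and places 203.0.113.9 the other way round; a fragment whose HOME_NET has an impossible prefix length is reported for HOME_NET and for every variable that references it.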




                                         FIGURE 2.2
                                      NETWORK RANGE





Configure Snort for any number of rules you want, such as:
Bad traffic, port scans, exploits, ftp, dos attacks
Syntax of rule definitions:-
Here's the general form of a Snort rule:
action proto src_ip src_port direction dst_ip dst_port (options)
Example:-
activate tcp any any -> 192.168.1.21 22 (content:"/bin/sh"; activates:1; msg:"Possible SSH buffer overflow";)
dynamic tcp any any -> 192.168.1.21 22 (activated_by:1; count:100;)
The next step is to install PHP and the PHP extensions for BASE to work properly (graphs, statistics, bar graphs etc.).




The next step is to download ADODB to maintain connectivity between the Snort BASE engine and the MySQL database. Configure the apache2 server to use MySQL as the backend database. We will set the MySQL extensions in the apache2 configuration file.






               FIGURE 2.3
                ADODB






Finally, go to your web browser and go to http://localhost/acidbase to get to the website running. Sometimes
you may get an error, in which case you can go to http://localhost/acidbase/base_db_setup.php to set up the
different databases you may need. Your web server should look a little like this:




                                               FIGURE 3.1
                                                  BASE


Now mine already has a few alerts, but the system is now up and running. Congratulations! Now run an nmap scan on the system, and you'll start to see alerts really pop up.
Now we have to check whether Snort is working or not. This can be done with the command:-
# snort -c /etc/snort/snort.conf








               FIGURE 3.2
                 ALERT








                                                                                               CHAPTER-10




What is IPS:-
An Intrusion Detection System (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. IDPSs have become a necessary addition to the security infrastructure of nearly every organization. Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main difference is that, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected.
10.1 How IPS works:-
10.1.1 Signature-based: compares known threat signatures to observed events to identify incidents.
• This is very effective at detecting known threats but largely ineffective at detecting unknown threats and many variants on known threats.
• Signature-based detection cannot track and understand the state of complex communications, so it cannot detect most attacks that comprise multiple events.
Examples:
• A telnet attempt with a username of "admin", which is a violation of an organization's security policy.
• An e-mail with a subject of "Download movies" and an attachment filename of *.exe, which are characteristics of a known form of malware.
10.1.2 Anomaly-based detection: samples network activity to compare to traffic that is known to be normal.
• When measured activity is outside the baseline parameters or clipping level, the IDPS will trigger an alert.
• Anomaly-based detection can detect new types of attacks.
• Requires much more overhead and processing capacity than signature-based detection.
• May generate many false positives.
10.1.3 Stateful protocol analysis: A key development in IDPS technologies was the use of protocol analyzers.
• Protocol analyzers can natively decode application-layer network protocols, like HTTP or FTP. Once the protocols are fully decoded, the IPS analysis engine can evaluate different parts of the protocol for anomalous behaviour or exploits against predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state.
• Problems with this type include that it is often very difficult or impossible to develop completely accurate models of protocols, it is very resource-intensive, and it cannot detect attacks that do not violate the characteristics of generally acceptable protocol behaviour.
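The contrast between 10.1.1 and 10.1.2 is easiest to see side by side on the same data. The Python below is an added illustration written for this document, not code from any IDS product: a signature engine built from the two examples above (a telnet login as "admin", a mail with the "Download movies" subject and an .exe attachment) and an anomaly engine whose clipping level is the baseline mean plus k standard deviations of per-minute connection counts. The events, the baseline and the observed counts are constructed sample data; the mean-plus-3-sigma clipping level is one common choice, assumed here rather than taken from the text.

```python
import statistics

# Constructed signatures modelled on the two examples in the section above.
SIGNATURES = [
    {"name": "telnet login as admin", "field": "telnet_user", "equals": "admin"},
    {"name": "known malware mail", "field": "mail_subject",
     "equals": "Download movies", "attachment_suffix": ".exe"},
]


def signature_hits(event):
    """Names of signatures whose fixed pattern the event matches exactly."""
    hits = []
    for sig in SIGNATURES:
        if event.get(sig["field"]) != sig["equals"]:
            continue
        suffix = sig.get("attachment_suffix")
        if suffix and not event.get("attachment", "").lower().endswith(suffix):
            continue
        hits.append(sig["name"])
    return hits


def clipping_level(baseline, k=3.0):
    """Anomaly threshold: baseline mean plus k population standard deviations (assumed rule)."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)


def anomalous_minutes(observed, baseline, k=3.0):
    """Indexes of observed per-minute counts that exceed the clipping level."""
    level = clipping_level(baseline, k)
    return [i for i, count in enumerate(observed) if count > level]


# Constructed events: a policy violation, a capitalised variant of it that an
# exact-match signature misses, and two mails of which only one carries an .exe.
EVENTS = [
    {"telnet_user": "admin"},
    {"telnet_user": "Admin"},
    {"mail_subject": "Download movies", "attachment": "movie.EXE"},
    {"mail_subject": "Download movies", "attachment": "movie.pdf"},
]
BASELINE = [10, 12, 11, 9, 13, 10, 12, 11]   # constructed connections/minute from a training period
OBSERVED = [11, 13, 140, 12]                  # constructed live counts; minute 2 is a burst


def run_demo():
    """Run both engines over the constructed data and return their findings."""
    return {
        "signature": [signature_hits(e) for e in EVENTS],
        "anomaly": anomalous_minutes(OBSERVED, BASELINE),
    }


if __name__ == "__main__":
    print(run_demo())
```

On this data the signature engine fires on the first and third events only: the capitalised "Admin" variant is exactly the kind of change to a known pattern that 10.1.1 says signatures miss, which is why matching is normally normalised or paired with the anomaly view. The anomaly engine flags minute 2 (140 connections against a clipping level of about 14.7) without knowing anything about the traffic's content, at the cost of also flagging any legitimate burst of the same size.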






                                                                                              CHAPTER-11
Challenges in IDS:
11.1 IDS scalability in large networks:
Many networks are large and can even contain a heterogeneous collection of thousands of devices. Sub-components in a large network may communicate using different technologies and protocols. One challenge for IDS devices deployed over a large network is for IDS components to be able to communicate across sub-networks, sometimes through firewalls and gateways. On different parts of the network, network devices may use different data formats and different protocols for communication. The IDS must be able to recognize the different formats. The matter is further complicated if there are different trust relationships being enforced within parts of the network. Finally, the IDS devices must be able to communicate across barriers between parts of the network. However, opening up lines of communication can create more vulnerabilities in network boundaries that attackers can exploit.


11.2 Vulnerabilities in Operating Systems
Many common operating systems are simply not designed to operate securely. Thus, malware is often written to exploit discovered vulnerabilities in popular operating systems. Depending on the nature of the attack, if an operating system is compromised it can often be difficult for an IDS to recognize that the operating system is no longer legitimate. Moving forward, operating systems must be designed to better support security policies pertaining to authentication, access control, and encryption.

11.3 Signature-Based Detection
A common strategy for an IDS in detecting intrusions is to memorize signatures of known attacks. The inherent weakness in relying on signatures is that the signature patterns must be known first. New attacks are often unrecognizable by popular IDSs. Signatures can be masked as well. The ongoing race between new attacks and detection systems has been a challenge.





CHAPTER-12
Conclusion:
Nothing is secure in this world. Every new lock has a new key. Maybe you have not found it, but someone definitely has…
Intrusion detection and prevention systems are important parts of a well-rounded security infrastructure. IDSs are used in conjunction with other technologies (e.g., firewalls and routers), are part of procedures (e.g., log reviews), and help enforce policies. Each of the IDS technologies—NIDS, WLAN IDS, NBAD, and HIDS—is used together with the others, correlating data from each device and making decisions based on what each type of IDS can monitor. Although IDSs should be used as part of defense in depth (DiD), they should not be used alone. Other techniques, procedures, and policies should be used to protect the network. IDSs have made significant improvements in the past decade, but some concerns still plague our security administrators. These problems will continue to be addressed as IDS technologies improve.
All the work is for educational purposes and security audits. We are trying to find and minimize mistakes; if mistakes are found, suggestions can be sent to bikash.dash2012@gmail.com








                                   CHAPTER-13


        IDS  …………………………………….. 4
        SNORT……………………………………..13
        BASE ……………………………………..16
        IPS  …………………………………….. 24








References

Amsterdam. (2010, December 17). SnortIDS. Retrieved 05, 2011, from http://help.ubuntu.com/community/SnortIDS
Install Snort and BASE. (n.d.). Retrieved April 14, 2011, from VladGH: http://vladgh.com/blog/install-snort-and-base
Turnbull, J. (n.d.). Improving Snort performance with Barnyard. Retrieved April 18, 2011, from TechTarget: http://searchenterpriselinux.techtarget.com/tip/Improving-Snort-performance-withBarnyard?ShortReg=1&mboxConv=searchEnterpriseLinux_RegActivate_Submit&








Signature-Based or Anomaly-Based Intrusion Detection: The Merits and DemeritsSignature-Based or Anomaly-Based Intrusion Detection: The Merits and Demerits
Signature-Based or Anomaly-Based Intrusion Detection: The Merits and Demerits
 
Detect Network Threat Using SNORT Intrusion Detection System
Detect Network Threat Using SNORT Intrusion Detection SystemDetect Network Threat Using SNORT Intrusion Detection System
Detect Network Threat Using SNORT Intrusion Detection System
 
Efficient String Matching Algorithm for Intrusion Detection
Efficient String Matching Algorithm for Intrusion DetectionEfficient String Matching Algorithm for Intrusion Detection
Efficient String Matching Algorithm for Intrusion Detection
 
AN INTRUSION DETECTION SYSTEM
AN INTRUSION DETECTION SYSTEMAN INTRUSION DETECTION SYSTEM
AN INTRUSION DETECTION SYSTEM
 
Intrusion Detection System: Security Monitoring System
Intrusion Detection System: Security Monitoring SystemIntrusion Detection System: Security Monitoring System
Intrusion Detection System: Security Monitoring System
 
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Intrusion Detection Systems (IDS)
Intrusion Detection Systems (IDS)Intrusion Detection Systems (IDS)
Intrusion Detection Systems (IDS)
 
Cours_4_IDS_IPS.pptx
Cours_4_IDS_IPS.pptxCours_4_IDS_IPS.pptx
Cours_4_IDS_IPS.pptx
 
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMSAN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
 
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMSAN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
 
Day4
Day4Day4
Day4
 
Idps technology starter v2.0
Idps technology starter v2.0Idps technology starter v2.0
Idps technology starter v2.0
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection System
 
IRJET - IDS for Wifi Security
IRJET -  	  IDS for Wifi SecurityIRJET -  	  IDS for Wifi Security
IRJET - IDS for Wifi Security
 
Bro Policy Assignment
Bro Policy AssignmentBro Policy Assignment
Bro Policy Assignment
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and prevention
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
 

Último

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 

Último (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

Intrusion Detection System

• 1. INTRUSION DETECTION SYSTEM
By BikashDash (White-hat)

Contents

Chapter No   Title                                          Page No
1            Introduction                                   1
2            Basic Requirements                             3
3            What is intrusion                              4
4            Introduction to IDS                            4
    4.1      Need of IDS & IPS                              4
    4.2      IDS vs Firewall                                4
5            Types of IDS                                   6
    5.1      Network-based Intrusion Detection System       6
    5.2      Host-based Intrusion Detection System          8
    5.3      Distributed Intrusion Detection System         10
6            Approaches                                     11
7            The need of IDS                                11
8            SNORT                                          13
    8.1      Snort modes of operation                       13
    8.2      Packet sniffers                                13
    8.3      Network intrusion detection mode               14
    8.4      Network rules                                  14
    8.5      Snort rule header                              14
9            Configuring Snort as IDS                       16
10           What is IPS?                                   24
11           Challenges in IDS                              25
12           Conclusion                                     26
13           Appendices                                     27
14           Reference                                      28
• 3. Abstract

Snort: Intrusion Detection System

Malicious network traffic (such as worms, hacking attempts, etc.) has certain patterns to it. You could monitor your network traffic with a sniffer and look for this malicious traffic manually, but that would be an impossible task. IDS (Intrusion Detection System) software automates the process of sniffing, examining, and, upon finding something suspicious, alerting. IDSs have been called the burglar alarm of computer networks and are an important part of network perimeter security. Without an IDS you have no idea if someone is probing or attacking your servers (unless the attack is so overwhelming that it results in a denial of service). Having this information can let you know if you need to make some firewall changes or harden the OS on a particular server a bit more.

You may see the term IPS for Intrusion Prevention Systems, which take things one step further by having the IDS adjust the firewall when it discovers something. Smart people disagree on the use of IPSs as it, in effect, gives an attacker some control of your firewall.

Snort (www.snort.org) is the most widely-used IDS software application; it is open source and included with Debian. There are two flavors of IDSs, host-based and network-based. Snort is a network-based IDS that can monitor all of the traffic on a network link to look for suspicious traffic. Typically, a network-based IDS is set up to monitor a DMZ or the internal network right behind the firewall, so it alerts to any possible threats that your firewall didn't catch.

There is a Web interface that works with Snort called BASE (Basic Analysis and Security Engine), which is based on ACID (Analysis Console for Intrusion Databases) and which we'll set up. BASE uses what's commonly referred to as a LAMP server (Linux, Apache, MySQL, PHP), so we'll need to install those applications as well.
• 4. Terminology

- Alert/Alarm: A signal suggesting that a system has been or is being attacked.
- True Positive: A legitimate attack which triggers an IDS to produce an alarm.
- False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
- False Negative: A failure of an IDS to detect an actual attack.
- True Negative: When no attack has taken place and no alarm is raised.
- Noise: Data or interference that can trigger a false positive.
- Site policy: Guidelines within an organization that control the rules and configurations of an IDS.
- Site policy awareness: An IDS's ability to dynamically change its rules and configurations in response to changing environmental activity.
- Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.
- Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.
- Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
- Masquerader: A user who does not have the authority to use a system, but tries to access the information as an authorized user. They are generally outside users.
- Misfeasor: They are commonly internal users and can be of two types:
  1. An authorized user with limited permissions.
  2. A user with full permissions who misuses their powers.
- Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.
• 5. SOFTWARE AND HARDWARE REQUIREMENTS

Software Specification:
- OS: Linux (BackTrack).
- Snort: the intrusion detection system.
- BASE: Basic Analysis and Security Engine (graphical detection engine).
- MySQL: database for logging alerts and intrusions.
- PHP: to set up BASE in the browser.
- PEAR packages: to set up the graphical environment of BASE.
- libpcap: to put the network adapter into packet capture mode on the network (WinPcap in the case of a Windows environment).
- ADOdb: to set up connectivity between BASE and MySQL.
- Apache: to run the system as a server on the network (having a static IP address).
- Static IP: the machine running Snort needs a static IP so that, every time you connect to the internet, you keep receiving alerts from different machines.

Hardware Specification:
- System Type: Intel
- Processor: Pentium 4
- Processor Speed: 2.8 GHz
- Hard Disk: 40 GB
- Memory Size: 128 MB
- Cache Memory: 128 KB
- Keyboard Type: 104 keys
- Monitor Type: EGA/VGA
- Monitor Manufacturer: Microtek
- Monitor Size: 15"
- Mouse: Logitech 3 buttons
- Floppy Card: 1.44 MB
• 6. CHAPTER-1 INTRODUCTION

"An intrusion detection system monitors computer systems, looking for signs of intrusion (unauthorized users) or misuse (authorized users overstepping their bounds)." (1)

Intrusion Detection Systems (IDS) can operate on a variety of different levels. Host-based IDSs reside on a host machine and execute intrusion detection locally. Network-based Intrusion Detection Systems (NIDS) focus on network data flow. The key to successfully identifying and preventing intrusion lies within the various techniques. "Using intrusion detection methods, you can collect and use information from known types of attacks and find out if someone is trying to attack your network or particular hosts."

IDSs have a series of steps that all need to be completed before a system can be appropriately protected. These steps revolve around the data that is being processed on the system being monitored. "Data is collected by monitoring activities in the hosts or network. The raw data is analyzed to classify activities as normal or suspicious. When a suspicious activity is considered sufficiently serious, a response is triggered."

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies.

IDPSes have become a necessary addition to the security infrastructure of nearly every organization. IDPSes typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack's content.

The intrusion detection system (Snort) is also a specialized tool that will parse and interpret network traffic or host activities and perform real-time network analysis and logging. This engine can manage a number of network ranges, activities, network traffic, port analysis, and firewall and server logs on one system. This happens when a network activity, malicious content, intrusion, port analysis activity, etc. matches the rules and signatures of our intrusion detection system.
• 7. Some of the common terms used in connection with IDSs are listed below:

- Alert/Alarm: A signal suggesting that a system has been or is being attacked.
- True Positive: A legitimate attack which triggers an IDS to produce an alarm.
- False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
- False Negative: A failure of an IDS to detect an actual attack.
- True Negative: When no attack has taken place and no alarm is raised.
- Noise: Data or interference that can trigger a false positive.
- Site policy: Guidelines within an organization that control the rules and configurations of an IDS.
- Site policy awareness: An IDS's ability to dynamically change its rules and configurations in response to changing environmental activity.
- Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.
- Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.
- Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
- Masquerader: A user who does not have the authority to use a system, but tries to access the information as an authorized user. They are generally outside users.
- Misfeasor: They are commonly internal users and can be of two types:
  1. An authorized user with limited permissions.
  2. A user with full permissions who misuses their powers.
- Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.
• 8. CHAPTER-2 BASIC REQUIREMENTS

The basic requirements for running an IDS, both software and hardware, are as follows:

SOFTWARE AND HARDWARE REQUIREMENTS

Software Specification:
- OS: Linux (BackTrack).
- Snort: the intrusion detection system.
- BASE: Basic Analysis and Security Engine (graphical detection engine).
- MySQL: database for logging alerts and intrusions.
- PHP: to set up BASE in the browser.
- PEAR packages: to set up the graphical environment of BASE.
- libpcap: to put the network adapter into packet capture mode on the network (WinPcap in the case of a Windows environment).
- ADOdb: to set up connectivity between BASE and MySQL.
- Apache: to run the system as a server on the network (having a static IP address).
- Static IP: the machine running Snort needs a static IP so that, every time you connect to the internet, you keep receiving alerts from different machines.

Hardware Specification:
- System Type: Intel
- Processor: Pentium 4
- Processor Speed: 2.8 GHz
- Hard Disk: 40 GB
- Memory Size: 128 MB
- Cache Memory: 128 KB
- Keyboard Type: 104 keys
- Monitor Type: EGA/VGA
- Monitor Manufacturer: Microtek
- Monitor Size: 15"
- Mouse: Logitech 3 buttons
- Floppy Card: 1.44 MB
• 9. CHAPTER-3 WHAT IS INTRUSION

An intrusion is a malicious activity, program or unauthorized system that can enter a network without any invitation or identity. These intrusions try to gain access to the network clients or the network server machines. Intrusions use services running on a system in order to successfully exploit the system and create an account on it. Once the attacker gains unauthorized access to the system, he can install rootkits or backdoors on it to gain further access, and use the system as a bot to attack other machines around the world.

CHAPTER-4 INTRODUCTION TO IDS

The intrusion detection system (Snort) is a specialized tool that will parse and interpret network traffic or host activities and perform real-time network analysis and logging. This engine can manage a number of network ranges, activities, network traffic, port analysis, and firewall and server logs on one system. This happens when a network activity, malicious content, intrusion, port analysis activity, etc. matches the rules and signatures of our intrusion detection system.

Intrusion detection is the act of detecting unwanted traffic on a network or a device. An IDS can be a piece of installed software or a physical appliance that monitors network traffic in order to detect unwanted activity and events such as illegal and malicious traffic, traffic that violates security policy, and traffic that violates acceptable use policies. Many IDS tools will also store a detected event in a log to be reviewed at a later date, or will combine events with other data to make decisions regarding policies or damage control. An IPS is a type of IDS that can prevent or stop unwanted traffic. The IPS usually logs such events and related information.

4.1 Need of IDS and IPS

Snort as an IDS and IPS can perform real-time packet analysis and logging on the network. One of the powerful features of Snort is protocol analysis and content searching/matching, which it uses to detect a variety of attacks such as buffer overflows, stealth port scans, SMB probes, OS footprinting, etc.

4.2 IDS vs. Firewalls

Firewalls: Firewalls are sets of predefined rules and programs that monitor and filter every packet flowing through the network. Firewalls are used over a network in order to protect the home network resources from being accessed by the outside world (internet). Firewalls also work as a proxy server for the home network. All data coming from an outside client first passes through the firewall and is only then given access to the resources. A firewall only works on well-known ports and services, such as Trojan ports, OS footprinting, some kinds of malicious code detection, etc. The network administrator can only use the predefined set of programs and rules and cannot set up their own.
• 10. Firewalls have serious limitations:
- Firewalls cannot prevent attacks coming from inside the network.
- They cannot detect higher-level attacks.
- No firewall provides protection against viruses.
- A firewall can't find other vulnerabilities which might allow a hacker to access the internal network.

IDS (Snort): The Snort IDS is a more powerful engine than a firewall:
- The Snort intrusion detection engine can be configured manually by network administrators, who write their own rules for the network.
- The Snort engine can be set up for port filtering, packet filtering and matching, sniffing and logging data.
- It can prevent attacks from internal network users.
- It can generate instant alerts for various viruses, worms, Trojans, backdoors, etc. and log them.
- The administrator can write rules to filter out and match every packet against the signatures defined for the network.
• 11. CHAPTER-5 TECHNOLOGIES (TYPES OF IDS)

Several types of IDS technologies exist due to the variance of network configurations. Each type has advantages and disadvantages in detection, configuration, and cost. Specific categories will be discussed in detail in Section 3, Technologies.

1. Network-based intrusion detection system (NIDS).
2. Host-based intrusion detection system (HIDS).
3. Distributed intrusion detection system.

5.1 Network-Based intrusion detection system (NIDS)

A NIDS monitors the entire network from the perspective of the location where it is deployed. In this case, the NIDS must operate in promiscuous mode in order to monitor all the network traffic (not only the data addressed to the particular NIC). Running the NIC in promiscuous mode is necessary in order to protect all of the network's connections.

A Network Intrusion Detection System (NIDS) is one common type of IDS that analyses network traffic at all layers of the Open Systems Interconnection (OSI) model and makes decisions about the purpose of the traffic, analyzing it for suspicious activity. Most NIDSs are easy to deploy on a network and can often view traffic from many systems at once. A term becoming more widely used by vendors is "Wireless Intrusion Prevention System" (WIPS), describing a network device that monitors and analyses the wireless radio spectrum in a network for intrusions and performs countermeasures.

"Network-based ID involves looking at the packets on the network as they pass by some sensor." (http://www.sans.org/resources/idfaq/network_based.php) Packets are only of interest if they happen to match a particular signature. There are three main types of signatures:

- String signatures: look for strings, or combinations of strings, that could potentially be an intrusion. Signatures containing sensitive file names may cause an alarm.
- Port signatures: signatures that contain port numbers that are regularly attacked (i.e. telnet (TCP port 23), FTP (TCP port 21/20), SUNRPC (TCP/UDP port 111), and IMAP (TCP port 143)); communications that use ports which are not normally in use may also be reason for suspicion.
- Header condition signatures: signatures that contain illogical data or well-known, dangerous content. "The most famous example is Winnuke, where a packet is destined for a NetBIOS port and the Urgent pointer, or Out Of Band pointer is set. This resulted in the 'blue screen of death' for Windows systems." (http://www.sans.org/resources/idfaq/network_based.php)

The key to making this intrusion detection system successful lies within the placement. Sensors need to be in a position that exposes them to the flow of network packets.

5.1.1 An Overview of the Open Systems Interconnection Model (OSI)

A NIDS is placed on a network to analyze traffic in search of unwanted or malicious events. Network traffic is built on various layers; each layer delivers data from one point to another. The OSI model and the transmission control protocol (TCP)/IP model show how each layer stacks up. Within the TCP/IP model, the lowest link layer controls how data flows on the wire, such as controlling voltages and the physical addresses of hardware, like mandatory access control (MAC) addresses. The Internet layer controls address routing and contains the IP stack. The transport layer controls data flow and checks data integrity. It includes TCP and the user datagram protocol (UDP). Lastly, the most complicated but most familiar level is the application layer, which contains the traffic used by programs. Application layer traffic includes the Web (hypertext transfer protocol [HTTP]), file transfer protocol (FTP), email, etc. Most NIDSs detect unwanted traffic at each layer, but concentrate mostly on the application layer.

[Figure 1.1: Network Intrusion Detection System]
5.2 Host-based intrusion detection system (HIDS):-
A HIDS runs on the host machine itself. It sees only the traffic arriving at, or generated by, that host, not the whole network, so the NIC stays in its default non-promiscuous mode. An advantage of a HIDS is that a different rule set can be applied to each host on the network.

Host-based intrusion detection is accomplished by installing software on each individual local system. These software modules, or agents, run on the monitored system and perform the detection, which can be done in several ways. One common method is for the agent to monitor the system logs and look for irregular patterns, for example unauthorised activity by a user without adequate permissions. The agent keeps a running log of the user's actions; if those actions raise a red flag, the system administrator can backtrack them and investigate why the user was using the system in that way.

Another method is to watch for suspicious running processes; a particular process name can mean trouble, depending on its purpose. Protecting the integrity of system files is another high-priority task for a HIDS: an agent can take an inventory of system files together with their permissions and report any change to the set. The same auditing tactic can be applied to user accounts, so that a change to a user's permissions or the creation of an unauthorised account is reported to the administrator.

All of these methods are classed as agent-based software, the largest category of HIDS. The other major category is host wrappers/personal firewalls. "Host wrappers or personal firewalls can be configured to look at all network packets, connection attempts, or login attempts to the monitored machine." (http://www.sans.org/resources/idfaq/host_based.php) Examples are dial-in attempts, non-network communication ports, or other software on the host attempting to connect to the network.
Figure 1.2 HOST BASED INTRUSION DETECTION SYSTEM

5.3 Distributed intrusion detection system (DIDS):-
A DIDS is a combination of NIDS and HIDS sensors deployed across a network.
FIGURE 1.3 Distributed intrusion detection system
CHAPTER-6 Approaches
As with many other technologies, no single approach gives adequate protection, so two or more intrusion detection techniques should be combined. "Within its limitations, it is useful as one portion of a defensive posture, but should not be relied upon as a sole means of protection." (2) IDSs will never entirely replace professional system administrators, because a large part of what an IDS does is data collection. The IDS can help with analysis, but the need for human analysis will probably never go away: not all suspicious behaviour is malicious, whereas an IDS flags it all.

CHAPTER-7 The Need for Intrusion Detection Systems
A computer intrusion can do damage in a variety of ways, depending on the intruder's intent. If the intrusion is merely a nuisance, resources still have to be spent to deal with it, diverting the system administrator's attention from the business. Even an intrusion that is not malicious (neither damaging nor theft-related) can bog down the network and cost employee productivity. Intrusions aimed at theft are particularly damaging in terms of competition: companies go to great lengths to protect their intellectual property, which can be a large source of income and market share, and if it falls into a competitor's hands the company can suffer greatly through lost revenue. Malicious damage may come from a hacker who intends to hurt a company by destroying data. This is the most damaging type of attack because it snowballs: the company loses records, customer information, business contacts and so on, and also takes a large hit in productivity, since until the information is restored much of the staff cannot work efficiently. A company may also lose customers because it has been the target of a computer intrusion; customers get nervous when they think their personal data could fall into the wrong hands.

Cases from http://www.usdoj.gov/criminal/cybercrime/cccases.html (loss in parentheses):
March 11, 2005 - Pleasant Hill, California: computer hacker from "Deceptive Duo" guilty of intrusions into government computers and defacing websites ($70,000)
September 9, 2004 - Ex-official of local computer consulting firm pleads guilty to computer attack charge ($100,000)
August 23, 2004 - Former employee of a Massachusetts high-technology firm charged with computer hacking ($26,400)
July 28, 2004 - Vallejo woman admits to embezzling more than $875,035; not-for-profit organization victim of computer fraud ($875,035)
July 21, 2004 - Florida man charged with breaking into Acxiom computer records; intrusion and theft of data result in loss of more than $7 million ($7,000,000)
May 1, 2001 - Creator of Melissa computer virus sentenced to 20 months in federal prison ($80,000,000)

Many of these attacks were carried out by "insiders", people who already had access to the company's internal network. Against an insider a firewall provides little protection. A common mistake is to assume that a firewall alone will keep hackers out; one must understand its limitations:
1. "Not all access to the Internet occurs through the firewall. The firewall cannot mitigate risk associated with connections it never sees." (5)
2. "Not all threat originates outside the firewall. Intrusion detection systems are part of the infrastructure that is privy to the traffic on the internal network. Therefore, they will become even more important as security infrastructures evolve." (5)

7.1 IDS Location
Where a NIDS is placed can decide between success and failure, and the type of information collected varies greatly with the sensor's position. For example, in the figure referenced below (from http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_chapter09186a0080104f0c.html#145):
Sensor #1 monitors the communication between a protected network and the Internet. This is the most common deployment.
Sensor #2 monitors the communication between a protected network and remote access servers.
Sensor #3 monitors the communication between internal sites.
Sensor #4 monitors the communication between a protected network and the extranet connection to a business partner.
Sensors at all these locations are necessary for complete coverage; each is placed to collect data at a point where an intrusion attempt could occur. A sensor in front of the firewall lets the administrator collect data about the types of attack being attempted against the network. A sensor at the firewall aids the firewall in preventing attacks. In case an intrusion gets past the firewall, another sensor behind it should intercept the intrusion, or at least log the event. Lastly, a sensor on the local network covers traffic that never passes through the firewall at all: statistics show that the most common type of system misuse comes from "insiders".
7.2 Intrusion Tactics
Fending off attackers is much easier when their tactics are known. Common tactics are listed below (from Intrusion Detection Systems (IDS) Part I, http://www.windowsecurity.com/articles/Intrusion_Detection_Systems_IDS_Part_I__network_intrusions_attack_symptoms_IDS_tasks_and_IDS_architecture.html):
Password cracking - discovery of users' passwords.
Trojan horses - malicious programs disguised as legitimate software.
Interception of communication - gaining unauthorised access, or exceeding authorised access.
Spoofing - tricking a computer system into thinking it is being accessed by an authorised user.
Packet sniffer - a software or hardware tool that monitors data packets on a network, often used to discover user passwords.
Hacking - taking advantage of system weaknesses to gain access to resources or privileges.
These are just a few of the attacks a system administrator may face. Because of the size of today's networks, many companies are far more exposed than they think, and no company can afford enough experienced system administrators to fend off every attack by hand.

CHAPTER-8 Snort
Snort is a lightweight intrusion detection system, developed by Martin Roesch in 1998 with the aim of creating an open source package that could rival commercial systems. Snort has had great success in the open source arena and is established as a true competitor to commercial solutions.

8.1 Snort Modes of Operation
Snort has two main modes of operation as used here. The first is packet sniffer mode, similar to tcpdump, in which packets are displayed or stored in a log file for later analysis. The other is network intrusion detection (NIDS) mode, in which rule sets are applied to packets to look for suspicious behaviour. Both modes are detailed below.

8.2 Packet Sniffer
Running Snort in packet sniffer mode lets the system administrator collect and store packet data at varying levels of detail. Although very similar to tcpdump, Snort has features beyond it: "The major feature that Snort has which tcpdump does not is packet payload inspection. Snort decodes the application layer of a packet and can be given rules to collect traffic that has specific data contained within its application layer." (http://www.snort.org/docs/lisapaper.txt) Snort also displays packet data more readably, and when logging to a file it can write in a tcpdump-compatible format, so tcpdump can still be used for analysis.

8.3 Network Intrusion Detection Mode
NIDS mode is quite different from sniffer mode. It does not capture or log every packet; instead it applies a set of rules to each passing packet. The rules are managed by the system administrator and should reflect common intrusion patterns; like virus definition files, they list packet patterns that generally indicate an intrusion or misuse. If a packet matches none of the rules, nothing happens. If it matches a rule, the packet is logged and may also generate an alert, a notification to the administrator that a questionable packet has been received by (or sent from) a particular system.

8.4 Network Intrusion Detection Rules
The rule files are referenced from the Snort configuration file, snort.conf (for example /opt/snort/etc/snort.conf, or /etc/snort/snort.conf on the Ubuntu packages used in Chapter 9), which is loaded with the "-c" command line option. A Snort rule has two parts: a rule header and rule options. The header holds the packet-matching criteria and the action to take on a match; the options hold supplementary matching criteria. An example rule:
alert ip any any -> any any (msg:"IP Packet detected";)
This generates an alert for every IP packet, sent or received. It is a good rule for testing that Snort works, but do not leave it in place: it can fill the hard drive with excessive logging.

8.5 Snort Rule Header
The rule header is broken down into the following fields:
action protocol address port direction address port
Action: determines what is done when a packet exactly matches the rule (e.g. alert, log, pass).
Protocol: restricts the rule to packets of one protocol (tcp, udp, icmp or ip).
Address: the source and destination addresses (a host, a CIDR block, a bracketed list, or "any"; a leading "!" negates).
Port: for TCP and UDP, the source and destination ports the rule applies to. For network-layer protocols such as IP and ICMP port numbers have no significance and "any" is written.
Direction: determines which address/port pair is the source and which the destination ("->" for one direction, "<>" for both).

8.6 Snort Rule Options
Rule options appear inside the parentheses of a rule, each as a keyword followed by a colon and an argument and terminated by a semicolon (keywords include ack, classtype, content, offset, depth, content-list, dsize, flags, fragbits, icmp_id, icmp_seq, itype, icode, id, ipopts, ip_proto, logto, msg, priority, react, reference, resp, rev, rpc, sameip, seq, flow, session, sid, tag, tos, ttl, uricontent). Options are ANDed together: every option must match in addition to the header criteria. This option set is what sets Snort's search capability apart from the competition.

8.7 Snort Alerts
When a packet meets a rule's criteria, Snort can log the entry to a log file or send out an alert. The alert modes are:
Fast mode ("-A fast") - reports timestamp, alert message, source and destination IP addresses and ports. The packet itself is not logged.
Full mode ("-A full") - reports the same information as fast mode plus the packet headers.
UNIX socket mode ("-A unsock") - sends alerts to other programs over a UNIX socket.
Syslog ("-s") - writes alerts to syslog, where system-level events are recorded.
SNMP mode - alerts are sent as SNMP traps, so a network management system can help administrators identify and correct the problem.
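The rule structure described in sections 8.4 to 8.6 can be checked by parsing a rule and matching it against traffic. The following Python program is an added example written for this page; it is not part of Snort and not the report's own code. It parses the header fields and the option list (keeping semicolons inside quoted content intact), enforces the header constraints stated above (known action, known protocol, "any" ports for ip and icmp), and then ANDs the header criteria with every content: option against constructed sample packets. The two rules and the packets are constructed for the example; the matcher understands only plain content strings and literal addresses, not hex content, nocase/offset/depth modifiers or $HOME_NET variables.

```python
import ipaddress
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# Constructed sample rules: the test rule from section 8.4 and a telnet rule of
# the kind section 8.6 describes (neither comes from a shipped ruleset).
SAMPLE_RULES = [
    'alert ip any any -> any any (msg:"IP Packet detected";)',
    'alert tcp any any -> 192.168.1.0/24 23 '
    '(msg:"telnet admin login"; content:"admin"; sid:1000001; rev:1;)',
]

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def parse_options(text):
    """Split 'key:"value"; key2:value;' into (key, value) pairs; a ';' inside
    a quoted argument (content:"a;b") must not end the option."""
    pairs, buf, in_quote = [], "", False
    for i, ch in enumerate(text):
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if buf.strip():
                key, _, val = buf.strip().partition(":")
                pairs.append((key.strip(), val.strip().strip('"')))
            buf = ""
        else:
            buf += ch
    if buf.strip():
        raise ValueError("option not terminated by ';': %r" % buf.strip())
    return pairs


def parse_rule(rule):
    """Parse one rule into its header fields plus its option list, enforcing
    the header constraints of section 8.5."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    if action not in ACTIONS:
        raise ValueError("unknown action %r" % action)
    if proto not in PROTOCOLS:
        raise ValueError("unknown protocol %r" % proto)
    if proto in ("ip", "icmp") and (sport, dport) != ("any", "any"):
        raise ValueError("ports have no meaning for %s; use 'any'" % proto)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "options": parse_options(opts)}


def _addr_match(spec, ip):
    """'any', a host or a CIDR block; a leading '!' negates the test."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")


def _port_match(spec, port):
    """'any', one port or a lo:hi range; a leading '!' negates the test."""
    if spec == "any":
        return True
    body = spec.lstrip("!")
    if ":" in body:
        lo, hi = body.split(":", 1)
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(body)
    return hit != spec.startswith("!")


def _header_match(rule, src, sport, dst, dport):
    return (_addr_match(rule["src"], src) and _port_match(rule["sport"], sport)
            and _addr_match(rule["dst"], dst) and _port_match(rule["dport"], dport))


def rule_matches(rule, pkt):
    """Header criteria AND every content: option (section 8.6). pkt is a dict
    with proto, src, sport, dst, dport and payload (bytes)."""
    if rule["proto"] != "ip" and pkt["proto"] != rule["proto"]:
        return False
    hit = _header_match(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not hit and rule["direction"] == "<>":  # bidirectional: try the reverse
        hit = _header_match(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return hit and all(val.encode() in pkt["payload"]
                       for key, val in rule["options"] if key == "content")


def alerts_for(rules, packets):
    """(packet index, msg) for every rule/packet pair that matches."""
    parsed = [parse_rule(r) for r in rules]
    return [(i, dict(rule["options"]).get("msg", ""))
            for i, pkt in enumerate(packets) for rule in parsed if rule_matches(rule, pkt)]


# Constructed packets: a telnet login as admin and one as bob.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.21",
     "dport": 23, "payload": b"login: admin\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.21",
     "dport": 23, "payload": b"login: bob\r\n"},
]
```

Calling alerts_for(SAMPLE_RULES, SAMPLE_PACKETS) returns three hits: the "IP Packet detected" test rule fires on both packets, which is exactly why section 8.4 warns not to leave it in place, while the content rule fires only on the admin login.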
CHAPTER-9 Configuring Snort as IDS:-
Installing Snort and BASE
Snort is a network monitor that watches traffic on the network and picks out anomalies. Originally written by Martin Roesch, it is one of the premier open source security tools. The name comes from Martin's description of his program as a packet sniffer; since it could do much more than sniff, he named it Snort, and the pig mascot came along much later.

An important property of Snort is that it can be combined with many other tools. One of these is BASE, the Basic Analysis and Security Engine. BASE lets a user run a monitoring system (typically Snort) and view its output from a separate machine through an easy to navigate web interface, with the ability to dig deeper into the stored data. The hard part of BASE is the setup: it requires installing, configuring and running Snort, then a MySQL database, then an Apache web server, so in essence four projects are installed and configured as one. Once complete, the result is well worth it.

To start, install LAMP (Linux, Apache, MySQL, PHP), the base services the project needs. On the Ubuntu 10.10 system used here:
# tasksel install lamp-server
tasksel may itself need to be installed first, since it is not present by default. The installer asks several questions, including the password for the MySQL root user. LAMP is the backbone of the setup: Apache serves the ACID/BASE pages so the user can interact with the data, and MySQL is the backend database that holds it.

Next, set up the MySQL database for Snort:
# mysql -u root -p
mysql> create database snort;
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON snort.* TO 'snort'@'localhost' IDENTIFIED BY 'password';
mysql> FLUSH PRIVILEGES;
mysql> quit
This creates the database in which Snort will store the network information, and a dedicated user that can only touch that database (use a real password rather than 'password').

Now install Snort itself, again with apt-get:
# apt-get install snort-mysql
The installer asks a few questions. One is the address of your local network in classless inter-domain routing (CIDR) notation; on a home network this is most likely a /24, on a corporate network check with the network administrator. It then asks whether to install a database; we have already created one, so answer no.

The next step is to add the table structure to the Snort database. The snort-mysql package ships a file "create_mysql.gz" containing the tables needed to log to MySQL:
# cd /usr/share/doc/snort-mysql
# zcat create_mysql.gz | mysql -u snort -p snort
(enter the snort user's password)
# cd -
This changes to the directory containing create_mysql.gz, loads its contents into the snort database, and returns to the previous directory.

Next, edit snort.conf in the /etc/snort/ directory (around line 786 in this version) and enable the MySQL output line for the database created above:
output database: log, mysql, user=snort password=password dbname=snort host=localhost
Note that the database password sits in clear text in this file, so keep snort.conf readable only by root. Then start the Snort daemon:
# /etc/init.d/snort start

Now for the fun part, installing ACID/BASE:
# apt-get install acidbase
Again you are asked a few questions. The first is whether to configure a database for acidbase: answer yes and choose MySQL, enter the MySQL root password set during the LAMP installation, give one more user password, and ACID is set up. Then edit /etc/acidbase/apache.conf so that Apache allows the local network to reach the acidbase pages (the machine used here has IP address 192.168.146.164 with subnet mask 255.255.255.0, i.e. 192.168.146.0/24), and restart Apache:
# /etc/init.d/apache2 restart
Snort:-
Snort's engine consists of detection and prevention components that work together to reassemble traffic, resist evasion, detect threats and report them, with the aim of neither raising false positives nor missing real threats. Snort must be configured manually for the needs of the network in its configuration file (snort.conf):
FIGURE 2.1 SNORT.CONF

Here we set the network range the IDS protects. Ranges are written in CIDR notation, e.g. 192.168.1.0/24; several ranges are given as a bracketed list such as [192.168.1.0/24,192.168.11.0/24]. Change
var HOME_NET any
to
var HOME_NET 192.168.1.0/24
and
var EXTERNAL_NET any
to
var EXTERNAL_NET !$HOME_NET
EXTERNAL_NET is then everything that is not HOME_NET. A prefix length such as /101 or /254 is not a valid netmask and Snort will reject it. Then, in the same file, tell the Snort engine which rule files to use.
FIGURE 2.2 NETWORK RANGE
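The HOME_NET setting above is the one place in snort.conf where a typo silently changes what the IDS considers internal. The following Python helper is an added example for this page, not part of Snort and not the report's own code. It validates a list of networks with the standard ipaddress module before emitting the two var lines, rejecting invalid prefix lengths such as /101 or /254, and classifies an address the way !$HOME_NET does. The bracketed list syntax for several networks is Snort's; the function names and the sample networks are this example's own.

```python
import ipaddress


def build_net_vars(home_nets):
    """Validate HOME_NET entries and return the two snort.conf 'var' lines.

    Each entry must be a host address or a CIDR block. An invalid prefix
    length such as 192.168.1.0/101 or 192.168.1.1/254 raises ValueError here
    instead of being written into snort.conf. Host bits are tolerated, so
    192.168.1.1/24 is normalised to 192.168.1.0/24.
    """
    if not home_nets:
        raise ValueError("HOME_NET needs at least one network")
    nets = []
    for entry in home_nets:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError("bad HOME_NET entry %r: %s" % (entry, exc))
    joined = ",".join(str(n) for n in nets)
    # Snort wants square brackets around a comma-separated list of networks.
    home_value = "[%s]" % joined if len(nets) > 1 else joined
    return ["var HOME_NET %s" % home_value, "var EXTERNAL_NET !$HOME_NET"]


def classify(ip, home_nets):
    """Which variable an address falls under once EXTERNAL_NET is defined as
    !$HOME_NET: every address not inside HOME_NET is external."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in home_nets]
    return "HOME_NET" if any(addr in n for n in nets) else "EXTERNAL_NET"


# Constructed sample: the two ranges mentioned in this section as valid /24
# blocks, plus one deliberately invalid entry.
VALID_NETS = ["192.168.1.0/24", "192.168.11.0/24"]
INVALID_NETS = ["192.168.1.0/101"]

if __name__ == "__main__":
    print("\n".join(build_net_vars(VALID_NETS)))
    print(classify("192.168.11.7", VALID_NETS), classify("8.8.8.8", VALID_NETS))
    try:
        build_net_vars(INVALID_NETS)
    except ValueError as err:
        print("rejected:", err)
```

Run this before editing snort.conf and paste the two lines it prints; anything that makes it raise would make Snort refuse the configuration.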
Configure Snort with as many rule categories as you want, such as bad traffic, port scans, exploits, ftp, dos attacks.
Syntax of rules:
The general form of a Snort rule is
action proto src_ip src_port direction dst_ip dst_port (options)
Example (an activate/dynamic pair):
activate tcp any any -> 192.168.1.21 22 (content:"/bin/sh"; activates:1; msg:"Possible SSH buffer overflow";)
dynamic tcp any any -> 192.168.1.21 22 (activated_by:1; count:100;)
The activate rule alerts when "/bin/sh" appears in traffic to port 22 of 192.168.1.21 and switches on the dynamic rule, which then logs the next 100 packets to that port so the rest of the session is captured. (Activate/dynamic rules are deprecated in later Snort 2 releases in favour of the tag option, which achieves the same effect in a single rule.)

Next, install PHP and the PHP extensions BASE needs for graphs, statistics and bar charts. Then download ADODB, which BASE uses to connect to the MySQL database, and enable the PHP MySQL extension (php5-mysql) so that the pages Apache serves can reach the MySQL backend.
FIGURE 2.3 ADODB

Finally, point your web browser at http://localhost/acidbase. If you get an error, go to http://localhost/acidbase/base_db_setup.php to create the additional tables BASE needs. The page should look like this:
FIGURE 3.1 BASE
This installation already shows a few alerts, but the system is now up and running. Now run an nmap scan against the system and alerts will really start to appear. To check that Snort runs with the configuration, start it against it:
snort -c /etc/snort/snort.conf
(adding -T only tests the configuration and exits without sniffing).
FIGURE 3.2 ALERT
CHAPTER-10 What is IPS:-
An Intrusion Detection System (IDS) is a device or software application that monitors network and/or system activity for malicious activity or policy violations and reports to a management station. Intrusion detection and prevention systems (IDPSs) have become a necessary part of the security infrastructure of nearly every organisation. An intrusion prevention system (IPS) is considered an extension of an IDS: both monitor network traffic and/or system activity for malicious activity. The main difference is that an IPS is placed in-line and can actively prevent or block the intrusions it detects.

10.1 How IPS works:-
10.1.1 Signature-based detection: compares known threat signatures with observed events to identify incidents.
• Very effective at detecting known threats but largely ineffective against unknown threats and many variants of known threats.
• Cannot track and understand the state of complex communications, so it cannot detect most attacks that consist of multiple events.
Examples:
• A telnet attempt with a username of "admin", which violates the organisation's security policy.
• An e-mail with the subject "Download movies" and an attachment named *.exe, characteristic of a known form of malware.
10.1.2 Anomaly-based detection: samples network activity and compares it with traffic known to be normal.
• When measured activity falls outside the baseline parameters or clipping level, the IDPS raises an alert.
• Can detect new types of attack.
• Requires much more overhead and processing capacity than signature-based detection.
• May generate many false positives.
10.1.3 Stateful protocol analysis: a key development in IDPS technology was the use of protocol analysers.
• Protocol analysers natively decode application-layer protocols such as HTTP or FTP.
• Once a protocol is fully decoded, the IPS analysis engine evaluates each part of it for anomalous behaviour or exploits, against predetermined profiles of generally accepted benign activity for each protocol state.
• Problems with this approach: it is often very difficult or impossible to build completely accurate models of protocols, it is very resource-intensive, and it cannot detect attacks that do not violate generally acceptable protocol behaviour.
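The trade-offs listed for signature-based and anomaly-based detection in 10.1.1 and 10.1.2 are easiest to see on data. The following Python program is an added example written for this page, not the report's own code and not taken from any IDS product. It encodes the two example signatures from 10.1.1 as exact-match predicates and runs them over constructed connection summaries, then applies a clipping level (mean plus k standard deviations of a normal baseline) to constructed per-minute connection counts. The event records, the baseline and the observed counts are all constructed for the example.

```python
import statistics

# Constructed connection summaries (not from a real capture), one per event.
# 'user' is the login attempted over telnet; 'subject'/'attach' apply to mail.
SAMPLE_EVENTS = [
    {"id": 1, "dport": 22, "user": "alice", "subject": "", "attach": ""},
    {"id": 2, "dport": 23, "user": "admin", "subject": "", "attach": ""},
    {"id": 3, "dport": 25, "user": "", "subject": "Download movies", "attach": "movie.exe"},
    {"id": 4, "dport": 23, "user": "Admin", "subject": "", "attach": ""},  # variant the signature misses
    {"id": 5, "dport": 25, "user": "", "subject": "Download movies", "attach": "movie.zip"},
]

# The two signatures of section 10.1.1, as exact-match predicates.
SIGNATURES = [
    ("telnet login as admin",
     lambda e: e["dport"] == 23 and e["user"] == "admin"),
    ("mail with movie subject and .exe attachment",
     lambda e: e["dport"] == 25 and e["subject"] == "Download movies"
     and e["attach"].lower().endswith(".exe")),
]


def signature_detect(events):
    """Return (event id, signature name) for every event matching a signature.

    Exact matching is what makes this cheap and precise for known threats,
    and also why event 4 (user 'Admin') slips through: a trivial variant.
    """
    return [(e["id"], name) for e in events for name, match in SIGNATURES if match(e)]


# Connections per minute during a period known to be normal (constructed).
BASELINE = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13]
# Observed minutes: a 40-connection burst (e.g. a scan) and one busy but
# legitimate minute of 19.
OBSERVED = [14, 13, 40, 15, 19]


def anomaly_threshold(baseline, k=3.0):
    """Clipping level: mean plus k population standard deviations."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)


def anomaly_detect(observed, baseline, k=3.0):
    """Return (minute index, count) for every minute above the clipping level.

    No signature is needed, so the burst is caught even if the scanner is new,
    but the busy minute of 19 is flagged too: the false-positive cost of the
    approach, tunable through k at the price of missing smaller bursts.
    """
    threshold = anomaly_threshold(baseline, k)
    return [(i, c) for i, c in enumerate(observed) if c > threshold]


if __name__ == "__main__":
    print("signature hits:", signature_detect(SAMPLE_EVENTS))
    print("clipping level: %.1f" % anomaly_threshold(BASELINE))
    print("anomalous minutes:", anomaly_detect(OBSERVED, BASELINE))
```

With this baseline the clipping level is 18.0, so the scan minute (40) and the busy minute (19) are both flagged; raising k to 4.0 moves the level to 19.5 and silences the false positive, which is the tuning decision an anomaly-based IDPS forces on its administrator.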
CHAPTER-11 Challenges in IDS:
11.1 IDS scalability in large networks: Many networks are large and may contain a heterogeneous collection of thousands of devices, whose sub-networks communicate using different technologies and protocols. One challenge for an IDS deployed over such a network is for its components to communicate across sub-networks, sometimes through firewalls and gateways, where devices may use different data formats and protocols; the IDS must recognise all of them. The matter is further complicated if different trust relationships are enforced in different parts of the network. Finally, the IDS components must communicate across the boundaries between those parts, but opening up lines of communication can itself create new vulnerabilities in network boundaries that attackers can exploit.
11.2 Vulnerabilities in operating systems: Many common operating systems are simply not designed to operate securely, so malware is often written to exploit discovered vulnerabilities in popular operating systems. Depending on the nature of the attack, once an operating system is compromised it can be difficult for an IDS to recognise that the system is no longer trustworthy. Going forward, operating systems must be designed to better support security policies for authentication, access control and encryption.
11.3 Signature-based detection: A common IDS strategy is to memorise the signatures of known attacks. The inherent weakness of relying on signatures is that the pattern must be known first: new attacks often go unrecognised by popular IDSs, and signatures can be masked (for example by encoding or fragmenting the payload). The ongoing race between new attacks and detection systems remains a challenge.
CHAPTER-12 Conclusion:
Nothing is secure in this world. Every new lock has a new key; maybe you have not found it, but someone definitely has.

Intrusion detection and prevention systems are important parts of a well-rounded security infrastructure. IDSs are used in conjunction with other technologies (e.g. firewalls and routers), are part of procedures (e.g. log reviews), and help enforce policies. The IDS technologies (NIDS, WLAN IDS, NBAD and HIDS) are used together, correlating data from each device and making decisions based on what each type of IDS can monitor. IDSs should be used as part of defence in depth (DiD), never alone; other techniques, procedures and policies must also protect the network. IDSs have improved significantly in the past decade, but some problems still plague security administrators, and these will continue to be addressed as IDS technologies improve.

All of this work is for educational purposes and security audits. We have tried to minimise mistakes; if any are found, suggestions can be sent to bikash.dash2012@gmail.com
CHAPTER-13 Index
IDS ........ 4
SNORT ...... 13
BASE ....... 16
IPS ........ 24