Your SlideShare is downloading. ×
Intrusion Detection System
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

Intrusion Detection System

30,251
views

Published on

ids&ips technique is used to capture logs,sessions,port no,trojans,and malicious activity on the networkand servers.here u can get detailed about ids and ips techniques

ids&ips technique is used to capture logs,sessions,port no,trojans,and malicious activity on the networkand servers.here u can get detailed about ids and ips techniques

Published in: Technology

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
30,251
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
512
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. 1|Page INTRUSION DETECTION SYSTEMBy BikashDash(White-hat) ContentsChapter No Title Page No1 Introduction 12 Basic Requirements 33 What is intrusion 44 Introduction to IDS 4 4.1 Need of IDS &IPS 4 4.2 IDS VS Firewall 45 Types Of IDS 6 5.1 Network –based Intrusion Detection System 6 5.2 Host based intrusion detection system 8 5.3 Distributed Intrusion Detection System 106 Approaches 117 The need of IDS 118 SNORT 13 8.1 SNORT MODES OF OPERATION 13 8.2 Packet sniffers 13 8.3 Network intrusion detection mode 14 8.4 Network rules 14 8.5 Snort rule header 149 Configuring snort as ids 1610 What is ips? 2411 Challenges in ids 2512 Conclusion 2613 Appendices 27 2814 Reference 1
  • 2. 2|Page 2
  • 3. 3|Page Abstract Snort: Intrusion Detection SystemMalicious network traffic (such as worms, hacking attempts, etc.) has certain patterns to it.You could monitoryour network traffic with a sniffer and look for this malicious traffic manually, but that would be animpossible task. IDS (Intrusion Detection System) software which automates the process of sniffing,examining, and upon finding something suspicious, alerting.IDS have been called the burglar alarm of computer networks and are an important part of network perimetersecurity. Without IDS you have no idea if someone is probing or attacking your servers (unless the attack is sooverwhelming that it results in a denial of service). Having this information can let you know if you need tomake some firewall changes or harden the OS on a particular server a bit more.You may see the term IPS for Intrusion Prevention Systems which takes things one step further, having theIDS adjust the firewall when it discovers something. Smart people disagree on the use of IPSs as it, in effect,gives an attacker some control of your firewall.Snort (www.snort.org) is the most widely-used IDS software application and its open source and includedwith Debian. There are two flavors of IDSs, host-based and network-based. Snort is a network-based IDS thatcan monitor all of the traffic on a network link to look for suspicious traffic. Typically, a network-based IDSis set up to monitor a DMZ or the internal network right behind the firewall so it alerts to any possible threatsthat your firewall didnt catch.There is a Web interface that works with Snort called BASE (Basic Analysis and Security Engine) which isbased on ACID (Analysis Console for Intrusion Databases) which well set up. BASE uses whats commonlyreferred to as a LAMP server (Linux, Apache, MySQL, PHP) so well need to install those applications aswell. 3
  • 4. 4|PageTerminology Alert/Alarm: A signal suggesting that a system has been or is being attacked. True Positive: A legitimate attack which triggers an IDS to produce an alarm. False Positive: An event signaling an IDS to produce an alarm when no attack has taken place. False Negative: A failure of an IDS to detect an actual attack. True Negative: When no attack has taken place and no alarm is raised. Noise: Data or interference that can trigger a false positive. Site policy: Guidelines within an organization that control the rules and configurations of an IDS. Site policy awareness: An IDSs ability to dynamically change its rules and configurations in response to changing environmental activity. Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack. Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks. Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities. Masquerader: A user who does not have the authority to a system, but tries to access the information as an authorized user. They are generally outside users. Misfeasor: They are commonly internal users and can be of two types: 1. An authorized user with limited permissions. 2. A user with full permissions and who misuses their powers. Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured. 4
  • 5. 5|PageSOFTWARE AND HARDWARE REQUIREMENTSSoftware Specification:OS :- Linux (Backtrack).Snort :- As intrusion detection system.BASE:- Basis analysis and security engine(Graphical detection Engine).MySQL :- Database to log of alerts and intrusions.PHP:- To setup up base on browser.Pear packages:- To set Graphical environment on BASE.Libpcap:- To set up network adapter on packet capture mode onnetwork.(Win cap in case of windows environment).Ado dB:- To setup connectivity between BASE and mysql .Apache: - To run the system as a server on network (having static IP address).Static IP:- The machine running Snort must need a static IP , so that every time you connect to the internet,you will get continuous alerts from from different machines.Hardware Specification: System Type : INTEL Processor : Pentium 4 Processor Speed : 2.8 GHZ Hard Disk : 40 GB Memory Size : 128 MB Cache Memory : 128 KB Keyboard Type : 104 key‘s Monitor Type : EGA/VGA Monitor Manufacture : Microtek Monitor Size : 15`` Mouse : Logitech 3 Buttons Floppy Card : 1.44 MB 5
  • 6. 6|PageCHAPTER-1 INTRODUCTION ―An intrusion detection system monitors computer systems, looking for signs of intrusion(unauthorized users) or misuse (authorized users overstepping their bounds).‖ (1) Intrusion Detection Systems(IDS) can operate on a variety of different levels. Host-Bases IDSs reside on a host machine and executeintrusion detection locally. Network-based Intrusion Detection Systems (NIDS) focus on network data flow.The key to successfully identifying and preventing intrusion lies within the various techniques.―Usingintrusion detection methods, you can collect and use information from known types of attacks and find out ifsomeone is trying to attack your network or particular hosts.‖ IDSs have a series of steps that all need to becompleted before a system can be appropriately protected. These steps revolve around the data that is beingprocessed on the system being monitored. ―Data is collected by monitoring activities in the hosts or network.The raw data is analyzed to classify activities as normal or suspicious. When a suspicious activity isconsidered sufficiently serious, a response is triggered.‖ Actually Anintrusion detection system (IDS) is a device or software application thatmonitors network and/or system activities for malicious activities or policy violations and produces reports toa Management Station. Some systems may attempt to stop an intrusion attempt but this is neither required norexpected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused onidentifying possible incidents, logging information about them, and reporting attempts. In addition,organizations use IDPSes for other purposes, such as identifying problems with security policies,documenting existing threats, and deterring individuals from violating security policies. IDPSes have becomea necessary addition to the security infrastructure of nearly every organization.IDPSes typically recordinformation related to observed events, notify security administrators of important observed events, andproduce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it fromsucceeding. They use several response techniques, which involve the IDPS stopping the attack itself, changingthe security environment (e.g., reconfiguring a firewall), or changing the attack‘s content. TheIntrusiondetection system(SNORT) is also a specialized tool that willparse and interpret network traffic or hostactivities and perform real-timenetwork analysis and logging. This engine can manage number of networkranges,activities,network traffics, port analysis, andfirewall and server logs on one system. This will happenwhen a network activity, malicious content ,intrusions, port analysis activities etc. Matches to our rules andsignatures of our intrusion detection system. 6
  • 7. 7|Page Some of the monetary tools are used based on IDs, they are below: Alert/Alarm: A signal suggesting that a system has been or is being attacked. True Positive: A legitimate attack which triggers an IDS to produce an alarm. False Positive: An event signalingan IDS to produce an alarm when no attack has taken place. False Negative: A failure of an IDS to detect an actual attack. True Negative: When no attack has taken place and no alarm is raised. Noise: Data or interference that can trigger a false positive. Site policy: Guidelines within an organization that control the rules and configurations of an IDS Site policy awareness: An IDSs ability to dynamically change its rules and configurations in response to changing environmental activity. Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack. Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks. Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities. Masquerader: A user who does not have the authority to a system, but tries to access the information as an authorized user. They are generally outside users. Misfeasor: They are commonly internal users and can be of two types: 1. An authorized user with limited permissions. 2. A user with full permissions and who misuses their powers. Clandestine user: A user who acts as a supervisor 7
  • 8. 8|Page CHAPTER-2BASIC REQUIREMENTS:The basic requirements used in IDSesare as follow as software wise and also hardware wise:SOFTWARE AND HARDWARE REQUIREMENTSSoftware Specification:OS :- Linux (Backtrack).Snort :- As intrusion detection system.BASE:- Basis analysis and security engine(Graphical detection Engine).MySQL :- Database to log of alerts and intrusions.PHP:- To setup up base on browser.Pear packages:- To set Graphical environment on BASE.Libpcap:- To set up network adapter on packet capture mode onnetwork.(Win cap in case of windows environment).Ado Db:- To setup connectivity between BASE and mysql .Apache: - To run the system as a server on network (having static IP address).Static IP:- The machine running Snort must need a static IP , so that every time you connect to the internet,you will get continuous alerts from from different machines.Hardware Specification: System Type : INTEL Processor : Pentium 4 Processor Speed : 2.8 GHZ Hard Disk : 40 GB Memory Size : 128 MB Cache Memory : 128 KB Keyboard Type : 104 key‘s Monitor Type : EGA/VGA Monitor Manufacture : Microtek Monitor Size : 15`` Mouse : Logitech 3 Buttons Floppy Card : 1.44 MB 8
  • 9. 9|Page CHAPTER-3What is Intrusion:-Intrusion is a malicious activity or programs or unauthorized systemwhich can enter into a network withoutany invitation or identity .These intrusions try to gain access to the network clients or the network servermachines. Intrusions use services running on a system in order to successfully exploit the system and create anaccount on the system. Once the attacker gains unauthorized access to the system , he can install rootkits orbackdoors to the system to gain further access to the system and use the system as bot to attack on othermachines over the world. CHAPTER-4 INTRODUCTION TO IDSIntrusion detection system(SNORT) is a specialized tool that willparse and interpret network traffic or hostactivities and perform real-time network analysis and logging. This engine can manage number of networkranges,activities,network traffics, port analysis, and firewall and server logs on one system.This will happenwhen a network activity, malicious content ,intrusions, port analysis activities etc.matches to our rules andsignatures of our intrusion detection system.Intrusion detection is the act of detecting unwanted traffic on a network or a device. An IDS can be a piece ofinstalled software or a physical appliance that monitors network traffic in order to detect unwanted activityand events such as illegal and malicious traffic, traffic that violates security policy, and traffic that violatesacceptable use policies. Many IDS tools will also store a detected event in a log to be reviewed at a later dateor will combine events with other data to make decisions regarding policies or damage control. An IPS is atype of IDS that can prevent or stop unwanted traffic. The IPS usually logs such events and relatedinformation.4.1Need of IDS and IPS:-Snort as an IDS and IPS can perform real-time packet analysis andlogging on network. One of the powerfulfeatures of snort is protocol analysis and content searching/matching and uses it to detect varietyof attacks such as buffer overflow , stealth port scans, SMB probes,OSfootprinting etc.4.2IDS vs. Firewalls:-Firewalls:-Firewalls are the set of predefined rules and programs that canmonitor and filter every packet flowing throughthe network.Firewalls are used over a network in order to protect the homenetwork resources from being accessed by the outside world(internet).Firewalls also works as a proxy serverfor the home network. Every data coming from outside client first pass through the firewall and then givenaccess to the recourses. Firewall only works on well known ports and services such as: Trojan ports,osfootprinting, somekind of malicious code detection etc. The network administrator can only use thepredefined set of programs and rules and cannot set up own. 9
  • 10. 10 | P a g eFirewalls have serious limitations:-- Firewalls cannot prevent inside attacks from network.- Cannot detect higher level attacks.- No firewall provides protection against viruses.- Firewall can‘t find other vulnerabilities which might allow hacker toaccess internal network.IDS(Snort):-Snort IDS is a more powerful engine then Firewalls:-- Snort Intrusion detection engine can be configured manually by the network administrators to write thereown rules for thenetwork.- Snort engine can be set up for any any ports filtering ,packetfiltering and matching, sniffing and loggingdata.- Can prevent attacks from internal network users.- Can generate instant alerts for various viruses , worms, Trojans ,backdoors etc. and log them.- Administrator can rule to filter out and match every packet to the signatures defined on the network. 10
  • 11. 11 | P a g e CHAPTER-5Technologies(TYPES OF IDS):Several types of IDS technologies exist due to the variance of network configurations. Each type hasadvantages and disadvantage in detection,configuration, and cost. Specific categories will be discussed indetail in Section 3, Technologies.1. Network-based intrusion system(NIDS).2. Host-based intrusion system(HIDS).3. Distributed intrusion system.5.1 Network-Based intrusion system(NIDS):-NIDS monitors the entire network perspective of the location where itis deployed .In this case, the NIDS mustoperate in promiscuous mode in order to monitor all the network traffic(not only the data assigned forparticular NIC card). This is necessary to run the NIC card in promiscuous mode in order to protect the wholenetwork connections. A Network Intrusion Detection System (NIDS) is one common type of IDS thatanalyses network traffic atall layers of the Open Systems Interconnection (OSI)model and makes decisionsabout the purpose of the traffic, analyzing for suspicious activity. Most NIDSs are easy to deploy on anetwork and can often view traffic from many systems at once. A term becoming more widely used byvendors is ―Wireless Intrusion Prevention System‖ (WIPS) to describe a network device that monitors andanalyses the wireless radio spectrum in a network for intrusions and performs countermeasures. ―Network-based ID involves looking at the packets on the network as they pass by some sensor.‖(―http://www.sans.org/resources/idfaq/network_based.php‖) Packets are only of interest if they happen tomatch a particular signature. There are three main types of signatures: String signatures – Look for strings, or combinations of strings, that could potentially be an intrusion. Signatures containing sensitive file names may cause an alarm. Port signatures – Signatures that contain port numbers that are regularly attached (i.e. telnet (TCP port 23), FTP (TCP port 21/20), SUNRPC (TCP/UDP port 111), and IMAP (TCP port 143), or communications that are utilizing ports that are not used may be reason for suspicion. Header condition signatures – Signatures that contain illogical data or well known, dangerous content. ―The most famous example is Winnuke, where a packet is destined for a NetBIOS port and the Urgent pointer, or Out Of Band pointer is set. This resulted in the "blue screen of death" for Windows systems.‖ (―http://www.sans.org/resources/idfaq/network_based.php―)The key to making this intrusion detection system successful lies within the placement. Sensors need to be ina position that will exposed the sensors to the flow of network packets.5.1.1 An Overview of the Open SystemsInterconnectionModel(OSI)A NIDS is placed on a network to analyze traffic in search of unwanted or malicious events. Network traffic isbuilt on various layers; each layer delivers data from one point to another. The OSI model and transmissioncontrol protocol(TCP)/IP model show how each layer stacks up. Within the TCP/IP model, the lowest linklayer controls how data flows on the wire, such as controlling voltages and the physical addresses ofhardware, like mandatory access control (MAC) addresses. The Internet layer controls address routing andcontains the IP stack. The transport layer controls 11
  • 12. 12 | P a g edata flow and checks data integrity. It includes theTCP and user datagram protocol (UDP). Lastly, the mostcomplicated but most familiar level is the application layer, which contains the traffic used by programs.Application layer traffic includes the Web(hypertext transfer protocol [HTTP]), file transfer protocol (FTP), email, etc. Most NIDSs detect unwantedtraffic at each layer, but concentrate mostly on the application layer. Figure 1.1 NETWORK INTRUSION DETECTION SYSTEM 12
  • 13. 13 | P a g e5.2 Host-based intrusion detection system (HIDS):-HIDS is a system that can be used on the host machine. In this case,the IDS will detect only the data comingon the host machine and work on entire network. The NIC card works in non-promiscuous mode by default.Another advantage of HIDS is, we can set different rule set for different hosts on the network. Host-Based Intrusion Detection is accomplished by installing software on each individual localsystem. These software modules, or agents, work on the client system to perform intrusion detection. Thiscan be accomplished using a variety of methods. One common method is to have the software agent monitorthe system logs, and look for irregular patterns. An example of this is when an agent watches forunauthorized activities done by a user without adequate permissions. Essentially, the agent will keep arunning log of the users actions. If the users actions raise a red flag (meaning that the actions of the user aresuspicious), then the system administrator is able to backtrack the actions, and investigate why a particularuser was using the system in that way. Another effective method for Host-Based IDSs is to watch forsuspicious processes that are running. Sometimes a particular process name can mean trouble for systemadministrator, depending upon its purpose. Protecting the integrity of the system files is another high prioritytask for Host-Based IDSs. An IDS agent can take an inventory of system files, along with their permissions,and report any changes to the set. The same auditing tactic can be used to watch user accounts. An IDS thatwitnesses a users permissions being changed, or unauthorized user being created can indicate problems for asystems administrator. All of these methods are classified as agent-based software, which makes up thelargest category of Host-Based IDSs. The other major category is the host wrappers/personal firewalls. ―Hostwrappers or personal firewalls can be configured to look at all network packets, connection attempts, or loginattempts to the monitored machine.‖ (http://www.sans.org/resources/idfaq/host_based.php) Examples ofthese are dial-in attempts, non-network related communication ports, or software other software on the hostattempting to connect to the network. (―http://www.sans.org/resources/idfaq/host_based.php‖) 13
  • 14. 14 | P a g e Figure 1.2 HOST BASED INTRUSION DETECTION SYSTEMDistributed intrusion detection system(DIDS):- 14
  • 15. 15 | P a g eDIDS is just a combination on NIDS and HIDS over a network. FIGURE 1.3 Distributed intrusion detection system 15
  • 16. 16 | P a g e CHAPTER-6Approaches Just as with many other technologies today, no single approach is going to give appropriate protection.Therefore, a combination of the two or more intrusion detection techniques should be applied. ―Within itslimitations, it is useful as one portion of a defensive posture, but should not be relied upon as a sole means ofprotection.‖ (2) IDSs will never entirely replace the need for professional system administrators, mainlybecause a large function of the IDS system is merely data collections. Although the IDS can provide somehelp in data analysis, the need for human interaction/analysis will probably never go away. Not all-suspiciousbehavior should be assumed to be malicious, and IDSs would do just that. CHAPTER-7 The Need for Intrusion Detection Systems A computer intrusion can be damaging in a variety of ways, depending on the intent of the intrusion.If the intrusion amounts to a nuisance, then resources have to be expended to alleviate the problem. Thisrequires the system administrator to divert their attention away from business, and to focus on the annoyance.Even if an intrusion isn‘t malicious, i.e. not damaging or theft related, the intrusion could bog down thenetwork, causing a loss of productivity among the employees. Intrusions that are aimed at theft areparticularly damaging to a company in terms of competition. Companies go to great lengths to protect theirIntellectual Property, since it can be such a large source of income and market share. If this information fallsinto the wrong hands, i.e. the competition, then the company can suffer greatly due to lost revenue. Maliciousdamages may come about by a hacker who intends to hurt a company by destroying data. This is the mostdamaging type of an attack because it has a snowball effect. Not only does a company lose many records,customer information, business contacts, etc., but they also take a huge hit in the productivity area. Until allthe information is restored, much of the staff cannot work efficiently. A company may also lose customersdue to the fact that the company has the target of a computer hacking. Customers tend to get very nervouswhen they think that their personal data has the potential to fall into the wrongs hands. March 11, 2005 - Pleasant Hill, California Computer Hacker from "Deceptive Duo" Guilty of Intrusions into Government Computers and Defacing Websites ($70,000) September 9, 2004 - Ex-Official Of Local Computer Consulting Firm Pleads Guilty To Computer Attack Charge ($100,000) August 23, 2004 - Former Employee Of A Massachusetts High-Technology Firm Charged With Computer Hacking ($26,400) July 28, 2004 - Vallejo Woman Admits To Embezzling More Than $875,035 - Not-For-Profit Organization Victim Of Computer Fraud ($875,035) July 21, 2004 - Florida Man Charged With Breaking Into Acxiom Computer Records - Intrusion and Theft of Data Result in Loss of More than $7 Million ($7,000,000) May 1, 2001 - Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison ($80,000,000) from http://www.usdoj.gov/criminal/cybercrime/cccases.html Many of the attacks listed above were done by ―insiders‖, which are people that had access to thecompany‘s internal network. In the case of an insider attack, a firewall can provide little protection. Acommon mistake occurs when companies assume that a firewall will protect them from hackers. One mustunderstand the limitations of a firewall: 16
  • 17. 17 | P a g e 1. ―Not all access to the Internet occurs through the firewall. The firewall cannot mitigate risk associated with connections it never sees.‖ (5) 2. ―Not all threat originates outside the firewall. Intrusion detection systems are part of the infrastructure that is privy to the traffic on the internal network. Therefore, they will become even more important as security infrastructures evolve.‖ (5)7.1 IDS LocationThe location of a Network Intrusion Detection System can be the deciding factor between success and failure.The type of information collected can also vary greatly depending on where the IDS sensor is placed. Forexample, in the figure below:fromhttp://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_chapter09186a0080104f0c.html#145) Sensor #1: This sensor monitors the communication between a protected network and the internet. This is the most common type of protection that is practiced. Sensor #2: This sensor monitors the communication between a protected network and remote access servers. Sensor #3: This sensor monitors the communication between internal sites. Sensor #4: This sensor monitors the communication between a protected network and the extranet connection with a business partner.Having sensors at these various locations is necessary for complete coverage. Each sensor is strategicallyplaced to collect data that could be the site of an intrusion attempt. A sensor should be placed in front of thefirewall, so that the system administrator can start collecting data about the types of attacks that are beingattempted against the network. A sensor should also be placed to aid the firewall (at the firewall level) inpreventing attacks. In the event that an intrusion makes it past the firewall, another IDS agent should be thereto intercept/divert the intrusion, or at least log the event. Lastly, a sensor should be placed on the localnetwork for traffic that does no pass through the firewall. Statistics show that the most common type ofsystem misuse comes from ―insiders‖. 17
  • 18. 18 | P a g e7.2 Intrusion TacticsFending off potential attackers is must easier when the attack tactics are known. Listed below are thecommon hacking tactics used by computer hackers: Password cracking – Discovery of user‘s passwords. Trojan horses - Malicious programs that are disguised as legitimate software Interception of Communication - Gains unauthorized access or exceeds authorized access. Spoofing - A program used by a cracker to trick a computer system into thinking it is being accessed by an authorized user. Packet Sniffer - A software or hardware tool that monitors data packets on a network. Generally used to discover user passwords. Hacking - Taking advantage of system weaknesses to gain access to resources or privilegesfrom Intrusion Detection Systems (IDS) Part I(http://www.windowsecurity.com/articles/Intrusion_Detection_Systems_IDS_Part_I__network_intrusions_attack_symptoms_IDS_tasks_and_IDS_architecture.html)These are just a few of the many types of attacks that a systems administrator may have to face. Due to thevast size of today‘s networks, many companies are far more susceptible to attacks thanthey probably think.Comfort can no longer be found by hiring experienced/over-priced system administrators to fend off all ofthese attacks. Companies would go broke trying to compensate their resource pool of system administrators. CHAPTER=8Snort Snort is a lightweight intrusion detection system. Martin Roesch, who was aiming at creating an opensource package that could rival the commercial systems, developed Snort in 1998. Snort has had incrediblesuccess in the open source arena and has been established as a true competitor to commercial solutions.8.1 Snort Modes of Operation Snort has two main modes of operation. This first is a packet sniffer mode, which is similar totcpdump. Packets are stored in a log file, which allows for later analysis. The other mode of operation is aNetwork Intrusion Detection System (NIDS). When Snort functional in this mode, rule sets are applied topackets, which in turn, look for suspicious behavior. Both modes of operation are detailed below.8.2 Packet Sniffer Running Snort in packet sniffer mode will allow system administrators to collect and store packet data.Snort can be configured to collect packet data in varying detail, depending on how much detail is required.Although very similar to tcpdump, Snort does have features that extend beyond the capability of tcpdump.―The major feature that Snort has which tcpdump does not is packet payload inspection. Snort decodes theapplication layer of a packet and can be given rules to collect traffic that has specific data contained within itsapplication layer.‖ (http://www.snort.org/docs/lisapaper.txt) Snort also has a more readable display of thepacket data. One additional feature that Snort provides is that while logging to a file, Snort will still log in aformat that is compatible with tcpdump, so users can still use tcpdump for analysis. 18
  • 19. 19 | P a g e8.3 Network Intrusion Detection Mode Running Snort in Network Intrusion Detection Mode is quite different than running in packet sniffermode. Network Intrusion Detection mode does not capture/log the network packets. Instead, it applies a setof rules on each passing packet. The set of rules are managed by the system administrator and should reflectcommon intrusion patterns. These patterns are a lot like virus definition files in that they show a list ofcommon packet patterns that generally indicate an intrusion or misuse of the system. No action is taken if thepacket does not meet one of the implemented rules. If a packet does match one of the rules, then the packet islogged, and may also generate an alert. An alert is a notification to the system administrator that aquestionable packet has just been received (or send out) from a particular system.8.4 Network Intrusion Detection Rules The rules definition files can generally be found in the /opt/snort/etc/snort.conf and can be activatedwith the ―-c‖ command line option. Snort rules contain two basic elements: a Rule Header and Rule Options.The Rule Header is going to contain the criteria for packet matching. It also contains instructions on whatactions need to be taken in the event of a rule match. The Rule Options part will contain supplementalinformation to be used for the matching criteria. An example of a rule is provided below: alertip any any -> any any (msg: "IP Packet detected";)In this example, an alert is generated every time as IP packet is detected, either sending of receiving. This is agood rule to test Snort, but do not leave this rule in place. The particular rule has the ability to fill up a usershard rive because of all the excessive logging.8.5 Snort Rule Header The rule header contains a lot of information that need to be broken down into different sections.Below is a listing of the Snort Rule Header architecture: Action Protocol Address Port Direction Address Port Action: The action part of the rule determines the type of action taken when criteria are met and a rule is exactly matched against a data packet. Protocol: The protocol part is used to apply the rule on packets for a particular protocol only. Address: The address parts define source and destination addresses. Port: In case of TCP or UDP protocol, the port parts determine the source and destination ports of a packet on which the rule is applied. In case of network layer protocols like IP and ICMP, port numbers have no significance. Direction: The direction part of the rule actually determines which address and port number is used as source and which as destination.8.6 Snort Rule OptionsSnort Rule Options can be found within the set of parenthesis contain in a Snort Rule. Options generallyfollow the format of having a keyword (i.e. ACK, CLASSTYPE, CONTENT, OFFSET, DEPTH, CONTENT-LIST, DSIZE, FLAGS, FRAGBITS, ICMP_ID, ICMP_SEQ, ITYPE, ICODE, ID, IPOPTS, IP_PROTO,LOGTO, MSG, PRIORITY, REACT, REFERENCE, RESP, REV, RPC, SAMEIP, SEQ, FLOW, SESSION,SID, TAG, TOS, TTL, URICONTENT), followed by an argument. The options portion of the rules is capable 19
  • 20. 20 | P a g eof AND logical. The options supplement the rule header‘s matching criteria. With all of these optionavailable to the users, the search capability of Snort sets itself apart from the competition.8.7 Snort AlertsWhen a packet does meet the criteria of a rule, then Snort can either log the entry to a log file, or it can sendout an alert. Snort has a variety of alert modes, which are all detailed below: Fast Mode (―-A fast‖) – This mode reports Timestamp, Alert message, Source and destination IP addresses, and Source and destination ports. The actual packet is not logged while using this mode. Full Mode (―-A full‖) – This mode reports the same information as in Fast Mode, but it also includes the packet‘s header. UNIX Socket Mode (―-A unsock‖) – This mode will allow a system administrator to send alerts to other programs using a UNIX socket. Alerts to Syslog (―-s‖) – This mode will store the alert is the syslog, which is where system level events are recorded. SNMP Mode – Alerts can also be sent as SNMP messages, where Network Management Systems can help system administrators identify and correct the problem. 20
  • 21. 21 | P a g e CHAPTER-9Configuring Snort as IDS:- Installing Snort and BASESnort, the intrusion detection system, is a network monitor that watches traffic on the network and picks outanomalies. Originally designed by Martin Roesch, Snort is known as one of the premier open source securitysoftware suites in the world. The name is originally derived from Martin, who developed what he saw as apacket sniffer. But he knew that the software could do much more than just sniff packets, so he came up withSnort. It was not until much later that the Pig came into play at all.A very important thing about Snort is its ability to be implemented into many different types of tools. One ofthese tools is BASE, or the Base Analysis and Security Engine. BASE allows a user to set up a main systemfor monitoring, most likely utilizing Snort, and view the output on a separate machine via an easy to navigateand use web browser. All the information is stored in an easy to use format, with the ability to dig deeper intothe data. The one thing that is difficult in BASE is the setup. This includes many different aspects, includinginstalling, configuring, and running Snort. Following this, you have to set up a MySQL database, which canbe a feat in itself, and finally an Apache Web Server. So in all essence, this is the installing and configuring offour major projects all in one. But once the final project is complete, it is quite a fantastic outcome.To start off with, you have to install LAMP. Basically, LAMP stands for Linux Apache MySQL PHP. Theseare some of the base services and programs needed for the project. Since we are building this project on anUbuntu 10.10 system, we will use# tasksel install lamp-serverYou may have to install tasksel, because it is not a base package installed by default. After that, you will havemost of the base tools you need for the system to run. When you install lamp, it will ask you plenty ofquestions, including asking for what the password for the root user will be on the MySQL database. The pointof this software is to serve as the backbone for the software. LAMP uses Apache as the HTTP server forACID/BASE, so the user can easily interact with the data, and MySQL serves as the backend database to holdthe information.After installing that, you have to set up the MySQL database for snort. This is easily done by running thefollowing commands:# mysql –u root –pmysql> create database snort;mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATETEMPORARY TABLES, LOCK TABLES ON snort.* TO ‗snort‘@‘localhost‘ IDENTIFIED BY ‗password‘;mysql> FLUSH PRIVILEGES;mysql> quitWhat this does is create the database that Snort will use to store the network information in. Now, there isanother very important step, actually installing Snort. This is most easily done by installing it using apt-getagain:# apt-get install snort-mysqlThis will begin the installation. There again are a few more questions that need to be answered. One is to inputthe network address for your local network. Included in this network address will be classless inter-domainrouting, or CIDR. If you are on a home network, this is most likely going to be /24. If working on a corporate 21
  • 22. 22 | P a g enetwork, check with the network administrator. After putting that in, the installation will ask if you want toinstall a database. We already have set one up, so we aren‘t going to worry about that. So go ahead and put no.The next part is to add in the table structure for the MySQL database used with Snort. Snort, whendownloaded, creates in a file called ―create_mysql.gz‖ that includes the tables needed to log data to a databasefor MySQL. We are going to use this. The following commands are what are needed:# cd /usr/share/doc/snort-mysql# zcat create_mysql.gz | mysql –u snort –p snortInsert your password…# cd –What this does is to change to the snort MySQL directory that has the ―create_mysql.gz‖ file. From there, weadd the contents of that file to the database we created called snort. Then we go back to the original directorywe were just in.The next little thing that is needed is to add a comment to the snort.conf file in /etc/snort/ directory. It shouldbe on line 786, and looks about like this:I want you to notice also that the password is in clear text, in the configuration file. That is, it shows it ispassword. After you do that work, go ahead and start the Snort daemon. This is done with the followingcommand:# /etc/init.d/snort startNow, finally for the fun part. We get to install ACID/BASE. Go ahead and install acidbase from the commandline again:# apt-get installacidbaseThis will start the installation. Again, you will be asked a few questions. The first will ask if you want toconfigure a database type for acidbase. Go ahead and say yes, then choose MySQL. You will have to enter apassword, so go ahead and put in the password you used for setting up LAMP at the very beginning. Give onemore user password, and your acid is set up.Now you have to do a simple edit to your /etc/acidbase/apache.conf file:What this does is to allow the local system to connect to the acidbase setup. My IP address on the machine is192.168.146.164, with a subnet mask of 255.255.255.0, or /24 CIDR. After doing that, restart the Apacheserver by typing:# /etc/init.d/apache2 restart 22
  • 23. 23 | P a g eSnort :- Snort delivers the high performance engine. This engine consists of threat detection and preventioncomponents that work together to reassemble traffic, prevent evasions, detect threats, and output informationabout these threats without creating false positives or missing legitimate threats. need to configure snort Wemanually in according to the needs of the network from the snort configuration file(snort.conf):- FIGURE 2.1 SNORT.CONF 23
  • 24. 24 | P a g eHere we will set the network range for IDS . We can set it formultiple network ranges such as :192.168.1.1/254 or192.168.1.1/254,192.168.11.1/254 etc.Set var HOME_NET any to: var HOME_NET 192.168.1.0/101 -Set var EXTERNAL_NET any to: var EXTERNAL_NET ! -$HOME_NETAfter that , we will set snort engine for our rules. Use the same file(snort.conf) to use rules. FIGURE 2.2 NETWORK RANGE 24
  • 25. 25 | P a g eConfigure snort for any number of rules you want such as : -Bad traffic , port scans, exploits, ftp, dos attacksSyntax of Rules defining:-Heres the general form of a Snort rule:Action proto src_ipsrc_port direction dst_ipdst_port (options)Example:-activatetcp any any -> 192.168.1.21 22 (content:"/bin/sh";activates:1; msg:"Possible SSH buffer overflow"; )dynamictcp any any -> 192.168.1.21 22 (activated_by:1; count:100;) Next step , is to install PHP and PHP extensions for BASE to workproperly(graphs, statics, bar graphs etc.).The next step is to download ADODB to maintain connectivitybetween Snort BASE engine andmysqldatabse.Configure apache2 server to use mysql as backend database. We will set mysql extensions in apache2configuration file. 25
  • 26. 26 | P a g e FIGURE2.3 ADODB 26
  • 27. 27 | P a g eFinally, go to your web browser and go to http://localhost/acidbase to get to the website running. Sometimesyou may get an error, in which case you can go to http://localhost/acidbase/base_db_setup.php to set up thedifferent databases you may need. Your web server should look a little like this: FIGURE 3.1 BASENow mine already has a few alerts, but the system is now up and running. Congratulations! Now run an nmapscan on the system, and you‘ll start to see alerts start to really pop up.Now we have to check weather the sn is working or not, this can be done by using a command :- ortSnort -c /etc/snort/snort.conf 27
  • 28. 28 | P a g e FIGURE 3.2 ALERT 28
  • 29. 29 | P a g e CHAPTER-10 What is IPS:-An Intrusion Detection System (IDS) is a device or software application that monitors network and/or systemactivities for malicious activities or policy violations and produces reports to a Management. IDPSs havebecome a necessary addition to the security infrastructure of nearly every organization. Intrusion preventionsystems are considered extensions of intrusion detection systems because they both monitor network trafficand/or system activities for malicious activity. The main differences are, unlike intrusion detection systems,intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that aredetected.10.1How IPS works:-10.1.1Signature-based: compares known threat signatures to observed events to identify incidents.• This is very effective at detecting known threats but largely ineffective at detecting unknown threats andmany variants on known threats.• Signature-based detection cannot track and understand the state of complex communications, so it cannotdetect most attacks that comprise multiple events.Examples:• A telnet attempt with a username of ―admin‖, which is a violation of an organization‘s security policy.• An e-mail with a subject of ―Download movies‖ and an attachment filename of *.exe, which arecharacteristics of a known form of malware. 10.1.2Anomaly- Anomaly-based detection: sample network activity to compare to traffic that is known tobe normal.• When measured activity is outside baseline parameters or clipping level, IDPS will trigger an alert.• Anomaly-based detection can detect new types of attacks.• Requires much more overhead and processing capacity than signature-based .• May generate many false positives.10.1.3Stateful protocol analysis: A key development in IDPS technologies was the use of protocol analyzers.• Protocol analyzers can natively decode application-layer network protocols, like HTTP or FTP. Once theprotocols are fully decoded, the IPS analysis engine can evaluate different parts of theprotocol for anomalousbehaviour or exploits against predetermined profiles of generally accepted definitions of benign protocolactivity for each protocol state.• Problems with this type include that it is often very difficult or impossible to develop completely accuratemodels of protocols,it is very resource-intensive, and it cannot detect attacks that donot violate thecharacteristics of generally acceptable protocol behaviour. 29
  • 30. 30 | P a g e CHAPTER-11Challenges in IDS:11.1Id scalability in large networks:Many networks are large and can even contain a heterogeneous collection of thousands of devices. Sub-components in a large network may communicate using different technologies and protocols. One challengefor IDS devices deployed over a large network is for IDS components to be able to communicate across sub-networks, sometimes through firewalls and gateways. On different parts of the network, network devices mayuse different data formats and different protocols for communication. The IDS must be able to recognize thedifferent formats. The matter is further complicated if there are different trust relationships being enforcedwithin parts of the network. Finally, the IDS devices must be able to communicate across barriers betweenparts of the network. However, opening up lines of communication can create more vulnerabilities in networkboundaries that attackers can exploit.11.2 Vulnerabilities in Operating SystemsMany common operating systems are simply not designed to operate securely. Thus, malware often is writtento exploit discovered vulnerabilities in popular operating systems. Depending on the nature of the attack,many times if an operating is compromised, it can be difficult for an IDS to recognize that the operatingsystem is no longer legitimate. Moving forward, operating systems must be designed to better support securitypolicies pertaining to authentication, access control,and encryption.11.3 Signature-Based DetectionA common strategy for IDS in detecting intrusions isto memorize signatures of known attacks. Theinherent weakness in relying on signatures is that the signature patterns must be known first. New attacks areoften unrecognizable by popular IDS. Signature scan be masked as well. The ongoing race between newattacks and detection systems has been a challenge 30
  • 31. 31 | P a g e CHAPTER-12Conclusion:Nothing is security in this world. Every new lock has everynew key. May be you have not, but someone havedefinitely…………Intrusion detection and prevention systems are important parts of a well-rounded securityinfrastructure. IDSsare used in conjunction with other technologies (e.g., firewalls and routers), are part of procedures (e.g., logreviews), and help enforce policies. Each of the IDS technologies—NIDS, WLAN IDS, NBAD, and HIDS—are used together, correlating data from each device and making decisions based on what each type of IDS canmonitor. Although IDSs should be used as part of defense in depth (DiD), they should not be used alone.Other techniques, procedures, and policies should be used to protect the network. IDSs have made significantimprovements in the past decade, but some concerns still plague our security administrators. These problemswill continue to be addressed as IDS technologies improve.All the works are based on the education purposes and security audits.we are trying to solve and minimize themistakes,if mistakes are found then suggestion can be given to bikash.dash2012@gmail.com 31
  • 32. 32 | P a g e CHAPTER-13 IDS …………………………………….. 4 SNORT……………………………………..13 BASE ……………………………………..16 IPS …………………………………….. 24 32
  • 33. 33 | P a g e References  Amsterdam.(2010,1217).SnortIDS.Retrievedon05,2011,fromhttp://help.ubuntu.com/community/SnortI DS  Install Snort and BASE. (n.d.). Retrieved April 14, 2011, from VladGH: http://vladgh.com/blog/install-snort-and-base  Turnbull, J. (n.d.). Improving Snort performance with Barnyard. Retrieved April 18, 2011, from TechTarget:  http://searchenterpriselinux.techtarget.com/tip/Improving-Snort-performance- withBarnyard?ShortReg=1&mboxConv=searchEnterpriseLinux_RegActivate_Submit& 33
  • 34. 34 | P a g e 34