Network Protection Using Intrusion Detection System (IDS)
Muhammad Arsalan Paracha
CIPMA Lab, PIEAS
Outline
- Network Security Fundamentals
- IDS Overview
- IDS Types
- Snort - IDS
  - Components
  - Rules
  - Configurations
  - Attack detection
What is Security
“Quality or state of being secure or free from danger”
What is Network Security
Application of administrative, physical, and technical controls in a network to provide Confidentiality, Integrity and Availability.
CIA Triad
- Confidentiality: protection from unauthorized access
- Integrity: protection from unauthorized alteration
- Availability: timely and uninterrupted access
A Few Terminologies
- Vulnerability: any weakness
- Attack: exploitation of a vulnerability
- Threat: the possibility of an attack
- Cyber Attack: any action compromising the security of information owned by an individual or organization
- Cyber Weapon: any software, hardware or user used for a cyber attack
Security, Functionality, and Ease of Use
[Figure: triangle whose corners are Security, Ease of Use and Functionality]
Network Security Monitoring (NSM)
- Network security monitoring is an automated process that monitors network devices and traffic for security vulnerabilities, threats, and suspicious activities.
- Organizations can use it to detect and respond to cybersecurity breaches quickly.
NSM Cycle
- The NSM Cycle consists of three distinct phases:
  - Collection
  - Detection
  - Analysis
Intrusion Detection System (IDS)
- A collection of techniques and methodologies used to monitor suspicious activities at both the network and the host level
- It is not a firewall (it is an additional level of security in the network)
- An IDS is more like an alarm system
- It performs actions such as alerting, logging, etc. upon detection
  - Network administrators can change the firewall rules upon detection of attacks
- Can help detect attacks that pass through the firewall
- Protection from insiders
- It inspects the content of the network traffic
IDS
- Deployed with multiple sensors at various locations on the network
- Sensors report to a centralized management console
- A sensor monitors traffic, matches it against the rule sets and raises an alert, logs it or takes some other action
- A rule set contains traffic signatures or rules for unwanted behavior
  - Rules: check for thresholds, protocol, and source and destination IP
  - Signatures: traffic patterns associated with attacks
IDS
Dr. Hanif Durad
Host Based IDS (HIDS)
- Log Monitors
  - Parse system event log files
  - Example: Apache access log file, check for “cgi-bin”
- Integrity Checkers
  - Check key system structures for changes
    - System files, registry keys
  - Tripwire (FIM solution): file additions, deletions, flag modifications, access times, etc.
Network Based IDS (NIDS)
- Signature Based
  - Database of known signatures
  - Similar to virus signatures, but it looks for attack signatures
- Anomaly Based
  - Form a baseline for a normal system
  - Raise an alarm when the system is no longer functioning under normal conditions
Signature Based IDS
- The most common form of IDS is signature-based
- These systems work by examining packet data for indicators of compromise (IOCs)
- Indicators are combined with IDS platform-specific directives to form signatures (also called rules)
- Whenever a signature-based IDS locates data that matches content found in a signature, it generates an alert
- The two most popular signature-based IDSs are Snort and Suricata
Snort - a network intrusion prevention and detection system
Snort Modes
- Sniffer mode: simply reads the packets off of the network and displays them for you in a continuous stream on the console (screen)
- Packet Logger mode: logs the packets to disk
- IDS / offline mode
- IPS / inline mode
Snort Components
Packet Decoder
- Takes packets from different types of network interfaces (Ethernet, SLIP, PPP, …)
- Determines which underlying protocols are used in the packet (such as Ethernet, IP, TCP, etc.)
- It also detects various anomalous behaviors in packet headers
Preprocessor
- Plugins that modify or set up data for the detection engine
- It rearranges the data so that it is detectable by the IDS
- Packet defragmentation
  - If a packet is too large, it gets fragmented into smaller packets
  - The fragments must be reassembled prior to analysis
Preprocessor
- frag3 – detects packet fragmentation
- Stream5 – self protection against TCP and UDP
- http_inspect – web traffic
- rpc_decode – RPC traffic
- Reputation – provides basic IP blacklist/whitelist capabilities
- sfportscan – detects port scanning activities
- + many others
Detection Engine
- Most important part of the engine
- Uses the detection rules
- Its performance depends on
  - Speed of the machine
  - Number of rules
  - Load on the network
- The Detection Engine applies rules to different parts of the packet
  - Header (IP/TCP/Application)
  - Packet payload
- Policy for matching of rules varies with versions
Logging and Alerting system
- Based upon the matched rule, the packet is logged and/or an alert is generated
- Logs go to /var/log/snort
  - The -l option changes the log location
Snort Rules
- Written on a single line
- Rules are created from known intrusion signatures
- Included in the snort configuration file
- A rule consists of a rule header followed by rule options
Snort Rule
- Rule header: action, protocol, source IP address, source port, destination IP address, destination port
- Rule options
Rule Header - Actions
- The first item in a rule is the rule action. The rule action tells Snort what to do when it finds a packet that matches the rule criteria. There are 3 available default actions in Snort: alert, log, pass. In addition, if you are running Snort in inline mode, you have additional options which include drop, reject, and sdrop.
  - alert - generate an alert using the selected alert method, and then log the packet
  - log - log the packet
  - pass - ignore the packet
  - drop - block and log the packet
  - reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP
  - sdrop - block the packet but do not log it
Rule Header - Source and Destination IP Address Field (1/2)
- (source network) (port) -> (destination network) (port)
- CIDR (Classless Inter Domain Routing) notation is used for the network arguments, e.g. 10.35.24.0/24
- For the Snort rules files, you really deal with only two types of entries:
  - Networks
  - Hosts
Rule Header - Source and Destination IP Address Field (2/2)
- Source and Destination IP Address Field
  - Format: Address/netmask
    - Address: x.x.x.x
    - Netmask: number of bits of the network mask
  - For example
    - 24.0.0.0/8 Class A
    - 24.3.0.0/16 Class B
    - 192.185.67.0/24 Class C
    - 192.185.67.188 host address
  - Special keywords:
    - any
    - ! (negation)
    - $HOME_NET (variable defined elsewhere)
Rule Header - Source and Destination Port Field
- Source and Destination Port Field
  - Static port: 111
  - All ports: any
  - Range: 110:3000
  - Negation: !80
  - Less than or equal: :1023
  - Greater than or equal: 1024:
Rule Header - Direction Indicator
- Rule Header Fields
  - ->
    - Source information is specified to the left of the arrow, destination information to the right of the arrow
  - There is also a bidirectional operator, which is indicated with a <> symbol. This tells Snort to consider the address/port pairs in either the source or destination orientation. This is handy for recording/analyzing both sides of a conversation, such as telnet or POP3 sessions
Rule Options
- All Snort rule options are separated from each other using the semicolon (;) character. Rule option keywords are separated from their arguments with a colon (:) character
- There are four major categories of rule options
  - General (msg, reference & classtype)
    - These options provide information about the rule but do not have any effect during detection
  - Payload (content, depth, offset & nocase)
    - These options all look for data inside the packet payload and can be inter-related
  - Non-Payload (ttl, id, dsize, flags, seq & icmp_id)
    - These options look for non-payload data
  - Post Detection (logto & session)
    - These options are rule-specific triggers that happen after a rule has “fired.”
Snort Rule example
- Rule Header
  alert tcp $EXTERNAL_NET any -> $HOME_NET 21
- Rule Options
  (msg:"ftp Exploit"; flow:to_server,established; content:"|31c031db 41c9b046 cd80 31c031db|"; reference:bugtraq,1387; classtype:attempted-admin; sid:344; rev:4;)
Rule Classification
Snort Configuration File
Snort.conf
- The Snort configuration file contains 9 basic sections:
  1) Set the network variables
  2) Configure the decoder
  3) Configure the base detection engine
  4) Configure dynamic loaded libraries
  5) Configure preprocessors
  6) Configure output plugins
  7) Customize your rule set
  8) Customize preprocessor and decoder rule set
  9) Customize shared object rule set
Snort Configuration
- Snort configuration has three main parameters
  1. Variables
  2. Config
  3. Includes
Snort Configuration: Variables
- Variables are used to store information to be referenced and manipulated
- Three types of variables may be defined in snort:
  - var: a simple variable that can be defined for any purpose
  - portvar: used to define a port or a list of ports
  - ipvar: used to define an IP or a list of IPs
Snort Configuration: Variables
- Example
  var RULES_PATH /usr/local/etc/rules/
  portvar MY_PORTS [22,80,1024:1050]
  ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]
- Usage:
  alert tcp any any -> $MY_NET $MY_PORTS (flags:S; msg:"SYN packet";)
Snort Configuration: Config
- Many configuration and command line options of Snort can be specified in the configuration file
- Format
  config <directive> [: <value>]
- Example
  config frag3
  OR
  config alert_with_interface_name ens33 (equivalent to snort -I)
Snort Configuration: Include
- The include keyword allows other snort config files to be included within the snort.conf indicated on the Snort command line
- It works much like #include in the C programming language
- Format
  include <include file path/name>
- Example
  include $RULE_PATH/example.rule
Attack Detection in Snort
Rule options for NMAP
Identify NMAP Ping Scan
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "NMAP ping sweep Scan"; dsize:0;sid:10000004; rev: 1; )
Identify NMAP TCP Scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "NMAP TCP Scan";sid:10000005; rev:2; )
Identify NMAP XMAS Scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap XMAS Tree Scan"; flags:FPU; sid:1000006; rev:1; )
Rule options for NMAP
Identify NMAP FIN Scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap FIN Scan"; flags:F; sid:1000008; rev:1;)
Identify NMAP NULL Scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap NULL Scan"; flags:0; sid:1000009; rev:1; )
Identify NMAP UDP Scan
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"Nmap UDP Scan"; sid:1000010; rev:1; )
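As an added illustration (not Snort's own code and not part of the slides), the following Python matcher implements the rule-header syntax described above (address and port fields with CIDR, negation, $variables, lists, the -> and <> operators) plus the flags and dsize options, and runs the six NMAP rules from the slides over constructed packet records. The HOME_NET/EXTERNAL_NET values and the packets are assumptions; it also shows why the bare "NMAP TCP Scan" rule fires on ordinary inbound SSH traffic.

```python
import ipaddress
import re

# Constructed ipvar-style values standing in for the ones snort.conf would define.
VARIABLES = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24"}

# Rule header: action proto src sport (-> | <>) dst dport, then (options).
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_port_spec(spec):
    """Predicate for a port field: any, 111, 110:3000, :1023, 1024:, !80, $VAR, [list]."""
    spec = VARIABLES[spec[1:]] if spec.startswith("$") else spec
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        test = lambda p: True
    elif spec.startswith("["):                      # portvar-style list [22,80,1024:1050]
        parts = [parse_port_spec(s) for s in spec.strip("[]").split(",")]
        test = lambda p: any(t(p) for t in parts)
    elif ":" in spec:                               # an open end means <= or >=
        lo, hi = spec.split(":", 1)
        lo, hi = int(lo or 0), int(hi or 65535)
        test = lambda p: lo <= p <= hi
    else:
        test = lambda p, v=int(spec): p == v        # single static port
    return (lambda p: not test(p)) if negate else test

def parse_addr_spec(spec):
    """Predicate for an address field: any, host, CIDR, !negation, $VAR, [list]."""
    spec = VARIABLES[spec[1:]] if spec.startswith("$") else spec
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        test = lambda ip: True
    else:
        nets = [ipaddress.ip_network(s, strict=False) for s in spec.strip("[]").split(",")]
        test = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    return (lambda ip: not test(ip)) if negate else test

def parse_rule(text):
    """Split one rule into header predicates plus a keyword -> argument options dict."""
    m = RULE_RE.match(" ".join(text.split()))       # slides wrap rules over several lines
    if not m:
        raise ValueError("malformed rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for item in filter(None, (s.strip() for s in opts.split(";"))):
        key, _, value = item.partition(":")         # keyword:argument, ';'-separated
        options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "bidir": direction == "<>",
            "src": parse_addr_spec(src), "sport": parse_port_spec(sport),
            "dst": parse_addr_spec(dst), "dport": parse_port_spec(dport), "options": options}

def rule_matches(rule, pkt):
    """Header (either orientation for <>) and every supported option must hold."""
    if rule["proto"] != pkt["proto"]:
        return False
    def header(src, sport, dst, dport):
        return (rule["src"](src) and rule["sport"](sport)
                and rule["dst"](dst) and rule["dport"](dport))
    if not (header(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]) or
            (rule["bidir"] and header(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))):
        return False
    opts = rule["options"]
    if "flags" in opts:                             # plain form: exactly these bits; 0 = none set
        want = set() if opts["flags"] == "0" else set(opts["flags"])
        if set(pkt.get("flags", "")) != want:
            return False
    if "dsize" in opts and pkt.get("dsize", 0) != int(opts["dsize"]):   # exact payload length
        return False
    return True

def detect(rule_texts, packets):
    """Return (sid, msg) for every alert rule that fires on each packet, in packet order."""
    rules = [parse_rule(r) for r in rule_texts]
    return [(r["options"]["sid"], r["options"]["msg"]) for pkt in packets for r in rules
            if r["action"] == "alert" and rule_matches(r, pkt)]

# The six NMAP rules from the slides, verbatim.
NMAP_RULES = [
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "NMAP ping sweep Scan"; dsize:0;sid:10000004; rev: 1; )',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "NMAP TCP Scan";sid:10000005; rev:2; )',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap XMAS Tree Scan"; flags:FPU; sid:1000006; rev:1; )',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap FIN Scan"; flags:F; sid:1000008; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap NULL Scan"; flags:0; sid:1000009; rev:1; )',
    'alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"Nmap UDP Scan"; sid:1000010; rev:1; )',
]

# Constructed packet records, not a real capture (ICMP carries no ports, so 0 is used).
PACKETS = [
    {"proto": "icmp", "src": "10.0.0.5", "dst": "192.168.1.10", "sport": 0, "dport": 0, "dsize": 0},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.10", "sport": 40000, "dport": 22, "flags": "FPU"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.10", "sport": 40001, "dport": 22, "flags": "F"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.10", "sport": 40002, "dport": 22, "flags": ""},
    {"proto": "udp", "src": "10.0.0.5", "dst": "192.168.1.10", "sport": 40003, "dport": 53, "dsize": 0},
    # Ordinary SSH SYN from outside: sid 10000005 has no flags/payload option, so it fires on any inbound TCP/22.
    {"proto": "tcp", "src": "10.0.0.9", "dst": "192.168.1.10", "sport": 50000, "dport": 22, "flags": "S"},
    # The same SYN from inside HOME_NET: $EXTERNAL_NET is negated, so nothing fires.
    {"proto": "tcp", "src": "192.168.1.20", "dst": "192.168.1.10", "sport": 50001, "dport": 22, "flags": "S"},
]
```

Calling detect(NMAP_RULES, PACKETS) yields nine alerts; four of them are sid 10000005, one per inbound TCP/22 packet including the benign SYN, which is the kind of noise a flags or threshold option would remove.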

More Related Content

Similar to IDS_WK_Arsalan.pptx

Chapter 12
Chapter 12Chapter 12
Chapter 12cclay3
 
Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1whitehat 'People'
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptIwan89629
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptcemporku
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdftehkotak4
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsCisco Canada
 
First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]Phil Huggins FBCS CITP
 
All About Snort
All About SnortAll About Snort
All About Snort28pranjal
 
Csec630 Lab 2 Essay
Csec630 Lab 2 EssayCsec630 Lab 2 Essay
Csec630 Lab 2 EssayBeth Hines
 
An analysis of Network Intrusion Detection System using SNORT
An analysis of Network Intrusion Detection System using SNORTAn analysis of Network Intrusion Detection System using SNORT
An analysis of Network Intrusion Detection System using SNORTijsrd.com
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike
 
Bro Policy Assignment
Bro Policy AssignmentBro Policy Assignment
Bro Policy AssignmentTara Hardin
 
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...Disha Bedi
 
Low cost multi-sensor IDS system
Low cost multi-sensor IDS systemLow cost multi-sensor IDS system
Low cost multi-sensor IDS systemRobert Schrack
 

Similar to IDS_WK_Arsalan.pptx (20)

Chapter 12
Chapter 12Chapter 12
Chapter 12
 
Snort
SnortSnort
Snort
 
Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.ppt
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdf
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage Threats
 
First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]
 
All About Snort
All About SnortAll About Snort
All About Snort
 
Csec630 Lab 2 Essay
Csec630 Lab 2 EssayCsec630 Lab 2 Essay
Csec630 Lab 2 Essay
 
An analysis of Network Intrusion Detection System using SNORT
An analysis of Network Intrusion Detection System using SNORTAn analysis of Network Intrusion Detection System using SNORT
An analysis of Network Intrusion Detection System using SNORT
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
Bro Policy Assignment
Bro Policy AssignmentBro Policy Assignment
Bro Policy Assignment
 
Bro Policy Assignment
Bro Policy AssignmentBro Policy Assignment
Bro Policy Assignment
 
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
 
Low cost multi-sensor IDS system
Low cost multi-sensor IDS systemLow cost multi-sensor IDS system
Low cost multi-sensor IDS system
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
6
66
6
 

Recently uploaded

UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5DianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Juan Carlos Gonzalez
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 

Recently uploaded (20)

UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 

IDS_WK_Arsalan.pptx

  • 1. Network Protection Using Intrusion Detection System (IDS) Muhammad Arsalan Paracha CIPMA Lab, PIEAS
  • 2. Outline  Network Security Fundamentals  IDS Overview  IDS Types  Snort - IDS  Components  Rules  Configurations  Attack detection
  • 3. What is Security “Quality or state of being secure or free from danger” 3
  • 4. What is Network Security Application of administrative, physical, and technical controls in a network to provide Confidentiality, Integrity and Availability. 4
  • 5. CIA Triad Protection from unauthorized access Protection from unauthorized alteration Provide timely and uninterrupted access
  • 6. Few Terminologies Vulnerability: Any weakness Attack: Exploitation of a vulnerability Threat: The possibility of an attack Cyber Attack: Any action compromising the security of information owned by an individual / organization Cyber Weapon: Any S/W, H/W or User used for a cyber attack
  • 7. Security, Functionality, and Ease of Use Security Ease of Use Functionality 7
  • 8. Network Security Monitoring (NSM)  Network security monitoring is an automated process that monitors network devices and traffic for security vulnerabilities, threats, and suspicious activities.  Organizations can use it to detect and respond to cybersecurity breaches quickly. 8
  • 9.  The NSM Cycle consists of three distinct phases:  Collection  Detection  Analysis NSM Cycle
  • 10. Intrusion Detection System (IDS)  A collection of techniques and methodologies used to monitor suspicious activities both at the network and the host level  It is not a firewall (Additional level of security in the network)  IDS is more like an alarm system  It will perform actions like  Alerting, logging , etc upon detection.  Network administrators can make changes in the firewall rules upon detection of attacks  Can help detect attacks that pass through the firewall  Protection from the insiders  It inspects the content of the network traffic 10
  • 11. IDS  Deployed with multiple sensors on various location on the network  Report to a centralized management console  A sensor  Monitors traffic, matches against the rule sets and raises alerts, logs it or some other action.  A rule set contains  Traffic signatures or rules for unwanted behavior  Rules Check for threshold, protocol IP source and destination  Signatures Traffic patterns associated with attack
  • 13. Host Based IDS (HIDS)  Log Monitors  Parse system event Log files  Example: Apache, access log file check for “cgi-bin”  Integrity Checkers  check for key system structures to change  System files, registry keys  Tripwire (FIM solution) File Additions , deletions, flag modifications, access time etc.
  • 14. Network Based IDS (NIDS)  Signature Based  Database of know signatures  Similar to virus signatures, but it looks for attack signatures  Anomaly based  Form a baseline for a normal system  Raise an alarm when the system is no longer functioning under normal conditions
  • 15. Signature Based IDS  The most common form of IDS is signature-based  These systems work by examining packet data for indicators of compromise (IOCs)  Indicators are combined with IDS platform-specific directives to form signatures (also called rules)  Whenever a signature-based IDS locates data that matches content found in a signature, it generates an alert  The two most popular signature-based detection IDS’s are Snort and Suricata 15
  • 16. Snort - an network intrusion prevention and detection system 16
  • 17. Snort Modes  Sniffer mode  simply reads the packets off of the network and displays them for you in a continuous stream on the console (screen).  Packet Logger mode  logs the packets to disk  IDS / offline mode  IPS / Inline mode 17
  • 19. Packet Decoder  Takes packets from different types of network interfaces (Ethernet, SLIP,PPP…)  Determine which underlying protocols are used in the packet (such as Ethernet, IP, TCP, etc.)  It also detects various anomalous behaviors in packet headers. 19
  • 20. Preprocessor  Plugins that modify or setup data for the detection engine  It rearranges the data to be detectable by the IDS  Packet defragmentation  If the packets are too large, then it gets fragmented into smaller packets  Must be reassembled prior to analysis 20
  • 21. Preprocessor  frag3 – Detects packet fragmentation  Stream5 (Self protection against TCP and UDP)  http_inspect – Web Traffic  rpc_decode – RPC traffic  Reputation - provides basic IP blacklist/whitelist capabilities  sfportscan – Detect port scanning activities. 21 +Many other
  • 22. Detection Engine  Most important part of the engine  Uses the detection rules  It is dependent on  Speed of the machine  Number of rules  Load on the network  The Detection Engine applies rules to different parts of the packet  Header (IP/TCP/Application)  Packet Payload  Policy for matching of rules varies with versions 22
  • 23. Logging and Alerting system  Based upon the matched rule  Logged, alert generated  Logs /var/log/snort  -l for the modification of location 23
  • 24. Snort Rules  In a single line  Rules are created by known intrusion signatures.  Included in snort configuration file. rule header rule options
  • 25. Snort Rule Actions Protocol Source ip address Source port # destination ip address Destination port Rule options Rule header
  • 26. Rule Header - Actions  The first item in a rule is the rule action. The rule action tells Snort what to do when it finds a packet that matches the rule criteria. There are 3 available default actions in Snort, alert, log, pass. In addition, if you are running Snort in inline mode, you have additional options which include drop, reject, and sdrop.  alert - generate an alert using the selected alert method, and then log the packet  log - log the packet  pass - ignore the packet  drop - block and log the packet  reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.  sdrop - block the packet but do not log it.
  • 27. Rule Header - Source and Destination IP Address Field (1/2)  (source network) (port) -> (destination network) (port)  CIDR (Classless Inter Domain Routing) notation is used for the network arguments. 10.35.24.0/24  For the Snort rules files, you really deal with only two types of entries:  Networks  Hosts
  • 28. Rule Header - Source and Destination IP Address Field (2/2)  Source and Destination IP Address Field  Format: Address/netmask Address x.x.x.x Netmask = bits of network mask For example  24.0.0.0/8 Class A  24.3.0.0/16 Class b  192.185.67.0/24 Class C  192.185.67.188 host address  Special keywords: any ! (negation) $HOME_NET (variable defined elsewhere)
• 29. Rule Header - Source and Destination Port Field
 Static port: 111
 All ports: any
 Range: 110:3000
 Negation: !80
 Less than or equal: :1023
 Greater than or equal: 1024:
• 30. Rule Header - Direction Indicator
 ->
 Source information is specified to the left of the arrow, destination information to the right of the arrow
 There is also a bidirectional operator, indicated with a <> symbol. This tells Snort to consider the address/port pairs in either the source or destination orientation. This is handy for recording/analyzing both sides of a conversation, such as telnet or POP3 sessions
• 31. Rule Options
 All Snort rule options are separated from each other using the semicolon (;) character. Rule option keywords are separated from their arguments with a colon (:) character
 There are four major categories of rule options
 General (msg, reference & classtype)
 These options provide information about the rule but do not have any effect during detection
 Payload (content, depth, offset & nocase)
 These options all look for data inside the packet payload and can be inter-related
 Non-Payload (ttl, id, dsize, flags, seq & icmp_id)
 These options look for non-payload data
 Post Detection (logto & session)
 These options are rule-specific triggers that happen after a rule has "fired"
• 32. Snort Rule example
 Rule Header
alert tcp $EXTERNAL_NET any -> $HOME_NET 21
 Rule Options
(msg:"ftp Exploit"; flow:to_server,established; content:"|31c031db 41c9b046 cd80 31c031db|"; reference:bugtraq,1387; classtype:attempted-admin; sid:344; rev:4;)
• 35. snort.conf
 The Snort configuration file contains 9 basic sections:
1) Set the network variables
2) Configure the decoder
3) Configure the base detection engine
4) Configure dynamic loaded libraries
5) Configure preprocessors
6) Configure output plugins
7) Customize your rule set
8) Customize preprocessor and decoder rule set
9) Customize shared object rule set
• 36. Snort Configuration
 Snort configuration has three main parameters
1. Variables
2. Config
3. Includes
• 37. Snort Configuration: Variables
 Variables are used to store information to be referenced and manipulated
 Three types of variables may be defined in Snort:
 var
 A simple variable that can be defined for any purpose
 portvar
 Defines a port or a list of ports
 ipvar
 Defines an IP address or a list of IP addresses/networks
• 38. Snort Configuration: Variables
 Example
var RULES_PATH /usr/local/etc/rules/
portvar MY_PORTS [22,80,1024:1050]
ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]
 Usage:
alert tcp any any -> $MY_NET $MY_PORTS (flags:S; msg:"SYN packet";)
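The address and port field semantics from slides 27 to 30 (CIDR networks, bare hosts, lists, `any`, `!` negation, port ranges and open-ended ranges, the `->` and `<>` direction indicators) together with the var/portvar/ipvar substitution above, as an added Python example. It is not part of the original slides and not Snort's own code: the configuration fragment (the slide's definitions plus a constructed `EXTERNAL_NET`), the packet dictionaries and the rule headers are constructed for the demonstration, and nested lists are not handled.

```python
import ipaddress
import re

# Constructed snort.conf fragment (assumption): the slide's var/portvar/ipvar
# definitions plus an EXTERNAL_NET defined as the negation of MY_NET.
CONF = """
var RULES_PATH /usr/local/etc/rules/
portvar MY_PORTS [22,80,1024:1050]
ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]
ipvar EXTERNAL_NET !$MY_NET
"""


def parse_vars(conf):
    """Collect var/portvar/ipvar definitions into a {name: raw spec} dict."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(var|portvar|ipvar)\s+(\w+)\s+(\S+)", line)
        if m:
            found[m.group(2)] = m.group(3)
    return found


def _split_list(spec):
    """'[a,b,c]' -> ['a', 'b', 'c'].  Nested lists are not handled here."""
    return [item.strip() for item in spec[1:-1].split(",") if item.strip()]


def match_addr(spec, ip, variables):
    """Snort address field: CIDR network, bare host, [list], any, !negation or $VAR."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not match_addr(spec[1:], ip, variables)
    if spec.startswith("$"):
        return match_addr(variables[spec[1:]], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("["):
        return any(match_addr(item, ip, variables) for item in _split_list(spec))
    # a bare host such as 192.185.67.188 is treated as a /32 network
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def match_port(spec, port, variables):
    """Snort port field: 111, any, 110:3000, :1023, 1024:, !80, [list] or $VAR."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not match_port(spec[1:], port, variables)
    if spec.startswith("$"):
        return match_port(variables[spec[1:]], port, variables)
    if spec == "any":
        return True
    if spec.startswith("["):
        return any(match_port(item, port, variables) for item in _split_list(spec))
    if ":" in spec:  # range; an empty side means open-ended (:1023 or 1024:)
        low, high = spec.split(":", 1)
        return (int(low) if low else 0) <= port <= (int(high) if high else 65535)
    return port == int(spec)


def header_matches(header, packet, variables):
    """Evaluate a rule header 'action proto src sport dir dst dport' against a packet dict."""
    action, proto, src, sport, direction, dst, dport = header.split()
    if proto != "ip" and proto != packet["proto"]:  # 'ip' matches any transport protocol
        return False

    def one_way(s, sp, d, dp):
        return (match_addr(s, packet["src"], variables) and match_port(sp, packet["sport"], variables)
                and match_addr(d, packet["dst"], variables) and match_port(dp, packet["dport"], variables))

    if direction == "<>":  # bidirectional: either orientation of the address/port pairs may match
        return one_way(src, sport, dst, dport) or one_way(dst, dport, src, sport)
    return one_way(src, sport, dst, dport)


VARS = parse_vars(CONF)

# Constructed packets (assumption): only the header fields a rule header inspects.
SSH_FROM_OUTSIDE = {"proto": "tcp", "src": "203.0.113.9", "sport": 51000, "dst": "192.168.1.5", "dport": 22}
TELNET_FROM_OUTSIDE = {"proto": "tcp", "src": "203.0.113.9", "sport": 40000, "dst": "192.168.1.5", "dport": 23}

if __name__ == "__main__":
    print(header_matches("alert tcp any any -> $MY_NET $MY_PORTS", SSH_FROM_OUTSIDE, VARS))       # True
    print(header_matches("log tcp $MY_NET 23 <> $EXTERNAL_NET any", TELNET_FROM_OUTSIDE, VARS))  # True
    print(header_matches("log tcp $MY_NET 23 -> $EXTERNAL_NET any", TELNET_FROM_OUTSIDE, VARS))  # False
```

The last two calls show why the direction indicator matters: the telnet packet travels from the outside host to port 23 inside, so the `->` form of the header, which names `$MY_NET 23` as the source, does not match, while the `<>` form matches because it also tries the swapped orientation.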
• 39. Snort Configuration: Config
 Many configuration and command line options of Snort can be specified in the configuration file
 Format
config <directive> [: <value>]
 Example
config frag3
 OR
config alert_with_interface_name ens33 (the same as the -I command line option)
• 40. Snort Configuration: Include
 The include keyword allows other Snort config files to be included within the snort.conf named on the Snort command line
 It works much like #include in the C programming language
 Format
include <include file path/name>
 Example
include $RULE_PATH/example.rule
• 42. Rule options for NMAP
 Identify NMAP Ping Scan
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "NMAP ping sweep Scan"; dsize:0;sid:10000004; rev: 1; )
 Identify NMAP TCP Scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "NMAP TCP Scan";sid:10000005; rev:2; )
 Identify NMAP XMAS Scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap XMAS Tree Scan"; flags:FPU; sid:1000006; rev:1; )
• 43. Rule options for NMAP
 Identify NMAP FIN Scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap FIN Scan"; flags:F; sid:1000008; rev:1;)
 Identify NMAP NULL Scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap NULL Scan"; flags:0; sid:1000009; rev:1; )
 Identify NMAP UDP Scan
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"Nmap UDP Scan"; sid:1000010; rev:1; )
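The rule option categories from slides 31 and 32 and the six NMAP rules from slides 42 and 43, applied to a handful of constructed packets, as an added Python example that is not part of the original slides and not Snort's own code. It assumes `$HOME_NET` is 192.168.1.0/24 and `$EXTERNAL_NET` its negation, splits options on `;` (so a semicolon inside a quoted `msg` is not handled), compares `flags` exactly as Snort does when no modifier is given, and decodes `|hex|` sections of a `content` string the way the ftp rule on slide 32 uses them.

```python
import ipaddress
import re

# Assumption: $HOME_NET resolves to this network and $EXTERNAL_NET is its negation.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# The rules from slides 42 and 43, as written there.
RULES_TEXT = [
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "NMAP ping sweep Scan"; dsize:0;sid:10000004; rev: 1; )',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "NMAP TCP Scan";sid:10000005; rev:2; )',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap XMAS Tree Scan"; flags:FPU; sid:1000006; rev:1; )',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap FIN Scan"; flags:F; sid:1000008; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap NULL Scan"; flags:0; sid:1000009; rev:1; )',
    'alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"Nmap UDP Scan"; sid:1000010; rev:1; )',
]

# header: action proto src sport dir dst dport, then the option block in parentheses
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    """Split a one-line Snort rule into header fields and a list of (keyword, value) options."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = []
    for item in opts.split(";"):          # options are ';'-separated, keyword ':' argument
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def decode_content(value):
    """Turn a content argument such as 'USER |20|root' or '|31c0 31db|' into bytes."""
    out = b""
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode("latin-1")
    return out


def addr_ok(spec, ip):
    """Address check for the specs these rules use: any, $HOME_NET, $EXTERNAL_NET."""
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in HOME_NET
    return inside if spec == "$HOME_NET" else not inside


def rule_matches(rule, packet):
    """Header first, then the payload and non-payload options; general options are informational."""
    if rule["proto"] != packet["proto"]:
        return False
    if not (addr_ok(rule["src"], packet["src"]) and addr_ok(rule["dst"], packet["dst"])):
        return False
    for spec, port in ((rule["sport"], packet["sport"]), (rule["dport"], packet["dport"])):
        if spec != "any" and int(spec) != port:
            return False
    for key, val in rule["options"]:
        if key == "flags":                # exact flag set; flags:0 means no flag set at all
            if set(packet["flags"]) != (set() if val == "0" else set(val)):
                return False
        elif key == "dsize" and len(packet["payload"]) != int(val):
            return False
        elif key == "content" and decode_content(val) not in packet["payload"]:
            return False
    return True


def run_rules(rules, packets):
    """Return (sid, msg, src, dst) for every rule that fires on every packet."""
    alerts = []
    for packet in packets:
        for rule in rules:
            if rule_matches(rule, packet):
                opts = dict(rule["options"])
                alerts.append((opts["sid"], opts["msg"], packet["src"], packet["dst"]))
    return alerts


def make_packet(proto, src, sport, dst, dport, flags="", payload=b""):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": flags, "payload": payload}


# Constructed sample traffic (assumption), one packet per situation worth checking.
PACKETS = [
    make_packet("icmp", "203.0.113.5", 0, "192.168.1.10", 0),                   # empty echo request
    make_packet("tcp", "203.0.113.5", 40001, "192.168.1.10", 22, flags="FPU"),  # FIN+PSH+URG to ssh
    make_packet("tcp", "203.0.113.5", 40002, "192.168.1.10", 22, flags=""),     # no flags to ssh
    make_packet("tcp", "203.0.113.5", 40003, "192.168.1.10", 22, flags="S"),    # ordinary ssh connect
    make_packet("tcp", "192.168.1.10", 50000, "192.168.1.20", 22, flags="F"),   # FIN from inside the LAN
    make_packet("udp", "203.0.113.5", 40004, "192.168.1.10", 53),               # a DNS query from outside
]
RULES = [parse_rule(t) for t in RULES_TEXT]

if __name__ == "__main__":
    for alert in run_rules(RULES, PACKETS):
        print(alert)
```

Running it over the sample traffic shows two things the slides leave implicit. The "NMAP TCP Scan" and "Nmap UDP Scan" rules carry no payload or non-payload option, so they fire on every TCP packet to port 22 and every UDP datagram from outside, including the ordinary SSH connect and the DNS query; in production they need a `flags` or threshold condition to be useful. And the FIN packet sent between two internal hosts produces no alert at all, because every rule is scoped to `$EXTERNAL_NET`; a sensor placed to cover insiders, as the IDS overview earlier in the deck suggests, needs rules whose source is `any` or `$HOME_NET`.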