1. Network Protection Using Intrusion Detection System (IDS)
   Muhammad Arsalan Paracha, CIPMA Lab, PIEAS

2. Outline
   - Network security fundamentals
   - IDS overview
   - IDS types
   - Snort IDS: components, rules, configuration, attack detection

3. What is Security
   "Quality or state of being secure or free from danger"

4. What is Network Security
   Application of administrative, physical and technical controls in a network to provide confidentiality, integrity and availability.

5. CIA Triad
   - Confidentiality: protection from unauthorized access
   - Integrity: protection from unauthorized alteration
   - Availability: timely and uninterrupted access

6. A Few Terminologies
   - Vulnerability: any weakness that can be exploited
   - Attack: exploitation of a vulnerability
   - Threat: the possibility of an attack
   - Cyber attack: any action compromising the security of information owned by an individual or organization
   - Cyber weapon: any software, hardware or user employed in a cyber attack

7. Security, Functionality and Ease of Use
   (Triangle figure: the three properties form the corners of a triangle and pull against each other.)
8. Network Security Monitoring (NSM)
   - Network security monitoring is an automated process that monitors network devices and traffic for security vulnerabilities, threats and suspicious activity.
   - Organizations use it to detect and respond to breaches quickly.

9. NSM Cycle
   The NSM cycle consists of three distinct phases:
   - Collection
   - Detection
   - Analysis

10. Intrusion Detection System (IDS)
   - A collection of techniques and methodologies used to monitor for suspicious activity at both the network and the host level
   - It is not a firewall; it is an additional layer of security in the network
   - An IDS is more like an alarm system: on detection it alerts, logs, etc.
   - Network administrators can change firewall rules when an attack is detected
   - Helps detect attacks that pass through the firewall, and gives protection from insiders
   - It inspects the content (payload) of network traffic

11. IDS Architecture
   - Deployed as multiple sensors at various locations on the network, reporting to a centralized management console
   - A sensor monitors traffic, matches it against the rule set and raises an alert, logs the traffic or takes some other action
   - A rule set contains traffic signatures and rules describing unwanted behaviour
     - Rules check thresholds, protocol, and source and destination IP addresses and ports
     - Signatures are traffic patterns associated with a known attack

12. IDS (figure, credit: Dr. Hanif Durad)
13. Host-Based IDS (HIDS)
   - Log monitors: parse system and application event logs. Example: check the Apache access log for requests containing "cgi-bin".
   - Integrity checkers: watch key system structures (system files, registry keys) for change. Tripwire is a file integrity monitoring (FIM) solution that reports file additions, deletions, flag (permission) modifications, access-time changes, etc.

14. Network-Based IDS (NIDS)
   - Signature based: a database of known attack signatures, similar to virus signatures but describing attack traffic rather than malicious files
   - Anomaly based: forms a baseline of normal system behaviour and raises an alarm when the system is no longer operating within that baseline

15. Signature-Based IDS
   - The most common form of IDS is signature based
   - These systems examine packet data for indicators of compromise (IOCs)
   - Indicators are combined with IDS-platform-specific directives to form signatures (also called rules)
   - Whenever a signature-based IDS finds data matching the content of a signature, it generates an alert
   - The two most popular signature-based IDSs are Snort and Suricata

16. Snort: a network intrusion prevention and detection system
17. Snort Modes
   - Sniffer mode (snort -v): reads packets off the network and prints them in a continuous stream on the console
   - Packet logger mode (snort -l <dir>): logs the packets to disk
   - Network intrusion detection (IDS) mode (snort -c <snort.conf>): applies the rule set to live traffic, or to a capture file given with -r for offline analysis
   - Inline (IPS) mode (snort -Q): sits in the traffic path and can drop or reject packets

18. Snort Components (figure)

19. Packet Decoder
   - Takes packets from different types of network interface (Ethernet, SLIP, PPP, ...)
   - Determines which protocols are present in the packet (Ethernet, IP, TCP, etc.)
   - Also detects various anomalies in packet headers

20. Preprocessor
   - Plugins that modify or set up data for the detection engine; they rearrange the data into a form the detection engine can inspect
   - Packet defragmentation: an IP datagram larger than the link MTU is sent as smaller fragments, and these must be reassembled before analysis; otherwise a signature split across two fragments is never seen in one piece

21. Preprocessors
   - frag3: IP fragment reassembly (target based, so fragments are reassembled the way the destination host would reassemble them)
   - stream5: TCP/UDP session tracking and TCP stream reassembly
   - http_inspect: HTTP traffic normalization and inspection
   - rpc_decode: RPC traffic
   - reputation: basic IP blacklist/whitelist capability
   - sfportscan: port scan detection
   - and many others
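The defragmentation point above, as an added example that is not part of the slides or of Snort: a request carrying the "cgi-bin" pattern from the HIDS slide is split into fragments so that no single fragment contains the pattern, and only the reassembled datagram matches. Offsets are plain byte offsets here (real IP fragment offsets are in 8-byte units), overlapping fragments are not modelled, and the request is constructed for the demo.

```python
"""Why the frag3 preprocessor matters: a signature split across IP fragments.
Added example, not Snort code. Fragment offsets are byte offsets here (real IP
offsets are in 8-byte units) and the request is constructed for the demo."""

SIGNATURE = b"cgi-bin"   # the pattern the HIDS slide suggested looking for in web requests

def fragment(payload, size):
    """Attacker side: split a datagram payload into (offset, data) fragments of `size` bytes."""
    return [(off, payload[off:off + size]) for off in range(0, len(payload), size)]

def hits_per_fragment(fragments, signature=SIGNATURE):
    """Naive inspection of each fragment on its own, as a sensor without defragmentation would do."""
    return sum(signature in data for _, data in fragments)

def reassemble(fragments):
    """Order fragments by offset and stitch them together. A gap means the datagram is
    not yet complete (frag3 would keep holding it); overlaps would need a target-based
    policy, which this toy does not model."""
    buf = b""
    for off, data in sorted(fragments):
        if off != len(buf):
            raise ValueError(f"fragment at offset {off} does not continue the buffer (len {len(buf)})")
        buf += data
    return buf

def detect(fragments, signature=SIGNATURE):
    """Inspect the reassembled datagram, as Snort's detection engine does after frag3."""
    return signature in reassemble(fragments)

REQUEST = b"GET /cgi-bin/test.cgi HTTP/1.0\r\n"   # constructed request
FRAGS = fragment(REQUEST, 8)            # 'cgi-bin' is split between the fragments at offsets 0 and 8
FRAGS_OUT_OF_ORDER = FRAGS[::-1]        # fragments may also arrive reordered

if __name__ == "__main__":
    print(hits_per_fragment(FRAGS), detect(FRAGS_OUT_OF_ORDER))   # 0 True
```

Per-fragment inspection reports nothing, while the reassembled datagram (even when the fragments arrive in reverse order) matches; this is exactly the evasion frag3 exists to close.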
22. Detection Engine
   - The most important part of Snort; it applies the detection rules
   - Its throughput depends on the speed of the machine, the number of rules and the load on the network
   - Rules are applied to different parts of the packet: headers (IP/TCP/application) and the packet payload
   - The policy for rule matching (which of several matching rules is reported) varies between versions

23. Logging and Alerting System
   - Based on the matched rule, the packet is logged and/or an alert is generated
   - Logs go to /var/log/snort by default; -l <dir> changes the location
24. Snort Rules
   - Each rule is written on a single line
   - Rules are derived from known intrusion signatures
   - Rule files are pulled into the Snort configuration file with include
   - A rule consists of a rule header followed by rule options in parentheses

25. Snort Rule Structure
   Rule header: action, protocol, source IP address, source port, direction, destination IP address, destination port
   Rule options: in parentheses after the header

26. Rule Header: Actions
   The first item in a rule is the rule action, which tells Snort what to do when it finds a packet matching the rule criteria. There are three default actions, alert, log and pass; in inline mode the additional actions drop, reject and sdrop are available.
   - alert: generate an alert using the selected alert method, then log the packet
   - log: log the packet
   - pass: ignore the packet
   - drop: block and log the packet
   - reject: block the packet, log it, and send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP
   - sdrop: block the packet but do not log it

27. Rule Header: Source and Destination IP Address Fields (1/2)
   (source network) (port) -> (destination network) (port)
   - CIDR (Classless Inter-Domain Routing) notation is used for the network arguments
   - In Snort rule files you deal with only two kinds of entry: networks and hosts

28. Rule Header: Source and Destination IP Address Fields (2/2)
   - Format: address/netmask, where the address is x.x.x.x and the netmask is the number of network-mask bits
   - For example: a class A network is /8, class B is /16, class C is /24 and a single host address is /32
   - Special keywords: any; ! (negation); $HOME_NET (a variable defined elsewhere in the configuration)

29. Rule Header: Source and Destination Port Fields
   - Static port: 111
   - All ports: any
   - Range: 110:3000
   - Negation: !80
   - Less than or equal: :1023
   - Greater than or equal: 1024:

30. Rule Header: Direction Indicator
   - ->: source information is specified to the left of the arrow, destination information to the right
   - <>: the bidirectional operator tells Snort to consider the address/port pairs in either the source or the destination orientation. This is handy for recording or analysing both sides of a conversation, such as telnet or POP3 sessions.

31. Rule Options
   Rule options are separated from each other by a semicolon (;); an option keyword is separated from its argument by a colon (:). There are four major categories:
   - General (msg, reference, classtype): provide information about the rule but have no effect on detection
   - Payload (content, depth, offset, nocase): look for data inside the packet payload and can be combined with each other
   - Non-payload (ttl, id, dsize, flags, seq, icmp_id): look at non-payload data such as header fields
   - Post-detection (logto, session): rule-specific triggers that run after a rule has "fired"

32. Snort Rule Example
   Rule header:
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21
   Rule options:
     (msg:"ftp Exploit"; flow:to_server,established; content:"|31c031db 41c9b046 cd80 31c031db|"; reference:bugtraq,1387; classtype:attempted-admin; sid:344; rev:4;)
   The content argument is hex between the pipe characters; flow:to_server,established restricts the match to client-to-server data on an established TCP session, which needs the stream5 preprocessor.
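How the header fields, port syntax, direction operator and content/dsize/nocase options of slides 26 to 32 are evaluated against a packet, as an added toy example (not Snort's code and not from the slides). The $HOME_NET/$EXTERNAL_NET values, the telnet-banner rule and all packets are constructed for the demo; flow: is parsed but not evaluated, since it needs stream5 session state.

```python
"""Toy parser and matcher for Snort rule headers and a few options.
Added example (not Snort code). Packets, variable values and the telnet rule
are constructed for the demo; the FTP rule is the one from the slide."""
import ipaddress
import re

# Values snort.conf would give these with ipvar (assumed for the demo).
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24"}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    """Split one rule line into header fields plus an ordered (keyword, argument) option list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header: " + text)
    rule = m.groupdict()
    options = []
    for item in rule.pop("opts").split(";"):   # no escaping support: ';' inside a content string is not handled
        if item.strip():
            key, _, val = item.partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    rule["options"] = options
    return rule

def resolve(spec):
    """Replace a $VARIABLE reference by its configured value."""
    return VARS[spec[1:]] if spec.startswith("$") else spec

def ip_matches(spec, addr):
    """any, !negation, a CIDR network or a single host, or a $variable holding one of these."""
    spec = resolve(spec)
    if spec.startswith("!"):
        return not ip_matches(spec[1:], addr)
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """any, N, lo:hi, :hi, lo:, and !negation of any of these."""
    spec = resolve(spec)
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return port == int(spec)

def content_bytes(value):
    """Decode a content: argument: text outside |...| is literal, text inside is hex."""
    parts = value.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def header_matches(rule, pkt):
    """Apply protocol and the address/port fields; <> also tries the reversed orientation."""
    def oriented(src, sport, dst, dport):
        return (ip_matches(rule["src"], src) and port_matches(rule["sport"], sport)
                and ip_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if oriented(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    return rule["dir"] == "<>" and oriented(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

def matches(rule, pkt):
    """Header plus the options this toy understands (content, nocase, dsize).
    flow: needs stream5 session state and is skipped; msg/sid/rev/reference/classtype are metadata."""
    if not header_matches(rule, pkt):
        return False
    nocase = any(k == "nocase" for k, _ in rule["options"])   # simplification: applies to every content
    for key, val in rule["options"]:
        if key == "content":
            needle, hay = content_bytes(val), pkt["payload"]
            if nocase:
                needle, hay = needle.lower(), hay.lower()
            if needle not in hay:
                return False
        elif key == "dsize" and len(pkt["payload"]) != int(val):
            return False
    return True

def alerts(rule_lines, packets):
    """Return (packet index, sid) for every rule that fires on each packet."""
    rules = [parse_rule(line) for line in rule_lines]
    return [(i, dict(r["options"])["sid"]) for i, pkt in enumerate(packets) for r in rules if matches(r, pkt)]

RULES = [  # the slide's FTP rule, and a constructed bidirectional telnet-banner rule
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ftp Exploit"; flow:to_server,established; '
    'content:"|31c031db 41c9b046 cd80 31c031db|"; reference:bugtraq,1387; classtype:attempted-admin; sid:344; rev:4;)',
    'alert tcp any any <> $HOME_NET 23 (msg:"telnet login prompt"; content:"login:"; nocase; sid:1000001; rev:1;)',
]
SHELLCODE = bytes.fromhex("31c031db41c9b046cd8031c031db")   # the bytes the FTP rule looks for
PACKETS = [  # constructed packets
    dict(proto="tcp", src="203.0.113.7", sport=40001, dst="192.168.1.10", dport=21, payload=b"USER " + SHELLCODE),
    dict(proto="tcp", src="192.168.1.10", sport=21, dst="203.0.113.7", dport=40001, payload=b"220 ready\r\n"),
    dict(proto="tcp", src="192.168.1.10", sport=23, dst="203.0.113.7", dport=50000, payload=b"\r\nLOGIN: "),
    dict(proto="udp", src="203.0.113.7", sport=5353, dst="192.168.1.10", dport=21, payload=SHELLCODE),
]

if __name__ == "__main__":
    print(alerts(RULES, PACKETS))   # [(0, '344'), (2, '1000001')]
```

Packet 0 fires the FTP rule (external source, port 21, shellcode present); packet 1 is the server's reply and fails the -> orientation; packet 2 is a banner sent by the internal telnet server and is caught only because <> also tries the reversed orientation; packet 3 carries the shellcode but is UDP, so the tcp header never matches.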
33. Rule Classification (figure)

34. Snort Configuration File

35. snort.conf
   The Snort configuration file contains nine basic sections:
   1) Set the network variables
   2) Configure the decoder
   3) Configure the base detection engine
   4) Configure dynamically loaded libraries
   5) Configure preprocessors
   6) Configure output plugins
   7) Customize your rule set
   8) Customize the preprocessor and decoder rule set
   9) Customize the shared-object rule set

36. Snort Configuration
   Snort configuration has three main kinds of statement:
   1. Variables
   2. Config directives
   3. Includes

37. Snort Configuration: Variables
   - Variables store information to be referenced and reused elsewhere in the configuration
   - Three types of variable may be defined in Snort:
     - var: a simple variable, usable for any purpose (for example a path)
     - portvar: a port or a list of ports
     - ipvar: an IP address or a list of addresses/networks

38. Snort Configuration: Variables (example)
     var RULES_PATH /usr/local/etc/rules/
     portvar MY_PORTS [22,80,1024:1050]
     ipvar MY_NET [,]
   (the two entries of the MY_NET list did not survive on the slide; the form is ipvar NAME [net1,net2])
   Usage (Snort 2.9 requires every rule to carry a sid):
     alert tcp any any -> $MY_NET $MY_PORTS (flags:S; msg:"SYN packet"; sid:1000001; rev:1;)

39. Snort Configuration: Config Directives
   - Many configuration and command-line options of Snort can be set in the configuration file
   - Format: config <directive>[: <value>]
   - Examples:
     config logdir: /var/log/snort        (equivalent to -l /var/log/snort)
     config alert_with_interface_name     (equivalent to -I: alerts include the interface name, e.g. ens33)
   - Preprocessors such as frag3 are not enabled with config; they take preprocessor lines (preprocessor frag3_global, preprocessor frag3_engine)

40. Snort Configuration: Include
   - The include keyword pulls another configuration or rules file into the snort.conf named on the Snort command line
   - It works much like #include in the C programming language
   - Format: include <path/filename>
   - Example: include $RULES_PATH/example.rule
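The three statement kinds of slides 36 to 40 put together in one minimal configuration, as an added example (not from the slides and not a file that ships with Snort). Networks, paths, the SSH_PORTS variable and the rule in local.rules are placeholders chosen for the demo.

```snort
# --- snort.conf (minimal, assumed layout; networks and paths are placeholders) ---

# 1. variables: ipvar / portvar / var
ipvar HOME_NET [192.168.1.0/24]
ipvar EXTERNAL_NET !$HOME_NET
portvar SSH_PORTS 22
var RULES_PATH /usr/local/etc/rules

# 2. config directives (each mirrors a command-line option)
config logdir: /var/log/snort          # same as -l /var/log/snort
config alert_with_interface_name       # same as -I

# preprocessors are enabled with 'preprocessor', not 'config'
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux detect_anomalies
preprocessor stream5_global: track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy linux, ports both 21 22 23
preprocessor sfportscan: proto { all } scan_type { all } sense_level { low }

# output plugin: one-line alerts in /var/log/snort/alert.fast
output alert_fast: alert.fast

# 3. includes: the variable name here must match the var defined above
include $RULES_PATH/local.rules

# --- $RULES_PATH/local.rules (referenced by the include above) ---
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"SYN to SSH"; flags:S; sid:1000001; rev:1;)
```

Validate the file with snort -T -c snort.conf before deploying it; snort -c snort.conf -r capture.pcap -A console then replays a capture through the same configuration and prints alerts to the terminal.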
41. Attack Detection in Snort

42. Rules for Nmap Scans (1/2)
   Identify an Nmap ping sweep (Nmap's ICMP echo request carries no payload, hence dsize:0):
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"NMAP ping sweep Scan"; dsize:0; sid:10000004; rev:1;)
   Identify an Nmap TCP scan against port 22 (as written this fires on every TCP packet to port 22, legitimate SSH sessions included; adding flags:S limits it to connection attempts):
     alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"NMAP TCP Scan"; sid:10000005; rev:2;)
   Identify an Nmap XMAS scan (FIN, PSH and URG set together):
     alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap XMAS Tree Scan"; flags:FPU; sid:1000006; rev:1;)

43. Rules for Nmap Scans (2/2)
   Identify an Nmap FIN scan (a bare FIN; a normal FIN/ACK teardown does not match, because flags: without a modifier is an exact match):
     alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap FIN Scan"; flags:F; sid:1000008; rev:1;)
   Identify an Nmap NULL scan (no flags set at all):
     alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap NULL Scan"; flags:0; sid:1000009; rev:1;)
   Identify an Nmap UDP scan (as written, any UDP datagram from outside triggers it):
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap UDP Scan"; sid:1000010; rev:1;)
   Single-packet rules like these show which probe type was seen; detecting a scan as such (many ports or hosts probed by one source) is the job of the sfportscan preprocessor.
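The flags: semantics that make the port-22 rules above work, as an added example (not Snort's code, not from the slides). It implements the plain, +, * and ! forms of the option, which goes beyond the exact-match form the slides use, and runs the slides' XMAS, FIN, NULL and bare TCP rules, plus an assumed tightened variant with flags:S, over constructed Nmap probes and ordinary SSH segments.

```python
"""Snort 'flags:' matching behind the Nmap scan rules.
Added example, not Snort source; the packets are constructed, not captured."""

# TCP flag bits as Snort names them: F S R P A U, plus 1/2 for the two reserved (CWR/ECE) bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}

def flags_match(spec, tcp_flags):
    """Evaluate a Snort flags: argument against a packet's TCP flag byte.

    No modifier  -> exact match: only the listed bits may be set
    trailing '+' -> listed bits set, any others allowed
    trailing '*' -> at least one of the listed bits set
    leading  '!' -> none of the listed bits set
    '0' means no flags at all (the NULL scan).
    """
    spec = spec.strip()
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    modifier = spec[-1] if spec[-1] in "+*" else ""
    bits = spec[:-1] if modifier else spec
    mask = 0 if bits == "0" else sum(FLAG_BITS[c] for c in bits)
    if negate:
        return (tcp_flags & mask) == 0
    if modifier == "+":
        return (tcp_flags & mask) == mask
    if modifier == "*":
        return (tcp_flags & mask) != 0
    return tcp_flags == mask

F, S, P, A, U = (FLAG_BITS[c] for c in "FSPAU")

# The slides' port-22 rules reduced to (msg, flags argument); None = rule has no flags option.
SCAN_RULES = [
    ("Nmap XMAS Tree Scan", "FPU"),
    ("Nmap FIN Scan", "F"),
    ("Nmap NULL Scan", "0"),
    ("NMAP TCP Scan", None),                # as on the slide: no flags option at all
    ("NMAP TCP Scan (tightened)", "S"),     # assumed improvement: connection attempts only
]

# Constructed TCP packets to port 22: the probes Nmap sends, and ordinary SSH traffic.
PACKETS = [
    ("nmap -sX probe", F | P | U),
    ("nmap -sF probe", F),
    ("nmap -sN probe", 0),
    ("nmap -sS / normal connect SYN", S),
    ("normal SSH data segment", P | A),
    ("normal SSH FIN/ACK teardown", F | A),
]

def fired(rules=SCAN_RULES, packets=PACKETS):
    """Return {packet name: [rule msgs that fire]} for packets the rule header already matched."""
    return {name: [msg for msg, spec in rules if spec is None or flags_match(spec, flags)]
            for name, flags in packets}

if __name__ == "__main__":
    for name, hits in fired().items():
        print(f"{name:32s} -> {hits}")
```

The bare "NMAP TCP Scan" rule fires on all six packets, including the ordinary data and teardown segments, which is why it is useless as written; the exact-match FIN rule stays quiet on the FIN/ACK teardown, and flags:F+ would not. Even the tightened SYN rule still fires once per legitimate connection, so scan detection proper belongs to sfportscan, which thresholds probes per source.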