IDS/IPS Basics functionality and Snort Components.

1. Intrusion Detection System/Intrusion
Prevention System (Snort):Intro (Part 1)
By
Mahendra Pratap Singh
Team: WhitehatPeople

2. Introduction
 Intrusion: the act of thrusting in, or of entering into a place or state
without invitation, right, or welcome.
 Intrusion detection is an act of detecting an unauthorized intrusion
by a computer on a network. This unauthorized access, or intrusion,
is an attempt to compromise, or otherwise do harm, to other network
devices.
 IDS: An IDS is the high-tech equivalent of a burglar alarm, one that
is configured to monitor information gateways, hostile activities, and
known intruders.

3. IDS
 An IDS is a specialized tool that knows how to parse and interpret
network traffic and/or host activities. This data can range from
network packet analysis to the contents of log files from routers,
firewalls, and servers, local system logs and access calls, network
flow data, and more.
 Furthermore, an IDS often stores a database of known attack
signatures and can compare patterns of activity, traffic, or behavior it
sees in the data it’s monitoring against those signatures to recognize
when a close match between a signature and current or recent
behavior occurs.

4. Types of IDS
 Network based IDS: IDSes that monitor network links and
backbones looking for attack signatures are called network-based
IDSes.
 Host based IDS: IDS that operate on hosts and defend and monitor
the operating and file systems for signs of intrusion and are called
host based IDSes.
 Distributed IDS: Groups of IDSes functioning as remote sensors
and reporting to a central management station are known as
distributed IDSes (DIDSes).
 A gateway IDS is a network IDS deployed at the gateway between
your network and another network, whereas Application IDS
understand and parse application specific traffic and underlying
protocol

5. How does an IDS work?
IDSes uses different approaches for event analysis. Signature
Detection is the same approach used by an antivirus software to
detect infected file or any virus. In these IDSes attack signatures
are stored in database and detects intrusion by matching these
attack signature with network traffic.
Anomaly Detection (Heuristics) technique, uses predefined rules
about normal and abnormal activity. Most effective solutions
combine network- and host-based IDS implementations. Likewise,
the majority of implementations are primarily signature-based, with
only limited anomaly-based detection capabilities present in certain
specific products or solutions.

6. Snort: An Open Source IDS
 Snort is an open source IDS it can perform real time packet analysis
on IP networks. Snort can detect verity of attacks such as buffer
overflows, stealth port scans, Common Gateway Interface (CGI)
attacks, Server Message Block (SMB) probes, operating system
fingerprinting attempts, and much more.
 Snort can be configured in three modes:
A) Sniffer Mode
B) Packet Logger
C) Network Intrusion Detection

7. Some predefined signatures (community signatures) and SourceFire
VDB signatures provided with Snort, also you can write your own
Signature based on your own need. Signatures can be written for
scanning behavior of attacks or for the exploit attempts.
IDSes can be used when patches for newly discovered
vulnerabilities are not announced yet, but still those vulnerabilities
needs to be monitored till official solution is available.
Some questions needs to be answered before considering IDS,
Should your IDS be inline, sitting at the choke point(s) between your
network and the world, or not? Does it make sense to drop traffic
actively, or do you just want to generate alerts for analysis without
touching the network.

8. Snort is a packet sniffer/packet logger/network IDS.
Rule types for Snort can be downloaded from Snort site. Rules are
organized by rule type, include P2P, backdoor, DDOS attacks, web
attacks, viruses and many others.
Rules are mapped to a number that is recognized as a type of
attack known as a Sensor ID (SID).
Hardware/Software Requirement for Snort:
Fast Hard Drive to process and store Data, logs.
Fast Network Interface Card(NIC) to process packets.
Large RAM for faster processing

9. Snort Architecture
There are four basic components of Snort’s architecture:
a) The Sniffer
b) The Preprocessor
c) The Detection Engine
d) The Output.
Snort is designed to take packets and process them through
preprocessor and then check those packets against a series of
rules. The preprocessor, the detection engine, and the alert
components of Snort are all plug-ins. Plug-ins are programs that are
written to conform to Snort’s plug-in API.

10. Snort Architecture

11. Part 1 - Packet Sniffer
 A network sniffer allows an application or a hardware device
to eavesdrop on data network traffic.
 Sniffer are used for Network analysis and troubleshooting,
performance analysis etc. If network traffic is encrypted it can
prevent people to sniff network.
 As a sniffer, Snort can save the packets to be processed and
viewed later as a packet logger.

12. Part 2 – Preprocessor
Preprocessor takes the packets and check them against set plug-ins
like RPC plug-in, HTTP plug-in, port scanner plug-in.
These plug-ins check for a certain type of behavior from the packet.
On that particular behavior plug-in send that packet to Detection
engine.
Plug-ins can be enabled and disabled on need basis.
Snort support many kind of preprocessors and their attendant plug-
ins, covering many commonly used protocols.

13. Part 3 – Detection Engine
Once packets are checked by preprocessor they are passed to
Detection engine.
Detection engine takes that data and checks through set of rules.
If rules match the data in the packet, they are sent to the alert
processor.
Snort has a particular syntax that it uses with its rules. Rule syntax
can involve the type of protocol, the content, the length, the header,
and other various elements, including garbage characters for
defining butter overflow rules.

14. Part 4 – Output Component
Once Snort data processed in Detection engine, if data matches a
rule, an alert is triggered.
Alert can be sent to log file through network connection, through
UNIX sockets or Windows Popup (SMB) or SNMP traps.
The alerts can also be stored in an SQL database such as MySQL.
Logs can also be used on Web interface.
Through Syslog tool (ex. Swatch), Snort alerts can be sent via e-
mail to notify system admin in real time.

15. Thanks for your time.
More in next Part
By
Mahendra Pratap Singh | Team Whitehat People
(Source: Snort IDS and IPS Toolkit by Jay Beale’s Open Source Security Series)