This document discusses network intrusion detection systems (NIDS). It describes what an intrusion detection system is, why they are required to protect confidentiality, integrity and availability, and how they work by monitoring network traffic and detecting anomalous behavior. It outlines different types of NIDS including host-based and network-based, and how the popular open-source NIDS Snort functions using rules, signatures, and protocol analysis to generate alerts when it detects suspicious network activity. Challenges with NIDS are also discussed.

1. Network Intrusion
Detection System
And Analysis
BIKRANT GAUTAM
SECURITY AND CRYPTOGRAPHIC PROTOCOL – 606
SCSU 2015

2. Intrusion Detection System Overview
What is Intrusion?
Restricted Access to computer Infrastructure
What is intrusion detection System?
Mechanism to trace the intrusion
Why is it required?
Protect CIA triad
How does IDS work?

3. Intrusion Detection System
• Two IDS in this model
• One external for monitoring external traffic
• One internal for monitoring internal traffic

4. Types of IDS
HIDs examine specific host-based
actions, such as what applications
are being used, what files are being
accessed and what information
resides in the kernel logs.
NIDs analyze the flow of
information between
computers, i.e., network
traffic. They essentially "sniff"
the network for suspicious
behavior.

5. NIDS Introduction
Why NIDS?
Monitor network traffic
Alert the responsible personnel or the target
Apply preventive measures-(Network Intrusion Prevention System)

6. NIDS Functionality
How it works?
Sniffing
collect and inspect incoming traffic
Protocol awareness
protocol reassembly and normalization
Alerting
Send email / log events / Sending SNMP

7. Modes of Detection
Signature Based
Old method
Compare data packets against known malicious sequence
Protocol Awareness
Compare the network packets against standard protocol
Behavioral Analysis
Recent Development
Learn pattern, alert when pattern changes

8. Types of NIDS/NIPSs
Commercial
Check Point IPS, CISO IPS, IBM Security NIPS
Roll on your own
Free to use for users, SNORT, BRO

9. Output of NIDS/NIPS
Depends upon the vendor
General evidences/output
Configuration: Configuration of devices being monitored
Alert Data: Alert through text files emails sms
Packet headers/flow Information: logged malicious packets headers
Content Data: Captured full data packets
Correlated Activates: Correlated event data

10. NIDS EXAMPLE
SNORT
The single most widely used IDS in the world.
Signature Based
Open Source
Large support community

11. SNORT ARCHITECTURE
Trucia Victor / url / http://truica-victor.com/snort-architecture/

12. SNORT CONFIGURATIONS
RULES
Rules written in a single line
Rules are created with known intrusion signatures
Stored in /etc/snort/rules
Native alerts are stored in /var/log/snort
Global values are stored at /etc/snort/snort.conf

13. Header
Example rule header
log tcp 192.168.1.12 123 -> 192.168.1.19 27

14. RULE BODY
Rule Body
Used to extract meta data about the events
rule options: msg, sid, rev, reference
Example:

15. SNORT EXAMPLES
Snort rule
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP PING”; icode:0;
itype:8; classtype:misc-activity: sid:384; rev:5;)
Snort packet
IP 10.0.1.10 > 10.0.1.254: ICMP echo request, id 32335, seq 0, length 64
0x0000: 4500 0045 a023 ab00 87ef 0a00 abc8 01oe E . . T . . . . .@ . X . . . . .
0x0010: 3400 0145 02a3 acd0 84af 0000 dbc5 0101 .u . T . - &. . . . . . . . . . I
Snort Alert
[**] [1:384:5] ICMP PING [**] [Classification: Misc Activity] [Priority: 3] 04/13 -
03:12:08.359790 10.0.1.10 -> 10.0.1.254 ICMP TTL:64 TOS: 0X0 ID:38125
IpLen:20 DmgLen:84 Type:8 Code:0 ID:32335 Seq:1 ECHO
Malicious Packet
Snort rule to capture malicious packet
Alert Fired

16. Challenges with current NIDS
SNORT/Signature based
More processing for packet logging
Requires high disk capacity to log information

17. Conclusion
NIDS/NIPS are the first step on against malicious activities
Investigators leverage evidence from NIDS to find the root of the problem
Field of further study and research

18. Case Study

19. Case Study
Corresponding packet analysis
SNORT ALERT Corresponding Packet

20. Case Study
Further exploring the Packet content
Packet Content
Analysis:

21. Case Study
Analysis of HEX Values

22. Case Study
Further Action:

23. Case Study
Further analysis of Target IP (192.168.1.69)
Searching all the alerts related with this IP
Count of Malicious Alert for same IP
Alert Message

24. Case Study
Alert Message Analysis:
The alert
TCP windows scale option found with length > 14
Findings:

25. Case Study
Investigation Findings and Conclusion Further Steps

26. Thank you