Intrusion Detection and Snort (IDS)

Abstract:
Security is a big issue for all networks in today’s enterprise environment. Hackers and intruders have made many successful attempts to bring down high-profile company networks and web services. Many methods have been developed to secure the network infrastructure and communication over the Internet, among them the use of firewalls, encryption, and virtual private networks. Using intrusion detection methods, you can collect and use information from known types of attacks and find out if someone is trying to attack your network or particular hosts. The information collected this way can be used to harden your network security, as well as for legal purposes. Both commercial and open source products are now available for this purpose.
Snort is an open source Network Intrusion Detection System (NIDS) which is available free of cost. NIDS is the type of Intrusion Detection System (IDS) that is used for scanning data flowing on the network. There are also host-based intrusion detection systems, which are installed on a particular host and detect attacks targeted to that host only. Although all intrusion detection methods are still new, Snort is ranked among the top quality systems available today.
Snort uses rules stored in text files that can be modified by a text editor. Rules are grouped in categories. Rules belonging to each category are stored in separate files. These files are then included in a main configuration file called snort.conf. Snort reads these rules at start-up time and builds internal data structures or chains to apply these rules to captured data. Finding signatures and using them in rules is a tricky job, since the more rules you use, the more processing power is required to process captured data in real time. It is important to implement as many signatures as you can using as few rules as possible. Snort comes with a rich set of pre-defined rules to detect intrusion activity and you are free to add your own rules at will. You can also remove some of the built-in rules to avoid false alarms.
Here I describe intrusion detection, related terminology, installation and management of Snort as well as other products that work with Snort. These products include a database and the Analysis Console for Intrusion Databases (ACID).

1. Introduction to Intrusion Detection and Snort
Security is a big issue for all networks in today’s enterprise environment. Hackers and intruders have made many successful attempts to bring down high-profile company networks and web services. Many methods have been developed to secure the network infrastructure and communication over the Internet, among them the use of firewalls, encryption, and virtual private networks. Intrusion detection is a relatively new addition to such techniques. Intrusion detection methods started appearing in the last few years. Using intrusion detection methods, you can collect and use information from known types of attacks and find out if someone is trying to attack your network or particular hosts. The information collected this way can be used to harden your network security, as well as for legal purposes. Both commercial and open source products are now available for this purpose. Many vulnerability assessment tools are also available in the market that can be used to assess different types of security holes present in your network. A comprehensive security system consists of multiple tools, including:
• Firewalls that are used to block unwanted incoming as well as outgoing traffic of data. There is a range of firewall products available in the market, both Open Source and commercial. The most popular Open Source firewall is Netfilter/iptables.
• Intrusion detection systems (IDS) that are used to find out if someone has gotten into or is trying to get into your network. The most popular IDS is Snort, which is available at http://www.snort.org.
• Vulnerability assessment tools that are used to find and plug security holes present in your network. Information collected from vulnerability assessment tools is used to set rules on firewalls so that these security holes are safeguarded from malicious Internet users. There are many vulnerability assessment tools, including Nmap and Nessus. These tools can work together and exchange information with each other. Some products provide complete systems consisting of all of these products bundled together.
Snort is an open source Network Intrusion Detection System (NIDS) which is available free of cost. NIDS is the type of Intrusion Detection System (IDS) that is used for scanning data flowing on the network. There are also host-based intrusion detection systems, which are installed on a particular host and detect attacks targeted to that host only. Although all intrusion detection methods are still new, Snort is ranked among the top quality systems available today.

 

Fig 1:- Block Diagram of a complete Network Intrusion Detection System.

2. What Is Intrusion Detection?
Intrusion detection is a set of techniques and methods that are used to detect suspicious activity both at the network and host level. Intrusion detection systems fall into two basic categories: signature-based intrusion detection systems and anomaly detection systems. Intruders have signatures, like computer viruses, that can be detected using software. You try to find data packets that contain any known intrusion-related signatures or anomalies related to Internet protocols. Based upon a set of signatures and rules, the detection system is able to find and log suspicious activity and generate alerts. Anomaly-based intrusion detection usually depends on packet anomalies present in protocol header parts. In some cases these methods produce better results compared to signature-based IDS. Usually an intrusion detection system captures data from the network and applies its rules to that data or detects anomalies in it. Snort is primarily a rule-based IDS, however input plug-ins are present to detect anomalies in protocol headers.
Snort uses rules stored in text files that can be modified by a text editor. Rules are grouped in categories. Rules belonging to each category are stored in separate files. These files are then included in a main configuration file called snort.conf. Snort reads these rules at start-up time and builds internal data structures or chains to apply these rules to captured data. Finding signatures and using them in rules is a tricky job, since the more rules you use, the more processing power is required to process captured data in real time. It is important to implement as many signatures as you can using as few rules as possible. Snort comes with a rich set of pre-defined rules to detect intrusion activity and you are free to add your own rules at will. You can also remove some of the built-in rules to avoid false alarms.

2.1 Some Definitions
Before we go into details of intrusion detection and Snort, you need to learn some definitions related to security. These definitions will be used in this book repeatedly in the coming chapters. A basic understanding of these terms is necessary to digest other complicated security concepts.

• IDS:-
Intrusion Detection System or IDS is software, hardware or combination of both used to detect intruder activity. Snort is an open source IDS available to the general public. IDS may have different capabilities depending upon how complex and sophisticated the components are. IDS appliances that are a combination of hardware and software are available from many companies. As mentioned earlier, IDS may use signatures, anomaly-based techniques or both.
• Network IDS or NIDS:-
NIDS are intrusion detection systems that capture data packets traveling on the network media (cables, wireless) and match them to a database of signatures. Depending upon whether a packet is matched with an intruder signature, an alert is generated or the packet is logged to a file or database. One major use of Snort is as a NIDS. [4]
• Host IDS or HIDS:-
Host-based intrusion detection systems or HIDS are installed as agents on a host. These intrusion detection systems can look into system and application log files to detect any intruder activity. Some of these systems are reactive, meaning that they inform you only when something has happened. Some HIDS are proactive; they can sniff the network traffic coming to a particular host on which the HIDS is installed and alert you in real time.
• Signatures:-
A signature is the pattern that you look for inside a data packet. A signature is used to detect one or multiple types of attacks. For example, the presence of “scripts/iisadmin” in a packet going to your web server may indicate intruder activity. Signatures may be present in different parts of a data packet depending upon the nature of the attack. For example, you can find signatures in the IP header, transport layer header (TCP or UDP header) and/or application layer header or payload. You will learn more about signatures later in this book. Usually an IDS depends upon signatures to find out about intruder activity. Some vendor-specific IDS need updates from the vendor to add new signatures when a new type of attack is discovered. In other IDS, like Snort, you can update signatures yourself. [7]

2.2 Where IDS Should Be Placed in the Network Topology
Depending upon your network topology, you may want to position intrusion detection systems at one or more places. It also depends upon what type of intrusion activities you want to detect: internal, external or both. For example, if you want to detect only external intrusion activities, and you have only one router connecting to the Internet, the best place for an intrusion detection system may be just inside the router or a firewall. If you have multiple paths to the Internet, you may want to place one IDS box at every entry point. However if you want to detect internal threats as well, you may want to place a box in every network segment. In many cases you don’t need to have intrusion detection activity in all network segments and you may want to limit it only to sensitive network areas. Note that more intrusion detection systems mean more work and more maintenance costs. Your decision really depends upon your security policy, which defines what you really want to protect from hackers.
As you can see from Figure 2, typically you should place an IDS behind each of your firewalls and routers. In case your network contains a demilitarized zone (DMZ), an IDS may be placed in that zone as well. However, the alert generation policy should not be as strict in a DMZ compared to private parts of the network.

 

Fig 2:- Typical locations for an intrusion detection system.

2.3 Honey Pots:-
Honey pots are systems used to lure hackers by exposing known vulnerabilities deliberately. Once a hacker finds a honey pot, it is more likely that the hacker will stick around for some time. During this time you can log hacker activities to find out his/her actions and techniques. Once you know these techniques, you can use this information later on to harden security on your actual servers. There are different ways to build and place honey pots. The honey pot should have common services running on it. These common services include a Telnet server (port 23), Hyper Text Transfer Protocol (HTTP) server (port 80), File Transfer Protocol (FTP) server (port 21) and so on. You should place the honey pot somewhere close to your production server so that the hackers can easily take it for a real server. For example, if your production servers have Internet Protocol (IP) addresses 192.168.10.21 and 192.168.10.23, you can assign an IP address of 192.168.10.22 to the honey pot. You can also configure your firewall and/or router to redirect traffic on some ports to a honey pot where the intruder thinks that he/she is connecting to a real server. You should be careful in creating an alert mechanism so that when your honey pot is compromised, you are notified immediately. It is a good idea to keep log files on some other machine so that when the honey pot is compromised, the hacker does not have the ability to delete these files. So when should you install a honey pot? The answer depends on different criteria, including the following:
• You should create a honey pot if your organization has enough resources to track down hackers. These resources include both hardware and personnel. If you don’t have these resources, there is no need to install a honey pot. After all, there is no need to have data if you can’t use it.
• A honey pot is useful only if you want to use the information gathered in some way.
• You may also use a honey pot if you want to prosecute hackers by gathering evidence of their activities.
Ideally a honey pot should look like a real system. You should create some fake data files, user accounts and so on to convince a hacker that this is a real system. This will tempt the hacker to remain on the honey pot for a longer time and you will be able to record more activity.

3. IDS Policy:-
Before you install the intrusion detection system on your network, you must have a policy to detect intruders and take action when you find such activity. A policy must dictate IDS rules and how they will be applied. The IDS policy should contain the following components; you can add more depending upon your requirements.
• Who will monitor the IDS? Depending on the IDS, you may have alerting mechanisms that provide information about intruder activity. These alerting systems may be in the form of simple text files, or they may be more complicated, perhaps integrated into centralized network management systems like HP OpenView or a MySQL database. Someone is needed to monitor the intruder activity and the policy must define the responsible person(s). The intruder activity may also be monitored in real time using pop-up windows or web interfaces. In this case operators must have knowledge of alerts and their meaning in terms of severity levels.
• Who will administer the IDS, rotate logs and so on? As with all systems, you need to establish routine maintenance of the IDS.
• Who will handle incidents and how? If there is no incident handling, there is no point in installing an IDS. Depending upon the severity of the incident, you may need to get some government agencies involved.
• What will be the escalation process (level 1, level 2 and so on)? The escalation process is basically an incident response strategy. The policy should clearly describe which incidents should be escalated to higher management.
• Reporting. Reports may be generated showing what happened during the last day, week or month.
• Signature updates. Hackers are continuously creating new types of attacks.
These attacks are detected by the IDS if it knows about the attack in the form of signatures. Attack signatures are used in Snort rules to detect attacks. Because of the continuously changing nature of attacks, you must update signatures and rules on your IDS. You can update signatures directly from the Snort web site on a periodic basis or on your own when a new threat is discovered.
• Documentation is required for every project. The IDS policy should describe what type of documentation will be done when attacks are detected. The documentation may include a simple log or record of complete intruder activity. You may also need to build some forms to record data. Reports are also part of regular documentation.
Based on the IDS policy you will get a clear idea of how many IDS sensors and other resources are required for your network. With this information, you will be able to calculate the cost of ownership of the IDS more precisely.

4. Components of Snort:-
Snort is logically divided into multiple components. These components work together to detect particular attacks and to generate output in a required format from the detection system. A Snort-based IDS consists of the following major components:
4.1 Packet Decoder
4.2 Preprocessors
4.3 Detection Engine
4.4 Logging and Alerting System
4.5 Output Modules

The figure given below (Fig 3) shows how these components are arranged. Any data packet coming from the Internet enters the packet decoder. On its way towards the output modules, it is either dropped, logged or an alert is generated.
A brief introduction to these components is presented in this section. As you go through the book and create some rules, you will become more familiar with these components and how they interact with each other.

4.1 Packet Decoder:-
The packet decoder takes packets from different types of network interfaces and prepares the packets to be preprocessed or to be sent to the detection engine. The interfaces may be Ethernet, SLIP, PPP and so on.
4.2 Preprocessors:
Preprocessors are components or plug-ins that can be used with Snort to arrange or modify data packets before the detection engine checks whether the packet is being used by an intruder. Some preprocessors also perform detection by finding anomalies in packet headers and generating alerts. Preprocessors are very important for any IDS to prepare data packets to be analyzed against rules in the detection engine. Hackers use different techniques to fool an IDS in different ways. For example, you may have created a rule to find the signature “scripts/iisadmin” in HTTP packets. If you are matching this string exactly, you can easily be fooled by a hacker who makes slight modifications to this string. For example:

To complicate the situation, hackers can also insert hexadecimal or Unicode characters into the web Uniform Resource Identifier (URI), which are perfectly legal as far as the web server is concerned. Note that web servers usually understand all of these strings and are able to preprocess them to extract the intended string “scripts/iisadmin”. However, if the IDS is looking for an exact match, it is not able to detect this attack. A preprocessor can rearrange the string so that it is detectable by the IDS. Preprocessors are also used for packet defragmentation. When a large data chunk is transferred to a host, the packet is usually fragmented. For example, the default maximum length of any data packet on an Ethernet network is usually 1500 bytes. This value is controlled by the Maximum Transfer Unit (MTU) value for the network interface. This means that if you send data which is more than 1500 bytes, it will be split into multiple data packets so that each packet fragment is less than or equal to 1500 bytes. The receiving systems are capable of reassembling these smaller units again to form the original data packet. On an IDS, before you can apply any rules or try to find a signature, you have to reassemble the packet. For example, half of the signature may be present in one segment and the other half in another segment. To detect the signature correctly you have to combine all packet segments. Hackers use fragmentation to defeat intrusion detection systems.
The preprocessors are used to safeguard against these attacks. Preprocessors in Snort can defragment packets, decode HTTP URIs, reassemble TCP streams and so on. These functions are a very important part of the intrusion detection system.
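As an added example (not code from this text or from Snort itself), the Python sketch below shows why the two preprocessing steps just described matter: a matcher that looks for the literal signature in each segment on its own misses a request whose URI is percent-encoded, contains a “/./” segment and arrives split across two out-of-order TCP segments, while a matcher that reassembles the stream and normalizes the URI first catches it. The segments, the URI and the normalization rules are constructed for this illustration.

```python
"""Added illustration of HTTP URI normalization and TCP segment reassembly
before signature matching. Not Snort code; all inputs are constructed."""
from urllib.parse import unquote

SIGNATURE = "scripts/iisadmin"   # the example signature used in the text


def normalize_uri(uri: str) -> str:
    """Undo encodings that a web server resolves transparently: percent-encoded
    characters, repeated slashes, '/./' segments and 'dir/../' segments."""
    parts = []
    for seg in unquote(uri).split("/"):
        if seg in ("", "."):      # '//' and '/./' contribute nothing
            continue
        if seg == "..":           # 'dir/..' cancels the previous segment
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def reassemble(segments) -> bytes:
    """Order TCP segments by stream offset and join their payloads.
    `segments` is an iterable of (offset, payload) pairs in arrival order.
    Bytes already covered by an earlier segment (retransmissions) are skipped."""
    stream = b""
    for offset, payload in sorted(segments, key=lambda s: s[0]):
        if offset < len(stream):
            payload = payload[len(stream) - offset:]
        stream += payload
    return stream


def extract_uri(request: bytes) -> str:
    """Return the request-target from an HTTP request line 'METHOD <uri> HTTP/x.y'."""
    request_line = request.split(b"\r\n", 1)[0].decode("latin-1")
    fields = request_line.split(" ")
    return fields[1] if len(fields) >= 2 else ""


def naive_match(segments) -> bool:
    """What a matcher without preprocessing does: look for the literal
    signature inside each segment on its own."""
    return any(SIGNATURE.encode() in payload for _, payload in segments)


def preprocessed_match(segments) -> bool:
    """Reassemble the stream, pull out the URI, normalize it, then match."""
    uri = extract_uri(reassemble(segments))
    return SIGNATURE in normalize_uri(uri)


# Constructed sample: the request arrives as two out-of-order segments, and the
# URI hides the signature behind percent-encoding and a '/./' segment.
SAMPLE_SEGMENTS = [
    (15, b"./iisadmin/default.htm HTTP/1.0\r\nHost: www\r\n\r\n"),
    (0, b"GET /scr%69pts/"),
]

# A legitimate request under /scripts/ that must not trigger the signature.
BENIGN_SEGMENTS = [(0, b"GET /scripts/images/logo.gif HTTP/1.0\r\n\r\n")]

if __name__ == "__main__":
    print("naive match:       ", naive_match(SAMPLE_SEGMENTS))         # False
    print("preprocessed match:", preprocessed_match(SAMPLE_SEGMENTS))  # True
```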
4.3 The Detection Engine:-
The detection engine is the most important part of Snort. Its responsibility is to detect if any intrusion activity exists in a packet. The detection engine employs Snort rules for this purpose. The rules are read into internal data structures or chains where they are matched against all packets. If a packet matches any rule, appropriate action is taken; otherwise the packet is dropped. Appropriate actions may be logging the packet or generating alerts. The detection engine is the time-critical part of Snort. Depending upon how powerful your machine is and how many rules you have defined, it may take different amounts of time to respond to different packets. If traffic on your network is too high when Snort is working in NIDS mode, you may drop some packets and may not get a true real-time response. The load on the detection engine therefore depends upon the number of rules you have defined and the power of the machine. The detection engine can apply rules to different parts of a packet, including:
• The transport layer header. This header includes TCP, UDP or other transport layer headers. It may also work on the ICMP header.
• The application layer header. Application layer headers include, but are not limited to, the DNS header, FTP header, SNMP header, and SMTP header. You may have to use some indirect methods for application layer headers, like the offset of the data to look for.
• Packet payload. This means that you can create a rule that is used by the detection engine to find a string inside the data that is present inside the packet.
The detection engine works in different ways for different versions of Snort. In all 1.x versions of Snort, the detection engine stops further processing of a packet when a rule is matched. Depending upon the rule, the detection engine takes appropriate action by logging the packet or generating an alert. This means that if a packet matches criteria defined in multiple rules, only the first rule is applied to the packet without looking for other matches. This is fine except for one problem. A low priority rule generates a low priority alert, even if a high priority rule meriting a high priority alert is located later in the rule chain. This problem is rectified in Snort version 2 where all rules are matched against a packet before generating an alert. After matching all rules, the highest priority rule is selected to generate the alert.
The detection engine in Snort version 2.0 is completely rewritten so that it is a lot faster compared to detection in earlier versions of Snort. While Snort 2.0 is still not in release at the time of writing this book, earlier analysis shows that the new detection engine may be up to eighteen times faster.
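To make the difference between the two alert-selection strategies concrete, here is an added Python model (not Snort's own code) of a rule chain in which a broad, low-priority rule precedes a specific, high-priority one. The rules, the packet and the message strings are constructed for this example; the priority convention follows Snort's, where 1 is the highest priority.

```python
"""Toy model of how a detection engine walks its rule chain. Snort 1.x acts on
the first rule that matches; Snort 2.0 tests every rule and alerts on the
highest-priority match. Added example, not Snort code; inputs are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    msg: str                  # alert message
    proto: str                # "tcp", "udp" or "icmp"
    dst_port: Optional[int]   # None means any destination port
    content: bytes            # payload substring to search for; b"" means none
    priority: int             # 1 = highest priority, larger numbers = lower


@dataclass
class Packet:
    proto: str
    dst_port: int
    payload: bytes


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Cheap header checks first, then the payload content search."""
    if rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return rule.content in pkt.payload


def detect_first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Snort 1.x behaviour: stop at the first matching rule in chain order."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


def detect_highest_priority(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Snort 2.0 behaviour: evaluate all rules, then alert on the best match."""
    matches = [r for r in rules if rule_matches(r, pkt)]
    if not matches:
        return None
    return min(matches, key=lambda r: r.priority)


# Constructed rule chain: the generic, low-priority rule sits before the
# specific, high-priority one, which is the ordering problem described above.
RULES = [
    Rule("WEB-IIS access to scripts directory", "tcp", 80, b"/scripts/", priority=3),
    Rule("WEB-IIS iisadmin access", "tcp", 80, b"scripts/iisadmin", priority=1),
    Rule("ICMP traffic seen", "icmp", None, b"", priority=3),
]

# Constructed packet that matches both web rules.
SAMPLE_PACKET = Packet("tcp", 80, b"GET /scripts/iisadmin/default.htm HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    print("Snort 1.x alert:", detect_first_match(RULES, SAMPLE_PACKET).msg)
    print("Snort 2.0 alert:", detect_highest_priority(RULES, SAMPLE_PACKET).msg)
```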

4.4 Logging and Alerting System:-
Depending upon what the detection engine finds inside a packet, the packet may be used to log the activity or generate an alert. Logs are kept in simple text files, tcpdump-style files or some other form. All of the log files are stored under the /var/log/snort folder by default. You can use the -l command line option to modify the location where logs and alerts are generated.
4.5 Output Modules:-
Output modules or plug-ins can do different operations depending on how you want to save output generated by the logging and alerting system of Snort. Basically these modules control the type of output generated by the logging and alerting system.
Tools can also be used to send alerts in other formats such as e-mail messages or viewing alerts using a web interface.

The following table summarizes the different components of Snort.

Name                              Description
Packet Decoder                    Prepares packets for processing
Preprocessors or input plug-ins   Used to normalize protocol headers, detect anomalies, reassemble fragmented packets and TCP streams
Detection Engine                  Applies rules to packets
Logging and Alerting System       Generates alert and log messages
Output Modules                    Process alerts and logs and generate final output

 

Fig 3:- Components of Snort.

5. TCP Stream Follow Up:-

A new preprocessor named Stream4 has been added to Snort. This preprocessor is capable of dealing with thousands of simultaneous streams, and its configuration will be discussed later. It allows TCP stream reassembly and stateful inspection of TCP packets. This means that you can assemble packets in a particular TCP session to find anomalies and attacks that use multiple TCP packets. You can also look for packets coming to and/or originating from a particular server port.

6. Supported Platforms:-
Snort is supported on a number of hardware platforms and operating systems. Currently Snort is available for the following operating systems:
• Linux
• OpenBSD
• NetBSD
• Solaris (both SPARC and i386)
• HP-UX
• AIX
• IRIX
• Mac OS
• Windows

7. How to Protect IDS Itself:-
One major issue is how to protect the system on which your intrusion detection software is running. If security of the IDS is compromised, you may start getting false alarms or no alarms at all. The intruder may disable IDS before actually performing any attack. There are different ways to protect your system, starting from very general recommendations to some sophisticated methods. Some of these are mentioned below.
• The first thing that you can do is not to run any service on your IDS sensor itself. Network servers are the most common method of exploiting a system.
• New threats are discovered and patches are released by vendors. This is almost a continuous and non-stop process. The platform on which you are running IDS should be patched with the latest releases from your vendor. For example, if Snort is running on a Microsoft Windows machine, you should have all the latest security patches from Microsoft installed.
• Configure the IDS machine so that it does not respond to ping (ICMP Echo-type) packets.
• If you are running Snort on a Linux machine, use Netfilter/iptables to block any unwanted data. Snort will still be able to see all of the data.
• You should use the IDS only for the purpose of intrusion detection. It should not be used for other activities, and user accounts should not be created except those that are absolutely necessary.
In addition to these common measures, Snort can be run in special ways as well. Following are two special techniques that can be used with Snort to protect it from being attacked.

7.1 Snort on Stealth Interface:-
You can run Snort on a stealth interface which only listens to the incoming traffic but does not send any data packets out. A special cable is used on the stealth interface. On the host where Snort is running, you have to short pins 1 and 2. Pins 3 and 6 are connected to the same pins on the other side.

7.2 Snort with no IP Address Interface:-
You can also use Snort on an interface where no IP address is assigned. For example, on a Linux machine, you can bring up interface eth0 using the command “ifconfig eth0 up” without assigning an actual IP address. The advantage is that when the Snort host doesn’t have an IP address itself, nobody can access it. You can configure an IP address on eth1 that can be used to access the sensor itself.
On Microsoft Windows systems, you can use an interface without binding TCP/IP to the interface, in which case no IP address will be assigned to the interface. Don’t forget to disable other protocols and services on the interface as well. In some cases it has been noted that WinPcap (the library used on Microsoft Windows machines to capture packets) does not work well when no IP address is assigned on the interface. In such a case, you can use the following method.

8. Installing Snort and Getting Started:-
Snort installation may consist of only a working Snort daemon or of a complete Snort system with many other tools. If you install only Snort, you can capture intrusion data in text or binary files and then view these files later on with the help of a text editor or some other tool like Barnyard, which will be explained later in this book. With this simple installation you can also send alert data to an SNMP manager, like HP OpenView or OpenNMS, in the form of SNMP traps. Alert data can also be sent to a Microsoft Windows machine in the form of SMB pop-up windows. However, if you install other tools, you can perform more sophisticated operations on the intrusion data, such as logging Snort data to a database and analyzing it through a web interface. Using the web interface, you can view all alerts generated by Snort. The analysis tools allow you to make sense of the captured data instead of spending lots of time with Snort log files.
Other tools that can be used with Snort are listed below. Each of them has a specific task. A comprehensive working Snort system utilizes these tools to provide a web-based user interface with a backend database.
• MySQL is used with Snort to log alert data. Other databases like Oracle can also be used, but MySQL is the most popular database with Snort. In fact, any ODBC-compliant database can be used with Snort.
• Apache acts as a web server.
• PHP is used as an interface between the web server and the MySQL database.
• ACID is a PHP package that is used to view and analyze Snort data using a web browser.
• GD library is used by ACID to create graphs.
• PHPLOT is used to present data in graphic format on the web pages used in ACID. GD library must be working correctly to use PHPLOT.
• ADODB is used by ACID to connect to the MySQL database.
• Snort Installation Scenarios:-
Typical Snort installations may vary depending upon the environment where you are installing it. Some of the typical installation schemes are listed below for your reference. You can select one of these depending on the type of network you have.
• Test Installation:-
A simple Snort installation consists of a single Snort sensor. Snort logs data to text files. These log files can then be viewed later on by the Snort administrator. This arrangement is suitable only for test environments because the cost of data analysis is very high in a production environment. To install Snort for this purpose, you can get a pre-compiled version from http://www.snort.org and install it on your system.
• Single Sensor Production IDS:-
A production installation of Snort with only one sensor is suitable for small networks with only one Internet connection. Putting the sensor behind a router or firewall will enable you to detect the activity of intruders into the system. However, if you are really interested in scanning all Internet traffic, you can put the sensor outside the firewall as well.
In this installation, you can either download a precompiled version of Snort from its web site (http://www.snort.org) or compile it yourself from the source code. You should compile the source code yourself only if you need some feature which is not available in the precompiled versions.
In a production installation, you also need to implement startup and shutdown procedures so that Snort automatically starts at boot time. If you are installing a precompiled version for Linux, the installation procedure with RPM will take care of it. On Microsoft Windows systems, you can start Snort as a service or put a batch file in the startup group. The logging is done in text or binary files and separate tools can be used to analyze the data.
• Single Sensor with Network Management System Integration:-
In a production system, you can configure Snort to send traps to a network management system. There are a variety of network management systems used in the enterprise. The most popular commercial systems are from Hewlett-Packard, IBM and Computer Associates. Snort integration into these network management systems is done through the use of SNMP traps.
• Single Sensor with Database and Web Interface:-
The most common use of Snort should be with integration to a database. The database is used to log Snort data where it can be viewed and analyzed later on, using a web-based interface. A typical setup of this type consists of three basic components:
1. Snort sensor
2. A database server
3. A web server
Snort logs data into the database. You can view the data using a web browser connected to the sensor. This scheme is shown in Figure 1. All three components can be present on the same system. Different types of database servers like MySQL, PostgreSQL, Oracle, Microsoft SQL Server and other ODBC-compliant databases can be used with Snort. PHP is used to get data from the database and to generate web pages. This setup provides a very good and comprehensive IDS which is easy to manage and user friendly. You have to provide a user name, password, database name and database server address to Snort to enable it to log to the database. In a single-sensor scheme where the database is running on the sensor itself, you can use “localhost” as the host name. You have to build database logging capability into Snort at compile time.

Fig 4: – Distributed Snort installation with the help of tools like SCP and Barnyard.

Snort is available in both source code and binary forms. Pre-compiled binary packages are fine for most installations. As mentioned earlier, if you want to add or remove certain features of Snort, you need to download the source code version and then compile it yourself. For example, if you want to build Snort without support for SMB alerts, you have to build it yourself. The same is true of other features like SNMP traps, MySQL and so on. You also have to compile the Snort package yourself if you take a snapshot of the code under development.
The basic installation procedure is simple because you have plenty of predefined rules available with Snort that cover most of the known intrusion signatures. However, customization of your installation may require a lot of work.
After installation, basic information for getting started with Snort is also provided, including basic Snort concepts, logging and alerting, and Snort's modes of operation.

• After Installation Processes:-
Now that you have built the Snort binary, you have to do a few things before you can start using Snort. These include:
1. Create the directory /var/log/snort, where Snort creates log files by default.
2. Create a directory to save configuration files.
3. Create or copy the Snort configuration file into the newly created directory.
4. Create a directory and copy the default rule files into it. The path of this directory is mentioned in the main snort.conf file, and you can create a directory of your own choice if you like.

9. Running Snort on Multiple Network Interfaces
When you start Snort, it listens to traffic on one interface. Using the command line option -i, you can specify the interface on which you want to run it. If you want to listen to multiple network interfaces, you have to run multiple copies of Snort in parallel. As an example, the following two commands start listening to network interfaces eth0 and eth1 on a Linux machine. If both sessions log to a MySQL database, which is configured through the snort.conf file, the same database can be used.
Note that you can also have different configuration files for these two sessions. There may be many reasons for having separate configuration files. The main reason is that HOME_NET is different for the two sessions. Another reason may be that you want to log alert data in log files for one interface and in a database for the second interface.
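An added example, not code from the original article or the Snort project, that carries out the post-installation steps above and generates the two per-interface configurations and start commands described in this section: one session logging alerts to a text file, the other to a MySQL database. PREFIX, the snort-<iface>.conf file names, the alert.<iface> file names and the PLACEHOLDER password are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article or the Snort project:
# it lays out the post-install directories and writes one snort.conf per
# interface so two Snort sessions can run in parallel with different
# HOME_NET values and logging targets. PREFIX (default empty) is an
# assumption that lets the script be exercised in a scratch directory.

log_dir()   { echo "${PREFIX:-}/var/log/snort"; }
conf_dir()  { echo "${PREFIX:-}/etc/snort"; }
rules_dir() { echo "$(conf_dir)/rules"; }

# Steps 1, 2 and 4 of the post-install checklist: log, config and rule dirs.
setup_dirs() {
    mkdir -p "$(log_dir)" "$(conf_dir)" "$(rules_dir)" || return 1
    chmod 700 "$(log_dir)"          # alert logs are sensitive; keep them root-only
    : > "$(rules_dir)/local.rules"  # empty site rule file; real rules get copied here
}

# Step 3, once per interface: write a config whose HOME_NET and output
# plugin differ. Usage: write_conf <iface> <home_net> "<output line>"
write_conf() {
    iface="$1"; home_net="$2"; output="$3"
    conf="$(conf_dir)/snort-$iface.conf"
    {
        echo "var HOME_NET $home_net"
        echo "var EXTERNAL_NET !\$HOME_NET"
        echo "var RULE_PATH $(rules_dir)"
        echo "$output"
        echo "include \$RULE_PATH/local.rules"
    } > "$conf"
    echo "$conf"
}

# One Snort daemon per interface; a separate -l directory keeps the two
# sessions' log files apart.
snort_cmd() {
    iface="$1"; conf="$2"
    mkdir -p "$(log_dir)/$iface" || return 1
    echo "snort -D -i $iface -c $conf -l $(log_dir)/$iface"
}

# Example run: eth0 alerts go to a text file, eth1 logs to MySQL
# (the password is a placeholder; keep the real one in a root-only file).
run_example() {
    setup_dirs || return 1
    c0=$(write_conf eth0 192.168.1.0/24 "output alert_fast: alert.eth0")
    c1=$(write_conf eth1 10.0.0.0/8 "output database: log, mysql, user=snort password=PLACEHOLDER dbname=snort host=localhost")
    snort_cmd eth0 "$c0" && snort_cmd eth1 "$c1"
}
```

Run it as root with PREFIX unset to populate the real /var/log/snort and /etc/snort, or with PREFIX pointing at a scratch directory to inspect the generated files first; the two printed snort commands are the ones to place in the startup script.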

Fig 5: – Running Snort on multiple network interfaces and logging to different places.

10. Advantages of Snort:-

1) Snort’s open source network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks.
2) Snort performs protocol analysis, content searching, and content matching.
3) The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, Common Gateway Interface (CGI) attacks, buffer overflows, Server Message Block (SMB) probes, and stealth port scans.
4) Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection.
5) In sniffer mode, the program will read network packets and display them on the console.
6) In packet logger mode, the program will log packets to the disk.
7) In intrusion detection mode, the program will monitor network traffic and analyze it against a rule set defined by the user.

11. Conclusion

We have successfully created a network-based intrusion detection system using the signature IDS methodology. It captures packets transmitted over the entire network through promiscuous mode of operation and compares the traffic with crafted attack signatures. The attack log displays the list of attacks to the administrator for evasive action. This system works as an alert device in the event of attacks directed towards an entire network, and it has the functionality to run in the background and monitor the network. It also incorporates functionality to detect installed adapters on the system; selecting an adapter for capture, pausing capture and clearing captured data are shown in the screenshots. It may be extended with further signatures for attacks. This system can be used standalone to provide attack alerts to the administrator, or it can be used as a base system for developing a network intrusion prevention system. The types of attacks share the characteristic that, upon their initiation and while they are in progress, global attacks and distributed intrusion processes produce sufficient network traffic (e.g. port scanning) so that local detectors can find sufficient evidence of the attack and report it.

