intrusion detection system


Post on 19-May-2015


Category:

Technology


DESCRIPTION

IDS & IPS techniques are used to capture logs, sessions, port numbers, trojans, and malicious activity on the network and servers. Here you can get details about IDS and IPS techniques.

TRANSCRIPT

INTRUSION DETECTION SYSTEM
By Bikash Dash (White-hat)

Contents
1 Introduction
2 Basic Requirements
3 What is intrusion
4 Introduction to IDS
  4.1 Need of IDS & IPS
  4.2 IDS vs Firewall
5 Types of IDS
  5.1 Network-based Intrusion Detection System
  5.2 Host-based Intrusion Detection System
  5.3 Distributed Intrusion Detection System
6 Approaches
7 The need of IDS
8 SNORT
  8.1 Snort modes of operation
  8.2 Packet sniffers
  8.3 Network intrusion detection mode
  8.4 Network rules
  8.5 Snort rule header
9 Configuring Snort as IDS
10 What is IPS?
11 Challenges in IDS
12 Conclusion
13 Appendices
14 Reference

Abstract: Snort: Intrusion Detection System

Malicious network traffic (such as worms, hacking attempts, etc.) has certain patterns to it. You could monitor your network traffic with a sniffer and look for this malicious traffic manually, but that would be an impossible task. IDS (Intrusion Detection System) software automates the process of sniffing, examining and, upon finding something suspicious, alerting.

IDS have been called the burglar alarm of computer networks and are an important part of network perimeter security. Without an IDS you have no idea whether someone is probing or attacking your servers (unless the attack is so overwhelming that it results in a denial of service). Having this information lets you know whether you need to make some firewall changes or harden the OS on a particular server a bit more.

You may see the term IPS for Intrusion Prevention System, which takes things one step further by having the IDS adjust the firewall when it discovers something. Smart people disagree on the use of IPSs because it, in effect, gives an attacker some control of your firewall: whatever traffic the attacker can make the sensor alert on, the attacker can make the firewall act on.

Snort (www.snort.org) is the most widely used IDS software application; it is open source and included with Debian. There are two flavors of IDS, host-based and network-based. Snort is a network-based IDS that can monitor all of the traffic on a network link to look for suspicious traffic. Typically, a network-based IDS is set up to monitor a DMZ or the internal network right behind the firewall, so that it alerts on any possible threats that your firewall didn't catch.

There is a web interface that works with Snort called BASE (Basic Analysis and Security Engine), based on ACID (Analysis Console for Intrusion Databases), which we'll set up. BASE runs on what's commonly referred to as a LAMP server (Linux, Apache, MySQL, PHP), so we'll need to install those applications as well.

Terminology

Alert/Alarm: A signal suggesting that a system has been or is being attacked.
True Positive: A legitimate attack which triggers an IDS to produce an alarm.
False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
False Negative: A failure of an IDS to detect an actual attack.
True Negative: When no attack has taken place and no alarm is raised.
Noise: Data or interference that can trigger a false positive.
Site policy: Guidelines within an organization that control the rules and configurations of an IDS.
Site policy awareness: An IDS's ability to dynamically change its rules and configurations in response to changing environmental activity.
Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.
Alarm filtering: The process of categorizing attack alerts produced by an IDS in order to distinguish false positives from actual attacks.
Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
Masquerader: A user who does not have authority on a system but tries to access information as if they were an authorized user. They are generally outside users.
Misfeasor: Commonly an internal user, of one of two types: 1. an authorized user with limited permissions who exceeds them; 2. a user with full permissions who misuses those powers.
Clandestine user: A user who seizes supervisory (administrative) control of the system and uses those privileges to evade auditing and access controls, so as to avoid being detected.
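The terminology above is easiest to see with a small signature engine run over labelled traffic. The block below is an added example, not code from the report or from Snort: it parses a reduced subset of Snort's rule syntax (header plus msg, content and sid options), matches the rules against constructed packets whose ground truth is known because we built them, and then scores the resulting alerts as true/false positives and negatives. The per-signature breakdown at the end is the alarm-filtering step, showing which rule is producing the noise. The rule text, packets and signature ids are constructed for this illustration.

```python
"""Signature matching and alert scoring over constructed sample traffic.

Added example for the IDS terminology (true/false positive, false negative,
noise, alarm filtering). Not code from the report or from Snort: the rule
syntax is a reduced subset of Snort's, handled by a hand-written matcher,
and the packets are constructed test data with known ground truth.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes
    is_attack: bool  # ground truth, available only because the traffic is constructed


@dataclass(frozen=True)
class Rule:
    proto: str
    dport: Optional[int]      # None means "any"
    content: Optional[bytes]  # None means no payload test
    msg: str
    sid: int


# Reduced Snort-style header: alert <proto> <src> <sport> -> <dst> <dport> (<options>)
RULE_RE = re.compile(r"^alert (\w+) \S+ \S+ -> \S+ (\S+) \((.*)\)$")


def parse_rule(text: str) -> Rule:
    """Parse one rule line; only msg, content and sid are understood, and
    option values must not contain ';' (a simplification of real Snort)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    proto, port, opts = m.groups()
    content, msg, sid = None, "", 0
    for opt in opts.split(";"):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "content":
            content = val.encode()
        elif key == "msg":
            msg = val
        elif key == "sid":
            sid = int(val)
    return Rule(proto, None if port == "any" else int(port), content, msg, sid)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule fires only when every test it carries is satisfied."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def run_ids(rules, packets):
    """Collect -> analyze: (packet index, rule) for every alert raised."""
    return [(i, r) for i, p in enumerate(packets) for r in rules if matches(r, p)]


def score(packets, alerts):
    """Confusion matrix of the alert stream against ground truth."""
    alerted = {i for i, _ in alerts}
    c = Counter()
    for i, p in enumerate(packets):
        if p.is_attack:
            c["TP" if i in alerted else "FN"] += 1
        else:
            c["FP" if i in alerted else "TN"] += 1
    return {k: c[k] for k in ("TP", "FP", "FN", "TN")}


def per_signature(packets, alerts):
    """Alarm filtering: which signatures produce the false positives."""
    out = {}
    for i, r in alerts:
        d = out.setdefault(r.sid, {"TP": 0, "FP": 0})
        d["TP" if packets[i].is_attack else "FP"] += 1
    return out


# Constructed rules: a content signature and a deliberately noisy port-only one.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 80 (msg:"web shell invocation"; content:"/bin/sh"; sid:1000001;)',
    'alert tcp any any -> any 22 (msg:"inbound ssh"; sid:1000002;)',
]]

# Constructed traffic with ground truth.
PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", 80, "tcp", b"GET /index.html HTTP/1.1", False),
    Packet("203.0.113.7", "10.0.0.80", 80, "tcp", b"GET /cgi-bin/run?cmd=/bin/sh HTTP/1.1", True),
    Packet("10.0.0.6", "10.0.0.80", 80, "tcp", b"POST /blog HTTP/1.1\r\n\r\n/bin/sh is the default shell", False),
    Packet("10.0.0.7", "10.0.0.22", 22, "tcp", b"SSH-2.0-OpenSSH_8.9", False),
    Packet("203.0.113.9", "10.0.0.53", 53, "udp", b"\x00" * 300, True),  # no rule covers it
    Packet("10.0.0.8", "10.0.0.443", 443, "tcp", b"\x16\x03\x01", False),
]


def demo():
    alerts = run_ids(RULES, PACKETS)
    return score(PACKETS, alerts), per_signature(PACKETS, alerts)


if __name__ == "__main__":
    matrix, by_sid = demo()
    print(matrix)  # {'TP': 1, 'FP': 2, 'FN': 1, 'TN': 2}
    print(by_sid)  # sid 1000002 has only false positives: a candidate for tuning
```

The blog post that happens to contain the string "/bin/sh" is the noise the terminology list talks about, and the UDP packet that no rule covers is the false negative; neither shows up in the alert stream alone, which is why the confidence value of a sensor has to be measured against known traffic rather than read off its alert count.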
SOFTWARE AND HARDWARE REQUIREMENTS

Software Specification:
OS: Linux (BackTrack).
Snort: the intrusion detection system.
BASE: Basic Analysis and Security Engine (graphical analysis console for the alerts).
MySQL: database in which alerts and intrusions are logged.
PHP: to serve BASE in the browser.
PEAR packages: to set up the graphing environment for BASE.
libpcap: to put the network adapter into packet-capture mode (WinPcap in a Windows environment).
ADOdb: database abstraction layer that connects BASE to MySQL.
Apache: to run the system as a server on the network (with a static IP address).
Static IP: the machine running Snort needs a static IP address so that the sensor and the BASE console stay reachable at the same address every time it connects to the network, and alerts from the monitored machines keep arriving continuously.

Hardware Specification:
System Type: Intel
Processor: Pentium 4
Processor Speed: 2.8 GHz
Hard Disk: 40 GB
Memory Size: 128 MB
Cache Memory: 128 KB
Keyboard Type: 104 keys
Monitor Type: EGA/VGA
Monitor Manufacturer: Microtek
Monitor Size: 15"
Mouse: Logitech, 3 buttons
Floppy Drive: 1.44 MB

CHAPTER-1 INTRODUCTION

An intrusion detection system monitors computer systems, looking for signs of intrusion (unauthorized users) or misuse (authorized users overstepping their bounds). (1) Intrusion Detection Systems (IDS) can operate at a variety of different levels. Host-based IDSs reside on a host machine and execute intrusion detection locally. Network-based Intrusion Detection Systems (NIDS) focus on network data flow. The key to successfully identifying and preventing intrusion lies in the detection techniques. Using intrusion detection methods, you can collect and use information from known types of attacks and find out whether someone is trying to attack your network or particular hosts. IDSs have a series of steps that all need to be completed before a system can be appropriately protected. These steps revolve around the data that is being processed on the system being monitored.
Data is collected by monitoring activities on the hosts or the network. The raw data is analyzed to classify activities as normal or suspicious. When a suspicious activity is considered sufficiently serious, a response is triggered.

More precisely, an intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.

IDPSes typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques: the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack's content.

The intrusion detection system used here (Snort) is a specialized tool that parses and interprets network traffic or host activities and performs real-time network analysis and logging. One engine can cover a number of network ranges, activity types, traffic kinds, port analysis, and firewall and server logs on one system. An alert is raised when network activity, malicious content, an intrusion, port-scan activity, etc. matches the rules and signatures of our intrusion detection system.
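The response step is where the IPS caveat from the abstract bites: if an alert is turned directly into a firewall rule, an attacker who can make the sensor alert on a source address of their choosing (for instance by spoofing the source of a UDP packet) decides what the firewall blocks. The block below is an added example, not Snort's or the report's own response logic, of a guarded "changing the security environment" response: it only acts on high-confidence signatures, ignores alerts whose source the transport cannot vouch for, never blocks allowlisted infrastructure, requires repeated hits inside a time window, and caps the number of blocks. The allowlist, signature ids, thresholds and alert stream are constructed for the illustration, and the iptables lines are only generated for a review queue, not executed.

```python
"""Guarded automatic response to IDS alerts (added example).

Illustrates the IPS caveat: if every alert rewrites the firewall, an attacker
who can make the sensor alert on a chosen source address decides what gets
blocked. The policy, its thresholds and the sample alerts are assumptions
for this illustration, not Snort's or the report's own response logic.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: float        # seconds
    src: str         # source address the sensor reported
    sid: int         # signature that fired
    spoofable: bool  # True when the transport cannot prove the source (e.g. UDP, ICMP)


class ResponsePolicy:
    """Decide whether an alert may turn into a firewall block."""

    def __init__(self, allowlist, blockable_sids, threshold=3, window=60.0, max_blocks=100):
        self.allowlist = set(allowlist)            # infrastructure that must never be blocked
        self.blockable_sids = set(blockable_sids)  # only high-confidence signatures respond
        self.threshold = threshold                 # alerts from one source within the window
        self.window = window
        self.max_blocks = max_blocks               # bounds the damage of a mass-spoofing attack
        self.recent = defaultdict(deque)           # src -> timestamps inside the window
        self.blocked = {}                          # src -> time blocked

    def decide(self, a: Alert) -> str:
        if a.src in self.allowlist:
            return "allowlisted"
        if a.sid not in self.blockable_sids:
            return "ignore"
        if a.spoofable:
            return "unverified-source"
        q = self.recent[a.src]
        q.append(a.ts)
        while q and a.ts - q[0] > self.window:  # drop hits older than the window
            q.popleft()
        if len(q) < self.threshold:
            return "below-threshold"
        if a.src in self.blocked:
            return "already-blocked"
        if len(self.blocked) >= self.max_blocks:
            return "cap-reached"
        self.blocked[a.src] = a.ts
        return "block"


def naive_blocks(alerts):
    """The 'one alert, one block' policy the caveat warns about."""
    return {a.src for a in alerts}


def firewall_commands(policy):
    """Constructed iptables lines for a review queue; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(policy.blocked)]


ALLOWLIST = {"192.0.2.1", "10.0.0.53"}  # default gateway and internal DNS (assumed)
BLOCKABLE_SIDS = {1000001, 1000003}      # constructed signature ids

# Constructed alert stream.
ALERTS = [
    Alert(0.0, "203.0.113.7", 1000001, False),
    Alert(2.0, "203.0.113.7", 1000001, False),
    Alert(5.0, "203.0.113.7", 1000001, False),  # third hit inside the window
    Alert(6.0, "192.0.2.1", 1000003, True),     # spoofed source: our own gateway
    Alert(7.0, "198.51.100.5", 1000003, True),  # spoofed source: an innocent third party
    Alert(8.0, "10.0.0.20", 1000002, False),    # noisy signature, not block-worthy
    Alert(9.0, "203.0.113.7", 1000001, False),
]


def run_demo():
    policy = ResponsePolicy(ALLOWLIST, BLOCKABLE_SIDS)
    decisions = [policy.decide(a) for a in ALERTS]
    return {
        "decisions": decisions,
        "blocked": set(policy.blocked),
        "naive_blocked": naive_blocks(ALERTS),
        "commands": firewall_commands(policy),
    }


if __name__ == "__main__":
    r = run_demo()
    print(r["decisions"])
    print("guarded:", r["blocked"])        # only the persistent TCP attacker
    print("naive:  ", r["naive_blocked"])  # the gateway and a bystander would be cut off too
```

Under the naive policy the spoofed alert against 192.0.2.1 would have blocked the site's own gateway, which is exactly the "attacker controls your firewall" outcome; the guarded policy blocks only the source that produced three verified alerts within the window.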
CHAPTER-2 BASIC REQUIREMENTS

The basic requirements for this IDS deployment, software-wise and hardware-wise, are those listed under Software and Hardware Requirements above.