1 | P a g e

INTRUSION DETECTION SYSTEM By Bikash Dash(White-hat)

Contents

Chapter No Title Page No

1 Introduction 1

2 Basic Requirements 3

3 What is intrusion 4

4 Introduction to IDS 4

4.1 Need of IDS &IPS 4

4.2 IDS VS Firewall 4

5 Types Of IDS 6

5.1 Network –based Intrusion Detection System 6

5.2 Host based intrusion detection system 8

5.3 Distributed Intrusion Detection System 10

6

7

Approaches

The need of IDS

11

11

8 SNORT 13

8.1 SNORT MODES OF OPERATION 13

8.2

8.3

8.4

8.5

Packet sniffers

Network intrusion detection mode

Network rules

Snort rule header

13

14

14

14

9 Configuring snort as ids 16

10 What is ips? 24

11 Challenges in ids 25

12

13

14

Conclusion

Appendices

Reference

26

2728

1

2 | P a g e

AbstractSnort: Intrusion Detection System

Malicious network traffic (such as worms, hacking attempts, etc.) has certain patterns to it.You could monitor your network traffic with a sniffer and look for this malicious traffic manually, but that would be an impossible task. IDS (Intrusion Detection System) software which automates the process of sniffing, examining, and upon finding something suspicious, alerting.

IDS have been called the burglar alarm of computer networks and are an important part of network perimeter security. Without IDS you have no idea if someone is probing or attacking your servers (unless the attack is so overwhelming that it results in a denial of service). Having this information can let you know if you need to make some firewall changes or harden the OS on a particular server a bit more.

You may see the term IPS for Intrusion Prevention Systems which takes things one step further, having the IDS adjust the firewall when it discovers something. Smart people disagree on the use of IPSs as it, in effect, gives an attacker some control of your firewall.

Snort (www.snort.org) is the most widely-used IDS software application and it's open source and included with Debian. There are two flavors of IDSs, host-based and network-based. Snort is a network-based IDS that can monitor all of the traffic on a network link to look for suspicious traffic. Typically, a network-based IDS is set up to monitor a DMZ or the internal network right behind the firewall so it alerts to any possible threats that your firewall didn't catch.

There is a Web interface that works with Snort called BASE (Basic Analysis and Security Engine) which is based on ACID (Analysis Console for Intrusion Databases) which we'll set up. BASE uses what's commonly referred to as a LAMP server (Linux, Apache, MySQL, PHP) so we'll need to install those applications as well.

2

3 | P a g e

Terminology

Alert/Alarm: A signal suggesting that a system has been or is being attacked.

True Positive: A legitimate attack which triggers an IDS to produce an alarm.

False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.

False Negative: A failure of an IDS to detect an actual attack.

True Negative: When no attack has taken place and no alarm is raised.

Noise: Data or interference that can trigger a false positive.

Site policy: Guidelines within an organization that control the rules and configurations of an IDS.

Site policy awareness: An IDS's ability to dynamically change its rules and configurations in response to changing environmental activity.

Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.

Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.

Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.

Masquerader: A user who does not have the authority to a system, but tries to access the information as an authorized user. They are generally outside users.

Misfeasor: They are commonly internal users and can be of two types:

1. An authorized user with limited permissions.

2. A user with full permissions and who misuses their powers.

Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.

3

4 | P a g e

SOFTWARE AND HARDWARE REQUIREMENTSSoftware Specification:OS :- Linux (Backtrack).Snort :- As intrusion detection system.BASE:- Basis analysis and security engine(Graphical detection Engine).MySQL :- Database to log of alerts and intrusions.PHP:- To setup up base on browser.Pear packages:- To set Graphical environment on BASE.Libpcap:- To set up network adapter on packet capture mode onnetwork.(Win cap in case of windows environment).Ado dB:- To setup connectivity between BASE and mysql .Apache: - To run the system as a server on network (having static IP address).Static IP:- The machine running Snort must need a static IP , so that every time you connect to the internet, you will get continuous alerts from from different machines.

Hardware Specification:

System Type : INTELProcessor : Pentium 4Processor Speed : 2.8 GHZHard Disk : 40 GBMemory Size : 128 MBCache Memory : 128 KBKeyboard Type : 104 key’sMonitor Type : EGA/VGAMonitor Manufacture : MicrotekMonitor Size : 15``Mouse : Logitech 3 ButtonsFloppy Card : 1.44 MB

4

5 | P a g e

CHAPTER-1

INTRODUCTION

“An intrusion detection system monitors computer systems, looking for signs of intrusion (unauthorized users) or misuse (authorized users overstepping their bounds).” (1) Intrusion Detection Systems (IDS) can operate on a variety of different levels. Host-Bases IDSs reside on a host machine and execute intrusion detection locally. Network-based Intrusion Detection Systems (NIDS) focus on network data flow. The key to successfully identifying and preventing intrusion lies within the various techniques.“Using intrusion detection methods, you can collect and use information from known types of attacks and find out if someone is trying to attack your network or particular hosts.” IDSs have a series of steps that all need to be completed before a system can be appropriately protected. These steps revolve around the data that is being processed on the system being monitored. “Data is collected by monitoring activities in the hosts or network. The raw data is analyzed to classify activities as normal or suspicious. When a suspicious activity is considered sufficiently serious, a response is triggered.”

Actually An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.IDPSes typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack’s content. TheIntrusion detection system(SNORT) is also a specialized tool that will parse and interpret network traffic or host activities and perform real-time network analysis and logging. This engine can manage number of network ranges,activities,network traffics, port analysis, and firewall and server logs on one system. This will happen when a network activity, malicious content ,intrusions, port analysis activities etc. Matches to our rules and

signatures of our intrusion detection system.

5

6 | P a g e

Some of the monetary tools are used based on IDs, they are below:

Alert/Alarm: A signal suggesting that a system has been or is being attacked. True Positive: A legitimate attack which triggers an IDS to produce an alarm. False Positive: An event signaling an IDS to produce an alarm when no attack has taken place. False Negative: A failure of an IDS to detect an actual attack. True Negative: When no attack has taken place and no alarm is raised. Noise: Data or interference that can trigger a false positive. Site policy: Guidelines within an organization that control the rules and configurations of an IDS Site policy awareness: An IDS's ability to dynamically change its rules and configurations in response

to changing environmental activity. Confidence value: A value an organization places on an IDS based on past performance and analysis

to help determine its ability to effectively identify an attack. Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to

distinguish false positives from actual attacks. Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information,

inflict harm or engage in other malicious activities. Masquerader: A user who does not have the authority to a system, but tries to access the information

as an authorized user. They are generally outside users. Misfeasor: They are commonly internal users and can be of two types:

1. An authorized user with limited permissions.2. A user with full permissions and who misuses their powers.

Clandestine user: A user who acts as a supervisor

6

7 | P a g e

CHAPTER-2

BASIC REQUIREMENTS:

The basic requirements used in IDSes are as follow as software wise and also hardware wise:

SOFTWARE AND HARDWARE REQUIREMENTSSoftware Specification:OS :- Linux (Backtrack).Snort :- As intrusion detection system.BASE:- Basis analysis and security engine(Graphical detection Engine).MySQL :- Database to log of alerts and intrusions.PHP:- To setup up base on browser.Pear packages:- To set Graphical environment on BASE.Libpcap:- To set up network adapter on packet capture mode onnetwork.(Win cap in case of windows environment).Ado Db:- To setup connectivity between BASE and mysql .Apache: - To run the system as a server on network (having static IP address).Static IP:- The machine running Snort must need a static IP , so that every time you connect to the internet, you will get continuous alerts from from different machines.

Hardware Specification:

System Type : INTELProcessor : Pentium 4Processor Speed : 2.8 GHZHard Disk : 40 GBMemory Size : 128 MBCache Memory : 128 KBKeyboard Type : 104 key’sMonitor Type : EGA/VGAMonitor Manufacture : MicrotekMonitor Size : 15``Mouse : Logitech 3 ButtonsFloppy Card : 1.44 MB

7

8 | P a g e

CHAPTER-3

What is Intrusion:-Intrusion is a malicious activity or programs or unauthorized system which can enter into a network without any invitation or identity .These intrusions try to gain access to the network clients or the network server machines. Intrusions use services running on a system in order to successfully exploit the system and create an account on the system. Once the attacker gains unauthorized access to the system , he can install rootkits or backdoors to the system to gain further access to the system and use the system as bot to attack on other machines over the world.

CHAPTER-4

INTRODUCTION TO IDS

Intrusion detection system(SNORT) is a specialized tool that will parse and interpret network traffic or host activities and perform real-time network analysis and logging. This engine can manage number of network ranges,activities,network traffics, port analysis, and firewall and server logs on one system.This will happen when a network activity, malicious content ,intrusions, port analysis activities etc.matches to our rules and signatures of our intrusion detection system. Intrusion detection is the act of detecting unwanted traffic on a network or a device. An IDS can be a piece of installed software or a physical appliance that monitors network traffic in order to detect unwanted activity and events such as illegal and malicious traffic, traffic that violates security policy, and traffic that violates acceptable use policies. Many IDS tools will also store a detected event in a log to be reviewed at a later date or will combine events with other data to make decisions regarding policies or damage control. An IPS is a type of IDS that can prevent or stop unwanted traffic. The IPS usually logs such events and related information.

4.1 Need of IDS and IPS:-Snort as an IDS and IPS can perform real-time packet analysis andlogging on network. One of the powerful features of snort is protocol analysis and content searching/matching and uses it to detect varietyof attacks such as buffer overflow , stealth port scans, SMB probes,OS footprinting etc.

4.2 IDS vs. Firewalls:-Firewalls:-Firewalls are the set of predefined rules and programs that can monitor and filter every packet flowing through the network.Firewalls are used over a network in order to protect the homenetwork resources from being accessed by the outside world(internet).Firewalls also works as a proxy server for the home network. Every data coming from outside client first pass through the firewall and then given access to the recourses. Firewall only works on well known ports and services such as: Trojan ports, os footprinting, somekind of malicious code detection etc. The network administrator can only use the predefined set of programs and rules and cannot set up own.

8

9 | P a g e

Firewalls have serious limitations:-- Firewalls cannot prevent inside attacks from network.- Cannot detect higher level attacks.- No firewall provides protection against viruses.- Firewall can’t find other vulnerabilities which might allow hacker toaccess internal network.

IDS(Snort):-Snort IDS is a more powerful engine then Firewalls:-- Snort Intrusion detection engine can be configured manually by the network administrators to write there own rules for thenetwork.- Snort engine can be set up for any any ports filtering ,packetfiltering and matching, sniffing and logging data.- Can prevent attacks from internal network users.- Can generate instant alerts for various viruses , worms, Trojans ,backdoors etc. and log them.- Administrator can rule to filter out and match every packet to the signatures defined on the network.

9

10 | P a g e

CHAPTER-5

Technologies(TYPES OF IDS):Several types of IDS technologies exist due to the variance of network configurations. Each type has advantages and disadvantage in detection,configuration, and cost. Specific categories will be discussed in detail in Section 3, Technologies.1. Network-based intrusion system(NIDS).2. Host-based intrusion system(HIDS).3. Distributed intrusion system.

5.1 Network-Based intrusion system(NIDS):-NIDS monitors the entire network perspective of the location where it is deployed .In this case, the NIDS must operate in promiscuous mode in order to monitor all the network traffic(not only the data assigned for particular NIC card). This is necessary to run the NIC card in promiscuous mode in order to protect the whole network connections. A Network Intrusion Detection System (NIDS) is one common type of IDS that analyses network traffic atall layers of the Open Systems Interconnection (OSI)model and makes decisions about the purpose of the traffic, analyzing for suspicious activity. Most NIDSs are easy to deploy on a network and can often view traffic from many systems at once. A term becoming more widely used by vendors is “Wireless Intrusion Prevention System” (WIPS) to describe a network device that monitors and analyses the wireless radio spectrum in a network for intrusions and performs countermeasures. “Network-based ID involves looking at the packets on the network as they pass by some sensor.” (“http://www.sans.org/resources/idfaq/network_based.php”) Packets are only of interest if they happen to match a particular signature. There are three main types of signatures:

String signatures – Look for strings, or combinations of strings, that could potentially be an intrusion. Signatures containing sensitive file names may cause an alarm.

Port signatures – Signatures that contain port numbers that are regularly attached (i.e. telnet (TCP port 23), FTP (TCP port 21/20), SUNRPC (TCP/UDP port 111), and IMAP (TCP port 143), or communications that are utilizing ports that are not used may be reason for suspicion.

Header condition signatures – Signatures that contain illogical data or well known, dangerous content. “The most famous example is Winnuke, where a packet is destined for a NetBIOS port and the Urgent pointer, or Out Of Band pointer is set. This resulted in the "blue screen of death" for Windows systems.” (“http://www.sans.org/resources/idfaq/network_based.php“)

The key to making this intrusion detection system successful lies within the placement. Sensors need to be in a position that will exposed the sensors to the flow of network packets.

5.1.1 An Overview of the Open SystemsInterconnection Model(OSI)A NIDS is placed on a network to analyze traffic in search of unwanted or malicious events. Network traffic is built on various layers; each layer delivers data from one point to another. The OSI model and transmission control protocol(TCP)/IP model show how each layer stacks up. Within the TCP/IP model, the lowest link layer controls how data flows on the wire, such as controlling voltages and the physical addresses of hardware, like mandatory access control (MAC) addresses. The Internet layer controls address routing and contains the IP stack. The transport layer controls

10

11 | P a g e

data flow and checks data integrity. It includes theTCP and user datagram protocol (UDP). Lastly, the most complicated but most familiar level is the application layer, which contains the traffic used by programs. Application layer traffic includes the Web(hypertext transfer protocol [HTTP]), file transfer protocol (FTP), email, etc. Most NIDSs detect unwanted traffic at each layer, but concentrate mostly on the application layer.

Figure 1.1

NETWORK INTRUSION DETECTION SYSTEM

11

12 | P a g e

5.2 Host-based intrusion detection system (HIDS):-

HIDS is a system that can be used on the host machine. In this case,the IDS will detect only the data coming on the host machine and work on entire network. The NIC card works in non-promiscuous mode by default. Another advantage of HIDS is, we can set different rule set for different hosts on the network.

Host-Based Intrusion Detection is accomplished by installing software on each individual local system. These software modules, or agents, work on the client system to perform intrusion detection. This can be accomplished using a variety of methods. One common method is to have the software agent monitor the system logs, and look for irregular patterns. An example of this is when an agent watches for unauthorized activities done by a user without adequate permissions. Essentially, the agent will keep a running log of the users actions. If the users actions raise a red flag (meaning that the actions of the user are suspicious), then the system administrator is able to backtrack the actions, and investigate why a particular user was using the system in that way. Another effective method for Host-Based IDSs is to watch for suspicious processes that are running. Sometimes a particular process name can mean trouble for system administrator, depending upon its purpose. Protecting the integrity of the system files is another high priority task for Host-Based IDSs. An IDS agent can take an inventory of system files, along with their permissions, and report any changes to the set. The same auditing tactic can be used to watch user accounts. An IDS that witnesses a users permissions being changed, or unauthorized user being created can indicate problems for a systems administrator. All of these methods are classified as agent-based software, which makes up the largest category of Host-Based IDSs. The other major category is the host wrappers/personal firewalls. “Host wrappers or personal firewalls can be configured to look at all network packets, connection attempts, or login attempts to the monitored machine.” (http://www.sans.org/resources/idfaq/host_based.php) Examples of these are dial-in attempts, non-network related communication ports, or software other software on the host attempting to connect to the network. (“http://www.sans.org/resources/idfaq/host_based.php”)

12

13 | P a g e

Figure 1.2HOST BASED INTRUSION DETECTION SYSTEM

Distributed intrusion detection system(DIDS):-

13

14 | P a g e

DIDS is just a combination on NIDS and HIDS over a network.

FIGURE 1.3Distributed intrusion detection system

14

15 | P a g e

CHAPTER-6

ApproachesJust as with many other technologies today, no single approach is going to give appropriate protection.

Therefore, a combination of the two or more intrusion detection techniques should be applied. “Within its limitations, it is useful as one portion of a defensive posture, but should not be relied upon as a sole means of protection.” (2) IDSs will never entirely replace the need for professional system administrators, mainly because a large function of the IDS system is merely data collections. Although the IDS can provide some help in data analysis, the need for human interaction/analysis will probably never go away. Not all-suspicious behavior should be assumed to be malicious, and IDSs would do just that.

CHAPTER-7

The Need for Intrusion Detection SystemsA computer intrusion can be damaging in a variety of ways, depending on the intent of the intrusion.

If the intrusion amounts to a nuisance, then resources have to be expended to alleviate the problem. This requires the system administrator to divert their attention away from business, and to focus on the annoyance. Even if an intrusion isn’t malicious, i.e. not damaging or theft related, the intrusion could bog down the network, causing a loss of productivity among the employees. Intrusions that are aimed at theft are particularly damaging to a company in terms of competition. Companies go to great lengths to protect their Intellectual Property, since it can be such a large source of income and market share. If this information falls into the wrong hands, i.e. the competition, then the company can suffer greatly due to lost revenue. Malicious damages may come about by a hacker who intends to hurt a company by destroying data. This is the most damaging type of an attack because it has a snowball effect. Not only does a company lose many records, customer information, business contacts, etc., but they also take a huge hit in the productivity area. Until all the information is restored, much of the staff cannot work efficiently. A company may also lose customers due to the fact that the company has the target of a computer hacking. Customers tend to get very nervous when they think that their personal data has the potential to fall into the wrongs hands.

March 11, 2005 - Pleasant Hill, California Computer Hacker from "Deceptive Duo" Guilty of Intrusions into Government Computers and Defacing Websites ($70,000)

September 9, 2004 - Ex-Official Of Local Computer Consulting Firm Pleads Guilty To Computer Attack Charge ($100,000)

August 23, 2004 - Former Employee Of A Massachusetts High-Technology Firm Charged With Computer Hacking ($26,400)

July 28, 2004 - Vallejo Woman Admits To Embezzling More Than $875,035 - Not-For-Profit Organization Victim Of Computer Fraud ($875,035)

July 21, 2004 - Florida Man Charged With Breaking Into Acxiom Computer Records - Intrusion and Theft of Data Result in Loss of More than $7 Million ($7,000,000)

May 1, 2001 - Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison ($80,000,000)

from http://www.usdoj.gov/criminal/cybercrime/cccases.html Many of the attacks listed above were done by “insiders”, which are people that had access to the

company’s internal network. In the case of an insider attack, a firewall can provide little protection. A common mistake occurs when companies assume that a firewall will protect them from hackers. One must understand the limitations of a firewall:

15

16 | P a g e

1. “Not all access to the Internet occurs through the firewall. The firewall cannot mitigate risk associated with connections it never sees.” (5)

2. “Not all threat originates outside the firewall. Intrusion detection systems are part of the infrastructure that is privy to the traffic on the internal network. Therefore, they will become even more important as security infrastructures evolve.” (5)

7.1 IDS LocationThe location of a Network Intrusion Detection System can be the deciding factor between success and failure. The type of information collected can also vary greatly depending on where the IDS sensor is placed. For example, in the figure below:

from http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_chapter09186a0080104f0c.html#145)

Sensor #1: This sensor monitors the communication between a protected network and the internet. This is the most common type of protection that is practiced.

Sensor #2: This sensor monitors the communication between a protected network and remote access servers.

Sensor #3: This sensor monitors the communication between internal sites. Sensor #4: This sensor monitors the communication between a protected network and the extranet

connection with a business partner.Having sensors at these various locations is necessary for complete coverage. Each sensor is strategically placed to collect data that could be the site of an intrusion attempt. A sensor should be placed in front of the firewall, so that the system administrator can start collecting data about the types of attacks that are being attempted against the network. A sensor should also be placed to aid the firewall (at the firewall level) in preventing attacks. In the event that an intrusion makes it past the firewall, another IDS agent should be there to intercept/divert the intrusion, or at least log the event. Lastly, a sensor should be placed on the local network for traffic that does no pass through the firewall. Statistics show that the most common type of system misuse comes from “insiders”.

16

17 | P a g e

7.2 Intrusion TacticsFending off potential attackers is must easier when the attack tactics are known. Listed below are the common hacking tactics used by computer hackers:

Password cracking – Discovery of user’s passwords. Trojan horses - Malicious programs that are disguised as legitimate software Interception of Communication - Gains unauthorized access or exceeds authorized access. Spoofing - A program used by a cracker to trick a computer system into thinking it is being accessed

by an authorized user. Packet Sniffer - A software or hardware tool that monitors data packets on a network. Generally used

to discover user passwords. Hacking - Taking advantage of system weaknesses to gain access to resources or privileges

from Intrusion Detection Systems (IDS) Part I (http://www.windowsecurity.com/articles/Intrusion_Detection_Systems_IDS_Part_I__network_intrusions_attack_symptoms_IDS_tasks_and_IDS_architecture.html)These are just a few of the many types of attacks that a systems administrator may have to face. Due to the

vast size of today’s networks, many companies are far more susceptible to attacks than they probably think. Comfort can no longer be found by hiring experienced/over-priced system administrators to fend off all of these attacks. Companies would go broke trying to compensate their resource pool of system administrators.

CHAPTER=8

SnortSnort is a lightweight intrusion detection system. Martin Roesch, who was aiming at creating an open

source package that could rival the commercial systems, developed Snort in 1998. Snort has had incredible success in the open source arena and has been established as a true competitor to commercial solutions.

8.1 Snort Modes of OperationSnort has two main modes of operation. This first is a packet sniffer mode, which is similar to

tcpdump. Packets are stored in a log file, which allows for later analysis. The other mode of operation is a Network Intrusion Detection System (NIDS). When Snort functional in this mode, rule sets are applied to packets, which in turn, look for suspicious behavior. Both modes of operation are detailed below.

8.2 Packet SnifferRunning Snort in packet sniffer mode will allow system administrators to collect and store packet data.

Snort can be configured to collect packet data in varying detail, depending on how much detail is required. Although very similar to tcpdump, Snort does have features that extend beyond the capability of tcpdump. “The major feature that Snort has which tcpdump does not is packet payload inspection. Snort decodes the application layer of a packet and can be given rules to collect traffic that has specific data contained within its application layer.” (http://www.snort.org/docs/lisapaper.txt) Snort also has a more readable display of the packet data. One additional feature that Snort provides is that while logging to a file, Snort will still log in a format that is compatible with tcpdump, so users can still use tcpdump for analysis.

17

18 | P a g e

8.3 Network Intrusion Detection ModeRunning Snort in Network Intrusion Detection Mode is quite different than running in packet sniffer

mode. Network Intrusion Detection mode does not capture/log the network packets. Instead, it applies a set of rules on each passing packet. The set of rules are managed by the system administrator and should reflect common intrusion patterns. These patterns are a lot like virus definition files in that they show a list of common packet patterns that generally indicate an intrusion or misuse of the system. No action is taken if the packet does not meet one of the implemented rules. If a packet does match one of the rules, then the packet is logged, and may also generate an alert. An alert is a notification to the system administrator that a questionable packet has just been received (or send out) from a particular system.

8.4 Network Intrusion Detection RulesThe rules definition files can generally be found in the /opt/snort/etc/snort.conf and can be activated

with the “-c” command line option. Snort rules contain two basic elements: a Rule Header and Rule Options. The Rule Header is going to contain the criteria for packet matching. It also contains instructions on what actions need to be taken in the event of a rule match. The Rule Options part will contain supplemental information to be used for the matching criteria. An example of a rule is provided below:

alert ip any any -> any any (msg: "IP Packet detected";)In this example, an alert is generated every time as IP packet is detected, either sending of receiving. This is a good rule to test Snort, but do not leave this rule in place. The particular rule has the ability to fill up a users hard rive because of all the excessive logging.

8.5 Snort Rule HeaderThe rule header contains a lot of information that need to be broken down into different sections.

Below is a listing of the Snort Rule Header architecture:

Action Protocol Address Port Direction Address Port

Action: The action part of the rule determines the type of action taken when criteria are met and a rule is exactly matched against a data packet.

Protocol: The protocol part is used to apply the rule on packets for a particular protocol only. Address: The address parts define source and destination addresses. Port: In case of TCP or UDP protocol, the port parts determine the source and destination ports of

a packet on which the rule is applied. In case of network layer protocols like IP and ICMP, port numbers have no significance.

Direction: The direction part of the rule actually determines which address and port number is used as source and which as destination.

8.6 Snort Rule OptionsSnort Rule Options can be found within the set of parenthesis contain in a Snort Rule. Options generally follow the format of having a keyword (i.e. ACK, CLASSTYPE, CONTENT, OFFSET, DEPTH, CONTENT-LIST, DSIZE, FLAGS, FRAGBITS, ICMP_ID, ICMP_SEQ, ITYPE, ICODE, ID, IPOPTS, IP_PROTO, LOGTO, MSG, PRIORITY, REACT, REFERENCE, RESP, REV, RPC, SAMEIP, SEQ, FLOW, SESSION, SID, TAG, TOS, TTL, URICONTENT), followed by an argument. The options portion of the rules is capable

18

19 | P a g e

of AND logical. The options supplement the rule header’s matching criteria. With all of these option available to the users, the search capability of Snort sets itself apart from the competition.

8.7 Snort AlertsWhen a packet does meet the criteria of a rule, then Snort can either log the entry to a log file, or it can send out an alert. Snort has a variety of alert modes, which are all detailed below:

Fast Mode (“-A fast”) – This mode reports Timestamp, Alert message, Source and destination IP addresses, and Source and destination ports. The actual packet is not logged while using this mode.

Full Mode (“-A full”) – This mode reports the same information as in Fast Mode, but it also includes the packet’s header.

UNIX Socket Mode (“-A unsock”) – This mode will allow a system administrator to send alerts to other programs using a UNIX socket.

Alerts to Syslog (“-s”) – This mode will store the alert is the syslog, which is where system level events are recorded.

SNMP Mode – Alerts can also be sent as SNMP messages, where Network Management Systems can help system administrators identify and correct the problem.

19

20 | P a g e

CHAPTER-9

Configuring Snort as IDS:-Installing Snort and BASE

Snort, the intrusion detection system, is a network monitor that watches traffic on the network and picks out anomalies. Originally designed by Martin Roesch, Snort is known as one of the premier open source security software suites in the world. The name is originally derived from Martin, who developed what he saw as a packet sniffer. But he knew that the software could do much more than just sniff packets, so he came up with Snort. It was not until much later that the Pig came into play at all.A very important thing about Snort is its ability to be implemented into many different types of tools. One of these tools is BASE, or the Base Analysis and Security Engine. BASE allows a user to set up a main system for monitoring, most likely utilizing Snort, and view the output on a separate machine via an easy to navigate and use web browser. All the information is stored in an easy to use format, with the ability to dig deeper into the data. The one thing that is difficult in BASE is the setup. This includes many different aspects, including installing, configuring, and running Snort. Following this, you have to set up a MySQL database, which can be a feat in itself, and finally an Apache Web Server. So in all essence, this is the installing and configuring of four major projects all in one. But once the final project is complete, it is quite a fantastic outcome.To start off with, you have to install LAMP. Basically, LAMP stands for Linux Apache MySQL PHP. These are some of the base services and programs needed for the project. Since we are building this project on an Ubuntu 10.10 system, we will use# tasksel install lamp-serverYou may have to install tasksel, because it is not a base package installed by default. After that, you will have most of the base tools you need for the system to run. When you install lamp, it will ask you plenty of questions, including asking for what the password for the root user will be on the MySQL database. The point of this software is to serve as the backbone for the software. LAMP uses Apache as the HTTP server for ACID/BASE, so the user can easily interact with the data, and MySQL serves as the backend database to hold the information.After installing that, you have to set up the MySQL database for snort. This is easily done by running the following commands:# mysql –u root –pmysql> create database snort;mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON snort.* TO ‘snort’@’localhost’ IDENTIFIED BY ‘password’;mysql> FLUSH PRIVILEGES;mysql> quitWhat this does is create the database that Snort will use to store the network information in. Now, there is another very important step, actually installing Snort. This is most easily done by installing it using apt-get again:# apt-get install snort-mysqlThis will begin the installation. There again are a few more questions that need to be answered. One is to input the network address for your local network. Included in this network address will be classless inter-domain routing, or CIDR. If you are on a home network, this is most likely going to be /24. If working on a corporate

20

21 | P a g e

network, check with the network administrator. After putting that in, the installation will ask if you want to install a database. We already have set one up, so we aren’t going to worry about that. So go ahead and put no.The next part is to add in the table structure for the MySQL database used with Snort. Snort, when downloaded, creates in a file called “create_mysql.gz” that includes the tables needed to log data to a database for MySQL. We are going to use this. The following commands are what are needed:# cd /usr/share/doc/snort-mysql# zcat create_mysql.gz | mysql –u snort –p snortInsert your password…# cd –What this does is to change to the snort MySQL directory that has the “create_mysql.gz” file. From there, we add the contents of that file to the database we created called snort. Then we go back to the original directory we were just in.The next little thing that is needed is to add a comment to the snort.conf file in /etc/snort/ directory. It should be on line 786, and looks about like this:

I want you to notice also that the password is in clear text, in the configuration file. That is, it shows it is password. After you do that work, go ahead and start the Snort daemon. This is done with the following command:# /etc/init.d/snort startNow, finally for the fun part. We get to install ACID/BASE. Go ahead and install acidbase from the command line again:# apt-get install acidbaseThis will start the installation. Again, you will be asked a few questions. The first will ask if you want to configure a database type for acidbase. Go ahead and say yes, then choose MySQL. You will have to enter a password, so go ahead and put in the password you used for setting up LAMP at the very beginning. Give one more user password, and your acid is set up.Now you have to do a simple edit to your /etc/acidbase/apache.conf file:

What this does is to allow the local system to connect to the acidbase setup. My IP address on the machine is 192.168.146.164, with a subnet mask of 255.255.255.0, or /24 CIDR. After doing that, restart the Apache server by typing:# /etc/init.d/apache2 restart

21

22 | P a g e

Snort :- Snort delivers the high performance engine. This engine consists of threat detection and prevention components that work together to reassemble traffic, prevent evasions, detect threats, and output information about these threats without creating false positives or missing legitimate threats.We need to configure snort manually in according to the needs of the network from the snort configuration file(snort.conf):-

FIGURE 2.1SNORT.CONF

22

23 | P a g e

Here we will set the network range for IDS . We can set it for multiple network ranges such as : 192.168.1.1/254 or192.168.1.1/254,192.168.11.1/254 etc.Set var HOME_NET any to:- var HOME_NET 192.168.1.0/101Set var EXTERNAL_NET any to:-var EXTERNAL_NET !$HOME_NETAfter that , we will set snort engine for our rules. Use the same file(snort.conf) to use rules.

FIGURE 2.2NETWORK RANGE

23

24 | P a g e

Configure snort for any number of rules you want such as :-Bad traffic , port scans, exploits, ftp, dos attacksSyntax of Rules defining:-Here's the general form of a Snort rule:Action proto src_ip src_port direction dst_ip dst_port (options)Example:-activate tcp any any -> 192.168.1.21 22 (content:"/bin/sh";activates:1; msg:"Possible SSH buffer overflow"; )dynamic tcp any any -> 192.168.1.21 22 (activated_by:1; count:100;)Next step , is to install PHP and PHP extensions for BASE to workproperly(graphs, statics, bar graphs etc.).

The next step is to download ADODB to maintain connectivity between Snort BASE engine and mysql

databse.Configure apache2 server to use mysql as backend database. We will set mysql extensions in apache2 configuration file.

24

25 | P a g e

FIGURE2.3ADODB

25

26 | P a g e

Finally, go to your web browser and go to http://localhost/acidbase to get to the website running. Sometimes you may get an error, in which case you can go to http://localhost/acidbase/base_db_setup.php to set up the different databases you may need. Your web server should look a little like this:

FIGURE 3.1BASE

Now mine already has a few alerts, but the system is now up and running. Congratulations! Now run an nmap scan on the system, and you’ll start to see alerts start to really pop up.Now we have to check weather the snort is working or not, this can be done by using a command :-Snort -c /etc/snort/snort.conf

26

27 | P a g e

FIGURE 3.2ALERT

27

28 | P a g e

CHAPTER-10

What is IPS:-An Intrusion Detection System (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management. IDPSs have become a necessary addition to the security infrastructure of nearly every organization. Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected.

10.1How IPS works:- 10.1.1Signature-based: compares known threat signatures to observed events to identify incidents.• This is very effective at detecting known threats but largely ineffective at detecting unknown threats and many variants on known threats.• Signature-based detection cannot track and understand the state of complex communications, so it cannot detect most attacks that comprise multiple events.Examples:• A telnet attempt with a username of “admin”, which is a violation of an organization’s security policy.• An e-mail with a subject of “Download movies” and an attachment filename of *.exe, which are characteristics of a known form of malware. 10.1.2Anomaly- Anomaly-based detection: sample network activity to compare to traffic that is known to be normal.• When measured activity is outside baseline parameters or clipping level, IDPS will trigger an alert.• Anomaly-based detection can detect new types of attacks.• Requires much more overhead and processing capacity than signature-based .• May generate many false positives.10.1.3Stateful protocol analysis: A key development in IDPS technologies was the use of protocol analyzers.• Protocol analyzers can natively decode application-layer network protocols, like HTTP or FTP. Once the protocols are fully decoded, the IPS analysis engine can evaluate different parts of the protocol for anomalous behaviour or exploits against predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state.• Problems with this type include that it is often very difficult or impossible to develop completely accurate models of protocols,it is very resource-intensive, and it cannot detect attacks that donot violate the characteristics of generally acceptable protocol behaviour.

28

29 | P a g e

CHAPTER-11

Challenges in IDS:11.1 Id scalability in large networks:Many networks are large and can even contain a heterogeneous collection of thousands of devices. Sub-components in a large network may communicate using different technologies and protocols. One challenge for IDS devices deployed over a large network is for IDS components to be able to communicate across sub-networks, sometimes through firewalls and gateways. On different parts of the network, network devices may use different data formats and different protocols for communication. The IDS must be able to recognize the different formats. The matter is further complicated if there are different trust relationships being enforced within parts of the network. Finally, the IDS devices must be able to communicate across barriers between parts of the network. However, opening up lines of communication can create more vulnerabilities in network boundaries that attackers can exploit.

11.2 Vulnerabilities in Operating SystemsMany common operating systems are simply not designed to operate securely. Thus, malware often is written to exploit discovered vulnerabilities in popular operating systems. Depending on the nature of the attack, many times if an operating is compromised, it can be difficult for an IDS to recognize that the operating system is no longer legitimate. Moving forward, operating systems must be designed to better support security policies pertaining to authentication, access control,and encryption.

11.3 Signature-Based DetectionA common strategy for IDS in detecting intrusions is to memorize signatures of known attacks. Theinherent weakness in relying on signatures is that the signature patterns must be known first. New attacks are often unrecognizable by popular IDS. Signature scan be masked as well. The on going race between new attacks and detection systems has been a challenge

29

30 | P a g e

CHAPTER-12

Conclusion:Nothing is security in this world. Every new lock has every new key. May be you have not, but someone have definitely…………Intrusion detection and prevention systems are important parts of a well-rounded security infrastructure. IDSs are used in conjunction with other technologies (e.g., firewalls and routers), are part of procedures (e.g., log reviews), and help enforce policies. Each of the IDS technologies—NIDS, WLAN IDS, NBAD, and HIDS—are used together, correlating data from each device and making decisions based on what each type of IDS can monitor. Although IDSs should be used as part of defense in depth (DiD), they should not be used alone. Other techniques, procedures, and policies should be used to protect the network. IDSs have made significant improvements in the past decade, but some concerns still plague our security administrators. These problems will continue to be addressed as IDS technologies improve.All the works are based on the education purposes and security audits.we are trying to solve and minimize the mistakes,if mistakes are found then suggestion can be given to bikash.dash2012@gmail.com

30

31 | P a g e

CHAPTER-13

IDS …………………………………….. 4SNORT……………………………………..13BASE ……………………………………..16IPS …………………………………….. 24

31

32 | P a g e

References

Amsterdam.(2010,1217).SnortIDS.Retrievedon05,2011,fromhttp://help.ubuntu.com/community/SnortIDS

Install Snort and BASE. (n.d.). Retrieved April 14, 2011, from VladGH: http://vladgh.com/blog/install-snort-and-base

Turnbull, J. (n.d.). Improving Snort performance with Barnyard. Retrieved April 18, 2011, from TechTarget:

http://searchenterpriselinux.techtarget.com/tip/Improving-Snort-performance-with Barnyard?ShortReg=1&mboxConv=searchEnterpriseLinux_RegActivate_Submit&

32

33 | P a g e

33