Network Intrusion Detection System And Analysis BIKRANT GAUTAM SECURITY AND CRYPTOGRAPHIC PROTOCOL – 606 SCSU 2015
Post on 08-Aug-2015


Intrusion Detection System Overview

What is an intrusion?

Gaining access to restricted computer infrastructure

What is an intrusion detection system?

A mechanism to detect and trace the intrusion

Why is it required?

To protect the CIA triad (confidentiality, integrity, availability)

How does IDS work?

Intrusion Detection System

• Two IDS in this model

• One external for monitoring external traffic

• One internal for monitoring internal traffic

Types of IDS

HIDS (host-based IDS) examine specific host-based actions, such as which applications are being used, which files are being accessed and what information resides in the kernel logs.

NIDS (network-based IDS) analyze the flow of information between computers, i.e., network traffic. They essentially "sniff" the network for suspicious behavior.

NIDS Introduction

Why NIDS?

Monitor network traffic

Alert the responsible personnel or the target

Apply preventive measures (Network Intrusion Prevention System)

NIDS Functionality: How does it work?

Sniffing

Collect and inspect incoming traffic

Protocol awareness

Protocol reassembly and normalization

Alerting

Send email / log events / send SNMP traps

Modes of Detection

Signature Based

Old method

Compare data packets against known malicious sequences

Protocol Awareness

Compare the network packets against the protocol standard

Behavioral Analysis

Recent development

Learn the normal pattern, alert when the pattern changes

Types of NIDS/NIPS

Commercial

Check Point IPS, Cisco IPS, IBM Security NIPS

Roll your own

Free to use: Snort, Bro

Output of NIDS/NIPS

Depends upon the vendor

General evidence/output

Configuration: Configuration of devices being monitored

Alert Data: Alerts delivered through text files, email, SMS

Packet headers/flow information: logged headers of malicious packets

Content Data: Captured full data packets

Correlated Activities: Correlated event data

NIDS Example: Snort

The single most widely used IDS in the world.

Signature Based

Open Source

Large support community

SNORT ARCHITECTURE

Source: Truica Victor, http://truica-victor.com/snort-architecture/

SNORT CONFIGURATIONS

RULES

Each rule is written on a single line

Rules are created with known intrusion signatures

Stored in /etc/snort/rules

Native alerts are stored in /var/log/snort

Global configuration values are stored in /etc/snort/snort.conf

Header

Example rule header

log tcp 192.168.1.12 123 -> 192.168.1.19 27

RULE BODY

Rule Body

Carries the metadata about the event

Rule options: msg, sid, rev, reference

Example:

SNORT EXAMPLES

Snort rule

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)

Snort packet

IP 10.0.1.10 > 10.0.1.254: ICMP echo request, id 32335, seq 0, length 64

0x0000: 4500 0045 a023 ab00 87ef 0a00 abc8 01oe E . . T . . . . .@ . X . . . . .

0x0010: 3400 0145 02a3 acd0 84af 0000 dbc5 0101 .u . T . - &. . . . . . . . . . I

Snort Alert

[**] [1:384:5] ICMP PING [**]
[Classification: Misc Activity] [Priority: 3]
04/13-03:12:08.359790 10.0.1.10 -> 10.0.1.254
ICMP TTL:64 TOS:0x0 ID:38125 IpLen:20 DgmLen:84
Type:8 Code:0 ID:32335 Seq:1 ECHO
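As an added example (not part of the slides or of Snort itself), the Python below parses the slide's rule into its seven header fields and its options, evaluates it against a constructed decode of the echo request shown above, and renders the matched event in the [gid:sid:rev] layout of the alert. The $HOME_NET and $EXTERNAL_NET values are assumed, and only the header, itype and icode are evaluated.

```python
import ipaddress
import re

# The rule from the slide (Snort community rule sid 384) and a constructed decode of
# the slide's echo request; PACKET is sample data, not a real capture.
RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)')
PACKET = {'proto': 'icmp', 'src': '10.0.1.10', 'dst': '10.0.1.254',
          'itype': 8, 'icode': 0, 'id': 32335, 'seq': 1}
VARIABLES = {'$HOME_NET': '10.0.1.0/24', '$EXTERNAL_NET': 'any'}  # assumed snort.conf values

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$')
# Options are "name:value;" pairs; a quoted value may itself contain ';'.
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')

def parse_rule(text):
    """Split a one-line Snort rule into its header fields plus an options dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('not a Snort rule: %r' % text)
    rule = m.groupdict()
    body = rule.pop('body')
    rule['options'] = {k: v.strip('"') for k, v in OPTION_RE.findall(body)}
    return rule

def addr_matches(spec, ip, variables):
    """Resolve $VAR and 'any', then test ip against one CIDR or a [a,b,...] list."""
    spec = variables.get(spec, spec)
    if spec == 'any':
        return True
    nets = [ipaddress.ip_network(n.strip(), strict=False) for n in spec.strip('[]').split(',')]
    return any(ipaddress.ip_address(ip) in n for n in nets)   # '!' negation not handled

def rule_fires(rule, pkt, variables):
    """Header match (protocol, addresses) plus the itype/icode options used by the rule."""
    if rule['proto'] != pkt['proto']:
        return False
    if not (addr_matches(rule['src'], pkt['src'], variables) and
            addr_matches(rule['dst'], pkt['dst'], variables)):
        return False
    opts = rule['options']
    return all(int(opts[k]) == pkt[k] for k in ('itype', 'icode') if k in opts)

def alert_lines(rule, pkt):
    """Render the matched event in the [gid:sid:rev] layout of a Snort full alert."""
    o = rule['options']
    return ['[**] [1:%s:%s] %s [**]' % (o['sid'], o['rev'], o['msg']),
            '%s -> %s' % (pkt['src'], pkt['dst']),
            'Type:%d Code:%d ID:%d Seq:%d ECHO' % (pkt['itype'], pkt['icode'], pkt['id'], pkt['seq'])]
```

Changing itype to 0 (an echo reply) or the destination to an address outside $HOME_NET makes rule_fires return False, which is the header-plus-options matching the slides describe.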

Malicious Packet

Snort rule to capture malicious packet

Alert Fired

Challenges with current NIDS (Snort / signature based)

More processing for packet logging

Requires high disk capacity to log information

Conclusion

NIDS/NIPS are the first step against malicious activities

Investigators leverage evidence from NIDS to find the root of the problem

Field of further study and research

Case Study

Case Study: Corresponding packet analysis

Snort Alert / Corresponding Packet

Case Study: Further exploring the packet content

Packet Content Analysis:

Case Study

Analysis of HEX Values

Case Study: Further Action

Case Study: Further analysis of target IP (192.168.1.69)

Searching all the alerts related with this IP

Count of malicious alerts for the same IP

Alert Message

Case Study: Alert Message Analysis

The alert:

TCP Window Scale Option found with length > 14

Findings:

Case Study: Investigation Findings and Conclusion / Further Steps

Thank you