IDS - Ankurm.com

Aim: To study the scope and importance of Intrusion detection systems
Theory:
Intrusion Detection System (IDS)
Definition:
An intrusion detection system (IDS) inspects all inbound and outbound network activity and
identifies suspicious patterns that may indicate a network or system attack from someone
attempting to break into or compromise a system.
Intrusion detection functions include:
- Monitoring and analyzing both user and system activities
- Analyzing system configurations and vulnerabilities
- Assessing system and file integrity
- Recognizing patterns typical of attacks
- Analyzing abnormal activity patterns
- Tracking user policy violations
ID systems are being developed in response to the increasing number of attacks on major sites
and networks, including those of the Pentagon, the White House, NATO, and the U.S. Defense
Department. The safeguarding of security is becoming increasingly difficult, because the
possible technologies of attack are becoming ever more sophisticated; at the same time, less
technical ability is required for the novice attacker, because proven past methods are easily
accessed through the Web.
There are several ways to categorize an IDS:

NIDS (Network Intrusion Detection Systems):
Network Intrusion Detection Systems are placed at a strategic point or points within the
network to monitor traffic to and from all devices on the network. Ideally you would scan
all inbound and outbound traffic, however doing so might create a bottleneck that would
impair the overall speed of the network.

HIDS (Host Intrusion Detection Systems):
Host Intrusion Detection Systems run on individual hosts or devices on the network.
A HIDS monitors only the inbound and outbound packets of the device it runs on and alerts
the user or administrator if suspicious activity is detected.

Signature Based:
A signature based IDS will monitor packets on the network and compare them against a
database of signatures or attributes from known malicious threats. This is similar to the
way most antivirus software detects malware. The issue is that there will be a lag between
a new threat being discovered in the wild and the signature for detecting that threat being
applied to your IDS. During that lag time your IDS would be unable to detect the new
threat.

Anomaly Based:
An anomaly based IDS monitors network traffic and compares it against an established
baseline. The baseline identifies what is “normal” for that network (what sort of
bandwidth is generally used, what protocols are used, which ports and devices generally
connect to each other) and the IDS alerts the administrator or user when traffic is
detected that is anomalous, i.e. significantly different from the baseline.

Passive system vs. Reactive system:
In a passive system, the IDS detects a potential security breach, logs the information and
signals an alert. In a reactive system, the IDS responds to the suspicious activity by
logging off a user or by reprogramming the firewall to block network traffic from the
suspected malicious source.
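The two detection approaches and the passive/reactive distinction above are easy to see side by side in code. The following is an added example, not code from the page or from any IDS product: a toy inspector that runs a small constructed signature database over connection payloads, learns a baseline of "normal" services and byte volumes from constructed history records, and, in reactive mode, adds an offending source to a block list (standing in for a firewall rule change). All hosts, ports, patterns and byte counts are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    """One summarised connection (constructed sample data, not a real capture)."""
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int
    payload: bytes = b""


# Signature database: known-bad byte patterns, as a signature-based IDS would hold.
# Both patterns are constructed illustrations, not entries from a real rule set.
SIGNATURES = {
    "nop-sled": b"\x90" * 16,
    "fake-c2-beacon": b"BEACON-ID=",
}


def signature_alerts(conn):
    """Signature detection: which known patterns occur in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in conn.payload]


def build_baseline(history):
    """Learn 'normal': the (proto, dport) services seen and mean bytes per source host."""
    total, count, services = defaultdict(int), defaultdict(int), set()
    for c in history:
        services.add((c.proto, c.dport))
        total[c.src] += c.nbytes
        count[c.src] += 1
    return {"services": services, "avg_bytes": {h: total[h] / count[h] for h in total}}


def anomaly_alerts(conn, baseline, factor=5.0):
    """Anomaly detection: deviations from the learned baseline, no signature needed."""
    findings = []
    if (conn.proto, conn.dport) not in baseline["services"]:
        findings.append(f"unseen service {conn.proto}/{conn.dport}")
    avg = baseline["avg_bytes"].get(conn.src)
    if avg is not None and conn.nbytes > factor * avg:
        findings.append(f"{conn.nbytes} bytes exceeds {factor:g}x baseline ({avg:.0f})")
    return findings


class IDS:
    """Passive mode logs and alerts only; reactive mode also blocks the source."""

    def __init__(self, baseline, reactive=False):
        self.baseline, self.reactive = baseline, reactive
        self.log, self.blocked = [], set()

    def inspect(self, conn):
        alerts = [f"signature:{s}" for s in signature_alerts(conn)]
        alerts += [f"anomaly:{a}" for a in anomaly_alerts(conn, self.baseline)]
        for a in alerts:
            self.log.append((conn.src, conn.dst, conn.dport, a))
        if alerts and self.reactive:
            self.blocked.add(conn.src)   # the "reprogram the firewall" step
        return alerts


# Constructed "normal" traffic used to train the baseline (TEST-NET and RFC 1918 addresses)
HISTORY = [
    Conn("10.0.0.5", "10.0.0.1", "udp", 53, 120),
    Conn("10.0.0.5", "198.51.100.10", "tcp", 443, 900, b"\x16\x03\x01"),
    Conn("10.0.0.5", "10.0.0.20", "tcp", 80, 480, b"GET / HTTP/1.1"),
    Conn("10.0.0.9", "10.0.0.20", "tcp", 80, 600, b"GET /app HTTP/1.1"),
]

if __name__ == "__main__":
    ids = IDS(build_baseline(HISTORY), reactive=True)
    print(ids.inspect(Conn("10.0.0.9", "10.0.0.20", "tcp", 80, 300, b"GET /x?BEACON-ID=1")))
    print(ids.inspect(Conn("10.0.0.5", "198.51.100.10", "tcp", 5555, 40000, b"hello")))
    print("blocked:", ids.blocked, "log entries:", len(ids.log))
```

The second inspected connection shows the signature lag the text describes: nothing in `SIGNATURES` matches it, so only the baseline comparison fires. The flip side is that any legitimately new service on the network also produces anomaly alerts, which is why anomaly baselines need periodic retraining and review.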
An IDS differs from a firewall. A firewall looks out for intrusions in order to stop them from
happening: it limits access between networks to prevent intrusion, but it does not signal an
attack that comes from inside the network. An IDS evaluates a suspected intrusion once it has
taken place and signals an alarm, and it also watches for attacks that originate from within
a system.
Snort
Snort® is an open source network intrusion prevention and detection system (IDS/IPS)
developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based
inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of
downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.
Components of Snort
Snort is logically divided into the following five major components.

Packet Decoder:
A Packet Decoder is the first component which collects packets from different network
interfaces and prepares the packets to be preprocessed.

Pre-processors:
The second component, the pre-processors, arrange and modify packets before they are
analysed by the detection engine. Some pre-processors detect basic anomalies by
de-fragmenting packets (attackers fragment packets as a method of evasion) or by decoding
HTTP URLs (attackers use hexadecimal-encoded characters as a method of evasion). Other
pre-processors detect and log port scanning activity, detect anomalies in ARP packets (to
identify ARP spoofing), etc.

Detection Engine:
The third component, the detection engine, is the heart of Snort. Its responsibility is to
analyse all the packets passing through it for signs of intrusion by using predefined rules.
It can dissect a packet and apply rules to different parts of the packet, such as the IP
header, transport layer header, application layer header and packet payload.

Logging and Alerting System:
The fourth component is the Logging and Alerting System – Upon the detection of
intrusion by the detection engine, either the activity is logged for the perusal of the
network engineers or an alert is generated.

Output modules or plug-ins:
The fifth component, output modules or plug-ins, controls the type of output produced by
the logging and alerting system. Its functions may include generating log reports, logging
alert reports to a file, sending SNMP traps, logging to a database (such as MySQL), sending
messages to a Syslog server, etc.
In some installations, additional tools are used along with Snort: a MySQL database to log
the alert data, Apache as the web server, PHP as the interface between the web server and
the MySQL database, a PHP package such as ACID to view and analyse Snort data, etc.
Snort is a single-threaded application, which can be configured to operate in four modes:

Packet Sniffer Mode
Packet Sniffer mode simply reads the packets off of the network and displays them in a
continuous stream on the console.

Packet Logger Mode
Packet Logger mode logs the packets to disk. To record packets to disk, specify a logging
directory and Snort will automatically go into packet logger mode; a directory named log
in the current directory is created if none is given. When Snort runs in this mode, it
collects every packet it sees and places it in a directory hierarchy based upon the IP
address of one of the hosts in the datagram.

Detection Mode
Network Intrusion Detection System (NIDS) mode allows Snort to analyze network
traffic for matches against a user-defined rule set and performs several actions based
upon what it sees.

Prevention Mode / Inline Mode
In this mode Snort blocks network threats rather than only reporting them. Snort Inline
obtains packets from iptables instead of libpcap and then uses new rule types to tell
iptables to pass or drop packets based on Snort rules.
Working of Snort
Snort captures raw packets with libpcap and then decodes and preprocesses them prior to
forwarding them to the detection engine. The preprocessing includes early packet dropping,
classification, layer-three IP fragment reassembly, layer-four TCP session reconstruction and so
forth. The detection engine checks packet headers as well as payloads against several thousand
rules stored in a database of pre-defined attack signatures, as shown in figure 1.
Snort rules are divided into two logical sections, the rule header and the rule options. In
figure 2, the text up to the first parenthesis is the rule header and the section enclosed in
parentheses is the rule options. The words before the colons in the rule options section are
called option keywords. The rule header contains the rule's action, protocol, source and
destination IP addresses and net masks, and the source and destination port information. The
rule option section contains alert messages and information on which parts of the packet should
be inspected to determine if the rule action should be taken. If a rule matches, an action is
taken depending on the rule configuration for that action. Two of the most commonly used actions
are “alert” and “log”. The alerting facility exists to report that a suspicious packet has been
detected. The logging facility exists to log full packet information. Snort is capable of
outputting “alert” and “log” data in a variety of output formats and methods.
Output formats include binary, libpcap and ASCII. Binary format offers speed and flexibility,
whereas ASCII format is easier to work with. Output methods include writing to a file, console
or screen, syslog, or SQL database plugins. The “alert” action in Snort is hard coded to perform
two actions in sequence: write an event to the alerting facility, and log as much as possible.
The “log” action logs the packet to the logging facility without generating an alert.
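To make the rule header / rule options split concrete, and to show what the detection engine and the HTTP-decoding pre-processor described earlier actually do with a rule, here is an added example that is not part of the page and not Snort's own code: a small Python parser for the Snort rule syntax (action, protocol, source, source port, direction, destination, destination port, then `keyword:value;` options in parentheses) and a matcher that applies the header and any `content`/`nocase` options to a packet. The rule, its `sid`, and the packets are constructed sample values; only plain-text `content` values are handled, not Snort's `|hex|` byte notation, and options other than `content`/`nocase` are parsed but not evaluated.

```python
import ipaddress
from urllib.parse import unquote_to_bytes

HEADER_FIELDS = ("action", "protocol", "src", "src_port", "direction", "dst", "dst_port")


def split_options(body):
    """Split the option section on ';' while ignoring ';' inside double quotes."""
    parts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(text):
    """Return (header dict, [(keyword, value), ...]); value is None for bare keywords like nocase."""
    text = text.strip()
    if "(" not in text or not text.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    open_idx = text.index("(")
    header = text[:open_idx].split()
    if len(header) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, got {len(header)}")
    options = []
    for part in split_options(text[open_idx + 1:-1]):
        keyword, sep, value = part.partition(":")
        options.append((keyword.strip(), value.strip().strip('"') if sep else None))
    return dict(zip(HEADER_FIELDS, header)), options


def addr_matches(spec, ip):
    """'any', a single IP, a CIDR net mask, or a '!' negation of one of those."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """'any', a single port, a 'lo:hi' range (either end open), or a '!' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def http_decode(pkt):
    """Stand-in for the HTTP URL-decoding pre-processor: percent-decode the payload
    so a rule written for '../' also sees its '%2e%2e/' encoding."""
    return {**pkt, "payload": unquote_to_bytes(pkt["payload"])}


def match_rule(rule_text, pkt):
    """Return the rule's action if header and content options match the packet, else None."""
    hdr, options = parse_rule(rule_text)
    if hdr["protocol"] not in ("ip", pkt["proto"]):
        return None
    forward = (addr_matches(hdr["src"], pkt["src"]) and port_matches(hdr["src_port"], pkt["sport"])
               and addr_matches(hdr["dst"], pkt["dst"]) and port_matches(hdr["dst_port"], pkt["dport"]))
    reverse = (addr_matches(hdr["src"], pkt["dst"]) and port_matches(hdr["src_port"], pkt["dport"])
               and addr_matches(hdr["dst"], pkt["src"]) and port_matches(hdr["dst_port"], pkt["sport"]))
    if hdr["direction"] == "->":
        if not forward:
            return None
    elif hdr["direction"] == "<>":
        if not (forward or reverse):
            return None
    else:
        raise ValueError(f"unknown direction {hdr['direction']}")
    for i, (keyword, value) in enumerate(options):
        if keyword == "content":  # plain-text content only; a following 'nocase' makes it case-insensitive
            needle, haystack = value.encode(), pkt["payload"]
            if i + 1 < len(options) and options[i + 1][0] == "nocase":
                needle, haystack = needle.lower(), haystack.lower()
            if needle not in haystack:
                return None
    return hdr["action"]


# Constructed rule and packet (sid 1000001 is a placeholder in the local-rule range)
RULE = ('alert tcp any any -> 192.168.1.0/24 80 '
        '(msg:"Constructed example: traversal attempt"; content:"../"; nocase; sid:1000001; rev:1;)')
PKT = {"proto": "tcp", "src": "10.0.0.7", "sport": 51000, "dst": "192.168.1.10", "dport": 80,
       "payload": b"GET /%2e%2e/etc/passwd HTTP/1.1"}

if __name__ == "__main__":
    print(parse_rule(RULE))
    print("raw:", match_rule(RULE, PKT), "after HTTP decode:", match_rule(RULE, http_decode(PKT)))
```

Running it shows why the pre-processor stage sits in front of the detection engine: against the raw payload the `content:"../"` option never matches, and only the decoded copy produces the “alert” action.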
Conclusion: Thus we have studied the scope and importance of Intrusion detection systems.