INDEX
INDEX .......................................................................................................................................... 1
LIST OUT FIGURES ........................................................................................................................ 2
1. ABSTRACT ............................................................................................................................... 3
2. INTRODUCTION ........................................................................................................................ 4
3. HISTORY................................................................................................................................... 5
4. DEALING WITH INTRUDRES....................................................................................................... 6
5. HOW DOES IDS WORK? ............................................................................................................ 7
6. Types of IDS ............................................................................................................................. 8
6.1 Network Intrusion Detection Systems ................................................................................. 8
6.2 Host Based Intrusion Detection Systems .............................................................................. 8
6.3HIDS vs NIDS........................................................................................................................ 8
6.4 HIDS and NIDS Used in Combination ................................................................................... 9
7. IDS Techniques ....................................................................................................................... 10
7.1 Misuse Detection or Signature based IDS or Pattern Detection .......................................... 10
7.2 Behavior based IDS or Abnormal behaviour....................................................................... 11
8. Firewall vs. IDS ....................................................................................................................... 13
9. Benefits of IDS........................................................................................................................ 15
10. SNORT ................................................................................................................................. 16
11. Working of Signature based IDS ............................................................................................ 19
12. CONCLUSION ........................................................................................................................ 20
13. REFERENCES ......................................................................................................................... 21
Page 1
LIST OUT FIGURES
Fig 5.1 Component of IDS ............................................................................................................. 7
Fig 7.1 A typical misuse detection system ................................................................................... 10
Fig 7.2 In misuse detection pattern matching .............................................................................. 11
Fig 7.3 Typical anomaly detection system ................................................................................... 12
Fig 8.2 place of firewall and IDS .................................................................................................. 13
Fig 10.1 Block diagram of a complete network intrusion detection system .................................. 16
Fig 10.2 Component of snort ...................................................................................................... 17
Fig 11.1 Snort working in network. ............................................................................................. 19
Fig 11.2 Snort signature Database............................................................................................... 19
Page 2
1. ABSTRACT
Nowadays it is very important to maintain a high level security to ensure safe and trusted
communication of information between various organizations. But secured data
communication over internet and any other network is always under threat of intrusions and
misuses. So Intrusion Detection Systems have become a needful component in terms of
computer and network security. An intruder is a hacker or cracker which always tries to get
access to secure, system intrusion occurs when an unauthorized person try to gain access or
interrupt the normal operations of an information system. . Intrusion detection consists of
procedures for detection of illegal activity of (intruders) system that identify the intruders.
IDS tools aim to detect computer attacks and/or computer misuse and alert the proper
individuals upon detection. An IDS provides much of the same functionality as a burglar
alarm installed in a house A Snort is tool which can give alert/alarm to the authentic user or
Network Administrator by sending email or giving alarm for illegal network activities.
Page 3
2. INTRODUCTION
INTRUSION DETECTION SYSTEM
Intrusion is some time also called as hacker or cracker attempting to break into or misuse
your system. While introducing the concept of intrusion detection in 1980, defined an
intrusion attempt or a threat to be the potential possibility of a deliberate unauthorized
attempt to
 Access information,
 Manipulate information, or
 Render a system unreliable or unusable.
Intrusion detection systems do exactly as the name suggests: they detect possible intrusions.
More specifically, IDS tools aim to detect computer attacks and/or computer misuse, and to
alert the proper individuals upon detection.
An intrusion detection system (IDS) inspects all inbound and outbound network activity and
identifies suspicious patterns that may indicate a network or system attack from someone
attempting to break into or compromise a system.
An IDS installed on a network provides much the same purpose as a burglar alarm system
installed in a house. Through various methods, both detect when an intruder/attacker/burglar
is present, and both subsequently issue some type of warning or alert.
Page 4
3. HISTORY
A computer system should provide confidentiality, integrity and assurance against denial of
service.
However, due to increased connectivity (especially on the Internet), and the vast spectrum of
financial possibilities that are opening up, more and more systems are subject to attack by
intruders. So IDS come in to existence.IDS provides all facilities to protect your system.
Intrusion Detection (ID) defined:
Process of monitoring computer networks and systems for violations of security policy
 First ID System--manual “system audits” 1980, ID was born Government sponsored
development in early 1980’s. First ID systems for Air Force and Navy.
 First document need for automated audit trail review to support security goals. As the
Growth of Internet force IDS to be developed
 Commercial ID systems began appearing in early 1990’s
Page 5
4. DEALING WITH INTRUDRES
Due to increase connectivity (more specially on internet), and much chances of financial
possibility that are opening more and more system are subject to attack by intruders (intruders
are the hacker or cracker those are unauthorised users), because complete secure system is
still a dream.
Firewall and filtering router are not enough to protect electronic assets .so detection is
needed. In terms of the relation intruder-victim, attacks are categorized as:
 External Intruders: who are unauthorised users of the machines they attack, they
coming from outside, frequently via the Internet they can be any person which are not
in our knowledge.
 Internal Intruders: who has permission to access system but not some portion of it,
they coming from own enterprise’s employees or their business partners or customers
further subdivided:
 Masquerade: Those user who masquerade another user means using others user no or
identification no access the non permitted information.
 Legitimate: Those user who legally access the information but they are not allowed
to access information .but using some kind of techniques they able to access sensitive
data legally .They are most dangerous type.
 Clandestine: User who have power to turnoff audit control for themselves and steal
information.
Page 6
5. HOW DOES IDS WORK?
Intrusion detection systems serve three essential security functions: they monitor, detect, and
respond to unauthorized activity by company insiders and outsider intrusion. Intrusion
detection systems use policies to define certain events that, if detected will issue an alert. In
other words, if a particular event is considered to constitute a security incident, an alert will
be issued if that event is detected. Certain intrusion detection systems have the capability of
sending out alerts, so that the administrator of the IDS will receive a notification of a possible
security incident in the form of a page, email, or SNMP trap. Many intrusion detection
systems not only recognize a particular incident and issue an appropriate alert, they also
respond automatically to the event. Such a response might include logging off a user,
disabling a user account, and launching of scripts.
Fig 5.1 Component of IDS
In terms of response IDS classified as:
 Passive system: in a passive system, the IDS detects a potential security breach, logs
the information and signals an alert
 Reactive system: In a reactive system, the IDS respond to the suspicious activity by
logging off a user or by reprogramming the firewall to block network traffic from the
suspected malicious source.
Page 7
6. Types of IDS
Basically IDS are of two type’s i.e.
 NIDS (Network Intrusion Detection Systems)
 HIDS (Host Intrusion Detection Systems)
Both of them have their own prone and cons. let us discuss both of them one by one.
6.1 Network Intrusion Detection Systems
A network IDS (NIDS) monitors all traffic on the network segment that it is placed on. This
is generally accomplished by placing the network interface card in promiscuous mode to
capture all network traffic that crosses its network segment. Network traffic on other
segments can't be monitored unless the traffic is directed to the NIDS promiscuous interface.
Network Intrusion Detection involves looking at the packets on the network as they pass by
the NIDS. The NIDS can only see the packets that are carried on the network segment it’s
attached to. Packets are considered to be of interest if they match a signature or certain
behavior. Network Intrusion Detection Systems are placed at a strategic point or points within
the network to monitor traffic to and from all devices on the network. Ideally you would scan
all inbound and outbound traffic; however doing so might create a bottleneck that would
impair the overall speed of the network.
6.2 Host Based Intrusion Detection Systems
A Host IDS (HIDS) uses a piece or pieces of software on the system to be monitored. The
loaded software uses log files and/or the system's auditing agents as sources of data. In
contrast, a NIDS monitors the traffic on its network segment as a data source.
Host based intrusion detection involves not only looking at the network traffic in and out of a
single computer, but also checking the integrity of your system files and watching for
suspicious processes. To get complete coverage at your network with HIDS, you must load
the software on every computer. Host based Intrusion Detection is much more effective in
detecting insider attacks than is NIDS. Host Intrusion Detection Systems are run on
individual hosts or devices on the network. A HIDS monitors the inbound and outbound
packets from the device only and will alert the user or administrator of suspicious activity is
detected
6.3HIDS vs NIDS
 Unauthorized outsider access: When an unauthorized user logs in successfully, or
attempts to log in, they are best tracked with host-based IDS. However, detecting the
unauthorized user before their log on attempt is best accomplished with networkbased IDS.
Page 8
 Bandwidth theft/denial of service: These attacks from outside the network single out
network resources for abuse or overload. The packets that initiate/carry these attacks
can best be noticed with use of network-based IDS.
 Traffic monitors: NIDS monitors all traffic on a network segment & can detect
intrusion that crosses a specific network segment. It will not see traffic that passes
between LAN computers. Whereas a HIDS examines all traffic and activity for a
particular machine and can detect system log files as well as inbound and outbound
packets. Each system is requiring its own IDS.
6.4 HIDS and NIDS Used in Combination
The two types of intrusion detection systems differ significantly from each other, but
complement one another well. The best IDS tools combine both approaches under one
management console. That way, the user gets comprehensive coverage, making sure to guard
against as many threats as possible.
Page 9
7. IDS Techniques
Now that we have examined the two basic types of IDS and why they should be used
together, we can investigate how they go about doing their job. For each of the two types,
there are two basic techniques used to detect intruders:
 Misuse detection (Signature detection or Pattern Detection).
 Anomaly detection ( Behavior detection)
7.1 Misuse Detection or Signature based IDS or Pattern Detection
Almost all IDSs are signature based, also known as knowledge based. Signature based IDSs
monitor network traffic and analyzes this traffic against specific predefined attacks. When an
attack is detected an alarm is generated. This means that any traffic that doesn’t specifically
match a signature is considered safe. Signature based IDSs obviously require that the
signature base be updated regularly to detect new exploits. If legitimate network traffic
triggers an alarm this is called a false positive. The amount of false positives generated by
signature based IDSs can be significantly less than behavior based IDSs.
Fig 7.1 A typical misuse detection system
Page 10
Fig 7.2 In misuse detection pattern matching
A signature based IDS will monitor packets on the network and compare them against a
database of signatures or attributes from known malicious threats. This is similar to the way
most antivirus software detects malware. The issue is that there will be a lag between a new
threat being discovered in the wild and the signature for detecting that threat being applied to
your IDS. During that lag time your IDS would be unable to detect the new threat.
7.2 Behavior based IDS or Abnormal behaviour
It does what its name describes. It looks for abnormal behavior. How is this different from
suspicious detection? Here is an example; most corporate LANs are only active during
business hours. From 9 AM - 6 PM, the servers are active, users are logged on, and the
routers are busy. However, during non-business hours, the network should be rather stagnant.
This is where the abnormal IDS come into play. In the event that a workstation on your
network is infected with a Trojan, the hacker could use that machine to gain access to the rest
of your network including the file servers. Usually, this is late at night when the administrator
and users won't notice. Abnormal IDS would record network activity and file requests during
non-business hours. So, if a user was all of the sudden requesting files from server at 2 AM,
the abnormal detection IDS would send a red flag. This allows network administrators to
know exactly what is going on when they are not there.
Behavior-based intrusion detection techniques assume that an intrusion can be detected by
observing a deviation from normal or expected behavior of the system or the users. The
model of normal or valid behavior is extracted from reference information collected by
various means. The intrusion detection system later compares this model with the current
activity. When a deviation is observed, an alarm is generated. In other words, anything that
does not correspond to a previously learned behavior is considered intrusive.
Advantages of behavior-based approaches are that they can detect attempts to exploit new
and unforeseen vulnerabilities. They can even contribute to the automatic discovery of these
new attacks. They also help detect 'internal abuse' types of attacks that do not actually involve
exploiting any security vulnerability. An IDS which is anomaly based will monitor network
Page 11
traffic and compare it against an established baseline. The baseline wills an example of this
would be if a user logs on and off of a machine 20 times a day instead of the normal 1 or 2.
Also, if a computer is used at 2:00 AM when normally no one outside of business hours
should have access, this should raise some suspicions.
Fig 7.3 Typical anomaly detection system
Page 12
8. Firewall vs. IDS
Although IDSs may be used in conjunction with firewalls, which aim to regulate and control
the flow of information into and out of a network, the two security tools should not be
considered the same thing. Using the previous example, firewalls can be thought of as a fence
or a security guard placed in front of a house. They protect a network and attempt to prevent
intrusions, while IDS tools detect whether or not the network is under attack or has, in fact,
been breached. IDS tools thus form an integral part of a thorough and complete security
system. They don’t fully guarantee security, but when used with security policy, vulnerability
assessments, data encryption, user authentication, access control, and firewalls, they can
greatly enhance network safety. most firewalls never alert an administrator. The administrator
may notice if he/she checks the access log of the firewall, but that could be weeks or even
months after the attack. This is where an IDS comes into play.
 Firewall cannot detect security breaches associated with traffic that does not pass
through it. Only IDS is aware of traffic in the internal network
 Not all access to the Internet occurs through the firewall.
 Firewall does not inspect the content of the permitted traffic
 Firewall is more likely to be attacked more often than IDS
 Firewall is usually helpless against tunnelling attacks
 IDS is capable of monitoring messages from other pieces of security infrastructure
Whereas a firewall may be used in both home and commercial environments, Intrusion
Detection Systems are only really feasible within commerce.
Fig 8.2 place of firewall and IDS
The combination of the Intrusion Detection System and a firewall will allow maximum
filtering of network traffic and will definitely prevent the majority of attacks.
Page 13
Some reasons for adding IDS to you firewall are:
 Double-checks misconfigured firewalls.
 Catches attacks that firewalls legitimate allow through (such as attacks against
webservers).
 Catches attempts that fail.
 Catches insider hacking.
Page 14
9. Benefits of IDS
 Monitors the operation of firewalls, routers, key management servers and files critical
to other security mechanisms.
 Allows administrator to tune, organize and comprehend often incomprehensible
operating system audit trails and other logs.
 Can make the security management of systems by non-expert staff possible by
providing nice user friendly interface.
 Comes with extensive attack signature database against which information from the
customers system can be matched.
 Can recognize and report alterations to data files.
 It provides time to time information, it recognize attacker (intrusion) & report
alteration to data files.
 IDS generate alarm and report to administrator that security is breaches and also react
to intruders by blocking them or blocking server.
Page 15
10. SNORT
Snort is an open source network intrusion detection and prevention system. It can analyze real-time traffic
analysis and data flow in network. It is able to check protocol analysis and can detect different type of attack. In
NIDS snort basically checks packet against rule written by user. Snort rules can be written in any language, its
structure is also good and it can be easily read and rules can be modify also. In buffer overflow attack, snort can
detect the attack by matching the previous pattern of attacks and then will take appropriate action to prevent
from attack. In signature based IDS system if pattern matches then attack can be easily found but when a new
attack comes then system fails but snort overcome this limitation by analyzing the real-time traffic. Whenever
any packet comes into network then snort checks the behavior of network if performance degrades of network
then snort stop the processing of packet, discards the packet and stores its detail in the signature database
Fig 10.1 Block diagram of a complete network intrusion detection system
As you can see, data is captured and analyzed by snort. Snort then stores data in Mysql
database using the database output plug-in. Apache web server takes help from ACID , P
Page 16
HP, GD library and PHPLOT package to display this data in a browser window when a user
connects to apache a user can then make different types of queries on the forms displayed in
the web pages to analyze, archive, graph and delete data.
10.0 Components of snort
Snort is basically the combination of multiple components. All the component work together to find a
particular attack and then take the corresponding action that is required for that particular attack. Basically it
consists of following major components as shown in figure
Fig 10.2 Component of snort
Packet comes from internet and enters into packet decoder and it goes through several phases, required action
is taken by snort at every phase like if detection engine found any miscellaneous content in packet then it drop
that packet and in the way towards output module packet is logged in or alert is generated.
Page 17





Packet Decoder
Preprocessors
Detection Engine
Logging and Alerting System
Output Modules
Packet Decoder
The packet decoder takes packets from different types of network interfaces and prepares the
packets to be preprocessed or to be sent to the detection engine. The interfaces may be
Ethernet, SLIP, PPP and so on.
Preprocessors
Preprocessors are components or plug-ins that can be used with Snort to arrange or modify data packets before
the detection engine does some operation to find out if the packet is being used by an intruder. They are also
used to normalize protocol headers, detect anomalies, packet reassembly and TCP stream re-assembly.
Detection Engine
The detection engine is the most important part of Snort. Its responsibility is to detect if any
intrusion activity exists in a packet. The detection engine employs Snort rules for this
purpose. The rules are read into internal data structures or chains where they are matched
against all packets. If a packet matches any rule, appropriate action is taken; otherwise the
packet is dropped. Appropriate actions may be logging the packet or generating alerts.
Logging and Alerting System
It generates alert and log messages depending upon what the detection engine finds inside a
packet.
Output Modules
Output modules or plug-ins process alerts and logs and generate final output.
Page 18
11. Working of Signature based IDS
From the figures given below concept of signature based IDS can easily understand. It is clear that
when any person sends data inside the network so first of all it goes to server and server check and if
found malicious then server discards the packet otherwise send to destination system.
Fig 11.1 Snort working in network.
Fig 11.2 Snort signature Database
In figure 11.1 system-I sends packet to system-A but before reaching the packet to destination server
checks that packet and if packet is malicious then server discards the packet otherwise send packet to
system-A and in figure 11.2 working of server is clearly mention that how server checks the packet.
So, when a packet comes to server then server use comparing tool to check that packet from the
database of signature stored in server and if server get result that packet is matched from the database
then server discard the packet otherwise server sends the packet to destination system.
Page 19
12. CONCLUSION
As security incidents become more numerous, IDS tools are becoming increasingly
necessary. They round out the security arsenal, working in conjunction with other
information security tools, such as firewalls, and allow for the complete supervision of all
network activity







IDS have come a long way
Still a long way to go
Many different products on the market
Many different uses
Open source solutions are very popular
No easy or long-term solution to network security
Vigilance will have to be maintained
Intrusion detection systems add an early warning capability to your defences , alerting you to
any type of suspicious activity that typically occurs before and during an attack. Since most
cannot stop an attack, intrusion detection systems should not be considered an alternative to
traditional good security practices. There is no substitute for a carefully thought out corporate
security policy, backed up by effective security procedures which are carried out by skilled
staff using the necessary tools. Instead, intrusion detection systems should be viewed as an
additional tool in the continuing battle against hackers and crackers.
Page 20
13. REFERENCES
 www.securityfocusonline.com/IDS
 www.linuxsecurity.com/4030/topic/IDS
 www.acm.com/intrusion detection system/
 www.securitydocs.com
 www.studymafia.org
 Reference book: Intrusion Detection Systems with Snort by Rafeeq Ur
Rehman
Page 21