Intrusion Detection System, Snort, Modes of Snort, Components of Snort, Basic Analysis and Security Engine (BASE), Wireshark, Writing Snort rules

2.  I did my summer internship in Siemens
Information Systems Ltd. on building
network intrusion detection system using
Snort.
 The goal of this project is to implement
network security to a product of Siemens,
SPPA-T3000, which is the instrumentation
and control system that provides remote
access to power plant management systems.

3.  Siemens Information Systems Ltd. (SISL) is an
integral part of Siemens Corporate Technology
(CT). With over 2,800 employees, SISL is one
of the largest centers of CT globally.
 SISL is a leading "Systems Integrator and
Total Solutions Provider" offering high-end
consultancy in areas like Healthcare,
Telecommunications, Manufacturing, Utilities,
Public Sector & Government.
 It offers comprehensive single-source solutions
and services along the Consult - Design - Build -
Operate - Maintain service chain.

4.  Security is a big issue for all networks in
today's enterprise environment. Hackers and
intruders have made many successful
attempts to bring down high-profile company
networks and web services.
 Network Intrusion Detection System has a
major role to play in safeguarding the
network resources against various kinds of
attacks.

5.  Intrusion detection is a set of techniques
and methods that are used to detect
suspicious activity both at the network and
host level.
 Intruders have signatures that can be
detected. Based upon a set of signatures and
rules, the intrusion detection system (IDS) is
able to find and log suspicious activity and
generate alerts.
 Usually an intrusion detection system
captures a packet from the network, applies
rules to its data and detects anomalies in it.

6.  Snort is an open source network intrusion
prevention system (NIPS) and network intrusion
detection system (NIDS).
 It has the ability to perform real-time traffic
analysis and packet logging on Internet Protocol(IP)
networks.
 Snort is primarily a rule-based IDS. Snort reads
these rules at the start-up time and builds internal
data structures or chains to apply these rules to
captured data.
 Snort comes with a rich set of pre-defined rules to
detect intrusion activity and you are free to add
your own rules at will.

8.  BASE provides a web front-end to query and
analyze the alerts coming from a Snort IDS
system.
 BASE is a web interface to perform analysis
of intrusions that snort has detected on your
network.
 It is written in PHP. It works with Snort and
databases like MySQL and makes information
available in the database to the user through
a web server.

9. • Searching can be done on a large number of criteria like
source and destination addresses, time, ports and so on.
• Graphical representation includes charts based upon
time, protocol, IP addresses, port numbers and
classifications.

10.  Wireshark is a network packet analyzer. A
network packet analyzer will try to capture
network packets and tries to display that
packet data as detailed as possible.
 In this project, Wireshark is used to check
if all the packets coming from the source,
that satisfy the conditions mentioned in the
snort rules, show an alert in BASE.
 We also use Wireshark to look into the
components of the packets and update our
rule set accordingly from time to time.

12.  Snort’s detection system is based on rules. These
rules in turn are based on intruder signatures.
Snort rules can be used to check various parts of
a data packet.
 All Snort rules have two logical parts: rule header
and rule options.
The rule header contains information about what
action a rule takes. It also contains criteria for
matching a rule against data packets.
The rule options part usually contains an alert
message and information about which part of the
packet should be used to generate the alert
message. The options part contains additional
criteria for matching a rule against data packets.

13.  A sensor can be placed behind
the firewall. In this position, IDS will
not be able to detect every attack
because some parts of the packets
belonging to the attack will be
blocked by the firewall, thus IDS will
not be able to detect the signature
of the attack.
 Another positioning option is the
front of the firewall. In this case, the
IDS will monitor all attacks coming
from the outside.

14.  As our NIDS is Snort based which uses rules
(or signatures) to detect an intrusion, so it
should be able to match the conditions
mentioned in the rules to the signature of
the intrusion.
 Thus we place the sensor in front of the
firewall because if we place it behind the
firewall, firewall will block some unwanted or
harmful parts of the packet and our snort
based IDS will not be able to detect
signature of the attack.

15. The NIDS sensor in placed in front of the firewall. The NIDS monitors traffic
passing on the highlighted line between the switch and the firewall.

16.  Refer to snort installation manual and install snort and
other necessary software.
 Create three different files in /etc/snort/variables .
Declare variables for device ip address, network
addresses and ports for different protocols in the
three files and include these files in the snort
configuration file.
 Create different files in /etc/snort/rules that will
contain rules for different protocols. Include the path
of these file in the snort configuration file.
 Now create an ssh from your terminal to the NIDS
machine. Start snort using “sudo /etc/init.d/snortbarn
start. The snort should show alerts for unwanted
packets in BASE.

17.  The rules need to be updated from time to time
because the contents of the packets coming from
terminal server, when we start the workbench, change
with time.
 Using wireshark we can see a raw presentation of
contents of these packets and update our rules
accordingly.
 So, using wireshark, we first check if the packets
have the same content as the content mentioned in
our rules.
 If the content is same, then snort should raise alert
for these rules in BASE. Otherwise, if the contents
are not same, the rules are updated with respect to
the new content of the packet.

18.  When we start snort and run different protocols
such as ssh, rdp, rmi etc, BASE shows new
alerts, only the generic rules in our rule set show
alerts. These are the alerts for the unwanted
packets or intrusions in the network.
 In BASE we can filter the alerts on the basis of
source or destination addresses, source or
destination ports, protocols or on the basis of
the rule that generates alerts and then try
finding out a solution to prevent these intrusions
in the network in the future.

19.  This project only deals with detection of
network intrusion using Snort. It does not
prevent intrusions from entering our host
computer or the local network.
 Network Intrusion Prevention can be
implemented by Configuring ACLs (Access
control lists) on the Routers, based on Snort
IDS alerts, on which my 7th semester Seminar is
based.