Network Protection Using Intrusion
Detection System (IDS)
Muhammad Arsalan Paracha
CIPMA Lab, PIEAS
Outline
- Network Security Fundamentals
- IDS Overview
- IDS Types
- Snort - IDS
  - Components
  - Rules
  - Configurations
  - Attack detection
What is Security
"Quality or state of being secure or free from danger"

What is Network Security
Application of administrative, physical, and technical controls in a network to provide Confidentiality, Integrity and Availability.

CIA Triad
- Confidentiality: protection from unauthorized access
- Integrity: protection from unauthorized alteration
- Availability: timely and uninterrupted access
Few Terminologies
- Vulnerability: any weakness
- Attack: exploitation of a vulnerability
- Threat: the possibility of an attack
- Cyber Attack: any action compromising the security of information owned by an individual or organization
- Cyber Weapon: any software, hardware or user used for a cyber attack
Security, Functionality, and Ease of Use
(Figure: triangle with Security, Ease of Use and Functionality at its corners)
Network Security Monitoring (NSM)
- Network security monitoring is an automated process that monitors network devices and traffic for security vulnerabilities, threats, and suspicious activities.
- Organizations can use it to detect and respond to cybersecurity breaches quickly.

NSM Cycle
- The NSM Cycle consists of three distinct phases:
  - Collection
  - Detection
  - Analysis
Intrusion Detection System (IDS)
- A collection of techniques and methodologies used to monitor suspicious activities at both the network and the host level
- It is not a firewall; it is an additional layer of security in the network
- An IDS is more like an alarm system
- Upon detection it performs actions such as alerting and logging
- Network administrators can change the firewall rules upon detection of attacks
- Can help detect attacks that pass through the firewall
- Protection from insiders
- It inspects the content of the network traffic
IDS
- Deployed with multiple sensors at various locations on the network
- Sensors report to a centralized management console
- A sensor
  - Monitors traffic, matches it against the rule sets and raises an alert, logs it or takes some other action
- A rule set contains
  - Traffic signatures or rules for unwanted behavior
- Rules
  - Check for thresholds, protocol, source and destination IP
- Signatures
  - Traffic patterns associated with an attack

IDS
(Figure, credited to Dr. Hanif Durad)
Host Based IDS (HIDS)
- Log Monitors
  - Parse system event log files
  - Example: the Apache access log file, checked for requests to "cgi-bin"
- Integrity Checkers
  - Check key system structures for changes
  - System files, registry keys
  - Tripwire (a FIM solution): file additions, deletions, flag modifications, access time, etc.
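As an added illustration of the log-monitor idea (not part of the original slides), the following Python script parses a few constructed Apache access-log lines in the "combined" format and raises an alert for every request whose path contains the slide's indicator, "cgi-bin". The sample lines, the indicator list and the function names are assumptions made for this example; nothing here is taken from a real server.

```python
import re

# Constructed Apache "combined" access-log lines (not a real capture).
# Line 5 is deliberately malformed to show that unparseable input is reported, not ignored.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "GET /CGI-BIN/printenv HTTP/1.0" 403 0 "-" "curl/8.0"
this line is not a valid log entry
"""

# One regex for the fields the monitor needs; the referer/user-agent tail is left unparsed.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators searched for in the request path, case-insensitively (like Snort's nocase).
INDICATORS = ("cgi-bin",)


def parse_line(line):
    """Return a dict of fields for a valid combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def scan_log(text, indicators=INDICATORS):
    """Run the indicator check over every line; report hits and unparseable lines."""
    alerts, unparsed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            unparsed.append(lineno)
            continue
        path = rec["path"].lower()
        hit = next((i for i in indicators if i in path), None)
        if hit is not None:
            alerts.append({"line": lineno, "client": rec["client"], "time": rec["time"],
                           "path": rec["path"], "status": rec["status"], "indicator": hit})
    return {"alerts": alerts, "unparsed": unparsed}


if __name__ == "__main__":
    result = scan_log(SAMPLE_ACCESS_LOG)
    for a in result["alerts"]:
        print(f'line {a["line"]}: {a["client"]} requested {a["path"]} (status {a["status"]})')
    print("unparseable lines:", result["unparsed"])
```

The monitor reports unparseable lines separately rather than dropping them, because a log monitor that silently skips what it cannot parse gives an attacker who can corrupt log lines a way to hide; the status code is kept in the alert so that an analyst can tell a 404 probe from a 200 that actually reached a CGI script.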
Network Based IDS (NIDS)
- Signature Based
  - Database of known signatures
  - Similar to virus signatures, but it looks for attack signatures
- Anomaly Based
  - Form a baseline for a normal system
  - Raise an alarm when the system is no longer functioning under normal conditions
Signature Based IDS
- The most common form of IDS is signature-based
- These systems work by examining packet data for indicators of compromise (IOCs)
- Indicators are combined with IDS platform-specific directives to form signatures (also called rules)
- Whenever a signature-based IDS locates data that matches content found in a signature, it generates an alert
- The two most popular signature-based IDSs are Snort and Suricata

Snort - a network intrusion prevention and detection system
Snort Modes
- Sniffer mode
  - Simply reads the packets off the network and displays them in a continuous stream on the console (screen)
- Packet Logger mode
  - Logs the packets to disk
- IDS / offline mode
- IPS / inline mode

Snort Components
(Figure: packet flow through the Snort components described on the following slides: Packet Decoder, Preprocessor, Detection Engine, Logging and Alerting System)
Packet Decoder
- Takes packets from different types of network interfaces (Ethernet, SLIP, PPP, ...)
- Determines which underlying protocols are used in the packet (such as Ethernet, IP, TCP, etc.)
- It also detects various anomalous behaviors in packet headers

Preprocessor
- Plugins that modify or set up data for the detection engine
- They rearrange the data so that the IDS can inspect it
- Packet defragmentation
  - If a packet is too large for the link, it gets fragmented into smaller packets
  - The fragments must be reassembled prior to analysis

Preprocessor
- frag3 - IP fragment reassembly (handles fragmented packets)
- Stream5 - TCP and UDP session tracking and stream reassembly
- http_inspect - web traffic
- rpc_decode - RPC traffic
- Reputation - provides basic IP blacklist/whitelist capabilities
- sfportscan - detects port scanning activity
- and many others
Detection Engine
- The most important part of Snort
- Uses the detection rules
- Its performance depends on
  - Speed of the machine
  - Number of rules
  - Load on the network
- The Detection Engine applies rules to different parts of the packet
  - Header (IP/TCP/application)
  - Packet payload
- The policy for matching rules varies between versions

Logging and Alerting System
- Based upon the matched rule, the packet is logged and/or an alert is generated
- Logs go to /var/log/snort by default
- The -l <directory> command-line option changes the log location
Snort Rules
- Written on a single line
- Rules are created from known intrusion signatures
- Included in the Snort configuration file
- A rule consists of a rule header followed by the rule options

Snort Rule
- Rule header: action, protocol, source IP address, source port, direction, destination IP address, destination port
- Rule options: everything inside the parentheses that follow the header
Rule Header - Actions
- The first item in a rule is the rule action. The rule action tells Snort what to do when it finds a packet that matches the rule criteria. There are 3 default actions in Snort: alert, log and pass. In addition, if you are running Snort in inline mode, you have additional options which include drop, reject, and sdrop.
  - alert - generate an alert using the selected alert method, and then log the packet
  - log - log the packet
  - pass - ignore the packet
  - drop - block and log the packet
  - reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP
  - sdrop - block the packet but do not log it
Rule Header - Source and Destination IP Address Field (1/2)
- (source network) (port) -> (destination network) (port)
- CIDR (Classless Inter-Domain Routing) notation is used for the network arguments, e.g. 10.35.24.0/24
- In the Snort rules files you really deal with only two types of entries:
  - Networks
  - Hosts

Rule Header - Source and Destination IP Address Field (2/2)
- Format: address/netmask
  - Address: x.x.x.x
  - Netmask: number of bits in the network mask
- For example
  - 24.0.0.0/8 (class A)
  - 24.3.0.0/16 (class B)
  - 192.185.67.0/24 (class C)
  - 192.185.67.188 (host address)
- Special keywords:
  - any
  - ! (negation)
  - $HOME_NET (variable defined elsewhere)
Rule Header - Source and Destination Port Field
- Static port: 111
- All ports: any
- Range: 110:3000
- Negation: !80
- Less than or equal to 1023: :1023
- Greater than or equal to 1024: 1024:

Rule Header - Direction Indicator
- ->
  - Source information is specified to the left of the arrow, destination information to the right of the arrow
- <>
  - There is also a bidirectional operator, indicated with a <> symbol. This tells Snort to consider the address/port pairs in either the source or destination orientation. This is handy for recording/analyzing both sides of a conversation, such as telnet or POP3 sessions
Rule Options
- All Snort rule options are separated from each other using the semicolon (;) character. Rule option keywords are separated from their arguments with a colon (:) character
- There are four major categories of rule options
  - General (msg, reference & classtype)
    - These options provide information about the rule but do not have any effect during detection
  - Payload (content, depth, offset & nocase)
    - These options all look for data inside the packet payload and can be inter-related
  - Non-Payload (ttl, id, dsize, flags, seq & icmp-id)
    - These options look for non-payload data
  - Post Detection (logto & session)
    - These options are rule-specific triggers that happen after a rule has "fired"

Snort Rule example
- Rule Header
alert tcp $EXTERNAL_NET any -> $HOME_NET 21
- Rule Options
(msg:"ftp Exploit"; flow:to_server,established; content:"|31c031db 41c9b046 cd80 31c031db|"; reference:bugtraq,1387; classtype:attempted-admin; sid:344; rev:4;)
Rule Classification
Snort Configuration File

Snort.conf
- The Snort configuration file contains 9 basic sections:
  1) Set the network variables
  2) Configure the decoder
  3) Configure the base detection engine
  4) Configure dynamically loaded libraries
  5) Configure preprocessors
  6) Configure output plugins
  7) Customize your rule set
  8) Customize the preprocessor and decoder rule set
  9) Customize the shared object rule set

Snort Configuration
- Snort configuration has three main parameters
  1. Variables
  2. Config
  3. Includes
Snort Configuration: Variables
- Variables are used to store information to be referenced and manipulated
- Three types of variables may be defined in Snort:
  - var
    - A simple variable that can be defined for any purpose
  - portvar
    - Used to define a port or a list of ports
  - ipvar
    - Used to define an IP or a list of IPs

Snort Configuration: Variables
- Example
  var RULES_PATH /usr/local/etc/rules/
  portvar MY_PORTS [22,80,1024:1050]
  ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]
- Usage:
  alert tcp any any -> $MY_NET $MY_PORTS (flags:S; msg:"SYN packet";)
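The following Python script is an added example (not the author's slides and not the Snort project's code) that ties together the rule-header syntax from the preceding slides and the variable definitions just shown: it loads var/portvar/ipvar lines, expands $NAME references, parses a single-line rule into its seven header fields and its option list, and matches a 5-tuple against the header. The HOME_NET and EXTERNAL_NET definitions are assumptions added to the slide's three variables so that a nested and negated reference (!$HOME_NET) can be shown; the packet tuples are constructed. Only header matching is implemented: payload options such as content are parsed but not evaluated.

```python
import ipaddress
import re

# Constructed snort.conf fragment: the slide's three definitions plus an assumed
# HOME_NET/EXTERNAL_NET pair so that nested and negated references can be shown.
CONF = """\
var RULES_PATH /usr/local/etc/rules/
portvar MY_PORTS [22,80,1024:1050]
ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]
ipvar HOME_NET $MY_NET
ipvar EXTERNAL_NET !$HOME_NET
"""
SYN_RULE = 'alert tcp any any -> $MY_NET $MY_PORTS (flags:S; msg:"SYN packet";)'
FTP_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ftp Exploit"; '
            'flow:to_server,established; content:"|31c031db 41c9b046 cd80 31c031db|"; '
            'reference:bugtraq,1387; classtype:attempted-admin; sid:344; rev:4;)')
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
HEADER_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def load_vars(conf):
    """Collect var/portvar/ipvar definitions as NAME -> raw value string."""
    vars_ = {}
    for line in conf.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] in ("var", "portvar", "ipvar"):
            vars_[parts[1]] = parts[2].strip()
    return vars_

def resolve(token, vars_, depth=0):
    """Expand $NAME (nested allowed) and keep a leading '!' negation.
    Variables inside a [list] are not expanded here, although Snort permits them."""
    if depth > 10:
        raise ValueError("variable reference nested too deeply")
    if token.startswith("!"):
        return "!" + resolve(token[1:], vars_, depth + 1)
    if token.startswith("$"):
        return resolve(vars_[token[1:]], vars_, depth + 1)  # KeyError: undefined variable
    return token

def port_matches(spec, port):
    """Port field syntax: any, 111, 110:3000, :1023, 1024:, !80, [22,80,1024:1050]."""
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(port_matches(p.strip(), port) for p in spec[1:-1].split(","))
    if ":" in spec:  # open-ended ranges leave one side empty
        lo, hi = spec.split(":", 1)
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return int(spec) == port

def ip_matches(spec, ip):
    """Address field syntax: any, CIDR network, single host, !negation, [list]."""
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_matches(a.strip(), ip) for a in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def split_options(text):
    """'key:value; key;' -> [(key, value or None)]; ';' inside quotes does not split."""
    items, buf, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            items.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        items.append(buf.strip())
    return [(k.strip(), v.strip().strip('"') if sep else None)
            for k, sep, v in (item.partition(":") for item in items)]

def parse_rule(text, vars_):
    """Split a single-line rule into its seven header fields and its option list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("expected: action proto src sport dir dst dport (options)")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown rule action {action!r}")
    return {"action": action, "proto": proto, "direction": direction,
            "src": resolve(src, vars_), "sport": resolve(sport, vars_),
            "dst": resolve(dst, vars_), "dport": resolve(dport, vars_),
            "options": split_options(opts)}

def header_matches(rule, pkt):
    """pkt = (proto, src_ip, src_port, dst_ip, dst_port); '<>' tries both orientations."""
    proto, sip, sp, dip, dp = pkt
    if rule["proto"] not in ("ip", proto):
        return False
    def oriented(a, ap, b, bp):
        return (ip_matches(rule["src"], a) and port_matches(rule["sport"], ap)
                and ip_matches(rule["dst"], b) and port_matches(rule["dport"], bp))
    return oriented(sip, sp, dip, dp) or (rule["direction"] == "<>" and oriented(dip, dp, sip, sp))

if __name__ == "__main__":
    syn = parse_rule(SYN_RULE, load_vars(CONF))
    for pkt in [("tcp", "203.0.113.5", 40000, "192.168.1.10", 22),
                ("tcp", "203.0.113.5", 40000, "192.168.1.10", 443)]:
        print(pkt, "matches header:", header_matches(syn, pkt))
```

The option list is returned as (keyword, argument) pairs in rule order, because Snort's payload options (content, depth, offset, nocase) are interpreted relative to the option before them; an undefined $VARIABLE raises KeyError on purpose, mirroring the fact that Snort refuses to start on an undefined variable rather than silently matching nothing.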
Snort Configuration: Config
- Many configuration and command-line options of Snort can be specified in the configuration file
- Format
  config <directive>[: <value>]
- Example
  config frag3
  or
  config alert_with_interface_name (equivalent to the -I command-line option; e.g. interface ens33)

Snort Configuration: Include
- The include keyword allows other Snort config files to be included within the snort.conf indicated on the Snort command line
- It works much like #include in the C programming language
- Format
  include <include file path/name>
- Example
  include $RULE_PATH/example.rule
Attack Detection in Snort

Rule options for NMAP
- Identify NMAP Ping Scan
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"NMAP ping sweep Scan"; dsize:0; sid:10000004; rev:1;)
- Identify NMAP TCP Scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"NMAP TCP Scan"; sid:10000005; rev:2;)
- Identify NMAP XMAS Scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap XMAS Tree Scan"; flags:FPU; sid:1000006; rev:1;)

Rule options for NMAP
- Identify NMAP FIN Scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap FIN Scan"; flags:F; sid:1000008; rev:1;)
- Identify NMAP NULL Scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap NULL Scan"; flags:0; sid:1000009; rev:1;)
- Identify NMAP UDP Scan
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap UDP Scan"; sid:1000010; rev:1;)
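To show what the flags and dsize options in these rules actually test, the following Python script (added here; it is neither the slides' nor Snort's code) implements the matching semantics of Snort's flags option (exact match, plus the +, * and ! modifiers and the optional mask) and of the dsize option, and evaluates the six rules above against a few constructed packet summaries. The rules are reduced to protocol, destination port, flags and dsize; the address variables are assumed to match and are not re-checked, and the packet summaries are made up for the example.

```python
# Snort's single-letter TCP flag names mapped to the bits in the TCP header flags byte.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}


def flag_value(letters):
    """'FPU' -> 0x29; '0' (Snort's 'no flags set') -> 0."""
    return 0 if letters == "0" else sum(FLAG_BITS[c] for c in letters)


def flags_match(spec, th_flags):
    """Snort flags option: [!|*|+]<FSRPAU120>[,<mask>].
    No modifier = exact match; '+' = listed bits set, others allowed; '*' = any listed bit;
    '!' = none of the listed bits.  Bits named in the mask are ignored before comparing."""
    mod = None
    if spec[0] in "!*+":
        mod, spec = spec[0], spec[1:]
    letters, _, mask = spec.partition(",")
    want = flag_value(letters)
    have = th_flags & ~flag_value(mask) & 0xFF
    if mod is None:
        return have == want
    if mod == "+":
        return have & want == want
    if mod == "*":
        return have & want != 0
    return have & want == 0


def dsize_match(spec, size):
    """Snort dsize option: N, >N, <N or LOW<>HIGH (the range is treated as inclusive here)."""
    if "<>" in spec:
        lo, hi = spec.split("<>")
        return int(lo) <= size <= int(hi)
    if spec.startswith(">"):
        return size > int(spec[1:])
    if spec.startswith("<"):
        return size < int(spec[1:])
    return size == int(spec)


# The six rules from the slides reduced to the fields this evaluation needs
# (protocol, destination port, flags, dsize); address variables are not re-checked.
SCAN_RULES = [
    {"sid": 10000004, "msg": "NMAP ping sweep Scan", "proto": "icmp", "dsize": "0"},
    {"sid": 10000005, "msg": "NMAP TCP Scan", "proto": "tcp", "dport": 22},
    {"sid": 1000006, "msg": "Nmap XMAS Tree Scan", "proto": "tcp", "dport": 22, "flags": "FPU"},
    {"sid": 1000008, "msg": "Nmap FIN Scan", "proto": "tcp", "dport": 22, "flags": "F"},
    {"sid": 1000009, "msg": "Nmap NULL Scan", "proto": "tcp", "dport": 22, "flags": "0"},
    {"sid": 1000010, "msg": "Nmap UDP Scan", "proto": "udp"},
]


def rule_fires(rule, pkt):
    """Every option present in the rule must match; an absent option matches anything."""
    if rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if "flags" in rule and not flags_match(rule["flags"], pkt.get("flags", 0)):
        return False
    if "dsize" in rule and not dsize_match(rule["dsize"], pkt["dsize"]):
        return False
    return True


def evaluate(pkt, rules=SCAN_RULES):
    """Return the sids of all rules that fire on one decoded packet, in rule order."""
    return [r["sid"] for r in rules if rule_fires(r, pkt)]


# Constructed packet summaries (not captures): TCP flags byte and payload length.
SAMPLE_PACKETS = {
    "xmas_to_ssh":       {"proto": "tcp", "dport": 22, "flags": flag_value("FPU"), "dsize": 0},
    "fin_to_ssh":        {"proto": "tcp", "dport": 22, "flags": flag_value("F"), "dsize": 0},
    "null_to_ssh":       {"proto": "tcp", "dport": 22, "flags": 0, "dsize": 0},
    "normal_ssh_syn":    {"proto": "tcp", "dport": 22, "flags": flag_value("S"), "dsize": 0},
    "empty_icmp":        {"proto": "icmp", "dsize": 0},
    "ping_with_payload": {"proto": "icmp", "dsize": 56},
    "dns_query":         {"proto": "udp", "dport": 53, "dsize": 40},
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:18s} -> sids {evaluate(pkt)}")
```

Running it makes the cost of the two unqualified rules visible: sid 10000005 fires on every TCP packet to port 22, including the normal SSH SYN, and sid 1000010 fires on every UDP datagram, including an ordinary DNS query. Before such rules are deployed they need a further constraint, for example a flags option or a threshold/detection_filter requiring many packets from one source in a short time, or the alert stream will be dominated by legitimate traffic.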

Más contenido relacionado

Ähnlich wie IDS_WK_Arsalan.pptx

Chapter 12
Chapter 12Chapter 12
Chapter 12cclay3
 
Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1whitehat 'People'
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptIwan89629
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptcemporku
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdftehkotak4
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsCisco Canada
 
First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]Phil Huggins FBCS CITP
 
All About Snort
All About SnortAll About Snort
All About Snort28pranjal
 
Csec630 Lab 2 Essay
Csec630 Lab 2 EssayCsec630 Lab 2 Essay
Csec630 Lab 2 EssayBeth Hines
 
An analysis of Network Intrusion Detection System using SNORT
An analysis of Network Intrusion Detection System using SNORTAn analysis of Network Intrusion Detection System using SNORT
An analysis of Network Intrusion Detection System using SNORTijsrd.com
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike
 
Bro Policy Assignment
Bro Policy AssignmentBro Policy Assignment
Bro Policy AssignmentTara Hardin
 
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...Disha Bedi
 
Low cost multi-sensor IDS system
Low cost multi-sensor IDS systemLow cost multi-sensor IDS system
Low cost multi-sensor IDS systemRobert Schrack
 

Ähnlich wie IDS_WK_Arsalan.pptx (20)

Chapter 12
Chapter 12Chapter 12
Chapter 12
 
Snort
SnortSnort
Snort
 
Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.ppt
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdf
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage Threats
 
First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]
 
All About Snort
All About SnortAll About Snort
All About Snort
 
Csec630 Lab 2 Essay
Csec630 Lab 2 EssayCsec630 Lab 2 Essay
Csec630 Lab 2 Essay
 
An analysis of Network Intrusion Detection System using SNORT
An analysis of Network Intrusion Detection System using SNORTAn analysis of Network Intrusion Detection System using SNORT
An analysis of Network Intrusion Detection System using SNORT
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
Bro Policy Assignment
Bro Policy AssignmentBro Policy Assignment
Bro Policy Assignment
 
Bro Policy Assignment
Bro Policy AssignmentBro Policy Assignment
Bro Policy Assignment
 
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
 
Low cost multi-sensor IDS system
Low cost multi-sensor IDS systemLow cost multi-sensor IDS system
Low cost multi-sensor IDS system
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
6
66
6
 

Último

.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptxHansamali Gamage
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch TuesdayIvanti
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0DanBrown980551
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxSatishbabu Gunukula
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Muhammad Tiham Siddiqui
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTopCSSGallery
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applicationsnooralam814309
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosErol GIRAUDY
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3DianaGray10
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxKaustubhBhavsar6
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2DianaGray10
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxNeo4j
 
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveIES VE
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud DataEric D. Schabell
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)IES VE
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInThousandEyes
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarThousandEyes
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Libraryshyamraj55
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfTejal81
 

Último (20)

.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch Tuesday
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptx
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development Companies
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applications
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenarios
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
 
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? Webinar
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Library
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile Brochure
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
 

IDS_WK_Arsalan.pptx

  • 1. Network Protection Using Intrusion Detection System (IDS) Muhammad Arsalan Paracha CIPMA Lab, PIEAS
  • 2. Outline  Network Security Fundamentals  IDS Overview  IDS Types  Snort - IDS  Components  Rules  Configurations  Attack detection
  • 3. What is Security “Quality or state of being secure or free from danger” 3
  • 4. What is Network Security Application of administrative, physical, and technical controls in a network to provide Confidentiality, Integrity and Availability. 4
  • 5. CIA Triad Protection from unauthorized access Protection from unauthorized alteration Provide timely and uninterrupted access
  • 6. Few Terminologies Vulnerability: Any weakness Attack: Exploitation of a vulnerability Threat: The possibility of an attack Cyber Attack: Any action compromising the security of information owned by an individual / organization Cyber Weapon: Any S/W, H/W or User used for a cyber attack
  • 7. Security, Functionality, and Ease of Use Security Ease of Use Functionality 7
  • 8. Network Security Monitoring (NSM)  Network security monitoring is an automated process that monitors network devices and traffic for security vulnerabilities, threats, and suspicious activities.  Organizations can use it to detect and respond to cybersecurity breaches quickly. 8
  • 9.  The NSM Cycle consists of three distinct phases:  Collection  Detection  Analysis NSM Cycle
  • 10. Intrusion Detection System (IDS)  A collection of techniques and methodologies used to monitor suspicious activities both at the network and the host level  It is not a firewall (Additional level of security in the network)  IDS is more like an alarm system  It will perform actions like  Alerting, logging , etc upon detection.  Network administrators can make changes in the firewall rules upon detection of attacks  Can help detect attacks that pass through the firewall  Protection from the insiders  It inspects the content of the network traffic 10
  • 11. IDS  Deployed with multiple sensors on various location on the network  Report to a centralized management console  A sensor  Monitors traffic, matches against the rule sets and raises alerts, logs it or some other action.  A rule set contains  Traffic signatures or rules for unwanted behavior  Rules Check for threshold, protocol IP source and destination  Signatures Traffic patterns associated with attack
  • 13. Host Based IDS (HIDS)  Log Monitors  Parse system event Log files  Example: Apache, access log file check for “cgi-bin”  Integrity Checkers  check for key system structures to change  System files, registry keys  Tripwire (FIM solution) File Additions , deletions, flag modifications, access time etc.
  • 14. Network Based IDS (NIDS)  Signature Based  Database of know signatures  Similar to virus signatures, but it looks for attack signatures  Anomaly based  Form a baseline for a normal system  Raise an alarm when the system is no longer functioning under normal conditions
  • 15. Signature Based IDS  The most common form of IDS is signature-based  These systems work by examining packet data for indicators of compromise (IOCs)  Indicators are combined with IDS platform-specific directives to form signatures (also called rules)  Whenever a signature-based IDS locates data that matches content found in a signature, it generates an alert  The two most popular signature-based detection IDS’s are Snort and Suricata 15
  • 16. Snort - an network intrusion prevention and detection system 16
  • 17. Snort Modes  Sniffer mode  simply reads the packets off of the network and displays them for you in a continuous stream on the console (screen).  Packet Logger mode  logs the packets to disk  IDS / offline mode  IPS / Inline mode 17
  • 19. Packet Decoder  Takes packets from different types of network interfaces (Ethernet, SLIP,PPP…)  Determine which underlying protocols are used in the packet (such as Ethernet, IP, TCP, etc.)  It also detects various anomalous behaviors in packet headers. 19
  • 20. Preprocessor  Plugins that modify or setup data for the detection engine  It rearranges the data to be detectable by the IDS  Packet defragmentation  If the packets are too large, then it gets fragmented into smaller packets  Must be reassembled prior to analysis 20
  • 21. Preprocessor  frag3 – Detects packet fragmentation  Stream5 (Self protection against TCP and UDP)  http_inspect – Web Traffic  rpc_decode – RPC traffic  Reputation - provides basic IP blacklist/whitelist capabilities  sfportscan – Detect port scanning activities. 21 +Many other
  • 22. Detection Engine  Most important part of the engine  Uses the detection rules  It is dependent on  Speed of the machine  Number of rules  Load on the network  The Detection Engine applies rules to different parts of the packet  Header (IP/TCP/Application)  Packet Payload  Policy for matching of rules varies with versions 22
  • 23. Logging and Alerting system  Based upon the matched rule  Logged, alert generated  Logs /var/log/snort  -l for the modification of location 23
  • 24. Snort Rules  In a single line  Rules are created by known intrusion signatures.  Included in snort configuration file. rule header rule options
  • 25. Snort Rule Actions Protocol Source ip address Source port # destination ip address Destination port Rule options Rule header
  • 26. Rule Header - Actions  The first item in a rule is the rule action. The rule action tells Snort what to do when it finds a packet that matches the rule criteria. There are 3 available default actions in Snort, alert, log, pass. In addition, if you are running Snort in inline mode, you have additional options which include drop, reject, and sdrop.  alert - generate an alert using the selected alert method, and then log the packet  log - log the packet  pass - ignore the packet  drop - block and log the packet  reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.  sdrop - block the packet but do not log it.
  • 27. Rule Header - Source and Destination IP Address Field (1/2)  (source network) (port) -> (destination network) (port)  CIDR (Classless Inter Domain Routing) notation is used for the network arguments. 10.35.24.0/24  For the Snort rules files, you really deal with only two types of entries:  Networks  Hosts
  • 28. Rule Header - Source and Destination IP Address Field (2/2)  Source and Destination IP Address Field  Format: Address/netmask Address x.x.x.x Netmask = bits of network mask For example  24.0.0.0/8 Class A  24.3.0.0/16 Class b  192.185.67.0/24 Class C  192.185.67.188 host address  Special keywords: any ! (negation) $HOME_NET (variable defined elsewhere)
• 29. Rule Header - Source and Destination Port Field
  - Static port: 111
  - All ports: any
  - Range: 110:3000
  - Negation: !80
  - Less than or equal: :1023
  - Greater than or equal: 1024:
• 30. Rule Header - Direction Indicator
  - ->: source information is specified to the left of the arrow, destination information to the right of the arrow
  - There is also a bidirectional operator, indicated with a <> symbol. This tells Snort to consider the address/port pairs in either the source or destination orientation. This is handy for recording/analyzing both sides of a conversation, such as telnet or POP3 sessions
• 31. Rule Options
  - All Snort rule options are separated from each other using the semicolon (;) character. Rule option keywords are separated from their arguments with a colon (:) character
  - There are four major categories of rule options:
  - General (msg, reference, classtype): these options provide information about the rule but have no effect during detection
  - Payload (content, depth, offset, nocase): these options all look for data inside the packet payload and can be inter-related
  - Non-Payload (ttl, id, dsize, flags, seq, icmp_id): these options look for non-payload data
  - Post-Detection (logto, session): these options are rule-specific triggers that happen after a rule has "fired"
• 32. Snort Rule Example
  - Rule header:
      alert tcp $EXTERNAL_NET any -> $HOME_NET 21
  - Rule options:
      (msg:"ftp Exploit"; flow:to_server,established; content:"|31c031db 41c9b046 cd80 31c031db|"; reference:bugtraq,1387; classtype:attempted-admin; sid:344; rev:4;)
• 35. snort.conf
  - The Snort configuration file contains 9 basic sections:
      1) Set the network variables
      2) Configure the decoder
      3) Configure the base detection engine
      4) Configure dynamically loaded libraries
      5) Configure preprocessors
      6) Configure output plugins
      7) Customize your rule set
      8) Customize the preprocessor and decoder rule set
      9) Customize the shared object rule set
• 36. Snort Configuration
  - The Snort configuration has three main elements:
      1. Variables
      2. Config
      3. Includes
• 37. Snort Configuration: Variables
  - Variables are used to store information to be referenced and manipulated
  - Three types of variables may be defined in Snort:
  - var: a simple variable that can be defined for any purpose
  - portvar: used to define a port or a list of ports
  - ipvar: used to define an IP address or a list of IP addresses
• 38. Snort Configuration: Variables - Example
  - Definitions:
      var RULES_PATH /usr/local/etc/rules/
      portvar MY_PORTS [22,80,1024:1050]
      ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]
  - Usage:
      alert tcp any any -> $MY_NET $MY_PORTS (flags:S; msg:"SYN packet";)
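The header fields of slides 27 to 30, the option syntax of slide 31, the example rule of slide 32 and the variable substitution of slides 38 and 39 can be worked through in a small Python parser and matcher. The code below is an added example written for this page; it is not Snort's own parser and not part of the presentation. It handles the address and port forms the slides list (CIDR networks, host addresses, any, ! negation, [lists], ranges such as 110:3000, :1023 and 1024:), expands $VARIABLES from a constructed table (MY_NET and MY_PORTS are the slide's values; the HOME_NET value is assumed, and EXTERNAL_NET is the usual "not HOME_NET"), and splits the option body into keywords without evaluating them. The two rule constants restate the slides' rules with the option syntax written out in full.

```python
"""Minimal parser and matcher for Snort 2.x rule headers and options.
Added example, not Snort's own code: it covers the header forms on the slides
(CIDR, host, any, ! negation, [lists], port ranges) and $VARIABLE expansion."""
import ipaddress
import re

# Constructed variable table: MY_NET/MY_PORTS are the slide's values, HOME_NET is assumed.
VARIABLES = {
    "MY_NET": "[192.168.1.0/24,10.1.1.0/24]",
    "MY_PORTS": "[22,80,1024:1050]",
    "HOME_NET": "[192.168.1.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
}

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def expand_vars(token, variables=VARIABLES):
    """Replace each $NAME with its definition until none remain (KeyError if undefined)."""
    pattern = re.compile(r"\$([A-Za-z_]\w*)")
    while pattern.search(token):
        token = pattern.sub(lambda m: variables[m.group(1)], token)
    return token


def _items(spec):
    """Strip a leading ! and one level of [...]; return (negated, items)."""
    negated = spec.startswith("!")
    spec = spec[1:] if negated else spec
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    return negated, [s.strip() for s in spec.split(",") if s.strip()]


def match_address(spec, ip, variables=VARIABLES):
    """True if ip matches an address spec: any, CIDR, host, [list], !negation."""
    negated, items = _items(expand_vars(spec, variables))
    hit = "any" in items or any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(item, strict=False)
        for item in items if item != "any")
    return hit != negated


def match_port(spec, port, variables=VARIABLES):
    """True if port matches a port spec: 111, any, 110:3000, :1023, 1024:, !80, [list]."""
    negated, items = _items(expand_vars(spec, variables))
    hit = False
    for item in items:
        if item == "any":
            hit = True
            continue
        lo, sep, hi = item.partition(":")
        low = int(lo) if lo else 0
        high = (int(hi) if hi else 65535) if sep else low   # ':1023', '1024:', '110:3000', '111'
        hit = hit or low <= port <= high
    return hit != negated


def split_options(opts):
    """Split the option body on semicolons that sit outside double quotes."""
    items, buf, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf).strip())
    return [i for i in items if i]


def parse_rule(text):
    """Return {'header': {...}, 'options': [(keyword, value or None), ...]}."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: " + text)
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    for item in split_options(m.group("opts")):
        key, sep, val = item.partition(":")        # 'msg:"x"' -> ('msg', 'x'); 'nocase' -> ('nocase', None)
        options.append((key.strip(), val.strip().strip('"') if sep else None))
    return {"header": header, "options": options}


def header_matches(rule, pkt, variables=VARIABLES):
    """Match proto, addresses and ports of a packet dict; '<>' accepts either orientation."""
    h = rule["header"]
    if h["proto"] not in ("ip", pkt["proto"]):
        return False

    def one_way(src, sport, dst, dport):
        return (match_address(h["src"], src, variables) and match_port(h["sport"], sport, variables)
                and match_address(h["dst"], dst, variables) and match_port(h["dport"], dport, variables))

    if one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    return h["dir"] == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


# The slides' two rules, with the option syntax written out in full.
FTP_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ftp Exploit"; '
            'flow:to_server,established; content:"|31c031db 41c9b046 cd80 31c031db|"; '
            'reference:bugtraq,1387; classtype:attempted-admin; sid:344; rev:4;)')
SYN_RULE = 'alert tcp any any -> $MY_NET $MY_PORTS (flags:S; msg:"SYN packet";)'
```

`parse_rule(FTP_RULE)["options"]` yields the seven keyword/value pairs of slide 32, and `header_matches(parse_rule(SYN_RULE), pkt)` is true for a packet to 10.1.1.7 port 1030 but false for port 443, which is the effect of the MY_NET and MY_PORTS definitions. Only the header is matched here; a real engine would go on to evaluate the options (content, flow, flags) against the packet.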
• 39. Snort Configuration: Config
  - Many configuration and command-line options of Snort can be specified in the configuration file
  - Format:
      config <directive> [: <value>]
  - Examples:
      config frag3
      config alert_with_interface_name (same as the -I command-line switch; ens33 is the interface name)
• 40. Snort Configuration: Include
  - The include keyword allows other Snort configuration files to be included within the snort.conf given on the Snort command line
  - It works much like #include in the C programming language
  - Format:
      include <include file path/name>
  - Example:
      include $RULE_PATH/example.rule
• 42. Rule Options for NMAP (1/2)
  - Identify NMAP ping scan:
      alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"NMAP ping sweep Scan"; dsize:0; sid:10000004; rev:1;)
  - Identify NMAP TCP scan:
      alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"NMAP TCP Scan"; sid:10000005; rev:2;)
  - Identify NMAP XMAS scan:
      alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap XMAS Tree Scan"; flags:FPU; sid:1000006; rev:1;)
• 43. Rule Options for NMAP (2/2)
  - Identify NMAP FIN scan:
      alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap FIN Scan"; flags:F; sid:1000008; rev:1;)
  - Identify NMAP NULL scan:
      alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap NULL Scan"; flags:0; sid:1000009; rev:1;)
  - Identify NMAP UDP scan:
      alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap UDP Scan"; sid:1000010; rev:1;)
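The NMAP rules on slides 42 and 43 detect the scan types purely through the flags: and dsize: options. The Python below is an added example, not Snort's code and not part of the presentation: it models the flags: semantics (exact match by default, the +, * and ! modifiers, and the optional ignore field after the comma) and dsize:, restates the six rules as constructed dicts with the slides' sids and messages, and runs them over constructed packet records to show which rules fire for which probe.

```python
"""Model of Snort's `flags:` and `dsize:` option semantics, run over constructed
packets with the NMAP rules from the slides.  Added example, not Snort's code.
flags: syntax is [!|*|+]<FSRPAUCE0>[,<ignored bits>]: exact match by default,
+ = these bits plus any others, * = any of these bits, ! = none of these bits,
0 = no flags; the optional second field names bits to ignore (1/C and 2/E)."""

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "C": 0x40, "E": 0x80}   # C = CWR, E = ECE
IGNORE_ALIAS = {"1": "C", "2": "E"}   # reserved-bit names accepted after the comma


def flags_to_mask(spec):
    """'FPU' -> 0x29, '0' -> 0."""
    if spec == "0":
        return 0
    mask = 0
    for ch in spec:
        mask |= FLAG_BITS[ch]
    return mask


def flags_match(spec, packet_flags):
    """Apply one flags: value to a packet's TCP flag byte."""
    flags, _, ignore = spec.partition(",")
    for ch in ignore:                       # mask out bits the rule says to ignore
        packet_flags &= ~FLAG_BITS[IGNORE_ALIAS.get(ch, ch)]
    modifier = flags[0] if flags[0] in "!*+" else ""
    want = flags_to_mask(flags[len(modifier):])
    if modifier == "!":
        return packet_flags & want == 0
    if modifier == "+":
        return packet_flags & want == want
    if modifier == "*":
        return packet_flags & want != 0
    return packet_flags == want


# The slides' six rules reduced to the fields this example evaluates
# (constructed dicts with the slides' sids and msgs; dport None means 'any').
NMAP_RULES = [
    {"sid": 10000004, "msg": "NMAP ping sweep Scan", "proto": "icmp", "dport": None, "dsize": 0},
    {"sid": 10000005, "msg": "NMAP TCP Scan", "proto": "tcp", "dport": 22},
    {"sid": 1000006, "msg": "Nmap XMAS Tree Scan", "proto": "tcp", "dport": 22, "flags": "FPU"},
    {"sid": 1000008, "msg": "Nmap FIN Scan", "proto": "tcp", "dport": 22, "flags": "F"},
    {"sid": 1000009, "msg": "Nmap NULL Scan", "proto": "tcp", "dport": 22, "flags": "0"},
    {"sid": 1000010, "msg": "Nmap UDP Scan", "proto": "udp", "dport": None},
]

# Constructed packet records (not captured traffic); flags is the TCP flag byte.
SAMPLE_PACKETS = [
    {"proto": "tcp", "dport": 22, "flags": 0x29},                           # FIN+PSH+URG: XMAS probe
    {"proto": "tcp", "dport": 22, "flags": 0x01},                           # FIN only
    {"proto": "tcp", "dport": 22, "flags": 0x00},                           # no flags: NULL probe
    {"proto": "tcp", "dport": 22, "flags": 0x02},                           # plain SYN
    {"proto": "tcp", "dport": 22, "flags": 0x18, "payload": b"SSH-2.0-x"},  # PSH+ACK data in an SSH session
    {"proto": "icmp", "payload": b""},                                      # echo request, empty payload
    {"proto": "icmp", "payload": b"abcdefgh"},                              # ping carrying data
    {"proto": "udp", "dport": 53, "payload": b"\x00"},                      # UDP probe
]


def rule_fires(rule, pkt):
    """Protocol, destination port, dsize and flags checks of one rule."""
    if pkt["proto"] != rule["proto"]:
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    if "dsize" in rule and len(pkt.get("payload", b"")) != rule["dsize"]:
        return False
    if "flags" in rule and not flags_match(rule["flags"], pkt.get("flags", 0)):
        return False
    return True


def evaluate(packets, rules=NMAP_RULES):
    """[(packet index, sid), ...] for every rule each packet triggers."""
    return [(i, r["sid"]) for i, p in enumerate(packets) for r in rules if rule_fires(r, p)]
```

Running `evaluate(SAMPLE_PACKETS)` shows that the XMAS, FIN and NULL rules each fire only for their own probe, and the ICMP rule only for the echo request with an empty payload. It also shows why the "NMAP TCP Scan" rule (sid 10000005) is noisy: with no options at all it fires for every TCP packet to port 22, including the PSH+ACK segment of an established SSH session, so in practice such a rule is narrowed with flags:S or a flow: option before it is deployed.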