2. • To be understand the basic concepts of IDS
• The student will be able build an IDS using snort
3. Defined as the tools, methods, and resources to help
identify, assess, and report unauthorized or
unapproved network activity
IDSes can detect and deal with insider attacks, as well
as, external attacks, and are often very useful in
detecting violations of corporate security policy and other
internal threats.
4. “An Intrusion Detection System is required to detect all
types of malicious network traffic and computer usage that
can't be detected by a conventional firewall. This includes
network attacks against vulnerable services, data driven
attacks on applications, host based attacks such as privilege
escalation, unauthorized logins and access to sensitive files,
and malware (viruses, trojan horses, and worms).”
5. Based on location :
1. Network-based (NIDS)
Monitors network traffic
Provides early warning system for attacks
2. Host-based (HIDS)
Monitors activity on host machine
Able to stop compromises while they are in progress
6. Based on detection method:
1. Signature Based IDS
Monitor network or server traffic and match bytes or packet
sequences against a set of predetermined attack lists or
signatures.
2. Anomaly Based IDS
Use network traffic baselines to determine a “normal” state for
the network and compare current traffic to that baseline.
7. Signature detections
Also know as misuse detection
IDS analyzes information it gathers and compares it to a
database of known attacks, which are identified by their
individual signatures
Anomaly detection
Baseline is defined to describe normal state of network or host
Any activity outside baseline is considered to be an attack
8. • The ability to know when an intruder or attacker is
engaged in reconnaissance or other malicious activity
can mean the difference between being compromised
and not being compromised.
• An IDS can alert the administrator of a successful
compromise, allowing them the opportunity to
implement mitigating actions before further damage is
caused
9. Cisco Systems, Inc.
Computer Associates International Inc.
CyberSafe Corp.
Cylant Technology
Palo Alto Network
Internet Security Systems Inc.
Snort
Etc..
10. It is an open source Intrusion Prevention System capable
of real-time traffic analysis and packet logging
(www.snort.org)
Multiplatform software
11.
12. 1. Sniffer mode, which simply reads the packets off of the
network and displays them for you in a continuousstream on
the console (screen)
2. Packet Logger mode, which logs the packets to disk.
3. Intrusion Detection System (IDS) mode, which
performs detection and analysis on network traffic.This is the
most complex and configurable mode.
13. ./snort -v
This command will run Snort and just show the IP and
TCP/UDP/ICMP headers, nothing else. If you want to see the
application data in transit, try the following:
./snort -vd
This instructs Snort to display the packet data as well as the
headers. If you want an even more descriptive display, showing
the data link layer headers, do this:
./snort -vde
As an aside, notice that the command line switches can be listed
separately or in a combined form. The last command could also
be typed out as:
./snort -d -v -e
14. Need to specify a logging directory and Snort will automatically know
to go into packet logger mode:
./snort -dev -l ./log
This rule tells Snort that you want to print out the data link and TCP/IP
headers as well as application data into thedirectory./log, and you
want to log the packets relative to the 192.168.1.0 class C network.
All incoming packetswill be recorded into subdirectories of the log
directory, with the directory names being based on the address of
theremote (non-192.168.1) host.
./snort -dev -l ./log -h 192.168.1.0/24
15. To enable Intrusion Detection System (IDS) mode sothat you don’t
record every single packet sent downthe wire, try this:
./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
16. When Snort generates an alert message, it will usually look like the
following:
[**] [116:56:1] (snort_decoder): T/TCP Detected [**]
The first number is the Generator ID, this tells the user what component of Snort
generated this alert. For a list of GIDs, please read etc/generators in the Snort
source. In this case, we know that this event came from the “decode”(116)
component of Snort.
The second number is the Snort ID (sometimes referred to as Signature ID). For a
list of preprocessor SIDs, please see etc/gen-msg.map. Rule-based SIDs are
written directly into the rules with the sid option. In this case,56 represents aT/TCP
event.
The third number is the revision ID. This number is primarily used when writing
signatures, as each rendition of the rule should increment this number with the rev
option.
17. • Most Snort rules are written in a single line
• May span multiple lines by adding a backslashto the end of the
line
• Snort rules are divided into two logical sections, the rule header
and the rule options
The rule header containsthe rule’s action, protocol, source and destination IP
addresses and netmasks, and the source and destination portsinformation.
The rule option section contains alert messages and information on which
parts of the packet should beinspected to determine if the rule action should
be taken.
18. alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|";
msg:"mountd access";)
The first item in a rule is the rule action :
1. alert - generate an alert using the selected alert method,and
then log the packet
2. log - log the packet
3. pass - ignore the packet
4. drop - block and log the packet
5. reject - block the packet, log it, and then send a TCP reset if
the protocol is TCP or an ICMP port unreachable message if the
protocol is UDP
6. sdrop - block the packet but do not log it
19. log udp any any -> 192.168.1.0/24 1:1024
log udp traffic coming from any port and destination ports
ranging from 1 to 1024
log tcp any any -> 192.168.1.0/24 :6000
log tcp traffic from any port going to ports less than or equal to
6000
log tcp any :1024 -> 192.168.1.0/24 500:
log tcp traffic from privileged ports less than or equal to 1024 going
to ports greater than or equal to 500
