Intrusion Detection System : Snort

 

Hands-on Practice

- Snort

 

What is Intrusion Detection System?

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDS come in a variety of flavors and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems.

 

Network Intrusion Detection Systems : Network intrusion detection systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. A NIDS analyses the traffic passing on the entire subnet, works in promiscuous mode, and matches the traffic seen on the subnet against a library of known attacks. Once an attack is identified, or abnormal behaviour is sensed, an alert can be sent to the administrator. An example of NIDS usage would be installing it on the subnet where the firewalls are located, in order to see whether someone is trying to break into the firewall. Ideally one would scan all inbound and outbound traffic; however, doing so might create a bottleneck that would impair the overall speed of the network.

 

Host Intrusion Detection Systems : Host intrusion detection systems run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets of that device only and will alert the user or administrator if suspicious activity is detected. It takes a snapshot of the existing system files and compares it with the previous snapshot. If critical system files have been modified or deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission-critical machines, which are not expected to change their configurations.

[From Wikipedia]

 

Intrusion Detection System Techniques

- Anomaly based intrusion detection
  An IDS which is anomaly based will monitor network traffic and compare it against an established baseline. The baseline identifies what is normal for that network - what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other - and the IDS alerts the administrator or user when traffic is detected which is anomalous, or significantly different from the baseline. The issue is that it may raise a false-positive alarm for a legitimate use of bandwidth if the baseline is not intelligently configured.

- Misuse/Signature based intrusion detection
  A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag time your IDS would be unable to detect the new threat.
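The two techniques above, side by side as a toy detection engine (an added example, not Snort's code or rules): the signature side parses rules written in Snort's rule syntax and matches them on header fields and payload content; the anomaly side compares traffic against a baseline. The rules, the baseline and the packets are all constructed for the example.

```python
import re
from collections import defaultdict
# Constructed Snort-style rules: "alert <proto> <src> <sport> -> <dst> <dport> (options)".
RULE_TEXT = [
    'alert tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; sid:1000001;)',
    'alert tcp any any -> any 21 (msg:"FTP anonymous login"; content:"USER anonymous"; sid:1000002;)',
]
RULE_RE = re.compile(r"alert (\w+) \S+ \S+ -> \S+ (\d+|any) \((.*)\)")
OPT_RE = re.compile(r'(\w+):"?([^";]*)"?;')

def parse_rule(text):
    # Keep only the fields this toy engine understands: proto, dport, msg, content, sid.
    proto, dport, opts = RULE_RE.match(text).groups()
    o = dict(OPT_RE.findall(opts))
    return {"proto": proto, "dport": None if dport == "any" else int(dport),
            "msg": o["msg"], "content": o["content"].encode(), "sid": int(o["sid"])}

def signature_alerts(packets, rules):
    # Misuse detection: alert when header fields and payload content match a known-bad rule.
    hits = []
    for p in packets:
        for r in rules:
            if (p["proto"] == r["proto"] and r["dport"] in (None, p["dport"])
                    and r["content"] in p["payload"]):
                hits.append((r["sid"], r["msg"], p["src"]))
    return hits

# Constructed baseline of "normal" for this subnet: usual destination ports, bytes a host sends per window.
BASELINE = {"allowed_dports": {21, 53, 80, 443}, "bytes_per_host": 2000}

def anomaly_alerts(packets, baseline, factor=3.0):
    # Anomaly detection: alert on deviation from the baseline, knowing nothing about specific attacks.
    per_host, hits = defaultdict(int), []
    for p in packets:
        per_host[p["src"]] += p["bytes"]
        if p["dport"] not in baseline["allowed_dports"]:
            hits.append(("unusual port", p["src"], p["dport"]))
    for host, total in per_host.items():
        if total > factor * baseline["bytes_per_host"]:
            hits.append(("bandwidth spike", host, total))
    return hits

# Constructed packets; the payload bytes stand in for what a sniffer in promiscuous mode would capture.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dport": 80, "bytes": 300, "payload": b"GET /index.html HTTP/1.1"},
    {"proto": "tcp", "src": "10.0.0.7", "dport": 80, "bytes": 300, "payload": b"GET /../../etc/passwd HTTP/1.1"},
    {"proto": "tcp", "src": "10.0.0.7", "dport": 4444, "bytes": 100, "payload": b"hello"},
    {"proto": "tcp", "src": "10.0.0.9", "dport": 443, "bytes": 7000, "payload": b"\x16\x03\x01"},  # large but legitimate
]
```

Running signature_alerts over PACKETS catches only the request that contains the known pattern, while anomaly_alerts flags the connection to the unusual port 4444 and, as the false-positive caveat above warns, also the large but legitimate transfer from 10.0.0.9.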

 

Intrusion Detection System Tools

- Snort - NIDS
  Snort's open source network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. These basic services have many purposes, including application-aware triggered quality of service, for example to de-prioritize bulk traffic when latency-sensitive applications are in use.
Website : http://www.snort.org/

- Tripwire - HIDS
  Tripwire software detects improper change, including additions to, deletions from and modifications of file systems, and identifies the source. It simplifies and eases management of change monitoring policies.
Website : http://www.tripwire.org/

- OSSEC - HIDS
  OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. OSSEC has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed.
Website : http://www.ossec.net/

 

References

- Wikipedia, Intrusion Detection System

- Snort, http://www.snort.org/

- Tripwire, http://www.tripwire.org/

- OSSEC, http://www.ossec.net/

- Mattord, Verma (2008). Principles of Information Security. Course Technology. pp. 290-301. ISBN 978-1-4239-0177-8.

- KR, Karthikeyan, and A. Indra. "Intrusion Detection Tools and Techniques: A Survey."