A SEMINAR REPORT ON
Autonomous Rule Creation For IDS
BY
SUSHILKUMAR BOBADE
ASHISH FATARPHEKAR
NIKIT CHAUDHARY
SUMIT DESAI
Under the Guidance of
Prof. Gayatri Naik
YADAVRAO TASGAONKAR INSTITUTE OF ENGINEERING AND TECHNOLOGY BHIVPURI ROAD, KARJAT MUMBAI UNIVERSITY (2013-14)
Y.T.I.E.T COLLEGE [BHIVPURI ROAED] Page 2
YADAVRAO TASGAONKAR INSTITUTE OF ENGINEERING AND TECHNOLOGY, BHIVPURI ROAD, KARJAT.
CERTIFICATE
This is to certify that SUSHILKUMAR BOBADE, ASHISH FATARPHEKAR, NIKIT CHAUDHARY and SUMIT DESAI have satisfactorily completed the requirements of the seminar on Autonomous Rule Creation For IDS, submitted in fulfilment of the requirements of the University of Mumbai, Department of Computer Engineering.
Prof. Gayatri Naik Prof. Vaishali Londhe (Internal Guide) (Head of Department)
Dr. Rajendra Prasad (External Examiner) (Principal) College Stamp
ACKNOWLEDGEMENT
It is a matter of great satisfaction and pleasure to present a seminar on Autonomous Rule Creation Of Intrusion Detection System. We wish to express our sincere thanks and gratitude to our honourable guide Mrs. Prof. Gayatri Naik for her constant guidance and motivation. We also thank her for her valuable support and encouragement throughout the preparation of the seminar, without which the seminar would not have been completed. We wish to express our sincere thanks to H.O.D. Mrs. Prof. Vaishali Londhe, who extended her valuable support during the course of the seminar. We also thank our colleagues who have helped in the successful completion of the seminar. Last but not least we would like to thank all our friends, who helped us directly or indirectly. The helpful hand rendered by all of them will remain for a long time in our memory. Finally we admit that cooperation, coordination and hard work are our keywords for success.
Thanking You!
ABSTRACT
Intrusion Detection Systems (IDSs) provide an important layer of security for computer systems and networks. An IDS's responsibility is to detect suspicious or unacceptable system and network activity and to alert a systems administrator to this activity. The majority of IDSs use a set of signatures that define what suspicious traffic is, and SNORT is one popular and actively developed open-source IDS that uses such a set of signatures, known as SNORT rules. Our aim is to identify a way in which SNORT could be developed further by generalising rules to identify novel attacks. In particular, we attempted to relax and vary the conditions and parameters of current SNORT rules, using an approach similar to classic rule learning operators such as generalisation and specialisation. We demonstrate the effectiveness of our approach through experiments with standard datasets and show that we are able to detect previously undetected variants of various attacks.
Nowadays it is very important to maintain a high level of security to ensure safe and trusted communication of information between various organizations. But secure data communication over the Internet or any other network is always under threat of intrusions and misuse. So Intrusion Detection Systems have become a necessary component of computer and network security. There are various approaches being utilized in intrusion detection, but unfortunately none of the systems so far is completely flawless. So, the quest for betterment continues. In this progression, here we present an Intrusion Detection System (IDS) that applies a genetic algorithm (GA) to efficiently detect various types of network intrusions. Parameters and evolution processes for the GA are discussed in detail and implemented. This approach applies evolution theory to information evolution in order to filter the traffic data and thus reduce the complexity. To implement and measure the performance of our system we used the KDD99 benchmark dataset and obtained a reasonable detection rate.
CONTENTS
Page No.
Certificate 01
Acknowledgement 02
Abstract 03
CHAPTER 1: INTRODUCTION
1.1 Definition of IDS 06
CHAPTER 2: LITERATURE REVIEW
2.1 Evolution of IDS
CHAPTER 3: METHODOLOGY
3.1 Types of Intrusion Detection System 12
3.2 Implementation Approaches of IDS 15
3.3 Autonomous rule creation for Signature based IDS Using SNORT 11
CHAPTER 1 INTRODUCTION
1.1 Definition of IDS
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDSs come in a variety of flavours and approach the goal of detecting suspicious traffic in different ways.
Intrusion detection (ID) is a type of security management system for computers and networks. An ID system gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). ID uses vulnerability assessment (sometimes referred to as scanning), which is a technology developed to assess the security of a computer system or network. Intrusion detection functions include:
- Monitoring and analyzing both user and system activities
- Analyzing system configurations and vulnerabilities
- Assessing system and file integrity
- Ability to recognize patterns typical of attacks
- Analysis of abnormal activity patterns
- Tracking user policy violations
ID systems are being developed in response to the increasing number of attacks on major sites and networks, including those of the Pentagon, the White House, NATO, and the U.S. Defense Department. The safeguarding of security is becoming increasingly difficult, because the possible technologies of attack are becoming ever more sophisticated; at the same time, less technical ability is required of the novice attacker, because proven past methods are easily accessed through the Web.
Typically, an ID system follows a two-step process. The first procedures are host-based and are considered the passive component; these include inspection of the system's configuration files to detect inadvisable settings, inspection of the password files to detect inadvisable passwords, and inspection of other system areas to detect policy violations.
The second procedures are network-based and are considered the active component: mechanisms are set in place to re-enact known methods of attack and to record system responses.
An intrusion detection system (IDS) is a type of security software designed to automatically alert administrators when someone or something is trying to compromise an information system through malicious activities or through security policy violations. An IDS works by monitoring system activity: examining vulnerabilities in the system and the integrity of files, and conducting an analysis of patterns based on already known attacks. It also automatically monitors the Internet to search for any of the latest threats which could result in a future attack.
An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. There are several ways to categorize an IDS; one is misuse detection vs. anomaly detection. In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, misuse detection software is only as good as the database of attack signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and look for anomalies.
An intrusion detection system (IDS) is an active process or device that analyzes system and network activity for unauthorized entry and/or malicious activity. The way that an IDS detects anomalies can vary widely; however, the ultimate aim of any IDS is to catch perpetrators in the act before they do real damage to resources. An IDS protects a system from attack, misuse, and compromise.
It can also monitor network activity, audit network and system configurations for vulnerabilities, analyze data integrity, and more. Depending on the detection methods you choose to deploy, there are several direct and incidental benefits to using an IDS.
The intrusion detection system architectures commonly used in commercial and research systems have a number of problems that limit their configurability, scalability or efficiency. The most common shortcoming in the existing architectures is that they are built around a single monolithic entity that does most of the data collection and processing. In this paper, we review our architecture for a distributed intrusion detection system based on multiple independent entities working collectively. We call these entities autonomous agents. This approach solves some of the problems previously mentioned. We present the motivation and description of the approach, partial results obtained from an early prototype, a discussion of design and implementation issues, and directions for future work.
1.2 The Need of Intrusion Detection System :
The question is, where does the intrusion detection system fit in the design? To put it in simpler terms, an intrusion detection system can be compared with a burglar alarm. For example, the lock system in a car protects the car from theft. But if somebody breaks the lock system and tries to steal the car, it is the burglar alarm that detects that the lock has been broken and alerts the owner by raising an alarm. In a similar way, the intrusion detection system complements the firewall security. The firewall protects an organization from malicious attacks from the Internet, and the intrusion detection system detects if someone tries to break in through the firewall, or manages to break through the firewall security and tries to access any system on the trusted side, and alerts the system administrator in case there is a breach of security. Moreover, firewalls do a very good job of filtering incoming traffic from the Internet; however, there are ways to circumvent the firewall. For example, external users can connect to the intranet by dialling in through a modem installed in the private network of the organization. This kind of access would not be seen by the firewall. Therefore, an intrusion detection system (IDS) is a security system that monitors computer systems and network traffic and analyzes that traffic for possible hostile attacks originating from outside the organization and also for system misuse or attacks originating from inside the organization.
CHAPTER 2 LITERATURE REVIEW
2.1 Evolution of IDS :
In 1987 Dorothy E. Denning proposed intrusion detection as an approach to counter computer and networking attacks and misuse. Intrusion detection is implemented by an intrusion detection system, and today there are many commercial intrusion detection systems available. In general, most of these commercial implementations are relatively ineffective and insufficient, which gives rise to the need for research on more dynamic intrusion detection systems. Generally an intruder is defined as a system, program or person who tries to, and may succeed in, breaking into an information system or performing an action not legally allowed. We refer to an intrusion as any set of actions that attempt to compromise the integrity, confidentiality, or availability of a computer resource. The act of detecting actions that attempt to compromise the integrity, confidentiality, or availability of a computer resource is referred to as intrusion detection. An intrusion detection system is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station.
Computer attacks, e.g. the use of specialised methods to circumvent the security policy of an organisation, are becoming more and more common. IDSs are installed to identify such attacks and to react, usually by generating an alert or blocking suspicious activity. IDSs come in many forms, which we overview in the following section. The work presented here is based on a popular network intrusion detection system (NIDS) called SNORT (2006). SNORT detects attacks by comparing live Internet traffic against signatures that define known attacks. SNORT is an open-source GNU (2006) NIDS and an example of a system that uses signatures, in this case known as SNORT rules.
The aim of this paper is to determine the effectiveness of generalisation when applied to the matching of Internet traffic against SNORT's rule signatures.
The Internet is a global public network. With the growth of the Internet and its potential, there has been a subsequent change in the business model of organizations across the world. More and more people are getting connected to the Internet every day to take advantage of the new business model popularly known as e-Business. Internetwork connectivity has therefore become a very critical aspect of today's e-business. There are two sides of business on the Internet. On one side, the Internet brings tremendous potential to business in terms of reaching the end users. At the same time it also brings in a lot of risk to the business. There are both harmless and harmful users on the Internet. While an organization makes its information system available to harmless Internet users, at the same time the information is available to the malicious users as well. Malicious users or hackers can get access to an organization's internal systems for various reasons. These are:
- Software bugs, called vulnerabilities
- Lapses in administration
- Leaving systems in their default configuration
The malicious users use different techniques, like password cracking and sniffing unencrypted or clear-text traffic, to exploit the system vulnerabilities mentioned above and compromise critical systems. Therefore, there needs to be some kind of security for the organization's private resources from the Internet as well as from inside users, as surveys say that eighty percent of attacks happen from inside users, for the very fact that they know the systems much better than an outsider does and access to information is easier for an insider. Different organizations across the world deploy firewalls to protect their private network from the public network. But when it comes to securing a private network from the Internet using firewalls, no network can be hundred percent secured. This is because the business requires some kind of access to be granted on the internal systems to Internet users. The firewall provides security by allowing only specific services through it. The firewall implements a policy for allowing or disallowing connections based on organizational security policy and business needs. The firewall also protects the organization from malicious attack from the Internet by dropping connections from unknown sources.
One preliminary IDS concept consisted of a set of tools intended to help administrators review audit trails. User access logs, file access logs, and system event logs are examples of audit trails.
Fred Cohen noted in 1984 that it is impossible to detect an intrusion in every case, and that the resources needed to detect intrusions grow with the amount of usage. Dorothy E. Denning, assisted by Peter G. Neumann, published a model of an IDS in 1986 that formed the basis for many systems today. Her model used statistics for anomaly detection, and resulted in an early IDS at SRI International named the Intrusion Detection Expert System (IDES), which ran on Sun workstations and could consider both user and network level data. IDES had a dual approach with a rule-based expert system to detect known types of intrusions plus a statistical anomaly detection component based on profiles of users, host systems, and target systems. Lunt proposed adding an artificial neural network as a third component. She said all three components could then report to a resolver. SRI followed IDES in 1993 with the Next-generation Intrusion Detection Expert System (NIDES).
The Multics intrusion detection and alerting system (MIDAS), an expert system using P-BEST and Lisp, was developed in 1988 based on the work of Denning and Neumann. Haystack was also developed that year, using statistics to reduce audit trails. Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at the Los Alamos National Laboratory. W&S created rules based on statistical analysis, and then used those rules for anomaly detection. In 1990, the Time-based Inductive Machine (TIM) did anomaly detection using inductive learning of sequential user patterns in Common Lisp on a VAX 3500 computer. The Network Security Monitor (NSM) performed masking on access matrices for anomaly detection on a Sun-3/50 workstation. The Information Security Officer's Assistant (ISOA) was a 1990 prototype that considered a variety of strategies including statistics, a profile checker, and an expert system. ComputerWatch at AT&T Bell Labs used statistics and rules for audit data reduction and intrusion detection. Then, in 1991, researchers at the University of California, Davis created a prototype Distributed Intrusion Detection System (DIDS), which was also an expert system. The Network Anomaly Detection and Intrusion Reporter (NADIR), also in 1991, was a prototype IDS developed at the Los Alamos National Laboratory's Integrated Computing Network (ICN), and was heavily influenced by the work of Denning and Lunt. NADIR used a statistics-based anomaly detector and an expert system. The Lawrence Berkeley National Laboratory announced Bro in 1998, which used its own rule language for packet analysis from libpcap data.
Network Flight Recorder (NFR) in 1999 also used libpcap. APE was developed as a packet sniffer, also using libpcap, in November 1998, and was renamed Snort one month later. It has since become the world's most widely used IDS/IPS system, with over 300,000 active users. The Audit Data Analysis and Mining (ADAM) IDS in 2001 used tcpdump to build profiles of rules for classification. In 2003, Dr. Yongguang Zhang and Dr. Wenke Lee argued for the importance of IDS in networks with mobile nodes.
CHAPTER 3 METHODOLOGY
3.1 Types of Intrusion Detection System
There are three main types of Intrusion Detection Systems:
- Host Based
- Network Based
- Stack Based
- Signature Based
- Anomaly Based
Host Based IDS -: A host-based intrusion detection system (HIDS) is installed on a host in the network. HIDS collects and analyzes the traffic that originates from or is intended for that host. HIDS leverages its privileged access to monitor specific components of a host that are not readily accessible to other systems. Specific components of the operating system, such as passwd files in UNIX and the Registry in Windows, can be watched for misuse. There is great risk in making these types of components available to a NIDS to monitor. Although a HIDS is far better than a NIDS at detecting malicious activities on a particular host, it has a limited view of the entire network topology and cannot detect an attack that is targeted at a host in the network which does not have HIDS installed.
Network Based IDS -: Network IDSs (NIDS) are placed at key points of the network infrastructure and monitor the traffic as it flows to other hosts. Unlike HIDS, NIDS have the capability of monitoring the network and detecting the malicious activities intended for that network. Monitoring criteria for a specific host in the network can be increased or decreased with relative ease. A NIDS should be capable of standing up to a large amount of network traffic to remain effective. As network traffic increases exponentially, a NIDS must capture all the traffic and analyze it in a timely manner.
Signature-Based IDS -: Signature-based IDSs use a rule set to identify intrusions by watching for patterns of events specific to known and documented attacks. Such a system is typically connected to a large database which houses attack signatures. It compares the information it gathers against those attack signatures to detect a match. These types of systems are normally presumed to be able to detect only attacks known to their database. Thus, if the database is not updated regularly, new attacks could slip through. It can, however, detect new attacks that share characteristics with old attacks, e.g., accessing 'cmd.exe' via an HTTP GET request. But in cases of new, uncatalogued attacks, this technique is pretty porous. Also, signature-based IDSs may affect performance in cases when intrusion patterns match several attack signatures. In cases such as these, there is a noticeable performance lag. Signature definitions stored in the database need to be specific so that variations on known attacks are not missed. This sometimes leads to the building up of huge databases which eat up a chunk of space.
Figure : Common Anomaly Based Network Intrusion detection System
Anomaly Based IDS -: Anomaly-based IDS examines ongoing traffic, activity, transactions and behavior in order to identify intrusions by detecting anomalies. It works on the notion that attack behavior differs enough from normal user behavior that it can be detected by cataloguing and identifying the differences involved. In most anomaly-based IDSs the system administrator defines the baseline of normal behavior. This includes the state of the network's traffic load, breakdown, protocol, and typical packet size. Anomaly detectors monitor network segments to compare their state to the normal baseline and look for current behavior which deviates statistically from the normal. This capability theoretically gives anomaly-based IDSs the ability to detect new attacks that are neither known nor for which signatures have been created. On the other hand, anomaly-based IDS systems have been known to be prone to a lot of false positives. In these cases, attacks are reported based on changes to the current system on which the IDS is installed. This is because there is a change in the normal state of the system which is not perceived by the IDS.
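The baseline-and-deviation idea above can be shown in a few lines. The following is an added example written for this report, not code from the report or from any IDS product: the administrator's "baseline" for one feature (here bytes per second on a segment) is learnt as the mean and standard deviation of a clean training window, and an interval is reported when its z-score exceeds a threshold. The feature name, the training values and the monitored values are all constructed; the t4 sample models the false-positive case described in the text, a legitimate change (a new backup job) that the baseline never saw.

```python
"""Toy anomaly-based detector for one traffic feature.

Added example, not code from the report: the administrator's baseline of
"normal" behaviour is learnt as the mean and standard deviation of a clean
training window, and any later interval whose value lies more than a
z-score threshold away from the mean is reported. All feature names and
sample values below are constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Baseline:
    feature: str
    mean: float
    std: float


def build_baseline(feature: str, training: list) -> Baseline:
    """Learn the normal profile of one feature from a clean training window."""
    if len(training) < 2:
        raise ValueError("need at least two training samples")
    # A constant training window would give std == 0 and make every later
    # deviation infinitely anomalous, so clamp it to a small positive value.
    return Baseline(feature, mean(training), max(pstdev(training), 1e-9))


def z_score(value: float, baseline: Baseline) -> float:
    """How many standard deviations the value sits from the baseline mean."""
    return (value - baseline.mean) / baseline.std


def detect(samples: list, baseline: Baseline, threshold: float = 3.0) -> list:
    """Return the labels of intervals whose value deviates beyond threshold."""
    return [label for label, value in samples
            if abs(z_score(value, baseline)) > threshold]


# Constructed training window: bytes per second on a quiet lab segment,
# one sample per monitoring interval.
TRAINING_BPS = [1200, 1350, 1100, 1280, 1400, 1220, 1310, 1190, 1260, 1330]

# Constructed monitoring window: t2 is a flood-like burst, t4 is a legitimate
# nightly backup that was never part of the baseline (a false positive).
MONITORED_BPS = [("t1", 1290), ("t2", 9800), ("t3", 1240), ("t4", 4100)]


def demo() -> list:
    """Run the detector over the constructed monitoring window."""
    baseline = build_baseline("bytes_per_second", TRAINING_BPS)
    return detect(MONITORED_BPS, baseline)


if __name__ == "__main__":
    print(demo())  # ['t2', 't4']
```

Both t2 and t4 are reported, which is exactly the trade-off the paragraph describes: the detector needs no signature for the burst, but it also cannot tell the backup from an attack, because the change is to the system itself and not to the baseline. Re-learning the baseline after planned changes is the usual mitigation.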
3.2 Implementation Approaches of IDS -:
Techniques used: The implementation of an intrusion detector is based on two important aspects.
Main approaches: According to its internal architecture, an intrusion detection system is based on a well-defined approach. There are two main approaches:
- Behavioral Approach:
This approach is based on tracking the behavior of a user, service or any application to infer a probable intrusion. If any of the entities mentioned above changes its behavior or the habits of its operation, the detector deduces that there is suspicious behavior and eventually transmits an early warning. This approach itself uses either a probabilistic method in order to estimate suspect traffic, or a statistical method whose principle is to compare quantitatively the behavior of parameters related to the user, such as the occupancy rate of bandwidth or the number of network accesses per day.
- Scenario based approach:
The principle of this approach is based on known techniques used by hackers to perform intrusions, already recorded in a signature, for comparison with the behavior of the user in question, without recourse to its history, to determine whether this behavior is legal or not. The signature is actually a series of rules for analyzing packets that flow through the network (pattern matching) or the compliance of the protocol (protocol approach). The use of both approaches in parallel will serve as a powerful solution for intrusion detection.
3.3 Autonomous rule creation for Signature based IDS Using SNORT.
Working of Signature based IDS -: From the figures given below, the concept of a signature-based IDS can easily be understood. When any person sends data into the network, it first goes to the server; the server checks it and, if it is found malicious, discards the packet, otherwise it is sent on to the destination system.
Figure 1: Snort working in network
In figure 1, system-I sends a packet to system-A, but before the packet reaches its destination the server checks that packet; if the packet is malicious the server discards it, otherwise it sends the packet to system-A. Figure 2 shows clearly how the server checks the packet. When a packet comes to the server, the server uses a comparison tool to check that packet against the database of signatures stored on the server; if the packet matches an entry in the database then the server discards the packet, otherwise the server sends the packet to the destination system.
Figure 2: Snort Signature Database
Snort -:
Snort is an open source network intrusion detection and prevention system (available at http://www.snort.org/assets/125/snort_manual-_8_5_1.pdf). It can perform real-time traffic analysis and analyze data flow in the network. It is able to perform protocol analysis and can detect different types of attack. As a NIDS, Snort basically checks packets against rules written by the user. Snort rules can be written in any language; their structure is also good, they can be easily read, and rules can be modified as well. In a buffer overflow attack, Snort can detect the attack by matching the previous pattern of attacks and will then take appropriate action to prevent the attack. In a signature-based IDS, if a pattern matches then the attack can be easily found, but when a new attack comes the system fails; Snort overcomes this limitation by analyzing the real-time traffic. Whenever a packet enters the network, Snort checks the behavior of the network; if the performance of the network degrades, Snort stops processing the packet, discards it and stores its details in the signature database.
Component of Snort
Snort is basically a combination of multiple components. All the components work together to find a particular attack and then take the corresponding action that is required for that particular attack. Basically it consists of the following major components, as shown in figure 3:
1. Packet Decoder
2. Preprocessors
3. Detection Engine
4. Logging and Alerting System
5. Output Modules
Figure 3: Component of Snort
A packet comes from the Internet and enters the packet decoder, then goes through several phases; the required action is taken by Snort at every phase. For example, if the detection engine finds any suspicious content in a packet then it drops that packet, and on the way towards the output module the packet is logged or an alert is generated.
1. Packet decoder
The packet decoder collects packets from different network interfaces and then sends them to the preprocessor or to the detection engine. A network interface might be Ethernet, SLIP, PPP and so on.
2. Preprocessors
They work with Snort to modify or arrange the packet before the detection engine applies some operation on it, for example if the packet is corrupted. Sometimes they also generate an alert if any anomalies are found in the packet. Basically the detection engine matches the pattern of the whole string, so by changing the sequence or by adding some extra value an intruder can fool the IDS; but the preprocessor re-arranges the string so that the IDS can detect it. The preprocessor does one very important task, i.e. defragmentation. Sometimes an intruder breaks the signature into two parts and sends them in two packets, so before checking the signature both packets should be defragmented; only then can the signature be found, and this is done by the preprocessor.
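The defragmentation point is easiest to see with a signature that straddles two segments. The block below is an added example written for this report, not Snort's own preprocessor code: a naive matcher inspects each segment on its own and misses the signature, while a stream-aware matcher orders the segments by sequence number, drops retransmitted bytes, refuses to join data across a gap, and then finds it. The signature (the 'cmd.exe' string the report uses as its example), the segment payloads and the sequence numbers are all constructed.

```python
"""Why the preprocessor reassembles a TCP stream before signature matching.

Added example, not code from the report or from Snort: a signature split
across two segments is invisible to a matcher that inspects each packet on
its own, but is found once the segments are put back in sequence order.
The signature, segment contents and sequence numbers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


def match_per_packet(segments, signature: bytes) -> bool:
    """Naive matcher: looks for the signature inside each segment separately."""
    return any(signature in seg.payload for seg in segments)


def reassemble(segments) -> bytes:
    """Order segments by sequence number and join contiguous payloads.

    Bytes already seen (retransmissions) are skipped; at a gap (a segment
    not yet received) reassembly stops so data is never joined across it.
    """
    stream = b""
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is not None and seg.seq > expected:
            break                                   # gap: cannot continue
        skip = 0 if expected is None else expected - seg.seq
        stream += seg.payload[skip:]
        end = seg.seq + len(seg.payload)
        expected = end if expected is None else max(expected, end)
    return stream


def match_stream(segments, signature: bytes) -> bool:
    """Stream-aware matcher: reassemble first, then look for the signature."""
    return signature in reassemble(segments)


# Constructed: the report's example string, split so that neither segment
# contains it whole, with the segments arriving out of order.
SIGNATURE = b"cmd.exe"
EVASIVE_ARRIVAL = [
    Segment(1012, b".exe HTTP/1.0\r\n"),   # arrives first
    Segment(1000, b"GET /cgi/cmd"),        # arrives second
]


def demo() -> dict:
    """Compare the two matchers on the constructed segments."""
    return {
        "per_packet": match_per_packet(EVASIVE_ARRIVAL, SIGNATURE),
        "reassembled": match_stream(EVASIVE_ARRIVAL, SIGNATURE),
    }


if __name__ == "__main__":
    print(demo())  # {'per_packet': False, 'reassembled': True}
```

The stop-at-gap rule is the defensive choice: joining bytes across a missing segment could produce a string the client never actually sent, so the stream is only matched as far as it is known to be contiguous.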
3. The Detection Engine
Its main work is to find out whether intrusion activity exists in a packet with the help of Snort rules, and if found then to apply the appropriate rule, otherwise it drops the packet. It takes a different time to respond to different packets, which also depends upon the power of the machine and the number of rules defined in the system.
4. Logging and Alerting System
Depending on what the detection engine finds in the packet, it might generate an alert or be used to log activity. All log files are kept by default under the /var/log/snort folder, and by using the -l command line option the location can be changed.
5. Output Modules
Output modules or plug-ins save the output generated by the logging and alerting system of Snort in the form the user wants for different purposes. Mainly they control the different outputs produced by the logging and alerting system. Depending on the configuration, output modules can do things like the following:
- Simply logging to the /var/log/snort/alerts file or some other file
- Sending SNMP traps
- Sending messages to the syslog facility
- Generating XML output
- Sending SMB messages to Microsoft Windows-based machines
Autonomous Rule structure of snort
Basically rules are created from known intrusion signatures. A rule is divided into two parts, the rule header and the rule option, and rules can be modified according to need.
Rule header follows this pattern:
Action + protocol + source address + S-port + direction + destination address + D-port
Ex. -
alert ip any any -> any any (msg:"IP Packet Detected";)
Here "alert ip any any -> any any" is the rule header and "(msg:"IP Packet Detected";)" is the rule option.
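To make the header/option split and the report's generalisation idea concrete, here is an added example written for this report, not Snort's own parser or the authors' experimental code. It parses a rule of the shape shown above into its seven header fields and an option dictionary, matches it against a packet summary, and applies the two operators named in the abstract: generalise (relax one header condition to 'any') and specialise (tighten one back to a concrete value). It goes slightly beyond the page's single rule by also honouring a 'content' option, so that the effect of relaxing the destination port on a content rule can be seen. Only the syntax used on the page is supported (fixed values or 'any'; no CIDR ranges, port lists or negation), and the content rule, the lab addresses on it and the packet summaries are constructed.

```python
"""Parse, match and generalise Snort-style rules.

Added example, not code from the report or from Snort. Handles only the
rule syntax that appears on the page (fixed values or 'any' in the header,
'key:value;' options); packet summaries and the content rule are constructed.
"""
import re
from dataclasses import dataclass, replace

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"(?:\((?P<options>.*)\))?\s*$"
)
HEADER_FIELDS = ("action", "proto", "src", "sport", "direction", "dst", "dport")


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict


def parse_rule(text: str) -> Rule:
    """Split 'action proto src sport dir dst dport (opts)' into a Rule."""
    m = HEADER_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a rule header: {text!r}")
    options = {}
    # Simplification: a ';' inside a quoted value is not handled here.
    for item in (m.group("options") or "").split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return Rule(*(m.group(f) for f in HEADER_FIELDS), options)


def _field_matches(rule_value: str, packet_value) -> bool:
    return rule_value == "any" or rule_value == str(packet_value)


def _endpoints_match(rule: Rule, packet: dict, flip: bool = False) -> bool:
    """Compare the four address/port conditions, optionally reversed for '<>'."""
    if flip:
        src, sport, dst, dport = packet["dst"], packet["dport"], packet["src"], packet["sport"]
    else:
        src, sport, dst, dport = packet["src"], packet["sport"], packet["dst"], packet["dport"]
    pairs = ((rule.src, src), (rule.sport, sport), (rule.dst, dst), (rule.dport, dport))
    return all(_field_matches(r, p) for r, p in pairs)


def rule_matches(rule: Rule, packet: dict) -> bool:
    """True when protocol, endpoints and (if present) the content option match."""
    if rule.proto != "ip" and rule.proto != packet["proto"]:
        return False
    if not (_endpoints_match(rule, packet)
            or (rule.direction == "<>" and _endpoints_match(rule, packet, flip=True))):
        return False
    content = rule.options.get("content")
    return content is None or content.encode() in packet.get("payload", b"")


def generalise(rule: Rule, field: str) -> Rule:
    """Generalisation operator: relax one address/port condition to 'any'."""
    if field not in ("src", "sport", "dst", "dport"):
        raise ValueError(f"cannot generalise field {field!r}")
    return replace(rule, **{field: "any"})


def specialise(rule: Rule, field: str, value: str) -> Rule:
    """Specialisation operator: tighten one address/port condition to a value."""
    if field not in ("src", "sport", "dst", "dport"):
        raise ValueError(f"cannot specialise field {field!r}")
    return replace(rule, **{field: value})


# The rule shown on the page.
PAGE_RULE = 'alert ip any any -> any any (msg:"IP Packet Detected";)'
# Constructed content rule using the lab address from the report's setup.
CONTENT_RULE = ('alert tcp any any -> 192.20.14.48 80 '
                '(msg:"cmd.exe request"; content:"cmd.exe";)')
# Constructed packet summaries: the same request on port 80 and on port 8080.
ON_PORT_80 = {"proto": "tcp", "src": "192.20.14.50", "sport": 4321,
              "dst": "192.20.14.48", "dport": 80,
              "payload": b"GET /cgi/cmd.exe HTTP/1.0\r\n"}
ON_PORT_8080 = dict(ON_PORT_80, dport=8080)


def demo() -> dict:
    """Show that relaxing dport lets the rule catch the port-8080 variant."""
    rule = parse_rule(CONTENT_RULE)
    relaxed = generalise(rule, "dport")
    return {"original_hits_80": rule_matches(rule, ON_PORT_80),
            "original_hits_8080": rule_matches(rule, ON_PORT_8080),
            "relaxed_hits_8080": rule_matches(relaxed, ON_PORT_8080)}
```

The relaxed rule is the kind of candidate the abstract describes: it catches a variant the original missed, but it also fires on every port, so a generated rule should be run against known-benign traffic (the role the standard datasets play in the report) before it is added to the live rule set.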
IMPLEMENTATION OF SIGNATURE BASED IDS -:
We start by designing a conceptual framework of a signature-based intrusion detection system. The framework will show the flow of packets into the network. Here we will replay data using TCP Replay between two systems inside the network. Then we will check the outcome in graphical form using Basic Analysis and Security Engine.
Data Collection and Analysis
This work was done on an open source intrusion detection system. Snort was configured to log the traffic flowing into the lab network from 192.20.14.50 to 192.20.14.48. The collected data is then used to see the relevance of an IDS on the protected network. We used Snort because:
- Snort is an open source intrusion detection system. It is therefore useful where it is not cost efficient to apply NIDS sensors.
- Snort is a lightweight application. It is also economical when it comes to resource utilization.
- Snort can be used as an intrusion detection as well as an intrusion prevention system.
- Snort's rules can be changed if needed. Its rules are flexible. Snort has more than 2500 rules in its database, and people can modify rules according to the needs of their network.
- Snort is available for Linux as well as for Windows. It is the most widely used intrusion detection system for networks.
The Network Setup
An intrusion detection system can be deployed to protect the network. It can be deployed between two hosts, between two switches or even at the server farms. In our work we will place Snort between two hosts.
Configuration and Validation of the IDS
We are using a Linux box running the Debian operating system to detect intrusions into our system placed inside the network. Whenever any intrusion is detected by Snort, it will generate an alert. If the system successfully generates an alert, that means the network has been well configured and traffic monitoring is taking place.
Installation of Snort, PostgreSQL and BASE
On the Debian operating system, configurations are made for snort-pgsql; Basic Analysis and Security Engine (BASE), to provide a user-friendly web front end that simplifies querying and analysis of alerts; PostgreSQL, an open source Relational Database Management System (RDBMS); Apache, a widely available HTTP server that supports the PHP language; Secure Shell (SSH), to enable secure remote login into the network; and PHP, a hypertext preprocessor that enables the creation of dynamic content and interaction with databases.
Snort's uses: Snort is basically used in three ways.
1. A packet sniffer: In its simplest form, Snort is a packet sniffer. That is also the easiest way to start:
# snort -d -e -v
-v Put Snort in packet-sniffing mode (TCP headers only)
-d Include all network layer headers (TCP, UDP, and ICMP)
-e Include the data link layer headers
2. Packet logger: Snort has built-in packet-logging mechanisms that you can use to collect the data as a file, sort it into directories, or store the data as a binary file.
# snort -dev -l {logging-directory} -h {home-subnet-slash-notation}
If you wanted to log the data into the directory /var/adm/snort/logs with the home subnet 192.20.14.0/24, you would use the following:
# snort -dev -l /var/adm/snort/logs -h 192.20.14.0/24
For logging in binary format you do not need all of these options. The binary format makes packet collection much faster for Snort, because Snort does not have to translate the data into human-readable format immediately:
# snort -b -L {log-file}
For reading the log file:
# snort [-d|e] -r {log-file} [tcp|udp|icmp]
The last item on the line is optional; it is used only if you want to filter the packets by packet type (tcp, udp or icmp).
3. As a Network Intrusion Detection System: To make Snort an IDS, just add one thing to the packet-logging invocation: the configuration file.
# snort -dev -l /var/adm/snort/logs -h 192.20.14.0/24 -c /root/mysnort.conf
Basic Analysis and Security Engine (BASE):
BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front end to query and analyze the alerts coming from a Snort IDS. BASE is a web interface for analyzing the intrusions that Snort has detected on your network. It uses user authentication and a role-based system, so that you as the security administrator can decide what and how much information each user can see. It also has a simple web-based setup program for people not comfortable with editing files directly. BASE is a PHP-based analysis engine for managing a database of security events. These events can come from IDSs (such as Snort) as well as from firewalls, network monitoring tools and even pcap files.
THE PACKET FLOW OVER THE NETWORK
To send traffic over the network, Snort must first be running; after that we can send traffic from one host to another using Tcpreplay. We can also feed packets to Snort directly and check the alerts in the Basic Analysis and Security Engine (BASE). We can generate the traffic by the two methods given below.
Tcpreplay: It is a suite of utilities for Unix systems for editing and replaying network traffic that was previously captured by tools like tcpdump and Ethereal/Wireshark.
It provides the ability to classify traffic as client or server, edit packets at layers 2-4 and replay the traffic at arbitrary speed onto a network for sniffing through a device. This is a three-step process:
1. Determine which packets are client->server and server->client
2. Rewrite IP addresses based on their direction
3. Send packets through the inline device
Step 1: Use tcpprep to split traffic based on the source/destination port:
$ tcpprep --port --cachefile=example.cache --pcap=example.pcap
In this case, all the packets directed to a TCP or UDP port < 1024 are considered client->server, while other packets are server->client. This information is stored in a tcpprep cache file called example.cache for later use.
Step 2: Use tcprewrite to change the IP addresses to the local network:
$ tcprewrite --endpoints=192.29.14.50:192.20.14.48 --cachefile=example.cache --infile=example.pcap --outfile=new.pcap
Here we want all traffic to appear to be between two hosts: 192.29.14.50 and 192.20.14.48. We want one IP to be the "client" and the other IP the "server", so we use the cache file created in the previous step.
Step 3: Use tcpreplay to send the traffic through the IPS:
# tcpreplay --intf1=eth0 --intf2=eth1 --cachefile=example.cache new.pcap
Here we send the traffic. Since we want to split the traffic between two interfaces (eth0 and eth1), we use the cache file created in Step 1 with the new.pcap created in Step 2. We can reuse the cache file for different pcap files because, while the IP addresses of the packets have changed, their order and semantics have not.
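The three steps above can be followed on a few constructed packets. The following is an added example and is not tcpreplay's own code: it reproduces the tcpprep --port classification rule (destination port below 1024 means client->server), the tcprewrite --endpoints rewrite driven by that classification, and the tcpreplay split of each direction onto eth0 or eth1, so the role of the cache file becomes visible. The packets, the client/server addresses (taken from the Step 2 command) and the Packet type are assumptions made for the example.

```python
"""Emulation of the tcpprep / tcprewrite / tcpreplay direction logic on constructed packets.
Added example, not tcpreplay's own code: it reproduces the --port classification rule
and the --endpoints rewrite so the role of the cache file is visible."""
from dataclasses import dataclass, replace

SERVER_PORT_LIMIT = 1024   # tcpprep --port: packets sent to a port below 1024 are client->server


@dataclass(frozen=True)
class Packet:          # assumed minimal packet model for the example
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


def classify_by_port(pkt):
    """Step 1 (tcpprep --port): returns 'c2s' or 's2c' for one packet."""
    return "c2s" if pkt.dst_port < SERVER_PORT_LIMIT else "s2c"


def build_cache(packets):
    """The cache file: one direction per packet, in capture order."""
    return [classify_by_port(p) for p in packets]


def rewrite_endpoints(packets, cache, client_ip, server_ip):
    """Step 2 (tcprewrite --endpoints): c2s packets get src=client/dst=server, s2c the reverse."""
    out = []
    for pkt, direction in zip(packets, cache):
        if direction == "c2s":
            out.append(replace(pkt, src_ip=client_ip, dst_ip=server_ip))
        else:
            out.append(replace(pkt, src_ip=server_ip, dst_ip=client_ip))
    return out


def assign_interfaces(cache, intf1="eth0", intf2="eth1"):
    """Step 3 (tcpreplay --intf1/--intf2): c2s packets leave intf1, s2c packets leave intf2."""
    return [intf1 if d == "c2s" else intf2 for d in cache]


# Constructed capture: an HTTP request, its reply, and one request to a non-standard port.
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 80, b"GET / HTTP/1.0\r\n"),
    Packet("203.0.113.9", 80, "10.0.0.5", 40000, b"HTTP/1.0 200 OK\r\n"),
    Packet("10.0.0.5", 40001, "203.0.113.9", 8080, b"GET / HTTP/1.0\r\n"),
]


def replay_plan(packets, client_ip="192.29.14.50", server_ip="192.20.14.48"):
    """Run the three steps and return (interface, rewritten packet) pairs in capture order."""
    cache = build_cache(packets)
    rewritten = rewrite_endpoints(packets, cache, client_ip, server_ip)
    return list(zip(assign_interfaces(cache), rewritten))


if __name__ == "__main__":
    for intf, pkt in replay_plan(SAMPLE):
        print(intf, pkt.src_ip, "->", pkt.dst_ip, pkt.payload)
```

Note the third packet: the request to port 8080 is classified as server->client by the --port heuristic, so it is replayed out of eth1 with the server address as its source. That is the caveat behind Step 1: port-based classification is only reliable for traffic to well-known ports, and a cache built from a miscategorized capture produces a replay that does not match the original conversation.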
5.2 Using Snort: In this method we just pass the name of the tcpdump file, and the alerts can be seen directly in the Basic Analysis and Security Engine (BASE):
$ snort --pcap-single=outside.tcpdump -c /etc/snort/snort.conf
where outside.tcpdump is the DARPA test dataset. This is used for generating alerts in BASE.
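The alerts produced by such a run are what BASE, described earlier, aggregates by signature, source and destination. The following added example (not BASE or Snort code) does the same aggregation over Snort's alert_fast text output, so the result can be checked without a database. The alert lines are constructed for the example; the sids and message texts are placeholders, not real Snort rules.

```python
"""Parse Snort 'alert_fast' lines and summarize them the way a BASE console would.
Added example, not BASE or Snort code. The sample alerts below are constructed."""
import re
from collections import Counter

# Shape of one alert_fast line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src[:port] -> dst[:port]. Classification is optional; ICMP has no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not in the fast format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["priority"] = int(a.pop("prio"))
    a["sig"] = "%s:%s:%s" % (a.pop("gid"), a["sid"], a.pop("rev"))   # gid:sid:rev as BASE shows it
    a["sid"] = int(a["sid"])
    for k in ("sport", "dport"):
        a[k] = int(a[k]) if a[k] is not None else None
    return a


def summarize(lines):
    """Counts per signature, per source and per destination, plus the priority-1 alerts."""
    report = {"by_signature": Counter(), "by_src": Counter(), "by_dst": Counter(),
              "high_priority": [], "unparsed": 0}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            report["unparsed"] += 1      # count rather than silently drop: it signals a format change
            continue
        report["by_signature"][(a["sig"], a["msg"])] += 1
        report["by_src"][a["src"]] += 1
        report["by_dst"][a["dst"]] += 1
        if a["priority"] == 1:
            report["high_priority"].append(a)
    return report


def top_signatures(report, n=5):
    """The 'most frequent alerts' view: [((sig, msg), count), ...]."""
    return report["by_signature"].most_common(n)


# Constructed alert_fast lines between the two lab hosts; sids 1000001-1000003 are placeholders.
SAMPLE_ALERTS = [
    "07/24-10:15:01.123456  [**] [1:1000001:1] TEST ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.20.14.50 -> 192.20.14.48",
    "07/24-10:15:02.000100  [**] [1:1000002:2] TEST WEB probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.20.14.50:44321 -> 192.20.14.48:80",
    "07/24-10:15:02.500000  [**] [1:1000002:2] TEST WEB probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.20.14.50:44322 -> 192.20.14.48:80",
    "07/24-10:15:03.000000  [**] [1:1000003:1] TEST DNS query without classification [**] [Priority: 2] {UDP} 192.20.14.50:5353 -> 192.20.14.48:53",
    "garbage line that is not an alert",
]

if __name__ == "__main__":
    rep = summarize(SAMPLE_ALERTS)
    for (sig, msg), count in top_signatures(rep):
        print(count, sig, msg)
    print("sources:", dict(rep["by_src"]), "unparsed:", rep["unparsed"])
```

The parser treats the Classification field as optional and the ports as optional, because ICMP alerts carry no ports and rules without a classtype print no classification; a stricter pattern would silently lose exactly those alerts.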
APPLICATIONS
The Center for Education and Research in Information Assurance and Security (CERIAS) has produced a review of IDS research prototypes, and a few of these are now commercial products.
Approaches for misuse detection: Approaches for the misuse detection model are:
o expert systems, containing a set of rules that describe attacks
o signature verification, where attack scenarios are translated into sequences of audit events
o petri nets, where known attacks are represented with graphical petri nets
o state-transition diagrams, representing attacks with a set of goals and transitions
The common approach for misuse detection is signature verification, where a system detects previously seen, known attacks by looking for an invariant signature left by these attacks. This signature is found in audit files on the intruded host, or by sniffers looking for packets inside or outside the attacked machine. The limitations of this approach are:
o frequent false alarms
o the need to specify a signature of the attack, and then to update the attack signatures on every IDS tool; a signature of an attack may not be easily discovered
o new attack signatures are not discovered automatically without an update of the IDS
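Signature verification is what Snort does in IDS mode with the rules loaded from its configuration file: each packet is checked against the rule header (protocol, addresses, ports, direction) and then against the content options. The following is an added example, not Snort's own code, of that decision on constructed packets. It supports only a small subset of the rule language (the header, $VAR substitution, and the msg, content, nocase, sid and rev options); the variable table, the three rules and the four packets are assumptions made for the example, with sids in the local 1000000+ range.

```python
"""Minimal Snort-style signature matcher (added example, not Snort's own code).
It supports the rule header, $VAR substitution and the msg/content/nocase/sid/rev
options: enough to show how signature verification decides on each packet."""
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport payload")   # assumed packet model

# Assumed variable table; Snort reads these from snort.conf (ipvar/portvar).
VARS = {"$HOME_NET": "192.20.14.0/24", "$EXTERNAL_NET": "any"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def content_to_bytes(spec):
    """Turn a Snort content string with |hex| sections into raw bytes."""
    out, in_hex = bytearray(), False
    for part in spec.split("|"):
        out += bytes.fromhex(part) if in_hex else part.encode("latin-1")
        in_hex = not in_hex
    return bytes(out)


def parse_rule(line):
    """Parse one rule into a dict of header fields plus msg, contents, sid, rev."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("bad rule header: " + line)
    rule = dict(m.groupdict(), msg="", contents=[], sid=0, rev=1)
    # Simplification: options are split on ';' (Snort also allows an escaped '\;' inside content).
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule["msg"] = val
        elif key == "content":
            rule["contents"].append([content_to_bytes(val), False])
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1][1] = True     # nocase modifies the preceding content
        elif key in ("sid", "rev"):
            rule[key] = int(val)
    return rule


def ip_matches(spec, ip):
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    spec = VARS.get(spec, spec)
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")          # "a:b", "a:" and ":b" are Snort port ranges
    if sep:
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)


def header_matches(rule, p):
    """Check protocol, addresses and ports; '<>' rules also match the reverse direction."""
    if rule["proto"] not in ("ip", p.proto):
        return False
    fwd = (ip_matches(rule["src"], p.src) and port_matches(rule["sport"], p.sport)
           and ip_matches(rule["dst"], p.dst) and port_matches(rule["dport"], p.dport))
    if fwd or rule["dir"] == "->":
        return fwd
    return (ip_matches(rule["src"], p.dst) and port_matches(rule["sport"], p.dport)
            and ip_matches(rule["dst"], p.src) and port_matches(rule["dport"], p.sport))


def payload_matches(rule, payload):
    """Every content option must be present (nocase compares lower-cased bytes)."""
    return all((pat.lower() in payload.lower()) if nocase else (pat in payload)
               for pat, nocase in rule["contents"])


def match_packet(rules, p):
    """Return (sid, msg) for every rule whose header and content options match the packet."""
    return [(r["sid"], r["msg"]) for r in rules
            if header_matches(r, p) and payload_matches(r, p.payload)]


# Constructed rules in Snort syntax; the sids are placeholders in the local range.
RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd request"; content:"/etc/passwd"; sid:1000010; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP VRFY probe"; content:"VRFY"; nocase; sid:1000011; rev:1;)',
    'alert tcp any any <> $HOME_NET 445 (msg:"SMB header seen"; content:"|FF|SMB"; sid:1000012; rev:1;)',
)]

# Constructed packets: a matching request, a benign request, a lower-cased probe, and a reply direction.
PACKETS = [
    Packet("tcp", "10.1.1.7", 51000, "192.20.14.48", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("tcp", "10.1.1.7", 51001, "192.20.14.48", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "10.1.1.7", 51002, "192.20.14.48", 25, b"vrfy root\r\n"),
    Packet("tcp", "192.20.14.48", 445, "10.1.1.7", 51003, b"\x00\x00\x00\x2f\xffSMBr\x00"),
]

if __name__ == "__main__":
    for p in PACKETS:
        print(p.src, "->", p.dst, match_packet(RULES, p) or "no alert")
```

The second packet shows the limitation listed above: a request that does not carry the exact signature byte sequence raises no alert, which is why a new variant of a known attack stays invisible until its signature is written and distributed.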
Approaches for anomaly detection: Anomaly detection in network-based or host-based IDS includes:
o threshold detection, detecting abnormal activity on the server or network, for example abnormal consumption of the CPU on one server, or abnormal saturation of the network
o statistical measures, learned from historical values
o rule-based measures, with expert systems
o non-linear algorithms such as neural networks or genetic algorithms
CONCLUSION
To protect a network against attacks including intrusion, we must study its architecture, analyse its vulnerabilities and stay up to date with new threats, with the purpose of minimizing the risks that may occur. In this paper, we proposed and implemented a solution for securing a network based on intrusion detection systems, and performed several experiments to validate it. The paper describes the implementation process of Snort on Debian. This IDS demonstrated that it can detect and analyze intrusions in real-time network traffic. Once Snort identifies an intrusion it sends an alert to the security staff, who can then take the required action immediately. Future work is to develop a prototype model that filters, deletes and quarantines intrusion attacks automatically in a real-time network.