
Y.T.I.E.T COLLEGE [BHIVPURI ROAD]


Page 1


A
SEMINAR REPORT
ON
Autonomous Rule Creation For IDS
BY
SUSHILKUMAR BOBADE
ASHISH FATARPHEKAR
NIKIT CHAUDHARY
SUMIT DESAI


Under the Guidance
of


Prof. Gayatri Naik




YADAVRAO TASGAONKAR INSTITUTE
OF
ENGINEERING AND TECHNOLOGY
BHIVPURI ROAD, KARJAT
MUMBAI UNIVERSITY
(2013-14)





YADAVRAO TASGAONKAR INSTITUTE OF ENGINEERING AND
TECHNOLOGY
BHIVPURI ROAD, KARJAT.
CERTIFICATE
This is to certify that
SUSHILKUMAR BOBADE
ASHISH FATARPHEKAR
NIKIT CHAUDHARY
SUMIT DESAI

Have satisfactorily completed the requirements of
the
Seminar
ON
Autonomous Rule Creation For IDS
Submitted in fulfilment of the requirement of University of Mumbai
Department of Computer Engineering


Prof. Gayatri Naik (Internal Guide)
Prof. Vaishali Londhe (Head of Department)



(External Examiner)
Dr. Rajendra Prasad (Principal)
College Stamp



ACKNOWLEDGEMENT

It is a matter of great satisfaction and pleasure to present this seminar on
Autonomous Rule Creation for Intrusion Detection Systems. We wish to express our
sincere thanks and gratitude to our honourable guide Prof. Gayatri Naik for her
constant guidance and motivation, and for her valuable support and encouragement
throughout the preparation of the seminar, without which it would not have been
completed. We wish to express our sincere thanks to our H.O.D. Prof. Vaishali
Londhe, who extended her valuable support during the course of the seminar. We also
thank our colleagues who helped in the successful completion of the seminar. Last but
not least, we would like to thank all our friends who helped us directly or indirectly.
The helping hand rendered by all of them will remain in our memory for a long time.
Finally, we acknowledge that cooperation, coordination and hard work are our keywords
for success.

Thanking You!















ABSTRACT

Intrusion Detection Systems (IDSs) provide an important layer of security for computer
systems and networks. An IDS's responsibility is to detect suspicious or unacceptable
system and network activity and to alert a systems administrator to it. The majority of
IDSs use a set of signatures that define what suspicious traffic is, and SNORT is one
popular and actively developed open-source IDS that uses such a set of signatures, known
as SNORT rules. Our aim is to identify a way in which SNORT could be developed further by
generalising rules to identify novel attacks. In particular, we attempt to relax and vary
the conditions and parameters of current SNORT rules, using an approach similar to
classic rule-learning operators such as generalisation and specialisation. We demonstrate
the effectiveness of this approach through experiments with standard datasets and show
that it detects previously undetected variants of various attacks.

Nowadays it is very important to maintain a high level of security to ensure safe and
trusted communication of information between organisations. But data communication over
the Internet and other networks is always under threat of intrusion and misuse, so
Intrusion Detection Systems have become a necessary component of computer and network
security. Various approaches are used for intrusion detection, but none of the systems
so far is completely flawless, so the quest for improvement continues. In this
progression, we also present an IDS that applies a genetic algorithm (GA) to detect
various types of network intrusion efficiently. Parameters and evolution processes for
the GA are discussed in detail and implemented. This approach uses evolution theory to
information evolution in order to filter the traffic data and thus reduce the
complexity. To implement and measure the performance of the system we used the KDD99
benchmark dataset and obtained a reasonable detection rate.






CONTENTS

                                                              Page No.

Certificate                                                       01
Acknowledgement                                                   02
Abstract                                                          03

CHAPTER 1: INTRODUCTION
1.1 Definition of IDS                                             06

CHAPTER 2: LITERATURE REVIEW
2.1 Evolution of IDS

CHAPTER 3: METHODOLOGY
3.1 Types of Intrusion Detection System                           12
3.2 Implementation Approaches of IDS                              15
3.3 Autonomous rule creation for Signature based IDS Using SNORT  11

CHAPTER 4: APPLICATIONS                                           24
CHAPTER 5: CONCLUSION                                             25
REFERENCES                                                        26
















CHAPTER 1
Introduction

1.1 Definition of IDS
An intrusion detection system (IDS) is a device or software application that monitors
network or system activity for malicious actions or policy violations and produces
reports to a management station. IDSs come in a variety of flavours and approach the goal
of detecting suspicious traffic in different ways. Intrusion detection (ID) is a type of
security management for computers and networks. An ID system gathers and analyses
information from various areas within a computer or a network to identify possible
security breaches, which include both intrusions (attacks from outside the organisation)
and misuse (attacks from within the organisation). ID is usually deployed alongside
vulnerability assessment (sometimes referred to as scanning), a technology developed to
assess the security of a computer system or network.

Intrusion detection functions include:
- monitoring and analysing both user and system activities
- analysing system configurations and vulnerabilities
- assessing system and file integrity
- recognising patterns typical of attacks
- analysing abnormal activity patterns
- tracking user policy violations

ID systems have been developed in response to the increasing number of attacks on major
sites and networks, including those of the Pentagon, the White House, NATO and the U.S.
Department of Defense. Safeguarding security is becoming increasingly difficult because
attack techniques are becoming ever more sophisticated; at the same time, less technical
ability is required of the novice attacker, because proven past methods are easily
accessed through the Web.

Typically, an ID deployment combines two kinds of procedure. The first are host-based
and are considered the passive component: inspection of the system's configuration files
to detect inadvisable settings, inspection of the password files to detect weak
passwords, and inspection of other system areas to detect policy violations. The second
are network-based and are considered the active component: mechanisms are set in place
to re-enact known methods of attack against the monitored systems and to record their
responses.

An IDS is thus security software designed to alert administrators automatically when
someone or something is trying to compromise an information system through malicious
activity or security policy violations. It works by monitoring system activity: examining
known vulnerabilities in the system, checking the integrity of files and analysing
patterns of activity against already known attacks. Its signature database is updated
from the vendor or community so that the latest threats are recognised before they
result in a successful attack. An IDS inspects inbound and outbound network activity and
identifies suspicious patterns that may indicate a network or system attack by someone
attempting to break into or compromise a system.

There are several ways to categorise an IDS; the most basic is misuse detection vs.
anomaly detection. In misuse detection, the IDS compares the information it gathers
against a large database of attack signatures; essentially, it looks for a specific
attack that has already been documented. Like a virus scanner, misuse detection software
is only as good as the database of attack signatures it compares packets against. In
anomaly detection, the system administrator defines the baseline, or normal, state of
the network's traffic load, breakdown, protocol mix and typical packet size; the anomaly
detector monitors network segments, compares their state to that baseline and looks for
deviations.

The way an IDS detects anomalies varies widely, but the ultimate aim of any IDS is to
catch perpetrators in the act before they do real damage to resources. An IDS protects a
system from attack, misuse and compromise; it can also monitor network activity, audit
network and system configurations for vulnerabilities, analyse data integrity and more.
Depending on the detection methods deployed, there are several direct and incidental
benefits to using an IDS.

The IDS architectures commonly used in commercial and research systems have a number of
problems that limit their configurability, scalability or efficiency. The most common
shortcoming is that they are built around a single monolithic entity that does most of
the data collection and processing. An alternative that addresses some of these problems
is a distributed intrusion detection system based on multiple independent entities
working collectively, called autonomous agents; the motivation for this approach, partial
results from an early prototype, design and implementation issues, and directions for
future work have been described in the literature.


1.2 The Need for an Intrusion Detection System :

The question is where the intrusion detection system fits in the design. In simpler
terms, an intrusion detection system can be compared with a burglar alarm. The lock system
in a car protects the car from theft, but if somebody breaks the lock and tries to steal
the car, it is the burglar alarm that detects that the lock has been broken and alerts the
owner. In the same way the intrusion detection system complements the firewall. The
firewall protects an organisation from malicious attacks from the Internet, and the
intrusion detection system detects when someone tries to break in through the firewall,
or manages to get past it and tries to access a system on the trusted side, and alerts
the system administrator to the breach. Moreover, firewalls do a very good job of
filtering incoming traffic from the Internet, but there are ways to circumvent them: for
example, external users can connect to the intranet by dialling in through a modem
installed in the organisation's private network, and this kind of access would never be
seen by the firewall. An intrusion detection system (IDS) is therefore a security system
that monitors computer systems and network traffic and analyses that traffic for possible
hostile attacks originating from outside the organisation and also for system misuse or
attacks originating from inside the organisation.














CHAPTER 2
LITERATURE REVIEW

2.1 Evolution of IDS :
In 1987 Dorothy E. Denning proposed intrusion detection as an approach to counter
computer and networking attacks and misuse. Intrusion detection is implemented by an
intrusion detection system, and today many commercial intrusion detection systems are
available. In general, most of these commercial implementations are relatively
ineffective and insufficient, which gives rise to the need for research on more dynamic
intrusion detection systems. An intruder is generally defined as a system, program or
person who tries, and may succeed, to break into an information system or to perform an
action that is not permitted. We refer to an intrusion as any set of actions that attempt
to compromise the integrity, confidentiality or availability of a computer resource, and
to the act of detecting such actions as intrusion detection. An intrusion detection
system is a device or software application that monitors network and/or system
activities for malicious activities or policy violations and produces reports to a
management station.

Computer attacks, e.g. the use of specialised methods to circumvent the security policy
of an organisation, are becoming more and more common. IDSs are installed to identify
such attacks and to react, usually by generating an alert or blocking suspicious
activity. IDSs come in many forms, which are reviewed in the following section. The work
presented here is based on a popular network intrusion detection system (NIDS) called
SNORT (2006). SNORT detects attacks by comparing live Internet traffic against
signatures that define known attacks. SNORT is an open-source NIDS released under the
GNU (2006) licence and an example of a system that uses signatures, in this case known as
SNORT rules. The aim of this report is to determine the effectiveness of generalisation
when applied to the matching of Internet traffic against SNORT's rule signatures.

The Internet is a global public network. With its growth and potential there has been a
corresponding change in the business model of organisations across the world. More and
more people connect to the Internet every day to take advantage of the new business model
popularly known as e-Business, so internetwork connectivity has become a very critical
aspect of today's e-business. There are two sides to business on the Internet. On one
side, the Internet brings tremendous potential to a business in terms of reaching end
users; at the same time it brings a lot of risk. There are both harmless and harmful
users on the Internet: while an organisation makes its information system available to
harmless Internet users, the same information is available to malicious users as well.
Malicious users or hackers can gain access to an organisation's internal systems for
various reasons:
- software bugs, called vulnerabilities
- lapses in administration
- systems left in their default configuration

Malicious users use techniques such as password cracking and sniffing unencrypted or
clear-text traffic to exploit such weaknesses and compromise critical systems. Therefore
an organisation's private resources need protection from the Internet as well as from
inside users; surveys have claimed that as many as eighty percent of attacks come from
insiders, who know the systems far better than an outsider and for whom access to
information is easier. Organisations across the world deploy firewalls to protect their
private network from the public network. But when it comes to securing a private network
from the Internet using firewalls, no network can be one hundred percent secure, because
the business requires some access to internal systems to be granted to Internet users.
The firewall provides security by allowing only specific services through it: it
implements a policy for allowing or disallowing connections based on organisational
security policy and business needs, and protects the organisation from malicious attack
from the Internet by dropping connections from unknown sources.
One preliminary IDS concept consisted of a set of tools intended to help administrators
review audit trails; user access logs, file access logs and system event logs are examples
of audit trails. Fred Cohen noted in 1984 that it is impossible to detect an intrusion in
every case, and that the resources needed to detect intrusions grow with the amount of
usage. Dorothy E. Denning, assisted by Peter G. Neumann, published a model of an IDS in
1986 that formed the basis for many systems today. Her model used statistics for anomaly
detection, and resulted in an early IDS at SRI International named the Intrusion
Detection Expert System (IDES), which ran on Sun workstations and could consider both
user and network level data. IDES had a dual approach, with a rule-based expert system to
detect known types of intrusion plus a statistical anomaly detection component based on
profiles of users, host systems and target systems. Teresa Lunt proposed adding an
artificial neural network as a third component; all three components could then report
to a resolver. SRI followed IDES in 1993 with the Next-generation Intrusion Detection
Expert System (NIDES). The Multics Intrusion Detection and Alerting System (MIDAS), an
expert system using P-BEST and Lisp, was developed in 1988 based on the work of Denning
and Neumann. Haystack was also developed that year, using statistics to reduce audit
trails. Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at
the Los Alamos National Laboratory; W&S created rules based on statistical analysis and
then used those rules for anomaly detection. In 1990, the Time-based Inductive Machine
(TIM) did anomaly detection using inductive learning of sequential user patterns in
Common Lisp on a VAX 3500 computer. The Network Security Monitor (NSM) performed masking
on access matrices for anomaly detection on a Sun-3/50 workstation. The Information
Security Officer's Assistant (ISOA) was a 1990 prototype that considered a variety of
strategies including statistics, a profile checker and an expert system. ComputerWatch at
AT&T Bell Labs used statistics and rules for audit data reduction and intrusion
detection. Then, in 1991, researchers at the University of California, Davis created a
prototype Distributed Intrusion Detection System (DIDS), which was also an expert system.
The Network Anomaly Detection and Intrusion Reporter (NADIR), also in 1991, was a
prototype IDS developed at the Los Alamos National Laboratory's Integrated Computing
Network (ICN), heavily influenced by the work of Denning and Lunt; NADIR used a
statistics-based anomaly detector and an expert system. The Lawrence Berkeley National
Laboratory announced Bro in 1998, which used its own rule language for packet analysis
from libpcap data. Network Flight Recorder (NFR) in 1999 also used libpcap. APE was
developed as a packet sniffer, also using libpcap, in November 1998, and was renamed Snort
one month later. Snort has since become the most widely used IDS/IPS, with over 300,000
active users.

The Audit Data Analysis and Mining (ADAM) IDS in 2001 used tcpdump to build profiles of
rules for classification. In 2003, Yongguang Zhang and Wenke Lee argued for the
importance of IDS in networks with mobile nodes.






CHAPTER 3
METHODOLOGY

3.1 Types of Intrusion Detection System
Intrusion Detection Systems are commonly classified as:
- Host Based
- Network Based
- Stack Based
- Signature Based
- Anomaly Based
The first three describe where the sensor sits (on a host, on the network, or hooked
into a host's TCP/IP stack); the last two describe how it detects.

Host Based IDS -:
A host-based IDS (HIDS) is installed on a host in the network. It collects and
analyses the traffic that originates from or is intended for that host. A HIDS
leverages its privileged access to monitor specific components of the host that are not
readily accessible to other systems; specific components of the operating system, such as
the passwd file in UNIX and the Registry in Windows, can be watched for misuse. Exposing
these components to a NIDS for monitoring would be a great risk. Although a HIDS is far
better than a NIDS at detecting malicious activity on a particular host, it has a limited
view of the network topology and cannot detect an attack targeted at a host on which no
HIDS is installed.



Network Based IDS -:
Network IDSs (NIDS) are placed at key points of the network infrastructure and monitor
traffic as it flows to other hosts. Unlike a HIDS, a NIDS can monitor the network as a
whole and detect malicious activity aimed at the network. The monitoring criteria for a
specific host can be tightened or relaxed with relative ease. A NIDS must be able to keep
up with a large volume of network traffic to remain effective: as traffic grows, it must
capture all of it and analyse it in a timely manner, or it will drop packets and miss
attacks.


Signature-Based IDS -:
A signature-based IDS uses a rule set to identify intrusions by watching for patterns of
events specific to known and documented attacks. It is typically connected to a large
database of attack signatures and compares the information it gathers against those
signatures to detect a match. Such systems are normally presumed to detect only the
attacks known to their database, so if the database is not updated regularly, new
attacks can slip through. It can, however, detect new attacks that share characteristics
with old ones, e.g. accessing 'cmd.exe' via an HTTP GET request; but for new,
uncatalogued attacks this technique is porous. Signature-based IDSs may also suffer a
noticeable performance lag when a packet matches several attack signatures. Because each
signature must be specific, every variation of a known attack needs its own signature if
it is not to be missed, which leads to huge databases that eat up storage and matching
time.

Figure : Common Anomaly Based Network Intrusion Detection System

Anomaly Based IDS -:
An anomaly-based IDS examines ongoing traffic, activity, transactions and behaviour to
identify intrusions by detecting anomalies. It works on the notion that attack behaviour
differs enough from normal user behaviour that it can be detected by cataloguing and
identifying the differences. In most anomaly-based IDSs the system administrator defines
the baseline of normal behaviour, including the network's traffic load, breakdown,
protocol mix and typical packet size. The anomaly detector monitors network segments,
compares their state to the baseline and looks for current behaviour that deviates
statistically from normal. This capability theoretically lets anomaly-based IDSs detect
new attacks that are neither known nor covered by any signature. On the other hand,
anomaly-based IDSs are known to produce many false positives: when the monitored system
or network legitimately changes (new services, new users, new traffic patterns), the
normal state shifts, but the IDS still compares against the old baseline and reports the
change as an attack.
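As an added illustration (example code written for this edit, not part of the original seminar and not Snort code), the following Python script implements the baseline-and-deviation idea described above over constructed flow records. The protocol/size/rate features, the z-score threshold and the records themselves are assumptions chosen for the example; a real deployment would learn many more features over a much longer window.

```python
"""Statistical anomaly detector over per-protocol traffic features.

Added example; this is not code from the report.  A baseline (mean and
standard deviation of average packet size and packets-per-second, per
protocol) is learned from a constructed window of normal flow records, and
each live record is flagged when a feature deviates by more than a z-score
threshold, or when its protocol was never seen during training.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "normal" flow records: (protocol, avg_packet_bytes, packets_per_sec)
BASELINE_FLOWS = [
    ("tcp", 540, 30), ("tcp", 610, 28), ("tcp", 480, 35), ("tcp", 590, 31),
    ("tcp", 520, 29), ("tcp", 560, 33), ("tcp", 500, 30), ("tcp", 575, 32),
    ("udp", 120, 10), ("udp", 140, 12), ("udp", 110, 9), ("udp", 130, 11),
    ("udp", 125, 10), ("udp", 135, 13), ("udp", 115, 10), ("udp", 128, 11),
]

FEATURES = ("size", "rate")


def build_baseline(flows, min_sigma=1.0):
    """Per-protocol (mean, std-dev) for each feature.

    min_sigma floors the standard deviation so that a perfectly uniform
    training window cannot produce sigma == 0, which would flag any change
    at all (and divide by zero).
    """
    samples = defaultdict(lambda: defaultdict(list))
    for proto, size, rate in flows:
        samples[proto]["size"].append(size)
        samples[proto]["rate"].append(rate)
    return {
        proto: {name: (mean(vals), max(pstdev(vals), min_sigma))
                for name, vals in feats.items()}
        for proto, feats in samples.items()
    }


def score_flow(baseline, flow, threshold=3.0):
    """Return the list of (feature, z_score) pairs that exceed the threshold.

    An unseen protocol is reported as the single anomaly ("protocol", inf).
    """
    proto, size, rate = flow
    if proto not in baseline:
        return [("protocol", float("inf"))]
    hits = []
    for name, value in zip(FEATURES, (size, rate)):
        mu, sigma = baseline[proto][name]
        z = (value - mu) / sigma
        if abs(z) > threshold:
            hits.append((name, round(z, 2)))
    return hits


def detect(baseline, flows, threshold=3.0):
    """Return [(flow, hits)] for every flow that deviates from the baseline."""
    flagged = []
    for flow in flows:
        hits = score_flow(baseline, flow, threshold)
        if hits:
            flagged.append((flow, hits))
    return flagged


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    # Constructed live window: one normal TCP flow, a flood of tiny TCP packets,
    # an ICMP flow (protocol never seen in training) and oversized UDP datagrams.
    live = [("tcp", 550, 31), ("tcp", 60, 900), ("icmp", 64, 5), ("udp", 1400, 11)]
    for flow, hits in detect(base, live):
        print(flow, "->", hits)
```

The false-positive problem from the paragraph above shows up directly: if a legitimate change (say, a new backup job that doubles the UDP rate) is not fed back into the baseline, every one of its flows will exceed the threshold and be reported as an attack. Periodic re-training on reviewed traffic, and a threshold chosen per feature rather than globally, are the usual mitigations.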



3.2 Implementation Approaches of IDS -:

According to its internal architecture, an intrusion detector follows one of two main
approaches, or combines them:

- Behavioural approach:

This approach tracks the behaviour of a user, service or application to infer a probable
intrusion. If any of these entities changes its behaviour or its operating habits, the
detector deduces that there is suspicious behaviour and eventually transmits an early
warning. The approach uses either a probabilistic method to estimate whether traffic is
suspect, or a statistical method that quantitatively compares parameters related to the
user, such as the bandwidth occupancy rate or the number of network accesses per day,
against their usual values. This is the anomaly-based detection of Section 3.1.

- Scenario-based approach:

This approach relies on known techniques used by attackers to perform intrusions, already
recorded as signatures, which are compared with the behaviour of the user in question,
without recourse to its history, to determine whether that behaviour is legitimate. A
signature is a series of rules for analysing packets flowing through the network, either
by pattern matching or by checking protocol compliance (the protocol approach). This is
the signature-based detection of Section 3.1. Using both approaches in parallel gives a
more powerful intrusion detection solution.








3.3 Autonomous rule creation for Signature based IDS Using SNORT.

Working of Signature based IDS -:
The working of a signature-based IDS can be understood from the figures below. When any
host sends data into the network, the traffic first passes through the inspection point
(here a server running Snort inline). The server checks each packet; if it is found
malicious the packet is discarded, otherwise it is sent on to the destination system.

Figure 1: Snort working in network

In figure 1, system I sends a packet to system A, but before the packet reaches its
destination the server checks it; if the packet is malicious the server discards it,
otherwise it forwards it to system A. Figure 2 shows how the server checks a packet: when
a packet arrives, the server uses a comparison engine to check it against the signature
database stored on the server, and if the packet matches a signature the server discards
it, otherwise it sends the packet to the destination system. Note that discarding a
packet requires Snort to run inline as an intrusion prevention system; in passive IDS mode
it only logs and alerts.


Figure 2: Snort Signature Database


Snort -:

Snort is an open source network intrusion detection and prevention system (the manual is
available at http://www.snort.org/assets/125/snort_manual-_8_5_1.pdf). It performs
real-time traffic analysis and packet logging on IP networks, performs protocol analysis
and can detect many different types of attack. In NIDS mode Snort checks each packet
against rules written by the user. Snort rules are written in Snort's own simple rule
language; its structure is clear, rules are easy to read and they can be modified as
needed. For a buffer overflow attack, Snort can detect the attack by matching the
patterns of previous attacks and then take the appropriate action to prevent it. In a
purely signature-based IDS the attack is found easily when a pattern matches, but the
system fails when a new attack arrives for which no signature exists. Snort partly
addresses this limitation by analysing the live traffic in its preprocessors, which flag
protocol anomalies such as malformed packets or port scans even without a specific
signature, and by letting the administrator write or generalise rules for newly observed
variants; generalising existing rules so that such variants are caught automatically is
the subject of this report.


Components of Snort

Snort is a combination of multiple components that work together to find a particular
attack and then take the corresponding action required for that attack. It consists of
the following major components, shown in figure 3:

1. Packet Decoder
2. Preprocessors
3. Detection Engine
4. Logging and Alerting System
5. Output Modules

Figure 3: Components of Snort


A packet arrives from the network and enters the packet decoder, then passes through the
remaining stages; Snort acts at each stage. For example, if the detection engine finds
malicious content in a packet it can drop it (in inline mode), and on the way to the
output modules the packet is logged or an alert is generated.

1. Packet decoder
The packet decoder takes packets from the various network interfaces and prepares them
to be sent to the preprocessors or the detection engine. The interface might be Ethernet,
SLIP, PPP and so on.

2. Preprocessors
Preprocessors work with Snort to modify or rearrange a packet before the detection engine
operates on it. They also generate alerts themselves if they find anomalies in a packet.
Because the detection engine matches whole strings, an intruder could fool a naive IDS by
changing the encoding of the payload or inserting extra bytes; the preprocessor normalises
the data so that the signature is still detected. One very important preprocessor task
is defragmentation and stream reassembly: an intruder may split a signature across two
packets so that neither packet alone contains it, so the packets must be reassembled
before the signature can be found, and this is done by the preprocessor.
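The evasion just described, as an added example (not code from the report or from Snort): a signature content is split across two out-of-order TCP segments, and only the reassembled stream reveals it. In Snort this reassembly is the job of the stream preprocessor for TCP and of frag3 for IP fragments. The signature, segments and sequence numbers below are constructed for the example, and the first-wins overlap policy is one of several a real reassembler can apply.

```python
"""Splitting a signature across TCP segments, and why reassembly matters.

Added example; this is not Snort code.  The content string of a signature
is split across two constructed TCP segments that also arrive out of order.
Per-packet matching misses it; matching against the stream reassembled in
sequence-number order finds it.
"""

SIGNATURE = b"cmd.exe"   # content from a classic IIS traversal rule

# Constructed segments of one TCP flow as (tcp_seq, payload).  The request
# is cut inside the signature ("cmd." / "exe") and the second half is listed
# first, as if it had arrived before the first.
FIRST_HALF = b"GET /scripts/..%5c../winnt/system32/cmd."
SECOND_HALF = b"exe?/c+dir HTTP/1.0\r\n\r\n"
SEGMENTS = [
    (1000 + len(FIRST_HALF), SECOND_HALF),
    (1000, FIRST_HALF),
]


def match_per_packet(signature, segments):
    """Naive matching: return the seq numbers of segments that contain the
    whole signature.  Neither half does, so the evasion succeeds."""
    return [seq for seq, payload in segments if signature in payload]


def reassemble(segments):
    """Concatenate segments in sequence order.

    Overlapping or retransmitted bytes are discarded in favour of the data
    already taken (first-wins); a hole stops reassembly, because the engine
    cannot know what the missing bytes were.  A production reassembler must
    also pick a policy that matches the target host's TCP stack, since hosts
    differ in how they resolve overlaps.
    """
    stream = b""
    expected = None
    for seq, payload in sorted(segments):
        if expected is None:
            expected = seq
        if seq < expected:               # overlap with data already taken
            payload = payload[expected - seq:]
            seq = expected
        if seq > expected:               # hole in the stream: stop here
            break
        stream += payload
        expected = seq + len(payload)
    return stream


def match_stream(signature, segments):
    """Match against the reassembled stream instead of individual segments."""
    return signature in reassemble(segments)


if __name__ == "__main__":
    print("per-packet hits:", match_per_packet(SIGNATURE, SEGMENTS))
    print("stream hit:", match_stream(SIGNATURE, SEGMENTS))
```

The same split works against IP fragmentation and against application-layer encodings, which is why Snort's preprocessors run before the detection engine rather than after it.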




3. The Detection Engine
Its main work is to find out whether intrusion activity exists in a packet, using the
Snort rules; if a rule matches, the action the rule specifies (alert, log, or in inline
mode drop) is taken, otherwise the packet is passed on untouched. The time taken to
process a packet varies, and depends on the power of the machine and the number of rules
loaded.

4. Logging and Alerting System
Depending on what the detection engine finds in a packet, it may generate an alert or
log the activity. Log files are kept by default under the /var/log/snort directory; the
-l command-line option changes the location.

5. Output Modules
Output modules (plug-ins) save the output generated by the logging and alerting system
in whatever form the user wants, and control the different outputs depending on the
configuration. Depending on how they are configured they can:
- simply log to the /var/log/snort/alert file or some other file
- send SNMP traps
- send messages to the syslog facility
- generate XML output
- send SMB messages to Microsoft Windows-based machines
- write alerts to a database (the PostgreSQL back end used later in this report)
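As an added example (not part of the original report, and not Snort's own tooling), the script below parses lines in the one-line alert_fast layout that Snort can write to the alert file described above, and answers the first questions an analyst asks of it: which rules fired, which alerts are high priority, and who the top sources are. The four alert lines are constructed to follow that layout; the rule IDs, messages and addresses are made up for the example.

```python
"""Parsing Snort's one-line "alert_fast" output and summarising it.

Added example; not Snort code.  The sample lines are constructed to follow
the alert_fast layout: timestamp, [**] [gid:sid:rev] message [**], an
optional [Classification: ...], [Priority: n], {protocol}, then
src:port -> dst:port (no ports for ICMP).
"""
import re
from collections import Counter

# Constructed sample of an alert file's contents
SAMPLE_ALERTS = """\
02/14-10:15:32.123456  [**] [1:1000001:1] IP Packet Detected [**] [Priority: 3] {TCP} 192.20.14.50:51234 -> 192.20.14.48:80
02/14-10:15:33.000010  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.20.14.50:51235 -> 192.20.14.48:80
02/14-10:15:34.500000  [**] [1:1000001:1] IP Packet Detected [**] [Priority: 3] {UDP} 192.20.14.50:5353 -> 224.0.0.251:5353
02/14-10:15:35.000000  [**] [1:2000001:2] ICMP test [**] [Priority: 3] {ICMP} 192.20.14.50 -> 192.20.14.48
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_alerts(text):
    """Split the file into parsed records and the lines that did not parse.
    Unparseable lines are kept rather than silently dropped, so a change in
    the log format cannot blind the analysis unnoticed."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return records, unparsed


def count_by_sid(records):
    """How often each rule fired: {sid: count}."""
    return Counter(r["sid"] for r in records)


def high_priority(records, max_priority=1):
    """Alerts at or above the given priority (1 is the most severe)."""
    return [r for r in records if r["pri"] <= max_priority]


def top_sources(records, n=3):
    """The n source addresses that triggered the most alerts."""
    return Counter(r["src"] for r in records).most_common(n)


if __name__ == "__main__":
    recs, bad = parse_alerts(SAMPLE_ALERTS)
    print("parsed:", len(recs), "unparseable:", len(bad))
    print("per rule:", dict(count_by_sid(recs)))
    for r in high_priority(recs):
        print("HIGH:", r["sid"], r["msg"], r["src"], "->", r["dst"], r["dport"])
    print("top sources:", top_sources(recs))
```

A rule such as the "IP Packet Detected" example later in this section fires on every packet, so the per-rule counts are the quickest way to spot a rule that is drowning the file and needs tightening.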
Rule structure of Snort

Rules are written from known intrusion signatures. A rule has two parts, the rule header
and the rule options, and rules can be modified as needed.

The rule header follows the pattern

action protocol source-address source-port direction destination-address destination-port

and the rule options follow in parentheses. For example:

alert ip any any -> any any (msg:"IP Packet Detected";)

Here "alert ip any any -> any any" is the rule header and (msg:"IP Packet Detected";)
is the rule option.
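To make the rule structure and the report's generalisation idea concrete, here is an added Python example (not Snort code and not the report's implementation). It parses a rule in the header/option format just shown, then generalises it step by step, relaxing the destination port, dropping a content condition or shortening a content string, and keeps a step only when the rule catches more attack variants without firing on benign traffic. The rule is modelled on the classic IIS cmd.exe signature and the packets are constructed; the three operators and the greedy acceptance test are this example's own simplification of the rule-learning operators the abstract refers to.

```python
"""Parsing Snort rules and generalising them to catch attack variants.

Added example, not Snort's code or the report's implementation.  One rule's
header and msg/content options are parsed, then generalisation operators in
the spirit of the report are applied: relax the destination port to any,
drop one content condition, shorten a content string.  A greedy search keeps
a step only if the rule then fires on more of the constructed attack packets
and still on none of the constructed benign ones.  Negated fields, port
ranges and option modifiers are not supported.
"""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "action proto src sport dst dport msg contents")  # contents: tuple of bytes

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    msg, contents = "", []
    for opt in opts.split(";"):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            msg = val
        elif key == "content":
            contents.append(val.encode())
    return Rule(action, proto, src, sport, dst, dport, msg, tuple(contents))

def to_text(rule):
    """Render the rule back in Snort syntax."""
    opts = ['msg:"%s";' % rule.msg] + ['content:"%s";' % c.decode() for c in rule.contents]
    return "%s %s %s %s -> %s %s (%s)" % (
        rule.action, rule.proto, rule.src, rule.sport, rule.dst, rule.dport, " ".join(opts))

def matches(rule, pkt):
    """True if the packet satisfies every header field and every content."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    header = ((rule.src, pkt["src"]), (rule.sport, pkt["sport"]),
              (rule.dst, pkt["dst"]), (rule.dport, pkt["dport"]))
    if any(want != "any" and want != str(got) for want, got in header):
        return False
    return all(c in pkt["payload"] for c in rule.contents)

def generalise(rule):
    """Yield (operator name, rule) for each single-step generalisation."""
    if rule.dport != "any":
        yield "dport -> any", rule._replace(dport="any")
    for i, c in enumerate(rule.contents):
        before, after = rule.contents[:i], rule.contents[i + 1:]
        if len(rule.contents) > 1:
            yield "drop content %r" % c, rule._replace(contents=before + after)
        if len(c) > 4:
            yield "shorten content %r" % c, rule._replace(contents=before + (c[:len(c) // 2],) + after)

def coverage(rule, packets):
    """Indices of the packets the rule fires on."""
    return [i for i, p in enumerate(packets) if matches(rule, p)]

def learn(rule, attacks, benign):
    """Greedy hill-climb: accept a generalisation only if it fires on more
    attack packets and on no benign packet.  Returns (rule, steps taken)."""
    current, steps, improved = rule, [], True
    while improved:
        improved = False
        for name, cand in generalise(current):
            if coverage(cand, benign):
                continue          # would create a false positive
            if len(coverage(cand, attacks)) > len(coverage(current, attacks)):
                current, improved = cand, True
                steps.append(name)
                break
    return current, steps

def pkt(dport, payload, proto="tcp", src="192.20.14.50", dst="192.20.14.48"):
    return dict(proto=proto, src=src, sport=40000, dst=dst, dport=dport, payload=payload)

# Constructed rule (modelled on the classic IIS cmd.exe signature) and traffic:
# three attack variants and two benign requests to the same web server.
RULE = 'alert tcp any any -> 192.20.14.48 80 (msg:"WEB-IIS cmd.exe access"; content:"/winnt/system32/"; content:"cmd.exe";)'
ATTACKS = [
    pkt(80, b"GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    pkt(8080, b"GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),         # same attack, other port
    pkt(80, b"GET /scripts/..%255c..%255cwindows/system32/cmd.exe?/c+dir HTTP/1.0"),  # different path
]
BENIGN = [
    pkt(80, b"GET /index.html HTTP/1.0"),
    pkt(80, b"GET /help?topic=cmd+prompt HTTP/1.0"),   # would be hit by a shortened "cmd"
]

if __name__ == "__main__":
    original = parse_rule(RULE)
    learned, steps = learn(original, ATTACKS, BENIGN)
    print("original:   ", coverage(original, ATTACKS), to_text(original))
    print("generalised:", coverage(learned, ATTACKS), to_text(learned))
    print("steps:", steps)
```

Run as-is, the original rule fires on only the first attack packet; after two accepted steps (port relaxed, path content dropped) it catches all three variants, while the remaining step, shortening "cmd.exe" to "cmd", is rejected because it would match the benign help request. That rejected step is the specialisation side of the trade-off: every relaxation buys coverage at the price of false positives, so a corpus of known-good traffic is as important to the search as the attack samples are.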








IMPLEMENTATION OF SIGNATURE BASED IDS -:

We start by designing a conceptual framework of a signature based intrusion detection
system. The frameworks will show the flow of packet into the network. Here we will flow
data using TCP Replay within two systems inside the network. And then we will check the
outcome in graphical form using Basic Analysis and Security Engine.

Data Collection and Analysis
This work was done on open source intrusion detection system. Snort was configured to log
the traffic flowing into Lab network from 192.20.14.50 to 192.20.14.48. Then collected data
is used to see the relevance of an IDS system on to the protected network. And we used Snort
because:

Snort is an open source intrusion detection system. It is therefore useful where it is
not cost efficient to apply NIDS sensors.
Snort is lightweight application. It is also economical when it comes to resource
utilization. Snort can be used as a intrusion detection as well as intrusion prevention
system.
Snorts rule can be changed if needed. Its rules are flexible. Snort has more than 2500
rules in its database . And people can modify rule according to need of their network
need.
Snort is available for Linux as well as for Windows. It is most widely used for
intrusion detection in network.

The Network Setup
Intrusion detection system can be deployed to protect the network. It can be deployed
between to hosts, between two switches or even the server firms. In our work we will place
snort between two hosts.

Configuration and Validation of the IDS
We use a Linux box running the Debian operating system to detect intrusions into the system placed inside the network. Whenever Snort detects an intrusion it generates an alert. If the system successfully generates an alert, the network has been configured correctly and traffic monitoring is taking place. In practice this is validated by replaying a capture that is known to trigger a rule and confirming that the corresponding alert appears in BASE; such an alert confirms that the sensor sees the traffic path, not that every rule is tuned for the network.

Installation of Snort, PostgreSQL and BASE

On the Debian operating system, snort-pgsql is configured together with Basic Analysis and Security Engine (BASE), which provides a user friendly web front end to simplify querying and analysis of alerts; PostgreSQL, an open source Relational Database Management System (RDBMS) that stores the alerts; Apache, a widely available HTTP server that supports PHP; Secure Shell (SSH) to enable secure remote login to the sensor; and PHP, a hypertext preprocessor that enables creation of dynamic content and interaction with the database.


Snort's uses
Snort is basically used in three ways:

1. A packet sniffer
In its simplest form, Snort is a packet sniffer. That is also the easiest way to start.

# snort -d -e -v

-v Put Snort in verbose packet-sniffing mode (prints the IP and TCP/UDP/ICMP headers to the console)
-d Dump the application layer data (the packet payload) as well
-e Display the data link layer headers as well

2. Packet logger
Snort has built-in packet-logging mechanisms that you can use to collect the data as a file, sort it into directories, or store the data as a binary file.

# snort -dev -l {logging-directory} -h {home-subnet-slash-notation}

If you wanted to log the data into the directory /var/adm/snort/logs with the home subnet 192.20.14.0/24, you would use the following:

# snort -dev -l /var/adm/snort/logs -h 192.20.14.0/24

For logging in binary (tcpdump) format you do not need all of these options. The binary format makes packet collection much faster, because Snort does not have to translate the data into human-readable form immediately:

# snort -b -L {log-file}

To read the log file back:

# snort [-d|-e] -r {log-file} [tcp|udp|icmp]

The last item on the line is optional: it is a BPF filter expression, used if you want to restrict the output to one packet type such as tcp, udp or icmp.


3. As a Network Intrusion Detection System

To make Snort an IDS, just add one thing to the packet-logging command: the configuration file, which loads the rules.

# snort -dev -l /var/adm/snort/logs -h 192.20.14.0/24 -c /root/mysnort.conf


Basic Analysis and Security Engine (BASE):

BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a Snort IDS, i.e. a web interface for analysing the intrusions that Snort has detected on your network. It uses user authentication and a role-based system, so that you as the security admin can decide what and how much information each user can see. It also has a simple web-based setup program for people not comfortable with editing configuration files directly. BASE is a PHP based analysis engine for managing a database of security events. These events can come from IDSs (such as Snort) as well as from firewalls, network monitoring tools and even pcap files.

THE PACKET FLOW OVER THE NETWORK

To send traffic over the network, Snort must first be running; after that we can send traffic from one host to another using tcpreplay. We can also feed a capture file to Snort directly and check the alerts in Basic Analysis and Security Engine (BASE). The two methods are given below.

tcpreplay:
tcpreplay is a suite of utilities for Unix systems for editing and replaying network traffic which was previously captured by tools like tcpdump and Ethereal/Wireshark.

It provides the ability to classify traffic as client or server, edit packets at layers 2-4 and replay the traffic at arbitrary speed onto a network, for sniffing or for passing through an inline device. There is a three step process for this:

1. Determine which packets are client->server and server->client
2. Rewrite IP addresses based on their direction
3. Send packets through the inline device



Step 1: Use tcpprep to split traffic based on the source/destination port:

$ tcpprep --port --cachefile=example.cache --pcap=example.pcap

In this case, all the packets directed to a TCP or UDP port < 1024 are considered client->server, while other packets are server->client. This information is stored in a tcpprep cache file called example.cache for later use.

Step 2: Use tcprewrite to change the IP addresses to the local network:

$ tcprewrite --endpoints=192.20.14.50:192.20.14.48 --cachefile=example.cache --infile=example.pcap --outfile=new.pcap

Here we want all traffic to appear to be between the two lab hosts 192.20.14.50 and 192.20.14.48. We want one IP to be the "client" and the other IP the "server", so we use the cache file created in the last step.

Step 3: Use tcpreplay to send the traffic through the IDS:

# tcpreplay --intf1=eth0 --intf2=eth1 --cachefile=example.cache new.pcap

Here we send the traffic. Since we want to split the traffic between two interfaces (eth0 and eth1), we use the cache file created in Step 1 with the new.pcap created in Step 2. The cache file can be reused with the rewritten pcap because, while the IP addresses of the packets have changed, their order and semantics have not.
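To make the three steps concrete, here is an added Python model of what the cache file carries and how it drives the rewrite and the interface choice. It is written for this page and is not the tcpreplay source; it works on small packet dictionaries constructed inline rather than on a pcap. Assumptions: a destination port below 1024 marks a client->server packet (the rule the text gives for --port mode); the first --endpoints address is the client and the second the server; and tcpreplay sends client->server packets out --intf1 and server->client packets out --intf2.

```python
"""Client/server split and endpoint rewrite, modelled on the tcpprep --port,
tcprewrite --endpoints and tcpreplay --intf1/--intf2 steps.

Added example in Python; not the tcpreplay source. Packets are dicts
constructed below. Assumptions: dport < 1024 means client->server; the
first endpoint is the client, the second the server; client->server
packets leave on intf1 and server->client packets on intf2.
"""

CLIENT_TO_SERVER = "c2s"
SERVER_TO_CLIENT = "s2c"


def split_by_port(packets, server_port_limit=1024):
    """Step 1 (tcpprep --port): one direction entry per packet, in order.
    This list is what the cache file stores; it carries no addresses, which
    is why the same cache fits a pcap whose addresses were rewritten."""
    return [CLIENT_TO_SERVER if pkt["dport"] < server_port_limit else SERVER_TO_CLIENT
            for pkt in packets]


def rewrite_endpoints(packets, cache, client_ip, server_ip):
    """Step 2 (tcprewrite --endpoints): map addresses by direction, so a
    request and its reply still belong to the same two hosts."""
    if len(cache) != len(packets):
        # The cache only lines up with a pcap of the same packet order and
        # count; anything else would silently mis-attribute directions.
        raise ValueError("cache has %d entries for %d packets" % (len(cache), len(packets)))
    out = []
    for pkt, direction in zip(packets, cache):
        new = dict(pkt)
        if direction == CLIENT_TO_SERVER:
            new["src"], new["dst"] = client_ip, server_ip
        else:
            new["src"], new["dst"] = server_ip, client_ip
        out.append(new)
    return out


def choose_interface(direction, intf1="eth0", intf2="eth1"):
    """Step 3 (tcpreplay --intf1/--intf2 with a cache): pick the output side."""
    return intf1 if direction == CLIENT_TO_SERVER else intf2


def replay_plan(packets, client_ip, server_ip):
    """Run the three steps; return (interface, rewritten packet) pairs."""
    cache = split_by_port(packets)
    rewritten = rewrite_endpoints(packets, cache, client_ip, server_ip)
    return [(choose_interface(d), p) for d, p in zip(cache, rewritten)]


# Constructed capture: an HTTP request, its reply and a second request,
# between two hosts that are not on the lab network.
TRACE = [
    {"src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.7", "dport": 80, "payload": b"GET / HTTP/1.1\r\n"},
    {"src": "203.0.113.7", "sport": 80, "dst": "10.0.0.5", "dport": 40000, "payload": b"HTTP/1.1 200 OK\r\n"},
    {"src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.7", "dport": 80, "payload": b"GET /a HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for intf, pkt in replay_plan(TRACE, "192.20.14.50", "192.20.14.48"):
        print("%s  %s:%d -> %s:%d" % (intf, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
```

After the rewrite the reply packet carries the lab server as its source and the lab client as its destination, which is what lets Snort's stream tracking see both halves of the conversation; the length check stands in for the fact that a cache file is only valid for a pcap with exactly the packet order it was built from.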

Using Snort directly
In this method we just pass Snort the name of a tcpdump file, and the alerts can be seen directly in Basic Analysis and Security Engine (BASE):

$ snort --pcap-single=outside.tcpdump -c /etc/snort/snort.conf

where outside.tcpdump is the DARPA test dataset. This is used for generating alerts in BASE.


APPLICATIONS

The Center for Education and Research in Information Assurance and Security (CERIAS) has produced a review of IDS research prototypes, a few of which are now commercial products.

Approaches for misuse detection
Approaches for the misuse detection model are:
o expert systems, containing a set of rules that describe attacks
o signature verification, where attack scenarios are translated into sequences of audit events
o Petri nets, where known attacks are represented with graphical Petri nets
o state-transition diagrams, representing attacks with a set of goals and transitions

The common approach for misuse detection is signature verification, where a system detects previously seen, known attacks by looking for an invariant signature left by these attacks. This signature is found in audit files on the intruded host, or by sniffers looking at packets entering or leaving the attacked machine. The limitations of this approach are:
o frequent false alarms
o the need to specify a signature of the attack, and then to update the signatures on every IDS tool; a signature of an attack may not be easy to discover
o new attack signatures are not discovered automatically without an update of the IDS

Approaches for anomaly detection
Anomaly detection in network-based or host-based IDS includes:
o threshold detection, detecting abnormal activity on the server or network, for example abnormal consumption of the CPU of one server, or abnormal saturation of the network
o statistical measures, learned from historical values
o rule-based measures, with expert systems
o non-linear algorithms such as neural networks or genetic algorithms
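The first two anomaly detection items above (threshold detection and statistical measures learned from historical values) are the complement of the signature matching the rest of this report relies on. As an added example that is not part of the report, the Python below learns a baseline of packets per minute from a constructed history and flags any live interval that lies more than k standard deviations from it, in either direction, so both a scan-like spike and a dead link are caught. Intervals that were flagged are kept out of the baseline, so a slow ramp cannot teach the detector to accept the attack; the floor of 1.0 on the standard deviation is an assumption that stops a perfectly flat history from flagging every change.

```python
"""Threshold detection with a statistical baseline (added example, not from
the report).

Traffic counts are constructed (packets per minute between the two lab
hosts). The baseline is the mean and sample standard deviation of the
recent normal intervals; an interval is flagged when |z| > k. Flagged
intervals do not train the baseline (assumption: this is the standard
defence against an attacker slowly shifting the norm). The stdev floor of
1.0 is also an assumption for the demonstration.
"""
import statistics

# Constructed history of quiet traffic, packets/minute.
HISTORY = [118, 125, 131, 120, 127, 122, 129, 124, 126, 121, 130, 123]
# Constructed live window: a scan-like spike (412) and a dead link (0).
LIVE = [124, 128, 412, 126, 133, 0]


def baseline(history):
    """Mean and sample standard deviation of the learnt normal values."""
    return statistics.fmean(history), statistics.stdev(history)


def zscore(value, mean, stdev, floor=1.0):
    """Distance from the mean in standard deviations, with a floor so a
    flat history does not make every change look anomalous."""
    return (value - mean) / max(stdev, floor)


def monitor(history, live, k=3.0, window=60):
    """Score each live interval against the baseline learnt from the
    preceding normal intervals. Returns (index, value, z) for anomalies."""
    normal = list(history)
    alerts = []
    for i, value in enumerate(live):
        mean, stdev = baseline(normal)
        z = zscore(value, mean, stdev)
        if abs(z) > k:
            alerts.append((i, value, round(z, 1)))
        else:
            normal.append(value)        # only normal intervals train the baseline
            normal = normal[-window:]   # bounded memory: rolling window
    return alerts


if __name__ == "__main__":
    mean, stdev = baseline(HISTORY)
    print("baseline: mean=%.1f stdev=%.1f" % (mean, stdev))
    for i, value, z in monitor(HISTORY, LIVE):
        kind = "spike" if z > 0 else "drop"
        print("interval %d: %d packets/min, z=%+.1f (%s)" % (i, value, z, kind))
```

With this data the detector flags intervals 2 and 5 and passes the mild rise to 133, which is the trade-off the threshold k expresses: a lower k catches smaller deviations at the cost of the false alarms the misuse section lists as a limitation of signatures too.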


CONCLUSION

To protect a network against attacks including intrusion, we must study its architecture, analyse its vulnerabilities and keep up to date with new threats, with the purpose of minimizing the risks that may occur. In this report we proposed and implemented a solution for securing a network based on an intrusion detection system, and performed several experiments to validate it. The report describes the process of implementing Snort on Debian. The IDS demonstrated that it can detect and analyze intrusions in real network traffic. Once Snort identifies an intrusion it sends an alert to the security staff, who take the required action immediately. Future work is to develop a prototype model that filters, drops and quarantines the attack traffic automatically in real time.


REFERENCES

1. Kreibich, C. and Crowcroft, J. 2004. Honeycomb: creating intrusion detection signatures using honeypots. ACM SIGCOMM Computer Communication Review, 34(1), pp. 51-56. http://portal.acm.org/citation.cfm?id=972384

2. Kruegel, C. et al. 2002. Stateful intrusion detection for high-speed networks. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, May 2002, pp. 285-294. http://www.cs.unc.edu/~jeffay/courses/nidsS05/signatures/kemerer-slicing-SP02.pdf

3. Paxson, V. 1999. Bro: a system for detecting network intruders in real-time. Computer Networks, 31(23-24), December 1999, pp. 2435-2463. http://www.cs.unc.edu/~jeffay/courses/nidsS05/signatures/paxson-bro-cn99.pdf

4. Roesch, M. 1999. Snort: lightweight intrusion detection for networks. In: Proceedings of LISA '99, 7-12 November 1999, USENIX, pp. 229-238. http://portal.acm.org/citation.cfm?id=1039864

5. Sommer, R. and Paxson, V. 2003. Enhancing byte-level network intrusion detection signatures with context. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, October 2003, ACM, pp. 262-271. http://www.cs.unc.edu/~jeffay/courses/nidsS05/signatures/sommer-context-ccs03.pdf

6. Totsuka, A. et al. 2002. Network-based intrusion detection: modeling for a larger picture. In: Proceedings of LISA 2002, 3-8 November 2002, USENIX, pp. 227-232. http://www.usenix.org/events/lisa02/tech/full_papers/totsuka/totsuka.pdf

7. https://www.sans.org/reading-room/whitepapers/detection/application-neural-networks-intrusion-detection-336

8. http://en.wikipedia.org/wiki/Intrusion_detection_system