Volume: 2 Issue: 6 | ISSN: 2321-8169 | 1450-1456
Abstract--Network intrusion detection, together with a firewall, provides an important layer of security for a computer system or network. This paper
describes a virtual network created with a virtualization tool and instrumented with the Snort IDS to monitor traffic crossing the network. Snort is a
free and open-source NIDS tool which is essentially a rule-driven system. The uniqueness of this hands-on approach is that it also allows a new
developer to learn Snort rule writing by testing and debugging their rules against live traffic. The main aim of this paper is to
provide a brief overview of Snort and to configure it in a virtual network to log or alert on intrusions. We have written our own set of
signatures in Snort and deployed them in a specified virtual network so that the network remains congestion and hassle free.
Keywords: Networks, Virtualization, snort, MySQL, Barnyard2.
1. Introduction
Problem Overview
IJRITCC | June 2014, Available @ http://www.ijritcc.org
In network intrusion detection system (NIDS) mode, alerts are
generated. Alerts can be produced in different ways: they can be
logged to a file or displayed on the console, and they can be
configured to show only the essential information or the entire
packet header.
3. Implementation
Figure: virtual network topology with Machine 1, Machine 2 and Machine 3 connected through the virtual network to a machine with the Snort sensor installed.
make zlib1g-dev libmysqld-dev libdnet libdnet-dev libpcre3
libpcre3-dev gcc make flex byacc bison linux-headers-generic
libxml2-dev libdumbnet-dev zlib1g zlib1g-dev
Basic requirements:
Snort rule:
Creating Database
Installing Barnyard2
4.4.1 Snort rule:
Rules in Snort follow a specific syntax and are defined in
plaintext *.rules files. They can be downloaded from the
official Snort website or written by the user according to
the network's requirements (user-defined rules).
where create_mysql is a script in Snort's contrib
directory that creates all of the necessary tables. The
generated tables were verified using the following command:
about the data in the network, such as the source IP address. The
content of one such packet is explained in Table 1 below.

Table 1: Fields of one logged packet
Value          Meaning
(not shown)    Timestamp
(not shown)    Source IP address
1900           Source port
->             Direction indicator
192.168.1.5    Destination IP address
50649          Destination port
UDP            Protocol
TTL:64         Time to live
TOS:0x0        Type of service
ID:922         Identification number
IpLen:20       Length of packet
DgmLen:359     Length of datagram
Table 5.2: Load.rules
1. alert tcp any any -> any any (msg:"mp3 download"; uricontent:".mp3"; nocase; flow:established,to_server; sid:10011; rev:1;)
2. alert tcp any any -> any any (msg:"pdf download"; uricontent:".pdf"; nocase; flow:established,to_server; sid:10012; rev:1;)
   # sid changed from the duplicate 10011 so that Snort loads both rules; every rule needs a unique sid
Table 5.3: Social.rules
1.
2.
5. Creating Rules in Snort
Our next step was to create rules in Snort. This is the most
important part of the IDS configuration because it determines
which packets will raise alerts. Although there are several
sources for finding and deploying rules, we developed
user-defined rules that are created and maintained locally
according to the specific needs of the network. Three rule
files were created:
Local.rules: the rules in this file generate an alert when a
protocol such as FTP or Telnet is used. Table 5.1 contains the
rules defined in this category.
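Hand-written rule files like those in Tables 5.1 to 5.3 are easy to get subtly wrong, and Snort refuses to start on some of the mistakes (an unquoted msg, two rules sharing a sid). The following added example, which is not the paper's code, is a small parser for the Snort rule text format that splits a rule into its header and option list and then lints a rules file for the two problems above plus a missing rev. The sample rules are constructed for this example and deliberately reproduce the duplicate sid 10011 that appears in Table 5.2.

```python
"""Minimal parser and linter for Snort's plaintext rule format (added example)."""
import re
from typing import Dict, List, Tuple

# header: action protocol src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


def split_options(opts: str) -> List[Tuple[str, str]]:
    """Split 'msg:"a;b"; sid:1;' into [("msg", '"a;b"'), ("sid", "1")].
    Semicolons inside double quotes do not end an option."""
    pairs, cur, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(cur).strip()
            if token:
                key, _, value = token.partition(":")
                pairs.append((key.strip(), value.strip()))
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:  # last option without a trailing semicolon
        key, _, value = tail.partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs


def parse_rule(line: str) -> Dict[str, object]:
    """Return the header fields and the option list of one rule line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a valid rule header: {line!r}")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["options"] = split_options(m.group("opts"))
    return rule


def lint_rules(text: str) -> List[str]:
    """Return human-readable problems found in the body of a rules file."""
    problems: List[str] = []
    seen_sids: Dict[str, int] = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as e:
            problems.append(f"line {n}: {e}")
            continue
        opts = dict(rule["options"])
        for key in ("msg", "content", "uricontent"):
            if key in opts and not (opts[key].startswith('"') and opts[key].endswith('"')):
                problems.append(f"line {n}: {key} value should be double-quoted")
        sid = opts.get("sid")
        if sid is None:
            problems.append(f"line {n}: missing sid")
        elif sid in seen_sids:
            problems.append(f"line {n}: duplicate sid {sid} (first used on line {seen_sids[sid]})")
        else:
            seen_sids[sid] = n
        if "rev" not in opts:
            problems.append(f"line {n}: missing rev")
    return problems


# constructed sample modelled on Table 5.2: the second rule repeats sid 10011
SAMPLE_RULES = """\
# constructed sample, not a rules file from the paper
alert tcp any any -> any any (msg:"mp3 download"; uricontent:".mp3"; nocase; flow:established,to_server; sid:10011; rev:1;)
alert tcp any any -> any any (msg:pdf download; uricontent:".pdf"; nocase; flow:established,to_server; sid:10011; rev:1;)
"""

if __name__ == "__main__":
    for problem in lint_rules(SAMPLE_RULES):
        print(problem)
```

Running the block reports the unquoted msg and the duplicate sid on the second rule; the same check can be pointed at a locally maintained rules file before Snort is restarted with it.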
6.
Rules have now been defined to alert on and log suspicious
packets in the network, so these rules were next analysed
against live data entering the network. For this we ran Snort
in NIDS mode several times a day; the output of one run is
shown in Figure 6.1, where a total of 450916 packets were
received and analysed by Snort. The alerts generated are shown
on the console, as in Figure 6.2 below, and are logged to the
database as well, as will be seen later. Snort was configured
to include the user-defined rule files created above, and all
other default rules that come with Snort were uncommented.
Results
alerts were generated. Out of these 4070 alerts, YouTube
access generated the largest number (around 58%), so we can
say that YouTube was used the most in our virtual network.
This comparison is given in Graph 7.1.
8. Conclusion
This paper describes the implementation of an IDS in a virtual
environment in order to test the traffic for any kind of intrusion
or anomaly in the network. Based on the alert count we
concluded that a particular kind of packet can also make a network
congested; in Snort we can block or drop that particular
packet so as to keep the network free from congestion. All the
logs or alerts generated by Snort during live analysis of data
packets can be stored in a database and retrieved later with
simple SQL queries. Barnyard2 can also be a useful tool as it
can log details that MySQL misses. We have successfully
implemented and analysed Snort in a virtual environment using
VirtualBox and MySQL. Nowadays there are many dynamic
websites which refresh automatically after a few seconds and
send packets at regular intervals, so in that case the number
of alerts generated will be very high, as in the case of
YouTube. Future work is to introduce a threshold parameter to
limit the occurrence of alerts based on the number of times a
rule is triggered in a given time period.
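The per-signature alert count reported in the Results section and the rate limit proposed as future work can both be worked out from the alert database. The added example below is not the paper's code: it builds an in-memory sqlite3 database (standing in for MySQL) whose tables mimic a reduced subset of the event, signature and iphdr tables that Barnyard2 writes, with IP addresses stored as text for readability rather than as the unsigned integers Barnyard2 uses. alerts_per_signature is the SQL aggregation behind a graph like Graph 7.1, and apply_limit emulates Snort's event_filter of type limit tracked by source, so the effect of a threshold can be judged on stored alerts before it is added to snort.conf. The alert rows are constructed so that one self-refreshing signature dominates, as YouTube did in the paper's run.

```python
"""Alert reporting and an emulated per-rule rate limit over a Barnyard2-style database (added example)."""
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# reduced, constructed subset of the Barnyard2/ACID schema (sqlite in place of MySQL)
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_sid INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src TEXT, ip_dst TEXT,
                    PRIMARY KEY (sid, cid));
"""

# constructed signatures; the sids are illustrative, not the paper's
SIGNATURES = [(1, "youtube access", 10020), (2, "mp3 download", 10011), (3, "ftp session", 10001)]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding constructed alerts from one sensor (sid 1)."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO signature VALUES (?,?,?)", SIGNATURES)
    t0 = datetime(2014, 6, 1, 10, 0, 0)
    cid = 0

    def add(sig_id: int, src: str, seconds: int) -> None:
        nonlocal cid
        cid += 1
        ts = (t0 + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")
        con.execute("INSERT INTO event VALUES (1,?,?,?)", (cid, sig_id, ts))
        con.execute("INSERT INTO iphdr VALUES (1,?,?,?)", (cid, src, "192.168.1.5"))

    # a page that refreshes itself every 5 s produces a burst of identical alerts
    for i in range(12):
        add(1, "192.168.1.10", 5 * i)
    for i in range(4):
        add(2, "192.168.1.11", 30 * i)
    for i in range(4):
        add(3, "192.168.1.12", 100 * i)
    con.commit()
    return con


def alerts_per_signature(con: sqlite3.Connection) -> List[Tuple[str, int, float]]:
    """(sig_name, count, percent of all alerts), most frequent first."""
    rows = con.execute("""
        SELECT s.sig_name, COUNT(*) AS n
        FROM event e JOIN signature s ON e.signature = s.sig_id
        GROUP BY s.sig_name ORDER BY n DESC""").fetchall()
    total = sum(n for _, n in rows)
    return [(name, n, round(100.0 * n / total, 1)) for name, n in rows]


def apply_limit(con: sqlite3.Connection, count: int, seconds: int) -> Dict[str, int]:
    """Emulate event_filter 'type limit, track by_src': keep at most `count`
    alerts per (rule, source) in each `seconds` window that starts with the
    first alert seen. Returns the number of alerts kept per signature."""
    rows = con.execute("""
        SELECT s.sig_name, i.ip_src, e.timestamp
        FROM event e JOIN signature s ON e.signature = s.sig_id
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        ORDER BY e.timestamp""").fetchall()
    window_start: Dict[Tuple[str, str], datetime] = {}
    seen: Dict[Tuple[str, str], int] = defaultdict(int)
    kept: Dict[str, int] = defaultdict(int)
    for name, src, ts in rows:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = (name, src)
        if key not in window_start or (t - window_start[key]).total_seconds() >= seconds:
            window_start[key], seen[key] = t, 0  # open a new window
        seen[key] += 1
        if seen[key] <= count:
            kept[name] += 1
    return dict(kept)


if __name__ == "__main__":
    db = build_sample_db()
    for name, n, pct in alerts_per_signature(db):
        print(f"{name:16s} {n:4d} {pct:5.1f}%")
    print("kept after limit 1 per 60 s:", apply_limit(db, count=1, seconds=60))
```

With the constructed data the refreshing page accounts for 60% of all alerts, and a limit of one alert per rule and source per 60 seconds collapses its twelve alerts to one while the slower FTP sessions are all kept, which is the behaviour a threshold parameter should have.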