Aim: To study the scope and importance of Intrusion detection systems

Theory:

Intrusion Detection System (IDS)

Definition:

An intrusion detection system (IDS) inspects inbound and outbound network or host activity and identifies suspicious patterns that may indicate an attempt to break into or compromise a system. It is a detective control: it observes and reports, and (unless it is built to react, see below) leaves the response to a person.

Intrusion detection functions include:

  • Monitoring and analyzing both user and system activities
  • Analyzing system configurations and vulnerabilities
  • Assessing system and file integrity
  • Recognizing patterns typical of known attacks
  • Analyzing abnormal activity patterns
  • Tracking user policy violations

ID systems were developed in response to the increasing number of attacks on major sites and networks, including those of the Pentagon (the U.S. Department of Defense), the White House and NATO. Safeguarding security is becoming increasingly difficult: attack techniques are becoming ever more sophisticated, while at the same time less technical ability is required of a novice attacker, because proven past methods and ready-made tools are easily found on the Web.

There are several ways to categorize an IDS:

  • NIDS (Network Intrusion Detection Systems):

Network Intrusion Detection Systems are placed at one or more strategic points in the network (typically fed from a mirror/SPAN port or a network tap) to monitor traffic to and from all devices on that segment. Ideally you would inspect all inbound and outbound traffic; however, doing so may create a bottleneck that impairs the overall speed of the network, or overload the sensor so that it silently drops packets and misses the attacks they carried. A NIDS also cannot inspect the contents of encrypted traffic unless it is given the keys or placed behind a TLS-terminating proxy.

  • HIDS (Host Intrusion Detection Systems):

Host Intrusion Detection Systems run on individual hosts or devices on the network. A HIDS monitors the activity of that device only: the packets it sends and receives, and typically also its logs, running processes and the integrity of critical files. It alerts the user or administrator if suspicious activity is detected. Because it runs on the host, it sees what a NIDS cannot (decrypted data, local privilege abuse), but an attacker who gains control of the host can also tamper with it.

  • Signature Based:

A signature-based IDS monitors packets on the network and compares them against a database of signatures (byte patterns or attributes) of known malicious threats, much as most antivirus software detects malware. The issue is the lag between a new threat being discovered in the wild and a signature for it being written, tested and applied to your IDS; during that window the IDS cannot detect the new threat. Signatures can also be evaded by encoding or fragmenting an attack so that the bytes on the wire no longer match, which is why pattern matching is normally preceded by normalization (see the pre-processors under Snort below).

  • Anomaly Based:

An anomaly-based IDS monitors network traffic and compares it against an established baseline. The baseline describes what is "normal" for that network (how much bandwidth is generally used, which protocols are used, which ports and devices generally connect to each other), and the IDS alerts the administrator or user when traffic is detected that is anomalous, that is, significantly different from the baseline. Its strength is that it can flag previously unknown attacks; its weakness is that any legitimate change in behaviour also looks anomalous, so it tends to produce more false positives, and the baseline must be learned from traffic that is known to be clean, or an ongoing attack becomes part of "normal".

  • Passive system vs. Reactive system:

In a passive system, the IDS detects a potential security breach, logs the information and signals an alert; a person decides what to do about it. In a reactive system (today usually called an intrusion prevention system, IPS), the IDS itself responds to the suspicious activity, for example by logging off a user, resetting the connection, or reprogramming the firewall to block network traffic from the suspected malicious source. The cost of reacting automatically is that a false positive now blocks legitimate traffic, so an attacker who can provoke alerts with spoofed source addresses can turn a reactive IDS into a denial-of-service tool against the very hosts it protects.
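To make the difference between the two detection approaches concrete, here is an added example (written for this page, not code from any IDS product) that runs a toy signature matcher and a toy anomaly baseline over a handful of constructed packet summaries. The signature database, the training traffic, the fan-out threshold and all addresses are assumptions made up for the demonstration; the point is which cases each approach catches and which both miss.

```python
"""Signature-based and anomaly-based detection side by side.

Added example (not from any IDS product): a toy detector run over
constructed packet summaries, to show what each approach catches and misses.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; a real sensor would decode these fields."""
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


# Constructed signature database: name -> byte pattern expected in the payload.
SIGNATURES = {
    "SQL injection (UNION SELECT)": b"UNION SELECT",
    "Directory traversal": b"../../",
}


def signature_matches(pkt: Packet) -> list[str]:
    """Signature-based check: every known pattern present in the payload."""
    hay = pkt.payload.upper()
    return [name for name, pat in SIGNATURES.items() if pat.upper() in hay]


class Baseline:
    """Anomaly-based check: learn 'normal' from traffic assumed to be clean."""

    def __init__(self, training: list[Packet], max_ports_per_src: int = 3):
        # Services that normally receive traffic, as (proto, dport) pairs.
        self.services = {(p.proto, p.dport) for p in training}
        # A source touching more distinct ports than this looks like a scan
        # (threshold is an assumption for the demo).
        self.max_ports_per_src = max_ports_per_src
        self.fanout: dict[str, set[int]] = defaultdict(set)

    def observe(self, pkt: Packet) -> list[str]:
        """Return the ways this packet deviates from the baseline (empty = normal)."""
        reasons = []
        if (pkt.proto, pkt.dport) not in self.services:
            reasons.append(f"unseen service {pkt.proto}/{pkt.dport}")
        self.fanout[pkt.src].add(pkt.dport)
        if len(self.fanout[pkt.src]) > self.max_ports_per_src:
            reasons.append(f"{pkt.src} touched {len(self.fanout[pkt.src])} ports")
        return reasons


# Constructed clean traffic used to build the baseline: web and DNS only.
TRAINING = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.6", "10.0.0.80", "tcp", 443, b"\x16\x03\x01\x00"),
    Packet("10.0.0.5", "10.0.0.53", "udp", 53, b"\x12\x34\x01\x00"),
]

# Constructed test traffic: one case per outcome.
CASES = {
    "sqli": [Packet("203.0.113.9", "10.0.0.80", "tcp", 80,
                    b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1")],
    "zero_day": [Packet("203.0.113.9", "10.0.0.80", "tcp", 80,
                        b"GET /?q=novel-exploit-no-signature-yet HTTP/1.1")],
    "backdoor": [Packet("10.0.0.80", "203.0.113.9", "tcp", 4444, b"sh-4.4$ ")],
    "scan": [Packet("198.51.100.7", "10.0.0.80", "tcp", p, b"") for p in (21, 22, 23, 25)],
}


def run_demo() -> dict[str, dict[str, list[str]]]:
    """For each case, collect signature hits and the anomalies of its last packet."""
    baseline = Baseline(TRAINING)
    results = {}
    for name, pkts in CASES.items():
        sig, anomalies = [], []
        for pkt in pkts:
            sig += signature_matches(pkt)
            anomalies = baseline.observe(pkt)  # keep the last packet's verdict
        results[name] = {"signature": sig, "anomaly": anomalies}
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:9} signature={verdict['signature']} anomaly={verdict['anomaly']}")
```

Read the four cases against the text: the SQL injection on port 80 is caught only by the signature (it is normal traffic to a normal service); the reverse shell on port 4444 and the port scan are caught only by the baseline (there is no pattern to match, but the service and the fan-out are new); and the "zero-day" request on port 80 is caught by neither, which is exactly the signature lag and the baseline's blindness to attacks that look like ordinary use of a known service.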

An IDS differs from a firewall. A firewall enforces an access policy between networks: it limits which traffic may pass in order to prevent intrusion, but it does not inspect the traffic it allows for attacks, and it does not see, let alone signal, an attack that originates inside the network. An IDS evaluates a suspected intrusion once it has taken place (or while it is in progress) and signals an alarm, and it also watches for attacks that originate from within the network. The two are complementary: the firewall reduces what can reach a system, the IDS tells you what got through or started inside.

Snort

Snort® is an open source network intrusion detection and prevention system (IDS/IPS), originally written by Martin Roesch and developed by Sourcefire (now part of Cisco). Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.

Components of Snort

Snort is logically divided into the following five major components.

  • Packet Decoder:

The Packet Decoder is the first component. It takes the raw frames captured from the network interface, decodes the link-layer, IP and transport headers into Snort's internal packet structure, and hands the packet on to be pre-processed.

  • Pre-processors:

The second component, the pre-processors, arrange and normalize packets before the detection engine analyses them. Some undo evasion and detect basic anomalies: de-fragmenting IP datagrams and reassembling TCP streams (attackers fragment and split an attack so that no single packet contains the whole signature), and HTTP URL decoding (attackers hex-encode characters in a URL so that the bytes on the wire differ from the signature). Others detect and log port-scanning activity, detect anomalies in ARP packets (to identify ARP spoofing), etc.
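The two evasion-handling pre-processors named above are easy to see in miniature. The following added example (not Snort's frag3 or http_inspect code) runs a plain content check on constructed IP fragments as they arrive, and then the same check after fragment reassembly and URL decoding; the signature, fragments and datagram identifiers are constructed for the demo, and the reassembler deliberately refuses overlapping fragments rather than implementing the per-OS overlap policies a real one needs.

```python
"""Why pre-processing happens before rule matching.

Added example (not Snort's own code): a naive content check versus the same
check run after IP-fragment reassembly and HTTP URL decoding, over
constructed fragments. Snort's frag3 and http_inspect pre-processors do the
real versions of these two steps.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

# Constructed signature: the byte string a rule would look for in the payload.
SIGNATURE = b"/etc/passwd"


@dataclass(frozen=True)
class Fragment:
    """One IP fragment: datagram id, byte offset, more-fragments flag, data."""
    datagram_id: int
    offset: int
    more: bool
    data: bytes


def reassemble(frags: list[Fragment]) -> dict[int, bytes]:
    """Rebuild complete datagrams; drop any with a gap, overlap or missing tail.

    Real reassemblers must also choose a policy for overlapping fragments,
    because different operating systems keep the first or the last copy and
    an attacker can exploit the difference; this toy simply refuses them.
    """
    by_id: dict[int, list[Fragment]] = defaultdict(list)
    for f in frags:
        by_id[f.datagram_id].append(f)
    datagrams = {}
    for did, parts in by_id.items():
        buf, complete = b"", False
        for f in sorted(parts, key=lambda f: f.offset):
            if f.offset != len(buf):  # gap or overlap: refuse the datagram
                break
            buf += f.data
            complete = not f.more
        else:
            if complete:
                datagrams[did] = buf
    return datagrams


def normalize_uri(payload: bytes) -> bytes:
    """Percent-decode so hex-encoded paths compare equal to plain signatures."""
    return unquote_to_bytes(payload)


def detect_naive(frags: list[Fragment]) -> set[int]:
    """Match each fragment on its own, exactly as it arrived on the wire."""
    return {f.datagram_id for f in frags if SIGNATURE in f.data}


def detect_preprocessed(frags: list[Fragment]) -> set[int]:
    """Reassemble, normalize, then match: the order Snort's pipeline uses."""
    return {did for did, data in reassemble(frags).items()
            if SIGNATURE in normalize_uri(data)}


# Constructed traffic: three attacks, each split into fragments.
FRAGMENTS = [
    # 1: plain request, split in the middle of the signature
    Fragment(1, 0, True, b"GET /etc/pa"),
    Fragment(1, 11, False, b"sswd HTTP/1.1\r\n"),
    # 2: hex-encoded path, fragments arriving out of order
    Fragment(2, 17, False, b"wd HTTP/1.1\r\n"),
    Fragment(2, 0, True, b"GET /%65tc/%70ass"),
    # 3: encoded and missing its final fragment: nothing complete to match
    Fragment(3, 0, True, b"GET /%65tc/%70asswd"),
]


if __name__ == "__main__":
    print("naive:        ", detect_naive(FRAGMENTS))
    print("preprocessed: ", detect_preprocessed(FRAGMENTS))
```

The naive check finds nothing, because no single fragment contains the signature bytes; after reassembly and decoding, datagrams 1 and 2 both match, and datagram 3 is never matched because it never completes. That is also a reminder that a sensor which runs out of memory holding incomplete fragments, or times them out sooner than the target host does, can be made to miss an attack the host still receives.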

  • Detection Engine:

The third component, the Detection Engine, is the heart of Snort. It analyses every packet passing through it for signs of intrusion by applying pre-defined rules. It can dissect a packet and apply rule criteria to its different parts: the IP header, the transport-layer header, the application-layer header and the packet payload.

  • Logging and Alerting System:

The fourth component is the Logging and Alerting System. When the detection engine matches a rule, the activity is logged for later perusal by the network engineers, an alert is generated, or both, depending on the action the rule specifies.

  • Output modules or plug-ins:

The fifth component, the output modules or plug-ins, controls the type of output produced by the logging and alerting system. Their functions include generating log reports, writing alert reports to a file, sending SNMP traps, logging to a database (such as MySQL), sending a message to a syslog server, etc.

In some installations additional tools are used along with Snort: a MySQL database to store the alert data, Apache as the web server, PHP as the interface between the web server and the database, and a PHP console such as ACID (or its successor BASE) to view and analyse the Snort data.

Snort (the 2.x series) is a single-threaded application which can be configured to operate in four modes:

  • Packet Sniffer Mode

Packet Sniffer mode simply reads packets off the network and displays them in a continuous stream on the console, much like tcpdump.

  • Packet logger Mode

Packet Logger mode logs the packets to disk. To record packets to disk, specify a logging directory; once a logging directory is given, Snort knows to go into packet logger mode. The directory (conventionally one named log in the current directory) must already exist, otherwise Snort exits with an error. In this mode Snort collects every packet it sees and places it in a directory hierarchy based on the IP address of one of the hosts in the datagram (the remote host, if Snort has been told which network is the home network).

  • Detection Mode

Network Intrusion Detection System (NIDS) mode makes Snort analyse network traffic for matches against a user-defined rule set and take the action each matched rule specifies (alert, log, or pass). This is the mode in which Snort is normally deployed.

  • Prevention Mode/ Inline Mode

Inline mode prevents rather than merely detects network threats. Snort Inline obtains packets from iptables (via the kernel's packet-queueing interface) instead of from libpcap, and uses additional rule actions (drop, sdrop and reject) that tell iptables whether to pass or drop each packet based on Snort rules. Because the sensor is now in the forwarding path, an overloaded or crashed single-threaded Snort process stalls or drops the traffic it is protecting, so whether the sensor fails open or fails closed must be decided deliberately.

Working of Snort

Snort captures raw packets with libpcap and then decodes and pre-processes them before forwarding them to the detection engine. The pre-processing includes early packet dropping, classification, layer-three IP fragment reassembly, layer-four TCP session reconstruction and so forth. The detection engine checks packet headers as well as payloads against a rule set of several thousand pre-defined attack signatures, as shown in figure 1.

Snort rules are divided into two logical sections, the rule header and the rule options. In figure 2, the text up to the first parenthesis is the rule header and the section enclosed in parentheses is the rule options; the words before the colons in the options section are called option keywords. The rule header contains the rule's action, the protocol, the source and destination IP addresses and netmasks, the direction, and the source and destination ports. The rule options contain the alert message and specify which parts of the packet should be inspected to decide whether the rule action should be taken. If a rule matches, the action configured for it is taken. The two most commonly used actions are "alert" and "log". The alerting facility exists to report that a suspicious packet has been detected; the logging facility exists to record the full packet. Snort can output "alert" and "log" data in a variety of formats and by a variety of methods.

Output formats include binary (libpcap/tcpdump format) and ASCII. Binary format offers speed and flexibility (the logs can be replayed through any pcap tool), whereas ASCII format is easier to read directly. Output methods include writing to a file, the console or screen, syslog, or SQL database plug-ins. The "alert" action is hard coded to perform two steps in sequence: write an event to the alerting facility, then log as much of the packet as possible. The "log" action logs the packet to the logging facility without generating an alert.
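As an added example of this header/options split (not Snort's own detection engine), the following parses rules written in Snort's syntax, resolves $HOME_NET and $EXTERNAL_NET from a constructed variable table, and applies the rules to constructed packets so that the difference between the "alert" and "log" actions is visible in the result. It covers only a small subset of the rule language (a single content option, nocase, "any", CIDR blocks, "!" negation and low:high port ranges, "->" direction only); the rules, variable values, addresses and payloads are all assumptions for the demo.

```python
"""Parse Snort-style rules and apply them to packets.

Added example, not Snort's own engine: it supports only a subset of the rule
language (one content option, nocase, 'any', CIDR blocks, '!' negation and
low:high port ranges), enough to show how the rule header and the rule
options divide the work. Rules, variable values and packets are constructed.
"""
import ipaddress
import re
from collections import namedtuple

# A real snort.conf defines these with ipvar; the values here are constructed.
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}

# Rule header: action proto src sport -> dst dport, then options in parentheses.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# Rule options: keyword[:value]; where a quoted value may itself contain ';'.
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

Packet = namedtuple("Packet", "proto src sport dst dport payload")
Rule = namedtuple("Rule", "action proto src sport dst dport options")


def parse_rule(text: str) -> Rule:
    """Split a rule into its header fields and an options dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    # Bare keywords such as nocase become True; quoted values lose their quotes.
    opts = {k: (v.strip('"') if v else True) for k, v in OPTION_RE.findall(m["opts"])}
    return Rule(m["action"], m["proto"], VARS.get(m["src"], m["src"]), m["sport"],
                VARS.get(m["dst"], m["dst"]), m["dport"], opts)


def ip_matches(spec: str, addr: str) -> bool:
    """'any', an address or CIDR block, optionally negated with '!'."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")


def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, or a low:high range, optionally negated with '!'."""
    if spec == "any":
        return True
    lo, sep, hi = spec.lstrip("!").partition(":")
    low = int(lo or 0)
    high = int(hi) if hi else (65535 if sep else low)
    return (low <= port <= high) != spec.startswith("!")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Cheap header checks first, then the payload content option."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (ip_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and ip_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)):
        return False
    content = rule.options.get("content")
    if content is None:
        return True
    needle, hay = content.encode(), pkt.payload
    if rule.options.get("nocase"):
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def run_rules(rules, packets):
    """'alert' writes to the alert facility and logs; 'log' only logs."""
    alerts, logged = [], []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                event = (rule.options.get("sid"), rule.options.get("msg"), pkt.src, pkt.dst)
                logged.append(event)
                if rule.action == "alert":
                    alerts.append(event)
    return alerts, logged


RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-ATTACK /etc/passwd access"; '
    'content:"/etc/passwd"; nocase; sid:1000001; rev:1;)',
    'log tcp any any -> $HOME_NET 23 (msg:"Telnet session logged"; sid:1000002; rev:1;)',
)]
PACKETS = [  # the fourth packet is the same traversal attempt, but from inside $HOME_NET
    Packet("tcp", "203.0.113.7", 51234, "192.168.1.10", 80, b"GET /../../ETC/PASSWD HTTP/1.1\r\n"),
    Packet("tcp", "203.0.113.7", 51235, "192.168.1.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("tcp", "192.168.1.5", 40000, "192.168.1.10", 23, b"\xff\xfd\x18"),
    Packet("tcp", "192.168.1.5", 40001, "192.168.1.10", 80, b"GET /etc/passwd HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    print(run_rules(RULES, PACKETS))
```

Running it produces one alert (the external traversal attempt, which also appears in the log) and a second log-only entry for the telnet connection; the internal traversal attempt produces nothing because $EXTERNAL_NET excludes the home network. That last case is the practical reason to define $HOME_NET and $EXTERNAL_NET carefully: a rule whose header never matches is a rule that never fires, however good its content pattern.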

Conclusion: Thus we have studied the scope and importance of Intrusion detection systems.