Intrusion Detection System Using Snort
1, 2, 3, 4, 5 RKGITW
Abstract: Security is a major concern for all networks in today's enterprise environment. Hackers and intruders have made many successful attempts to bring down high-profile company networks and web services. Many methods have been developed to secure the network infrastructure and communication over the Internet, among them firewalls, encryption, and virtual private networks. Intrusion detection is a relatively new addition to these techniques. The advantage of this approach is that it provides a global and comprehensive context in which to describe an intrusion detection system (IDS). Snort is primarily a rule-based IDS; however, input plug-ins are present to detect anomalies in protocol headers. This paper presents the intrusion detection and vulnerability scanning capabilities that are considered necessary for the network.

Index terms: Intrusion detection, vulnerability scanning, architecture, IDS, Snort.

I. Introduction:

able to find and log suspicious activity and generate alerts. Anomaly-based intrusion detection usually depends on anomalies in the protocol header fields of packets. In some cases these methods produce better results than signature-based IDS. Usually an intrusion detection system captures data from the network and applies its rules to that data or detects anomalies in it. Snort uses rules stored in text files that can be modified with a text editor. Rules are grouped in categories, and the rules belonging to each category are stored in a separate file. These files are then included in a main configuration file called snort.conf. Snort reads these rules at start-up and builds internal data structures, or chains, to apply them to captured data. Snort comes with a rich set of pre-defined rules to detect intrusion activity, and we are free to add our own rules at will. We can also remove some of the built-in rules to avoid false alarms.

II. Where Should an IDS Be Placed in the Network Topology?
Packet Decoder-
The packet decoder takes packets from different types of network interfaces and prepares them to be preprocessed or sent to the detection engine. The interfaces may be Ethernet, SLIP, PPP and so on.

Preprocessors-
Preprocessors are components or plug-ins that can be used with Snort to arrange or modify data packets before the detection engine operates on them to find out whether the packet is being used by an intruder. Some preprocessors also perform detection by finding anomalies in packet headers and generating alerts. Preprocessors are very important for any IDS, since they prepare data packets to be analyzed against the rules in the detection engine.

Fig. 2. Components of Snort.
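As an added illustration (not code from the paper or from Snort itself), the following Python program models the pipeline of Fig. 2 end to end, together with the rule handling described in the Introduction: a main configuration with `var` and `include` lines, rule files in which a leading `#` disables a built-in rule, a decoder for Ethernet/IPv4/TCP frames, a preprocessor that flags a header anomaly, a detection engine that walks per-port rule chains, and an output stage that writes lines shaped like Snort's fast alert format. The rule syntax supported is a small subset of Snort's, and the rule files, addresses, SIDs and frames are all constructed for the example.

```python
"""Miniature Snort-style pipeline: added example, not Snort's own code. Rule syntax is a
small subset of Snort's; rule files and frames are constructed for the example."""
import ipaddress
import re
import struct
from collections import defaultdict

# Constructed rule files (stand-ins for the files under $RULE_PATH). A leading '#'
# disables a built-in rule in place, the usual way to silence a noisy one.
RULE_FILES = {
    "snort.conf": "var HOME_NET 10.0.0.0/24\ninclude telnet.rules\ninclude local.rules\n",
    "telnet.rules": 'alert tcp any any -> $HOME_NET 23 (msg:"TELNET connection"; sid:1000001; rev:1;)\n'
                    '#alert tcp any any -> $HOME_NET 23 (msg:"TELNET noisy rule"; sid:1000002; rev:1;)\n',
    "local.rules": 'alert tcp any any -> $HOME_NET 22 (msg:"SSH banner to sensor"; content:"SSH-"; sid:1000003; rev:2;)\n',
}
RULE_RE = re.compile(r"^alert\s+tcp\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")

def parse_rule(line, variables):
    """Parse one rule line into a dict; blank and '#'-disabled lines yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unsupported rule syntax: " + line)
    src, sport, dst, dport, opts = m.groups()
    var = lambda a: variables[a[1:]] if a.startswith("$") else a   # $HOME_NET -> its CIDR
    o = dict(kv.strip().split(":", 1) for kv in opts.split(";") if kv.strip())
    return {"proto": "tcp", "src": var(src), "dst": var(dst),
            "sport": sport if sport == "any" else int(sport),
            "dport": dport if dport == "any" else int(dport),
            "msg": o["msg"].strip('"'), "sid": int(o["sid"]), "rev": int(o.get("rev", 1)),
            "content": o["content"].strip('"').encode() if "content" in o else None}

def load_rules(files, main="snort.conf"):
    """Resolve 'var' and 'include' lines of the main config into chains keyed by (proto, dport)."""
    variables, chains = {}, defaultdict(list)
    for line in files[main].splitlines():
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
        elif line.startswith("include "):
            for raw in files[line.split(None, 1)[1]].splitlines():
                rule = parse_rule(raw, variables)
                if rule:
                    chains[(rule["proto"], rule["dport"])].append(rule)
    return chains

def build_frame(src, dst, sport, dport, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame for the example (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def decode(frame):
    """Packet decoder: Ethernet -> IPv4 -> TCP; anything else returns None."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
        return None
    ip = frame[14:]
    tcp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"proto": "tcp", "src": str(ipaddress.ip_address(ip[12:16])), "dst": str(ipaddress.ip_address(ip[16:20])),
            "sport": sport, "dport": dport, "payload": tcp[(tcp[12] >> 4) * 4:]}

def preprocess(pkt):
    """Preprocessor: normalise the payload and flag a header anomaly (TCP port 0) as its own alert."""
    pkt["payload"] = pkt["payload"].lstrip(b"\x00")
    return [(1, "decoder: TCP port 0")] if 0 in (pkt["sport"], pkt["dport"]) else []

def detect(pkt, chains):
    """Detection engine: walk the chain for this destination port (plus 'any') and return matching rules."""
    in_net = lambda addr, spec: spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
    candidates = chains.get((pkt["proto"], pkt["dport"]), []) + chains.get((pkt["proto"], "any"), [])
    return [r for r in candidates if in_net(pkt["src"], r["src"]) and in_net(pkt["dst"], r["dst"])
            and r["sport"] in ("any", pkt["sport"]) and (r["content"] is None or r["content"] in pkt["payload"])]

def fast_alert(ts, gid, sid, rev, msg, pkt):
    """Output stage: one line shaped like Snort's fast alert format."""
    return f"{ts}  [**] [{gid}:{sid}:{rev}] {msg} [**] {{TCP}} {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}"

def run(frames, chains, ts="01/01-00:00:00.000000"):
    """Decoder -> preprocessor -> detection engine -> alert lines (in memory rather than /var/log/snort)."""
    alerts = []
    for pkt in filter(None, map(decode, frames)):
        for sid, msg in preprocess(pkt):      # gid 116 is Snort's decoder generator id; the sid is ours
            alerts.append(fast_alert(ts, 116, sid, 1, msg, pkt))
        for r in detect(pkt, chains):
            alerts.append(fast_alert(ts, 1, r["sid"], r["rev"], r["msg"], pkt))
    return alerts

# Constructed traffic: SSH banner (matches), telnet connection (matches; the disabled rule stays silent),
# HTTP on port 22 (content test fails), telnet to a host outside HOME_NET (no match), source port 0 (anomaly + rule).
FRAMES = [build_frame("10.0.0.9", "10.0.0.5", 41234, 22, b"SSH-2.0-OpenSSH_8.9"),
          build_frame("203.0.113.7", "10.0.0.5", 50000, 23),
          build_frame("10.0.0.9", "10.0.0.5", 41235, 22, b"GET / HTTP/1.0\r\n"),
          build_frame("10.0.0.9", "192.0.2.1", 41236, 23),
          build_frame("198.51.100.2", "10.0.0.5", 0, 23)]

if __name__ == "__main__":
    print("\n".join(run(FRAMES, load_rules(RULE_FILES))))
```

Running the program prints four alerts: the SSH banner and the telnet connection match their rules, the commented-out telnet rule never enters a chain, the HTTP request on port 22 fails the `content` test, the connection to a host outside `$HOME_NET` fails the destination-network test, and the frame with source port 0 yields a decoder alert followed by its rule alert. The point of the chain structure is visible in `detect`: only the rules filed under the packet's protocol and destination port are examined, which is what makes a large rule set affordable per packet.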
The Detection Engine-
The detection engine is the most important part of Snort. Its responsibility is to detect whether any intrusion activity exists in a packet.

Logging and Alerting System-
Depending upon what the detection engine finds inside a packet, the packet may be used to log the activity or to generate an alert. Logs are kept in simple text files or in some other form. All of the log files are stored under the /var/log/snort directory by default.

Output Modules-
Output modules or plug-ins can perform different operations depending on how we want to save the output generated by the logging and alerting system of Snort. Basically, these modules control the type of output generated by the logging and alerting system.

VI. How to Protect the IDS Itself?

One major issue is how to protect the system on which our intrusion detection software is running. If the security of the IDS is compromised, we may start getting false alarms or no alarms at all. The intruder may disable the IDS before actually performing any attack. There are different ways to protect our system, ranging from very general recommendations to more sophisticated methods. Some of these are mentioned below:
• The first thing we can do is not to run any service on the IDS sensor itself. Network services are the most common means of exploiting a system.
• New threats are discovered and patches are released by vendors; this is an almost continuous, non-stop process. The platform on which we run the IDS should be patched with the latest releases from our vendor.
• If we are running Snort on a Linux machine, use netfilter to block any unwanted data. Snort will still be able to see all of the data, because in its normal passive mode it captures frames from the interface through libpcap before they reach the netfilter INPUT chain.
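The first and third recommendations can be checked and applied from a script. The following Python helpers are an added example, not part of the paper: `unexpected_listeners` parses the output of `ss -Hltn` (constructed here for a hypothetical sensor) and reports every network-reachable listener that is not on an allow-list, and `netfilter_rules` emits an iptables ruleset for the management interface that accepts SSH only from the management network and logs and drops everything else. The interface name `eth0`, the management network `10.0.0.0/24` and the sample socket listing are assumptions.

```python
"""Sensor-host hardening helpers: added example, not from the paper. Audits listening
sockets from `ss -Hltn` output and emits an iptables ruleset for the management interface."""
import ipaddress
import re

# Constructed `ss -Hltn` output for a hypothetical sensor: sshd on all addresses, plus a web
# server and a database that have no business on an IDS host.
SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:3306      0.0.0.0:*
"""

def listening_sockets(ss_text):
    """Yield (address, port) for each LISTEN line; columns are State Recv-Q Send-Q Local:Port Peer:Port."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            addr, port = fields[3].rsplit(":", 1)   # rsplit: IPv6 addresses contain colons
            yield addr.strip("[]"), int(port)

def is_loopback(addr):
    """True for 127.x and ::1; '*' is how some ss versions print the unspecified address."""
    return addr != "*" and ipaddress.ip_address(addr).is_loopback

def unexpected_listeners(ss_text, allowed_ports=frozenset({22})):
    """Network-reachable listeners outside the allow-list. Loopback-only binds are left out because
    they cannot be reached from the wire, which is what the 'no services on the sensor' rule is about."""
    return sorted((a, p) for a, p in listening_sockets(ss_text)
                  if p not in allowed_ports and not is_loopback(a))

def netfilter_rules(mgmt_iface, mgmt_net, ssh_port=22):
    """iptables commands for the management interface: SSH from the management network only,
    everything else logged and dropped. Inputs are validated because the lines are meant to be
    piped to a shell. The capture interface gets no rules: Snort reads frames via libpcap before
    they reach the INPUT hook, so it still sees traffic that this policy drops."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", mgmt_iface):
        raise ValueError("bad interface name: %r" % mgmt_iface)
    net = ipaddress.ip_network(mgmt_net)          # ValueError on malformed input or host bits set
    return [
        "iptables -F INPUT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP",
        f"iptables -A INPUT -i {mgmt_iface} -p tcp -s {net} --dport {ssh_port} -m conntrack --ctstate NEW -j ACCEPT",
        'iptables -A INPUT -j LOG --log-prefix "sensor-drop: " --log-level 4',
        "iptables -A INPUT -j DROP",
        "iptables -P FORWARD DROP",
        "iptables -P INPUT DROP",                  # policy last: no lock-out window while applying over SSH
    ]

if __name__ == "__main__":
    for addr, port in unexpected_listeners(SS_OUTPUT):
        print(f"# unexpected listener: {addr}:{port}")
    print("\n".join(netfilter_rules("eth0", "10.0.0.0/24")))
```

On the constructed listing the audit reports only `0.0.0.0:80`: the database bound to 127.0.0.1 is not reachable from the network, while the web server is exactly the kind of exposed service the first recommendation warns against. The policy line `iptables -P INPUT DROP` is emitted after the accept rules so that applying the list over an SSH session cannot cut the operator off before the SSH rule exists.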
VII. Conclusion:

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Snort is primarily a rule-based IDS, used to perform intrusion detection and to attempt to stop detected incidents. Intrusion detection systems (IDS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

IX. Biography:

System. He is working as Associate Professor at RKGITW. He has published a number of research papers in various international and national journals. His research interests are power system losses, and restructuring and deregulation of power. He is a member of IEEE and ISTE.

Sonal Sapra graduated in Electrical Engineering in 2003 from KIET, Ghaziabad, and received her M.Tech degree in 2007 from UPTU. Presently she is working as Assistant Professor at RKGITW, Ghaziabad. She has published a number of research papers in various international and national journals. Her research interests are multilevel inverters, power system losses and deregulation of power.

Anjali Sharma is a final-year student at Raj Kumar Goel Institute of Technology for Women, Ghaziabad. She has published a number of research papers in national and international conferences. Her research interests include power system losses, smart grids, artificial intelligence, data security, etc.

Swati Singh is a final-year student at Raj Kumar Goel Institute of Technology for Women, Ghaziabad. She has published a number of research papers in national and international conferences. Her research interests include cryptography, artificial intelligence, data security, etc.