Network Intrusion Detection System Using Snort
By-
Disha Bedi
Introduction
In my project I developed a rule based network intrusion
detection system using Snort.
BASE is used as the output module and Wireshark is
used as a packet analyzer to modify our rules from time
to time.
A combination of Snort and BASE makes it possible to
log the intrusion detection data into a database and then
view and analyze it later, using a web interface.
The goal of this project is to implement network security
to a product of Siemens, SPPA-T3000, which is the
instrumentation and control system that provides remote
access to power plant management systems.
Intrusion Detection System
(IDS)
Intrusion detection is a set of techniques and methods
that are used to detect suspicious activity both at the
network and host level.
Intruders have signatures that can be detected. Based
upon a set of signatures and rules, the intrusion
detection system (IDS) is able to find and log
suspicious activity and generate alerts.
Usually an intrusion detection system captures a packet
from the network, applies rules to its data and detects
anomalies in it.
Components of IDS
Sensors are placed to listen to various activities in a
network or system.
Console monitors events and alerts.
Engine generates alerts if there is a suspicious
activity in the monitored events.
Types of IDS
There are two types of IDS based on the choice of sensor
position-
Host Intrusion Detection Systems (HIDS):
A host based intrusion detection system (HIDS) monitors
internal components of a computer.
Network Intrusion Detection Systems (NIDS):
Network based intrusion detection systems (NIDS) analyze
network packets captured by one or more sensors, which are
located in the network.
There are two types of IDS based on the choice of
detection engine-
Anomaly Detection
An anomaly based detection engine can trace deviations
from the normal state of a system, which is possibly
caused by an attack to the system.
Signature Detection
Signature based intrusion detection engines try to detect
an attack from its fingerprints.
Positioning of sensors
Behind the firewall:
The IDS will not be able to detect every attack, because
the firewall blocks some of the packets belonging to the
attack, so the IDS never sees enough of the traffic to
match the signature of the attack.
In front of the firewall:
IDS will monitor all attacks coming from the outside.
Thus it is able to detect signatures of the attacks.
Protecting the IDS itself
One major issue is how to protect the system on which your
intrusion detection software is running. If security of the
IDS is compromised, you may start getting false alarms or
no alarms at all. The intruder may disable IDS before
actually performing any attack.
There are two ways of protecting the IDS:
Snort on Stealth Interface:
Only listens to the incoming traffic but does not send any
data packets out.
Snort with no IP Address Interface:
When the IDS host doesn’t have an IP address itself,
nobody can access it.
Snort
Snort is primarily a rule-based IDS. It has the ability to
perform real-time traffic analysis and packet logging on
Internet Protocol (IP) networks.
Snort reads the rules at the start-up time and builds
internal data structures or chains to apply these rules to
captured data.
Snort comes with a rich set of pre-defined rules to
detect intrusion activity and you are free to add your
own rules at will.
Modes of Snort
Snort can be configured to run in three modes-
Sniffer mode, which simply reads the packets off
the network and displays them on the screen.
Packet Logger mode, which logs the packets to disk.
Network Intrusion Detection System (NIDS)
mode, which allows Snort to analyze network traffic
for matches against a user-defined rule set and
performs several actions based upon what it sees.
Components of Snort
Packet Decoder: Prepares packets for processing.
Preprocessors or Input Plugins: Used to detect
anomalies, packet defragmentation and reassembly.
Detection Engine: Applies rules to packets.
Logging and Alerting System: Generates alert and
log messages.
Output Modules: Process alerts and logs and
generate final output.
Flow of packets
Basic Analysis and Security
Engine (BASE)
BASE is the output module used in our IDS.
This application provides a web front-end to query and
analyze the alerts coming from a Snort IDS system.
It is written in PHP.
Wireshark
Wireshark is a network packet analyzer.
A network packet analyzer captures network packets and
displays the packet data in as much detail as possible.
Writing Snort rules
All Snort rules have two logical parts:
rule header and rule options.
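To make the two parts concrete, here is a small parser, added as an example and not part of the original slides, that splits a rule written in the standard Snort 2 syntax into its header fields (action, protocol, addresses, ports, direction) and its ordered list of options. The sample rule is constructed for the example; the parser assumes single-line rules without escaped quotes.

```python
import re
from dataclasses import dataclass

# Constructed sample rule (not from the slides): alert on an ICMP echo
# request arriving from outside the home network.
SAMPLE_RULE = (
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"ICMP echo request from outside"; itype:8; sid:1000001; rev:1;)'
)

# Rule header: action proto src_ip src_port direction dst_ip dst_port
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*$'
)

# Split on ';' only when it is outside double quotes (msg/content values
# may legitimately contain ';'); an even number of quotes must follow.
OPTION_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


@dataclass
class SnortRule:
    header: dict          # the header fields named in HEADER_RE
    options: list         # ordered (keyword, value or None) pairs


def parse_rule(text: str) -> SnortRule:
    """Parse one Snort rule into its header and option parts."""
    text = text.strip()
    if '(' not in text or not text.endswith(')'):
        raise ValueError("rule options must be enclosed in parentheses")
    paren = text.index('(')
    match = HEADER_RE.match(text[:paren])
    if not match:
        raise ValueError("malformed rule header")
    options = []
    for raw in OPTION_SPLIT_RE.split(text[paren + 1:-1]):
        raw = raw.strip()
        if not raw:
            continue
        # Options like "nocase" carry no value; partition returns '' for them.
        keyword, _, value = raw.partition(':')
        options.append((keyword.strip(), value.strip() or None))
    return SnortRule(header=match.groupdict(), options=options)


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print(rule.header)
    print(rule.options)
```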
Network diagram (image not preserved): Firewall (192.168.2.34);
Switch in DMZ (172.18.21.10); Switch in internal system (192.168.2.138).