
IDS (Intrusion Detection Systems)

An intrusion detection system (IDS) examines system or network activity to find possible
intrusions or attacks. Intrusion detection systems are either network-based or host-based; vendors
are only beginning to integrate the two technologies.
Types of IDS

Network-based and host-based IDS


A network-based IDS usually consists of a network appliance (or sensor) with a Network
Interface Card (NIC) operating in promiscuous mode and a separate management interface.
The IDS is placed along a network segment or boundary and monitors all traffic on that
segment.
A host-based IDS requires small programs (or agents) to be installed on individual systems
to be monitored. The agents monitor the operating system and write data to log files and/or
trigger alarms. A host-based IDS can only monitor the individual host systems on which

Knowledge-based and behavior-based IDS


A knowledge-based (or signature-based) IDS references a database of previous attack
profiles and known system vulnerabilities to identify active intrusion attempts.
Knowledge-based IDS is currently more common than behavior-based IDS. Advantages of
knowledge-based systems include the following:
- Lower false alarm rates than behavior-based IDS.
- Alarms are more standardized and more easily understood than those of a behavior-based IDS.
Disadvantages of knowledge-based systems include these:
- The signature database must be continually updated and maintained.
- New, unique, or original attacks may not be detected, or may be improperly classified.
A behavior-based (or statistical anomaly-based) IDS references a baseline or learned
pattern of normal system activity to identify active intrusion attempts. Deviations from this
baseline or pattern cause an alarm to be triggered. Advantages of behavior-based systems
include the following:
- They dynamically adapt to new, unique, or original attacks.
- They are less dependent on identifying specific operating system vulnerabilities.
Disadvantages of behavior-based systems include these:
- Higher false alarm rates than knowledge-based IDSes.
- Usage patterns may change often and may not be static enough to implement an
effective behavior-based IDS.
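The two detection philosophies side by side, as an added example (not from the original notes or from any IDS product): a toy signature matcher and a toy statistical anomaly detector run over constructed connection records. The addresses, the signature database and the baseline traffic are all made up for illustration, and the anomaly feature used here (the number of distinct destination ports a source talks to) is one simple choice among many.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline traffic assumed to be normal: (src_ip, dst_port, payload).
BASELINE = [
    ("10.0.0.5", 443, b"GET /index.html"),
    ("10.0.0.5", 443, b"GET /about"),
    ("10.0.0.6", 80,  b"GET /"),
    ("10.0.0.6", 25,  b"EHLO mail.example"),
    ("10.0.0.7", 443, b"POST /login"),
    ("10.0.0.7", 53,  b"A? example.com"),
]

# Constructed traffic to inspect (attacker addresses are from TEST-NET-1, 192.0.2.0/24).
OBSERVED = (
    [("192.0.2.10", 80, b"GET /../../etc/passwd")]            # known attack: in the signature DB
    + [("192.0.2.11", 80, b"GET /.git/config")]               # novel attack: no signature yet
    + [("192.0.2.12", p, b"") for p in range(20, 31)]         # port scan: 11 distinct ports
    + [("10.0.0.8", p, b"") for p in (22, 25, 53, 80, 443)]   # busy but legitimate admin host
)

# Knowledge-based side: a tiny signature database, name -> byte pattern (constructed).
SIGNATURES = {
    "dir-traversal": b"../../",
    "cmd-injection": b";id;",
}


def signature_alerts(records, signatures=SIGNATURES):
    """Knowledge-based detection: alert only on patterns already in the database."""
    alerts = []
    for src, _port, payload in records:
        for name, pattern in signatures.items():
            if pattern in payload:
                alerts.append((name, src))
    return alerts


def distinct_ports_per_source(records):
    """Feature used by the behavior-based side: distinct destination ports per source."""
    ports = defaultdict(set)
    for src, port, _payload in records:
        ports[src].add(port)
    return {src: len(p) for src, p in ports.items()}


def learn_baseline(records, k=3.0):
    """Behavior-based side: learn how many distinct ports a normal source talks to
    and set the alarm threshold at mean + k * standard deviation of that count."""
    counts = list(distinct_ports_per_source(records).values())
    return mean(counts) + k * pstdev(counts)


def anomaly_alerts(records, threshold):
    """Alert on every source whose distinct-port count exceeds the learned threshold."""
    return [("port-fanout", src)
            for src, n in distinct_ports_per_source(records).items()
            if n > threshold]


def run():
    threshold = learn_baseline(BASELINE)
    return {
        "threshold": threshold,
        "signature": signature_alerts(OBSERVED),
        "anomaly": anomaly_alerts(OBSERVED, threshold),
    }


if __name__ == "__main__":
    for kind, result in run().items():
        print(kind, result)
```

Run it and both trade-offs described above appear directly: the signature side reports the known traversal string and nothing else, so the novel request from 192.0.2.11 goes unnoticed; the anomaly side reports the port scan without any prior knowledge of it, but also flags the busy admin host 10.0.0.8, which is exactly the higher false-alarm rate the notes warn about.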

Introduction to IDS
IDS stands for Intrusion Detection System. The techniques and methods on which an IDS is
founded are used to monitor and reveal malicious activity at both the host and the network
level. Once such activity occurs, an alert is issued to make everyone aware of the attack. An
IDS can be hardware, software, or a combination of both, depending on the requirement. It can
use signature-based and anomaly-based techniques together or separately, again depending on
the requirement.
Your network topology determines where to add intrusion detection systems. Whether an IDS
should be positioned at one or more places depends on whether you want to track internal or
external threats. For instance, to protect yourself from external traffic, place an IDS at the
border router; to protect the inner network, place an IDS on every network segment.
Categories of IDS
Signature-Based IDS
This IDS checks the data packets in the network traffic against known signatures. Basically, it
captures the packets and compares them with its signatures to confirm whether they are a threat
or not. Such signatures commonly describe known intrusion patterns or known anomalies in the
Internet protocols. Known malware such as computer viruses carries a recognizable signature, so a
signature-based IDS detects it easily; what it cannot detect is an attack for which no signature
exists yet.
Anomaly IDS
This IDS detects whether a data packet behaves anomalously. It issues an alert if anomalies are
present, for example in the protocol header fields. This system produces better results in some
cases than a signature-based IDS. Normally such an IDS captures data from the network and then
applies its rules to those packets in order to detect anomalies.
Types of IDS
NIDS
NIDS stands for Network Intrusion Detection System. This type of IDS captures the data packets
sent and received on the network and compares them against a database of signatures. If a packet
matches a signature, an alert is issued letting everyone know of a malicious attack; otherwise
the packet is passed without comment. Snort is an excellent example of a NIDS.
HIDS
HIDS stands for Host Intrusion Detection System; it runs as an agent on the host it protects.
This type of IDS monitors system and application logs to detect intruder activity. Some react
when malicious activity takes place; others monitor all the traffic coming to the host on which
the IDS is installed and give alerts in real time.
Introduction to snort
Snort is open source software which helps to monitor network traffic in real time, hence it can
also be considered a packet sniffer. Basically, it examines each and every data packet in depth to
see if there are any malicious payloads; it can also be used for protocol analysis and content
searching. It is capable of detecting various attacks such as port scans, buffer overflows, etc.

It needs no additional system or hardware added to your distribution, though root privileges are
required (raw packet capture needs them). It inspects all the network traffic against the provided
set of rules and then alerts the administrator.
Several components work together to detect an intrusion. The following are the major components of Snort:
Packet Decoder
Pre-processors
Detection Engine
Logging and Alerting System
Output Modules

Snort Components
The first component is the Decoder, which is responsible for forming packets to be used by the
other components. It should be noted that the Decoder also looks for anomalies in headers (such
as invalid sizes), which may then cause it to generate alerts.
The next major components are the Preprocessors. These components work as plugins and are
able to arrange or modify packet data (reassembling fragments and streams, normalizing encoded
data, and so on). Their job is ultimately to make it harder to fool the detection engine.
The primary component, the Detection Engine, has the responsibility of detecting whether any
intrusion activity is present in a packet. It does this by chaining together sets of rules,
specified in the configuration files that include these rules, and applying them to each packet.
If the packet matches a rule, the specified action of that rule is taken (in inline mode that
action may be to drop the packet). If Snort is performing this in real time, then depending on
the network load latency may be experienced, with worst-case scenarios resulting in packets
being dropped altogether.
If a packet is matched to a rule, the log and/or alert will be generated by the Alert and Logging
System. The message and contents generated by this component can of course be configured
through the configuration file. If a packet triggers multiple rules, the highest-priority alert is
what will actually be generated by this component.
Finally, after an alert or log is generated, it passes through the Output Modules component. This
component is tasked with controlling the type of output generated; it uses a plugin system,
giving the user flexibility, and is highly configurable. Output may be simple logging, logging
to a database, sending SNMP traps, generating XML reports, or even sending alerts through
UNIX sockets, allowing for (for example) dynamic modification of network configurations
(firewalls or routers).
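The component chain above, reduced to a few functions as an added example (this is illustrative Python written for these notes, not Snort's own code). The toy wire format, the rule set and the percent-encoded request are all constructed; what it shows is that the preprocessor stage (here an HTTP normalizer) decides whether an encoded variant of a known attack reaches the detection engine in a form the rule can match.

```python
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass
class Packet:
    raw: bytes
    proto: str = ""
    dst_port: int = 0
    payload: bytes = b""
    anomalies: list = field(default_factory=list)


def packet_decoder(raw: bytes) -> Packet:
    """Packet Decoder: split the constructed wire format b'PROTO:PORT:PAYLOAD' into
    fields. A malformed header is recorded as an anomaly, the way Snort's decoder
    raises its own alerts on bad header sizes."""
    pkt = Packet(raw=raw)
    try:
        proto, port, payload = raw.split(b":", 2)
        pkt.proto, pkt.dst_port, pkt.payload = proto.decode(), int(port), payload
    except ValueError:
        pkt.anomalies.append("decoder: malformed header")
    return pkt


def http_normalizer(pkt: Packet) -> Packet:
    """Preprocessor plugin: decode percent-encoding in web traffic so that a rule
    written for b'../../' also fires on b'%2e%2e%2f%2e%2e%2f'."""
    if pkt.proto == "tcp" and pkt.dst_port == 80:
        text = pkt.payload.decode("latin-1")
        pkt.payload = unquote(text, encoding="latin-1").encode("latin-1")
    return pkt


PREPROCESSORS = [http_normalizer]

# Constructed rule set; a lower priority number wins when several rules match one packet.
RULES = [
    dict(action="alert", proto="tcp", port=80, content=b"../../",
         msg="WEB-MISC directory traversal", priority=2),
    dict(action="alert", proto="tcp", port=80, content=b"/etc/passwd",
         msg="WEB-MISC /etc/passwd access", priority=1),
    dict(action="log", proto="tcp", port=None, content=b"USER ",
         msg="cleartext login", priority=3),
]


def detection_engine(pkt: Packet, rules=RULES):
    """Detection Engine: test the packet against every rule and return the matching
    rule with the highest priority, or None when nothing matched."""
    hits = [r for r in rules
            if r["proto"] == pkt.proto
            and (r["port"] is None or r["port"] == pkt.dst_port)
            and r["content"] in pkt.payload]
    return min(hits, key=lambda r: r["priority"]) if hits else None


def logging_and_alerting(pkt: Packet, rule):
    """Logging and Alerting System: build the event record for a rule hit or a
    decoder anomaly; return None when the packet is clean."""
    if rule is not None:
        return {"action": rule["action"], "msg": rule["msg"], "raw": pkt.raw}
    if pkt.anomalies:
        return {"action": "alert", "msg": pkt.anomalies[0], "raw": pkt.raw}
    return None


def console_output(event, sink: list):
    """Output module plugin: append a one-line record to a list. A real plugin would
    write to syslog, a database or a unified2 file instead."""
    sink.append(f"[{event['action']}] {event['msg']}")


def process(raw: bytes, preprocessors=PREPROCESSORS, sink=None):
    """Run one packet through the whole chain and return the event (or None)."""
    pkt = packet_decoder(raw)
    for pre in preprocessors:
        pkt = pre(pkt)
    event = logging_and_alerting(pkt, detection_engine(pkt))
    if event is not None and sink is not None:
        console_output(event, sink)
    return event


if __name__ == "__main__":
    out = []
    for raw in (b"tcp:80:GET /../../etc/passwd",
                b"tcp:80:GET /%2e%2e%2f%2e%2e%2fetc%2fpasswd",
                b"tcp:80:GET /index.html",
                b"not-a-packet"):
        process(raw, sink=out)
    print("\n".join(out))
    # The same encoded request with the preprocessor list emptied slips past every rule:
    print(process(b"tcp:80:GET /%2e%2e%2f%2e%2e%2fetc%2fpasswd", preprocessors=[]))
```

Running it with the preprocessor list emptied demonstrates the evasion: the percent-encoded request decodes to exactly the string the rules look for, but without normalization neither web rule fires and the packet passes. The plain traversal request also shows the priority handling mentioned above: it matches two rules and only the higher-priority one is reported.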

Snort can be run in 4 modes:

- sniffer mode: snort reads the network traffic and prints it to the screen.
- packet logger mode: snort records the network traffic to a file.
- IDS mode: network traffic matching security rules is recorded (the mode used in our tutorial).
- IPS mode: also known as snort-inline (IPS = intrusion prevention system); matching traffic can be dropped instead of only logged.

Snort is a very powerful tool and is known to be one of the best IDS on the market even when
compared to commercial IDS.
Snort Rule Format
Snort lets its users write their own rules for generating logs of incoming/outgoing network
packets. They only need to follow the Snort rule format, under which a packet must meet every
condition the rule specifies. Always bear in mind that a Snort rule is written by combining two
main parts: the header and the options.
The header part contains the action, the protocol, the source IP and port, the direction
operator, and the destination IP and port; everything else goes in the options part.
Syntax: Action Protocol Source IP Source port -> Destination IP Destination port (options)
Header Fields:-
Action: It informs Snort what kind of action to perform when it discovers a packet that
matches the rule description. There are five default actions in Snort: alert, log, pass,
activate, and dynamic. When running inline you can also use drop, reject, and sdrop.
Protocol: After choosing the action, you need to specify the protocol (ip, tcp, udp, or icmp)
to which this rule applies; ip matches any IP protocol.
Source IP: This part of the header describes the sender address (or network) from which the
traffic is coming.
Source Port: This part of the header describes the source port from which the traffic is coming.
Direction operator: It denotes the direction of traffic flow between the sender and receiver
networks; -> matches traffic from source to destination, while <> matches either direction.
Destination IP: This part of the header describes the destination address (or network) to which
the traffic is going.
Destination Port: This part of the header describes the destination port to which the traffic
is going.
Option Fields:
The body fo

There are four major categories of rule options.


General: These options contain metadata that provides information about the rule itself (for
example msg, sid, rev, classtype).
Payload: These options look for data inside the packet payload and can be combined with each
other (for example content, nocase, pcre).
Non-payload: These options look for non-payload data such as header fields and stream state (for
example flow, flags, ttl).
Post-detection: These options are rule-specific triggers that happen after a rule has
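A parser for the rule format described above, written here as an added example (it is not Snort's parser): it splits the header into its seven fields, tokenizes the options while honouring quoting, sorts each option into the four categories just listed, and evaluates the header plus the content/nocase options against a constructed packet. The rule, the $HOME_NET value and the packet are constructed; sid 1000001 is in the range reserved for local rules rather than a real Snort rule, and the keyword-to-category table covers common Snort 2 keywords only.

```python
import ipaddress

# Keyword sets from the Snort 2 rule language (constants assumed here, not Snort's code).
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
CATEGORIES = {  # the four option categories named in the notes, with common keywords
    "general": {"msg", "reference", "gid", "sid", "rev", "classtype", "priority", "metadata"},
    "payload": {"content", "nocase", "rawbytes", "depth", "offset", "distance", "within",
                "uricontent", "http_uri", "http_header", "pcre", "isdataat", "byte_test"},
    "non-payload": {"flow", "flowbits", "flags", "ttl", "tos", "id", "ipopts", "fragbits",
                    "dsize", "seq", "ack", "window", "itype", "icode", "ip_proto", "sameip"},
    "post-detection": {"logto", "session", "resp", "react", "tag", "activates",
                       "activated_by", "count", "detection_filter"},
}


def split_options(body):
    """Turn 'key:value; key; ...' into (key, value) pairs. A ';' inside double
    quotes, or escaped as '\\;', does not terminate the option."""
    opts, buf, quoted, i = [], "", False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):     # keep the escape and escaped char together
            buf, i = buf + body[i:i + 2], i + 2
            continue
        if c == '"':
            quoted = not quoted
        if c == ";" and not quoted:
            key, _, val = buf.strip().partition(":")
            opts.append((key.strip(), val.strip().strip('"')))
            buf = ""
        else:
            buf += c
        i += 1
    if buf.strip():
        raise ValueError("option not terminated by ';': " + buf.strip())
    return opts


def parse_rule(text):
    """Split one rule into its seven header fields and its categorised options."""
    header, sep, rest = text.strip().partition("(")
    if not sep or not rest.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError("header must be: action proto src sport dir dst dport")
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS or proto not in PROTOCOLS or direction not in ("->", "<>"):
        raise ValueError("bad action, protocol or direction in: " + header)
    options = split_options(rest[:-1])
    by_cat = {}
    for key, val in options:
        cat = next((c for c, keys in CATEGORIES.items() if key in keys), "unknown")
        by_cat.setdefault(cat, []).append((key, val))
    return {"action": action, "protocol": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "options": options, "categories": by_cat}


def _addr_ok(spec, actual, variables):
    spec = variables.get(spec, spec)            # resolve $HOME_NET-style variables
    return spec == "any" or ipaddress.ip_address(actual) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, actual):
    return spec == "any" or int(spec) == actual


def _header_ok(rule, src, sport, dst, dport, variables):
    return (_addr_ok(rule["src"], src, variables) and _port_ok(rule["sport"], sport)
            and _addr_ok(rule["dst"], dst, variables) and _port_ok(rule["dport"], dport))


def matches(rule, pkt, variables):
    """Evaluate the header plus the content/nocase options against a constructed
    packet dict. Other option keywords are parsed above but not evaluated here."""
    if rule["protocol"] not in ("ip", pkt["proto"]):
        return False
    ok = _header_ok(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], variables)
    if rule["direction"] == "<>":               # bidirectional: try the reverse pairing too
        ok = ok or _header_ok(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], variables)
    if not ok:
        return False
    contents = []                               # nocase modifies the content just before it
    for key, val in rule["options"]:
        if key == "content":
            contents.append([val.encode(), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
    payload = pkt["payload"]
    return all(needle.lower() in payload.lower() if nocase else needle in payload
               for needle, nocase in contents)


# Constructed rule, variables and packet. sid 1000001 is in the local-rule range, not a real SID.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"LOCAL WEB-MISC /etc/passwd request"; flow:to_server,established; '
               'content:"/etc/passwd"; nocase; classtype:attempted-recon; sid:1000001; rev:1;)')
VARIABLES = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "any"}
SAMPLE_PKT = {"proto": "tcp", "src": "203.0.113.7", "sport": 40321,
              "dst": "10.0.0.5", "dport": 80, "payload": b"GET /ETC/PASSWD HTTP/1.1\r\n"}

if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print(rule["categories"], matches(rule, SAMPLE_PKT, VARIABLES))
```

Only content and nocase are actually evaluated; the other keywords are parsed and categorised but ignored, which is deliberate: honouring flow state, byte offsets, pcre and the rest is exactly the work a real detection engine needs the preprocessors and stream tracking for.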
