Ids and Ips Report

8/9/2019 Ids and Ips Report

CHAPTER 1

Introducing IDS and IPS

1.1 Introducing IDS and IPS

Intrusion detection system (IDS) and intrusion prevention system (IPS) solutions form an integral part of a robust network defence solution. Maintaining secure network services is a key requirement of a profitable IP-based business. IDS and IPS work together to provide a network security solution. An IDS captures packets in real time, processes them, and can respond to threats, but it works on copies of the data traffic to detect suspicious activity by using signatures. This is called promiscuous mode. In the process of detecting malicious traffic, an IDS allows some malicious traffic to pass before the IDS can respond to protect the network. An IDS analyses a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating on a copy of the traffic is that the IDS does not affect the packet flow of the forwarded traffic. The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malicious traffic from single-packet attacks from reaching the target system before the IDS can apply a response to stop the attack. An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack.

An IPS works inline in the data stream to provide protection from malicious attacks in real time. This is called inline mode. Unlike an IDS, an IPS does not allow packets to enter the trusted side of the network until they have been inspected. An IPS monitors traffic at Layer 3 and Layer 4 to ensure that their headers, states, and so on are those specified in the protocol suite. However, the IPS sensor also analyses the payload of the packets at Layer 2 to Layer 7 for more sophisticated embedded attacks that might include malicious data. This deeper analysis lets the IPS identify, stop, and block attacks that would normally pass through a traditional firewall device. When a packet comes in through an interface on an IPS, that packet is not sent to the outbound or trusted interface until the packet has been determined to be clean.

The key to differentiating an IDS from an IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS allows malicious traffic to pass before it can respond.

IDS:
• Analyses copies of the traffic stream.
• Does not slow network traffic.
• Allows some malicious traffic into the network.
• Shown in Fig. 1.1.

IPS:
• Works inline in real time to monitor Layer 2 through Layer 7 traffic and content.
• Needs to be able to handle the full network traffic load.
• Prevents malicious traffic from entering the network.
• Shown in Fig. 1.2.

Fig. 1.1 Intrusion Detection System (IDS)

Fig. 1.2 Intrusion Prevention System (IPS)

1.2 Common Characteristics

IDS and IPS technologies share several characteristics:

• IDS and IPS technologies are deployed as sensors. An IDS or an IPS sensor can be any of the following devices:
  • A router configured with Cisco IOS IPS Software.
  • An appliance specifically designed to provide dedicated IDS or IPS services.
  • A network module installed in an adaptive security appliance, switch, or router.

• IDS and IPS technologies typically monitor for malicious activities in two spots:
  • Malicious activity is monitored at the network to detect attacks against a network, including attacks against hosts and devices, using network IDS and network IPS.
  • Malicious activity is monitored on a host to detect attacks that are launched from or on target machines, using a host intrusion prevention system (HIPS). Host-based attacks are detected by reading security event logs, checking for changes to critical system files, and checking system registries for malicious entries.

• IDS and IPS technologies generally use signatures to detect patterns of misuse in network traffic, although other detection methods are introduced later in this report (Chapter 3). A signature is a set of rules that an IDS or IPS uses to detect typical intrusive activity. Signatures are usually chosen from a broad cross section of intrusion detection signatures, and can detect severe breaches of security, common network attacks, and information gathering.

• IDS and IPS technologies look for the following general patterns of misuse:
  • Atomic pattern: In an atomic pattern, an attempt is made to access a specific port on a specific host, and the malicious content is contained in a single packet. An IDS is particularly vulnerable to an atomic attack because until it finds the attack, malicious single packets are being allowed into the network. An IPS prevents these packets from entering at all.
  • Composite pattern: A composite pattern is a sequence of operations distributed across multiple hosts over an arbitrary period of time.

1.3 Steps Taken

The following are the steps that occur when an attack is launched in an environment monitored by an IDS:

Step 1. An attack is launched on a network that has a sensor deployed in IDS mode.
Step 2. The switch sends copies of all packets to the IDS sensor (configured in promiscuous mode, which is explained later in this section) to analyse the packets. At the same time, the target machine experiences the malicious attack.
Step 3. The IDS sensor, using a signature, matches the malicious traffic to the signature.
Step 4. The IDS sensor sends the switch a command to deny access to the malicious traffic.
Step 5. The IDS sends an alarm to a management console for logging and other management purposes.

The following are the steps that occur when an attack is launched in an environment monitored by an IPS:

Step 1. An attack is launched on a network that has a sensor deployed in IPS mode (configured in inline mode, which is explained later in this section).
Step 2. The IPS sensor analyses the packets as soon as they come into the IPS sensor interface. The IPS sensor, using signatures, matches the malicious traffic to the signature and the attack is stopped immediately. Traffic in violation of policy can be dropped by an IPS sensor.
Step 3. The IPS sensor can send an alarm to a management console for logging and other management purposes.

Management Console

A management console is a separate workstation equipped with software to configure, monitor, and report on events.

Promiscuous Versus Inline Mode

A sensor can be deployed either in promiscuous mode or inline mode. In promiscuous mode, the sensor receives a copy of the data for analysis, while the original traffic still makes its way to its ultimate destination. By contrast, a sensor working inline analyses the traffic live and therefore can actively block the packets before they reach their destination.
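The two step sequences above, as an added example that is not part of the report: a toy sensor that can be run in promiscuous or inline mode over a constructed packet stream. The packets, the switch "deny" command (modelled as a set of blocked source addresses) and the single signature (the mountd RPC byte pattern used as the sample rule in section 4.2) are all assumptions made for this example; nothing here talks to a real network.

```python
"""Added example (not from the report): the same single-packet ('atomic')
attack under a sensor in promiscuous (IDS) mode versus inline (IPS) mode.
Packets, the signature and the 'switch' are constructed for illustration."""

from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# One signature, matched as raw bytes in the payload. The pattern is the
# mountd RPC program number from the sample Snort rule in section 4.2.
SIGNATURES = {"mountd access": b"\x00\x01\x86\xa5"}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Sensor:
    """A sensor deployed either in promiscuous or inline mode."""
    mode: str                                          # "promiscuous" or "inline"
    alarms: list = field(default_factory=list)         # (signature, source) pairs sent to the console
    blocked_sources: set = field(default_factory=set)  # 'deny' commands already sent to the switch

    def matches(self, pkt: Packet) -> Optional[str]:
        for name, pattern in SIGNATURES.items():
            if pattern in pkt.payload:
                return name
        return None

    def forward(self, pkt: Packet) -> bool:
        """Return True if the packet reaches the target host."""
        if self.mode == "promiscuous":
            # IDS step 2: the switch forwards the original packet and hands the
            # sensor a copy. Only a deny command issued on an *earlier* packet
            # can stop this one.
            if pkt.src in self.blocked_sources:
                return False
            sig = self.matches(pkt)                    # analysis happens on the copy
            if sig:
                # IDS steps 3-5: match, tell the switch to deny the source, alarm.
                self.blocked_sources.add(pkt.src)
                self.alarms.append((sig, pkt.src))
            return True                                # the original already went through
        # Inline: the packet is held until it has been judged clean (IPS step 2).
        sig = self.matches(pkt)
        if sig:
            self.alarms.append((sig, pkt.src))
            return False                               # dropped; never reaches the trusted side
        return True


def run(mode: str) -> list[bool]:
    """Replay a constructed stream (two attack packets from one source, then a
    benign request) and report, per packet, whether it reached the target."""
    sensor = Sensor(mode)
    attack = b"\x80\x00\x00\x28" + b"\x00\x01\x86\xa5" + b"\x00" * 8
    stream = [
        Packet("10.0.0.7", "192.168.1.10", 111, attack),
        Packet("10.0.0.7", "192.168.1.10", 111, attack),
        Packet("10.0.0.9", "192.168.1.10", 80, b"GET / HTTP/1.0\r\n\r\n"),
    ]
    return [sensor.forward(p) for p in stream]


if __name__ == "__main__":
    print("IDS (promiscuous):", run("promiscuous"))   # first attack packet gets through
    print("IPS (inline):     ", run("inline"))        # nothing malicious gets through
```

In promiscuous mode the first attack packet is delivered before the sensor can react; the deny command only stops the second one. Inline, both are dropped, and the benign request from a different source passes in either mode.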

1.4 Advantages and Limitations

Table 1.1 Advantages and Limitations of Deploying an IDS in Promiscuous Mode

Advantages:
• Deploying the IDS sensor does not have any impact on the network (latency, jitter, and so on).
• The IDS sensor is not inline and, therefore, a sensor failure cannot affect network functionality.
• Overrunning the IDS sensor with data does not affect network traffic; however, it does affect the capability of the IDS to analyse the data.

Limitations:
• IDS sensor response actions cannot stop the trigger packet and are not guaranteed to stop a connection. IDS response actions are typically better at stopping an attacker than a specific attack itself.
• IDS sensor response actions are less helpful in stopping email viruses and automated attackers such as worms.
• Users deploying IDS sensor response actions must have a well-thought-out security policy combined with a good operational understanding of their IDS deployments. Users must spend time to correctly tune IDS sensors to achieve the expected levels of intrusion detection.
• Being out of band (OOB), IDS sensors are more vulnerable to network evasion techniques, which are the process of totally concealing an attack.

Table 1.2 Advantages and Limitations of Deploying an IPS in Inline Mode

Advantages:
• You can configure an IPS sensor to perform a packet drop that can stop the trigger packet, the packets in a connection, or packets from a source IP address.
• Being inline, an IPS sensor can use stream normalization techniques to reduce or eliminate many of the network evasion capabilities that exist.

Limitations:
• An IPS sensor must be inline and, therefore, IPS sensor errors or failure can have a negative effect on network traffic.
• Overrunning IPS sensor capabilities with too much traffic does negatively affect the performance of the network.
• Users deploying IPS sensor response actions must have a well-thought-out security policy combined with a good operational understanding of their IPS deployments.
• An IPS sensor will affect network timing because of latency, jitter, and so on. An IPS sensor must be appropriately sized and implemented so that time-sensitive applications, such as

CHAPTER 2

Host and Network IPS

IPS technology can be network based and host based. There are advantages and limitations to host-based IPS (HIPS) compared with network-based IPS. In many cases, the technologies are thought to be complementary.

2.1 Host-Based IPS

HIPS audits host log files, host file systems, and resources. A significant advantage of HIPS is that it can monitor operating system processes and protect critical system resources, including files that may exist only on that specific host. HIPS can combine the best features of antivirus, behavioural analysis, signature filters, network firewalls, and application firewalls in one package. A simple form of HIPS enables system logging and log analysis on the host. However, this approach can be extremely labour intensive. For example, the Nimda and SQL Slammer worms did millions of dollars of damage to enterprises on the first day of their appearance, before updates were even available; however, a network protected with Cisco Security Agent (CSA) stopped these attacks without any updates by identifying their behaviour as malicious. Host-based IPS operates by detecting attacks that occur on the host on which it is installed. HIPS works by intercepting operating system and application calls, securing the operating system and application configurations, validating incoming service requests, and analysing local log files for after-the-fact suspicious activity. More precisely, HIPS functions according to the following steps, as shown in Figure 2.1.

Fig. 2.1

Step 1. An application calls for system resources.
Step 2. HIPS checks the call against the policy.
Step 3. Requests are allowed or denied.

HIPS uses rules that are based on a combination of known attack characteristics and a detailed knowledge of the operating system and specific applications running on the host. These rules enable HIPS to determine abnormal or out-of-bound activity and, therefore, prevent the host from executing commands that do not fit the correct behaviour of the operating system or application.

HIPS improves the security of hosts and servers by using rules that control operating system and network stack behaviour. Processor control limits activity such as buffer overflows, Registry updates, writes to the system directory, and the launching of installation programs. Regulation of network traffic can help ensure that the host does not participate in accepting or initiating FTP sessions, can rate-limit when a denial-of-service (DoS) attack is detected, or can keep the network stack from participating in a DoS attack.

The topology in Figure 2.2 shows a typical HIPS deployment.

Fig. 2.2 HIPS deployment

2.1.1 The advantages and limitations of HIPS are as follows:

• Advantages of HIPS: The success or failure of an attack can be readily determined. A network IPS sends an alarm upon the presence of intrusive activity but cannot always ascertain the success or failure of such an attack. HIPS does not have to worry about fragmentation attacks or variable Time to Live (TTL) attacks because the host stack takes care of these issues. If the network traffic stream is encrypted, HIPS has access to the traffic in unencrypted form.

• Limitations of HIPS: There are two major drawbacks to HIPS:
  • HIPS does not provide a complete network picture: Because HIPS examines information only at the local host level, HIPS has difficulty constructing an accurate network picture or coordinating the events happening across the entire network.
  • HIPS has a requirement to support multiple operating systems: HIPS needs to run on every system in the network. This requires verifying support for all the different operating systems used in your network.

2.2 Network-Based IPS

Network IPS involves the deployment of monitoring devices, or sensors, throughout the network to capture and analyse the traffic. Sensors detect malicious and unauthorized activity in real time and can take action when required. Sensors are deployed at designated network points that enable security managers to monitor network activity while it is occurring, regardless of the location of the attack target. Network IPS sensors are usually tuned for intrusion prevention analysis. The underlying operating system of the platform on which the IPS software is mounted is stripped of unnecessary network services, and essential services are secured (that is, hardened). The hardware includes the following components:

• Network interface card (NIC): Network IPS must be able to connect to any network (Ethernet, Fast Ethernet, Gigabit Ethernet).
• Processor: Intrusion prevention requires CPU power to perform intrusion detection analysis and pattern matching.
• Memory: Intrusion detection analysis is memory intensive. Memory directly affects the capability of a network IPS to efficiently and accurately detect an attack.

Network IPS gives security managers real-time security insight into their networks regardless of network growth. Additional hosts can be added to protected networks without needing more sensors. When new networks are added, additional sensors are easy to deploy. Additional sensors are required only when their rated traffic capacity is exceeded, when their performance does not meet current needs, or when a revision in security policy or network design requires additional sensors to help enforce security boundaries. Figure 2.3 shows a typical network IPS deployment. The key difference between this network IPS deployment example and the previous HIPS deployment example is that there is no CSA software on the various platforms. In this topology, the network IPS sensors are deployed at network entry points that protect critical network segments. The network segments have internal and external corporate resources. The sensors report to a central management and monitoring server that is located inside the corporate firewall.

2.2.1 The advantages and limitations of network IPS are as follows:

• Advantages of network IPS: A network-based monitoring system has the benefit of easily seeing attacks that are occurring across the entire network. Seeing the attacks against the entire network gives a clear indication of the extent to which the network is being attacked. Furthermore, because the monitoring system is examining only traffic from the network, it does not have to support every type of operating system that is used on the network.

• Limitations of network IPS: Encryption of the network traffic stream can essentially blind network IPS. Reconstructing fragmented traffic can also be a difficult problem to solve. Possibly the biggest drawback to network-based monitoring is that as networks become larger (with respect to bandwidth), it becomes more difficult to place network IPS at a single location in the network and successfully capture all the traffic. Eliminating this problem requires the use of more sensors throughout the network. However, this solution increases costs.

Comparing HIPS and Network IPS

Table 2.1 compares the advantages and limitations of HIPS and network IPS.

Table 2.1 Advantages and Limitations of Host-Based IPS and Network-Based IPS

              Advantages                                  Limitations
HIPS          Is host specific                            Operating system dependent
              Protects host after decryption              Lower-level network events not seen
              Provides application-level encryption       Host is visible to attackers
              protection
Network IPS   Cost-effective                              Cannot examine encrypted traffic
              Not visible on the network                  Does not know whether an attack was successful
              Operating system independent
              Lower-level network events seen

A host-based monitoring system examines information at the local host or operating system. Network-based monitoring systems examine packets that are traveling through the network for known signs of intrusive activity. As you move down the feature list toward network IPS, the features describe network-based monitoring features; application-level encryption protection is a HIPS feature, whereas DoS prevention is a network IPS feature.

CHAPTER 3

Types of IDS and IPS Systems

Common Detection Methodologies

IDPS technologies use many methodologies to detect incidents. Sections 3.1 through 3.3 discuss the primary classes of detection methodologies: signature-based, anomaly-based, and stateful protocol analysis, respectively. Most IDPS technologies use multiple detection methodologies, either separately or integrated, to provide broader and more accurate detection.

3.1 Signature-Based Detection

A signature is a pattern that corresponds to a known threat. Signature-based detection is the process of comparing signatures against observed events to identify possible incidents. Examples of signatures are as follows:

• A telnet attempt with a username of "root", which is a violation of an organization's security policy
• An email with a subject of "Free pictures!" and an attachment filename of "freepics.exe", which are characteristics of a known form of malware
• An operating system log entry with a status code value of 645, which indicates that the host's auditing has been disabled.

Signature-based detection is very effective at detecting known threats but largely ineffective at detecting previously unknown threats, threats disguised by the use of evasion techniques, and many variants of known threats. For example, if an attacker modified the malware in the previous example to use a filename of "freepics2.exe", a signature looking for "freepics.exe" would not match it.

Signature-based detection is the simplest detection method because it just compares the current unit of activity, such as a packet or a log entry, to a list of signatures using string comparison operations. Signature-based detection technologies have little understanding of many network or application protocols and cannot track and understand the state of complex communications. For example, they cannot pair a request with the corresponding response, such as knowing that a request to a Web server for a particular page generated a response status code of 403, meaning that the server refused to fill the request. They also lack the ability to remember previous requests when processing the current request. This limitation prevents signature-based detection methods from detecting attacks that comprise multiple events if none of the events contains a clear indication of an attack.

3.2 Anomaly-Based Detection

Anomaly-based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. An IDPS using anomaly-based detection has profiles that represent the normal behaviour of such things as users, hosts, network connections, or applications. The profiles are developed by monitoring the characteristics of typical activity over a period of time. For example, a profile for a network might show that Web activity comprises an average of 13% of network bandwidth at the Internet border during typical workday hours. The IDPS then uses statistical methods to compare the characteristics of current activity to thresholds related to the profile, such as detecting when Web activity comprises significantly more bandwidth than expected and alerting an administrator of the anomaly. Profiles can be developed for many behavioural attributes, such as the number of emails sent by a user, the number of failed login attempts for a host, and the level of processor usage for a host in a given period of time.

The major benefit of anomaly-based detection methods is that they can be very effective at detecting previously unknown threats. For example, suppose that a computer becomes infected with a new type of malware. The malware could consume the computer's processing resources, send large numbers of emails, initiate large numbers of network connections, and perform other behaviour that would be significantly different from the established profiles for the computer.

An initial profile is generated over a period of time (typically days, sometimes weeks) sometimes called a training period. Profiles for anomaly-based detection can either be static or dynamic. Once generated, a static profile is unchanged unless the IDPS is specifically directed to generate a new profile. A dynamic profile is adjusted constantly as additional events are observed. Because systems and networks change over time, the corresponding measures of normal behaviour also change; a static profile will eventually become inaccurate, so it needs to be regenerated periodically. Dynamic profiles do not have this problem, but they are susceptible to evasion attempts from attackers. For example, an attacker can perform small amounts of malicious activity occasionally, then slowly increase the frequency and quantity of activity. If the rate of change is sufficiently slow, the IDPS might think the malicious activity is normal behaviour and include it in its profile. Malicious activity might also be observed by an IDPS while it builds its initial profiles.

Inadvertently including malicious activity as part of a profile is a common problem with anomaly-based IDPS products. (In some cases, administrators can modify the profile to exclude activity in the profile that is known to be malicious.) Another problem with building profiles is that it can be very challenging in some cases to make them accurate, because computing activity can be so complex. For example, if a particular maintenance activity that performs large file transfers occurs only once a month, it might not be observed during the training period; when the maintenance occurs, it is likely to be considered a significant deviation from the profile and trigger an alert. Anomaly-based IDPS products often produce many false positives because of benign activity that deviates significantly from profiles, especially in more diverse or dynamic environments. Another noteworthy problem with the use of anomaly-based detection techniques is that it is often difficult for analysts to determine why a particular alert was generated and to validate that an alert is accurate and not a false positive, because of the complexity of events and number of events that may have caused the alert to be generated.
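The static-versus-dynamic profile trade-off above, as an added example that is not part of the report: a bandwidth profile built from a training period and then used either unchanged (static) or refreshed from a sliding window of recent observations (dynamic), with the slow-drift evasion the text describes. The training figures, the 3-standard-deviation threshold, the 10-sample window and the attack series are all constructed assumptions for this example.

```python
"""Added example (not from the report): an anomaly profile from a training
period, kept static or dynamic, against a slow-drift evasion and a sudden
spike. Figures are constructed: percent of border bandwidth used by Web
traffic, one sample per workday hour."""

from __future__ import annotations
from statistics import mean, pstdev
from typing import Optional


class BandwidthProfile:
    """Normal behaviour = mean and standard deviation of the recent samples.
    An observation more than K standard deviations above the mean is an anomaly."""

    K = 3.0

    def __init__(self, training: list[float], dynamic: bool, window: int = 10):
        self.dynamic = dynamic
        self.window = window
        self.samples = list(training)            # the training period
        self._refresh()

    def _refresh(self) -> None:
        recent = self.samples[-self.window:]
        self.mean = mean(recent)
        self.threshold = self.mean + self.K * pstdev(recent)

    def observe(self, value: float) -> bool:
        """True if `value` is anomalous relative to the profile as it stood
        *before* this observation."""
        anomalous = value > self.threshold
        if self.dynamic:
            # Dynamic profile: every observation, anomalous or not, becomes part
            # of 'normal'. This is exactly what a slow-drift attacker exploits.
            self.samples.append(value)
            self._refresh()
        return anomalous


def first_alert(profile: BandwidthProfile, observations: list[float]) -> Optional[int]:
    """Index of the first observation the profile flags, or None if it never does."""
    for i, value in enumerate(observations):
        if profile.observe(value):
            return i
    return None


# Constructed training period: ten workday hours with Web traffic near 13%.
TRAINING = [12.5, 13.2, 13.0, 12.8, 13.4, 13.1, 12.7, 13.3, 12.9, 13.1]

# Constructed attack traffic: the attacker raises usage by 0.2 points per hour,
# from 13.2% up to 30%, instead of jumping straight to 30%.
SLOW_DRIFT = [round(13.0 + 0.2 * i, 1) for i in range(1, 86)]
SUDDEN_SPIKE = [30.0]


def demo() -> dict[str, Optional[int]]:
    return {
        "static/drift": first_alert(BandwidthProfile(TRAINING, dynamic=False), SLOW_DRIFT),
        "dynamic/drift": first_alert(BandwidthProfile(TRAINING, dynamic=True), SLOW_DRIFT),
        "static/spike": first_alert(BandwidthProfile(TRAINING, dynamic=False), SUDDEN_SPIKE),
        "dynamic/spike": first_alert(BandwidthProfile(TRAINING, dynamic=True), SUDDEN_SPIKE),
    }


if __name__ == "__main__":
    for scenario, idx in demo().items():
        print(f"{scenario:14s} -> {'no alert' if idx is None else f'alert at hour {idx + 1}'}")
```

Both profiles catch the sudden spike on its first hour. The static profile also catches the drift (at the fourth hour, when 13.8% crosses the training threshold of roughly 13.79%), but the dynamic profile never does: each hour's value is folded into the window, so the threshold climbs with the attack and stays ahead of it.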

3.3 Stateful Protocol Analysis

Stateful protocol analysis is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations. Unlike anomaly-based detection, which uses host- or network-specific profiles, stateful protocol analysis relies on vendor-developed universal profiles that specify how particular protocols should and should not be used. The "stateful" in stateful protocol analysis means that the IDPS is capable of understanding and tracking the state of network, transport, and application protocols that have a notion of state. For example, when a user starts a File Transfer Protocol (FTP) session, the session is initially in the unauthenticated state. Unauthenticated users should only perform a few commands in this state, such as viewing help information or providing usernames and passwords. An important part of understanding state is pairing requests with responses, so when an FTP authentication attempt occurs, the IDPS can determine if it was successful by finding the status code in the corresponding response. Once the user has authenticated successfully, the session is in the authenticated state, and users are expected to perform any of several dozen commands. Performing most of these commands while in the unauthenticated state would be considered suspicious, but in the authenticated state performing most of them is considered benign.

Stateful protocol analysis can identify unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command without first issuing a command upon which it is dependent. Another state tracking feature of stateful protocol analysis is that for protocols that perform authentication, the IDPS can keep track of the authenticator used for each session, and record the authenticator used for suspicious activity. This is helpful when investigating an incident. Some IDPSs can also use the authenticator information to define acceptable activity differently for multiple classes of users or specific users.

The "protocol analysis" performed by stateful protocol analysis methods usually includes reasonableness checks for individual commands, such as minimum and maximum lengths for arguments. If a command typically has a username argument, and usernames have a maximum length of 20 characters, then an argument with a length of 1000 characters is suspicious. If the large argument contains binary data, then it is even more suspicious.

Stateful protocol analysis methods use protocol models, which are typically based primarily on protocol standards from software vendors and standards bodies (e.g., Internet Engineering Task Force [IETF] Request for Comments [RFC]). The protocol models also typically take into account variances in each protocol's implementation. Many standards are not exhaustively complete in explaining the details of the protocol, which causes variations among implementations. Also, many vendors either violate standards or add proprietary features, some of which may replace features from the standards. For proprietary protocols, complete details about the protocols are often not available, making it difficult for IDPS technologies to perform comprehensive, accurate analysis. As protocols are revised and vendors alter their protocol implementations, IDPS protocol models need to be updated to reflect those changes.

The primary drawback to stateful protocol analysis methods is that they are very resource-intensive because of the complexity of the analysis and the overhead involved in performing state tracking for many simultaneous sessions. Another serious problem is that stateful protocol analysis methods cannot detect attacks that do not violate the characteristics of generally acceptable protocol behaviour, such as performing many benign actions in a short period of time to cause a denial of service. Yet another problem is that the protocol model used by an IDPS might conflict with the way the protocol is implemented in particular versions of specific applications and operating systems, or how different client and server implementations of the protocol interact.
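The FTP example of section 3.3, beside the plain string-comparison signature of section 3.1, as an added example that is not part of the report: a stateful analyser that tracks the unauthenticated/authenticated state of a constructed FTP control-channel transcript, pairs each PASS with its reply to learn the outcome, records the claimed username as the authenticator, and applies length and binary-data checks to arguments. The state model, the set of commands allowed before login, the 20-character username limit and the transcript itself are assumptions for this example, not a vendor profile.

```python
"""Added example (not from the report): stateful protocol analysis of a
constructed FTP transcript, next to the stateless signature it is contrasted
with. Transcript lines are ("C", client command) or ("S", server reply)."""

from __future__ import annotations
from typing import Optional

UNAUTH_COMMANDS = {"USER", "PASS", "HELP", "QUIT"}   # assumed allowed before login
MAX_USERNAME_LEN = 20                                  # assumed argument limit


def stateless_signature(transcript: list[tuple[str, str]]) -> list[tuple[int, str]]:
    """Section 3.1 style: flag any client line equal to 'USER root', with no idea
    whether the login then failed or succeeded."""
    return [(i, "signature: login attempt as root")
            for i, (who, line) in enumerate(transcript)
            if who == "C" and line == "USER root"]


def stateful_analysis(transcript: list[tuple[str, str]]) -> list[tuple[int, str]]:
    findings: list[tuple[int, str]] = []
    state = "unauthenticated"
    pending: Optional[tuple[int, str, str]] = None   # (line, verb, arg) awaiting a reply
    claimed_user: Optional[str] = None               # the session's authenticator
    last_verb: Optional[str] = None
    for i, (who, line) in enumerate(transcript):
        if who == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            # Reasonableness checks on the individual command.
            if verb == "USER" and len(arg) > MAX_USERNAME_LEN:
                findings.append((i, f"USER argument of {len(arg)} chars exceeds {MAX_USERNAME_LEN}"))
            if any(not 32 <= ord(c) < 127 for c in arg):
                findings.append((i, "binary data in command argument"))
            # Checks that need the session state.
            if state == "unauthenticated" and verb not in UNAUTH_COMMANDS:
                findings.append((i, f"{verb} issued before authentication"))
            if verb == "PASS" and claimed_user is None:
                findings.append((i, "PASS without a preceding USER"))
            if verb == last_verb and verb in {"USER", "PASS"}:
                findings.append((i, f"{verb} repeated"))
            if verb == "USER":
                claimed_user = arg
            pending, last_verb = (i, verb, arg), verb
        else:
            # Pair the reply with the outstanding request to learn its outcome.
            code = line[:3]
            if pending and pending[1] == "PASS":
                if code == "230":
                    state = "authenticated"
                    findings.append((i, f"login succeeded as {claimed_user!r}"))
                elif code == "530":
                    findings.append((i, f"login failed as {claimed_user!r}"))
            pending = None
    return findings


# Constructed transcript: two failed root logins, a RETR issued too early, an
# oversized binary USER argument, then a root login that succeeds.
SESSION = [
    ("C", "USER root"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guess1"),
    ("S", "530 Login incorrect."),
    ("C", "RETR /etc/passwd"),
    ("S", "530 Please login with USER and PASS."),
    ("C", "PASS guess2"),
    ("S", "530 Login incorrect."),
    ("C", "USER " + "A" * 40 + "\x90\x90"),
    ("S", "331 Please specify the password."),
    ("C", "USER root"),
    ("S", "331 Please specify the password."),
    ("C", "PASS hunter2"),
    ("S", "230 Login successful."),
    ("C", "RETR /etc/passwd"),
    ("S", "150 Opening BINARY mode data connection."),
]

if __name__ == "__main__":
    print("stateless:", stateless_signature(SESSION))
    for lineno, why in stateful_analysis(SESSION):
        print(f"line {lineno:2d}: {why}")
```

The stateless signature fires twice on "USER root" and can say nothing more. The stateful analyser reports which of those attempts failed and which succeeded (by pairing PASS with the 530 or 230 reply), flags the RETR issued before authentication while letting the same command through once the session is authenticated, and flags the 42-character argument containing non-printable bytes.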

CHAPTER 4

Snort

4.1 What is SNORT?

Snort is an open source, cross-platform, software-based lightweight Network Intrusion Detection System (NIDS) developed by Martin Roesch of Sourcefire. Snort is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and pattern matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts. Snort uses a flexible rules language to describe traffic that it should collect or pass, and includes a detection engine utilizing a modular plugin architecture. Snort has real-time alerting capability as well, incorporating alerting mechanisms for Syslog, user-specified files, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient. Suitable plugins allow the detection and reporting subsystems to be extended. Available plugins include statistical anomaly detection, database logging, small fragment detection, port scan detection, and HTTP URI normalization. Snort can be configured to run in three modes. These are:

• Packet Sniffer: Snort's packet sniffing mode allows it to capture and display all network traffic to the administrator. It provides you with the flexibility to display either the entire packet or only certain header information.
• Packet Logger: Snort's packet logging mode performs the same functionality as the packet sniffing mode but writes the traffic to a data file.
• Network Intrusion Detection System: When run in this mode, Snort is capable of detecting potential network intrusions using a rule-based intrusion detection mechanism.

4.2 Introduction to Snort Rules

Snort uses a simple, lightweight rules description language that is flexible and quite powerful. There are a number of simple guidelines to remember when developing Snort rules that will help safeguard your sanity. Most Snort rules are written in a single line. This was required in versions prior to 1.8. In current versions of Snort, rules may span multiple lines by adding a backslash \ to the end of the line.

Snort rules are divided into two logical sections, the rule header and the rule options. The rule header contains the rule's action, protocol, source and destination IP addresses and netmasks, and the source and destination ports information. The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken.

alert tcp any any -> 192.168.1.0/24 111 \
(content:"|00 01 86 a5|"; msg:"mountd access";)

Figure 4.1: Sample Snort Rule

The text up to the first parenthesis is the rule header and the section enclosed in parentheses contains the rule options. The words before the colons in the rule options section are called option keywords. All of the elements that make up a rule must be true for the indicated rule action to be taken. When taken together, the elements can be considered to form a logical AND statement. At the same time, the various rules in a Snort rules library file can be considered to form a large logical OR statement.
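The rule anatomy described above, as an added example that is neither part of the report nor Snort's own code: a minimal parser and matcher for the rule in Figure 4.1 that makes the header/options split, the AND across one rule's elements and the OR across a rules file visible. It handles only the "alert" action, the "->" direction, "any" or CIDR addresses, single ports, and the "content" (with |hex| sections) and "msg" options; the second rule in the constructed rules file and the test packets are assumptions for this example.

```python
"""Added example (not from the report or from Snort): a toy Snort rule parser
and matcher for the subset of the syntax used in Figure 4.1."""

from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    contents: list[bytes]      # every content: must be present (logical AND)


def parse_content(value: str) -> bytes:
    """Snort content syntax: literal text, with |hex bytes| sections between pipes."""
    out = bytearray()
    for i, piece in enumerate(value.split("|")):
        out += bytes.fromhex(piece) if i % 2 else piece.encode()
    return bytes(out)


def parse_rule(text: str) -> Rule:
    text = text.replace("\\\n", " ")                  # join backslash-continued lines
    header, _, options = text.partition("(")          # header = text before the first '('
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only the -> direction is supported in this example")
    msg, contents = "", []
    for opt in filter(None, (o.strip() for o in options.rstrip(")").split(";"))):
        key, _, value = opt.partition(":")            # word before the colon = option keyword
        value = value.strip().strip('"')
        if key == "content":
            contents.append(parse_content(value))
        elif key == "msg":
            msg = value
    return Rule(action, proto, src, sport, dst, dport, msg, contents)


def load_rules(text: str) -> list[Rule]:
    """A rules file: one rule per line, a trailing backslash continuing a rule."""
    return [parse_rule(chunk) for chunk in re.split(r"\n(?=alert )", text.strip())]


def _addr_ok(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every element of the rule must hold: a logical AND."""
    return (rule.proto == pkt.proto
            and _addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)
            and all(c in pkt.payload for c in rule.contents))


def alerts(rules: list[Rule], pkt: Packet) -> list[str]:
    """Any rule in the file may fire: a logical OR across rules."""
    return [r.msg for r in rules if r.action == "alert" and rule_matches(r, pkt)]


# Constructed rules file: the Figure 4.1 rule plus a second, assumed rule.
RULES_FILE = '''alert tcp any any -> 192.168.1.0/24 111 \\
(content:"|00 01 86 a5|"; msg:"mountd access";)
alert tcp any any -> 192.168.1.0/24 21 (content:"USER root"; msg:"ftp root login";)'''

MOUNTD_PROBE = b"\x80\x00\x00\x28" + b"\x00" * 8 + b"\x00\x01\x86\xa5"   # constructed payload


def demo() -> dict[str, list[str]]:
    rules = load_rules(RULES_FILE)
    packets = {
        "mountd inside": Packet("tcp", "10.0.0.5", 40000, "192.168.1.20", 111, MOUNTD_PROBE),
        "mountd outside": Packet("tcp", "10.0.0.5", 40000, "192.168.2.20", 111, MOUNTD_PROBE),
        "ftp root": Packet("tcp", "10.0.0.5", 40001, "192.168.1.21", 21, b"USER root\r\n"),
        "ftp alice": Packet("tcp", "10.0.0.5", 40001, "192.168.1.21", 21, b"USER alice\r\n"),
    }
    return {name: alerts(rules, p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name:15s} -> {fired or 'no alert'}")
```

The mountd probe aimed at 192.168.2.20 carries the same payload as the one that fires, but the destination element of the rule fails, so the AND fails and no alert is raised; the FTP packet is caught by the second rule even though the first does not match, which is the OR across the file.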

Conclusion

There are many technologies in the market today to help companies fight the inevitable network and system attack. IPS and IDS technologies are only two of many resources that can be deployed to increase visibility and control within a corporate computing environment. IDS and IPS provide a foundation of technology that meets the requirement of tracking and identifying network attacks: detection through the logs of IDS systems, and prevention of an action through IPS systems. If a host holds critical systems and confidential data, or is subject to strict compliance regulations, then it is worthwhile to use IDS, IPS or both in the network environment. Intrusion detection and prevention systems are put in place to serve a business need for meeting an objective of network security. The basic benefits of IDS and IPS systems are:

• Normal and intrusive malicious activities detected
• Proactive protection of network security infrastructure
• Operational efficiencies: a reduced need to react to event logs for protection
• Increased coverage against packet attacks and zero-day attacks

Deterministic intrusion detection or prevention is the next-generation firewall with deep packet inspection and sniffing in the network. But it is not a silver bullet; it should be a baseline at the border and deeper in the network for "Defense in Depth."
