Intrusion Detection System (IDS).ppt
-
Upload
anubhav-sharma -
Category
Documents
-
view
82 -
download
1
description
Transcript of Intrusion Detection System (IDS).ppt
![Page 1: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/1.jpg)
Intrusion Detection System (IDS) Contents:1. Introduction to IDS2. How does an IDS works?3. Types of IDS4. Topics comes under IDS5. SNORT6. Practical implementation of SNORT
![Page 2: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/2.jpg)
Introduction to IDS A system that tries to identify attempts to hack or
break into a computer system or to misuse it. IDSs may monitor packets passing over the network,
monitor system files, monitor log files, or set up deception systems that attempt to trap hackers.
Computer systems have become more vulnerable to intrusions than ever.
Intrusion Detection is a security technology that allows not only the detection of attacks, but also attempts to provide notification of new attacks unforeseen by other components. Intrusion detection is an important component of a security system, and it complements other security technologies.
![Page 3: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/3.jpg)
How does an IDS works? While there are several types of IDSs, the
most common types work the same. They analyze network traffic and log files for certain patterns.
What kind of patterns you may ask? While a firewall will continually block a hacker
from connecting to a network, most firewalls never alert an administrator.
The administrator may notice if he/she checks the access log of the firewall, but that could be weeks or even months after the attack.
This is where an IDS comes into play.
![Page 4: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/4.jpg)
• The attempts to pass through the firewall are logged, and IDS will analyze its log.
• At some point in the log there will be a large number of request-reject entries.
• An IDS will flag the events and alert an administrator. The administrator can then see what is happening right after or even while the attacks are still taking place.
• This gives an administrator the advantage of being able to analyze the techniques being used, source of attacks, and methods used by the hacker.
![Page 5: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/5.jpg)
![Page 6: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/6.jpg)
Types of intrusion detection systems1. Host-Based Intrusion Detection
System (HIDS):
Host-based intrusion detection systems or HIDS are installed as agents on a host.
These intrusion detection systems can look into system and application log files to detect any intruder activity.
![Page 7: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/7.jpg)
2) Network-Based Intrusion Detection System (NIDS)
These IDSs detect attacks by capturing and analyzing network packets.
Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment, thereby protecting those hosts.
Network-based IDSs often consist of a set of single-purpose sensors or hosts placed at various points in a network.
These units monitor network traffic, performing local analysis of that traffic and reporting attacks to a central management console.
![Page 8: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/8.jpg)
Topics comes under IDS Signatures Alerts Logs False Alarms Sensors
![Page 9: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/9.jpg)
SNORT Snort is a very flexible network intrusion
detection system that has a large set of pre-configured rules.
Snort also allows you to write your own rule set. There are several mailing lists on the internet where people share new snort rules that can counter the latest attacks.
Snort is a modern security application that can perform the following three functions :
It can serve as a packet sniffer. It can work as a packet logger. It can work as a Network-Based Intrusion
Detection System (NIDS).
![Page 10: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/10.jpg)
Practical Implementation Here I am presenting you a practical
implementation of SNORT. I am going to set up SNORT in
WINDOWS-7. For this, first we need some software as I
listed below :1) SNORT (http://dl.snort.org)2) Oink master (
http://sourceforge.net/projects/oinkmaster/files/oinkmaster/2.0/oinkmaster-2.0.tar.gz/download)
![Page 11: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/11.jpg)
3) Kiwi Syslog Server 9.0.3 (http://kiwisyslog.com/kiwi-syslog-server-download/)
4) Notepad++ (http://sourceforge.net/projects/notepad-plus)
So these are the basic software which we need to need to install our system before set-up SNORT.
Continue……..
![Page 12: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/12.jpg)
STEP-1 (Acquiring updated Rules and an Oinkcode) First you have to signup on link
https://www.snort.org/signup”
![Page 13: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/13.jpg)
Why we signup????????? You will need to become a Registered
member on the Snort website.
This is needed in order to download and use the Source fire VRT Certified Rules.
Snort will not be operating up to date without them (and Oink master will not work).
![Page 14: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/14.jpg)
After you have created an account, log in to the Snort website and copy your personalized Oink code (to be used by Oink master).
Also, download the Source fire VRT Certified Rules (registered-user release)
Be sure to grab the “snapshot” version, as shown next slide.
Continue…….
![Page 15: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/15.jpg)
![Page 16: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/16.jpg)
![Page 17: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/17.jpg)
Step-2(Applying our updated Rules) **BEFORE APPLYING THESE UPDATED RULES,
COPY THE FILE C:\SNORT\ETC\SNORT.CONF TO YOUR DESKTOP**
Right-click on the snortrules-snapshot-2.8.tar.gz file that we downloaded and choose “Extract Here”
Right-click on the newly extracted file (snortrules-snapshot-2.8_s.tar) and choose “Extract files...”.
Change the Path to C:\Snort and check “Overwrite without prompt”
![Page 18: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/18.jpg)
![Page 19: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/19.jpg)
![Page 20: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/20.jpg)
Step-3(Configuring the snort.conf File) Edit the file you copied to your Desktop
(snort.conf) with Notepad++ and perform the following:
Now edit these lines:
![Page 21: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/21.jpg)
Continue….. Now save and close this file. Copy this
file to c:\snort\etc and overwrite the existing one.
Keep in mind that you will need to tailor this file (especially the rule set section) and any other configuration files to further suit your IDS/IPS needs.
![Page 22: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/22.jpg)
Step-4(Verifying Snort Operation) Open a Command Prompt and run “c:\snort\bin\
snort –W” (be sure to use a capital “W”) Now run c:\snort\bin\snort -v -iX (replace X with
your Device Interface number found from running the previous line)
After a couple of seconds you will see “Not Using PCAP_FRAMES”. Snort is now running and will alert you if a Rule is triggered. If you have suspicious network traffic going across your interface, the command prompt window will rapidly scroll text.
![Page 23: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/23.jpg)
![Page 24: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/24.jpg)
![Page 25: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/25.jpg)
Continue…….. While still leaving the Snort command
prompt window open, launch a second command prompt window.
From the new window, run the command ping google.com If it hasn't occurred already, this ping command will trigger a Snort alert!
![Page 26: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/26.jpg)
![Page 27: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/27.jpg)
Continue…….. You can now close both command prompt
windows, as we have verified that Snort is installed and alerting correctly in verbose mode.
To test that our configuration file is correct, open a new command prompt window and type:
“c:\snort\bin\snort -iX -s -l c:\snort\log\ -c c:\snort\etc\snort.conf” (replace X with your Device Interface number)
![Page 28: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/28.jpg)
If you have correctly entered all information, you should receive a graceful exit such as the screen shot below. If you receive a fatal error, you should first verify that you have typed all modifications correctly into the snort.conf file and then search through the file for entries matching your fatal error message.
![Page 29: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/29.jpg)
Step-5(Verifying Kiwi Operation and Tying it to Snort) Now open the Kiwi Syslog Server
Console and type CTRL-T (you should see a test message appear, which indicates Kiwi is working)
![Page 30: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/30.jpg)
Continue……… Using Notepad++, create a file on your
Desktop called Snortstart.bat and place the following line of code in it: c:\snort\bin\snort -iX -s -l c:\snort\log\ -c c:\snort\etc\snort.conf (replace X with your Device Interface number)
Also create a shortcut on your Desktop for the Kiwi Syslog Server Console
Open the Kiwi Syslog Server Console (if it isn't already)
![Page 31: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/31.jpg)
Now right-click and run Snortstart.bat as an Administrator. Wait (about thirty seconds) until you see the familiar line “Not Using PCAP_FRAMES” at the end. Finally, open another command prompt window and run: ping google.com and……. At this point you should see the Snort Alert outputting into Kiwi!!!!
![Page 32: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/32.jpg)
Note that the reason why we have to run our batch file as an Administrator is that,-
“in our current configuration, we need to maintain rights to not only output our alerts to Kiwi, but to write them to a log file.”
At this point we have successfully installed Snort and have our Alerts being output to two sources.
Our final step will be to configure Oinkmaster to help us update and manage our Rules.
![Page 33: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/33.jpg)
Step-6(Configuring Oinkmaster and Verifying its Operation) Right-click on the oinkmaster-2.0.tar.gz file that
we downloaded and choose “Extract Here” Right-click on this new file (oinkmaster-2.0.tar)
and choose “Extract Here” Now we have a new folder called oinkmaster-
2.0. Move this new folder into c:\snort Go to c:\snort and create a folder named: temp Go to c:\snort\oinkmaster-2.0\contrib and copy
the oink-gui file to your Desktop. Rename this file to: Update Snort Rules
![Page 34: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/34.jpg)
Now we have an additional module we need to download and install:
![Page 35: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/35.jpg)
Once the file has been downloaded, open a command prompt window and type the line as shown below (note that your path name might be different.
Once the installation has been complete, you can close the command prompt window .
![Page 36: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/36.jpg)
Now double-click on our Update Snort Rules file we have on the desktop and configure Oinkmaster to match the screen shots shown:
Note that your “Editor” path may be different than that shown.
![Page 37: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/37.jpg)
Continue……. Now go back to the “Required files and
directories” tab and click “Edit” (to the right of the oinkmaster.conf file entry).
Where <oinkcode> is equal to the personal Oink code you downloaded from Snort.org earlier in this guide.
Now save your oinkmaster.conf file and close Notepad++
![Page 38: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/38.jpg)
You are now back at the main Oinkmaster GUI page
Click “Save current settings”
Click “Update rules!”
After a few minutes of watching the rule update process, it will read: done.Click “Exit” to close out of the Oinkmaster GUI.
**REMEMBER THAT EVERY TIME YOU UPDATE THE RULES, YOU WILL NEED TO STOP AND THEN RESTART SNORT FOR THE NEW RULES TO TAKE EFFECT**
![Page 39: Intrusion Detection System (IDS).ppt](https://reader031.fdocuments.us/reader031/viewer/2022020112/55cf9d45550346d033acec40/html5/thumbnails/39.jpg)