Network Intrusion Detection System Using Snort

By Disha Bedi

Introduction

In my project I developed a rule-based network intrusion detection system using Snort. BASE is used as the output front-end, and Wireshark is used as a packet analyzer to compare captured traffic with the rules and modify the rules from time to time.

The combination of Snort and BASE makes it possible to log the intrusion detection data into a database and then view and analyze it later through a web interface.

The goal of this project is to add network security to a Siemens product, SPPA-T3000, the instrumentation and control system that provides remote access to power plant management systems.

Intrusion Detection System (IDS)

Intrusion detection is a set of techniques and methods used to detect suspicious activity at both the network and the host level.

Attacks leave signatures that can be detected. Based on a set of signatures and rules, the intrusion detection system (IDS) finds and logs suspicious activity and generates alerts.

Usually an intrusion detection system captures a packet from the network, applies rules to its data and detects anomalies in it.

Components of IDS

Sensors are placed to listen to activity in a network or on a system.
Console monitors events and alerts.
Engine generates alerts if there is suspicious activity in the monitored events.

Types of IDS

There are two types of IDS based on the choice of sensor position:

Host Intrusion Detection Systems (HIDS): A host-based intrusion detection system monitors the internal components of a single computer, such as its logs, processes and files.
Network Intrusion Detection Systems (NIDS): A network-based intrusion detection system analyzes network packets captured by one or more sensors located in the network.

There are two types of IDS based on the choice of detection engine:

Anomaly Detection: An anomaly-based detection engine traces deviations from the normal state of a system, which are possibly caused by an attack on the system.
Signature Detection: A signature-based detection engine tries to detect an attack from its fingerprints, i.e. known patterns in packet headers or payload. Snort rules are signatures of this kind.

Positioning of sensors

Behind the firewall: The IDS only sees the traffic the firewall lets through. Packets belonging to an attack that the firewall blocks never reach the sensor, so the IDS cannot match the attack's signature and will not detect every attack attempted against the network.

In front of the firewall: The IDS monitors all traffic coming from the outside, including what the firewall would later drop, so it is able to detect the signatures of all attack attempts. The price is more noise: alerts also fire for attempts that the firewall stops anyway.

Protecting the IDS itself

One major issue is how to protect the system on which your intrusion detection software is running. If the security of the IDS is compromised, you may start getting false alarms or no alarms at all: the intruder may disable the IDS before actually performing any attack.

There are two ways of protecting the IDS:

Snort on a stealth interface: The sniffing interface only listens to incoming traffic and never sends any packets out, so it cannot be probed or answered from the monitored network.
Snort on an interface with no IP address: When the sniffing interface has no IP address, nothing on the monitored segment can address the IDS host through it. The sensor is then managed over a separate, protected interface.

Snort

Snort is primarily a rule-based IDS. It can perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks.

Snort reads the rules at start-up time and builds internal data structures, or chains, from them; captured packets are then matched against these chains rather than against the rule text.

Snort comes with a rich set of predefined rules to detect intrusion activity, and you are free to add your own rules at will.

Modes of Snort

Snort can be configured to run in three modes:

Sniffer mode, which simply reads the packets off the network and displays them on the screen.
Packet logger mode, which logs the packets to disk.
Network Intrusion Detection System (NIDS) mode, which analyzes network traffic for matches against a user-defined rule set and performs the rule's action (alert, log or pass) based upon what it sees.

Components of Snort

Packet Decoder: Prepares packets for processing by decoding the link, IP and transport layer headers.
Preprocessors or Input Plugins: Used to detect anomalies and to perform packet defragmentation and stream reassembly before the rules are applied.
Detection Engine: Applies rules to packets.
Logging and Alerting System: Generates alert and log messages.
Output Modules: Process alerts and logs and generate the final output, for example files, syslog or a database.

Flow of packets (figure not reproduced here)

Basic Analysis and Security Engine (BASE)

BASE is the alert console of our IDS: Snort's output module writes the alerts to a database (via barnyard), and BASE provides a web front-end to query and analyze the alerts coming from the Snort IDS system.

It is written in PHP.

Wireshark

Wireshark is a network packet analyzer. A network packet analyzer captures network packets and displays the packet data in as much detail as possible.

Writing Snort rules

All Snort rules have two logical parts: the rule header and the rule options.

The rule header contains the action a rule takes. It also contains the criteria for matching a rule against data packets.

The general structure of a Snort rule header:

action protocol source_ip source_port direction destination_ip destination_port

The rule options part usually contains an alert message and information about which part of the packet should be used to generate the alert message. The options part contains additional criteria for matching a rule against data packets.

Use of variables

Three types of variables may be defined in Snort: var, portvar and ipvar.

Defining variables:

var RULE_PATH /snort/rules/
portvar MY_PORTS [22,80,1024:1050]
ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]

Using variables:

alert tcp any any -> $MY_NET $MY_PORTS (msg:"SYN packet"; flags:S; sid:1000001; rev:1;)
include $RULE_PATH/example.rule

The flags:S option is what restricts the rule to SYN packets; without it the rule would fire on every TCP packet to $MY_NET on $MY_PORTS. Every rule also needs a unique sid (and a rev) so that the alert can be identified in the logs and in BASE. The variable name used in include must match the one defined with var.
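The rule structure and the variables above, worked through in code. The following is an added example that is not part of the slides and not Snort's own code: it parses the ipvar/portvar declarations and three rules into Python structures at start-up, the way the Snort section describes, and then matches constructed packets against them. It goes a little beyond the slide's single SYN rule by also handling content matches with |hex| escapes and nocase. Everything in it is an assumption for illustration: the sids, the two extra rules, the packet dictionaries and the names load_config, parse, match and run.

```python
"""Toy Snort-style rule engine (added illustration, not Snort's own code): declarations and
rules are parsed into structures at start-up, then applied to constructed packets.
The config text, the packets and the sids below are constructed for the example."""
import ipaddress
import re

CONFIG = r"""
ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]
portvar MY_PORTS [22,80,1024:1050]
alert tcp any any -> $MY_NET $MY_PORTS (msg:"SYN packet"; flags:S; sid:1000001; rev:1;)
alert tcp any any -> $MY_NET 22 (msg:"SSH banner"; content:"SSH-2.0"; nocase; sid:1000002; rev:1;)
alert tcp $MY_NET any -> any any (msg:"hex content"; content:"|de ad be ef|"; sid:1000003; rev:1;)
"""
# Rule header: action protocol src_ip src_port -> dst_ip dst_port, followed by (options)
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse(spec, table, kind):
    """'any' -> None (matches anything); '$NAME' -> the variable's value; otherwise a
    port list ('22', '1024:1050', '[22,80,1024:1050]') or a CIDR list, per kind."""
    if spec == "any":
        return None
    if spec.startswith("$"):
        return table[spec[1:]]
    items = [s.strip() for s in spec.strip("[]").split(",") if s.strip()]
    if kind == "ip":
        return [ipaddress.ip_network(n) for n in items]
    ports = set()
    for item in items:
        lo, _, hi = item.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_content(raw):
    """Snort content syntax: literal text with |xx xx| hex escapes -> bytes."""
    parts = raw.split("|")  # odd-indexed parts sit inside |...| and are hex
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def load_config(text):
    """Read declarations and rules in file order (a variable must be defined before use)."""
    ipvars, portvars, rules = {}, {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        word, _, rest = line.partition(" ")
        if word in ("ipvar", "portvar"):
            name, _, val = rest.partition(" ")
            table = ipvars if word == "ipvar" else portvars
            table[name] = parse(val, table, word[:-3])  # "ip" or "port"
            continue
        m = HEADER.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        action, proto, src, sport, dst, dport, opts = m.groups()
        rule = dict(action=action, proto=proto, msg="", sid="", flags=None, content=None,
                    nocase=False, src=parse(src, ipvars, "ip"), dst=parse(dst, ipvars, "ip"),
                    sport=parse(sport, portvars, "port"), dport=parse(dport, portvars, "port"))
        for key, _, val in (o.strip().partition(":") for o in opts.split(";")):
            val = val.strip().strip('"')
            if key == "content":
                rule["content"] = parse_content(val)
            elif key == "nocase":
                rule["nocase"] = True
            elif key in ("msg", "sid", "flags"):
                rule[key] = val
        rules.append(rule)
    return rules

def _in(ip, nets):
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)

def match(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport, flags (TCP flag letters), payload (bytes)."""
    if rule["proto"] != pkt["proto"] or not _in(pkt["src"], rule["src"]) or not _in(pkt["dst"], rule["dst"]):
        return False
    if any(rule[k] is not None and pkt[k] not in rule[k] for k in ("sport", "dport")):
        return False
    # flags:S without a modifier means exactly SYN is set, so a SYN/ACK does not match.
    if rule["flags"] is not None and set(rule["flags"]) != set(pkt["flags"]):
        return False
    if rule["content"] is None:
        return True
    hay, needle = pkt["payload"], rule["content"]
    if rule["nocase"]:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay

def run(rules, packets):
    """Alerts as (sid, msg) in packet order: the records that end up in the database BASE reads."""
    return [(r["sid"], r["msg"]) for p in packets for r in rules if match(r, p)]

def tcp_packet(src, dst, dport, flags, payload=b"", sport=40000):
    return dict(proto="tcp", src=src, sport=sport, dst=dst, dport=dport, flags=flags, payload=payload)

# Constructed packets, not a real capture: one per rule, plus one that no rule should match.
PACKETS = [tcp_packet("203.0.113.5", "192.168.1.10", 22, "S"),
           tcp_packet("203.0.113.5", "192.168.1.10", 22, "PA", b"ssh-2.0-OpenSSH_8.9\r\n"),
           tcp_packet("10.1.1.7", "198.51.100.9", 443, "PA", b"\x00\xde\xad\xbe\xef\x00", sport=5555),
           tcp_packet("203.0.113.5", "192.168.1.10", 8080, "S")]

if __name__ == "__main__":
    print(run(load_config(CONFIG), PACKETS))
```

Running the file prints the three (sid, msg) pairs, one per rule. The fourth packet, a SYN to port 8080, falls outside $MY_PORTS and raises nothing, and a SYN/ACK would not match flags:S because Snort's flags test without a modifier requires exactly the listed flags. The variables are resolved once while loading, so the per-packet work is only set and network membership tests, which is the point of building the chains at start-up.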

Design and implementation

Position of NIDS sensors: Our NIDS is Snort based, and Snort uses rules (signatures) to detect an intrusion, so the sensor must see the packets that carry the signature in order to match the conditions given in the rules.

We therefore place the sensor in front of the firewall: if it were placed behind the firewall, the firewall would block some of the unwanted or harmful packets, and our Snort-based IDS would never see the signature of the attack.

Setup (network diagram):

Internet
Firewall (192.168.2.34)
NIDS (192.168.2.39)
DMZ: switch in DMZ (172.18.21.10), terminal server / workbench (172.18.21.2), system to control
Internal network: internal switch (192.168.2.138), application server, internal thin clients, system to control

Work done:

Install, configure and start Snort as well as MySQL, BASE, barnyard etc.

Create three different files in /etc/snort/variables. Declare variables for the device IP addresses, the network addresses and the ports of the different protocols in these three files, and include the files in the Snort configuration file.

Create separate files in /etc/snort/rules that contain the rules for the different protocols. Include the paths of these files in the Snort configuration file.

Also include a file for the generic rules, which are written to raise alerts for all kinds of incoming packets, wanted and unwanted.

Now open an SSH session from your terminal to the NIDS machine.

Start Snort using "sudo /etc/init.d/snortbarn start". Snort should then show alerts for unwanted packets in BASE.

Using Wireshark, we first check whether the captured packets carry the same content as the content specified in our rules. If the content is the same, Snort should raise an alert for these rules in BASE. Otherwise, if the content differs, the rules are updated to match the new content of the packet.
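One way to lay out /etc/snort as the steps above describe it, given here as an added example and not the project's own files: three variable files (device addresses, network addresses, ports per protocol), a per-protocol rule file and a generic rule file, all pulled in by snort.conf, with alerts handed to the BASE database through barnyard2. The file names, variable names, sids, the HOME_NET ranges and the database credentials are assumptions; only the device IP addresses come from the setup diagram.

```conf
# ---- /etc/snort/variables/devices.conf : individual device addresses (from the setup diagram)
ipvar FIREWALL_IP 192.168.2.34
ipvar DMZ_SWITCH_IP 172.18.21.10
ipvar INTERNAL_SWITCH_IP 192.168.2.138
ipvar WORKBENCH_IP 172.18.21.2
ipvar NIDS_IP 192.168.2.39

# ---- /etc/snort/variables/networks.conf : network ranges (assumed /24s)
ipvar DMZ_NET 172.18.21.0/24
ipvar INTERNAL_NET 192.168.2.0/24
ipvar HOME_NET [172.18.21.0/24,192.168.2.0/24]
ipvar EXTERNAL_NET !$HOME_NET

# ---- /etc/snort/variables/ports.conf : ports per protocol
portvar SSH_PORTS 22
portvar RDP_PORTS 3389
portvar RMI_PORTS 1099

# ---- /etc/snort/rules/ssh.rules : protocol-specific rule, client banner of a new SSH session
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"SSH client banner to protected host"; flow:to_server,established; content:"SSH-"; depth:4; sid:1000010; rev:1;)

# ---- /etc/snort/rules/generic.rules : alerts on every inbound packet, wanted or not
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"generic inbound packet"; sid:1000900; rev:1;)

# ---- /etc/snort/snort.conf : ties the files together
var VAR_PATH /etc/snort/variables
var RULE_PATH /etc/snort/rules
include $VAR_PATH/devices.conf
include $VAR_PATH/networks.conf
include $VAR_PATH/ports.conf
include $RULE_PATH/ssh.rules
include $RULE_PATH/generic.rules
# Snort writes binary unified2 records only; barnyard2 reads them and fills the
# MySQL database that BASE queries, so a slow database never stalls the sensor.
config logdir: /var/log/snort
output unified2: filename snort.u2, limit 128

# ---- /etc/snort/barnyard2.conf
input unified2
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost
```

Validate the whole configuration with `snort -T -c /etc/snort/snort.conf` before restarting the service, and name the sniffing interface (the one without an IP address) with `-i`, e.g. `snort -c /etc/snort/snort.conf -i eth1`. barnyard2 is then pointed at the spool directory and file: `barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo`. Because the generic rule matches every inbound packet, it will dominate the alert volume in BASE; it is useful while verifying that the sensor sees traffic, and should be narrowed or removed once the protocol-specific rules are tuned.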

Result

When we start Snort and run different protocols such as SSH, RDP, RMI etc., BASE shows new alerts.

Only the generic rules in our rule set raise alerts. These are the alerts for the unwanted packets, i.e. the intrusions in the network.

In BASE we can filter the alerts by various parameters and then try to find a solution to prevent these intrusions in the network in the future.