Intrusion Detection System/Intrusion Prevention System (Snort):Intro (Part 1)

ByMahendra Pratap SinghTeam: WhitehatPeople

Introduction

Intrusion: the act of thrusting in, or of entering into a place or state without invitation, right, or welcome.

Intrusion detection is an act of detecting an unauthorized intrusion by a computer on a network. This unauthorized access, or intrusion, is an attempt to compromise, or otherwise do harm, to other network devices.

IDS: An IDS is the high-tech equivalent of a burglar alarm, one that is configured to monitor information gateways, hostile activities, and known intruders.

IDS An IDS is a specialized tool that knows how to parse and interpret

network traffic and/or host activities. This data can range from network packet analysis to the contents of log files from routers, firewalls, and servers, local system logs and access calls, network flow data, and more.

Furthermore, an IDS often stores a database of known attack signatures and can compare patterns of activity, traffic, or behavior it sees in the data it’s monitoring against those signatures to recognize when a close match between a signature and current or recent behavior occurs.

Types of IDS

Network based IDS: IDSes that monitor network links and backbones looking for attack signatures are called network-based IDSes.

Host based IDS: IDS that operate on hosts and defend and monitor the operating and file systems for signs of intrusion and are called host based IDSes.

Distributed IDS: Groups of IDSes functioning as remote sensors and reporting to a central management station are known as distributed IDSes (DIDSes).

A gateway IDS is a network IDS deployed at the gateway between your network and another network, whereas Application IDS understand and parse application specific traffic and underlying protocol

How does an IDS work?

IDSes uses different approaches for event analysis. Signature Detection is the same approach used by an antivirus software to detect infected file or any virus. In these IDSes attack signatures are stored in database and detects intrusion by matching these attack signature with network traffic.

Anomaly Detection (Heuristics) technique, uses predefined rules about normal and abnormal activity. Most effective solutions combine network- and host-based IDS implementations. Likewise, the majority of implementations are primarily signature-based, with only limited anomaly-based detection capabilities present in certain specific products or solutions.

Snort: An Open Source IDS

Snort is an open source IDS it can perform real time packet analysis on IP networks. Snort can detect verity of attacks such as buffer overflows, stealth port scans, Common Gateway Interface (CGI) attacks, Server Message Block (SMB) probes, operating system fingerprinting attempts, and much more.

Snort can be configured in three modes:

A) Sniffer Mode

B) Packet Logger

C) Network Intrusion Detection

Some predefined signatures (community signatures) and SourceFire VDB signatures provided with Snort, also you can write your own Signature based on your own need. Signatures can be written for scanning behavior of attacks or for the exploit attempts.

IDSes can be used when patches for newly discovered vulnerabilities are not announced yet, but still those vulnerabilities needs to be monitored till official solution is available.

Some questions needs to be answered before considering IDS, Should your IDS be inline, sitting at the choke point(s) between your network and the world, or not? Does it make sense to drop traffic actively, or do you just want to generate alerts for analysis without touching the network.

Snort is a packet sniffer/packet logger/network IDS.

Rule types for Snort can be downloaded from Snort site. Rules are organized by rule type, include P2P, backdoor, DDOS attacks, web attacks, viruses and many others.

Rules are mapped to a number that is recognized as a type of attack known as a Sensor ID (SID).

Hardware/Software Requirement for Snort:

Fast Hard Drive to process and store Data, logs.

Fast Network Interface Card(NIC) to process packets.

Large RAM for faster processing

Snort Architecture

There are four basic components of Snort’s architecture:

a) The Sniffer

b) The Preprocessor

c) The Detection Engine

d) The Output.

Snort is designed to take packets and process them through preprocessor and then check those packets against a series of rules. The preprocessor, the detection engine, and the alert components of Snort are all plug-ins. Plug-ins are programs that are written to conform to Snort’s plug-in API.

Snort Architecture

Part 1 - Packet Sniffer

A network sniffer allows an application or a hardware device to eavesdrop on data network traffic.

Sniffer are used for Network analysis and troubleshooting, performance analysis etc. If network traffic is encrypted it can prevent people to sniff network.

As a sniffer, Snort can save the packets to be processed and viewed later as a packet logger.

Part 2 – Preprocessor

Preprocessor takes the packets and check them against set plug-ins like RPC plug-in, HTTP plug-in, port scanner plug-in.

These plug-ins check for a certain type of behavior from the packet. On that particular behavior plug-in send that packet to Detection engine.

Plug-ins can be enabled and disabled on need basis.

Snort support many kind of preprocessors and their attendant plug-ins, covering many commonly used protocols.

Part 3 – Detection Engine

Once packets are checked by preprocessor they are passed to Detection engine.

Detection engine takes that data and checks through set of rules.

If rules match the data in the packet, they are sent to the alert processor.

Snort has a particular syntax that it uses with its rules. Rule syntax can involve the type of protocol, the content, the length, the header, and other various elements, including garbage characters for defining butter overflow rules.

Part 4 – Output Component

Once Snort data processed in Detection engine, if data matches a rule, an alert is triggered.

Alert can be sent to log file through network connection, through UNIX sockets or Windows Popup (SMB) or SNMP traps.

The alerts can also be stored in an SQL database such as MySQL.

Logs can also be used on Web interface.

Through Syslog tool (ex. Swatch), Snort alerts can be sent via e-mail to notify system admin in real time.

Thanks for your time.

More in next Part

By

Mahendra Pratap Singh | Team Whitehat People

(Source: Snort IDS and IPS Toolkit by Jay Beale’s Open Source Security Series)