Using open-source snort understanding the different IDS systems

1. IDS with Snort
NULL MEET FEB 13X19’
BY SHYAMSUNDAR DAS

2. Agenda
•Where Firewall fails
•Comparison
•How IDS works
•Types of IDS
•Signature Detection
•State based detection
•Writing rules with SNORT

3. Need for IDS
Where firewall fails?
• Firewall can’t protect against what has been authorized.
•Firewalls are only as effective as the rules they are configured to enforce.
•Firewalls can’t stop attacks if the traffic does not pass through them.
•Insider attackers are common
•Detection of abnormal behaviour
•Analysis of encrypted traffic for intrusion

4. A comparison

5. How IDS work?
• Packet capturing
– Libpcap
– Libipq
• Packed Decoding
• Detection Engine
• Alert / Log generation
• Alert Analysis

6. IDS Terminology
• Alert/Alarm
• Signal suggesting that the system is being attacked
• False Positives
• An alarm when no attack has taken place
• False Negatives
• Failure to detect an actual attack
• True Positives
• An alarm produced by IDS for an legitimate attack
• True Negative
• No alarm is raised when there is no attack

7. Types of IDS
• Based on Architecture
– NIDS – Network IDS
– HIDS – Host IDS
– Hybrid IDS
• Based on Detection Methodology
– Misuse Detection
– Anomaly Detection
– Protocol Analysis Detection

8. NIDS
• IDSs detect attacks by capturing and
analysing network packets
• Sniffing done by enabling the Ethernet
interface to “promiscuous mode”
• Hub & Switched network
• Detection methodology includes Signature
detection and Anomaly detection through
traffic profiling
Fig: NIDS Deployment

9. NIDS Sensor Architecture

10. HIDS
• Operates on information collected from
within an individual computer system
• Performs integrity checks, log analysis and
audit trails
• Detection methodology includes Signature
detection and Anomaly detection through
user and system profiling

11. HIDS Sensor Architecture

12. Hybrid IDS
• Includes both NIDS and HIDS
sensors
• Common Management console
• Distributed and provides correlated
inferences from both NIDS and HIDS

13. Signature Detection Engine
● Load all the signatures in the memory
● Classify all the signatures based on protocol
● On arrival of a packet
–Decode the packet
–Extract the classification parameter
–Identify the class and match the rules within this
class
–If any rule matches
•Form an alert
•Hand the alert information to the communication
module
Fig :Types of Signature detection

14. What Signatures Lack?
• Knowledge of connection state at which
the attack can occur
• Knowledge of pre-conditions & postconditions
for the attack to be successful
• Consequences
–High false positives
–Huge computation overhead

15. State based detection
figure shows that “WIZ” has to be searched for
detecting the intrusion.
• In a state based detection the connection
will pass through different states
– TCP connection establishment
– SMTP Handshake
– COMMAND mode
• When the connection reaches the command
mode its only then our model starts the signature detection

16. Intro to Snort
What is Snort?
◦ Snort is a multi-mode packet analysis tool
◦ Sniffer
◦ Packet Logger
◦ Forensic Data Analysis tool
◦ Network Intrusion Detection System
Where did it come from?
◦ Developed out of the evolving need to perform network traffic analysis in
both real-time and for forensic post processing

17. Detection Engine
•Rules form “signatures”
•Modular detection elements are combined to form these signatures
•Wide range of detection capabilities
• Stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits,
etc.
•Rules system is very flexible, and creation of new rules is relatively simple

18. Data Flow
Rule Header
• Action type
• Protocol
• IP address
• Port number
• Direction
Rule Options
• Contains set of keywords
–Content, message, reference etc
• Rule option category
–Meta-data : Information about rule
–Payload : look for data into the packet payload
–Non-payload : look for non payload data
–Post-detection : triggers after the rule has fired

19. Writing Snort rules
This rule will generate an alert whenever Snort detects an ICMP Echo request (ping) or Echo
reply message.
alert icmp any any -> $HOME_NET any (msg:”ICMP test”; sid:1000001; rev:1; classtype:icmp-
event;)
sudo snort -T -i eth0 -c /etc/snort/snort.conf

20. Demo time

21. Snort Rules- To detect sub seven trojan
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22";
flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;
reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity;
rev:4;)
alert action to take; also log, pass, activate, dynamic
tcp protocol; also udp, icmp, ip
$EXTERNAL_NET source address; this is a variable – specific IP is ok
27374 source port; also any, negation (!21), range (1:1024)
-> direction; best not to change this, although <> is allowed
$HOME_NET destination address; this is also a variable here
any destination port

22. Snort Rules(contd…)
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+;
content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;
reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
msg:”BACKDOOR subseven 22”; message to appear in logs
flags: A+; tcp flags; many options, like SA, SA+, !R, SF*
content: “|0d0…0a|”; binary data to check in packet; content without | (pipe) characters do simple
content matches
reference…; where to go to look for background on this rule
sid:103; rule identifier
classtype: misc-activity; rule type; many others
rev:4; rule revision number
other rule options possible, like offset, depth, nocase

23. ANY QUESTIONS?