1.
Network Protection Using Intrusion
Detection System (IDS)
Muhammad Arsalan Paracha
CIPMA Lab, PIEAS

2.
Outline
 Network Security Fundamentals
 IDS Overview
 IDS Types
 Snort - IDS
 Components
 Rules
 Configurations
 Attack detection

3.
What is Security
“Quality or state of being secure or free from danger”
3

4.
What is Network Security
Application of administrative, physical, and technical
controls in a network to provide Confidentiality, Integrity
and Availability.
4

5.
CIA Triad
Protection from unauthorized access
Protection from unauthorized alteration Provide timely and uninterrupted access

6.
Few Terminologies
Vulnerability: Any weakness
Attack: Exploitation of a vulnerability
Threat: The possibility of an attack
Cyber Attack: Any action compromising the security of information owned by an individual /
organization
Cyber Weapon: Any S/W, H/W or User used for a cyber attack

7.
Security, Functionality, and Ease of Use
Security
Ease of Use
Functionality
7

8.
Network Security Monitoring (NSM)
 Network security monitoring is an automated process that monitors network
devices and traffic for security vulnerabilities, threats, and suspicious activities.
 Organizations can use it to detect and respond to cybersecurity breaches
quickly.
8

9.
 The NSM Cycle consists of three distinct phases:
 Collection
 Detection
 Analysis
NSM Cycle

10.
Intrusion Detection System (IDS)
 A collection of techniques and methodologies used to monitor suspicious
activities both at the network and the host level
 It is not a firewall (Additional level of security in the network)
 IDS is more like an alarm system
 It will perform actions like
 Alerting, logging , etc upon detection.
 Network administrators can make changes in the firewall rules upon detection of attacks
 Can help detect attacks that pass through the firewall
 Protection from the insiders
 It inspects the content of the network traffic
10

11.
IDS
 Deployed with multiple sensors on various location on the network
 Report to a centralized management console
 A sensor
 Monitors traffic, matches against the rule sets and raises alerts, logs it or
some other action.
 A rule set contains
 Traffic signatures or rules for unwanted behavior
 Rules
Check for threshold, protocol IP source and destination
 Signatures
Traffic patterns associated with attack

12.
IDS
Dr. Hanif Durad
12

13.
Host Based IDS (HIDS)
 Log Monitors
 Parse system event Log files
 Example: Apache,
access log file
check for “cgi-bin”
 Integrity Checkers
 check for key system structures to change
 System files, registry keys
 Tripwire (FIM solution)
File Additions , deletions, flag modifications, access time etc.

14.
Network Based IDS (NIDS)
 Signature Based
 Database of know signatures
 Similar to virus signatures, but it looks for attack signatures
 Anomaly based
 Form a baseline for a normal system
 Raise an alarm when the system is no longer functioning under normal conditions

15.
Signature Based IDS
 The most common form of IDS is signature-based
 These systems work by examining packet data for indicators of
compromise (IOCs)
 Indicators are combined with IDS platform-specific directives to form
signatures (also called rules)
 Whenever a signature-based IDS locates data that matches content found
in a signature, it generates an alert
 The two most popular signature-based detection IDS’s are Snort and
Suricata
15

16.
Snort - an network intrusion
prevention and detection system
16

17.
Snort Modes
 Sniffer mode
 simply reads the packets off of the network and displays them for you in a
continuous stream on the console (screen).
 Packet Logger mode
 logs the packets to disk
 IDS / offline mode
 IPS / Inline mode
17

18.
Snort Components
18

19.
Packet Decoder
 Takes packets from different types of network interfaces (Ethernet, SLIP,PPP…)
 Determine which underlying protocols are used in the packet (such as Ethernet,
IP, TCP, etc.)
 It also detects various anomalous behaviors in packet headers.
19

20.
Preprocessor
 Plugins that modify or setup data for the detection engine
 It rearranges the data to be detectable by the IDS
 Packet defragmentation
 If the packets are too large, then it gets fragmented into smaller packets
 Must be reassembled prior to analysis
20

21.
Preprocessor
 frag3 – Detects packet fragmentation
 Stream5 (Self protection against TCP and UDP)
 http_inspect – Web Traffic
 rpc_decode – RPC traffic
 Reputation - provides basic IP blacklist/whitelist capabilities
 sfportscan – Detect port scanning activities.
21
+Many other

22.
Detection Engine
 Most important part of the engine
 Uses the detection rules
 It is dependent on
 Speed of the machine
 Number of rules
 Load on the network
 The Detection Engine applies rules to different parts of the packet
 Header (IP/TCP/Application)
 Packet Payload
 Policy for matching of rules varies with versions
22

23.
Logging and Alerting system
 Based upon the matched rule
 Logged, alert generated
 Logs /var/log/snort
 -l for the modification of location
23

24.
Snort Rules
 In a single line
 Rules are created by known intrusion signatures.
 Included in snort configuration file.
rule header rule options

25.
Snort Rule
Actions
Protocol
Source ip address
Source port #
destination ip address
Destination port
Rule options
Rule header

26.
Rule Header - Actions
 The first item in a rule is the rule action. The rule action tells Snort what to do
when it finds a packet that matches the rule criteria. There are 3 available
default actions in Snort, alert, log, pass. In addition, if you are running Snort
in inline mode, you have additional options which include drop, reject, and
sdrop.
 alert - generate an alert using the selected alert method, and then log the packet
 log - log the packet
 pass - ignore the packet
 drop - block and log the packet
 reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or
an ICMP port unreachable message if the protocol is UDP.
 sdrop - block the packet but do not log it.

27.
Rule Header - Source and Destination
IP Address Field (1/2)
 (source network) (port) -> (destination network) (port)
 CIDR (Classless Inter Domain Routing) notation is used for the
network arguments. 10.35.24.0/24
 For the Snort rules files, you really deal with only two types of
entries:
 Networks
 Hosts

28.
Rule Header - Source and Destination
IP Address Field (2/2)
 Source and Destination IP Address Field
 Format: Address/netmask
Address x.x.x.x
Netmask = bits of network mask
For example
 24.0.0.0/8 Class A
 24.3.0.0/16 Class b
 192.185.67.0/24 Class C
 192.185.67.188 host address
 Special keywords:
any
! (negation)
$HOME_NET (variable defined elsewhere)

29.
Rule Header -Source and Destination Port
Field
 Source and Destination Port Field
 Static port: 111
 All ports: any
 Range: 110:3000
 Negation: !80
 Less than or equal :1023
 Greater than or equal 1024:

30.
Rule Header –Direction Indicator
 Rule Header Fields
 ->
 Source information specified to the left of arrow, destination information
specified to the right of the arrow
 There is also a bidirectional operator, which is indicated with a <> symbol. This
tells Snort to consider the address/port pairs in either the source or destination
orientation. This is handy for recording/analyzing both sides of a conversation,
such as telnet or POP3 sessions

31.
Rules Options
 All Snort rule options are separated from each other using the semicolon (;)
character. Rule option keywords are separated from their arguments with a
colon (:) character
 There are four major categories of rule options
 General (msg, reference & classtype)
 These options provide information about the rule but do not have any affect during detection
 Payload (content, depth, offset & nocase)
 These options all look for data inside the packet payload and can be inter-related
 Non-Payload (ttl, id, dsize, flags, seq & icmp-id)
 These options look for non-payload data
 Post Detection (logto & session)
 These options are rule specific triggers that happen after a rule has “fired.”

32.
Snort Rule example
 Rule Header
alert tcp $External_NET any -> $Home_Net 21
 Rule Options
(msg: “ftp Exploit”; flow_to_server, established; content:
“|31c031db 41c9b046 cd80 31c031db|”; reference:
bugtraq,1387; classtype:attempted-admin; sid 344; rev4;)

33.
Rule Classification

34.
Snort Configuration File
34

35.
Snort.conf
 The Snort configuration file contains 9 basic sections:
1) Set the network variables.
2) Configure the decoder
3) Configure the base detection engine
4) Configure dynamic loaded libraries
5) Configure preprocessors
6) Configure output plugins
7) Customize your rule set
8) Customize preprocessor and decoder rule set
9) Customize shared object rule set
35

36.
Snort Configuration
 Snort configuration has three main parameters
1. Variables
2. Config
3. Includes

37.
Snort Configuration: Variables
 Variables are used to store information to be referenced and manipulated
 Three Types of Variables may be defined in snort:
 var
 Simple variable can be defined for any purpose
 Portvar
 Portvar are used to define port or ports list
 Ipvar
 Ipvar is used to define Ips or IP lists

38.
Snort Configuration: Variables
 example
 var RULES_PATH /usr/local/etc/rules/
 portvar MY_PORTS [22,80,1024:1050]
 ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]
 Usage:
 alert tcp any any -> $MY_NET $MY_PORTS (flags:S; msg:"SYN packet";)

39.
Snort Configuration: Config
 Many configuration and command line options of Snort can be specified in
the configuration file
 Format
 config <directive> [: <value>]
 Example
 Config frag3
OR
 config alert_with_interface_name ens33 (snort –I)

40.
Snort Configuration: Include
 The include keyword allows other snort config files to be included within the
snort.conf indicated on the Snort command line
 It work much like #include in C programming language
 Format
 include <include file path/name>
 Example
 include $RULE_PATH/example.rule

41.
Attack Detection in Snort
41

42.
Rule options for NMAP
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:
"NMAP ping sweep Scan"; dsize:0;sid:10000004; rev: 1; )
Identify NMAP Ping Scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:
"NMAP TCP Scan";sid:10000005; rev:2; )
Identify NMAP TCP Scan
Identify NMAP XMAS Scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap
XMAS Tree Scan"; flags:FPU; sid:1000006; rev:1; )

43.
Rule options for NMAP
Identify NMAP FIN Scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Nmap FIN
Scan"; flags:F; sid:1000008; rev:1;)
Identify NMAP NULL Scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 22
(msg:"Nmap NULL Scan"; flags:0; sid:1000009; rev:1; )
Identify NMAP UDP Scan
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"Nmap
UDP Scan"; sid:1000010; rev:1; )