![When Snort generates an alert message, it will usually look like the
following:
[**] [116:56:1] (snort_decoder): T/TCP Detected [**]
The first number is the Generator ID, this tells the user what component of Snort
generated this alert. For a list of GIDs, please read etc/generators in the Snort
source. In this case, we know that this event came from the “decode”(116)
component of Snort.
The second number is the Snort ID (sometimes referred to as Signature ID). For a
list of preprocessor SIDs, please see etc/gen-msg.map. Rule-based SIDs are
written directly into the rules with the sid option. In this case,56 represents aT/TCP
event.
The third number is the revision ID. This number is primarily used when writing
signatures, as each rendition of the rule should increment this number with the rev
option.](https://image.slidesharecdn.com/pertemuan9intrusiondetectionsystem-200518031047/85/Pertemuan-9-intrusion-detection-system-16-320.jpg)
Pertemuan 9 intrusion detection system
- 1. NETWORK SECURITY Jupriyadi, S.Kom. M.T. jupriyadi@teknokrat.ac.id Bandarlampung, April 2020 https://spada.teknokrat.ac.id Chapter 9
- 2. • To be understand the basic concepts of IDS • The student will be able build an IDS using snort
- 3. Defined as the tools, methods, and resources to help identify, assess, and report unauthorized or unapproved network activity IDSes can detect and deal with insider attacks, as well as, external attacks, and are often very useful in detecting violations of corporate security policy and other internal threats.
- 4. “An Intrusion Detection System is required to detect all types of malicious network traffic and computer usage that can't be detected by a conventional firewall. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).”
- 5. Based on location : 1. Network-based (NIDS) Monitors network traffic Provides early warning system for attacks 2. Host-based (HIDS) Monitors activity on host machine Able to stop compromises while they are in progress
- 6. Based on detection method: 1. Signature Based IDS Monitor network or server traffic and match bytes or packet sequences against a set of predetermined attack lists or signatures. 2. Anomaly Based IDS Use network traffic baselines to determine a “normal” state for the network and compare current traffic to that baseline.
- 7. Signature detections Also know as misuse detection IDS analyzes information it gathers and compares it to a database of known attacks, which are identified by their individual signatures Anomaly detection Baseline is defined to describe normal state of network or host Any activity outside baseline is considered to be an attack
- 8. • The ability to know when an intruder or attacker is engaged in reconnaissance or other malicious activity can mean the difference between being compromised and not being compromised. • An IDS can alert the administrator of a successful compromise, allowing them the opportunity to implement mitigating actions before further damage is caused
- 9. Cisco Systems, Inc. Computer Associates International Inc. CyberSafe Corp. Cylant Technology Palo Alto Network Internet Security Systems Inc. Snort Etc..
- 10. It is an open source Intrusion Prevention System capable of real-time traffic analysis and packet logging (www.snort.org) Multiplatform software
- 12. 1. Sniffer mode, which simply reads the packets off of the network and displays them for you in a continuousstream on the console (screen) 2. Packet Logger mode, which logs the packets to disk. 3. Intrusion Detection System (IDS) mode, which performs detection and analysis on network traffic.This is the most complex and configurable mode.
- 13. ./snort -v This command will run Snort and just show the IP and TCP/UDP/ICMP headers, nothing else. If you want to see the application data in transit, try the following: ./snort -vd This instructs Snort to display the packet data as well as the headers. If you want an even more descriptive display, showing the data link layer headers, do this: ./snort -vde As an aside, notice that the command line switches can be listed separately or in a combined form. The last command could also be typed out as: ./snort -d -v -e
- 14. Need to specify a logging directory and Snort will automatically know to go into packet logger mode: ./snort -dev -l ./log This rule tells Snort that you want to print out the data link and TCP/IP headers as well as application data into thedirectory./log, and you want to log the packets relative to the 192.168.1.0 class C network. All incoming packetswill be recorded into subdirectories of the log directory, with the directory names being based on the address of theremote (non-192.168.1) host. ./snort -dev -l ./log -h 192.168.1.0/24
- 15. To enable Intrusion Detection System (IDS) mode sothat you don’t record every single packet sent downthe wire, try this: ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
- 16. When Snort generates an alert message, it will usually look like the following: [**] [116:56:1] (snort_decoder): T/TCP Detected [**] The first number is the Generator ID, this tells the user what component of Snort generated this alert. For a list of GIDs, please read etc/generators in the Snort source. In this case, we know that this event came from the “decode”(116) component of Snort. The second number is the Snort ID (sometimes referred to as Signature ID). For a list of preprocessor SIDs, please see etc/gen-msg.map. Rule-based SIDs are written directly into the rules with the sid option. In this case,56 represents aT/TCP event. The third number is the revision ID. This number is primarily used when writing signatures, as each rendition of the rule should increment this number with the rev option.
- 17. • Most Snort rules are written in a single line • May span multiple lines by adding a backslashto the end of the line • Snort rules are divided into two logical sections, the rule header and the rule options The rule header containsthe rule’s action, protocol, source and destination IP addresses and netmasks, and the source and destination portsinformation. The rule option section contains alert messages and information on which parts of the packet should beinspected to determine if the rule action should be taken.
- 18. alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";) The first item in a rule is the rule action : 1. alert - generate an alert using the selected alert method,and then log the packet 2. log - log the packet 3. pass - ignore the packet 4. drop - block and log the packet 5. reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP 6. sdrop - block the packet but do not log it
- 19. log udp any any -> 192.168.1.0/24 1:1024 log udp traffic coming from any port and destination ports ranging from 1 to 1024 log tcp any any -> 192.168.1.0/24 :6000 log tcp traffic from any port going to ports less than or equal to 6000 log tcp any :1024 -> 192.168.1.0/24 500: log tcp traffic from privileged ports less than or equal to 1024 going to ports greater than or equal to 500
- 20. What's Next ?
- 21. 21