Network intrusion detection system and analysis
Download as PPTX, PDF3 likes6,882 views
This document discusses network intrusion detection systems (NIDS). It describes what an intrusion detection system is, why they are required to protect confidentiality, integrity and availability, and how they work by monitoring network traffic and detecting anomalous behavior. It outlines different types of NIDS including host-based and network-based, and how the popular open-source NIDS Snort functions using rules, signatures, and protocol analysis to generate alerts when it detects suspicious network activity. Challenges with NIDS are also discussed.
![SNORT EXAMPLES
Snort rule
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP PING”; icode:0;
itype:8; classtype:misc-activity: sid:384; rev:5;)
Snort packet
IP 10.0.1.10 > 10.0.1.254: ICMP echo request, id 32335, seq 0, length 64
0x0000: 4500 0045 a023 ab00 87ef 0a00 abc8 01oe E . . T . . . . .@ . X . . . . .
0x0010: 3400 0145 02a3 acd0 84af 0000 dbc5 0101 .u . T . - &. . . . . . . . . . I
Snort Alert
[**] [1:384:5] ICMP PING [**] [Classification: Misc Activity] [Priority: 3] 04/13 -
03:12:08.359790 10.0.1.10 -> 10.0.1.254 ICMP TTL:64 TOS: 0X0 ID:38125
IpLen:20 DmgLen:84 Type:8 Code:0 ID:32335 Seq:1 ECHO
Malicious Packet
Snort rule to capture malicious packet
Alert Fired](https://image.slidesharecdn.com/networkintrusiondetectionsystemandanalysis-150508081445-lva1-app6892/85/Network-intrusion-detection-system-and-analysis-15-320.jpg)
Network intrusion detection system and analysis
- 1. Network Intrusion Detection System And Analysis BIKRANT GAUTAM SECURITY AND CRYPTOGRAPHIC PROTOCOL – 606 SCSU 2015
- 2. Intrusion Detection System Overview What is Intrusion? Restricted Access to computer Infrastructure What is intrusion detection System? Mechanism to trace the intrusion Why is it required? Protect CIA triad How does IDS work?
- 3. Intrusion Detection System • Two IDS in this model • One external for monitoring external traffic • One internal for monitoring internal traffic
- 4. Types of IDS HIDs examine specific host-based actions, such as what applications are being used, what files are being accessed and what information resides in the kernel logs. NIDs analyze the flow of information between computers, i.e., network traffic. They essentially "sniff" the network for suspicious behavior.
- 5. NIDS Introduction Why NIDS? Monitor network traffic Alert the responsible personnel or the target Apply preventive measures-(Network Intrusion Prevention System)
- 6. NIDS Functionality How it works? Sniffing collect and inspect incoming traffic Protocol awareness protocol reassembly and normalization Alerting Send email / log events / Sending SNMP
- 7. Modes of Detection Signature Based Old method Compare data packets against known malicious sequence Protocol Awareness Compare the network packets against standard protocol Behavioral Analysis Recent Development Learn pattern, alert when pattern changes
- 8. Types of NIDS/NIPSs Commercial Check Point IPS, CISO IPS, IBM Security NIPS Roll on your own Free to use for users, SNORT, BRO
- 9. Output of NIDS/NIPS Depends upon the vendor General evidences/output Configuration: Configuration of devices being monitored Alert Data: Alert through text files emails sms Packet headers/flow Information: logged malicious packets headers Content Data: Captured full data packets Correlated Activates: Correlated event data
- 10. NIDS EXAMPLE SNORT The single most widely used IDS in the world. Signature Based Open Source Large support community
- 11. SNORT ARCHITECTURE Trucia Victor / url / http://truica-victor.com/snort-architecture/
- 12. SNORT CONFIGURATIONS RULES Rules written in a single line Rules are created with known intrusion signatures Stored in /etc/snort/rules Native alerts are stored in /var/log/snort Global values are stored at /etc/snort/snort.conf
- 13. Header Example rule header log tcp 192.168.1.12 123 -> 192.168.1.19 27
- 14. RULE BODY Rule Body Used to extract meta data about the events rule options: msg, sid, rev, reference Example:
- 15. SNORT EXAMPLES Snort rule alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP PING”; icode:0; itype:8; classtype:misc-activity: sid:384; rev:5;) Snort packet IP 10.0.1.10 > 10.0.1.254: ICMP echo request, id 32335, seq 0, length 64 0x0000: 4500 0045 a023 ab00 87ef 0a00 abc8 01oe E . . T . . . . .@ . X . . . . . 0x0010: 3400 0145 02a3 acd0 84af 0000 dbc5 0101 .u . T . - &. . . . . . . . . . I Snort Alert [**] [1:384:5] ICMP PING [**] [Classification: Misc Activity] [Priority: 3] 04/13 - 03:12:08.359790 10.0.1.10 -> 10.0.1.254 ICMP TTL:64 TOS: 0X0 ID:38125 IpLen:20 DmgLen:84 Type:8 Code:0 ID:32335 Seq:1 ECHO Malicious Packet Snort rule to capture malicious packet Alert Fired
- 16. Challenges with current NIDS SNORT/Signature based More processing for packet logging Requires high disk capacity to log information
- 17. Conclusion NIDS/NIPS are the first step on against malicious activities Investigators leverage evidence from NIDS to find the root of the problem Field of further study and research
- 18. Case Study
- 19. Case Study Corresponding packet analysis SNORT ALERT Corresponding Packet
- 20. Case Study Further exploring the Packet content Packet Content Analysis:
- 21. Case Study Analysis of HEX Values
- 23. Case Study Further analysis of Target IP (192.168.1.69) Searching all the alerts related with this IP Count of Malicious Alert for same IP Alert Message
- 24. Case Study Alert Message Analysis: The alert TCP windows scale option found with length > 14 Findings:
- 25. Case Study Investigation Findings and Conclusion Further Steps
- 26. Thank you