8/9/2019 Ids and Ips Report
CHAPTER 1
Introducing IDS and IPS
1.1 Introducing IDS and IPS
Intrusion detection system (IDS) and intrusion prevention system (IPS) solutions form an integral part of a robust network defence solution. Maintaining secure network services is a key requirement of a profitable IP-based business. IDS and IPS work together to provide a network security solution. An IDS captures packets in real time, processes them, and can respond to threats, but works on copies of data traffic to detect suspicious activity by using signatures. This is called promiscuous mode. In the process of detecting malicious traffic, an IDS allows some malicious traffic to pass before the IDS can respond to protect the network. An IDS analyses a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating on a copy of the traffic is that the IDS does not affect the packet flow of the forwarded traffic. The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malicious traffic from single-packet attacks from reaching the target system before the IDS can apply a response to stop the attack. An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack.
An IPS works inline in the data stream to provide protection from malicious attacks in real time. This is called inline mode. Unlike an IDS, an IPS does not allow packets to enter the trusted side of the network. An IPS monitors traffic at Layer 3 and Layer 4 to ensure that their headers, states, and so on are those specified in the protocol suite. However, the IPS sensor analyses at Layer 2 to Layer 7 the payload of the packets for more sophisticated embedded attacks that might include malicious data. This deeper analysis lets the IPS identify, stop, and block attacks that would normally pass through a traditional firewall device. When a packet comes in through an interface on an IPS, that packet is not sent to the outbound or trusted interface until the packet has been determined to be clean.
The key to differentiating an IDS from an IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS allows malicious traffic to pass before it can respond.
IDS:
• Analyses copies of the traffic stream.
• Does not slow network traffic.
• Allows some malicious traffic into the network.
• Shown in Fig. 1.1.
IPS:
• Works inline in real time to monitor Layer 2 through Layer 7 traffic and content.
• Needs to be able to handle network traffic.
• Prevents malicious traffic from entering the network.
• Shown in Fig. 1.2.
Fig. 1.1 Intrusion Detection System (IDS)
Fig. 1.2 Intrusion Prevention System (IPS)
1.2 Common Characteristics
IDS and IPS technologies share several characteristics:
• IDS and IPS technologies are deployed as sensors. An IDS or an IPS sensor can be any of the following devices:
  • A router configured with Cisco IOS IPS Software.
  • An appliance specifically designed to provide dedicated IDS or IPS services.
  • A network module installed in an adaptive security appliance, switch, or router.
• IDS and IPS technologies typically monitor for malicious activities in two spots:
  • Malicious activity is monitored at the network to detect attacks against a network, including attacks against hosts and devices, using network IDS and network IPS.
  • Malicious activity is monitored on a host to detect attacks that are launched from or on target machines, using a host intrusion prevention system (HIPS). Host-based attacks are detected by reading security event logs, checking for changes to critical system files, and checking system registries for malicious entries.
• IDS and IPS technologies generally use signatures to detect patterns of misuse in network traffic, although other technologies will be introduced later in this chapter. A signature is a set of rules that an IDS or IPS uses to detect typical intrusive activity. Signatures are usually chosen from a broad cross section of intrusion detection signatures, and can detect severe breaches of security, common network attacks, and information gathering.
• IDS and IPS technologies look for the following general patterns of misuse:
  • Atomic pattern: In an atomic pattern, an attempt is made to access a specific port on a specific host, and malicious content is contained in a single packet. An IDS is particularly vulnerable to an atomic attack because until it finds the attack, malicious single packets are being allowed into the network. An IPS prevents these packets from entering at all.
  • Composite pattern: A composite pattern is a sequence of operations distributed across multiple hosts over an arbitrary period of time.
1.3 Steps Taken
The following are the steps that occur when an attack is launched in an environment monitored by an IDS:
Step 1. An attack is launched on a network that has a sensor deployed in IDS mode.
Step 2. The switch sends copies of all packets to the IDS sensor (configured in promiscuous mode, which is explained later in this section) to analyze the packets. At the same time, the target machine experiences the malicious attack.
Step 3. The IDS sensor, using a signature, matches the malicious traffic to the signature.
Step 4. The IDS sensor sends the switch a command to deny access to the malicious traffic.
Step 5. The IDS sends an alarm to a management console for logging and other management purposes.
The following are the steps that occur when an attack is launched in an environment monitored by an IPS:
Step 1. An attack is launched on a network that has a sensor deployed in IPS mode (configured in inline mode, which is explained later in this section).
Step 2. The IPS sensor analyzes the packets as soon as they come into the IPS sensor interface. The IPS sensor, using signatures, matches the malicious traffic to the signature and the attack is stopped immediately. Traffic in violation of policy can be dropped by an IPS sensor.
Step 3. The IPS sensor can send an alarm to a management console for logging and other management purposes.
Management Console
A management console is a separate workstation equipped with software to configure, monitor, and report on events.
Promiscuous Versus Inline Mode
A sensor can be deployed either in promiscuous mode or inline mode. In promiscuous mode, the sensor receives a copy of the data for analysis, while the original traffic still makes its way to its ultimate destination. By contrast, a sensor working inline analyzes the traffic live and therefore can actively block the packets before they reach their destination.
1.4 Advantages and Limitations
Table 1.1 Advantages and Limitations of Deploying an IDS in Promiscuous Mode
Advantages:
• Deploying the IDS sensor does not have any impact on the network (latency, jitter, and so on).
• The IDS sensor is not inline and, therefore, a sensor failure cannot affect network functionality.
• Overrunning the IDS sensor with data does not affect network traffic; however, it does affect the capability of the IDS to analyze the data.
Limitations:
• IDS sensor response actions cannot stop the trigger packet and are not guaranteed to stop a connection.
• IDS response actions are typically better at stopping an attacker more than a specific attack itself.
• IDS sensor response actions are less helpful in stopping email viruses and automated attackers such as worms.
• Users deploying IDS sensor response actions must have a well thought-out security policy combined with a good operational understanding of their IDS deployments. Users must spend time to correctly tune IDS sensors to achieve expected levels of intrusion detection.
• Being out of band (OOB), IDS sensors are more vulnerable to network evasion techniques, which are the process of totally concealing an attack.
Table 1.2 Advantages and Limitations of Deploying an IPS in Inline Mode
Advantages:
• You can configure an IPS sensor to perform a packet drop that can stop the trigger packet, the packets in a connection, or packets from a source IP address.
• Being inline, an IPS sensor can use stream normalization techniques to reduce or eliminate many of the network evasion capabilities that exist.
Limitations:
• An IPS sensor must be inline and, therefore, IPS sensor errors or failure can have a negative effect on network traffic.
• Overrunning IPS sensor capabilities with too much traffic does negatively affect the performance of the network.
• Users deploying IPS sensor response actions must have a well thought-out security policy combined with a good operational understanding of their IPS deployments.
• An IPS sensor will affect network timing because of latency, jitter, and so on. An IPS sensor must be appropriately sized and implemented so that time-sensitive applications, such as
CHAPTER 2
Host and Network IPS
IPS technology can be network based and host based. There are advantages and limitations to HIPS compared with network-based IPS. In many cases, the technologies are thought to be complementary.
2.1 Host-Based IPS
HIPS audits host log files, host file systems, and resources. A significant advantage of HIPS is that it can monitor operating system processes and protect critical system resources, including files that may exist only on that specific host. HIPS can combine the best features of antivirus, behavioural analysis, signature filters, network firewalls, and application firewalls in one package. A simple form of HIPS enables system logging and log analysis on the host. However, this approach can be extremely labour intensive. For example, the Nimda and SQL Slammer worms did millions of dollars of damage to enterprises on the first day of their appearance, before updates were even available; however, a network protected with a CSA stopped these attacks without any updates by identifying their behaviour as malicious. Host-based IPS operates by detecting attacks that occur on a host on which it is installed. HIPS works by intercepting operating system and application calls, securing the operating system and application configurations, validating incoming service requests, and analysing local log files for after-the-fact suspicious activity. More precisely, HIPS functions according to the following steps, as shown in Figure 2.1.
Fig. 2.1
Step 1. An application calls for system resources.
Step 2. HIPS checks the call against the policy.
Step 3. Requests are allowed or denied.
HIPS uses rules that are based on a combination of known attack characteristics and a detailed knowledge of the operating system and specific applications running on the host. These rules enable HIPS to determine abnormal or out-of-bound activity and, therefore, prevent the host from executing commands that do not fit the correct behavior of the operating system or application.
HIPS improves the security of hosts and servers by using rules that control operating system and network stack behavior. Processor control limits activity such as buffer overflows, Registry updates, writes to the system directory, and the launching of installation programs. Regulation of network traffic can help ensure that the host does not participate in accepting or initiating FTP sessions, can rate-limit when a denial-of-service (DoS) attack is detected, or can keep the network stack from participating in a DoS attack.
The topology in Figure 2.2 shows a typical HIPS deployment.
Fig 2.2 HIPS deployment
2.1.1 The advantages and limitations of HIPS are as follows:
• Advantages of HIPS: The success or failure of an attack can be readily determined. A network IPS sends an alarm upon the presence of intrusive activity but cannot always ascertain the success or failure of such an attack. HIPS does not have to worry about fragmentation attacks or variable Time to Live (TTL) attacks because the host stack takes care of these issues. If the network traffic stream is encrypted, HIPS has access to the traffic in unencrypted form.
• Limitations of HIPS: There are two major drawbacks to HIPS:
  • HIPS does not provide a complete network picture: Because HIPS examines information only at the local host level, HIPS has difficulty constructing an accurate network picture or coordinating the events happening across the entire network.
  • HIPS has a requirement to support multiple operating systems: HIPS needs to run on every system in the network. This requires verifying support for all the different operating systems used in your network.
2.2 Network-Based IPS
Network IPS involves the deployment of monitoring devices, or sensors, throughout the network to capture and analyze the traffic. Sensors detect malicious and unauthorized activity in real time and can take action when required. Sensors are deployed at designated network points that enable security managers to monitor network activity while it is occurring, regardless of the location of the attack target. Network IPS sensors are usually tuned for intrusion prevention analysis. The underlying operating system of the platform on which the IPS software is mounted is stripped of unnecessary network services, and essential services are secured (that is, hardened). The hardware includes the following components:
• Network interface card (NIC): Network IPS must be able to connect to any network (Ethernet, Fast Ethernet, Gigabit Ethernet).
• Processor: Intrusion prevention requires CPU power to perform intrusion detection analysis and pattern matching.
• Memory: Intrusion detection analysis is memory intensive. Memory directly affects the capability of a network IPS to efficiently and accurately detect an attack.
Network IPS gives security managers real-time security insight into their networks regardless of network growth. Additional hosts can be added to protected networks without needing more sensors. When new networks are added, additional sensors are easy to deploy. Additional sensors are required only when their rated traffic capacity is exceeded, when their performance does not meet current needs, or when a revision in security policy or network design requires additional sensors to help enforce security boundaries. Figure 2.3 shows a typical network IPS deployment. The key difference between this network IPS deployment example and the previous HIPS deployment example is that there is no CSA software on the various platforms. In this topology, the network IPS sensors are deployed at network entry points that protect critical network segments. The network segments have internal and external corporate resources. The sensors report to a central management and monitoring server that is located inside the corporate firewall.
2.2.1 The advantages and limitations of network IPS are as follows:
• Advantages of network IPS: A network-based monitoring system has the benefit of easily seeing attacks that are occurring across the entire network. Seeing the attacks against the entire network gives a clear indication of the extent to which the network is being attacked. Furthermore, because the monitoring system is examining only traffic from the network, it does not have to support every type of operating system that is used on the network.
• Limitations of network IPS: Encryption of the network traffic stream can essentially blind network IPS. Reconstructing fragmented traffic can also be a difficult problem to solve. Possibly the biggest drawback to network-based monitoring is that as networks become larger (with respect to bandwidth), it becomes more difficult to place network IPS at a single location in the network and successfully capture all the traffic. Eliminating this problem requires the use of more sensors throughout the network. However, this solution increases costs.
Comparing HIPS and Network IPS
Table 2.1 compares the advantages and limitations of HIPS and network IPS.
Table 2.1 Advantages and Limitations of Host-Based IPS and Network-Based IPS
HIPS
  Advantages:
  • Is host specific
  • Protects host after decryption
  • Provides application-level encryption protection
  Limitations:
  • Operating system dependent
  • Lower-level network events not seen
  • Host is visible to attackers
Network IPS
  Advantages:
  • Cost-effective
  • Not visible on the network
  • Operating system independent
  • Lower-level network events seen
  Limitations:
  • Cannot examine encrypted traffic
  • Does not know whether an attack was successful
A host-based monitoring system examines information at the local host or operating system. Network-based monitoring systems examine packets that are traveling through the network for known signs of intrusive activity. As you move down the feature list toward network IPS, the features describe network-based monitoring features; application-level encryption protection is a HIPS feature, whereas DoS prevention is a network IPS feature.
CHAPTER 3
Types of IDS and IPS Systems
Common Detection Methodologies
IDPS technologies use many methodologies to detect incidents. Sections 3.1 through 3.3 discuss the primary classes of detection methodologies: signature-based, anomaly-based, and stateful protocol analysis, respectively. Most IDPS technologies use multiple detection methodologies, either separately or integrated, to provide more broad and accurate detection.
3.1 Signature-Based Detection
A signature is a pattern that corresponds to a known threat. Signature-based detection is the process of comparing signatures against observed events to identify possible incidents. Examples of signatures are as follows:
• A telnet attempt with a username of “root”, which is a violation of an organization's security policy
• An email with a subject of “Free pictures!” and an attachment filename of “freepics.exe”, which are characteristics of a known form of malware
• An operating system log entry with a status code value of 645, which indicates that the host's auditing has been disabled.
Signature-based detection is very effective at detecting known threats but largely ineffective at detecting previously unknown threats, threats disguised by the use of evasion techniques, and many variants of known threats. For example, if an attacker modified the malware in the previous example to use a filename of “freepics2.exe”, a signature looking for “freepics.exe” would not match it.
Signature-based detection is the simplest detection method because it just compares the current unit of activity, such as a packet or a log entry, to a list of signatures using string comparison operations. Signature-based detection technologies have little understanding of many network or application protocols and cannot track and understand the state of complex communications. For example, they cannot pair a request with the corresponding response, such as knowing that a request to a Web server for a particular page generated a response status code of 403, meaning that the server refused to fill the request. They also lack the ability to remember previous requests when processing the current request. This limitation prevents signature-based detection methods from detecting attacks that comprise multiple events if none of the events contains a clear indication of an attack.
3.2 Anomaly-Based Detection
Anomaly-based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. An IDPS using anomaly-based detection has profiles that represent the normal behaviour of such things as users, hosts, network connections, or applications. The profiles are developed by monitoring the characteristics of typical activity over a period of time. For example, a profile for a network might show that Web activity comprises an average of 13% of network bandwidth at the Internet border during typical workday hours. The IDPS then uses statistical methods to compare the characteristics of current activity to thresholds related to the profile, such as detecting when Web activity comprises significantly more bandwidth than expected and alerting an administrator of the anomaly. Profiles can be developed for many behavioural attributes, such as the number of emails sent by a user, the number of failed login attempts for a host, and the level of processor usage for a host in a given period of time.
The major benefit of anomaly-based detection methods is that they can be very effective at detecting previously unknown threats. For example, suppose that a computer becomes infected with a new type of malware. The malware could consume the computer's processing resources, send large numbers of emails, initiate large numbers of network connections, and perform other behaviour that would be significantly different from the established profiles for the computer.
An initial profile is generated over a period of time (typically days, sometimes weeks) sometimes called a training period. Profiles for anomaly-based detection can either be static or dynamic. Once generated, a static profile is unchanged unless the IDPS is specifically directed to generate a new profile. A dynamic profile is adjusted constantly as additional events are observed. Because systems and networks change over time, the corresponding measures of normal behaviour also change; a static profile will eventually become inaccurate, so it needs to be regenerated periodically. Dynamic profiles do not have this problem, but they are susceptible to evasion attempts from attackers. For example, an attacker can perform small amounts of malicious activity occasionally, then slowly increase the frequency and quantity of activity. If the rate of change is sufficiently slow, the IDPS might think the malicious activity is normal behaviour and include it in its profile. Malicious activity might also be observed by an IDPS while it builds its initial profiles.
Inadvertently including malicious activity as part of a profile is a common problem with anomaly-based IDPS products. (In some cases, administrators can modify the profile to exclude activity in the profile that is known to be malicious.) Another problem with building profiles is that it can be very challenging in some cases to make them accurate, because computing activity can be so complex. For example, if a particular maintenance activity that performs large file transfers occurs only once a month, it might not be observed during the training period; when the maintenance occurs, it is likely to be considered a significant deviation from the profile and trigger an alert. Anomaly-based IDPS products often produce many false positives because of benign activity that deviates significantly from profiles, especially in more diverse or dynamic environments. Another noteworthy problem with the use of anomaly-based detection techniques is that it is often difficult for analysts to determine why a particular alert was generated and to validate that an alert is accurate and not a false positive, because of the complexity of events and number of events that may have caused the alert to be generated.
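The static-versus-dynamic profile trade-off described above, as an added example that is not from the report: a small Python profiler trained on a constructed baseline of emails sent per hour by one user, run in static mode (fixed after training) and dynamic mode (exponential moving average over observations that did not alert), against a sudden burst and against the slow ramp the text warns about. The metric, the mean-plus-three-standard-deviations threshold, the EWMA weight and all the data are assumptions made for the demonstration.

```python
"""Static versus dynamic anomaly profiles (added example, not from the report).
Hypothetical metric: emails sent per hour by one user. All data is constructed."""
from statistics import mean, pstdev


class AnomalyProfile:
    """Baseline of normal activity plus a mean + k*stddev alert threshold.

    mode="static":  the profile is fixed once training is complete.
    mode="dynamic": every observation that does NOT raise an alert is folded
                    back into the profile with an exponential moving average.
    """

    def __init__(self, training, mode="static", k=3.0, alpha=0.2):
        if mode not in ("static", "dynamic"):
            raise ValueError("mode must be 'static' or 'dynamic'")
        if len(training) < 2:
            raise ValueError("training period needs at least two samples")
        self.mode = mode
        self.k = k            # alert when value > mean + k * stddev
        self.alpha = alpha    # EWMA weight used by dynamic profiles
        self.mu = mean(training)
        # floor the spread so a perfectly flat baseline still has some margin
        self.sigma = max(pstdev(training), 1.0)

    def threshold(self):
        return self.mu + self.k * self.sigma

    def observe(self, value):
        """Return True if value is anomalous; a dynamic profile then learns from benign values."""
        anomalous = value > self.threshold()
        if self.mode == "dynamic" and not anomalous:
            self.mu = (1 - self.alpha) * self.mu + self.alpha * value
            deviation = abs(value - self.mu)
            self.sigma = max((1 - self.alpha) * self.sigma + self.alpha * deviation, 1.0)
        return anomalous


def run(training, observations, mode):
    """Return the indices of the observations that raised an alert."""
    profile = AnomalyProfile(training, mode=mode)
    return [i for i, v in enumerate(observations) if profile.observe(v)]


# Constructed training period: about 10 emails/hour with small variation.
TRAINING = [9, 11, 10, 12, 8, 10, 11, 9, 10, 10]

# Constructed scenario A: a sudden burst, like a newly infected host mass-mailing.
BURST = [10, 11, 10, 150, 180, 10]

# Constructed scenario B: the slow ramp the text describes. Volume grows by one
# email per hour, so a dynamic profile keeps absorbing it as "normal" while the
# static profile alerts as soon as the baseline threshold is crossed.
RAMP = [11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25]

if __name__ == "__main__":
    for name, observations in (("burst", BURST), ("ramp", RAMP)):
        for mode in ("static", "dynamic"):
            print(f"{name:5s} {mode:7s} alerts at indices {run(TRAINING, observations, mode)}")
```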
3.3 Stateful Protocol Analysis
Stateful protocol analysis is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations. Unlike anomaly-based detection, which uses host or network-specific profiles, stateful protocol analysis relies on vendor-developed universal profiles that specify how particular protocols should and should not be used. The “stateful” in stateful protocol analysis means that the IDPS is capable of understanding and tracking the state of network, transport, and application protocols that have a notion of state. For example, when a user starts a File Transfer Protocol (FTP) session, the session is initially in the unauthenticated state. Unauthenticated users should only perform a few commands in this state, such as viewing help information or providing usernames and passwords. An important part of understanding state is pairing requests with responses, so when an FTP authentication attempt occurs, the IDPS can determine if it was successful by finding the status code in the corresponding response. Once the user has authenticated successfully, the session is in the authenticated state, and users are expected to perform any of several dozen commands. Performing most of these commands while in the unauthenticated state would be considered suspicious, but in the authenticated state performing most of them is considered benign.
Stateful protocol analysis can identify unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command without first issuing a command upon which it is dependent. Another state tracking feature of stateful protocol analysis is that for protocols that perform authentication, the IDPS can keep track of the authenticator used for each session, and record the authenticator used for suspicious activity. This is helpful when investigating an incident. Some IDPSs can also use the authenticator information to define acceptable activity differently for multiple classes of users or specific users.
The “protocol analysis” performed by stateful protocol analysis methods usually includes reasonableness checks for individual commands, such as minimum and maximum lengths for arguments. If a command typically has a username argument, and usernames have a maximum length of 20 characters, then an argument with a length of 1000 characters is suspicious. If the large argument contains binary data, then it is even more suspicious.
Stateful protocol analysis methods use protocol models, which are typically based primarily on protocol standards from software vendors and standards bodies (e.g., Internet Engineering Task Force [IETF] Request for Comments [RFC]). The protocol models also typically take into account variances in each protocol's implementation. Many standards are not exhaustively complete in explaining the details of the protocol, which causes variations among implementations. Also, many vendors either violate standards or add proprietary features, some of which may replace features from the standards. For proprietary protocols, complete details about the protocols are often not available, making it difficult for IDPS technologies to perform comprehensive, accurate analysis. As protocols are revised and vendors alter their protocol implementations, IDPS protocol models need to be updated to reflect those changes.
The primary drawback to stateful protocol analysis methods is that they are very resource-intensive because of the complexity of the analysis and the overhead involved in performing state tracking for many simultaneous sessions. Another serious problem is that stateful protocol analysis methods cannot detect attacks that do not violate the characteristics of generally acceptable protocol behavior, such as performing many benign actions in a short period of time to cause a denial of service. Yet another problem is that the protocol model used by an IDPS might conflict with the way the protocol is implemented in particular versions of specific applications and operating systems, or how different client and server implementations of the protocol interact.
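The FTP state tracking and argument reasonableness checks described in this section, as an added example that is not from the report or from any IDPS product: a Python tracker that pairs each client command with the server reply, moves the session from unauthenticated to authenticated on a 2xx reply to PASS, records the username as the session's authenticator on every alert, and flags commands issued in the wrong state, oversized or binary arguments, failed logins, and commands re-sent before a reply arrives. The allowed-command set is an assumption; the 20-character username limit and the 1000-byte threshold are taken from the text, and both transcripts are constructed.

```python
"""Stateful protocol analysis for a simplified FTP session (added example, not
from the report). Both transcripts below are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: the subset of RFC 959 commands an unauthenticated client may send.
UNAUTH_ALLOWED = {"USER", "PASS", "HELP", "QUIT", "NOOP"}
MAX_USERNAME_LEN = 20      # the report's example of a reasonable maximum
HUGE_ARG_LEN = 1000        # the report's example of a suspicious argument length
PRINTABLE = re.compile(r"^[\x20-\x7e]*$")


@dataclass
class FtpSession:
    state: str = "unauthenticated"
    pending: Optional[str] = None      # last command still waiting for its reply
    pending_arg: str = ""
    username: Optional[str] = None     # authenticator recorded for the session
    alerts: List[str] = field(default_factory=list)

    def _alert(self, msg):
        who = self.username or "<no user yet>"
        self.alerts.append(f"[{self.state}] user={who}: {msg}")

    def client(self, line):
        """Analyse one client command line such as 'USER alice'."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if self.pending is not None:
            self._alert(f"{cmd} sent before response to {self.pending}")
        # reasonableness checks on the argument
        if len(arg) > HUGE_ARG_LEN:
            self._alert(f"{cmd} argument of {len(arg)} bytes")
        elif cmd == "USER" and len(arg) > MAX_USERNAME_LEN:
            self._alert(f"USER argument of {len(arg)} chars exceeds {MAX_USERNAME_LEN}")
        if not PRINTABLE.match(arg):
            self._alert(f"{cmd} argument contains non-printable (binary) data")
        # state checks: is this command expected in the current state?
        if self.state == "unauthenticated" and cmd not in UNAUTH_ALLOWED:
            self._alert(f"{cmd} issued before authentication")
        if cmd == "PASS" and self.username is None:
            self._alert("PASS issued without a preceding USER")
        self.pending, self.pending_arg = cmd, arg

    def server(self, line):
        """Pair a server reply such as '230 Login successful' with the pending command."""
        code = line[:3]
        if self.pending is None:
            self._alert(f"unsolicited server reply {code}")
            return
        if code.startswith("1"):           # preliminary reply; the final reply is still to come
            return
        cmd, arg = self.pending, self.pending_arg
        if cmd == "USER" and code.startswith("33"):      # 331: password required
            self.username = arg
        elif cmd == "PASS":
            if code.startswith("2"):                     # 230: logged in
                self.state = "authenticated"
            else:
                self._alert(f"failed login for {self.username!r} (reply {code})")
                self.username = None
        self.pending = None


def analyse(transcript):
    """Feed a list of (direction, line) pairs through a fresh session; return its alerts."""
    session = FtpSession()
    for direction, line in transcript:
        (session.client if direction == "C" else session.server)(line)
    return session.alerts


# Constructed benign session: every command matches the state it is issued in.
SESSION = [
    ("C", "USER alice"), ("S", "331 Password required for alice"),
    ("C", "PASS s3cret"), ("S", "230 Login successful"),
    ("C", "CWD /pub"), ("S", "250 Directory changed"),
    ("C", "RETR notes.txt"), ("S", "150 Opening data connection"),
    ("S", "226 Transfer complete"),
]

# Constructed suspicious session exercising each check.
SUSPICIOUS = [
    ("C", "RETR report.pdf"),                # command before authentication
    ("S", "530 Please login with USER and PASS"),
    ("C", "USER " + "a" * 40),               # username longer than any real one
    ("S", "331 Password required"),
    ("C", "PASS \x01\x02\x03"),              # binary data where text is expected
    ("S", "530 Login incorrect"),
    ("C", "USER bob"), ("C", "USER bob"),    # re-sent without waiting for a reply
    ("S", "331 Password required"),
    ("C", "PASS hunter2"), ("S", "230 Login successful"),
    ("C", "CWD " + "x" * 1200),              # oversized argument
    ("S", "550 Failed to change directory"),
]

if __name__ == "__main__":
    print("benign:", analyse(SESSION))
    for alert in analyse(SUSPICIOUS):
        print("suspicious:", alert)
```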
CHAPTER 4
Snort
4.1 What is SNORT?
Snort is an open source, cross-platform, software-based lightweight Network Intrusion Detection System (NIDS) developed by Martin Roesch of Sourcefire. Snort is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and pattern matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts. Snort uses a flexible rules language to describe traffic that it should collect or pass, and includes a detection engine utilizing a modular plugin architecture. Snort has real-time alerting capability as well, incorporating alerting mechanisms for Syslog, user-specified files, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient. Suitable plugins allow the detection and reporting subsystems to be extended. Available plugins include statistical anomaly detection, database logging, small fragment detection, port scan detection, and HTTP URI normalization. Snort can be configured to run in three modes. These are:
• Packet Sniffer: Snort's packet sniffing mode allows it to capture and display all network traffic to the administrator. It provides you with the flexibility to display either the entire packet or only certain header information.
• Packet Logger: Snort's packet logging mode performs the same functionality as the packet sniffing mode but creates a traffic data file.
• Network Intrusion Detection System: When run in this mode, Snort is capable of detecting potential network intrusions using a rule-based intrusion-detection mechanism.
4.2 Introduction to Snort Rules
Snort uses a simple, lightweight rules description language that is flexible and quite powerful. There are a number of simple guidelines to remember when developing Snort rules that will help safeguard your sanity. Most Snort rules are written in a single line. This was required in versions prior to 1.8. In current versions of Snort, rules may span multiple lines by adding a backslash \ to the end of the line.
Snort rules are divided into two logical sections, the rule header and the rule options. The rule header contains the rule's action, protocol, source and destination IP addresses and netmasks, and the source and destination ports information. The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken.
alert tcp any any -> 192.168.1.0/24 111 \
(content:"|00 01 86 a5|"; msg:"mountd access";)
Figure 3.1: Sample Snort Rule
The text up to the first parenthesis is the rule header and the section enclosed in parentheses contains the rule options. The words before the colons in the rule options section are called option keywords. All of the elements that make up a rule must be true for the indicated rule action to be taken. When taken together, the elements can be considered to form a logical AND statement. At the same time, the various rules in a Snort rules library file can be considered to form a large logical OR statement.
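The header/option structure and the AND-within-a-rule, OR-across-rules semantics described above, together with the signature-variant miss from Section 3.1 (freepics.exe versus freepics2.exe), as an added example that is not from the report or from Snort itself: a Python parser and evaluator that supports the header fields and the content and msg options of the sample rule, joins backslash-continued lines, and runs a two-rule library over constructed packets. The second rule, the packet record layout and the payloads are assumptions made for the demonstration; real Snort supports far more than this.

```python
"""Minimal parser and evaluator for Snort-style rules (added example, not part of
the report or of Snort). Only the header fields and the content/msg options used
by the sample rule are supported; the rule text and packets below are constructed."""
import ipaddress
import re

# action proto src_ip src_port -> dst_ip dst_port (options)
HEADER_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_content(value):
    """Turn a content value such as '|00 01 86 a5|' or 'abc|0d 0a|' into bytes."""
    out = bytearray()
    for i, chunk in enumerate(value.strip('"').split("|")):
        if i % 2 == 0:                 # outside pipes: literal text
            out += chunk.encode()
        else:                          # inside pipes: hex byte values
            out += bytes.fromhex(chunk)
    return bytes(out)


def parse_rule(line):
    """Split one rule into its header fields and a list of (keyword, value) options."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = []
    for opt in opts.split(";"):       # assumption: option values never contain ';'
        if opt.strip():
            key, _, value = opt.partition(":")
            options.append((key.strip(), value.strip()))
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def load_rules(text):
    """Join backslash-continued lines, then parse every non-empty, non-comment line."""
    lines = text.replace("\\\n", " ").splitlines()
    return [parse_rule(ln) for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]


def ip_matches(spec, ip):
    """'any', a CIDR block, or a '!'-negated CIDR block."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negate


def port_matches(spec, port):
    """'any', a single port, or a range such as 1:1024 (either end may be empty)."""
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if sep:
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_matches(rule, pkt):
    """Header fields AND every content option must all be true (logical AND)."""
    header_ok = (rule["proto"] == pkt["proto"]
                 and ip_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
                 and ip_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    return header_ok and all(parse_content(v) in pkt["payload"]
                             for k, v in rule["options"] if k == "content")


def evaluate(rules, pkt):
    """The rules in a library form a logical OR: return the msg of every rule that fires."""
    fired = []
    for rule in rules:
        if rule_matches(rule, pkt):
            fired.append(next((v.strip('"') for k, v in rule["options"] if k == "msg"), "<no msg>"))
    return fired


# The report's sample rule plus a constructed rule for the freepics.exe signature of Section 3.1.
RULE_TEXT = '''alert tcp any any -> 192.168.1.0/24 111 \\
(content:"|00 01 86 a5|"; msg:"mountd access";)
alert tcp any any -> any 25 (content:"freepics.exe"; msg:"known malware attachment";)
'''
RULES = load_rules(RULE_TEXT)


def pkt(dst, dport, payload, src="10.0.0.5", sport=40112, proto="tcp"):
    """Build a constructed packet record."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


# Constructed packets; 0x000186a5 is the RPC program number of mountd.
RPC_PAYLOAD = b"\x80\x00\x00\x28\x00\x01\x86\xa5\x00\x00\x00\x02"
PACKETS = {
    "mountd_probe": pkt("192.168.1.20", 111, RPC_PAYLOAD),
    "mountd_wrong_subnet": pkt("192.168.2.20", 111, RPC_PAYLOAD),
    "malware_mail": pkt("192.168.1.25", 25, b'Subject: Free pictures!\r\nfilename="freepics.exe"\r\n'),
    "variant_mail": pkt("192.168.1.25", 25, b'Subject: Free pictures!\r\nfilename="freepics2.exe"\r\n'),
}

if __name__ == "__main__":
    for name, packet in PACKETS.items():
        print(f"{name:20s} -> {evaluate(RULES, packet)}")
```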
Conclusion
There are many technologies on the market today to help companies fight the inevitable network and system attack. IPS and IDS technologies are only two of many resources that can be deployed to increase visibility and control within a corporate computing environment. IDS and IPS provide a foundation of technology that meets the requirement of tracking and identifying network attacks: attacks are detected through the logs of IDS systems and blocked through the actions of IPS systems. If a host carries critical systems or confidential data, or is subject to strict compliance regulations, then it is a good idea to use IDS, IPS or both in the network environment. Intrusion detection and prevention systems are put in place to serve a business need: meeting the objective of network security. The basic benefits of IDS and IPS systems are:
• Normal and intrusive malicious activities are detected
• Proactive protection of the network security infrastructure
• Operational efficiencies: a reduced need to react to event logs for protection
• Increased coverage against packet attacks and zero-day attacks
Deterministic intrusion detection or prevention is the next-generation firewall with deep packet inspection and sniffing in the network. But it is not a silver bullet; it is a baseline at the border and deeper in the network for “Defense in Depth.”