Industrial Training - Network Intrusion Detection System Using Snort

Date post: 23-Feb-2017
Upload: disha-bedi
Page 1: Industrial Training - Network Intrusion Detection System Using Snort

Industrial Training On

Network Intrusion Detection System Using Snort

By – Disha Bedi

Page 2

Abstract

I did my summer internship in Siemens Information Systems Ltd. on building a network intrusion detection system using Snort.

The goal of this project is to implement network security for a Siemens product, SPPA-T3000, the instrumentation and control system that provides remote access to power plant management systems.

Page 3

About SISL

Siemens Information Systems Ltd. (SISL) is an integral part of Siemens Corporate Technology (CT). With over 2,800 employees, SISL is one of the largest centers of CT globally.

SISL is a leading "Systems Integrator and Total Solutions Provider" offering high-end consultancy in areas like Healthcare, Telecommunications, Manufacturing, Utilities, Public Sector & Government.

It offers comprehensive single-source solutions and services along the Consult - Design - Build - Operate - Maintain service chain.

Page 4

Motivation

Security is a big issue for all networks in today's enterprise environment. Hackers and intruders have made many successful attempts to bring down high-profile company networks and web services.

A network intrusion detection system has a major role to play in safeguarding network resources against various kinds of attacks.

Page 5

Intrusion detection

Intrusion detection is a set of techniques and methods that are used to detect suspicious activity at both the network and the host level.

Intruders have signatures that can be detected. Based upon a set of signatures and rules, the intrusion detection system (IDS) is able to find and log suspicious activity and generate alerts.

Usually an intrusion detection system captures a packet from the network, applies rules to its data and detects anomalies in it.

Page 6

Snort

Snort is an open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS).

It has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks.

Snort is primarily a rule-based IDS. Snort reads these rules at start-up and builds internal data structures, or chains, to apply them to captured data.

Snort comes with a rich set of pre-defined rules to detect intrusion activity, and you are free to add your own rules at will.

Page 7

Components of Snort

Page 8

Basic Analysis and Security Engine (BASE)

BASE provides a web front-end to query and analyze the alerts coming from a Snort IDS system.

BASE is a web interface to perform analysis of intrusions that Snort has detected on your network.

It is written in PHP. It works with Snort and databases like MySQL and makes the information available in the database to the user through a web server.

Page 9

Alerts logged in BASE

• Searching can be done on a large number of criteria like source and destination addresses, time, ports and so on.

• Graphical representation includes charts based upon time, protocol, IP addresses, port numbers and classifications.

Page 10

Wireshark

Wireshark is a network packet analyzer. A network packet analyzer tries to capture network packets and display the packet data in as much detail as possible.

In this project, Wireshark is used to check that all the packets coming from the source that satisfy the conditions in the Snort rules show an alert in BASE.

We also use Wireshark to look into the components of the packets and update our rule set accordingly from time to time.

Page 11

Packet details in Wireshark

Page 12

WRITING SNORT RULES

Snort's detection system is based on rules. These rules in turn are based on intruder signatures. Snort rules can be used to check various parts of a data packet.

All Snort rules have two logical parts: the rule header and the rule options.

The rule header contains information about what action a rule takes. It also contains criteria for matching a rule against data packets. The rule options part usually contains an alert message and information about which part of the packet should be used to generate the alert message. The options part contains additional criteria for matching a rule against data packets.

Page 13

Position of NIDS sensors

A sensor can be placed behind the firewall. In this position the IDS will not be able to detect every attack, because some parts of the packets belonging to the attack will be blocked by the firewall, so the IDS will not see the signature of the attack. Another positioning option is in front of the firewall. In this case the IDS will monitor all attacks coming from the outside.

Page 14

Position of NIDS sensors

As our NIDS is Snort based and uses rules (or signatures) to detect an intrusion, it must be able to match the conditions in the rules against the signature of the intrusion.

Thus we place the sensor in front of the firewall: if we placed it behind the firewall, the firewall would block some unwanted or harmful parts of the packets and our Snort-based IDS would not be able to detect the signature of the attack.

Page 15

The Setup

The NIDS sensor is placed in front of the firewall. The NIDS monitors traffic passing on the highlighted line between the switch and the firewall.

Page 16

Design and Implementation

Refer to the Snort installation manual and install Snort and the other necessary software.

Create three files in /etc/snort/variables. Declare variables for the device IP address, the network addresses and the ports of the different protocols in these three files, and include the files in the Snort configuration file.

Create files in /etc/snort/rules that contain the rules for the different protocols. Include the paths of these files in the Snort configuration file.

Now open an SSH session from your terminal to the NIDS machine. Start Snort using “sudo /etc/init.d/snortbarn start”. Snort should show alerts for unwanted packets in BASE.
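Putting the steps above together, here is an added example (Python, not code from the slides or from the Snort project) of what Snort does with that layout at start-up: it walks a snort.conf fragment whose include lines pull in three variable files and two rule files, stores each ipvar/portvar, and parses every rule into the header and options parts described on Page 12, with the $variables in the header resolved. The file contents are constructed and embedded inline; the file names under /etc/snort/variables and /etc/snort/rules, the variable names, the RFC 5737 test addresses and the sid values are assumptions, and the two rules are only illustrative detections for the SSH and RDP traffic the slides mention.

```python
"""Parse Snort rules into header and options, resolving ipvar/portvar variables.
Added example, not code from the original slides or from the Snort project; file
names, variable names, addresses (RFC 5737 ranges) and sid values are constructed.
"""
import re

RULE_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}

# Rule header: action proto src src_port direction dst dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$", re.DOTALL)

# Constructed stand-ins for the three variable files and two rule files on disk.
FILES = {
    "/etc/snort/variables/devices.vars": "ipvar TERMINAL_SERVER 192.0.2.20\n",
    "/etc/snort/variables/networks.vars": ("ipvar HOME_NET [192.0.2.0/24,198.51.100.0/24]\n"
                                           "ipvar EXTERNAL_NET !$HOME_NET\n"),
    "/etc/snort/variables/ports.vars": "portvar SSH_PORTS 22\nportvar RDP_PORTS 3389\n",
    "/etc/snort/rules/ssh.rules": ('alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS '
                                   '(msg:"SSH client banner from outside HOME_NET"; flow:to_server,'
                                   'established; content:"SSH-"; depth:4; sid:1000001; rev:1;)\n'),
    "/etc/snort/rules/rdp.rules": ('alert tcp $EXTERNAL_NET any -> $TERMINAL_SERVER $RDP_PORTS '
                                   '(msg:"RDP connection attempt to terminal server"; flags:S; '
                                   'sid:1000002; rev:1;)\n'),
}

# Constructed snort.conf fragment: variable files first, then the rule files.
SNORT_CONF = """\
include /etc/snort/variables/devices.vars
include /etc/snort/variables/networks.vars
include /etc/snort/variables/ports.vars
include /etc/snort/rules/ssh.rules
include /etc/snort/rules/rdp.rules
"""


def resolve(value, variables):
    """Expand $NAME references; an undefined name raises KeyError, as Snort rejects such a rule."""
    for _ in range(10):  # bounded so a self-referencing variable cannot loop forever
        expanded = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], value)
        if expanded == value:
            return expanded
        value = expanded
    raise ValueError("variable reference cycle in %r" % value)


def split_options(text):
    """Split the options part on ';' outside quotes into ordered (keyword, value) pairs."""
    items, buf, in_quotes, escaped = [], "", False, False
    for ch in text:
        if not escaped and ch == ";" and not in_quotes:
            items.append(buf)
            buf = ""
            continue
        if not escaped and ch == '"':
            in_quotes = not in_quotes
        escaped = ch == "\\" and not escaped  # honour \" \; \\ inside quoted values
        buf += ch
    items.append(buf)
    pairs = []
    for item in filter(None, (i.strip() for i in items)):
        keyword, sep, value = item.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs.append((keyword.strip(), value if sep else None))
    return pairs


def parse_rule(line, variables):
    """Return {'header': {...}, 'options': [...]} with $variables resolved in the header."""
    match = HEADER_RE.match(line.strip())
    if not match or match.group("action") not in RULE_ACTIONS:
        raise ValueError("not a Snort rule: %r" % line)
    header = {k: match.group(k) for k in
              ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")}
    for key in ("src", "src_port", "dst", "dst_port"):
        header[key] = resolve(header[key], variables)
    return {"header": header, "options": split_options(match.group("options"))}


def load_config(conf_text, files):
    """Walk snort.conf in order: includes pull in variables and rules, as Snort does at start-up."""
    variables, rules = {}, []

    def handle(line):
        line = line.strip()
        if not line or line.startswith("#"):
            return
        parts = line.split(None, 2)
        if parts[0] == "include" and len(parts) > 1:
            for included in files[parts[1]].splitlines():  # KeyError if the file is missing
                handle(included)
        elif parts[0] in ("var", "ipvar", "portvar") and len(parts) == 3:
            variables[parts[1]] = parts[2]
        elif parts[0] in RULE_ACTIONS:
            rules.append(parse_rule(line, variables))

    for line in conf_text.splitlines():
        handle(line)
    return variables, rules


def option(rule, keyword):
    """All values of one option keyword (a rule may carry several content: options)."""
    return [value for key, value in rule["options"] if key == keyword]
```

Because the includes are processed in order, the variable files must come before the rule files in snort.conf, which is why the slides have you declare the variables first; a rule that names a variable not yet defined fails to load, just as it does in Snort.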

Page 17

Updating the rules

The rules need to be updated from time to time because the contents of the packets coming from the terminal server when we start the workbench change over time.

Using Wireshark we can see a raw presentation of the contents of these packets and update our rules accordingly.

So, using Wireshark, we first check whether the packets have the same content as the content specified in our rules.

If the content is the same, Snort should raise alerts for these rules in BASE. Otherwise, if the contents differ, the rules are updated to the new content of the packets.
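As an added example of the check described above (Python written for this page, not code from the slides or from Snort), the following reimplements the part of Snort's content option that the update workflow depends on: the mixed text and |hex| notation and the offset, depth and nocase modifiers. Run against constructed payloads standing in for bytes copied out of Wireshark, it lists which rules still match and which alerted on an earlier capture but no longer match the newer one, which is the case where the slides say the rule is updated. The rule contents, sid values and payload bytes are constructed assumptions.

```python
"""Check captured payload bytes against the content part of a Snort rule.

Added example, not code from the original slides or from the Snort project.
Rules, sid values and payloads below are constructed for the demonstration.
"""
import re


def parse_content(spec):
    """Turn a Snort content string such as 'SSH-|32 2E 30|' into the bytes Snort searches for."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                      # inside |...|: space-separated hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:                          # outside: literal text; \" \; \\ escapes are unescaped
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)


def content_matches(payload, spec, offset=0, depth=None, nocase=False):
    """True if the pattern occurs wholly inside the window [offset, offset + depth)."""
    needle = parse_content(spec)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        needle, window = needle.lower(), window.lower()
    return window.find(needle) != -1


# Constructed rule fragments: the content-related options of three rules.
RULES = [
    {"sid": 1000001, "msg": "SSH banner", "content": "SSH-", "depth": 4},
    {"sid": 1000010, "msg": "workbench handshake v2.0", "content": "WB|00 01|v2.0", "depth": 16},
    {"sid": 1000011, "msg": "Java RMI stream header", "content": "JRMI", "nocase": True},
]

# Constructed payloads standing in for bytes copied out of Wireshark.
SSH_PAYLOAD = b"SSH-2.0-OpenSSH\r\n"
RMI_PAYLOAD = b"JRMI\x00\x02K"
OLD_WORKBENCH = b"WB\x00\x01v2.0 terminal-server hello"  # capture the rule was written from
NEW_WORKBENCH = b"WB\x00\x01v2.1 terminal-server hello"  # later capture after a version change


def matching_sids(payload, rules):
    """sids of the rules whose content options the payload satisfies."""
    return [r["sid"] for r in rules
            if content_matches(payload, r["content"], r.get("offset", 0),
                               r.get("depth"), r.get("nocase", False))]


def rules_needing_update(old_payload, new_payload, rules):
    """Rules that alerted on the earlier capture but no longer match the new one."""
    return sorted(set(matching_sids(old_payload, rules)) - set(matching_sids(new_payload, rules)))


if __name__ == "__main__":
    print("SSH payload alerts:", matching_sids(SSH_PAYLOAD, RULES))
    print("rules to revisit after the workbench change:",
          rules_needing_update(OLD_WORKBENCH, NEW_WORKBENCH, RULES))
```

The depth modifier is what makes the banner rule cheap and precise: with depth:4 the match is only attempted on the first four bytes, so "SSH-" appearing later in a payload does not alert. The same check run on the old and new workbench captures shows sid 1000010 dropping out, which is the signal that its content string has to be rewritten against the new packet bytes.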

Page 18

RESULT

When we start Snort and run different protocols such as SSH, RDP, RMI etc., BASE shows new alerts; only the generic rules in our rule set raise alerts. These are the alerts for the unwanted packets or intrusions in the network.

In BASE we can filter the alerts on the basis of source or destination address, source or destination port, protocol, or the rule that generated the alert, and then try to find a solution to prevent these intrusions in the network in the future.

Page 19

Limitations and Future Work

This project only deals with the detection of network intrusions using Snort. It does not prevent intrusions from entering our host computer or the local network.

Network intrusion prevention can be implemented by configuring ACLs (access control lists) on the routers based on Snort IDS alerts, which is the topic of my 7th semester seminar.

