IDS – Intrusion Detection Systems

Overview
• Concept: “An Intrusion Detection System is required to detect all types of
  malicious network traffic and computer usage that can't be detected by a
  conventional firewall. This includes network attacks against vulnerable
  services, data driven attacks on applications, host based attacks such as
  privilege escalation, unauthorized logins and access to sensitive files, and
  malware (viruses, trojan horses, and worms).”
• Components:
  – Sensors which generate security events
  – Console to monitor events and alerts and control the sensors
  – Engine that records events logged by the sensors in a database and uses a
    system of rules to generate alerts from security events received.
• Types:
  – Anomaly-Based Intrusion Detection System
  – Signature-Based Intrusion Detection System
  – Network-Based Intrusion Detection System
  – Host-based Intrusion Detection System
[Figure: IDS mechanisms work together. Source: ComputerWorld]
Basic tools
• Enterprise systems: Cisco Safe and IDS, Symantec Intrusion Protection,
  CA Host-based IPS, Network Intrusion-Prevention Systems, others.
• Honeypots: Honeyd Virtual Honeypot and Deception ToolKit
• Snort: open source, from PCs to large networks; for Linux/UNIX,
  Windows, Macs.
• References
  – Infosyssec IDS FAQ
  – SANS IDS FAQ
  – SANS InfoSec Reading Room: Intrusion Detection
  – WindowsSecurity.com: Intrusion Detection Systems (IDS):
    Classification; methods; techniques
Snort
• What is Snort?
  – What can it do: detect and respond
  – Open source and business.
  – The main Web site for Snort.
• Downloading
  – Download WinPcap 3.1 (do not use newer WinPcap versions.)
  – Download Snort for Windows or Linux
• Install and setup
  – Install WinPcap, then Snort, by double-clicking on the downloaded files.
    Snort is installed in c:\snort and snort.exe is in the c:\snort\bin
    directory.
  – Create a login on the Snort Web account signup page and log in.
  – Go to the Download rules page and, under Sourcefire VRT Certified
    Rules - The Official Snort Ruleset (registered user release), download
    the CURRENT file. It will look like: snortrules-snapshot-CURRENT.tar.gz
  – Extract this file to the directory c:\snort; both signatures (under doc)
    and rules (under rules) will be created.
• Using Snort
  – At the command prompt, start in c:\snort\bin (options)
  – Checking available interfaces:
    c:\snort\bin> snort -W
    (example)
  – Capturing and viewing packets:
    c:\snort\bin> snort -dev   (press Control-C to stop the capture; example)
  – Capturing and saving in a log file:
    c:\snort\bin> snort -de -K ascii -l c:\snort\log   (examples: tcp, arp)
  – Logging the Snort alert messages to the Windows Event Viewer,
    Application log (IDS mode):
    c:\snort\bin> snort -E -l c:\snort\log -c c:\snort\etc\snort.conf
    (see example of running in IDS mode and events in Event Viewer.)
• Modifying and creating rules
  – Creating rules: experts only; download updates and read them.
  – Modifying is not a problem: typically many false positives are eliminated.
  – Example: I got many false positives as “MISC UPnP malformed
    advertisement [Classification: Misc Attack]”. I looked for misc.rules
    and edited the rule as follows:
    #alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase;
    In the example I just commented out the rule: added # in front of the line.
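The slide's manual edit, disabling a noisy rule by prefixing it with #, can be scripted so the change is repeatable after each ruleset update. The following is an added example, not code from the slides or from the Snort project: it parses the Snort rule header and the msg option, and comments out every active rule whose msg contains a given string. The sample rules file, its shortened rule bodies and its sid values are constructed for the demo.

```python
import re

# Snort rule header: action proto src sport direction dst dport, then (options).
# An optional leading '#' marks a rule that has already been commented out.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# The msg option, allowing backslash-escaped characters inside the quotes.
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')

def parse_rule(line):
    """Parse one rules-file line; returns a dict, or None for blank/comment lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    rule["disabled"] = rule["disabled"] is not None
    msg = MSG_RE.search(rule["opts"])
    rule["msg"] = msg.group(1) if msg else ""
    return rule

def disable_rules(rules_text, msg_substring):
    """Prefix '#' to every active rule whose msg contains msg_substring.
    The rule stays in the file, so the change is visible on later review,
    but no longer fires. Returns (new_text, number_of_rules_disabled)."""
    out, count = [], 0
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule and not rule["disabled"] and msg_substring in rule["msg"]:
            out.append("#" + line)
            count += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", count

# Constructed sample file: shortened rules with placeholder sids, not the VRT ruleset.
SAMPLE_RULES = '''# misc.rules (constructed sample)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; content:"Location|3A|"; nocase; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"MISC SSH version string"; content:"SSH-"; sid:1000003; rev:1;)
'''

if __name__ == "__main__":
    new_text, n = disable_rules(SAMPLE_RULES, "UPnP")
    print(f"disabled {n} rule(s)")
    print(new_text)
```

Running it a second time on its own output disables nothing, so it is safe to re-apply after every rules snapshot is extracted into c:\snort\rules.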
• Additional references
  – Snort documentation
  – A Snort Reporting Tool
  – Snort IDS Policy Manager For Windows 2000/XP
  – Snort-Wireless
  – Securing your system with Snort in Linux
  – Snort install in Win 2000/XP with Acid and MySQL
  – Snort install in Linux with Acid and MySQL
  – ACID - Analysis Console for Intrusion Databases
  – ACID: Installation and Configuration in Linux
  – MySQL: A free DB client and server