Signature-Based Network Intrusion Detection System Using SNORT And WINPCAP


International Journal of Engineering Research & Technology (IJERT), ISSN: 2278-0181, Vol. 1 Issue 10, December 2012

Sagar N. Shah*, M.E. (Computer Science & Engineering), Parul Institute of Engineering & Technology, Vadodara, Gujarat, India
Ms. Purnima Singh, Assistant Professor, Computer Science & Engineering, Parul Institute of Engineering & Technology, Vadodara, Gujarat, India

Abstract: Nowadays, organizations discover that it is essential to protect their valuable information and internal resources from unauthorized access, for example by deploying a firewall. As the use of the internet grows rapidly, the possibility of attack increases in the same ratio. A signature is the pattern that you look for inside a data packet. Signatures may be present in different parts of a data packet depending upon the nature of the attack. An intrusion detection system's main role in a network is to help computer systems prepare for and deal with network attacks. Intrusion detection systems (IDS) have become a key component in ensuring the safety of systems and networks. These systems enforce a security policy by inspecting arriving packets for known signatures (patterns). Snort is the most used signature-based IDS because it is lightweight and open source software. Basic Analysis and Security Engine (BASE) is also used to see the alerts generated by Snort. In this paper we have implemented signature-based network intrusion detection using Snort and WinPcap.

Keywords: Network Intrusion Detection System, Snort, Signature-based, WinPcap, BASE

I. INTRODUCTION

As the use of technology increases, the risk associated with technology also increases. Network security is a big challenge among researchers. People have been working in the field of network security since 1987, when Dorothy Denning published an intrusion detection model [1], but till now we have not got any perfect solution. While the availability of ies, it has also brought new possibilities for malicious users. The importance of network security is therefore growing; one of the ways of detecting malicious activity on a network is by using an Intrusion Detection System. Intrusion detection functions include [2]:
- Analysis of abnormal activity patterns
- Analyzing system configurations and vulnerabilities
- Ability to recognize patterns typical of attacks
- Monitoring and analyzing both user and system activities
- Assessing system and file integrity

Intrusion Detection Systems (IDS) inspect arriving packets for malicious content (signatures) as defined by a security policy. Unfortunately, comparing packet headers and payloads against a policy can be complex and time-consuming. For example, it has been found that content matching (scanning for signatures) accounts for more than 70% of the packet processing time [3],[4].

This paper focuses on analyzing the abnormal activity that has been detected by our Intrusion Detection System using Snort and WinPcap. Snort is a popular NIDS that is used to audit network packets and compare those packets with a database of known attack signatures; this attack signature database must be updated from time to time.

II. SIGNATURE-BASED NETWORK IDS

A signature-based NIDS examines ongoing traffic, activity, transactions, or behaviour for matches with known patterns of events specific to known attacks. As with antivirus software, a signature-based NIDS requires access to a current database of attack signatures and some way to actively compare and match current behaviour against a large collection of signatures.

Signature-based detection (also called misuse-based detection) is very effective against known attacks [5]. It implies that misuse detection requires specific knowledge of a given intrusive behaviour. An example of a signature-based intrusion detection system is SNORT.

Advantages [6]:
- Signature definitions are modeled on known intrusive activity. So, the user can examine the signature database and quickly determine which intrusive activity the misuse detection system is programmed to alert on.
- Misuse detection system begins
- There are low false positives as long as attacks are clearly defined in advance.
- When an alarm fires, the user can relate this directly to a specific type of activity occurring on the network.

Disadvantages [6]:
- One of the biggest problems for a signature-based NIDS is how to keep up with a large volume of incoming traffic when each packet needs to be compared with every signature in the database. Processing the whole traffic is so time-consuming that it will slow down the throughput of the system.
- A misuse detection system must have a signature defined for all of the possible attacks that an attacker may launch against your network. This leads to the necessity for frequent signature updates to keep the signature database of your misuse detection system up-to-date.
- Misuse detection has a well-known problem of raising alerts regardless of the outcome. For example, for a Windows worm trying to attack a Linux system, the misuse IDS will send so many alerts for unsuccessful attacks that they may be hard to manage.
- Someone may set up the misuse detection system in their lab and intentionally try to find ways to launch attacks that bypass detection by the misuse detection system.
- The knowledge about attacks is very dependent on the operating system, version and application, and is hence tied to specific environments.

III. COMPONENTS OF SNORT

Snort is basically the combination of multiple components. All the components work together to find a particular attack and then take the corresponding action that is required for that particular attack. Basically it consists of the following major components, as shown in Figure 1 [7]:
1. Packet Decoder
2. Preprocessor
3. Detection Engine
4. Logging and Alerting System
5. Output Modules

Figure 1: Components of Snort [7]

A packet comes from the internet and enters the packet decoder, and then goes through several phases; the required action is taken by Snort at every phase. For example, if the detection engine finds any malicious content in a packet, it drops that packet, and on the way towards the output module the packet is logged or an alert is generated.

1. Packet Decoder:
The packet decoder collects packets from different network interfaces and sends them to the preprocessor or to the detection engine. The network interface might be Ethernet, SLIP, PPP and so on.

2. Preprocessor:
It works with Snort to modify or arrange the packet before the detection engine applies some operation to it, for instance if the packet is corrupted. Sometimes preprocessors also generate an alert if any anomalies are found in the packet. Basically the detection engine matches the pattern of the whole string, so by changing the sequence or by adding some extra value an intruder can fool the IDS; the preprocessor rearranges the string so that the IDS can detect it. The preprocessor does one very important task, i.e. defragmentation. Sometimes an intruder breaks the signature into two parts and sends them in two packets. So, before checking the signature, both packets should be defragmented (reassembled), and only then can the signature be found; this is done by the preprocessor.
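As an added illustration of the defragmentation point above (example code written for this page, not code from the paper or from Snort): a content signature split across two TCP segments is missed by per-packet inspection and found once the segments are reassembled in sequence-number order. The segments and the signature string are constructed samples.

```python
"""Why the preprocessor reassembles before the detection engine matches.

Added example, not code from the paper or from Snort. A content signature
split across two TCP segments is missed when each segment is inspected on
its own and is found again once the segments are stitched together in
sequence-number order. Segments and signature are constructed samples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def match_per_packet(segments, signature):
    """Naive engine: look for the signature inside each segment separately.
    Returns the sequence numbers of the segments that contain it."""
    return [s.seq for s in segments if signature in s.payload]


def reassemble(segments):
    """Order segments by sequence number and splice them into one stream.
    Overlapping bytes keep the first-received data; a hole in the stream
    raises, because a stream with gaps must not be treated as complete."""
    stream = bytearray()
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:
            raise ValueError(f"gap in stream at seq {expected}")
        data = seg.payload[expected - seg.seq:]   # drop bytes already kept
        stream += data
        expected += len(data)
    return bytes(stream)


def match_reassembled(segments, signature):
    """What the preprocessor makes possible: match against the whole stream."""
    return signature in reassemble(segments)


# Constructed sample: a banner string used as the signature, split across two
# segments that arrive out of order (the tail is received first).
SIGNATURE = b"NetBus 1.60"
SEGMENTS = [
    Segment(seq=1011, payload=b"s 1.60\r\n"),
    Segment(seq=1000, payload=b"HELLO NetBu"),
]
```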

3. Detection Engine:
Its main work is to find out whether intrusion activity exists in a packet with the help of Snort rules; if found, it applies the appropriate rule, otherwise it drops the packet. It takes different times to respond to different packets, and this also depends upon the power of the machine and the number of rules defined in the system.

4. Logging and Alerting System:
This system is responsible for the generation of alerts and the logging of packets and messages. Depending upon what the detection engine finds inside a packet, the packet may be used to log the activity or generate an alert. All of the log files are stored under a preconfigured location by default. This location can be configured using command line options. There are many command line options to modify the type and detail of information that is logged by the logging and alerting system. All log files are kept by default under the C:\Snort\log folder, and by using the -l command line option the location can be changed.

5. Output Modules:
Output modules or plug-ins save the output generated by the logging and alerting system of Snort, depending on how the user wants it for different operations. Mainly they control the different output produced by the logging and alerting system. Depending on the configuration, output modules can send output messages to a number of other destinations. Commonly used output modules are:
- The database module is used to store Snort output data in databases, such as MySQL, MSSQL or Oracle.
- The SNMP module can be used to send Snort alerts in the form of traps to a management server.
- The Server Message Block (SMB) alerts module can send alerts to Microsoft Windows machines in the form of pop-up SMB alert windows.
- The syslog module logs messages to the syslog utility (using this module you can log messages to a centralized logging server).

IV. RULE STRUCTURE OF SNORT

All IDS rules have two logical parts: rule header and rule options [8]. This is shown in Figure 2.

Figure 2: Basic Structure of IDS Rules

The rule header contains information about what action a rule takes. It also contains criteria for matching a rule against data packets. The options part usually contains an alert message and information about which part of the packet should be used to generate the alert message. The options part contains additional criteria for matching a rule against data packets. A rule may detect one type or multiple types of intrusion activity. Intelligent rules should be able to apply to multiple intrusion signatures.

Figure 3: Structure of IDS rule header

The action part of the rule determines the type of action taken when the criteria are met and the rule is exactly matched against a data packet. Typical actions are generating an alert or log message or invoking another rule.
i. Pass: This action tells Snort to ignore the packet. This action plays an important role in speeding up Snort operation in cases where you don't want to apply checks on certain packets. For example, if you have a vulnerability assessment host on your own network that you use to find possible security holes in your network, you may want Snort to ignore any attacks from that host. The pass rule plays an important part in such a case.
ii. Log: The log action is used to log a packet. Packets can be logged in different ways, as discussed later in this book. For example, a message can be logged to log files or in a database. Packets can be logged with different levels of detail depending on the command line arguments and configuration file.
iii. Alert: The alert action is used to send an alert message when rule conditions are true for a particular packet. An alert can be sent in multiple ways. For example, you can send an alert to a file or to a console. The functional difference between Log and Alert actions is that Alert actions send an alert message and then log the packet. The Log action only logs the packet.

The protocol part is used to apply the rule on packets for a particular protocol only. This is the first criterion mentioned in the rule. Some examples of protocols used are IP, ICMP, UDP, etc.

The address part defines the source and destination addresses. An address may be a single host, multiple hosts or a network address. The researcher can also use these parts to exclude some addresses from a complete network. Source and destination addresses are determined based on the direction field. As an example, if the direction field is "->", the address on the left side is the source and the address on the right side is the destination.

In the case of the TCP or UDP protocol, the port parts determine the source and destination ports of a packet on which the rule is applied. In the case of network layer protocols like IP and ICMP, port numbers have no significance.

The direction part of the rule actually determines which address and port number is used as source and which as destination.

Snort utilizes a pattern matching model for detection of network attack signatures using identifiers such as TCP fields, IP addresses, TCP/UDP port numbers, ICMP type/code, and strings contained in the packet payload. For example, Snort may have a rule such as the following:

alert tcp $HOME_NET 12345 -> $EXTERNAL_NET any (msg:"IDS80 Possible BACKDOOR ACTIVITY Netbus/GabanBus"; flags: SA)

This is the pattern-matching rule for the Netbus Trojan. Let us break this rule down to understand how the Snort packet engine recognizes signatures.
- Alert: this is an alert message.
- Tcp: Snort will be focused on the IP protocol.
- HOME_NET: HOME_NET is a variable set to an organization's IP address range (for example 10.0.0.0/16).
- 12345: destination TCP port number of the original SYN packet from EXTERNAL_NET. This represents the SYN/ACK portion of the TCP handshake.
- ->: indicates that traffic will be matched for a source IP in HOME_NET and a destination IP in EXTERNAL_NET.
- EXTERNAL_NET: EXTERNAL_NET is a variable set to an IP address range to be matched. For instance, this might be set to 0.0.0.0 if the IDS is placed at an Internet connection.
- Any: the "any" keyword refers to the TCP source port number for the originator of the connection.
- Msg "": this message is printed to the snort.alert log file.
- Flags: SYN and ACK flags are set. Other flags such as PSH, FIN, RST, and URG could also be specified as part of a signature.

V. SNORT NIDS TOPOLOGY

From the figures referred from [7] given below, the concept of a signature-based IDS can easily be understood. It is clear that when any person sends data inside the network, first of all it goes to the default gateway, which checks the rules; if the packet is found malicious then it discards the packet, otherwise it sends it to the destination system.

Figure 4: Snort NIDS Topology [7]

Figure 5: Snort Signature Database [7]

In Figure 4 the Snort IDS computer is connected through the internet. Networks send packets to the Snort IDS devices. Before the packet reaches its destination, the default gateway checks that packet, and if the packet is malicious then the Snort IDS device discards the packet, otherwise it sends the packet on to the devices. Figure 5 clearly shows the working of the IDS device, i.e. how the device checks the packets. So, when a packet comes to the device, it uses a comparing tool to check that packet against the database of signatures stored in the IDS device; if it gets the result that the packet is matched from the database, then the IDS system discards the packet, otherwise it sends the packet to the destination system.

VI. TOOLS USED IN SIGNATURE-BASED NIDS SYSTEM

To implement a signature-based network intrusion detection system, we need to install some tools, such as Snort, BASE and WinPcap.

Snort [9]

Snort is an open source network intrusion detection and prevention system [9] (available at http://www.snort.org/snort-downloads?). It can perform real-time traffic analysis and analyze the data flow in a network. It is able to perform protocol analysis and can detect different types of attack. In NIDS mode, Snort basically checks packets against rules written by the user. Snort rules can be written in any language, their structure is also good, they can be easily read and rules can be modified also. In a buffer overflow attack, Snort can detect the attack by matching the previous pattern of attacks and then will take appropriate action to prevent the attack. In a signature-based IDS system, if the pattern matches then the attack can be easily found, but when a new attack comes then the system fails; Snort overcomes this limitation by analyzing the real-time traffic. Whenever any packet comes into the network, Snort checks the behaviour of the network; if the performance of the network degrades then Snort stops the processing of the packet, discards the packet and stores its details in the signature database [10].

WinPcap [11]

WinPcap is an open source library for packet capture and network analysis [11] for the Win32 platforms. WinPcap provides the packet-capture and filtering engines of many open source and commercial network tools, including protocol analyzers (packet sniffers), network monitors, network intrusion detection systems, traffic generators and network testers. It also supports saving captured packets to a file [13], and reading files containing saved packets; applications can be written, using WinPcap, to be able to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that WinPcap uses can be read by applications that understand that format, such as tcpdump, Wireshark, CA NetMaster.

The purpose of WinPcap is to give this kind of access to Win32 applications; it provides facilities to:
- capture raw packets, both the ones destined to the machine where it's running and the ones exchanged by other hosts (on shared media);
- filter the packets according to user-specified rules before dispatching them to the application;
- transmit raw packets to the network;
- gather statistical information on the network traffic.

Basic Analysis and Security Engine (BASE) [12]

BASE is a web interface to perform analysis of intrusions that Snort has detected on the network. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system. It uses a user authentication and role-based system, so that you as the security admin can decide what and how much information each user can see. It also has a simple to use, web-based setup program for people not comfortable with editing files directly [12].

VII. IMPLEMENTATION DETAILS

Snapshot

Figure 6: Packet Details

As soon as we start the internet, the host systems on which we access this module start capturing the packets. It shows the data in decimal format. The details of the captured packets are shown in the snapshot. The default gateway used to capture and monitor the packets is as follows (getting the IP address to keep watch / monitor):

m_Monitor = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);
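To make the rule structure of Section IV and the Netbus rule breakdown concrete, here is an added example (not code from the paper or from Snort) that splits a rule into the header fields and options the paper lists and evaluates it against constructed packet records. The $HOME_NET value 10.0.0.0/16 follows the paper's example; defining $EXTERNAL_NET as everything outside it is an assumption, and only the msg and flags options are interpreted.

```python
"""Snort rule header and options, parsed and evaluated (added example, not
code from the paper or from Snort). Splits a rule into the header fields of
Section IV (action, protocol, source address/port, direction, destination
address/port) and its options, then checks constructed packet records
against it. Only the msg and flags options are interpreted."""
from ipaddress import ip_address, ip_network

# 10.0.0.0/16 is the paper's HOME_NET example; defining EXTERNAL_NET as
# "not HOME_NET" is an assumption of this example.
VARS = {"$HOME_NET": "10.0.0.0/16", "$EXTERNAL_NET": "!$HOME_NET"}

# The paper's Netbus rule, with the variable and direction characters restored.
NETBUS_RULE = ('alert tcp $HOME_NET 12345 -> $EXTERNAL_NET any '
               '(msg:"IDS80 Possible BACKDOOR ACTIVITY Netbus/GabanBus"; flags: SA;)')

def parse_rule(text):
    """Split 'header (options)'; options are 'key:value;' pairs (a msg that
    itself contains ';' is not handled by this simple splitter)."""
    head, _, opts = text.strip().partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    options = {}
    for opt in opts.rstrip(")").split(";"):
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def addr_matches(spec, ip):
    """Resolve $VARS, honour 'any' and '!' negation, then test CIDR membership."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    return ip_address(ip) in ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def evaluate(rule, pkt):
    """Return (action, msg) when the packet record matches every header field
    and option, else None. Only '->' rules are handled: left-hand address and
    port match the packet's source, right-hand its destination. flags:SA needs
    exactly SYN and ACK set, as Snort's flags test does without modifiers."""
    if rule["proto"] != pkt["proto"] or rule["direction"] != "->":
        return None
    header_ok = (addr_matches(rule["src"], pkt["src"])
                 and port_matches(rule["sport"], pkt["sport"])
                 and addr_matches(rule["dst"], pkt["dst"])
                 and port_matches(rule["dport"], pkt["dport"]))
    if not header_ok:
        return None
    flags = rule["options"].get("flags")
    if flags is not None and set(flags) != set(pkt.get("flags", "")):
        return None
    return rule["action"], rule["options"].get("msg", "")

# Constructed packet records: the SYN/ACK the rule targets, the client's SYN
# (wrong direction), and a SYN/ACK to an internal host (destination not external).
SYN_ACK_OUT = {"proto": "tcp", "src": "10.0.5.7", "sport": 12345,
               "dst": "198.51.100.9", "dport": 40001, "flags": "SA"}
SYN_IN = {"proto": "tcp", "src": "198.51.100.9", "sport": 40001,
          "dst": "10.0.5.7", "dport": 12345, "flags": "S"}
SYN_ACK_INTERNAL = {"proto": "tcp", "src": "10.0.5.7", "sport": 12345,
                    "dst": "10.0.9.2", "dport": 40001, "flags": "SA"}
```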

Figure 7: Packet Information and Hex Data

Once we select any packet by double clicking on it, as shown in the first snapshot, we are able to see the details of the packet, i.e. the header fields and the payload. The header part consists of the source IP address and destination IP address, the name of the protocol, the Time to Live field, the version of the protocol, the header length, the various types of service and the total length field. The data of the header fields is shown in decimal form, whereas the data of the payload is displayed in hexadecimal form.

VIII. CONCLUSION AND FUTURE WORK

Security is a big issue for all networks in today's enterprise environment. Hackers and intruders have made many successful attempts to bring down high-profile company networks and web services. Snort is free and powerful software that is capable of performing real-time traffic analysis and packe

REFERENCES

[1] D. E. Denning, "An Intrusion-Detection Model", IEEE Transactions on Software Engineering, Volume 13, Issue 2, February 1987.
[2] Harley Kozushko, "Intrusion Detection: Host-Based and Network-Based Intrusion Detection Systems", September 11, 2003.
[3] S. Antonatos, K. G. Anagnostakis and E. P. Markatos, "Generating realistic workloads for network intrusion detection systems", in Proceedings of the ACM Workshop on Software and Performance, 2004.
[4] Mike Fisk and George Varghese, "Fast content-based packet handling for intrusion detection", Technical Report, University of California at San Diego, 2001.
[5] D. E. Denning, "An intrusion-detection model", IEEE Transactions on Software Engineering, Vol. SE-13, No. 2, pp. 222-232, Feb. 1987.

