Experiment No.5 - Cyber Security

This document describes configuring and demonstrating the use of a vulnerability assessment tool like Wireshark or SNORT. It provides details on installing SNORT, the components of a SNORT-based intrusion detection system including the packet decoder, preprocessors, detection engine, logging/alerting system and output modules. It also describes the two main modes of SNORT - sniffer mode where it acts like tcpdump, and network intrusion detection system (NIDS) mode where it uses rules to detect network intrusion activity.

Uploaded by NIRANJAN KALE

STES SINHGAD INSTITUTE OF TECHNOLOGY, LONAVALA

EXPERIMENT NO. : 05

Name of the student:-
Roll no:-
Subject:- Information and Cyber Security
Date of practical performed:-
Staff signature with date & Marks:-

Title:-
Configure and demonstrate use of vulnerability assessment tool like Wireshark or SNORT

Theory:-
Intrusion Detection Systems with Snort Tool

Introduction

Security is a big issue for all networks in today's enterprise environment. Many methods have
been developed to secure the network infrastructure and communication over the Internet.
One relatively new method is intrusion detection, which started appearing in the last
few years. Using intrusion detection methods, you can collect and use information from
known types of attacks and find out if someone is trying to attack your network or particular
hosts.
A comprehensive security system consists of multiple tools, including:
- Firewalls, which are used to block unwanted incoming as well as outgoing traffic.
- Intrusion detection systems (IDS), which are used to find out if someone has gotten into or is
trying to get into your network.
- Vulnerability assessment tools, which are used to find and plug security holes present in your
network.

These tools can work together and exchange information with each other. An Intrusion Detection
System (IDS) is software, hardware or a combination of both used to detect intruder activity.
There are two types of IDS. One is the Network Intrusion Detection System (NIDS), which captures
data packets traveling on the network media and matches them against a database of signatures. The
other is the Host-based Intrusion Detection System (HIDS), which is installed as an agent on a host.
This system can look into system and application log files to detect any intruder activity.
Snort is an open source NIDS which is available free of cost.
In a Snort-based Intrusion Detection System, Snort first captures and analyzes data. Then it
stores this data in the MySQL database using the database output plug-in. The Apache web server
uses the ACID, PHP, ADODB and JPGraph packages to display the data in a browser
window when a user connects to Apache. A user can then perform various operations to
analyze, archive, graph and delete data.
In essence, an IDS built on a single computer is shown below:

A network intrusion detection system in a single machine


In the enterprise environment, multiple Snort sensors are used behind every router or firewall.
In that case, a single centralized database is used to collect data from all of the sensors.
Figure 2 shows the architecture used in such a system.

Multiple Snort sensors logging to a centralized database server


1. Installation

Snort can be downloaded from its official website at http://www.snort.org. Snort is
supported on a number of hardware platforms and operating systems. These include:

- Linux
- OpenBSD
- FreeBSD
- NetBSD
- Solaris (both Sparc and i386)
- HP-UX
- AIX
- IRIX
- MacOS
- Windows
In this report, we downloaded the source package and compiled it from scratch; however, the
Snort website also provides binary versions for Linux and Windows platforms.

1.1 Software Installed Before Snort

Before compiling and installing Snort, we first have to install the related software and libraries,
which include:

- Zlib 1.2.1 (http://www.gzip.org/zlib/)
- LibPcap 0.7.2 (http://www.tcpdump.org/release/libpcap-0.7.2.tar.gz)
- MySQL 4.0.15 (http://downloads.mysql.com/archives.php?p=mysql-4.0&o=linux-)
- Apache 2.0.52 (http://httpd.apache.org/download.cgi)
- PHP 4.3.3 (http://www.php.net/distributions/php-4.3.3.tar.gz)
For a detailed description of the installation of this software, please read the article
"Snort, Apache, PHP, MySQL and Acid Install on RH9.0"
(http://www.infosecwriters.com/text_resources/pdf/snort_acid_rh9.pdf).

Acid main page displaying the alerts from MySQL database

2 Components of Snort
A Snort-based IDS contains the following components:

- Packet Decoder
- Preprocessors
- Detection Engine
- Logging and Alerting System
- Output Modules
The figure below shows how these components work together to detect particular attacks and to
generate output. Any data packet coming from the Internet enters the packet decoder.
On its way towards the output modules, it is either dropped, logged or an alert is
generated.

Components of Snort

2.1 Packet Decoder

In an organization’s network, the network interface can be Ethernet, SLIP, or PPP and
so on. The packet decoder takes packets from different types of network interfaces
and prepares the packets to be preprocessed or to be sent to the detection engine.
2.2 Preprocessors

Preprocessors are components that can be used to arrange or modify data packets before the
detection engine examines them to find out whether the packet is being used by an intruder.
Hackers use different techniques to fool an IDS in different ways; these may include:

Exact match: For example, you may have created a rule to find the signature "httpd/conf" in
HTTP packets. If you are matching this string exactly, a hacker can easily fool you by
modifying the string to "httpd/./conf" or "httpd../httpd/conf". In addition, since web
servers usually understand hexadecimal characters or Unicode characters, hackers can also
insert these kinds of characters into the web URI. This also makes the exact-match rule void.
A preprocessor can rearrange the string so that it is detectable by the IDS.
Packet fragmentation: When a large data chunk is transferred to a host, the packet is usually
fragmented into multiple data packets so that each fragment satisfies the default maximum
length of a particular network interface. Later, the receiving system
needs to reassemble these smaller units to form the original data packets. Hackers can use
fragmentation to split a signature across several small units to fool the IDS. A preprocessor can
reassemble these small units first and send the whole packet to the detection engine for
signature testing.
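The two evasions above are easiest to understand with a miniature preprocessor. The following block is an added example, not code from the original report or from Snort: it reassembles fragmented data and normalizes an HTTP URI (percent-decoding and "." / ".." path collapsing) before the same exact substring match the naive detector uses. The function names, the "httpd/conf" signature from the text, and the three-fragment sample input are constructed for this example.

```python
# Added example, not code from the original report or from Snort: a miniature
# "preprocessor" that reassembles fragmented data and normalizes an HTTP URI
# before an exact signature match, to show why Snort runs preprocessors ahead
# of the detection engine. Function names and sample data are constructed.
import posixpath
from urllib.parse import unquote

SIGNATURE = "httpd/conf"   # the signature string used in the report's example


def exact_match(payload: str, signature: str = SIGNATURE) -> bool:
    """Naive detection: a plain substring search on the raw payload."""
    return signature in payload


def normalize_uri(uri: str) -> str:
    """Undo the obfuscations the report describes: percent-encoded
    (hexadecimal) characters and "." / ".." path segments, so that
    "httpd/./conf" and "/cgi-bin/../httpd%2Fconf" both end in httpd/conf."""
    decoded = unquote(uri)              # "%2F" -> "/", "%63" -> "c", ...
    return posixpath.normpath(decoded)  # "a/./b" -> "a/b", "a/x/../b" -> "a/b"


def reassemble(fragments):
    """Put (offset, data) fragments back in order and concatenate them, the
    way a defragmentation preprocessor does. A gap or overlap between
    fragments is reported instead of silently matching on incomplete data."""
    buf = bytearray()
    for offset, data in sorted(fragments, key=lambda f: f[0]):
        if offset != len(buf):
            raise ValueError(f"fragment at offset {offset} leaves a gap or overlaps")
        buf.extend(data)
    return bytes(buf)


def detect_with_preprocessing(fragments, signature: str = SIGNATURE) -> bool:
    """Reassemble, normalize, then apply the same exact match the naive
    detector uses."""
    raw = reassemble(fragments).decode("latin-1")
    return exact_match(normalize_uri(raw), signature)


# Constructed sample: the request path "/cgi-bin/../httpd%2Fconf" delivered as
# three fragments, out of order. No single fragment contains the signature, and
# even the reassembled raw path hides it behind "%2F" and "..".
SAMPLE_FRAGMENTS = [
    (11, b"/httpd%2F"),
    (0, b"/cgi-bin/.."),
    (20, b"conf"),
]

if __name__ == "__main__":
    for _, data in SAMPLE_FRAGMENTS:
        print(f"fragment {data!r}: exact match = {exact_match(data.decode())}")
    raw = reassemble(SAMPLE_FRAGMENTS).decode("latin-1")
    print(f"reassembled {raw!r}: exact match = {exact_match(raw)}")
    print(f"normalized {normalize_uri(raw)!r}: "
          f"match = {detect_with_preprocessing(SAMPLE_FRAGMENTS)}")
```

Run stand-alone, the script shows the naive matcher missing the signature in every fragment and in the raw reassembled path, while the preprocessed path matches. The gap check in `reassemble` is deliberate: a defragmenter that silently accepts missing or overlapping pieces is itself a source of evasions.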
2.3 The Detection Engine

The detection engine is the most important part of Snort. Its responsibility is to detect if any
intrusion activity exists in a packet. The detection engine employs Snort rules for this
purpose. The rules are read into internal data structures or chains where they are matched
against all packets. If a packet matches any rule, Snort will send alerts to system logs or
output plug-ins; otherwise the packet is dropped. The detection engine is the time-critical part
of Snort. The load on it depends on the following factors:

- Number of rules
- Power of the machine on which Snort is running
- Speed of the internal bus used in the Snort machine
- Load on the network
Note that the detection engine can dissect a packet and apply rules to different parts of the
packet. These parts may be:

- The IP header of the packet
- The transport layer header: This header includes TCP, UDP or other transport layer headers.
It may also work on the ICMP header.
- The application layer header: Application layer headers include, but are not limited to,
the DNS header, FTP header, SNMP header, and SMTP header. You may have to use some
indirect methods for application layer headers, like the offset of the data to be looked for.
- Packet payload: This means that you can create a rule that is used by the detection engine to
find a string inside the data that is present inside the packet.

2.4 Logging and Alerting System

Depending on what the detection engine finds inside a packet, the packet may be used to log
the activity or generate an alert. Logs are kept in simple text files, tcpdump-style files or
some other form. All of the log files are stored under the /var/log/snort folder by default. You can
use the -l command line option to change the location where logs and alerts are generated. Many
command line options discussed in the next chapter can modify the type and detail of
information that is logged by the logging and alerting system.
2.5 Output Modules
Output modules or plug-ins can do different operations depending on how you want to save
the output generated by the logging and alerting system of Snort. Basically these modules control
the type of output generated by the logging and alerting system. Depending on the
configuration, output modules can do things like the following:

- Simply logging to the /var/log/snort/alerts file or some other file
- Sending SNMP traps
- Sending messages to the syslog facility
- Logging to a database like MySQL or Oracle
- Generating eXtensible Markup Language (XML) output
- Modifying configuration on routers and firewalls
- Sending Server Message Block (SMB) messages to Microsoft Windows-based
machines
Other tools can also be used to send alerts in other formats such as e-mail messages, or to
view alerts using a web interface.

3 Snort Modes

Snort operates in two basic modes:

- Sniffer mode
- NIDS mode
In sniffer mode it can be used as a packet sniffer, like tcpdump or snoop. When sniffing packets, Snort can
also log these packets to a log file. The file can be viewed later using Snort or tcpdump.
No intrusion detection activity is done by Snort in this mode of operation. Using Snort for
this purpose is not very useful as there are many other tools available for packet logging. For
example, all Linux distributions come with the tcpdump program, which is very efficient.

When you use Snort in network intrusion detection (NIDS) mode, it uses its rules to find out
if there is any network intrusion activity.
3.1 Network Sniffer Mode

In network sniffer mode, Snort acts like the commonly used program tcpdump. You don't
need a configuration file to run Snort in sniffing mode. With different parameters,
you can capture and display network packets with different levels of detail.

Figure 5 is a network sniffing mode test. In this test, I start Snort running as a
network sniffer by typing the following commands:
  Shell> snort -v
  Shell> ping www.yahoo.com
Snort will continue to display captured packets on the screen until you break out using Ctrl-C. At
the time Snort terminates, it will display statistical information.

Note that the above output does not show all the packet information on the network. In order to
capture all of it, showing the data link layer headers and application layer payload, you
have to use the -dev parameters (snort -dev). This command displays captured data in hexadecimal as well as
ASCII format.

4 Working With Rules

Most intruder activity will leave some kind of footprint; this footprint is called a signature in
Snort jargon. Snort rules are created based on these signatures. These signatures may be
present in the header parts of a packet or in the payload. Snort rules can be used to check
various parts of a data packet, including both network layer protocols and application layer
protocols.

structure of Snort rule header

4.1 Structure of a Rule

A Snort rule is divided into two parts: the rule header and the rule options. The rule header contains
information about what action a rule takes. It also contains criteria for matching a rule against
data packets. The general structure of a Snort rule header is shown in Figure 10.

The options part contains additional criteria for matching a rule against data packets. A rule
may detect one type or multiple types of intrusion activity. Intelligent rules should be able to
apply to multiple intrusion signatures.

Rule options are enclosed inside a pair of parentheses. There may be one or many and the
options are separated with a semicolon. In general, an option may have two parts: a keyword
and an argument. Arguments are separated from the option keyword by a colon.

4.2 Using ACID With Snort

Analysis Console for Intrusion Database (ACID) is a tool used to analyze and present Snort
data using a web interface. It is written in PHP. It works with Snort and databases like
MySQL. A user uses a web browser to interact with ACID.
The following test shows how user-customized rules are used by Snort and how we
use ACID to analyze Snort alerts from the MySQL database. The first test is as follows:

First you need to delete all the built-in rules used by Snort in the snort.conf configuration
file, and then add the following rule to the rules part of the snort.conf file:

alert ip any any -> any any (msg:"IP Packet detected";)

This rule will generate an alert message for every captured IP packet. The ACID main page
provides an overview of the currently available data. It has different sections to display
information in groups. You can view traffic profiles by protocol, get a snapshot of
sensors, search data and so on.
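To make the header/options split of section 4.1 and the "alert every IP packet" rule above concrete, the following is an added example, not Snort's own code: a small parser for the rule layout described there (a seven-field header, then "keyword: argument" options separated by semicolons inside parentheses) and a header matcher that applies the five-tuple criteria to a packet summary. The dataclass and field names, the packet dictionary layout, and the second sample rule (which looks for the "httpd/conf" signature of section 2.2) are constructed for this example; Snort's real matcher also understands port ranges, negation and variables, which are left out here.

```python
# Added example, not Snort's own code: parse a Snort rule into its header
# (action, protocol, source IP/port, direction, destination IP/port) and its
# option list, then match the header against a constructed packet summary.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule actions and protocols accepted by Snort 2 rule headers.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}

_RULE_RE = re.compile(r"^\s*(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$", re.S)


@dataclass
class RuleHeader:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str


@dataclass
class SnortRule:
    header: RuleHeader
    options: List[Tuple[str, Optional[str]]]   # (keyword, argument or None)


def _split_options(text: str) -> List[str]:
    """Split on ';' but not inside double quotes, so msg:"a; b" stays whole."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(text: str) -> SnortRule:
    """Parse 'header (options)' and validate the seven header fields."""
    m = _RULE_RE.match(text)
    if not m:
        raise ValueError("rule must look like: header (option; option; ...)")
    fields = m.group("header").split()
    if len(fields) != 7:
        raise ValueError(f"rule header needs 7 fields, got {len(fields)}: {fields}")
    header = RuleHeader(*fields)
    if header.action not in ACTIONS:
        raise ValueError(f"unknown action {header.action!r}")
    if header.protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol {header.protocol!r}")
    if header.direction not in DIRECTIONS:
        raise ValueError(f"unknown direction {header.direction!r}")
    options = []
    for raw in _split_options(m.group("options")):
        keyword, sep, argument = raw.partition(":")   # "msg:\"x\"" -> msg, "x"
        argument = argument.strip().strip('"') if sep else None  # "nocase" -> None
        options.append((keyword.strip(), argument))
    return SnortRule(header, options)


def header_matches(h: RuleHeader, pkt: dict) -> bool:
    """Apply the header to a packet summary {"proto","src","sport","dst","dport"}.
    "any" is a wildcard, protocol "ip" covers every IP protocol, and "<>"
    matches either direction, as in Snort."""
    def ok(pattern, value):
        return pattern == "any" or str(pattern) == str(value)

    if h.protocol != "ip" and h.protocol != pkt["proto"]:
        return False
    forward = (ok(h.src_ip, pkt["src"]) and ok(h.src_port, pkt["sport"])
               and ok(h.dst_ip, pkt["dst"]) and ok(h.dst_port, pkt["dport"]))
    if h.direction == "<>":
        reverse = (ok(h.src_ip, pkt["dst"]) and ok(h.src_port, pkt["dport"])
                   and ok(h.dst_ip, pkt["src"]) and ok(h.dst_port, pkt["sport"]))
        return forward or reverse
    return forward


# The rule from the report (with straight quotes, which Snort requires) and a
# constructed rule that looks for the "httpd/conf" signature of section 2.2.
PAGE_RULE = 'alert ip any any -> any any (msg:"IP Packet detected";)'
CUSTOM_RULE = ('alert tcp any any -> 192.168.1.10 80 '
               '(msg:"httpd conf probe"; content:"httpd/conf"; nocase; sid:1000001;)')

if __name__ == "__main__":
    for text in (PAGE_RULE, CUSTOM_RULE):
        rule = parse_rule(text)
        print(rule.header)
        print(rule.options)
```

Parsing the report's rule yields a header with `ip` as the protocol and `any` in every address and port slot, which is why `header_matches` returns true for every packet and the rule alerts on all IP traffic; the constructed second rule shows how narrowing the header (one destination host and port, one protocol) is what keeps the alert volume manageable before the `content` option is even evaluated.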

From the main page, you can click on a protocol to get information about packets logged for
that particular protocol. Figure 12 shows a screenshot for the TCP protocol. The bottom part of
the screen shows the last fifteen individual packets that have been logged into the database.

You can click on any one of these lines at the bottom to find out more details about a
particular packet. Figure 13 shows details about a particular TCP packet.

TCP alert detail

One important feature of ACID is that it can be used to search the captured alert data.
Figure 14 is a screenshot of a search. All the criteria that you specify in
this screen are translated into an SQL statement that is passed to the MySQL database server.
Figure 15 is the result of this query.

Conclusion

Intrusion Detection Systems look for attack signatures, which are specific patterns that usually
indicate malicious or suspicious intent. Network-based Intrusion Detection Systems (IDS) use
raw network packets as the data source. Snort is a lightweight IDS which uses a set of
built-in rules and user-customized rules to prevent prospective intruders from intruding into a
network system. This report discussed the installation procedure for Snort as well as other
products that work with Snort, the components of Snort, and its most frequently used functions.
Finally, we gave a comprehensive test on a RedHat 9 Linux system of how to use ACID to
analyze alerts generated by Snort based on some specific rules.
