Implementation of Signature-based Detection System using Snort in Windows

Transcription

1 Implementation of Signature-based Detection System using Snort in Windows Prerika Agarwal Sangita Satapathy Ajay Kumar Garg Engineering College, Ghaziabad Abstract: Threats of attacks are increasing day by day with the rapid use of internet technology. Intrusion Detection Systems (IDS) are the key components in ensuring the safety of systems and networks. These systems enforce a security policy by inspecting arriving packets for known signatures (patterns). Signature-based detection is used for detecting known attacks as many attacks have distinct signatures. Signatures may be present in different parts of a data packet depending upon the nature of the attack. In this paper signature based detection system has been implemented using intrusion detection tool i.e. Snort. This paper will enable users to understand the working of Snort on Windows platform. Keywords: Intrusion Detection System; Snort; WinPcap; Wireshark I. INTRODUCTION Internet connectivity is becoming a critical aspect day by day. With the advent of new technologies, the risks associated with it are also increasing exponentially. When we are working on internet we not only provide access to normal user but to malicious user as well. There needs to be some kind of security to the private resources from Internet as well as from malicious user. Most of the attacks happen from inside users for the very fact that they know the systems much more than an outsider knows and access to information is easier for an insider. It then becomes our responsibility to make network secure by using Network monitoring tools and some security settings. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. It secures the network, as well as protecting and overseeing operations being done. Network security tools like firewall, antivirus, honeypots, etc are not able to cover all security risks. Rather an Intrusion Detection System can do it. It identifies intrusion in the network by collection of information from the network; process it and then alert for possible attack. Intrusion detection technology can be divided into two categories: Signature based detection Anomaly detection Signature-based Intrusion Detection Systems references a database of previous attack signatures and known system vulnerabilities. It is mainly used of most commercial intrusion detection systems, by matching the current data and signature-known type of attack found. Anomaly-based Intrusion Detection Systems captures the network traffic activity and creates a profile representing its stochastic behavior. This profile is based on metrics such as the traffic rate, 120

2 the number of packets for each protocol. Anomaly-based intrusion detection triggers an alarm on the IDS when some type of unusual behavior occurs on your network. To provide useful information about intrusions that do take place, allowing improved finding, improvement, and correction of contributing factors NEED OF INTRUSION DETECTION The Importance of network Security is therefore growing; one of the ways of malicious activity detection on a network is by using Intrusion Detection System. An Intrusion detection system (IDS) is a security system that monitors computer systems and network traffic and analyzes that traffic for possible hostile attacks originating from outside the organization and also for system misuse or attacks originating from inside the organization. Intrusion detection system s main role in a network is to help computer systems to prepare and deal with the network attacks. Intrusion Detection System includes: Analysis of abnormal activity patterns Analyzing system configurations and vulnerabilities Ability to recognize patterns typical of attacks Monitoring and analyzing both user and system activities Assessing system and file integrity Intrusion Detection System is needed: To detect attacks that are not prevented by other security measures To detect and deal with attacks To perform as quality organize for security design and administration, especially of large and complex enterprises 121 This paper focuses on analyzing the abnormal activity that has been detected by our Intrusion Detection System using Snort and WinPcap. Snort is a popular NIDS that is used to audit network packets and compare those packets with the database of known attack signature and this attack signature database must be updated time by time. The paper is organized as follows. Section 2 describes the Signature Based Intrusion detection systems in some detail. In section 3 we have discuss about tools that were used in developing IDS system, such as Snort, WINPCAP and describes the SNORT and its components in detail. Section 4 describes implementation of Signature Based IDS System and describes the process of packet flow over network. Finally, conclusion and future work is presented in section 5. II. SIGNATURE BASED DETECTION A signature-based IDS analyzes the network traffic looking for patterns that match a library of known signatures. The signatures are composed by many elements that identify traffic. They usually examine the network traffic with predefined signatures and each time database is updated. Attacks follow well-defined patterns and signatures that exploit system weaknesses and application software. Since these attacks follow well-defined patterns and signatures, they are usually encoded in advance and thereafter used to match against the user behavior. It implies that misuse detection requires specific knowledge of given intrusive behavior. In a signature based detection a predetermined attack patterns in the form of signatures and these

3 signatures are further used to determine the network attacks. They usually examine the network traffic with predefined signatures and each time database is updated. An example of Signature based Intrusion Detection System is SNORT[6]. A. Advantages Signature definitions are modeled on known intrusive activity. So, the user can examine the signature database, and quickly determine which intrusive activity the misuse detection system is programmed to alert on. Misuse detection system begins protecting your network immediately upon installation. There are low false positives as long as attacks are clearly defined in advance. When an alarm fires, the user can relate this directly to a specific type of activity occurring on the network. Signature-Based Detection is easy to use. B. Disadvantages However misuse detection systems have number of weaknesses. One of the biggest problems for Signature based NIDS is how to keep up with large volume of incoming traffic when each packet needs to be compared with every signature in the database. So, processing the whole traffic is so time-consuming and will slow down the throughput of the system. Misuse detection system must have a signature defined for all of the possible attacks that an attacker may launch against your network. This leads to the necessity for frequent signature updates to keep the signature database of your misuse detection system up-to-date. Misuse detection has a well-known problem of raising alerts regardless of the outcome. For example a window worm trying to attack a Linux system, the misuse IDS will send so many alerts for unsuccessful attacks which may be hard to manage. III. TOOLS Network Security tools used for Signature based Intrusion Detection System are Snort, WinPcap, Wireshark. A. Snort Snort is a signature-based IDS that allows to monitor the status of a network. It analyzes all the network traffic looking for any type of intrusion and operated in various aspects with sniffers. Snort is an open source network intrusion prevention and detection system. It is available under GPL, is free and runs under Windows and GNU/Linux. It implements a detection engine that allows registering, warning and responding to predefined attack. ARCHITECTURE OF SNORT Snort is basically the combination of multiple components. All the component work together to find a particular attack and then take the corresponding action that is required for that particular attack. Basically it consists of following major components as shown in figure[17]: 1. Packet Decoder 2. Preprocessors 3. Detection Engine 4. Logging and Alerting System 5. Output Modules 122

4 123 Fig 1: Snort Components Packet Decoder The packet decoder captures packets from network interfaces and setup the packets to be preprocessed or to be sent to the detection engine. Preprocessors A preprocessor captures the raw packet and check them against certain plug-ins. These plugins check for a certain type of behavior from the packets. Preprocessor detects anomalies in packet headers and then generate alerts. Preprocessors are very important for any IDS to prepare data packets to be analyzed against rules in the detection engine. Hackers use different techniques to fool IDS in different ways. Detection Engine Once packets have been handled by all enabled preprocessors, they are handed off to the detection engine. The detection engine is the meat of the signature-based IDS in Snort. The detection engine takes the data that comes from the preprocessor and its plug-ins, and that data is checked through a set of rules. If the rules match the data in the packet, they are sent to the alert processor. The detection engine is the time-critical part of Snort. It may take different amounts of time to respond for different packets irrespective of how powerful our machine is and how many rule we define. The load on the detection engine depends on: Number of rules Power of the machine on which Snort is running Speed of internal bus used in the Snort machine Load on the network Logging and Alerting System Generation of alerts and logging of packets and messages are done in this system. According to what a detection engine find in a packet, packet is used to log activity or generate alert. Logs are kept in simple text files or tcp-dump style files. The location of logs and alerts can be modified using l command in the command prompt. Output Modules Output module saves the output generated by the logging and alerting system of Snort. Depending on the configuration, functions of output modules are following: Simply logging to /var/log/snort/alerts file or some other file Sending SNMP traps Sending messages to syslog facility Logging to a database like MySQL or Oracle. Generating extensible Markup Language (XML) output Modifying configuration on routers and firewalls. Sending Server Message Block (SMB) messages to Microsoft Windows-based machines B. WinPcap WinPcap is an open source library for packet capture and network analysis for the Win32 platforms[16]. It provides facilities to: capture raw packets, both the ones destined to the machine where it's running and the ones exchanged by other hosts (on shared media)

5 Filter the packets according to userspecified rules before dispatching them to the application. Transmit raw packets to the network. Gather statistical information on the network traffic. IV. IMPLEMENTATION DETAILS To implement signature-based NIDS; we need to install the tools, such as Snort, WinPcap, Wireshark. Snort is an open source network intrusion detection and prevention system. However, it is a strong Intrusion Detection System; the problem is that snort system is not familiar with Windows Operating System. In this paper, Signature-based Network Intrusion Detection System has been implemented and configured with windows-based environment. A. Working of Snort Snort operated in three modes: 1. Packet Sniffer In sniffer mode, snort acts like the commonly used program tcpdump. It can capture and display packets from the network with different levels of details on the console. # snort -d -e v -v Put Snort in packet-sniffing mode (TCP headers only) -d Include all network layer headers (TCP, UDP, and ICMP) -e Include the data link layer headers Fig 2: Snapshot of Sniffer Mode 2. Packet Logger Snort has built-in packet-logging mechanisms that we can use to collect the data as a file, sort it into directories, or store the data as a binary file. # snort -dev -l {logging-directory} -h {home-subnet-slash-notation} If we wanted to log the data into the directory /var/adm/snort/logs with the home subnet /24, you would use the following: # snort -dev -l /var/adm/snort/logs -h /24 The binary format makes packet collection much faster for Snort, because Snort doesn't have to translate the data into human- readable format immediately. # snort -b -L {log-file} for reading the log file # snort [-d e] -r {log-file} [tcp udp icmp] 3. Network Intrusion Detection 124

6 In intrusion detection mode(nids), Snort does not log the captured packet, instead it applies rule on the packet. If the packet matches a rule, only then it is logged or an alert is generated, otherwise packet is dropped. #snort c /opt/snort/etc/snort.conf starts Snort in NIDS mode The following command will display logged data on the console screen. written, using WinPcap, to be able to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that WinPcap use can be read by applications that understand that format, such as tcpdump, Wireshark. The working snapshot of Wireshark has been shown below: #snort dev l /var/log/snort c /etc/snort/snort.conf Fig 4: Snapshot of packet capturing using Wireshark 125 Fig 3: Snapshot of NIDS mode B. Winpcap Winpcap provide the packet-capture and filtering engines of many open source and commercial network tools including protocol analyzers (packet sniffers), network monitors, network intrusion detection systems, traffic-generators and network-testers. It also supports saving captured packets to a file, and reading files containing saved packets; applications can be As soon as we start the internet, the host systems on which we access this module start capturing the packets. It shows the source and destination address of the packet, protocol, information of the packet and so on. We are able to see the details of the packet i.e. the header field and the payload, by selecting any packet. The header part consists of source and destination IP address, protocol, time to live field, version of a protocol, header length and various type of services and the total length field. The data of the header field is shown in the decimal form whereas the data of the payload is display in the hexadecimal form.

7 V. CONCLUSION AND FUTURE WORK Security is a big issue for all networks in today's enterprise environment. This paper discusses Intrusion Detection Systems and Prevention systems using SNORT tool which is capable of performing real-time traffic analysis and packet logging. The paper shows that it is possible to configure snort IDS with Windows and it can be configured as a firewall. We have studied and observed the attacks on different ports like TCP, UDP etc. and alert the administrator about the illegal activities by the intruder in home network. Snort can detect and analyze the intrusion in real time network traffic. Once the Snort will identify any intrusion then it will send alert to security person and security person will take required action immediately. The future work is to develop a network intrusion detection system which can integrate Signaturebased system with Anomaly-based detection system in order to improve the detection rate of new malicious packet and hence reduce excessive false alarm rate. References [1] D. E. Denning. An Intrusion-Detection Model. IEEE transactions on software engineering, Volume: 13 Issue: 2, February [2] Guan Xin and Li Yun-jie, A new Intrusion Prevention Attack System Model based on Immune Principle, International Conference on e-business and Information System Security (EBISS), in IEEE, pp. 1-4, [3] Hwang,K., Cai,M., Chen,Y and Qin,M., Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes, IEEE Transactions on Dependable Computing, Volume: 4 Issue: 1, pp , [4] J.P. Anderson, Computer security technology planning study. Technical Report, ESDTR-73-51, United States Air Force, Electronic Systems Division, October [5] J.P. Anderson, Computer Security Threat Monitoring and Surveillance. Technical Report, James P. Anderson Company, Fort Washington, Pennsylvania, April [6] Kumar.V, Sangwan.O.P.: Signature Based Intrusion Detection System Using SNORT, International Journal of Computer Applications & Information Technology (ISSN: ) Vol. I, Issue III, November 2012 [7] Kurundkar.G.D., Naik N.A, Dr.Khamitkar S.D.: Network Intrusion Detection using SNORT, International Journal of Engineering Research and Applications (IJERA) ISSN: Vol. 2, Issue 2,Mar-Apr 2012 [8] Shah.S.N, Singh.P.: Signature-Based Network Intrusion Detection System Using SNORT And WINPCAP, International Journal of Engineering Research & Technology (IJERT) ISSN: Vol. 1 Issue 10, December [9] Vinod Kumar, Vinay Pathak, Dr. Om Prakash Sangwan, Evaluation of Buffer Overflow and NIDPS, International Journal on Computer Science and Emerging Trends (IJCSET), August issue, [10] Basic Analysis and Security Engine (BASE) project (2012). Available: [11] HowtoForge (2012), Installation manual of Snort, available: snort_base_postgresql_ubuntu6.06. [12] Jay Beale(2007), Snort: IDS and IPS Toolkit, available: IDS-and-IPS-Toolkit-Jay-Beale-s-Open-Source- Security-Repost-_ html. 126

8 [13] Martin Roesch (2009), Snort User Manual 2.8.5,available: /125/snort_manual-2_8_5_1.pdf. [14] MIT Lincon Laboratory (1999), 1999 DARPA Intrusion Detection Evaluation Data Set, available: /communications/ist/corpora/ideval/data/1999da ta.html. [15] Tcpreplay Pcap editing & replay tools for *NIX(2010). Available: [16] Winpcap(2010), The industry-standard windows packet capture library, Available: [17] Rafeeq A. (2003). Intrusion Detection Systems with Snort advance IDS technique Using Snort, Apache, MySQL, PHP, and ACID. Publication Pearson Education. Upper Saddle River, New Jersey. 127