maintenance permeate all facets of business and, therefore, have led to an increase in the
development of strategic ways to mount malicious attacks on both public and personal
malevolent activities and attacks on computer systems and networks have evolved quickly in recent years. Intrusion Detection Systems (IDS) have become a critical means
intrusions before systems can be affected by malicious actions. They accomplish this by
system. While IDS tools have become prevalent in today’s market, they are still not
The intention of this project was to investigate selected existing network intrusion detection tools and techniques, and to review the strategies which they employ. The selected freeware tools, Snort and Sax2, were tested to analyze their behavior when
TABLE OF CONTENTS
Abstract............................................................................................................................... ii
List of Figures.................................................................................................................... vi
1. Introduction .................................................................................................................. 1
1.8 Some of the Important Definitions to Understand This Paper .............................. 16
3. Research ................................................................................................................... 30
3.2.2.3 Bro-IDS ............................................................................................ 57
6. Conclusion.....................................................................................................................74
Acknowledgement.............................................................................................................75
LIST OF FIGURES
Figure 3.13 Firestorm Analyst console – displaying packets....................................... 50
LIST OF TABLES
Table 1.1 A Glance at Various Attacks During the Years 2004-2008 ........................... 5
Table 3.3 Summary of comparison among Snort, Sax2, Firestorm, Strata Guard and Bro ............... 61
1. INTRODUCTION
become a topic of great importance for research. Threats against private and public networks are mounting daily, thereby increasing the need for Intrusion Detection Systems (IDS) on network systems throughout the corporate world. IDS serve as a means of
network.
each and every packet traveling through a given network in an effort to detect intrusions. This monitoring process provides better security than a mere firewall could. IDS handle
network and have proven to be a viable measure for securing the information management of organizations. IDS afford valuable support for diagnosing and reviewing security threats.
IDS come in different types based upon their function. Software developers around the world are continuously revising their programs to keep up with the evolving efforts of intrusion creators. The purpose of this research is to put some existing IDS tools, available in today’s market, to the test and ultimately determine their efficacy as well as their ease of use. The paragraphs that follow define and describe different types of intrusions and introduce IDS.
1.1 Intrusion
Merriam-Webster Online Search dictionary defines the term ‘intrude’ as the act of
network terms, intrusion is defined as an event which breaks into a particular system or network without authorization. While the application differs, from a physical intrusion into a place or situation to an electronic intrusion into a digital environment, the significance is the same. The following is a conceptual definition of intrusion: “Any set of
[UCR 2008]. Broken down semantically, these are the data properties affected by a system intrusion.
unauthorized persons
information assurance secured system and together they are referred to by the acronym
CIA. If any or all three properties are compromised, it implies that the security of the
Intrusions can take on many forms. The most common forms are engineered
viruses or worms and password theft. More sophisticated forms can occur during a file
transfer session that does not use encryption, commonly known as “hijacked terminal”.
Intrusions are qualified as any kind of unauthorized access to information by insiders and
outsiders.
service (DoS) attack, User to Root Attacks (U2R) and Remote to User Attack (R2L).
The evasion attack is planned with prior knowledge about the IDS in place. The
intruder studies attack signatures upon which the IDS will alarm and thus tries to evade
The insertion intruder behaves intelligently. Generally, an IDS accepts packets that are rejected by an end-system. “IDS that does this, makes the mistake of believing that the end-system has accepted and processed the packet when it actually hasn't” [Ptacek 1998]. The intruder then exploits this situation by sending packets to an end-system that will reject them, while the IDS presumes that they are valid. This means that the intruder accomplishes the attack by inserting data into the IDS [Ptacek 1998].
The port scanning intruder scans the ports on a network to see which are open, so that they can break into it. “A Port scan is like ringing the doorbell to see whether someone's at home” [AMP 2008]. This is done by sending a message to all ports in the network. By doing this, the intruder learns which ports are busy or already in use and which are free. The intruder then probes the network further to find a weakness, and once found the
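As an added example (not part of this thesis or of any tool it evaluates), the following Python sketch shows how a defender can detect the doorbell-ringing pattern just described: a source that touches many distinct ports on one host inside a short time window. The log format, threshold, window and addresses are constructed for the example.

```python
"""Threshold-based port-scan detector over constructed connection-log lines.

Added example for this section, not code from any tool the thesis discusses.
One log line is constructed as "<ISO time> <src_ip> -> <dst_ip>:<dst_port> <tcp flags>".
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one ordinary client (192.0.2.10) and one source
# (203.0.113.7) that rings every doorbell on 198.51.100.5 within a few seconds.
SAMPLE_LOG = """\
2008-11-03T10:00:00 192.0.2.10 -> 198.51.100.5:80 S
2008-11-03T10:00:01 192.0.2.10 -> 198.51.100.5:443 S
2008-11-03T10:00:02 192.0.2.10 -> 198.51.100.5:80 S
2008-11-03T10:00:05 203.0.113.7 -> 198.51.100.5:21 S
2008-11-03T10:00:05 203.0.113.7 -> 198.51.100.5:22 S
2008-11-03T10:00:06 203.0.113.7 -> 198.51.100.5:23 S
2008-11-03T10:00:06 203.0.113.7 -> 198.51.100.5:25 S
2008-11-03T10:00:07 203.0.113.7 -> 198.51.100.5:80 S
2008-11-03T10:00:07 203.0.113.7 -> 198.51.100.5:110 S
2008-11-03T10:00:08 203.0.113.7 -> 198.51.100.5:143 S
2008-11-03T10:00:08 203.0.113.7 -> 198.51.100.5:443 S
2008-11-03T10:00:09 203.0.113.7 -> 198.51.100.5:3306 S
2008-11-03T10:00:09 203.0.113.7 -> 198.51.100.5:8080 S
2008-11-03T10:02:00 192.0.2.10 -> 198.51.100.5:22 S
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dst_port)."""
    ts, src, _arrow, dst_port, _flags = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_port_scans(log_text, threshold=8, window_seconds=60):
    """Flag each (src, dst) pair that contacts >= threshold distinct ports within the window.

    A deque per pair holds the (time, port) events inside the sliding window;
    the alert fires once, at the moment the distinct-port count reaches the threshold.
    """
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        key = (src, dst)
        window = windows[key]
        window.append((ts, port))
        # Expire events older than the window (the newest event always stays).
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct_ports = sorted({p for _, p in window})
        if len(distinct_ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": src,
                "dst": dst,
                "ports": distinct_ports,
                "first_seen": window[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print("port scan: %(src)s -> %(dst)s, ports %(ports)s, "
              "%(first_seen)s..%(last_seen)s" % alert)
```

The client that reconnects two minutes later is not flagged even with a low threshold, because its earlier connections have expired from the window.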
A Denial of service (DoS) attack makes system resources unavailable to their legitimate (authorized) users. For example, blocking access to email, specific sites, and
User to Root Attacks (U2R) involve a local user (intruder) trying to gain unauthorized root access to a central machine by exploiting user vulnerabilities [Chou 2007].
Remote to User Attacks (R2L) involve an intruder gaining unauthorized local access from a remote machine by exploiting the machine’s vulnerabilities [Chou 2007].
titled “Computer Crime and Security Survey”, in which information was gathered from data security professionals throughout the United States. The goal of the survey is to increase security awareness as well as to “help determine the scope of computer crime in the U.S” [Richardson 2008]. According to the CSI survey, 47% of the 250 polled had experienced at least one incident, with the highest number of incidents reaching 5. Figure 1.1 shows a gradual decrease in the number of security intrusion victims who experienced 6-10 incidents during the years from 2004 to 2007. In 2008, the number increased slightly but is still better than in past years. Based on the graph below, 13% of those polled
professionals. The survey shows a gradual decrease in the number of victims per attack during the past years. Table 1.1 shows that many victims encountered virus and insider
Table 1.1 A glance at various attacks during the years 2004-2008 [Richardson 2008]
security tools available on the market. The tools listed in Table 1.2 were developed to
means of security, and therefore the table indicates that they have the highest percentage of usage among the tools. Though IDS are efficient network security tools, they are not widely used because of their cost. The data obtained in the survey demonstrate that users want to be safe from intrusions rather than identify them and be responsible for protecting against individual attacks. Since firewalls provide basic security, such as blocking threatening IP addresses, they are used more commonly than IDS tools.
This survey reflects the fact that, compared to previous years, 2008 saw improvement in blocking intrusions. This is evidence that the innovative solutions introduced into the corporate market are more successful at
network administrator of any attempts to compromise a system. There are many technical
definitions for IDS in computer network terms. The following is a breakdown of the
“An IDS gathers and analyzes information from various areas within a computer
(attacks from outside the organization) and misuse (attacks from within the
Intrusion Detection System is any system or set of systems that has the ability to
An intrusion detection system inspects all inbound and outbound network activity
and determines distrustful patterns that may be a sign of a network attack from
Every definition listed above is based on the premise that IDS could be either
attempting to compromise its security. IDS identify many types of vulnerabilities, present
1.3 Firewall
A firewall can be defined as the first line of defense for a network, with the key purpose of securing the network from unauthorized access. A firewall can be either a software program or a hardware device, placed on a network, which acts as a guard for all inbound and outbound traffic on that network. Users can allow or block certain traffic by establishing rules on their private network. Based on the type of firewall installed on the network, users can block access to certain domain names or IP addresses and can restrict certain traffic by blocking the TCP/IP ports they use
Firewalls use four mechanisms to restrict traffic. These mechanisms are
1.3.1 Packet Filtering
A packet filter evaluates source and destination IP addresses and their port numbers. This is the criterion used to block or allow access by certain IP addresses [QED 2005].
A circuit-level gateway blocks all inbound traffic. “The client machines run
software to allow them to establish a connection with the circuit-level gateway machine.
To the outside world, it appears that all communication from the internal network is
This proxy server is used to boost the performance of a network. A proxy server hides the internal IP addresses on a network. Therefore, to the outside world, it appears as if all
This is another form of a proxy server. To the outside world, it appears that all
between the client and the application gateway. The application gateway decides whether
Firewalls have been regarded as the vital solution for preventing network intrusions, but they do not provide the capability to detect or respond to intrusion attempts. IDS, on the other hand, provide continual real-time monitoring of a host or a network with an
Network security is the primary purpose for the existence of both firewalls and IDS; however, their functions differ. Firewalls look at the traffic coming from outside and react according to their rules to decide whether to accept or block the communication, so that they prevent intrusions. IDS, on the other hand, detect intrusions initiated from inside the network and come into action after the suspected intrusion has taken place on the network [Wiki 2008]. IDS detect and warn the users about the intrusion, whereas firewalls just block the attack without a warning, according to the predefined rules written into them.
monitoring the traffic on the network. Firewalls implement the policies programmed and contained in their configuration, and log any events that demonstrate policy violations, with as much information and detail as possible, by guarding the borders of the network.
Having both an IDS and a firewall on a network provides better security, considering their particular functions and their advantages. Systems containing both an IDS that warns the administrator of intrusions and a firewall that blocks the attacks provide a more secure network environment. Some firewalls and IDS are joined into a single internet security program, for example Norton Internet Security. This is a very well
IDS have existed for approximately 20 years. The notion of intrusion detection was introduced in 1980 with James Anderson's paper, titled “Computer Security Threat Monitoring and Surveillance” (which was written for a government organization) [Sommer 2006]. After the release of this paper, ‘detecting misuse’ gained focus, and auditing data and its advantages achieved much progress. Since then, IDS have advanced and recently have gained great popularity in computer network
In the early 1990s, the commercial development of IDS technology began and
IDS tools were developed. The first commercial vendor of IDS tools was Haystack Labs.
Later other tools were designed to monitor traffic and report misuse.
IDS have become a part of every major company and organization’s security system. They reduce the risk of intrusions and prevent serious malicious attempts at attacking by alerting the system’s administrators. IDS have the capability of detecting preambles to malicious attacks by intruders, and through this process they help the
In order to enhance IDS performance, IDS have a key capability to assign different priorities to different logs for distinct malicious attacks. This is called ‘prioritization’. For the security system of an organization, IDS serve as a quality control mechanism providing diagnosis, causes and details about different aspects of the security
system. “IDS can detect when an attacker has penetrated a system by exploiting an
protection, by bringing the fact that the system has been attacked to the attention of the
administrators who can control and recover any damage that results. IDS verify, itemize,
and characterize the threat from both outside and inside your organization’s network,
assisting user in making sound decisions regarding your allocation of computer security
resources” [CD 2001]. In a system without IDS, the adversaries are free to examine the
Figure 1.3 describes the simple process model for IDS. This block diagram
IDS function in three phases. First, they capture the data passing into and out of a network. Then they analyze the data’s behavior to determine whether it is malicious. If the data is found to be malicious, they respond, for example by blocking the data to protect against future damage.
There are ‘signature-based IDS vs. anomaly-based IDS’, ‘misuse detection vs. anomaly detection’, and ‘passive system vs. reactive system’ [JC 2007]. IDS can be deployed in two forms: network-based IDS and host-based IDS. Host-based IDS protect the system through auditing and event logs. Network-based IDS
There are two popular types of IDS, as mentioned above, and they are
HIDS is a software product that resides on a specific machine, called the host, and does its job by protecting the entire system and disclosing whether the system has been compromised. It monitors the file system integrity, system registry state and system logs of the host machine to find evidence of suspicious activity, if any. If any user attempts to access authorized content on the host in a shared network, HIDS identifies and collects the relevant data as quickly as possible [Innella 2006]. HIDS only look for intrusions on the
Snort, Dragon Squire, Tripwire, AIDE, Emerald eXpert-BSM, etc., are some
1.6.2 Network-based IDS (NIDS)
Detecting intrusions: HIDS is good at insider detection and bad at outsider detection; NIDS is good at outsider detection and bad at insider detection.
Preventing intrusions: HIDS is good at prevention for insiders; NIDS is good at prevention for outsiders.
Response to attacks: HIDS has a weak real-time response but is good for long-term attacks; NIDS has a strong response against outsiders.
Damage assessment: HIDS is excellent for determining the extent of compromise; NIDS has very weak damage-assessment capabilities.
1.7 PROS and CONS of IDS
Like everything, IDS tools have their pros and cons. But it can be said for sure that IDS address network security more than a firewall does.
harm – by automatic or manual intervention. IDS discover new attack patterns and watch application logs and user actions. Then they block the attacks aimed against an
Even though IDS are capable of identifying encrypted data and activities, they are not 100% secure. This is one of the major arguments going on about IDS. But future IDS products can play a great and central role in network security. Another issue with using IDS, if they get compromised, is that the data collected by these systems may itself have been compromised before the attack was discovered or investigated. A further issue is that IDS log files will not distinguish between legitimate and unwanted traffic.
There are still many products which are not able to cope with massive traffic and with processing packets on high-speed, high-bandwidth connections. The performance of IDS logs is limited in auditing events because of massive traffic. Though IDS inspect each packet on a network, they give alerts after the attack has been
Network security managers have to procure and assimilate point solutions
coverage’. Signature-based IDS need regular updating of their signature
IDS log files might fail to identify the hackers and might have been tampered with or altered. A major argument now going on about IDS is that they generate too many false alarms. IDS attend only to the detection of attacks and attempts; they cannot provide prevention, which would make them a more efficient tool. IDS are also used as evidence in the prosecution of cyber crimes. An IDS is also important in computer networks as a network element. This is achieved by having an SNMP agent in the network. Many
SNMP TRAP
management system.
ACL (Access Control List)
states who and what is allowed to access the object, and also indicates
Packet defragmentation
When a large amount of data is sent to a host, the packet is usually fragmented into multiple packets.
2. NETWORK INTRUSION DETECTION SYSTEM
The IDS concept has been around for nearly 20 years. It has become more popular recently and has begun to be incorporated into the information security infrastructure. Figure 2.1
The notion of IDS was introduced in 1980, with James Anderson's paper ‘Computer Security Threat Monitoring and Surveillance’, which was written for a government organization. With the publishing of this paper, the concept of "detecting" misuse and specific user events emerged. This work was the beginning of host-based
Three years later, in 1983, SRI International and Dr. Dorothy Denning worked
development with the goal of analyzing audit trails from government mainframe computers
and creating user profiles based upon their activities. One year later, in 1984, Dr. Denning made efforts to develop the first model for IDS, known as the Intrusion Detection Expert System (IDES), providing the foundation for IDS technology development [Innella 2001].
version of IDS at this laboratory for the US Air Force in 1988. The goal of this project
developers from the Haystack project. It released Stalker, the last generation of the
capabilities to manually and automatically query the audit data [Innella 2001]".
Todd Heberlein. Heberlein developed the Network Security Monitor (NSM), the first network intrusion detection system. The first notion of hybrid intrusion detection was introduced by Heberlein along with the Haystack team. These discoveries brought a great revolution in IDS to the commercial world. Haystack Labs was the first commercial
company, the Wheel Group, and released its first commercially viable network intrusion
Around 1997, IDS began gaining popularity in the market. ISS developed a network-based IDS called RealSecure. In 1998, Cisco acquired the Wheel Group.
Since 1999, IDS has boomed. Currently, IDS is the best-selling security tool on the market, as per the market statistics. IDS tools have been evolving with automated
for suspicious activities which could be attacks, such as unauthorized access, virus or intrusion. In addition to network traffic monitoring, NIDS checks system files for unauthorized events in order to maintain file, and thus data, integrity. It is also capable of detecting changes in core components of the server and scans server logs [RTEinc 2008].
placing the network interface card (NIC) in promiscuous mode in order to capture all network traffic that crosses its network segment. Network traffic on other segments and traffic on other means of communication (like phone lines) cannot be monitored, which is a disadvantage of NIDS. Here the network segment means that particular server,
There are four major points which illustrate the need for NIDS. Those points are threat assessment and analysis, asset identification, valuation, vulnerability analysis and risk evaluation.
Threat assessment and analysis plays a major role by providing an estimate of the types of intrusion, which helps in defining rules when deploying an NIDS on a network. The most popular threats currently known are outsider attacks from the network and telephone, insider attacks from the local network and local machine, and attacks from malicious code. A firewall operates the way its user instructs it to function. A firewall can fail to block an outsider attack from the network, malicious code and an insider attack from a machine on the same network, which is a local machine. NIDS might detect such attacks. It even has predefined rules set up within it which operate as a firewall; the knowledge base
Asset identification results in protecting sensitive data. For example, the Office of Admission and Records in an educational institution possesses all the sensitive data pertinent to students, such as a student’s social security number. This data must be given high priority when it comes to security. Educational institutions should identify the machines dealing with such data and implement NIDS at major locations. NIDS should
to it.
assessment tools are available on the market, including network-based, phone line and
scanning to check for missing patches, open ports and any other security holes [Northcutt 2002].
The above discussion recommends that organizations utilize NIDS to protect their networks from intrusion. The following section describes the mechanisms used by NIDS to
NIDS monitors packets coming into the network and determines whether an intruder is cracking into a system, as on a system watching for a large number of TCP
anyone is trying a TCP port scan. For many people, it can be confusing where on the network to place NIDS. It can be placed either on the target system, which monitors its traffic, or on a separate machine within the network (hub, router, or probe), which
between the internal and external network. If more than two systems are connected on the administrative side of the IDS, then it is said to be an internal network. The external network means that the non-administrative side of the IDS is a public network. IDS are comprised of
a console on which to monitor activities and alerts and control the sensors, and
a central device that files activities logged by the sensors in a database, then
Figure 2.2 demonstrates the above description.
contains decision-making mechanisms about intrusions. Sensors obtain raw data from information sources in the IDS knowledge base: syslog and audit trails. Figure 2.3 clearly shows how sensors work in IDS. For example, syslog includes the configuration of file systems, user authorizations, etc. This data thus creates the foundation for a decision-making process. Figure 2.2 depicts that the sensor is integrated with another component responsible for data collection, known as an event generator. The event generator creates a policy for a set of events that may be a log or audit of system events.
A sensor filters data, ignoring any irrelevant data obtained, to detect suspicious activities. To achieve this, the analyzer uses the detection policy database. The sensor maintains its own database, which contains the dynamic history of possible intrusions.
Figure 2.3 A sample IDS. The arrow width is proportional to the amount of
Following are the primary methods used by NIDS to report and block intrusions
[Larrieu 2003]:
NIDS sends a command to a third party device, such as a packet filter or firewall,
reconfiguration is possible by sending data explaining the alert in the packet header.
This is achieved by sending an alert with details on the data involved in the form
Sending an email to one or more users
severe intrusion.
In this method, IDS saves the details of the alert in a central database, including
information such as the timestamp, IP address of the intruder, IP address of the target, the
Opening an application
The actions include sending an SMS text message, or playing a sound to indicate an alert.
Each system has its own advantages and disadvantages. Host-based IDS is
preferred for a complete system security solution and Network-based IDS is desirable for
a LAN (Local Area Network) solution. The following table summarizes the comparison between host-based and network-based IDS. The left column describes the function to be performed on the network and the right column describes the behavior of HIDS and NIDS
Protection off LAN: Only HIDS protects the network off the LAN.
Ease of administration: The admin of NIDS and HIDS is equal from a central admin perspective.
Price: HIDS are more affordable systems if the right product is chosen.
Ease of implementation: Both NIDS and HIDS are equal from a central control perspective.
Little training required: HIDS requires less training than NIDS.
Total cost of ownership: HIDS costs less to own in the long run.
Bandwidth requirements (LAN): NIDS uses up LAN bandwidth. HIDS does not.
Network overhead: The NIDS has double the total network bandwidth requirements from any LAN.
Bandwidth requirements (internet): Both IDS need internet bandwidth to keep the pattern files current.
Spanning port switching requirements: NIDS requires that port spanning be enabled to ensure that LAN traffic is scanned.
Update frequency to clients: HIDS updates all of the clients with a central pattern file.
Cross platform compatibility: NIDS are more adaptable to cross platform environments.
Logging: Both systems have logging functionality.
Local machine registry scans: Only HIDS can do these types of scans.
Upgrade potential: It is easier to upgrade software than hardware. HIDS can be upgraded through a centralized script. NIDS is typically flashed onto the flash memory and has low overhead.
Alarm functions: Both systems alert the individual and the administrator.
Disable risk factor: NIDS failure rate is much higher than HIDS failure rate. NIDS has one point of failure.
This phase deals with the study of IDS tools and comparing their features.
There are two key approaches for analyzing the events to detect attacks. Based on
systems use this technique. Anomaly detection analysis checks for irregular patterns of activity. As with everything, each IDS approach has strengths and weaknesses associated with it, and it appears that the most effective IDS largely employ misuse detection
methods with a few anomaly detection components. More details about these approaches
Misuse Detection
In this practice, detectors study the system’s activity, collect the necessary information and keep it in audit logs. Then the IDS looks for events that match a
reason that misuse detection is sometimes called signature-based detection. Misuse detection identifies each pattern of events related to an attack as a separate signature. This category has advantages, such as being very successful at detecting attacks without generating a great number of false alarms, and being able to diagnose the use of a specific attack technique in a very fast and reliable way. It also has disadvantages: such systems are able to detect only those attacks they know about, so they must be updated frequently with
Anomaly Detection
anomalies. They function on the theory that attacks are different from normal activity and can therefore be detected by systems which identify these differences. Anomaly detectors
These profiles are built from data collected over a period of normal operation. The detectors then collect event data and apply a variety of measures to determine when
Figure 2.4 Comparison of Knowledge-Based and Behavior-Based IDS [Chou 2007]
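As an added example (not from this thesis or from any of the tools it evaluates), the following Python code places the two approaches side by side on constructed events: a signature list that flags only known patterns, and a request-rate profile built from a period of normal operation that flags deviations, including a burst the signatures know nothing about. The signature strings, traffic counts and addresses are constructed for the example.

```python
"""Misuse (signature) detection beside anomaly (profile) detection.

Added example, not code from the thesis or from Snort/Sax2. Events are
constructed dicts {"minute": int, "src": ip, "payload": request line}; the
per-minute training counts stand in for data collected during normal operation.
"""
import statistics
from collections import Counter

# Misuse detection: each known attack pattern is a separate signature.
SIGNATURES = {
    "sig-001 directory traversal": "../",
    "sig-002 sql injection probe": "' OR '1'='1",
}


def misuse_detect(event):
    """Return the names of signatures whose pattern occurs in the event payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in event["payload"]]


class RateProfile:
    """Anomaly detection: a profile of requests per minute learned from normal operation."""

    def __init__(self, training_counts, k=3.0):
        self.mean = statistics.mean(training_counts)
        self.stdev = statistics.pstdev(training_counts)
        self.k = k

    def is_anomalous(self, count):
        # A deviation of more than k standard deviations from the learned mean is
        # flagged, whether the rate is unusually high (flood) or unusually low (outage).
        return abs(count - self.mean) > self.k * max(self.stdev, 1e-9)


def analyze(events, profile):
    """Run both detectors; misuse alerts are per event, anomaly alerts are per minute."""
    signature_alerts = [(e["minute"], e["src"], sig)
                        for e in events for sig in misuse_detect(e)]
    per_minute = Counter(e["minute"] for e in events)
    anomaly_alerts = [(m, n) for m, n in sorted(per_minute.items()) if profile.is_anomalous(n)]
    return {"signature": signature_alerts, "anomaly": anomaly_alerts}


# Constructed training data: requests per minute over eight quiet minutes.
TRAINING_COUNTS = [10, 12, 11, 9, 13, 10, 11, 12]


def build_sample_events():
    """Constructed traffic: a quiet minute, a minute with one known attack string,
    and a minute where one source sends a burst of requests that no signature matches."""
    events = []
    for i in range(11):
        events.append({"minute": 0, "src": "192.0.2.%d" % (i + 1), "payload": "GET /index.html"})
    for i in range(10):
        events.append({"minute": 1, "src": "192.0.2.%d" % (i + 1), "payload": "GET /news.html"})
    events.append({"minute": 1, "src": "203.0.113.9", "payload": "GET /images/../../config"})
    for _ in range(40):
        events.append({"minute": 2, "src": "203.0.113.7", "payload": "GET /index.html"})
    return events


if __name__ == "__main__":
    result = analyze(build_sample_events(), RateProfile(TRAINING_COUNTS))
    for minute, src, sig in result["signature"]:
        print("minute %d: %s matched %s" % (minute, src, sig))
    for minute, count in result["anomaly"]:
        print("minute %d: %d requests is outside the normal profile" % (minute, count))
```

Minute 1 carries the known attack and is caught only by the signature; minute 2 carries the burst of unremarkable requests and is caught only by the profile, which is the complementarity the text describes.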
3. RESEARCH
As networks are generally connected 24 hours a day, the potential for attack is continual. Attacks mostly occur in the late hours of the night, relative to the location of the server [MCP 2008].
Depending on the cost and the availability of the tools, the operating systems used by intruders vary. Macintosh is the least preferred platform for an intruder, as there are not enough tools available for MacOS, and whatever tools are available have great trouble with the network ports. Linux has become the most frequent platform used by intruders, as it is available at low cost. A Linux book costs around $40 including a CD-ROM. The majority of good tools can be easily ported to the UNIX platform as they are mostly written
In the early days of the internet, most intruders were youngsters who had very limited access to the internet. The one place where they could easily access the internet was universities, which influenced the origin and timing of attacks. Today’s intruders have become more serious; they can break into a network from their home or office. These serious intruders use AOL as their provider rather than the American Online, Prodigy or Microsoft networks. The reason intruders avoid these providers is that they
roll over intruders to the authorities. One simple reason why big providers are easy for intruders to utilize is that they allow spammers onto their internet with largely unwanted
Most intruders are able to do any three of the following [MCP 2008]:
There are several reasons for an intruder to attack a network. Listed below are a few of
(Profit)
Some people actually just want to know how this works or to explore new things (Curiosity)
The following section deals with four popular network attack types. These four types of attacks together comprise solid evaluation criteria to test the performance of IDS. They are probing, Denial of Service, User to remote access and local to remote access.
3.1.5 Attacks
This section explains some examples of attacks. Explained below are the complex attacks IDS may detect. In recent years, a large number of victims have suffered these attacks. Table 3.1 displays popular attacks from the following attack categories.
Probing
These attacks are the most commonly known and they require very little
DoS is a class of attacks whereby an intruder renders a resource too busy to handle legitimate requests by placing some workload on it, resulting in legitimate users being denied access to a machine. There are several procedures to launch DoS attacks, some of them by:
This class of attacks is categorized based on the services that an intruder makes the
Definition for Denial of service (DoS) Attack
Denial of Service attack. For example, blocking access to email, specific sites, and other
denial-of-service attack. There may be many reasons, like a technical problem with a
whether a DoS attack is taking place or not, here are some symptoms which may indicate
Unfortunately, there are no absolute means to avoid being the victim of a DoS attack. But there are some precautions to reduce the chances that an intruder will be able to attack computers:
Following good security measures for distributing users’ email addresses, and reducing spam by applying spam filters, will help to some extent in managing unwanted traffic
with access to a normal user account on the system and exploits a vulnerability in order to obtain root access to the machine. The most common exploits here are regular buffer
machine’s vulnerabilities to gain unauthorized local access as a user. There are several
3.2 Research on freeware NIDS
can easily be deployed on almost any node of a network, with minimal disruption to
signature- and anomaly-based detection. Many researchers agree that Snort is the best IDS available. With millions of downloads to date, Snort is the most widely deployed intrusion detection system worldwide and has become the de facto standard for the industry [Snort 2008]. Many IDS use Snort’s rules in them, and act as front-ends with
In 2003, 500,000 networks had Snort sensors, and in November 2003 the Snort website reported that 70,000 users had downloaded Snort-IDS [QOD 2004]. The
scrubber, inline firewall, etc. It has a huge user base that updates signatures all the time, and is open source, so if a user ever needs to edit the code for a specific reason the code is
protocol analysis, and logs full packets, among many others. Snort can be used in three
Packet logger
Snort Architecture
Packet Decoder
Preprocessors
Detection Engine
Output Modules
Packet Decoder
The packet decoder takes packets from the network interfaces, prepares them for the
preprocessors, and then passes them on toward the detection engine. Interfaces include Ethernet,
Figure 3.2 Packet Capture in real-time Using Ethereal. Ethereal is a GUI-based
Preprocessors
Preprocessors are plug-ins that rearrange or normalize packets before the detection engine
sees them. They may also identify intrusions on their own by examining packet headers and
generating alerts. The preprocessor is a vital component, among
[Rehman 2003]. It performs IP defragmentation, HTTP URI decoding, TCP stream
reassembly, etc.
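Why stream reassembly matters to the detection engine that follows, as an added example (this is not Snort's stream preprocessor, only an illustration written for this page): an attacker splits a string that a rule looks for across several TCP segments and sends them out of order, so no single packet contains it. The segments below are constructed; the overlap policy (first copy wins) and the fixed initial sequence number are assumptions of the example.

```python
"""Stream reassembly as a preprocessor step.  Added example for this page; it is
not Snort's stream preprocessor, only a minimal illustration of why one is needed.
The segments below are constructed, not captured."""

SIGNATURE = b"/bin/sh"          # content a rule might look for in the payload

def reassemble(segments, isn):
    """Rebuild one direction of a TCP stream from (seq, payload) segments that
    may arrive out of order or overlap.  `isn` is the initial sequence number,
    so payload starts at isn + 1.  Bytes are kept at the first position seen
    (first-copy-wins); a real preprocessor must use the same overlap policy as
    the protected host, otherwise an attacker can feed the IDS one version of
    the stream and the host another.  Sequence-number wraparound is ignored.
    Returns the contiguous bytes up to the first gap."""
    bytes_at = {}
    for seq, data in segments:
        for offset, value in enumerate(data):
            bytes_at.setdefault(seq + offset, value)
    stream = bytearray()
    pos = isn + 1
    while pos in bytes_at:
        stream.append(bytes_at[pos])
        pos += 1
    return bytes(stream)

def per_packet_match(segments, signature=SIGNATURE):
    """What a single-packet detection engine sees: each payload on its own."""
    return any(signature in data for _, data in segments)

def stream_match(segments, isn, signature=SIGNATURE):
    """What the detection engine sees after the preprocessor reassembled the flow."""
    return signature in reassemble(segments, isn)

# Constructed flow: the attacker splits the string across three segments and
# sends them out of order, so no single packet carries the whole signature.
ISN = 1000
SPLIT_SEGMENTS = [
    (1001, b"GET "),
    (1008, b"n/sh HTTP/1.0\r\n"),
    (1005, b"/bi"),
]

if __name__ == "__main__":
    print("per packet      :", per_packet_match(SPLIT_SEGMENTS))      # False
    print("reassembled     :", reassemble(SPLIT_SEGMENTS, ISN))
    print("after reassembly:", stream_match(SPLIT_SEGMENTS, ISN))     # True
```

The gap case (a segment never arrives) stops reassembly short, and the overlap case shows why the IDS and the end host must agree on which copy of a byte counts: if they differ, the attacker can show the IDS harmless bytes and the host the real payload.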
Detection Engine
The detection engine is responsible for detecting any intrusion present in a packet, using
rules. If a rule matches, it takes the configured action, such as logging the packet or
generating an alert; otherwise the packet is discarded without further action. The rules
loaded into the IDS, the power of the host, the speed of its internal bus and the load on the
network determine the load on the detection engine [Rehman 2003].
Output plug-ins
The output plug-ins emit the alerts generated by the preprocessors or the detection engine.
Advantages of Snort-IDS
Snort is a lightweight tool (easy to deploy on a system) and runs on all major
operating systems.
Snort provides extremely flexible detection and reporting. Its decoded output is more
readable and easier to understand than that of tools such as tcpdump.
Users can customize rules in an advanced rule set for better security
[Roesch 1999].
Snort performs focused monitoring (monitoring a single node (system) on
Snort is well suited to both small and large organizations as a security solution.
Disadvantages
When things go wrong with this product, there is no formal technical
Snort does not have a user-friendly management and configuration
interface.
advanced protocol analysis and automatic expert detection. It provides 24/7 internal and
external real-time attack detection. It monitors network traffic and analyzes it for security
breaches, looking for possible signs of attack on the network. It then captures the data
packets and, according to the vendor, blocks such events to protect against danger.
The operation of Sax2 is entirely based on analysis of Internet protocols.
Sax2 Architecture
packet capturing
matching rules
protocol analysis
comprehensive diagnosis
incident response
policy management
logs
Sax2 accomplishes the data capture, analysis and incident response of an IDS with all the
above modules working together. Figure 3.4 shows the main console of Sax2 IDS.
The left pane, outlined in red, is the Node Explorer, shown more clearly in Figure 3.5. It
lists every IP address taking part in communication on the network. If a particular node is
selected, it shows all the
Figure 3.5 Node Explorer Window - displaying all the IP addresses involved in
Network Communication [Ax3Soft 2008]
Figure 3.6 shows the statistics view of Sax2 IDS, which is very rich: almost 100 statistical
counters are provided in the console for
In Figure 3.7, the blue rectangle marks the conversations associated with an IP address.
This is the conversation view, introduced with Figure 3.5, and is one of the more important
parts of Sax2 IDS. It includes IP, TCP, UDP and ICMP information: the source and destination
addresses, a count of the packets in the conversation, their size, and other details. Figure
3.8 is the event log pane of
Its main purpose is to examine events. It has two parts: the intrusion event pane and the
intrusion log pane. The first shows event statistics for the current network, classified by
event type, with the statistical value of each event. The
All traffic on a monitored network is recorded into logs that can be viewed in the log view.
It collects all data and classifies it, checking whether it is an HTTP request, an e-mail
message (SMTP/POP3), an FTP transfer, etc., as shown in Figure 3.9. All logs are saved to
the hard disk for the record.
Figure 3.8 Event View [Ax3Soft 2008]
The purple box in Figure 3.4 shows the status of the monitor currently running on the
network: start time, duration, packets captured, packets accepted (highlighted in green),
packets lost, buffer usage and traffic changes.
Figure 3.10 shows how the knowledge base is represented in Sax2. By default, Sax2 ships
with more than 1,500 security policies and allows them to be customized
Another important module of Sax2 IDS is the Detection Expert Settings. This analyzes
traffic at an expert level and reports malicious incidents to the
Figure 3.11 Detection Expert Settings [Ax3Soft 2008]
Sax2 can capture traffic on more than one network adapter, if several are present. A real
test was performed on Sax2 IDS using the Nmap tool; this is discussed in later sections.
All of these features are assets and make it advantageous compared with other tools. On the
other hand, Sax2 does not have a well-structured website, which leaves users disappointed
3.2.2 Research on Linux-based NIDS
3.2.2.1 Firestorm
analysis, does reporting and provides a remote console. It is more flexible because it is fully
‘www.scaramanga.co.uk/firestorm/download.html’.
restriction that only one capture plug-in can be used at a time; extensions can be written to
capture from a new data source. It also supports high-speed, operating-system-specific
capture plug-ins.
are:
Sensor (Firestorm-NIDS)
Stormwall
Console
Sensor
The sensor sniffs traffic on the network, analyzes it, and then spools the alerts to an
extended log in the specific elog format. Firestorm
Firestorm is capable of stateful analysis. In this phase, Firestorm
attacks such as snot and stick, TCP stream reassembly and application-layer stateful
analysis. Firestorm can decode application-layer protocols; this is known as ‘Full
Application Layer Decode’. So far only HTTP has been tested, and the Firestorm team is
working on support for other protocols. Firestorm is compatible with Snort rules, protects
the network from DoS attacks and also supports anomaly detection [Leach 2003]. Firestorm
IDS is easy to use because it has only one configuration file.
within, which tells Firestorm how to behave. All settings are defined in this file: capture
settings, where to capture from, time limits, where to log, etc. The Snort rules to load are
also named in this file, so the complete behavior of
Stormwall
Its goal is to monitor the alert spools and to perform actions when new elog files appear.
The sensor is responsible for notifying Stormwall of any changes to the spool
Extended Logs
information. An elog file contains information about the packet, the alert, the decode, state
tracking and other metadata. The elog format is advantageous because it keeps all the data in a
single file. Firestorm rotates logs automatically until the logs reach a definite file
Figure 3.12 shows how elog files can be viewed. Ethereal is one of the applications that
can open elog files. It also shows that elog files record the time and source of the event,
the destination, protocol information and a brief description of
Figure 3.12 Viewing .elog files using Ethereal Interface [Leach 2003]
Console
The console allows the user to search, sort, filter, correlate and extract data from the sensors. As of
Figure 3.13 Firestorm Analyst console – displaying packets [Leach 2003]
decodes
It is fully pluggable
this, the capture block of the .conf file should be modified to “capture pcap if =
‘linux’”.
Full IP defragmentation
An enhanced logging format for ease of analysis: the elog (extended
log) file
This section presents the results of a case study on Snort 1.8.3 and Firestorm 0.4.6
paper, Network-Based IDS Evaluation Through a Short Term Experimental Script. The
analysis was run at three traffic bandwidths: 4, 6 and 8 Mbps.
Figure 3.14 lists the attacks performed on the network; an X means that the IDS detected
the attack and a blank means that it did not. In Figure 3.14, Snort detected all the attacks,
and Firestorm did also, except one
Figure 3.15 shows the detection rates of Snort and Firestorm for the various attacks at each
bandwidth. The percentages were obtained by dividing the number of alerts logged by the
maximum number of alarms expected [Fagundes 2006]. This comparison shows that Snort had
better performance and detection ability than Firestorm.
Figure 3.14 Detection Capabilities Analysis Results [Fagundes 2006]
3.2.2.2 Strata Guard
System. It provides real-time protection from network intrusions and malicious
traffic. Strata Guard offers the following features to protect the network
[StillSecure 2008]:
Features
Detects anomalous activity such as spoofed attack source addresses, TCP state
Eliminates false positives (a vendor claim; no IDS is free of them)
Ultra fast initial device discovery – large networks are scanned rapidly.
Centralized administration
Strata Guard uses six different intrusion detection tools for complete network
inspection and protocol anomaly analysis, Strata Guard terminates network-, application-
and service-level attacks including worms, Trojans, spyware, port scans, DoS and DDoS
(distributed DoS) attacks, server exploit attempts and viruses before they gain access to
A highly automated tool, developed and designed for ease of use
Against DoS attacks, Strata Guard takes a multi-tiered approach with two levels of
defense. One level regulates traffic and then rate-limits it to suppress DoS attacks. The
Strata Guard website states that it
Strata Guard uses open-source Snort as a component within its structure. It does not work
well in an ad hoc network; it needs a real network to test, as it
Figure 3.17 shows how attack activity is logged and can be viewed on the console.
With these features, Strata Guard provides many benefits over other
Advantages
Simplified administration
Disadvantages
Needs a dedicated machine; the host must run the StillSecure OS, which installs with
Strata Guard is recommended as a good security measure because of its wide range of
features and benefits. It is an efficient tool for larger networks.
Vern Paxson at Lawrence Berkeley National Laboratory and the International Computer Science
Institute. Like all NIDS, Bro monitors network traffic looking for suspicious activity. It
parses the traffic to extract its application-level semantics and then
suspicious activity is found on the network, the IDS logs it, and those records are used
Features of Bro
network-based IDS
Bro detects specific and abnormal activities, such as certain hosts connecting to certain
services, using signatures and patterns of failed connection attempts. As Bro logs
targets high-speed, high-volume intrusion detection using powerful packet filtering
First, it filters the network traffic; the remaining data is passed to its event engine,
where Bro interprets the structure of the packets and abstracts them into higher-level
events describing the activity. Lastly, Bro runs policy scripts
Policy scripts
“Bro uses a specialized policy language that allows a site to tailor Bro's operation, both
as site policies evolve and as new attacks are discovered” [Bro 2007]. These scripts are
programs written in the Bro language; they contain the rules describing the types of events
that are potential intrusions, analyze the activity and initiate actions based on the
analysis. Bro records the activity seen on the network in files and also generates alerts
[Bro 2007]. It is worth asking why Bro needs a special language: it is a language that
understands domain notions such as ports, IP addresses and connections, and it takes a
different approach to analyzing the network that makes the task easier. Users of Bro need not
learn the Bro
These scripts take actions such as the following.
generating output files that record the events seen on the monitored network
network and reports that signature's instances. Bro does almost the same, but instead of
treating them as fixed strings it treats them as regular expressions. Bro is compatible with
Snort signatures: it converts them into Bro signatures using a script called snort2bro. In
addition, Bro analyzes the network at deep levels of abstraction, stores all past activity
and integrates it with new observations [Bro 2007]. This
Massicotte, Gagnon and Labiche did a case study on Snort 2.3.2 and Bro 0.9a9 on Linux
systems [Massicotte 2006], evaluating the two side by side. Figure 3.18 shows the results
of the case study. VEP in the table refers to Vulnerability Exploitation Program. The table
shows the data set used for the case study. The notations in
Table 3.2 Notations

  Abbreviation                                          Meaning
  Alarm. & Compl. Det. to Part. Alarm. & Compl. Det.    Alarmist & Complete Detection to Partial Alarmist & Complete Detection
  Alarm. & Compl. Det. to Quiet & Compl. Det.           Alarmist & Complete Detection to Quiet & Complete Detection
  Part. Alarm. & Compl. Det. to Quiet & Compl. Det.     Partial Alarmist & Complete Detection to Quiet & Complete Detection
  Part. Alarm. & Compl. Det.                            Partial Alarmist & Complete Detection
  Alarm. (Failed Only) to Part. Alarm. (Failed Only)    Alarmist (Failed Only) to Partial Alarmist (Failed Only)
  Alarm. (Failed Only) to Quiet (Failed Only)           Alarmist (Failed Only) to Quiet Alarmist (Failed Only)
Figure 3.19 shows the success and failure measures in detecting attacks: false positives,
false negatives, true positives and true negatives. Panel (a) shows that Snort performed
better than Bro on successful attacks; panel (b) shows that Bro raised fewer false alarms
than Snort.
Table 3.3 Summary of comparison among Snort, Sax2, Firestorm, Strata Guard and Bro

  Feature                      Snort   Sax2   Firestorm   Strata Guard   Bro
  Real-time traffic analysis   Yes     Yes    Yes         Yes            Yes
3.3 Writing Rules
Rules define what the IDS should watch for: what, and who, constitutes an intrusion.
Defining a rule tells the IDS what to do, i.e., which traffic to treat as suspicious and which
as safe. Rules can be very specific, matching particular packet attributes or payload, a
particular IP address or port.
Snort rules have a simple syntax; they are easy to read, write and understand, and they are
customizable. Because they are simple, Snort sometimes does not identify certain types of
attack efficiently, but it covers almost all major intrusions. The rules are very flexible for
single-packet analysis and can match on both packet headers and payload.
A rule has two parts: a rule header (which every rule must have) and the
Rule Header
A rule header contains the rule action, the protocol, and the IP addresses and port numbers of
Figure 3.22 Rule header attributes of a snort rule
There are various rule actions; Table 3.3 lists them with their descriptions. The protocol
field can name TCP, UDP, ICMP, IP, ARP, IGRP, GRE, OSPF, RIP, IPX, etc., but currently
Snort analyzes only TCP, UDP, ICMP and IP; support for the remaining protocols may come
later. The direction operator -> means that traffic flows from the source host (IP address
and port number on the left) to the destination host (IP address and port number on the
right). The <> operator indicates bidirectional traffic, telling Snort to treat the
address/port pairs on either side of the operator as either source or destination. There is
no <- operator to
Rule options
“Rule options form the heart of Snort's intrusion detection engine, combining ease of use
with power and flexibility” [Sturges 2008]. A semicolon (;) separates one rule option from
the next, and a colon (:) separates an option's keyword from its argument.
tells Snort to check for the TCP flag bits SYN (synchronize sequence numbers) and FIN (final,
no more data from sender). The msg option tells the logging and alerting engine about
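The rule anatomy described in this section, as an added example written for this page (it is not Snort's own parser): the header is split into its seven fields and validated against the actions, protocols and direction operators given above, the option list is split on semicolons outside quotes and on the colon between keyword and argument, and a header matcher shows the difference between -> and <>. The example assumes literal addresses and ports (Snort variables such as $HOME_NET are not expanded) and accepts only the four protocols Snort inspects; the mountd rule is the form given in the Snort manual, and the packets are constructed.

```python
"""Parse a Snort rule into the header fields and the option list discussed
above, and match the header against a packet.  Added example for this page;
it is not Snort's parser.  Assumptions: addresses and ports are written
literally ($HOME_NET-style variables are not expanded), and only the protocols
Snort actually inspects are accepted."""
import ipaddress
from dataclasses import dataclass, field

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}    # inspected by Snort; ARP, GRE etc. are not
DIRECTIONS = {"->", "<>"}                   # there is no "<-" operator

@dataclass
class SnortRule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list = field(default_factory=list)   # ordered (keyword, argument) pairs

def _split_options(body):
    """Split on ';' but not inside double quotes, so msg:"a; b" stays whole."""
    parts, current, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]

def parse_rule(line):
    """Header = 7 whitespace-separated fields before '('; options sit inside it."""
    header, paren, rest = line.strip().partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError(f"rule header needs 7 fields, got {len(fields)}: {header!r}")
    action, proto, sip, sport, direction, dip, dport = fields
    if action not in ACTIONS:
        raise ValueError(f"unknown rule action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"protocol {proto!r} is not inspected by Snort")
    if direction not in DIRECTIONS:
        raise ValueError(f"bad direction operator {direction!r}")
    options = []
    if paren:
        body = rest.strip()
        if not body.endswith(")"):
            raise ValueError("option list is not closed with ')'")
        for opt in _split_options(body[:-1]):
            keyword, _, arg = opt.partition(":")   # ':' separates keyword and argument
            arg = arg.strip()
            if len(arg) >= 2 and arg[0] == arg[-1] == '"':
                arg = arg[1:-1]
            options.append((keyword.strip(), arg))
    return SnortRule(action, proto, sip, sport, direction, dip, dport, options)

def _ip_ok(spec, addr):
    """'any', a CIDR, or a [list,of,cidrs], optionally negated with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    nets = spec.lstrip("!").strip("[]").split(",")
    hit = any(ipaddress.ip_address(addr) in ipaddress.ip_network(n, strict=False)
              for n in nets)
    return hit != negate

def _port_ok(spec, port):
    """'any', a single port, or a range such as 1:1024, :1024, 1024:, with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def header_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport.  '->' checks one direction;
    '<>' accepts the packet if either direction fits the address/port pairs."""
    if rule.protocol != "ip" and rule.protocol != pkt["proto"]:
        return False
    def one_way(src, sport, dst, dport):
        return (_ip_ok(rule.src_ip, src) and _port_ok(rule.src_port, sport)
                and _ip_ok(rule.dst_ip, dst) and _port_ok(rule.dst_port, dport))
    forward = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if forward or rule.direction == "->":
        return forward
    return one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

if __name__ == "__main__":
    rule = parse_rule('alert tcp any any -> 192.168.1.0/24 111 '
                      '(content:"|00 01 86 a5|"; msg:"mountd access";)')
    print(rule)
    print(header_matches(rule, {"proto": "tcp", "src": "10.0.0.5", "sport": 40000,
                                "dst": "192.168.1.7", "dport": 111}))   # True
```

The matcher covers only the header; the content and flags options would be evaluated by the detection engine against the decoded payload and TCP header, which this example does not model.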
4. TESTING AND EVALUATION
Testing and evaluating an IDS involves many things in terms of hardware and software. To
comply with security regulations and to be safe, it is always advisable to perform the
evaluation on an isolated ad hoc network rather than a production network. A group of
computers should be connected to a hub; Figure 4.1 shows the setup.
The testing criteria should include a very specific set of data entries, meaning a specific
set of tools used to plan an attack. IDS evaluation can be divided into two general
categories:
Detection
Response
4.1 Detection
This test is carried out by launching planned attacks at the IDS. Specific attacks are used
to test its ability to identify an attack. In the comparative analysis shown in 3.12, the
categories of intrusion considered are evasion, insertion, port scanning and denial of
service. Specific attack tools are run on the network to determine whether the IDS sees the
events. If it logs all the events generated by those tools, the IDS is said to have good
detection ability.
A good IDS should be able to handle high-bandwidth traffic and analyze all traffic entering
and leaving the network. This can be tested by generating traffic on the network and
increasing it by running a network scanner such as Nmap (Wireshark, by contrast, only
captures traffic and does not generate it). Intruders use the same technique to make a
network so busy that the IDS cannot keep up and starts dropping packets; they then do their
work unseen. This is a denial-of-service attack on the IDS itself, one of the three classes of
attack on a NIDS described by [Ptacek 1998]. It should not be confused with the ping of death,
which is a single oversized, malformed ICMP packet sent to crash a host. Figure 4.2 shows
traffic being generated with the Nmap tool.
When Nmap is started, it scans the network for live IP addresses and then for open ports on
them; it is a scanning tool and generates traffic as a side effect. An IDS should be robust
enough to cope with high-bandwidth traffic. Figure 4.3 shows Snort capturing the traffic
with IDS center as its front end.
Figure 4.4 shows network monitoring by Sax2 IDS, with 100% packet capture and 0% loss. It
summarizes the captured traffic as shown in Figure 4.5, classifying events as warnings
(yellow triangle), information (blue ‘i’), notice (green) and critical (red symbol). Based
on this, the administrator decides
Figure 4.4 Network monitoring by Sax2 NIDS
Both Snort and Sax2 NIDS were good at monitoring and logging the network
Attackers send a large volume of traffic to the victim so that it cannot handle the load;
performance degrades and service is denied. An IDS should therefore be able to flag a DoS
attack when it sees a large amount of traffic from a single IP address or port, or from many
different ones. This is how an IDS detects a DoS attack.
To test whether the IDS can detect a DoS attack, high-bandwidth traffic must be generated by
one system. To break into the victim's network before the victim notices unknown activity on
his system, the attacker typically needs a faster Internet connection than the victim. The
attacker also scans for open ports to break into the network more easily. As most IDS have a
built-in DoS detection feature, the IDS should report the attack to the administrator by
raising an alarm. Udpstorm, Teardrop, Mailbomb, etc., are popular DoS
This measure determines whether the IDS can verify the success of attacks from remote
sites that give the attacker higher privileges on the attacked system. Many IDS do not
distinguish failed attacks from successful ones. The ability to identify a successful attack
is crucial for attack correlation and attack scenario analysis. This measure requires
information about failed attacks as well as successful
4.1.5 Ability to Detect Never Before Seen Attacks
This measure tells how well an IDS detects attacks it has never seen before. In general,
systems that detect previously unseen attacks produce more false positives than those
without this capability, so this measure also identifies the tools with higher numbers of
false positives [Hu 2002].
4.2 Response
After detecting an attack, the IDS has to respond quickly and let the administrator know
about it. Most IDS raise an alarm with a sound such as a ‘ding’ or
Of these four, false positives and false negatives are the most discussed because they
concern intrusions directly, and the two are the key measures for evaluating an IDS. “A
false positive is defined as the frequency with which the IDS reports malicious activity in
error, and the frequency with which the IDS fails to raise an alert when malicious activity
actually occurs is a false negative” [Chapple 2003]. A good IDS must have low
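The two points above, that an IDS flags a DoS attack by the volume of traffic from one or many sources (section 4.1) and that its alerts are then judged by their false positives and false negatives (section 4.2), as one added example written for this page (it is not code from Snort, Sax2 or any other tool discussed here). The traffic records are constructed; the window length and packet threshold are assumptions chosen so the example separates the cases cleanly.

```python
"""Rate-based flood (DoS) detection over constructed packet records, and
evaluation of the resulting alerts as true/false positives and negatives.
Added example for this page, not code from any tool discussed in it."""
from collections import defaultdict, deque

# Each record is (timestamp_seconds, src_ip, dst_ip, dst_port).
# The traffic below is constructed for the example, not captured data.
def build_sample_traffic():
    pkts = []
    server, mailhost = "192.168.1.10", "192.168.1.20"
    # three ordinary web clients: five packets each, spread over 16 seconds
    for i, src in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
        pkts += [(i + 4 * k, src, server, 80) for k in range(5)]
    # a busy but legitimate client: 40 packets at two per second
    pkts += [(0.5 * k, "10.0.0.50", server, 80) for k in range(40)]
    # single-source flood: 300 packets in three seconds
    pkts += [(5 + k / 100, "10.0.0.99", server, 80) for k in range(300)]
    # distributed flood: 150 spoofed sources, one packet each, within 0.75 s
    pkts += [(30 + k / 200, f"172.16.{k // 256}.{k % 256}", mailhost, 25)
             for k in range(150)]
    return sorted(pkts)

def detect_floods(pkts, key=lambda p: p[1], window=1.0, threshold=100):
    """Sliding-window rate check.  `key` selects what the counter is kept for
    (the source address by default; the destination to catch a distributed
    flood, where no single source is loud).  Returns the set of keys that
    exceeded `threshold` packets in any `window`-second interval."""
    alerted = set()
    recent = defaultdict(deque)
    for pkt in pkts:
        k, ts = key(pkt), pkt[0]
        q = recent[k]
        q.append(ts)
        while ts - q[0] > window:        # expire packets that left the window
            q.popleft()
        if len(q) > threshold:
            alerted.add(k)
    return alerted

def score(alerted, population, positives):
    """Confusion matrix over a set of entities (sources or destinations);
    `positives` are the ones that really attacked (or were really attacked)."""
    tp = len(alerted & positives)
    fp = len(alerted - positives)
    fn = len(positives - alerted)
    tn = len(population - alerted - positives)
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "false_negative_rate": fn / (fn + tp) if fn + tp else 0.0,
    }

if __name__ == "__main__":
    pkts = build_sample_traffic()
    sources = {p[1] for p in pkts}
    attackers = {p[1] for p in pkts
                 if p[1].startswith("172.16.") or p[1] == "10.0.0.99"}
    by_src = detect_floods(pkts)
    print("per-source alerts :", by_src, score(by_src, sources, attackers))
    by_dst = detect_floods(pkts, key=lambda p: p[2])
    print("per-destination   :", by_dst)
    loose = detect_floods(pkts, window=20, threshold=3)
    print("over-sensitive    :", score(loose, sources, attackers))
```

Counting per source catches the single loud host but misses the distributed flood entirely (150 false negatives), because each spoofed source sends one packet; counting per destination catches both. Lowering the threshold until the distributed case would register instead turns every ordinary client into a false positive, which is the trade-off the false positive and false negative rates are meant to expose.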
4.3 Other Evaluation measures
System Security
This tells the level of security provided by the IDS. The understanding of the nature and
type of an attack differs from one IDS to another. If the IDS has a counteraction for every attack
This tells whether the IDS needs specific network media to be present in the network.
User Interface
This measures how comfortable the console is for the user in understanding the IDS's
activity. A good user interface makes all the information easily accessible to the
user.
5. FUTURE WORK
Due to limited resources and the University's security regulations, only Snort and Sax2
could be tested. As future work for this research and analysis, tests of the ability to
detect DoS, user-to-root (U2R) and remote-to-local (R2L) attacks could be performed on Snort
and Sax2 NIDS, and also on Strata Guard and Bro if resources are available. With good test
criteria and a proper data set, these performance tests can be carried out successfully.
Although many IDS use Snort rules as their security policies, a few others, such as Sax2 IDS,
use different policies. Therefore, this research has a good
6. CONCLUSION
The advantages and disadvantages of the IDS discussed in this research have been
summarized and presented. The research also provides a survey of computer security and
describes the architectures and behavior of Snort, Sax2, Firestorm, Bro and Strata Guard. A
test was performed on Snort and Sax2 to check their ability to capture network traffic
generated with the Nmap tool. The basic anatomy of a rule is discussed to explain rule
syntax, which helps in customizing rules for greater network security.
ACKNOWLEDGEMENT
Installing, testing and evaluating the tools discussed in this project would not have
been completed without the support, patience and guidance of Mr. Steve Alves. I owe
REFERENCES AND BIBLIOGRAPHY
[Ax3Soft 2008] Ax3Soft. Sax2 Expert IDS screenshots. Available from
www.ids-sax2.com/Screenshot.htm (visited Oct. 20, 2008).
[Bro 2007] Bro Intrusion Detection System. Lawrence Berkeley National Laboratory /
National Science Foundation (2007). Available from www.bro-ids.org (visited
Sept. 15, 2008).
[Caswell 2003] Caswell, B. Snort 2.0 Intrusion Detection. Syngress Publishing, Inc.,
Rockland, MA, pp 55-73.
[Chou 2007] Chou, T., Ensemble Fuzzy Belief Intrusion Detection Design. Available
from www.proquest.umi.com (Visited Sept. 15, 2008).
[CISSP 2008] CISSP 2008. Examining Different Types of Intrusion Detection Systems.
Wiley Publishing, Inc. (2008). Available from
www.dummies.com/WileyCDA/DummiesArticle/Examining-Different-Types-of-
Intrusion-Detection-Systems.id-5278.html (visited Jun. 18, 2008).
[DSL 2003] Broadband DSL Reports. Is there a difference between an IDS and a
firewall? Available from www.dslreports.com/faq/6036 (visited Aug. 26, 2008).
[Fagundes 2006] Fagundes, L.L. and Gaspary, L.P. Network-based Intrusion Detection
Systems Evaluation Through a Short Term Experimental Script. J. Ascenso et
al.(eds), e-Business and Telecommunication Networks 159-165. Springer,
Netherlands (2006).
[Gerg 2004] Gerg, C. and Cox, K. J. Managing Security with Snort and IDS Tools,
O’Reilly Media, Inc. Sebastopol, CA (Aug, 2004).
[JC 2007] Jupitermedia Corporation. Intrusion Detection System (2007). Available from
http://www.webopedia.com/TERM/I/intrusion_detection_system.html (visited
Aug. 26, 2007).
[Kazienko 2003] Kazienko, P., Dorosz, P. Intrusion Detection Systems (IDS) Part I -
(network intrusions; attack symptoms; IDS tasks; and IDS architecture).
Available from
www.windowsecurity.com/articles/Intrusion_Detection_Systems_IDS_Part_I__n
etwork_intrusions_attack_symptoms_IDS_tasks_and_IDS_architecture.html
(Visited Jun.12, 2008)
[Massicotte 2006] Massicotte, F., Gagnon, F., and Labiche, Y. Automatic Evaluation of
Intrusion Detection Systems. Proceedings of the 22nd Annual Computer Security
Applications Conference (ACSAC'06).
[McDowell 2004] McDowell, M. Understanding Denial-of-Service Attacks. Available
from www.us-cert.gov/cas/tips/ST04-015.html (visited May 25, 2008).
[Mukkamala 2003] Mukkamala, S., and Sung, A. H. Intrusion Detection System Using
Adaptive Regression Splines. Available from http://salford-
systems.com/doc/ICEIS-final.pdf (visited on Sept. 5, 2008)
[Northcutt 2002] Northcutt, S. and Novak, J. Network Intrusion Detection, 3rd Edition,
New Riders Publishing, September 2002.
[Ptacek 1998] Ptacek, T.H. and Newsham, T.N. Insertion, Evasion, and Denial of
Service: Eluding Network Intrusion Detection. Available from
www.insecure.org/stf/secnet_ids/secnet_ids.html (visited Sept. 23, 2008).
[QED 2005] Quality Education Division, Educational and Manpower Bureau, The
Government of HKSAR. A closed look at Internet Firewalls. Available from
www.edb.gov.hk/FileManager/EN/Content_4833/internet%20firewall%20%5Bno
v%2005%5D.pdf (Visited Jun. 18, 2008)
[QOD 2004] QoDwriting. A look into IDS/Snort. Available from
www.freewebs.com/talug/Snort.pdf (visited Sept. 15, 2008)
[Richardson 2008] Richardson, R. CSI Computer Crime & Security Survey. Computer
Security Institute (2008).
[Snort 2008] Snort.org. Available from www.snort.org (visited Oct 12, 2008).
[StillSecure 2008] StillSecure. Strata Guard Flexible, easy to use IDS/IPS. Available
from http://www.stillsecure.com/strataguard/ (visited Oct 23, 2008)
[StillSecure 2008] StillSecure. VAM. Available from
www.sunworks.ch/datasheets/21b.pdf (visited Oct 23, 2008).
[Sturges 2008] Sturges, S. Writing Snort Rules: How to Write Snort Rules and Keep Your
Sanity. Available from
www.snort.org/docs/snort_htmanuals/htmanual_283/snort_manual.html (visited
Aug. 09, 2008).