Intrusion Detection System (IDS)


Feb 16, 2014



To study the scope and importance of Intrusion detection systems


Intrusion Detection System (IDS)


An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.

Intrusion detection functions include:

Monitoring and analyzing both user and system activities

Analyzing system configurations and vulnerabilities

Assessing system and file integrity

Ability to recognize patterns typical of attacks

Analysis of abnormal activity patterns

Tracking user policy violations

ID systems are being developed in response to the increasing number of attacks on major sites and networks, including those of the Pentagon, the White House, NATO, and the U.S. Defense Department. The safeguarding of security is becoming increasingly difficult, because the possible technologies of attack are becoming ever more sophisticated; at the same time, less technical ability is required for the novice attacker, because proven past methods are easily accessed through the Web.

There are several ways to categorize an IDS:

NIDS (Network Intrusion Detection Systems)

Network Intrusion Detection Systems are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. Ideally you would scan all inbound and outbound traffic; however, doing so might create a bottleneck that would impair the overall speed of the network.

HIDS (Host Intrusion Detection Systems)

Host Intrusion Detection Systems are run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected.

Signature Based

A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag time your IDS would be unable to detect the new threat.
Anomaly Based

An IDS which is anomaly based will monitor network traffic and compare it against an established baseline. The baseline will identify what is “normal” for that network: what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other. It will alert the administrator or user when traffic is detected which is anomalous, or significantly different, from the baseline.

Passive system vs. Reactive system:

In a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.
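The anomaly-based approach and the passive/reactive distinction above can be shown concretely. The block below is an example added to this page, not code from the original note or from any IDS product: it learns a baseline (which protocol/port pairs are used and the typical bytes per flow) from constructed "normal" flow records, flags flows that use an unseen service or exceed mean + 3 standard deviations, and then contrasts a passive IDS (alerts only) with a reactive one that also adds the offending host to a simulated firewall block list. All hosts, ports and byte counts are constructed sample values.

```python
"""Anomaly-based detection against a learned baseline, with passive and
reactive responses. Example code added to this page; every flow record
below is constructed, not captured traffic."""
from statistics import mean, pstdev

# Constructed "normal" flow records used to learn the baseline:
# (source host, protocol, destination port, bytes transferred)
BASELINE_FLOWS = [
    ("10.0.0.5", "tcp", 80, 1200), ("10.0.0.5", "tcp", 443, 2500),
    ("10.0.0.5", "udp", 53, 90),   ("10.0.0.6", "tcp", 80, 1100),
    ("10.0.0.6", "tcp", 443, 2300), ("10.0.0.6", "udp", 53, 110),
    ("10.0.0.7", "tcp", 443, 2700), ("10.0.0.7", "udp", 53, 95),
    ("10.0.0.7", "tcp", 80, 1300),
]

# Constructed flows to inspect: one normal, one to an unseen service,
# one with a volume far above the baseline.
NEW_FLOWS = [
    ("10.0.0.5", "tcp", 443, 2400),
    ("10.0.0.9", "tcp", 8081, 300),
    ("10.0.0.6", "tcp", 80, 50000),
]


def build_baseline(flows):
    """Learn what is 'normal': the protocol/port pairs in use and the
    typical bytes per flow (mean and population standard deviation)."""
    sizes = [nbytes for _, _, _, nbytes in flows]
    return {
        "services": {(proto, port) for _, proto, port, _ in flows},
        "mean_bytes": mean(sizes),
        "std_bytes": pstdev(sizes),
    }


def detect_anomalies(baseline, flows, sigma=3.0):
    """Return (host, reason) for each flow that deviates from the baseline:
    a protocol/port pair never seen, or a size beyond mean + sigma * std."""
    threshold = baseline["mean_bytes"] + sigma * baseline["std_bytes"]
    alerts = []
    for host, proto, port, nbytes in flows:
        if (proto, port) not in baseline["services"]:
            alerts.append((host, f"unseen service {proto}/{port}"))
        elif nbytes > threshold:
            alerts.append((host, f"{nbytes} bytes exceeds baseline {threshold:.0f}"))
    return alerts


class PassiveIDS:
    """Passive system: logs the anomaly and signals an alert, nothing more."""

    def __init__(self, baseline):
        self.baseline = baseline
        self.log = []

    def process(self, flows):
        alerts = detect_anomalies(self.baseline, flows)
        self.log.extend(alerts)
        return alerts


class ReactiveIDS(PassiveIDS):
    """Reactive system: additionally 'reprograms the firewall' by adding the
    suspected source to a block list (a simulated firewall rule)."""

    def __init__(self, baseline):
        super().__init__(baseline)
        self.blocked = set()

    def process(self, flows):
        alerts = super().process(flows)
        for host, _ in alerts:
            self.blocked.add(host)
        return alerts


if __name__ == "__main__":
    ids = ReactiveIDS(build_baseline(BASELINE_FLOWS))
    for host, reason in ids.process(NEW_FLOWS):
        print(f"ALERT {host}: {reason}")
    print("blocked:", sorted(ids.blocked))
```

The baseline here is deliberately simple (a global byte threshold and a set of services); the point it makes is the one the text makes: anomaly detection needs no signature for the unseen service on port 8081, but the quality of its alerts depends entirely on how representative the learning period was.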

An IDS differs from a firewall. A firewall looks out for intrusions in order to stop them from happening. The firewall limits the access between networks in order to prevent intrusion and does not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system.


Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.

Components of Snort

Snort is logically divided into the following five major components.

Packet Decoder:

The Packet Decoder is the first component. It collects packets from different network interfaces and prepares the packets to be preprocessed.


Preprocessors:

The second component, the Preprocessors, are used to arrange and modify packets before they are analysed by the detection engine. There are preprocessors that detect some basic anomalies by defragmenting packets (which are fragmented by hackers as a method of deception) and by HTTP URL decoding (if hexadecimal characters are used by hackers as a method of deception). There are preprocessors that detect and log port scanning activities, detect anomalies in ARP packets (to identify ARP spoofing), etc.

Detection Engine:

The third component, the Detection Engine, is the heart of Snort. Its responsibility is to inspect all the packets passing through it for signs of intrusion by using certain predefined rules. It can dissect a packet and apply rules to different parts of the packet like the IP header, transport layer header, application layer header and packet payload.

Logging and Alerting System:

The fourth component is the Logging and Alerting System. Upon the detection of an intrusion by the detection engine, either the activity is logged for the perusal of the network engineers or an alert is generated.

Output Modules or Plugins:

The fifth component, Output modules or plugins, are used to control the type of output produced by the logging and alerting system. Some of its functions may be generating log reports, logging alert reports in a file, sending SNMP traps, logging to a database (like MySQL), sending a message to a Syslog server, etc.

In some installations, additional tools might be used along with Snort: a MySQL database to log the alert data, Apache could act as the web server, PHP could be the interface between the web server and the MySQL database, a PHP package like ACID could be used to view and analyse Snort data, etc.

Snort is a single-threaded application, which can be configured to operate in four modes:

Packet Sniffer Mode

Packet Sniffer mode simply reads the packets off the network and displays them in a continuous stream on the console.

Packet Logger Mode

Packet Logger mode logs the packets to disk. To record the packets to the disk, specify a logging directory and Snort will automatically know to go into packet logger mode. A directory named log in the current directory would be created. When Snort runs in this mode, it collects every packet it sees and places it in a directory hierarchy based upon the IP address of one of the hosts in the datagram.

Detection Mode

Network Intrusion Detection System (NIDS) mode allows Snort to analyze network traffic for matches against a user-defined rule set and perform several actions based upon what it sees.

Prevention Mode / Inline Mode

It prevents the network threats. Snort Inline obtains packets from iptables instead of libpcap and then uses new rule types to help iptables pass or drop packets based on Snort rules.

Working of Snort

Snort captures raw packets with libpcap and then decodes and preprocesses them prior to forwarding them to the detection engine. The preprocessing includes early packet dropping, classification, layer three IP fragment reassembly, layer four TCP session reconstruction and so forth. The detection engine checks packet headers as well as payloads against several thousands of rules stored in a database of predefined attack signatures, as shown in figure 1.

In figure 2, the text up to the first parenthesis is the rule header and the section enclosed in parentheses is the rule options. The words before the colons in the rule options section are called option keywords.

Snort rules are divided into two logical sections, the rule header and the rule options. The rule header contains the rule's action, protocol, source and destination IP addresses and netmasks, and the source and destination ports information. The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken. If one rule matches, an action is taken depending on the rule configuration for the action. Two of the most commonly used actions are “alert” and “log”. The alerting facility exists to report that a suspicious packet has been detected. The logging facility exists to log full packet information. Snort is capable of outputting “alert” and “log” data in a variety of output formats and methods.

Output formats include binary, libpcap and ASCII. Binary format offers speed and flexibility, whereas ASCII format is easier to work with. Output methods include writing to a file, console or screen, syslog, or SQL database plugins. The “alert” action in Snort is hard coded to perform primarily two actions in sequence: write an event to the alerting facility, and log as much as possible. The ‘log’ action logs the packet to the logging facility without generating an alert.
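To make the rule structure and the component pipeline (preprocessor, detection engine, logging and alerting) concrete, the block below is an example added to this page; it is not Snort's own code and implements only a small subset of the real rule language. It parses rules written in Snort syntax into header (action, protocol, source address and port, direction, destination address and port) and options (keyword:value pairs), runs an HTTP URL-decoding preprocessor so a `%2e%2e/`-encoded payload still matches a plain-text `content` option, and applies the “alert” and “log” actions as the text describes them: “alert” writes an event to the alerting facility and logs the packet, “log” only logs it. The two rules and three packets are constructed; the `sid` values are sample numbers in the local-rule range, not identifiers from any ruleset, and only the `->` direction is handled.

```python
"""A minimal Snort-style rule parser and matcher. Example code added to this
page, not Snort's own; the rules and packets below are constructed."""
import ipaddress
import re
from urllib.parse import unquote

# Constructed rules in Snort syntax: header, then options in parentheses.
RULES = [
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"Directory traversal attempt"; '
    'content:"../"; sid:1000001; rev:1;)',
    'log tcp any any -> 192.168.1.0/24 22 (msg:"SSH session"; sid:1000002; rev:1;)',
]

# Constructed packets as already-decoded dictionaries (the packet decoder's job).
PACKETS = [
    {"proto": "tcp", "src_ip": "10.0.0.5", "src_port": 51000, "dst_ip": "192.168.1.10",
     "dst_port": 80, "payload": "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1"},
    {"proto": "tcp", "src_ip": "10.0.0.5", "src_port": 51001, "dst_ip": "192.168.1.10",
     "dst_port": 22, "payload": "SSH-2.0-client"},
    {"proto": "tcp", "src_ip": "10.0.0.5", "src_port": 51002, "dst_ip": "192.168.1.10",
     "dst_port": 80, "payload": "GET /index.html HTTP/1.1"},
]

HEADER_FIELDS = ["action", "protocol", "src_ip", "src_port", "direction", "dst_ip", "dst_port"]
# Split rule options on ';' only when the ';' is outside double quotes.
OPTION_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_rule(text):
    """Split a rule into its header (seven whitespace-separated fields, the text
    before the first parenthesis) and its options (keyword:value pairs)."""
    head, sep, rest = text.partition("(")
    rest = rest.rstrip()
    if not sep or not rest.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    fields = head.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, got {len(fields)}")
    options = {}
    for opt in OPTION_SPLIT.split(rest[:-1]):
        opt = opt.strip()
        if opt:
            keyword, _, value = opt.partition(":")
            options[keyword.strip()] = value.strip().strip('"')
    return {"header": dict(zip(HEADER_FIELDS, fields)), "options": options}


def _ip_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def preprocess(packet):
    """HTTP URL-decoding preprocessor: normalise %XX escapes so a hex-encoded
    payload cannot slip past a plain-text content match."""
    return dict(packet, payload=unquote(packet["payload"]))


def rule_matches(rule, packet):
    """Detection engine check: header fields against the packet headers, then
    the 'content' option (if any) against the payload. Only '->' is handled."""
    h = rule["header"]
    if h["protocol"] != packet["proto"] or h["direction"] != "->":
        return False
    if not (_ip_matches(h["src_ip"], packet["src_ip"]) and _port_matches(h["src_port"], packet["src_port"])):
        return False
    if not (_ip_matches(h["dst_ip"], packet["dst_ip"]) and _port_matches(h["dst_port"], packet["dst_port"])):
        return False
    content = rule["options"].get("content")
    return content is None or content in packet["payload"]


class Engine:
    """Detection engine plus logging/alerting facility: 'alert' records an event
    and logs the packet; 'log' only logs the packet. First matching rule wins."""

    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.alerts, self.logged = [], []

    def inspect(self, packet):
        packet = preprocess(packet)
        for rule in self.rules:
            if rule_matches(rule, packet):
                action = rule["header"]["action"]
                if action == "alert":
                    self.alerts.append((rule["options"]["sid"], rule["options"]["msg"]))
                if action in ("alert", "log"):
                    self.logged.append(packet)
                return action
        return None


if __name__ == "__main__":
    engine = Engine(RULES)
    for pkt in PACKETS:
        print(pkt["dst_port"], repr(pkt["payload"]), "->", engine.inspect(pkt))
    print("alerts:", engine.alerts)
```

Without the `preprocess` step the first packet would not match, because the literal string `../` never appears in the raw payload; that is exactly the evasion the HTTP URL-decoding preprocessor described above is there to defeat.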


Thus we have studied the scope and importance of Intrusion detection systems.