Snort
Intrusion Detection Systems (IDS) are one of the most dynamic technologies in the field of network security. There are two types of IDS: programs that detect anomalies in the functioning of the protected system, and IDS whose job is to find known signs of attack. Modern intrusion detection systems such as Snort can not only detect an intrusion into the system but also warn of an impending one. Snort has been chosen as the research subject for several reasons. Snort is a free, open-source program. It combines traffic signature analysis, protocol-based analysis and behavioral analysis, which has made it the most popular IDS in the world. Snort also allows users to write their own rules, which serve to identify the most common attacks when analyzing traffic. The functionality of the system can be extended by connecting third-party modules that detect network attacks and threats. Snort runs on a large number of hardware platforms under the Linux, Windows and *BSD operating systems (OS).
An intrusion detection system is a software or hardware/software system designed to detect and, if possible, prevent actions that threaten the security of an information system.
The first prototypes of attack detection systems (SOA) appeared in the early 1980s and were aimed primarily at protecting stand-alone computers that were not networked. Attacks were detected by analyzing event logs after the fact. Modern systems are mainly focused on protection against threats coming from the network, so their architecture has changed significantly; the main approaches to detecting attacks, however, have remained the same. Snort is usually called a “lite” NIDS because it is designed primarily for small networks. The program can perform protocol analysis and can be used to detect various attacks and investigate problems such as buffer overflows, hidden port scans, CGI attacks, attempts to determine the OS, etc. Snort uses rules (specified in the rules files) to decide which traffic to pass and which to hold back. The tool is flexible, allowing new rules to be written and applied. The program also has a “detection mechanism” built on a modular plug-in architecture, so that particular additions can be added to or removed from the detection mechanism.
The main approaches to detecting attacks have hardly changed in the last quarter of a century and, despite loud statements by developers, it can be said with confidence that conceptually attack detection is based either on signature analysis methods or on anomaly detection methods (Kuvaiskii, Chakrabarti, and Vij). Signature analysis is based on the assumption that the attack scenario is known, so that an attempt to carry it out can be detected in the event logs or by analyzing network traffic. Ideally, the information system administrator should eliminate all known vulnerabilities. In practice, however, this requirement may be impracticable, since the functionality of the information system can be significantly affected as a result. It is also possible that the human and material costs needed to eliminate these vulnerabilities exceed the value of the information processed by the system. Attack detection systems that use signature analysis methods are designed to address this problem, since in most cases they allow an attack not only to be detected but also to be prevented at the initial stage of its execution.
The process of detecting attacks in these systems reduces to searching for a previously known sequence of events, or a string of characters, in an ordered stream of information. The search mechanism is determined by the description of the attack. Snort logs and analyzes traffic, searches content, and is widely used for blocking or passively detecting a variety of attacks and probes, such as buffer overflow attempts, hidden port scans, web application attacks, SMB probes and attempts to determine the operating system. The software is mainly used to prevent penetration and to block attacks if they occur. It can work together with other software, such as SnortSnarf, OSSIM and BASE (which provide a visual representation of the intrusion data). With additions from Bleeding Edge Threats, it supports antivirus scanning of packet streams with ClamAV and network anomaly analysis with SPADE at the network and transport layers, possibly taking the change history into account.
The simplest approach is to describe an attack using a set of rules (conditions). For network packet analysis, these rules may specify particular values of individual packet header fields (source or destination IP address and port, set flags, packet size, etc.). When analyzing event logs, rules can limit the time a user is logged on to the system or the number of incorrect password entries within a short period, or flag changes to critical system files. Thus the description of an attack reflects, firstly, the nature of the transmitted information and, secondly, the set of system responses to the attack being carried out.
IDS Snort identifies the following types of threats:
– use of exploits (software vulnerability scanners);
– system scans (OS, ports, users, etc.);
– attacks: against services such as Telnet, FTP, DNS, etc.; DoS/DDoS; against web servers (CGI, PHP, FrontPage, IIS, etc.); against SQL, Oracle and other databases; via the SNMP, NetBIOS and ICMP protocols; on SMTP, IMAP, POP2 and POP3; various backdoors;
– web filters.
Most attacks on a system are known and unfold according to similar scenarios. The IDS has its own knowledge base in which all existing types of network threats are collected. The basic principle of Snort is to analyze the intercepted packets and search them for signatures similar to intrusion signatures. To identify a new threat, users can develop their own extension module and integrate it into an already running system.
Snort supports the following main modes of operation:
– in sniffer mode (traffic analyzer), network traffic is read and displayed on the screen;
– in packet logger mode, Snort writes network traffic to a log file;
– in intrusion detection mode, the system monitors network traffic and analyzes it against a set of user-defined rules, performs specific actions based on what has been detected, and uses an alert system.
In addition, the Snort-inline module is built into IDS Snort; it is designed to detect intrusions and respond to them automatically, so it performs the functions of an intrusion prevention system (IPS).
If the current state of the information system is described as a set of attribute-value pairs, and events are presented as actions that change these attributes, then the theory of finite automata can be used to describe an attack (Mahmoud, Ali, and Elshafie). In this case, the implementation of each attack corresponds to a sequence of transitions from the “initial” state of the system to its “final” state, which characterizes the completion of that attack. The conditions and direction of each transition are determined by a set of rules, as described above. This approach to describing an attack scenario is more accurate than a plain set of rules, since it takes into account the dynamics of the attack's development and can identify attempts to launch attacks hidden in an intensive stream of events generated by an attacker to cover up their real intentions.
Snort includes the following components:
– packet decode engine (decoders);
– preprocessor plug-ins (preprocessors: modules capable of reassembling a TCP stream, detecting port scans, defragmenting, etc.);
– detection engine (detection modules or detectors that perform matching against a set of rules; the rule header sets the action to take in case of a match);
– output plug-ins (output modules that write to files and issue warnings).
The main purpose of using real-time attack detection systems is to respond quickly to attempts to launch attacks, including stopping those attempts. Typical procedures for such systems are therefore the analysis and filtering of traffic at the network and transport layers of the OSI model. To reduce processing costs, often only packet headers are examined and their contents are “discarded”. This obviously reduces the list of detectable attacks significantly.
In addition, if the detection system is installed on a gateway that provides access from the local network to the Internet, then by filtering unwanted packets it can protect that local network from external attacks. In this case Snort performs the functions of a firewall (or controls one). Thus, network intrusion detection systems find their application in information systems where installing specialized software on users' computers is difficult and where the network segment must be isolated from external threats. It should be noted that analyzing an intensive data flow requires significant computing resources, so the hardware requirements for the node on which Snort is installed can be very high. This problem is most critical when protecting a network of several hundred computers with Internet access, a class that includes most networks of large enterprises.
The use of signature analysis methods requires the SOA developer to select or create a special language in which the events registered by the system can be described and the correspondences between them established. The universality and completeness of this language are decisive for the effective operation of the detection system, since ultimately the rules by which an attack is detected will be formulated in it.
Responding to an attempted attack may include a simple notification of the information system administrator as well as more active measures: breaking the established connection, disabling the vulnerable service, reprogramming the firewall to discard packets received from the attacker detected by the system, and others. A separate class of tools detects the “successful” completion of an attack by checking whether files have been altered. The checks range from the simplest, by file size and timestamp, to complex ones that use a hash not only of the file's contents but also of its location on the disk. The response to a change in a file can vary from running a predefined script to replacing the file with a “fresh” copy. Windows, for example, can restore some of its files without the user's knowledge if it detects that they have been replaced by someone else. This is not always convenient, for example if users have mistakenly designated a folder of user documents as a system folder. Therefore, more often than not, such tools do not operate without human control: they send warnings to the administrator, who decides what to do.
As an example that demonstrates the convenience and clarity of this kind of data protection, consider a web server protected from tampering in this way. Two computers are set up: one with access to the outside world, running the HTTP server that may be compromised, and a second, used for updates, which runs no HTTP service and perhaps has no access to the external network at all. Periodically the second computer checks the contents of the first over an internal communication channel and uploads its own copies of any changed files. Thus, replaced files survive only until the next check, after which the changes are reverted and a message is sent to the administrator about the need for further intervention. This scheme is not fully reliable, since the vulnerability is not closed and the server can be broken into again, but it is still used in some cases.
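The file-integrity checks and the two-computer restore scheme described above, as an added Python example that is not part of the essay and not taken from any particular tool. It builds a constructed "trusted" and "live" web root in a temporary directory, hashes every file together with its location on disk (the stronger check the text mentions), reports modified, added and removed files, and then pushes the trusted copies back over what would be the internal channel. The directory layout, the file names and the `restore` helper are assumptions made for the example.

```python
"""Constructed file-integrity check and restore for the two-machine web-server scheme."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(root: Path, path: Path) -> str:
    """SHA-256 over the file's location (path relative to the root) and its contents."""
    h = hashlib.sha256()
    h.update(path.relative_to(root).as_posix().encode() + b"\0")
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map every regular file under root (relative path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(root, p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def restore(trusted_root, live_root, report: dict) -> None:
    """Copy trusted versions over changed or deleted files and drop foreign files."""
    trusted, live = Path(trusted_root), Path(live_root)
    for rel in report["modified"] + report["removed"]:
        (live / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(trusted / rel, live / rel)
    for rel in report["added"]:
        (live / rel).unlink()


def demo():
    """Constructed scenario: baseline, tampering on the exposed copy, check, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, live = Path(tmp) / "trusted", Path(tmp) / "live"
        (trusted / "htdocs").mkdir(parents=True)
        for name, body in [("index.html", "<h1>welcome</h1>"),
                           ("about.html", "<p>about</p>"),
                           ("contact.html", "<p>contact</p>")]:
            (trusted / "htdocs" / name).write_text(body)
        shutil.copytree(trusted, live)        # the update machine provisions the live server
        baseline = snapshot(live)

        # Simulated tampering on the externally reachable machine.
        (live / "htdocs" / "index.html").write_text("<h1>defaced</h1>")
        (live / "htdocs" / "extra.html").write_text("<p>not ours</p>")
        (live / "htdocs" / "contact.html").unlink()

        report = compare(baseline, snapshot(live))   # what the administrator is told
        restore(trusted, live, report)
        after = compare(baseline, snapshot(live))    # should be clean again
        return report, after
```

`demo()` returns the report produced by the periodic check and the (empty) report taken after restoration; in the real scheme the first of these is what goes to the administrator.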
It should be noted that a large percentage of incidents are not recorded, so many attacks go unrecorded. The total number of attacks grows day by day with enviable constancy. Unwanted traffic to a host is now normal, and the various scans are no longer treated as incidents requiring immediate intervention because there are so many of them; finding and proving the malicious intent of an intruder, however, is not an easy task. This raises the question of choosing the means for separating more dangerous events from less dangerous ones. Host-oriented SOA, which examine log files and monitor the integrity of file systems, cannot always conclude that an attack has begun before its consequences become tangible. In order not to put existing systems at great risk, other means should be chosen; virtual traps (honeypots) are one such means. Once a packet enters Snort, it passes through the decoders and preprocessors in turn and only then reaches the detector, which begins to apply the rules.
The task of the decoders is to obtain data from the data link layer (Ethernet, PPP) and the network and transport layers (IP, TCP, UDP). Snort preprocessors are of two types: the first is designed to detect suspicious activity, and the second modifies transport- and network-layer packets for subsequent processing by the detection modules. (This process is called traffic normalization and makes it possible to detect attacks that manipulate the appearance of traffic to evade detection.) Applying the rules comes down to searching the reassembled packets for the signatures defined in the rules. The rules themselves consist of a description of the traffic, the signature sought, a description of the threat and a description of the reaction on detection. If the detection module determines that a packet satisfies a rule, it generates an event that is passed on to the Snort output modules. Output modules are used by Snort to record security events, logs, etc. to various devices and data stores; the system can be configured to log to a separate database or to binary and text files of various formats.
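The pipeline described here and in the component list above (decoders producing header fields and payload, a detection engine matching the rule header and the content signature, an output module writing alerts, with the rule header fixing the action) can be modelled in a few dozen lines of Python. This is an added example, not Snort's own code: the rule grammar it accepts is a deliberate subset of Snort's (action, protocol, addresses, ports and the options msg, content, nocase, sid and rev), the `Packet` and `Rule` classes are assumptions, and the sample rules and decoded packets are constructed for the example rather than taken from any capture.

```python
"""Toy model of Snort's decoder -> detection engine -> output pipeline.
Added illustration, not Snort's own code; the rule grammar is a small subset."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Packet:            # what the (hypothetical) decoder hands to the detector
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Rule:
    action: str          # alert / log / pass / drop: the action taken on a match
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


# Header: <action> <proto> <src> <sport> -> <dst> <dport> (<options>)
_HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")


def parse_rule(text: str) -> Rule:
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    opts = {}
    for raw in m["opts"].split(";"):      # simplification: no ';' inside quoted values
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(":")
            opts[key.strip()] = val.strip().strip('"') if val else True
    return Rule(m["action"], m["proto"].lower(), m["src"], m["sport"],
                m["dst"], m["dport"], opts)


def addr_match(spec: str, ip: str) -> bool:
    """'any', a single address or a CIDR block."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_match(spec: str, port: int) -> bool:
    """'any', a single port, or a range such as 1:1024, :1024, 1024:."""
    if spec == "any":
        return True
    if ":" not in spec:
        return port == int(spec)
    lo, _, hi = spec.partition(":")
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header fields first, then the content signature (plain text only, no |hex| form)."""
    if rule.proto not in ("ip", pkt.proto.lower()):
        return False
    if not (addr_match(rule.src, pkt.src) and port_match(rule.sport, pkt.sport)
            and addr_match(rule.dst, pkt.dst) and port_match(rule.dport, pkt.dport)):
        return False
    content = rule.options.get("content")
    if content is None:
        return True
    needle, hay = content.encode(), pkt.payload
    if rule.options.get("nocase"):
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def run_detection(rules, packets):
    """Detection engine: pass rules are tried first and silence the packet;
    every other matching rule yields an event for the output module."""
    ordered = sorted(rules, key=lambda r: r.action != "pass")
    events = []
    for pkt in packets:
        for rule in ordered:
            if not rule_matches(rule, pkt):
                continue
            if rule.action == "pass":
                break
            events.append({"action": rule.action, "msg": rule.options.get("msg", ""),
                           "sid": int(rule.options.get("sid", 0)),
                           "rev": int(rule.options.get("rev", 1)),
                           "src": f"{pkt.src}:{pkt.sport}", "dst": f"{pkt.dst}:{pkt.dport}"})
    return events


def format_alert(ev: dict) -> str:
    """Output module: one line per event in a Snort-like fast-alert layout."""
    return f"[**] [1:{ev['sid']}:{ev['rev']}] {ev['msg']} [**] {ev['src']} -> {ev['dst']}"


# Constructed sample rules and decoded packets (not from a real capture).
SAMPLE_RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"Web probe: cgi-bin request"; '
    'content:"/cgi-bin/"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> any 23 (msg:"Telnet connection attempt"; sid:1000002; rev:1;)',
    'pass tcp 10.0.0.5 any -> any 23 (msg:"Admin jump host allowed"; sid:1000003; rev:1;)',
)]
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.7", 51000, "192.168.1.10", 80, b"GET /CGI-BIN/test.cgi HTTP/1.0\r\n"),
    Packet("tcp", "203.0.113.7", 51001, "192.168.1.10", 443, b"GET /cgi-bin/ HTTP/1.0\r\n"),
    Packet("tcp", "203.0.113.7", 51002, "192.168.1.20", 23),
    Packet("tcp", "10.0.0.5", 51003, "192.168.1.20", 23),
]
```

Running `run_detection(SAMPLE_RULES, SAMPLE_PACKETS)` and printing each event through `format_alert` yields two alerts: the case-insensitive cgi-bin probe on port 80 and the Telnet attempt from the outside address; the request on port 443 misses on the header, and the Telnet connection from the jump host is silenced by the pass rule before any alert rule is consulted.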
If an attacker begins to probe the system's vulnerabilities using port scanning, that is, attempts a “port scan” attack, the number of rejected TCP connections will increase dramatically. Such a jump can be detected in various ways. First, the statistical criterion for the equality of the mean values of two random variables can be applied. To use it, however, two rather questionable assumptions must be made: that the random variables are normally distributed and that their variances are equal. Secondly, and this seems more appropriate, the mathematical methods known under the general name of “fusion detection methods” can be applied. These methods were developed specifically for this class of problems, originally in connection with tracking and control systems. Third, mathematical pattern recognition methods can be used. Developments using neural network analysis methods are also known, but the practical implementation of these methods in commercial software products has not yet been reported (Karim, et al.).
Many things are quite difficult or inefficient to implement using packet filters. For example, if a site must be allowed but part of it prohibited, the task requires a parser and packet analyzer, and the result is something like a transparent application gateway. It is therefore better to note at once that application gateways cope easily with this task. By established practice, nobody calls gateways firewalls, although they are a subtype of them. There are many application gateways, and many applications that use them. The most popular are HTTP proxy servers and, being popular, they are often subjected to various attacks. Among the open-source products distributed under the GNU Public License, the Squid package is the most popular.
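The first of the three methods above, the test for equality of the means of two samples, applied to counts of rejected TCP connections per time window, as an added Python example that is not part of the essay. The connection-log format, the window length and the source address are constructed for the example; the critical value is the one-sided 1% point of Student's t with 18 degrees of freedom, which fits ten baseline and ten recent windows and must be changed for other window counts. The test deliberately carries the two assumptions the essay names (normality and equal variances), which is why a pooled variance is used.

```python
"""Constructed example: a two-sample t-test on refused-connection counts per window.
Not from the essay; the log format, window size and threshold are assumptions."""
import math
import statistics


def make_lines(refused_per_window, start_ts=0, window_s=10, src="203.0.113.7"):
    """Constructed connection log: '<epoch> <src> <dst:port> <outcome>' per attempt."""
    lines = []
    for w, n in enumerate(refused_per_window):
        base = start_ts + w * window_s
        lines.append(f"{base} {src} 192.168.1.10:443 ESTABLISHED")   # normal traffic, ignored
        for j in range(n):
            lines.append(f"{base + j % window_s} {src} 192.168.1.10:{20 + j} REFUSED")
    return lines


def refused_per_window(lines, start_ts, window_s, n_windows):
    """Sensor side: count refused attempts in each fixed-length time window."""
    counts = [0] * n_windows
    for line in lines:
        ts, _src, _dst, outcome = line.split()
        idx = (int(ts) - start_ts) // window_s
        if outcome == "REFUSED" and 0 <= idx < n_windows:
            counts[idx] += 1
    return counts


def t_statistic(baseline, recent):
    """Student's two-sample t with pooled variance (assumes normality, equal variances)."""
    n1, n2 = len(baseline), len(recent)
    m1, m2 = statistics.mean(baseline), statistics.mean(recent)
    pooled = ((n1 - 1) * statistics.variance(baseline)
              + (n2 - 1) * statistics.variance(recent)) / (n1 + n2 - 2)
    if pooled == 0:                       # identical constant samples: no spread to compare
        return 0.0 if m1 == m2 else math.inf
    return (m2 - m1) / math.sqrt(pooled * (1 / n1 + 1 / n2))


def detect_scan(baseline, recent, t_crit=2.552):
    """t_crit defaults to the one-sided 1% point of t with 18 degrees of freedom,
    i.e. ten baseline and ten recent windows; adjust it for other sample sizes."""
    t = t_statistic(baseline, recent)
    return {"t": round(t, 2), "scan": t > t_crit}


def analyse_log(lines, start_ts, window_s, n_windows):
    """Treat the first half of the windows as baseline and the second half as recent."""
    counts = refused_per_window(lines, start_ts, window_s, n_windows)
    half = n_windows // 2
    return detect_scan(counts[:half], counts[half:])


# Constructed per-window counts: a quiet baseline, a scan phase, and a quiet control.
BASELINE = [2, 1, 3, 2, 1, 2, 3, 1, 2, 2]
SCAN = [38, 45, 52, 41, 47, 50, 44, 39, 48, 46]
QUIET = [2, 3, 1, 2, 2, 1, 3, 2, 2, 1]
```

`analyse_log(make_lines(BASELINE + SCAN), 0, 10, 20)` flags the scan (the statistic is far above the critical value), while `analyse_log(make_lines(BASELINE + QUIET), 0, 10, 20)` does not; the only tuning knobs are the window length, the number of windows and the critical value, which is what makes the method simple but also what ties it to the distributional assumptions the essay warns about.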
Among software products with closed code, it is difficult to list the most commonly used products.
A properly configured proxy server can protect against many attacks. First, in addition to protection, it can simply speed up work by caching various data. Secondly, it can hide the user by acting as an anonymizing proxy. An attacker will have to break into the proxy server first before getting to what is behind it. Quite often proxy servers are installed on gateways. Proxy servers can also deal with unauthorized users by not passing their packets. Since the proxy server itself establishes the connection at the application level, there are additional opportunities to change the transmitted content: before data are passed to the user, they can be checked for viruses on the fly and blocked or changed depending on the results of the checks (Khamphakdee, Benjamas, and Saiyod).
Deferred-processing systems analyze the contents of event logs or an array of pre-recorded traffic, while real-time systems analyze the incoming stream of events from software sensors. Obviously, an adequate response to an attempted attack, including its prevention, is possible only with real-time systems. This does not mean, however, that a real-time SOA is “better” than a deferred-processing system. A real-time SOA that has no attack-prevention functions is clearly less effective than a similar deferred-processing system, since in a real-time system one of the main performance criteria is the simplicity of the algorithms used rather than their optimality from the standpoint of reliably detecting attacks. The choice of one or another type of SOA should therefore be made on the basis of the tasks set for the detection system.
All SOA that detect attacks by signature have a database of known attacks (their signatures). Obviously, one of the principal shortcomings of this class of SOA is the inability to detect attacks whose signatures are missing from the database. To ensure the effective operation of the detection system, this database should therefore be updated regularly; updating, including automatic updating, is usually provided for by the system's developers. The advantages of systems that use signature analysis are the low probability of a “false alarm” (detecting an attack when there is none) and the relative ease of configuration.
The Snort distribution includes specifications and recommendations for the development of plug-ins by third-party authors. Snort supports three types of plug-ins: detection modules, preprocessors and output modules. It should be noted that if the recorded data are noisy because the offender's actions vary during an attack, or because the scenario mutates, direct comparison with the intrusion signature is ineffective. The signature analysis method therefore calls for artificial intelligence methods, which opens a wide area for studying possible improvements to the existing functionality-extension modules. Research and development of such improved modules is a topic for further research.
Most intruders initially try to attack nodes with already known attacks, since the probability that vulnerabilities for these attacks exist is higher; but the probability that such an attack is present in the signature database is also high, so Snort detects such attacks. Thus any scan is recognized almost without error. In response to an event, Snort can transfer control to any previously written script, which can initiate closing the connection with the attacking node or change the packet filtering policy. It follows that Snort works very closely with firewalls.
The absence of data in the traffic that correlates with one or another signature does not indicate the absence of intruders, so these tools use information from different places. Data collection in the network is carried out by sensors: small programs or devices located near the points being monitored that provide various information about the state of the monitored object. An object can be either a connection or the log file of some program. Tools that analyze log files are, historically, not called sensors. In fact, a sensor is a small copy of Snort that sends data to a common center, the core of Snort analysis.
All of the above can be located on one node, in which case it is difficult to separate some functions from others, or distributed across different places in the network.
Works Cited
- Karim, Imdadul, et al. “A comparative experimental design and performance analysis of Snort-based Intrusion Detection System in practical computer networks.” Computers 6.1 (2017): 6.
- Khamphakdee, Nattawat, Nunnapus Benjamas, and Saiyan Saiyod. “Improving intrusion detection system based on snort rules for network probe attack detection.” Information and Communication Technology (ICoICT), 2014 2nd International Conference on. IEEE, 2014.
- Kuvaiskii, Dmitrii, Somnath Chakrabarti, and Mona Vij. “Snort Intrusion Detection System with Intel Software Guard Extension (Intel SGX).” arXiv preprint arXiv:1802.00508 (2018).
- Mahmoud, Tarek M., Abdelmgeid A. Ali, and Hussein M. Elshafie. “A Hybrid Snort-Negative Selection Network Intrusion Detection Technique.” International Journal of Computer Applications 146.5 (2016).