Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Transcription

1 Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of Department Computer Science Suresh Gyan Vihar University Jaipur, India Abstract: Today, organizations find it necessary to protect your valuable information and internal resources from unauthorized as the deployment of firewall access. As use of the Internet is growing rapidly the possibility of attack is also growing in this. Signatures may be present in different parts of the data packet depending on the nature of the attack. The main role intrusion detection systems on the network to help computer systems to prepare for and cope with network attacks. Intrusion Detection Systems (IDS) have become the key to the security of systems and network components. These systems ensure compliance with security policies by checking the arriving packets for known signatures (patterns). Snort is mostly used signature-based IDS, because the software is open source and easy. Basic Analysis and Security Engine (BASE) is also used to view alerts generated by Snort. In this work, we launched intrusion detection signature-based network using Snort and WinPcap. I. INTRODUCTION: As the use of technology increases, the risk associated with the technology also increases. Network security is a big issue among researchers. People working in the field of network security since 1987, when Dorothy Denning published a model of intrusion detection [1]. But so far we have received no perfect solution. While the presence of constant communication has created many new opportunities, it also brought new opportunities for attackers. Thus, the importance of network security is growing; One way to detect malicious activity on the network using an intrusion detection system The main function of network intrusion detection to help computer systems to prepare for and deal with network attacks. Features include intrusion detection system [2]: Analysis of abnormal activity patterns. Analysis of system configurations and Vulnerabilities. Opportunity to identify typical patterns attacks. Monitoring and analysis of the user and Operation System. Assessment system and the integrity of files. Intrusion Detection System (IDS) Check incoming packets for malicious content (the signature), as defined by the security policy. Unfortunately, the comparison of packet headers and equipment against the policies can be complicated and time consuming. For example, it has been found that matching content (scan signatures) is more than 70% of the time the packet processing [3] and [4]. This article deals with the analysis of abnormal activity was detected in our system using Snort 1924

2 Intrusion Detection and WinPcap. Snort is a popular intrusion detection used to verify the network packets and compares these packages with a database of known attack signatures database the attack signature must be updated from time to time. II. SIGNATURE-BASED NETWORK IDS Signature-based intrusion detection examines the current traffic activity, transaction, or behavior is consistent with the known models of known attacks of certain events. As in the case of anti-virus software, signature-based intrusion detection requires access to current database of attack signatures and somehow actively compare and contrast the current behavior with a large collection of signatures. Detection systems based on signatures (also called inadequate basis), this type of detection is very effective against known attacks [5]. This means that detection of abuse requires special knowledge of intrusive. Primer electronic signature SNORT intrusion detection system based Advantages [6]: Definitions Signature modeled known intrusive activity. Thus, the user can view the signature database, and quickly identify which activities intrusive system abuse detection programmed to alert. Detection system misuse to protect your network starts immediately after installation. There are a number of false positives, provided that the attacks were clearly defined in advance. When the alarm, the user can connect it directly to a specific activity occurring in the network. can run against your network. This leads to the need for frequent updates firms maintain its signature database misuse detection system to date. Detection of abuse is well known, issue warnings, regardless of the problem outcomes. For example, the window, the worm tries to attack the system Linux, identifiers bad use many alerts sent to unsuccessful attacks, which can be difficult to manage. Someone can configure the system to detect incorrect in his lab and deliberately try to find ways to launch attacks that bypass the detection by the detection of abuse. Knowledge about the attacks largely depends on the version of the operating system and applications, therefore linked to specific environments III. Component of Snort Snort is basically a combination of several components. All components work together to find a specific attack, and then take the appropriate measures necessary for the particular attack. It basically consists of the following components, as shown in Figure 1 [7]: 1. Packet Decoder 2. Preprocessor 3. Detection Engine 4. Logging and Alerting System 5. Output Modules Disadvantages [6]: One of the biggest challenges for signaturebased IDS, how to keep up with the large volume of incoming traffic when each packet must be compared with all signatures in the database. Therefore, the processing of all traffic is so long and slow operation. Abuse detection system must have a certain signature for any possible attack, an attacker Figure 1 [7] 1925

3 Package comes from the Internet and packet decoder enters and passes through several stages required actions taken by snorting at each stage, as if the scan engine to find different contents in the package and then the package and fall path of the output packet module is written in or warning is generated. 1. Packet Decoder: Packet decoders collects packets of various network interfaces, and then send the preprocessor to be or sent to the detection engine. The network interface may be Ethernet, SLIP, PPP, and so on. 2. Preprocessor: Works with Snort, to change or fix pack detection mechanism before applying any actions parcel if the package is damaged. Sometimes also generate alerts if they find any anomaly in the package. Basically, this corresponds to the entire circuit pattern. Thus, the change in the sequence or by adding additional value can fool intruders IDS, but the preprocessor will organize a chain and IDS can detect the network. The preprocessor does one very important task that defragmentation. Because sometimes the offender violating the company into two parts and send in two packages. So, before you check the package as a signature must be defragmented and only if the firm can be found, and this is done by the preprocessor. 3. Detection Engine: Its main task is to find a way intrusive activity complete with the help of Snort rules, and if found, then apply the appropriate rule otherwise, the packet is dropped. It takes time to react differently on different packages, and also depends on the capacity of the machine and the number of rules defined in the system. 4. Logging and Alerting System: This system is responsible for generating Notification and logging and messages. Depending on the scanning unit inside a package, the package may be used to record activity or generate an alarm. All log files are stored in the default preset. This place can be configured using command line parameters. There are many command line options to change the type and details of the information recorded in the system log and alert. All log files are stored by default in C: enter the folder \ Snort \ and using the -l command line option, the location can be changed. 5. Output Modules: Output modules or plug-ins to save the generated code by logging and warning system Snort depending on how the user wants for different operations. Mainly due to the different production logging and alarm systems monitored. Depending on the configuration, the output modules can send a number of other areas. More output modules are used: Database module is used to store the output Snort in databases such as MySQL, MSSQL or Oracle, SNMP module may be used to send Snort alert as traps to the management server, Module Server Message Block (SMB) Notification can send notifications machines Microsoft Windows, as arising alert windows SMB, The module registers the syslog messages to the syslog utility (use this module can log messages to a central server log.) IV. Rule structure of snort All the rules of IDS have two logical parts: rule header and the rule option [8]. This is shown in Figure 2. Figure 2: Basic Structure of IDS Rules Header information contains a rule that the rule action occurs. Also contains criteria to meet any rules on data packets. The option part usually contains an alert message and information about which part of the packet should be used to generate the alert message. The options part contains additional criteria for matching a rule against data packets. A rule may detect one type or multiple types of 1926

4 intrusion activity. Intelligent rules should be able to apply to multiple intrusion signatures. Figure3: Structure of IDS rule header The action part of the rule defines the type of actions to be taken when setting criteria and rules exactly matches against data packet. Among the activities that generate a warning or a record or run another rule. Part of the protocol used for the installation of the rules only for the specific protocol. This is the first criterion mentioned in the rule. Examples of protocols used are IP, ICMP, UDP, etc. The address part to determines the source and destination addresses. The address can be a host, multi-host or network address. Scholars can also use these parts to prevent any direction of the whole network. The source and destination address is determined on the basis of the address field. For example, if the address field "->", the left direction is the source address and destination on the right side. If the TCP or UDP protocol port of the definition of the ports of departure and destination of the packet in which the rule applies. In the case of network layer protocols, such as IP number, and ICMP port does not matter. Address of the rule actually determines the address and port number is used as the source and destination. Snort uses a pattern model corresponding to the detection network attack signatures using identifiers such as field TCP, IP addresses, TCP / UDP port, ICMP type / code, and circuits contained in the packet payload. For example, Snort rules can be like this: Alert tcp $HOME_NET > $EXTERNAL_NET any (msg: IDS80- BACKDOOR ACTIVITY- Possible Netbus/Gabanbus ;flags: SA) This rule is a template for NETBUS Troy. Violation of this rule, to understand how packets Snort engine recognizes the signature. Alert: Tcp: protocol. this is an alert message. snort will be focused on the IP $HOME_NET: HOME_NET is a variable set to an organization s IP address range 12345: destination TCP port no of original SYN packet from $EXTERNAL_NET. This represents the SYN/ACK portion of TCP handshake. -> : Specify that the traffic will be followed by IP source and destination IP HOME_NET, EXTERNAL_NET. $EXTERNAL_NET: EXTERNAL_NET a set of variables in the range of IP- addresses to be agreed. For example, it may be configured to if the IDS is to connect to the Internet. Any: Any keyword refers to the TCP source port number for the originator of the connection. Msg : printing. The log file is a message snort.alert Flags: SYN and ACK flags set. Other flags such as PSH, FIN, RST, URG, and can also be defined as part of the firm. V. Snort NIDS Topology From the figures presented [7], the concept of IDS signature based can easily understand specified. It is clear that when a person sends data over the network, so in the first place, it will be the Gateway and check the rule, and if it is malicious then discards the packet otherwise send to the target system. 1927

5 Figure 4: Snort NIDS Topology[7] Figure 5: Snort Signature Database [7] Figure 4 Snort IDS computer is connected via the Internet. Network packet Snort IDS devices. Before reaching the destination packages, sending monitors default gateway, if the package is malicious Snort IDS device drops the packet otherwise send packets to a device and if the figure 5 working device IDs makes it clear that the device checks how packets. Therefore, when a packet arrives at the comparing device, then use the tool to verify that the package database is stored in the phone IDS signature, and the best result is obtained if this packet is the basic data Then, the system discards the packet IDS otherwise sends the packet to the target system. VI. TOOLS USED IN SIGNATURE- BASED NIDS SYSTEM To implement a network intrusion detection system based on signature; we need to install some tools, such as Snort, base and WinPcap. Snort[9] Snort is a detection system and intrusion prevention systems with open source network [9] (available at: // You can analyze traffic analysis in real time stream data network. This is an opportunity to test and protocol analysis can detect various types of attacks. In NDI I snorted package mainly tested for user-written application. Snort rules can be written in any language, its structure as well and is easy to read and the rules can be changed too. In buffer overflow attacks, snort can detect the attack by comparing the previous pattern of attacks, and then take appropriate measures to prevent attacks. In signature-based system IDS, if the pattern matches, the attack can be easy to find, but when the system is not yet Snort another attack occurs overcome this limitation by analyzing the traffic in real time. Each time a packet enters the network, snort verifies the behavior of the network if the network performance degrades after Snort stop processing packets, the packet is dropped and keeps your data in the database Signature [10]. WinPcap WinPcap is an open source library for packet capture and network analysis [11] for the platform Win32. The purpose of WinPcap on this type of access to applications Win32; offering opportunities for: Raw capture packets for both the machine that is running and exchanged for other guests (in Shared Media) Packet filters in accordance with the user these rules before sending application. Transfer raw packets on the network. Collection of statistical information about the traffic on the network. Basic Analysis and Security Engine (BASE) [12] BASE is a web-based interface for analyzing Snort network intrusion detection. This application provides a web interface to query and analyze the alerts from the system Snort IDS. It uses the user authentication system and role of the base; so that 1928

6 you, as the security administrator can decide what and how much information each user can see. It also has an easy to use, setting via the Web interface of people are not comfortable editing files directly [12]. m_monitor = new Socket (AddressFamily.InterNetwork, ProtocolType.IP); SocketType.Raw, VII. IMPLEMENTATION DETAILS Engines Winpcap provide packet capture and filtering of many open source and commercial network tools, including protocol analyzer (packet sniffer), Network Monitor, intrusion detection systems, network traffic generators and network testers also saves the captured packets to a file [13] and read files containing the stored packets; applications can be written using WinPcap, to be able to capture and analyze network traffic, or to read a saved capture and analysis, using the same analysis koda.fayl recording is saved in a format that can be read using WinPcap in applications that understand this format For example, tcpdump, Wireshark, CA NETMASTER. Snapshot Figure 6: Packet Details As soon as we started the Internet host systems we have access to this module start capturing packets. Displays data in decimal format. Details of captured packets are shown in the snapshot. Default gateway is used to capture and control package is as follows: Get the IP-address to track / monitor. Figure7: Packet Information and Hex Data Once we select any package by double-clicking on it, as shown in the first picture, able to see the details of the package that is header fields and useful payload. Header part is IP-address of the source and destination IP address, protocol name, the time field, protocol version, header length, different types of services and the total length of the field in the air. Header field of the data shown in decimal form, and payload data is displayed in hexadecimal. VIII. CONCLUSION AND FUTURE WORK Safety is a big issue for all networks today business environment. Hackers and cybercriminals are many successful attempts to overthrow high profile business networks and web services. Snort is a free and powerful program that can analysis of real-time traffic and logging. It is considered the heart of intrusion detection systems. After identifying the Snort Intrusion then send notifications in the field of human security and human security are required to take immediate action. However, a strong intrusion detection system Snort; The problem is that the system Snort are not familiar with the operating system Windows. In this article, we have implemented a signature-based network intrusion detection system Snort and 1929

7 configured with the environment based on Windows. The results show that Snort IDS can be configured with Windows, and can be installed as a firewall. Future work is to develop a parallel technique(parallelization) to improve performance Intrusion detection system based on a network of signatures and reduces the traffic handling. REFERENCES [1] D. E. Denning. An Intrusion-Detection Model. IEEE transactions on software engineering, Volume : 13 Issue: 2, February [2] Harley Kozushko, Intrusion Detection: Host-Based and Network-Based Intrusion Detection Systems, on September 11, [3] S. Antonatos K.G. Anagnostakis and E. P. Markats. Generating realistic workloads for network intrusion detection systems. In Proceedings ACM Workshop on Software and Performance., [4] Mike Fisk and George Varghese. Fast content-based packet handling for intrusion detection. Technical report, University of California at San Diego,