Research and Analysis of Network Intrusion Detection Systems

GRADUATE PROJECT REPORT

Submitted to the Faculty of The Department of Computing Sciences, Texas A&M University-Corpus Christi, Corpus Christi, Texas

In Partial Fulfillment of the Requirement for the Degree of Master of Science in Computer Science

By Bhavani Sunke, Fall 2008

Committee Members: Dr. Mario Garcia, Committee Chairperson; Dr. Dulal C. Kar, Committee Member; Dr. David Thomas, Committee Member
ABSTRACT

Rapid technological advances in data processing, operations and maintenance permeate all facets of business and have therefore led to an increase in the development of strategic ways to mount malicious attacks on both public and personal computer networks and systems. Modern techniques and methodologies for detecting malevolent activity and attacks on computer systems and networks have evolved quickly in recent years. Intrusion Detection Systems (IDS) have become a critical means of ensuring the security of administered computer networks. IDS seek to detect intrusions before systems can be affected by malicious actions. They accomplish this by recording and analyzing the attempts an intruder makes to gather intelligence about a targeted system. While IDS tools have become prevalent in today's market, they are still not foolproof and can fail to identify serious malicious attacks. The intention of this project was to investigate selected existing network intrusion detection tools and techniques and to review the strategies they employ. The selected freeware tools, Snort and Sax2, were tested to analyze their behavior when confronted with particular well-known network attacks.
TABLE OF CONTENTS
Abstract ... ii
Table of Contents ... iii
List of Figures ... vi
List of Tables ... viii
1. Introduction ... 1
1.1 Intrusion ... 2
1.1.1 Popular Intrusions ... 3
1.1.2 Survey on Security Breaches ... 4
1.2 Intrusion Detection System ... 7
1.2.1 Various Definitions ... 7
1.3 What about a Firewall? ... 8
1.3.1 Packet Filtering ... 9
1.3.2 Circuit-level Gateway ... 9
1.3.3 Proxy Server ... 9
1.3.4 Application Gateway ... 9
1.4 Comparison of IDS with a Firewall ... 9
1.5 Evolution of IDS ... 10
1.6 Types of IDS ... 12
1.6.1 Host-based IDS ... 13
1.6.2 Network-based IDS ... 14
1.6.3 Comparison between HIDS and NIDS ... 14
1.7 PROS and CONS of IDS ... 15
1.8 Some of the Important Definitions to Understand This Paper ... 16
2. Network Intrusion Detection System ... 18
2.1 Previous Work Done and Evolution of IDS ... 18
2.2 Network-based IDS ... 20
2.2.1 Need for NIDS ... 20
2.2.2 Functioning of NIDS ... 22
2.2.3 Host-based IDS vs. Network-based IDS ... 25
2.3 Analysis and Comparison of IDS Tools ... 27
2.3.1 IDS Analysis ... 27
3. Research ... 30
3.1 Research on Attacks ... 30
3.1.1 Possibility of an Attack ... 30
3.1.2 Operating Systems Which Intruders Use ... 30
3.1.3 Origin of Intrusion ... 30
3.1.4 Reasons for Hacking ... 31
3.1.5 Attacks ... 32
3.2 Research on Freeware NIDS ... 35
3.2.1 Research on Windows-based NIDS ... 35
3.2.1.1 Snort IDS ... 35
3.2.1.2 Sax2 NIDS ... 39
3.2.2 Research on Linux-based IDS ... 47
3.2.2.1 Firestorm ... 47
3.2.2.2 Strata Guard ... 53
3.2.2.3 Bro-IDS ... 57
3.3 Writing Rules ... 63
3.3.1 What are the Rules? ... 63
3.3.2 Basic Rule Anatomy ... 63
4. Testing and Evaluation ... 66
4.1 Detection ... 67
4.1.1 Detection Capability ... 67
4.1.2 High Bandwidth Traffic Handling Capability ... 67
4.1.3 Testing DoS Attack ... 70
4.1.4 Ability to Determine Attack Success ... 70
4.1.5 Ability to Detect Never Before Seen Attacks ... 71
4.2 Response ... 71
4.3 Other Evaluation Measures ... 72
5. Future Work ... 73
6. Conclusion ... 74
Acknowledgement ... 75
Bibliography and References ... 76
LIST OF FIGURES
Figure 1.1 Number of Incidents by Percentage ... 4
Figure 1.2 Firewall protecting the network ... 8
Figure 1.3 IDS Block Diagram ... 12
Figure 1.4 HIDS ... 13
Figure 1.5 NIDS ... 14
Figure 2.1 Evolution of Intrusion Detection System ... 18
Figure 2.2 IDS Components ... 23
Figure 2.3 A sample IDS ... 24
Figure 2.4 Comparison of Knowledge-Based and Behavior-Based IDS ... 29
Figure 3.1 Components of Snort IDS ... 36
Figure 3.2 Packet Capture in Real Time Using Ethereal ... 37
Figure 3.3 Working of Snort ... 38
Figure 3.4 Sax2 Main Console ... 41
Figure 3.5 Node Explorer Window ... 42
Figure 3.6 Statistics View on Main Console of Sax2 ... 42
Figure 3.7 Conversation View of Sax2 IDS ... 43
Figure 3.8 Event View ... 44
Figure 3.9 Logs View ... 44
Figure 3.10 Knowledge Base Management in Sax2 IDS ... 45
Figure 3.11 Detection Expert Settings ... 46
Figure 3.12 Viewing .elog files using Ethereal Interface ... 49
Figure 3.13 Firestorm Analyst console displaying packets ... 50
Figure 3.14 Detection Capabilities Analysis Results ... 52
Figure 3.15 Scalability Analysis Report ... 52
Figure 3.16 Strata Guard network ... 54
Figure 3.17 Account Activity Tab List View ... 55
Figure 3.18 Comparison between Snort and Bro ... 60
Figure 3.19 Detection Rate Analysis ... 61
Figure 3.20 Rule syntax ... 63
Figure 3.21 Sample Snort Rule ... 63
Figure 3.22 Rule header attributes of a Snort rule ... 64
Figure 3.23 Rule Options ... 65
Figure 4.1 IDS Testing Network ... 66
Figure 4.2 Nmap Scan ... 68
Figure 4.3 Snort Capturing the Network for Events ... 68
Figure 4.4 Network Monitoring by Sax2 NIDS ... 69
Figure 4.5 Summary of the Captured Network Events ... 69
LIST OF TABLES
Table 1.1 A Glance at Various Attacks During the Years 2004-2008 ... 5
Table 1.2 List of Technologies Used in 2008 ... 6
Table 1.3 Comparison of HIDS and NIDS ... 14
Table 2.1 Comparative Analysis of HIDS vs. NIDS ... 26
Table 3.1 Popular Thirty-Nine Attacks ... 34
Table 3.2 Notations ... 60
Table 3.3 Summary of Comparison among Snort, Sax2, Firestorm, Strata Guard and Bro ... 61
Table 3.4 Description of Various Rule Actions ... 64
1. INTRODUCTION

The subject of Intrusion Detection Systems (IDS) on computer networks has become a topic of great importance for research. Threats against private and public networks mount daily, increasing the need for IDS on network systems throughout the corporate world. An IDS serves as a means of identifying, monitoring, reporting and, in some deployments, blocking anomalous behavior and unauthorized use of data on computer networks. In short, the function of an IDS is to safeguard the distributed computing environment that a particular network manages and controls.

An IDS accomplishes this by inspecting the content of every packet traveling through a given network in an effort to detect intrusions. Because it looks at packet content rather than only at headers, this monitoring provides better coverage than a firewall alone. An IDS records the traffic and sessions it observes as they traverse the network, and IDS have proven to be a viable measure for securing the information assets of organizations. They also provide valuable support for diagnosing and reviewing security threats. IDS come in different types based on how they function, and software developers around the world continually revise their products to keep up with the evolving techniques of intrusion creators.

The purpose of this research is to put some existing IDS tools available on today's market to the test and ultimately determine their efficacy as well as their ease of use. The paragraphs that follow define and describe different types of intrusions and introduce IDS.
1.1 Intrusion

The Merriam-Webster Online dictionary defines the verb intrude as the act of thrusting oneself in without invitation, permission, or welcome. In computer networking terms, an intrusion is an event in which someone breaks into a particular system or network without authorization. Although a physical intrusion into a place differs from an electronic intrusion into a digital environment, the two have the same significance. A widely used conceptual definition is: any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource [UCR 2008].

Broken down semantically, these are the data properties affected by a system intrusion:

Confidentiality: information is accessible only to authorized users and not to unauthorized persons.
Integrity: the trustworthiness of information, also known as data consistency; data must not be altered in an unauthorized manner.
Availability: information and services remain accessible to authorized users whenever they need them.

These three properties are the core characteristics of an information-assurance-secured system and together are referred to by the acronym CIA. If any one of the three is compromised, the security of the system as a whole has been compromised.

Intrusions can take many forms. The most common are engineered viruses or worms and password theft. A more sophisticated form is the takeover of an unencrypted session, such as a file transfer, commonly known as session or terminal hijacking.
Intrusions include any kind of unauthorized access to information, whether by insiders or outsiders.

1.1.1 Popular Intrusions

Popular intrusion types include evasion, insertion, port scanning, denial of service (DoS) attacks, user-to-root attacks (U2R) and remote-to-local attacks (R2L).

An evasion attack is planned with prior knowledge of the IDS in place. The intruder studies the attack signatures on which the IDS will alarm and disguises the attack so that the IDS does not recognize it: the end system accepts and processes data that the IDS rejected or never reconstructed.

An insertion attack exploits the opposite mismatch. An IDS that accepts a packet the end system will reject (for example, one with a bad checksum, or with a TTL too small to reach the destination) mistakenly believes that the end system has accepted and processed it [Ptacek 1998]. The intruder exploits this by deliberately sending such packets, so that the IDS's reconstruction of the data stream contains inserted bytes the end system never sees, and the signature the IDS is looking for is broken up [Ptacek 1998].

A port-scanning intruder probes the ports of a target host to find which are open, so as to break into it. A port scan is like ringing the doorbell to see whether someone is at home [AMP 2008]. The scanner sends a connection attempt to each port of interest and learns from the responses which ports are listening and which are closed. The intruder then probes the exposed services further to find a weakness and, once one is found, breaks into the network.

A denial of service (DoS) attack makes system resources unavailable to their legitimate (authorized) users. Blocking access to email, to specific sites, or to other services are all considered DoS attacks [McDowell 2004].
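The insertion attack described above, shown as an added example that is not part of the report or of any of the tools it evaluates. It models a sensor that reassembles every segment it sees on the wire next to the end host, which drops segments with a bad checksum or a TTL too low to reach it. The request, the segments, the signature and the assumption that the host is three hops beyond the sensor are all constructed for the illustration.

```python
"""Insertion attack against a naive TCP stream reassembler.

Added illustration for this section; it is not code from the report or from
any of the tools it evaluates. It models the Ptacek/Newman insertion attack:
a sensor that accepts a segment the end host will drop reconstructs a
different byte stream than the host and can miss the attack signature.
All segments below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

SIGNATURE = b"cgi-bin/phf"   # content the sensor is looking for

# Assumption for the example: the victim host sits three router hops beyond
# the sensor. A segment whose TTL is not greater than that never reaches it.
HOST_HOPS_BEYOND_SENSOR = 3


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    data: bytes
    ttl: int        # IP time-to-live as seen at the sensor
    checksum_ok: bool = True


def host_accepts(seg: Segment) -> bool:
    """What the end host will actually process: the segment must arrive
    intact and must survive the remaining hops."""
    return seg.checksum_ok and seg.ttl > HOST_HOPS_BEYOND_SENSOR


def sensor_accepts_anything(seg: Segment) -> bool:
    """Naive sensor policy: every segment on the wire is assumed valid."""
    return True


def reassemble(segments: Iterable[Segment],
               accept: Callable[[Segment], bool]) -> bytes:
    """Rebuild the byte stream from the segments that pass `accept`.
    Overlaps are resolved first-received-wins, which is what makes the
    inserted bytes stick in the naive sensor's view."""
    stream = {}
    for seg in segments:
        if not accept(seg):
            continue
        for offset, byte in enumerate(seg.data):
            stream.setdefault(seg.seq + offset, byte)
    return bytes(stream[pos] for pos in sorted(stream))


# Constructed attack: "GET /cgi-bin/phf HTTP/1.0" is sent in pieces, with a
# bogus segment for the "phf" bytes injected *before* the real one. Its TTL
# is too small to reach the host, but the sensor still sees it.
ATTACK = [
    Segment(seq=0,  data=b"GET /cgi-bin/", ttl=64),
    Segment(seq=13, data=b"xxx",           ttl=2),    # inserted: dies before the host
    Segment(seq=13, data=b"phf",           ttl=64),   # real bytes, arrive second
    Segment(seq=16, data=b" HTTP/1.0\r\n", ttl=64),
]


def naive_sensor_view(segments: Iterable[Segment]) -> bytes:
    return reassemble(segments, sensor_accepts_anything)


def host_view(segments: Iterable[Segment]) -> bytes:
    return reassemble(segments, host_accepts)


def hardened_sensor_view(segments: Iterable[Segment]) -> bytes:
    """Sensor that mirrors the host's acceptance rules (checksum and TTL)."""
    return reassemble(segments, host_accepts)


def detects(stream: bytes) -> bool:
    return SIGNATURE in stream


if __name__ == "__main__":
    for name, view in (("host", host_view), ("naive sensor", naive_sensor_view),
                       ("hardened sensor", hardened_sensor_view)):
        stream = view(ATTACK)
        print(f"{name:16s} {stream!r:34s} {'ALERT' if detects(stream) else 'no alert'}")
```

The naive sensor reconstructs "GET /cgi-bin/xxx HTTP/1.0" and stays silent, while the host receives and executes "GET /cgi-bin/phf HTTP/1.0". The hardened policy only works because it knows the target's hop distance and that the target verifies checksums; that dependence on per-host knowledge is why practical sensors moved to target-based reassembly policies rather than a single global rule.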
A user-to-root (U2R) attack is one in which a local user (the intruder) tries to gain unauthorized root access to a machine by exploiting vulnerabilities in its software [Chou 2007]. A remote-to-local (R2L) attack is one in which an intruder gains unauthorized local access to a machine from a remote machine by exploiting that machine's vulnerabilities [Chou 2007].

1.1.2 Survey on Security Breaches

The Computer Security Institute (CSI) conducted an extensive survey in 2008, titled Computer Crime and Security Survey, in which information was gathered from information security professionals throughout the United States. The goal of the survey is to increase security awareness as well as to help determine the scope of computer crime in the U.S. [Richardson 2008]. According to the CSI survey, 47% of the 250 respondents had experienced at least one incident, with the most common count being one to five incidents. Figure 1.1 shows a gradual decrease from 2004 to 2007 in the share of victims who experienced 6-10 incidents. In 2008 that share increased slightly but remained lower than in earlier years. Based on the graph below, 13% of those polled had experienced more than 10 incidents.

Figure 1.1 Number of Incidents by Percentage [Richardson 2008]

Table 1.1 summarizes the various types of attacks experienced by the surveyed security professionals. The survey shows a gradual decrease in the number of victims per attack type over the past years. It also shows that far more respondents encountered virus and insider attacks than any other form of intrusion.

Table 1.1 A glance at various attacks during the years 2004-2008 [Richardson 2008]

To be safe from intrusions, users have begun deploying the various security tools available on the market. The tools listed in Table 1.2 were developed to address a variety of security breach problems. Anti-virus software is the preferred basic security measure, and the table accordingly shows it with the highest percentage of usage. Although IDS are effective network security tools, they are not as widely used, largely because of their cost. The survey data indicate that users would rather be protected from intrusions than identify them and take responsibility for responding to each individual attack. Since firewalls provide basic protection, such as blocking traffic from threatening IP addresses, they are deployed more commonly than IDS tools.

Table 1.2 List of Technologies used in 2008 [Richardson 2008]

The survey reflects the fact that, compared with previous years, 2008 saw an improvement in blocking intrusions. This suggests that the solutions introduced into the corporate market have been more successful at curbing security breaches than earlier attempts.

1.2 Intrusion Detection System (IDS)

An intrusion detection system inspects inbound and outbound network activity, identifies suspicious manipulation of a network or system, and alerts the network administrator to any attempt to compromise a system. There are many technical definitions of IDS in computer networking terms; the following section presents the most common ones.

1.2.1 Various definitions

Well-known definitions of IDS include:

An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization) [TT 2005].

An intrusion detection system is any system or set of systems that has the ability to detect inappropriate or malicious activity on a system or network.

An intrusion detection system inspects all inbound and outbound network activity and identifies suspicious patterns that may be a sign of a network attack by someone attempting to break into or compromise a system [JC 2007].

Every definition above rests on the premise that an IDS may be either software or hardware that monitors network traffic to identify malicious activity attempting to compromise the network's security. An IDS identifies many types of attacks on a network that conventional firewalls cannot.

1.3 Firewall

A firewall can be defined as the first line of defense for a network, with the key purpose of protecting the network from unauthorized access. A firewall can be either a software program or a hardware device placed on the network boundary, where it acts as a guard over all inbound and outbound traffic. Administrators choose which traffic to allow or block by establishing rules for their private network. Depending on the type of firewall installed, they can block access to certain domain names or IP addresses and restrict certain traffic by blocking the TCP/IP ports it uses [QED 2005]. Figure 1.2 shows how a firewall is placed on a network.

Figure 1.2 Firewall protecting network [Boncheva 2006]

Firewalls use four basic mechanisms to restrict traffic. These mechanisms are explained in the following sections.
1.3.1 Packet Filtering

A packet filter evaluates the source and destination IP addresses and port numbers of each packet against its rule set. This is the criterion used to block or allow access by particular IP addresses [QED 2005]. Because it looks only at header fields, a packet filter cannot see what the payload of an allowed packet contains.

1.3.2 Circuit-level Gateway

A circuit-level gateway blocks all unsolicited inbound traffic. Client machines run software that lets them establish a connection through the circuit-level gateway machine. To the outside world, all communication from the internal network appears to originate from the circuit-level gateway [QED 2005].

1.3.3 Proxy Server

A proxy server is often used to boost the performance of a network through caching, and it also hides the internal IP addresses of the network. To the outside world, all communication appears to come from the proxy server's address [QED 2005].

1.3.4 Application Gateway

An application gateway is another form of proxy server. To the outside world, all communication appears to come from the application gateway's address. A connection is first established between the client and the application gateway, which decides whether the connection should be allowed. If it is, the gateway establishes a second connection with the destination machine on the client's behalf [QED 2005].

1.4 Comparison of IDS with a Firewall

Firewalls were long regarded as the essential solution for preventing network intrusions, but a firewall provides no capability to detect or respond to an intrusion attempt that gets past its rules. An IDS, on the other hand, provides continual real-time monitoring of a host or network with an emphasis on detecting and reporting particular intrusions [Dubrawsky 2001].

Network security is the reason both firewalls and IDS exist, but their functions differ. A firewall examines traffic crossing the network boundary and, according to its rules, decides whether to accept or block each connection, thereby preventing intrusions. An IDS also watches traffic that the firewall has allowed and traffic that originates inside the network, and it comes into action when it observes a suspected intrusion taking place [Wiki 2008]. An IDS detects and warns the user about an intrusion, whereas a firewall simply blocks the traffic, without a warning, according to the predefined rules written into it. An IDS is a security tool that analyzes and identifies malicious events by monitoring the traffic on the network. A firewall enforces the policies programmed into its configuration and logs events that violate those policies, with as much detail as possible, while guarding the borders of the network.

Having both an IDS and a firewall on a network provides better security, given their different functions and advantages. A system that has both, an IDS that warns the administrator of intrusions and a firewall that blocks the attacks, provides a more secure network environment. Some firewalls and IDS are combined into a single internet security product, for example Norton Internet Security, which is a well-designed combination of a firewall and an IDS [DSL 2003].

1.5 Evolution of IDS

IDS have existed since 1980, when the notion of intrusion detection was introduced by James Anderson's paper, Computer Security Threat Monitoring and Surveillance, written for a government organization [Sommer 2006]. After the release of this paper, detecting misuse became an active area of interest, and the auditing of data and its advantages achieved much progress. Since then, IDS have advanced and have gained great popularity in computer network security [Innella 2001].

In the early 1990s, commercial development of IDS technology began and IDS tools were developed. The first commercial vendor of IDS tools was Haystack Labs. Later, other tools were designed to monitor traffic and report misuse. IDS have become part of the security system of every major company and organization. They reduce the risk of intrusion and prevent serious attacks by alerting the system's administrators. IDS can detect the preambles to malicious attacks, and in doing so help the security team document and present the risks and threats. To improve IDS performance, IDS can assign different priorities to the alerts generated for different kinds of malicious activity; this is called prioritization.

For an organization's security system, an IDS serves as a quality-control mechanism, providing diagnosis, causes and details about different aspects of that system. An IDS can detect when an attacker has penetrated a system by exploiting an uncorrected or uncorrectable flaw. Furthermore, it serves as an important tool in system protection by bringing the fact that the system has been attacked to the attention of the administrators, who can then contain and recover from any damage that results. IDS verify, itemize and characterize the threat from both outside and inside the organization's network, assisting the user in making sound decisions about the allocation of computer security resources [CD 2001]. In a system without an IDS, adversaries are free to examine the system thoroughly with no risk of discovery.

Figure 1.3 describes the simple process model of an IDS. This block diagram gives an overview of how an intrusion detection system works; the detailed description is given in later sections.

Figure 1.3 IDS Block Diagram (Capture Data -> Analyze Data -> Respond)

An IDS functions in three phases. First it captures the data passing into and out of a network. Then it examines and analyzes the data and its behavior in order to decide whether it is malicious. If it determines that the data is malicious, it responds, for example by raising an alert or blocking the traffic to protect against further damage.

1.6 Types of IDS

IDS can be classified along several axes: signature-based versus anomaly-based, misuse detection versus anomaly detection, and passive versus reactive systems [JC 2007]. By deployment, IDS come in two forms: network-based IDS and host-based IDS. A host-based IDS protects a single system by auditing its activity and event logs; a network-based IDS monitors and analyzes network traffic. The two popular types mentioned above are therefore:

1. Host-based IDS
2. Network-based IDS

1.6.1 Host-based IDS (HIDS)

A HIDS is a software product that resides on a specific machine, called the host, protects that system and reveals whether it has been compromised. It monitors the integrity of the file system, the state of the system registry and the system logs of the host machine to find evidence of suspicious activity. If any user attempts to access unauthorized content on the host in a shared network, the HIDS identifies this and collects the relevant data as quickly as possible [Innella 2006]. A HIDS looks for intrusions only on the single host, not on the entire network. Tripwire, AIDE, Dragon Squire and EMERALD eXpert-BSM are examples of HIDS tools (Snort, discussed later, is primarily a network IDS, although it can be run on a single host to watch that host's own traffic).

Figure 1.4 HIDS [Magalhaes 2003]
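The file-system integrity monitoring mentioned above, as an added example that is not code from the report or from Tripwire, AIDE or any other tool it names. It hashes every file under a directory tree into a baseline, then diffs a later snapshot against it. The directory tree, its files and the simulated tampering are all constructed inside a temporary directory so the script runs anywhere.

```python
"""File-integrity monitoring, the core of Tripwire/AIDE-style HIDS.

Added example for this section, not code from the report or from any of the
tools it names. It builds a baseline of SHA-256 hashes for a directory tree,
then compares a later snapshot against it to report added, removed and
modified files. The directory tree and the 'intrusion' are constructed in a
temporary directory so the script runs anywhere.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[path.relative_to(root).as_posix()] = digest
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report what changed between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def simulate_intrusion() -> dict:
    """Build a tiny system image, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hostname").write_text("host01\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls binary")

        baseline = snapshot(root)   # in practice: stored read-only, off the host

        # Constructed compromise: trojaned binary, backdoor account, dropped file.
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned ls binary")
        with (root / "etc" / "passwd").open("a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        (root / "tmp").mkdir()
        (root / "tmp" / ".rk").write_text("rootkit staging\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in simulate_intrusion().items():
        print(f"{kind:8s} {paths}")
```

The check is only as trustworthy as the baseline: an intruder with root access on the host can rewrite the hash database along with the files, which is the point made in section 1.7 about IDS data being compromised before the attack is discovered. Keeping the baseline on read-only media or on a separate host is what makes the comparison tamper-evident.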
1.6.2 Network-based IDS (NIDS)

In general, a network-based IDS resides somewhere on the network, where it monitors all the traffic on its segment for malicious activity.

Figure 1.5 NIDS [Magalhaes 2003]

1.6.3 Comparison between HIDS and NIDS

Table 1.3 Comparison of HIDS and NIDS [Kozushko 2003]

Behavior | Host-based IDS | Network-based IDS
Detecting intrusions | Good at insider detection, bad at outsider detection | Good at outsider detection, bad at insider detection
Preventing intrusions | Good at prevention for insiders | Good at prevention for outsiders
Response to attacks | Weak real-time response, but good for long-term attacks | Strong response against outsiders
Damage assessment | Excellent for determining the extent of a compromise | Very weak damage assessment capabilities
Attack anticipation | Good at trending and detecting suspicious behavior patterns | None
1.7 PROS and CONS of IDS

Like every tool, IDS have their pros and cons. It can be said with certainty that an IDS addresses network security more thoroughly than a firewall alone. An IDS has the capability to react in a timely fashion, through automatic or manual intervention, to limit substantive harm. An anomaly-based IDS can discover new attack patterns, and an IDS that watches application logs and user actions can recognize attacks aimed at an application. A reactive IDS (often called an intrusion prevention system) is considered advantageous because it can drop attack traffic, log packets, terminate sessions, modify firewall policies and drive real-time alerting tools.

An IDS cannot inspect the contents of encrypted traffic, and even on cleartext its detection is not 100% reliable; this is one of the major arguments in the ongoing debate about IDS. Nevertheless, future IDS products can play a great and central role in network security. Another issue is that if the IDS itself is compromised, the data it collected may already have been tampered with before the attack was discovered or investigated; an attacker who controls the sensor can make its log files fail to distinguish legitimate from unwanted traffic. Many products are still not able to cope with very large traffic volumes and the packet-processing rate demanded by high-speed, high-bandwidth links, so the completeness of IDS logs as an audit record is limited under heavy traffic. Although an IDS inspects every packet on the network, it raises its alert only after the intruder has launched the attack. Network security managers also have to procure and integrate point solutions from other, supplementary vendors to fill the gaps, which can be characterized as incomplete attack coverage. Signature-based IDS need regular updates of their signature database to perform well. IDS log files may fail to identify the attackers, and may themselves have been tampered with or altered. A major argument against IDS is that they generate too many false alarms. An IDS concentrates on detecting attacks and attempts; a passive IDS does not provide prevention, which would make it a more effective tool. IDS logs are also used as evidence in the prosecution of cyber crimes. IDS are of considerable importance in computer networks and are also an active research topic today.

1.8 Some of the Important Definitions to Understand This Paper

SNMP (Simple Network Management Protocol): a protocol used by network management systems to interact with network elements. This is achieved by running an SNMP agent on each managed element; many network devices have built-in SNMP agents.

SNMP trap: a message initiated by a network element and sent to the network management system. Examples of SNMP traps: a router sending a message when one of its redundant power supplies fails; a printer sending an SNMP trap when a paper tray is out of paper.
ACL (Access Control List): a list of permissions attached to an object (a router, a firewall, a file, etc.). The list states who and what is allowed to access the object, and which actions are permitted on it. On a router or firewall, an ACL is typically evaluated rule by rule in order, and the first matching rule decides whether a packet is permitted or denied.

Packet defragmentation: when a datagram larger than the path's maximum transmission unit is sent to a host, it is fragmented into multiple IP packets. Defragmentation (reassembly) is the process of putting the fragments back together; a NIDS must do this before it can inspect the payload.
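The packet-filtering mechanism of section 1.3.1 and the ACL definition above, as an added example that is not code from the report or from any vendor's firewall. It evaluates an ordered ACL over header fields with first-match, default-deny semantics, and shows the consequence the report draws: a packet whose headers are permitted is passed regardless of its payload. The addresses, rules and the protected host 10.0.0.5 are constructed for the example.

```python
"""Stateless packet filter evaluating an ordered ACL.

Added example for sections 1.3.1 and 1.8, not code from the report or from
any vendor's firewall. It applies the first-match, default-deny semantics
typical of router and firewall ACLs to header fields only, and shows what
that implies: a packet whose headers are permitted is passed regardless of
its payload. Addresses and rules are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None matches any destination port


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


# Constructed policy for a small DMZ host 10.0.0.5: anyone may reach the web
# server, only the admin LAN 10.0.1.0/24 may reach ssh, and the explicit
# final rule drops everything else.
ACL = [
    Rule("permit", "tcp", ANY,                net("10.0.0.5/32"), 80),
    Rule("permit", "tcp", net("10.0.1.0/24"), net("10.0.0.5/32"), 22),
    Rule("deny",   "any", ANY,                ANY),
]


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return (
        rule.proto in ("any", proto)
        and ipaddress.ip_address(src) in rule.src
        and ipaddress.ip_address(dst) in rule.dst
        and (rule.dport is None or rule.dport == dport)
    )


def filter_packet(acl, proto: str, src: str, dst: str, dport: int,
                  payload: bytes = b"") -> str:
    """Return the action of the first matching rule; deny if none matches.
    `payload` is accepted only to make the point: it is never examined."""
    for rule in acl:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "deny"   # implicit default deny when the list is exhausted


if __name__ == "__main__":
    print(filter_packet(ACL, "tcp", "198.51.100.9", "10.0.0.5", 80))
    print(filter_packet(ACL, "tcp", "198.51.100.9", "10.0.0.5", 22))
    print(filter_packet(ACL, "tcp", "10.0.1.20", "10.0.0.5", 22))
    print(filter_packet(ACL, "udp", "10.0.1.20", "10.0.0.5", 53))
    # Header-only filtering lets a known attack string through to port 80.
    print(filter_packet(ACL, "tcp", "198.51.100.9", "10.0.0.5", 80,
                        b"GET /cgi-bin/phf HTTP/1.0\r\n"))
```

Rule order matters: moving the final deny rule to the top would silently shadow both permits, and the same first-match evaluation that makes the filter fast is what prevents it from ever looking past the header, which is the gap an IDS fills.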
2. NETWORK INTRUSION DETECTION SYSTEM

2.1 Previous Work Done and Evolution of IDS

The IDS concept has been around since 1980. It has become more popular recently and has begun to be incorporated into the information security infrastructure. Figure 2.1 shows the evolution of IDS in detail.

Figure 2.1 Evolution of Intrusion Detection System [Innella 2001]

The notion of IDS was introduced in 1980 with James Anderson's paper Computer Security Threat Monitoring and Surveillance, which was written for a government organization. With the publication of this paper, the concept of detecting misuse and specific user events emerged. This work was the beginning of host-based intrusion detection and of IDS in general.

Three years later, in 1983, SRI International and Dr. Dorothy Denning worked together on a government project that launched a fresh attempt to improve IDS development, with the goal of analyzing audit trails from government mainframe computers and creating user profiles based on their activities. One year later, in 1984, Dr. Denning developed the first model for IDS, known as the Intrusion Detection Expert System (IDES), providing the foundation for IDS technology development [Innella 2001].

In the meantime, significant progress was occurring at the University of California, Davis and at Lawrence Livermore Laboratories. The Haystack project released another IDS for the US Air Force in 1988. The goal of this project was to analyze audit data by comparing it with defined patterns. In 1989, developers from the Haystack project formed a commercial company, Haystack Labs, which released Stalker, the last generation of the technology: a host-based, pattern-matching system that included robust search capabilities to query the audit data manually and automatically [Innella 2001].

In 1990, the idea of network intrusion detection was introduced by Todd Heberlein of UC Davis, who developed the Network Security Monitor (NSM), the first network intrusion detection system. The first notion of hybrid intrusion detection was introduced by Heberlein together with the Haystack team. These developments brought intrusion detection into the commercial world; Haystack Labs was the first commercial vendor of IDS tools. In 1994, developers from the Air Force's Automated Security Incident Measurement (ASIM) project formed a commercial company, the Wheel Group, and released the first commercially viable network intrusion detection product, known as NetRanger.
Around 1997, IDS began gaining popularity in the market, and ISS developed a network-based IDS called RealSecure. In 1998, Cisco acquired the Wheel Group. Since 1999, the IDS market has boomed; according to the market statistics of the time, IDS became one of the best-selling security tools on the market. IDS tools have continued to evolve with automated technologies and have become an integral part of the information security field.

2.2 Network-based IDS

As mentioned in earlier sections, a NIDS monitors traffic on a network, looking for suspicious activity that could indicate an attack, such as unauthorized access, a virus or an intrusion. Some products combine this with host-based checks: monitoring system files for unauthorized changes in order to maintain file and data integrity, detecting changes in the core components of a server, and scanning server logs [RTEinc 2008].

Monitoring the traffic on a network segment is generally accomplished by placing the sensor's network interface card (NIC) in promiscuous mode so that it captures all traffic crossing that segment. Traffic on other segments, and traffic over other means of communication (such as phone lines), cannot be monitored, which is a limitation of NIDS. A segment here means the part of the network whose traffic reaches the sensor's interface, for example the traffic behind a particular server, switch, gateway or router; on a switched network the sensor is usually attached to a mirror (SPAN) port or a network tap so that it sees the traffic of other hosts.

2.2.1 Need for NIDS

Four major points illustrate the need for NIDS: threat assessment and analysis; asset identification and valuation; vulnerability analysis; and risk evaluation.
Threat assessment and analysis plays a major role by providing an estimate of the types of intrusion to expect, which helps in defining rules when deploying a NIDS on a network. The most common threats currently known are outsider attacks from the network and from telephone lines, insider attacks from the local network and from local machines, and attacks by malicious code. A firewall operates only as its administrator instructs it to, so it can fail to block an outsider attack that arrives over an allowed service, malicious code, or an insider attack from a machine on the same local network. A NIDS can detect such attacks: it comes with predefined rules that, like firewall rules, describe what to look for, and the knowledge base it builds from observed traffic aids in detecting these types of attacks [Northcutt 2002].

Asset identification results in protecting sensitive data. For example, the Office of Admissions and Records in an educational institution holds all the sensitive data pertaining to students, such as social security numbers. This data must be given high priority when it comes to security. Educational institutions should identify the machines that handle such data and deploy NIDS at the major locations through which it flows. The NIDS can be configured with rules that recognize the valuable data, for example by matching distinctive strings or markers embedded in sensitive records, so that its movement across the network is flagged.

Vulnerability to threats is dynamic, as it changes every day. Several vulnerability assessment tools are available on the market, including network-based, phone-line and system vulnerability scanners. A network-based scanner protects the network by checking for missing patches, open ports and other security holes [Northcutt 2002].
The above discussion recommends that organizations utilize NIDS to protect their networks from intrusion. The following section describes the mechanisms used by NIDS to implement security measures.

2.2.2 Functioning of NIDS

Intrusion detection systems are an important component of defensive measures protecting computer networks from abuse [McHugh 2000]. A NIDS monitors packets coming into the network and determines whether an intruder is breaking into a system; for example, it watches for a large number of TCP connection requests going to various ports on a destination system, to discover whether anyone is attempting a TCP port scan.

For many people, it can be confusing where on the network to place a NIDS. It can be placed either on the target system, where it monitors that system's traffic, or on a separate machine within the network (hub, router, or probe), which promiscuously monitors the entire network.

An Intrusion Detection System is composed of several components placed between the internal and external network. If more than two systems are connected on the administrative side of the IDS, then it is said to be an internal network. The external network means that the non-administrative side of the IDS is a public network.

An IDS comprises three main components. They are as follows: sensors that generate security events, a console on which to monitor activities and alerts and to control the sensors, and a central engine that records the events logged by the sensors in a database and then applies a system of rules to generate alerts from the security events received.
Figure 2.2 demonstrates the above description.

Figure 2.2 IDS Components [Kazienko 2003]

The sensor is the kernel of the IDS, in charge of detecting intrusions. It contains the decision-making mechanisms about intrusions. Sensors obtain raw data from information sources which are in the IDS knowledge base: syslog and audit trails. Figure 2.3 clearly shows how sensors work in an IDS. For example, syslog includes the configuration of file systems, user authorizations, etc. This data thus creates the foundation for the decision-making process. Figure 2.2 depicts that the sensor is integrated with another component responsible for data collection, known as an event generator. The event generator applies a policy to a set of events that may be a log or audit of system events. A sensor filters data, ignoring any irrelevant data obtained, to detect suspicious activities. To achieve this, the analyzer uses the detection policy database. The sensor maintains its own database which contains the dynamic history of possible intrusions.
Figure 2.3 A sample IDS. The arrow width is proportional to the amount of information flowing between system components [Kazienko 2003]

The following are the primary methods used by NIDS to report and block intrusions [Larrieu 2003]:

Reconfiguring third-party devices (firewall or Access Control Lists on routers)
The NIDS sends a command to a third-party device, such as a packet filter or firewall, to immediately reconfigure itself in order to block an intrusion. The reconfiguration is made possible by sending data explaining the alert in the packet header.

Sending an SNMP trap to a third-party hypervisor
This is achieved by sending an alert with details on the data involved, in the form of an SNMP datagram, to a third-party console such as HP OpenView, Tivoli, Cabletron Spectrum, etc. [Larrieu 2003].
Sending an email to one or more users
This can be achieved by sending an email to one or more inboxes to report a severe intrusion.

Logging the attack
In this method, the IDS saves the details of the alert in a central database, including information such as the timestamp, the IP address of the intruder, the IP address of the target, the protocol used, and the payload [Larrieu 2003].

Saving suspicious packets
In this method, the NIDS saves all raw network packets captured.

Opening an application
In this process, the NIDS launches an outside program to perform a specific action. The actions include sending an SMS text message, or playing a sound to indicate an alert.

Visual notification of an alert
Here, the NIDS displays an alert on one or more management consoles. The console is the interface for viewing the information of the NIDS.

2.2.3 Host-based IDS vs. Network-based IDS

Each system has its own advantages and disadvantages. Host-based IDS is preferred for a complete system security solution and Network-based IDS is desirable for
a LAN (Local Area Network) solution. The following table summarizes the comparison between Host-based and Network-based IDS. The left column describes the function to be performed on the network and the right column describes the behavior of HIDS and NIDS towards that function.

Table 2.1 Comparative Analysis of HIDS vs. NIDS [Magalhaes 2003]

Function | Comments on HIDS vs. NIDS
Protection on LAN | Both systems protect the LAN
Protection off LAN | Only HIDS protects the network off the LAN
Ease of Administration | The administration of NIDS and HIDS is equal from a central admin perspective.
Versatility | HIDS are more versatile systems.
Price | HIDS are more affordable systems if the right product is chosen.
Ease of Implementation | Both NIDS and HIDS are equal from a central control perspective
Little Training required | HIDS requires less training than NIDS
Total cost of ownership | HIDS costs less to own in the long run
Bandwidth requirements (LAN) | NIDS uses up LAN bandwidth. HIDS does not.
Network overhead | The NIDS has double the total network bandwidth requirements from any LAN
Bandwidth requirements (internet) | Both IDS need internet bandwidth to keep the pattern files current
Spanning port switching requirements | NIDS requires that port spanning be enabled to ensure that LAN traffic is scanned.
Update frequency to clients | HIDS updates all of the clients with a central pattern file.
Cross platform compatibility | NIDS are more adaptable to cross-platform environments.
Logging | Both systems have logging functionality
Local machine registry scans | Only HIDS can do these types of scans.
Upgrade potential | It is easier to upgrade software than hardware. HIDS can be upgraded through a centralized script. NIDS is typically flashed onto flash memory and has low overhead.
Alarm functions | Both systems alert the individual and the administrator.
Packet rejection | Only NIDS functions in this mode.
Specialist knowledge | More knowledge is required when installing and understanding how to use NIDS from a network security perspective.
Central management | NIDS are more centrally managed.
Disable risk factor | NIDS failure rate is much higher than HIDS failure rate. NIDS has one point of failure.
PAN scan | Only HIDS scans personal area networks.
Multiple LAN detection nodes | HIDS is a more comprehensive multiple-segment detection IDS than NIDS

2.3 Analysis and Comparison of IDS Tools

This phase deals with the study of IDS tools and comparing their features.

2.3.1 IDS Analysis

There are two key approaches for analyzing events to detect attacks. Based on the detection technique used, intrusion detection systems are categorized as Knowledge-based (misuse detection) and Behavior-based (anomaly detection) intrusion detection. Misuse detection analysis is aimed at known malicious items. Most commercial systems use this technique. Anomaly detection analysis checks for irregular patterns of activity. As with everything, IDS also has strengths and weaknesses associated with each approach, and it appears that the most effective IDS largely employ misuse detection
methods with a few anomaly detection components. More details about these approaches are described below.

Misuse Detection

In this practice, detectors study the system's activity, collect the necessary information and keep it in audit logs. The IDS then looks for events that match a predefined pattern of events. If a match occurs, it is reported as a known attack. A pattern which corresponds to a known attack is known as a signature, which is why misuse detection is sometimes called signature-based detection. Misuse detection identifies each pattern of events related to an attack as a separate signature. This category has advantages, such as being very successful at detecting attacks without generating a great number of false alarms and being able to diagnose the use of a specific attack technique in a very fast and reliable way. It also has a disadvantage: such systems are able to detect only those attacks they know about, so they must be updated frequently with signatures of new attacks.

Anomaly Detection

This practice is used to identify abnormal or unusual behavior, known as anomalies. Anomaly detectors function on the theory that attacks are different from normal activity and can therefore be detected by systems which identify these differences. They build profiles representing the normal behavior of users, hosts, or network connections. These profiles are built from data collected over a period of usual operation. The detectors then collect event data and apply a variety of measures to determine when monitored activity is abnormal. Figure 2.4 illustrates misuse and anomaly detection.
Figure 2.4 Comparison of Knowledge-Based and Behavior-Based IDS [Chou 2007]
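As an added illustration (not code from this report or from any of the tools it surveys), the following Python script runs both analysis approaches of section 2.3.1 over one constructed flow log: misuse detection matches each record against a small signature list, and anomaly detection builds a per-source profile from a normal period and then flags the behaviour section 2.2.2 describes, a large number of TCP connection requests to various ports on a destination system. The Flow record format, the two signatures, the IP addresses and the three-standard-deviation threshold are assumptions made for the example.

```python
"""Misuse (signature) detection and anomaly (profile) detection side by side.
Added example; the Flow record format, signatures and traffic are constructed
for illustration and are not taken from the report or any surveyed tool."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    proto: str
    dport: int
    flags: str      # TCP flag letters, e.g. "S" = SYN only, "FPU" = FIN+PSH+URG
    payload: bytes  # leading application-layer bytes, if any

# Misuse detection: one separate signature per known attack pattern. Every
# field present in a signature must match; absent fields act as wildcards.
SIGNATURES = [
    {"name": "phf CGI probe", "proto": "tcp", "dport": 80,
     "content": b"/cgi-bin/phf"},
    {"name": "FIN/PSH/URG probe", "proto": "tcp", "flags": "FPU"},
]


def misuse_detect(flows):
    """Return (ts, src, signature name) for every flow matching a signature."""
    alerts = []
    for f in flows:
        for sig in SIGNATURES:
            if sig["proto"] != f.proto:
                continue
            if "dport" in sig and sig["dport"] != f.dport:
                continue
            if "flags" in sig and sig["flags"] != f.flags:
                continue
            if "content" in sig and sig["content"] not in f.payload:
                continue
            alerts.append((f.ts, f.src, sig["name"]))
    return alerts


# Anomaly detection: profile normal fan-out, flag sources that exceed it.
def distinct_targets_per_src(flows):
    """Number of distinct (dst, dport) pairs each source sent a TCP SYN to."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items()}


class AnomalyDetector:
    def __init__(self, k=3.0):
        self.k = k                   # standard deviations above the mean
        self.mu = self.sigma = None  # learned during train()

    def train(self, normal_flows):
        """Build the profile from traffic collected during normal operation."""
        counts = list(distinct_targets_per_src(normal_flows).values())
        self.mu, self.sigma = mean(counts), pstdev(counts)

    def detect(self, flows):
        """Return (src, distinct targets) for sources above the threshold."""
        # sigma is floored at 1.0 so that a small, very uniform training set
        # does not make every slightly different host look anomalous.
        threshold = self.mu + self.k * max(self.sigma, 1.0)
        return [(src, n) for src, n in distinct_targets_per_src(flows).items()
                if n > threshold]


def analyze(normal_flows, monitored_flows):
    """Run both approaches; returns (misuse_alerts, anomaly_alerts)."""
    detector = AnomalyDetector()
    detector.train(normal_flows)
    return misuse_detect(monitored_flows), detector.detect(monitored_flows)


def tcp(ts, src, dst, dport, flags="S", payload=b""):
    return Flow(ts, src, dst, "tcp", dport, flags, payload)


# Constructed normal period: each internal client uses two or three services.
NORMAL = [
    tcp(1, "10.0.0.11", "10.0.0.5", 80), tcp(2, "10.0.0.11", "10.0.0.5", 443),
    tcp(3, "10.0.0.12", "10.0.0.5", 80), tcp(4, "10.0.0.12", "10.0.0.6", 25),
    tcp(5, "10.0.0.13", "10.0.0.5", 22), tcp(6, "10.0.0.13", "10.0.0.5", 80),
    tcp(7, "10.0.0.13", "10.0.0.6", 143),
]

# Constructed monitored period: ordinary web use, one request matching the
# phf signature, one FIN/PSH/URG probe, and a plain SYN sweep of 20 ports that
# matches no signature (only the anomaly detector can report it).
MONITORED = (
    [tcp(10 + i, "10.0.0.11", "10.0.0.5", 80) for i in range(3)]
    + [tcp(20, "192.0.2.77", "10.0.0.5", 80,
           payload=b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n")]
    + [tcp(25, "192.0.2.99", "10.0.0.5", 22, flags="FPU")]
    + [tcp(30 + p, "192.0.2.99", "10.0.0.5", p) for p in range(1, 21)]
)

if __name__ == "__main__":
    print(analyze(NORMAL, MONITORED))
```

Run stand-alone, the signature pass reports the phf request and the flag probe, while only the profile pass reports 192.0.2.99 for opening 20 distinct targets, the case the text says signature-only systems miss until a matching signature is written.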
3. RESEARCH

3.1 Research on Attacks

3.1.1 Possibility of an Attack

If a network is connected to the internet, there is the possibility that an attack may occur. As networks are generally connected 24 hours a day, the potential for attack is continual. Attacks mostly occur in the late hours of the night, relative to the location of the server [MCP 2008].

3.1.2 Operating Systems Which Intruders Use

Depending on the cost and the availability of tools, the operating systems used by intruders vary. Macintosh is the least preferred platform for an intruder, as there are not enough tools available for MacOS, and whatever tools are available cause great trouble with the network ports. Linux has become the most frequent platform used by intruders, as it is available at low cost; a Linux book costs around $40 including a CD-ROM. The majority of good tools can be easily ported to the UNIX platform, as they are mostly written in a UNIX environment [MCP 2008].

3.1.3 Origin of an Intrusion

In the early days of the internet, most intruders were youngsters who had very limited access to the internet. The one place where they could easily access the internet was universities, which influenced the origin and timing of attacks. Today's intruders have become more serious; they can break into a network from their home or office. These serious intruders use AOL as their provider rather than America Online, Prodigy or Microsoft networks. The reason intruders avoid these providers is that they turn intruders over to the authorities. One simple reason why big providers are easy for intruders to utilize is that they allow spammers onto their internet service with largely unwanted advertising [MCP 2008].

Most intruders are able to do any three of the following [MCP 2008]:
- Code in C, C++ or Perl
- Have in-depth knowledge of TCP/IP
- High internet usage
- Professional computer user
- Collect old, vintage or outdated computer hardware or software

3.1.4 Reasons for Hacking

There are several reasons for an intruder to attack a network. Listed below are a few of these reasons [MCP 2008]:
- Very simply, the intruder may not like the victim (Spite)
- To show how weak a user's security system is (Sport)
- An intruder is paid by someone to get personal data or to bring the victim down (Profit)
- Kids showing off to their friends or trying to become famous (Stupidity)
- Some people actually just want to know how things work or to explore new things (Curiosity)

The following section deals with four popular network attack types. These four types of attacks together comprise solid evaluation criteria to test the performance of an IDS. They are probing, Denial of Service, User to Root and Remote to User attacks.
3.1.5 Attacks

This section explains some examples of attacks. Explained below are the complex attacks an IDS may detect. In recent years, a large number of victims have suffered these attacks. Table 3.1 lists popular attacks from the following attack categories.

Probing

In a probing attack, an intruder scans a network to gather knowledge about known vulnerabilities. With a map of the computers and services that exist on a network, an intruder can use the information gathered to exploit the network. Different types of probes are readily available, including abusing the computer's legitimate features and using social engineering techniques. These attacks are the most commonly known and they require very little technical expertise [Mukkamala 2003].

Denial of Service Attacks

DoS attacks are a class of attacks whereby an intruder keeps a resource too busy with some workload to handle legitimate requests, resulting in legitimate users being denied access to a machine. There are several ways to launch DoS attacks, among them:
- abusing the machine's legitimate features
- targeting implementation bugs
- exploiting the system's misconfiguration

This class of attacks is categorized by the services that an intruder makes inaccessible to authorized users [Mukkamala 2003].
Definition of a Denial of Service (DoS) Attack

Making system resources unavailable to their legitimate (authorized) users is a Denial of Service attack. For example, blocking access to email, specific sites, and other services is considered to be a DoS attack [McDowell 2004].

Knowing if a DoS attack is occurring

If a disturbance occurs while accessing a service, it is not always due to a denial-of-service attack. There may be many reasons, like a technical problem with a particular network, or system administrators performing maintenance. In order to reveal whether a DoS attack is taking place or not, here are some symptoms which may indicate a DoS attack [McDowell 2004]:
- unusually slow network performance (opening files or accessing web sites)
- unavailability of a particular Web site
- inability to access any Web site
- a dramatic increase in the amount of spam received in an account

To avoid being a DoS victim

Unfortunately, there are no absolute means of avoiding being the victim of a DoS attack. But there are some precautions that reduce the chances that an intruder will be able to attack your computers:
- Installing and maintaining anti-virus software
- Using a firewall to curb inbound and outbound traffic
- Following good security measures when distributing a user's email address, and applying spam filters to reduce spam, will help to some extent in managing unwanted traffic

User to Root Attacks

These are also known as User to Super-user (U2Su) attacks. Here, an intruder begins with access to a normal user account on the system and exploits a vulnerability in order to obtain root access to the machine. The most common exploits here are regular buffer overflows, which are caused by common programming mistakes and environment assumptions [Mukkamala 2003].

Remote to User Attacks

An intruder sends packets to a machine over a network, and then exploits the machine's vulnerabilities to gain unauthorized local access as a user. There are several kinds of R2L attacks, most using social engineering [Mukkamala 2003].

Table 3.1 Popular Thirty-Nine Attacks [Chou 2007]

Probe: Ipsweep, Mscan, Nmap, Portsweep, Saint, Satan
DoS: Apache2, Back, Land, Mailbomb, Neptune, Pod, Processtable, Smurf, Teardrop, Udpstorm
U2R: Buffer_overflow, Httptunnel, Loadmodule, Perl, Ps, Rootkit, Sqlattack, Xterm
R2L: ftp_write, guess_passwd, imap, multihop, named, phf, sendmail, Snmpgetattack, Snmpguess, Spy, Warezclient, Warezmaster, Worm, Xclock, xsnoop
3.2 Research on Freeware NIDS

3.2.1 Research on Windows-based NIDS

3.2.1.1 Snort IDS

Snort is an open source, lightweight, full-featured network intrusion detection system, developed by Marty Roesch in 1998. A lightweight intrusion detection system can easily be deployed on almost any node of a network, with minimal disruption to operations [Roesch 1999]. Snort uses a rule-based language, combining the benefits of signature- and anomaly-based detection. Many researchers agree that Snort is the best IDS available. With millions of downloads to date, Snort is the most widely deployed intrusion detection system worldwide and has become the de facto standard for the industry [Snort 2008]. Many IDS use Snort's rules and act as front-ends with some other features. In 2003, 500,000 networks had Snort sensors, and in November 2003 the Snort website reported that 70,000 users had downloaded Snort [QOD 2004].

The ultimate reason to choose Snort for an organization is as follows: "Snort is versatile, can be used as an IDS, IPS (intrusion prevention system), scrubber, Inline firewall, etc. It has a huge user-base that updates signatures all the time, is open source so if a user ever needs to edit the code for a specific reason the code is available, and it is free. What is there not to like?" [QOD 2004].

Snort is able to perform IP defragmentation, TCP stream reassembly and stateful protocol analysis, and logs full packets, among other features. Snort can be used in three primary functional modes:
- Packet sniffer (like tcpdump)
- Packet logger
- Full-blown NIDS

Snort Architecture

A Snort IDS comprises the following components:
- Packet Decoder
- Preprocessors
- Detection Engine
- Logging and Alerting System
- Output Modules

Figure 3.1 Components of Snort IDS [Caswell 2003]

Packet Decoder

It takes packets from different network interfaces (Ethernet, etc.) and prepares them to be preprocessed; they are then sent on to the detection engine [Rehman 2003].
Figure 3.2 Packet Capture in Real Time Using Ethereal. Ethereal is a GUI-based protocol analyzer for data captured by Snort [Gerg 2004].

Preprocessors

These are plug-ins used to deal with packets, such as arranging and modifying them before the detection engine touches them. They may also identify intrusions by looking at packet headers and then generating alerts. The preprocessor is a vital component, as it prepares packets to be analyzed against the rules in the detection engine [Rehman 2003]. It performs packet defragmentation, HTTP URL decoding, TCP stream reassembly, etc.

Detection Engine

This is responsible for detecting any intrusion present in a packet. It uses rules to do this. If a match occurs, it takes the proper action, such as logging the packet or generating an alert; otherwise it drops the packet. The rules written for the IDS, the power of the system, the speed of the internal bus and the load on the network determine the load on the detection engine [Rehman 2003].

Output Plug-ins

These output the alerts generated by the preprocessors or the detection engine. Figure 3.3 shows the working of Snort using IDS-Center as a front end.

Figure 3.3 Working of Snort - sequence of steps showing the flow of activities

Advantages of Snort IDS
- Snort is a free, open-source, portable and fast IDS tool
- Snort is a lightweight tool (easy deployment on a system) and works on all major operating systems
- Snort provides extremely flexible detection and reporting. Its decoded output display is more user-friendly and understandable than that of other tools, like tcpdump
- The user can customize rules in an advanced rule set for better security
- Snort is technically, financially and administratively easier to implement when compared to other IDS tools [Roesch 1999]
- As a sensor, it does automatic traffic classification and performs real-time alerting [Roesch 1999]
- Snort performs focused monitoring (monitoring a single node (system) on the network for suspicious activities) [Roesch 1999]
- It is capable of logging to several databases, including SQL Server, MySQL, Oracle and PostgreSQL [QOD 2004]
- Snort is well suited to both small and large organizations as a security solution
- Performs high-speed decoding and stateless intrusion detection

Disadvantages
- Snort drops packets under load
- It is an IP-centric program [Roesch 2001]
- Protocol addition does not scale well with Snort's internal data structures
- As Snort is open source code, it is highly configurable and customizable. When things go wrong when using this product, there are no formal technical resources available on which to rely.
- Snort does not have a good, user-understandable management and configuration interface.

3.2.1.2 Sax2 NIDS

Sax2 is described as a proactive, professional Windows-based NIDS with advanced protocol analysis and automatic expert detection. It provides 24/7 internal and external real-time attack detection. It monitors the network traffic and analyzes it to check for security breaches, if any, and looks for possible signs of attack in the network system. Then it captures the data packets and blocks such events to protect the network from danger.
The operation of Sax2 is completely dependent on the analysis of internet protocols. The technology used by Sax2 is an efficient multi-pattern matching algorithm to analyze high-speed networks. The current features of Sax2 are as follows:
- improved and efficient performance using in-depth analysis of protocols
- accurate network monitoring
- powerful packet filtering capabilities
- recognizing TCP/IP data and submitting reorganized data to the detection engine
- adopts multi-pattern matching algorithms
- adopts protocol analysis methods for faster monitoring of network traffic
- comprehensive recognition of internet attacks
- flexible security policy settings
- use of statistical functions

Sax2 Architecture

It is comprised of the following modules:
- packet capturing
- matching rules
- protocol analysis
- comprehensive diagnosis
- incident response
- policy management
- logs display for results
Sax2 accomplishes the data capture, analysis and incident response of an IDS with all the above modules working together. Figure 3.4 shows the main console of Sax2 IDS.

Figure 3.4 Sax2 Main Console [Ax3Soft 2008]

The left-side pane outlined in the red rectangle is known as the Nodes Explorer and is shown clearly in Figure 3.5. This displays all the network IP addresses involved in communication with the network. If a particular node is selected, then it shows all the related information, such as logs, statistics and conversations, etc.
Figure 3.5 Node Explorer Window - displaying all the IP addresses involved in network communication [Ax3Soft 2008]

Figure 3.6 describes the statistics view of Sax2 IDS. It clearly shows that the tool has very rich statistics. Almost 100 statistical counters are provided in the console for users to see detailed statistical information.

Figure 3.6 Statistics View on the Main Console of Sax2 [Ax3Soft 2008]
In Figure 3.7, the blue rectangular box represents the conversations associated with an IP address. This is known as the conversation view, described in Figure 3.5. This is a more important part of Sax2 IDS. It includes IP, TCP, UDP and ICMP information and counts of source addresses, destination addresses, the data packets of a conversation and the size of these data packets, among other information. Figure 3.8 is the event log pane of intrusions, which is known as the Event view.

Figure 3.7 Conversation View of Sax2 IDS [Ax3Soft 2008]

Its main purpose is to focus on checking events. It has two parts; one is the invasion event pane and the other is the invasion log pane. The first shows event statistics, classified by the current network's statistical value for each event. The second shows the incidents related to that event. All traffic on a monitored network is recorded into logs, which can be observed in the log view. It collects all data and filters it, checking whether it is an HTTP request, e-mail message (using SMTP/POP3) or FTP transmission, etc., as shown in Figure 3.9. All logs are saved on the hard disk for records.
Figure 3.8 Event View [Ax3Soft 2008]

Figure 3.9 Logs View [Ax3Soft 2008]

The purple box in Figure 3.4 represents the status of the current monitoring being performed on the network. It shows the start time, duration, packets captured, packets accepted (highlighted in green), packets lost, buffer usage and traffic changes.
Figure 3.10 shows how the knowledge base is represented in Sax2. By default, Sax2 provides more than 1,500 security policies and provides the flexibility to customize those policies to make them more suitable for the network.

Figure 3.10 Knowledge Base Management in Sax2 IDS [Ax3Soft 2008]

Another important module of Sax2 IDS is the Detection Expert Settings. This analyzes the traffic at an expert level and reports malicious incidents to the administrator. Figure 3.11 shows this module.
Figure 3.11 Detection Expert Settings [Ax3Soft 2008]

Sax2 is capable of capturing traffic on more than one network adapter, if any are present. A real test is performed on Sax2 IDS using the Nmap tool; this is discussed in later sections. All of its features are great assets and make it advantageous when compared to other tools. Sax2 does not have a proper website structure, which leaves users disappointed with its support. This is a disadvantage of the tool.
3.2.2 Research on Linux-based NIDS

3.2.2.1 Firestorm

Firestorm is a Unix-based, GPL (General Public License) licensed NIDS with tremendous performance. It is a sensor providing real support for analysis, reporting and a remote console. It is more flexible because it is fully pluggable. Firestorm NIDS is available for download from the URL www.scaramanga.co.uk/firestorm/download.html. Firestorm is capable of capturing network traffic from a variety of sources, with the restriction that only one capture source can be used at a time; extensions can be written to capture from a new data source. It also supports high-speed, operating-system-specific capture plug-ins.

Firestorm NIDS comprises four architectural components [Leach 2003]. They are:
- Sensor (Firestorm-NIDS)
- Extended Logs (elog files)
- Stormwall
- Console

Sensor

The function of the sensor is to sniff network traffic on the network, analyze the traffic, and then spool the alerts in an extended log in the specific elog format. Firestorm uses Snort signatures to analyze the network traffic [Leach 2003].
Firestorm is capable of performing stateful analysis. In this phase, Firestorm performs different actions, including analyzing state information on the network, reassembling IP fragments, performing TCP connection tracking to avoid DoS attacks such as snot and stick, TCP stream reassembly, and application-layer stateful analysis. Firestorm is able to decode application-layer protocols. This is known as Full Application Layer Decode. Until now, only the HTTP protocol has been tested, and the Firestorm team is working on support for other protocols. Firestorm is compatible with Snort rules, protects the network from DoS attacks and also supports anomaly detection [Leach 2003]. Firestorm IDS is easy to use because it has only one configuration file.

Firestorm Configuration File

The Firestorm configuration file, firestorm.conf, has everything it needs defined within, which tells Firestorm how to behave. All the settings have to be defined in this file: capture settings, where to capture from, time limits, where to log, etc. Snort rules also have to be defined in this file. Thereby, the complete behavior of Firestorm IDS is controlled and managed by the firestorm.conf file.

Stormwall

Its goal is to monitor alert spools and to perform actions when new elog files appear. The sensor is responsible for notifying Stormwall if any changes to the spool occur [Leach 2003]. At this point, it is still under development.

Extended Logs

Also known as elogs, Extended Logs are a new layout for conveying alert information. This log file contains information about the packet, alert, decode, state tracking and other metadata. Elogs are an advantageous format as they keep all data in a single file. Firestorm does automatic log rotation when either the logs reach a definite file size or a certain time limit is reached [Leach 2003].

Figure 3.12 shows how elog files can be viewed. The Ethereal interface is one of the applications used to access and view elog files. It also shows the viewer that elog files record the time and source of the event, the destination, protocol information and a brief description of the activity. Clicking on a particular activity displays detailed information in the lower pane of the interface.

Figure 3.12 Viewing .elog files using the Ethereal Interface [Leach 2003]

Console

It allows the user to search, sort, filter, correlate and extract data from sensors. As of now, the console is not completely implemented.
Figure 3.13 Firestorm Analyst console displaying packets [Leach 2003]

Current features of Firestorm (current version):
- Capable of protocol anomaly detection and performs full application-layer decodes
- Fully pluggable
- Easy to configure; has a single config file
- Firestorm can run as a real-time process. This is possible if it is started as root.
- Provides a high-performance OS-specific capture module for Linux. To enable this, the capture block of the .conf file should be modified to capture pcap if = linux.
- Comprehensive Snort rule support
- Full IP defragmentation
- TCP stateful inspection
- GNOME2-based analyst console user interface
- Enhanced and advanced logging format for ease of analysis, the elog (extended log) file

Comparison between Snort and Firestorm

This section presents the results of a case study on Snort 1.8.3 and Firestorm 0.4.6. Leonardo Fagundes and Luciano Gaspary proposed evaluation criteria in 2006 in the paper "Network-Based IDS Evaluation", through a short-term experiment script. This analysis took place with three different traffic bandwidths: 4, 6 and 8 Mbps. Figure 3.14 describes the attacks performed on the network; an X represents that the IDS detected the attack, and an empty box represents that the respective IDS did not detect the attack. In Figure 3.14, Snort detected all the attacks, and Firestorm did also, except for one attack, i.e., the UDP scan. Figure 3.15 represents the traffic bandwidth and detection analysis of Snort and Firestorm for various attacks. The percentages were obtained by dividing the logs stored by the maximum number of alarms expected [Fagundes 2006]. This comparison reveals that Snort has better performance and detection ability than Firestorm.
Figure 3.14 Detection Capabilities Analysis Results [Fagundes 2006]

Figure 3.15 Scalability Analysis Report [Fagundes 2006]
3.2.2.2 Strata Guard

Strata Guard IDS is an award-winning Network-based Intrusion Detection System. It provides real-time security protection from network intrusions and malicious traffic. Strata Guard possesses the following features in order to protect the network [StillSecure 2008]:

Features
- Blocks malicious attacks, peer-to-peer file sharing, instant messaging, chat, prohibited browsing activity, and worm propagation
- Enforces network usage policies
- Detects anomalous activity such as spoofed attack source addresses, TCP state verification, and rogue services running on the network
- Eliminates false positives
- Ultra-fast initial device discovery: large networks are scanned rapidly
- Comprehensive scan rule database
- Automatic verification and assignment of vulnerabilities
- Application accuracy by TCP and UDP port scans
- Centralized administration
- Web-based system management interface
- Authenticated proxy server support
- Automatic data archiving
- Multiple report output formats
Strata Guard uses six different intrusion detection tools for complete network security. With signature-based and behavior-based attack detection, deep packet inspection, and protocol anomaly analysis, Strata Guard terminates network-, application- and service-level attacks, including worms, Trojans, spyware, port scans, DoS and DDoS (Distributed DoS) attacks, server exploit attempts, and viruses, before they gain access to the network and cause real damage [StillSecure 2008].

Strata Guard is designed as follows [StillSecure 2008]:
- A highly automated tool particularly developed and designed for ease of use
- Provides streamlined administration and management
- Possesses multi-node, multi-user management to provide proper levels of control for all users who need access to security data

Figure 3.16 Strata Guard network [StillSecure 2008]
Against DoS attacks, Strata Guard takes a multi-tiered approach. The defense against DoS attacks has two levels: one level regulates traffic, and the other limits the traffic to suppress DoS attacks. The Strata Guard website states that it maintains 60 rules to identify and block DoS attacks [StillSecure 2008].

Strata Guard uses the open-source Snort as a component within its structure. It does not work well in an ad hoc network; it needs a real network for testing, since it depends on several open-source software packages. Figure 3.17 shows how attack activity is logged and can be viewed on the console.

Figure 3.17 Account Activity Tab List View [StillSecure 2008]

With these features, Strata Guard provides many benefits over other IDS. The following is a list of the advantages and disadvantages of Strata Guard IDS [StillSecure 2008].
Advantages
- Scans multiple ports to discover hidden applications
- Quickly assesses and responds to changes on the network
- Ensures protection against commonly exploited vulnerabilities
- Simplified administration
- Reduces manual work by using automated vulnerability repair
- Compares vulnerability risks from multiple sources
- In-depth analysis of data
- Gives layered protection for the network
- Securely stores historical data for audit purposes
- Consolidated rule set from multiple sources
- Excellent attack detection
- Easy configuration user interface
- Eliminates false positives
- Provides gigabit-level scalability

Disadvantages
- Needs a dedicated machine; the host must run the StillSecure OS, which is installed with Strata Guard
- Expensive commercial IDS software
- Needs at least two NIC cards to run properly
- Depends on various open-source software tools
- Needs more storage than other IDS to hold historical data
Strata Guard is a recommended product for good security measures because of its wide range of features and benefits. It is an efficient tool for larger networks.

3.2.2.3 Bro IDS

Bro is an open-source, Unix-based, network-based IDS. It was developed by Vern Paxson at Lawrence Berkeley National Lab and the International Computer Science Institute. Like all NIDS, Bro monitors the network traffic to look for suspicious activity. It parses the network traffic to extract its application-level semantics and then executes event-oriented analyzers to compare the activities with patterns (whenever suspicious activity is found on the network, the IDS logs it, and those logged activities are used as patterns to check for similar activities).

Features of Bro network-based IDS
- Custom scripting language
- Pre-defined policy scripts
- Snort signature compatibility support
- Powerful signature matching facility
- Different approach to network analysis
- Detection is followed by an immediate action
Bro detects both specific and abnormal activities, such as certain hosts connecting to certain services, using signatures, and patterns of failed connection attempts. As Bro logs all activities in detail, it is most useful in forensic investigations. Bro is popular because it targets high-speed, high-volume intrusion detection and uses powerful packet filtering techniques to achieve the necessary performance.

Analyzing the traffic

First, Bro filters the network traffic, and the remaining information is sent to its event engine, where Bro interprets the structure of the network packets and abstracts them into higher-level events describing the activity. Lastly, Bro runs policy scripts against the events, looking for possible intrusions [Bro 2007].

Policy scripts

Bro uses a specialized policy language that allows a site to tailor Bro's operation, both as site policies evolve and as new attacks are discovered [Bro 2007]. These scripts are programs written in the Bro language and contain all the rules describing the types of events that are potential intrusions; the policy scripts analyze the activities and then initiate actions based on the analysis. Bro records the activities seen on the network in files and also generates alerts [Bro 2007]. It is worth considering why Bro needs a special language: the language understands network-specific notions such as ports, IP addresses and connections, and takes a different approach to analyzing the network, which makes the task easier. Users of Bro need not learn the Bro language to run it.
These scripts take actions such as the following:
- Generating output files that record the events on the monitored network
- Generating alerts if a problem is seen
- Terminating existing connections
- Blocking traffic by placing blocks in the router ACL
- Sending email messages to the user to report events

Difference between Snort and Bro

Snort is a purely signature-based IDS. It checks for very particular content in the network traffic and reports instances of that particular signature. Bro does much the same, but instead of treating signatures as fixed strings, it treats them as regular expressions. Bro is compatible with Snort signatures and converts them into Bro signatures using a script called snort2bro. In addition, Bro analyzes the network at deeper levels of abstraction and stores all past activity, integrating it with new activity [Bro 2007]. This feature is the biggest asset of Bro IDS.

Massicotte, Gagnon and Labiche carried out a case study on Snort 2.3.2 and Bro 0.9a9 on Linux systems. It is a comparative study evaluating both side by side. Figure 3.18 shows the results of the case study. VEP in the table refers to Vulnerability Exploitation Program. The table shows the data set used for the case study. The notations used in Figure 3.18 are described in Table 3.2.
Table 3.2 Notations

Alarm. & Compl. Det. to Part. Alarm. & Compl. Det. : Alarmist & Complete Detection to Partial Alarmist & Complete Detection
Alarm. & Compl. Det. to Quiet & Compl. Det. : Alarmist & Complete Detection to Quiet & Complete Detection
Part. Alarm. & Compl. Det. to Quiet & Compl. Det. : Partial Alarmist & Complete Detection to Quiet & Complete Detection
Part. Alarm. & Compl. Det. : Partial Alarmist & Complete Detection
Alarm. (Failed Only) to Part. Alarm. (Failed Only) : Alarmist (Failed Only) to Partial Alarmist (Failed Only)
Alarm. (Failed Only) to Quiet (Failed Only) : Alarmist (Failed Only) to Quiet Alarmist (Failed Only)

Figure 3.18 Comparison between Snort and Bro [Massicotte 2006]
Figure 3.19 shows the success and failure rate measures in detecting attacks, namely false positives, false negatives, true positives and true negatives. In Figure 3.19, panel (a) shows that Snort performs better than Bro on successful attacks, and panel (b) shows that Bro raised fewer false alarms than Snort.

Figure 3.19 Detection Rate Analysis [Massicotte 2006]

Table 3.3 Summary of comparison among Snort, Sax2, Firestorm, Strata Guard and Bro

Columns in order: Snort | Sax2 | Firestorm | Strata Guard | Bro

Cost: Open-source | Freeware; Shareware $69; Commercial $399 | Open-source, free | Commercial, $2500-$6000 | Open-source
Major supporting OS: OS independent (written in an interpreted language) | Windows | Unix | StillSecure OS | Unix
Other supporting OS: All major OS | None | Linux, FreeBSD, OpenBSD, Solaris | Windows, Linux using VMware | FreeBSD, Linux
Protocol analysis: Yes | Yes (IP, TCP, UDP, HTTP, FTP, POP3, SMTP, etc.) | Yes (currently only HTTP is tested) | Yes | Yes
Real-time traffic analysis: Yes | Yes | Yes | Yes | Yes
Packet logging: Yes | Yes | Yes (.elog files) | Yes | Yes
Anomaly detection: Not at this time; may do so in future | Yes | Yes | Yes | To some extent
URL encoding: Yes | Yes | No | Yes | No
UDP port scan: Yes | Yes | No | Yes | Yes
Fingerprinting: Yes | - | No | Yes | Yes
Stealth port scans: Yes | Yes | Yes | Yes | Yes
Eliminating false positives: Somewhat | Yes | No | Yes | No
Minimum number of NIC cards needed: 1 | 1 | 1 | 2 | 1
Throughput capability without packet loss: 100 Mbps | High | Full disk throughput | High (>200 Mbps) | High
Rule set: Flexible rule set | >1500 security rules | Uses Snort rules | 3500+ (uses Snort rules) | Bro signature policies; converts Snort signatures to Bro signatures
Customize rule set: Yes, very flexible | Yes, can import policies, update and customize | Yes (as it uses Snort) | Yes (uses Snort) | Yes
GUI-driven configuration: No | Yes | No | Yes | No
Ability to view attacks based on severity: No | Yes | No | Yes | No
IPS capability: Yes | No | No | Yes | No
Interface: Good | Very flexible | Not fully developed | Flexible | No
Attack response: Very good | Very good | Okay | Very good | Good
3.3 Writing Rules

3.3.1 What are the rules?

Rules define what the IDS should watch for: what and who constitute an intrusion. Defining a rule tells the IDS what to do, i.e., which traffic to consider suspicious and which is safe. Rules can be very specific, matching particular packet attributes or payload, a particular IP address or a port. Snort rules have a simple syntax; they are easy to read, create and understand, and they are customizable. Because they are simple, Snort sometimes does not identify certain types of attacks efficiently, but it covers almost all major intrusions. Snort rules are very flexible in single-packet analysis and can match both packet headers and payload.

3.3.2 Basic Rule Anatomy

A rule has two general parts: the first is the rule header (which every rule must have) and the second is the optional rule options part.

Figure 3.20 Rule syntax

Figure 3.21 demonstrates a sample Snort rule.

Figure 3.21 Sample Snort Rule

Rule Header

A rule header contains the rule action, the protocol, the source and destination IP addresses and port numbers, and the direction operator.
Figure 3.22 Rule header attributes of a Snort rule

There are various rule actions; Table 3.4 lists them with their descriptions. The protocol field can name protocols such as TCP, UDP, ICMP, IP, ARP, IGRP, GRE, OSPF, RIP and IPX. Currently Snort analyzes only the TCP, UDP, ICMP and IP protocols; in the future Snort may support the remaining ones. The direction operator -> indicates traffic flowing from the source host (IP address and port number on the left side) to the destination host (IP address and port number on the right side). To indicate bidirectional traffic, the <> operator is used, telling Snort to consider traffic between the address/port pairs on either side of the operator in both directions. There is no <- operator telling Snort to consider traffic from right to left.

Table 3.4 Description of various rule actions [Sturges 2008]

Alert: generate an alert, then log the packet
Log: log the packet
Pass: disregard the packet
Activate: alert, then activate another dynamic rule
Dynamic: remain inactive until activated by an activate rule
Drop: make iptables drop the packet and log it
Reject: make iptables drop the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP
Sdrop: make iptables drop the packet and do not log it
Rule options

Rule options form the heart of Snort's intrusion detection engine, combining ease of use with power and flexibility [Sturges 2008]. A semicolon (;) separates two rule options, and a colon (:) separates a rule option's keyword from its argument.

Figure 3.23 Rule Options

Here flags is the keyword naming the attribute, and SF is its value: it tells Snort to match packets with the TCP flag bits SYN (synchronize sequence numbers) and FIN (final, no more data from sender) set. The msg part tells the logging and alerting engine what message to record for the action taking place [Sturges 2008].
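The rule anatomy described in this section, header plus semicolon-separated options, is small enough to parse in a few lines. The following is an added example written for this report's discussion; it is not Snort's own code, and the three sample rules in it are constructed for illustration rather than taken from any published rule set. It validates the rule action against Table 3.4 and the protocol against the four Snort currently analyzes, rejects the non-existent <- operator, splits options on semicolons while respecting quoted arguments such as content strings, and expands a flags argument like SF into the flag names SYN and FIN.

```python
"""Snort rule anatomy as a small parser (added example, not Snort's own code)."""
import re
from dataclasses import dataclass, field

# Rule actions listed in Table 3.4.
RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
# Protocols the text says Snort analyzes at present.
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# Letters accepted by the flags keyword; 1 and 2 denote the two reserved bits.
TCP_FLAG_NAMES = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH",
                  "A": "ACK", "U": "URG", "1": "RESERVED1", "2": "RESERVED2"}

# header: action proto src_ip src_port (->|<>) dst_ip dst_port [ (options) ]
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<sip>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dip>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$"
)


@dataclass
class SnortRule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list = field(default_factory=list)  # [(keyword, argument or None), ...]


def split_options(body):
    """Split 'content:"a;b"; msg:"x"; nocase;' into (keyword, argument) pairs.

    The colon separates keyword from argument and the semicolon terminates each
    option; a semicolon inside a quoted argument does not end the option."""
    pairs, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            token = "".join(current).strip()
            if token:
                key, _, arg = token.partition(":")
                pairs.append((key.strip(), arg.strip() or None))
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        raise ValueError("rule option not terminated by ';': %r" % tail)
    return pairs


def parse_rule(text):
    """Parse one Snort rule line into a SnortRule, validating the header fields."""
    m = HEADER_RE.match(text)
    if not m:
        # Also rejects the non-existent '<-' operator: Snort only has -> and <>.
        raise ValueError("not a Snort rule header: %r" % text)
    action, proto = m["action"].lower(), m["proto"].lower()
    if action not in RULE_ACTIONS:
        raise ValueError("unknown rule action %r" % action)
    if proto not in PROTOCOLS:
        raise ValueError("protocol %r is not analyzed by Snort" % proto)
    opts = split_options(m["opts"]) if m["opts"] else []
    return SnortRule(action, proto, m["sip"], m["sport"], m["dir"], m["dip"], m["dport"], opts)


def describe_flags(arg):
    """Expand a flags argument ('SF', '+A', '0') into (modifier, [flag names])."""
    modifier = ""
    if arg and arg[0] in "+*!":          # optional match modifier prefix
        modifier, arg = arg[0], arg[1:]
    if arg == "0":                       # '0' means no TCP flags set
        return modifier, []
    return modifier, [TCP_FLAG_NAMES[c] for c in arg]


# Constructed sample rules for illustration (not from any rule set).
SAMPLE_RULES = [
    'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)',
    'alert tcp any any -> any 80 (flags:SF; msg:"SYN-FIN scan";)',
    'log tcp any any <> any 80 (content:"GET"; nocase; msg:"http get";)',
]

if __name__ == "__main__":
    for line in SAMPLE_RULES:
        rule = parse_rule(line)
        print(rule.action, rule.protocol, rule.direction, rule.dst_ip, rule.dst_port, dict(rule.options))
```

Running it prints the header fields and option dictionary of each sample rule; the second rule's flags:SF option expands through describe_flags to SYN and FIN, exactly the two bits the text says that option tests.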
4. TESTING AND EVALUATION

Testing and evaluating an IDS involves many things in terms of hardware and software. In order to follow the security restrictions and to be safe, it is always advisable to perform the evaluation on an ad hoc network rather than a production network. A group of computers should be connected to a hub in a network; Figure 4.1 shows how it looks.

Figure 4.1 IDS Testing Network

The testing criteria should include a very specific set of inputs, that is, a specific set of tools used to plan an attack. IDS evaluation can be divided into two general categories:
- Detection
- Response
4.1 Detection

4.1.1 Detection Capability

This test was carried out by planning attacks against the IDS. Specific attacks are used to test the performance of the IDS in terms of its ability to identify the attack. In the comparative analysis shown in 3.12, the categories of intrusion considered are Evasion, Insertion, Port scanning and Denial of Service. Specific attack tools are run on the network to determine whether the IDS is seeing the events. If it succeeds in logging all the events generated by those attack tools, the IDS is said to have good detection ability.

4.1.2 High Bandwidth Traffic Handling Capability

A good IDS should be able to handle high-bandwidth traffic. It should be able to analyze all the traffic coming in and going out of the network. This feature can be tested by creating traffic on the network and increasing it by running network scanning tools such as Nmap, Wireshark, etc. Intruders use this technique to make a network so busy that an IDS cannot handle the traffic and breaks down; the intruders then do their work on the network. This is known as a ping of death attack and comes under Denial of Service.

Figure 4.2 shows traffic being created using the Nmap tool. When Nmap is started, it scans for the IPs and ports in the network and then scans those ports. This tool is a network monitoring tool and indirectly creates traffic on the network. An IDS should be strong enough to deal with high bandwidths of traffic. Figure 4.3 shows Snort capturing the traffic with IDScenter as the front end. Figure 4.4 shows network monitoring by the Sax2 IDS, which captured 100% of the packets with 0% loss. It summarizes the captured network events as shown in Figure 4.5: warnings (yellow triangle), information (blue i), notices (green) and critical events (red symbol). Based on this, the administrator takes decisions to protect the network.

Figure 4.2 Nmap Scan

Figure 4.3 Snort Capturing the Network for events

Figure 4.4 Network monitoring by Sax2 NIDS

Figure 4.5 Summary of the captured network events
Both Snort and Sax2 NIDS were good at monitoring and logging the network activity; they differ in how they display it.

4.1.3 Testing DoS Attack

Hackers send a large amount of traffic to the victim system so that it cannot handle the traffic and its performance degrades, thus denying access to services. So an IDS should be able to predict a DoS attack when it sees a large amount of traffic from a single IP address or port, or from several different ones. This is how an IDS detects a DoS attack. To test whether the IDS is able to detect a DoS attack, a high bandwidth of traffic should be created by a system. In order to break into the victim's network within a given time, before the victim observes unknown activity on the system, the attacker must have a higher-speed internet connection than the victim. The attacker has to scan for open ports to break easily into the network. As most systems have a specific built-in DoS detection feature, the IDS should be able to report the attack to the system administrator by raising an alarm. Udpstorm, Teardrop, Mailbomb, etc., are popular DoS attacks used by many attackers these days.

4.1.4 Ability to Determine Attack Success

This measurement determines whether the IDS can verify the success of attacks from remote sites that give the attacker higher-level privileges on the attacked system. Many IDS do not differentiate failed attacks from successful ones. The capability to identify a successful attack is crucial for attack correlation and attack scenario analysis. This measure requires information about failed attacks as well as successful attacks [Mell 2002].
4.1.5 Ability to Detect Never Before Seen Attacks

This measurement tells how well an IDS can detect attacks that have not been seen before. In general, systems that detect previously unseen attacks produce more false positives than those that lack this feature. This measure identifies the tools with higher numbers of false positives [Hu 2002].

4.2 Response

After detecting an attack, the IDS has to respond fast, letting the administrator know about the attack. Generally, most IDS raise an alarm with a sound such as a ding or beep. The responses are divided into four types:
- False positive: a normal network event detected as an intrusion
- False negative: an intrusion detected as normal network activity
- True positive: a network intrusion detected as an intrusion
- True negative: normal activity detected as not an intrusion

Of these four, false positives and false negatives are the most widely discussed because they deal with intrusions, and these two are the key measures for evaluating an IDS. The false positive rate is defined as the frequency with which the IDS reports malicious activity in error, and the false negative rate as the frequency with which the IDS fails to raise an alert when malicious activity actually occurs [Chapple 2003]. A good IDS must have both a low false negative rate and a low false positive rate.
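Sections 4.1.3 and 4.2 together describe a volume-based DoS detector and the four response categories used to judge it. The following added example, which is not part of the report and not the code of any IDS discussed here, ties the two together: a sliding-window detector flags any source whose packet count over three consecutive seconds exceeds a threshold, and an evaluation function compares the flagged sources with a constructed ground truth to produce TP, FP, TN and FN counts plus the false positive and false negative rates defined in Section 4.2. The flow records and the attacker label are constructed sample data.

```python
"""Threshold DoS detection and its TP/FP/TN/FN evaluation (added example)."""
from collections import defaultdict, deque

# Constructed sample flow records: (second, source IP, packets seen in that second).
# 10.0.0.9 floods from t=3 to t=6; 10.0.0.7 has one short burst at t=6; 10.0.0.5 is quiet.
FLOWS = [
    (0, "10.0.0.5", 20), (0, "10.0.0.7", 15), (1, "10.0.0.5", 25), (1, "10.0.0.9", 30),
    (2, "10.0.0.7", 18), (3, "10.0.0.9", 900), (4, "10.0.0.9", 1200), (4, "10.0.0.5", 22),
    (5, "10.0.0.9", 1100), (6, "10.0.0.9", 950), (6, "10.0.0.7", 400), (7, "10.0.0.5", 19),
]
# Constructed ground truth: the sources that really attacked.
ATTACKERS = {"10.0.0.9"}


def detect_dos(flows, window=3, threshold=2000):
    """Return the sources whose packet total over any `window` consecutive seconds
    exceeds `threshold` (the 'large amount of traffic from one address' heuristic)."""
    flagged = set()
    history = defaultdict(deque)  # source -> deque of (second, packets) inside the window
    for second, src, packets in sorted(flows):
        q = history[src]
        q.append((second, packets))
        while q and q[0][0] <= second - window:   # drop records that fell out of the window
            q.popleft()
        if sum(p for _, p in q) > threshold:
            flagged.add(src)
    return flagged


def evaluate(flagged, attackers, all_sources):
    """Score detector output against ground truth using the four response types."""
    tp = len(flagged & attackers)              # intrusion reported as intrusion
    fp = len(flagged - attackers)              # normal source reported as intrusion
    fn = len(attackers - flagged)              # intrusion missed
    tn = len(all_sources - flagged - attackers)  # normal source left alone
    fp_rate = fp / (fp + tn) if (fp + tn) else 0.0
    fn_rate = fn / (fn + tp) if (fn + tp) else 0.0
    return {"TP": tp, "FP": fp, "TN": tn, "FN": fn, "fp_rate": fp_rate, "fn_rate": fn_rate}


def run(threshold):
    """Detect with the given threshold and evaluate against the constructed truth."""
    sources = {src for _, src, _ in FLOWS}
    return evaluate(detect_dos(FLOWS, threshold=threshold), ATTACKERS, sources)


if __name__ == "__main__":
    for t in (300, 2000, 5000):
        print("threshold", t, run(t))
```

Sweeping the threshold shows the trade-off the section describes: at 300 packets the short burst from 10.0.0.7 is flagged too (one false positive), at 2000 only the flooding host is caught, and at 5000 the flood is missed entirely (one false negative).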
4.3 Other Evaluation Measures

System Security

This tells the level of security provided by the IDS. Understanding of the nature and type of an attack differs from one IDS to another. If an IDS has a countermeasure for every attack it detects, it is considered a good IDS.

Supported Network Media

This tells whether the IDS needs very specific network media to be present in the network. For example, Bro needs a network tap to be present in the network.

User Interface

This measures how comfortable the console is for the user when following the IDS activities. A good user interface makes all the information easily accessible to the user.
5. FUTURE WORK

Due to limited resources and the University's security regulations, only Snort and Sax2 could be tested. As future work for this research and analysis, tests of the ability to detect DoS, User to Remote (U2R) and Local to Remote (L2R) access attacks can be performed on Snort and Sax2 NIDS, and also on Strata Guard and Bro if resources are available. With good test criteria and a proper data set, these performance tests can be carried out successfully. Though many IDS systems use Snort rules as their security policies, a few others, such as Sax2 IDS, use different policies. Therefore, this research leaves good scope for analyzing the security policies (rules).
6. CONCLUSION

This research project examines the efficacy of network intrusion detection system tools within computer networks. It provides a summary of the differences between HIDS and NIDS, and the advantages and disadvantages of the few IDS discussed in this research have been summarized and presented. The research also provides a survey of computer security. The architectures and behavior of Snort, Sax2, Firestorm, Bro and Strata Guard are described. A test was performed on Snort and Sax2 to check their ability to capture network traffic generated with the Nmap tool. Basic rule anatomy is discussed to explain the syntax of rules, which helps in customizing the rules for greater network security.
ACKNOWLEDGEMENT

Installing, testing and evaluating the tools discussed in this project would not have been completed without the support, patience and guidance of Mr. Steve Alves. I owe my deepest gratitude to him.
REFERENCES AND BIBLIOGRAPHY

[Ax3Soft 2008] Ax3 Soft Expert IDS. Sax2-IDS. Available from www.idssax2.com/screenshot.htm (visited Oct. 20, 2008).
[AMP 2008] Audit My PC. Port Scanning. Available from www.auditmypc.com/freescan/readingroom/port_scanning.asp (visited Oct. 15, 2008).
[Boncheva 2006] Boncheva, V. A Short Survey of Intrusion Detection Systems. Available from www.iit.bas.bg/pecr/58/23-30.pdf (visited Mar. 12, 2008).
[Bro 2007] Bro. Bro Intrusion Detection System. Lawrence Berkeley National Laboratory, National Science Foundation (2007). Available from www.bro-ids.org (visited Sept. 15, 2008).
[Caswell 2003] Caswell, B. Snort 2.0 Intrusion Detection. Syngress Publishing, Inc., Rockland, MA, pp. 55-73.
[CD 2001] Dupuis, C. Access Control Systems and Methodology. comsec.theclerk.com/cissp/domain_1.doc (Apr. 2001). Available from http://209.85.165.104/search?q=cache:jvhyh5xdrqj:comsec.theclerk.com/cissP/Domain_1.doc+comsec.theclerk.com/CISSP/Domain_1.doc&hl=en&ct=clnk&cd=1&gl=us (visited Sept. 10, 2007).
[Chapple 2003] Chapple, M. Evaluating and Tuning an Intrusion-Detection System. Available from http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci918619,00.html (visited Jul. 09, 2008).
[Chou 2007] Chou, T. Ensemble Fuzzy Belief Intrusion Detection Design. Available from www.proquest.umi.com (visited Sept. 15, 2008).
[CISSP 2008] CISSP 2008. Examining Different Types of Intrusion Detection Systems. Wiley Publishing, Inc. (2008). Available from www.dummies.com/wileycda/dummiesarticle/examining-different-types-of-Intrusion-Detection-Systems.id-5278.html (visited Jun. 18, 2008).
[Dubrawsky 2001] Dubrawsky, I. Freeware Intrusion Detection Tools (2001). Available from www.samag.com/documents/s=1147/sam0108o/0108o.htm (visited Nov. 9, 2007).
[DSL 2003] Broadband DSL Reports. Is There a Difference Between an IDS and a Firewall? Available from www.dslreports.com/faq/6036 (visited Aug. 26, 2008).
[Fagundes 2006] Fagundes, L.L. and Gaspary, L.P. Network-based Intrusion Detection Systems Evaluation Through a Short Term Experimental Script. In J. Ascenso et al. (eds), e-Business and Telecommunication Networks, pp. 159-165. Springer, Netherlands (2006).
[Gerg 2004] Gerg, C. and Cox, K. J. Managing Security with Snort and IDS Tools. O'Reilly Media, Inc., Sebastopol, CA (Aug. 2004).
[Innella 2001] Innella, P. The Evolution of Intrusion Detection Systems. Tetrad Digital Integrity, LLC. Available from www.securityfocus.com/infocus/1514 (visited May 09, 2008).
[Innella 2006] Innella, P. An Introduction to Intrusion Detection Systems. Available from www.securityfocus.com/infocus/1520 (visited May 27, 2008).
[JC 2007] Jupitermedia Corporation. Intrusion Detection System (2007). Available from http://www.webopedia.com/term/i/intrusion_detection_system.html (visited Aug. 26, 2007).
[Larrieu 2003] Larrieu, C. Prevention/Detection - IDS - Intrusion Detection Systems. Available from http://en.kioskea.net/detection/ids.php3 (visited Aug. 3, 2008).
[Leach 2003] Leach, J. Firestorm Network Intrusion Detection System (2002-2003). Available from www.scaramanga.co.uk/firestorm/documentation/firestormdoc.pdf (visited Aug. 22, 2008).
[Kazienko 2003] Kazienko, P. and Dorosz, P. Intrusion Detection Systems (IDS) Part I (network intrusions; attack symptoms; IDS tasks; and IDS architecture). Available from www.windowsecurity.com/articles/intrusion_detection_systems_ids_part_i_network_intrusions_attack_symptoms_ids_tasks_and_ids_architecture.html (visited Jun. 12, 2008).
[Kozushko 2003] Kozushko, H. Intrusion Detection: Host-Based and Network-Based Intrusion Detection Systems. White paper, 2003.
[Magalhaes 2003] Magalhaes, R. M. Intrusion Detection. Available from www.windowsecurity.com/articles/hids_vs_nids_part1.html (visited Jun. 18, 2008).
[Massicotte 2006] Massicotte, F., Gagnon, F., and Labiche, Y. Automatic Evaluation of Intrusion Detection Systems. Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC'06).
[McDowell 2004] McDowell, M. Understanding Denial-of-Service Attacks. Available from www.us-cert.gov/cas/tips/st04-015.html (visited May 25, 2008).
[McHugh 2000] McHugh, J. Defending Yourself: The Role of Intrusion Detection Systems. IEEE Computer Society Press, Los Alamitos, CA (September 2000). Volume 17, Issue 5, pp. 42-51.
[MCP 2008] Macmillan Computer Publishing. Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network. Available from www.newdata.box.sk/bx/hacker/index.htm (visited Oct. 23, 2008).
[Mukkamala 2003] Mukkamala, S. and Sung, A. H. Intrusion Detection Systems Using Adaptive Regression Splines. Available from http://salfordsystems.com/doc/iceis-final.pdf (visited Sept. 5, 2008).
[Northcutt 2002] Northcutt, S. and Novak, J. Network Intrusion Detection, 3rd Edition. New Riders Publishing, September 2002.
[Ptacek 1998] Ptacek, T.H. and Newsham, T.N. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Available from www.insecure.org/stf/secnet_ids/secnet_ids.html (visited Sept. 23, 2008).
[QED 2005] Quality Education Division, Education and Manpower Bureau, The Government of HKSAR. A Closer Look at Internet Firewalls. Available from www.edb.gov.hk/filemanager/en/content_4833/internet%20firewall%20%5bnov%2005%5d.pdf (visited Jun. 18, 2008).
[QOD 2004] QoDwriting. A Look into IDS/Snort. Available from www.freewebs.com/talug/snort.pdf (visited Sept. 15, 2008).
[Rehman 2003] Rehman, R. U. Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID (Bruce Perens' Open Source Series). Prentice Hall, 2003.
[Richardson 2008] Richardson, R. CSI Computer Crime & Security Survey. Computer Security Institute (2008).
[Roesch 1999] Roesch, M. Snort - Lightweight Intrusion Detection for Networks. Proceedings of LISA '99: 13th Systems Administration Conference, Seattle, 1999.
[Roesch 2001] Roesch, M. Snort. Available from www.blackhat.com/presentations/bhusa-01/martyroesch/bh-usa-01-marty-roesch.ppt (visited Oct. 23, 200).
[RTEinc 2008] Real Time Enterprises, Incorporated. Network Intrusion Detection System. Available from www.real-time.com/linuxsolutions/nids.html (visited Feb. 09, 2008).
[Snort 2008] Snort.org. Available from www.snort.org (visited Oct. 12, 2008).
[StillSecure 2008] StillSecure. Strata Guard: Flexible, Easy to Use IDS/IPS. Available from http://www.stillsecure.com/strataguard/ (visited Oct. 23, 2008).
[StillSecure 2008] StillSecure. VAM. Available from www.sunworks.ch/datasheets/21b.pdf (visited Oct. 23, 2008).
[Sturges 2008] Sturges, S. Writing Snort Rules: How to Write Snort Rules and Keep Your Sanity. Available from www.snort.org/docs/snort_htmanuals/htmanual_283/snort_manual.html (visited Aug. 09, 2008).
[TT 2005] Tech Target. Intrusion Detection (Jun. 2005). Available from www.searchsecurity.techtarget.com/sdefinition/0,,sid14_gci295031,00.html (visited Aug. 25, 2007).
[UCR 2008] UC Riverside Security. Security Glossary of Terms. Available from www.cnc.ucr.edu/security/index3.php?content=glossary.html (visited May 23, 2009).
[Wiki 2008] Wikipedia. Intrusion Detection System. Available from http://en.wikipedia.org/wiki/intrusion-detection_system (visited Oct. 18, 2009).