Snort, Intrusion Detection, and Unauthorized Use

What Is an Intrusion Detection System?

Alt-text: an illustration of the flow of the intrusion detection system, where the IDS comes between the local computers and the firewall.

Source

An intrusion detection system (IDS) is used to detect attacks against a network or a computer system at an early stage. The necessary IDS software can be installed on the computer system to be monitored on a separate device. Many vendors offer pre-configured IDS software that is relatively expensive. IDSs monitor and analyze all network activity to detect unusual traffic and warn the user in such a case. Thus, this allows users to react to attempts to access the system from intruders and prevent an attack. 

Operation of Modern Attack Detection Systems

Current IDSs generally combine the two approaches to ensure an even higher attack detection rate. This hybrid system is characterized by a centralized management system fed with the corresponding information by network-based and host-based software. Three basic components are involved in the detection process:

Data monitoring

The data monitor has the task of collecting and pre-filtering all relevant and necessary data to unmask intruders. This is the previously mentioned audit data like log files from computer systems and security applications and system information like CPU load, number of active network connections, or number of repeated connection attempts. Additionally, the network-based IDS sensor analyses data about TCP / IP connections, such as source/destination addresses and other information about sent and sent packets.

Analysis

Upon collection and prefiltering the data, the monitor sends them to the analyzer. Otherwise, the break-in attempts will not be foiled, as the information obtained must be processed and evaluated in real-time because of this, the underlying hardware (in particular the CPU and memory) is subjected to relatively high demands. In giant corporate networks, the scaling of the IDS component is more complex but also the most important task to ensure the system’s function. A data analyzer can evaluate data in two different ways:

In the event of ” Misuse Detection”, the analyzer tries to recognize known attack patterns, called signatures, in the data received. This information is stored in a separate database called the signature library, which is regularly updated. Database entries also provide details about the severity of the attack associated with each signature. However, an access pattern that is not stored in the signature library remains hidden from this detection method.

There is another anomaly detection method that assumes unauthorized access leads to unusual behavior and deviations from the standards defined previously. It is possible to configure the analyzer to send an alert whenever CPU load or page access rate exceeds a certain threshold (statically). He can also include in his assessment the chronological sequence of events (logical approach). Although anomaly detection can detect new and unknown attacks, this detection method can also generate alerts in certain cases of unusual system conditions that are not caused by a hacker or an attack.

Transmission of results

In the last step, the intrusion detection system informs the network administrator in the event of an attack detected or suspicious behavior of the system. Depending on each level of dangerousness, there are several possibilities for the notification. For example, the defense system can:

  • Send an email with the nature of the attack
  • Trigger a local alarm as a pop-up window in the security console.
  • Or send an alert notification to a mobile device.

At the level of anomaly detection, the degree of risk is calculated according to the degree of deviation from the corresponding standard value. At the same time, the procedure for detecting misuse is recommended for the classification of the library of signatures.

What Is an Intrusion Prevention System?

an illustration of the functioning of an intrusion prevention system in which a firewall divides the router and internet from the switch, server, and IPS,

Source

As the name suggests, intrusion prevention systems (IPSs) go even further than IDSs: after detecting a potential attack, they not only notify the administrator but also immediately put appropriate countermeasures into action. This avoids having too long a delay between detecting a problem and the reaction to it, unlike what can happen with an IDS software. 

However, there is virtually no difference between the two network protection mechanisms regarding the analysis methods used. Like in an IDS, a modern IPS is used to host and network sensors to record and evaluate system data and network packets.

An IPS must generally be individually configurable to prevent the user’s current actions from being classified as dangerous and, therefore, blocked by the anomaly detector. This allows you to implement both prevention and detection in many programs and choose between active blocking and pure monitoring. 

It is, therefore, conceivable to have a system combining the two approaches or using two distinct systems. The latter variant is recommended because filtering and blocking can be distributed in different hardware environments.

Snort: Flexible Rules to Secure a Network

omepage of the Snort website as available to users.

As early as 1998, programmer Martin Roesch released Snort security software in a Unix version. Since 2013, Cisco Systems has been responsible for the development of the multi-platform and GPL-licensed program. It offers different models of commercial subscriptions for this free software. These subscriptions allow individuals and businesses to update the rules faster and provide additional user support. 

Snort offers you the ability to create powerful network IPSs. However, you can also configure the software to allow simple monitoring of the respective components and serve as the basis of an IDS.

Snort checks network traffic in real-time and uses Misuse Detection Engine BASE for analysis. He compares the packet’s inbound and outbound data with the signing of inputs named in the rules. Cisco Systems regularly adds recently discovered attack patterns to this ruleset. Customers who pay for a subscription receive updates more quickly. You can also define your own rules to improve the detection capabilities of your Snort system. The possible attacks that an IDS must detect are:

  • Passive attacks, such as sniffing, which consists of spying on the traffic of others that crosses an element of the network.     
  • Active attacks, such as routing attacks (illicitly changing the correct routing of a portion of network traffic), spoof attacks (when the attacker communicates with a server on the network posing as an authorized computer), and denial of service attacks.

In summary, the basic requirements of a good IDS are as follows:

  • A system must recognize any suspicious activity or event that could potentially be an attack.
  • Intruder behavior should be detected at the lowest possible level.
  • The system must be able to adapt to changes in attack methods.
  • The system must be capable of handling multiple attacks.
  • The system must be scalable and easily upgradeable to reflect changes in the network.
  • The system must be able to protect itself from intrusion.

Assuming that all intrusive activities are necessarily anomalous, systems that adopt an anomaly detection technique essentially perform a statistical analysis to find deviations from a basic behavior. These types of systems have the advantage of detecting new single or cooperative attacks. However, they also have the problem of generating false positives and false negatives.

Snort Rules

There are a number of guidelines to follow when writing new rules. They must be written on a single line. In fact, the Snort parser does not recognize rules written on multiple lines. The rules must be divided into two logical sections:

  • Header: It contains the action of the rule, protocol, source and destination IP address, and port information. It contains the information that defines the “who, where, and what to do” of the packages.
  • Options: This contains alerts and information on which parts of the packages should be analyzed to determine if the action rules should be executed. This section is not specifically required by all rules.

A Snort rule is composed as follows:

Func:

It indicates the action of the rule and can take the following values:

  • Alert – generate an alert using the selected alert method, and then log the package
  • Log – log the package
  • Pass – ignore the packet
  • Activate – generates an alert is triggered action 
  • Dynamic – remains inactive until it is activated by an action—then it acts as a log

Protocol:

It indicates the protocol used by the packet, which can be TCP, UDP, or ICMP;

  • sorg_ip/mask, dest_ip/mask: 

It respectively indicates the packet’s source and destination IP address and the CIDR block indicating the netmask used. In particular, the block CIDR/24 indicates a Class C network, /16 a Class B network, and /32  a specific machine address. For example, the combination sorg_ip/mask  192.168.1.0/24 refers to the block of addresses from 192.168.1.1 to 192.168.1.255.

  • sorg_port, dest_port: 

This indicates the decimal number of the source and destination port, respectively. An interval can also be indicated using the “:” operator. Regarding IP addresses and ports, the word “any” can be used, which indicates that any value is accepted.

  • -> : 

It indicates the direction of traffic (from source to destination), which can also be reverse ( <- ) or bidirectional ( <> ).