Need help?

Our experts will login to your server within 30 minutes to fix urgent issues.

Customer support or server support, make your own solution using our support configuration wizard.

IDS (Intrusion Detection System)

Has your data been stolen? Did you even notice it? Prevention is better than cure. A good intrusion detection system that detects stealthy movements will help you.

Intrusions to your corporate network can be blocked by the implementation of IDS. It can be very powerful if it is implemented the right way. Intrusion Detection System(IDS) is a system that will constantly monitor the corporate networks from all types of attacks and vulnerabilities. IDS looks for the attack signatures which are specific patterns that usually indicate malicious or suspicious event.

Different types of IDS

There are two different types of IDS system. Software IDS which is specific for different operating systems and Hardware IDS which has dedicated real type operating system of its own and it works independently with any type of operating system. The hardware IDS is much more reliable than the software IDS. It can identify about 1500 attack and info signatures. What is a attack and information signature? Attack signatures are those which can pose a threat to the networks, while information signature need not necessarily be a harmful one. In case of software firewall there are chances that we cannot cover all the loop holes of an operating system i.e we have different flavors of Linux and there are chances that all the pitfalls of different flavors might not be identified. An important point that has to be noted, is that an IDS alarms you of the possible attacks but in order to prevent attacks we need some other devices like firewall. It is better to go for a hardware IDS. If finances do not allow, then go for a software IDS that best suites your operating system.

IDS is at its best when placed at the gateway of the network that is at the point where the corporate network is connected to the outside world. It is the most ideal place where an IDS has to be kept.We have three types of IDS.

1) Network Based IDS

2) Host Based IDS

3) Stack-based IDS

Network Based IDS:

This type of IDS typically uses a network adapter in promiscuous mode that will analyze the network traffic in real time. Now let us define what a promiscuous mode is? Promiscuous mode, in computing, refers to a configuration of a network card wherein a setting is enabled so that the card passes all traffic it receives to the CPU rather than just packets addressed to it, a feature normally used for packet sniffing. Many operating systems require superuser privileges to enable promiscuous mode.

Host Based IDS:

This type of IDS can be used to monitor the system specific logs. While in most flavors like Unix they use sys log and OS specific files. As soon as there is a change detected the host based IDS compares it with the security policies that has been defined and then responds to the change accordingly.

Stack Based IDS:

This is the newest IDS technology and varies dramatically from vendor to vendor. Stack-Based IDS works by integrating closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI Layers. Watching the packets in this way allows the IDS to pull the packets from the stack before the OS or the Application have a chance to process the packets.

Software IDS (snort-2.6.1.2 installed in Fedora Linux)

First of all we will be dealing with the software IDS. The software which I am about to describe is SNORT which I feel is one of the best IDS software for Linux operating systems.

Snort is very useful intrusion detecting system distributed under the GNU GPL license by the author Martin Roesch. Snort is a lightweight network IDS, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching. It can be used to detect a variety of attacks and probes.Snort has real-time alerting capability as well, incorporating alerting mechanisms for Syslog, user- specified files, a UNIX socket, or WinPopup messages to Windows clients using Samba’s smbclient. Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump or as a packet logger that is useful for network traffic debugging. It can also be used as a full blown network intrusion detection system.

Snort logs packets in either tcpdump binary format or in Snort’s decoded ASCII format to logging directories that are named based on the IP address of the foreign host.

The installation of the SNORT is pretty simple.I have tested this on the Fedora machine.

wget http://www.snort.org/dl/current/snort-2.6.1.2.tar.gz
tar -xvzf snort-2.6.1.2.tar.gz
cd snort-2.6.1.2
./configure
make
make install

This will set up Snort for you in the system. Snort can be configured in three modes.

1)Sniffer mode:

To print out the TCP/IP packet headers to the screen which is also known as sniffer mode. You can just go to the location where the binary files are located and then execute it

cd snort-2.6.1.2
cd src
./snort -v

Below is part of the output of this command

12/26-01:53:01.528869 192.168.1.37:22 -> 192.168.1.78:49614
TCP TTL:64 TOS:0x10 ID:43000 IpLen:20 DgmLen:100 DF
***AP*** Seq: 0x6EBF4676  Ack: 0xF56DCB77  Win: 0xAA8  TcpLen: 32
TCP Options (3) => NOP NOP TS: 95144702 596697068
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

*** Caught Int-Signal

=============================================================================

Snort received 4459 packets
    Analyzed: 1972(44.225%)
    Dropped: 2420(54.272%)
    Outstanding: 67(1.503%)
=============================================================================
Breakdown by protocol:
    TCP: 1968       (99.797%)
    UDP: 2          (0.101%)
   ICMP: 0          (0.000%)
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
ETHLOOP: 0          (0.000%)
    IPX: 0          (0.000%)
   FRAG: 0          (0.000%)
  OTHER: 2          (0.101%)
DISCARD: 0          (0.000%)
=============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0

At the top see how a TCP segment has been tracked by snort. It actually specifies all the TCP segment fields like TTL, Sequence number, Windowing size, Acknowledgment bit, tcp length etc.

2)Packet Logger Mode:

If you want to record the packets to the disk, you need to specify a logging directory and Snort will automatically know to go into packet logger mode:

./snort -dev -l ./log -h 192.168.1.0/24

This command will work only if there is a log folder created in this path. So create a folder called log and then use this command. This rule tells Snort that you want to print out the data link and TCP/IP headers as well as application data into the directory log, and you want to log the packets relative to the 192.168.1.0 class C network. In my system it is logged in a file like this

snort.log.1166824939.

Now the packets have been logged in a binary format and is not readable. We can make it readable by issuing the command

./snort -dv -r log/snort.log.1166824939

3) Network Intrusion Detection System Mode:

To enable NIDS mode so that you don’t record every single packet sent down the wire you can use this command. ./snort -dev -l ./log -h 192.168.1.0/24 -c /etc/snort.conf

where /etc/snort.conf is the name of your rules file. This will apply the rules configured in the snort.conf file to each packet to decide if an action based upon the rule type in the file should be taken. If you don’t specify an output directory for the program, it will default to /var/log/snort. For any specific alerts this Will logged in a file called alerts.Now the file /etc/snort.conf wont be there when you install the snort. We have to create one. I have created a basic file which looks very simple. This is what I have set for my local machine.

##
#       Define our network and other network
#
var INSIDE 192.168.1.0/24
var OUTSIDE !$INSIDE
var NIDSHOST 192.168.1.38
var PORTS 10
var SECS 3
##
#       Log rules
##
log tcp $OUTSIDE any -> $INSIDE 23
log tcp $OUTSIDE any -> $INSIDE 21
log tcp $OUTSIDE any -> $INSIDE 79
##
#       Alert Rules
##
alert udp any any -> $INSIDE 53
alert tcp any any -> $INSIDE 53
alert tcp any any -> $INSIDE 80
##
#       Load portscan pre-processor for portscan alerts
##
preprocessor sfportscan: proto { all } scan_type { all } sense_level { low }
##
#       Pass Rules (Ignore)
##
pass tcp $INSIDE any -> $OUTSIDE 80
pass udp any 1024:  <> any 1024:
pass tcp any 22 -> $NIDSHOST 22
"/etc/snort.conf" 32L, 727C                                                                 24,1          Top

This is just a basic configuration file. You can create your own rules basing on the needs of your network. Here in this configuration file I have specified my local network, the host IP and also the outside networks. The next step is to log the data. There are alerts which will work when something unusual is found against normal process. Also I have enabled a preprocessor that will check for any port scanning in the local machine and last one of course mentions about those that can be ignored.

4) Inline mode:

It obtains packets from iptables instead of from libpcap and then causes iptables to drop or pass packets based on Snort rules that use inline-specific rule types.

You can verify if your snort is working properly or not by using this command

./snort -dev -l /var/log/snort/ -h 192.168.1.0/24 -c /etc/snort.conf -T

The output should be some thing like this.

Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort/
Verifying Preprocessor Configurations!
0 out of 512 flowbits in use.
Decoding LoopBack on interface NULL
Data link layer header parsing for this network  type isn't implemented yet

        --== Initialization Complete ==--

   ,,_      Snort!
  o"  )~   Version 2.6.1.2 (Build 34)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2006 Sourcefire Inc., et al.

Snort sucessfully loaded all rules and checked all rule chains!
Snort exiting

For more details of the rules you can download the rules from http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_os/snortrules-snapshot-CURRENT.tar.gz

Also if you are planning for a customized configuration I bet you would surely like to go through the doc files available along with the software. They are pretty good and easy to read as many options has been explained in the doc file that will secure your network from different types of attacks.

Hardware IDS (Implementing the Secure IDS in Cisco PIX Hardware Firewall 501 series)

Now here comes my favourite, hardware IDS. Basically there are many dedicated IDS systems that are right now available in the market. But what Iam going to tell you is an implementation of IDS in PIX hardware firewall. Even though you cannot call it as an dedicated hardware but still I prefer it because we can set to take action when an attack is identified.Here I will be mentioning the details of IDS configuration in the PIX 501 series. PIX 501 series is a firewall which is used in SOHO and the ROBO scenarios. It is the smallest of the hardware firewall in the Cisco series.

Also the commands that I specify here is related to Finesse operating system 6.x version . Of course there won’t be much difference in the later versions. One of the advantage of the this firewall is you can implement IDS as well use the firewall to drop the attack but the disadvantage is that the Cisco Pix 501 series firewall can only support from 50 to 70 signatures which is very less when compared to the 1500 signatures supported by the Cisco IDS.Also there are no options to built the customized IDS signatures.

The Cisco Secure IDS features provide the following:
* Traffic auditing. Application level signatures will only be audited as part of an active session.
* Apply the audit to an interface.
* Support different audit policies. Traffic matching a signature triggers a range of configurable actions.
* Disable the signature audit.
* Enable IDS and still disable actions of a signature class (informational, attack). PIX Firewall supports both inbound and outbound auditing.

Also we need to log the messages. One is you can enable logging in the firewall itself and the next thing is you can use a third party software to log the messages. I would prefer using a third party software because it will not eat up the memory of the firewall. One good syslog software is Kiwi syslog which is free to download and easy to configure.

Let us just take a look at the commands that will enable the IDS in the hardware firewall. “ip audit” is the command that is used to enable the IDS in the firewall.

As I have already mentioned that there are two types of signatures. One is attack and the other one is Info. Each signature is identified by a number. Below is just is a few list of the IDS signatures supported by PIX.

PIX Firewall lists some of the following single-packet IDS signature messages: 1000-1006, 1100, 1102, 1103, 2000-2012, 2150, 2151, 2154, 3040-3042, 4050-4052, 6050-6053, 6100-6103, 6150-6155, 6175, 6180, and 6190

You can disable a signature using this command

 ip audit signature 4050 disable

This will disable this particular signature from auditing. Now let us see how we can define the info signatures and the attack signatures

ip audit name attack1 info
ip audit name attack2 attack

I have defined a policy named attack1 which audit the info signatures and attack2 which will audit the attack signatures. In addition, we can set different actions to be taken when an signature is tracked or identified.

ip audit name attack2 attack action drop

This command will drop a connection if it finds a attack signature that has been found matching by the device.

Now after we have defined the attack and the info signatures the next thing we have to do is to apply to a particular interface. Either you can apply it to the inbound interface or outbound. The commands that is shown below help in setting a policy to an interface

ip audit interface outside attack1
ip audit interface inside attack2

You can foil the attempts of many a hackers if carefully taken considerations of the follwing things.
* Network traffic
* Failed login attempts;
* Modifications made to the file system;
* Applications and services currently running;

There are lots of vulnerabilities that appear on a regular basis. Engineers are working round the clock to patch the loop holes. Some may be very simple like dictionary attack while others may be one that can bring the whole network down.The best way to stop them is to think like them and always be one step ahead. What I have mentioned here is just basics of implementing network security using both software and hardware IDS. IDS along with strongfirewalls can provide great security to the Corporate networks.

Reference:
http://www.snort.org/docs/snort_htmanuals/htmanual_261/
http://www.snort.org/docs/iss-placement.pdf
http://www.cisco.com/
http://www.freeos.com/articles/3496/
http://en.wikipedia.org/wiki/Intrusion-detection_system
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/syslog/pixemint.htm



Articles by Shyam About the author:
Shyam P. K works as engineer in Bobcares. He primarily works on administering cPanel and Linux servers.


Security
Bobcares
Bobcares is a server management company that helps businesses deliver uninterrupted and secure online services. Our engineers manage close to 51,500 servers that include virtualized servers, cloud infrastructure, physical server clusters, and more.
MORE ABOUT BOBCARES