Hello all, I hope all of you are doing well in this pandemic situation. A quick introduction about myself: I am Vignesh [inaudible] Raman. I did my masters in Information Systems Security Management at Concordia University of Edmonton. During the research part of my masters I performed an experiment on the Snort intrusion detection system, where I ran multiple test case scenarios, deployed it in multiple environments and checked how efficiently it was able to perform in each environment. I also wrote rule sets for different kinds of traffic and checked them against multiple attack cases. So today's presentation is about the research work that I performed as part of my coursework.

Let's jump to the presentation. Today's agenda is: an overview of intrusion detection systems, Snort, the Snort implementation, test case scenarios, existing vulnerabilities and then the proposed solution. For the proposed solution I just came up with a simple solution that I proposed in my research work, so I am going to share that one.

Overview of intrusion detection systems: there are multiple types of intrusion detection system. The most common ones are network-based intrusion detection systems, host-based intrusion detection systems and hybrid intrusion detection systems. Network security has surpassed whole security with the increase of networks globally and the need for packets to reach worldwide. Network intrusion detection systems can detect a broad range of malicious and unwanted attacks compromising the application, network and transport links, together with unexpected services supported by multiple applications. A network-based intrusion detection system is mostly for network-based attacks; it will be placed in the main location where we want to monitor the network traffic and the content that is passing on the network side. A host-based intrusion detection system, in comparison with network-based, will mostly focus on a particular host or a particular endpoint in the network, so the host will just monitor the functions or processes, the system processes and the traffic going in and out of that particular host. Host-based is just confined to that and won't do anything more. So, as opposed to the detection of network-based intrusions, host-based intrusion detection protects the individual endpoint system in the network. It inspects the network interfaces, malicious file access, modification, configuration changes and application activity on the host, and it then analyzes the log that each component generated and compares it with our own trained datasets; if a match happens, it will alert the administrator about it. Then there comes a situation where we cannot just use NIDS or HIDS separately; we might need both NIDS and HIDS. In that case, instead of using both, we came up with the hybrid intrusion detection system, which has the functionalities of both the network-based and the host-based system. So that is what a hybrid intrusion detection system is.

Snort: Snort is an open source intrusion detection system, and it is a rule-based intrusion detection system. The local rule set we define will be configured beforehand: from the traffic that is going to pass, we will sit and analyze the traffic, then we will come up with the rules and mention them in our rules file, our rule section, so that Snort can see and compare the traffic with our own defined rule set and generate the alert accordingly. Snort can be deployed in three modes: packet sniffer, packet logger and network traffic debugging. Snort can also enable application detection and also filtering.

This is my Snort implementation that I performed in my local environment. Here you can see that Snort has two things, preprocessors and a detection engine, and it also has rules. Snort will invoke rules from this rule section, and both the preprocessors and the detection engine will parse the rule section and process all the traffic that comes into the system. It uses the preprocessors and the detection engine to process it and gives a unified output, which will be given as an input to Barnyard2. Barnyard2 will then generate the output and load it into the MySQL server. From the MySQL server we can view the Snort output data in a web browser; we have several engines like BASE and Kibana from which we can view the Snort-produced output in a more user-friendly manner. So that's what we are using, and we are using a web server for that purpose.

These are some of the screenshots I kept. Here I installed Snort on Kali Linux, so I am verifying whether Snort has been installed properly or not; I verified that using the snort -V command. Then this is my snort.conf configuration file. Here we will mention the IP address of your home network, the IP address of the external network, and then the DNS and SMTP port addresses; we will mention everything according to our environment configuration in this Snort configuration file, so that Snort can know which network it is monitoring, which host it is monitoring and what environment it is currently monitoring. And this is the MySQL database I created, so the table which has several columns in it, like data, detail, encoding and so on. Snort comes pre-installed with a database schema, so we don't need to create a new database table from scratch; we can just invoke the database schema that Snort comes with during our MySQL database creation, and all the fields or columns will be automatically built in this table. And this is my Snort log directory, so here you can see /var/log/snort; I kept that screenshot.

This is my local rule file that I kept. Here I wrote some rules for my lab environment, so you can see alert icmp any any -> any any, and I kept a message inside it along with the Snort ID and revision number. What it will do is: if Snort sees any ICMP traffic going in our network from any source IP address and source port number to any destination IP address and any destination port, it will give this message, "ICMP testing rule", and that's how we will get an alert on our machine. As for the Snort ID and revision number: the Snort ID is a unique number which will identify the particular Snort rule on our machine, and the revision number is, for instance, if we create this Snort rule set or rule file right now and after a few months we want to update or modify the already written alert rule, then we can mention that one as revision number two, in order for us to easily differentiate between the multiple versions of our rules that we are writing in the whole set. So that's what these fields are about.

These are the test case scenarios; I performed four test case scenarios for this presentation. The attacker machine I used had the address 192.168.72.134, and the Snort-installed machine's IP address was 192.168.72.138. The first test case scenario was an nmap TCP scan. Here you can see that I performed the nmap TCP scan with port 22 on our Snort-installed machine, so I'm getting the status of that port I mentioned with -p 22, which says that it is closed, and I can see that it came up here: an "nmap TCP scan" alert has been generated on our Snort-installed machine along with the IP addresses of where the request came from and where it went, the source and destination IP addresses, along with the port address of that request. This is my first test case scenario.

The second test case scenario was an nmap Xmas scan. What is an nmap Xmas scan? Usually the TCP handshake involves three flags, SYN, SYN-ACK and ACK, but we can do an nmap Xmas scan, which is kind of a stealthy mode where we can deceive the receiving end about the kind of nmap scan we are performing, in order to easily avoid the security controls that we kept. For that case we can use the nmap Xmas scan; it uses three flags, FIN, PSH and URG. So this is the nmap Xmas scan that we performed. Here I am doing nmap with the -sX option, using the same port 22 and the Snort-installed machine's IP address, and I am getting the response back that the port is closed, along with the service that is running on it. Here I can see "nmap Xmas tree scan TCP" along with the source IP address and destination IP and port address of the corresponding traffic. This is my second test case.

My third test case was an FTP connection from my attacker machine to the Snort-installed machine. Here I'm doing ftp, giving the IP address of the Snort-installed machine, and I'm getting the response back as "FTP connection refused". I can show you that the alert has been triggered here, "FTP connection attempt", along with the IP address and port number of the source and the IP address and port number of the destination machine. This is my third test case.

My fourth one is a denial of service attack, where I am flooding the Snort-installed machine with more packets than it can process, and eventually it will get exhausted with too many packets to process; that's how the denial of service attack will happen. Here I'm using hping3 from my attacker machine with port 80, then I am using --flood, then I am using --rand-source, so I am generating random source IP addresses in order to not get noticed by the Snort-installed machine. Here I can see that "possible TCP DoS" was triggered; if you can see, there are multiple TCP DoS alerts that have been created, in which each time a new source IP address was created, and it has been shown here. This is my fourth test case scenario.

Then I also installed BASE. Here you can see BASE in my local browser using localhost 127.0.0.1, so it can show you the TCP traffic, UDP traffic, ICMP traffic and the source and destination IP addresses; it can show you an overview of how much traffic has been generated and how many alerts have been created in the last 24 hours and the last 72 hours. It gives you a much more user-friendly view of the alerts or traffic present in our system.

Then the existing vulnerabilities. The first one: it is difficult to maintain the huge set of rules that we are writing in our environment. For example, if we have a small environment then it might be much more manageable to write the Snort rule set and maintain it accordingly, but in the case of a larger environment where we have more than 1000 or 2000 systems and networks, with traffic going on a day-by-day basis, then it's hard to come up with a new Snort rule every day for every new attack or malware that is going on. In the longer run it might be much more difficult to manage and maintain it as a whole, and it will be much more tedious to keep track of which particular Snort rule an alert has been triggered from. The next one: it might generate a lot of false positives and false negatives, which have to be prevented, or else it might be harder for network administrators or system administrators to look over it and find out whether the alert that was triggered is legitimate or malicious. The third one: in some situations the attacker is assumed to be directing the attacks from multiple sources in a layered manner, and in that case the IDS cannot properly identify or classify the traffic; or, if very complicated attacks like advanced persistent threats have been performed or initiated against the machine, then Snort cannot correlate between multiple connections or endpoints to form a big picture of what is happening in the network. The fourth one is encryption: in some situations, like SSH or an SSL session where the traffic is traveling in an encrypted format, it will be much harder for the IDS to see what is present in the packet inside that tunneled traffic. Then there is obfuscation by path manipulation. For instance, take any path that has been mentioned in a script that is being passed from the outside network to the internal network; the path traversal has some unique meaning for each kind of script that we are writing, so Snort might not know the exact or intended meaning of the path, command or script that has been written. It might consider it as legitimate path traffic or an imported script coming from the outside network, and it might even download it, but actually the intended meaning was something else. Snort couldn't differentiate between the two, and hence the attack might even become successful.

A few possible or proper solutions: we can use either parallelism or multi-threading. Suricata is a multi-threaded engine, which means that it has more than one core in its CPU, so it can process the traffic much faster and in an efficient manner, and it is mostly preferred for signature-based intrusion detection systems, because if you have high network traffic where a lot of traffic is passing in and out, it's hard for the intrusion detection system to keep track of all the traffic that is passing on the bandwidth, and the network utilization might even get deferred depending on the cores of the CPU; if it's single-threaded it might become even slower as traffic increases. In that case multi-threading is much more preferred and helpful. We can also use unified threat management. Unified threat management is having a single appliance which has multiple security features in it, for example firewalls, routers, intrusion detection, intrusion prevention, URL filtering, content inspection and malware inspection; it comes with everything in it, it's much cheaper to use and it's much more economical. We can also use anomaly- or behavior-based detection, where we train the machine, or do a learning period for the datasets, the trained datasets: we make the machine observe the normal flow of traffic in order to form a baseline, and once it has that baseline it can easily identify whether the workflow or the traffic flow deviates from that baseline. That is anomaly- or behavior-based detection.

And this is my possible solution, the one I came up with for my research work. What I proposed was a central logging system, so that a central logging system will be present in the intrusion detection system, in which all the individual network components, such as servers, hosts, firewalls and monitoring devices, will log the data and pass it to the central logging system, instead of each component processing it individually. That is the main feature of my proposal, because the individual components are ineffective in analyzing and categorizing it; if a central logging system is there, it will take the final call on whether the traffic it was given is malicious or legitimate. The central logging system is configured with a central fuzzy logic server, which I configured using a decision tree classifier algorithm to identify and classify the possible common attacks on each host in the network, so it performs better classification in detecting malicious attack attempts on the machines from the attacker; for instance, specific software or a protocol running on any version of the operating system leaves an audit trail of data for detectors to identify. Every component and sub-component is multi-threaded, so that it can process more than one process at a time, which saves a lot of time and also prevents the bottleneck situation where, if all the traffic is imposed on only one machine at a time, then all the other traffic has to wait until the previous one gets completed; that might create more bandwidth utilization, and the performance will be much more impacted in that case. So that's why we are using multi-threaded processors, to avoid the network bottleneck situation. I also added a load balancer and a packet duplication checker in order to overcome the repetition issue: once the threshold is reached in a particular component, it will redirect that packet to the next available component, and that might prevent a deadlock situation from happening. Several components are installed along with this main component: if we might even have IPv6 traffic coming through our network, in that case it might even make sense to have an additional preprocessor for IPv6 packets encapsulated in an IPv4 network, and a visualization platform in the Snort engine for effectively managing the alerts and rules in the network, reducing the rule management overhead.

So this is my presentation for today, and I hope all of you got some insight and information about Snort. I'm aware that this is my first presentation or first talk at a BSides event, and I'm very happy that I was part of BSides Vancouver. I thank the presenters and event organizers for giving me this opportunity, and I'm glad that I can do the same thing next year also. Thank you and good luck to all of you.
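Added after the transcript as a worked example (not code from the talk or the speaker's project): the talk explains Snort's rule form, action, protocol, source, direction and destination followed by options such as msg, sid and rev, and points out that a large rule set is hard to maintain. The script below parses that rule form and runs two checks a rule maintainer would want, duplicate sids and rules whose body changed without the rev being raised. OLD_RULES and NEW_RULES are constructed samples, not the speaker's local.rules; in NEW_RULES the SSH rule was narrowed to $EXTERNAL_NET without a rev bump and sid 1000001 was reused.

```python
"""Parse Snort rules in the form the talk describes, action proto src sport -> dst dport
(options), and check a rule file for duplicate sids and for edits made without raising rev.
Added example; the rule sets below are constructed, not the speaker's local.rules."""
import re

HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+"
    r"(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')  # ';' outside double quotes only

def parse_rule(line: str) -> tuple:
    """Return (header tuple, options dict); flag options such as nocase map to None."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    opts = {}
    for opt in OPT_SPLIT.split(m["opts"]):
        if opt.strip():
            key, sep, val = opt.strip().partition(":")
            opts[key.strip()] = val.strip().strip('"') if sep else None
    if "sid" not in opts or "rev" not in opts:
        raise ValueError(f"rule without sid/rev: {line!r}")
    return m.group("action", "proto", "src", "sport", "dir", "dst", "dport"), opts

def body(rule):  # everything that defines the rule's behaviour: all fields except rev
    return rule[0], tuple(sorted((k, v) for k, v in rule[1].items() if k != "rev"))

def load(text: str):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def check_ruleset(old_text: str, new_text: str):
    """Findings as (sid, problem) pairs for the new rule file compared with the old one."""
    old = {r[1]["sid"]: r for r in load(old_text)}
    seen, findings = set(), []
    for r in load(new_text):
        sid, rev = r[1]["sid"], int(r[1]["rev"])
        if sid in seen:
            findings.append((sid, "duplicate sid"))
            continue
        seen.add(sid)
        prev = old.get(sid)
        if prev and body(prev) != body(r) and rev <= int(prev[1]["rev"]):
            findings.append((sid, "rule changed but rev not raised"))
    return findings

OLD_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"ICMP testing rule"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; flags:S; sid:1000002; rev:1;)
"""
NEW_RULES = """\
# constructed edit: sid 1000002 narrowed to $EXTERNAL_NET without a rev bump; sid 1000001 reused
alert icmp any any -> $HOME_NET any (msg:"ICMP testing rule"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection attempt"; flags:S; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000001; rev:1;)
"""
```

Running check_ruleset(OLD_RULES, NEW_RULES) reports the SSH rule as changed without a rev increase and the FTP rule as a duplicate sid.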