Is Intrusion Detection Important? February 11, 2008

Posted by timsteiner in Research.

Tim Steiner

SEC-330

Structured External Assignment

Intrusion detection is essential in today’s world of insecure networks, and the need for data confidentiality is steadily increasing. Unfortunately, only a small percentage of small to mid-sized organizations employ host-based or network-based intrusion detection systems (IDS). It is no longer enough to rely on a firewall and expect the network to be secure. There is a need to see what is going on inside the network and identify potential threats.

Before going any further it is important to understand what an IDS is and why it matters. An IDS detects attacks against a computer network. The benefits of having an IDS are detecting attacks, enforcing policies, providing an audit trail, and justifying resources. An IDS can detect attacks and tell whether computer systems have been compromised. Internal behavior can be monitored to ensure compliance with acceptable use policies. After an attack, an audit trail can show how far the attack went and where it came from. An IDS can also show how well the firewall is working, and the information it gathers on attacks can be used as justification for a firewall upgrade.

In order to decide what type of IDS to employ, one must understand how an IDS detects attacks. There are two main approaches. Signature detection matches network traffic against a list of known attack signatures; this is effective against known attacks but may not detect newly developed ones. Anomaly detection works by learning what normal traffic looks like and then alerting when it sees abnormal traffic; this can catch attacks that no signature describes, but it tends to produce more false positives. Snort uses primarily signature detection.
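To make the difference concrete, here is an added toy model of the two approaches (example code written for this page, not Snort’s engine or the author’s): a few constructed connection records are run through a signature matcher and a byte-count anomaly detector, so that each method’s blind spot is visible.

```python
# Added example (not from the post or Snort): a toy model of the two detection
# approaches described above. Records, signatures and baseline are constructed.
import re
from statistics import mean, pstdev

# Two "known attack" signatures: an x86 NOP sled and a directory-traversal string.
SIGNATURES = {
    "shellcode-detect (NOP sled)": re.compile(rb"\x90{16,}"),
    "web-attack (directory traversal)": re.compile(rb"\.\./\.\./"),
}

def signature_detect(records):
    """Signature detection: report every record whose payload matches a known pattern."""
    hits = []
    for rec in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["payload"]):
                hits.append((rec["id"], name))
    return hits

def anomaly_detect(baseline, records, k=3.0):
    """Anomaly detection: learn mean/stddev of bytes per connection from the
    baseline, then flag records more than k standard deviations above the mean."""
    threshold = mean(baseline) + k * pstdev(baseline)
    return [rec["id"] for rec in records if rec["bytes"] > threshold]

def compare(baseline, records):
    """Per record: (alerted by signature?, alerted by anomaly?). Shows where each is blind."""
    sig = {rid for rid, _ in signature_detect(records)}
    ano = set(anomaly_detect(baseline, records))
    return {rec["id"]: (rec["id"] in sig, rec["id"] in ano) for rec in records}

# Constructed baseline: normal connections move a few hundred bytes each.
BASELINE_BYTES = [320, 410, 380, 295, 450, 360, 400, 330, 390, 370]

# Constructed live traffic. Ids are labels, not real flows.
RECORDS = [
    {"id": "c1", "bytes": 350, "payload": b"GET /index.html HTTP/1.0\r\n"},         # normal
    {"id": "c2", "bytes": 420, "payload": b"GET /../../etc/passwd HTTP/1.0\r\n"},   # known, small
    {"id": "c3", "bytes": 9000, "payload": b"\x90" * 64 + b"\xcc" * 40},            # known, large
    {"id": "c4", "bytes": 12000, "payload": b"A" * 200},                            # new technique
    {"id": "c5", "bytes": 15000, "payload": b"PUT /backup/db.tar.gz HTTP/1.0\r\n"}, # legit backup
]

if __name__ == "__main__":
    for rid, (by_sig, by_anomaly) in compare(BASELINE_BYTES, RECORDS).items():
        print(f"{rid}: signature={by_sig} anomaly={by_anomaly}")
```

Record c4 is caught only by the anomaly detector, since no signature describes it, while the legitimate large backup in c5 is the anomaly detector’s false positive; c2 is a known attack small enough that only signature matching sees it.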

Snort is quickly becoming the industry standard for network intrusion detection systems. Furthermore, it is open source and freely available. What really sets Snort apart from other NIDS is its configurability and its ability to run on multiple platforms. Snort’s configuration files can be fine-tuned to specific network architectures, and custom rules can be written. Another big factor is that Snort is constantly updated with new attack signatures.

Before installing Snort, it is important to consider what resources are to be protected and how much bandwidth will be monitored. If the network has a firewall and a DMZ, it is common to place the Snort sensor between the DMZ network and the switch facing the internet. Snort puts a network card in promiscuous mode so that it sees all network traffic. If the traffic is too much for one Snort sensor, it will drop packets, increasing the likelihood of a false negative. It is therefore important to have a Snort system fast enough to handle the network traffic. If this is not possible, multiple Snort sensors can be used, for example a separate Snort sensor for each subnet.

Snort can log its output in several ways: tcpdump binary, ASCII logging, and logging to a database. Tcpdump binary logging is very fast but stores the data in binary format. “There are 10 kinds of people in the world: those who understand binary data, and those who don’t.” ASCII logging is slower but easier to read. Logging to a database is a great tool for creating easy-to-read visual reports using additional programs such as ACID (The Analysis Console for Intrusion Detection).

Alerts record what kind of attack it is, where it is coming from, where it is going, and where to find more information. The captured packets of the attack record MAC addresses, IP addresses, packet payload, timestamp, and TCP flags. Alert classifications to watch for are attempted-admin, attempted-user, successful-admin, successful-user, shellcode-detect, suspicious-login, attempted-dos, and denial-of-service.

Once Snort is up and logging alerts to a MySQL database, other software can be used to produce visual reports from the data. ACID is an open source analysis console specifically tailored to Snort. With ACID one can view Snort alerts according to various criteria, look up related information on security web sites such as Bugtraq and ArachNIDS, present alert information in graphical form, and search all Snort data in the database.

So now the IDS, database, and analysis console are set up and working. Now comes the fun part: the IDS rule set must be fine-tuned to reduce false positives and eliminate false negatives. “Tuning Snort is like Goldilocks faced with her choices: start with the bed that’s way too big and then keep refining until it’s jusssst right.” Many default rules may be unnecessary for a given network and should be removed to increase efficiency.
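The alert fields, the classifications to watch for, the per-criteria views and the hunt for noisy rules come together in the following added example (written for this page, not part of the post or of Snort/ACID): a parser for Snort’s fast alert format run over constructed alert lines, using an assumed mapping of Snort’s default classification descriptions to the classtype names listed above.

```python
# Added example (not from the post, Snort or ACID): parse Snort fast-format alert lines, pick out
# the classes named above, rank noisy rules. Assumed: CLASSTYPES matches Snort's default classification.config; sample lines constructed.
import re
from collections import Counter

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<pri>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

CLASSTYPES = {  # description text as printed in the alert -> classtype name
    "Attempted Administrator Privilege Gain": "attempted-admin",
    "Attempted User Privilege Gain": "attempted-user",
    "Successful Administrator Privilege Gain": "successful-admin",
    "Successful User Privilege Gain": "successful-user",
    "Executable code was detected": "shellcode-detect",
    "An attempted login using a suspicious username was detected": "suspicious-login",
    "Attempted Denial of Service": "attempted-dos",
    "Detection of a Denial of Service Attack": "denial-of-service",
}

def parse_alert(line):
    """Return one alert as a dict (timestamp, rule id, message, class, proto, src, dst), or None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["priority"] = int(rec.pop("pri"))
    rec["classtype"] = CLASSTYPES.get(rec["cls"] or "", "other")  # "other": not a watched class
    return rec

def parse_log(text):
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]

def watch_list(alerts):
    """Alerts in the classes the post says to watch for, highest priority (lowest number) first."""
    return sorted((a for a in alerts if a["classtype"] != "other"), key=lambda a: a["priority"])

def noisy_rules(alerts, top=3):
    """Rules firing most often: the first place to look when tuning out false positives."""
    return Counter(f'{a["gid"]}:{a["sid"]} {a["msg"]}' for a in alerts).most_common(top)

SAMPLE_ALERTS = """\
02/11-09:12:01.000001  [**] [1:1000001:1] LOCAL ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.20
02/11-09:12:02.000002  [**] [1:1000001:1] LOCAL ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.21
02/11-09:12:03.000003  [**] [1:1000001:1] LOCAL ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.22
02/11-09:15:44.120000  [**] [1:1000002:2] LOCAL x86 NOOP sled [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.9:40123 -> 192.168.1.10:80
02/11-09:16:10.500000  [**] [1:1000003:1] LOCAL root login from outside [**] [Classification: Successful Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:40200 -> 192.168.1.10:22
02/11-09:20:00.000000  [**] [1:1000004:1] LOCAL SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.4:1 -> 192.168.1.10:443
"""
```

Run `watch_list(parse_log(SAMPLE_ALERTS))` to get the three high-value alerts in priority order; `noisy_rules(...)` shows the ping-sweep rule firing three times, the kind of rule the tuning step above would review first.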

In the event of a real attack, an incident response plan is crucial to getting back up and running as soon as possible. It is important to have a plan in place to respond to an attack, find out how far the attacker got, recover from the attack, and learn from it so that it will not happen again. If an attack is identified in real time, it must be stopped immediately. This can be done by pulling the network cable or pulling the power cord. Pulling the network cable is a quick and easy way to knock a logged-in intruder off the system; it also keeps programs running for further investigation and prevents the system from being used as the launching point for further attacks. Pulling the power cord (not using the power switch) is important to preserve evidence for a court case. Using the operating system’s shutdown function could cause more harm if the intruder left something behind that is triggered by a shutdown command.

Updating Snort, as with any system, is important to keep it up to date and patched against known exploits. Oinkmaster is a Perl script that downloads updated rule files from Snort.org. Snort’s rules are updated, modified, and adjusted daily, so making all the changes by hand can be an overwhelming job. Oinkmaster automates the process.

The designers of Snort knew that it would not be feasible to integrate everything (administration, visualization, and remote management) into one program. With this in mind, they made Snort the best IDS sensor it could be and left the other functions to external programs. This is what makes Snort so configurable, but also very intimidating: there are a lot of options to consider before setting up a Snort IDS.

REFERENCES

Scott, C. (2004). Snort for Dummies.

Intrusion Detection System (2007). Wikipedia. Retrieved October 17, 2007, from http://en.wikipedia.org/wiki/Intrusion-detection_system.

Network Intrusion Detection System (2007). Wikipedia. Retrieved October 17, 2007, from http://en.wikipedia.org/wiki/Nids.

Snort (software) (2007). Wikipedia. Retrieved October 17, 2007, from http://en.wikipedia.org/wiki/Snort_%28software%29.

About Snort (2007). Snort.org. Retrieved October 17, 2007, from http://snort.org/about_snort/

Snort EULA Analysis: The de facto standard for intrusion detection/prevention February 11, 2008

Posted by timsteiner in Research.

Tim Steiner

LES 330

11/19/07

EULA Analysis: The de facto standard for intrusion detection/prevention

INTRODUCTION

As the IT manager of a small accounting firm, you are in charge of keeping the local network and confidential information secure from unauthorized parties. After examining the network logs, you notice that a computer on your network is sending private network data to a third party. Upon further investigation, you find that someone has hacked your network and gained access to all your private client information files, including SSNs, names, addresses, and contact information. Furthermore, you have no idea how long this has been going on or how much information has leaked out. This is the kind of nightmare an IT manager can face when a proper intrusion detection system is not implemented. Unfortunately, given the expense of such systems, many small businesses opt to take that chance. Snort is an open source and freely available network intrusion detection system (IDS) that can be used to detect an attack, enforce policies, and provide an audit trail. Snort is a popular IDS that is becoming the de facto standard for intrusion detection/prevention. That is why I have chosen to analyze Snort’s End User License Agreement (EULA).

ANALYSIS

Snort is released under the GNU General Public License (GPL), which makes the software freely available to everyone. In addition to the GPL, Snort’s EULA states how the software may be copied, modified, and redistributed.

Strengths

Snort includes a short and very well organized EULA. The terms of warranty and legal liability show that Snort basically offers no guarantees and is not responsible for any problems that may arise. This is clearly stated as “without any warranty,” including any “implied warranty of merchantability” or “fitness for a particular purpose.”

The EULA states that if the Snort source is modified and included as part of a product offering, then the source code for the resulting product must be distributed under the GPL, making it open source and freely available. In this way Snort can legally enforce its copyright over all included parts of its software and keep it from being used in software marketed under a different name.

Weaknesses

While the Snort EULA is fairly straightforward, the GPL is much more complicated and lengthy. By agreeing to the Snort EULA, the user also agrees to the terms of the supplemental GPL. This important fact could easily be overlooked by a user who quickly skims the document. In that way the EULA could be misleading if not thoroughly examined.

ASSESSMENT

Overall, the Snort EULA is complete and well organized. It offers the company protection against copyright violations and unauthorized use of Snort’s intellectual property. Furthermore, the company is protected from legal liability by offering “No Warranty”: it gives no guarantee that the software will work or perform its desired function. This is essential, as a Snort IDS has the responsibility of protecting valuable system resources from attack. By offering no warranty, the risk of being sued is mitigated in case the Snort product fails to perform its IDS functions.

CLOSING REMARKS

Although the EULA is fairly straightforward and easy to understand, how many people actually read it before accepting it? I know from my own experience that very few people, myself included, even attempt to read the EULA before installing software. It usually contains complex vocabulary and legal terminology that the common person has trouble reading, let alone understanding. Thus, the EULA is very effective at protecting the company’s assets but offers little to no protection to the end user.
