This document provides instructions for implementing the open source intrusion detection system (IDS) Snort on Windows Server and Ubuntu Server. It describes installing and configuring Snort on Windows Server to monitor network traffic using rules defined in a local.rules file to detect SYN and ACK scans. The document also includes executing an Nmap scan from Ubuntu Server, which should generate alerts on the Windows Server Snort instance. The goal is to capture network data using Snort for analysis and demonstration of its intrusion detection capabilities.

Uploaded by

Gaurav Sharma
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
22 views

Implementing IDs

This document provides instructions for implementing the open source intrusion detection system (IDS) Snort on Windows Server and Ubuntu Server. It describes installing and configuring Snort on Windows Server to monitor network traffic using rules defined in a local.rules file to detect SYN and ACK scans. The document also includes executing an Nmap scan from Ubuntu Server, which should generate alerts on the Windows Server Snort instance. The goal is to capture network data using Snort for analysis and demonstration of its intrusion detection capabilities.

Uploaded by

Gaurav Sharma
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 13

 

Implementing IDS
Many vendors supply IDSs, and each of these systems has its own strengths and
weaknesses. Deciding which system is best for a particular environment depends
on many factors, including the network environment, security level required,
budget constraints, and the skill level of the person who will be working directly
with the IDS.

4.3.1 Snort

Snort is perhaps the most well-known open source IDS available. It is a software
implementation installed on a server to monitor incoming traffic. It typically works
with a host-based firewall in a system in which both the firewall software and
Snort run on the same machine. Snort is available for UNIX, Linux, FreeBSD, and
Windows. The software is free to download, and documentation is available at
www.snort.org. Snort works in one of three modes: sniffer, packet logger, and
network intrusion-detection.

4.3.1.1 Sniffer

In packet sniffer mode, the console (shell or command prompt) displays a
continuous stream of the contents of all packets coming across that machine. This
can be a very useful tool for a network administrator. Finding out what traffic is
traversing a network can be the best way to determine where potential problems
lie. It is also a good way to check whether transmissions are encrypted.

4.3.1.2 Packet Logger

Packet logger mode is similar to sniffer mode. The difference is that the packet
contents are written to a text file log rather than displayed in the console. This can
be more useful for administrators who are scanning a large number of packets for
specific items. Once the data is in a text file, users can scan for specific
information using a word processor’s search capability.

4.3.1.3 Network Intrusion-Detection

In network intrusion-detection mode, Snort uses a heuristic approach to detecting
anomalous traffic. This means it is rule-based and it learns from experience. A set
of rules initially governs a process. Over time, Snort combines what it finds with
the settings to optimize performance. It then logs that traffic and can alert the
network administrator. This mode requires the most configuration because the user
determines the rules they wish to apply to the scanning of packets. Snort
works primarily from the command line (shell in Unix/Linux, command prompt in
Windows).
Configuring Snort is mostly a matter of knowing the correct commands to enter
and understanding their output. Anyone with even moderate experience with either
Linux shell commands or DOS commands can quickly master the Snort
configuration commands. Snort is a good tool when used in conjunction with host-
based firewalls or as an IDS on each server to provide additional security.

4.3.2 Cisco Intrusion Detection and Prevention

The Cisco brand is widely recognised and well respected in the networking
profession. Along with their firewalls and routers, Cisco has several models of
intrusion detection, each with a different focus/purpose. In the past, Cisco had two
specific, widely used IDS products, the Cisco IDS 4200 Series Sensors and Cisco
Catalyst 6500 Series Intrusion-Detection System (IDSM-2) Services Module.

There are a number of products in this group, notably the Firepower 4100 series,
the Firepower 8000 series, and the Firepower 9000 series. All the products include
malware protection as well as sandboxing. These Cisco products also integrate
cyber threat intelligence features.

The 4100 series is meant for small networks and the 9000 series is designed for
large scale networks. One of the chief benefits of using Cisco security products is
their widespread use across the industry and the availability of good training. The
fact that so many organisations use Cisco indicates a high level of successful field
testing, which generally indicates a reliable product. Cisco also sponsors a range of
certifications on its products, making it easier to determine whether someone is
qualified on a particular Cisco product.

Guided Exercise: Implementing an IDS

Resources
Files: None
Machines: Windows Server, Ubuntu Server

In this exercise you are required to install Snort on Windows Server and capture
data for analysis.

Log in to Windows Server and open the desktop folder Exercises -> Snort. Double-click
the Snort Installer file to install it.

Accept the License Agreement by clicking I Agree.


Click Next on the Choose Components window.
Click Next on the Choose Install Location.
Click Close once the installation finishes and then OK on the Snort Setup.

Copy the file snort.conf from the Desktop folder Exercises -> Snort to C:\Snort\etc
and overwrite the file that is already there. Copy the file local.rules from the
Desktop folder Exercises -> Snort to C:\Snort\rules.

Open the file local.rules using WordPad. Under the LOCAL RULES section there
are different rules, each having a header and a body. The first rule detects a SYN scan
and the second rule detects an ACK scan.
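To make the header/body split concrete, here is an added example rather than the exercise's own local.rules (which is supplied in the Desktop folder): two constructed rules in Snort 2.x syntax, a small parser that separates each rule's header fields from its body options, and a flag matcher that shows which rule a SYN-only segment and an ACK-only segment would trigger. The rule text, the sid values, the use of $HOME_NET and the packet values are all assumptions made for this example.

```python
"""Added example (not from the exercise): parse Snort 2.x rules into header and
body, and match TCP flags the way the 'flags' option does for a SYN/ACK scan."""
import re

# Constructed rules in Snort 2.x syntax; sids >= 1000000 are the range reserved
# for local rules.  These are NOT the exercise's local.rules.
LOCAL_RULES = """
# LOCAL RULES (constructed example)
alert tcp any any -> $HOME_NET any (msg:"SYN scan detected"; flags:S; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"ACK scan detected"; flags:A; sid:1000002; rev:1;)
"""

# Header: action proto src sport direction dst dport, followed by the body in ( ).
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)


def parse_rule(line):
    """Split one rule into its seven header fields and a dict of body options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = {}
    for opt in m.group("body").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")          # 'msg:"..."' -> ('msg', '"..."')
        options[key.strip()] = val.strip().strip('"')
    rule["options"] = options
    return rule


def load_rules(text):
    """Parse every non-blank, non-comment line of a rules file."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def flags_match(spec, packet_flags):
    """Subset of Snort 'flags' semantics: bare letters mean exactly those flags;
    a trailing '+' means at least those; a trailing '*' means any of those."""
    want = set(spec.rstrip("+*"))
    have = set(packet_flags)
    if spec.endswith("+"):
        return want <= have
    if spec.endswith("*"):
        return bool(want & have)
    return want == have


def matching_rules(rules, packet):
    """Return the msg of every rule whose protocol and flags option match."""
    hits = []
    for r in rules:
        if r["proto"] != packet["proto"]:
            continue
        spec = r["options"].get("flags")
        if spec is None or flags_match(spec, packet["flags"]):
            hits.append(r["options"]["msg"])
    return hits


if __name__ == "__main__":
    rules = load_rules(LOCAL_RULES)
    # Constructed packets: an Nmap SYN probe, the host's SYN/ACK reply, an ACK probe.
    for pkt in ({"proto": "tcp", "flags": "S"},
                {"proto": "tcp", "flags": "SA"},
                {"proto": "tcp", "flags": "A"}):
        print(pkt["flags"], "->", matching_rules(rules, pkt))
```

Note that a bare flags:A rule fires on every pure-ACK segment, including those of ordinary established sessions, which is why a count of exactly five alerts is only meaningful on a quiet lab network. On a busier segment you would add a rate condition such as `detection_filter: track by_src, count 5, seconds 60;` to the rule body so that only repeated probes from one source are reported.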

In the folder Exercises -> Snort double-click the file WinPcap to install it. Click
Next on the WinPcap Setup window and then click I Agree. Click Install on the
next window and leave the check mark on Automatically start the WinPcap driver
at boot time.

Once the installation finishes click on Finish.

Open a command prompt by right clicking the Start button and select Command
Prompt (Admin).  

Type cd C:\Snort\bin, where bin is the default directory in which the snort executable
resides.
Type the following command "snort -c C:\Snort\etc\snort.conf -i1 -l C:\Snort\log
-A console" and press Enter. The option -c tells Snort where to find the configuration
file. The option -i1 tells Snort to capture on interface 1. The -l option tells Snort to
log alerts and where to save them. The -A console option tells Snort to send alerts
to the console as well. This option is normally not used in production because it slows down
detection and Snort may drop packets.

Log in to Ubuntu Server and run the command nmap -A 192.168.1.20. Allow the
scan to complete and then check the Snort command prompt on Windows Server.
Switch to the Windows Server and on the Snort command prompt you should see 5
SYN scan alerts and 5 ACK scan alerts. Press Control + C to stop Snort.

Once you stop Snort, a list with different statistics is displayed.
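Counting ten alerts by eye is fine for this exercise; for a longer capture you would tally the console (fast-alert) output instead. The following is an added example, not output or code from the exercise: a parser for Snort fast-alert lines that counts alerts per rule message and lists the destination ports a single source touched. The sample lines are constructed to resemble what the exercise expects (five SYN-scan and five ACK-scan alerts from 192.168.1.30 against 192.168.1.20); the timestamps, sids and port numbers are assumptions.

```python
"""Added example (not from the exercise): tally Snort '-A console' fast-alert
lines by rule message and by the ports one source probed."""
import re
from collections import Counter

# Constructed sample of fast-alert lines, NOT captured Snort output.  Sids
# 1000001/1000002 are assumed local-rule ids for the SYN and ACK scan rules.
PROBED_PORTS = (22, 80, 135, 139, 445)
SAMPLE_CONSOLE = "\n".join(
    [f"01/24-13:20:0{i}.000000  [**] [1:1000001:1] SYN scan detected [**] "
     f"[Priority: 0] {{TCP}} 192.168.1.30:4000{i} -> 192.168.1.20:{p}"
     for i, p in enumerate(PROBED_PORTS, 1)]
    + [f"01/24-13:20:1{i}.000000  [**] [1:1000002:1] ACK scan detected [**] "
       f"[Priority: 0] {{TCP}} 192.168.1.30:4010{i} -> 192.168.1.20:{p}"
       for i, p in enumerate(PROBED_PORTS, 1)]
    + ["Commencing packet processing (pid=1234)"]   # non-alert line, must be ignored
)

# Fast-alert layout: timestamp [**] [gid:sid:rev] msg [**] [...] {PROTO} src:port -> dst:port
# Ports are optional so that ICMP alerts (no ports) still parse.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Return one dict per alert line; lines that are not alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def count_by_message(alerts):
    """How many times each rule fired, keyed by its msg text."""
    return Counter(a["msg"] for a in alerts)


def ports_probed(alerts, src):
    """Distinct destination ports one source address hit; a spread across many
    ports from one source is the scan pattern the two rules are meant to expose."""
    return sorted({int(a["dport"]) for a in alerts
                   if a["src"] == src and a["dport"] is not None})


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_CONSOLE)
    print(count_by_message(alerts))
    print("ports probed by 192.168.1.30:", ports_probed(alerts, "192.168.1.30"))
```

The same parser applies to the alert file Snort writes under the -l directory when fast-alert output is configured, which is the usual way to review a capture after the fact rather than reading the console while Snort runs.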
