User:Syeda Sonia/sandbox

All detailed information about IDS/IPS and the Snort tool

IDS (Intrusion Detection System)

An intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, or restricting computer systems, mainly through a network such as the Internet.
• Intrusion detection is performed by carrying out significant tasks on the host computer and on the network itself, such as real-time traffic analysis and packet logging on IP networks.
• An IDS can be composed of several components:
  - sensors, which generate security events;
  - a console to monitor events and alerts and to control the sensors; and
  - a central engine that records the events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received.

There are several ways to categorize an IDS:

Misuse Detection vs. Anomaly Detection
• In misuse detection, the IDS examines the information it gathers and compares it to large databases of attack signatures.
• In anomaly detection, the system administrator describes the baseline, or normal, state of the network's traffic load, breakdown, protocol mix, and typical packet size. The anomaly detector monitors network segments, compares their state to this baseline, and looks for anomalies.

Passive vs. Reactive Systems
• In a passive system, the IDS detects a possible security breach, logs the information and signals an alert.
• In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.

Network-based vs. Host-based IDS
• Network-based IDS (NIDS) are often separate hardware appliances that include network intrusion detection capabilities. A NIDS will usually consist of:
  - hardware sensors located at various points along the network, or
  - software installed on computers connected to your network, which analyzes data packets entering and leaving the network.
• Host-based IDS (HIDS) do not offer true real-time detection, but if configured correctly they come close to it. A HIDS consists of software agents installed on individual computers within the system.

Intrusion Prevention System (IPS)

An intrusion prevention system is the next level of security technology, with the ability to provide security at all system levels, from the operating system kernel to network data packets.
• It brings policies and rules for network traffic together with an IDS that warns system or network administrators about suspicious traffic, but leaves the administrator to decide the action taken upon being alerted. Where an IDS informs of a potential attack, an IPS attempts to stop it.
• Currently there are two types of IPS, similar in nature to the two types of IDS: host-based intrusion prevention systems (HIPS) and network-based intrusion prevention systems (NIPS).

Network-based vs. Host-based IPS
• Host-based intrusion prevention systems protect both servers and workstations through software that runs between the system's applications and the OS kernel. It monitors activities such as
  - application or data requests,
  - network connection attempts, and
  - read or write attempts, to name a few.
• Network-based intrusion prevention systems (often called inline prevention systems) are a solution for network-based security. A NIPS sits in the path of all network traffic and inspects it for suspicious activity and events, either blocking the requests or passing them along if they are considered genuine traffic.

Difference between IDS and IPS:
• An IDS sends an alert to an administrator, who can then take action to prevent the exploit or minimize the damage.
• An IPS operates similarly to an IDS, with one crucial difference:
  - an IPS can block the attack itself. While an IDS sits outside the line of traffic and observes, an IPS sits directly in the line of network traffic. Any traffic the IPS identifies as malicious is prevented from entering the network.

SNORT

Snort is an open-source network intrusion detection system (NIDS). Snort is a packet sniffer that monitors network traffic in real time, examining each packet closely to detect a dangerous payload or suspicious anomalies.

The following are the major components of Snort:
• Packet Decoder
• Preprocessors
• Detection Engine
• Logging and Alerting System
• Output Modules

MODES OF SNORT

Snort is a single-threaded application, which can be configured to operate in four modes:
i. Packet Sniffer Mode: Snort simply reads the packets off the network and displays them in a continuous stream on the console (screen).
ii. Packet Logger Mode: Snort logs the packets to disk. To record packets to disk, specify a logging directory and Snort will automatically go into packet logger mode. When Snort runs in this mode, it collects every packet it sees and places it in a directory hierarchy based upon the IP address of one of the hosts in the datagram.
iii. Detection Mode: Snort examines network traffic for matches against a user-defined rule set and performs one of several actions based upon what it sees.
iv. Prevention Mode: Snort blocks network threats; this mode is also known as inline mode.

SCENARIO:

In this project, we simulate the interactions between two machines (e.g., an FTP server and an FTP client) and monitor the traffic with a network-based intrusion detection system. Using another machine as the intruder, we try to manipulate the traffic and carry out a man-in-the-middle attack using Ettercap or another tool, and demonstrate how the NIDS (Snort) can detect the intrusion.
• The next step is to set up the experiment environment. We will then attack the network with at least one bad packet for each rule we selected, and the IDS center should alert on all of these bad packets. In the meantime, we also send good packets (e.g., ping requests) to the network, and the IDS center lets these good packets pass without an alert.
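The detection-mode behaviour described above (a user-defined rule set matched against traffic, bad packets raising alerts, ping requests passing) and the passive-versus-inline distinction drawn in the IDS/IPS sections, as an added Python model that is not part of this page or of Snort itself. It handles only a small subset of Snort rule syntax; the two rules, the FTP server address 192.168.1.10 and the sample packets are constructed for the example.

```python
import re
from dataclasses import dataclass
# Constructed rule set in a subset of Snort rule syntax; the FTP server 192.168.1.10 and the
# signatures are hypothetical. Header: action proto src_ip src_port -> dst_ip dst_port (options)
RULES = """
alert tcp any any -> 192.168.1.10 21 (msg:"FTP login attempt as root"; content:"USER root"; sid:1000001;)
drop tcp any any -> 192.168.1.10 21 (msg:"FTP directory traversal attempt"; content:"../"; sid:1000002;)
"""
HEADER_RE = re.compile(
    r'^(?P<action>alert|drop|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')   # key:"value"; or key:value;
@dataclass
class Rule:
    action: str; proto: str; src: str; sport: str; dst: str; dport: str
    msg: str; content: str; sid: str

@dataclass
class Packet:  # stand-in for the packet decoder's output
    proto: str; src: str; sport: int; dst: str; dport: int; payload: bytes = b""

def parse_rules(text):
    """Parse rule lines into Rule objects; blank lines and # comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        o = dict(OPT_RE.findall(m["opts"]))
        rules.append(Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                          o.get("msg", ""), o.get("content", ""), o.get("sid", "")))
    return rules
def _field_ok(rule_val, pkt_val):  # 'any' in a rule matches every value
    return rule_val == "any" or rule_val == str(pkt_val)

def matches(rule, pkt):  # detection engine: header fields agree and content bytes occur in payload
    return (rule.proto == pkt.proto and _field_ok(rule.src, pkt.src) and _field_ok(rule.sport, pkt.sport)
            and _field_ok(rule.dst, pkt.dst) and _field_ok(rule.dport, pkt.dport)
            and rule.content.encode() in pkt.payload)

def inspect(pkt, rules, inline=False):
    """Return (verdict, alerts). A passive IDS can only alert; an inline IPS also honours 'drop'."""
    hits = [r for r in rules if matches(r, pkt)]
    msgs = [f"[{r.sid}] {r.msg}" for r in hits]
    if inline and any(r.action == "drop" for r in hits):
        return "drop", msgs
    return ("alert" if hits else "pass"), msgs
```

In passive mode a packet matching the drop rule only produces an alert; the same packet in inline mode is dropped, which is the IDS/IPS difference the sections above describe.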

Typical Network Architecture:

Here, we have created an architecture of a NIDS with Visio, which involves a host attacker and an internal network consisting of a host NIDS and a target.
• Host NIDS, which works as an intrusion detection system and tries to protect the hosts inside the internal network.
• Host attacker, which acts as an external intruder who tries to attack the host in the internal network.
• Host target, which acts as an internal host in the internal network and is protected by the NIDS from the attacker.

Link to typical network architecture:

https://www.dropbox.com/s/o890luwotrwdvv8/Drawing2.jpg?dl=0

According to this architecture, no branch bank will have a DMZ protected by a firewall and IDPS. The same protection will be available on the bank's original servers. The different departments are connected in a VLAN architecture.

Blue-Print for the project:

https://www.dropbox.com/s/wfy0nqybsbohwnu/Drawing3.jpg?dl=0