
Mastering in Intrusion Detection System Part - 1


  
Introduction to Detection & Prevention Systems

Introduction

Welcome to the first module of this workshop. This module explains the concept of intrusion detection and prevention systems in present-day information security, and the role such systems play when a hacking event occurs. We will explore the types of these two systems and demonstrate Snort as an intrusion detection system.

Pre-requisites

• Sound knowledge of TCP/IP protocols
• Prior strong experience with the Linux operating system
• Prior hands-on experience with iptables
• Prior experience with any firewall [iptables preferred]
• OSI layers and how TCP/IP packets are formed and decomposed
• Understanding of the general concepts of exploits and how they work

What is covered?

We will cover the theory of IDS & IPS systems and demonstrate how to work with Snort as an intrusion detection and prevention system.

What is not covered?

This workshop does not cover intrusion detection & prevention systems end to end; however, it will give you a solid grounding in the core concepts and practical experience working with Snort [the de-facto standard].

What is Intrusion Detection System [IDS]?

We will not go into very technical definitions of IDS; instead, we will cite the industry-standard definitions.

SANS Institute Says: Intrusion Detection can be defined as “...the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource, more specifically, the goal of intrusion detection is to identify entities attempting to subvert in-place security controls” (Sans.org, 2014).

Did you get what they are trying to explain rather than define? Good!

NIST Says: “Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices” (Sgu.ac.id, 2014).

Did you get what they are trying to explain rather than define? Hmm better?

Okay, let us put it simply: an IDS is “nothing but a mechanism that helps you detect something abnormal, i.e. an intrusion into the defined boundaries that constitute your system.”

To detect something abnormal, you must first teach your IDS what abnormal looks like, so that it can recognize the abnormality when it occurs.

That teaching is the detection methodology on which your intrusion detection system works.

Intrusion Detection Methodology

There are three methodologies used to drive an intrusion detection system; a given system commonly relies on one of these approaches, or sometimes on a combination of them.

The three methodologies

1. Stateful protocol analysis
2. Anomaly based detection
3. Signature based detection

Signature Based Detection

This is the simplest, and a very effective, method of detecting known threats. A signature is a pattern that corresponds to a known threat; signature-based detection is the process of comparing signatures against observed events to identify possible incidents.

Anomaly Based Detection

Anomaly-based detection is the process of comparing definitions of what activity is considered normal against the observed events in order to identify significant deviations. Anomaly-based intrusion detection systems use profiles that represent the normal behavior of such things as users, hosts, network connections or applications (Ijarcce.com, 2014). These profiles are developed by monitoring typical activity over a period of time.

The major benefit of anomaly-based detection is that it can be very effective at detecting previously unknown threats. For example, suppose that a computer becomes infected with a new type of malware: no signature exists for it yet, but the malware's activity deviates from the computer's established profile, and that deviation is what the anomaly-based system flags.

Signature-based detection, by contrast, cannot detect previously unknown threats, because a signature for them does not exist yet.

Stateful Protocol Analysis

In comparison with anomaly-based intrusion detection systems, which use host- or network-specific profiles, the stateful protocol analysis methodology relies on comprehensive vendor-developed profiles that specify how particular protocols should and should not be used.

Therefore, we can define stateful protocol analysis as the process of comparing observed protocol activity against predetermined profiles of generally accepted protocol definitions in order to identify deviations.
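To make the three methodologies concrete, here is an added example (not code from the original workshop, and not Snort's own logic) of a toy IDS engine that runs all three side by side over a handful of constructed packets: a signature engine with one pattern, an anomaly engine that learns a per-host profile from a training window, and a stateful tracker that models the TCP three-way handshake. Hosts, ports, payloads and the signature are all made up for illustration; the z-score threshold, the state names and the severity numbers are assumptions, not any product's settings.

```python
"""Toy IDS engine showing the three detection methodologies side by side.
Added example, not code from the original post; hosts, packets and signatures
are all constructed for illustration."""
from collections import defaultdict, namedtuple
import re
import statistics

# flags holds TCP flags as letters, e.g. "S", "SA", "A", "PA"
Packet = namedtuple("Packet", "ts src dst sport dport flags payload")
# method is "signature", "anomaly" or "protocol"; severity 1 is the highest
Alert = namedtuple("Alert", "ts method name severity src dst dport")

def _alert(p, method, name, severity):
    return Alert(p.ts, method, name, severity, p.src, p.dst, p.dport)

# 1. Signature-based: compare each payload against patterns of known threats.
SIGNATURES = [("web-dir-traversal", 2, re.compile(rb"\.\./\.\./"))]

def signature_detect(p):
    return [_alert(p, "signature", name, sev)
            for name, sev, rx in SIGNATURES if rx.search(p.payload)]

# 2. Anomaly-based: learn each monitored host's normal profile (server ports it
#    talks to, typical request size), then flag significant deviations.
class AnomalyDetector:
    def __init__(self, monitored, z_threshold=3.0):
        self.monitored, self.z = set(monitored), z_threshold
        self.ports, self.sizes = defaultdict(set), defaultdict(list)
        self.profile = {}       # src -> (ports, mean_size, stdev_size)

    def train(self, packets):
        for p in packets:
            if p.src in self.monitored and p.payload:
                self.ports[p.src].add(p.dport)
                self.sizes[p.src].append(len(p.payload))
        for src, sizes in self.sizes.items():
            sd = max(statistics.pstdev(sizes), 1.0)   # floor avoids divide-by-zero
            self.profile[src] = (self.ports[src], statistics.fmean(sizes), sd)

    def detect(self, p):
        if p.src not in self.profile:
            return []
        ports, mean, sd = self.profile[p.src]
        alerts = []
        if p.dport not in ports:
            alerts.append(_alert(p, "anomaly", "unusual-destination-port", 3))
        if p.payload and (len(p.payload) - mean) / sd > self.z:
            alerts.append(_alert(p, "anomaly", "payload-size-outlier", 3))
        return alerts

# 3. Stateful protocol analysis: model how TCP should be used (three-way
#    handshake before any data) and flag segments that violate the model.
class TcpStateTracker:
    def __init__(self):
        self.state = {}         # flow key -> SYN_SENT / SYN_RECV / ESTABLISHED

    @staticmethod
    def key(p):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a < b else (b, a)   # same key for both directions

    def observe(self, p):
        k = self.key(p)
        st = self.state.get(k)
        if p.flags == "S":
            self.state[k] = "SYN_SENT"
        elif p.flags == "SA" and st == "SYN_SENT":
            self.state[k] = "SYN_RECV"
        elif p.flags == "A" and st == "SYN_RECV":
            self.state[k] = "ESTABLISHED"
        elif "P" in p.flags and st != "ESTABLISHED":
            return [_alert(p, "protocol", "data-before-handshake", 2)]
        return []

def run_ids(training, traffic, monitored):
    """Run all three engines over traffic; returns alerts in packet order."""
    anomaly = AnomalyDetector(monitored)
    anomaly.train(training)
    tcp = TcpStateTracker()
    alerts = []
    for p in traffic:
        alerts += signature_detect(p) + anomaly.detect(p) + tcp.observe(p)
    return alerts

# Constructed sample data: one client browsing one web server.
CLIENT, SERVER = "10.0.0.5", "10.0.0.10"
TRAINING = [Packet(float(t), CLIENT, SERVER, 40000 + t, 80, "PA",
                   b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n" + b"x" * (t % 5 * 10))
            for t in range(20)]
TRAFFIC = [
    Packet(100.0, CLIENT, SERVER, 40100, 80, "S", b""),
    Packet(100.1, SERVER, CLIENT, 80, 40100, "SA", b""),
    Packet(100.2, CLIENT, SERVER, 40100, 80, "A", b""),
    Packet(100.3, CLIENT, SERVER, 40100, 80, "PA",
           b"GET /files?name=../../secret.txt HTTP/1.1\r\nHost: shop\r\n\r\n"),
    Packet(100.4, SERVER, CLIENT, 80, 40100, "PA", b"HTTP/1.1 200 OK\r\n\r\n"),
    # Data segment to an unusual port, far larger than normal, with no handshake.
    Packet(101.0, CLIENT, SERVER, 40200, 8443, "PA", b"\x00" * 200),
]

if __name__ == "__main__":
    print(*run_ids(TRAINING, TRAFFIC, {CLIENT}), sep="\n")
```

Running the block yields four alerts. The traversal request is caught only by the signature engine, because in every other respect it looks like the client's normal browsing; the final packet matches no signature at all and is flagged only because it deviates from the learned profile and because data arrived on a flow that never completed its handshake. That split is exactly the trade-off the text describes: signatures are precise for known threats, while the anomaly and protocol engines are what remain when the threat is new.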

The Types of Intrusion Detection & Prevention Systems

So far we have spoken about the methods on which these systems work. Based on the types of intrusions they monitor, IDS & IPS can be categorized into:

1. Network Based
2. Wireless
3. Network Behavior Analysis
4. Host Based

The most common and widely used are host-based and network-based intrusion detection systems, and in this workshop we will explore a network-based intrusion detection system, i.e. Snort!

Host Based Intrusion Detection System (HIDS)

Host-based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior on a specific device only, rather than on the network.

A HIDS generally involves an agent installed on each system that monitors and alerts on local OS and application activity. It uses a combination of signatures, rules, and heuristics to identify unauthorized activity. The role of a host IDS is passive: it only gathers, identifies, logs, and alerts.

Network Based Intrusion Detection System [NIDS]

Network-based intrusion detection identifies unauthorized, illicit, and anomalous behavior based solely on network traffic.

Such systems use a network tap, SPAN port, or hub to collect packets traversing a given network, and analyze the captured data to flag any suspicious traffic. An intrusion detection system does not actively block network traffic. The role of a network IDS is passive: it only gathers, identifies, logs and alerts.

What is Intrusion Prevention System?

So far, we have been explaining mostly intrusion detection systems. If you have a clear concept of how an intrusion detection system works, it is much easier to understand how an intrusion prevention system works.

An intrusion prevention system is a step ahead of an intrusion detection system. The role of an intrusion prevention system is to stop any invasion, whereas an intrusion detection system only alerts when there is an intrusion into the system.

“Intrusion prevention follows the same process of gathering and identifying data and behavior, with the added ability to block (prevent) the activity. This can be done with Network and Host based intrusion detection systems” (Sans.org, 2014).

Architecture of Intrusion Detection & Prevention Systems

The main question is how these systems are designed and how they work. The architecture of an intrusion detection system comprises several essential components.

Architecture components

There are four (4) main components of the architecture:

1. Sensor or Agent
2. Database server
3. Management Server
4. Console

Sensors

Their job is to monitor and analyze activity. The term sensor is used for both intrusion detection and prevention systems that monitor networks (host-based systems use the term agent). Multiple sensors can be configured within one network, depending on the system architecture.

Management Server

A management server is a centralized device that receives information from the sensors and manages it.

Database Server

Its job is to store the event information recorded by the sensors for later use in reporting and in the various analyses performed for security purposes.

Console

The console provides access to the intrusion detection and prevention system; it can be described as the interface for administration and related activities and tasks.

Most consoles offer many features to assist administrators in their daily tasks. For example, drill-down capabilities let users examine alerts in detail, and for presentations to senior management, different types of graphs present the available information in layers.

What is usually logged or detected by IDS & IPS

This can be customized based on the type and features of your device. However, intrusion detection and prevention systems usually store the following types of information:

• Timestamp (usually date and time)
• Connection or session ID (typically a consecutive or unique number assigned to each TCP connection, or to like groups of packets for connectionless protocols)
• Event or alert type
• Rating (e.g., priority, severity, impact, confidence)
• Network, transport, and application layer protocols
• Source and destination IP addresses
• Source and destination TCP or UDP ports, or ICMP types and codes
• Number of bytes transmitted over the connection
• Decoded payload data, such as application requests and responses
• State-related information (e.g., authenticated username)
• Prevention action performed (in the case of an IPS)

Keeping your Box up to date

It is important to ensure that your intrusion detection and prevention systems are up to date with the newest feed released by your vendor. This includes both software updates and fixes for the IDS or IPS itself and updates to its signatures so that it can detect new threats and attack vectors. An intrusion detection or prevention system without the latest feeds cannot help you secure your network or systems.

This has been an introduction to the types, design and methodologies that intrusion detection and prevention systems comprise. It gives you a clear picture of the forms and core mechanisms on which these devices work, and what we have explained in this module is backed by the leading industry authorities in information security. The upcoming module will cover Snort as an example product used as both an intrusion detection and an intrusion prevention system; module 2 focuses on the architecture and design of Snort.

