Intrusion Detection Using Snort

Snort is an open-source network intrusion detection system used to monitor network traffic and detect attacks. The authors developed their own rule set to detect man-in-the-middle attacks, denial of service attacks and Nmap scans, and tested the rules by launching attacks from a Kali Linux virtual machine. The rule set is available on GitHub and detects reconnaissance scans, denial of service attacks such as SYN floods, and man-in-the-middle attacks through ICMP redirect analysis.

R Siva Girish, Prof. Prasad B Honnavalli, Gaurav C.G
PES University, Bengaluru
Department of Information Security and Cyber Resilience

INTRODUCTION

Snort is an open-source network intrusion detection system (NIDS). A NIDS monitors network traffic, analyses incoming packets and decides whether the traffic is legitimate for the network or a malicious request from an attacker. Network intrusions take many forms, such as denial of service, man in the middle or network scans. Snort, when equipped with a robust ruleset, can recognise these attacks and can be configured to alert on or drop the offending packets, as the case may be. Our rule set consists of rules to detect man in the middle attacks, use of reconnaissance tools such as Nmap, and variations of denial of service attacks. The ruleset is available at https://github.com/sivagirish81/Intrusion-Detection-Using-Snort.

Figure 1: Snort architecture (source: Martin Roesch). Snort comprises a sniffing component that captures every packet on the input stream and hands it to a chain of plugins (decoder, preprocessors and detection engine), each performing a specific operation; the output stage unifies their results and raises an alert naming the rule that was violated.

OBJECTIVES

Network intrusion detection is of paramount importance in the modern world. As the number of people connected to the internet grows every day, threats such as cybercrime rise with it, so it is important to know whether the network a person is connected to is secure. The cheapest and most feasible solution to this problem is a NIDS that detects malicious packets and requests and drops any further requests from the host that is sending them.

CHALLENGES

One challenge was understanding computer networks in enough depth, since most of the intrusions performed here exploit weaknesses in the TCP/IP protocol suite. The other challenge was performing the attacks themselves: the tools we used require sufficient knowledge of how they work, their effectiveness and their performance. Understanding the inner workings of Snort showed us how its rules had to be written.

RULE SET DESCRIPTION

Snort itself is open-source software, but the rulesets used to detect specific attacks are not necessarily open source. Many rules are contributed by the open-source community, but a fair number of them fail to detect the attack they are supposed to detect. Our goal was to develop our own open-source rule set for a few selected attacks. In the process we have managed to detect man in the middle attacks, a few types of DoS and Nmap scans. We tested these rules by attacking a host from a VM running Kali Linux, one of the most widely used open-source penetration testing distributions. Depending on the severity of the attack, the operator can decide to drop the offending requests and go on servicing meaningful requests from legitimate users. Rules have been written for the following range of attacks:

1. Nmap scans
2. Denial of service
3. Man in the middle

In Snort, a rule is divided into two parts: the header section and the option section. The header consists of the rule action (for example alert, log or drop), the protocol, the source IP address and port (a single port, a range within 0 to 65535, or any), the direction operator, and the destination IP address and port. The option section, enclosed in parentheses, holds fields such as msg (the text emitted with the alert), content (a byte or text pattern to search for in the packet payload), flags (the TCP flag combination to test for, such as SYN, FIN or PSH), flow (the direction and state of the connection, which relies on Snort's stream preprocessor to track sessions), sid (a unique identifier for the rule, used to tell alerts apart) and many more.

Figure 2: A few rules handpicked from our ruleset, based on Nmap scans. The figure illustrates the rule header format described above. Nmap is a widely used reconnaissance tool that discovers active hosts, their open ports and the services running on them; each of its scan types sets a characteristic TCP flag combination that a flags rule can match.

MAN IN THE MIDDLE

A man in the middle attack involves a third party that positions itself between two end hosts and thereby illegally eavesdrops on or modifies the packets passing between them. The goal is either to eavesdrop or to impersonate one end host in order to obtain confidential information about the compromised users. This type of attack poses an immense danger to end users and must be prevented. The approach we used to detect it is based on the ICMP protocol. ICMP redirect messages (type 5) exist so that a router can tell a host that a shorter route to a destination is available via a different next hop. In a man in the middle attack the alternate host is introduced by the attacker, who forges redirects so that packets are steered through that host, which means a longer route is being used even though a shorter one is available. Based on this, we used Snort to detect ICMP packets of type 5, code 1 (redirect datagram for the host), which indicate that datagrams are being redirected. Legitimate routers also send redirects, so a rule that fires on every type 5 message needs tuning in practice (for example, excluding the known gateway as the source); hosts configured to ignore ICMP redirects are not affected by this particular technique.

DENIAL OF SERVICE (DOS)

A DoS attack is one of the best-known threats; it aims to stop a server from servicing legitimate requests and sometimes causes a complete shutdown of the system. The attacks for which these rules were developed are listed below.

SYN flood - detected by counting the SYN requests sent from a particular source; if a threshold is crossed within a time window, we alert on such packets. Because flood sources are often spoofed, a per-destination threshold is a useful complement to the per-source one.

FIN flood - detected the same way as above, but with the flag set to FIN.

Ping of Death - causes failure at the server by sending fragmented ICMP packets whose fragments total more than 65535 bytes, the maximum size of an IP datagram; reassembling them overflows the server's buffer and stops the service. Detected by observing the size of each fragment and the number of fragments received; if the count is too high, we alert on such packets.
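The following Python program is an added example, written for this page; it is not Snort and not the authors' GitHub ruleset. It implements a toy version of Snort's rule evaluation so the three ideas above can be run end to end: the header/option rule format from the rule set description, the ICMP type 5 code 1 redirect check from the man in the middle section, and the per-source SYN threshold from the denial of service section. Everything in it is constructed: the four rules and their sid values, the $HOME_NET value 10.0.0.0/24, and the packet list (the Nmap Xmas and NULL probes are my illustrations of flag-based scan rules, not rules copied from the authors' Figure 2). The detection_filter option is approximated with a sliding window that fires on the (count+1)th match within the period.

```python
# Added example: a toy Snort-style rule evaluator. Not Snort and not the authors'
# ruleset; the rules, HOME_NET and traffic below are all constructed for this page.
import ipaddress
import re
from collections import defaultdict, deque

# Constructed rules in Snort 2 syntax; sids are placeholders from the local range (>= 1000000).
RULES = """
alert tcp any any -> $HOME_NET any (msg:"NMAP Xmas scan"; flags:FPU; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"NMAP NULL scan"; flags:0; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"Possible SYN flood"; flags:S; detection_filter: track by_src, count 5, seconds 10; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP redirect for host - possible MITM"; itype:5; icode:1; sid:1000004; rev:1;)
"""

# Header: action proto src sport dir dst dport, then the option section in parentheses.
HEADER_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
                       r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def parse_rules(text, variables):
    """Split each rule into header fields plus an option dict (option name -> value).
    Options are split on ';' and named by the text before the first ':'; this toy
    parser ignores escaped ';' in msg and repeated options such as multiple content."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable rule: {line}")
        rule = m.groupdict()
        rule["src"] = variables.get(rule["src"], rule["src"])   # expand $HOME_NET
        rule["dst"] = variables.get(rule["dst"], rule["dst"])
        opts = {}
        for item in filter(None, map(str.strip, rule.pop("opts").split(";"))):
            name, _, value = item.partition(":")
            opts[name.strip()] = value.strip().strip('"')
        rule["opts"] = opts
        rules.append(rule)
    return rules


def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_match(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")          # Snort range syntax lo:hi, :hi, lo:
    if not sep:
        return int(spec) == port
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)


def flags_match(spec, pkt_flags):
    """flags:S matches exactly SYN; flags:0 matches a packet with no flags set (NULL scan)."""
    want = spec.partition(",")[0]              # drop an optional ',12' reserved-bit mask
    return (set() if want == "0" else set(want)) == set(pkt_flags)


class Engine:
    def __init__(self, rules_text, variables):
        self.rules = parse_rules(rules_text, variables)
        self.windows = defaultdict(deque)      # (sid, tracked host) -> timestamps of matches

    def _static_match(self, rule, pkt):
        o = rule["opts"]
        if rule["proto"] != pkt["proto"]:
            return False
        if not (addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])):
            return False
        if pkt["proto"] in ("tcp", "udp") and not (
                port_match(rule["sport"], pkt["sport"]) and port_match(rule["dport"], pkt["dport"])):
            return False
        if "flags" in o and not flags_match(o["flags"], pkt.get("flags", "")):
            return False
        for opt in ("itype", "icode"):         # ICMP type/code, e.g. 5/1 = redirect for host
            if opt in o and pkt.get(opt) != int(o[opt]):
                return False
        return True

    def _rate_exceeded(self, rule, pkt):
        """detection_filter: fire only once more than 'count' matches from the tracked
        host fall inside a sliding window of 'seconds' (i.e. on the (count+1)th match)."""
        spec = rule["opts"].get("detection_filter")
        if spec is None:
            return True
        f = dict(part.split() for part in spec.split(","))   # {'track': 'by_src', 'count': '5', ...}
        host = pkt["src"] if f["track"] == "by_src" else pkt["dst"]
        window = self.windows[(rule["opts"]["sid"], host)]
        window.append(pkt["ts"])
        while pkt["ts"] - window[0] > int(f["seconds"]):
            window.popleft()
        return len(window) > int(f["count"])

    def process(self, pkt):
        """Return (sid, msg, source address) for every rule this packet triggers."""
        return [(int(r["opts"]["sid"]), r["opts"]["msg"], pkt["src"]) for r in self.rules
                if self._static_match(r, pkt) and self._rate_exceeded(r, pkt)]


def tcp(ts, src, dst, dport, flags):
    return {"ts": ts, "proto": "tcp", "src": src, "sport": 40000, "dst": dst, "dport": dport, "flags": flags}


def icmp(ts, src, dst, itype, icode):
    return {"ts": ts, "proto": "icmp", "src": src, "dst": dst, "itype": itype, "icode": icode}


# Constructed traffic, not a capture: a benign SYN, an Nmap Xmas and a NULL probe, an 8-packet
# SYN burst from one source, a normal echo request, a forged redirect, and a probe to a foreign host.
TRAFFIC = ([tcp(0.0, "10.0.0.20", "10.0.0.5", 443, "S"),
            tcp(1.0, "192.0.2.10", "10.0.0.5", 80, "FPU"), tcp(1.1, "192.0.2.10", "10.0.0.5", 22, "")]
           + [tcp(2.0 + 0.1 * i, "198.51.100.7", "10.0.0.5", 80, "S") for i in range(8)]
           + [icmp(3.0, "10.0.0.1", "10.0.0.5", 8, 0), icmp(3.5, "10.0.0.99", "10.0.0.5", 5, 1),
              tcp(4.0, "192.0.2.10", "203.0.113.9", 80, "FPU")])


def run(rules_text=RULES, traffic=TRAFFIC, home_net="10.0.0.0/24"):
    """Feed the traffic through the engine in order and collect the alerts."""
    engine = Engine(rules_text, {"$HOME_NET": home_net})
    return [alert for pkt in traffic for alert in engine.process(pkt)]


if __name__ == "__main__":
    for sid, msg, src in run():
        print(f"[1:{sid}:1] {msg} from {src}")
```

Running it yields six alerts: the Xmas and NULL probes each fire once, the SYN rule fires on the sixth, seventh and eighth SYN from 198.51.100.7 (the single SYN from 10.0.0.20 never crosses the count of 5), and the type 5 code 1 message from 10.0.0.99 fires the redirect rule while the ordinary echo request does not. The probe aimed at 203.0.113.9 is ignored because the destination is outside $HOME_NET. Note that a flood that spoofs a fresh source address per packet would never exceed a by_src count, which is why a by_dst filter is the usual companion rule.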

ONGOING RESEARCH

The very existence of the internet and the exponential growth of its traffic present the challenge of curbing illegal attempts to access confidential information transmitted across the web. We intend to write rules to detect Nmap scripted scans, more complex man in the middle attacks, and more sophisticated variations of distributed denial of service attacks.