![Technology Used
Linux Mint
Ubuntu
12.04 Server
Edition
Windows 8
Windows XP
BackTrack 5
[ ATTACKER ]
GNS3 Virtual Box
Snort IDS
/IPS](https://image.slidesharecdn.com/intrusiondetectionandpreventionsystem-130518035126-phpapp02/75/Intrusion-detection-and-prevention-system-4-2048.jpg)
![Requirements &
Specifications• DISK SPACE & MEMORY REQUIREMENTS
• PROCESSER REQUIREMENTS :
Intel / AMD processors (32 bit or 64 bit) with Virtualization Technology
VIRTUAL BOX DISK SPACE
REQUIREMENT
MEMORY REQUIREMENT
UBUNTU SERVER [SNORT] 5 GB 512 MB
WINDOWS XP [VICTIM] 3 GB 256 MB
LINUX MINT [VICTIM] 5 GB 512 MB
BACKTRACK [ATTACKER] 15 GB 512 MB
WINDOWS 8 [HOST] 20 GB 1.5 GB](https://image.slidesharecdn.com/intrusiondetectionandpreventionsystem-130518035126-phpapp02/75/Intrusion-detection-and-prevention-system-5-2048.jpg)
Uploaded byNikhil Raj
Intrusion detection and prevention system
The document outlines the project profile for an Intrusion Detection and Prevention System (IDPS) led by a team of five members under Mr. Simanta Hazra using various technologies including Linux Mint, Ubuntu, and Backtrack. It details the requirements for implementing the system, types of intrusions and attacks, classifications of IDPS, and the functionalities of the open-source Snort software, which operates in different modes to monitor and analyze network traffic for threats. Additionally, it provides scenarios for internal and external attacks, emphasizing the importance of access control lists and best practices for protecting the IDPS.
More Related Content
![Essential Guide to Protect Your Data [Key Management Techniques]](https://cdn.slidesharecdn.com/ss_thumbnails/keymanagementtechniques-sisapresentationatgesconference-150514060435-lva1-app6891-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Intrusion detection and prevention system
![Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck](https://cdn.slidesharecdn.com/ss_thumbnails/ilovepdfmerged12-251029161756-3b829161-thumbnail.jpg?width=640&height=640&fit=bounds)
Intrusion detection and prevention system
- 1. Intrusion Detection &Prevention System
- 2. PROJECT PROFILE • IntrusionDetection & Prevention SystemProject Title • Mr. Simanta HazraProject Guide • 5 MembersTeam Strength
- 3. TEAM MEMBERS Deepak KrSaw Nikhil Raj Praveen Jha Rahul Kumar Sharma Rajesh Kumar
- 4. Technology Used Linux Mint Ubuntu 12.04Server Edition Windows 8 Windows XP BackTrack 5 [ ATTACKER ] GNS3 Virtual Box Snort IDS /IPS
- 5. Requirements & Specifications• DISKSPACE & MEMORY REQUIREMENTS • PROCESSER REQUIREMENTS : Intel / AMD processors (32 bit or 64 bit) with Virtualization Technology VIRTUAL BOX DISK SPACE REQUIREMENT MEMORY REQUIREMENT UBUNTU SERVER [SNORT] 5 GB 512 MB WINDOWS XP [VICTIM] 3 GB 256 MB LINUX MINT [VICTIM] 5 GB 512 MB BACKTRACK [ATTACKER] 15 GB 512 MB WINDOWS 8 [HOST] 20 GB 1.5 GB
- 6. Terminology • ROUTERS Layer3 networking device that is used to put packet in the correct route to reach its final destination • FIREWALL Hardware / software device installed between internal network and rest of the internet that allows or denies any traffic depending upon the predefined rule. • SWITCHES Layer 2 networking device that is for node to node delivery of packet • IDS / IPS SENSOR Intrusion Detection System / Intrusion Prevention System Sensor are dedicated appliance for analyzing the traffic it receives.
- 7. What is Intrusion? Anybody trying to gain unauthorized access to the network. Virus, Trojans and Worms replicating in the network. Sending specially crafted packets to exploit any specific vulnerability. Attacks that would make the services unresponsive even for legitimate clients.
- 8. Types of Intrusion/ Attacks Web Based Attacks • Sql Injection, Web Shells • LFI , RFI and XSS Attacks. Network Based Attacks • Unauthorized Login • Denial Of Service attacks. • Scanning ports and services. • Replication of Worms, Trojan, Virus. • Spoofing Attacks ( Arpspoof, Dns spoof Attacks ). Triggering Vulnerabilities • Exploiting Buffer Overflow attacks. Zero Day Attacks • Attacks that aren’t known.
- 9. Intrusion Detection System An Intrusion detection system (IDS) is software or hardware designed to monitor, analyze and respond to events occurring in a computer system or network for signs of possible incidents of violation in security policies. It is more advanced packet filter than conventional firewall. Analyses payload of each packet with predefined signature or anomaly and flags the traffic as good or malicious . Malicious packets logged for further analyses by network administrator
- 10. SNORT : OpenSource IDS / IPS • Open source, freely available IDS software except for rules • Installed as dedicated server on Windows and Linux, Solaris operating systems • Placed as network sensor in a network • Rules are set of instructions defined to take certain action after matching some sort of signatures • Works in three modes • Sniffer Mode : sniffs each packet receiced • Packet Logger Mode : logs packets to a file • Intrusion Detection / Prevention Mode : each packet is compared with signature and if match found, flagged as alert.
- 11.
- 12. Signature Based IDS Workssimilar to Antivirus Low false positive rates Highly effective towards well known attack Fails to identify Zero Day Attacks, Advanced Malware Attacks. Can be Bypassed by changing the signature of attack. Signature Based IDS analyses content of each packet at Layer 7 and compares it with a set of predefined signatures.
- 13. Anomaly Based IDS Monitors network traffic and compares it against an established baseline for normal use and classifying it as either normal or anomalous. Based on rules, rather than patterns or signatures. Can be accomplished using Artificial Intelligence and strict mathematical modelling technique. Prone to high false positive rate
- 14.
- 15. Host Based IDS •Software (Agents) installed on computers to monitor input and output packets from device • It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. • Examples: • Cisco Security Agent (CSA) , Tripwire web server
- 16. Host Based IDS Firewall AgentAgent Agent Agent Agent Agent DNS server Agent Agent Internet WWW Server
- 17. Network Based IDS •Connected to network segments to monitor, analyse and respond to network traffic. • A single IDS sensor can monitor many hosts • NIDS sensors are available in two formats • Appliance: It consists of specialized hardware sensor and its dedicated software. The hardware consists of specialized NIC’s, processors and hard disks to efficiently capture traffic and perform analysis. • Examples: Cisco IDS 4200 series, IBM Real Secure Network • Software: Sensor software installed on server and placed in network to monitor network traffic. • Examples: Snort
- 18.
- 19. Passive Detection Mode: IDS DNS server WWW server Sensor Firewall Management System Router Switch Internet Internal Network Configured as span port
- 20. Inline Mode :IPS TargetManagement System The sensor resides in the data forwarding path. If a packet triggers a signature, it can be dropped before it reaches its target. An alert can be sent to the management console. Sensor Attacker
- 21. Access Control ListRule • List of conditions that controls access to any network resource, filter unwanted traffic and used to implement security policy. • Used to filter traffic at any interface on the basis of source ip, protocol, destination port, destination ip etc. • Example : config # access-list 25 permit 192.168.1.0 0.0.0.255 config # access-list 102 deny ip any any • These ACL must be associated with the interface where filter needs to be applied. config # inter f0/0 (config-if) # ip access-group 25 out
- 22. Scenario I :Internal Attack Firewall Management Server Router Switch CONFIGURED AS SPAN PORT Internet Attacker Ubuntu Windows ATTACKER (BACKTRACK) & VICTIM (UBUNTU , WINDOWS) ARE CONNECTED TO SAME NETWORK ATTACKER TRYING TO FINGERPRINT THE VICTIM USING NMAP IDS SENSOR WILL RECEIVE A COPY OF EACH PACKET SEND AND RECEVIED BY ATTACKER THROUGH SPAN PORT IDS SENSOR ANALYSES CONTENT OF EACH PACKET , IF THE PAYLOAD MATCHES WITH PREDEFINED SIGNATURE. THEN , IT IS FLAGGED AS AN ALERT AND DETAILS ARE SAVED IN THE MYSQL DATABASE MANAGEMENT SERVER IS USED TO VIEW THESE ALERTS VIA WEB INTERFACE BY THE NETWORK ADMINISTRATOR NETWORK ADMIN CAN FIRE ACCESS CONTROL LIST RULE (ACL) ON THE SWITCH TO BLOCK THE ATTACKER NOW WHEN ATTACKER TRIES TO REACH THE VICTIM (WINDOWS), HIS PACKETS WILL BE DISCARDED IDS Sensor ACL RULE UPDATED SUCCESSFULLY
- 23. Scenario II :External Attack Firewall Router Switch CONFIGURED AS SPAN PORT Mac Ubuntu Windows Internet ATTACKER SENDS MALICIOUS PACKET INTO THE NETWORK IDS RECEVIES THE TRAFFIC, ANALYSES IT AND IF MALICIOUS STORES ALERT IN DATABASE. NETWORK ADMIN TRIGGERS ACL RULE TO BLOCK THE ATTACKER IDS SensorManagement Server Attacker ADMIN CAN VIEW ALERT VIA WEB CONSOLE ATTACKER IS CONNECTED VIA INTERNET ( OR OTHER UNTRUSTED NETWORK) ACL RULE UPDATED SUCCESSFULLY NOW WHEN ATTACKER AGAIN TRIES TO ACCESS THE VICTIM, HIS PACKETS ARE DISCARDED
- 24. How to protectIDS / IPS ? • Don't run any service on your IDS sensor. • The platform on which you are running IDS should be patched with the latest releases from your vendor. • Configure the IDS machine so that it does not respond to ping (ICMP Echo-type) packets. • User accounts should not be created except those that are absolutely necessary.
- 25. Conclusion • Intrusion detectionsystem (IDS) is software or hardware designed to monitor, analyze and respond to network traffic . • Can be classified as Profile or Signature based intrusion detection. • IDS is used as promiscuous mode protection • IPS is used as Inline mode protection for securing internal network • Cisco 4200 series IDS and IPS sensors offer rich set of features for IDS and IPS • Snort is an open source, free IDS and can operate in sniff , logging and Intrusion detection/prevention modes. Snort uses rules to analyze traffic. • Each packet is inspected by IDS, if found malicious is flagged as alert and saved in MySql Database. • Network Administrator can view these alerts using Snort Report and trigger Access Control List rule to block the Attacker.
- 26.