
CT-556

Intrusion Detection

Instructor:
M. Hassan Nasir
Lecture # 02

ID Products and
Components
OUTLINE
▪ Selection of IDS Tool
▪ IDS Tools
▪ Snort
▪ Installation
▪ Configuration
▪ Testing
Selecting IDS Tool

Stakeholders involved in selecting an IDS (figure, flattened):
• Management
• Network / Information System Security Admin Team
• Database Admin
• Owner of Critical Data
Selecting IDS Tools

• How to monitor the system for intrusion attempts.
• What traffic should be monitored.
• How to log intrusion attempts.
• What to do when an intrusion attempt is detected.

Some Famous IDS Tools

IDS categories (figure, flattened): NIDS, HIDS, Hybrid
Tools shown: Snort, Zeek, Suricata, OSSEC, Samhain, SolarWinds, Sagan, Splunk, IBM QRadar
Snort
• Leading NIDS
• Windows / Linux based
• Signature / rule based
• Customizable
• Packet logging and sniffing as well as intrusion detection
• Supports TCP, UDP, ICMP and IP
Components of Snort
Packet decoder
• Decoding is one of the first processes a packet goes through in Snort.
• The decoder operations:
▫ Determine the underlying protocols
▫ Locate the payload / application data in the packet (which it does not try to decode)
▫ Determine the size of this payload for use by the preprocessor and detection engines
▫ Inspect packet headers for anomalies
Preprocessor

• Preprocessors give Snort the ability to handle data stretched over multiple packets.
• Snort uses preprocessors to canonicalize data in protocols where data can be represented in multiple ways.
Detection engine

• Primary Snort component. It has two major functions:
▫ Rules parsing
▫ Signature detection
• The detection engine builds attack signatures by parsing Snort rules. Snort rules are read line by line and loaded into an internal data structure.
Logging & Alerting
Output modules

• Responsible for generating flexible outputs.
• Multiple output plugins may be specified in the Snort configuration file.
▫ When multiple plugins of the same type (log, alert) are specified, they are stacked and called in sequence when an event occurs. The output plugins send their data to the log directory or to a user-directed directory (using the -l command line switch).
Output alert / log to file

• The outputs can be in the form of:
▫ Displaying alert messages
▫ Sending alerts to the Network / SIEM administrator
▫ Storing / saving logs in a file
Snort Installation steps
Step I: Downloading the Windows executable
Step II: Downloading the Snort rules
Rule directories
Step III: Downloading Npcap
Installing Snort on Kali Linux

• Step I: Update the package database
▫ sudo apt-get update (or sudo apt update)
• Step II: Install Snort
▫ sudo apt -y install snort
▫ Snort will be installed in the /etc/snort folder


Configure Snort (Windows)

• Open the C:\snort\etc\snort.conf file
• Set the internal and external networks
▫ ipvar HOME_NET 10.129.0.0/16
▫ ipvar EXTERNAL_NET !$HOME_NET
• On Windows, replace forward slashes in paths with backslashes (\)
• Set the whitelist / blacklist file paths
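The detection engine's rule parsing (rules read line by line into an internal structure) and the HOME_NET / EXTERNAL_NET ipvar settings above, illustrated with a small Python rule loader and matcher. This is an added example, not Snort's own code or the lecture's: the IPVARS table, the sample rules and the decoded packet dicts are constructed for the demo, and it handles only the rule header plus the msg, sid and content options.

```python
import ipaddress
import re
# Constructed ipvar table mirroring the lecture's HOME_NET / EXTERNAL_NET settings.
IPVARS = {"HOME_NET": "10.129.0.0/16", "EXTERNAL_NET": "!$HOME_NET"}
# Rule header layout: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(?:->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def resolve(spec):
    """Expand $VAR references, folding '!' prefixes; returns (negated, cidr or 'any')."""
    neg = False
    while spec[0] in "!$":
        neg, spec = (not neg, spec[1:]) if spec[0] == "!" else (neg, IPVARS[spec[1:]])
    return neg, spec

def ip_matches(spec, ip):
    neg, cidr = resolve(spec)
    return neg != (cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False))

def parse_rule(line):
    """Load one rule line into a dict (the slide's 'internal data structure')."""
    m = HEADER_RE.match(line.strip())
    if not m: raise ValueError(f"malformed rule: {line!r}")
    rule = dict(zip(("action", "proto", "src", "sport", "dst", "dport"), m.groups()))
    for opt in filter(None, (o.strip() for o in m.group(7).split(";"))):  # 'key:value;' pairs
        key, _, val = opt.partition(":")
        rule[key.strip()] = val.strip().strip('"')
    return rule

def matches(rule, pkt):
    """pkt is a decoded packet dict: proto, src, sport, dst, dport, payload (bytes)."""
    ports_ok = all(s == "any" or int(s) == pkt[k] for s, k in ((rule["sport"], "sport"), (rule["dport"], "dport")))
    return (rule["proto"] in ("ip", pkt["proto"]) and ports_ok
            and ip_matches(rule["src"], pkt["src"]) and ip_matches(rule["dst"], pkt["dst"])
            and ("content" not in rule or rule["content"].encode() in pkt["payload"]))

def alerts(rules_text, packets):
    """Read rules line by line (skipping blanks and '#' comments); return (sid, msg) per hit."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip() and not l.startswith("#")]
    return [(r.get("sid"), r.get("msg")) for p in packets for r in rules if matches(r, p)]

SAMPLE_RULES = """# local.rules (constructed sample rules for this demo)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH from outside"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP to internal host"; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"curl User-Agent"; content:"curl/"; sid:1000003; rev:1;)
"""
SAMPLE_PACKETS = [  # constructed decoded packets, not real traffic
    {"proto": "tcp", "src": "203.0.113.5", "sport": 51000, "dst": "10.129.1.10", "dport": 22, "payload": b"SSH-2.0"},
    {"proto": "icmp", "src": "10.129.1.10", "sport": 0, "dst": "10.129.1.11", "dport": 0, "payload": b""},
    {"proto": "tcp", "src": "10.129.1.10", "sport": 40000, "dst": "198.51.100.7", "dport": 80, "payload": b"User-Agent: curl/8.0"},
]
```

Calling alerts(SAMPLE_RULES, SAMPLE_PACKETS) fires one rule per sample packet; a rule whose content option itself contains a semicolon is outside this simplified parser.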
Displaying Snort's Version

• snort -V
Testing Configuration
• snort -i 1 -c c:\snort\etc\snort.conf -T (Windows)
• snort -i eth0 -c ./snort.conf -T (Linux)
Running Snort
• snort -i 1 -c c:\snort\etc\snort.conf -A console (Windows)
• snort -i eth0 -c ./snort.conf -A console (Linux)
Running Snort (Cont'd)
• Ctrl + C to exit
Running Snort (Linux)

• snort -i eth0 -c ./snort.conf -A console -l /logs


Questions / Queries
