Survey of Intrusion Detection Systems Prepared by: tahir ejaz under Supervision of: Dr. Asim karim march 09, 2005

Download 117.48 Kb.

Date	31.01.2017
Size	117.48 Kb.
	#12842

Survey of Intrusion Detection Systems

Prepared by: TAHIR EJAZ
Under Supervision of: Dr. ASIM KARIM
March 09, 2005

Chapter 1: Introduction to IDS 3

1.1-Intrusions and Intrusion Detection Systems: 3

1.2-Approaches Employed for Detection of Intruders: 3

1.3-Categories of Attacks: 4

Chapter 2: Categories of Intrusion Detection Systems 6

2.1-Network Intrusion Detection System vs. Host Intrusion Detection Systems: 6

2.2-Intrusion Detection Systems vs. Intrusion Prevention Systems: 6

2.3-Single Site IDS vs. Distributed IDS: 6

Chapter 3: An Overview of Different IDS Available Today 8

3.1-Active Scout (Stop attackers based on their “proven intent” to attack) 8

3.1.1-Architecture of Active Scout 9

3.1.2-System Requirements: 10

3.2-Attack Mitigator IPS 5500 (High Performance Inline Network and Application Layer Protection) 11

3.3-BLINK: End Point Vulnerability Prevention 13

3.3.1-System Requirements: 13

3.4-Border Guard 16

3.5-Entercept: (McAfee) 19

3.5.1-System Requirement: 20

3.6-IntruShield: (McAfee) 21

3.6.1-System Requirements: 25

3.7-Symantec Host IDS 28

3.7.1-System Requirements: 28

3.8-Symantec Intruder Alert 29

3.8.1-System Requirements: 29

3.9-Symantec Network Securit: (Formerly “Symantec ManHunt”) 30

3.9.1-System requirements: 30

3.10-iForce IDS Appliance (Powered by Sun and Symantec) 32

3.11-iForce Intrusion Management Appliance (Powered by Sun and Sourcefire) 33

3.12-SNORT 34

3.13-BRO 36

3.13.1-System Requirements: 37

Chapter 4: Summary of More IDS 39

Chapter 1: Introduction to IDS

Computer Networks have grown from collection of a few computers to nowadays prevalent world wide network of computers (i.e. Internet) comprising of millions of computers. However, the standards and protocols devised for communication among computers in early networks have not been upgraded and updated with the same pace as that of increasing sizes of computer networks. This leads us to the problem of prospective misuse and exploitation of those protocols etc. Today the most important and hottest issue of networks community is “computer network security”.

1.1-Intrusions and Intrusion Detection Systems:

How a network can be safeguarded from possible misuse? This word misuse in this question has multiple dimensions and it can adopt many definitions depending upon the situation. Some of the possible situations where this term can apply are:

Getting confidential information from a computer/network (Unauthorized Access)
Using resources of someone else without his/her consent (Unauthorized Usage)
Making a computer do malfunctioning (Viruses)
Assuming someone else’s identity in a transaction
Stopping a system from doing its routine job (DoS)

All these are the major problems to be resolved in any computer network ranging from LAN, WAN to wireless connections.

During the course of time, different solutions have emerged for these problems, e.g. use of firewalls, VPN’s etc. However, these solutions are not flexible enough. Another solution which has emerged in the recent years is known as “Intrusion Detection System” or IDS. In the perspective of IDS, every misuse of the computer network is termed as an intrusion. It is the responsibility of IDS to detect all intrusive attempts made by the malicious users.

1.2-Approaches Employed for Detection of Intruders:

There are two approaches that can be employed by an IDS for the purpose of detecting intruders:

Misuse Detection
Anomaly Detection

In case of misuse detection, the Intrusion Detection System has a database of patterns of possible misuses of the network. It simply matches each network use with its database of patterns, and if a particular network usage is matched with some pattern then it is declared as intrusion. This approach is also known as signature based intrusion detection. One problem with the signature based intrusion detection is that it can detect only known attacks/intrusions. It is unable to detect yet unknown attacks (termed as zero-day attacks), as those attacks are not present in the database of intrusion detection system.

Second approach for intrusion detection is “anomaly detection”. In this approach a normal usage pattern of the network is obtained and then every network usage that doesn’t follow that normal is considered anomalous and declared as an attack. In this approach there is no need to first establish the database of signatures. So even zero-day attacks can be detected using anomaly detection approach. Anomaly detection approach is not free of problems, however. First, it is very difficult to establish a model of the normal network usage. Second problem with anomaly detection approach is its high rate of false positive. If a non-intrusive network usage does not fit in the model, then that would also be declared as an attack.

1.3-Categories of Attacks:

Attacks are basically of two types

Targeted attacks
Mass attacks

Targeted attacks are those attacks which are done to achieve some purpose in mind (e.g. to get secret information of competitor organization), and these attacks have some known and planned destination. Whereas, mass attacks are done blindly without any specific purpose (may be just for fun).

Attacks can be viewed in another dimension:

Informed attacks
Uninformed attacks

Intruders basically exploit the weaknesses and vulnerabilities in the network. To get the information about the weak points in a network they first gather information/intelligence about the network and its weak points (known as reconnaissance or simply recon activity), and after that they launch actual attack. These kinds of attacks are known as informed attacks. There are uninformed attacks as well, when the intruder needs not to get information about the internal vulnerabilities of a network. One such kind of attacks is DoS and DDoS attacks, where the intruder simply keeps on sending network messages to some particular host and the host becomes unable to keep pace with the speed of incoming traffic and becomes operationally suspended. Targeted attacks can be informed as well as uninformed, whereas, mass attacks are usually uninformed.

All these things put a lot of pressure on an intrusion detection system and make the job of designing an IDS more challenging. In the following chapter we highlight some grounds on which intrusion detection systems can be classified.

Chapter 2: Categories of Intrusion Detection Systems

Although basic theme of all intrusion detection systems is same—to detect the exploitation of network usage, there are certain grounds on the basis of which intrusion detection systems can be classified into different categories. In rest of this chapter we will discuss some such classes of intrusion detection systems.

2.1-Network Intrusion Detection System vs. Host Intrusion Detection Systems:

Network intrusion detection systems (NIDS) are meant to serve for the security of the whole network. These systems are normally placed at network perimeters and other critical places in the network. These systems monitor all the traffic coming in and going out of the network and signal when some malicious packet arrives.

Host Intrusion Detection Systems (HIDS) are used to save a single host from possible intruders. These are installed on the asset to be saved. Normally these systems are used for the crucial assets of the organization e.g. servers etc. HIDS can be used with NIDS for additional security of key assets of an organization.

2.2-Intrusion Detection Systems vs. Intrusion Prevention Systems:

Intrusion Detection Systems (IDS) are primarily used to analyze the traffic pattern. When an intrusive packets come in these systems send alarm to the even management module.

In case of an Intrusion Prevention System (IPS), the intrusive messages are treated by IPS itself. Treatment of intrusion can range from simply dropping the malicious packets, to blocking the sender and can even take a form of some counter measure. Intrusion Prevention Systems are installed inline in on the network.

2.3-Single Site IDS vs. Distributed IDS:

As the name suggests, single site IDS are used to control the network threats on a LAN, whereas distributed IDS support the protection of wide area network and remote offices as well. Single site IDS are appropriate for small and medium enterprise. For big organizations, distributed IDS are required. One advantage the distributed IDS provide is the central management of the intrusion detection. Moreover, in a distributed environment different IDS can share the attack information among each other to make the mechanism of intrusion detection more efficient.

Chapter 3: An Overview of Different IDS Available Today

There are plenty of intrusion detection systems—ranging from host IDS to network IDS—available for enhancement of the security of individual resources as well as networks of organizations. Some of the IDS are available for free whereas others can be purchased commercially.

3.1-Active Scout (Stop attackers based on their “proven intent” to attack)

Active Scout is an automatic intrusion prevention system. It safeguards a network from prospect intrusions by actively monitoring all the incoming and outgoing traffic to and from the network. Working principle of Active Scout is based on the assumption that every attack has some pre-attack activity. Relying on this assumption it has developed its own patented technology called Active Response. Active Response technology works in three phases. In the first phase, called Reception, when an attacker conducts reconnaissance on the network, Active Scout detects that recon activity. In the second phase, called Deception, Active Scout responds to the recon activity with the required information but this information has a mark on it. In the third phase, called Interception, because of the presence of its own generated mark with the attack, Active Scout identifies the actual attack as it is launched, and immediately takes counter measures.

Active Scout system has two configurations:

Active Scout Site Solution is for the networks which have single access point to the internet. It comprises of two components:
- Scout, and
- Site Manager
Active Scout Enterprise Solution is for the networks which have multiple access points to the internet. It comprises of three components:
- Scouts,
- Server Manager, and
- Enterprise Manager

3.1.1-Architecture of Active Scout

Active Scout comprises of three components.

Scout:

Scout is a dedicated computers placed outside the firewall perimeter of the network. Monitoring of all the traffic is responsibility of this component. On the basis of this monitoring activity, the scout identifies attackers and takes counter measures.

Management Server:

This component is present in the Active Scout Enterprise Solution only. Because of multiple access points to the internet, multiple scouts are required to monitor the network traffic. Management Server is an aggregation devise which collects the attack information from individual scouts spread throughout in the organization and distributes that information to all scouts. It also provides this information to the Enterprise Manager for reporting purposes.

Site Manager / Enterprise Manager:

This component is a java-based management application which provides interface and means to manage the Scouts. It is also equipped with the reposting facility and it can provide a visual overview of the Scouts’ threat prevention activity.

Figure 3.1.1: Architecture of Active Scout Enterprise Solution (Courtesy of ForeScout Technologies Inc.)

3.1.2-System Requirements:

Active Scout Solution installed on Intel-compatible machines. There is no need for any operating system for Scouts and Management Servers, as ForeScout’s own operating system (included in the solution) will run on those machines. Following figure gives a detailed description of the system requirements of different components of Active Scout Solution.

Figure 3.1.2: System Requirements for different components of Active Scout Site/Enterprise Solution

(Courtesy of ForeScout Technologies Inc.)

3.2-Attack Mitigator IPS 5500 (High Performance Inline Network and Application Layer Protection)

Attack Mitigator IPS 5500 is an intrusion prevension system by Toplayer, which is one of the leading companies dealing in the network security products. IPS 5500 is especially good in addressing the problems of DDoS (Distributed Denial of Service), protocol attacks and application attacks etc.

Attack Mitigator is a not a software solution rather it is a hardware device and it incorporates TopFire^TM second-generation ASIC technology as well as it incorporates FPGA. Attack Mitigator is an inline IPS and it investigates not only packets with suspicious and malicious contents, but it also investigates those connections which employ extreme rates of traffic to safeguard resources from attacks like DDoS etc. Attack Mitigator performs statefull inspection of the traffic flowing through it. It uses the specialized TopInspect^TM deep packet inspection algorithm.

Following table lists protection offered by Attack Mitigator at different layers of the network:

Figure 3.2.1: Protection at different levels (Courtesy of Toplayer)

The IPS 5500 family offers three products depending on the throughput of the network.

IPS 5500-100 (for 100BASE-TX Network)
IPS 5500-500 (for Gigabit Ethernet Network with 50% load)
IPS 5500-1000 (for Gigabit Ethernet Network)

Attack Mitigator is well suited for both

Perimeter Security, and
Protection of Critical Server Resources

To manage more than one IPS 5500 devices, Top Layer’s intrusion Response Engine provides event-logging format for integration with leading event management tolls. Following figure shows IPS 5500 in action working as network IPS with two devices deployed at the perimeter:

Figure 3.2.2: Network Intrusion Prevention using 2 IPS 5500 devices at network perimeter.

IPS 5500 supports Active-Active operation with dedicated ports for state sharing, and it also incorporates the features of intelligent load sharing as well as of fail-over for non-stop protection.

3.3-BLINK: End Point Vulnerability Prevention

Blink is a product form eEye Digital Security. It is a host based intrusion prevention system. Blink agents resides on the resource to be protected (e.g a server or a workstation) and it protects that asset from intrusions and worms etc. It also curbs the attacks generated from the asset it is residing on. Basic theme of Blink is that just protecting the network perimeter is not enough; individual digital assets should also be protected in addition. Blink protects the asset by doing vulnerability assessment on a periodic basis. For the purpose of vulnerability assessment Blink uses eEye’s Retina’s vulnerability database. Blink analyzes each packet of network traffic passing through the host both at system level as well as at application level. Blink has the option for remote deployment and it has added features for centralized management of the whole network of hosts protected by Blink agents with the help of Blink’s Security Console.

3.3.1-System Requirements:

Blink:

OS Workstation: Windows NT 4 (SP6), Windows 2000 (SP3) or Windows XP
OS Server: Windows NT Server, Windows 2000 Server, Windows 2000 Advanced Server or Windows Server 2003
233 MHz or higher Intel Pentium II or compatible processor
128 MB of RAM
40 MB of free disk space

Console:

OS Workstation: Windows 2000 (SP3) or Windows XP
OS Server: Windows 2000 Server, Windows 2000 Advanced Server or Windows Server 2003
233 MHz or higher Intel Pentium II or compatible processor
256 MB RAM
50 MB hard-disk space required for installation
.Net Framework 1.1

Following figure gives a comparison of different Host based security solutions with Blink:

3.4-Border Guard

Border Guard is a product by “Still Secure”. Border Guard can be used both as an IDS as well as it can be used as an IPS, depending on the manner it is installed on the network. Following figure shows the scenario for both the cases:

Figure 3.4.1: Border Guard: Both an IDS and an IPS (Courtesy of Still Secure)

Border Guard doesn’t alarms for every considered attack, rather it employs the cycle of (Detect  Qualify  Respond  Manage & Report)

in order to eliminate false positives.

In the Detection phase, it detects different attacks using signature analysis, anomaly analysis etc. One important feature of Border Guard is that it accommodates the use of SNORT—an open source IDS—signatures.

In the Qualify phase it filters out false positives on the basis of certain criteria such as “Accessible Device Protection” etc.

In the response phase, Border Guard responds to (only) qualifying attacks. The response depends upon the manner in which Border Guard is installed i.e. whether it is working as an IDS or as an IPS.
In the Manage and Report phase, Body Guard manages errors (sorts them by type, frequency etc.) for the purpose of efficient reporting.

Figure 3.4.2: D-Q-R-M cycle used by Border Guard (Courtesy of Still Secure)

Border Guard can be placed at many places in the network; perimeter, gateway, Wireless interface etc.

Figure 3.4.3: Different places for installation of Border Guard (Courtesy of Still Secure)

In case of multiple instances of Border Guard, Border Guard’s Multi-node manager can centrally manage all the instances giving flexibility for scalability. Multi-node manager can be used to share attack information and rules among different instances of Border Guard.

In the following figures, information is given about system requirements for Border Guard and features of different versions (SMB, Enterprise etc.) of Border Guard.

Figure 3.4.4: System Requirements for Border-Guard (Courtesy of Still Secure)

Figure 3.4.5: Features of different products of Border Guard (Courtesy of Still Secure)

3.5-Entercept: (McAfee)

Entercept is the Host Intrusion Prevention System by McAfee. It employs a 3-way strategy to prevent a host from possible exploitation. Elements of this 3-way strategy are:

To detect zero-day attacks it uses a collection of behavioral rules (violation of these rules would be deemed as attack).
For known attacks, it uses signatures, to keep false negative rate down.
It uses system level firewall. However, this feature is prevalent only in Windows version.

Following figure depicts the use of 3-way strategy:

Figure 3.5.1: Use of 3-way strategy for effective protection (Couresy of McAfee)

McAfee’s Entercept is a scaleable IPS and up to 10,000 agents can be managed by a single manager. It also provides the flexibility of customizing the level of protection, which can be set ranging from logging to blocking.

Entercept comes in two versions:

McAfee Entercept Standars Multi-Platform Server Agent
McAfee Entercept Desktop Agent

The server agent supports multiple platforms, whereas, desktop agent can be use with Windows only.

3.5.1-System Requirement:

For McAfee Entercept Standars Multi-Platform Server Agent:

Figure 3.5.2: System Requirement for Server Agent (Courtesy of McAfee)

For McAfee Entercept Desktop Agent:

Figure 3.5.3: System Requirement for Server Agent (Courtesy of McAfee)

3.6-IntruShield: (McAfee)

IntruShield is the Network Intrusion Prevention System (NIPS) by McAfee. For the purpose of intrusion prevention, IntruShield uses

Patented signature
Anomaly detection, and
Denial of Service (DoS) analysis technique

A distinct feature of IntruShield is that in addition to prevention of known and zero-day attacks, it attempts to detect and prevent encrypted attacks and spyware.

IntruShield product family consists of six purpose-built network IPS sensor appliances:

IntruShield 4010
IntruShield 3000
IntruShield 1400

IntruShield 4000
IntruShield 2600
IntruShield 1200

Following figures describe briefly the key features of each of these products:

Figure 3.6.1: Salient features of IntruShield 4010 (Courtesy of McAfeee)

Figure 3.6.2: Salient features of IntruShield 4000 (Courtesy of McAfeee)

Figure 3.6.3: Salient features of IntruShield 3000 (Courtesy of McAfeee)

Figure 3.6.4: Salient features of IntruShield 2600 (Courtesy of McAfeee)

Figure 3.6.5: Salient features of IntruShield 1400 (Courtesy of McAfeee)

Figure 3.6.6: Salient features of IntruShield 1200 (Courtesy of McAfeee)

IntruShield does thorough and deep analysis of the traffic going through it. It does stateful traffic analysis by parsing of more than 100 protocols, and over 3,000 signatures. It also performs DoS statistical analysis for both clear-text as well as encrypted malicious traffic. Also, IntruShield can handle up to 1 million sessions.

For signature based detection, IntruShield employs context-sensitive signature detection. Over 3,000 signatures of IntruShield are written for protection against known vulnerabilities, as IntruShield focuses on vulnerabilities as opposed to individual exploits. By using this strategy IntruShield can detect some new attacks without requiring new signatures. For the definition of signatures, IntruShield uses proprietary, high level Signature Specification Language. It also keeps its signatures separate from the sensor software. This feature facilitates addition of new signatures with less effort. New signatures are automatically pulled by the IntruShield Manager software at customer sire and depending on the policy rules these new signatures can be pushed to individual sensors by IntruShield Manager automatically. Moreover, IntruShield Manager also provides graphic user interface for defining user-defined signatures.

IntruShield employs statistical analysis techniques for detection of anomalous behavior of the traffic. It also keeps track of protocol anomaly as well as application anomaly in the incoming traffic.

Another compelling feature of IntruShield is its treatment of DoS attacks. IntruShield Sensors can use threshold based techniques for the detection of DoS attacks and in addition use a patented algorithm using self learning, profile-based DoS attacks detection. The management of profile is highly granular. A profile can be created form a collection of IP addresses to a single host.

An IntruShield Sensor can be segmented into up to 1,000 virtual sensors each having its own security policy.

Figure 3.6.7: Virtual segmentation of IntruShield Sensor (Courtesy of McAfee)

This feature of virtual segmentation gives a lot of flexibility in implementing a heterogeneous set of security policies with single IntruShield Sensor.

Depending on the need and requirement of the organization IntruShield can be deployed in any of the following modes:

In-Line Mode
Port Clustering
High Availability with Stateful Failover
SPAN and TAP Modes

Following figure shows different deployment options for IntruShield:

Figure 3.6.8: A comprehensive snapshot of overall network (Courtesy of McAfee)

3.6.1-System Requirements:

In the following pages are the figures describing the IntruShield Sensor specifications, both hardware and software.

Figure 3.6.9: IntruShiled Sensor Specifications (Hardware) (Courtesy of McAfee)

Figure 3.6.10: IntruShiled Sensor Specifications (Software) (Courtesy of McAfee)

3.7-Symantec Host IDS

Host IDS is the name of a product by Symantec, which is used to protect the critical resources of an organization from possible exploitations. Host IDS has three components:

Process Reporter
Process Monitor
Process Blocker

Process Reporter is used to get access to the process data so that administrator be in a decisive position regarding security.

In the module named Process Monitor, the administrators can define different security configurations to govern organizations overall security policy.

And the Process Blocker takes measures against malicious processes.

Host IDS is a scalable product, and can be easily managed by a single administrative console. Moreover, administrators can automatically get new signatures through centralized management console.

3.7.1-System Requirements:

Windows 2000/Xp/Nt 4.0/2003 Enterprise Edition
- 677 MHz CPU required
- 256 MB memory required
- 70 MB free disk space
- Minimum of 1 Ethernet network card
AIX 5.1/5.2, HP-UX 11i, Red Hat Linux 7.3, Solaris 8 And 9
- 500 MHz CPU required
- 128 MB memory required
- 500 MB free disk space required
- Minimum of 1 Ethernet network card
Console Machine
- Microsoft® Internet Explorer 5.5 or higher

3.8-Symantec Intruder Alert

Symantec Intruder Alert is also a host bade intrusion detection systems. On detection of intrusion it generates an alarm so that appropriate action is taken. Following figure (by courtesy of Symantec) depicts the graphic view of Intruder Alert:

Intruder Alert can be integrated with NetProwleer SNMP capabilities and work as an IDS for protecting the enterprise network.

3.8.1-System Requirements:

Management Console: Windows Nt, Hp-Ux, Sun Solaris™
Agents: Aix, Digital Unix,™ Hp-Ux, Solaris, Windows Nt, Windows 2000, Windows Server 2003 Enterprise Edition, Netware
Manager: Aix, Hp-Ux, Solaris, Windows Nt

3.9-Symantec Network Securit: (Formerly “Symantec ManHunt”)

Symantec Network Security is a network intrusion prevention system. It uses IMUNE (Intrusion Mitigation Unified Network Engine), for detection of attacks. This engine integrates following techniques:

Protocol Anomaly
Signatures
Statistical Analysis
Vulnerability Attack Interception

Symantec Network Security is a high speed intrusion prevention system and it can do intrusion detection at speed up to 2 gigabits per second.

3.9.1-System requirements:

Symantec Network Security 4.0 (formerly Symantec ManHunt™ 3.0)

Operating System Requirements
- Sun® Solaris 9 SPARC® Platform Edition • Red Hat® Enterprise Linux® 3.0 ES (on Intel processors)
Memory Requirements
- 1 GB - 4 GB RAM based on the number of monitoring interfaces and maximum concurrent connections
Hardware Requirements
- Symantec Network Security 4.0-certified platform and hardware configuration
- 1 Network Interface for each monitored device (up to 12 fast Ethernet or 6 GB Ethernet)
- 1 Network Interface for administration/management

Symantec Network Security Management Console 4.0

Processor Intel® Pentium® or compatible
- 1.6 GHz or higher
Operating System
- Microsoft Windows 2000 or XP, Red Hat Enterprise Linux 3.0 ES
Memory
- Minimum 256 MB (512 MB recommended)
Disk Space
- 50 MB for installation, 100 MB post installation
Screen Resolution
- 1024 x 768 or higher
Java
- Sun Java™ Runtime Environment (J2RE) version 1.4.2

3.10-iForce IDS Appliance (Powered by Sun and Symantec)

iForce IDS Appliance is a preconfigured device for detection of intrusive attacks on an enterprise network. This device has emerged out of joint efforts of two leading organizations, Sun and Symantec. This appliance has pre-installed hardened Solaris OS and the Symantec ManHunt software.
Following figure gives specification of different models of this product:

(Courtesy of Sun Microsystems)

3.11-iForce Intrusion Management Appliance (Powered by Sun and Sourcefire)

iForce Intrusion Management System (IMS) is also a preconfigured device for detection of intrusive attacks on an enterprise network. This device has emerged out of joint efforts of two leading organizations, Sun and Sourcefire. iForce IMS goes beyound intrusion detection, and aims at intrusion management. It has cutom built, high performance database, which is capable of handling billions of events. Foundation of iForce IMS is based on open source SNORT. Following figure shows different aspects of iForce IMS:

(Courtesy of SUN Microsystems)

3.12-SNORT

SNORT is an open source, signature base IDS, developed by Martin Roesch. Initially it was developed to be used for personal convenience in securing the network, however, now it has emerged as a full blown NIDS. SNORT can work as either

A packet sniffer,
A packet logger, or
A network based intrusion detection system (NIDS)

In general, SNORT is used for TCP/IP suit of protocols. For other protocols, custom extensions are required in addition to SNORT software.

SNORT is compatible with the following operating systems:

Linux
Open BSD
Free BSD
Solaris
HP-UX
Mac OS X
Win 32 (Win9x/NT/2000/XP)

SNORT can accommodate up to 100 Mbps traffic load. At 200-300 Mbps its performance starts degrading and at 500 Mbps it is almost finished.

SNORT is logically divided into components. Major components are:

Packet Decoder
Preprocessors
Detection Engine
Logging and Alerting System
Output Module

Packet decoder takes packets from network interface and prepares them to be either preprocessed or sent to the detection engine

Preprocessors are plug-ins that can be used with SNORT to preprocess (e.g. normalize, defragment etc.) data packets before these are analyzed by the detection engine.

Detection engine is the central component of SNORT. And this is where the packets are matched with the rules. Efficency of detection system is very critical and it depends on

Number of rules
Processing power
Memory I/O speed
Network Load

Normally detection engine may apply rules on different parts of the packet (e.g. packet header, Packet Payload etc.).

Logging and alerting system is responsible for logging events and generating alerts on encountering a malicious packet.

Output module is also made up by plug-ins, and it can do:

Send SNMP trap
Send message to syslog facility
Log to a database (e.g. MySQL, Oracle etc.)
And many other things, depending on the configuration.

SNORT uses an n-tier architecture and is typically installed in a 3-tier architecture. The first tier comprises of SNORT sensors, second tier consists of SNORT server and third tier is made up to accommodate SNORT console.

First tier (sensor tier), is the tier where network traffic is monitored for possible exploitation. SNORT software runs on the sensors (in this tier).

Second tier (server tier), combines the alerting data from sensors and presents that in an understandable form (normally in the form of a relational database).

Third tier is basically the analysis tier. Here through management console data is analyzed and trends in data are found out. These analyses may lead to creation of new rules.

3.13-BRO

BRO is also a free, network based intrusion detection system (NIDS). BRO is UNIX based and it also detects intrusions based on the rule-base that contains rules describing intrusive traffic. On finding some malicious packet, BRO issues a log entry; however, it can also initiate some routine as well. BRO is capable to cater the needs of networks with high bandwidth requirements (Gbps).

BRO has its iwn language (BRO Language). All the scripts of BRO are written in this language. User can modify and add to these rules according to his/her network requirements. However, to learn this language is not an essential condition for the BRO user as this knowledge is only required when a modification or addition is needed to be made in the rule-base. All the already there policy script of BRO will run “out of the box”.

BRO has its own techniques for signature matching. BRO signatures are not represented as strings rather those are represented in the form of regular languages (and sting matching with regular expression is much efficient as compared to string matching against strings). BRO not only examines the contents of the network traffic but also the context of the network traffic. This functionality helps BRO in reducing its false positives. BRO doesn’t rely completely on signature matching. It can also analyze network protocols, connections, data amount etc. It also has functionality of storing information about past events which is then used to analyze future events.

An important feaure of BRO is that it SNORT rules can be used with BRO. BRO has a tool “snort2bro” which can convert SNORT signatures into BRO signatures. During the conversion process, this tool makes enhancements to SNORT signatures so that the benefit of BRO’s contextual power is taken.

On detection of malicious packets, BRO can do a lot of things ranging from making log entry at one extreme to blocking the traffic at the other extreme.

Following figure shows a network having BRO as its IDS:

(Courtesy of http://www.bro_ids.org)

3.13.1-System Requirements:

Processor

1 GHz CPU (for 100 BT Ethernet with average packet rate <= 5,000 packets/second)
2 GHz CPU (for 1000 BT Ethernet with average packet rate <= 10,000 packets/second)
3 GHz CPU (for 1000 BT Ethernet with average packet rate <= 20,000 packets/second)
4 GHz CPU (for 1000 BT Ethernet with average packet rate <= 50,000 packets/second)
(Note: these are very rough estimates, and much depends on the types of traffic on the network (e.g.: http, ftp, mail, etc.).

Operating System

FreeBSD 4.10 (http://www.freebsd.org/). BRO works with Linux and Solaris as well, but the performance is best under FreeBSD. In particular there are some performance issues with packet capture under Linux.

Memory

1 GB RAM is the minimum needed, but 2-3 GB is recommended

Hard disk

10 GByte minimum, 50 GByte or more for log files recommended

User privileges

superuser to install BRO, then BRO runs as user bro

Network Interfaces

3 interfaces are required: 2 for packet capture (1 for each direction), and 1 for host management. Capture interfaces should be identical

Chapter 4: Summary of More IDS

Following table gives a summarized view of all the IDS discusses in the previous chapter. In addition, this table and also gives a brief description of some other IDS’s which are not covered in previous chapter.

PRODUCT	SITE ADDRESS	FEATURES	FREE
Active Scout	http://www.forescout.com/activescout.html	The ActiveScout Enterprise consists of three components Scouts Management Server Enterprise Manager Network attacks follow a consistent pattern. Potential intruders perform reconnaissance—scanning and probing for vulnerabilities and configuration details. The information received is then used to launch exploits based on the unique structure and characteristics of the targeted network. ActiveScout uses patented ActiveResponse technology to counteract this attack process with a completely unique strategy, using a three-phase approach.	NO
Attack Mitigator	http://www.toplayer.com/content/products/intrusion_detection/attack_mitigator.jsp	This is an IPS. It s especially good for tackling the DDoS attacks. As it is an IPS so it works by sitting inline the traffic path. It is equivalently suitable for perimeter security as well as for the protection of critical server resources.	NO
AAFID	http://www.cerias.purdue.edu/research/aafid/	The Autonomous Agents for Intrusion Detection Group is composed of a number of students and faculty within the CERIAS at Purdue University who are interested in studying novel distributed methods of Intrusion Detection. Instead of a monolithic Intrusion Detection System (IDS) design, they propose a distributed architecture that utilizes small independent entities, known as Agents, to detect anomalous or malicious behavior. The first complete specification of the AAFID architecture has been finished and proposed in a paper. On the implementation front, the second release of the system implemented using the AAFID architecture, called AAFID2, has been released to the public. AAFID2 is implemented completely in Perl5. (There has not been much activity in the group in recent years.)	YES
Blink	http://www.eeye.com/html/products/blink/	Blink is a host based intrusion detection system. Blink Agent resides on the asset – Server, workstation, laptop etc. and shields the asset from intrusion – worms and targeted attacks. It also prevents asset from unauthorized connections to other machines and stops unauthorized applications from being deployed. Blink requires no user intervention or security expertise	NO
Border Guard	http://www.stillsecure.com/products/bg/	Cost-effective and easy to use, Border Guard offers unparalleled flexibility in responding to attacks, from instantly dropping attack packets or blocking IP addresses, to sending alerts and notifications. As such, Border Guard can function as an intrusion prevention system (IPS) or as an intrusion detection system (IDS), depending upon the configuration.	NO
Bro	http://bro-ids.org/	Bro is a free, network intrusion detection system. Bro is a rule based intrusion detection system. Bro scripts are made up of event handlers that specify what to do whenever a given event occurs. Bro scripts are written in it proprietary ‘Bro Lnaguage’.	YES
Captus 4000	http://www.captusnetworks.com/products/ips_4000.html	The Captus IPS 4000 series is a combined solution for network management and network security. It prevents network attacks including DDoS attacks, port scans, and exploits from unknown worms as well as unsanctioned traffic, such as file-swapping. At the same time, it optimizes the performance and management of valid traffic, including surges in customer traffic.	NO
CISCO	http://www.cisco.com/en/US/products/	Cisco is not a product rather an organization. There are many commercial network security solution and products in the arsenal of Cisco.	NO
Data Sentinel	http://www.ionx.co.uk/html/products/data_sentinel/index.php	Data Sentinel is a highly advanced host based intrusion detection system (HIDS) that empowers user with the ability to maintain the integrity of business critical data, and detect unauthorized access by hackers or viruses.	NO
Dragon Intrusion Defense	http://www.enterasys.com/products/ids/	Designed specifically to meet the unique security requirements of the enterprise environment, Enterasy’s Dragon Intrusion Defense System offers comprehensive features that bring improved security to the enterprise. Dragon, with its unique network-based detection and active response capabilities, modular host intrusion detection components, server management, and event management provides a reliable solution for detecting and responding to the broad array of attacks present in today's constantly changing security landscape.	NO
Emerlad	http://www.sdl.sri.com/projects/emerald/	EMERALD represents state-of-the art in research and development of systems and components for anomaly and misuse detection in computer systems and networks. It aims at: Scalable Network Surveillance High-volume Event Analysis Light-weight Distributed Sensors Generic Infrastructure and Pluggable Components Easy Customization to New Targets and Specific Policies	NO
Entercept IDS	http://www.nai.com/us/products/mcafee/host_ips/category.htm	Award-winning, intrusion prevention solutions of Entercept—a product by McAfee—provides enterprise-class security that is manageable, more cost-effective than detection and monitoring and effectively defends the critical assets of user’s business from malicious attacks like buffer overflows and worm including Code Red, Nimda and the recent SQL Slammer.	NO
eTRUST	http://www3.ca.com/Solutions/Product.asp?ID=163	eTrust Intrusion Detection is a complete session security solution that incorporates three key security capabilities into one package — a comprehensive network intrusion management and prevention system, real-time session monitoring and Internet web filtering. These solutions work together to address specific security requirements, forming a complete network defense without the high-cost, administrative overhead and non-integrative approach associated with separate products from different vendors.	NO
FireProof	http://www.radware.com/content/products/fp/default.asp	FireProof enables the full availability of all best-of-breed security tools including firewalls, Virtual Private Networks and intrusion detection by transforming independent enterprise security tools into a unified switched-based architecture. Extending centralized security resource management, FireProof enables the seamless addition of new security tools, for complete security vendor freedom, with no performance integration overhead. FireProof has won Network Computing Asia Product of the Year.
Firestorm NIDS	http://www.scaramanga.co.uk/firestorm/	Firestorm is a high performance network intrusion detection system (NIDS). At the moment it just a sensor but plans are to include real support for analysis, reporting, remote console and on-the-fly sensor configuration. It is fully pluggable and hence extremely flexible. Firestorm has a comprehensive support for Snort rules.	YES
GFI LANguard SELM	http://www.gfi.com/lanselm/	GFI LANguard S.E.L.M. ships with a security event analysis engine which takes into account the type of security event, security level of each computer, when event occurred (outside or during operating hours), role of computer (workstation, member server or domain controller) and its operation system. Based on this information, GFI LANguard S.E.L.M. can decide whether the security event is critical, high, medium or low. Now user can quickly respond to important security events without being an event log guru and knowing the ins and outs of each Windows event. This is a product for Windows platform.	NO
Host IDS	http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=48	Symantec Host IDS is highly scalable and easily managed from a single administrative console. Administrators can create and deploy monitoring and response policies, collect and archive audit logs for incident analysis and reporting, and automatically receive the latest intrusion signatures through a centralized management console. And the solution includes specialized software agents that support a variety of server platforms.	NO
IDSA	http://jade.cs.uct.ac.za/idsa/	The IDSA project tries to help programmers add a simple form of security awareness to their applications. IDSA does this by providing an integrated reference monitor, logger and IDS which is accessible to applications through a simple API. Applications can use this infrastructure to delegate access control and intruder detection to IDSA	YES
iForce Intrusion Detection Appliance	http://www.sun.com/executives/iforce/security/Symantec/	iForce Intrusion Detection Appliance powered by Sun and Symantec is a comprehensive, pre-configured security solution that offers "out-of-the-box" experience, ease of use, and simplified daily operations to help lower TCO (Total Cost of Ownership). The Sun LX50 server, running the enterprise-class Solaris OS x86, the powerful, two-way server for compute-intensive environments, coupled with Symantec ManHunt security software enables enterprise-wide multi-source event collection. The solution provides a highly effective and coordinated approach to managing intrusion detection security. Symantec ManHunt, a network-based intrusion detection system, protects vital information infrastructures with enterprise-wide high-speed gigabit detection, real-time threat analysis, and policy-based responses to guard against intrusions and attacks. The iForce IDS Appliance gathers intelligence from across the enterprise to quickly identify and respond to both known and unknown (or zero-day) attacks.	NO
iForce Intrusion Management Appliance	http://www.sun.com/executives/iforce/security/sourcefire/index.html	iForce Intrusion Management Appliance, Powered by Sun and Sourcefire is a complete intrusion detection system - delivering all of the capabilities needed to proactively defend against intruders. Sourcefire offers a comprehensive system that gives granular flexibility, scalability, and complete data management.	NO
iForce Intrusion Prevention Appliance (Sleuth 9)	http://www.deepnines.com/	Sleuth9 is a new, proactive, intelligent, intrusion prevention and anti-virus solution specifically designed to stop complex, blended threats. Sleuth9 sits in front of the router and evaluates all network traffic at the packet level, both ingress and egress, to determine what is valid and what is malicious. Sleuth9 detects and automatically prevents cyber attacks from entering or leaving a network by forming a new perimeter of defense against DoS, DDoS, port scans, Trojan horses, self-propagating attacks, worms and viruses, as well as other attacks launched from infected internal or external computers. Sleuth9 is a product of Sun and DeepNine.	NO
Intruder Alert	http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=171	Symantec Intruder Alert is a host-based, real-time intrusion monitoring system that detects unauthorized activity and security breaches and responds automatically. If Intruder Alert detects a threat, it sounds an alarm or takes other countermeasures according to pre-established security policies in order to prevent information loss or theft.	NO
Network Security	http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=156	Symantec Network Security (formerly ManHunt) provides high-speed, network intrusion detection, real-time analysis and correlation, and proactive prevention and response to protect enterprise networks against internal and external intrusions and denial-of-service attacks. The ability to detect unknown threats, using protocol anomaly detection, helps eliminates network exposure and the vulnerability inherent in traditional signature-based IDS products. Symantec Network Security traffic rate monitoring capability allows for detection of stealth scans and denial-of-service attacks that can cripple even the most sophisticated networks.	NO
Shoki IDS	http://shoki.sourceforge.net/	Shoki is a free, open source network intrusion detection system for conducting traffic analysis. The fundamental design goals of shoki are: 1) Simplicity: The components of shoki are designed to be as straightforward (and therefore as easy to understand) as possible. 2) Modularity: The functionalities provided by the various components of shoki are intended to be as decoupled from each other as practically possible. Major features include: Signature matching using libpcap-style filter expressions, Support for searches using POSIX extended regular expressions, Optional support for searches using Perl-compatible regular expressions, Dynamic rule-based signature generation, and Correlation of data from multiple sources.	YES

[Note: The products which are under-lined are discussed in more detail in chapter 3.]

Download 117.48 Kb.

Share with your friends: