Page 1: Final Report

"Autonomous Rule Creation For IDS"

Under the Guidance of

Prof. Gayatri Naik
Certificate

This is to certify that



have satisfactorily completed the requirements of

"Autonomous Rule Creation For IDS"

submitted in fulfilment of the requirements of the University of Mumbai

Department of Computer Engineering

Prof. Gayatri Naik (Internal Guide)    Prof. Vaishali Londhe (Head of Department)

Dr. Rajendra Prasad (External Examiner)    (Principal)

College Stamp

Acknowledgement

It is a matter of great satisfaction and pleasure to present the seminar on "Autonomous Rule Creation Of Intrusion Detection System". We wish to express our sincere thanks and gratitude to our honourable guide Mrs. Prof. Gayatri Naik for her constant guidance and motivation. We also thank her for her valuable support and encouragement throughout the preparation of the seminar, without which the seminar would not have been completed. We wish to express our sincere thanks to H.O.D. Mrs. Prof. Vaishali Londhe, who extended her valuable support during the course of the seminar. We also thank our colleagues who helped in the successful completion of the seminar. Last but not least, we would like to thank all our friends who helped us directly or indirectly. The helping hand rendered by all of them will remain in our memory for a long time. Finally, we acknowledge that cooperation, coordination and hard work are our keywords for success.

Thanking You!

Abstract

Intrusion Detection Systems (IDSs) provide an important layer of security for computer systems and networks. An IDS's responsibility is to detect suspicious or unacceptable system and network activity and to alert a systems administrator to this activity. The majority of IDSs use a set of signatures that define what suspicious traffic is, and SNORT is one popular and actively developing open-source IDS that uses such a set of signatures, known as SNORT rules. Our aim is to identify a way in which SNORT could be developed further by generalising rules to identify novel attacks. In particular, we attempted to relax and vary the conditions and parameters of current SNORT rules, using an approach similar to classic rule learning operators such as generalisation and specialisation. We demonstrate the effectiveness of our approach through experiments with standard datasets and show that we are able to detect previously undetected variants of various attacks.

Nowadays it is very important to maintain a high level of security to ensure safe and trusted communication of information between various organizations. But secured data communication over the Internet or any other network is always under threat of intrusions and misuse. So Intrusion Detection Systems have become a necessary component of computer and network security. There are various approaches being utilized in intrusion detection, but unfortunately none of the systems so far is completely flawless. So the quest for betterment continues. In this progression, here we present an Intrusion Detection System (IDS) that applies a genetic algorithm (GA) to efficiently detect various types of network intrusions. Parameters and evolution processes for the GA are discussed in detail and implemented. This approach uses evolution theory to information evolution in order to filter the traffic data and thus reduce the complexity. To implement and measure the performance of our system we used the KDD99 benchmark dataset and obtained a reasonable detection rate.

Contents

Certificate 01
Acknowledgement 02
Abstract 03
1.1 Definition of IDS 06
2.1 Evolution of IDS
3.1 Types of Intrusion Detection System 12
3.2 Implementation Approaches of IDS 15
3.3 Autonomous rule creation for Signature based IDS
1.1 Definition of IDS

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDSs come in a variety of "flavors" and approach the goal of detecting suspicious traffic in different ways. Intrusion detection (ID) is a type of security management system for computers and networks. An ID system gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). ID uses vulnerability assessment (sometimes referred to as scanning), which is a technology developed to assess the security of a computer system or network.

Intrusion detection functions include:

• Monitoring and analyzing both user and system activities
• Analyzing system configurations and vulnerabilities
• Assessing system and file integrity
• Ability to recognize patterns typical of attacks
• Analysis of abnormal activity patterns
• Tracking user policy violations

ID systems are being developed in response to the increasing number of attacks on major sites and networks, including those of the Pentagon, the White House, NATO, and the U.S. Defense Department. The safeguarding of security is becoming increasingly difficult, because the possible technologies of attack are becoming ever more sophisticated; at the same time, less technical ability is required of the novice attacker, because proven past methods are easily accessed through the Web. Typically, an ID system follows a two-step process. The first procedures are host-based and are considered the passive component; these include inspection of the system's configuration files to detect inadvisable settings, inspection of the password files to detect inadvisable passwords, and inspection of other system areas to detect policy violations. The second procedures are network-based and are considered the active component: mechanisms are set in place to re-enact known methods of attack and to record system responses.

An intrusion detection system (IDS) is a type of security software designed to automatically alert administrators when someone or something is trying to compromise an information system through malicious activities or through security policy violations. An IDS works by monitoring system activity: examining vulnerabilities in the system and the integrity of files, and conducting an analysis of patterns based on already known attacks. It also automatically monitors the Internet to search for any of the latest threats which could result in a future attack. An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.

There are several ways to categorize an IDS. Misuse detection vs. anomaly detection: in misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, misuse detection software is only as good as the database of attack signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and looks for anomalies.

An intrusion detection system (IDS) is an active process or device that analyzes system and network activity for unauthorized entry and/or malicious activity. The way that an IDS detects anomalies can vary widely; however, the ultimate aim of any IDS is to catch perpetrators in the act before they do real damage to resources. An IDS protects a system from attack, misuse, and compromise. It can also monitor network activity, audit network and system configurations for vulnerabilities, analyze data integrity, and more. Depending on the detection methods you choose to deploy, there are several direct and incidental benefits to using an IDS.

The intrusion detection system architectures commonly used in commercial and research systems have a number of problems that limit their configurability, scalability or efficiency. The most common shortcoming in the existing architectures is that they are built around a single monolithic entity that does most of the data collection and processing. In this paper, we review our architecture for a distributed intrusion detection system based on multiple independent entities working collectively. We call these entities autonomous agents. This approach solves some of the problems previously mentioned. We present the motivation and description of the approach, partial results obtained from an early prototype, a discussion of design and implementation issues, and directions for future work.

1.2 The Need for an Intrusion Detection System

The question is, where does the intrusion detection system fit in the design? To put it in simpler terms, an intrusion detection system can be compared with a burglar alarm. For example, the lock system in a car protects the car from theft. But if somebody breaks the lock system and tries to steal the car, it is the burglar alarm that detects that the lock has been broken and alerts the owner by raising an alarm. The intrusion detection system in a similar way complements the firewall's security. The firewall protects an organization from malicious attacks from the Internet, and the intrusion detection system detects if someone tries to break in through the firewall, or manages to get past the firewall security and tries to access a system on the trusted side, and alerts the system administrator in case there is a breach in security. Moreover, firewalls do a very good job of filtering incoming traffic from the Internet; however, there are ways to circumvent the firewall. For example, external users can connect to the intranet by dialing in through a modem installed in the private network of the organization. This kind of access would not be seen by the firewall. Therefore, an intrusion detection system (IDS) is a security system that monitors computer systems and network traffic and analyzes that traffic for possible hostile attacks originating from outside the organization and also for system misuse or attacks originating from inside the organization.

2.1 Evolution of IDS

In 1987 Dorothy E. Denning proposed intrusion detection as an approach to counter computer and networking attacks and misuses. Intrusion detection is implemented by an intrusion detection system, and today there are many commercial intrusion detection systems available. In general, most of these commercial implementations are relatively ineffective and insufficient, which gives rise to the need for research on more dynamic intrusion detection systems. Generally an intruder is defined as a system, program or person who tries to, and may succeed in, breaking into an information system or performing an action not legally allowed. We refer to intrusion as any set of actions that attempt to compromise the integrity, confidentiality, or availability of a computer resource. The act of detecting actions that attempt to compromise the integrity, confidentiality, or availability of a computer resource can be referred to as intrusion detection. An intrusion detection system is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station.

Computer attacks, e.g. the use of specialised methods to circumvent the security policy of an organisation, are becoming more and more common. IDSs are installed to identify such attacks and to react, usually by generating an alert or blocking suspicious activity. IDSs come in many forms, which we overview in the following section. The work presented here is based on a popular network intrusion detection system (NIDS) called SNORT (2006). SNORT detects attacks by comparing live Internet traffic against signatures that define known attacks. SNORT is an open-source GNU (2006) NIDS and an example of a system that uses signatures, in this case known as SNORT rules. The aim of this paper is to determine the effectiveness of generalisation when applied to the matching of Internet traffic against SNORT's rule signatures.

The Internet is a global public network. With the growth of the Internet and its potential, there has been a subsequent change in the business model of organizations across the world. More and more people are getting connected to the Internet every day to take advantage of the new business model popularly known as e-Business. Internetwork connectivity has therefore become a very critical aspect of today's e-business. There are two sides of business on the Internet. On one side, the Internet brings tremendous potential to business in terms of reaching the end users. At the same time it also brings a lot of risk to the business. There are both harmless and harmful users on the Internet. While an organization makes its information system available to harmless Internet users, at the same time the information is available to the malicious users as well. Malicious users or hackers can get access to an organization's internal systems for various reasons. These are:

· Software bugs called vulnerabilities
· Lapses in administration
· Leaving systems in their default configuration

The malicious users use different techniques like password cracking, sniffing unencrypted or clear-text traffic etc. to exploit the system vulnerabilities mentioned above and compromise critical systems. Therefore, there needs to be some kind of security for the organization's private resources from the Internet as well as from inside users, as a survey says that eighty percent of attacks happen from inside users, for the very fact that they know the systems much better than an outsider does and access to information is easier for an insider. Different organizations across the world deploy firewalls to protect their private network from the public network. But when it comes to securing a private network from the Internet using firewalls, no network can be a hundred percent secure. This is because the business requires some kind of access to be granted on the internal systems to Internet users. The firewall provides security by allowing only specific services through it. The firewall implements a policy for allowing or disallowing connections based on organizational security policy and business needs. The firewall also protects the organization from malicious attacks from the Internet by dropping connections from unknown sources.

One preliminary IDS concept consisted of a set of tools intended to help administrators review audit trails. User access logs, file access logs, and system event logs are examples of audit trails. Fred Cohen noted in 1984 that it is impossible to detect an intrusion in every case, and that the resources needed to detect intrusions grow with the amount of usage. Dorothy E. Denning, assisted by Peter G. Neumann, published a model of an IDS in 1986 that formed the basis for many systems today. Her model used statistics for anomaly detection, and resulted in an early IDS at SRI International named the Intrusion Detection Expert System (IDES), which ran on Sun workstations and could consider both user and network level data. IDES had a dual approach with a rule-based expert system to detect known types of intrusions plus a statistical anomaly detection component based on profiles of users, host systems, and target systems. Lunt proposed adding an artificial neural network as a third component. She said all three components could then report to a resolver. SRI followed IDES in 1993 with the Next-generation Intrusion Detection Expert System (NIDES). The Multics intrusion detection and alerting system (MIDAS), an expert system using P-BEST and Lisp, was developed in 1988 based on the work of Denning and Neumann. Haystack was also developed that year, using statistics to reduce audit trails. Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at the Los Alamos National Laboratory. W&S created rules based on statistical analysis, and then used those rules for anomaly detection. In 1990, the Time-based Inductive Machine (TIM) did anomaly detection using inductive learning of sequential user patterns in Common Lisp on a VAX 3500 computer. The Network Security Monitor (NSM) performed masking on access matrices for anomaly detection on a Sun-3/50 workstation. The Information Security Officer's Assistant (ISOA) was a 1990 prototype that considered a variety of strategies including statistics, a profile checker, and an expert system. ComputerWatch at AT&T Bell Labs used statistics and rules for audit data reduction and intrusion detection. Then, in 1991, researchers at the University of California, Davis created a prototype Distributed Intrusion Detection System (DIDS), which was also an expert system. The Network Anomaly Detection and Intrusion Reporter (NADIR), also in 1991, was a prototype IDS developed at the Los Alamos National Laboratory's Integrated Computing Network (ICN), and was heavily influenced by the work of Denning and Lunt. NADIR used a statistics-based anomaly detector and an expert system. The Lawrence Berkeley National Laboratory announced Bro in 1998, which used its own rule language for packet analysis from libpcap data. Network Flight Recorder (NFR) in 1999 also used libpcap. APE was developed as a packet sniffer, also using libpcap, in November 1998, and was renamed Snort one month later. APE has since become the world's most widely used IDS/IPS system with over 300,000 active users. The Audit Data Analysis and Mining (ADAM) IDS in 2001 used tcpdump to build profiles of rules for classification. In 2003, Dr. Yongguang Zhang and Dr. Wenke Lee argued for the importance of IDS in networks with mobile nodes.

3.1 Types of Intrusion Detection System

There are three main types of Intrusion Detection Systems:

• Host Based
• Network Based
• Stack Based
• Signature Based
• Anomaly Based

Host Based IDS

A host-based Intrusion Detection System is installed on a host in the network. A HIDS collects and analyzes the traffic that originates from or is intended for that host. A HIDS leverages its privileged access to monitor specific components of a host that are not readily accessible to other systems. Specific components of the operating system, such as the passwd file in UNIX and the Registry in Windows, can be watched for misuse. There is great risk in making these types of components available to a NIDS to monitor. Although a HIDS is far better than a NIDS at detecting malicious activities for a particular host, it has a limited view of the entire network topology and cannot detect an attack that is targeted at a host in the network which does not have a HIDS installed.

Network Based IDS

Network IDSs (NIDS) are placed in key areas of the network infrastructure and monitor the traffic as it flows to other hosts. Unlike a HIDS, a NIDS has the capability of monitoring the network and detecting malicious activities intended for that network. Monitoring criteria for a specific host in the network can be increased or decreased with relative ease. A NIDS should be capable of standing up to a large amount of network traffic to remain effective. As network traffic increases exponentially, a NIDS must grab all the traffic and analyze it in a timely manner.

Signature-Based IDS

A signature-based IDS uses a rule set to identify intrusions by watching for patterns of events specific to known and documented attacks. It is typically connected to a large database which houses attack signatures. It compares the information it gathers against those attack signatures to detect a match. These types of systems are normally presumed to be able to detect only attacks "known" to their database. Thus, if the database is not updated with regularity, new attacks could slip through. It can, however, detect new attacks that share characteristics with old attacks, e.g., accessing 'cmd.exe' via an HTTP GET request. But in cases of new, uncatalogued attacks, this technique is pretty porous. Also, signature-based IDSs may affect performance in cases when intrusion patterns match several attack signatures. In cases such as these, there is a noticeable performance lag. Signature definitions stored in the database need to be specific so that variations on known attacks are not missed. This sometimes leads to the building up of huge databases which eat up a chunk of space.

Figure: Common Anomaly Based Network Intrusion Detection System

Anomaly Based IDS

An anomaly-based IDS examines ongoing traffic, activity, transactions and behavior in order to identify intrusions by detecting anomalies. It works on the notion that "attack behavior" differs enough from "normal user behavior" that it can be detected by cataloging and identifying the differences involved. In most anomaly-based IDSs the system administrator defines the baseline of normal behavior. This includes the state of the network's traffic load, breakdown, protocol, and typical packet size. Anomaly detectors monitor network segments to compare their state to the normal baseline and look for current behavior which deviates statistically from the normal. This capability theoretically gives anomaly-based IDSs the ability to detect new attacks that are neither known nor have had signatures created for them. On the other hand, anomaly-based IDS systems have been known to be prone to a lot of false positives. In these cases, the attacks are reported based on changes to the current system on which the IDS is installed. This is because there is a change in the normal state of the system which is not perceived by the IDS.

3.2 Implementation Approaches of IDS

Techniques used: The implementation of an intrusion detector is based on two important aspects. Main approaches: According to its internal architecture, an intrusion detection system is based on a well-defined approach. There are two main approaches:

- Behavioral Approach:

This approach is based on tracking the behavior of a user, service or any application to infer a probable intrusion. If any of the entities mentioned above changes its behavior or the habits of its operation, the detector deduces that there is suspicious behavior and eventually transmits an early warning. This approach itself uses either a probabilistic method in order to estimate suspect traffic, or a statistical method whose principle is to compare quantitatively the behavior of parameters related to the user, such as the occupancy rate of bandwidth or the number of network accesses per day.

- Scenario based approach:

The principle of this approach is based on known techniques used by hackers to perform intrusions, already recorded in a signature, for comparison with the behavior of the user in question, without recourse to its history, to determine whether this behavior is legal or not. The signature is actually a series of rules for analyzing the packets that flow through the network (pattern matching) or the compliance of the protocol (protocol approach). The use of both approaches in parallel will serve as a powerful solution for intrusion detection.
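The two approaches described in 3.1 and 3.2 (signature or scenario matching against known patterns, and a statistical baseline of a behavioural parameter) side by side, as an added example that is not part of the report: the packet records, the signature strings and the baseline packet sizes are constructed for the demonstration, and the anomaly score is a plain z-score on packet size standing in for the bandwidth or access-count parameters the text mentions.

```python
# Added example (not from the report): a toy signature-based detector beside a
# toy statistical anomaly detector, both run over the same constructed packets.
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    size: int          # bytes on the wire
    payload: bytes


# Scenario-based approach: byte patterns tied to known, documented attacks.
# Both patterns are constructed placeholders, not real rule content.
SIGNATURES = {
    "http-cmd-exe": b"GET /scripts/cmd.exe",
    "shell-banner": b"uid=0(root)",
}


def signature_alerts(packets, signatures=SIGNATURES):
    """Return (packet index, signature name) for every payload containing a known pattern."""
    hits = []
    for i, p in enumerate(packets):
        for name, pattern in signatures.items():
            if pattern in p.payload:
                hits.append((i, name))
    return hits


# Behavioural approach: learn a baseline of one numeric parameter from traffic
# the administrator vouches for, then flag values that deviate statistically.
class SizeBaseline:
    def __init__(self, training_sizes, k=3.0):
        self.mu = mean(training_sizes)
        self.sigma = pstdev(training_sizes)
        self.k = k   # how many standard deviations away counts as abnormal

    def is_anomalous(self, size):
        if self.sigma == 0:                 # degenerate baseline: any change is a deviation
            return size != self.mu
        return abs(size - self.mu) / self.sigma > self.k


def anomaly_alerts(packets, baseline):
    return [i for i, p in enumerate(packets) if baseline.is_anomalous(p.size)]


# Constructed baseline: ordinary web requests of roughly 300-700 bytes.
TRAINING_SIZES = [420, 380, 510, 455, 600, 390, 470, 530, 610, 445]

# Constructed live traffic. Index 1 carries a known pattern inside a normal-sized
# request (signature catches it, baseline does not); index 3 is a 9000-byte
# request with no known pattern (baseline catches it, signature does not).
TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", 80, 430, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.9", "10.0.0.80", 80, 455, b"GET /scripts/cmd.exe?/c+dir HTTP/1.1"),
    Packet("10.0.0.5", "10.0.0.80", 80, 470, b"GET /about.html HTTP/1.1"),
    Packet("10.0.0.7", "10.0.0.80", 80, 9000, b"POST /upload HTTP/1.1" + b"A" * 8900),
]


def run_both(packets=TRAFFIC, training=TRAINING_SIZES):
    """Run both detectors and return which packet indices each one flags."""
    baseline = SizeBaseline(training)
    return {
        "signature": signature_alerts(packets),
        "anomaly": anomaly_alerts(packets, baseline),
    }


if __name__ == "__main__":
    print(run_both())
```

Each detector flags a different packet, which is the point the text makes about running both approaches in parallel: the signature side cannot see the oversized request because no pattern describes it, and the baseline side cannot see the cmd.exe request because its size is ordinary.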

3.3 Autonomous rule creation for Signature based IDS Using SNORT

Working of Signature based IDS

From the figures given below, the concept of a signature-based IDS can easily be understood. It is clear that when any person sends data into the network, it first goes to the server; the server checks it and, if it is found malicious, discards the packet, otherwise it is sent to the destination system.

Figure 1: Snort working in network

In figure 1, system-I sends a packet to system-A, but before the packet reaches its destination the server checks that packet; if the packet is malicious the server discards it, otherwise it sends the packet to system-A. Figure 2 clearly shows how the server checks the packet. When a packet comes to the server, the server uses a comparing tool to check that packet against the database of signatures stored on the server; if the server finds that the packet matches the database then the server discards the packet, otherwise the server sends the packet to the destination system.

Figure 2: Snort Signature Database

Snort

Snort is an open source network intrusion detection and prevention system (available at ). It can perform real-time traffic analysis and data flow analysis in a network. It is able to do protocol analysis and can detect different types of attack. As a NIDS, Snort basically checks packets against rules written by the user. Snort rules can be written in any language; their structure is also good, they can be easily read and the rules can be modified as well. In a buffer overflow attack, Snort can detect the attack by matching the previous pattern of attacks and then will take appropriate action to prevent the attack. In a signature-based IDS system, if a pattern matches then the attack can easily be found, but when a new attack comes the system fails; Snort overcomes this limitation by analyzing the real-time traffic. Whenever any packet comes into the network, Snort checks the behavior of the network; if the performance of the network degrades then Snort stops processing the packet, discards the packet and stores its details in the signature database.

Components of Snort

Snort is basically a combination of multiple components. All the components work together to find a particular attack and then take the corresponding action that is required for that particular attack. Basically it consists of the following major components, as shown in figure 3:

1. Packet Decoder
2. Preprocessors
3. Detection Engine
4. Logging and Alerting System
5. Output Modules

Figure 3: Components of Snort

A packet comes from the Internet and enters the packet decoder, and then goes through several phases; the required action is taken by Snort at every phase. For example, if the detection engine finds any malicious content in the packet then it drops that packet, and on the way towards the output module the packet is logged or an alert is generated.

1. Packet Decoder

The packet decoder collects packets from different network interfaces and then sends them to the preprocessor or to the detection engine. The network interface might be Ethernet, SLIP, PPP and so on.

2. Preprocessors

Preprocessors work with Snort to modify or arrange the packet before the detection engine applies some operation to it, in case the packet is corrupted. Sometimes they also generate an alert if any anomalies are found in the packet. Basically the detection engine matches the pattern of the whole string, so by changing the sequence or by adding some extra value an intruder can fool the IDS; but the preprocessor re-arranges the string and the IDS can detect it. The preprocessor does one very important task, i.e. defragmentation. Sometimes an intruder breaks the signature into two parts and sends them in two packets, so before checking the signature both packets should be defragmented, and only then can the signature be found; this is done by the preprocessor.

3. The Detection Engine

Its main work is to find out whether intrusion activity exists in a packet with the help of Snort rules and, if found, to apply the appropriate rule; otherwise it drops the packet. It takes a different time to respond to different packets, and this also depends upon the power of the machine and the number of rules defined in the system.
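The preprocessor's defragmentation step (item 2) feeding the detection engine's pattern match (item 3), as an added example that is not code from the report or from Snort: the segments, connection tuples and the content pattern are constructed for the demonstration. It shows why the two stages are ordered as they are: a matcher run on each segment in isolation misses a pattern that straddles a segment boundary, while the same matcher run over the reassembled stream finds it.

```python
# Added example (not the report's or Snort's code): reassemble segments per
# connection before pattern matching, and compare with per-segment matching.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    stream: tuple     # (src, sport, dst, dport) identifies the connection
    seq: int          # byte offset of this segment within the stream
    data: bytes


SIGNATURE = b"/etc/passwd"   # constructed pattern standing in for a rule's content match


def match_per_segment(segments, sig=SIGNATURE):
    """Naive detection engine: looks at each segment on its own."""
    return [i for i, s in enumerate(segments) if sig in s.data]


def reassemble(segments):
    """Preprocessor stage: group segments by connection and write each one at
    its byte offset, so out-of-order arrival and overlaps are tolerated.
    Gaps that were never filled stay as zero bytes."""
    streams = {}
    for s in segments:
        buf = streams.setdefault(s.stream, bytearray())
        end = s.seq + len(s.data)
        if len(buf) < end:
            buf.extend(b"\x00" * (end - len(buf)))
        buf[s.seq:end] = s.data
    return {k: bytes(v) for k, v in streams.items()}


def match_reassembled(segments, sig=SIGNATURE):
    """Detection engine run over reassembled streams instead of raw segments."""
    return [k for k, data in reassemble(segments).items() if sig in data]


# Constructed traffic: one benign connection, and one whose request is split so
# that the pattern straddles the boundary and the second half arrives first.
BENIGN = ("10.0.0.5", 40001, "10.0.0.80", 80)
SPLIT = ("10.0.0.9", 40002, "10.0.0.80", 80)
SEGMENTS = [
    Segment(BENIGN, 0, b"GET /index.html HTTP/1.1\r\n"),
    Segment(SPLIT, 16, b"asswd HTTP/1.1\r\n"),   # second half, arrives first
    Segment(SPLIT, 0, b"GET /../../etc/p"),      # first half (16 bytes)
]


def compare(segments=SEGMENTS):
    """Which connections each strategy flags for the constructed traffic."""
    return {
        "per_segment": match_per_segment(segments),
        "reassembled": match_reassembled(segments),
    }


if __name__ == "__main__":
    print(compare())
```

The per-segment pass returns nothing, because neither half of the split request contains the whole pattern; after reassembly the stream for the second connection reads as one request and the pattern is found. A real preprocessor also has to bound how much it buffers per connection and decide what to do with overlapping bytes that disagree, both of which this sketch leaves out.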

4. Logging and Alerting System

Whatever the detection engine finds in the packet, it might generate an alert or be used to log activity. All log files are kept by default under the /var/log/snort folder, and by using the -l command line option the location can be changed.

5. Output Modules

Output modules or plug-ins save the output generated by the logging and alerting system of Snort, depending on how the user wants it for different operations. Mainly they control the different output produced by the logging and alerting system. Output modules can do things like the following, depending on the configuration:

• Simply logging to the /var/log/snort/alerts file or some other file
• Sending SNMP traps
• Sending messages to the syslog facility
• Generating XML output
• Sending SMB messages to Microsoft Windows-based machines

Autonomous Rule structure of Snort

Basically rules are created from known intrusion signatures. A rule is divided into two parts, the rule header and the rule options, and rules can be modified according to need.

The rule header follows this pattern:

    Action + protocol + source address + S-port + direction + destination address + D-port

Ex. -

    alert ip any any -> any any (msg:"IP Packet Detected";)
    <------ rule header ------> <------ rule option ------>
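How a rule splits into its header fields and its option list, and what the generalisation operator described in the abstract does to such a rule, as an added example that is not the report's code and not Snort's own parser (which handles far more syntax: port ranges, variables, negation, many option keywords). The cmd.exe rule, its sid and the packet tuple are constructed; address matching uses Python's ipaddress module and ports are single values only.

```python
# Added example (not the report's code, not Snort's parser): parse a rule into
# header + options, render it back, and apply a generalisation operator.
import ipaddress
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: tuple   # ((key, value or None), ...) in the order written


# header: action proto src sport direction dst dport, then "(" options ")"
HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
# one option: key, optional ":value" (quoted values may contain ';'), ended by ';'
OPTION_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(text):
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("expected: header followed by (options)")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = tuple((o.group(1), o.group(2).strip() if o.group(2) is not None else None)
                    for o in OPTION_RE.finditer(body))
    return Rule(action, proto, src, sport, direction, dst, dport, options)


def render(rule):
    opts = "".join(f"{k}:{v};" if v is not None else f"{k};" for k, v in rule.options)
    return (f"{rule.action} {rule.proto} {rule.src} {rule.sport} {rule.direction} "
            f"{rule.dst} {rule.dport} ({opts})")


def generalise(rule, field):
    """Generalisation operator: replace one header condition with 'any', so the
    new rule matches a superset of the traffic the old one matched."""
    if field not in ("src", "sport", "dst", "dport"):
        raise ValueError(field)
    return replace(rule, **{field: "any"})


def addr_ok(field, ip):
    return field == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(field, strict=False)


def port_ok(field, port):
    return field == "any" or int(field) == int(port)   # single ports only, no ranges


def header_matches(rule, proto, src, sport, dst, dport):
    """Does a packet's 5-tuple satisfy the rule header? Options such as the
    content match are not evaluated here."""
    return (rule.proto == proto and addr_ok(rule.src, src) and port_ok(rule.sport, sport)
            and addr_ok(rule.dst, dst) and port_ok(rule.dport, dport))


# Constructed rule: the report's cmd.exe-over-HTTP case, pinned to port 80.
EXAMPLE = ('alert tcp any any -> 192.168.1.0/24 80 '
           '(msg:"cmd.exe access"; content:"cmd.exe"; nocase; sid:1000001;)')


def demo(text=EXAMPLE):
    rule = parse_rule(text)
    wider = generalise(rule, "dport")   # same content match, any destination port
    packet = ("tcp", "10.0.0.9", 40001, "192.168.1.50", 8080)   # constructed: web on 8080
    return {
        "option_keys": [k for k, _ in rule.options],
        "original_matches": header_matches(rule, *packet),
        "generalised_matches": header_matches(wider, *packet),
        "generalised_rule": render(wider),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The generalised rule keeps the option part unchanged, so the content match still has to hold; only the header condition has been relaxed. That is what lets the wider rule see the same request on a non-standard port, and it is also why each generalisation step has to be checked against normal traffic before it is kept, since every relaxed condition widens the set of packets that reach the content match.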

Page 20: Final Report


Page 20


We start by designing a conceptual framework of a signature based intrusion detection

system. The frameworks will show the flow of packet into the network. Here we will flow

data using TCP Replay within two systems inside the network. And then we will check the

outcome in graphical form using Basic Analysis and Security Engine.

Data Collection and Analysis This work was done on open source intrusion detection system. Snort was configured to log

the traffic flowing into Lab network from to Then collected data

is used to see the relevance of an IDS system on to the protected network. And we used Snort


Snort is an open source intrusion detection system. It is therefore useful where it is

not cost efficient to apply NIDS sensors.

Snort is lightweight application. It is also economical when it comes to resource

utilization. Snort can be used as a intrusion detection as well as intrusion prevention


Snorts rule can be changed if needed. Its rules are flexible. Snort has more than 2500

rules in its database . And people can modify rule according to need of their network


Snort is available for Linux as well as for Windows. It is most widely used for

intrusion detection in network.

The Network Setup Intrusion detection system can be deployed to protect the network. It can be deployed

between to hosts, between two switches or even the server firms. In our work we will place

snort between two hosts. Configuration and Validation of the IDS We are using Linux box running debian operating system to detect intrusion into o ur system

placed inside the network. Whenever any intrusion will be detected by Snort, it will generate

an alert. And if system successfully generates an alert then that means network will have been

well configured and traffic monitoring is taking place. Installation of Snort, PostgreSQL and BASE In Debian operating system, configuration are made for snort-pgsql, Basic Analysis and

Security Engine(BASE) to provide a user friendly web front end to simplify querying and

Page 21: Final Report


Page 21

analysis of alerts, PostgreSQL database that is an open source Relational Database

Management System (RDBMS), Apache a widely available http server that supports PHP

languages, Secure Shell(SSL) to enable secure remote login into the network, and PHP a

hyper text preprocessor enables creation of dynamic content and interaction with databases.

Snort's uses

Snort is basically used in three ways:

1. A packet sniffer. In its simplest form, Snort is a packet sniffer. That said, it is the easiest way to start.

# snort -d -e -v

-v  Put Snort in packet-sniffing mode (TCP headers only)
-d  Include all network layer headers (TCP, UDP, and ICMP)
-e  Include the data link layer headers

2. Packet logger. Snort has built-in packet-logging mechanisms that you can use to collect the data as a file, sort it into directories, or store the data as a binary file.

# snort -dev -l {logging-directory} -h {home-subnet-slash-notation}

If you wanted to log the data into the directory /var/adm/snort/logs with the home subnet, you would use the following:

# snort -dev -l /var/adm/snort/logs -h

For logging in binary format, you don't need all of those options. The binary format makes packet collection much faster for Snort, because Snort doesn't have to translate the data into human-readable format immediately.

# snort -b -L {log-file}

For reading the log file:

# snort [-d|e] -r {log-file} [tcp|udp|icmp]

Here the last item on the line is optional; use it if you want to filter the packets based on packet type (tcp, udp or icmp).


3. As a Network Intrusion Detection System. To make Snort an IDS, just add one thing to the packet-logging command: the configuration file.

# snort -dev -l /var/adm/snort/logs -h -c /root/mysnort.conf

Basic Analysis and Security Engine (BASE)

BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a Snort IDS. BASE is a web interface for performing analysis of the intrusions that Snort has detected on your network. It uses a user authentication and role-based system, so that you as the security admin can decide what and how much information each user can see. It also has a simple to use, web-based setup program for people not comfortable with editing files directly. BASE is a PHP-based analysis engine for managing a database of security events. These events can come from IDSs (such as Snort) as well as from firewalls, network monitoring tools and even pcap files.


To send traffic over the network, Snort must first be in running mode; after that we can send the traffic from one host to another by using tcpreplay. We can also feed packets to Snort directly and check the alerts in Basic Analysis and Security Engine (BASE). We can generate the traffic by the two methods given below.

TCP Replay

Tcpreplay is a suite of utilities for Unix systems for editing and replaying network traffic which was previously captured by tools like tcpdump and Ethereal/Wireshark. It provides the ability to classify traffic as client or server, edit packets at layers 2-4 and replay the traffic at arbitrary speed onto a network for sniffing through a device.

There is a three step process for this:

1. Determine which packets are client->server and server->client

2. Rewrite IP addresses based on their direction

3. Send packets through the inline device


Step 1: Use tcpprep to split traffic based on the source/destination port:

$ tcpprep --port --cachefile=example.cache --pcap=example.pcap

In this case, all the packets directed to a TCP or UDP port < 1024 are considered client->server, while other packets are server->client. This information is stored in a tcpprep cache file called example.cache for later use.

Step 2: Use tcprewrite to change the IP addresses to the local network:

$ tcprewrite --endpoints= --cachefile=example.cache --infile=example.pcap --outfile=new.pcap

Here, we want all traffic to appear to be between two hosts: and. We want one IP to be the "client" and the other IP the "server", so we use the cache file created in the last step.

Step 3: Use tcpreplay to send the traffic through the IPS:

# tcpreplay --intf1=eth0 --intf2=eth1 --cachefile=example.cache new.pcap

Here we send the traffic. Since we want to split the traffic between two interfaces (eth0 and eth1), we use the cache file created in Step 1 with the new.pcap created in Step 2. We can use the same cache file for different pcap files because, while the IP addresses of the packets have changed, their order and semantics have not.

5.2 Using Snort

In this method we just pass the name of the tcpdump file, and the alerts can be seen directly in the Basic Analysis and Security Engine (BASE).

$ snort --pcap-single=outside.tcpdump -c /etc/snort/snort.conf

Here outside.tcpdump is the DARPA testing dataset. This is used for generating alerts in BASE.
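What BASE does at small scale can be seen in the following Python script, added here as an example and not code from the report, Snort or BASE: it parses Snort alert_fast lines (the format written by snort -A fast) and summarises them by signature and source address, which is the first view an analyst wants after replaying a dataset. The alert lines, the SIDs (taken from the local-rule range) and the RFC 5737 addresses are constructed for the example.

```python
"""Parse Snort alert_fast lines and summarise them by signature and source.

Added example, not code from the report, Snort or BASE. It assumes the
Snort 2 alert_fast line format (what `snort -A fast` writes). The sample
lines below are constructed: SIDs are from the local-rule range (1000001+)
and addresses are RFC 5737 documentation ranges.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# One alert_fast line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src[:port] -> dst[:port]. Classification is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a well-formed alert_fast line, or None otherwise."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None  # not an alert line: skip it rather than guess at fields
    g = m.groupdict()
    return Alert(
        ts=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["cls"] or "", priority=int(g["prio"]),
        proto=g["proto"], src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )

def parse_alerts(text: str) -> List[Alert]:
    """Parse every line of an alert file, dropping lines that are not alerts."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a is not None]

def summarise(alerts: List[Alert]) -> dict:
    """Aggregate alerts the way an analyst first looks at them in BASE:
    hits per signature, most active sources and the most severe priority
    (Snort priority 1 is the most severe)."""
    by_sid = Counter(a.sid for a in alerts)
    by_src = Counter(a.src for a in alerts)
    return {
        "total": len(alerts),
        "by_sid": dict(by_sid),
        "messages": {a.sid: a.msg for a in alerts},
        "top_sources": by_src.most_common(),
        "highest_priority": min((a.priority for a in alerts), default=None),
    }

# Constructed sample output; one deliberately malformed line is included.
SAMPLE_ALERTS = """\
03/14-10:02:11.482113  [**] [1:1000001:2] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10
03/14-10:02:12.003901  [**] [1:1000002:1] LOCAL TCP port scan suspected [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44123 -> 192.0.2.10:22
03/14-10:02:12.004120  [**] [1:1000002:1] LOCAL TCP port scan suspected [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44124 -> 192.0.2.10:23
03/14-10:05:40.771003  [**] [1:1000003:1] LOCAL web server error response [**] [Priority: 1] {TCP} 192.0.2.10:80 -> 198.51.100.9:51022
this line is not an alert and must be skipped
"""

if __name__ == "__main__":
    summary = summarise(parse_alerts(SAMPLE_ALERTS))
    for sid, count in sorted(summary["by_sid"].items()):
        print(f"sid {sid}: {count} x {summary['messages'][sid]}")
    print("top sources:", summary["top_sources"])
```

The parser refuses rather than guesses: a line that does not match the full format returns None, so a truncated or corrupted alert never ends up counted under the wrong signature.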



The Center for Education and Research in Information Assurance and Security (CERIAS) has produced a review of IDS research prototypes, and a few are now commercial products.

Approaches for misuse detection

The approaches for the misuse detection model are:

o expert systems, containing a set of rules that describe attacks

o signature verification, where attack scenarios are translated into sequences of audit

o petri nets, where known attacks are represented with graphical petri nets

o state-transition diagrams, representing attacks with a set of goals and transitions

The common approach for misuse detection is "signature verification", where a system detects previously seen, known attacks by looking for an invariant signature left by these attacks. This signature is found in audit files, on the intruded host machine, or by sniffers looking at packets entering or leaving the attacked machine.

The limitations of this approach are due to:

o frequent false alarms

o the need to specify a signature of the attack, and then to update the attack signatures on every IDS tool; a signature of an attack may not be easily discovered

o new attack signatures are not automatically discovered without an update of the IDS
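The following Python program, added as an example (not code from the report or from Snort), shows signature verification in miniature: it parses a handful of Snort-style rules with a reduced grammar (the header plus the msg, content, nocase and sid options; no |hex| content and no other options) and checks constructed packets against them. The rules, addresses and payloads are constructed. The third packet illustrates the limitation listed above: a literal content signature misses a variant of the same request, and only a broader second rule still fires, which is why Snort normalises HTTP traffic with a preprocessor before matching.

```python
"""Signature verification, Snort style: parse simplified rules and check
constructed packets against them.

Added example, not code from the report or from Snort. The grammar is a
reduced subset of Snort's: 'action proto src sport -> dst dport (options)'
with msg, content (plain text only), nocase and sid; other options are
accepted and ignored. All rules, addresses and payloads are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: List[bytes] = field(default_factory=list)
    nocase: bool = False

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unparseable rule: {text!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = Rule(action, proto.lower(), src, sport, dst, dport)
    for opt in (o.strip() for o in opts.split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":
            rule.contents.append(val.encode())
        elif key == "nocase":
            rule.nocase = True
        elif key == "sid":
            rule.sid = int(val)
    return rule

def addr_matches(spec: str, ip: str) -> bool:
    """'any', an IP or CIDR, or a '!'-negated IP or CIDR."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != negate

def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, or a Snort range 'lo:hi' (either side may be open)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)):
        return False
    if not (addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)):
        return False
    # Every content string must appear in the payload: the invariant signature.
    hay = pkt.payload.lower() if rule.nocase else pkt.payload
    return all((c.lower() if rule.nocase else c) in hay for c in rule.contents)

def check(rules: List[Rule], packets: List[Packet]) -> list:
    """Return (sid, msg, src, dst) for every alert rule that fires on each packet."""
    return [(r.sid, r.msg, p.src, p.dst)
            for p in packets for r in rules
            if r.action == "alert" and rule_matches(r, p)]

RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.0.2.0/24 80 (msg:"LOCAL web path traversal"; content:"../../"; sid:1000010; rev:1;)',
    'alert tcp any any -> 192.0.2.0/24 80 (msg:"LOCAL passwd file request"; content:"/etc/passwd"; nocase; sid:1000011; rev:1;)',
    'alert icmp !192.0.2.0/24 any -> 192.0.2.0/24 any (msg:"LOCAL ICMP from outside"; sid:1000012; rev:1;)',
)]

PACKETS = [
    Packet("tcp", "198.51.100.7", 40001, "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("tcp", "198.51.100.7", 40002, "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    # Encoded variant: the literal "../../" signature misses it; the broader
    # nocase "/etc/passwd" signature still fires. Snort's HTTP preprocessor
    # normalises such encodings before rules are applied.
    Packet("tcp", "198.51.100.7", 40003, "192.0.2.10", 80, b"GET /%2e%2e/%2e%2e/ETC/passwd HTTP/1.0\r\n"),
    Packet("icmp", "198.51.100.9", 0, "192.0.2.10", 0),
    Packet("icmp", "192.0.2.5", 0, "192.0.2.10", 0),
]

if __name__ == "__main__":
    for sid, msg, src, dst in check(RULES, PACKETS):
        print(f"[1:{sid}] {msg}: {src} -> {dst}")
```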

Approaches for anomaly detection

Anomaly detection in network-based or host-based IDSs includes:

o threshold detection, detecting abnormal activity on the server or network, for example abnormal consumption of the CPU for one server, or abnormal saturation of the

o statistical measures, learned from historical values

o rule-based measures, with expert systems

o non-linear algorithms such as neural networks or genetic algorithms
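The first two approaches, threshold detection and statistical measures learned from historical values, are illustrated by the following Python example, added here and not code from the report. A ThresholdDetector learns a mean and standard deviation from a history of connections-per-minute values and flags an observation that exceeds mean + k*stdev, or an optional absolute limit; the series is constructed for the example.

```python
"""Threshold / statistical anomaly detection on a per-minute activity count.

Added example, not code from the report. It learns a baseline (mean and
standard deviation) from historical values and flags an observation that
exceeds mean + k*stdev, or an absolute fixed limit if one is configured.
The connections-per-minute series below is constructed for the example.
"""
import statistics
from collections import deque
from typing import Iterable, List, Optional

class ThresholdDetector:
    def __init__(self, k: float = 3.0, fixed_limit: Optional[float] = None, window: int = 60):
        self.k = k                           # standard deviations that count as abnormal
        self.fixed_limit = fixed_limit       # optional absolute ceiling (plain threshold detection)
        self.history = deque(maxlen=window)  # sliding window of values believed normal

    def fit(self, values: Iterable[float]):
        self.history.extend(values)
        return self.baseline()

    def baseline(self):
        """(mean, stdev, effective threshold) learned from the history."""
        if len(self.history) < 2:
            raise ValueError("need at least two historical values to build a baseline")
        mean = statistics.fmean(self.history)
        stdev = statistics.pstdev(self.history)
        threshold = mean + self.k * stdev
        if self.fixed_limit is not None:
            threshold = min(threshold, self.fixed_limit)
        return mean, stdev, threshold

    def observe(self, value: float) -> dict:
        mean, stdev, threshold = self.baseline()
        anomalous = value > threshold
        if not anomalous:
            # Only values judged normal update the baseline, so an attack
            # burst does not teach the detector that the burst is normal.
            self.history.append(value)
        return {"value": value, "mean": round(mean, 2), "stdev": round(stdev, 2),
                "threshold": round(threshold, 2), "anomalous": anomalous}

# Constructed history: new TCP connections per minute to one server, 24 minutes.
HISTORY = [18, 21, 19, 22, 20, 17, 23, 19, 21, 20, 18, 22,
           19, 20, 21, 18, 22, 20, 19, 21, 20, 18, 23, 19]
# Constructed live readings: the third minute carries a burst of 118 connections.
LIVE = [21, 23, 118, 19, 22]

def run(history: List[float], live: List[float], k: float = 3.0,
        fixed_limit: Optional[float] = None) -> List[dict]:
    det = ThresholdDetector(k=k, fixed_limit=fixed_limit)
    det.fit(history)
    return [det.observe(v) for v in live]

if __name__ == "__main__":
    for r in run(HISTORY, LIVE):
        flag = "ANOMALY" if r["anomalous"] else "ok"
        print(f"{r['value']:>4}  mean={r['mean']:.2f} threshold={r['threshold']:.2f}  {flag}")
```

The choice of k is the false-alarm knob the misuse section complains about from the other side: a small k catches smaller deviations but raises more alarms on ordinary fluctuation, and the fixed limit guards against a baseline that has slowly drifted upward.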



To protect a network against attacks, including intrusions, we must study its architecture, analyse its vulnerabilities, and keep up to date with new threats, with the purpose of minimizing the risks that may occur. In this paper, we proposed and implemented a solution for securing a network based on intrusion detection systems. We performed several experiments to validate our solution. This paper proposes the implementation process of Snort in Debian. This IDS demonstrated that it can detect and analyze intrusions in real-time network traffic. Once Snort identifies an intrusion it sends an alert to the security person, who will take the required action immediately. The future work is to develop a prototype model to filter, delete and quarantine the intrusion attack automatically in a real-time network.


