
Lab 8: Firewalls & Intrusion Detection Systems

Fengwei Zhang

Wayne State University CSC Course: Cyber Security Practice


Firewall & IDS
• Firewall
– A device or application that analyzes packet headers and enforces
policy based on protocol type, source address, destination address,
source port, and destination port. Packets that do not match policy are
rejected. (This describes a classic packet filter; a stateful firewall additionally tracks connection state.)
• Intrusion Detection System (IDS)
– A device or application that analyzes whole packets, both header and
payload, looking for known events. When a known event is detected, a
log message is generated detailing the event; the packet itself is not blocked.
• Intrusion Prevention System (IPS)
– A device or application that analyzes whole packets, both header and
payload, looking for known events. When a known event is detected,
the packet is rejected. Because it only reports, an IDS can watch a passive copy of the traffic (tap or SPAN port); an IPS must sit inline in the traffic path to be able to reject anything.
• Modern devices combine all of these functions in a single device/
application (Smart Firewall)


Types of IDS
• Host-based IDS (HIDS)
– Installed locally on each monitored machine
– Monitors local user activity and security events
– Monitors program execution
– Monitors local system logs
• Network-based IDS (NIDS)
– Sensors are installed on the network (e.g., on a tap or SPAN port)
– Monitor network activity (deep packet inspection)


Types of Network-based IDS
• Signature-based IDS
– Compares incoming packets with known attack
signatures
– E.g., Snort, Bro (now Zeek), Suricata
• Anomaly-based IDS
– Learns the normal behavior of the system
– Generates alerts on packets that deviate
from the normal behavior


Signature-based IDS
• Works like signature-based anti-virus tools: traffic is matched against a database of known patterns

• Problems
– "Zero-day" attacks: no signature exists yet for an attack nobody has seen before
– Polymorphic attacks: the attack changes its byte pattern so that a fixed signature no longer matches


Anomaly-based IDS
• Anomaly-based IDS is capable of identifying
"Zero-day" attacks, because it flags deviation from a learned baseline rather than a known pattern

• Problems
– High false positive rates: unusual but legitimate behavior looks like an attack
– Labeled training data: the baseline must be learned from traffic known to be clean; training on traffic that already contains attacks teaches the IDS to treat them as normal


IDS Evaluation Metrics
• True Positives (TP)
– A genuine attack is detected
• True Negatives (TN)
– Benign traffic identified as benign
• False Positives (FP)
– Harmless behavior is misclassified as an attack
• False Negatives (FN)
– A genuine attack is not detected

• An intrusion detection system is:

– Accurate: if it detects all genuine attacks (no false negatives)
– Precise: if it never reports legitimate behavior as an attack (no false positives)

Note that "accurate" as used on these slides is not the usual machine-learning accuracy (TP + TN) / (TP + TN + FP + FN); in ML terms an "accurate" IDS in this sense has 100% recall, and a "precise" one has 100% precision.


IDS Evaluation Metrics
• The true positive rate is: TP / (TP + FN)
– TP is the number of true positives
– FN is the number of false negatives
– TP + FN is the total number of positives (genuine attacks)

• The false positive rate is: FP / (FP + TN)
– FP is the number of false positives
– TN is the number of true negatives
– FP + TN is the total number of negatives (benign events)


IDS Evaluation Metrics
• An undetected attack might lead to severe
problems; frequent false alarms can lead to the
system being disabled or ignored. A perfect IDS
would be both accurate and precise
• Suppose that only 1% of traffic is actually
attacks; the detection accuracy of your IDS is
90% (i.e., its true positive rate); the false positive rate is 10%
• If you have an alarm, what is the chance that it is
a false alarm?
IDS Evaluation Metrics
• Suppose that only 1% of traffic is actually attacks
– 1000 events: 990 benign; 10 attacks
• The detection accuracy of your IDS is 90%
– True positive rate: 90%
– True positive count: 10 * 90% = 9 true alarms
• The false positive rate is 10%
– False positive rate: 10%
– False positive count: 990 * 10% = 99 false alarms

• P(attack | alarm) = 9 / (9 + 99) = 0.083333

• There is approximately a 92% chance that a raised alarm is
false. This is the base-rate fallacy: because attacks are rare, even a modest false positive rate produces far more false alarms than true ones, so the false positive rate matters at least as much as the detection rate.
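The arithmetic above, carried through in code as an added example (this is not part of the original slides). It reproduces the slide's numbers with exact rational arithmetic and then generalizes them: the same detector at several base rates, and the false positive rate that would be needed for half of all alarms to be genuine. The 1000-event population is the slide's; the other inputs are the slide's percentages written as fractions.

```python
"""IDS base-rate arithmetic: added example, not from the lecture slides.

Reproduces the slide's worked example (1% attacks, 90% true positive rate,
10% false positive rate) and generalizes it: how P(attack | alarm) moves
with the base rate, and what false positive rate a target alarm precision
would require. All arithmetic is exact (fractions), so results match a
hand calculation.
"""
from fractions import Fraction


def confusion_counts(events, base_rate, tpr, fpr):
    """Return (TP, FN, FP, TN) for `events` observations.

    base_rate: fraction of events that are genuine attacks (positives)
    tpr: P(alarm | attack), what the slide calls "detection accuracy"
    fpr: P(alarm | benign)
    """
    positives = Fraction(events) * Fraction(base_rate)
    negatives = Fraction(events) - positives
    tp = positives * Fraction(tpr)      # attacks that raise an alarm
    fn = positives - tp                 # attacks that slip through
    fp = negatives * Fraction(fpr)      # benign events that raise an alarm
    tn = negatives - fp
    return tp, fn, fp, tn


def true_positive_rate(tp, fn):
    """TP / (TP + FN): fraction of genuine attacks that are detected."""
    return Fraction(tp) / (Fraction(tp) + Fraction(fn))


def false_positive_rate(fp, tn):
    """FP / (FP + TN): fraction of benign events that raise an alarm."""
    return Fraction(fp) / (Fraction(fp) + Fraction(tn))


def p_attack_given_alarm(base_rate, tpr, fpr):
    """Bayes' rule: P(attack | alarm) = TPR * P(attack) / P(alarm),
    with P(alarm) = TPR * P(attack) + FPR * (1 - P(attack))."""
    b, t, f = Fraction(base_rate), Fraction(tpr), Fraction(fpr)
    return (t * b) / (t * b + f * (1 - b))


def p_false_alarm(base_rate, tpr, fpr):
    """Probability that a raised alarm is false: 1 - P(attack | alarm)."""
    return 1 - p_attack_given_alarm(base_rate, tpr, fpr)


def max_fpr_for_precision(base_rate, tpr, precision):
    """Largest FPR for which P(attack | alarm) is still >= `precision`.

    Solve  t*b / (t*b + f*(1-b)) >= p  for f.
    """
    b, t, p = Fraction(base_rate), Fraction(tpr), Fraction(precision)
    return t * b * (1 - p) / (p * (1 - b))


if __name__ == "__main__":
    # The slide's numbers.
    tp, fn, fp, tn = confusion_counts(1000, "1/100", "9/10", "1/10")
    print(f"TP={tp} FN={fn} FP={fp} TN={tn}")
    print("TPR =", true_positive_rate(tp, fn), " FPR =", false_positive_rate(fp, tn))
    print("P(attack | alarm) =", p_attack_given_alarm("1/100", "9/10", "1/10"))
    print("P(false alarm)    =", float(p_false_alarm("1/100", "9/10", "1/10")))
    # Same detector, different base rates: precision collapses as attacks get rarer.
    for rate in ("1/2", "1/10", "1/100", "1/1000"):
        p = float(p_attack_given_alarm(rate, "9/10", "1/10"))
        print(f"base rate {rate:>6}: P(attack | alarm) = {p:.4f}")
    # What FPR would make half of all alarms genuine at a 1% base rate?
    print("FPR needed for 50% precision at 1% base rate:",
          max_fpr_for_precision("1/100", "9/10", "1/2"))
```

The last line is the practical takeaway: at a 1% base rate, even a 90% detection rate needs the false positive rate pushed below 1/110 before half of the alarms an analyst sees are real.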


Snort
• Signature-based IDS
• Can be run as IPS (inline mode) or IDS (passive mode)
• First released in 1998 but still updated and
maintained today
• Latest version at the time these slides were written: Snort 2.9.8.2 (the rule syntax below is Snort 2.x; Snort 3 has since been released)


Snort Rules
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)

rule header ( rule options )


Snort Rule Header
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)

The header, field by field:

alert    tcp        $EXTERNAL_NET    any        ->           $HOME_NET    any
action   protocol   Src IP           Src Port   Direction    Dst IP       Dst Port


Snort Rule Header Action
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)

alert    tcp        $EXTERNAL_NET    any        ->           $HOME_NET    any
action   protocol   Src IP           Src Port   Direction    Dst IP       Dst Port

1. alert: Alerts and logs the packet when triggered.
2. log: Only logs the packet when triggered.
3. pass: Ignores the packet; matching traffic is not evaluated further (useful for whitelisting known-benign traffic).
4. activate: Alerts, then activates a dynamic rule or rules.
5. dynamic: Ignored until started by an activate rule, at which time it acts as a log rule. (activate/dynamic pairs are being phased out in Snort 2.x in favor of the tag and flowbits options.)
6. drop: Block and log the packet.
7. reject: Block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port
unreachable message if the protocol is UDP.
8. sdrop: Block the packet but do not log it.

Actions 6 to 8 only take effect when Snort runs inline (IPS mode); in passive IDS mode nothing can be blocked.
Snort Rule Header Protocol
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)

alert    tcp        $EXTERNAL_NET    any        ->           $HOME_NET    any
action   protocol   Src IP           Src Port   Direction    Dst IP       Dst Port

Protocols: TCP, UDP, ICMP, and IP (an ip rule matches any IP packet regardless of transport protocol)

Future may include: ARP, IGRP, GRE, OSPF, RIP, IPX, etc.


Snort Rule Header IP

Src IP Src Port Dst IP Dst Port

alert tcp $EXTERNAL_NET any -> $HOME_NET any
alert tcp 192.168.1.0/24 any -> 192.168.1.0/24 1:1024
alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> 192.168.1.44
• $EXTERNAL_NET is a variable set in snort.conf (with ipvar); $HOME_NET is defined the same way, and $EXTERNAL_NET is commonly defined as !$HOME_NET
• IP is specified as dotted notation with CIDR masks (a bare address such as 192.168.1.44 means that single host).
"any" is also valid
• ! is the negation operator
• Multiple IP specifications can be included using square
brackets [ ] and comma-separating. Do not add spaces


Snort Rule Header Port

Src IP Src Port Dst IP Dst Port

alert tcp $EXTERNAL_NET any -> $HOME_NET any
alert tcp 192.168.1.0/24 any -> 192.168.1.0/24 1:1024
alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> 192.168.1.44

Port can be specified as:

any -- any port
80 -- a single port
1:1024 -- ports 1 to 1024 inclusive
55: -- ports 55 and higher
:55 -- ports 0 to 55 (inclusive)

negation still works:

!6000:6001 -- matches any port except 6000 and 6001

Lists in square brackets work for ports too, e.g. [80,443,8000:8080]
Snort Rule Header Direction

Src IP Src Port Dst IP Dst Port

alert tcp $EXTERNAL_NET any -> $HOME_NET any
alert tcp 192.168.1.0/24 any -> 192.168.1.0/24 1:1024
alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> 192.168.1.44

Direction can be specified as:

-> From the left IP/port (source) to the right IP/port (destination)
<> Either direction (the rule also matches with source and destination swapped)

Note: <- does not exist, so Snort rules always read
consistently, source on the left and destination on the right.
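A small matcher that implements the address, port and direction syntax of the last three slides, as an added example (this is not Snort's own code). It parses a rule header into its seven fields and tests packet 5-tuples against it, honoring CIDR masks, "any", ! negation, bracketed lists, port ranges, and the -> and <> directions. The VARS table stands in for the ipvar definitions in snort.conf; its $HOME_NET value is an assumption chosen to match the slides' example networks.

```python
"""Snort-style rule-header matcher. Added example for these slides; not
Snort's own code. VARS is an assumed stand-in for snort.conf ipvar lines.

Covers the header syntax the slides describe: action, protocol, source
IP/port, direction, destination IP/port, with CIDR networks, "any",
"!" negation, comma-separated lists in square brackets, and port ranges
lo:hi, lo:, :hi.
"""
import ipaddress

# Assumed snort.conf variables (ipvar HOME_NET ..., ipvar EXTERNAL_NET !$HOME_NET).
VARS = {
    "$HOME_NET": "[192.168.1.0/24,10.1.1.0/24]",
    "$EXTERNAL_NET": "!$HOME_NET",
}

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}


def resolve(token):
    """Substitute $VARIABLES until none remain; '!!x' collapses to 'x'."""
    while True:
        negated = token.startswith("!")
        body = token[1:] if negated else token
        if body not in VARS:
            return token
        token = ("!" if negated else "") + VARS[body]
        if token.startswith("!!"):
            token = token[2:]


def split_list(body):
    """'[a,b,c]' -> ['a', 'b', 'c']; a bare item -> [item]."""
    if body.startswith("[") and body.endswith("]"):
        return body[1:-1].split(",")
    return [body]


class IPSpec:
    """Source or destination address field of a rule header."""

    def __init__(self, spec):
        spec = resolve(spec)
        self.negated = spec.startswith("!")
        body = spec[1:] if self.negated else spec
        self.any = body == "any"
        # strict=False lets a bare host address like 192.168.1.44 become a /32
        self.nets = [] if self.any else [
            ipaddress.ip_network(resolve(item), strict=False) for item in split_list(body)
        ]

    def matches(self, ip):
        addr = ipaddress.ip_address(ip)
        hit = self.any or any(addr in net for net in self.nets)
        return hit != self.negated      # a leading '!' inverts the result


class PortSpec:
    """Source or destination port field of a rule header."""

    def __init__(self, spec):
        spec = resolve(spec)
        self.negated = spec.startswith("!")
        body = spec[1:] if self.negated else spec
        self.any = body == "any"
        self.ranges = [] if self.any else [self._range(item) for item in split_list(body)]

    @staticmethod
    def _range(item):
        if ":" not in item:                      # single port
            return int(item), int(item)
        lo, hi = item.split(":", 1)              # 'lo:hi', 'lo:' or ':hi'
        return (int(lo) if lo else 0), (int(hi) if hi else 65535)

    def matches(self, port):
        hit = self.any or any(lo <= port <= hi for lo, hi in self.ranges)
        return hit != self.negated


class RuleHeader:
    """Parses 'action proto src sport dir dst dport' and matches 5-tuples."""

    def __init__(self, rule):
        header = rule.split("(", 1)[0].split()   # drop the '( options )' part
        if len(header) != 7:
            raise ValueError(f"rule header needs 7 fields, got {len(header)}: {rule!r}")
        self.action, self.proto, src, sport, self.direction, dst, dport = header
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.proto not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {self.proto!r}")
        if self.direction not in ("->", "<>"):   # '<-' is not Snort syntax
            raise ValueError(f"bad direction {self.direction!r}")
        self.src, self.sport = IPSpec(src), PortSpec(sport)
        self.dst, self.dport = IPSpec(dst), PortSpec(dport)

    def _oriented(self, src, sport, dst, dport):
        return (self.src.matches(src) and self.sport.matches(sport)
                and self.dst.matches(dst) and self.dport.matches(dport))

    def matches(self, proto, src, sport, dst, dport):
        """True if the packet 5-tuple falls within this header."""
        if self.proto != "ip" and self.proto != proto:   # 'ip' rules see every IP packet
            return False
        if self._oriented(src, sport, dst, dport):
            return True
        # '<>' also accepts the packet with source and destination swapped
        return self.direction == "<>" and self._oriented(dst, dport, src, sport)


if __name__ == "__main__":
    scan = RuleHeader('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; sid:624; rev:1;)')
    print(scan.matches("tcp", "203.0.113.7", 40000, "192.168.1.10", 22))   # outside -> inside: True
    print(scan.matches("tcp", "192.168.1.10", 40000, "203.0.113.7", 22))   # inside -> outside: False
    low = RuleHeader("alert tcp 192.168.1.0/24 any -> 192.168.1.0/24 1:1024")
    print(low.matches("tcp", "192.168.1.5", 5555, "192.168.1.6", 80))      # True
    print(low.matches("tcp", "192.168.1.5", 5555, "192.168.1.6", 8080))    # False
```

The parser insists on all seven header fields and rejects a <- direction, which is the quickest way to catch a rule that would be silently wrong; note that $EXTERNAL_NET resolves to the negation of $HOME_NET, so a packet from 10.1.1.9 (inside $HOME_NET as assumed here) does not match the scan rule's source.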


Snort Rule Options
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)

Options are written as name:value; pairs, separated by semicolons, inside the parentheses:

msg: <sample message> The text recorded with the alert or log entry (by default under /var/log/snort)
flags: <AFPRSU210> Matches specific TCP flags (A=ACK, F=FIN, P=PSH, R=RST, S=SYN, U=URG, 1 and 2 = the two reserved/ECN bits, 0 = no flags set). Without a modifier the match is exact, so flags:SF fires only when SYN and FIN are set and nothing else; prefix + to allow other flags as well, * to match any of the listed flags, ! to require that they are not set
content: <text> Matches specified text in the packet payload
content: |<hexadecimal>| Matches the specified hex bytes; text and |hex| segments can be mixed in one string, e.g. "GET |2F|cgi-bin"
sid: <snort ID> Unique number to identify rules easily. Your own rules
should use SIDs of 1,000,000 or higher (lower values are reserved for distributed rulesets)
rev: <revision #> Rule revision number; bump it whenever the rule changes
reference: <ref> Where to get more info about the rule
classtype: <class> Category of the event (e.g., attempted-recon); mapped to a priority in classification.config
gid: <generator ID> Identifies which part of Snort generated the alert.
See /etc/snort/gen-msg.map for values
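The option syntax above, implemented as an added example (not Snort's own code): a parser for the name:value; list that splits correctly even when a quoted content contains a semicolon, a flags matcher that follows the exact/+/*/! semantics, a content decoder for mixed text and |hex| segments, and a SID check for locally written rules. The second rule and the packet bytes in __main__ are constructed for the demonstration; the TCP flag bit values are the standard ones from the TCP header.

```python
"""Snort-style rule-option parser and payload matcher. Added example for
these slides; not Snort's own code. Sample rules/packets are constructed.

Handles the options the slide lists (msg, flags, content with text and |hex|
segments, sid, rev, reference, classtype, gid) and evaluates flags and
content against a packet's TCP flags byte and payload.
"""

# TCP flags byte bits; Snort names the two ECN bits "1" (CWR) and "2" (ECE).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def parse_options(text):
    """'(name:value; name:value;)' -> [(name, value), ...].

    Splits on ';' only outside double quotes so content:"a;b" survives.
    """
    text = text.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    items, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    pairs = []
    for item in items:
        if item.strip():
            name, _, value = item.partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs


def _bits(letters):
    mask = 0
    for ch in letters:
        if ch != "0":                 # '0' means "no flags set", i.e. an empty mask
            mask |= FLAG_BITS[ch]     # KeyError on an unknown flag letter
    return mask


def parse_flags(value):
    """flags:[!|*|+]<FSRPAU120>[,<FSRPAU120>] -> (modifier, want, ignore)."""
    spec, _, ignore = value.replace(" ", "").partition(",")
    modifier = ""
    if spec and spec[0] in "+*!":
        modifier, spec = spec[0], spec[1:]
    return modifier, _bits(spec), _bits(ignore)


def flags_match(parsed, tcp_flags):
    modifier, want, ignore = parsed
    have = tcp_flags & ~ignore & 0xFF     # bits after the comma are ignored
    if modifier == "+":                   # listed flags set, others allowed
        return (have & want) == want
    if modifier == "*":                   # any one of the listed flags set
        return (have & want) != 0
    if modifier == "!":                   # none of the listed flags set
        return (have & want) == 0
    return have == want                   # exact: flags:SF is SYN+FIN and nothing else


def content_bytes(value):
    """'"GET |2F|cgi-bin"' -> b'GET /cgi-bin'; segments between '|' are hex."""
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


class RuleOptions:
    def __init__(self, rule_or_options):
        text = rule_or_options[rule_or_options.find("("):] if "(" in rule_or_options else rule_or_options
        self.msg = self.sid = self.rev = self.flags = None
        self.contents = []
        self.meta = {}
        for name, value in parse_options(text):
            if name == "msg":
                self.msg = value.strip('"')
            elif name == "sid":
                self.sid = int(value)
            elif name == "rev":
                self.rev = int(value)
            elif name == "flags":
                self.flags = parse_flags(value)
            elif name == "content":
                self.contents.append(content_bytes(value))
            elif name in ("reference", "classtype", "gid"):
                self.meta[name] = value
            else:
                raise ValueError(f"option {name!r} not handled here")

    def is_local_sid(self):
        """Locally written rules should use SIDs of 1,000,000 or higher."""
        return self.sid is not None and self.sid >= 1_000_000

    def matches(self, tcp_flags, payload):
        """True if the flags option (if any) and every content option match."""
        if self.flags is not None and not flags_match(self.flags, tcp_flags):
            return False
        return all(c in payload for c in self.contents)


if __name__ == "__main__":
    scan = RuleOptions('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
                       '(msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; '
                       'classtype:attempted-recon; sid:624; rev:1;)')
    print(scan.msg, scan.sid, scan.rev, scan.meta)
    print(scan.matches(0x03, b""))          # SYN+FIN only: True
    print(scan.matches(0x02, b""))          # SYN only: False
    # Constructed local rule: ACK set (other flags allowed) and a NOP sled in the payload.
    sled = RuleOptions('(msg:"LOCAL nop sled in cgi request"; flags:+A; '
                       'content:"GET |2F|cgi-bin"; content:"|90 90 90 90|"; sid:1000001; rev:1;)')
    print(sled.contents, sled.is_local_sid())
    print(sled.matches(0x18, b"GET /cgi-bin/x?a=\x90\x90\x90\x90\x90"))   # PSH+ACK, sled present: True
```

Content matching here is a plain substring test, which is what an unmodified content option does; Snort's depth/offset/nocase modifiers and its fast-pattern matcher are outside what the slide covers and are not implemented.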
Snort
• More in the Lab 8 instructions!
