
ABSTRACT

Rapid technological advances in the application of data processing operations and maintenance permeate all facets of business and, therefore, have led to an increase in the development of strategic ways to mount malicious attacks on both public and personal computer networks and systems. Modern techniques and methodologies for detecting malevolent activities and attacks on computer systems and networks have evolved quickly in recent years. Intrusion Detection Systems (IDS) have become a critical means of ensuring the security of administered computer networks. IDS seek to detect intrusions before systems can be affected by malicious actions. They accomplish this by logging the attempts made by an intruder to accumulate intelligence regarding a targeted system. While IDS tools have become prevalent in today's market, they are still not completely foolproof and can fail to identify serious malicious attacks.

The intention of this project was to investigate selected existing network intrusion detection tools and techniques, and to review the strategies which they employ. The selected freeware tools, Snort and Sax2, were tested to analyze their behavior when confronted with particular well-known network attacks.

TABLE OF CONTENTS

Abstract............................................................................................................................... ii

Table of Contents ............................................................................................................... iii

List of Figures.................................................................................................................... vi

List of Tables................................................................................................................... viii

1. Introduction .................................................................................................................. 1

1.1 Intrusion .................................................................................................................. 2

1.1.1 Popular Intrusions ...................................................................................... 3

1.1.2 Survey on Security Breach ......................................................................... 4

1.2 Intrusion Detection System ..................................................................................... 7

1.2.1 Various Definitions ..................................................................................... 7

1.3 What about a Firewall? ........................................................................................... 8

1.3.1 Packet Filtering ........................................................................................... 9

1.3.2 Circuit-level Gateway ................................................................................. 9

1.3.3 Proxy Server................................................................................................ 9

1.3.4 Application Gateway ................................................................................. 9

1.4 Comparison of IDS with a Firewall ....................................................................... 9

1.5 Evolution of IDS ................................................................................................... 10

1.6 Types of IDS ......................................................................................................... 12

1.6.1 Host-based IDS ......................................................................................... 13

1.6.2 Network-based IDS ................................................................................... 14

1.6.3 Comparison between HIDS and NIDS ..................................................... 14

1.7 PROS and CONS of IDS ...................................................................................... 15

1.8 Some of the Important Definitions to Understand This Paper .............................. 16

2. Network Intrusion Detection system .......................................................................... 18

2.1 Previous Work done and Evolution of IDS .......................................................... 18

2.2 Network-based IDS ............................................................................................... 20

2.2.1 Need for NIDS ............................................................................................ 20

2.2.2 Functioning of NIDS…….............................................................................22

2.2.3 Host-based IDS vs. Network-based IDS ...................................................... 25

2.3 Analysis and Comparison of IDS Tools................................................................27

2.3.1 IDS Analysis ................................................................................................ 27

3. Research ................................................................................................................... 30

3.1 Research on Attacks ............................................................................................... 30

3.1.1 Possibility of an Attack ................................................................................ 30

3.1.2 Operating System Which Intruder Use ........................................................ 30

3.1.3 Origin of Intrusion ...................................................................................... 30

3.1.4 Reason for Hacking...................................................................................... 31

3.1.5 Attacks ......................................................................................................... 32

3.2 Research on Freeware NIDS ................................................................................. 35

3.2.1 Research on Windows-based NIDS ............................................................. 35

3.2.1.1 Snort IDS ......................................................................................... 35

3.2.1.2 Sax2 NIDS ....................................................................................... 39

3.2.2 Research on Linux-based IDS ..................................................................... 47

3.2.2.1 Firestorm .......................................................................................... 47

3.2.2.2 Strata Guard ..................................................................................... 53

3.2.2.3 Bro-IDS ............................................................................................ 57

3.3 Writing Rules ........................................................................................................ 63

3.3.1 What are the Rules? ..................................................................................... 63

3.3.2 Basic Rule Anatomy .................................................................................... 63

4. Testing and Evaluation .............................................................................................. 66

4.1 Detection ............................................................................................................... 67

4.1.1 Detection Capability .................................................................................... 67

4.1.2 High Bandwidth Traffic Handling Capability ............................................. 67

4.1.3 Testing DoS Attack ...................................................................................... 70

4.1.4 Ability to Determine Attack Success ........................................................... 70

4.1.5 Ability to Detect Never Before Seen Attacks ............................................. 71

4.2 Response ............................................................................................................... 71

4.3 Other Evaluation Measures ................................................................................... 72

5. Future work ................................................................................................................. 73

6. Conclusion.....................................................................................................................74

Acknowledgement.............................................................................................................75

Bibliography and References .............................................................................................. 76

LIST OF FIGURES

Figure 1.1 Number of Incidents by Percentage ........................................................... 4

Figure 1.2 Firewall protecting the network ................................................................. 8

Figure 1.3 IDS Block Diagram.................................................................................. 12

Figure 1.4 HIDS ......................................................................................................... 13

Figure 1.5 NIDS ......................................................................................................... 14

Figure 2.1 Evolution of Intrusion Detection System .................................................. 18

Figure 2.2 IDS Components ....................................................................................... 23

Figure 2.3 A sample IDS ........................................................................................... 24

Figure 2.4 Comparison of Knowledge-Based and Behavior-Based IDS ................... 29

Figure 3.1 Components of Snort IDS ......................................................................... 36

Figure 3.2 Packet Capture in real-time Using Ethereal .............................................. 37

Figure 3.3 Working of snort ...................................................................................... 38

Figure 3.4 Sax2 Main Console ................................................................................... 41

Figure 3.5 Node Explorer Window ............................................................................ 42

Figure 3.6 Statistic View on Main Console of Sax 2 ................................................. 42

Figure 3.7 Conversation View of Sax2 IDS ............................................................... 43

Figure 3.8 Event View................................................................................................ 44

Figure 3.9 Logs View ................................................................................................. 44

Figure 3.10 Knowledge Base Management in Sax2 IDS ............................................. 45

Figure 3.11 Detection Expert Settings ......................................................................... 46

Figure 3.12 Viewing .elog files using Ethereal Interface ............................................. 49

Figure 3.13 Firestorm Analyst console – displaying packets....................................... 50

Figure 3.14 Detection Capabilities Analysis Results ................................................... 52

Figure 3.15 Scalability Analysis Report....................................................................... 52

Figure 3.16 Strata Guard network ................................................................................ 54

Figure 3.17 Account Activity Tab List View ............................................................... 55

Figure 3.18 Comparison between Snort and Bro ........................................................ 60

Figure 3.19 Detection Rate Analysis ............................................................................ 61

Figure 3.20 Rule syntax................................................................................................ 63

Figure 3.21 Sample Snort Rule ................................................................................... 63

Figure 3.22 Rule header attributes of a snort rule ....................................................... 64

Figure 3.23 Rule Options ............................................................................................ 65

Figure 4.1 IDS Testing Network ............................................................................... 66

Figure 4.2 Nmap Scan ............................................................................................... 68

Figure 4.3 Snort Capturing the Network for events .................................................. 68

Figure 4.4 Network monitoring by Sax2 NIDS ........................................................ 69

Figure 4.5 Summary of the captured network events ................................................ 69

LIST OF TABLES

Table 1.1 A Glance at Various Attacks During the Years 2004-2008 ........................... 5

Table 1.2 List of Technologies used in 2008 ................................................................. 6

Table 1.3 Comparison of HIDS and NIDS .................................................................. 14

Table 2.1 Comparative Analysis of HIDS vs. NIDS ................................................... 26

Table 3.1 Popular Thirty Nine Attacks ........................................................................ 34

Table 3.2 Notations ...................................................................................................... 60

Table 3.3 Summary of comparison among Snort, Sax2, Firestorm, Strata Guard and Bro ........ 61

Table 3.4 Description of Various Rule Actions .......................................................... 64

1. INTRODUCTION

The subject of Intrusion Detection Systems (IDS) on computer networks has become a topic of great importance for research. Threats against private and public networks are mounting daily, thereby increasing the need for IDS on network systems throughout the corporate world. IDS serve as a means of identifying, monitoring, blocking and reporting anomalous behavior and unauthorized use of data on computer networks. In short, the function of an IDS is to safeguard distributed computing environments that are managed and controlled by a particular network.

IDS accomplish their objective by performing thorough checks on the content of each and every packet traveling through a given network in an effort to detect intrusions. This monitoring process provides better security than a firewall alone could. IDS handle traffic and information, logging every application as it travels through a particular network, and have proven to be a viable measure for securing the information management of organizations. IDS afford valuable support for diagnosing and reviewing security threats.

IDS come in different types based upon their function. Software developers around the world continuously rework their programs to keep up with the evolving malicious efforts of intrusion creators. The purpose of this research is to put some existing IDS tools, available in today's market, to the test and ultimately determine their efficacy as well as their ease of use. The paragraphs that follow define and describe different types of intrusions and introduce IDS.
1.1 Intrusion

The Merriam-Webster Online dictionary defines the term 'intrude' as the act of thrusting oneself in without invitation, permission, or welcome. In computer network terms, an intrusion is defined as an event which breaks into a particular system or network without authorization. While the application differs, from a physical intrusion into a place or situation to the electronic intrusion into a digital environment, they have the same significance. The following is a conceptual definition of intrusion: "Any set of actions that attempt to compromise integrity, confidentiality or availability of a resource" [UCR 2008]. Broken down semantically, these are the data properties affected by a system intrusion.

• Confidentiality – Information is only accessible by authorized users and not by unauthorized persons.

• Integrity – This concerns the trustworthiness of information. Integrity is also known as data consistency. Data should not be altered in an unauthorized manner.

• Availability – Information is available to authorized users only.

These three properties can be described as the core characteristics of an information-assurance secured system, and together they are referred to by the acronym CIA. If any or all three properties are compromised, the security of the system as a whole has been compromised.

Intrusions can take on many forms. The most common forms are engineered viruses or worms and password theft. More sophisticated forms can occur during a file transfer session that does not use encryption, commonly known as a "hijacked terminal". Intrusions are qualified as any kind of unauthorized access to information by insiders or outsiders.

1.1.1 Popular Intrusions

Popular intrusion types include Evasion, Insertion, Port Scanning, Denial of Service (DoS) attacks, User to Root attacks (U2R) and Remote to User attacks (R2L).

The evasion attack is planned with prior knowledge about the IDS in place. The intruder studies the attack signatures on which the IDS will alarm and tries to evade the IDS by disguising the attack.

The insertion intruder behaves intelligently. Generally, an IDS accepts packets that are rejected by an end-system. "IDS that does this makes the mistake of believing that the end-system has accepted and processed the packet when it actually hasn't" [Ptacek 1998]. The intruder exploits this situation by sending packets that the end-system will reject but that the IDS presumes to be valid. In effect, the intruder accomplishes the attack by inserting data into the IDS [Ptacek 1998].

The port scanning intruder scans the ports on a network to see which are open, so that they can break into it. "A port scan is like ringing the doorbell to see whether someone's at home" [AMP 2008]. This is done by sending a message to all ports in the network. By doing this, the intruder learns which ports are busy, already in use, and free. The intruder then probes the network further to find a weakness, and once one is found the attacker breaks into the network.

A Denial of Service (DoS) attack makes system resources unavailable to their legitimate (authorized) users. For example, blocking access to email, specific sites, and other services is considered a DoS attack [McDowell 2004].

User to Root attacks (U2R) involve a local user (intruder) trying to gain unauthorized root access to a central machine by exploiting user vulnerabilities [Chou 2007].

Remote to User attacks (R2L) involve an intruder gaining unauthorized local access from a remote machine by exploiting the machine's vulnerabilities [Chou 2007].
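The port-scan pattern described above (many distinct ports on one host in a short time) is the kind of behavior a NIDS flags by counting rather than by matching a signature. The following is an added example, not code from this thesis or from any of the tools it evaluates: a small detector run over constructed connection-attempt records. The window and port-count thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed connection-attempt records standing in for IDS-captured traffic
# (not real captures): (time in seconds, source IP, destination IP, destination port)
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "10.0.0.20", 22),
    (0.2, "10.0.0.5", "10.0.0.20", 23),
    (0.4, "10.0.0.5", "10.0.0.20", 25),
    (0.6, "10.0.0.5", "10.0.0.20", 80),
    (0.8, "10.0.0.5", "10.0.0.20", 110),
    (1.0, "10.0.0.5", "10.0.0.20", 143),
    (1.2, "10.0.0.5", "10.0.0.20", 443),
    (5.0, "10.0.0.7", "10.0.0.20", 80),    # a normal client re-using one port
    (9.0, "10.0.0.7", "10.0.0.20", 80),
    (100.0, "10.0.0.9", "10.0.0.20", 22),  # two ports, but 100 s apart: outside the window
    (200.0, "10.0.0.9", "10.0.0.20", 80),
]


def detect_port_scans(events, window_s=10.0, min_ports=5):
    """Flag each (source, destination) pair that touches at least `min_ports`
    distinct destination ports within any `window_s`-second window.

    The thresholds are assumptions for this illustration; a production NIDS
    tunes them per network to balance missed scans against false alarms.
    """
    alerts = []
    already_alerted = set()
    recent = defaultdict(list)  # (src, dst) -> [(time, dport)] still inside the window

    for t, src, dst, dport in sorted(events):
        key = (src, dst)
        # Drop attempts older than the window so a slow, legitimate client never accumulates
        recent[key] = [(ts, p) for ts, p in recent[key] if t - ts <= window_s]
        recent[key].append((t, dport))
        ports = {p for _, p in recent[key]}
        if len(ports) >= min_ports and key not in already_alerted:
            already_alerted.add(key)  # one alert per scanning pair, not one per packet
            alerts.append({
                "src": src,
                "dst": dst,
                "ports": sorted(ports),
                "first_seen": recent[key][0][0],
                "last_seen": t,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_EVENTS):
        print(f"port scan: {alert['src']} -> {alert['dst']} ports {alert['ports']} "
              f"between t={alert['first_seen']} and t={alert['last_seen']}")
```

Only the first source trips the detector: it hits five distinct ports within 0.8 s. The second source repeats one port and the third touches two ports 100 s apart, which the sliding window keeps from accumulating; lowering `min_ports` or widening `window_s` makes the detector more sensitive and correspondingly more prone to the false alarms discussed later in this chapter.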

1.1.2 Survey on Security Breach

The Computer Security Institute (CSI) conducted an extensive survey in 2008 titled "Computer Crime and Security Survey", in which information was gathered from data security professionals throughout the United States. The goal of the survey is to increase security awareness as well as to "help determine the scope of computer crime in the U.S." [Richardson 2008]. According to the CSI's survey, 47% of the 250 polled had experienced at least one incident, with the highest number of incidents reaching 5. Figure 1.1 shows a gradual decrease in the number of security intrusion victims who experienced 6-10 incidents during the years from 2004 to 2007. In 2008 the number increased slightly but is still better than in past years. Based on the graph below, 13% of those polled had experienced more than 10 incidents.

Figure 1.1 Number of Incidents by Percentage [Richardson 2008]

Table 1.1 summarizes the various types of attacks experienced by security professionals. The survey shows a gradual decrease in the number of victims per attack during the past years. Table 1.1 shows that many victims encountered virus and insider attacks compared to the other forms of intrusion.

Table 1.1 A glance at various attacks during the years 2004-2008 [Richardson 2008]

In order to be safe from intrusions, users have started implementing the various security tools available on the market. The tools listed in Table 1.2 were developed to solve a variety of security breach problems. Anti-virus software is preferred as a basic means of security, and the table accordingly indicates that it has the highest percentage of usage among the tools. Though IDS are efficient network security tools, they are not widely used because of their cost. The data obtained in the survey demonstrate that users want to be safe from intrusions rather than identifying them and being responsible for protecting against individual attacks. Since firewalls provide basic security, such as blocking threatening IP addresses, they are used more commonly than IDS tools.

Table 1.2 List of Technologies used in 2008 [Richardson 2008]

This survey reflects the fact that, compared to previous years, 2008 saw an improvement in blocking intrusions. This is evidence that the innovative solutions introduced into the corporate market are more successful at curbing security breaches than any past attempts.

1.2 Intrusion Detection System (IDS)

An intrusion detection system inspects all inbound and outbound network activity and identifies suspicious manipulations on a network or system, alerting the network administrator of any attempts to compromise a system. There are many technical definitions of IDS in computer network terms. The following is a breakdown of the various definitions given for IDS.

1.2.1 Various definitions

The most well-known definitions of IDS are:

• "An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization)" [TT 2005].

• An Intrusion Detection System is any system or set of systems that has the ability to detect inappropriate or malicious activity on a system or network.

• An intrusion detection system inspects all inbound and outbound network activity and identifies suspicious patterns that may be a sign of a network attack from someone attempting to break into or compromise a system [JC 2007].

Every definition listed above is based on the premise that an IDS can be either software or hardware that monitors network traffic to identify malicious activities attempting to compromise its security. IDS identify many types of vulnerabilities present on a network which cannot be identified by conventional firewalls.

1.3 Firewall

Basically, a firewall can be defined as the first line of defense for a network, with the key purpose of securing the network from unauthorized access. A firewall can be either a software program or a hardware device, placed on a network, which acts like a watch guard for all inbound and outbound traffic on that network. Users have the choice to allow or block certain traffic by establishing rules on their private network. Depending on the type of firewall installed on the network, users can block access to certain domain names or IP addresses and can restrict certain traffic by blocking the TCP/IP ports it uses [QED 2005]. Figure 1.2 shows how a firewall is placed on a network.

Figure 1.2 Firewall protecting network [Boncheva 2006]

Firewalls basically use four mechanisms to restrict traffic. These mechanisms are explained in the following sections.
1.3.1 Packet Filtering

A packet filter evaluates source and destination IP addresses and their port numbers. This is the criterion used to block or allow access by certain IP addresses [QED 2005].
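As an added example (not this thesis's own code, nor any firewall product's), the following shows the decision a packet filter makes from exactly the fields named above: source and destination address, protocol and destination port. The rule syntax, the first-match-wins evaluation order, the default-deny fallback and the leading anti-spoofing rule are assumptions of this example; the addresses are documentation ranges used as constructed data.

```python
import ipaddress

# Constructed rule set for illustration (not any real firewall's syntax). Rules are
# evaluated top to bottom; the first match wins and anything unmatched is denied.
# Each rule: (action, protocol or "any", source network, destination network,
#             inclusive (low, high) destination port range or None for any port)
POLICY = [
    ("deny",  "any", "192.0.2.0/24",    "0.0.0.0/0",     None),      # our own prefix never arrives from outside
    ("allow", "tcp", "0.0.0.0/0",       "192.0.2.10/32", (80, 80)),  # public web server
    ("allow", "tcp", "0.0.0.0/0",       "192.0.2.10/32", (443, 443)),
    ("allow", "tcp", "198.51.100.0/24", "192.0.2.10/32", (22, 22)),  # SSH only from the admin network
    ("allow", "udp", "0.0.0.0/0",       "192.0.2.53/32", (53, 53)),  # DNS
]


def compile_policy(rules):
    """Parse the textual networks once so that per-packet evaluation is cheap."""
    compiled = []
    for action, proto, src, dst, ports in rules:
        compiled.append((action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), ports))
    return compiled


def filter_packet(compiled_rules, src, dst, proto, dport):
    """Return "allow" or "deny" for one packet, looking only at the header fields a
    packet filter sees. No rule matching means deny."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for action, rule_proto, src_net, dst_net, ports in compiled_rules:
        if rule_proto != "any" and rule_proto != proto:
            continue
        if src_ip not in src_net or dst_ip not in dst_net:
            continue
        if ports is not None and not (ports[0] <= dport <= ports[1]):
            continue
        return action
    return "deny"


def decide(src, dst, proto, dport, rules=POLICY):
    """Compile and evaluate in one call (convenient for small tests)."""
    return filter_packet(compile_policy(rules), src, dst, proto, dport)


if __name__ == "__main__":
    # Constructed sample packets: (src, dst, proto, dport)
    samples = [
        ("203.0.113.5", "192.0.2.10", "tcp", 80),    # allow: web
        ("203.0.113.5", "192.0.2.10", "tcp", 22),    # deny: SSH not from the admin network
        ("198.51.100.7", "192.0.2.10", "tcp", 22),   # allow: SSH from the admin network
        ("203.0.113.5", "192.0.2.10", "udp", 80),    # deny: wrong protocol
        ("192.0.2.77", "192.0.2.10", "tcp", 80),     # deny: internal source address arriving from outside
    ]
    compiled = compile_policy(POLICY)
    for pkt in samples:
        print(pkt, "->", filter_packet(compiled, *pkt))
```

Note what the filter cannot see: it never reads the payload, so a request to port 80 that carries an attack is allowed exactly like a harmless one. That gap is what the comparison with IDS in section 1.4 is about.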

1.3.2 Circuit-level Gateway

A circuit-level gateway blocks all inbound traffic. "The client machines run software to allow them to establish a connection with the circuit-level gateway machine. To the outside world, it appears that all communication from the internal network is originated from the circuit-level gateway" [QED 2005].

1.3.3 Proxy Server

A proxy server is used to boost the performance of a network. A proxy server hides the internal IP addresses on a network. Therefore, to the outside world, it appears as if all communication is from the proxy server address [QED 2005].

1.3.4 Application Gateway

This is another form of proxy server. To the outside world, it appears that all communication is from the application gateway address. A connection is established between the client and the application gateway. The application gateway decides whether the connection should be allowed or not. If the communication is allowed, it then establishes a connection with the destination machine [QED 2005].

1.4 Comparison of IDS with a Firewall

Firewalls were known as the vital solution for preventing network intrusions. However, they do not provide the capability to detect or respond to intrusion attempts. IDS, on the other hand, provide continual real-time monitoring of a host or a network with an emphasis on detecting and reporting particular intrusions [Dubrawsky 2001].

Network security is the primary purpose for the existence of both firewalls and IDS; however, their functions differ. Firewalls look at the traffic coming from outside and react according to their rules to decide whether to accept or block the communication, so that intrusions are prevented. IDS, in contrast, detect intrusions initiated from inside the network and come into action after the suspected intrusion has taken place on the network [Wiki 2008]. IDS detect and warn the users about the intrusion, whereas firewalls simply block the attack without a warning, according to the predefined rules written into them.

An IDS is a security tool that analyzes and identifies malicious events by monitoring the traffic on the network. Firewalls implement the policies programmed into their configuration and, by guarding the borders of the network, log any events that demonstrate policy violations with as much information and detail as possible.

Having both an IDS and a firewall on a network provides better security, considering their particular functions and advantages. Systems containing both an IDS, which warns the administrator of intrusions, and a firewall, which blocks the attacks, provide a more secure network environment. Some firewalls and IDS are joined into a single internet security program, for example Norton Internet Security, which is a well designed combination of a firewall and an IDS [DSL 2003].

1.5 Evolution of IDS

IDS have existed for approximately 20 years. The notion of intrusion detection was introduced in 1980 with James Anderson's paper, titled "Computer Security Threat Monitoring and Surveillance" (which was written for a government organization) [Sommer 2006]. After the release of this paper, 'detecting misuse' gained an interesting focus, and auditing data and its advantages achieved much progress. Since then, IDS have advanced and recently have gained great popularity in computer network security [Innella 2001].

In the early 1990s, the commercial development of IDS technology began and IDS tools were developed. The first commercial vendor of IDS tools was Haystack Labs. Later, other tools were designed to monitor traffic and report misuse.

IDS have become a part of every major company's and organization's security system. They reduce the risk of intrusions and prevent serious malicious attempts at attacking by alerting the system's administrators. IDS have the capability of detecting preambles to malicious attacks by intruders, and through this process they help the security team to document and present the risks and threats.

To enhance IDS performance, IDS have a key capability to assign different priorities to different logs for distinct malicious attacks. This is called 'prioritization'. For the security system of an organization, IDS serve as a quality control mechanism providing diagnosis, causes and details about different aspects of the security system. "IDS can detect when an attacker has penetrated a system by exploiting an uncorrected or uncorrectable flaw. Furthermore, it can serve as an important tool in system protection, by bringing the fact that the system has been attacked to the attention of the administrators who can control and recover any damage that results. IDS verify, itemize, and characterize the threat from both outside and inside your organization's network, assisting users in making sound decisions regarding your allocation of computer security resources" [CD 2001]. In a system without IDS, adversaries are free to examine the system thoroughly with no risk of discovery.

Figure 1.3 describes the simple process model for IDS. This block diagram gives an overview of the working of an intrusion detection system. A detailed description will be given in later sections.

[Capture Data] --> [Analyze Data] --> [Respond]

Figure 1.3 IDS Block Diagram

IDS have three phases of functioning. First, they capture the data passing into and out of a network. Then they watch and analyze the data's behavior, so that they can determine whether it is malicious or not. If the data is found to be malicious, they respond to it, for example by blocking the data to protect against further damage.
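As an added example of the three-phase model (not code from this thesis or from Snort, Sax2 or any other product it discusses), the following walks constructed packet records through capture, analysis against a small signature knowledge base, and a response step that logs alerts in priority order and blocks the sources of the most severe ones. The signatures, priorities, payloads and the priority threshold used for blocking are all assumptions made for the illustration.

```python
import re

# Constructed packet records standing in for captured traffic (not real captures).
CAPTURED = [
    {"src": "203.0.113.8", "dst": "192.0.2.10", "proto": "tcp", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 80,
     "payload": b"GET /cgi-bin/../../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"src": "198.51.100.4", "dst": "192.0.2.10", "proto": "tcp", "dport": 21,
     "payload": b"USER anonymous\r\n"},
]

# Constructed signature knowledge base. Each entry names the protocol and port it applies
# to, a byte pattern to look for in the payload and a priority (1 = most severe),
# mirroring the 'prioritization' capability described in the text.
SIGNATURES = [
    {"sid": 1, "priority": 1, "proto": "tcp", "dport": 80,
     "pattern": re.compile(rb"\.\./"), "msg": "WEB directory traversal attempt"},
    {"sid": 2, "priority": 3, "proto": "tcp", "dport": 21,
     "pattern": re.compile(rb"^USER\s+anonymous"), "msg": "FTP anonymous login"},
]


def capture(records):
    """Phase 1: hand over packets one at a time (a real sensor would read a network tap)."""
    yield from records


def analyze(packet, signatures):
    """Phase 2: compare one packet against every signature that applies to its protocol and port."""
    alerts = []
    for sig in signatures:
        if sig["proto"] != packet["proto"] or sig["dport"] != packet["dport"]:
            continue
        if sig["pattern"].search(packet["payload"]):
            alerts.append({"sid": sig["sid"], "priority": sig["priority"], "msg": sig["msg"],
                           "src": packet["src"], "dst": packet["dst"], "dport": packet["dport"]})
    return alerts


def respond(alerts, block_at_priority=1):
    """Phase 3: log every alert, most severe first, and put the source of each alert at or
    above the threshold on a blocklist a firewall could enforce. The threshold is an assumption."""
    log = []
    blocklist = set()
    for alert in sorted(alerts, key=lambda a: a["priority"]):
        log.append(f"[priority {alert['priority']}] sid={alert['sid']} {alert['msg']}: "
                   f"{alert['src']} -> {alert['dst']}:{alert['dport']}")
        if alert["priority"] <= block_at_priority:
            blocklist.add(alert["src"])
    return log, blocklist


def run_ids(records=CAPTURED, signatures=SIGNATURES):
    """Run all three phases over a batch of records; returns (log lines, blocked sources)."""
    alerts = [alert for packet in capture(records) for alert in analyze(packet, signatures)]
    return respond(alerts)


if __name__ == "__main__":
    log, blocked = run_ids()
    print("\n".join(log))
    print("blocked sources:", sorted(blocked))
```

The benign request produces nothing; the traversal attempt is logged first because of its priority and its source is blocked, while the lower-priority FTP event is logged only. Keeping the response policy (which priorities get blocked) separate from the signatures is what lets an administrator tune the balance between prevention and the false-alarm cost discussed in section 1.7.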

1.6 Types of IDS

There are 'signature-based IDS vs. anomaly-based IDS', 'misuse detection vs. anomaly detection', and 'passive system vs. reactive system' [JC 2007]. IDS can be deployed in two forms: one is network-based IDS and the other is host-based IDS. Host-based IDS protect the system by examining audit and event logs. Network-based IDS monitor and assess the network traffic.

There are two popular types of IDS as mentioned above, and they are

1. Host-based IDS

2. Network-based IDS

1.6.1 Host-based IDS (HIDS)

A HIDS is a software product that resides on a specific machine, called the host, and does its job by protecting that entire system and disclosing whether the system has been compromised. It monitors the file system integrity, system registry state and system logs of the host machine to find evidence of suspicious activity, if any. If a user attempts to access unauthorized content on the host in a shared network, the HIDS identifies and collects the relevant data in the quickest possible manner [Innella 2006]. HIDS only look for intrusions on the single host, not on the entire network/system.

Snort, Dragon Squire, Tripwire, AIDE, and Emerald eXpert-BSM are some of the HIDS software tools.

Figure 1.4 HIDS [Magalhaes 2003]

1.6.2 Network-based IDS (NIDS)

In general, a network-based IDS resides somewhere on the network, monitoring all the traffic over the network for malicious activities.

Figure 1.5 NIDS [Magalhaes 2003]

1.6.3 Comparison between HIDS and NIDS

Table 1.3 Comparison of HIDS and NIDS [Kozushko 2003]

Behavior              | Host-based IDS                                              | Network-based IDS
----------------------+-------------------------------------------------------------+--------------------------------------------------------
Detecting intrusions  | Good at insider detection and bad at outsider detection     | Good at outsider detection and bad at insider detection
Preventing intrusions | Good at prevention for insiders                             | Good at prevention for outsiders
Response to attacks   | Weak real-time response but good for long-term attacks      | Strong response against outsiders
Damage assessment     | Excellent for determining extent of compromise              | Very weak damage assessment capabilities
Attack anticipation   | Good at trending and detecting suspicious behavior patterns | None
1.7 PROS and CONS of IDS

As with everything, IDS tools also have their pros and cons. But it can be said for sure that an IDS addresses network security more than a firewall does.

IDS have the capability to respond in a timely fashion to alleviate substantive harm, by automatic or manual intervention. An IDS discovers novel attack patterns and watches application logs and user actions, and then blocks the attacks aimed against an application. IDS is said to be advantageous as it drops attacks, logs packets, terminates sessions, modifies firewall policies and provides real-time alerting tools.

Even though an IDS is capable of identifying encrypted data and activities, it is not 100% secure. This is one of the major arguments going on about IDS. But future IDS products can play a great and central role in network security. Another issue of using an IDS is that, if it gets compromised, the data collected by the system may itself have been compromised before the attack was discovered or investigated. A related issue is that IDS log files will not distinguish between legitimate and unwanted traffic.

There are still many products which are not able to cope with massive traffic and with processing packets on high-speed, high-bandwidth connections. The performance of IDS logs is limited in auditing events because of massive traffic. Though an IDS inspects each packet on a network, it gives alerts only after the attack has been made by the intruder.

Network security managers have to procure and assimilate point solutions from other supplementary vendors. This can be described as ‘incomplete attack coverage’. Signature-based IDS need regular updating of their signature database for better performance.

IDS log files might fail to identify the hackers and might have been tampered with or altered. A major argument now going on about IDS is that it generates too many false alarms. IDS concentrate only on the detection of attacks and attempts, but cannot provide the prevention which would make them a more efficient tool. IDS output is also used as evidence in the prosecution of cyber crimes. An IDS also has good importance in computer networks, as well as being a good research concept nowadays.

1.8 Some of the Important Definitions to Understand This Paper

SNMP (Simple Network Management Protocol)

It is a protocol used by network management systems to interact with their network elements. This is achieved by having an SNMP agent in the network element. Many network tools have built-in SNMP agents.

SNMP TRAP

It is a message initiated by a network element and sent to the network management system.

Examples of SNMP traps:

• A router sending a message if one of its unused power supplies fails

• A printer sending an SNMP trap when the paper tray is out of paper

ACL (Access Control List)

It is a list of permissions attached to an object (routers, firewalls, etc.). The list states who and what is allowed to access the object, and also indicates what actions are permitted to be performed on that object.

Packet defragmentation

When a large amount of data is sent to a host, the packet is usually fragmented into multiple packets; defragmentation is the reassembly of those fragments back into the original datagram.

2. NETWORK INTRUSION DETECTION SYSTEM

2.1. Previous Work Done and Evolution of IDS

The IDS concept has been around for nearly 20 years. It has become more popular recently and has begun to be incorporated into the information security infrastructure. Figure 2.1 explains in detail the evolution of IDS.

Figure 2.1 Evolution of Intrusion Detection System [Innella 2001]

The notion of IDS was introduced in 1980 with James Anderson's paper ‘Computer Security Threat Monitoring and Surveillance’, which was written for a government organization. With the publishing of this paper, the concept of "detecting" misuse and specific user events emerged. This work was the beginning of host-based intrusion detection and of IDS in general.

Three years later, in 1983, SRI International and Dr. Dorothy Denning worked together on a government project which launched a fresh attempt to improve IDS development, with the goal of analyzing audit trails from government mainframe computers and creating user profiles based upon their activities. One year later, in 1984, Dr. Denning made efforts to develop the first model for IDS, known as the Intrusion Detection Expert System (IDES), providing the foundation for IDS technology development [Innella 2001].

In the meantime, there was significant progress occurring at the University of California Davis' Lawrence Livermore Laboratories. The Haystack project released another version of IDS at this laboratory for the US Air Force in 1988. The goal of this project was to analyze audit data by comparing it with defined patterns.

Later, in 1989, a commercial company, ‘Haystack Labs’, was formed by developers from the Haystack project. It released Stalker, the last generation of the technology: “a host-based, pattern matching system that included robust search capabilities to manually and automatically query the audit data” [Innella 2001].

In 1990, the idea of network intrusion detection was introduced by UC Davis's Todd Heberlein. Heberlein developed the Network Security Monitor (NSM), the first network intrusion detection system. The first notion of hybrid intrusion detection was introduced by Heberlein along with the Haystack team. These discoveries brought a great revolution in IDS into the commercial world. Haystack Labs was the first commercial vendor of IDS tools.

In 1994, the Automated Security Measurement System (ASIM) formed a commercial company, the Wheel Group, and released its first commercially viable network intrusion detection product, known as NetRanger.

Around 1997, IDS began gaining popularity in the market. ISS developed a network-based IDS called RealSecure. In 1998, Cisco acquired the Wheel Group.

Since 1999, IDS has boomed. Currently, IDS is the best-selling security tool on the market, as per the market statistics. IDS tools have been evolving with automated technologies and have become an integral part of the information security field.

2.2. Network-based IDS

As mentioned in earlier sections, a NIDS monitors traffic on a network by looking for doubtful activities which could be attacks, such as unauthorized access, viruses or intrusions. In addition to network traffic monitoring, NIDS checks system files for unauthorized events in order to maintain file, and thus data, integrity. It is also capable of detecting changes in core components of the server and scans server logs [RTEinc 2008].

Monitoring the traffic on its network segment is generally accomplished by placing the network interface card (NIC) in promiscuous mode in order to capture all network traffic that crosses its network segment. Network traffic on other segments and traffic on other means of communication (like phone lines) cannot be monitored, which is a disadvantage of NIDS. Here the network segment means that particular server, switch, gateway or router.

2.2.1 Need for NIDS

There are four major points which illustrate the need for NIDS. Those points are threat assessment and analysis, asset identification and valuation, vulnerability analysis, and risk evaluation.

Threat assessment and analysis plays a major role by providing an estimate of the types of intrusion, which helps in defining rules when deploying a NIDS on a network. The most popular threats currently known are outsider attacks from the network and telephone, insider attacks from the local network and local machine, and attacks from malicious code. A firewall operates the way its user instructs it to function. A firewall can fail to block an outsider attack from the network, malicious code, and an insider attack from a machine on the same network, i.e. a local machine. A NIDS might detect such attacks. It even has predefined rule sets within which it operates like a firewall; the knowledge base it builds aids in detecting these types of attacks [Northcutt 2002].

Asset identification results in protecting sensitive data. For example, the Office of Admissions and Records in an educational institution possesses all the sensitive data pertinent to students, such as a student’s social security number. This data must be given high priority when it comes to security. Educational institutions should identify the machines dealing with such data and implement NIDS at major locations. NIDS should be programmed so that it differentiates valuable data by appending some special strings to it.

Vulnerability to threats is dynamic, as it changes every day. Several vulnerability assessment tools are available on the market, including network-based, phone-line and system vulnerability scanners. Having a network-based scanner protects the network by scanning to check for missing patches, open ports and any other security holes [Northcutt 2002].

The above discussion recommends that organizations utilize NIDS to protect their networks from intrusion. The following section describes the mechanisms used by NIDS to implement security measures.

2.2.2 Functioning of NIDS

“Intrusion detection systems are an important component of defensive measures protecting computer networks from abuse” [McHugh 2000].

A NIDS monitors packets coming into the network and determines whether an intruder is breaking into a system; for example, it watches for a large number of TCP connection requests going to various ports on a destination system, to discover whether anyone is attempting a TCP port scan. For many people, it can be confusing where on the network to place a NIDS. It can be placed either on the target system, where it monitors that system's traffic, or on a separate machine within the network (hub, router or probe), which promiscuously monitors the entire network.
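
The port-scan case mentioned above, as an added example that is not code from the report: a sliding-window count of distinct destination ports per source, run over constructed TCP SYN records. The record layout, the threshold of 10 ports and the 5-second window are assumptions chosen for the demonstration; the alert it emits carries the fields the report later lists for logging an attack (timestamp, intruder and target addresses, protocol).

```python
from collections import defaultdict

# Added example, not code from the report: port-scan detection of the kind
# the text describes, run over constructed TCP SYN records. Record layout,
# threshold and window are assumptions for the demonstration.

SCAN_PORT_THRESHOLD = 10   # distinct destination ports from one source ...
SCAN_WINDOW_SECONDS = 5.0  # ... within this many seconds raises an alert

# Constructed records: (timestamp in seconds, source IP, destination IP, dest port)
SYN_RECORDS = (
    # a normal client making 20 connections to one web server port
    [(100.0 + i, "10.0.0.5", "10.0.0.80", 443) for i in range(20)]
    # one source touching 15 different ports on one host in 3.5 seconds
    + [(200.0 + i * 0.25, "192.0.2.77", "10.0.0.80", 20 + i) for i in range(15)]
    # a source touching 4 ports spread over a minute: stays under threshold
    + [(300.0 + i * 15, "198.51.100.9", "10.0.0.80", 8000 + i) for i in range(4)]
)

def detect_port_scans(records, threshold=SCAN_PORT_THRESHOLD,
                      window=SCAN_WINDOW_SECONDS):
    """Count distinct destination ports per (src, dst) inside a sliding time
    window; emit one alert per offending pair with the fields a NIDS logs."""
    recent = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    alerts = {}
    for ts, src, dst, port in sorted(records):
        key = (src, dst)
        hits = recent[key]
        hits.append((ts, port))
        # forget connection attempts older than the window
        while hits and ts - hits[0][0] > window:
            hits.pop(0)
        ports = {p for _, p in hits}
        if len(ports) >= threshold and key not in alerts:
            alerts[key] = {
                "first_seen": hits[0][0],
                "last_seen": ts,
                "src": src,
                "dst": dst,
                "proto": "tcp",
                "ports": sorted(ports),
                "msg": "possible TCP port scan",
            }
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_port_scans(SYN_RECORDS):
        print(alert)
```

Only the second source trips the detector: the busy web client keeps hitting one port, and the slow source never has more than one port inside any 5-second window. That last case is the known weakness of windowed counters; a scan spread out over hours needs a longer window or a per-source counter that decays slowly rather than being cut off at a fixed interval.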

An Intrusion Detection System is composed of several components placed between the internal and external network. If more than two systems are connected on the administrative side of the IDS, then it is said to be an internal network. The external network means that the non-administrative side of the IDS is a public network. IDS are comprised of three main components. They are as follows:

• sensors to generate events,

• a console on which to monitor activities and alerts and control the sensors, and

• a central device that files activities logged by the sensors in a database, then applies a system of rules to generate alerts from security events received.

Figure 2.2 demonstrates the above description.

Figure 2.2 IDS Components [Kazienko 2003]

The sensor is like the kernel of an IDS; it is in charge of detecting intrusions and contains the decision-making mechanisms about intrusions. Sensors obtain raw data from information sources, which are in the IDS knowledge base: syslog and audit trails. Figure 2.3 clearly shows how sensors work in an IDS. For example, syslog includes the configuration of file systems, user authorizations, etc. This data thus creates the foundation for the decision-making process. Figure 2.2 depicts that the sensor is integrated with another component responsible for data collection, known as an event generator. The event generator creates a policy for a set of events that may be a log or audit of system events.

A sensor filters data, ignoring any irrelevant data obtained, to detect suspicious activities. To achieve this, the analyzer uses the detection policy database. The sensor maintains its own database, which contains the dynamic history of possible intrusions.

Figure 2.3 A sample IDS. The arrow width is proportional to the amount of information flowing between system components [Kazienko 2003]

The following are the primary methods used by NIDS to report and block intrusions [Larrieu 2003]:

Reconfiguring third-party devices (firewall or Access Control Lists on routers)

The NIDS sends a command to a third-party device, such as a packet filter or firewall, to immediately reconfigure itself in order to block an intrusion. The reconfiguration is made possible by sending data explaining the alert in the packet header.

Sending an SNMP trap to a third-party hypervisor

This is achieved by sending an alert with details on the data involved, in the form of an SNMP datagram, to a third-party console such as HP OpenView, Tivoli or Cabletron Spectrum [Larrieu 2003].

Sending an email to one or more users

This can be achieved by sending an email to one or more inboxes to report a severe intrusion.

Logging the attack

In this method, the IDS saves the details of the alert in a central database, including information such as the timestamp, the IP address of the intruder, the IP address of the target, the protocol used, and the payload [Larrieu 2003].

Saving suspicious packets

In this method, the NIDS saves all raw network packets captured.

Opening an application

In this process, the NIDS launches an outside program to perform a specific action. The actions include sending an SMS text message, or playing a sound to indicate an alert.

Visual notification of an alert

Here, the NIDS displays an alert on one or more management consoles. The console is an interface for viewing the information from the NIDS.

2.2.3 Host-based IDS vs. Network-based IDS

Each system has its own advantages and disadvantages. Host-based IDS is preferred for a complete system security solution, and network-based IDS is desirable for a LAN (Local Area Network) solution. The following table summarizes the comparison between host-based and network-based IDS. The left column names the function to be performed on the network and the right column describes the behavior of HIDS and NIDS towards that function.

Table 2.1 Comparative Analysis of HIDS vs. NIDS [Magalhaes 2003]

Function                                | Comments on HIDS and NIDS
Protection on LAN                       | Both systems protect the LAN.
Protection off LAN                      | Only HIDS protects the network off the LAN.
Ease of administration                  | The administration of NIDS and HIDS is equal from a central admin perspective.
Versatility                             | HIDS are more versatile systems.
Price                                   | HIDS are more affordable systems if the right product is chosen.
Ease of implementation                  | Both NIDS and HIDS are equal from a central control perspective.
Little training required                | HIDS requires less training than NIDS.
Total cost of ownership                 | HIDS costs less to own in the long run.
Bandwidth requirements (LAN)            | NIDS uses up LAN bandwidth. HIDS does not.
Network overhead                        | The NIDS has double the total network bandwidth requirements from any LAN.
Bandwidth requirements (internet)       | Both IDS need internet bandwidth to keep the pattern files current.
Spanning port switching requirements    | NIDS requires that port spanning be enabled to ensure that LAN traffic is scanned.
Update frequency to clients             | HIDS updates all of the clients with a central pattern file.
Cross-platform compatibility            | NIDS are more adaptable to cross-platform environments.
Logging                                 | Both systems have logging functionality.
Local machine registry scans            | Only HIDS can do these types of scans.
Upgrade potential                       | It is easier to upgrade software than hardware. HIDS can be upgraded through a centralized script. NIDS is typically flashed onto flash memory and has low overhead.
Alarm functions                         | Both systems alert the individual and the administrator.
Packet rejection                        | Only NIDS functions in this mode.
Specialist knowledge                    | More knowledge is required when installing and understanding how to use NIDS from a network security perspective.
Central management                      | NIDS are more centrally managed.
Disable risk factor                     | The NIDS failure rate is much higher than the HIDS failure rate. NIDS has one point of failure.
PAN scan                                | Only HIDS scans personal area networks.
Multiple LAN detection nodes            | HIDS is a more comprehensive multiple-segment detection IDS than NIDS.

2.3 Analysis and Comparison of IDS Tools

This phase deals with the study of IDS tools and the comparison of their features.

2.3.1 IDS Analysis

There are two key approaches for analyzing events to detect attacks. Based on the detection technique used, intrusion detection systems are categorized as knowledge-based (misuse detection) and behavior-based (anomaly detection) intrusion detection. Misuse detection analysis is aimed at known malicious items, and most commercial systems use this technique. Anomaly detection analysis checks for irregular patterns of activity. As with everything, IDS also has strengths and weaknesses associated with each approach, and it appears that the most effective IDS largely employ misuse detection methods with a few anomaly detection components. More details about these approaches are described below.

Misuse Detection

In this practice, detectors study the system’s activity, collect the necessary information and keep it in audit logs. Then the IDS looks for events that match a predefined pattern of events. If a match occurs, it is reported as a known attack. A pattern which corresponds to a known attack is known as a signature, which is why misuse detection is sometimes called signature-based detection. Misuse detection identifies each pattern of events related to an attack as a separate signature. This category has advantages, such as being very successful at detecting attacks without generating a great number of false alarms and being able to diagnose the use of a specific attack technique in a very fast and reliable way. It also has disadvantages: such systems are able to detect only those attacks they know about, so they must be updated frequently with signatures of new attacks.

Anomaly Detection

This practice is used to identify abnormal or unusual behavior, known as anomalies. Anomaly detectors function on the theory that attacks differ from normal activity and can therefore be detected by systems which identify these differences. They build profiles representing the normal behavior of users, hosts or network connections. These profiles are built from data collected over a period of usual operation. The detectors then collect event data and apply a variety of measures to determine when monitored activity is abnormal.
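
The anomaly-detection side of the above, as an added example that is not part of the report: a per-user profile of normal activity (hours seen active and mean events per hour) is built from a constructed training period and then used to flag activity at an unusual hour, at an unusual volume, or from a user with no profile at all. The audit records, the z-score threshold and the profile features are assumptions chosen for the demonstration.

```python
import statistics
from collections import defaultdict

# Added example, not from the report: the behaviour-profile side of anomaly
# detection. Records are (user, hour of day, events in that hour); the
# training set, the observed set and the z-score threshold are constructed
# assumptions for the demonstration.

# Nine working hours a day, five days, a fairly steady 9-13 events per hour.
TRAINING = [("alice", hour, n) for hour in range(9, 18) for n in (10, 12, 11, 9, 13)]

# Later observations: a normal hour, activity at 03:00, a burst at 14:00,
# and a user the profile has never seen.
OBSERVED = [("alice", 10, 12), ("alice", 3, 5), ("alice", 14, 40), ("mallory", 14, 2)]

def build_profile(training):
    """Per user: the set of hours seen active and the mean/stdev of events per
    active hour. This is the 'period of usual operation' the text mentions,
    so it must come from data believed to be clean."""
    per_user = defaultdict(list)
    for user, hour, n in training:
        per_user[user].append((hour, n))
    profile = {}
    for user, obs in per_user.items():
        counts = [n for _, n in obs]
        profile[user] = {"hours": {h for h, _ in obs},
                         "mean": statistics.mean(counts),
                         "stdev": statistics.pstdev(counts)}
    return profile

def anomaly_detect(profile, observed, z=3.0):
    """Flag observations that deviate from the profile. Returns
    (reason, user, hour, n) tuples in input order; unflagged records
    produce nothing."""
    findings = []
    for user, hour, n in observed:
        p = profile.get(user)
        if p is None:
            findings.append(("unknown user", user, hour, n))
        elif hour not in p["hours"]:
            findings.append(("unusual hour", user, hour, n))
        elif n > p["mean"] + z * p["stdev"]:
            findings.append(("unusual volume", user, hour, n))
    return findings

if __name__ == "__main__":
    for finding in anomaly_detect(build_profile(TRAINING), OBSERVED):
        print(finding)
```

Nothing in the detector knows what an attack looks like, which is its strength and its weakness at once: a novel attack shows up as a deviation, but so does legitimate late-night maintenance, and a profile trained while an intruder was already active learns that activity as normal. Those two effects are the false-alarm problem and the clean-training-data problem the text alludes to.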

Figure 2.4 visually compares misuse and anomaly detection.

Figure 2.4 Comparison of Knowledge-Based and Behavior-Based IDS [Chou 2007]

3. RESEARCH

3.1 Research on Attacks

3.1.1 Possibility of an Attack

If a network is connected to the internet, there is the possibility that an attack may occur. As networks are generally connected 24 hours a day, the potential for attack is continual. Attacks mostly occur in the late hours of the night, relative to the location of the server [MCP 2008].

3.1.2 Operating Systems Which Intruders Use

Depending on the cost and the availability of the tools, the operating systems used by intruders vary. Macintosh is the least preferable platform for an intruder, as there are not enough tools available for MacOS, and whatever tools are available cause great trouble with the network ports. Linux has become the most frequent platform used by intruders, as it is available at low cost; a Linux book costs around $40 including a CD-ROM. The majority of good tools can be easily ported to the UNIX platform as they are mostly written in a UNIX environment [MCP 2008].

3.1.3 Origin of an Intrusion

In the early days of the internet, most intruders were youngsters who had very limited access to the internet. The one place where they could easily access the internet was universities, which influenced the origin and timing of attacks. Today’s intruders have become more serious; they can break into a network from their home or office. These serious intruders use AOL as their provider rather than America Online, Prodigy or the Microsoft networks. The reason intruders avoid these providers is that they roll intruders over to the authorities. One simple reason why big providers are easy for intruders to utilize is that they allow spammers onto their internet with largely unwanted advertising [MCP 2008].

Most intruders are able to do any three of the following [MCP 2008]:

• code in C, C++ or Perl

• have an in-depth knowledge of TCP/IP

• have high internet usage

• be a professional computer user

• collect old, vintage or outdated computer hardware or software

3.1.4 Reasons for Hacking

There are several reasons for an intruder to attack a network. Listed below are a few of these reasons [MCP 2008]:

• Very simply, the intruder may not like the victim (Spite)

• To show how weak a user’s security system is (Sport)

• An intruder is paid by someone to get personal data or to ‘bring the victim down’ (Profit)

• Kids showing off to their friends or trying to become famous (Stupidity)

• Some people actually just want to know how this works or to explore new things (Curiosity)

The following section deals with four popular network attack types. These four types of attacks together comprise solid evaluation criteria to test the performance of an IDS. They are probing, denial of service, user to root access and remote to user access.

3.1.5 Attacks

This section explains some examples of attacks. Explained below are the complex attacks an IDS may detect. In recent years, a large number of victims have suffered these attacks. Table 3.1 lists popular attacks from the following attack categories.

Probing

In a probing attack, an intruder scans a network to gather knowledge about known vulnerabilities. With a map of the computers and services that exist on a network, an intruder can use the information gathered to exploit the network. Different types of probes are readily available, including:

• abusing the computer’s legitimate features

• using social engineering techniques.

These attacks are the most commonly known and they require very little technical expertise [Mukkamala 2003].

Denial of Service Attacks

DoS attacks are a class of attacks whereby an intruder renders a resource too busy to handle legitimate requests by loading it with some work, resulting in denying legitimate users access to a machine. There are several procedures to launch DoS attacks, some of them by:

• abusing the machine’s legitimate features

• targeting implementation bugs

• exploiting the system’s misconfiguration

This class of attacks is categorized based on the services that an intruder makes inaccessible to authorized users on the network [Mukkamala 2003].

Definition of a Denial of Service (DoS) Attack

Making system resources unavailable to their legitimate (authorized) users is a denial of service attack. For example, blocking access to email, specific sites and other services is considered to be a DoS attack [McDowell 2004].

Knowing if a DoS Attack is Occurring

If any disturbance occurs while accessing a service, it is not always due to a denial-of-service attack. There may be many reasons, like a technical problem with a particular network, or system administrators performing maintenance. To reveal whether a DoS attack is taking place or not, here are some symptoms which may indicate a DoS attack [McDowell 2004]:

• unusually slow network performance (opening files or accessing web sites)

• unavailability of a particular web site

• inability to access any web site

• a dramatic increase in the amount of spam received in an account

To Avoid Being a DoS Victim

Unfortunately, there are no absolute means to avoid being the victim of a DoS attack. But there are some precautions which reduce the chances that an intruder will use a computer to attack others:

• installing and maintaining anti-virus software

• using a firewall to curb inbound and outbound traffic

• following good security measures for distributing a user’s email address, and reducing spam by applying spam filters, will help to some extent to manage unwanted traffic

User to Root Attacks

These are also known as user to super-user (U2Su) attacks. Here, an intruder begins with access to a normal user account on the system and exploits a vulnerability in order to obtain root access to the machine. The most common exploits here are regular buffer overflows, which are caused by regular programming mistakes and environment assumptions [Mukkamala 2003].

Remote to User Attacks

An intruder sends packets to a machine over a network, and then exploits the machine’s vulnerabilities to gain unauthorized local access as a user. There are several kinds of R2L attacks, most using social engineering [Mukkamala 2003].

Table 3.1 Popular Thirty-Nine Attacks [Chou 2007]

Probe     | DoS          | U2R             | R2L
Ipsweep   | Apache2      | Buffer_overflow | ftp_write
Mscan     | Back         | Httptunnel      | guess_passwd
Nmap      | Lan          | Loadmodule      | imap
Portsweep | Mailbomb     | Perl            | multihop
Saint     | Neptune      | Ps              | named
satan     | Pod          | Rootkit         | phf
          | Processtable | Sqlattack       | sendmail
          | Smurf        | xterm           | Snmpgetattack
          | Teardrop     |                 | Snmpguess
          | Udpstorm     |                 | Spy
          |              |                 | Warezclient
          |              |                 | Warezmaster
          |              |                 | Worm
          |              |                 | Xclock
          |              |                 | xsnoop

3.2 Research on freeware NIDS

3.2.1 Research on Windows-based NIDS

3.2.1.1 Snort IDS

Snort is an open source, lightweight, full-featured network intrusion detection system, developed by Marty Roesch in 1998. “A lightweight intrusion detection system can easily be deployed on most any node of a network, with minimal disruption to operations” [Roesch 1999]. Snort uses a rule-based language, combining the benefits of signature- and anomaly-based detection. Many researchers agree that Snort is the best IDS available. With millions of downloads to date, Snort is the most widely deployed intrusion detection system worldwide and has become the de facto standard for the industry [Snort 2008]. Many IDS use Snort’s rules and act as front-ends with some other features.

It is a fact that in 2003, 500,000 networks had Snort sensors, and in November of 2003 the Snort website reported that 70,000 users had downloaded Snort IDS [QOD 2004]. The ultimate reason to choose Snort for an organization is as follows:

"Snort is versatile, can be used as an IDS, IPS (intrusion prevention system), scrubber, Inline firewall, etc. It has a huge user-base that updates signatures all the time, is open source so if a user ever needs to edit the code for a specific reason the code is available, and it is free. What is there not to like?" [QOD 2004].

Snort is able to perform IP defragmentation, TCP stream reassembly and stateful protocol analysis, logs full packets, and much more. Snort can be used in three primary functional modes:

• Packet sniffer (like tcpdump)

• Packet logger

• Full-blown NIDS

Snort Architecture

A Snort IDS comprises the following components:

• Packet Decoder

• Preprocessors

• Detection Engine

• Logging and Alerting System

• Output Modules

Figure 3.1 Components of Snort IDS [Caswell 2003]

Packet Decoder

It takes packets from different network interfaces (Ethernet, etc.) and prepares them to be preprocessed, after which they are sent to the detection engine [Rehman 2003].

Figure 3.2 Packet Capture in Real Time Using Ethereal. Ethereal is a GUI-based protocol analyzer for data captured by Snort [Gerg 2004].

Preprocessors

These are the plug-ins used to deal with packets, arranging and modifying them before the detection engine touches them. They may also identify intrusions by looking at packet headers and then generating alerts. The preprocessor is a vital component, among others, as it prepares packets to be analyzed against rules in the detection engine [Rehman 2003]. It performs packet defragmentation, HTTP URL decoding, TCP stream reassembly, etc.
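
An added example of the packet defragmentation step named above (and defined in Section 1.8), written for this page rather than taken from Snort: a toy IPv4 fragment reassembler that buffers fragments by (source, destination, identification, protocol), hands the datagram on once the sequence is complete, and refuses overlapping fragments instead of choosing a winner, since a signature matcher must not be shown two different versions of the same bytes. Snort's own frag3 preprocessor resolves overlaps with per-target policies, which this toy does not model. All datagrams are constructed inline, with header checksums left at zero because nothing here hands them to a real stack.

```python
import struct
from collections import defaultdict

# Added example, not Snort code: a toy IPv4 fragment reassembler. Packets
# below are constructed in-line; header checksums are left zero since the
# demo never hands them to a real network stack.

IP_MF = 0x2000  # "more fragments" flag in the flags/offset field

def build_fragment(src, dst, ident, proto, offset, more, payload):
    """Constructed IPv4 fragment with a 20-byte header; offset in bytes,
    which must be a multiple of 8 because the wire format counts 8-byte units."""
    assert offset % 8 == 0
    flags_offset = (IP_MF if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_offset,
                         64, proto, 0, src, dst)
    return header + payload

def parse_ipv4(raw):
    """Pull out the fields reassembly needs from a raw IPv4 packet."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, ident, flags_offset = struct.unpack("!HHH", raw[2:8])
    proto = raw[9]
    return {"key": (raw[12:16], raw[16:20], ident, proto),
            "more": bool(flags_offset & IP_MF),
            "offset": (flags_offset & 0x1FFF) * 8,
            "payload": raw[ihl:total_len]}

class Reassembler:
    """Buffers fragments per datagram. feed() returns ("ok", key, datagram)
    when complete, ("overlap", key, None) when a fragment re-covers bytes
    already received, or None while still waiting for pieces."""
    def __init__(self):
        self.pending = defaultdict(list)  # key -> [(offset, more, payload)]

    def feed(self, raw):
        f = parse_ipv4(raw)
        if not f["more"] and f["offset"] == 0:
            return ("ok", f["key"], f["payload"])  # not fragmented at all
        frags = self.pending[f["key"]]
        frags.append((f["offset"], f["more"], f["payload"]))
        frags.sort()
        expected = 0
        for offset, _more, data in frags:
            if offset < expected:       # starts inside bytes already covered
                del self.pending[f["key"]]
                return ("overlap", f["key"], None)
            if offset > expected:       # a hole: wait for the missing piece
                return None
            expected = offset + len(data)
        if frags[-1][1]:                # last piece still says "more"
            return None
        del self.pending[f["key"]]
        return ("ok", f["key"], b"".join(data for _, _, data in frags))

def demo():
    src, dst = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80])
    body = bytes(range(24))           # constructed 24-byte datagram body
    r = Reassembler()
    # a legitimate three-piece datagram, delivered out of order
    f1 = build_fragment(src, dst, 1, 17, 0, True, body[:8])
    f2 = build_fragment(src, dst, 1, 17, 8, True, body[8:16])
    f3 = build_fragment(src, dst, 1, 17, 16, False, body[16:])
    results = [r.feed(f3), r.feed(f1), r.feed(f2)]
    # a second datagram whose final piece re-covers bytes 8..15 of its first
    g1 = build_fragment(src, dst, 2, 17, 0, True, b"A" * 16)
    g2 = build_fragment(src, dst, 2, 17, 8, False, b"B" * 16)
    results += [r.feed(g1), r.feed(g2)]
    return results

if __name__ == "__main__":
    for res in demo():
        print(res)
```

The point for a NIDS is that a signature spanning a fragment boundary is invisible until this step has run, so the detection engine must see the reassembled datagram, never the fragments. The toy is stricter than a host stack in one respect: an exact retransmission of a fragment already held is reported as an overlap too, whereas production code compares the bytes and accepts identical duplicates.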

Detection Engine

This is responsible for detecting any intrusion present in a packet. It uses rules to do this. If a match occurs, it takes the proper action, like logging the packet or generating an alert; otherwise it drops the packet. The rules written for the IDS, the power of the system, the speed of the internal bus and the load on the network determine the load on the detection engine [Rehman 2003].
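
An added example of how a rule-based detection engine matches packets, not Snort's code and not a complete Snort rule parser: it understands a small subset of Snort's rule syntax (action, protocol, CIDR addresses, ports or port ranges, and the msg, content and sid options) and matches it against constructed packets. Rules, addresses and payloads are assumptions chosen for the demonstration; content is matched as a plain substring, so Snort's |hex| escapes, content modifiers and preprocessor-normalized buffers are outside this toy's scope.

```python
import ipaddress
import re

# Added example, not Snort's code: a minimal matcher for a subset of Snort's
# rule syntax, run over constructed packets. Rules, addresses and payloads are
# assumptions for the demonstration.

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'(\w+)\s*:\s*(?:"([^"]*)"|([^;]*))\s*;')

# Constructed rule set; the home network is spelled out as 10.0.0.0/24.
RULES_TEXT = """
alert tcp any any -> 10.0.0.0/24 80 (msg:"phf CGI probe"; content:"/cgi-bin/phf"; sid:1000001;)
alert udp any any -> 10.0.0.0/24 161 (msg:"SNMP default community string"; content:"public"; sid:1000002;)
alert tcp any any -> 10.0.0.0/24 21 (msg:"FTP anonymous login"; content:"USER anonymous"; sid:1000003;)
"""

def parse_rule(line):
    """Split a rule into its header fields plus the msg/content/sid options."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unsupported rule syntax: " + line)
    opts = {}
    for name, quoted, bare in OPT_RE.findall(m.group("opts")):
        opts[name] = quoted if quoted else bare.strip()
    rule = m.groupdict()
    del rule["opts"]
    rule["msg"] = opts.get("msg", "")
    rule["content"] = opts.get("content", "").encode()  # plain substring only
    rule["sid"] = int(opts.get("sid", 0))
    return rule

def _ip_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                     # Snort range syntax lo:hi, :hi, lo:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def match(rules, pkt):
    """Return (sid, msg) for every rule whose header and content fit pkt."""
    hits = []
    for r in rules:
        if r["proto"] != pkt["proto"]:
            continue
        if not (_ip_matches(r["src"], pkt["src"]) and _ip_matches(r["dst"], pkt["dst"])):
            continue
        if not (_port_matches(r["sport"], pkt["sport"]) and _port_matches(r["dport"], pkt["dport"])):
            continue
        if r["content"] and r["content"] not in pkt["payload"]:
            continue
        hits.append((r["sid"], r["msg"]))
    return hits

# Constructed packets, shaped as the decoder would hand them to the engine.
PACKETS = [
    {"proto": "tcp", "src": "192.0.2.7", "sport": 40001, "dst": "10.0.0.80", "dport": 80,
     "payload": b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "192.0.2.7", "sport": 40002, "dst": "10.0.0.80", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"proto": "udp", "src": "192.0.2.9", "sport": 5000, "dst": "10.0.0.1", "dport": 161,
     "payload": b"0\x1a\x02\x01\x00\x04\x06public\xa0\x0d"},
    # same FTP login, but the target is outside 10.0.0.0/24, so no rule fires
    {"proto": "tcp", "src": "192.0.2.7", "sport": 40003, "dst": "203.0.113.5", "dport": 21,
     "payload": b"USER anonymous\r\n"},
]

def run(rules_text=RULES_TEXT, packets=PACKETS):
    rules = [parse_rule(l) for l in rules_text.strip().splitlines() if l.strip()]
    return [match(rules, p) for p in packets]

if __name__ == "__main__":
    for pkt, hits in zip(PACKETS, run()):
        print(pkt["src"], "->", pkt["dst"], pkt["dport"], hits)
```

Two of the four packets raise an alert. The fourth shows why the header part of a rule matters as much as the content: the same payload aimed outside the protected range is ignored, which is the intended behaviour for a sensor watching its own segment. The ordering also mirrors the text's remark about engine load: cheap header comparisons run first, and the payload search, the expensive part, only runs for rules whose header already fits.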

Output Plug-ins

These output the alerts generated by the preprocessors or the detection engine.

Figure 4.3 shows the working of Snort using IDS-Center as the front end.

Figure 3.3 Working of Snort - Sequence of steps showing the flow of activities

Advantages of Snort IDS

• Snort is a free, open-source, portable and fast IDS tool

• Snort is a lightweight tool (easy to deploy on a system) and works on all major operating systems

• Snort provides extremely flexible detection and reporting. Its decoded output display is more user-friendly and understandable than that of other tools, like tcpdump.

• Users can customize rules in an advanced rule set for better security

• Snort is technically, financially and administratively easier to implement when compared to other IDS tools [Roesch 1999]

• As a sensor, it does automatic traffic classification and performs real-time alerting [Roesch 1999]

• Snort performs focused monitoring (monitoring a single node (system) on the network for doubtful activities) [Roesch 1999]

• It is capable of logging to several databases, which include SQL Server, MySQL, Oracle and PostgreSQL [QOD 2004]

• Snort is well suited to both small and large organizations as a security solution

• Performs high-speed decoding and stateless intrusion detection

Disadvantages

• Snort drops packets under load

• It is an IP-centric program [Roesch 2001]

• Protocol addition is not greatly scalable with Snort’s internal data structures

• As Snort is open source code, it is highly configurable and customizable. When things go wrong when using this product, there are no formal technical support resources available on which to rely.

• Snort does not have a good, user-understandable management and configuration interface.

3.2.1.2 Sax2 NIDS

Sax2 is described as a proactive, professional Windows-based NIDS with advanced protocol analysis and automatic expert detection. It provides 24/7 internal and external real-time attack detection. It monitors the network traffic and analyzes it to check for security breaches, if any, and looks for possible signs of attack in the network system. Then it captures the data packets and blocks such events to protect from danger.

The operation of Sax2 is completely dependent on analysis of internet protocols. The technology used by Sax2 is an efficient multi-pattern matching algorithm to analyze high-speed networks.

Current features of Sax2 are as follows:

• improved and efficient performance using in-depth analysis of protocols

• accurate network monitoring

• powerful packet filtering capabilities

• recognizing TCP/IP data and submitting reorganized data to the detection engine

• adopts multi-pattern matching algorithms

• adopts protocol analysis methods for faster monitoring of network traffic

• comprehensive recognition of internet attacks

• flexible security policy settings

• use of statistical functions

Sax2 Architecture

It is comprised of the following modules:

• packet capturing

• matching rules

• protocol analysis

• comprehensive diagnosis

• incident response

• policy management

• logs

• display of results

Sax2 accomplishes data capture, analysis and incident response of IDS with all the

above modules working together. Figure 3.4 shows the main console of Sax2 IDS.

Figure 3.4 Sax2 Main Console [Ax3Soft 2008]

The left side pane outlined in the red rectangle is known as Nodes Explorer and is

shown clearly in figure 3.5. This displays all the network IP addresses involved in the

communication with the network. If a particular node is selected, then it shows all the

information related such as logs, statistics and conversation, etc.

41
Figure 3.5 Node Explorer Window - displaying all the IP addresses involved in
Network Communication [Ax3Soft 2008]

Figure 3.6 describes the statistics view of Sax2 IDS. It is clearly showing that it

has very rich statistics. Almost 100 statistical counters are provided in the console for

users to see detailed statistical information.

Figure 3.6 Statistic View on Main Console of Sax 2 [Ax3Soft 2008]

In Figure 3.7, the blue rectangular box shows the conversations associated with an IP address. This is the Conversation view, and it is one of the more important parts of Sax2 IDS: for each IP, TCP, UDP and ICMP conversation it lists the source address, the destination address, the number of packets exchanged and their total size, among other details. Figure 3.8 shows the event log pane for intrusions, known as the Event view.

Figure 3.7 Conversation View of Sax2 IDS [Ax3Soft 2008]

The Event view is used to examine events. It has two parts: the intrusion event pane and the intrusion log pane. The first shows event statistics broken down by classification for the current network; the second shows the incidents belonging to the selected event.

All traffic on a monitored network is recorded into logs, which can be inspected in the Log view. Sax2 collects all the data and classifies it, checking whether it is an HTTP request, an e-mail message (SMTP/POP3), an FTP transfer, and so on, as shown in Figure 3.9. All logs are saved to the hard disk for later reference.

Figure 3.8 Event View [Ax3Soft 2008]

Figure 3.9 Logs View [Ax3Soft 2008]

The purple box in Figure 3.4 shows the status of the monitoring session currently running on the network: start time, duration, packets captured, packets accepted (highlighted in green), packets lost, buffer usage and traffic changes.

Figure 3.10 shows how the knowledge base is represented in Sax2. By default, Sax2 ships with more than 1,500 security policies and allows them to be customized so that they fit the monitored network.

Figure 3.10 Knowledge Base Management in Sax2 IDS [Ax3Soft 2008]

Another important module of Sax2 IDS is the Detection Expert Settings. This module analyzes traffic at an expert level and reports malicious incidents to the administrator. Figure 3.11 shows this module.

Figure 3.11 Detection Expert Settings [Ax3Soft 2008]

Sax2 can capture traffic on more than one network adapter, if several are present. A practical test of Sax2 IDS using the Nmap tool is discussed in later sections.

All of these features are real assets and give Sax2 an advantage over other tools. Its disadvantage is that Sax2 does not have a well-organized website, which leaves users disappointed when they look for support.

3.2.2 Research on Linux-based NIDS

3.2.2.1 Firestorm

Firestorm is a Unix-based NIDS licensed under the GPL (GNU General Public License) with very high performance. It is a sensor that provides real support for analysis and reporting, and a remote console. It is more flexible than most because it is fully pluggable. Firestorm NIDS is available for download from ‘www.scaramanga.co.uk/firestorm/download.html’.

Firestorm can capture network traffic from a variety of sources, with the restriction that only one capture source can be used at a time; extensions can be written to capture from a new data source. It also supports high-speed, operating-system-specific capture plug-ins.

Firestorm NIDS comprises four architectural components [Leach 2003]:

• Sensor (Firestorm-NIDS)
• Extended Logs (elog files)
• Stormwall
• Console

Sensor

The sensor sniffs traffic on the network, analyzes it, and spools the resulting alerts into an extended log in the elog format. Firestorm uses Snort signatures to analyze the network traffic [Leach 2003].

Firestorm performs stateful analysis. In this phase it tracks state information on the network, reassembles IP fragments, performs TCP connection tracking (so that IDS-stress tools such as snot and stick, which generate stateless packets crafted to match signatures, cannot bury the sensor in bogus alerts), reassembles TCP streams and carries out application-layer stateful analysis. Firestorm is able to decode application-layer protocols; this is known as ‘Full Application Layer Decode’. So far only HTTP has been tested, and the Firestorm team is working on support for other protocols. Firestorm is compatible with Snort rules, protects the network from DoS attacks and also supports anomaly detection [Leach 2003]. Firestorm IDS is easy to use because it has only one configuration file.

Firestorm Configuration File

The Firestorm configuration file, firestorm.conf, defines everything Firestorm needs and tells it how to behave. All settings are defined in this file: capture settings (where to capture from, time limits), where to log, and so on. The Snort rules to load are also declared in this file. The complete behavior of Firestorm IDS is therefore controlled and managed by firestorm.conf.

Stormwall

Stormwall monitors the alert spools and performs actions when new elog files appear. The sensor is responsible for notifying Stormwall of any changes to the spool [Leach 2003]. At this point, it is still under development.

Extended Logs

Extended Logs, also known as elogs, are a new layout for conveying alert information. An elog file contains information about the packet, the alert, the decode, state tracking and other metadata. The format is advantageous because it keeps all the data in a single file. Firestorm rotates logs automatically when they reach a definite file size or a certain time limit [Leach 2003].

Figure 3.12 shows how elog files can be viewed. The Ethereal interface is one of the applications used to access and view elog files. It shows that elog files record the time and source of the event, the destination, protocol information and a brief description of the activity. Clicking on a particular activity displays detailed information in the lower pane of the interface.

Figure 3.12 Viewing .elog files using Ethereal Interface [Leach 2003]

Console

The console allows the user to search, sort, filter, correlate and extract data from sensors. As of now, the console is not completely implemented.

Figure 3.13 Firestorm Analyst console – displaying packets [Leach 2003]

Current features of Firestorm (current version):

• Protocol anomaly detection and full application-layer decodes
• Fully pluggable
• Easy to configure: a single configuration file
• Can run as a real-time process; this is possible if it is started as root
• High-performance OS-specific capture module for Linux; to use it, the capture block of the .conf file is changed to “capture pcap if = ‘linux’ “
• Comprehensive Snort rule support
• Full IP defragmentation
• TCP stateful inspection
• GNOME2-based analyst console user interface
• Enhanced logging format for ease of analysis, the elog (extended log) file

Comparison between Snort and Firestorm

This section presents the results of a case study on Snort 1.8.3 and Firestorm 0.4.6. L. L. Fagundes and L. P. Gaspary proposed an evaluation criterion in 2006 in the paper Network-based Intrusion Detection Systems Evaluation Through a Short Term Experimental Script. Their analysis was run at three traffic bandwidths: 4, 6 and 8 Mbps. Figure 3.14 lists the attacks performed on the network; an X means the IDS detected the attack and an empty box means it did not. In Figure 3.14, Snort detected all the attacks, and Firestorm detected all of them except one, the UDP scan.

Figure 3.15 shows the detection results of Snort and Firestorm for the various attacks at each bandwidth. The percentages were obtained by dividing the number of logs stored by the maximum number of alarms expected [Fagundes 2006]. The comparison reveals that Snort has better performance and detection ability than Firestorm.

Figure 3.14 Detection Capabilities Analysis Results [Fagundes 2006]

Figure 3.15 Scalability Analysis Report [Fagundes 2006]

3.2.2.2 Strata Guard

Strata Guard IDS is an award-winning network-based intrusion detection system. It provides real-time protection from network intrusions and malicious traffic. Strata Guard has the following features for protecting the network [StillSecure 2008]:

Features

• Blocks malicious attacks, peer-to-peer file sharing, instant messaging, chat, prohibited browsing activity and worm propagation
• Enforces network usage policies
• Detects anomalous activity such as spoofed attack source addresses, performs TCP state verification, and finds rogue services running on the network
• Eliminates false positives
• Ultra-fast initial device discovery: large networks are scanned rapidly
• Comprehensive scan rule database
• Automatic verification and assignment of vulnerabilities
• Application identification by TCP and UDP port scans
• Centralized administration
• Web-based system management interface
• Authenticated proxy server support
• Automatic data archiving
• Multiple report output formats

Strata Guard uses six different intrusion detection tools for complete network security. “With signature-based and behavior-based attack detection, deep packet inspection, and protocol anomaly analysis, Strata Guard terminates network, application, and service level attacks including worms, Trojans, spyware, port scans, DoS and DDoS (Dynamic DoS) attacks, server exploit attempts, and viruses before they gain access to the network and cause real damage” [StillSecure 2008].

Strata Guard is designed as follows [StillSecure 2008]:

• A highly automated tool developed and designed for ease of use
• Provides streamlined administration and management
• Possesses multi-node, multi-user management to provide appropriate levels of control for all users who need access to security data

Figure 3.16 Strata Guard network [StillSecure 2008]

Against DoS attacks, Strata Guard takes a multi-tiered approach. The defense has two levels: traffic is first regulated and then rate-limited to suppress the attack. The Strata Guard website states that it maintains 60 rules to identify and block DoS attacks [StillSecure 2008].

Strata Guard uses open-source Snort as a component within its structure. It does not work well in an ad hoc network; because it depends on several open-source software packages, it needs a real network for testing.

Figure 3.17 shows how attack activity is logged and viewed on the console.

Figure 3.17 Account Activity Tab List View [StillSecure 2008]

With these features, Strata Guard provides many benefits over other IDS. The following is a list of advantages of Strata Guard IDS [StillSecure 2008].

Advantages

• Scans multiple ports to discover hidden applications
• Quickly assesses and responds to changes on the network
• Ensures protection against the most commonly exploited vulnerabilities
• Simplified administration
• Reduces manual work by using automated vulnerability repair
• Compares vulnerability risks from multiple sources
• In-depth analysis of data
• Layered protection for the network
• Securely stores historical data for audit purposes
• Consolidated rule set from multiple sources
• Excellent attack detection
• Easy configuration user interface
• Eliminates false positives
• Gigabit-level scalability

Disadvantages

• Needs a dedicated machine; the host must run the StillSecure OS, which is installed together with Strata Guard
• Expensive commercial IDS software
• Needs at least two NICs to run properly
• Depends on various open-source software tools
• Needs more storage than other IDS to hold historical data

Strata Guard is a recommended product for good security because of its wide range of features and benefits. It is an efficient tool for larger networks.

3.2.2.3 Bro IDS

Bro Intrusion Detection System

Bro is an open-source, Unix-based, network-based IDS. It was developed by Vern Paxson at Lawrence Berkeley National Laboratory and the International Computer Science Institute. Like any NIDS, Bro monitors network traffic looking for suspicious activity. It parses the traffic to extract its application-level semantics and then executes event-oriented analyzers that compare the observed activity against patterns of known suspicious behavior; activity that matches is logged, and those logs can in turn be used as patterns for checking similar activity later.

Features of Bro

• network-based IDS
• custom scripting language
• pre-defined policy scripts
• Snort signature compatibility support
• powerful signature matching facility
• a different approach to network analysis
• detection is followed by an immediate action

Bro detects specific and anomalous activities, such as certain hosts connecting to certain services, using signatures and patterns such as repeated failed connection attempts. Because Bro logs all activity in detail, it is very useful in forensic investigations. Bro is popular because it targets high-speed, high-volume networks and uses powerful packet filtering techniques to achieve the necessary performance.

Analyzing the traffic

First, Bro filters the network traffic; the remaining packets are passed to its event engine, where Bro interprets the structure of the packets and abstracts them into higher-level events describing the activity. Lastly, Bro runs policy scripts against those events, looking for possible intrusions [Bro 2007].

Policy scripts

“Bro uses a specialized policy language that allows a site to tailor Bro's operation, both as site policies evolve and as new attacks are discovered” [Bro 2007]. These scripts are programs written in the Bro language. They hold the rules describing which kinds of events are potential intrusions; they analyze the activity and initiate actions based on that analysis. They record the activity seen on the network into files and also generate alerts [Bro 2007]. It is worth asking why Bro needs a special language: the language understands notions such as ports, IP addresses and connections natively, which gives it a different approach to analyzing the network and makes the task easier. Users of Bro do not need to learn the Bro language just to run it.

Policy scripts take actions such as the following:

• generating output files that record the events seen on the monitored network
• generating alerts when a problem is seen
• terminating existing connections
• blocking traffic by inserting blocks into router ACLs
• sending e-mail messages to report events
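The pipeline described above (filter, event engine, policy script) can be shown in miniature. The following Python is an added illustration of that structure, not Bro's code or its policy language: PolicyEngine, the on_event decorator, the Packet record and SAMPLE_PACKETS are constructed for the example, and the policy it registers alerts on the pattern of failed connection attempts mentioned earlier in this section.

```python
"""Event-engine style analysis in the spirit of Bro's pipeline.

Added illustration, not Bro's implementation. Raw packets are abstracted into
higher-level events (connection attempt, rejected, established); handlers
registered on those events play the role of a policy script and decide what
to record and when to alert.
"""
from collections import defaultdict, namedtuple

# Minimal packet record, constructed for the example (no real decoder).
Packet = namedtuple("Packet", "src dst sport dport flags")


class PolicyEngine:
    FAILED_ATTEMPT_THRESHOLD = 3   # distinct rejected services before alerting

    def __init__(self):
        self.handlers = defaultdict(list)
        self.failed = defaultdict(set)   # attacker -> {(target, port)} rejected
        self.log = []                    # "output file" of observed attempts
        self.alerts = []
        self.register_policy()

    def on_event(self, name):
        """Decorator: attach a policy handler to a named event."""
        def wrap(fn):
            self.handlers[name].append(fn)
            return fn
        return wrap

    # ---- event engine: packets -> events -------------------------------
    def packet_to_event(self, pkt):
        # SYN alone is a connection attempt from pkt.src. A RST+ACK or
        # SYN+ACK comes back from the server, so the event is re-expressed
        # from the client's point of view (client as src, service as dport).
        if pkt.flags == "S":
            return "connection_attempt", pkt
        client_view = Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.flags)
        if pkt.flags == "RA":
            return "connection_rejected", client_view
        if pkt.flags == "SA":
            return "connection_established", client_view
        return None, pkt                  # filtered out: no event generated

    def feed(self, packets):
        for pkt in packets:
            name, view = self.packet_to_event(pkt)
            for handler in self.handlers.get(name, []):
                handler(view)
        return self.alerts

    # ---- policy script: events -> actions ------------------------------
    def register_policy(self):
        @self.on_event("connection_attempt")
        def record_attempt(view):
            self.log.append((view.src, view.dst, view.dport))

        @self.on_event("connection_rejected")
        def count_failures(view):
            self.failed[view.src].add((view.dst, view.dport))
            if len(self.failed[view.src]) == self.FAILED_ATTEMPT_THRESHOLD:
                self.alerts.append("%s rejected on %d distinct services: possible scan"
                                   % (view.src, self.FAILED_ATTEMPT_THRESHOLD))


# Constructed traffic: 10.0.0.9 probes four ports on 10.0.0.5; only 80 is open.
SAMPLE_PACKETS = [
    Packet("10.0.0.9", "10.0.0.5", 40001, 21, "S"),
    Packet("10.0.0.5", "10.0.0.9", 21, 40001, "RA"),
    Packet("10.0.0.9", "10.0.0.5", 40002, 23, "S"),
    Packet("10.0.0.5", "10.0.0.9", 23, 40002, "RA"),
    Packet("10.0.0.9", "10.0.0.5", 40003, 80, "S"),
    Packet("10.0.0.5", "10.0.0.9", 80, 40003, "SA"),
    Packet("10.0.0.9", "10.0.0.5", 40004, 25, "S"),
    Packet("10.0.0.5", "10.0.0.9", 25, 40004, "RA"),
]

if __name__ == "__main__":
    engine = PolicyEngine()
    for line in engine.feed(SAMPLE_PACKETS):
        print(line)
```

The separation matters for tuning: the event engine is fixed protocol logic, while the thresholds and the choice of which events are interesting live in the handlers, which is the part a site changes as its policy evolves.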

Difference between Snort and Bro

Snort is a primarily signature-based IDS: it checks for very particular content in network traffic and reports each instance of that signature. Bro is similar, but instead of treating signatures as fixed strings, it treats them as regular expressions. Bro is compatible with Snort signatures; a script called snort2bro converts them into Bro signatures. In addition, Bro analyzes the network at deeper levels of abstraction and keeps the history of past activity, integrating it with new events [Bro 2007]. This feature is the biggest asset of Bro IDS.

Massicotte, Gagnon and Labiche carried out a case study on Snort 2.3.2 and Bro 0.9a9 on Linux systems, evaluating the two side by side. Figure 3.18 shows the results of the case study. VEP in the table refers to Vulnerability Exploitation Program. The table shows the data set used for the case study. The notations used in Figure 3.18 are explained in Table 3.2.

Table 3.2 Notations

Abbreviation | Meaning
Alarm. & Compl. Det. to Part. Alarm. & Compl. Det. | Alarmist & Complete Detection to Partial Alarmist & Complete Detection
Alarm. & Compl. Det. to Quiet & Compl. Det. | Alarmist & Complete Detection to Quiet & Complete Detection
Part. Alarm. & Compl. Det. to Quiet & Compl. Det. | Partial Alarmist & Complete Detection to Quiet & Complete Detection
Part. Alarm. & Compl. Det. | Partial Alarmist & Complete Detection
Alarm. (Failed Only) to Part. Alarm. (Failed Only) | Alarmist (Failed Only) to Partial Alarmist (Failed Only)
Alarm. (Failed Only) to Quiet (Failed Only) | Alarmist (Failed Only) to Quiet Alarmist (Failed Only)

Figure 3.18 Comparison between Snort and Bro [Massicotte 2006]

Figure 3.19 shows the success and failure measures in detecting attacks: false positives, false negatives, true positives and true negatives. Panel (a) of Figure 3.19 shows that Snort performed better than Bro at detecting successful attacks; panel (b) shows that Bro raised fewer false alarms than Snort.

Figure 3.19 Detection Rate Analysis [Massicotte 2006]

Table 3.3 Summary of comparison among Snort, Sax2, Firestorm, Strata Guard and Bro

Criterion | Snort | Sax2 | Firestorm | Strata Guard | Bro
Cost | Open-source | Shareware: $69; Commercial: $399 | Freeware | Open-source: free; Commercial: $2500-$6000 | Open-source
Major supporting OS | OS independent | Windows | Unix | StillSecure OS | Unix
Other supporting OS | All major OS | None | Linux, FreeBSD, OpenBSD, Solaris | Windows, Linux using VMware | FreeBSD, Linux
Protocol analysis | Yes | Yes: IP, TCP, UDP, HTTP, FTP, POP3, SMTP, etc. | Yes (currently only HTTP is tested) | Yes | Yes
Real-time traffic analysis | Yes | Yes | Yes | Yes | Yes
Packet logging | Yes | Yes | Yes (.elog files) | Yes | Yes
Anomaly detection | Yes | Yes | Not at this time; may be added in future | Yes | To some extent
URL encoding | Yes | Yes | No | Yes | No
UDP port scan | Yes | Yes | No | Yes | Yes
Fingerprinting | Yes | - | No | Yes | Yes
Stealth port scans | Yes | Yes | Yes | Yes | Yes
Eliminating false positives | Somewhat | Yes | No | Yes | No
Minimum number of NICs needed | 1 | 1 | 1 | 2 | 1
Throughput capability | 100 Mbps | High | Full disk throughput without packet loss | High (>200 Mbps) | High
Rule set | Flexible rule set | >1500 security policies | Uses Snort rules | 3500+ (uses Snort rules) | Bro signature policies; converts Snort signatures to Bro signatures
Customize rule set | Yes, very flexible | Yes, can import, update and customize policies | Yes (uses Snort rules) | Yes (uses Snort rules) | Yes
GUI-driven configuration | No | Yes | No | Yes | No
Ability to view attacks based on severity | No | Yes | No | Yes | No
IPS capability | Yes | No | No | Yes | No
Interface | Good | Very flexible | Not fully developed | Flexible | No
Attack response | Very good | Very good | Okay | Very good | Good

3.3 Writing Rules

3.3.1 What are the rules?

Rules define what the IDS should watch for: what and who constitute an intrusion. Defining a rule tells the IDS what to do, i.e., which traffic to consider suspicious and which is safe. Rules can be very specific, matching particular packet attributes or payload content, a particular IP address or a port.

Snort rules have a simple syntax; they are easy to read, create and understand, and they are customizable. Because they are simple, Snort sometimes does not identify certain types of attack efficiently, but the rules cover almost all major intrusions. They are very flexible for single-packet analysis, and they can match on both packet headers and payload.

3.3.2 Basic Rule Anatomy

A rule has two general parts: the rule header, which every rule must have, and the optional rule options.

Figure 3.20 Rule syntax

Figure 3.21 shows a sample Snort rule.

Figure 3.21 Sample Snort Rule

Rule Header

A rule header contains the rule action, the protocol, the source IP address and port, the direction operator, and the destination IP address and port.

Figure 3.22 Rule header attributes of a snort rule

There are several rule actions; Table 3.4 lists them with their descriptions. The protocol field can name various protocols: TCP, UDP, ICMP, IP, ARP, IGRP, GRE, OSPF, RIP, IPX, etc. Currently Snort analyzes only the TCP, UDP, ICMP and IP protocols; the remaining protocols may be supported in the future. The direction operator -> indicates traffic flowing from the source host (IP address and port on the left) to the destination host (IP address and port on the right). To indicate bidirectional traffic the <> operator is used, telling Snort to match the address/port pairs on either side of the operator in either direction. There is no <- operator to tell Snort to consider traffic from right to left.

Table 3.4 Description of various rule actions [Sturges 2008]

Rule Action | Description
alert | generate an alert, then log the packet
log | log the packet
pass | ignore the packet
activate | alert, then turn on another dynamic rule
dynamic | remain idle until activated by an activate rule, then act as a log rule
drop | make iptables drop the packet and log it
reject | make iptables drop the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP
sdrop | make iptables drop the packet but do not log it

Rule options

“Rule options form the heart of Snort's intrusion detection engine, combining ease of use with power and flexibility” [Sturges 2008]. A semicolon (;) separates one rule option from the next, and a colon (:) separates an option keyword from its argument.

Figure 3.23 Rule Options

In the example, ‘flags’ is the option keyword and SF is its argument. It tells Snort to match packets whose TCP flag bits SYN (synchronize sequence numbers) and FIN (final, no more data from sender) are both set, a combination that never occurs in a legitimate connection and is characteristic of certain stealth scans. The msg part tells the logging and alerting engine what message to record for the action taking place [Sturges 2008].
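As an added example, not Snort's own parser, the following Python splits a rule of the form shown in Figures 3.20 to 3.23 into its header fields and options and evaluates it against a packet record, including the -> and <> direction semantics and the flags modifiers from the Snort manual. parse_rule, rule_matches, HOME_NET and the packet records are constructed for this illustration; only the msg, flags and content options are handled, and an option argument containing a ';' is not supported.

```python
"""Parse a Snort rule into header and options, then evaluate it against a packet.

Added example; this is not Snort's parser and covers only the subset of the
rule language discussed in the text: action, protocol, source/destination
address and port, the -> and <> direction operators, and the msg, flags and
content options. Addresses may be a literal IP, a CIDR block, the word any,
or $HOME_NET, which is resolved from a constructed value below.
"""
import ipaddress
import re

HOME_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed for the example

# Constructed rule in the shape of Figure 3.21: alert on SYN+FIN to a web port.
SAMPLE_RULE = ('alert tcp any any -> $HOME_NET 80 '
               '(msg:"SYN-FIN scan to web server"; flags:SF; sid:1000001;)')

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


def parse_rule(text):
    """Return a dict with the header fields and an 'options' dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    rule = m.groupdict()
    opts = {}
    # Options are ';'-separated; keyword and argument are ':'-separated.
    for item in rule.pop("opts").split(";"):
        item = item.strip()
        if item:
            key, _, arg = item.partition(":")
            opts[key.strip()] = arg.strip().strip('"')
    rule["options"] = opts
    return rule


def _addr_match(spec, ip):
    if spec == "any":
        return True
    if spec == "$HOME_NET":                       # the only variable resolved here
        return ipaddress.ip_address(ip) in HOME_NET
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                               # range such as 1:1024
        lo, _, hi = spec.partition(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def _endpoints_match(rule, pkt):
    forward = (_addr_match(rule["src"], pkt["src"]) and _port_match(rule["sport"], pkt["sport"])
               and _addr_match(rule["dst"], pkt["dst"]) and _port_match(rule["dport"], pkt["dport"]))
    if rule["dir"] == "->" or forward:
        return forward
    # <> also accepts the packet with the two sides of the rule swapped.
    return (_addr_match(rule["src"], pkt["dst"]) and _port_match(rule["sport"], pkt["dport"])
            and _addr_match(rule["dst"], pkt["src"]) and _port_match(rule["dport"], pkt["sport"]))


def _flags_match(spec, flags):
    spec = spec.split(",")[0]                     # optional ",mask" part not handled
    mod, bits = (spec[0], set(spec[1:])) if spec[0] in "+*!" else ("", set(spec))
    if mod == "+":
        return bits <= flags                      # listed bits set, others allowed
    if mod == "*":
        return bool(bits & flags)                 # any listed bit set
    if mod == "!":
        return not (bits & flags)                 # none of the listed bits set
    return bits == flags                          # exact match (Snort's default)


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport, flags (set of letters), payload (bytes)."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not _endpoints_match(rule, pkt):
        return False
    opts = rule["options"]
    if "flags" in opts and not _flags_match(opts["flags"], pkt["flags"]):
        return False
    if "content" in opts and opts["content"].encode() not in pkt["payload"]:
        return False
    return True


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    # Constructed packet: SYN+FIN from an outside host to a web server in HOME_NET.
    pkt = {"proto": "tcp", "src": "10.1.1.1", "sport": 4444, "dst": "192.168.1.10",
           "dport": 80, "flags": {"S", "F"}, "payload": b""}
    print(rule["action"], rule["options"]["msg"], rule_matches(rule, pkt))
```

The exact-match default for flags is the detail people most often get wrong when hand-writing rules: flags:S matches a bare SYN but not SYN+ACK, whereas flags:+S matches both.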

4. TESTING AND EVALUATION

Testing and evaluating an IDS involves many things in terms of hardware and software. To comply with security restrictions and to be safe, it is always advisable to perform the evaluation on an isolated ad hoc network rather than a production network. A group of computers should be connected to a hub so that every host sees all the traffic. Figure 4.1 shows the layout.

Figure 4.1 IDS Testing Network

The testing criteria should include a very specific set of data entry, which means a specific set of tools used to plan an attack. IDS evaluation can be divided into two general categories:

• Detection
• Response

4.1 Detection

4.1.1 Detection Capability

This test is carried out by planning attacks against the IDS. Specific attacks are used to test the IDS in terms of its ability to identify them. In the comparative analysis shown in 3.12, the categories of intrusion considered are evasion, insertion, port scanning and denial of service. Specific attack tools are run on the network and the IDS is checked to see whether it observes the events. If it succeeds in logging all the events generated by those attack tools, the IDS is said to have good detection ability.

4.1.2 High Bandwidth Traffic Handling Capability

A good IDS should be able to handle high-bandwidth traffic: it should analyze all the traffic coming into and going out of the network. This feature can be tested by generating traffic on the network, for example by running a network scanner such as Nmap (a sniffer such as Wireshark only observes traffic and does not generate it). Intruders use this technique deliberately: they make the network so busy that the IDS cannot keep up and starts dropping packets, and then carry out their real activity on the network. This is a flooding denial-of-service attack against the IDS itself (it is distinct from the ping of death, which relies on a single oversized ICMP packet rather than on volume). Figure 4.2 shows traffic being generated with the Nmap tool.

When Nmap is started, it discovers the IP addresses and ports on the network and scans those ports. Although it is a network auditing tool, it indirectly creates traffic on the network. An IDS should be strong enough to deal with high bandwidths of traffic. Figure 4.3 shows Snort capturing the traffic with IDScenter as the front end.

Figure 4.4 shows network monitoring by Sax2 IDS. It captured 100% of the packets with 0% loss. Sax2 summarizes the captured traffic as shown in Figure 4.5, which classifies the events as warnings (yellow triangle), information (blue ‘i’), notices (green) and critical events (red symbol). Based on this, the administrator decides how to protect the network.

Figure 4.2 Nmap Scan

Figure 4.3 Snort Capturing the Network for events

Figure 4.4 Network monitoring by Sax2 NIDS

Figure 4.5 Summary of the captured network events

Both Snort and Sax2 NIDS were good at monitoring and logging the network activity; they differ in how they display it.

4.1.3 Testing DoS Attack

In a DoS attack the attacker sends so much traffic to the victim system that it cannot handle the load, performance collapses and legitimate users are denied the service. An IDS should therefore be able to recognize a DoS attack when it sees a large volume of traffic from a single IP address, or from several different IP addresses or ports, directed at one target. This is how an IDS detects a DoS attack.

To test whether the IDS detects a DoS attack, a high-bandwidth stream of traffic is generated by one system. To overwhelm the victim's network before the victim notices the unusual activity, the attacker needs a faster connection than the victim. The attacker also scans for open ports to find the easiest way in. Most IDS have a built-in DoS detection feature and should report the attack to the administrator by raising an alarm. Udpstorm, Teardrop and Mailbomb are popular DoS attacks that many attackers use.
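The volume-based detection just described can be written down concretely. The following Python is an added illustration, not the detection logic of Snort, Sax2 or any other tool discussed here: the FloodDetector class, the thresholds, the (timestamp, source, destination) packet records and the sample_traffic function are constructed for the example. It flags a single loud source and, separately, a destination whose aggregate rate is too high even though no individual source is loud, which is how a distributed flood looks to the sensor.

```python
"""Rate-based DoS detection over a packet stream with a sliding time window.

Added illustration; thresholds and traffic are constructed. A real sensor
would read packets from a capture interface and tune the limits to the
link's normal traffic, otherwise a busy but legitimate server trips the
destination threshold.
"""
from collections import defaultdict, deque

SOURCE_LIMIT = 100      # packets per window from one source (constructed)
DEST_LIMIT = 180        # packets per window towards one destination (constructed)
WINDOW_SECONDS = 1.0


class FloodDetector:
    def __init__(self, source_limit=SOURCE_LIMIT, dest_limit=DEST_LIMIT,
                 window=WINDOW_SECONDS):
        self.limits = {"source_flood": source_limit, "destination_flood": dest_limit}
        self.window = window
        self.windows = {"source_flood": defaultdict(deque),
                        "destination_flood": defaultdict(deque)}
        self.alerted = set()
        self.alerts = []

    def _count(self, kind, key, ts):
        q = self.windows[kind][key]
        q.append(ts)
        while q and ts - q[0] > self.window:      # expire timestamps outside the window
            q.popleft()
        if len(q) > self.limits[kind] and (kind, key) not in self.alerted:
            self.alerted.add((kind, key))         # one alert per offender, not per packet
            self.alerts.append((kind, key, ts, len(q)))
        return len(q)

    def observe(self, ts, src, dst):
        self._count("source_flood", src, ts)
        self._count("destination_flood", dst, ts)

    def run(self, packets):
        """packets: iterable of (timestamp_seconds, src_ip, dst_ip)."""
        for ts, src, dst in sorted(packets):
            self.observe(ts, src, dst)
        return self.alerts


def sample_traffic():
    """Constructed traffic: one loud source, one distributed flood, one quiet flow."""
    pk = [(i * 0.003, "10.9.9.9", "10.0.0.5") for i in range(150)]          # 150 pkts in 0.45 s
    pk += [(0.004 * (k * 5 + j), "10.8.0.%d" % k, "10.0.0.6")                # 40 sources x 5 pkts
           for k in range(40) for j in range(5)]
    pk += [(i * 0.5, "10.0.0.2", "10.0.0.7") for i in range(20)]             # 2 pkts/s, benign
    return pk


if __name__ == "__main__":
    for kind, key, ts, count in FloodDetector().run(sample_traffic()):
        print("%s: %s reached %d packets in %.1f s at t=%.3f" % (kind, key, count, WINDOW_SECONDS, ts))
```

Note what the per-source counter alone would miss: the 40 hosts sending five packets each never cross SOURCE_LIMIT, so only the destination-keyed window reveals that 10.0.0.6 is being flooded.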

4.1.4 Ability to Determine Attack Success

This measure determines whether the IDS can verify the success of attacks launched from remote sites that give the attacker higher privileges on the attacked system. Many IDS do not distinguish failed attacks from successful ones. The ability to identify a successful attack is crucial for attack correlation and for reconstructing the attack scenario. This measure requires information about failed attacks as well as successful ones [Mell 2002].

4.1.5 Ability to Detect Never Before Seen Attacks

This measure tells how well an IDS detects attacks that it has not seen before. In general, systems that can detect previously unseen attacks produce more false positives than those that cannot. This measure therefore tends to single out the tools with the higher numbers of false positives [Hu 2002].

4.2 Response

After detecting an attack, the IDS has to respond quickly and let the administrator know about it. Most IDS raise an alarm with a sound such as a ‘ding’ or ‘beep’. Detection outcomes fall into four types:

• False positive: a normal network event reported as an intrusion
• False negative: an intrusion reported as normal network activity
• True positive: a network intrusion correctly reported as an intrusion
• True negative: normal activity correctly reported as not an intrusion

Of these four, false positives and false negatives are the most discussed because they are the errors the IDS makes, and they are the two principal measures for evaluating an IDS. “A False positive is defined as the frequency with which the IDS reports malicious activity in error and frequency with which the IDS fails to raise an alert when malicious activity actually occurs is a False negative” [Chapple 2003]. A good IDS must have both a low false-negative rate and a low false-positive rate.

4.3 Other Evaluation Measures

System Security

This tells the level of security provided by the IDS. Understanding the nature and type of an attack differs from one IDS to another. If an IDS has a countermeasure for every attack it detects, it is considered a good IDS.

Supported Network Media

This tells whether the IDS needs specific network media to be present in the network. For example, Bro needs a network tap to be present in the network.

User Interface

This measures how comfortably a user can use the console to understand the IDS activity. A good user interface presents all the information in a way that the user can access easily.

5. FUTURE WORK

Due to limited resources and the University’s security regulations, only Snort and Sax2 could be tested. As future work for this research and analysis, tests of the ability to detect DoS, User to Root (U2R) and Remote to Local (R2L) attacks can be performed on Snort and Sax2 NIDS, and also on Strata Guard and Bro if resources are available. With good test criteria and a proper data set, these performance tests can be carried out successfully. Although many IDS use Snort rules as security policies, a few others, such as Sax2 IDS, use different policies. Therefore, this research leaves good scope for analyzing the security policies (rules) themselves.

6. CONCLUSION

This research project examines the efficacy of Network Intrusion Detection System tools within computer networks.

The project summarizes the differences between HIDS and NIDS, and the advantages and disadvantages of the IDS discussed in this research are summarized and presented. The research also provides a survey of computer security. The architectures and behavior of Snort, Sax2, Firestorm, Bro and Strata Guard are described. A test was performed on Snort and Sax2 to check their ability to capture network traffic generated with the Nmap tool. Basic rule anatomy is discussed to explain the syntax of rules, which helps in customizing them for greater network security.

ACKNOWLEDGEMENT

Installing, testing and evaluating the tools discussed in this project would not have been completed without the support, patience and guidance of Mr. Steve Alves. I owe my deepest gratitude to him.

REFERENCES AND BIBLIOGRAPHY

[Ax3Soft 2008] Ax3 Soft Expert IDS. Sax2-IDS. Available from www.ids-sax2.com/Screenshot.htm (visited Oct. 20, 2008).

[AMP 2008] Audit My PC. Port Scanning. Available from www.auditmypc.com/freescan/readingroom/port_scanning.asp (visited Oct. 15, 2008).

[Boncheva 2006] Boncheva, V. A Short Survey of Intrusion Detection Systems. Available from www.iit.bas.bg/PECR/58/23-30.pdf (visited Mar. 12, 2008).

[Bro 2007] Bro Intrusion Detection System. Lawrence Berkeley National Laboratory / National Science Foundation (2007). Available from www.bro-ids.org (visited Sept. 15, 2008).

[Caswell 2003] Caswell, B. Snort 2.0 Intrusion Detection. Syngress Publishing, Inc., Rockland, MA, pp. 55-73.

[CD 2001] Dupuis, C. Access Control Systems and Methodology. comsec.theclerk.com/CISSP/Domain_1.doc (Apr. 2001). Available from http://209.85.165.104/search?q=cache:JVhyh5XDrQJ:comsec.theclerk.com/CISSP/Domain_1.doc+comsec.theclerk.com/CISSP/Domain_1.doc&hl=en&ct=clnk&cd=1&gl=us (visited Sept. 10, 2007).

[Chapple 2003] Chapple, M. Evaluating and Tuning an Intrusion-Detection System. Available from http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci918619,00.html (visited Jul. 09, 2008).

[Chou 2007] Chou, T. Ensemble Fuzzy Belief Intrusion Detection Design. Available from www.proquest.umi.com (visited Sept. 15, 2008).

[CISSP 2008] Examining Different Types of Intrusion Detection Systems. Wiley Publishing, Inc. (2008). Available from www.dummies.com/WileyCDA/DummiesArticle/Examining-Different-Types-of-Intrusion-Detection-Systems.id-5278.html (visited Jun. 18, 2008).

[Dubrawsky 2001] Dubrawsky, I. Freeware Intrusion Detection Tools (2001). Available from www.samag.com/documents/s=1147/sam0108o/0108o.htm (visited Nov. 9, 2007).

[DSL 2003] Broadband DSL Reports. Is there a difference between an IDS and a firewall? Available from www.dslreports.com/faq/6036 (visited Aug. 26, 2008).

[Fagundes 2006] Fagundes, L. L. and Gaspary, L. P. Network-based Intrusion Detection Systems Evaluation Through a Short Term Experimental Script. In J. Ascenso et al. (eds.), e-Business and Telecommunication Networks, pp. 159-165. Springer, Netherlands (2006).

[Gerg 2004] Gerg, C. and Cox, K. J. Managing Security with Snort and IDS Tools. O’Reilly Media, Inc., Sebastopol, CA (Aug. 2004).

[Innella 2001] Innella, P. The Evolution of Intrusion Detection Systems. Tetrad Digital Integrity, LLC. Available from www.securityfocus.com/infocus/1514 (visited May 09, 2008).

[Innella 2006] Innella, P. An Introduction to Intrusion Detection Systems. Available from www.securityfocus.com/infocus/1520 (visited May 27, 2008).

[JC 2007] Jupitermedia Corporation. Intrusion Detection System (2007). Available from http://www.webopedia.com/TERM/I/intrusion_detection_system.html (visited Aug. 26, 2007).

[Larrieu 2003] Larrieu, C. Prevention/Detection - IDS - Intrusion Detection Systems. Available from http://en.kioskea.net/detection/ids.php3 (visited Aug. 3, 2008).

[Leach 2003] Leach, J. Firestorm Network Intrusion Detection System (2002-2003). Available from www.scaramanga.co.uk/firestorm/documentation/firestorm-doc.pdf (visited Aug. 22, 2008).

[Kazienko 2003] Kazienko, P. and Dorosz, P. Intrusion Detection Systems (IDS) Part I - (network intrusions; attack symptoms; IDS tasks; and IDS architecture). Available from www.windowsecurity.com/articles/Intrusion_Detection_Systems_IDS_Part_I__network_intrusions_attack_symptoms_IDS_tasks_and_IDS_architecture.html (visited Jun. 12, 2008).

[Kozushko 2003] Kozushko, H. Intrusion Detection: Host-Based and Network-Based Intrusion Detection Systems. White paper, 2003.

[Magalhaes 2003] Magalhaes, R. M. Intrusion Detection. Available from www.windowsecurity.com/articles/Hids_vs_Nids_Part1.html (visited Jun. 18, 2008).

[Massicotte 2006] Massicotte, F., Gagnon, F. and Labiche, Y. Automatic Evaluation of Intrusion Detection Systems. Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC'06).

[McDowell 2004] McDowell, M. Understanding Denial-of-Service Attacks. Available from www.us-cert.gov/cas/tips/ST04-015.html (visited May 25, 2008).

[McHugh 2000] McHugh, J. Defending Yourself: The Role of Intrusion Detection Systems. IEEE Computer Society Press, Los Alamitos, CA (September 2000), Volume 17, Issue 5, pp. 42-51.

[MCP 2008] Macmillan Computer Publishing. Maximum Security: A Hacker’s Guide to Protecting Your Internet Site and Network. Available from www.newdata.box.sk/bx/hacker/index.htm (visited Oct. 23, 2008).

[Mukkamala 2003] Mukkamala, S. and Sung, A. H. Intrusion Detection System Using Adaptive Regression Splines. Available from http://salford-
systems.com/doc/ICEIS-final.pdf (visited on Sept. 5, 2008)

[Northcutt 2002] Northcutt, S. and Novak, J. Network Intrusion Detection, 3rd Edition,
New Riders Publishing, September 2002.

[Ptacek 1998] Ptacek, T.H. and Newsham, T.N. Insertion, Evasion, and Denial of
Service: Eluding Network Intrusion Detection. Available from
www.insecure.org/stf/secnet_ids/secnet_ids.html (visited Sept. 23, 2008).

[QED 2005] Quality Education Division, Educational and Manpower Bureau, The
Government of HKSAR. A closed look at Internet Firewalls. Available from
www.edb.gov.hk/FileManager/EN/Content_4833/internet%20firewall%20%5Bno
v%2005%5D.pdf (Visited Jun. 18, 2008)
[QOD 2004] QoDwriting. A look into IDS/Snort. Available from
www.freewebs.com/talug/Snort.pdf (visited Sept. 15, 2008)

[Rehman 2003] Rehman, R. U. Intrusion Detection with SNORT: Advanced IDS


Techniques Using SNORT, Apache, MySQL, PHP, and ACID (Bruce Perens'
Open Source Series). Published by Prentice Hall, 2003.

[Richardson 2008] Richardson, R. CSI Computer Crime & Security Survey. Computer
Security Institute (2008).

[Roesch 1999] Roesch, M. Snort - Lightweight Intrusion Detection for Network.


Proceedings of LISA '99: 13th Systems Administration Conference, Seattle, 1999.
[Roesch 2001] Roesch, M. Snort. Available from www.blackhat.com/presentations/bh-
usa-01/MartyRoesch/bh-usa-01-Marty-Roesch.ppt (visited Oct. 23, 200).

[RTEinc 2008] Real Time Enterprises, Incorporated. Network Intrusion Detection


System. Available at www.real-time.com/linuxsolutions/nids.html (visited Feb.
09, 2008).

[Snort 2008] Snort.org. Available from www.snort.org (visited Oct 12, 2008).

78
[StillSecure 2008] StillSecure. Strata Guard Flexible, easy to use IDS/IPS. Available
from http://www.stillsecure.com/strataguard/ (visited Oct 23, 2008)
[StillSecure 2008] StillSecure. VAM. Available from
www.sunworks.ch/datasheets/21b.pdf (visited Oct 23, 2008).

[Sturges 2008] Sturges, S. Writing Snort Rules: How to Write Snort Rules and Keep Your
Sanity. Available from
www.snort.org/docs/snort_htmanuals/htmanual_283/snort_manual.html (visited
Aug. 09, 2008).

[TT 2005]Tech Target. Intrusion Detection (Jun. 2005). Available from


www.searchsecurity.techtarget.com/sDefinition/0,,sid14_gci295031,00.html
(visited Aug. 25, 2007).

[UCR 2008] UCRiverside Security. Security- Glossary of Terms. Available from


www.cnc.ucr.edu/security/index3.php?content=glossary.html (visited May. 23,
2009).

[Wiki 2008] Wikipedia. Intrusion Detection System. Available from


http://en.wikipedia.org/wiki/Intrusion-detection_system (visited Oct. 18, 2009).

79
