Open Source Intrusion Detection System Using Snort: Conference Paper
Available at: https://www.researchgate.net/publication/265795180
All content following this page was uploaded by Kemal Hajdarevic on 19 September 2014.
ABSTRACT
An Intrusion Detection System (IDS) is a combination of software and hardware components that
monitors a computer network for possible security incidents. Using Internet resources has become
one of the most common activities worldwide, and every connection to the Internet exposes the
connected network to a wide range of attacks that can seriously affect its security.
An IDS has become one of the most useful network security mechanisms for protecting users'
valuable resources and the confidentiality, integrity and availability of the information and
information assets located in the protected part of an organization's computer network. IDSs
therefore play a significant role in protecting users, companies and institutions against
cyber attacks.
An IDS can be designed as a signature-based or an anomaly-based detection system. A
signature-based (misuse-based) IDS can only detect attacks that are already known, whereas an
anomaly-based IDS can also detect previously unknown attacks, which allows it to act proactively,
i.e. to respond to an attack before it harms the protected system. This paper presents the
existing classification of IDSs and the general capabilities of the Snort open source IDS.
Keywords: Snort, IDS, Intrusion Detection System, Intrusion, Signature-based IDS, Anomaly-based IDS
1. INTRODUCTION
Nowadays security is one of the biggest issues for almost every network in any field. There are
countless malicious attempts to reach companies' private information, networks and web
services; companies have therefore adopted many different methods, tools and hardware and software
components, such as firewalls, encryption mechanisms and virtual private networks, to protect
this information.
The 4th International Symposium on Sustainable Development (ISSD2013)
SOC-1441
Today there is a strong tendency to deploy an Intrusion Detection System on every network,
because attacks and threats create a real risk for networks and computer systems. An IDS faces
considerable challenges: intrusion categories change suddenly, and the analysis demands
substantial computational power. Intrusion detection systems are "systems that collect
information from a variety of system and network sources, and then analyze the information for
signs of intrusion and misuse" (Proctor, 2001).
The most important advantage of an IDS is that it provides knowledge of whether an attack has
been launched against a specific system; through the IDS, users become aware of the kind of risk
and threat they face. Multiple tools can be used to protect a system, such as firewalls and the
Snort IDS. Snort is an open source Intrusion Detection System (Sourcefire, 2013) available at
http://www.snort.org. It has a simple installation process and can be set up and running with
minimal difficulty. Snort is normally installed together with other tools and applications, such
as Barnyard (which takes over log and alert processing) and WinPcap (packet capture on Windows).
Snort runs on Linux, UNIX and Windows. Rules for recognizing new malware and new generations of
attacks can be written locally or downloaded, and the rule set can be updated automatically using
Snort services (Tenhunen, 2008).
An intrusion detection system is a software and hardware network component used to detect
suspicious or genuinely malicious activity in a system or network. Depending on the situation,
an IDS can also take preventive action against malicious traffic, for example by blocking a
user's activity or blocking a network IP address.
An IDS is therefore an important security mechanism for any organization. Cyber attacks are
threats to privacy and availability, and they are frequently used in attempts to obtain superuser
or administrator rights. The aim of an IDS is to observe and identify such attacks (Bace R, 2000;
Scarfone K, Mell P, 2007; Bace R, Mell P, 2001).
IDSs can be classified in various ways, depending on the principle chosen: information source,
type of analysis, type of response and detection time, according to the Common Intrusion
Detection Framework (CIDF), which describes the functions of an Intrusion Detection System
(see Figure 1).
3. IDS Types
Type of analysis is one of the branches of this classification tree, and under it Snort falls
into the misuse-based detection category. Misuse-based and anomaly-based analysis are the two
methods an IDS can use to analyze events (Stillerman et al., 1999).
Anomaly-based detection identifies activities that deviate from expected behavior and flags them
as threats; such threats need not resemble any attack seen before. Rather than describing abnormal
activity, this method builds a model of the normal behavior of a user or network and evaluates
observed activity against that model.
A misuse-based IDS works much like classical virus scanning: it attempts to recognize, in the
observed activity, the patterns of attacks and threats already known to the system (Mukherjee B,
Heberlein LT, Levitt KN, 1994; Bace R, 2000; Scarfone K, Mell P, 2007).
A misuse-based intrusion detection system is also called a signature-based IDS (M. Bishop, 2002;
E. Cole, R. L. Krutz, and J. Conley, 2007).
Advantages:
Misuse detectors are very effective at detecting known threats and attacks, with few false alarms.
Misuse detectors quickly and reliably identify the use of specific intrusion tools and procedures.
Misuse detectors make it easy for system administrators to track security problems and to monitor the system.
Disadvantages:
Misuse detectors can only detect known threats and attacks, so the signature database must be updated frequently to extend its knowledge of new ones.
Misuse detectors are designed to find only attacks for which a pattern already exists in the database; a variant of a known attack that does not match its signature is missed.
Because of this, the overall detection rate of misuse detectors against attacks in the wild is relatively low.
A misuse-based IDS cannot detect a new attack until a signature for it has been installed in the database.
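The contrast drawn in this section, as an added illustration that is not code from the paper or from Snort: a toy signature (misuse) detector and a toy anomaly detector run over the same constructed event stream. The two signatures, the per-host baseline model, the NEW_PORT_LIMIT threshold, the SIDs in the local 1000000+ range and every sample event are assumptions made for the demo.

```python
"""Signature-based (misuse) detection next to anomaly-based detection, run
over one constructed event stream.

Added illustration only, not code from the paper or from Snort. The two
signatures, the per-host baseline model, the NEW_PORT_LIMIT threshold and
every sample event are assumptions made for the demo.
"""
from collections import defaultdict

# Constructed events: (window, src_ip, dst_port, payload).
# window 0 = baseline period assumed to be clean, window 1 = period under test.
EVENTS = [
    (0, "10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    (0, "10.0.0.5", 443, b"\x16\x03\x01"),
    (0, "10.0.0.7", 80, b"GET /login HTTP/1.1"),
    (0, "10.0.0.7", 25, b"EHLO mail.example"),
    (0, "10.0.0.9", 80, b"GET / HTTP/1.1"),
    (0, "10.0.0.9", 443, b"\x16\x03\x01"),
    # --- test window ---
    (1, "10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    (1, "10.0.0.5", 443, b"\x16\x03\x01"),
    # known attack: a classic phf CGI exploit request; a signature exists for it
    (1, "10.0.0.7", 80, b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0"),
    # unknown attack: 10.0.0.9 sweeps ports it never used in the baseline
    *[(1, "10.0.0.9", p, b"") for p in (21, 22, 23, 110, 139, 445, 1433, 3306, 3389, 8080)],
    # legitimate but new: a host with no baseline at all starts talking to four services
    *[(1, "10.0.0.11", p, b"") for p in (80, 443, 25, 993)],
]

# Signature (misuse) detector: the same idea as a Snort "content:" match.
SIGNATURES = [  # (sid, msg, byte pattern); constructed, SIDs in the local 1000000+ range
    (1000001, "WEB-CGI phf access", b"/cgi-bin/phf"),
    (1000002, "WEB-MISC /etc/passwd in request", b"/etc/passwd"),
]


def signature_alerts(events, window=1):
    """Return (sid, msg, src_ip) for every test-window event containing a known pattern."""
    alerts = []
    for w, src, _port, payload in events:
        if w != window:
            continue
        for sid, msg, pattern in SIGNATURES:
            if pattern in payload:
                alerts.append((sid, msg, src))
    return alerts


# Anomaly detector: learn which destination ports each host normally uses,
# then count the ports in the test window that were never seen for that host.
NEW_PORT_LIMIT = 3  # assumed tuning knob: more new ports than this is "abnormal"


def learn_baseline(events, window=0):
    """Per-host set of destination ports observed during the clean window."""
    ports = defaultdict(set)
    for w, src, port, _payload in events:
        if w == window:
            ports[src].add(port)
    return ports


def anomaly_alerts(events, window=1, limit=NEW_PORT_LIMIT):
    """Return {src_ip: new_port_count} for hosts that deviate from their baseline."""
    baseline = learn_baseline(events)
    new_ports = defaultdict(set)
    for w, src, port, _payload in events:
        if w == window and port not in baseline.get(src, set()):
            new_ports[src].add(port)
    return {src: len(p) for src, p in new_ports.items() if len(p) > limit}


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(EVENTS))  # only the phf request
    print("anomaly alerts:  ", anomaly_alerts(EVENTS))    # the port sweep, plus the new host
```

The port sweep from 10.0.0.9 produces no signature alert because no content pattern describes it, which is exactly the first disadvantage above; the anomaly detector catches it, but it also flags 10.0.0.11, a host that is merely new, which is the false-positive cost that anomaly-based detection pays for covering unknown attacks.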
3.3. Snort
Snort is one of the most significant intrusion detection systems because it is an open-source
system that is developed and maintained by Sourcefire (Sourcefire); the research projects and
commercial products that support Snort make it easy to use and adaptable to different
environments. Snort is capable of real-time traffic analysis, content matching and detection of
many different types of attacks and threats, and it has many further uses and detection abilities
(Tenhunen, 2008).
The alerts Snort generates when it detects misuse are produced by previously defined rules.
Network traffic for Snort to analyze can be read live from an interface or from binary
tcpdump-formatted files, and Snort can write what it captures either as binary tcpdump-formatted
files or as plain text files. Network packets are captured from the network with tcpdump
(Tcpdump, 2013) or Wireshark (Wireshark, 2013) and stored in tcpdump-formatted files. Because it
is a rule-based (misuse) IDS, Snort includes a language for defining new rules. It also has a
plug-in architecture that allows new functionality to be added when it is compiled
(Roesch M. 1999), (Russell R. 2003).
Snort consists of the following components, which work together to detect and identify attacks
and threats (Rehman RU, 2003).
1-Packet decoder: This component takes packets from the network interface (or from a capture
file) and decodes their protocol headers so that the preprocessors and the detection engine can
work with them.
2-Preprocessor: The purpose of this component is to examine and, where needed, normalize or
reassemble packets before they are sent to the detection engine, which may then create an alert
for a specific packet. A packet is not modified further once it has been passed on.
3-Detection engine: This is the most important component, because it detects known intrusion
activity in the packet. The detection engine checks each packet against the attributes specified
in the Snort rule definition files (header fields and content patterns). Additional detection
functions can be supplied as plug-ins.
4-Logging and alerting system: This component is in charge of generating alerts and logging
messages. Depending on what is found inside a packet, the packet is used either to log the
activity or to create an alert. By default all log files are placed under the /var/log/snort
folder; the location can be changed from the command line.
5-Output plug-ins: Output modules control what happens to the output of the detection engine.
They accept alerts created by the detection engine, the preprocessors or the packet decoder and
process the output generated by the logging and alerting system, for example writing it to a
file, to syslog or to a database.
Figure 2 shows the Snort process: packets arriving from the Internet enter the packet decoder and
pass through the components above; on the way to the output modules each packet is either dropped
or an alert is generated for it.
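The component chain just described, as an added illustration that is not Snort's code and not code from the paper: a miniature pipeline with a packet decoder, an HTTP URI-normalizing preprocessor (the job Snort's http_inspect preprocessor does), a detection engine that parses a small subset of the Snort rule language, and an output stage that writes alerts in the style of Snort's alert_fast format. The rule subset (header plus msg, content, http_uri, nocase, sid and rev), the constructed packets with zeroed checksums, the rule SIDs in the local 1000000+ range and the hypothetical Packet, decode, http_preprocess, parse_rule and run names are all assumptions for the demo.

```python
"""Miniature Snort-style pipeline: packet decoder -> preprocessor ->
detection engine -> alerting/output, run over constructed packets.

Added illustration only; this is not Snort's code. The rule subset parsed
here, the sample packets and the SIDs in the local 1000000+ range are
assumptions made for the demo.
"""
import re
import struct
import urllib.parse
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: bytes
    uri: str = ""  # normalized request URI, filled in by the HTTP preprocessor


def build_tcp(src, dst, sport, dport, payload):
    """Constructed IPv4/TCP frame (checksums left at zero) standing in for a captured packet."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


# 1. Packet decoder: pull addresses, ports and payload out of the raw bytes.
def decode(raw):
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6:
        raise ValueError("demo decodes TCP only")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return Packet(src, dst, "tcp", sport, dport, tcp[doff:])


# 2. Preprocessor: decode percent-encoding and collapse "//" and "/./" in the URI,
#    so that an encoded request still hits a plain "content:" rule.
HTTP_PORTS = {80, 8080}


def http_preprocess(pkt):
    if pkt.dport in HTTP_PORTS:
        m = re.match(rb"^(?:GET|POST|HEAD) (\S+) HTTP/", pkt.payload)
        if m:
            uri = urllib.parse.unquote(m.group(1).decode("latin-1"))
            pkt.uri = re.sub(r"/\./", "/", re.sub(r"/{2,}", "/", uri))
    return pkt


# 3. Detection engine: parse a subset of the Snort rule language and match it.
RULE_RE = re.compile(r"^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(line):
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("bad rule: " + line)
    action, proto, _src, sport, _dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "sport": sport, "dport": dport,
            "contents": [], "msg": "", "sid": 0, "rev": 1}
    for key, val in OPT_RE.findall(opts):
        val = val.strip().strip('"')
        if key == "content":
            rule["contents"].append({"pat": val, "http_uri": False, "nocase": False})
        elif key in ("http_uri", "nocase"):
            rule["contents"][-1][key] = True  # modifiers apply to the preceding content
        elif key == "msg":
            rule["msg"] = val
        elif key in ("sid", "rev"):
            rule[key] = int(val)
    return rule


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def match(rule, pkt):
    if rule["proto"] != pkt.proto or not _port_ok(rule["sport"], pkt.sport) \
            or not _port_ok(rule["dport"], pkt.dport):
        return False  # header part of the rule does not apply
    for c in rule["contents"]:
        buf = pkt.uri if c["http_uri"] else pkt.payload.decode("latin-1")
        pat = c["pat"]
        if c["nocase"]:
            buf, pat = buf.lower(), pat.lower()
        if pat not in buf:
            return False
    return True


# 4/5. Logging and output: one line per alert, modelled on Snort's alert_fast output.
def alert_fast(rule, pkt):
    return (f"[**] [1:{rule['sid']}:{rule['rev']}] {rule['msg']} [**] "
            f"{{{pkt.proto.upper()}}} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")


def run(rules_text, raw_packets):
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip() and not l.startswith("#")]
    alerts = []
    for raw in raw_packets:
        pkt = http_preprocess(decode(raw))
        for r in rules:
            if r["action"] == "alert" and match(r, pkt):
                alerts.append(alert_fast(r, pkt))
    return alerts


RULES = """
alert tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; http_uri; nocase; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; http_uri; sid:1000002; rev:1;)
"""

PACKETS = [  # constructed
    build_tcp("10.0.0.5", "192.0.2.10", 51000, 80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
    build_tcp("10.0.0.7", "192.0.2.10", 51001, 80, b"GET /cgi-bin/%70hf?Qalias=x%0a/bin/cat%20/%65tc/PASSWD HTTP/1.0\r\n\r\n"),
    build_tcp("10.0.0.7", "192.0.2.10", 51002, 8080, b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for line in run(RULES, PACKETS):
        print(line)
```

Only the second packet alerts, and it alerts twice (one line per matching rule): the raw payload never contains the literal "/etc/passwd" because of the "%65" encoding, so the rules only fire because the preprocessor normalized the URI first. The third packet carries the same request in the clear but goes to port 8080, which the rule headers do not cover. With real Snort the equivalent run over a capture file is `snort -c snort.conf -r capture.pcap -A fast`, and the alert lines land in the log directory given by `-l` (by default /var/log/snort).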
4. CONCLUSION
An intrusion detection system detects attacks using signatures that describe known malicious and
harmful activity.
A signature-based IDS detects known attacks; unknown attacks, whose signatures are not yet in the
database of available attack patterns, can be detected by an anomaly-based IDS.
Snort is an open-source IDS that is not only used for detecting attacks but can also take
preventive action: as soon as an attack is detected, the connection can be blocked immediately so
that the malicious traffic does not enter the network. Because it relies on signatures, Snort's
rule set must be updated frequently so that it recognizes new attacks and threats. Used in this
way, Snort can protect network systems from potential attacks or threats before they cause any
damage.
5. REFERENCES
1. Bace, R., Mell, P., 2001. NIST special publication on intrusion detection systems. DTIC
Document.
2. Bace, R.G., 2000. Intrusion detection. Sams.
3. Bishop, M.A., 2002. The Art and Science of Computer Security.
4. Cole, E., Krutz, R.L., Conley, J., Reisman, B., Ruebush, M., Gollmann, D., 2007. Wiley
Pathways Network Security Fundamentals. Wiley.
5. Kohlenberg, T., Alder, R., Carter, E.F., Foster, J.C., Jonkman, M., Marty, R., Poor, M., 2007.
Snort IDS and IPS Toolkit. Syngress.
6. Lunt, T.F., 1993. A survey of intrusion detection techniques. Computers & Security 12, 405–418.
Proctor, P.E., 2001. Practical intrusion detection handbook. Upper Saddle River, NJ: Prentice Hall.
7. Mukherjee, B., Heberlein, L.T., Levitt, K.N., 1994. Network intrusion detection. Network,
IEEE 8, 26–41.
8. Rehman, R.U., 2003. Intrusion Detection with SNORT: Advanced IDS Techniques Using
SNORT, Apache, MySQL, PHP, and ACID. Prentice Hall PTR.
9. Roesch, M., 1999. Snort-lightweight intrusion detection for networks, in: Proceedings of the
13th USENIX Conference on System Administration. pp. 229–238.
10. Russell, R., 2003. Snort Intrusion Detection 2.0 [WWW Document]. CERN Document Server.
URL http://cds.cern.ch/record/1085088 (accessed 5.12.13).
11. Scarfone, K., Mell, P., 2007. Guide to intrusion detection and prevention systems (idps).
NIST Special Publication 800, 94.
12. Snort :: Home Page [WWW Document], n.d. URL http://www.snort.org/ (accessed 5.12.13).
17. Tenhunen, T., 2008. Implementing an Intrusion Detection System in the MYSEA
architecture. DTIC Document.
18. Wireshark · Go deep. [WWW Document], n.d. URL http://www.wireshark.org/ (accessed
5.18.13).