
MEENAKSHI SUNDARARAJAN ENGINEERING COLLEGE

#363, Arcot Road, Kodambakkam, Chennai – 600024, Tamil Nadu, India

Department: Computer Science & Engineering Register No.:311521104035

EX. NO : 08 DEMONSTRATE INTRUSION DETECTION SYSTEM USING ANY TOOL

AIM:

To implement an Intrusion Detection System using the Snort tool.

OBJECTIVE:

To learn and understand how to implement an Intrusion Detection System using the Snort tool.

SOFTWARE REQUIRED:

Snort tool.

INTRUSION DETECTION SYSTEM:

An intrusion detection system (IDS) is a network security tool that monitors network traffic and devices
for known malicious activity, suspicious activity or security policy violations.

It observes network traffic for malicious transactions and sends immediate alerts when such activity is observed.

Each illegal activity or violation is typically recorded centrally using a SIEM system or reported to an
administrator.

Working of an IDS:

• An IDS (Intrusion Detection System) monitors the traffic on a computer network to detect any
suspicious activity.
• It analyzes the data flowing through the network to look for patterns and signs of abnormal
behavior.
• The IDS compares the network activity to a set of predefined rules and patterns to identify any
activity that might indicate an attack or intrusion.
• If the IDS detects something that matches one of these rules or patterns, it sends an alert to the
system administrator.
• The system administrator can then investigate the alert and take action to prevent any damage or
further intrusion.


IDS Detection Methods:

• Signature-based detection system: A signature-based IDS monitors inbound network traffic,
looking for specific patterns and sequences that match known attack signatures. While it is
effective for this purpose, it is incapable of detecting unidentified attacks with no known patterns.
• Anomaly-based detection system: The anomaly-based IDS is a relatively newer technology
designed to detect unknown attacks, going beyond the identification of attack signatures. This type
of detection instead uses machine learning to analyze large amounts of network data and traffic.
An anomaly-based IDS builds a model of normal activity and uses it to identify anomalous
behavior. However, it is prone to false positives.

Types of IDS:

1) Network-based intrusion detection system (NIDS):

A network IDS monitors a complete protected network. It is deployed across the infrastructure at strategic
points, such as the most vulnerable subnets. The NIDS monitors all traffic flowing to and from devices on
the network, making determinations based on packet contents and metadata.

2) Host-based intrusion detection system (HIDS):

A host-based IDS monitors the computer infrastructure on which it is installed. It is deployed on a specific
endpoint to protect it against internal and external threats. The IDS accomplishes this by analyzing traffic,
logging malicious activity and notifying designated authorities.

3) Protocol-based intrusion detection system (PIDS):

A protocol-based intrusion detection system is usually installed on a web server. It monitors and analyzes
the protocol between a user/device and the server.

4) Application protocol-based intrusion detection system (APIDS):

An APIDS is a system or agent that usually sits within a group of servers. It tracks and interprets
communication on application-specific protocols.

5) Hybrid intrusion detection system:

A hybrid intrusion detection system combines two or more intrusion detection approaches. This detection
system is more powerful compared to other systems.


Snort:

Snort is based on libpcap (the packet capture library), which is widely used in TCP/IP traffic sniffers and
analyzers. Through protocol analysis, content searching and matching, Snort detects attack methods
including denial of service, buffer overflow, CGI attacks, stealth port scans, and SMB probes.

When suspicious behavior is detected, Snort sends a real-time alert to syslog, a separate ‘alerts’ file, or a
pop-up window.

Snort is currently the most popular free network intrusion detection software.

It is easy to configure. Rules are very flexible, easily written, and easily inserted into the rule base.
Another advantage of Snort is that it allows raw packet data analysis.

Installation of Snort:

Step 1: Visit the website https://www.snort.org/downloads and download Snort tool.

Step 2: Select “I agree” → Select Snort, Dynamic modules, Documentation → Next.

Step 3: Choose a destination folder by clicking on the Browse button; the default path is “C:\Snort”.

Step 4: In the command prompt, change to the Snort directory: “cd \snort”.

Step 5: Type “snort -V” in the command prompt to check the version of the Snort tool.

Step 6: Download the Snort rules from https://www.snort.org/downloads (click Sign in first).

A compressed folder “snortrules-snapshot-29161.tar.gz” will be downloaded.


Step 7: Open the “snortrules-snapshot-29161.tar” folder and find “rules” folder. Open the “rules” folder
and copy all the rules present inside it.

Step 8: Go to “C:\Snort\rules” and paste all the rules files.

Step 9: To edit the snort.conf file, go to “C:\Snort\etc” and open the snort.conf file.

Step 10: Open the command prompt and type “ipconfig”.

Step 11: Set the network variables in the snort.conf file using the IP address found with ipconfig (10.0.0.2).

Step 12: Set up the network address to be protected (Snort’s variable keywords are lowercase):

ipvar HOME_NET 10.0.0.2

Step 13: Set up the external network address as HOME_NET:

ipvar EXTERNAL_NET $HOME_NET

Step 14: Set the path of the rules files to “C:\Snort\rules” and “C:\Snort\preproc_rules”.

Set the white list and black list path to “C:\Snort\rules”.

Step 15: Configure the decoder section of the snort.conf file by setting the path of the log directory
to “C:\Snort\log”.


Configure the dynamically loaded libraries by setting the path of the dynamic preprocessor libraries to
“C:\Snort\lib\snort_dynamicpreprocessor” and the base preprocessor engine to
“C:\Snort\lib\snort_dynamicengine\sf_engine.dll”.

Step 16: Configure the preprocessors by removing the trailing “\” line continuations and commenting out the
decompress_swf and decompress_pdf options. Also comment out the preprocessor bo line. Remove the comment
from preprocessor sfportscan so that it is enabled.

Step 17: Set the path to the white list and black list files, create the new files, and save them in that directory.

Step 18: Replace each forward slash “/” in the configured paths with a backslash “\”.

Step 19: Customize the preprocessor and decoder alert paths in the same way, replacing the forward slash “/” with a backslash “\”.


Step 20: Open the command prompt, go to “C:\Snort\bin” and type “snort -W” to list the available interfaces.

Step 21: Execute the Snort tool in the command prompt by typing “snort -i 2 -c C:\Snort\etc\snort.conf” (the interface flag is lowercase -i).

-i – interface number from the “snort -W” listing; -c – configuration file.


Step 22: Rules to detect scanning attacks. After running Snort in IDS mode, the next step is to write rules
in the “local.rules” file. The following rules can be added to detect SYN attack, UDP scan, PING
scan, FIN scan, NULL scan, XMAS scan, and TCP scan (Snort requires plain ASCII double quotes):

• alert tcp any any -> any any (msg: "SYN attack"; flags: S,12; sid: 10000005;)
• alert udp any any -> 192.168.43.160 any (msg: "UDP Scan"; sid: 10001; rev: 1;)
• alert icmp any any -> 192.168.43.160 any (msg: "PING Scan"; dsize:0; sid:10002; rev:1;)
• alert tcp any any -> $HOME_NET any (msg: "FIN Scan"; flags: F; sid: 10003; rev: 1;)
• alert tcp any any -> $HOME_NET any (msg: "NULL Scan"; flags: 0; sid: 10004; rev: 1;)
• alert tcp 192.168.43.160 any -> $HOME_NET 22 (msg: "XMAS Scan"; flags: FPU; sid: 10005; rev: 1;)
• alert tcp 192.168.43.160 any -> 192.168.43.160 any (msg: "TCP Scan"; flags: S,12; sid: 10006; rev: 1;)
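The following Python script is an added example and is not part of the lab record or Snort's own code. It implements only the small rule subset that the Step 22 rules use (protocol, source and destination with $VAR substitution as set up in Steps 12 and 13, and the msg/flags/dsize/sid options) and evaluates constructed packets against those rules, so the flag matching Snort performs for SYN, FIN, NULL and XMAS probes can be traced by hand. The packets, the IPVARS table and the FLAG_BITS values are assumptions written for the example; they are not taken from a capture.

```python
"""Rule evaluator for the Step 22 scan-detection rules (added example, not Snort code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Mirrors the ipvar lines written into snort.conf in Steps 12 and 13.
IPVARS = {"HOME_NET": "10.0.0.2", "EXTERNAL_NET": "10.0.0.2"}

# TCP flag letters as used by Snort's `flags` option, with their header bit values.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}

RULE_RE = re.compile(
    r"^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


@dataclass
class Rule:
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    sid: int
    flags: Optional[str]   # "S", "FPU", "0", ...; None when the rule has no flags test
    ignore: int            # flag bits listed after the comma, masked out before comparing
    dsize: Optional[int]   # required payload length, or None


@dataclass
class Packet:
    """Constructed packet with just the header fields the rules above inspect."""
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: int = 0         # TCP flag bits built from FLAG_BITS
    payload_len: int = 0


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    proto, src, sport, dst, dport, body = m.groups()
    opts = {}
    for part in body.split(";"):
        if ":" in part:
            key, val = part.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    flags, ignore = None, 0
    if "flags" in opts:
        spec, _, ign = opts["flags"].partition(",")
        flags = spec.strip()
        ignore = sum(FLAG_BITS[c] for c in ign.strip())
    dsize = int(opts["dsize"]) if "dsize" in opts else None
    return Rule(proto, src, sport, dst, dport, opts.get("msg", ""),
                int(opts["sid"]), flags, ignore, dsize)


def _addr_ok(pattern: str, value: str) -> bool:
    if pattern == "any":
        return True
    if pattern.startswith("$"):          # $HOME_NET -> the ipvar value
        pattern = IPVARS[pattern[1:]]
    return pattern == value


def _port_ok(pattern: str, value: int) -> bool:
    return pattern == "any" or int(pattern) == value


def _flags_ok(rule: Rule, pkt: Packet) -> bool:
    if rule.flags is None:
        return True
    # Plain `flags:X` requires exactly X to be set; bits after the comma are ignored.
    want = 0 if rule.flags == "0" else sum(FLAG_BITS[c] for c in rule.flags)
    return (pkt.flags & ~rule.ignore & 0xFF) == want


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and _addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)
            and _flags_ok(rule, pkt)
            and (rule.dsize is None or rule.dsize == pkt.payload_len))


def alerts_for(rules: List[Rule], pkt: Packet) -> List[Tuple[int, str]]:
    """Return (sid, msg) for every rule the packet triggers, in rule order."""
    return [(r.sid, r.msg) for r in rules if matches(r, pkt)]


# The Step 22 rules, with ASCII quotes as Snort requires.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any any (msg: "SYN attack"; flags: S,12; sid: 10000005;)',
    'alert udp any any -> 192.168.43.160 any (msg: "UDP Scan"; sid: 10001; rev: 1;)',
    'alert icmp any any -> 192.168.43.160 any (msg: "PING Scan"; dsize:0; sid:10002; rev:1;)',
    'alert tcp any any -> $HOME_NET any (msg: "FIN Scan"; flags: F; sid: 10003; rev: 1;)',
    'alert tcp any any -> $HOME_NET any (msg: "NULL Scan"; flags: 0; sid: 10004; rev: 1;)',
    'alert tcp 192.168.43.160 any -> $HOME_NET 22 (msg: "XMAS Scan"; flags: FPU; sid: 10005; rev: 1;)',
    'alert tcp 192.168.43.160 any -> 192.168.43.160 any (msg: "TCP Scan"; flags: S,12; sid: 10006; rev: 1;)',
]]

# Constructed probe packets (not captured traffic) aimed at the lab host 10.0.0.2.
SYN_WITH_ECN = Packet("tcp", "192.168.43.5", "10.0.0.2", 40000, 80,
                      flags=FLAG_BITS["S"] | FLAG_BITS["2"])   # SYN plus reserved bit 2
NULL_PROBE = Packet("tcp", "192.168.43.5", "10.0.0.2", 40001, 443, flags=0)
XMAS_PROBE = Packet("tcp", "192.168.43.160", "10.0.0.2", 40002, 22,
                    flags=FLAG_BITS["F"] | FLAG_BITS["P"] | FLAG_BITS["U"])
EMPTY_PING = Packet("icmp", "192.168.43.5", "192.168.43.160", payload_len=0)
NORMAL_PING = Packet("icmp", "192.168.43.5", "192.168.43.160", payload_len=56)
UDP_TO_HOME = Packet("udp", "192.168.43.5", "10.0.0.2", 40003, 53)
```

Calling `alerts_for(RULES, pkt)` on each constructed packet shows two things the rule list alone does not: the `,12` suffix on the SYN rule is what lets a SYN carrying the reserved bits still match, and rules whose destination is the literal 192.168.43.160 (UDP Scan, PING Scan, TCP Scan) never fire for traffic to the $HOME_NET address 10.0.0.2 configured in Step 12, so a UDP probe at the lab host produces no alert. The `dsize:0` test also means only empty ICMP echoes are reported; a 56-byte ping passes silently.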

Step 23: Execute Snort in IDS mode by typing “snort -i 1 -c C:\Snort\etc\snort.conf -A console” in the
command prompt and press Enter.

Step 24: Perform network scanning with nmap by typing “nmap -p 1-65535 -v 10.0.0.2” in the
command prompt, where -p gives the port range to scan and -v enables verbose mode. The same network
scans can be performed with the Zenmap tool.


Step 25: The network scanning attacks are detected by the Snort IDS, as shown.
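The following Python script is an added example for reading the console alerts produced in this step; it is not part of the lab record or Snort's own code. The sample lines are constructed in the layout Snort 2 prints with -A console (timestamp, [gid:sid:rev], message, priority, protocol and endpoints) and include one non-alert status line; no real capture is included. The parser turns each alert into a record, and the summary counts alerts per rule and per source and flags any source that hit several distinct destination ports, which is how the Step 24 scan shows up in the alert stream. The threshold of three ports is an assumption chosen for the example.

```python
"""Parser and triage summary for Snort console alerts (added example, not Snort code)."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:[^\]]*\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")

# Constructed sample of what the Step 23 console shows during the Step 24 nmap run.
# The last line is a Snort status message, not an alert, and must be skipped.
SAMPLE_ALERTS = """\
12/09-10:15:31.990000  [**] [1:10002:1] PING Scan [**] [Priority: 0] {ICMP} 192.168.43.5 -> 192.168.43.160
12/09-10:15:32.101001  [**] [1:10000005:0] SYN attack [**] [Priority: 0] {TCP} 192.168.43.5:40000 -> 10.0.0.2:22
12/09-10:15:32.101532  [**] [1:10000005:0] SYN attack [**] [Priority: 0] {TCP} 192.168.43.5:40001 -> 10.0.0.2:80
12/09-10:15:32.102044  [**] [1:10000005:0] SYN attack [**] [Priority: 0] {TCP} 192.168.43.5:40002 -> 10.0.0.2:443
12/09-10:15:32.102590  [**] [1:10000005:0] SYN attack [**] [Priority: 0] {TCP} 192.168.43.5:40003 -> 10.0.0.2:8080
12/09-10:15:33.000120  [**] [1:10004:1] NULL Scan [**] [Priority: 0] {TCP} 192.168.43.5:40004 -> 10.0.0.2:22
12/09-10:16:01.000000  [**] [1:10000005:0] SYN attack [**] [Priority: 0] {TCP} 10.0.0.9:51000 -> 10.0.0.2:443
Commencing packet processing (pid=4321)
"""


def parse_alert(line: str) -> Optional[Dict]:
    """Parse one console alert line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):           # absent for ICMP alerts
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize(text: str) -> Dict:
    """Count alerts per rule and per source, and collect ports touched per source."""
    by_sid: Counter = Counter()
    by_src: Counter = Counter()
    ports = defaultdict(set)
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            skipped += 1
            continue
        by_sid[(rec["sid"], rec["msg"])] += 1
        by_src[rec["src"]] += 1
        if rec["dport"] is not None:
            ports[rec["src"]].add(rec["dport"])
    return {"by_sid": dict(by_sid), "by_src": dict(by_src),
            "ports_by_src": {s: sorted(p) for s, p in ports.items()},
            "skipped": skipped}


def likely_scanners(summary: Dict, min_ports: int = 3) -> List[str]:
    """Sources that triggered alerts against at least min_ports distinct destination ports."""
    return sorted(src for src, plist in summary["ports_by_src"].items()
                  if len(plist) >= min_ports)
```

Running `likely_scanners(summarize(SAMPLE_ALERTS))` singles out 192.168.43.5, whose alerts span ports 22, 80, 443 and 8080, while 10.0.0.9, which raised a single SYN alert against one port, is left alone; this per-source port spread is a more useful triage signal than the raw count of “SYN attack” alerts, since the Step 22 SYN rule fires on every ordinary connection attempt as well.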


RESULT:

Thus, the Intrusion Detection System using Snort tool has been implemented successfully.
