Zero Cost IDS Setup


Setting Up an Intrusion Detection System On A Business or Home Network At Zero Cost

Summary

What is an Intrusion Detection System (IDS)?

An IDS detects unwanted manipulations to computer systems, mainly through the Internet. The manipulations may take the form of attacks by hackers.

An intrusion detection system is used to detect many types of malicious network traffic and computer usage that can’t be detected by a conventional firewall. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).

An IDS is composed of several components: Sensors which generate security events, a Console to monitor events and alerts and control the sensors, and a central Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received. There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In this case all three components will be combined into a single machine.

Objective

The main purpose of implementing an IDS on the network is to find the vulnerabilities currently being exploited on the network so they can be removed, and to prevent future exploitation. This will improve the overall performance of the entire network, thus maximizing productivity for all users.

Technologies Used

SNORT – Network intrusion prevention and detection system software using a rule-driven language that combines the benefits of signature-, protocol- and anomaly-based inspection methods. Free to download.

Sawmill – A powerful, hierarchical log analysis tool that runs on every major platform. It is particularly well suited to web server logs, but can process almost any log. The reports that Sawmill generates are hierarchical, attractive, and heavily cross-linked for easy navigation. Free 30-day trial available here.

IDS Machine – Computer with 2 network cards.

10/100/1000 Network TAP – Duplicates all traffic on the network so it can be monitored without causing any slowdown. Note: Still needs to be purchased, will be discussed in more detail below.

Implementation

SNORT Configuration:

Snort will continually monitor the network and generate an alert log that will be manually processed through Sawmill. Snort can be run on Windows and Linux. For more information on how to use Snort, click here. *Note: Snort's default configuration assumes a Linux machine; you need to edit the Snort config file manually to run Snort on Windows. You can download my edited Snort config file for Windows HERE, but you will still need to change the basic settings relating to the specific network you are monitoring.


To run Snort in IDS mode on WINDOWS:

1) Open a CMD window

2) CD to the Snort directory -> C:\Snort\bin

3) Run: snort -d -i2 -h 192.168.1.0/24 -l c:\snort\log -c c:\snort\etc\snort.conf

***Note: -i2 refers to the network interface to monitor; list the available interfaces with the following command: snort -W

***Note: To monitor multiple interfaces use -i any

To run Snort in IDS mode in Linux:

Same procedure as above, but you will need to refer to the Linux paths for where Snort has been installed.

***Note: In Linux the direction of the slashes is reversed, so '\' becomes '/'.

Sawmill Configuration:

Sawmill will be run from the administrator's computer and will use a copy of the alert log generated by Snort to show what is happening on the network: where traffic is going to and coming from, and what vulnerabilities exist on the network and are being exploited. From this information the network administrator can work towards "filling in the holes", removing the exploited weaknesses from the network and safeguarding against future vulnerabilities. Running Sawmill itself is as simple as installing it and loading your log files into Sawmill's Analysis Wizard; Sawmill generates all the reports automatically for you.
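Sawmill's reports come from parsing the Snort alert log. As an added example (not part of the original post, and not code from Snort or Sawmill), here is a small Python parser for Snort's one-line "fast" alert format (the format Snort writes when started with `-A fast`) that counts alerts per signature, source host and priority, the way a top-N report does; the alert lines are constructed sample data and the local rule SIDs in them are placeholders.

```python
import re
from collections import Counter
# Constructed sample of Snort "fast" alert lines (snort -A fast); not real traffic.
SAMPLE_ALERTS = """\
04/12-14:03:21.117204  [**] [1:1000001:1] LOCAL web scanner user-agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:51234 -> 192.168.1.10:80
04/12-14:03:22.004511  [**] [1:1000001:1] LOCAL web scanner user-agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:51235 -> 192.168.1.10:80
04/12-14:05:09.330000  [**] [1:1000002:2] LOCAL ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.77 -> 192.168.1.10
04/12-14:07:45.900120  [**] [1:1000003:1] LOCAL SSH brute force [**] [Priority: 1] {TCP} 10.0.0.9:40000 -> 192.168.1.10:22
this line is not an alert and must be skipped
"""
# One fast-format alert: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol and "src -> dst" endpoints.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def _endpoint(s):
    """Split 'ip:port' into (ip, port); ICMP endpoints carry no port."""
    ip, sep, port = s.rpartition(":")
    return (ip, int(port)) if sep and port.isdigit() else (s, None)

def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_ip"], rec["src_port"] = _endpoint(rec.pop("src"))
    rec["dst_ip"], rec["dst_port"] = _endpoint(rec.pop("dst"))
    rec["prio"] = int(rec["prio"])
    return rec

def summarize(text):
    """Count alerts per signature, source host and priority; unparseable lines are skipped."""
    records = [r for r in map(parse_alert, text.splitlines()) if r]
    counts = {
        "signature": Counter(f"{r['gid']}:{r['sid']} {r['msg']}" for r in records),
        "source": Counter(r["src_ip"] for r in records),
        "priority": Counter(r["prio"] for r in records),
    }
    return records, counts

if __name__ == "__main__":
    recs, counts = summarize(SAMPLE_ALERTS)
    for name, counter in counts.items():
        print(f"top by {name}:", counter.most_common(3))
```

To run it against a real log, pass the contents of the alert file from your Snort log directory to `summarize()` instead of the sample text.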

Network TAP Implementation:

Tap stands for "Test Access Port". Network taps allow all traffic on a network device (such as a switch) to be passively monitored. They are relatively inexpensive, reliable, and provide permanent access ports to monitor traffic through. In this case the network TAP will monitor the connection between two points, a router and a switch for example. A network tap is used because it gives the IDS the ability to view both sides of a full-duplex conversation, eliminates packet loss caused by network hardware, and lets the IDS see every packet transmitted across the line. It accomplishes all of this in a passive mode that does not affect the network structure as a whole. The network TAP has four ports: in/out ports for the network traffic to flow through, and two tap ports which mirror the traffic. There are two tap ports because the tap monitors traffic in both directions.

Conclusion

The benefits of using an IDS are clear: faster network processes, reduced network downtime, and knowing exactly what is happening on the network at all times.

One Response to “Zero Cost IDS Setup”

  1. Johnny Blogger » Blog Archive » Zero Cost Intrusion Detection System Setup Says:

    [...] Here's a gift from my days as a Technology student; everybody knows how students are always broke and in debt and how most small businesses are cheap and ignorant when it comes to anything IT related, especially network security. So I have provided a FREE method of outfitting your home or small business network with an Intrusion Detection System (IDS) and how to automatically generate human-readable and useful reports from the logs your IDS generates. That's right, FREE; this seems to be a theme on this site as you may have noticed, that's because I'm not rich… yet. Anyway, check out my write up for this free setup HERE. [...]
