Discuss your results, explaining them to those who will read your report. Be aware that you are the expert on this project and it is your responsibility to explain your results in details.

Which software was used, what the inputs to the simulations are and the results you got from the simulations. This section may contain tables,

State the objectives of the project as agreed with your lecturer and team (if a team is involved)?

Objectives of the project

Everyone needs to access information over the internet. We interact with each other over the internet every day, working online and applying for various services from internet providers. In this project we evaluate how a network can be monitored in real time, so that we stay informed of network activities. The network activities are monitored in real time with the help of the open source software Snort, which notifies the network administrator of what is happening. If someone tries to perform malicious activities such as SQL injection or planting a malware attack, the administrator will know through positive alerts generated by the Intrusion Detection System in real time.

Section one undertakes a preliminary review of malware detection in the cloud. Section two covers the literature review and the current state of the art in cloud security. Section three presents the design of our cloud network security, while section four covers the practical simulation of cloud network security through real-time monitoring, with discussion. Section five summarises what the project has covered. Finally, references are given in section six.

Using antivirus alone in the cloud as a preventive and protective measure is not enough [5]. Every day antivirus companies receive tons of new malware for which antivirus databases have no signatures [6]. This means that even a device running an updated antivirus can be exploited by new malware. This is called a zero-day exploit. Installing antivirus on every host machine is quite expensive, since it reduces the performance of the device and also increases network bandwidth use when all the antivirus clients synchronise with the cloud database [1].

Cloud service providers can outsource services from third-party identity management providers. This creates a huge weakness in the security implementation in the cloud, simply because if one party is not secured or is vulnerable to a certain malware, cloud users will be vulnerable to attacks that put their data integrity and data confidentiality at risk. The performance of the cloud service will also be reduced, because if a service from another party is down, the cloud service that outsources it cannot be served [2].

As the above reviews show, no one has tried to enforce cloud monitoring activities; cloud providers only provide services to their clients. Since antivirus only identifies threats based on a dictionary of already identified ones, this is becoming hard, because new threats are reported every day. If the antivirus does not have a threat's signature, a cloud node can be exploited at any time. This is what we call a zero-day exploit.

  • To prevent unauthorized access to cloud computing infrastructure resources such as infrastructure, business secrets and monitoring tools.
  • To prevent unauthorised access to data by unauthorized personnel who access cloud computing.
  • To ensure nodes are up to date and patched against any vulnerability.
  • To implement an intrusion detection system and an intrusion prevention system.

Challenges with Cloud Security

Weekly schedule

8.30 – 11:30

  • Security, load balancing and network performance
  • Strengthening and managing firewalls
  • Test of already implemented security features
  • Monitoring of incoming and outgoing traffic
  • Main research in security

2.00 – 4.00

  • Secure network implementation and design
  • Intrusion detection system: implementing and configuring using Snort
  • Review of security policies
  • Log analysis of Snort
  • Test of the current Snort rules

Gantt chart

  • Research & project planning
  • Proposal writing and submission
  • Data collection
  • Data analysis
  • Project design
  • Project presentation

Design Methodology.

Below is the detailed system diagram and a description of the hierarchy of the system's functions.

Figure 2.0 above illustrates Snort's working principles.

Incoming and outgoing traffic is monitored by Snort in real time.

Packet sniffers are responsible for capturing data being transmitted on the network and passing it to the decoder.

The packet decoder verifies whether a packet is crafted with any malicious payload, using its own database of attack signatures from already reported malicious packets. If the packet contains malicious activity, Snort sends an alert to the console and drops the packet from the network. It is responsible for the capture of data transmitted over the network for subsequent transmission to the decoder. Feature extraction deals with parsing the headers of captured packets and finding anomalies and deviations from the analysis of TCP flags.

The episode mining engine, also known as the detection engine, is responsible for further traffic analysis. It is responsible for detecting port scans and for the decoders of various protocols such as SSH, Telnet, IMAP, SSL, TLS and SMTP.

The Normal FER Database aids the episode mining engine by validating captured traffic during its analysis.

The anomaly log file stores information about packets containing malicious activity.

The signature database collects attack signatures in a single set, optimized for later use in the subsystem that inspects the captured and processed traffic.

The intrusion detection engine uses the databases of attack signatures to inspect the captured and processed traffic.

Integrated detection reports: upon detection of attacks, Snort outputs a message in different formats: file, syslog, ASCII, PCAP or binary format.

Figure 3.0 above illustrates a secured network environment using Snort as IDS and IPS.

External connections are filtered by the firewall. The purpose of the firewall is to filter unauthorised connections trying to access the internal network. A firewall cannot prevent or detect malware, so Snort has to be installed between the router and the switch that connects to the LAN users. All outbound and inbound traffic is analysed by the Snort server. When malware is detected, the Snort server generates an alert message in the console. All the alerts are displayed on the console of a Linux server. Log entries are also appended to a file for further analysis by the administrator.

Before compiling and installing Snort, we first have to install the related software and libraries, which include:

  • Zlib v1.2.1
  • LibPcap V0.7.2
  • MySQL v5.7
  • Apache V2.0.52
  • PHP V5.6

Working Principle of Snort IDS

The hardware requirements for Snort are minimal. A sensor can easily run on a 1 GHz machine with 512MB RAM and a 10GB hard disk. As with any system, more is better, including a hard disk that can accommodate the amount of log data that you wish to keep online.

Pre-requisites to install snort

  • Ubuntu server version 16.0.4
  • Kali Linux 2017.3 release
  • Snort
  • PulledPork
  • Base
  • Wireshark which is a pre install utility in Kali Linux

Implementation starts with a basic installation of Ubuntu server version 16.0.4 in Oracle VirtualBox. The platform running Oracle VirtualBox is a Debian-based Linux distro. After installing Ubuntu server, I changed the NAT network to a bridged network in Oracle VirtualBox so that the server can automatically pick an IP address from the address pool of the DHCP server. On restart the Ubuntu server was connected to the internet. Installation of Snort starts by downloading the Snort version, unpacking it and building it for installation. This is done by issuing Linux commands to the system. Thereafter I installed the attacker machine, which runs the Debian-based Kali Linux 2017.3 release. After the full installation of Kali Linux I changed the NAT network to a bridged network in the Oracle VirtualBox preferences so that Kali Linux picks an IP from the address pool of the DHCP server.

The PulledPork software helps to download rulesets. Configuring PulledPork enables Snort to download free rulesets from the online community, for example Tulo.

The BASE tool is a web GUI for Snort. It enables the administrator to view reports over HTTP from another machine by specifying the server IP address.

At this stage everything is installed, but Snort does not have any rules loaded. This can be verified by issuing this command on the terminal 0 Snort rules read.

Figure 3.1 above illustrates a scenario in which an attacker tries to attack the network by injecting malware and scanning the network devices. On the other end, the administrator monitoring the system is able to see all the events the attacker performs on the network through the Snort console running on a Linux machine.

Configuring Snort as an IDS

For this test I wired up my Kali Linux machine (the attacker). I used the Nmap tool to generate packets and send them to the target to guess the operating system running on the server machine.

Total packets received by Snort: 3122. Total packets dropped by Snort: 0%.

Secured network environment using Snort IDS and IPS

The TCP protocol accounted for 3097 packets of the network traffic. This means that the attacker was using the TCP protocol to carry out malicious activities in the network.

ICMP received six packets, so the attacker tried to ping the server.

ARP received 8 packets. This means that the attacker tried to inject a payload into the ARP header of packets.

FRAGS are lost packets.

Investigating on a log file generated by the Snort

Below is the log information reported by the IDS:

[**] IDS05 - SCAN-Possible NMAP Fingerprint attempt [**]

27/01/18-10:05:07.959989 0:60:97:8A:F5:31-> 0:50:BA:A4:EA:97 type:0x800 len:0x4A -> TTL:51 TOS:0x0 ID:4196

**SF*P*U Seq: 0xA5757576 Ack: 0x0 Win: 0x1000

This piece of information shows that the intruder tried to scan port 51 on the Ubuntu server hosting the IDS.

Configuring Snort as an IPS

For Snort to work as an IPS, a network bridge needs to be set up. This involves creating two interfaces, for example ens03 and ens04. Neither of these interfaces is assigned an IP address. Promiscuous mode is enabled on both interfaces so that Snort can run on them. When packets are transmitted over these interfaces, one receives the packets and inspects them for any suspicious activity, then passes them to the other if they carry no malicious signatures. If a packet does carry one, it is dropped by the first interface.

The TCP protocol accounted for more packets of the network traffic than the other protocols. This means that the attacker was using the TCP protocol to carry out malicious activities in the network.

ICMP received six packets, so the attacker tried to ping the server.

ARP received 8 packets. This means that the attacker tried to inject a payload into the ARP header of packets.

FRAGS are lost packets.

This alert file contains eight entries. Here is a sample entry:

[**] [1:1000001:0] <> Drop Telnet packets [**]

[Priority: 0]

27/01/18.995762 ->

TCP TTL:64 TOS:0x10 ID:3913 IpLen:20 DgmLen:60 DF

******S* Seq: 0x5670T692G Ack: 0x0 Win: 0x16D0 TcpLen: 40

TCP Options (5) => MSS: 1460 SackOK TS: 156788324 0 NOP WS: 5

The above results are from the Snort console, where packets matching a particular signature are analysed by Snort and dropped. This is because a Snort rule has been enforced.
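As an added example (not part of the original report and not Snort's own code), the Python sketch below parses the header and TCP flag lines of the two alert excerpts shown above and decodes the flag field by letter, so it works for both column layouts that appear in them. The function names and the verdict labels are assumptions made for illustration.

```python
import re

# Header and TCP flag lines copied from the two alert excerpts in the report.
SAMPLE_LOG = """\
[**] IDS05 - SCAN-Possible NMAP Fingerprint attempt [**]
**SF*P*U Seq: 0xA5757576 Ack: 0x0 Win: 0x1000

[**] [1:1000001:0] <> Drop Telnet packets [**]
[Priority: 0]
******S* Seq: 0x5670T692G Ack: 0x0 Win: 0x16D0 TcpLen: 40
"""

# "[**] [gid:sid:rev] message [**]"; the [gid:sid:rev] triple is optional.
HEADER = re.compile(r"^\[\*\*\]\s*(?:\[(\d+):(\d+):(\d+)\])?\s*(.*?)\s*\[\*\*\]$")
FLAGS = re.compile(r"^([*12UAPRSF]{8})\s+Seq:")
NAMES = {"U": "URG", "A": "ACK", "P": "PSH", "R": "RST",
         "S": "SYN", "F": "FIN", "1": "RES1", "2": "RES2"}

def decode_flags(field):
    """Map each letter to a flag name; '*' marks a flag that is not set."""
    return {NAMES[c] for c in field if c != "*"}

def flag_verdict(flags):
    """Label flag sets that a normal TCP conversation never produces."""
    if {"SYN", "FIN"} <= flags:
        return "invalid: SYN+FIN"
    if {"SYN", "RST"} <= flags:
        return "invalid: SYN+RST"
    if not flags:
        return "invalid: no flags (NULL)"
    if flags == {"SYN"}:
        return "connection attempt"
    return "normal"

def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        head = HEADER.match(line)
        if head:  # a new alert entry starts here
            _gid, sid, _rev, msg = head.groups()
            alerts.append({"sid": int(sid) if sid else None, "msg": msg,
                           "flags": None, "verdict": None})
            continue
        m = FLAGS.match(line)
        if m and alerts:  # flag line belongs to the most recent header
            flags = decode_flags(m.group(1))
            alerts[-1].update(flags=flags, verdict=flag_verdict(flags))
    return alerts

if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_LOG):
        print(a["sid"], a["msg"], sorted(a["flags"]), a["verdict"])
```

The first entry decodes to SYN, FIN, PSH and URG set together, a combination no ordinary TCP exchange produces, while the second is a plain SYN opening a connection.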

As we have seen from the above test, Snort was able to detect malicious activities on the network when configured as an IDS. Snort was able to generate a positive alert message for an intruder trying to fingerprint the Ubuntu server.

Pre-requisites to Install Snort

Also, as an Intrusion Prevention System, Snort was able to drop a packet trying to inject malware into the telnet port. All the TCP packets trying to pass through the network are being dropped. This shows the effectiveness of Snort as both an IPS and an IDS.

Installing Snort can be time consuming and requires a lot of skill from the operator, who must understand the network environment and have in-depth Snort skills. Snort is a great tool with third-party add-ons that extend its flexibility in analysing traffic and generating reports. Moreover, Snort suits both small and enterprise businesses. Sensors can be deployed at the various entry points of any network without affecting network stability. Snort can be configured to run on its own bare-metal servers, which will not affect network performance or the hardware performance of other nodes.

Pros for Intrusion detection system

  • IDS can detect internal and external attacks.
  • IDS can be scaled easily to cover entire networks.
  • It offers centralized management for correlating attacks.
  • Tracking of virus propagation in the network.
  • Keeps data for forensic analysis.

Cons for Intrusion detection system

  • Generates a lot of data to be analysed.
  • It cannot analyse encrypted messages.
  • It only reacts to attacks by sending alerts and cannot prevent the attack from taking place.
  • Generates false alarms and false negatives in intrusion detection.
  • It requires full-time monitoring and skilled personnel to interpret the data.
  • Expensive to implement over a complex network.

Pros for Intrusion prevention system

  • Reacts to potential threats and prevents attacks.
  • Provides defence in depth in the network.
  • Real-time event analysis.
  • Does not require administrative personnel, since it makes decisions based on the rules provided.

Cons for Intrusion prevention system

  • If an IPS is not tuned correctly, it can also deny legitimate traffic, causing denial of resources to an application.
  • Creates a network bottleneck, since all traffic must pass through the IPS in order to be analysed.
  • Generates false positive alarms, which can lead to problems if automated system responses are enabled.
  • Expensive to implement in an organization with a complex network design.


The aim of the study was to monitor network activities in the cloud for malware detection and prevention with IDS and IPS tools respectively. I have chosen the Snort tool simply because it offers robust functionality and can be scaled to suit the size of the network of any business. Also, Snort has a large community which supports it, creates rulesets and develops various plugins, such as BASE and Barnyard, which can be integrated with Snort for reporting and for data access by users in various roles. Since Snort is an open source tool, any business can deploy it in their network as long as they have the Snort expertise to install, monitor and use it.


[1] M. Watson, N. Shirazi, A. Marnerides, A. Mauthe and D. Hutchison, "Malware Detection in Cloud Computing Infrastructures", IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 2, pp. 192-205, 2016.

[2] M. Ahmed and M. Ashraf Hossain, "Cloud Computing and Security Issues in the Cloud", International Journal of Network Security & Its Applications, vol. 6, no. 1, pp. 25-36, 2014.

[3] U. Service, "1-5 Major Security Objectives for Cloud Computing", 2018. [Online]. Available: [Accessed: 26- Jan- 2018].

[4] "Snort Setup Guides for Emerging Threats Prevention", 2018. [Online]. Available: [Accessed: 26- Jan- 2018].

[5] R. Kumar, "Cloud computing and security issue", International Journal Of Engineering And Computer Science, 2016.

[6] P. SinghArneja and S. Sachdev, "Detailed Analysis of Antivirus based Firewall and Concept of Private Cloud Antivirus based Firewall", International Journal of Computer Applications, vol. 111, no. 4, pp. 16-23, 2015.

[7] P. John Stewart, "CSA Summit Cloudifying Information Security", Booth 2614 (South Hall) at the RSA Conference, 2016.

Cite This Work

My Assignment Help. (2020). Real-Time Network Monitoring Using Snort IDS And IPS. Retrieved from