An Open Source Network Intrusion Detection System - Article Example

What is Snort? It is defined as “An open source network intrusion detection system (NIDS) that is noted for its effectiveness. Developed by Martin Roesch, Snort can also be used just as a packet logger or packet sniffer” (Snort.2011).  Initially, Snort was used as a packet sniffer tool, in order to analyze and detect data packets on the network. However, as the tool matures, it was transformed as an Intrusion detection system. Moreover, the architecture of Snort comprises of four components i.e. packet decoder, preprocessor, detection engine and module with the features of logging and alerts.

The injection of Snort starts with the insertion of data packets via a network interface card along with the module named as ‘packet capture’. Likewise, the packet decoder determines the protocol of the packet. This process is conducted to check whether the protocol is matching the required proposal of protocols. However, in some cases, the packet decoder can construct a message if the packet header is abnormal or distorted, packet exceeds the size limit, parameters defining inappropriate protocols and vice versa (Paulauskas & Skudutis, 2008).

  As per the scenario, Snort will facilitate the investigation team with the following features: Snort will allow the investigation team to analyze in-depth network threats by detecting buffer overflows, port scanning, CGI attacks, SMB probing, NetBIOS requests and NMAP.  Likewise, the team will also be able to construct new signatures, in order to detect weaknesses in the system. Moreover, the team will translate packets in a human readable form from the IP addresses. Furthermore, the tool will deploy a passive trap for recording the current network traffic (What are the various features of snort? n.d).

A functional view of Snort is represented as Forensic investigators only have log files, audit trails and some physical evidences. However, any unusual activity in logs or audit trails indicates and provides sufficient information before a security breach takes place. Likewise, in order to evaluate live network traffic, a system is required to be configured on the network for monitoring live network traffic. Snort collects raw data packets from different network interfaces i.e. LAN, WAN, SLIP, PPP, VPN by deploying kernel named as ‘Libpcap’, in order to get prepared for preprocessing mechanism in the packet decoder.

Likewise, the preprocessor modifies data packets prior to their way to the detection engine, in order to analyze them and generate alerts for any possible anomalies associated with headers of the packets. Likewise, the core function of a preprocessor is to prepare or shape the network traffic for applying rules that are applicable at the next stage that is detection engine. This is usually called as packet defragmentation. Moreover, Snort also provides opportunities for investigators to decode HTTP, re construct TCP streams that are used for eliminating attacks.

The detection engine is based on time and operates in an extensive evidence collection mechanism. It is time- based because, if many rules are applied, the packet processing will consume time. In some cases, network transmission is too high and may result in packet drop. This will not make an investigation effective. The detection engine of Snort, stops’ processing, whenever, a rule is matched.  According to the defined parameters of a specific rule, the detection engine will log the packet or else generate an alert.

Consequently, before Snort generates an alert, it makes sure that all rules are matched. The next component of Snort known as the collection engine will collectivizes evidence from the hosts and networks that is an input for a forensic investigation team. However, the secondary data that can be used also as an input will probably the log files and audit trails which can be achieved from the applications. ‘Windup’ is a “freeware tool for Windows that is a protocol analyzer that can monitor network traffic on a wire” (Windump.2007). The primary focus is to analyze and report issues related to packet headers in network traffic.

The tool is specifically developed for supporting functions related to digital forensics investigation. The tool can specifically analyze traffic broadcasting from workstation that has a malware installed in it. Likewise, it extracts the source information from the packet header in terms of IP addresses. Moreover, the tool can also facilitate the investigation tem to filter the required information. For instance, investigation team is currently analyzing SSL packets because of an online crime.

Consequently, the tool will only provide information related to SSL packets only and ignore the rest.