IDS Systems - Snort and Bro - Case Study Example

Summary
The paper "IDS Systems - Snort and Bro" highlights that in the current IDS market there are many systems that are open source and free of charge, but some are not without cost. Snort and Bro are IDS systems that are without any cost…

Analytical Research Paper on IDS Systems: Snort vs Bro
Jeri R. Bridgeford
Maryland College
March 2

Introduction

Intrusion detection is the act of detecting activities and actions that can compromise the integrity, confidentiality or availability of network resources in any information technology infrastructure (Helman, Liepins, & Richards, 1992; Silberschatz, Galvin, & Gagne, 2004; Anderson, 1980). In fact, intrusion detection can be an automatic system that takes preventive and stopping measures without requiring direct human intervention. Such automatic prevention and detection measures make intrusion detection more effective for network security management. Intrusion detection can be carried out automatically as well as manually (Sundaram, 1996). At present there exist a large number of intrusion detection systems (IDS). Some of them are available as open source, which makes it easier for organizations to adopt them according to their needs. The basic objective of this research is to provide an analysis of two open source intrusion detection systems: Snort and Bro. The structure of this paper is as follows: first an overview of intrusion detection systems is provided, the next two sections present an overview of the two IDSs, and after that a comparison of the two is presented.

Purpose of IDSs and Detection Techniques

Basically, an intrusion detection system is an application or device used to scrutinize all network traffic and notify the administrator or user when there has been an illegal attempt or access. There are two major techniques of network traffic monitoring: anomaly-based and signature-based. Depending on the application or device used, the intrusion detection system may either simply alert the administrator or user, or it may be set up to respond automatically in some way or to block specific traffic (Bradley, 2015).
In this scenario, anomaly-based detection in the IDS compares present network traffic to a known-good baseline to look for anything out of the ordinary. The intrusion detection system can be placed deliberately on the communication network as a network-based intrusion detection system (NIDS), which scrutinizes all traffic on the network. It can also be installed on each individual system as a host-based intrusion detection system (HIDS), which scrutinizes traffic to and from that specific device (Bradley, 2015).

Snort IDS

Martin Roesch developed an open source network intrusion detection system (NIDS) called Snort. It is basically a packet sniffer that monitors network traffic in real time, dissecting every packet meticulously in order to identify any dangerous payload or suspicious anomaly. Snort is based on libpcap (an abbreviation of "library for packet capture"), which is used extensively in TCP/IP traffic sniffers, evaluation and analysis tools. By performing protocol analysis and content searching and matching, it can identify attack methods used by attackers, including denial of service, CGI attacks, stealth port scans, buffer overflows and SMB probes. When suspicious behaviour is detected, Snort sends an immediate alert to syslog, to a separate alerts file, or to a pop-up window (Rouse, 2005). Regarding the reliability of Snort, it was tested by the NSS Group, a European network security testing firm, which evaluated Snort alongside commercial intrusion detection products. In this test there were IDS products from 15 major vendors, including Symantec, Cisco and Computer Associates.
The results showed that Snort, an open source freeware product, clearly outperformed all the proprietary products on the basis of performance, as reported by NSS (Rouse, 2005). In addition, Snort is capable of real-time traffic analysis and packet logging on IP (Internet Protocol) networks. It can also perform protocol analysis and content searching and matching. Snort is also capable of identifying suspicious probes and attacks, including operating system (OS) fingerprinting attempts, common gateway interface (CGI) attacks, buffer overflows, server message block (SMB) probes and stealth port scans. Its capabilities are not limited to these but go much further. Snort can be configured in three different modes: as a sniffer, as a packet logger, or as a network intrusion detection system (Mehra, 2012; Richard, 2001). In sniffer mode, Snort reads network packets and displays them on the console in a continuous stream. In packet logger mode, it writes those packets to disk. Network intrusion detection mode is the most complex: it monitors network traffic and analyzes it against the rules defined by the user. After analyzing and identifying suspicious behaviour, this mode also performs a particular action in response to the threat identified (Mehra, 2012).

Components of Snort

Snort can logically be separated into a number of components. All of these parts work in conjunction with one another to identify particular attacks and to produce output in the required format from the detection system.
A Snort-based IDS comprises the following main components (Rajesh, 2005; Yuan, Tan, & Le, 2013):

Packet Decoder
Preprocessors
Detection Engine
Logging and Alerting System
Output Modules

Packet Decoder

The first component is the packet decoder, which captures packets from different types of network interfaces and prepares them to be preprocessed or passed to the detection engine. These network interfaces may include SLIP, PPP, Ethernet and so on.

Preprocessors or Input Plug-ins

Preprocessors, or input plug-ins, are components used with Snort to arrange or modify data packets before the detection engine does its work of determining whether a packet is being used or altered by an intruder. Preprocessors are also used to normalize protocol fields, detect anomalies, reassemble fragmented packets and reassemble TCP streams.

Detection Engine

The most significant and central component of Snort is the detection engine. It is responsible for detecting whether any intrusion activity is present in a data packet. To identify such intrusions, the detection engine uses Snort rules. The rules are read into internal data structures, or chains, where they are matched against the corresponding packets. If a packet matches a rule, the appropriate action is taken; otherwise the packet is discarded. Such actions include generating alerts or logging the packet.
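To make the decoder, preprocessor, detection engine and alerting flow described above concrete, here is an added example, written for this page rather than taken from Snort's own code, that models the pipeline in Python and also selects between the sniffer, packet logger and NIDS modes described earlier. The rule parser handles only a small subset of Snort's rule syntax (the header plus the msg, content and sid options), the chain-by-destination-port organisation is a simplification of Snort's rule tree, and the sample rules, packets and the percent-decoding preprocessor are constructed for the example.

```python
"""Toy model of the Snort pipeline: packet decoder -> preprocessor ->
detection engine (rule chains) -> logging/alerting -> output module.
Constructed example, not Snort's code; parse_rule handles only a small
subset of Snort's rule syntax (header plus msg/content/sid options)."""
from __future__ import annotations
import re
from collections import namedtuple
from urllib.parse import unquote

Rule = namedtuple("Rule", "action proto dport msg content sid")

# header: action proto src sport -> dst dport, followed by (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*\S+\s+"
    r"(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(text: str) -> Rule:
    """Parse one rule line into a Rule; content is kept as bytes for matching."""
    m = RULE_RE.match(text)
    if m is None:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = {}
    for opt in m["opts"].split(";"):
        if ":" in opt:
            key, value = opt.strip().split(":", 1)
            opts[key] = value.strip().strip('"')
    return Rule(m["action"], m["proto"].lower(), m["dport"], opts["msg"],
                opts["content"].encode(), int(opts["sid"]))

def build_chains(rules: list[Rule]) -> dict[str, list[Rule]]:
    """Group rules into chains keyed by destination port (a simplified rule tree),
    so a packet is compared only against rules that can apply to it."""
    chains: dict[str, list[Rule]] = {}
    for rule in rules:
        chains.setdefault(rule.dport, []).append(rule)
    return chains

def decode(raw: dict) -> dict:
    """Packet decoder: a captured frame (here a constructed dict) becomes a packet record."""
    return {"proto": raw["proto"].lower(), "src": raw["src"], "sport": raw["sport"],
            "dst": raw["dst"], "dport": raw["dport"], "payload": raw["payload"]}

def preprocess(pkt: dict) -> dict:
    """Preprocessor: normalize before detection. For HTTP (port 80) the percent-encoded
    request is decoded, so a rule written for the plain form also matches an encoded variant."""
    pkt["normalized"] = pkt["payload"]
    if pkt["proto"] == "tcp" and pkt["dport"] == 80:
        pkt["normalized"] = unquote(pkt["payload"].decode("latin-1")).encode("latin-1")
    return pkt

def detect(pkt: dict, chains: dict[str, list[Rule]]) -> Rule | None:
    """Detection engine: walk the port chain plus the 'any' chain and return the first
    rule whose content occurs in the normalized payload, or None if the packet is clean."""
    for rule in chains.get(str(pkt["dport"]), []) + chains.get("any", []):
        if rule.proto == pkt["proto"] and rule.content in pkt["normalized"]:
            return rule
    return None

def alert_line(rule: Rule, pkt: dict) -> str:
    """Logging/alerting plus a 'fast'-style output module: one line per alert."""
    return f"[{rule.sid}] {rule.msg} {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}"

def run(raw_packets: list[dict], rule_texts: list[str], mode: str = "nids") -> list[str]:
    """Run in one of Snort's three modes: sniffer (one summary per packet), logger
    (raw payload for writing to disk) or nids (rules and alerts). Returns the lines."""
    chains = build_chains([parse_rule(t) for t in rule_texts])
    out = []
    for raw in raw_packets:
        pkt = preprocess(decode(raw))
        if mode == "sniffer":
            out.append(f"{pkt['proto']} {pkt['src']}:{pkt['sport']} -> "
                       f"{pkt['dst']}:{pkt['dport']} len={len(pkt['payload'])}")
        elif mode == "logger":
            out.append(pkt["payload"].hex())
        else:
            rule = detect(pkt, chains)
            if rule is not None and rule.action == "alert":
                out.append(alert_line(rule, pkt))
    return out

# Constructed sample rules and traffic (not real captures).
SAMPLE_RULES = [
    'alert tcp any any -> $HOME_NET 80 (msg:"WEB directory traversal"; content:"../"; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET any (msg:"Shell command string"; content:"/bin/sh"; sid:1000002; rev:1;)',
]
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "10.0.0.7", "sport": 40002, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /%2e%2e/%2e%2e/private.txt HTTP/1.1\r\n"},   # matches only once decoded
    {"proto": "tcp", "src": "10.0.0.9", "sport": 40003, "dst": "192.0.2.11", "dport": 2222,
     "payload": b"/bin/sh -c id\n"},
]

if __name__ == "__main__":
    for line in run(SAMPLE_PACKETS, SAMPLE_RULES):
        print(line)
```

The second sample packet is the point of the preprocessor stage: its request line carries the traversal sequence percent-encoded, so the rule's plain `../` content only matches after normalization, which is why Snort places preprocessors ahead of the detection engine. The third packet shows the `any` chain catching content on a port no port-specific rule covers.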
Logging and Alerting System

The next component is the logging and alerting system, which generates alerts and log messages based on the problems or anomalies in the data packets identified by the detection engine.

Output Modules

Output modules, or output plug-ins, process the alerts and logs and generate the final output.

Figure 1: Process of Snort. Image source: (Mehra, 2012)

Snort supports many hardware platforms and operating systems. It exists for, and is supported on, many contemporary operating systems, including NetBSD, Linux, FreeBSD, OpenBSD, Solaris (both SPARC and i386), AIX, IRIX, HP-UX, MacOS and Windows. As a result, Snort can run on old and new hardware and operating systems alike. It also helps in fixing a number of network issues and in identifying other anomalies (Mehra, 2012).

Bro IDS

Bro is another open source network intrusion detection system (NIDS). It is based on UNIX and passively monitors network traffic, looking for suspicious activity. It detects intrusions by first parsing the network traffic to extract its application-level semantics, and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome. Bro's analysis includes the detection of specific attacks, including those defined by signatures, but also intrusions defined in terms of events and unusual activities, for instance particular hosts connecting to particular services, or patterns of failed connection attempts (Varadarajan & Pelaez, 2015).
In addition, Bro uses a special policy language that allows a site to tailor Bro's operation whenever needed, as when site policies change or new anomalies and attacks are detected. When Bro detects an intrusion or something else of interest, it can be instructed to generate a log entry, to alert the operator in real time, or to execute an operating system command (for instance, to terminate the connection or block a hostile host on the fly). Furthermore, Bro's detailed log files can be particularly useful for forensics (Varadarajan & Pelaez, 2015). Bro was created by Vern Paxson, a member of the Network Research Group at Lawrence Berkeley National Lab, in 1998, under research conducted by the International Computer Science Institute. Bro can perform analysis on multiple layers: policy-based attack detection, behavioural monitoring, policy enforcement and logging of network activity. It detects attacks by parsing the network traffic to extract its application-level semantics, and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome. Its analysis includes the identification of specific attacks, such as those defined by signatures and those defined in terms of events. It also identifies unusual activity, for instance a specific host connecting to particular services, or patterns of many failed attempts to establish a connection (Mehra, 2012). Bro scrutinizes traffic in three main steps. In the first step it filters the traffic, discarding all components of negligible importance that need not be part of the analysis.
The remaining data is then passed to the event engine, in which Bro interprets the structure of the network packets, abstracts them by putting them in order, and produces high-level events that describe the whole activity. Finally, it executes the policy scripts against the stream of events in order to identify the activity specified in the policy, so that it can generate alerts or take a specific corrective action, for instance on potential intrusions (Mehra, 2012; Sommer, 2015).

Components of Bro

The major components of the Bro IDS, as explained by Sommer (2015), are:

libpcap
Event Engine
Policy Script Interpreter

Figure 2: Process of Bro. Image source: (Mehra, 2012)

Libpcap

Libpcap, the pcap library, is required for Bro to function: it is used to acquire data packets from the network interfaces. Just as WinPcap is used on Windows, the name of this API on Unix is libpcap. It extracts all the important data packets, manages the whole stream of traffic coming from the network layer, and filters out unnecessary parts of packets. After the necessary packets have been selected, the stream is passed to the event engine.

Event Engine

Another important component of Bro is the event engine. It takes the packets from libpcap and arranges them in order so that events can be recognized that describe the whole activity that took place. This component is written in C++.

Policy Script Interpreter

The third component, the policy script interpreter, takes the high-level events that the event engine creates and compares them with the rules and predetermined policy scripts in the system.
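The following added example, written for this page and not taken from Bro's own code, models the three stages just described in Python: a libpcap-style filter, an event engine that turns packet-level structure into high-level events, and a policy script interpreter that consumes those events from a FIFO queue. The event names mirror Bro's connection events, but the engine, the packet records, the FAILED_THRESHOLD policy parameter and the handlers in load_policy are this example's own; the sample traffic is constructed.

```python
"""Toy model of Bro's three stages: libpcap-style filtering -> event engine ->
policy script interpreter with a FIFO event queue. Constructed example, not
Bro's code: the event names mirror Bro's connection events, but the engine,
the packet records and the policy handlers are this example's own."""
from __future__ import annotations
from collections import Counter, deque

FAILED_THRESHOLD = 3   # assumed policy parameter, not a Bro default

class Bro:
    def __init__(self):
        self.handlers = {}          # loaded policy: event name -> handler
        self.queue = deque()        # FIFO: events are processed in arrival order
        self.notices = []           # what the operator is told about
        self.conn_log = []          # detailed record kept for forensics
        self.failed = Counter()     # rejected connections per originating host

    def on(self, name):
        """Register a handler for an event; stands in for an event handler in a Bro script."""
        def register(fn):
            self.handlers[name] = fn
            return fn
        return register

    def capture(self, raw_packets):
        """Stage 1 (libpcap filter): keep only the TCP SYN, SYN-ACK and RST segments this
        policy cares about; everything else is discarded before analysis."""
        return [p for p in raw_packets
                if p["proto"] == "tcp" and p["flags"] in ("S", "SA", "R")]

    def event_engine(self, packets):
        """Stage 2: interpret packet structure and queue high-level events. SYN-ACK and
        RST travel from responder to originator, so the roles are swapped for them."""
        for p in packets:
            if p["flags"] == "S":
                conn = {"orig": p["src"], "resp": p["dst"], "service": p["dport"]}
                self.queue.append(("connection_attempt", conn))
            else:
                conn = {"orig": p["dst"], "resp": p["src"], "service": p["sport"]}
                name = "connection_established" if p["flags"] == "SA" else "connection_rejected"
                self.queue.append((name, conn))

    def interpret(self):
        """Stage 3 (policy script interpreter): handle events FIFO; an event with no
        handler in the loaded policy is dropped. Returns the number of events handled."""
        handled = 0
        while self.queue:
            name, conn = self.queue.popleft()
            fn = self.handlers.get(name)
            if fn is not None:
                fn(self, conn)
                handled += 1
        return handled

    def run(self, raw_packets):
        self.event_engine(self.capture(raw_packets))
        return self.interpret()

def load_policy(bro: Bro) -> None:
    """The 'policy script': log every attempt, and raise a notice for a host whose
    connections are rejected FAILED_THRESHOLD times (the failed-connection pattern)."""
    @bro.on("connection_attempt")
    def _attempt(b, c):
        b.conn_log.append(f"{c['orig']} -> {c['resp']}:{c['service']} attempt")

    @bro.on("connection_rejected")
    def _rejected(b, c):
        b.failed[c["orig"]] += 1
        if b.failed[c["orig"]] == FAILED_THRESHOLD:
            b.notices.append(f"{c['orig']} had {FAILED_THRESHOLD} connections rejected")
    # connection_established has no handler here, so those events are discarded.

def _conn(src, dst, sport, dport, accepted):
    """Constructed two-segment exchange: SYN from src, then SYN-ACK or RST back."""
    return [
        {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": dport, "flags": "S"},
        {"proto": "tcp", "src": dst, "dst": src, "sport": dport, "dport": sport,
         "flags": "SA" if accepted else "R"},
    ]

# Constructed sample traffic: one normal connection, one UDP packet the filter drops,
# and one host whose attempts on three closed services are all rejected.
SAMPLE_PACKETS = (
    _conn("10.0.0.5", "192.0.2.20", 50000, 443, accepted=True)
    + [{"proto": "udp", "src": "10.0.0.5", "dst": "192.0.2.53", "sport": 50001, "dport": 53, "flags": ""}]
    + _conn("10.0.0.7", "192.0.2.20", 50002, 22, accepted=False)
    + _conn("10.0.0.7", "192.0.2.20", 50003, 23, accepted=False)
    + _conn("10.0.0.7", "192.0.2.20", 50004, 25, accepted=False)
)

def analyze(raw_packets=SAMPLE_PACKETS) -> Bro:
    bro = Bro()
    load_policy(bro)
    bro.run(raw_packets)
    return bro

if __name__ == "__main__":
    result = analyze()
    print("\n".join(result.conn_log))
    print("\n".join(result.notices))
```

Two design points carry over from Bro itself: the interpreter only reacts to events the loaded policy defines (the established-connection event here is queued by the engine but dropped for lack of a handler), and the connection log is written regardless of whether a notice fires, which is what makes the logs useful for forensics after the fact.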
These events are queued in a FIFO (first in, first out) list, meaning that the events that arrive first are processed first. The policy script interpreter performs a corrective action when suspicious or hazardous activity is identified; in addition, it discards events that are not defined or described in the policy scripts. It can also identify traffic that looks like an attack but is actually benign; such false positives are caught at this point, and if the rules and policy scripts are good and up to date, such issues are marginal. The scripts are written in the Bro language (Sommer, 2015). To run Bro on any computer network, the computer must have a UNIX-based system, such as a Solaris distribution, Linux or FreeBSD. The main aim of Bro is to detect attacks or intrusions on high-volume, high-speed (Gbps) networks. It is intended for sites that require flexible and highly customizable intrusion detection. Mainly, Bro has been developed as a research platform for intrusion detection and traffic analysis (Mehra, 2012; Sommer, 2015).

Comparison of Snort and Bro IDS

In this section the two programs, Snort and Bro, are compared on the basis of different factors, for instance speed, flexibility, signatures, interface, deployment and operating system compatibility (Mehra, 2012; Moya, 2008):

Speed

Regarding speed, Bro is capable of functioning in high-speed environments and is quite efficient at extracting data from Gbps networks. This makes it more appropriate for large-scale networks, while Snort is not capable of functioning well in high-speed environments without dropping packets or slowing the traffic.
Signatures

From the perspective of signatures for identifying attacks, Bro's signatures are more refined and sophisticated than Snort's.

Flexibility

In terms of flexibility, Bro has a more flexible intrusion detection system, which can be configured and modified and then specified for its intended network. Bro comes with pre-written policy scripts that can be used out of the box and can easily identify most unknown events. When users need to add more expected events, features or possible attacks, they can write their own policy rules based on their customized policy, which increases flexibility. Snort, on the other hand, has no facility for such customized policy scripting and therefore lags behind Bro in flexibility. New and customized features in Bro are added with policy scripts written in the Bro language, whereas in Snort such new features are added in the C language.

Deployment

Snort is considered more of a plug-and-play system and is easier to use, while Bro is quite complicated and takes much more time and effort to install and understand.

Interface

Snort has a graphical user interface that is more attractive and makes it more widespread. The lack of a good user interface in Bro can be seen as a drawback; consequently, a good understanding of the functionality and management of a UNIX system is required.

Operating System Compatibility

Snort is compatible with all of the most prevalent contemporary operating systems and is not restricted to a fully dedicated server hardware policy, while Bro is limited to UNIX-based operating systems.

Conclusion

In the current IDS market there are many systems that are open source and free of charge, but some are not without cost.
Snort and Bro are IDS systems that are free of cost and available for download by any user from their web pages. Other commercial IDS systems can be very costly, so Snort, Bro and other freeware IDS systems can be considered when the user does not want to invest a lot in such programs. When selecting an intrusion detection system, the user should not opt for Bro if the user is not specialized in UNIX-based systems and needs to implement a core IDS for the network. Alternatively, as the vendors have explained, Bro is a system used for testing. Consequently, if a user needs to test, or needs an additional intrusion detection system as an enhancement to a central IDS, then the user should opt for Bro. If the user needs to tailor the IDS precisely to his network, then again he can opt for Bro. Bro is much more efficient for Gbps networks than Snort. For high-speed environments Snort is not a good option, nor is it a system for testing and modification. Snort stresses performance and simplicity, which makes it a good option for any OS, and it is also one of the best choices for a lightweight IDS. Snort can easily be deployed on any node of a network with minimal disruption to operations.

References

Anderson, J. (1980). Computer Security Threat Monitoring and Surveillance. Technical report. James P. Anderson Co., Fort Washington, Pennsylvania.
Bradley, T. (2015). IDS. Retrieved from About.com: http://netsecurity.about.com/cs/generalsecurity/g/def_ids.htm
Helman, P., Liepins, G., & Richards, W. (1992). Foundations of Intrusion Detection. Computer Security Foundations Workshop V, 1992. Proceedings (pp. 114-120). Franconia, NH, USA: IEEE.
Mehra, P. (2012). A brief study and comparison of Snort and Bro Open Source Network Intrusion Detection Systems. International Journal of Advanced Research in Computer and Communication Engineering, Volume 1 Issue 6, pp. 383-386.
Moya, M. A. (2008). Analysis And Evaluation Of The Snort And Bro Network Intrusion Detection Systems. Madrid: Comillas Pontifical University.
Rajesh, K. (2005). Snort – Open Source Intrusion Detection System. Retrieved from excITingIP.com: http://www.excitingip.com/636/snort-open-source-intrusion-detection-system/
Richard, M. (2001, April 05). Intrusion Detection FAQ: Are there limitations of Intrusion Signatures? Retrieved from SANS.Org: http://www.sans.org/security-resources/idfaq/limitations.php
Rouse, M. (2005, September). Snort. Retrieved from TechTarget.com: http://searchmidmarketsecurity.techtarget.com/definition/Snort
Silberschatz, A., Galvin, P. B., & Gagne, G. (2004). Operating System Concepts (7th Edition). New York: Wiley.
Sommer, R. (2015). Bro: An Open Source Network Intrusion Detection System. Retrieved from http://subs.emis.de/LNI/Proceedings/Proceedings44/GI-Proceedings.44.innen-15.pdf
Sundaram, A. (1996). An introduction to intrusion detection. Crossroads - Special issue on computer security, Volume 2 Issue 4, pp. 3-7.
Varadarajan, G. K., & Pelaez, M. H. (2015). Web Application Attack Analysis Using Bro IDS. The SANS Institute.
Yuan, W., Tan, J., & Le, P. D. (2013). Distributed Snort Network Intrusion Detection System with Load Balancing Approach. Retrieved from http://worldcomp-proceedings.com/proc/p2013/SAM9750.pdf
Source: Analytical Research Paper on IDS Systems SNORT Vs Bro. Retrieved from https://studentshare.org/information-technology/1678066-analytical-reseach-paper-on-ids-systems-snort-vs-bro