IDS (Intrusion detection system)

Upload: netwax-lab

Post on 16-Jul-2015

Page 1: IDS (intrusion detection system)

IDS (Intrusion detection system)

An IDS (Intrusion detection system) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDSs come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. There are network-based (NIDS) and host-based (HIDS) intrusion detection systems. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system.

An IDS (Intrusion detection system) is designed to monitor all inbound and outbound network activity and identify any suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. An IDS is considered a passive-monitoring system, since the main function of an IDS product is to warn you of suspicious activity taking place, not to prevent it.

An IDS specifically looks for suspicious activity and events that might be the result of a virus, worm or hacker. This is done by looking for known intrusion signatures or attack signatures that characterize different worms or viruses, and by tracking general variances which differ from regular system activity. The IDS is able to provide notification only of known attacks.

The network administrator can configure the IDS to choose the appropriate response to various threats. When packets in a session match a signature, the IDS can be configured to take these actions:

- Send an alarm to a syslog server or a Cisco Secure IDS Director (centralized management interface)
- Drop the packet
- Reset the TCP connection

Figure 1 IDS (Intrusion detection system)


The information provided by the IDS will help the security and network management teams uncover, as a start:

- Security policy violations, such as systems or users who are running applications against policy
- Infections, such as viruses or Trojan horses that have partial or full control of internal systems, using them to spread infection and attack other systems
- Information leakage, such as running spyware and key loggers, as well as accidental information leakage by valid users
- Configuration errors, such as applications or systems with incorrect security settings or performance-killing network misconfiguration, as well as misconfigured firewalls where the rule set does not match policy
- Unauthorized clients and servers, including network-threatening server applications such as DHCP or DNS service, along with unauthorized applications such as network scanning tools or unsecured remote desktop.

Network Intrusion Detection Systems

Network Intrusion Detection Systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. A NIDS performs an analysis of passing traffic on the entire subnet, works in promiscuous mode, and matches the traffic that is passed on the subnets to the library of known attacks. Once an attack is identified, or abnormal behavior is sensed, the alert can be sent to the administrator. An example of a NIDS deployment would be installing it on the subnet where firewalls are located in order to see if someone is trying to break into the firewall. Ideally one would scan all inbound and outbound traffic; however, doing so might create a bottleneck that would impair the overall speed of the network. OPNET and NetSim are commonly used tools for simulating network intrusion detection systems.

Host Intrusion Detection Systems

Host Intrusion Detection Systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected. It takes a snapshot of existing system files and matches it to the previous snapshot. If critical system files were modified or deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission-critical machines, which are not expected to change their configurations.

Intrusion detection systems can also be system-specific using custom tools and honeypots.

Misuse Detection vs. Anomaly Detection

In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, detection software is only as good as the database of intrusion signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and looks for anomalies.

Passive vs. Reactive Systems

In a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.

False Positives and Negatives

The term false positive refers to security systems incorrectly seeing legitimate requests as spam or security breaches. Basically, the IDS detects something it is not supposed to. Conversely, an IDS is prone to false negatives, where the system fails to detect something it should. Both of these problems are associated with IDS, but they are issues vendors spend a lot of time working on, and as a result it is not believed that an IDS produces a high percentage of false positives or false negatives. Still, it is a topic worth considering when looking at different IDS solutions.

IDS Detection Techniques

HIDS and NIDS can come in a number of types of intrusion systems as well. All Intrusion Detection Systems use one of three detection techniques:

Statistical anomaly-based IDS

An IDS which is anomaly based will monitor network traffic and compare it against an established baseline. The baseline will identify what is “normal” for that network: what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other. It alerts the administrator or user when traffic is detected which is anomalous, or significantly different, from the baseline. The issue is that it may raise a false positive alarm for a legitimate use of bandwidth if the baselines are not intelligently configured.

Signature-based IDS

A signature-based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag time your IDS would be unable to detect the new threat.


Rule based

Rule-based systems are more advanced and cleverly built systems. A knowledge base programmed as rules will decide the output alongside an inference engine. If, for example, all the defined rules match, a certain assumption can be determined on which an action may take place. This assumption is the power of the inference engine. The inference engine can assume an attack may be occurring because of many factors; this is unique and behaves very much like the human mind. In normal computing assumptions cannot be made, it is either yes or no, but the inference engine adds a different level of thinking; it also adds the “probably” to the list, like humans. If it rains and is warm, we can assume it may thunder. If more traffic was leaving the company than usual, and coming from a certain server, the inference engine may assume that the server could be compromised by a hacker.
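As an added example (not part of the original document), the following Python sketch runs the techniques of the preceding sections over constructed flow records: an atomic signature (the page's trojan on port 12345) and a compound one (a ping sweep spread over several hosts), an anomaly check against a baseline, and a rule-based inference that turns the page's "more traffic than usual, leaving from a certain server" factors into a "probably compromised" verdict, then counts false positives and false negatives against constructed ground truth. All addresses, the baseline figures, the thresholds, the non-default port 5555 and the labels are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows, not from the page: (src, dst, proto, dport, bytes_out).
TRAFFIC = [
    ("10.0.0.5", "10.0.1.2", "tcp", 80, 1200),
    ("10.0.0.5", "10.0.1.2", "tcp", 443, 3100),
    ("10.0.0.6", "10.0.1.2", "tcp", 80, 900),
    ("10.0.0.7", "10.0.1.3", "tcp", 12345, 400),      # trojan on its default port (page example)
    ("10.0.0.8", "10.0.1.3", "tcp", 5555, 400),       # same trojan moved to a non-default port
    ("10.0.0.9", "10.0.1.1", "icmp", 0, 64),          # one source probing many hosts (ping sweep)
    ("10.0.0.9", "10.0.1.2", "icmp", 0, 64),
    ("10.0.0.9", "10.0.1.3", "icmp", 0, 64),
    ("10.0.0.9", "10.0.1.4", "icmp", 0, 64),
    ("10.0.1.2", "203.0.113.7", "tcp", 443, 900000),  # internal server sending far more than usual
]
# Constructed baseline: bytes_out per host over one period on a "normal" day.
BASELINE_BYTES = [2000, 4500, 1800, 5000, 3200, 4100]
SERVERS = {"10.0.1.2", "10.0.1.3"}                    # hosts the rule base treats as servers
LABELED_BAD = {"10.0.0.7", "10.0.0.8", "10.0.0.9", "10.0.1.2"}  # constructed ground truth

def atomic_signatures(flows):
    """Misuse detection, atomic form: a single flow is enough to match."""
    return [("trojan-default-port", s) for s, _, p, dport, _ in flows
            if p == "tcp" and dport == 12345]

def compound_signatures(flows, min_hosts=4):
    """Misuse detection, compound form: a pattern spread across many hosts."""
    probed = defaultdict(set)
    for s, d, p, _, _ in flows:
        if p == "icmp":
            probed[s].add(d)
    return [("ping-sweep", s) for s, hosts in probed.items() if len(hosts) >= min_hosts]

def anomaly_detection(flows, baseline, k=3.0):
    """Anomaly detection: per-source bytes_out above mean + k*stdev of the baseline."""
    per_src = defaultdict(int)
    for s, _, _, _, b in flows:
        per_src[s] += b
    limit = mean(baseline) + k * pstdev(baseline)
    return [("bytes-out-anomaly", s) for s, total in per_src.items() if total > limit]

def inference(alerts, servers):
    """Rule-based step: an outbound volume anomaly on a server -> 'probably compromised'."""
    return [("server-probably-compromised", s) for name, s in alerts
            if name == "bytes-out-anomaly" and s in servers]

def run_detection(flows=TRAFFIC, baseline=BASELINE_BYTES, labeled_bad=LABELED_BAD):
    alerts = (atomic_signatures(flows) + compound_signatures(flows)
              + anomaly_detection(flows, baseline))
    alerts += inference(alerts, SERVERS)
    flagged = {s for _, s in alerts}
    return {
        "alerts": sorted(alerts),
        "false_positives": sorted(flagged - labeled_bad),  # flagged but benign
        "false_negatives": sorted(labeled_bad - flagged),  # bad but missed: no signature, normal volume
    }

if __name__ == "__main__":
    for key, value in run_detection().items():
        print(key, value)
```

The host on port 5555 ends up as the one false negative: no signature names that port and its volume sits inside the baseline, which is the gap the later "Avoiding defaults" evasion item describes.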

Cisco IOS Firewall IDS Signature List

The following is a complete list of Cisco IOS Firewall IDS signatures. A signature detects patterns of misuse in network traffic. In Cisco IOS Firewall IDS, signatures are categorized into four types:

- Info Atomic
- Info Compound
- Attack Atomic
- Attack Compound

An info signature detects information-gathering activity, such as a port sweep.

An attack signature detects attacks attempted into the protected network, such as denial-of-service attempts or the execution of illegal commands during an FTP session.

Info and attack signatures can be either atomic or compound signatures. Atomic signatures can detect patterns as simple as an attempt to access a specific port on a specific host. Compound signatures can detect complex patterns, such as a sequence of operations distributed across multiple hosts over an arbitrary period of time.

The intrusion-detection signatures included in the Cisco IOS Firewall were chosen from a broad cross-section of intrusion-detection signatures as representative of the most common network attacks and information-gathering scans that are not commonly found in an operational network.

The following signatures are listed in numerical order by their signature number in the Cisco Secure IDS Network Security Database. After each signature's name is an indication of the type of signature (info or attack, atomic or compound).


Cisco Secure IDS Components

The Cisco Secure IDS consists of three components:

- Sensor
- Director
- Post Office

Cisco Secure IDS Sensors, which are high-speed network appliances, analyze the content and context of individual packets to determine if traffic is authorized. If a network's data stream exhibits unauthorized or suspicious activity, such as a SATAN attack, a ping sweep, or the transmission of a secret research project code word, Cisco Secure IDS Sensors can detect the policy violation in real time, forward alarms to a Cisco Secure IDS Director management console, and remove the offender from the network.

The Cisco Secure IDS Director is a high-performance, software-based management system that centrally monitors the activity of multiple Cisco Secure IDS Sensors located on local or remote network segments.

The Cisco Secure IDS Post Office is the communication backbone that allows Cisco Secure IDS services and hosts to communicate with each other. All communication is supported by a proprietary, connection-based protocol that can switch between alternate routes to maintain point-to-point connections.

Limitations

- Noise can severely limit an intrusion detection system's effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.
- It is not uncommon for the number of real attacks to be far below the number of false alarms; it is often so far below that the real attacks are missed and ignored.
- Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to newer strategies.
- For signature-based IDSes there will be a lag between a new threat's discovery and its signature being applied to the IDS. During this lag time the IDS will be unable to identify the threat.
- It cannot compensate for weak identification and authentication mechanisms or for weaknesses in network protocols. When an attacker gains access due to a weak authentication mechanism, the IDS cannot prevent the adversary from any malpractice.
- Encrypted packets are not processed by the intrusion detection software. Therefore, an encrypted packet can allow an intrusion to the network that is undiscovered until more significant network intrusions have occurred.
- Intrusion detection software provides information based on the network address that is associated with the IP packet that is sent into the network. This is beneficial if the network address contained in the IP packet is accurate. However, the address that is contained in the IP packet could be faked or scrambled.
- Due to the nature of NIDS systems, and the need for them to analyse protocols as they are captured, NIDS systems can be susceptible to the same protocol-based attacks to which network hosts may be vulnerable. Invalid data and TCP/IP stack attacks may cause a NIDS to crash.

Evasion Techniques

There are a number of techniques which attackers are using; the following are considered ‘simple’ measures which can be taken to evade an IDS:

- Fragmentation: by sending fragmented packets, the attacker will be under the radar and can easily bypass the detection system's ability to detect the attack signature.
- Avoiding defaults: the TCP port utilised by a protocol does not always provide an indication of the protocol which is being transported. For example, an IDS may expect to detect a trojan on port 12345. If an attacker had reconfigured it to use a different port, the IDS may not be able to detect the presence of the trojan.
- Coordinated, low-bandwidth attacks: coordinating a scan among numerous attackers (or agents) and allocating different ports or hosts to different attackers makes it difficult for the IDS to correlate the captured packets and deduce that a network scan is in progress.
- Address spoofing/proxying: attackers can make it harder for security administrators to determine the source of the attack by using poorly secured or incorrectly configured proxy servers to bounce an attack. If the source is spoofed and bounced by a server, it becomes very difficult for the IDS to detect the origin of the attack.
- Pattern change evasion: IDS generally rely on ‘pattern matching’ to detect an attack. By changing the data used in the attack slightly, it may be possible to evade detection. For example, an IMAP server may be vulnerable to a buffer overflow, and an IDS is able to detect the attack signature of 10 common attack tools. By modifying the payload sent by the tool, so that it does not resemble the data that the IDS expects, it may be possible to evade detection.
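As an added example, not from the original document, the following Python code shows the defender's side of the first two items above: a signature that straddles an IP fragment boundary is missed when each fragment is inspected on its own and found again once the datagram is reassembled, and identifying the protocol from the payload keeps a service inspected with the right signatures after it has been moved off its default port. The IMAP "long LOGIN" pattern, the fragment contents and the port numbers are constructed for the example.

```python
import re

# Constructed signature for the page's IMAP buffer-overflow example: a LOGIN command whose
# argument is implausibly long. The pattern and the length threshold are made up here.
IMAP_LONG_LOGIN = re.compile(rb"\bLOGIN \S{256,}")
# Constructed protocol fingerprint: an IMAP tagged command, whatever port it arrives on.
IMAP_COMMAND = re.compile(rb"^[A-Za-z0-9]+ (LOGIN|CAPABILITY|SELECT|FETCH)\b", re.I)

# Constructed fragments of one datagram as (byte_offset, payload). Real IP fragment offsets
# are in 8-byte units; byte offsets keep the example short. The argument is split so that
# neither fragment alone contains the whole pattern.
FRAGMENTS = [
    (0, b"a001 LOGIN " + b"A" * 100),
    (111, b"A" * 200 + b" secret\r\n"),
]

def match_per_fragment(fragments, sig):
    """Naive inspection: each fragment is matched on its own, so a pattern that straddles
    a fragment boundary is never seen whole. Returns True if any fragment matches."""
    return any(sig.search(payload) is not None for _, payload in fragments)

def reassemble(fragments):
    """Rebuild the datagram before matching. Overlapping bytes keep the first copy seen
    (host stacks differ here, so a NIDS should mirror the hosts it protects); a gap means
    a fragment is missing and the datagram cannot be judged yet."""
    buf = bytearray()
    for offset, payload in sorted(fragments, key=lambda f: f[0]):
        if offset > len(buf):
            raise ValueError("missing fragment before offset %d" % offset)
        buf.extend(payload[len(buf) - offset:])  # skip bytes already held
    return bytes(buf)

def match_reassembled(fragments, sig):
    """Inspection after reassembly: the signature is applied to the whole datagram."""
    return sig.search(reassemble(fragments)) is not None

def classify_protocol(dport, payload):
    """Avoiding-defaults countermeasure: identify the protocol from the payload first and
    fall back to the destination port only when the payload gives no clue."""
    if IMAP_COMMAND.match(payload):
        return "imap"
    return {143: "imap", 21: "ftp", 80: "http"}.get(dport, "unknown")

def inspect(fragments=FRAGMENTS, dport=5555, sig=IMAP_LONG_LOGIN):
    """Compare both inspection strategies on the same fragments."""
    datagram = reassemble(fragments)
    return {
        "protocol": classify_protocol(dport, datagram),
        "per_fragment_match": match_per_fragment(fragments, sig),
        "reassembled_match": match_reassembled(fragments, sig),
    }

if __name__ == "__main__":
    print(inspect())
```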

Free Intrusion Detection Systems

- ACARM-ng
- AIDE
- Bro NIDS
- Fail2ban
- OSSEC HIDS
- Prelude Hybrid IDS
- Samhain
- Snort
- Suricata

Cisco IOS Firewall Intrusion Detection System Commands

(Note: these commands were introduced in Cisco IOS 12.0(5)T.)

clear ip audit configuration

To disable Cisco IOS Firewall IDS, remove all intrusion detection configuration entries, and release dynamic resources, use the clear ip audit configuration EXEC command.

clear ip audit statistics

To reset statistics on packets analyzed and alarms sent, use the clear ip audit statistics EXEC command.

ip audit

To apply an audit specification created with the ip audit name command to a specific interface and for a specific direction, use the ip audit interface configuration command. To disable auditing of the interface for the specified direction, use the no version of this command.

ip audit audit-name {in | out}

no ip audit audit-name {in | out}

ip audit attack

To specify the default actions for attack signatures, use the ip audit attack global configuration command. To set the default action for attack signatures, use the no form of this command.

ip audit attack {action [alarm] [drop] [reset]}

no ip audit attack

ip audit info

To specify the default actions for info signatures, use the ip audit info global configuration command. To set the default action for info signatures, use the no form of this command.

ip audit info {action [alarm] [drop] [reset]}

no ip audit info


ip audit name

To create audit rules for info and attack signature types, use the ip audit name global configuration command. To delete an audit rule, use the no form of this command.

ip audit name audit-name {info | attack} [list standard-acl] [action [alarm] [drop] [reset]]

no ip audit name audit-name {info | attack}

ip audit notify

To specify the method of event notification, use the ip audit notify global configuration command. To disable event notifications, use the no form of this command.

ip audit notify {nr-director | log}

no ip audit notify {nr-director | log}

ip audit po local

To specify the local Post Office parameters used when sending event notifications to the NetRanger Director, use the ip audit po local global configuration command. To set the local Post Office parameters to their default settings, use the no form of this command.

ip audit po local hostid id-number orgid id-number

no ip audit po local [hostid id-number orgid id-number]

ip audit po max-events

To specify the maximum number of event notifications that are placed in the router's event queue, use the ip audit po max-events global configuration command. To set the number of recipients to the default setting, use the no version of this command.

ip audit po max-events number-of-events

no ip audit po max-events

ip audit po protected

To specify whether an address is on a protected network, use the ip audit po protected global configuration command. To remove network addresses from the protected network list, use the no form of this command. If you specify an IP address for removal, that address is removed from the list. If you do not specify an address, then all IP addresses are removed from the list.

ip audit po protected ip-addr [to ip-addr]

no ip audit po protected [ip-addr]


ip audit po remote

To specify one or more sets of Post Office parameters for NetRanger Directors receiving event notifications from the router, use the ip audit po remote global configuration command. To remove a NetRanger Director's Post Office parameters as defined by host ID, organization ID, and IP address, use the no form of this command.

ip audit po remote hostid host-id orgid org-id rmtaddress ip-address localaddress ip-address [port port-number] [preference preference-number] [timeout seconds] [application {director | logger}]

no ip audit po remote hostid host-id orgid org-id rmtaddress ip-address

ip audit signature

To attach a policy to a signature, use the ip audit signature global configuration command. You can set two policies: disable a signature or qualify the audit of a signature with an access list. To remove the policy, use the no form of this command. If the policy disabled a signature, then the no form of this command reenables the signature. If the policy attached an access list to the signature, the no form of this command removes the access list.

ip audit signature signature-id {disable | list acl-list}

no ip audit signature signature-id

ip audit smtp

To specify the number of recipients in a mail message over which a spam attack is suspected, use the ip audit smtp global configuration command. To set the number of recipients to the default setting, use the no form of this command.

ip audit smtp spam number-of-recipients

no ip audit smtp spam

show ip audit configuration

To display additional configuration information, including default values that may not be displayed using the show run command, use the show ip audit configuration EXEC command.

show ip audit configuration

show ip audit interface

To display the interface configuration, use the show ip audit interface EXEC command.

show ip audit interface


show ip audit statistics

To display the number of packets audited and the number of alarms sent, among other information, use the show ip audit statistics EXEC command.

show ip audit statistics