Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention with Snort - PowerPoint PPT Presentation

1
Lessons Learned from Teaching Intrusion Detection
and Intrusion Prevention with Snort
  • Dr. Jim Chen, Victor Tsao, Barry Williams,
    Tokunbo Olojo, John Smet, Nicole Regobert, Lamin
    Kamara, Michael Hughes
  • March 2006

2
CSMN683 Intrusion Detection, Incident Response,
and Computer Forensics Course Description
  • The theory, skills, and tools needed in
    intrusion detection and computer forensics are
    the major themes in this course. The course
    discusses techniques for identifying vulnerable
    target systems and types of malicious code, for
    mitigating security risks, and for recognizing
    attack patterns. It also presents the conceptual
    and operational tools necessary for analysis and
    resolution of problems with respect to effective
    filters and firewalls, attack tracing, system
    recovery, continuity of operation, evidence
    collection, evidence analysis, and prosecution.

3
Student Background
  • 38.09% of students had heard about at least one
    intrusion detection system.
  • 14.28% of students had heard about Snort.
  • 61.91% of students had never played with any
    intrusion detection system.
  • 90.47% of students had never seen a signature or
    a rule within an intrusion detection system.
  • 85.71% of students had never seen a log analyzer.

4
Challenges
  • (1) How to explain intrusion?
  • (2) How to explain detection?
  • (3) How to show detection methods?
  • (4) How to demonstrate the limitations in some
    detection methods?
  • (5) How to encourage students to figure out ways
    of overcoming the limitations?

5
Solution
  • Selected Snort since it is an open source product
  • Designed and developed some hands-on laboratory
    exercises using Snort

6
Snort
  • Snort is an open source network intrusion
    prevention and detection system utilizing a
    rule-driven language, which combines the benefits
    of signature, protocol and anomaly based
    inspection methods. With millions of downloads to
    date, Snort is the most widely deployed intrusion
    detection and prevention technology worldwide and
    has become the de facto standard for the
    industry.
  • from http://www.snort.org/

7
4 Lab Exercises Using Snort
  • Lab 1: Shows the intrusion and the detection of
    the intrusion, addressing Challenges (1) and (2)
  • Lab 2: Shows the detection method using signature
    technology and its limitations, addressing
    Challenges (3) and (4)
  • Lab 3: Shows the analysis of Intrusion Detection
    System logs using an analysis engine, addressing
    Challenge (5)
  • Lab 4: Shows one way of improving the IDS by
    writing plug-ins, addressing Challenge (5)

8
Objectives of Lab 1
  • Show an intrusion
  • Show the issues in detecting the intrusion
  • Detect the intrusion

9
Lab 1 Intrusion Detection
  • One computer with Snort running on it
  • Another computer with an intrusion software tool
    running on it
  • Connect the two computers together to form a
    network

10
Intrusion Detection
  • Demo

11
Lab 1 Lesson Learned
  • It is not difficult to exploit a vulnerability
    within a computer system.
  • By default, some intrusions may not be detected
    using Snort.
  • With appropriate signatures and rules, some
    intrusions can be detected.

12
Objectives of Lab 2
  • Discuss the benefits and limitations of using
    signatures and rules
  • Explain the syntax of rules in Snort
  • Learn to modify the existing rules and write new
    rules

13
Lab 2 Signatures for Intrusion Detection
  • What is a signature?
  • Why are signatures needed in an intrusion
    detection system?
  • What is a rule in Snort?
  • What is the syntax of a rule in Snort?
  • How do Snort rules work?

14
Anatomy of a Rule
  • Rule header: contains the rule's action,
    protocol, source IP address, source port number,
    destination IP address, destination port number,
    etc.
  • Rule body (rule options): consists of keywords and
    arguments used to trigger an alert, etc.

15
Signatures for Intrusion Detection
  • Demo

16
Writing Rules
  • Identify the characteristics of the suspicious
    traffic
  • Write rules based on the characteristics
  • Implement the rules
  • Test the rules to see if they capture the
    suspicious traffic
  • Modify the rules accordingly
  • Test and modify the rules again
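The two slides above (the anatomy of a rule, and the write/test/modify cycle) can be shown in working code. The following is an added teaching example, not code from the presentation or from Snort: a deliberately small matcher that splits a Snort-style rule into its header fields and its options, applies it to hand-labelled traffic, and counts false positives and false negatives. The traffic, the "CONSTRUCTED_BAD" request strings, the sids and the two rule revisions are all constructed for the example; Snort's real engine does far more (preprocessors, fast pattern matching, many more option keywords) than this.

```python
"""Parse a Snort-style rule into its header and options, then test it against
constructed labelled traffic, counting false positives and false negatives.
Added teaching example: a deliberately small matcher, not Snort's own engine."""
import ipaddress
import re

# Options are 'keyword:value;' or bare 'keyword;' pairs; values may be quoted.
OPTION_RE = re.compile(r'([a-z_]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]+))?;')


def parse_rule(rule_text):
    """Split 'action proto src sport dir dst dport (options)' into a dict."""
    header, _, body = rule_text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = {}
    for key, val in OPTION_RE.findall(body.rstrip(")")):
        options[key] = val.strip('"') if val else True   # bare keyword -> True
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def _addr_matches(spec, ip):
    """'any', a CIDR block, or a '!'-negated CIDR block."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _port_matches(spec, port):
    """'any', a single port, or a 'low:high' range (either end may be empty)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def _header_matches(rule, pkt):
    return (_addr_matches(rule["src"], pkt["src"]) and _port_matches(rule["sport"], pkt["sport"])
            and _addr_matches(rule["dst"], pkt["dst"]) and _port_matches(rule["dport"], pkt["dport"]))


def rule_matches(rule, pkt):
    """Header fields first (cheap), then the content/nocase options."""
    if rule["proto"] != pkt["proto"]:
        return False
    hit = _header_matches(rule, pkt)
    if rule["dir"] == "<>" and not hit:   # bidirectional rule: try the reverse direction too
        swapped = dict(pkt, src=pkt["dst"], sport=pkt["dport"], dst=pkt["src"], dport=pkt["sport"])
        hit = _header_matches(rule, swapped)
    if not hit:
        return False
    opts = rule["options"]
    if "content" in opts:
        payload, needle = pkt["payload"], opts["content"]
        if opts.get("nocase"):
            payload, needle = payload.lower(), needle.lower()
        if needle not in payload:
            return False
    return True


def evaluate(rule_text, traffic):
    """Return (alerts, false_positives, false_negatives) over labelled traffic."""
    rule = parse_rule(rule_text)
    alerts = fp = fn = 0
    for pkt in traffic:
        hit = rule_matches(rule, pkt)
        alerts += hit
        fp += hit and not pkt["malicious"]
        fn += pkt["malicious"] and not hit
    return alerts, fp, fn


def _pkt(proto, src, sport, dst, dport, payload, malicious):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                payload=payload, malicious=malicious)


# Constructed traffic, hand-labelled; the "bad" requests are invented placeholders.
TRAFFIC = [
    _pkt("tcp", "10.0.0.5", 40001, "192.168.1.10", 80, "GET /index.html HTTP/1.0\r\n", False),
    _pkt("tcp", "10.0.0.5", 40002, "192.168.1.10", 80, "GET /cgi-bin/x.cgi?cmd=CONSTRUCTED_BAD HTTP/1.0\r\n", True),
    _pkt("tcp", "10.0.0.9", 51000, "192.168.1.11", 80, "GET /CGI-BIN/x.cgi?cmd=CONSTRUCTED_BAD HTTP/1.0\r\n", True),
    _pkt("tcp", "10.0.0.7", 41000, "192.168.1.10", 80, "GET /docs/cgi-bin-faq.html HTTP/1.0\r\n", False),
    _pkt("udp", "10.0.0.7", 53011, "192.168.1.2", 53, "cgi-bin", False),  # wrong protocol/port: header filters it
]

# First attempt: header plus a broad, case-sensitive content match.
RULE_V1 = 'alert tcp any any -> 192.168.1.0/24 80 (msg:"Constructed: cgi-bin access"; content:"cgi-bin"; sid:1000001; rev:1;)'
# Refined after testing: anchor the path with slashes and ignore case.
RULE_V2 = 'alert tcp any any -> 192.168.1.0/24 80 (msg:"Constructed: /cgi-bin/ request"; content:"/cgi-bin/"; nocase; sid:1000001; rev:2;)'

if __name__ == "__main__":
    for name, rule in (("v1", RULE_V1), ("v2", RULE_V2)):
        print(name, "alerts/FP/FN =", evaluate(rule, TRAFFIC))
```

Running it shows the cycle the slides describe: revision 1 fires on the benign FAQ page (a false positive) and misses the upper-case request (a false negative); revision 2, after inspecting both, gives 2 alerts with no false positives or negatives on this traffic. The same harness can then be run against new captures, which is where the remaining limitations of a pure content signature show up.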

17
Lab 2 Lesson Learned
  • It is important to identify the characteristics
    of the suspicious traffic before writing any
    rules.
  • Rules need to be tested, modified, and further
    tested and modified again in order to reduce
    false positives and false negatives.
  • It is also important to know the limitations of
    signature technology.

18
Objectives of Lab 3
  • Discuss the importance of using a log analyzer,
    such as BASE (Basic Analysis and Security Engine)
    or ACID (Analysis Console for Intrusion
    Databases)
  • Learn to use BASE to analyze log files

19
Lab 3 Intrusion Detection Log Analysis
  • Use BASE (Basic Analysis and Security Engine) to
    analyze log files
  • Show the different functionalities of BASE

20
Basic Analysis and Security Engine
  • Written in the PHP programming language
  • Analyzes intrusion logs
  • Displays information from a database in a
    Web-based format
  • Generates graphs and alerts based on the sensor,
    time, signature, and protocol
  • Displays on the main page a summary of currently
    logged alerts as well as various alert summary
    breakdowns and links to graphs
  • Can be administered based on categories such as
    alert groups, false positives, and e-mail alerts
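To make concrete what a console such as BASE computes from Snort's logs, here is an added example that is not part of the presentation and is not BASE code: it parses lines in Snort's alert_fast output format and builds the summary counters (totals, per signature, per source, per protocol, per hour) that the main page of a log analyzer displays. The log lines, sids and message texts are constructed for the example; the parser tolerates lines it cannot read and reports how many it skipped, since silently dropping records is exactly what an analyst must not do.

```python
"""Summarise Snort alert_fast log lines the way a BASE-style console does:
totals, and counts per signature, source address, protocol and hour.
Added teaching example, not BASE code; the log lines below are constructed."""
import re
from collections import Counter

# Snort's alert_fast line layout:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:port -> dst:port
# Classification and the port numbers are optional (ICMP alerts carry no ports).
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample log (not real sensor output); the last line is deliberately corrupt.
SAMPLE_LOG = """\
03/15-09:58:12.104233  [**] [1:1000001:2] Constructed: /cgi-bin/ request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:40001 -> 192.168.1.10:80
03/15-09:59:03.551870  [**] [1:1000001:2] Constructed: /cgi-bin/ request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:40002 -> 192.168.1.10:80
03/15-10:02:44.000120  [**] [1:1000002:1] Constructed: ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.10
03/15-10:17:19.772001  [**] [1:1000001:2] Constructed: /cgi-bin/ request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:51000 -> 192.168.1.11:80
03/15-11:05:58.330045  [**] [1:1000003:1] Constructed: DNS query burst [**] [Priority: 2] {UDP} 10.0.0.5:53011 -> 192.168.1.2:53
this line is corrupt and must be skipped
"""


def parse_alerts(text):
    """Return (list of parsed alert dicts, number of lines that did not parse)."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        m = FAST_ALERT.match(line.strip())
        if not m:
            skipped += 1          # a real console should surface these, not hide them
            continue
        a = m.groupdict()
        a["prio"] = int(a["prio"])
        a["hour"] = a["ts"][:8]   # "MM/DD-HH" bucket for the trend view
        alerts.append(a)
    return alerts, skipped


def analyze(text):
    """Build the summary counters a BASE-style main page shows."""
    alerts, skipped = parse_alerts(text)
    return {
        "total": len(alerts),
        "skipped": skipped,
        "by_signature": Counter((a["sid"], a["msg"]) for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
        "by_protocol": Counter(a["proto"] for a in alerts),
        "by_hour": Counter(a["hour"] for a in alerts),
        "high_priority": sum(1 for a in alerts if a["prio"] == 1),
    }


def print_report(summary):
    """Text rendering of the summary (BASE renders the same data as web tables and graphs)."""
    print(f"{summary['total']} alerts ({summary['skipped']} unparsable lines), "
          f"{summary['high_priority']} at priority 1")
    for title, key in (("Top signatures", "by_signature"), ("Top sources", "by_source"),
                       ("By protocol", "by_protocol"), ("Alerts per hour", "by_hour")):
        print(title + ":")
        rows = (sorted(summary[key].items()) if key == "by_hour"
                else summary[key].most_common(3))
        for item, n in rows:
            print(f"  {n:4d}  {item}")


if __name__ == "__main__":
    print_report(analyze(SAMPLE_LOG))
```

The per-hour counter is the "trend" the Lab 3 lesson refers to: three of the five alerts come from one source and one signature, which is the kind of pattern that is hard to see in a raw log file but obvious once the data is grouped. The parser is tied to the alert_fast layout; handling other log formats (the improvement the slides ask for) means adding a parser per format that feeds the same summary step.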

21
Basic Analysis and Security Engine
  • Demo

23
Lab 3 Lesson Learned
  • It is important to identify the trend of
    suspicious traffic.
  • Log analyzers can help us to identify the trend
    since they can display log data in a graphical
    and easy-to-understand format.
  • Log analyzers should be further improved to
    handle logs in different formats.

24
Objectives of Lab 4
  • Discuss the importance of using plug-ins
  • Learn to write plug-ins

25
Lab 4 Plug-Ins
  • Learn the functions of plug-ins
  • Write plug-ins

26
Categories of Plug-Ins
  • Output mechanism
  • Complex protocol decoder
  • Detection plug-ins

27
Lab 4 Lesson Learned
  • It is important to realize that the functions of
    an intrusion detection system are still limited.
  • Designing, writing, testing, modifying, further
    testing and modifying plug-ins can help students
    to improve their critical thinking skills and
    creativity.
  • Meanwhile, new functionality can be added into
    the existing system, including the functionality
    for the intrusion prevention system.

28
Student Survey
  • After finishing the first three lab exercises
  • 100% of students had been exposed to at least one
    intrusion detection system.
  • 28.57% of students felt very familiar with
    signatures or rules within an intrusion detection
    system, 61.9% felt somewhat familiar with them,
    and 9.53% felt somewhat unfamiliar with them.
  • 19.05% of students felt very familiar with a log
    analyzer, 52.38% felt somewhat familiar with it,
    23.81% felt somewhat unfamiliar with it, and
    4.76% did not provide an answer.

29
Student Survey
  • After finishing the first three lab exercises
  • 95.24% of students thought the lab exercises would
    be beneficial academically towards their learning
    in the class; 4.76% did not provide an answer.
  • 95.24% of students thought the lab exercises would
    be beneficial in their workplace in regards to
    network security; 4.76% did not provide an
    answer.

30
Comments from Students
  • Good exercises. Hands-on definitely reinforces
    theories read and discussed in class.
  • Lab is helpful. Reinforces the lectures. Having
    hands on is very important to understand IDS.
  • Labs are great to learn with. They should
    continue to be offered.
  • More time to work with other tasks not covered
    in lab to date.
  • More lab time within the class.
  • Etc.

31
Lesson Learned
  • Appropriate signatures in rules can help to
    detect some intrusions.
  • Good rules can reduce false positives and false
    negatives.
  • There are limitations in rules.
  • Log analyzers can help to identify the trend.
  • Log analyzers need to be further improved.
  • Plug-ins can add new functionality into the
    existing system.

32
Pedagogical Implication
  • The challenges in teaching intrusion detection
    and intrusion prevention can be addressed using
    hands-on labs, especially Snort labs.
  • Critical thinking skills and creativity are
    promoted in putting students in an environment in
    which they need to find out the limitations of
    current IDS technologies and figure out their new
    solutions.
  • Different perspectives need to be explored to
    make sure that students are really familiar with
    the intrusion detection and intrusion prevention
    technologies.
  • More hands-on labs need to be designed and
    developed to enhance student learning.

33
Summary
  • Hands-on lab exercises can enhance student
    learning.
  • Hands-on lab exercises using Snort are good tools
    in learning intrusion detection and intrusion
    prevention.

34
References
  • Beale, J., Baker, A., Caswell, B., Poor, M., and
    others. (2004). Snort 2.1 Intrusion Detection
    (2nd Edition). Rockland, MA: Syngress Publishing,
    Inc.
  • Cox, K., & Gerg, C. (2004). Managing Security with
    Snort and IDS Tools. Sebastopol, CA: O'Reilly
    Media, Inc.
  • Smith, P., & Ragan, T. (1999). Instructional
    Design. Hoboken, NJ: John Wiley & Sons, Inc.
  • http://www.snort.org