Introduction:
Hello folks, these days intrusions are occurring far more often than in previous years, and there are many reasons behind the scenes. This article explains, in fairly generic form, what an intrusion actually is and why intrusions happen. The answer is MOM! We will also discuss how to analyze intrusions at the packet level. Let me explain "MOM" first: it stands for 'Motive', 'Opportunity' and 'Means'. I would say that wherever 'MOM' exists there is a possibility of intrusions into your network infrastructure. If there is motivation there must be a means, and if someone gets an opportunity the chances of intrusion increase.

What Is Hacktivism? Reason for intrusions:
Hacktivism refers to hacking for a cause. These hackers usually have a social or political agenda. Their intent is to send a message through their hacking activity while gaining visibility for their cause and themselves. Many of these hackers participate in activities such as defacing websites, creating viruses, DoS, or other disruptive attacks to gain notoriety for their cause. Hacktivism commonly targets government agencies, political groups, and any other entities these groups or individuals perceive as "bad" or "wrong".
An intrusion can be defined as unwanted activity in your network infrastructure which can lead to compromise of the confidentiality, integrity and availability of your resources.

Detecting Intrusions:
To detect intrusions there are two major types of intrusion detection systems:
a. Network intrusion detection systems (NIDS)
b. Host based intrusion detection systems (HIDS)
To detect intrusions in network infrastructure we use network based intrusion detection systems, and to detect intrusions on a single machine or system we use host based intrusion detection systems. There are many vendors offering NIDS/HIDS, but here I will focus on how to build your own intrusion detection system using the power of open source.
Snort is the de-facto standard for intrusion detection systems. Snort is easily available, and its complete manual for installation, configuration and troubleshooting is available there as well. You can use Snort in many different ways to detect intrusions, and Snort can also be used to analyze the intrusions.

Analyzing Intrusion:
Snort runs in four different modes, which are as follows:
- Sniffer mode, which simply reads the packets off of the network and displays them for you in a continuous stream on the console (screen).
- Packet Logger mode, which logs the packets to disk.
- Network Intrusion Detection System (NIDS) mode, the most complex and configurable configuration, which allows Snort to analyze network traffic for matches against a user-defined rule set and perform several actions based upon what it sees.
- Inline mode, which obtains packets from iptables instead of from libpcap and then causes iptables to drop or pass packets based on Snort rules that use inline-specific rule types.
These are the basic modes of Snort in which you can use it to detect intrusions and to perform analysis on them. There are many add-ons for Snort which help in analyzing the packets your Snort will capture. BASE is one of them.

What is BASE?
BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a Snort IDS system. BASE is a web interface to perform analysis of intrusions that Snort has detected on your network. It uses a user authentication and role-based system, so that you as the security admin can decide what and how much information each user can see. It also has a simple to use, web-based setup program for people not comfortable with editing files directly. BASE is supported by a group of volunteers. They are available to answer any questions you may have or to help you out in setting up your system. They are also skilled in intrusion detection systems and make use of that knowledge in the development of BASE.
BASE shows packet level intrusion analysis on your network; it shows a traffic profile by protocol (ICMP, TCP, UDP) and port scans from nmap, Nessus and other scanners as well. You can also analyze the most recent attacks and attacks in the last 24 hours; you can also view the complete packets for the attacks which your Snort box has detected.

Summary
In short, you can build your complete network intrusion detection system by using open source tools like Snort and BASE: you can use Snort as the detection engine and BASE as the analysis engine for analyzing intrusions into your network, and you can also develop an intrusion prevention system by using Snort with iptables.
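As an added example (not code from this article or from the Snort or BASE projects), the Python sketch below mimics the two ideas described above: what NIDS mode does with a user-defined rule set, and the per-protocol alert count that BASE presents as a traffic profile. It parses three constructed rules written in Snort's text syntax, matches constructed packets against them, and tallies the resulting alerts by protocol; the supported rule subset, the packet dict layout and the sids are assumptions of the example.

```python
# Added illustration (not Snort's or BASE's own code): a tiny Snort-style rule
# matcher, plus the per-protocol alert count BASE presents as a traffic profile.
import re
from collections import Counter

# Constructed rules in Snort's text syntax; the sids are made-up local values.
RULES = """
alert tcp any any -> any 80 (msg:"WEB cmd.exe access"; content:"cmd.exe"; sid:1000001;)
alert icmp any any -> any any (msg:"ICMP packet seen"; sid:1000002;)
alert udp any any -> any 53 (msg:"DNS version query"; content:"version"; sid:1000003;)
"""
RULE_RE = re.compile(
    r'^(?P<action>\w+) +(?P<proto>\w+) +(?P<src>\S+) +(?P<sport>\S+) +-> +'
    r'(?P<dst>\S+) +(?P<dport>\S+) +\((?P<opts>.*)\)\s*$', re.M)

def parse_rules(text):
    """Parse each rule header plus its msg/content/sid options (addresses are read but only 'any' is honoured)."""
    rules = []
    for m in RULE_RE.finditer(text):
        r = m.groupdict()
        opts = dict(o.strip().split(':', 1) for o in r.pop('opts').split(';') if o.strip())
        r['msg'] = opts.get('msg', '').strip('"')
        r['content'] = opts.get('content', '').strip('"')
        r['sid'] = int(opts.get('sid', 0))
        rules.append(r)
    return rules

def _port_ok(spec, port):
    return spec == 'any' or int(spec) == port

def match(rules, pkt):
    """Return the sids of every rule that fires for one packet dict."""
    hits = []
    for r in rules:
        if r['proto'] != pkt['proto']:
            continue
        if not (_port_ok(r['sport'], pkt.get('sport', 0)) and _port_ok(r['dport'], pkt.get('dport', 0))):
            continue
        if r['content'] and r['content'].encode() not in pkt['payload']:
            continue  # the content option is a substring test on the payload
        hits.append(r['sid'])
    return hits

# Constructed traffic: the first and third packets should raise alerts.
PACKETS = [
    {'proto': 'tcp', 'sport': 40000, 'dport': 80, 'payload': b'GET /scripts/cmd.exe HTTP/1.0'},
    {'proto': 'tcp', 'sport': 40001, 'dport': 80, 'payload': b'GET /index.html HTTP/1.0'},
    {'proto': 'icmp', 'payload': b'\x08\x00'},
]

def alerts(packets=PACKETS, rules=None):
    rules = rules if rules is not None else parse_rules(RULES)
    return [(p['proto'], sid) for p in packets for sid in match(rules, p)]  # (protocol, sid) per hit

def profile(alert_list):
    return Counter(proto for proto, _ in alert_list)  # alerts per protocol, as in BASE's profile view
```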