Network Traffic Analysis
Mahesh Shukla - JailBreaker edited this page Jun 12, 2024
### Introduction to IDS and IPS
Before diving into Snort and traffic analysis, let's have a brief overview of what an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) are. Both can be configured in your network infrastructure, but it's crucial to understand their differences.
---
### Intrusion Detection System (IDS)
**IDS** is a passive monitoring solution that detects possible malicious activities, abnormal incidents, and policy violations. It generates alerts for each suspicious event.
#### Types of IDS:
- **Network Intrusion Detection System (NIDS):**
  - Monitors traffic flow across various network areas.
  - Investigates traffic on the entire subnet.
  - Generates alerts when a signature is identified.
- **Host-based Intrusion Detection System (HIDS):**
  - Monitors traffic flow from a single endpoint device.
  - Investigates traffic on a particular device.
  - Generates alerts when a signature is identified.
---
### Intrusion Prevention System (IPS)
**IPS** is an active protection solution that prevents malicious activities, abnormal incidents, and policy violations. It stops/prevents/terminates suspicious events as soon as they are detected.
#### Types of IPS:
- **Network Intrusion Prevention System (NIPS):**
  - Monitors traffic flow across various network areas.
  - Protects traffic on the entire subnet.
  - Terminates connections when a signature is identified.
- **Behaviour-based Intrusion Prevention System (Network Behaviour Analysis - NBA):**
  - Monitors traffic flow across various network areas.
  - Protects traffic on the entire subnet.
  - Requires a training period ("baselining") to learn normal traffic patterns and differentiate malicious traffic.
- **Wireless Intrusion Prevention System (WIPS):**
  - Monitors traffic flow from wireless networks.
  - Protects wireless traffic.
  - Terminates connections when a signature is identified.
- **Host-based Intrusion Prevention System (HIPS):**
  - Protects traffic flow from a single endpoint device.
  - Terminates connections when a signature is identified.
---
### Detection/Prevention Techniques
#### Techniques Used in IDS and IPS:
- **Signature-Based:**
  - Relies on rules to identify specific patterns of known malicious behavior.
  - Effective for detecting known threats.
- **Behaviour-Based:**
  - Identifies new threats whose patterns are not covered by existing signatures.
  - Compares known/normal behavior with unknown/abnormal behavior.
  - Effective for detecting previously unknown threats.
- **Policy-Based:**
  - Compares detected activities with the system configuration and security policies.
  - Effective for detecting policy violations.
---
### Summary
IDS can identify threats but requires user assistance to stop them. IPS can identify and block threats with less user assistance at the time of detection.
---
### Introduction to Snort
**Snort** is an open-source, rule-based Network Intrusion Detection and Prevention System (NIDS/NIPS). Developed by Martin Roesch, it is maintained by open-source contributors and the Cisco Talos team.
#### Capabilities of Snort:
- Live traffic analysis
- Attack and probe detection
- Packet logging
- Protocol analysis
- Real-time alerting
- Modules & plugins
- Pre-processors
- Cross-platform support (Linux & Windows)
#### Snort's Three Main Use Models:
- **Sniffer Mode:** Reads IP packets and displays them in the console.
- **Packet Logger Mode:** Logs all IP packets (inbound and outbound) that visit the network.
- **NIDS/NIPS Modes:** Logs or drops packets deemed malicious according to user-defined rules.
---
By understanding IDS, IPS, and Snort, you can better secure your network against malicious activities.
# Sniffer Mode
1. **Verbose Mode (-v)**: Use the `-v` flag to run Snort in verbose mode, which displays TCP/IP output in the console similar to tcpdump. This mode is useful for seeing detailed information about the packets being processed.
2. **Packet Data Mode (-d)**: The `-d` flag enables packet data mode, which displays the packet data or payload. This mode is helpful for analyzing the content of packets, especially when dealing with protocols like HTTP or DNS.
3. **Link-Layer Header Mode (-e)**: With the `-e` flag, Snort displays the link-layer (Ethernet) headers in addition to the TCP/UDP/ICMP headers. This mode provides insight into the lower-level details of network traffic.
4. **Full Packet Details in HEX Mode (-X)**: Using the `-X` flag, Snort shows the full packet details in hexadecimal format. This mode is useful for a deep dive into packet structures and contents.
5. **Interface Specification (-i)**: You can specify a network interface with the `-i` flag to instruct Snort to listen and sniff on a specific interface. This is particularly useful when you have multiple network interfaces.
# Logger Mode
Here are the steps and explanations for running Snort in Logger Mode and using various parameters:
1. **Logger Mode and Default Output Directory**:
- Snort can be run in Logger mode using the `-l` parameter followed by the target log and alert output directory.
- By default, the output folder is `/var/log/snort`. The default action is to dump packets in tcpdump format in this directory.
2. **Packet Logger Parameters**:
   - `-K ASCII`: Logs packets in ASCII format.
   - `-r`: Reads a previously dumped log file back into Snort.
   - `-n`: Specifies the number of packets to process/read. Snort stops after reading the specified number of packets.
3. **File Ownership and Permissions**:
- Snort needs superuser (root) rights to sniff traffic, so running Snort with `sudo` makes the root account the owner of the generated log files.
- You can either elevate your privileges (`sudo command`) or change the ownership of files/directories (`sudo chown username file`).
4. **Logging with `-l` Parameter**:
- Start Snort in packet logger mode using `sudo snort -dev -l .`.
- Generate ICMP/HTTP traffic to see Snort in action.
- Check the generated log file, which will be in binary/tcpdump format.
5. **Logging with `-K ASCII` Parameter**:
- Start Snort in packet logger mode with ASCII format using `sudo snort -dev -K ASCII`.
- Generate traffic and check the generated log files, which will be in human-readable ASCII format and categorized by IP addresses.
6. **Reading Generated Logs with `-r` Parameter**:
- Start Snort in packet reader mode using `sudo snort -r snort.log`.
- Snort reads and displays the log file similar to how it does in sniffer mode.
- You can also use tcpdump or Wireshark to open and analyze the log file.
7. **Filtering Logs with the `-r` Parameter**:
   - You can filter binary log files using the `-r` parameter together with Berkeley Packet Filters (BPF), with commands like `sudo snort -r logname.log icmp` or `sudo snort -r logname.log 'udp and port 53'`.
Understanding these parameters and modes helps you effectively log and analyze network traffic using Snort.
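To make the "binary/tcpdump format" of the logger-mode output and the `-r` filtering step concrete, here is an added Python example (not part of the original page or of Snort) that builds a constructed pcap capture in memory, parses its global and record headers, decodes the Ethernet/IPv4/UDP/ICMP fields, and applies the same `icmp` and `udp and port 53` filters the page uses. The helper names (`build_pcap`, `parse_pcap`, `filter_log`) and the sample addresses are assumptions made for this example.

```python
import struct

# Constructed in-memory stand-in for a snort.log written by `snort -l`: tcpdump/pcap format,
# Ethernet link type, IPv4 only. Hypothetical helper names, not Snort's own code.
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
def ipv4_frame(proto, src, dst, payload):  # Ethernet + IPv4 header; checksums left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload
def udp(sport, dport, data):  # UDP header (length, zero checksum) + data
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
def build_pcap(frames):  # pcap global header + one 16-byte record header per frame
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1718150400 + i, 0, len(f), len(f)) + f
    return out
def parse_pcap(blob):
    """Yield one dict per IPv4 packet: proto, src, dst and (tcp/udp only) sport/dport."""
    magic, *_, link = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC or link != LINKTYPE_ETHERNET:
        raise ValueError("unsupported capture format")
    off = 24
    while off + 16 <= len(blob):
        caplen = struct.unpack("<IIII", blob[off:off + 16])[2]
        frame, off = blob[off + 16:off + 16 + caplen], off + 16 + caplen
        if frame[12:14] != b"\x08\x00":        # EtherType 0x0800: only IPv4 is decoded
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        pkt = {"proto": PROTO_NAMES.get(proto, str(proto)),
               "src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34]))}
        if proto in (6, 17):                   # TCP/UDP ports are the first 4 transport bytes
            pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
        yield pkt
def matches(pkt, bpf):  # tiny BPF subset: protocol names and 'port N' terms joined by 'and'
    for words in (term.split() for term in bpf.split(" and ") if term):
        if len(words) == 1 and pkt["proto"] != words[0]:
            return False
        if words[0] == "port" and int(words[1]) not in (pkt.get("sport"), pkt.get("dport")):
            return False
    return True
def filter_log(blob, bpf):  # what `snort -r logname.log '<bpf>'` does: replay, keep matches
    return [p for p in parse_pcap(blob) if matches(p, bpf)]

SAMPLE_LOG = build_pcap([                      # constructed sample traffic
    ipv4_frame(1, "10.0.0.5", "10.0.0.1", struct.pack("!BBHHH", 8, 0, 0, 1, 1)),    # ICMP echo
    ipv4_frame(17, "10.0.0.5", "10.0.0.53", udp(51000, 53, b"\x00\x01")),         # DNS query
    ipv4_frame(17, "10.0.0.53", "10.0.0.5", udp(53, 51000, b"\x00\x01")),         # DNS reply
    ipv4_frame(6, "10.0.0.5", "10.0.0.80", struct.pack("!HH", 44444, 80) + bytes(16)),  # TCP
])
```

Because the file written by `-l` is standard pcap, the same `SAMPLE_LOG` bytes saved to disk open in tcpdump or Wireshark, which is why those tools can read Snort's logs directly.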