Study Report

Telecommunication placement

Installation of an Intrusion Detection System

08/05/06 – 07/07/06

Practising

lecturer:

Øyvind

Hallsteinsen Telecom-Lille tutor: Willy Longueville

David Férot FI 2009 Year 2005-2006

Høgskolen I Sør-Trøndelag Avdeling for InformaTikk og e-Læring

Telecom-Lille

Telecommunication placement

Installation of an Intrusion Detection System

Practising

Lecturer:

Øyvind

Hallsteinsen Telecom-Lille Tutor: Willy Longueville

David Férot FI 2009

Acknowledgments

First of all, I would like to thank a lot Mr Øyvind Hallsteinsen who was my practicing tutor during this work placement. He helped me to discover Linux and the network knowledge. He always was available and patient for explanations and did his best to make sure my stay was as enjoyable as possible.

I am also very grateful to Mr Willy Longueville, my Telecom-Lille tutor, for his advice and his monitoring during these 9 weeks.

Thanks to the ENIC, our school, for giving us the opportunity to achieve such a training period, particularly Martine Ducornet who helped us with all the administrative papers.

Finally, I want to thank Mr Jan Nilsen, the international coordinator of the Faculty of Informatics and e-Learning for his help the first days and helping me to discover Trondheim.

5

Table of contents Introduction................................................................................................7 I. Presentation...........................................................................................8 A. Norway...............................................................................8 B. Trondheim..........................................................................9 C. The Sør-Trøndelag University College...............................10 D. The Faculty of Informatics and e-Learning.......................11 E. The network of the school................................................13 II. Before use Snort .................................................................................15 A. Introduce Snort................................................................15 What is an IDS?............................................................15 What is Snort?..............................................................16 B. Discover Debian Linux.....................................................17 Windows mode.............................................................17 Shell mode....................................................................18 C. Install Snort.....................................................................20 III. Snort...................................................................................................22 A. Before using Snort as an IDS...........................................22 First uses of Snort.........................................................22 Snort as sniffer and logger...........................................23 B. Snort as an IDS................................................................24 C. User’s quick manual........................................................26 Conclusion................................................................................................29 Glossary....................................................................................................30 Bibliography and links .............................................................................31 Books:....................................................................................31 Websites:...............................................................................31 Appendix .................................................................................................32

6

Introduction

After having already done several placements in France, one of my first goals for this telecommunication placement was to discover another culture. It was really a great opportunity to come studying 9 weeks in the Faculty of Informatics and e-Learning.

The objectives of this placement consisted of implementing a Network Intrusion Detecting System (NIDS) based on the software Snort, documenting it and establishing procedures to support it. This subject was unknown to me and before beginning the installation of Snort, I had to learn how to use Linux with the Shell.

But another important aspect of this training period was also to discover an unknown part of Europe, and to see by myself the reality of the Norwegian economy and way of life. I learned a lot from my experience as I shared my daily life with Norwegian students.

7

I. Presentation As this country was unknown to me before I came here, I will introduce it to you, as I will describe Trondheim, the University, the Faculty and the networks of the Faculty, connected to the national universities network.

A. Norway

Before I came, Norway was to me a raw country of Scandinavia with a great standard of living. Norway is a very elongated

country

(2000km between north and south). It receives the Gulf Stream in the southwest coast and the weather is temperate in the south part of the country. It is subarctic in the north. Norway is populated by 4.5 millions inhabitants in 325,000 km² (half of France). It is a constitutional monarchy with a parliamentary system of government. This is a social democracy where the state interferes in the capitalism expansion to create the country with the highest Human Development Index in the world. Norway is not a part of the European Union but the country takes part on an active cooperation with it. The government held two referendums to join the EU but the result was always “no”. The Norwegian 8

foreign policy is based on an active international cooperation. It is a member of the United Nations and the North Atlantic Treaty Organisation. It is very easy to live in Norway for a simple reason: everybody speaks English and is ready to help you.

B. Trondheim

As said previously, my training period took place in one of the faculty of Trondheim. I will introduce it to you in some words. Trondheim was founded in 997 by the Viking king Olav Tryggvason who named it Kaupangen, “The Trade Place”. St Olav is still in the center of the city, as a statue on the top of a column, like Nelson in London. Trondheim is located in the county of Sør-Trøndelag. It is situated to 500 km from Oslo and 500 km from the Arctic Circle, on the west coast, where the river Nidelva meet the Trondheimsfjorden. Trondheim is the third largest Norwegian Town after Oslo and Bergen. It counts 160,000 inhabitants and about 30,000 students.

9

Trondheim takes up around 350km² (for comparison, Lille takes up 40km² and counts 230,000 inhabitants). So it has all the charm of a small town (with low density) but the facilities of a city. Crime is fortunately rare and the social atmosphere is friendly. You can find a lot of quiet places in the city, especially along the well preserved coast of the fjord and

as

in

most

parts

of

Norway,

mountains, forests and fjords are close at hand. Trondheim has been a regional trading and communication centre for more than 1000 years, and has a long tradition of science and education. Norway's first school was established in Trondheim in 1210. The school still exists as an upper secondary school. In 1760, the Royal Norwegian Society of Sciences and Letters was established as an academic institution that still is Norway's most prestigious institution. Norway's first technical school was established in Trondheim in 1870. What is today the Norwegian University of Science and Technology (NTNU) was established in Trondheim in 1910 as the Norwegian Institute of Technology.

C. The Sør-Trøndelag University College

Sør-Trøndelag University College was established in 1994 by merging eight colleges in Trondheim. With 8 000 students it is the third largest university college in Norway, and one of the two dominant academic institutions in Trondheim. The college offers a wide range of bachelor's and master's programmes as well as continuing education programmes and other courses. The University College has seven faculties, located at five different campuses in Trondheim. They teach about Health Education and Social 10

Work, Nursing, Teacher Education and Deaf Studies, Technology, Food Science and Medical Technology, Business Administration and, which we are interested in, Informatics and e-Learning.

D. The Faculty of Informatics and e-Learning

The

Faculty

of

Informatics

and

e-

Learning, called Avdeling for InformaTikk og eLæring

(AITeL)

in

Norwegian,

counts

approximately 475 students and about 40 employees. In co-operation with other university colleges and universities, this faculty has managed to become the largest provider of distance learning via Internet in Norway. Last year, 1500 students were in the distance education program.

The

faculty

teaches

principally

three

undergraduate

study

programmes: a 3-year IT-supported Business Administration, a 3-year Network Administration Programme and a 3-year Computer Engineering Programme. They also teach a 3-year Information Technology Programme and a 2-year Master programme in Software engineering but there are fewer students who choose them and I will not speak about them here. For postgraduate programmes, there exist

two

science

programmes:

and

one

in

one

in

Web-design

computer and

e-

commerce.

11

The bachelor in IT-supported Business Administration focuses on how to use IT to improve business. In order to do it, this programme gives to students the necessary background in economics and business. In brief,

this

programme

development

covers

(economics,

three

product

areas

of

development,

subjects: etc.),

business

organization

(cooperation, project management, etc.) and informatics (lighter subjects such as web publishing and basic security). The bachelor in Systems Maintenance gives the students the background needed to administer computer systems and networks. During the second and third year, the students get a combination of theoretical and practical knowledge in subjects such as network management, service management, different types of services (file, print, databases, web servers, email etc.).

Typical

jobs

include

systems

administrator, network administrator, user support and similar. The bachelor in Computer Engineering, the most popular in AITeL, teaches to the students how to create software. In order to achieve this, the programme includes ability to communicate (with human beings and organizations), lessons about user interface design, significant knowledge in code (Java, OpenGL, C, C++, etc.) and courses about testing a programme system and maintaining it, with correct runtime errors and ability to add improved functionality and extensions. Job advertisements might say programmer, programme developer, system or software developer or computer consultant.

12

E. The network of the school

In Norway, there is a company owned by the Norwegian Ministry of Education and Research which supplies network and network services for Norwegian universities, university colleges and research institutions. This is the UNINETT Group. The whole Group is located in Trondheim. All the Norway's colleges and universities are connected, and any non-commercial research or educational institution such as libraries, archives and schools may be connected for a yearly fee. You can find the map of this network in the appendix. The backbones of UNINETT are typically 1 or 2.5 Gbit/s fiber optic links. For institutions not near the backbone, the maximum capacity is 155 Mbit/s. UNINETT is connected to other similar networks in Nordic countries via NORDUnet, which is connected to the European project GEANT.

The University is connected to the UNINETT Network via a router (mtfs.gw.uninett.no) which distinguishes the several faculty networks.

The

faculty

of

Informatics and e-Learning has installed a router (Kaluskinnetgsw.hist.no) to join the internal networks

with

the

University

exist

twenty

network. There Networks

at

the

faculty,

with

Communication room in the faculty

dedicated users for each over: students, teachers, administration, Wireless LAN, etc. 13

And Networks

one is

of

these

dedicated

to

UNINETT

test. It is separated from the rest of the network by a router

with

firewall.

The

Intrusion Detection System had to be implemented on this router.

Mtfs-gw.uninett.no Faculties Networks AITeL Kaluskinnet-gsw.hist.no

This network is made up of Optic Fiber between buildings and floors and the

Other Networks br280-sw.hist.no

connections on a same floor are performed by Ethernet cables.

Test Network

14

II. Before use Snort The project for this work placement consisted of implement the NIDS Snort on a test computer, in order to install it on a server as soon as possible. But before I managed to use Snort, I had to master some knowledge.

A. Introduce Snort What is an IDS? An Intrusion Detection System is a software intended to locate abnormal or suspect activities on a network or a host.

There are two great distinct families of IDS: The Network Intrusion Detection System (NIDS) and the Host Intrusion Detection System (HIDS). A NIDS is based on libraries of signatures. The

analysis

is

similar

with

that

of

the

External Network

antiviruses (if they are based on signatures of attacks). A NIDS is situated at choke points in the network, typically connected with router or switch. It identifies intrusions by examining the network traffic. A NIDS is not limited to inspecting

incoming

network

traffic

Oftentimes

valuable

information

about

NIDS

only. an

ongoing intrusion can be learned from outgoing

Internal Network

or local traffic as well. Some attacks might

15

even be staged from the inside of the monitored network or network segment, and are therefore not regarded as incoming traffic at all. A HIDS consists of an agent on a host which identifies intrusions by analyzing

system

calls,

application

logs,

file-system

modification

(binaries, password files, etc.) and other host activities and state. Much as a NIDS will dynamically inspect network packets, a HIDS may detect which program accesses what resources and assures that a wordprocessor hasn't suddenly and inexplicably started modifying the system password-database. Similarly a HIDS may look at the state of a system, its stored information, whether in RAM, in the file-system, or elsewhere; and checks that the contents of these appear as expected.

What is Snort? Snort is an open source network intrusion prevention and detection system utilizing combines

a

rule-driven the

language,

benefits

of

which

signature,

protocol and anomaly based inspection methods. Originally it is written by Martin Roesch, nowadays owned and operated by Sourcefire®, (which Martin Roesch founded). Snort is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, amongst other features. The system can be used for intrusion prevention purposes too. With millions of downloads, Snort is the most widely deployed intrusion detection system and prevention technology in the world.

16

B. Discover Debian Linux

The servers where Snort had had to be installed run under Linux, in distribution Debian and, for me, it was the first difficulty I encountered. Before this work placement, I always used computers under Windows®, from 95 to XP, and Linux was completely new by two different ways. The first was, of course, the discovery of a new Operating System. The second, the most difficult to get over, was the continuous usage of the shell.

Windows mode The day I received the computer, Øyvind helped me to install and configure Linux and he installed a window mode named KDE. This was very helpful. So, for the beginning, I learnt how to use Linux with windows. It is not very different

from

Windows®:

you can find a Start Menu (even

the

name

different)

with

all

software

installed,

have

if

a

taskbar

in

is the you the

bottom of your screen (you can put it where you want) which includes a quick launch space and a lot of options you can configure. The main difference with Windows® is a bigger flexibility and, I think, less gadgets for a better efficiency. 17

Something I had to understand was the architecture of directories. The root folder is / and inside, you can find /home for the personal documents (folder subdivided in a directory per user: /home/root, /home/david, etc.), /tmp for the temporary files, and so on. To install a software, you have two choices. The first way (the simplest) consists on using the Package Manager (KPackage with KDE interface or the function aptitude in the shell). But most of the Linuxers prefer use the second way: download the source code in a tar.gz archive, compile it and install it by themselves. This is harder and you need to know how your computer operates but it is more configurable and flexible.

Shell mode As I said it, the biggest difficulty for me was the shell. To allow me to use it easier, I always used the terminal program in window mode, which allows me to use the shell with more safety and which also let me to use several shells in the same time (helpful to keep an eye on the help file when you run a software). I also use a little software running under Windows®, called PuTTY, which let me get the control of the Linux machine with my laptop, using SSH secured connection.

Since the beginning, Øyvind gave me a book called The Debian system to help me to understand and use Debian. It was helpful to begin but the second was better: Linux in a Nutshell. This book is a quick reference with all common commands for Linux. During the first weeks, I discovered the main functions of Debian with the help of the books and, in the same time, I wrote the most useful commands for me in a text file. I will describe some of the commands I often used: 18

•

cd : it is the function to browse the different directories. cd directory puts you in the directory specified. cd

–

changes to the previous directory and cd .. changes to parent directory. •

ls : a function to list the contents or a directory. There exist a lot of options but the most used are ls –a which also list the hidden files and ls --color which colorize the names of files depending on their type.

•

more : this function displays a file on the screen. I never used any options but some commands: Q to quit, /word to search word, v to invoke the text editor vi.

•

cp : the command to copy a file, in the same directory or in another. The option –r copies a directory and all its contents and subdirectories and –l not copies the file but creates a hard-link

19

C. Install Snort

When I was accustomed with the shell mode, I installed Snort with its source code. It was not so easy and I spent a lot of hours to do it. I will sum up here the main steps to install snort, with some of the main problems I encountered.

To begin, I needed to download the source code. For Linux, the code is downloadable in an archive tar.gz. So, I went to the snort website, with a web browser and I download it in /usr/local/src/gz. After this, I unpacked it with the command tar zxf. tar is a command for archives, z is the option for the gz compression, x for extract and f to create a new directory before unzip. In the new folder where the files had been extracted, a file was very useful: INSTALL. This file explained how to install snort and its first warning was about the libpcap library. I needed it but I didn’t manage to find it on the computer. In the website Debian.org, there is a search engine to know in which packages we can find a file. So, I installed a package with the libpcap library. The first step invokes the command ./configure. This command is a shell script that goes up and looks for software and even tries various things to see what works. It then takes its instructions from Makefile.in and builds Makefile (and possibly some other files) that work on the current system. But on the computer, there was no C compiler found by configure so I needed to install one. I chose g++, which package name is gcc. With advice of Øyvind, I used the --prefix=/usr/local/snort option which defines the path where we want to install Snort. This is very useful to find the files because they all are in the same directory. It helps

20

you if you want to uninstall the software (which I made several times) but it involves building some links by yourself. The second step uses the command make. This command reads the Makefile (made by configure) and compiles the source code to build the executable program. The third step, make install, again invokes make, which finds the target install in Makefile and files the directions to install the program. These three steps, “configure, make, make install” are common for the most software under Linux and are very famous, even if I discovered them for the first time in this placement. After this, I had all the installed files in /usr/local/snort (excepted rules files that I found later in /etc/snort/rules) but if I tried to run snort by the usual command snort, it didn’t run. I had to type the entire path: /usr/local/snort/bin/snort. This occurred because, when you want to run a software, Debian looks after it in some directories and, as I installed Snort in a specific directory, it was not in the usual directories for Debian. I needed to tell it where was Snort, I chose to create a hard link copy of /usr/local/snort/bin/snort in /usr/bin (one of the directories where Debian looks after the softwares).

It was only after all this I could start to use Snort, and I will explain this in the third main part of this report.

21

III. Snort Snort can be run under three different modes: as a packet sniffer, a packet logger or a NIDS. Here I will present how I used Snort, with the first steps, the problems encountered, how to use Snort easily as NIDS and I will introduce quickly the manual I wrote for the users.

A. Before using Snort as an IDS

When I managed to install Snort, I began to discover it only with the command snort --help which prints out on the screen all the options for Snort. By this way, I discovered some functions of Snort by myself and, moreover, I fixed a lot of problems. The usual command was snort –v –c snort.conf. The option –v means “verbose mode”, which prints in the screen all the packets sniffed. The option –c indicates the rules file to use. In fact, Snort.conf is not really a rules file but a configuration file. It is a really well written file, with a lot of comments which explain you very well the few code lines.

First uses of Snort The main problem I encountered was bad definitions in Snort.conf because it is in this file you define all the variables and location of each files Snort needs.

The first of them was the Network definition: where are the internal network (defined by the variable HOME_NET) and the external network 22

(defined by EXTERNAL_NET). To create an internal and an external networks for the tests, we installed a second network card on the computer (with some hardware difficulties) and we configured the computer as a gateway between my personal laptop and the network school. By this way, the Linux machine was like a server with my laptop as the internal network and the school network as the external network. To define the networks, I chose the easiest and most complete solution: all traffic by each card was considered like a network (it is also possible to analyse traffic coming from a list of IP addresses). Another problem which occurred a lot of times was the definition of the dynamic pre-processors and dynamic engines. Despite my searches, I never managed to find any file for this. With the help of the Internet, I found the

solution:

uninstall

Snort

and

reinstall

it

with

the

option

--enable-dynamicplugin. After this, the files for dynamic definitions were just in /usr/local/snort/lib, separated in two directories: snort_dynamicengine and snort_dynamipreprocessor, so it was easy to define the correct path in Snort.conf.

After I had fixed a lot of problems by myself, I discovered a file named USAGE between all the Snort documentation. This is a How-to made by Martin Roesch for the beginners on Snort.

Snort as sniffer and logger The USAGE file is a very well written help for beginners which explains step by step how to use Snort, from the simplest way to the most completed functions. The simplest mode in Snort is the sniffer mode which just prints out the TCP/IP packet headers to the screen. The simplest command in this mode is snort –v: this runs Snort and just shows the IP address and the 23

TCP/IP packet headers on the screen, nothing else. If you want to see the payload data in transit, you can type snort –vd (or snort –v –d, it is the same). This prints out the packet data as well as the headers. And if you want an even more descriptive display, showing the data link layer headers, type snort –vde. The option –e display the layer 2 packet header data. To stop Snort, just press ctrl + C. If you want to record the packets to the disk, you need to specify a logging directory and Snort will automatically know to go into packet logger mode. For example, you create a directory log in your current directory (using the command mkdir log) and after, you can run snort with this options: snort –vde –l ./log. The –vde option still does the same thing and the –l option tells to Snort where it has to stock the logs. If you are on a high speed network or if you want to log the packets into a more compact form for later analysis, you can log in “binary mode”. Binary mode logs the packets in tcpdump format to a single binary file in the logging directory specified. To use the binary mode, type snort –l ./log –b (-b for binary). Here, we don’t use the –vde option because it is not useful and, with high speed network, it is even a little bit dangerous because of the slowness of the verbose mode, which will drop packets (not many, but some).

In reality, I didn’t use the logger mode. I used the sniffer mode to see whether there was some bug and, as soon as all the bugs were fixed, I used the IDS mode.

B. Snort as an IDS

As I said it earlier, I tested Snort on a Debian machine with two network cards to simulate a server with its internal and external 24

Networks, my laptop working as the internal network, communicating with the Internet through the Debian machine.

Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. By choosing rules, you decide which traffic is allowed in your network and which is not. To enable the NIDS mode on Snort, you just have to use the option – c with the name of the rule file behind. As I already said, I used the snort.conf file. It is very useful because it contains all the variable definitions and, moreover, it enables to launch several rules files at the same time. To do this, you have to place all the rules files in a same directory. By default, some common rules files are in /etc/snort/rules (these are just some common rules but you can download or write a lot of rules files by yourself). Because it is more convenient, I copied the rules directory in /usr/local/snort, with all the other Snort files. After this, you have to define in snort.conf what is the rule path (not necessary but highly advisable) and, at the end of snort.conf, you will find some lines like include $RULE_PATH/rules.rules where rules is the name of the rule. To decide which rules must be applied and which must not, just put a # at the beginning of the lines which you do not want to apply (that will comment the line and, so, won’t apply it). When you have chosen your rules files, type snort –c snort.conf. This runs Snort with the configuration chosen in snort.conf and logs the alerts in /var/log/snort. If you want to stock them in another folder, tell it using the option –l (the same as in logger mode). When Snort runs like this, it logs the packets creating directory hierarchy based upon the IP address of one of the hosts in the datagram and it logs the alerts in a single file named alert. If you want to print out the alerts to the screen 25

(not all the packet but just the alerts), use the option –A console. You can also run Snort as Daemon mode, using the option –D. When you quit Snort, typing ctrl + C, a statistic table appears which tells you the number of packets sniffed, their type and their ratio, and the number of alerts (logged or passed).

To test the rules and see if Snort really did its work, the concept was simple: I run Snort on the Debian machine and, with my laptop, I did something wrong. With this, I just had to see if Snort logged my outlaw packets. I did it for the most of the rules.

C. User’s quick manual

26

When I understood how to run Snort, I could write a manual for the next users. I asked to Øyvind how I had to write it (text document, Microsoft word document, etc.) and he answered me he would like an html document, very basic with no graphics and just the necessary.

As I never used html before this placement, I preferred use a WYSIWYG editor (What You See Is What You Get: this type of editor provides an editing interface which allows you to create html pages without knowledge in html code). With advice of Øyvind, I installed Nvu (pronounced N-view), an open source editor for Windows, Linux and Mac.

Nvu is based on the Composer component of Mozilla application suite. It is probably the best open source alternative to Microsoft FrontPage and Adobe Macromedia Dreamweaver. As you can see on the screenshot, Nvu is an instinctive software and it is easy to use it (moreover when you just have to type some text and build few links).

27

I decided to split the tutorial in three parts. To begin, how to install and configure Snort. Then, how to run snort. And I chose to explain the rules system.

In the entire manual, I spoke for Debian user and I based it on my own experience. So I explain the bugs I encountered. The manual is for non-English people so I used an English as unsophisticated as possible, trying to conduct users during their first steps. The objective of this tutorial is not to be a complete manual or help but just a little help to begin, according to the use of Snort at the faculty. As it is an online tutorial, with links between pages, I chose not to print it on the appendix but you can find it on the internet, at this address: http://aitel.hist.no/labben/snort/.

28

Conclusion

This training period has been for me an incredible experience, speaking of the knowledge acquired, but also of the personal part of it. Indeed, from many points of view, it was different from the previous ones.

I would like to thank again Øyvind for his help, his patience and his attendance during this entire placement in the all day work as much as in the discovery of Norwegian life.

It

was

for

me

the

first

true

contact

with

the

world

of

telecommunications, doing practical things instead of the theory seen at the school. I was able to extend the basic knowledge acquired during the little introductions at Telecom-Lille, especially in the domain of the security in networks.

I am sure this placement will be helpful for me and will have a great impact in the future.

29

Glossary • HIST:

Høgskolen I

Sør-Trøndelag,

The

University

of

the

County

Sør-Trøndelag, in Trondheim • AITeL: Avdeling for InformaTikk og e-Læring, the Faculty of Informatics and e-Learning, part of the University of Sør-Trøndelag. • UNINETT: The Norwegian government-owned company responsible for a national computer network for universities and research. • NORDUnet: It is an international collaboration between the Nordic national computer networks for research and education. The five members are: Sweden, Norway, Finland, Denmark and Iceland. • GEANT: It is the main European multi-gigabit computer network for research and education purposes. 32 countries take part on this project. • KDE: K Desktop Environment. It is a free desktop environment for Unix and Unix-like systems. • IDS: Intrusion System Detection. There exist two types of IDS: NIDS, Network Intrusion System Detection and HIDS, Host Intrusion System Detection.

30

Bibliography and links

Books: The Debian System, Concepts and Techniques; Martin F. Krafft Linux in a Nutshell, A desktop quick reference; O’Reilly

Websites: www.hist.no www.aitel.hist.no www.uninett.no www.debian.org www.snort.org www.wikipedia.org

31

Appendix

Map

of

the

UNINETT

network

p32 p33

Links to the manual website

32

33

The manual I wrote for AITeL users had to be reachable only for authorized people in an internal webpage but it is finally available

for

everybody

and

you

can

reach

it

at

this

address:

http://aitel.hist.no/labben/snort/. I could have printed it in this appendix but I think it is better to see it online. That's the reason why there is only these few lines here and not the entire tutorial.

34

David Férot

08/05 – 07/07/2006

FI 2009

Placement at the faculty of informatics and e-learning in Trondheim

A lifetime experience This training period was my first real stay abroad. I had the opportunity to discover an unknown country, its way of life, culture and language and I discovered what Norway is, falling stereotypes. Norway is a welcoming country with open-minded people and it was easy to meet them. IDS An intrusion detection system inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. It is a good complement to firewall.

External Network

NIDS

Internal Network

In a network-based system (NIDS), the individual packets flowing through a network are analyzed. The NIDS can detect malicious packets that are designed to be overlooked by a firewall’s simplistic filtering rules. In a host-based system (HIDS), the IDS examines at the activity on each individual computer or host.

Snort at AITeL AITeL decided to implement an IDS on its Network to update the security level. They did not choose a solution like proxy because they do not block the freedom of the students who need to test protocols for their studies. Snort will analyse the traffic and log it. By this way, teachers will be able to see exactly what traffic passes through the network. The next step is rating its data in order to treat them in a single sight. Sector: Telecommunications Keywords: IDS, Security, Snort, Debian Linux

Field: Network Security