Telecommunication placement

Installation of an Intrusion Detection System

08/05/06 – 07/07/06

Practising lecturer: Øyvind Hallsteinsen
Telecom-Lille tutor: Willy Longueville

David Férot FI 2009 Year 2005-2006

Høgskolen I Sør-Trøndelag Avdeling for Informatikk og e-Læring

Telecom-Lille


Acknowledgments

First of all, I would like to thank Mr Øyvind Hallsteinsen a lot, who was my practising tutor during this work placement. He helped me to discover Linux and networking. He was always available and patient with his explanations and did his best to make sure my stay was as enjoyable as possible.

I am also very grateful to Mr Willy Longueville, my Telecom-Lille tutor, for his advice and his monitoring during these 9 weeks.

Thanks to the ENIC, our school, for giving us the opportunity to achieve such a training period, particularly Martine Ducornet who helped us with all the administrative papers.

Finally, I want to thank Mr Jan Nilsen, the international coordinator of the Faculty of Informatics and e-Learning for his help the first days and helping me to discover Trondheim.


Table of contents

Introduction ........................................................ 6
I. Presentation ..................................................... 7
   A. Norway ........................................................ 7
   B. Trondheim ..................................................... 8
   C. The Sør-Trøndelag University College .......................... 9
   D. The Faculty of Informatics and e-Learning .................... 10
   E. The network of the school .................................... 12
II. Before using Snort ............................................. 14
   A. Snort introduction ........................................... 14
      What is an IDS? .............................................. 14
      What is Snort? ............................................... 15
   B. Discovering Debian Linux ..................................... 16
      Windows mode ................................................. 16
      Shell mode ................................................... 17
   C. Installing Snort ............................................. 19
III. Snort ......................................................... 21
   A. Before using Snort as an IDS ................................. 21
      First uses of Snort .......................................... 21
      Snort as sniffer and logger .................................. 22
   B. Snort as an IDS .............................................. 24
   C. User's quick manual .......................................... 26
Conclusion ........................................................ 28
Glossary .......................................................... 29
Bibliography and links ............................................ 30
Appendix .......................................................... 31


Introduction

After having already done several placements in France, one of my first goals for this telecommunication placement was to discover another culture. It was really a great opportunity to come and study for 9 weeks at the Faculty of Informatics and e-Learning.

The objectives of this placement consisted of implementing a Network Intrusion Detection System (NIDS) based on the software Snort, documenting it and establishing procedures to support it. This subject was unknown to me and, before beginning the installation of Snort, I had to learn how to use Linux from the shell.

But another important aspect of this training period was also to discover an unknown part of Europe, and to see for myself the reality of the Norwegian economy and way of life. I learned a lot from this experience as I shared my daily life with Norwegian students.


I. Presentation

As this country was unknown to me before I came here, I will introduce it to you, and then describe Trondheim, the University College, the Faculty and the networks of the Faculty, which are connected to the national universities network.

A. Norway

Before I came, Norway was to me a wild Scandinavian country with a high standard of living. Norway is a very elongated country (2000 km between north and south). It receives the Gulf Stream on the southwest coast and the weather is temperate in the southern part of the country; it is subarctic in the north. Norway has 4.5 million inhabitants in 325,000 km² (half of France). It is a constitutional monarchy with a parliamentary system of government. It is a social democracy where the state intervenes in the expansion of capitalism, which has made it the country with the highest Human Development Index in the world. Norway is not part of the European Union but the country takes part in active cooperation with it. The government held two referendums on joining the EU but the result was "no" both times. Norwegian foreign policy is based on active international cooperation. It is a member of the United Nations and the North Atlantic Treaty Organisation. It is very easy to live in Norway for a simple reason: everybody speaks English and is ready to help you.

B. Trondheim

As said previously, my training period took place in one of the faculties in Trondheim. I will introduce the city to you in a few words. Trondheim was founded in 997 by the Viking king Olav Tryggvason, who named it Kaupangen, "The Trade Place". Olav Tryggvason is still in the centre of the city, as a statue on top of a column, like Nelson in London. Trondheim is located in the county of Sør-Trøndelag. It is situated 500 km from Oslo and 500 km from the Arctic Circle. It lies on the west coast, where the river Nidelva meets the Trondheimsfjorden. Trondheim is the third largest Norwegian town after Oslo and Bergen. It has 160,000 inhabitants and about 30,000 students.


Trondheim covers around 350 km² (for comparison, Lille covers 40 km² and has 230,000 inhabitants). So it has all the charm of a small town (with low density) but the facilities of a city. Crime is fortunately rare and the social atmosphere is friendly. You can find a lot of quiet places in the city, especially along the well preserved coast of the fjord and, as in most parts of Norway, mountains, forests and fjords are close at hand. Trondheim has been a regional trading and communication centre for more than 1000 years, and has a long tradition of science and education. Norway's first school was established in Trondheim in 1210; the school still exists as an upper secondary school. In 1760, the Royal Norwegian Society of Sciences and Letters was established as an academic institution, and it is still Norway's most prestigious one. Norway's first technical school was established in Trondheim in 1870 and, after many name changes, it became a part of the university college in 1996 as the Faculty of Informatics and e-Learning, where I was for these two months.

C. The Sør-Trøndelag University College

Sør-Trøndelag University College was established in 1994 by merging eight colleges in Trondheim. With 8,000 students it is the third largest university college in Norway, and one of the two dominant academic institutions in Trondheim. The college offers a wide range of bachelor's and master's programmes as well as continuing education programmes and other courses.


The University College has seven faculties, located at five different campuses in Trondheim. They teach Health Education and Social Work, Nursing, Teacher Education and Deaf Studies, Technology, Food Science and Medical Technology, Business Administration and, the one of interest here, Informatics and e-Learning.

D. The Faculty of Informatics and e-Learning

The Faculty of Informatics and e-Learning, called Avdeling for Informatikk og e-Læring (AITeL) in Norwegian, has approximately 475 students and about 40 employees. In co-operation with other university colleges and universities, this faculty has managed to become the largest provider of distance learning via the Internet in Norway. Last year, 1500 students were in the distance education programme.

The faculty principally teaches three undergraduate study programmes: a 3-year IT-supported Business Administration Programme, a 3-year Network Administration Programme and a 3-year Computer Engineering Programme. They also teach a 3-year Information Technology Programme and a 2-year Master's programme in Software Engineering, but fewer students choose them and I will not speak about them here. For postgraduate programmes, there exist two: one in computer science and one in web design and e-commerce.

The bachelor in IT-supported Business Administration focuses on how to use IT to improve business. In order to do this, the programme gives students the necessary background in economics and business. In brief, this programme covers three areas of subjects: business development (economics, product development, etc.), organization (cooperation, project management, etc.) and informatics (lighter subjects such as web publishing and basic security).

The bachelor in Network Administration gives the students the background needed to administer computer systems and networks. During the second and third year, the students get a combination of theoretical and practical knowledge in subjects such as network management, service management and different types of services (file, print, databases, web servers, email, etc.). Typical jobs include systems administrator, network administrator, user support and similar.

The bachelor in Computer Engineering, the most popular at AITeL, teaches the students how to create software. In order to achieve this, the programme includes the ability to communicate (with human beings and organizations), has lessons about user interface design, significant knowledge of code (Java, OpenGL, C, C++, etc.) and courses about testing a software system and maintaining it, correcting runtime errors and adding improved functionality and extensions. Job advertisements might say programmer, programme developer, system or software developer, or computer consultant.


E. The network of the school

In Norway, there is a company owned by the Norwegian Ministry of Education and Research which supplies network and network services for Norwegian universities, university colleges and research institutions. This is the UNINETT Group. The whole group is located in Trondheim. All the Norwegian colleges and universities are connected, and any non-commercial research or educational institution such as libraries, archives and schools may be connected for a yearly fee. You can find a map of this network in the appendix. The backbones of UNINETT are typically 1 or 2.5 Gbit/s fiber optic links. For institutions not near the backbone, the maximum capacity is 155 Mbit/s. UNINETT is connected to other similar networks in Nordic countries via NORDUnet, which is connected to the European project GEANT.

The University College is connected to the UNINETT network via a router (mtfs-gw.uninett.no) which separates the several faculty networks. The Faculty of Informatics and e-Learning has installed a router (Kalvskinnet-gsw.hist.no) to join the internal networks with the University network.

Figure: Communication room in the faculty


There exist twenty networks at the faculty, with dedicated users for each one: students, teachers, administration, wireless LAN, etc.

One of these networks is dedicated to testing. It is separated from the rest of the network by a router with a firewall. The Intrusion Detection System had to be implemented on this router.

This network is made up of optical fibre between buildings and floors, and the connections on the same floor are made with Ethernet cables.


II. Before using Snort

The project for this work placement consisted of implementing the NIDS Snort on a test computer, in order to install it on a server as soon as possible. But before I could use Snort, I had to acquire some background knowledge.

A. Snort introduction

What is an IDS?

An Intrusion Detection System is software intended to locate abnormal or suspicious activities on a network or a host.

There are two main families of IDS: the Network Intrusion Detection System (NIDS) and the Host Intrusion Detection System (HIDS). A NIDS is based on libraries of signatures. The analysis is similar to that of antivirus software (when it is based on attack signatures). A NIDS is situated at choke points in the network, typically connected to a router or switch. It identifies intrusions by examining the network traffic. A NIDS is not limited to inspecting incoming network traffic only: often, valuable information about an ongoing intrusion can be learned from outgoing or local traffic as well.

Some attacks might even be staged from inside the monitored network or network segment, and are therefore not regarded as incoming traffic at all. A HIDS consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, etc.) and other host activities and state. Much as a NIDS dynamically inspects network packets, a HIDS may detect which program accesses which resources and make sure that a word processor hasn't suddenly and inexplicably started modifying the system password database. Similarly, a HIDS may look at the state of a system and its stored information, whether in RAM, in the file system or elsewhere, and check that the contents of these appear as expected.

What is Snort?

Snort is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. It was originally written by Martin Roesch and is nowadays owned and operated by Sourcefire® (which Martin Roesch founded). Snort is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts, amongst other features. The system can be used for intrusion prevention purposes too. With millions of downloads, Snort is the most widely deployed intrusion detection and prevention technology in the world.

B. Discovering Debian Linux

The servers where Snort had to be installed run Debian Linux. For me, it was the first difficulty I encountered. Before this work placement, I had always used computers under Windows®, from 95 to XP, and Linux was completely new in two different ways. The first was, of course, the discovery of a new operating system. The second, the most difficult to get over, was the continuous use of the shell.

Windows mode

The day I received the computer, Øyvind helped me install and configure Linux and he installed a window manager named KDE. This was very helpful. So, for the beginning, I learnt how to use Linux with windows.

It is not very different from Windows®: you can find a Start Menu (even if the name is different) with all the software installed, you have a taskbar at the bottom of your screen (you can put it where you want) which includes a quick launch space and a lot of options you can configure. The main difference from Windows® is greater flexibility and, I think, fewer gadgets for better efficiency.


Something I had to understand was the architecture of the directories. The root folder is / and inside, you can find /home for the personal documents (a folder subdivided into one directory per user: /home/root, /home/david, etc.), /tmp for the temporary files, and so on. To install software, you have two choices. The first way (the simplest) consists of using the package manager (KPackage with the KDE interface or aptitude in the shell). But most Linux users prefer to use the second way: download the source code in a tar.gz archive, compile it and install it themselves. This is harder and you need to know how your computer operates, but it is more configurable and flexible.

Shell mode

As I said, the biggest difficulty for me was the shell. To make it easier, I always used the terminal program in window mode, which let me use the shell more safely and which also let me use several shells at the same time (helpful to keep an eye on the help file when you run a program). I also used a little program running under Windows®, called PuTTY, which let me take control of the Linux machine from my laptop, using an SSH secured connection.

From the beginning, Øyvind gave me a book called The Debian System to help me to understand and use Debian. It was helpful to begin with, but the second one was better: Linux in a Nutshell. This book is a quick reference with all the common commands for Linux. During the first weeks, I discovered the main functions of Debian with the help of the books and, at the same time, I wrote the most useful commands for me in a text file.

I will describe some of the commands I often used:

  • cd : the command to browse the different directories. cd directory puts you in the directory specified, cd - changes to the previous directory and cd .. changes to the parent directory.

  • ls : a command to list the contents of a directory. There exist a lot of options but the most used are ls -a, which also lists the hidden files, and ls --color, which colorizes the names of files depending on their type.

  • more : this command displays a file on the screen. I never used any options but some commands: Q to quit, /word to search for word, v to invoke the text editor vi.

  • cp : the command to copy a file, in the same directory or in another. The option -r copies a directory with all its contents and subdirectories and -l does not copy the file but creates a hard link


C. Installing Snort

When I was accustomed to the shell mode, I installed Snort from its source code (it was also possible with Debian packages, but we wanted the latest version, which was only available as source code). It was not so easy and I spent a lot of hours on it. I will sum up here the main steps to install Snort, with some of the main problems I encountered.

To begin, I needed to download the source code. For Linux, the code is downloadable as a tar.gz archive. So, I went to the Snort website with a web browser and I downloaded it into /usr/local/src/gz. After this, I unpacked it with the command tar zxf: tar is a command for archives, z is the option for the gz compression, x for extract and f to create a new directory before unzipping. In the new folder where the files had been extracted, one file was very useful: INSTALL. This file explained how to install Snort and its first warning was about the libpcap library. I needed it but I didn't manage to find it on the computer. On the website debian.org, there is a search engine to find out in which package a file can be found. So, I installed a package with the libpcap library. The first step invokes the command ./configure. This command is a shell script that looks for software and even tries various things to see what works. It then takes its instructions from Makefile.in and builds Makefile (and possibly some other files) so that they work on the current system. But on the computer, there was no C compiler found by configure, so I needed to install one. I chose g++, whose package name is gcc.


On Øyvind's advice, I used the --prefix=/usr/local/snort option, which defines the path where we want to install Snort. This is very useful to find the files because they are all in the same directory. It helps you if you want to uninstall the software (which I did several times) but it involves building some links by yourself. The second step uses the command make. This command reads the Makefile (made by configure) and compiles the source code to build the executable program. The third step, make install, again invokes make, which finds the target install in the Makefile and follows the directions to install the program. These three steps, "configure, make, make install", are common to most software under Linux and are very famous, even if I discovered them for the first time during this placement. After this, I had all the installed files in /usr/local/snort (except the rules files, which I found later in /etc/snort/rules) but if I tried to run Snort with the usual command snort, it didn't run. I had to type the entire path: /usr/local/snort/bin/snort. This occurred because, when you want to run a program, Debian looks for it in some directories and, as I installed Snort in a specific directory, it was not in the usual directories for Debian. I needed to tell it where Snort was, so I chose to create a hard link copy of /usr/local/snort/bin/snort in /usr/bin (one of the directories where Debian looks for programs).

It was only after all this I could start to use Snort, and I will explain this in the third main part of this report.


III. Snort

Snort can run in three different modes: as a packet sniffer, a packet logger or a NIDS. Here I will present how I used Snort, with the first steps, the problems encountered, how to use Snort easily as a NIDS and I will introduce quickly the manual I wrote for the users.

A. Before using Snort as an IDS

When I managed to install Snort, I began to discover it only with the command snort --help, which prints all the options for Snort on the screen. This way, I discovered some functions of Snort by myself and, moreover, I fixed a lot of problems. The usual command was snort -v -c snort.conf. The option -v means "verbose mode", which prints all the sniffed packets on the screen. The option -c indicates the rules file to use. In fact, snort.conf is not really a rules file but a configuration file. It is a really well written file, with a lot of comments which explain the few configuration lines very well.

First uses of Snort

The main problem I encountered was bad definitions in snort.conf, because it is in this file that you define all the variables and the location of each file Snort needs.


The first of them was the network definition: where the internal network is (defined by the variable HOME_NET) and where the external network is (defined by EXTERNAL_NET). To create an internal and an external network for the tests, we installed a second network card in the computer (with some hardware difficulties) and we configured the computer as a gateway between my personal laptop and the school network. This way, the Linux machine was like a server with my laptop as the internal network and the school network as the external network. To define the networks, I chose the easiest and most complete solution: all traffic on each card was considered as one network (it is also possible to analyse traffic coming from a list of IP addresses). Another problem which occurred many times was the definition of the dynamic preprocessors and dynamic engines. Despite my searches, I never managed to find any file for this. With the help of the Internet, I found the solution: uninstall Snort and reinstall it with the option --enable-dynamicplugin. After this, the files for the dynamic definitions were in /usr/local/snort/lib, separated into two directories: snort_dynamicengine and snort_dynamicpreprocessor, so it was easy to define the correct path in snort.conf.

After I had fixed a lot of problems by myself, I discovered a file named USAGE among all the Snort documentation. This is a how-to written by Martin Roesch for Snort beginners.

Snort as sniffer and logger

The USAGE file is a very well written help for beginners which explains step by step how to use Snort, from the simplest way to the most complete functions.

The simplest mode in Snort is the sniffer mode, which just prints the TCP/IP packet headers to the screen. The simplest command in this mode is snort -v: this runs Snort and just shows the IP addresses and the TCP/IP packet headers on the screen, nothing else. If you want to see the payload data in transit, you can type snort -vd (or snort -v -d, which is the same). This prints out the packet data as well as the headers. And if you want an even more descriptive display, showing the data link layer headers, type snort -vde: the option -e displays the layer 2 packet header data. To stop Snort, just press Ctrl + C.

If you want to record the packets to disk, you need to specify a logging directory and Snort will automatically go into packet logger mode. For example, you create a directory log in your current directory (using the command mkdir log) and then you can run Snort with these options: snort -vde -l ./log. The -vde option still does the same thing and the -l option tells Snort where it has to store the logs.

If you are on a high speed network or if you want to log the packets in a more compact form for later analysis, you can log in "binary mode". Binary mode logs the packets in pcap format (common to tcpdump and Ethereal) to a single binary file in the logging directory specified. To use the binary mode, type snort -l ./log -b (-b for binary). Here, we don't use the -vde option because it is not useful and, on a high speed network, it is even a little bit dangerous because of the slowness of the verbose mode, which will drop packets (not many, but some).

In reality, I didn’t use the logger mode. I used the sniffer mode to see whether there was some bug and, as soon as all the bugs were fixed, I used the IDS mode.


B. Snort as an IDS

As I said it earlier, I tested Snort on a Debian machine with two network cards to simulate a server with its internal and external Networks, my laptop working as the internal network, communicating with the Internet through the Debian machine.

Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. By choosing rules, you decide which traffic is allowed in your network and which is not. To enable the NIDS mode in Snort, you just have to use the option -c followed by the name of the rules file. As I already said, I used the snort.conf file. It is very useful because it contains all the variable definitions and, moreover, it allows several rules files to be loaded at the same time. To do this, you have to place all the rules files in the same directory. By default, some common rules files are in /etc/snort/rules (these are just some common rules, but you can download or write a lot of rules files yourself). Because it is more convenient, I copied the rules directory into /usr/local/snort, with all the other Snort files. After this, you have to define in snort.conf what the rule path is (not necessary but highly advisable) and, at the end of snort.conf, you will find some lines like include $RULE_PATH/rules.rules where rules is the name of the rules file. To decide which rules files must be applied and which must not, just put a # at the beginning of the lines you do not want to apply (that comments the line out, so it is not applied).
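The variable definitions, the $RULE_PATH includes and the #-commented lines described above, together with the HOME_NET / EXTERNAL_NET definitions and the dynamic plugin paths from the previous section, can be checked before Snort is started. The following Python script is an added example written for this report, not code from Snort or from the original manual; the configuration text and the list of files standing in for the filesystem are constructed, and the directive syntax it accepts (var/ipvar/portvar, include, dynamicengine, dynamicpreprocessor directory) is that of Snort 2.x.

```python
"""Parse a snort.conf fragment (var definitions, $NAME references,
'#' comments, include lines, dynamic plugin paths) and report the
two classes of problem the report describes: an undefined variable
and a referenced file that is not there."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed snort.conf fragment mirroring the variables the report mentions.
SAMPLE_CONF = """\
var HOME_NET 192.168.10.0/24        # the laptop side of the test gateway
var EXTERNAL_NET !$HOME_NET         # everything that is not HOME_NET
var RULE_PATH /usr/local/snort/rules
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor
include $RULE_PATH/local.rules
include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/chat.rules       <- commented out: this rules file is not loaded
include $RULE_PATH/missing.rules
"""

# Constructed stand-in for the filesystem so the check runs offline.
SAMPLE_FS = {
    "/usr/local/snort/rules/local.rules",
    "/usr/local/snort/rules/web-attacks.rules",
    "/usr/local/snort/rules/chat.rules",
    "/usr/local/snort/lib/snort_dynamicengine/libsf_engine.so",
    "/usr/local/snort/lib/snort_dynamicpreprocessor",
}

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


@dataclass
class SnortConfig:
    variables: Dict[str, str] = field(default_factory=dict)
    includes: List[str] = field(default_factory=list)      # expanded rules file paths
    dynamic_paths: List[str] = field(default_factory=list)  # engine / preprocessor paths
    problems: List[str] = field(default_factory=list)


def _expand(value: str, cfg: SnortConfig, lineno: int) -> str:
    """Replace $NAME with its definition; an undefined name is recorded as a problem
    (the 'bad definition' class of error the report ran into)."""
    def repl(m: re.Match) -> str:
        name = m.group(1)
        if name not in cfg.variables:
            cfg.problems.append(f"line {lineno}: undefined variable ${name}")
            return m.group(0)
        return cfg.variables[name]
    return VAR_RE.sub(repl, value)


def parse_snort_conf(text: str) -> SnortConfig:
    cfg = SnortConfig()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # a leading '#' disables the whole line
        if not line:
            continue
        parts = line.split(None, 2)
        keyword = parts[0]
        if keyword in ("var", "ipvar", "portvar"):
            if len(parts) != 3:
                cfg.problems.append(f"line {lineno}: malformed {keyword} definition")
                continue
            cfg.variables[parts[1]] = _expand(parts[2], cfg, lineno)
        elif keyword == "include" and len(parts) >= 2:
            cfg.includes.append(_expand(" ".join(parts[1:]), cfg, lineno))
        elif keyword == "dynamicengine" and len(parts) >= 2:
            cfg.dynamic_paths.append(_expand(parts[1], cfg, lineno))
        elif keyword == "dynamicpreprocessor" and len(parts) == 3 and parts[1] == "directory":
            cfg.dynamic_paths.append(_expand(parts[2].rstrip("/"), cfg, lineno))
        # other directives (preprocessor, output, config ...) are left to Snort itself
    return cfg


def missing_paths(cfg: SnortConfig, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Every include and dynamic plugin path that does not exist; `exists` is injectable
    so the check can run against a fake filesystem (or the real one, by default)."""
    return [p for p in cfg.includes + cfg.dynamic_paths if not exists(p)]


if __name__ == "__main__":
    conf = parse_snort_conf(SAMPLE_CONF)
    print("variables:", conf.variables)
    print("active rules files:", conf.includes)
    print("missing files:", missing_paths(conf, exists=lambda p: p in SAMPLE_FS))
    print("problems:", conf.problems)
```

Run against a real installation with the default `exists`, the function reports every rules file or plugin path that snort.conf names but that is not on disk.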


When you have chosen your rules files, type snort -c snort.conf. This runs Snort with the configuration chosen in snort.conf and logs the alerts in /var/log/snort. If you want to store them in another folder, say so using the option -l (the same as in logger mode). When Snort runs like this, it logs the packets by creating a directory hierarchy based upon the IP address of one of the hosts in the datagram, and it logs the alerts in a single file named alert. If you want to print the alerts to the screen (not all the packets, just the alerts), use the option -A console. You can also run Snort in daemon mode, using the option -D (running in the background). When you quit Snort, typing Ctrl + C, a statistics table appears which tells you the number of packets sniffed, their type and their ratio, and the number of alerts (logged or passed).


To test the rules and see if Snort really did its work, the idea was simple: I ran Snort on the Debian machine and, with my laptop, I did something wrong. Then I just had to see if Snort logged my outlaw packets. I did it for most of the rules.
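The alert file described in the previous paragraph and the rule test just described can be checked programmatically instead of by reading the file. The following Python script is an added example, not code from the report or from Snort; it assumes the full alert format that Snort 2.x writes to the file named alert (one record per alert, records separated by a blank line, IPv4 addresses) and parses a constructed sample to count alerts per rule and per source address and to confirm that a given rule fired for the test machine.

```python
"""Parse Snort's `alert` file (full alert format) and summarise it, so a rule
test (run Snort, misbehave from the laptop, look for the alert) can be checked
mechanically. SAMPLE_ALERT_FILE is constructed; its signature ids, messages and
addresses are made up."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (not captured data): one ICMP and two TCP alerts from the
# "internal" laptop side towards the gateway.
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:1] LOCAL ICMP echo request from laptop [**]
[Classification: Misc activity] [Priority: 3]
06/20-10:15:02.123456 192.168.10.2 -> 10.0.0.1
ICMP TTL:64 TOS:0x0 ID:34219 IpLen:20 DgmLen:84 DF

[**] [1:1000002:2] LOCAL web server probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/20-10:15:09.654321 192.168.10.2:40412 -> 10.0.0.1:80
TCP TTL:64 TOS:0x0 ID:9981 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x16D0  TcpLen: 40

[**] [1:1000002:2] LOCAL web server probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/20-10:15:10.000001 192.168.10.3:51022 -> 10.0.0.1:80
TCP TTL:64 TOS:0x0 ID:9982 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C5E  Ack: 0x0  Win: 0x16D0  TcpLen: 40
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^(?:\[Classification: (.*?)\] )?\[Priority: (\d+)\]")
# IPv4 only: an IPv6 address contains ':' and would need a different pattern.
ADDR_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?$"
)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+)")


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    timestamp: str
    src: str
    sport: Optional[int]   # None for protocols without ports (ICMP)
    dst: str
    dport: Optional[int]
    proto: str


def parse_alert_file(text: str) -> List[Alert]:
    """Split the file into blank-line separated records and parse each one.
    A record that does not start with the [**] header (for instance the last one,
    still being written by Snort) is skipped instead of raising."""
    alerts: List[Alert] = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in record.splitlines() if ln.strip()]
        if len(lines) < 3:
            continue
        head, cls, addr = HEADER_RE.match(lines[0]), CLASS_RE.match(lines[1]), ADDR_RE.match(lines[2])
        if not (head and cls and addr):
            continue
        proto = PROTO_RE.match(lines[3]) if len(lines) > 3 else None
        alerts.append(Alert(
            gid=int(head.group(1)), sid=int(head.group(2)), rev=int(head.group(3)),
            msg=head.group(4), classification=cls.group(1) or "", priority=int(cls.group(2)),
            timestamp=addr.group(1),
            src=addr.group(2), sport=int(addr.group(3)) if addr.group(3) else None,
            dst=addr.group(4), dport=int(addr.group(5)) if addr.group(5) else None,
            proto=proto.group(1) if proto else "?",
        ))
    return alerts


def count_by_signature(alerts: List[Alert]) -> Counter:
    """How often each rule fired: {(gid, sid, msg): n}."""
    return Counter((a.gid, a.sid, a.msg) for a in alerts)


def count_by_source(alerts: List[Alert]) -> Counter:
    """Alerts per source address, the first thing to look at after a test run."""
    return Counter(a.src for a in alerts)


def rule_fired(alerts: List[Alert], sid: int, src: Optional[str] = None) -> bool:
    """True if at least one alert with this sid (optionally from this source) was logged."""
    return any(a.sid == sid and (src is None or a.src == src) for a in alerts)


if __name__ == "__main__":
    parsed = parse_alert_file(SAMPLE_ALERT_FILE)
    print(count_by_signature(parsed))
    print(count_by_source(parsed))
    print("rule 1000002 fired from the laptop:", rule_fired(parsed, 1000002, "192.168.10.2"))
```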

C. User’s quick manual

When I understood how to run Snort, I needed to write a manual for the next users. I asked Øyvind how I should write it (text document, Microsoft Word document, etc.) and he answered that he would like an HTML document, very basic, with no graphics and just the necessary.

As I had never used HTML before this placement, I preferred to use a WYSIWYG editor (What You See Is What You Get: this type of editor provides an editing interface which allows you to create HTML pages without knowledge of HTML code). On Øyvind's advice, I installed Nvu (pronounced N-view), an open source editor for Windows, Linux and Mac.

Nvu is based on the Composer component of the Mozilla application suite. It is probably the best open source alternative to Microsoft FrontPage and Adobe Macromedia Dreamweaver. As you can see on the screenshot, Nvu is intuitive software and it is easy to use (especially when you just have to type some text and build a few links).


I decided to split the tutorial in three parts. To begin, how to install and configure Snort. Then, how to run snort. And I chose to explain the rules system.

In the entire manual, I addressed Debian users and I based it on my own experience, so I explain the bugs I encountered. The manual is for non-English people, so I used English as unsophisticated as possible, trying to guide users during their first steps. The objective of this tutorial is not to be a complete manual or help, but just a little help to begin, according to the use of Snort at the faculty. As it is an online tutorial, with links between pages, I chose not to print it in the appendix, but you can find it on the Internet at this address: http://aitel.hist.no/labben/snort/.


Conclusion

This training period has been for me an incredible experience, speaking of the knowledge acquired, but also of the personal part of it. Indeed, from many points of view, it was different from the previous ones.

I would like to thank Øyvind again for his help, his patience and his presence during this entire placement, in the everyday work as much as in the discovery of Norwegian life.

It was for me the first true contact with the world of telecommunications, doing practical things instead of the theory seen at school. I was able to extend the basic knowledge acquired during the short introductions at Telecom-Lille, especially in the domain of network security.

I am sure this placement will be helpful for me and will have a great impact in the future.


Glossary

HIST: Høgskolen I Sør-Trøndelag, the University College of the county of Sør-Trøndelag, in Trondheim.

AITeL: Avdeling for InformaTikk og e-Læring, the Faculty of Informatics and e-Learning, part of the University College of Sør-Trøndelag.

UNINETT: The Norwegian government-owned company responsible for a national computer network for universities and research.

NORDUnet: An international collaboration between the Nordic national computer networks for research and education. The five members are Sweden, Norway, Finland, Denmark and Iceland.

GEANT: The main European multi-gigabit computer network for research and education purposes. 32 countries take part in this project.

KDE: K Desktop Environment. A free desktop environment for Unix and Unix-like systems.

IDS: Intrusion Detection System. There exist two types of IDS: NIDS, Network Intrusion Detection System, and HIDS, Host Intrusion Detection System.


Bibliography and links

Books:

  • The Debian System, Concepts and Techniques; Martin F. Krafft
  • Linux in a Nutshell, A Desktop Quick Reference; O'Reilly

Websites:

  • www.hist.no
  • www.aitel.hist.no
  • www.uninett.no
  • www.debian.org
  • www.snort.org
  • www.wikipedia.org


Appendix

Map of the UNINETT network ............ p32
Links to the manual website ........... p33


The manual I wrote for AITeL users had to be reachable only by authorized people on an internal webpage, but it is finally available to everybody and you can reach it at this address: http://aitel.hist.no/labben/snort/. I could have printed it in this appendix but I think it is better to see it online. That's the reason why there are only these few lines here and not the entire tutorial.


David Férot

08/05 – 07/07/2006

FI 2009

Placement at the faculty of informatics and e-learning in Trondheim

A lifetime experience

This training period was my first real stay abroad. I had the opportunity to discover an unknown country, its way of life, culture and language, and I discovered what Norway is, beyond the stereotypes. Norway is a welcoming country with open-minded people and it was easy to meet them.

IDS

An intrusion detection system inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. It is a good complement to a firewall.

In a network-based system (NIDS), the individual packets flowing through a network are analyzed. The NIDS can detect malicious packets that are designed to be overlooked by a firewall’s simplistic filtering rules. In a host-based system (HIDS), the IDS examines the activity on each individual computer or host.

Snort at AITeL

AITeL decided to implement an IDS on its network to raise the security level. They did not choose a solution like a proxy because they do not want to restrict the freedom of the students, who need to test protocols for their studies. Snort will analyse the traffic and log it. This way, teachers will be able to see exactly what traffic passes through the network. The next step is to rate its data in order to handle them in a single view.

Sector: Telecommunications

Keywords: IDS, Security, Snort, Debian Linux

Field: Network Security
