Base Paper presented by - Muhammad Naveed, Shams un Nihar and Mohammad Inayatullah Babar At 2010 6th International Conference on Emerging Technologies (ICET)

1. DEPARTMENT OF COMPUTER AND SCIENCE ENGINEERING
MANIPAL INSTITUTE OF TECHNOLOGY
(A Constituent College of Manipal University)
MANIPAL – 576104, KARNATAKA, INDIA
Seminar
On
Network Intrusion Prevention
by Configuring ACLs
on the Routers, based on Snort IDS alerts
Base Paper presented by-
Muhammad Naveed, Shams un Nihar and Mohammad Inayatullah Babar
At 2010 6th International Conference on Emerging Technologies (ICET)
By –
Disha Bedi
Roll no 104
Section B

2. CONTENTS
 Abstract
 Keywords
 Introduction
 Background
 Motivation
 Objective
 Experimental setup
 Methodology
 Results
 Analysisand discussion of results
 Advantages of the presented system
 Limitation
 Possible improvements
 Conclusion
 References

3. Abstract
Intrusion detection and prevention is necessary for the security of any
network. Initiallyfirewallwas considered essential to provide security
for the network but now IDS (Intrusion Detection System) and IPS
(Intrusion Prevention System) are the mainstream devices along with
firewalls.
Snort is used as IDS and alerts are logged to a databasefrom where
they are read and router Access Control List (ACL) rules are generated
based on Snort intrusion alerts and then these ACL rules are configured
on the Cisco router to block the potentialintrusions.

4. Keywords
Intrusion Prevention;
Snort;
Router;
Access Control List (ACL);
ACL Generation;
Router Configuration

5. Introduction
Intrusion prevention is very important for the defence in depth
approachto network security along with firewalls and intrusion
detection systems. Guardianis a software system which also provides a
mechanism for using Snort alerts for blocking the potentialintrusions,
but, the system can only work in Linux and FreeBSD.
Our proposed system is almost independentof the underlying
operating system and runs on every operating system. Snort can run on
many operating systems and also PHP and Perl are compatiblewith
nearly all operating systems. Guardianalso uses relatively complex
approach,with difficult configuration. The proposed approachis simple
and can be easily configured.

6. Background
Intrusion detection system
Intrusion detection system includesis a set of techniques and
methods that are used to detect suspiciousactivity both at the
network and host level.
Intruders have signatures that can be detected. Based upon a set
of signatures and rules, the intrusion detection system (IDS) is able
to find and log suspiciousactivity and generate alerts.

7. Intrusion prevention system
Intrusion Prevention System on the other hand provides the
capabilityto prevent intrusions.

8. Snort
Snort is an open source network intrusion preventionsystem
(NIPS) and network intrusion detection system (NIDS).
It hasthe abilityto perform real-time traffic analysisand packet
logging on Internet Protocol (IP) networks.
Snort is primarily a rule-based IDS. Snort reads these rules at the
start-up time and buildsinternal data structures or chainsto apply
these rules to captured data.
Components of snort

9. Motivation
Almost all networks are potentiallyvulnerable to network
intrusionsdespite of all security measures. Thus good security
measures are needed to keep our system secured.
Also I did my summer internship on Network intrusiondetection
so I wanted to learn how Network intrusionprevention works.

10. Objective
Intrusion Prevention System provides the capabilityto prevent
intrusionsbut because of its cost, it is not the option for many
small businesses and home users.
Hence, using a lightweight and free Intrusion Detection System
such as Snort, integrating it with a Cisco router and enhancingits
abilityto provide a prevention mechanism provides a good
solutionfor this problem.
Router and computer (to be used as a sensor) are fundamental
componentsof every major network, so, the proposed system
does not need any additionalhardware.
This study proposes a very basic way to prevent intrusionswithout
any additionalcost.

11. Experimental Setup
The systems used for the implementationwas a Core 2 Duo computer
with 2 GB RAM and Cisco 2691 Router with standard hardware
configuration.Operating system installedon the computer was Fedora
12 x86_64 and router was installedwith Cisco IOS Software Version
12.4(13b).
The software was written in PHP and Perl, so PHP and Perl were also
installedon the system. Snort version installedwas Snort 2.8.6 (Build
38). As the main aim of the software was to configure ACL rules based
on the Snort alerts, so, we used 1998 MIT DARPA Intrusion detection
data to test the proposed system and it is sufficient to provide a valid
testing environment for our proposed idea in every aspect as the basic
traffic analysisand intrusiondetection is performed by Snort, which is
just used as a readymade IDS software.
Snort should be built with MySQL capabilityand then installedon the
system. Buildingwith MySQL capabilityintegrates MySQL to Snort and
enables Snort to log the alerts to a MySQL database,from where the
alerts can be used by our proposed system.
The experiments were performed using MIT DARPA 1998 intrusion
detection data to test our software.

12. Methodology
Whenever Snort will run in IDS mode all of the alerts will be logged to a
MySQL database. This database can be used to generate ACL rule for
every alert logged to the database, which in a fine tuned IDS system
represents a potentialattack. After generating the ACL rules the router
configurationmodule access the router automaticallyusing telnet and
configure the ACL rules on it. ACL rules can also be removed after the
attack is over or if the configured ACL rules have some undesired effect
on the network.

13. There are two stages of the complete process:
 Intrusion detection
 Intrusion prevention
A. Intrusion Detection
Snort is used as an intrusion detection system to provide alerts for the
potentialintrusions. The alerts are automaticallylogged by Snort to
MySQL database from where they are read by the proposed software
and are used to prevent the potentialintrusion. It was very important
that Snort should be fine tuned for the network because only then false
alarms will be minimum and almost all the alerts indicate potential
intrusions. Hence, proposed system can work at its best to block
illegitimatetraffic while allowinglegitimate traffic to enter network
easily.
B. Intrusion Prevention
This is the main part of the proposed system and it is made up of
following two modules which work together to prevent a potential
intrusion.
The study proposes software havingtwo modules:
 ACL Generation Module
 Router ConfigurationModule

14. ACL Generation Module
ACL Generation Moduleis written in PHP and is used to access the
database to read the alerts and based on the alerts generate Cisco ACL
rules. Snort’s databasehas source and destinationIP addresses and
ports for each and every alert generated by Snort. This informationcan
be easily accessed from the databaseand used to generate a specific
ACL rule to block the incoming packets from the potentialintruder.
Snort generates alerts whenever it detects a potentialintrusion and in
fine-tuned Snort deployment almost all of the alerts will indicatean
intrusion. These alerts can be logged to a MySQL databasethrough
proper configuration.ACL GenerationModule connects to this
database and check for any new alerts generated by Snort. If there is
any new alert it queries the database for the “iphdr” table in the
database, which containsinformationabout the IP header of the
packets that generated the alert. After query, IP header of every alert is
fetched. The “Protocol” field in the IP header is checked to find the
upper layer protocol and according to the value of the field and
corresponding upper layer protocol, table is selected to gather
additional informationaboutthe source of intrusion as shown. After
retrieving all the pertinent informationfrom the database, the
corresponding alert is marked as checked so it should not be processed
again. With all the relevant information,an extended Cisco ACL rule is
generated, and then Router ConfigurationModuleis used to connect
to the router and configure the ACL rule on it and hence block the
source of potentialintrusion.
The followingflow chart represents this process:

16. Router Configuration Module
Router ConfigurationModuleis basicallydesigned to access the router
and configure it automatically.Routerconfiguration module is written
in Perl. For using telnet in a Perl script, Perl telnet module is needed. By
using this module, the router can be accessed and commandscan be
entered to configure the router.
Access lists that will be used to configure the router based on Snort
alerts should be already appliedto the interface connected to
untrusted networks. They should also be configured properly to permit
all traffic initiallyor according to network requirement can be initially
configured to block the known sources of dangerousor illegitimate
traffic.
The main aim of the study is to execute the ACL rules based on Snort
alerts on the router to stop the potentialintrusion.After ACL
Generation Modulegenerates an ACL rule based on the Snort alert, it
should be configured on the router. Router ConfigurationModuleis
used to access the router and configure the required ACL rule in the
correct mode. First of all we need to instantiate Net::Telnet object and
specify a timeout in case the expected prompt does not match to the
router prompt. All methods used in this module are of the Net::Telnet
object. To connect to router using telnet open() method is used. Router
ConfigurationModulethen waits for the vty (virtual terminal)
“Password: ” prompt on the router. Password is provided by the script
to the router and router enters into “User Mode”. In “User Mode” we
do not have access to configure the router, so, now we should switch
to “Privileged Mode”. Now the Router ConfigurationModulesends
“enable” command to the router to switch to “Privileged
Exec Mode”, the router asks for the “Privileged Exec Mode” password,
which the moduleprovides. Now we have to switch to “Global
ConfigurationMode”, using “configure terminal” command. Now, in
this mode the access list rule can be configured on the router by simply
sending the string (i.e. an extended ACL rule based on Snort alert)
passed to Router ConfigurationModuleby ACL GenerationModule to
the router and returning result of the operation to the ACL Generation
Module.The following flow chart represents this process:

18. ACL Rules Removal Mechanism
ACL rules should be removed from the router in case of false alarms.
Furthermore, after the attack is over the administratormight want to
remove the ACL rules to prevent the router from unnecessary
processing.
Every ACL rule that needs to be configured on the router is saved in the
database and can be used later to remove the ACLs from the router.
The ACL command when executed with “no” in start removes the
configured ACL rule. The web browser output showing the configured
ACL rules on the router have a hyperlinkin front of it, which
administratorcan use to remove the ACL rule. Hyperlinkjust callsa
script that in turn callsthe Router ConfigurationModule just like it is
called to configure ACL rule, but this time with “no” to remove the ACL
rule.

19. Interface Between ACL Generation Module and
Router Configuration Module
As ACL Generation Moduleis written in PHP while Router Configuration
Moduleis written in Perl, Router ConfigurationModuleshould be
integrated with the ACL Generation Moduleas the ACL rules are
generated by the ACL Generation Moduleand they are executed on the
router using Router ConfigurationModule. To integrate the Router
ConfigurationModulewith the ACL Generation Modulewe use php’s
shell_exec() method to access the shell and pass the string containing
Cisco ACL rule to the Router Configuration Module. PHP’s shell_exec()
method works as an interface between Router ConfigurationModule
and ACL Generation Modules.

20. RESULT
All the results were obtainedby blocking the source IP of the intrusive
packet of potentialintrusion for all destinations.
All the incoming traffic from the IP addresses, which are the source of
potentialintrusion will be blocked and hence our system has
successfully prevented intrusioninto the network.

21. Analysis and discussion of results
Results were obtainedusing 1998 MIT DARPA Intrusion Detection
Training data. The table shows the traffic statistics (breakdown by
protocol includingrebuild packets) as detected by the Snort.
Snort detected 871 alerts and all of the alerts were logged to the
database. Alerts statistics as given by Snort are shown by the following
table.

22. The next table shows the types of alerts logged by the Snort, listed with
corresponding Snort Signature ID and Signature Group ID. Alert
Classification column provides enough detailsto understandthe nature
of the each type of intrusion.
Cisco ACL rules executed on the router and obtainedfrom the router
using “show access-lists” command are as follows:
Extended IP access list 103
10 deny tcp host 197.218.177.69 any
20 deny tcp host 172.16.112.50 any
30 deny tcp host 196.227.33.189 any
40 deny tcp host 172.16.112.207 any
50 deny tcp host 172.16.113.84 any
60 deny tcp host 194.27.251.21 any
70 deny tcp host 135.13.216.191 any
80 deny tcp host 172.16.114.168 any
90 deny tcp host 195.73.151.50 any
100 deny tcp host 172.16.114.207 any

23. 110 deny tcp host 194.7.248.153 any
120 deny tcp host 197.182.91.233 any
130 deny tcp host 135.8.60.182 any
140 deny tcp host 172.16.114.148 any
150 deny tcp host 172.16.113.204 any
160 deny tcp host 152.169.215.104 any
170 deny tcp host 172.16.112.149 any
180 deny tcp host 172.16.113.105 any
190 deny tcp host 172.16.114.169 any
200 deny tcp host 172.16.113.50 any
210 deny tcp host 196.37.75.158 any
220 deny tcp host 195.115.218.108 any
230 deny tcp host 172.16.112.194 any
240 deny udp host 152.169.215.104 any

24. Advantages of the presented
system
The system can be implementedon a variety of platforms
Has a very simple approach
Is easy to configure
Does not incur any cost for implementation asboth routers and
computer are already there in the network
Does not need any specialized person for its operation.

25. Limitations
The system might not be suitablewith current implementationfor
networks using DHCP (Dynamic Host ConfigurationProtocol).
Intrusions containedin a single packet can intrude the network.

26. Possible improvement
The work can be extended from centralized to distributedsystem
to extend its capabilities.
The system can be modifiedto act as a host intrusion prevention
system and can work without any router to block intrusionson a
host.
The system can also be enhanced, so that it can be suitable for
networks using DHCP (Dynamic Host ConfigurationProtocol).

27. Conclusion
Using Snort as IDS to detect intrusionsand using Snort alerts to
generate Cisco ACL to block the potentialintrusionsprovides a very
cost effective way to prevent intrusion. The approachis very simple, it
does not need any special hardware and uses what is already present in
every major network i.e. a router and a computer which is used as an
intrusion sensor.
Provided Snort is fine-tuned for the network to be secured the
proposed system will provide very good performance to prevent
intrusionsinto the network.

28. References
[1]Aurobindo Sundaram, “An Introduction to Intrusion Detection,” 1996,
http://www.alexeng.edu.eg/~sghanem/network-security/IDS-Intro.pdf
[2] Karen Scarfone, Peter Mell, “Guide to Intrusion Detection and Prevention Systems (IDPS),” 2007, Special
Publication 800-94, Recommendations of the National Institute of Standards and Technology.
[3] Snort IDS Softwrae, “http://www.snort.org”
[4] Configuring IP Access Lists, Cisco Document ID: 23602
“http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.sht
ml”
[5] Net-Telnet-3.03 “http://search.cpan.org/~jrogers/Net-Telnet- 3.03/lib/Net/Telnet.pm”
[6] PHP Manual, shell_exec(), “http://php.net/manual/en/function.shellexec.php”
[7] 1998 DARPA Intrusion Detection Evaluation Data Set,
“http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/1998data.html”
[8] Martuza Ahmed, Rima Pal, Md. Mojammel Hossain, Md. Abu Naser Bikas, and Abdullahil Baki Md.
Ruhunnabi, “PID: A packet based approach to network intrusion detection and prevention”, in Proc. Of
International Conference on Information Management and Engineering, 2009, pp. 124- 127
[9] Alexander Krizhanovsky and Alexander Marasanov, “An Approach for Adaptive Intrusion Prevention
Based on The Danger Theory”, in Proc. of The Second International Conference on Availability, Reliability
and Security, 2007, pp. 1135 - 1142.
[10] Xinyou Zhang and Chengzhong Li, Wenbin Zheng, "Intrusion Prevention System Design," cit, pp.386-
390, Fourth International Conference on Computer and Information Technology (CIT'04), 2004
[11] Kuo Zhao, Fei Ren, Nurbol and Liang Hu, “LDLB: A Light Intrusion Prevention System in Data Link
Layer”, in Proc. of 2nd International Confrerence on Anti-counterfeiting, Security and Identification, 2008,
pp. 112-122.
[12] H. Bos and Kaiming Huang, “Towards Software-Based Signature Detection for Intrusion Prevention on
the Network Card”, Springer- Verlag Berlin Heidelberg, 2006, vol LNCS 3858, pp. 102–123.
[13] Chih-Chiang Wu, Sung-Hua Wen, and Nen-Fu Huang, “HuangTowards Software-Based Signature
Detection for Intrusion Prevention on the Network Card”, Springer-Verlag Berlin Heidelberg, 2006, vol LNCS
4301, pp. 318–328..
[14] L. Tan, B. Brotherton and T. Sherwood, “Bit-split string-matching engines for intrusion detection and
prevention,” ACM Trans. Architecture and Code Optimization, vol. 3, no. 1, pp. 3-34, 2006.
[15] Y. Weinsberg, S. Tzur-David, D. Dolev and T. Anker, “High performance string matching algorithm for a
network intrusion prevention system (NIPS),” in Proc. IEEE 2006 workshop on high performance switching
and routing, 2006.
[16] L. Tan and T. Sherwood, “A high throughput string matching architecture for intrusion detection and
prevention,” in Proc. 32nd annual international symposium on computer architecture, 2005, pp.112-122.
[17] N. Weaver, V. Paxson and J. M. Gonzalez, “The shunt: an FPGAbased accelerator for network iintrusion
prevention,” in Proc. 2007 ACM/SIGDA 15th international symposium on field programmable gate arrays,
Monterey, California, USA, 2007, pp. 199-206.
[18] Nick Moore, “Snort 2.8.4 Installation on FC11” Snort setup guides,
http://www.snort.org/assets/110/Snort_2.8.4.1_FC11.pdf
[19] Patrick Harper, “Snort and BASE Install on CentOS 4, RHEL 4 or Fedora Core” Snort setup guides,
http://assets.sourcefire.com/snort/setupguides/Snort_Base_Minimal.pdf
[20] Kerry J. Cox, Christopher Gerg, “Managing Security with Snort and IDS Tools”, O'Reilly, 2004, Chapter 3
[21] Guardian Active Response for Snort “http://www.chaotic.org/guardian/”