Choosing Snort IDS: Implementation and Comparison Report

Added on 2020/04/13

BEST CHOICE FOR CLIENT IS SNORT SYSTEM
Justification for choosing Snort as IDS
Snort is a lightweight IDS that can be deployed on a network with minimal disruption to
operations. Snort supports various operating systems, such as Linux, UNIX and Windows. Snort
can inspect packet payloads, which Tcpdump cannot, and its decoded display output is more
user-friendly than Tcpdump's. Snort supports a MySQL database, so all events can be stored in a
database; this allows a user to search, view and profile events at any time. Snort is also open
source, backed by Cisco and the community, so it has wide community support.
Figure: After installation, the Snort rule count is 0
Figure: List of Snort decoder and preprocessor engines
Figure: ICMP and TCP Snort protocol rules
Figure: ICMP and TCP Snort protocol rules added
Running Snort with real-time console alerts
An ICMP rule was added, so when another computer on the network pings the Snort host, Snort
generates an alert reporting an intrusion on the network. The IP address of the client doing the
pinging is shown as 192.168.43.47.
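As an added illustration (not code from the report or from Snort itself), the following Python script parses rules of the kind described above and checks constructed packets against them, printing alerts in the shape of Snort's console output. The rule text, the HOME_NET value and the packet contents are assumptions; only the pinging client's address 192.168.43.47 comes from the report.

```python
import ipaddress
import re
from dataclasses import dataclass

HOME_NET = "192.168.43.0/24"  # assumed value for the report's lab network
# Assumed contents of local.rules: the ICMP ping rule the report describes plus one TCP rule.
RULES = [
    'alert icmp any any -> $HOME_NET any (msg:"ICMP Ping detected"; itype:8; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; flags:S; sid:1000002; rev:1;)',
]

@dataclass
class Rule:
    action: str; proto: str; src: str; sport: str; dst: str; dport: str; opts: dict

def parse_rule(text):
    """Split 'action proto src sport -> dst dport (opt:val; ...)' into a Rule (no ';' inside msg)."""
    head, body = re.match(r"(.*?)\s*\((.*)\)\s*$", text).groups()
    action, proto, src, sport, _, dst, dport = head.split()
    opts = {}
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return Rule(action, proto, src, sport, dst, dport, opts)

def addr_match(spec, ip):
    spec = HOME_NET if spec == "$HOME_NET" else spec
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def match(rule, pkt):
    """True when the header fields and the itype/flags options all agree with the packet."""
    ok = rule.proto == pkt["proto"] and addr_match(rule.src, pkt["src"]) and addr_match(rule.dst, pkt["dst"])
    ok = ok and all(s == "any" or int(s) == pkt.get(k, 0) for s, k in ((rule.sport, "sport"), (rule.dport, "dport")))
    ok = ok and ("itype" not in rule.opts or pkt.get("itype") == int(rule.opts["itype"]))
    return ok and ("flags" not in rule.opts or pkt.get("flags") == rule.opts["flags"])

def format_alert(rule, pkt):
    """Same shape as a 'snort -A console' line: [**] [gid:sid:rev] msg [**] {PROTO} src -> dst."""
    o = rule.opts
    return f'[**] [1:{o["sid"]}:{o["rev"]}] {o["msg"]} [**] {{{rule.proto.upper()}}} {pkt["src"]} -> {pkt["dst"]}'

def run(packets, rules=RULES):
    parsed = [parse_rule(r) for r in rules]
    return [format_alert(r, p) for p in packets for r in parsed if match(r, p)]

# Constructed packets: the ping the report shows (echo request), its reply, and two TCP SYNs.
SAMPLE_PACKETS = [
    {"proto": "icmp", "src": "192.168.43.47", "dst": "192.168.43.10", "itype": 8},
    {"proto": "icmp", "src": "192.168.43.10", "dst": "192.168.43.47", "itype": 0},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.43.10", "sport": 40000, "dport": 22, "flags": "S"},
    {"proto": "tcp", "src": "192.168.43.10", "dst": "8.8.8.8", "sport": 40001, "dport": 443, "flags": "S"},
]

if __name__ == "__main__":
    print("\n".join(run(SAMPLE_PACKETS)))
```

Only the inbound echo request and the inbound SYN to port 22 raise alerts; the echo reply (itype 0) and the outbound SYN fall through, which is the same distinction a correctly written Snort header rule makes.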
Intrusion detection system vs. intrusion prevention system
According to Snort -- The poor man's intrusion-detection system (2017), an IPS is similar to an
IDS except that an IPS is able to block threats. An IPS monitors, logs and reports activity
similarly to an IDS, but it is also capable of stopping a potential threat without the involvement
of a system administrator.
According to The Pros & Cons of Intrusion Detection Systems (2017), both intrusion detection and
intrusion prevention systems are important to any organization, offering the following benefits:
Detecting intrusions in real time.
Ability to analyze large volumes of data.
Automated actions and responses, such as blocking a potential threat and alerting the
administrator of an intrusion.
Real-time reporting capabilities.
Network rules and policies can be derived from the data analysis.
Pros of an intrusion detection system
An IDS can detect internal and external attacks.
An IDS can be scaled easily to cover entire networks.
It offers centralized management for correlating attacks.
It tracks virus propagation in the network.
It keeps data for forensic analysis.
Cons of an intrusion detection system
It generates a lot of data to be analyzed.
It cannot analyze encrypted traffic.
It only reacts to attacks by sending alerts and cannot prevent the attack from taking place.
It generates false positives and false negatives.
It requires full-time monitoring and skilled personnel to interpret the data.
It is expensive to implement over a complex network.
Pros of an intrusion prevention system
It reacts to potential threats and prevents attacks.
It provides defense in depth in the network.
It analyzes events in real time.
It does not require administrative personnel, since it makes decisions based on the rules
provided.
Cons of an intrusion prevention system
If an IPS is not tuned correctly, it can also deny legitimate traffic, denying resources to an
application.
It creates a network bottleneck, since all traffic must pass through the IPS in order to be
analyzed.
It generates false positive alarms, which can lead to problems if automated responses are
enabled.
It is expensive to implement in an organization with a complex network design.
References
Snort -- The poor man's intrusion-detection system. (2017). SearchSecurity. Retrieved 15 November 2017, from http://searchsecurity.techtarget.com/tip/Snort-The-poor-mans-intrusion-detection-system
The Pros & Cons of Intrusion Detection Systems. (2017). Komunity.komand.com. Retrieved 15 November 2017, from https://komunity.komand.com/learn/featured/the-pros-cons-of-intrusion-detection-systems/
Top Free Network-Based Intrusion Detection Systems (IDS) for the Enterprise. (2017). Upguard.com. Retrieved 15 November 2017, from https://www.upguard.com/articles/top-free-network-based-intrusion-detection-systems-ids-for-the-enterprise
Understanding Intrusion Detection | Part I - Intrusion Detection: Primer. (2017). Flylib.com. Retrieved 15 November 2017, from http://flylib.com/books/en/2.352.1/understanding_intrusion_detection.html
Write Your Own Snort Rules. (2017). Archive.oreilly.com. Retrieved 15 November 2017, from http://archive.oreilly.com/pub/h/1393
Snort.datanerds.net. (2017). Retrieved 15 November 2017, from http://snort.datanerds.net/lisapaper.txt