
Odt Enhanced Agent Based Intrusion Detection System Computer Science Essay


This coursework covers some of the most common attacks performed by hackers, such as Telnet and FTP attacks, some reconnaissance techniques and denial of service attacks. The lab scenario is built using VMware to create virtual machines acting as target systems; Wireshark is used as the sniffing tool and other hacking tools such as nmap are used to carry out the different attacks. Snort rules are applied in the implementation section to tune Snort to detect the attacks and generate alerts, which are then logged into the log file.

In the evaluation section the output/alerts generated by the Snort rules are explained.


With the current expansion of networks in terms of design and complexity, various factors need to be kept in mind while planning the network in terms of security. Security threats are not only external but can also be internal; organisations are often concerned about security threats from a user sitting inside the network. Nowadays the interest is not limited to mitigating the threat but also to detecting it, so that the situation can be analysed and further action can be taken.


This detection system is often called an intrusion detection system or IDS. An IDS provides various strategies to detect these threats and attacks. Threats can be an attacker, a hacker, a virus, spyware, worms and many more. This article covers some of the most common ones and how Snort can be configured/tuned as an IDS to detect and report them to the network administrator.

IDS can be categorised into two main classes: HIDS and NIDS.

Host-Based Intrusion Detection System (HIDS): a special agent is installed on the potential victim system to detect the attacks performed on it.


Network-Based Intrusion Detection System (NIDS): a special agent is installed on a server in the network which sniffs all the packets entering the network and then looks for particular patterns matching a threat profile; once a threat is detected it is reported to the network administrator. Although a NIDS is easy to implement and much more scalable, it still cannot sense threats entering the network via encrypted tunnels targeting a victim host sitting inside the network.

The lab scenario used in this article is built to use Snort as a HIDS: Snort is installed and configured on each of the host systems to detect the threats.


Snort can work both as a NIDS to monitor your network and as a HIDS to monitor your system. Snort is easily configurable; the configuration and rules files can be opened in Notepad and edited according to the requirements. The advantages of using Snort as an IDS are listed below.

Snort is open source software and it's free.

Snort is widely used by the open source community for testing and development, and by enterprises as an IDS, as can be checked from the thousands of downloads.

Snort is constantly updated.

Snort rules are regularly updated and new signatures are available for download.

Snort can be installed on multiple environments, Linux as well as Windows.

Requirements Analysis and Design

The diagram below shows the lab design. Here virtual machine software called VMware has been used to run Windows 2003 and Ubuntu Server as the possible target machines, and both servers are running Snort as IDS.

The main machine is a physical machine sitting on the same network as the target machines; from here the intruder attempts to hack into its targets. In VMware a virtual Ethernet adapter connects to the main machine on the external network and to the targets on the internal network. On the Windows server the FTP service is not installed by default, so it has been enabled via Add/Remove Programs in Control Panel. Wireshark is used as the sniffer in this scenario on the victim Windows Server virtual machine to capture the activities of the intruder.

Snort Requirements

Snort can also be used as a sniffing tool like Wireshark to sniff the packets (capture network traffic) on the system interface; for this Snort needs an application programming interface (API) called pcap. The pcap library is implemented on Unix systems as libpcap. On Windows operating systems WinPcap must be installed before Snort. The WinPcap library supports saving the captured packets to a file, and these saved files can be read later for analysis.


In this section different attacks such as Telnet, FTP, host scanning and denial of service attacks are discussed. These attacks are first generated from a virtual machine, and then the rules used in Snort to detect these attacks are discussed so that they can be prevented.

FTP Attacks

FTP is one of the most common, simple and powerful protocols used to transfer files over the network. FTP is based on a client/server architecture where a client starts an FTP connection on a TCP port and first sends the control information, which contains the user ID, password, target file and the action to be performed; then in a second TCP connection the data is downloaded. Although FTP is simple, robust and has no overheads, it is at the same time quite vulnerable because all data, including the control data (user ID, password), is sent in clear text with no encryption.

This is easily visible from the packets captured using any sniffer tool (here Wireshark) when the main machine attempts to FTP to the virtual machine.

So we need some encryption mechanism in place so that the sniffed information cannot be used even if it is captured.


When using rules with Snort as IDS, they cannot prevent the hacker from seeing the information in the sniffed packets; everything in the control and data channels will go in clear text as it is. But using the rule discussed below an alert is generated when a hacker is trying different passwords to log in (which is called a brute force attack).

alert tcp any 21 -> any any (msg:"someone has tried entering five times in 60 seconds"; content:"530 Login incorrect."; threshold: type threshold, track by_dst, count 5, seconds 30; sid:970;)


Brute force attack – When an attacker tries to get into the system by trying an incorrect password 5 times, the rule generates the following alert.

Using these logs the network administrator can keep an eye on hacker activity and take the necessary actions.

Telnet Attacks

Telnet is a protocol very similar to FTP, but instead of giving access to a file or folder to download (or delete, or anything else) it gives the user the ability to log in remotely to the system and gives access to all the data and programs installed there. The main security issue with Telnet is the same: it sends the user ID and password in clear text, which can be read by the intruder using any sniffing tool. That's why nowadays SSH is mainly used as an alternative, as it is much more secure than Telnet.

By analysing the sniffed packets when a Telnet request is made, the intruder can easily learn all the characters of the password, as shown.


This section explains both types of Telnet attacks and the Snort rules to detect them.

Brute force attack – In this attack the intruder tries different passwords from a dictionary (same as in FTP). With the Snort rule below, alerts/logs can be generated to warn the network administrator about this activity.

alert tcp any 23 -> any any (msg:"someone tries to connect five times in 60 seconds"; content:"Login incorrect"; threshold: type threshold, track by_dst, count 5, seconds 30; sid:991;)
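The FTP rule (sid:970) and the Telnet rule (sid:991) are the same mechanism with different content strings, so one added example serves both; it is my code, not the essay's or Snort's. It replays constructed FTP and Telnet server responses through the `track by_dst, count 5, seconds 30` threshold logic. Note that both rules' messages say 60 seconds while their threshold windows are 30 seconds, so the 30-second window is what is applied here; the sample IPs and timings are assumptions.

```python
"""Added example, not part of the original essay: the threshold logic shared by the
FTP (sid:970) and Telnet (sid:991) brute-force rules, replayed over constructed
server-to-client responses. Timestamps are seconds; IPs and payloads are made up."""
from collections import defaultdict, deque

# (server port, content string, sid, msg) for the essay's two rules
RULES = [
    (21, b"530 Login incorrect.", 970, "someone has tried entering five times in 60 seconds"),
    (23, b"Login incorrect", 991, "someone tries to connect five times in 60 seconds"),
]
COUNT, SECONDS = 5, 30  # threshold: type threshold, track by_dst, count 5, seconds 30


class ThresholdTracker:
    """Per (sid, destination IP) sliding window of match times, as `track by_dst` does."""

    def __init__(self):
        self.hits = defaultdict(deque)

    def fire(self, sid, dst, ts):
        window = self.hits[(sid, dst)]
        window.append(ts)
        while ts - window[0] > SECONDS:  # drop matches older than the window
            window.popleft()
        if len(window) >= COUNT:         # type threshold: alert every COUNT matches
            window.clear()
            return True
        return False


def evaluate(events, tracker=None):
    """events: (ts, src_ip, src_port, dst_ip, payload). Returns (ts, sid, dst, msg) alerts."""
    tracker = tracker or ThresholdTracker()
    alerts = []
    for ts, _src, sport, dst, payload in events:
        for port, content, sid, msg in RULES:
            if sport == port and content in payload and tracker.fire(sid, dst, ts):
                alerts.append((ts, sid, dst, msg))
    return alerts


SAMPLE = (
    # constructed: FTP server 10.0.0.5 rejects client 10.0.0.9 six times in 25 s
    [(t, "10.0.0.5", 21, "10.0.0.9", b"530 Login incorrect.\r\n") for t in (0, 5, 10, 15, 20, 25)]
    # constructed: client 10.0.0.7 fails five times but spread over 40 s, so no alert
    + [(t, "10.0.0.5", 21, "10.0.0.7", b"530 Login incorrect.\r\n") for t in (100, 110, 120, 130, 140)]
    # constructed: Telnet server 10.0.0.6 rejects client 10.0.0.9 five times in 8 s
    + [(t, "10.0.0.6", 23, "10.0.0.9", b"Login incorrect\r\nlogin: ") for t in (200, 202, 204, 206, 208)]
)

if __name__ == "__main__":
    for alert in evaluate(SAMPLE):
        print(alert)
```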

Access of the root user to the system – Whenever anybody logs on to the system as root, the rule below will generate a message to inform the network administrator about it.


Brute force attack – The alert below is generated in Snort's log file for 5 Telnet attempts in 30 seconds.

Access of the root user to the system – Once the intruder has hacked into the target system and then tries to log in as the super user, the alert below is generated in the log file.


Reconnaissance techniques are widely used by hackers to gather information about the live IP addresses, their active and listening ports, the OS running on them and their related services. These are broadly classified into host scanning and port scanning; in this section both attacks are discussed, and the scanning tool nmap is used to perform them.

Host scanning – Gathering information about the live systems on the network is done using a ping sweep. Here the intruder pings the network address range so that an ICMP request is sent to multiple hosts, and all the live systems reply with an ICMP echo reply, hence giving the intruder information about the live hosts.


Using nmap the intruder can easily discover the live systems on the network.

The rule below is applied in Snort to detect host scans: the ICMP echo type is 8 and the content is "abcdefghijklmnop"; when Snort matches this content an alert is generated.

alert icmp any any -> any any (
msg:"ICMP Echo Reply"; itype:8; content:"abcdefghijklmnop";
depth:16; sid:999;)
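An added example (my code, not the essay's or Snort's) that applies the rule's three tests, itype, content and depth, to constructed ICMP messages. ICMP type 8 is an echo request and type 0 is an echo reply, so the rule as written fires on the request a Windows-style ping sends (its payload begins with the alphabet string) and not on the victim's reply; matching the reply would need itype:0. The packets below are constructed, not captured.

```python
"""Added example, not part of the original essay: applying the host-scan rule's
tests (itype:8; content:"abcdefghijklmnop"; depth:16) to raw ICMP messages.
Packets are constructed here, with checksums left at zero since nothing is sent."""
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
RULE = {"itype": 8, "content": b"abcdefghijklmnop", "depth": 16}


def parse_icmp(raw):
    """Split an ICMP echo message into its 8-byte header fields and payload."""
    if len(raw) < 8:
        raise ValueError("truncated ICMP header")
    itype, code, _checksum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": itype, "code": code, "id": ident, "seq": seq, "payload": raw[8:]}


def rule_matches(raw, rule=RULE):
    """Snort semantics: itype must equal exactly; content must lie within the
    first `depth` payload bytes (16 here, so the 16-byte string must start at 0)."""
    msg = parse_icmp(raw)
    if msg["type"] != rule["itype"]:
        return False
    return rule["content"] in msg["payload"][: rule["depth"]]


def build_echo(itype, ident, seq, payload):
    """Constructed ICMP echo request/reply; checksum zeroed (not for transmission)."""
    return struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload


WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte pattern Windows ping uses
LINUX_PAYLOAD = bytes(8) + bytes(range(0x10, 0x40))   # timestamp + 0x10..0x3f, as Linux ping

# the request a Windows-style ping sweep sends: type 8, matching content -> alert
REQUEST = build_echo(ICMP_ECHO_REQUEST, 1, 62, WINDOWS_PAYLOAD)
# the victim's reply echoes the same payload but has type 0 -> itype:8 does not match
REPLY = build_echo(ICMP_ECHO_REPLY, 1, 62, WINDOWS_PAYLOAD)
# a Linux ping is type 8 but carries a different payload -> no match
LINUX_REQUEST = build_echo(ICMP_ECHO_REQUEST, 1, 1, LINUX_PAYLOAD)
# the same content shifted one byte later falls outside depth:16 -> no match
SHIFTED = build_echo(ICMP_ECHO_REQUEST, 1, 2, b"x" + WINDOWS_PAYLOAD)

if __name__ == "__main__":
    for name, pkt in [("request", REQUEST), ("reply", REPLY), ("linux", LINUX_REQUEST), ("shifted", SHIFTED)]:
        print(name, rule_matches(pkt))
```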


The alert generated by Snort in the log file when an ICMP ping is detected is shown below.

[**] ICMP Echo Reply [**]
04/15-00:14:03.821509 ->
ICMP TTL:128 TOS:0x0 ID:485 IpLen:20 DgmLen:60
Type:0 Code:0 ID:1 Seq:62 ECHO REPLY


These alerts can inform the network administrator about the host scan done on the network.

Port scanning

Port scanning is a technique used by hackers to check for all the open ports on the target systems and hence learn about the running services. The port scan software scans all the ports by sending a series of messages and gets one of the following responses from the target system:

Open or Accepted – the target host tells that these ports are open and in use

Closed or Denied or Not Listening – the target host tells that these ports are not in use

Filtered, Dropped or Blocked – when there is no reply from the host on these ports

The most common practice for port scanning is the TCP scan, where the intruder uses any TCP scanning tool to send a series of request messages to the target system; the target system completes the TCP three-way handshake and then drops the connection, giving the intruder all the information about the open ports.


When a port scan is run against the target system using nmap, the intruder can get information about all the open ports and the services running on it, as shown.

In Snort there are built-in mechanisms called the sfportscan preprocessor and stream5 to protect the system from the TCP and UDP port scans shown above. The preprocessor has three components which can be configured to detect port scan attacks.

Here the preprocessor looks at all the specified protocols which Snort needs to detect, with a sense level, and the result is logged into the portscan.log file.


When a port scan is detected on the host, a portscan.log file is generated in Snort by the preprocessor.

Denial of Service Attack (DoS)

In a DoS attack the intruder can make the system unusable by overloading its resources and eventually slowing it down. Here the intruder's aim is not to gain access to the system but to crash it. Although there are different types of DoS attacks commonly used by hackers, only SYN flooding is discussed in this section.

SYN Flooding Attack

A TCP session is established using a three-way handshake, as shown in the diagram below in red:

Host X sends the SYN packet to request a TCP session,

Host A sends back SYN/ACK to acknowledge this request,

This is then acknowledged back by Host X and the TCP session is established.

When Host A receives the SYN request from X, it keeps track of the partially opened connection in a "listen queue" for at least 75 seconds. The intruder can exploit this small listen queue by sending multiple SYN requests to a host but never replying to the SYN/ACK. Since the victim can handle only a limited number of TCP connection requests at one time, its queue is quickly filled up and it will start dropping further TCP connection requests, which may be from legitimate users.


The SYN flood is applied to the target system using a tool called Longcat. When this tool runs it asks for the target IP address and the port number of the victim machine, and then for the number of threads (SYN floods) to be generated. As the tool starts, it is observed that the CPU usage of the virtual machine keeps increasing, up to 90%.

The packets are analysed in Wireshark as shown; it can be seen that there is a series of SYN and SYN,ACK exchanges going on with no final ACK coming back to establish the TCP session on port 80.

To detect the SYN flood (DoS attack), Snort is configured with the rule below, which matches TCP SYN packets arriving more than 20 times in one second; if it detects this as a SYN flood DoS attack, an alert is generated.

alert tcp any any -> any any (msg:"TCP SYN flood (DOS)"; flags:S,12; threshold: type threshold, track by_dst, count 20, seconds 1; sid:989;)
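An added example (my code, not the essay's or Snort's) of how `flags:S,12` in the rule above decides which segments count: the two high reserved bits of the flags byte are masked off, after which exactly SYN must be set, so a plain SYN and a SYN with those bits set both count, while the server's SYN/ACK does not. The per-second, per-destination count mirrors `count 20, seconds 1`; packets, ports and addresses are constructed.

```python
"""Added example, not part of the original essay: how Snort's `flags:S,12` test in
the SYN-flood rule (sid:989) classifies TCP segments, plus a per-destination,
per-second count of the segments it accepts. All packets are constructed."""
import struct
from collections import Counter

# TCP flag bits in the 8-bit flags byte (header byte 13)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
RESERVED_2, RESERVED_1 = 0x40, 0x80   # Snort's "reserved bits 2 and 1" (ECE/CWR today)
IGNORE_MASK = RESERVED_1 | RESERVED_2  # the ",12" in flags:S,12 ignores both


def tcp_flags(raw_tcp):
    """Return the flags byte of a raw TCP header."""
    if len(raw_tcp) < 20:
        raise ValueError("truncated TCP header")
    return raw_tcp[13]


def matches_flags_s12(raw_tcp):
    """flags:S,12 -> with bits 1 and 2 masked off, exactly SYN must be set."""
    return (tcp_flags(raw_tcp) & ~IGNORE_MASK) == SYN


def build_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header: seq/ack/checksum zeroed, data offset 5 words."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def syn_buckets(packets):
    """packets: (ts, dst_ip, raw_tcp). Count accepted segments per (dst_ip, second)."""
    buckets = Counter()
    for ts, dst, raw in packets:
        if matches_flags_s12(raw):
            buckets[(dst, int(ts))] += 1
    return buckets


def flood_alerts(packets, count=20):
    """Destinations/seconds reaching the rule's `count 20, seconds 1` threshold."""
    return sorted(k for k, n in syn_buckets(packets).items() if n >= count)


SAMPLE = (
    # constructed: 22 SYNs (every other one with the reserved bits set) hit 10.0.0.5:80 in 0.5 s
    [(i * 0.02, "10.0.0.5", build_tcp(40000 + i, 80, SYN | (IGNORE_MASK if i % 2 else 0)))
     for i in range(22)]
    # constructed: the server's SYN/ACK replies back to the flooder; flags:S,12 rejects them
    + [(i * 0.02 + 0.001, "10.0.0.99", build_tcp(80, 40000 + i, SYN | ACK)) for i in range(22)]
    # constructed: one legitimate SSH SYN to another host
    + [(5.0, "10.0.0.6", build_tcp(51000, 22, SYN))]
)

if __name__ == "__main__":
    print(flood_alerts(SAMPLE))  # [('10.0.0.5', 0)]
```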


The log below shows how Snort has detected the SYN flood in the log files.


This coursework not only provides exposure to how Snort works and how it deals with the attacks, but also shows in detail how these attacks can be performed and how they threaten any organisation. Although it can be a bit tedious to run Snort for the first time, as it needs some tweaking in the .config file to make it work properly, it is still one of the simplest and most easily configurable IDS around. This article explains how Snort acting as a HIDS can easily detect even the attacks performed by intruders via encrypted tunnels. All the different types of attacks are explained, performed and analysed, and then Snort is configured to detect them.

This article uncovers the vulnerabilities of the FTP and Telnet protocols, which send everything in clear text. Using nmap to demonstrate reconnaissance techniques has also shed some light on how an intruder can gather information about live network systems and their ports. Apart from that, the Wireshark logs have proved quite handy for analysing the TCP three-way handshake and the clear text data in FTP and Telnet; looking into these logs makes it easy to understand network communications and how rules can be developed to detect different kinds of threats. Practically installing and running these attacks on virtual machines can make the system a bit slow, especially while performing DoS attacks.

All these tools can help in understanding threats in a better way and eventually help in developing rules for Snort, making it an even stronger IDS. In the end it can be concluded that Snort, configured properly, could prove to be a great IDS, making it much easier for the network administrator to deal with security threats.



Odt Enhanced Agent Based Intrusion Detection System Computer Science Essay. (2020, Jun 02). Retrieved from
