Please use this identifier to cite or link to this item: http://dspace.unimap.edu.my:80/xmlui/handle/123456789/3298
Full metadata record
DC Field | Value | Language
dc.contributor.author | Mohd Yusnizam Mohamad | -
dc.date.accessioned | 2008-11-24T01:51:47Z | -
dc.date.available | 2008-11-24T01:51:47Z | -
dc.date.issued | 2007-04 | -
dc.identifier.uri | http://dspace.unimap.edu.my/123456789/3298 | -
dc.description.abstract | An IPS or Intrusion Prevention System can be an important component for protecting systems on a network. An IPS is based upon an IDS or Intrusion Detection System, with the added component of taking some action, often in real time, to prevent an intrusion once it is detected by the IDS. This thesis describes a design and shows how to build, run and manage an IPS built entirely from Open Source products. At a high level, an IPS consists of a Network Intrusion Detection System (NIDS) that captures all network traffic flows, analyzes the content of individual packets for malicious traffic and generates security events. A central rules engine then captures the security events and generates alerts based on the events received. The system also has a console to monitor events and alerts and to control the NIDS. Lastly, the IPS component takes action based on the alerts and attempts to block the malicious traffic. For this design, the Snort IDS [1] provided the base IDS system and rules engine, Snortsam [2], a plug-in for Snort, provided the IPS function, and BASE [3], an open source PHP application, provided the console function. The IPS design described in this thesis integrates a distributed Snort IDS sensor with a Snortsam output plug-in and Snortsam agents running on Linux hosts with IPTables. With this configuration, intrusions are detected at a network level and prevented at a host level. This design could be applied to any small to medium sized network and is written for technical integrators who are interested in building their own IPS without incurring software licensing costs. | en_US
dc.language.iso | en | en_US
dc.publisher | Universiti Malaysia Perlis | en_US
dc.subject | Open source software | en_US
dc.subject | Computer hackers | en_US
dc.subject | Software engineering | en_US
dc.subject | Computer security | en_US
dc.subject | Computer networks -- Security measures | en_US
dc.title | A design for building and implementation of Network based intrusion detection and prevention system (NIDPS) using open source products | en_US
dc.type | Learning Object | en_US
dc.contributor.advisor | Suhizaz Sudin (Advisor) | en_US
dc.publisher.department | School of Computer and Communication Engineering | en_US
Appears in Collections: School of Computer and Communication Engineering (FYP)

Files in This Item:
File | Description | Size | Format
References and appendix.pdf | - | 3.16 MB | Adobe PDF
Conclusion.pdf | - | 3.09 MB | Adobe PDF
Results and discussion.pdf | - | 3.09 MB | Adobe PDF
Methodology.pdf | - | 3.19 MB | Adobe PDF
Literature review.pdf | - | 3.13 MB | Adobe PDF
Introduction.pdf | - | 3.08 MB | Adobe PDF
Abstract, Acknowledgement.pdf | - | 226.47 kB | Adobe PDF


Items in UniMAP Library Digital Repository are protected by copyright, with all rights reserved, unless otherwise indicated.