1.4 What Is NIDS (and What Is an Intrusion)?
On a basic level, network intrusion detection is exactly what it sounds like: the process of determining when unauthorized people are attempting to break into your network. Keeping those attackers out or extracting them from the network once they've gotten in is a different problem. Obviously, keeping intruders out of your network is a meaningless task if you don't know when they're breaking in.
Detecting unauthorized connections is a good start, but it is not the whole story. Network intrusion detection systems like Snort are great at detecting attempts to log in to your system, access unprotected network shares, and things like that. But there are other kinds of intrusion that are not as clear-cut as an outsider walking past the receptionist at the front desk and sitting down at a computer. Is a denial of service attack—one that operates by sending a carefully crafted sequence of packets to a network server and ultimately crashing it—an intrusion? No one has literally gained access to your machine's physical resources. However, bandwidth, CPU time, and hard-drive space on your IDS are all consumed by the attack. Denial of service is considered a successful attack because it occupies resources that would have been employed somewhere else. Does someone probing your networks with port scans or pings constitute an intrusion? Perhaps not, but it is a sign that she may soon start doing something more hostile. So we also consider probing an intrusion, and expect our intrusion detection system to warn us whenever things such as these happen.
Generally speaking, an intrusion detection system like Snort scans network traffic looking for suspicious activity based on the signatures of bad packets. You are probably already familiar with tools like tcpdump and ethereal, which display all the traffic flowing on your network within a specific subnet. An intrusion detection system is essentially an automated tcpdump, a packet sniffer that sniffs in the background and does not require you to watch or analyze the traffic yourself. Tools like ethereal work well for debugging; for instance, when you have to look at each packet to figure out what might be wrong. But on any real network, there is just too much traffic to watch for suspicious activity. That is what computers are good for: doing a very boring job repetitively, and alerting you when something interesting comes along.
An IDS watches the packets traversing your network and decides whether anything is suspicious. How does it know what is suspicious? Snort bases its analysis on the signatures of bad packets: essentially, a list of descriptions of the types of packets that indicate the system is under attack or a successful attack has already taken place. For example, if you receive an ICMP packet that is abnormally large, you may infer somebody is trying the antiquated ping of death attack against a host on the network. If you see fragmented packets that are extremely short, you may also infer that somebody is trying one of the many attacks that rely on fragmentation to sneak by firewalls.
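To make the signature idea concrete, here is a toy signature matcher added for this chapter (it is not the book's code and not Snort's engine): it decodes the fixed IPv4 header fields, then runs two signatures modelled on the examples above, an oversized ICMP datagram and a tiny IP fragment. The size thresholds (1024 and 24 bytes) and the sample addresses are constructed for illustration, not Snort's own rule values.

```python
import struct
from typing import Callable, Iterable, List, NamedTuple, Tuple

class Packet(NamedTuple):
    src: str
    dst: str
    proto: int        # 1 = ICMP, 6 = TCP, 17 = UDP
    total_len: int
    more_frags: bool
    frag_offset: int  # in bytes
    payload_len: int

def parse_ipv4(raw: bytes) -> Packet:
    """Decode the IPv4 header fields that the signatures below inspect."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    more_frags = bool(flags_frag & 0x2000)        # MF flag
    frag_offset = (flags_frag & 0x1FFF) * 8       # offset field is in 8-byte units
    return Packet(".".join(map(str, src)), ".".join(map(str, dst)), proto,
                  total_len, more_frags, frag_offset, total_len - ihl)

# Signatures: (alert message, predicate). Thresholds are constructed for this example.
SIGNATURES: List[Tuple[str, Callable[[Packet], bool]]] = [
    ("ICMP datagram abnormally large (ping-of-death style)",
     lambda p: p.proto == 1 and p.total_len > 1024),
    ("Tiny IP fragment (possible firewall evasion)",
     lambda p: (p.more_frags or p.frag_offset > 0) and p.payload_len < 24),
]

def scan(packets: Iterable[Packet]) -> List[Tuple[str, str, str]]:
    """Return (message, src, dst) for every packet that matches a signature."""
    return [(msg, p.src, p.dst) for p in packets for msg, match in SIGNATURES if match(p)]

def build_ipv4(proto: int, payload_len: int, src: str, dst: str,
               more_frags: bool = False, frag_offset: int = 0) -> bytes:
    """Construct raw sample traffic (header plus zero-filled payload) for the demo."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, flags_frag, 64,
                      proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + b"\x00" * payload_len

# Constructed sample: an ordinary ping, an oversized ICMP datagram, a tiny first fragment.
SAMPLE = [build_ipv4(1, 56, "192.0.2.10", "192.0.2.20"),
          build_ipv4(1, 2000, "198.51.100.7", "192.0.2.20"),
          build_ipv4(6, 8, "198.51.100.9", "192.0.2.20", more_frags=True)]

def demo() -> List[Tuple[str, str, str]]:
    return scan(parse_ipv4(b) for b in SAMPLE)
```

Running `demo()` flags only the second and third sample packets; the ordinary ping passes every signature.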
Snort (and other intrusion detection systems) comes with thousands of signatures, based on attacks that have been observed "in the wild." The list grows longer every day and updates are constantly posted to the Snort web site. Part of the job (and one that is managed nicely by the tool we will soon discuss) is keeping your signature list up-to-date.
Snort and other intrusion detection systems thus provide an important first line of defense against attacks. If an intruder manages to log in to your network server, you might be able to find the evidence in system logs, although a smart cracker would delete your logfiles. The host intrusion detection system watches for unauthorized activity on an individual system. If someone manages to compromise the same server using a fragmentation attack, you might be able to figure out what happened after the fact by looking at logs, but you might not—and at that point, it is too late.
While it is too optimistic to talk about "real-time" intrusion detection, it is extremely important that an IDS detect attacks early, before any damage can be done, and that it send notifications to you and to a secure database. We discuss "invisible" or stealthy methods of logging Snort's warnings and alerts to a database elsewhere. If you can head off an attack, so much the better—but even if you cannot, an IDS might be the only way to figure out what happened and prevent it from happening again.