Most of today’s defensive technologies do little to stop a determined network intruder. Antivirus software, intrusion detection systems and even firewalls are considered absolutely necessary for most organizations and are widely deployed. However, they are not much of an obstacle or shield against an intruder; what they do provide is notification: they log intrusions as they happen and alert network administrators to on-going activity on the network.
Antivirus software is a perfect example of a necessary defense that simply does not hold up against a skilled attacker. You definitely do not want to run systems without antivirus software, but you are not using it to prevent targeted attacks. Most antivirus technologies are signature based: if a file or executable matches a known signature, it is flagged and acted upon. This only works when a signature already exists for the malicious program in question; new or modified malware that matches no signature passes through undetected.
On 16th August 2018, an Australian newspaper reported that Apple had been hacked and that 90 GB of secure internal files had been stolen. After bypassing the security measures, the hacker was able to tunnel into the secured systems and download reams of information about the company. But because this activity deviated from the normal daily pattern in the system logs, Apple eventually noticed it through its intrusion detection systems, blocked the access and alerted the FBI; the hacker later pleaded guilty to the criminal intrusion in an Australian court. The defenses did not stop the intrusion, but the detection layer is what ended it.
Attackers gather as much information about their targets as they can, and a scan that covers only the most common ports is, ironically, often ineffective. By identifying uncommon ports in use, hackers find strange or neglected services, which can expose valuable data or provide attack paths. The attacker’s goal during information gathering is to be as thorough as possible and scan all 65,535 ports, not just a default list.
When performing a full scan, hackers work hard to stay anonymous while extracting as much information as possible, and the result is catastrophic for a target that has no good intrusion detection system to notice the scanning activity.
In most cases, hackers will want to try at least three scans from different source networks: one slow or very slow scan, one normal scan, and one very fast scan, so that at least one of them is likely to slip past detection. Performing the scans from different source networks also gives them more accurate information and covers the possibility that one of the scans is identified and fed inaccurate results.
Malicious traffic detection with SNORT intrusion detection system
Snort is an open source network intrusion detection and prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as stealth port scans, SMB probes, OS fingerprinting attempts, and much more.
Snort can be installed on Linux distributions such as CentOS, Debian, Fedora, Slackware and Ubuntu, and also on BSD systems such as OpenBSD.
On Debian-based systems such as Ubuntu, the commands below install Snort from the distribution packages; the package asks for the interface to listen on and the address range of the home network during installation:
sudo apt-get update
sudo apt-get install snort
Once Snort is installed, its configuration file, /etc/snort/snort.conf, is opened in an editor to set the HOME_NET variable to the address or network range that Snort should watch for intrusions (for example the local subnet); the rules refer to $HOME_NET, so alerts for inbound probes depend on it being correct. After editing, Snort’s -T option tests the configuration and exits, which catches syntax errors before the sensor is restarted.
Snort is then started from the terminal with the command below, which begins intrusion detection on the given network interface (wlan0 here) and prints alerts to the console (-A console). The interface flag is a lowercase -i, and capturing packets from the interface requires root:
sudo snort -A console -i wlan0 -c /etc/snort/snort.conf
When traffic matching a rule reaches the machine or the HOME_NET range set in the configuration file, say a ping to the machine, an nmap scan, or any other tool sending requests to the target, Snort notices the attempt and reports it on the console of the machine running Snort.
Note that an alert is only produced if a rule matches: the stock rule set will not necessarily alert on a plain ping. For this kind of test, a local rule for ICMP echo requests or for SYN probes to $HOME_NET is typically added to /etc/snort/rules/local.rules, which snort.conf includes, using a sid of 1000000 or higher so it does not collide with distributed rules.
Beyond alerting, Snort records enough detail to reconstruct what happened: the source of the intrusion, the protocol used, and the time and date of each event can be retrieved from the alert output.
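The following Python script is an added example, not code from the original article or from the Snort project. It shows two of the points above in working code: how the source, protocol and time of each event can be pulled out of the alert lines that snort -A console prints (timestamp, [gid:sid:rev], message, {PROTO} and src -> dst), and why the slow scan from the earlier section is the one that slips past a threshold-based scan detector. The alert lines are constructed for the example; they are what local rules such as alert icmp any any -> $HOME_NET any (msg:"ICMP echo request to HOME_NET"; itype:8; sid:1000001; rev:1;) and a matching tcp rule with flags:S would print. The detection threshold (more than 10 distinct ports within 60 seconds) is an assumption chosen for illustration.

```python
"""Parse Snort alert_fast/console lines and detect port scanners in them.

Added example (not from the original article or the Snort project). It uses
the default alert_fast line layout that `snort -A console` prints; the
sample lines below are constructed, not captured from a real sensor.
"""
import re
from collections import defaultdict
from datetime import datetime

# Snort fast/console alert line, e.g.
# 08/16-10:00:01.000000  [**] [1:1000002:1] SYN to HOME_NET [**] [Priority: 3] {TCP} 10.0.0.5:41000 -> 192.168.1.10:21
# ICMP lines carry no port numbers, so the port groups are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict with time, sid, msg, proto, src, dst, dport for one
    alert line, or None if the line is not in alert_fast format."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # The default format has no year (unless snort is run with -y); strptime
    # fills in 1900, which is fine for ordering events within one log.
    d["time"] = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d


def summarize(alerts):
    """Per-source view of the intrusion: alert count, protocols used,
    first and last time seen."""
    out = {}
    for a in alerts:
        s = out.setdefault(a["src"], {"count": 0, "protos": set(),
                                      "first": a["time"], "last": a["time"]})
        s["count"] += 1
        s["protos"].add(a["proto"])
        s["first"] = min(s["first"], a["time"])
        s["last"] = max(s["last"], a["time"])
    return out


def find_scanners(alerts, max_ports=10, window_s=60):
    """Flag sources that probed more than max_ports distinct destination ports
    within any window_s-second window. Returns {src: distinct ports seen in
    the window that tripped the threshold}. A scan paced slower than the
    threshold never trips it, which is why attackers include a slow scan and
    why the window and count need tuning per network."""
    by_src = defaultdict(list)
    for a in alerts:
        if a["dport"] is not None:
            by_src[a["src"]].append((a["time"], a["dport"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) > max_ports:
                flagged[src] = len(ports)
                break
    return flagged


def make_sample_alerts():
    """Constructed sample output (not real Snort data): one ping and a fast
    SYN sweep of 12 ports within two seconds from 10.0.0.5, and the same 12
    ports probed from 10.0.0.9 five minutes apart (a slow scan)."""
    pri = "[**] [1:%d:1] %s [**] [Priority: 3]"
    lines = ["08/16-10:00:00.000000  " + pri % (1000001, "ICMP echo request to HOME_NET")
             + " {ICMP} 10.0.0.5 -> 192.168.1.10"]
    ports = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389]
    for i, p in enumerate(ports):
        syn = pri % (1000002, "SYN to HOME_NET")
        lines.append("08/16-10:00:%02d.%06d  %s {TCP} 10.0.0.5:%d -> 192.168.1.10:%d"
                     % (1 + i // 6, (i % 6) * 100000, syn, 41000 + i, p))
        lines.append("08/16-11:%02d:00.000000  %s {TCP} 10.0.0.9:%d -> 192.168.1.10:%d"
                     % (5 * i, syn, 51000 + i, p))
    return lines


if __name__ == "__main__":
    alerts = [a for a in map(parse_alert, make_sample_alerts()) if a]
    for src, s in summarize(alerts).items():
        print(src, s["count"], "alerts", sorted(s["protos"]),
              s["first"].strftime("%m/%d %H:%M:%S"), "to",
              s["last"].strftime("%m/%d %H:%M:%S"))
    print("flagged as port scanners:", find_scanners(alerts))
```

Run against the constructed lines, the summary shows 10.0.0.5 with ICMP and TCP activity within three seconds and 10.0.0.9 with TCP activity spread over 55 minutes, yet only 10.0.0.5 is flagged as a scanner: the slow scan probes the same twelve ports but never exceeds the threshold inside any one window. Widening window_s to an hour catches it, at the cost of more false positives on busy hosts, which is the trade-off behind the attacker's three-speed scanning strategy. On a real sensor, feed the script the lines from the alert file that snort writes under its log directory instead of make_sample_alerts().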
Join Summit Consulting Ltd, in partnership with IFIS, at our annual cyber-security awareness and risk management conference, scheduled for 16th to 18th October 2019. You need to know who is sniffing around your secure zone, who is launching which attacks, from where, and at what time.