
Telecommunication placement

Installation of an Intrusion Detection System

08/05/06 – 07/07/06

Practising lecturer: Øyvind Hallsteinsen
Telecom-Lille tutor: Willy Longueville

David Férot
FI 2009
Year 2005-2006
Høgskolen I Sør-Trøndelag

Avdeling for InformaTikk og e-Læring

Telecom-Lille

Acknowledgments

First of all, I would like to thank Mr Øyvind Hallsteinsen very much, who was my practising tutor during this work placement. He helped me to discover Linux and networking. He was always available and patient with explanations and did his best to make sure my stay was as enjoyable as possible.

I am also very grateful to Mr Willy Longueville, my Telecom-Lille tutor, for his advice and his monitoring during these 9 weeks.

Thanks to the ENIC, our school, for giving us the opportunity to do such a training period, particularly Martine Ducornet, who helped us with all the administrative papers.

Finally, I want to thank Mr Jan Nilsen, the international coordinator of the Faculty of Informatics and e-Learning, for his help during the first days and for helping me to discover Trondheim.

Table of contents
Introduction................................................................................................7
I. Presentation...........................................................................................8
A. Norway...............................................................................8
B. Trondheim..........................................................................9
C. The Sør-Trøndelag University College...............................10
D. The Faculty of Informatics and e-Learning.......................11
E. The network of the school................................................13
II. Before using Snort ............................................................................15
A. Introducing Snort.............................................................15
What is an IDS?............................................................15
What is Snort?..............................................................16
B. Discover Debian Linux.....................................................17
Windows mode.............................................................17
Shell mode....................................................................18
C. Install Snort.....................................................................20
III. Snort...................................................................................................22
A. Before using Snort as an IDS...........................................22
First uses of Snort.........................................................22
Snort as sniffer and logger...........................................23
B. Snort as an IDS................................................................24
C. User’s quick manual........................................................26
Conclusion................................................................................................29
Glossary....................................................................................................30
Bibliography and links .............................................................................31
Books:....................................................................................31
Websites:...............................................................................31
Appendix .................................................................................................32

Introduction

After having already done several placements in France, one of my first goals for this telecommunication placement was to discover another culture. It was really a great opportunity to come and study for 9 weeks at the Faculty of Informatics and e-Learning.

The objectives of this placement consisted of implementing a Network Intrusion Detection System (NIDS) based on the Snort software, documenting it and establishing procedures to support it. This subject was unknown to me and, before beginning the installation of Snort, I had to learn how to use Linux from the shell.

But another important aspect of this training period was also to discover an unknown part of Europe, and to see for myself the reality of the Norwegian economy and way of life. I learned a lot from my experience as I shared my daily life with Norwegian students.

I. Presentation

As this country was unknown to me before I came here, I will introduce it to you, then describe Trondheim, the University, the Faculty and the networks of the Faculty, which are connected to the national universities network.

A. Norway

Before I came, Norway was to me a raw country of Scandinavia with a great standard of living.

Norway is a very elongated country (2,000 km between north and south). The south-west coast receives the Gulf Stream and the weather is temperate in the southern part of the country. It is subarctic in the north.

Norway is populated by 4.5 million inhabitants in 325,000 km² (half of France). It is a constitutional monarchy with a parliamentary system of government. It is a social democracy where the state intervenes in the expansion of capitalism, which has created the country with the highest Human Development Index in the world.

Norway is not a part of the European Union but the country takes part in active cooperation with it. The government held two referendums on joining the EU but the result was “no” both times. Norwegian foreign policy is based on active international cooperation. It is a member of the United Nations and the North Atlantic Treaty Organisation.

It is very easy to live in Norway for a simple reason: everybody speaks English and is ready to help you.

B. Trondheim

As said previously, my training period took place in one of the faculties of Trondheim. I will introduce it to you in a few words.

Trondheim was founded in 997 by the Viking king Olav Tryggvason, who named it Kaupangen, “The Trade Place”. St Olav is still in the centre of the city, as a statue on the top of a column, like Nelson in London.

Trondheim is located in the county of Sør-Trøndelag. It is situated 500 km from Oslo and 500 km from the Arctic Circle, on the west coast, where the river Nidelva meets the Trondheimsfjorden.

Trondheim is the third largest Norwegian town after Oslo and Bergen. It counts 160,000 inhabitants and about 30,000 students.

Trondheim takes up around 350 km² (for comparison, Lille takes up 40 km² and counts 230,000 inhabitants). So it has all the charm of a small town (with low density) but the facilities of a city. Crime is fortunately rare and the social atmosphere is friendly. You can find a lot of quiet places in the city, especially along the well preserved coast of the fjord, and as in most parts of Norway, mountains, forests and fjords are close at hand.

Trondheim has been a regional trading and communication centre for more than 1000 years, and has a long tradition of science and education. Norway's first school was established in Trondheim in 1210. The school still exists as an upper secondary school. In 1760, the Royal Norwegian Society of Sciences and Letters was established as an academic institution that is still Norway's most prestigious institution. Norway's first technical school was established in Trondheim in 1870. What is today the Norwegian University of Science and Technology (NTNU) was established in Trondheim in 1910 as the Norwegian Institute of Technology.

C. The Sør-Trøndelag University College

Sør-Trøndelag University College was established in 1994 by merging eight colleges in Trondheim. With 8,000 students it is the third largest university college in Norway, and one of the two dominant academic institutions in Trondheim. The college offers a wide range of bachelor's and master's programmes as well as continuing education programmes and other courses.

The University College has seven faculties, located at five different campuses in Trondheim. They teach Health Education and Social Work, Nursing, Teacher Education and Deaf Studies, Technology, Food Science and Medical Technology, Business Administration and, the one we are interested in, Informatics and e-Learning.

D. The Faculty of Informatics and e-Learning

The Faculty of Informatics and e-Learning, called Avdeling for InformaTikk og e-Læring (AITeL) in Norwegian, counts approximately 475 students and about 40 employees.

In co-operation with other university colleges and universities, this faculty has managed to become the largest provider of distance learning via the Internet in Norway. Last year, 1,500 students were in the distance education programme.

The faculty principally teaches three undergraduate study programmes: a 3-year IT-supported Business Administration programme, a 3-year Network Administration Programme and a 3-year Computer Engineering Programme. It also teaches a 3-year Information Technology Programme and a 2-year Master's programme in Software Engineering, but fewer students choose them and I will not speak about them here. For postgraduate programmes, there are two: one in Computer Science and one in Web Design and e-Commerce.

The bachelor in IT-supported Business Administration focuses on how to use IT to improve business. To do so, this programme gives students the necessary background in economics and business. In brief, this programme covers three areas of subjects: business development (economics, product development, etc.), organization (cooperation, project management, etc.) and informatics (lighter subjects such as web publishing and basic security).

The bachelor in Systems Maintenance gives the students the background needed to administer computer systems and networks. During the second and third year, the students get a combination of theoretical and practical knowledge in subjects such as network management, service management and different types of services (file, print, databases, web servers, email, etc.). Typical jobs include systems administrator, network administrator, user support and similar.

The bachelor in Computer Engineering, the most popular at AITeL, teaches students how to create software. To achieve this, the programme includes the ability to communicate (with human beings and organizations), lessons about user interface design, significant knowledge of code (Java, OpenGL, C, C++, etc.) and courses about testing a program system and maintaining it, correcting runtime errors and adding improved functionality and extensions. Job advertisements might say programmer, program developer, system or software developer or computer consultant.

E. The network of the school

In Norway, there is a company owned by the Norwegian Ministry of Education and Research which supplies the network and network services for Norwegian universities, university colleges and research institutions. This is the UNINETT Group. The whole Group is located in Trondheim.

All of Norway's colleges and universities are connected, and any non-commercial research or educational institution, such as libraries, archives and schools, may be connected for a yearly fee. You can find the map of this network in the appendix.

The backbones of UNINETT are typically 1 or 2.5 Gbit/s fibre optic links. For institutions not near the backbone, the maximum capacity is 155 Mbit/s. UNINETT is connected to other similar networks in the Nordic countries via NORDUnet, which is connected to the European project GEANT.

The University is connected to the UNINETT network via a router (mtfs.gw.uninett.no) which separates the different faculty networks. The Faculty of Informatics and e-Learning has installed a router (Kaluskinnet-gsw.hist.no) to join its internal networks with the University network.

There are twenty networks at the faculty, with dedicated users for each: students, teachers, administration, wireless LAN, etc.

[Photo: communication room in the faculty]

One of these networks is dedicated to tests. It is separated from the rest of the network by a router with a firewall. The Intrusion Detection System had to be implemented on this router.

This network is made up of optical fibre between buildings and floors, and the connections on the same floor are made with Ethernet cables.

[Figure: faculty network diagram. Labels: UNINETT, Mtfs-gw.uninett.no, Faculties Networks, AITeL, Kaluskinnet-gsw.hist.no, Other Networks, br280-sw.hist.no, Test Network]

II. Before using Snort

The project for this work placement consisted of implementing the NIDS Snort on a test computer, in order to install it on a server as soon as possible. But before I could use Snort, I had to acquire some knowledge.

A. Introducing Snort

What is an IDS?

An Intrusion Detection System is software intended to locate abnormal or suspicious activities on a network or a host.

There are two main families of IDS: the Network Intrusion Detection System (NIDS) and the Host Intrusion Detection System (HIDS).

A NIDS is based on libraries of signatures. The analysis is similar to that of antivirus software (when it is based on attack signatures). A NIDS is situated at choke points in the network, typically connected to a router or switch. It identifies intrusions by examining the network traffic. A NIDS is not limited to inspecting incoming network traffic only. Oftentimes valuable information about an ongoing intrusion can be learned from outgoing or local traffic as well. Some attacks might even be staged from the inside of the monitored network or network segment, and are therefore not regarded as incoming traffic at all.

[Figure: a NIDS placed between the External Network and the Internal Network]

A HIDS consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, etc.) and other host activities and state. Much as a NIDS dynamically inspects network packets, a HIDS may detect which program accesses which resources and ensure that a word processor hasn't suddenly and inexplicably started modifying the system password database. Similarly, a HIDS may look at the state of a system and its stored information, whether in RAM, in the file system or elsewhere, and check that their contents appear as expected.

What is Snort?

Snort is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. It was originally written by Martin Roesch and is nowadays owned and operated by Sourcefire® (which Martin Roesch founded). Snort is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts, amongst other features. The system can be used for intrusion prevention purposes too. With millions of downloads, Snort is the most widely deployed intrusion detection and prevention technology in the world.

B. Discover Debian Linux

The servers where Snort had to be installed run Linux, the Debian distribution, and for me it was the first difficulty I encountered.

Before this work placement, I had always used computers under Windows®, from 95 to XP, and Linux was completely new in two different ways. The first was, of course, the discovery of a new operating system. The second, the most difficult to get over, was the continuous use of the shell.

Windows mode

The day I received the computer, Øyvind helped me to install and configure Linux and he installed a windowing environment named KDE. This was very helpful.

So, to begin with, I learnt how to use Linux with windows. It is not very different from Windows®: you can find a Start Menu (even if the name is different) with all the software installed, and you have a taskbar at the bottom of your screen (you can put it where you want) which includes a quick launch space and a lot of options you can configure.

The main difference from Windows® is greater flexibility and, I think, fewer gadgets for better efficiency.

Something I had to understand was the architecture of the directories. The root folder is / and inside it you can find /home for the personal documents (a folder subdivided into one directory per user: /home/root, /home/david, etc.), /tmp for the temporary files, and so on.

To install software, you have two choices. The first way (the simplest) consists of using the package manager (KPackage in the KDE interface or the aptitude command in the shell). But most Linux users prefer to use the second way: download the source code as a tar.gz archive, compile it and install it themselves. This is harder and you need to know how your computer operates, but it is more configurable and flexible.

Shell mode

As I said, the biggest difficulty for me was the shell. To make it easier, I always used the terminal program in window mode, which let me use the shell more safely and also let me use several shells at the same time (helpful to keep an eye on the help file when you run a program). I also used a little program running under Windows®, called PuTTY, which let me take control of the Linux machine from my laptop, using a secure SSH connection.

From the beginning, Øyvind gave me a book called The Debian System to help me understand and use Debian. It was helpful to begin with, but the second one was better: Linux in a Nutshell. This book is a quick reference with all the common Linux commands.

During the first weeks, I discovered the main functions of Debian with the help of the books and, at the same time, I wrote the commands most useful to me in a text file.

I will describe some of the commands I often used:

• cd: the command to browse the different directories. cd directory puts you in the directory specified, cd - changes to the previous directory and cd .. changes to the parent directory.

• ls: a command to list the contents of a directory. There are a lot of options but the most used are ls -a, which also lists the hidden files, and ls --color, which colorizes the names of files depending on their type.

• more: this command displays a file on the screen. I never used any options but some keys: Q to quit, /word to search for word, v to invoke the text editor vi.

• cp: the command to copy a file, in the same directory or in another. The option -r copies a directory with all its contents and subdirectories, and -l does not copy the file but creates a hard link.

C. Install Snort

Once I was accustomed to the shell mode, I installed Snort from its source code. It was not so easy and I spent many hours on it. I will sum up here the main steps to install Snort, with some of the main problems I encountered.

To begin, I needed to download the source code. For Linux, the code is downloadable as a tar.gz archive. So I went to the Snort website with a web browser and downloaded it into /usr/local/src/gz. After this, I unpacked it with the command tar zxf. tar is a command for archives, z is the option for gz compression, x for extract and f to create a new directory before unzipping.

In the new folder where the files had been extracted, one file was very useful: INSTALL. This file explained how to install Snort and its first warning was about the libpcap library. I needed it but I didn't manage to find it on the computer. On the Debian.org website, there is a search engine to find out which packages contain a given file. So I installed the package with the libpcap library.

The first step invokes the command ./configure. This command is a shell script that looks around for software and even tries various things to see what works. It then takes its instructions from Makefile.in and builds Makefile (and possibly some other files) that work on the current system. But on the computer, no C compiler was found by configure, so I needed to install one. I chose g++, whose package name is gcc.

On Øyvind's advice, I used the --prefix=/usr/local/snort option, which defines the path where we want to install Snort. This is very useful for finding the files because they are all in the same directory. It helps you if you want to uninstall the software (which I did several times) but it involves building some links yourself.

The second step uses the command make. This command reads the
Makefile (made by configure) and compiles the source code to build the
executable program.

The third step, make install, again invokes make, which finds the target install in Makefile and follows the directions to install the program.

These three steps, “configure, make, make install”, are common for most software under Linux and are very well known, even if I discovered them for the first time during this placement.

After this, I had all the installed files in /usr/local/snort (except the rules files, which I found later in /etc/snort/rules), but if I tried to run Snort with the usual command snort, it didn't run. I had to type the entire path: /usr/local/snort/bin/snort. This occurred because, when you want to run a program, Debian looks for it in certain directories and, as I had installed Snort in a specific directory, it was not in the usual directories for Debian. I needed to tell it where Snort was, so I chose to create a hard link copy of /usr/local/snort/bin/snort in /usr/bin (one of the directories where Debian looks for programs).

It was only after all this I could start to use Snort, and I will explain
this in the third main part of this report.
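The installation steps described in this part, collected into a script as an added example (it is not the report's own script nor the Snort project's). The archive name is a placeholder; the /usr/local/src/gz, /usr/local/snort and /usr/bin paths and the --enable-dynamicplugin option are the ones the report uses. The last two functions reproduce the "command not found" problem explained above and the hard-link fix.

```shell
# Added example, not taken from the report. Builds Snort from a tar.gz archive
# under a private prefix, then shows why a binary installed there is not found
# by name and how a hard link into a PATH directory fixes it.

install_snort_from_source() {
    # $1: path of the downloaded tar.gz archive (placeholder name, see lead-in)
    archive="$1"
    src_dir=/usr/local/src/gz          # where the report stored the archive
    prefix=/usr/local/snort            # everything ends up under one directory

    cd "$src_dir"
    tar zxf "$archive"                 # z: gzip, x: extract, f: read this archive file
    cd "$(basename "$archive" .tar.gz)"

    # configure needs a C compiler (gcc) and libpcap; --enable-dynamicplugin
    # builds the dynamic engine and preprocessors that snort.conf refers to
    ./configure --prefix="$prefix" --enable-dynamicplugin
    make                               # compile using the generated Makefile
    make install                       # copy binaries, libraries and docs under $prefix
}

# Return 0 if "$1" can be started by name from the current PATH, 1 otherwise.
# This is the check that failed after installing under a private prefix:
# /usr/local/snort/bin is not one of the directories searched for programs.
resolves_on_path() {
    command -v "$1" >/dev/null 2>&1
}

# Make a binary installed under a prefix reachable by name, as the report did,
# by hard-linking it into a directory that is already on PATH.
# $1: full path of the installed binary, $2: directory on PATH (e.g. /usr/bin)
link_into_path() {
    ln "$1" "$2/$(basename "$1")"
}

# Run the real installation only when explicitly asked, e.g.
#   sh install_snort.sh install snort-x.y.z.tar.gz   (placeholder archive name)
if [ "${1:-}" = "install" ]; then
    install_snort_from_source "$2"
fi
```

Hard links only work within one file system; if /usr/local and /usr are on different partitions, a symbolic link (ln -s) does the same job for PATH lookup.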

III. Snort

Snort can be run in three different modes: as a packet sniffer, a packet logger or a NIDS. Here I will present how I used Snort, with the first steps, the problems encountered and how to use Snort easily as a NIDS, and I will quickly introduce the manual I wrote for the users.

A. Before using Snort as an IDS

When I had managed to install Snort, I began to discover it only with the command snort --help, which prints on the screen all the options for Snort. In this way, I discovered some functions of Snort by myself and, moreover, fixed a lot of problems.

The usual command was snort -v -c snort.conf. The option -v means “verbose mode”, which prints all the sniffed packets on the screen. The option -c indicates the rules file to use. In fact, snort.conf is not really a rules file but a configuration file. It is a really well written file, with a lot of comments which explain the few code lines very well.

First uses of Snort

The main problem I encountered was bad definitions in snort.conf, because it is in this file that you define all the variables and the location of each file Snort needs.

The first of them was the network definition: where the internal network is (defined by the variable HOME_NET) and the external network (defined by EXTERNAL_NET). To create an internal and an external network for the tests, we installed a second network card in the computer (with some hardware difficulties) and configured the computer as a gateway between my personal laptop and the school network. In this way, the Linux machine was like a server with my laptop as the internal network and the school network as the external network. To define the networks, I chose the easiest and most complete solution: all traffic on each card was considered as a network (it is also possible to analyse traffic coming from a list of IP addresses).

Another problem which occurred many times was the definition of the dynamic preprocessors and dynamic engines. Despite my searches, I never managed to find any file for this. With the help of the Internet, I found the solution: uninstall Snort and reinstall it with the option --enable-dynamicplugin. After this, the files for the dynamic definitions were in /usr/local/snort/lib, separated into two directories, snort_dynamicengine and snort_dynamicpreprocessor, so it was easy to define the correct path in snort.conf.

After I had fixed a lot of problems by myself, I discovered a file named USAGE among all the Snort documentation. This is a how-to written by Martin Roesch for Snort beginners.

Snort as sniffer and logger

The USAGE file is a very well written help for beginners which explains step by step how to use Snort, from the simplest way to the most complete functions.

The simplest mode in Snort is the sniffer mode, which just prints the TCP/IP packet headers to the screen. The simplest command in this mode is snort -v: this runs Snort and just shows the IP addresses and the TCP/IP packet headers on the screen, nothing else. If you want to see the payload data in transit, you can type snort -vd (or snort -v -d, it is the same). This prints the packet data as well as the headers. And if you want an even more descriptive display, showing the data link layer headers, type snort -vde. The option -e displays the layer 2 packet header data. To stop Snort, just press Ctrl + C.

If you want to record the packets to disk, you need to specify a logging directory and Snort will automatically go into packet logger mode. For example, you create a directory log in your current directory (using the command mkdir log) and then you can run Snort with these options: snort -vde -l ./log. The -vde option still does the same thing and the -l option tells Snort where it has to store the logs. If you are on a high-speed network or if you want to log the packets in a more compact form for later analysis, you can log in “binary mode”. Binary mode logs the packets in tcpdump format to a single binary file in the logging directory specified. To use binary mode, type snort -l ./log -b (-b for binary). Here, we don't use the -vde option because it is not useful and, on a high-speed network, it is even a little bit dangerous because of the slowness of the verbose mode, which will drop packets (not many, but some).

In reality, I didn't use the logger mode. I used the sniffer mode to see whether there were any bugs and, as soon as all the bugs were fixed, I used the IDS mode.

B. Snort as an IDS

As I said earlier, I tested Snort on a Debian machine with two network cards to simulate a server with its internal and external networks, my laptop working as the internal network, communicating with the Internet through the Debian machine.

Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. By choosing rules, you decide which traffic is allowed in your network and which is not.

To enable the NIDS mode in Snort, you just have to use the option -c followed by the name of the rules file. As I already said, I used the snort.conf file. It is very useful because it contains all the variable definitions and, moreover, it lets you load several rules files at the same time.

To do this, you have to place all the rules files in the same directory. By default, some common rules files are in /etc/snort/rules (these are just some common rules, but you can download or write a lot of rules files yourself). Because it is more convenient, I copied the rules directory into /usr/local/snort, with all the other Snort files. After this, you have to define in snort.conf what the rule path is (not necessary but highly advisable) and, at the end of snort.conf, you will find some lines like include $RULE_PATH/rules.rules, where rules is the name of the rules file. To decide which rules must be applied and which must not, just put a # at the beginning of the lines you do not want to apply (that comments the line out, so it won't be applied).

When you have chosen your rules files, type snort -c snort.conf. This runs Snort with the configuration chosen in snort.conf and logs the alerts in /var/log/snort. If you want to store them in another folder, say so using the option -l (the same as in logger mode). When Snort runs like this, it logs the packets in a directory hierarchy based upon the IP address of one of the hosts in the datagram, and it logs the alerts in a single file named alert. If you want to print the alerts to the screen (not all the packets, just the alerts), use the option -A console. You can also run Snort in daemon mode, using the option -D.

When you quit Snort, by typing Ctrl + C, a statistics table appears which tells you the number of packets sniffed, their types and their ratios, and the number of alerts (logged or passed).

To test the rules and see if Snort really did its work, the concept was simple: I ran Snort on the Debian machine and, with my laptop, I did something wrong. Then I just had to see if Snort logged my outlaw packets. I did this for most of the rules.

C. User’s quick manual

When I understood how to run Snort, I could write a manual for the next users. I asked Øyvind how I had to write it (text document, Microsoft Word document, etc.) and he answered that he would like an HTML document, very basic, with no graphics and just the necessary.

As I had never used HTML before this placement, I preferred to use a WYSIWYG editor (What You See Is What You Get: this type of editor provides an editing interface which allows you to create HTML pages without knowledge of HTML code). On Øyvind's advice, I installed Nvu (pronounced N-view), an open source editor for Windows, Linux and Mac.

Nvu is based on the Composer component of the Mozilla application suite. It is probably the best open source alternative to Microsoft FrontPage and Adobe Macromedia Dreamweaver. As you can see on the screenshot, Nvu is intuitive software and it is easy to use (especially when you just have to type some text and build a few links).

I decided to split the tutorial into three parts. To begin, how to install and configure Snort. Then, how to run Snort. And finally, I chose to explain the rules system.

Throughout the manual, I addressed Debian users and I based it on my own experience, so I explain the bugs I encountered. The manual is for non-English speakers, so I used English as unsophisticated as possible, trying to guide users during their first steps. The objective of this tutorial is not to be a complete manual or help, but just a little help to begin, according to the use of Snort at the faculty.

As it is an online tutorial, with links between pages, I chose not to print it in the appendix, but you can find it on the Internet at this address: http://aitel.hist.no/labben/snort/.

Conclusion

This training period has been an incredible experience for me, in terms of the knowledge acquired, but also of the personal part of it. Indeed, from many points of view, it was different from the previous ones.

I would like to thank Øyvind again for his help, his patience and his presence during this entire placement, in the everyday work as much as in the discovery of Norwegian life.

It was my first true contact with the world of telecommunications, doing practical things instead of the theory seen at school. I was able to extend the basic knowledge acquired during the short introductions at Telecom-Lille, especially in the domain of network security.

I am sure this placement will be helpful for me and will have a great
impact in the future.

Glossary

• HIST: Høgskolen I Sør-Trøndelag, the University of the County of Sør-Trøndelag, in Trondheim.

• AITeL: Avdeling for InformaTikk og e-Læring, the Faculty of Informatics and e-Learning, part of the University of Sør-Trøndelag.

• UNINETT: the Norwegian government-owned company responsible for a national computer network for universities and research.

• NORDUnet: an international collaboration between the Nordic national computer networks for research and education. The five members are Sweden, Norway, Finland, Denmark and Iceland.

• GEANT: the main European multi-gigabit computer network for research and education purposes. 32 countries take part in this project.

• KDE: K Desktop Environment. It is a free desktop environment for Unix and Unix-like systems.

• IDS: Intrusion Detection System. There are two types of IDS: NIDS, Network Intrusion Detection System, and HIDS, Host Intrusion Detection System.

Bibliography and links

Books:
The Debian System, Concepts and Techniques; Martin F. Krafft

Linux in a Nutshell, A desktop quick reference; O’Reilly

Websites:
www.hist.no

www.aitel.hist.no

www.uninett.no

www.debian.org

www.snort.org

www.wikipedia.org

Appendix

Map of the UNINETT network......................................................p32
Links to the manual website.......................................................p33

The manual I wrote for AITeL users had to be reachable only
for authorized people in an internal webpage but it is finally
available for everybody and you can reach it at this address:
http://aitel.hist.no/labben/snort/.

I could have printed it in this appendix but I think it is better to see it online. That is the reason why there are only these few lines here and not the entire tutorial.

David Férot 08/05 – 07/07/2006 FI 2009
Placement at the faculty of informatics
and e-learning in Trondheim

A lifetime experience

This training period was my first real stay abroad. I had the opportunity
to discover an unknown country, its way of life, culture and language and I
discovered what Norway is, falling stereotypes. Norway is a welcoming
country with open-minded people and it was easy to meet them.

IDS

An intrusion detection system inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. It is a good complement to a firewall.

In a network-based system (NIDS), the individual packets flowing through a network are analyzed. The NIDS can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules. In a host-based system (HIDS), the IDS examines the activity on each individual computer or host.

[Figure: a NIDS between the External Network and the Internal Network]

Snort at AITeL

AITeL decided to implement an IDS on its network to raise the security level. They did not choose a solution like a proxy because they do not want to restrict the freedom of the students, who need to test protocols for their studies. Snort will analyse the traffic and log it. In this way, teachers will be able to see exactly what traffic passes through the network. The next step is to gather its data in order to review them in a single view.

Sector: Telecommunications Field: Network Security

Keywords: IDS, Security, Snort, Debian Linux
