A Study on Wireless Intrusion Prevention System based on Snort

International Journal of Software Engineering and Its Applications Vol. 9, No. 2 (2015), pp. 1-12 http://dx.doi.org/10.14257/ijseia.2015.9.2.01

Jong-Moon Kim, A-Yong Kim, Jung-Soo Yuk and Hoe-Kyung Jung*
PaiChai University, Doma2-Dong, SeoGu, DaeJeon, Korea
[email protected], [email protected], [email protected], [email protected]

Abstract

With the development of information and communication technology and the increased use of portable devices, the use of wireless networks is growing. Wireless networks reach areas that a wired connection cannot physically cover, making smartphones and laptops usable on the network, and they meet the demand for convenience. Because wireless networks send and receive data over the air, however, that data can be intercepted, which makes them more vulnerable than wired networks in terms of security. In this paper, a wireless intrusion prevention system is implemented using signature-based detection, with Snort Wireless for wireless attack detection and iptables for prevention. A mock hacking attack is then conducted to validate the performance of the wireless intrusion prevention system.

Keywords: ipTables, Kali Linux, Snort, Snort Wireless

1. Introduction

As wireless network usage grows, the use of portable equipment is increasing. A wireless network lets users access the Internet without a physical cable connection and offers convenience and quality comparable to a wired network, but because it sends and receives data over radio waves, these very characteristics imply security vulnerabilities. Authentication and encryption techniques have been applied to compensate for these vulnerabilities [1], but as attack techniques have developed, such security technology has reached its limits [2]. A wireless intrusion prevention system [3] detects and blocks intrusions from outside to protect the internal system, and operates according to the specific environment in which the wireless network is used [4]. Commercial wireless intrusion prevention systems are not well suited to reducing the cost required for a wireless network. In this paper, a wireless intrusion prevention system is built using open source software, and a simulated hacking attack is conducted to verify that it meets the requirements of an intrusion prevention system.

2. Related Research

2.1 Snort Wireless

Snort Wireless [5] is derived from Snort, a "sniffer and more" tool that performs network protocol analysis and data content searching and, by matching rules, detects various attacks such as worms, vulnerability exploits, port scans and buffer overflows. The functions of Snort Wireless are classified into four modes: packet sniffer mode, packet logger mode, intrusion detection system mode and intrusion prevention system mode [6].

Packet sniffer mode - the basic application; collects network packets and prints them to the screen.
Packet logger mode - reads network traffic and, after inspection, records it to a database.

* Corresponding Author

ISSN: 1738-9984 IJSEIA Copyright ⓒ 2015 SERSC


Intrusion detection system mode - performs the intrusion detection function; packets are analysed according to the rules.
Intrusion prevention system mode - allows or blocks network packets depending on whether they match the rules.

The structure of Snort Wireless [7] is similar to that of other intrusion detection systems and is shown in Figure 1.

Figure 1. Snort Wireless Configuration

Snort Wireless is signature based: it detects malicious and suspicious activity by means of rules written for it. Snort Wireless can create rules for the Wi-Fi protocol in order to detect wireless network intrusions; the rule options available for Wi-Fi are listed in Table 1.

Table 1. Snort Wireless Wi-Fi Rule Options

Option         Description
frame_control  tests the entire frame control field
type           tests the 802.11 frame's type
stype          tests the 802.11 frame's subtype
from_ds        tests the from distribution system frame control flag
to_ds          tests the to distribution system frame control flag
more_frags     tests the more fragments frame control flag
retry          tests the retry frame control flag
pwr_mgmt       tests the power management frame control flag
more_data      tests the more data frame control flag
wep            tests the wep frame control flag
order          tests the order frame control flag
duration_id    tests the frame's duration/id field
bssid          tests the frame's BSSID
seqnum         tests the frame's sequence number
fragnum        tests the frame's fragment number
addr4          tests the frame's 4th address field
ssid           tests the frame's SSID
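As an added illustration of the header fields these options test (this code is not from the paper or from Snort Wireless), the following function decodes an 802.11 MAC header into a dictionary keyed by the Table 1 option names; the two sample frames are constructed for the example, and the BSSID placement follows the To DS / From DS address rules of the 802.11 standard.

```python
import struct

# Constructed samples (made up for this example, not captures from the paper).
# Deauthentication: type 0 (management), subtype 12, retry flag set, seqnum 250.
SAMPLE_DEAUTH = bytes.fromhex(
    "c008" "3a01" "ffffffffffff" "02aabbccddee" "02aabbccddee" "a00f" "0700")
# Beacon: subtype 8, 12 bytes of fixed fields, then an SSID element "Lab1".
SAMPLE_BEACON = bytes.fromhex(
    "8000" "0000" "ffffffffffff" "02aabbccddee" "02aabbccddee" "1000"
    "0000000000000000" "6400" "1104" "0004" "4c616231")

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _ssid(stype: int, body: bytes):
    """SSID element (tag 0) of a probe request (4), probe response (5) or beacon (8)."""
    if stype not in (4, 5, 8):
        return None
    pos = 0 if stype == 4 else 12          # responses/beacons carry 12 fixed bytes
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if tag == 0:
            return body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
        pos += 2 + length
    return None

def parse_wifi_header(frame: bytes) -> dict:
    """Decode an 802.11 MAC header into the fields the Table 1 rule options test."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte 802.11 MAC header")
    fc, duration_id = struct.unpack_from("<HH", frame, 0)   # little-endian fields
    flags = fc >> 8                                          # second frame-control byte
    h = {"frame_control": fc, "type": (fc >> 2) & 0x3, "stype": (fc >> 4) & 0xF,
         "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
         "more_frags": bool(flags & 0x04), "retry": bool(flags & 0x08),
         "pwr_mgmt": bool(flags & 0x10), "more_data": bool(flags & 0x20),
         "wep": bool(flags & 0x40), "order": bool(flags & 0x80),
         "duration_id": duration_id}
    wds = h["to_ds"] and h["from_ds"]       # both DS bits set: 4-address frame
    if wds and len(frame) < 30:
        raise ValueError("4-address frame truncated before addr4")
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    h["fragnum"], h["seqnum"] = seq_ctrl & 0xF, seq_ctrl >> 4
    a1, a2, a3 = _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])
    # Which address carries the BSSID depends on the DS bits; a WDS frame has none.
    h["addr4"] = _mac(frame[24:30]) if wds else None
    h["bssid"] = None if wds else a1 if h["to_ds"] else a2 if h["from_ds"] else a3
    h["ssid"] = _ssid(h["stype"], frame[24:]) if h["type"] == 0 else None
    return h
```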

2.2 ipTables

iptables [8] is the firewall used in Linux, developed by the Netfilter project. iptables is configured in terms of tables and chains, and root privileges are required to run it. iptables attaches powerful directives to the various packet processing stages of the Linux kernel; Figure 2 is a structure diagram showing at which points iptables connects to the relevant kernel tables.


Figure 2. Connect the Kernel Structures with ipTables

The tables of iptables categorise a wide range of packet filtering and NAT functions; there are four tables, Filter, NAT, Mangle and Raw [9]. Each table contains sets of rules for specific packets, called "chains", and each table has its own set of chains. The tables and chains of iptables are listed in Table 2.

Table 2. ipTables Tables and Chains

Table            Function                        Chains
Filter (default) Packet filtering / firewall     INPUT, FORWARD, OUTPUT
NAT              Network Address Translation     PREROUTING, INPUT, OUTPUT, POSTROUTING
Mangle           Packet modification             PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
Security         Mandatory Access Control        INPUT, FORWARD, OUTPUT
Raw              Bypass "conntrack" for corner   PREROUTING, OUTPUT


Administrators can create user-defined chains to group related rules together. For packet filtering, the predefined chains INPUT, OUTPUT and FORWARD exist. The INPUT chain handles packets whose destination, after routing is calculated inside the kernel, is the Linux system itself; the OUTPUT chain is reserved for packets that the Linux system itself creates and transmits; and the FORWARD chain manages packets passing through the Linux system. The packet flow of iptables is shown in Figure 3.

Figure 3. IpTables Packet Flow Chart

3. Wireless Intrusion Prevention System Design and Building

3.1 Wireless Intrusion Prevention System Design

The wireless intrusion prevention system is required to defend against wireless network attacks such as DoS attacks, fake AP attacks, WEP cracking attacks, WPA cracking attacks and MAC spoofing attacks. In addition, it must provide a security function that allows access only to users permitted through administrator identification and authentication, so that the system is protected from threats and hacking. The configuration of the proposed wireless intrusion prevention system is shown in Figure 4.

Figure 4. Wireless Intrusion Prevention System Configuration


The wireless intrusion prevention system is built on Linux and is composed of a packet collection system, a detection system and a blocking system. The schematic of the proposed wireless intrusion prevention system is shown in Figure 5.

Figure 5. Wireless Intrusion Prevention System Structures

The processing flow of the wireless intrusion prevention system is shown in Figure 6. Packets are collected with the libpcap library and stored as log files; the log files are analysed, Snort rules are created, and it is checked whether an intrusion is detected. Once an intrusion has been identified by a Snort rule, iptables rules are written on that basis and the intrusion is blocked.

Figure 6. Process Flow Chart of Wireless Intrusion Prevention System

3.2 Wireless Intrusion Prevention System Building

The OS used to build the wireless intrusion prevention system is CentOS 6.4 (32-bit). Before installing Snort, the related libraries DAQ, libdnet, PCRE, libpcap and tcpdump must be installed first. Since Snort Wireless operates on top of Snort, Snort is used; as shown in Figure 7, Snort version 2.9.5.5 and the 2.9.5.5 rules were used.


Figure 7. Snort-2.9.5.5 and Snort-2.9.5.5 Rules

Snort's default installation path is /etc/snort/, and the rules are copied to that path and applied; the default path where the packet log files collected by libpcap are stored is /var/log/snort/. Snort Wireless version 2.4.3-alpha04 is installed, and its "wifi.rules" rule file is copied to the Snort rules path so that wireless intrusions can be detected. To run Snort Wireless, the wireless LAN card is activated and Snort Wireless is started, as shown in Figure 8.

Figure 8. Snort Wireless Launch Screen

iptables is included in the CentOS installation; if iptables is not installed, it can be installed by entering the command "yum -y install iptables" in the terminal. iptables is registered and run as a service as shown in Figure 9.


Figure 9. IpTables Service Registration and Execution

4. Experiment

4.1 Man-in-the-Middle Attack Experiment

A man-in-the-middle attack was carried out as a mock hacking attack, and detection and blocking experiments were conducted against it. For the attack, Ettercap, which is included in Kali Linux, was used. Ettercap supports a GUI; it can be launched either from the menu path shown in Figure 10 or by entering "ettercap -G" in the terminal.

Figure 10. Ettercap Execution Path


Figure 11. Unified Sniffing

To start sniffing, "Unified sniffing" is run as shown in Figure 11 and the wireless interface is selected. Running "Scan for hosts" from the "Hosts" tab scans the whole network, and choosing "Host List" displays the list of hosts found on the network, as shown in Figure 12.

Figure 12. Host List Output

A target host is selected from the network host list and ARP poisoning is run, which carries out the man-in-the-middle attack. Figure 13 shows the screen while the man-in-the-middle attack is in progress.


Figure 13. Host List

4.2 Man-in-the-Middle Attack Experiment Result

Snort Wireless is run by entering "snort -vde -w -i wlan0 -A full -K pcap -l /var/log/snort/" in the terminal. The log is stored in pcap format in the log path. The stored log files are opened in Wireshark and the packets are analysed as shown in Figure 14.

Figure 14. Host List

During ARP poisoning, each packet is retransmitted after a certain interval of time, and a Snort rule is written based on these retransmitted packets. The Snort rule is written as shown in Figure 15.

Figure 15. Writing Snort Rules

With the Snort rule created and applied, the man-in-the-middle attack is carried out again to check whether the intrusion is detected. The alert log files that are created are shown in Figure 16.


Figure 16. Snort Alert Log File List

Figure 17. Writing ipTables Rules

Based on the detection and confirmation by the Snort rule, iptables rules are written. The iptables rules are written as shown in Figure 17. When the iptables rules are created and activated, the packets retransmitted at the given interval are cut off, so the man-in-the-middle attack can be prevented.
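An added example of the detection and blocking logic described in this section, run over a constructed ARP trace (this is not the paper's code, and the actual Snort and iptables rules of Figures 15 and 17 are not reproduced on the page): it flags a MAC that keeps retransmitting ARP replies for the same IP within a time window, or that claims an IP another MAC already announced, and generates an assumed iptables blocking rule form for the offending MAC.

```python
from collections import defaultdict

# Constructed ARP trace (not the paper's capture): (time_s, src_mac, sender_ip, opcode),
# opcode 1 = request, 2 = reply. Locally administered MACs and RFC 1918 addresses.
SAMPLE_ARP = [
    (0.0, "02:00:00:00:00:01", "192.168.0.1", 2),   # gateway's legitimate reply
    (1.0, "02:00:00:00:00:99", "192.168.0.1", 2),   # another MAC claims the gateway IP
    (2.0, "02:00:00:00:00:99", "192.168.0.1", 2),   # ... and keeps retransmitting it
    (3.0, "02:00:00:00:00:99", "192.168.0.1", 2),
    (4.0, "02:00:00:00:00:99", "192.168.0.1", 2),
    (4.5, "02:00:00:00:00:10", "192.168.0.10", 1),  # an ordinary request, ignored
]

def detect_arp_poison(frames, min_replies=4, window=10.0):
    """Return alerts for a MAC that sends min_replies ARP replies for one IP inside
    `window` seconds (the periodic retransmission the paper's Snort rule keys on),
    or that claims an IP first announced by a different MAC."""
    replies = defaultdict(list)   # (mac, ip) -> timestamps of replies in the window
    owner = {}                    # ip -> first MAC seen announcing it
    alerts = []
    for t, mac, ip, opcode in sorted(frames):
        if opcode != 2:
            continue
        key = (mac, ip)
        if owner.setdefault(ip, mac) != mac and key not in replies:
            alerts.append(("ip-conflict", mac, ip))   # reported once per (mac, ip)
        ts = replies[key]
        ts.append(t)
        while t - ts[0] > window:                     # drop replies outside the window
            ts.pop(0)
        if len(ts) == min_replies:                    # fires when the threshold is reached
            alerts.append(("reply-flood", mac, ip))
    return alerts

def iptables_block_rules(alerts):
    """Assumed blocking rule form (Figure 17's real rules are not on the page): drop
    frames whose Ethernet source is an offending MAC on the INPUT and FORWARD chains.
    Caveat: iptables only sees IP packets, so the ARP frames themselves pass
    (arptables/ebtables would be needed for those); what is cut off is the IP
    traffic the attacker relays once the poisoning has taken effect."""
    macs = sorted({mac for _, mac, _ in alerts})
    return [f"iptables -A {chain} -m mac --mac-source {mac} -j DROP"
            for mac in macs for chain in ("INPUT", "FORWARD")]
```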

5. Conclusion

As the use of wireless networks increases, crime and damage that exploit their security vulnerabilities are also increasing. Owing to its characteristics, a wireless network is more vulnerable in terms of security than a wired network, and careless use of wireless APs can expose users to crime and damage. Existing wireless intrusion prevention systems are built and operated as commercial systems, and such commercial systems are not well suited to reducing the cost required for a wireless network. This paper researched and proposed a way of building a wireless intrusion prevention system from open source software. The performance of the proposed wireless intrusion prevention system was assessed with a simulated hacking attack, and by presenting a wireless intrusion method and a blocking method, the merit of the paper was verified. The proposed wireless intrusion detection system is judged to offer cost savings and to be a possible replacement for the existing commercial systems in terms of performance and compatibility. In future work, to prevent overload when operating the wireless intrusion prevention system, research is needed on a distributed system in which Snort sensors are deployed in a distributed arrangement, the packets they collect are transferred to a central server, and the server processes the received packets in a distributed manner for analysis, detection and blocking.

References


[1] S. H. Kwon and D. W. Park, "Hacking and Security of Encrypted Access Points in Wireless Network", Journal of Information and Communication Convergence Engineering, vol. 10, no. 2, (2012), pp. 156-161.
[2] Y. N. Choi and S. M. Cho, "The Risk of Wardriving Attack Against Wireless LAN and its Counterplan", JKIICE, vol. 13, no. 10, (2009), pp. 2121-2128.
[3] J. Timofte, "Wireless intrusion prevention systems", Revista Informatica Economica, vol. 47, (2008), pp. 129-132.
[4] B. Potter, "Wireless intrusion detection", Network Security, (2004), pp. 4-5.
[5] A. Lockhart, "Snort-wireless", http://www.snort-wireless.org/.
[6] D. Gullett, "Snort 2.9.3 and Snort Report 1.3.3 on Ubuntu 12.04 LTS Installation Guide".
[7] D. S. Lakra, "HSNORT: A Hybrid Intrusion Detection System using Artificial Intelligence with Snort", Computer Technology & Applications, vol. 4, (2013), pp. 466-470.
[8] O. Andreasson, "Iptables Tutorial 1.2".
[9] W. Sun, W. Wang and H. Han, "Building traversing NAT IPv6 tunnel gateway system relies on Netfilter / iptable framework", Computer Engineering and Design, vol. 6, (2007).

Authors

Jong Moon Kim received the M.S. degree from the Department of Computer Engineering of Paichai University, Korea in 2012. From 1992 to 2003, he worked for Elcomtech System CO., Ltd. Inc. as a CEO. Since 2003, he has worked at ELCOMTECH CO., Ltd. Inc. as a CEO. He is currently a Ph.D. student in the Department of Computer Engineering of Paichai University. His current research interests include Digital Multimedia Broadcasting, Internet Protocol Television and MPEG.

A Yong Kim received the B.S. degree in computer engineering from Paichai University in 2013 and is currently in the M.S. course in the Department of Computer Engineering at Paichai University. His research interests are multimedia information processing, Hadoop, Lucene and search engines.

Jung Soo Yuk received the B.S. degree from the Department of Information and Communication Engineering, Gyeongsang National University, Tongyeong, Korea, in 2000. He is currently pursuing an M.S. degree in the Department of Computer Engineering, Paichai University, Daejeon, Korea. His research interests are multimedia information processing.

Hoe Kyung Jung received the M.S. degree in 1987 and the Ph.D. degree in 1993 from the Department of Computer Engineering of Kwangwoon University, Korea. He has worked in the Department of Computer Engineering at Paichai University, where he is now a professor. His current research interests include multimedia document architecture modeling, information processing, information retrieval and databases.
