https://www.researchgate.net/publication/301325633

Automatic SNORT IDS rule generation based on honeypot log

Conference Paper · October 2015
DOI: 10.1109/ICITEED.2015.7409013

1 author: A. Sagala, Institut Teknologi Del

All content following this page was uploaded by A. Sagala on 05 July 2016.

Automatic SNORT IDS Rule Generation Based on
Honeypot Log
Albert Sagala
Cyber Security Research Centre
Faculty of Informatics & Electrical, Del Institute of Technology
Toba Samosir, Indonesia

Abstract— The main objective of this research is to integrate a honeypot and an IDS so that Snort rules can be generated and activated automatically based on the data sent by the honeypot server. In the new technique presented in this paper, the honeypot collects the data and sends it to the IDS, and the IDS then evaluates the data and generates the rules automatically. A rule that has been made is activated to filter packets sent by users on the network. We compare the automatically generated rules with the default rules in the Snort system for the same pattern. The performance of the proposed technique was evaluated by measuring the effectiveness of the IDS server against the attacks.

Keywords—SNORT, HONEYPOT, IDS, IDPS, Network Security

I. INTRODUCTION

The growing world of technology has enabled people to exchange information over a local network or the Internet. Information sent over the network can be either public or private. For private information, an intruder with hacking skills can infiltrate and take over systems to obtain confidential data illegally. Infiltration attempts are made for specific purposes, such as modifying information on the server, damaging the network, stealing critical information, and others.

Intrusion detection is an attempt to monitor and detect illegal data streams. It is one way to reduce the illegal actions entering the network. The data flow to be detected is divided into two categories, namely signature-based and anomaly-based intrusion detection. Systems that both detect and prevent illegal traffic are called IDPS systems. An IDS itself has a database of rules; the rules on the IDS determine which services will be provided when a request arrives at the server. To cut off strange data flows, the IDS is integrated with an IPS (Intrusion Prevention System). The IPS serves to prevent actions that disrupt the system. One very popular and quite powerful IDS in IT security is Snort. Snort is widely used because it is a powerful tool and is distributed as open source.

A honeypot is a server that is installed to be the target of attackers. In our research, we implement a low-interaction honeypot using honeyd so that the attack does not harm the original/production server. Any data that enters the honeypot system is recorded for further analysis. Usually

In this study, we integrated honeypot and IDS systems. The rules on the IDS are generated based on the logs captured by the honeypot. The automatically generated rules enhance the security of the IDS server, so this new approach can mitigate new attack patterns.

Our contribution in this research is the automation of rule generation on the IDS server. This automation is beneficial because the IDS server can instantly mitigate the attacker and stop the attacker from accessing the production server.

The rest of this paper is organized as follows: Section 2 explains related work and Snort and honeyd technology; Section 3 describes the design and implementation; Section 4 presents the results and discussion; and Section 5 gives the conclusion and further research.

II. RELATED WORK

Snort rule generation based on honeypot logs has been developed at various universities and national labs researching cyber security concerns. The Department of Computer Engineering, King Saud University [1] developed a web-based honeypot to generate SNORT intrusion detection system signatures (rules) for HTTP traffic automatically. These new rules are integrated into the IDS signature database.

Collaborative research was also conducted between Northwestern University (USA) and Tsinghua University (China) [2]. That research detects zero-day polymorphic worms and generates rules for edge network gateways or honeynets so that they can prevent the worms from propagating in their early phase.

NISlab (Norwegian Information Security Laboratory) [3] developed a research focus on how much user interaction is needed to generate new signature rules for new attacks, and what type of honeypot is best suited for obtaining useful data. This is based on data collected by a network intrusion detection system named SNORT, honeyd and

A. Intrusion Detection System Using Snort

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDS come in a variety of "flavors" and approach the goal of detecting suspicious traffic in different ways.

Figure 1 IDS System Block Diagram

Intrusion detection systems are of two main types: network-based (NIDS) and host-based (HIDS) intrusion detection systems. Host intrusion detection systems are installed locally on host machines, which makes them very versatile compared to NIDS. HIDS can be installed on many different types of machines, namely servers, workstations and notebook computers. Doing so gives an edge that NIDS does not have, especially on segments that the NIDS cannot reach. Traffic transmitted to the host is analyzed and passed on to the host if there are no potentially malicious packets within the data transmission. HIDS are more focused on changes on the local machine, whereas NIDS focus more on the network than on specific hosts. HIDS are also more platform-specific and cater strongly to the Windows market; however, there are products available that function in UNIX and other OS environments.

Snort's open-source network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching and matching [4], [5]. These basic services have many purposes, including application-aware triggered quality of service, to de-prioritize bulk traffic when latency-sensitive applications are in use.

The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface attacks, buffer overflows, server message block probes, and stealth port scans.

Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. In sniffer mode, the program reads network packets and displays them on the console. In packet logger mode, the program logs packets to disk. In intrusion detection mode, the program monitors network traffic and analyzes it against a rule set defined by the user; the program then performs a specific action based on what has been identified. Because of the popularity and many features of SNORT [6], we chose it as the IDS tool in our research.

B. Honeypot

A honeypot is a trap set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers. This is similar to the police baiting a criminal and then conducting undercover surveillance.

Honeypots can be classified based on their deployment (use/action) and based on their level of involvement. Based on deployment, honeypots may be classified as production honeypots or research honeypots.

Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. Production honeypots are placed inside the production network with other production servers by an organization to improve its overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do.

Research honeypots are run to gather information about the motives and tactics of the Blackhat community targeting different networks [7], [8]. These honeypots do not add direct value to a specific organization; instead, they are used to research the threats that organizations face and to learn how to better protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

Based on design criteria, honeypots can be classified as: (1) pure honeypots, (2) high-interaction honeypots and (3) low-interaction honeypots.

In our research, we focus on low-interaction honeypots using Honeyd. Low-interaction honeypots simulate only the services frequently requested by attackers. Since they consume relatively few resources, multiple virtual machines can easily be hosted on one physical system, the virtual systems have a short response time, and less code is required, reducing the complexity of the virtual system's security.

III. DESIGN AND IMPLEMENTATION

The network topology shown in Figure 2 consists of three important factors. We assume that our honeypot works well, so that the attacker gets trapped. The attacker will do anything they want; all the activity is logged and saved. The saved log is then sent to the IDPS server, which in our experiment is Snort. After that, specific information is extracted from the saved logs: the source IP, destination IP, destination port, and protocol, together with the number of requests sent. The number of requests in question is the number of requests that come from the same source IP address to the same destination IP address on the same port. In the design of the system, a script was created that retrieves the needed information from the existing logs on Honeyd.
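The log-extraction step described above, as an added example that is not the authors' splitfile.pl (which the paper does not publish): it parses honeyd packet-log records, counts requests from the same source IP to the same destination IP and port, and renders the result in the "protocol source destination port" layout that the paper's coba.py reads, with the request count as an extra column. The record layout is assumed from honeyd's own packet-log format, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample of honeyd packet-log lines. The layout is assumed from
# honeyd's log format: timestamp proto(number) action src_ip src_port dst_ip
# dst_port, where S starts a TCP connection, E ends it and '-' is a single
# packet; ICMP records carry no ports.
SAMPLE_HONEYD_LOG = """\
2015-06-06-22:55:01.101 tcp(6) S 192.0.2.10 45321 192.0.2.20 445 [Windows XP SP1]
2015-06-06-22:55:01.230 tcp(6) E 192.0.2.10 45321 192.0.2.20 445: 0 0
2015-06-06-22:55:02.004 tcp(6) S 192.0.2.10 45322 192.0.2.20 445
2015-06-06-22:55:02.310 tcp(6) S 192.0.2.10 45323 192.0.2.20 139
2015-06-06-22:55:03.812 tcp(6) S 192.0.2.10 45324 192.0.2.20 445
2015-06-06-22:55:04.010 udp(17) - 192.0.2.10 1035 192.0.2.20 137: 50
2015-06-06-22:55:05.500 icmp(1) - 192.0.2.10 192.0.2.20: 8(0): 60
2015-06-06-22:55:06.000 tcp(6) S 192.0.2.11 50000 192.0.2.20 135
this line is not a honeyd record and must be skipped
"""

# Protocol name, action, source address, optional source port, destination
# address and optional destination port; the rest of the record is ignored.
LINE_RE = re.compile(
    r"^\S+\s+(?P<proto>[a-z]+)\(\d+\)\s+(?P<action>[SE-])\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?:(?P<sport>\d+)\s+)?"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<dport>\d+))?"
)


def parse_requests(log_text):
    """Yield one (proto, src, dst, dport) tuple per request in the log.

    Connection starts ('S') and single packets ('-') are requests; the 'E'
    record that closes a TCP connection belongs to a request already counted
    and is skipped so it does not double the count. Malformed lines are
    skipped as well. ICMP has no port, so 'any' is used there.
    """
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw)
        if match is None or match.group("action") == "E":
            continue
        yield (match.group("proto"), match.group("src"),
               match.group("dst"), match.group("dport") or "any")


def count_requests(log_text):
    """Number of requests from the same source IP to the same destination IP
    and port, keyed by (proto, src, dst, dport) as the design describes."""
    return Counter(parse_requests(log_text))


def field_lines(counts):
    """Render the counts as 'proto src dst port count' lines, busiest first.
    The first four columns are the layout coba.py expects, one line per rule."""
    ordered = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    return [" ".join(list(key) + [str(count)]) for key, count in ordered]


if __name__ == "__main__":
    for line in field_lines(count_requests(SAMPLE_HONEYD_LOG)):
        print(line)
```

Skipping the 'E' records matters: a scan that opens and closes a connection writes two lines per probe, and counting both would double the request count that the paper's simple statistics are based on.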
Figure 2 Topology of our Experiment

Figure 3 Block Diagram of Snort-Honeypot Integration

A. Designing Automatic Rule Generation in Snort

Figure 4 describes the design of the automatic rule generation process on the IDS system. The IDS server checks whether a file has been received from the Honeyd server. If files have been received from the Honeyd server, the IDS system analyzes the incoming packets to determine whether each incoming packet is illegal or not. For an illegal packet, the IDS generates a new rule and then compares it with the pre-existing rules stored in the IDS system. If the rule already exists, the newly generated rule is ignored. However, if the rule did not exist before, the rule is recorded in the IDS. Packets that are not illegal are forwarded to the original server. The process is then repeated from the check for a new file. In the Snort system the check for new files is scheduled; it is done every one minute.

Figure 4 A Flowchart to Generate Rule

B. Implementation

To implement the design, we need the hardware and software shown in TABLE 1.

TABLE 1 H/W and S/W Requirement

No | Item            | Description (H/W)                                                        | Description (S/W)
1  | Server Honeypot | Laptop Dell Inspiron N4050, Processor Core i3, Harddisk 500 GB, RAM 4 GB | Backtrack 5, VMWare, Honeyd version 1.5c
2  | Server IDS      | Laptop Dell Inspiron N4050, Processor Core i3, Harddisk 500 GB, RAM 4 GB | Backtrack 5, VMWare, Snort version 2.9.7
3  | Real Server     | Laptop Dell Inspiron N4050, Processor Core i3, Harddisk 500 GB, RAM 4 GB | Backtrack 5, VMWare
4  | PC-Attacker     | Laptop Dell Inspiron N4050, Processor Core i3, Harddisk 500 GB, RAM 4 GB | Backtrack 5, VMWare

After the software and hardware are available, we configure the servers that will be used. On the Honeyd server, a directory is provided to store the log; a script is then made to separate the required fields from the log entries, after which the fields are saved into a file and posted to the IDS server. The file delivery is scheduled automatically using cron jobs.

On the IDS server, the Snort service is enabled but the default rules are deactivated. The absence of the system Snort rules makes it easier to run the pilot tests of attacks on the honeypot server. In the implementation, rules should be generated on the IDS server as a result of the attacks that occurred on the honeypot server.
C. Files and Directory Structures on the Honeypot Server

1. /root/honeypotTA

In this directory, we make a Honeyd2.conf configuration as in the script below:

create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
set windows ethernet "08:00:27:4d:bd:05"
#dhcp windows on eth0
bind windows

In honeyd, we made one virtual PC using Microsoft Windows XP Professional SP1. We open three ports, 135, 139 and 445. We make the ports open for scanning.

2. /root/Dekstop/cobaperl

This directory contains the file splitfile.pl. Splitfile.pl is a script that separates the fields the IDS requires to create a rule. For this publication, the file will not be exposed.

3. /root/Dekstop/checkfile

This directory contains configuration files for checking files. The script checks the file to identify whether the output of splitfile.pl is present.

4. /usr/local/share/honeyd/logs

This directory stores the folders and files shown in TABLE 2.

TABLE 2 File in directory /root/local/share/honeyd/logs

No | File                            | Description
1  | Folder log                      | Folder of log activity from the attacker
2  | Folder backup                   | Folder to back up the log folder
3  | Folder final                    | Folder to save the final log that will be sent to the Snort server
4  | File demoTA.log                 | Log file captured by the Honeypot
5  | File demoTAsplit.log            | Log file containing the fields that were separated from the file
6  | File demoTAsplittemporary.log   | File used to save the list of opened ports
7  | File demoTAsplit_finalefile.log | Result of the log after it has been compressed

Also, in /etc/snort we make coba.py, which generates rules automatically. The script is shown below.

#!/usr/bin/env python
# Each line of honeyd.txt holds the fields extracted from the honeyd log:
# protocol, source IP, destination IP, destination port.
# Snort identifies a rule by its sid, so each generated rule gets its own
# sid (the line index) instead of every rule sharing sid:1.
with open('honeyd.txt', 'r') as infile:
    for index, line in enumerate(infile, 1):
        proto, src, dst, port = line.split()[:4]
        with open('TA_rule_{}.rules'.format(index), 'w') as outfile:
            outfile.write('alert {} {} any -> {} {} (msg:"Possible SCAN"; '
                          'classtype:network-scan; sid:{}; rev:1;)\n'
                          .format(proto, src, dst, port, index))

Below is an example of a generated rule:

alert tcp any -> 82 (msg:"Possible SCAN"; classtype:network-scan; sid:1; rev:1;)

The generated rules are saved in the directory using the script below.

#!/usr/bin/env python
# Append an include line for each generated rule file to the Snort config.
with open("snort-TA.conf", "a") as myfile:
    for index in range(1, 4):
        myfile.write('include /etc/snort/rules/TA_rule_{}.rules\n'.format(index))

The files and directories that we need to implement for automatic rule generation are as follows.

1. Directory /etc/snort/backup

This directory is used to save the backup file of

2. Directory /etc/snort/backup/Sat Jun 6 22:56:01 2015/

This folder is a backup taken on Saturday, June 6, 2015 at 22:56.

3. Directory /etc/snort/

This directory contains the files shown in TABLE 3.
TABLE 3 File in directory /etc/snort

No | File                 | Description
1  | File checknewfile.pl | Script to check for a new file
2  | File mkrule.pl       | Script to generate a rule
3  | File counter.txt     | Static variable file used for naming rules
4  | File Snort-TA.conf   | Configuration used to distinguish attacks using the rules

4. Directory /etc/snort/rules

This directory is used to save the newly generated rules. The list of rules generated in this directory is shown below.

TA_rule_1.rules
TA_rule_3.rules
TA_rule_[n].rules

D. Files and Directory Structures on the IDS Server

A new file sent from the Honeypot is file.log, which contains the fields needed to make a new rule. In the /etc/snort directory, a new script is made to check for a new file. The script check.sh is shown below.

#!/bin/bash
# Run the generation pipeline only when the honeypot has delivered a new field file.
if [ -f /etc/snort/honeyd.txt ]
then
    python generate.py
    mv *.rules /etc/snort/rules
    python include.py
    snort -c /etc/snort/snort-TA.conf -l /var/log/snort/
fi

IV. RESULT AND DISCUSSION

After performing some kinds of attacks on the honeypot server, the log on the honeypot server is sent to the IDS server. Rules are then made on the IDS server in accordance with the logs obtained. The following figure shows a rule that has been successfully generated using the system built.

Figure 5 Rule Generated

In Figure 5, there are three rules generated: TA_rule_1.rules, TA_rule_2.rules and TA_rule_3.rules. The rules that are generated are as follows:

Figure 6 Example: Rule Generated

We carried out tests on the generated rules. The following image displays the alerts for incoming attacks that match the newly generated rules.

V. CONCLUSION AND FURTHER RESEARCH

Making new rules automatically from the honeyd server on the IDS server was successful. Logs obtained from the honeypot server were successfully sent to the IDS server, and the IDS server then created rules based on the logs obtained. In this paper, the rules successfully generated are still in the form of alerts when any illegal activity comes into the network; further development of the system is expected so that rules can be made to block illegal activity.

New attack patterns will emerge; still, such attacks are not handled by the Snort rules. This traffic will need further investigation so that it can result in a new rule. In this research, we only use simple statistics to analyze the traffic; in further research, a new approach that is more effective and efficient should be developed for accuracy.

REFERENCES

[1] H. Altwaijry, K. Shahbar, "(WHASG) Automatic SNORT Signatures Generation by Using Honeypot", Journal of Computers, Vol. 8 No. 12, December 2013.
[2] Zhichun Li, Lanjia Wang, Yan Chen and Zhi, "Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms", http://www.cs.northwestern.edu.
[3] V. Ajaxon, "Building IDS rules by means of a honeypot", NISlab - Norwegian Information Security Laboratory, 2005.
[4] Writing Snort Rules | How to write Snort rules and keep your sanity, Current as of version , by Martin Roesch.
[5] Rafeeq Ur Rehman, 2003. Advanced IDS Techniques Using Snort, Apache, MySQL, and ACID.
[6] Hemangini J. Patel (May 2014). A Survey on Intrusion Detection System in Cloud. International Journal of Engineering and Technical Research (IJETR), Volume 2, Issue 5, ISSN 2321-0869.
[7] Prof. Jawale Smita, et al., "Intrusion Detection System Using Virtual Honeypots", International Journal of Engineering Research and Applications (IJERA), ISSN: 2248-9622, 30 March 2012.
[8] Jacob Benoit (December 2011). Automatic XSS Detection and Snort Signatures/ACLs Generation by the Means of a Cloud-Based Honeypot.
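The test described in Section IV, checking that the generated rules actually raise alerts, as an added example that is not part of the paper: it parses the lines Snort writes in its alert_fast format, counts hits per sid, and lists generated sids that never fired, which is the case a defender wants flagged after a rule rollout. The line layout is assumed from Snort's fast alert output, and the sample alerts (sids 8 to 10 from a generated rule set) are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed Snort alert_fast lines. Layout assumed from Snort's fast alert
# output: timestamp, [gid:sid:rev], message, optional classification and
# priority, then {PROTO} src:port -> dst:port (no ports for ICMP).
SAMPLE_ALERTS = """\
06/06-22:57:01.123456  [**] [1:8:1] Possible SCAN [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.0.2.10:45330 -> 192.0.2.20:445
06/06-22:57:01.223456  [**] [1:8:1] Possible SCAN [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.0.2.10:45331 -> 192.0.2.20:445
06/06-22:57:02.000001  [**] [1:9:1] Possible SCAN [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.0.2.10:45332 -> 192.0.2.20:139
06/06-22:57:03.000001  [**] [1:10:1] Possible SCAN [**] [Classification: Detection of a Network Scan] [Priority: 3] {ICMP} 192.0.2.11 -> 192.0.2.20
this is not an alert line and must be skipped
"""

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(alert_text):
    """Yield one dict per well-formed alert line; other lines are skipped."""
    for raw in alert_text.splitlines():
        match = ALERT_RE.search(raw)
        if match is None:
            continue
        yield {
            "sid": int(match.group("sid")),
            "msg": match.group("msg"),
            "proto": match.group("proto"),
            "src": match.group("src"),
            "dst": match.group("dst"),
            "dport": match.group("dport"),  # None for ICMP
        }


def hits_per_sid(alert_text):
    """How many times each rule (by sid) fired."""
    return Counter(alert["sid"] for alert in parse_alerts(alert_text))


def sources_per_sid(alert_text):
    """Distinct source addresses that triggered each sid, sorted."""
    sources = defaultdict(set)
    for alert in parse_alerts(alert_text):
        sources[alert["sid"]].add(alert["src"])
    return {sid: sorted(addrs) for sid, addrs in sources.items()}


def untriggered_sids(alert_text, generated_sids):
    """Generated rules that produced no alert at all during the test."""
    hits = hits_per_sid(alert_text)
    return sorted(sid for sid in generated_sids if hits[sid] == 0)


if __name__ == "__main__":
    print(hits_per_sid(SAMPLE_ALERTS))
    print("never fired:", untriggered_sids(SAMPLE_ALERTS, {8, 9, 10, 11}))
```

Matching on the sid rather than on the message text is deliberate: every rule coba.py emits carries the same msg ("Possible SCAN"), so only the sid tells which generated rule a given alert came from.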
