See

discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/301325633

Automatic SNORT IDS rule generation based on

honeypot log

Conference Paper · October 2015

DOI: 10.1109/ICITEED.2015.7409013

CITATIONS READS

2 433

1 author:

A. Sagala
Institut Teknologi Del
16 PUBLICATIONS 10 CITATIONS

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Industrial Control System Security-Malware Botnet Detection View project

All content following this page was uploaded by A. Sagala on 05 July 2016.

The user has requested enhancement of the downloaded file.

 Automatic SNORT IDS Rule Generation Based on
Honeypot Log
Albert Sagala
Cyber Security Research Centre
Faculty of Informatics & Electrical, Del Institute of Technology
Toba Samosir, Indonesia
albert@del.ac.id
Abstract— The main objective of this research is to integrate
honeypot and IDS, which can generate and activate snort rule
automatically based on the data sending by honeypot server. The new
technic is present in this paper, honeypot will collect the data, send
the data to IDS, and then IDS will evaluate and generate the rules
automatically. Rule that has been made will be active to filter packets
sent by the user on the network. We compare rule generated
automatically with default rule in snort system for the same pattern.
The performance of the proposed technique was evaluated by
measuring the effectiveness of IDS server from the attacking.
Keywords—SNORT, HONEYPOT, IDS, IDPS, Network
Security
I. INTRODUCTION
The growing world of technology has enable people to
exchange information over a local network or the Internet.
Information sent over the network can be either public or
private. For information that is private, with hacking
technology, an intruder can infiltrate and take over systems
that illegally obtained confidential. Infiltration attempt made
for a specific purpose, such as to modify the information in the
server, damaging the network, stealing the critical information
and others.
Intrusion detection is an attempt to monitor and detect
illegal data stream. This is one way that can be used to reduce
the illegal actions enters the network. The data flow to be
detected is divided into two categories, namely Signature
Based intrusion and Anomaly Based intrusions. The model
systems which have function to detect and prevent illegal
traffic are called IDPS system. IDS itself has database of rule,
rule on the IDS functions to determine what services will be
provided if an incoming request to the server. To cut off the
flow of data that strange, it will be integrated with the IPS
(Intrusion Prevention System). IPS serves to prevent actions
which disrupt the system. One very popular IDS and quite
powerful in IT security is Snort. Snort was widely used
because these powerful tools and distributed as open-source.
Honeypot is a server that is installed to be the target of the
attackers. In our research, we implement low interaction
honeypot using honeyd so that the attack would not harm the
original/production server. Any data that is entered into the
honeypot system will be recorded for further analysis. Usually
In this study, we did honeypot and IDS systems
integration. Rule on IDS will be generated based on the logs
that captured by the honeypot. The automatically rule
generated will enhance the security on the IDS server. So
those, this new approach can mitigate the new attack pattern.
Our contribution in this research is the automation of rule
generated on IDS server. This automation will give beneficial
effect, so that IDS server instantly can mitigate the attacker;
stop the attacker access the production server.
The rest of this paper will be explained as below: Section 2
will give explanation about related work, snort and honeyd
technology, Section 3 will describe the design and
implementation; Section 4 is result and discussion, and the last
is Section 5 will make a conclusion and further research.
II. RELATED WORK
Snort rule generation based on honeypot log has been
developed at various university and national labs research
cyber security concerns. Department of Computer
Engineering, King Saud University [1] develops a web based
honeypot to generate SNORT intrusion detection system
signature (Rules) for HTTP traffic automatically. These new
rules are integrated into the IDS signatures database.
Collaboration research also conducted between
Northwestern University (USA) and Tsinghua University
(China) [2], the research was to detect zero-day polymorphic
worms, it generate the rules to the edge network gateways or
honeynet so that they can prevent the worms from
propagating at their early phase.
NISlab-Norwegian Information Security Laboratory [3]
develop a research focus on seeing how much user inter-
action is needed to generate new signature rules for new
attacks, and what type of honeypot is best suited for obtaining
useful data. This will be based on data collected by a network
intrusion detection system named SNORT, honeyd and
tcpdump.
A. Intrusion Detecting System Using Snort
An intrusion detection system (IDS) is a device or software
application that monitors network or system activities for
malicious activities or policy violations and produces reports
to a management station. IDS come in a variety of “flavors”
and approach the goal of detecting suspicious traffic in
different ways.
Figure 1 IDS System Block Diagram
Intrusion detection systems are of two main types, network
based (NIDS) and host based (HIDS) intrusion detection
systems. Host intrusion detection systems are installed locally
on host machines making it a very versatile system compared
to NIDS. HIDS can be installed on many different types of
machines namely servers, workstations and notebook
computers. Doing so gives you the edge that NIDS does not
have especially if you have a segment that you NDIS cannot
reach beyond. Traffic transmitted to the host is analyzed and
passed onto the host if there are not potentially malicious
packets within the data transmission. HIDS are more focused
on the local machines changing aspect compared to the NIDS.
NIDS focus more greatly on the network those specific hosts
themselves. HIDS is also more platforms specific and caters
strongly in the windows market of the computing world
however there are products available that function in the
UNIX and other OS topology environments.
Snort's open source network-based intrusion detection
system (NIDS) has the ability to perform real-time traffic
analysis and packet logging on Internet Protocol (IP)
networks. Snort performs protocol analysis, content searching
and matching [4], [5]. These basic services have many
purposes including application-aware triggered quality of
service, to de-prioritize bulk traffic when latency-sensitive
applications are in use.
The program can also be used to detect probes or attacks,
including, but not limited to, operating system fingerprinting
attempts, common gateway interface, buffer overflows, server
message block probes, and stealth port scans.
Snort can be configured in three main modes: sniffer,
packet logger, and network intrusion detection. In sniffer
mode, the program will read network packets and display
them on the console. In packet logger mode, the program will
log packets to the disk. In intrusion detection mode, the
program will monitor network traffic and analyze it against a
rule set defined by the user. The program will then perform a
specific action based on what has been identified. The
popularity and many feature of SNORT [6], so that we choose
it as IDS tools in our research.
B. Honeypot
A honeypot is a trap set to detect, deflect, or, in some
manner, counteract attempts at unauthorized use of
information systems. Generally, a honeypot consists of a
computer, data, or a network site that appears to be part of a
network, but is actually isolated and monitored, and which
seems to contain information or a resource of value to
attackers. This is similar to the police baiting a criminal and
then conducting undercover surveillance.
Honeypots can be classified based on their deployment
(use/action) and based on their level of involvement. Based on
deployment, honeypots may be classified as production
honeypots or research honeypots
Production honeypots are easy to use, capture only limited
information, and are used primarily by companies or
corporations. Production honeypots are placed inside the
production network with other production servers by an
organization to improve their overall state of security.
Normally, production honeypots are low-interaction
honeypots, which are easier to deploy. They give less
information about the attacks or attackers than research
honeypots do.
Research honeypots are run to gather information about
the motives and tactics of the Blackhat community targeting
different networks [7], [8]. These honeypots do not add direct
value to a specific organization; instead, they are used to
research the threats that organizations face and to learn how to
better protect against those threats. Research honeypots are
complex to deploy and maintain, capture extensive
information, and are used primarily by research, military, or
government organizations.
Based on design criteria, honeypots can be classified as:
(1) pure honeypots, (2) high-interaction honeypots and (3)
low-interaction honeypots.
In our research, we focus on low-interaction honeypots
using Honeyd. Low-interaction honeypots simulate only the
services frequently requested by attackers. Since they
consume relatively few resources, multiple virtual machines
can easily be hosted on one physical system, the virtual
systems have a short response time, and less code is required,
reducing the complexity of the virtual system's security.
III. DESIGN AND IMPLEMENTATION
The network topology as shown on Figure 2 consists of
three important factors. We assume that our honeypot work
well, so that the attacker got trapped. Attacker will do
anything that they want; all the activity will be logged and
saved. Then the saved log will be sent to the IDPS server, in
our experiment we use snort. After that, information or logs
that have been saved will be taken some specific information.
Information taken in the form of source IP, destination IP,
destination port, and protocol used by the number of requests
that are sent. The number of requests in question is a request
that comes from the same source IP address to the same
destination IP address with the same port. In the design of the
system is developed, created a script that is able to retrieve the
needed information from existing logs on Honeyd.
 B. Implementation
To implement the design, we need hardware and software as
shown on TABLE 1

TABLE 1 H/W and S/W Requirement

No Item Description Description
H/W S/W
1 Server Honeypot Laptop Dell inspiron Backtrack5,
N4050, Processor VMWare,
Core i3, Harddisk 500 Honeyd version
GB, RAM 4 GB 1.5 c
Figure 2 Topology our Experiment 2 Server IDS Laptop Dell inspiron Backtrack 5,
N4050, Processor VMWare,
Core i3, Harddisk 500 Snort version
GB, RAM 4 GB 2.9.7
3 Real Server Laptop Dell inspiron Backtrack 5,
N4050, Processor VMWare
Figure 3 Block Diagram Snort-Honeypot Integration Core i3, Harddisk 500
GB, RAM 4 GB
A. Designing Generate Rule in Snort Automatically 4 PC-Attacker Laptop Dell inspiron Backtrack 5,
Figure 4 describes the manufacturing process design rule N4050, Processor VMWare
automatically by IDS systems. IDS servers will check whether Core i3, Harddisk 500
a file is received from the server Honeyd. If there are files GB, RAM 4 GB
received server Honeyd the IDS system will analyze incoming
packets, to determine if the incoming packet is a packet illegal After the software and hardware available, then we do the
or not. For a package that is illegal, IDS will generate new configuration of the server that will be used. On Honeyd
rule, and then will be compared whether preexisting rule server will be provided a directory used to store the log, then
stored in the IDS system. If the rule already exists, the new the script will be made to separate the required fields of the
rule generated will be ignored. However, if the rule had not log entry, after which the field will be saved into a file and
been there before, then the rule will be recorded in the IDS. posted on the IDS server. For automatically, the file delivery
For packages that are not illegal, then the packet is forwarded schedule is using cron jobs.
to the original server. The process will be carried back
repeatedly from checking new file. In the Snort system checks On the server IDS, snort service will be enabled but the
new file will be scheduling, checking the new files that will be condition of the default rule will be deactivated. The
done is every one minute. unavailability of the system snort rule will facilitate the
implementation of pilot testing on assault on the server
honeypot. On implementation, the rule should be generated on
the server IDS as a result of the attacks that occurred on the
server honeypot.
C. Files and Directories Structures on Honeypot Server
1. /root/honeypotTA
In the directory, we make a Honeyd2.conf
configuration as script below:
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

Figure 4 A Flowcharts to Generate Rule create windows

set windows personality "Microsoft Windows XP
Professional SP1"
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open Also, in /etc/snort will make coba.py which has function to
set windows ethernet "08:00:27:4d:bd:05" generate rule automatically. The script can be shown below.
#dhcp windows on eth0
bind 192.168.183.94 windows
#!usr.bin/env python
In honeyd, we made one virtual PC using Microsoft Windows with open('honeyd.txt', 'r') as infile:
XP Professional SP1. We open three ports, 135, 139 and 445. for index, line in enumerate(infile, 1):
We make the port open for the scanning. with open('TA_rule_{}.rules'.format(index),
'w') as outfile:
2. /root/Dekstop/cobaperl outfile.write('alert {} {} any -> {}
{}(msg:"Possible SCAN"; classtype:networkscan;
This directory contains files splitfile.pl. Splitfile.pl is a sid:1; rev:1;)\n'.format(*line.split()))
script file that is used to separate the required field of IDS to
create a rule. For this publication, the file will not be exposed.
3. /root/Dekstop/checkfile
Below is the example of rule generated
This directory contains configuration files for checking files.
The script checks the file used to identify whether there is the alert tcp 172.21.5.42 any -> 172.21.2.1 82
value of splitfile.pl file. (msg:"Possible SCAN"; classtype:network-scan;
sid:1; rev:1;)
4. /usr/local/share/honeyd/logs
This directory is a directory for storing folders and files as Rule generated will be saved in the directory using the
script below.
follows:
#!usr.bin/env python
TABLE 2 File in directory /root/local/share/honeyd/logs with open("snort-TA.conf", "a") as myfile:
No File Description for index in range(1,4):
1 Folder log Folder log activity from the myfile.write('include
attacker /etc/snort/rules/TA_rule_{}.rules\n'.format(index))
2 Folder backup Folder to backup the folder log.
3 Folder final Folder to save the final log that
will be sent to the snort server Files and directories that we need to implement for
4 File demoTA.log File log captured by Honeypot automatically rule generated, as below.
5 File demoTAsplit.log File log contains fields that had 1. Direktori /etc/snort/backup
been separated from file
This directory used to save backup file of
demoTA.log.
6 File File used to save list of opened
demoTAsplit_finalfile.log.
demoTAsplittemporary.log port base. 2. Directory /etc/snort/backup/Sat Jun 6 22:56:01 2015/
7 File Result of log had been This folder is a folder backup at Saturday, June 6 2015 at
demoTAsplit_finalef compressed. 22:56 o’clock.
ile.log 3. Directory /etc/snort/
This directory contains file as shown on TABLE 2..
D. Files and Directories Structures on IDS Server TABLE 3 File in directory /etc/snort
No File Description
A new file send from Honeypot is file.log contain field
1 File checknewfile.pl Script to check new file
which is need to make a new rule. In /etc/snort directory will
2 File mkrule.pl Script to generate rule
be make a new script to check a new file. The script check.sh 3 File counter.txt File static variable used to naming
is shown in figure below. rules.
#!/bin/bash 4 File Snort-TA.conf Script used to differ attacking with
the rules.
if [ -f /etc/snort/honeyd.txt ]
then 4. Directory /etc/snort/rules
python generate.py
mv *.rules /etc/snort/rules This directory used to save new rules generated.
python include.py In directory, the list of rules generated as shown below.
snort -c /etc/snort/snort-TA.conf -l
/var/log/snort/ TA_rule_1.rules
fi
TA_rule_2.rules
 TA_rule_3.rules
TA_rule_[n].rules
IV. RESULT AND DISCUSSIO
ONS
After doing some kind of attack to honeypot server, then
log on to the server will be sent to the servver Honeypot IDS.
Later in the IDS server will be made in accordance with the
rule logs obtained. The following figure is a rule that has been
successfully generated using the system builtt.
Figure 5 Rule Generated
On figure 5, there are three rules gennerated, they are
TA_rule_1.rules; TA_rule_2.rules and TA_ruule_3.rules.
The rules that are generated are as follows:
Figure 6 Example: Rule Generrated
We carried out tests on the generated ruule. The following
image is a display in the form of alerts to inncoming attacks in
accordance with the new rule that has happenned generate.
View publication stats
V. CONCLUSION AND
A SUGGESTIONS
Making the new rule autom matically from server honeyd to
server IDS Honeypot was succcessfully. Logs obtained from
the server Honeypot IDS succcessfully sent to the server, and
then based on the log that is obtained
o by IDS server created
rule. In this paper a successfuul rule generated is still in the
form of alerts if any illegal acctivity coming into the network,
is expected to further the deveelopment of systems that can be
made a rule to block illegal actiivity.
New attack pattern will em merge; still, this attack was not
handling by the snort rule. This
T traffic will need to further
investigation, so that can ressult with a new rule. In this
research, we only make a siimple statistics to analyze the
traffics, further research, neew approach which is more
effective and efficient should be
b done for accuracy.
Referrences
[1] H.Altwaijry, K.Shahbar,"(WHA ASG) Automatic SNORT Signatures
Generation by Using Honeypot"", Journal of Computers, Vol.8 No.12,
December 2013.
[2] Zhichun Li, Lanjia Wang, Yaan Chen and Zhi,"Network-based and
attack-resilent Length Signature Generation for Zero-day Polymorphic
Worms", http://www.cs.northwesstern.edu.
[3] V.Ajaxon,"Building IDS rules by means of a honeypot", NISlab-
Norwegian Information Security Laboratory,2005.
[4] Writing Snort Rules | How to write
w Snort rules and keep your sanity
Current as of version 1.3.1.2 By martin
m Roesch.
[5] Ur Rehman Rafeeq. 2003. Advvanced IDS Techniques Using Snort,
Apache, MySQL, and ACID.
[6] J. Patel Hemangini(May 2014). A Survey on Intrusion Detection System
in Cloud. In Internationl Jouurnal of Engineering and Technical
Research(IJETR) Volume-2, Issuue-5, 2321-0869.
[7] Prof. Jawale Smita,et al,"Intrussion Detection System Using Virtual
Honeypots", International Jouurnal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622, 30 March 2012
[8] Jacob Benoit (December 2011).. Automatic XSS Detection and Snort
Signatures/ ACLs Generation byy the Means of a Cloud-Based Honeypot
System.