ANALYSIS AND EVALUATION SNORT, BRO, AND SURICATA AS INTRUSION DETECTION SYSTEM BASED ON LINUX SERVER

FINAL PROJECT REPORT
Submitted as One of the Requirements for Obtaining the Bachelor Degree in the Department of Informatics
Universitas Muhammadiyah Surakarta


By:

M. Faqih Ridho
L200090136

DEPARTMENT OF INFORMATICS
FACULTY OF COMMUNICATIONS AND INFORMATICS
UNIVERSITAS MUHAMMADIYAH SURAKARTA
2014



MOTTO

“Life is not for pleasure but for looking for a change for a better life.”
(Arba’atin)

“Indeed, those who have believed and done righteous deeds will have gardens beneath which rivers flow. That is the great attainment.”
(Qs. Al Buruj:11)


DEDICATION


With gratitude, the author dedicates this final project to:
1. My lovely parents, Mr. Widodo and Mrs. Siti Aminah, for their unlimited love, every piece of advice and every prayer given to me so that I may become a successful person, and also for their unforgettable support.
2. My lovely brothers and sisters, Artati, Kosim, Ami and Listanto, who always give me the best support.
3. My beloved, Nur Fajarwati Halimah, who is always my dearest supporter, my partner in discussion and sharing, and my best future.
4. My classmates in class A: Rijal, Novel, Galuh, Sofyan, Septiawan, Budi and Ida, the friends who accompanied me in happiness and sadness for four years.
5. My MATIKEP friends (Mahasiswa TI Kelas E Punya), my friends from my early study in college.
6. My HIMATIF UMS friends, the first place where the author learned about organization and self-development.
7. The big family of the Informatics Engineering Department, UMS, the Laboratory of the Informatics Engineering Department, UMS, and all of my practicum friends, for all the valuable things given to me.
8. The big family of IT-UMS and IT-Helpdesk, who always give me support and a place for sharing.
9. Lastly, thanks to everyone who is always beside me.


ACKNOWLEDGEMENT

Praise be to Allah the Almighty, who has given His blessing so that the author could finally finish this final project report entitled “ANALYSIS AND EVALUATION SNORT, BRO, AND SURICATA AS INTRUSION DETECTION SYSTEM BASED ON LINUX SERVER” as one of the requirements for achieving the Bachelor Degree of the Informatics Engineering Department.
The author realizes that this final project report could not have been completed without the help and assistance of others. Therefore, on this occasion the author would like to express appreciation to the individuals and institutions who gave their help during the writing process so that this final project report could be finished. The author would like to express the deepest gratitude to the following:
1. Mr. Husni Thamrin, S.T., M.T., Ph.D., as Dean of the Faculty of Communications and Informatics, Universitas Muhammadiyah Surakarta.
2. Mr. Dr. Heru Supriyono, S.T., M.Sc., as Head of the Department of Informatics, Universitas Muhammadiyah Surakarta.
3. Mrs. Endah Sudarmilah, S.T., M.Eng., as the Academic Advisor throughout the study.
4. Mr. Fatah Yasin, S.T., M.T., and Mr. Yusuf Sulistyo Nugroho, S.T., M.Eng., as the final project advisors who gave the guidance and advice that allowed the author to finish this final project.
5. All the lecturers and employees of the Informatics Engineering Department for the help and knowledge given to the author throughout the study, so that the author could obtain the bachelor degree.
6. My parents, who always give the author prayers, support and motivation.
7. Everyone who cannot be mentioned one by one and who helped the author finish the final project.
Last but definitely not least, hopefully this final project report will be a beneficial contribution to future research.

Surakarta, May 2014

The author



TABLE OF CONTENTS

TITLE........................................................................................................................i
APPROVAL ............................................................................................................ ii
VALIDATION ........................................................................................................ iii
MOTTO...................................................................................................................iv
DEDICATION ......................................................................................................... v
ACKNOWLEDGEMENT ......................................................................................vi
TABLE OF CONTENTS ..................................................................................... viii
LIST OF TABLES.................................................................................................xiv
LIST OF FIGURES................................................................................................ xv
ABSTRACT ....................................................................................................... xviii
CHAPTER I: INTRODUCTION ......................................................................... 1
A. Background of the Study ......................................................................... 1
B. Problem Statement .................................................................................. 2
C. Limitation of the Study............................................................................ 2
D. Objective of the Study ............................................................................. 3
E. Benefit of the Study ................................................................................. 3
F. Systematical of Writing ............................................................................ 4


CHAPTER II: REVIEW OF LITERATURE...................................................... 5
A. Research Study ........................................................................................ 5
B. Basic Theory ........................................................................................... 6


1. Network Security ............................................................................ 6
2. Linux Ubuntu .................................................................................. 7
3. Intrusion Detection System ............................................................. 8
4. Snort .............................................................................................. 11
5. Bro ................................................................................................. 12
6. Suricata.......................................................................................... 13
7. Malware......................................................................................... 14
CHAPTER III: RESEARCH METHOD ........................................................... 15
A. Time and Place ...................................................................................... 15
B. Tools ...................................................................................................... 15
1. Software ........................................................................................ 15
2. Hardware ....................................................................................... 16
C. Research Method ................................................................................... 16
1. Ubuntu Server Installation ............................................................ 22

2. Installing Supporting System ........................................................ 24
3. Installing and Configuring Snort ................................................... 26
4. Installing and Configuring Bro ..................................................... 27
5. Installing and Configuring Suricata .............................................. 27
CHAPTER IV: RESULTS AND DISCUSSION ................................................ 28
A. Research Result ..................................................................................... 28
1. Scanning ........................................................................................ 28
2. Penetration..................................................................................... 29
3. The Use of Resource ..................................................................... 30


4. Warning Detection ......................................................... 34
B. Discussion .............................................................................................. 38

CHAPTER V: CONCLUSION AND SUGGESTION ...................................... 41
5.1 Conclusions .......................................................................................... 41
5.2 Suggestions .......................................................................................... 41
BIBLIOGRAPHY ................................................................................................ 42
APPENDIX ........................................................................................................... 44



LIST OF TABLES

Table 3.1 : Hardware Specification to test IDS ............................................... 16
Table 3.2 : Packages which are needed by the IDS ......................................... 24
Table 4.1 : Events of Snort ................................................................................ 35
Table 4.2 : Events of Suricata ............................................................................ 37
Table 5.1 : Comparison of Snort, Bro and Suricata ........................................... 42


LIST OF FIGURES

Figure 2.1 : The Structure of the Bro System ................................................... 13
Figure 3.1 : The Flowchart of the Research .................................................... 18
Figure 3.2 : Armitage ...................................................................................... 19
Figure 3.3 : The Network Scheme of IDS testing ............................................ 21
Figure 3.4 : The Process to choose software in Ubuntu server installation .... 22

Figure 3.5 : Snort ............................................................................................ 26
Figure 3.6 : Bro .............................................................................................. 27
Figure 3.7 : Suricata ....................................................................................... 27
Figure 4.1 : Result of Scanning ....................................................................... 28
Figure 4.2 : The use of Hail Mary to do penetration ....................................... 29
Figure 4.3 : The use of resources in normal condition .................................... 30
Figure 4.4 : The use of Snort resources before testing .................................... 31
Figure 4.5 : The use of Snort resources when testing ..................................... 31
Figure 4.6 : The use of Bro resources before testing ...................................... 32
Figure 4.7 : The use of Bro resources when testing ........................................ 32
Figure 4.8 : The use of Suricata resources before testing ............................... 33
Figure 4.9 : The use of Suricata resources when testing ................................ 33
Figure 4.10 : Snort alert .................................................................................. 34
Figure 4.11 : Bro alert .................................................................................... 36


Figure 4.12 : Suricata alert .............................................................................. 36
Figure 4.13 : Snort Log .................................................................................. 39
Figure 4.14 : Suricata Log .............................................................................. 39
Figure 4.15 : Bro Log ...................................................................................... 40


ABSTRACT
Security and confidentiality of data on computer networks is a problem that continues to grow. Installing firewalls, antivirus, IDS (Intrusion Detection System) / IPS (Intrusion Prevention System) and other security applications often requires a considerable cost. Open source software is a solution to these expensive security problems. An Intrusion Detection System is a system designed to collect information about activity on the network, analyze that information, and issue a warning. Snort, Bro and Suricata are open source Intrusion Detection Systems. By comparing their installation, their configuration, the warnings they display, and the resulting information, the advantages and disadvantages of Snort, Bro and Suricata as Intrusion Detection Systems can be identified.
Testing consists of two stages: scanning and penetration. The scanning stage scans all ports, using the NMAP application found in Armitage. The penetration stage uses the Hail Mary item in the Attack tab of Armitage; Hail Mary tries all available exploits against the target computer.
Based on the scanning and penetration process, Snort detected 926 alerts, Suricata detected 1218 alerts and Bro detected 128 alerts, the fewest of the three. Snort and Suricata are easy to install and to update rules for; Bro requires the least amount of resources.
Key words: Bro, Intrusion Detection System, Snort, Suricata
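The abstract compares the three sensors by the number and kind of warnings they produce for the same scan and penetration traffic. As an added example, not code from the report or from the Snort, Bro or Suricata projects, the script below parses the three alert formats the report works with (Snort alert_fast and Suricata fast.log, which share one line layout, and Bro's tab-separated notice.log) and tallies them per sensor: total alerts, alerts per message or notice type, and the distinct source hosts. All log lines in it are constructed for illustration and carry local-range signature IDs (1000001 and up); they are not the sensors' real output from the report, and the regular expression assumes IPv4 endpoints.

```python
"""Tally Snort, Suricata and Bro alerts from their log files for a side-by-side comparison.

Added example, not part of the original report. Sample log lines are constructed.
"""
import re
from collections import Counter

# Snort (alert_fast) and Suricata (fast.log) write the same one-line format; only the
# timestamp differs (Snort MM/DD-HH:MM:SS, Suricata MM/DD/YYYY-HH:MM:SS).
# Assumption: IPv4 endpoints; ports are absent for ICMP alerts.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alerts(lines):
    """Parse Snort/Suricata fast-format alert lines into dicts; non-matching lines are skipped."""
    alerts = []
    for line in lines:
        m = FAST_ALERT.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def parse_bro_notices(lines):
    """Parse a Bro notice.log: tab-separated rows, column names given by the '#fields' header."""
    fields, notices = None, []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):      # other header/footer lines
            continue
        if fields is None:
            raise ValueError("notice.log data row seen before the #fields header")
        row = dict(zip(fields, line.split("\t")))
        # The notice type (column 'note') plays the role of the alert message; '-' means unset.
        notices.append({"msg": row.get("note", "-"), "detail": row.get("msg", "-"),
                        "src": row.get("src", "-"), "dst": row.get("dst", "-")})
    return notices


def summarize(alerts):
    """Tally alerts the way the report compares sensors: total, per message, distinct attacking hosts."""
    return {"total": len(alerts),
            "by_msg": Counter(a["msg"] for a in alerts),
            "sources": sorted({a["src"] for a in alerts if a["src"] != "-"})}


def compare_sensors(snort_lines, suricata_lines, bro_lines):
    """Return {sensor: summary} for the three IDSs from their raw log lines."""
    return {"snort": summarize(parse_fast_alerts(snort_lines)),
            "suricata": summarize(parse_fast_alerts(suricata_lines)),
            "bro": summarize(parse_bro_notices(bro_lines))}


# Constructed sample logs: attacker 192.168.1.5 scanning and exploiting target 192.168.1.10.
SNORT_SAMPLE = """\
05/20-10:15:32.123456  [**] [1:1000001:1] LOCAL nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:44231 -> 192.168.1.10:22
05/20-10:15:32.234567  [**] [1:1000001:1] LOCAL nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:44232 -> 192.168.1.10:80
05/20-10:15:33.000001  [**] [1:1000002:1] LOCAL ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.5 -> 192.168.1.10
05/20-10:16:01.500000  [**] [1:1000003:2] LOCAL shell metasploit payload [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.5:4444 -> 192.168.1.10:445
""".splitlines()

SURICATA_SAMPLE = """\
05/20/2014-10:15:32.123456  [**] [1:1000001:1] LOCAL nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:44231 -> 192.168.1.10:22
05/20/2014-10:15:32.234567  [**] [1:1000001:1] LOCAL nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:44232 -> 192.168.1.10:80
05/20/2014-10:15:32.345678  [**] [1:1000001:1] LOCAL nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:44233 -> 192.168.1.10:443
05/20/2014-10:15:33.000001  [**] [1:1000002:1] LOCAL ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.5 -> 192.168.1.10
05/20/2014-10:16:01.500000  [**] [1:1000003:2] LOCAL shell metasploit payload [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.5:4444 -> 192.168.1.10:445
""".splitlines()

BRO_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "note", "msg", "src", "dst", "p"]
BRO_SAMPLE = [
    "#separator \\x09",
    "#fields\t" + "\t".join(BRO_FIELDS),
    "\t".join(["1400576132.123456", "CXWv6p3arKYeMETxOg", "192.168.1.5", "44231", "192.168.1.10", "22", "tcp",
               "Scan::Port_Scan", "192.168.1.5 scanned at least 15 unique ports of host 192.168.1.10 in 0m1s",
               "192.168.1.5", "192.168.1.10", "-"]),
    "\t".join(["1400576161.500000", "CjhGID4nQcgTWjvg4c", "192.168.1.5", "4444", "192.168.1.10", "445", "tcp",
               "Weird::Activity", "bad_TCP_checksum", "-", "-", "-"]),
]

if __name__ == "__main__":
    for sensor, s in compare_sensors(SNORT_SAMPLE, SURICATA_SAMPLE, BRO_SAMPLE).items():
        print(f"{sensor:9s} total={s['total']:3d} sources={s['sources']}")
        for msg, n in s["by_msg"].most_common():
            print(f"{'':9s} {n:3d}  {msg}")
```

Run against real files, the same three parsers give the per-sensor totals the abstract reports (926, 1218 and 128) and show which signatures or notice types account for the difference; counting distinct source hosts separately from raw alert counts matters because a single port scan from one host can produce hundreds of Snort or Suricata alerts but a single Bro Scan::Port_Scan notice.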
