Early Intrusion Detection System (IDS) using Snort and Telegram approach

— Computer network security is an important factor that must be considered. Guaranteed security can avoid losses caused by attacks on the network security system. The most common prevention against network attacks is to place an administrator, but problems will arise when the administrator is not supervising the network, so to overcome these problems a system called IDS (Intrusion Detection System) can detect suspicious activity on the network through automating the work functions of an administrator. Snort is one of the software that functions to find out the intrusion. Data packets that pass through network traffic will be analyzed. Data packets detected as intrusion will trigger alerts which are then stored in log files. Thus, administrators can find out intrusions that occur on computer networks, and the existence of instant messaging applications can help administrators to get realtime notifications, one of which is using the Telegram application. The results of this study are, Snort able to detect intrusion of attacks on computer networks and the system can send alerts from snort to administrators via telegram bot in real-time .


I. INTRODUCTION
Security could be a huge issue for all networks in today's enterprise domain.Hackers and intruders have created several fortunate efforts to bring down company organization and network services.Several strategies are developed to secure the network infrastructure and communication over the web, among them the utilization of firewalls, encryption, and virtual non-public networks.Intrusion detection could be a comparatively new addition to such techniques.
Intrusion Detection System began disclosure over the foremost recent number of years.Utilizing interruption location techniques, you will be able to gather and use knowledge from sorts of disruptions and see whether or not someone is trying to assault your system or specific hosts.The data gathered on these lines are often used to solidify your system security, even as for legitimate functions.Various weak appraisal instruments are too accessible inside the advertising that may be used to survey distinctive types of security gaps show in your organization.
The suggested work is to scale back the malicious activities by characteristic the intruders early in network done through the observance of the node behavior/features with Snort and wire.During this paper, we tend to designed efficient intrusion detection.The system contains 3 phases like feature choice, outlier detection, and classification.The primary contribution of this paper is that the introduction of a brand new feature choice formula referred to as intelligent complete feature choice that helpful|is beneficial|is helpful} for recommending the useful options.The second phase of this paper is the introduction of a brand new detection methodology referred to as an entropy-based weighted outlier detection methodology for removing the useless records.The third contribution of this paper is that the use of the prevailing classification formula referred to as showing an intelligence layered approach for effective classification.The most advantage of this projected work is to pick out the helpful options that are helpful to boost the classification (intrusion detection) accuracy.
The rest of this paper is managed as follows: Section two provides the literature survey and system development model.Section three demonstrates the results and discussion.Section four provides a conclusion and also the future works

II. LITERATUR REVIEW
The early analysis was explicit that Intrusion Detection System (IDS) datasets that were created in university Lincoln Laboratories are wont to assess the performance of Snort [1] [2].The analysis of snort is completed supported the detection rate.It's been found and concludes that snort detection rate is required to boost and additionally the false alert ought to be reduced to boost the general performance of snort.Here, Snort is evaluated on week three, week 4, and week five knowledge.The week three data is attack free and able to train Snort.Week four and week five data include attacks and are utilized in the testing part.Throughout the testing part, Snort generates many alarms: Nevertheless, Rishab stated [3] that snort can show all matches packet outlined by the administrator.The data stored in MySQL database that we have created a UI to show all the required data regarding the alert generated.The knowledge includes supply IP, Destination IP, Alert generated, Date, and Time of once the packet was received.
Natawat [4] in his research built a snort system using IDS as a result of Intrusion detection systems are efficient network security tools for detective work and observance network traffic knowledge.They generate associate alert once abnormal behavior patterns are matched to existing rules.However, as a result of the IDS could have high false positive and false negative values, we have proposed another system, incorporating data processing of the association rules inside the Snort IDS.The system was completely tested and compared to the first Snort IDS Rules also as icmp.rulesand ICMP-info.rulesinside the Snort IDS, the system proven to be more useful and more precise.

A. Intrusion Detection System
The intrusion detection system (IDS) is often defined as a tool or associate application that detects malicious activities or policy violations inside the network.IDS has been widely utilized in recent years united of the most network security parts.The target of this study is to search out the best-fit approach that might considerably scale back the number of options.Besides, the approach would result in high classification accuracy with less process time [5].In order to avoid computer users from malicious effects, IDS (intrusion detection system) is is meant to seem out network activities and manufacture alerts to several persons like administrative and others [6].IDS is used for two purposes: one methodology is used to identify known attacks, and the other method is used for unknown attacks.The implementation of the second technique isn't simple, and therefore the system ought to come with the correct learning and testing method.

B. Snort
Snort is that the form of the Intrusion Detection System that's used for scanning databases flowing on the network [7], [8].Snort logically divided into multiple components.Snort logically divided into multiple parts.These parts work along to find specific attacks and generate output into a needed format from the detection system [9].A snort-based IDS consists of following major components as shown in the table:   The Snort IDS rules exhibitions were assessed by utilizing the precision comparisons method.Appropriate parameters, as seen in Table 2, layout the Grunt IDS rules as appeared in Figure 1.

C. Scanning
Port scanning is a process of finding out which ports are open on a particular host or all hosts on a network [9].The first step in any intruder activity is usually to find out what services are running on a network.Once an intruder has found this information, attacks for known vulnerabilities for these services are tried.The portscan preprocessor is designed to detect port scanning activities.The preprocessor can be used to log the port scanning activities to a particular location in addition to standard logging.Hackers can use multiple port scanning methods.Refer to man pages or documentation of the Nmap utility [10] to learn more about port scanning methods.The Nmap utility is a widely used tool for port scanning.
The following is the general format of the preprocessor used in the snort.conffile. preprocessor

portscan: <address> <ports> <time period> <file>
There are four arguments to the preprocessor.
• The address range of IP addresses to monitor is a single IP address or network address.The range is specified using the CIDR block.
• The number of ports accessed within a certain period can be specified.For example, a number 5 means that if five ports are scanned within the time period specified, an alert is generated.
• The period is the number of seconds that defines the period used for the threshold.
• The path of the file name where the activity should be logged

D. Rapid Prototyping Model
Rapid prototyping is an effective approach to requirements validation and evolution via an executable model of a software system to demonstrate concepts, discover requirements errors and find possible fixing solutions, and discover and discover missing requirements [11][12], [13][14].
Besides the implementation of main system functionalities, a prototype has a User Interface (UI) that allows the client to validate their requirements visually, make it easy to find out faults in the requirements, and then fix them [15][16].

III. METHOD
In this section, we present system development methods.As mentioned in the previous chapter (Literatur Review), this research built on prototype software development model, the phase of a prototype are: a. analysis At this stage, the activities carried out are to analyze the purposes contained in the existing problems.Researchers define the whole object of which is to identify all the requirements, among others: (a) analysis of the problem, (b) analysis of needs, (c) an analysis of the user b.Design The activities carried out are researchers create design drawings in the wake of the network topology.This topology design created using Microsoft Visio c. Implementation The activities carried out are the development of the overall device and troubleshooting plan.At this stage in the form of an actual implementation.The result of this phase is a device that is ready to be tested.

d. Evaluation
The security monitoring network attack simulation.The author tested a new system simulation for the user to determine whether the new system simulation gives satisfactory results.If so, then it will proceed to the next stage of the use of the new system.If not, the author will make revisions to return to stages 1, 2, and 3 with a better understanding of the needs of the user.
e. Results Network monitoring systems have been successful.In this step, it is necessary for the maintenance of the new system so that the system can run properly and the user can feel the comfort in using the network attack monitoring system.
The overall process of the research development method displayed in Figure 2.

IV. RESULTS AND DISCUSSION
In this part, we display the result of IDS using Snort and Telegram.
A. Network architecture Network architecture was designed based on the general framework of the system before the evaluation.To link all the network, this procedure clarified how the network addressing system and router configuration: The following command in table 2 is essential to call the library inside Ubuntu repository, proceed with the next phase is Snort configuration.

V. CONCLUSION
Snort supported IDS to detect early intrusion and notified to the server administrator through Telegram application.
The IDS system could detect for Port scanning attack, FTP brute force, SSH brute force, and DDoS attack.For further research, we suggest adding more rules scenario on Snort to get better security in the network system.

Figure 1
Figure1shows the Snort IDS rules generator procedure.The association rules of the defined parameter's entries are used to generate the Snort IDS rules by the MinSIC module for detecting network probe attacks.

Figure 1
Figure 1 Snort IDS generator rules

Figure 3 .
Figure 3. Network architecture Figure 2 describes a simulation of monitoring evaluation between the attacker and the embedded Snort server.This simulation conducted in a local network and using Virtual Box.

Figure 10 .
Figure 10.FTP access attack IDS system automatically acknowledges the intrusion because it identified to access FTP without authorization from eligible IP and defined it as an attack.

Figure 13 .
Figure 13.Evaluation system From all performed tests, we got a result as expected.The system detected the intrusion done by the attacker.Intrusion detection by the rules made from port scanning, FTP Access, SSH access, and DDoS.D. Telegram Notification Notification from a server to Telegram was configured before the testing.

Figure 14 .
Figure 14.Detection information For every test performed, Telegram receives a notification toward any intrusion that came to a server, e.g: intrusion from DDoS test, Telegram automatically notified as displayed in figure 12.

Figure 15 .
Figure 15.Telegram notification This notification directly sent to an administrator to inform an activity from unknown sources.

Table 2
Components of Snort

Table 3
snort configuration //Membuat user dan group snort #groupadd snort #useradd snort //membuat direktori dan file untuk rule #mkdir /etc/snort #mkdir /etc/snort/rules #touch /etc/snort/rules/nmap.rules#touch/etc/snort/rules/ftp.rules#touch /etc/snort/rules/ssh.rules #touch /etc/snort/rules/ddos.rules#touch/etc/snort/sid-msg.map*.conf*/etc/snort#sudo cp *.map /etc/snort #sudo cp *.dtd /etc/snort This function begins with creating a user and snort group, creating rules directory, creating logging snort directory, giving access to snort directory, and copying file configuration.The snort configuration phase proceeds with Installation and Configuration Barnyard2, Implementation Database and the last is Snort Rule Implementation.Snort Rules are the rules that are used to detect intrusion and suspicious activities.Here are a few snort rules from the official website which is implemented in this study: a. Rule Port Scanning