Implementing Snort Intrusion Prevention System (IPS) for Network Forensic Analysis
Kashif Ishaq, Hafiz Ahsan Javed

TL;DR
This paper presents the implementation of Snort IPS on PfSense to detect, prevent, and investigate network attacks on an e-learning server, demonstrating effective attack detection and forensic analysis capabilities.
Contribution
It introduces a comprehensive security system integrating Snort IPS with PfSense for attack detection, prevention, and forensic investigation in an organizational network.
Findings
Snort in IPS mode effectively detects attacks on e-learning servers.
Automatic IP blocking prevents further malicious activities.
Network forensic analysis aids in accurate attack reporting.
Abstract
The security triad of confidentiality, integrity and availability is the main pillar of information systems, as every organization emphasizes security. For the last few decades, digital data has been the main asset for every digital or non-digital organization. The proliferation of easily accessible attack software on the internet has lowered the barrier for individuals without hacking skills to engage in malicious activities. An industrial organization operates a server (Confluence) that serves as a learning platform for newly hired employees or management training officers, thereby making it vulnerable to potential attacks using readily available internet-based software. To mitigate this risk, it is essential to implement a security system capable of detecting and preventing attacks, as well as conducting investigations. This research project aims to develop a comprehensive security…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Digital and Cyber Forensics
