Implementation of IDS Using Snort with Barnyard2 Visualization for Network Monitoring in The Informatics Engineering Computer Lab at Muhammadiyah University Surakarta

The recent surge in cyberattacks should not be taken lightly, especially by large enterprises with sensitive data. Intrusion Detection Systems (IDS) are becoming a critical component for detecting network anomalies. One such network anomaly detection tool is SNORT, with a BASE (Basic Analysis and Security Engine) frontend for efficient data processing. Acting as a bridge between SNORT and BASE, the author uses barnyard2 as a backend to store the logs obtained from SNORT in the database. The implementation methodology used in this research is an experimental approach, where the authors conduct experiments through trial and error to achieve the desired results. This IDS system was tested using two types of attacks, namely DDoS and SQL-Injection. The DDoS attack trial used Hping3, a tool found in Kali Linux, in 6 scenarios, namely FIN, ACK, RST, UDP, SYN, and ICMP, with the results detected in the snort database. The SQL-Injection attack test used the DVWA vulnerable website, with the result detected in the snort database when the attack was carried out. This proves that the accuracy level of the system reaches close to 100% with the rules given and the penetration testing given.


I. INTRODUCTION
In this era of digitalization, cyber crime attacks are becoming more prevalent. This makes companies and organizations take proactive steps to improve information system security. Network security is very important to pay attention to, especially in the era of technology. Many institutions or organizations are not concerned with security issues. However, when the network is attacked and the system fails, the cost of repairing the system will be high. Therefore, more attention should be paid to investing in network security to prevent damage from attack threats, which are increasingly diverse. [1] One way to improve information system security is to use an Intrusion Detection System (IDS). IDS is a security system that aims to detect attacks on computer networks and provide notifications to administrators to take appropriate action.
The Informatics Engineering study program of Universitas Muhammadiyah Surakarta (UMS) has a local network that can be accessed by UMS Informatics Engineering students. High activity in accessing the local network results in increased potential for attacks on users of the local network. So an effort is needed to secure the local network in the UMS Informatics Engineering study program.
To safeguard and analyze the monitored network data packets against things that endanger network connectivity, a system is needed that can detect and prevent attacks, as well as display and send alerts to network admins when an intrusion occurs. Network admins are responsible for all conditions that occur on the network they manage, especially for the network security system. Even though a network is generally equipped with a firewall, this requires the admin to be on standby to monitor log files regularly. [2] One of the popular IDSs used is Snort. Snort is open source IDS software that is capable of detecting attacks on computer networks in real time. Snort allows administrators to monitor network traffic and detect attacks based on predefined patterns. [3] However, Snort is not able to analyze large network traffic efficiently. Therefore, Barnyard2 is used, an open source application that allows Snort to analyze network traffic efficiently and store the analysis results in a database.
The implementation of Snort as an Intrusion Detection System (IDS) represents a groundbreaking advancement in enhancing server security on Ubuntu. Rigorous testing conducted in this research demonstrates the tangible benefits of deploying Snort IDS, showcasing increased resilience against cyber threats within the network infrastructure. This solution's remarkable versatility is a key innovation, proving its efficacy across various operating systems and highlighting its adaptability to diverse IT environments. The research emphasizes Snort's swift detection and response capabilities, positioning it as a reliable and agile tool for proactive threat management.
Furthermore, the study underscores the user-friendly configuration of Snort IDS, making it accessible and manageable for network administrators, irrespective of their expertise levels.
In addition to its rapid response and user-friendly attributes, the open-source nature of Snort represents a significant innovation. This characteristic not only offers transparency, flexibility, and collaborative opportunities for ongoing improvement but also aligns the solution with the dynamic landscape of cybersecurity challenges. By providing an in-depth understanding of Snort and Barnyard2 in IDS implementation, this research not only addresses network security issues but also delivers innovative solutions. The versatility, quick response capabilities, user-friendly configuration, and open-source nature collectively contribute to a comprehensive enhancement in server security on Ubuntu, offering valuable insights into the realm of Intrusion Detection Systems for computer networks.

II. RESEARCH METHODS
Researchers used the experimental method with the aim of implementing IDS using SNORT and Barnyard2 for network monitoring in the Computer LAB of Informatics Engineering, Universitas Muhammadiyah Surakarta. The experimental method facilitates trial and error techniques, allowing researchers to repeat steps that are less precise. [4] In the implementation stage, the author installs and configures SNORT and Barnyard2 on the prepared system, followed by testing the functionality and performance of the system. [5]

Figure 1. Method workflow

System Design
Here is the design of some software and hardware.

a. Snort Component
Figure 3 describes the sequence of the detection system using SNORT, which begins with the attacker trying to carry out several attacks on the Ubuntu server. Before the attack reaches the server, SNORT first detects any unusual attempts that occur on the network. After SNORT successfully detects the attempt, it provides output in the form of a log; the log contains anything the attacker does to launch an attack. The log obtained is then visualized using Barnyard2 so that it is easier to read and understand. Intrusion detection systems with Snort are placed in the network to detect intrusions on the monitored system. Therefore, Snort must be able to intercept all data from the monitored system, both incoming and outgoing. The Snort IDS is connected to the SPAN port of the switch, which can capture data traffic from the monitored network. [6]

c. Email Alerting
The author uses email to send notifications when an attack occurs. Snort captures anomalies that occur on the network, which are forwarded to the Snort database via Barnyard2; when the number of events in the database increases, a Python script runs automatically and sends a message to the email address that has been prepared. [7]
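The polling step described under Email Alerting, as an added example that is not the authors' script. It assumes a small subset of the Barnyard2 database schema (the `event` and `signature` tables), a single sensor, and an in-memory SQLite database standing in for the Snort database; the addresses, signature names and rows are constructed.

```python
import sqlite3
from email.message import EmailMessage

# Assumption: a small subset of the Barnyard2 schema (event and signature tables).
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
"""

def new_events(conn, last_cid):
    """Events above the high-water mark, oldest first (assumes one sensor, sid=1)."""
    return conn.execute(
        "SELECT e.cid, e.timestamp, s.sig_name FROM event e "
        "JOIN signature s ON s.sig_id = e.signature "
        "WHERE e.sid = 1 AND e.cid > ? ORDER BY e.cid", (last_cid,)).fetchall()

def build_alert(rows, sender, recipient):
    """One summary mail per poll, so a packet flood does not become a mail flood."""
    counts = {}
    for _cid, _ts, name in rows:
        counts[name] = counts.get(name, 0) + 1
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"[Snort] {len(rows)} new event(s), {len(counts)} signature(s)"
    lines = [f"{n:>6}  {name}" for name, n in sorted(counts.items())]
    lines.append(f"first: {rows[0][1]}  last: {rows[-1][1]}")
    msg.set_content("\n".join(lines))
    return msg

def poll_once(conn, last_cid, sender="ids@lab.example", recipient="admin@lab.example"):
    """One cycle: returns (new high-water mark, EmailMessage or None)."""
    rows = new_events(conn, last_cid)
    if not rows:
        return last_cid, None
    # A caller would hand the message to smtplib.SMTP(...).send_message(msg).
    return rows[-1][0], build_alert(rows, sender, recipient)

def demo_db():
    """Constructed sample data in an in-memory SQLite stand-in for the Snort database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?,?,?)",
                     [(1, "DoS SYN flood", 2), (2, "SQL injection attempt", 1)])
    conn.executemany("INSERT INTO event VALUES (1,?,?,?)",
                     [(1, 1, "2024-01-01 10:00:00"), (2, 1, "2024-01-01 10:00:01"),
                      (3, 2, "2024-01-01 10:00:05")])
    return conn
```

Tracking the highest event id already reported, rather than a bare row count, keeps the script from re-sending old events after a restart if the mark is persisted.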

System Testing
System testing is carried out to determine the functionality and performance of the system that has been implemented. The attacks used to test the system are as follows:
a. DoS or Denial-of-Service is an attack that aims to make a service or network inaccessible to legitimate users. This attack is usually carried out by sending many unauthorized requests or consuming network resources, so that the service becomes dysfunctional [8].
b. SQL Injection is an attack technique on web applications that exploits weaknesses in the input data received by the application to execute unwanted SQL commands. In a SQL Injection attack, the attacker inserts SQL code into the input received by the application so that the code is executed by the database without adequate validation or sanitization. The impact of SQL Injection attacks can vary from illegal access to the database, data tampering, to system takeover. [9]

III. RESULT AND ANALYSIS

System Implementation
System implementation is done by installing and configuring hardware and software. Based on the device requirements listed in Table 1 and Table 2, the installation process steps can be described as follows.

a. Ubuntu Installation
The author uses Ubuntu 20.04 LTS, installed on VirtualBox on the lab PC, to run the IDS system. Figure 5 explains that the installation of Ubuntu on VirtualBox was successful. The selection of the Ubuntu distribution as the IDS installation platform in this study was based on practical considerations including availability, popularity, and ease of use. With its high popularity, Ubuntu offers extensive access to community resources, a comprehensive application repository, and abundant online support. In addition, its intuitive user interface and regular security update support provide stability and security that are important in the context of implementing a security system, such as an IDS, which requires a high level of reliability. In this research, Ubuntu is used as a solid foundation for implementing and running an IDS, making it a suitable choice for achieving the research objectives.

• Snort installation
The author uses Snort version 2.9.20, which is obtained from the official Snort website. Several components are used for the Snort installation, among others:
- DAQ 2.0.7 (Data Acquisition)
- libpcap 1.8.1
- libdnet 1.11
- LuaJIT 2.0.5

Figure 6. snort-2.9.20 installed successfully

Figure 6 proves that Snort was successfully installed; the next step is to configure the rules so that Snort can filter packets entering the server. Figure 7 shows that barnyard2 was successfully installed into the system. Using barnyard2 allows the log packets received by Snort to be sent to the database, which is used for visualization with the BASE front-end.

• BASE Installation
Figure 8. BASE installation successfully
The Basic Analysis and Security Engine (BASE) is a web interface to access stored alerts and provides features to analyze, report, and visualize data from Snort through Barnyard2. Statistics of network activity can be recorded and visualized through graphs as shown below.
Figure 9. Kali linux on PC attacker
Figure 9 shows that the installation of Kali Linux was successful on the attacker's PC. Kali Linux is used as the attacker in the system setup that was created. Kali Linux has many tools that are useful for launching attacks and penetration testing; one of the tools used in this experiment is hping3, which allows DoS attacks to be launched. DoS attacks allow attackers to flood the server with packets in very large quantities so that server performance drops. [11]

System Testing
Installation and configuration have been completed at the previous stage, followed by the Snort testing stage to determine whether it can detect intruders or not. In this trial, the modelling used is a client/server network model, where the server becomes the receiver while the client becomes the sender of packets to the server. From the explanation above, the experiments carried out in this study are simulated in the form of attacks from client computers to server computers. The send-email programme will send an email automatically when Snort detects an attack.
The first experiment carried out was to detect a DoS attack launched from the attacker's PC against the server PC that had the IDS installed; the attack was launched using hping3 with the command

a. DoS FIN flag

The next experiment is SQL injection. The experiment uses a vulnerable web application, namely DVWA, "Damn Vulnerable Web Application", a website provided with many loopholes to be used as a security test on a web server. Here is the SQL injection used by the author for the attack test.

Result Analysis
The results of the several attacks launched show that the system test runs as expected; they can be grouped in the table below. The system test results in the table above show appropriate performance. The system is able to detect attacks successfully according to predefined rules. The accuracy of the implemented system shows very high success and is almost close to 100%; this shows the effectiveness of using IDS to monitor networks in the campus environment for prevention efforts so that unwanted things do not happen.
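The rule set behind these detections is not reproduced on this page. As an added example (not the authors' rules and not Snort code), the following applies a per-destination rate threshold, the kind of condition Snort's `detection_filter` rule option expresses, to constructed packet records covering the six flood scenarios; the threshold, window, labels and addresses are assumptions.

```python
from collections import defaultdict, deque

# The six tested scenarios, keyed by (protocol, TCP flags); labels are constructed.
SCENARIOS = {("tcp", "F"): "FIN flood", ("tcp", "A"): "ACK flood",
             ("tcp", "R"): "RST flood", ("tcp", "S"): "SYN flood",
             ("udp", ""): "UDP flood", ("icmp", ""): "ICMP flood"}

def detect_floods(packets, threshold=5, window=1.0):
    """Alert once per (destination, scenario) when more than `threshold` matching
    packets arrive within `window` seconds. Both values are assumptions to tune;
    bare ACKs in particular are common in legitimate bulk transfers."""
    recent = defaultdict(deque)   # (dst, label) -> timestamps still inside the window
    alerts = []
    for ts, _src, dst, proto, flags in sorted(packets):
        label = SCENARIOS.get((proto, flags))
        if label is None:
            continue              # e.g. SYN+ACK or PSH+ACK, not one of the six
        key = (dst, label)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        # Counting per destination still works when source addresses vary.
        if len(q) > threshold and key not in alerts:
            alerts.append(key)
    return alerts

def sample_packets():
    """Constructed records: (timestamp, src, dst, protocol, TCP flags)."""
    server = "192.0.2.10"
    pkts = [(i * 0.01, f"198.51.100.{i}", server, "tcp", "F") for i in range(10)]
    pkts += [(float(i), "192.0.2.20", server, "tcp", "S") for i in range(8)]  # slow
    pkts += [(2.0 + i * 0.02, "198.51.100.7", server, "icmp", "") for i in range(8)]
    pkts += [(0.5, "192.0.2.20", server, "tcp", "PA"),
             (0.6, server, "192.0.2.20", "tcp", "SA")]
    return pkts
```

With the default threshold the one-per-second SYN packets stay below the limit, which is the behaviour that separates a flood from ordinary connection attempts.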

Figure 2. Snort Component
In Figure 2 there are several important components for running Snort, especially the Snort rules section, which regulates what actions can be captured using Snort. Snort then produces output in the form of a log file, which is processed using the barnyard2 application so that the types of packets sent or received by the server can be read and viewed easily. [6]

Figure 5. Ubuntu-20.04 LTS Installation on Virtualbox
Figure 5 explains that the installation of Ubuntu on VirtualBox was successful. The selection of the Ubuntu distribution as the IDS installation platform in this study was based on practical considerations including availability, popularity, and ease of use. With its high popularity, Ubuntu offers extensive access to community resources, a comprehensive application repository, and abundant online support. In addition, its intuitive user interface and regular security update support provide stability and security that are important in the context of implementing a security system, such as an IDS, which requires a high level of reliability. In this research, Ubuntu is used as a solid foundation for implementing and running an IDS, making it a suitable choice for achieving the research objectives. [10]


1. Requirement Analysis
There are several hardware and software components used for system implementation, shown in Table 1 and Table 2.

Table 1. Hardware Component

Table 2. Software Component

Table 3. Result of Test

International Journal of Computer and Information System (IJCIS)
/ijcis.net/index.php/ijcis/index