Implementation of Snort IPS Using PfSense as Network Forensic in SMK Xyz
Sulistiyono
Informatics Study Program
Faculty of Information Technology
Universitas Serang Raya
Serang City, Indonesia
Abstract—The rise of attack software that is easily obtained from the internet means that anyone, even without hacking skills, can carry out an attack. SMK Negeri 2 Pandeglang has a server that is used for learning by all students, which exposes the e-learning server to attacks launched with software from the internet. A security system is therefore needed that can detect attacks, take preventive action and support an investigation. This study aims to detect and prevent attack attempts and to investigate the attacker from the attack logs. The research was conducted using survey methods over four months, from April 1, 2019 to July 31, 2019. The result is a security system that can detect an attack attempt, block the attacker's IP address and conduct an investigation using network forensics. Based on the results of the study it can be concluded that Snort in IPS mode on PfSense can detect attacks aimed at the e-learning server, and that PfSense automatically takes the preventive measure of blocking the attacker's IP address. From the alerts generated by Snort, an investigation can be carried out using network forensics so that the effects of the attack can be reported if they are detrimental.

Keywords: network forensic, Snort, PfSense

I. INTRODUCTION

The very rapid development of technology demands an increase in the quality of network security, especially as knowledge about hacking and cracking becomes increasingly open and is supported by tools that can be obtained easily and for free. These tools range from ordinary network utilities to tools built specifically to carry out attacks.

Network forensics is one of the methods used in network security. When an attack occurs on a computer network, an investigation is needed to find and collect evidence related to the attack.

The potential for an attack on the SMK Negeri 2 Pandeglang server is very large, because the server holds important data and is accessed often by both teachers and students. An attack that is not handled properly will obstruct teaching and learning activities. After an attack, it is necessary to identify it in order to make the best use of the network infrastructure. Therefore, a network-based IPS (NIPS) security system is needed, using Snort installed on PfSense, to block attackers and to investigate alerts for network forensic purposes.

II. METHOD

The problem at SMK Negeri 2 Pandeglang is the vulnerability of the e-learning servers, which hold learning material and support teaching and learning activities shared through the server. The rise of attack software on the internet allows someone without expertise in attack techniques to carry out an attack, which exposes the school's servers during these activities.

The alternative solution is to implement a network security system using Snort to detect every activity on the network; to install Snort on the PfSense open source firewall so that preventive measures can be taken, namely blocking the attacker's IP address; and to investigate attacks using the branch of forensic science known as network forensics.

III. RESULT AND DISCUSSION

The network at SMK Negeri 2 Pandeglang is complex and has vulnerabilities because its servers can be accessed from outside. An attack exploiting this vulnerability can be detrimental. For this reason, the authors propose adding a forensic server, built on the PfSense open source firewall with Snort, to the network infrastructure. It serves to analyze and investigate the source of an attack and can take the preventive measure of blocking the IP address that is indicated as an attacker.
The reporting stage is carried out to write a report on the inspection process and the information obtained from the previous stages.

2) Denial of Service (DoS). A denial of service is carried out to disable the e-learning server with IP address 192.168.88.46. The DoS is launched from a client PC running the Debian Server operating system.
Advances in Social Science, Education and Humanities Research, volume 410
3) Port Scan. A port scan is performed to detect open ports that expose the target to attack. The port scan is performed with the Zenmap software installed on the client PC and is directed at the forensic server.
Alerts generated by Snort are used as material for analysis using network forensics.
4) ARP Spoofing. ARP spoofing is carried out from a client PC to sniff data packets intended for the victim PC. In this test, Snort's arpspoof preprocessor (preprocs) is enabled; it provides the rules for detecting ARP spoofing. The ARP spoofing is launched from a client PC running the Ubuntu operating system with the Ettercap application.
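The three tests above exercise three different detection mechanisms in Snort: a rate-limited rule (a detection_filter) for the DoS, the sfPortscan preprocessor for the scan, and the arpspoof preprocessor for the ARP attack. As an added example, not code from the paper and not Snort's own implementation, the following Python models each detection on constructed traffic and collects the IP sources that PfSense's block action would put in its snort2c table. The thresholds, window lengths, client addresses (192.168.88.101, .102 and .50), the forensic server address 192.168.88.1 and the e-learning server's MAC address are assumptions; only the e-learning server address 192.168.88.46 comes from the paper. The DoS is modelled as a SYN flood, since the paper does not name the tool used.

```python
"""Model of the three detections exercised in the tests (added example).

Not Snort's code: it mirrors what a detection_filter rule, the sfPortscan
preprocessor and the arpspoof preprocessor do, with assumed thresholds.
"""
from collections import defaultdict, deque

ELEARNING = "192.168.88.46"   # e-learning server address from the paper

# IP-to-MAC binding of the protected host, as given to Snort's
# arpspoof_detect_host. The MAC itself is a hypothetical value.
PROTECTED_HOSTS = {ELEARNING: "00:0c:29:4e:2a:11"}

# Assumed thresholds, in the spirit of a rule's detection_filter
# (count within seconds) and sfPortscan's per-window port counting.
SYN_FLOOD_COUNT, SYN_FLOOD_WINDOW = 100, 5.0
SCAN_PORTS, SCAN_WINDOW = 15, 10.0


def _slide(window, now, span):
    """Drop entries older than `span` seconds from a deque of (t, ...) tuples."""
    while window and now - window[0][0] > span:
        window.popleft()


def detect_syn_flood(packets):
    """Alert once per source that sends SYN_FLOOD_COUNT SYNs to the e-learning
    server inside a sliding SYN_FLOOD_WINDOW-second window (DoS test)."""
    history = defaultdict(deque)
    alerts, alerted = [], set()
    for p in packets:
        if p["proto"] != "TCP" or p["dst"] != ELEARNING or p.get("flags") != "S":
            continue
        w = history[p["src"]]
        w.append((p["t"],))
        _slide(w, p["t"], SYN_FLOOD_WINDOW)
        if len(w) >= SYN_FLOOD_COUNT and p["src"] not in alerted:
            alerted.add(p["src"])
            alerts.append(("attempted-dos", p["src"], p["dst"], p["t"]))
    return alerts


def detect_portscan(packets):
    """Alert once per (source, target) pair that touches SCAN_PORTS distinct
    ports inside SCAN_WINDOW seconds (port scan test)."""
    history = defaultdict(deque)
    alerts, alerted = [], set()
    for p in packets:
        if p["proto"] not in ("TCP", "UDP"):
            continue
        key = (p["src"], p["dst"])
        w = history[key]
        w.append((p["t"], p["dport"]))
        _slide(w, p["t"], SCAN_WINDOW)
        if len({port for _, port in w}) >= SCAN_PORTS and key not in alerted:
            alerted.add(key)
            alerts.append(("portscan", p["src"], p["dst"], p["t"]))
    return alerts


def detect_arp_spoof(arp_frames):
    """Alert on an ARP reply that claims a protected IP with a MAC other than
    the configured one (ARP spoofing test). The offender is identified by MAC,
    because the poisoned frame carries the victim's IP, not the attacker's."""
    alerts = []
    for f in arp_frames:
        expected = PROTECTED_HOSTS.get(f["sender_ip"])
        if f["op"] == "reply" and expected and f["sender_mac"].lower() != expected:
            alerts.append(("arpspoof", f["sender_mac"], f["sender_ip"], f["t"]))
    return alerts


def sample_traffic():
    """Constructed traffic for the three tests plus one benign client."""
    pkts = []
    for i in range(150):                       # 150 SYNs in 3 s: SYN flood from .101
        pkts.append({"t": 10.0 + i * 0.02, "proto": "TCP", "src": "192.168.88.101",
                     "dst": ELEARNING, "dport": 80, "flags": "S"})
    for i, port in enumerate(range(20, 45)):   # 25 ports in 2.5 s: scan from .102
        pkts.append({"t": 20.0 + i * 0.1, "proto": "TCP", "src": "192.168.88.102",
                     "dst": "192.168.88.1", "dport": port, "flags": "S"})
    for i in range(5):                         # benign client, one SYN per second
        pkts.append({"t": 30.0 + i, "proto": "TCP", "src": "192.168.88.50",
                     "dst": ELEARNING, "dport": 80, "flags": "S"})
    arps = [
        {"t": 40.0, "op": "reply", "sender_ip": ELEARNING, "sender_mac": "00:0c:29:4e:2a:11"},  # genuine
        {"t": 41.0, "op": "reply", "sender_ip": ELEARNING, "sender_mac": "08:00:27:de:ad:01"},  # poisoned
    ]
    return pkts, arps


def run_all(packets, arp_frames):
    """Run the three detectors; return the alerts and the IP sources that a
    block action (PfSense's snort2c table) would cut off. ARP alerts name a
    MAC rather than an IP, so they cannot feed an IP block list directly."""
    alerts = detect_syn_flood(packets) + detect_portscan(packets) + detect_arp_spoof(arp_frames)
    blocked = sorted({a[1] for a in alerts if a[0] != "arpspoof"})
    return alerts, blocked


if __name__ == "__main__":
    pkts, arps = sample_traffic()
    found, blocked = run_all(pkts, arps)
    for a in found:
        print(a)
    print("would block:", blocked)
```

The benign client never trips a detector, and the ARP alert is deliberately kept out of the IP block list: blocking the IP named in a poisoned ARP reply would block the victim, which is why the MAC is what the forensic analysis has to pivot on.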
The results of the Snort test show that the alerts written to the Snort log detected every packet that constituted an attack attempt or an attack. PfSense automatically blocks the attacking IP address. The alert log and the blocked-host log in Snort can be downloaded for network forensic purposes.

Every attack or attack attempt made from a client PC affects the traffic on PfSense, and that traffic appears on the interface from which the attack originates.
Attack attempts made from the client arrive on the LAN interface, which means they originate inside the school network. On the LAN graph, traffic reaching 12 Mbps indicates activity on the interface. The traffic rose noticeably and then stayed constant at 12 Mbps. Under normal traffic, that is, without large activity or an attack attempt, the traffic does not reach 12 Mbps.

The alerts generated by Snort are the material for network forensic investigation. From this information, an administrator can find out what is happening on the computer network and so trace the data of the attack or attack attempt.
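Once the alert log and the blocked-host list have been downloaded from PfSense, the forensic work is mostly attribution: which source produced which alerts, against which target, over what period, and whether the block actually happened. The following Python is an added example, not the paper's code. It parses alert lines in Snort's alert_fast layout (the single-line format Snort's fast logger writes; I assume that layout here, and if the file taken from the PfSense package is in its CSV layout only the regular expression changes) and joins them with a blocked-host list of the kind PfSense keeps in its snort2c table. The sample alert lines and the blocked list are constructed; every address other than the e-learning server 192.168.88.46 is an assumption. The generator IDs 1, 112 and 122 are Snort's real identifiers for text rules, the arpspoof preprocessor and sfPortscan.

```python
"""Forensic triage of Snort alert_fast lines plus a blocked-host list (added example)."""
import re
from collections import defaultdict

# One alert_fast line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ..]
# [Priority: n] {PROTO} src[:port] -> dst[:port]. Classification and the
# address pair are optional because preprocessor and ARP alerts omit them.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s*"
    r"\{(?P<proto>[^}]+)\}\s*"
    r"(?:(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?)?\s*$"
)

# Snort generator IDs: which component raised the alert.
GENERATORS = {1: "text rule", 112: "arpspoof preprocessor", 122: "sfPortscan preprocessor"}

# Constructed sample: scan from .102, DoS from .101, one ARP alert, one junk line.
SAMPLE_ALERTS = """\
07/15-09:12:03.118221  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.88.102 -> 192.168.88.1
07/15-09:12:04.550019  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.168.88.102 -> 192.168.88.1
07/15-09:20:41.002310  [**] [1:1000001:1] LOCAL DoS SYN flood to e-learning server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.88.101:44120 -> 192.168.88.46:80
07/15-09:20:41.002612  [**] [1:1000001:1] LOCAL DoS SYN flood to e-learning server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.88.101:44121 -> 192.168.88.46:80
07/15-09:31:17.770004  [**] [112:4:1] (spp_arpspoof) Attempted ARP cache overwrite attack [**] [Priority: 0] {ARP}
this line is not an alert and must be skipped
"""
# Constructed blocked-host list, as exported from the PfSense snort2c table.
SAMPLE_BLOCKED = ["192.168.88.101", "192.168.88.102"]


def parse_alerts(text):
    """Return one dict per well-formed alert line; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        alerts.append({
            "ts": d["ts"], "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
            "proto": d["proto"], "src": d["src"], "dst": d["dst"],
            "sport": int(d["sport"]) if d["sport"] else None,
            "dport": int(d["dport"]) if d["dport"] else None,
        })
    return alerts


def triage(alerts, blocked):
    """Per-source summary: signatures fired, targets, first/last time, blocked or not.
    Timestamps compare as strings because alert_fast's MM/DD-HH:MM:SS.us is fixed width."""
    blocked = set(blocked)
    per_src = defaultdict(lambda: {"first": None, "last": None, "count": 0,
                                   "signatures": set(), "targets": set(), "blocked": False})
    unattributed = []   # alerts without an IP source (ARP) need the ARP table or a capture
    for a in alerts:
        if a["src"] is None:
            unattributed.append(a)
            continue
        e = per_src[a["src"]]
        e["count"] += 1
        e["first"] = a["ts"] if e["first"] is None else min(e["first"], a["ts"])
        e["last"] = a["ts"] if e["last"] is None else max(e["last"], a["ts"])
        e["signatures"].add(
            f'{a["gid"]}:{a["sid"]} {a["msg"]} [{GENERATORS.get(a["gid"], "unknown generator")}]')
        if a["dst"]:
            e["targets"].add(a["dst"])
        e["blocked"] = a["src"] in blocked
    # Sources that alerted but were never blocked are the first thing to check by hand.
    unblocked = sorted(s for s, e in per_src.items() if not e["blocked"])
    return {"sources": dict(per_src), "unattributed": unattributed, "unblocked": unblocked}


def summarize(text, blocked):
    """Human-readable triage for the reporting stage."""
    r = triage(parse_alerts(text), blocked)
    lines = []
    for src, e in sorted(r["sources"].items()):
        lines.append(f'{src}: {e["count"]} alert(s) {e["first"]} .. {e["last"]}, '
                     f'targets {sorted(e["targets"])}, blocked={e["blocked"]}')
        lines.extend(f"    {sig}" for sig in sorted(e["signatures"]))
    for a in r["unattributed"]:
        lines.append(f'{a["ts"]}: {a["msg"]} carries no IP source; consult the ARP table or a capture')
    if r["unblocked"]:
        lines.append("alerted but never blocked: " + ", ".join(r["unblocked"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS, SAMPLE_BLOCKED))
```

The "alerted but never blocked" line is the check worth keeping: an alert from a source absent from the snort2c list means the block action did not fire for that signature (for example, a pass list entry or a non-blocking rule), and the ARP alert is listed separately because it identifies no IP address to block at all.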
IV. CONCLUSION

Building a forensic server with PfSense and Snort makes it possible to prevent and investigate attacks and to take preventive action on the network, because PfSense's package manager provides Snort to detect attacks. By activating the rules that suit the network's needs, Snort can identify each attack, PfSense automatically takes the preventive measure of blocking, and the alerts generated by Snort can be used as material for the network forensic investigation process.

ACKNOWLEDGMENTS

The researchers realized that many difficulties were encountered during this research. These difficulties could not have been resolved without the help and encouragement of various parties.