University of Oxford
Network Intrusion Detection Systems (IDS) are used to monitor attempts (successful or otherwise) to use remote exploits.
There are basically 2 different IDS:
Post-intrusion detection after the event
Active (re-active) real-time detection
The main difference between the 2 IDS can often be one of cost.
Many free packages depend on scripts for data reduction whilst real-time IDS is

Suppose there is no firewall, or the attack is against a well-known service which cannot be access controlled.
Assumption is that an attack has been detected on one or more hosts (from
Need to establish the extent of compromise for the rest of the site.

Extent of attacks can be determined if there are logs of all the TCP traffic.
Cisco flow logs can be recorded with high efficiency on Cisco routers.
Argus (available from SEI / CERT-CC)
Sniffers - tcpdump, snoop, etc.
Size of data files is a big issue.

Analysis and Reduction
This can be time consuming.
If the src IP of the attacker and the dest port are known, then similar targets can be determined.
Data should be retained for a reasonable time in case of need to refine the
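A worked example of the reduction step described above, added here and not part of the original slides: it parses a constructed flow log in a simplified Argus/NetFlow-like text format (the record layout and all addresses are assumptions), then lists the other hosts the known attacker contacted on the same destination port, and the full set of destination ports the attacker touched (the non-obvious ones are candidates for ACLs).

```python
from collections import Counter
from datetime import datetime

# Constructed sample flow log (not real data): timestamp proto src sport dst dport
FLOW_LOG = """\
2024-03-01T02:14:07 tcp 203.0.113.45 52211 192.0.2.10 22
2024-03-01T02:14:09 tcp 203.0.113.45 52212 192.0.2.11 22
2024-03-01T02:15:30 tcp 198.51.100.7 40100 192.0.2.10 80
2024-03-01T02:16:02 tcp 203.0.113.45 52213 192.0.2.12 22
2024-03-01T02:16:05 tcp 203.0.113.45 52214 192.0.2.12 80
2024-03-01T03:01:00 tcp 203.0.113.45 52215 192.0.2.13 22
"""


def parse_flows(text):
    """Parse one flow record per line into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, sport, dst, dport = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "proto": proto,
                      "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport)})
    return flows


def similar_targets(flows, attacker_ip, dst_port, known_victims=()):
    """Hosts the attacker connected to on dst_port, excluding victims already
    known, as (host, first_seen) pairs ordered by first contact."""
    first_seen = {}
    for f in flows:
        if (f["src"] == attacker_ip and f["dport"] == dst_port
                and f["dst"] not in known_victims):
            first_seen.setdefault(f["dst"], f["ts"])
    return sorted(first_seen.items(), key=lambda kv: kv[1])


def ports_used(flows, attacker_ip):
    """Count of connections per destination port from the attacker."""
    return Counter(f["dport"] for f in flows if f["src"] == attacker_ip)


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for host, seen in similar_targets(flows, "203.0.113.45", 22, {"192.0.2.10"}):
        print(f"check {host} (first contact {seen.isoformat()})")
    print("ports touched:", dict(ports_used(flows, "203.0.113.45")))
```

The same two functions apply unchanged to a converted Argus or NetFlow export, provided each record is first mapped onto the six fields used here.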

Real-time IDS
Several commercial packages.
Need very fast TCP monitoring.
Packets analysed for tell-tale fingerprints.
Port scans, buffer overflows, cgi-bin, etc.
Many ‘new’ attacks may not be detected but there may be a ‘generic’ indicator.
Log ‘events’ detected.

Real-time IDS (cont.)
Huge logfiles if too many ‘events’ are enabled on a busy interface.
Fingerprint updates - maintenance costs.
Main benefit - real-time alarms and auto-
SNMP traps, email, auto-kill, firewall ACL on detection if one reliable event.

Real-time IDS (cont.)
One event could trigger a block for all further attacks from the attacking host.
Beware IP spoofing - easy DoS.
IDS becomes a target for attacks - direct or indirect - efficiency falls under high
Newer style attacks - multi-sourced and/or slow (low frequency).

Both should offer the chance to go back in
Ease of data extraction - time stamp
Secure access to IDS needs care - obviously a very tempting target.
Can be distributed across network -

Real-time and Post-event
Major benefit if you have both IDS systems' logs to analyse.
Net-flow or Argus very efficient and unlikely to miss connections.
Use one to trace events in the other(s).
Src MAC address very hard to trace unless all routers log flows.

IDS is another very useful component in a multi-faceted security system.
One observant admin’s report can lead to a speedy recovery of many
Non-obvious target ports can then be considered for ACLs.
Data can be used to support bids for