Intrusion Detection Systems (IDS)
Jeramie Reese
1 8/30/2012 Jeramie Reese - IDS
Agenda
What is Intrusion Detection?
Categorizing IDS Systems
IDS Functionality
Passive Scans
Benefits
IDS Products
Open Source Project: Snort
Conclusion
References
What is Intrusion Detection?
“An IDS does for a network what an antivirus software package does for files that enter a system.”
“An Intrusion Detection System (IDS) is a system for detecting misuse of network or computer resources.”
Sensors
– Connection Requests
– Log File Monitors
– File Integrity Checker
– User Account Auditing
Categorizing IDS Systems
Misuse detection
Anomaly detection
Network-based
Host-based systems
Passive system
Reactive system
IDS Functionality
(diagram of IDS functionality, from http://www.snort.org/docs/idspaper/)
Passive Scans
Active (Intrusion Prevention System: IPS) vs. Passive Scans (IDS)
Collect / Analyze Information
Looking for patterns of misuse
– Attack Signatures
– Authorized users overstepping permissions
– Patterns of abnormal activity
Failed password attempts
Access times
Benefits
Early warning of attack
Flexible configuration options
Alerts that a Network Invasion may be in progress
Help identify the source of the incoming probes or attacks
Troubleshoot system anomalies
Determine what has been compromised
Catches insider hacking
Identify attacker (proof)
IDS Products (Commercial)
Cisco Intrusion Detection
– Cisco Secure IDS Director Software ($4,900)
Internet Security Systems
– Real Secure ($8,995 per sensor)
Symantec Corporation
– Intruder Alert (server: $995, workstation: $295)
Tripwire Inc.
– Tripwire Manager 2.4 ($6,995)
IDS Products (Open Source)
Naval Surface Warfare Center
– Shadow IDS
– Originally started by the Cooperative Intrusion Detection Evaluation and Response (CIDER) project
Developer: Stephen P. Berry
– Shoki IDS
Developer: Marty Roesch
– Snort IDS
Snort
Packet Sniffing
– Similar to tcpdump
Packet Monitoring
– Useful for network traffic debugging
Intrusion Detection
– Applies rules on all captured packets
Snort Rules
Rule Actions
Protocols
IP Addresses
Port Numbers
The Direction Operator
Activate/Dynamic Rules
Snort Rules Examples
log tcp 192.168.1.0/24 any <> 192.168.1.0/24 23 (content:"USER root"; msg:"FTP root login";)
alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)
log udp any any -> 192.168.1.0/24 1:1024
Response (alert output modes): Fast Mode, Full Mode, UNIX Socket Mode, SNMP, SYSLOG, etc.
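To make the header fields from the previous slide (action, protocol, addresses, ports, direction operator) concrete, here is an added Python example, not from the slides or from Snort itself, that parses the three example rules and applies them to a few constructed packets. It assumes a source port of "any" for the first rule, which the slide omits, and evaluates only the ttl and content options.

```python
import ipaddress
# Constructed sample packets (not captures from the slides): a telnet login,
# its server-side echo, a syslog datagram and a ping with TTL 100.
PACKETS = [
    dict(proto="tcp", src="192.168.1.10", sport=40211, dst="192.168.1.5", dport=23, ttl=64, payload="USER root\r\n"),
    dict(proto="tcp", src="192.168.1.5", sport=23, dst="192.168.1.10", dport=40211, ttl=64, payload="USER root\r\n"),
    dict(proto="udp", src="10.0.0.7", sport=53, dst="192.168.1.22", dport=514, ttl=60, payload=""),
    dict(proto="icmp", src="8.8.8.8", sport=0, dst="192.168.1.5", dport=0, ttl=100, payload=""),
]
# The slide's three rules; the first is given a source port of "any" (assumed).
RULES = [
    'log tcp 192.168.1.0/24 any <> 192.168.1.0/24 23 (content:"USER root"; msg:"FTP root login";)',
    'alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)',
    'log udp any any -> 192.168.1.0/24 1:1024',
]
def parse_rule(text):
    # Header: seven space-separated fields; options: key:value pairs inside ( ).
    header, _, opts = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = dict((k.strip(), v.strip().strip('"')) for k, _, v in
                   (item.partition(":") for item in opts.rstrip(")").split(";")) if v)
    return dict(action=action, proto=proto, src=src, sport=sport,
                direction=direction, dst=dst, dport=dport, options=options)

def addr_ok(spec, ip):
    # 'any', or a host/CIDR, optionally negated with a leading '!'
    return spec == "any" or (ipaddress.ip_address(ip) in ipaddress.ip_network(
        spec.lstrip("!"), strict=False)) != spec.startswith("!")

def port_ok(spec, port):
    # 'any', a single port, or a lo:hi range with either end open
    lo, sep, hi = spec.partition(":")
    return spec == "any" or (lo == str(port) if not sep
                             else int(lo or 0) <= port <= int(hi or 65535))

def matches(rule, pkt):
    # Header match as written (reversed too when the operator is <>), then ttl and content
    fwd = (addr_ok(rule["src"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])
           and addr_ok(rule["dst"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"]))
    rev = (rule["direction"] == "<>"
           and addr_ok(rule["src"], pkt["dst"]) and port_ok(rule["sport"], pkt["dport"])
           and addr_ok(rule["dst"], pkt["src"]) and port_ok(rule["dport"], pkt["sport"]))
    o = rule["options"]
    return (rule["proto"] == pkt["proto"] and (fwd or rev)
            and pkt["ttl"] == int(o.get("ttl", pkt["ttl"])) and o.get("content", "") in pkt["payload"])

def run(rules, pkts):
    # (action, msg, packet index) for every rule that fires, in rule order
    return [(r["action"], r["options"].get("msg", ""), i)
            for r in map(parse_rule, rules) for i, p in enumerate(pkts) if matches(r, p)]
```

The second packet (the server echo of "USER root") is logged only because the first rule uses the bidirectional `<>` operator; with `->` it would be missed.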
Conclusion
IDS could benefit from standards
Neighborhood Architecture
– IDS itself can be attacked
– Altered to report incorrect data
Heuristic data collection
More focus on internal attacks
References
Honeypots; Intrusion Detection, Honeypots and Incident Handling Resources; 2001. http://www.honeypots.net/ids/products
Infosyssec; Intrusion Detection Systems FAQ; 2003. http://www.infosyssec.net/infosyssec/intdet1.htm
Network World Fusion; Buyer's Guide: Network-based intrusion-detection systems; 2001. http://www.networkworld.com/reviews/2001/1008bgtoc.html
Shimonski, Robert J.; What You Need to Know About Intrusion Detection Systems; 2001. http://www.windowsecurity.com/articles/What_You_Need_to_Know_About_Intrusion_Detection_Systems.html