Intrusion Detection System
Snort

What is Snort?
- Free and open source intrusion detection system
  - Monitors network traffic
  - Scans for protocol anomalies
  - Scans for packet payload signatures that represent potential attacks, worms, and unusual activities
- Monitoring consoles are available
- Can be configured as an IPS
Where should it be placed?
Snort Tap Placement
- Natural choke points: areas where the network topology creates a single traffic path
- Artificial choke points: exist due to the logical topology of the network
- Intranet trust/un-trust zone boundaries: similar to natural choke points, but intra-network
How does it work?
Snort Rules
- Primarily a signature-based detection engine
- Example:

  alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; flow:from_server,established; content:"login|3A| root"; classtype:suspicious-login; sid:719; rev:7;)

- While matches are indicative of attacks, leaks, and protocol violations, false positives are also generated
How to monitor?
BASE (Basic Analysis and Security Engine)
- Number of unique alerts
- Alerts ordered by category
- Today’s alerts
- Most frequent src/dest ports
BASE – Main Screen (screenshot)
BASE – Policy Violations (screenshot)
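The BASE front page in the slides is a set of aggregates over Snort's alert output. The following added example (not BASE's or Snort's code) parses alert lines in Snort's "fast" text format and computes the same four figures: unique alerts, alerts by category, today's alerts and the busiest source/destination ports. The log lines are constructed for the example; sid 719 and sid 1000003 are the two rules from the slides, and the classification strings and the "today" date are sample values.

```python
"""Summarise Snort alerts the way the BASE front page does (unique alerts,
alerts by category, today's alerts, busiest ports). Added example, not BASE's
own code; the log lines below are constructed in Snort's fast-alert shape."""
import re
from collections import Counter

# One fast-format line: date-time [**] [gid:sid:rev] msg [**] [Classification: ..]
# [Priority: n] {PROTO} src:port -> dst:port  (ports are absent for ICMP)
FAST_RE = re.compile(
    r"^(?P<day>\d\d/\d\d)-(?P<time>[\d:.]+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?(?:\[Priority:\s+(?P<pri>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: one Telnet root login, three Bagle hits (one from the
# previous day), one ICMP ping, and a line that is not an alert at all.
LOG = """\
09/18-08:01:12.000001  [**] [1:719:7] TELNET root login [**] [Classification: An Attempted Login Using a Suspicious Username was Detected] [Priority: 2] {TCP} 10.0.0.5:23 -> 198.51.100.7:40000
09/18-08:05:40.120000  [**] [1:1000003:3] Potential Bagle Propagation [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.20:3344 -> 203.0.113.9:80
09/18-08:05:41.330000  [**] [1:1000003:3] Potential Bagle Propagation [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.30:3345 -> 203.0.113.9:80
09/17-23:59:01.000000  [**] [1:1000003:3] Potential Bagle Propagation [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.41:1099 -> 203.0.113.9:80
09/18-09:10:00.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.1 -> 10.0.0.5
this line is not an alert
"""


def parse_alert(line: str):
    """Return a dict for a fast-format alert line, or None for anything else."""
    m = FAST_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    a["pri"] = int(a["pri"]) if a["pri"] else None
    a["sport"] = int(a["sport"]) if a["sport"] else None  # ICMP has no ports
    a["dport"] = int(a["dport"]) if a["dport"] else None
    return a


def summarize(lines, today: str) -> dict:
    """The BASE front-page figures for a set of alert lines; `today` is MM/DD."""
    alerts = [a for a in map(parse_alert, lines) if a]
    return {
        "total": len(alerts),
        "unique_alerts": len({a["sid"] for a in alerts}),
        "by_category": Counter(a["cls"] or "unclassified" for a in alerts),
        "by_signature": Counter(a["msg"] for a in alerts),
        "today": sum(1 for a in alerts if a["day"] == today),
        "top_src_ports": Counter(a["sport"] for a in alerts if a["sport"]).most_common(3),
        "top_dst_ports": Counter(a["dport"] for a in alerts if a["dport"]).most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(LOG.splitlines(), "09/18").items():
        print(f"{key}: {value}")
```

Lines that do not match the fast format are dropped rather than raising, which is the behaviour you want when a console tails a live log that also contains preprocessor or startup messages.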
Worm Propagation Analysis Example
- Multiple layers of antivirus checkers in place: workstations, servers, email stores, and email gateways
- The most actively updated checkers get new signatures every 15 minutes
- In September 2005, 3 Bagle variants were released in quick succession
- AV companies alerted us, but workstations were still affected
- Which of the 5000 workstations were affected?
Worm Propagation Analysis Example
- Rule:

  alert tcp any any -> any any (msg:"Potential Bagle Propagation"; content:"osa6.gif"; classtype:policy-violation; sid:1000003; rev:3;)
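Both rules on these slides (the Telnet root login signature, sid 719, and the Bagle propagation rule, sid 1000003) use the same structure: a header of action, protocol, source, destination and direction, then a list of options, of which content: is the payload signature. The added example below is not Snort's own engine; it is a small parser and matcher that handles exactly the subset the two rules use, including the |3A| hex escape (a colon) in the Telnet rule, and runs them over constructed packets. The $TELNET_SERVERS and $EXTERNAL_NET values, the HOME_NET set and all packets are constructed sample values; the flow: option is parsed but not enforced because this example keeps no TCP state.

```python
"""Parse Snort-style rules and run them over constructed packets. Added example,
not Snort's own engine: handles header, msg:, sid:, content: with |hex| escapes;
flow: is parsed but not enforced because no TCP state is kept here."""
import re

# Constructed network variables; real Snort reads these from snort.conf.
HOME_NET = {"10.0.0.5", "10.0.0.20", "10.0.0.30"}
TELNET_SERVERS = {"10.0.0.5"}

RULES = [
    'alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; '
    'flow:from_server,established; content:"login|3A| root"; '
    'classtype:suspicious-login; sid:719; rev:7;)',
    'alert tcp any any -> any any (msg:"Potential Bagle Propagation"; '
    'content:"osa6.gif"; classtype:policy-violation; sid:1000003; rev:3;)',
]

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)(?::("[^"]*"|[^;]*))?;')


def parse_rule(text: str) -> dict:
    """'action proto src sport -> dst dport (opt:val; ...)' -> dict of fields.
    Option values are kept as lists because content: may repeat in one rule."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if direction != "->":
        raise ValueError("bidirectional rules are not handled in this example")
    options: dict = {}
    for key, val in OPTION_RE.findall(body):
        options.setdefault(key, []).append(val.strip().strip('"'))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "sid": int(options["sid"][0]),
            "msg": options["msg"][0], "content": options.get("content", [])}


def decode_content(spec: str) -> bytes:
    """Expand |hex| escapes: 'login|3A| root' -> b'login: root'."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def addr_ok(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec == "$TELNET_SERVERS":
        return ip in TELNET_SERVERS
    if spec == "$EXTERNAL_NET":  # anything outside our own address space
        return ip not in HOME_NET
    return spec == ip


def port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def matches(rule: dict, pkt: dict) -> bool:
    """Header fields first, then every content: pattern must be in the payload."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_ok(rule["src"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])):
        return False
    if not (addr_ok(rule["dst"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"])):
        return False
    return all(decode_content(c) in pkt["payload"] for c in rule["content"])


def scan(packets, rule_texts=RULES):
    """One (sid, msg, src, dst) tuple per packet/rule pair that fires."""
    rules = [parse_rule(r) for r in rule_texts]
    return [(r["sid"], r["msg"], p["src"], p["dst"])
            for p in packets for r in rules if matches(r, p)]


def affected_hosts(alerts, sid: int) -> set:
    """Source addresses behind one sid: 'which workstations were affected?'"""
    return {src for s, _, src, _ in alerts if s == sid}


def pkt(src, sport, dst, dport, payload):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "payload": payload}


# Constructed traffic: a root login to an external client, a non-root login, a
# root login to an internal client (no alert: the rule watches $EXTERNAL_NET
# only), and two workstations fetching the Bagle payload.
PACKETS = [
    pkt("10.0.0.5", 23, "198.51.100.7", 40000, b"\r\nlogin: root\r\n"),
    pkt("10.0.0.5", 23, "198.51.100.7", 40001, b"\r\nlogin: guest\r\n"),
    pkt("10.0.0.5", 23, "10.0.0.20", 40002, b"\r\nlogin: root\r\n"),
    pkt("10.0.0.20", 3344, "203.0.113.9", 80, b"GET /osa6.gif HTTP/1.1\r\n"),
    pkt("10.0.0.30", 3345, "203.0.113.9", 80, b"GET /osa6.gif HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    alerts = scan(PACKETS)
    for alert in alerts:
        print(alert)
    print("Bagle hosts:", sorted(affected_hosts(alerts, 1000003)))
```

The Bagle rule deliberately matches any source and destination, so the list of source addresses behind sid 1000003 is exactly the answer to the question on the previous slide; the Telnet rule, by contrast, only fires for logins seen from a server toward $EXTERNAL_NET, which is why the internal-client packet produces no alert.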
Conclusion
- Snort provides another tool in the toolkit and can help provide information about exactly who is talking to whom on the network
- “Security is a process, not a product”

Posted: 9/18/2012