Intrusion Detection Systems - PowerPoint PPT Presentation
Title:
Intrusion Detection Systems
Description:
Title: Intrusion Detection System Last modified by: Mitchell Roth Document presentation format: Custom Company: UAF Other titles: Times New Roman Nimbus Roman No9 L ... – PowerPoint PPT presentation
Number of Views:84
Avg rating:3.0/5.0
Title: Intrusion Detection Systems
1
Intrusion Detection Systems
- Network Intrusion Detection System NIDS
- Host-based Intrusion Detection System HIDS
- Intrusion Prevention/Protection System IPS
- IDS Service Centers
- System Logs
2
Network Intrusion Detection
- Open Source NIDS
- Snort - www.snort.org
- Bro - www.icir.org/vern/bro.html
- Commercial NIDS
- ISS RealSecure Network Sensor - www.iss.net
- Intrusion Inc. SecureNet Sensor-
www.intrusion.com - StillSecure Border Guard - www.stillsecure.com
3
Host Intrusion Detection
- Open Source HIDS
- Samhain la-samhna.de/samhain
- LIDS - www.lids.org
- AIDE - www.cs.tut.fi/rammer/aide.html
- Commercial HIDS
- Tripwire - www.tripwire.com
- eEye Blink - www.eeye.com
- Symantec Host IDS - www.symantec.com
4
Intrusion Prevention/Protection
- Open Source IPS
- Lak-IPS - lak-ips.sourceforge.net
- Commercial IPS
- ISS Preventia - www.iss.net
- ForeScout Active Scout - www.forescout.com
- Netscreen IDP - www.netscreen.com
- McAfee IntruShield - www.networkassociates.com
5
IDS Service Centers
- Mynetwatchman - www.mynetwatchman.com
- DShield - www.dshield.org
- Internet Storm Center - isc.sans.org
6
System Logs
- Firewall logs
- Audit logs
- System logs
- TCP wrappers logs
- Web server logs
- SMTP server logs
- FTP server logs
7
Snort NIDS
- Open Source
- Home page - www.snort.org
- Supports UNIX and Windows
- Requires packet capturing library libpcap.
- Signature based
- Has many frontends and plugins
8
Building Snort
- Build libpcap if require.
- Obtain source code from www.snort.org.
- Unpack source tar ball.
- ./configure
- make
- make install
- Binary installs in /usr/loca/bin/snort.
9
Configuring Snort
- adduser -u 6000 -g snort -c Snort IDS snort
- cd /home/snort mkdir etc logs rules
- cp rules/.rules /home/snort/rules
- cp etc/snort.conf etc/.config /home/snort/etc
- Edit /home/snort/etc/snort.conf.
- Create init script for launching snort at boot
time. - Schedule log rotation and cleanup.
10
Running Snort
- /usr/local/bin/ntpdate -s -t 10 ntp.alaska.edu
- /sbin/ifconfig eth0 promisc
- /usr/local/bin/snort -u snort -g snort -l
/home/snort/logs -d -D -i eth0 -c
/home/snort/etc/snort.conf - ps -ax grep snort
- tail /var/log/messages
- Setup cron job to synchronize clock.
11
Using Snort
- Passive or active detection
- Active detection requires beefy machine and port
mirroring. - Alerts and portscan logs
- Warn sysadmins and security staff.
- Alert source ISP.
- Trend analysis
- What is being exploited.
- Data for security reports.
12
Reporting Intrusion Attempts
- Required information
- Date and Time
- Time Zone
- Source IP, Port and Protocol
- Destination IP and Port
- Flags
- Packet content containing exploit
13
Whom to Report
- Search whois database
- whois.arin.net (North America Academia)
- whois.ripe.net (Europe, Middle East Africa)
- whois.apnic.net (Asia Pacific)
- whois.krnic.net (South Korea)
- whois.nic.ad.jp (Japan)
- whois.twnic.net (Taiwan)
- whois.lacnic.net (Latin America)
- whois.nic.br (Brazil)
14
Questions and Comments
- Questions and comments about IDS/IPS
- Questions and comments about Snort.
