Intrusion Detection Systems - PowerPoint PPT Presentation

About This Presentation
Title:

Intrusion Detection Systems

Description:

Title: Intrusion Detection System Last modified by: Mitchell Roth Document presentation format: Custom Company: UAF Other titles: Times New Roman Nimbus Roman No9 L ... – PowerPoint PPT presentation

Number of Views:85
Avg rating:3.0/5.0
Slides: 15
Provided by: csUafEdu4
Learn more at: https://www.cs.uaf.edu
Category:

less

Transcript and Presenter's Notes

Title: Intrusion Detection Systems


1
Intrusion Detection Systems
  • Network Intrusion Detection System NIDS
  • Host-based Intrusion Detection System HIDS
  • Intrusion Prevention/Protection System IPS
  • IDS Service Centers
  • System Logs

2
Network Intrusion Detection
  • Open Source NIDS
  • Snort - www.snort.org
  • Bro - www.icir.org/vern/bro.html
  • Commercial NIDS
  • ISS RealSecure Network Sensor - www.iss.net
  • Intrusion Inc. SecureNet Sensor-
    www.intrusion.com
  • StillSecure Border Guard - www.stillsecure.com

3
Host Intrusion Detection
  • Open Source HIDS
  • Samhain la-samhna.de/samhain
  • LIDS - www.lids.org
  • AIDE - www.cs.tut.fi/rammer/aide.html
  • Commercial HIDS
  • Tripwire - www.tripwire.com
  • eEye Blink - www.eeye.com
  • Symantec Host IDS - www.symantec.com

4
Intrusion Prevention/Protection
  • Open Source IPS
  • Lak-IPS - lak-ips.sourceforge.net
  • Commercial IPS
  • ISS Preventia - www.iss.net
  • ForeScout Active Scout - www.forescout.com
  • Netscreen IDP - www.netscreen.com
  • McAfee IntruShield - www.networkassociates.com

5
IDS Service Centers
  • Mynetwatchman - www.mynetwatchman.com
  • DShield - www.dshield.org
  • Internet Storm Center - isc.sans.org

6
System Logs
  • Firewall logs
  • Audit logs
  • System logs
  • TCP wrappers logs
  • Web server logs
  • SMTP server logs
  • FTP server logs

7
Snort NIDS
  • Open Source
  • Home page - www.snort.org
  • Supports UNIX and Windows
  • Requires packet capturing library libpcap.
  • Signature based
  • Has many frontends and plugins

8
Building Snort
  • Build libpcap if require.
  • Obtain source code from www.snort.org.
  • Unpack source tar ball.
  • ./configure
  • make
  • make install
  • Binary installs in /usr/loca/bin/snort.

9
Configuring Snort
  • adduser -u 6000 -g snort -c Snort IDS snort
  • cd /home/snort mkdir etc logs rules
  • cp rules/.rules /home/snort/rules
  • cp etc/snort.conf etc/.config /home/snort/etc
  • Edit /home/snort/etc/snort.conf.
  • Create init script for launching snort at boot
    time.
  • Schedule log rotation and cleanup.

10
Running Snort
  • /usr/local/bin/ntpdate -s -t 10 ntp.alaska.edu
  • /sbin/ifconfig eth0 promisc
  • /usr/local/bin/snort -u snort -g snort -l
    /home/snort/logs -d -D -i eth0 -c
    /home/snort/etc/snort.conf
  • ps -ax grep snort
  • tail /var/log/messages
  • Setup cron job to synchronize clock.

11
Using Snort
  • Passive or active detection
  • Active detection requires beefy machine and port
    mirroring.
  • Alerts and portscan logs
  • Warn sysadmins and security staff.
  • Alert source ISP.
  • Trend analysis
  • What is being exploited.
  • Data for security reports.

12
Reporting Intrusion Attempts
  • Required information
  • Date and Time
  • Time Zone
  • Source IP, Port and Protocol
  • Destination IP and Port
  • Flags
  • Packet content containing exploit

13
Whom to Report
  • Search whois database
  • whois.arin.net (North America Academia)
  • whois.ripe.net (Europe, Middle East Africa)
  • whois.apnic.net (Asia Pacific)
  • whois.krnic.net (South Korea)
  • whois.nic.ad.jp (Japan)
  • whois.twnic.net (Taiwan)
  • whois.lacnic.net (Latin America)
  • whois.nic.br (Brazil)

14
Questions and Comments
  • Questions and comments about IDS/IPS
  • Questions and comments about Snort.
Write a Comment
User Comments (0)
About PowerShow.com