Intrusion Detection Systems (IDS)
04/19/23 Jeramie Reese - IDS1
Intrusion Detection Systems (IDS)
Jeramie Reese
Agenda
What is Intrusion Detection?
Categorizing IDS Systems
IDS Functionality
Passive Scans
Benefits
IDS Products
Open Source Project: Snort
Conclusion
References
What is Intrusion Detection?
“An IDS does for a network what an antivirus software package does for files that enter a system.”
“An Intrusion Detection System (IDS) is a system for detecting misuse of network or computer resources.”
Sensors
– Connection Requests
– Log File Monitors
– File Integrity Checker
– User Account Auditing
Categorizing IDS Systems
Misuse detection vs. Anomaly detection
Network-based vs. Host-based systems
Passive system vs. Reactive system
IDS Functionality
(Diagram of IDS functionality, from http://www.snort.org/docs/idspaper/)
Passive Scans
Active (Intrusion Prevention System: IPS) vs. Passive Scans (IDS)
Collect / Analyze Information
Looking for patterns of misuse
– Attack Signatures
– Authorized users overstepping permissions
– Patterns of abnormal activity: failed password attempts, access times
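As an added example (not part of the slides), the following Python is a small host-based log monitor for the two "patterns of abnormal activity" named above: repeated failed password attempts from one source, and successful logins outside working hours. The sshd-style log lines, the threshold and the working-hours window are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not from the slides: flag repeated failed password attempts
# from one source address and successful logins outside working hours.
# The sshd-style log lines below are constructed for this example.
SAMPLE_LOG = """\
Apr 19 02:14:01 host sshd[811]: Failed password for root from 203.0.113.9 port 51122 ssh2
Apr 19 02:14:03 host sshd[811]: Failed password for root from 203.0.113.9 port 51123 ssh2
Apr 19 02:14:05 host sshd[811]: Failed password for admin from 203.0.113.9 port 51124 ssh2
Apr 19 02:14:07 host sshd[811]: Failed password for admin from 203.0.113.9 port 51125 ssh2
Apr 19 02:15:10 host sshd[812]: Accepted password for alice from 203.0.113.9 port 51130 ssh2
Apr 19 09:30:00 host sshd[900]: Accepted publickey for bob from 198.51.100.4 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+)")

def analyze(log_text, fail_threshold=3, work_hours=(8, 18)):
    """Return (alert_type, source_ip, detail) tuples in the order they fire."""
    failures = defaultdict(int)   # failed attempts seen per source address
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # not an sshd authentication event; ignore
        ts, result, user, src = m.groups()
        hour = datetime.strptime(ts, "%b %d %H:%M:%S").hour
        if result == "Failed":
            failures[src] += 1
            if failures[src] == fail_threshold:   # fire once, at the threshold
                alerts.append(("brute_force", src, f"{fail_threshold} failed logins"))
        elif not work_hours[0] <= hour < work_hours[1]:
            alerts.append(("off_hours_login", src, f"{user} at {ts}"))
    return alerts
```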
Benefits
Early warning of attack
Flexible configuration options
Alerts that a network invasion may be in progress
Help identify the source of the incoming probes or attacks
Troubleshoot system anomalies
Determine what has been compromised
Catches insider hacking
Identify attacker (proof)
IDS Products (Commercial)
Cisco Intrusion Detection
– Cisco Secure IDS Director Software ($4,900)
Internet Security Systems
– Real Secure ($8,995 per sensor)
Symantec Corporation
– Intruder Alert (server: $995, workstation: $295)
Tripwire Inc.
– Tripwire Manager 2.4 ($6,995)
IDS Products (Open Source)
Naval Surface Warfare Center
– Shadow IDS
– Originally started by the Cooperative Intrusion Detection Evaluation and Response (CIDER) project
Developer: Stephen P. Berry
– Shoki IDS
Developer: Marty Roesch
– Snort IDS
Snort
Packet Sniffing
– Similar to tcpdump
Packet Monitoring
– Useful for network traffic debugging
Intrusion Detection
– Applies rules on all captured packets
Snort Rules
Rule Actions
Protocols
IP Addresses
Port Numbers
The Direction Operator
Activate/Dynamic Rules
Snort Rules Examples
# Bidirectional rule; the header needs a source port ("any") before the direction operator.
# Note: port 23 is telnet, while FTP control connections use port 21.
log tcp 192.168.1.0/24 any <> 192.168.1.0/24 23 (content: "USER root"; msg: "FTP root login";)
# Each option, including msg, ends with a semicolon.
alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl:100;)
# A header-only rule with a port range; any UDP packet into the network on ports 1-1024 is logged.
log udp any any -> 192.168.1.0/24 1:1024
Alert response (output) modes: Fast Mode, Full Mode, UNIX Socket Mode, SNMP, SYSLOG, etc.
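As an added example (not the slides' or Snort's own code), the following Python parses the header of Snort rules in the form shown above (action, protocol, addresses, ports, direction operator) and checks whether a packet's 5-tuple satisfies it, including the bidirectional operator, port ranges and "!" negation. The options in parentheses are kept as text and not evaluated.

```python
import ipaddress

# Added example, not the slides' or Snort's own code: parse a Snort rule header
# (action proto src sport direction dst dport) and test a packet against it.
def _parse_ip(spec):
    """'any', 'a.b.c.d/nn' or '!a.b.c.d/nn' -> (negated, network or None)."""
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    return neg, None if spec == "any" else ipaddress.ip_network(spec, strict=False)

def _parse_port(spec):
    """'any', '23', '1:1024', ':1024', '1024:' or '!23' -> (negated, (lo, hi) or None)."""
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        return neg, None
    lo, sep, hi = spec.partition(":")
    lo = int(lo) if lo else 0
    hi = (int(hi) if hi else 65535) if sep else lo
    return neg, (lo, hi)

def parse_rule(text):
    """Split one rule into its header fields and its raw option string."""
    header, _, options = text.strip().partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    if direction not in ("->", "<>"):
        raise ValueError("bad direction operator: " + direction)
    return {"action": action, "proto": proto, "dir": direction,
            "src": _parse_ip(src), "sport": _parse_port(sport),
            "dst": _parse_ip(dst), "dport": _parse_port(dport),
            "options": options.rstrip(")").strip()}

def _ip_ok(spec, addr):
    neg, net = spec
    return (net is None or ipaddress.ip_address(addr) in net) != neg

def _port_ok(spec, port):
    neg, rng = spec
    return (rng is None or rng[0] <= port <= rng[1]) != neg

def header_matches(rule, proto, src, sport, dst, dport):
    """True if the packet satisfies the rule header; '<>' also tries the reverse."""
    if rule["proto"] not in (proto, "ip"):
        return False
    forward = (_ip_ok(rule["src"], src) and _port_ok(rule["sport"], sport)
               and _ip_ok(rule["dst"], dst) and _port_ok(rule["dport"], dport))
    if forward or rule["dir"] == "->":
        return forward
    return (_ip_ok(rule["src"], dst) and _port_ok(rule["sport"], dport)
            and _ip_ok(rule["dst"], src) and _port_ok(rule["dport"], sport))
```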
Conclusion
IDS could benefit from standards
Neighborhood Architecture
– IDS itself can be attacked
– Altered to report incorrect data
Heuristic data collection
More focus on internal attacks