Signature Actions Non Aggressive Actions Produce Alert Produce Verbose Alert Log Attacker Packets Log Victim Packets Log pair Packets Request SNMP trap.

Presentation transcript:

Signature Actions

Non-aggressive actions:
- Produce Alert
- Produce Verbose Alert
- Log Attacker Packets
- Log Victim Packets
- Log Pair Packets
- Request SNMP Trap

Aggressive actions:
- Deny Packet Inline (single packet)
- Deny Connection Inline (UDP/TCP)
- Deny Attacker Inline (source IP)
- Deny Attacker-Victim Pair Inline (source IP and destination IP)
- Deny Attacker-Service Pair Inline (source IP to destination port)
- Reset TCP Connection
- Request Block Connection
- Request Block Host
- Request Rate Limit
- Modify Packet Inline

Risk Rating

Inputs and the rating that carries each one:
- Potential damage: ASR
- Target asset value: TVR
- Signature accuracy: SFR / PD
- Attack relevancy: ARR (target OS)
- Clues from others: WLR (CSA)

Rating values:
- ASR = Attack Severity Rating: Info (25), Low (50), Medium (75), High (100)
- TVR = Target Value Rating: Zero (50), Low (75), Medium (100), High (150), Critical (200)
- SFR = Signature Fidelity Rating: 0-100
- PD = Promiscuous Delta: 0-30, a subtracted value
- ARR = Attack Relevancy Rating: Relevant (+10), Unknown (0), Not Relevant (-10)
- WLR = Watch List Rating: 0-100

RR = (ASR * TVR * SFR / 10000) + ARR - PD + WLR

Signature Parameters

RR-based tuning:
- Event Action Overrides: based on RR category; add actions
- Event Action Filters: based on RR category and other criteria; delete actions

Common signature parameters:
- Signature ID, SubSig ID
- Alert Severity (H, M, L, I)
- Signature Fidelity (0-100)
- Promiscuous Delta (0-30)
- Signature Name
- To fire the signature: Event Count, Event Count Key (AaBb), Interval
- To generate the alert: Summary Mode, Summary Key (AaBb), Summary Threshold, Global Summary Threshold, Summary Interval
- Enabled / Retired

Specific signature parameters (Atomic IP engine):
- IP address options
- IP payload length
- TCP Mask: urg, ack, psh, rst, syn, fin
- TCP Flags: urg, ack, psh, rst, syn, fin
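An added worked example (not from the slides) that computes the Risk Rating with the formula and rating tables above and then applies Event Action Overrides (add actions by RR category) and Event Action Filters (delete actions by RR category and attacker). The 0-100 clamp on RR and the shapes of the override and filter rules are assumptions; the policy values are constructed.

```python
# Added example, not from the slides: Risk Rating plus RR-based overrides/filters.
# The 0-100 clamp on RR and the override/filter rule shapes are assumptions.

ASR = {"info": 25, "low": 50, "medium": 75, "high": 100}                   # Attack Severity Rating
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "critical": 200}  # Target Value Rating
ARR = {"relevant": 10, "unknown": 0, "not_relevant": -10}                   # Attack Relevancy Rating

def risk_rating(severity, target_value, sfr, relevancy="unknown", pd=0, wlr=0):
    """RR = (ASR * TVR * SFR / 10000) + ARR - PD + WLR (SFR 0-100, PD 0-30, WLR 0-100)."""
    if not (0 <= sfr <= 100 and 0 <= pd <= 30 and 0 <= wlr <= 100):
        raise ValueError("SFR and WLR must be 0-100, PD must be 0-30")
    rr = ASR[severity] * TVR[target_value] * sfr / 10000 + ARR[relevancy] - pd + wlr
    return max(0, min(100, int(rr)))   # truncate and clamp to 0-100 (assumption)

# Event Action Overrides: (rr_low, rr_high, actions to add). Constructed policy.
OVERRIDES = [
    (90, 100, {"deny-packet-inline", "produce-alert"}),
    (70, 89, {"produce-alert", "log-attacker-packets"}),
]
# Event Action Filters: (rr_low, rr_high, attacker_ip or None, actions to delete).
# Constructed policy: never drop traffic from the internal vulnerability scanner.
FILTERS = [
    (0, 100, "10.1.1.20", {"deny-packet-inline"}),
]

def event_actions(sig_actions, rr, attacker_ip, overrides=OVERRIDES, filters=FILTERS):
    """Signature's own actions, plus overrides (added), minus filters (deleted), in that order."""
    actions = set(sig_actions)
    for lo, hi, add in overrides:
        if lo <= rr <= hi:
            actions |= add
    for lo, hi, attacker, delete in filters:
        if lo <= rr <= hi and attacker in (None, attacker_ip):
            actions -= delete
    return actions

if __name__ == "__main__":
    rr = risk_rating("high", "critical", 100, relevancy="relevant")
    print(rr, event_actions({"produce-alert"}, rr, "203.0.113.7"))
    print(rr, event_actions({"produce-alert"}, rr, "10.1.1.20"))
```

Note that a filter only deletes actions that are present after overrides, so a high-RR event from the exempted scanner still produces its alert.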

Summary Key

Summary key XXXX, written with the letters AaBb: Aa = attacker, Bb = victim; uppercase = IP address, lowercase = port.

Global summary criteria used in the figure:
- Sig ID =
- Summary Mode: Fire All
- Summary Threshold: 150
- Global Summary Threshold: 300
- Summary Interval: 60 seconds

Timeline from the figure (consecutive 60-second intervals of traffic, starting at 0):
- 100 matches: 100 alerts
- 160 matches: 150 alerts, then generate summary
- 320 matches: 150 alerts, then generate global summary
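An added example (not from the slides) that builds the AaBb summary key and replays the figure's Fire All thresholds over one summary interval. The summarization rule it implements (each key fires individual alerts up to the summary threshold, then one summary alert; an interval above the global threshold yields one global summary instead) is an assumption drawn from the figure; the match records are constructed.

```python
from collections import Counter

# Added example, not from the slides: summary key selection and Fire All summarization.
# Key letters: A/a = attacker IP/port, B/b = victim IP/port, x = field not used.
# A match is a constructed (attacker_ip, attacker_port, victim_ip, victim_port) tuple.

SUMMARY_THRESHOLD = 150         # per-key individual alerts before a summary alert
GLOBAL_SUMMARY_THRESHOLD = 300  # interval-wide matches before one global summary

def summary_key(match, key_spec):
    """Select the fields named by key_spec, e.g. 'AxBb' -> (attacker IP, victim IP, victim port)."""
    a_ip, a_port, v_ip, v_port = match
    fields = {"A": a_ip, "a": str(a_port), "B": v_ip, "b": str(v_port)}
    return tuple(fields[c] for c in key_spec if c != "x")

def summarize_interval(matches, key_spec, threshold=SUMMARY_THRESHOLD,
                       global_threshold=GLOBAL_SUMMARY_THRESHOLD):
    """Return (individual alerts fired, summary alerts) for one summary interval.
    Assumed behaviour: each key fires up to `threshold` individual alerts, then one
    summary alert; if the whole interval exceeds `global_threshold`, a single global
    summary replaces the per-key summaries."""
    per_key = Counter(summary_key(m, key_spec) for m in matches)
    alerts = sum(min(n, threshold) for n in per_key.values())
    summaries = [("summary", key, n) for key, n in per_key.items() if n > threshold]
    if len(matches) > global_threshold:
        summaries = [("global-summary", None, len(matches))]
    return alerts, summaries

def constructed_matches(count, attacker="10.0.0.5", victim="192.0.2.10", port=80):
    """Constructed sample: one attacker hitting one victim service from rotating source ports."""
    return [(attacker, 1024 + i, victim, port) for i in range(count)]

if __name__ == "__main__":
    for count in (100, 160, 320):
        alerts, summaries = summarize_interval(constructed_matches(count), "AxBb")
        print(f"{count} matches, key AxBb -> {alerts} alerts, {summaries}")
    # Keying on the attacker port as well splits the same traffic into 160 keys,
    # so no key ever reaches the threshold and nothing is summarized.
    print(summarize_interval(constructed_matches(160), "AaBb"))
```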

TCP header flags example: TCP Mask = ACK, SYN, FIN; TCP Flags = SYN, FIN. The mask selects which flag bits the signature examines (URG, PSH and RST are ignored here), and the flags value gives the bits that must be set within that mask, so this signature matches packets with SYN and FIN set and ACK clear.
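An added example (not from the slides) that evaluates the Atomic IP engine's TCP Mask / TCP Flags pair against a packet's flag bits; the bit values are the standard TCP header flag bits and the packet samples are constructed.

```python
# Added example, not from the slides: TCP Mask / TCP Flags matching as in the
# Atomic IP engine. The mask says which bits are examined; the flags value says
# which of those must be set (the remaining masked bits must be clear).

TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}

def flag_bits(names):
    """Turn flag names such as ('syn', 'fin') into the corresponding bit pattern."""
    bits = 0
    for name in names:
        bits |= TCP_FLAG_BITS[name.lower()]
    return bits

def tcp_flags_match(packet_flags, mask, flags):
    """True when the packet's bits selected by `mask` equal the required `flags`."""
    m = flag_bits(mask)
    return (flag_bits(packet_flags) & m) == (flag_bits(flags) & m)

# The slide's signature: Mask = ACK, SYN, FIN; Flags = SYN, FIN
MASK = ("ack", "syn", "fin")
FLAGS = ("syn", "fin")

if __name__ == "__main__":
    # Constructed packets: a normal SYN, a SYN+FIN, a SYN+FIN+ACK, and SYN+FIN+PSH
    for pkt in [("syn",), ("syn", "fin"), ("syn", "fin", "ack"), ("syn", "fin", "psh")]:
        print(pkt, tcp_flags_match(pkt, MASK, FLAGS))
```

PSH is outside the mask, so SYN+FIN+PSH still matches, while SYN+FIN+ACK does not because ACK is masked in and required to be clear.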

False Positive = the signature is TOO SENSITIVE; increase its accuracy (match ../cmd.exe rather than ../).
False Negative = the signature is INSENSITIVE; decrease its accuracy, i.e. broaden the pattern (match ../ rather than ../fred.txt/home/).