
1 IDS – Intrusion Detection Systems

2 Overview
 Concept: “An Intrusion Detection System is required to detect all types of malicious network traffic and computer usage that can't be detected by a conventional firewall. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).”
 Components:
   Sensors which generate security events
   Console to monitor events and alerts and control the sensors
   Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received.
 Types:
   Anomaly-Based Intrusion Detection System
   Signature-Based Intrusion Detection System
   Network-Based Intrusion Detection System
   Host-based Intrusion Detection System
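The components and types listed on this slide, worked as an added example that is not part of the presentation: a small Python engine in which a list of constructed connection events stands in for the sensor feed, two detector functions stand in for the engine, and their return values are the alerts a console would display. It runs a signature-based detector (known byte patterns) beside an anomaly-based one (sources deviating from a baseline learned on benign traffic). All addresses, rules, payloads and thresholds are constructed for illustration; only the UPnP rule's message and content string are taken from the slides.

```python
"""Toy IDS engine over constructed sensor events (added example).

Sensor  -> the constructed event lists below
Engine  -> signature_alerts() and anomaly_alerts()
Console -> whatever prints the returned alerts
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed signature rules, loosely Snort-like in shape. The first reuses the
# msg and content of the UPnP rule the presentation later comments out.
SIGNATURES = [
    {"msg": "MISC UPnP malformed advertisement", "proto": "udp", "dport": 1900,
     "content": b"NOTIFY * ", "nocase": True},
    {"msg": "Path traversal in HTTP request", "proto": "tcp", "dport": 80,
     "content": b"../", "nocase": False},
]


def make_event(src, dst, dport, proto="tcp", payload=b""):
    """One sensor event: connection summary plus whatever payload was seen."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "payload": payload}


def signature_alerts(events):
    """Signature-based detection: (msg, src, dst) for each event matching a rule."""
    alerts = []
    for ev in events:
        for rule in SIGNATURES:
            if ev["proto"] != rule["proto"] or ev["dport"] != rule["dport"]:
                continue
            payload, needle = ev["payload"], rule["content"]
            if rule["nocase"]:  # case-insensitive match, like Snort's nocase
                payload, needle = payload.lower(), needle.lower()
            if needle in payload:
                alerts.append((rule["msg"], ev["src"], ev["dst"]))
    return alerts


def distinct_ports_per_source(events):
    """Anomaly feature: number of distinct destination ports each source touched."""
    ports = defaultdict(set)
    for ev in events:
        ports[ev["src"]].add(ev["dport"])
    return {src: len(p) for src, p in ports.items()}


def build_baseline(training_events, sigmas=3.0):
    """Learn a threshold (mean + sigmas * stdev) from traffic assumed to be benign."""
    counts = list(distinct_ports_per_source(training_events).values())
    if not counts:
        raise ValueError("baseline needs at least one training event")
    spread = pstdev(counts) if len(counts) > 1 else 0.0
    return mean(counts) + sigmas * spread


def anomaly_alerts(events, threshold):
    """Anomaly-based detection: sources whose distinct-port count exceeds the baseline."""
    return sorted(s for s, n in distinct_ports_per_source(events).items() if n > threshold)


# Constructed benign traffic for the baseline: each client talks to 2 or 3 ports.
TRAINING = [
    make_event("10.0.0.11", "10.0.0.5", 80), make_event("10.0.0.11", "10.0.0.5", 443),
    make_event("10.0.0.12", "10.0.0.5", 80), make_event("10.0.0.12", "10.0.0.5", 443),
    make_event("10.0.0.12", "10.0.0.6", 53, "udp"),
    make_event("10.0.0.13", "10.0.0.5", 80), make_event("10.0.0.13", "10.0.0.5", 443),
    make_event("10.0.0.14", "10.0.0.5", 80), make_event("10.0.0.14", "10.0.0.6", 53, "udp"),
    make_event("10.0.0.14", "10.0.0.5", 22),
    make_event("10.0.0.15", "10.0.0.5", 80), make_event("10.0.0.15", "10.0.0.5", 443),
]

# Constructed live window: an ordinary client, a UPnP advertisement (matched by
# the signature even though it is routine LAN traffic), a traversal-looking
# request, and one host touching six ports (caught only by the anomaly rule).
LIVE = [
    make_event("10.0.0.11", "10.0.0.5", 80, payload=b"GET /index.html HTTP/1.1\r\n"),
    make_event("10.0.0.11", "10.0.0.5", 443),
    make_event("192.168.1.9", "239.255.255.250", 1900, "udp",
               b"notify * HTTP/1.1\r\nNT: upnp:rootdevice\r\n"),
    make_event("203.0.113.7", "10.0.0.5", 80, payload=b"GET /static/../../config HTTP/1.0\r\n"),
] + [make_event("198.51.100.20", "10.0.0.5", p) for p in (21, 22, 23, 25, 80, 443)]


def run():
    """Apply both detectors to the live window and return what a console would show."""
    threshold = build_baseline(TRAINING)
    return {"threshold": round(threshold, 2),
            "signature": signature_alerts(LIVE),
            "anomaly": anomaly_alerts(LIVE, threshold)}


if __name__ == "__main__":
    for kind, value in run().items():
        print(kind, value)
```

The two detectors fail in opposite directions: the signature rule fires on every UPnP NOTIFY regardless of intent, which is the kind of false positive the presentation later tunes out by disabling the rule, while the port-sweeping host carries no known pattern and is visible only because its behaviour departs from the learned baseline.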

3 IDS mechanisms work together (Source: ComputerWorld)

4 Basic tools
 Enterprise systems: Cisco Safe and IDS, Symantec Intrusion Protection, CA Host-based IPS, Network Intrusion-Prevention Systems, Others.
 Honeypots: Honeyd Virtual Honeypot and Deception ToolKit
 Snort: open source, from PCs to large networks; for Linux/UNIX, Windows, Macs.
 References
   Infosyssec IDS FAQ
   SANS IDS FAQ
   SANS InfoSec Reading Room: Intrusion Detection
   WindowsSecurity.com: Intrusion Detection Systems (IDS): Classification; methods; techniques

5 Snort
 What is Snort?
   What can it do: detect and respond
   Open source and business.
   The main Web site for Snort.
 Downloading
   Download WinPcap 3.1 (do not use newer WinPcap versions.)
   Download Snort for Windows or Linux
 Install and setup
   Install WinPcap, then Snort, by double-clicking the downloaded files. Snort is installed in c:\snort and snort.exe is in the c:\snort\bin directory.
   Create a login in the Snort Web account signup page and log in.
   Go to the Download rules page and download, under Sourcefire VRT Certified Rules - The Official Snort Ruleset (registered user release), the CURRENT file. It will look like: snortrules-snapshot-CURRENT.tar.gz
   Extract this file to the directory c:\snort and both signatures (under doc) and rules (under rules) will be created.

6 Snort
 Using snort
   at the command prompt start in c:\snort\bin (options)
   checking available interfaces: c:\snort\bin> snort -W
   capturing and viewing packets: c:\snort\bin> snort -dev (press Control-C to stop the capture)
   capturing and saving in a log file: c:\snort\bin> snort -de -K ascii -l c:\snort\log (examples: tcp, arp)
   log the Snort alert messages to the Windows Event Viewer, Applications: c:\snort\bin> snort -E -l c:\snort\log -c c:\snort\etc\snort.conf (see example of running in IDS mode and events in Event Viewer.)
 Modifying and creating rules
   creating rules: experts only, download updates and read them.
   modifying is not a problem: typically many false positives are eliminated
   example: I got many false positives as “MISC UPnP malformed advertisement [Classification: Misc Attack]”. I looked for misc.rules and edited the rule as follows:
   #alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase;
   In the example I just commented out the rule: added # in front of the line.
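The tuning step on this slide, worked as an added example that is not part of the presentation: a Python script that parses each line of a Snort rules file into its header fields (action, protocol, source, source port, direction, destination, destination port) and its msg option, then disables a noisy rule the same way the slide does by hand, by prefixing the line with #. The sample rules are constructed; the UPnP line reuses the header and first options from the slide, but the options after nocase and all sid numbers are placeholders, not the real misc.rules content.

```python
"""Disable noisy Snort rules by msg, keeping them in the file as comments (added example)."""
import re

# Snort rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)
# msg:"..." with escaped quotes allowed inside the string
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')


def parse_rule(line):
    """Return header fields plus msg for an active rule; None for blank/commented lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = HEADER_RE.match(stripped)
    if not m:
        return None
    fields = m.groupdict()
    msg = MSG_RE.search(fields.pop("options"))
    fields["msg"] = msg.group(1) if msg else None
    return fields


def active_rules(text):
    """All rules in the file that are not commented out."""
    return [r for r in (parse_rule(line) for line in text.splitlines()) if r]


def disable_rules(text, noisy_msgs):
    """Comment out every active rule whose msg is in noisy_msgs.

    Returns (new_text, list_of_disabled_msgs). Rules are kept as comments,
    exactly as the slide does, so they can be re-enabled later.
    """
    out, disabled = [], []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule and rule["msg"] in noisy_msgs:
            out.append("#" + line)
            disabled.append(rule["msg"])
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


# Constructed rules file. The UPnP header and first options mirror the slide's
# rule; classtype, the second and third rules and all sids are placeholders.
SAMPLE_RULES = """\
# misc.rules (constructed sample, not the real Sourcefire VRT file)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; classtype:misc-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED SSH banner seen"; content:"SSH-"; depth:4; sid:1000002; rev:1;)
#alert tcp any any -> $HOME_NET 23 (msg:"CONSTRUCTED already disabled"; sid:1000003; rev:1;)
"""


def tune(text, noisy_msgs):
    """Disable the given rules and report before/after active-rule counts."""
    new_text, disabled = disable_rules(text, set(noisy_msgs))
    return {"before": len(active_rules(text)), "after": len(active_rules(new_text)),
            "disabled": disabled, "text": new_text}


if __name__ == "__main__":
    result = tune(SAMPLE_RULES, ["MISC UPnP malformed advertisement"])
    print(f"active rules: {result['before']} -> {result['after']}; disabled: {result['disabled']}")
    print(result["text"])
```

Scripting the edit rather than doing it by hand matters because re-extracting a newer snortrules-snapshot archive into c:\snort overwrites misc.rules, so the same rule comes back enabled after every update; a script holding the list of suppressed msg strings can be re-run after each extraction.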

7 Snort
 Additional references
   – Snort documentation
   – a Snort Reporting Tool
   – Snort IDS Policy Manager For Windows 2000/XP
   – Snort-Wireless
   – Securing your system with Snort in Linux
   – Snort install in Win 2000/XP with Acid and MySQL
   – Snort install in Linux with Acid and MySQL
   – ACID - Analysis Console for Intrusion Databases
   – ACID: Installation and Configuration in Linux
   – MySQL: a free DB client and server
