Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.

Published byCharles Armstrong Modified over 8 years ago

Similar presentations

Presentation on theme: "CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and."— Presentation transcript:

1 CSCI 530 Lab Intrusion Detection Systems IDS

2 A collection of techniques and methodologies used to monitor suspicious activities both at the network and the host level It is not a firewall It inspects the content and intent of the network traffic

3 IDS Additional level of security in the network Firewalls will prevent attacks IDS is more like an alarm system It will perform actions like Alerting, logging, etc upon detection. It can be configured to make changes in the firewall rules upon detection of attacks Can help detect attacks that pass through the firewall Protection from the insiders

4 IDS Deployed with multiple sensors on various location on the network Report to a centralized management console A sensor Monitors traffic, matches against the rule sets and raises alerts, logs it or some other action. A rule set contains Traffic signatures or rules for unwanted behavior Rules Check for threshold, protocol IP source and destination Signatures Traffic patterns associated with attack

5 IDS Hack I.T.: Security Through Penetration fig 19.2

6 Host Based IDS Log Monitors Parse system event Log files Example: Apache, access log file check for “cgi-bin” Integrity Checkers check for key system structures to change System files, registry keys Tripwire File Additions, deletions, flag modifications, access time etc.

7 Network Based IDS Signature Based Database of know signatures Similar to virus signatures, but it looks for attack signatures Anomaly based Form a baseline for a normal system Raise an alarm when the system is no longer functioning under normal conditions

8 Network Based IDS Deployment It should have access to all the network data Alerts generation Response Policy Environment adaptation

9 Hacking through the IDS Fragmentation or packet splitting throughput increases, consuming more resources making the IDS less accurate Spoofing Spoof the sequence no. Sending random sequence numbers Causes IDS to be desynchronized from the source and ignore the true packets Denial-of-Service IDS software can only handle a limited amount of data Break the IDS, then attack the network

10 SNORT, Open source IDS www.snort.org Components of snort Packet Decoder Preprocessor Detection Engine Logging and Alerting System Output Modules Internet Preprocessor Packet Decoder Detection Engine Output Alert Logging and Alerting System Output Modules Dropped Packets

11 Components of Snort Packet Decoder It takes packets from different interfaces (ethernet, PPP, SLIP) and prepares it for the other stages Preprocessor Plugins that modify or setup data for the detection engine Same example  GET /cgi-bin/subdirectory/../phf It rearranges the data to be detectable by the IDS Packet defragmentation If the packets are too large, then it gets fragmented into smaller packets Must be reassembled prior to analysis

12 Components of Snort Detection Engine Most important part of the engine Uses the detection rules It is time dependent Speed of the machine Number of rules Load on the network The Detection Engine applies rules to different parts of the packet Header (IP/TCP/Application) Packet Payload Policy for matching of rules varies with versions In v2 all the rules are matched, highest priority recorded

13 Components of snort Logging and Alerting system Based upon the matched rule Logged, alert generated Logs /var/log/snort -l for the modification of location Output Modules Changes the location of the generated output Log in the logfile SNMP traps (Simple Network Managent Protocol, notification to admin) Messages to syslog (network logger) Logging to a Database XML generation for use in another program Send SMB (server message block, protocol for sharing files on the network for Windows Machines)

14 Snort Rules A very bad rule Alert ip any any -> any any (msg: “ip packet detected”;) Alert: the action to be performed, ip : rule applies to all ip packets any : rule applies to any source ip address any : rule applies to any source port -> : direction of packet any : rule applies to any destination ip address any : rule applies to any destination port

15 Rule Structure Header Actions Pass, Log, Alert, Activate, Dynamic Protocols IP, ICMP, TCP, UDP, etc. Address Exclusion ![192.168.1.0/24] any any… Rule Header Rule Options Action Protocol Address Port Direction Address Port Header SourceDestination

16 Rule Structure Options Ack keyword(nmap scanning purposes) Classtype (classification:name:description:priority) Content keyword Offset Depth Nocase Dsize Content-list Logto ………

17 This week’s lab EagleX Windows front-end for Snort Easier to deploy than Snort by itself There are many other front-ends for Snort, for Windows or Linux

Download ppt "CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Intrusion Detection System(IDS) Overview Manglers Gopal Paliwal Gopal Paliwal Roshni Zawar Roshni Zawar SenthilRaja Velu SenthilRaja Velu Sreevathsa Sathyanarayana.

Intrusion Detection System(IDS) Overview Manglers Gopal Paliwal Gopal Paliwal Roshni Zawar Roshni Zawar SenthilRaja Velu SenthilRaja Velu Sreevathsa Sathyanarayana.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.

Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Snort Roy INSA Lab.. Outline What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time.

Snort Roy INSA Lab.. Outline What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Lan Nguyen Mounika Namburu 1.  DDoS Defense Research  A2D2 Design ◦ Subnet Flooding Detection using Snort ◦ Class -Based Queuing ◦ Multi-level Rate.

Lan Nguyen Mounika Namburu 1.  DDoS Defense Research  A2D2 Design ◦ Subnet Flooding Detection using Snort ◦ Class -Based Queuing ◦ Multi-level Rate.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.

Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.
Information Networking Security and Assurance Lab National Chung Cheng University Snort.

Information Networking Security and Assurance Lab National Chung Cheng University Snort.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering
CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,

CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,

Similar presentations

Ads by Google