FORESEC Academy Security Essentials (III) NETWORK-BASED INTRUSION DETECTION
Need for Network-based Intrusion Detection
- Most attacks come from the Internet.
- Detecting these attacks allows a site to tune its defenses.
- If we correlate data from a large number of sources, we increase our capability.
- The statistic that 90% of all attacks are perpetrated by insiders is dead wrong.
Inside a Network Attack
- WinNuke (also called OOBNuke) uses TCP port 139 and OOB data, even if NetBIOS is not enabled.
- It results in the "Blue Screen of Death". Patches/service packs are available.
- OOB stands for Out Of Band, but the name is actually wrong; it should say Urgent mode, which is the URG bit set in the TCP header flags together with the urgent pointer.
Nuke 'Em Screen
BlackICE - Nuke 'Em Detection
Network Intrusion Detection 101
BlackICE - Enable Logging
BlackICE - Viewing Logs
BlackICE - Visualization Tools
Libpcap-based Systems
Network Intrusion Detection With Snort
Snort Design Goals
- Low cost, lightweight
- Suitable for monitoring multiple sites/sensors
- Low false alarm rate
- Efficient detection system
- Low effort for reporting
Snort
Writing Snort Rules
- Can create custom rules to filter on specific content.
- Pre-loaded with hundreds of rules (but you may need to create one or more custom rules).
- Simple to write, yet powerful enough to capture most types of traffic.
- Options (rule actions):
  - Basic: Pass, Log, Alert
  - Advanced: Activate, Dynamic
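The rule-writing slide above and the WinNuke pattern described earlier (URG-flagged TCP data to port 139), as an added example that is not FORESEC's or Snort's own code: a hypothetical rule in Snort syntax plus a small Python matcher that implements only the header, `msg` and `flags` subset of that syntax, run over constructed sample segments.

```python
import re
from dataclasses import dataclass

@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # Snort-style TCP flag letters: F S R P A U

# Hypothetical rule in Snort syntax: URG (plus any other flags) to the NetBIOS session port.
RULE = ('alert tcp any any -> any 139 '
        '(msg:"WinNuke-style OOB data to NetBIOS port"; flags:U+; sid:1000001;)')

def parse_rule(rule: str) -> dict:
    """Parse the rule header and its key:value options (only msg and flags are used)."""
    m = re.match(r'(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$', rule)
    if not m:
        raise ValueError("unsupported rule syntax")
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = dict(o.strip().split(':', 1) for o in opts.split(';') if o.strip())
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "msg": options.get("msg", "").strip('"'),
            "flags": options.get("flags")}

def _spec_ok(spec: str, value) -> bool:
    """'any' matches everything; otherwise the address or port must match exactly."""
    return spec == "any" or spec == str(value)

def _flags_ok(spec, flags: str) -> bool:
    """'U+' means URG plus anything else; bare 'U' means exactly URG and nothing more."""
    if spec is None:
        return True
    required = set(spec.rstrip('+'))
    return required <= set(flags) if spec.endswith('+') else set(flags) == required

def matches(rule: dict, seg: Segment) -> bool:
    return (_spec_ok(rule["src"], seg.src) and _spec_ok(rule["sport"], seg.sport)
            and _spec_ok(rule["dst"], seg.dst) and _spec_ok(rule["dport"], seg.dport)
            and _flags_ok(rule["flags"], seg.flags))

def alerts(rule_text: str, segments) -> list:
    """Return one alert message per segment the rule matches."""
    rule = parse_rule(rule_text)
    return [f'{rule["msg"]} {s.src}:{s.sport} -> {s.dst}:{s.dport}' for s in segments if matches(rule, s)]

SAMPLE = [  # constructed sample traffic, not captured packets
    Segment("10.0.0.5", 1025, "10.0.0.9", 139, "PAU"),  # URG data to 139: fires
    Segment("10.0.0.5", 1026, "10.0.0.9", 139, "PA"),   # normal session data: no alert
    Segment("10.0.0.5", 1027, "10.0.0.9", 80, "PAU"),   # URG but wrong port: no alert
]
```

Only the first sample segment produces an alert; a real Snort deployment would express the same check with the rule text alone and leave matching to the engine.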