FORESEC Academy Security Essentials III NETWORKBASED INTRUSION DETECTION

FORESEC Academy Security Essentials (III) NETWORK-BASED INTRUSION DETECTION

FORESEC Academy Need for Network-based Intrusion Detection Most attacks come from the Internet Detecting these attacks allows a site to tune defenses If we correlate data from a large number of sources we increase our capability The statistic that 90% of all attacks are perpetrated by insiders is dead wrong.

FORESEC Academy Inside a Network Attack Win. Nuke, (also called OOBNuke), uses TCP 139 and OOB Data, even if Net. BIOS is not enabled. It results in the “Blue Screen of Death”. Patches/service packs are available OOB stands for Out Of Band is actually misnamed; it should say. Urgent mode. , which is Urgent bit set in the TCP header flags and the urgent pointer.

FORESEC Academy Nuke’e. M Screen

FORESEC Academy Black. Ice – Nuke ‘Em Detection

FORESEC Academy Network Intrusion Detection 101

FORESEC Academy Black. Ice - Enable Logging

FORESEC Academy Black. Ice - Viewing Logs

FORESEC Academy Black. Ice - Visualization Tools

FORESEC Academy Libpcap-based Systems

FORESEC Academy Network Intrusion Detection With Snort

FORESEC Academy Snort Design Goals Low cost, lightweight Suitable for monitoring multiple sites/sensors Low false alarm rate Efficient detect system Low effort for reporting

FORESEC Academy Snort

FORESEC Academy Writing Snort Rules Can create custom rules to filter on specific content. Pre-loaded with hundreds of rules (but you may need to create one or more custom rules) Simple to write yet powerful enough to capture most types of traffic Options - Basic (Pass, Log, Alert) - Advanced (Activate, Dynamic)

FORESEC Academy