IDS & IPS
jnlin, Computer Center, CS, NCTU

Slide 2: IDS & IPS
  • Intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.
  • The main functions of intrusion prevention systems (IPS) are to identify malicious activity, log information about this activity, report it and attempt to block or stop it.

Slide 3: IDS / IPS with Firewall

Slide 4: Detection Method
  • Signature-based
      - Patterns of known malicious events
      - Difficult to detect new attacks
  • Anomaly-based
      - Use machine learning to create a model of trustworthy activity, and then compare new behavior against this model.

Slide 5: Pros & Cons
  • Pros
      - Simple
      - Cost efficiency
  • Cons
      - False positives are frequent
      - Need to update signature library
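As an added example (not part of the slides, and not Snort's own code), the following Python script contrasts the two detection methods from the "Detection Method" and "Pros & Cons" slides on constructed traffic. The rule line imitates a small subset of the Snort local.rules syntax (header plus msg/content/sid options) but is handled by a toy parser written here, not by Snort. The packets, the per-source connection counts, the IP addresses and the "EVILBOT/1.0" marker are all made up for the demonstration.

```python
"""Toy signature-based vs anomaly-based detection (added example, not from the slides)."""
import re
import statistics
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    dport: str      # "any" or a port number, as written in the rule header
    msg: str
    content: bytes  # byte pattern searched for in the payload
    sid: int


# Header subset: action proto src sport -> dst dport ( options )
RULE_RE = re.compile(
    r"^(?P<action>alert|log|drop)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*\S+\s+"
    r"(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# Option subset: key:"value"; or key:value;
OPT_RE = re.compile(r'(\w+):\s*"?([^";]*)"?\s*;')


def parse_rules(text: str) -> list[Rule]:
    """Parse rule lines written in the toy subset of Snort syntax above."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        opts = dict(OPT_RE.findall(m.group("opts")))
        rules.append(Rule(m.group("action"), m.group("proto"), m.group("dport"),
                          opts["msg"], opts["content"].encode(), int(opts["sid"])))
    return rules


def signature_matches(rules: list[Rule], pkt: Packet) -> list[int]:
    """Signature-based: return the sids of rules whose header and content match."""
    hits = []
    for r in rules:
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dport != "any" and int(r.dport) != pkt.dport:
            continue
        if r.content in pkt.payload:
            hits.append(r.sid)
    return hits


def anomaly_flags(baseline: list[int], window: dict[str, int],
                  threshold: float = 3.0) -> dict[str, int]:
    """Anomaly-based: model 'normal' as mean/stdev of past per-source connection
    counts and flag sources whose current count sits more than `threshold`
    standard deviations above the mean."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0   # avoid division by zero
    return {src: n for src, n in window.items() if (n - mean) / stdev > threshold}


# ---- constructed sample data (not real traffic, not a real rule set) ----
LOCAL_RULES = """
# constructed local.rules: one signature for a made-up scanner User-Agent
alert tcp any any -> any 80 (msg:"Constructed scanner UA"; content:"EVILBOT/1.0"; sid:1000001;)
"""
RULES = parse_rules(LOCAL_RULES)
KNOWN = Packet("tcp", 80, b"GET / HTTP/1.1\r\nUser-Agent: EVILBOT/1.0\r\n\r\n")
NOVEL = Packet("tcp", 80, b"GET / HTTP/1.1\r\nUser-Agent: NEWTOOL/0.1\r\n\r\n")
# connections per minute from a typical source over ten past minutes
BASELINE = [10, 10, 11, 9, 10, 10, 9, 11, 10, 10]
# current minute: a normal host, a legitimate burst (backup job) and a scanner
WINDOW = {"10.0.0.5": 10, "10.0.0.7": 13, "10.0.0.9": 60}

if __name__ == "__main__":
    print("signature hits, known tool :", signature_matches(RULES, KNOWN))  # [1000001]
    print("signature hits, novel tool :", signature_matches(RULES, NOVEL))  # [] -> missed
    print("anomaly flags              :", anomaly_flags(BASELINE, WINDOW))
    # 10.0.0.9 is the scanner; 10.0.0.7 is a false positive, the cost the
    # slides list for anomaly-based detection
```

Running it shows both trade-offs from the slides at once: the signature catches only the tool it was written for and misses the novel one, while the statistical model catches the scanner but also flags the harmless burst, which is why a signature library must be updated and why anomaly alerts need tuning.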

Slide 6: Snort
  • An open source IDS
      - GPLv2
  • Very simple to use

Slide 7: Snort - installation
  • FreeBSD: pkg install snort
  • Don't forget to update to the latest rules
      - Configure PulledPork:
          cp /usr/local/etc/pulledpork.conf.sample /usr/local/etc/pulledpork.conf
          mkdir /usr/local/etc/snort/so_rules
          mkdir /usr/local/etc/snort/rules/iplists
          touch /usr/local/etc/snort/rules/local.rules
          cp /usr/local/etc/snort/preproc_rules/sensitive-data.rules-sample /usr/local/etc/snort/preproc_rules/sensitive-data.rules
          /usr/local/etc/snort/rules/white_list.rules
          /usr/local/etc/snort/rules/black_list.rules

Slide 8: Snort - PulledPork
  • /usr/local/etc/pulledpork.conf

Slide 9: Run PulledPork
  • pulledpork.pl -c /usr/local/etc/pulledpork.conf -l

Slide 10: Start Snort
  • In /etc/rc.conf.local
      - snort_enable="YES"
      - snort_interface="em0"
  • /usr/local/etc/rc.d/snort start

Slide 11: Update rules periodically
  • crontab
      - 0 6 * * * /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork.conf -l > /dev/null