Intrusion Detection Systems Network Intrusion Detection System NIDS


Intrusion Detection Systems
● Network Intrusion Detection System – NIDS
● Host-based Intrusion Detection System – HIDS
● Intrusion Prevention/Protection System – IPS
● IDS Service Centers
● System Logs

Network Intrusion Detection
● Open Source NIDS
  – Snort - www.snort.org
  – Bro - www.icir.org/vern/bro.html
● Commercial NIDS
  – ISS RealSecure Network Sensor - www.iss.net
  – Intrusion Inc. SecureNet Sensor - www.intrusion.com
  – StillSecure Border Guard - www.stillsecure.com

Host Intrusion Detection
● Open Source HIDS
  – Samhain - la-samhna.de/samhain
  – LIDS - www.lids.org
  – AIDE - www.cs.tut.fi/~rammer/aide.html
● Commercial HIDS
  – Tripwire - www.tripwire.com
  – eEye Blink - www.eeye.com
  – Symantec Host IDS - www.symantec.com

Intrusion Prevention/Protection
● Open Source IPS
  – Lak-IPS - lak-ips.sourceforge.net
● Commercial IPS
  – ISS Proventia - www.iss.net
  – ForeScout ActiveScout - www.forescout.com
  – NetScreen IDP - www.netscreen.com
  – McAfee IntruShield - www.networkassociates.com

IDS Service Centers
● MyNetWatchman - www.mynetwatchman.com
● DShield - www.dshield.org
● Internet Storm Center - isc.sans.org

System Logs
● Firewall logs
● Audit logs
● System logs
● TCP wrappers logs
● Web server logs
● SMTP server logs
● FTP server logs

Snort NIDS
● Open Source
● Home page - www.snort.org
● Supports UNIX and Windows
● Requires the packet capturing library libpcap.
● Signature based
● Has many frontends and plugins

Building Snort
● Build libpcap if required.
● Obtain source code from www.snort.org.
● Unpack the source tarball.
● $ ./configure
● $ make install
● Binary installs in /usr/local/bin/snort.

Configuring Snort
● # adduser -u 6000 -g snort -c "Snort IDS" snort
● # cd /home/snort; mkdir etc logs rules
● # cp rules/*.rules /home/snort/rules
● # cp etc/snort.conf etc/*.config /home/snort/etc
● Edit /home/snort/etc/snort.conf.
● Create an init script for launching snort at boot time.

Running Snort
● # /usr/local/bin/ntpdate -s -t 10 ntp.alaska.edu
● # /sbin/ifconfig eth0 promisc
● # /usr/local/bin/snort -u snort -g snort -l /home/snort/logs -d -D -i eth0 -c /home/snort/etc/snort.conf
● ps -ax | grep snort
● tail /var/log/messages
● Set up a cron job to synchronize the clock.

Using Snort
● Passive or active detection
  – Active detection requires a beefy machine and port mirroring.
● Alerts and portscan logs
  – Warn sysadmins and security staff.
  – Alert the source ISP.
● Trend analysis
  – What is being exploited.
  – Data for security reports.

Reporting Intrusion Attempts
● Required information
  – Date and Time
  – Time Zone
  – Source IP, Port and Protocol
  – Destination IP and Port
  – Flags
  – Packet content containing exploit
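As an added example that is not part of the original deck, the following Python script pulls the required report fields listed above out of Snort alert lines so they can be passed to the sysadmins and the source ISP mentioned on the "Using Snort" slide. It assumes the Snort 2.x alert_fast output format, uses constructed alert lines, and takes the year and the sensor's time zone from the operator, because the fast-alert timestamp carries neither.

```python
import re
from typing import Dict, List, Optional

# Snort 2.x "alert_fast" line layout (an assumption about the sensor's output
# format). The sample lines at the bottom are constructed, not captured.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line: str, year: int, time_zone: str) -> Optional[Dict]:
    """Map one alert_fast line onto the report fields. The timestamp has no
    year and no zone, so both come from the operator; TCP flags and the
    exploit payload are not in this format and come from the -d/-l packet logs."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    ts = m["ts"]                                   # MM/DD-HH:MM:SS.usec
    num = lambda v: int(v) if v is not None else None
    return {
        "date_time": f"{year}-{ts[0:2]}-{ts[3:5]} {ts[6:]}",
        "time_zone": time_zone,
        "source_ip": m["src"], "source_port": num(m["sport"]), "protocol": m["proto"],
        "dest_ip": m["dst"], "dest_port": num(m["dport"]),
        "signature": f'{m["gid"]}:{m["sid"]}:{m["rev"]} {m["msg"]}',
        "priority": num(m["prio"]),
    }

def reportable(lines: List[str], year: int, time_zone: str,
               max_priority: int = 2) -> List[Dict]:
    """Parsable alerts at priority max_priority or more urgent (1 is highest);
    unparsable lines and low-priority noise are dropped rather than reported."""
    reports = (parse_alert(ln, year, time_zone) for ln in lines)
    return [r for r in reports if r is not None
            and r["priority"] is not None and r["priority"] <= max_priority]

SAMPLE_ALERTS = [  # constructed sample input
    "12/03-14:22:07.123456  [**] [1:1000001:1] CONSTRUCTED SSH probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "192.0.2.10:4321 -> 198.51.100.5:22",
    "12/03-14:22:09.000001  [**] [1:1000002:1] CONSTRUCTED ICMP sweep [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "not an alert line",
]
```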

Whom to Report
● Search whois database
  – whois.arin.net (North America & Academia)
  – whois.ripe.net (Europe, Middle East & Africa)
  – whois.apnic.net (Asia Pacific)
    ● whois.krnic.net (South Korea)
    ● whois.nic.ad.jp (Japan)
    ● whois.twnic.net (Taiwan)
  – whois.lacnic.net (Latin America)
    ● whois.nic.br (Brazil)

Questions and Comments
● Questions and comments about IDS/IPS
● Questions and comments about Snort.