Transcript
Page 1: Intrusion Detection Systems ● Network Intrusion Detection System – NIDS ● Host-based Intrusion Detection System – HIDS ● Intrusion Prevention/Protection

Intrusion Detection Systems

● Network Intrusion Detection System – NIDS

● Host-based Intrusion Detection System – HIDS

● Intrusion Prevention/Protection System – IPS

● IDS Service Centers

● System Logs


Network Intrusion Detection

● Open Source NIDS
– Snort - www.snort.org
– Bro - www.icir.org/vern/bro.html

● Commercial NIDS
– ISS RealSecure Network Sensor - www.iss.net
– Intrusion Inc. SecureNet Sensor - www.intrusion.com
– StillSecure Border Guard - www.stillsecure.com


Host Intrusion Detection

● Open Source HIDS
– Samhain - la-samhna.de/samhain
– LIDS - www.lids.org
– AIDE - www.cs.tut.fi/~rammer/aide.html

● Commercial HIDS
– Tripwire - www.tripwire.com
– eEye Blink - www.eeye.com
– Symantec Host IDS - www.symantec.com


Intrusion Prevention/Protection

● Open Source IPS
– Lak-IPS - lak-ips.sourceforge.net

● Commercial IPS
– ISS Preventia - www.iss.net
– ForeScout Active Scout - www.forescout.com
– Netscreen IDP - www.netscreen.com
– McAfee IntruShield - www.networkassociates.com


IDS Service Centers

● Mynetwatchman - www.mynetwatchman.com
● DShield - www.dshield.org
● Internet Storm Center - isc.sans.org


System Logs

● Firewall logs
● Audit logs
● System logs
● TCP wrappers logs
● Web server logs
● SMTP server logs
● FTP server logs


Snort NIDS

● Open Source
● Home page - www.snort.org
● Supports UNIX and Windows
● Requires the libpcap packet capture library.
● Signature based
● Has many frontends and plugins


Building Snort

● Build libpcap if required.
● Obtain source code from www.snort.org.
● Unpack source tarball.
● $ ./configure
● $ make
● # make install (root is needed to install under /usr/local)
● Binary installs in /usr/local/bin/snort.


Configuring Snort

● # groupadd -g 6000 snort (the snort group must exist before it is used below)
● # adduser -u 6000 -g snort -c "Snort IDS" snort
● # cd /home/snort; mkdir etc logs rules
● # cp rules/*.rules /home/snort/rules (run from the unpacked Snort source tree)
● # cp etc/snort.conf etc/*.config /home/snort/etc
● Edit /home/snort/etc/snort.conf; at minimum set HOME_NET and point RULE_PATH at /home/snort/rules.
● Create init script for launching snort at boot time.
● Schedule log rotation and cleanup.


Running Snort

● # /usr/local/bin/ntpdate -s -t 10 ntp.alaska.edu
● # /sbin/ifconfig eth0 promisc
● # /usr/local/bin/snort -u snort -g snort -l /home/snort/logs -d -D -i eth0 -c /home/snort/etc/snort.conf
– -u/-g drop root privileges once the interface is open; -l log directory; -d log application-layer data (needed for the packet content in a report); -D run as daemon; -i capture interface; -c configuration file.
● # ps -ax | grep snort
● # tail /var/log/messages
● Set up cron job to synchronize clock (alert timestamps are only useful to others if the sensor clock is right).


Using Snort

● Passive or active detection
– Active detection requires beefy machine and port mirroring.

● Alerts and portscan logs
– Warn sysadmins and security staff.
– Alert source ISP.

● Trend analysis
– What is being exploited.
– Data for security reports.


Reporting Intrusion Attempts

● Required information
– Date and time
– Time zone
– Source IP, port and protocol
– Destination IP and port
– Flags
– Packet content containing exploit


Whom to Report

● Search whois database
– whois.arin.net (North America & Academia)
– whois.ripe.net (Europe, Middle East & Africa)
– whois.apnic.net (Asia Pacific)
  ● whois.krnic.net (South Korea)
  ● whois.nic.ad.jp (Japan)
  ● whois.twnic.net (Taiwan)
– whois.lacnic.net (Latin America)
  ● whois.nic.br (Brazil)
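The two slides above describe what to put in a report and where to send it. Below is an added example (not from the original slides) that turns a Snort 2.x fast-alert line into the required fields and then follows whois referrals to find the abuse contact. Two gaps matter in practice: a fast alert carries no year and no time zone, so the sensor's NTP-synced clock and configured zone have to be added (assumed here to be AKST, UTC-9, in the year 2005), and it carries neither TCP flags nor payload, which have to be pulled from the full alert/log files that the -d option produces. The alert lines and whois replies are constructed sample data: whois.example-rir.net is a placeholder for whichever registry a real referral points at, and the field names (ReferralServer, OrgAbuseEmail, abuse-mailbox) follow ARIN and RIPE output, but real replies vary and a production parser needs per-registry tuning.

```python
"""Build the incident-report fields for one Snort alert and find whom to send
it to. Added example; alert lines and whois replies below are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Snort 2.x alert_fast line. It has no year and no time zone, and carries no
# TCP flags or payload; those come from the sensor clock and the full
# alert/log files (snort -d), which is why the report checklist lists them.
FAST_ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hms>\d\d:\d\d:\d\d)\.(?P<usec>\d{1,6})\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Assumed sensor settings: Alaska standard time (UTC-9) and the capture year.
SENSOR_TZ = timezone(timedelta(hours=-9), "AKST")
SENSOR_YEAR = 2005

# Constructed alerts. SIDs above 1000000 are the local-rule range, so these
# do not name real Snort signatures.
SAMPLE_ALERT = (
    "03/14-22:15:03.123456  [**] [1:1000001:1] LOCAL example web probe [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "203.0.113.45:3412 -> 192.0.2.10:80"
)
SAMPLE_ICMP_ALERT = (
    "03/14-22:15:04.000001  [**] [1:1000002:1] LOCAL example ping sweep [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} "
    "203.0.113.45 -> 192.0.2.10"
)

# Constructed whois replies keyed by server. whois.example-rir.net stands in
# for whichever registry a real ARIN referral would name; field names follow
# ARIN (ReferralServer, OrgAbuseEmail) and RIPE (abuse-mailbox) style.
SAMPLE_WHOIS = {
    "whois.arin.net": (
        "#\n# ARIN WHOIS data and services are subject to the Terms of Use\n#\n"
        "NetRange:       203.0.113.0 - 203.0.113.255\n"
        "ReferralServer: whois://whois.example-rir.net\n"
    ),
    "whois.example-rir.net": (
        "% Information related to '203.0.113.0 - 203.0.113.255'\n"
        "inetnum:        203.0.113.0 - 203.0.113.255\n"
        "netname:        EXAMPLE-NET\n"
        "abuse-mailbox:  abuse@example.net\n"
    ),
}
ABUSE_FIELDS = ("OrgAbuseEmail", "abuse-mailbox")


def parse_fast_alert(line, year=SENSOR_YEAR, tz=SENSOR_TZ):
    """Return the report fields for one fast-alert line, stamping the time
    with the year and zone the line itself lacks."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        raise ValueError("not a Snort fast alert: %r" % line)
    hour, minute, second = (int(x) for x in m.group("hms").split(":"))
    ts = datetime(year, int(m.group("mon")), int(m.group("day")),
                  hour, minute, second, int(m.group("usec")), tzinfo=tz)
    return {
        "timestamp": ts.isoformat(),  # date, time and zone in one unambiguous field
        "signature": "%s:%s:%s" % (m.group("gid"), m.group("sid"), m.group("rev")),
        "message": m.group("msg"),
        "protocol": m.group("proto"),
        "src_ip": m.group("src"),
        "src_port": int(m.group("sport")) if m.group("sport") else None,  # ICMP: none
        "dst_ip": m.group("dst"),
        "dst_port": int(m.group("dport")) if m.group("dport") else None,
    }


def parse_whois(text):
    """Pull the referral target (if any) and abuse contacts out of a whois reply."""
    referral, contacts = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#%":  # registry notices and comments
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key == "ReferralServer":
            # value looks like whois://host[:port]; keep just the host
            referral = value.split("//", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        elif sep and key in ABUSE_FIELDS and value and value not in contacts:
            contacts.append(value)
    return {"referral": referral, "abuse_contacts": contacts}


def resolve_abuse_contact(responses, start="whois.arin.net"):
    """Start at ARIN and follow ReferralServer lines until a registry answers
    with abuse contacts. `responses` maps server -> reply text for one IP (in
    practice the output of `whois -h <server> <ip>`). Referral loops stop."""
    server, seen = start, []
    while server not in seen:
        seen.append(server)
        info = parse_whois(responses.get(server, ""))
        if info["abuse_contacts"] or not info["referral"]:
            return server, info["abuse_contacts"]
        server = info["referral"]
    return server, []


def build_report(line, whois_responses, year=SENSOR_YEAR, tz=SENSOR_TZ):
    """Report fields plus the registry and abuse addresses to send them to."""
    report = parse_fast_alert(line, year, tz)
    report["report_to"] = resolve_abuse_contact(whois_responses)
    return report


if __name__ == "__main__":
    for key, val in build_report(SAMPLE_ALERT, SAMPLE_WHOIS).items():
        print("%-10s %s" % (key, val))
```

The timestamp is emitted in ISO 8601 with its offset so the recipient never has to guess the zone, which is the single most common defect in abuse reports. When the alert is ICMP the port fields are None rather than zero, so a report template can omit them instead of printing a misleading port 0.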


Questions and Comments

● Questions and comments about IDS/IPS.
● Questions and comments about Snort.

