IDS – Intrusion Detection IDS – Intrusion Detection Systems Systems

OverviewOverview Concept: “An Intrusion Detection System is required to detect all types of

malicious network traffic and computer usage that can't be detected by a conventional firewall. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).”

ComponentsComponents:: Sensors which generate security events Console to monitor events and alerts and control the sensors Engine that records events logged by the sensors in a database and uses a

system of rules to generate alerts from security events received.

TypesTypes:: Anomaly-Based Intrusion Detection System Signature-Based Intrusion Detection System Network-Based Intrusion Detection System Host-based Intrusion Detection System

IDS mechanisms work togetherIDS mechanisms work together

Source: ComputerWorld

Basic toolsBasic tools Enterprise systems: Cisco Safe and IDS, Symantec Intrusion

Protection, CA Host-based IPS, Network Intrusion- Prevention Systems, Others.

Honeypots: Honeyd Virtual Honeypot and Deception ToolKit Snort: open source, from PCs to large networks; for Linux/UNIX,

Windows, Macs.

References Infosyssec IDS FAQ SANS IDS FAQ SANS InfoSec Reading Room: Intrusion Detection WindowsSecurity.com:

Intrusion Detection Systems (IDS): Classification; methods; techniques

SnortSnort What is Snort?

What can it do: detect and respond Open source and business. The main Web site for Snort.

Downloading Download WinPcap 3.1 (do not use newer WinPcap versions.) Download Snort for Windows or Linux

Install and setup Install WinCap, then Snort, by double-clicking in the downloaded files. Snort

is installed in c:\snort and snort.exe is in the c:\snort\bin directory. Create a login in the Snort Web account signup page and login. Go to the Download rules page and download under Sourcefire VRT Certified

Rules - The Official Snort Ruleset (registered user release) the CURRENT file. It will look like: snortrules-snapshot-CURRENT.tar.gz

Extract this file to the directory c:\snort and both signatures (under doc) and rules (under rules) will be created.

SnortSnort Using snort

at the command prompt start in c:\snort\bin (options) checking available interfaces c:\snort\bin snort -W example capturing and viewing packets:

c:\snort\bin snort -dev (press Control-C to stop the capture) example capturing and saving in log file:

c:\snort\bin snort -de -K ascii -l c:\snort\log examples: tcp arp log the Snort alert messages to the Windows Even Viewer, Applications

c:\snort\bin snort -E - l c:\snort\log -c c:\snort\etc\snort.confsee example of running in IDS mode and events in Event viewer.

Modifying and creating rules creating rules: experts only, download updates and read them. modifying not a problem: typically many false positives are eliminated example: I got many false positives as “MISC UPnP malformed

advertisement [Classification: Misc Attack] “ I looked for misc.rules and edited rule as follows: #alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; In the example I just commented out the rule: added # in front of the line.

SnortSnort

Additional references– Snort documentation

– a Snort Reporting Tool

– Snort IDS Policy Manager For Windows 2000/XP

– Snort-Wireless

– Securing your system with Snort in Linux

– Snort install in Win 2000/XP with Acid and MySQL

– Snort install in Linux with Acid and MySQL

– ACID - Analysis Console for Intrusion Databases

– ACID: Installation and Configuration in Linux

– MySQL A free DB client and server