Intrusion Detection Systems (IDS)

01/20/22 Jeramie Reese - IDS 1
TRANSCRIPT

Page 1: Intrusion Detection Systems (IDS)

04/19/23 Jeramie Reese - IDS 1

Intrusion Detection Systems (IDS)

Jeramie Reese

Page 2: Intrusion Detection Systems (IDS)

Agenda

– What is Intrusion Detection?
– Categorizing IDS Systems
– IDS Functionality
– Passive Scans
– Benefits
– IDS Products
– Open Source Project: Snort
– Conclusion
– References

Page 3: Intrusion Detection Systems (IDS)

What is Intrusion Detection?

“An IDS does for a network what an antivirus software package does for files that enter a system.”

“An Intrusion Detection System (IDS) is a system for detecting misuse of network or computer resources.”

Sensors
– Connection Requests
– Log File Monitors
– File Integrity Checker
– User Account Auditing

Page 4: Intrusion Detection Systems (IDS)

Categorizing IDS Systems

– Misuse detection
– Anomaly detection
– Network-based
– Host-based systems
– Passive system
– Reactive system

Page 5: Intrusion Detection Systems (IDS)

IDS Functionality

[Diagram of IDS functionality, from http://www.snort.org/docs/idspaper/]

Page 6: Intrusion Detection Systems (IDS)

Passive Scans

Active (Intrusion Prevention System: IPS) vs. Passive Scans (IDS)

Collect / Analyze Information
Looking for patterns of misuse
– Attack Signatures
– Authorized users overstepping permissions
– Patterns of abnormal activity
  – Failed password attempts
  – Access times
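The two detection styles from the "Categorizing IDS Systems" slide (misuse vs. anomaly detection) and the two example patterns above (failed password attempts, access times) can be shown together in a log file monitor. The following is an added example written for this page, not from the slides: it parses constructed sshd-style log lines, raises a misuse alert when one source produces repeated failed passwords within a short window, and raises an anomaly alert when an accepted login falls outside an assumed 08:00-18:00 access window. The threshold, window and business hours are assumptions chosen for the demonstration.

```python
# Added example (not from the slides): a log-file monitor applying the two
# detection styles named on the slides to constructed sshd-style log lines:
# misuse detection (signature: repeated failed passwords from one source) and
# anomaly detection (an accepted login at an unusual hour).
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (syslog-like; the year is omitted as in real syslog).
SAMPLE_LOG = """\
Mar 12 09:01:12 host sshd[2011]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Mar 12 09:01:15 host sshd[2011]: Failed password for invalid user admin from 203.0.113.9 port 40123 ssh2
Mar 12 09:01:19 host sshd[2011]: Failed password for root from 203.0.113.9 port 40124 ssh2
Mar 12 09:01:22 host sshd[2011]: Failed password for root from 203.0.113.9 port 40125 ssh2
Mar 12 09:01:26 host sshd[2011]: Failed password for root from 203.0.113.9 port 40126 ssh2
Mar 12 09:30:02 host sshd[2040]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
Mar 12 03:12:44 host sshd[2077]: Accepted password for alice from 198.51.100.77 port 52000 ssh2
Mar 12 09:45:00 host sshd[2090]: Failed password for bob from 192.0.2.11 port 53000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth line, or None for lines we do not monitor."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Year defaults to 1900; only time-of-day and ordering matter for this monitor.
    rec["when"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def failed_password_bursts(records, threshold=5, window_seconds=60):
    """Misuse signature: at least `threshold` failures from one source within the window."""
    by_src = defaultdict(list)
    for r in records:
        if r["result"] == "Failed":
            by_src[r["src"]].append(r["when"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i + threshold - 1
            if j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                alerts.append((src, times[i].strftime("%H:%M:%S"), threshold))
                break  # one alert per source is enough for this example
    return alerts


def off_hours_logins(records, business_hours=(8, 18)):
    """Anomaly: accepted logins outside the assumed normal access window."""
    start, end = business_hours
    return [(r["user"], r["src"], r["when"].strftime("%H:%M:%S"))
            for r in records
            if r["result"] == "Accepted" and not (start <= r["when"].hour < end)]


def analyze(log_text):
    """Run both detectors over a block of log text."""
    records = [r for r in (parse_line(line) for line in log_text.splitlines()) if r]
    return {"bursts": failed_password_bursts(records), "off_hours": off_hours_logins(records)}


if __name__ == "__main__":
    for kind, alerts in analyze(SAMPLE_LOG).items():
        print(kind, alerts)
```

The burst detector is signature-based: it fires on a fixed pattern regardless of who the account is. The off-hours check is anomaly-based: the same "Accepted password" event is benign at 09:30 and suspicious at 03:12, so the verdict depends on a model of normal behaviour rather than on the event itself.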

Page 7: Intrusion Detection Systems (IDS)

Benefits

– Early warning of attack
– Flexible configuration options
– Alerts that a network invasion may be in progress
– Help identify the source of the incoming probes or attacks
– Troubleshoot system anomalies
– Determine what has been compromised
– Catches insider hacking
– Identify attacker (proof)

Page 8: Intrusion Detection Systems (IDS)

IDS Products (Commercial)

Cisco Intrusion Detection
– Cisco Secure IDS Director Software ($4,900)

Internet Security Systems
– RealSecure ($8,995 per sensor)

Symantec Corporation
– Intruder Alert (server: $995, workstation: $295)

Tripwire Inc.
– Tripwire Manager 2.4 ($6,995)

Page 9: Intrusion Detection Systems (IDS)

IDS Products (Open Source)

Naval Surface Warfare Center
– Shadow IDS
– Originally started by the Cooperative Intrusion Detection Evaluation and Response (CIDER) project

Shoki IDS
– Developer: Stephen P. Berry

Snort IDS
– Developer: Marty Roesch

Page 10: Intrusion Detection Systems (IDS)

Snort

Packet Sniffing
– Similar to tcpdump

Packet Monitoring
– Useful for network traffic debugging

Intrusion Detection
– Applies rules on all captured packets

Page 11: Intrusion Detection Systems (IDS)

Snort Rules

– Rule Actions
– Protocols
– IP Addresses
– Port Numbers
– The Direction Operator
– Activate/Dynamic Rules

Page 12: Intrusion Detection Systems (IDS)

Snort Rules Examples

log tcp 192.168.1.0/24 any <> 192.168.1.0/24 23 (content: "USER root"; msg: "FTP root login";)

alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl:100;)

log udp any any -> 192.168.1.0/24 1:1024

Response: Fast Mode, Full Mode, UNIX Socket Mode, SNMP, SYSLOG, etc.
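To make the rule header fields from the "Snort Rules" slide (action, protocol, IP addresses, port numbers, direction operator) and the options used in the three examples concrete, here is an added example written for this page. It is not Snort's code and implements only the subset of rule syntax shown above: a small parser plus a matcher that evaluates the three slide rules against constructed packets (Python dicts, not captured traffic). Handling of negated addresses and ports with a leading "!" and open-ended port ranges goes slightly beyond the slide's examples; escaping inside content strings is not handled.

```python
# Added example (not Snort's code, nor from the slides): a small evaluator for
# the rule header fields listed on the slides (action, protocol, IP addresses,
# ports, direction operator) plus the three options the examples use (msg,
# content, ttl). Packets are constructed Python dicts, not captured traffic.
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*(?:\((?P<opts>.*)\))?\s*$"
)

# The three rules from the slide.
RULES_TEXT = [
    'log tcp 192.168.1.0/24 any <> 192.168.1.0/24 23 (content: "USER root"; msg: "FTP root login";)',
    'alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl:100;)',
    "log udp any any -> 192.168.1.0/24 1:1024",
]


def parse_options(text):
    """'key: value; key2:value2;' -> dict (quotes stripped; no escaping handled)."""
    opts = {}
    for item in (text or "").split(";"):
        if item.strip():
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return opts


def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = m.groupdict()
    rule["opts"] = parse_options(rule["opts"])
    return rule


def addr_matches(spec, ip):
    """'any', an IP, a CIDR block, or any of those negated with a leading '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negate


def port_matches(spec, port):
    """'any', a single port, or a range 'lo:hi' (either end may be omitted)."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def header_matches(rule, pkt):
    """Check protocol, then addresses/ports in the direction(s) the rule allows."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False

    def one_way(src, sport, dst, dport):
        return (addr_matches(src, pkt["src"]) and port_matches(sport, pkt["sport"])
                and addr_matches(dst, pkt["dst"]) and port_matches(dport, pkt["dport"]))

    if one_way(rule["src"], rule["sport"], rule["dst"], rule["dport"]):
        return True
    # "<>" is bidirectional: also accept the packet with the endpoints swapped.
    return rule["dir"] == "<>" and one_way(rule["dst"], rule["dport"], rule["src"], rule["sport"])


def options_match(rule, pkt):
    opts = rule["opts"]
    if "content" in opts and opts["content"].encode() not in pkt.get("payload", b""):
        return False
    if "ttl" in opts and pkt.get("ttl") != int(opts["ttl"]):
        return False
    return True


def apply_rules(rules, packets):
    """For each packet, (action, msg) of the first rule it triggers, else None."""
    results = []
    for pkt in packets:
        hit = None
        for rule in rules:
            if header_matches(rule, pkt) and options_match(rule, pkt):
                hit = (rule["action"], rule["opts"].get("msg", ""))
                break
        results.append(hit)
    return results


# Constructed packets; ICMP has no ports, so 0 is used and matched by "any".
PACKETS = [
    dict(proto="tcp", src="192.168.1.5", sport=40000, dst="192.168.1.10", dport=23, payload=b"USER root\r\n"),
    dict(proto="icmp", src="10.0.0.1", sport=0, dst="10.0.0.2", dport=0, ttl=100),
    dict(proto="icmp", src="10.0.0.1", sport=0, dst="10.0.0.2", dport=0, ttl=64),
    dict(proto="udp", src="198.51.100.7", sport=53, dst="192.168.1.20", dport=53),
    # Reply direction of the first packet: matched only because the rule uses "<>".
    dict(proto="tcp", src="192.168.1.10", sport=23, dst="192.168.1.5", dport=40000, payload=b"USER root"),
]


def demo():
    return apply_rules([parse_rule(r) for r in RULES_TEXT], PACKETS)


if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, demo()):
        print(pkt["proto"], pkt["src"], "->", pkt["dst"], verdict)
```

The fifth packet is the point of the direction operator: with "->" only the client-to-server half of the telnet session would be examined, whereas "<>" applies the content check to both halves. The third packet shows that a header match is not enough; the ttl option must also hold before the rule's action is taken.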

Page 13: Intrusion Detection Systems (IDS)

Conclusion

IDS could benefit from standards
Neighborhood Architecture
– IDS itself can be attacked
– Altered to report incorrect data
Heuristic data collection
More focus on internal attacks

Page 14: Intrusion Detection Systems (IDS)

References

Honeypots; Intrusion Detection, Honeypots and Incident Handling Resources; 2001. http://www.honeypots.net/ids/products

Infosyssec; Intrusion Detection Systems FAQ; 2003. http://www.infosyssec.net/infosyssec/intdet1.htm

Network World Fusion; Buyer's Guide: Network-based intrusion-detection systems; 2001. http://www.networkworld.com/reviews/2001/1008bgtoc.html

Shimonski, Robert J.; What You Need to Know About Intrusion Detection Systems; 2001. http://www.windowsecurity.com/articles/What_You_Need_to_Know_About_Intrusion_Detection_Systems.html