Intrusion Detection Systems ● Network Intrusion Detection System – NIDS ● Host-based Intrusion Detection System – HIDS ● Intrusion Prevention/Protection

Post on 25-Dec-2015

Slide 1: Intrusion Detection Systems
- Network Intrusion Detection System (NIDS)
- Host-based Intrusion Detection System (HIDS)
- Intrusion Prevention/Protection System (IPS)
- IDS Service Centers
- System Logs

Slide 2: Network Intrusion Detection
Open Source NIDS
- Snort - www.snort.org
- Bro - www.icir.org/vern/bro.html
Commercial NIDS
- ISS RealSecure Network Sensor - www.iss.net
- Intrusion Inc. SecureNet Sensor - www.intrusion.com
- StillSecure Border Guard - www.stillsecure.com

Slide 3: Host Intrusion Detection
Open Source HIDS
- Samhain - la-samhna.de/samhain
- LIDS - www.lids.org
- AIDE - www.cs.tut.fi/~rammer/aide.html
Commercial HIDS
- Tripwire - www.tripwire.com
- eEye Blink - www.eeye.com
- Symantec Host IDS - www.symantec.com

Slide 4: Intrusion Prevention/Protection
Open Source IPS
- Lak-IPS - lak-ips.sourceforge.net
Commercial IPS
- ISS Proventia - www.iss.net
- ForeScout Active Scout - www.forescout.com
- Netscreen IDP - www.netscreen.com
- McAfee IntruShield - www.networkassociates.com

Slide 5: IDS Service Centers
- Mynetwatchman - www.mynetwatchman.com
- DShield - www.dshield.org
- Internet Storm Center - isc.sans.org

Slide 6: System Logs
- Firewall logs
- Audit logs
- System logs
- TCP wrappers logs
- Web server logs
- SMTP server logs
- FTP server logs

Slide 7: Snort NIDS
- Open Source
- Home page - www.snort.org
- Supports UNIX and Windows
- Requires the packet capture library libpcap.
- Signature based
- Has many frontends and plugins

Slide 8: Building Snort
- Build libpcap if required.
- Obtain the source code from www.snort.org.
- Unpack the source tarball, then build and install:
    $ ./configure
    $ make
    $ make install
- The binary installs in /usr/local/bin/snort.

Slide 9: Configuring Snort
    # adduser -u 6000 -g snort -c "Snort IDS" snort
    # cd /home/snort; mkdir etc logs rules
    # cp rules/*.rules /home/snort/rules
    # cp etc/snort.conf etc/*.config /home/snort/etc
- Edit /home/snort/etc/snort.conf.
- Create an init script for launching snort at boot time.
- Schedule log rotation and cleanup.

Slide 10: Running Snort
    # /usr/local/bin/ntpdate -s -t 10 ntp.alaska.edu
    # /sbin/ifconfig eth0 promisc
    # /usr/local/bin/snort -u snort -g snort -l /home/snort/logs -d -D -i eth0 -c /home/snort/etc/snort.conf
    ps -ax | grep snort
    tail /var/log/messages
- Set up a cron job to synchronize the clock.

Slide 11: Using Snort
- Passive or active detection
  - Active detection requires a beefy machine and port mirroring.
- Alerts and portscan logs
  - Warn sysadmins and security staff.
  - Alert the source ISP.
- Trend analysis
  - What is being exploited.
  - Data for security reports.

Slide 12: Reporting Intrusion Attempts
Required information:
- Date and Time
- Time Zone
- Source IP, Port and Protocol
- Destination IP and Port
- Flags
- Packet content containing the exploit

Slide 13: Whom to Report
Search the whois database:
- whois.arin.net (North America & Academia)
- whois.ripe.net (Europe, Middle East & Africa)
- whois.apnic.net (Asia Pacific)
- whois.krnic.net (South Korea)
- whois.nic.ad.jp (Japan)
- whois.twnic.net (Taiwan)
- whois.lacnic.net (Latin America)
- whois.nic.br (Brazil)

Slide 14: Questions and Comments
- Questions and comments about IDS/IPS
- Questions and comments about Snort.
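Slides 11 and 12 describe alerting the source ISP with a fixed set of fields; as an added example that is not part of these slides, the Python below parses constructed Snort alert_fast lines (Snort's one-line alert output) into that report record, grouped by source address. The year and time zone (REPORT_YEAR, REPORT_TZ) are assumptions, because fast alerts carry neither, and the sample alert lines are constructed, not captured.

```python
"""Turn Snort alert_fast lines into the report record the slides ask for.
Fast alerts carry only month/day and clock time, so the year and time zone
a report needs are supplied by the caller. Sample alerts are constructed."""
import re
from datetime import datetime, timedelta, timezone

REPORT_TZ = timezone(timedelta(hours=-9))  # assumed sensor clock zone (UTC-9)
REPORT_YEAR = 2015                         # assumed year of the log file

# Constructed sample lines in Snort's alert_fast layout (documentation-range IPs).
SAMPLE_ALERTS = """\
12/25-10:15:32.123456  [**] [1:1000001:1] EXAMPLE SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:44321 -> 198.51.100.7:22
12/25-10:16:01.000001  [**] [1:1000002:1] EXAMPLE SNMP probe [**] [Priority: 3] {UDP} 203.0.113.9:5353 -> 198.51.100.7:161
12/25-10:17:45.500000  [**] [1:1000003:1] EXAMPLE ICMP echo sweep [**] [Priority: 3] {ICMP} 203.0.113.5 -> 198.51.100.7
"""

FAST_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.(?P<usec>\d{6})\s+"
    r"\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification: (?P<cls>[^\]]+)\])?"
    r"(?:\s+\[Priority: (?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_fast_alert(line, year=REPORT_YEAR, tz=REPORT_TZ):
    """Report fields for one alert line, or None if it is not an alert."""
    m = FAST_RE.match(line)
    if not m:
        return None
    hour, minute, second = (int(x) for x in m["time"].split(":"))
    ts = datetime(year, int(m["mon"]), int(m["day"]), hour, minute, second,
                  int(m["usec"]), tzinfo=tz)
    return {
        "timestamp": ts.isoformat(),  # ISO 8601 with the UTC offset (time zone)
        "src_ip": m["src"], "src_port": int(m["sport"]) if m["sport"] else None,
        "dst_ip": m["dst"], "dst_port": int(m["dport"]) if m["dport"] else None,  # ICMP: no ports
        "protocol": m["proto"], "sid": m["sid"], "signature": m["msg"],
        "classification": m["cls"], "priority": int(m["prio"]) if m["prio"] else None,
    }

def build_reports(text, year=REPORT_YEAR, tz=REPORT_TZ):
    """Group alerts by source IP: one report per source for its ISP/abuse contact."""
    reports = {}
    for line in text.splitlines():
        rec = parse_fast_alert(line, year, tz)
        if rec:
            reports.setdefault(rec["src_ip"], []).append(rec)
    return reports
```

The fast format omits the TCP flags and packet content that slide 12 also requires; those come from Snort's full alert output or the packet logs written under the -l directory.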