Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention with Snort Dr. Jim Chen, Victor Tsao, Barry Williams, Tokunbo Olojo, John Smet, Nicole Regobert, Lamin Kamara, Michael Hughes March 2006

Dr. Chen and others, Secure IT 2006 Conference, slide 2
CSMN683: Intrusion Detection, Incident Response, and Computer Forensics: Course Description
“The theory, skills, and tools needed in intrusion detection and computer forensics are the major themes in this course. The course discusses techniques for identifying vulnerable target systems and types of malicious code, for mitigating security risks, and for recognizing attack patterns. It also presents the conceptual and operational tools necessary for analysis and resolution of problems with respect to effective filters and firewalls, attack tracing, system recovery, continuity of operation, evidence collection, evidence analysis, and prosecution.”

Slide 3: Student Background
38.09% of students had heard about at least one intrusion detection system
% of students had heard about Snort
% of students had never played with any intrusion detection system
90.47% of students had never seen a signature or a rule within an intrusion detection system
85.71% of students had never seen a log analyzer

Slide 4: Challenges
(1) How to explain intrusion?
(2) How to explain detection?
(3) How to show detection methods?
(4) How to demonstrate the limitations in some detection methods?
(5) How to encourage students to figure out ways of overcoming the limitations?

Slide 5: Solution
Selected Snort since it is an open source product
Designed and developed some hands-on laboratory exercises using Snort

Slide 6: Snort
“Snort® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.” from

Slide 7: 4 Lab Exercises Using Snort
Lab 1: Shows the intrusion and the detection of the intrusion [addressing Challenges (1) & (2)]
Lab 2: Shows the detection method using signature technology and its limitations [addressing Challenges (3) & (4)]
Lab 3: Shows the analysis of Intrusion Detection System logs using an analysis engine [addressing Challenge (5)]
Lab 4: Shows one way of improving the IDS by writing plug-ins [addressing Challenge (5)]

Slide 8: Objectives of Lab 1
Show an intrusion
Show the issues in detecting the intrusion
Detect the intrusion

Slide 9: Lab 1: Intrusion Detection
One computer with Snort running on it
Another computer with an intrusion software tool running on it
Connect the two computers together to form a network

Slide 10: Intrusion Detection Demo

Slide 11: Lab 1: Lesson Learned
It is not difficult to explore a vulnerability within a computer system.
By default, some intrusions may not be detected using Snort.
With appropriate signatures and rules, some intrusions can be detected.

Slide 12: Objectives of Lab 2
Discuss the benefits and limitations of using signatures and rules
Explain the syntax of rules in Snort
Learn to modify the existing rules and write new rules

Slide 13: Lab 2: Signatures for Intrusion Detection
What is a signature?
Why are signatures needed in an intrusion detection system?
What is a rule in Snort?
What is the syntax of a rule in Snort?
How do Snort rules work?

Slide 14: Anatomy of a Rule
Rule header – Contains the rule’s action, protocol, source IP address, source port number, destination IP address, destination port number, etc.
Rule body – Consists of keywords and arguments used to trigger an alert, etc.

Slide 15: Signatures for Intrusion Detection Demo

Slide 16: Writing Rules
Identify the characteristics of the suspicious traffic
Write rules based on the characteristics
Implement the rules
Test the rules to see if they capture the suspicious traffic
Modify the rules accordingly
Test and modify the rules again
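As an added example (not code from the presentation or from the Snort project), the following Python parses rules of the header/body shape described under Anatomy of a Rule, matches them against constructed packets, and runs the test-modify-retest loop from the Writing Rules steps: a first-draft rule is scored for false positives and false negatives against labelled sample traffic, then a tightened revision is scored again. The $HOME_NET/$EXTERNAL_NET bindings, the sample packets and the two rules are assumptions made for the example, and only a subset of Snort's rule options (msg, content, nocase, sid, rev) is implemented.

```python
"""Parse Snort-style rules and test them against constructed packets.

Added example, not code from the presentation or the Snort project. Only the
header fields and the msg, content, nocase, sid and rev options are handled.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed variable bindings in the style of snort.conf (constructed values).
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)

@dataclass
class Rule:
    header: dict                                  # action, proto, src, sport, dir, dst, dport
    options: dict = field(default_factory=dict)   # msg, sid, rev, ...
    contents: list = field(default_factory=list)  # [pattern, nocase] pairs, in rule order

def parse_rule(text: str) -> Rule:
    """Split a rule into its header fields and its body options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    rule = Rule(m.groupdict())
    # Options are separated by ';' (a ';' inside a quoted value is kept).
    for opt in re.findall(r'((?:[^;"]|"[^"]*")+)', rule.header.pop("body")):
        key, _, value = opt.strip().partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "content":
            rule.contents.append([value, False])
        elif key == "nocase" and rule.contents:
            rule.contents[-1][1] = True           # modifier for the preceding content
        elif key:
            rule.options[key] = value
    return rule

def _addr_matches(spec: str, ip: str) -> bool:
    spec = VARS.get(spec, spec)                   # expand $HOME_NET-style variables
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate

def _port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port     # single ports only; no ranges or lists

def _endpoints_ok(src, sport, dst, dport, pkt) -> bool:
    return (_addr_matches(src, pkt["src"]) and _port_matches(sport, pkt["sport"])
            and _addr_matches(dst, pkt["dst"]) and _port_matches(dport, pkt["dport"]))

def rule_matches(rule: Rule, pkt: dict) -> bool:
    """True when the header and every content option match the packet."""
    h = rule.header
    if h["proto"].lower() not in ("ip", pkt["proto"]):
        return False
    forward = _endpoints_ok(h["src"], h["sport"], h["dst"], h["dport"], pkt)
    # '<>' is bidirectional: the header may also match with the endpoints swapped.
    reverse = h["dir"] == "<>" and _endpoints_ok(h["dst"], h["dport"], h["src"], h["sport"], pkt)
    if not (forward or reverse):
        return False
    payload = pkt.get("payload", "")
    return all((pat.lower() in payload.lower()) if nocase else (pat in payload)
               for pat, nocase in rule.contents)

def evaluate(rule_text: str, traffic: list) -> dict:
    """Count hits and misses over labelled traffic given as (packet, is_malicious)."""
    rule = parse_rule(rule_text)
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for pkt, malicious in traffic:
        hit = rule_matches(rule, pkt)
        counts[("tp" if malicious else "fp") if hit else ("fn" if malicious else "tn")] += 1
    return counts

def _http(src, dst, payload, sport=40000, dport=80) -> dict:
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}

# Constructed, labelled sample traffic: (packet, is_malicious).
TRAFFIC = [
    (_http("10.9.9.9", "192.168.1.10", "GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n"), True),
    (_http("10.9.9.9", "192.168.1.10", "GET /scripts/CMD.EXE?/c+dir HTTP/1.0\r\n"), True),
    (_http("10.9.9.8", "192.168.1.10", "GET /docs/cmd-reference.html HTTP/1.1\r\n"), False),
    (_http("10.9.9.7", "192.168.1.10", "GET /index.html HTTP/1.1\r\n"), False),
    (_http("192.168.1.10", "10.9.9.9", "HTTP/1.1 404\r\n\r\ncmd.exe not here", 80, 40000), False),
]

# First attempt (rev 1): case-sensitive, any host, any direction.
BROAD_RULE = 'alert tcp any any -> any any (msg:"cmd anywhere"; content:"cmd"; sid:1000001; rev:1;)'
# After testing (rev 2): inbound web traffic only, exact file name, case-insensitive.
REFINED_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe access"; '
                'content:"cmd.exe"; nocase; sid:1000001; rev:2;)')

if __name__ == "__main__":
    print("rev 1:", evaluate(BROAD_RULE, TRAFFIC))
    print("rev 2:", evaluate(REFINED_RULE, TRAFFIC))
```

Running it scores rev 1 as one true positive, two false positives (the short content string also matches a documentation URL and a server response) and one false negative (the upper-case request), and rev 2 as two true positives with neither kind of error; restricting the header to inbound traffic is what removes the response-side false positive, and nocase is what removes the miss.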

Slide 17: Lab 2: Lesson Learned
It is important to identify the characteristics of the suspicious traffic before writing any rules.
Rules need to be tested, modified, and further tested and modified again in order to reduce false positives and false negatives.
It is also important to know the limitations of signature technology.

Slide 18: Objectives of Lab 3
Discuss the importance of using a log analyzer, such as BASE (Basic Analysis and Security Engine) or ACID (Analysis Console for Intrusion Databases)
Learn to use BASE to analyze log files

Slide 19: Lab 3: Intrusion Detection Log Analysis
Use BASE (Basic Analysis and Security Engine) to analyze log files
Show the different functionalities of BASE

Slide 20: Basic Analysis and Security Engine
Written in the PHP programming language
Analyzes intrusion logs
Displays information from a database in a Web-based format
Generates graphs and alerts based on the sensor, time, signature, and protocol
Displays on the main page a summary of currently logged alerts as well as various alert summary breakdowns and links to graphs
Can be administered based on categories such as alert groups, false positives, and alerts
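As an added example (not code from the presentation or from the BASE project), the following Python reads Snort's alert_fast log format and builds the kind of summary that BASE's main page shows: counts by signature, protocol, source address and hour, a list of the priority-1 alerts, and a way to exclude signature IDs an analyst has marked as false positives. The log lines, signature IDs, timestamps and addresses are constructed for the example, and the parser handles only IPv4 endpoints.

```python
"""Summarise Snort alert_fast log lines the way a console such as BASE does.

Added example, not code from the presentation or from the BASE project.
The log lines below are constructed; timestamps, sids and addresses are
made up. Only IPv4 endpoints of the fast-alert format are handled.
"""
import re
from collections import Counter

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample of Snort's alert_fast output (five alerts, two signatures).
SAMPLE_LOG = """\
03/12-09:14:02.113355  [**] [1:1000001:2] WEB cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.9.9.9:40000 -> 192.168.1.10:80
03/12-09:14:03.771820  [**] [1:1000001:2] WEB cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.9.9.9:40001 -> 192.168.1.10:80
03/12-09:20:45.002011  [**] [1:1000002:1] ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.9.9.8 -> 192.168.1.10
03/12-10:02:10.500000  [**] [1:1000001:2] WEB cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.9.9.7:51000 -> 192.168.1.10:80
03/12-10:31:59.000000  [**] [1:1000002:1] ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.9.9.9 -> 192.168.1.10
this line is not an alert and is reported as unparsed
"""

def parse_alerts(text: str):
    """Return (alerts, unparsed): parsed alert dicts plus lines that did not match."""
    alerts, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line)
        if m:
            a = m.groupdict()
            a["prio"] = int(a["prio"])
            alerts.append(a)
        else:
            unparsed.append(line)           # a log analyzer must not silently drop these
    return alerts, unparsed

def summarize(alerts, false_positive_sids=frozenset()):
    """Alert-group style breakdowns; sids marked as false positives are excluded."""
    live = [a for a in alerts if a["sid"] not in false_positive_sids]
    return {
        "total": len(live),
        "by_signature": Counter(a["msg"] for a in live),
        "by_protocol": Counter(a["proto"] for a in live),
        "by_source": Counter(a["src"] for a in live),
        "by_hour": Counter(a["ts"][:8] for a in live),      # "MM/DD-HH" buckets
        "high_priority": [(a["ts"], a["msg"], a["src"]) for a in live if a["prio"] == 1],
    }

def render(summary) -> str:
    """Plain-text version of a console's main-page summary."""
    lines = [f"Total alerts: {summary['total']}"]
    for title, key in (("By signature", "by_signature"), ("By protocol", "by_protocol"),
                       ("By source", "by_source"), ("By hour", "by_hour")):
        lines.append(f"{title}:")
        for name, n in summary[key].most_common():
            lines.append(f"  {n:4d}  {name}")
    return "\n".join(lines)

if __name__ == "__main__":
    alerts, bad = parse_alerts(SAMPLE_LOG)
    print(render(summarize(alerts)))
    print(f"unparsed lines: {len(bad)}")
```

The by-hour and by-source counters are what make a trend visible (three hits on one signature from one address inside an hour), and the false-positive set shows how marking a noisy signature changes every breakdown at once rather than only hiding rows; unparsed lines are returned rather than dropped, since a log in an unexpected format is exactly the case the Lab 3 lesson warns about.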

Slide 21: Basic Analysis and Security Engine Demo

Slide 23: Lab 3: Lesson Learned
It is important to identify the trend of suspicious traffic.
Log analyzers can help us to identify the trend since they can display log data in a graphical and easy-to-understand format.
Log analyzers should be further improved to handle logs in different formats.

Slide 24: Objectives of Lab 4
Discuss the importance of using plug-ins
Learn to write plug-ins

Slide 25: Lab 4: Plug-Ins
Learn the functions of plug-ins
Write plug-ins

Slide 26: Categories of Plug-Ins
Output mechanism
Complex protocol decoder
Detection plug-ins

Slide 27: Lab 4: Lesson Learned
It is important to realize that the functions of an intrusion detection system are still limited.
Designing, writing, testing, modifying, further testing and modifying plug-ins can help students to improve their critical thinking skills and creativity.
Meanwhile, new functionality can be added into the existing system, including the functionality for the intrusion prevention system.

Slide 28: Student Survey
After finishing the first three lab exercises:
100% of students had been exposed to at least one intrusion detection system
% of students felt very familiar with signatures or rules within an intrusion detection system, 61.9% felt somewhat familiar with them, and 9.53% felt somewhat unfamiliar with them
% of students felt very familiar with a log analyzer, 52.38% felt somewhat familiar with it, 23.81% felt somewhat unfamiliar with it, and 4.76% did not provide an answer

Slide 29: Student Survey
After finishing the first three lab exercises:
95.24% of students thought the lab exercises would be beneficial academically towards their learning in the class; 4.76% did not provide an answer
% of students thought the lab exercises would be beneficial in their workplace in regards to network security; 4.76% did not provide an answer

Slide 30: Comments from Students
“Good exercises. Hands-on definitely reinforces theories read and discussed in class.”
“Lab is helpful. Reinforces the lectures. Having hands on is very important to understand IDS.”
“Labs are great to learn with. They should continue to be offered.”
“More time to work with other tasks not covered in lab to date.”
“More lab time within the class.”
Etc.

Slide 31: Lesson Learned
Appropriate signatures in rules can help to detect some intrusions.
Good rules can reduce false positives and false negatives.
There are limitations in rules.
Log analyzers can help to identify the trend.
Log analyzers need to be further improved.
Plug-ins can add new functionality into the existing system.

Slide 32: Pedagogical Implication
The challenges in teaching intrusion detection and intrusion prevention can be addressed using hands-on labs, especially Snort labs.
Critical thinking skills and creativity are promoted by putting students in an environment in which they need to find out the limitations of current IDS technologies and figure out new solutions of their own.
Different perspectives need to be explored to make sure that students are really familiar with intrusion detection and intrusion prevention technologies.
More hands-on labs need to be designed and developed to enhance student learning.

Slide 33: Summary
Hands-on lab exercises can enhance student learning.
Hands-on lab exercises using Snort are good tools in learning intrusion detection and intrusion prevention.

Slide 34: References
Beale, J., Baker, A., Caswell, B., Poor, M., and others. (2004). Snort 2.1 Intrusion Detection (2nd Edition). Rockland, MA: Syngress Publishing, Inc.
Cox, K. & Gerg, C. (2004). Managing Security with Snort and IDS Tools. Sebastopol, CA: O’Reilly Media, Inc.
Smith, P. & Ragan, T. (1999). Instructional Design. Hoboken, NJ: John Wiley & Sons, Inc.