Govt. Engineering College Bikaner A PROJECT Presentation ON STUDY AND IMPLEMENTATION OF ADVANCE IDS SECURITY.
Presented by Nikita Shah 5th IT ( )

PROBLEMS
In an organization there are many possible signs of incidents that may go unnoticed each day. These events can be studied mainly by analyzing network behaviour or by reviewing computer security event logs. To avoid or minimize the losses from an incident, the events need to be analyzed as close to real time as possible.

ABSTRACT
This project presents a solution that bridges logging, log-based intrusion detection and network-based intrusion detection using well-known free open source tools available on the Security Onion Linux distribution. It walks through the logging, monitoring and alerting approach necessary for security, compliance and quality of service.

INTRODUCTION
An intrusion detection system (IDS) is software that automates the intrusion detection process. A network-based IDS (NIDS) monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity.

LOG MANAGEMENT, SIEM OVERVIEW
Organizations should deploy one or more centralized logging servers and configure logging devices throughout the organization to send duplicates of their log entries to the centralized logging servers. A log management infrastructure consists of the hardware, software, networks and media used to generate, transmit, store, analyze and dispose of log data.

LOG MANAGEMENT ARCHITECTURE
A log management infrastructure typically comprises three tiers:
- Log generation
- Log analysis and storage
- Log monitoring

LOG MANAGEMENT AND BENEFITS
- Detect/prevent unauthorized access and insider abuse
- Meet regulatory requirements
- Forensic analysis and correlation
- Ensure regulatory compliance
- Track suspicious behaviour
- IT troubleshooting and network operations
- Monitor user activity
- Best practices/frameworks such as COBIT, ISO, ITIL, etc.
- Deliver reports to departments
- Measure application performance

PROPOSED ARCHITECTURE
This project uses the Security Onion (SO) live CD to set up the logging and monitoring system. Of the two intrusion detection engines available on SO, Snort and Suricata, Snort is used as the intrusion detection engine. Sguil, Squert and Snorby provide the management console used to view and classify sensor alerts.

SECURITY ONION
Security Onion (SO) is a Linux distribution for IDS and NSM (Network Security Monitoring). It is based on Xubuntu and contains Snort, Suricata, Sguil, Snorby, Squert, tcpreplay, hping and many other security tools.

SGUIL
Sguil's main component is an intuitive GUI that provides access to real-time events, session data and raw packet captures. When an alert that needs more investigation has been identified, the Sguil client provides seamless access to the data needed to decide how to handle the situation.

SQUERT
Squert is a web application used to query and view event data stored in a Sguil database. It is a visual tool that attempts to provide additional context to events through the use of metadata, time series representations, and weighted and logically grouped result sets.

SNORT
Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature-, protocol- and anomaly-based inspection, it is the most widely deployed IDS/IPS technology.

SNORBY
Snorby is a front-end web application (written in Ruby on Rails) for any application that logs events in the unified2 binary output format. Snorby integrates with intrusion detection systems such as Snort, Suricata and Sagan.

OSSEC
OSSEC is an open source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response.

ELSA
Enterprise Log Search and Archive (ELSA) is a centralized syslog framework built on Syslog-NG, MySQL and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web.

CONFIGURATION OF SECURITY ONION

RULES
Snort and OSSEC have a large number of rule sets available to choose from. Large numbers of anomalies are detected right from the start using these rule sets, so the rule sets need to be tuned to reduce the number of false positives. The NIDS sensor works with Snort rules to alert on a network event of interest.

SNORT RULES
Snort rules are powerful, flexible and relatively easy to write. All Snort rules follow a very simple format and define what Snort should watch for as it inspects the packet header, the payload or both. Snort rules are divided into two logical sections: the rule header and the rule body.

LOG ANALYSIS AND CORRELATION
Log analysis is an art and is geared towards narrowing down to the events of interest. Analysts need to focus on recent changes, failures, errors, status changes, access and administration events, and other events that are unusual for the environment. Hence it is important to minimize noise by removing routine, repetitive log entries from the view after confirming that they are benign.

EVENT ANALYSIS
Analysis typically begins with Snort or OSSEC alerts displayed on the Sguil console in near real time. Analysts can then categorize the alert based on the type of activity, or escalate the alert to a more senior analyst for further analysis.

EVENT CORRELATION
It becomes easier to correlate events when multiple sensors feed different types of events into the same analysis console. Correlating activities across different logs provides a comprehensive picture of the chain of events. Analysts need to develop theories about what occurred and explore the logs to confirm or disprove those theories.

AUTO CATEGORIZATION
Sguil can automatically categorize events by editing the autocat.conf file at /etc/nsm/securityonion/ on the Sguil server. These events will have a status automatically assigned to them and will not appear in any analyst's console.

LOG ALERTING AND REPORTING
The sensor alerts on Security Onion are sent to both the Snorby and Sguil MySQL databases on the master server. Therefore there are two different ways to perform analysis and reporting, depending on the database source. Alert notifications can be produced in different ways as well.

ALERT CLASSIFICATION AND PRIORITY
Real-time alerting with Snort is highly customizable. Alerts that need to result in real-time notification can be chosen by assigning a priority to each rule and by rule classifications. Each rule can have an individual priority attached to it, and every rule can be included in a classification of rules that has a priority attached to it.
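As an added example (not code from the project or the page), the following Python splits Snort rules into the rule header and rule body described under SNORT RULES, then applies the per-rule priority and classtype priority described above to decide which rules warrant real-time notification. The three rules, their sids and the fallback priority are constructed for this example; the classtype defaults follow Snort's classification.config for the two classtypes used.

```python
import re

# Constructed sample rules (not from any real ruleset). Header is
# "action proto src_ip src_port -> dst_ip dst_port"; the body is the
# parenthesised list of "key:value;" options.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED SSH brute force"; '
    'flow:to_server; threshold:type both, track by_src, count 5, seconds 60; '
    'classtype:attempted-admin; sid:9000001; rev:1;)',
    'alert icmp any any -> $HOME_NET any (msg:"CONSTRUCTED ICMP echo request"; '
    'itype:8; classtype:misc-activity; sid:9000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"CONSTRUCTED IRC from inside"; '
    'classtype:misc-activity; priority:1; sid:9000003; rev:2;)',
]

# Default priority per classtype (1 = highest) as in Snort's classification.config
# for the two classtypes used above; unlisted classtypes fall back to 3 (assumed).
CLASSTYPE_PRIORITY = {"attempted-admin": 1, "misc-activity": 3}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)
# Split the body on ';' only when an even number of quotes follows, so a ';'
# inside a quoted msg does not split the option.
OPTION_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_rule(rule):
    """Return the header fields plus an 'options' dict for one Snort rule."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: " + rule)
    parsed = m.groupdict()
    options = {}
    for opt in OPTION_SPLIT_RE.split(parsed.pop("body")):
        opt = opt.strip()
        if opt:  # skip the empty tail after the final ';'
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    parsed["options"] = options
    return parsed


def effective_priority(parsed):
    """A rule's own priority option overrides its classtype default."""
    opts = parsed["options"]
    if "priority" in opts:
        return int(opts["priority"])
    return CLASSTYPE_PRIORITY.get(opts.get("classtype"), 3)


def realtime_alert_sids(rules, max_priority=1):
    """sids of rules important enough (priority <= max_priority) to notify on."""
    return [int(parse_rule(r)["options"]["sid"]) for r in rules
            if effective_priority(parse_rule(r)) <= max_priority]
```

The third rule shows the override at work: its classtype alone would give priority 3, but the explicit priority:1 makes it a real-time notification.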

ALERTS
Sguil's alerting configuration is in the file sguild. located at /etc/nsm/securityonion/, and it contains related information such as the SMTP server, from, to, ids, etc.

REPORTING
Sguil offers a few basic reports but lacks a mechanism to schedule reports or to produce reports with charts and graphs. Plain text reports are created by selecting the events to report and choosing the appropriate report type from the report menu. Summary reports contain the full packet headers, while detail reports add the payloads as well.

CONCLUSION
This project shows the importance of log management and network monitoring for the effective security monitoring and compliance of an organization. It provides an open source solution to the complex and very common challenge of log management and network monitoring. The solution is based on the framework provided by the Security Onion Linux distribution, which makes it possible to integrate the necessary applications on one platform. It aims to provide a cost-effective logging, alerting and monitoring alternative for organizations that cannot afford commercially available SIEM (Security Information and Event Management) solutions.


THANK YOU