CSCI 530 Lab: Intrusion Detection Systems (IDS)

An IDS is a collection of techniques and methodologies used to monitor suspicious activities at both the network and the host level.
- It is not a firewall.
- It inspects the content and intent of the network traffic.

IDS
- An additional level of security in the network.
- Firewalls will prevent attacks; an IDS is more like an alarm system.
- It performs actions such as alerting and logging upon detection.
- It can be configured to change the firewall rules upon detection of attacks.
- Can help detect attacks that pass through the firewall.
- Protection from insiders.

IDS
- Deployed with multiple sensors at various locations on the network; the sensors report to a centralized management console.
- A sensor monitors traffic, matches it against the rule sets and raises alerts, logs it or takes some other action.
- A rule set contains traffic signatures or rules for unwanted behaviour:
  - Rules check for thresholds, protocol, and IP source and destination.
  - Signatures are traffic patterns associated with an attack.

IDS (figure from Hack I.T.: Security Through Penetration, fig 19.2)

Host Based IDS
- Log monitors: parse system event log files. Example: check the Apache access log file for "cgi-bin".
- Integrity checkers: check key system structures (system files, registry keys) for change. Example: Tripwire, which reports file additions, deletions, flag modifications, access time changes, etc.
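Both host-based techniques from this slide, as an added example that is not part of the original lab (it is not Tripwire's code): a log monitor that parses Common Log Format lines and flags requests touching cgi-bin, and a minimal integrity checker that snapshots file hashes and permission bits, then reports additions, deletions and modifications. The access-log lines and the tampered files are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# Constructed Apache access-log sample (Common Log Format); not data from the slides.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [12/Mar/2020:10:01:07 +0000] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 212
10.0.0.5 - - [12/Mar/2020:10:02:11 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.9 - - [12/Mar/2020:10:02:30 +0000] "GET /cgi-bin/test-cgi HTTP/1.0" 200 55
"""

# host ident user [time] "method path protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_access_log(text):
    """Parse Common Log Format lines; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append({"host": m.group(1), "time": m.group(2), "method": m.group(3),
                            "path": m.group(4), "status": int(m.group(5))})
    return entries


def log_monitor(text, pattern="cgi-bin"):
    """Log monitor: (client, path) for every request whose path contains the pattern."""
    return [(e["host"], e["path"]) for e in parse_access_log(text) if pattern in e["path"]]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Baseline: relative path -> (sha256, permission bits) for every file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = (sha256_file(full), os.stat(full).st_mode & 0o777)
    return baseline


def compare(old, new):
    """Tripwire-style report: files added, deleted, or whose content or mode changed."""
    changed = []
    for rel in sorted(set(old) & set(new)):
        if old[rel][0] != new[rel][0]:
            changed.append((rel, "content"))
        elif old[rel][1] != new[rel][1]:
            changed.append((rel, "mode"))
    return {"added": sorted(set(new) - set(old)),
            "deleted": sorted(set(old) - set(new)),
            "changed": changed}


def demo_integrity_check():
    """Take a baseline of a throwaway tree, tamper with it, and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(root, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        before = snapshot(root)
        # Simulated tampering: append to one file, drop in a new one, delete another.
        with open(os.path.join(root, "passwd"), "a") as f:
            f.write("intruder:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "rootkit.ko"), "w") as f:
            f.write("x")
        os.remove(os.path.join(root, "hosts"))
        return compare(before, snapshot(root))


if __name__ == "__main__":
    print("cgi-bin requests:", log_monitor(SAMPLE_ACCESS_LOG))
    print("integrity report:", demo_integrity_check())
```

The value of the integrity checker depends entirely on the baseline: it must be taken on a known-clean system and stored where the monitored host cannot rewrite it (read-only media or a separate host), otherwise an intruder with root can update the database along with the files.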

Network Based IDS
- Signature based: a database of known signatures. Similar to virus signatures, but it looks for attack signatures.
- Anomaly based: form a baseline for a normal system and raise an alarm when the system is no longer functioning under normal conditions.

Network Based IDS: Deployment
- It should have access to all the network data.
- Alert generation.
- Response policy.
- Environment adaptation.
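The anomaly-based approach from the previous slide, as an added example that is not from the lab: a baseline is learned from a training period of known-good traffic (here, constructed per-minute connection counts from one host), and any later measurement more than k standard deviations above the baseline mean raises an alert. The signature-based side is what the Snort rules later in the deck do.

```python
import statistics

# Constructed baseline: new connections per minute from one host during a training
# period of known-good traffic (not data from the slides).
BASELINE_COUNTS = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 15]

# Constructed observation window: normal minutes, then a burst well above the baseline.
OBSERVED = [14, 13, 15, 120, 250, 14]


class AnomalyDetector:
    """Flags a measurement as anomalous when it lies more than k standard deviations
    above the mean of the training period."""

    def __init__(self, training, k=3.0, min_samples=5):
        if len(training) < min_samples:
            raise ValueError("not enough samples to form a baseline")
        self.mean = statistics.fmean(training)
        # Guard against a perfectly flat baseline, which would make any change 'infinite'.
        self.stdev = max(statistics.stdev(training), 1e-9)
        self.k = k

    def threshold(self):
        return self.mean + self.k * self.stdev

    def z_score(self, x):
        return (x - self.mean) / self.stdev

    def check(self, observations):
        """Return (index, value, z) for every observation above the threshold."""
        return [(i, x, round(self.z_score(x), 1)) for i, x in enumerate(observations)
                if x > self.threshold()]


if __name__ == "__main__":
    det = AnomalyDetector(BASELINE_COUNTS)
    print("mean=%.1f stdev=%.2f threshold=%.1f" % (det.mean, det.stdev, det.threshold()))
    for i, x, z in det.check(OBSERVED):
        print("minute %d: %d connections (z=%.1f) -> ALERT" % (i, x, z))
```

Two caveats a deployment has to handle: the training window must genuinely be clean, or the attack becomes part of "normal"; and if the baseline is re-learned continuously, a slow, steady increase in activity can drag the threshold upward over time, so the baseline should be frozen or reviewed rather than updated blindly.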

Hacking through the IDS
- Fragmentation or packet splitting: throughput increases, consuming more resources and making the IDS less accurate.
- Spoofing: spoof the sequence number. Sending random sequence numbers causes the IDS to become desynchronized from the source and ignore the true packets.
- Denial of service: IDS software can only handle a limited amount of data. Break the IDS, then attack the network.

SNORT, an open source IDS
Components of Snort:
- Packet Decoder
- Preprocessor
- Detection Engine
- Logging and Alerting System
- Output Modules
(Diagram: Internet -> Packet Decoder -> Preprocessor -> Detection Engine -> Logging and Alerting System -> Output Modules; other labels: Output, Alert, Dropped Packets.)

Components of Snort
- Packet Decoder: takes packets from different interfaces (Ethernet, PPP, SLIP) and prepares them for the other stages.
- Preprocessor: plugins that modify or set up data for the detection engine.
  - Same example as before: GET /cgi-bin/subdirectory/../phf. The preprocessor rearranges the data so that the IDS can detect it.
  - Packet defragmentation: if packets are too large they get fragmented into smaller packets, which must be reassembled prior to analysis.
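What the preprocessor stage buys the detection engine, as an added example (not Snort's code): the slide's `/cgi-bin/subdirectory/../phf` request is constructed, split into out-of-order fragments, and matched two ways. A matcher that looks at raw fragments never sees the signature `/cgi-bin/phf`; one that reassembles the fragments and normalizes the path first does. The same reassembly step is the defence against the fragmentation evasion on the "Hacking through the IDS" slide.

```python
import posixpath
import re
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/phf"   # the attack pattern a rule would look for

# Constructed evasive request: the slide's '../' trick, delivered out of order in
# three fragments (offset, bytes). Not traffic from the original lab.
REQUEST = b"GET /cgi-bin/subdirectory/../phf HTTP/1.0\r\n\r\n"
FRAGMENTS = [(20, REQUEST[20:]), (0, REQUEST[:8]), (8, REQUEST[8:20])]


def reassemble(fragments):
    """Rebuild a payload from (offset, data) fragments that may arrive out of order.
    Returns None while a hole remains so the caller never matches on partial data."""
    buf = bytearray()
    for offset, data in sorted(fragments, key=lambda f: f[0]):
        if offset > len(buf):
            return None                       # gap: a fragment is still missing
        buf.extend(data[len(buf) - offset:])  # overlap: keep the bytes already seen
    return bytes(buf)


def normalize_uri(raw):
    """Canonicalise a request path the way an HTTP preprocessor does before the
    detection engine sees it: drop the query, percent-decode, squeeze repeated
    slashes and resolve '.' and '..' segments."""
    path = re.sub(r"/+", "/", unquote(raw.partition("?")[0]))
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm


def request_path(payload):
    """Extract the path from the HTTP request line ('METHOD path VERSION')."""
    parts = payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    return parts[1] if len(parts) >= 2 else ""


def naive_match(fragments):
    """What a matcher does without preprocessing: test each fragment as it arrives."""
    return any(SIGNATURE.encode() in data for _, data in fragments)


def preprocessed_match(fragments):
    """Reassemble first, normalise the path, then match the signature."""
    payload = reassemble(fragments)
    if payload is None:
        return False
    return SIGNATURE in normalize_uri(request_path(payload))


if __name__ == "__main__":
    print("naive match:       ", naive_match(FRAGMENTS))
    print("preprocessed match:", preprocessed_match(FRAGMENTS))
```

Normalization only helps when it mirrors what the target web server will do with the request; a preprocessor that decodes differently from the server (for example, decoding a second layer of percent-encoding the server would not) can be made to see a different path than the server does. The reassembly policy for overlapping fragments (here, first fragment wins) should likewise match the operating system of the protected hosts.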

Components of Snort
- Detection Engine: the most important part of Snort; it uses the detection rules.
  - It is time dependent: the speed of the machine, the number of rules and the load on the network all affect it.
  - The detection engine applies rules to different parts of the packet: the header (IP/TCP/application) and the packet payload.
  - The policy for matching rules varies with versions; in v2 all the rules are matched and the highest-priority match is recorded.

Components of Snort
- Logging and Alerting System: based upon the matched rule, the packet is logged and/or an alert is generated. Logs go to /var/log/snort; use -l to change the location.
- Output Modules: change where the generated output goes:
  - log to the log file
  - SNMP traps (Simple Network Management Protocol; notification to the admin)
  - messages to syslog (the network logger)
  - logging to a database
  - XML generation for use in another program
  - send SMB messages (Server Message Block, the file-sharing protocol for Windows machines)

Snort Rules
A very bad rule:
alert ip any any -> any any (msg:"ip packet detected";)
- alert: the action to be performed
- ip: the rule applies to all IP packets
- any: the rule applies to any source IP address
- any: the rule applies to any source port
- ->: the direction of the packet
- any: the rule applies to any destination IP address
- any: the rule applies to any destination port

Rule Structure: Header
- Actions: pass, log, alert, activate, dynamic
- Protocols: ip, icmp, tcp, udp, etc.
- Address exclusion: ![ /24]; any; ...
(Diagram: a rule is Rule Header followed by Rule Options; the header is Action, Protocol, Source Address, Source Port, Direction, Destination Address, Destination Port.)

Rule Structure: Options
- ack keyword (nmap scanning purposes)
- classtype (classification: name, description, priority)
- content keyword, with the modifiers offset, depth and nocase
- dsize
- content-list
- logto
- ...
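The rule header and options from the last three slides, together with the v2 matching policy from the Detection Engine slide, as one added example (not Snort's parser or engine): a small parser for the `action proto src sport direction dst dport (options)` form, matchers for addresses (including `!` exclusion and CIDR lists), port ranges, `content` with its `nocase`/`offset`/`depth` modifiers and `dsize`, and an engine that tests every rule and orders the hits by priority. The rule set starts with the slide's "very bad rule", which matches every packet; the packet is constructed.

```python
import ipaddress
import re

# header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# one option: key[:value]; where value may be a double-quoted string
OPT_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

# Constructed rule set: the slide's "very bad rule" plus two narrower rules.
RULES_TEXT = """
alert ip any any -> any any (msg:"ip packet detected"; priority:3;)
alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; nocase; classtype:web-application-attack; priority:1;)
alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 1:1024 (msg:"large payload to low port"; dsize:>200; priority:2;)
"""


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: " + line)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = [(k, v.strip().strip('"')) for k, v in OPT_RE.findall(opts)]
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dir": direction,
            "dst": dst, "dport": dport, "options": options}


def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def addr_matches(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    nets = spec.lstrip("!").strip("[]").split(",")
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n.strip(), strict=False) for n in nets)
    return hit != negate


def port_matches(spec, port):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:                      # range lo:hi, either end may be open
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def header_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    fwd = (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
           and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    if rule["dir"] == "->" or fwd:
        return fwd
    return (addr_matches(rule["src"], pkt["dst"]) and port_matches(rule["sport"], pkt["dport"])
            and addr_matches(rule["dst"], pkt["src"]) and port_matches(rule["dport"], pkt["sport"]))


def payload_matches(options, payload):
    """content with its trailing modifiers (nocase/offset/depth), plus dsize."""
    groups = []
    for key, val in options:
        if key == "content":
            groups.append({"pat": val.encode(), "nocase": False, "offset": 0, "depth": None})
        elif key in ("nocase", "offset", "depth") and groups:
            groups[-1][key] = True if key == "nocase" else int(val)
        elif key == "dsize":
            n = len(payload)
            if "<>" in val:
                lo, hi = val.split("<>")
                ok = int(lo) < n < int(hi)
            elif val[0] in "<>":
                ok = n < int(val[1:]) if val[0] == "<" else n > int(val[1:])
            else:
                ok = n == int(val)
            if not ok:
                return False
    for g in groups:
        hay = payload[g["offset"]:]
        hay = hay if g["depth"] is None else hay[:g["depth"]]
        pat = g["pat"]
        if g["nocase"]:
            hay, pat = hay.lower(), pat.lower()
        if pat not in hay:
            return False
    return True


def evaluate(rules, pkt):
    """v2-style matching: test every rule; return (priority, action, msg) for all hits,
    highest priority (lowest number) first."""
    hits = []
    for r in rules:
        if header_matches(r, pkt) and payload_matches(r["options"], pkt["payload"]):
            o = dict(r["options"])
            hits.append((int(o.get("priority", 3)), r["action"], o.get("msg", "")))
    return sorted(hits)


# Constructed packet: an outside host requesting phf (mixed case) from an internal web server.
PKT = {"proto": "tcp", "src": "10.0.0.9", "sport": 41000, "dst": "192.168.1.10", "dport": 80,
       "payload": b"GET /CGI-BIN/PHF?Qalias=x HTTP/1.0\r\n\r\n"}

if __name__ == "__main__":
    for prio, action, msg in evaluate(parse_rules(RULES_TEXT), PKT):
        print(prio, action, msg)
```

Running it shows why the slide calls the first rule very bad: it fires on every packet and contributes a priority-3 alert to each result, burying the priority-1 phf hit in noise. The `nocase` modifier is what makes the upper-case `/CGI-BIN/PHF` request still match; without it the rule would be trivially bypassed by case changes.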

This week's lab: EagleX
- A Windows front-end for Snort.
- Easier to deploy than Snort by itself.
- There are many other front-ends for Snort, for Windows or Linux.