Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.

Similar presentations


Presentation on theme: "CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and."— Presentation transcript:

1 CSCI 530 Lab Intrusion Detection Systems IDS

2 A collection of techniques and methodologies used to monitor suspicious activities both at the network and the host level It is not a firewall It inspects the content and intent of the network traffic

3 IDS Additional level of security in the network Firewalls will prevent attacks IDS is more like an alarm system It will perform actions like Alerting, logging, etc upon detection. It can be configured to make changes in the firewall rules upon detection of attacks Can help detect attacks that pass through the firewall Protection from the insiders

4 IDS Deployed with multiple sensors on various location on the network Report to a centralized management console A sensor Monitors traffic, matches against the rule sets and raises alerts, logs it or some other action. A rule set contains Traffic signatures or rules for unwanted behavior Rules Check for threshold, protocol IP source and destination Signatures Traffic patterns associated with attack

5 IDS Hack I.T.: Security Through Penetration fig 19.2

6 Host Based IDS Log Monitors Parse system event Log files Example: Apache, access log file check for “cgi-bin” Integrity Checkers check for key system structures to change System files, registry keys Tripwire File Additions, deletions, flag modifications, access time etc.

7 Network Based IDS Signature Based Database of know signatures Similar to virus signatures, but it looks for attack signatures Anomaly based Form a baseline for a normal system Raise an alarm when the system is no longer functioning under normal conditions

8 Network Based IDS Deployment It should have access to all the network data Alerts generation Response Policy Environment adaptation

9 Hacking through the IDS Fragmentation or packet splitting throughput increases, consuming more resources making the IDS less accurate Spoofing Spoof the sequence no. Sending random sequence numbers Causes IDS to be desynchronized from the source and ignore the true packets Denial-of-Service IDS software can only handle a limited amount of data Break the IDS, then attack the network

10 SNORT, Open source IDS www.snort.org Components of snort Packet Decoder Preprocessor Detection Engine Logging and Alerting System Output Modules Internet Preprocessor Packet Decoder Detection Engine Output Alert Logging and Alerting System Output Modules Dropped Packets

11 Components of Snort Packet Decoder It takes packets from different interfaces (ethernet, PPP, SLIP) and prepares it for the other stages Preprocessor Plugins that modify or setup data for the detection engine Same example  GET /cgi-bin/subdirectory/../phf It rearranges the data to be detectable by the IDS Packet defragmentation If the packets are too large, then it gets fragmented into smaller packets Must be reassembled prior to analysis

12 Components of Snort Detection Engine Most important part of the engine Uses the detection rules It is time dependent Speed of the machine Number of rules Load on the network The Detection Engine applies rules to different parts of the packet Header (IP/TCP/Application) Packet Payload Policy for matching of rules varies with versions In v2 all the rules are matched, highest priority recorded

13 Components of snort Logging and Alerting system Based upon the matched rule Logged, alert generated Logs /var/log/snort -l for the modification of location Output Modules Changes the location of the generated output Log in the logfile SNMP traps (Simple Network Managent Protocol, notification to admin) Messages to syslog (network logger) Logging to a Database XML generation for use in another program Send SMB (server message block, protocol for sharing files on the network for Windows Machines)

14 Snort Rules A very bad rule Alert ip any any -> any any (msg: “ip packet detected”;) Alert: the action to be performed, ip : rule applies to all ip packets any : rule applies to any source ip address any : rule applies to any source port -> : direction of packet any : rule applies to any destination ip address any : rule applies to any destination port

15 Rule Structure Header Actions Pass, Log, Alert, Activate, Dynamic Protocols IP, ICMP, TCP, UDP, etc. Address Exclusion ![192.168.1.0/24] any any… Rule Header Rule Options Action Protocol Address Port Direction Address Port Header SourceDestination

16 Rule Structure Options Ack keyword(nmap scanning purposes) Classtype (classification:name:description:priority) Content keyword Offset Depth Nocase Dsize Content-list Logto ………

17 This week’s lab EagleX Windows front-end for Snort Easier to deploy than Snort by itself There are many other front-ends for Snort, for Windows or Linux


Download ppt "CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and."

Similar presentations


Ads by Google