Download presentation
Presentation is loading. Please wait.
Published byReynold Stewart Modified over 8 years ago
1
SNORT Biopsy: A Forensic Analysis on Intrusion Detection System By Asif Syed Chowdhury
2
What is intrusion detection? “A true intrusion detection is simply trying to detect the signs of a network intruder before damage is done to the infrastructure.” “A true intrusion detection is simply trying to detect the signs of a network intruder before damage is done to the infrastructure.” A basic example of intrusion detection mechanism would be to review system logs for suspicious activities. Example: Network logs, server logs, internet security monitor logs and even windows eventview logs. A basic example of intrusion detection mechanism would be to review system logs for suspicious activities. Example: Network logs, server logs, internet security monitor logs and even windows eventview logs.
3
There are two key types of IDS: Host based intrusion detection (HIDS): Host based intrusion detection (HIDS): A HIDS might look at the state of a system, its stored information, whether in RAM, in the file-system, log files or elsewhere; and check that the contents of these appear as expected. A HIDS might look at the state of a system, its stored information, whether in RAM, in the file-system, log files or elsewhere; and check that the contents of these appear as expected. Network base intrusion detection (NIDS): Network base intrusion detection (NIDS): NIDS determine when unauthorized people are attempting to break in the network system and alerts the security personal. NIDS determine when unauthorized people are attempting to break in the network system and alerts the security personal. NIDS is the final layer of intrusion detection
4
Why Snort as a NIDS? It is an open source IDS and thus cost effective. It is an open source IDS and thus cost effective. It is platform independent. It is platform independent. It is very flexible and easily deployable. It is very flexible and easily deployable. The rules and signatures are frequently updated. The rules and signatures are frequently updated. It is the most popular open source IDS in the world! It is the most popular open source IDS in the world!
5
SNORT Biopsy begin…. BUT FIRST, LETS SEE WHAT A HACKER DOES? BUT FIRST, LETS SEE WHAT A HACKER DOES? The 6 Rules of Hacking 1. Footprinting 2. Scanning 3. Enumeration 4. Gaining Access 5. Escalating 6. Covering Tracks
6
Snort Installation Configuration of Snort.config Configuration of Snort.config Adodb for database connectivity Adodb for database connectivity Base for the front end GUI Base for the front end GUI Mysql or SQL server as back end database Mysql or SQL server as back end database Php to support the front end Base Php to support the front end Base Winpcap Winpcap
7
The Duo Signature: A network IDS signature is a pattern that we want to look for in traffic. Example: Example: Denial of service attack on a POP3 server caused by issuing the same command thousands of times. One signature for this attack would be to keep track of how many times the command is issued and to alert when that number exceeds a certain threshold.. Denial of service attack on a POP3 server caused by issuing the same command thousands of times. One signature for this attack would be to keep track of how many times the command is issued and to alert when that number exceeds a certain threshold.. Rules: performs some degree of matching against a packet or stream of packets are designed to alert an operator to a network event of interest. This network event is usually identified as a suspicious or malicious activity, but some of the network events could be false positives.
8
Implementation There are many different ways IDS can be installed. One the most current approach is to implement as “Software as a Service”.
13
Five Common IDS Implementation Mistakes Ignoring frequent false positives Ignoring frequent false positives Avoiding IPSec to support NIDS Avoiding IPSec to support NIDS Monitoring only inbound connections Monitoring only inbound connections Using Shared Network Resources to gather NIDS data Using Shared Network Resources to gather NIDS data Trusting IDS analysis to non-expert analysts Trusting IDS analysis to non-expert analysts
14
The Future Creating an IDS that can prevent intrusion from happening before the network system is compromised. Creating an IDS that can prevent intrusion from happening before the network system is compromised. - AI. - AI. - Improved algorithm to perform pattern matching. - Improved algorithm to perform pattern matching.
15
Conclusion Ultimately, I think that future IDS will merge all of the independent network components and tools which exist today, into a complete and cooperative system, dedicated to keeping networks stable. There will be many distributed elements performing specific jobs, each passing the results onto a higher level for correlation and analysis. As always, the ultimate authority will be our own judgment. Ultimately, I think that future IDS will merge all of the independent network components and tools which exist today, into a complete and cooperative system, dedicated to keeping networks stable. There will be many distributed elements performing specific jobs, each passing the results onto a higher level for correlation and analysis. As always, the ultimate authority will be our own judgment.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.