IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that...
IDS Intrusion Detection Systems
CERT definition:
A combination of hardware and software that monitors and collects system and network information and analyzes it to determine if an attack or an intrusion has occurred. Some ID Systems can automatically respond to an intrusion.
Two Models
Anomaly Detection Model: database of normal activity; search for deviations
Misuse Detection Model: database of malicious signatures; search for matches
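The two models side by side, as an added example that is not part of the original slides: the misuse detector matches a small signature database against constructed sshd log lines, and the anomaly detector compares this hour's failed-login count against a constructed baseline of "normal" hourly counts. The log lines, the baseline numbers and the signature names are all constructed for the example.

```python
import re
from statistics import mean, pstdev

# Constructed baseline (not from the slides): failed SSH logins per hour on one
# host over a "normal" day. This is the anomaly model's database of normal activity.
BASELINE_FAILED_PER_HOUR = [2, 1, 0, 1, 3, 2, 1, 0, 2, 1, 1, 2,
                            1, 0, 2, 3, 1, 1, 2, 0, 1, 2, 1, 1]

# Constructed sshd log lines for the hour under analysis.
SAMPLE_LOG = """\
Jan 10 09:00:01 host1 sshd[2001]: Accepted password for alice from 10.0.0.5 port 50210 ssh2
Jan 10 09:00:07 host1 sshd[2002]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jan 10 09:00:08 host1 sshd[2003]: Failed password for root from 203.0.113.9 port 40002 ssh2
Jan 10 09:00:09 host1 sshd[2004]: Failed password for admin from 203.0.113.9 port 40003 ssh2
Jan 10 09:00:10 host1 sshd[2005]: Failed password for admin from 203.0.113.9 port 40004 ssh2
Jan 10 09:00:11 host1 sshd[2006]: Failed password for oracle from 203.0.113.9 port 40005 ssh2
Jan 10 09:00:12 host1 sshd[2007]: Failed password for oracle from 203.0.113.9 port 40006 ssh2
Jan 10 09:00:13 host1 sshd[2008]: Failed password for test from 203.0.113.9 port 40007 ssh2
Jan 10 09:00:14 host1 sshd[2009]: Failed password for test from 203.0.113.9 port 40008 ssh2
Jan 10 09:00:15 host1 sshd[2010]: Failed password for guest from 203.0.113.9 port 40009 ssh2
Jan 10 09:05:30 host1 sshd[2011]: Accepted publickey for bob from 10.0.0.7 port 51000 ssh2
Jan 10 09:07:02 host1 sshd[2012]: Invalid user pi from 198.51.100.4 port 33333
"""

# Misuse model: a database of malicious signatures; alert on every match.
SIGNATURES = {
    "root-login-attempt": re.compile(r"Failed password for root from (\S+)"),
    "invalid-user-probe": re.compile(r"Invalid user \S+ from (\S+)"),
}

def misuse_detect(log_text):
    """Return (signature_name, source_ip) for each line matching a signature."""
    hits = []
    for line in log_text.splitlines():
        for name, pattern in SIGNATURES.items():
            m = pattern.search(line)
            if m:
                hits.append((name, m.group(1)))
    return hits

# Anomaly model: compare observed activity against the baseline and flag deviations.
FAILED_RE = re.compile(r"Failed password for \S+ from (\S+)")

def anomaly_detect(log_text, baseline=BASELINE_FAILED_PER_HOUR, k=3.0):
    """Count failed logins in this hour's log and flag the hour if the count
    exceeds mean + k * stdev of the baseline. Returns (flagged, observed, threshold)."""
    observed = sum(1 for line in log_text.splitlines() if FAILED_RE.search(line))
    threshold = mean(baseline) + k * pstdev(baseline)
    return observed > threshold, observed, threshold

if __name__ == "__main__":
    for name, ip in misuse_detect(SAMPLE_LOG):
        print(f"misuse: {name} from {ip}")
    flagged, observed, threshold = anomaly_detect(SAMPLE_LOG)
    print(f"anomaly: {observed} failed logins, threshold {threshold:.1f}, flagged={flagged}")
```

The two models catch different things in the same log: the misuse detector only fires on the two root attempts and the invalid-user probe, since those are the only lines with signatures, while the anomaly detector flags the hour because nine failures is far above the baseline, without knowing which accounts were tried. The non-root failures are a false negative for the misuse model alone, and the single invalid-user probe is invisible to the anomaly model alone.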
IDS - What Can It Do?
• Monitor and analyze user/system/network activities
• Audit configuration vulnerabilities
• Assess integrity of critical files
• Recognize patterns of known attacks
• Statistically analyze for abnormal activities
• Respond with warnings and/or actions
• Install decoy servers (honey pots)
• Install vendor patches (some IDS)
Key terms: false positive, false negative
Two Types of IDS
Network-based Intrusion Detection System (NIDS)
• Searches for patterns in packets, patterns of packets and packets that don’t belong.
• Can log results or communicate via SMTP/SNMP
• Sensors, analyzers and management consoles
• Observe network traffic flow
• Reactive sensors might alter router/firewall rules
• More extreme response: throttling, session hijacking
Host-based Intrusion Detection System (HIDS)
• Searches for patterns in logs, processes, and/or memory.
• Can check file integrity (MD5)
• HID also called agent
Rule-based Appliances: Snort Rules
# header: action proto src_ip src_port direction dst_ip dst_port, then (options)
alert tcp !138.49.38.0/24 any -> 138.49.38.0/24 111 ( content ... msg ...)
log udp any any -> 138.49.38.0/24 1:1024
alert tcp any any -> 138.49.38.0/24 any ( flags:SF; msg:"possible SYN FIN scan")
pass icmp any any <> 138.49.38.0/24 any (itype:0)
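To show what the header fields and the `!`, `1:1024`, `<>`, `flags`, `itype` and `content` pieces of those rules actually mean, here is an added example (not Snort's code and not from the slides): a miniature rule matcher that parses rules modelled on the four above and evaluates them against constructed packets. The `content:"rpcinfo"` and `msg:"external portmapper probe"` strings in the first rule are hypothetical, since the slide elides them; the destination ports the slide left out are written as `any`, as Snort's header syntax requires; and the pass-before-alert-before-log precedence is an assumption of this example (Snort's rule ordering is configurable).

```python
import ipaddress

# Rules modelled on the slide's examples; first rule's content/msg are hypothetical.
RULES_TEXT = [
    'alert tcp !138.49.38.0/24 any -> 138.49.38.0/24 111 (content:"rpcinfo"; msg:"external portmapper probe")',
    'log udp any any -> 138.49.38.0/24 1:1024',
    'alert tcp any any -> 138.49.38.0/24 any (flags:SF; msg:"possible SYN FIN scan")',
    'pass icmp any any <> 138.49.38.0/24 any (itype:0)',
]

# Assumed precedence: pass rules are checked before alert, then log.
ACTION_ORDER = {"pass": 0, "alert": 1, "log": 2}

def parse_rule(text):
    """Split a rule into its 7 header fields and a dict of option keyword -> value."""
    header, _, opts = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = {}
    for item in opts.rstrip(")").split(";"):
        if ":" in item:
            key, value = item.split(":", 1)
            options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

RULES = sorted((parse_rule(t) for t in RULES_TEXT), key=lambda r: ACTION_ORDER[r["action"]])

def addr_match(spec, ip):
    """'any', a CIDR/IP, or a '!'-negated CIDR/IP."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    in_net = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return in_net != negate

def port_match(spec, port):
    """'any', a single port, a lo:hi range (either end may be open), or '!'-negated."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def options_match(options, pkt):
    """Only the three option keywords used by the slide's rules are modelled."""
    if "flags" in options and set(options["flags"]) != set(pkt.get("flags", "")):
        return False  # flags:SF means exactly SYN and FIN set
    if "itype" in options and pkt.get("itype") != int(options["itype"]):
        return False
    if "content" in options and options["content"].encode() not in pkt.get("payload", b""):
        return False
    return True

def header_match(rule, pkt):
    def one_way(src, sport, dst, dport):
        return (addr_match(rule["src"], src) and port_match(rule["sport"], sport)
                and addr_match(rule["dst"], dst) and port_match(rule["dport"], dport))
    if rule["proto"] != pkt["proto"]:
        return False
    if one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    # '<>' matches the reverse direction too
    return rule["dir"] == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

def evaluate(pkt, rules=RULES):
    """Return (action, msg) of the first matching rule, or None if nothing matches."""
    for rule in rules:
        if header_match(rule, pkt) and options_match(rule["options"], pkt):
            return rule["action"], rule["options"].get("msg")
    return None

# Constructed packets: decoded 5-tuples plus the fields the options inspect.
PACKETS = {
    "external portmapper probe": {"proto": "tcp", "src": "203.0.113.7", "sport": 4444,
                                  "dst": "138.49.38.10", "dport": 111, "flags": "PA", "payload": b"..rpcinfo.."},
    "internal portmapper traffic": {"proto": "tcp", "src": "138.49.38.3", "sport": 5000,
                                    "dst": "138.49.38.9", "dport": 111, "flags": "PA", "payload": b"..rpcinfo.."},
    "dns reply": {"proto": "udp", "src": "10.1.1.1", "sport": 53, "dst": "138.49.38.20", "dport": 53},
    "syn-fin probe": {"proto": "tcp", "src": "203.0.113.7", "sport": 1,
                      "dst": "138.49.38.5", "dport": 80, "flags": "SF"},
    "echo reply leaving": {"proto": "icmp", "src": "138.49.38.5", "sport": 0, "dst": "10.0.0.1", "dport": 0, "itype": 0},
}

if __name__ == "__main__":
    for label, pkt in PACKETS.items():
        print(f"{label:30s} -> {evaluate(pkt)}")
```

The internal portmapper packet shows why the first rule negates its source: the same payload from inside 138.49.38.0/24 produces no alert, while the identical payload from outside does. The echo reply only matches the pass rule in the reverse direction, which is what `<>` buys over `->`.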
IDS Disadvantages
Network-based Intrusion Detection System (NIDS)
• Large bandwidth can overwhelm sensor
• Sensor can view network flow, but not its impact upon host(s)
• Encryption
• Cannot see all network traffic
Host-based Intrusion Detection System (HIDS)
• Processor time
• Log file requirements
• OS vulnerabilities may impact agent
• Agents are OS specific
An IDS is another tool in the arsenal.
Example: Port Scans
(Diagram: IP addresses plotted against ports, contrasting a port sweep with a port scan.)
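The port-scan example as detection logic, added here and not taken from the slides: over constructed flow records (source IP, destination IP, destination port), a source that touches many ports on one host is labelled a port scan and a source that touches one port on many hosts is labelled a port sweep. This is the "statistically analyze for abnormal activities" capability from the earlier slide; the thresholds and the flow records are this example's own.

```python
from collections import defaultdict

# Constructed flow records (not from the slides): (src_ip, dst_ip, dst_port).
FLOWS = [
    # normal: one client talking to one web server on two ports
    ("10.0.0.5", "138.49.38.10", 80), ("10.0.0.5", "138.49.38.10", 443),
    # port scan: one source probing 25 ports on a single host
    *[("203.0.113.9", "138.49.38.20", p) for p in range(20, 45)],
    # port sweep: one source probing port 22 across 30 hosts
    *[("198.51.100.4", f"138.49.38.{h}", 22) for h in range(1, 31)],
]

def classify_sources(flows, scan_threshold=10, sweep_threshold=10):
    """Return {src: [(label, target_or_port, count), ...]} for sources that exceed
    either threshold. Thresholds are arbitrary here; tune them to the network's
    normal fan-out to control false positives."""
    ports_by_target = defaultdict(lambda: defaultdict(set))  # src -> dst -> {ports}
    hosts_by_port = defaultdict(lambda: defaultdict(set))    # src -> port -> {dsts}
    for src, dst, port in flows:
        ports_by_target[src][dst].add(port)
        hosts_by_port[src][port].add(dst)

    findings = {}
    for src in list(ports_by_target):
        labels = []
        for dst, ports in ports_by_target[src].items():
            if len(ports) >= scan_threshold:
                labels.append(("port scan", dst, len(ports)))
        for port, hosts in hosts_by_port[src].items():
            if len(hosts) >= sweep_threshold:
                labels.append(("port sweep", port, len(hosts)))
        if labels:
            findings[src] = labels
    return findings

if __name__ == "__main__":
    for src, labels in classify_sources(FLOWS).items():
        for label, target, count in labels:
            print(f"{src}: {label} ({target}, {count})")
```

Real scanners spread probes over time and source addresses, so a production detector keeps these counters per time window and ages them out; the distinct-set counting above is the core that such windows wrap.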
Products
Snort http://www.snort.org
Sourcefire http://www.sourcefire.com
Cisco Secure IDS http://www.cisco.com/go/ids/
Tripwire http://www.tripwire.com