
CSCI 530 Lab




  1. CSCI 530 Lab: Intrusion Detection Systems (IDS)

  2. IDS
  • A collection of techniques and methodologies used to monitor for suspicious activity at both the network and the host level
  • It is not a firewall
  • It inspects the content and intent of the network traffic

  3. IDS
  • An additional level of security in the network
  • Firewalls will prevent attacks; an IDS is more like an alarm system
  • It will perform actions such as alerting, logging, etc. upon detection
  • It can be configured to make changes to the firewall rules upon detection of attacks
  • Can help detect attacks that pass through the firewall
  • Protection from insiders

  4. IDS
  • Deployed with multiple sensors at various locations on the network
  • Sensors report to a centralized management console
  • A sensor monitors traffic, matches it against the rule sets and raises alerts, logs it or takes some other action
  • A rule set contains traffic signatures or rules for unwanted behavior
    • Rules: check for thresholds, protocol, IP source and destination
    • Signatures: traffic patterns associated with an attack

  5. IDS (figure from Hack I.T.: Security Through Penetration, fig. 19.2)

  6. Host Based IDS
  • Log Monitors
    • Parse system event log files
    • Example: the Apache access log file; check for "cgi-bin"
  • Integrity Checkers
    • Check key system structures for changes: system files, registry keys
    • Tripwire: file additions, deletions, flag modifications, access time, etc.

  7. Network Based IDS
  • Signature Based
    • Database of known signatures
    • Similar to virus signatures, but it looks for attack signatures
  • Anomaly Based
    • Form a baseline for a normal system
    • Raise an alarm when the system is no longer functioning under normal conditions

  8. Network Based IDS Deployment
  • It should have access to all the network data
  • Alert generation
  • Response policy
  • Environment adaptation

  9. Hacking through the IDS
  • Fragmentation or packet splitting
    • Throughput increases, consuming more resources and making the IDS less accurate
  • Spoofing
    • Spoof the sequence number by sending random sequence numbers
    • Causes the IDS to be desynchronized from the source and ignore the true packets
  • Denial-of-Service
    • IDS software can only handle a limited amount of data
    • Break the IDS, then attack the network

  10. SNORT, Open source IDS (www.snort.org)
  • Components of Snort
    • Packet Decoder
    • Preprocessor
    • Detection Engine
    • Logging and Alerting System
    • Output Modules
  (Diagram labels: Internet, Packet Decoder, Preprocessor, Detection Engine, Logging and Alerting System, Output Modules, Output/Alert, Dropped Packets)

  11. Components of Snort
  • Packet Decoder
    • Takes packets from different interfaces (Ethernet, PPP, SLIP) and prepares them for the other stages
  • Preprocessor
    • Plugins that modify or set up data for the detection engine
    • Same example: GET /cgi-bin/subdirectory/../phf
    • It rearranges the data so that it is detectable by the IDS
    • Packet defragmentation: if packets are too large they get fragmented into smaller packets, which must be reassembled prior to analysis
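The two preprocessor jobs on this slide, and why they defeat the fragmentation trick from slide 9, are easiest to see in code. The following is an added example, not Snort's own preprocessor code: a URI normalizer that turns the slide's `GET /cgi-bin/subdirectory/../phf` into the form a `/cgi-bin/phf` signature expects, and a small fragment reassembler that rebuilds a request delivered as out-of-order fragments before the signature check runs. The signature list, the fragment tuple format and the sample request are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed signatures the detection engine looks for in the request path.
SIGNATURES = ["/cgi-bin/phf", "/etc/passwd"]


def normalize_uri(uri):
    """HTTP preprocessor step: drop the query string, decode %xx escapes (twice, to
    catch double encoding), collapse '.' / '..' segments and repeated slashes, and
    lower-case the result so that one signature form is enough."""
    path = uri.split("?", 1)[0]
    path = unquote(unquote(path))
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def match_signatures(uri):
    """Return every signature contained in the normalized path."""
    norm = normalize_uri(uri)
    return [s for s in SIGNATURES if s in norm]


def reassemble(fragments):
    """Defragmentation step: fragments are (offset, more_fragments, payload) tuples
    and may arrive in any order. Returns the full payload, or None while a hole
    remains. Overlaps keep the first-received byte; a real preprocessor chooses this
    policy per target host because operating systems differ here."""
    buf, total = {}, None
    for offset, more, data in fragments:
        for i, byte in enumerate(data):
            buf.setdefault(offset + i, byte)
        if not more:
            total = offset + len(data)
    if total is None or any(i not in buf for i in range(total)):
        return None
    return bytes(buf[i] for i in range(total))


def inspect_fragmented_request(fragments):
    """Reassemble, take the path from the request line, then run the signature check."""
    data = reassemble(fragments)
    if data is None:
        return None
    request_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    return match_signatures(parts[1]) if len(parts) >= 2 else []


# Constructed sample: the request from the slide, split into three fragments that
# arrive out of order.
REQUEST = b"GET /cgi-bin/subdirectory/../phf HTTP/1.0\r\n"
SAMPLE_FRAGMENTS = [
    (16, True, REQUEST[16:32]),
    (32, False, REQUEST[32:]),
    (0, True, REQUEST[:16]),
]

if __name__ == "__main__":
    print(normalize_uri("/cgi-bin/subdirectory/../phf"))
    print(inspect_fragmented_request(SAMPLE_FRAGMENTS))
    print(inspect_fragmented_request(SAMPLE_FRAGMENTS[:2]))  # first fragment missing
```

Without the normalizer, a naive substring match on the raw path misses the request; without reassembly, each fragment on its own contains too little of the path to match. That is exactly the gap the evasion techniques on slide 9 rely on.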

  12. Components of Snort
  • Detection Engine
    • Most important part of the engine
    • Uses the detection rules
    • It is time dependent: speed of the machine, number of rules, load on the network
    • The Detection Engine applies rules to different parts of the packet: the header (IP/TCP/application) and the packet payload
    • The policy for matching rules varies with versions; in v2 all the rules are matched and the highest priority is recorded

  13. Components of Snort
  • Logging and Alerting System
    • Based upon the matched rule, the packet is logged and/or an alert is generated
    • Logs go to /var/log/snort; use -l to change the location
  • Output Modules
    • Change the destination of the generated output:
    • Log in the log file
    • SNMP traps (Simple Network Management Protocol, notification to admin)
    • Messages to syslog (network logger)
    • Logging to a database
    • XML generation for use in another program
    • Send SMB (Server Message Block, protocol for sharing files on the network for Windows machines)

  14. Snort Rules
  • A very bad rule:
    alert ip any any -> any any (msg: "ip packet detected";)
  • alert: the action to be performed
  • ip: rule applies to all IP packets
  • any: rule applies to any source IP address
  • any: rule applies to any source port
  • ->: direction of packet
  • any: rule applies to any destination IP address
  • any: rule applies to any destination port

  15. Rule Structure: Rule Header + Rule Options
  • Header
    • Actions: Pass, Log, Alert, Activate, Dynamic
    • Protocols: IP, ICMP, TCP, UDP, etc.
    • Address, with exclusion: ![192.168.1.0/24] any any …
  Header layout: Action | Protocol | Source Address | Source Port | Direction | Destination Address | Destination Port

  16. Rule Structure
  • Options
    • Ack keyword (nmap scanning purposes)
    • Classtype (classification: name, description, priority)
    • Content keyword, with the modifiers
      • Offset
      • Depth
      • Nocase
    • Dsize
    • Content-list
    • Logto
    • ………
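To see how the header fields from slides 14 and 15 and the options from slide 16 combine, here is an added example (not Snort's own code and not part of the lab): a minimal rule parser and matcher in Python. It reads the "very bad rule" from slide 14 plus three constructed rules, and evaluates them against constructed packets. It handles `any`, CIDR addresses and the `![...]` exclusion form, `content` with its `offset`, `depth` and `nocase` modifiers, and `dsize`; everything else in Snort's rule language is out of scope. All packet values are made up for the example.

```python
import ipaddress
import re

# Constructed rules. The first is the "very bad rule" from slide 14; the rest are
# assumptions for this example that exercise a few of the options on slide 16.
RULES_TEXT = """
alert ip any any -> any any (msg:"ip packet detected";)
alert tcp ![192.168.1.0/24] any -> 192.168.1.0/24 80 (msg:"phf access"; content:"/cgi-bin/phf"; nocase;)
alert tcp any any -> 192.168.1.0/24 80 (msg:"GET at start"; content:"GET"; offset:0; depth:3;)
alert udp any any -> any 53 (msg:"large DNS query"; dsize:>512;)
"""

# Rule header: action proto src sport direction dst dport (options)
HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def parse_rule(line):
    """Split one rule into header fields plus an ordered list of (keyword, value)."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: " + line)
    rule = m.groupdict()
    rule["options"] = []
    for item in rule.pop("opts").split(";"):
        if item.strip():
            key, _, val = item.strip().partition(":")
            rule["options"].append((key.strip(), val.strip().strip('"')))
    return rule


def parse_rules(text):
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def addr_matches(spec, ip):
    """'any', a host or CIDR, or the ![...] exclusion form from slide 15."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    network = ipaddress.ip_network(spec.lstrip("!").strip("[]"), strict=False)
    return (ipaddress.ip_address(ip) in network) != negate


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def options_match(opts, payload):
    """offset/depth/nocase modify the content keyword that precedes them, as in Snort."""
    i = 0
    while i < len(opts):
        key, val = opts[i]
        if key == "content":
            needle, offset, depth, nocase = val.encode(), 0, None, False
            i += 1
            while i < len(opts) and opts[i][0] in ("offset", "depth", "nocase"):
                mod, arg = opts[i]
                if mod == "offset":
                    offset = int(arg)
                elif mod == "depth":
                    depth = int(arg)
                else:
                    nocase = True
                i += 1
            window = payload[offset:] if depth is None else payload[offset:offset + depth]
            if nocase:
                needle, window = needle.lower(), window.lower()
            if needle not in window:
                return False
            continue
        if key == "dsize":  # dsize:>N, dsize:<N or dsize:N on the payload length
            n = int(val.lstrip("<>"))
            ok = len(payload) > n if val[0] == ">" else len(payload) < n if val[0] == "<" else len(payload) == n
            if not ok:
                return False
        i += 1
    return True


def rule_matches(rule, pkt):
    """pkt is a dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    return (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])
            and options_match(rule["options"], pkt["payload"]))


def evaluate(rules, pkt):
    """Return the msg of every rule that fires (v2 matches all rules, per slide 12)."""
    return [dict(r["options"])["msg"] for r in rules if rule_matches(r, pkt)]


RULES = parse_rules(RULES_TEXT)

# Constructed sample packets.
EXTERNAL_PHF = {"proto": "tcp", "src": "10.1.1.1", "sport": 40000, "dst": "192.168.1.10",
                "dport": 80, "payload": b"GET /CGI-BIN/PHF HTTP/1.0\r\n"}
INTERNAL_PHF = dict(EXTERNAL_PHF, src="192.168.1.5")
BIG_DNS = {"proto": "udp", "src": "10.1.1.1", "sport": 5353, "dst": "192.168.1.53",
           "dport": 53, "payload": b"\x00" * 600}

if __name__ == "__main__":
    for name, pkt in [("external", EXTERNAL_PHF), ("internal", INTERNAL_PHF), ("dns", BIG_DNS)]:
        print(name, evaluate(RULES, pkt))
```

Note that the slide's "very bad rule" fires on every packet here, which is the point of calling it bad: a rule with no options produces an alert per packet and buries the useful ones, and the `![192.168.1.0/24]` exclusion in the second rule is what keeps traffic from the internal network from raising the phf alert.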

  17. This week's lab
  • EagleX
    • Windows front-end for Snort
    • Easier to deploy than Snort by itself
  • There are many other front-ends for Snort, for Windows or Linux
