IDS – Intrusion Detection Systems

1. IDS – Intrusion Detection Systems

2. Overview • Concept: “An Intrusion Detection System is required to detect all types of malicious network traffic and computer usage that can't be detected by a conventional firewall. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).” • Components: • Sensors which generate security events • Console to monitor events and alerts and control the sensors • Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received. • Types: • Anomaly-Based Intrusion Detection System • Signature-Based Intrusion Detection System • Network-Based Intrusion Detection System • Host-based Intrusion Detection System

3. IDS mechanisms work together Source: ComputerWorld

4. Basic tools • Enterprise systems: Cisco Safe and IDS, Symantec Intrusion Protection, CA Host-based IPS,Network Intrusion- Prevention Systems, Others. • Honeypots: Honeyd Virtual Honeypot and Deception ToolKit • Snort:open source, from PCs to large networks; for Linux/UNIX, Windows, Macs. • References • Infosyssec IDS FAQ • SANS IDS FAQ • SANS InfoSec Reading Room: Intrusion Detection • WindowsSecurity.com: Intrusion Detection Systems (IDS): Classification; methods; techniques

5. Snort • What is Snort? • What can it do: detect and respond • Open source and business. • The main Web site for Snort. • Downloading • Download WinPcap 3.1 (do not use newer WinPcap versions.) • Download Snort for Windows or Linux • Install and setup • Install WinCap, then Snort, by double-clicking in the downloaded files. Snort is installed in c:\snort and snort.exe is in the c:\snort\bin directory. • Create a login in the Snort Web account signup page and login. • Go to the Download rules page and download under Sourcefire VRT Certified Rules - The Official Snort Ruleset (registered user release) the CURRENT file. It will look like: snortrules-snapshot-CURRENT.tar.gz • Extract this file to the directory c:\snort and both signatures (under doc) and rules (under rules) will be created.

6. Snort • Using snort • at the command prompt start in c:\snort\bin (options) • checking available interfaces c:\snort\bin snort -W example • capturing and viewing packets: c:\snort\bin snort -dev (press Control-C to stop the capture) example • capturing and saving in log file: c:\snort\bin snort -de -K ascii -l c:\snort\log examples: tcparp • log the Snort alert messages to the Windows Even Viewer, Applications c:\snort\bin snort -E - l c:\snort\log -c c:\snort\etc\snort.confsee example of running in IDS mode and events in Event viewer. • Modifying and creating rules • creating rules: experts only, download updates and read them. • modifying not a problem: typically many false positives are eliminated • example: I got many false positives as “MISC UPnP malformed advertisement [Classification: Misc Attack] “ I looked for misc.rules and edited rule as follows: #alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; In the example I just commented out the rule: added # in front of the line.

7. Snort • Additional references • Snort documentation • a Snort Reporting Tool • Snort IDS Policy Manager For Windows 2000/XP • Snort-Wireless • Securing your system with Snort in Linux • Snort install in Win 2000/XP with Acid and MySQL • Snort install in Linux with Acid and MySQL • ACID - Analysis Console for Intrusion Databases • ACID: Installation and Configuration in Linux • MySQL A free DB client and server