SNORT Biopsy: A Forensic Analysis on Intrusion Detection System. By Asif Syed Chowdhury
What is intrusion detection? “A true intrusion detection is simply trying to detect the signs of a network intruder before damage is done to the infrastructure.” A basic example of an intrusion detection mechanism would be to review system logs for suspicious activities. Examples: network logs, server logs, internet security monitor logs and even Windows Event Viewer logs.
There are two key types of IDS:
• Host based intrusion detection (HIDS): A HIDS might look at the state of a system and its stored information, whether in RAM, in the file system, in log files or elsewhere, and check that the contents of these appear as expected.
• Network based intrusion detection (NIDS): A NIDS determines when unauthorized people are attempting to break into the network and alerts the security personnel. NIDS is the final layer of intrusion detection.
Why Snort as a NIDS?
• It is an open source IDS and thus cost effective.
• It is platform independent.
• It is very flexible and easily deployable.
• The rules and signatures are frequently updated.
• It is the most popular open source IDS in the world!
SNORT Biopsy begins…
• BUT FIRST, LET'S SEE WHAT A HACKER DOES. The 6 Rules of Hacking
Snort Installation
• Configuration of snort.conf
• ADOdb for database connectivity
• BASE for the front end GUI
• MySQL or SQL Server as the back end database
• PHP to support the BASE front end
• WinPcap
The Duo
Signature: A network IDS signature is a pattern that we want to look for in traffic. Example: a denial of service attack on a POP3 server caused by issuing the same command thousands of times. One signature for this attack would be to keep track of how many times the command is issued and to alert when that number exceeds a certain threshold.
Rules: Rules perform some degree of matching against a packet or stream of packets and are designed to alert an operator to a network event of interest. This network event is usually identified as suspicious or malicious activity, but some of the network events could be false positives.
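The POP3 signature described above (count repeated commands per source, alert past a threshold) is the kind of logic a NIDS rule with a rate threshold expresses. The following is an added example, not code from the slides or from Snort: it implements that signature in plain Python over constructed log lines of the form `<epoch> <src_ip> <command> [args]`, using a sliding time window so that a slow, normal client does not trip the alert while a burst does. The threshold and window values are illustrative assumptions.

```python
from collections import defaultdict, deque


class CommandFloodDetector:
    """Track how often each source issues a given POP3 command inside a sliding
    time window and raise one alert per (source, command) once the count
    exceeds the threshold."""

    def __init__(self, threshold=20, window_seconds=10):
        self.threshold = threshold
        self.window = window_seconds
        self._hits = defaultdict(deque)  # (src, cmd) -> timestamps still in window
        self._alerted = set()

    def observe(self, ts, src, cmd):
        key = (src, cmd.upper())
        q = self._hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire timestamps outside the window
            q.popleft()
        if len(q) > self.threshold and key not in self._alerted:
            self._alerted.add(key)
            return f"ALERT {src} issued {cmd.upper()} {len(q)} times in {self.window}s"
        return None


def parse_line(line):
    """Parse one constructed log line: '<epoch> <src_ip> <command> [args]'."""
    ts, src, cmd, *_args = line.split()
    return float(ts), src, cmd


def scan(lines, threshold=20, window_seconds=10):
    """Run the detector over a sequence of log lines and return the alerts raised."""
    det = CommandFloodDetector(threshold, window_seconds)
    alerts = []
    for line in lines:
        alert = det.observe(*parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic: one ordinary session, then a burst of 50 USER
# commands from a second source within five seconds.
SAMPLE_LOG = [
    "1000.0 10.0.0.5 USER alice",
    "1001.0 10.0.0.5 PASS ****",
    "1002.0 10.0.0.5 STAT",
    "1003.0 10.0.0.5 QUIT",
] + [f"{2000 + i * 0.1:.1f} 192.0.2.9 USER bob" for i in range(50)]

# Constructed slow client: 30 commands one second apart, never more than 11 in
# any ten-second window, so no alert should fire with the defaults.
SLOW_LOG = [f"{3000 + i}.0 10.0.0.7 STAT" for i in range(30)]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a)
    print("slow client alerts:", scan(SLOW_LOG))
```

The per-key `_alerted` set is deliberate: a signature that fires on every packet past the threshold floods the operator with duplicate alerts, which is exactly the "ignoring frequent false positives" trap listed later in these slides.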
Implementation
There are many different ways an IDS can be installed. One of the most current approaches is to implement it as “Software as a Service”.
Five Common IDS Implementation Mistakes
• Ignoring frequent false positives
• Avoiding IPSec to support NIDS
• Monitoring only inbound connections
• Using shared network resources to gather NIDS data
• Trusting IDS analysis to non-expert analysts
The Future
Creating an IDS that can prevent intrusion from happening before the network system is compromised.
- AI.
- Improved algorithms to perform pattern matching.
Conclusion
Ultimately, I think that future IDS will merge all of the independent network components and tools which exist today into a complete and cooperative system, dedicated to keeping networks stable. There will be many distributed elements performing specific jobs, each passing the results on to a higher level for correlation and analysis. As always, the ultimate authority will be our own judgment.