1 / 8

IDS Intrusion Detection Systems

CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes it to determine if an attack or an intrusion has occurred. Some ID Systems can automatically respond to an intrusion. IDS Intrusion Detection Systems. Two Models.

goldy
Download Presentation

IDS Intrusion Detection Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CERT definition: • A combination of hardware and software that monitors and collects system and network information and analyzes it to determine if an attack or an intrusion has occurred. Some ID Systems can automatically respond to an intrusion. IDS Intrusion Detection Systems Two Models Anomaly Detection Model Misuse Detection Model database of normal activity search for deviations database of malicious signatures search for matches

  2.  Monitor and analyze user/system/network activities  Audit configuration vulnerabilities  Assess integrity of critical files  Recognize patterns of known attacks  Statistically analyze for abnormal activities  Respond with warnings and/or actions  Install decoy servers (honey pots)  Install vendor patches (some IDS) IDS - What Can It Do? false positive false negative

  3. Host-based Intrusion Detection System (HIDS) • Searches for patterns in logs, processes, and/or memory. • Can check file integrity (MD5) Two Types of IDS • Observe network traffic flow • HID also called agent Network-based Intrusion Detection System (NIDS) • Searches for patterns in packets, patterns of packets and packets that don’t belong. • Can log results or communicate via SMTP/SNMP • Sensors, analyzers and management consoles • Reactive sensors might alter router/firewall rules • More extreme response: throttling, session hijacking

  4. Snort Rules alert tcp !138.49.38.0/24 any -> 138.49.38.0/24 111\ ( content ... msg ...) Rule-based Appliances log udp any any -> 138.49.38.0/24 1:1024 alert tcp any any -> 138.49.38.0/24 ( flags:SF; msg:”possible SYN FIN scan”) pass icmp any any <> 138.49.38.0/24 (itype:0)

  5. IDS Disadvantages An IDS is another tool in the arsenal. Host-based Intrusion Detection System (HIDS) • Cannot see all network traffic • Processor time • Log file requirements • OS vulnerabilities may impact agent • Agents are OS specific Network-based Intrusion Detection System (NIDS) • Large bandwidth can overwhelm sensor • Sensor can view network flow, but not its impact upon host(s) • Encryption

  6. Example: Port Scans P o r t s Port scan Port sweep IP addresses

  7. Products Snort //www.snort.org Sourcefire //www.sourcefire.com Cisco Secure IDS //www.cisco.com/go/ids/ Tripwire //www.tripwire.com

More Related