Slides from the overview presentation on intrusion detection/prevention systems, given in the Security in Internet course at the Faculty of Informatics and Information Technology. The presentation is part of the course assignment.
4. Traffic analysis
• analyzing behaviour, not just packets
• difficulties
– NIDS can be run from different parts of the network
– bad packets
– reordering issues
• sensor placement
– inline
– passive
• spanning port
• network tap
• load balancer
7. Signature-based analysis
• pattern matching
• “patterns of malicious traffic”
• very elementary (basically grepping)
+ huge community for rule generation
+ great for low level analysis (rules are very specific)
+ does not take too many resources
- lower performance with big ruleset
- slight attack variation can beat the rule
9. Protocol-based analysis
• reviewing network data
• strictly based on layer headers
• knowledge of expected values
+ better scalability
+ generic, able to catch zero-day exploits
- protocol header preprocessors need resources
- rules can get extremely difficult to write/understand
- provides little information; admin has to investigate
10. Types of detected events
• transport layer attack
• network layer attack
• unexpected services (tunnel, backdoor etc.)
• policy violations (forbidden protocols, ports etc.)
note: detection with accuracy
11. Types of attack
• evasion/insertion attacks
– bad IP headers
– bad IP options
– direct frame addressing
• IP packets fragmentation
– a delay must be set after which stored fragments are dropped
• TCP layer problems
– keeping NIDS state in sync with the end system
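The slide's two points, elementary pattern matching (slide 7) and holding IP fragments until a datagram is complete, with a delay after which stored fragments are dropped (slide 11), as an added example written for these notes, not code from the slides or from Snort. Fragments are modelled as simplified (src, dst, id, offset, more_fragments, payload) tuples, the rule set is constructed, and the reassembler treats overlapping fragments as "still incomplete" rather than resolving them as a real stack would.

```python
import time

# Constructed Snort-style content rules: byte pattern -> alert message.
RULES = [(b"/etc/passwd", "WEB-ATTACKS /etc/passwd access"),
         (b"cmd.exe", "WEB-IIS cmd.exe access")]
FRAG_TIMEOUT = 30.0  # seconds a partial datagram is held before being dropped

class Reassembler:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending = {}  # key -> {"first": t, "frags": {offset: bytes}, "total": None|int}

    def add(self, src, dst, ip_id, offset, more_fragments, payload):
        """Store one fragment; return the full payload once complete, else None."""
        self.expire()
        key = (src, dst, ip_id)
        entry = self.pending.setdefault(key, {"first": self.clock(), "frags": {}, "total": None})
        entry["frags"][offset] = payload
        if not more_fragments:  # the last fragment fixes the datagram length
            entry["total"] = offset + len(payload)
        if entry["total"] is None:
            return None
        data = bytearray()
        for off in sorted(entry["frags"]):  # fragments may arrive out of order
            if off != len(data):  # gap or overlap: still incomplete
                return None
            data += entry["frags"][off]
        if len(data) != entry["total"]:
            return None
        del self.pending[key]
        return bytes(data)

    def expire(self):
        """Drop partial datagrams older than FRAG_TIMEOUT (the slide's drop delay)."""
        cutoff = self.clock() - FRAG_TIMEOUT
        for key in [k for k, e in self.pending.items() if e["first"] < cutoff]:
            del self.pending[key]

def match_signatures(payload):
    """Elementary pattern matching ('basically grepping') over one payload."""
    return [msg for pattern, msg in RULES if pattern in payload]

def inspect(fragments, reassembler):
    """Feed (src, dst, id, offset, more_fragments, payload) tuples; return alerts raised."""
    alerts = []
    for src, dst, ip_id, off, mf, data in fragments:
        full = reassembler.add(src, dst, ip_id, off, mf, data)
        if full is not None:
            alerts.extend(match_signatures(full))
    return alerts
```

Matching each fragment on its own finds nothing because the pattern straddles the fragment boundary; only the reassembled datagram triggers the rule, which is why a NIDS must keep fragment state and why that state needs a drop delay.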
12. Prevention
• passive
– ending TCP stream
• inline
– inline firewalling
– throttling bandwidth usage
– altering malicious content
• passive and inline
– running a third-party script
– reconfiguring other network devices
13. Toolset
• SNORT
– open-source
– windows / linux
– lots of plugins
• OSSIM (security information and event management)
• Sguil (network security monitor)
14. SNORT
• started as sniffer in 1998
• sniffer, packet logger, and NIDS
• most used open-source NIDS right now
• loads of add-ons
• big and stable community (regular community rule releases)
16. SNORT add-ons
• DumbPig
– bad rule grammar detection
• OfficeCat
– searches for vulnerabilities in Microsoft Office documents
• SnoGE
– reporting tool that parses your logs and visualises them as points on Google Maps
• Oinkmaster
– tool for creating and managing rules
• iBlock
– daemon that greps the alert file and blocks offending hosts
http://www.snort.org/snort-downloads/additional-downloads