Network intrusion
detection/prevention systems
NIDS (detection system)
 realtime attack detection
 passive (watchers) / active (measurement)
systems
 via analysis
 protocol analysis
 graph analysis
 anomaly detection
 analysis of direct network traffic
 complete / light
NIDS scheme
http://insecure.org/stf/secnet_ids/evasion-figure3.gif
Traffic analysis
 analyzing behaviour, not just packets
 difficulties
 NIDS can be run from different part of network
 bad packets
 reordering issues
 sensor placement
 inline
 passive
 spanning port
 network tap
 load balancer
http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf
Signature-based analysis
 pattern matching
 patterns of malicious traffic
 very elementary (basically grepping)
+ huge community for rule generation
+ great for low level analysis (rules are very specific)
+ not taking too much resources
- lower performance with big ruleset
- slight attack variation can beat the rule
Rule example (Snort 2 syntax; a leading "#" would comment the rule out, and the content pattern is one continuous hex block, because anything between two |..| groups is matched as literal bytes)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( \
  msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; \
  flow:to_server,established; \
  content:"|90 1A C0 0F 90 02 08 92 02 0F D0 23 BF F8|"; \
  fast_pattern:only; \
  metadata:ruleset community, service dns; \
  classtype:attempted-admin; \
  sid:267; rev:13; \
)
Protocol-based analysis
 reviewing network data
 strictly based on layer headers
 knowledge of expected values
+ better possibility for scalability
+ generic, able to catch zero-day exploits
- protocol header preprocessors need resources
- rules can get extremely difficult to write/understand
- provides little information; the admin has to investigate
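An added example (not from the page or from any NIDS project) of what "knowledge of expected values" means in practice: a checker for the fixed DNS header of a message travelling towards port 53. It encodes only what a well-formed query should look like, so it can flag header abuse it has never seen, and it can only report "malformed", not which exploit is being attempted. The two sample messages are constructed for the demo.

```python
import struct

# Opcodes assigned for DNS: QUERY(0), IQUERY(1, obsolete), STATUS(2), NOTIFY(4), UPDATE(5).
KNOWN_OPCODES = {0, 1, 2, 4, 5}


def parse_dns_header(payload: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    ident, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', payload[:12])
    return {
        'id': ident,
        'qr': (flags >> 15) & 1,
        'opcode': (flags >> 11) & 0xF,
        'tc': (flags >> 9) & 1,
        'z': (flags >> 6) & 1,        # reserved, must be zero
        'rcode': flags & 0xF,
        'qdcount': qd, 'ancount': an, 'nscount': ns, 'arcount': ar,
    }


def check_dns_to_server(payload: bytes) -> list:
    """Protocol checks for a message in the to_server direction (towards port 53).
    Returns a list of findings; an empty list means the header looks as expected."""
    if len(payload) < 12:
        return ['truncated DNS header (%d bytes)' % len(payload)]
    h = parse_dns_header(payload)
    findings = []
    if h['qr']:
        findings.append('QR=1 (a response) sent towards the server')
    if h['opcode'] not in KNOWN_OPCODES:
        findings.append('unassigned opcode %d' % h['opcode'])
    if h['z']:
        findings.append('reserved Z bit set')
    if h['rcode']:
        findings.append('non-zero RCODE %d in a query' % h['rcode'])
    if h['opcode'] == 0:  # standard query: exactly one question, no answers/authority
        if h['qdcount'] != 1:
            findings.append('QDCOUNT=%d, expected 1' % h['qdcount'])
        if h['ancount'] or h['nscount']:
            findings.append('answer/authority records present in a query')
    return findings


# Constructed sample messages (not captured traffic).
GOOD_QUERY = (bytes.fromhex('1234 0100 0001 0000 0000 0000')     # id, RD set, 1 question
              + b'\x03www\x07example\x03com\x00' + b'\x00\x01\x00\x01')
BAD_QUERY = bytes.fromhex('0000 8040 0000 0005 0000 0000') + b'\x00' * 16  # QR=1, Z=1, 0 questions, 5 answers

if __name__ == '__main__':
    print('good:', check_dns_to_server(GOOD_QUERY))
    print('bad: ', check_dns_to_server(BAD_QUERY))
```

Contrast this with the signature rule: a shellcode payload carried in a query with a perfectly valid header passes every check here, while the signature rule catches exactly that one byte string and nothing else. Running both is the usual answer.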
Types of detected events
 transport layer attack
 network layer attack
 unexpected services (tunnel, backdoor etc.)
 policy violations (forbidden protocols, ports
etc.)
note: detection with accuracy
Types of attack
 evasion/insertion attacks
 bad IP headers
 bad IP options
 direct frame addressing
 IP packets fragmentation
 set up delay for dropping stored packets
 TCP layer problems
 sync between NIDS and end system
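The last two bullets, loss of sync between the NIDS and the end system, are the core of Ptacek and Newsham style insertion/evasion. The following added example (constructed for this page, not code from any NIDS) models IP fragment reassembly with two overlap policies and a TTL that may expire before the host, and shows two cases: overlapping fragments where the sensor and the host rebuild different datagrams (evasion), and a fragment with a short TTL that only the sensor ever sees (insertion). Fragment offsets are simplified to byte offsets, the signature string and the fragment sets are constructed, and the sensor is assumed to see every fragment.

```python
from dataclasses import dataclass


@dataclass
class Frag:
    offset: int          # byte offset inside the datagram (real IP counts in 8-byte units)
    data: bytes
    ttl: int = 64        # time-to-live as the fragment passes the sensor


def reassemble(frags, policy):
    """Rebuild a datagram from fragments given in arrival order.
    policy 'first': bytes from the earliest-received fragment win on overlap
    (BSD-style); 'last': later fragments overwrite earlier ones (Linux-style)."""
    if policy not in ('first', 'last'):
        raise ValueError(policy)
    size = max(f.offset + len(f.data) for f in frags)
    buf, filled = bytearray(size), [False] * size
    for f in frags:
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if policy == 'last' or not filled[pos]:
                buf[pos], filled[pos] = byte, True
    return bytes(buf)


def host_receives(frags, hops):
    """Fragments whose TTL runs out on the way (ttl <= router hops) never reach the host."""
    return [f for f in frags if f.ttl > hops]


SIGNATURE = b'/cgi-bin/phf'   # constructed demo signature the sensor looks for


def evaded(frags, nids_policy, host_policy, hops):
    """True when the host reassembles the attack string but the sensor does not."""
    nids_view = reassemble(frags, nids_policy)
    host_view = reassemble(host_receives(frags, hops), host_policy)
    return SIGNATURE in host_view and SIGNATURE not in nids_view


# Evasion by overlap: the third fragment rewrites bytes 8..15 of the request.
OVERLAP = [Frag(0, b'GET /cgi'), Frag(8, b'-bin/phf'), Frag(8, b'/nothing')]

# Insertion by TTL: the benign overlap goes first with ttl=1, so the sensor
# sees it but a host two router hops away never does.
INSERTION = [Frag(0, b'GET /cgi'), Frag(8, b'/nothing', ttl=1), Frag(8, b'-bin/phf')]

if __name__ == '__main__':
    print('first-policy view:', reassemble(OVERLAP, 'first'))
    print('last-policy view: ', reassemble(OVERLAP, 'last'))
    print('overlap evades last-policy sensor vs first-policy host:',
          evaded(OVERLAP, 'last', 'first', hops=2))
    print('ttl insertion evades same-policy sensor, host 2 hops away:',
          evaded(INSERTION, 'first', 'first', hops=2))
```

The fix on the sensor side is target-based reassembly: Snort's frag3 and stream preprocessors take a per-host `policy` so the sensor reassembles the way the destination OS does, and a sensor placed close to the protected hosts (few hops) leaves less room for TTL games.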
Prevention
 passive
 ending TCP stream
 inline
 inline firewalling
 throttling bandwidth usage
 altering malicious content
 passive and inline
 running third party script
 reconfiguring other network devices
Toolset
 SNORT
 opensource
 windows / linux
 lots of plugins
 OSSIM (security information and event
management)
 Sguil (network security monitor)
SNORT
 started as sniffer in 1998
 sniffer, packet logger, and NIDS
 most used open-source NIDS right now
 loads of add-ons
 big and stable community (regular community
rule releases)
Firewall network with SNORT
SNORT add-ons
 DumbPig
 bad rule grammar detection
 OfficeCat
 search for vulnerabilities in Microsoft Office docs
 SnoGE
 reporting tool that parses your logs and visualises them as
points on Google Maps
 Oinkmaster
 tool for creating and managing rules
 iBlock
 daemon grepping alert file and blocking offending hosts
http://www.snort.org/snort-downloads/additional-downloads
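The "running third party script / reconfiguring other network devices" responses from the Prevention slide and the iBlock add-on above both come down to the same loop: read the alert file, pick offending sources, push a block. The added example below (written for this page, not iBlock's or Snort's code) parses constructed lines in Snort's alert_fast format and turns them into iptables commands, with the three checks a practitioner wants before automating this: skip low-priority alerts, require more than one alert per source, and never block an allow-listed network, because an attacker who can spoof the source address of an alert-triggering packet can otherwise have the automation cut off your own resolver or upstream. The commands are returned as strings rather than executed.

```python
import ipaddress
import re
from collections import Counter

# Constructed lines in Snort's alert_fast format (not from a real sensor).
# sid 1000001 is in the local-rule range and is made up for the demo.
SAMPLE_ALERTS = """\
03/14-10:22:31.123456  [**] [1:267:13] OS-SOLARIS EXPLOIT sparc overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:40123 -> 192.0.2.10:53
03/14-10:22:32.000101  [**] [1:267:13] OS-SOLARIS EXPLOIT sparc overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:40124 -> 192.0.2.10:53
03/14-10:23:05.778899  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10
03/14-10:24:00.000000  [**] [1:267:13] OS-SOLARIS EXPLOIT sparc overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.25:51000 -> 192.0.2.10:53
this line is not an alert and must be skipped
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?'
    r'(?:\s+\[Priority:\s*(?P<pri>\d+)\])?'
    r'\s+\{(?P<proto>\w+)\}\s+(?P<src>[0-9.]+)(?::(?P<sport>\d+))?'
    r'\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$')


def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d['sid'] = int(d['sid'])
    d['priority'] = int(d['pri']) if d['pri'] else 0   # 0 = priority unknown
    return d


def plan_blocks(lines, allow_nets, max_priority=2, threshold=2):
    """Pick source addresses to block and return the firewall commands.
    Only alerts with priority <= max_priority count (1 is the most severe),
    a source must trigger at least `threshold` of them, and anything inside
    allow_nets is never blocked."""
    allow = [ipaddress.ip_network(n) for n in allow_nets]
    hits = Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None or a['priority'] > max_priority:
            continue
        src = ipaddress.ip_address(a['src'])
        if any(src in net for net in allow):
            continue
        hits[src] += 1
    return ['iptables -I INPUT -s %s -j DROP' % src
            for src, n in sorted(hits.items()) if n >= threshold]


if __name__ == '__main__':
    for cmd in plan_blocks(SAMPLE_ALERTS.splitlines(), ['192.0.2.0/24']):
        print(cmd)
```

Blocks produced this way should also expire: a permanent drop rule for every source that ever tripped a priority-1 signature turns the sensor into a self-inflicted denial of service tool over time.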
Q&A
