IDS - PowerPoint PPT Presentation

About This Presentation



IDS Intrusion Detection Systems Overview Concept: An Intrusion Detection System is required to detect all types of malicious network traffic and computer ... – PowerPoint PPT presentation

Number of Views:21
Avg rating:3.0/5.0
Slides: 8
Provided by: AlBen153
Learn more at:


Transcript and Presenter's Notes

Title: IDS

IDS Intrusion Detection Systems
  • Concept An Intrusion Detection System is
    required to detect all types of malicious network
    traffic and computer usage that can't be detected
    by a conventional firewall. This includes network
    attacks against vulnerable services, data driven
    attacks on applications, host based attacks such
    as privilege escalation, unauthorized logins and
    access to sensitive files, and malware (viruses,
    trojan horses, and worms).
  • Components
  • Sensors which generate security events
  • Console to monitor events and alerts and control
    the sensors
  • Engine that records events logged by the sensors
    in a database and uses a system of rules to
    generate alerts from security events received.
  • Types
  • Anomaly-Based Intrusion Detection System
  • Signature-Based Intrusion Detection System
  • Network-Based Intrusion Detection System
  • Host-based Intrusion Detection System

IDS mechanisms work together
Source ComputerWorld
Basic tools
  • Enterprise systems Cisco Safe and IDS, Symantec
    Intrusion Protection, CA Host-based IPS, Network
    Intrusion- Prevention Systems, Others.
  • Honeypots Honeyd Virtual Honeypot and Deception
  • Snort open source, from PCs to large networks
    for Linux/UNIX, Windows, Macs.
  • References
  • Infosyssec IDS FAQ
  • SANS InfoSec Reading Room Intrusion Detection
  • Intrusion Detection Systems
    (IDS) Classification methods techniques

  • What is Snort?
  • What can it do detect and respond
  • Open source and business.
  • The main Web site for Snort.
  • Downloading
  • Download WinPcap 3.1 (do not use newer WinPcap
  • Download Snort for Windows or Linux
  • Install and setup
  • Install WinCap, then Snort, by double-clicking in
    the downloaded files. Snort is installed in
    c\snort and snort.exe is in the c\snort\bin
  • Create a login in the Snort Web account signup
    page and login.
  • Go to the Download rules page and download under
    Sourcefire VRT Certified Rules - The Official
    Snort Ruleset (registered user release) the
    CURRENT file. It will look like
  • Extract this file to the directory c\snort and
    both signatures (under doc) and rules (under
    rules) will be created.

  • Using snort
  • at the command prompt start in c\snort\bin
  • checking available interfaces c\snort\bin
    snort -W example
  • capturing and viewing packets c\snort\bin
    snort -dev (press Control-C to stop the
    capture) example
  • capturing and saving in log file c\snort\bin
    snort -de -K ascii -l c\snort\log examples tcp
  • log the Snort alert messages to the Windows Even
    Viewer, Applications c\snort\bin snort -E - l
    c\snort\log -c c\snort\etc\snort.confsee
    example of running in IDS mode and events in
    Event viewer.
  • Modifying and creating rules
  • creating rules experts only, download updates
    and read them.
  • modifying not a problem typically many false
    positives are eliminated
  • example I got many false positives as MISC UPnP
    malformed advertisement Classification Misc
    Attack I looked for misc.rules and edited rule
    as follows alert udp EXTERNAL_NET any -gt
    HOME_NET 1900 (msg"MISC UPnP malformed
    advertisement" content"NOTIFY " nocase In
    the example I just commented out the rule added
    in front of the line.

  • Additional references
  • Snort documentation
  • a Snort Reporting Tool
  • Snort IDS Policy Manager For Windows 2000/XP
  • Snort-Wireless
  • Securing your system with Snort in Linux
  • Snort install in Win 2000/XP with Acid and MySQL
  • Snort install in Linux with Acid and MySQL
  • ACID - Analysis Console for Intrusion Databases
  • ACID Installation and Configuration in Linux
  • MySQL A free DB client and server
Write a Comment
User Comments (0)