DMC ITSY 2430 - Network Intrusion Detection

This preview shows pages 1-2 and 19-20 out of 20 pages.

Network Intrusion Detection

Outline (slide bookmarks):
  What is IDS?
  HIDS v. NIDS
  Slide 5
  Signature-based NIDS
  Signatures
  Slide 8
  Slide 9
  NIDS – Management
  NIDS – Placement
  NIDS – Drawbacks
  NIDS - Drawbacks
  Active Response
  Slide 15
  Intrusion Prevention
  NIDS on the Cheap
  Additional Resources
  Slide 19
  Slide 20

Network Intrusion Detection
David [email protected]

Agenda:
  What is IDS?
  HIDS v. NIDS
  Signatures
  Active Response / IPS
  NIDS on the Cheap
  Additional Resources

What is IDS?
  "the art of detecting inappropriate, incorrect, or anomalous activity. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems, and ID systems that operate on network data flows are called network-based ID systems."
  http://www.sans.org/newlook/resources/IDFAQ/what_is_ID.htm

HIDS v. NIDS
  Defense in depth, layered security
  HIDS
    Typically software installed on a system
    Agent-based
      Monitors multiple data sources, including file system meta-data, log files
    Wrapper-based
      Acts like a firewall – denies or accepts connections or logins based on defined policy

HIDS v. NIDS
NIDSNIDSMonitors traffic on a networkReports on traffic not considered “normal”Anomaly-basedPacket sizes, destinations, protocol distributions, etcHard to determine what “normal” traffic looks likeSignature-basedMost products use signature-based technologiesSignature-based NIDSSignature-basedMatches header fields, port numbers, contentNetwork “grep”AdvantagesNo learning curveWorks out-of-box for well known attacksSnort has ~1900 signaturesDragon has ~1700 signaturesDisadvantagesNew attacks cannot be detected False positivesMaintenance/tweakingNot very hard to evadeStateless, lacks thresholdingSignaturesT A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt| | | | | | | | || | | | | | | | SEARCH STRING| | | | | | | EVENT NAME| | | | | | PORT| | | | | || | | | | COMPARE BYTES | | | | || | | | DYNAMIC LOG| | | || | | BINARY OR STRING| | || | PROTECTED NETWORKS| || DIRECTION|PROTOCOLSignaturesOn the console…Time Dir Source Destination Proto Event Name Group Sensor Session Raw Data 11:02 02Nov04 from 128.103.a.b:4295 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5 11:01 02Nov04 from 128.103.a.b:1141 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5 10:59 02Nov04 from 128.103.a.b:2582 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5 10:57 02Nov04 from 128.103.a.b:3341 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5NICK [XDCC]SLT-L482{A}USER b0b 32 . :XDCC{A}MODE [XDCC]SLT-L482 +i{A}NICK [XDCC]SLT-L482{A}USER b0b 32 . :XDCC{A}MODE [XDCC]SLT-L482 +i{A}NICK [XDCC]SLT-L482{A}USER b0b 32 . 
  Raw data, server side (the slides show this block twice; it is given once here):
  {A}:snagged.wi.us.criten.net NOTICE AUTH :*** Looking up your hostname...{A}
  :snagged.wi.us.criten.net NOTICE AUTH :*** Found your hostname, cached{A}
  :snagged.wi.us.criten.net NOTICE AUTH :*** Checking Ident{A}
  :snagged.wi.us.criten.net 001 [XDCC]SLT-L482 :Welcome to the Criten IRC Network [XDCC][email protected]{D}{A}
  :snagged.wi.us.criten.net 002 [XDCC]SLT-L482 :Your host is snagged.wi.us.criten.net[@0.0.0.0], running version bahamut-1.4(34){D}{A}
  :snagged.wi.us.criten.net 003 [XDCC]SLT-L482 :This server was created Fri Oct 18 2002 at 12:49:34 CDT{D}{A}
  :snagged.wi.us.criten.net 004 [XDCC]SLT-L482 snagged.wi.us.criten.net bahamut-1.4(34) oiwscrknfydaAbghe biklLmMnoprRstvc{D}{A}
  :snagged.wi.us.criten.net 005 [XDCC]SLT-L482 NOQUIT WATCH=128 SAFELIST MODES=13 MAXCHANNELS=15 MAXBANS=100 NICKLEN=30 TOPICLEN=307 KICKLEN=307 CHANTYPES=&# PREFIX=(ov)@+ NETWORK=Criten SILENCE=10 CASEMAPPING=ascii :are available on this server{D}{A}
  :snagged.wi.us.criten.net 251 [XDCC]SLT-L482 :There are 59 users and 6470 invisible on 17 servers{D}{A}
  :snagged.wi.us.criten.net 252 [XDCC]SLT-L482 30 :IRC Operators online{D}{A}
  :snagged.wi.us.criten.net 253 [XDCC]SLT-L482 84 :unknown connection(s){D}{A}
  :snagged.wi.us.criten.net 254 [XDCC]SLT-L482 738 :channels formed{D}{A}
  :snagged.wi.us.criten.net 255 [XDCC]SLT-L482 :I have 705 clients and 1 servers{D}{A}
  :snagged.wi.us.criten.net 265 [XDCC]SLT-L482 :Current local users: 705 Max: 3506{D}{A}
  :snagged.wi.us.criten.net 266 [XDCC]SLT-L482 :Current global users: 6529 Max: 13238{D}{A}
  :snagged.wi.us.criten.net NOTICE [XD
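To make the nine-field signature and the "stateless, not very hard to evade" points concrete, here is an added example written for this page (not the presenter's code and not Dragon or Snort code). It reads the rule from the Signatures slide, decodes the search string, and applies it to the client side of the session shown on the console slide, first one segment at a time and then after reassembly. The field order follows the slide's annotation; the hex-escape decoding of /5B and /5D, case-insensitive matching for type S, the reading of "compare bytes" as a leading-byte search window, and the segment boundaries are all assumptions made for the illustration.

```python
# Added example, not from the slides: reader and matcher for the nine-field
# signature format on the "Signatures" slide. Assumptions: '/XX' in the search
# string is a hex escape (/5B -> '[', /5D -> ']'), 'S' means case-insensitive
# text match, and "compare bytes" is the number of leading payload bytes searched.
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Signature:
    protocol: str        # T = tcp, as on the slide
    direction: str       # A = any
    protected_nets: str  # A = any
    kind: str            # S = string, B = binary
    dynamic_log: int     # packets to log after a hit (not used here)
    compare_bytes: int   # leading bytes to search; 0 = whole payload (assumption)
    port: int
    event: str
    search: bytes        # decoded search string


def decode_search(raw: str) -> bytes:
    """Turn '/5Bxdcc/5Dslt' into b'[xdcc]slt' (hex-escape convention assumed)."""
    return re.sub(rb"/([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  raw.encode("ascii"))


def parse_signature(line: str) -> Signature:
    fields = line.split()
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    proto, direction, nets, kind, dyn, cmp_bytes, port, event, search = fields
    return Signature(proto, direction, nets, kind, int(dyn), int(cmp_bytes),
                     int(port), event, decode_search(search))


def matches(sig: Signature, dst_port: int, payload: bytes) -> bool:
    """Port filter plus content search: the 'network grep' the slide describes."""
    if dst_port != sig.port:
        return False
    window = payload[: sig.compare_bytes] if sig.compare_bytes else payload
    if sig.kind == "S":
        return sig.search.lower() in window.lower()
    return sig.search in window


# Constructed from the client-side raw data on the console slide (one session).
CLIENT_STREAM = b"NICK [XDCC]SLT-L482\nUSER b0b 32 . :XDCC\nMODE [XDCC]SLT-L482 +i\n"

# Constructed TCP segments as (sequence offset, bytes): the same stream delivered
# out of order, with the search string straddling the segment boundary.
SPLIT_SEGMENTS: List[Tuple[int, bytes]] = [
    (9, CLIENT_STREAM[9:]),
    (0, CLIENT_STREAM[:9]),
]


def scan_stateless(sig: Signature, dst_port: int,
                   segments: Iterable[Tuple[int, bytes]]) -> bool:
    """Inspect each segment on its own, which is all a stateless matcher can do."""
    return any(matches(sig, dst_port, data) for _, data in segments)


def scan_reassembled(sig: Signature, dst_port: int,
                     segments: Iterable[Tuple[int, bytes]]) -> bool:
    """Reorder by sequence offset, rebuild the stream, then inspect it."""
    stream = b"".join(data for _, data in sorted(segments))
    return matches(sig, dst_port, stream)


SLIDE_RULE = "T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt"

if __name__ == "__main__":
    sig = parse_signature(SLIDE_RULE)
    print(sig.event, sig.port, sig.search)
    print("whole stream:", matches(sig, 6668, CLIENT_STREAM))
    print("per segment: ", scan_stateless(sig, 6668, SPLIT_SEGMENTS))
    print("reassembled: ", scan_reassembled(sig, 6668, SPLIT_SEGMENTS))
```

The per-segment pass misses the string because "[XDCC]SLT" is split across the two segments, while the reassembled pass catches it; that gap is exactly what the fragmentation and out-of-order evasion items on the Drawbacks slide describe, and why a sensor needs stream reassembly in front of its string matcher. Note that the rule's port (6668) is used here as a plain equality filter, whereas the console slide shows hits on 6667, so the deployed rule set evidently covered more than this single rule.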

NIDS – Management
  Correlation is key
  Multiple sensors
  Single data repository
    Syslog
    DBMS
    Text files

NIDS – Placement
  Inside firewall
    Limits false positives – “cleaner” data
  Outside firewall
    Shows overall interest
  Need to collect all traffic
    Switch port won’t cut it
    Hub
    Switch SPAN port
    Passive tap
    Difficult on high-bandwidth links (>300Mbps)
    Distribution devices (TopLayer, etc)
    Hardware

NIDS – Drawbacks
  False Positives
  LOTS of data
    We generate 3-4GB of logs each day on a ~250Mbps sustained link
    Makes alerting difficult
  Interoperability
    ESM – Intellitactics, PentaSafe, etc.

NIDS - Drawbacks
  Evasion
    Packet fragmentation
    Out of order,
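The Management slide's "correlation is key" and the Drawbacks slide's "lots of data, makes alerting difficult" both point at the same missing piece, the thresholding the Signature-based slide says a per-packet signature lacks. The following added example (written for this page, not the presenter's or any product's code) parses console lines in the layout of the slide, pools them as a single repository would, groups hits by source host and event, and raises one alert only when a host reaches a threshold of hits inside a time window. The four ids5 lines are copied from the slide (a.b and x.y are the slide's own redactions); the two ids6 lines, the sensor name ids6, and the window and threshold values are constructed for the illustration.

```python
# Added example, not from the slides: correlation with a threshold over console
# events, merging hits from several sensors into one alert per source host.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Console layout from the slide: Time Dir Source Destination Proto Event Name
# Group Sensor (the Session and Raw Data columns are empty in the slide's rows).
EVENT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d) (?P<date>\d\d[A-Za-z]{3}\d\d) (?P<dir>\S+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<proto>\S+) (?P<event>\S+) (?P<group>\S+) (?P<sensor>\S+)$"
)

# First four lines copied from the slide; the last two are constructed to stand
# in for a second sensor (ids6) feeding the same repository.
CONSOLE_LINES = [
    "11:02 02Nov04 from 128.103.a.b:4295 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5",
    "11:01 02Nov04 from 128.103.a.b:1141 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5",
    "10:59 02Nov04 from 128.103.a.b:2582 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5",
    "10:57 02Nov04 from 128.103.a.b:3341 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5",
    "10:55 02Nov04 from 128.103.a.b:2200 207.44.x.z:6667 tcp IRC:XDCC UNKNOWN ids6",
    "10:50 02Nov04 from 128.103.c.d:1025 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids6",
]


def parse_event(line: str) -> Dict[str, object]:
    """Split one console line into its columns and attach a datetime."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised console line: {line!r}")
    ev: Dict[str, object] = dict(m.groupdict())
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%d%b%y %H:%M")
    return ev


def correlate(lines: Iterable[str], threshold: int = 3,
              window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Group hits by (source host, event); report groups whose peak number of
    hits inside `window` reaches `threshold`, merging sensors and destinations."""
    groups: Dict[tuple, list] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        groups[(ev["src"], ev["event"])].append(ev)

    alerts: List[Dict[str, object]] = []
    for (src, event), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window over the sorted timestamps: largest run within `window`.
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue  # isolated hits stay in the repository but raise no alert
        alerts.append({
            "src": src,
            "event": event,
            "hits": len(evs),
            "peak_in_window": peak,
            "sensors": sorted({e["sensor"] for e in evs}),
            "destinations": sorted({e["dst"] for e in evs}),
            "first": evs[0]["ts"].strftime("%d%b%y %H:%M"),
            "last": evs[-1]["ts"].strftime("%d%b%y %H:%M"),
        })
    return sorted(alerts, key=lambda a: (-a["hits"], a["src"]))


if __name__ == "__main__":
    for alert in correlate(CONSOLE_LINES):
        print(alert)
```

With the defaults, the six raw events collapse to a single alert for 128.103.a.b (five hits seen by two sensors against two destinations between 10:55 and 11:02), and the lone hit from 128.103.c.d is kept but not alerted on. Lowering `threshold` to 1 reproduces the per-event noise the slide complains about, which is a quick way to see what the window and threshold buy you before tuning them against a real day's 3-4GB of logs.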

