Intrusion Detection System: The Complete Documentation

  • This category contains 76 Papers
  • The last paper was added on 2007-03-26 (YYYY-MM-DD)

50 Ways to Defeat Your Intrusion Detection System

Published by Fred Cohen, www.all.net.

Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

A practical guide to running SNORT on Red Hat Linux 7.2 and Management Using IDS Policy Manager, MySQL+IIS+ACID From your Workstation

Published on 2002-04-02, by William Metcalf, ©SANS Institute.

In the brief time that I have been on this planet the state of computing has changed drastically. The high-powered computers and blink-of-the-eye internet connectivity once reserved for universities and major corporations have now become a staple in small businesses around the United States and the world. As more and more of these small businesses get connected to the global network we call the internet, we must focus our attention on securing these systems. It used to be that hacking systems such as these could only be done by highly skilled programmers and network gurus. This has also changed with the birth of “script kiddies”, who are hackers who use programs and scripts that are freely available and easy to use to attack such systems. Firewalls and virus protection software add layers of security, but in most cases this is not enough.

Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection (An)

Published on 2003, by Matthew V. Mahoney and Philip K. Chan, ©Florida Institute of Technology.

We investigate potential simulation artifacts and their effects on the evaluation of network anomaly detection systems in the 1999 DARPA/MIT Lincoln Laboratory off-line intrusion detection evaluation data set. A statistical comparison of the simulated background and training traffic with real traffic collected from a university departmental server suggests the presence of artifacts that could allow a network anomaly detection system to detect some novel intrusions based on idiosyncrasies of the underlying implementation of the simulation, with an artificially low false alarm rate. The evaluation problem can be mitigated by mixing real traffic into the simulation. We compare five anomaly detection algorithms on simulated and mixed traffic. On mixed traffic they detect fewer attacks, but the explanations for these detections are more plausible.

Anti-IDS Tools and Tactics

Published on 2001, by Steve Martin, ©SANS Institute.

Over the past twenty years the World Wide Web has grown from a network used purely for the exchange of academic information to the mainstream medium we now use for communication, education, business and a plethora of other uses.

Bleeding Knoppix Guide -- or how to use bleeding snort rules off of a Live CD

Published on 2004-11-01, by David Glosser, ©the Bleeding Edge of Snort.

A LiveCD is an operating system complete with software that is stored on a bootable drive (such as a CD-ROM). It can be booted and run without any installation onto a hard drive. The system returns to its previous OS when the LiveCD is ejected and the computer is rebooted.

Bleeding Snort HOW-TO

Published on 2004-09-17, by Burak DAYIOGLU, ©Burak DAYIOGLU.

My previous note on Bleeding Snort got so many hits with referrals from search engines with keywords and phrases like "bleeding", "bleeding snort", "bleeding snort howto" etc. so here it is. As many people are looking around how to integrate Bleeding Snort signatures in their environments, I decided to write this short HOW-TO.

Bypassing Intrusion Detection Systems

Published on July 27, 2000, by Ron Gula, www.blackhat.com.

This session will highlight some common sense approaches to bypassing IDS tools as well as review the basic theory behind the technology and operation of an IDS. As a NIDS vendor, pushing the limits of NIDS technology makes for a better overall NIDS. As a NIDS consumer, understanding the types of threats that can occur to a NIDS allows for better operation and understanding.

Characterizing the Performance of Network Intrusion Detection Sensors

Published on 2003, by Lambert Schaelicke, Thomas Slabach, Branden Moore and Curt Freel, ©University of Notre Dame.

Checklist for Deploying an IDS

Published on 2003-12-30, by Andy Cuff, ©SecurityFocus.

Installing a Network IDS (NIDS) onto a network requires a significant amount of thought and planning. In addition to the technical issues and product selection there are resource issues, from product cost to manning the sensor feeds and supporting the infrastructure, that must also be considered. The scope of this article considers the worst case scenario, that of deploying a NIDS on a remote network (target). The introduction of an IDS into an organization's network can be sensitive and often has political implications with the network staff, and thus a checklist written from the perspective of an outside consultant (even if the IDS is deployed internally) that appeases all parties can be useful to ensure a successful implementation. While this topic is broad, there's sufficient information and planning required to form the basis of the checklist. If you are unfamiliar with the terminology in this article, please refer to my previous SecurityFocus articles on IDS terminology.

Complete Snort-based IDS Architecture, Part 1

Published on 2002-11-06, by Anton Chuvakin, Ph.D. and Vladislav V. Myasnyankin, ©SecurityFocus.

Intrusion detection systems (IDS) are one of the fastest growing technologies within the security space. Unfortunately, many companies find it hard to justify acquiring IDS systems due to their perceived high cost of ownership (for example see Justifying the Expense of IDS by Kevin Timm and David Kinn). However, not all IDS systems are prohibitively expensive. This two-part article will provide a set of detailed directions to build an affordable intrusion detection architecture from hardware and freely available software. This discussion will avoid the classic "build or buy" debate and instead focus on building the system at a minimum cost.

Complete Snort-based IDS Architecture, Part 2

Published on 2002-11-19, by Anton Chuvakin, Ph.D. and Vladislav V. Myasnyankin, ©SecurityFocus.

Many companies find it hard to justify acquiring IDS systems due to their perceived high cost of ownership. However, not all IDS systems are prohibitively expensive. This is the second part of a two-part article that provides a set of detailed directions to build an affordable intrusion detection architecture from hardware and freely available software. In this installment we shall discuss Web interface configuration, summaries and daily reporting, automated attack response, sensor installation, installation of the central station, and big distributed IDS systems.

Defeating Sniffers and Intrusion Detection Systems

Published on 1998-12-25, by horizon, ©phrack.

The purpose of this article is to demonstrate some techniques that can be used to defeat sniffers and intrusion detection systems. This article focuses mainly on confusing your average "hacker" sniffer, with some rough coverage of Intrusion Detection Systems (IDS). However, the methods and code present in this article should be a good starting point for getting your packets past ID systems. For an intense examination of attack techniques against IDS, check out: http://www.nai.com/products/security/advisory/papers/ids-html/doc000.asp.

Double Snorting

Published on 2004, by Jeffrey Taylor, ©CMP Media LLC.

Snort is a GPLed, Network Intrusion Detection System (NIDS) that runs on Linux and Win32. A NIDS monitors the network, looking for hostile traffic. Basically it scans all traffic on a network interface, not just its own host's, comparing it to rules describing the signatures of known attacks.

Evading NIDS, revisited

Published on 2005-12-02, by Sumit Siddharth, ©SecurityFocus.

In this article we look at some of the most popular IDS evasion attack techniques.

We start by looking at attacks that are based on fragmentation, which includes attacks based on different fragment reassembly timeouts of different operating systems. Then we go a step further and look at how various operating systems perform fragment reassembly differently and how this can be useful when performing an IDS evasion. These are known as attacks based on overlapping fragments.

The remainder of this article will then look at attacks based on the TTL field. We will turn our focus to widely popular Snort NIDS and describe how Snort deals with all these attacks, as well as what parameters are involved in configuring snort to stop an IDS

Evolution of Intrusion Detection Systems (The)

Published on 2001-11-16, by Paul Innella, ©SecurityFocus.

I am currently working with a client who asked me to choose an intrusion detection system (IDS) to deploy in their environment. I have been working with intrusion detection since it was virtually unknown, so it would seem the decision would be quite simple. On the contrary, with all of the different components and vendors to choose from, IDS offerings have become pretty complex. That led me to wonder how IDS technology has progressed to its current state. So, I invested some time trying to figure it out. Now that I have, let me tell you, it is enough to induce a headache. Nonetheless, I wrote this article to share my findings with you. If you are ready for a discussion about the evolution of IDS, then read on; however, be forewarned, the history of intrusion detection is as confusing as Greenspan’s economic strategies.

False Positives: A User's Guide to Making Sense of IDS Alarms

Published on 2003, by Marcus J. Ranum, ©TruSecure.

Intrusion Detection Systems (IDS) became widely available as commercial off-the-shelf (COTS) security products starting in the late 1990's. Since that time, they have demonstrated their worth, but not their full potential, by assisting network administrators in detecting holes as they are being exploited, or by providing valuable forensic data during clean-up after networks have been penetrated by attackers. It is safe to say that IDS have been a mixed blessing: they provide both priceless data and time-wasting irritation — sometimes in nearly equal measure.

Guide to Intrusion Detection and Prevention Systems (IDPS)

Published on 2007, by Karen Scarfone, Peter Mell, ©National Institute of Standards and Technology.

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.

Guide To Using Snort For Basic Purposes

Published on April 20, 2003, by Revenge, ©eBCVG Network.

A few months ago I was presented with the task of creating a secure DMZ with Linux servers in it. Since I am not a Linux guru yet, I wanted to research different programs and tools that I can use to monitor and filter traffic, as well as some other programs, but it doesn't matter right now. On my friend's recommendation I decided to look into snort as an IDS (Intrusion Detection System). In the following essay I will tell you about writing rules and alerts for snort. I went through a lot of reading and nights of trying to configure it and playing around with it, and I think that if the material was presented in a slightly different fashion it could have made the life of snort users much easier, and so here is some basic information first.

Holistic approaches to attack detection

Published on 2001-08-11, by sasha, ©Phrack Magazine.

This article concerns various approaches to the problem of detecting attacks. Specifically, we are interested in enterprise environments in which weaknesses in traditional security monitoring methods become apparent. Holistic methods are proposed as a partial solution to some of the shortcomings in traditional reductionist approaches.

Host-Based IDS vs Network-Based IDS (Part 1)

Published on 2003-07-10, by Ricky M. Magalhaes, ©TechGenix Ltd.

This white paper will highlight the association between Network Based and Host Based intrusion detection. A product comparison will be incorporated in a following white paper (part 2) to assist in the selection of the appropriate IDS for your organization. Important facts and considerations will be highlighted to assist when selecting a sound intrusion detection system. This white paper will give you a better understanding of the differences between NIDS and HIDS and will highlight the strengths and weaknesses of both, concurrently extending your knowledge and increasing your understanding of IDS systems.

Host-based intrusion detection with samhain

Published on August 05, 2003, by Matt Lesko, ©Open Source Development Network.

Samhain is a wonderful GPL host-based intrusion detection system. Rather than just comparing files with a known-good database, samhain can perform centralized monitoring with encrypted TCP/IP communications, log to SQL databases, compute cryptographic checksums of configuration files, use stealth mode to disguise itself from intruders, and detect kernel rootkits. It offers a Web interface should you decide to use it in client-server mode.

How to setup and secure Snort, MySQL and Acid on FreeBSD 4.7 Release

Published on 2003-01-28, by Keith Tokash, ©Keith Tokash.

This document will help a user install FreeBSD 4.7 Release, Snort 1.9.0, MySQL 3.23.53, and ACID-0.9.6b21. It will also guide the user through the process of securing the machine and getting the snort sensor(s) to log to a central database over stunnel. The intention is to give users that are new to any of the software the opportunity to build an enterprise-class system based completely on free, open-source tools.

How to use BleedingSnort with Oinkmaster

Published on 2004, by bleedingsnort, ©the Bleeding Edge of Snort.

This article assumes that you do not have Snort or Oinkmaster compiled or configured yet. To that end, we will start our journey at the very beginning: downloading the components. (This article also assumes you are using Linux). You will need to have superuser rights to accomplish most of the following.

IDS - Intrusion Detection System, Part I

Published on May 2003, by Klaus Müller, www.linuxfocus.org.

This is the first article of a sequence about Intrusion Detection Systems. The first part will not only present typical IDS architectures but also typical attacks against Intrusion Detection Systems.

IDS - Intrusion Detection System, Part II

Published on July 2003, by Klaus Müller, www.linuxfocus.org.

In Part I we focused on typical attacks on Intrusion Detection Systems. Part II introduces methods for their discovery and our responses - the application of signatures and filters among them. Finally, we are introducing Snort and LIDS.

IDS Correlation of VA Data and IDS Alerts

Published on June 30, 2003, by Neil Desai, ©securityfocus.

The sky is falling! The sky is falling! Okay, well the sky isn't really falling, but isn't that the way that we all felt the first time we installed a NIDS and turned it on? We watched the alerts fly by the screen quicker than we could determine what they were. If we were lucky we could just make out what colors the alerts were. Unfortunately that stigma has stuck with the intrusion detection industry.

Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor

Published on 2001, by Lambert Schaelicke, Matthew R. Geiger, Curt J. Freeland, ©Lambert Schaelicke, Matthew R. Geiger, Curt J. Freeland.

Network intrusion detection systems have become one of several invaluable tools to safeguard critical infrastructure and information. Publicly available network intrusion detection systems (NIDS) such as Snort and Bro, as well as a large number of commercial systems, complement other security mechanisms by passively monitoring a network link for possible intrusions and other security breaches. Alerts about possible violations are forwarded to security personnel and are often also stored in databases for further analysis and correlation.

Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection

Published on January, 1998, by Thomas H. Ptacek and Timothy N. Newsham, www.secinf.net.

All currently available network intrusion detection (ID) systems rely upon a mechanism of data collection, passive protocol analysis, which is fundamentally flawed. In passive protocol analysis, the intrusion detection system (IDS) unobtrusively watches all traffic on the network, and scrutinizes it for patterns of suspicious activity. We outline in this paper two basic problems with the reliability of passive protocol analysis: (1) there isn't enough information on the wire on which to base conclusions about what is actually happening on networked machines, and (2) the fact that the system is passive makes it inherently "fail-open," meaning that a compromise in the availability of the IDS doesn't compromise the availability of the network. We define three classes of attacks which exploit these fundamental problems (insertion, evasion, and denial of service attacks) and describe how to apply these three types of attacks to IP and TCP protocol analysis. We present the results of tests of the efficacy of

Inside Prelude, an Open Source IDS

Published on 2003-09-18, by KIVILCIM Hindistan, ©O'Reilly.

Today organizations, companies, countries, and ordinary individuals have reflections or even a point of presence in another medium, the Internet. In some cases this point of presence is more important than many real world assessments.

Introduction to Intrusion Detection Systems (An)

Published on 2001-12-06, by Paul Innella and Oba McMillan, ©SecurityFocus.

Intrusion detection systems, or IDSs, have become an important component in the Security Officer’s toolbox. However, many security experts are still in the dark about IDS, unsure about what IDS tools do, how to use them, or why they must. This article will offer a brief overview of intrusion detection systems, including: a description of what IDSs are, the functions they serve, the two primary types of IDS, and the different methods of intrusion detection that they may employ.

Introduction to Intrusion Protection and Network Security

Published on February 24, 2002, by Jennifer Vesperman, source: LinuxSecurity.

In this introduction to protecting your computers from intrusion, the author discusses concepts of computer security. Selecting good passwords, using firewalls, and other security concepts are introduced.

Intrusion Detection 101

Published on March 02, 1998, by Dug Song, ©Nikos Drakos.

In this talk, we provide an overview of current technologies used in research and commercial intrusion detection systems. We also provide a taxonomy of such systems, and identify problems in each approach.

Intrusion Detection Terminology (Part 1)

Published on September 03, 2003, by Andy Cuff, ©SecurityFocus.

Intrusion Detection Systems (IDS) are still in their infancy, but in terms of development they are evolving at an extraordinary rate. The terminology associated with IDS is evolving just as rapidly. As a result of IDS' rapid growth and the marketing prowess of some IDS vendors, some confusion has arisen about the correct meaning of key terms. In some cases the same term may be used by different vendors to mean different things. This is the first of a two-part series that discusses IDS terminology, including terms where there may be disagreement from within the security community. Wherever possible, I have tried to include all definitions except where I consider usage of the term to be inaccurate or misleading.

Intrusion Detection Terminology (Part 2)

Published on 2003-09-24, by Andy Cuff, ©SecurityFocus.

The first part of this series discussed the concept of Alerts, Consoles, False Negatives, and many other terms that are important for Intrusion Detection Systems (IDS). This second and final terminology article will continue in the same vein, starting with an explanation of the many different types of IDSs that exist today.

Intrusion detection with AIDE

Published on 2005-01-20, by Paul Virijevich, ©Open Source Technology Group.

The Advanced Intrusion Detection Environment (AIDE) is a GPL licensed IDS. AIDE works by creating a database containing information about the files on your system. The database is created from rules laid out in the configuration file aide.conf. When AIDE is run, this database is referenced to check for changes. Any changes not permitted by the configuration file are reported.

Intrusion Detection with Tripwire

Published on 2004, by Barry O'Donovan, ©Barry O'Donovan.

A little over two years ago I was hacked. Someone broke into a web server I was administrating that had only Apache and OpenSSH running publicly, and all packages were up-to-date. The hacker replaced my ps binary with his own to hide his processes, and added a new service that was executed from the binary "/bin/crond " (the space is intentional - it makes it look like a normal and expected process in a running-processes listing and a normal binary in a directory listing). The "crond " process gathered usernames and passwords and stored them in a text file in the directory "/dev/pf0     /  /" (5 and 2 spaces respectively), which also contained a root shell. The chances of me finding and identifying this intrusion would have been extremely remote if I had not been running Tripwire.

Intrusion Detection: Implementation and Operational Issues

Published on 2001, by Julia Allen, Alan Christie, John McHugh, ©Ogden Air Logistics Center.

Intrusion detection systems (IDSs) are an important component of defensive measures protecting computer systems and networks from abuse. This article gives an overview of the most commonly used intrusion detection (ID) techniques. It considers the role of IDSs in the overall defensive posture of an organization and provides guidelines for their deployment, operation, and maintenance.

Intrusion-Detection Model (An)

Published on 1987, by Dorothy E. Denning, ©IEEE.

A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described. The model is based on the hypothesis that security violations can be detected by monitoring a system’s audit records for abnormal patterns of system usage. The model includes profiles for representing the behavior of subjects with respect to objects in terms of metrics and statistical models, and rules for acquiring knowledge about this behavior from audit records and for detecting anomalous behavior. The model is independent of any particular system, application environment, system vulnerability, or type of intrusion, thereby providing a framework for a general-purpose intrusion-detection expert system.

Issues Discovering Compromised Machines

Published on 2004-10-25, by Anton Chuvakin, ©SecurityFocus.

One of the latest security books I read had a fascinating example in the preface. The authors, well-known and trustworthy experts in the field of security, made an outrageous claim that most of the Fortune 2000 companies have already been penetrated by hackers (and have been in that state for years!). Hackers move in and out at will through the backdoors and other covert channels without the security personnel knowing or even suspecting it. Without being able to verify the validity of this, I decided to look at the problem of reliably discovering the compromised machines on corporate networks. Reliability is of key importance here, as there are lots of ways to obtain a suspicion that a machine is "owned" or infected, but sadly there are few truly reliable ways to discover that short of full forensic analysis, likely requiring physical access to a machine as well as shutting it down for a potentially long time.

Look at whisker’s anti-IDS tactics (A)

Published on December 24, 1999, by Rain Forest Puppy, www.wiretrip.net.

Anti-Intrusion Detection System (IDS) tactics were one of the original key features of my whisker web scanner. The goal of any anti-IDS tactic is to mutate a request so much that the ID systems will get confused, but the web server will still be able to understand it, hence the subtitle "just how bad can we ruin a good thing?"

Network IDS: To Tailor, or Not to Tailor

Published on 2002-03-06, by Jon-Michael C. Brook, ©SANS Institute.

Intrusion Detection Systems (IDS) identify attacks on a company's resources. These IDS devices watch points in the company's network infrastructure (network intrusion detection), or operate on a specific company asset (host based intrusion detection). These products detect attacks by comparing incoming activity to rule sets and patterns in search of hostile activity (signature based) or by comparing incoming activity against a known baseline in search of out-of-the-ordinary usage (anomaly based). Both signature and anomaly based intrusion detection are resource intensive. IDS resources include CPU, Network interface card (NIC), Memory (RAM), Storage (Hard Drive, SANs, etc), and an overlooked end analyst. This user is often the most under-appreciated component of the IDS design as well as the most important. The analyst must find details and make correlations between multiple information sources.

Network Intrusion Detection Signatures, Part 1

Published on 2001-12-19, by Karen Kent Frederick, ©SecurityFocus.

This is the first in a series of articles on understanding and developing signatures for network intrusion detection systems. In this article we will discuss the basics of network IDS signatures and then take a closer look at signatures that focus on IP, TCP, UDP and ICMP header values. Such signatures ignore packet payloads and instead look for certain header field values or combinations of values. By learning about network IDS signatures, you’ll have more knowledge of how intrusion detection systems operate, and you’ll have a better foundation to write your own IDS signatures.

Network Intrusion Detection Signatures, Part 2

Published on 2002-01-22, by Karen Kent Frederick, ©SecurityFocus.

This is the second in a series of articles on understanding and developing signatures for network intrusion detection systems. In the first installment we looked at signature basics, the functions that signatures serve, header values, signature components, and choosing signatures. In this article we will continue our discussion of IP protocol header values in signatures by closely examining some signature examples. Although it may be relatively easy to develop a signature that matches a particular type of traffic, it will likely cause unexpected false positives and false negatives. Signatures must be carefully developed and tested in order to create a signature set that is highly accurate, yet is also as efficient as possible.

Network Intrusion Detection Signatures, Part 3

Published on 2002-02-19, by Karen Kent Frederick, ©SecurityFocus.

This is the third in a series of articles on understanding and developing signatures for network intrusion detection systems. In Part One and Part Two, we examined the use of IP protocol header values, particularly TCP, UDP and ICMP, in network intrusion detection signatures. In this article, we will continue our discussion of signatures by studying the area of protocol analysis, focusing on the examination of values within TCP and UDP payloads. Network intrusion detection using protocol analysis-based signatures is very effective in detecting both known and unknown attacks involving protocols such as DNS, FTP, HTTP and SMTP.

Network Intrusion Detection Systems FAQ

Published on March 21, 2000, by Robert Graham, ©Robert Graham.

This FAQ answers simple questions related to detecting intruders who attack systems through the network, especially how such intrusions can be detected.

Polymorphism and Intrusion Detection Systems

Published on July 12, 2001, by Chad R. Skipper, www.blackhat.com.

As the Internet and corporate networks continue to evolve and grow, much of the conventional wisdom associated with computer security will continue to be challenged, changed, and in some cases will become obsolete. This presentation discusses the effects of polymorphic attacks on networks. It is important to note that the polymorphic algorithms used to craft malicious attacks are specifically designed to evade common techniques used by Network Intrusion Detection Systems (NIDS). While the use of malicious polymorphic code is not new, we are beginning to see a paradigm shift from

PortSentry for Attack Detection - Part One

Published on May 29, 2002, by Ido Dubrawsky, ©securityfocus.

Portsentry by Psionic Technologies is a component of their TriSentry suite of attack detection tools: portsentry, hostsentry, and logsentry. This article is the first of a two-part series that will describe in detail how Portsentry works from both a theoretical and a technical point of view. The second article will discuss installing, configuring, and tailoring PortSentry for individual systems.

PortSentry for Attack Detection - Part Two

Published on May 29, 2002, by Ido Dubrawsky, ©securityfocus.

This is the second in a two-part series on PortSentry. The first article discussed how PortSentry works to identify attacks, as well as what types of attacks it identifies. This article will focus on building, installing, and operating PortSentry. The focus here will be on the various configuration options available for PortSentry, as well as some of the benefits and drawbacks of those options.

Rules definition for anomaly based intrusion detection

Published on 2002, by Lubomir Nistor, www.security-gurus.de.

Intrusion detection systems (IDS) are one of the fastest growing technologies within the security space. Unfortunately, many companies find it hard to put them to use due to the complexity of deployment and/or a lack of information about their possible use. This document should help security experts, integrators or end-customers to utilize their IDS system to its limits or to fit the expectations required by the company.

Running Snort on IIS Web Servers Part 2: Advanced Techniques

Published on 2001-03-07, by Mark Burnett, ©SecurityFocus.

Intrusion detection is the process of monitoring a network to identify, and thereby prevent, malicious network-based attacks. This process can be automated by a software application or hardware device known as an Intrusion Detection System or IDS. An IDS provides a wide range of monitoring techniques including packet sniffing, file integrity monitoring, and even artificial intelligence algorithms that detect anomalies in network traffic.

Running Snort on IIS Web Servers: Part I

Published on 2000-01-17, by Mark Burnett, ©Mark Burnett.

Not too long ago when talking about network security tools like Snort or Nmap, those of us in the Windows world were often left on the outside looking in. The problem was that those tools simply were not available for any Windows platform. But recently things have changed. Snort, Nmap, Ngrep, and many other network security tools have been ported to the Win32 platform. Finally we can play too.

Securing a Windows’ Snort Sensor for Hostile Environments

Published on 2003-03-22, by Michael Wunsch, ©SANS Institute.

Snort is an open-source Network Intrusion Detection System (NIDS). Originally written for UNIX, it has since been ported to the Windows platform. While Snort undoubtedly runs faster and with less packet loss on a UNIX host, many organizations lack the requisite skill sets to deploy and maintain a UNIX host within their environment. For these organizations, Snort on Windows 2000 provides a low-cost, high-quality NIDS.

Securing an Unpatchable Webserver... HogWash!

Published on 2001-07-31, by Jed Haile and Jason Larsen, ©SecurityFocus.

During a routine examination of a client's network we discovered a vulnerability on a Microsoft IIS 3 web server. After brief investigation, we discovered that this web server runs a mission-critical web application: it is the client's primary means of doing business and must be protected at all cost. The real problem is that this application is tightly bound to certain features of Microsoft's IIS 3 web server. We searched for a patch, but there were none. Microsoft's solution was to upgrade the server to a more recent version. We attempted to upgrade the server to IIS 4, but the result was disaster. A total rewrite of the web application using better technology is underway, but will not be complete for a long time. In the meantime the server needs to remain available and unhacked. What is the security professional to do?

Seldom cry wolf: Tuning out false positives on Network Intrusion Detection Systems

Published on 2004-11-15, by Paul Leitao, ©SANS Institute.

No group of words sounds more exciting to a technical security practitioner than Network Intrusion Detection Systems. These words invoke mental images of cyber clashes with hackers, forensic investigations and do-or-die incident handling exercises. The truth, however, is far less glamorous. In my experience, Intrusion Detection System (NIDS) management usually consists of carrying out less high-profile tasks such as system patching, signature updates and, of course, false positive identification and tuning. Just after my attendance at SANS Downunder 2004 in Melbourne, Australia, one of the major projects that I was deployed on was NIDS tuning for a financial services organization. Having carried out this function in the past and being well aware of the problems associated with this exercise, I resolved to design and implement a tuning methodology which would make the tuning process less painful. The following document describes the tuning methodology design and implementation steps. It provides a step-by-step process of deployment within a medium-size organization (all IP ranges have been changed to protect the innocent, of course).

Snort - Lightweight Intrusion Detection for Networks

Published on 2004, by Martin Roesch, ©Martin Roesch.

Network intrusion detection systems (NIDS) are an important part of any network security architecture. They provide a layer of defense which monitors network traffic for predefined suspicious activity or patterns, and alert system administrators when potential hostile traffic is detected. Commercial NIDS have many differences, but Information Systems departments must face the commonalities that they share such as significant system footprint, complex deployment and high monetary cost. Snort was designed to address these issues.

Snort Alert Collection and Analysis Suite

Published on 2003-09-14, by Chip Calhoun, ©SANS Institute.

This document outlines separating Snort IDS Collection and Analysis Suite duties across a minimum of three servers (Snort sensor, MySQL database and an ACID web server) to gain optimal coverage and performance. The suggestion is to use Linux for all server components and Windows XP for management and viewing via a Management console. To effectively monitor and protect your network, you will need to understand what parts of your network are crucial to business operations and only then can you design your installation to meet the business requirements. There will be a bit of discussion around Linux installations and the software required on each component. The goal is a scalable solution that can help to secure networks of varying designs and size.

SNORT and ACID install on Solaris9

Published on 2004, by Guillaume Rix, ©Guillaume Rix.

This manual concerns the installation and configuration of Snort and ACID on Solaris9. Of course, the installation of all necessary components, such as MySQL, SSL, PHP, ADOdb, etc., will be explained too.

Snort Install on Win2000/XP with Acid, and MySQL

Published on 2002, by Christina Neal, ©SANS Institute.

"Snort is a lightweight Network Intrusion Detection System, capable of performing realtime traffic analysis and packet logging on IP networks." Snort spies on all of the packets going through a specific network that it is set up to monitor and alerts when it finds specific predefined patterns (defined in the Rules) that could be malicious. Snort works with many different operating systems and platforms. It can be used as a Packet Sniffer, Packet Logger or Network Intrusion Detection System. Snort is a very powerful, customizable, flexible

Snort Installation and Basic Usage, part 1

Published on 2000-07-17, by Dale Coddington, ©SecurityFocus.

Computer intrusions are on the rise. Whether it's script kids trying to deface a web page or a calculated attacker trying to steal credit card information, sites must equip themselves to not only ward off attacks, but know if these attacks are taking place. This is where Intrusion Detection Systems (IDS) come into play. In a nutshell, an IDS is a system that sits on a network and watches for anomalies. A basic IDS watches either all of the traffic or a sampling of the traffic going through the wire. It compares this traffic to a database of fingerprints or signatures of known attacks. If an attack is detected the IDS can take multiple actions depending on the configurable response to the attack. These actions can be anything from paging the administrator to dropping the route of the attacker. More complex IDSs will also recognize anomalies in the patterns of system users. As an example, Bob always logs in from the machine named 'defiant' from the hours of 9 to 5. Suddenly Bob begins to log in from the machine named 'regret' from the hours of 1 am to 3 am on Saturdays. A robust IDS would flag this as suspect.

Snort Installation and Basic Usage, Part 2

Published on 2000-07-31, by Dale Coddington, ©SecurityFocus.

Part I of this article focused on the installation and basic usage of the snort intrusion detection system (IDS) on the Linux platform, including running snort as a command line sniffer and loading snort with a pre-defined rule set. This article will take a look at some further methods and programs that can be used in conjunction with snort to more reliably detect and fend off intrusions. We will also examine how rules are written to suit special case scenarios.

Snort Users Manual

Published on 2003-07-22, by Martin Roesch and Chris Green, ©Martin Roesch and Chris Green.

Snort really isn’t very hard to use, but there are a lot of command line options to play with, and it’s not always obvious which ones go together well. This file aims to make using Snort easier for new users. Before we proceed, there are a few basic concepts you should understand about Snort. There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system. Sniffer mode simply reads the packets off of the network and displays them for you in a continuous stream on the console. Packet logger mode logs the packets to the disk. Network intrusion detection mode is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user defined rule set and perform several actions based upon what it sees.

Snort's Place in a Windows 2000 Environment

Published on 2002-04-15, by Jon Bull, ©Jon Bull.

The target audience of this document is middle of the road administrators who may be looking for an easy to setup network intrusion detection system that won't put a dent in the IT budget. This document will introduce you to Snort.

Snort, Apache, PHP, MySQL and Acid Install on RH9.0

Published on 2003-08-02, by Patrick Harper, ©Patrick Harper.

This document originated when a friend of mine asked me to put together this procedure for him so that he could install Snort and Acid. It is pretty basic and is for the Linux newbie, as well as the Snort newbie. This is not an ultra-secure end-all to Snort IDS deployment guide; this is a "How in the hell do I get this installed and working" guide. This document will walk you through installing a stand-alone RedHat system (this is not for a dual boot system).

Snort, Apache, SSL, PHP, MySQL, Acid Install on Fedora Core 2

Published on 2004-10-10, by Patrick Harper, ©Patrick Harper.

This document originated when a friend of mine asked me to put together this procedure for him so that he could install Snort and Acid. It is pretty basic and is for the Linux newbie, as well as the Snort newbie. This is not an ultra-secure end-all to Snort IDS deployment guide; this is a "How in the hell do I get this installed and working" guide. This document will walk you through installing a stand-alone RedHat/Fedora system (this is not for a dual boot system).

Snort, MySQL and ACID on Redhat 7.3

Published on 2002, by Steven J. Scott, ©Steven J. Scott.

The purpose of this guide is to document the installation and configuration of a complete Snort implementation. This guide contains all the necessary information for installing and understanding the architectural layout of the implementation. The information in this guide was written for implementing Snort 1.8 using Redhat 7.3. You may find some discrepancies if you are installing different versions of Snort or using different versions of Redhat. This guide was written with the assumption that you understand how to run Snort and have a basic understanding of Linux. This includes editing files, making directories, compiling software and understanding general Unix commands. This guide does not explain how to use or configure Snort, but information on where to obtain this information can be found in the "Additional Information" section.

Snort-Setup for Statistics HOWTO

Published on 2002-02-23, by Sandro Poppi, ©Sandro Poppi.

This HOWTO describes how to configure Snort version 1.8.3 to be used in conjunction with the statistical tools ACID (Analysis Console for Intrusion Databases) and SnortSnarf. It also intends to get some internal statistics out of snort, e.g. if there are packets dropped.

State of the Practice of Intrusion Detection Technologies

Published on 2000, by Julia Allen, Alan Christie, William Fithen, John McHugh, Jed Pickel, Ed Stoner, ©Carnegie Mellon University.

Attacks on the nation’s computer infrastructures are a serious problem. Over the past 12 years, the growing number of computer security incidents on the Internet has reflected the growth of the Internet itself. Because most deployed computer systems are vulnerable to attack, intrusion detection (ID) is a rapidly developing field. Intrusion detection is an important technology business sector as well as an active area of research.

Strategies to Reduce False Positives and False Negatives in NIDS

Published on 2001-09-11, by Kevin Timm, ©SecurityFocus.

Network-based intrusion detection systems (NIDS) perform in-depth packet analysis in order to enumerate attackers who are attempting to expose network and service vulnerabilities. NIDS devices can also aid in identifying misuse patterns and gathering forensic data. By examining network traffic in real time, NIDS devices can alert users to possible attacks and/or take predefined responsive actions to help mitigate the threat. By providing an additional layer of protection above and beyond access control devices such as a firewall, NIDSs can be a valuable addition to the security arsenal. However, network intrusion detection has been criticized for its propensity to generate a perceived large amount of false positives and false negatives. Effective NIDS device management can appreciably reduce these reporting inaccuracies.

Tool for running Snort in dynamic IP address assignment environment (A)

Published on 2002-02-16, by Shin Ishikawa, ©SANS Institute.

The purpose of this paper is to detail the creation of a small tool program which aids the operation of the Snort IDS in a dynamically assigned IP address environment. The configuration file of Snort (snort.conf) specifies IP numbers for the monitored network and servers. For non-permanent IP address subscriber sites, which is the case for most ADSL users, these parameters need to be updated every time the data link connection resets and a new address is assigned. A set of small programs is written to automate the Snort configuration update for connections using PPPoE.

Using Afick To Aid In Intrusion Detection

Published on 2004-02-27, by Rick Nicholas, ©Rick Nicholas.

Afick is a fast and portable utility which acts as an aid in intrusion detection as well as helping to monitor the general integrity of your system. Afick was written by Eric Gerbier and is distributed under the GNU General Public License. It is available for a number of platforms in both binary and source formats.

Using Snort For a Distributed Intrusion Detection System

Published on 2002, by Michael P. Brennan, ©SANS Institute.

Intrusion detection has become an extremely important feature of the defense-in-depth strategy. The thought used to be that if you had a firewall protecting your network you were secure. This is no longer the case. A firewall is an essential and important part of network security, but it does not have the ability to detect hostile intent. Unlike a firewall, an intrusion detection system has the ability to evaluate solitary packets and generate an alarm if it detects a packet with hostile potential. This document will provide an option for setting up a distributed network intrusion detection system using open source tools, including the intrusion detection software Snort. Through the use of open source tools and spare hardware, an intrusion detection system can be set up with minimal financial burden.

Using Snort v1.8 with SnortSnarf on a RedHat Linux system

Published on 2001-07-25, by Richard L. Greene Jr., ©SANS Institute.

To effectively implement system and network security, a multi-pronged approach should be used. Proper security policies, firewalls, proxy servers, properly complex passwords and intrusion detection systems layered together help form one of the bedrock principles called "Defense in Depth"[1]. The purpose of defense in depth is to prevent inherent and unknown flaws in the technologies deployed from allowing unauthorized access into a system or server. If one layer fails there is another to protect the failed layer. The intrusion detection system's (IDS) job is to log attempts of unauthorized network access into the systems.

Wanted Dead or Alive: Snort Intrusion Detection System

Published on 2003-10-15, by Mark Eanes, ©SANS Institute.

With the status of intrusion detection system’s (IDS) future doubted by some and supported by others, the steps involved in building a distributed IDS are questioned. Issues with deployment and implementation are outlined in summary. Review of currently available documentation and setup of systems, while updating applications required for the builds, are conducted to determine what problems may be encountered and if solutions or workarounds exist. A question of what additional security measures may be performed is addressed, along with a means to duplicate systems inexpensively.

Wireless Intrusion Detection and Response

Published on 2003, by Yu-Xi Lim, Tim Schmoyer, ©Georgia Institute of Technology.

A prototype implementation of a wireless intrusion detection and active response system is described. An off the shelf wireless access point was modified by downloading a new Linux operating system with non-standard wireless access point functionality in order to implement a wireless intrusion detection system that has the ability to actively respond to identified threats. An overview of the characteristics and functionality required in a wireless intrusion detection system is presented along with a review and comparison of existing wireless intrusion detection systems and functionalities. Implemented functionality and capabilities of our prototyped system are presented along with conclusions as to what is necessary to implement a more desirable and capable wireless intrusion detection system.

Wireless Intrusion Detection Systems

Published on 2003-11-05, by Jamil Farshchi, ©SecurityFocus.

Threats to wireless local area networks (WLANs) are numerous and potentially devastating. Security issues ranging from misconfigured wireless access points (WAPs) to session hijacking to Denial of Service (DoS) can plague a WLAN. Wireless networks are not only susceptible to TCP/IP-based attacks native to wired networks, they are also subject to a wide array of 802.11-specific threats. To aid in the defense and detection of these potential threats, WLANs should employ a security solution that includes an intrusion detection system (IDS). Even organizations without a WLAN are at risk of wireless threats and should consider an IDS solution. This paper will describe the need for wireless intrusion detection, provide an explanation of wireless intrusion detection systems, and identify the benefits and drawbacks of a wireless intrusion detection solution.

Wireless Intrusion Detection Systems

Published on 2004-10-18, by Ken Hutchison, ©SANS Institute.

Hewlett Packard tells us that 31 Million users worldwide will be accessing public wireless networks by 2007.

It is clear that wireless solutions are transforming the way we work and live. Employees are able to keep in touch with their e-mail, calendar and employer from mobile devices, while wireless applications such as Radio Frequency Identification (RFID) Smart Tags are, for example, transforming the way luggage is handled at airports, the way public transport is managed and even tracking cattle to help prevent future bovine disease! Using wireless-enabled devices, it is already possible to access the internet from public areas such as coffee shops, hotels and motorway rest stops. All of this is possible through the use of Wireless Local Area Networks (WLANs).

Created: 2010-03-15 18:42 | Modified: 2009-01-10 02:17 | Size: 209678 octets