2. Intrusion Detection System Overview
What is an intrusion?
Unauthorized access to, or misuse of, computer infrastructure
What is an intrusion detection system?
A mechanism that monitors activity, detects intrusions, and records evidence of them
Why is it required?
To protect the CIA triad (confidentiality, integrity, availability)
How does an IDS work?
3. Intrusion Detection System
• Two IDS sensors in this model (the diagram is not reproduced here)
• One external sensor monitoring traffic at the network perimeter (Internet-facing)
• One internal sensor monitoring traffic inside the network (lateral movement, insider activity)
4. Types of IDS
HIDS (host-based IDS) examine specific host-based actions, such as which applications are being used, which files are being accessed, and what information resides in the kernel logs.
NIDS (network-based IDS) analyze the flow of information between computers, i.e., network traffic. They essentially "sniff" the network for suspicious behavior.
5. NIDS Introduction
Why NIDS?
Monitor network traffic
Alert the responsible personnel or the owner of the targeted system
Apply preventive measures (Network Intrusion Prevention System, NIPS: a NIDS deployed inline that can drop or reset offending traffic)
6. NIDS Functionality
How does it work?
Sniffing
collect and inspect the traffic passing the sensor (inbound and outbound)
Protocol awareness
protocol reassembly (IP fragments, TCP streams) and normalization, so that a signature split across packets or hidden by encoding is still inspected as one stream
Alerting
send email / log events / send SNMP traps
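Why reassembly matters, as an added example (not code from the original slides or from any NIDS product): an attack string is split across two TCP segments that also arrive out of order. A sniffer that runs the signature per packet misses it; a sensor that reorders and stitches the stream first catches it. The segments, sequence numbers and signature are constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Constructed sample traffic: one HTTP request whose "/etc/passwd" string is
# cut in the middle, and whose two segments arrive in the wrong order.
ISN = 1000
FULL_REQUEST = b"GET /../../etc/passwd HTTP/1.1\r\nHost: victim\r\n\r\n"
SEGMENTS_ON_WIRE = [
    Segment(ISN + 20, FULL_REQUEST[20:]),   # second half arrives first
    Segment(ISN, FULL_REQUEST[:20]),        # first half ("...etc/passw") arrives second
]
SIGNATURE = re.compile(rb"/etc/passwd")


def inspect_per_packet(segments):
    """Naive sniffer: run the signature over each segment in arrival order.
    Returns the sequence numbers of segments that matched."""
    return [s.seq for s in segments if SIGNATURE.search(s.payload)]


def reassemble(segments, isn):
    """Order segments by sequence number and stitch a contiguous byte stream.
    Overlaps are resolved 'first byte wins'; real stacks differ here, which is
    why Snort's stream preprocessor lets you pick a per-host reassembly policy."""
    stream = bytearray()
    for seg in sorted(segments, key=lambda s: s.seq):
        offset = seg.seq - isn
        if offset > len(stream):
            raise ValueError(f"gap in stream before seq {seg.seq}")
        stream.extend(seg.payload[len(stream) - offset:])   # skip already-seen bytes
    return bytes(stream)


def inspect_stream(segments, isn):
    """Protocol-aware sensor: reassemble first, then match."""
    return SIGNATURE.search(reassemble(segments, isn)) is not None


if __name__ == "__main__":
    print("per-packet hits:", inspect_per_packet(SEGMENTS_ON_WIRE))   # []
    print("stream hit:", inspect_stream(SEGMENTS_ON_WIRE, ISN))       # True
```

The per-packet check sees "…etc/passw" and "d HTTP/1.1…" separately and never matches; the same split is the basis of classic IDS evasion, which is why TCP stream and IP fragment reassembly sit in front of signature matching.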
7. Modes of Detection
Signature based
The oldest and most common method
Compare packets and reassembled streams against known malicious byte sequences (signatures); precise for known attacks, blind to new ones
Protocol awareness (protocol anomaly detection)
Compare network packets against the protocol standard (RFC); flag malformed or out-of-specification fields
Behavioral analysis (anomaly detection)
More recent development
Learn the normal traffic pattern, alert when the pattern changes; can catch unknown attacks but produces more false positives and needs a clean training period
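Behavioral analysis in working form, as an added example (not from the original slides): learn, per source host, how many distinct destination ports it normally touches per minute, then alert when a live window exceeds that baseline. The flow records, hosts and thresholds are constructed for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (minute bucket, source IP, destination port).
# Training window: a workstation that normally talks to three ports.
TRAINING = [(m, "10.0.0.5", p) for m in range(10) for p in (80, 443, 53)]
# Live window: the same host touches 40 distinct ports in one minute
# (scan-like), and a never-seen host appears.
LIVE = [(10, "10.0.0.5", p) for p in range(1, 41)] + [(10, "10.0.0.7", 443)]


def distinct_ports_per_minute(records):
    """Map (src, minute) -> number of distinct destination ports seen."""
    seen = defaultdict(set)
    for minute, src, dport in records:
        seen[(src, minute)].add(dport)
    return {key: len(ports) for key, ports in seen.items()}


def learn_baseline(records):
    """Per-source (mean, population stdev) of distinct ports per minute."""
    per_src = defaultdict(list)
    for (src, _minute), n in distinct_ports_per_minute(records).items():
        per_src[src].append(n)
    return {src: (mean(v), pstdev(v)) for src, v in per_src.items()}


def detect(baseline, records, k=3.0, min_delta=5):
    """Alert when a source exceeds mean + k*stdev distinct ports in a minute.
    min_delta stops a zero-variance baseline (as in TRAINING) from alerting on
    a change of one port. Unknown sources are reported as having no baseline."""
    alerts = []
    for (src, minute), n in distinct_ports_per_minute(records).items():
        if src not in baseline:
            alerts.append((src, minute, n, "no baseline for source"))
            continue
        mu, sigma = baseline[src]
        threshold = max(mu + k * sigma, mu + min_delta)
        if n > threshold:
            alerts.append((src, minute, n, f"above baseline mean {mu:.1f}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(learn_baseline(TRAINING), LIVE):
        print(alert)
```

The two alerts show both faces of the method: the scan is caught without any signature for it, but the new host 10.0.0.7 is also flagged simply for being new, which is the false-positive cost the slide mentions.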
9. Output of NIDS/NIPS
Depends on the vendor
General evidence / output:
Configuration: configuration of the devices being monitored
Alert data: alerts delivered through text files, email, SMS
Packet headers / flow information: headers of the logged malicious packets and flow records
Content data: captured full data packets (pcap)
Correlated activities: correlated event data
10. NIDS EXAMPLE
SNORT
One of the most widely deployed IDS/IPS engines in the world
Signature based (rules), with preprocessors for reassembly and protocol decoding
Open source
Large support community
12. SNORT CONFIGURATIONS
RULES
Each rule is written on a single line: a header (action, protocol, source address and port, direction, destination address and port) followed by options in parentheses (msg, content, sid, ...)
Rules are created from known intrusion signatures
Rule files are stored in /etc/snort/rules (conventional Linux package layout; the paths below are likewise the defaults)
Native alerts and logged packets are written to /var/log/snort
Global values (network variables such as $HOME_NET, preprocessor settings, included rule files) are stored in /etc/snort/snort.conf
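How a one-line rule is structured and applied, as an added example (not Snort's code, and not from the original slides): a small parser splits a rule into header and options, and a matcher runs it over constructed packets. The rule, the $HOME_NET / $EXTERNAL_NET values and the packets are all made up for this example; only content, nocase and the header fields are evaluated (flow: needs stream state that a single-packet example does not track, and |hex| content escapes are not handled).

```python
import ipaddress
import re

# Assumed snort.conf network variables (constructed for this example).
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24"}

# Constructed rule in Snort 2 syntax; sid 1000001 is in the local-rule range.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
        '(msg:"WEB-ATTACK /etc/passwd access"; flow:to_server,established; '
        'content:"/etc/passwd"; nocase; classtype:web-application-attack; '
        'sid:1000001; rev:1;)')

# One option: key, optional :value (quoted or bare), terminated by ';'
OPT_RE = re.compile(r'\s*(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(line):
    """Split a one-line rule into its header tuple and an ordered option list."""
    head, _, body = line.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    if direction != "->":
        raise ValueError("only unidirectional (->) rules are handled here")
    body, pos, opts = body.rstrip().rstrip(")"), 0, []
    while pos < len(body):
        m = OPT_RE.match(body, pos)
        if not m:
            raise ValueError(f"cannot parse options near {body[pos:pos + 20]!r}")
        key, val = m.group(1), m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]                 # strip quotes of msg:"..." / content:"..."
        opts.append((key, val))
        pos = m.end()
    return (action, proto, src, sport, dst, dport), opts


def addr_matches(spec, ip):
    """Resolve $VAR, honour a leading '!', and test membership (or 'any')."""
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(spec, port):
    """'any', a single port, or a range 'lo:hi' with either side open."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    """Header match first, then every content option (nocase modifies the
    content that precedes it, as in Snort)."""
    (_action, proto, src, sport, dst, dport), opts = rule
    if pkt["proto"] != proto:
        return False
    if not (addr_matches(src, pkt["src"]) and addr_matches(dst, pkt["dst"])):
        return False
    if not (port_matches(sport, pkt["sport"]) and port_matches(dport, pkt["dport"])):
        return False
    contents = []                           # [[needle, nocase], ...]
    for key, val in opts:
        if key == "content":
            contents.append([val.encode(), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
    for needle, nocase in contents:
        hay = pkt["payload"]
        if nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


# Constructed packets: one true positive, one internal source that the
# $EXTERNAL_NET header excludes, one benign request.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "sport": 51515, "dst": "192.168.1.69", "dport": 80,
     "payload": b"GET /../../ETC/PASSWD HTTP/1.1\r\nHost: x\r\n\r\n"},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 40000, "dst": "192.168.1.69", "dport": 80,
     "payload": b"GET /etc/passwd HTTP/1.1\r\n\r\n"},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 51516, "dst": "192.168.1.69", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\n\r\n"},
]


def run(rule_line, packets):
    """Return alert lines in a Snort-like '[gid:sid] msg src:port -> dst:port' shape."""
    rule = parse_rule(rule_line)
    o = dict(rule[1])
    return [f"[1:{o['sid']}] {o['msg']} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}"
            for p in packets if rule_matches(rule, p)]


if __name__ == "__main__":
    for line in run(RULE, PACKETS):
        print(line)
```

Only the first packet alerts: the second carries the same string but comes from $HOME_NET, which the header's $EXTERNAL_NET (defined here as the negation of $HOME_NET) rules out before any content is inspected. Getting $HOME_NET right in snort.conf therefore matters as much as the rule set itself.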
16. Challenges with current NIDS
SNORT / signature based
Signature matching and packet logging cost CPU on every packet; at high line rates the sensor starts dropping packets
Full packet logging requires high disk capacity
Signatures only match known attacks and must be kept up to date
17. Conclusion
NIDS/NIPS are the first line of defence against malicious network activity
Investigators leverage evidence from NIDS to find the root of the problem
Field of further study and research
23. Case Study
Further analysis of the target IP (192.168.1.69)
Search all alerts related to this IP
Count of malicious alerts for the same IP
Alert message
24. Case Study
Alert message analysis:
The alert (raised by Snort's TCP decoder, i.e. a protocol-awareness check, not by a content rule):
TCP windows scale option found with length > 14
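What that decoder alert actually tests, as an added example (not Snort's code and not from the original slides): RFC 7323 limits the TCP window scale shift count to 14, so a window scale option carrying a larger value is out of specification. The code builds two constructed TCP headers, walks their option list, and raises the quoted message when the shift count exceeds 14; the "> 14" check is assumed here to be that RFC limit, which the alert text calls "length".

```python
import struct


def build_tcp_header(sport, dport, options, flags=0x02, window=65535):
    """Constructed TCP header (no payload, zero checksum) carrying the given
    options, padded to a 32-bit boundary. Used only to feed the decoder below."""
    opts = options + b"\x00" * ((-len(options)) % 4)
    data_offset = 5 + len(opts) // 4          # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                        data_offset << 4, flags, window, 0, 0)
    return fixed + opts


def parse_tcp_options(segment):
    """Walk the TCP options area and return [(kind, data), ...].
    Raises ValueError on a bad data offset or a truncated / undersized option."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    opts, i, out = segment[20:data_offset], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                         # End of option list
            break
        if kind == 1:                         # NOP, no length byte
            out.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError(f"option kind {kind} has no length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad option length {length} for kind {kind}")
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def decoder_alerts(segment):
    """Protocol-awareness checks in the spirit of a NIDS TCP decoder: a window
    scale option (kind 3) must be 3 bytes long and its shift count at most 14."""
    alerts = []
    for kind, data in parse_tcp_options(segment):
        if kind == 3:
            if len(data) != 1:
                alerts.append("TCP window scale option with bad length")
            elif data[0] > 14:
                alerts.append("TCP windows scale option found with length > 14")
    return alerts


# Constructed samples: MSS 1460, NOP, then window scale with shift 7 (normal)
# or shift 32 (out of spec; 0x20 > 14).
NORMAL = build_tcp_header(51515, 80, b"\x02\x04\x05\xb4\x01\x03\x03\x07")
SUSPECT = build_tcp_header(51515, 80, b"\x02\x04\x05\xb4\x01\x03\x03\x20")

if __name__ == "__main__":
    print("normal :", decoder_alerts(NORMAL))    # []
    print("suspect:", decoder_alerts(SUSPECT))   # one alert
```

In an investigation this alert on its own proves little: a misbehaving TCP stack, a fuzzer, or an OS-fingerprinting probe against 192.168.1.69 all produce it. The recorded packet headers and the count of alerts for the same IP are what turn it into evidence, which is why that data is collected alongside the alert text.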
Findings: