1. Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention with Snort
   Dr. Jim Chen, Victor Tsao, Barry Williams, Tokunbo Olojo, John Smet, Nicole Regobert, Lamin Kamara, Michael Hughes
   March 2006

2. CSMN683: Intrusion Detection, Incident Response, and Computer Forensics: Course Description
   - "The theory, skills, and tools needed in intrusion detection and computer forensics are the major themes in this course. The course discusses techniques for identifying vulnerable target systems and types of malicious code, for mitigating security risks, and for recognizing attack patterns. It also presents the conceptual and operational tools necessary for analysis and resolution of problems with respect to effective filters and firewalls, attack tracing, system recovery, continuity of operation, evidence collection, evidence analysis, and prosecution."

3. Student Background
   - 38.09% of students had heard of at least one intrusion detection system.
   - 14.28% of students had heard of Snort.
   - 61.91% of students had never used any intrusion detection system.
   - 90.47% of students had never seen a signature or a rule within an intrusion detection system.
   - 85.71% of students had never seen a log analyzer.

4. Challenges
   - (1) How to explain intrusion?
   - (2) How to explain detection?
   - (3) How to show detection methods?
   - (4) How to demonstrate the limitations of some detection methods?
   - (5) How to encourage students to figure out ways of overcoming the limitations?

5. Solution
   - Selected Snort since it is an open source product
   - Designed and developed hands-on laboratory exercises using Snort

6. Snort
   - "Snort® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry."
   - from http://www.snort.org/

7. 4 Lab Exercises Using Snort
   - Lab 1: Shows an intrusion and the detection of that intrusion [addressing Challenges (1) & (2)]
   - Lab 2: Shows the signature-based detection method and its limitations [addressing Challenges (3) & (4)]
   - Lab 3: Shows the analysis of intrusion detection system logs using an analysis engine [addressing Challenge (5)]
   - Lab 4: Shows one way of improving the IDS by writing plug-ins [addressing Challenge (5)]

8. Objectives of Lab 1
   - Show an intrusion
   - Show the issues in detecting the intrusion
   - Detect the intrusion

9. Lab 1: Intrusion Detection
   - One computer with Snort running on it
   - Another computer with an intrusion software tool running on it
   - Connect the two computers together to form a network

10. Intrusion Detection
   - Demo

11. Lab 1: Lesson Learned
   - It is not difficult to exploit a vulnerability within a computer system.
   - By default, some intrusions may not be detected using Snort.
   - With appropriate signatures and rules, some intrusions can be detected.

12. Objectives of Lab 2
   - Discuss the benefits and limitations of using signatures and rules
   - Explain the syntax of rules in Snort
   - Learn to modify existing rules and write new rules

13. Lab 2: Signatures for Intrusion Detection
   - What is a signature?
   - Why are signatures needed in an intrusion detection system?
   - What is a rule in Snort?
   - What is the syntax of a rule in Snort?
   - How do Snort rules work?

14. Anatomy of a Rule
   - Rule header: contains the rule's action, protocol, source IP address, source port number, destination IP address, destination port number, etc.
   - Rule body: consists of keywords and arguments used to trigger an alert, etc.

15. Signatures for Intrusion Detection
   - Demo

16. Writing Rules
   - Identify the characteristics of the suspicious traffic
   - Write rules based on those characteristics
   - Implement the rules
   - Test the rules to see whether they capture the suspicious traffic
   - Modify the rules accordingly
   - Test and modify the rules again
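To make the "Anatomy of a Rule" and "Writing Rules" slides concrete, here is an added Python example; it is not code from the presentation or from the Snort project. It parses a rule line into the header fields the slide lists (action, protocol, addresses, ports, direction) and the parenthesised keyword/argument list the slide calls the rule body (Snort's own documentation calls it the rule options), then runs the rule against constructed packets so the test-modify-test cycle can be seen in miniature. The rule, the `$HOME_NET`/`$EXTERNAL_NET`/`$HTTP_PORTS` values and the three packets are all constructed for the demonstration; the matcher is deliberately a toy: only `content:` with its `nocase` modifier is evaluated, keywords such as `flow:` are parsed but ignored, and ports are single values.

```python
"""Snort-style rule parser and toy matcher (added example; not code from the slides or from Snort)."""
import ipaddress
import re
from collections import namedtuple
Rule = namedtuple("Rule", "action proto src_ip src_port direction dst_ip dst_port options")
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$")

def split_options(text):
    """Split 'msg:"a;b"; sid:1;' into (keyword, value) pairs; a ';' inside quotes is data."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            items.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if in_quote or "".join(buf).strip():
        raise ValueError("unterminated quote or option without a closing ';'")
    pairs = []
    for item in filter(None, items):
        key, sep, val = item.partition(":")
        pairs.append((key.strip(), val.strip() if sep else None))
    return pairs

def parse_rule(line):
    m = HEADER_RE.match(line.strip())   # header fields, then the option list in parentheses
    if not m:
        raise ValueError("malformed rule header: %r" % line)
    return Rule(m["action"], m["proto"], m["src_ip"], m["src_port"], m["direction"],
                m["dst_ip"], m["dst_port"], split_options(m["options"]))

def decode_content(value):
    """content:"GET |2F|admin" -> b"GET /admin": literal text outside pipes, hex bytes inside."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError("content value must be double-quoted")
    segments = value[1:-1].split("|")
    if len(segments) % 2 == 0:
        raise ValueError("unbalanced '|' in content")
    return b"".join(bytes.fromhex(seg) if i % 2 else re.sub(r"\\(.)", r"\1", seg).encode("latin-1")
                    for i, seg in enumerate(segments))

def _ip_match(pattern, addr, variables):
    pattern = variables.get(pattern, pattern)   # $HOME_NET and friends come from the variables table
    if pattern == "any":
        return True
    negate = pattern.startswith("!")
    net = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate

def _port_match(pattern, port, variables):
    pattern = variables.get(pattern, pattern)
    return pattern == "any" or port == int(pattern)   # single ports only; lists and ranges omitted

def rule_matches(rule, pkt, variables=None):
    """True when the header and every content: option match the packet dict."""
    variables = variables or {}
    if rule.proto not in ("ip", pkt["proto"]):
        return False
    ends = [(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])]
    if rule.direction == "<>":                  # bidirectional rule: either orientation may match
        ends.append((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
    if not any(_ip_match(rule.src_ip, s, variables) and _port_match(rule.src_port, sp, variables)
               and _ip_match(rule.dst_ip, d, variables) and _port_match(rule.dst_port, dp, variables)
               for s, sp, d, dp in ends):
        return False
    for idx, (key, val) in enumerate(rule.options):
        if key != "content":
            continue
        needle, hay = decode_content(val), pkt["payload"]
        rest = [k for k, _ in rule.options[idx + 1:]] + ["content"]   # sentinel ends the search
        if "nocase" in rest[:rest.index("content")]:  # modifiers belong to the preceding content:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True

# Constructed rule, variable table and packets for the demonstration (not taken from the slides).
VARIABLES = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24", "$HTTP_PORTS": "80"}
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Admin page request; possible probe"; '
               'flow:to_server,established; content:"GET"; content:"/admin"; nocase; sid:1000001; rev:1;)')

def demo():
    rule = parse_rule(SAMPLE_RULE)
    base = {"proto": "tcp", "src": "203.0.113.5", "sport": 40000, "dst": "192.168.1.10", "dport": 80}
    probe = dict(base, payload=b"GET /ADMIN/ HTTP/1.1\r\n")
    guide = dict(base, payload=b"GET /Administration-guide.html HTTP/1.1\r\n")
    alt_port = dict(base, dport=8080, payload=b"GET /admin HTTP/1.1\r\n")
    return {"probe": rule_matches(rule, probe, VARIABLES),               # True: the intended hit
            "guide_false_positive": rule_matches(rule, guide, VARIABLES),  # True: "/admin" is too loose
            "port_false_negative": rule_matches(rule, alt_port, VARIABLES)}  # False: $HTTP_PORTS is too narrow
```

Running `demo()` gives the three outcomes the Lab 2 lesson is about: the intended hit, a false positive (a documentation page whose path happens to contain `/admin`, caught because `nocase` plus a short substring is too loose), and a false negative (the same request on port 8080, which `$HTTP_PORTS` does not cover). Tightening the content to `"GET /admin/"` and widening the port variable, then re-running, is exactly the test-modify-test loop of slide 16.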
17. Lab 2: Lesson Learned
   - It is important to identify the characteristics of the suspicious traffic before writing any rules.
   - Rules need to be tested, modified, and further tested and modified again in order to reduce false positives and false negatives.
   - It is also important to know the limitations of signature technology.

18. Objectives of Lab 3
   - Discuss the importance of using a log analyzer, such as BASE (Basic Analysis and Security Engine) or ACID (Analysis Console for Intrusion Databases)
   - Learn to use BASE to analyze log files

19. Lab 3: Intrusion Detection Log Analysis
   - Use BASE (Basic Analysis and Security Engine) to analyze log files
   - Show the different functionalities of BASE

20. Basic Analysis and Security Engine
   - Written in the PHP programming language
   - Analyzes intrusion logs
   - Displays information from a database in a Web-based format
   - Generates graphs and alerts based on the sensor, time, signature, and protocol
   - Displays on the main page a summary of currently logged alerts as well as various alert summary breakdowns and links to graphs
   - Can be administered based on categories such as alert groups, false positives, and e-mail alerts

21. Basic Analysis and Security Engine
   - Demo

22. Lab 3: Lesson Learned
   - It is important to identify the trend of suspicious traffic.
   - Log analyzers can help us to identify the trend since they can display log data in a graphical and easy-to-understand format.
   - Log analyzers should be further improved to handle logs in different formats.
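As an added illustration of what the Lab 3 slides mean by trend identification, here is a small Python example that is not code from BASE or from the presentation. It parses Snort's text `alert_fast` output and produces the kind of breakdowns a log analyzer's main page shows (by signature, protocol, source address and hour). The six log lines are constructed in the `alert_fast` layout; the signature ids fall in the local-rule range and do not refer to real rules, and one deliberately malformed line shows why a parser must count what it cannot read instead of failing on it.

```python
"""Summaries of Snort alert_fast log lines, in the spirit of a BASE main page (added example; not BASE code)."""
import re
from collections import Counter

ALERT_FAST_RE = re.compile(
    r"^(?P<month>\d\d)/(?P<day>\d\d)-(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]*)\]\s+)?\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")

# Constructed sample lines in alert_fast layout; sids 1000001-1000003 are the local-rule range, not real rules.
SAMPLE_LOG = """\
03/15-10:22:01.123456  [**] [1:1000001:1] Admin page request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:40000 -> 192.168.1.10:80
03/15-10:22:03.000010  [**] [1:1000001:1] Admin page request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:40001 -> 192.168.1.10:80
03/15-10:23:17.555000  [**] [1:1000002:1] ICMP echo request seen [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.168.1.10
03/15-11:05:44.000000  [**] [1:1000001:1] Admin page request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:51000 -> 192.168.1.20:80
this line is not an alert and must be counted as skipped rather than crash the parser
03/15-11:06:01.250000  [**] [1:1000003:2] SQL keyword in query string [**] [Priority: 2] {TCP} 203.0.113.5:40002 -> 192.168.1.20:80
"""

def parse_alerts(text):
    """Return (alerts, skipped): parsed alert dicts and the count of lines that did not parse."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        m = ALERT_FAST_RE.match(line)
        if not m:
            skipped += 1
            continue
        alert = m.groupdict()
        alert["priority"] = int(alert["priority"])
        alerts.append(alert)
    return alerts, skipped

def summarize(alerts):
    """Breakdowns a log analyzer shows up front: by signature, protocol, source address and hour."""
    return {
        "total": len(alerts),
        "by_signature": Counter((a["gid"], a["sid"], a["msg"]) for a in alerts),
        "by_protocol": Counter(a["proto"] for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
        "by_hour": Counter("%s/%s %s:00" % (a["month"], a["day"], a["hour"]) for a in alerts),
        "priority_1": sum(1 for a in alerts if a["priority"] == 1),
    }

def top_sources(alerts, n=3):
    """Most active source addresses: the first thing to look at when a trend appears."""
    return Counter(a["src"] for a in alerts).most_common(n)
```

The by-hour and by-source counters are the raw material for the graphs the BASE slide mentions; in a real deployment BASE reads the same alerts from the database Snort logs to rather than from the text file, which is why the last Lab 3 bullet about handling several log formats matters.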
23. Objectives of Lab 4
   - Discuss the importance of using plug-ins
   - Learn to write plug-ins

24. Lab 4: Plug-Ins
   - Learn the functions of plug-ins
   - Write plug-ins

25. Categories of Plug-Ins
   - Output mechanism
   - Complex protocol decoder
   - Detection plug-ins

26. Lab 4: Lesson Learned
   - It is important to realize that the functions of an intrusion detection system are still limited.
   - Designing, writing, testing, modifying, and further testing and modifying plug-ins can help students improve their critical thinking skills and creativity.
   - Meanwhile, new functionality can be added to the existing system, including functionality for the intrusion prevention system.

27. Student Survey
   - After finishing the first three lab exercises:
   - 100% of students had been exposed to at least one intrusion detection system.
   - 28.57% of students felt very familiar with signatures or rules within an intrusion detection system, 61.9% felt somewhat familiar with them, and 9.53% felt somewhat unfamiliar with them.
   - 19.05% of students felt very familiar with a log analyzer, 52.38% felt somewhat familiar with it, 23.81% felt somewhat unfamiliar with it, and 4.76% did not provide an answer.

28. Student Survey
   - After finishing the first three lab exercises:
   - 95.24% of students thought the lab exercises would be beneficial academically towards their learning in the class; 4.76% did not provide an answer.
   - 95.24% of students thought the lab exercises would be beneficial in their workplace in regard to network security; 4.76% did not provide an answer.

29. Comments from Students
   - "Good exercises. Hands-on definitely reinforces theories read and discussed in class."
   - "Lab is helpful. Reinforces the lectures. Having hands-on is very important to understand IDS."
   - "Labs are great to learn with. They should continue to be offered."
   - "More time to work with other tasks not covered in lab to date."
   - "More lab time within the class."
   - Etc.

30. Lesson Learned
   - Appropriate signatures in rules can help to detect some intrusions.
   - Good rules can reduce false positives and false negatives.
   - Rules have limitations.
   - Log analyzers can help to identify the trend.
   - Log analyzers need to be further improved.
   - Plug-ins can add new functionality to the existing system.

31. Pedagogical Implication
   - The challenges in teaching intrusion detection and intrusion prevention can be addressed using hands-on labs, especially Snort labs.
   - Critical thinking skills and creativity are promoted by putting students in an environment in which they need to find the limitations of current IDS technologies and work out their own solutions.
   - Different perspectives need to be explored to make sure that students are really familiar with intrusion detection and intrusion prevention technologies.
   - More hands-on labs need to be designed and developed to enhance student learning.

32. Summary
   - Hands-on lab exercises can enhance student learning.
   - Hands-on lab exercises using Snort are good tools for learning intrusion detection and intrusion prevention.

33. References
   - Beale, J., Baker, A., Caswell, B., Poor, M., et al. (2004). Snort 2.1 Intrusion Detection (2nd ed.). Rockland, MA: Syngress Publishing, Inc.
   - Cox, K. & Gerg, C. (2004). Managing Security with Snort and IDS Tools. Sebastopol, CA: O'Reilly Media, Inc.
   - Smith, P. & Ragan, T. (1999). Instructional Design. Hoboken, NJ: John Wiley & Sons, Inc.
   - http://www.snort.org
