Network Intrusion Detection Systems #1


Slides from the overview presentation about intrusion detection/prevention systems presented at Security in Internet course at Faculty of Informatics and Information Technology. Presentation is part of the course assignment.

Published in: Technology

  1. Network intrusion detection/prevention systems
  2. NIDS (detection system)
     - real-time attack detection
     - passive (watchers) / active (measurement) systems
     - via analysis: protocol analysis, graph analysis, anomaly detection
     - analysis of direct network traffic: complete / light
  3. NIDS scheme: http://insecure.org/stf/secnet_ids/evasion-figure3.gif
  4. Traffic analysis
     - analyzing behaviour, not just packets
     - difficulties: the NIDS can be run from different parts of the network; bad packets; reordering issues
     - sensor placement: inline / passive
     - spanning port
     - network tap
     - load balancer
  5. Figure from NIST SP 800-94 rev. 1 (draft): http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf
  6. Figure from NIST SP 800-94 rev. 1 (draft): http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf
  7. Signature-based analysis
     - pattern matching against "patterns of malicious traffic"
     - very elementary (basically grepping)
     - pros: huge community for rule generation; great for low-level analysis (rules are very specific); does not take many resources
     - cons: lower performance with a big ruleset; a slight attack variation can beat the rule
  8. Rule example (Snort community ruleset):
     alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02||08 92 02| |0F D0 23 BF F8|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:267; rev:13;)
  9. Protocol-based analysis
     - reviewing network data strictly based on layer headers, using knowledge of the expected values
     - pros: better scalability; generic, able to catch zero-day exploits
     - cons: protocol header preprocessors need resources; rules can get extremely difficult to write/understand; provides little information, so the admin has to investigate
  10. Types of detected events
     - transport layer attack
     - network layer attack
     - unexpected services (tunnel, backdoor etc.)
     - policy violations (forbidden protocols, ports etc.)
     - note: detection with accuracy
  11. Types of attack
     - evasion/insertion attacks: bad IP headers, bad IP options, direct frame addressing
     - IP packet fragmentation: a delay is set before stored fragments are dropped
     - TCP layer problems: keeping the NIDS in sync with the end system
  12. Prevention
     - passive: ending the TCP stream
     - inline: inline firewalling, throttling bandwidth usage, altering malicious content
     - passive and inline: running a third-party script, reconfiguring other network devices
  13. Toolset
     - SNORT: open source, Windows / Linux, lots of plugins
     - OSSIM (security information and event management)
     - Sguil (network security monitor)
  14. SNORT
     - started as a sniffer in 1998
     - sniffer, packet logger, and NIDS
     - most used open-source NIDS right now
     - loads of add-ons
     - big and stable community (regular community rule releases)
  15. Firewall network with SNORT
  16. SNORT add-ons
     - DumbPig: bad rule grammar detection
     - OfficeCat: search for vulnerabilities in Microsoft Office docs
     - SnoGE: reporting tool that parses your logs and visualises them as points on Google Maps
     - Oinkmaster: tool for creating and managing rules
     - iBlock: daemon grepping the alert file and blocking offending hosts
     http://www.snort.org/snort-downloads/additional-downloads
  17. Q&A
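Added example (not code from the slides or from the Snort project): it decodes the `content:` option of the sid:267 rule shown on slide 8 into raw bytes, then matches that signature per TCP segment versus over a reassembled stream, which is the reordering/sync problem slides 4 and 11 mention. The payload and sequence numbers are constructed for the demo.

```python
import re

# Rule text as it appears on slide 8.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 53 '
        '(msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; flow:to_server,established; '
        'content:"|90 1A C0 0F 90 02||08 92 02| |0F D0 23 BF F8|"; fast_pattern:only; '
        'metadata:ruleset community, service dns; classtype:attempted-admin; sid:267; rev:13;)')


def parse_content(rule: str) -> bytes:
    """Decode the first content:"..." option. Bytes between | pipes | are hex;
    anything outside the pipes (here a single space) is a literal byte."""
    m = re.search(r'content:"([^"]*)"', rule)
    if m is None:
        raise ValueError("rule has no content option")
    out = bytearray()
    for i, part in enumerate(m.group(1).split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def match_per_packet(signature: bytes, segments: list) -> bool:
    """Naive matcher: each (seq, data) TCP segment is inspected on its own."""
    return any(signature in data for _, data in segments)


def match_stream(signature: bytes, segments: list) -> bool:
    """Stream matcher: order segments by sequence number and join them before
    matching, which is what a NIDS stream preprocessor does for the sensor."""
    stream = b"".join(data for _, data in sorted(segments, key=lambda s: s[0]))
    return signature in stream


def demo() -> dict:
    sig = parse_content(RULE)
    # Constructed payload: the signature embedded in an otherwise zero-filled message.
    payload = b"\x00" * 6 + sig + b"\x00" * 6
    # Constructed: the same bytes as one segment, and split in two and delivered out of order.
    one_segment = [(1000, payload)]
    split = [(1000 + 10, payload[10:]), (1000, payload[:10])]
    return {
        "signature_len": len(sig),
        "one_segment": match_per_packet(sig, one_segment),
        "split_per_packet": match_per_packet(sig, split),
        "split_reassembled": match_stream(sig, split),
    }
```

Per-segment matching misses the signature once it straddles a segment boundary; only the reassembled stream alerts, which is why the sensor must keep its own view of the TCP stream in step with the end host.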