Intrusion Detection and
Prevention with Snort
Introduction to IDPS
Importance of IDPS:
• Intrusion Detection and Prevention Systems (IDPS) are critical for
cybersecurity.
• Key Functions:
• Detect and prevent unauthorized access and attacks.
• Monitor and analyze network traffic for security threats.
• Role in Cybersecurity:
• Provides early warning of potential threats.
• Helps in identifying and mitigating security incidents.
Key Concepts of IDPS
• Rules: Predefined or custom-made criteria for identifying specific
patterns or behaviors.
• Signatures: Patterns or strings that represent known attacks or
vulnerabilities.
• Network Traffic Analysis: Continuously monitors and analyzes network
traffic.
• Alerting: Generates alerts or takes actions when suspicious activity is
detected *
* Any intrusion activity or violation is typically reported either to an administrator or collected centrally using
a security information and event management (SIEM) system. A SIEM system combines outputs from multiple
sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.
Intrusion Detection Systems
• An Intrusion Detection System (IDS) is a security technology designed to
monitor network or system activities to identify and respond to
suspicious or unauthorized activities.
• Key purpose is to detect potential security threats and breaches and to raise an
alert so they can be investigated; blocking traffic is the job of an IPS.
• Types of IDS
• Host-Based IDS (HIDS): Monitors activity on individual devices or hosts.
• Network-Based IDS (NIDS): Analyzes network traffic for suspicious patterns.
• Signature-Based IDS: Uses predefined patterns or signatures to detect known
threats.
• Anomaly-Based IDS: Identifies deviations from established baselines.
Source: Intrusion detection System (July 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Intrusion_detection_system
Intrusion Detection Systems
• Detection Methods
• Signature-Based: Matches patterns against a database of known attack
signatures.
• Anomaly-Based: Profiles normal system behavior and raises alerts for anomalies.
• Heuristic-Based: Uses rules and heuristics to identify potentially malicious
activity.
• Statistical-Based : Analyzes statistical patterns to find anomalies.
• Deployment
• Placement: IDS can be deployed at the network perimeter, on hosts, or
throughout the network.
• Inline vs. Passive: an inline sensor (IPS mode) sits in the traffic path and can drop
packets; a passive sensor watches a copy of the traffic (SPAN port or tap) and can only alert.
Source: Intrusion detection System (July 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Intrusion_detection_system
Intrusion Detection Systems
Challenges
• False Positives: IDS may generate alerts for legitimate traffic.
• False Negatives: IDS may fail to detect some attacks.
• Scalability: Effective deployment can be challenging in large, complex
networks.
Integration
• Often integrated with Intrusion Prevention Systems (IPS) to
automatically respond to threats.
• Integration with Security Information and Event Management (SIEM)
systems for centralized log analysis.
Source: Intrusion detection System (July 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Intrusion_detection_system
Intrusion Detection Systems
• Early Threat Detection: identifies attacks before they can cause
significant damage.
• Compliance: aids in meeting regulatory requirements that call for monitoring and audit trails.
• Enhanced Security Posture: alerts reveal which services are being probed or
attacked, which helps prioritize patching and hardening.
• Intrusion Detection Systems play a critical role in safeguarding networks
and systems against security threats.
• Effective deployment and continuous monitoring are essential for a
robust security posture.
Source: Intrusion detection System (July 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Intrusion_detection_system
Security Information and Event Management
• SIEM is a comprehensive technology solution that combines
security information management (SIM) and security event
management (SEM).
• Purpose is to collect, correlate, and analyze data from various
sources to identify and respond to security incidents:
• Real-Time Monitoring: SIEM correlates events as they arrive for immediate
threat detection.
• Log Management: Stores and manages logs, aiding in compliance and
investigations.
• Reporting and Alerting: Generates reports and alerts for security incidents.
• Incident Response: Supports incident investigation and response.
Source: Security information and event management (August 15, 2023), Wikipedia.
https://en.wikipedia.org/wiki/Security_information_and_event_management
Security Information and Event Management
• Data Sources
• Log Data: Collects logs from various devices and systems.
• Network Traffic Data: Analyzes network traffic for anomalies.
• Endpoint Data: Monitors individual devices for security events.
• Threat Intelligence Feeds: Integrates external threat information.
• Use Cases
• Threat Detection: Identifies and alerts on suspicious activities and security
breaches.
• Compliance: Helps organizations meet regulatory and compliance requirements.
• Forensics: Supports post-incident investigations with detailed data.
Source: Security information and event management (August 15, 2023), Wikipedia.
https://en.wikipedia.org/wiki/Security_information_and_event_management
Security Information and Event Management
• Challenges
• Alert Fatigue: SIEM systems can generate a high volume of alerts.
• Complex Configuration: Requires skilled personnel for proper setup and
maintenance.
• Scalability: Must scale to handle large, dynamic environments.
• Benefits
• Enhanced Security: Improves overall security posture by detecting and mitigating
threats.
• Compliance: Simplifies compliance efforts by providing audit trails and reports.
• Operational Efficiency: Centralizes monitoring and incident response.
Source: Security information and event management (August 15, 2023), Wikipedia.
https://en.wikipedia.org/wiki/Security_information_and_event_management
SPLUNK
• Commercial platform (founded 2003) for searching, monitoring, and analyzing
machine-generated data such as logs.
• Core Functionality
• Data Collection: Splunk collects data from various sources, including logs, applications,
and sensors.
• Search and Analysis: It enables real-time search and analysis of large data sets.
• Visualization: Splunk offers interactive data visualization through customizable
dashboards.
• Use Case
• Security: Used for security information and event management (SIEM) to detect and
respond to security threats.
• Security Features: Splunk includes role-based access control and encryption
for data protection.
• Compliance: Helps organizations meet regulatory compliance requirements
through audit trails and reporting.
Snort
Source: Snort (March 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Snort_(software)
Introduction:
• An open-source network intrusion detection and prevention system that monitors and analyzes network traffic in real time.
• Created by Martin Roesch in 1998; now maintained by Cisco Systems, which acquired Sourcefire in 2013.
Functionality:
• Snort uses signature-based detection: rules describe known attack patterns, and a packet that matches a rule
triggers the rule's action (alert, log, or, in inline mode, drop).
• Administrators can write custom rules for threats specific to their environment, normally kept in a local rules
file that the main configuration includes.
Components:
• Snort itself decodes packets, runs preprocessors (for example stream reassembly) and matches rules; companion
utilities such as Barnyard2 read Snort's unified2 output spool and forward events to a database or syslog, so
that output processing does not slow the sensor down.
Rule Language:
• Snort rules are written in Snort's own rule language: a rule header (action, protocol, source and destination IP
addresses and ports, direction) followed by rule options in parentheses (msg, content patterns, flow state,
classtype, sid, rev).
Snort
Source: Snort (March 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Snort_(software)
Deployment:
• Snort is primarily a network-based IDPS (NIDPS) watching a SPAN port, tap or inline interface. Running it on a
single host to watch only that host's own interface is sometimes described as host-based (HIDPS), but it still
inspects packets, not host logs or files. It is commonly used in conjunction with other security tools.
Use Cases:
• Snort is widely used in the cybersecurity industry and is instrumental in detecting and preventing a
variety of network-based threats, including intrusion attempts and malicious activities.
Community and Support:
• Snort has a large and active user community, contributing to rule updates and sharing knowledge.
• Commercial support is available through Cisco for enterprise users.
Licensing:
• Snort is released under the GNU General Public License, version 2 (GPLv2), making it open-source and freely
available for use and modification; the official rule sets are licensed separately.
Alternatives:
• Alternative open-source solutions such as Suricata (multi-threaded, largely compatible with Snort rules) and
Zeek (formerly Bro, a network analysis framework rather than a signature engine) offer similar or complementary functionality.
Snort Configuration Options
• Network Interfaces: the interface to monitor (the -i flag on the
command line).
• Logging: the directory where packet logs and alerts are written (-l) and the log format.
• Output Options: output plugins control alert delivery: fast or full text alerts,
syslog, unified2 for Barnyard2, or a database.
• Rule Management: the HOME_NET and EXTERNAL_NET variables, the rule path, and the include
lines that select which rule files are loaded.
Snort Rule Language
• Structure: a rule is a header (action, protocol, source IP and port,
direction operator, destination IP and port) followed by options in
parentheses; every rule should carry at least msg, sid and rev.
• Custom Rules: create custom rules to detect specific network events or
anomalies, using sid values of 1,000,000 or higher so they never collide
with official rule IDs.
• Rule Precedence: position in the rules file does not determine precedence.
When several rules match one packet, Snort first orders by action type (the
order is configurable, and pass is normally evaluated before alert so that a
pass rule can silence a noisy signature); the event queue settings then decide
how many of the remaining events are logged and whether they are ranked by
priority or by match length.
Creating Custom Rules
• Testing and Validation: before deploying, run Snort in test mode (-T with the configuration file) to confirm
that the rule parses and loads, then replay a packet capture containing the traffic of interest (-r) and check
that the expected alert appears and that benign traffic does not trigger it.
Source: Writing Snort Rules with Examples and Cheat Sheet (January 27, 2022), CYVATAR. https://cyvatar.ai/write-configure-snort-rules/
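The rules described above follow a fixed grammar, and most loading failures come from a malformed header or an unterminated option. As an added example (written for this page, not part of Snort or the cited cheat sheet), the Python below embeds three constructed Snort 2.9 rules, splits each into its header fields and option list, and lints them for the mistakes that most often bite local rules. The rule texts, SIDs and lint thresholds are assumptions for illustration; $HOME_NET and $EXTERNAL_NET are variables that snort.conf defines.

```python
"""Added example: parse and lint Snort 2.x rules to show their anatomy.

Illustrative code written for this page, not a Snort component. The three
rules are constructed; $HOME_NET / $EXTERNAL_NET are snort.conf variables and
SIDs of 1,000,000 and above are the range reserved for local rules.
"""
from __future__ import annotations

# Constructed example rules (Snort 2.9 syntax).
SYN_FLOOD_RULE = (
    'alert tcp any any -> $HOME_NET 80 (msg:"Possible SYN flood against web server"; '
    'flags:S; flow:stateless; detection_filter:track by_dst, count 100, seconds 1; '
    'classtype:attempted-dos; sid:1000001; rev:1;)'
)
PASSWD_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Web request for /etc/passwd"; '
    'flow:to_server,established; content:"/etc/passwd"; http_uri; nocase; '
    'classtype:web-application-attack; sid:1000003; rev:1;)'
)
# Deliberately sloppy: SID in the official range, no rev, no classtype, ';' inside msg.
SLOPPY_RULE = 'alert icmp any any -> $HOME_NET any (msg:"ICMP echo; seen"; itype:8; sid:5;)'

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
LOCAL_SID_MIN = 1_000_000


def _split_options(body: str) -> list[tuple[str, str | None]]:
    """Split the text inside (...) into (keyword, value) pairs.

    A ';' inside double quotes (e.g. content:"a;b") does not end an option, and a
    backslash escapes the next character inside quotes, as in Snort's own parser.
    """
    options, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif in_quote and ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            current.append(ch)
        elif ch == ";" and not in_quote:
            token = "".join(current).strip()
            if token:
                key, _, value = token.partition(":")
                options.append((key.strip(), value.strip() or None))
            current = []
        else:
            current.append(ch)
    if "".join(current).strip():
        raise ValueError("last option is not terminated with ';'")
    return options


def parse_rule(rule: str) -> dict:
    """Return the seven header fields and the option list of one Snort rule."""
    rule = rule.strip()
    if "(" not in rule or not rule.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    header, _, body = rule[:-1].partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}: {header!r}")
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction operator {direction!r}")
    return {
        "action": action, "protocol": proto,
        "src": src, "src_port": sport, "direction": direction,
        "dst": dst, "dst_port": dport,
        "options": _split_options(body),
    }


def lint_rule(parsed: dict) -> list[str]:
    """Checks worth running before a rule goes into local.rules (thresholds assumed)."""
    opts = dict(parsed["options"])
    problems = []
    if "msg" not in opts:
        problems.append("missing msg: alerts would carry no description")
    if "sid" not in opts:
        problems.append("missing sid: every rule needs a unique signature id")
    elif int(opts["sid"]) < LOCAL_SID_MIN:
        problems.append(f"sid {opts['sid']} is below {LOCAL_SID_MIN}, the range used by official rule sets")
    if "rev" not in opts:
        problems.append("missing rev: edits to the rule cannot be tracked")
    if "classtype" not in opts and "priority" not in opts:
        problems.append("no classtype or priority: alerts carry no classification")
    return problems


if __name__ == "__main__":
    for rule in (SYN_FLOOD_RULE, PASSWD_RULE, SLOPPY_RULE):
        parsed = parse_rule(rule)
        print(f"{parsed['action']} {parsed['protocol']} {parsed['src']}:{parsed['src_port']} "
              f"{parsed['direction']} {parsed['dst']}:{parsed['dst_port']}")
        for key, value in parsed["options"]:
            print(f"    {key} = {value}")
        for problem in lint_rule(parsed):
            print(f"    ! {problem}")
```

The parser only checks shape; whether an option keyword is valid for Snort is still settled by loading the rule with -T. The point of the linter is that a rule which loads fine can still be a bad rule: no classtype, a colliding SID, or an unbumped rev are all silent until an analyst tries to trace an alert back to the rule revision that produced it.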
Interpreting Snort Logs and Alerts
• Log Files: packet logs (pcap or unified2 binary) hold the packets that
triggered a rule; know what each field of the chosen format means before
relying on it.
• Alerts: a fast-format alert line carries the timestamp, the [gid:sid:rev]
rule identifier, the msg text, the classification, the priority, the
protocol, and the source and destination addresses and ports; sid and rev
let you look up exactly which rule revision fired.
• Alert Levels: Snort priorities run from 1 (high) to 4 (very low); a rule's
classtype sets a default priority from classification.config, and the
priority option overrides it for an individual rule.
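As an added example (not from the slides and not part of Snort), the Python below parses alert lines in Snort's fast format, the format printed by -A console or -A fast, into their fields and builds a small triage summary. The four alert lines are constructed to mimic Snort 2.9 output using RFC 5737 documentation addresses and local SIDs; they are not real captures.

```python
"""Added example: parse Snort 'alert_fast' lines and summarize them for triage.

Illustrative code for this page, not a Snort component. SAMPLE_ALERTS is
constructed to look like Snort 2.9 fast-alert output; addresses, SIDs and
timestamps are made up.
"""
from __future__ import annotations

import re
from collections import Counter

SAMPLE_ALERTS = """\
08/15-14:03:21.123456  [**] [1:1000001:1] Possible SYN flood against web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.45:51234 -> 192.0.2.10:80
08/15-14:03:21.223456  [**] [1:1000001:1] Possible SYN flood against web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.45:51235 -> 192.0.2.10:80
08/15-14:03:25.000001  [**] [1:1000003:1] Web request for /etc/passwd [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:40022 -> 192.0.2.10:80
08/15-14:04:02.500000  [**] [1:1000004:2] ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10
this line is not an alert and must be skipped
"""

# One fast-format alert: timestamp, [gid:sid:rev], message, optional classification
# and priority, protocol in braces, then "src[:port] -> dst[:port]". IPv4 only;
# IPv6 addresses contain ':' and would need a different address grammar.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<priority>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)

# Snort's classification.config labels priorities 1 to 4 this way.
PRIORITY_LABELS = {1: "high", 2: "medium", 3: "low", 4: "very low"}


def parse_alert(line: str) -> dict | None:
    """Return the fields of one fast-format alert, or None for a non-alert line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    d["priority_label"] = PRIORITY_LABELS.get(d["priority"], "unset")
    return d


def parse_alert_file(text: str) -> list[dict]:
    """Parse a whole alert file, silently skipping lines that are not alerts."""
    return [a for a in map(parse_alert, text.splitlines()) if a]


def summarize(alerts: list[dict]) -> dict:
    """Triage view: which rules fired, from which sources, and the worst priority seen."""
    by_rule = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    by_source = Counter(a["src"] for a in alerts)
    worst = min((a["priority"] for a in alerts if a["priority"] is not None), default=None)
    return {"by_rule": by_rule, "by_source": by_source, "worst_priority": worst}


if __name__ == "__main__":
    alerts = parse_alert_file(SAMPLE_ALERTS)
    summary = summarize(alerts)
    print(f"{len(alerts)} alerts, worst priority {summary['worst_priority']}")
    for (gid, sid, msg), n in summary["by_rule"].most_common():
        print(f"  {n:3} x [{gid}:{sid}] {msg}")
    for src, n in summary["by_source"].most_common():
        print(f"  {n:3} from {src}")
```

Sorting by worst priority rather than by count is deliberate: the two SYN-flood alerts are the noisiest, but the single priority-1 request for /etc/passwd is the one an analyst should open first. The gid:sid:rev triple is what to search for in the rule files when deciding whether an alert is a false positive.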
TCP State Diagram (figure)
Source: TCP state diagram
SYN Packet & “Flood”
Source: SYN flood (May 8, 2023), Wikipedia. https://en.wikipedia.org/wiki/SYN_flood
• Definition:
• A SYN flood is a denial-of-service attack that abuses the TCP three-way handshake
(SYN, SYN-ACK, ACK).
• Attack Process:
• The attacker sends a large number of SYN packets, often from spoofed source addresses,
and never sends the final ACK; each one leaves a half-open connection in the
SYN-RECEIVED state that occupies a slot in the listener's backlog until it times out.
• Objective:
• Exhaust the backlog (and the memory behind it) so that the server can no longer
accept new connections from legitimate clients.
• Prevention and Mitigation:
• SYN cookies (no state is kept until the final ACK arrives), larger backlogs with shorter
SYN-RECEIVED timeouts, rate limiting, and filtering by firewalls or an Intrusion
Prevention System (IPS) that drops excess SYNs before they reach the server.
• Significance:
• SYN floods are a common form of denial of service and, when launched from many sources,
of distributed denial of service (DDoS); they can take online services and websites
offline, which is why sensors watch for abnormal SYN rates.
Hping3
• A versatile packet-crafting tool that can build and send custom
TCP, UDP, ICMP and raw IP packets, probe ports, and test firewalls
and network paths.
• It can generate SYN, UDP, ICMP and other flood traffic (for example
-S for SYN packets, -p for the destination port, --flood to send as
fast as possible and --rand-source to spoof random source addresses),
which makes it a convenient way to reproduce the packet pattern of a
DoS attack in a lab.
• Packet size, rate, flags, TTL and other header fields can be set
explicitly, so the same tool can mimic both crude floods and more
carefully shaped traffic.
• Because it runs on a single host, hping3 reproduces the shape of a
SYN flood, not the scale of a real DDoS; use it only against systems
you own or are authorized to test, on an isolated lab network.
Lab Exercise
• This lab provides hands-on experience with Snort on Kali Linux.
• It covers installing Snort, editing its configuration, managing
rule files, and running the sensor in monitoring mode.
• Real network traffic is analyzed and alerts are generated.
• Monitoring the resulting Snort alerts shows how potential intrusions
or suspicious activity are identified within network traffic.
Best Practices for IDPS
• Regularly update Snort's rules so the sensor knows the latest
threats (the community and subscriber rule sets can be pulled
automatically with a tool such as PulledPork), and tune or retire
rules that only produce false positives.
• Combine Snort with other security tools (firewall, SIEM, host-based
monitoring) for comprehensive protection.
• Maintain proper documentation of rule changes and configurations,
and bump a rule's rev whenever it is edited.
Conclusion
• Intrusion Detection and Prevention Systems are vital
for cybersecurity.
• Snort is a powerful open-source IDPS used for real-
time network traffic analysis.

Linux for Cybersecurity CYB110 - Unit 8.ppsx

  • 2. Introduction to IDPS Importance of IDPS: • Intrusion Detection and Prevention Systems (IDPS) are critical for cybersecurity. • Key Functions: • Detect and prevent unauthorized access and attacks. • Monitor and analyze network traffic for security threats. • Role in Cybersecurity: • Provides early warning of potential threats. • Helps in identifying and mitigating security incidents.
  • 3. Key Concepts of IDPS • Rules: Predefined or custom-made criteria for identifying specific patterns or behaviors. • Signatures: Patterns or strings that represent known attacks or vulnerabilities. • Network Traffic Analysis: Continuously monitors and analyzes network traffic. • Alerting: Generates alerts or takes actions when suspicious activity is detected * * Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.
  • 4. Intrusion Detection Systems • An Intrusion Detection System (IDS) is a security technology designed to monitor network or system activities to identify and respond to suspicious or unauthorized activities. • Key Purpose is to detect and mitigate potential security threats and breaches. • Types of IDS • Host-Based IDS (HIDS): Monitors activity on individual devices or hosts. • Network-Based IDS (NIDS): Analyzes network traffic for suspicious patterns. • Signature-Based IDS: Uses predefined patterns or signatures to detect known threats. • Anomaly-Based IDS: Identifies deviations from established baselines. Source: Intrusion detection System (July 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Intrusion_detection_system
  • 5. Intrusion Detection Systems • Detection Methods • Signature-Based: Matches patterns against a database of known attack signatures. • Anomaly-Based: Profiles normal system behavior and raises alerts for anomalies. • Heuristic-Based: Uses rules and heuristics to identify potentially malicious activity. • Statistical-Based : Analyzes statistical patterns to find anomalies. • Deployment • Placement: IDS can be deployed at the network perimeter, on hosts, or throughout the network. • Inline vs. Passive IDS: Inline IDS can block traffic, while passive IDS only monitor and alert. Source: Intrusion detection System (July 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Intrusion_detection_system
  • 6. Intrusion Detection Systems Challenges • False Positives: IDS may generate alerts for legitimate traffic. • False Negatives: IDS may fail to detect some attacks. • Scalability: Effective deployment can be challenging in large, complex networks. Integration • Often integrated with Intrusion Prevention Systems (IPS) to automatically respond to threats. • Integration with Security Information and Event Management (SIEM) systems for centralized log analysis. Source: Intrusion detection System (July 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Intrusion_detection_system
  • 7. Intrusion Detection Systems • Early Threat Detection helps identify threats before they can cause significant damage. • Compliance aids in meeting regulatory requirements. • Enhanced Security Posture to strengthen overall security by identifying vulnerabilities • Intrusion Detection Systems play a critical role in safeguarding networks and systems against security threats. • Effective deployment and continuous monitoring are essential for a robust security posture. Source: Intrusion detection System (July 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Intrusion_detection_system
  • 8. Security Information and Event Management • SIEM is a comprehensive technology solution that combines security information management (SIM) and security event management (SEM). • Purpose is to collect, correlate, and analyze data from various sources to identify and respond to security incidents: • Real-Time Monitoring: SIEM monitors events in real-time for immediate threat detection. • Log Management: Stores and manages logs, aiding in compliance and investigations. • Reporting and Alerting: Generates reports and alerts for security incidents. • Incident Response: Supports incident investigation and response. Source: Security information and event management (August 15, 2023), Wikipedia. https://en.wikipedia.org/wiki/Security_information_and_event_management
  • 9. Security Information and Event Management • Data Sources • Log Data: Collects logs from various devices and systems. • Network Traffic Data: Analyzes network traffic for anomalies. • Endpoint Data: Monitors individual devices for security events. • Threat Intelligence Feeds: Integrates external threat information. • Use Cases • Threat Detection: Identifies and alerts on suspicious activities and security breaches. • Compliance: Helps organizations meet regulatory and compliance requirements. • Forensics: Supports post-incident investigations with detailed data. Source: Security information and event management (August 15, 2023), Wikipedia. https://en.wikipedia.org/wiki/Security_information_and_event_management
  • 10. Security Information and Event Management • Challenges • Alert Fatigue: SIEM systems can generate a high volume of alerts. • Complex Configuration: Requires skilled personnel for proper setup and maintenance. • Scalability: Must scale to handle large, dynamic environments. • Benefits • Enhanced Security: Improves overall security posture by detecting and mitigating threats. • Compliance: Simplifies compliance efforts by providing audit trails and reports. • Operational Efficiency: Centralizes monitoring and incident response. Source: Security information and event management (August 15, 2023), Wikipedia. https://en.wikipedia.org/wiki/Security_information_and_event_management
11. SPLUNK
• Leading platform for searching, monitoring, and analyzing machine-generated data (2003).
• Core Functionality
  • Data Collection: Splunk collects data from various sources, including logs, applications, and sensors.
  • Search and Analysis: It enables real-time search and analysis of large data sets.
  • Visualization: Splunk offers interactive data visualization through customizable dashboards.
• Use Cases
  • Security: Used for security information and event management (SIEM) to detect and respond to security threats.
  • Security Features: Splunk includes role-based access control and encryption for data protection.
  • Compliance: Helps organizations meet regulatory compliance requirements through audit trails and reporting.
12. Snort
Introduction:
• An open-source IDPS designed to monitor and analyze network traffic in real time.
• Maintained by Cisco Systems.
Functionality:
• Snort uses signature-based detection to identify known attack patterns and vulnerabilities in network traffic.
• It can also be configured with custom rules for detecting specific threats.
Components:
• Snort consists of various components, including Snort itself, which performs packet analysis, and other utilities like Barnyard2 for log management.
Rule Language:
• Snort rules are written in a specific rule language and include fields for defining actions, protocols, IP addresses, ports, and content patterns.
Source: Snort (March 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Snort_(software)
13. Snort
Deployment:
• Snort can be deployed as a Network-based IDPS (NIDPS) or a Host-based IDPS (HIDPS) and is commonly used in conjunction with other security tools.
Use Cases:
• Snort is widely used in the cybersecurity industry and is instrumental in detecting and preventing a variety of network-based threats, including intrusion attempts and malicious activities.
Community and Support:
• Snort has a large and active user community, contributing to rule updates and sharing knowledge.
• Commercial support is available through Cisco for enterprise users.
Licensing:
• Snort is released under the GNU General Public License (GPL), making it open-source and freely available for use and modification.
Alternatives:
• Some alternative IDPS solutions, such as Suricata and Bro IDS, offer similar functionality.
Source: Snort (March 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Snort_(software)
14. Snort Configuration Options
• Network Interfaces: Define the network interface to monitor.
• Logging: Specify log file locations and formats.
• Output Options: Control alert types, syslog, or database output.
• Rule Management: Specify rule files for analysis.
15. Snort Rule Language
• Structure: Rules consist of several fields, including action, protocol, source/destination IP, ports, and content.
• Custom Rules: Create custom rules to detect specific network events or anomalies.
• Rule Precedence: Rules are processed in a top-down fashion.
16. Creating Custom Rules
• Testing and Validation: Validate rules using Snort's built-in tools.
Source: Writing Snort Rules with Examples and Cheat Sheet (January 27, 2022), CYVATAR. https://cyvatar.ai/write-configure-snort-rules/
17. Interpreting Snort Logs and Alerts
• Log Files: Understand the various fields in log files.
• Alerts: Decode and analyze the information provided in alerts.
• Alert Levels: Differentiate between alert severity levels.
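As an added example (not from the slides), a parser for Snort 2 alert_fast lines that extracts the fields named above and maps the Priority number to Snort's default severity ordering, then summarizes a small log by signature and source. The alert lines are constructed samples, and the local rule SIDs and messages are assumptions.

```python
import re
from collections import Counter

# Regex for Snort 2 "alert_fast" lines: timestamp, [gid:sid:rev], message,
# optional [Classification: ...], [Priority: N], {PROTO} and src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]"
    r"\s+(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)
# Snort's default priority ordering (classification.config): 1 is the most severe.
SEVERITY = {1: "high", 2: "medium", 3: "low", 4: "very low"}

# Constructed sample alerts (not real captures); SIDs >= 1000000 mark local rules.
ALERT_LOG = """\
08/15-14:02:11.123456  [**] [1:1000001:1] LOCAL possible SYN flood against web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.7:40211 -> 192.0.2.10:80
08/15-14:02:12.004100  [**] [1:1000001:1] LOCAL possible SYN flood against web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.7:40212 -> 192.0.2.10:80
08/15-14:02:15.771002  [**] [1:1000003:2] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10
08/15-14:03:01.500000  [**] [1:1000002:1] LOCAL admin path probe [**] [Priority: 1] {TCP} 203.0.113.4:51000 -> 192.0.2.10:80
"""

def _endpoint(text):
    """Split 'ip:port' into (ip, port); ICMP alerts carry only an IPv4 address."""
    if ":" in text:
        ip, port = text.rsplit(":", 1)
        return ip, int(port)
    return text, None

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _endpoint(m["src"])
    dst_ip, dst_port = _endpoint(m["dst"])
    priority = int(m["prio"])
    return {"timestamp": m["ts"], "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
            "msg": m["msg"], "classification": m["cls"], "priority": priority,
            "severity": SEVERITY.get(priority, "unknown"), "proto": m["proto"],
            "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port}

def summarize(log_text):
    """Count alerts per signature and per source, and pick the most severe one."""
    alerts = [a for a in map(parse_alert, log_text.splitlines()) if a]
    return {"total": len(alerts),
            "by_sig": Counter((a["sid"], a["msg"]) for a in alerts),
            "by_src": Counter(a["src_ip"] for a in alerts),
            "highest": min(alerts, key=lambda a: a["priority"], default=None)}
```

Lines that are not alerts (for example Snort's startup banner) are skipped by the parser, so the summary only counts real alerts.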
18. TCP State Diagram
Source: Tcp state diagram
19. SYN Packet & "Flood"
• Definition:
  • A SYN flood is a type of cyber attack that targets the three-way handshake process in the Transmission Control Protocol (TCP) communication.
• Attack Process:
  • The attacker floods the target server with a large number of SYN (synchronization) requests without completing the handshake, tying up server resources.
• Objective:
  • The primary goal of a SYN flood attack is to overwhelm the target server, causing it to become unresponsive and denying legitimate users access to services.
• Prevention and Mitigation:
  • Mitigation techniques include implementing SYN cookies, rate limiting, and dedicated security devices like Intrusion Prevention Systems (IPS) and firewalls.
• Significance:
  • SYN flood attacks are a common form of distributed denial of service (DDoS) attacks and can disrupt online services and websites, highlighting the importance of robust security measures.
Source: SYN flood (May 8, 2023), Wikipedia. https://en.wikipedia.org/wiki/SYN_flood
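Added example, not from the slides, tying the Rule Language and Custom Rules slides to the SYN flood described here: a constructed local Snort 2 rule that uses detection_filter to alert on a burst of bare SYN packets toward one destination, and a parser that splits it into the header fields and options the Rule Language slide lists, then checks the points a rule author validates before loading it. The rule text, SID and message are assumptions.

```python
import re

# Constructed local Snort 2 rule (not from the slides): it alerts once one destination
# has received 100 bare SYN packets within 10 seconds, the half-open-handshake
# pattern of a SYN flood. detection_filter is evaluated after the other options
# match, so a single SYN never fires the rule on its own.
SYN_FLOOD_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"LOCAL possible SYN flood against web server"; flow:stateless; flags:S; '
    'detection_filter:track by_dst, count 100, seconds 10; '
    'classtype:attempted-dos; sid:1000001; rev:1;)'
)

HEADER_FIELDS = ("action", "protocol", "src", "src_port", "direction", "dst", "dst_port")
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
# Options are "key:value;" or bare "key;"; a quoted value may itself contain ';'.
OPTION_RE = re.compile(r'\s*([a-z_]+)(?::((?:"[^"]*"|[^;"])*))?;')

def parse_rule(rule):
    """Split a Snort rule into its seven header fields and an ordered option list."""
    rule = rule.strip()
    if "(" not in rule or not rule.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    header, body = rule[:-1].split("(", 1)
    parts = header.split()
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, got {len(parts)}")
    parsed = dict(zip(HEADER_FIELDS, parts))
    if parsed["direction"] not in ("->", "<>"):
        raise ValueError("direction must be -> or <>")
    parsed["options"] = [(m.group(1), m.group(2).strip() if m.group(2) is not None else None)
                         for m in OPTION_RE.finditer(body)]
    return parsed

def check_rule(parsed):
    """Return the problems a rule author should fix before loading the rule."""
    opts = dict(parsed["options"])
    problems = [f"missing {k}" for k in ("msg", "sid", "rev") if k not in opts]
    if parsed["action"] not in ACTIONS:
        problems.append(f"unknown action {parsed['action']}")
    sid = opts.get("sid")
    if sid is not None and not sid.isdigit():
        problems.append("sid must be numeric")
    elif sid is not None and int(sid) < 1000000:
        problems.append("local rules should use sid >= 1000000 to avoid clashing with distributed rules")
    if "detection_filter" in opts and "count" not in opts["detection_filter"]:
        problems.append("detection_filter needs track, count and seconds")
    return problems
```

The checks mirror what Snort's own config test rejects or warns about when a rule file is loaded; the parser is a reading aid, not a replacement for that test.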
20. Hping3
• A versatile network tool that can be used for various purposes, including crafting and sending custom packets, port scanning, and network testing.
• Allows users to generate various types of network traffic, including SYN, UDP, ICMP, and TCP flood attacks, making it suitable for simulating different types of DDoS attacks.
• The tool provides more flexibility and control over the parameters of the attack, allowing customization of packet size, frequency, and other characteristics.
• Hping3 can be a powerful option for simulating sophisticated and complex DDoS attacks,
21. Lab Exercise
• This lab aims to provide practical experience in using Snort with Kali Linux.
• It will cover topics such as Snort installation, configuration, rule management, and monitoring.
• Analyzing real network traffic and generating alerts.
• Additionally, monitoring Snort alerts helps gain insight into identifying potential intrusions or suspicious activities within network traffic.
22. Best Practices for IDPS
• Regularly update Snort's rules to detect the latest threats.
• Combine Snort with other security tools for comprehensive protection.
• Maintain proper documentation of rule changes and configurations.
23. Conclusion
• Intrusion Detection and Prevention Systems are vital for cybersecurity.
• Snort is a powerful open-source IDPS used for real-time network traffic analysis.