2. Introduction to IDPS
Importance of IDPS:
• Intrusion Detection and Prevention Systems (IDPS) are critical for cybersecurity.
• Key Functions:
• Detect and prevent unauthorized access and attacks.
• Monitor and analyze network traffic for security threats.
• Role in Cybersecurity:
• Provides early warning of potential threats.
• Helps in identifying and mitigating security incidents.
3. Key Concepts of IDPS
• Rules: Predefined or custom-made criteria for identifying specific patterns or behaviors.
• Signatures: Patterns or strings that represent known attacks or vulnerabilities.
• Network Traffic Analysis: Continuously monitors and analyzes network traffic.
• Alerting: Generates alerts or takes actions when suspicious activity is detected.*
* Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.
4. Intrusion Detection Systems
• An Intrusion Detection System (IDS) is a security technology designed to monitor network or system activities to identify and respond to suspicious or unauthorized activities.
• Its key purpose is to detect and mitigate potential security threats and breaches.
• Types of IDS
• Host-Based IDS (HIDS): Monitors activity on individual devices or hosts.
• Network-Based IDS (NIDS): Analyzes network traffic for suspicious patterns.
• Signature-Based IDS: Uses predefined patterns or signatures to detect known threats.
• Anomaly-Based IDS: Identifies deviations from established baselines.
Source: Intrusion detection system (July 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Intrusion_detection_system
5. Intrusion Detection Systems
• Detection Methods
• Signature-Based: Matches patterns against a database of known attack signatures.
• Anomaly-Based: Profiles normal system behavior and raises alerts for anomalies.
• Heuristic-Based: Uses rules and heuristics to identify potentially malicious activity.
• Statistical-Based: Analyzes statistical patterns to find anomalies.
• Deployment
• Placement: IDS can be deployed at the network perimeter, on hosts, or throughout the network.
• Inline vs. Passive IDS: Inline IDS can block traffic, while passive IDS only monitor and alert.
Source: Intrusion detection system (July 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Intrusion_detection_system
6. Intrusion Detection Systems
Challenges
• False Positives: IDS may generate alerts for legitimate traffic.
• False Negatives: IDS may fail to detect some attacks.
• Scalability: Effective deployment can be challenging in large, complex networks.
Integration
• Often integrated with Intrusion Prevention Systems (IPS) to automatically respond to threats.
• Integration with Security Information and Event Management (SIEM) systems for centralized log analysis.
Source: Intrusion detection system (July 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Intrusion_detection_system
7. Intrusion Detection Systems
• Early Threat Detection helps identify threats before they can cause significant damage.
• Compliance aids in meeting regulatory requirements.
• Enhanced Security Posture strengthens overall security by identifying vulnerabilities.
• Intrusion Detection Systems play a critical role in safeguarding networks and systems against security threats.
• Effective deployment and continuous monitoring are essential for a robust security posture.
Source: Intrusion detection system (July 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Intrusion_detection_system
8. Security Information and Event Management
• SIEM is a comprehensive technology solution that combines security information management (SIM) and security event management (SEM).
• Its purpose is to collect, correlate, and analyze data from various sources to identify and respond to security incidents:
• Real-Time Monitoring: SIEM monitors events in real time for immediate threat detection.
• Log Management: Stores and manages logs, aiding in compliance and investigations.
• Reporting and Alerting: Generates reports and alerts for security incidents.
• Incident Response: Supports incident investigation and response.
Source: Security information and event management (August 15, 2023), Wikipedia.
https://en.wikipedia.org/wiki/Security_information_and_event_management
9. Security Information and Event Management
• Data Sources
• Log Data: Collects logs from various devices and systems.
• Network Traffic Data: Analyzes network traffic for anomalies.
• Endpoint Data: Monitors individual devices for security events.
• Threat Intelligence Feeds: Integrates external threat information.
• Use Cases
• Threat Detection: Identifies and alerts on suspicious activities and security
breaches.
• Compliance: Helps organizations meet regulatory and compliance requirements.
• Forensics: Supports post-incident investigations with detailed data.
Source: Security information and event management (August 15, 2023), Wikipedia.
https://en.wikipedia.org/wiki/Security_information_and_event_management
10. Security Information and Event Management
• Challenges
• Alert Fatigue: SIEM systems can generate a high volume of alerts.
• Complex Configuration: Requires skilled personnel for proper setup and
maintenance.
• Scalability: Must scale to handle large, dynamic environments.
• Benefits
• Enhanced Security: Improves overall security posture by detecting and mitigating
threats.
• Compliance: Simplifies compliance efforts by providing audit trails and reports.
• Operational Efficiency: Centralizes monitoring and incident response.
Source: Security information and event management (August 15, 2023), Wikipedia.
https://en.wikipedia.org/wiki/Security_information_and_event_management
11. SPLUNK
• Leading platform for searching, monitoring, and analyzing machine-generated data (founded in 2003).
• Core Functionality
• Data Collection: Splunk collects data from various sources, including logs, applications,
and sensors.
• Search and Analysis: It enables real-time search and analysis of large data sets.
• Visualization: Splunk offers interactive data visualization through customizable
dashboards.
• Use Cases
• Security: Used for security information and event management (SIEM) to detect and
respond to security threats.
• Security Features: Splunk includes role-based access control and encryption
for data protection.
• Compliance: Helps organizations meet regulatory compliance requirements
through audit trails and reporting.
12. Snort
Source: Snort (March 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Snort_(software)
Introduction:
• An open-source IDPS designed to monitor and analyze network traffic in real-time.
• Maintained by Cisco Systems.
Functionality:
• Snort uses signature-based detection to identify known attack patterns and vulnerabilities in
network traffic.
• It can also be configured to create custom rules for detecting specific threats.
Components:
• Snort consists of various components, including Snort itself, which performs packet analysis, and
other utilities like Barnyard2 for log management.
Rule Language:
• Snort rules are written in a specific rule language and include fields for defining actions, protocols,
IP addresses, ports, and content patterns.
13. Snort
Source: Snort (March 22, 2023), Wikipedia. https://en.wikipedia.org/wiki/Snort_(software)
Deployment:
• Snort can be deployed as a Network-based IDPS (NIDPS) or a Host-based IDPS (HIDPS) and is commonly
used in conjunction with other security tools.
Use Cases:
• Snort is widely used in the cybersecurity industry and is instrumental in detecting and preventing a
variety of network-based threats, including intrusion attempts and malicious activities.
Community and Support:
• Snort has a large and active user community, contributing to rule updates and sharing knowledge.
• Commercial support is available through Cisco for enterprise users.
Licensing:
• Snort is released under the GNU General Public License (GPL), making it open-source and freely available
for use and modification.
Alternatives:
• Some alternative IDPS solutions, such as Suricata and Bro IDS, offer similar functionality.
14. Snort Configuration Options
• Network Interfaces: Define the network interface to
monitor.
• Logging: Specify log file locations and formats.
• Output Options: Control alert types, syslog, or database
output.
• Rule Management: Specify rule files for analysis.
15. Snort Rule Language
• Structure: Rules consist of several fields, including
action, protocol, source/destination IP, ports, and
content.
• Custom Rules: Create custom rules to detect specific
network events or anomalies.
• Rule Precedence: Rules are processed in a top-down
fashion.
16. Creating Custom Rules
• Testing and Validation: Validate rules using Snort's built-in tools.
Source: Writing Snort Rules with Examples and Cheat Sheet (January 27, 2022), CYVATAR. https://cyvatar.ai/write-configure-snort-rules/
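Added example (not from the slides or from the Snort project): a small Python parser for the rule structure described on slides 15 and 16, followed by the checks a rule author runs before loading a rule. The sample rule is constructed; $EXTERNAL_NET and $HOME_NET are the usual variables defined in snort.conf.

```python
import re

# Constructed sample rule for this example (not from the slides or the official
# Snort rule sets); $EXTERNAL_NET and $HOME_NET are variables set in snort.conf.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"Example traversal string in URI"; flow:to_server,established; '
    'content:"../"; nocase; classtype:web-application-attack; '
    'sid:1000001; rev:1;)'
)

# Rule header: action proto src src_port direction dst dst_port, then options in ( ).
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def split_options(body):
    """Split the option body on ';', ignoring a ';' inside a quoted value (escaped quotes are not handled)."""
    parts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def parse_rule(rule):
    """Return header fields plus options as {keyword: [values]} (content may repeat)."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a single-line Snort rule: " + rule)
    fields = m.groupdict()
    options = {}
    for opt in split_options(fields.pop("opts")):
        key, sep, value = opt.partition(":")
        # Flag-style modifiers such as 'nocase' have no value; store "" for them.
        options.setdefault(key.strip(), []).append(value.strip().strip('"') if sep else "")
    fields["options"] = options
    return fields

def validate_rule(parsed):
    """Checks to run before loading a rule: every rule needs a unique sid, and
    msg/rev make alerts readable and rule updates traceable."""
    return ["missing " + k for k in ("sid", "msg", "rev") if k not in parsed["options"]]
```

The parser covers single-line rules; multi-line rules joined with backslashes would need to be concatenated first.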
17. Interpreting Snort Logs and Alerts
• Log Files: Understand the various fields in log files.
• Alerts: Decode and analyze the information provided in
alerts.
• Alert Levels: Differentiate between alert severity levels.
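Added example (not from the slides): parsing Snort's "fast" alert format into its fields and grouping alerts by priority, which is how the alert levels on this slide are read in practice. The alert lines are constructed for the example; in the default classification.config, priority 1 is the most severe.

```python
import re
from collections import Counter

# Constructed lines in Snort's "fast" alert format (not captured from a real sensor).
SAMPLE_ALERTS = """\
08/15-14:23:01.123456  [**] [1:1000001:1] Example traversal string in URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80
08/15-14:23:02.000010  [**] [1:1000002:2] Example ICMP echo from outside [**] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
08/15-14:23:05.500000  [**] [1:1000001:1] Example traversal string in URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:40001 -> 192.0.2.10:80
"""

# Fields: timestamp, [gid:sid:rev], msg, optional classification, priority
# (1 is the most severe in the default classification.config), protocol, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def parse_alert(line):
    """Parse one fast-format line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "priority"):
        d[k] = int(d[k])
    # Split "ip:port" into a tuple; ICMP lines carry no port (IPv6 would need bracket handling).
    for side in ("src", "dst"):
        ip, sep, port = d[side].rpartition(":")
        d[side] = (ip, int(port)) if sep else (d[side], None)
    return d

def summarize(text):
    """Count alerts per priority and per signature so triage can start from the most severe."""
    alerts = [a for a in map(parse_alert, text.splitlines()) if a]
    return {
        "total": len(alerts),
        "by_priority": dict(sorted(Counter(a["priority"] for a in alerts).items())),
        "by_signature": dict(Counter((a["sid"], a["msg"]) for a in alerts)),
    }
```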
19. SYN Packet & “Flood”
Source: SYN flood (May 8, 2023), Wikipedia. https://en.wikipedia.org/wiki/SYN_flood
• Definition:
• A SYN flood is a type of cyber attack that targets the three-way handshake process in
the Transmission Control Protocol (TCP) communication.
• Attack Process:
• The attacker floods the target server with a large number of SYN (synchronization)
requests without completing the handshake, tying up server resources.
• Objective:
• The primary goal of a SYN flood attack is to overwhelm the target server, causing it to
become unresponsive and denying legitimate users access to services.
• Prevention and Mitigation:
• Mitigation techniques include implementing SYN cookies, rate limiting, and dedicated
security devices like Intrusion Prevention Systems (IPS) and firewalls.
• Significance:
• SYN flood attacks are a common form of distributed denial of service (DDoS) attacks
and can disrupt online services and websites, highlighting the importance of robust
security measures.
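Added example (not from the slides): a monitoring-side check for the condition the slide describes, counting handshakes that were opened with a SYN but never completed. The packet list is constructed, and the model is simplified: state is keyed on (source IP, destination) and only the client's SYN and ACK are replayed, whereas a sensor would track the full 4-tuple and the server's SYN-ACK as well.

```python
from collections import defaultdict

# Constructed packet summaries (time_ms, src_ip, dst, tcp_flags); not a real capture.
# 30 SYNs from different sources to the web port that are never followed by an ACK,
# then two ordinary handshakes (SYN, then the client's ACK) that complete normally.
PACKETS = [(10 * i, "203.0.113.%d" % (i + 1), "192.0.2.10:80", "S") for i in range(30)]
PACKETS += [
    (500, "198.51.100.4", "192.0.2.10:80", "S"),
    (510, "198.51.100.4", "192.0.2.10:80", "A"),
    (600, "198.51.100.5", "192.0.2.10:22", "S"),
    (620, "198.51.100.5", "192.0.2.10:22", "A"),
]

def half_open_peaks(packets, window_ms=1000):
    """Replay packets in time order and return, per destination, the highest number
    of half-open connections (SYN seen, no completing ACK) within the window."""
    pending = {}                 # (src_ip, dst) -> time of the unanswered SYN
    peak = defaultdict(int)
    for t, src, dst, flags in sorted(packets):
        # Forget SYNs older than the window, as the server's own timeout would.
        for key in [k for k, t0 in pending.items() if t - t0 > window_ms]:
            del pending[key]
        if flags == "S":
            pending[(src, dst)] = t
        elif flags == "A":
            pending.pop((src, dst), None)   # third step of the handshake: no longer half-open
        count = sum(1 for (_, d) in pending if d == dst)
        peak[dst] = max(peak[dst], count)
    return dict(peak)

def detect_syn_flood(packets, threshold=20, window_ms=1000):
    """Destinations whose half-open count reached the threshold inside one window."""
    return sorted(dst for dst, n in half_open_peaks(packets, window_ms).items() if n >= threshold)
```

The threshold and window are the tuning knobs: too low and a busy server's normal burst of new connections trips the check (a false positive, as on slide 6), too high and a slow flood goes unreported.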
20. Hping3
• A versatile network tool that can be used for various
purposes, including crafting and sending custom packets,
port scanning, and network testing.
• Allows users to generate various types of network traffic,
including SYN, UDP, ICMP, and TCP flood attacks, making it
suitable for simulating different types of DDoS attacks.
• The tool provides more flexibility and control over the
parameters of the attack, allowing customization of packet
size, frequency, and other characteristics.
• Hping3 can be a powerful option for simulating sophisticated and complex DDoS attacks.
21. Lab Exercise
• This lab aims to provide practical experience in using Snort with Kali Linux.
• It will cover topics such as Snort installation, configuration, rule management, and monitoring.
• Analyzing real network traffic and generating alerts.
• Additionally, monitoring Snort alerts helps gain insight into identifying potential intrusions or suspicious activities within network traffic.
22. Best Practices for IDPS
• Regularly update Snort's rules to detect the latest
threats.
• Combine Snort with other security tools for
comprehensive protection.
• Maintain proper documentation of rule changes and
configurations.
23. Conclusion
• Intrusion Detection and Prevention Systems are vital
for cybersecurity.
• Snort is a powerful open-source IDPS used for real-time network traffic analysis.