intrusion detection system
play

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com - PowerPoint PPT Presentation

Jan 10, 2024 •255 likes •571 views

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

  1. Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1

  2. Contents  Intrusion Detection Systems  Tripwire  Snort 2

  3. IDS (Definition)  Intrusion Detection is the process of monitoring the events occurring in a computer system or network, analyzing them for signs of security problem.  The bulk of intrusion detection research and development has occurred since 1980. 3

  4. IDS (Architecture) 4

  5. IDS (Information Sources)  The first requirement for intrusion detection is a set of input data.  Which source is the best source for intrusion detection? 5

  6. Information Sources (Cont.)  Host-Based Information Sources  Network-Based Information Sources 6

  7. Host-Based  Operating System Audit Trails  System Logs  Application Information  Target-Based Monitoring 7

  8. Network-Based  In network-based approach, information is collected form the network traffic stream as it travels on the network segment. 8

  9. IDS (Analysis)  Analysis is organizing and characterizing data about user and system to identify activity of interest.  This process is divided into three phases:  Constructing the analyzer.  Performing analysis of live data.  Feedback or refinement of the process. 9

  10. Analysis (Cont.)  Misuse Detection  Engines look for something defined to be bad.  Anomaly Detection  Engines look for something rare or unusual. 10

  11. IDS (Responses)  Active Responses  Take action against the intruder  Amend the environment  Collect more information  Passive Responses  Alarm and notification  SNMP Trap 11

  12. Contents  Intrusion Detection Systems  Tripwire  Snort 12

  13. Tripwire  It is a host-based IDS.  It is one of the most popular applications for determining when a file or directory has been alerted.  It scans the system’s hard drive and create a database. 13

  14. Tripwire Files  /usr/sbin/tripwire  The tripwire binary responsible for reading, creating and updating the database.  /etc/tripwire/twpol.txt  The tripwire policy configuration file.  /etc/tw.pol  The signed tripwire policy file. 14

  15. Tripwire Files  /usr/tripwire/twinstall.sh  The file that signs the /etc/tripwire/twpol.txt and /etc/tripwire/twcfg.txt files.  /etc/tripwire/twcfg.txt  Configures the environment for the /usr/sbin/tripwire binary.  /var/lib/tripwire/hostname.twd  The default location of the Tripwire database file. 15

  16. Configuring the Tripwire Policy File  /etc/tripwire/twpol.txt  /etc/shadow -> $(IgnoreNone);  Any file followed by the IgnoreNone argument will be checked by Tripwire’s “paranoid mode,” which means that any and all changes will be reported to you.  !/proc;  Informs Tripwire to ignore the /proc directory. 16

  17. Creating the Tripwire Policy File  After you have installed Tripwire and edited the /etc/tripwire/twpol.txt, you are ready to begin the initial scan.  Simply run the /etc/tripwire/twinstall.sh script.  It will then create the Tripwire configuration file. 17

  18. Database Initialization Mode  After you have created a policy file, you can then enter database initialization mode.  tripwire --init  tripwire --help init 18

  19. Integrity Checking Mode  After you have created the database, you can run Tripwire in integrity checking mode.  tripwire --check 19

  20. Contents  Intrusion Detection Systems  Tripwire  Snort 20

  21. Snort  It is a network-based IDS.  It places the NIC into promiscuous mode and captures all traffic on your network segment. 21

  22. Snort Files and Directories  /usr/local/snort  The Snort binary, when installed from an RPM package.  /usr/local/bin/snort  The binary, when installed from a tarball.  /etc/snort/  A directory that contains the Snort configuration file, as well as all Snort rules. 22

  23. Snort Files and Directories  /etc/snort/snort.conf  The Snort configuration file.  /usr/share/doc/snort-1.7  The documentation directory if you install Snort using the RPM. If you install using a tarball, the documentation will be in the subdirectory where you installed all of the source files.  /etc/rc.d/init.d/snortd  The initialization script for snortd. 23

  24. Starting Snort  Start Snort as a simple packet sniffer.  This command will log traffic only at the network level.  snort -v 24

  25. Starting Snort 25

  26. Starting Snort  If you use the -d option to have Snort capture application-layer data, you will capture additional information.  snort -vd 26

  27. Starting Snort 27

  28. Logging Snort Entries  /usr/sbin/snort -u snort -g snort -dev -l /var/log/snort -h 192.168.2.0/24  This command starts Snort under a user and group of Snort.  It then logs all packets to the /var/log/snort directory.  The e option has Snort read data link layer headers, as well.  The –h command tells Snort that the 192.168.2.0/24 network is the home network and to log all packets relative to the 192.168.2.0 system. 28

  29. Running Snort as a Network-Based IDS  snort -u snort -g snort -dev -h 192.168.2.0/24 -d -D -i eth0 -c /etc/snort/snort.conf  This command has snort run in daemon mode (-D) and specifies the eth0 interface.  The last part of the command specifies the snort.conf file, which if properly configured will enable Snort to log traffic only as it violates the rules it contains. 29

  30. Question? 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior

Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior

Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior that characterizes intruders While avoiding improper detection of legitimate access At a reasonable cost Lecture 11 Page 1 CS 236 Online

426 views • 13 slides
Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol Toshiba, 26/11/2020 1 Talk loosely based on following publications Han et al. UNICORN: Revisiting Host-Based Intrusion Detection in the Age of

783 views • 55 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
SURFnet IDS / OS3 UvA Project Extension of the SURFnet Intrusion Detection System Sensors to

SURFnet IDS / OS3 UvA Project Extension of the SURFnet Intrusion Detection System Sensors to

SURFnet IDS / OS3 UvA Project Extension of the SURFnet Intrusion Detection System Sensors to Microsoft Windows XP Michael Rave Coen Steenbeek 7 February 2007 Extension of the SURFnet Intrusion Detection System Sensors to Microsoft Windows XP

203 views • 18 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network

Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network

Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network Engineering 7-2-2007 R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 1 / 18 Contents Assignment 1 Intrusion Detection Systems 2

454 views • 18 slides
Intrusion Detection Using Monitor Information Fusion Student: Atul Bohara P.I.: William H.

Intrusion Detection Using Monitor Information Fusion Student: Atul Bohara P.I.: William H.

Intrusion Detection Using Monitor Information Fusion Student: Atul Bohara P.I.: William H. Sanders Previous Work [1] Intrusion detection by combining and clustering diverse monitor data System Logs Firewall Logs Feature extraction Cluster

527 views • 49 slides
Intrusion Detection and Prevention System (IPS) Technology, Applications, and Trend Dr.

Intrusion Detection and Prevention System (IPS) Technology, Applications, and Trend Dr.

Intrusion Detection and Prevention System (IPS) Technology, Applications, and Trend Dr. Nen-Fu (Fred) Huang Professor, Department of Computer Science, National Tsing Hua University, Taiwan President, Broadweb Corp, Taiwan E-mail:

846 views • 41 slides
Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 11 Page 1 CS 236 Online Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection

143 views • 12 slides
Design and implementation of an intrusion detection system (IDS) for in-vehicle networks

Design and implementation of an intrusion detection system (IDS) for in-vehicle networks

Design and implementation of an intrusion detection system (IDS) for in-vehicle networks Presented by: Nors Salman Credits to my thesis partner: Marco Bresch Brief background: in-vehicle networks Controller Area Network (CAN) MOST

425 views • 23 slides
Sample Snort Signature alert tcp $EXTERNAL_NET any -> $HOME_NET 139

Sample Snort Signature alert tcp $EXTERNAL_NET any -> $HOME_NET 139

Sample Snort Signature alert tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:to_server,established content:"|eb2f 5feb 4a5e 89fb 893e 89f2|" msg:"EXPLOIT x86 linux samba overflow" reference:bugtraq,1816

436 views • 4 slides
FRACTALS OUTLINE Chaotic Systems Strange Attractors Newton-Raphson Diffusion

FRACTALS OUTLINE Chaotic Systems Strange Attractors Newton-Raphson Diffusion

FRACTALS OUTLINE Chaotic Systems Strange Attractors Newton-Raphson Diffusion Limited Aggregation Fractal Geometry L-Systems Iterative Function Systems (IFS) WHAT IS A FRACTAL? Geometric A rough or

499 views • 23 slides
Practicalities ENAR Spring Meeting Pittsburgh Short tutorial (105 minutes) March 2004 High

Practicalities ENAR Spring Meeting Pittsburgh Short tutorial (105 minutes) March 2004 High

Peter Dalgaard Practicalities ENAR Spring Meeting Pittsburgh Short tutorial (105 minutes) March 2004 High coverage, not great depth Little time for

143 views • 13 slides
Verbs in the Open Multilingual Wordnet Francis Bond Linguistics and Multilingual Studies,

Verbs in the Open Multilingual Wordnet Francis Bond Linguistics and Multilingual Studies,

Verbs in the Open Multilingual Wordnet Francis Bond Linguistics and Multilingual Studies, Nanyang Technological University Affectedness Workshop 2014, NTU Overview What do we do? What is a wordnet? How are verbs represented?

780 views • 43 slides
Lab 7: Firewalls & Intrusion Detection Systems Fengwei Zhang SUSTech CS 315 Computer

Lab 7: Firewalls & Intrusion Detection Systems Fengwei Zhang SUSTech CS 315 Computer

Lab 7: Firewalls & Intrusion Detection Systems Fengwei Zhang SUSTech CS 315 Computer Security 1 Firewall & IDS Firewall A device or application that analyzes packet headers and enforces policy based on protocol type, source

465 views • 20 slides
Compiling PCRE to FPGA for Accelerating SNORT IDS Abhishek Mitra Walid Najjar Laxmi N Bhuyan

Compiling PCRE to FPGA for Accelerating SNORT IDS Abhishek Mitra Walid Najjar Laxmi N Bhuyan

Compiling PCRE to FPGA for Accelerating SNORT IDS Abhishek Mitra Walid Najjar Laxmi N Bhuyan QuickTime and a QuickTime and a decompressor decompressor are needed to see this picture. are needed to see this picture. Outline FPGA

316 views • 27 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 7 Intrusion Detection Topics Fundamentals Network IDS Snort Host-based IDS

1.03k views • 72 slides

More recommend