SANS Local Mentor Program

1
SANS Local Mentor Program

• Rutgers University
• Spring 2004

2
After Action Review

• W32/Bagle.j_at_MM
• http//vil.nai.com/vil/content/v_101071.htm
• Worm Authors Exchange Taunting Messages
• http//www.internetweek.com/story/showArticle.jhtm
  l?articleID18201890

3
Host-based Intrusion Detection

• p. 754 Need for host-based IDS
• p. 760 Host-based Intrusion Detection
  methodology
• p. 762 Unix host-based IDS
• p. 785 Windows host-based IDS
• p. 790 Tripwire for Windows
• p. 792 Comparing IDS to Anti- virus software

4
Examples

• Netstat
• TCP wrappers (dogberry)
• Vision

5
Network-based IDS

• p. 797 Need for Network-based IDS
• p. 805 Libpcap-based systems
• p. 808 Snort
• p. 809 Writing Snort rules
• p. 810 Snort rule example
• p. 822 Network-based IDS Pros
• p. 823 Network-based IDS Cons

6
Example Snort IDS

• IDS logs
• IDS logs on central syslog server
• SnortSnarf

7
Risk Management and Auditing

• p. 830 The Risk Management process
• p. 834 Risk Management Choices
• p. 838 Single Loss Expectancy (SLE)
• p. 839 Annualized Loss Expectancy (ALE)
• p. 840 Quantitative vs. Qualitative
• p. 849 Threat vectors
• p. 858 Risk assessment steps

8
Examples Auditing

• Center for Internet Security
• DumpSec