Network Intrusion Detection - PowerPoint PPT Presentation

About This Presentation

Title: Network Intrusion Detection

Description: Network Intrusion Detection. A DFWUUG Presentation. Wes Bateman. ManISec Corporation ... Avoiding Possible Problems By Avoiding Employee Monitoring. Problems ... – PowerPoint PPT presentation

Slides: 18
Provided by: mani76
Transcript and Presenter's Notes

1
Network Intrusion Detection
A DFWUUG Presentation
Wes Bateman, ManISec Corporation
wes@manisec.com
http://www.manisec.com
2
Disclaimer
3
Things To Consider Before Starting To Use An IDS
  • Business Case for IDS
  • Costs
  • Benefits
  • Getting Authorization To Grab Packets
  • Privacy Concerns
  • Legal Issues
  • Avoiding Possible Problems By Avoiding Employee Monitoring
  • Problems With Targeting Individuals
  • Problems With Capturing Packet Payload vs. Headers Only

4
Sensor Choices for Unix
  • Snort
      • http://www.snort.org
  • Shadow
      • http://www.nswc.navy.mil/ISSEC/CID/index.html
  • Dragon
  • Others

5
Why Snort Wins My Vote
  • Rules - Very fast rule updates
      • snort.org
      • whitehats.com
  • Open Source
  • Easy On The Budget - Which equates to very wide usage with rapid development and

6
Snort Installation
  • Requirements
      • libpcap - http://www.tcpdump.org
  • Optional
      • libnet
      • MySQL
      • OpenSSL
  • Getting the source
  • ./configure --help
  • ./configure (options) && make && make install
  • /etc/snort directory for rules

7
Snort Rules
  • Example rule from the Snort rule set (sid 315), for the rpc.mountd overflow (CVE-1999-0002):

        alert udp $EXTERNAL_NET any -> $HOME_NET 635 \
            (msg:"EXPLOIT x86 linux mountd overflow"; \
             content:"|5eb0 0289 06fe c889 4604 b006 8946|"; \
             reference:cve,CVE-1999-0002; classtype:attempted-admin; \
             sid:315; rev:1;)

    The part before the parentheses is the rule header (action, protocol, source
    address and port, direction, destination address and port); the part inside
    is the option list, each option terminated by a semicolon. Bytes between
    vertical bars in content: are hex; anything outside them is literal text.
  • Rule-writing documentation: http://snort.sourcefire.com/docs/writing_rules/index.html
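
The rule above is easier to reason about once its pieces are pulled apart. The following Python is added here as an example and is not code from the presentation or from the Snort project: it parses a Snort 1.x-style rule into header fields and options, decodes the |hex| content notation, and checks constructed UDP payloads against the mountd rule. Matching is deliberately reduced to protocol, destination port and a plain substring search; real Snort also resolves $HOME_NET and $EXTERNAL_NET from snort.conf, handles port ranges and negation, and honours content modifiers such as offset and depth, none of which are implemented here. The two payloads are constructed for this example.

```python
"""Parse a Snort 1.x-style rule and test payloads against its content: option.

Added example; it is not code from the presentation or from the Snort project.
The rule text is the mountd rule shown on the slide (sid 315). The payloads below
are constructed for this example. Address variables ($HOME_NET, $EXTERNAL_NET),
port ranges/negation and content modifiers (offset, depth, nocase) are ignored.
"""
import re

MOUNTD_RULE = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 635 '
    '(msg:"EXPLOIT x86 linux mountd overflow"; '
    'content:"|5eb0 0289 06fe c889 4604 b006 8946|"; '
    'reference:cve,CVE-1999-0002; classtype:attempted-admin; sid:315; rev:1;)'
)

HEADER_FIELDS = ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")
HEADER_RE = re.compile(
    r'^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)


def split_options(body):
    """Split the option body on ';' without splitting inside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append(''.join(cur).strip())
    return [o for o in opts if o]


def parse_rule(text):
    """Return the seven header fields plus 'options': a list of (keyword, value) pairs.

    Options are kept as a list, not a dict, because 'content' may legitimately repeat.
    """
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("malformed rule: expected 'action proto src sport dir dst dport (options)'")
    rule = dict(zip(HEADER_FIELDS, m.groups()[:7]))
    options = []
    for opt in split_options(m.group(8)):
        key, _, value = opt.partition(':')   # keyword-only options (e.g. 'nocase') get value ''
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options.append((key.strip(), value))
    rule['options'] = options
    return rule


def content_to_bytes(value):
    """Decode a content string: text outside |...| is literal, hex digits inside are bytes."""
    out = bytearray()
    for i, part in enumerate(value.split('|')):
        if i % 2:                          # odd segments are inside a |hex| pair
            out += bytes.fromhex(part.replace(' ', ''))
        else:
            out += part.encode('latin-1')  # backslash escapes (\| \" \;) are not handled
    return bytes(out)


def match_packet(rule, proto, dst_port, payload):
    """True if proto and destination port fit the header and every content: pattern is in payload."""
    if rule['proto'] != proto:
        return False
    if rule['dst_port'] != 'any' and int(rule['dst_port']) != dst_port:
        return False
    patterns = [content_to_bytes(v) for k, v in rule['options'] if k == 'content']
    return bool(patterns) and all(p in payload for p in patterns)


# Constructed payloads: the first carries the shellcode fragment the rule looks for
# inside a NOP sled; the second is filler with no shellcode.
EXPLOIT_PAYLOAD = b"\x90" * 32 + bytes.fromhex("5eb0028906fec8894604b0068946") + b"\x90" * 8
BENIGN_PAYLOAD = b"\x00" * 40


def demo():
    """Parse the slide's rule and report how it judges the two constructed packets."""
    rule = parse_rule(MOUNTD_RULE)
    sid = next(v for k, v in rule['options'] if k == 'sid')
    return {
        "sid": sid,
        "dst_port": rule['dst_port'],
        "exploit_hit": match_packet(rule, "udp", 635, EXPLOIT_PAYLOAD),
        "benign_hit": match_packet(rule, "udp", 635, BENIGN_PAYLOAD),
        "wrong_port_hit": match_packet(rule, "udp", 2049, EXPLOIT_PAYLOAD),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points worth noticing when you run it: the semicolon splitter has to respect quotes, because a msg: string may contain semicolons; and the content pattern is matched anywhere in the payload, which is why real rules add offset/depth to cut false positives from random data that happens to contain the same bytes.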

8
Running Snort
  • Command line switches
      • snort -qDc /etc/snort/snort.conf
        (quiet, run as a daemon, read rules and settings from snort.conf)
      • snort -u snort -g snort -s -b -D -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
        (drop to user and group snort after initialisation, send alerts to syslog,
        log packets in binary tcpdump format, daemonize, sniff eth0, log under
        /var/log/snort, use snort.conf)
      • snort -vde -P 96 -i eth0 -r dump.file
        (verbose, dump application-layer data and link-layer headers, 96-byte
        snaplen, read packets from dump.file rather than from the wire)

9
Additional Tools
  • Snort Tools
      • SnortSnarf
      • ACID
      • Hogwash
      • snortplot
  • Other libpcap tools
      • tcpdump
      • tcpreplay
      • Ethereal

10
Basic Analysis
  • Traffic Analysis and Content Analysis
  • Anomalous Activity
  • Establishing Baselines for Your Network
    Environment
  • Incorporating Your Security Policies Into Your
    Rules and Analysis
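
Baselining and policy-driven analysis can be shown on header-only data, which matters given the privacy and authorization concerns on the earlier slide: nothing here needs payload. The Python below is added as an example and is not code from the presentation. It takes constructed daily connection counts per (protocol, destination port), as you would get from flow records or a tcpdump summary, builds a mean/standard-deviation baseline per service, then flags three things in a constructed "today": a service whose volume is far above its baseline, a service never seen before, and services the written security policy forbids outright. The daily counts, the policy table and the thresholds (k = 3 standard deviations, with a floor of 10 connections) are all assumptions for this example; a real baseline needs far more than five days.

```python
"""Baseline per-service connection volume, then flag anomalies and policy violations.

Added example; not code from the presentation. The daily counts and the policy
are constructed. Counts like these come from header-only traffic summaries
(flow records or tcpdump without payload), so they are usable even where payload
capture is off the table for the privacy and legal reasons on the earlier slide.
"""
from statistics import mean, pstdev

# Constructed: connections per (proto, dst_port) on five quiet baseline days.
BASELINE_DAYS = [
    {("tcp", 80): 950,  ("tcp", 25): 120, ("tcp", 22): 40, ("udp", 53): 600},
    {("tcp", 80): 1010, ("tcp", 25): 130, ("tcp", 22): 38, ("udp", 53): 640},
    {("tcp", 80): 980,  ("tcp", 25): 115, ("tcp", 22): 45, ("udp", 53): 610},
    {("tcp", 80): 1040, ("tcp", 25): 125, ("tcp", 22): 42, ("udp", 53): 630},
    {("tcp", 80): 1000, ("tcp", 25): 110, ("tcp", 22): 35, ("udp", 53): 620},
]

# Constructed: today's counts. SSH is ten times its norm, and two services appear
# that the baseline never saw.
TODAY = {
    ("tcp", 80): 990, ("tcp", 25): 118, ("tcp", 22): 400,
    ("udp", 53): 615, ("udp", 635): 12, ("tcp", 23): 3,
}

# Security policy written down as traffic that should never appear on this segment.
# Constructed; real entries come from your own policy document.
POLICY_FORBIDDEN = {
    ("tcp", 23): "telnet is prohibited; ssh is the approved remote shell",
    ("udp", 635): "mountd/NFS is not authorised on this segment",
}


def build_baseline(days):
    """Per service: (mean, population stdev) of the daily count, treating a missing day as 0."""
    services = set().union(*days)
    return {svc: (mean([d.get(svc, 0) for d in days]), pstdev([d.get(svc, 0) for d in days]))
            for svc in services}


def analyse(today, baseline, policy, k=3.0, floor=10):
    """Return [(service, reason)] findings, in service order.

    k: how many standard deviations above the mean count as anomalous.
    floor: minimum absolute headroom, so a service with a tiny stdev does not alert on noise.
    A policy violation is reported as such even when the service is also new.
    """
    findings = []
    for svc, count in sorted(today.items()):
        proto, port = svc
        if svc in policy:
            findings.append((svc, f"policy: {policy[svc]} ({count} connections to {proto}/{port})"))
        elif svc not in baseline:
            findings.append((svc, f"new service: {proto}/{port} never seen in baseline ({count} connections)"))
        else:
            mu, sigma = baseline[svc]
            threshold = mu + max(k * sigma, floor)
            if count > threshold:
                findings.append((svc, f"volume: {count} to {proto}/{port} exceeds baseline "
                                      f"mean {mu:.0f} (threshold {threshold:.0f})"))
    return findings


if __name__ == "__main__":
    for svc, reason in analyse(TODAY, build_baseline(BASELINE_DAYS), POLICY_FORBIDDEN):
        print(reason)
```

The policy table is the piece the slide's last bullet is about: a signature-based sensor only fires on what it has a rule for, whereas "telnet is never allowed here" or "no NFS on this segment" is knowledge only your own policy holds, and it is cheap to turn into a check.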

11
Example Detect 1
  • Just Another Code Red Scan

12
Example Detect 2
  • Successful Compromise of rpc.statd on a Default
    RedHat 6.2 Installation

13
Network Architecture Considerations
  • Network Activity
  • Network Segments
  • Switched Environments
  • Information Police
  • How to centrally manage
  • IP address on the monitor interface?

14
Filler Slide
  • Why vendors, who boast about how an intrusion
    detection system can email you whenever there is
    an alert, should make you very afraid

15
This Page Left Blank Intentionally
16
Websites You May Or May Not Find Cool
  • http://www.manisec.com
  • http://www.snort.org
  • http://www.whitehats.com
  • http://www.incidents.org
  • http://www.sans.org
  • http://www.securityfocus.com

17
Q (hopefully :-) ) & A