Questions Specific to Intrusion Detection and this list

1: What is Intrusion Detection?

Intrusion Detection is the active process of documenting and catching attackers and malicious code on a network. It is implemented in two types of software: host based software and network based software.

2: What is the difference between Host based (HIDS) and Network based IDS (NIDS)?

HIDS is software which reveals if a machine is being or has been compromised. It does this by checking the files on the machine for possible problems. Software described as host based IDS could include file integrity checkers (TripWire), anti-virus software (Norton AV), server logs (Event Viewer or syslog), and in some ways even backup software can be a HIDS.

NIDS is software which monitors network packets and examines them against a set of signatures and rules. When the rules are violated the action is logged and the admin can be alerted. Examples of NIDS software are SNORT, ISS RealSecure, and Network Flight Recorder.

3: Who is Stephen Entwisle and why does he send a newsletter every week?

Stephen works for SecurityFocus. He worked as a moderator and editor of different announcements. The weekly newsletter is a summary of the vulnerabilities and security papers announced that week. It is convenient to have the newsletter to keep up with the latest security issues without having to check every day.

4: Who are the 31173 on this list?

Dug Song: security expert who wrote the tool fragrouter and runs monkey.org.
Robert Graham: CTO of NetworkICE (bought by ISS). Wrote great FAQs.
Martin Roesch: author of SNORT.
Max Vision: runs www.whitehats.com. Keeps a database of attack signature information known as arachNIDS.
Marcus Ranum: CTO of Network Flight Recorder (one of the best known NIDS). See his official bio here.
Ron Gula: a large contributor to SNORT and CTO of Dragon NIDS. He also has an official bio here.

5: I see snippets of output like:

Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56023 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56034 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56035 UDP

What is this output from?

As a whole, this is the type of output you will examine with a Network Intrusion Detection System. The above lines could have been taken from a network sniffer like TCPDUMP or from a NIDS like SNORT. Once you understand the basics of reading network sniffer output, you can communicate with others about odd network traffic and understand the output above.

6: I always see Snort being mentioned. Is it the most popular NIDS?

It is very popular for a few reasons:
1) The author of the program reads and replies to this list (see the "Who are the 31173" question).
2) It is constantly improving from its user feedback and the author's persistence.
3) It has both UNIX/Linux and Windows versions.
4) It's FREE!

Is it the top of the line NIDS? No. It is however a very good tool to get started with NIDS. It has a serious place in any production network.

7: What tools can be used for building packets?

hping
isic
Trinux, a floppy distro of Linux, contains the above tools plus more.

8: What are some personal IDS/firewalls?

While they don't fit into the enterprise class of IDS, there are several programs that can provide firewall and IDS services for a single user/PC. Here are a few:
Black Ice Defender
Symantec Personal Firewall
McAfee Firewall V2.1
ZoneAlarm

9: Where can I find a list of Intrusion Detection Systems?

http://www.networkintrusion.co.uk

10: How can I test my IDS?

We suggest the following steps:
1) Place the NIDS on a test network with a hub and a separate server.
2) Run the tool Nessus against the separate server.
3) When Nessus is done, what attacks did the NIDS detect? If it did not detect all the attacks, does the NIDS have the latest signatures? Can you write your own rules for the NIDS to catch the attack?
4) After the tests with Nessus, run the packet building tools. Make various illegal packets and aim them at the separate server. Does the NIDS detect the packets? Also use fragrouter against it to see how it handles fragmented packets.
5) Repeat steps 2 - 4 against the NIDS machine itself.
6) Harden the NIDS to help prevent it from being compromised.
7) Place it on the production network and see how many false positives it gets.
8) Tune it down from the false positives.
9) As new vulnerabilities occur, update the Nessus signatures and test to see if the NIDS catches them.

Here are a few tools:
NIDSbench
IDSwakeup

11: What is a false positive?

Most IDS use signatures to compare against attacks. Sometimes normal activity triggers the IDS: the IDS detects an attack signature during normal activity. Part of maintaining the IDS is knowing when what you are dealing with is a false positive and tuning the IDS to avoid them.

12: What is a false negative?

Most IDS use signatures to compare against attacks. Sometimes attack activity doesn't trigger the IDS.

13: Why do discussions on Intrusion Detection seem to have a bias towards Linux / UNIX?

It is mainly due to the tools available. Many great tools are free for Linux / UNIX. (See the question on the top 50 tools.) Some of those tools have ports for Windows, but the Windows versions are usually an afterthought.
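The following script is an added example written for this FAQ; it is not code from the list, from Snort, or from any of the tools named above. It ties together questions 5, 10 (writing your own rules), 11 and 12: it parses sniffer-style lines in the format shown in question 5 (with an assumed trailing payload field so that content rules have something to match), applies a port-sweep rule and a content-signature rule, and shows on constructed sample lines what a false positive (a benign SMTP message that happens to contain the signature string) and a false negative (a request whose signature string is split across two packets) look like, together with the tuning and reassembly that remove them. All sample traffic, rule names and thresholds are constructed for the example.

```python
"""Toy NIDS over sniffer-style log lines (added example; sample data is constructed).

Assumed line format, following the snippet in question 5 of the FAQ, plus an
optional payload field that is this example's own addition:
    Mon DD HH:MM:SS SRC_IP:SRC_PORT -> DST_IP:DST_PORT PROTO [payload]
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) '
    r'(?P<proto>[A-Z]+)(?: (?P<payload>.*))?$'
)

# Constructed sample: the three UDP lines from question 5, a benign SMTP message
# that mentions /etc/passwd, and one HTTP request split across two packets.
SAMPLE_LOG = """\
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56023 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56034 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56035 UDP
Jan 26 12:44:10 10.0.0.7:3344 -> MY.SUB.NET.2:25 TCP never chmod 666 /etc/passwd on a production box
Jan 26 12:45:02 10.0.0.9:4001 -> MY.SUB.NET.3:80 TCP GET /cgi-bin/view?file=/etc/
Jan 26 12:45:02 10.0.0.9:4001 -> MY.SUB.NET.3:80 TCP passwd HTTP/1.0
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    ev["payload"] = ev["payload"] or ""
    return ev


def parse_log(text):
    """Parse every well-formed line; silently skip lines the regex rejects."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def port_sweeps(events, min_ports=3):
    """Rule 1 (hypothetical 'port sweep'): one source touching >= min_ports
    distinct destination ports on one host. Returns sorted (src, dst) pairs."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["src"], ev["dst"])].add(ev["dport"])
    return sorted(k for k, ports in seen.items() if len(ports) >= min_ports)


def content_hits(events, pattern, dport=None, reassemble=False):
    """Rule 2 (hypothetical content signature): report (src, dst, dport) flows whose
    payload contains `pattern`. `dport` restricts the rule to one service, which is
    how a false positive from unrelated traffic is tuned out. With reassemble=True
    the payloads of one flow are joined before matching, so a signature split
    across packets (the false negative case) is still found."""
    if reassemble:
        flows, order = defaultdict(list), []
        for ev in events:
            key = (ev["src"], ev["dst"], ev["dport"])
            if key not in flows:
                order.append(key)
            flows[key].append(ev["payload"])
        return [k for k in order
                if (dport is None or k[2] == dport) and pattern in "".join(flows[k])]
    return [(ev["src"], ev["dst"], ev["dport"]) for ev in events
            if (dport is None or ev["dport"] == dport) and pattern in ev["payload"]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("port sweeps:", port_sweeps(evs))
    print("naive rule (per packet, any port):", content_hits(evs, "/etc/passwd"))
    print("tuned to port 80, still per packet:", content_hits(evs, "/etc/passwd", dport=80))
    print("tuned and reassembled:", content_hits(evs, "/etc/passwd", dport=80, reassemble=True))
```

Run as-is, the port-sweep rule flags 207.236.111.23 against MY.SUB.NET.1, which is what the three UDP lines in question 5 show: one source, one destination, a run of different destination ports. The naive content rule fires only on the SMTP message (a false positive) and misses the split HTTP request (a false negative); restricting the rule to port 80 removes the false positive, and reassembling the flow before matching removes the false negative. Real NIDS such as Snort do the equivalent with rule options and stream/fragment reassembly preprocessors; the point of the toy is to make the two failure modes and their fixes visible on a handful of lines.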