FORESEC Academy

NETWORK-BASED INTRUSIONDETECTION

FORESEC Academy Security Essentials (III)

FORESEC Academy

Need for Network-basedIntrusion Detection

Most attacks come from the Internet Detecting these attacks allows a site to

tune defenses If we correlate data from a large

number of sources we increase ourcapability

The statistic that 90% of all attacks are perpetrated by

insiders is dead wrong.

FORESEC Academy

Inside a Network Attack

WinNuke, (also called OOBNuke), uses TCP 139 and OOB Data, even if NetBIOS is not enabled. It results in the “Blue Screen of Death”.

Patches/service packs are available

OOB stands for Out Of Band and is actually misnamed;it should say .Urgent mode., which is Urgent bit set inthe TCP header flags and the urgent pointer.

FORESEC Academy

Nuke’eM Screen

FORESEC Academy

BlackIce – Nuke ‘Em Detection

FORESEC Academy

Network IntrusionDetection 101

FORESEC Academy

BlackIce - Enable Logging

FORESEC Academy

BlackIce - Viewing Logs

FORESEC Academy

BlackIce - Visualization Tools

FORESEC Academy

Libpcap-based Systems

FORESEC Academy

Network Intrusion DetectionWith Snort

FORESEC Academy

Snort Design Goals

Low cost, lightweight Suitable for monitoring multiple

sites/sensors Low false alarm rate Efficient detect system Low effort for reporting

FORESEC Academy

Snort

FORESEC Academy

Writing Snort Rules

Can create custom rules to filter on specific content.

Pre-loaded with hundreds of rules (but you may need to create one or more custom

rules) Simple to write yet powerful enough to

capture most types of traffic Options

- Basic (Pass, Log, Alert) - Advanced (Activate, Dynamic)

FORESEC Academy