FORESEC Academy
NETWORK-BASED INTRUSION DETECTION
FORESEC Academy Security Essentials (III)
Need for Network-based Intrusion Detection
- Most attacks come from the Internet
- Detecting these attacks allows a site to tune defenses
- If we correlate data from a large number of sources we increase our capability
The statistic that 90% of all attacks are perpetrated by insiders is dead wrong.
Inside a Network Attack
WinNuke, (also called OOBNuke), uses TCP 139 and OOB Data, even if NetBIOS is not enabled. It results in the “Blue Screen of Death”.
Patches/service packs are available
OOB stands for Out Of Band and is actually a misnomer; it should say "Urgent mode", which is the Urgent bit set in the TCP header flags together with the urgent pointer.
Nuke 'Em Screen
BlackIce – Nuke ‘Em Detection
Network Intrusion Detection 101
BlackIce - Enable Logging
BlackIce - Viewing Logs
BlackIce - Visualization Tools
Libpcap-based Systems
Network Intrusion Detection With Snort
Snort Design Goals
- Low cost, lightweight
- Suitable for monitoring multiple sites/sensors
- Low false alarm rate
- Efficient detection system
- Low effort for reporting
Snort
Writing Snort Rules
Can create custom rules to filter on specific content.
- Pre-loaded with hundreds of rules (but you may need to create one or more custom rules)
- Simple to write yet powerful enough to capture most types of traffic
- Options:
  - Basic (Pass, Log, Alert)
  - Advanced (Activate, Dynamic)
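As an added example (not part of the FORESEC slides or of Snort itself), the following Python sketches what a libpcap-based sensor or a custom Snort alert rule does for the WinNuke case above: parse the IPv4/TCP headers and alert on traffic to TCP port 139 with the URG bit set. The packets are constructed inline, and the Snort rule quoted in the comment is illustrative with an assumed sid.

```python
import struct

TCP_URG = 0x20                 # URG bit in the TCP flags field
NETBIOS_SESSION_PORT = 139     # port WinNuke targets

def parse_ipv4_tcp(packet: bytes):
    """Return (dport, flags, urgent_pointer) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:   # protocol 6 = TCP
        return None
    _sport, dport, _seq, _ack, off_flags, _win, _csum, urgptr = struct.unpack(
        "!HHIIHHHH", packet[ihl:ihl + 20])
    return dport, off_flags & 0x01FF, urgptr

def is_winnuke_candidate(packet: bytes) -> bool:
    """Same condition as this illustrative Snort rule (sid is an assumed placeholder):
    alert tcp any any -> any 139 (msg:"WinNuke OOB to NetBIOS"; flags:U+; sid:1000001;)
    i.e. TCP to port 139 with the URG bit set, whatever the urgent pointer says."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return False
    dport, flags, _urgptr = parsed
    return dport == NETBIOS_SESSION_PORT and bool(flags & TCP_URG)

def build_packet(dport: int, flags: int, urgptr: int) -> bytes:
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 0,
                      (5 << 12) | flags, 8192, 0, urgptr)
    return ip + tcp

# Constructed traffic: one WinNuke-style packet and two benign ones
SAMPLES = {
    "urg_to_139": build_packet(139, TCP_URG | 0x10, 1),  # URG+ACK to NetBIOS
    "plain_to_139": build_packet(139, 0x18, 0),          # PSH+ACK, ordinary session
    "urg_to_80": build_packet(80, TCP_URG | 0x10, 1),    # URG on a different port
}

def scan(samples=SAMPLES):
    """Names of the sample packets the rule would alert on."""
    return [name for name, pkt in samples.items() if is_winnuke_candidate(pkt)]

if __name__ == "__main__":
    print(scan())  # -> ['urg_to_139']
```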