A look into IDS/Snort part 1 of 3

from http://searchsecurity.techtarget.com...18283,00.html:

Quote:

---

"
1) In a network, promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety. This mode of operation is sometimes given to a network snoop server that captures and saves all packets for analysis (for example, for monitoring network usage).

2) In an Ethernet local area network (LAN), promiscuous mode is a mode of operation in which every data packet transmitted can be received and read by a network adapter. Promiscuous mode must be supported by each network adapter as well as by the input/output driver in the host operating system. Promiscuous mode is often used to monitor network activity.

Promiscuous mode is the opposite of non-promiscuous mode. When a data packet is transmitted in non-promiscuous mode, all the LAN devices "listen to" the data to determine if the network address included in the data packet is theirs. If it isn't, the data packet is passed onto the next LAN device until the device with the correct network address is reached. That device then receives and reads the data. "

---

hope this clears it up, if not please tell me :)

As thehorse13 mentioned, most firewalls keep excellent logs. That's a good point. With script kiddies, it's probably sufficient, as they lack the skills needed to completely and accurately footprint a system.

The problem, however, is that when [gloworange](not if)[/gloworange] the firewall is penetrated by an accomplished hacker, and when [gloworange](not if)[/gloworange] that hacker gains root, your firewall logs aren't worth $hit. A good hacker is going to case the place before attempting anything that will put an entry into your firewall logs. The only safe assumption at this point is to assume the worst.

The hacker's first order of business will usually be to ensure they can gain subsequent access to the system with a backdoor, most likely with a trojan or rootkit. Next, they will cover their tracks by hiding user accounts, shell scripts, and yep, you guessed it, clearing all evidence of their mischef from your logs. Any good hacker knows that an admin worth his salt keeps logs, and they are going to hunt the logs down and purge information that gives them away. Hackers don't like trails.

This is where the value of the IDS reveals itself. The IDS is a supplement to the firewall....a failover of sorts. All of a hacker's activities have been logged by the IDS in explicit detail. In the event the firewall logs are "sanitized" by the hacker, you can still get the info from the IDS. If implemented correctly, it's nearly invisible...the hacker should not even be aware of its exsistance. When used in conjuction with a dedicated syslog server, as in honeypot implementations, the value is increased exponentially.

As for the false-positives, like thehorse13 said, that is where network trending comes into play. Once you have a baseline, the IDS will be less prone to false-positive. Hopefully qod will address this issue as well in a later tutorial.

I know...most firewalls are capable of alert reporting that will send me an immediate alert via email, text message, or pager. Why do I care about IDS?

Because the alert is not immediate. It still has to wait for your mail server to recieve and send the message, or for your RRAS server to lookup and dial the number, and for your PBX to access a channel bank, etc. What happens if it is the mail server or RRAS server that is hacked? What if the hacker dials into your PBX and hacks it too?

[gloworange]Can you smell the bread burning?[/gloworange] :eek:

IDS is not an option, it's a must have. Layered defences are always best. After all...every firewall has a hole, every program has a bug, and every OS has a vulnerability...no matter how secure.

[glowpurple]Yep, I'm paranoid...It makes the hacker's job just that much harder. The more work involved in hacking a system, the less inviting it is to hack[/glowpurple] :D

--"You can be sure of succeeding in your attacks if you only attack places which are undefended.You can ensure the safety of your defense if you only hold positions that cannot be attacked."

Sun Tsu
The Art of War

I dunno, this is all good information, but I have to ask if this really can be considered a tutorial. No offense qod, but this is just reference information, and yes, while it is very good, it doesn't necessarily belong as a tutorial since there is no actual "this is how you do this". I suppose this does fit the description of where it should go, but honestly, this shouldn't count as a tutorial IMO.

Good info though. :)

Quote:

---

As for the false-positives, like thehorse13 said, that is where network trending comes into play. Once you have a baseline, the IDS will be less prone to false-positive. Hopefully qod will address this issue as well in a later tutorial.

---

do you mean to address how to lower the false positive rate?? i think i talked about that:

Quote:

---

1.10 False Positives

One of the many problems with IDS is that they are prone to many false positives, as a matter of fact almost 90% of all alerts are false positives. False positives is best described as Stefan Axelsson said: "If you call everything with a large red nose a clown, you'll spot all the clowns, but also Santa's reindeer, Rudolph, and Vice versa." This is a great example of what are false positives. They are alerts and logs that classify authorized strange behavior as an attack while in fact it is not.
The reason why false positives are problematic is that they waste precious time and resources. They are administrative intensive and will not affect your network. But because every alert needs to be analyzed this could require many people to do, and these people might miss the real attack.
There are many reasons that cause false positives:

1) Poorly written attack signatures.
Because attack signatures are often written general enough to detect variants of the attack, they also produce a higher false positive rate. As an example, say there is a signature files that detects when a cmd.exe is passed your web server, this would catch many attacks against your web server. But what if a user (Kevin) has a password of cmd.exe, every time Kevin will log in the IDS will generate a false positive.
2) Poorly Configure IDS

Tuning your IDS to work with your network is your best choice against false positives, remember that it might take you weeks if not months just to fine tune your IDS. A couple of guidelines include:
1) Do not put attack signatures that you will not need. Not only that is process intensive, but it is also wastefully. If you do not have an FTP server why would you be afraid of it being attacked, and why would you need the FTP attack signatures?
2) Do not detect hosts that you do not have on your network. If you have 100 computers on your network, then you would only need to monitor those 100 systems, and not the whole subnet.
3) Remove attack signatures that produce too many false positives. Not all attack signatures are created equal, so if you find an attack signature that produces too much false positives, they you could rewrite the attack signature, or just delete it.


1.11 False negatives

False negatives on the other hand are when an IDS does not detect a real attack, and they cause more havoc than false positives. They are usually cause by new exploits(0-day), variants of known attacks, or an none-updated IDS signature file. To defeat them make sure that you secure your network, and also keep your signature files up-to-date.

---

also chsh i agree this is not a tutorial, and you cann't have a tutorial with IDS or any security measure, because each network is unique and will have custome settings. but then again many of the posts here are not tutorials but to give you understanding of where to go from there.

My bad, qod, you did say that...I typed the wrong handle ;)

I just got kinda flustered and started ranting.

no problem. just hang on, i am almost done with part 2

Nice man, really good job on informing us.

Maybe in later parts you could turn it into a tutorial by showing how to create/or what is needed to create the ultimate hybrid IDS. when you have one sysadmin for a big corporation it could be good to have a bit of help from the IDS.

Keep em commin!
Modderfokker

sorry, where is the pdf format that will can download?

Quote:

---

Originally posted here by decyberworld
sorry, where is the pdf format that will can download?

---

http://www.antionline.com/attachment...&postid=705436


QUOTE] Originally posted here by Modderfokker
Nice man, really good job on informing us.

Maybe in later parts you could turn it into a tutorial by showing how to create/or what is needed to create the ultimate hybrid IDS. when you have one sysadmin for a big corporation it could be good to have a bit of help from the IDS.

Keep em commin!
Modderfokker [/QUOTE]

thank you for the commplement, but i cann't do a tutorial on the best hybrid IDS, the best one is the one custome made for you network, that is the reason why this was not a tutorial in the first place, is because you will not know any thing and will have just another thing that will not work on your network.