December 13th, 2003, 08:38 AM
IDS/Snort : part 1.1 (a bigger paper will come)
December 13th, 2003, 07:47 PM
I know something that you missed. You didn't even talk about Snort, not to mention that you posted the tutorial twice. I don't want to be mean or anything, but this was a very vague tutorial. You didn't cover very much of what an IDS is about. I mean, how can you have a tutorial on IDSs without talking about signature-based or anomaly-based detection methods? OK, I am going to break it down.
You said that firewalls do a great job of detecting attacks outside the network. Firewalls can be used internally also, but they don't really detect too much; they protect and do what you configure them to do, like ... block all traffic from 126.96.36.199.
An IDS should not really be considered a "protection" device. I mean, you can set one up to reconfigure something if an attack happens or take some other kind of action. That can soften the blow of an attack. But your analogy of a burglar alarm is correct. An alarm does not keep people out of your house, it only lets you know when they are in there.
You discussed logs and their importance, but think about this: you shouldn't keep the logs on the box. If someone compromises your IDS your logs will be zapped. It is better to have all of the logs sent to another box for collection. Also, you want to try and protect the logs on the other box, because if the IDS is compromised the attacker can view your configs and find the box that is collecting the logs.
Also, when you have an IDS it should not be running any unnecessary services, i.e. services that can be exploited to gain access to the box.
Another thing that should be mentioned is having two NICs in the box and not assigning an IP address to the monitoring NIC. That way it makes it harder to attack the IDS.
You also didn't mention using an IDS in a switched environment. Most businesses nowadays have switches instead of hubs. So you have to either create a monitoring segment or span the ports on the switch to go to the port that you are monitoring.
Another thing to note is the fact that IDSs have a certain amount of traffic that they can handle. When traffic reaches its capacity it starts to let traffic slip through.
You didn't discuss IDS evasion techniques, such as fragmenting or using alternate protocols or anything like that. You can actually hide data in unnecessary parts of protocols or even in HTTP GET requests.
You also didn't mention that another way around an IDS is using encryption. Encrypted traffic cannot be checked by many IDSs unless they are configured to do so.
In a secure environment you should never use telnet or anything else that sends credentials in plain text. You should use SSH instead.
Plus you didn't even talk about Snort at all.
Anyway, I have more to write, but I am not the one writing the tutorial. If you want to write a good IDS tut you should go back to the drawing board and research and talk about some of the things that I have mentioned. I hope that helped.
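The evasion techniques the reply above lists (URL encoding, self-referenced directories, fragmenting a request across packets, and the resulting false negatives) are easy to show with a toy matcher. The block below is an added example and is not code from this thread or from Snort: the "signature" is a stand-in regex for a request to the old /cgi-bin/phf script, and the HTTP requests are constructed samples, not captured traffic. It compares a stateless per-packet matcher with one that first reassembles the stream and normalizes the URI, which is the job Snort's stream and HTTP preprocessors do.

```python
"""
Added example (not from the original thread or from Snort): why a NIDS must
reassemble the TCP stream and normalize the URI before matching a signature.
"""
import posixpath
import re
from urllib.parse import unquote

# Stand-in signature (an assumption, not a Snort rule): flag any GET for the
# historic /cgi-bin/phf script. The trailing \b keeps "phfoo" from matching.
SIGNATURE = re.compile(r"GET\s+/cgi-bin/phf\b")

# Request line of an HTTP/1.x message at the start of the reassembled stream.
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d")

# Constructed sample streams: each value is the list of TCP segment payloads
# (shown as text) that make up one client request.
SAMPLES = {
    "plain":          ["GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"],
    "url_encoded":    ["GET /cgi-bin/%70%68%66?Qalias=x HTTP/1.0\r\n\r\n"],
    "double_encoded": ["GET /cgi-bin/%2570hf?Qalias=x HTTP/1.0\r\n\r\n"],
    "self_ref_dir":   ["GET /cgi-bin/./phf?Qalias=x HTTP/1.0\r\n\r\n"],
    "traversal":      ["GET /cgi-bin/../cgi-bin//phf?Qalias=x HTTP/1.0\r\n\r\n"],
    # Session splicing: the request is spread over six tiny segments so that
    # no single packet ever contains the whole pattern.
    "spliced":        ["GE", "T /cg", "i-bin", "/p", "hf?Qal", "ias=x HTTP/1.0\r\n\r\n"],
    "benign":         ["GET /cgi-bin/phfoo/index.html HTTP/1.0\r\n\r\n"],
}


def naive_match(segments):
    """Stateless, per-packet matching with no decoding: the weak sensor."""
    return any(SIGNATURE.search(seg) for seg in segments)


def normalize_uri(uri):
    """Undo the encodings the thread names: %XX escapes (repeated until stable,
    which also covers %25 double encoding), self-referenced directories (/./),
    duplicate slashes and /../ hops. The query string is left untouched."""
    path, sep, query = uri.partition("?")
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    path = posixpath.normpath(path)
    return path + sep + query


def inspect(segments):
    """Stateful inspection: reassemble the stream, parse the request line,
    normalize the URI, and only then apply the signature."""
    stream = "".join(segments)          # TCP reassembly of the client side
    m = REQUEST_LINE.match(stream)
    if not m:
        return False
    method, uri = m.group(1), m.group(2)
    return bool(SIGNATURE.search(f"{method} {normalize_uri(uri)} "))


def compare_all():
    """Return {sample name: (naive verdict, stateful verdict)} for every sample."""
    return {name: (naive_match(segs), inspect(segs)) for name, segs in SAMPLES.items()}


if __name__ == "__main__":
    for name, (weak, strong) in compare_all().items():
        print(f"{name:15s} naive={weak!s:5s} reassembled+normalized={strong}")
```

Only the "plain" sample trips the naive matcher; every encoded, self-referenced, traversed or spliced variant is a false negative for it, while the normalizing matcher flags all of them and still leaves the benign request alone. The same reassembly idea applies one layer down to IP fragmentation, which this text-level demo does not model. The caveat is that normalization must mirror what the target server actually does: a sensor that decodes twice when the server decodes once will raise false positives, and one that decodes less than the server will keep missing attacks.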
December 13th, 2003, 08:46 PM
Sorry for posting it twice, I will delete it.
BTW, here is my TOC. As you can see, this was just 1.1, What is IDS.
Table of Contents:
1.1 What is IDS?
1.4 Hybrid IDS
1.6 Signature based detection
1.7 Anomaly based detection
1.8 Statistical based detection
1.9 Other methods of detection that are used
1.10 What is a Sniffer?
1.11 Common places to place your IDS sensor
1.12 Problems with IDS
1.12.1 False Positives
1.12.2 False Negatives
2.1 What is Snort?
2.2 What makes it tick.
2.3 Some history.
2.4 System requirements.
2.5 Running Snort.
2.6 Snort's Components.
2.7.1 Packet Sniffer
2.7.2 Packet Decoder.
2.7.5 Output and Logs.
2.7 Rules Basics
2.8 Preprocessor Basics
2.9 A look at snort.conf
2.10 Configuring and tweaking snort.
2.11 Updating Snort.
3. Shortcomings of NIDS and how they reflect on Snort
3.1 Architectural Issues
3.1.1 Sensor placement
3.1.4 Gigabit Ethernet
3.2 False Positives
3.3 False Negatives
3.4 Anti-IDS tactics
3.4.1 URL encoding
3.4.3 Self-referenced Directory
3.4.5 Snort and Stick
3.6 Stateless packets
3.7 Session splicing
3.9 What snort is still vulnerable against