An intrusion detection system (IDS) is a software- and/or hardware-based system that monitors network traffic for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action, such as blocking the user or source IP address from accessing the network.
Typical locations for an intrusion detection system are shown in the following figure:
The types of intrusion detection systems are as follows:
1) Host-Based Intrusion Detection System (HIDS): Host-based intrusion detection systems, or HIDS, are installed as agents on a host. These intrusion detection systems can look into system and application log files to detect any intruder activity.
2) Network-Based Intrusion Detection System (NIDS): These IDSs detect attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment, thereby protecting those hosts. Network-based IDSs often consist of a set of single-purpose sensors or hosts placed at various points in a network. These units monitor network traffic, performing local analysis of that traffic and reporting attacks to a central management console.
Some important topics that come under intrusion detection are as follows:
1) Signatures: A signature is the pattern that you look for inside a data packet. A signature is used to detect one or multiple types of attacks. For example, the presence of “scripts/iisadmin” in a packet going to your web server may indicate intruder activity. Signatures may be present in different parts of a data packet depending upon the nature of the attack.
2) Alerts: Alerts are any sort of user notification of intruder activity. When an IDS detects an intruder, it has to inform the security administrator about this using alerts. Alerts may be in the form of pop-up windows, logging to a console, sending e-mail and so on. Alerts are also stored in log files or databases where they can be viewed later on by security experts.
3) Logs: The log messages are usually saved in a file. Log messages can be saved either in text or binary format.
4) False Alarms: False alarms are alerts generated due to an indication that is not intruder activity. For example, misconfigured internal hosts may sometimes broadcast messages that trigger a rule, resulting in the generation of a false alert. Some routers, like Linksys home routers, generate lots of UPnP-related alerts. To avoid false alarms, you have to modify and tune the different default rules. In some cases you may need to disable some of the rules to avoid false alarms.
5) Sensor: The machine on which an intrusion detection system is running is also called the sensor in the literature because it is used to “sense” the network.
Snort: Snort is a very flexible network intrusion detection system that has a large set of pre-configured rules. Snort also allows you to write your own rule set. There are several mailing lists on the Internet where people share new Snort rules that can counter the latest attacks.
Snort is a modern security application that can perform the following three functions:
* It can serve as a packet sniffer.
* It can work as a packet logger.
* It can work as a Network-Based Intrusion