网络信息安全(入侵检测)1.pptVIP

Intrusion Detection System What is IDS? IDS = Intrusion Detection System Intrusion detection systems (IDSs) are software or hardware systems that automate the process of monitoring the events occurring in a computer system or network, analyzing them for signs of security problems. Not firewall General IDS Model Sensor Analyzer Manager Operator Administrator Basic Classification NIDS - Network Based e.g. Cisco Secure IDS , Axent Netpowler, Snort, ISS RealSecure Network Sensor, NAI Cybercop Monitor HIDS - Host Based e.g. Axent Intruder Alert, ISS RealSecure OS Sensor, Tripwire Snort libpcap Takes the “raw” packet stream Parses the packets and presents them as a Filtered packet stream Library for packet capture Website for more details /. Malicious Pattern Example Malicious Patterns Example content: “/cgi-bin/phf” Matches any packet whose payload contains the string “/cgi-bin/phf” Look at /advisories/CA-1996-06.html msg: “PHF probe!” Generate this message if a match happens More Examples How to generate new patterns? Buffer overrun found in Internet Message Access Protocol (IMAP) /advisories/CA-1997-09.html Run exploit in a test network and record all traffic Examine the content of the attack packet Notional IMAP buffer overflow packet Alert rule for the new buffer overflow Advantages of Snort Lightweight Small footprint Focused monitoring: highly tuned Snort for the SMTP server Malicious patterns easy to develop Large user community Consider the IRDP denial-of-service attack Rule for this attack available on the same day the attack was announced Disadvantages Does not perform stream reassembly Attackers can use that to “fool” Snort Break one attack packet into a stream Pattern matching is expensive Matching patterns in payloads is expensive (avoid it!) Rule development methodology is adhoc Deployment Tips (1) Dual NIC No TCP/IP binding Network Performance NIC optimization settings Promiscuous mode Deployment Tips (2) Locations DMZ In front of f