10 Ids&ips

The document discusses Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), highlighting their functions in monitoring and blocking malicious activities. It details detection methods, including signature-based and anomaly-based approaches, and provides an overview of the open-source IDS Snort, including installation and configuration instructions. Additionally, it outlines the pros and cons of these systems, emphasizing the importance of updating signature libraries to reduce false positives.

Uploaded by Arslan Coskun

IDS & IPS

國立陽明交通大學資工系資訊中心
Computer Center of Department of Computer Science, NYCU
1
IDS & IPS
● Intrusion detection system (IDS) is a device or software application
that monitors a network or systems for malicious activity or policy
violations.
● The main functions of intrusion prevention systems (IPS) are to
identify malicious activity, log information about this activity,
report it and attempt to block or stop it.

IDS / IPS with Firewall
[Diagram: the intruder's attack passes through the firewall and reaches the IDS. The IDS consults a rules DB and a signature DB, which the administrator maintains through an administrative interface. The IDS passes data and alerts to the administrator.]
Detection Method
● Signature-based
○ Patterns of known malicious events
○ Difficult to detect new attacks
○ Example: Snort
● Anomaly-based
○ Use machine learning to create a model of trustworthy activity, and then compare new behavior against this model.
■ Example: https://zeek.org/
■ Example: reCAPTCHA v3
reCAPTCHA v3 returns a score for each request without user friction. The score is based on interactions with your site and enables you to take an appropriate action for your site.
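As an added illustration (not part of the original slides), the following shell script runs both detection styles from this slide over a constructed access-log sample: a fixed-string list stands in for Snort's signature matching, and a per-client request count compared against a baseline stands in for an anomaly model. The log lines, the pattern list and the threshold factor are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original slides: signature-based vs anomaly-based
# detection over a constructed log sample. Patterns, threshold and log lines
# are assumptions for illustration, not Snort or Zeek output.

# Constructed sample: "client method path status". One line carries a known
# bad pattern (/etc/passwd traversal); client 10.0.0.9 sends an unusual burst.
SAMPLE_LOG='10.0.0.5 GET /index.html 200
10.0.0.6 GET /about.html 200
10.0.0.5 GET /img/logo.png 200
10.0.0.7 GET /../../etc/passwd 404
10.0.0.9 GET /login 200
10.0.0.9 GET /login 200
10.0.0.9 GET /login 200
10.0.0.9 GET /login 200
10.0.0.9 GET /login 200
10.0.0.9 GET /login 200'

# Signature-based: each line is compared with a list of known-bad strings
# (Snort would use content:/pcre: options in a rule). Anything that is not on
# the list, such as the burst from 10.0.0.9, is not reported: "difficult to
# detect new attacks".
signature_detect() {
    printf '%s\n' "$1" | grep -F -e '/etc/passwd' -e '<script>' || true
}

# Anomaly-based: derive a baseline (mean requests per client) from the traffic
# itself and report clients above FACTOR times that mean. It sees the burst
# but says nothing about the single traversal request, which is why the two
# methods are complementary.
anomaly_detect() {
    factor="${2:-2}"
    printf '%s\n' "$1" | awk -v f="$factor" '
        { if (!($1 in n)) clients++; n[$1]++; total++ }
        END {
            mean = total / clients
            for (ip in n) if (n[ip] > f * mean) print ip, n[ip]
        }'
}

# Run both detectors over the sample when invoked as: sh detect.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "signature hits:";     signature_detect "$SAMPLE_LOG"
    echo "anomalous clients:";  anomaly_detect "$SAMPLE_LOG"
fi
```

Raising the threshold factor (second argument of `anomaly_detect`) silences the burst alert, which is the knob behind the "false positives are frequent" point on the next slide: a baseline that is too tight alerts on ordinary traffic, one that is too loose misses the burst.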
Pros & Cons
● Pros
○ Simple
○ Cost Efficiency
● Cons
○ False positives are frequent
○ Need to update signature library

Snort
● An open source IDS
○ GPLv2
● Very simple to use

Snort - Installation
● FreeBSD: pkg install snort
● Don't forget to update to the latest rules
○ Configure PulledPork
■ cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf
■ mkdir /usr/local/etc/snort/so_rules
■ mkdir /usr/local/etc/snort/rules/iplists
■ touch /usr/local/etc/snort/rules/local.rules
■ cp /usr/local/etc/snort/preproc_rules/sensitive-data.rules-sample /usr/local/etc/snort/preproc_rules/sensitive-data.rules
■ /usr/local/etc/snort/rules/white_list.rules
■ /usr/local/etc/snort/rules/black_list.rules
Snort - PulledPork
● /usr/local/etc/pulledpork/pulledpork.conf
○ https://github.com/shirkdog/pulledpork/blob/master/etc/pulledpork.conf
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
rule_url=https://snort.org/downloads/ip-block-list|IPBLOCKLIST|open
ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
temp_path=/tmp
rule_path=/usr/local/etc/snort/rules/snort.rules
sorule_path=/usr/local/etc/snort/so_rules/
local_rules=/usr/local/etc/snort/rules/local.rules
sid_msg=/usr/local/etc/snort/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/sid_changes.log
snort_path=/usr/local/bin/snort
config_path=/usr/local/etc/snort/snort.conf
distro=FreeBSD-12

Run PulledPork
● pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -l

Start Snort
● In /etc/rc.conf.local
○ snort_enable="YES"
○ snort_interface="em0"
● /usr/local/etc/rc.d/snort start

Update rules periodically
● crontab
○ 0 6 * * * /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -l > /dev/null
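The installation, PulledPork configuration, rc.conf.local and cron steps from the preceding slides, gathered into one idempotent script as an added example (this is not code from the slides or from the Snort/PulledPork projects). It assumes three parameters of its own: ROOT, an optional path prefix so the script can be dry-run against a scratch directory; OINKCODE, a placeholder for the snort.org oinkcode; and IFACE, the capture interface. The configuration values themselves are the ones shown on the slides.

```shell
#!/bin/sh
# Added example, not from the original slides or the Snort/PulledPork projects:
# the slides' installation steps as one script that is safe to re-run.
# Assumptions: ROOT is an optional prefix (empty on a real host, a scratch
# directory for a dry run); OINKCODE and IFACE are placeholders to fill in.
set -eu

# Step 1: rule directories and empty rule files referenced by the slides.
# mkdir -p / touch are safe to repeat; the sample file is copied only once so
# that local edits survive a re-run.
prepare_snort_layout() {
    root="${1:-}"
    etc="$root/usr/local/etc/snort"
    mkdir -p "$etc/so_rules" "$etc/rules/iplists" "$etc/preproc_rules" \
             "$root/usr/local/etc/pulledpork"
    touch "$etc/rules/local.rules" "$etc/rules/white_list.rules" "$etc/rules/black_list.rules"
    if [ ! -f "$etc/preproc_rules/sensitive-data.rules" ] && \
       [ -f "$etc/preproc_rules/sensitive-data.rules-sample" ]; then
        cp "$etc/preproc_rules/sensitive-data.rules-sample" \
           "$etc/preproc_rules/sensitive-data.rules"
    fi
    # Seed local.rules with one example rule if it is empty (sid >= 1000000 is
    # the range reserved for locally written rules).
    if [ ! -s "$etc/rules/local.rules" ]; then
        echo 'alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP seen"; sid:1000001; rev:1;)' \
            > "$etc/rules/local.rules"
    fi
}

# Step 2: pulledpork.conf with the values from the slides; the second argument
# replaces the <oinkcode> placeholder.
write_pulledpork_conf() {
    root="${1:-}"; oinkcode="${2:-CHANGEME}"
    cat > "$root/usr/local/etc/pulledpork/pulledpork.conf" <<EOF
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|$oinkcode
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
rule_url=https://snort.org/downloads/ip-block-list|IPBLOCKLIST|open
ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
temp_path=/tmp
rule_path=/usr/local/etc/snort/rules/snort.rules
sorule_path=/usr/local/etc/snort/so_rules/
local_rules=/usr/local/etc/snort/rules/local.rules
sid_msg=/usr/local/etc/snort/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/sid_changes.log
snort_path=/usr/local/bin/snort
config_path=/usr/local/etc/snort/snort.conf
distro=FreeBSD-12
EOF
}

# Step 3: rc.conf.local entries, appended only when not already present.
enable_snort_rc() {
    root="${1:-}"; iface="${2:-em0}"
    rc="$root/etc/rc.conf.local"
    mkdir -p "$root/etc"
    touch "$rc"
    grep -q '^snort_enable=' "$rc"    || echo 'snort_enable="YES"' >> "$rc"
    grep -q '^snort_interface=' "$rc" || echo "snort_interface=\"$iface\"" >> "$rc"
}

# Step 4: the nightly rule update from the slides, as a crontab line.
cron_line() {
    echo '0 6 * * * /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -l > /dev/null'
}

# Usage on a host (as root): ROOT= OINKCODE=... IFACE=em0 sh setup.sh apply
# Afterwards run pulledpork.pl -c ... -l once and /usr/local/etc/rc.d/snort start.
if [ "${1:-}" = "apply" ]; then
    prepare_snort_layout "${ROOT:-}"
    write_pulledpork_conf "${ROOT:-}" "${OINKCODE:-CHANGEME}"
    enable_snort_rc "${ROOT:-}" "${IFACE:-em0}"
    echo "add this line to root's crontab: $(cron_line)"
fi
```

Re-running the script is harmless: directories are created with `mkdir -p`, the sample file and the seed rule are only written when the target is missing or empty, and the rc.conf.local lines are appended only once, so a second run after a manual edit does not clobber it.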
