What is Intrusion Detection?


7


1.1.1.4


Signatures


Signature is the pattern that you look for inside a data packet. A signature is used


to detect one or multiple types of attacks. For example, the presence of  scripts/iisad 


min  in a packet going to your web server may indicate an intruder activity.


Signatures may be present in different parts of a data packet depending upon the


nature of the attack. For example, you can find signatures in the IP header, transport


layer header (TCP or UDP header) and/or application layer header or payload. You will


learn more about signatures later in this book.


Usually IDS depends upon signatures to find out about intruder activity. Some


vendor specific IDS need updates from the vendor to add new signatures when a new


type of attack is discovered. In other IDS, like Snort, you can update signatures your 


self.


1.1.1.5


Alerts


Alerts are any sort of user notification of an intruder activity. When an IDS detects


an intruder, it has to inform security administrator about this using alerts. Alerts may be


in the form of pop up windows, logging to a console, sending e mail and so on. Alerts


are also stored in log files or databases where they can be viewed later on by security


experts. You will find detailed information about alerts later in this book.


Snort can generate alerts in many forms and are controlled by output plug ins.


Snort can also send the same alert to multiple destinations. For example, it is possible to


log alerts into a database and generate SNMP traps simultaneously. Some plug ins can


also modify firewall configuration so that offending hosts are blocked at the firewall or


router level. 


1.1.1.6


Logs


The log messages are usually saved in file. By default Snort saves these messages


under /var/log/snort directory. However, the location of log messages can be changed


using the command line switch when starting Snort. Log messages can be saved either


in text or binary format. The binary files can be viewed later on using Snort or tcpdump


program. A new tool called Barnyard is also available now to analyze binary log files


generated by Snort. Logging in binary format is faster because it saves some formatting


overhead. In high speed Snort implementations, logging in binary mode is necessary.


1.1.1.7


False Alarms


False alarms are alerts generated due to an indication that is not an intruder activ 


ity. For example, misconfigured internal hosts may sometimes broadcast messages that


trigger a rule resulting in generation of a false alert. Some routers, like Linksys home


routers, generate lots of UPnP related alerts. To avoid false alarms, you have to modify








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      toronto web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Cheap Web Hosting
JSP Web Hosting
Ontario Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Java Hosting
Cheapest Hosting



Visionwebhosting.net Business web hosting division of Vision Web Hosting Inc.. All rights reserved