92


Chapter 10. Intrusion Detection


10.3. Network based IDS


Network based intrusion detection systems operate differently from host based IDSes. The design


philosophy of a network based IDS is to scan network packets at the router or host level, auditing


packet information and logging any suspicious packets into a special log file with extended infor 


mation. Based on these suspicious packets, a network based IDS can scan its own database of known


network attack signatures and assign a severity level for each packet. If severity levels are high enough,


a warning email or pager call is placed to security team members so they can further investigate the


nature of the anomaly.


Network based IDSes have become popular as the Internet grows in size and traffic. IDSes that can


scan the voluminous amounts of network traffic and successfully tag suspect traffic are well received


within the security industry. Due to the inherent insecurity of the TCP/IP protocols, it has become


imperative to develop scanners, sniffers, and other network auditing and detection tools to prevent


security breaches due to such malicious network activity as:


IP Spoofing


Denial of service attacks


arp cache poisoning


DNS name corruption


Man in the middle attacks


Most network based IDSes require that the host system network device be set to promiscuous mode,


which allows the device to capture every packet on the network. Promiscuous mode can be set through


the


ifconfig


command, like the following:


ifconfig eth0 promisc


Running ifconfig with no options reveals that


eth0


is now in promiscuous mode.


eth0


Link encap:Ethernet


HWaddr 00:00:D0:0D:00:01


inet addr:192.168.1.50


Bcast:192.168.1.255


Mask:255.255.252.0


UP BROADCAST RUNNING PROMISC MULTICAST


MTU:1500


Metric:1


RX packets:6222015 errors:0 dropped:0 overruns:138 frame:0


TX packets:5370458 errors:0 dropped:0 overruns:0 carrier:0


collisions:0 txqueuelen:100


RX bytes:2505498554 (2389.4 Mb)


TX bytes:1521375170 (1450.8 Mb)


Interrupt:9 Base address:0xec80


lo


Link encap:Local Loopback


inet addr:127.0.0.1


Mask:255.0.0.0


UP LOOPBACK RUNNING


MTU:16436


Metric:1


RX packets:21621 errors:0 dropped:0 overruns:0 frame:0


TX packets:21621 errors:0 dropped:0 overruns:0 carrier:0


collisions:0 txqueuelen:0


RX bytes:1070918 (1.0 Mb)


TX bytes:1070918 (1.0 Mb)


Using a tool such as


tcpdump


(included with Red Hat Linux), we can see the large amounts of traffic


flowing throughout a network:


# tcpdump


tcpdump: listening on eth0


02:05:53.702142 pinky.exampledomain.com.ha cluster > \


heavenly.exampledomain.com.860:


udp 92 (DF)


02:05:53.702294 heavenly.exampledomain.com.860 > \


pinky.exampledomain.com.ha cluster:


udp 32 (DF)


02:05:53.702360 pinky.exampledomain.com.55828 > dns1.exampledomain.com.domain: \


PTR? 254.35.168.192.in addr.arpa. (45) (DF)








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      web hosting comparison

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved