What is Intrusion Detection?
1.1.1.4 Signatures
A signature is the pattern that you look for inside a data packet. A signature is used
to detect one or more types of attack. For example, the presence of scripts/iisadmin
in a packet going to your web server may indicate intruder activity.
Signatures may be present in different parts of a data packet depending upon the
nature of the attack. For example, you can find signatures in the IP header, transport
layer header (TCP or UDP header) and/or application layer header or payload. You will
learn more about signatures later in this book.
Usually an IDS depends upon signatures to find out about intruder activity. Some
vendor-specific IDS need updates from the vendor to add new signatures when a new
type of attack is discovered. In other IDS, like Snort, you can update signatures
yourself.
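The following is an added example, not code from the book, showing where a signature can sit in a packet. It builds a few raw IPv4/TCP and IPv4/UDP packets in memory (constructed traffic), decodes them, and matches simple Snort-style signatures against the IP header (source address, protocol), the transport header (destination port) and the application payload. The scripts/iisadmin string is the book's example; HOME_NET, the addresses and the UPnP text are assumptions. The two UPnP signatures also illustrate the false-alarm point made later in this chapter: a payload-only pattern fires on the internal router's own announcements, while the same pattern restricted to external sources stays quiet.

```python
"""Added example, not from the book: where a signature can live in a packet.

Builds a few raw IPv4/TCP and IPv4/UDP packets in memory (constructed for this
example), decodes them, and matches simple Snort-style signatures against the IP
header, the transport header and the application payload.  HOME_NET, the
addresses and the UPnP text are assumptions; scripts/iisadmin is the book's
example URI.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOME_NET = ipaddress.ip_network("192.168.0.0/16")   # assumed internal network


def build_ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left 0) + transport segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + l4


def build_tcp(sport: int, dport: int, payload: bytes) -> bytes:
    """TCP header with data offset 5, flags PSH|ACK, checksum left 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header, checksum left 0."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int]
    dport: Optional[int]
    payload: bytes


def decode(raw: bytes) -> Packet:
    """Decode IPv4 + TCP/UDP; other protocols are returned with the IP body as payload."""
    vihl, _tos, total, _id, _frag, _ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    body = raw[(vihl & 0x0F) * 4:total]
    sport = dport = None
    payload = body
    if proto == 6 and len(body) >= 20:           # TCP: header length is the data offset in 32-bit words
        sport, dport = struct.unpack("!HH", body[:4])
        payload = body[(body[12] >> 4) * 4:]
    elif proto == 17 and len(body) >= 8:         # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", body[:4])
        payload = body[8:]
    return Packet(str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d)), proto, sport, dport, payload)


@dataclass
class Signature:
    msg: str
    content: bytes                      # application layer: byte pattern in the payload
    proto: Optional[int] = None         # IP header: protocol number (6 TCP, 17 UDP)
    dport: Optional[int] = None         # transport header: destination port
    from_external: bool = False         # IP header: source must be outside HOME_NET

    def matches(self, pkt: Packet) -> bool:
        if self.from_external and ipaddress.ip_address(pkt.src) in HOME_NET:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return self.content in pkt.payload


def run(signatures: List[Signature], raw_packets: List[bytes]) -> List[Tuple[str, str, str]]:
    """Return one (msg, src, dst) alert per signature hit."""
    alerts = []
    for raw in raw_packets:
        pkt = decode(raw)
        for sig in signatures:
            if sig.matches(pkt):
                alerts.append((sig.msg, pkt.src, pkt.dst))
    return alerts


SIGNATURES = [
    Signature("WEB-IIS iisadmin access", b"scripts/iisadmin", proto=6, dport=80),
    # Too broad: fires on the internal router's own UPnP announcements (a false alarm).
    Signature("UPnP rootdevice notify (any source)", b"upnp:rootdevice", proto=17),
    # Same pattern restricted to external sources, the usual way to quiet that noise.
    Signature("UPnP rootdevice notify (external only)", b"upnp:rootdevice", proto=17, from_external=True),
]

SAMPLE_PACKETS = [  # constructed traffic for this example
    build_ipv4("203.0.113.5", "192.168.1.10", 6, build_tcp(40122, 80, b"GET /scripts/iisadmin/ HTTP/1.0\r\n\r\n")),
    build_ipv4("192.168.1.20", "192.168.1.10", 6, build_tcp(51000, 80, b"GET /index.html HTTP/1.0\r\n\r\n")),
    build_ipv4("192.168.1.1", "239.255.255.250", 17,
               build_udp(1900, 1900, b"NOTIFY * HTTP/1.1\r\nNT: upnp:rootdevice\r\n\r\n")),
]

if __name__ == "__main__":
    for msg, src, dst in run(SIGNATURES, SAMPLE_PACKETS):
        print(f"[**] {msg} [**] {src} -> {dst}")
```

Running it produces two alerts: the iisadmin request from the external host, and the UPnP notification matched by the untuned signature. The external-only variant of the UPnP signature stays silent for the router at 192.168.1.1, which is the effect you want from a tuned rule.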
1.1.1.5 Alerts
Alerts are any sort of user notification of intruder activity. When an IDS detects
an intruder, it has to inform the security administrator about this using alerts. Alerts may be
in the form of pop-up windows, logging to a console, sending e-mail and so on. Alerts
are also stored in log files or databases where they can be viewed later on by security
experts. You will find detailed information about alerts later in this book.
Snort can generate alerts in many forms, controlled by output plug-ins.
Snort can also send the same alert to multiple destinations. For example, it is possible to
log alerts into a database and generate SNMP traps simultaneously. Some plug-ins can
also modify the firewall configuration so that offending hosts are blocked at the firewall or
router level. Automatic blocking deserves care: an attacker who can trigger such a rule
with spoofed source addresses can get legitimate hosts blocked.
1.1.1.6 Logs
Log messages are usually saved in a file. By default Snort saves these messages
under the /var/log/snort directory. However, the location of log messages can be changed
using the -l command line switch when starting Snort. Log messages can be saved either
in text or binary format. The binary files are written in tcpdump format (the -b switch)
and can be viewed later on using Snort or the tcpdump program. A newer tool called
Barnyard is also available to analyze binary log files generated by Snort. Logging in
binary format is faster because it saves the formatting overhead. In high-speed Snort
implementations, logging in binary mode is necessary.
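As an added example (not code from the book or from Snort), here is the tcpdump (pcap) container that a binary packet log uses, written and then read back in memory. It shows why binary logging is cheap (a fixed 24-byte file header, then a fixed 16-byte record header plus raw bytes per packet, no formatting at all), that only the first snaplen bytes of each frame are stored, and the check a reader needs for a log that was still being written when it was copied. Timestamps, MAC addresses and frame contents are made up for the example.

```python
"""Added example, not from the book: the tcpdump (pcap) container that Snort
writes when logging packets in binary mode.  A two-frame log is constructed in
memory, then parsed back the way a reader of a file under /var/log/snort would;
timestamps, MAC addresses and frame contents below are made up for the example.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-timestamp magic
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "IHHiIII"           # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"              # ts_sec, ts_usec, incl_len (stored), orig_len (on the wire)


def write_pcap(records, snaplen=1514, endian="<"):
    """records: iterable of (ts_sec, ts_usec, frame). Returns the file bytes."""
    out = [struct.pack(endian + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        captured = frame[:snaplen]                     # only snaplen bytes of each frame are stored
        out.append(struct.pack(endian + RECORD_HDR, ts_sec, ts_usec, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def read_pcap(data):
    """Parse pcap bytes written in either byte order.
    Returns (linktype, [(ts_sec, ts_usec, orig_len, frame), ...]) and refuses
    a file whose last record is cut short (a log that was still being written)."""
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a pcap file: bad magic %s" % data[:4].hex())
    ghdr = struct.Struct(endian + GLOBAL_HDR)
    rhdr = struct.Struct(endian + RECORD_HDR)
    _magic, _major, _minor, _zone, _sigfigs, _snaplen, linktype = ghdr.unpack_from(data, 0)
    off, packets = ghdr.size, []
    while off + rhdr.size <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = rhdr.unpack_from(data, off)
        off += rhdr.size
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        packets.append((ts_sec, ts_usec, orig_len, frame))
        off += incl_len
    if off != len(data):
        raise ValueError("trailing partial record header at offset %d" % off)
    return linktype, packets


def ethernet_frame(payload):
    """Constructed Ethernet II frame: broadcast destination, made-up source, IPv4 type."""
    return bytes.fromhex("ffffffffffff" "020000000001" "0800") + payload


SAMPLE_LOG = write_pcap([
    (1_000_000_000, 250_000, ethernet_frame(b"\x45" + b"\x00" * 59)),      # 74-byte frame, kept whole
    (1_000_000_001, 10, ethernet_frame(b"\x45" + b"\x00" * 1485)),         # 1500-byte frame, cut at snaplen
], snaplen=96)

if __name__ == "__main__":
    linktype, packets = read_pcap(SAMPLE_LOG)
    print("linktype", linktype)
    for ts_sec, ts_usec, orig_len, frame in packets:
        print(f"{ts_sec}.{ts_usec:06d} stored={len(frame)} wire={orig_len}")
```

A real log from /var/log/snort can be fed to read_pcap() by passing the file's bytes; the snaplen in the global header tells you how much of each packet was kept, so a payload signature that sits past that offset can never be found in the log afterwards.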
1.1.1.7 False Alarms
False alarms are alerts generated by traffic that is not intruder activity.
For example, misconfigured internal hosts may sometimes broadcast messages that
trigger a rule, resulting in the generation of a false alert. Some routers, like Linksys home
routers, generate lots of UPnP-related alerts. To avoid false alarms, you have to modify