Chapter 10. Intrusion Detection
10.3. Network based IDS
Network based intrusion detection systems operate differently from host based IDSes. The design philosophy of a network based IDS is to scan network packets at the router or host level, auditing packet information and logging any suspicious packets into a special log file with extended information. Based on these suspicious packets, a network based IDS can scan its own database of known network attack signatures and assign a severity level for each packet. If severity levels are high enough, a warning email or pager call is placed to security team members so they can further investigate the nature of the anomaly.
Network based IDSes have become popular as the Internet grows in size and traffic. IDSes that can scan the voluminous amounts of network traffic and successfully tag suspect traffic are well received within the security industry. Due to the inherent insecurity of the TCP/IP protocols, it has become imperative to develop scanners, sniffers, and other network auditing and detection tools to prevent security breaches due to such malicious network activity as:

- IP spoofing
- Denial of service attacks
- ARP cache poisoning
- DNS name corruption
- Man-in-the-middle attacks
Most network based IDSes require that the host system network device be set to promiscuous mode, which allows the device to capture every packet on the network. Promiscuous mode can be set through the ifconfig command, like the following:

    ifconfig eth0 promisc

Running ifconfig with no options reveals that eth0 is now in promiscuous mode.
    eth0      Link encap:Ethernet  HWaddr 00:00:D0:0D:00:01
              inet addr:192.168.1.50  Bcast:192.168.1.255  Mask:255.255.252.0
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:6222015 errors:0 dropped:0 overruns:138 frame:0
              TX packets:5370458 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:2505498554 (2389.4 Mb)  TX bytes:1521375170 (1450.8 Mb)
              Interrupt:9 Base address:0xec80

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:21621 errors:0 dropped:0 overruns:0 frame:0
              TX packets:21621 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1070918 (1.0 Mb)  TX bytes:1070918 (1.0 Mb)
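The same flag line is what a defender reads to find an interface that was put into promiscuous mode without authorization. As an added check that is not part of the Red Hat guide, the following Python script decodes promiscuous mode from ifconfig-style output like the listing above, or from the hex flag word Linux exposes at /sys/class/net/<iface>/flags, using the IFF_* bit values from <linux/if.h>. The sample ifconfig text is constructed from the listing above; the interface name "eth0" and the flag values are the only things it assumes.

```python
"""Detect promiscuous mode on a Linux interface from ifconfig output or sysfs flags."""
import re

# Interface flag bits as defined in <linux/if.h>
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_RUNNING = 0x40
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000

FLAG_NAMES = [("UP", IFF_UP), ("BROADCAST", IFF_BROADCAST), ("LOOPBACK", IFF_LOOPBACK),
              ("RUNNING", IFF_RUNNING), ("PROMISC", IFF_PROMISC), ("MULTICAST", IFF_MULTICAST)]

# Constructed sample: the ifconfig listing above, abridged to the lines we parse.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:00:D0:0D:00:01
          inet addr:192.168.1.50  Bcast:192.168.1.255  Mask:255.255.252.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

# The flag line is a run of upper-case words followed by the MTU field.
FLAG_LINE_RE = re.compile(r"\s+((?:[A-Z]+ )*[A-Z]+)\s+MTU:")


def parse_ifconfig(text):
    """Return {interface: set of flag words} from ifconfig-style output."""
    result = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.split()[0]  # an interface block starts in column 0
            result[current] = set()
            continue
        m = FLAG_LINE_RE.match(line)
        if m and current is not None:
            result[current].update(m.group(1).split())
    return result


def promiscuous_from_ifconfig(text):
    """Names of interfaces whose flag line carries PROMISC."""
    return sorted(name for name, flags in parse_ifconfig(text).items() if "PROMISC" in flags)


def decode_sys_flags(hex_value):
    """Decode the hex word read from /sys/class/net/<iface>/flags (e.g. '0x1143')."""
    value = int(hex_value, 16)
    return [name for name, bit in FLAG_NAMES if value & bit]


def is_promiscuous(hex_value):
    """True if the IFF_PROMISC bit is set in the sysfs flag word."""
    return bool(int(hex_value, 16) & IFF_PROMISC)


def read_sys_flags(iface):
    """Live check on a Linux host; None when sysfs is not available."""
    try:
        with open(f"/sys/class/net/{iface}/flags") as fh:
            return fh.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    print("PROMISC in sample ifconfig output:", promiscuous_from_ifconfig(SAMPLE_IFCONFIG))
    print("0x1143 decodes to:", decode_sys_flags("0x1143"))
    live = read_sys_flags("eth0")
    if live is not None:
        state = "promiscuous" if is_promiscuous(live) else "normal"
        print(f"eth0 live flags {live}: {state}")
```

One caveat for the sysfs path: on current kernels the IFF_PROMISC bit reported to user space reflects the flag set administratively (as with ifconfig above), while a sniffer that enables promiscuous mode through a packet socket only raises the kernel's promiscuity counter, which `ip -d link show` prints as "promiscuity N"; check both when auditing a host.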
Using a tool such as tcpdump (included with Red Hat Linux), we can see the large amounts of traffic flowing throughout a network:

    # tcpdump
    tcpdump: listening on eth0
    02:05:53.702142 pinky.exampledomain.com.ha-cluster > \
            heavenly.exampledomain.com.860: udp 92 (DF)
    02:05:53.702294 heavenly.exampledomain.com.860 > \
            pinky.exampledomain.com.ha-cluster: udp 32 (DF)
    02:05:53.702360 pinky.exampledomain.com.55828 > dns1.exampledomain.com.domain: \
            PTR? 254.35.168.192.in-addr.arpa. (45) (DF)
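To show the pipeline this section describes (audit each packet, match it against a signature database, assign a severity, escalate when the severity is high enough), here is an added Python example that is not part of the Red Hat guide. It parses tcpdump summary lines in the format of the listing above. The three lines from that listing are reused with their continuations joined; the two further lines, the host names in them, the CLUSTER_MEMBERS and APPROVED_RESOLVERS site policy and the signatures themselves are all constructed for the example.

```python
"""Minimal signature-based network IDS over tcpdump-style summary lines."""
import re

# Constructed sample: the tcpdump banner and lines shown above, plus two
# made-up packets so that a signature actually fires.
SAMPLE_TCPDUMP = """\
tcpdump: listening on eth0
02:05:53.702142 pinky.exampledomain.com.ha-cluster > heavenly.exampledomain.com.860: udp 92 (DF)
02:05:53.702294 heavenly.exampledomain.com.860 > pinky.exampledomain.com.ha-cluster: udp 32 (DF)
02:05:53.702360 pinky.exampledomain.com.55828 > dns1.exampledomain.com.domain: PTR? 254.35.168.192.in-addr.arpa. (45) (DF)
02:05:54.100001 unknown-host.exampledomain.com.40001 > heavenly.exampledomain.com.ha-cluster: udp 92 (DF)
02:05:54.200002 pinky.exampledomain.com.55829 > 203.0.113.9.domain: A? www.example.net. (33) (DF)
"""

# timestamp, "host.port > host.port:", then the protocol-specific summary
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+)\.(\S+) > (\S+)\.(\S+): (.*)$")


def parse_tcpdump(text):
    """Return a list of packet dicts (time, src, sport, dst, dport, info)."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner or a summary format this parser does not know
        time, src, sport, dst, dport, info = m.groups()
        packets.append({"time": time, "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "info": info})
    return packets


# Site policy the signatures consult (constructed for the example)
CLUSTER_MEMBERS = {"pinky.exampledomain.com", "heavenly.exampledomain.com"}
APPROVED_RESOLVERS = {"dns1.exampledomain.com"}

# Signature database: (name, severity 1-5, predicate over a packet dict)
SIGNATURES = [
    ("ha-cluster traffic from non-member host", 4,
     lambda p: "ha-cluster" in (p["sport"], p["dport"]) and p["src"] not in CLUSTER_MEMBERS),
    ("DNS query to unapproved resolver", 3,
     lambda p: p["dport"] == "domain" and p["dst"] not in APPROVED_RESOLVERS),
    ("reverse lookup of the local network", 1,
     lambda p: p["dport"] == "domain" and "in-addr.arpa" in p["info"]),
]


def scan(packets):
    """Run every packet through the signature database; return (name, severity, packet) hits."""
    hits = []
    for p in packets:
        for name, severity, matches in SIGNATURES:
            if matches(p):
                hits.append((name, severity, p))
    return hits


def alerts(hits, threshold=3):
    """Escalate hits at or above the threshold (the email/pager step in a real deployment)."""
    return [(name, sev, p["src"], p["dst"]) for name, sev, p in hits if sev >= threshold]


if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE_TCPDUMP)
    hs = scan(pkts)
    for name, sev, p in hs:
        print(f"[sev {sev}] {name}: {p['src']} -> {p['dst']} ({p['info']})")
    print("escalated:", alerts(hs))
```

Run against the sample, the reverse lookup is logged at severity 1 and stays in the log, while the cluster-port packet from an unknown host (severity 4) and the query to an outside resolver (severity 3) are escalated; lowering or raising the threshold is the usual tuning knob between noise and missed events.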