-: Intrusion Detection System (IDS) :-
An intrusion detection
system (IDS) is software and/or hardware based system that monitors
network traffic and monitors for suspicious activity and alerts the
system or network administrator. In some cases the IDS may also respond
to anomalous or malicious traffic by taking action such as blocking
the user or source IP address from accessing the network.
Typical locations for an intrusion detection system is as shown in
the following figure -
Following are the types of intrusion detection
1) Host-Based Intrusion Detection System (HIDS) :-
Host-based intrusion detection systems or HIDS are installed as agents
on a host. These intrusion detection systems can look into system
and application log files to detect any intruder activity.
2) Network-Based Intrusion Detection System
(NIDS) :- These IDSs detect attacks by capturing and analyzing
network packets. Listening on a network segment or switch, one network-based
IDS can monitor the network traffic affecting multiple hosts that
are connected to the network segment, thereby protecting those hosts.
Network-based IDSs often consist of a set of single-purpose sensors
or hosts placed at various points in a network. These units monitor
network traffic, performing local analysis of that traffic and reporting
attacks to a central management console.
Some important topics comes under intrusion detection are as follows
1) Signatures - Signature is the pattern that you
look for inside a data packet. A signature is used to detect one or
multiple types of attacks. For example, the presence of “scripts/iisadmin”
in a packet going to your web server may indicate an intruder activity.
Signatures may be present in different parts of a data packet depending
upon the nature of the attack.
2) Alerts - Alerts are any sort of user notification
of an intruder activity. When an IDS detects an intruder, it has to
inform security administrator about this using alerts. Alerts may
be in the form of pop-up windows, logging to a console, sending e-mail
and so on. Alerts are also stored in log files or databases where
they can be viewed later on by security experts.
3) Logs - The log messages are usually saved in file.Log
messages can be saved either in text or binary format.
4) False Alarms - False alarms are alerts generated
due to an indication that is not an intruder activity. For example,
misconfigured internal hosts may sometimes broadcast messages that
trigger a rule resulting in generation of a false alert. Some routers,
like Linksys home routers, generate lots of UPnP related alerts. To
avoid false alarms, you have to modify and tune different default
rules. In some cases you may need to disable some of the rules to
avoid false alarms.
5) Sensor - The machine on which an intrusion detection
system is running is also called the sensor in the literature because
it is used to “sense” the network.
Snort :- Snort is a very flexible network
intrusion detection system that has a large set of pre-configured
rules. Snort also allows you to write your own rule set. There are
several mailing lists on the internet where people share new snort
rules that can counter the latest attacks.
Snort is a modern security application that can perform the following
three functions :
* It can serve as a packet sniffer.
* It can work as a packet logger.
* It can work as a Network-Based Intrusion Detection System (NIDS).
Further details and downloads can be obtained from it's home- http://www.snort.org