Title: Hacking
Description: It's a complete notes on Anomaly rules of Ethical Hacking
Rules definition for anomaly based intrusion detection
©2002 By Lubomir Nistor
Rules definition for anomaly based intrusion detection © 2002 Lubomir Nistor
Introduction
Intrusion detection systems (IDS) are one of the fastest growing technologies within the security space
...
This document should help security experts, integrators and end customers to use their IDS to its limits, or to fit it to the expectations required by the company
...
This means such an IDS must be under constant construction, with attack signatures being updated and modified, and that a considerable amount of money must be paid for support
...
There is no clear answer as to which solution is better, since each has its advantages and disadvantages, but it is possible to put rule-based IDS solutions to use as if they were anomaly based
...
All the examples and solutions are based on the Snort IDS, an open-source solution that is freely available and well established on the market
...
Data flow identification
Network security as a whole is based on classifying traffic as allowed, suspicious or not allowed
...
Very often even the system owners do not know what kind of traffic they can expect, so a network security professional needs to know the most widely used protocols and networking systems
...
More detailed information about the data flow helps to specify exactly the traffic expected by the end systems
...)
• Application protocol (distinguished by port nr ...)
• Other features (sequence nr ...)
Defining ALLOWED category
All packets that clearly comply with the requirements of the system owners fall into this category
...
It is possible to search the content for specific values or to check the content size in order to determine the packet's category
...
Although, judging by port and IP address, they are allowed to pass the packet filter or firewall, the protocol option used is not expected or not supported by the end system
...
Defining NOT ALLOWED category
All traffic that does not fall under any other category should be put in this category
...
Even packets with allowed services but an invalid destination, or packets with a correct destination but an invalid service, belong in this category
...
Information taken from data flow identification
Configuration example
#web server
pass tcp $WEB_SERVER 80 <> any 1024:
#admin access
pass tcp $ADMIN_IP 1024: <> $WEB_SERVER 22
#DNS
pass udp $WEB_SERVER 1024: <> $DNS_SERVER 53
#alert rules: catch-all for everything the pass rules did not match
#(Snort's default rule order is alert, pass, log; start it with -o so that
# the order becomes pass, alert, log and the pass rules are checked first)
alert ip any any <> any any (msg:"not allowed traffic";)
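To show how the whitelist above classifies traffic, here is an added example (not code from the paper or from Snort) that parses the three pass rules, expands the site variables with assumed addresses, and returns "pass" or the catch-all "alert" for constructed packets; address matching is exact and rule options are ignored, which is enough for these rules.

```python
from collections import namedtuple

# Assumed values for the site variables used in the pass rules (constructed).
VARS = {"$WEB_SERVER": "192.0.2.10", "$ADMIN_IP": "198.51.100.5",
        "$DNS_SERVER": "192.0.2.53"}

# The whitelist from the configuration example; anything else hits the
# catch-all "not allowed traffic" alert rule.
PASS_RULES = """
pass tcp $WEB_SERVER 80 <> any 1024:
pass tcp $ADMIN_IP 1024: <> $WEB_SERVER 22
pass udp $WEB_SERVER 1024: <> $DNS_SERVER 53
"""

Packet = namedtuple("Packet", "proto src sport dst dport")

def port_matches(spec, port):
    """Snort port spec: 'any', a single port, or a range '1024:', ':1023', '1024:2048'."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return int(spec) == port

def addr_matches(spec, addr):
    """Exact-address match after variable expansion (Snort also accepts CIDR; omitted here)."""
    spec = VARS.get(spec, spec)
    return spec == "any" or spec == addr

def parse_rules(text):
    """Parse option-less rules of the form: action proto src sport direction dst dport."""
    return [tuple(line.split()) for line in text.strip().splitlines()]

def classify(pkt, rules):
    """Return the action of the first pass rule matching pkt in either direction
    (for '<>' rules), otherwise 'alert' for the catch-all rule. Pass rules are
    checked first, which is what Snort's -o ordering (pass, alert, log) gives."""
    for action, proto, s, sp, direction, d, dp in rules:
        if proto != pkt.proto:
            continue
        forward = (addr_matches(s, pkt.src) and port_matches(sp, pkt.sport)
                   and addr_matches(d, pkt.dst) and port_matches(dp, pkt.dport))
        reverse = (direction == "<>" and addr_matches(s, pkt.dst)
                   and port_matches(sp, pkt.dport) and addr_matches(d, pkt.src)
                   and port_matches(dp, pkt.sport))
        if forward or reverse:
            return action
    return "alert"

RULES = parse_rules(PASS_RULES)
```

A client on a high port reaching the web server on 80 passes in both directions, while SSH from a non-admin address or the web server opening an outbound connection falls through to the alert.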
Advantages
Can catch any non-standard traffic, incl
...
By using protocol definitions it is possible to distinguish between various options or states in the communication and to define rules that alert on unexpected protocol states
...
If none of the web server's pages use such a protocol option, it is suspicious to see such traffic going to the web server
...
There is a scan technique called "Xmas tree scan" in which all these options are set in the packet, and by defining an alert rule like this Snort is able to detect it
...
An email server generates a lot of email traffic, or a user network generates a lot of HTTP traffic, and by identifying such trends it is possible to observe a trend in the overall network traffic passing through one point in the network
...
By detecting packets that do not comply with the protocol standard or with the communication trend, they raise an alert
...
The general communication standard for ARP traffic is that an IP address does not change its MAC address in a static network (although there are some exceptions)
...
Protocol analysis for link state routing protocols: http://www ... ucsb ...
Statistical analyzers
Every kind of network traffic has its key identifiers, either qualitative or quantitative
...
For example, it is very suspicious to see ICMP traffic increase from 1KB/s to 10MB/s, or one IP address sending SYN packets to every port
...
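The two quantitative checks just mentioned, as an added example that is not part of the paper: over a constructed packet summary it flags a second whose ICMP volume exceeds a multiple of the baseline rate, and any source sending SYNs to many distinct ports of one host; the thresholds, window and sample data are assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed packet summary: (second, proto, src, dst, dst_port, flags, bytes)."""
    events = []
    # Baseline: about 1 KB/s of ICMP from a monitoring host for five seconds.
    for t in range(5):
        events.append((t, "icmp", "10.0.0.9", "10.0.0.1", None, "", 1000))
    # Then a flood: 100 x 100 KB = 10 MB in each of seconds 5 and 6.
    for t in (5, 6):
        for _ in range(100):
            events.append((t, "icmp", "10.0.0.9", "10.0.0.1", None, "", 100_000))
    # One host sending a SYN to 200 different ports of the same target.
    for port in range(1, 201):
        events.append((7, "tcp", "10.0.0.77", "10.0.0.1", port, "S", 60))
    # A normal client opening a single HTTP connection.
    events.append((7, "tcp", "10.0.0.8", "10.0.0.1", 80, "S", 60))
    return events

def icmp_bytes_per_second(events):
    """Quantitative identifier: ICMP bytes seen in each one-second bucket."""
    rate = defaultdict(int)
    for t, proto, *_rest, size in events:
        if proto == "icmp":
            rate[t] += size
    return dict(rate)

def icmp_rate_alerts(events, baseline_seconds=5, factor=10):
    """Seconds (after the baseline window) whose ICMP volume exceeds factor x the
    baseline mean; assumed thresholds, tune them to the link being watched."""
    rate = icmp_bytes_per_second(events)
    mean = sum(rate.get(t, 0) for t in range(baseline_seconds)) / baseline_seconds
    return [t for t, b in sorted(rate.items())
            if t >= baseline_seconds and b > factor * mean]

def syn_scan_alerts(events, min_ports=50):
    """(src, dst) pairs where src sent SYNs to at least min_ports distinct ports."""
    ports = defaultdict(set)
    for t, proto, src, dst, dport, flags, size in events:
        if proto == "tcp" and flags == "S":
            ports[(src, dst)].add(dport)
    return sorted(pair for pair, seen in ports.items() if len(seen) >= min_ports)
```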
Conclusion
In a time of economic recession it is necessary to save as much money as possible in order to stay competitive
...
The best IT managers and experts see a bright future in open-source solutions and will put the information provided in this document to good use
...
And don't forget: it is not the IDS that secures your company but the people who manage it