After a review of some of the previous week's discussion on ECC, week 4's lecture focused on Intrusion Detection Systems [IDS]. The initial slide of the lecture featured a great summary of IDS:
The concepts behind IDSs are not overly complicated: analyse incoming traffic, compare it to known bad traffic and take action accordingly. Unfortunately, implementing such a system is not so simple; some of the primary difficulties are:
- To what extent can we generalize bad/malicious traffic recognition?
- How much time/computational resources can be spent on each incoming packet?
- How can the knowledge base and analysis engines communicate in real time without slowing the network?
- How can definitions/knowledge bases keep up with new exploits?
To help deal with these difficulties, IDSs are modularized into:
- Host Based IDS [HIDS] – Examines all packets flowing through a network (e.g. Tripwire, AIDE)
- Network Based IDS [NIDS] – Examines process activity on a system, identifying malicious process behavior
Snort, the IDS we have been experimenting with in labs, was introduced in the lecture as an example of a NIDS. Its strengths were identified as being an open-source option that is extremely fast and lightweight compared to its competition.
The rest of the lecture discussed how Snort rules work and how to write them. A detailed version can be found in chapter 3 of: http://www.snort.org/assets/166/snort_manual.pdf
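The "compare traffic to known bad traffic, then act" idea from the lecture summary and the Snort rule layout (header, then options in parentheses), as an added Python example that is not from the lecture or from Snort itself: a toy engine that parses two constructed Snort-style rules (the sids and addresses are hypothetical) and runs them over constructed packets, supporting only the `content` and `dsize` options.

```python
import re
from collections import namedtuple
# Constructed Snort-style rules; the sids and addresses are hypothetical, not from the lecture.
RULES = [
    'alert tcp any any -> 10.0.0.5 80 (msg:"HTTP admin path probe"; content:"/admin"; sid:1000001; rev:1;)',
    'alert udp any any -> any 53 (msg:"Oversized DNS query"; dsize:>512; sid:1000002; rev:1;)',
]
# Constructed packets, already decoded the way a capture library would hand them to the engine.
PACKETS = [
    {"proto": "tcp", "src": "192.0.2.10", "sport": 45211, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /admin/login HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "192.0.2.10", "sport": 45212, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"proto": "udp", "src": "192.0.2.11", "sport": 5353, "dst": "10.0.0.53", "dport": 53,
     "payload": b"\x00" * 600},
]
# Rule header: action proto src sport -> dst dport, followed by the option body in parentheses.
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
Rule = namedtuple("Rule", "action proto src sport dst dport opts")

def parse_rule(text):
    """Split a one-line rule into its header fields plus a key/value map of its options."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"malformed rule: {text!r}")
    *header, body = m.groups()
    # Simplification: option values are assumed not to contain ';' (real content matches can).
    pairs = (o.strip().partition(":") for o in body.split(";") if o.strip())
    return Rule(*header, {k.strip(): v.strip().strip('"') for k, _, v in pairs})

def _dsize_ok(spec, n):  # Snort-style dsize test: '>N', '<N' or an exact 'N'
    if spec[0] in "<>":
        return n > int(spec[1:]) if spec[0] == ">" else n < int(spec[1:])
    return n == int(spec)

def matches(rule, pkt):  # header fields first, then the options this toy engine supports
    header = (("proto", rule.proto), ("src", rule.src), ("sport", rule.sport),
              ("dst", rule.dst), ("dport", rule.dport))
    if not all(pat == "any" or pat == str(pkt[key]) for key, pat in header):
        return False
    if "content" in rule.opts and rule.opts["content"].encode() not in pkt["payload"]:
        return False
    if "dsize" in rule.opts and not _dsize_ok(rule.opts["dsize"], len(pkt["payload"])):
        return False
    return True

def inspect_packets(packets, rules):  # return (sid, msg) for each alert a packet fires
    return [(r.opts["sid"], r.opts["msg"]) for p in packets for r in rules
            if r.action == "alert" and matches(r, p)]
```

Running `inspect_packets(PACKETS, [parse_rule(r) for r in RULES])` fires one alert for the first packet and one for the third; the second packet matches the rule header but not its `content` option, which is the per-packet cost the lecture's difficulty list is pointing at.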