Focus-IDS
-- Section Three --


Table Of Contents

  1. What is Intrusion Detection?
  2. What is the difference between Host based IDS (HIDS) and Network based IDS (NIDS)?
  3. Who is Stephen Entwisle and why does he send a newsletter every week?
  4. Who are the 31173 on this list?
  5. I see snippets of output like:
  6. I always see Snort being mentioned. Is it the most popular NIDS?
  7. What tools can be used for building packets?
  8. What are some personal IDS/firewalls?
  9. Where can I find a list of Intrusion Detection Systems?
  10. How can I test my IDS?
  11. What is a false positive?
  12. What is a false negative?
  13. Why do discussions on Intrusion Detection seem to have a bias towards Linux / UNIX ?



Questions Specific to Intrusion Detection and this list

1:   What is Intrusion Detection?

Intrusion Detection is the process of actively monitoring a host or a
network in order to detect and document attackers and malicious code.
The software that does it falls into two broad types: host based
software and network based software.

2:   What is the difference between Host based IDS (HIDS) and Network based IDS (NIDS)?

HIDS is software which reveals whether a machine is being, or has been,
compromised. It does this by examining the machine itself, checking its
files and logs for possible problems. Software described as host based
IDS includes file integrity checkers (Tripwire), anti-virus software
(Norton AV) and server logs (Event Viewer or syslog); in some ways even
backup software can act as a HIDS, because it gives you a known good copy
of the system to compare against.

NIDS is software which captures network packets and examines them against
a set of signatures and rules. When a packet matches a rule the event is
logged and the admin can be alerted. A NIDS only sees the traffic on the
segment it is attached to, so it has to sit where the interesting traffic
actually passes (a hub, a switch span port or a tap).
Examples of NIDS software are Snort, ISS RealSecure, and Network Flight Recorder.

3:   Who is Stephen Entwisle and why does he send a newsletter every week?

Stephen works for SecurityFocus, where he has been a moderator and editor
of several of its announcement lists. The weekly newsletter is a summary
of the vulnerabilities and security papers announced that week. It is a
convenient way to keep up with the latest security issues without having
to check every day.

4:   Who are the 31173 on this list?

(31173 is "elite" in the list's own spelling.) Some of the regulars:

Dug Song: Security expert who wrote the tool fragrouter and runs monkey.org.
Robert Graham: CTO of Network ICE (bought by ISS). Wrote great FAQs.
Martin Roesch: Author of Snort.
Max Vision: Runs www.whitehats.com. Keeps a database of attack signature
information known as arachNIDS.
Marcus Ranum: CTO of Network Flight Recorder (one of the best known NIDS).
See his official bio here.
Ron Gula: A large contributor to Snort and CTO of Dragon NIDS.
He also has an official bio here.


5:   I see snippets of output like: 

Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56023 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56034 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56035 UDP

What is this output from?

Lines like these are the kind of output you will be examining with a
Network Intrusion Detection System. The lines above match the format of
Snort's portscan log, but a network sniffer like tcpdump shows the same
fields in its own layout: a timestamp, the source address and port, an
arrow to the destination address and port, and the protocol. Read that
way, the three lines say that within the same second one outside host,
always sending from UDP port 49658, hit three different high UDP ports on
one of your machines, which is what a UDP port scan or probe looks like.
Once you understand the basics of reading network sniffer output, you can
communicate with others about odd network traffic and understand the
output above.
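The following Python is an added example, not something from this FAQ or from Snort or tcpdump. It parses lines in the "time src:sport -> dst:dport proto" format shown above and flags a source as scanning when it touches several distinct ports within a short window, which is the same idea the Snort portscan preprocessor uses. The log lines, addresses and ports are constructed for the example, the thresholds are arbitrary, and because syslog-style timestamps carry no year one is assumed when parsing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the "time src:sport -> dst:dport proto" format above
# (made-up addresses and ports; the first five lines are a UDP port probe,
# the rest is ordinary DNS and web traffic).
SAMPLE_LOG = """\
Jan 26 12:43:01 207.236.111.23:49658 -> 10.1.2.1:56023 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> 10.1.2.1:56034 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> 10.1.2.1:56035 UDP
Jan 26 12:43:02 207.236.111.23:49658 -> 10.1.2.1:56036 UDP
Jan 26 12:43:02 207.236.111.23:49658 -> 10.1.2.1:56037 UDP
Jan 26 12:43:09 192.168.5.7:1034 -> 10.1.2.1:53 UDP
Jan 26 12:45:30 192.168.5.7:1035 -> 10.1.2.1:53 UDP
Jan 26 12:46:00 192.168.5.7:2211 -> 10.1.2.1:80 TCP ******S*
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<proto>[A-Z]+)(?: (?P<flags>\S+))?$")


def parse_line(line, year=2001):
    """Return a dict of fields, or None if the line is not in this format.
    The timestamp has no year, so one is assumed (2001 is an assumption)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime("%s %s %s %s" % (year, m["mon"], m["day"], m["time"]),
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"], "flags": m["flags"]}


def find_scans(lines, threshold=4, window=10):
    """Report a source the first time it hits `threshold` distinct
    (dst, proto, dport) targets within `window` seconds (sliding window per source)."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    scans = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Drop events that fell out of the window relative to the newest one.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window:
                start += 1
            targets = {(e["dst"], e["proto"], e["dport"]) for e in evs[start:end + 1]}
            if len(targets) >= threshold:
                scans.append({"src": src, "first": evs[start]["ts"],
                              "last": evs[end]["ts"], "targets": len(targets)})
                break
    return scans


if __name__ == "__main__":
    for s in find_scans(SAMPLE_LOG.splitlines()):
        print("%s: %d ports between %s and %s"
              % (s["src"], s["targets"], s["first"].time(), s["last"].time()))
```

Run against the sample, only 207.236.111.23 is reported; the DNS and web lines from 192.168.5.7 stay below the threshold, which is exactly the tuning decision you will make on a real network (question 11).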

6:   I always see Snort being mentioned. Is it the most popular NIDS?

It is very popular for a few reasons:
1) The author of the program reads and replies to this list (see the question on who the 31173 are).
2) It is constantly improving thanks to user feedback and the author's persistence.
3) It has both UNIX/Linux and Windows versions.
4) It's FREE!

Is it the top of the line NIDS? No. It is however a very good tool
to get started with NIDS, and it has a serious place in any production network.

7:   What tools can be used for building packets?

hping
isic
Trinux: a floppy distribution of Linux which contains the above tools plus more.

8:   What are some personal IDS/firewalls?

While they don't fit into the enterprise class of IDS, there are several programs that
can provide firewall and IDS services for a single user/pc.  Here are a few:

BlackICE Defender
Symantec Personal Firewall
McAfee Firewall V2.1 
ZoneAlarm

9:   Where can I find a list of Intrusion Detection Systems?

http://www.networkintrusion.co.uk

10:  How can I test my IDS?

We suggest the following steps:
1) Place the NIDS on a test network with a hub and a separate server. The hub
matters: on a switch the NIDS would only see broadcasts and its own traffic,
unless you give it a span/mirror port.
2) Run the tool Nessus against the separate server.
3) When Nessus is done, which of its attacks did the NIDS detect? If it did not
detect all of them, does the NIDS have the latest signatures? Can you write your
own rules for the NIDS to catch the attacks it missed?
4) After the tests with Nessus, run the packet building tools. Make various
illegal packets (bad checksums, impossible flag combinations, overlapping
fragments) and aim them at the separate server. Does the NIDS detect them? Also
run fragrouter against the server to see how the NIDS handles fragmented
traffic: a NIDS that does not reassemble fragments the way the target does can
be evaded simply by fragmenting the attack.
5) Repeat steps 2 - 4 against the NIDS machine itself.
6) Harden the NIDS to help prevent it from being compromised.
7) Place it on the production network and see how many false positives it gets.
8) Tune the rules to get rid of the false positives.
9) As new vulnerabilities occur, update the Nessus plugins and test to see
if the NIDS catches them.

Here are a few tools.
NIDSbench
IDSwakeup
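Step 4 above, and the tools listed in question 7, are about building packets by hand. The following Python is an added example, not part of this FAQ and not the code of hping, isic or fragrouter; it shows what such tools do underneath. It builds a raw IPv4/UDP datagram with correct IP and UDP checksums, verifies them, and splits the datagram into IP fragments the way a simple fragrouter mode does, so you can watch whether the NIDS reassembles them or only sees the first fragment. Addresses, ports and payload are made up. Putting a packet on the wire needs a raw socket and root, so send_raw is only called from the guarded main block and only on the test network.

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, proto=socket.IPPROTO_UDP,
                ident=0x1234, flags=0, frag_offset=0, ttl=64):
    """20-byte IPv4 header with its checksum filled in.
    flags is the 3-bit field (2 = DF, 1 = MF); frag_offset is in 8-byte units."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + payload_len, ident,
                      (flags << 13) | frag_offset, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_packet(src, dst, sport, dport, payload: bytes) -> bytes:
    """Complete IPv4/UDP datagram with a valid UDP checksum (pseudo-header included)."""
    length = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, length, 0) + payload
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_UDP, length)
    csum = checksum(pseudo + udp) or 0xFFFF   # 0 means "no checksum" in UDP, send 0xFFFF instead
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    return ipv4_header(src, dst, len(udp)) + udp


def ip_checksum_ok(pkt: bytes) -> bool:
    """A header whose checksum is correct sums to zero."""
    return checksum(pkt[:20]) == 0


def udp_checksum_ok(pkt: bytes) -> bool:
    udp = pkt[20:]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, pkt[9], len(udp))
    return checksum(pseudo + udp) == 0


def fragment(pkt: bytes, frag_size: int):
    """Split one datagram into IP fragments carrying frag_size bytes each
    (must be a multiple of 8). Each fragment is a complete IP packet; only the
    first one contains the UDP header, so a NIDS must reassemble to see the ports."""
    assert frag_size % 8 == 0 and frag_size > 0
    hdr, payload = pkt[:20], pkt[20:]
    ident = struct.unpack("!H", hdr[4:6])[0]
    src, dst, proto = socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]), hdr[9]
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = 1 if off + frag_size < len(payload) else 0
        frags.append(ipv4_header(src, dst, len(chunk), proto, ident,
                                 flags=more, frag_offset=off // 8) + chunk)
    return frags


def frag_info(pkt: bytes):
    """(ident, more-fragments flag, offset in 8-byte units) read back from an IP header."""
    ident, ff = struct.unpack("!HH", pkt[4:8])
    return ident, (ff >> 13) & 1, ff & 0x1FFF


def send_raw(pkt: bytes, dst: str):
    """Put the packet on the wire exactly as built (needs root / CAP_NET_RAW)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.sendto(pkt, (dst, 0))
    s.close()


if __name__ == "__main__":
    # Constructed example: 40 bytes of UDP payload cut into 16-byte fragments.
    pkt = udp_packet("192.0.2.10", "192.0.2.20", 49658, 56023, b"A" * 40)
    for f in fragment(pkt, 16):
        print(frag_info(f), len(f))
    # send_raw(pkt, "192.0.2.20")   # only on the isolated test network
```

To make an "illegal" packet for step 4, change one field after building: zero the checksum, set MF on the last fragment, or give two fragments the same offset with different data, then compare what the NIDS reports with what the server actually accepted.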


11:  What is a false positive?

Most IDS compare traffic against attack signatures. Sometimes normal activity
matches a signature and the IDS raises an alert even though no attack took place:
that is a false positive. Part of maintaining the IDS is recognising when what
you are dealing with is a false positive and tuning the rules (restricting the
match to the right port, direction or position in the packet, or excluding known
hosts) so they stop firing on legitimate traffic without losing the real attack.

12:  What is a false negative?

The reverse: attack activity that does not trigger the IDS. It happens when there
is no signature for the attack, the signatures are out of date, or the attacker
alters the attack (encoding, fragmentation, reordering) enough that the packets no
longer match the signature while the target still interprets them the same way.
False negatives are the more dangerous of the two because you never see them; the
only way to find them is to test (see question 10).
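The following Python is an added example for questions 11 and 12, not code from this FAQ or from any real IDS. It is a toy signature matcher run over four constructed packets: a naive content rule fires on a mail message that merely mentions the attack string (a false positive) and misses a URL-encoded copy of the attack (a false negative); a tuned rule restricts the match to the web port and the start of the request and decodes the payload first, the kind of thing an HTTP decoding preprocessor does. The phf CGI request is used because it is the classic example in early signature sets; all addresses, ports and payloads are made up.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    name: str
    content: bytes                 # byte string the signature looks for
    dport: Optional[int] = None    # None: match on any destination port
    depth: Optional[int] = None    # None: search whole payload, else only its first `depth` bytes
    normalize: bool = False        # URL-decode the payload before matching


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    data = pkt.payload
    if rule.normalize:
        data = unquote(data.decode("latin-1")).encode("latin-1")
    if rule.depth is not None:
        data = data[:rule.depth]
    return rule.content in data


def alerts(rule: Rule, traffic: List[Packet]) -> List[int]:
    """Indexes of the packets that fire the rule."""
    return [i for i, p in enumerate(traffic) if matches(rule, p)]


def score(alerted: List[int], attacks: set) -> dict:
    """Compare the alerts with the known attacks: true positives, false positives, false negatives."""
    a = set(alerted)
    return {"tp": sorted(a & attacks), "fp": sorted(a - attacks), "fn": sorted(attacks - a)}


# Constructed traffic: packets 0 and 2 are attacks, 1 and 3 are not.
TRAFFIC = [
    Packet("198.51.100.9", "10.1.2.5", 80,
           b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"),
    Packet("10.1.2.7", "10.1.2.25", 25,
           b"Subject: IDS question\r\n\r\nMy IDS alerted on /cgi-bin/phf today, is that bad?\r\n"),
    Packet("198.51.100.9", "10.1.2.5", 80,
           b"GET /cgi-bin/%70hf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"),
    Packet("10.1.2.7", "10.1.2.5", 80, b"GET /index.html HTTP/1.0\r\n"),
]
ATTACKS = {0, 2}

# Naive rule: the string anywhere, on any port, no decoding.
NAIVE = Rule("phf-naive", b"/cgi-bin/phf")
# Tuned rule: web port only, near the start of the request, after URL-decoding.
TUNED = Rule("phf-tuned", b"/cgi-bin/phf", dport=80, depth=64, normalize=True)

if __name__ == "__main__":
    for rule in (NAIVE, TUNED):
        print(rule.name, score(alerts(rule, TRAFFIC), ATTACKS))
```

The naive rule scores one true positive, one false positive and one false negative; the tuned rule catches both attacks and nothing else. Note that the fix for the false positive (port and depth) and the fix for the false negative (decoding) are different changes, and tightening a rule to kill a false positive can just as easily create a false negative, so re-run the attack after every tuning change.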

13:  Why do discussions on Intrusion Detection seem to have a bias towards Linux / UNIX ?

It is mainly due to the tools available. Many great tools are free for Linux / UNIX
(see the question on the top 50 tools). Some of those tools have ports for Windows,
but the Windows versions are usually an afterthought.


PacketNexus.com
