Using IDS as a hack detection tool

The intrusion detection system (IDS) has come a long way since James Anderson helped develop some of the early concepts in a 1980s white paper, Computer Security Threat Monitoring and Surveillance. We can be thankful that IDS technology has continued to advance, because attack patterns are changing. Virus writers and hacker groups are continuing to coalesce and develop more virulent code. The IDS plays a critical role in protecting the IT infrastructure.

An IDS is a great tool for monitoring network activity, detecting unauthorized access, and alerting the appropriate individuals to an intrusion so that counteractions can be taken. An IDS is typically network-based or host-based, and it has a difficult job -- it must quickly process a vast amount of traffic and classify the results. There are many brands of IDS, but they can be grouped into two broad categories:

  • Anomaly detection: functions by learning what's normal and then alerting to abnormal activity.
  • Signature detection: functions by matching traffic to a database of known attacks. These attacks have been loaded into the system as signatures.

No matter which method of detection you use, one of the most critical choices you will have to make is where to place the sensors. Sensor placement will determine what types of traffic you will detect. This requires some consideration because, after all, a sensor in the demilitarized zone (DMZ) will work well at detecting misuse there but will prove useless against attackers that are inside the network. Final placement will require that you determine what type of activity you are monitoring for and what policies and guidelines management has put forward.

Once sensor placement has been determined, you will still need to perform system tuning and configuration. Without specific tuning, the sensor will generate alerts for all traffic that matches a given criterion, regardless of whether the traffic is indeed something that should produce an alert. An IDS must be trained or programmed to look for suspicious activity. There are four basic responses an IDS can produce:

  • True positive: An alarm was generated, and an event did occur.
  • True negative: An alarm was not generated, and an event did not occur.
  • False positive: An alarm was generated, and an event did not occur.
  • False negative: An alarm was not generated, and an event did occur.

The worst of these responses is a false negative. A false negative means that an event did occur but no alert was generated. Spending the appropriate amount of time on tuning can help prevent this. If you would like to get more hands-on IDS experience without sinking a ton of cash, a good place to start is Snort.

Snort is a freeware IDS developed by Martin Roesch and Brian Caswell. Snort is a network-based IDS that can be set up on a Linux or Windows host. Although the core program has a command-line interface, many individuals have developed GUIs and add-ons, including SnortSnarf and IDS Center. Snort operates as a network sniffer and logs activity that matches predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP).
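The following is an added example, not code from the article and not part of Snort itself. It ties together the signature-detection model, the Snort-style rule format, and the four responses listed above: a toy matcher parses a small subset of Snort's rule syntax (header plus `msg`, `content` and `sid` options; plain-text content only, no `|hex|` bytes, variables or modifiers), runs the rules over constructed packet records, and scores the alerts against constructed ground-truth labels to produce true/false positive and negative counts. The rule texts, packets, addresses and labels are all made up for the example; the untuned rule set deliberately leaves one false negative (a probe on a non-standard port) and one false positive (benign traffic that happens to contain the signature bytes) so that the effect of tuning is visible.

```python
"""Toy signature IDS with confusion-matrix scoring (added example, not Snort code)."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """One constructed traffic record; a real sensor decodes these from the wire."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    content: bytes
    msg: str
    sid: int


# "<action> <proto> <src> <sport> -> <dst> <dport> (<options>)".
# Assumption: unidirectional rules, plain-text content, no ';' inside msg.
RULE_HEADER = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


def parse_rule(text: str) -> Rule:
    """Parse one Snort-style rule line into a Rule (subset of the real grammar)."""
    m = RULE_HEADER.match(text.strip())
    if m is None:
        raise ValueError(f"unparseable rule: {text!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"')
    return Rule(action, proto.lower(), src, sport, dst, dport,
                options["content"].encode(), options.get("msg", ""),
                int(options["sid"]))


def _field_ok(pattern: str, value) -> bool:
    # "any" is a wildcard; otherwise the rule field must equal the packet field.
    return pattern == "any" or pattern == str(value)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header fields must all agree, then the signature bytes must appear in the payload."""
    return (rule.proto == pkt.proto.lower()
            and _field_ok(rule.src, pkt.src) and _field_ok(rule.sport, pkt.sport)
            and _field_ok(rule.dst, pkt.dst) and _field_ok(rule.dport, pkt.dport)
            and rule.content in pkt.payload)


def alerts_for(rules, pkt: Packet):
    """SIDs of every rule that fires on this packet."""
    return [r.sid for r in rules if rule_matches(r, pkt)]


def score(rules, traffic):
    """Count the four IDS responses; traffic is a list of (Packet, is_malicious)."""
    counts = {"true_positive": 0, "true_negative": 0,
              "false_positive": 0, "false_negative": 0}
    for pkt, malicious in traffic:
        alerted = bool(alerts_for(rules, pkt))
        if alerted and malicious:
            counts["true_positive"] += 1
        elif not alerted and not malicious:
            counts["true_negative"] += 1
        elif alerted:
            counts["false_positive"] += 1      # alarm, but nothing happened
        else:
            counts["false_negative"] += 1      # event happened, no alarm
    return counts


# Constructed rules (sids in the local 1000000+ range, messages made up).
RULES_TEXT = [
    'alert tcp any any -> any 80 (msg:"Constructed: traversal probe"; content:"../../"; sid:1000001; rev:1;)',
    'alert icmp any any -> any any (msg:"Constructed: marked ICMP"; content:"probe-marker"; sid:1000002; rev:1;)',
]
RULES = [parse_rule(t) for t in RULES_TEXT]

# Constructed traffic with constructed ground-truth labels (True = malicious).
TRAFFIC = [
    (Packet("tcp", "10.0.0.5", 40001, "10.0.0.10", 80, b"GET /index.html HTTP/1.1"), False),
    (Packet("tcp", "10.0.0.5", 40002, "10.0.0.10", 80, b"GET /../../secret HTTP/1.1"), True),
    (Packet("tcp", "10.0.0.5", 40003, "10.0.0.10", 8080, b"GET /../../secret HTTP/1.1"), True),
    (Packet("tcp", "10.0.0.6", 40004, "10.0.0.10", 80, b"POST /upload file=../../photos/cat.jpg"), False),
    (Packet("icmp", "10.0.0.7", 0, "10.0.0.10", 0, b"ping probe-marker"), True),
    (Packet("udp", "10.0.0.8", 40005, "10.0.0.53", 53, b"dns query"), False),
]

# Tuning step: the probe on port 8080 was a false negative, so add coverage for it.
TUNED_RULES = RULES + [parse_rule(
    'alert tcp any any -> any 8080 (msg:"Constructed: traversal probe, alt port"; content:"../../"; sid:1000003; rev:1;)'
)]

if __name__ == "__main__":
    print("untuned:", score(RULES, TRAFFIC))
    print("tuned:  ", score(TUNED_RULES, TRAFFIC))
```

Running the block shows the untuned set scoring two true positives, two true negatives, one false positive and one false negative; adding the port-8080 rule removes the false negative, while the false positive (a benign upload whose filename contains the signature bytes) remains and would need a narrower `content` or added context to tune away. That asymmetry is the practical point of the article's ranking: a missed event is only discovered by luck or by the attacker's later actions, whereas a spurious alarm is at least visible and can be investigated.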

Now that you have been introduced to intrusion detection, I hope you are motivated to start exploring how it could be a useful tool for your organization. A good defense requires detection and response. Intrusion detection can make the difference between a minor security blip and a full-fledged disaster.

About the author:
Michael Gregg is the president of Superior Solutions Inc., a Houston-based training and consulting firm. He has more than 15 years of experience in IT and is an expert on networking, security and Internet technologies. Michael holds two associate degrees, a bachelor's degree and a master's degree. He presently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.

This was first published in May 2006
