Intrusion Detection System

-: Intrusion Detection System (IDS) :-


An intrusion detection system (IDS) is a software- and/or hardware-based system that monitors network traffic for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action, such as blocking the user or source IP address from accessing the network.

Typical locations for an intrusion detection system are as shown in the following figure -

The types of intrusion detection systems are as follows :-

1) Host-Based Intrusion Detection System (HIDS) :- Host-based intrusion detection systems, or HIDS, are installed as agents on a host. These intrusion detection systems can look into system and application log files to detect intruder activity.

2) Network-Based Intrusion Detection System (NIDS) :- These IDSs detect attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment, thereby protecting those hosts. Network-based IDSs often consist of a set of single-purpose sensors or hosts placed at various points in a network. These units monitor network traffic, performing local analysis of that traffic and reporting attacks to a central management console.

Some important topics that come under intrusion detection are as follows :-

1) Signatures - A signature is the pattern that you look for inside a data packet. A signature is used to detect one or multiple types of attacks. For example, the presence of “scripts/iisadmin” in a packet going to your web server may indicate intruder activity. Signatures may be present in different parts of a data packet, depending upon the nature of the attack.

2) Alerts - Alerts are any sort of user notification of intruder activity. When an IDS detects an intruder, it has to inform the security administrator about this using alerts. Alerts may be in the form of pop-up windows, logging to a console, sending e-mail, and so on. Alerts are also stored in log files or databases where they can be viewed later on by security experts.

3) Logs - Log messages are usually saved in a file. Log messages can be saved either in text or binary format.

4) False Alarms - False alarms are alerts generated by an indication that is not intruder activity. For example, misconfigured internal hosts may sometimes broadcast messages that trigger a rule, resulting in the generation of a false alert. Some routers, like Linksys home routers, generate lots of UPnP-related alerts. To avoid false alarms, you have to modify and tune the different default rules. In some cases you may need to disable some of the rules to avoid false alarms.

5) Sensor - The machine on which an intrusion detection system is running is also called the sensor in the literature, because it is used to “sense” the network.
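The following is an added example (not code from the page or from Snort) that ties the topics above together: a toy signature-matching sensor runs over a few constructed packets, raises a text alert for each rule hit, persists alerts to a log file, and shows the two ways of dealing with a false alarm such as a noisy UPnP router, tuning out one source or disabling the rule. All addresses, rule ids and payloads are made up for the example.

```python
from dataclasses import dataclass

# Constructed sample packets (src ip, dst ip, dst port, payload); not real captures.
PACKETS = [
    ("10.0.0.5", "192.168.1.10", 80, b"GET /scripts/iisadmin/ HTTP/1.0\r\n\r\n"),
    ("192.168.1.1", "239.255.255.250", 1900,
     b"NOTIFY * HTTP/1.1\r\nNT: upnp:rootdevice\r\n\r\n"),
    ("10.0.0.9", "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("10.0.0.7", "192.168.1.10", 80, b"GET /scripts/iisadmin/ism.dll HTTP/1.0\r\n\r\n"),
]

@dataclass(frozen=True)
class Rule:
    sid: int            # rule id (made-up numbers for this example)
    msg: str            # text that goes into the alert
    dport: int          # destination port the rule applies to
    pattern: bytes      # byte signature searched for in the payload
    enabled: bool = True

RULES = [
    Rule(1001, "WEB-IIS scripts/iisadmin access attempt", 80, b"scripts/iisadmin"),
    Rule(1002, "UPnP NOTIFY broadcast", 1900, b"upnp:rootdevice"),
]

def matches(rule, pkt):
    """A rule fires when it is enabled, the port matches and the signature is present."""
    _, _, dport, payload = pkt
    return rule.enabled and dport == rule.dport and rule.pattern in payload

def run_ids(packets, rules, suppress=frozenset()):
    """Return alert lines (text-format log records) for every rule hit.
    suppress holds (sid, source ip) pairs tuned out as known false alarms,
    e.g. a noisy internal router; disabling the rule is the blunter option."""
    alerts = []
    for src, dst, dport, payload in packets:
        for rule in rules:
            if matches(rule, (src, dst, dport, payload)) and (rule.sid, src) not in suppress:
                alerts.append(f"[1:{rule.sid}] {rule.msg} {src} -> {dst}:{dport}")
    return alerts

def write_log(alerts, path):
    """Alerts are also persisted to a file so they can be reviewed later."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.writelines(line + "\n" for line in alerts)

if __name__ == "__main__":
    for line in run_ids(PACKETS, RULES):
        print(line)
```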

Snort :- Snort is a very flexible network intrusion detection system that has a large set of pre-configured rules. Snort also allows you to write your own rule set. There are several mailing lists on the Internet where people share new Snort rules that can counter the latest attacks.

Snort is a modern security application that can perform the following three functions :

* It can serve as a packet sniffer.
* It can work as a packet logger.
* It can work as a Network-Based Intrusion Detection System (NIDS).

Further details and downloads can be obtained from its home page - http://www.snort.org

-: Honeypots :-

Definition :-
"Honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems."  -Wikipedia

"Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource."  -Lance Spitzner

Unlike firewalls or intrusion detection systems, honeypots do not solve a specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud. It is this flexibility that gives honeypots their true power. It is also this flexibility that can make them challenging to define and understand.

Types of Honeypots :-
Low-Interaction Honeypot :- Low-interaction honeypots have limited interaction; they normally work by emulating services and operating systems. Attacker activity is limited to the level of emulation provided by the honeypot. These honeypots tend to be easier to deploy and maintain, with minimal risk. Examples of low-interaction honeypots include Specter, Honeyd, and KFSensor.

High-Interaction Honeypot :- High-interaction honeypots are different; they are usually complex solutions, as they involve real operating systems and applications. Nothing is emulated; we give attackers the real thing. The advantages of such a solution are twofold. First, you can capture extensive amounts of information. By giving attackers real systems to interact with, you can learn the full extent of their behaviour. The second advantage is that high-interaction honeypots make no assumptions about how an attacker will behave. Instead, they provide an open environment that captures all activity. However, this also increases the risk of the honeypot, as attackers can use these real operating systems to attack non-honeypot systems. As a result, additional technologies have to be implemented that prevent the attacker from harming other non-honeypot systems. They can also be more complex to deploy and maintain. Examples of high-interaction honeypots include Symantec Decoy Server and Honeynets.
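As an added illustration of the low-interaction model described above (example code written for this page, not taken from Honeyd, Specter or KFSensor), here is a minimal emulated FTP service: it presents a constructed banner, always refuses logins, answers anything it does not understand with a 502, and records every command for later review. Nothing real sits behind it, which is exactly why attacker activity stops at the level of the emulation. The hostname in the banner and the peer address are placeholders.

```python
import socketserver

# Constructed fake banner; the hostname is a placeholder, not a real system.
BANNER = b"220 ftp.example.internal FTP server ready\r\n"

class FtpEmulator:
    """Canned FTP dialogue: logins are always refused and anything beyond
    USER/PASS/QUIT gets a 502, so attacker activity stops at the emulation."""
    def __init__(self, peer):
        self.peer = peer
        self.log = []   # every command the client sent, kept for later review

    def respond(self, raw):
        """Return (reply bytes, keep_connection) for one raw client line."""
        verb, _, arg = raw.strip().decode("ascii", "replace").partition(" ")
        verb = verb.upper()
        self.log.append({"peer": self.peer, "verb": verb, "arg": arg})
        if verb == "USER":
            return b"331 Password required\r\n", True
        if verb == "PASS":
            return b"530 Login incorrect\r\n", True    # never grant access
        if verb == "QUIT":
            return b"221 Goodbye\r\n", False
        return b"502 Command not implemented\r\n", True  # limit of the emulation

def emulate_session(lines, peer="10.0.0.5"):
    """Run a whole dialogue in-process (no sockets); returns (replies, log)."""
    emu = FtpEmulator(peer)
    replies = [BANNER]
    for raw in lines:
        reply, keep_going = emu.respond(raw)
        replies.append(reply)
        if not keep_going:
            break
    return replies, emu.log

class Handler(socketserver.StreamRequestHandler):
    def handle(self):   # the same emulator driven by a real TCP connection
        emu = FtpEmulator(self.client_address[0])
        self.wfile.write(BANNER)
        for raw in self.rfile:
            reply, keep_going = emu.respond(raw)
            self.wfile.write(reply)
            if not keep_going:
                break
        for rec in emu.log:        # stand-in for appending to a log file
            print(rec)

if __name__ == "__main__":   # unprivileged port on loopback for a local trial
    with socketserver.TCPServer(("127.0.0.1", 2121), Handler) as srv:
        srv.serve_forever()
```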

Typical Honeypot Model

Honeypot Software :-
Argos by Georgios Portokalidis, Herbert Bos
Back Officer Friendly by NFR Security
Bait N Switch Honeypot by Team Violating
BigEye by Team Violating
FakeAP by Black Alchemy Enterprises
GHH - The "Google Hack" Honeypot by Ryan McGeehan et al
HOACD by Honeynet.BR Project
HoneyBOT by Atomic Software Solutions
Honeyd by Niels Provos
Honeyd Development site by Niels Provos
Honeyd for Windows by Michael A. Davis (port)
Honeynet Security Console for Windows 2000/XP by Activeworx, Inc.
HoneyPerl by Brazilian Honeypot Project (HoneypotBR)
HoneyPoint by MicroSolved, Inc.
Honeywall CD-ROM by The Honeynet Project
HoneyWeb by Kevin Tim
Impost by sickbeatz
Jackpot Mailswerver by Jack Cleaver
KFSensor by Keyfocus
Kojoney by Jose Antonio Coret
LaBrea Tarpit by Tom Liston
NetBait by NetBait Inc.
NetFacade by Verizon
OpenBSD's spamd by OpenBSD Team
ProxyPot by Alan Curry
Sandtrap by Sandstorm Enterprises, Inc.
Single-Honeypot by Luis Wong and Louis Freeze
Smoke Detector by Palisade Systems Inc.
SMTPot.py by Karl A. Krueger
Spamhole by Dr. Uid
Spampot.py by Neale Pikett
Specter by Netsec
SWiSH by Canned Ham
Symantec Decoy Server (formerly ManTrap) by Symantec
Tiny Honeypot (thp) by George Bakos
The Deception Toolkit by Fred Cohen & Associates
User-Mode Linux (UML) by Jeff Dike
