
IDS/IPS

Intrusion Detection System

Intrusion Prevention System

                 _________
                 |SpanPort|
               x-----------
          |    |                     ________------
          |    |        _______      |vlan1  |HIDS| on host machine
          |    |public  |      |     |       ------
  isp --> | // |--------|Server|-----|
          |    |  ^     |______|     |
          |    |  |                  |       ---------
          |    | NIDS                |_______|Honeypot|
         firewall                     vlan2  ----------

Network Based IDS (NIDS): inspects traffic on the wire, fed by a switch SPAN (mirror) port or a tap
Host Based IDS (HIDS): runs on the host itself and watches its logs, processes and files
Normally only a NIDS is used. It sits next to the firewall, plugged into a switch port running in SPAN (port-mirroring) mode, so it sees a copy of the traffic rather than sitting inline. In the IDS software we write rules (signatures); when a packet matches a rule, or the engine detects an anomaly, it raises an alert and writes a log entry. An IPS applies the same rules but sits inline, so it can also drop the matching traffic instead of only logging it.

Tools

Snort
  1. Start the snort service
  2. Configure rules (snort.conf and the rules files it includes)
  3. Restart snort so it loads the new rules
  4. Start snort on the monitoring interface with alerts printed to the console
  5. Attack from another host and watch the alert appear

 sudo vi /etc/snort/snort.conf
 sudo /etc/init.d/snort restart
 sudo snort -q -A console -i wlan0 -c /etc/snort/snort.conf
 nmap -sU 192.168.100.82

-A needs an alert mode: console prints every alert to the terminal, -q suppresses the startup banner and -i wlan0 is the interface connected to the SPAN port. The nmap -sU run is a UDP port scan of the monitored host (192.168.100.82) from the attacking machine; with matching rules loaded, the scan should show up as alerts in the console.
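A worked version of the "attack and detect" step, as an added example that is not part of the original page or of Snort: a small Python matcher for a Snort-like subset of the rule syntax (rule header, msg, sid, content, itype, threshold), run over a constructed packet stream that mimics the nmap -sU scan above plus some benign traffic. HOME_NET, the rules, the addresses and the packets are all invented for the example; the threshold rule is a crude stand-in for scan detection (Snort itself does that with the sfPortscan preprocessor).

```python
# Added illustration, not Snort's own code: a small signature matcher for a
# Snort-like rule subset, run over constructed packets. Rules, addresses and
# traffic are invented for the example.
import ipaddress
import re
from collections import defaultdict

HOME_NET = "192.168.100.0/24"   # assumed protected network
# threshold rule: crude nmap -sU stand-in; real Snort uses the sfPortscan preprocessor
RULES_TEXT = """
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; sid:1000001;)
alert udp any any -> $HOME_NET any (msg:"UDP probe burst (possible nmap -sU)"; sid:1000002; threshold: type threshold, track by_src, count 5, seconds 10;)
alert tcp any any -> $HOME_NET 80 (msg:"Web path traversal"; content:"../"; sid:1000003;)
"""
RULE_RE = re.compile(r"^alert\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
                     r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")

def parse_rules(text, variables):
    """Rule header plus 'key:value;' options; $VARs in addresses are expanded."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparseable rule: " + line)
        rule, opts = m.groupdict(), {}
        for item in rule["opts"].split(";"):
            if item.strip():
                key, _, val = item.partition(":")
                opts[key.strip()] = val.strip().strip('"')
        rule["opts"] = opts
        for end in ("src", "dst"):
            rule[end] = variables.get(rule[end], rule[end])
        rules.append(rule)
    return rules

def header_matches(rule, pkt):
    """Protocol, addresses ('any' or CIDR) and ports ('any' or a number)."""
    def ip_ok(spec, addr):
        return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    def port_ok(spec, port):
        return spec == "any" or (port is not None and int(spec) == port)
    return (rule["proto"] == pkt["proto"] and ip_ok(rule["src"], pkt["src"])
            and ip_ok(rule["dst"], pkt["dst"]) and port_ok(rule["sport"], pkt.get("sport"))
            and port_ok(rule["dport"], pkt.get("dport")))

def options_match(opts, pkt):
    # content: payload substring; itype: ICMP type
    if "content" in opts and opts["content"].encode() not in pkt.get("payload", b""):
        return False
    return "itype" not in opts or pkt.get("itype") == int(opts["itype"])

def format_alert(rule, pkt):
    # roughly the shape of a Snort fast/console alert line
    flow = (f"{pkt['src']} -> {pkt['dst']}" if pkt["proto"] == "icmp"
            else f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")
    return (f"[**] [1:{rule['opts']['sid']}:{rule['opts'].get('rev', '1')}] "
            f"{rule['opts']['msg']} [**] {{{pkt['proto'].upper()}}} {flow}")

class Detector:
    def __init__(self, rules):
        self.rules = rules
        self.hits = defaultdict(list)   # (sid, tracked address) -> match timestamps

    def threshold_allows(self, rule, pkt):
        """Snort 'type threshold': alert once per <count> matches within <seconds>."""
        spec = rule["opts"].get("threshold")
        if spec is None:
            return True
        th = dict(p.split() for p in spec.split(","))
        key = (rule["opts"]["sid"], pkt["src"] if th["track"] == "by_src" else pkt["dst"])
        window = [t for t in self.hits[key] if pkt["ts"] - t < int(th["seconds"])] + [pkt["ts"]]
        if len(window) >= int(th["count"]):
            self.hits[key] = []          # counter resets once the alert fires
            return True
        self.hits[key] = window
        return False

    def inspect(self, pkt):
        return [format_alert(r, pkt) for r in self.rules
                if header_matches(r, pkt) and options_match(r["opts"], pkt)
                and self.threshold_allows(r, pkt)]

# Constructed traffic: ICMP ping plus seven UDP probes from 10.0.0.5 (what an
# nmap -sU run looks like from the SPAN port), a benign outbound DNS query, and
# a web request carrying "../".
SAMPLE_PACKETS = (
    [{"ts": 0.0, "proto": "icmp", "src": "10.0.0.5", "dst": "192.168.100.82", "itype": 8}]
    + [{"ts": 0.1 * i, "proto": "udp", "src": "10.0.0.5", "sport": 40000,
        "dst": "192.168.100.82", "dport": p, "payload": b""}
       for i, p in enumerate([53, 67, 68, 69, 123, 137, 161], start=1)]
    + [{"ts": 0.8, "proto": "udp", "src": "192.168.100.10", "sport": 53123,
        "dst": "8.8.8.8", "dport": 53, "payload": b"\x12\x34\x01\x00"},
       {"ts": 1.0, "proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "192.168.100.82",
        "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"}])

def run(packets=None, rules_text=RULES_TEXT):
    """Feed a packet stream through the rules and return the alert lines raised."""
    det = Detector(parse_rules(rules_text, {"$HOME_NET": HOME_NET}))
    alerts = []
    for pkt in SAMPLE_PACKETS if packets is None else packets:
        alerts.extend(det.inspect(pkt))
    return alerts

if __name__ == "__main__":
    print("\n".join(run()))
```

run() returns three alert lines for the sample stream: the echo request, the fifth UDP probe from 10.0.0.5 (the threshold rule stays silent for the first four and resets after firing), and the "../" web request. The DNS query raises nothing because its destination is outside HOME_NET. Rules in this syntax conventionally go into a rules file included from snort.conf (local.rules in the default layout) before the restart in step 3.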


29nov16   admin