reading-notes
Dedicated to my thoughts while learning cybersec
Intrusion Detection and Prevention Systems
10/16/2020
Intrusion detection systems are a lot like fire alarms. Just as a fire alarm detects smoke, an intrusion detection system idenitifies incidents and potential threats.
An IDS is a visibility tool that sits off to the side of the network and monitors traffic. It consists of a management console and sensors. When the sensors encounter something that matches up to a previously detected attack signature, they report the activity to the console. An IDS can notify security personnel of infections, spyware or key loggers, as well as accidental information leakage, security policy violations, unauthorized clients and servers, and even configuration errors
An IPS is similar to an IDS, except that they are able to block potential threats as well. They monitor, log and report activities, similarly to an IDS, but they are also capable of stopping threats without the system administrator getting involved. If an IPS is not tuned correctly, it can also deny legitimate traffic, so they are not suitable for all applications.
The Confusion Matrix (Blocks and Warnings)
| Actual class | |||
|---|---|---|---|
| P | N | ||
Predicted
class |
P | TPπ | FPπ |
| N | FNπ± | TNβ | |
True Positive π
A true positive is when an attack is expected and the attack is realβ¦
False Positive π
A false positive, is a result that indicates a given condition exists when it does not. Alarm Fatigue
True Negative β
An attack was not suspected and nothing actually occurred. Everything is good here.
False Negative π±
An attack occured and it wasnβt caught, no alarms raised! the worst of the worst
Snort
Snort is an Open Source Intrusion Prevention System (IPS). Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users. http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node31.html
Event Class Types | Classtype | Description | Priority | |βββββββββββ|ββββββββββββββββββββ-|βββ-| | attempted-admin | Attempted Administrator Privilege Gain | high | | attempted-user | Attempted User Privilege Gain | high | | inappropriate-content | Inappropriate Content was Detected | high | | policy-violation | Potential Corporate Privacy Violation | high | | shellcode-detect | Executable code was detected | high | | successful-admin | Successful Administrator Privilege Gain | high | | successful-user | Successful User Privilege Gain | high | | trojan-activity | A Network Trojan was detected | high | | unsuccessful-user | Unsuccessful User Privilege Gain | high | | web-application-attack | Web Application Attack | high | | attempted-dos | Attempted Denial of Service | medium | | attempted-recon | Attempted Information Leak | medium | | bad-unknown | Potentially Bad Traffic | medium | | default-login-attempt | Attempt to login by a default username and password | medium | | denial-of-service | Detection of a Denial of Service Attack | medium | | misc-attack | Misc Attack | medium | | non-standard-protocol | Detection of a non-standard protocol or event | medium | | rpc-portmap-decode | Decode of an RPC Query | medium | | successful-dos | Denial of Service | medium | | successful-recon-largescale | Large Scale Information Leak | medium | | successful-recon-limited | Information Leak | medium | | suspicious-filename-detect | A suspicious filename was detected | medium | | suspicious-login | An attempted login using a suspicious username was detected | medium | | system-call-detect | A system call was detected | medium | | unusual-client-port-connection | A client was using an unusual port | medium | | web-application-activity | Access to a potentially vulnerable web application | medium | | icmp-event | Generic ICMP event | low | | misc-activity | Misc activity | low | | network-scan | Detection of a Network Scan | low | | not-suspicious | Not Suspicious Traffic | low | | protocol-command-decode | Generic Protocol Command Decode | low | | string-detect | A suspicious string was detected | low | | unknown | Unknown Traffic | low | | tcp-connection | A TCP connection was detected | very low |