The LINUX.COM Article Archive
Originally Published: Tuesday, 16 October 2001 | Author: Shashank Pandey
Published to: enchance_articles_security/Advanced Security Articles | Page: 4/4
Intrusion Detection Systems for the Uninitiated, Part 2; Installing and Configuring Snort
Shashank Pandey returns to Linux.com with part two of his popular series on IDS: Intrusion Detection Systems for Linux. Having covered PortSentry in his last article, today Pandey casts a sharp eye over working with Snort. And remember, in some primitive parts of the world you have to pay for information like this! Can you imagine?
Securing IDS

It should be kept in mind that Intrusion Detection Systems are not 'God'. They have their own flaws, like everything else in this world! The true spirit of 'hacking' involves stretching the capability of a system (legally!). To beat the 'crackers' you have to be ever vigilant, never afraid to learn, and willing to test the limitations of your IDS, firewall and everything else that falls within the periphery of your security policy. Since there are already beautifully written articles and papers by some very knowledgeable people on this issue, I will do them the honor of just providing pointers to the relevant URLs.
Articles:
> "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" (Ptacek and Newsham, January 1998): http://secinf.net/info/ids/idspaper/idspaper.html
> "A look at whisker's anti-IDS tactics" (Rain Forest Puppy): www.wiretrip.net

Tools:
> Fragrouter: http://www.anzen.com/research/nidsbench
> Whisker: www.wiretrip.net

To summarize, most of the techniques described in these articles (and implemented by the tools) fall into two classes. The first plays games at the packet level: splitting an attack across IP fragments or TCP segments, overlapping them with conflicting data, or inserting packets that the IDS accepts but the target discards, so that the IDS reassembles a different stream from the one the victim actually processes. The second rewrites the request itself, for example obfuscating a URL with hex encoding, '/./' self-references, double slashes or '..' traversal, so that the web server still runs the same CGI program while a signature looking for the literal path no longer matches. Both exploit the same weakness: the IDS and the target interpret the same bytes differently. These tools are used by security experts and crackers worldwide to fool IDSs, so learn to use them against your own network and IDS before the bad guys do, and confirm that Snort's preprocessors for fragment reassembly, TCP stream reassembly and HTTP decoding are enabled for the traffic you care about. Also, check out the snort.org downloads section for tools that help Snort perform better. The same site hosts a Snort discussion forum, a good resource if you have any queries or problems with Snort.

Links of Interest
www.snort.org
www.silicondefence.com
www.whitehats.com
project.honeynet.org

Credits
The author would like to thank:
- The developers of Snort and the author(s) of the Snort web site. Many of the examples and some documentation were reproduced in part and can be directly attributed to the developers' information as posted on the Snort web site (http://www.snort.org/) and in the READMEs accompanying the Snort distribution.
- Simon Hayes (Chief Editor) and the editorial team of Linux.com, for polishing my articles :-)
- YOU (for still being awake!)

Conclusion
Snort is a great tool not only for monitoring your network but also for learning how attacks happen and how to prevent them. It can be integrated with other security tools like Tripwire (host file-integrity checking) and swatch (log watching) to get an even clearer picture of an intrusion attempt. At the same time, IDSs (both free and commercial) are plagued with issues like poor event handling when it comes to taking appropriate action, and quite a few security glitches of their own. Let's see how future IDSs turn out! Your mails and comments are more than welcome, as always.
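As an added example, not part of the original article and not code from Snort, fragrouter or whisker, the following Python script models the two evasion classes summarized in the articles section above: overlapping IP fragments reassembled under two different overlap policies, and whisker-style URL obfuscation against a literal content match. The fragment train, the request lines and the signature "/cgi-bin/phf" are all constructed for illustration (phf is used only because it is the classic CGI example), and fragment offsets are simplified to plain byte offsets.

```python
"""Toy model of the two IDS evasion classes listed above.

Added example for this page; it is not code from the original article, from
Snort, from fragrouter or from whisker. All fragment layouts and request
lines below are constructed for illustration.
"""
from urllib.parse import unquote


# ---- Part 1: packet games - overlapping fragments ------------------------

def reassemble(fragments, policy):
    """Rebuild a payload from (byte_offset, data) fragments.

    policy "first": bytes already written are kept (original fragment wins)
    policy "last":  later fragments overwrite earlier ones
    Real IP stacks disagree on this, so an IDS that reassembles one way while
    the target reassembles the other reconstructs a different payload (the
    insertion/evasion ambiguity Ptacek and Newsham describe).
    Simplification: offsets are plain byte offsets, not 8-byte IP units.
    """
    end = max(off + len(data) for off, data in fragments)
    buf = bytearray(end)
    written = [False] * end
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not written[pos]:
                buf[pos] = byte
                written[pos] = True
    return bytes(buf)


# Constructed fragment train: fragments 2 and 3 cover the same bytes with
# different content, a harmless decoy path and the real attack path.
FRAGMENTS = [
    (0, b"GET /cgi-bin/"),   # bytes 0-12
    (13, b"idx HTTP/1.0"),   # bytes 13-24, decoy
    (13, b"phf HTTP/1.0"),   # bytes 13-24, overlaps the decoy
]


# ---- Part 2: URL obfuscation versus literal matching ---------------------

def normalize_uri(uri):
    """Normalize a request path roughly the way a web server does before
    routing it: percent-decode, drop empty and "." segments, resolve "..".
    Simplified; real servers differ in details, which is itself a vector."""
    parts = []
    for seg in unquote(uri).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def naive_match(request_line, needle):
    """What a literal content match sees: the raw bytes on the wire."""
    return needle in request_line


def normalized_match(request_line, needle):
    """Match against the URI as the target server would interpret it."""
    _method, uri, _version = request_line.split(" ", 2)
    return needle in normalize_uri(uri)


SIGNATURE = "/cgi-bin/phf"

# Constructed request lines: one plain control, then whisker-style tricks
# (self-reference, double slash, hex encoding, decoy directory cancelled by
# ".."). A typical server routes every one of them to /cgi-bin/phf.
REQUESTS = [
    "GET /cgi-bin/phf HTTP/1.0",
    "GET /cgi-bin/./phf HTTP/1.0",
    "GET /cgi-bin//phf HTTP/1.0",
    "GET /cgi-bin/%70hf HTTP/1.0",
    "GET /cgi-bin/decoy/../phf HTTP/1.0",
]


def evasion_report():
    """Return (naive_hits, normalized_hits) over the constructed requests."""
    naive = sum(naive_match(r, SIGNATURE) for r in REQUESTS)
    norm = sum(normalized_match(r, SIGNATURE) for r in REQUESTS)
    return naive, norm


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(f"{policy}-wins reassembly -> {reassemble(FRAGMENTS, policy)!r}")
    for req in REQUESTS:
        print(f"{req:38} naive={naive_match(req, SIGNATURE)!s:5} "
              f"normalized={normalized_match(req, SIGNATURE)}")
    print("hits (naive, normalized):", evasion_report())
```

Run directly, the script shows that "first"-wins reassembly yields the decoy request while "last"-wins yields the phf request from the very same fragments, and that the literal matcher catches only the plain control request while the normalizing matcher catches all five. Snort's reassembly and HTTP-decoding preprocessors exist to close exactly these gaps, which is why it pays to verify them with fragrouter and whisker before an attacker does.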
I hope we had a good time, guys ;-)

About the Author
The author is an undergraduate student of Computer Science and works as 'I.T. Manager' at a New Delhi (India) based total I.T. solutions organization. He is also actively involved as a freelance Information Security consultant, swears by 'information dissemination' and does not hate Bill Gates! (I would rather pay attention to my work than hate anybody.) I like playing guitar, a bit of meditation and sci-fi. Said author is probably gonna launch his own 'kewl-Geek' portal in a short time. He can live without oxygen for as long as he can hold his breath, but not even a microsecond without technology!