[SOLVED] IDS Question

July 23rd, 2013

Hi guys
I am writing about this for my dissertation and am somewhat stuck. The only way I believe this is achievable is through the use of network-based anomaly detection. The only way I can see to achieve this is through the snort plugin called SPADE.
At this point I would be grateful for any information you guys could offer. Also I have to use open-source tools.
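A worked illustration of the SPADE-style scoring the question refers to, added here as an example and not code from the thread or from the SPADE plugin itself: (dst_ip, dst_port) pairs are counted over a training window, and each live event scores -log2 of its estimated probability, so pairs the sensor has never seen score highest. The add-one smoothing, the threshold and the sample counts are assumptions of this example; it also shows why a rare but legitimate pair gets flagged, which is the false-positive problem Answer #1 raises.

```python
import math
from collections import Counter

# Constructed baseline: (dst_ip, dst_port) pairs observed on the mirror port over a
# training window. Counts are made up for the example, not captured traffic.
BASELINE = (
    [("10.10.1.5", 80)] * 400       # web server, very common
    + [("10.10.1.5", 443)] * 300
    + [("10.10.1.9", 22)] * 20      # ssh to one admin box, less common
    + [("10.10.1.20", 3306)] * 2    # rare but legitimate DB health check
)


def train(pairs):
    """Return (counts, total) so P(pair) can be estimated with add-one smoothing."""
    return Counter(pairs), len(pairs)


def spade_score(model, pair):
    """SPADE-style anomaly score: -log2 P(dst_ip, dst_port).

    Add-one (Laplace) smoothing is an assumption of this example; it gives a pair
    never seen in training a finite, maximal score instead of a division by zero.
    """
    counts, total = model
    distinct = len(counts) + 1          # +1 reserves probability mass for unseen pairs
    p = (counts[pair] + 1) / (total + distinct)
    return -math.log2(p)


def detect(model, events, threshold):
    """Return (event, score) for every event whose score exceeds the threshold."""
    flagged = []
    for event in events:
        score = spade_score(model, event)
        if score > threshold:
            flagged.append((event, round(score, 2)))
    return flagged


# Constructed live events: a normal web hit, the rare-but-legitimate DB check,
# and three never-seen (ip, port) pairs that look like a sweep of port 445.
EVENTS = [("10.10.1.5", 80), ("10.10.1.20", 3306),
          ("10.10.1.33", 445), ("10.10.1.34", 445), ("10.10.1.35", 445)]

if __name__ == "__main__":
    model = train(BASELINE)
    for event, score in detect(model, EVENTS, threshold=6.0):
        print(f"ALERT {event[0]}:{event[1]} score={score}")
```

The DB check scores about 7.9 and the unseen pairs about 9.5, so with a threshold of 6.0 the legitimate rare pair is reported alongside the sweep; raising the threshold above 8 separates them for this baseline, at the cost of missing anything only slightly unusual.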

Answer #1
Not sure if you are wanting just IDS, but early detection is usually for NIDS (N for network), whereas IDS is for a single host/client. (SNORT can be set up as a NIDS, which I am going to talk about.)
Well, the post you have created is a little confusing, but what I got from the description is whether an IDS can be used as an early warning system. You said SNORT; however, SNORT is more for client software protection. Let's say at the end of the network you have the router, then IDS/Firewall to the other hosts on a TCP/IP Ethernet star-hybrid topology (only an example).
Now you can have your IDS and Firewall separate, but nowadays most are combined. One thing that seems to go most undetected in IDS and firewalls are attacks from mobile devices. Most conventional IDS for anomaly detection usually will produce a high false positive rate, or do not detect attacks at all (false negatives; mobile devices as I mentioned). However, you are writing a paper, so chances are that, being the network administrating guru that you are, you probably already know what I just wrote. So I won't bore you any more....
I recommend checking out methods of artificial intelligence on an IDS; maybe do research on FIDeS. Can SNORT be set up this way? Yes, but what is the point if it's not on the DMZ?
Anyway, for SNORT, if I were an admin as great as you or all the others here, I may simply use the following command:
./snort -d -b -A full -i eth0 10.10.0.0/8 -l /var/log/snort -c snort.conf


As you know, the “snort.conf” is the name of the rules file, and the IP address I created is just the network’s IP range. So with the fake network address 10.10.1.0/8 (subnet mask 255.0.0.0), again I am sure you know everything about CIDR, but I am sure someone reading this may not know what the /8 meant.
The figure that I drew in MS Paint shows that the NIDS is outside the firewall on the edge of the network (note this is a logical representation, not necessarily the physical layout), with port monitoring enabled on an Ethernet switch between the router and firewall (Internet and intranet). The switch mirrors all inbound and outbound frames between the router and firewall to the port that the NIDS is connected to on the switch... (self explanatory, right?)
With other tools set up such as Tripwire and Wireshark you are good. Some people also like to use The Coroner’s Toolkit, also known as TCT. All of these tools are free as in speech, open source, and work in the UNIX/Linux environment. Sorry, I do not think TCT can run on a Windows environment. These tools work great at giving information to the admin and help with early detection, but they are still not the single program or piece of software you are looking for.
I hope this has helped you out. If there is anything unclear go ahead and PM me.
Answer #2
Cheers for your help man. I was indeed talking about NIDS and I apologise for not wording it all very well; it was one of those arghhhh moments. I have figured out a way for this to work and appreciate all the time and effort you put into your answer. I will be referencing your diagram in my dissertation =)
You helped me out a lot by leading me down another line of thought =)
