What is Intrusion Detection? 7
1.1.1.4 Signatures
Signature is the pattern that you look for inside a data packet. A signature is used
to detect one or multiple types of attacks. For example, the presence of “scripts/iisad-
min” in a packet going to your web server may indicate an intruder activity.
Signatures may be present in different parts of a data packet depending upon the
nature of the attack. For example, you can find signatures in the IP header, transport
layer header (TCP or UDP header) and/or application layer header or payload. You will
learn more about signatures later in this book.
Usually IDS depends upon signatures to find out about intruder activity. Some
vendor-specific IDS need updates from the vendor to add new signatures when a new
type of attack is discovered. In other IDS, like Snort, you can update signatures your-
self.
1.1.1.5 Alerts
Alerts are any sort of user notification of an intruder activity. When an IDS detects
an intruder, it has to inform security administrator about this using alerts. Alerts may be
in the form of pop-up windows, logging to a console, sending e-mail and so on. Alerts
are also stored in log files or databases where they can be viewed later on by security
experts. You will find detailed information about alerts later in this book.
Snort can generate alerts in many forms and are controlled by output plug-ins.
Snort can also send the same alert to multiple destinations. For example, it is possible to
log alerts into a database and generate SNMP traps simultaneously. Some plug-ins can
also modify firewall configuration so that offending hosts are blocked at the firewall or
router level.
1.1.1.6 Logs
The log messages are usually saved in file. By default Snort saves these messages
under /var/log/snort directory. However, the location of log messages can be changed
using the command line switch when starting Snort. Log messages can be saved either
in text or binary format. The binary files can be viewed later on using Snort or tcpdump
program. A new tool called Barnyard is also available now to analyze binary log files
generated by Snort. Logging in binary format is faster because it saves some formatting
overhead. In high-speed Snort implementations, logging in binary mode is necessary.
1.1.1.7 False Alarms
False alarms are alerts generated due to an indication that is not an intruder activ-
ity. For example, misconfigured internal hosts may sometimes broadcast messages that
trigger a rule resulting in generation of a false alert. Some routers, like Linksys home
routers, generate lots of UPnP related alerts. To avoid false alarms, you have to modify
我的内容管理
展开
