Sys Admin Magazine, August 2001

Homebrew Intrusion Detection Systems

Chris Kuethe

This article is not about how to install Snort, tcpdump, NFR, or any other collection of bits that may reside in your $PATH. It is about how to make all your tools and toys play nicely together. Other articles may have introduced you to the tools of the trade, Snort and tcpdump being two of the most popular. You have learned how to install them, but not much more than that. In brief, network intrusion detection is the "grey science" of analyzing network traffic anomalies, which implies that you already have a reasonably good baseline of what normal traffic on your network looks like; without that baseline, there is nothing for an anomaly to be anomalous against.

Generally, a network intrusion detection system is the collection of hardware, software, and personnel used to capture, display, and analyze traffic. Picking suitable hardware and software is fairly simple. Network intrusion detection is certainly not infallible: the packets you see are interesting, but it is up to you to decide why they are interesting and whether they are cause for concern. As such, there are only general guidelines, not recipes. Intrusion detection can be a lot of fun, and even rudimentary intrusion detection capabilities can make the cleanup, and the prevention, of a compromise a simpler task.

Many sites now have some form of traffic control in place, ranging from tcp-wrappered daemons to very restrictive packet filters and carefully written proxies. An excellent way to begin the journey into the world of intrusion detection is to tune your NIDS to watch for attempts to circumvent that traffic policy, as well as for outright policy violations: connections that should have been blocked or proxied but were attempted anyway. With the freely available tools and some practice, you will be able to detect very subtle attacks.
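The two ideas above, comparing traffic against a baseline of normal activity and watching for attempts to circumvent or violate the site's traffic policy, are illustrated by the following script. It is an added example written for this page and is not code from the original article or from any of the tools it names. It assumes the capture lines follow the common text format of `tcpdump -n` (timestamp, `IP`, `src.port > dst.port: Flags [...]`); the sample capture, the `POLICY` table and the `BASELINE_PORTS` set are all constructed for illustration and are not from the original page.

```python
"""Added example (not from the article): flag traffic-policy violations,
policy circumvention and deviations from a known baseline in tcpdump-style
output.

Assumptions (hypothetical, not from the original page):
- Capture lines follow the `tcpdump -n` text format, e.g.
  "12:00:01.000001 IP 10.0.0.5.51234 > 203.0.113.7.80: Flags [S], ..."
- POLICY, BASELINE_PORTS and SAMPLE_CAPTURE are invented for illustration.
"""
import re

# Constructed sample of `tcpdump -n` output (not a real capture).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.5.51234 > 203.0.113.7.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 10.0.0.5.51235 > 203.0.113.7.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000003 IP 10.0.0.9.51236 > 198.51.100.4.23: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 IP 198.51.100.4.4444 > 10.0.0.9.51237: Flags [S], seq 1, win 64240, length 0
12:00:01.000005 IP 10.0.0.5.51238 > 203.0.113.7.6667: Flags [S], seq 1, win 64240, length 0
12:00:01.000006 IP 10.0.0.22.51239 > 203.0.113.7.22: Flags [S], seq 1, win 64240, length 0
"""

# Hypothetical site policy: what may be initiated in each direction.
POLICY = {
    "internal_net": ("10.0.0.",),             # prefix match is enough for the demo
    "allowed_outbound_ports": {22, 80, 443},  # everything else must go via the proxy
    "denied_outbound_ports": {23},            # cleartext telnet explicitly forbidden
    "allowed_inbound_ports": {22},            # only ssh may be initiated from outside
}

# Hypothetical baseline: destination ports observed during a "normal" week.
BASELINE_PORTS = {22, 80, 443}

# Parses the fixed-format prefix of a tcpdump -n TCP line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict of the packet's fields, or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def is_internal(ip, policy=POLICY):
    return ip.startswith(policy["internal_net"])


def check_packet(pkt, policy=POLICY, baseline=BASELINE_PORTS):
    """Return the list of reasons this packet is interesting (empty if benign)."""
    reasons = []
    # Only bare SYNs (connection attempts) matter here; "S." is the reply half.
    if pkt["flags"] != "S":
        return reasons
    src_in, dst_in = is_internal(pkt["src"], policy), is_internal(pkt["dst"], policy)
    if src_in and not dst_in:
        # Outbound: explicit denial first, then anything that should have used the proxy.
        if pkt["dport"] in policy["denied_outbound_ports"]:
            reasons.append("policy violation: outbound to denied port %d" % pkt["dport"])
        elif pkt["dport"] not in policy["allowed_outbound_ports"]:
            reasons.append("policy circumvention: outbound to non-proxied port %d" % pkt["dport"])
        # Baseline check is independent of policy: new destination ports are worth a look.
        if pkt["dport"] not in baseline:
            reasons.append("baseline anomaly: destination port %d never seen before" % pkt["dport"])
    elif dst_in and not src_in:
        # Inbound: anything other than the allowed services should have been filtered.
        if pkt["dport"] not in policy["allowed_inbound_ports"]:
            reasons.append("policy violation: inbound connection attempt to port %d" % pkt["dport"])
    return reasons


def scan_capture(text, policy=POLICY, baseline=BASELINE_PORTS):
    """Return [(line, reasons)] for every capture line that raised at least one reason."""
    hits = []
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        reasons = check_packet(pkt, policy, baseline)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in scan_capture(SAMPLE_CAPTURE):
        print(line)
        for r in reasons:
            print("    ", r)
```

On the constructed sample, the script flags the telnet attempt (denied port, also absent from the baseline), the inbound connection to a high port, and the outbound IRC-port connection that bypassed the proxy, while the web and ssh connections pass silently. The point of keeping the policy and baseline checks separate is that they answer different questions: the policy check tells you a rule was broken, the baseline check tells you something changed, and the article's advice is that you, not the tool, decide whether either is cause for concern.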

Hardware

Network intrusion detection requires processing a huge amount of data, so your system will need to be tuned for excellent disk and network I/O performance.
