1 Figure 10-4: Intrusion Detection Systems (IDSs) HOST IDSs Protocol Stack Monitor (like NIDS) Collects the same type of information as a NIDS Collects data even if host is in NIDS blind spot Gives data specific to hosts; relevant for diagnosis Might see data after decryption
12
Embed
1 Figure 10-4: Intrusion Detection Systems (IDSs) HOST IDSs Protocol Stack Monitor (like NIDS) Collects the same type of information as a NIDS Collects.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
1
Figure 10-4: Intrusion Detection Systems (IDSs)
HOST IDSs
Protocol Stack Monitor (like NIDS)
Collects the same type of information as a NIDS
Collects data even if host is in NIDS blind spot
Gives data specific to hosts; relevant for diagnosis
Might see data after decryption
2
Figure 10-4: Intrusion Detection Systems (IDSs)
HOST IDSs
Operating System Monitors
Collect data on operating system events
Failed logins
Attempt to change system executables
Attempt to change system configuration (registry keys, etc.)
3
Figure 10-4: Intrusion Detection Systems (IDSs)
HOST IDSs
Application Monitors (Monitor Specific Applications)
What users did in terms relevant to an application for easy interpretation
Filtering input data for buffer overflows
Signatures of application-specific attacks
4
Figure 10-4: Intrusion Detection Systems (IDSs)
Recap
Protocol monitor
Protocol events (suspicious packets, etc.)
Operating monitor
Operating system events (file changes, etc.)
Application monitor
Application events (application commands issued)
5
Figure 10-4: Intrusion Detection Systems (IDSs)
HOST IDSs
Weaknesses of Host IDSs
Limited Viewpoint; Only see events on one host
If host is hacked, Host IDS can be attacked and disabled
6
Figure 10-4: Intrusion Detection Systems (IDSs)
HOST IDSs Other host-based tools
File integrity checker programs
Create baseline message digests for sensitive files
After an attack, recompute message digests
This tells which files were changed; indicates Trojan horses, etc.
7
Figure 10-4: Intrusion Detection Systems (IDSs)
HOST IDSs
Other host-based tools
Operating system lockdown tools
Limits changes possible during attacks
Limits who may make crucial changes
May interfere with software functioning
8
Figure 10-4: Intrusion Detection Systems (IDSs)
Log Files
Flat files of time-stamped events
Individual logs
Integrated logs Aggregation of event logs from multiple IDS agents
(Figure 10-7)
Difficult to create because of format incompatibilities
Time synchronization of IDS event logs is crucial (NTP)
Can see suspicious patterns in a series of events across multiple devices
9
Figure 10-7: Event Correlation for an Integrated Log File
Sample Log File(Many Irrelevant Log Entries Not Shown)
1. 8:45:05. Packet from 1.15.3.6 to 60.3.4.5 (network IDS log entry)