Operational requirements necessary for anomaly-based intrusion detection
Essay Question. MAXIMUM length: 3 double-spaced pages, excluding references.
In 2003, a well-publicized report from IT analyst firm Gartner predicted that the market for stand-alone IDS tools would soon disappear, and urged Gartner clients to cease investing in IDS tools in favor of firewalls. Clearly, the obsolescence of IDS tools by 2005 did not occur as Gartner predicted, due in part to significant increases in the technological capability, processing speed, and accuracy of IDS tools in the nearly 15 years since the erroneous prediction.
Contemporary enterprises have a wide array of network and platform security tools from which to choose, and as we have seen in this course there is substantial overlap in the capabilities of different categories of tools such as firewalls, IDS, anti-malware, vulnerability scanners, and so forth. What factors would exert the most influence on an organization and lead it to choose to implement IDS? In your response please identify potential benefits of IDS, potential drawbacks, and any considerations about an organization’s operating environment that might drive its decision.
1. What are the operational requirements necessary to perform anomaly-based intrusion detection? How does the information gathered about network traffic by anomaly-based IDS tools differ from the information gathered by signature-based NIDS?
2. IDS is a great way to capture forensic evidence of system activity (including intrusions); however, there are inherent problems with using IDS logs as legal evidence because of the possibility that the data has been manipulated and, therefore, that the credibility of the evidence can be challenged. Describe the requirements that log data must meet to be admissible as legal evidence.
3. Imagine you are tasked with monitoring network communication in an organization that uses encrypted transmission channels. What are the limitations of using intrusion detection systems in this environment? What methods would you employ to accomplish this task?
4. Describe how Distributed Denial-of-Service (DDoS) attacks may be detected and alerted on using Snort. Which Snort rule option would you use to detect such attacks? Describe in detail what that option means and how it can be used to detect the traffic pattern of a DDoS attack.
5. Explain the following Snort rule. Describe the meanings of all the options and modifiers used in the rule in as much detail as possible.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"Attack Detected"; flow:to_server,established; content:"|02|";depth:1;content:"sa";depth:2;offset:39; nocase; detection_filter:track_by_src,count 5,seconds 2;)
6. Write a Snort rule with the following functions:
a. Looks for the case-insensitive string “http://www.abc.com/test.cgi?id=pwn3d” in all traffic matched by the rule header.
b. Skips the first 12 bytes before starting the search, for efficiency.
c. The match must occur within the 50 bytes following the location where the search begins.
d. Once a match is detected, skips 20 bytes before beginning the next string search.
e. Looks for the second string (case-sensitive) “akjsfgoew”.
7. Most network IDS tools are designed to optimize performance when analyzing traffic using a variety of protocols specific to TCP/IP wired networks. Describe at least two intrusion detection scenarios where specialized types of monitoring and analysis are called for, explaining what limitations exist in conventional NIDS that make them insufficient to provide effective intrusion detection in the environments corresponding to these scenarios.
8. What is a multi-event signature? Provide at least two examples of multi-event signature activities or patterns that might be monitored with an intrusion detection system.
9. A Snort rule has a metadata field, with zero or more policy values. Describe the currently available policy values along with explanations.
10. Describe what the “fast_pattern” modifier means in Snort rules. Also, explain the differences between the “fast_pattern” and “fast_pattern:only” modifiers in detail, with examples.
11. Describe the meaning of the following content options used in a Snort rule, with matching and non-matching examples:
content:"GET"; offset:5; depth:10; content:"downloads"; distance:10; within:9;
12. Define and differentiate false positive and false negative. Which is worse, and why? Give one example of each, drawn from any context that demonstrates your understanding of the terms.
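As an added illustration for questions 5 and 11 (not part of the assignment, and not Snort's own code), the following Python models how the content modifiers offset, depth, distance, within and nocase constrain a search, then runs the content options of both rules against constructed payloads. It assumes Snort 2 semantics: depth is counted from offset, distance/within are measured from the end of the previous match, and no backtracking over repeated pattern occurrences is attempted.

```python
# Added example: a small model of Snort content modifiers, written for this
# page (not Snort's own code). Assumed semantics: offset/depth are absolute,
# depth counted from offset; distance/within are relative to the end of the
# previous match; nocase compares case-insensitively; no backtracking.

def decode_content(text: str) -> bytes:
    """Turn a Snort content string such as 'ab|02 0A|c' into raw bytes."""
    out = bytearray()
    for i, piece in enumerate(text.split("|")):
        # odd-indexed pieces sat between pipes and hold hex byte values
        out += bytes.fromhex(piece) if i % 2 else piece.encode()
    return bytes(out)

def search(payload: bytes, pattern: bytes, start: int, length, nocase: bool) -> int:
    """Index of pattern fully inside payload[start:start+length], else -1."""
    end = len(payload) if length is None else start + length
    window, needle = payload[start:end], pattern
    if nocase:
        window, needle = window.lower(), needle.lower()
    idx = window.find(needle)
    return -1 if idx < 0 else start + idx

def match_contents(payload: bytes, contents: list) -> bool:
    """Evaluate a chain of content keywords (one dict each) against payload."""
    doe = 0  # "detect offset end": where the previous match finished
    for c in contents:
        if "distance" in c or "within" in c:      # relative search
            start, length = doe + c.get("distance", 0), c.get("within")
        else:                                     # absolute search
            start, length = c.get("offset", 0), c.get("depth")
        pattern = decode_content(c["content"])
        pos = search(payload, pattern, start, length, c.get("nocase", False))
        if pos < 0:
            return False
        doe = pos + len(pattern)
    return True

# Question 11: "GET" must lie within bytes 5..14; "downloads" must start
# exactly 10 bytes after "GET" ends and fit a 9-byte window.
Q11 = [{"content": "GET", "offset": 5, "depth": 10},
       {"content": "downloads", "distance": 10, "within": 9}]
# Question 5: 0x02 as the first payload byte, then "sa" in any case at bytes 39..40.
Q5 = [{"content": "|02|", "depth": 1},
      {"content": "sa", "offset": 39, "depth": 2, "nocase": True}]

if __name__ == "__main__":  # constructed payloads, not captured traffic
    print(match_contents(b"12345GET /files/10downloads", Q11))  # True
    print(match_contents(b"12345GET /files/1downloads", Q11))   # False: one byte short
    print(match_contents(b"\x02" + b"A" * 38 + b"SAtail", Q5))  # True
    print(match_contents(b"\x02" + b"A" * 38 + b"xsa", Q5))     # False: "sa" shifted
```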