After a review of some of the previous week's discussion on ECC, week 4's lecture focused on Intrusion Detection Systems [IDS]. The initial slide of the lecture featured a great summary of IDS:

[Image: Intrusion Detection System summary slide, source: week 4 lecture notes]

The concepts behind IDSs are not overly complicated: analyse incoming traffic, compare it to known bad traffic and take action accordingly. Unfortunately, implementing such a system is not so simple; some of the primary difficulties are:

  • To what extent can we generalize on bad/malicious traffic recognition?
  • How much time/computational resources can be spent on each incoming packet?
  • How can knowledge base and analysis engines communicate in real-time without slowing the network?
  • How can definitions/knowledge bases keep up with new exploits?

To help deal with these difficulties, IDS systems are modularized into:

  • Host Based IDS [HIDS] – Examines process activity on a system, identifying malicious process behavior (e.g. Tripwire, AIDE)
  • Network Based IDS [NIDS] – Examines all packets flowing through a network

Snort, the IDS we have been experimenting with in labs, was introduced in the lecture as an example of a NIDS. Its strengths were identified as being an open-source option that is extremely fast and lightweight compared to its competition.

The rest of the lecture discussed how Snort rules work and how to write them. A detailed treatment can be found in chapter 3 of the Snort manual: http://www.snort.org/assets/166/snort_manual.pdf
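To make the rule format concrete, here is a toy matcher I have added for this write-up (my own code, not Snort's engine and not from the manual): it parses the header fields and a handful of options (msg, content, nocase, sid) and checks constructed packets against the rules. All rules, addresses and payloads below are made up for the illustration.

```python
import ipaddress
import re

# Rule header: action proto src sport dir dst dport (options); options are key:value pairs split by ';'
RULE_HEADER = re.compile(r'^(?P<action>alert|log|drop)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
                         r'\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def parse_rule(text):   # -> header fields + an options dict + a list of [content, nocase] pairs
    rule = RULE_HEADER.match(text.strip()).groupdict()
    rule["options"], rule["contents"] = {}, []
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            rule["contents"].append([val, False])
        elif key == "nocase" and rule["contents"]:   # modifier for the preceding content
            rule["contents"][-1][1] = True
        else:
            rule["options"][key] = val
    return rule

def _addr_ok(spec, ip):   # address spec: 'any' or a CIDR block
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
def _ends_ok(sa, sp, da, dp, pkt):   # port spec: 'any' or a single port number
    return (_addr_ok(sa, pkt["src"]) and sp in ("any", str(pkt["sport"]))
            and _addr_ok(da, pkt["dst"]) and dp in ("any", str(pkt["dport"])))

def matches(rule, pkt):   # header must fit (either way round for '<>'), then every content must appear
    if pkt["proto"] != rule["proto"]:
        return False
    fwd = _ends_ok(rule["src"], rule["sport"], rule["dst"], rule["dport"], pkt)
    rev = rule["dir"] == "<>" and _ends_ok(rule["dst"], rule["dport"], rule["src"], rule["sport"], pkt)
    return (fwd or rev) and all((n.lower() in pkt["payload"].lower()) if nc else (n in pkt["payload"])
                                for n, nc in rule["contents"])

def scan(rules, packets):   # per packet: sids of the rules it trips ([] when none fire)
    return [[r["options"]["sid"] for r in rules if matches(r, p)] for p in packets]

# Constructed sample rules and packets (not from the lecture or the Snort manual).
SAMPLE_RULES = [parse_rule(r) for r in [
    'alert tcp any any -> 10.0.0.0/24 80 (msg:"Web scanner UA"; content:"Nikto"; nocase; sid:1000001;)',
    'alert tcp any any -> any 23 (msg:"Telnet prompt, to server only"; content:"login:"; sid:1000002;)',
    'alert tcp any any <> any 23 (msg:"Telnet prompt, either direction"; content:"login:"; sid:1000003;)']]
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "192.0.2.5", "sport": 51000, "dst": "10.0.0.7", "dport": 80,
     "payload": "GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (nikto)\r\n"},
    {"proto": "tcp", "src": "192.0.2.5", "sport": 51001, "dst": "10.0.0.7", "dport": 80,
     "payload": "GET /index.html HTTP/1.1\r\nUser-Agent: curl/8.0\r\n"},
    {"proto": "tcp", "src": "10.0.0.7", "sport": 23, "dst": "192.0.2.5", "dport": 51002,
     "payload": "login: "}]   # server banner: only the '<>' rule sees it
```

Running `scan(SAMPLE_RULES, SAMPLE_PACKETS)` gives `[['1000001'], [], ['1000003']]`: the third packet shows why the direction operator matters, since the `->` telnet rule never looks at traffic coming back from port 23.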