discovering the world of intrusion detection

I wanted to learn more about security, so I started reading about vulnerabilities, exploits, penetration testing, etc., but all I could find was very basic and didn't seem like real-life attacks. They seemed so simple and too easy to implement and defend against. So I moved to reading about securing the network rather than penetrating it, and went through the security best practices and technical tricks. Then it hit me: I wanted to see real scans and attacks, and at the same time my boss wanted to implement an IDS, so IDS it is.
An IDS, or Intrusion Detection System, is a way of discovering what is happening behind your back. This can be done either per host or on the network.
I work in a data center where I don't manage every host, so I started implementing a NIDS (network-based IDS), and being an open-source believer I chose SNORT.

What SNORT does is sniff all network traffic passing through it, inspect those packets against a set of filters (rules) that identify possible attacks, and then generate logs of everything that matches.

To see these logs you can either look at the log files or use a frontend such as BASE or snort-report. BASE reads the alerts over a MySQL connection, so you will need to configure SNORT to log alerts to a MySQL database; snort-report reads from the log files, which is not so efficient when dealing with a big network. I used both, but after some time snort-report was getting too slow, so I dropped it and carried on with BASE.

The problem with IDSes is that they generate a lot of alerts, and not all alerts are equivalent to attacks. For example, a directory traversal attack against a patched IIS is not a threat, but the alert is still generated. So I had to see which traffic is never a real threat and disable the snort rule that generates it, but again these are so few.
Another example is when snort inspects HTTP traffic and sees a non-standard GET/PUT submission: it will fire an alarm, and while this could be an attack, it could also be a mis-coded web application.

Currently all I do is look at the logs every morning, inspect every alert I see, and take the suitable actions.
I am also trying to figure out the procedure to automate reporting of the real alerts.
What I mean by automating is letting non-experienced support personnel identify the high-risk alerts.
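As an added illustration of the kind of first-pass triage described above (my own code, not anything from this post or from the Snort project), here is a small script that parses Snort's one-line alert_fast format, drops alerts on a suppression list of rule/destination pairs already checked and known to be noise (such as the traversal signature firing against a patched host), and hands back only the priority-1 hits for a non-expert to act on. It assumes alert_fast is the output format in use; the SIDs, messages and addresses in the sample are constructed.

```python
import re
from collections import Counter

# Matches Snort's one-line "alert_fast" output (assumed to be the log format in use).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed suppression list: (gid, sid, destination) combinations we have checked
# and know to be noise, e.g. a directory traversal signature hitting a patched host.
SUPPRESS = {("1", "1001", "192.168.1.10")}

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines, suppress=SUPPRESS, max_prio=1):
    """Split alert lines into (high_risk, suppressed_count, hits_per_rule).

    Snort priority 1 is the most severe; anything above max_prio is left for
    the daily manual review rather than escalated to support staff."""
    high, suppressed, per_rule = [], 0, Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        per_rule[(a["gid"], a["sid"], a["msg"])] += 1
        if (a["gid"], a["sid"], a["dst"]) in suppress:
            suppressed += 1
            continue
        if int(a["prio"]) <= max_prio:
            high.append(a)
    return high, suppressed, per_rule

# Constructed sample alerts in alert_fast format (SIDs, messages and addresses are made up).
SAMPLE = """\
08/10-09:01:12.100000  [**] [1:1001:5] WEB-IIS directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.168.1.10:80
08/10-09:02:30.200000  [**] [1:1001:5] WEB-IIS directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.7:51240 -> 192.168.1.20:80
08/10-09:05:44.300000  [**] [1:1002:3] WEB-MISC non-standard HTTP method [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:40001 -> 192.168.1.20:80
08/10-09:07:01.400000  [**] [1:1003:2] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.7:51300 -> 192.168.1.20:445
08/10-09:08:15.500000  [**] [1:1004:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.168.1.10
""".splitlines()

if __name__ == "__main__":
    high, dropped, per_rule = triage(SAMPLE)
    print(f"{dropped} alert(s) suppressed as known noise")
    for a in high:
        print(f"HIGH {a['ts']} {a['src']} -> {a['dst']} [{a['gid']}:{a['sid']}] {a['msg']}")
    for (gid, sid, msg), n in per_rule.most_common():
        print(f"{n:4d}  {gid}:{sid}  {msg}")
```

The per-rule counts at the end are what tells you which signatures are worth tuning or suppressing next, so the list of real alerts keeps getting shorter.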

More to come as I go on with my work.
Comments are appreciated :)