Intrusion Detection in AlienVault
- Meredith Baldwin
- 8 years ago
Complete. Simple. Affordable. Copyright 2014 AlienVault. All rights reserved.
AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM and OSSIM are trademarks or service marks of AlienVault.
CONTENTS
1. INTRODUCTION
2. OVERVIEW
3. ALIENVAULT SENSORS AND NETWORK VISIBILITY
4. PACKET ANALYSIS, SIGNATURE MATCHING AND FALSE POSITIVES
5. SIMPLE SIGNATURES
6. PREPROCESSORS
7. INTRUSION DETECTION WITHIN OSSIM
   Feeds
   SIEM Events
   Correlation, Cross Correlation
   Suricata SIEM Events in OSSIM
   Suricata Data Source Plugins in OSSIM
   Suricata Message SIDs in OSSIM
   Unified IDS and SIEM Capabilities
   Analyzing IDS Events: IDS is not Antivirus
   Analyzing IDS Events: LibEmu Code Disassembly
DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 3 of 16
1. INTRODUCTION
AlienVault includes a Network Intrusion Detection system on the Sensor. This document introduces the feature set and usage of the NIDS system for analysts.

2. OVERVIEW
AlienVault's open source advantage means we can include all the essential security controls in a single platform, and perhaps no other control is as identifiable with modern security operations as the Network Intrusion Detection system. Network IDS started to become an established part of security detection and investigation in the late 1990s, and since then has proved itself an essential go-to tool for security analysts: a Network IDS positioned correctly can grant visibility into a wide range of security issues without relying on the monitored systems being configured to log properly, to run endpoint controls, or on any number of other machine-dependent security considerations. NIDS have their limitations in return, however: they can only see activity that transpires over the network, not within the hosts on it, so while a network IDS may see an attack attempt against a system, it is not always possible for it to determine whether that attack was successful. By combining the information from a Network IDS with the system-side logs in the SIEM, AlienVault can present analysts with the complete picture of activity relevant to security defenses. The following is an overview of NIDS configuration and usage within AlienVault.

3. ALIENVAULT SENSORS AND NETWORK VISIBILITY
The AlienVault Sensor component is responsible for all functions involving the monitoring of network traffic. A typical sensor should be configured with at least two network interfaces (it is normal to configure more): an administrative interface, configured with an IP address and reachable from the network; and a monitor interface.
This interface will often have no configured address and is unreachable from the network; instead it is connected to a Spanning or Mirror port on a network switch, which copies all other traffic travelling through the switch to a single port so that those packets can be captured and analyzed. This configuration is essential for the NIDS component of AlienVault to function: without it, the NIDS will only be able to monitor traffic going to the AlienVault machine itself.
Figure 1. NIDS Component of AlienVault configuration

4. PACKET ANALYSIS, SIGNATURE MATCHING AND FALSE POSITIVES
While there have been many variations of the underlying technology used to implement Network Intrusion Detection, signature-based detection remains the most reliable and easiest method to interpret. Different IDS systems use different signature detection methods, but in general they will all examine the following things:
IP addresses: Is the source of the traffic internal or external? Does it come from a host that is known to run a particular service (e.g. DNS) or not?
Transport Protocol: TCP, UDP, IGMP, ICMP?
Ports and Services: What TCP/UDP port is being connected to? Is the client-side port a low (<1024) port?
TCP Flags: Is this a new connection, or an established stream?
Protocol Headers: What settings are configured in the application-layer protocol being used?
Protocol Data: What is being sent over the application-layer protocol?
The core of a Network Intrusion Detection system is packet capture and stream reassembly: individual packets are captured from the network and then re-assembled into complete streams (all the data sent back and forth between source and destination). The contents of these streams are then run through filters that search for particular patterns of data in certain locations (taking into account how the application-layer protocol itself is written).

5. SIMPLE SIGNATURES
Simple signatures must take into account how the protocol itself is written. For example, an application protocol may use the first 27 bytes of the stream as the protocol header, with the data following after that; a signature that looks for a particular pattern in the protocol data must know to ignore the first 27 bytes of any stream when looking for a match for that attack signature. This makes the assumption that the data being analyzed is actually the protocol the signature is written for: an HTTP exploit signature will be looking for traffic over TCP port 80, but will still analyze data from any application protocol so long as it is transmitted over TCP port 80, so the same sequence of bytes captured in a completely harmless data stream can produce a signature hit. Similarly, different versions of application protocols can exist, and signatures may match on data that is harmful in a particular version of a protocol but completely innocent within a different version. As a rule, simple signatures should be taken as an informed best guess about the presence of attacks in network traffic, although the accuracy of individual signatures can vary greatly.

6. PREPROCESSORS
Protocol preprocessors add an additional layer of intelligence to IDS systems: they preprocess streams to validate that a particular application protocol is in use, and separate the contents of the data stream into blocks of data that represent functions of the protocol itself.
This allows much more fine-grained analysis of traffic contents, in the context of what is actually happening: whereas a simple signature may be limited to searching for a particular sequence of data within the whole data stream, or at a certain byte position in the data, preprocessors can look for malicious data only within the functions of the protocol that are vulnerable to that attack. When correctly written, signatures that use preprocessors can be highly accurate in detecting real attack data coming over the network.

7. INTRUSION DETECTION WITHIN OSSIM
The intrusion detection engine that currently ships with OSSIM is the Suricata open source intrusion detection engine. Suricata is an established standard in IDS, and uses the same format and language for attack signatures as Snort (another IDS). Snort is a reference standard amongst other IDS engines, and many engines import Snort signatures alongside their own. When new exploits are discovered, information about how to detect them is usually first shared amongst the security community using these signatures. Since new attacks are created almost every day now, IDS signatures are published via feeds of new and updated signatures.

It is possible to configure Snort instead of Suricata in OSSIM through the Web Interface:
1. Choose Configuration > Deployment > Components > AlienVault Center.
2. Click on the node name.
3. Click on the Sensor Configuration link.
4. Click on the Collection link.

Figure 2. Enabling Data Source Plugins

This table displays two columns. The left column shows plugins that are enabled and the right column shows plugins that are available to be enabled.
5. To move Snort from the right column to the left, find it and drag and drop it, or use the [+] link next to Snort; it will move to the left column. To move Suricata to the right column, find it and drag and drop it, or use the [-] link. It is not possible to have Suricata and Snort enabled at the same time.

FEEDS
There is a primary feed of signatures distributed with Suricata, populated with well-tested signatures for recognizing attacks. The signatures in this feed can be assumed to have a reasonably high degree of detection accuracy (or at least as accurate as is possible, given the nature of the attack). A secondary feed, Emerging Threats, is also available for use in Suricata. These signatures are written for the newest attacks known to the security research community; however, this newness means that they have not received the same amount of testing and validation as the primary feed, and may generate false positives more often. Eventually the signatures in Emerging Threats will make their way into the standard feed after sufficient testing and feedback from usage in the field. Both of these feeds are available within OSSIM.

SIEM EVENTS
Signature hits from the Suricata IDS distributed in OSSIM generate SIEM events just like log events from system logs: they are normalized into source and destination, protocol, etc., and can be searched and pivoted on just as with any regular SIEM event. Just as with any log-based device, the IDS information is consumed into the SIEM via Data Source Plugins (and IDs), with message SIDs for each event type. The preprocessors in particular get their own Data Source IDs, simple signatures get another, each signature gets a unique SID, and SIDs are mapped to the OSSIM taxonomy from their Suricata taxonomy.

CORRELATION, CROSS CORRELATION
Just as log correlation can be used to identify particular sequences of log events from devices, the events from the IDS can be factored into those sequences too. This comparison between network-level and host-level events can perform some of the initial validation that would normally be performed manually by an analyst during security analysis. For example, an IDS will show an attack attempt, but often has no way to validate that it has been successful; a host's logs may show a new administrative user being added, but have no way to determine whether this was done maliciously. Yet the sequence of an IDS attack detection followed almost immediately by the creation of an admin account is an event that quite clearly shouts "successful attack". Similarly, cross-device correlation between an event (detector) plugin and a state (monitor) plugin is just as straightforward: attacks against hosts known to have that service or vulnerability present can be correlated into alarms immediately.

SURICATA SIEM EVENTS IN OSSIM
Choose Analysis > Security Events (SIEM).
Then select Snort in the Data Sources field:
Figure 3. Suricata SIEM Events

7.5. SURICATA DATA SOURCE PLUGINS IN OSSIM
Choose Configuration > Threat Intelligence > Data Source:
Figure 4. Suricata Data Source Plugins

7.6. SURICATA MESSAGE SIDS IN OSSIM
Choose Configuration > Threat Intelligence > Data Source and double-click on a line:
Figure 5. Suricata Message SIDs in OSSIM

7.7. UNIFIED IDS AND SIEM CAPABILITIES
While any SIEM can accept IDS logs in the form of syslog messages, there is more to an IDS signature match than merely the information about the hosts involved, the network connection and the name of the signature. Proper investigation requires analysis of the data that was matched by the signature. IDS signatures are an indicator of an attack, not an infallible identifier of attacks: analysts must examine the traffic that triggered the signature and validate malicious intent before proceeding with any further investigation. With a traditional IDS-to-SIEM setup, this often requires logging into the IDS management interface to cross-reference the event in the SIEM with the event (complete with all details) in the IDS. Since OSSIM includes the IDS on the same system as the SIEM, however, this extended information is directly available from the SIEM UI itself: clicking on an IDS event in the SIEM will bring up the extended details page, complete with packet capture breakdown and payload. Choose Analysis > Security Events (SIEM):
Figure 6. Extended details of an IDS event

Events and signatures in OSSIM can have external references attached to them. This is especially important in the case of IDS signatures, where analysis depends entirely on knowledge of the attack method the signature is indicating. The signature reference links beside every IDS event will open a new browser window and load one of several authoritative references on the vulnerabilities and exploit methods relevant to the IDS signature in question. Clicking on the event (signature) name will bring up the event details page as normal for any event, but with an additional details panel specific to IDS events:
Figure 7. Event details of an IDS event

There are a great many additional open-source tools that consume packet data for further analysis, however, and we include a link to download a .pcap file containing the matching packet data for use in those external tools.

ANALYZING IDS EVENTS: IDS IS NOT ANTIVIRUS
One of the most common issues junior analysts encounter when responding to IDS alerts is the "One Signature, One Attack" fallacy: real-world attacks may trigger several signatures, none of which references the attack by name. Complete attacks operate via several stages (exploitation of a vulnerability, delivery of a payload, and reconfiguration of the victim host to allow the attacker persistent access to the system), each of which will trigger a different class of IDS signature. The "All events from this host" option (right-click on a hostname in the event list window) from any IDS event listed in the SIEM will search for all other SIEM events between the source and destination host. This should often be the starting point for the investigation of any IDS alert, to get a bigger picture of the activity between these systems (especially other IDS alerts that have triggered between them). Many signatures in particular are generic indicators of exploitation methods, and signify very little by themselves. A list of the signatures most commonly encountered in successful compromises of machines lists these signatures as having the highest rate of successful detection:
Detects | SID     | Author | Phase   | Description
27%     | 22466:7 | snort  | inbound | exploit netbios smb-ds ipc$ unicode share access
26%     | :10     | snort  | inbound | policy reserved ip space traffic - bogon nets 2
19%     | :1      | snort  | inbound | exploit shellcode x86 0x90 unicode noop

Yet none of these signatures by itself demonstrates an actual attack; in isolation, each indicates either a false positive or normal network activity. It is recommended to check whether the AlienVault correlation system has generated an alarm. Event correlation is a valuable capability that saves analysts time.

ANALYZING IDS EVENTS: LIBEMU CODE DISASSEMBLY
With a few notable exceptions (such as SQL injection), almost all software exploitation is performed using compiled code. This compiled code is then converted to a format suitable for transmission over network protocols (which normally would not transfer executable code) via a format dubbed shellcode. While shellcode detection is a reliable indicator of malicious software, it has a high rate of false positives when an IDS examines all transmitted data across the network (a sequence of bytes that may be shellcode may also just be part of an otherwise harmless image file, for example). To assist in the identification of actual shellcode payloads in IDS alerts, OSSIM includes the LibEMU disassembly library, which will attempt to de-compile any data detected as shellcode back into human-readable source code.
When an IDS signature payload is detected as containing shellcode, LibEMU will be run against it and attempt to provide a disassembly of the code back into x86 assembly language. A successful disassembly will generate call graphs (example above) that demonstrate the activities of the code in question. (Interpreting this disassembly is, however, outside the scope of this introductory document.) The presence of a successful disassembly is an extremely strong indicator that actual exploit code is the cause of the IDS signature hit. The message "The Shellcode couldn't be analyzed" is strong evidence of a false positive (or at least, of shellcode for an unsupported CPU architecture).
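The following is an added Python illustration of the behaviour described in sections 5 and 6, and of the 0x90 NOP-sled false positive discussed under LibEMU; it is not AlienVault, Suricata or Snort code. The rule contents, the sample streams, the minimal HTTP preprocessor and the SID values are all constructed for the example.

```python
"""Simple vs. preprocessor-aware signatures on reassembled streams.

Added illustration, not AlienVault, Suricata or Snort code: a simple signature
searches raw bytes past a header offset in any stream on the expected port; a
preprocessor validates the protocol first and searches only the relevant field.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Stream:
    """A reassembled TCP stream (hypothetical minimal model)."""
    dst_port: int
    data: bytes


@dataclass
class SimpleSignature:
    """Snort/Suricata-style rule reduced to port, header offset and content."""
    sid: int
    dst_port: int
    offset: int       # bytes of protocol header to skip before searching
    content: bytes


def simple_match(sig: SimpleSignature, stream: Stream) -> bool:
    """Simple signature: assumes anything on the port is the target protocol."""
    if stream.dst_port != sig.dst_port:
        return False
    return sig.content in stream.data[sig.offset:]


# Hypothetical minimal HTTP preprocessor: validate the request line, then split
# the stream into protocol functions (method, URI, headers, body).
HTTP_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def http_preprocess(stream: Stream) -> Optional[Dict[str, object]]:
    """Return parsed HTTP fields, or None when the stream is not HTTP at all."""
    m = HTTP_REQUEST_LINE.match(stream.data)
    if m is None:
        return None
    head, _, body = stream.data.partition(b"\r\n\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "uri": m.group(2), "headers": headers, "body": body}


@dataclass
class HttpSignature:
    """Signature scoped to one HTTP field instead of the whole stream."""
    sid: int
    field: str        # "uri", "body" or a header name
    content: bytes


def preprocessor_match(sig: HttpSignature, stream: Stream) -> bool:
    """No valid HTTP, no evaluation; otherwise search only the named field."""
    parsed = http_preprocess(stream)   # protocol is validated, not assumed from the port
    if parsed is None:
        return False
    if sig.field in ("uri", "body"):
        haystack = parsed[sig.field]
    else:
        haystack = parsed["headers"].get(sig.field.lower().encode(), b"")
    return sig.content in haystack


def nop_sled_present(data: bytes, min_run: int = 16) -> bool:
    """The 'shellcode x86 0x90 noop' class of signature: a run of NOP bytes."""
    return b"\x90" * min_run in data


# Hypothetical rules: a directory-traversal pattern expected in the request URI.
SIMPLE_RULE = SimpleSignature(sid=1000001, dst_port=80, offset=0, content=b"../..")
HTTP_RULE = HttpSignature(sid=1000001, field="uri", content=b"../..")

# Constructed sample streams (not captured traffic).
SAMPLES: Dict[str, Stream] = {
    # A real traversal attempt: both signature styles fire.
    "traversal_in_uri": Stream(80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n"),
    # Non-HTTP data on port 80: the simple rule fires on the same byte sequence,
    # the preprocessor rejects the stream because it is not HTTP.
    "non_http_on_80": Stream(80, b"\x00\x1bSYNC dir ../../shared\x00"),
    # HTTP with the pattern in the body, not the URI: only the simple rule fires.
    "pattern_in_body": Stream(80, b"POST /notes HTTP/1.1\r\nHost: x\r\n\r\nsee ../../docs"),
    # The same traversal on a port the simple rule does not cover.
    "traversal_on_8080": Stream(8080, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
}

# A constructed 'image' payload: a run of 0x90 bytes that is not code at all.
HARMLESS_BLOB = b"\xff\xd8\xff\xe0" + b"\x90" * 32 + b"\xff\xd9"


def evaluate(streams: Dict[str, Stream]) -> Dict[str, Tuple[bool, bool]]:
    """Map each stream name to (simple_signature_hit, preprocessor_signature_hit)."""
    return {name: (simple_match(SIMPLE_RULE, s), preprocessor_match(HTTP_RULE, s))
            for name, s in streams.items()}
```

Running `evaluate(SAMPLES)` shows the simple rule firing on three of the four streams while the field-scoped rule fires only where the traversal really sits in a validated HTTP URI, and `nop_sled_present(HARMLESS_BLOB)` shows why a NOP-sled hit alone needs the LibEMU check.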
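The two correlation patterns described under CORRELATION, CROSS CORRELATION, together with the "All events from this host" pivot from the analysis section, as an added Python example that is not OSSIM's correlation engine: the addresses, SIDs, asset inventory, time window and event layout are all constructed for the illustration.

```python
"""Correlating IDS events with host logs and asset state.

Added illustration, not OSSIM code. Pattern 1 (sequence): an IDS exploit
detection followed within a short window by the victim's own log reporting a
new administrative account -> "successful attack". Pattern 2 (cross
correlation): an IDS detection against a host whose inventory says it runs
the targeted service -> alarm immediately. All values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Event:
    """Simplified normalized SIEM event."""
    ts: int          # seconds; constructed values below
    src: str
    dst: str
    plugin: str      # "ids" (detector) or "hostlog" (host-side log): data source stand-ins
    sid: str         # message SID within that plugin (hypothetical values)
    msg: str


@dataclass
class Alarm:
    kind: str
    src: str
    dst: str
    evidence: List[Event] = field(default_factory=list)


KIND_SEQUENCE = "successful attack"
KIND_STATE = "attack against a host running the targeted service"
ADMIN_ADDED = "hostlog:admin_user_added"

# Hypothetical asset inventory (the state/monitor side of cross-correlation).
ASSETS: Dict[str, Set[str]] = {"10.0.0.5": {"smb", "rdp"}, "10.0.0.9": {"http"}}
# Hypothetical mapping from IDS SID to the service the signature attacks.
SID_TARGET_SERVICE: Dict[str, str] = {"ids:2466": "smb", "ids:1000001": "http"}


def events_between(events: List[Event], a: str, b: str) -> List[Event]:
    """The 'All events from this host' pivot: every event between two hosts,
    including each host's own log events, in time order."""
    pair = {a, b}
    return sorted((e for e in events if {e.src, e.dst} <= pair), key=lambda e: e.ts)


def correlate(events: List[Event], window: int = 120) -> List[Alarm]:
    """Run both correlation patterns over a normalized event list."""
    alarms: List[Alarm] = []
    for ids in (e for e in events if e.plugin == "ids"):
        # Pattern 2: the detection only matters if the target actually runs
        # what the signature attacks.
        service = SID_TARGET_SERVICE.get(ids.sid)
        if service is not None and service in ASSETS.get(ids.dst, set()):
            alarms.append(Alarm(KIND_STATE, ids.src, ids.dst, [ids]))
        # Pattern 1: look only at the victim's own host log, and only in the
        # window after the attack attempt (never before it).
        for host in events:
            if (host.plugin == "hostlog" and host.src == ids.dst
                    and host.sid == ADMIN_ADDED
                    and 0 <= host.ts - ids.ts <= window):
                alarms.append(Alarm(KIND_SEQUENCE, ids.src, ids.dst, [ids, host]))
    return alarms


# Constructed events (not real captures). Host log events carry the host as
# both source and destination.
SMB_MSG = "exploit netbios smb-ds ipc$ unicode share access"
EVENTS: List[Event] = [
    Event(1000, "203.0.113.7", "10.0.0.5", "ids", "ids:2466", SMB_MSG),
    Event(1045, "10.0.0.5", "10.0.0.5", "hostlog", ADMIN_ADDED, "new local administrator created"),
    # Same signature against a host that does not run SMB: state check fails.
    Event(2000, "203.0.113.7", "10.0.0.9", "ids", "ids:2466", SMB_MSG),
    # Routine admin creation with no preceding IDS event: no alarm.
    Event(3000, "10.0.0.9", "10.0.0.9", "hostlog", ADMIN_ADDED, "new local administrator created"),
    # Attack on an SMB host, but the account creation falls outside the window.
    Event(5000, "198.51.100.2", "10.0.0.5", "ids", "ids:2466", SMB_MSG),
    Event(5400, "10.0.0.5", "10.0.0.5", "hostlog", ADMIN_ADDED, "new local administrator created"),
]


def summarize(alarms: List[Alarm]) -> List[tuple]:
    """(kind, attacker, victim, number of evidence events) per alarm."""
    return [(a.kind, a.src, a.dst, len(a.evidence)) for a in alarms]
```

With the default 120-second window the sample yields two state alarms and one sequence alarm; widening the window to 600 seconds also turns the late account creation on 10.0.0.5 into a second "successful attack", which is the trade-off an analyst tunes when writing such a directive.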
More informationCentre for the Protection of National Infrastructure Effective Log Management
Centre for the Protection of National Infrastructure Effective Log Management Tom Goldsmith, 2nd April 2014 response@contextis.com Effective Log Management / Contents Contents 1 Executive Summary 5 2 About
More informationIntrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool
Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool Mukta Garg Assistant Professor, Advanced Educational Institutions, Palwal Abstract Today s society
More informationIP Filter/Firewall Setup
IP Filter/Firewall Setup Introduction The IP Filter/Firewall function helps protect your local network against attack from outside. It also provides a method of restricting users on the local network from
More informationRAVEN, Network Security and Health for the Enterprise
RAVEN, Network Security and Health for the Enterprise The Promia RAVEN is a hardened Security Information and Event Management (SIEM) solution further providing network health, and interactive visualizations
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
More informationDeployment of Snort IDS in SIP based VoIP environments
Deployment of Snort IDS in SIP based VoIP environments Jiří Markl, Jaroslav Dočkal Jaroslav.Dockal@unob.cz K-209 Univerzita obrany Kounicova 65, 612 00 Brno Czech Republic Abstract This paper describes
More informationUser Management Guide
AlienVault Unified Security Management (USM) 4.x-5.x User Management Guide USM v4.x-5.x User Management Guide, rev 1 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,
More informationLinux Network Security
Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols
More informationNetwork Security Monitoring: Looking Beyond the Network
1 Network Security Monitoring: Looking Beyond the Network Ian R. J. Burke: GCIH, GCFA, EC/SA, CEH, LPT iburke@headwallsecurity.com iburke@middlebury.edu February 8, 2011 2 Abstract Network security monitoring
More informationDynamic Rule Based Traffic Analysis in NIDS
International Journal of Information & Computation Technology. ISSN 0974-2239 Volume 4, Number 14 (2014), pp. 1429-1436 International Research Publications House http://www. irphouse.com Dynamic Rule Based
More informationCOORDINATED THREAT CONTROL
APPLICATION NOTE COORDINATED THREAT CONTROL Interoperability of Juniper Networks IDP Series Intrusion Detection and Prevention Appliances and SA Series SSL VPN Appliances Copyright 2010, Juniper Networks,
More informationNetwork- vs. Host-based Intrusion Detection
Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477
More informationThe Value of QRadar QFlow and QRadar VFlow for Security Intelligence
BROCHURE The Value of QRadar QFlow and QRadar VFlow for Security Intelligence As the security threats facing organizations have grown exponentially, the need for greater visibility into network activity
More informationSecond-generation (GenII) honeypots
Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationCisco RSA Announcement Update
Cisco RSA Announcement Update May 7, 2009 Presented by: WWT and Cisco Agenda Cisco RSA Conference Announcements Collaborate with Confidence Overview Cisco s Security Technology Differentiation Review of
More informationIntruPro TM IPS. Inline Intrusion Prevention. White Paper
IntruPro TM IPS Inline Intrusion Prevention White Paper White Paper Inline Intrusion Prevention Introduction Enterprises are increasingly looking at tools that detect network security breaches and alert
More informationSOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013
SOUTHERN POLYTECHNIC STATE UNIVERSITY Snort and Wireshark IT-6873 Lab Manual Exercises Lucas Varner and Trevor Lewis Fall 2013 This document contains instruction manuals for using the tools Wireshark and
More information1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?
Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against
More informationFirewalls, Tunnels, and Network Intrusion Detection. Firewalls
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
More informationNetworking for Caribbean Development
Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n
More information2010 White Paper Series. Layer 7 Application Firewalls
2010 White Paper Series Layer 7 Application Firewalls Introduction The firewall, the first line of defense in many network security plans, has existed for decades. The purpose of the firewall is straightforward;
More informationFirst Line of Defense to Protect Critical Infrastructure
RFI SUBMISSION First Line of Defense to Protect Critical Infrastructure Developing a Framework to Improve Critical Infrastructure Cybersecurity Response to NIST Docket # 130208119-3119-01 Document # 2013-044B
More informationFIREWALLS & CBAC. philip.heimer@hh.se
FIREWALLS & CBAC philip.heimer@hh.se Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that
More informationConfiguring Virtual Switches for Use with PVS. February 7, 2014 (Revision 1)
Configuring Virtual Switches for Use with PVS February 7, 2014 (Revision 1) Table of Contents Introduction... 3 Basic PVS VM Configuration... 3 Platforms... 3 VMware ESXi 5.5... 3 Configure the ESX Management
More informationPassive Logging. Intrusion Detection System (IDS): Software that automates this process
Passive Logging Intrusion Detection: Monitor events, analyze for signs of incidents Look for violations or imminent violations of security policies accepted use policies standard security practices Intrusion
More informationComprehensive Advanced Threat Defense
1 Comprehensive Advanced Threat Defense June 2014 PAGE 1 PAGE 1 1 INTRODUCTION The hot topic in the information security industry these days is Advanced Threat Defense (ATD). There are many definitions,
More informationHoneyBOT User Guide A Windows based honeypot solution
HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3
More informationHow To Protect Your Network From Attack From A Hacker On A University Server
Network Security: A New Perspective NIKSUN Inc. Security: State of the Industry Case Study: Hacker University Questions Dave Supinski VP of Regional Sales Supinski@niksun.com Cell Phone 215-292-4473 www.niksun.com
More informationHow To Protect A Dns Authority Server From A Flood Attack
the Availability Digest @availabilitydig Surviving DNS DDoS Attacks November 2013 DDoS attacks are on the rise. A DDoS attack launches a massive amount of traffic to a website to overwhelm it to the point
More informationClassic IOS Firewall using CBACs. 2012 Cisco and/or its affiliates. All rights reserved. 1
Classic IOS Firewall using CBACs 2012 Cisco and/or its affiliates. All rights reserved. 1 Although CBAC serves as a good foundation for understanding the revolutionary path toward modern zone based firewalls,
More informationConfiguring Snort as a Firewall on Windows 7 Environment
Configuring Snort as a Firewall on Windo Environment Moath Hashim Alsafasfeh a, Abdel Ilah Noor Alshbatat b a National university of Malaysia UKM, Selengor, Malaysia. b Tafila Technical University, Electrical
More informationSURVEY OF INTRUSION DETECTION SYSTEM
SURVEY OF INTRUSION DETECTION SYSTEM PRAJAPATI VAIBHAVI S. SHARMA DIPIKA V. ASST. PROF. ASST. PROF. MANISH INSTITUTE OF COMPUTER STUDIES MANISH INSTITUTE OF COMPUTER STUDIES VISNAGAR VISNAGAR GUJARAT GUJARAT
More informationNetwork Instruments white paper
Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features
More informationO S S I M. Open Source Security Information Manager. User Manual
O S S I M Open Source Security Information Manager User Manual Created by Kevin Milne (www.z4ck.org) Contributions by OSSIM Staff 2 nd September 2004 Index Introduction 3 1 Logging in 5 1.1 The Metrics
More informationSecurity Intelligence in Action: SANS Review of McAfee Enterprise Security Manager (ESM) 9.2
Sponsored by McAfee Security Intelligence in Action: SANS Review of McAfee Enterprise Security Manager (ESM) 9.2 May 2013 A SANS Whitepaper Written by Dave Shackleford The ESM Interface Page 2 Rapid Event
More informationConfiguring Snort as a Firewall on Windows 7 Environment
Journal of Ubiquitous Systems & Pervasive Networks Volume 3, No. 2 (2011) pp. 3- Configuring Snort as a Firewall on Windo Environment Moath Hashim Alsafasfeh a, Abdel Ilah Noor Alshbatat b a National University
More informationMissing the Obvious: Network Security Monitoring for ICS
Missing the Obvious: Network Security Monitoring for ICS If ICS are so vulnerable, why haven t we seen more attacks? We aren t looking! Two Key Reasons Intent Visibility Intent Why are targeted attacks
More informationSecurity Advisory. Some IPS systems can be easily fingerprinted using simple techniques.
Some IPS systems can be easily fingered using simple techniques. The unintentional disclosure of which security devices are deployed within your defences could put your network at significant risk. Security
More informationCisco IPS Tuning Overview
Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.
More informationNetwork Security Monitoring
Network Security Monitoring Network Startup Resource Center www.nsrc.org These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)
More informationThe Importance of Cybersecurity Monitoring for Utilities
The Importance of Cybersecurity Monitoring for Utilities www.n-dimension.com Cybersecurity threats against energy companies, including utilities, have been increasing at an alarming rate. A comprehensive
More information