Intrusion Detection in AlienVault

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Intrusion Detection in AlienVault"

Transcription

1 Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved.

2 AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM and OSSIM are trademarks or service marks of AlienVault.

3 CONTENTS 1. INTRODUCTION OVERVIEW ALIENVAULT SENSORS AND NETWORK VISIBILITY PACKET ANALYSIS, SIGNATURE MATCHING AND FALSE POSITIVES SIMPLE SIGNATURES PREPROCESSORS INTRUSION DETECTION WITHIN OSSIM Feeds SIEM Events Correlation, Cross Correlation Suricata SIEM Events in OSSIM Suricata Data Source Plugins in OSSIM Suricata Message SIDS in OSSIM Unified IDS and SIEM Capabilities Analyzing IDS Events IDS is not antivirus Analyzing IDS Events LibEmu Code Disassembly DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 3 of 16

4 1. INTRODUCTION AlienVault includes a Network Intrusion Detection system on the Sensor. This document introduces the feature set and usage of the NIDS system for Analysts. 2. OVERVIEW AlienVault s open source advantage means we can include all the essential security controls into a single single: perhaps no other control is as identifiable with modern security operations as the Network Intrusion Detection system. Network IDS started to become an established part of security detection and investigation in the late 1990 s and since then has proved itself as an essential go-to tool for security analysts a Network IDS system positioned correctly, can grant visibility into a wide range of security issues, without the reliance on the systems being correctly configured to log information properly, run endpoint controls or any number of machine-dependent security considerations. NIDS have their limitations in return, however, they can only see activity that transpires over the network, not within the hosts on it so while a network IDS may see an attack attempt against a system, it is not always possible for it to make a determination as to whether that attack was successful or not. By combining the information form a Network IDS, with the system-side logs in the SIEM, AlienVault can present the complete picture of activity relevant to security defenses to the analysts. The following is an overview of NIDS configuration and usage within AlienVault. 3. ALIENVAULT SENSORS AND NETWORK VISIBILITY The AlienVault Sensor component is responsible for all functions involving the monitoring of network traffic. A typical sensor should be configured at least with two network interfaces (but it is normal to be configured with more): an administrative interface, configured with an IP address and reachable from the network; and a monitor interface. This interface will often have no configured address and is unreachable from the network, instead being connected to a Spanning or Mirror port on a network switch, that copies all other traffic travelling through the switch to a single port, to allow those packets to be captured and analyzed. For the NIDS Component of AlienVault to function this configuration is essential, without it the NIDS will only be able to monitor traffic going to the AlienVault machine itself. DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 4 of 16

5 Figure 1. NIDS Component of AlienVault configuration 4. PACKET ANALYSIS, SIGNATURE MATCHING AND FALSE POSITIVES While there have been many variations of the underlying technology to implement Network Intrusion Detection, signature-based detection remains the most reliable and easiest method to interpret. Different IDS systems use different signature detection methods, but in general they will all examine the following things: IP addresses: Is the source of the traffic internal or external? Does it come from a host that is known to run a particular service (e.g. DNS) or not? Transport Protocol: TCP, UDP, IGMCP, ICMP? Ports and Services: what TCP/UDP port is being connected to? Is the client-side port from a low (<1024) port? TCP Flags: Is this a new connection, or an established stream? Protocol Headers: what settings are configured in the application-layer protocol being used? Protocol Data: what is being sent over the application layer protocol? The core of a Network Intrusion Detection system is a packet capture and stream reassembly individual packets are captured from the network, and then re-assembled into a complete streams (all the data sent back and forth between source and destination. The contents of DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 5 of 16

6 these streams are then run through filters that search for particular patterns of data in certain locations (taking into account how the application layer protocol itself is written). 5. SIMPLE SIGNATURES Simple signatures must take into account how the protocol itself is written, for example, an application protocol may use the first 27 bytes of the stream as the protocol header, with the data following after that. A signature that looks for a particular pattern in the protocol data must know to ignore the first 27 bytes of any stream, when looking for a match for that attack signature. This makes the assumption that the data being analyzed is actually the protocol the signature is written for an HTTP exploit signature will be looking for traffic over TCP Port 80 but will still analyze data from any application protocol, so long as it is transmitted over TCP Port 80 resulting in the possibility of signature hits from the same sequence of bytes being captured, in a completely harmless data stream. Similarly, different versions of application protocols can exist signatures may match on data that is harmful in a particular version of a protocol, but completely innocent without a different version. As a rule, simple signatures should be taken as an informed best guess about the presence of attacks in network traffic although the range of accuracy between individual signatures can vary greatly. 6. PREPROCESSORS Protocol Preprocessors add an additional layer of intelligence to IDS systems they preprocess streams to validate that a particular application protocol is in use, and separate out the contents of the data stream into separate blocks of data that represent functions of the protocol itself. This allows a much more fine-grained analysis of traffic contents to be performed, within the context of what is actually happening although a simple signature may be limited to searching for a particular sequence of data within the whole datastream, or within a certain DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 6 of 16

7 byte position in the data, preprocessors can look for malicious data only within the functions of the protocol that are vulnerable to that attack. When correctly written, signatures that use pre-processors can be highly accurate in making detections of real attack data coming over the network. 7. INTRUSION DETECTION WITHIN OSSIM The intrusion detection engine that currently ships with OSSIM is the Suricata open source intrusion detection engine. Suricata is an established standard in IDS, and uses the same format and language for attack signatures that Snort (another IDS) uses. Snort is a reference standard amongst other IDS engines. There are many engines that import Snort signatures alongside their own. When new exploits are discovered, information about how to detect them is usually first shared amongst the security community using these signatures. Since new attacks are created almost every day now, IDS signatures are published via feeds of new and updated signatures. It is possible to configure Snort instead of Suricata in OSSIM through the Web Interface: 1. Choose Configuration > Deployment > Components > AlienVault Center. 2. Click on the node name. 3. Click on Sensor Configuration link. 4. Click on Collection link. DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 7 of 16

8 Figure 2. Enabling Data Source Plugins This table displays 2 columns. The left column shows plugins that are enabled and the right column shows plugins that are available to be enabled. 5. To pass Snort from the right column to the left, look for it and drag and drop it or use the link [+] which are next to Snort. It will pass to the left column. To pass Suricata to the right column, look for it and drag and drop it or use the link [-]. It is not possible to have enabled Suricata and Snort at the same time FEEDS There is a primary feed of signatures distributed with Suricata, populated with well-tested signatures for recognizing attacks the signatures in this feed can be assumed to have a reasonably high degree of detection accuracy (or at least as accurate as is possible, given the nature of the attack). A secondary feed, of Emerging Threats, is also available for use in Suricata these signatures are written for the newest attacks known in the security research community however, this newness means that these signatures have not received the same amount of testing and validation as the primary feed, and may generate false positives more DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 8 of 16

9 often. Eventually the signatures in Emerging Threats will make their way into the standard feed after sufficient testing and feedback from usage in the field. Both of these feeds are available within OSSIM SIEM EVENTS Signature hits from the Suricata IDS system distributed in OSSIM, generate SIEM events, just like log events from system logs: they are normalized into source and destination, protocol, etc., and can be searched and pivoted on just as with any regular SIEM event. Just as with any log-based decide, the IDS information is consumed into the SIEM via Data Sources Plugins (and ID s), and message SIDs for each event type. The Preprocessors in particular, get their own Data Source ID s, simple signatures get another, each signature gets a unique SID, and SIDs are mapped to OSSIM Taxonomy from their Suricata Taxonomy CORRELATION, CROSS CORRELATION Just as how log correlation can be used to identify particular sequences of log events from devices, the events from IDS can be factored into those sequences too. This comparison between network-level and host-level events can perform some of the initial validation that would normally be performed by an analyst manually during security analysis. E.g. an IDS system will show an attack attempt, but often has no way to validate that it has been successful. A host s logs may show a new administrative user being added, but has no way to determine if this has been done maliciously. Yet the sequence of an IDS attack detection, followed almost immediately by the creation of an admin account, is an event that shouts successful attack quite clearly. Similarly, the cross - device correlation between an event (detector) and state (monitor) plugin is just as straightforward. Attacks against hosts known to have that service or vulnerability present can be correlated into alarms immediately SURICATA SIEM EVENTS IN OSSIM Choose Analysis > Security Events (SIEM). Then Select Snort on Data Sources field: DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 9 of 16

10 Figure 3. Suricata SIEM Events 7.5. SURICATA DATA SOURCE PLUGINS IN OSSIM Choose Configuration > Threat Intelligence > Data Source : DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 10 of 16

11 Figure 4. Suricata Data Source Plugins 7.6. SURICATA MESSAGE SIDS IN OSSIM Choose Configuration > Threat Intelligence > Data Source and double click on a line: DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 11 of 16

12 Figure 5. Suricata Message SIDS in OSSIM 7.7. UNIFIED IDS AND SIEM CAPABILITIES While any SIEM can accept IDS logs in the form of syslog messages, there is more to an IDS signature match than merely the information about the hosts involved, the network connection and the name of the signature involved. Proper investigation requires analysis of the data that was matched by the signature. IDS Signatures are an indicator of an attack, not an infallible identifier of attacks analysts must examine the traffic that triggered the signature and validate malicious intent before proceeding with any further investigation. With traditional IDS to SIEM setup, this often requires logging into the IDS management interface to cross-reference and locate the event in the SIEM, with the event (complete with all details) in the IDS. Since OSSIM includes the IDS on the same system as the SIEM however, this extended information is directly available from the SIEM UI itself: clicking on an IDS event in the SIEM will bring up the extended details page complete with packet capture breakdown and a payload. Choose Analysis > Security Events (SIEM) : DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 12 of 16

13 Figure 6. Extended details of an IDS event Events and Signatures in OSSIM can have external references attached to them, especially important in the case of IDS signatures where analysis is entirely dependent upon knowledge of the methods involved in the attack method the signature is indicating. The signature reference links to the side of every IDS event will open a new browser window and load one of several authoritative references on the vulnerabilities and exploit methods relevant to the IDS signature in question. Clicking on the event (signature) name it will bring up the event details page as normal for any event, but with an additional details panel, specific to IDS events: DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 13 of 16

14 Figure 7. Event details of an IDS event There are a great many additional open-source tools out there that consume packet data for further analysis, however, and we include a link to download a. pap file containing the matching packet data for use in those external tools ANALYZING IDS EVENTS IDS IS NOT ANTIVIRUS One of the most common issues junior analysts encounter when responding to IDS alerts, is the One Signature, One Attack fallacy real world attacks may trigger several signatures, none of which references the attack by name. Complete attacks operate via several stages exploitation of a vulnerability, delivery of a payload and reconfiguration of the victim host to allow the attacker persistent access to the system each of which will trigger a different class of IDS signature. The All events from this host option (right-click on a hostname in the event list window) from any IDS event listed in SIEM, will search for all other SIEM events between the source and destination host this should often be the starting point for investigation of any IDS alert, to get a bigger picture of the activity between these systems (especially other IDS alerts that have triggered between them). Many signatures in particular are generic indicators of exploitation methods, and signify very little by themselves. A list of the signatures most commonly encountered by successful details of compromised machines lists these signatures as having the highest rate of successful detection. DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 14 of 16

15 Detects SID Author Phase Description 27% 22466:7 snort inbound exploit netbios smb-ds ipc$ unicode share access 26% :10 snort inbound policy reserved ip space traffic - bogon nets 2 19% :1 snort inbound exploit shellcode x86 0x90 unicode noop Yet none of these signatures by themselves demonstrates an actual attack, and in isolation, indicate either a false positive or normal network activity. It is recommended to check if the AlienVault correlation system has generated some alarm. The event correlation is a valuable capability that saves time to Analysts ANALYZING IDS EVENTS LIBEMU CODE DISASSEMBLY With a few notable exceptions (such as SQL Injection), almost all software exploitation is performed using compiled code, this compiled code is then converted to a format suitable for transmission over network protocols (that normally would not transfer executable code) via a format dubbed ShellCode. Shellcode detection is a reliable indicator of malicious software, has a high rate of false positive when an IDS examines all transmitted data across the network (a sequence of bytes that may be shellcode, may also just be part of an otherwise harmless image file for example). To assist in the identification of actual shellcode payloads in IDS alerts, OSSIM includes the LibEMU disassembly library, which will attempt to de-compile any data detected as being shellcode, back into human-readable source code. DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 15 of 16

16 When an IDS signature payload is detected as containing Shellcode, LibEMU will be run against it and attempt to provide a disassembly of the code back into X86 assembly language. Success disassembly will generate call graphs (example above) that demonstrate the activities of the code in question. (Interpreting this disassembly is, however, outside of the scope of this introductory document). The presence of a successful disassembly is an extremely strong indicator of actual exploit code being the cause of the IDS signature hit. The message The Shellcode couldn t be analyzed is strong evidence of a false positive (or at least, shellcode for an unsupported CPU architecture). DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 16 of 16

AlienVault Unified Security Management Solution Complete. Simple. Affordable Life Cycle of a log

AlienVault Unified Security Management Solution Complete. Simple. Affordable Life Cycle of a log Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat

More information

Suricata IDS. What is it and how to enable it

Suricata IDS. What is it and how to enable it Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat

More information

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals AlienVault Unified Security Management (USM) 5.x Policy Management Fundamentals USM 5.x Policy Management Fundamentals Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

Assets, Groups & Networks

Assets, Groups & Networks Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat

More information

Module 1: Overview. Module 2: AlienVault USM Solution Deployment. Module 3: AlienVault USM Basic Configuration

Module 1: Overview. Module 2: AlienVault USM Solution Deployment. Module 3: AlienVault USM Basic Configuration Module 1: Overview This module provides an overview of the AlienVault Unified Security Management (USM) solution. Upon completing this module, you will meet these objectives: Describe the goal of network

More information

Monitoring VMware ESX Virtual Switches

Monitoring VMware ESX Virtual Switches Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat

More information

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide AlienVault Unified Security Management (USM) 4.x-5.x Deployment Planning Guide USM 4.x-5.x Deployment Planning Guide, rev. 1 Copyright AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

The SIEM Evaluator s Guide

The SIEM Evaluator s Guide Using SIEM for Compliance, Threat Management, & Incident Response Security information and event management (SIEM) tools are designed to collect, store, analyze, and report on log data for threat detection,

More information

Deploying HIDS Client to Windows Hosts

Deploying HIDS Client to Windows Hosts Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat

More information

How to send emails triggered by events

How to send emails triggered by events Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat

More information

Device Integration: CyberGuard SG565

Device Integration: CyberGuard SG565 Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat

More information

Module 2: AlienVault USM Basic Configuration and Verifying Operations

Module 2: AlienVault USM Basic Configuration and Verifying Operations Course Introduction Module 1: Overview The Course Introduction provides learners with the course objectives and prerequisite learner skills and knowledge. The Course Introduction presents the course flow

More information

Netflow Collection with AlienVault Alienvault 2013

Netflow Collection with AlienVault Alienvault 2013 Netflow Collection with AlienVault Alienvault 2013 CONFIGURE Configuring NetFlow Capture of TCP/IP Traffic from an AlienVault Sensor or Remote Hardware Level: Beginner to Intermediate Netflow Collection

More information

Device Integration: Citrix NetScaler

Device Integration: Citrix NetScaler Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat

More information

AlienVault. Unified Security Management 5.x Configuration Backup and Restore

AlienVault. Unified Security Management 5.x Configuration Backup and Restore AlienVault Unified Security Management 5.x Configuration Backup and Restore USM 5.x Configuration Backup and Restore Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

AlienVault. Unified Security Management (USM) 5.1 Running the Getting Started Wizard

AlienVault. Unified Security Management (USM) 5.1 Running the Getting Started Wizard AlienVault Unified Security Management (USM) 5.1 Running the Getting Started Wizard USM v5.1 Running the Getting Started Wizard, rev. 2 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault

More information

Snort Installation - Ubuntu FEUP. SSI - ProDEI-2010. Paulo Neto and Rui Chilro. December 7, 2010

Snort Installation - Ubuntu FEUP. SSI - ProDEI-2010. Paulo Neto and Rui Chilro. December 7, 2010 December 7, 2010 Work Proposal The purpose of this work is: Explain a basic IDS Architecture and Topology Explain a more advanced IDS solution Install SNORT on the FEUP Ubuntu distribution and test some

More information

AlienVault Unified Security Management (USM) 4.x-5.x. Deploying HIDS Agents to Linux Hosts

AlienVault Unified Security Management (USM) 4.x-5.x. Deploying HIDS Agents to Linux Hosts AlienVault Unified Security Management (USM) 4.x-5.x Deploying HIDS Agents to Linux Hosts USM 4.x-5.x Deploying HIDS Agents to Linux Hosts, rev. 2 Copyright 2015 AlienVault, Inc. All rights reserved. AlienVault,

More information

International Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849

International Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849 WINDOWS-BASED APPLICATION AWARE NETWORK INTERCEPTOR Ms. Shalvi Dave [1], Mr. Jimit Mahadevia [2], Prof. Bhushan Trivedi [3] [1] Asst.Prof., MCA Department, IITE, Ahmedabad, INDIA [2] Chief Architect, Elitecore

More information

WHAT IS LOG CORRELATION? Understanding the most powerful feature of SIEM WWW.ALIENVAULT.COM

WHAT IS LOG CORRELATION? Understanding the most powerful feature of SIEM WWW.ALIENVAULT.COM WHAT IS LOG CORRELATION? Understanding the most powerful feature of SIEM WWW.ALIENVAULT.COM IT S ALWAYS IN THE LOGS. 84% of Organizations that had their security breached in 2011, had evidence of the breach

More information

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for Intrusion Detection Intrusion Detection Security Intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts

More information

How to configure High Availability (HA) in AlienVault USM (for versions 4.14 and prior)

How to configure High Availability (HA) in AlienVault USM (for versions 4.14 and prior) Complete. Simple. Affordable How to configure High Availability (HA) in AlienVault USM Copyright 2015 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM,

More information

Device Integration: Cisco Wireless LAN Controller (WLC)

Device Integration: Cisco Wireless LAN Controller (WLC) Complete. Simple. Affordable Device Integration: Cisco Wireless LAN Controller (WLC) Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM,

More information

Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

More information

Introducing IBM s Advanced Threat Protection Platform

Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Extensible Approach to Threat Prevention Paul Kaspian Senior Product Marketing Manager IBM Security Systems 1 IBM NDA 2012 Only IBM

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Device Integration: Checkpoint Firewall-1

Device Integration: Checkpoint Firewall-1 Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat

More information

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN flooding: attacker

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of

More information

IDS / IPS. James E. Thiel S.W.A.T.

IDS / IPS. James E. Thiel S.W.A.T. IDS / IPS An introduction to intrusion detection and intrusion prevention systems James E. Thiel January 14, 2005 S.W.A.T. Drexel University Overview Intrusion Detection Purpose Types Detection Methods

More information

Unified Security Management (USM) 5.2 Vulnerability Assessment Guide

Unified Security Management (USM) 5.2 Vulnerability Assessment Guide AlienVault Unified Security Management (USM) 5.2 Vulnerability Assessment Guide USM 5.2 Vulnerability Assessment Guide, rev 1 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

AlienVault. Unified Security Management 5.x Configuring a VPN Environment

AlienVault. Unified Security Management 5.x Configuring a VPN Environment AlienVault Unified Security Management 5.x Configuring a VPN Environment USM 5.x Configuring a VPN Environment, rev. 3 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

Managing Latency in IPS Networks

Managing Latency in IPS Networks Application Note Revision B McAfee Network Security Platform Managing Latency in IPS Networks Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended

More information

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com Intrusion Detection & SNORT Fakrul Alam fakrul@bdhbu.com Sometimes, Defenses Fail Our defenses aren t perfect Patches weren t applied promptly enough Antivirus signatures not up to date 0- days get through

More information

About Firewall Protection

About Firewall Protection 1. This guide describes how to configure basic firewall rules in the UTM to protect your network. The firewall then can provide secure, encrypted communications between your local network and a remote

More information

Unified Security Management and Open Threat Exchange

Unified Security Management and Open Threat Exchange 13/09/2014 Unified Security Management and Open Threat Exchange RICHARD KIRK SENIOR VICE PRESIDENT 11 SEPTEMBER 2014 Agenda! A quick intro to AlienVault Unified Security Management (USM)! Overview of the

More information

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan An Open Source IPS IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan Introduction IPS or Intrusion Prevention System Uses a NIDS or Network Intrusion Detection System Includes

More information

IP Filter/Firewall Setup

IP Filter/Firewall Setup IP Filter/Firewall Setup Introduction The IP Filter/Firewall function helps protect your local network against attack from outside. It also provides a method of restricting users on the local network from

More information

On-Premises DDoS Mitigation for the Enterprise

On-Premises DDoS Mitigation for the Enterprise On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has

More information

Lesson 5: Network perimeter security

Lesson 5: Network perimeter security Lesson 5: Network perimeter security Alejandro Ramos Fraile aramosf@sia.es Tiger Team Manager (SIA company) Security Consulting (CISSP, CISA) Perimeter Security The architecture and elements that provide

More information

AlienVault Unified Security Management (USM) 4.15-5.x. Configuring High Availability (HA)

AlienVault Unified Security Management (USM) 4.15-5.x. Configuring High Availability (HA) AlienVault Unified Security Management (USM) 4.15-5.x Configuring High Availability (HA) USM v4.15-5.x Configuring High Availability (HA), rev 1 Copyright 2015 AlienVault, Inc. All rights reserved. The

More information

Intrusion Detections Systems

Intrusion Detections Systems Intrusion Detections Systems 2009-03-04 Secure Computer Systems Poia Samoudi Asli Davor Sutic Contents Intrusion Detections Systems... 1 Contents... 2 Abstract... 2 Introduction... 3 IDS importance...

More information

RAVEN, Network Security and Health for the Enterprise

RAVEN, Network Security and Health for the Enterprise RAVEN, Network Security and Health for the Enterprise The Promia RAVEN is a hardened Security Information and Event Management (SIEM) solution further providing network health, and interactive visualizations

More information

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Passive Logging. Intrusion Detection System (IDS): Software that automates this process Passive Logging Intrusion Detection: Monitor events, analyze for signs of incidents Look for violations or imminent violations of security policies accepted use policies standard security practices Intrusion

More information

Course Title: Penetration Testing: Security Analysis

Course Title: Penetration Testing: Security Analysis Course Title: Penetration Testing: Security Analysis Page 1 of 9 Course Description: The Security Analyst Series from EC-Council Press is comprised of five books covering a broad base of topics in advanced

More information

Peeling Back the Layers of the Network Security with Security Onion Gary Smith, Pacific Northwest National Laboratory

Peeling Back the Layers of the Network Security with Security Onion Gary Smith, Pacific Northwest National Laboratory Peeling Back the Layers of the Network Security with Security Onion Gary Smith, Pacific Northwest National Laboratory A Little Context! The Five Golden Principles of Security! Know your system! Principle

More information

Exercise 7 Network Forensics

Exercise 7 Network Forensics Exercise 7 Network Forensics What Will You Learn? The network forensics exercise is aimed at introducing you to the post-mortem analysis of pcap file dumps and Cisco netflow logs. In particular you will:

More information

Intro to Firewalls. Summary

Intro to Firewalls. Summary Topic 3: Lesson 2 Intro to Firewalls Summary Basic questions What is a firewall? What can a firewall do? What is packet filtering? What is proxying? What is stateful packet filtering? Compare network layer

More information

CSCI 4250/6250 Fall 2015 Computer and Networks Security

CSCI 4250/6250 Fall 2015 Computer and Networks Security CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6 Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP

More information

SIEM FOR BEGINNERS EVERYTHING YOU WANTED TO KNOW ABOUT LOG MANAGEMENT BUT WERE AFRAID TO ASK. www.alienvault.com

SIEM FOR BEGINNERS EVERYTHING YOU WANTED TO KNOW ABOUT LOG MANAGEMENT BUT WERE AFRAID TO ASK. www.alienvault.com SIEM FOR BEGINNERS EVERYTHING YOU WANTED TO KNOW ABOUT LOG MANAGEMENT BUT WERE AFRAID TO ASK www.alienvault.com A Rose By Any Other Name SLM/LMS, SIM, SEM, SEC, SIEM Although the industry has settled on

More information

Dynamic Rule Based Traffic Analysis in NIDS

Dynamic Rule Based Traffic Analysis in NIDS International Journal of Information & Computation Technology. ISSN 0974-2239 Volume 4, Number 14 (2014), pp. 1429-1436 International Research Publications House http://www. irphouse.com Dynamic Rule Based

More information

z/os V1R11 Communications Server system management and monitoring

z/os V1R11 Communications Server system management and monitoring IBM Software Group Enterprise Networking Solutions z/os V1R11 Communications Server z/os V1R11 Communications Server system management and monitoring z/os Communications Server Development, Raleigh, North

More information

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12 Intrusion Detection Systems and Supporting Tools Ian Welch NWEN 405 Week 12 IDS CONCEPTS Firewalls. Intrusion detection systems. Anderson publishes paper outlining security problems 1972 DNS created 1984

More information

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool Mukta Garg Assistant Professor, Advanced Educational Institutions, Palwal Abstract Today s society

More information

IBM Security QRadar QFlow Collector appliances for security intelligence

IBM Security QRadar QFlow Collector appliances for security intelligence IBM Software January 2013 IBM Security QRadar QFlow Collector appliances for security intelligence Advanced solutions for the analysis of network flow data 2 IBM Security QRadar QFlow Collector appliances

More information

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM 59 CHAPETR 3 DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM 3.1. INTRODUCTION The last decade has seen many prominent DDoS attack on high profile webservers. In order to provide an effective defense against

More information

Linux Network Security

Linux Network Security Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols

More information

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment Advancement in Virtualization Based Intrusion Detection System in Cloud Environment Jaimin K. Khatri IT Systems and Network Security GTU PG School, Ahmedabad, Gujarat, India Mr. Girish Khilari Senior Consultant,

More information

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013 SOUTHERN POLYTECHNIC STATE UNIVERSITY Snort and Wireshark IT-6873 Lab Manual Exercises Lucas Varner and Trevor Lewis Fall 2013 This document contains instruction manuals for using the tools Wireshark and

More information

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4) Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware

More information

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA Configuring Personal Firewalls and Understanding IDS Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA 1 Configuring Personal Firewalls and IDS Learning Objectives Task Statements 1.4 Analyze baseline

More information

User Management Guide

User Management Guide AlienVault Unified Security Management (USM) 4.x-5.x User Management Guide USM v4.x-5.x User Management Guide, rev 1 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

Centre for the Protection of National Infrastructure Effective Log Management

Centre for the Protection of National Infrastructure Effective Log Management Centre for the Protection of National Infrastructure Effective Log Management Tom Goldsmith, 2nd April 2014 response@contextis.com Effective Log Management / Contents Contents 1 Executive Summary 5 2 About

More information

2010 White Paper Series. Layer 7 Application Firewalls

2010 White Paper Series. Layer 7 Application Firewalls 2010 White Paper Series Layer 7 Application Firewalls Introduction The firewall, the first line of defense in many network security plans, has existed for decades. The purpose of the firewall is straightforward;

More information

Getting Ahead of Malware

Getting Ahead of Malware IT@Intel White Paper Intel Information Technology Security December 2009 Getting Ahead of Malware Executive Overview Since implementing our security event monitor and detection processes two years ago,

More information

COORDINATED THREAT CONTROL

COORDINATED THREAT CONTROL APPLICATION NOTE COORDINATED THREAT CONTROL Interoperability of Juniper Networks IDP Series Intrusion Detection and Prevention Appliances and SA Series SSL VPN Appliances Copyright 2010, Juniper Networks,

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

FIREWALLS & CBAC. philip.heimer@hh.se

FIREWALLS & CBAC. philip.heimer@hh.se FIREWALLS & CBAC philip.heimer@hh.se Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that

More information

Configuring Snort as a Firewall on Windows 7 Environment

Configuring Snort as a Firewall on Windows 7 Environment Journal of Ubiquitous Systems & Pervasive Networks Volume 3, No. 2 (2011) pp. 3- Configuring Snort as a Firewall on Windo Environment Moath Hashim Alsafasfeh a, Abdel Ilah Noor Alshbatat b a National University

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Assessment of the operation and usefulness of informatics tools for the detection of on-going computer attacks André Matos Luís Machado Work Topics 1. Definition 2. Characteristics

More information

A Review on Network Intrusion Detection System Using Open Source Snort

A Review on Network Intrusion Detection System Using Open Source Snort , pp.61-70 http://dx.doi.org/10.14257/ijdta.2016.9.4.05 A Review on Network Intrusion Detection System Using Open Source Snort Sakshi Sharma and Manish Dixit Department of CSE& IT MITS Gwalior, India Sharmasakshi1009@gmail.com,

More information

SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security

SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security SIEM Optimization 101 ReliaQuest E-Book Fully Integrated and Optimized IT Security Introduction SIEM solutions are effective security measures that mitigate security breaches and increase the awareness

More information

Security Intelligence in Action: SANS Review of McAfee Enterprise Security Manager (ESM) 9.2

Security Intelligence in Action: SANS Review of McAfee Enterprise Security Manager (ESM) 9.2 Sponsored by McAfee Security Intelligence in Action: SANS Review of McAfee Enterprise Security Manager (ESM) 9.2 May 2013 A SANS Whitepaper Written by Dave Shackleford The ESM Interface Page 2 Rapid Event

More information

Configuring Virtual Switches for Use with PVS. February 7, 2014 (Revision 1)

Configuring Virtual Switches for Use with PVS. February 7, 2014 (Revision 1) Configuring Virtual Switches for Use with PVS February 7, 2014 (Revision 1) Table of Contents Introduction... 3 Basic PVS VM Configuration... 3 Platforms... 3 VMware ESXi 5.5... 3 Configure the ESX Management

More information

Deployment of Snort IDS in SIP based VoIP environments

Deployment of Snort IDS in SIP based VoIP environments Deployment of Snort IDS in SIP based VoIP environments Jiří Markl, Jaroslav Dočkal Jaroslav.Dockal@unob.cz K-209 Univerzita obrany Kounicova 65, 612 00 Brno Czech Republic Abstract This paper describes

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Network Security Monitoring: Looking Beyond the Network

Network Security Monitoring: Looking Beyond the Network 1 Network Security Monitoring: Looking Beyond the Network Ian R. J. Burke: GCIH, GCFA, EC/SA, CEH, LPT iburke@headwallsecurity.com iburke@middlebury.edu February 8, 2011 2 Abstract Network security monitoring

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

FortKnox Personal Firewall

FortKnox Personal Firewall FortKnox Personal Firewall User Manual Document version 1.4 EN ( 15. 9. 2009 ) Copyright (c) 2007-2009 NETGATE Technologies s.r.o. All rights reserved. This product uses compression library zlib Copyright

More information

HoneyBOT User Guide A Windows based honeypot solution

HoneyBOT User Guide A Windows based honeypot solution HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3

More information

SURVEY OF INTRUSION DETECTION SYSTEM

SURVEY OF INTRUSION DETECTION SYSTEM SURVEY OF INTRUSION DETECTION SYSTEM PRAJAPATI VAIBHAVI S. SHARMA DIPIKA V. ASST. PROF. ASST. PROF. MANISH INSTITUTE OF COMPUTER STUDIES MANISH INSTITUTE OF COMPUTER STUDIES VISNAGAR VISNAGAR GUJARAT GUJARAT

More information

Configuring Snort as a Firewall on Windows 7 Environment

Configuring Snort as a Firewall on Windows 7 Environment Configuring Snort as a Firewall on Windo Environment Moath Hashim Alsafasfeh a, Abdel Ilah Noor Alshbatat b a National university of Malaysia UKM, Selengor, Malaysia. b Tafila Technical University, Electrical

More information

Cisco RSA Announcement Update

Cisco RSA Announcement Update Cisco RSA Announcement Update May 7, 2009 Presented by: WWT and Cisco Agenda Cisco RSA Conference Announcements Collaborate with Confidence Overview Cisco s Security Technology Differentiation Review of

More information

O S S I M. Open Source Security Information Manager. User Manual

O S S I M. Open Source Security Information Manager. User Manual O S S I M Open Source Security Information Manager User Manual Created by Kevin Milne (www.z4ck.org) Contributions by OSSIM Staff 2 nd September 2004 Index Introduction 3 1 Logging in 5 1.1 The Metrics

More information

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques. Some IPS systems can be easily fingered using simple techniques. The unintentional disclosure of which security devices are deployed within your defences could put your network at significant risk. Security

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

The Value of QRadar QFlow and QRadar VFlow for Security Intelligence

The Value of QRadar QFlow and QRadar VFlow for Security Intelligence BROCHURE The Value of QRadar QFlow and QRadar VFlow for Security Intelligence As the security threats facing organizations have grown exponentially, the need for greater visibility into network activity

More information

Cover. White Paper. (nchronos 4.1)

Cover. White Paper. (nchronos 4.1) Cover White Paper (nchronos 4.1) Copyright Copyright 2013 Colasoft LLC. All rights reserved. Information in this document is subject to change without notice. No part of this document may be reproduced

More information

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

IntruPro TM IPS. Inline Intrusion Prevention. White Paper IntruPro TM IPS Inline Intrusion Prevention White Paper White Paper Inline Intrusion Prevention Introduction Enterprises are increasingly looking at tools that detect network security breaches and alert

More information

Network- vs. Host-based Intrusion Detection

Network- vs. Host-based Intrusion Detection Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

Web Application Firewall

Web Application Firewall Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks

More information

Solving Monitoring Challenges in the Data Center

Solving Monitoring Challenges in the Data Center Solving Monitoring Challenges in the Data Center How a network monitoring switch helps IT teams stay proactive White Paper IT teams are under big pressure to improve the performance and security of corporate

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

Network Security Monitoring

Network Security Monitoring Network Security Monitoring Network Startup Resource Center www.nsrc.org These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)

More information

First Line of Defense to Protect Critical Infrastructure

First Line of Defense to Protect Critical Infrastructure RFI SUBMISSION First Line of Defense to Protect Critical Infrastructure Developing a Framework to Improve Critical Infrastructure Cybersecurity Response to NIST Docket # 130208119-3119-01 Document # 2013-044B

More information

IBM Security QRadar SIEM Version 7.1.0 (MR1) Tuning Guide

IBM Security QRadar SIEM Version 7.1.0 (MR1) Tuning Guide IBM Security QRadar SIEM Version 7.1.0 (MR1) Tuning Guide Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page 35. Copyright IBM

More information

Network Security Monitoring

Network Security Monitoring Network Security Coleman Kane Coleman.Kane@ge.com September 24, 2014 Cyber Defense Overview Network Security 1 / 23 Passive Passive 2 Alert Alert Passive monitoring analyzes traffic with the intention

More information

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding? Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against

More information