14.1 IDS

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with

Already have an account? Sign In »

19 hours 55 minutes
Video Transcription
I welcome back to the course. So the last module we finished up our discussion on mobile hacking and mobile security
in March of 14 we're going to talk about ideas for intrusion detection systems and also I PS intrusion prevention systems, as well as firewalls and honey pots.
So in this particular video, we're gonna go focus on I. D. S and I PS.
So what is ideas? Well, I mentioned intrusion detection system, but basically it's a device or some type of software application that monitors a network or system for any type of malicious activity or even some pilot policy violations.
So, generally two types you've got host based, which is going to be, if you think it in the context of like a user work station, you'll have the whole space a little bit more of a software solution that also a network based intrusion detection system. And that might either be a software solution on a server. Or it could also be the most the most larger companies. Ah, hardware solution as well.
So here's just kind of a graphic on what they might look like. So again, I mentioned kind of the user workstation there would be a host based, and the network base would be some kind of journalism kind of actual, like hardware unit.
Now most organizations were also going to use both of these, right? And it just makes perfect sense if something's missed by the network, one that you might be able to catch it on the host side.
So how does ideas actually detect intrusions? Well, basically monitors the traffic to and from particular devices, So I send traffic to you. It's standing in the way, and it monitors that traffic. And then you might get it, or you may not. You know, depending on what happens,
the traffic is generally could be matched to some kind of signature library. So especially just a library of known attacks.
And then it's also my may also which have talked about this. A second here may also check for abnormal behavior.
And in any event where an intrusion detection system is going to do is you send an alert to the administrator,
or so you know someone else.
Now, the intrusion prevention system again. This is generally combined with the intrusion detection. It just makes perfect sense if I find it I want to try to stop it right. I want to do some kind of action to try to block the activity
so it will take action and try to block or stop the activity. So that might be things of the drop in the packet. Might also recaps reset the connection. And it could also blocked traffic from a particular i p address.
So different types of detection methods anomaly based. That's where we basically check it against the baseline. So that's where hey, this is the behavior here is abnormal. Let's go ahead and drop this package or whatever the case might be signature bases at that original one. We talked about where it's comparing it to a goddamn kind of that library of known
signatures. Air No, no attack patterns.
I mean, so it's gonna compare that, and then it's gonna take an action based off of that
and then stay full protocol analysis. So basically, that's, ah, little, little more fancying. So basically it's talking about we have certain protocols and these air how the protocols operate right looks TCP or something like that. And so, based on any deviations off that
it makes a comparison off the observed events and says, Well, that doesn't sound right. You know, that doesn't follow
what TCP should be doing. So let me go ahead and look at this more. Let me just go ahead and drop this if we've got the intrusion prevention system attached.
So this is just a screenshot of, ah, intrusion detection system. Kind of what it might look like. So you'll see the different packets coming through. It'll take I p addresses you might. You may or may not get the,
uh, the different graph top of stuff, depending on the particular tool that you're using.
So different types of ideas. Try Pia's alerts. These are the four main types here. So true. Positive. That's a good thing. That's bad traffic. It triggers an alert. So that's what we want. False, positive. So good traffic is gonna trigger an alert. And that's you know, that's okay. We get some of those that's to be expected, but false negatives. Actually, our worst kind, right? So bad traffic doesn't
trigger any alerts or just comes right through. It hits our network
and then a true negative. So that's just good traffic. Not figuring it alert again That's another good thing.
So snort. That's probably gonna be the
most tested, too, on the exam as faras ous faras intrusion detection. That's probably when you may or may not see. We've got some other ones that will talk about but any official material they go over, start snoring. Excuse me quite a bit.
So basically, it's an intrusion detection system. It's free and open source and very, very popular. You'll you'll see this if you work in an industry, depending on the your organization or at least in some capacity, they'll be mentioning it or referencing it.
So this screen shot this kind of the
kind of one of the best final ones I could find, unfortunately, because it's kind of kind of blurry, but I'll talk about each thing here. So you got you got your, you know, command here. You're just saying like, Okay, we want to alert and then here using just i p That just makes it apply to all i p A packets. So basically any i p about that I see in the i p A packets
coming in.
Um, we wanted to alert on
and then the source. So here we put any. So that's basically got to grab any I p address coming through that's gonna give us an alert on those and then here the source port
that's gonna tell us, You know, we could specify a port if we wanted to, but otherwise every type any here, it's gonna basically alerted us on any incoming traffic. That's from any I p address that's on any port
and coming to this destination I ps dress in this destination port. So our destination again, we've got any here and then for the destination port. We have any. So this entire ah little string here is gonna alert on any I p address that's coming from any pork,
and that's going to any I p address, and that's going, you know, going to any port now. In real life, we wouldn't use something like this because our logs, they're gonna be ridiculous in size. It was just kind of an example. And then it would, you know, we could specify a particular message that we wanted to show, you know, So you know, hey, I pay packet detected or whatever the case might be,
so start rule actions, and this is something newer,
uh, on the exam. They covered in the material in version nine a little bit, but kind of you kind of want to know it a little more inversion 10 of the CH exam
so past. Basically, just tell snore to ignore that particular packets or just draw, you know either Lex a pastor or drops it in the log. It's used a lot of packet alert. Obviously, that's going to send the alert message, and we have seen that in the previous slide
and then activate issues you're creating alert and then also activate another rule for more conditions. And then dynamic rules actually have to be invoked by other rules that used the activate action
and then user defined. We can actually create custom things there so we can make it sending messages since log where we can make it. Take multiple actions in a particular packets, and we could have it sent an alert and then also drop the packet. That sort of stuff.
So the direction operator snort. It's pretty straightforward. Basically, we can specify if it's a bidirectional flow of traffic or if the traffic's flowing in one direction. So in our example we've The traffic was flowing from our our source to the destination. It wasn't bi directional.
Now that the any can actually be used to specify or define a particular I p address
or range of I P addresses and then pork ranges are indicated with the range operator. So that Colin sign
No, no America I p addresses must be used with See the i R. So if you're not familiar with that, that's a classless enter domain routing. So we just basically need to specify in that mess there,
So some other i. D. S I. P s tools besides a start that you might see on the Examiner, at least in the official material area Volts O s s I am, which is free. Well, excuse me. Open source. And they do have ah free trial version on that and then tipping points.
software as well.
I kind of stumbled there. Okay, So here's a lee involved O s s I am. And this is again This is ah, got a free trial. But you can also get the page version is all it is very popular, outed industry as well,
and then turn Michael's tipping point, just another type of interest prevention detection system.
I mean so again, all these are either free or paid tools, and he's kind of pens on what your particular organization is going to use
security. Onion is another good one that a lot of people that I know use and so, you know, just check all these out and play around with it a little bit. You don't have to know these for the exam. You don't have to know like the syntax or anything that an extremely
chisel down method. We don't to drill down too much, but just kind of know, like the tool on kind of what it does.
So evading intrusion, detection. So several different attacks. We can do it. These are just a handful of insertion attacks were basically we send a packet that the ideas doesn't recognize as being malicious for being off it all. But then it gets to the host machining it gets rejected. You don't really e guess You could see those nowadays, but most, uh,
most ideas out there at least the advance once
or the common ones and use are gonna have some type of ah analysis of the entire stream. So it's not gonna, you know, when it's just one packet coming through. It's basically gonna wait in Annalise's entire stream of the communication denial of service. So that's where we want to overwhelm the ideas, which is basically
either from a processing standpoint of
overwhelming it. So you know, they can't basically use of all the processing power. Or we can overwhelm it in the concept of, you know, like the human element, right? The the the network administrators looking all that we can overwhelm with so many packets that they're just like, Oh, I don't even wanna look at the logs today
office skating so we could use a unique We basically want to create unique attack pattern so we can use that with something like polymorphic shell code. We can keep generating different attack patterns. Ah, Unicode, which is basically there's a screen shot here, but essentially, Unicode is a a particular symbol for every single
letter or, you know, item in a
language around the world. So it's huge, but basically it allows us to change the signature that the ideas come pick up on
in the fragmentation. We want to split the payload into smaller packets.
So different invasion tools. We can use necessary proxy on map whisker that allows us to create packets with very small payloads. And it's also called session spicing, sticking snout or used to generate a large number of alerts. Basically, again, that's the overwhelm the human element.
So, SSL proxy proxy. It allows us to basically create an encrypted tunnel to whatever we're getting, too. In this example have the Internet, but we couldn't get to a particular host machine as well. And the ideas can really that encrypted traffic
and then end map. So mm, we went over earlier, but we could basically use the slow switches. So the t zero her tea once whips switch. Now, that's an example of the of the command that you would use their. But we could basically use those to slow down the communication stream and the packets being said.
So some countermeasures for I. D. S evasion snoring actually can use the dash lower case Z switch, and what that's gonna do is actually ignore the stick. It's not attack, so we don't even have to worry about those. And then we can also use traffic reassembly Sofer fragmented traffic. We could resemble those packets and see what is actually in him.
And then we also could just closely monitor fragmenting
traffic is part of that to just see like, Okay, this is fragmented. Let's go ahead and check it and reassemble it and see what's going on.
So in this video, we covered kinda intrusion detection. In a nutshell, we covered the basic information about it. We covered tools like snort. Also
the, uh, alien Volvo S s, I am. And then also ah, tipping point as well.
We talked about different types of evasion techniques and then also some tools that we could use for evasion and then, as well as countermeasures for those.
So in the next video, we're gonna start off our discussion with firewalls.
Up Next
Penetration Testing and Ethical Hacking

Do you like breaking things or figuring out how things work? Join thousands of professionals who’ve entered the information security field by taking this class. Taking this ethical hacking course will give you the skills needed to become a professional penetration tester and prepare you for industry certifications, like the CEH.

Instructed By