Assignment 8 BB

School

Florida International University
Course

MISC

Subject

Information Systems

Date

Feb 20, 2024

Assignment 8 – Intrusion Detection

1) Compare the following IDS: Snort, Bro and Suricata, focusing on capacities and location (host- or network-based). (A paragraph for each, or a table highlighting their differences and similarities.)

Snort: Snort is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS) originally created in 1998. 1998 was the year Windows 98 came out, but it was also the year that Martin Roesch first released Snort. Although Snort wasn't a true IDS at the time, that was its destiny. Since then, it has become the de facto standard for IDS, thanks to community contributions.

Bro: Bro, which was renamed Zeek in late 2018 and is sometimes referred to as Bro-IDS or now Zeek-IDS, is a bit different from Snort and Suricata. In a way, Bro is both a signature-based and an anomaly-based IDS. Its analysis engine converts captured traffic into a series of events. An event could be a user login to FTP, a connection to a website, or practically anything. The power of the system is what comes after the event engine: the Policy Script Interpreter. This policy engine has its own language (Bro-Script) and can do some very powerful and versatile tasks.

Suricata: If you're using Suricata instead of Snort: although Suricata's architecture is different from Snort's, it behaves the same way as Snort and can use the same signatures. What's great about Suricata is what else it's capable of beyond Snort. It does so much more that it probably deserves a dedicated post of its own. Snort runs with a single thread, meaning it can only use one CPU (core) at a time. Suricata can run many threads, so it can take advantage of all the CPUs/cores you have available. There has been much contention on whether this is advantageous: Snort says no and a few benchmarks say yes. Built-in hardware acceleration: did you know you can use graphics cards to inspect network traffic? File extraction: someone downloading malware?
You can capture it right from Suricata and study it.

2) Explain what it means when an IDS is located at the host or at the network. What information can you obtain from each type of IDS?

When an IDS is located at the host, it can provide information about attacks that are directed at that particular host. When an IDS is located at the network, it can provide information about attacks that are directed at any host on that network.

3) Given the following Snort rule, describe what it does.

    alert tcp $EXTERNAL_NET any -> 10.200.0.0/24 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1255; rev:7;)

URL to assist: Snort Basics: How to Read and Write Snort Rules, Part 1 (hackers-arise.com)
The rule alerts on traffic to port 80 on the 10.200.0.0/24 subnet where the URI content includes "/root.exe". This may indicate an attempt to exploit the CodeRed vulnerability on an IIS web server.

4) Explain the capabilities of Tripwire and compare it to Snort.

Tripwire is a security and intrusion detection system that monitors and detects changes in files on a computer system. It can also be used to identify unauthorized access to a computer system. It can be used, for instance, to monitor configuration files for changes in order to determine whether a system has been compromised. Tripwire can also monitor application files for changes; for instance, it can determine whether a malicious file has been added to a system by detecting that a change has occurred. Snort is a system that can be used to detect and prevent attacks on a network. It is classified as a network intrusion detection and prevention system. It can be used to identify and stop malicious traffic, for instance by blocking traffic from IP addresses that are known to be malicious.
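To make the reading of the question 3 rule concrete, here is an added example (not part of the assignment and not Snort's own code) that splits the rule into its header fields and options and then evaluates it against a few constructed flows. The variable values for $HOME_NET and $EXTERNAL_NET, the sample IP addresses and the request URIs are assumptions; the reader only understands the option keywords this one rule uses, and treats nocase as applying to the single uricontent option, which is enough for this rule but not a general Snort parser.

```python
"""Parse the CodeRed Snort rule from question 3 and test it against sample flows.

Added example, not Snort code and not part of the assignment.  Only the header
fields and the option keywords used by this one rule are understood.
"""
import ipaddress
import re

RULE = ('alert tcp $EXTERNAL_NET any -> 10.200.0.0/24 80 '
        '(msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; '
        'uricontent:"/root.exe"; nocase; classtype:web-application-attack; '
        'reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1255; rev:7;)')

# Assumed variable values (snort.conf normally defines these): HOME_NET is the
# monitored subnet and EXTERNAL_NET is everything that is not HOME_NET.
VARIABLES = {"$HOME_NET": "10.200.0.0/24", "$EXTERNAL_NET": "!10.200.0.0/24"}


def parse_rule(text):
    """Split a rule into its seven header fields and an ordered list of options."""
    head, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    body = body.rstrip().rstrip(")")
    options = []
    # Options are ';'-separated, but a ';' inside double quotes is literal.
    for raw in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body):
        raw = raw.strip()
        if raw:
            key, _, value = raw.partition(":")
            options.append((key.strip(), value.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "options": options}


def _addr_matches(spec, ip):
    """Match an address spec ('any', a CIDR, a '!'-negated CIDR or a variable)."""
    spec = VARIABLES.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return not inside if negate else inside


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, flow):
    """True when a constructed flow satisfies every condition of the rule.

    `flow` is a dict with src_ip, dst_ip, src_port, dst_port, proto,
    to_server (bool), established (bool) and uri (the requested URI).
    """
    if rule["proto"] != flow["proto"]:
        return False
    if not (_addr_matches(rule["src"], flow["src_ip"])
            and _port_matches(rule["sport"], flow["src_port"])
            and _addr_matches(rule["dst"], flow["dst_ip"])
            and _port_matches(rule["dport"], flow["dst_port"])):
        return False
    # Simplification: this rule has one uricontent, so nocase applies to it.
    nocase = any(key == "nocase" for key, _ in rule["options"])
    for key, value in rule["options"]:
        if key == "flow":                      # to_server,established
            if not all(flow.get(cond, False) for cond in value.split(",")):
                return False
        elif key == "uricontent":
            uri = flow.get("uri") or ""
            needle, hay = (value.lower(), uri.lower()) if nocase else (value, uri)
            if needle not in hay:
                return False
    return True


# Constructed sample flows; addresses are documentation ranges, not real hosts.
SAMPLE_FLOWS = {
    # Probe from outside the subnet hitting /root.exe on port 80: every condition holds.
    "external_probe": dict(src_ip="203.0.113.7", src_port=51234, dst_ip="10.200.0.15",
                           dst_port=80, proto="tcp", to_server=True, established=True,
                           uri="/scripts/ROOT.EXE?/c+dir"),
    # Same request from inside HOME_NET: $EXTERNAL_NET excludes it.
    "internal_client": dict(src_ip="10.200.0.44", src_port=40001, dst_ip="10.200.0.15",
                            dst_port=80, proto="tcp", to_server=True, established=True,
                            uri="/scripts/root.exe?/c+dir"),
    # Ordinary page request: URI does not contain /root.exe.
    "benign": dict(src_ip="203.0.113.7", src_port=51235, dst_ip="10.200.0.15",
                   dst_port=80, proto="tcp", to_server=True, established=True,
                   uri="/index.html"),
    # Right URI but a different destination port: header does not match.
    "wrong_port": dict(src_ip="203.0.113.7", src_port=51236, dst_ip="10.200.0.15",
                       dst_port=8080, proto="tcp", to_server=True, established=True,
                       uri="/root.exe"),
}


def evaluate_samples():
    """Map each sample flow name to whether the rule would fire on it."""
    rule = parse_rule(RULE)
    return {name: rule_matches(rule, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    opts = dict(parse_rule(RULE)["options"])
    print(f"sid {opts['sid']} rev {opts['rev']}: {opts['msg']}")
    for name, hit in evaluate_samples().items():
        print(f"{name:16s} -> {'ALERT' if hit else 'no alert'}")
```

Running it prints one ALERT (the external probe) and three "no alert" lines, which shows the three things the rule actually requires beyond the URI string: the source must satisfy $EXTERNAL_NET, the destination must be port 80 inside 10.200.0.0/24, and the flow must be an established client-to-server stream.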
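To show what the file-change monitoring described in question 4 looks like in practice, and how it differs from the network view of question 2, here is an added example (not Tripwire's code and not part of the assignment) of a minimal host-based integrity check: it fingerprints every file under a directory, then reports files that were added, removed or changed since the baseline. The directory layout, file names and the tampering steps are constructed inside the script so it runs offline.

```python
"""A minimal Tripwire-style file integrity check.

Added example, not Tripwire's code and not part of the assignment.  It records
the SHA-256 digest, size and permission bits of every file under a directory,
then compares a later snapshot against that baseline.  This is the host-based
view: it sees changes on the machine it runs on, not the packets a network
sensor such as Snort would see.
"""
import hashlib
import os
import stat
import tempfile


def _fingerprint(path):
    """SHA-256 digest, size and permission bits of one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Map each file path (relative to root, '/'-separated) to its fingerprint."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = _fingerprint(full)
    return baseline


def compare(baseline, current):
    """Report added and removed files, and which attributes changed on the rest."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in ("sha256", "size", "mode")
                 if baseline[rel][k] != current[rel][k]]
        if diffs:
            report["changed"][rel] = diffs
    return report


def _write(path, text, mode="w"):
    with open(path, mode) as fh:
        fh.write(text)


def demo():
    """Build a constructed directory tree, baseline it, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        _write(os.path.join(etc, "hosts"), "127.0.0.1 localhost\n")
        _write(os.path.join(etc, "passwd"), "root:x:0:0::/root:/bin/sh\n")
        _write(os.path.join(root, "app.cfg"), "debug=false\n")
        os.chmod(os.path.join(root, "app.cfg"), 0o644)
        baseline = build_baseline(root)

        # Simulated changes: an edited config file, a new file, a removed file,
        # and a permission change that leaves the content untouched.
        _write(os.path.join(etc, "hosts"), "198.51.100.9 update.example\n", mode="a")
        _write(os.path.join(etc, "new.conf"), "unexpected=1\n")
        os.remove(os.path.join(etc, "passwd"))
        os.chmod(os.path.join(root, "app.cfg"), 0o600)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    report = demo()
    print("added:  ", report["added"])
    print("removed:", report["removed"])
    for rel, attrs in report["changed"].items():
        print(f"changed: {rel} ({', '.join(attrs)})")
```

The report lists etc/new.conf as added, etc/passwd as removed, etc/hosts as changed in digest and size, and app.cfg as changed in mode only, which is the kind of evidence a host-based tool yields: which files on this machine differ from the known-good state, with no knowledge of where the change came from over the network. A real deployment stores the baseline somewhere the monitored host cannot silently rewrite it, since a baseline an intruder can update is no baseline at all.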