?
Solved

IDS (Intrusion Detection Systems)

Posted on 2003-03-10
10
Medium Priority
?
259 Views
Last Modified: 2010-04-11
Hello all,
for those of you that have familiar with IDS (Intrusion Detection Systems), I know the concept but I was wondering if any of you know a site or tuotiral of how to progam a basic IDS software. Or any open source project!
thanks

0
Comment
Question by:ataleghani
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 300 total points
ID: 8107276
look at snort. It is one of the first and still open projects:
http://www.snort.org/
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8107284
Everything you ever wanted to know about Intrustion Detection but were afraid to ask:
http://www.sans.org/rr/intrusion/
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 8107672
Also worth having a look at tripwire:)

http://www.tripwire.org/
0
WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

 
LVL 2

Expert Comment

by:festive
ID: 8109978
Basically an IDS is a pattern matching engine:
you capture data from the interface (promiscuously)
and then run the data through a pattern matching algorithm.
limitations to this approach are usually around complex rules and these systems unless very well written can be fooled by obscuring data (using unicode for example).

Open Source utililies such as Snort are very good.

There are a number of others such as prelude.

If you want to see how these work, or get an insight into the process of detection play with some open source sniffers like Analyzer or Ethereal, set some capture rules - and voila - you have the ability to produce rather crude (but educational) rules.

If you are uninterested in the history and want to do something similar on a WINTEL platform - get snort and IDScenter (windows front-end)

I hope this helps - good luck.
0
 
LVL 1

Expert Comment

by:newyhouse
ID: 8116186
To append to festive's comment- it is important to note that not all IDSs rely on network data.  Some IDSs analyze audit logs or compare observed user behavior (perhaps including network data) to profiles of normal user behavior looking for suspicious activity.

Also, some on-the-fly network based IDSs do more than "packet grepping" for malicious strings.  Often times they search for anomalies such as an outgoing TCP connection from a machine that should never need to do such a thing.

As for projects to look into, as mentioned earlier snort.org is definitely a good place to check out.  Also, take a look at this page of ID papers compiled (and in some cases written) by a grad student at RPI:

http://www.cs.rpi.edu/~brancj/research.htm

Steve
0
 
LVL 2

Expert Comment

by:bkrahmer
ID: 8117427
There are also honeypot ('decoy servers') and hybrid host/network IDS approaches available.

brian
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12487272
Question asked and answered
points to lrmoore

0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
Hey fellow admins! This time, I have a little fairy tale for you. As many tales do, it starts boring and then gets pretty gory. I hope you like it. TL;DR: It is about an important security matter, you should read it if you run or administer Windows …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question