2009年3月20日星期五

How to Detect Hacker Attack With Sax2

Most computer vulnerabilities can be exploited in a variety of ways. Hacker attacks may use a single specific exploit, several exploits at the same time, a misconfiguration in one of the system components or even a backdoor from an earlier attack.

Due to this, detecting hacker attacks is not an easy task, especially for an inexperienced user, but Sax2 will let it become very easy, Sax2 is a professional intrusion detection and prevention system (NIDS) and it provides a wealth of security policy. This article gives a few basic solution to help you figure out either if your machine is under attack or if the security of your system has been compromised.

Solution1:

Diagnosis View is the most direct and effective place to detect hacker attack and should be our first choice. Sax2 can detects most of hacker attack and generate invasion events, if Sax2 confirm that the current attack are very dangerous, it will automatically block or interfere with the conversation. Picture 1 is an example of detection "Erazer Lite" backdoor.

(picture1)

Solution2:

See E-mail log, Check for suspicious mail, Trojan usually will send a E-mail message in order to steal your important information, such as bank account and password.


Solution3

Suspiciously high outgoing network traffic. If you are on a dial-up account or using ADSL and notice an unusually high volume of outgoing network (traffic especially when you computer is idle or not necessarily uploading data), then it is possible that your computer has been compromised. Your computer may be being used either to send spam or by a network worm which is replicating and sending copies of itself. For cable connections, this is less relevant - it is quite common to have the same amount of outgoing traffic as incoming traffic even if you are doing nothing more than browsing sites or downloading data from the Internet. About how to monitor network traffic, please visits http://www.ids-sax2.com/articles/MonitorNetworkTraffic.htm.

How to Monitor IM Activities with Sax2

In Logs Window, besides the three original logs: HTTP Requests, Email and FTP Transfers , we can monitor real-time activities and detailed messages of MSN instant messengers. The following picture 1 is an example of MSN Activities.


(picture 1)

1.Automatically save all messages for future reference

By default Sax2 will not save logs of those IM activities, to enable this function, we have to make some log settings. Let's take MSN log as an example:

Click "Options" button on the menu bar and then a dialog box will pop up as displayed in picture 2, then switch to "MSN Analyzer" Settings page,

(picture 2)

We can see Log File(s) is disabled. To enable log files, we have to click "..." to open another dialog box where we can define full path to log file.

2.IM Activities Information

Date - date information of the activity;
Time - time information of the activity;
IP1 - IP address of the node that is conducting the IM activity;
Account - account that is conducting the IM activity;
Transactions - detailed message content;

All IM messages are listed in time sequence, Picture 3 is an example of MSN messages.


3.Benefits:

* No need to purchase another IM monitor;
* Monitor all IM activities in real time;
* Save all IM messages for future reference;
* Prevent business secretes from leaking out via IM activities;
* Learn how much time your employees are spending in personal chatting during working hours;

2009年3月19日星期四

How to Monitor Network Traffic with Ax3soft Sax2

This article is to discuss how we can monitor network traffic .Sax2 make it easy for us to monitor and analyze network traffic in its intuitive and information-rich window. With Sax2's network traffic monitor feature, we can quickly identify network bottleneck and detect network abnormities.

1. Monitor network traffic in "Status" windows

Project status window shows the current status of the operation, including start time, duration, capture packets, buffer usage and real-time network traffic.



2. Monitor network traffic in "Statistical" window

"Statistical" is a view that provides general statistical information of the entire network or the selected node in the "Node Explorer". In "Statistical" we can get a quick view of the total traffic. When we switch among the node from the node explorer, corresponding traffic information will be provided.



2.Monitor network traffic in "Conversations" window

In "Conversations" window we can monitor network traffic by each conversation and the figure out which conversation has generated the largest network traffic.



As we can see, we can analyze network traffic in deferent levels with sax2, thus enables us quickly and efficiently detect network abnormities and troubleshoot network problems.

2009年3月18日星期三

Why is a firewall alone not enough? What are IDSes and why are they worth having?

Is a firewall the ultimate solution? Total reliance on the firewall tool, may provide a false sense of security. The firewall will not work alone (no matter how it is designed or implemented) as it is not a panacea. The firewall is simply one of many tools in a toolkit for IT security policy.

1.Is a firewall the ultimate solution?

The term “firewall” is already a buzzword in computer literature. Firewall marketing companies have generated a straightforward association in the mentality of budget administrators: “We have a firewall in place and therefore our network must be secure”.
However, total reliance on the firewall tool, may provide a false sense of security. The firewall will not work alone (no matter how it is designed or implemented) as it is not a panacea. The firewall is simply one of many tools in a toolkit for IT security policy.



Let us briefly examine what tasks are attributed to contemporary firewalls. Firewalls control both incoming and outgoing network traffic. They can allow certain packets to pass through or else disable access for them. For example, a firewall can be configured to pass traffic solely to port 80 of the Web server and to port 25 of the email server. This simple example shows that a firewall cannot evaluate the contents of “legitimate” packets and can unknowingly pass through some attacks on the Web server.



There are different types of firewalls. In the firewall market there are many solutions - from firewall imitations to very advanced application filters.



Basically, a firewall removed from its packing and installed between the network and the Internet adds little improvements to the security of the system. Human intervention is also required to decide how to screen traffic and “instruct” the firewall to accept or deny incoming packets. It is de facto a complex and sensitive task. Just a single security policy rule established for the wrong reasons can lead to a system being vulnerable to outside attackers. Once must also remember, that a poorly configured firewall may worsen the system’s effective immunity to attacks. This is because system administrators may believe that their systems are safe inside the “Maginot Line” and will become lax towards internal day to day security standards, if a firewall is in place.



Similarly to “firewall” another buzzword has recently become very popular – “IDS”. IDS solutions are designed to monitor events in an IT system, thus complementing the first line of defense (behind firewalls) against attacks. This article will explain the IDS related terminology and take a closer look at the protection technology basics.

2.Monitoring IT systems: why and how?

It is common knowledge that a system administrator is similar to a policeman, (or to a security guard, if you like) since he/she is responsible for preventing outside attacks on an IT system. The difference is that policemen work on a shift basis providing round-the-clock coverage, therefore a non-stop watch is guaranteed. However such a situation goes beyond the expectations of the administration of an IT system. Another difference is that the Internet is not inherently secure, therefore contemporary IT systems are exposed to attacks that come from hackers worldwide for criminal intent. So, what should a contemporary “policeman” look like? How can one proactively protect one’s assets against unknown threats derived from unknown sources that are likely to appear at any time during the day or night? The answer is simple – using automatically operated systems to assist “policemen” in their work. IDS tools are those which perform the function of such a “policeman”, by taking care of the security of IT systems and detecting potential intrusions. An important caveat to remember: firewalls are tools only to be used by people.

3. What is IDS?

IDS stands for Intrusion Detection System and for purposes of simplicity it is a system that detects burglary attempts. If one wishes to compare to a home anti-burglary system, firewalls perform the role of door and window locks. These types of locks will stop the majority of burglars but sophisticated intruders may circumvent security devices that protect an intended target i.e. a home. Therefore, most people use a combination of sophisticated locks with alarm systems. An IDS performs the role of such an alarm system and adds the next preventive layer of security by detecting attacks that penetrate IT systems.


IDS’ originators assumed that no protection system could make a network 100 percent secure against outside attacks. Once the protection barrier has been negotiated, such an anomalous situation must be reported to the system administrator as quickly as possible. It would be useful to view what an intruder was doing in an IT system. These are the key tasks for Intrusion Detection System programs.

4. How does an IDS operate?

IDS performs a continuous monitoring of events. The intrusion detection software monitors the server and logs any unauthorized access attempts and aberrant behavior patterns. Of course, an IDS must be instructed” to recognize such events. IDS can process various types of data. The most frequent are: traffic eavesdropping, packets flowing into system logs, information on users’ activities. In operational terms, three primary types of intrusion detection systems are available:

- Host-based systems – HIDS,

- Network-based systems – NIDS,

- Network node-based systems - NNIDS.

5. Host-based IDS (HIDS)

This is a firewall software that is based on auditing whatever information it can glean as generated by the OS’ activities. Such information can include system-generated logs, system events (e.g. unauthorized login attempts, aberrant file accesses, file status etc.). Generally – an IDS deals with all IT systems that can be monitored.

6. Log Auditing

The primary task of HIDS is to audit system log data. This means that they basically rely on an appropriate configuration of the OS log mechanisms, e.g., EventLog in Windows-based systems, Syslog –in Unix. HIDS collects data flowing into system logs and searches for any information that triggers alerts. This task is relatively simple to implement and is similar to that used by test processor dictionaries. The host-based ID can be “instructed”, for example, to trigger an alarm after a triple unauthorized login attempt within one minute. LogCaster service is an example of a log analyzer discussed here.


Click Here for a list of Log Auditing based Intrusion Detection systems

7. File integrity checking

Increasingly, HIDS are using technologies, which allow them to detect alterations to important system files and assets. As a rule, the files to check are periodically check summed and compared against a checksum database. If a checksum does not match the current result stored in a checksum database, this means that the file integrity has been altered. Obviously, this rule can be used to monitor only critical non-alterable system files.


Certain HIDS are able to verify features of certain assets. It is well known, for example, that system log files are incremental files. Therefore, the system should be configured so that an alarm is triggered as soon as the system detects any abnormal logs.


A number of products that deal with monitoring of files and assets are available on the market. They are denoted with a FIA (File Integrity Assessment) abbreviation. The first program likely to employ file integrity assessment by checksum verification was Tripwire.


When deploying HIDS software, attention must be paid to provide security for the databases used by the system (event detection rule files, checksum files). Imagine if your operating system is brought under attack and the attacker knows that your OS uses HIDS coverage. By making changes to the system, the attacker may also modify the database containing signatures of changed files. Therefore, it is a good idea to store signatures and other databases, as well as configuration files and HIDS binaries using a non-erasable method – for example, a write-protected diskette or a CD-ROM.

8. Intrusion prevention system

The biggest disadvantages of the majority of host-based systems HIDS is that they are passive, which means that they have to wait for an event to be an indication of an attack, and cannot proactively prevent it. Recently, HIDS are being provided with intrusion prevention technology aimed at detecting certain symptoms of an attack and the possibility to resist it before any damage can occur. One such advanced hybrid ID is based on monitoring system Application Programming Interface (API) software calls, (made in OS or kernel), and in capturing calls that are prohibited under the established security policy rules. Thus, a system will not only detect an aberrant action but also prevent it. For example, if a system user (or a process) attains elevated permissions in an operating system as a result of intrusive actions, (or a trojan) and is trying to destroy an important file, a passive system will detect a lack or modification of this file. A proactive system, in addition to notifying the system administrator, will also be able to prevent data from damage. This technique was used, among others, by the Linux Intrusion Detection System (LIDS).

9. Network-based IDS (NIDS)

The software belonging to this IDS group analyzes network packets. A NIDS agent places the network interface card into “promiscuous” mode and audits all traffic crossing the interface. As a general rule, it should be able to analyze all traffic within a specific network segment. Therefore, with switched networks, a NIDS agent should be connected to the monitoring port of the hub. A NIDS agent functions as an appropriate software module that resides on one of servers within a LAN segment. However, one must remember that the volume of packets sent over contemporary LANs is enormous. And this volume must be analyzed by a NIDS. If the agent has inadequate capacity to handle extreme loads, it can miss packets due to congestion on the network link that it is monitoring it and fail to collect the next packets that are received. Therefore, functioning under a regime close to the real-time mode is a must for a NIDS. On the other hand, a NIDS agent itself may overload the system it resides in and “incapacitate” the system to perform other tasks. This weakness spurs NIDS manufacturers to develop data collecting agents as a dedicated system to be installed on a separate robust PC (for instance, NFR NID-100 is offered as a CD-ROM to boot the system). Another option is a complete system encompassing both hardware and software (for example, Cisco NetRanger is a Cisco software-based PC running on Solaris operating system).


NIDS are installed per network segment coverage associated with characteristic attacks (for example ping of death or IIS .ida) or else used to deal with lesser events that are not simply attacks but preparative steps (for example, port scan).


For detecting aberrant traffic, NIDS use some other techniques as presented below.

10. Pattern Matching

This is a basic technique that has been used by NIDS programs since their origins. Each packet on the network is received by the listening system, the NIDS, it is then filtered and compared on a byte-code matching basis, against a database of known attack signatures (or patterns). The attack signature is a known technique used by anti-virus programs. CA eTrust uses the same engine – InoculateIT – as the anti-virus software of the same manufacturer. This method is easy to deploy, but requires a powerful system to reside on. In addition, a simple math indicates that there is an exponential relation between the amount of processed data or detected attacks (signatures) and the demand for computational power.

11. Protocol-based Anomaly IDS

This approach to IDS works on the principle that the traffic-monitoring agent has a database of known protocol-specific vulnerabilities and thereby is able to detect certain suspicious packets. With “ping of death” attacks, for example, that send an unusually large ICMP-echo (ping), a NIDS that analyzes protocols will detect the attack – this very large ICMP-echo packet. Adding the protocol-based technology considerably enhances attack detection that uses signature databases, because headers are dropped away and only the payload is taken for analysis.

With this technique added, NIDS agents have also gained mechanisms allowing them to analyze correlation between successive packets. Thus, SYN flood attacks or scanning to search for open port type attacks can be detected.


Another substantial enhancement to NIDS’ capabilities has been given with a protocol-related packet defragmentation technique. A NIDS agent not provided with this function may have difficulty in revealing the presence of an attack hidden in fragmented packets (a common technique used to deceive “ordinary” firewalls).

12. Session-based Packet Analysis

DS designers have been taking steps to extend the functionality of intrusion detection systems – in addition to single packet analysis, they have been providing NIDS with the capability to monitor session-based attacks, which may occur over a course of a dialog between systems. A NIDS agent set up in this way will be able to reassemble packet data streams. It is a task that poses high requirements for a CPU, but it allows a full review of anomalous activities, without being restricted to single packets. For example, there can be identified attempts to manipulate TCP stream or to bypass inspection firewalls.

13. Full Protocol Analysis

n advanced NIDS should have a database with the majority of contemporary protocols and be able to handle various options of these protocols. Suppose that an evader is attacking a Web server by sending commands of a particular format to a cgi.bin script (for example, test.cgi or showcode.asp). A signature –based IDS would have to match some specific patters to identify the attack. Another example would be if an intruder created a variation using UNICODE. A “simple’ NIDS would never even notice such a modified attack. Only a sophisticated, full-protocol-based system that is able to “normalize” audited data before processing (in this case, by using pure ASCII) can detect such attacks. This is a common technique when hiding attacks from a NIDS.

14. Specialized Network Drivers

Network drivers supplied with OSes today are not designed for high efficiency network analysis of traffic associated with all computers on a specific network segment. Besides, standard drivers themselves have been the source of insider threats. Therefore, vendors of sophisticated NIDS sometimes supply their own drivers. They are optimised for traffic listening and especially tuned by discarding portions that are unnecessary for NIDS applications.

15. Proactive solutions

Like HIDS, a part of NIDS is able not only to detect but also to proactively prevent an attack before any damage can occur. Normally, sessions are interrupted when an attack is detected. Advanced IDSes are able to inter-operate within firewalls (for example, Cisco NetRanger and Cisco routers) and disable traffic from the source of the attack. Note, however, that this apparently interesting feature may make DINS vulnerable to Denial of Service (DoS) attacks. For example, a site using firewall-configured IDSes under a DoS attack using spoofed address within the Web/Web server (for example, www.onet.pl or a main corporate server’s address). After an IDS intervention, this address would be denied access by the firewall.

16. Network Node IDS (NNIDS)

This IDS sub-approach is a specific modification of NIDS. Traditional NIDS agents, with the network interface set properly, collect data intended for the whole network. On the other hand, NNIDS are composed of micro agents distributed over each workstation within a network segment. Each micro agent monitors the network traffic directed to that workstation only, greatly reducing the capacity requirements needed by the NIDS. NNIDS weaknesses are associated with the requirement to have and manage a huge amount of micro agents as well as with the fact that NNIDS may have difficulty detecting attacks for which the coverage of the entire network is required, for example, to detect TCP Stealth Scanning. Such a traffic analysis approach is a must in VPNs, when the end-to-end encryption technique is employed. No traditional NIDS will be able to audit such traffic, as it is encrypted. A NNIDS analyses instantly, after decryption is made.

17. Attack Databases

From this review of IDS technology solutions it can be seen that certain IDSes (particularly NIDS) use attack signatures. Therefore, it is of key importance to have a frequently updated signature database to ensure effectiveness of IDS solutions. One must remember that signature updates are sometimes dependent upon the version of the NIDS software that may not be able to detect attacks that do not have fingerprints in the system database.


Today, IDS designers periodically issue signature database updating information. When choosing an IDS solution, remember to consider primarily how often the vendor updates the signatures, and what the vendor response rate in terms of the interval between BugTraq publication/vendor’s information to the appearance of the specific signature in the IDS would be. Remember, that a potential intruder or trojan rummaging through your Web site will take advantage of the newest information on bugs and exploits.


Certain vendors provide automated response mechanisms (for example, ISS Real Secure X-Press Updates).


Sometimes a “build your own” approach is possible with more advanced IDS software i.e. user-written signature-related plug-ins are possible as they are compiled with the use of high-level programming language. This is a very useful option for knowledgeable security administrators as they can customize their NIDS. Snort and NFR scripting languages (N-Code language that resembles Perla and C) have this option. With such IDS approaches, the problem of producing false-positives (see below for explanation) can be considerably alleviated.

16. Problems with IDSes

The primary problem with IDS software usage is that it is prone to “false-positives” (false alerts). Both the triggers and the attack signatures are generally not that sophisticated and precise when in use. Therefore, it is possible that an intrusion detecting system generates an alert when no problem was actually present with the network traffic. This is known as a false positive. If a system generates a number of alerts that appear to be false positives, the network administrator may ignore these alerts, possibly allowing a serious attack to pass unnoticed. The implication is that prior to implementing an IDS, a detailed tuning of alerting and triggering rules must be performed to match the environment the IDS will work in.

Security administrators or integrators wishing to install IDS, must take into consideration that this is a serious task. Therefore, it is critical to understand the properties of IDS technologies and the working environment to be used and also to have a broad knowledge of contemporary intrusion types. Contrary to firewall solutions, with IDS a more rigorous configuration policy is necessary, as they are much more sophisticated tools. Therefore, it is a good idea outsource the implementing of an IDS service to specialists.

17. IDS Modules

Basically, the current generation of IDS programs has a modular architecture. In its most basic form, IDS architecture consists of the following modules:

*
IDS agents that collect information. These are software programs that reside on servers (HIDS), within critical network segments (NIDS), or on each network node (NNIDS). Agents are key issues for IDS functioning. They may generate alerts for malicious activities.
*
Database. Here, all data collected by agents is stored. By auditing data gathered by all agents, certain attacks that are threats for the entire network can be detected and also attack trends and patterns on the network may be tracked.
*
Manager. This is a console that manages all modules. The manager is the administrator’s interface.
*
Alert Generator. This module is responsible for notifying the administrator about a potential threat. There are a variety of currently available IDS approaches. Certain IDS are limited to generate alerts (which may be logged) or others which may be placed on the management console only (Snort, Cisco RealSecure) and are based on outside software for information processing purposes (Cisco recommends, for example, netForensics). Other solutions can take the form of a wide range of sophisticated notifications (e-mail, SNMP trap, displaying a console box, fax, SMS, sending messages to the managing software, launching any deliberate program).


The alerting module may be included either in an agent or in the central data acquisition system.


*
Report Generator. This is a software module designed to generate reports based on the collected data.


Often, (particularly with IDS) the database, the manager and the reporting software are integrated within a single console.

Vendors sometimes offer, for example, extra modules that can consolidate IDS with the centralized management console (HP OpenView, Tivoli).



When fitting an IDS within the rest of the security framework, protection of inside communication is to be considered with proper care. If the inter-module transmission is prone to sniffing and eavesdropping, the IDS itself will be vulnerable to attacks. Inter-module communications should be encrypted using all well recognized security standards. Avoid using ad hoc encryption standards produced by early adapters or non-published standards. Secure and trusted IDS employ IPSec technology to encrypt packets. If a specific IDS is not provided with such a function or its encryption protocol seems untrustworthy, the transmission between the centralized console and the agents should be protected from using outside programs. I would like to emphasize once again: IDS inside transmission security is a key issue. Over-reliance on an IDS mechanism that cannot ensure data integrity while en route cannot be tolerated!

18. Summary

IDS are complex organisms. While the proponents of IDS software are moving to offer their products as complete as possible, the step towards IDS implementation within an organization is a very serious and complex task that requires a great deal of knowledge and skills.


Compared to firewalls, IDS are more sensitive to configuration errors and misleading design assumptions and product mix choices. So, a careful performance check of any IDS infrastructure is needed before its planned purchase and installation. This may include:

*
System architecture,
*
System management,
*
Capacity,
*
Database integrity,
*
Updating frequency,
*
IDS infrastructure security,
*
System effectiveness (handling false-positives),
*
Notification countermeasures,
*
Seamless interaction with other network infrastructure components,
*
Reporting facility.


What is most important – human intervention is still required i.e. from security-aware persons who will be responsible for IDS setup and maintenance and will be alerted about security breach attempts. An IDS cannot do the job alone and cannot be a “magic wand” to make IDS the only security required for our systems. This is just a tool to be used by people, for this purpose a prerequisite suit of response procedures should be prepared for the users to observe strictly. Otherwise, IDS will remain an expensive gadget only.


For those who wish to try IDS, I can recommend Sax2 (http://www.Ids-sax2.com).

2009年3月3日星期二

How to monitor email activity with sax2 NIDS

Step1: Click "Tool \ Option" to pop-up options settings window, and then switch to "Email Analyzer" Settings page, as shown below, and then change the value of "Save Email" to a "yes" and set up the " Save Path ".

Step2: Switch to the logs page, choose Email log, and then double-click to view the message body

Prevent hacker probing: Block bad ICMP messages

Takeaway: The ICMP protocol facilitates the use of important administrator utilities such as ping and traceroute, but it can also be manipulated by hackers to get a snapshot of your network. Learn what ICMP traffic to filter and what to allow.

This article originally appeared in the Security Solutions e-newsletter.

Although most network administrators do a fairly good job of filtering TCP and UDP traffic, many forget to filter ICMP traffic. ICMP traffic is necessary for troubleshooting TCP/IP and for managing its flow and proper function. However, ICMP is also dangerous. Hackers can use it to map and attack networks, so it needs to be restricted.

Like TCP and UDP, ICMP is a protocol within TCP/IP that runs over IP. Unlike TCP and UDP, ICMP is a Network Layer protocol and not a Transport Layer protocol. For more information on ICMP, see its request for comments (RFC) on the IETF's Web site.

Bad ICMP
Some ICMP message types are necessary for network administration. Unfortunately, hackers have found a way to turn a good network tool into an attack. The most common types of ICMP attacks are:


* ICMP packet magnification (or ICMP Smurf): An attacker sends forged ICMP echo packets to vulnerable networks' broadcast addresses. All the systems on those networks send ICMP echo replies to the victim, consuming the target system's available bandwidth and creating a denial of service (DoS) to legitimate traffic.
* Ping of death: An attacker sends an ICMP echo request packet that's larger than the maximum IP packet size. Since the received ICMP echo request packet is larger than the normal IP packet size, it's fragmented. The target can't reassemble the packets, so the OS crashes or reboots.
* ICMP flood attack: A broadcast storm of pings overwhelms the target system so it can't respond to legitimate traffic.
* ICMP nuke attack: Nukes send a packet of information that the target OS can't handle, which causes the system to crash.


Good ICMP
Several common tools that use ICMP are necessary for normal administration, management, and troubleshooting on your network. These tools include ping, traceroute, and path Maximum Transmit Unit (MTU) discovery.

Ping
When you ping a destination network address, you're sending an ICMP packet with message type 8 (Echo) code 0 (Echo--Request) to that address. The ICMP reply packet has a message type 0 (Echo) code 0 (Echo--Reply).

Traceroute
When you run a traceroute to a target network address, you send a UDP packet with one time to live (TTL) to the target address. The first router this packet hits decreases the TTL to 0 and rejects the packet. Now the TTL for the packet is expired. The router sends back an ICMP message type 11 (Exceeded) code 0 (TTL--Exceeded) packet to your system with a source address. Your system displays the round-trip time for that first hop and sends out the next UDP packet with a TTL of 2.

This process continues until you receive an ICMP message type 3 (Unreachable) code 3 (Port--Unreachable) from the destination system. Traceroute is completed when your machine receives a Port-Unreachable message.

If you receive a message with three asterisks [* * *] during the traceroute, a router in the path doesn't return ICMP messages. Traceroute will continue to send UDP packets until the destination is reached or the maximum number of hops is exceeded.

Path MTU discovery
When you begin a TCP/IP session between two machines, TCP/IP tries to negotiate the size of packets that can be sent during the session. This is called path MTU discovery. The machine that initiates the connection will send the largest packet it can with the Don't Fragment (DF) bit set.

If any router in the path has a smaller MTU, it will drop the packet with the DF bit set. That router will send an ICMP message type 3 (Unreachable) code 4 (Fragmentation--DF--Set) back to the initiating system. On the initiating system, TCP/IP will decrease the packet size and resend the packet.

The bottom line
Without getting into vendor specifics, disable IP-directed broadcasts to all of your routers to keep your network healthy. Letting traceroute, ping, or any of the other ICMP messages into and through your network from the Internet is an invitation for network mapping, and it could lead to an attack.

You can protect your network from attack by implementing three simple network rules:


* Allow ping—CMP Echo-Request outbound and Echo-Reply messages inbound.
* Allow traceroute—TTL-Exceeded and Port-Unreachable messages inbound.
* Allow path MTU—ICMP Fragmentation-DF-Set messages inbound.


Don't let poor configuration lead to hacker probing and attacks that are easily blocked. Applying these three rules and blocking other types of ICMP traffic can provide a lot of network security with minimal effort.

reference:http://www.ids-sax2.com/articles/BlockbadICMPmessages.htm

How to Detect a Hacker Attack

Most computer vulnerabilities can be exploited in a variety of ways. Hacker attacks may use a single specific exploit, several exploits at the same time, a misconfiguration in one of the system components or even a backdoor from an earlier attack.

Due to this, detecting hacker attacks is not an easy task, especially for an inexperienced user. This article gives a few basic guidelines to help you figure out either if your machine is under attack or if the security of your system has been compromised. Keep in mind just like with viruses, there is no 100% guarantee you will detect a hacker attack this way. However, there's a good chance that if your system has been hacked, it will display one or more of the following behaviors.
Windows machines:

* Suspiciously high outgoing network traffic. If you are on a dial-up account or using ADSL and notice an unusually high volume of outgoing network (traffic especially when you computer is idle or not necessarily uploading data), then it is possible that your computer has been compromised. Your computer may be being used either to send spam or by a network worm which is replicating and sending copies of itself. For cable connections, this is less relevant - it is quite common to have the same amount of outgoing traffic as incoming traffic even if you are doing nothing more than browsing sites or downloading data from the Internet.
* Increased disk activity or suspicious looking files in the root directories of any drives. After hacking into a system, many hackers run a massive scan for any interesting documents or files containing passwords or logins for bank or epayment accounts such as PayPal. Similarly, some worms search the disk for files containing email addresses to use for propagation. If you notice major disk activity even when the system is idle in conjunction with suspiciously named files in common folders, this may be an indication of a system hack or malware infection.
* Large number of packets which come from a single address being stopped by a personal firewall. After locating a target (eg. a company's IP range or a pool of home cable users) hackers usually run automated probing tools which try to use various exploits to break into the system. If you run a personal firewall (a fundamental element in protecting against hacker attacks) and notice an unusually high number of stopped packets coming from the same address then this is a good indication that your machine is under attack. The good news is that if your personal firewall is reporting these attacks, you are probably safe. However, depending on how many services you expose to the Internet, the personal firewall may fail to protect you against an attack directed at a specific FTP service running on your system which has been made accessible to all. In this case, the solution is to block the offending IP temporarily until the connection attempts stop. Many personal firewalls and IDSs have such a feature built in.
* Your resident antivirus suddenly starts reporting that backdoors or trojans have been detected, even if you have not done anything out of the ordinary. Although hacker attacks can be complex and innovative, many rely on known trojans or backdoors to gain full access to a compromised system. If the resident component of your antivirus is detecting and reporting such malware, this may be an indication that your system can be accessed from outside.

Unix machines:

* Suspiciously named files in the /tmp folder. Many exploits in the Unix world rely on creating temporary files in the /tmp standard folder which are not always deleted after the system hack. The same is true for some worms known to infect Unix systems; they recompile themselves in the /tmp folder and use it as 'home'.
* Modified system binaries such as 'login', 'telnet', 'ftp', 'finger' or more complex daemons, 'sshd', 'ftpd' and the like. After breaking into a system, a hacker usually attempts to secure access by planting a backdoor in one of the daemons with direct access from the Internet, or by modifying standard system utilities which are used to connect to other systems. The modified binaries are usually part of a rootkit and generally, are 'stealthed' against direct simple inspection. In all cases, it is a good idea to maintain a database of checksums for every system utility and periodically verify them with the system offline, in single user mode.
* Modified /etc/passwd, /etc/shadow, or other system files in the /etc folder. Sometimes hacker attacks may add a new user in /etc/passwd which can be remotely logged in a later date. Look for any suspicious usernames in the password file and monitor all additions, especially on a multi-user system.
* Suspicious services added to /etc/services. Opening a backdoor in a Unix system is sometimes a matter of adding two text lines. This is accomplished by modifying /etc/services as well as /etc/ined.conf. Closely monitor these two files for any additions which may indicate a backdoor bound to an unused or suspicious port.
reference:http://www.ids-sax2.com/articles/DetectHackerAttack.htm

What is Network intrusion detection system

A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.

The NIDS does this by reading all the incoming packets and trying to find suspicious patterns. If, for example, a large number of TCP connection requests to a very large number of different ports are observed, one could assume that there is someone committing a "port scan" at some of the computer(s) in the network. It also (mostly) tries to detect incoming shellcodes in the same manner that an ordinary intrusion detection systems does.

A NIDS is not limited to inspecting incoming network traffic only. Often valuable information about an ongoing intrusion can be learned from outgoing or local traffic as well. Some attacks might even be staged from the inside of the monitored network or network segment, and are therefore not regarded as incoming traffic at all.

Often, network intrusion detection systems work with other systems as well. They can for example update some firewalls' blacklist with the IP addresses of computers used by (suspected) crackers.

Certain DISA documentation, such as the Network STIG, uses the term NID to distinguish an internal IDS instance from its outward-facing counterpart.

http://www.ids-sax2.com/articles/NetworkIntrusionDetectionSystem.htm

What is Intrusion detection system

This article is about the computing term. For other uses, see Burglar alarm.
http://www.ids-sax2.com/articles/IntrusionDetectionSystem.htm


An Intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling of computer systems, mainly through a network, such as the Internet. These attempts may take the form of attacks, as examples, by crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic.
An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).
An IDS can be composed of several components: Sensors which generate security events, a Console to monitor events and alerts and control the sensors, and a central Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received. There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance.


Contents
1 Types of Intrusion-Detection systems
2 Passive system vs. reactive system
3 IDS evasion techniques
4 Development


Types of Intrusion-Detection systems


In a network-based intrusion-detection system (NIDS), the sensors are located at choke points in network to be monitored, often in the demilitarized zone (DMZ) or at network borders. The sensor captures all network traffic and analyzes the content of individual packets for malicious traffic. In systems, PIDS and APIDS are used to monitor the transport and protocols illegal or inappropriate traffic or constructs of language (say SQL). In a host-based system, the sensor usually consists of a software agent, which monitors all activity of the host on which it is installed. Hybrids of these two systems also exist.
A network intrusion detection system (NIDS) is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. Network Intrusion Detection Systems gain access to network traffic by connecting to a hub, network switch configured for port mirroring, or network tap. An example of a NIDS is Snort.
A protocol-based intrusion detection system (PIDS) consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system). For a web server this would typically monitor the HTTPS protocol stream and understand the HTTP protocol relative to the web server/system it is trying to protect. Where HTTPS is in use then this system would need to reside in the "shim" or interface between where HTTPS is un-encrypted and immediately prior to it entering the Web presentation layer.
An application protocol-based intrusion detection system (APIDS) consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application specific protocols. For example; in a web server with database this would monitor the SQL protocol specific to the middleware/business-login as it transacts with the database.
A host-based intrusion detection system (HIDS) consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/acl databases) and other host activities and state. An example of a HIDS is OSSEC.
A hybrid intrusion detection system combines two or more approaches. Host agent data is combined with network information to form a comprehensive view of the network. An example of a Hybrid IDS is Prelude.

Passive system vs. reactive system


In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and or owner. In a reactive system, also known as an intrusion prevention system (IPS), the IDS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. This can happen automatically or at the command of an operator.
Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system which terminates connections is called an intrusion prevention system, and is another form of an application layer firewall.
The term IDPS is commonly used to refer to hybrid security systems that both "detect" and "prevent".

IDS evasion techniques


Intrusion detection system evasion techniques bypass detection by creating different states on the IDS and on the targeted computer. The adversary accomplishes this by manipulating either the attack itself or the network traffic that contains the attack.

Development


A preliminary concept of an IDS began with James P. Anderson and reviews of audit trails.[1] An example of an audit trail would be a log of user access.
Fred Cohen noted in 1984 (see Intrusion Detection) that it is impossible to detect an intrusion in every case and that the resources needed to detect intrusions grows with the amount of usage.
Dorothy E. Denning, assisted by Peter Neuman, published a model of an IDS in 1986 that formed the basis for many systems today.[2] Her model used statistics for anomaly detection, and resulted in an early IDS at SRI named the Intrusion detection expert system (IDES), which ran on Sun Workstations and could consider both user and network level data.[3] IDES had a dual approach with a rule-based Expert System to detect known types of intrusions plus a statistical anomaly detection component based on profiles of users, host systems, and target systems. Lunt proposed adding an Artificial neural network as a third component. She said all three components could then report to a resolver. SRI followed IDES in 1993 with the Next-generation Intrusion Detection Expert System (NIDES).[4]
The Multics intrusion detection and alerting system (MIDAS), an expert system using P-BEST and LISP, was developed in 1988 based on the work of Denning and Neuman.[5] Haystack was also developed this year using statistics to reduce audit trails.[6]
Wisdom & sense (W&S) was a statistics-based anomaly detector developed in 1989 at the Los Alamos National Laboratory.[7] W&S created rules based on statistical analysis, and then used those rules for anomaly detection.
In 1990, the Time-based inductive machine (TIM) did anomaly detection using inductive learning of sequential user patterns in Common LISP on a VAX 3500 computer.[8] The Network Security Monitor (NSM) performed masking on access matrices for anomaly detection on a Sun-3/50 workstation.[9] The Information Security Officer's Assistant (ISOA) was a 1990 prototype that considered a variety of strategies including statistics, a profile checker, and an expert system.[10] ComputerWatch at AT&T Bell Labs used statistics and rules for audit data reduction and intrusion detection.[11]
Then, in 1991, researchers at the University of California created a prototype Distributed intrusion detection system (DIDS), which was also an expert system.[12] The Network anomaly detection and intrusion reporter (NADIR), also in 1991, was a prototype IDS developed at the Los Alamos National Laboratory's Integrated Computing Network (ICN), and was heavily influenced by the work of Denning and Lunt.[13] NADIR used a statistics-based anomaly detector and an expert system.
The Lawrence Berkeley National Laboratory announced Bro in 1998 which used its own rule language for packet analysis from libpcap data.[14] Network Flight Recorder (NFR)in 1999 also used libpcap.[15] APE was developed as a packet sniffer, also using libpcap, in November, 1998, and was renamed Snort one month later.[16]
The Audit data analysis and mining (ADAM) IDS in 2001 used tcpdump to build profiles of rules for classifications.[17]