Adeptus-Mechanicus

Main
Codex
Librarium Whitehat
Advisories
Blog Pics
"Inveniam viam aut faciam" : I will either find a way, or I shall make one


INTRUSION DETECTION SYSTEMS - A GENERAL OVERVIEW

Intrusion detection systems, or better known as IDS, are systems which can tell you about traffic.While you may question the worth of this, bear in mind that a firewall is simply a device which allows or disallows packets based upon what it's ruleset dictates, it does not actually detect attacks. Now an IDS does not detect actually detect attacks, but it does know the significance of the traffic it encounters. It does this by analyzing the data it see's and reporting anything which it deems to be worthy of interest or investigation.

Pattern Matching Mode
These systems function much like anti-virus software in that they use signature files against which they compare traffic. These signatures files contain the signatures of hundreds of attacks, and the IDS reports when it finds a match. Much like anti-virus software, these signature files need to be updated to recognize new attacks, but the cycle for this is a lot longer then it is for anti-virus scanners due to the fact that new attacks do not appear as often as new viruses.

Anomaly Detection Mode
These systems establish a baseline of traffic when they are first installed, and this baseline is used as the guideline for what "normal" traffic looks like. Any future deviation from this baseline is noted for investigation. This type of operation is useful in that it can detect new types of attacks, but the drawback is that the establishment of the baseline must be done properly in order for it to be any good. Also many legitimate changes to the network will alter the baseline, so it needs to be updated in order to function properly again.

The two modes above are ways in which an IDS attempts to find attacks, the following are a broad classification of the two types of IDS there are;

Network-Based IDS
This type of IDS is used to monitor network traffic in order to detect any attacks. Such an IDS can...
But the drawbacks of these types of  IDS are..
Host-Based IDS
This type of IDS is used to monitor a specific network machine and what happens on that machine. Instead of being worried about attacks seen on the network, this IDS is worried about who does what and what can happen on a machine. Such an IDS can...
But the drawbacks of these types of IDS are...
Weaknesses
So how do attackers defeat systems that are specifically built to detect attacks? Well here are some of the common methods...

Overwhelm
An attacker sends so much data that the IDS just cannot examine all of it and some slips past unnoticed
Web text
An attackers uses URL character codes to trigger attacks rather then using normal text
Timeouts
An attacker slows down the attack so that each part of it is seen as unrelated to one another by the IDS
Extra Characters
The attacker simply puts extra characters into the attack in order to change the attack signature
Replace Spaces
An attacker uses "tabs" rather than spaces in the attack so as to change the attack signature
Reverse Attacks
An attacker basically runs the attack in reverse to confuse the IDS
Multiple Sessions
An attacker runs each step of the attack in a separate session
Multiple Sites
An attacker uses multiple points of origin to run the attack


Here finishes a general overview of Intrusion Detection Systems, do not be put of by the weaknesses I have listed here, an IDS is an important part of your overall security infrastructure. It can give you an important heads-up for an attacks which are busy getting started. So check them out, learn and have fun.