Botnets - The killer web applications

www.syngress.com
158
Chapter 5 • Botnet Detection: Tools and Techniques
427_Botnet_05.qxd 1/9/07 9:59 AM Page 158


Products in this area range from heavy-duty, expensive network appliances and full-scale commercial intrusion management software to open-source packages such as Snort, which we’ll look at in some detail. Why Snort? Because it’s a good example of open-source security software at its best, for which documentation is widely available. There are many ways of implementing IDS, but knowing a little about the internals of Snort will give you some general understanding of the principles, using a tool that is—although essentially signature based—also capable of some types of anomaly detection.

Not every IDS fits conveniently into the categories defined here. Many systems are hybrid: Even Snort, which we consider later on and which falls squarely into the NIDS-plus-signature-detection bag, can be used to implement forms of detection close to anomaly detection (we include an example of a Snort signature that filters e-mail attachments with anomalous filename extensions), and the distinction isn’t always realistic. There are a number of obvious ways of looking for botnet activity at the host level:

■ Check executable files for known malicious code or characteristics that suggest that the code is malicious.

■ Check settings such as the Windows registry for signs of malicious code.

■ Check local auditing facilities for unusual activity.

■ Check file systems, mailboxes, and so on for signs of misuse, such as hidden directories containing illicit material (pornographic images, pirated applications, stolen data, and so on).

■ Check for signs of a bot doing what bots do best: misusing network services.
However, assuming the competence of your system supplier and administration, what you do is often more important than where you do it. Network services can (and arguably should) be monitored at the host level as well as at the gateway or from the center; defense in depth is good insurance.
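The anomalous-extension idea behind the Snort signature mentioned above, together with the first and last host-level checks in the list (known malicious code, misuse of network services), as an added example that is not code from the book or from Snort. It is a small Python module, not Snort rule syntax: every file path, file content, hash and connection record in it is constructed for the demo, the KNOWN_BAD set stands in for an antivirus signature database, and the 20-flow threshold in network_misuse is an assumed value, not a tuned one. The point it makes is the one the text makes: a hash match is signature detection, while "a .jpg that is really an .exe" and "one host talking to the same odd port 25 times" are detected without any signature at all.

```python
"""Host-level bot-activity checks combining signature and anomaly detection.

Added example, not code from the book or from Snort.  Every file, hash and
connection record below is constructed for the demo; none is a real indicator.
"""
import hashlib
import re
from collections import Counter

# Extensions that mark a Windows executable, and the "document" extensions a
# bot dropper typically hides one behind (holiday.jpg.exe).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DOCUMENT_EXTS = {"pdf", "doc", "xls", "jpg", "gif", "txt", "zip"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def attachment_anomalies(filename: str, executables_expected: bool = False) -> list:
    """Anomaly detection on a file name: no signature, just 'this should not
    look like that'.  For a mail attachment any executable extension is odd;
    for a file already on disk (executables_expected=True) only a disguised
    one is.  Returns the list of anomalies found, empty if none."""
    parts = [p.strip() for p in filename.lower().split(".")]
    exts = parts[1:]                 # everything after the base name
    findings = []
    if exts and exts[-1] in EXECUTABLE_EXTS and not executables_expected:
        findings.append("executable-extension")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
        findings.append("double-extension")
    # A long run of spaces before the real extension pushes it out of view in
    # mail clients and file browsers that truncate long names.
    if re.search(r"\s{5,}\.", filename):
        findings.append("padded-extension")
    return findings


def scan_host(files: dict, known_bad: set) -> list:
    """files maps path -> bytes, a stand-in for walking the file system.
    known_bad is a set of SHA-256 hex digests standing in for an AV database.
    Returns [(path, [reasons])] for every file that triggers a check."""
    report = []
    for path, data in files.items():
        reasons = []
        if sha256_hex(data) in known_bad:            # signature detection
            reasons.append("known-bad-hash")
        name = path.rsplit("/", 1)[-1]
        reasons.extend(attachment_anomalies(name, executables_expected=True))  # anomaly detection
        if reasons:
            report.append((path, reasons))
    return report


def network_misuse(connections, allowed_ports: set, threshold: int = 20) -> list:
    """connections: iterable of (dst_ip, dst_port) outbound flows from this host.
    A host that repeatedly talks to the same unexpected port is the classic
    profile of a bot checking in with its controller.  The threshold of 20
    flows is an assumed value for the demo, not a tuned one."""
    counts = Counter(port for _ip, port in connections if port not in allowed_ports)
    return sorted(port for port, n in counts.items() if n >= threshold)


# --- constructed sample data ------------------------------------------------
SAMPLE_FILES = {
    "C:/Users/bob/Downloads/holiday.jpg.exe": b"MZ\x90\x00 constructed dropper",
    "C:/Windows/system32/notepad.exe": b"MZ\x90\x00 constructed benign binary",
    "C:/Users/bob/Documents/report.pdf": b"%PDF-1.4 constructed benign document",
}
# The "signature database" knows only the constructed dropper.
KNOWN_BAD = {sha256_hex(SAMPLE_FILES["C:/Users/bob/Downloads/holiday.jpg.exe"])}

# 25 check-ins to a constructed controller on 6667, plus ordinary web traffic.
SAMPLE_CONNECTIONS = (
    [("192.0.2.10", 6667)] * 25
    + [("198.51.100.5", 443)] * 10
    + [("198.51.100.6", 80)] * 4
    + [("192.0.2.11", 8080)] * 3
)

if __name__ == "__main__":
    for path, reasons in scan_host(SAMPLE_FILES, KNOWN_BAD):
        print(f"{path}: {', '.join(reasons)}")
    print("suspicious ports:", network_misuse(SAMPLE_CONNECTIONS, {80, 443}))
```

Run stand-alone it reports the disguised dropper twice over (once by hash, once by its double extension) and flags port 6667 while leaving the three flows to 8080 below the threshold; notepad.exe is not reported, because an executable extension on a file that lives on disk is only an anomaly when it hides behind a document extension.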
Nor is the distinction between IDSes and IPSes (intrusion prevention systems) as absolute as we are often assured by market analysts. Detailed examination of IPSes isn’t really appropriate to a chapter on detection, but we’ll enumerate a few common types:
