Botnets - The killer web applications

Chapter 5

Techniques
Intrusion Detection
Darknets, Honeypots, and Other Snares
Forensics Techniques and Tools for Botnet Detection
Summary
Solutions Fast Track
Frequently Asked Questions


Introduction

In this chapter we look at tools and techniques commonly used for botnet detection. By definition, this is a big subject, and we only touch lightly on some ideas and tools. For example, the popular open-source Snort intrusion detection system is mentioned, but Snort is a very complex package, and we can’t do it justice in a few pages. In addition to skimming over some tools, we mention a few techniques that are commonly used either to prevent malware such as botnets in the first place or to help in detection, prevention, or post-attack cleanup.

First we’ll discuss abuse reporting, because it could turn out that your enterprise simply receives e-mail telling you that you seem to have a botnet client on your premises. (Of course, it’s better if you are proactive and try to control your network in the first place.) Then we will talk about common network-monitoring tools, including sniffers, as well as confinement techniques, including firewalls and broadcast domain management. We will touch on common intrusion detection systems, including virus checkers and the Snort IDS. We also mention the role darknets, honeypots, and honeynets have to play. Last we touch on host forensics. One thread through all this discussion to which we should draw your attention is the important part that logging and log analysis play at both the network and host levels. For example, firewall, router, and host logs (including server logs) could all show attacks. We cannot do the subject of log analysis justice, but we can and will at least give a few pointers on how to use them.

Abuse

One possible way to learn about botnets in your enterprise is if someone sends you e-mail to tell you about it. We typically refer to this as abuse e-mail. The basic idea is that someone out there on the Internet has decided to complain about something they think is wrong related to your site. This might include spam (from botnet clients), scanning activity (botnet clients at work), DoS attacks, phishing, harassment, or other forms of perceived “abuse.” The convention is that you have administrative contacts of some form listed at regional Internet registry sites such as ARIN, APNIC, LACNIC, or RIPE
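A practical check that follows from the registry convention above is to confirm what abuse contact is actually published for one of your own netblocks; the added example below (not from the book) parses a registry response in RDAP form and pulls out every entity carrying the "abuse" role. RDAP as the lookup protocol is an assumption the text does not state, and the network handle, organisation and e-mail addresses in the sample are constructed.

```python
import json

# Constructed sample in the shape of an RDAP "ip network" response (RFC 9083),
# the format the regional registries (ARIN, APNIC, LACNIC, RIPE) serve today.
# Handles, names and addresses below are made up for illustration.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "ip network",
    "handle": "NET-192-0-2-0-1",
    "startAddress": "192.0.2.0",
    "endAddress": "192.0.2.255",
    "entities": [
        {"handle": "ORG-EX1", "roles": ["registrant"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Example Org"]]],
         # Abuse contacts are often nested under the registrant entity.
         "entities": [
             {"handle": "ABUSE-EX1", "roles": ["abuse"],
              "vcardArray": ["vcard", [
                  ["fn", {}, "text", "Example Abuse Desk"],
                  ["email", {}, "text", "abuse@example.net"]]]}]},
        {"handle": "ADMIN-EX1", "roles": ["administrative"],
         "vcardArray": ["vcard", [["email", {}, "text", "noc@example.net"]]]},
    ],
})


def _walk_entities(entities):
    """Yield every entity, including those nested inside other entities."""
    for ent in entities or []:
        yield ent
        yield from _walk_entities(ent.get("entities"))


def _vcard_values(entity, prop):
    """Return the text values of one jCard property (e.g. 'email', 'fn')."""
    _, props = entity.get("vcardArray", ["vcard", []])
    return [p[3] for p in props if p[0] == prop and len(p) > 3]


def abuse_contacts(rdap_json):
    """Map each entity with the 'abuse' role to its published e-mail addresses.

    An empty result means no abuse contact is published for the network,
    which is itself something to fix: complaints will go astray.
    """
    doc = json.loads(rdap_json)
    found = {}
    for ent in _walk_entities(doc.get("entities")):
        if "abuse" in ent.get("roles", []):
            found[ent["handle"]] = _vcard_values(ent, "email")
    return found


if __name__ == "__main__":
    print(abuse_contacts(SAMPLE_RDAP))  # {'ABUSE-EX1': ['abuse@example.net']}
```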
