427 Botnet fm qxd

Download 6,98 Mb.

Pdf ko'rish

bet	128/387
Sana	03.12.2022
Hajmi	6,98 Mb.
	#878307

1 ... 124 125 126 127 128 129 130 131 ... 387

Bog'liq
Botnets - The killer web applications

Intrusion Detection
A straightforward definition of intrusion detection from Robert Slade’s
Dictionary of Information Security
(Syngress, 2006) is “an automated system for
www.syngress.com
Botnet Detection: Tools and Techniques • Chapter 5
155
427_Botnet_05.qxd 1/9/07 9:59 AM Page 155

alerting an operator to a penetration or other contravention of a security
policy.”This does, however, leave open the question of exactly what an IDS
monitors. Commonly, IDS sensors check network packets, system files, and
log files.They may also be set up as part of a system (a darknet or honeynet)
set up to trap or monitor intrusive activity, and some of these program types
are considered in this chapter.
Intrusion detection systems (IDSes)
are usually considered as falling into one
of two main types—either
host based (HIDS)
or
network based (NIDS).
Both
these types are usually subdivided according to monitoring algorithm type,
the two main types being signature detection and anomaly detection. (If you
prefer, you can consider HIDS and NIDS as subdivisions of signature detec-
tion and anomaly detection; it works as well for us either way.)
A NIDS monitors a network, logically enough; it sees protected hosts in
terms of the external interfaces to the rest of the network, rather than as a
single system, and gets most of its results by network packet analysis.This
makes it an effective approach to detecting particular types of attack:
■
Denial-of-service (DoS) attacks, detected by specific signatures or by
traffic analysis
■
Port scans (scanning for a range of open/listening ports) and port
sweeps (scanning for a single listening port on a range of hosts)
■
Specific probe/attack signatures—for instance, the following signa-
ture, or a substring, is/was used by many IDSes for Code Red. We’ll
discuss signatures in more depth shortly.
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0
You shouldn’t restrict a NIDS to monitoring traffic coming in from the
Internet. Ingress filtering can be helpful in monitoring global bot-related
activity (not to mention bringing it to your attention that you’re being hit by
a DoS attack!). However, monitoring outgoing traffic (egress filtering) and

Download 6,98 Mb.

Do'stlaringiz bilan baham:

1 ... 124 125 126 127 128 129 130 131 ... 387