SANS InfoSec Reading Room - Intrusion Detection

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

Featuring 82 papers as of Nov 8, 2009
PDF Harness the Power of SIEM
By: Dereck Haye (posted on October 6, 2009)
Defending against the Conficker worm and other viruses: how it is possible to take individual security updates and, in a SIEM architecture, combine them with other metrics to enhance and tune detection capabilities.
PDF An Inexpensive Wireless IDS using Kismet and OpenWRT
By: Jason Murray (posted on May 4, 2009)
The discipline of network security has as one of its goals the protection of critical business network traffic. There are a number of preventative methods that can be employed to ensure that a network is designed well, but attackers will still attempt to exploit weaknesses to gain access to important business data and systems.
PDF Snort 3.0 Beta 3 for Analysts
By: Doug Burks (posted on April 15, 2009)
This paper will demonstrate how analysts can begin experimenting with Snort 3.0 today by manually compiling the source code or by simply downloading a preconfigured bootable CD. This paper will also discuss the design of Snort 3.0 and its new features, such as multithreading, native inline bridging, dynamic reconfiguration, and native IPv6 support.
PDF Capturing 10G versus 1G Traffic Using Correct Settings!
By: Emilio Valente (posted on March 17, 2009)
In this paper, I will describe the steps needed to tune the host TCP/IP stack for optimal throughput for use with 1 GigE network interfaces and 10 GigE network interfaces.
PDF Detecting and Preventing Anonymous Proxy Usage
By: John Brozycki (posted on November 6, 2008)
This paper explores methods organizations may use to detect and prevent anonymous proxy usage.
PDF Intrusion Detection Likelihood: A Risk-Based Approach
By: Blake Hartstein (posted on November 5, 2008)
The goal of this paper is to highlight the useful aspects of Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS).
PDF Intel IXP Network Processor Based Intrusion Detection
By: Greg Pangrazio (posted on October 16, 2008)
This paper will introduce the IXP series processors as well as outline the steps to create a functioning Snort based IDS on the IXP 425.
PDF Network IDS & IPS Deployment Strategies
By: Nicholas Pappas (posted on April 11, 2008)
Information systems are more capable today than ever before. Society increasingly relies on computing environments ranging from simple home networks, commonly attached to high speed Internet connections, to the largest enterprise networks spanning the entire globe. Filing one's tax return, shopping online, banking online, or even reading news headlines posted on the Internet are all so convenient. This increased reliance and convenience, coupled with the fact that attacks are concurrently becoming more prevalent, has consequently elevated the need to have security controls in place to minimize risk as much as possible.
PDF Challenges of Managing an Intrusion Detection System (IDS) in the Enterprise
By: Russell Meyer (posted on March 28, 2008)
PDF Detecting and Preventing Unauthorized Outbound Traffic
By: Brian Wippich (posted on October 29, 2007)
PDF Distilling Data in a SIM: A Strategy for the Analysis of Events in the ArcSight ESM
By: James Voorhees (posted on October 12, 2007)
PDF Tuning an IDS/IPS From The Ground UP
By: Brandon Greenwood (posted on September 27, 2007)
PDF Detecting and Preventing Rogue Devices on the Network
By: Ibrahim Halil Saruhan (posted on August 13, 2007)
PDF Assumptions in Intrusion Detection - Blind Spots in Analysis
By: Rodney Caudle (posted on March 28, 2007)
This paper examines one of the assumptions that form the foundations of packet analysis. A discussion of an approach to analyzing protocol stacks is presented. This approach can be used to determine gaps in the protocol stack where an analyst can be misled.
PDF Enhancing IDS using Tiny Honeypot
By: Richard Hammer (posted on November 13, 2006)
This paper will describe how to install, use, and deploy Tiny Honeypot (THP), written by George Bakos [Bakos, 2002], and then use the data returned by THP to write custom IDS rules. THP completes the incoming connection, records the data received, can return custom responses, and can simulate any application layer protocol. Completing the TCP connections allows the IDS to see the data payload instead of just the connection attempt.
PDF Passive Application Mapping
By: Benjamin Small (posted on October 27, 2006)
Passive Application Mapping (PAM) is a solution for this problem. In this paper I cover the topics that are vital to understanding and utilizing PAM. I also cover the commercial and public efforts that incorporate PAM to better aid in Intrusion Analysis and network maintenance.
PDF A Framework to Collect Security Events for Intrusion Analysis
By: Jim Chrisos (posted on April 3, 2006)
This paper describes a framework to help security personnel have a starting point with which to collect and view security events from devices capable of reporting via syslog. Ideally, the reader will be able to follow along and use this paper in a way similar to a how-to reference guide.
PDF Solaris 10 Filesystem Integrity Protection Using Radmind
By: Sam Wilson (posted on May 17, 2005)
This report is intended to provide information of value to security engineers who are choosing among various solutions to protect their Solaris systems from undesirable changes. In particular, the open-source product "Radmind" is described so it may be effectively compared to other, perhaps more well-known, commercial and open-source filesystem integrity applications.
PDF Understanding Wireless Attacks and Detection
By: Christopher Low (posted on May 17, 2005)
This paper introduces wireless attacks from an OSI layer 2 perspective and attempts to understand how wireless attacks can be detected by looking at wireless frames at these layers.
PDF A Honeypot Based Worm Alerting System
By: Jeff Kloet (posted on May 5, 2005)
Network administrators are always looking for simple and effective ways to make their company networks more secure and resilient from worms and viruses.
PDF Building a tripwire System for SQL Server
By: Frank Ress (posted on May 5, 2005)
Tripwire is a well known host-based Intrusion Detection System (IDS) that is available for a wide range of operating systems in both commercial and noncommercial versions.
PDF Maintaining a Secure Network
By: Robert Droppleman (posted on August 15, 2004)
Maintaining a secure network connected to the Internet is becoming more difficult as time goes on. New viruses are released daily, and higher machine speeds and more sophisticated and automated tools mean that hackers can scan and attack wide sections of the Internet at a time.
PDF Enforcing Policy at the Perimeter
By: Derek Buelna (posted on July 25, 2004)
The rapid deployment of security patches and anti-virus updates has become a basic need within most IT organizations. The time between the disclosure of a vulnerability and its exploitation continues to decrease while vulnerabilities are becoming easier to exploit and are increasingly severe. Locally enforcing security policy on a large number of computers can be a challenge but keeping remote (VPN or dial-up connected) computers up to date can prove even more difficult.
PDF Algorithm-based Approaches to Intrusion Detection and Response
By: Alexis Cort (posted on June 9, 2004)
Computer and network intrusions have been with us since the introduction of the computer, but intrusion detection systems are still somewhat new to the market (first implementations started in the early 1990s).
PDF Running a World Class Intrusion Detection Program: More Than Just Picking the Right Tool
By: JD Aupperle (posted on May 2, 2004)
In today's security landscape, Intrusion detection systems have joined firewalls as "must have" tools, but getting the greatest benefit from these devices requires much more than a deploy and move on strategy.
PDF Understanding IPS and IDS: Using IPS and IDS together for Defense in Depth
By: Ted Holland (posted on May 2, 2004)
Over the past few years many papers and books have included articles explaining and supporting either Intrusion Detection Systems (IDS) or the newer technology on the security block, Intrusion Prevention Systems (IPS).
PDF Enterprise Security Management Reducing the Pain of Managing Multiple IDS Systems
By: David Leadston (posted on March 25, 2004)
ESM is an emerging market space within the security technology arena that consists of several vendors who provide a holistic view of all your security device information.
PDF IDS Burglar Alarms: A How-To Guide
By: Mark Embrich (posted on March 2, 2004)
The goal of this paper is to make the task of building Intrusion Detection burglar alarms less daunting, and it incorporates modular "how-to" guides.
PDF Intrusion detection evasion: How Attackers get past the burglar alarm
By: Corbin Del Carlo (posted on December 13, 2003)
The purpose of this paper is to show methods that attackers can use to fool IDS systems into thinking their attack is legitimate traffic.
PDF Wanted Dead or Alive: Snort Intrusion Detection System
By: Mark Eanes (posted on December 13, 2003)
A review of IDS deployment strategies using hubs, switches, or taps and a brief discussion on IDS implementation on the network is presented in this paper.
PDF Secure Setup of a Corporate Detection and Scanning Environment
By: Dieter Sarrazyn (posted on December 13, 2003)
This paper covers the secure deployment of a distributed intrusion detection environment as well as the secure deployment of a distributed vulnerability scanning environment.
PDF Snort Alert Collection and Analysis Suite
By: Chip Calhoun (posted on November 6, 2003)
This document outlines separating Snort IDS Collection and Analysis Suite duties across a minimum of three servers (Snort sensor, MySQL database and an ACID web server) to gain optimal coverage and performance.
PDF Distributed NIDS: A HOW-TO Guide
By: Alan McCarty (posted on November 6, 2003)
This paper discusses the design, installation, configuration and monitoring of an NIDS, and provides the reader with a fully functional and powerfully distributed NIDS as a result.
PDF Intrusion Detection Is Dead. Long Live Intrusion Prevention!
By: Timothy Wickham (posted on October 31, 2003)
This practical will demonstrate the limitations and drawbacks of intrusion detection as well as the reasons why intrusion prevention is a vastly better method of securing a network.
PDF An Overview of PureSecureTM
By: Jeffrey Slonaker (posted on October 31, 2003)
This paper's objective was to examine the role of the Intrusion Detection System (IDS) in modern security strategies, establish a set of criteria for IDS evaluation, investigate the functionality of PureSecureTM, an application developed and marketed by Demarc Security, and present conclusions concerning its desirability as a working IDS.
PDF Installing, Configuring, and Testing The Deception Tool Kit on Mac OS X
By: Jon Lucenius (posted on October 31, 2003)
This paper will introduce a Honey Pot known as the Deception Tool Kit (DTK) written by Fred Cohen. It will give an overview of what the DTK is, where to obtain it, how it works, and offers advice about when it should be deployed.
PDF Intrusion Prevention - Part of Your Defense in Depth Architecture?
By: Roberta Spitzberg (posted on October 31, 2003)
This paper will explore Intrusion Protection Systems (IPS) from the perspective of using IPS as part of a Defense in Depth strategy.
PDF Securing a Windows Snort Sensor for Hostile Environments
By: Michael Wunsch (posted on October 31, 2003)
This white paper documents how to secure a Windows' Snort sensor for deployment into extremely hostile environments.
PDF IDMEF "Lingua Franca" for Security Incident Management
By: Douglas S. Corner (posted on October 31, 2003)
This paper examines the relationship of the Intrusion Detection Working Group specifications to transfer protocols, as well as giving an overview of the specifications themselves.
PDF Intelligent Correlator for NIDS
By: Marco Bove (posted on October 31, 2003)
The goal of this work is the realization of a prototype of a system that reduces the number of false positives of a NIDS by triggering real-time collection of information upon alert reception.
PDF Logfile Analysis: Identifying a Network Attack
By: Michael Fleming (posted on October 31, 2003)
Although all parts of the backup strategy are equally important, this paper will focus on the backup script and will detail a flexible backup script that uses built-in Solaris software tools which create a reliable local backup of a Solaris machine running Oracle.
PDF How to Choose Intrusion Detection Solution
By: Baiju Shah (posted on October 31, 2003)
This paper discusses how intrusion detection systems are crucial in securing any system, but their effectiveness comes only from proper planning, deploying, monitoring, and responding to intrusions.
PDF Using Snort v1.8 with SnortSnarf on a RedHat Linux System
By: Richard L. Greene (posted on October 31, 2003)
This analysis concentrates on several ways of getting the log file information from an open source IDS system called Snort. The tool that is explored for that purpose is SnortSnarf.
PDF Application of Neural Networks to Intrusion Detection
By: Jean-Philippe Planquart (posted on October 31, 2003)
This paper presents a "state of the art" of Intrusion Detection Systems, developing commercial and research tools, and a new way to improve false-alarm detection using a Neural Network approach.
PDF Understanding Intrusion Detection Systems
By: Danny Rozenblum (posted on October 31, 2003)
The paper is designed to: outline the necessity of the implementation of Intrusion Detection systems in the enterprise environment; clarify the steps that need to be taken in order to efficiently implement your Intrusion Detection System; and, describe the necessary components.
PDF Selecting an Intrusion Detection System
By: Kathleen Buonocore (posted on October 31, 2003)
This paper examines five steps to follow when selecting an intrusion detection system (IDS): identify the need, gain a general understanding of intrusion detection systems, gain a detailed understanding of the network, evaluate various IDS systems, and determine policy and procedures.
PDF Anti-IDS Tools and Tactics
By: Steve Martin (posted on October 31, 2003)
This paper focuses on Network ID Systems, and discusses the technical detail behind techniques that can be employed to counteract the utility of these systems and identifies tools that actually use the techniques described.
PDF Building and Maintaining a NIDS Cluster Using FreeBSD and Snort
By: Michael Boman (posted on October 31, 2003)
This paper describes how to build a NIDS cluster with central logging and maintenance facilities.
PDF Intrusion Detection - Systems for Today and Tomorrow
By: George Ho (posted on October 31, 2003)
This paper will examine intrusion detection systems, one of the relatively new technologies in information security. It aims to explore, at a high level, the intrusion detection systems available today, as well as new developments in the technology.
PDF Intrusion Detection Systems: An Overview of RealSecure
By: Darrin Wassom (posted on October 31, 2003)
This paper reviews one IDS, RealSecure, to describe its plusses and minuses with special emphasis on filtering out false positives.
PDF Intrusion Detection Systems: Definition, Need and Challenges
By: Abhijit Sarmah (posted on October 31, 2003)
This paper defines Intrusion Detection Systems and examines the need for such tools as well as the challenges of IDS implementation.
PDF The History and Evolution of Intrusion Detection
By: Guy Bruneau (posted on October 31, 2003)
The aim of this paper is to examine the origins of detecting, analysing and reporting of malicious activity, where it is today and where it appears to be heading in the future. Some of the many techniques and tools presently used in Network defence will be explored as well.
PDF An Informal Analysis of One Site's Attempts to Contact Host Owners
By: Laurie Zirkle (posted on October 31, 2003)
This paper will look at one system administrator's attempts to contact host owners of machines that scan or probe her network. After a brief discussion of various ways to identify possible contacts, this person's data will be used to show how different sites may respond and how probes have multiplied over a definitive period of time. The paper concludes by mentioning two projects that might help the overburdened system/network/security administrator to simplify the whole process of contacting a host owner.
PDF Black ICE 2.5 Events, False Positives and Custom Attack Signatures
By: Alan Mercer (posted on October 31, 2003)
This paper aims to help BlackICE IDS administrators by identifying and classifying some events frequently seen by IDS agents in two common deployments - on a DMZ web server and on systems within an internal (mainly Microsoft) network.
PDF Network Intrusion Detection - Keeping Up With Increasing Information Volume
By: Timothy Weber (posted on October 31, 2003)
This paper will detail ways to help a network-based IDS cope with the ever increasing volume of information that threatens its ability to fulfill its role in a defense-in-depth strategy.
PDF Host-Based Intrusion Systems for Solaris
By: Lynn Bogovich (posted on October 31, 2003)
This paper presents requirements for an Intrusion Detection System (IDS), as well as an analysis of currently available IDS software packages and a recommendation of the best HIDS package to manage a suite of Solaris machines.
PDF Protocol Anomaly Detection for Network-based Intrusion Detection
By: Kumar Das (posted on October 31, 2003)
This paper describes Intrusion Detection Systems (IDS) and compares the two main categories of detection principles, signature detection and anomaly detection; also described is a new type of anomaly detection based on protocol standards.
PDF Do I Need to Be Concerned About These Firewall Log Entries?
By: Arvid Soderberg (posted on October 31, 2003)
In this paper, I'll highlight certain entries from the firewall log file and attempt to determine the level of concern that should be associated with them.
PDF IDS - Today and Tomorrow
By: Thomas Goeldenitz (posted on October 31, 2003)
This paper is not intended to predict the future, but bring to light emerging technologies and trends in the field of IDS that could make the life of the security specialist easier (if there is such a thing).
PDF Using Snort For a Distributed Intrusion Detection System
By: Michael P. Brennan (posted on October 31, 2003)
This document will provide an option for setting up a distributed network intrusion detection system using open source tools including the intrusion detection software Snort.
PDF Host Based Intrusion Detection: An Overview of Tripwire and Intruder Alert
By: Allison Hrivnak (posted on October 31, 2003)
Choosing the right software for an intrusion detection system can be a challenging task that often requires extensive research. While there are many different products available, Tripwire from Tripwire Inc. and Symantec's Intruder Alert offer two possible solutions for a host-based intrusion detection system.
PDF Suspicious Unix Log File Entries and Reporting Considerations
By: Cathy Gresham (posted on October 31, 2003)
In my Kickstart paper I covered basic Unix log files with a configuration file that gathered everything. I would like to expand on that and now cover messages found in those log files that would cause concern and require further investigation.
PDF A Tool for Running Snort in Dynamic IP Address Assignment Environment
By: Shin Ishikawa (posted on October 31, 2003)
The purpose of this paper is to detail the creation of a small tool program which aids the operation of the Snort IDS in a dynamically assigned IP address environment.
PDF Intrusion Detection Interoperability and Standardization
By: Pravin Kothari (posted on October 31, 2003)
This paper presents the motivation for such standardization efforts and an overview of a potential standard - IDMEF along with its communication protocol IDXP.
PDF Network IDS: To Tailor, or Not to Tailor
By: Jon-Michael C. Brook (posted on October 31, 2003)
The following discussion centers on the benefits and detractors of rule-based Intrusion Detection Tailoring, and how, overall, it is best to leave tailoring for Network IDS systems to the product vendors.
PDF SSH and Intrusion Detection
By: Heather M. Larrieu (posted on October 31, 2003)
This paper outlines the role and issues with the use of the SSH protocol, types and methods of intrusion detection, and proposes techniques and an architecture for an intrusion detection system that uses the SSH daemon as a sensor.
PDF The Design and Theory of Data Visualization Tools and Techniques
By: Brian K. Sheffler (posted on October 31, 2003)
The purpose of this paper is to inform and educate security professionals about the analytical potential of using a tool or technique that renders visual representations of the data/traffic that traverses a given network. The emphasis is on the design and theory behind such tools. Included are examples of data visualization products that are commercially available.
PDF Intrusion Detection with MOM - Going Above the Wire
By: Don Murdoch (posted on October 31, 2003)
In this paper, Microsoft Operations Manager 2000 (hence, MOM) will be discussed as a tool to aid the analyst in understanding what occurs within the operating system and the application level.
PDF A Practical Guide to Running SNORT on Red Hat Linux 7.2 and Management Using IDS Policy Manager MySQL
By: William Metcalf (posted on October 31, 2003)
This paper demonstrates how to set up Snort on Red Hat 7.2 and how to manage your sensor and view alerts from your Windows 2000 workstation.
PDF A Thousand Heads Are Better Than One - The Present and Future of Distributed Intrusion Detection
By: Robert Zuver (posted on October 31, 2003)
This paper will focus on intrusion detection systems in general, and specifically on two examples of the most promising new weapon in the battle against Internet hackers and worms: distributed intrusion detection.
PDF Snort Install on Win2000/XP with Acid, and MySQL
By: Christina Neal (posted on October 31, 2003)
This paper is designed with as much detail as possible to help "newbies" easily install and configure Snort 1.8.6 on Windows 2000/XP.
PDF A Single IDS Console Please: ManHunt 2.1 Pilot Test
By: Scott Reynolds (posted on October 31, 2003)
The paper discusses the implementation of ManHunt, the protocol-anomaly-based NIDS offered by Recourse Technologies, in a pilot that was evaluated against the high-level functional requirements detailed in the following case study.
PDF Doing My Part - Sending Data to the Internet Storm Center
By: Sydney Jensen (posted on October 31, 2003)
This paper documents the procedure that I set up to automate collecting and sending intrusion attempt information to Incidents.org and the Internet Storm Center, then discusses my results and some possible next steps.
PDF Hands in the Honeypot
By: Kecia Gubbels (posted on October 31, 2003)
This paper focuses on the description and analysis of honeypots as well as how and where they are used. I describe the process of setting up and running a honeypot.
PDF Intrusion Prevention Systems - Security's Silver Bullet?
By: Dinesh Sequeira (posted on October 31, 2003)
This paper takes a look at Intrusion Prevention Systems (IPS), the technology behind these systems, why we need them, how they function, their pros and cons, and lists some highly rated products.
PDF Distributed Intrusion Detection Systems: An Introduction and Review
By: Royce Robbins (posted on October 31, 2003)
A number of dIDS with global scope have been active for several years, and five of these are discussed and compared with each other in terms of focus, data source, notification tools, available agents, statistical reporting tools and linkage to security and vulnerability information.
PDF The Human Factor - Adding Intelligence and Action to Intrusion Detection
By: Daniel Hill (posted on October 31, 2003)
This paper explores the current state of Intrusion Detection Systems (IDS) technology, identifies system requirements and essential elements in the context of an overall architecture; and it highlights several systems, available today, that fit nicely into the suggested architecture.
PDF Turning the tables: Loadable Kernel Module Rootkits deployed in a honeypot environment
By: Jonathan Rose (posted on October 31, 2003)
This paper addresses the topic of honeypots, which are one of the latest technologies available to track and monitor hackers and Internet attackers.
PDF Archiving Event Logs
By: Jim Stansbury (posted on October 31, 2003)
Archived event logs often play an important role in the detection, investigation, and prosecution of a computer crime or other computer misuse.
PDF The Keep Within the Castle Walls - An Experiment in Home Network Intrusion Detection
By: Gary Wallin (posted on October 31, 2003)
The author describes how to set up Snort 1.9.1 on a virtual Linux machine, including before and after scenarios.
PDF Choosing an Intrusion Detection System that Best Suits your Organization
By: Dennis Mathew (posted on September 16, 2002)
A discussion of the nature of an IDS as well as a review of the various types of IDSs on the market, with the varied approaches they take to detect intruders.
PDF Fundamental Honeypotting
By: Justin Mitchell (posted on )