4 Days Left to Save $400 on SANSFIRE 2017

IDFAQ: Setting up a simple inexpensive ($39.95) host intrusion detection system.

Perry Dollar
January 20, 2001


To demonstrate knowledge of intrusion detection as explained at the Washington D.C. Sans conference. Selection Criteria: Everyone needs to know who is trying to enter their network or computer and why. This is one of the "defense in depth" techniques that demonstrate best practices are in use.


White hat attacks: Attacks on a network or computer instituted for good. To determine weaknesses in the attacked system for learning purposes. Reporting Authority: The authority designated by your management as the person(s) or group or agency you report intrusions to.

Similar Topics:

Personal Firewalls World Wide Web Security FAQ Self-Testing your own security

Main Text:

A good intrusion detection tool (IDT) should detect a multitude of intrusion attempts. In addition, it should have the ability to log all attempts. It would be even nicer if it could back trace the IP address of the intruder. And to top of the feature set it would be nice if the tool gave you advice about how to proceed, if you wanted to report the intrusion.

I found this product to have intrusion detection capabilities quite by accident. What I thought I was buying was a personal firewall on a computer inside a government research network. Since this was the computer I used to conduct my daily activities, I wanted an extra measure of protection for this one computer, beside the usual firewall equipment installed. It's important to note that this tool does not relieve you of applying the latest patches to your computer(s) or hardening them against attacks such as setting up a three - time bad password lockout, removing Administrator as a user name, disabling the Guest account or at least applying a secure password of 8 or more characters, and other forms of hardening. For more information browse to http://store.sans.org/store_item.php?item=20 or http://www.microsoft.com/security for more details.

Because the Government had recently done poorly on a security evaluation from GSA, a group external to our network was hired to determine weaknesses in security. They subjected my network, as well as many other agencies to various "white hat" attacks. They felt, quite correctly, that the best way to find the weaknesses was to exploit different agencies using "Hacker" methods.

This dandy little IDT shot off like crazy and allowed me to correctly report all the different exploits they used against my network. Because they scanned my entire network my computer became one of the targets. I was able to tell them what source IP address and what exploits were used in the attack as well as when it occurred, and was able to give evidence log files of the event to my reporting authority.

So, what is a $39.95 IDT that can perform all the things mentioned in the previous paragraphs? The Black Ice Defender personal firewall. You can get it at: http://www.networkice.com/products/soho_solutions.html.

Let me explain. This firewall has the ability to back trace the intruder. It will record his IP address and DNS as well as return little or no information about your computer to the intruder. For purposes of this "Practical" I purchased a copy of this IDT and installed it on a Windows 98 computer. After the basic installation using the defaults, and before any stealth activity could occur this is what the log looks like:

figure 1

Notice the advICE button above, which we will come back to.

Then I went to Steve Gibson's website (https://grc.com/x/ne.dll?bh0bkyd2) and ran their external testing tool called Shields Up!. This site will test your firewall (with your permission) and will also look for the more common open ports as seen by someone across the internet. This will be our "hacker" simulator. Black Ice Defender works exactly like this if your computer is on an intranet or just a LAN running TCP/IP. First I ran the security test for the firewall:

The IP address above is correct, because I ran IPCONFIG from a DOS prompt just before performing the test. My ISP assigns me a temporary IP address when I dial in, then leases it to someone else when I hang up. Net bios also did not exist according to these tests.

Then I ran the ports test with the following two screens as the result:

figure 2


figure 3

So it looks like the firewall part is working well. Also note that this is the default installation and that I am accessing the internet just fine. Zone Alarm, another personal firewall, (http://www.zonealarm.com/) requires a lot of configuration and has to ask you every time it encounters a new connection. There is another test on Steve's site that you may want to try - called Leak Test. This one Black Ice Defender fares poorly on while Zone Alarm does well at.

Well we now have simulated an attack on our computer. Somewhere in the middle of this testing the Black Ice Defender Icon changed color and started blinking wildly at me from the Task Bar. Let's look at what information has been obtained from Black Ice Defender.

First let's look at the Attacks Log:

figure 4

All the probe exploits are clearly shown in the log. It catches the number of attempts, the exact time it occurred, and who was doing it. Notice I have highlighted one particular exploit.

If I now click on the advICE button, I get advice on what this exploit means and what to do next:

figure 5

Suppose I want to report the intruder to my reporting authority. As indicated in the previous screen shot, there are URL's to link you to more advice like "How do I report the hacker to my ISP?". If you click on that you get:

figure 6

Of course you need to have enough knowledge about the types of network activity that normally comes across your computer or network and what might just be an accident to prevent acting on false positives. Assuming you know the difference and you wish to report this activity, you can copy the IP address from the intruders tab into the submit box as above, and find out what ISP or Website administrator to contact. In this case Verio is the ISP:

figure 7

So we see that this tool makes a dandy host-based IDT. You get all you need to make a proper report to your reporting authority, as well as a pretty good personal firewall. Of course this is not the proper tool for enterprise or network based intrusion detection, but Network Ice also sells that.

There are also several other personal firewalls on the market you should investigate: http://www.zdnet.com/products/stories/reviews/0,4161,2669359,00.html. For a small office or home network of two or three computers, this may be all you need. Ultimately what you want to do is make it so difficult for the intruder that, like a car thief who bypasses the cars with an alarm system, he or she will most likely pick an easier target. If not, you have the tool that can report him or her to the authorities.

For Further Information:
See the following web sites: