Intrusion Detection begins with an awareness of what kind of attacks
exist on your network. Once you know what, you will want to know who.
Both of these questions are important to answer before you can create
an appropriate response. Use this information at your own risk.
Step #1: The What - Discovering Attacks
IPCop offers an interface that provides detailed information about
what kind of attacks are currently active on your network. This
information comes from its integration with Snort, a project that
focuses on discovering intrusion attempts. To access it, open IPCop,
select the Services tab and then Intrusion Detection System
Administration. This opens a page that lets you configure the Snort
rules.
The first option is to choose which interfaces Snort rules will be
applied to. In the example both the Red Zone (the Internet-facing
network card) and the Green Zone (the internal network) are checked.
This means that Intrusion Detection will cover both zones, so you will
see attacks on the outside as well as any attacks on the inside.
Attacks from the inside Green Zone will of course be critical issues
to resolve quickly.
The Snort rules are created by the organization at snort.org. You
must register to be able to use the rules. There are several choices
of rule sets, including the most current rules, which cost money.
However, the free rules, which are not as current, are a good way to
start. You must go to the snort.org site, register as a user and then
create the Oink code that will be used on the IPCop machine. Notice
that the Snort rules update for registered users has been selected,
which is the free option.
If you will be using Snort, be sure to log in to the Snort.org site,
create your Oink code and place that code in the section IPCop
provides for it.
Create Your Oink Code
Once you log into the snort.org site you will see a user interface
with a Get Code button that lets you create an Oink Code, which allows
you to download updates for the Snort rules. These rules are what
detect the kind of intrusion attempts underway on your network. When a
rule matches, an entry shows up in the logs with specific information
about what kind of attacks are current on your network.
The Snort rules generate log entries when an attack matching a rule
is seen. These logs are found under the Logs tab in the Intrusion
Detection System Log. Each entry shows the time, the chain on which it
was created, the interface, the protocol, the source IP address, the
source port, the MAC address, the destination IP address and the
destination port. All of this information is important to the defense
of your network. Below is an example of the page that will create the
Oink Code for updating the Snort rules.

Here is what a log file will look like for Snort rules, showing the
types of intrusion attempts.

When you click on the Snort ID (SID) number it will take you to the
Snort site and give you complete details on the type of intrusion
attempt that is occurring, whether outside or inside your network.
You are also able to search for specific SIDs that you need
information on.

The What is then basically answered by using the Snort interface with
IPCop, or at least it is one valuable tool in a defense. The next
important question is the Who: who is it that is making attempts to
break into or damage aspects of your network?
Step #2: The Who - Discovering the Source of Attack
IPCop is designed to help identify the source of the attack as well.
After all, an important aspect of protecting your network is knowing
where the attack is coming from. As you view the Intrusion Detection
logs you will see a source IP address and a source port. A defensive
strategy will use both of these to protect the network.
A. Source IP Address
The source IP address is the address reported as the source of the
attack. If you go to http://ip.ludost.net you can use this IP address
to determine the country the attack is coming from. You may choose to
block entire country subnets that are seen as potential problems.
If you go to the logs and click on the IP address link, gwhois will
take you to information about who is responsible for that IP address.
It provides a detailed listing of the company registered as using that
IP address. In addition, there will typically be a Security section
that allows you to contact them about abuse violations.
Caution:
No one with any intelligence would be using their own network or
machines to attack another network, as it is too easy to trace. When
you use gwhois you are typically locating a computer on a network that
is being used by someone else: a zombie, or a computer infected with a
virus. The point is that taking any offensive action will usually not
be dealing with the real person or attacker behind the machine. Use
the information you gain as a defensive measure only.
You should seriously consider blocking any IP range that is attacking
your network.
B. Source Port and Destination Port
The value of knowing the source port and destination port is that you
have the information you need to block those IP addresses from the
ports you have opened. You also know exactly which services are under
attack, so you can reevaluate the defensive measures you have for
those services.
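The log fields listed in Step #1 and the source/port analysis of Step #2 come together in a small amount of code. The following is an added example, not code from IPCop or from this article: it parses log lines carrying the fields the article names (time, chain, interface, protocol, source IP, source port, MAC, destination IP, destination port) and then answers the Who and the Which-service questions by counting sources, grouping by destination service, flagging alerts that originate inside the Green zone, and producing a block list of repeat sources. The line layout, the sample lines, the trailing SID/message columns and the 192.168.1.0/24 Green network are all assumptions made for the example; the real IPCop log page may lay its columns out differently, so adjust FIELD_RE to match whatever you export.

```python
"""Parse IPCop-style Intrusion Detection System log lines and summarise
who is hitting which service. Added example; not IPCop project code.
The line layout is an ASSUMPTION derived from the field list in the
article, not the actual IPCop log page format."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress
import re

# Constructed sample lines (not real traffic), whitespace separated, in the
# field order the article lists, plus an assumed trailing SID and message.
SAMPLE_LOG = """\
12:01:03 INPUT red0 TCP 203.0.113.7 44512 00:11:22:33:44:55 198.51.100.2 22 1:2001219 SSH brute force
12:01:09 INPUT red0 TCP 203.0.113.7 44520 00:11:22:33:44:55 198.51.100.2 22 1:2001219 SSH brute force
12:02:41 INPUT red0 TCP 203.0.113.9 51000 00:11:22:33:44:55 198.51.100.2 80 1:2100 web probe
12:03:15 FORWARD green0 UDP 192.168.1.50 3130 aa:bb:cc:dd:ee:ff 198.51.100.9 53 1:254 DNS anomaly
garbage line that should be skipped
"""

# One regex group per column; malformed lines simply fail to match.
FIELD_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<chain>\w+)\s+(?P<iface>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src_ip>[\d.]+)\s+(?P<src_port>\d+)\s+(?P<mac>[0-9a-fA-F:]{17})\s+"
    r"(?P<dst_ip>[\d.]+)\s+(?P<dst_port>\d+)\s+(?P<sid>\d+:\d+)\s+(?P<msg>.*)$"
)


@dataclass(frozen=True)
class Alert:
    time: str
    chain: str
    iface: str
    proto: str
    src_ip: str
    src_port: int
    mac: str
    dst_ip: str
    dst_port: int
    sid: str
    msg: str


def parse_log(text):
    """Return the Alert records in text; lines that do not match, or that
    carry an invalid IP address, are dropped rather than crashing the run."""
    alerts = []
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        try:
            ipaddress.ip_address(m["src_ip"])
            ipaddress.ip_address(m["dst_ip"])
        except ValueError:
            continue
        alerts.append(Alert(m["time"], m["chain"], m["iface"], m["proto"],
                            m["src_ip"], int(m["src_port"]), m["mac"],
                            m["dst_ip"], int(m["dst_port"]), m["sid"], m["msg"]))
    return alerts


def sources_by_hits(alerts):
    """Alert count per source IP address: the Who of Step #2 A."""
    return Counter(a.src_ip for a in alerts)


def services_under_attack(alerts):
    """Map each targeted (protocol, destination port) to the set of source
    IPs hitting it, so the services needing review are obvious (Step #2 B)."""
    services = defaultdict(set)
    for a in alerts:
        services[(a.proto, a.dst_port)].add(a.src_ip)
    return dict(services)


def internal_sources(alerts, green_net="192.168.1.0/24"):
    """Alerts whose source sits inside the Green zone (assumed subnet),
    which the article flags as the critical ones to resolve quickly."""
    net = ipaddress.ip_network(green_net)
    return [a for a in alerts if ipaddress.ip_address(a.src_ip) in net]


def block_candidates(alerts, threshold=2):
    """Source IPs with at least `threshold` alerts, as /32 networks ready for
    a firewall deny list. Per the article's caution these identify machines
    to block defensively, not the person behind the attack."""
    return sorted(str(ipaddress.ip_network(ip + "/32"))
                  for ip, n in sources_by_hits(alerts).items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("hits per source:", dict(sources_by_hits(parsed)))
    print("services under attack:", services_under_attack(parsed))
    print("internal sources:", [a.src_ip for a in internal_sources(parsed)])
    print("block candidates:", block_candidates(parsed))
```

The threshold and the /32 granularity are deliberately conservative: widening a block to the whole range, as the article suggests for persistent attackers, is a decision to make after checking the gwhois ownership of the address, not something the script should do on its own.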
Summary:
When you use the Snort rules you have a good idea of what kind of
attacks are being used on your network and who is performing those
attacks. That information is very valuable for the defense of your
network.