Misuse Signature Intruder Detection

Example: if (src_ip == dst_ip && src_prt == dst_prt)
then “land attack”
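The land-attack rule above, worked into a small misuse-signature engine (added example, not from the original notes): packet fields and the sample trace are constructed, and the second signature is an assumed extra rule to show that signatures are just named predicates the sensor evaluates against a copy of the traffic.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Packet:
    """Header fields a NIDS sensor extracts from one captured packet."""
    src_ip: str
    dst_ip: str
    src_prt: int
    dst_prt: int

# A misuse signature is a named predicate over packet fields.
Signature = Tuple[str, Callable[[Packet], bool]]

def land_attack(p: Packet) -> bool:
    # The rule from the notes: source and destination address and port identical.
    return p.src_ip == p.dst_ip and p.src_prt == p.dst_prt

def loopback_source(p: Packet) -> bool:
    # Assumed extra signature for illustration: a loopback source address
    # should never appear on the wire.
    return p.src_ip.startswith("127.")

SIGNATURES: List[Signature] = [
    ("land attack", land_attack),
    ("loopback source on wire", loopback_source),
]

def match_signatures(p: Packet, signatures: List[Signature] = SIGNATURES) -> List[str]:
    """Return the names of every signature the packet matches."""
    return [name for name, pred in signatures if pred(p)]

def analyze(packets: List[Packet]) -> List[Tuple[int, str]]:
    """Passive analysis: inspect a copy of the trace and return (index, alert) pairs.
    Packets are never modified or dropped; any response is a separate policy decision."""
    alerts: List[Tuple[int, str]] = []
    for i, p in enumerate(packets):
        for name in match_signatures(p):
            alerts.append((i, name))
    return alerts

# Constructed sample trace (not real capture data).
SAMPLE_TRACE = [
    Packet("10.0.0.5", "10.0.0.9", 51234, 80),   # ordinary web request
    Packet("10.0.0.9", "10.0.0.9", 139, 139),    # land-attack pattern
    Packet("127.0.0.1", "10.0.0.9", 4000, 22),   # loopback source on wire
]

if __name__ == "__main__":
    for idx, alert in analyze(SAMPLE_TRACE):
        print(f"packet {idx}: {alert}")
```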

Monitoring Networks and Hosts
An IDS performs passive monitoring:
it records and analyzes data about system and network activity.
Only if the IDS sends out an alert AND the response policy dictates intervention are activities affected.

Network Based IDS
– Monitors traffic at selected points on a network in real or close to real time
– May examine network, transport, and/or application-level protocol activity
– Comprised of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface
– Analysis of traffic patterns may be done at the sensor, the management server or a combination of the two

Host IDS
– Monitors operating system events

Inline Sensors
– Used to block an attack when one is detected, performing both intrusion detection and prevention functions
– An inline sensor is inserted into a network segment so that the traffic it is monitoring must pass through the sensor
– Combining NIDS sensor logic with a firewall or LAN switch; this has the advantage that no additional hardware is needed
– Using a stand-alone inline NIDS sensor

Passive Sensors
– A passive sensor monitors a copy of network traffic; the actual traffic does not pass through the device
– Passive sensors are more efficient than inline sensors
– Network interfaces: a monitoring interface, which carries no IP address, and a management interface, which does (with IP)