IDS (Intrusion detection system)
An IDS (Intrusion detection system) is a device or software application that monitors network or system
activities for malicious activities or policy violations and produces reports to a management station. IDS
come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways.
There are network based (NIDS) and host based (HIDS) intrusion detection systems. Some systems may
attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system.
An IDS (Intrusion detection system) is designed to monitor all inbound and outbound network activity
and identify any suspicious patterns that may indicate a network or system attack from someone
attempting to break into or compromise a system. An IDS is considered a passive-monitoring system,
since the main function of an IDS product is to warn you of suspicious activity taking place, not to
prevent it.
An IDS specifically looks for suspicious activity and events that might be the result of a virus, worm or
hacker. This is done by looking for known intrusion signatures or attack signatures that characterize
different worms or viruses and by tracking general variances which differ from regular system activity.
The IDS is able to provide notification of only known attacks.
The network administrator can configure the IDS system to choose the appropriate response to various
threats. When packets in a session match a signature, the IDS system can be configured to take these
actions:
Send an alarm to a syslog server or a Cisco Secure IDS Director (centralized management
interface)
Drop the packet
Reset the TCP connection
Figure 1 IDS (Intrusion detection system)
The information provided by the IDS will help the security and network management teams uncover, as
a start:
Security policy violations, such as systems or users who are running applications against policy
Infections, such as viruses or Trojan horses that have partial or full control of internal systems,
using them to spread infection and attack other systems
Information leakage, such as running spyware and key loggers, as well as accidental information
leakage by valid users
Configuration errors, such as applications or systems with incorrect security settings or
performance-killing network misconfiguration, as well as misconfigured firewalls where the rule
set does not match policy
Unauthorized clients and servers including network-threatening server applications such as
DHCP or DNS service, along with unauthorized applications such as network scanning tools or
unsecured remote desktop.
Network Intrusion Detection Systems
Network Intrusion Detection Systems (NIDS) are placed at a strategic point or points within the network
to monitor traffic to and from all devices on the network. A NIDS performs an analysis of passing traffic
on the entire subnet, works in promiscuous mode, and matches the traffic that is passed on the subnets
to the library of known attacks. Once an attack is identified, or abnormal behavior is sensed, an alert
can be sent to the administrator. An example of NIDS use would be installing it on the subnet where
firewalls are located in order to see if someone is trying to break into the firewall. Ideally one would
scan all inbound and outbound traffic; however, doing so might create a bottleneck that would impair
the overall speed of the network. OPNET and NetSim are commonly used tools for simulating network
intrusion detection systems.
Host Intrusion Detection Systems
Host Intrusion Detection Systems (HIDS) run on individual hosts or devices on the network. A HIDS
monitors the inbound and outbound packets from the device only and will alert the user or
administrator if suspicious activity is detected. It takes a snapshot of existing system files and compares
it with the previous snapshot. If critical system files were modified or deleted, an alert is sent to the
administrator to investigate. An example of HIDS usage can be seen on mission-critical machines, which
are not expected to change their configurations.
Intrusion detection systems can also be system-specific using custom tools and honeypots.
Misuse Detection vs. Anomaly Detection
In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of
attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like
a virus detection system, detection software is only as good as the database of intrusion signatures that
it uses to compare packets against. In anomaly detection, the system administrator defines the baseline,
or normal, state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly
detector monitors network segments to compare their state to the normal baseline and looks for
anomalies.
Passive vs. Reactive Systems
In a passive system, the IDS detects a potential security breach, logs the information and signals an alert.
In a reactive system, the IDS responds to the suspicious activity by logging off a user or by
reprogramming the firewall to block network traffic from the suspected malicious source.
False Positives and Negatives
The term false positive refers to security systems incorrectly seeing legitimate requests as spam or
security breaches. Basically, the IDS detects something it is not supposed to. Alternatively, an IDS is
prone to false negatives, where the system fails to detect something it should. Both of these problems
are associated with IDS, but they are issues vendors spend a lot of time working on, and as a result,
IDS products are not believed to produce a high percentage of false positives or false negatives. Still, it
is a topic worth consideration when looking at different IDS solutions.
IDS Detection Techniques
Both HIDS and NIDS can be built on any of several detection approaches. All intrusion detection
systems use one of three detection techniques:
Statistical anomaly-based IDS
An IDS which is anomaly based will monitor network traffic and compare it against an established
baseline. The baseline identifies what is “normal” for that network (what sort of bandwidth is
generally used, what protocols are used, what ports and devices generally connect to each other) and
the IDS alerts the administrator or user when traffic is detected which is anomalous, or significantly
different, from the baseline. The issue is that it may raise a false positive alarm for a legitimate use of
bandwidth if the baselines are not intelligently configured.
Signature-based IDS
A signature based IDS will monitor packets on the network and compare them against a database of
signatures or attributes from known malicious threats. This is similar to the way most antivirus software
detects malware. The issue is that there will be a lag between a new threat being discovered in the wild
and the signature for detecting that threat being applied to your IDS. During that lag time your IDS
would be unable to detect the new threat.
Rule based
Rule based systems are more advanced and cleverly built systems. A knowledge base programmed as
rules decides the output alongside an inference engine. If, for example, all of the defined rules match, a
certain assumption can be made on which an action may be taken. This assumption is the power of the
inference engine. The inference engine can assume an attack may be occurring because of many
factors; this is unique and behaves very much like the human mind. In normal computing
assumptions cannot be made, it is either yes or no, but the inference engine adds a different level of
thinking; it also adds the “Probably” to the list, like humans. If it rains and is warm, we can assume it
may thunder. If more traffic than usual is leaving the company, and it is coming from a certain
server, the inference engine may assume that the server could be compromised by a hacker.
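The three techniques above worked through as one small Python detector (an added example, not code from the original page): signature_alerts matches known byte patterns, build_baseline and anomaly_score implement the baseline comparison, and infer is the rule-based step that turns "more traffic than usual, from a server" into a "probably compromised" verdict. The Conn record format, signature ids, addresses, history and thresholds are all assumed for illustration.

```python
"""Toy detector combining the three techniques: signature, anomaly and rule based.
Added example, not code from the page; records, signatures and thresholds are constructed."""
import statistics
from dataclasses import dataclass


@dataclass
class Conn:
    src: str          # internal source address
    dport: int        # destination port
    out_bytes: int    # bytes leaving the network in this connection
    payload: bytes    # first bytes of application data


# Signature-based: known malicious byte patterns, keyed by a constructed signature id.
SIGNATURES = {
    1001: (b"/etc/passwd", "path traversal attempt"),
    1002: (b"HELO spammer", "SMTP spam probe"),
}
SERVERS = {"10.0.0.5"}  # hosts the site treats as servers (constructed)
# Constructed history of normal outbound volume; the baseline is learned from it.
HISTORY = [Conn("10.0.0.5", 443, b, b"") for b in (100, 120, 110, 90, 105)]


def signature_alerts(conn):
    """Signature matching: every known pattern found in the payload."""
    return [(sid, desc) for sid, (pat, desc) in SIGNATURES.items() if pat in conn.payload]


def build_baseline(history):
    """Anomaly detection, step 1: per-source mean and stdev of outbound bytes."""
    by_src = {}
    for c in history:
        by_src.setdefault(c.src, []).append(c.out_bytes)
    # A zero stdev would make any deviation look infinite, so fall back to 1.0.
    return {s: (statistics.mean(v), statistics.pstdev(v) or 1.0) for s, v in by_src.items()}


def anomaly_score(conn, baseline):
    """Anomaly detection, step 2: z-score of outbound volume against the baseline."""
    if conn.src not in baseline:
        return 0.0  # no history for this source, so nothing to compare against
    mean, sd = baseline[conn.src]
    return (conn.out_bytes - mean) / sd


def infer(conn, baseline, servers=SERVERS, z_threshold=3.0):
    """Rule-based inference: combine evidence into (verdict, confidence, reasons)."""
    sigs = signature_alerts(conn)
    z = anomaly_score(conn, baseline)
    if sigs:  # a documented attack pattern is strong evidence on its own
        return ("attack", 0.9, [desc for _, desc in sigs])
    if z > z_threshold and conn.src in servers:
        return ("probably compromised", 0.7, [f"outbound volume z={z:.1f} from a server"])
    if z > z_threshold:
        return ("anomaly", 0.4, [f"outbound volume z={z:.1f}"])
    return ("normal", 0.0, [])
```

Note that a source with no history gets a score of 0.0 rather than being compared against a made-up baseline; that is the "baselines not intelligently configured" false-positive problem the text warns about.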
Cisco IOS Firewall IDS Signature List
The following is a complete list of Cisco IOS Firewall IDS signatures. A signature detects patterns of
misuse in network traffic. In Cisco IOS Firewall IDS, signatures are categorized into four types:
Info Atomic
Info Compound
Attack Atomic
Attack Compound
An info signature detects information-gathering activity, such as a port sweep.
An attack signature detects attacks attempted into the protected network, such as denial-of-service
attempts or the execution of illegal commands during an FTP session.
Info and attack signatures can be either atomic or compound signatures. Atomic signatures can detect
patterns as simple as an attempt to access a specific port on a specific host. Compound signatures can
detect complex patterns, such as a sequence of operations distributed across multiple hosts over an
arbitrary period of time.
The intrusion-detection signatures included in the Cisco IOS Firewall were chosen from a broad cross-
section of intrusion-detection signatures as representative of the most common network attacks and
information-gathering scans that are not commonly found in an operational network.
The following signatures are listed in numerical order by their signature number in the Cisco Secure IDS
Network Security Database. After each signature's name is an indication of the type of signature (info or
attack, atomic or compound).
Cisco Secure IDS Components
The Cisco Secure IDS consists of three components:
Sensor
Director
Post Office
Cisco Secure IDS Sensors, which are high-speed network appliances, analyze the content and context of
individual packets to determine if traffic is authorized. If a network's data stream exhibits unauthorized
or suspicious activity, such as a SATAN attack, a ping sweep, or the transmission of a secret research
project code word, Cisco Secure IDS Sensors can detect the policy violation in real time, forward alarms
to a Cisco Secure IDS Director management console, and remove the offender from the network.
The Cisco Secure IDS Director is a high-performance, software-based management system that centrally
monitors the activity of multiple Cisco Secure IDS Sensors located on local or remote network segments.
The Cisco Secure IDS Post Office is the communication backbone that allows Cisco Secure IDS services
and hosts to communicate with each other. All communication is supported by a proprietary,
connection-based protocol that can switch between alternate routes to maintain point-to-point
connections.
Limitations
Noise can severely limit an intrusion detection system's effectiveness. Bad packets generated
from software bugs, corrupt DNS data, and local packets that escaped can create a significantly
high false-alarm rate.
It is not uncommon for the number of real attacks to be far below the number of false alarms; the
real attacks are then often missed and ignored.
Many attacks are geared for specific versions of software that are usually outdated. A constantly
changing library of signatures is needed to mitigate threats. Outdated signature databases can
leave the IDS vulnerable to newer strategies.
For signature-based IDSes there will be lag between a new threat discovery and its signature
being applied to the IDS. During this lag time the IDS will be unable to identify the threat.
It cannot compensate for weak identification and authentication mechanisms or for
weaknesses in network protocols. When an attacker gains access due to a weak authentication
mechanism, the IDS cannot prevent the adversary from any malpractice.
Encrypted packets are not processed by the intrusion detection software. Therefore, the
encrypted packet can allow an intrusion to the network that is undiscovered until more
significant network intrusions have occurred.
Intrusion detection software provides information based on the network address that is
associated with the IP packet that is sent into the network. This is beneficial if the network
address contained in the IP packet is accurate. However, the address that is contained in the IP
packet could be faked or scrambled.
Due to the nature of NIDS systems, and the need for them to analyse protocols as they are
captured, NIDS systems can be susceptible to the same protocol-based attacks to which network hosts
may be vulnerable. Invalid data and TCP/IP stack attacks may cause a NIDS to crash.
Evasion Techniques
There are a number of techniques which attackers use; the following are considered ‘simple’
measures which can be taken to evade an IDS:
Fragmentation: by sending fragmented packets, the attacker will be under the radar and can
easily bypass the detection system's ability to detect the attack signature.
Avoiding defaults: The TCP port utilised by a protocol does not always provide an indication to
the protocol which is being transported. For example, an IDS may expect to detect a trojan on
port 12345. If an attacker had reconfigured it to use a different port the IDS may not be able to
detect the presence of the trojan.
Coordinated, low-bandwidth attacks: coordinating a scan among numerous attackers (or
agents) and allocating different ports or hosts to different attackers makes it difficult for the IDS
to correlate the captured packets and deduce that a network scan is in progress.
Address spoofing/proxying: attackers can make it harder for security administrators to
determine the source of the attack by using poorly secured or incorrectly configured proxy
servers to bounce an attack. If the source is spoofed and bounced by a server then it makes it
very difficult for the IDS to detect the origin of the attack.
Pattern change evasion: IDS generally rely on ‘pattern matching’ to detect an attack. By
changing the data used in the attack slightly, it may be possible to evade detection. For example,
an IMAP server may be vulnerable to a buffer overflow, and an IDS is able to detect the attack
signature of 10 common attack tools. By modifying the payload sent by the tool, so that it does
not resemble the data that the IDS expects, it may be possible to evade detection.
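The fragmentation point above seen from the detector's side, as an added example that is not part of the original page: a matcher that inspects fragments one at a time misses a pattern split across two fragments, while one that reassembles by offset first still finds it. The (offset, bytes) fragment format and the signature string are constructed for illustration.

```python
"""Fragment reassembly before signature matching.
Added example, not from the page; fragments are constructed (offset, bytes) pairs."""
SIGNATURE = b"/etc/passwd"  # illustrative pattern a signature-based IDS looks for

# A request delivered in two fragments, arriving out of order; the pattern
# straddles the boundary, so neither fragment contains it on its own.
FRAGMENTS = [(15, b"passwd HTTP/1.0\r\n"), (0, b"GET /../../etc/")]


def match_per_fragment(fragments, sig=SIGNATURE):
    """Naive detector: inspects each fragment in isolation."""
    return any(sig in chunk for _, chunk in fragments)


def reassemble(fragments):
    """Order fragments by offset and rebuild the stream, rejecting gaps and overlaps.
    Production NIDS preprocessors additionally apply host-specific overlap
    policies; this toy refuses ambiguous input rather than guessing."""
    stream = bytearray()
    for off, chunk in sorted(fragments):
        if off != len(stream):
            raise ValueError(f"gap or overlap at offset {off}")
        stream += chunk
    return bytes(stream)


def is_contiguous(fragments):
    """True when the fragments form one gap-free, overlap-free stream."""
    try:
        reassemble(fragments)
        return True
    except ValueError:
        return False


def match_after_reassembly(fragments, sig=SIGNATURE):
    """Detector that reassembles first, so a pattern split across fragments still matches."""
    return sig in reassemble(fragments)
```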
Free Intrusion Detection Systems
ACARM-ng
AIDE
Bro NIDS
Fail2ban
OSSEC HIDS
Prelude Hybrid IDS
Samhain
Snort
Suricata
Cisco IOS Firewall Intrusion Detection System Commands
(Note: these commands were introduced in Cisco IOS release 12.0(5)T.)
clear ip audit configuration
To disable Cisco IOS Firewall IDS, remove all intrusion detection configuration entries, and release
dynamic resources, use the clear ip audit configuration EXEC command.
clear ip audit statistics
To reset statistics on packets analyzed and alarms sent, use the clear ip audit statistics EXEC command.
ip audit
To apply an audit specification created with the ip audit command to a specific interface and for a
specific direction, use the ip audit interface configuration command. To disable auditing of the interface
for the specified direction, use the no version of this command.
ip audit audit-name {in | out}
no ip audit audit-name {in | out}
ip audit attack
To specify the default actions for attack signatures, use the ip audit attack global configuration
command. To return the action for attack signatures to its default, use the no form of this command.
ip audit attack {action [alarm] [drop] [reset]}
no ip audit attack
ip audit info
To specify the default actions for info signatures, use the ip audit info global configuration command. To
return the action for info signatures to its default, use the no form of this command.
ip audit info {action [alarm] [drop] [reset]}
no ip audit info
ip audit name
To create audit rules for info and attack signature types, use the ip audit name global configuration
command. To delete an audit rule, use the no form of this command.
ip audit name audit-name {info | attack} [list standard-acl] [action [alarm] [drop] [reset]]
no ip audit name audit-name {info | attack}
ip audit notify
To specify the method of event notification, use the ip audit notify global configuration command. To
disable event notifications, use the no form of this command.
ip audit notify {nr-director | log}
no ip audit notify {nr-director | log}
ip audit po local
To specify the local Post Office parameters used when sending event notifications to the NetRanger
Director, use the ip audit po local global configuration command. To set the local Post Office parameters
to their default settings, use the no form of this command.
ip audit po local hostid id-number orgid id-number
no ip audit po local [hostid id-number orgid id-number]
ip audit po max-events
To specify the maximum number of event notifications that are placed in the router's event queue, use
the ip audit po max-events global configuration command. To return the maximum number of events to
the default setting, use the no form of this command.
ip audit po max-events number-of-events
no ip audit po max-events
ip audit po protected
To specify whether an address is on a protected network, use the ip audit po protected global
configuration command. To remove network addresses from the protected network list, use the no
form of this command. If you specify an IP address for removal, that address is removed from the list. If
you do not specify an address, then all IP addresses are removed from the list.
ip audit po protected ip-addr [to ip-addr]
no ip audit po protected [ip-addr]
ip audit po remote
To specify one or more set of Post Office parameters for NetRanger Directors receiving event
notifications from the router, use the ip audit po remote global configuration command. To remove a
NetRanger Director's Post Office parameters as defined by host ID, organization ID, and IP address, use
the no form of this command.
ip audit po remote hostid host-id orgid org-id rmtaddress ip-address localaddress ip-address [port port-number] [preference preference-number] [timeout seconds] [application {director | logger}]
no ip audit po remote hostid host-id orgid org-id rmtaddress ip-address
ip audit signature
To attach a policy to a signature, use the ip audit signature global configuration command. You can set
two policies: disable a signature or qualify the audit of a signature with an access list. To remove the
policy, use the no form of this command. If the policy disabled a signature, then the no form of this
command reenables the signature. If the policy attached an access list to the signature, the no form of
this command removes the access list.
ip audit signature signature-id {disable | list acl-list}
no ip audit signature signature-id
ip audit smtp
To specify the number of recipients in a mail message over which a spam attack is suspected, use the ip
audit smtp global configuration command. To set the number of recipients to the default setting, use
the no form of this command.
ip audit smtp spam number-of-recipients
no ip audit smtp spam
show ip audit configuration
To display additional configuration information, including default values that may not be displayed using
the show run command, use the show ip audit configuration EXEC command.
show ip audit configuration
show ip audit interface
To display the interface configuration, use the show ip audit interface EXEC command.
show ip audit interface
show ip audit statistics
To display the number of packets audited and the number of alarms sent, among other information, use
the show ip audit statistics EXEC command.
show ip audit statistics