forensics 12/1
Overview of Intrusion Detection Systems (IDS)
Purpose: Monitor hosts or network traffic and generate alert messages when the monitored targets show signs of intrusion.
Types of IDS:
Host-Based IDS: Runs on a single machine.
Network-Based IDS: Operates across a group of computers.
Signature-Based IDS
Functionality: Utilizes a signature list to detect known threats.
Effectiveness: Requires an up-to-date signature list to ensure detection of new attacks.
Abnormal Traffic Detection: Current traffic is assessed to flag any anomalies based on established patterns.
Challenge: New attacks can result in unusual traffic patterns that may go undetected.
Behavior-Based IDS
Operation: Monitors network traffic patterns to detect irregular behaviors.
Challenges:
High probability of false positives due to issues like malfunctioning devices or misconfigured software.
Alarms can be triggered by normal operations if they differ from the learning model of “normal” traffic.
Maintenance: Dedicated teams regularly assess and manage alarms to minimize disruptions in services.
Hybrid IDS
Combines elements of both signature-based and behavior-based systems to enhance detection accuracy.
Snort: A Popular Intrusion Detection System
Popularity: Open-source with the largest user base globally.
Functionality: Offers multiple operational modes:
Sniffing Mode: Monitors traffic without generating alarms.
Alert Mode: Actively detects and generates alerts based on predetermined rules.
Snort Rule Structure: A rule header gives the action, protocol, source, direction operator and destination, followed by rule options such as the alert message text.
Example Rules:
Alert on TCP traffic whose source IP lies outside the specified address range and whose destination matches the rule's destination.
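The following is an added example (not from the lecture notes and not Snort's own code) that illustrates the rule above: a small matcher that parses a Snort-style rule header and options and evaluates it against constructed packet tuples. The rule text, the $HOME_NET value (192.168.1.0/24) and the packets are all assumptions; only the header syntax (action, protocol, source, port, direction, destination, port, options) follows Snort's.

```python
import ipaddress
import re

# Assumed variable binding; Snort resolves $HOME_NET from its configuration.
VARIABLES = {"$HOME_NET": "192.168.1.0/24"}

# Constructed rule: alert on TCP traffic from outside the home network to
# port 22 inside it. "!" negates the address specification, as in Snort.
RULE = ('alert tcp !$HOME_NET any -> $HOME_NET 22 '
        '(msg:"Inbound SSH from outside"; sid:1000001; rev:1;)')

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(rule):
    """Split a rule into its header fields and a dict of options."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a valid rule header: " + rule)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):  # options are "key:value;" pairs (no ';' inside values here)
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return {"action": action, "protocol": proto.lower(), "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def match_addr(spec, ip):
    """True if ip satisfies spec: 'any', a $variable or a CIDR, optionally negated with '!'."""
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    spec = VARIABLES.get(spec, spec)
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return not hit if negate else hit


def match_port(spec, port):
    """True if port satisfies spec: 'any', a single port, or a 'low:high' range."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def matches(rule, pkt):
    """Evaluate a parsed rule against one packet tuple (protocol, addresses, ports)."""
    if rule["protocol"] != pkt["proto"].lower():
        return False
    forward = (match_addr(rule["src"], pkt["src"]) and match_port(rule["sport"], pkt["sport"])
               and match_addr(rule["dst"], pkt["dst"]) and match_port(rule["dport"], pkt["dport"]))
    if rule["direction"] == "->" or forward:
        return forward
    # "<>" is bidirectional: also try the packet the other way round.
    return (match_addr(rule["src"], pkt["dst"]) and match_port(rule["sport"], pkt["dport"])
            and match_addr(rule["dst"], pkt["src"]) and match_port(rule["dport"], pkt["sport"]))


def run(rule_text, packets):
    """Return one alert line per packet the rule fires on."""
    rule = parse_rule(rule_text)
    return [f'[{rule["action"]}] {rule["options"].get("msg", "")}: '
            f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}'
            for p in packets if matches(rule, p)]


# Constructed packets: only the first one (external source, internal SSH) should alert.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51515, "dst": "192.168.1.10", "dport": 22},
    {"proto": "tcp", "src": "192.168.1.20", "sport": 40000, "dst": "192.168.1.10", "dport": 22},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51516, "dst": "192.168.1.10", "dport": 443},
    {"proto": "udp", "src": "203.0.113.7", "sport": 51517, "dst": "192.168.1.10", "dport": 22},
]

if __name__ == "__main__":
    for alert in run(RULE, PACKETS):
        print(alert)
```

The matcher deliberately handles only the header and simple options; real Snort rules add payload and flow options, but the address negation and direction logic above is what the example rule in the notes relies on.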
Syslog and Log Management
Purpose of Syslog: Centralized logging for multiple devices and analysis of network events.
Components of Syslog Messages:
First Part: Header with the timestamp and the host name, indicating when and from where the log message was generated.
Second Part: Actual content/message from the application generating the log.
Severity Levels: Classifies incidents based on urgency, with code priority values assigned:
Formula for Priority Value: Priority = (Facility Code × 8) + Severity Code
Syslog Configuration
Log Entries Management: Defined rules dictate when and where to save log entries based on message priority.
Examples of Log Configuration: Rule setups determining which logs to collect and where to store them.
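As an added example (not part of the notes and not the code of any syslog daemon), the block below ties the priority formula to the configuration rules: it decodes the <PRI> field of constructed syslog lines into facility and severity, then routes each message through syslog.conf-style selectors such as "*.*;auth,authpriv.none". The facility and severity names follow RFC 5424 (short labels are assumed for facilities 12 to 15); the configuration rules and log lines are constructed.

```python
import re

# Facility codes 0-23 (RFC 5424 Table 1; labels for 12-15 are assumed short forms).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# Severity codes 0-7; a lower number is more urgent.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r'^<(\d{1,3})>')


def priority(facility, severity):
    """Priority value as in the notes: facility * 8 + severity."""
    return facility * 8 + severity


def split_priority(pri):
    """Inverse of priority(): (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("priority out of range: %d" % pri)
    return divmod(pri, 8)


def parse_syslog(line):
    """Split a '<PRI>...' line into named facility, severity and the remaining text."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> field: " + line)
    fac, sev = split_priority(int(m.group(1)))
    return {"facility": FACILITIES[fac], "severity": SEVERITIES[sev], "message": line[m.end():]}


def selector_matches(selector, facility, severity):
    """Evaluate a selector list like '*.info;mail.none' for one message.

    'fac.level' matches that severity and anything more urgent, 'fac.=level'
    matches exactly, 'fac.none' excludes, '*' stands for any facility or level.
    Selectors are applied left to right and the last one naming the facility wins.
    """
    fac_name = FACILITIES[facility]
    result = False
    for sel in selector.split(";"):
        facs, _, level = sel.strip().rpartition(".")
        fac_list = [f.strip() for f in facs.split(",")]
        if "*" not in fac_list and fac_name not in fac_list:
            continue
        if level == "none":
            result = False
        elif level == "*":
            result = True
        elif level.startswith("="):
            result = severity == SEVERITIES.index(level[1:])
        else:
            result = severity <= SEVERITIES.index(level)
    return result


# Constructed configuration: (selector, destination file), in evaluation order.
CONFIG = [
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("*.*;auth,authpriv.none", "/var/log/syslog"),
    ("kern.crit", "/var/log/kern-crit.log"),
]


def route(line, config=CONFIG):
    """Return the destinations that would receive the message under config."""
    msg = parse_syslog(line)
    fac, sev = FACILITIES.index(msg["facility"]), SEVERITIES.index(msg["severity"])
    return [dest for sel, dest in config if selector_matches(sel, fac, sev)]


# Constructed log lines; <34> is auth.crit (4*8+2), <6> is kern.info, <2> is kern.crit.
LINES = [
    "<34>Dec  1 10:15:02 host1 sshd[1122]: Failed password for invalid user admin",
    "<6>Dec  1 10:15:03 host1 systemd[1]: Started Daily apt download activities.",
    "<2>Dec  1 10:15:04 host1 kernel: EDAC MC0: uncorrectable error on DIMM 3",
]

if __name__ == "__main__":
    for line in LINES:
        m = parse_syslog(line)
        print(m["facility"] + "." + m["severity"], "->", route(line))
```

The "none" selector is what keeps authentication messages out of the general log while still sending them to auth.log, which is the usual way a configuration separates sensitive entries from the bulk of the traffic.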
Logging Best Practices: Include centralized log storage for protection against tampering and ease of analysis.
Windows Event Logging
Windows Event Logs: Organized into three categories: Application logs, Security logs, System logs.
Accessing Logs: Utilizes Windows Event Viewer which allows the creation of custom views and filters to simplify tracking relevant log entries.
Event ID: A unique identifier associated with specific events, pivotal for filtering and processing log data.
Troubleshooting Log Entries
Importance of Monitoring: Regular checks to ensure that logs are not misleading or manipulated.
Network Forensics Challenges: Data from network devices may not be permanently stored, complicating investigations post-incident.
Diagnostic Entries: Often contain information more useful for development rather than for security assessments.
Firewall Logging
Types of Firewalls:
Stateless Inspection Firewalls: Decide on each packet in isolation, strictly on a per-packet basis.
Stateful Inspection Firewalls: Keep a connection table so that a packet can be judged as part of an existing connection, for example to allow the return traffic of a connection opened from inside.
Firewall Logs Requirements: Typically, only critical traffic should be logged to avoid overwhelming log files with unnecessary data.
Monitoring Traffic: Outgoing and incoming traffic should be monitored closely to detect potential security breaches.
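To illustrate the two points above (log only what matters, and watch both directions), here is an added example that is not part of the notes and not a real firewall's code. It parses constructed log lines in the key=value style that the iptables LOG target writes (the "FW-DROP" and "FW-ACCEPT" prefixes are assumed log prefixes), applies a logging policy that keeps every drop but only unexpected outbound accepts, and summarizes what remains: outbound connections to ports outside the expected set, and external sources whose dropped packets hit many distinct ports.

```python
import re
from collections import defaultdict

# Constructed log lines (not from any real system).
LOG_LINES = [
    "Dec  1 10:20:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=51234 DPT=22",
    "Dec  1 10:20:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=51235 DPT=23",
    "Dec  1 10:20:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=51236 DPT=445",
    "Dec  1 10:20:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=51237 DPT=3389",
    "Dec  1 10:20:03 fw kernel: FW-ACCEPT IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=443",
    "Dec  1 10:20:04 fw kernel: FW-ACCEPT IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.6 PROTO=TCP SPT=40002 DPT=6667",
    "Dec  1 10:20:05 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=UDP SPT=53 DPT=53",
]

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<verdict>FW-\w+) (?P<fields>.*)$')


def parse_line(line):
    """Turn one log line into a dict; returns None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "verdict": m["verdict"].split("-", 1)[1]}
    for token in m["fields"].split():      # IN=eth0 OUT= SRC=... -> lower-cased keys
        key, _, value = token.partition("=")
        rec[key.lower()] = value
    for key in ("spt", "dpt"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def direction(rec):
    """'in' when the packet arrived on an interface, 'out' when it left through one."""
    return "in" if rec.get("in") else "out"


def worth_logging(rec, expected_outbound_ports=frozenset({53, 80, 123, 443})):
    """Logging policy: keep every drop, and accepted traffic only when it is outbound
    to a port outside the expected set. Ordinary accepted traffic is not kept."""
    if rec["verdict"] == "DROP":
        return True
    return direction(rec) == "out" and rec.get("dpt") not in expected_outbound_ports


def summarize(lines, multi_port_threshold=3):
    """Parse, filter by policy and report the items an analyst would look at first."""
    records = [r for r in map(parse_line, lines) if r]
    kept = [r for r in records if worth_logging(r)]
    dropped_ports = defaultdict(set)           # external source -> distinct ports it hit
    for r in kept:
        if r["verdict"] == "DROP" and direction(r) == "in":
            dropped_ports[r["src"]].add(r["dpt"])
    return {
        "parsed": len(records),
        "logged": len(kept),
        "unexpected_outbound": [(r["src"], r["dst"], r["dpt"])
                                for r in kept if r["verdict"] == "ACCEPT"],
        "multi_port_sources": sorted(src for src, ports in dropped_ports.items()
                                     if len(ports) >= multi_port_threshold),
    }


if __name__ == "__main__":
    for key, value in summarize(LOG_LINES).items():
        print(key, value)
```

The expected-port set and the threshold are policy knobs; the value of the example is that the same parsed record feeds both the "should this be written at all" decision and the later review of what was written.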
Conclusion of Chapter 9
Limited time to cover future chapters, focusing on the main concepts and practical implications of network and log management.
Importance of understanding the principles of IDS, Syslog, and Windows logging to manage security effectively in an organization.