* 13 *

Intrusion detection

Graded problems

The purpose of these exercises is to familiarize you with some of the concepts of intrusion detection. Unfortunately we do not have the time or the resources for you to set up intrusion detectors yourselves.
  1. Create a cause tree for intrusion detection at a site, covering both network traffic and changes to hosts. (Hint: think about the use of MD5 checksums of files, logging and analysis of data, etc. Today you would use a stronger hash such as SHA-256 rather than MD5, but the principle is the same.)
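
The host side of such a tree usually comes down to a file integrity checker: hash every file once, store the digests, and later re-hash and compare. The following is an added example written for this exercise sheet (it is not part of the course material or of any named tool). It uses SHA-256 instead of the MD5 mentioned in the hint, skips symlinks so the checker cannot be pointed at files outside the tree, and the "intrusion" it detects is a constructed scenario inside a temporary directory.

```python
"""Host change detection by file hashing: build a baseline, re-scan, diff.

Added example, not course or project code. SHA-256 is used where the
exercise hint says MD5; the method is identical, but MD5 is no longer
collision resistant, so a modern checker should not depend on it.
"""
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=65536):
    """Return the hex digest of a file's contents, reading in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Map every regular file under root (path relative to root) to its digest.

    Symlinks are skipped so that a planted link cannot make the checker read
    a file outside the tree; relative paths keep the baseline comparable if
    the tree is later mounted somewhere else for an offline check.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full, algorithm)
    return baseline


def compare(old, new):
    """Diff two baselines into sorted lists of added/removed/modified paths."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        files = {  # constructed sample files, not real system content
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
            "bin/ls": b"\x7fELF original binary\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # Simulated intrusion: trojaned binary, extra uid-0 account,
        # dropped hidden file, deleted config file.
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"\x7fELF trojaned binary\n")
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"hax:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "bin/.rootkit"), "wb") as f:
            f.write(b"backdoor\n")
        os.remove(os.path.join(root, "etc/hosts"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Note that the baseline is only as trustworthy as its storage: an intruder with root can rewrite a baseline kept on the same disk, so in practice the digests (and the checker itself) are kept on read-only or off-host media, and the comparison is run from a trusted environment.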

  2. Use nmap to port scan a few machines at IU (e.g. cube). On an average day you will find a number of unidentifiable ports open. These are usually IRC-related services which students run "illegally". Do not port scan anywhere outside our College. Port scans are usually regarded as attacks!
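
To see what a scan actually does on the wire, here is an added example (not part of the exercise sheet, and not nmap's code) of the simplest scan type, the TCP connect scan that nmap performs with `-sT`: one full handshake attempt per port, classified from the outcome. It only ever targets the loopback interface, for the reason given above. The listener it finds is one it starts itself on an ephemeral port; everything else about the scenario is constructed.

```python
"""Minimal TCP connect scan against loopback (added example; not nmap code).

Each port gets one connect() attempt. Success means a listener completed the
handshake ("open"); an immediate refusal means the host sent RST ("closed");
no answer before the timeout is what a silently dropping firewall produces,
which nmap reports as "filtered".
"""
import socket
import threading


def scan_port(host, port, timeout=0.5):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:   # RST received: nothing listening
            return "closed"
        except (socket.timeout, OSError):  # no reply or unreachable
            return "filtered"


def scan(host, ports, timeout=0.5):
    """Scan a sequence of ports, returning {port: state}."""
    return {p: scan_port(host, p, timeout) for p in ports}


def open_ports(host, ports, timeout=0.5):
    """Sorted list of the ports in `ports` that accepted a connection."""
    return sorted(p for p, st in scan(host, ports, timeout).items() if st == "open")


def demo():
    """Constructed scenario: start a loopback listener on an ephemeral port,
    scan a small window of ports around it, and report what was found."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick one
    listener.listen(5)
    port = listener.getsockname()[1]
    stop = threading.Event()

    def serve():
        # Accept and drop connections until told to stop, so the scanner's
        # handshakes complete the way they would against a real service.
        listener.settimeout(0.2)
        while not stop.is_set():
            try:
                conn, _ = listener.accept()
                conn.close()
            except socket.timeout:
                continue

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    try:
        window = range(max(1, port - 5), min(65535, port + 5) + 1)
        found = open_ports("127.0.0.1", window)
    finally:
        stop.set()
        t.join()
        listener.close()
    return {"port": port, "open": found, "detected": port in found}


if __name__ == "__main__":
    result = demo()
    print(f"listener on {result['port']}, open ports seen: {result['open']}")
```

nmap adds a great deal on top of this (SYN and other half-open scans, service and OS fingerprinting, timing control), but from the defender's side the essential signature is already visible here: one source address opening connections to many ports on one host within seconds. That burst is what an IDS keys on when it raises a "portscan" alert, and it is why scanning hosts you do not own is read as the opening move of an attack.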

  3. Snort is a so-called intrusion detection system (IDS): it logs network traffic and attempts to match patterns of events against a knowledge base of known attacks. Such intrusion detection systems generate enormous amounts of data. Some example data have been collected in cube:/local/iu/var_log_snort from about ten minutes of watching a private branch of a switched network.
    1. Examine the files and sub-directories. There are many directories here. What do they represent?
    2. In the file called alert there is a chronological summary of possible problems. Some of these have explanatory references at whitehats.com. Do you think that all of these alerts correspond to real attacks?
    3. What do you think is the main problem for intrusion detection systems?
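
Reading an alert file by hand is the wrong way to approach questions 3.2 and 3.3; the first thing an analyst does is parse it and aggregate. The following is an added example (not part of the course material or of Snort) that parses the layout of Snort's full-format alert file: a `[**] [gid:sid:rev] message [**]` header, an optional classification/priority line, a `MM/DD-HH:MM:SS.usec src -> dst` line, protocol details, optional `[Xref => ...]` lines, and a blank line between records. The sample text is constructed in that layout; its addresses, times and rule numbers are illustrative, not data from cube.

```python
"""Parse Snort full-format alerts and summarize them per signature.

Added example, not from the course or the Snort project. SAMPLE_ALERT is a
constructed excerpt in the layout of Snort's 'alert' file; the hosts, times
and sids are made up for illustration.
"""
import re

SAMPLE_ALERT = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/12-11:20:01.104523 10.0.0.5 -> 10.0.0.10
ICMP TTL:64 TOS:0x0 ID:8231 IpLen:20 DgmLen:28
Type:8  Code:0  ID:4660   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:1122:1] WEB-MISC /etc/passwd [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/12-11:21:45.221098 10.0.0.7:40112 -> 10.0.0.10:80
TCP TTL:64 TOS:0x0 ID:5120 IpLen:20 DgmLen:312 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x16D0  TcpLen: 20

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/12-11:22:01.100911 10.0.0.5 -> 10.0.0.10
ICMP TTL:64 TOS:0x0 ID:8232 IpLen:20 DgmLen:28
Type:8  Code:0  ID:4660   Seq:1  ECHO
[Xref => http://www.whitehats.com/info/IDS162]
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
XREF_RE = re.compile(r"^\[Xref => (.+)\]$")


def split_endpoint(ep):
    """'10.0.0.7:40112' -> ('10.0.0.7', 40112); ICMP endpoints carry no port."""
    host, sep, port = ep.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return ep, None


def parse_alerts(text):
    """Return one dict per alert record; records are blank-line separated."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert header; skip rather than guess
        a = {"gid": int(m.group(1)), "sid": int(m.group(2)), "rev": int(m.group(3)),
             "msg": m.group(4), "priority": None, "time": None,
             "src": None, "sport": None, "dst": None, "dport": None, "xrefs": []}
        for line in lines[1:]:
            if (p := PRIORITY_RE.search(line)):
                a["priority"] = int(p.group(1))
            elif (f := FLOW_RE.match(line)):
                a["time"] = f.group(1)
                a["src"], a["sport"] = split_endpoint(f.group(2))
                a["dst"], a["dport"] = split_endpoint(f.group(3))
            elif (x := XREF_RE.match(line)):
                a["xrefs"].append(x.group(1))
        alerts.append(a)
    return alerts


def summarize(alerts):
    """Per signature: count, distinct sources, first/last time, references.

    Timestamps in MM/DD-HH:MM:SS form sort correctly as strings within a year.
    """
    summary = {}
    for a in alerts:
        s = summary.setdefault(a["msg"], {"count": 0, "sources": set(), "xrefs": set(),
                                          "first": a["time"], "last": a["time"]})
        s["count"] += 1
        s["sources"].add(a["src"])
        s["xrefs"].update(a["xrefs"])
        if a["time"]:
            s["first"] = min(s["first"] or a["time"], a["time"])
            s["last"] = max(s["last"] or a["time"], a["time"])
    return summary


if __name__ == "__main__":
    for msg, s in summarize(parse_alerts(SAMPLE_ALERT)).items():
        print(f"{s['count']:4d}  {msg}  sources={sorted(s['sources'])}  "
              f"{s['first']}..{s['last']}  refs={sorted(s['xrefs'])}")
```

The summary does not decide anything; it shows volume and grouping. Seeing the same signature fire from one source at regular intervals over the whole capture tells you to ask whether that source is an attacker or a monitoring host that pings everything, which is precisely the judgement question 3.2 asks for. The Xref URLs collected per signature point at the whitehats.com descriptions mentioned above.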

  4. The final graded problem is for you to evaluate the course. Please answer the following questions as part of your final submission, to be delivered next week.
    1. How successful do you think the course has been in
      • Showing you what computer security is about
      • Making you understand how security mechanisms work in detail.
      • Getting you to avoid the worst software errors yourself.
    2. How do you assess the continuity between this and other courses?
    3. Have the lectures been sufficient? Should there have been more?
    4. Have the exercises been sufficient?
    5. Do you feel the course has a suitable mix of theory and practice?
    6. How do you assess the continuity of the lectures?
    7. Have you always understood the point of the topics chosen for the lectures?
    8. Have you always understood the point of the weekly exercises?
    9. What do you think of the book?
    10. Have you always received answers to the things you wondered about?
    11. Do you have the impression that you are learning something in the course?
    12. What do you see as the most important thing one can learn from a course in computer security?
    13. What do you think is the best thing about the course?
    14. What do you think is the worst thing about the course?
    15. What do you think should have been different?
    16. General comments or impressions?