* 13 *
Intrusion detection
Graded problems
The purpose of these exercises is to familiarize you with some of the
concepts of intrusion detection. Unfortunately we do not have the time
or the resources to set up intrusion detectors personally.
- Create a cause tree for intrusion detection at a site, which
includes network traffic and changes to host (Hint, think about
use of MD5 checksums of files, logging and analysis of data etc.).
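The file-checksum branch of such a cause tree amounts to a baseline-and-compare loop: record a digest of every file once, then rerun and classify the differences. The following Python is an added illustration, not part of the exercise sheet or of any tool mentioned on it; the helper names (`build_baseline`, `compare_baseline`, `demo`) are hypothetical, the files it creates are constructed in a temporary directory, and the hash algorithm defaults to MD5 because that is what the exercise names, though it is a parameter so a stronger digest can be substituted.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path, algorithm="md5", chunk_size=65536):
    """Return the hex digest of one file, read in chunks so large files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="md5"):
    """Walk `root` and map each regular file's path (relative to root) to its digest."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            # Skip symlinks: their target may change without the link itself changing.
            if full.is_file() and not full.is_symlink():
                baseline[full.relative_to(root).as_posix()] = file_digest(full, algorithm)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline as JSON (keep the copy somewhere the monitored host cannot rewrite)."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare_baseline(old, new):
    """Classify differences between two baselines into added, removed and modified paths."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(p for p in old_keys & new_keys if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, simulate tampering, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        save_baseline(build_baseline(root), root / "baseline.json")
        before = load_baseline(root / "baseline.json")
        # Simulated changes: a binary replaced, a file removed, a file added.
        (root / "bin" / "ls").write_bytes(b"\x7fELF replaced")
        (root / "etc" / "passwd").unlink()
        (root / "etc" / "shadow").write_text("root:!:0:0:99999:7:::\n")
        after = build_baseline(root)
        # The baseline file itself is inside the tree and would show up as added; drop it.
        after.pop("baseline.json", None)
        return compare_baseline(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report is only as trustworthy as the stored baseline: if the baseline file lives writable on the host being monitored, a change to a file and a matching change to the baseline are indistinguishable, so in practice it goes on read-only media or another machine.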
- Use nmap to port scan a few machines at IU (e.g. cube).
On an average day you will find a number of unidentifiable ports
open. These are usually IRC related services which students run
"illegally".
Do not portscan anywhere outside our College. Portscans are usually
regarded as attacks!
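Seen from the other side of the wire, a port scan is a detectable event: one source touching many distinct ports on one host in a short time. The Python below is an added example written for this exercise sheet, not code from the course or from nmap; the connection records are constructed in a hypothetical "timestamp src dst dport" layout, and the function names (`parse_log`, `detect_scans`) and threshold values are assumptions. It also shows why the window length matters: the same probe spread over minutes slips past a ten-second window.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed connection-attempt records (hypothetical layout, illustrative addresses).
SAMPLE_LOG = """\
# fast probe: seven ports on one host in seven seconds
2001-03-05T10:00:00 10.1.1.5 10.1.1.20 21
2001-03-05T10:00:01 10.1.1.5 10.1.1.20 22
2001-03-05T10:00:02 10.1.1.5 10.1.1.20 23
2001-03-05T10:00:03 10.1.1.5 10.1.1.20 25
2001-03-05T10:00:04 10.1.1.5 10.1.1.20 80
2001-03-05T10:00:05 10.1.1.5 10.1.1.20 110
2001-03-05T10:00:06 10.1.1.5 10.1.1.20 143
# ordinary web client: many connections, always the same port
2001-03-05T10:00:00 10.1.1.7 10.1.1.20 80
2001-03-05T10:00:02 10.1.1.7 10.1.1.20 80
2001-03-05T10:00:04 10.1.1.7 10.1.1.20 80
2001-03-05T10:00:06 10.1.1.7 10.1.1.20 80
2001-03-05T10:00:08 10.1.1.7 10.1.1.20 80
# slow probe: five ports, one per minute
2001-03-05T10:01:00 10.1.1.9 10.1.1.20 21
2001-03-05T10:02:00 10.1.1.9 10.1.1.20 22
2001-03-05T10:03:00 10.1.1.9 10.1.1.20 23
2001-03-05T10:04:00 10.1.1.9 10.1.1.20 25
2001-03-05T10:05:00 10.1.1.9 10.1.1.20 80
"""


def parse_log(text):
    """Parse records into (timestamp, src, dst, port) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    events.sort(key=lambda e: e[0])
    return events


def detect_scans(events, window_seconds=10, min_ports=5):
    """Flag (src, dst) pairs that touched >= min_ports distinct ports within window_seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), hits in by_pair.items():
        in_window = deque()      # (timestamp, port) records inside the sliding window
        port_counts = Counter()  # how many in-window records per destination port
        for ts, port in hits:
            in_window.append((ts, port))
            port_counts[port] += 1
            # Expire records older than the window before testing the threshold.
            while in_window and ts - in_window[0][0] > window:
                _old_ts, old_port = in_window.popleft()
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
            if len(port_counts) >= min_ports:
                alerts.append({
                    "src": src,
                    "dst": dst,
                    "first": in_window[0][0].isoformat(),
                    "last": ts.isoformat(),
                    "ports": sorted(port_counts),
                })
                break  # one alert per pair is enough for this illustration
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("10 s window: ", detect_scans(events))
    print("300 s window:", detect_scans(events, window_seconds=300))
```

With the defaults only the fast probe is reported; widening the window to 300 seconds also catches the one-port-per-minute probe, at the price of more state per source and a higher chance of lumping unrelated connections together. Choosing those two numbers is the real work of this kind of detector.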
- Snort is a so-called intrusion detection
system (IDS) which logs network traffic and attempts to match patterns of
events to a knowledge-base of known attacks. Such intrusion detection systems
generate enormous amounts of data. Some example data have been
collected at cube:/local/iu/var_log_snort from about ten minutes of
watching on a private branch of a switched network.
  - Examine the files and sub-directories. There are many directories
    here. What do they represent?
  - In the file called alert, there is a chronological summary
    of possible problems. Some of these have explanatory references at
    whitehats.com. Do you think that all of these alerts correspond to real
    attacks?
  - What do you think is the main problem for intrusion detection systems?
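Reading a raw alert file entry by entry is how the volume problem makes itself felt; grouping the entries by signature and looking at who talked to whom is the first step towards deciding which ones deserve attention. The Python below is an added example, not code from the course or from Snort. The alert excerpt is constructed in the layout of Snort's full alert mode as I remember it (an assumption: check it against the real file at cube:/local/iu/var_log_snort), with illustrative rule numbers, addresses, times and reference URLs; the function names (`parse_alerts`, `summarize`) and the three triage labels are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed alert-file excerpt (assumed layout; all values illustrative).
SAMPLE_ALERTS = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/05-10:00:00.101010 10.1.1.5 -> 10.1.1.20
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:28
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:1917:6] SCAN UPnP service discover attempt [**]
[Classification: Detection of a Network Scan] [Priority: 3]
03/05-10:00:03.202020 10.1.1.30:1900 -> 239.255.255.250:1900
UDP TTL:1 TOS:0x0 ID:0 IpLen:20 DgmLen:160

[**] [1:1917:6] SCAN UPnP service discover attempt [**]
[Classification: Detection of a Network Scan] [Priority: 3]
03/05-10:00:33.303030 10.1.1.31:1900 -> 239.255.255.250:1900
UDP TTL:1 TOS:0x0 ID:0 IpLen:20 DgmLen:160

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/05-10:00:40.404040 10.1.1.5 -> 10.1.1.21
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:28
[Xref => http://www.whitehats.com/info/IDS162]
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
ADDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
XREF_RE = re.compile(r"^\[Xref => (\S+)\]$")


def strip_port(endpoint):
    """'10.1.1.30:1900' -> '10.1.1.30'; an endpoint without a port is returned unchanged (IPv4 only)."""
    host, sep, port = endpoint.rpartition(":")
    return host if sep and port.isdigit() else endpoint


def parse_alerts(text):
    """Split the alert file on blank lines and extract the fields needed for triage."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"xrefs": []}
        for line in block.splitlines():
            if m := HEADER_RE.match(line):
                rec["gid"], rec["sid"], rec["rev"] = (int(x) for x in m.group(1, 2, 3))
                rec["msg"] = m.group(4)
            elif m := CLASS_RE.match(line):
                rec["classification"], rec["priority"] = m.group(1), int(m.group(2))
            elif m := ADDR_RE.match(line):
                rec["time"], rec["src"], rec["dst"] = m.group(1), strip_port(m.group(2)), strip_port(m.group(3))
            elif m := XREF_RE.match(line):
                rec["xrefs"].append(m.group(1))
        if "msg" in rec and "src" in rec:  # ignore fragments that lack a header or addresses
            records.append(rec)
    return records


def summarize(records):
    """Group alerts by signature and attach a coarse triage label: noise, probe or review."""
    groups = defaultdict(lambda: {"count": 0, "priority": None, "sources": set(),
                                  "destinations": set(), "xrefs": set()})
    for rec in records:
        g = groups[rec["msg"]]
        g["count"] += 1
        g["priority"] = rec.get("priority")
        g["sources"].add(rec["src"])
        g["destinations"].add(rec["dst"])
        g["xrefs"].update(rec["xrefs"])

    summary = {}
    for msg, g in groups.items():
        # Everything aimed at multicast is LAN chatter that was never addressed to a victim.
        if all(ipaddress.ip_address(d).is_multicast for d in g["destinations"]):
            label = "noise"
        # One source touching several hosts with a higher-priority signature is the pattern to chase.
        elif g["priority"] is not None and g["priority"] <= 2 and len(g["sources"]) == 1 and len(g["destinations"]) > 1:
            label = "probe"
        else:
            label = "review"
        summary[msg] = {"count": g["count"], "priority": g["priority"],
                        "sources": sorted(g["sources"]), "destinations": sorted(g["destinations"]),
                        "xrefs": sorted(g["xrefs"]), "label": label}
    return summary


if __name__ == "__main__":
    for msg, info in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{info['label']:7} x{info['count']} prio={info['priority']} {msg} {info['xrefs']}")
```

The labels are deliberately crude: "noise" and "probe" are only hints, and the reference link in each record is the next thing to read before deciding. What the grouping does buy is a view of a few dozen signatures instead of thousands of lines, which is the difference between an alert file anyone looks at and one nobody does.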
- The final graded problem is for you to evaluate the course.
Please answer the following questions as part of your final
submission, to be delivered next week.
- How successful has the course been in showing you
  - What security means and what it is about?
  - How security mechanisms work in detail?
  - How to avoid the worst blunders yourself?
- How would you rate the continuity between this and other lecture courses?
- Have the lectures been adequate? Should there have been more?
- Have the problems/labs been adequate?
- Is there a good mixture of theory and practice?
- How would you rate the continuity of the lectures throughout the course?
- Have you understood what the point of each lecture has been?
- Have you understood what the point of each of the exercises has been?
- What do you think of the course book?
- Have you always received help when you needed it?
- Do you feel that you have learned something from the course?
- What do you think is the most important thing to learn in a course on security?
- What is the best/worst thing about the course?
- Any general comments you have to make.