* 13 *

Intrusion detection

Graded problems

The purpose of these exercises is to familiarize you with some of the concepts of intrusion detection. Unfortunately we do not have the time or the resources to set up intrusion detectors personally.
  1. Create a cause tree for intrusion detection at a site, which includes both network traffic and changes to hosts (Hint: think about the use of MD5 checksums of files, logging and analysis of data, etc.).

  2. Use nmap to port scan a few machines at IU (e.g. cube). On an average day you will find a number of unidentifiable ports open. These are usually IRC related services which students run "illegally". Do not portscan anywhere outside our College. Portscans are usually regarded as attacks!

  3. Snort is a so-called intrusion detection system (IDS) which logs network traffic and attempts to match patterns of events to a knowledge-base of known attacks. Such intrusion detection systems generate enormous amounts of data. Some example data have been collected at cube:/local/iu/var_log_snort from about ten minutes of watching on a private branch of a switched network.
    1. Examine the files and sub-directories. There are many directories here. What do they represent?
    2. In the file called alert, there is a chronological summary of possible problems. Some of these have explanatory references at whitehats.com. Do you think that all of these alerts correspond to real attacks?
    3. What do you think is the main problem for intrusion detection systems?

  4. The final graded problem is for you to evaluate the course. Please answer the following questions as part of your final submission, to be delivered next week.
    1. How successful has the course been in showing you
      • What security means and what it is about?
      • How security mechanisms work in detail?
      • How to avoid the worst blunders yourself?
    2. How would you rate the continuity between this and other lecture courses?
    3. Have the lectures been adequate? Should there have been more?
    4. Have the problems/labs been adequate?
    5. Is there a good mixture of theory and practice?
    6. How would you rate the continuity of the lectures throughout the course?
    7. Have you understood what the point of each lecture has been?
    8. Have you understood what the point of each of the exercises has been?
    9. What do you think of the course book?
    10. Have you always received help when you needed it?
    11. Do you feel that you have learned something from the course?
    12. What do you think is the most important thing to learn in a course on security?
    13. What is the best/worst thing about the course?
    14. Any general comments you have to make.