Intrusion Detection and analysis resources?
SephStorm
Member Posts: 1,731 ■■■■■■■□□□
I'd like to study and practice some things on my days off. Can't believe i;'m saying that considering my current schedule... but anyway.
I think I do okay with what I know, but I know I have gaps in my ability to analyze events that occur on my work network. I'm wondering if you guys know of any resources that will be actually useful. I know there are plenty of books out there, on the subject, but it seems as though some focus on technology as the solution, I want to know when I see an alert, say for heartbeat/heartbleed, is it normal traffic, or is it an attack attempt? If that SSH or other overflow an attack attempt or just a possible outcome for normal traffic, and if so, how can I modify my rules to trim down on FP's?
I think I do okay with what I know, but I know I have gaps in my ability to analyze events that occur on my work network. I'm wondering if you guys know of any resources that will be actually useful. I know there are plenty of books out there, on the subject, but it seems as though some focus on technology as the solution, I want to know when I see an alert, say for heartbeat/heartbleed, is it normal traffic, or is it an attack attempt? If that SSH or other overflow an attack attempt or just a possible outcome for normal traffic, and if so, how can I modify my rules to trim down on FP's?
Comments
-
docrice Member Posts: 1,706 ■■■■■■■■■■Analyzing events often requires deep insight into protocol behavior, knowing the occasional quirks with some devices, staying up-to-date on evolving attacks/threats, understanding the common traffic patterns (especially in your environment based on an updated baseline, assuming that's feasible), among many other things. In other words, you have to know everything. More realistically, you have to see patterns or recognize something that looks out of place and maybe research the area(s) related to the event and (hopefully) connect the dots. As your environment changes, you need to tune your equipment to reduce noise but at the same time maintain enough sensitivity to detect shadows.
Intrusion detection is a moving target both technologically as well for the analyst developing his skills. Being adaptive is a key trait because you need to keep an open mind while understanding balance. You won't get everything, and sometimes you miss the obvious and sometimes you hit on something obvious which turns out to be a false positive. Frustrating.
For modifying rules (or writing your own), you just need to know what the technology you're using allows you to tweak. If you're using Snort/Sourcefire/Cisco, you need to understand how the IDS engine works (decoder, preprocessor, detection) and rule inspection ordering and syntax. That stuff takes time for sure.
I think being good at intrusion detection requires a lot of hands-on, experimentation, and reading up on new things constantly. Recreate some attacks, see how the engine fires an alert, etc.. Whether you can find the time for all that is another question, but you at least have the ability to start at home and use that as a reference. PCAPs of known-attacks are out there for download (maybe try the Counter Hack challenges).
Logs are a good place to start. Looking at a switch/router/firewall log isn't always as granular, but parsing through them will give you an idea what happens from the device's perspective and progressive filtering might lead you to reveal some interesting findings just themselves. ACL drop events are an easy way to see things, especially misconfigured devices or applications.Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/ -
JDMurray Admin Posts: 13,091 AdminIt's good to be a programmer too. You can not only write your own packet parsers and generators, but also write your own network clients and servers and vulnerable targets too. Python and C are good languages to use for tinkering with network protocols. You learn a lot of "inside baseball" from experimentation.
-
SephStorm Member Posts: 1,731 ■■■■■■■□□□Thanks. I've been pushing for a lab at work, but it's not on the radar right now. And during my work week, it's not something I feel like doing after 12 hrs at work. I have been looking at the PCAP's from malware-traffic-analysis.net, I think I do okay when I can get a view of everything like what is seen there.