Scoring System using IDS Alert
zamroot
I have an idea to develop a project: a scoring system for games like capture the flag using IDS alerts, e.g. Snort or Bro. I need your comments and suggestions on this. Does it sound relevant or possible to do that? If relevant, which IDS should I focus on, Snort or Bro or any others? Thanks.
Comments
Codyy
I'd probably focus on Snort. Interested in hearing how this works out; I could see someone gaming the system by just sending stuff that Snort shows as high severity (like shellcode) over and over. Do you have a plan to adjust/limit scoring for duplicate attacks?
Good luck and keep us posted, sounds like a cool idea.
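An added example, not code from anyone in this thread, of how the duplicate-attack concern above could be handled: a small scorer that parses Snort's single-line `alert_fast` output, maps the source address to a team, and credits each (team, rule SID, target) only once, so replaying one high-priority alert does not farm points. The point table, team mapping and alert lines are constructed for the example.

```python
import re
from collections import defaultdict

# Snort alert_fast single-line layout:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d)\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

# Points per Snort priority (1 = most severe). Assumed values for the example, not from the thread.
POINTS = {1: 10, 2: 5, 3: 2, 4: 1}

# Constructed mapping of player source addresses to teams.
TEAM_OF_IP = {"10.0.0.20": "red", "10.0.0.30": "blue"}

# Constructed alert lines; SIDs use the local-rule range (>= 1000000), not real rule IDs.
SAMPLE_ALERTS = [
    "01/15-10:00:01.000001  [**] [1:1000001:1] LOCAL exploit attempt against web tier [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.20:51234 -> 10.0.1.5:80",
    "01/15-10:00:02.000002  [**] [1:1000001:1] LOCAL exploit attempt against web tier [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.20:51235 -> 10.0.1.5:80",
    "01/15-10:00:03.000003  [**] [1:1000002:1] LOCAL port sweep [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 10.0.0.20:51236 -> 10.0.1.5:22",
    "01/15-10:00:04.000004  [**] [1:1000001:1] LOCAL exploit attempt against web tier [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.30:40000 -> 10.0.1.5:80",
    "this line is not a snort alert and must be ignored",
    "01/15-10:00:05.000005  [**] [1:1000001:1] LOCAL exploit attempt against web tier [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.9.9:1234 -> 10.0.1.5:80",
]

def parse_alert(line):
    """Return the fields the scorer needs, or None for lines that are not fast-format alerts."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"sid": int(d["sid"]), "prio": int(d["prio"]), "src": d["src"], "dst": d["dst"], "msg": d["msg"]}

def score_alerts(lines, team_of_ip):
    """Award points per team; a (team, sid, target) triple is credited only the first time it appears."""
    scores = defaultdict(int)
    seen = set()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue                      # unparseable line: skip rather than crash the scoreboard
        team = team_of_ip.get(alert["src"])
        if team is None:
            continue                      # traffic not attributable to a registered team
        key = (team, alert["sid"], alert["dst"])
        if key in seen:
            continue                      # duplicate of an already-credited attack: no extra points
        seen.add(key)
        scores[team] += POINTS.get(alert["prio"], 0)
    return dict(scores)

if __name__ == "__main__":
    print(score_alerts(SAMPLE_ALERTS, TEAM_OF_IP))  # {'red': 12, 'blue': 10}
```

The dedup key is deliberately coarse; a real scoreboard would also want a time window so a team can re-earn points on a freshly reset target.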
wastedtime
This is definitely relevant and a good way to identify bad/odd traffic without spending a lot of time on the normal stuff. I agree with Codyy that you should probably focus on Snort. I think scoring would be more accurate with Bro, but harder to achieve. The reason I say that is you would have to do a lot more cross-log correlation to achieve the same effect in Bro, and that would add a lot of complexity once everything is said and done. Not to mention how hard it would be to tweak the scoring method without making many changes.
zamroot
Thanks for the feedback. Codyy, do you have more details about the game you mentioned? Maybe any reference/link?
At the moment I'm still in the initial study of this and still searching for any other project that is related to this idea.
BlackBeret
Snort seems like the better candidate for this, but I have some questions on what you're trying to achieve.
Are you using the IDS detection to award points or take away points? I ask because even in a game environment a lot of attacks aren't going to be picked up by the IDS. Unless you're trying to award points for a properly executed <insert X exploit>. If you're going to use an IDS system to take away points, you could configure it to IPS mode and simply block the attacks that it alerts on so that they can't get points.
Honestly I can't see anything on the network that can/will catch everything. One of the finer points of pentesting is to stay under the radar and develop/use new attack methods.
I haven't participated in any SANS challenges yet, so take what I say with a grain of salt, but I read a bit about their scoring system and how people attempt to ****; it was a good article. I'll look for it later. The basics are that a scoring server is set up, and on each machine is a hash that is only readable by X level (User, root, etc). Once users penetrate the machine they copy the hash and paste it into the scoring server to award points. One method students were using to try and **** the system was to use a sniffer on the network and capture these hashes as other teams were sending them to the server.
BlackBeret
SANS Penetration Testing | Mission Impossible? Thwarting Cheating in an Advanced Pen Test Class CtF: The SANS SEC660 Experience | SANS Institute