
Information Security (Intrusion Detection) (Stored Version)

2025-02-10 10:01
  

Advantages
• f attacks without specific knowledge of details.
• Producing information that can in turn be used to define signatures for misuse detectors.

Disadvantages
• Producing a large number of false alarms
• Often requiring extensive "training sets" of system event records in order to characterize normal behavior patterns.

ROC (Receiver Operator Characteristic) curves are a good way to show how different intrusion detection methods perform at different thresholds.

• CVE works like a dictionary: it gives a common name to widely recognized information security vulnerabilities and to weaknesses that have already been exposed.

Building on IDES and NIDES, CIDF proposes a general model that divides an intrusion detection system into four basic components: event generators, event analyzers, response units, and event databases.

The focus of CIDF's work is the definition of an application-layer language, CISL (Common Intrusion Specification Language), used to describe the information passed between IDR components, together with a protocol for encoding that information.

• If a vulnerability identified in a vulnerability report has a CVE name, you can quickly find the corresponding fix information in any other CVE-compatible database and resolve the security problem.

Summary
• IDS Classification
• IDS Deployment Considerations
• How to choose an IDS
• Industry standards
End

• The full English name of CVE is "Common Vulnerabilities &

The message layer ensures the reliability of encrypted, authenticated messages in transit across devices such as firewalls or NAT.

IDWG
Intrusion Detection Working Group

• Common Intrusion Detection Framework (CIDF)
CIDF, the Common Intrusion Detection Framework, is the basis for building distributed IDS.

Response Options for IDS
Once IDS have obtained event information and analyzed it to find symptoms of attacks, they generate responses.

Active Responses
• Active IDS responses are automated actions taken
• There are three categories of active responses:
  – Collect additional information: The most innocuous, but at times most productive
  – Change the Environment: reconfigure router, reset TCP inject
  – Take Action Against the Intruder: this response is ill advised.

Passive Responses
• Provide information to system users, relying on humans to take subsequent action based on that information.
• Many commercial IDSs rely solely on passive responses.

Deploying IDS

Deployment Tips (1)
• Dual NIC
  – No TCP/IP binding
  – Network Performance
• NIC optimization settings
• Promiscuous mode

Deployment Tips (2)
• Locations
  – DMZ
  – In front of firewall
  – Behind firewall
  – Server segments
  – "Power user" segments

Location 1: Behind each external firewall, in the network DMZ
• Sees attacks that penetrate the network's perimeter defenses.
• Finding problems existing in firewall policy or performance
• Sees attacks that might target the web server or ftp server, which commonly reside in this DMZ
• Even if the incoming attack is not recognized, the IDS can sometimes recognize the outgoing traffic that results from the compromised server

Location 2: Outside an external firewall
• Documents number of attacks originating on the Internet that target the network.
• Documents types of attacks originating on the Internet that target the network

Location 3: On major network backbones (Server segments)
• Monitors a large amount of a network's traffic, thus increasing the possibility of spotting attacks.
• Detects unauthorized activity by authorized users within the organization's security perimeter.

Location 4: On critical subnets (Power user segments)
• Detects attacks targeting critical systems and resources.
• Focusing limited resources to the network considered of greatest value.

Problem Scenarios (1)
• Signature quality
  – False POSITIVES
  – False NEGATIVES
  – Threshold values
  – Duplicates elimination
• Encrypted traffic
  – SSL, IPSEC &

Its rule form is as follows:

where E1 to E5 denote security events.

To obtain the contents of the /etc/passwd file, we do not type a command line such as cat /etc/passwd directly; instead we achieve the same goal through a command interpreter (for example, perl):

badguyhost$ perl -e '$foo=pack("C11",47,101,116,99,47,112,97,115,115,119,100);

msg: "PHF probe!";

5E 89 76 08 31 ED 31 C9 31 C0 88 6E 07 89 6E 0C  ^...n..n.
B0 0B 89 F3 8D 6E 08 89 E9 8D 6E 0C 89 EA CD 80  .....n....n.....
31 DB 89 D8 40 CD 80 90 90 90 90 90 90 90 90 90  1..............
90 90 90 90 90 90 90 90 90 90 90 E8 C0 FF FF FF  ................
2F 62 69 6E 2F 73 68 90 90 90 90 90 90 90 90 90  /bin/sh.........

Alert rule for the new buffer overflow
alert tcp any any (content:|E8C0 FFFF FF|/bin/s