Overview PortSentry
• The PortSentry programmer (Craig H. Rowland / Psionic) comments the source code very carefully, so that the user can see how the script / program is built.
• This takes PortSentry beyond its function as a "fortress": it can also be used by anyone who wants to learn socket programming.
Applications for HIDS
• portsentry (Linux)
• Nuke Nabber (Windows)
• Snort (Linux and Windows)
Capturing FTP session
• Create a Snort rule in the file "ftp.conf", with the contents:
log tcp any any -> 192.168.1.0/24 21
• Note: this is a rule header only (no rule options)
• Create a directory called "trial", then run the following command (-d dumps the application layer, -l sets the log directory, -c names the rule file):
unix # snort -d -l trial -c ftp.conf
• Run an FTP session to a host on the 192.168.1.0 network:
unix $ ftp 192.168.1.101
Connected to 192.168.1.101.
220 FTP server ready.
Name: anonymous
331 Guest login ok, send your complete e-mail
address as the password.
Password: guest@hotmail.com
ftp> quit
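To show what the rule header above actually selects, here is an added example (not code from the slides or from Snort) that parses a Snort rule header and evaluates it against constructed 5-tuples from the FTP session; the packet addresses and the client port are assumed values. It also covers the "<>" direction operator, which the slide does not use: with "->" only client-to-server packets toward port 21 are logged, so the server's replies (the 220/331 banners) are not captured unless the rule is made bidirectional.

```python
import ipaddress

def parse_rule_header(header):
    """Parse a Snort rule header such as
    'log tcp any any -> 192.168.1.0/24 21' into its seven fields."""
    action, proto, src, sport, direction, dst, dport = header.split()
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction operator: {direction}")
    return {"action": action, "proto": proto.lower(), "src": src,
            "sport": sport, "dir": direction, "dst": dst, "dport": dport}

def _ip_matches(spec, ip):
    # 'any' matches everything; otherwise spec is a host or CIDR block
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec, port):
    # 'any', a single port, or a Snort range such as '20:21', '1024:' or ':1023'
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def rule_matches(rule, pkt):
    """pkt is a 5-tuple dict: proto, src, sport, dst, dport."""
    if pkt["proto"] != rule["proto"]:
        return False
    forward = (_ip_matches(rule["src"], pkt["src"]) and _port_matches(rule["sport"], pkt["sport"])
               and _ip_matches(rule["dst"], pkt["dst"]) and _port_matches(rule["dport"], pkt["dport"]))
    if forward or rule["dir"] == "->":
        return forward
    # '<>' also matches packets flowing in the reverse direction
    return (_ip_matches(rule["src"], pkt["dst"]) and _port_matches(rule["sport"], pkt["dport"])
            and _ip_matches(rule["dst"], pkt["src"]) and _port_matches(rule["dport"], pkt["sport"]))

# Constructed packets: a client (assumed 192.168.1.5) talking to the FTP server on the slide
CLIENT_TO_SERVER = {"proto": "tcp", "src": "192.168.1.5", "sport": 40321, "dst": "192.168.1.101", "dport": 21}
SERVER_TO_CLIENT = {"proto": "tcp", "src": "192.168.1.101", "sport": 21, "dst": "192.168.1.5", "dport": 40321}
OUTSIDE_SERVER = {"proto": "tcp", "src": "192.168.1.5", "sport": 40322, "dst": "10.0.0.7", "dport": 21}

FTP_RULE = parse_rule_header("log tcp any any -> 192.168.1.0/24 21")   # the slide's rule
BOTH_WAYS = parse_rule_header("log tcp any any <> 192.168.1.0/24 21")  # bidirectional variant
```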
ACID
• Analysis Console for Intrusion Databases (ACID)
• A program designed to manage security event data from sources such as IDS, firewalls, and network monitoring tools
• The data is stored in a database (MySQL)
Benefits of ACID
• Logs that were difficult to read become easy to read
• The data can be searched and filtered according to specific criteria
• Manages large alert databases (deleting and archiving)
• For certain cases, alerts can be cross-referenced to security databases such as SecurityFocus, CVE, arachNIDS
Advantages of NIDS
• Advantages of network-based IDS:
-Lower cost
-Able to detect attacks that are not detected by host-based IDS
-Because it works on live network data, it is difficult for an attacker to remove traces, and attacks are detected in real time
-Detection and response in real time
-Detection of failed attacks and attack trends
-It does not depend on the operating system.
• Examples of network-based IDS:
-Snort