
Assignment: Intrusion Detection and Intrusion Prevention

Part 1: True or False Questions.

1. T F To have a Snort rule match on both inbound and outbound traffic, the rule should use the flow:to_server,from_client,established; option.

2. T F Host-based IDS can be used to monitor compliance with corporate policies such as acceptable use of computer resources.

3. T F An on-demand operational IDS model is not suitable if legally admissible data collection is required.

4. T F Current criminal and civil procedure laws and rules of evidence do not provide clear guidance on digital and electronic forms of evidence such as IDS logs.

5. T F Snort unified output plug-ins can be used to off-load computing tasks from the core Snort program to improve overall performance.

6. T F Thresholds used in Snort alert rules can cause false negatives if the attacker works slowly enough.

7. T F Network-based IDS provides no protection against internal threats.

8. T F When a "pass" rule is matched in Snort, no other rules are evaluated.

9. T F To ensure proper execution of Snort rules using the "uricontent" option the HTTP Inspect preprocessor must be installed and configured in Snort.

10. T F There are no monitoring situations that justify real-time intrusion response.

Part 2: Short Answer Questions.

1. False positive and false negative

a. Define and differentiate false positive and false negative.
b. Which is worse, and why?
c. Give one example of each, drawn from any context that demonstrates your understanding of the terms.

2. Snort rule

a. Describe the components of the following Snort rule.

alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)

b. What sort of attack is it intended to detect?
c. What network traffic pattern information is it looking for?
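As an added example that is not part of the assignment or of the Snort project, the following Python parser splits a rule of the shape quoted above into its header fields (action, protocol, source address and port, direction operator, destination address and port) and its option list, then separates bookkeeping options (msg, reference, classtype, sid, rev) from the tests that are applied to traffic. It assumes the classic Snort 2 rule grammar; the function names and the metadata keyword set are the example's own.

```python
"""Break a Snort rule into its header fields and option list.

Added example for this assignment page, not code from the assignment or from
the Snort project. It assumes the classic Snort 2 rule grammar
(ACTION PROTO SRC SPORT DIRECTION DST DPORT (OPTION; OPTION; ...)) and is run
on the rule quoted in the assignment; the helper names are the example's own.
"""
import re
from dataclasses import dataclass, field

# Rule quoted in the assignment, used here as the sample input.
SAMPLE_RULE = (
    'alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; '
    'reference:bugtraq,2666; reference:cve,1999-0016; '
    'reference:url,www.cert.org/advisories/CA-1997-28.html; '
    'classtype:bad-unknown; sid:527; rev:8;)'
)

# Header: action, protocol, source address/port, direction operator
# ('->' one way, '<>' both directions), destination address/port, then the
# parenthesised option body.
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$",
    re.S,
)

# Options that describe the rule (for analysts and output plug-ins) rather than
# the traffic it matches; every other keyword is treated as a detection test.
# This set is the example's own assumption, not an official Snort list.
METADATA_KEYWORDS = {"msg", "reference", "classtype", "sid", "rev", "gid",
                     "priority", "metadata"}


@dataclass
class SnortRule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # [(keyword, value or None), ...]


def split_options(body):
    """Split the option body on ';', honouring double quotes and backslash escapes."""
    pieces, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            current.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            pieces.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    pieces.append("".join(current).strip())
    options = []
    for piece in pieces:
        if not piece:
            continue  # empty piece left by the trailing ';'
        keyword, sep, value = piece.partition(":")
        options.append((keyword.strip(), value.strip() if sep else None))
    return options


def parse_rule(text):
    """Return a SnortRule for `text`, or raise ValueError if the header is malformed."""
    match = HEADER_RE.match(text)
    if not match:
        raise ValueError("not a recognisable Snort rule")
    fields = match.groupdict()
    option_body = fields.pop("options")
    return SnortRule(**fields, options=split_options(option_body))


def summarize(rule):
    """Separate the rule's bookkeeping options from the tests applied to traffic."""
    summary = {"sid": None, "rev": None, "msg": None, "classtype": None,
               "references": [], "detection": []}
    for keyword, value in rule.options:
        if keyword == "msg":
            summary["msg"] = value.strip('"')
        elif keyword == "reference":
            system, _, ident = value.partition(",")
            summary["references"].append((system, ident))
        elif keyword in ("sid", "rev"):
            summary[keyword] = int(value)
        elif keyword == "classtype":
            summary["classtype"] = value
        elif keyword not in METADATA_KEYWORDS:
            summary["detection"].append(keyword if value is None else f"{keyword}:{value}")
    return summary


if __name__ == "__main__":
    parsed = parse_rule(SAMPLE_RULE)
    print(parsed)
    print(summarize(parsed))
```

Running the module prints the parsed header and the summary for the assignment's rule; the only entry left in the detection list is the single traffic test the rule carries, with everything else filed as metadata.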

3. User-centric and target-centric monitoring

a. What are the key differences between user-centric and target-centric monitoring in behavioral data forensics?
b. Is one perspective preferred over the other?
c. If so, what are some of the advantages of the preferred choice, or disadvantages of the non-preferred choice?

4. Write a rule using Snort syntax to detect an internal user executing a Windows "tracert" command to identify the network path to an external destination. What changes, if any, would you need to make to this rule to make it also work for a Unix/Linux "traceroute"?

5. As Trost noted, most network IDS tools are designed to optimize performance analyzing traffic using a variety of protocols specific to TCP/IP wired networks.

a. Describe at least two intrusion detection scenarios where specialized types of monitoring and analysis are called for.

b. What limitations exist in conventional NIDS that make them insufficient to provide effective intrusion detection in the environments corresponding to these scenarios?

6. Multi-event signature

a. What is a multi-event signature?
b. Provide at least two examples of multi-event signature activities or patterns that might be monitored with an intrusion detection system.

7. Anomaly-based intrusion detection

a. What are the operational requirements necessary to perform anomaly-based intrusion detection?

b. How does the information gathered about network traffic by anomaly-based IDS tools differ from the information gathered by signature-based NIDS?

8. Many people perceive intrusion detection to be a constant, all-the-time security function.

a. Identify and describe at least two "part-time" intrusion detection operational models.
b. For each model, give an example of a usage scenario that would call for part-time monitoring.

9. Are organizations legally obligated to use intrusion detection capabilities? Why or why not?

10. Imagine you are tasked with monitoring network communication in an organization that uses encrypted transmission channels.

a. What are the limitations of using intrusion detection systems in this environment?
b. What methods would you employ to accomplish this task?

Part 3: Essay Questions. Maximum length: 2 pages each, excluding references.

1. In 2003, a well-publicized report from IT analyst firm Gartner predicted that the market for stand-alone IDS tools would soon disappear, and urged Gartner clients to cease investing in IDS tools in favor of firewalls. Last week, U.S. cyber security czar Howard Schmidt publicly called for enterprise network intrusion detection, and asked, "Why haven't we done this already?" Clearly, the obsolescence of IDS tools by 2005 did not occur as Gartner predicted.

a. What factors have been most important in the continued viability of the IDS market?

b. Based on what you have learned about IDS and IPS tools, do you think these tools will continue to be used as a key security component? Why or why not?

2. In early 2008, the U.S. Department of Homeland Security stated publicly that it wanted more intrusion detection capabilities, in particular citing a need to move to mandatory real-time intrusion detection for federal government networks, as an expansion of current passive, voluntary monitoring. The current manifestation of this goal is the Einstein program, which, while officially in a pilot phase, is likely to be expanded significantly starting in 2011.

Article: "DHS releases new details on Einstein 3 intrusion prevention pilot" by Ben Bain.

a. Using what we have learned in this course and your own knowledge of IDS operational models, requirements, and other characteristics associated with selecting and using the most appropriate types of intrusion detection and prevention, what is your response to the proposal to implement comprehensive intrusion detection and prevention for all network traffic to or from U.S. government agencies?

b. What are some of the key obstacles faced in rolling out an intrusion detection capability of this sort?

c. Identify and describe at least three challenges that DHS should consider when planning the Einstein deployment.

  • Category:- Computer Network & Security
  • Reference No.:- M92300755