Analyzing IDS Effectiveness, Forensics, and Snort Plugin Usage

Added on 2022/10/12

AI Summary
This assignment investigates the effectiveness of Intrusion Detection Systems (IDS) in defending against network attacks and their application in computer forensics. The solution highlights that organizations utilize IDS solutions to identify anomalies, though they face challenges in data management and correlation. It provides an example of how IDS tools, like Snort, can be used in computer forensics by analyzing log messages containing information such as IP addresses and timestamps. The assignment also explores a specific Snort output plugin, syslog, explaining its utility in logging traffic for forensic event trails and providing authentication evidence. References to relevant research papers support the analysis, demonstrating the practical application and importance of IDS in maintaining network security. The assignment underscores that IDS can assist in identifying attackers and discovering newer patterns of attack to protect systems from threats.
Running head: NETWORKING AND SECURITY
Networking and Security
Name of the Student
Name of the University
Author Note
How effective are companies and other organizations at applying IDS for specific purposes?
Owing to the widespread integration and deployment of intrusion detection by industry, the importance of intrusion detection systems (IDS) as an integral part of an organization's infrastructure is becoming more apparent. Medium to large organizations as well as government institutes are deploying enterprise-grade IDS solutions (Javaid et al., 2016). As they begin rolling out and administering their IDS, businesses are encountering several obstacles regarding data collection, management, deployment and data correlation. Intrusion detection systems are meant to identify anomalies in the network, yet they still have low detection rates and high false alarm rates, especially for anomaly classes with few records.
Find and summarize an example of ways IDS tools or techniques are used in computer forensics.
Organizations cannot depend entirely upon an IDS to maintain the security of their network. Network administrators therefore also need to perform investigations using audit tools to analyse the network events in their entirety and to restore the network when it is affected or disabled by different threats and attacks. The outcomes of IDS tools can vary based on the type of IDS used. These outcomes include the ability to react promptly to prevent or significantly reduce damage through automated or manual intervention, the ability to identify attackers or attack activities that may cause further damage in time, and the ability to discover newer patterns of attack so that the threats can be measured and protective measures developed. Snort, for example, saves several messages in the /var/log/snort directory (Mualfah & Riadi, 2017). The messages can contain important information regarding incidents as soon as they occur, based on the rules specified in the source code of Snort. This information can include attributes like time and date, the IP addresses of the source and the destination, TTL (time to live) in IP packet headers, the length of IP packet headers, total length of IP packets, ICMP type fields, ICMP code values, IP packet IDs, sequence numbers and ICMP packet types (Sayadi, Abbes & Bouhoula, 2017). With this information IDS tools can help in computer forensics.
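As an added illustration (not code from the assignment or from any of the cited papers), the Python below parses alert blocks in the layout Snort writes to its alert file and pulls out exactly the fields listed above: timestamp, source and destination addresses, TTL, IP ID, IP header length, datagram length and the ICMP type, code, ID and sequence number. It then orders the records into a timeline and picks out the sources behind high-priority alerts. The sample log is constructed for the example; its addresses, IDs and the third signature are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample in the layout of Snort's default full alert file
# (/var/log/snort/alert). Addresses, IDs and the third rule are made up.
SAMPLE_ALERT_LOG = """\
[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
10/12-14:23:01.123456 192.168.1.10 -> 192.168.1.20
ICMP TTL:64 TOS:0x0 ID:51432 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1234   Seq:1  ECHO

[**] [1:408:5] ICMP Echo Reply [**]
[Classification: Misc activity] [Priority: 3]
10/12-14:23:01.124001 192.168.1.20 -> 192.168.1.10
ICMP TTL:64 TOS:0x0 ID:51433 IpLen:20 DgmLen:84
Type:0  Code:0  ID:1234   Seq:1  ECHO REPLY

[**] [1:1000001:1] HYPOTHETICAL oversized ICMP echo [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/12-14:23:05.000100 203.0.113.7 -> 192.168.1.20
ICMP TTL:52 TOS:0x0 ID:777 IpLen:20 DgmLen:1500
Type:8  Code:0  ID:9   Seq:3  ECHO
"""

# One regex per line type of the full alert format.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]")
TIME_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
IP_RE = re.compile(r"^([A-Z]+) TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
ICMP_RE = re.compile(r"^Type:(\d+)\s+Code:(\d+)\s+ID:(\d+)\s+Seq:(\d+)")


@dataclass
class AlertRecord:
    gid: int
    sid: int
    rev: int
    signature: str
    classification: str = ""
    priority: int = 0
    timestamp: str = ""   # Snort's default MM/DD-HH:MM:SS.usec, no year
    src: str = ""
    dst: str = ""
    proto: str = ""
    ttl: Optional[int] = None
    ip_id: Optional[int] = None
    ip_hdr_len: Optional[int] = None
    total_len: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    icmp_id: Optional[int] = None
    icmp_seq: Optional[int] = None


def parse_alert_block(block: str) -> AlertRecord:
    """Turn one blank-line-delimited alert into a record of the fields an analyst
    pulls from it (timestamp, endpoints, IP header values, ICMP values)."""
    lines = block.strip().splitlines()
    head = HEADER_RE.match(lines[0])
    if not head:
        raise ValueError(f"unrecognised alert header: {lines[0]!r}")
    rec = AlertRecord(int(head[1]), int(head[2]), int(head[3]), head[4])
    for line in lines[1:]:
        if m := CLASS_RE.match(line):
            rec.classification, rec.priority = m[1], int(m[2])
        elif m := TIME_RE.match(line):
            rec.timestamp, rec.src, rec.dst = m[1], m[2], m[3]
        elif m := IP_RE.match(line):
            rec.proto = m[1]
            rec.ttl, rec.ip_id = int(m[2]), int(m[3])
            rec.ip_hdr_len, rec.total_len = int(m[4]), int(m[5])
        elif m := ICMP_RE.match(line):   # only present for ICMP alerts
            rec.icmp_type, rec.icmp_code = int(m[1]), int(m[2])
            rec.icmp_id, rec.icmp_seq = int(m[3]), int(m[4])
    return rec


def parse_alert_log(text: str) -> List[AlertRecord]:
    """Split the alert file on blank lines and parse every block."""
    return [parse_alert_block(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


def timeline(records: List[AlertRecord]) -> List[AlertRecord]:
    """Chronological order. The default timestamp carries no year, so this assumes
    all records fall in one year (run Snort with -y to include the year)."""
    return sorted(records, key=lambda r: r.timestamp)


def high_priority_sources(records: List[AlertRecord], max_priority: int = 2) -> Set[str]:
    """Source addresses behind alerts at or above the given Snort priority (1 is highest)."""
    return {r.src for r in records if r.priority <= max_priority}


if __name__ == "__main__":
    for r in timeline(parse_alert_log(SAMPLE_ALERT_LOG)):
        print(r.timestamp, r.src, "->", r.dst, r.proto, "ttl", r.ttl,
              "id", r.ip_id, "len", r.total_len, "icmp", r.icmp_type, r.icmp_code, r.signature)
    print("high-priority sources:", high_priority_sources(parse_alert_log(SAMPLE_ALERT_LOG)))
```

The echo request and reply share ICMP ID 1234 and sequence 1, which is the kind of correlation across records that lets an analyst reconstruct a conversation rather than look at isolated alerts; the oversized datagram from 203.0.113.7 is the only record that survives the priority filter.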
Choose one of the output plug-in options in section 2.6 of the Snort manual and provide an example of a situation or type of IDS requirement that would be well suited for the plug-in or add-on you choose.
The chosen output plug-in option is syslog. This module of Snort is able to send alerts to syslog facilities, similar to the -s command line switch. The module also allows users to specify the logging facility and priority in the Snort configuration file, giving them greater flexibility in how alerts are logged. The syslog plug-in defines operating metrics of particular facilities on top of other options declared in its configuration file (Pir, 2015). An example using the LOG_AUTH keyword, so that alerts can be viewed among the logs of that facility, is given below.
output alert_syslog: LOG_AUTH LOG_ALERT
Traffic gets logged to the syslog server, creating a forensic event trail. This syslog data is able to provide event-driven baselines. Authentication syslog keywords like the one mentioned above can provide evidence as well as artifacts of successful breaches.
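The configuration line above chooses the facility (LOG_AUTH) and level (LOG_ALERT) that every forwarded alert carries in its syslog PRI field, and that PRI value is what lets a central collector keep Snort alerts in the same trail as the hosts' own authentication records. The Python below is added here as an example and is not taken from the assignment, from Snort or from the cited paper: it works out the PRI value for an alert_syslog configuration line, parses RFC 3164 lines from a constructed collector buffer (the snort messages follow the layout of Snort's alert_syslog output; hosts, addresses, process IDs and the second signature are made up) and builds the auth-facility event trail.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# syslog facility and severity codes (RFC 3164 / <syslog.h>): PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}

# Constructed collector input: two Snort alerts forwarded with LOG_AUTH LOG_ALERT (PRI 33),
# one sshd record (auth.info, PRI 38) and an unrelated web server line (local0.info, PRI 134).
SAMPLE_SYSLOG = """\
<33>Oct 12 14:23:01 sensor1 snort[2214]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.20
<38>Oct 12 14:23:02 webhost sshd[911]: Accepted publickey for deploy from 192.168.1.10 port 50122 ssh2
<33>Oct 12 14:23:05 sensor1 snort[2214]: [1:1000001:1] HYPOTHETICAL oversized ICMP echo [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 192.168.1.20
<134>Oct 12 14:23:06 webhost nginx: 203.0.113.7 - - "GET / HTTP/1.1" 200 612
"""

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# Message layout of Snort's alert_syslog output plug-in.
SNORT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<sig>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def syslog_pri(facility: str, severity: str) -> int:
    """PRI value written for a facility/severity pair, e.g. auth + alert -> 33."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(pri: int) -> tuple:
    """Inverse of syslog_pri: (facility name, severity name)."""
    fac_code, sev_code = divmod(pri, 8)
    return FACILITY_NAMES[fac_code], SEVERITIES[sev_code]


def pri_for_snort_config(config_line: str) -> int:
    """PRI that alerts emitted by an 'output alert_syslog: LOG_<fac> LOG_<level>' line carry."""
    m = re.match(r"output alert_syslog:\s*LOG_(\w+)\s+LOG_(\w+)", config_line)
    if not m:
        raise ValueError("not an alert_syslog output line")
    return syslog_pri(m.group(1).lower(), m.group(2).lower())


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: str
    program: str
    message: str
    snort: Optional[dict] = None   # parsed Snort alert fields, when the sender is snort


def parse_syslog_line(line: str) -> SyslogEvent:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    snort = None
    if m["prog"] == "snort":
        s = SNORT_RE.match(m["msg"])
        snort = s.groupdict() if s else None
    return SyslogEvent(facility, severity, m["ts"], m["host"], m["prog"], m["msg"], snort)


def auth_trail(lines: List[str]) -> List[SyslogEvent]:
    """Events a collector would keep in the auth-facility forensic trail: Snort alerts sent
    with LOG_AUTH interleaved with the hosts' own authentication records."""
    events = [parse_syslog_line(l) for l in lines if l.strip()]
    return [e for e in events if e.facility == "auth"]


def alert_sources(events: List[SyslogEvent], max_priority: int = 2) -> Set[str]:
    """Source addresses from Snort alerts at or above the given rule priority."""
    return {e.snort["src"] for e in events if e.snort and int(e.snort["prio"]) <= max_priority}


if __name__ == "__main__":
    print("PRI for LOG_AUTH LOG_ALERT:", pri_for_snort_config("output alert_syslog: LOG_AUTH LOG_ALERT"))
    for e in auth_trail(SAMPLE_SYSLOG.splitlines()):
        print(e.timestamp, e.host, e.program, e.facility + "." + e.severity, e.message[:60])
```

Routing the alerts into the auth facility is what puts the ICMP alert from 192.168.1.10 next to the successful key-based login from the same address one second later; that adjacency is the "event trail" the paragraph refers to, and the web server line, sent under local0, stays out of it.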
References
Javaid, A., Niyaz, Q., Sun, W., & Alam, M. (2016, May). A deep learning approach for network intrusion detection system. In Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS) (pp. 21-26). ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering).
Mualfah, D., & Riadi, I. (2017). Network forensics for detecting flooding attack on web server. International Journal of Computer Science and Information Security, 15(2), 326.
Pir, R. M. (2015). Intrusion detection systems with Snort.
Sayadi, S., Abbes, T., & Bouhoula, A. (2017, October). Detection of covert channels over ICMP protocol. In 2017 IEEE/ACS 14th International Conference on Computer Systems and Applications (AICCSA) (pp. 1247-1252). IEEE.