Chapter 8. Dealing with the Data

Solutions Fast Track

What Is Intrusion Analysis?

Intrusion analysis is an investigation into a network incident.

A Snort alert is in many cases the first sign of an intrusion. At the core of the alert message is a simple log of events of interest. This information includes a timestamp, IP addresses, and port information.

The analyst must examine the packets gathered during an event to determine the validity and estimate the severity of the intrusion.

By examining the rule that fired, an analyst can determine whether the detection mechanism is prone to false positives, whether the rule has matured, and consequently what to look for in the packet logs.


Intrusion Analysis Tools

ACID works with MySQL or PostgreSQL databases.

To work properly, ACID needs a Web server with PHP4 and a set of PHP libraries installed.

ACID deployment can be scaled so that many different Web servers work with one database or so that different consoles have different access rights.

The search feature allows database exploration and correlation of events.

Database management allows clearing of alerts or moving them into an archive database.

SGUIL is a powerful analysis platform for monitoring Snort events.

SGUIL is written in Tcl/Tk, so it can run on many different platforms.

SGUIL can quickly query the database and generate incident reports. SGUIL can even sanitize the report data so that your private IP information is not revealed.

snort_stat.pl is a Perl script that summarizes Snort event file information.

Run snort_stat.pl from a cron script and have it mail you the results. For added privacy, encrypt the data with PGP.
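The alert fields described earlier (timestamp, addresses, ports) and the kind of summary snort_stat.pl produces can be shown together in one small script. The following is an added example, not code from the book or from snort_stat.pl: it parses Snort's fast-format alert lines with a regular expression, counts events by signature, source, destination and priority, and, like SGUIL's sanitized reports, can mask addresses inside your own network before the summary is mailed. The alert lines, the local-range signature IDs and the home network 198.51.100.0/24 are constructed for the example.

```python
"""Summarize Snort fast-format alerts (constructed sample data, not a real log)."""
import ipaddress
import re
from collections import Counter

# Snort "fast" alert line, as written by the alert_fast output plugin.
# Ports are absent for protocols such as ICMP; the Classification field is
# absent when the rule has no classtype.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts using documentation address ranges; the SIDs are
# in the local-rule range (1000000 and up) and do not refer to any published rule.
SAMPLE_ALERTS = """\
09/21-15:14:32.103242  [**] [1:1000001:1] LOCAL web server probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:43122 -> 198.51.100.5:80
09/21-15:14:33.220011  [**] [1:1000001:1] LOCAL web server probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:43123 -> 198.51.100.5:80
09/21-15:15:01.000512  [**] [1:1000002:2] LOCAL ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.9
09/21-15:16:45.781100  [**] [1:1000003:1] LOCAL suspicious DNS query [**] [Priority: 1] {UDP} 203.0.113.4:5353 -> 198.51.100.2:53
this line is not an alert and must be skipped
"""


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not an alert."""
    m = FAST_ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["prio"] = int(rec["prio"])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def sanitize_addr(addr, home_nets):
    """Replace an address inside one of home_nets with a placeholder (SGUIL-style masking)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in ipaddress.ip_network(n) for n in home_nets):
        return "HOME_NET"
    return addr


def summarize(lines, home_nets=()):
    """Count alerts by signature, source, destination and priority; skip non-alert lines."""
    summary = {
        "parsed": 0,
        "skipped": 0,
        "by_signature": Counter(),
        "by_src": Counter(),
        "by_dst": Counter(),
        "by_priority": Counter(),
    }
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            if line.strip():
                summary["skipped"] += 1
            continue
        summary["parsed"] += 1
        sig_id = f"{rec['gid']}:{rec['sid']}:{rec['rev']}"
        summary["by_signature"][(sig_id, rec["msg"])] += 1
        summary["by_src"][sanitize_addr(rec["src"], home_nets)] += 1
        summary["by_dst"][sanitize_addr(rec["dst"], home_nets)] += 1
        summary["by_priority"][rec["prio"]] += 1
    return summary


def report(summary):
    """Render the summary as plain text; priority 1 (most severe) is listed first."""
    out = [f"{summary['parsed']} alerts parsed, {summary['skipped']} lines skipped", "By priority:"]
    for prio, n in sorted(summary["by_priority"].items()):
        out.append(f"  priority {prio}: {n}")
    out.append("By signature:")
    for (sig_id, msg), n in summary["by_signature"].most_common():
        out.append(f"  {n:4d}  [{sig_id}] {msg}")
    out.append("Top sources:")
    for src, n in summary["by_src"].most_common(5):
        out.append(f"  {n:4d}  {src}")
    out.append("Top destinations:")
    for dst, n in summary["by_dst"].most_common(5):
        out.append(f"  {n:4d}  {dst}")
    return "\n".join(out)


if __name__ == "__main__":
    # 198.51.100.0/24 is treated as the monitored network and masked in the
    # output, which matters when the report leaves the box by e-mail.
    print(report(summarize(SAMPLE_ALERTS.splitlines(), home_nets=["198.51.100.0/24"])))
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the lines of your own alert file; scheduled from cron and piped to mail, it gives the same daily overview the text describes, with the priority section first so the most severe events are read first.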

SnortSnarf processes Snort log files and creates a set of static HTML pages with various details and correlations between data. It can process various events that are not logged to a database—for example, portscan log files.

It is more useful to have SnortSnarf run periodically as a cron job.

If you provide SnortSnarf with a reference to your rules file, it will include rule-related information in its output, such as exploit database reference links or rule descriptions.

Take care to secure access to the Web server that SnortSnarf is posting your IDS information on. Attackers might be very interested in what your IDS is picking up.
