Network-based Intrusion Detection & Prevention

Content Leader: Jess Garcia - Last Updated: January 17, 2007

Index

• IDS / IPS Testing
• IDS on Encrypted Traffic
• IDS / IPS Evasion
• IP Traceback

Protocols

Field Notes

The below notes are aimed at helping you in your daily Traffic Analysis. They cover the most usual information you need for real life operations, but they are not meant to be a complete reference. A best effort is made to keep them as accurate and updated as possible.

• IP - ICMP - TCP - UDP

References

• An Illustrated Guide to IPSec

Signatures

Signature Development

• Tools for helping in the development of signatures:
  • Universal Pattern Searcher - Looks for common patterns in different datasets
  • Worminator - Win32 tool for easing/automating the process of creating IDS/IPS signatures for SMTP based worms, providing a comfortable GUI, including raw base64 variants and Snort signatures support.

Resources

• You'll find almost everything you need to do IDS/IPS in the Real World in the
  JL Intrusion Detection Resources Page

• Other Useful Resources:

• CIDR table
• ascii table
• CVE List
• CVE - CAN List
• Protocols (nmap)
• Services (nmap)
• RPCs (nmap)

• Capture Files Repositories:

• http://www.cs.ucsb.edu/~rsg/datasets/
• http://www.honeynet.org/scans/
• http://lcamtuf.coredump.cx/mobp/