The network has been receiving quite a lot of inbound traffic, and although you have been given instructions to keep the network open, you want to know what is going on. You have decided to implement an Intrusion Detection System. You bring this up at the next meeting.
"After looking at our current network security, and the network traffic we are dealing with, I recommend that we implement an Intrusion Detection System," you begin.
"We don't have any more budget for security equipment, it will have to wait until next year." This is the reply from the CEO that you were anticipating.
"I realize that the budget is tight, but this is an important part of setting up security." You continue, "If I cannot properly identify all the network traffic, and have a system in place to respond to it, we might not know about an incident until after our information is found for sale on the open market." As expected, your last comment got the group thinking.
"What about false alarms?" asks the VP of sales, "I hear those things are always going off, and just end up wasting everyone" time."
"Tha's a fair concern, but it is my concern. When we implement the system, I will fine tune it and adjust it until the alarms it generates are appropriate, and are generated when there is legitimately something to be concerned about. We are concerned with traffic that would indicate an attack; only then will the system send me an alert."
For a few minutes there was talk back and forth in the room, and then the CEO responds again to your inquiry, "I agree that this type of thing could be helpful. But, we simply don have any more budget for it. Since it is a good idea, go ahead and find a way to implement this, but don't spend any money on it."
With this information, and your knowledge of MegaCorp, choose the answer that will provide the best solution for the IDS needs of MegaCorp:}
A. You install Snort on a dedicated machine just inside the router. The machine is designed to send alerts to you when appropriate. You do have some concern that the system will have too many rules to operate efficiently. To address this, you decide to pull the critical rules out of the built-in rule sets, and create one simple rule set that is short and will cover all of the serious incidents that the network might experience.
alert udp any 19 <> $HOME_NET 7 (msg:"DOS UDP Bomb"; classtype:attempted-dos; sid:271;
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; id:242;
classtype:attempted-dos; sid:270; rev:1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; id: 678; itype: 8; content: "1234";
classtype:attempted-recon; sid:221; rev:1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8;
classtype:attempted-recon; sid:469; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS";flags:SRAFPU; classtype:attempted-recon; sid:625; rev:1;) alert tcp $HOME_NET 31337 -> $EXTERNAL_NET 80 (msg:"SCAN synscan microsoft"; id: 39426; flags: SF; classtype:attempted-recon; sid:633; rev:1;)
B. You install your IDS on a dedicated machine just inside the router. The machine is designed to send alerts to you when appropriate. You begin the install by performing a new install of Windows on a clean hard drive.
You install ISS Internet Scanner and ISS System Scanner on the new system. System Scanner is configured to do full backdoor testing, full baseline testing, and full password testing. Internet Scanner is configured with a custom policy you made to scan for all vulnerabilities. You configure both scanners to generate automatic weekly reports and to send you alerts when an incident of note takes place on the network.
C. You configure a new dedicated machine just outside the router and install Snort on that machine. The machine logs all intrusions locally, and you will connect to the machine remotely once each morning to pull the log files to your local machine for analysis.
You run snort with the following command: Snort ev \snort\log snort.conf and using the following rule base:
Alert tcp any any <> any 80 Alert tcp any any <> 10.10.0.0\16 any (content: "Password"; msg:"Password transfer Possible";) Log tcp any any <- 10.10.0.0\16 23 Log tcp any any <> 10.10.0.0\16 1:1024
D. You install two computers to run your IDS. One will be a dedicated machine that is on the outside of the router, and the second will be on the inside of the router. You configure the machine on the outside of the router to run Snort, and you combine the default rules of several of the built-in rule sets. You combine the ddos.rules, dos.rules, exploit.rules, icmp.rules, and scan.rules.
On the system that is inside the router, running Snort, you also combine several of the built-in rule sets. You combine the scan.rules, web-cgi.rules, ftp.rules, web-misc.rules, and web-iis.rules. You configure the alerts on the two systems to send you email messages when events are identified. After you implement the two systems, you run some external scans and tests using vulnerability checkers and exploit testing software. You modify your rules based on your tests.
E. You install Snort on a dedicated machine just outside the router. The machine is designed to send alerts to you when appropriate. You implement the following rule set:
Alert udp any any -> 10.10.0.0\16 (msg: "O\S Fingerprint Detected"; flags: S12;) Alert tcp any any -> 10.10.0.0\16 (msg: "Syn\Fin Scan Detected"; flags: SF;) Alert tcp any any -> 10.10.0.0\16 (msg: "Null Scan Detected"; flags: 0;) Log tcp any any -> 10.10.0.0\16 any
You then install Snort on the web and ftp server, also with this system designed to send you alerts when appropriate. You implement the built-in scan.rules ruleset on the server.