Snort - the de facto standard for intrusion detection/prevention
Next: 5.16 How can I Up: 5 Getting Fancy Previous: 5.14 What are some

5.15 How do I understand this traffic and do IDS alert analysis?

  1. You'll need to understand some basics of IP, TCP, and UDP. Things like destination addresses, source addresses, common ports, what TCP SYN, FIN and RST mean, etc. The same kind of basic knowledge of the internet you need to successfully configure a multi-interface router applies here, although you don't need to know router syntax. Some useful online references:
  2. You'll need to understand some basics of how network attacks work. I'd recommend skimming over "Smashing the Stack for Fun and Profit" by Aleph One. A deep understanding isn't necessary, but a casual read of it will give you some helpful basics for understanding the kinds of things that happen in an attack, and a better idea of what to look for.

    http://www.insecure.org/stf/smashstack.txt

  3. A good guide on securing systems is helpful, something like this one:

    http://www.openna.com/products/books/sol/solus.php

    http://www.seifried.org/lasg/

  4. You'll need to understand the basics of internet servers, i.e. what DNS, HTTP, FTP, SMTP, etc. are for. Most of that should be covered in the various other references made here.
  5. An excellent reference on "oddball" traffic patterns commonly seen at network borders, also very helpful:

    http://www.robertgraham.com/pubs/firewall-seen.html

  6. Also take a look at the "Recommended Reading" section (see FAQ [*])
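The fields item 1 tells you to learn (source and destination addresses, ports, and the SYN/FIN/RST flags) are exactly what you read off a packet when triaging an alert. As an added example that is not part of the Snort FAQ, the Python below decodes those fields from a raw IPv4/TCP packet and labels the flag combination, including the "oddball" ones from item 5 such as SYN+FIN or no flags at all; the packet builder and the addresses in it are constructed test data, not captured traffic.

```python
import struct

# TCP flag bits, in the order they sit in the header (RFC 793).
FLAG_NAMES = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
              "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull out the fields an analyst reads first: addresses, ports, TTL, flags."""
    (ver_ihl, _tos, _tot_len, _ident, _frag, ttl, proto,
     _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4                  # IP header length in bytes
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    bits = off_flags & 0x1FF                    # low 9 bits carry the flags
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "ttl": ttl,
            "flags": {n for n, m in FLAG_NAMES.items() if bits & m}}


def classify(flags: set) -> str:
    """First-pass label for a flag combination, as used in alert triage."""
    if not flags:
        return "anomalous: no flags set (null packet)"
    if {"SYN", "FIN"} <= flags:
        return "anomalous: SYN+FIN is not a valid combination"
    if "RST" in flags:
        return "reset (RST)"
    if "SYN" in flags:
        return "connection accepted (SYN/ACK)" if "ACK" in flags else "connection attempt (SYN)"
    if "FIN" in flags:
        return "close (FIN)"
    return "established traffic (ACK)"


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal IPv4+TCP header pair (checksums zeroed) for offline tests."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    pkt = build_packet("192.0.2.10", "198.51.100.80", 40000, 80, FLAG_NAMES["SYN"] | FLAG_NAMES["FIN"])
    fields = parse_ipv4_tcp(pkt)
    print(fields["src"], "->", fields["dst"], fields["dport"], classify(fields["flags"]))
```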

