Intrusion detection using Snort IDS
Quiz
1. Critically analysing the operational priorities and outline of Snort IDS, its ability to deal with threats in a given environment can be hampered by certain features of the system, leaving it unable to detect any threats. These features include the operating system, which controls the operating environment, and the security levels and rules configured on the system. Another factor that may stop the program from detecting a threat is the set of identities defined for possible threats: if the rules separating threats from legitimate clients of the website are too specific, it may be difficult to detect a threat coming from another source or IP configuration (Roberts, 2001).
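The point about over-specific rules can be shown concretely. The following is an added illustration, not part of the quiz and not Snort's own engine: a small Python matcher for a subset of Snort rule syntax (protocol, source address, destination port, `content` and `sid`), run over two constructed packets that carry the same suspicious payload from two different source addresses. The rule bound to one source IP fires only for that host; the same rule written with `any` as the source fires for both. Rule text, SIDs and packets are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Minimal stand-in for a captured packet (constructed for the example).
@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes

# Accepts rules of the form:
#   alert <proto> <src> <sport> -> <dst> <dport> (<options>)
# Only a subset of Snort's rule language is handled here.
RULE_RE = re.compile(
    r'^(?P<action>alert)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)

def parse_rule(text):
    """Parse one rule line into a dict; raises on unsupported syntax."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    opts = {}
    for opt in m.group('opts').split(';'):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(':')
        opts[key.strip()] = value.strip().strip('"')
    return {
        'proto': m.group('proto'),
        'src': m.group('src'),
        'dst': m.group('dst'),
        'dport': m.group('dport'),
        'msg': opts.get('msg', ''),
        'content': opts.get('content', '').encode(),
        'sid': int(opts.get('sid', 0)),
    }

def matches(rule, pkt):
    """Header fields must match ('any' is a wildcard), then the payload must contain the content."""
    if rule['proto'] != pkt.proto:
        return False
    if rule['src'] != 'any' and rule['src'] != pkt.src:
        return False
    if rule['dst'] != 'any' and rule['dst'] != pkt.dst:
        return False
    if rule['dport'] != 'any' and int(rule['dport']) != pkt.dport:
        return False
    return rule['content'] in pkt.payload

def alerts(rules, packets):
    """Return (sid, source address) for every rule that fires on every packet."""
    return [(r['sid'], p.src) for p in packets for r in rules if matches(r, p)]

# Constructed rules: identical content check, differing only in the source address field.
SPECIFIC_RULE = ('alert tcp 10.0.0.5 any -> any 80 '
                 '(msg:"admin probe from known host"; content:"/admin"; sid:1000001;)')
BROAD_RULE = ('alert tcp any any -> any 80 '
              '(msg:"admin probe"; content:"/admin"; sid:1000002;)')

# Constructed traffic: the same payload from two different source hosts.
PACKETS = [
    Packet('tcp', '10.0.0.5', '192.0.2.10', 80, b'GET /admin HTTP/1.1\r\n'),
    Packet('tcp', '10.0.0.9', '192.0.2.10', 80, b'GET /admin HTTP/1.1\r\n'),
]

if __name__ == '__main__':
    print('specific:', alerts([parse_rule(SPECIFIC_RULE)], PACKETS))
    print('broad:   ', alerts([parse_rule(BROAD_RULE)], PACKETS))
```

The specific rule reports only the packet from 10.0.0.5 and stays silent on the identical request from 10.0.0.9; the broad rule reports both. Narrowing the source address is appropriate when the rule is meant to track one known host, but a rule intended to catch the behaviour itself should match on the content and leave the header fields wide.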
2. If Snort IDS is run across a range of systems, the threats detected may vary from a few to a very large number depending on each system's operating environment. For example, if a system's security levels are high, the number of threats detected may be very high. Likewise, if the environment is very vulnerable to intrusion, Snort IDS will detect a great many threats from the possible intrusion sources. Secondly, the sources of threats defined for the individual websites and in Snort IDS may span a very wide spectrum, making the number of threats detected very large (Roberts, 2001).
3. Once many threat warnings are logged in the system, the number of threats detected is greater than when only a few warnings are logged. Logging many threats therefore increases the security of the system and helps reduce the number of threats that could lead to an unnoticed intrusion (Roberts, 2001).
4. On the other hand, logging a lot of information in the threats file raises the security levels too high and makes the website slow to access. This may result in poor website usability and many denied privileges, making the website very complicated to use. Also, a lot of security information may be leaked if someone gains access to the threats file, giving that intruder more information on how to subvert the security of the website (Roberts, 2001).
5. The main advantage of using rule sets from the Snort website is the ease of removing or resetting them once security is compromised. The security of the website can also be easily monitored online, and the necessary recommendations and adjustments can be made to adapt the rules to a particular system (Roberts, 2001).
6. The type of Snort rule I most like to include in high-security systems is the header rule. This rule has over seven security levels, all designed to capture warnings at different levels. Since Snort IDS uses the intruder's signature, and every header must contain a sender signature including the IP/TCP address, this rule is able to detect almost all threats to a website. Also, the latest version of Snort IDS can detect threats even in layer 4 of a message encoded in a seven-layer protocol (most commonly IP/TCP) (Roberts, 2001).
7. Once an intruder is able to obtain read/write permission on any system, that person effectively has administrator privileges and can therefore change the whole configuration, the access permissions and the passwords in the system. Thus, an intruder with these privileges can do virtually anything on the system and alter all of its security levels, which allows him/her to access any resource in the network or any information in the database and use it for any purpose (Roberts, 2001).
8. A system that waits for all the information it requires before making a decision may be slow, but in real terms it offers better security because no assumptions are made. Secondly, such a system is less prone to hacking. A system that makes assumptions about data packets based on statistics, by contrast, is much more prone to hacking; unlike the waiting system, however, it is fast and therefore readily accessible (Roberts, 2001).
9. The main factor to consider for any website is security. If there is no threat detection service for a website, other measures must be put in place to ensure security. Some of the factors to consider are the intended number of users, the confidentiality of the data stored on or accessible through the website, and the level of security to be provided for the stored information (Roberts, 2001).
10. The most important part of this lab was network threat detection using Snort IDS. This was quite complicated, though with time I came to understand what it was all about. To improve it, I would recommend more practical sessions and further elaboration, including sub-topic assessment (Roberts, 2001).