Intrusion Detection Systems

Question 1

What is an Intrusion Detection System (IDS)?

Answer 1

A security mechanism designed to detect unauthorized access, misuse, or attacks on a network or system.

Question 2

What are the two main types of IDS?

Answer 2

1. Host-Based IDS (HIDS): Monitors activity on individual devices.
2. Network-Based IDS (NIDS): Monitors traffic across a network.

Question 3

What are the primary functions of IDS?

Answer 3

Detecting malicious activity.
Logging details of detected incidents.
Alerting administrators to take action.

Question 4

What is signature-based detection in IDS?

Answer 4

Detecting attacks by matching traffic against known attack patterns (signatures).

Question 5

What is anomaly-based detection in IDS?

Answer 5

Identifying deviations from normal behavior to detect unknown attacks.

Question 6

How does behavioral detection work in IDS?

Answer 6

Observes and profiles normal behavior patterns, triggering alerts when deviations occur.

Question 7

How do rule-based alerts work in IDS?

Answer 7

Predefined rules trigger alerts when conditions are met, such as specific packet content or protocol violations.

Question 8

Interpret the example rule:
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any
(msg:”SHELLCODE Linux shellcode”; content:”|90 90 90 E8 C0 FF FF FF|/bin/sh”; classtype:shellcode-detect; sid:652; rev:9;)

Answer 8

Detects Linux shellcode targeting the home network using a specific signature.

Question 9

What are the main challenges faced by IDS?

Answer 9

High false-positive rates.
Inability to detect new threats without updated signatures.
Resource-intensive processing.

Question 10

How can attackers evade IDS?

Answer 10

Packet fragmentation.
Encryption to hide payloads.
Flooding IDS with benign traffic to mask attacks.

Question 11

What is a botnet?

Answer 11

A collection of compromised machines (bots) under the control of a botmaster, used for attacks like DDoS or spam.

Question 12

How do botnets communicate?

Answer 12

Bots “phone home” to the C&C infrastructure for instructions and updates.

Question 13

What is domain fluxing in botnets?

Answer 13

A technique where bots generate random domain names to find their C&C server, making detection and blocking harder.

Question 14

How can ethical actors perform botnet takeovers?

Answer 14

Predict and register future C&C domains, intercepting bot communication without sending harmful commands.

Question 15

What ethical guidelines should be followed during a botnet takeover?

Answer 15

Do no harm.
Avoid altering bot configurations.
Collaborate with ISPs and law enforcement.

Question 16

What data was collected during botnet monitoring?

Answer 16

Over 70GB of data in 10 days, providing insights into botnet operations.

Question 17

What are the benefits of using IDS in networks?

Answer 17

Early detection of attacks.
Comprehensive logging of suspicious activities.
Enhanced incident response capabilities.

Question 18

How can IDS be integrated with other security tools?

Answer 18

IDS can complement firewalls, antivirus software, and SIEM systems for holistic security.