Detection Software
Matt Gustafson
Becky Smith
CS691 Semester Project
Spring 2003
♦ Intrusion Detection Systems are used to
discover "attempts to compromise the confidentiality,
integrity, and availability… of a computer or
network.” (Bace, p.5)
Syntax:
<action> <protocol> <src IP/mask> <port> -> <dest IP/mask> <port> (msg: <alert message>; content: "search packet for"; ... etc)
Some of the Rules We Wrote
A Scan Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags: A; ack: 0; tag: host, 500, packets, src; msg: "NMAP TCP ping";)
A Local Rule:
pass tcp $HOME_NET any -> 128.198.1.250 53 (msg: "DNS zone transfer – Transfer uccs.edu domain"; flags: A+; content: "|00 00 FC|"; offset: 13; reference: arachnids,212; classtype: attempted-recon; sid: 255; rev: 5;)
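As an added example (not part of the project's slides or of Snort itself), a small Python parser for the rule layout shown above, which splits the header from the option list and honours semicolons inside quoted values. The two sample rules are the slide's rules, with the local rule's closing quote restored and the reference spelled arachnids.

```python
import re

# Added example, not code from the slides: a parser for the Snort rule layout
# <action> <proto> <src> <sport> -> <dst> <dport> (opt: val; opt: val; ...)
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)

def split_options(body):
    """Split 'k: v; k2: v2;' on semicolons that sit outside double quotes."""
    opts, buf, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if in_quote:  # e.g. a msg whose closing quote was dropped
        raise ValueError("unbalanced double quote in rule options")
    if buf.strip():  # Snort requires every option to end with ';'
        raise ValueError("option not terminated by ';': %r" % buf.strip())
    return opts

def parse_rule(text):
    """Return the header fields plus an ordered list of (keyword, value)."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("malformed rule header")
    rule = {k: m.group(k) for k in
            ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["options"] = []
    for opt in split_options(m.group("opts")):
        key, _, val = opt.partition(":")
        rule["options"].append((key.strip(), val.strip().strip('"')))
    return rule

def option(rule, key):
    """First value for an option keyword, or None if the rule lacks it."""
    return next((v for k, v in rule["options"] if k == key), None)

# The two rules from the slides (constructed sample input for this example).
SCAN_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
             '(flags: A; ack: 0; tag: host, 500, packets, src; msg: "NMAP TCP ping";)')
LOCAL_RULE = ('pass tcp $HOME_NET any -> 128.198.1.250 53 (msg: "DNS zone transfer - '
              'Transfer uccs.edu domain"; flags: A+; content: "|00 00 FC|"; offset: 13; '
              'reference: arachnids,212; classtype: attempted-recon; sid: 255; rev: 5;)')
```

Feeding a rule with a missing closing quote (the defect the local rule had before correction) raises ValueError instead of silently swallowing the remaining options.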
IDS Responses to Detection