Intrusion Detection
Methods of Detection
The FireRack Intrusion Detection System uses both signature-based and behaviour-based detection methods.
Signature Based Intrusion Detection
The signature-based method uses Snort signatures to identify the use of known exploits. This is very useful for identifying attacks from worms and hackers. Attacks against flaws in Microsoft Windows, such as the RPC-DCOM vulnerability exploited by the Nachi worm, can easily be identified using this method.
Behaviour Based Intrusion Detection
The best example of behaviour-based IDS is "port scan detection". For example, we don't normally expect to see a single host attempting connections to 10+ machines in rapid succession. None of these connections in isolation would be enough to alert us to the threat, but when identified as a pattern, they may be cause for concern.
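The pattern described above can be expressed as a sliding-window count of distinct destination hosts per source. The following is an added example, not FireRack's own code; the function names, the 5-second window and the sample log are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed tuning values: the page says "10+ machines in rapid succession"
# but gives no time window, so WINDOW_SECONDS is an illustrative choice.
DISTINCT_HOST_THRESHOLD = 10
WINDOW_SECONDS = 5.0


def detect_scanners(events, threshold=DISTINCT_HOST_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: first_alert_time} for sources that attempt connections to
    `threshold` or more distinct destination hosts within `window` seconds.

    `events` is an iterable of (timestamp, src_ip, dst_ip), sorted by time.
    """
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs inside the window
    dst_counts = defaultdict(lambda: defaultdict(int))  # src -> dst -> attempts
    alerts = {}
    for ts, src, dst in events:
        q, counts = recent[src], dst_counts[src]
        q.append((ts, dst))
        counts[dst] += 1
        # Expire attempts that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            _, old_dst = q.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        # Repeated attempts to the same host count once: only the spread matters.
        if len(counts) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def constructed_sample():
    """Constructed connection log (documentation addresses, not real traffic)."""
    events = []
    # 203.0.113.7 contacts 12 hosts in 1.2 s -> matches the pattern
    events += [(100.0 + i * 0.1, "203.0.113.7", f"10.0.0.{i + 1}") for i in range(12)]
    # 198.51.100.4 hits one server 30 times quickly -> busy client, not a scan
    events += [(100.0 + i * 0.05, "198.51.100.4", "10.0.0.80") for i in range(30)]
    # 192.0.2.9 contacts 12 hosts, one per minute -> not "rapid succession"
    events += [(100.0 + i * 60.0, "192.0.2.9", f"10.0.1.{i + 1}") for i in range(12)]
    return sorted(events)


if __name__ == "__main__":
    for src, ts in detect_scanners(constructed_sample()).items():
        print(f"port-scan pattern from {src} at t={ts:.1f}")
```

Only the first source is flagged: no single connection is suspicious, and volume alone (the second source) does not trigger the rule, only the spread across hosts within the window.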
Responding to intrusion attempts
FireRack can respond to intrusion attempts in a dynamic manner. Attacking hosts can be instantaneously added to a "Dynamic Group", which can be used as a blacklist. Once blacklisted, all existing connections to or from the offending host are blocked.