Differences between revisions 10 and 11
Revision 10 as of 2007-11-23 18:02:54
Size: 1399
Editor: localhost
Comment: converted to 1.6 markup
Revision 11 as of 2012-04-18 20:45:59
Size: 1357
Editor: DanRasmussen
Comment: Fixed typos/grammar

Extrusion detection (aka. ReverseIntrusionDetection) means turning an IntrusionDetectionSystem on its head so it watches for "bad" traffic leaving your network instead of bad traffic entering your network.

See also: ActivePortal, SoftSecurity

Below is a howto posted by TerrySchmidt on how he set up an ExtrusionDetection system on his node:

  1. Grab the latest version of Snort (www.snort.org), currently 1.8p1 (however I'm running 1.7)
  2. Grab the latest ruleset from www.snort.org (there are other snort rulesets available, I haven't determined which one best suits this project's needs).
  3. Whittle down the ruleset to just rules that only create True Positives (not down to an exact science).
  4. Reverse the rules (done in just one place in the Snort configuration file) so that you monitor all traffic coming from your suspected hosts (probably wireless clients) against all the internet hosts.
  5. Set the parameters high enough so you don't get port scan false positives.
  6. Test the setup and monitor the rules for false positives.
  7. After you are satisfied, add Guardian (www.snort.org) which starts blocking IP addresses using ipchains of people triggering alerts. Be careful with the Guardian as you can block legitimate hosts, and even yourself if configured improperly.

(Added by AdamShand)
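The following is an added example, not part of the wiki page and not Terry's configuration, showing what step 4 ("reverse the rules, done in just one place in the Snort configuration file") amounts to. Classic Snort rules are written as $EXTERNAL_NET talking to $HOME_NET, so the reversal is a swap of those two variable bindings rather than a rewrite of every rule. The two rules, the 10.0.0.0/24 wireless client range and the flow records below are constructed for illustration; the small evaluator only understands the rule subset it is given.

```python
"""Toy evaluator for Snort-style rules: the same rules, two variable bindings.

Everything here (rules, 10.0.0.0/24 wireless range, flows) is constructed for
illustration; the real snort.conf uses the same HOME_NET / EXTERNAL_NET names.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Two constructed rules in classic Snort syntax, written the usual way round:
# "outside" ($EXTERNAL_NET) connecting to "inside" ($HOME_NET).
RULES_TEXT = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Telnet connection"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP connection"; sid:1000002;)
"""


@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    sid: int


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


RULE_RE = re.compile(
    r'^alert (\w+) (\S+) (\S+) -> (\S+) (\S+) \(msg:"([^"]*)"; sid:(\d+);\)$'
)


def parse_rules(text: str) -> list[Rule]:
    """Parse the subset of Snort rule syntax used in RULES_TEXT."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line}")
        proto, src, sport, dst, dport, msg, sid = m.groups()
        rules.append(Rule(proto, src, sport, dst, dport, msg, int(sid)))
    return rules


def addr_matches(spec: str, ip: str, variables: dict[str, str]) -> bool:
    """Resolve an address spec: 'any', a CIDR, '$VAR', or '!' negating any of those."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def alerts(flows, variables, rules_text=RULES_TEXT):
    """Return (sid, msg, src, dst) for every rule/flow pair that matches."""
    hits = []
    for rule in parse_rules(rules_text):
        for f in flows:
            if (rule.proto == f.proto
                    and addr_matches(rule.src, f.src, variables)
                    and port_matches(rule.sport, f.sport)
                    and addr_matches(rule.dst, f.dst, variables)
                    and port_matches(rule.dport, f.dport)):
                hits.append((rule.sid, rule.msg, f.src, f.dst))
    return hits


# Conventional intrusion detection: the wireless clients are "home", everything
# else is "external", so the rules fire on connections coming in from the internet.
INTRUSION_VARS = {"HOME_NET": "10.0.0.0/24", "EXTERNAL_NET": "!$HOME_NET"}

# Extrusion detection (step 4): swap the two bindings. The suspect wireless clients
# become the "external" side and every internet host the "home" side being
# protected, so the unchanged rules now fire on connections leaving the node.
EXTRUSION_VARS = {"HOME_NET": "!$EXTERNAL_NET", "EXTERNAL_NET": "10.0.0.0/24"}

# Constructed flows using documentation address ranges, not real hosts.
FLOWS = [
    Flow("tcp", "203.0.113.5", 40000, "10.0.0.7", 23),    # internet -> wireless client, telnet
    Flow("tcp", "10.0.0.7", 51000, "203.0.113.9", 25),    # wireless client -> internet, direct SMTP
    Flow("tcp", "10.0.0.7", 51001, "10.0.0.8", 23),       # client -> client, never leaves the node
    Flow("tcp", "198.51.100.4", 1234, "203.0.113.9", 25), # unrelated internet-to-internet traffic
]

if __name__ == "__main__":
    for label, variables in (("intrusion", INTRUSION_VARS), ("extrusion", EXTRUSION_VARS)):
        print(label, alerts(FLOWS, variables))
```

With the intrusion binding only the inbound telnet flow matches; with the extrusion binding only the wireless client's direct SMTP connection to an internet host matches, and the client-to-client flow matches under neither. That last case is why the swap, rather than setting both variables to "any", is the right reversal: it keeps the rules from firing on traffic that never leaves the node.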


[CategoryDocumentation]

ExtrusionDetection (last edited 2012-04-18 20:45:59 by DanRasmussen)