A user not receiving alerts could be occurring for a few reasons. The main one would be Snort not being configured correctly. In order for Snort to run properly, it requires a set of rules. When first installed Snort provides users with a set of default rules, which can be modified as they see fit. However, when they modify the rules they could potentially disable packet sniffing on certain ports resulting in Snort to miss the alerts (manual snort). During the configuration process users should list all ports that are needed to be scanned.
2. If we only went to a few web sites, why are there so many alerts?
In some instances, Snort has the potential to create false positives. Admin …show more content…
Security Professionals are able to better diagnose the network traffic when there is a more complete history of the system. With the complete history they can look at past vulnerabilities allowing them to form better plans to deal with future attacks. The complete information can also allow for a more targeted response to each incident. The information gathered by Snort can be used in conjunction with your firewall logs and system logs to find the potential attacks before a real problem occurs (Brennan, 2002). Instead of guessing about the vulnerabilities that the system has faced you will know exactly what is after your …show more content…
This rule will send alerts if anyone is bypassing normal authentication, securing illegal remote access to a system, and obtaining access while trying to remain undetected. This would reduce the likelihood of someone gaining access to my high level security network without me knowing about it.
7. If a person with malicious intent were to get into your network and have read/write access to your IDS log or rule set how could they use that information to their advantage?
A person with malicious intent gains access to your rule set and your IDS log would have access to an enormous amount of information. With the knowledge of the rule sets they would know what is being monitored right down to the ports. The IDS log will give them more information on what is actually reported. A malicious attacker will use this information to formulate their plan of attack and avoid the ports which are being monitored by Snort. With read/write access they could even go as far as to change the ports being monitored and alter the IDS log to erase any mention of their presence on your network.
8. An intrusion prevention system can either wait until it has all of the information it needs, or can allow packets through based on statistics (guessed or previously known facts). What are the advantages and disadvantages of each