DREnet Traffic Analysis: Lessons Learned in the Deployment of an IDS on the DREnet

Authors
  1. Lefebvre, J.
  2. Treurniet, J.
Corporate Authors
Defence Research Establishment Ottawa, Ottawa ONT (CAN)
Abstract
To better understand the needs of intrusion analysts, the SHADOW Intrusion Detection System (IDS) was deployed on the DREnet. All network traffic at the DREnet-Internet border in a 16-day period was collected and analysed using SHADOW, and again analysed by replaying through the Snort IDS. In this report, Snort and SHADOW are compared and the benefits of deploying an ID System are discussed. Some interesting statistics for the period are presented, as well as a full analysis of a half-day of activity, including scans, effects of denial of service attacks, false alarms and misconfigurations. SHADOW filters, customized for use on the DREnet, and scripts developed for the analysis process are included.

A French-language abstract is available here.

Keywords
Network traffic; Electronic security; Information warfare (IW); IDS (Intrusion Detection Systems); Internet; Network security; Denial of service attacks; Information warfare
Report Number
DREO-TM-2001-100 — Technical Memorandum
Date of publication
01 Nov 2001
Number of Pages
56
DSTKIM No
CA021207
CANDIS No
517927
Format(s):
Hardcopy; Microfiche filmed at DSIS; CD ROM
