IDS mailing list archives

Re: IDS Creation


From: Rainer Duffner <rainer () ultra-secure de>
Date: Mon, 29 Mar 2004 21:43:38 +0200

spam2fred wrote:

Hello there guys...

I wonder if someone could help me or redirect me to someplace where I could find help...

I'm supposed to "create" or "assemble" a very simple IDS or NIDS, but all the information I can find on the net is still too complex or even written for those who already have a lot of knowledge about this subject. Maybe any of you could tell me where to find "beginner" material about IDSs.

thanks a lot

I guess the situation is that you are supposed to have a good understanding of how TCP/IP works. Then, an IDS doesn't look very complicated to you, unless you want to understand it on the source-code level, which is not necessary today anymore.

Have you ever watched the recording of a simple TCP/IP session (like fetching http://www.google.com or even better http://ip.on.your.lan) in Ethereal?
Did you understand what you could see?
Have you ever watched the recording of a "not so simple" TCP/IP session (like the download of a small file over active FTP, with different clients)?
Did you understand what you could see?

If you can't answer these questions with yes, then you are probably right: IDSs are way above your knowledge - but that's not the fault of the IDS-documentation then.

IDS is all about TCP/IP flags, fragmentation, segmentation and reassembly of packets and bits - and that's only at the lowest level.

Give yourself time, comb the net for advanced TCP/IP tutorials (beyond "right-click on My Networks...") and buy a good IDS book or two for some historical context. And read "Practical Unix & Internet Security 3rd ed." before that.

Rainer
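Rainer's point that IDS work starts with TCP flags, fragmentation and reassembly, shown as an added Python example that is not part of this thread: it parses constructed IPv4/TCP packets, buffers fragments until the datagram is contiguous, and only then inspects the TCP flag byte, so a SYN+FIN segment is caught even when that byte arrives in a later fragment. The packet builders, addresses and alert strings are assumed test fixtures of my own, not anything from the post.

```python
import struct
from collections import defaultdict
SYN, FIN, MF, OFFMASK = 0x02, 0x01, 0x2000, 0x1FFF

def ipv4(src, dst, ident, flags_frag, payload, proto=6):
    # Constructed test packet: minimal IPv4 header (checksum left zero) + payload
    ip = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, ip(src), ip(dst))
    return hdr + payload

def tcp(sport, dport, flags):
    # Constructed test segment: 20-byte TCP header, no options, no payload
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)

class TinyIDS:
    """Reassembles IPv4 fragments, then inspects the TCP flag byte."""
    def __init__(self):
        self.frags = defaultdict(dict)   # (src, dst, id) -> {offset: (bytes, more)}
        self.alerts = []
    def feed(self, pkt):
        vi, _, total, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        payload = pkt[(vi & 0xF) * 4:total]
        more, offset = bool(ff & MF), (ff & OFFMASK) * 8
        if more or offset:                       # a fragment: buffer until complete
            key = (src, dst, ident)
            self.frags[key][offset] = (payload, more)
            payload = self._reassemble(key)
            if payload is None:
                return
            self.alerts.append(("fragments reassembled", ident))
        if proto == 6:
            self._check_tcp(payload)
    def _reassemble(self, key):
        pos, chunks = 0, []
        for off in sorted(self.frags[key]):      # walk fragments in offset order
            data, more = self.frags[key][off]
            if off != pos:                       # hole: still waiting for data
                return None
            chunks.append(data)
            pos += len(data)
            if not more:                         # last fragment: datagram complete
                del self.frags[key]
                return b"".join(chunks)
        return None
    def _check_tcp(self, seg):
        flags = seg[13]                          # flag byte of the TCP header
        if flags & SYN and flags & FIN:          # never valid in one segment
            self.alerts.append(("SYN+FIN set", flags))
```

A real sensor would add TCP stream reassembly, timeouts and overlap handling on top of this; the point here is only that flag checks must run on the reassembled datagram, not on individual fragments.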

