LAB ASSIGNMENT 12 – Intrusion Detection

 

Part A: Using Distributed IDS Attack Information – DShield (http://www.dshield.org/) is an organization that gathers log files from users around the world and prepares reports from them, so that those users can analyze the reports to determine whether their networks have encountered intrusion attempts.

 

1)     From the front page of DShield, test to see if your computer is “cracked”. What was the result?

 

2)     Which port is listed as the most attacked? What service uses that port? Describe one of the vulnerabilities for this port.

 

3)      Which countries are listed among the top 10 offenders according to the DShield database?

 

Part B: Anomaly-based intrusion detection puts a burden on a network administrator to decide whether an observed deviation from "normal" behavior is severe enough to warrant investigation. Use the user profile from an anomaly-based IDS in the table below to answer the following questions:

 

User   Behavior                   Date   Time
Bob    Network Login              M-F    8:00 a.m. – 9:00 a.m.
       Login to E-mail Account    M-F    8:30 a.m. – 5:00 p.m.
       Login to File Server       M-F    8:30 a.m. – 5:00 p.m.

a.      Describe how you would respond upon receiving an alert notifying you that Bob logged in at 2 p.m. on a Friday and logged off at 7 p.m.

 

b.      Describe two possible causes (one legitimate, one suspicious) for the following series of events: You receive an alert stating that Bob had logged on at 2 a.m. on a Tuesday morning and logged off at 7 a.m. then logged on again at 8:30 a.m. and logged off at 5 p.m.

 

c.      Describe a suitable response to the discovery that the scenario described in part (b) was repeated every day during the previous week.

 

d.      Explain how you could determine whether or not Bob was actually logging on at 2 a.m.
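The profile table above can be turned into detection rules, and questions (a) through (d) are then just different inputs to those rules. The following is an added example, not part of the lab assignment or of any IDS product: it transcribes Bob's profile as time windows, checks a login/logoff pair against them, counts on how many distinct days an anomaly recurred over a week, and makes a triage decision. The source-host field on each session, the sample week of events, and the "five days in a row" escalation threshold are assumptions made for this example; the assignment's profile carries no host information.

```python
"""Rule checks for the anomaly-based IDS profile in Part B (added example)."""
from datetime import datetime, timedelta, time

WEEKDAYS = {0, 1, 2, 3, 4}     # datetime.weekday(): Monday = 0 ... Friday = 4
WORKDAY_END = time(17, 0)       # 5:00 p.m., end of the e-mail and file-server windows

# Bob's profile, transcribed from the assignment table:
# behaviour -> (allowed weekdays, window start, window end)
PROFILE = {
    "network_login":    (WEEKDAYS, time(8, 0),  time(9, 0)),
    "email_login":      (WEEKDAYS, time(8, 30), time(17, 0)),
    "fileserver_login": (WEEKDAYS, time(8, 30), time(17, 0)),
}


def check_event(behaviour, ts, profile=PROFILE):
    """Return (code, detail) pairs for each way one event deviates from the profile."""
    days, start, end = profile[behaviour]
    found = []
    if ts.weekday() not in days:
        found.append(("off_day", "%s on %s" % (behaviour, ts.strftime("%A"))))
    if not (start <= ts.time() <= end):
        found.append(("off_hours", "%s at %s, profile window %s-%s" % (
            behaviour, ts.strftime("%H:%M"),
            start.strftime("%H:%M"), end.strftime("%H:%M"))))
    return found


def check_session(login, logoff, profile=PROFILE):
    """Questions (a) and (b): evaluate one network login/logoff pair."""
    found = check_event("network_login", login, profile)
    if logoff < login:
        found.append(("bad_order", "logoff precedes login"))
    elif logoff.time() > WORKDAY_END or logoff.date() != login.date():
        found.append(("late_logoff", "logoff at %s, after the 17:00 end of the working day"
                      % logoff.strftime("%a %H:%M")))
    return found


def recurrence(sessions, profile=PROFILE, window_days=7):
    """Question (c): on how many distinct days did each anomaly code fire in the window?

    sessions is a list of (login, logoff, source_host) tuples; the host is ignored here.
    """
    if not sessions:
        return {}
    cutoff = max(login for login, _, _ in sessions) - timedelta(days=window_days)
    days_by_code = {}
    for login, logoff, _host in sessions:
        if login < cutoff:
            continue
        for code, _ in check_session(login, logoff, profile):
            days_by_code.setdefault(code, set()).add(login.date())
    return {code: len(days) for code, days in days_by_code.items()}


def triage(sessions, baseline_hosts, profile=PROFILE):
    """Questions (c) and (d): decide what to do with a run of deviating sessions.

    The source host per session is an assumed extra field (the assignment's table has
    none). It is what lets an analyst ask whether "Bob" at 2 a.m. was Bob's own
    workstation or something else presenting his credentials.
    """
    counts = recurrence(sessions, profile)
    flagged = [(login, host) for login, logoff, host in sessions
               if check_session(login, logoff, profile)]
    unknown = sorted({host for _, host in flagged if host not in baseline_hosts})
    daily = counts.get("off_hours", 0) >= 5          # every working day of the week
    if daily and unknown:
        return "escalate: daily off-hours logins from unrecognised host(s) %s" % ", ".join(unknown)
    if daily:
        return "confirm with the user and, if legitimate, extend the profile window"
    if flagged:
        return "investigate the single deviation"
    return "no action"


# --- constructed scenarios (not from the assignment's data) ---------------------------
BOB_HOSTS = {"bob-ws"}   # assumed: the workstation Bob's profiled logins come from


def scenario_a():
    """Friday 8 Mar 2024, login 2 p.m., logoff 7 p.m."""
    return check_session(datetime(2024, 3, 8, 14), datetime(2024, 3, 8, 19))


def scenario_b():
    """Tuesday 5 Mar 2024, login 2 a.m., logoff 7 a.m."""
    return check_session(datetime(2024, 3, 5, 2), datetime(2024, 3, 5, 7))


def scenario_normal():
    """Tuesday 5 Mar 2024, login 8:30 a.m., logoff 5 p.m. (inside the profile)."""
    return check_session(datetime(2024, 3, 5, 8, 30), datetime(2024, 3, 5, 17))


def build_sample_week():
    """Mon 4 Mar - Fri 8 Mar 2024: each day a 2-7 a.m. session from an unrecognised
    host, then Bob's usual 8:30-5:00 session from his workstation."""
    sessions = []
    for day in range(5):
        d = datetime(2024, 3, 4) + timedelta(days=day)
        sessions.append((d.replace(hour=2), d.replace(hour=7), "10.0.9.77"))
        sessions.append((d.replace(hour=8, minute=30), d.replace(hour=17), "bob-ws"))
    return sessions


def sample_week_recurrence():
    return recurrence(build_sample_week())


def sample_week_triage():
    return triage(build_sample_week(), BOB_HOSTS)


if __name__ == "__main__":
    print("(a)", scenario_a())
    print("(b)", scenario_b())
    print("(c)", sample_week_recurrence())
    print("(d)", sample_week_triage())
```

Note that the rules flag the 2 a.m. session only on its login time; the 7 a.m. logoff is inside the working day, so a rule that looked at logoffs alone would miss it. That is why an anomaly profile needs to cover each behaviour separately, and why the host comparison in `triage` (an assumption here) is what turns "Bob logged in" into a question about who actually held the credentials.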

 

Part C: View The Code Room: Breaking Into Las Vegas. http://www.thecoderoom.com/vegas/