QUESTION

This week's discussion posting is designed to augment the information taught as part of the network forensics lecture. The lecture introduced you to packets, packet capture software options, and filtering, as well as network traffic file carving.

One area we regrettably don't have much time to cover in the course, but I feel you should have at minimum an understanding of prior to graduating with a degree in cyber security is intrusion detection systems and how to write signatures to detect malicious network traffic. 

For those of you who are unfamiliar with IDS systems, please take a few minutes to read this SANS paper that explains the differences between HIDS and NIDS.

For this discussion board, I want you to do some research on Suricata, Bro (now called Zeek), Snort, and Security Onion. What similarities did you observe in these tools and their functionality? Do you think one of these would perform better than another and if so, why or under what circumstance? How do you add a rule to the IDS? What happens once a rule has been triggered? What is the structure and syntax for, let's say, a Snort rule? Provide an example of a Snort rule, then explain what it is searching for in the network traffic. Provide two sources with citations.

Discussion:

_________________________________________________

Write a response for 100 words.

Suricata and Snort are both capable of intrusion detection and intrusion prevention, whereas Zeek is just used for monitoring network traffic and cannot prevent any attacks in real time. Zeek can only alert security personnel of anomalies so that they can take some action. Suricata and Snort would be better to use in a network as they can both detect and actively prevent any threats. Security Onion is a Linux intrusion detection distribution based on Ubuntu and contains Snort, Suricata and Bro, also known as Zeek. Security Onion is simple to use and good for a small network.

The way to import rules in Snort is to first download all the Snort rules you will be using. In Snort you can click the SNORT Rules tab, select files to import in Import SNORT Rules, then go to the downloaded Snort rules file with the rules, select it and then click on Add. When an IDS rule is triggered it gets logged and the appropriate security personnel are notified in the form of an alert.

Example of a SNORT rule: log tcp !192.168.0.0/24 any -> 192.168.0.33 any (msg:"mounted access";)
The above rule simply says to log any TCP communication happening from 192.168.0.0/24 to 192.168.0.33 in one direction, and to display the message mounted access in the log.

Response:
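As an added illustration (not part of the question or the student's post), the following Python code parses the Snort rule header discussed above into its parts (action, protocol, source address and port, direction, destination address and port, options) and checks a flow against that header, including the "!" negation the post's rule uses. The sample rules are constructed; the first is the post's rule with a full CIDR, a destination port and the sid/rev options Snort expects added.

```python
import ipaddress
import re

# Constructed sample rules (not from the page). The first is the post's rule
# with a full CIDR, a destination port and sid/rev options added.
RULES = [
    'log tcp !192.168.0.0/24 any -> 192.168.0.33 any (msg:"mounted access"; sid:1000001; rev:1;)',
    'alert tcp any any -> 192.168.0.33 111 (msg:"rpc portmap request"; sid:1000002; rev:1;)',
]

# Header layout: action proto src_addr src_port direction dst_addr dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Split a Snort rule into its header fields plus a dict of its options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a valid Snort rule: " + text)
    rule = m.groupdict()
    options = {}
    for item in rule.pop("opts").split(";"):
        item = item.strip()
        if item:  # msg:"..." -> key msg, value without the quotes
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    rule["options"] = options
    return rule

def _in_net(spec, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _field_matches(spec, value, test):
    """Match one header field: 'any', a plain value, or a '!'-negated value."""
    if spec == "any":
        return True
    return test(spec.lstrip("!"), value) != spec.startswith("!")

def rule_matches(rule, src, sport, dst, dport):
    """Does the flow src:sport -> dst:dport match the header? Payload options are not evaluated."""
    def one_way(s, sp, d, dp):
        return (_field_matches(rule["src"], s, _in_net)
                and _field_matches(rule["sport"], sp, lambda a, b: int(a) == b)
                and _field_matches(rule["dst"], d, _in_net)
                and _field_matches(rule["dport"], dp, lambda a, b: int(a) == b))
    return one_way(src, sport, dst, dport) or (rule["dir"] == "<>" and one_way(dst, dport, src, sport))
```

Note that because of the leading "!", the first rule logs TCP traffic to 192.168.0.33 only when the source is outside 192.168.0.0/24; a real sensor would additionally evaluate payload options such as content before firing.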
