Advanced intrusion detection – SnapGear 2.0.1 User Manual


Intrusion Detection


Advanced Intrusion Detection

Advanced Intrusion Detection is based on the tried and tested Snort v2 IDS. It is able to
detect attacks by matching incoming network data against defined patterns or rules.

Advanced Intrusion Detection utilizes a combination of methods to perform extensive IDS
analysis on the fly. These include protocol analysis, inconsistency detection, historical
analysis and rule-based inspection engines. Advanced Intrusion Detection can detect
many attacks by checking the destination port number and TCP flags and by doing a simple
search through the packet's data payload. Rules can be quite complex; for example, a rule
can trigger only when one criterion matches and another fails. Advanced Intrusion
Detection can also detect malformed network packets and protocol anomalies.

Advanced Intrusion Detection can detect attacks and probes such as buffer overflows,
stealth port scans, CGI attacks, NetBIOS SMB probes, OS fingerprinting attempts and
many other common and not so common exploits.
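The following is an added illustration of the rule-based inspection described above; it is not part of the SnapGear product or of Snort itself. It implements a deliberately small subset of the Snort rule language (header with protocol and destination port, plus the msg, sid, flags and content options, including negated content and |hex| bytes) and runs three rules over a handful of constructed packets: a CGI probe, a NetBIOS SMB probe and a NULL-flag stealth scan. The rule texts and packets are examples written for this demonstration.

```python
"""Simplified Snort-style rule matching (illustrative example, not Snort's engine).

Supported subset of the rule language:
    <action> <proto> <src> <sport> -> <dst> <dport> (msg:"..."; flags:..; content:".."; sid:N;)
Packets are plain dicts constructed inline; the rules are examples written for this demo.
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*\S+\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    dport: str                 # "any" or a port number
    msg: str = ""
    sid: int = 0
    flags: str = ""            # "" means the rule does not test flags
    contents: list = field(default_factory=list)   # (negated, pattern_bytes)


def decode_content(val: str) -> bytes:
    """Snort writes binary bytes as |FF 53|; segments alternate text / hex."""
    out = b""
    for i, seg in enumerate(val.split("|")):
        out += seg.encode() if i % 2 == 0 else bytes.fromhex(seg)
    return out


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = Rule(m["action"], m["proto"].lower(), m["dport"])
    for opt in m["opts"].split(";"):          # assumes no ';' inside quoted values
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip()
        if key == "msg":
            rule.msg = val.strip('"')
        elif key == "sid":
            rule.sid = int(val)
        elif key == "flags":
            rule.flags = val
        elif key == "content":
            negated = val.startswith("!")     # content:!"..." means "must NOT appear"
            rule.contents.append((negated, decode_content(val.lstrip("!").strip().strip('"'))))
    return rule


def parse_rules(texts):
    return [parse_rule(t) for t in texts]


def flags_match(spec: str, pkt_flags: str) -> bool:
    """flags:S matches SYN only; flags:S+ matches SYN plus anything; flags:0 matches no flags."""
    if not spec:
        return True
    if spec == "0":
        return pkt_flags == ""
    wanted, have = set(spec.rstrip("+")), set(pkt_flags)
    return wanted <= have if spec.endswith("+") else wanted == have


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "any" and pkt["proto"] != rule.proto:
        return False
    if rule.dport != "any" and pkt["dport"] != int(rule.dport):
        return False
    if not flags_match(rule.flags, pkt.get("flags", "")):
        return False
    payload = pkt.get("payload", b"")
    for negated, pattern in rule.contents:
        found = pattern in payload
        if found == negated:       # present-but-forbidden, or required-but-absent
            return False
    return True


def run_rules(rules, packets):
    """Return (packet_index, sid) for every rule that fires on every packet."""
    return [(i, r.sid) for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]


# Example rules (constructed for this demo, not a shipped rule set).
RULES = [
    'alert tcp any any -> any 80 (msg:"CGI probe"; content:"/cgi-bin/"; content:!"/cgi-bin/status"; sid:1;)',
    'alert tcp any any -> any 139 (msg:"NetBIOS SMB probe"; flags:PA; content:"|FF|SMB"; sid:2;)',
    'alert tcp any any -> any any (msg:"Stealth NULL scan"; flags:0; sid:3;)',
]

# Constructed sample packets: proto, destination port, TCP flag letters, payload bytes.
PACKETS = [
    {"proto": "tcp", "dport": 80,  "flags": "PA", "payload": b"GET /cgi-bin/phf HTTP/1.0\r\n"},
    {"proto": "tcp", "dport": 139, "flags": "PA", "payload": b"\x00\x00\x00\x2f\xffSMBr\x00"},
    {"proto": "tcp", "dport": 22,  "flags": "",   "payload": b""},
    {"proto": "tcp", "dport": 80,  "flags": "PA", "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"proto": "tcp", "dport": 80,  "flags": "S",  "payload": b""},
    {"proto": "tcp", "dport": 80,  "flags": "PA", "payload": b"GET /cgi-bin/status HTTP/1.0\r\n"},
]

if __name__ == "__main__":
    for idx, sid in run_rules(parse_rules(RULES), PACKETS):
        print(f"packet {idx}: rule sid {sid} fired")
```

Packets 0, 1 and 2 each fire exactly one rule; packet 5 shows the "one criterion matches but another fails" case, since "/cgi-bin/" is present but the negated content forbids the benign "/cgi-bin/status" path, and packet 4 (a lone SYN) is ordinary traffic that no rule claims.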

Typically, Advanced Intrusion Detection will be configured to log intrusion attempts to a
remote database server, which in turn will run an analysis console. An analysis console,
such as ACID (Analysis Console for Intrusion Databases), is an application purpose-built
for analyzing this log output.
