Chapter 2. Network Traffic Analysis
A network IDS is really just a network sniffer that compares the contents of packets of information traveling the wire to a catalog of signatures that indicate potential malicious activity. A sniffer is a device (formerly very expensive, special-built systems, but now a simple laptop) with a network card that watches traffic between computers and other network-capable devices. This device can do a number of things with this traffic: record, sort, or analyze it.
Because most network security and intrusion detection is based on identifying and interpreting packet data, it’s important to understand how a packet is constructed and how it performs in real-world scenarios. In most cases, you can trust intrusion detection tools such as Snort and their alerts regarding suspicious packets, but there are times when the packet payload must be examined a person rather than a computer program. A careful analysis of a packet is sometimes required to determine if an alert is in fact a real alert or a red herring. Not knowing at least the basics of how computers use the network to communicate makes this task much harder, if not impossible.
This chapter starts with some level-setting discussions about how networks are used by systems to communicate using the TCP/IP suite of protocols. We’ll cover the TCP/IP suite in general and concentrate on TCP in particular. While looking at TCP, we will break down the structure of an individual TCP packet, looking at the different ...
Get Managing Security with Snort & IDS Tools now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.