Pre-Processors in Intrusion Detection Systems (IDS)
Pre-Processors in Intrusion Detection Systems (IDS)
Pre-Processors in Intrusion Detection Systems (IDS) (e.g. Snort) serve several purposes, including but not limited to:- normalizing network traffic for specific services that Snort uses to monitor packets of interest to ensure that the detection system correctly matches signatures; and to detect non-signature based attack packets or network anomalies that would be potential threats but which are not yet part of the rule sets in the IDS.
Examples of Pre-Processors
1. ARPspoof – This pre-processor detects malicious Address Resolution Protocol (ARP) packets in a network. ARP is used to map IP addresses to MAC addresses. This protocol can be exploited by producing malicious ARP requests, known as ARP spoofing, for sniffing purposes or even DoS attacks. ARPspoof preprocessor in Snort detects these kinds of malicious activities by determining the source and destination addresses and comparing them to the addresses in the ARP message.
2. Portscan2 – This pre-processor is used for anormally detection to prevent network reconnaissance attempts. Portscan2 generates an alert whenever packets in a network are seen (during monitoring via Snort) to have Port destinations that are more than four in less than a minute. Portscan2 can detect vertical portscans, which scan for a range of ports in a single host, and also horizontal portscans that scan for one port on multiple hosts.
Pre-Processors in Intrusion Detection Systems (IDS)
Wiki | thetqweb