1. When running Snort IDS why might there be no alerts?
When using Snort IDS, there are several modes that if configured properly, will generate alerts. Alerts are set by the user within the command prompt when initiating a rule set. There are five alerting options available with Snort IDS. According to (Roesch, 1999), Alerts may either be sent to syslog, logged to an alert text file in two different formats, or sent as Win-Popup messages using the Samba smbclient program. If there has been no alerts, the selected rule set was set may not have been enabled by the user. Another scenario where alerts may not occur is when another task is being performed. According to (Roesch, 1999) when alerting is unnecessary …show more content…
What are the advantages and disadvantages of each approach? Advantages of an IPS waiting until it has all the information it needs is that any initial attempts made leading up to a full exploit of your network could be stopped and the attacker would not have any indication on which part of the attempted attack was effective. The disadvantage of waiting until the IPS has what it needs is that packets allowed to get through could possibly create a back door or any additional unexpected damages to the network that could result in future vulnerabilities.
Advantages of an IPS allowing packets through based on statistics is that additional rules could be added to block any traffic attempting to exploit a vulnerability as it occurs. A disadvantage of allowing packets through is the same as allowing packets through until the IPS has what it needs. Packets that get to the network could create additional vulnerabilities.
9. So, the “bad guy” decides to do a Denial of Service on your Intrusion Prevention System.
At least two things can happen, the system can allow all traffic through (without being checked) or can deny all traffic until the system comes back up. What are the factors that you must consider in making this design decision?
One of the factors to consider if all network traffic is allowed to get through is that the network would be