1. When running Snort IDS why might there be no alerts?
There are couple reasons when running Snort IDS there might be no alerts. The first one could be related to settings because the administrator has to set Snort IDS to its optimum settings in order to get any alerts. Since Snort works by ruleset, it can be mistakenly set up to a port other than what the network is using. The mistake can be done by either keeping the Snort default settings, or when users try to adjust them to their own network requirements. The point is when changing Snort default settings to rules other than what the website provided, the administrator might have disabled a packet sniffing on a specific port …show more content…
There are some general SQL injection rules that work pretty well to catch most of Web-SQL-Injection attacks. But these rules are much more specific to apps and web servers.
7. If a person with malicious intent were to get into your network and have read/write access to your IDS log or rule set how could they use that information to their advantage?
If a person with malicious intents gets a read/write access to an IDS log and/or rule set, would have the same right as an administrator, therefore having the right to modify, adjust and re-write rules, in order to be able to lunch new attacks on the network. Also the person can adjust the ruleset to have his identity not being capture by the IDS. This can be done by altering for example ports that should be used for packet sniffing and intrusion detection, giving him a perfect map for future attacks on the network. Worst he can disable the IDS.
8. An intrusion prevention system can either wait until it has all of the information it needs, or can allow packets through based on statistics (guessed or previously known facts). What are the advantages and disadvantages of each approach?
Stops trigger packets
Can use stream normalization techniques
Sensor issues might affect network traffic