468 Chapter 7 • Topologies and IDS
EXERCISE 7.02
INSTALL A HONEYPOT
1. KFSensor is a Windows-based honeypot IDS that can be downloaded as a demo from www.keyfocus.net/kfsensor/.
2. Fill out the required information for download.
3. Once the program downloads, accept the install defaults and allow the program to reboot the computer to finish the install.
4. Once installed, the program will step you through a wizard process that will configure a basic honeypot.
5. Allow the system to run for some time to capture data. The program will install a sensor in the program tray that will turn red when the system is probed by an attacker.
Judging False Positives and Negatives
As mentioned earlier, understanding the state of an IDS is very important. To be an effective tool, an IDS must be configured properly. A false positive is a triggered event that did not actually occur, which may be as innocuous as the download of a signature database (downloading an IDS signature database may trigger every alarm in the book) or some unusual traffic generated by a networked game. False positives have a significant impact on the effectiveness of an IDS sensor. If a significant number of false positives is being generated, the perceived urgency of an alert may be diminished by the fact that numerous events are triggered on a daily basis that turn into wild goose chases. In the end, all the power of an IDS is ultimately controlled by a single judgment call on whether or not to take action.
More dangerous, however, is the possibility of a false negative, which is the failure to be alerted to an actual event. This would occur in a failure of one of the key functional units of a NIDS. False negatives can occur because of misconfigurations, or when an attacker modifies the attack payload in order to subvert the detection engine.
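The following Python sketch is an added example (not from the book or from KFSensor) that scores a toy signature detector against a handful of constructed, pre-labelled events: a rule-file download that carries the signature text (a false positive) and the same attack request sent URL-encoded (a false negative). The signatures, host names and event strings are all invented for the illustration; the point is that tuning (decoding before matching, suppressing the trusted update source) changes the counts, not the sensor.

```python
from collections import Counter
from urllib.parse import unquote

# Toy signature set and a trusted update source, constructed for this example.
SIGNATURES = ["/bin/sh", "../../"]
TRUSTED_UPDATE_HOSTS = {"sigupdates.example.net"}  # assumed, not a real host

# Constructed, labelled events: (source host, raw data seen on the wire, is_attack)
EVENTS = [
    ("client1.example.net", "GET /index.html HTTP/1.1", False),
    ("10.0.0.7", "GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.1", True),
    # Same request with the payload URL-encoded; a raw substring match misses it.
    ("10.0.0.7", "GET /cgi-bin/test.cgi?cmd=%2Fbin%2Fsh HTTP/1.1", True),
    # Signature-database download: the rule text itself contains the pattern.
    ("sigupdates.example.net", 'alert tcp any any -> any 80 (content:"/bin/sh";)', False),
    ("gameserver.example.net", "LOBBY state=0x7f3a ping=23", False),
]


def naive_detector(host, data):
    """Raw substring match: no decoding and no awareness of where data came from."""
    return any(sig in data for sig in SIGNATURES)


def tuned_detector(host, data):
    """Decode URL encoding before matching (cuts the false negative) and suppress
    alerts from the trusted signature-update host (cuts the false positive).
    Suppression is a deliberate trade-off: traffic from that host is now unwatched."""
    if host in TRUSTED_UPDATE_HOSTS:
        return False
    return any(sig in unquote(data) for sig in SIGNATURES)


def evaluate(detector, events=EVENTS):
    """Return TP/FP/FN/TN counts for a detector over labelled events."""
    counts = Counter()
    for host, data, is_attack in events:
        alerted = detector(host, data)
        if alerted:
            counts["TP" if is_attack else "FP"] += 1
        else:
            counts["FN" if is_attack else "TN"] += 1
    return counts


if __name__ == "__main__":
    for name, det in (("naive", naive_detector), ("tuned", tuned_detector)):
        print(name, dict(evaluate(det)))
```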
www.syngress.com