Security+ Lesson5

Network analyzer captures and analyzes network traffic. It can read packet headers to determine traffic patterns or view protocol information in depth. It is also known as a packet analyzer or protocol analyzer.

You have implemented IDS as intrusion detection systems are fundamentally passive monitoring systems designed to keep administrators aware of malicious activity: they can record detected intrusions in a database and send alert notifications, but they rely on humans to take action. IDS will never delay or interrupt traffic due to a false positive.

The severity level is an essential concept for event logging in general. Syslog defines eight levels, ranging from emergency messages about severe error conditions to detailed information on everyday activities that can be used to troubleshoot application functions. The warning is an error or a problem condition that is immediately harmless or correctable but might need user review.

Correlation analyzes aggregated events to find useful data that might need additional human review. Correlation engines work by finding relationships and trends within a large volume of events, filtering out irrelevant data, and highlighting what is most likely to be of interest to administrators. For example, if an unfamiliar application is linked to a known-bad IP address, it becomes more suspect even if nothing is obviously wrong with it.

Object Identifier (OID) is a unique number corresponding to an object property that can be monitored on a managed device. For example, on a switch, the up or down status of a particular interface might be an object, as would be its rate of incoming traffic. (The actual value of an object is called a variable.)

The tail command retrieves and displays the last part of a file. The following command will display the last 30 lines of a file named logfile2.txt:

tail -n 30 logfile2.txt

Forward proxies mediate communications between LAN clients and internet servers but require client-side configuration. They’re often used on small but heavily secured networks.

A honeypot system is designed to be attractive and accessible to attackers. It might be completely open, or it might have an outwardly reasonable but flawed or inadequate level of security. In truth, it’s a decoy: the honeypot has no useful resources, and it’s isolated from the rest of the network (in a DMZ, for example) so that compromising it won’t even be useful for mounting an inside attack. Instead, it’s monitored to gather information on attackers without actually risking the consequences of an attack on real systems or other network locations. More sophisticated decoys live right among functional systems and files, but since legitimate users never access them, unexpected communications are automatically suspicious.