Cisco Security Professional's Guide to Secure Intrusion Detection Systems

Successful attacks against enterprise networks typically require a substantial effort on the part of the attacker. Many large organizations realize they have been compromised only after noticing a discrepancy in network activity or in their log files. Once the compromise is known, the network staff may or may not be able to backtrack and identify all of the activity that preceded it. Attacks are typically characterized by three phases of activity:
Reconnaissance
Probing
Exploitation
Reconnaissance involves identifying network address ranges and telephone numbers, performing forward and reverse DNS lookups, and running whois searches to identify potential names and accounts to try on the target systems. Probing involves ping sweeps to identify live hosts and port scans to identify the services active on those hosts. Finally, exploitation of a vulnerability (whether a buffer overflow in a running service or access gained through poor password choices) is the culmination of the attack: it gives the attacker access to the target network.
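The probing phase described above leaves a characteristic footprint: one source sending ICMP echo requests to many hosts (a ping sweep) or TCP SYNs to many ports on one host (a port scan). The following is an added example, not code from the book or from any Cisco product, of the per-source, sliding-window counting a network IDS performs to flag that footprint. The packet fields, the traffic sample and the thresholds (WINDOW, SWEEP_HOST_THRESHOLD, SCAN_PORT_THRESHOLD) are assumptions made for the illustration; the sample also includes a slow probe that stays under the window to show the limit of this style of detection.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Summary of one packet as a sensor might decode it (assumed layout)."""
    ts: float                       # seconds; constructed timestamps
    src: str
    dst: str
    proto: str                      # "icmp" or "tcp"
    dport: Optional[int] = None     # TCP destination port, None for ICMP
    flags: str = ""                 # TCP flags: "S" = SYN, "SA" = SYN/ACK
    icmp_type: Optional[int] = None  # 8 = echo request, 0 = echo reply


# Thresholds are assumptions chosen for this example, not a vendor signature.
WINDOW = 10.0              # seconds of history kept per source
SWEEP_HOST_THRESHOLD = 5   # distinct hosts echo-requested by one source in WINDOW
SCAN_PORT_THRESHOLD = 10   # distinct ports SYN'd on one host by one source in WINDOW


def _prune(events: list, now: float) -> None:
    """Drop (ts, value) events that fall outside the sliding window."""
    while events and now - events[0][0] > WINDOW:
        events.pop(0)


def detect_probing(packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Return alerts as (kind, src, detail); at most one per source or source/target pair."""
    echo_seen = defaultdict(list)   # src -> [(ts, dst)] for echo requests
    syn_seen = defaultdict(list)    # (src, dst) -> [(ts, dport)] for SYNs
    alerts, fired = [], set()
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.proto == "icmp" and p.icmp_type == 8:
            hist = echo_seen[p.src]
            hist.append((p.ts, p.dst))
            _prune(hist, p.ts)
            hosts = {dst for _, dst in hist}
            if len(hosts) >= SWEEP_HOST_THRESHOLD and ("sweep", p.src) not in fired:
                fired.add(("sweep", p.src))
                alerts.append(("ping_sweep", p.src, f"{len(hosts)} hosts in {WINDOW:.0f}s"))
        elif p.proto == "tcp" and "S" in p.flags and "A" not in p.flags:
            # Pure SYNs only: SYN/ACK replies from the target are not probes.
            key = (p.src, p.dst)
            hist = syn_seen[key]
            hist.append((p.ts, p.dport))
            _prune(hist, p.ts)
            ports = {dp for _, dp in hist}
            if len(ports) >= SCAN_PORT_THRESHOLD and ("scan", key) not in fired:
                fired.add(("scan", key))
                alerts.append(("port_scan", p.src, f"{p.dst}: {len(ports)} ports in {WINDOW:.0f}s"))
    return alerts


# Constructed traffic, not a real capture. ATTACKER pings 10.0.0.1-10.0.0.8,
# then SYN-scans 12 ports on TARGET. CLIENT is a legitimate host reconnecting
# to TARGET:443. SLOW probes one port every 15 s, slower than WINDOW, and so
# is missed: a slow scan is the classic evasion of threshold-based detection.
ATTACKER, SLOW, CLIENT, TARGET = "203.0.113.7", "198.51.100.9", "10.0.0.50", "10.0.0.3"
PROBED_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]

SAMPLE_PACKETS = (
    [Packet(t, ATTACKER, f"10.0.0.{t + 1}", "icmp", icmp_type=8) for t in range(8)]
    + [Packet(20 + i, ATTACKER, TARGET, "tcp", dport=port, flags="S")
       for i, port in enumerate(PROBED_PORTS)]
    + [Packet(t, CLIENT, TARGET, "tcp", dport=443, flags="S") for t in (0, 5, 10, 15)]
    + [Packet(40 + 15 * i, SLOW, TARGET, "tcp", dport=port, flags="S")
       for i, port in enumerate(PROBED_PORTS)]
)


def run_sample() -> List[Tuple[str, str, str]]:
    """Run the detector over the constructed sample."""
    return detect_probing(SAMPLE_PACKETS)


if __name__ == "__main__":
    for kind, src, detail in run_sample():
        print(f"ALERT {kind:<10} from {src}: {detail}")
```

Run as written, the sample produces exactly two alerts, both against 203.0.113.7: the ping sweep fires on the fifth distinct host and the port scan on the tenth distinct port. The repeat connections from 10.0.0.50 never count because they hit a single port, and 198.51.100.9 is never flagged because each of its SYNs ages out of the window before the next arrives; lowering WINDOW or the thresholds catches it at the cost of more false positives, which is the trade-off every signature of this type has to make.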
The probing and exploitation phases require active tools to identify available services and potential exploit targets, and it is this activity that intrusion detection systems (IDSs) are designed to identify. By monitoring traffic on the network and inspecting and analyzing packets, the IDS is able to determine whether a network is under attack. If the IDS identifies an attack, it can issue alerts to network and security operations personnel so they can respond appropriately to protect vital corporate...