#1
What is intrusion detection? What are the different algorithms and where can I find them?
I am a student of BS(CS) and have to do a project for networking and data communications. Can you give me any ideas to work on? I would like to work on network security, so any ideas in this regard would be appreciated.
#2
Perhaps this is a good place to start: http://searchsecurity.techtarget.co...i295031,00.html
#3
Before you can learn network security you need to learn networking in general: how protocols work and what vulnerabilities lie within them, as well as operating systems and their vulnerabilities. It's not something that can be answered in a forum group.
#4
Intrusion Detection
Can you give me some place to start from, juniperr?
#5
I would start at Cisco's web site and search their tech docs on IDS, protocols and vulnerabilities. I would also then search Google on ....

CGI scripts
CGI scripts consist of server-side programs which generate dynamic web sites. A typical CGI script is formmail.cgi, which allows users to send e-mails to the website administrator without making use of an e-mail client. Other attacks that make use of CGI scripts include cross-site scripting, SQL command injection, and path traversal.

Web server attacks
Many times the web server itself could have security holes. Both Apache on UNIX and IIS on Windows NT have their share of root or SYSTEM vulnerabilities. An unpatched IIS 5 is vulnerable to the UNICODE directory traversal attack, where attackers are able to execute files such as CMD.exe to gain a remote shell. Another common bug is a buffer overflow in the request field or in one of the other HTTP fields.

Web browser attacks
Most modern web browsers have a series of security loopholes. Typical software vulnerabilities like format string and buffer overflow attacks are also found in HTTP clients (such as Internet Explorer and Netscape). Active content such as JavaScript, Java, ActiveX and HTML itself can also pose a security risk. HTTP headers can be used to exploit bugs because some fields are passed to functions that expect only certain information. A well-known exploit for IE consists of encapsulating HTTP headers within an EML file and launching an executable embedded within the EML file. HTML can often be exploited through buffer overflows. Internet Explorer 6, as well as previous versions of IE and Netscape, were found to be vulnerable to these kinds of attacks using different HTML tags with long strings as attributes. JavaScript is well known to be the prime cause of security loopholes within web browsers; likewise with VBScript and any other type of active scripting. These functions are generally run in a sandbox environment; however, from time to time hackers find new ways to escape the sandbox environment and execute code, read sensitive files etc.

Frames and iframes are many times used in conjunction with active scripting (JavaScript, ActiveX, VBScript) exploits. However, they are sometimes also used as a social engineering exploit to fake legitimate sites. Java was built with a strong security model by making use of sandbox technology. However, third parties have implemented their own versions, which can introduce bugs and flaws. Normal Java applets have no access to the local system, but sometimes they would be more useful if they did have local access. Hence the implementations of "trust" models, which can more easily be hacked. ActiveX is even more dangerous than Java as it works purely from a trust model and runs native code. The trust model consists of either allowing the ActiveX application to run on the client machine, or not. Unlike Java, the ActiveX model has no way to limit the application to certain functions only. As a security precaution ActiveX components generally have to be digitally signed. The signature assures the customer that the producer of the ActiveX component is legitimate, but not that the ActiveX component is safe to install.

Access Auditing
Operating systems usually support logging of failed login attempts, failed file access and attempts to perform administrative tasks, especially by non-administrative user accounts.

POP3 and IMAP
POP3 and IMAP servers are known to contain exploits just like any other software. Apart from that, an attacker can launch an attack in order to guess the password of a specific email address.

IP spoofing
A good number of attacks make use of changing the source IP address. The TCP/IP protocol has no way to check if the source IP address in the packet header actually belongs to the machine sending it. Some of the attacks which take advantage of IP spoofing are:

SMURF Attack
A broadcast ping is sent and the source IP of the ping is set to the same as the victim's IP address. In this case a huge number of computers will respond and send a ping reply to the victim. When this is repeated, the victim's machine or link will get overloaded, causing a denial of service.

TCP sequence number prediction
A TCP connection is assigned a sequence number for the client and for the server. If the sequence number is predictable, intruders can create packets with a forged IP address and guess the sequence number to hijack TCP connections.

DNS poisoning through sequence prediction
DNS servers usually query other DNS servers to resolve names for other hosts. An attacker will send a request to the victim DNS server as well as a response to the same server. This way the attacker can make clients trying to access www.hotmail.com point to his servers.

Buffer Overflows
Some common buffer overflow attacks are:

Buffer overruns in major web servers
Both Apache and IIS have well-known vulnerabilities. Worms such as Code Red (for IIS) and Linux.Slapper (for Apache) make use of such vulnerabilities to spread.

DNS overflow
Some of the older DNS servers (BIND) are vulnerable to overflows. A typical attack would be to supply an overly long DNS name to the server. DNS names are limited to 64 bytes per subcomponent and 256 bytes overall.

DNS attacks
DNS servers are usually trusted by services and users, meaning that compromising a DNS server can lead to further attacks on end users and other services. This makes DNS servers a prime target for hacker attacks.

DNS cache poisoning
This is a very typical attack on DNS servers. In simple terms it works by sending a question to resolve a given domain ("Who is www.test.com?") and providing the answer with false information ("www.test.com is 127.0.0.1").
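To tie post #5 back to the original question about intrusion detection, here is an added example (not part of the thread) of what a very small IDS does with three of the patterns described above: a smurf amplifier (echo request to a local broadcast address), path traversal hidden behind URL encoding, and password guessing spotted through failed-login auditing. The local network, the failed-login threshold and all sample events are constructed for the example.

```python
"""Tiny signature/threshold IDS over constructed events (added example)."""
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Assumptions for this example: which networks the sensor treats as local,
# and how many failed logins from one source count as password guessing.
LOCAL_NETS = [ip_network("10.0.0.0/24")]
FAILED_LOGIN_THRESHOLD = 5

def is_smurf(ev):
    """ICMP echo request aimed at a local broadcast address: the amplification
    step of a smurf attack. The source address is then the likely spoofed victim."""
    if ev.get("proto") != "icmp" or ev.get("type") != "echo-request":
        return False
    dst = ip_address(ev["dst"])
    return any(dst == net.broadcast_address for net in LOCAL_NETS)

def is_traversal(uri):
    """Path traversal check done after URL decoding (twice, to catch double
    encoding) and backslash normalisation, so '..%2f' and '..%5c' are caught
    and not only a literal '../'."""
    decoded = unquote(unquote(uri)).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("?")[0].split("/"))

def analyse(events):
    """Return (rule, source, detail) alerts for a list of event dicts."""
    alerts = []
    failures = Counter()
    for ev in events:
        if is_smurf(ev):
            alerts.append(("smurf", ev["src"], f"echo-request to broadcast {ev['dst']}"))
        elif ev.get("proto") == "http" and is_traversal(ev["uri"]):
            alerts.append(("traversal", ev["src"], ev["uri"]))
        elif ev.get("proto") == "auth" and ev.get("result") == "failed":
            failures[(ev["src"], ev["user"])] += 1
    for (src, user), n in failures.items():  # threshold rule from access auditing
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("password-guessing", src, f"{n} failed logins for {user}"))
    return alerts

# Constructed sample events, not captured traffic.
SAMPLE = [
    {"proto": "icmp", "type": "echo-request", "src": "10.0.0.5", "dst": "10.0.0.255"},
    {"proto": "icmp", "type": "echo-request", "src": "10.0.0.5", "dst": "10.0.0.9"},
    {"proto": "http", "src": "203.0.113.7", "uri": "/scripts/..%2f..%2fwinnt/system32/cmd.exe"},
    {"proto": "http", "src": "198.51.100.2", "uri": "/cgi-bin/formmail.cgi"},
] + [{"proto": "auth", "src": "192.0.2.9", "user": "admin", "result": "failed"}] * 5

if __name__ == "__main__":
    for rule, src, detail in analyse(SAMPLE):
        print(f"{rule:18} {src:15} {detail}")
```

The ping to 10.0.0.9 and the plain formmail.cgi request produce no alert, which is the point of decoding and normalising before matching: the rule keys on the traversal itself, not on any one spelling of it.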
#6
Wow! That's a lot of good information
#7
Thanks
Viewing: Dev Shed Forums > System Administration > Networking Help > Intrusion Detection