LEARNING LOG 4

This week we learned about Snort. It was a refresher subject, since we had already configured Snort during our INFOSEC course. Nevertheless, I was still excited, because last time my group only got as far as the installation phase of Snort; we didn't really explore much about it. Now we had a chance to fully use Snort as an Intrusion Detection System, or IDS. Sir Justin first explained what an IDS is for, but we all know that it is for detecting suspicious and anomalous traffic on the network. This could be possible XSS attacks, Denial of Service or DoS attacks, or payloads and viruses at work. That is why Snort is important in the network: Snort is the one alerting the network administrators about dangerous attacks that have been executed or are being executed. If Snort is not implemented in the network, there is a chance that attacks could just slip through the defenses without any detection and damage the network itself. We were reminded of where the IDS should be placed. It should be placed behind the firewall, or beside it, where traffic enters the network. It shouldn't be placed in front of the firewall, since it would just generate false positives.

Although we studied Snort, my mind that day was on the correlation that we would be implementing and demonstrating. It was the tree correlation that we proposed, a combination of alert correlation and event correlation. Alert correlation is about gathering alerts that are related to each other and summing them into one alert. Event correlation is about identifying attacks and trying to correlate those attacks with other systems to determine whether it is just a harmless attack on the system. I am excited about building our correlator and I hope it is successful! Thanks for reading 🙂
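As an added illustration of the alert-correlation idea described above (example code written for this post, not our group's correlator and not part of Snort): the script below parses lines in Snort's "fast" alert format and merges alerts that share the same rule, source host and destination host within a time window into one aggregated alert. The sample lines and their SIDs are constructed placeholders, not real rules or real traffic.

```python
import re
from datetime import datetime
# Constructed sample lines in Snort's "fast" alert format (not from a real sensor);
# the SIDs are local-rule placeholders, not real Snort rule identifiers.
SAMPLE_ALERTS = """\
01/15-10:22:33.100000  [**] [1:1000001:1] LOCAL SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40001 -> 198.51.100.5:22
01/15-10:22:34.200000  [**] [1:1000001:1] LOCAL SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40002 -> 198.51.100.5:22
01/15-10:22:35.300000  [**] [1:1000001:1] LOCAL SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40003 -> 198.51.100.5:22
01/15-10:22:36.000000  [**] [1:1000002:1] LOCAL ICMP ping [**] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5
01/15-10:35:00.000000  [**] [1:1000001:1] LOCAL SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40004 -> 198.51.100.5:22
"""
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def _host(addr):
    # Drop a trailing ':port' (IPv4 assumed) so flows that differ only by ephemeral port correlate.
    return addr.rsplit(":", 1)[0] if ":" in addr else addr

def parse_alert(line):
    """Parse one fast-format line into a dict; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")  # no year in the log; defaults to 1900
    a["prio"] = int(a["prio"])
    return a

def correlate_alerts(text, window_seconds=60):
    """Merge alerts that share (sid, src host, dst host) within window_seconds into one aggregate."""
    open_groups, closed = {}, []
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # malformed line: skip it rather than crash the correlator
        key = (a["sid"], _host(a["src"]), _host(a["dst"]))
        g = open_groups.get(key)
        if g is not None and (a["ts"] - g["last"]).total_seconds() > window_seconds:
            closed.append(open_groups.pop(key))  # quiet for too long: emit it and start a new group
            g = None
        if g is None:
            open_groups[key] = {"sid": a["sid"], "msg": a["msg"], "prio": a["prio"], "src": key[1],
                                "dst": key[2], "first": a["ts"], "last": a["ts"], "count": 1}
        else:
            g["last"], g["count"] = a["ts"], g["count"] + 1
    return sorted(closed + list(open_groups.values()), key=lambda x: x["first"])
```

Calling correlate_alerts(SAMPLE_ALERTS) yields three aggregated alerts: the three SSH probes collapse into one with a count of 3, the ICMP ping stays separate, and the probe twelve minutes later starts a fresh group; widening the window to 3600 seconds merges that late probe into the first group as well.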