02233

Network Security (Netværkssikkerhed)

Question 11

Will it be possible to see worm and virus attacks with an enterprise IDS?

That depends heavily on the infection vector and on how the worm or virus propagates. Depending on its payload, the malware may also generate network activity of its own once a host is infected.
Most viruses are spread through email as attachments, so reliably detecting them requires examining the whole email. Snort cannot do this, as it only inspects individual network packets. After-the-fact detection may still be possible, e.g. if Snort suddenly notices SMTP traffic from a computer that should not be originating any.
If the spreading vector is purely network based, i.e. the worm is self-propagating, then Snort is able to detect what is happening.
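The "after the fact" signal described above, as an added example that is not part of the original course answer: a small Python check that runs over a constructed, flow-style connection log (one line per TCP connection, a format assumed here rather than any Snort output) and flags hosts that originate SMTP connections even though they are not the designated mail server. The allowed-sender set and the fan-out threshold are assumptions for the example.

```python
# Added example (not from the course page): flag hosts that open SMTP
# connections although they are not designated mail servers, and single
# out those fanning out to many destinations the way a mass-mailing worm does.
from collections import defaultdict

MAIL_SERVERS = {"10.0.0.25"}   # hosts allowed to originate SMTP (assumed)
SMTP_PORTS = {25, 465, 587}    # SMTP, SMTPS and submission
BURST_THRESHOLD = 3            # distinct SMTP destinations per host that counts as a burst (assumed)

# Constructed sample log: "<timestamp> <src> -> <dst>:<dport> <proto>"
SAMPLE_LOG = """\
2024-05-01T08:00:01 10.0.0.25 -> 203.0.113.10:25 tcp
2024-05-01T08:00:05 10.0.0.42 -> 198.51.100.7:80 tcp
2024-05-01T08:01:10 10.0.0.77 -> 203.0.113.20:25 tcp
2024-05-01T08:01:11 10.0.0.77 -> 203.0.113.21:25 tcp
2024-05-01T08:01:12 10.0.0.77 -> 203.0.113.22:25 tcp
2024-05-01T08:02:00 10.0.0.42 -> 203.0.113.30:587 tcp
"""

def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    dst, _, port = parts[3].rpartition(":")
    if not port.isdigit():
        return None
    return parts[0], parts[1], dst, int(port)

def find_unexpected_smtp(log_text, mail_servers=MAIL_SERVERS):
    """Map each non-mail-server source host to the set of SMTP destinations it contacted."""
    by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, dst, dport = rec
        if dport in SMTP_PORTS and src not in mail_servers:
            by_src[src].add(dst)
    return dict(by_src)

def classify(by_src, threshold=BURST_THRESHOLD):
    """Label hosts: a single stray SMTP session vs. fan-out typical of a mass mailer."""
    return {src: ("mass-mailer" if len(dsts) >= threshold else "unexpected-smtp")
            for src, dsts in by_src.items()}

if __name__ == "__main__":
    hits = find_unexpected_smtp(SAMPLE_LOG)
    for src, verdict in classify(hits).items():
        print(f"{src}: {verdict} ({len(hits[src])} SMTP destinations)")
```

On the sample log the mail server's own traffic is ignored, the host on port 80 is not counted, and only the host contacting three different mail servers within seconds is labelled as a mass mailer.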
