Security(network Intrusion Detection)

Network Intrusion Detection

David LaPorte [email protected]

Topics What is IDS?  HIDS v. NIDS  Signatures  Active Response / IPS  NIDS on the Cheap  Additional Resources 

What is IDS? the art of detecting inappropriate, incorrect, or anomalous activity. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems, and ID systems that operate on network data flows are called network-based ID systems. http://www.sans.org/newlook/resources/IDFAQ/what_is_ID.htm

HIDS v. NIDS  Defense

in depth, layered security

 HIDS  Typically

software installed on a system  Agent-based 

Monitors multiple data sources, including file system meta-data, log files

 Wrapper-based 

Acts like a firewall – denies or accepts connections or logins based on defined policy

HIDS v. NIDS  NIDS  Monitors

traffic on a network  Reports on traffic not considered “normal” 

Anomaly-based  



Packet sizes, destinations, protocol distributions, etc Hard to determine what “normal” traffic looks like

Signature-based 

Most products use signature-based technologies

Signature-based NIDS 

Signature-based 

Matches header fields, port numbers, content 



Advantages  



Network “grep” No learning curve Works out-of-box for well known attacks  Snort has ~1900 signatures  Dragon has ~1700 signatures

Disadvantages     

New attacks cannot be detected False positives Maintenance/tweaking Not very hard to evade Stateless, lacks thresholding

Signatures T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt | | | | | | | | | | | | | | | | | SEARCH STRING | | | | | | | EVENT NAME | | | | | | PORT | | | | | | | | | | | COMPARE BYTES | | | | | | | | | DYNAMIC LOG | | | | | | | BINARY OR STRING | | | | | PROTECTED NETWORKS | | | DIRECTION | PROTOCOL

Signatures  On

the console…

Time Dir Source Destination Proto Event Name Group Sensor Session Raw Data 11:02 02Nov04 from 128.103.a.b:4295 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5 11:01 02Nov04 from 128.103.a.b:1141 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5 10:59 02Nov04 from 128.103.a.b:2582 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5 10:57 02Nov04 from 128.103.a.b:3341 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5

NICK [XDCC]SLT-L482{A} USER b0b 32 . :XDCC{A} MODE [XDCC]SLT-L482 +i{A} NICK [XDCC]SLT-L482{A} USER b0b 32 . :XDCC{A} MODE [XDCC]SLT-L482 +i{A} NICK [XDCC]SLT-L482{A} USER b0b 32 . :XDCC{A} MODE [XDCC]SLT-L482 +i{A} {A} :snagged.wi.us.criten.net NOTICE AUTH :*** Looking up your hostname...{A} :snagged.wi.us.criten.net NOTICE AUTH :*** Found your hostname, cached{A} :snagged.wi.us.criten.net NOTICE AUTH :*** Checking Ident{A} :snagged.wi.us.criten.net 001 [XDCC]SLT-L482 :Welcome to the Criten IRC Network [XDCC][email protected]{D}{A} :snagged.wi.us.criten.net 002 [XDCC]SLT-L482 :Your host is snagged.wi.us.criten.net[@0.0.0.0], running version bahamut-1 .4(34){D}{A} :snagged.wi.us.criten.net 003 [XDCC]SLT-L482 :This server was created Fri Oct 18 2002 at 12:49:34 CDT{D}{A} :snagged.wi.us.criten.net 004 [XDCC]SLT-L482 snagged.wi.us.criten.net bahamut-1.4(34) oiwscrknfydaAbghe biklLmMnoprRstvc {D}{A} :snagged.wi.us.criten.net 005 [XDCC]SLT-L482 NOQUIT WATCH=128 SAFELIST MODES=13 MAXCHANNELS=15 MAXBANS=100 NICKLEN=30 TO PICLEN=307 KICKLEN=307 CHANTYPES=&# PREFIX=(ov)@+ NETWORK=Criten SILENCE=10 CASEMAPPING=ascii :are available on this serv er{D}{A} :snagged.wi.us.criten.net 251 [XDCC]SLT-L482 :There are 59 users and 6470 invisible on 17 servers{D}{A} :snagged.wi.us.criten.net 252 [XDCC]SLT-L482 30 :IRC Operators online{D}{A} :snagged.wi.us.criten.net 253 [XDCC]SLT-L482 84 :unknown connection(s){D}{A} :snagged.wi.us.criten.net 254 [XDCC]SLT-L482 738 :channels formed{D}{A} :snagged.wi.us.criten.net 255 [XDCC]SLT-L482 :I have 705 clients and 1 servers{D}{A} :snagged.wi.us.criten.net 265 [XDCC]SLT-L482 :Current local users: 705 Max: 3506{D}{A} :snagged.wi.us.criten.net 266 [XDCC]SLT-L482 :Current global users: 6529 Max: 13238{D}{A} :snagged.wi.us.criten.net NOTICE [XD:snagged.wi.us.criten.net NOTICE AUTH :*** Found your hostname, cached{A} :snagged.wi.us.criten.net NOTICE AUTH :*** Checking Ident{A} :snagged.wi.us.criten.net 001 [XDCC]SLT-L482 :Welcome to the Criten IRC Network [XDCC][email protected] ard.edu{D}{A} :snagged.wi.us.criten.net 002 [XDCC]SLT-L482 :Your host is snagged.wi.us.criten.net[@0.0.0.0], running version bahamut-1 .4(34){D}{A} :snagged.wi.us.criten.net 003 [XDCC]SLT-L482 :This server was created Fri Oct 18 2002 at 12:49:34 CDT{D}{A} :snagged.wi.us.criten.net 004 [XDCC]SLT-L482 snagged.wi.us.criten.net bahamut-1.4(34) oiwscrknfydaAbghe biklLmMnoprRstvc {D}{A} :snagged.wi.us.criten.net 005 [XDCC]SLT-L482 NOQUIT WATCH=128 SAFELIST MODES=13 MAXCHANNELS=15 MAXBANS=100 NICKLEN=30 TO PICLEN=307 KICKLEN=307 CHANTYPES=&# PREFIX=(ov)@+ NETWORK=Criten SILENCE=10 CASEMAPPING=ascii :are available on this serv er{D}{A} :snagged.wi.us.criten.net 251 [XDCC]SLT-L482 :There are 59 users and 6470 invisible on 17 servers{D}{A} :snagged.wi.us.criten.net 252 [XDCC]SLT-L482 30 :IRC Operators online{D}{A} :snagged.wi.us.criten.net 253 [XDCC]SLT-L482 84 :unknown connection(s){D}{A} :snagged.wi.us.criten.net 254 [XDCC]SLT-L482 738 :channels formed{D}{A} :snagged.wi.us.criten.net 255 [XDCC]SLT-L482 :I have 705 clients and 1 servers{D}{A} :snagged.wi.us.criten.net 265 [XDCC]SLT-L482 :Current local users: 705 Max: 3506{D}{A} :snagged.wi.us.criten.net 266 [XDCC]SLT-L482 :Current global users: 6529 Max: 13238{D}{A} :snagged.wi.us.criten.net NOTICE [XD{A}

NIDS – Management  Correlation  Multiple

is key

sensors  Single data repository Syslog  DBMS  Text files 

NIDS – Placement 

Inside firewall 



Outside firewall 



Limits false positives – “cleaner” data Shows overall interest

Need to collect all traffic 

Switch port won’t cut it   



Hub Switch SPAN port Passive tap

Difficult on high-bandwidth links (>300Mbps)  

Distribution devices (TopLayer, etc) Hardware

NIDS – Drawbacks  False

Positives

 LOTS 

of data

We generate 3-4GB of logs each day on a ~250Mbps sustained link

 Makes

alerting difficult

 Interoperability  ESM

– Intellitactics, PentaSafe, etc.

NIDS - Drawbacks  Evasion  Packet

fragmentation

Out of order, overlapping  Fragroute 

 Character 

encodings / padding

Unicode, mixed case, ../..’s, \0’s

 OS

stack behavior  A simple “grep” of a packet won’t work

Active Response  NIDS

is primarily a passive technology

 Only

monitors traffic  Doesn’t sit in the data stream  Active response 

aka “sniping”, flex response

Active Response  Several

issues

 Timing 

By the time filters are applied, attack is complete

 False 

Self-inflicted DOS

 Lack 

alarms / spoofed traffic

of formatting standards

CVE, OPSEC

Intrusion Prevention  Place

system in-line

 Hardware  Redundancy

 Acts

as an IDS/Firewall hybrid

 Hogwash

NIDS on the Cheap 

So you want a NIDS? 

Snort   



MySQL 



Open-source DBMS

ACID 



Open-source NIDS Quickly becoming the “Apache” of IDS Runs on Windows and most Unix variants

Great web-based front-end for Snort/Mysql

A place to collect traffic  

Your NIC is fine if you have only one machine Use a hub if you’ve got a LAN

Additional Resources 



 





Fragroute  http://monkey.org/~dugsong/fragroute/ Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection  http://secinf.net/info/ids/idspaper/idspaper.html HIDS Products PortSentry  http://www.psionic.com/products/portsentry.html Tripwire  http://www.tripwire.com/ AIDE  http://www.cs.tut.fi/~rammer/aide.html

Additional Resources 

NIDS Products  Snort  http://www.snort.org  Dragon  http://www.enterasys.com/ids/  CiscoSecure IDS  ISS RealSecure 

http://www.iss.net/products_services/enterprise_protection/rsnetwork/index.php

ACID  http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html  Hogwash  http://hogwash.sourceforge.net/ 

Questions?