Security(network Intrusion Detection)

  • November 2019
  • PDF

Network Intrusion Detection

David LaPorte [email protected]

Topics

  • What is IDS?
  • HIDS v. NIDS
  • Signatures
  • Active Response / IPS
  • NIDS on the Cheap
  • Additional Resources

What is IDS?

“the art of detecting inappropriate, incorrect, or anomalous activity. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems, and ID systems that operate on network data flows are called network-based ID systems.”

http://www.sans.org/newlook/resources/IDFAQ/what_is_ID.htm

HIDS v. NIDS

  • Defense in depth, layered security
  • HIDS
      ◦ Typically software installed on a system
      ◦ Agent-based
          ▪ Monitors multiple data sources, including file system meta-data, log files
      ◦ Wrapper-based
          ▪ Acts like a firewall – denies or accepts connections or logins based on defined policy

HIDS v. NIDS

  • NIDS
      ◦ Monitors traffic on a network
      ◦ Reports on traffic not considered “normal”
          ▪ Anomaly-based
              · Packet sizes, destinations, protocol distributions, etc
              · Hard to determine what “normal” traffic looks like
          ▪ Signature-based
              · Most products use signature-based technologies

Signature-based NIDS

  • Signature-based
      ◦ Matches header fields, port numbers, content
  • Advantages
      ◦ Network “grep”
      ◦ No learning curve
      ◦ Works out-of-box for well known attacks
          ▪ Snort has ~1900 signatures
          ▪ Dragon has ~1700 signatures
  • Disadvantages
      ◦ New attacks cannot be detected
      ◦ False positives
      ◦ Maintenance/tweaking
      ◦ Not very hard to evade
      ◦ Stateless, lacks thresholding

Signatures

  T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt

  Fields, left to right:

  T              PROTOCOL
  A              DIRECTION
  A              PROTECTED NETWORKS
  S              BINARY OR STRING
  10             DYNAMIC LOG
  20             COMPARE BYTES
  6668           PORT
  IRC:XDCC       EVENT NAME
  /5Bxdcc/5Dslt  SEARCH STRING
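As an added example (not from the original slides), a minimal matcher for the nine-field signature line above: it decodes the search string, then checks protocol, port and only the first COMPARE BYTES of a constructed payload. The /XX hex-escape reading of the search string, the case-insensitive string compare and the interpretation of COMPARE BYTES as a search window are assumptions; DIRECTION and PROTECTED NETWORKS are parsed but not evaluated.

```python
import re
from dataclasses import dataclass

# The nine-field signature from the slide; the harness around it is constructed.
SIGNATURE_LINE = "T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt"


@dataclass
class Signature:
    protocol: str          # T
    direction: str         # A (parsed, not evaluated here)
    protected_nets: str    # A (parsed, not evaluated here)
    binary_or_string: str  # S = string search
    dynamic_log: int       # 10
    compare_bytes: int     # 20: assumed to bound how far into the payload we search
    port: int              # 6668
    event_name: str        # IRC:XDCC
    search: bytes          # decoded search string


def decode_search(raw: str) -> bytes:
    """Assumption: /XX in the search string is a hex-escaped byte, so /5B -> '['."""
    return re.sub(r"/([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), raw).encode("latin-1")


def parse_signature(line: str) -> Signature:
    f = line.split()
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}")
    return Signature(f[0], f[1], f[2], f[3], int(f[4]), int(f[5]),
                     int(f[6]), f[7], decode_search(f[8]))


def matches(sig: Signature, proto: str, dst_port: int, payload: bytes) -> bool:
    """Cheap header tests first, then a bounded, case-insensitive content search."""
    if proto != sig.protocol or dst_port != sig.port:
        return False
    window = payload[:sig.compare_bytes]          # only the first compare_bytes are inspected
    return sig.search.lower() in window.lower()   # assumed case-insensitive string mode


if __name__ == "__main__":
    sig = parse_signature(SIGNATURE_LINE)
    # Constructed payloads, not captured traffic. The second one carries the
    # string past byte 20, so the COMPARE BYTES window never sees it.
    for port, data in [(6668, b"NICK [XDCC]SLT-L482\r\n"),
                       (6668, b"PRIVMSG #chan :see [xdcc]slt later\r\n"),
                       (80, b"NICK [XDCC]SLT-L482\r\n")]:
        print(sig.event_name if matches(sig, "T", port, data) else "no match", port, data)
```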

Signatures – On the console…

  Time   Date     Dir   Source            Destination      Proto  Event Name  Group    Sensor  Session  Raw Data
  11:02  02Nov04  from  128.103.a.b:4295  207.44.x.y:6667  tcp    IRC:XDCC    UNKNOWN  ids5
  11:01  02Nov04  from  128.103.a.b:1141  207.44.x.y:6667  tcp    IRC:XDCC    UNKNOWN  ids5
  10:59  02Nov04  from  128.103.a.b:2582  207.44.x.y:6667  tcp    IRC:XDCC    UNKNOWN  ids5
  10:57  02Nov04  from  128.103.a.b:3341  207.44.x.y:6667  tcp    IRC:XDCC    UNKNOWN  ids5


NIDS – Management

  • Correlation is key
  • Multiple sensors
  • Single data repository
      ◦ Syslog
      ◦ DBMS
      ◦ Text files

NIDS – Placement

  • Inside firewall
      ◦ Limits false positives – “cleaner” data
  • Outside firewall
      ◦ Shows overall interest
  • Need to collect all traffic
      ◦ Switch port won’t cut it
          ▪ Hub
          ▪ Switch SPAN port
          ▪ Passive tap
      ◦ Difficult on high-bandwidth links (>300Mbps)
          ▪ Distribution devices (TopLayer, etc)
          ▪ Hardware

NIDS – Drawbacks

  • False positives
  • LOTS of data
      ◦ We generate 3-4GB of logs each day on a ~250Mbps sustained link
      ◦ Makes alerting difficult
  • Interoperability
      ◦ ESM – Intellitactics, PentaSafe, etc.

NIDS – Drawbacks

  • Evasion
      ◦ Packet fragmentation
          ▪ Out of order, overlapping
          ▪ Fragroute
      ◦ Character encodings / padding
          ▪ Unicode, mixed case, ../..’s, \0’s
      ◦ OS stack behavior
      ◦ A simple “grep” of a packet won’t work
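To show why a simple grep of a packet won’t work, here is an added example (not from the original talk) that runs one hypothetical rule content against constructed request lines, first as a raw byte search and then after normalizing the encodings listed on the slide (case, percent-encoding, ./ padding, embedded NULs). The rule content, request lines and normalization order are assumptions made for the demo.

```python
from urllib.parse import unquote_to_bytes

# Hypothetical rule content and constructed request lines (not from the slides).
# Each line after the first defeats a raw byte search in a different way.
RULE_CONTENT = b"/cgi-bin/../"
REQUESTS = [
    b"GET /cgi-bin/../admin HTTP/1.0",            # plain: raw grep catches this one
    b"GET /CGI-BIN/../admin HTTP/1.0",            # mixed case
    b"GET /cgi-bin/%2e%2e/admin HTTP/1.0",        # percent-encoded dots
    b"GET /cgi-bin/%252e%252e/admin HTTP/1.0",    # double-encoded dots
    b"GET /cgi-bin/./../admin HTTP/1.0",          # "./" padding
    b"GET /cgi-bin/\x00../admin HTTP/1.0",        # embedded NUL
]


def normalize(payload: bytes) -> bytes:
    """Undo the encodings a packet-level grep would miss before matching."""
    p = payload.replace(b"\x00", b"")          # NULs break a naive byte compare
    for _ in range(3):                         # repeat: %252e -> %2e -> .
        decoded = unquote_to_bytes(p)
        if decoded == p:
            break
        p = decoded
    p = p.lower()                              # fold case
    while b"/./" in p:                         # collapse self-referencing segments
        p = p.replace(b"/./", b"/")
    return p


def naive_grep(payload: bytes) -> bool:
    """What the slide calls a simple grep of the packet."""
    return RULE_CONTENT in payload


def normalized_match(payload: bytes) -> bool:
    """Same rule, applied after decoding."""
    return RULE_CONTENT in normalize(payload)


def evaluate() -> list:
    """(naive, normalized) verdict for each request, in REQUESTS order."""
    return [(naive_grep(r), normalized_match(r)) for r in REQUESTS]


if __name__ == "__main__":
    for req, (naive, norm) in zip(REQUESTS, evaluate()):
        print(f"naive={naive!s:5} normalized={norm!s:5} {req!r}")
```

The decoder has to mirror what the protected server actually does with the bytes; a normalizer that decodes more aggressively than the server becomes its own source of false positives.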

Active Response

  • NIDS is primarily a passive technology
      ◦ Only monitors traffic
      ◦ Doesn’t sit in the data stream
  • Active response
      ◦ aka “sniping”, flex response

Active Response

  • Several issues
      ◦ Timing
          ▪ By the time filters are applied, attack is complete
      ◦ False alarms / spoofed traffic
          ▪ Self-inflicted DOS
      ◦ Lack of formatting standards
          ▪ CVE, OPSEC

Intrusion Prevention

  • Place system in-line
      ◦ Hardware
      ◦ Redundancy
  • Acts as an IDS/Firewall hybrid
  • Hogwash

NIDS on the Cheap

  • So you want a NIDS?
  • Snort
      ◦ Open-source NIDS
      ◦ Quickly becoming the “Apache” of IDS
      ◦ Runs on Windows and most Unix variants
  • MySQL
      ◦ Open-source DBMS
  • ACID
      ◦ Great web-based front-end for Snort/MySQL
  • A place to collect traffic
      ◦ Your NIC is fine if you have only one machine
      ◦ Use a hub if you’ve got a LAN

Additional Resources

  • Fragroute
      ◦ http://monkey.org/~dugsong/fragroute/
  • Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
      ◦ http://secinf.net/info/ids/idspaper/idspaper.html
  • HIDS Products
      ◦ PortSentry – http://www.psionic.com/products/portsentry.html
      ◦ Tripwire – http://www.tripwire.com/
      ◦ AIDE – http://www.cs.tut.fi/~rammer/aide.html

Additional Resources

  • NIDS Products
      ◦ Snort – http://www.snort.org
      ◦ Dragon – http://www.enterasys.com/ids/
      ◦ CiscoSecure IDS
      ◦ ISS RealSecure – http://www.iss.net/products_services/enterprise_protection/rsnetwork/index.php
      ◦ ACID – http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html
      ◦ Hogwash – http://hogwash.sourceforge.net/

Questions?
