Linux Intrusion Detection - PowerPoint PPT Presentation
Transcript and Presenter's Notes

1
Linux Intrusion Detection
  • Joe Cicero
  • Northeast Wisconsin Technical College

2
Linux Intrusion Detection Models
  • Host Based
  • Stack Based
  • Network Based

3
Host Based Linux Intrusion Detection Products
  • Host based intrusion detection looks at attacks
    on the host system.
  • md5sum
  • Typically installed and present as a command
  • Tripwire
  • http://www.tripwire.org
  • SNARE
  • http://snare.sourceforge.net/
  • LIDS
  • http://www.lids.org/

4
Md5sum
  • Command line command
  • Synopsis
  • [root@linux /root]# md5sum -b somefile
  • 7041718f525195d02f2c49eb5fac9a *somefile
  • [root@linux /root]# md5sum -b somefile >
    somefile.md
  • [root@linux /root]# md5sum -c somefile.md
  • somefile: OK
  • After somefile has been modified, the same check
    reports:
  • somefile: FAILED
  • md5sum: WARNING: 1 of 1 computed checksum did NOT
    match
  • Checking multiple files requires a script around
    the md5sum command
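An added example, not from the presentation: the "script around md5sum" the slide refers to, as a small POSIX shell script that baselines a whole directory tree and re-verifies it later, including files that appeared after the baseline (which md5sum -c alone cannot report). It assumes GNU coreutils (find -print0, sort -z, md5sum -c --quiet, comm); the file names and contents in demo() are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the presentation: baseline a directory tree with
# md5sum and re-verify it later. Assumes GNU coreutils (find -print0, sort -z,
# md5sum -c --quiet, comm). Paths and file contents in demo() are constructed.

# build_baseline DIR MANIFEST: one "hash *path" line per regular file under DIR.
# -b (binary mode) is what the slide uses; it marks the path with '*'.
build_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0 md5sum -b > "$2"
}

# verify_baseline MANIFEST: exit 0 if every listed file still matches,
# non-zero if any file changed or disappeared. --quiet hides the "OK" lines,
# so only FAILED/missing entries (and md5sum's WARNING summary) are printed.
verify_baseline() {
    md5sum -c --quiet "$1"
}

# find_new_files DIR MANIFEST: files present now that the baseline never saw.
# md5sum -c cannot report these, so compare the two path lists with comm.
find_new_files() {
    dir=$1; manifest=$2
    find "$dir" -type f | sort > "$manifest.now"
    # strip "<hash> *" (or "<hash>  ") from each manifest line to get the path
    awk '{ sub(/^[^ ]+ [ *]/, ""); print }' "$manifest" | sort > "$manifest.known"
    comm -13 "$manifest.known" "$manifest.now"
    rm -f "$manifest.now" "$manifest.known"
}

# demo: baseline two constructed config files, tamper with one, add a third.
demo() {
    work=$(mktemp -d)
    mkdir "$work/etc"
    printf 'PermitRootLogin no\n' > "$work/etc/sshd_config"       # constructed
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/etc/passwd"  # constructed
    build_baseline "$work/etc" "$work/baseline.md5"
    verify_baseline "$work/baseline.md5" && echo "baseline verified: no changes"

    printf 'PermitRootLogin yes\n' > "$work/etc/sshd_config"      # tamper
    printf '#!/bin/sh\n' > "$work/etc/rc.extra"                   # new file
    verify_baseline "$work/baseline.md5" || echo "integrity check FAILED"
    echo "files not in baseline:"
    find_new_files "$work/etc" "$work/baseline.md5"
    rm -rf "$work"
}

demo
```

Running this from cron only helps if an intruder cannot rewrite the manifest or the md5sum binary itself: keep the manifest off-host or on read-only media, and prefer sha256sum (same flags, same manifest format) because MD5 collisions are practical today.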

5
Tripwire
  • Free for Linux
  • Included on many distro CDs
  • Easy install and cleanup, but the default install
    does NOT monitor everything!
  • [root@linux /root]# rpm -ivh tripwire-2.3.1-17.i386.rpm
  • [root@linux /tripwire]# ./twinstall.sh
  • [root@linux /tripwire]# tripwire --init
  • [root@linux /root]# tripwire --check | less
  • edit the /etc/tripwire/twpol.txt file
  • [root@linux /root]# tripwire --init
  • [root@linux /root]# tripwire --update-policy
    twpol.txt
  • [root@linux /root]# tripwire --check | less

6
Snare
  • Three Parts to Snare
  • The Kernel changes: In order to collect event log
    data, Snare needs to add auditing support into
    the operating system, i.e. it requires kernel
    patching. Efforts towards creating a native
    auditing subsystem for Linux will soon mean that
    the kernel component of the Snare for Linux
    agent will no longer be required.
  • The Snare Audit Daemon: The Snare audit daemon
    acts as an interface between the Linux kernel
    and the security administrator. It will allow you
    to turn on events, filter the output, and
    potentially push audit log information back to a
    central location for collection, analysis and
    archival.
  • The Snare Micro-Web Server and Audit GUI: The
    Snare audit GUI provides a graphical user
    interface to the Snare audit daemon. It allows
    you to add, remove or modify audit objectives,
    and change reporting options. The Micro-Web
    Server is embedded in the audit daemon, and
    provides a very simple configuration capability
    that can be managed from your web browser.

7
LIDS
  • The Linux Intrusion Detection System (LIDS) is a
    kernel patch and admin tools which enhances the
    kernel's security by implementing Mandatory
    Access Control (MAC).
  • When it is in effect, chosen file access, all
    system network administration operations, any
    capability use, raw device, memory, and I/O
    access can be made impossible even for root.
  • You can define which programs can access specific
    files. It uses and extends the system
    capabilities bounding set to control the whole
    system and adds some network and filesystem
    security features to the kernel to enhance the
    security.
  • You can finely tune the security protections
    online, hide sensitive processes, receive
    security alerts through the network, and more.
    LIDS currently supports kernels 2.4 and 2.6. LIDS
    is released under the GPL.

8
Stack Based Linux Intrusion Detection Products
  • Stack Based Intrusion Detection looks at packets
    as they pass through the host's TCP/IP stack,
    before they reach the OS or application code they
    could damage. This is done on the host, so stack
    based IDSs are also host based.
  • RealSecure ServerSensor
  • introductory suggested list price of $900

9
Network Based Linux Intrusion Detection Products
  • SNORT
  • Free
  • ActiveTest SecureCheck
  • Price: $5,995 for the scanning portion, plus a
    one-time fee of $25,000, or a $120,000 year-long
    subscription with unlimited service
  • Symantec Network Security (formerly Symantec
    ManHunt)
  • Price range: $10,719.00 - $15,763.00
  • SecureNet Pro
  • Price: $25,995

10
SNORT
  • SNORT
  • http://www.snort.org
  • Snort is an open source network intrusion
    detection system, capable of performing real-time
    traffic analysis and packet logging on IP
    networks. It can perform protocol analysis,
    content searching/matching and can be used to
    detect a variety of attacks and probes, such as
    buffer overflows, stealth port scans, CGI
    attacks, SMB probes, OS fingerprinting attempts,
    and much more.

11
Snort
  • Snort is
  • Small (2.57M source distribution)
  • Portable (Linux, Solaris, BSD, IRIX, HP-UX,
    WIN32)
  • Fast (High probability of detection for a given
    attack on average networks)
  • Configurable (Easy rules language, many
    reporting/logging options)
  • Free (GPL/Open Source Software)

12
Snort Design
  • Packet sniffing network intrusion detection
    system
  • Libpcap-based sniffing interface
  • Rules-based detection engine
  • Multiple output options
  • decoded logs, tcpdump formatted logs
  • real-time alerting to syslog, file, database, xml

13
Snort Detection
  • Rules form signatures
  • Modular detection elements are combined to form
    these signatures
  • Anomalous activity detection is possible
  • stealth scans, OS fingerprinting, invalid ICMP
    codes, etc
  • Rules system is very flexible, and creation of
    new rules is relatively simple

14
Snort Rules
  • alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any
    (flags: SF; msg: "SYN-FIN Scan";)
  • Two sections to a rule
  • rule header
  • alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any
  • rule options
  • (flags: SF; msg: "SYN-FIN Scan";)
  • Rule headers and options can be strung together
    in any combination

15
Snort Rule Headers
  • IP addresses
  • Negation (a leading ! matches everything except
    the given address or network) and CIDR (Classless
    Inter-Domain Routing) notation: an address followed
    by a slash and a prefix length, for example
    192.168.0.0/16 for the whole 192.168.x.x block
  • TCP/UDP ports
  • negation, ranges, greater than/less than
  • uni/bi-directional port/address consideration

16
Snort Rule Options
  • IP TTL
  • IP ID
  • Fragment size
  • TCP Flags
  • TCP Ack number
  • TCP Seq number
  • Payload size
  • Content
  • Content offset
  • Content depth
  • Session recording
  • ICMP type
  • ICMP code
  • Alternate log files
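An added example, not from the presentation, that serves the three rule slides above (rule structure, headers, options): a POSIX shell script that splits a classic one-line Snort rule into its seven header fields and its option list, and lints a rules file so that every rule carries a msg and a sid. It assumes only the grammar shown on the slide (action proto src sport -> dst dport (opt: value; ...)) plus POSIX sed and awk; the rules in write_sample() are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the presentation: split a classic one-line Snort rule
# into its header and its options, then lint a rules file. Assumes the grammar
# shown on the slide, "action proto src sport -> dst dport (opt: value; ...)",
# and POSIX sh/sed/awk. The rules in write_sample() are constructed.

# rule_header RULE: print the seven header fields, one per line
rule_header() {
    printf '%s\n' "$1" | sed 's/ *(.*$//' | tr -s ' ' '\n'
}

# rule_option RULE NAME: print NAME's value without quotes; empty if absent
rule_option() {
    # 1) keep the text between the first "(" and the last ")"
    # 2) split on ";" so each option sits on its own line
    # 3) print the value of the requested option, stripping optional quotes
    printf '%s\n' "$1" |
        sed -n 's/^[^(]*(\(.*\))[^)]*$/\1/p' |
        tr ';' '\n' |
        sed -n "s/^ *$2 *: *\"\{0,1\}\([^\"]*\)\"\{0,1\} *$/\1/p"
}

# lint_rules FILE: print one summary line per rule; exit 1 if any rule has a
# malformed header or lacks msg or sid (sid is what identifies a rule in alerts)
lint_rules() {
    file=$1; status=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -- $(rule_header "$line")
        if [ $# -ne 7 ]; then
            printf 'BAD HEADER: %s\n' "$line"; status=1; continue
        fi
        msg=$(rule_option "$line" msg)
        sid=$(rule_option "$line" sid)
        printf '%-5s %-4s %s:%s %s %s:%s  msg="%s" sid=%s\n' \
            "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$msg" "$sid"
        if [ -z "$msg" ] || [ -z "$sid" ]; then
            printf '  missing msg or sid in: %s\n' "$line"; status=1
        fi
    done < "$file"
    return $status
}

# write_sample FILE: constructed rules in the slide's style (not a real ruleset)
write_sample() {
    cat > "$1" <<'EOF'
# constructed example rules
alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN Scan"; sid: 1000001;)
alert tcp any any -> 10.1.1.0/24 100:600 (flags: S; msg: "TRAP!"; sid: 1000002;)
log udp any any -> 10.1.1.0/24 53 (msg: "DNS to internal"; sid: 1000003;)
EOF
}

demo() {
    f=$(mktemp)
    write_sample "$f"
    lint_rules "$f" && echo "ruleset OK"
    echo 'alert tcp any any -> any any (flags: S;)' >> "$f"   # no msg, no sid
    lint_rules "$f" || echo "ruleset has problems"
    rm -f "$f"
}

demo
```

The linter is deliberately stricter than Snort itself, which will happily load a rule without a sid; an alert you cannot trace back to a rule is the first thing you regret during an incident.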

17
Snort Uses
  • Packet Sniffing NIDS
  • Honeypot Monitor
  • Scan Detection/Traps
  • Other

18
Snort Packet Sniffing NIDS
  • Load up a good rules set and let it run!
  • www.whitehats.com
  • Automatically generates alerts and logs full
    packet data
  • Alternative alerting/actions can be handled by
    something like Swatch
  • email alerts, active response, etc
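An added example, not from the presentation: the kind of Swatch-style post-processing the slide mentions, as a POSIX shell script that reads Snort's alert_fast log, counts alerts per source address, picks out sources over a threshold and prints (but does not run) a firewall rule for each. The sample lines in write_sample() are constructed to follow the alert_fast layout (timestamp [**] [gid:sid:rev] msg [**] [Priority: n] {proto} src:port -> dst:port) with made-up addresses and SIDs; the iptables response is this example's choice, not something the slides prescribe.

```sh
#!/bin/sh
# Added example, not from the presentation: a Swatch-style post-processor for
# Snort's "alert_fast" output. The lines in write_sample() are constructed to
# follow the alert_fast layout
#   timestamp [**] [gid:sid:rev] msg [**] [Priority: n] {proto} src:port -> dst:port
# with made-up addresses and SIDs. Assumes POSIX sh and awk.

# alerts_by_source FILE: "count source-ip", busiest source first
alerts_by_source() {
    awk '/\[\*\*\]/ {
            src = $(NF-2)                 # field just before "->"
            sub(/:[0-9]+$/, "", src)      # drop the source port (ICMP has none)
            n[src]++
         }
         END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# scanners_over THRESHOLD FILE: sources with more than THRESHOLD alerts
scanners_over() {
    alerts_by_source "$2" | awk -v t="$1" '$1 > t { print $2 }'
}

# block_commands THRESHOLD FILE: print (do not run) one firewall rule per
# offender, the way Guardian-style responders do; review before applying,
# since a spoofed source address turns this into a self-inflicted DoS.
block_commands() {
    scanners_over "$1" "$2" | while IFS= read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# write_sample FILE: constructed alert_fast lines
write_sample() {
    cat > "$1" <<'EOF'
01/01-12:00:01.000001  [**] [1:1000001:0] SYN-FIN Scan [**] [Priority: 2] {TCP} 192.168.1.5:40001 -> 10.1.1.7:22
01/01-12:00:01.000250  [**] [1:1000001:0] SYN-FIN Scan [**] [Priority: 2] {TCP} 192.168.1.5:40002 -> 10.1.1.7:80
01/01-12:00:02.000010  [**] [1:1000002:0] TRAP! [**] [Priority: 2] {TCP} 192.168.1.5:40003 -> 10.1.1.9:113
01/01-12:00:05.500000  [**] [1:1000003:0] ICMP PING [**] [Priority: 3] {ICMP} 172.16.0.9 -> 10.1.1.1
EOF
}

demo() {
    f=$(mktemp)
    write_sample "$f"
    echo "alerts per source:"; alerts_by_source "$f"
    echo "sources over threshold 2:"; scanners_over 2 "$f"
    echo "suggested response:"; block_commands 2 "$f"
    rm -f "$f"
}

demo
```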

19
Snort HoneyPot Monitor
  • Honeypots are deception systems that perform
    intrusion detection by inclusion
  • Gets rid of all the false alarms!
  • Use Snorts filtering capability to log all the
    traffic going to the honeypot
  • Post process the data with a good ruleset

20
Snort Detection / Trap
  • Snort has no formal port scan detection mechanism
  • Setup rules to log traffic to known closed ports
    and unused addresses
  • Poor man's honeypot/port scan detector
  • alert tcp any any -> 10.1.1.0/24 100:600
    (flags: S; msg: "TRAP!";)

21
Snort Other
  • Snort is a packet sniffer, can be used to analyze
    traffic in real-time
  • Motivated people can write rules to pick up all
    sorts of naughty things
  • SQL/ODBC, ActiveX, Java/JavaScript, Macro Viruses

22
SNORT For Busy Net Admins
  • Sniffer mode
  • SNORT allows you to use the snort command to view
    packet headers and the packet data just like a
    sniffer. (example: ./snort -vde)
  • Packet Logger Mode
  • SNORT also allows you to record all the packets
    to disk. (example: ./snort -dev -l /log)

23
SNORT For Busy Net Admins
  • Network Intrusion Detection Mode
  • You can enable intrusion detection mode, so you
    don't record EVERY SINGLE PACKET sent down the
    wire!
  • (./snort -d -h 192.168.1.0/24 -l ./log -c
    snort.conf)
  • The previous command will have snort run in its
    most basic NIDS form, logging only those packets
    that match the rules.

24
SNORT For Busy Net Admins
  • So what are rules?
  • The rules are the signatures that bad packets
    have. If a bad packet comes into the system or
    is on the wire it is logged.
  • Rather than log all traffic on the network you
    will want to log those packets that break the
    rules!

25
Snort Add-ons
  • Guardian 1.2.0, by Anthony Stevens and Ernie
    Lim (http://home.golden.net/elim/). Guardian is a
    stand-alone Perl script which watches the output
    of snort, and will add rules to IPChains on the
    fly as snort detects and reports an attack.
  • snort-panel, by Xato (http://www.xato.net/files.htm).
    A very useful Windows-based utility for
    managing, controlling, and monitoring the win32
    port of Snort.
  • snortnet, by Fyodor (http://snortnet.scorpions.net/).
    This code is an output plugin that allows you to
    log Snort alerts to a remote machine. Requires
    libiap-0.1.tar.gz
  • Spade 01172001.1, by Silicon Defense
    (http://www.silicondefense.com/spice/). SPADE stands
    for the Statistical Packet Anomaly Detection
    Engine. It is a Snort preprocessor plugin which
    sends alerts of anomalous packets through standard
    Snort reporting mechanisms. Please consider this to
    be experimental, though it has worked well for us.
  • ACID 0.9.6b9, by CERT (http://acidlab.sourceforge.net/).
    ACID is a PHP-based analysis engine to search
    and process a database of security incidents
    generated by Snort. Requires PHP and MySQL.
  • more