Title: COEN 252 Computer Forensics
1 COEN 252 Computer Forensics
- Intrusion Detection Systems
2 IDS Overview
- Intrusion Detection System
- Host based
- Network based (NIDS)
- System Integrity Verifiers (SIV)
- Log File Monitors
- Deception Systems (decoys, honeypots)
3 IDS Architecture
- Raw packet logging
- Too much traffic, hence:
- Attack detection
- Attack Signatures
- Can only find known attacks
- Anomaly Detection
- Finds deviations from normal traffic
- But what is normal traffic?
4 IDS Architecture
- Host-based intrusion detection
- Looks for changes to critical files.
- Tripwire.
- Detection of change and recovery to known good states already provided by MS Windows.
- Provide this system with access control.
5 IDS Architecture
- False positives
- Alarms are ringing, but there is no fire.
- E.g.
- NIDS reported login attempts.
- From within the network, but from a remote site.
- Logs showed that the logons were attempts to access unavailable network resources.
- Traced to workstations attempting to access an antivirus software update server.
6 IDS Architecture
- False negatives.
- Stealth scans: traffic at a slow rate.
- Suspicious traffic can be legitimate
- User forgot password.
- DoS attacks can be hard to distinguish from heavy
7 IDS Architecture
- NIDS placement
- NIDS limited by traffic.
- Switched environments make NIDS difficult to place.
- On network perimeter
- Both sides of firewalls.
8 IDS Operations
- Anomaly detection
- Based on statistical anomalies, compared with:
- CPU utilization
- Disk activity
- User logins
- File activity, etc.
- Does not have to understand the cause.
9 IDS Operations
- Application protocol verification
- Invalid protocol behavior, such as WinNuke
- WinNuke: attacker sends out-of-band / urgent data to port 139 on a Win95 system.
- Unusual behavior such as DNS cache poisoning.
- Simply creates new logs that can then later be correlated with other system logs to show what
10 IDS Example: UDP Flooding, January 1999
- 08:10:10 bobadilla.echo > udp 1024 (DF)
- 08:10:10 bobadilla.echo > udp 426 (DF)
- 08:10:17 bobadilla.echo > udp 1024 (DF)
- 08:10:17 bobadilla.echo > udp 426 (DF)
- 08:10:22 bobadilla.echo > udp 1024 (DF)
- 08:10:22 bobadilla.echo > udp 426 (DF)
- 08:10:28 bobadilla.echo > udp 1024 (DF)
- 08:10:28 bobadilla.echo > udp 426 (DF)
- 08:10:35 bobadilla.echo > udp 1024 (DF)
- 08:10:35 bobadilla.echo > udp 426 (DF)
- 08:10:49 bobadilla.echo > udp 1024 (DF)
- 08:10:49 bobadilla.echo > udp 426 (DF)
- 08:11:05 bobadilla.echo > udp 1024 (DF)
- 08:11:05 bobadilla.echo > udp 426 (DF)
11 IDS Example: UDP Flooding, January 1999
- Example of the Pepsi UDP flood.
- Sends out UDP packets as fast as possible.
- Sends UDP packets with a spoofed return address to an echo port (at Bobadilla).
- Echo returns them to the spoofed source address.
- Two systems under attack.
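Added example, not code from the slides: a small detector that reads tcpdump-style lines in the layout shown above and flags the symptom a site can act on, namely a burst of UDP datagrams leaving one of its own reflector ports (echo, chargen) inside a short window. Such a burst means the host is answering a flood and, because the requests carry a spoofed source, is being used to hit a second victim, which is the "two systems under attack" point. The sample log reuses the slide's timestamps and sizes, leaves the blanked destination out, and ends with a constructed ordinary DNS reply that must not alert; the 60-second window and the thresholds are assumptions of the example.

```python
import re
from collections import defaultdict

# Service names tcpdump prints for well-known ports; the slide's lines use "echo".
SERVICE_PORTS = {"echo": 7, "chargen": 19, "domain": 53}

# Constructed sample log in the layout the slide shows. The slide blanks the
# destination of each datagram, so these lines leave it out too; the last line is
# a constructed, ordinary DNS reply that must not raise an alert.
SAMPLE_LOG = """\
08:10:10 bobadilla.echo > udp 1024 (DF)
08:10:10 bobadilla.echo > udp 426 (DF)
08:10:17 bobadilla.echo > udp 1024 (DF)
08:10:17 bobadilla.echo > udp 426 (DF)
08:10:22 bobadilla.echo > udp 1024 (DF)
08:10:22 bobadilla.echo > udp 426 (DF)
08:10:28 bobadilla.echo > udp 1024 (DF)
08:10:28 bobadilla.echo > udp 426 (DF)
08:10:35 bobadilla.echo > udp 1024 (DF)
08:10:35 bobadilla.echo > udp 426 (DF)
08:10:49 bobadilla.echo > udp 1024 (DF)
08:10:49 bobadilla.echo > udp 426 (DF)
08:11:05 bobadilla.echo > udp 1024 (DF)
08:11:05 bobadilla.echo > udp 426 (DF)
08:11:06 ns1.domain > client.34567: udp 120
"""

# "HH:MM:SS src.port > [dst.port: ]proto length"; the destination part is optional
# because the slide omits it.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<src>\S+)\.(?P<sport>\S+) > "
    r"(?:(?P<dst>\S+)\.(?P<dport>\S+): )?(?P<proto>udp|tcp) (?P<length>\d+)"
)


def to_port(text):
    """Map a tcpdump service name or numeric port to an int (-1 for an unknown name)."""
    if text.isdigit():
        return int(text)
    return SERVICE_PORTS.get(text, -1)


def parse_line(line):
    """Return one datagram as a dict, or None for lines in another layout."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    h, mi, s = (int(x) for x in m["time"].split(":"))
    return {
        "ts": h * 3600 + mi * 60 + s,
        "src": m["src"],
        "sport": to_port(m["sport"]),
        "proto": m["proto"],
        "length": int(m["length"]),
    }


def fmt_time(seconds):
    return "%02d:%02d:%02d" % (seconds // 3600, seconds % 3600 // 60, seconds % 60)


def detect_udp_floods(log_text, window=60, max_packets=10, max_bytes=8192,
                      reflector_ports=(7, 19)):
    """Count UDP datagrams leaving a reflector port (echo, chargen) per source host
    in fixed windows; a burst above either threshold means the host is answering
    a flood and its replies are landing on whoever the spoofed source names."""
    counts = defaultdict(lambda: [0, 0])  # (src, sport, window start) -> [pkts, bytes]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["proto"] != "udp" or ev["sport"] not in reflector_ports:
            continue
        key = (ev["src"], ev["sport"], ev["ts"] // window * window)
        counts[key][0] += 1
        counts[key][1] += ev["length"]
    alerts = []
    for (src, sport, start), (pkts, nbytes) in sorted(counts.items()):
        if pkts > max_packets or nbytes > max_bytes:
            alerts.append({"src": src, "sport": sport, "window": fmt_time(start),
                           "packets": pkts, "bytes": nbytes})
    return alerts


if __name__ == "__main__":
    for a in detect_udp_floods(SAMPLE_LOG):
        print("%(window)s %(src)s port %(sport)d: %(packets)d datagrams, %(bytes)d bytes" % a)
```

Both thresholds are deliberately low so the sample trips them on the 08:10 window; in practice they come from the host's own baseline. Counting bytes as well as datagrams matters because echo returns whatever it is sent, so a few large requests move as much traffic as many small ones.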
12 IDS Example: pepsi.c found on Internet
- /*
- pepsi.c
- Random Source Host UDP flooder
- Author Soldier_at_data-t.org
- 12.25.1996
- Greets To Havok, nightmar, vira, Kage, ananda, tmw, Cheesebal, efudd,
- Capone, cphber, WebbeR, Shadowimg, robocod, napster, marl, eLLjAY, fLICK
- Toasty, shadow, magnus and silitek, oh and Data-T.
- Fuck You to Razor1911 the bigest fucking lamers in the warez comunity,
- Yakuza for ripping my code, cha0s on the undernet for trying to port
- it to win95, then ircOpers on efnet for being such cocksuckers
- especially prae for trying to call the fbi on me at least 5 times.
- all warez pups i don't know for ripping off honest programers.
- and Dianora for being a lesbian hoe, Srfag..err SrfRog for having an ego
- the size of california.
13 IDS Example: pepsi.c found on Internet
- #define FRIEND "My christmas present to the internet -Soldier"
- #define VERSION "Pepsi.c v1.6"
- #define DSTPORT 7
- #define SRCPORT 19
- #define PSIZE 1024
- #define DWAIT 1
14 IDS Example: pepsi.c found on Internet
- void usage(char *pname)
- printf("usage:\n");
- printf("%s -s src -n num -p size -d port -o port -w wait <dest>\n\n", pname);
- printf("\t-s <src> source where packets are comming from\n");
- printf("\t-n <num> number of UDP packets to send\n");
- printf("\t-p <size> Packet Size Default is 1024\n");
- printf("\t-d <port> Destination Port Default is %.2d\n", DSTPORT);
- printf("\t-o <port> Source Port Default is %.2d\n", SRCPORT);
- printf("\t-w <time> Wait time between packets Default is 1\n");
- printf("\t<dest> destination \n");
- printf("\n");
- exit(EXIT_SUCCESS);
15 IDS Example: pepsi.c found on Internet
- if (srchost && *srchost)
- ip->saddr = resolve(srchost);
- ip->daddr = dst;
- ip->version = 4;
- ip->ihl = 5;
- ip->ttl = 255;
- ip->protocol = IPPROTO_UDP;
- ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr) + psize);
- ip->check = in_cksum(ip, sizeof(struct iphdr));
- udp->source = htons(srcport);
- udp->dest = htons(dstport);
- udp->len = htons(sizeof(struct udphdr) + psize);
16 IDS Example: pepsi.c found on Internet
- if (sendto(sen, packet, sizeof(struct iphdr) + sizeof(struct udphdr) + psize, 0,
- (struct sockaddr *) &dstaddr,
- sizeof(struct sockaddr_in)) == (-1))
- puts(" Error sending Packet");
- perror("SendPacket");
- exit(EXIT_FAILURE);
17 IDS Example: pepsi.c found on Internet
- This is almost the complete code.
- Default ports are defined, but can be overwritten.
- Port 666 is used by the Doom game.
- User input allows changes from the default values.
- The packet is crafted.
- And sent.
18 IDS and Firewalls
- Firewalls perturb traffic
- The three-way handshake is disrupted.
- Firewall logs are primary evidence and are the primary method of intrusion detection.
19 IDS and Firewalls
- Firewall log
- IP packet discarded from for port 1880.
- IP packet discarded from for port 1882.
- IP packet discarded from for port 1881.
- This firewall log gives us a fact, but not enough to figure out what is happening.
- Is this TCP? UDP?
20 IDS and Firewalls
- Another log from a different vendor
- UDP packet dropped Source, 2820, WAN; Destination, 33430, LAN; Rule 33
- This entry gives us enough information: source port, destination port, protocol.
- Traceroute from outside web server.
21 IDS and Firewalls
- Yet another log
- Myhost kernel: IN=eth0 OUT= MAC=0080808098ae3e321245a0 SRC=1.1.1.1 DST=192.168.127.45 LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=31758 PROTO=UDP SPT=32789 DPT=33433
- This is another traceroute.
- Best log seen.
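Added example, not part of the slides: the three firewall entries above carry different amounts of information, and the point of the slides is that only some of them answer what an analyst needs to know (protocol, source port, destination port). The code below normalizes each vendor's layout into one record, reports which of those fields an entry lacks, and applies a simple traceroute heuristic drawn from the two entries the slides identify as traceroutes. The parsers, the field names, the documentation addresses standing in for the blanked ones, the "Source:/Destination:" layout of the second vendor's line and the port band used by the heuristic are all assumptions of this example.

```python
import re

NEEDED = ("proto", "sport", "dport")  # what the slides say is needed to interpret an entry

# Classic UDP traceroute probes target ports from 33434 upward; the band is widened
# slightly here (an assumption for this example) so the slides' 33430 and 33433 fall in.
TRACEROUTE_PORTS = range(33400, 33535)

# Constructed lines in the three layouts the slides show. The slides blank the
# addresses in the first two; 203.0.113.9 and 198.51.100.20 are documentation
# addresses used as stand-ins, and the "Source:"/"Destination:" layout of the
# second vendor's line is assumed.
VENDOR_A = "IP packet discarded from 203.0.113.9 for port 1880."
VENDOR_B = ("UDP packet dropped Source:203.0.113.9, 2820, WAN "
            "Destination:198.51.100.20, 33430, LAN - Rule 33")
IPTABLES = ("Myhost kernel: IN=eth0 OUT= MAC=0080808098ae3e321245a0 SRC=1.1.1.1 "
            "DST=192.168.127.45 LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=31758 "
            "PROTO=UDP SPT=32789 DPT=33433")


def empty():
    return {"proto": None, "src": None, "sport": None, "dst": None, "dport": None, "ttl": None}


def parse_vendor_a(line):
    """First vendor: only a (blanked) source and a destination port; no protocol."""
    m = re.match(r"IP packet discarded from (\S+) for port (\d+)", line)
    if not m:
        return None
    rec = empty()
    rec.update(src=m.group(1), dport=int(m.group(2)))
    return rec


def parse_vendor_b(line):
    """Second vendor: protocol, both ports, zones and the rule that fired."""
    m = re.match(r"(\w+) packet dropped Source:(\S+), (\d+), \w+ "
                 r"Destination:(\S+), (\d+), \w+ - Rule (\d+)", line)
    if not m:
        return None
    rec = empty()
    rec.update(proto=m.group(1).upper(), src=m.group(2), sport=int(m.group(3)),
               dst=m.group(4), dport=int(m.group(5)), rule=int(m.group(6)))
    return rec


def parse_iptables(line):
    """Netfilter-style KEY=VALUE line: everything, including the TTL."""
    kv = dict(re.findall(r"(\w+)=(\S*)", line))
    if "PROTO" not in kv or "SRC" not in kv:
        return None
    rec = empty()
    rec.update(proto=kv["PROTO"], src=kv["SRC"], dst=kv.get("DST"),
               sport=int(kv["SPT"]) if kv.get("SPT") else None,
               dport=int(kv["DPT"]) if kv.get("DPT") else None,
               ttl=int(kv["TTL"]) if kv.get("TTL") else None)
    return rec


PARSERS = (parse_iptables, parse_vendor_b, parse_vendor_a)


def normalize(line):
    """Try each vendor layout in turn; return a common record or None."""
    for parser in PARSERS:
        rec = parser(line)
        if rec is not None:
            rec["raw"] = line
            return rec
    return None


def missing_fields(rec):
    """Which of the fields the slides call for does this entry not carry?"""
    return [f for f in NEEDED if rec[f] is None]


def looks_like_traceroute(rec):
    """Heuristic from the slides' two traceroute entries: a UDP probe whose TTL has
    run down to 1 at the firewall, or one aimed at the traceroute port band."""
    if rec["proto"] != "UDP":
        return False
    ttl_expired = rec["ttl"] is not None and rec["ttl"] <= 1
    probe_port = rec["dport"] in TRACEROUTE_PORTS
    return ttl_expired or probe_port


if __name__ == "__main__":
    for line in (VENDOR_A, VENDOR_B, IPTABLES):
        rec = normalize(line)
        print(missing_fields(rec), looks_like_traceroute(rec), rec["raw"][:40])
```

The first vendor's entry normalizes but comes back with proto and sport missing, which is exactly why the slide could not say whether it was TCP or UDP; the netfilter-style entry supplies every field, including the TTL of 1 that marks a probe expiring at the firewall, which is why it is the best log of the three.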
22 IDS and Signatures
- Signature types
- Header-based: inspect the packet header
- Pattern-matching: match for a content string
- Atomic: match in a single packet
- Stateful: match on reassembled packets
- Protocol-based: inspect based on the RFC
- Heuristic-based: inspect based on statistics
- Anomaly-based
23 IDS and Signatures
- Header-based
- Destination port TCP 139 and Out of Band
- tcpdump 'dst port 139 and tcp[13] & 0x20 != 0 and tcp[18] != 0'
- Detects the old WinNuke attack.
- WinNuke packets go to NetBIOS ports such as 139, have the urgent flag set, and have a non-zero urgent pointer value.
24 IDS and Signatures
- Pattern-matching: looking for the tsig overflow attempt.
- alert udp $External_Net any -> $Home_Net 53 \
- (msg:"Exploit named tsig overflow attempt"; \
- content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh";)
- Snort rule looking for a pattern for a BIND transaction signature (tsig) code.
- Looks for a specific byte code sent to UDP destination port 53.
25 IDS and Signatures
- Heuristic-based
- Look for large ICMP packets
- alert icmp any -> $HOME_NET (msg:"Large ICMP packet"; dsize:>800;)
- Such large ICMP packets are unusual.
26 IDS and Signatures
- Encryption
- Back Orifice uses a simple encryption scheme to protect its packet payload.
- All BO packets start with !QWTY?
- Barbwire uses Blowfish encryption.
- Challenge for string searches.
27 IDS and Signatures
- Fragmentation
- Allows attack strings to be hidden.
- Stateful analysis is more cumbersome.
- Too generic
- Superscan
- 4500 0024 c5eb 0000 6f01 a144 4201 f789
- c08a 6b42 0800 fc46 0200 f9b8 0000 0000
- 0000 0000 0000 0000 0000 0000 0000
- alert icmp !$HOME_NET any -> $HOME_NET any (msg:"Superscan echo"; content:"00000000000000000000"; itype:8; dsize:8;)
- Too many matches.
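Added example, not from the slides: the four rules on the signature slides above (the WinNuke header filter, the tsig content match, the large-ICMP heuristic and the over-generic Superscan echo rule) written as checks over raw layer-4 bytes, so the offsets in the tcpdump filter can be read against the actual header layout. The packets, the header builders and the rule names are constructed for the example; the content bytes, ports and size thresholds are the ones on the slides.

```python
import struct

# Content bytes from the slide's Snort rule for the BIND tsig overflow.
TSIG_PATTERN = bytes.fromhex("80 00 07 00 00 00 00 00 01 3F 00 01 02") + b"/bin/sh"

URG = 0x20   # bit in tcp[13] for the urgent flag
PSH = 0x08
ACK = 0x10


def tcp_header(sport, dport, flags, urg_ptr=0):
    """Minimal 20-byte TCP header (data offset 5, no options).
    Byte 13 carries the flags, bytes 18-19 the 16-bit urgent pointer."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, urg_ptr)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def icmp_header(itype, code=0):
    return struct.pack("!BBHHH", itype, code, 0, 1, 1)


def packet(name, proto, l4, payload=b""):
    return {"name": name, "proto": proto, "l4": l4, "payload": payload}


def dport_of(l4):
    return struct.unpack("!H", l4[2:4])[0]


def rule_winnuke_slide(pkt):
    """Header-based, exactly as the slide's filter: dst port 139, tcp[13] & 0x20 != 0, tcp[18] != 0."""
    if pkt["proto"] != "tcp":
        return False
    tcp = pkt["l4"]
    return dport_of(tcp) == 139 and tcp[13] & URG != 0 and tcp[18] != 0


def rule_winnuke_full(pkt):
    """Same check, but on the whole urgent pointer (tcp[18:2] != 0)."""
    if pkt["proto"] != "tcp":
        return False
    tcp = pkt["l4"]
    urg_ptr = struct.unpack("!H", tcp[18:20])[0]
    return dport_of(tcp) == 139 and tcp[13] & URG != 0 and urg_ptr != 0


def rule_tsig_overflow(pkt):
    """Pattern-matching: UDP to port 53 carrying the tsig content bytes."""
    return pkt["proto"] == "udp" and dport_of(pkt["l4"]) == 53 and TSIG_PATTERN in pkt["payload"]


def rule_large_icmp(pkt):
    """Heuristic: dsize > 800 on any ICMP packet."""
    return pkt["proto"] == "icmp" and len(pkt["payload"]) > 800


def rule_superscan_echo(pkt):
    """The 'too generic' rule: echo request (itype 8) whose 8-byte payload is all zeros."""
    return pkt["proto"] == "icmp" and pkt["l4"][0] == 8 and pkt["payload"] == bytes(8)


RULES = {
    "winnuke_slide": rule_winnuke_slide,
    "winnuke_full": rule_winnuke_full,
    "tsig_overflow": rule_tsig_overflow,
    "large_icmp": rule_large_icmp,
    "superscan_echo": rule_superscan_echo,
}

# Constructed test packets; none of these are captures.
SAMPLE_PACKETS = [
    packet("winnuke-oob", "tcp", tcp_header(40000, 139, PSH | ACK | URG, urg_ptr=0x0100), b"X"),
    packet("winnuke-small-urg", "tcp", tcp_header(40000, 139, PSH | ACK | URG, urg_ptr=3), b"X"),
    packet("smb-normal", "tcp", tcp_header(40001, 139, PSH | ACK), b"\x00\x00\x00\x2f"),
    packet("tsig", "udp", udp_header(1025, 53, 72), bytes(12) + TSIG_PATTERN + bytes(40)),
    packet("dns-normal", "udp", udp_header(1026, 53, 29), b"\x12\x34\x01\x00\x00\x01" + bytes(23)),
    packet("big-ping", "icmp", icmp_header(8), bytes(1000)),
    packet("zero-ping", "icmp", icmp_header(8), bytes(8)),   # an ordinary small echo request
]


def run_rules(packets):
    """Return {packet name: [names of the rules that fired]}, in rule order."""
    return {p["name"]: [name for name, fn in RULES.items() if fn(p)] for p in packets}


if __name__ == "__main__":
    for name, fired in run_rules(SAMPLE_PACKETS).items():
        print("%-18s %s" % (name, ", ".join(fired) or "-"))
```

Two things the run shows. tcp[18] is only the high byte of the 16-bit urgent pointer, so the slide's filter as written misses a packet whose urgent pointer is below 256 (the "winnuke-small-urg" case); tcpdump's `tcp[18:2] != 0` tests the full field. And the Superscan rule fires on any small echo request with a zero payload, which is the "too many matches" problem: a signature that describes the tool no better than it describes ordinary traffic is a false-positive generator.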
28 Traffic Analysis
- Look for crafted packets
- Cheops uses TCP with both the SYN and FIN flags set. This is impossible in normal TCP.
- Basic traffic characteristics
- To, from, date, time
- Information on source host
- Weight or severity
- Size, service, type, class
- Tiny fragments, e.g. generated by Nmap.
- Strange TTL values
29 Traffic Analysis
- Link graphs
- A message passing from A to B generates a link between A and B.
- Links are weighted by the number of connections.
30 Traffic Analysis
- [figure]
31 Traffic Analysis
- Intellitactics NSM [figure]
32 Traffic Analysis
- Short time profile changes
- Profile statistics on connections, port spread, services, etc.
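Added example, not part of the slides, serving both the statistical anomaly detection of the IDS Operations slide and the link graph and short-time profile slides here: connection records are turned into a weighted link graph, each host gets a per-window profile (connections, port spread, peers), and the latest window is scored against the host's own earlier windows in standard deviations. The host names, the 600-second window, the z-score threshold and the records themselves are constructed assumptions of the example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

WINDOW = 600  # seconds per profile window


def build_records():
    """Constructed connection records: (timestamp seconds, source, destination, dest port).
    Six ordinary windows, then a seventh in which ws-12 touches 40 ports on file-1."""
    recs = []
    for w in range(6):
        base = w * WINDOW
        recs += [
            (base + 10, "ws-12", "web-1", 80),
            (base + 40, "ws-12", "web-1", 443),
            (base + 90, "ws-12", "mail-1", 25),
            (base + 200, "ws-7", "web-1", 80),
            (base + 300, "ws-7", "file-1", 445),
        ]
    base = 6 * WINDOW
    recs += [(base + i, "ws-12", "file-1", 1000 + i) for i in range(40)]
    recs.append((base + 200, "ws-7", "web-1", 80))
    return recs


def link_graph(records):
    """Weighted link graph: one link per (source, destination) pair, weight = connections."""
    return Counter((src, dst) for _, src, dst, _ in records)


def profiles(records, window=WINDOW):
    """Per-host, per-window profile: connection count, port spread, number of peers."""
    buckets = defaultdict(list)
    for ts, src, dst, dport in records:
        buckets[(src, ts // window)].append((dst, dport))
    return {
        key: {
            "connections": len(conns),
            "port_spread": len({p for _, p in conns}),
            "peers": len({d for d, _ in conns}),
        }
        for key, conns in buckets.items()
    }


def zscore(value, baseline, min_sd=1.0):
    """Deviation of value from the baseline in standard deviations; the floor on the
    standard deviation keeps a perfectly steady baseline from producing infinite scores."""
    return (value - mean(baseline)) / max(pstdev(baseline), min_sd)


def detect_profile_changes(records, window=WINDOW, threshold=3.0, min_baseline=3):
    """Compare each host's latest window against its earlier windows and report the
    metrics that moved more than `threshold` standard deviations."""
    prof = profiles(records, window)
    by_host = defaultdict(dict)
    for (host, idx), stats in prof.items():
        by_host[host][idx] = stats
    alerts = []
    for host, windows in by_host.items():
        idxs = sorted(windows)
        latest, earlier = idxs[-1], idxs[:-1]
        if len(earlier) < min_baseline:
            continue  # not enough history to say what "normal" is for this host
        for metric in ("connections", "port_spread", "peers"):
            baseline = [windows[i][metric] for i in earlier]
            z = zscore(windows[latest][metric], baseline)
            if abs(z) > threshold:
                alerts.append({"host": host, "window": latest, "metric": metric,
                               "value": windows[latest][metric],
                               "baseline_mean": mean(baseline), "z": round(z, 2)})
    return alerts


if __name__ == "__main__":
    recs = build_records()
    for (src, dst), weight in link_graph(recs).most_common():
        print("%s -> %s: %d" % (src, dst, weight))
    for a in detect_profile_changes(recs):
        print(a)
```

"Normal" here is each host's own history rather than a fixed number, which is the only workable answer to the earlier question of what normal traffic is; a host with fewer than min_baseline windows of history is skipped rather than scored against nothing. The floor on the standard deviation handles the edge case of a perfectly regular baseline, where a naive z-score would divide by zero and flag every change, however small.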