IDS: Intrusion Detection System - PowerPoint PPT Presentation

Title: IDS: Intrusion Detection System
Slides: 36
Learn more at: http://cs.uccs.edu

Transcript and Presenter's Notes
1
IDS: Intrusion Detection System
C. Edward Chow
2
Outline of The Talk
  • Definition, Concepts
  • Network Intrusion Detection: Snort
  • A2D2 (Integrating NIDS with Firewall)
  • Host Intrusion Detection: Tripwire
  • References
    • Chapter 25 Intrusion Detection, by Matt Bishop.
    • Chapter 7 Network Intrusion Detection, Inside Network Perimeter Security, by Northcutt et al. (reserved in UCCS Library)
    • NIST IDS Survey: http://cs.uccs.edu/chow/pub/ids/NISTsp800-31.pdf
    • A2D2: http://cs.uccs.edu/chow/pub/master/acearns/doc/
    • http://cs.uccs.edu/chow/pub/ids/2001_vigna_kemmerer_blix_raid01.pdf
    • Snort: http://www.snort.org/
    • Tripwire: http://www.tripwire.org/

3
Architecture of IDS
  • HIDS: Host Intrusion Detection System
  • NIDS: Network Intrusion Detection System
  • Components shown in the diagram: (logger), Director (Analyzer), Notifier
4
HIDS vs. NIDS
  • Two Basic Types of IDS
  • Host-based IDS
    • Periodically analyze logs, perform file system integrity checks.
    • Examples
      • Generic: ISS RealSecure Server Sensor
      • Check host file system: Tripwire, AIDE
      • Check host network connections: BlackICE, PortSentry
      • Check host log files: LogSentry, Swatch
  • Network-based IDS
    • Analyze network traffic content and patterns for signs of intrusion
    • Examples
      • Snort, Cisco IDS 4235

5
IDS Placement
6
Snort
  • A popular open-source (GPL) network intrusion detection package, available from www.snort.org.
  • It lets the user specify a set of rules, each of which describes a pattern to look for in packets and the action to take (typically just an alert message) when a packet matches.
  • It also lets the user write plug-ins for detection that the default pattern matching cannot express. Subnet flooding, for example, cannot be caught by a per-packet rule; detecting it requires a preprocessing (preprocessor) plug-in.
  • It is used by many other packages and products.
  • The snort download site gives installation steps for integrating snort with mysql, apache, webmin and ACID, for easy web-based access to and display of intrusion instances, statistics, and related intrusion event databases such as CVE and arachNIDS.
  • See http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf for more details.

7
Snort-based IDS Setup Example (from Steven Scott's tutorial)
8
Basic Snort Usage
  • Snort has three main modes
  • Sniffer mode: read packets and display them on the console.
    • E.g., > snort -dev
    • -v verbose, -d dump application-layer data, -e display the link-layer (Ethernet) headers
  • Packet Logger mode: read packets and log them to disk.
    • E.g., > snort -dev -l ./log -h 192.168.1.0/24
    • -l log directory, -h home network: only log packets relative to this network
  • NIDS mode: analyze packets, match them against user-defined rules, and perform the rule actions.
    • E.g., > snort -dev -l ./log -c snort.conf
    • Adding -D runs snort as a daemon.
    • -A fast|full|unsock|none selects the alert mode.
    • -b logs in binary (tcpdump) format, which is faster. Use -r snort.log to read the log back for offline analysis.
    • -o changes the normal (alert -> pass -> log) rule processing order to (pass -> alert -> log).
    • SMB alerting uses smbclient to send WinPopup alert messages to Windows machines.
    • -O obfuscates the IP addresses in the log files, for hiding IP addresses when sharing the logs with others.

9
/etc/snort/snort.conf
  • Snort reads the snort.conf file for the default variables, additional pre/post-processing plug-ins (if any), the output specification (to a mysql database, for example), and a set of rule files. For example, http://cs.uccs.edu/chow/pub/snort/snort.conf
  • output database: log, mysql, user=snort password=xxxx dbname=snort host=localhost
  • include bad-traffic.rules
  • include exploit.rules
  • include scan.rules
  • include finger.rules
  • include ftp.rules
  • include telnet.rules
  • include rpc.rules
  • include rservices.rules
  • include dos.rules
  • include ddos.rules
  • include dns.rules

10
Snort Rule Syntax
  • Most rules are written on a single line. A rule that spans multiple lines ends each continued line with \
  • Each snort rule has two logical sections: the rule header and the rule options.
    • alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht agent->handler (skillz)"; content:"skillz"; itype:0; icmp_id:6666; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:2;)
    • alert tcp any any -> 192.168.1.0/24 any (flags:A; ack:0; msg:"NMAP TCP ping";)   (nmap sends a TCP ACK packet with the ack field set to 0)
    • alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)
  • The rule header contains the action, protocol, source (IP address/port), direction, and destination (IP address/port).
  • The rule options contain the alert message and information on which parts of the packet are to be inspected.
  • -> and <> are the only two direction operators.

11
Snort Rule Syntax
  • var <name> <value>
    • var EXTERNAL_NET [128.198.160.0/19,128.198.61.0/26]
    • var HOME_LAN [192.168.0.0/24,10.1.1.0/24]
    • var NON_WIRELESS !128.198.61.128/25   (use ! as the negation operator, to specify the CIDR addresses not within a range)
  • Use $<variable> to reference them later.
    • alert tcp $EXTERNAL_NET any -> $HOME_LAN any (flags:S; msg:"SYN packet";)
  • Rule Actions
    • alert
    • log
    • pass (ignore the packet)
    • activate: alert, then turn on another dynamic rule (being phased out)
    • dynamic: remain idle until activated by an activate rule, then act as a log rule.
  • You can also define your own rule types, then use them as rule actions:
    ruletype redalert
    {
        type alert
        output alert_syslog: LOG_AUTH LOG_ALERT
        output database: log, mysql, user=snort dbname=snort host=localhost
    }

12
Rule option: content
content: [!] "<content string>";
  • It allows the user to set rules that search for specific content in the packet payload and trigger a response based on the data.
  • Case sensitive. Can mix text and binary.
  • Use | | to specify byte codes (hexadecimal numbers).
  • ! negates the match; nocase makes the match case-insensitive.
  • Examples
    • alert tcp any any -> 192.168.1.0/24 143 (content:"|90CB C0FF FFFF|/bin/sh"; msg:"IMAP buffer overflow!";)
    • alert tcp any any -> 192.168.1.0/24 21 (content:!"GET"; depth:3; nocase; dsize:>100; msg:"Long Non-Get FTP command!";)
  • dsize: payload size.
  • Related IMAP buffer overflow: http://www.securityfocus.com/bid/130/discussion/

13
Rule option: offset and depth
  • offset: <number>
    • Number of payload bytes to skip before pattern matching starts.
  • depth: <number>
    • Maximum number of bytes to search for the content pattern, counted from the start point (after any offset), so the pattern must end within that span.
  • alert tcp any any -> $HLAN 80 (content:"cmd.exe"; offset:3; depth:22; msg:"cmd.exe attack";)

14
Rule option: sid, flow
  • sid uniquely identifies a snort rule.
    • < 100: reserved for future use.
    • 100 - 1,000,000: rules included in the snort distribution.
    • > 1,000,000: local rules.
  • flow is used in conjunction with TCP stream reassembly.
    • Options: to_server (client request), to_client (server response), from_client, from_server, established.
    • E.g., alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)
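To make the rule grammar of slides 10 to 14 concrete, here is an added example (my code, not Snort's and not part of the original slides): a toy rule evaluator that parses rule headers with $variables, ! negation, address lists and both direction operators, joins \-continued lines, and applies the content/nocase/offset/depth, dsize, flags and ack options to constructed packets. The variable values, the four rules (copied from the slides, with some reference/classtype fields dropped), the packet addresses and payloads are all constructed; the evaluator assumes single port numbers (no port ranges), exact flag-set matching, and has no stream reassembly, so flow: is parsed and ignored.

```python
# Added example (not Snort's own code): a toy evaluator for the rule syntax shown on
# the slides. It handles the header ($VAR, !negation, [lists], single ports, -> and <>),
# "\" line continuation, and the content/nocase/offset/depth, dsize, flags and ack
# options. No stream reassembly, so "flow:" is parsed and ignored. The variables,
# rules and packets below are constructed for the demonstration.
import ipaddress, re
from collections import namedtuple
VARS = {"HOME_NET": "[192.168.1.0/24,10.1.1.0/24]", "EXTERNAL_NET": "!$HOME_NET",
        "HTTP_SERVERS": "$HOME_NET", "HTTP_PORTS": "80", "DNS_SERVERS": "10.1.1.53/32"}
Packet = namedtuple("Packet", "proto src sport dst dport payload flags ack")  # flags: "S", "A", "PA", ...

def spec_match(spec, value, leaf):
    """Grammar shared by address and port specs: any, $VAR, !negation, [a,b,...] or a leaf value."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec[0] == "!":
        return not spec_match(spec[1:], value, leaf)
    if spec[0] == "$":
        return spec_match(VARS[spec[1:]], value, leaf)
    if spec[0] == "[":
        return any(spec_match(s, value, leaf) for s in spec[1:-1].split(","))
    return leaf(spec, value)

cidr_leaf = lambda spec, ip: ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
port_leaf = lambda spec, port: int(spec) == port
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')   # key[:value];

def content_bytes(text):
    """content string: literal text with |hex byte| segments, e.g. "|00 00 FC|"."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1")
                    for i, p in enumerate(text.split("|")))

def parse_rules(text):
    rules = []
    for line in filter(str.strip, text.replace("\\\n", " ").splitlines()):  # join "\"-continued lines
        action, proto, src, sport, direction, dst, dport, opts = HEADER.match(line).groups()
        rule = {"action": action, "proto": proto, "src": src, "sport": sport,
                "dir": direction, "dst": dst, "dport": dport, "contents": []}
        for key, val in OPTION.findall(opts):
            if key == "content":                              # content:[!]"..."; opens a new match
                rule["contents"].append({"pat": content_bytes(val.lstrip("!").strip('"')),
                                         "neg": val.startswith("!"), "nocase": False,
                                         "offset": 0, "depth": None})
            elif key in ("nocase", "offset", "depth"):        # modifiers bind to the last content
                rule["contents"][-1][key] = True if key == "nocase" else int(val)
            else:
                rule[key] = val.strip('"')
        rules.append(rule)
    return rules

def dsize_ok(spec, n):                                        # dsize:N, dsize:>N or dsize:<N
    op, num = (spec[0], int(spec[1:])) if spec[0] in "<>" else ("=", int(spec))
    return n > num if op == ">" else n < num if op == "<" else n == num

def header_ok(rule, pkt):
    def one_way(a, ap, b, bp):
        return (spec_match(rule["src"], a, cidr_leaf) and spec_match(rule["sport"], ap, port_leaf)
                and spec_match(rule["dst"], b, cidr_leaf) and spec_match(rule["dport"], bp, port_leaf))
    return rule["proto"] in (pkt.proto, "ip") and (one_way(pkt.src, pkt.sport, pkt.dst, pkt.dport)
            or (rule["dir"] == "<>" and one_way(pkt.dst, pkt.dport, pkt.src, pkt.sport)))

def rule_matches(rule, pkt):
    if (not header_ok(rule, pkt)
            or ("flags" in rule and set(rule["flags"]) != set(pkt.flags))    # exact flag set, as in Snort
            or ("ack" in rule and int(rule["ack"]) != pkt.ack)
            or ("dsize" in rule and not dsize_ok(rule["dsize"], len(pkt.payload)))):
        return False
    for c in rule["contents"]:
        data, pat = (pkt.payload.lower(), c["pat"].lower()) if c["nocase"] else (pkt.payload, c["pat"])
        window = data[c["offset"]:]                           # skip offset bytes ...
        if c["depth"] is not None:
            window = window[:c["depth"]]                      # ... then search only depth bytes
        if (pat in window) == c["neg"]:                       # a negated content must be absent
            return False
    return True

def run(rules, packets):
    """(packet index, sid, msg) for every rule a packet triggers: packets in order, then rules in order."""
    return [(i, int(r["sid"]), r["msg"]) for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]

RULES = parse_rules(r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; \
    flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; flags:A; ack:0; reference:arachnids,28; sid:628; rev:1;)
alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:14; sid:255; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC data in TCP SYN packet"; flags:S; dsize:>6; sid:526; rev:4;)
''')

# Constructed traffic. DNS_AXFR: 2-byte TCP length prefix, 12-byte DNS header, "example.com", QTYPE 252 (AXFR).
DNS_AXFR = (b"\x00\x1d\x12\x34\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
            b"\x07example\x03com\x00\x00\xfc\x00\x01")
PACKETS = [
    Packet("tcp", "65.106.21.153", 1541, "192.168.1.10", 80, b"GET /scripts/../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n", "PA", 4242),
    Packet("tcp", "203.0.113.5", 40000, "192.168.1.10", 22, b"", "A", 0),          # nmap TCP ACK ping
    Packet("tcp", "203.0.113.5", 40001, "10.1.1.53", 53, DNS_AXFR, "PA", 1),
    Packet("tcp", "203.0.113.5", 40002, "192.168.1.10", 80, b"A" * 10, "S", 0),     # payload in a SYN
    Packet("tcp", "192.168.1.5", 5000, "192.168.1.10", 80, b"GET /cmd.exe HTTP/1.0\r\n", "PA", 1),  # source inside $HOME_NET: no alert
]

if __name__ == "__main__":
    print(*run(RULES, PACKETS), sep="\n")
```

Running it alerts on the first four packets (sids 1002, 628, 255 and 526 respectively) and stays silent on the fifth, whose source is inside $HOME_NET and therefore fails the !$HOME_NET test behind $EXTERNAL_NET. The DNS packet shows why offset:14 is there: the 2-byte TCP length prefix plus the 12-byte DNS header are skipped so the |00 00 FC| match lands on the end of the query name and the AXFR type, not on zero bytes in the header.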

15
(No Transcript)
16
(No Transcript)
17
Detection Results
  • #0-(3-1)  [snort] WEB-IIS cmd.exe access  2003-04-14 21:14:00  65.106.21.153:1541 -> 128.198.161.110:80  TCP
  • C:\work\cucs\cs691\S2003> nslookup 65.106.21.153
    Server:   evans.eas.uccs.edu
    Address:  128.198.160.66
    Name:     diahost153.dia.cnc.net
    Address:  65.106.21.153

18
Detection Results
  ID         Signature                                        Timestamp            Source Address          Dest. Address         Layer 4 Proto
  #0-(4-39)  [snort] SCAN Proxy (8080) attempt                2003-04-16 19:11:51  128.198.161.110:63906   128.198.61.61:8080    TCP
  #1-(4-38)  [snort] SCAN Proxy (8080) attempt                2003-04-16 19:11:51  128.198.161.110:63905   128.198.61.61:8080    TCP
  #2-(4-37)  [cve][icat][cve][icat][snort] SNMP AgentX/tcp request  2003-04-16 19:11:49  128.198.161.110:63906   128.198.61.61:705     TCP
  #3-(4-36)  [cve][icat][cve][icat][snort] SNMP AgentX/tcp request  2003-04-16 19:11:49  128.198.161.110:63905   128.198.61.61:705     TCP
  #4-(4-35)  [url][snort] SCAN SOCKS Proxy attempt            2003-04-16 19:11:48  128.198.161.110:63906   128.198.61.61:1080    TCP
  #5-(4-34)  [url][snort] SCAN SOCKS Proxy attempt            2003-04-16 19:11:48  128.198.161.110:63905   128.198.61.61:1080    TCP
  #6-(4-33)  [cve][icat][cve][icat][snort] SNMP request tcp   2003-04-16 19:11:30  128.198.161.110:63906   128.198.61.61:161     TCP
  #7-(4-32)  [cve][icat][cve][icat][snort] SNMP request tcp   2003-04-16 19:11:29  128.198.161.110:63905   128.198.61.61:161     TCP
  #8-(4-31)  [snort] SCAN Squid Proxy attempt                 2003-04-16 19:11:27  128.198.161.110:63906   128.198.61.61:3128    TCP
  #9-(4-30)  [snort] SCAN Squid Proxy attempt                 2003-04-16 19:11:27  128.198.161.110:63905   128.198.61.61:3128    TCP
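The ACID table above lists ten separate alerts, but what an analyst wants to see is one finding: a single source walking the proxy and SNMP ports of one target inside half a minute. Here is an added example (my code, not part of the slides and not Snort's or ACID's) that does that correlation over Snort's -A fast alert format. The alert lines are constructed in that format and mirror the slide's scan; the sids that the slides do not show are placeholders in the local-rule range (> 1,000,000), and the window and port-count thresholds are assumptions to tune for the site.

```python
# Added example (not from the slides, Snort or ACID): post-processing Snort "-A fast"
# alert lines so that a burst of separate SCAN/SNMP alerts from one source becomes a
# single port-scan finding. The alert lines are constructed in the fast-alert format
# and mirror the slide's scan (one host probing proxy and SNMP ports on one target);
# sids not shown on the slides are placeholders in the local-rule range (> 1,000,000).
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_ALERTS = """\
04/16-19:11:27.000001  [**] [1:618:2] SCAN Squid Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 128.198.161.110:63905 -> 128.198.61.61:3128
04/16-19:11:29.000002  [**] [1:1000001:1] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 128.198.161.110:63905 -> 128.198.61.61:161
04/16-19:11:48.000003  [**] [1:1000002:1] SCAN SOCKS Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 128.198.161.110:63905 -> 128.198.61.61:1080
04/16-19:11:49.000004  [**] [1:1000003:1] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 128.198.161.110:63905 -> 128.198.61.61:705
04/16-19:11:51.000005  [**] [1:1000004:1] SCAN Proxy (8080) attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 128.198.161.110:63905 -> 128.198.61.61:8080
04/14-21:14:00.000006  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 65.106.21.153:1541 -> 128.198.161.110:80
"""

# fast-alert line: timestamp, [gid:sid:rev], msg, classification/priority, {proto}, src:port -> dst:port
FAST = re.compile(r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]"
                  r".*?\{(\w+)\}\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

def parse_fast(line, year=2003):
    """One fast-alert line -> dict, or None for lines that do not match (e.g. ICMP alerts, which carry no ports)."""
    m = FAST.match(line.strip())
    if not m:
        return None
    date, clock, _gid, sid, _rev, msg, proto, src, sport, dst, dport = m.groups()
    return {"ts": datetime.strptime(f"{year}/{date} {clock}", "%Y/%m/%d %H:%M:%S"), "sid": int(sid),
            "msg": msg, "proto": proto, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def find_scans(alerts, window=60, min_ports=4):
    """Flag (src, dst) pairs whose alerts touch >= min_ports distinct destination ports within window seconds."""
    by_pair = defaultdict(list)
    for a in alerts:
        by_pair[(a["src"], a["dst"])].append(a)
    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda a: a["ts"])
        for i, first in enumerate(evs):                     # window anchored at each alert in turn
            in_window = [a for a in evs[i:] if (a["ts"] - first["ts"]).total_seconds() <= window]
            ports = sorted({a["dport"] for a in in_window})
            if len(ports) >= min_ports:
                findings.append({"src": src, "dst": dst, "first": first["ts"], "ports": ports,
                                 "alerts": len(in_window), "msgs": sorted({a["msg"] for a in in_window})})
                break                                       # one finding per pair is enough
    return findings

def scan_report(text=SAMPLE_ALERTS, **kw):
    """Parse a fast-alert log and return the port-scan findings in it."""
    return find_scans([a for a in map(parse_fast, text.splitlines()) if a], **kw)

if __name__ == "__main__":
    for f in scan_report():
        print(f"{f['src']} -> {f['dst']}: {f['alerts']} alerts on ports {f['ports']} starting {f['first']}")
```

With the defaults the five scan alerts collapse into one finding for 128.198.161.110 -> 128.198.61.61 on ports 161, 705, 1080, 3128 and 8080, while the lone cmd.exe alert from 65.106.21.153 is left as an ordinary alert. Narrowing the window to 10 seconds makes the finding disappear, which is the trade-off the false positive/false negative slide describes: a tighter window means fewer spurious scan findings but a slow scanner gets through.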

19
False Positives vs False Negatives
  • False positive: something occurs that causes the IDS to incorrectly report an intrusion when none has occurred.
  • False negative: something occurs that causes the IDS to fail to report an intrusion when one has in fact occurred.
  • The accuracy of an IDS reflects the number of false positives.
  • The completeness of an IDS reflects the number of false negatives.

20
Attack Response Rules
  • Check the responses of servers for obvious patterns showing that the system has been attacked/compromised.
  • https://128.198.61.61:10000/snort/conf_rules.cgi?rule=attack-responses
  • Examples
    • alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; classtype:bad-unknown; sid:1666; rev:3;)
    • alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSE successful gobbles ssh exploit (GOBBLE)"; flow:from_server,established; content:"|2a|GOBBLE|2a|"; reference:bugtraq,5093; classtype:successful-admin; sid:1810; rev:2;)
    • http://www.securityfocus.com/bid/5093
    • alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSE successful kadmind buffer overflow attempt"; flow:established,from_server; content:"GOBBLE"; depth:8; reference:cve,CAN-2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900; rev:1;)

21
BackDoor Trojan
  • Try to detect the known ports and packet content used and generated by backdoor trojans.
  • alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; content:"|57 74 7a 75 70 20 55 73 65|"; flags:A; depth:32; reference:arachnids,312; sid:119; classtype:misc-activity; rev:3;)   (the hex bytes spell "Wtzup Use")
  • http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids312&view=research
  • https://128.198.61.61:10000/snort/conf_rules.cgi?rule=backdoor

22
DDoS Rules
  • DDoS tools with known protocol/port/content.
  • https://128.198.61.61:10000/snort/conf_rules.cgi?rule=ddos
  • alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent (ficken)"; content:"ficken"; itype:0; icmp_id:6667; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:2;)
  • alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master (PONG detected)"; content:"PONG"; reference:arachnids,187; classtype:attempted-recon; sid:223; rev:1;)

23
DNS rules
  • Zone transfer, DNS buffer overflow exploit.
  • https://128.198.61.61:10000/snort/conf_rules.cgi?rule=dns
  • alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:7;)
  • alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS EXPLOIT x86 linux overflow attempt (ADMv2)"; flow:to_server,established; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|"; classtype:attempted-admin; sid:265; rev:3;)

24
Scan rules
  • Scans of certain nodes/ports (network scan vs. port scan).
  • https://128.198.61.61:10000/snort/conf_rules.cgi?rule=scan
  • alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S; classtype:attempted-recon; sid:618; rev:2;)
  • alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id:39426; flags:SF; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)
  • alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; flags:A; ack:0; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:1;)
  • alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SolarWinds IP scan attempt"; content:"SolarWinds.Net"; itype:8; icode:0; classtype:network-scan; sid:1918; rev:3;)

25
WEB-CGI Rules
  • https://128.198.61.61:10000/snort/conf_rules.cgi?rule=web-cgi
  • alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl.exe access"; flow:to_server,established; uricontent:"/perl.exe"; nocase; reference:cve,CAN-1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; reference:arachnids,219; reference:nessus,10173; classtype:attempted-recon; sid:832; rev:8;)
  • .. (DOT DOT) attack:
    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI technote main.cgi file directory traversal attempt"; flow:to_server,established; uricontent:"/technote/main.cgi"; nocase; content:"filename"; nocase; content:"../../"; reference:cve,CVE-2001-0075; reference:bugtraq,2156; classtype:web-application-attack; sid:1051; rev:7;)

26
WEB-IIS Rules
  • https://128.198.61.61:10000/snort/conf_rules.cgi?rule=web-iis
  • alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..|c0|af../"; nocase; classtype:web-application-attack; reference:cve,CVE-2000-0884; sid:981; rev:6;)
  • alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)

27
SMTP Rules
  • SMTP has quite a few buffer overflow exploits.
  • https://128.198.61.61:10000/snort/conf_rules.cgi?rule=smtp
  • alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3a|"; nocase; content:!"|0a|"; within:800; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:7;)
  • alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3a 20 7c|/usr/ucb/tail"; nocase; reference:arachnids,122; classtype:attempted-user; sid:665; rev:4;)
  • alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From|3a|"; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"("; distance:1; content:")"; distance:1; reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:2;)

28
Bad Traffic
  • Bad packet header content
  • https://128.198.61.61:10000/snort/conf_rules.cgi?rule=bad-traffic
  • alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC data in TCP SYN packet"; flags:S; dsize:>6; reference:url,www.cert.org/incident_notes/IN-99-07.html; sid:526; classtype:misc-activity; rev:4;)
  • alert ip any any -> any any (msg:"BAD TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:3;)

29
HIDS Host-based Intrusion Detection
  • Detects and examines malicious activity (the same goal as network-based intrusion detection).
  • Optimized for monitoring individual hosts.
  • Monitors the system's network activity, file system, log files and user actions.
  • Integrating the findings of several host-based intrusion detection sensors provides a unified view of multiple systems in the network.
  • Detects escalation of privileges for a user or system account (from guest user to admin privilege).
  • A NIDS cannot usually see or interpret such actions, which take place on a host.

30
HIDS Advantages over NIDS
  • HIDS can monitor user-specific activity on the system
    • Check process listings, local log files, system calls.
    • It is difficult for a NIDS to associate packets with specific users (except when a content-switch-based NIDS is used!) and to determine whether the commands in the packets violate a specific user's access privileges.
  • A HIDS sensor can monitor encrypted traffic by tapping in at the connection endpoint, such as the endpoint of a VPN connection. (A NIDS cannot inspect encrypted IPsec/SSL payloads.)
  • HIDS can help detect attacks that evade NIDS detection. For example, an attacker can encode dangerous commands in a non-standard Unicode (%u) encoding, so a NIDS rule checking for ".ida" never sees that string: the request GET /himom.id%u0061 HTTP/1.0 is decoded on the IIS host to /himom.ida.

31
Tripwire A Host-based IDS
  • The original version was developed at Purdue University in 1992 by Dr. Eugene Spafford and Gene Kim, now CTO of Tripwire.
  • http://www.tripwire.org/downloads/index.php: open-source Linux version download. http://www.tripwire.org/qanda/faq.php
  • A commercial evaluation version, Tripwire 3.0 (with manager and server, running on both Linux and Windows), is available at http://www.tripwire.com/downloads/
  • Tripwire Manager provides a GUI and a unified interface for monitoring multiple instances of the tripwire program.
  • Can monitor the configuration of routers/switches.
  • Here is a presentation from tripwire.com.
  • The Advanced Intrusion Detection Environment (AIDE) is available at http://www.cs.tut.fi/rammer/aide.html. It is actively maintained and developed. Not available on Windows. It does not encrypt and sign the baseline database (Tripwire does).

32
(No Transcript)
33
(No Transcript)
34
File Access Permission Change
35
Example of Policy File
  • For Windows systems: http://cs.uccs.edu/cs691/tripwire/windows/Policy/twpol.txt
  • For Linux: http://cs.uccs.edu/cs691/tripwire/linux/Policy/twpol.txt
  • http://cs.uccs.edu/cs691/tripwire/windows/Documents/reference_guide.pdf, page 25.
  • Rule: object -> properties
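To show what a policy of "object -> properties" rules buys, and why slide 31 cares that the baseline database is signed, here is an added example (my code, not Tripwire's or AIDE's and not part of the original slides) of a minimal Tripwire-style integrity checker. The policy picks which properties to record per path prefix (hash, size and mode for /etc and /bin, mode only for logs that are expected to grow), the baseline is stored as JSON under an HMAC with a site key, and a re-check reports added, removed and changed objects. The directory tree, the file contents, the policy and the site key are all constructed for the demonstration; a real deployment keeps the site key off the monitored host.

```python
# Added example (not Tripwire's or AIDE's code): a minimal Tripwire-style file
# integrity checker. A policy of "object -> properties" rules selects what to record
# per file, the baseline is JSON under an HMAC with a site key (so an intruder who can
# rewrite files cannot quietly rewrite the baseline too, the gap the slide notes for
# AIDE), and a re-check reports added, removed and changed objects. The directory
# tree, policy and site key are constructed for the demonstration.
import hashlib, hmac, json, os, shutil, stat, tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

PROPS = {                                     # property name -> how it is measured
    "sha256": lambda path, st: sha256_file(path),
    "size": lambda path, st: st.st_size,
    "mode": lambda path, st: stat.S_IMODE(st.st_mode),
}

def policy_props(policy, rel):
    """Longest matching prefix rule wins: 'etc' covers etc/passwd, 'var/log' covers var/log/*."""
    hits = [k for k in policy if rel == k or rel.startswith(k + "/")]
    return policy[max(hits, key=len)] if hits else ()

def snapshot(root, policy):
    """Walk root and record, for every file the policy covers, the properties it asks for."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            props = policy_props(policy, rel)
            if props:                             # files outside the policy are not tracked
                st = os.stat(path)
                db[rel] = {p: PROPS[p](path, st) for p in props}
    return db

def seal(db, key):
    """Baseline blob = hex HMAC-SHA256 line followed by the canonical JSON body."""
    body = json.dumps(db, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").hexdigest().encode() + b"\n" + body

def unseal(blob, key):
    """Refuse to trust a baseline whose MAC does not verify under the site key."""
    mac, body = blob.split(b"\n", 1)
    if not hmac.compare_digest(mac, hmac.new(key, body, "sha256").hexdigest().encode()):
        raise ValueError("baseline integrity check failed")
    return json.loads(body)

def compare(old, new):
    """Added/removed objects, plus per-object (old, new) pairs for every property that differs."""
    report = {"added": sorted(set(new) - set(old)), "removed": sorted(set(old) - set(new)), "changed": {}}
    for rel in sorted(set(old) & set(new)):
        diff = {p: (old[rel][p], new[rel][p]) for p in old[rel] if old[rel].get(p) != new[rel].get(p)}
        if diff:
            report["changed"][rel] = diff
    return report

def write(root, rel, data, append=False):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "ab" if append else "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a small tree, let an intruder change it, re-check."""
    root, key = tempfile.mkdtemp(), b"site key (constructed; keep the real one off the host)"
    policy = {"etc": ("sha256", "size", "mode"), "bin": ("sha256", "mode"), "var/log": ("mode",)}
    try:
        for rel, data in {"etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n", "etc/motd": b"hi\n",
                          "bin/login": b"\x7fELF original", "var/log/auth.log": b"ok\n"}.items():
            write(root, rel, data)
        blob = seal(snapshot(root, policy), key)              # baseline taken while the host is clean
        write(root, "etc/passwd", b"hax:x:0:0::/:/bin/sh\n", append=True)  # extra uid-0 account
        write(root, "bin/login", b"\x7fELF trojaned")                     # replaced binary
        write(root, "etc/ld.so.preload", b"/tmp/evil.so\n")               # new file
        write(root, "var/log/auth.log", b"more lines\n", append=True)     # growth expected: only mode is checked
        os.remove(os.path.join(root, "etc/motd"))
        report = compare(unseal(blob, key), snapshot(root, policy))
        forged = seal(snapshot(root, policy), b"wrong key")    # intruder re-baselines without the site key
        try:
            unseal(forged, key)
            report["forged_baseline_rejected"] = False
        except ValueError:
            report["forged_baseline_rejected"] = True
        return report
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report flags etc/passwd (hash and size changed), bin/login (hash changed), etc/ld.so.preload as added and etc/motd as removed, while the appended log line is silent because the var/log rule only tracks mode; that is the point of per-object property lists. The forged baseline is rejected because its MAC was computed under a different key, which is the protection the slide says AIDE lacks.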