Network Intrusion Detection - PowerPoint PPT Presentation

About This Presentation
Slides: 27
Provided by: Dep53

Transcript and Presenter's Notes

Title: Network Intrusion Detection


1
Network Intrusion Detection
  • Bill Eaheart
  • Network Security Coordinator
  • DePaul University

2
What is Intrusion Detection?
  • The art and science of sensing when a system or
    network is being used inappropriately or without
    authorization. An intrusion-detection system
    (IDS) monitors system and network resources and
    activities and, using information gathered from
    these sources, notifies the authorities when it
    identifies a possible intrusion.

3
Why use Intrusion Detection?
  • Provides an extra layer of protection
  • Defense in Depth
  • Protect Data and Networks
  • Ensure system integrity
  • New vulnerabilities and exploits are found
    regularly

4
What types of Intrusion Detection?
  • Host-Based Detection
    • Installed on a single host
    • Checks for modified files
    • Log scanners
      • Swatch
      • LogSurfer
      • LogSentry
    • Integrity checkers
      • Tripwire
      • AIDE (Advanced Intrusion Detection Environment)
      • FCheck
  • Network-Based Detection
    • Collects and analyzes all traffic on a network
    • Rule-based analysis
    • Flags suspicious traffic

5
Advantages and Disadvantages
  • Yeah!
    • Relatively easy to deploy
    • Statistics on probes and attacks
    • Detection and watching capability for low- to
      moderately-skilled intruders
    • Works out-of-the-box for well-known
      vulnerabilities
    • Snort has over 1900 signatures
  • Boo!
    • New vulnerabilities cannot be detected
    • False positives / negatives
    • Maintenance / monitoring
    • Can be bypassed

6
How are intrusions detected?
  • Signature-based detection
    • Activity matches a predefined string
    • Effective against known attacks
    • Must be updated constantly
  • Anomaly-based detection
    • Identifies unusual traffic behavior (anomalies)
    • Some signature-based IDSes include limited
      instances of anomaly detection, but few rely
      solely on this technology.

7
What about Network Intrusion Prevention?
  • Inspects traffic directly
  • Detects, intercepts and stops attacks before they
    occur
  • Danger, Will Robinson! Danger!
    • Could stop legitimate traffic
    • False positives can cause headaches
    • Network latency
    • Single point of failure

8
Where do I put IDS systems on my network?
  • Network hosts
  • Network perimeter
  • Production Environments
  • LAN subnets

9
IDS: Not the only part
  • First step: system security
  • Policies and standards
  • Offers another layer of protection
  • Will not substitute for other elements of an
    information security plan

10
QUIZ TIME
  • In computer security, this describes a
    non-technical kind of intrusion that relies
    heavily on human interaction. It often involves
    tricking people into breaking their own security
    procedures.
    • a. cyberterrorism
    • b. debugging
    • c. hijacking
    • d. nonrepudiation
    • e. social engineering
  • A properly configured firewall will provide
    complete information security from external
    attacks.
    • True or False?

11
Introduction to Snort
  • www.snort.org

12
What is Snort?
  • Network Intrusion Detection System
  • Developed by Martin Roesch in 1998
  • Current version: Snort 1.9.0

13
Why use it?
  • IT'S FREE!!
  • GPL / open source software
  • Other products available:
    • Dragon

14
What does it run on?
  • Linux
  • BSDs
  • Solaris
  • Win98/XP/NT/2000

15
How does it work?
  • Configuration file: /etc/snort.conf
    • Here you tell it which networks to protect
    • What servers to ignore traffic from
    • What options you want loaded
    • Rules
    • How to log the alerts

16
/etc/snort.conf Setup
  • Set the network variables for your network
    • var HOME_NET 192.168.0.0/16
    • var EXTERNAL_NET !192.168.0.0/16
    • var DNS_SERVERS $HOME_NET
    • var RULE_PATH ./rules
  • Configure preprocessors
    • Portscan detection
    • IP defragmentation
    • TCP stream assembly
  • Configure output plugins
    • alert_syslog
    • database
  • Customize your rule set
    • local.rules

17
Understanding Snort Rules
  • Simple format
  • Each rule has two parts
    • Rule header
    • Rule options
  • The rule header is required but rule options are not

18
Snort Rules cont.
  • Rule Header
    • Defines who is involved
    • Action: alert, log, pass
    • Protocol: tcp, udp, icmp, ip
    • Source and destination IP addresses
    • Source and destination ports
    • Direction of traffic
  • alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 !21

19
Snort Rules cont.
  • Rule Options
    • Define what is involved
    • What packet attributes should be inspected
  • Syntax
    • (flags:SF; msg:"SYN-FIN scan";)
  • Options (not a complete list)
    • TCP flags
    • IP TOS
    • IP TTL
    • IP ID
    • IP protocol
    • IP options
    • ICMP type
    • Payload content

20
Examples of Rules
  • FTP rule
    • alert tcp $EXTERNAL_NET any -> $HOME_NET 21
      (msg:"FTP EXPLOIT STAT dos attempt";
      flow:to_server,established; content:"STAT ";
      nocase; content:""; reference:bugtraq,4482;
      classtype:attempted-dos; sid:1777; rev:1;)
  • DNS rule
    • alert udp $EXTERNAL_NET 53 -> $HOME_NET any
      (msg:"DNS SPOOF query response PTR with TTL\: 1
      min. and no authority";
      content:"|85 80 00 01 00 01 00 00 00 00|";
      content:"|c0 0c 00 0c 00 01 00 00 00 3c 00 0f|";
      classtype:bad-unknown; sid:253; rev:2;)
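
As an added example (not from the slides or from Snort itself), this Python resolves the slide 16 variables and splits a rule into the header fields and options described on slides 17 to 19, rejecting any header whose action, protocol or direction is not one the slides list. The "$", ":" and ";" characters are Snort syntax the transcript lost; the "<>" bidirectional direction is Snort's own and is accepted next to "->".

```python
import re

# Snort variables as on slide 16 ("$" prefixes restored) and the slide 20 FTP
# rule; both are the slides' own values, re-punctuated, not new data.
SNORT_CONF = """
var HOME_NET 192.168.0.0/16
var EXTERNAL_NET !192.168.0.0/16
var DNS_SERVERS $HOME_NET
"""
FTP_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 '
            '(msg:"FTP EXPLOIT STAT dos attempt"; flow:to_server,established; '
            'content:"STAT "; nocase; classtype:attempted-dos; sid:1777; rev:1;)')

ACTIONS = {"alert", "log", "pass"}          # slide 18
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}    # slide 18
DIRECTIONS = {"->", "<>"}                   # "<>" is Snort's bidirectional form
# one option: keyword, optional ":value" (quoted values may contain ';'), then ';'
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def expand(token, variables):
    """Replace a $NAME reference, keeping a leading '!' negation."""
    negated = token.startswith("!")
    body = token.lstrip("!")
    if body.startswith("$"):
        body = variables[body[1:]]          # undefined variable: KeyError (Snort refuses it too)
    if negated and body.startswith("!"):    # !$EXTERNAL_NET is just HOME_NET
        return body[1:]
    return ("!" if negated else "") + body

def load_vars(conf):
    variables = {}
    for name, value in re.findall(r"^\s*var\s+(\w+)\s+(\S+)", conf, re.M):
        variables[name] = expand(value, variables)   # a var may reference an earlier one
    return variables

def parse_rule(rule, variables):
    """Split 'action proto src sport dir dst dport (options)' into a dict."""
    header, _, options = rule.partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError("rule header needs 7 fields: " + header.strip())
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS or proto not in PROTOCOLS or direction not in DIRECTIONS:
        raise ValueError("unknown action, protocol or direction: " + header.strip())
    parsed = {"action": action, "proto": proto, "src": expand(src, variables),
              "sport": sport, "direction": direction, "dst": expand(dst, variables),
              "dport": dport, "options": []}
    for key, value in OPTION_RE.findall(options.rsplit(")", 1)[0]):
        parsed["options"].append((key, value.strip('"') if value else None))
    return parsed
```

Calling `parse_rule(FTP_RULE, load_vars(SNORT_CONF))` gives the resolved source `!192.168.0.0/16`, destination `192.168.0.0/16`, port `21` and the option list with `nocase` carrying no value.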

21
What do the logs look like?
  • Alert Logs
    • 100 mssql-030125-1
    • Priority: 0
    • 02/19-22:03:50.209431 140.192.198.40:1058 ->
      26.40.206.155:1434
    • UDP TTL:127 TOS:0x0 ID:27377 IpLen:20 DgmLen:404
    • Len: 384
    • 100 mssql-030125-1
    • Priority: 0
    • 02/19-22:03:50.220920 140.192.198.40:1058 ->
      202.250.124.244:1434
    • UDP TTL:127 TOS:0x0 ID:27553 IpLen:20 DgmLen:404
    • Len: 384

22
ACID Console
23
What do the logs look like?
  • Port scan Logs
    • Feb 19 22:03:45 209.193.65.48:4270 ->
      140.192.176.149:139 SYN S
    • Feb 19 22:03:47 209.193.65.48:4806 ->
      140.192.176.170:139 SYN S
    • Feb 19 22:03:47 209.193.65.48:4335 ->
      140.192.176.152:139 SYN S
    • Feb 19 22:03:45 200.81.6.78:44123 ->
      140.192.184.167:2347 INVALIDACK APRF

24
Portscan Reports
  • Thu Feb 20 07:43:59 CST 2003
  • Number of scans: 5543
  • Top source IPs (% of scans, count, source IP)
    • 8.26 458 12.104.249.244
    • 7.87 436 12.37.37.3
    • 6.78 376 204.181.201.224
  • Top destination IPs (% of scans, count, destination IP)
    • 0.29 16 140.192.180.213
    • 0.29 16 140.192.180.181
    • 0.27 15 140.192.177.246
  • Destination ports (count, port)
    • 5439 139
    • 42 80
    • 17 6346
    • 10 1582
    • 4 1080
  • Number of scans: 5543
  • Number of sources: 71
  • Number of destinations: 1222
  • Number of unique source ports: 3406
  • Number of unique destination ports: 24

25
How does it help us?
  • Detecting portscans
    • Incoming
    • Outgoing
  • Compromised hosts
    • FTP servers listening on ports other than 21
    • Configure local rules
  • Network flows
    • argus
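
The following Python is added here and is not part of the slides: it parses portscan log lines in the slide 23 format (with the ":" and "->" the transcript dropped restored, and an 8-character flag field assumed), computes the counts the slide 24 report lists, and picks out sources that touched several distinct hosts, the incoming/outgoing portscan case of slide 25. The sample lines are constructed from the slide's own entries.

```python
import re
from collections import Counter

# Portscan log lines in the slide 23 format, constructed from the slide's own
# entries with ':' and '->' restored; the 8-character flag field is assumed.
PORTSCAN_LOG = """\
Feb 19 22:03:45 209.193.65.48:4270 -> 140.192.176.149:139 SYN ******S*
Feb 19 22:03:47 209.193.65.48:4806 -> 140.192.176.170:139 SYN ******S*
Feb 19 22:03:47 209.193.65.48:4335 -> 140.192.176.152:139 SYN ******S*
Feb 19 22:03:45 200.81.6.78:44123 -> 140.192.184.167:2347 INVALIDACK ***A*R*F
"""
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ([\d.]+):(\d+) -> ([\d.]+):(\d+) (\S+)(?: (\S+))?$")

def parse_portscan_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, sport, dst, dport, kind, flags = m.groups()
            yield {"time": ts, "src": src, "sport": int(sport), "dst": dst,
                   "dport": int(dport), "kind": kind, "flags": flags}

def portscan_report(entries, top=3):
    """Counts in the shape of the slide 24 report: totals, then top sources/ports."""
    entries = list(entries)
    total = len(entries)
    by_src = Counter(e["src"] for e in entries)
    by_dport = Counter(e["dport"] for e in entries)
    share = lambda n: round(100.0 * n / total, 2) if total else 0.0
    return {
        "scans": total,
        "sources": len(by_src),
        "destinations": len({e["dst"] for e in entries}),
        "unique_sport": len({e["sport"] for e in entries}),
        "unique_dport": len(by_dport),
        # (% of scans, count, IP): the columns of the "Total Source IP" section
        "top_sources": [(share(n), n, ip) for ip, n in by_src.most_common(top)],
        # (count, port): the columns of the "Destination Ports" section
        "top_dports": [(n, port) for port, n in by_dport.most_common(top)],
    }

def scanning_sources(entries, min_targets=3):
    """Sources that touched at least min_targets distinct hosts, the classic portscan signal."""
    targets = {}
    for e in entries:
        targets.setdefault(e["src"], set()).add(e["dst"])
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_targets)
```

On the four sample lines the report counts 4 scans from 2 sources against 4 destinations, port 139 on top, and `scanning_sources` returns only the host that swept three NetBIOS targets.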

26
The End!
  • Thank you
  • Any questions?