Using Argus Audit Trails to Enhance IDS Analysis
1
Using Argus Audit Trails to Enhance IDS Analysis
  • Jed Haile
  • Nitro Data Systems
  • jhaile@nitrodata.com

2
Overview
  • What is an audit trail?
  • What is Argus?
  • Overview of IP audit trails
  • Why are they useful?
  • Using audit trails to monitor your network
  • Detecting interesting network events using audit
    trails
  • Enhancing IDS analysis using audit trails

3
What is an IP Audit Trail?
  • An IP audit trail is a collection of network
    flows across some point of a network.
  • A network flow is an identifiable exchange of
    data between two endpoints on a network.
  • Flows may be delineated by normal protocol
    behaviour (a SYN replied to by an RST) or by
    timeouts.
  • Flows may be exaggerated (several real sessions
    merged into one record), since not all network
    traffic can be broken into correct sessions with
    the information available.

4
What is Argus?
  • Written by Carter Bullard as part of a DoD
    contract while he was at Carnegie Mellon's SEI
  • Runs on Unix
  • The free version is available at
    http://www.qosient.com/argus
  • A commercial version is under development by
    Qosient

5
More about Argus
  • Argus uses a client/server model
  • Data collection engine (server): monitors the
    network using libpcap and collects the traffic
    into audit trails. The engine can write the data
    to a file or to a socket.
  • Argus client: reads audit data from a file or
    from a socket. A number of clients are
    available for various purposes.

6
Argus Clients
  • ra: reads Argus data and displays it on stdout
  • ragator: aggregates flows in arbitrary fashions
  • ramon: produces RMON-style reports and tables
  • racount: counts bytes and packets
  • rasort: sorts Argus records
  • raxml: displays all fields in XML format
  • Others: ratop, ragrep, rahistogram, rasrvstats
  • Lacking: a database client!!

7
Default RA output
(endpoints are printed as address.port; the last column is the flow's
state when the record was written)

timestamp           proto  src IP                 dir  dst IP               status
17 Apr 02 09:59:16  icmp   192.172.1.26           <->  192.172.1.253        ECO
17 Apr 02 09:59:16  tcp    192.172.191.46.458     ->   207.68.162.24.80     FIN
17 Apr 02 09:59:16  icmp   192.172.1.25           <->  192.172.1.253        ECO
17 Apr 02 09:59:16  tcp    192.18.221.25.119      ->   192.172.191.61.25    FIN
17 Apr 02 09:59:16  tcp    192.172.1.6.3562       ->   209.10.33.195.80     FIN
17 Apr 02 09:59:16  tcp    192.172.1.23.5936      ->   61.200.81.153.80     EST
17 Apr 02 09:59:16  tcp    192.172.191.46.4585    ->   64.4.30.24.80        FIN
17 Apr 02 09:59:17  tcp    192.172.191.46.4990    ->   12.12.162.203.80     RST
17 Apr 02 10:00:04  tcp    192.172.191.46.240     ->   216.33.240.24.80     RST
17 Apr 02 09:59:17  tcp    142.177.221.77.177     ->   192.172.18.27.634    RST
17 Apr 02 10:00:02  icmp   192.172.1.25           ->   192.172.1.253        ECO
17 Apr 02 10:00:02  icmp   129.82.45.220          ->   192.172.1.3          ECO
17 Apr 02 10:00:02  icmp   129.82.45.220          ->   192.172.1.3          ECO
17 Apr 02 10:00:02  udp    205.158.62.41.967      ->   192.172.191.6.53     TIM
17 Apr 02 10:00:02  icmp   129.82.45.220          ->   192.172.1.3          ECO

There is still a lot of other useful data we can
capture!!
8
Data Model
  • Source IP address
  • Destination IP address
  • Source Port
  • Destination Port
  • Protocol
  • Time of first packet
  • Time of last packet
  • Packets sent
  • Bytes sent
  • Packets received
  • Bytes received
  • This set of data is surprisingly rich!

9
Why are these useful?
  • This set of data can be analyzed to find network
    sessions, or sets of sessions, that appear to be
    suspicious.
  • In the case of a compromise, the audit trails can
    be examined to find out what else might have
    happened.
  • Excellent tool for network policy monitoring.
    Makes unauthorized servers, services, or
    backdoors much easier to find.
  • Much smaller than full packet captures, so more
    can be stored for longer.
  • Well suited to statistical analysis

10
Reducing Record Counts
  • A major problem with collecting network flows is
    the extreme rate and large quantity of records
  • Fortunately network flows are readily aggregated
  • All flows with the same source and destination
    addresses and ports can be collapsed to a single
    row, with a counter

11
Portscan Detection
  • IP audit trails are an excellent tool for
    detecting network enumeration attempts.
  • Snort's spp_portscan2 uses network flows to
    detect portscans
  • To detect portscanning, simply count connections
    from external hosts to distinct hosts and ports
    on your network
  • A well defined concept of home network versus
    external network is critical
  • A portscan attempt which also correlates to an
    IDS alert, or to a session that is long or that
    moves some data, might point to a successful
    compromise
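
The following is an added example, not code from the presentation or from the Argus distribution. It parses the default ra output shown on slide 7 into the slide-8 fields that those columns actually carry (first-packet time, protocol, endpoints, ports and state; byte and packet counts are not in the default output), collapses the records into one row plus a counter as slide 10 describes, and then counts distinct (host, port) targets per outside source for the portscan check on slide 11. The first nine sample lines are records from slide 7; the seven lines from 198.51.100.7, the home network 192.172.0.0/16 and the threshold of five targets are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import NamedTuple, Optional

# Slide-7 ra lines (timestamp, proto, src, direction, dst, state).  The
# last seven lines from 198.51.100.7 are constructed to show a port sweep,
# including one retried connection to port 22.
RA_OUTPUT = """\
17 Apr 02 09:59:16 icmp 192.172.1.26 <-> 192.172.1.253 ECO
17 Apr 02 09:59:16 tcp 192.172.191.46.458 -> 207.68.162.24.80 FIN
17 Apr 02 09:59:16 tcp 192.18.221.25.119 -> 192.172.191.61.25 FIN
17 Apr 02 09:59:16 tcp 192.172.1.23.5936 -> 61.200.81.153.80 EST
17 Apr 02 09:59:17 tcp 142.177.221.77.177 -> 192.172.18.27.634 RST
17 Apr 02 10:00:02 icmp 129.82.45.220 -> 192.172.1.3 ECO
17 Apr 02 10:00:02 icmp 129.82.45.220 -> 192.172.1.3 ECO
17 Apr 02 10:00:02 udp 205.158.62.41.967 -> 192.172.191.6.53 TIM
17 Apr 02 10:00:02 icmp 129.82.45.220 -> 192.172.1.3 ECO
17 Apr 02 10:00:05 tcp 198.51.100.7.40001 -> 192.172.1.3.21 RST
17 Apr 02 10:00:05 tcp 198.51.100.7.40002 -> 192.172.1.3.22 RST
17 Apr 02 10:00:05 tcp 198.51.100.7.40003 -> 192.172.1.3.22 RST
17 Apr 02 10:00:05 tcp 198.51.100.7.40004 -> 192.172.1.3.23 RST
17 Apr 02 10:00:06 tcp 198.51.100.7.40005 -> 192.172.1.3.25 RST
17 Apr 02 10:00:06 tcp 198.51.100.7.40006 -> 192.172.1.3.80 RST
17 Apr 02 10:00:06 tcp 198.51.100.7.40007 -> 192.172.1.4.22 EST
"""

# Assumed from the slide-7 addresses; slide 11 says this boundary is critical.
HOME_NET = ipaddress.ip_network("192.172.0.0/16")


class Flow(NamedTuple):
    start: datetime
    proto: str
    src: str                 # initiator, the left-hand endpoint in ra output
    sport: Optional[int]     # None for ICMP
    direction: str
    dst: str
    dport: Optional[int]
    state: str


_LINE = re.compile(
    r"^(\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\w+)$"
)


def _endpoint(text):
    """'a.b.c.d.port' -> ('a.b.c.d', port); a bare address has no port."""
    parts = text.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return text, None


def parse_ra(text):
    flows = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue          # column headers, blank lines, unknown formats
        ts, proto, src, direction, dst, state = m.groups()
        src_ip, sport = _endpoint(src)
        dst_ip, dport = _endpoint(dst)
        flows.append(Flow(datetime.strptime(ts, "%d %b %y %H:%M:%S"),
                          proto, src_ip, sport, direction, dst_ip, dport, state))
    return flows


def aggregate(flows, keep_sport=True):
    """Slide 10: one row plus a counter per key.  keep_sport=True is the
    slide's exact key (both addresses and both ports); dropping the
    ephemeral source port collapses retries and repeated requests too."""
    counts = Counter()
    for f in flows:
        counts[(f.proto, f.src, f.sport if keep_sport else None, f.dst, f.dport)] += 1
    return counts


def is_home(ip):
    return ipaddress.ip_address(ip) in HOME_NET


def portscan_sources(flows, min_targets=5):
    """Slide 11: distinct (host, port) targets on the home network per
    outside source.  Legitimate clients touch one or two; scanners touch
    many.  The threshold is an assumption to tune per site."""
    targets = defaultdict(set)
    for f in flows:
        if not is_home(f.src) and is_home(f.dst):
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    flows = parse_ra(RA_OUTPUT)
    for key, n in aggregate(flows, keep_sport=False).most_common(3):
        print(n, key)
    print(portscan_sources(flows))
```

Two things to note when running this against real ra output: the regex only accepts the six default columns, so records produced with extra fields (ra -n, byte counts, and so on) are skipped rather than misparsed, and the home-network test is what separates a scanner from your own monitoring host pinging 192.172.1.253 on every slide-7 line.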

12
Long Sessions
  • Long sessions are common on networks
  • Due to the more stateless nature of UDP and ICMP,
    distinct network flows might be collapsed into a
    single network flow
  • Long sessions to interesting ports, or inbound to
    unexpected locations, or with IDS alerts are the
    things we want to focus on
  • Extensive correlation is critical to making the
    important long sessions stand out

13
Traffic to Nonexistent Hosts
  • Inbound traffic to a host that is known to not
    exist
  • A good way of detecting network enumeration
    attempts

14
Traffic to High Ports
  • Sessions being initiated to high ports on your
    home network should always be viewed with
    suspicion
  • There are exceptions (FTP traffic)
  • By keeping state on your network's flows you
    can eliminate many of the valid inbound high port
    connections
  • High port traffic + IDS alert: worth a close look
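
The slide's state-keeping idea, as an added example that is not part of the presentation or of Argus: walk flow records in time order, remember every FTP control session a home client opens to an outside server, and then excuse an inbound connection to a home high port only when it comes from that server's port 20 shortly after such a control session (active-mode FTP data). Everything else inbound to a high port is reported, with any IDS alert for the same endpoints attached so the "high port + IDS alert" cases surface first. The flow records, the IDS alert, the home network 192.172.0.0/16, the five-minute control-session lifetime and the 1024 boundary are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta
from typing import List, NamedTuple

HOME_NET = ipaddress.ip_network("192.172.0.0/16")   # assumed home network


class Flow(NamedTuple):
    start: datetime
    proto: str
    src: str       # initiator, as ra prints it on the left
    sport: int
    dst: str
    dport: int
    state: str


class Alert(NamedTuple):
    src: str
    dst: str
    dport: int
    signature: str


class Finding(NamedTuple):
    flow: Flow
    reason: str
    alerts: List[Alert]


def is_home(ip):
    return ipaddress.ip_address(ip) in HOME_NET


def triage_inbound_high_ports(flows, alerts, high_port=1024,
                              control_ttl=timedelta(minutes=5)):
    """Report sessions an outside host opens to a home high port, except an
    FTP data connection (server port 20) that follows a control session the
    home client itself opened to that server within control_ttl."""
    control = {}    # (home client, ftp server) -> start of last control session
    findings = []
    for f in sorted(flows, key=lambda x: x.start):
        if f.proto != "tcp":
            continue
        if is_home(f.src) and not is_home(f.dst) and f.dport == 21:
            control[(f.src, f.dst)] = f.start   # the client asked for FTP
            continue
        if is_home(f.src) or not is_home(f.dst) or f.dport < high_port:
            continue   # outbound, internal, or a service on a well-known port
        opened = control.get((f.dst, f.src))
        if f.sport == 20 and opened is not None and f.start - opened <= control_ttl:
            continue   # active-mode FTP data channel we hold state for
        if f.sport == 20:
            reason = "source port 20 without a recent FTP control session"
        else:
            reason = "unexpected inbound session to a high port"
        hits = [a for a in alerts if (a.src, a.dst, a.dport) == (f.src, f.dst, f.dport)]
        findings.append(Finding(f, reason, hits))
    return findings


def T(hhmmss):
    return datetime.strptime("2002-04-17 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed flow records (slide-8 fields) and one constructed IDS alert.
FLOWS = [
    Flow(T("10:00:00"), "tcp", "192.172.1.23", 3001, "203.0.113.5", 21, "EST"),     # client opens FTP
    Flow(T("10:00:03"), "tcp", "203.0.113.5", 20, "192.172.1.23", 3002, "FIN"),     # its data channel
    Flow(T("10:00:05"), "tcp", "192.172.1.6", 3562, "209.10.33.195", 80, "FIN"),    # ordinary outbound web
    Flow(T("10:00:10"), "tcp", "198.51.100.7", 20, "192.172.1.30", 3002, "EST"),    # port 20, no control session
    Flow(T("10:01:00"), "tcp", "198.51.100.7", 44000, "192.172.1.3", 31337, "EST"), # inbound to a high port
    Flow(T("10:06:00"), "tcp", "203.0.113.5", 20, "192.172.1.23", 3005, "EST"),     # control session too old
]
ALERTS = [Alert("198.51.100.7", "192.172.1.3", 31337, "backdoor signature (constructed)")]

if __name__ == "__main__":
    for fnd in triage_inbound_high_ports(FLOWS, ALERTS):
        print(fnd.flow.start.time(), fnd.flow.src, "->", fnd.flow.dst,
              fnd.flow.dport, fnd.reason, [a.signature for a in fnd.alerts])
```

The source-port-20 check on its own is not a whitelist: attackers set a source port of 20 precisely because filters trust it, which is why the exemption also requires a control session the home side initiated. Passive-mode FTP never produces an inbound high-port flow to the client, so it needs no exception here.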

15
High Connection Rate
  • High connection rates could point to DoS
    attempts, port scanning, autorooters, P2P
    activity, worm activity, and more
  • There are valid network activities which can
    generate high connection rates
  • Correlation of high connection rates to other
    anomalous activity is what we need to look for

16
High Packet Rate
  • Another example of could-be-bad, could-be-good
    activity
  • High packet rates might indicate worm activity,
    portscanning, or other nastiness
  • A sudden appearance of high packet rates, linked
    to a previous session which had IDS alerts
    associated with it, could indicate a host that
    has been successfully compromised
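
The two rate checks on slides 15 and 16, as one added example that is not from the presentation or from Argus: the peak number of flows a host starts inside any sliding window (connection rate), the packets-per-second of each flow from the first- and last-packet times and packet count in the slide-8 data model (packet rate), and the correlation both slides ask for, namely whether a host over either threshold is one an earlier IDS alert already named. The flow records, the alerted-host set, the ten-second window and the thresholds of 20 new connections and 1000 packets per second are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Flow(NamedTuple):
    start: datetime   # time of first packet (slide 8)
    end: datetime     # time of last packet
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    pkts: int         # packets sent by the initiator


def peak_connection_rate(flows, window=timedelta(seconds=10)):
    """Most flows each source started inside any single window.  Starts are
    sorted and scanned with two pointers, so each host costs linear time."""
    starts = defaultdict(list)
    for f in flows:
        starts[f.src].append(f.start)
    peak = {}
    for src, times in starts.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        peak[src] = best
    return peak


def packet_rate(f):
    """Packets per second over the flow's lifetime; a flow whose first and
    last packet coincide has no rate, so its count is returned as-is."""
    secs = (f.end - f.start).total_seconds()
    return f.pkts / secs if secs > 0 else float(f.pkts)


def noisy_hosts(flows, alerted_hosts, max_new=20, min_pps=1000,
                window=timedelta(seconds=10)):
    """Hosts over either threshold, tagged with whether an IDS alert already
    named them: those are the ones slide 16 says to look at first."""
    why = {}
    for src, n in peak_connection_rate(flows, window).items():
        if n > max_new:
            why.setdefault(src, set()).add("connection rate")
    for f in flows:
        if packet_rate(f) >= min_pps:
            why.setdefault(f.src, set()).add("packet rate")
    return [(h, sorted(w), h in alerted_hosts) for h, w in sorted(why.items())]


def T(hhmmss):
    return datetime.strptime("2002-04-17 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed records.  192.172.1.44 behaves like a scanning worm: 25 short
# web connections to distinct hosts within 2.4 seconds.  192.172.1.6 is a
# normal browser.  198.51.100.7 sends 5000 packets in two seconds.
FLOWS = [
    Flow(T("10:00:00") + timedelta(milliseconds=100 * i),
         T("10:00:01") + timedelta(milliseconds=100 * i),
         "tcp", "192.172.1.44", 1025 + i, "203.0.113.%d" % (i + 1), 80, 3)
    for i in range(25)
] + [
    Flow(T("10:00:00"), T("10:00:30"), "tcp", "192.172.1.6", 3562, "209.10.33.195", 80, 40),
    Flow(T("10:04:00"), T("10:04:30"), "tcp", "192.172.1.6", 3563, "64.4.30.24", 80, 40),
    Flow(T("10:09:00"), T("10:09:30"), "tcp", "192.172.1.6", 3564, "216.33.240.24", 80, 40),
    Flow(T("10:02:00"), T("10:02:02"), "udp", "198.51.100.7", 40000, "192.172.1.3", 53, 5000),
]
ALERTED = {"198.51.100.7"}   # hosts an earlier IDS alert named (constructed)

if __name__ == "__main__":
    for host, reasons, seen in noisy_hosts(FLOWS, ALERTED):
        print(host, reasons, "previous IDS alert" if seen else "no prior alert")
```

The window length matters as much as the threshold: the same three browser sessions count as one connection in a ten-second window and three in a ten-minute one, so tune both against a baseline of your own traffic before alerting on them.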

17
Stepping Stone Detection
  • A stepping stone is a computer that is used as an
    intermediate point between two other computers
  • Stepping stones are frequently used by attackers
    to obscure their location/identity
  • Stepping stones can be detected by correlating the
    on/off times of two network flows. This is
    prone to false positives.
  • A better approach is to correlate the on and off
    times of packet activity inside the flow, but
    this requires finer granularity in the data than
    Argus can provide.
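
The flow-level on/off correlation from the third bullet, as an added example that is not from the presentation or from Argus: for every host, each inbound flow is paired with any outbound flow from that host that starts no earlier than the inbound one and within a small slack of it, and ends within the same slack of it. The sample deliberately includes both a real SSH chain and the benign look-alike the slide warns about (a web request and the database query it triggers), so the false-positive problem is visible in the output. The flow records and the five-second slack are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Flow(NamedTuple):
    start: datetime   # first packet
    end: datetime     # last packet
    src: str          # initiator
    sport: int
    dst: str
    dport: int


def stepping_stone_candidates(flows, slack=timedelta(seconds=5)):
    """Pair each flow INTO a host with flows OUT OF the same host whose
    start follows the inbound start by at most `slack` and whose end lies
    within `slack` of the inbound end.  Only flow-level on/off times are
    used, which is exactly the coarse check slide 17 says is prone to
    false positives."""
    inbound = defaultdict(list)    # host that received the flow -> flows
    outbound = defaultdict(list)   # host that initiated the flow -> flows
    for f in flows:
        inbound[f.dst].append(f)
        outbound[f.src].append(f)
    pairs = []
    for host, arrivals in inbound.items():
        for i in arrivals:
            for o in outbound.get(host, []):
                if o.dst == i.src:
                    continue   # traffic back toward the origin is not a hop
                if timedelta(0) <= o.start - i.start <= slack and abs(o.end - i.end) <= slack:
                    pairs.append((i, o))
    return sorted(pairs, key=lambda p: p[0].start)


def T(hhmmss):
    return datetime.strptime("2002-04-17 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed flows.  The first pair is a real chain: an outside host SSHes
# to 192.172.1.10, which two seconds later SSHes onward to 192.172.1.50 and
# drops both sessions together.  The last pair is the benign look-alike the
# slide warns about: a web hit on 192.172.1.80 and the database query it
# triggers start and stop at the same moment.
FLOWS = [
    Flow(T("10:00:00"), T("10:15:00"), "198.51.100.7", 5000, "192.172.1.10", 22),
    Flow(T("10:00:02"), T("10:14:59"), "192.172.1.10", 41000, "192.172.1.50", 22),
    Flow(T("10:05:00"), T("10:05:01"), "192.172.1.10", 41100, "209.10.33.195", 80),
    Flow(T("10:20:00"), T("10:20:03"), "203.0.113.9", 52000, "192.172.1.80", 80),
    Flow(T("10:20:00"), T("10:20:03"), "192.172.1.80", 33000, "192.172.1.90", 3306),
]

if __name__ == "__main__":
    for i, o in stepping_stone_candidates(FLOWS):
        print("%s -> %s -> %s (%s to %s)" % (i.src, i.dst, o.dst, i.start.time(), o.end.time()))
```

Tightening the slack removes the SSH chain before it removes the web-to-database pair, which is the point of the slide's last bullet: flow start and end times alone cannot separate the two, and only per-packet on/off timing inside the flows would.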

18
Summary
  • Using IP audit trails is a powerful enhancement
    to IDS
  • IP audit trails also give new ways of looking for
    anomalous traffic, new services on your network,
    or for getting a better perspective on your
    network's operation
  • There is lots to be done!