Open Source IDS - PowerPoint PPT Presentation

About This Presentation
Title:

Open Source IDS

Description:

Title: Wireless Network Security. Author: Darrin Wassom. Last modified by: Darrin Wassom. Created Date: 10/14/2002 10:48:18 PM. Document presentation format: PowerPoint PPT presentation.


Transcript and Presenter's Notes

1
Open Source IDS
  • A Quick and Dirty Guide
  • Darrin Wassom
  • Technical Architect

2
The Road to Ruin?
  • Introduction
  • What is this thing called IDS
  • SHADOW
  • SNORT
  • Distributed IDS
  • The Future
  • Toolkit Essentials
  • Links/Publications of Interest
  • Questions

3
Introductions
  • Presenter
  • Darrin Wassom
  • Technical Architect
  • Information Security Compliance Team
  • Foundational Presentation
  • By no means a definitive guide!
  • YMMV!

4
What is IDS?!?!
  • IDS: Intrusion Detection System
  • Two types
  • Host-based IDS (HIDS)
  • Tripwire is a great example
  • Network-based IDS (NIDS)
  • ISS RealSecure, Cisco (formerly called
    NetRanger), Symantec and many other commercial
    products available, but we don't care about
    those... yet.
  • SHADOW
  • SNORT

5
SHADOW: The Granddaddy!
  • Secondary Heuristic Analysis for Defensive Online
    Warfare (SHADOW)
  • Formerly called CIDER
  • Cooperative Intrusion Detection Evaluation and
    Response
  • Developed in 1994 by Stephen Northcutt at the
    Naval Surface Warfare Center (NSWC)

6
SHADOW
  • Open Source components include
  • TCPDUMP (key component!)
  • OpenSSH
  • Apache
  • Tripwire
  • PERL
  • Statistical means of viewing network traffic
  • Patterns appear over time
  • Looks for network anomalies

7
SHADOW - Screenshots
8
SHADOW - Screenshots
9
SHADOW - Caveats
  • SHADOW does not provide real-time analysis in the
    traditional sense
  • Its strength lies in long term packet analysis
  • SHADOW is not rule-based
  • You won't receive event-specific alerts like
    "Code Red Attack"
  • SHADOW has been known to cause bouts of rage,
    insomnia and second thoughts about career choice
  • It's not easy to configure!

10
SHADOW: Sounds Cool.
  • Tell me more!
  • Can be downloaded at
  • http://www.nswc.navy.mil/ISSEC/CID/
  • Latest release published
  • April 2003
  • Actively maintained by NSWC
  • SHADOW fork
  • Guy Bruneau has provided an ISO image format of
    Shadow on Slackware Linux (last updated 8/2003)
  • http://www.whitehats.ca/main/index.html
  • VERY cool, check it out!

11
SNORT: An Open Source Star
  • Developed by Marty Roesch in 1998
  • Rules-based
  • also called signature-based
  • Benefits
  • easy to install
  • HIGHLY customizable
  • Flexible
  • FAST
  • Can also work as a packet sniffer
  • supports BPF filter expressions!

12
SNORT: Modes of Operation
  • Packet Sniffer
  • snort -v
  • prints packet headers to the screen only
  • snort -vd
  • also shows the application data in transit
  • snort -vde
  • all the above plus the data link layer headers
  • snort -vd tcp and port not ssh
  • example of using a BPF filter expression
  • snort -vd -l /var/tmp
  • dumps data to a directory for future analysis
  • snort -vd -L /var/tmp/test.cap
  • writes data to a specific file in TCPDUMP format
  • snort -r /var/tmp/test.cap
  • opens any TCPDUMP file

13
SNORT: Modes of Operation
  • Intrusion Detection Mode
  • The nuts and bolts!
  • snort -i eth0 -c /etc/snort/snort.conf
  • specifies the eth0 interface and the location of
    the snort configuration file (snort.conf)
  • Snort Configuration
  • snort.conf
  • Allows for any range of possibilities
  • Well documented and easy to follow

14
SNORT: Analysis of a Rule
  • alert tcp $EXTERNAL_NET any -> $HOME_NET 22
    (msg:"EXPLOIT gobbles SSH exploit attempt";
    flow:to_server,established; content:"GOBBLES";
    reference:bugtraq,5093; classtype:misc-attack;
    sid:1812; rev:2;)
  • Rule Header
  • Action (required)
  • alert, log, pass, user-defined
  • defines the network protocol
  • source/destination addresses and ports
  • traffic direction
  • Rule Options
  • Always enclosed in parentheses
  • Defines which attributes must be present to
    trigger an event

15
SNORT: Tips/Tricks for Rules
  • SID: Snort ID
  • 1-100: Reserved for Marty Roesch
  • 101-1000000: Reserved for Snort Development Team
  • > 1000000: Can be used for locally defined rules
  • Rule/Signature Maintenance
  • SNORT regularly updates rules, and they can be
    downloaded from their site
  • Oinkmaster
  • Script written to help with rule management
  • http://www.algonet.se/~nitzer/oinkmaster/
  • Creating Custom Rules
  • use TCPDUMP or Ethereal to analyze the packets
    you wish to be alerted on
  • Check sites like Internet Storm Center
    (http://isc.sans.org/) for timely rule updates
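As an added example (not from the slides or from the Snort project), the following Python splits a Snort rule into the header and option parts described on the "Analysis of a Rule" slide, then applies the SID ranges from the slide above as a lint check for locally written rules. The sample rule is the sid 1812 rule quoted on the previous slide; the function names and the lint findings are assumptions of this example.

```python
import re

# Constructed sample: the sid 1812 rule quoted on the "Analysis of a Rule" slide.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
    '(msg:"EXPLOIT gobbles SSH exploit attempt"; flow:to_server,established; '
    'content:"GOBBLES"; reference:bugtraq,5093; classtype:misc-attack; '
    'sid:1812; rev:2;)'
)

# Header: action proto src sport direction dst dport, then the option block in ()
HEADER_RE = re.compile(
    r"\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*", re.S)
# Options are 'key:value;' pairs; a quoted value may itself contain ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*)))?;')

def parse_rule(rule):
    """Split a Snort rule into its header fields and an option dictionary."""
    m = HEADER_RE.fullmatch(rule)
    if not m:
        raise ValueError("malformed rule: bad header or unbalanced parentheses")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    header = {"action": action, "proto": proto, "src": src, "sport": sport,
              "direction": direction, "dst": dst, "dport": dport}
    options = {key: (quoted if quoted else bare.strip())
               for key, quoted, bare in OPTION_RE.findall(body)}
    return {"header": header, "options": options}

def sid_owner(sid):
    """Classify a SID by the ranges the 'Tips/Tricks for Rules' slide gives."""
    if 1 <= sid <= 100:
        return "reserved: Marty Roesch"
    if 101 <= sid <= 1_000_000:
        return "reserved: Snort development team"
    if sid > 1_000_000:
        return "local rule"
    raise ValueError("SID must be a positive integer")

def lint_local_rule(rule):
    """Checks worth running on a locally written rule before loading it (assumed names)."""
    parsed = parse_rule(rule)
    opts, findings = parsed["options"], []
    if "sid" not in opts:
        findings.append("missing sid: every rule needs a unique SID")
    elif sid_owner(int(opts["sid"])) != "local rule":
        findings.append("sid %s is in a reserved range; use sid > 1000000" % opts["sid"])
    if "msg" not in opts:
        findings.append("missing msg: alerts will be unreadable in ACID")
    return findings
```

A repeated option key (several content: options in one rule) keeps only the last value in this simple parser.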

16
SNORT: A Problem
  • SNORT, by itself, is great for a single probe
    installation
  • One configuration file
  • One set of rules
  • One place to look for alerts, logs, etc.
  • Management and analysis become difficult with
    more than one probe
  • multiple conf files to maintain
  • rule issues
  • which probe do you check for analysis?

17
SNORT: Distributed Approach
18
SNORT: Components to Webify!
  • ACID - written by Roman Danyliw
  • Analysis Console for Intrusion Databases
  • http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html
  • Other Requirements (ship w/ most Linux distros)
  • Web Server: Apache
  • PHP
  • SQL database: MySQL
  • Other misc components
  • Sounds difficult!!
  • Several EXCELLENT whitepapers are available
  • Step by Step guides!

19
SNORT: Uh, Where?
  • Steven Scott
  • Red Hat 7.3 and 9.0
  • VERY detailed and HIGHLY recommended
  • http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf
  • http://www.superhac.com/snort/docs/snort_enterprise.pdf
  • Steven's site, Superhac, is intermittent. If you
    can't find the site, let me know and I'll send a
    copy of the document
  • Local Subject Matter Expert
  • Mark Eanes
  • Putting him on the spot!

20
SNORT: Show me!
21
SNORT: Real Time?
  • Near real-time alerts are available!
  • SWATCH
  • Simple WATCHer
  • http://swatch.sourceforge.net/
  • Can be configured to monitor just about any type
    of log file
  • can send email, pager or SMB popup
  • Easy to configure
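An added example, not part of the deck or of SWATCH itself, of the kind of log watcher this slide describes: it parses Snort's fast-alert log format and picks out the lines worth paging on. The log lines are constructed, and the priority threshold and the per-source de-duplication are assumptions of this example rather than SWATCH features.

```python
import re

# Constructed sample of Snort "alert_fast" output (addresses from documentation ranges).
SAMPLE_ALERTS = """\
06/25-14:03:11.123456  [**] [1:1812:2] EXPLOIT gobbles SSH exploit attempt [**] [Classification: Misc Attack] [Priority: 3] {TCP} 192.0.2.10:34567 -> 10.0.0.5:22
06/25-14:03:12.000001  [**] [1:1000001:1] LOCAL ftp USER probe [**] [Priority: 2] {TCP} 192.0.2.10:34568 -> 10.0.0.6:21
06/25-14:03:13.500000  [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.6 -> 10.0.0.5
garbage line that a watcher must not choke on
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<pri>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_alert(line):
    """Return the fields of one fast-alert line, or None if it is not one."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        rec[key] = int(rec[key])
    return rec

def select_notifications(log_text, max_priority=2, watched_sids=()):
    """SWATCH-style filter: keep alerts that should page someone, and collapse
    repeats of the same sid from the same source so one noisy host cannot flood the pager."""
    seen, hits = set(), []
    for line in log_text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue                      # not an alert line: skip, never crash the watcher
        if rec["pri"] > max_priority and rec["sid"] not in watched_sids:
            continue                      # low priority and not explicitly watched
        key = (rec["sid"], rec["src"].rsplit(":", 1)[0])
        if key in seen:
            continue                      # same sid from the same source already reported
        seen.add(key)
        hits.append(rec)
    return hits
```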

22
SNORT: Usage/Application
  • Detection of Privilege Escalation
  • DEMO
  • FTP Exploit
  • Gain root level access to a public-facing FTP
    server
  • Would most likely go undetected
  • Results in SNORT/ACID
  • Link

23
SNORT: Usage/Application
  • Enterprise IDS
  • Advantages
  • low cost (hardware, learning curve)
  • Extremely flexible
  • Cons
  • Requires significant tuning/tweaking
  • Constant maintenance
  • rule mgmt issues
  • Eternal vigilance!
  • applies to ANY internal IDS presence
  • Augment Outsourced IDS
  • Point Solution
  • Track internal vulnerabilities on specific
    segment
  • outbound worm traffic is a great example

24
SNORT: The Future
  • Evolution
  • Intrusion Prevention
  • Flex response (user-defined)
  • built-in
  • Snort Inline
  • actively developed
  • Both add elements of intelligence to
    dynamically block ports/hosts based on signatures
  • Event Correlation
  • Analyze multiple log events
  • Coming soon!
  • Sourcefire
  • Commercial arm of SNORT
  • founded by Marty Roesch

25
Toolkit Essentials
  • TCPDUMP
  • http://www.tcpdump.org/
  • WINDUMP
  • http://windump.polito.it/
  • Ethereal
  • http://www.ethereal.com/

26
Links/Publications
  • SNORT
  • http://www.snort.org/
  • Superhac
  • http://www.superhac.org
  • SANS Reading Room
  • http://rr.sans.org/
  • Publications (Available at Amazon)
  • Snort 2.0 Intrusion Detection
  • Brian Caswell, Ryan Russell, Jay Beale, et al.
  • Intrusion Detection with Snort
  • Jack Koziol
  • IDS with Snort: Advanced Techniques
  • Rafeeq Rehman

27
Education
  • SANS Institute
  • Education track devoted to Intrusion Detection
  • http://www.sans.org
  • http://www.giac.org
  • GCIA: GIAC Certified Intrusion Analyst
  • heavy coverage of TCPDUMP, Snort and advanced
    analysis techniques

28
Questions?
29
Thank You!
  • Contact Information
  • Darrin Wassom
  • Darrin.Wassom_at_spectrum-health.org
  • 616.391.9031 (Office)