Open Source IDS
A Quick and Dirty Guide
Darrin Wassom
Technical Architect
The Road to Ruin?
Introduction
What is this thing called IDS
SHADOW
SNORT
Distributed IDS
The Future
Toolkit Essentials
Links/Publications of Interest
Questions
Introductions
* Presenter
– Darrin Wassom
• Technical Architect
• Information Security Compliance Team
* Foundational Presentation
– By no means a definitive guide!
– YMMV!
What is IDS?!?!
* IDS = Intrusion Detection System
* Two broad types
– Host-based IDS (HIDS)
• Tripwire is a great example
– Network-based IDS (NIDS)
• ISS RealSecure, Cisco IDS (formerly NetRanger), Symantec
and many other commercial products are available, but we don’t
care about those….. yet.
• SHADOW
• SNORT
SHADOW – The Granddaddy!
* Secondary Heuristic Analysis for Defensive
Online Warfare = SHADOW
* Formerly called CIDER
– Cooperative Intrusion Detection Evaluation
and Response
* Developed at the Naval Surface Warfare
Center (NSWC) in 1994 by Stephen
Northcutt
SHADOW
* Open Source components include
– TCPDUMP (key component!)
– OpenSSH
– Apache
– Tripwire
– PERL
* Statistical means of viewing network traffic
– Patterns appear over time
– Looks for network anomalies rather than specific signatures
SHADOW - Screenshots
SHADOW - Caveats
* SHADOW does not provide real-time analysis in
the traditional sense
– Its strength lies in long-term packet analysis
* SHADOW is not rule-based
– You won’t receive event-specific alerts like “Code Red
Attack”
* SHADOW has been known to cause bouts of rage,
insomnia and second thoughts about career choice
– It’s not easy to configure!
SHADOW – Sounds Cool….
* Tell me more!
* Can be downloaded at
– http://www.nswc.navy.mil/ISSEC/CID/
* Latest release published
– April 2003
• Actively maintained by NSWC
* SHADOW fork
– Guy Bruneau has provided an ISO image of
SHADOW on Slackware Linux (last updated 8/2003)
• http://www.whitehats.ca/main/index.html
• VERY cool, check it out!
SNORT – An Open Source Star
* Developed by Marty Roesch in 1998
* Rules-based
– also called signature-based
* Benefits
– easy to install
– HIGHLY customizable
– Flexible
– FAST
– Can also work as a packet sniffer
• supports BPF filter expressions (the same syntax as TCPDUMP)
SNORT – Modes of Operation
* Packet Sniffer
– snort -v
• prints packet headers to the screen only
– snort -vd
• also shows the application-layer data in transit
– snort -vde
• all of the above plus the data link layer (Ethernet) headers
– snort -vd tcp and port not ssh
• example of a BPF filter expression appended to the command line
– snort -vd -l /var/tmp
• logs packets into a directory for future analysis
– snort -vd -L /var/tmp/test.cap
• writes packets to a specific file in TCPDUMP (libpcap) format
– snort -r /var/tmp/test.cap
• reads back any TCPDUMP-format file
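The file that -L writes and -r reads back is the libpcap (TCPDUMP) format. As an added example, not from the deck or from Snort, the Python below builds a one-packet capture in memory and decodes it layer by layer, producing the same views the -v / -vd / -vde levels print. The capture is constructed (MAC addresses, 10.1.1.1:3456 -> 192.168.1.10:22, payload "GOBBLES") so it runs offline; it handles IPv4 over Ethernet only.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # libpcap magic (microsecond timestamps)
DLT_EN10MB = 1            # link type: Ethernet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of a 20-byte IPv4 header (0 when verifying a valid header)."""
    total = sum(struct.unpack("!10H", header))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_sample_pcap() -> bytes:
    """Constructed capture: one Ethernet/IPv4/TCP frame, 10.1.1.1:3456 -> 192.168.1.10:22, payload 'GOBBLES'."""
    payload = b"GOBBLES"
    # TCP: sport, dport, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent.
    # TCP checksum left at 0: this example decodes frames, it never transmits them.
    tcp = struct.pack("!HHIIBBHHH", 3456, 22, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 1, 1, 1]), bytes([192, 168, 1, 10]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the header checksum
    eth = bytes.fromhex("000c29aabbcc") + bytes.fromhex("00508b112233") + b"\x08\x00"  # dst, src, IPv4
    frame = eth + ip + tcp + payload
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    record_hdr = struct.pack("<IIII", 1050000000, 123456, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def decode_frame(frame: bytes, ts_sec: int, ts_usec: int) -> dict:
    """Decode Ethernet -> IPv4 -> TCP, the layers snort -vde / -vd / -v print."""
    pkt = {
        "ts": f"{ts_sec}.{ts_usec:06d}",
        "dst_mac": frame[0:6].hex(":"),
        "src_mac": frame[6:12].hex(":"),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
    }
    if pkt["ethertype"] != 0x0800:      # not IPv4: stop at the data link layer
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    pkt["proto"] = ip[9]
    pkt["src"] = ".".join(map(str, ip[12:16]))
    pkt["dst"] = ".".join(map(str, ip[16:20]))
    pkt["ip_csum_ok"] = ihl == 20 and ipv4_checksum(ip[:20]) == 0   # IP options not handled here
    if pkt["proto"] != 6:               # only TCP is decoded in this example
        return pkt
    tcp = ip[ihl:total_len]
    pkt["sport"], pkt["dport"] = struct.unpack("!HH", tcp[:4])
    pkt["flags"] = tcp[13]
    pkt["payload"] = tcp[(tcp[12] >> 4) * 4:]
    return pkt


def read_pcap(data: bytes):
    """Yield decoded packets from TCPDUMP-format bytes; handles either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:           # the same magic written big-endian
        order = ">"
    else:
        raise ValueError("not a libpcap capture (bad magic)")
    linktype = struct.unpack(order + "IHHiIII", data[:24])[6]
    if linktype != DLT_EN10MB:
        raise ValueError(f"link type {linktype} not handled; Ethernet only")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")
        yield decode_frame(data[off:off + incl_len], ts_sec, ts_usec)
        off += incl_len


def format_packet(pkt: dict, show_data: bool = False, show_link: bool = False) -> str:
    """Render one packet: -v headers; -vd adds the payload; -vde adds the Ethernet layer."""
    lines = []
    if show_link:
        lines.append(f"{pkt['src_mac']} -> {pkt['dst_mac']} type:0x{pkt['ethertype']:04X}")
    if "src" in pkt:
        sp = f":{pkt['sport']}" if "sport" in pkt else ""
        dp = f":{pkt['dport']}" if "dport" in pkt else ""
        lines.append(f"{pkt['ts']} {pkt['src']}{sp} -> {pkt['dst']}{dp} proto:{pkt['proto']}")
    if show_data and pkt.get("payload"):
        lines.append(pkt["payload"].hex(" ") + "  " + pkt["payload"].decode("ascii", "replace"))
    return "\n".join(lines)


if __name__ == "__main__":
    for p in read_pcap(build_sample_pcap()):
        print(format_packet(p, show_data=True, show_link=True))
```

Feed read_pcap() the bytes of a real test.cap instead of build_sample_pcap() to inspect a capture on a box without Snort; the checksum flag is there because a bad IP checksum on a captured packet is itself worth noticing.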
SNORT – Modes of Operation
* Intrusion Detection Mode
– The nuts and bolts!
– snort -i eth0 -c /etc/snort/snort.conf
• specifies the eth0 interface and the location of the
snort configuration file (snort.conf)
– Snort Configuration
• snort.conf
– Sets the network variables ($HOME_NET etc.), preprocessors, output plugins and which rule files to load
– Well documented and easy to follow
SNORT – Analysis of a Rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; classtype:misc-attack; sid:1812; rev:2;)
* Rule Header (everything before the parentheses)
– Action
• alert, log, pass, activate, dynamic or a user-defined rule type
– Protocol (tcp, udp, icmp, ip)
– Source and destination addresses and ports
• $EXTERNAL_NET and $HOME_NET are variables set in snort.conf
– Traffic direction operator (-> or <>)
* Rule Options
– Always enclosed in parentheses, separated by semicolons
– Define which attributes must be present to trigger an event
• here: an established client-to-server stream to port 22 whose payload contains "GOBBLES"
SNORT – Tips/Tricks for Rules
* SID – Snort ID
– < 100 – Reserved for future use
– 100 – 1,000,000 – Rules shipped with the Snort distribution
– > 1,000,000 – Used for locally defined rules
* Rule/Signature Maintenance
– Snort regularly updates its rules, which can be downloaded
from the Snort site
– Oinkmaster
• Script written to help with rule management (downloads updated rules and preserves your local enable/disable/modify changes)
• http://www.algonet.se/~nitzer/oinkmaster/
* Creating Custom Rules
– Capture the traffic you wish to be alerted on with TCPDUMP or Ethereal, then build a content match from the bytes that distinguish it
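The Python below is an added example, not Snort's own code, tying the two slides above together: it parses the slide's rule into header fields and options, checks the SID convention, and evaluates rules against constructed packets to show that the header (addresses, ports, direction) is tested before any option. The $HOME_NET/$EXTERNAL_NET values, the local FTP rule (sid 1000001, a hypothetical rule written for the illustration) and the packets are all assumed. Only the content, nocase and flow options are implemented; any other matching option raises rather than silently matching.

```python
import ipaddress
import re

# snort.conf variables (values assumed for this example).
RULE_VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
# The rule from the slide, on one line as Snort requires.
SLIDE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH exploit attempt"; '
              'flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; '
              'classtype:misc-attack; sid:1812; rev:2;)')
# Constructed local rule (hypothetical, not from the Snort rule set): note sid > 1,000,000.
LOCAL_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL FTP SITE EXEC attempt"; '
              'flow:to_server,established; content:"SITE EXEC"; nocase; sid:1000001; rev:1;)')
HEADER_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
                       r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
META_OPTIONS = {"msg", "reference", "classtype", "sid", "rev", "priority"}  # never affect matching

def split_options(body: str) -> list:
    """Split on ';' outside double quotes into (keyword, value) pairs, in rule order."""
    pairs = []
    for item in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body):
        if item.strip():
            key, _, value = item.strip().partition(":")
            pairs.append((key.strip(), value.strip() or None))
    return pairs

def parse_rule(text: str) -> dict:
    """Rule header -> named fields; option body -> list of (keyword, value)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule header")
    rule = m.groupdict()
    rule["opts"] = split_options(rule.pop("opts"))
    rule["sid"] = int(dict(rule["opts"]).get("sid") or 0)
    return rule

def sid_is_local(rule: dict) -> bool:
    """Local rules use sid > 1,000,000 so they never collide with distributed rules."""
    return rule["sid"] > 1_000_000

def net_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):                                    # negation
        return not net_matches(spec[1:], ip)
    if spec.startswith("$"):                                    # variable reference
        return net_matches(RULE_VARS[spec[1:]], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:                                             # range; either end may be open
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def options_match(opts: list, pkt: dict) -> bool:
    """Evaluate the option subset this example knows; refuse to guess at anything else."""
    contents = []                                               # [pattern, nocase], rule order
    for key, value in opts:
        if key == "content":
            contents.append([value.strip('"').encode(), False])
        elif key == "nocase":                                   # modifies the preceding content
            if not contents:
                raise ValueError("nocase must follow a content option")
            contents[-1][1] = True
        elif key == "flow":                                     # stream state from the stream preprocessor
            if not set(value.split(",")) <= pkt["flow"]:
                return False
        elif key not in META_OPTIONS:
            raise NotImplementedError(f"option '{key}' not handled by this example")
    data = pkt["payload"]
    return all(pat.lower() in data.lower() if nocase else pat in data for pat, nocase in contents)

def rule_matches(rule: dict, pkt: dict) -> bool:
    """Header first (protocol, addresses, ports, direction), then options."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    def header_ok(src, sport, dst, dport):
        return (net_matches(rule["src"], src) and port_matches(rule["sport"], sport)
                and net_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))
    ok = header_ok(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":                                     # bidirectional: try the reverse too
        ok = ok or header_ok(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return ok and options_match(rule["opts"], pkt)

def run_rules(rules: list, packets: list) -> list:
    """Alerts in the shape of Snort's fast output: [gid:sid:rev] msg src -> dst."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule["action"] == "alert" and rule_matches(rule, pkt):
                meta = dict(rule["opts"])
                msg = meta["msg"].strip('"')
                alerts.append(f"[1:{rule['sid']}:{meta.get('rev') or '0'}] {msg} "
                              f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")
    return alerts

def sample_packets() -> list:
    """Constructed packets; 'flow' holds the stream state the stream preprocessor would supply."""
    est = {"to_server", "established"}
    return [
        dict(proto="tcp", src="10.1.1.1", sport=3456, dst="192.168.1.10", dport=22, payload=b"GOBBLES\x90\x90", flow=est),
        dict(proto="tcp", src="10.1.1.1", sport=3457, dst="192.168.1.10", dport=80, payload=b"GOBBLES", flow=est),      # wrong port
        dict(proto="tcp", src="192.168.1.5", sport=3458, dst="192.168.1.10", dport=22, payload=b"GOBBLES", flow=est),  # not $EXTERNAL_NET
        dict(proto="tcp", src="10.1.1.9", sport=4000, dst="192.168.1.20", dport=21, payload=b"site exec %p%p\r\n", flow=est),
    ]
```

Calling run_rules([parse_rule(SLIDE_RULE), parse_rule(LOCAL_RULE)], sample_packets()) yields exactly two alerts: the first packet (external source, port 22, GOBBLES in an established client-to-server stream) and the fourth (local rule, case-insensitive match). The second and third carry the same payload but fail the header, which is the point of the header/options split.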
SNORT – A Problem
* SNORT, by itself, is great for a single-probe
installation
– One configuration file
– One set of rules
– One place to look for alerts, logs, etc.
* Management and analysis become difficult with
more than one probe
– multiple conf files to maintain
– rules drift out of sync between probes
– which probe do you check for analysis?
SNORT – Distributed Approach
SNORT – Components to Webify!
* ACID - written by Roman Danyliw
– Analysis Console for Intrusion Databases
– http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html
* Other Requirements (ship w/ most Linux distros)
– Web Server – Apache
– PHP
– SQL database – MySQL (each probe logs to it through Snort’s database output plugin)
– Other misc components
* Sounds difficult!!
– Several EXCELLENT whitepapers are available
• Step by Step guides!
SNORT – Uh, Where?
* Steven Scott
– Red Hat 7.3 and 9.0
– VERY detailed and HIGHLY recommended
– http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf
– http://www.superhac.com/snort/docs/snort_enterprise.pdf
• Steven’s site, Superhac, is intermittent. If you can’t find the site, let
me know and I’ll send a copy of the document
* Local Subject Matter Expert
– Mark Eanes
• Putting him on the spot!
SNORT – Show me!
SNORT – Real Time?
* Near real-time alerts are available!
– SWATCH
• Simple WATCHer
• http://swatch.sourceforge.net/
• Can be configured to tail just about any type of
log file (e.g. Snort’s alert file) and act on lines matching a regex
– can send email, pager or SMB popup
– Easy to configure
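As an added example (not from the deck or from SWATCH), the Python below does what a swatch watchfor stanza with a throttle does against Snort's fast-format alert file: parse each line, notify only on priority 1 and 2 events, and suppress repeats of the same signature from the same source inside a window. The alert lines and the clock values are constructed; delivery is returned as a string where the email or pager call would go.

```python
import re

# Constructed Snort "fast" alert lines (the format -A fast writes to the alert file).
# Each is paired with seconds since the watcher started, standing in for the wall clock.
SAMPLE_ALERTS = [
    (0, "03/14-09:12:33.123456  [**] [1:1812:2] EXPLOIT gobbles SSH exploit attempt [**] "
        "[Classification: Misc Attack] [Priority: 2] {TCP} 10.1.1.1:3456 -> 192.168.1.10:22"),
    (30, "03/14-09:13:03.000001  [**] [1:1812:2] EXPLOIT gobbles SSH exploit attempt [**] "
         "[Classification: Misc Attack] [Priority: 2] {TCP} 10.1.1.1:3460 -> 192.168.1.10:22"),
    (35, "03/14-09:13:08.500000  [**] [1:384:5] ICMP PING [**] "
         "[Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.7 -> 192.168.1.10"),
    (40, "03/14-09:13:13.000000  [**] [1:1812:2] EXPLOIT gobbles SSH exploit attempt [**] "
         "[Classification: Misc Attack] [Priority: 2] {TCP} 10.1.1.2:5000 -> 192.168.1.10:22"),
    (45, "# rotated by logrotate"),      # constructed non-alert line; must be ignored, not crash
]

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line: str):
    """Return the alert's fields, or None for lines that are not fast-format alerts (IPv4 only)."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        a[k] = int(a[k])
    a["sport"] = int(a["sport"]) if a["sport"] else None   # ICMP lines carry no ports
    a["dport"] = int(a["dport"]) if a["dport"] else None
    return a


class AlertWatcher:
    """Equivalent of a swatch 'watchfor' stanza: match, filter by priority, throttle repeats."""

    def __init__(self, max_priority: int = 2, throttle_seconds: int = 300):
        self.max_priority = max_priority        # Snort priority 1 is the most severe
        self.throttle = throttle_seconds
        self.last_sent = {}                     # (sid, src) -> time of last notification

    def handle(self, line: str, now: float):
        """Return the notification text for this line, or None if nothing should go out."""
        a = parse_fast_alert(line)
        if a is None or a["prio"] > self.max_priority:
            return None
        key = (a["sid"], a["src"])
        if key in self.last_sent and now - self.last_sent[key] < self.throttle:
            return None                         # same signature, same source, inside the window
        self.last_sent[key] = now
        dst = a["dst"] if a["dport"] is None else f"{a['dst']}:{a['dport']}"
        return f"NOTIFY sid={a['sid']} prio={a['prio']} {a['msg']} {a['src']} -> {dst}"


def process(samples, max_priority: int = 2, throttle_seconds: int = 300) -> list:
    """Feed (seconds, line) pairs through one watcher; return the notifications it would send."""
    watcher = AlertWatcher(max_priority, throttle_seconds)
    out = []
    for when, line in samples:
        note = watcher.handle(line, when)
        if note:
            out.append(note)
    return out


if __name__ == "__main__":
    for note in process(SAMPLE_ALERTS):
        print(note)     # hook smtplib or a pager gateway in here for real use
```

With the defaults the five sample lines produce two notifications: the second GOBBLES attempt from 10.1.1.1 is throttled, the priority 3 ping is below the threshold, and the attempt from 10.1.1.2 is a new source. Throttling on (sid, source) is what keeps a scanner from paging you once per packet.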
SNORT – Usage/Application
* Detection of Privilege Escalation
– DEMO
• FTP Exploit
– Gain root-level access to a public-facing FTP server
– Would most likely go undetected without an IDS
• Results in SNORT/ACID
– Link
SNORT – Usage/Application
* Enterprise IDS
– Advantages
• low cost (hardware, learning curve)
• Extremely flexible
– Cons
• Requires significant tuning/tweaking
• Constant maintenance
– rule mgmt issues
• Eternal vigilance!
– applies to ANY internal IDS presence
* Augment Outsourced IDS
* Point Solution
– Track internal vulnerabilities on a specific segment
• outbound worm traffic is a great example
SNORT – The Future
* Evolution
– Intrusion Prevention
• Flexible Response (flexresp): built in; lets a rule tear down a matched session with TCP resets or ICMP unreachables
• Snort Inline: actively developed; sits in the packet path (iptables QUEUE) and can drop matched packets outright
• Both act on signature matches to block ports/hosts dynamically
– Event Correlation
• Analyze multiple log events
– Coming soon!
– Sourcefire
• Commercial arm of SNORT
– founded by Marty Roesch
Toolkit Essentials
* TCPDUMP
– http://www.tcpdump.org/
* WINDUMP
– http://windump.polito.it/
* Ethereal
– http://www.ethereal.com/
Links/Publications
* SNORT
– http://www.snort.org/
* Superhac
– http://www.superhac.org
* SANS Reading Room
– http://rr.sans.org/
* Publications (Available at Amazon)
– Snort 2.0 Intrusion Detection
• Brian Caswell, Ryan Russell, Jay Beale, et al.
– Intrusion Detection with Snort
• Jack Koziol
– Intrusion Detection with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID
• Rafeeq Ur Rehman
Education
* SANS Institute
– Education track devoted to Intrusion Detection
• http://www.sans.org
• http://www.giac.org
• GCIA – GIAC Certified Intrusion Analyst
– heavy coverage of TCPDUMP, Snort and advanced
analysis techniques
Questions?
Thank You!
* Contact Information
– Darrin Wassom
• Darrin.Wassom@spectrum-health.org
• 616.391.9031 (Office)