Network Intrusion Detection
David LaPorte
david_laporte@harvard.edu
Topics
- What is IDS?
- HIDS v. NIDS
- Signatures
- Active Response / IPS
- NIDS on the Cheap
- Additional Resources
What is IDS?
"…the art of detecting inappropriate, incorrect, or anomalous activity. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems, and ID systems that operate on network data flows are called network-based ID systems."
Source: http://www.sans.org/newlook/resources/IDFAQ/what_is_ID.htm
HIDS v. NIDS
- Defense in depth, layered security
- HIDS
  - Typically software installed on a system
  - Agent-based
    - Monitors multiple data sources, including file system meta-data, log files
  - Wrapper-based
    - Acts like a firewall – denies or accepts connections or logins based on defined policy
HIDS v. NIDS
- NIDS
  - Monitors traffic on a network
  - Reports on traffic not considered "normal"
    - Anomaly-based
      - Packet sizes, destinations, protocol distributions, etc.
      - Hard to determine what "normal" traffic looks like
    - Signature-based
      - Most products use signature-based technologies
Signature-based NIDS
- Signature-based
  - Matches header fields, port numbers, content
- Advantages
  - Network "grep"
  - No learning curve
  - Works out-of-box for well known attacks
    - Snort has ~1900 signatures
    - Dragon has ~1700 signatures
- Disadvantages
  - New attacks cannot be detected
  - False positives
  - Maintenance/tweaking
  - Not very hard to evade
  - Stateless, lacks thresholding
Signatures
A signature, field by field:

  T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt

  T              PROTOCOL
  A              DIRECTION
  A              PROTECTED NETWORKS
  S              BINARY OR STRING
  10             DYNAMIC LOG
  20             COMPARE BYTES
  6668           PORT
  IRC:XDCC       EVENT NAME
  /5Bxdcc/5Dslt  SEARCH STRING
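As an added example (not from the slides), a small Python matcher that parses the nine-field signature above and runs it against a constructed packet payload. The hex-escape convention (/5B decoding to "["), the meaning of COMPARE BYTES as a leading-byte window, and the reading of the console's {A} marker as a 0x0A newline are assumptions the slide does not state.

```python
# Added example (not from the slides): parse the nine-field signature above
# and apply it to a captured payload. Assumptions, since the slides do not
# spell them out: fields are whitespace-separated; "/XX" in the search
# string is a hex-escaped byte, so /5Bxdcc/5Dslt decodes to "[xdcc]slt";
# COMPARE BYTES limits the search to that many leading payload bytes.
import re

FIELDS = ("protocol", "direction", "protected_networks", "binary_or_string",
          "dynamic_log", "compare_bytes", "port", "event_name", "search_string")
INT_FIELDS = ("dynamic_log", "compare_bytes", "port")

def decode_escapes(s: str) -> bytes:
    """Turn '/5B'-style hex escapes into raw bytes; other chars pass through."""
    return re.sub(r"/([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), s).encode("latin-1")

def parse_signature(line: str) -> dict:
    """Split one signature line into a dict keyed by the field names above."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    sig = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        sig[key] = int(sig[key])
    sig["search"] = decode_escapes(sig["search_string"])
    return sig

def matches(sig: dict, dst_port: int, payload: bytes) -> bool:
    """Header check (port) then content check: a case-insensitive substring
    search over the first COMPARE BYTES of one packet, i.e. a 'network grep'."""
    if dst_port != sig["port"]:
        return False
    n = sig["compare_bytes"]
    window = payload[:n] if n > 0 else payload
    return sig["search"].lower() in window.lower()

# Constructed sample: the first client lines of the IRC session on the console
# slide, taking that slide's {A} marker as the 0x0A newline byte.
SIG = parse_signature("T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt")
SAMPLE = b"NICK [XDCC]SLT-L482\nUSER b0b 32 . :XDCC\n"
BENIGN = b"NICK alice\nUSER alice 0 * :Alice\n"   # constructed, no match

if __name__ == "__main__":
    for pkt in (SAMPLE, BENIGN):
        print(SIG["event_name"] if matches(SIG, 6668, pkt) else "no match")
```

Because the check is per packet and limited to the COMPARE BYTES window, the same string placed past byte 20 of the payload is not seen, which is one face of the "stateless" drawback listed earlier.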
Signatures
- On the console…

Time  Dir  Source  Destination  Proto  Event Name  Group  Sensor  Session  Raw Data
11:02 02Nov04 from 128.103.a.b:4295 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
11:01 02Nov04 from 128.103.a.b:1141 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
10:59 02Nov04 from 128.103.a.b:2582 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
10:57 02Nov04 from 128.103.a.b:3341 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5

Raw Data:
NICK [XDCC]SLT-L482{A}
USER b0b 32 . :XDCC{A}
MODE [XDCC]SLT-L482 +i{A}
NICK [XDCC]SLT-L482{A}
USER b0b 32 . :XDCC{A}
MODE [XDCC]SLT-L482 +i{A}
NICK [XDCC]SLT-L482{A}
USER b0b 32 . :XDCC{A}
MODE [XDCC]SLT-L482 +i{A}
{A}
:snagged.wi.us.criten.net NOTICE AUTH :*** Looking up your hostname...{A}
:snagged.wi.us.criten.net NOTICE AUTH :*** Found your hostname, cached{A}
:snagged.wi.us.criten.net NOTICE AUTH :*** Checking Ident{A}
:snagged.wi.us.criten.net 001 [XDCC]SLT-L482 :Welcome to the Criten IRC Network [XDCC]SLT-L482!~b0b@jojo.harvard.edu{D}{A}
:snagged.wi.us.criten.net 002 [XDCC]SLT-L482 :Your host is snagged.wi.us.criten.net[@0.0.0.0], running version bahamut-1
.4(34){D}{A}
:snagged.wi.us.criten.net 003 [XDCC]SLT-L482 :This server was created Fri Oct 18 2002 at 12:49:34 CDT{D}{A}
:snagged.wi.us.criten.net 004 [XDCC]SLT-L482 snagged.wi.us.criten.net bahamut-1.4(34) oiwscrknfydaAbghe biklLmMnoprRstvc
{D}{A}
:snagged.wi.us.criten.net 005 [XDCC]SLT-L482 NOQUIT WATCH=128 SAFELIST MODES=13 MAXCHANNELS=15 MAXBANS=100 NICKLEN=30 TO
PICLEN=307 KICKLEN=307 CHANTYPES=&# PREFIX=(ov)@+ NETWORK=Criten SILENCE=10 CASEMAPPING=ascii :are available on this serv
er{D}{A}
:snagged.wi.us.criten.net 251 [XDCC]SLT-L482 :There are 59 users and 6470 invisible on 17 servers{D}{A}
:snagged.wi.us.criten.net 252 [XDCC]SLT-L482 30 :IRC Operators online{D}{A}
:snagged.wi.us.criten.net 253 [XDCC]SLT-L482 84 :unknown connection(s){D}{A}
:snagged.wi.us.criten.net 254 [XDCC]SLT-L482 738 :channels formed{D}{A}
:snagged.wi.us.criten.net 255 [XDCC]SLT-L482 :I have 705 clients and 1 servers{D}{A}
:snagged.wi.us.criten.net 265 [XDCC]SLT-L482 :Current local users: 705 Max: 3506{D}{A}
:snagged.wi.us.criten.net 266 [XDCC]SLT-L482 :Current global users: 6529 Max: 13238{D}{A}
:snagged.wi.us.criten.net NOTICE [XD:snagged.wi.us.criten.net NOTICE AUTH :*** Found your hostname, cached{A}
:snagged.wi.us.criten.net NOTICE AUTH :*** Checking Ident{A}
:snagged.wi.us.criten.net 001 [XDCC]SLT-L482 :Welcome to the Criten IRC Network [XDCC]SLT-L482!~b0b@dhcp-108-176.harv
ard.edu{D}{A}
:snagged.wi.us.criten.net 002 [XDCC]SLT-L482 :Your host is snagged.wi.us.criten.net[@0.0.0.0], running version bahamut-1
.4(34){D}{A}
:snagged.wi.us.criten.net 003 [XDCC]SLT-L482 :This server was created Fri Oct 18 2002 at 12:49:34 CDT{D}{A}
:snagged.wi.us.criten.net 004 [XDCC]SLT-L482 snagged.wi.us.criten.net bahamut-1.4(34) oiwscrknfydaAbghe biklLmMnoprRstvc
{D}{A}
:snagged.wi.us.criten.net 005 [XDCC]SLT-L482 NOQUIT WATCH=128 SAFELIST MODES=13 MAXCHANNELS=15 MAXBANS=100 NICKLEN=30 TO
PICLEN=307 KICKLEN=307 CHANTYPES=&# PREFIX=(ov)@+ NETWORK=Criten SILENCE=10 CASEMAPPING=ascii :are available on this serv
er{D}{A}
:snagged.wi.us.criten.net 251 [XDCC]SLT-L482 :There are 59 users and 6470 invisible on 17 servers{D}{A}
:snagged.wi.us.criten.net 252 [XDCC]SLT-L482 30 :IRC Operators online{D}{A}
:snagged.wi.us.criten.net 253 [XDCC]SLT-L482 84 :unknown connection(s){D}{A}
:snagged.wi.us.criten.net 254 [XDCC]SLT-L482 738 :channels formed{D}{A}
:snagged.wi.us.criten.net 255 [XDCC]SLT-L482 :I have 705 clients and 1 servers{D}{A}
:snagged.wi.us.criten.net 265 [XDCC]SLT-L482 :Current local users: 705 Max: 3506{D}{A}
:snagged.wi.us.criten.net 266 [XDCC]SLT-L482 :Current global users: 6529 Max: 13238{D}{A}
:snagged.wi.us.criten.net NOTICE [XD{A}
NIDS – Management
- Correlation is key
  - Multiple sensors
  - Single data repository
    - Syslog
    - DBMS
    - Text files
NIDS – Placement
- Inside firewall
  - Limits false positives – "cleaner" data
- Outside firewall
  - Shows overall interest
- Need to collect all traffic
  - Switch port won't cut it
    - Hub
    - Switch SPAN port
    - Passive tap
  - Difficult on high-bandwidth links (>300Mbps)
    - Distribution devices (TopLayer, etc.)
    - Hardware
NIDS – Drawbacks
- False positives
- LOTS of data
  - We generate 3-4GB of logs each day on a ~250Mbps sustained link
  - Makes alerting difficult
- Interoperability
  - ESM – Intellitactics, PentaSafe, etc.
NIDS – Drawbacks
- Evasion
  - Packet fragmentation
    - Out of order, overlapping
    - Fragroute
  - Character encodings / padding
    - Unicode, mixed case, ../..'s, \0's
  - OS stack behavior
  - A simple "grep" of a packet won't work
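As an added example (not from the slides), the defender's side of this slide: a per-packet grep misses a string split across out-of-order segments, while matching on a reassembled stream does not. NEEDLE is the page's /5Bxdcc/5Dslt search string with its hex escapes decoded; the segments are constructed sample data, and the first-wins/last-wins overlap parameter stands in for the target-stack-dependent policy the slide calls "OS stack behavior".

```python
# Added example (not from the slides): why a per-packet "grep" misses what
# the Evasion slide lists, and the defender's fix. Out-of-order segments are
# reassembled by stream offset before matching. Overlap resolution is a
# policy choice (the slide's "OS stack behavior" point): first-wins versus
# last-wins is a parameter here, because the right answer depends on how
# the protected host's stack would rebuild the stream.
NEEDLE = b"[xdcc]slt"   # the page's /5Bxdcc/5Dslt with hex escapes decoded

def grep_packet(payload: bytes) -> bool:
    """The naive per-packet check: one segment at a time, case-folded."""
    return NEEDLE in payload.lower()

def reassemble(segments, last_wins=False) -> bytes:
    """segments: (offset, data) pairs in arrival order, offsets relative to
    the start of the stream. Returns the rebuilt stream; gaps stay zero."""
    segments = list(segments)
    end = max(off + len(data) for off, data in segments)
    buf = bytearray(end)
    seen = bytearray(end)          # 1 where a byte has already been written
    for off, data in segments:
        for i, b in enumerate(data):
            if last_wins or not seen[off + i]:
                buf[off + i] = b
                seen[off + i] = 1
    return bytes(buf)

def grep_stream(segments, last_wins=False) -> bool:
    """The stateful check: match against the reassembled, case-folded stream."""
    return NEEDLE in reassemble(segments, last_wins).lower()

# Constructed: the client's NICK line split into three segments, delivered
# out of order, with mixed case so a case-sensitive match would also fail.
STREAM = b"NICK [XdCc]SlT-L482\n"
SEGMENTS = [(10, STREAM[10:]), (0, STREAM[:5]), (5, STREAM[5:10])]

if __name__ == "__main__":
    print([grep_packet(d) for _, d in SEGMENTS])   # no single segment matches
    print(grep_stream(SEGMENTS))                     # the rebuilt stream does
```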
Active Response
- NIDS is primarily a passive technology
  - Only monitors traffic
  - Doesn't sit in the data stream
- Active response
  - aka "sniping", flex response
Active Response
- Several issues
  - Timing
    - By the time filters are applied, attack is complete
  - False alarms / spoofed traffic
    - Self-inflicted DoS
  - Lack of formatting standards
    - CVE, OPSEC
Intrusion Prevention
- Place system in-line
  - Hardware
  - Redundancy
- Acts as an IDS/Firewall hybrid
  - Hogwash
NIDS on the Cheap
- So you want a NIDS?
- Snort
  - Open-source NIDS
  - Quickly becoming the "Apache" of IDS
  - Runs on Windows and most Unix variants
- MySQL
  - Open-source DBMS
- ACID
  - Great web-based front-end for Snort/MySQL
- A place to collect traffic
  - Your NIC is fine if you have only one machine
  - Use a hub if you've got a LAN
Additional Resources
- Fragroute
  - http://monkey.org/~dugsong/fragroute/
- Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
  - http://secinf.net/info/ids/idspaper/idspaper.html
- HIDS Products
  - PortSentry: http://www.psionic.com/products/portsentry.html
  - Tripwire: http://www.tripwire.com/
  - AIDE: http://www.cs.tut.fi/~rammer/aide.html
- NIDS Products
  - Snort: http://www.snort.org
  - Dragon: http://www.enterasys.com/ids/
  - CiscoSecure IDS
  - ISS RealSecure: http://www.iss.net/products_services/enterprise_protection/rsnetwork/index.php
  - ACID: http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html
  - Hogwash: http://hogwash.sourceforge.net/
Questions?