IDS In Depth Search: Ideas, Descriptions, and Solutions Presentation by Marshall Washburn November 30th, 2010 CPSC 420/620 w/ Dr. Grossman Introduction and Layout • What is an IDS? – How it works – NIDS vs. HIDS (vs. NNIDS) • Different uses of an IDS – Passive vs. Aggressive (IDPS) – Anomaly vs. Signature • Supplements and Add-ons – Logging – Honeypots • Gotchas – False Positives – False Negatives • Closer look – Snort – Info – Modes – Rules & Features • Conclusion What is an IDS? • IDS – Intrusion Detection System – Analyzes network traffic – Reports problems • Three types of IDS – Network-based Intrusion Detection – Host-based Intrusion Detection – Network Node-based Intrusion Detection Types of IDS • Network-IDS – Typical view of IDS – Watches a subnet – Typically a perimeter defense • Host-based IDS – Watches host computers, involves software – Looks for system calls and registry changes – Typically an internal defense • Network-Node IDS – Specific host traffic – Kind of specialized NIDS (ex: VPN device) Types of IDS http://www.informit.com/articles/article.aspx?p=29601 http://ptgmedia.pearsoncmg.com/images/art_peikari1_intrusiondetection/elementLinks/fig01.gif Different uses of an IDS • How should the system react? • Passive system – Scans packets, traffic, or system – Takes notes – Sends alerts • Active system (Intrusion Detection and Prevention System) – Passive system + barrel rolls – Kills connections or modifies firewalls • Pros and Cons: Passive vs. Active – Less maintenance and lack of painful false alarms vs. More maintenance but avoid disasters Different uses of an IDS • What should the system look for? • Anomaly-based IDS – Samples network traffic – Checks against predefined ‘ideal’ traffic • Signature-based IDS – Polar opposite of anomaly – Samples network traffic – Checks against predefined virus patterns • Pros and Cons: Anomaly vs. Signature – Hard to pin down ‘normal’ network traffic, especially when updating or migrating a system – Virus patterns are only as good as the updated list Supplements and Add-ons • IDS: Good by themselves, great on a team – External Logging – Honeypots http://i.ehow.com/images/a06/e3/83/state-ohio-tax-id-number-120X120.jpg http://blog.hazrulnz.net/tag/ids IDS Logging • IDS typically logs traffic locally – Can become unorganized – Hard to search through • External Logging Databases (ex: ACIDBASE) – Categorize suspected attacks – IP traffic – Port traffic – Latest virus information – Stealthy logging Honeypots • IDS can be used on production or development systems • Honeypots lure attacker in (ex: Honeyd) – Network decoys to distract away from vulnerable machines – Typically virtual machines that simulate real networks – Honeypots capture the attacks, IDS analyzes, your system stays secure. A Few Gotchas • Every rose has its thorn… • False Positives – Normal traffic suspected to be malicious • False Negatives – Some attack is flagged to be normal or non-malicious • Not software flaws, usually configuration flaws – Encrypted traffic can cause false positives, and mutated worms or viruses can mismatch an attack pattern and cause false negatives. Quick Case Study: Snort • Originally released in 1998 by Sourcefire founder and CTO Martin Roesch • Combines signature and anomaly techniques • Ready out of the box • Updated rule sets • Three primary modes – Sniffer mode – Packet-logger mode – Network IDS mode Snort Rules • Can specify what IP subnet to look at and types of traffic in ‘snort.conf’ file • Sample rule – alert tcp any any -> 192.168.1.0/24 111 \ (content:"|00 01 86 a5|"; msg:"mountd access";) • Easy to customize with many different features – – – – Logging, passing, dropping, custom TCP and/or UDP, ICMP, IP Traffic direction Content, raw bytes, offsets Conclusions • Useful tool to keep a network safe • There are many different styles to a detection system • Snort incorporates many of the capabilities of intrusion detection systems – multiple detection techniques – ability to customize simple rules Works Cited • Bauer, Mick. “Stealthful Sniffing, Intrusion Detection and Logging http://www.linuxjournal.com/article/6222 October, 2002 • Innella, Paul. “The Evolution of Intrusion Detection Systems” http://www.symantec.com/connect/articles/evolution-intrusiondetection-systems November 16th, 2001 • Mattord, Verma (2008). Principles of Information Security. Course Technology. pp. 290–301 • Provos, Niels. “A Virtual Honeypot Network” http://www.usenix.org/event/sec04/tech/full_papers/provos/provos_htm l/ Proceedings of the 13th USENIX Security Symposium. August, 2004 • Timm, Kevin. “Strategies to Reduce False Positives and False Negatives in NIDS” http://www.symantec.com/connect/articles/strategies-reducefalse-positives-and-false-negatives-nids September, 2001 • The Snort Team. SNORT Users Manual 2.9.0. http://www.snort.org/assets/152/snort_manual.pdf September, 2010 • Wikipedia. http://en.wikipedia.org/wiki/Intrusion_detection_system