COEN 252 Computer Forensics

About This Presentation
Provided by: thomass155
Learn more at: http://www.cse.scu.edu
Slides: 33

Transcript and Presenter's Notes

1
COEN 252 Computer Forensics
  • Intrusion Detection Systems

2
IDS Overview
  • Intrusion Detection System
  • Host based
  • Network based (NIDS)
  • System Integrity Verifiers (SIV)
  • Log File Monitors
  • Deception Systems (decoys, honeypots)

3
IDS Architecture
  • Raw packet logging
  • Too much traffic, hence
  • Attack detection
  • Attack Signatures
  • Can only find known attacks
  • Anomaly Detection
  • Finds deviations from normal traffic
  • But what is normal traffic?

4
IDS Architecture
  • Host Based Intrusion Detection
  • Looks for changes to critical files.
  • Tripwire.
  • Detection of change and recovery to known good
    states already provided by MS Windows.
  • Provide this system with access control.

5
IDS Architecture
  • False positives
  • Alarms are ringing, but there is no fire.
  • E.g.
  • NIDS reported login attempts.
  • From within the network, but from remote site.
  • Logs showed that the logons were attempts to access
    unavailable network resources.
  • Traced to workstations attempting to access an
    antivirus software update server.

6
IDS Architecture
  • False Negatives.
  • Stealth scans: traffic at a slow rate.
  • Suspicious traffic can be legitimate
  • User forgot password.
  • DoS attacks can be hard to distinguish from heavy
    traffic

7
IDS Architecture
  • NIDS placement
  • NIDS limited by traffic.
  • Switched environments make NIDS difficult to
    place.
  • On network perimeter
  • Both sides of firewalls.

8
IDS Operations
  • Anomaly Detection
  • Based on statistical anomalies, compared with
  • CPU utilization
  • Disk activity
  • User logins
  • File activity, etc.
  • Does not have to understand the cause.

9
IDS Operations
  • Application protocol verification
  • Invalid protocol behavior, such as WinNuke
  • WinNuke attacker sends out-of-band / urgent
    data to port 139 on a Win95 system.
  • Unusual behavior such as DNS cache poisoning.
  • Simply create new logs that can later be
    correlated with other system logs to show what
    happened.

10
IDS Example: UDP Flooding, January 1999
    08:10:10 bobadilla.echo > 192.210.19.198.666: udp 1024 (DF)
    08:10:10 bobadilla.echo > 192.210.19.198.666: udp 426 (DF)
    08:10:17 bobadilla.echo > 192.210.19.198.666: udp 1024 (DF)
    08:10:17 bobadilla.echo > 192.210.19.198.666: udp 426 (DF)
    08:10:22 bobadilla.echo > 192.210.19.198.666: udp 1024 (DF)
    08:10:22 bobadilla.echo > 192.210.19.198.666: udp 426 (DF)
    08:10:28 bobadilla.echo > 192.210.19.62.666: udp 1024 (DF)
    08:10:28 bobadilla.echo > 192.210.19.62.666: udp 426 (DF)
    08:10:35 bobadilla.echo > 192.210.19.198.666: udp 1024 (DF)
    08:10:35 bobadilla.echo > 192.210.19.198.666: udp 426 (DF)
    08:10:49 bobadilla.echo > 192.210.19.62.666: udp 1024 (DF)
    08:10:49 bobadilla.echo > 192.210.19.62.666: udp 426 (DF)
    08:11:05 bobadilla.echo > 192.210.19.62.666: udp 1024 (DF)
    08:11:05 bobadilla.echo > 192.210.19.62.666: udp 426 (DF)

11
IDS Example: UDP Flooding, January 1999
  • Example of the Pepsi UDP flood.
  • Sends out UDP packets as fast as possible.
  • Sends UDP packets with a spoofed return address
    to an echo port (at bobadilla).
  • Echo returns each packet to the spoofed source address.
  • Two systems under attack.
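Added example, not part of the slides: the detection side of slides 10 and 11. It parses the fourteen tcpdump lines of slide 10 (copied here with their punctuation restored), aggregates them per source host, source port, destination and destination port, and flags the reflection pattern: a host's echo service should only answer what it was sent, so a sustained stream of echo replies aimed at one destination port that is not itself an echo port means spoofed packets are being bounced off that host. The threshold of three packets is an assumption chosen for the sample.

```python
import re
from collections import defaultdict

# The fourteen tcpdump lines of the slide, stripped punctuation restored
# (a constructed copy for this example).
LOG = """\
08:10:10 bobadilla.echo > 192.210.19.198.666: udp 1024 (DF)
08:10:10 bobadilla.echo > 192.210.19.198.666: udp 426 (DF)
08:10:17 bobadilla.echo > 192.210.19.198.666: udp 1024 (DF)
08:10:17 bobadilla.echo > 192.210.19.198.666: udp 426 (DF)
08:10:22 bobadilla.echo > 192.210.19.198.666: udp 1024 (DF)
08:10:22 bobadilla.echo > 192.210.19.198.666: udp 426 (DF)
08:10:28 bobadilla.echo > 192.210.19.62.666: udp 1024 (DF)
08:10:28 bobadilla.echo > 192.210.19.62.666: udp 426 (DF)
08:10:35 bobadilla.echo > 192.210.19.198.666: udp 1024 (DF)
08:10:35 bobadilla.echo > 192.210.19.198.666: udp 426 (DF)
08:10:49 bobadilla.echo > 192.210.19.62.666: udp 1024 (DF)
08:10:49 bobadilla.echo > 192.210.19.62.666: udp 426 (DF)
08:11:05 bobadilla.echo > 192.210.19.62.666: udp 1024 (DF)
08:11:05 bobadilla.echo > 192.210.19.62.666: udp 426 (DF)
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+)\.(\w+) > (\S+)\.(\d+): udp (\d+)")


def parse(text):
    """Yield one record per tcpdump line; the source port is a service name here."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        hh, mm, ss, shost, sport, dhost, dport, length = m.groups()
        yield {"t": int(hh) * 3600 + int(mm) * 60 + int(ss), "shost": shost,
               "sport": sport, "dhost": dhost, "dport": int(dport), "len": int(length)}


def summarize(packets):
    """Packets, bytes and time span per (source host, source port, destination, port)."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for p in packets:
        s = stats[(p["shost"], p["sport"], p["dhost"], p["dport"])]
        s["packets"] += 1
        s["bytes"] += p["len"]
        s["first"] = p["t"] if s["first"] is None else min(s["first"], p["t"])
        s["last"] = p["t"] if s["last"] is None else max(s["last"], p["t"])
    return dict(stats)


def echo_reflection_alerts(stats, min_packets=3):
    """Echo replies streaming toward one non-echo destination port mean the
    echo host is being used as a reflector: report reflector and apparent victim."""
    alerts = []
    for (shost, sport, dhost, dport), s in stats.items():
        if sport == "echo" and dport != 7 and s["packets"] >= min_packets:
            span = max(1, s["last"] - s["first"])   # seconds covered by the stream
            alerts.append({"reflector": shost, "victim": dhost, "port": dport,
                           "packets": s["packets"], "bytes": s["bytes"],
                           "seconds": span, "pps": round(s["packets"] / span, 2)})
    return sorted(alerts, key=lambda a: a["victim"])


if __name__ == "__main__":
    for alert in echo_reflection_alerts(summarize(parse(LOG))):
        print(alert)
```

On the slide's data this yields two alerts, one per victim, which is exactly the "two systems under attack" conclusion; the same aggregation keyed on destination would also surface the victims if several reflectors were in use.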

12
IDS Example: pepsi.c found on Internet
  • /*
  • pepsi.c
  • Random Source Host UDP flooder
  • Author Soldier_at_data-t.org
  • 12.25.1996
  • Greets To Havok, nightmar, vira, Kage,
    ananda, tmw, Cheesebal, efudd,
  • Capone, cphber, WebbeR, Shadowimg, robocod,
    napster, marl, eLLjAY, fLICK
  • Toasty, shadow, magnus and silitek, oh and
    Data-T.
  • Fuck You to Razor1911 the bigest fucking
    lamers in the warez comunity,
  • Yakuza for ripping my code, cha0s on the
    undernet for trying to port
  • it to win95, then ircOpers on efnet for being
    such cocksuckers
  • especially prae for trying to call the fbi on
    me at least 5 times.
  • all warez pups i don't know for ripping off
    honest programers.
  • and Dianora for being a lesbian hoe,
    Srfag..err SrfRog for having an ego
  • the size of california.

13
IDS Example: pepsi.c found on Internet
    #define FRIEND  "My christmas present to the internet -Soldier"
    #define VERSION "Pepsi.c v1.6"
    #define DSTPORT 7
    #define SRCPORT 19
    #define PSIZE   1024
    #define DWAIT   1

14
IDS Example: pepsi.c found on Internet
    void usage(char *pname)
    {
        printf("usage:\n ");
        printf("%s -s src -n num -p size -d port -o port -w wait <dest>\n\n", pname);
        printf("\t-s <src>  source where packets are comming from\n");
        printf("\t-n <num>  number of UDP packets to send\n");
        printf("\t-p <size> Packet Size: Default is 1024\n");
        printf("\t-d <port> Destination Port: Default is %.2d\n", DSTPORT);
        printf("\t-o <port> Source Port: Default is %.2d\n", SRCPORT);
        printf("\t-w <time> Wait time between packets: Default is 1\n");
        printf("\t<dest>    destination \n");
        printf("\n");
        exit(EXIT_SUCCESS);
    }

15
IDS Example: pepsi.c found on Internet
    if (srchost && *srchost)
        ip->saddr = resolve(srchost);
    ip->daddr    = dst;
    ip->version  = 4;
    ip->ihl      = 5;
    ip->ttl      = 255;
    ip->protocol = IPPROTO_UDP;
    ip->tot_len  = htons(sizeof(struct iphdr) + sizeof(struct udphdr) + psize);
    ip->check    = in_cksum(ip, sizeof(struct iphdr));
    udp->source  = htons(srcport);
    udp->dest    = htons(dstport);
    udp->len     = htons(sizeof(struct udphdr) + psize);

16
IDS Example: pepsi.c found on Internet
    if (sendto(sen, packet, sizeof(struct iphdr) + sizeof(struct udphdr) + psize, 0,
               (struct sockaddr *) &dstaddr,
               sizeof(struct sockaddr_in)) == (-1)) {
        puts(" Error sending Packet");
        perror("SendPacket");
        exit(EXIT_FAILURE);
    }

17
IDS Example: pepsi.c found on Internet
  • This is almost the complete code.
  • Default ports are defined, but can be
    overridden.
  • Port 666 is used by the Doom game.
  • User input allows changing the default values.
  • Packet is crafted.
  • And sent.

18
IDS and Firewalls
  • Firewalls perturb traffic.
  • Three-way handshake is disrupted.
  • Firewall logs are primary evidence and are the
    primary method of intrusion detection.

19
IDS and Firewalls
  • Firewall Log
  • IP packet discarded from 222.168.40.21 for port
    1880.
  • IP packet discarded from 222.168.40.21 for port
    1882.
  • IP packet discarded from 222.168.40.21 for port
    1881.
  • This firewall log gives us a fact, but not enough
    to figure out what is happening.
  • Is this TCP? UDP?

20
IDS and Firewalls
  • Another log from a different vendor
  • UDP packet dropped: Source: 123.4.56.78, 2820, WAN;
    Destination: 169.8.27.38, 33430, LAN; - - Rule 33
  • This entry gives us enough information: source
    port, destination port, protocol.
  • Traceroute from outside to the web server.

21
IDS and Firewalls
  • Yet another log
  • Myhost kernel: IN=eth0 OUT= MAC=00:80:80:80:98:ae:3e:32:12:45:a0
    SRC=1.1.1.1 DST=192.168.127.45 LEN=38 TOS=0x00 PREC=0x00
    TTL=1 ID=31758 PROTO=UDP SPT=32789 DPT=33433
  • This is another traceroute.
  • Best log seen.
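Added example, not part of the slides: a normalizer for the three firewall log formats of slides 19 to 21. Each vendor line is mapped onto the same field names (protocol, source, source port, destination, destination port, TTL), so the fields a format does not log show up as `None` and can be listed, which is the slide's point about the first log giving "a fact, but not enough". The sample lines are constructed copies of the slides' entries; the exact punctuation of the second vendor's format is an assumption, since the slide shows it with separators stripped. The traceroute check is a simple heuristic of my own (UDP toward an unused high port around the classic 33434 range, with a small TTL where the log records one), not something the slides state.

```python
import re

# Constructed copies of the three log lines from slides 19 to 21.
SAMPLE_LINES = [
    "IP packet discarded from 222.168.40.21 for port 1880.",
    "UDP packet dropped: Source: 123.4.56.78, 2820, WAN; "
    "Destination: 169.8.27.38, 33430, LAN; - - Rule 33",
    "Myhost kernel: IN=eth0 OUT= MAC=00:80:80:80:98:ae:3e:32:12:45:a0 "
    "SRC=1.1.1.1 DST=192.168.127.45 LEN=38 TOS=0x00 PREC=0x00 "
    "TTL=1 ID=31758 PROTO=UDP SPT=32789 DPT=33433",
]

FIELDS = ("proto", "src", "sport", "dst", "dport", "ttl")
RE_VENDOR_A = re.compile(r"IP packet discarded from (\S+) for port (\d+)")
RE_VENDOR_B = re.compile(r"(\w+) packet dropped: Source: (\S+), (\d+), \w+; "
                         r"Destination: (\S+), (\d+), \w+;")
RE_NETFILTER = re.compile(r"kernel: (.*)$")   # Linux iptables/netfilter style


def normalize(line):
    """One record with the same field names whatever the vendor; None = not logged."""
    rec = dict.fromkeys(FIELDS)
    if m := RE_VENDOR_A.search(line):
        rec.update(src=m.group(1), dport=int(m.group(2)))
    elif m := RE_VENDOR_B.search(line):
        rec.update(proto=m.group(1).upper(), src=m.group(2), sport=int(m.group(3)),
                   dst=m.group(4), dport=int(m.group(5)))
    elif m := RE_NETFILTER.search(line):
        # KEY=VALUE tokens; OUT= and MAC= are present but not needed here
        kv = dict(tok.split("=", 1) for tok in m.group(1).split() if "=" in tok)
        rec.update(proto=kv.get("PROTO"), src=kv.get("SRC"), dst=kv.get("DST"))
        for key, field in (("SPT", "sport"), ("DPT", "dport"), ("TTL", "ttl")):
            if kv.get(key):
                rec[field] = int(kv[key])
    else:
        return None
    return rec


def missing(rec):
    """Fields an analyst would want that this vendor did not log."""
    return [f for f in FIELDS if rec[f] is None]


def looks_like_traceroute(rec):
    """Constructed heuristic (not from the slides): Unix traceroute sends UDP probes
    to unused high ports, classically 33434 upward, with small TTLs."""
    if rec["proto"] != "UDP" or rec["dport"] is None:
        return False
    if not 33000 <= rec["dport"] < 34000:
        return False
    return rec["ttl"] is None or rec["ttl"] <= 30


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = normalize(line)
        print(rec, "missing:", missing(rec), "traceroute?", looks_like_traceroute(rec))
```

The first format cannot be classified at all because it never says which protocol was dropped; the netfilter line is the only one with nothing missing, which is why the slide calls it the best log seen.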

22
IDS and Signatures
  • Signature Types
  • Header-based: inspect the packet header
  • Pattern-matching: match on a content string
  • Atomic: match within a single packet
  • Stateful: match on reassembled packets
  • Protocol-based: inspect against the RFC
  • Heuristic-based: inspect based on statistics
  • Anomaly-based

23
IDS and Signatures
  • Header-based
  • Destination port TCP 139 and Out of Band
  • tcpdump 'dst port 139 and tcp[13] & 0x20 != 0 and tcp[18:2] != 0'
  • Detects the old WinNuke attack.
  • WinNuke packets go to NetBIOS ports such as 139,
    have the urgent flag set, and have a non-zero
    urgent pointer value.

24
IDS and Signatures
  • Pattern-matching: looking for the tsig overflow
    attempt.
  • alert udp $External_Net any -> $Home_Net 53 \
    (msg: "Exploit named tsig overflow attempt"; \
    content: "|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh";)
  • Snort rule looking for the pattern of a BIND
    transaction signature (tsig) code.
  • Looks for specific bytes sent to UDP destination
    port 53.

25
IDS and Signatures
  • Heuristic-based
  • Look for large ICMP packets
  • alert icmp any any -> $HOME_NET any (msg: "Large ICMP packet"; dsize: >800;)
  • Such large ICMP packets are unusual.

26
IDS and Signatures
  • Encryption
  • Back Orifice uses a simple encryption scheme to
    protect its packet payload.
  • All BO packets start with *!*QWTY?
  • Barbwire uses Blowfish encryption.
  • Challenge for string searches.

27
IDS and Signatures
  • Fragmentation
  • Allows attack strings to be hidden.
  • Stateful analysis is more cumbersome.
  • Too Generic
  • Superscan
  • 4500 0024 c5eb 0000 6f01 a144 4201 f789
  • c08a 6b42 0800 fc46 0200 f9b8 0000 0000
  • 0000 0000 0000 0000 0000 0000 0000
  • alert icmp !$HOME_NET any -> $HOME_NET any (msg: "Superscan echo";
    content: "|00 00 00 00 00 00 00 00|"; itype: 8; dsize: 8;)
  • Too many matches.

28
Traffic Analysis
  • Look for crafted packets
  • Cheops uses TCP with both the SYN and FIN flags set.
    This is impossible in normal TCP.
  • Basic traffic characteristics
  • To, from, date, time
  • Information on source host
  • Weight or severity
  • Size, service, type, class
  • Tiny fragments, e.g. generated by nmap.
  • Strange TTL values
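Added example, not part of the slides: a small signature matcher that expresses the rules of slides 23 to 27 and the SYN+FIN check of slide 28 as predicates over parsed IP packets, so the signature types can be compared on the same traffic. The packet builders and all sample packets are constructed for this example, except the Superscan probe, whose 36 bytes are the hex dump on slide 27 (the trailing zero words on the slide are frame padding and are dropped). The DNS sample carries the byte string from the Snort rule followed by filler and is only a test vector for the matcher. As on the slide, `dsize` is taken to be the bytes after the 8-byte ICMP header. Running it shows the "too generic" point directly: the Superscan signature also fires on an ordinary ping with an eight-byte zero payload.

```python
import socket
import struct


# --- constructed packet builders (not from the slides) -----------------------
def ip_packet(proto, src, dst, l4):
    """Minimal IPv4 header; checksum left 0 because the matcher never verifies it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4


def tcp_segment(sport, dport, flags, urgptr=0, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, urgptr) + payload


def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp_message(itype, payload):
    return struct.pack("!BBHHH", itype, 0, 0, 0x0200, 0xF9B8) + payload


def parse_ip(raw):
    """Pull out the header fields the signatures below look at."""
    ihl = (raw[0] & 0x0F) * 4
    pkt = {"proto": raw[9], "src": socket.inet_ntoa(raw[12:16]),
           "dst": socket.inet_ntoa(raw[16:20]), "sport": None, "dport": None,
           "flags": 0, "urg": 0, "itype": None, "data": b""}
    l4 = raw[ihl:]
    if pkt["proto"] == 6:                         # TCP: flags byte 13, urgent pointer 18:2
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[0:4])
        pkt["flags"], pkt["urg"] = l4[13], struct.unpack("!H", l4[18:20])[0]
        pkt["data"] = l4[(l4[12] >> 4) * 4:]
    elif pkt["proto"] == 17:                      # UDP
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[0:4])
        pkt["data"] = l4[8:]
    elif pkt["proto"] == 1:                       # ICMP: dsize = bytes after the 8-byte header
        pkt["itype"], pkt["data"] = l4[0], l4[8:]
    return pkt


# --- the slides' signatures as predicates -------------------------------------
TSIG_CONTENT = bytes.fromhex("80 00 07 00 00 00 00 00 01 3F 00 01 02") + b"/bin/sh"


def sig_winnuke(p):      # header-based: dst port 139, URG flag set, urgent pointer non-zero
    return p["proto"] == 6 and p["dport"] == 139 and bool(p["flags"] & 0x20) and p["urg"] != 0


def sig_tsig(p):         # pattern-matching: UDP to port 53 carrying the tsig byte string
    return p["proto"] == 17 and p["dport"] == 53 and TSIG_CONTENT in p["data"]


def sig_large_icmp(p):   # heuristic: dsize > 800
    return p["proto"] == 1 and len(p["data"]) > 800


def sig_superscan(p):    # itype 8, dsize 8, eight zero bytes: too generic
    return p["proto"] == 1 and p["itype"] == 8 and p["data"] == b"\x00" * 8


def sig_syn_fin(p):      # crafted packet: SYN (0x02) and FIN (0x01) together
    return p["proto"] == 6 and (p["flags"] & 0x03) == 0x03


SIGNATURES = {"winnuke": sig_winnuke, "tsig_overflow": sig_tsig, "large_icmp": sig_large_icmp,
              "superscan": sig_superscan, "syn_fin": sig_syn_fin}


def scan(raw):
    """Names of every signature that fires on one raw IP packet."""
    p = parse_ip(raw)
    return [name for name, fn in SIGNATURES.items() if fn(p)]


# --- sample traffic -----------------------------------------------------------
# Slide 27's Superscan dump, first 36 bytes (IP total length 0x0024).
SUPERSCAN = bytes.fromhex("4500 0024 c5eb 0000 6f01 a144 4201 f789 c08a 6b42 "
                          "0800 fc46 0200 f9b8 0000 0000 0000 0000")
WINNUKE = ip_packet(6, "10.0.0.5", "10.0.0.9", tcp_segment(1025, 139, 0x38, urgptr=3, payload=b"abc"))
NORMAL_139 = ip_packet(6, "10.0.0.5", "10.0.0.9", tcp_segment(1025, 139, 0x18, payload=b"abc"))
SYN_FIN = ip_packet(6, "10.0.0.5", "10.0.0.9", tcp_segment(40000, 80, 0x03))
TSIG = ip_packet(17, "10.0.0.5", "10.0.0.53", udp_datagram(5353, 53, b"\x12\x34" + TSIG_CONTENT + b"A" * 32))
BIG_PING = ip_packet(1, "10.0.0.5", "10.0.0.9", icmp_message(8, b"\x00" * 1000))
LEGIT_PING = ip_packet(1, "10.0.0.7", "10.0.0.9", icmp_message(8, b"\x00" * 8))

if __name__ == "__main__":
    for name, raw in [("winnuke", WINNUKE), ("normal 139", NORMAL_139), ("syn+fin", SYN_FIN),
                      ("tsig", TSIG), ("big ping", BIG_PING), ("superscan", SUPERSCAN),
                      ("ordinary ping", LEGIT_PING)]:
        print(f"{name:14s} {parse_ip(raw)['src']:>14s} -> {scan(raw)}")
```

Note what each predicate needs from the packet: the header-based and SYN+FIN checks never look at the payload, the content rule never looks at flags, and the two ICMP rules differ only in what they say about `dsize`, which is why one is a useful heuristic and the other matches every small ping.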

29
Traffic Analysis
  • Link Graphs
  • A message passing from A to B generates a link
    between A and B.
  • Links are weighted by the number of connections.

30
Traffic Analysis
  • Link Graphs
  • Ping Scan

[Figure: link graph of a ping scan, with nodes A, B, C, D, E, F, G, H, I, J and X]
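Added example, not part of the slides: the link graph of slides 29 and 30 built from constructed connection records. Each message between two hosts adds weight to the link between them; a ping scan then shows up as one node with many single-weight links, the star shape the figure above depicts. The host names, the scanning node X, and the thresholds in `scan_suspects` are assumptions for the sample, and `to_dot` emits Graphviz source so the graph can be drawn.

```python
from collections import defaultdict

# Constructed connection records (source, destination), not taken from the slides.
# A few hosts talk to each other repeatedly; one node, X, sends a single
# ICMP echo to every host, the ping scan of slide 30.
CONNECTIONS = [("A", "B"), ("B", "A"), ("A", "B"), ("C", "D"), ("D", "C"),
               ("E", "F"), ("G", "H"), ("I", "J")]
CONNECTIONS += [("X", host) for host in "ABCDEFGHIJ"]


def link_graph(conns):
    """Undirected graph; the link weight is the number of messages between the pair."""
    graph = defaultdict(lambda: defaultdict(int))
    for a, b in conns:
        graph[a][b] += 1
        graph[b][a] += 1
    return graph


def fan_out(graph):
    """Distinct peers per node."""
    return {node: len(peers) for node, peers in graph.items()}


def scan_suspects(graph, min_peers=5, max_weight=1):
    """Nodes that touch many peers with only a message or two each:
    the star a ping or port scan leaves in the link graph."""
    suspects = []
    for node, peers in graph.items():
        light_links = [p for p, w in peers.items() if w <= max_weight]
        if len(light_links) >= min_peers:
            suspects.append(node)
    return sorted(suspects)


def to_dot(graph):
    """Graphviz source for the weighted graph, one line per undirected link."""
    seen, lines = set(), ["graph links {"]
    for a, peers in graph.items():
        for b, w in peers.items():
            if (b, a) not in seen:
                seen.add((a, b))
                lines.append(f'  "{a}" -- "{b}" [label={w}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    g = link_graph(CONNECTIONS)
    print("fan-out:", fan_out(g))
    print("scan suspects:", scan_suspects(g))
    print(to_dot(g))
```

The heavy A-B link (three messages) is normal chatter; X is the only node whose degree is high while every one of its links is light, which is the profile the slide's short-time statistics on connections and port spread are meant to surface.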
31
Traffic Analysis
Intellitactics NSM
32
Traffic Analysis
  • Short Time Profile Changes
  • Profile: statistics on connections, port spread,
    services, etc.