IDS:%20Intrusion%20Detection%20System

1
IDS Intrusion Detection System
C. Edward Chow
2
Outline of The Talk

• Definition, Concepts
• Network Intrusion Detection Snort
• A2D2 (Integrating NIDS with Firewall)
• Host Intrusion Detection Tripwire
• References
• Chapter 25 Intrusion Detection, by Matt Bishop.
• Chapter 7 Network Intrusion Detection, Inside
  Network Perimeter Security, by Northcutt et al
  (reserved in UCCS Library)
• NIST IDS Survey http//cs.uccs.edu/chow/pub/ids/
  NISTsp800-31.pdf
• A2D2 http//cs.uccs.edu/chow/pub/master/acearns/
  doc/
• http//cs.uccs.edu/chow/pub/ids/2001_vigna_kemmer
  er_blix_raid01.pdf
• Snort http//www.snort.org/
• Tripwire http//www.tripwire.org/

3
Architecture of IDS
HIDS Host Intrusion Detection SystemNIDS
Network Intrusion Detection System(logger)
Director(Analyzer)
Notifier
4
HIDS vs. NIDS

• Two Basic Types of IDS
• Host-based IDS
• Periodically analyze logs, perform file system
  integrity check.
• Examples
• Generic ISS RealSecure Server Sensor.
• Check host file system Tripwire, AIDE
• Check host network connections BlackICE,
  PortSentry
• Check hosts log files LogSentry, Swatch
• Network-based IDS
• Analyze network traffic content and pattern for
  signs of intrusion
• Examples
• Snort, Cisco IDS4235,

5
IDS Placement
6
Snort

• A popular network intrusion public domain
  package, available on www.snort.org.
• It allows the user to specify a set of rules
  which specifies the pattern in the packets, and
  the corresponding actions (typically just an
  alert msg) for matched packets.
• It also allows the user to create their own
  plug-in for additional detection that is not
  available with default pattern matching. For
  example, the subnet flooding, it requires
  modification of preprocessing step.
• It was used by many other packages and products.
• On snort download site, installation steps are
  given for integrating snort with mysql, apache,
  webmin, and ACID for easy web-based access and
  display of the intrusion instance, statistics,
  and related intrusion event databases, such as
  CVE, arachNIDS.
• See http//www.snort.org/docs/snort-rh7-mysql-ACID
  -1-5.pdf for more details.

7
Snort-based IDS Setup Example(from Steven
Scotts tutorial)
8
Basic Snort Usage

• Snort has three main modes
• Sniffer mode read packets and display on
  console.
• E.g., gtSnort -dev
• v verbose d dump application data data e
  extensive
• Packet Logger read packets and log to the disk.
• E.g., gt snort dev l ./log h 192.168.1.0/24
• l log, h only capture packets relative to the
  host
• NIDS analyze packets and matched against user
  defined rules and perform actions.
• E.g., gt snort dev l ./log c snort.conf
• add D will have snort run as daemon.
• -A fast full unsock non
• -b for binary (tcpdump) format faster.Use r
  snort.og to read it back for offline analysis.
• -o change the normal (alert?pass?log rules)
  processing order to (pass?alert?log).
• You can use SMB alert. That use smbclient to send
  WinPopup alert msg to window machines.
• Use O for (obsuscates) the ip addresses in log
  file for hiding IP addresses when sharing with
  others the logs.

9
/etc/snort/snort.conf

• Snort read the snort.conf file for the default
  variables, additional pre/post processing plug-in
  (if any), output specification (to a mysql for
  example), and a set of rule files. For example,
  http//cs.uccs.edu/chow/pub/snort/snort.conf
• output database log, mysql, usersnort
  passwordxxxx dbnamesnort hostlocalhost
• include bad-traffic.rules
• include exploit.rules
• include scan.rules
• include finger.rules
• include ftp.rules
• include telnet.rules
• include rpc.rules
• include rservices.rules
• include dos.rules
• include ddos.rules
• include dns.rules

10
Snort Rule Syntax

• Most rules written in single line. If multiple
  line use \
• Each snort rule has two logical section rule
  header and rule options.alert icmp EXTERNAL_NET
  any ltgt HOME_NET any (msg"DDOS Stacheldraht
  agent-gthandler (skillz)" content"skillz"
  itype0 icmp_id6666 referenceurl,staff.washing
  ton.edu/dittrich/misc/stacheldraht.analysis
  classtypeattempted-dos sid1855 rev2) alert
  any any -gt 192.168.1.0/24 any (flagsA ack0
  msg NMAP TCP ping) nmap send TCP ACK pkt
  with ack field set to 0alert tcp EXTERNAL_NET
  any -gt HTTP_SERVERS HTTP_PORTS (msg"WEB-IIS
  cmd.exe access" flowto_server,established
  content"cmd.exe" nocase classtypeweb-applicati
  on-attack sid1002 rev5)
• Rule header contains action, protocol, source
  (IPaddr/port), direction, destination
  (IPaddr/port)
• Rule option contains alert msgs, info on which
  parts of packet to be inspected.
• -gt and ltgt are the only two direction operators.

11
Snort Rule Syntax

• Var ltnamegt ltvaluegtvar EXTERNAL_NET
  128.198.160.0/19, 128.198.61.0/26var HOME_LAN
  192.168.0.0/24, 10.1.1,0/24var NON_WIRELESS
  !128.198.61.128/25 use ! for negative operator
  for specifying the CIDR address not within a
  range.
• Use ltvariablegt to reference them later.
• alert tcp EXTERNAL_NET any ? HOME_LAN any
  (flags S msg SYN packet)
• Rule Actions
• Alert
• Log
• Pass (ignore the packet)
• Activate (alert then turn on another dynamic rule
  (being phase out)
• Dynamic remain idle until activated by an
  activeate rule, then act as a log rule.
• You can also define your own rule types. Then use
  it as rule actioin.
• ruletype redalert type alert
  output alert_syslog LOG_AUTH LOG_ALERT output
  database log, mysql,usersnort dbnamesnort
  hostlocalhost

12
Rule option Contentcontent ! ltcontent
stringgt

• It allows the user to set rules that search for
  specific content in packet payload and trigger
  response based on the data.
• Case sensitive. Can be mixed text and binary.
• Use to specify the byte code (hexadecimal
  number).
• ! For negation nocase to make case-insensitive
  matching.
• Examples
• Alert tcp any any -gt 192.168.1.0/24 143 (content
  90CB C0FF FFFF/bin/sh\ msg IMAP buffer
  overflow!)
• Alert tcp any any -gt 192.168.1.0/24 21 (content
  !GET depth 3 nocase \ dsize gt100 msg
  Long Non-Get FTP command!)
• Dsize payload size.
• Related IMAP buffer overflow, http//www.securityf
  ocus.com/bid/130/discussion/

13
Rule option offset and depth

• Offset lt numbergt
• Specify the number of bytes to skip before
  starting pattern matching.
• Depth ltnumbergt
• Set maximum search depth for content pattern
  match.
• alert tcp any any -gt HLAN 80(content
  cmd.exe offset 3 depth 22 msg com.exe
  attack)

14
Rule option sid flow

• Sid specifies unique snort rule.
• lt100 reserved for future use.
• 100-1,000,000 rule included in snort
  distirbution.
• gt1,000,000 for local rule usage.
• Flow use in conjunction with TCP stream
  reassembly.
• Option to_server (client request), to client
  (server response), from_client, from_server.
• E.g., alert tcp EXTERNAL_NET any -gt
  HTTP_SERVERS HTTP_PORTS (msg"WEB-IIS cmd.exe
  access" flowto_server,established
  content"cmd.exe" nocase classtypeweb-applicati
  on-attack sid1002 rev5)

15
(No Transcript)
16
(No Transcript)
17
Detection Results

•   0-(3-1)       snort WEB-IIS cmd.exe access
        2003-04-14 211400      
  65.106.21.1531541       128.198.161.11080      
  TCP
• C\work\cucs\cs691\S2003gtnslookup 65.106.21.153
• Server evans.eas.uccs.edu
• Address 128.198.160.66
• Name diahost153.dia.cnc.net
• Address 65.106.21.153

18
Detection Results

•    ID  lt Signature gt  lt Timestamp gt  lt Source
  Address gt  lt Dest. Address gt  lt Layer 4
  Proto gt         
• 0-(4-39)       snort SCAN Proxy (8080) attempt
        2003-04-16191151       128.198.161.110639
  06       128.198.61.618080       TCP            
  
• 1-(4-38)       snort SCAN Proxy (8080) attempt
        2003-04-16 191151      
  128.198.161.11063905       128.198.61.618080   
     TCP            
• 2-(4-37)       cveicatcveicatsnort
  SNMP AgentX/tcp request       2003-04-16 191149
        128.198.161.11063906      
  128.198.61.61705       TCP            
• 3-(4-36)       cveicatcveicatsnort
  SNMP AgentX/tcp request       2003-04-16 191149
        128.198.161.11063905      
  128.198.61.61705       TCP            
• 4-(4-35)       urlsnort SCAN SOCKS Proxy
  attempt       2003-04-16 191148      
  128.198.161.11063906       128.198.61.611080   
     TCP            
• 5-(4-34)       urlsnort SCAN SOCKS Proxy
  attempt       2003-04-16 191148      
  128.198.161.11063905       128.198.61.611080   
     TCP            
• 6-(4-33)       cveicatcveicatsnort
  SNMP request tcp       2003-04-16 191130      
  128.198.161.11063906       128.198.61.61161   
     TCP            
• 7-(4-32)       cveicatcveicatsnort
  SNMP request tcp       2003-0416191129      
  128.198.161.11063905       128.198.61.61161   
    TCP            
• 8-(4-31)       snort SCAN Squid Proxy attempt
        2003-04-16 191127      
  128.198.161.11063906       128.198.61.613128   
     TCP            
• 9-(4-30)       snort SCAN Squid Proxy attempt
        2003-04-16 191127      
  128.198.161.11063905       128.198.61.613128   
     TCP   

19
False Positives vs False Negatives

• False positives something occurs that causes IDS
  to incorrectly identify an intrusion when none
  has occurred.
• False negatives something occurs that causes IDS
  to incorrectly fail to identify an intrustion
  when one has in fact occurred.
• Accuracy of IDS reflect the number of false
  positives.
• Completeness reflect the number of false
  negatives.

20
Attack Response Rules

• Check on the responses of server for obvious
  pattern that the system has be attacked/compromise
  d.
• https//128.198.61.6110000/snort/conf_rules.cgi?r
  uleattack-responses
• Examples
• alert tcp HTTP_SERVERS HTTP_PORTS -gt
  EXTERNAL_NET any (msg"ATTACK RESPONSES index of
  /cgi-bin/ response" flowfrom_server,established
  content"Index of /cgi-bin/" nocase
  classtypebad-unknown sid1666 rev3)
• alert tcp HOME_NET 22 -gt EXTERNAL_NET any
  (msg"ATTACK-RESPONSE successful gobbles ssh
  exploit (GOBBLE)" flowfrom_server,established
  content"2aGOBBLE2a" referencebugtraq,5093
  classtypesuccessful-admin sid1810 rev2)
• http//www.securityfocus.com/bid/5093
• alert tcp HOME_NET 749 -gt EXTERNAL_NET any
  (msg"ATTACK-RESPONSE successful kadmind
  bufferflow attempt" flowestablished,from_server
  content"GOBBLE" depth8 referencecve,CAN-20
  02-1235 referenceurl,www.kb.cert.org/vuls/id/875
  073 classtypesuccessful-admin sid1900
  rev1)

21
BackDoor Trojan

• Try to detect know ports and content of packet
  that are used and generated by the backdoor
  trojan.
• alert tcp HOME_NET 6789 -gt EXTERNAL_NET any
  (msg"BACKDOOR Doly 2.0 access" content "57 74
  7a 75 70 20 55 73 65" flags A depth 32
  referencearachnids,312 sid119
  classtypemisc-activity rev3)
• http//www.whitehats.com/cgi/arachNIDS/Show?_idid
  s312viewresearch
• https//128.198.61.6110000/snort/conf_rules.cgi?r
  ulebackdoor

22
DDoS Rules

• DDoS with know protocol/port/content.
• https//128.198.61.6110000/snort/conf_rules.cgi?r
  uleddos
• alert icmp EXTERNAL_NET any ltgt HOME_NET any
  (msg"DDOS Stacheldraht handler-gtagent (ficken)"
  content"ficken" itype0 icmp_id6667
  referenceurl,staff.washington.edu/dittrich/misc/s
  tacheldraht.analysis classtypeattempted-dos
  sid1856 rev2)
• alert udp EXTERNAL_NET any -gt HOME_NET 31335
  (msg"DDOS Trin00\DaemontoMaster(PONGdetected)"
  content"PONG"referencearachnids,187
  classtypeattempted-recon sid223 rev1)

23
DNS rules

• Zone transfer, DNS buffer overflow exploit.
• https//128.198.61.6110000/snort/conf_rules.cgi?r
  uledns
• alert tcp EXTERNAL_NET any -gt DNS_SERVERS 53
  (msg"DNS zone transfer TCP" flowto_server,estab
  lished content "00 00 FC" offset14
  referencecve,CAN-1999-0532 referencearachnids,2
  12 classtypeattempted-recon sid255 rev7)
• alert tcp EXTERNAL_NET any -gt DNS_SERVERS 53
  (msg"DNS EXPLOIT x86 linux overflow attempt
  (ADMv2)" flowto_server,established
  content"89f7 29c7 89f3 89f9 89f2 ac3c fe"
  classtypeattempted-admin sid265 rev3)

24
Scan rules

• Scan certain node/ports. (network scan vs port
  scan)
• https//128.198.61.6110000/snort/conf_rules.cgi?r
  ulescan
• alert tcp EXTERNAL_NET any -gt HOME_NET 3128
  (msg"SCAN Squid Proxy attempt" flagsS
  classtypeattempted-recon sid618 rev2)
• alert tcp EXTERNAL_NET any -gt HOME_NET any
  (msg"SCAN synscan portscan" id 39426 flags
  SFreferencearachnids,441 classtypeattempted-re
  con sid630 rev1)
• alert tcp EXTERNAL_NET any -gt HOME_NET any
  (msg"SCAN nmap TCP"flagsAack0
  referencearachnids,28 classtypeattempted-recon
  sid628 rev1)
• alert icmp EXTERNAL_NET any -gt HOME_NET any
  (msg"SCAN SolarWinds IP scan attempt"
  content"SolarWinds.Net" itype8 icode0
  classtypenetwork-scan sid1918 rev3)

25
WEB-CGI Rules

• https//128.198.61.6110000/snort/conf_rules.cgi?r
  uleweb-cgi
• alert tcp EXTERNAL_NET any -gt HTTP_SERVERS
  HTTP_PORTS (msg"WEB-CGI perl.exe access"
  flowto_server,established uricontent"/perl.exe"
  nocase referencecve,CAN-1999-0509
  referenceurl,www.cert.org/advisories/CA-1996-11.h
  tml referencearachnids,219 referencenessus,101
  73 classtypeattempted-recon sid832 rev8)
• .. (DOT DOT) ATTACK.alert tcp EXTERNAL_NET any
  -gt HTTP_SERVERS HTTP_PORTS (msg"WEB-CGI
  technote main.cgi file directory traversal
  attempt" flowto_server,established
  uricontent"/technote/main.cgi" nocase
  content"filename" nocase content"../../"
  referencecve,CVE-2001-0075 referencebugtraq,215
  6 classtypeweb-application-attack sid1051
  rev7)

26
WEB-IIS Rules

• https//128.198.61.6110000/snort/conf_rules.cgi?r
  uleweb-iis
• alert tcp EXTERNAL_NET any -gt HTTP_SERVERS
  HTTP_PORTS (msg"WEB-IIS unicode directory
  traversal attempt" flowto_server,established
  content"/..c0af../" nocase
  classtypeweb-application-attack
  referencecve,CVE-2000-0884 sid981 rev6)
• alert tcp EXTERNAL_NET any -gt HTTP_SERVERS
  HTTP_PORTS (msg"WEB-IIS cmd.exe access"
  flowto_server,established content"cmd.exe"
  nocase classtypeweb-application-attack
  sid1002 rev5)

27
SMTP Rules

• SMTP has quite a few buffer overlfow exploit.
• https//128.198.61.6110000/snort/conf_rules.cgi?r
  ulesmtp
• alert tcp EXTERNAL_NET any -gt SMTP_SERVERS 25
  (msg"SMTP RCPT TO overflow" flowto_server,estab
  lished content"rcpt to3a" nocase
  content!"0a" within800 referencecve,CAN-200
  1-0260 referencebugtraq,2283
  classtypeattempted-admin sid654 rev7)
• alert tcp EXTERNAL_NET any -gt SMTP_SERVERS 25
  (msg"SMTP sendmail 5.6.5 exploit"
  flowto_server,established content"MAIL
  FROM3a207c/usr/ucb/tail" nocase
  referencearachnids,122 classtypeattempted-user
  sid665 rev4)
• alert tcp EXTERNAL_NET any -gt SMTP_SERVERS 25
  (msg"SMTP From comment overflow attempt"
  flowto_server,established content"From\"
  content"ltgtltgtltgtltgtltgtltgtltgtltgtltgtltgtltgtltgtltgtltgtltgtltgtltgtltgtltgtltgtlt
  gtltgt" distance0 content"(" distance1
  content")" distance1 referencecve,CAN-2002-13
  37 referenceurl,www.kb.cert.org/vuls/id/398025
  classtypeattempted-admin sid2087 rev2)

28
Bad Traffic

• Bad packet header content
• https//128.198.61.6110000/snort/conf_rules.cgi?r
  ulebad-traffic
• alert tcp EXTERNAL_NET any -gt HOME_NET any
  (msg"BAD TRAFFIC data in TCP SYN packet"
  flagsS dsizegt6 referenceurl,www.cert.org/inci
  dent_notes/IN-99-07.html sid526
  classtypemisc-activity rev4)
• alert ip any any -gt any any (msg"BAD TRAFFIC
  same SRC/DST" sameip referencecve,CVE-1999-0016
  referenceurl,www.cert.org/advisories/CA-1997-28
  .html classtypebad-unknown sid527 rev3)

29
HIDS Host-based Intrusion Detection

• Detect and examine malicious activity (same as
  network-based intrusion detection.)
• Optimize for monitoring individual hosts.
• Monitor system network activity, file system, log
  files, user actions.
• Integrate the finding of several host-based
  intrusion detection provide unified view of
  multiple systems in the network.
• Detect escalation of privileges for a user or
  system account. (from guest user to have admin
  privilege).
• NIDS can not usually see or interpret such
  actions which takes place on a host.

30
HIDS Advantages over NIDS

• HIDS can monitor user-specific activity of the
  system
• Check process listing, local log files, system
  calls.
• It is difficult for NIDS to associate packets to
  specific users (except when content switch-based
  NIDS is used!) and to determine if the commands
  in the packets violate specific users access
  privilege.
• HIDS sensor can monitor encrypted traffic by
  tapping in at the connection endpoint such as VPN
  connection. (NIDS can not check encrypted
  IPsec/SSL payload.)
• HIDS can help detect attack that evade NIDS
  detection.For example, attacks encode dangerous
  commands in non-standard Unicode encoding.
  checking for ".ida". An example request would
  look like GET /himom.idu0061 HTTP/1.0

31
Tripwire A Host-based IDS

• Original version developed at Purdue Univ. 1992
  by Dr. Eugene Spafford and Gene Kim, now CTO of
  Tripwire
• http//www.tripwire.org/downloads/index.php Linux
  public domain software download.
  http//www.tripwire.org/qanda/faq.php
• Commercial evaluation version tripwire3.0 (with
  manager and server, run on both Linux/windows)
  available at http//www.tripwire.com/downloads/
• Tripwire managers provide gui and unified
  interface to monitor multiple instances of
  tripwire program.
• Can monitor configuration of routers/switches.
• Here is a presentation from tripwire.com.
• There is Advanced Intrusion Detection Environment
  (AIDE) available at http//www..cs.tut.fi/rammer/
  aide.html. It is actively maintained and
  developed. Not on windows. Does not encrypt and
  sign the baseline datagbase. (The tripwire does
  this).

32
(No Transcript)
33
(No Transcript)
34
File Access Permission Change
35
Example of Policy File

• For windows systems,http//cs.uccs.edu/cs691/tri
  pwire/windows/Policy/twpol.txt
• For linux,http//cs.uccs.edu/cs691/tripwire/linu
  x/Policy/twpol.txt
• http//cs.uccs.edu/cs691/tripwire/windows/Documen
  ts/reference_guide.pdf page 25.
• Rule object -gt properties