An Introduction To Gateway Intrusion Detection Systems

1
An Introduction To Gateway Intrusion
DetectionSystems

• Hogwash GIDS
• Jed Haile
• Nitro Data Systems

2
What Is a Gateway IDS?

• Gateway Intrusion Detection System
• A network intrusion detection system which acts
  as a network gateway
• Designed to stop malicious traffic and generate
  alerts on suspicious traffic
• An ideal gateway IDS is able to stop all known
  exploits

3
GIDS vs NIDS

• GIDS
• Acts as network gateway
• Stops suspect packets
• Prevents successful intrusions
• False positives are VERY bad

• NIDS
• Only observes network traffic
• Logs suspect packets and generates alerts
• Cannot stop an intruder
• False positives are not as big of an issue

4
About Hogwash

• Based on the Snort intrusion detection system
• Operation is similar to some bridging firewalls
• Uses snort rules with some additional keywords to
  make forward/drop decisions
• Compatible with most snort plugins
• Freely available under the GPL

5
Basic Theory of Operation

• Much like a bridging firewall, Hogwash makes
  forward/drop decisions
• This packet is always good so pass it into my
  network.
• This packet is always bad so drop it and tell me
  about it.
• This packet is sometimes bad so tell me about it,
  but don't drop it.

6
Typical Hogwash Installation
7
New Hogwash Keywords

• drop Drops a packet, sends an rst, logs
  the packet
• ignore Drops a packet without sending an
  rst
• sdrop Drops a packet, sends an rst, does
  not log the packet

8
Multipacket Signature Matching

• Hogwash cannot do traditional stream reassembly
• Instead, hogwash can watch for partial content
  matches at the end of a packet
• If there is a partial match, hogwash goes ahead
  and forwards the packet and caches a copy
• When then next packet comes hogwash will
  reassemble the two packets and run it back
  through the detection engine, if it matches the
  second packet is dropped
• Works for out of order packets also
• Enabled by using the multi keyword in a rule

9
Defeating Portscans

• Hogwash uses state counting to detect portscans
• Each time a new session (tcp, udp, icmp) is
  initiated in your network, hogwash notes it
• All sessions are tracked from a host until it is
  idle for some period of time, 60 seconds by
  default
• If a host hits more than 20 unique ports or 5
  unique targets, he is determined to be
  portscanning. These thresholds are user
  configurable.
• Hogwash will then drop all that portscanners
  packets

10
Content Replacement

• Hogwash can replace content in a packet
• replace keyword tells hogwash to replace a
  detected string with another string.
• Example
• alert tcp any any -gt IIS_SERVERS 80
  (contentcmd.exe replaceyyy.yyy)
• Any content in the packet payload can be
  replaced.
• A great way to break an exploit without dropping
  the packet!!

11
Stealth

• Stackless Operation
• Hogwash does not require an ip stack to be loaded
  on its network interfaces
• Hogwash can invisibly forward traffic, no
  decreased TTLs, etc

12
Stackless Control Protocol

• Stackless Control Protocol
• Hogwash can be remotely controlled, even when
  running in stackless mode
• To send a command simply send a control packet so
  that it will pass through the hogwash box
• Packets can be any combination of TCP, UDP, ICMP
• The stackless control protocol uses twofish or
  AES cryptography and a custom protocol to ensure
  security

13
Stackless Control Protocol Theory

• Each packet that passes through hogwash is
  checked for a magic token in the payload. If
  the token is found, then hogwash will attempt to
  decrypt the payload following the magic token. If
  the token is found again immediately following
  the first magic token, then hogwash knows it has
  found a control packet and processes the command.

14
Stackless Control Protocol Theory
15
Stackless Control Protocol Commands

• hping - ping the hogwash box to see if its alive.
• hstat - get statistics from the hogwash box
• hbuff -retrieve either RULES, ALERT, or LOG file
• hfilesync - store the retrieved file in a file,
  can be used to feed standard snort toys
• hsetbuf - transfer a file to the hogwash box
• hsetrules - transfer a new rules file to the
  hogwash box, restart hogwash

16
Sample Hogwash Rules

• To drop incoming port 80 connections
• drop tcp any any -gt HOMENET 80 (msgPort 80
  tcp)
• To drop cmd.exe calls to your webservers
• drop tcp any any -gt HOMENET 80 (msgcmd.exe
  attempt content cmd.exe)

17
Running Hogwash

• hogwash ltoptionsgt
• -c ltrules filegt
• -i ltinternal interfacegt
• -e ltexternal interfacegt
• -l ltlog directorygt
• -n ltno rules modegt
• hogwash i eth0 e eth1 c hogwash.conf l
  /var/log/hogwash

18
References

• http//hogwash.sourceforge.net
• http//www.snort.org
• Securing an Unpatchable Web Server
  http//www.securityfocus.com/infocus/1208
• Jed Haile jhaile_at_nitrodata.com
• Jason Larsen jlarsen_at_nitrodata.com