new IDS

Document Sample
new IDS Powered By Docstoc
					 Intrusion Detection Systems
An IDS is any combination of hardware & software that
monitors a system or network for malicious activity.

 Examples of IDSs in real life
  Car alarms
  Fire detectors
  House alarms
  Surveillance systems

  Polytechnic University                     Introduction   1
                                   “Deep Packet Inspection”
Can be detected:
                                   Many organizations deploy
 Mapping
                                    IDS systems
 Port scans
                                   Provide warnings to
       Tens of thousands of
                                    network administrator
                                        Administrator can then
 TCP stack scans                        improve network’s security
      Hundreds of thousands of         Vigorous investigation
       packets                           could lead to attackers

   There are host-based and network-based
   IDS systems. Focus here on network-based.

Polytechnic University                                    Introduction   2
IDS sensors
                                                   = IDS sensor

                         gateway        firewall


                                                    Underlying OS needs
    Internal              Web
                          server        DNS         to be hardened:
    network                    FTP      server      stripped of unnecessary
                               server               network services

                         Demilitarized zone

Polytechnic University                                      Introduction   3
False Alarms
False alarms:
 False positive: normal traffic or benign
  action triggers alarm
    Example:  fire alarm if wrong password is
      entered; benign user makes a typo
 False negative: alarm is not fired during

Polytechnic University                           Introduction   4
Efficiency of IDS system
 Accuracy: low false positive and false negative
 Performance: the rate at which traffic and audit
  events are processed
      To keep up with traffic, may not be able to put IDS at
       network entry point
      Instead, place multiple IDSs downstream
 Fault tolerance: resistance to attacks
    Should be run on a single hardened host that supports
     only intrusion detection services
 Timeliness: time elapsed between intrusion and
Polytechnic University                                 Introduction   5
Signature-based IDS
Sniff traffic on network
 border router or multiple sensors within a LAN
Match sniffed tracffic with signatures
 attack signatures in database
 signature: set of rules pertaining to a typical intrusion
     Simple example rule: any ICMP packet > 10,000 bytes
     Example: more than one thousand SYN packets to
      different ports on same host under a second
 skilled security engineers research known attacks; put them
  in database
 can configure IDS to exclude certain signatures; can modify
  signature parameters
Warn administrator when signature matches
 send e-mail, SMS
 send message to network management system

Polytechnic University                               Introduction   6
Limitations to signature detection

 Requires previous knowledge of attack to
  generate accurate signature
    Blind     to unknown attacks
 Signature bases are getting larger
   Every packet must be compared with each
   IDS can get overwhelmed with processing; can
    miss packets

Polytechnic University                    Introduction   7
Anomaly Detection IDS
 Observe traffic during normal operation
 Create normal traffic profile
 Look for packet streams that are statistically
      e.g., inordinate percentage of ICMP packet
      or exponential growth in port scans/sweeps
 Doesn’t rely on having previous knowledge of
 Research topic in security

Polytechnic University                              Introduction   8
IDS evasion: “spy vs. spy”
 Attackers do not want to be detected by IDS
    Often attackers are intimately familiar with the popular
     IDS products, their weaknesses
 Idea: manipulate attack data
    Active area of research in attack community
    Example: port scan stretched out over long period of
     time, with different source IP addresses
 Most common approach: fragmentation
   To detect malicious activity, IDS must capture, store,
    and analyze fragments.
   Many fragment streams spread out over long period time
    ➜IDS must have large buffers
        • Requires significant memory and processing power

Polytechnic University                                       Introduction   9
IDS evasion: fragmentation
 Send a flood of fragments
    Send so many fragments that IDS system
    Once saturated, IDS will not be able detect a
     new attack
 Fragment packets in unexpected ways
    Such that the IDS does not understand how to
     properly reassemble the attack packets

Polytechnic University                       Introduction   10
 IDS evasion tool: FragRouter


attack       attack                    IDS     target
system       obfuscation
(eg nmap)    (fragrouter)

  Runs on Unix/Linux systems
  Provides over 35 different schemes for
   fragmenting flow of data
  Separates attack functionality from the
   fragmentation functionality
  Polytechnic University                     Introduction   11
Some fragmentation types in
 Sends data in ordered 8-byte fragments
 Sends data in ordered 24-byte fragments
 Sends data in ordered 8-byte fragments
  with one fragment out of order
 Complete TCP handshake, send fake FIN
  and RST (with bad checksums) before
  sending data in ordered 1-byte

Polytechnic University              Introduction   12
Snort                             Good book: Intrusion Detection
                                  with Snort, by Jack Koziol

 Popular open source IDS         Typical setup
    200,000 installations
 Enhanced sniffer
    Runs on Linux, Unix,                     firewall
    Generic sniffing interface
    Can easily handle 100
     Mbps of traffic              hub
 Signatures                                             snort
    Written and released by
     Snort community within
    Anyone can create
    Largest collection of              internal
     signatures for IDS                 network

Polytechnic University                                   Introduction   13
Snort deployment                                           Switch SPAN port:
                                                           • provides monitoring
                                                           for net admin & security
                                                           • switch copies all
                                                           traffic to SPAN port
                    firewall                               • can select which switch
                                                           ports get copied
                                                           • approach doesn’t require
                          unidirectional   firewall        intro of new hub
                          sniffing cable
                                                           • no need for unidirectional
        hub                                                cable

                         switch                                  snort
              internal                          internal
              network                           network

Polytechnic University                                               Introduction   14
Distributing traffic to multiple
 Large organizations         Solutions:
  often have Gbps                Put sensors on
  backbone                        different 100 Mbps
 Snort with full rule
                                 Or, multiple sensors on
  set cannot handle all           backbone; each sensor
  traffic                         processes different
      Packets can get            range of destination IP
       dropped; attacks go        addresses
 Tempting to tune
  Snort by trimming
Polytechnic University                           Introduction   15

var    HOME_NET
Var    HTTP_PORTS 80 8080

Polytechnic University           Introduction   16
   Snort rule examples
alert icmp $EXTERNAL_NET any -> $HOME_NET any
(msg:”ICMP PING NMAP”; dsize: 0; itype: 8;)

      Rule generates alert for ICMP having empty payload, ICMP type 8, and
       arriving from the outside.
      This is part of an NMAP ping.

alert tcp $EXTERNAL_NET any -> $HOME_NET 139
(msg: “DOS SMBdie attack”:; flags: A+; content:”|57724c6568004577a|”;)

      Rule generates alert if a TCP packet from outside contains
       |57724c6568004577a| in payload and is headed to port 139 (netbios)
       for some internal host.
      This is part of a buffer overflow attack on a computer running Server
       Message Block Service.

   Polytechnic University                                      Introduction   17
 Snort rule examples (2)
(msg:”WEB-IIS ISAPI .ida attempt”; uricontent:”.ida?”;
nocase; dsize:>239; flags:A+;)

   Rule generatesalert for packet heading to Web server with .ida? in
   URL in GET message
   Buffer overflow attack that allows attacker to take over server.

  Polytechnic University                                   Introduction   18
Snort rule files
 chat.rules
 ddos.rules
 ftp.rules
 multimedia.rules
 p2p.rules
 porn.rules
 virus.rules

Polytechnic University   Introduction   19
 Snort Rule Writing
Example: Cross-site scripting (XSS):
 Web site allows scripts to be inserted into dynamically
  created Web page. Can reek havoc.
 Look out for HTTP requests containing <SCRIPT>
 Might first try:
    alert tcp any any -> any any
    (content: “<SCRIPT>”; msg: “XSS attempt”;)
      triggers many false positives: e.g., e-mail message with
 Then try:
    alert tcp $EX_NET any -> $HTTP_SRVS $HTTP_PRTS
    (content: “<SCRIPT>”; msg: “XSS attempt”; nocase;)

  Polytechnic University                                  Introduction   20
Snort Rule Syntax
 Rule is a single line
    Rule header: everything before parenthesis
    Rule option: what’s in the parenthesis

Syntax for rule header:
rule_action protocol src_add_range src_prt_range
dir_operator dest_add_range dest_prt_range

alert tcp 192.168.1/24 1:1024 -> 80
 rule actions: alert, log, drop
 protocol: tcp, udp, icmp
 direction: -> and <>
 src, dest port ranges :

Polytechnic University                      Introduction   21
 Snort Rule Syntax (2)
Syntax for rule option:
 One or more option keywords
      separated by semi-colons
 Example:
      (msg: “XSS attempt”; content: “<SCRIPT>”; nocase;)
Content-related keyword examples:
 content: ”smtp v2”;          (ascii)
 content: ”|0f 65 a7 7b|” ; (binary)
 uricontent: ”.ida?”;
 content-list: “inappropriate_content.txt”;
 nocase;
 offset: 20;              (start at byte 20 in payload)
 depth: 124;               (stop at byte 124 in payload)

  Polytechnic University                                    Introduction   22
Snort Rule Syntax (3)
IP-related keyword examples:
 ttl: <5;
 id:2345;     (id field, used for fragments)
 fragoffset: 0;
 dsize: >500;        (payload size)
 ip_proto: 7;
ICMP-relayed keyword examples:
 itype: 8;
 icode: 3;
Polytechnic University                 Introduction   23
Snort Rule Syntax (4)
TCP-related rules
 flags: A+;   (ACK flag)
 flags: FUP; (FIN, Urgent, or Push flag)
      + alert if specified bit is discovered, in addition to at
       least one other
      ! alert if any of the specified bits is not set
 seq: 12345432;          ack: 54321234;
Response examples
 msg: “christmas tree attack”;
 logto: “new_rule.log”; logs packet when match
Polytechnic University                                    Introduction   24

Shared By: