
Page 1: Network Intrusion Detection David LaPorte david_laporte@harvard.edu

Network Intrusion Detection

David LaPorte
david_laporte@harvard.edu

Page 2

Topics

- What is IDS?
- HIDS v. NIDS
- Signatures
- Active Response / IPS
- NIDS on the Cheap
- Additional Resources

Page 3

What is IDS?

the art of detecting inappropriate, incorrect, or anomalous activity. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems, and ID systems that operate on network data flows are called network-based ID systems.

http://www.sans.org/newlook/resources/IDFAQ/what_is_ID.htm

Page 4

HIDS v. NIDS

Defense in depth, layered security

HIDS
- Typically software installed on a system
- Agent-based
  - Monitors multiple data sources, including file system meta-data, log files
- Wrapper-based
  - Acts like a firewall – denies or accepts connections or logins based on defined policy

Page 5

HIDS v. NIDS

NIDS
- Monitors traffic on a network
- Reports on traffic not considered “normal”
- Anomaly-based
  - Packet sizes, destinations, protocol distributions, etc.
  - Hard to determine what “normal” traffic looks like
- Signature-based
  - Most products use signature-based technologies

Page 6

Signature-based NIDS

Signature-based
- Matches header fields, port numbers, content
- Network “grep”

Advantages
- No learning curve
- Works out-of-box for well known attacks
  - Snort has ~1900 signatures
  - Dragon has ~1700 signatures

Disadvantages
- New attacks cannot be detected
- False positives
- Maintenance/tweaking
- Not very hard to evade
- Stateless, lacks thresholding

Page 7

Signatures

A Dragon signature, one line of nine fields, read left to right:

T  A  A  S  10  20  6668  IRC:XDCC  /5Bxdcc/5Dslt

  T              PROTOCOL
  A              DIRECTION
  A              PROTECTED NETWORKS
  S              BINARY OR STRING
  10             DYNAMIC LOG
  20             COMPARE BYTES
  6668           PORT
  IRC:XDCC       EVENT NAME
  /5Bxdcc/5Dslt  SEARCH STRING

Page 8

Signatures

On the console…

Time           Dir   Source            Destination      Proto  Event Name  Group    Sensor  Session  Raw Data
11:02 02Nov04  from  128.103.a.b:4295  207.44.x.y:6667  tcp    IRC:XDCC    UNKNOWN  ids5
11:01 02Nov04  from  128.103.a.b:1141  207.44.x.y:6667  tcp    IRC:XDCC    UNKNOWN  ids5
10:59 02Nov04  from  128.103.a.b:2582  207.44.x.y:6667  tcp    IRC:XDCC    UNKNOWN  ids5
10:57 02Nov04  from  128.103.a.b:3341  207.44.x.y:6667  tcp    IRC:XDCC    UNKNOWN  ids5

Page 9

Raw data for one of the IRC:XDCC sessions. The console renders the 0x0A (LF) byte as {A} and the 0x0D (CR) byte as {D}; those markers are replaced by line breaks here, and the slide's second, partial copy of the same capture is dropped. The client's registration lines are what the search string hits:

NICK [XDCC]SLT-L482
USER b0b 32 . :XDCC
MODE [XDCC]SLT-L482 +i
NICK [XDCC]SLT-L482
USER b0b 32 . :XDCC
MODE [XDCC]SLT-L482 +i
NICK [XDCC]SLT-L482
USER b0b 32 . :XDCC
MODE [XDCC]SLT-L482 +i

:snagged.wi.us.criten.net NOTICE AUTH :*** Looking up your hostname...
:snagged.wi.us.criten.net NOTICE AUTH :*** Found your hostname, cached
:snagged.wi.us.criten.net NOTICE AUTH :*** Checking Ident
:snagged.wi.us.criten.net 001 [XDCC]SLT-L482 :Welcome to the Criten IRC Network [XDCC][email protected]
:snagged.wi.us.criten.net 002 [XDCC]SLT-L482 :Your host is snagged.wi.us.criten.net[@0.0.0.0], running version bahamut-1.4(34)
:snagged.wi.us.criten.net 003 [XDCC]SLT-L482 :This server was created Fri Oct 18 2002 at 12:49:34 CDT
:snagged.wi.us.criten.net 004 [XDCC]SLT-L482 snagged.wi.us.criten.net bahamut-1.4(34) oiwscrknfydaAbghe biklLmMnoprRstvc
:snagged.wi.us.criten.net 005 [XDCC]SLT-L482 NOQUIT WATCH=128 SAFELIST MODES=13 MAXCHANNELS=15 MAXBANS=100 NICKLEN=30 TOPICLEN=307 KICKLEN=307 CHANTYPES=&# PREFIX=(ov)@+ NETWORK=Criten SILENCE=10 CASEMAPPING=ascii :are available on this server
:snagged.wi.us.criten.net 251 [XDCC]SLT-L482 :There are 59 users and 6470 invisible on 17 servers
:snagged.wi.us.criten.net 252 [XDCC]SLT-L482 30 :IRC Operators online
:snagged.wi.us.criten.net 253 [XDCC]SLT-L482 84 :unknown connection(s)
:snagged.wi.us.criten.net 254 [XDCC]SLT-L482 738 :channels formed
:snagged.wi.us.criten.net 255 [XDCC]SLT-L482 :I have 705 clients and 1 servers
:snagged.wi.us.criten.net 265 [XDCC]SLT-L482 :Current local users: 705 Max: 3506
:snagged.wi.us.criten.net 266 [XDCC]SLT-L482 :Current global users: 6529 Max: 13238
:snagged.wi.us.criten.net NOTICE [XD
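Pages 6 to 9 describe signature matching as a network "grep" and show one Dragon signature next to the console alerts and raw session it produced. The Python below is an added worked example, not Dragon's code and not from the talk: it splits that signature line into its nine fields, decodes the /XX hex escapes in the search string (assumed to be Dragon's notation, so /5Bxdcc/5Dslt becomes [xdcc]slt), applies the signature to a few constructed packets and emits hits in the column order of the console slide. The meanings given to the direction, protected-networks, dynamic-log and compare-bytes fields, the case-insensitive treatment of "S" signatures, the handling of "B" signatures as plain hex, and the RFC 5737 test addresses are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# The signature line exactly as it appears on the slide (nine whitespace-separated fields).
SIGNATURE_LINE = "T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt"


@dataclass
class DragonSignature:
    protocol: str            # T = TCP, U = UDP (assumed)
    direction: str           # A = either direction (assumed)
    protected_networks: str  # A = any protected network (assumed)
    binary_or_string: str    # S = case-insensitive string, B = binary bytes (assumed)
    dynamic_log: int         # packets to log after a hit (assumed meaning, unused here)
    compare_bytes: int       # only search this many leading payload bytes, 0 = all (assumed)
    port: int
    event_name: str
    search: bytes            # decoded search string


_HEX_ESC = re.compile(rb"/([0-9A-Fa-f]{2})")


def decode_search_string(raw: str, binary: bool) -> bytes:
    """Turn /XX hex escapes into bytes: /5B -> '[' and /5D -> ']' (assumed Dragon notation)."""
    if binary:
        return bytes.fromhex(raw.replace("/", ""))  # assumed: binary sigs are pure hex pairs
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw.encode("latin-1"))


def parse_signature(line: str) -> DragonSignature:
    fields = line.split(None, 8)  # the search string is the ninth field
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    proto, direction, nets, kind, dyn, cmp_bytes, port, event, search = fields
    return DragonSignature(proto, direction, nets, kind, int(dyn), int(cmp_bytes),
                           int(port), event, decode_search_string(search, kind == "B"))


@dataclass
class Packet:
    ts: str        # "HH:MM DDMonYY", the format the console slide shows
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def matches(sig: DragonSignature, pkt: Packet) -> bool:
    if sig.protocol == "T" and pkt.proto != "tcp":
        return False
    if sig.protocol == "U" and pkt.proto != "udp":
        return False
    # direction A: the signature port may sit on either end of the connection (assumption)
    if sig.port not in (pkt.sport, pkt.dport):
        return False
    window = pkt.payload if sig.compare_bytes == 0 else pkt.payload[:sig.compare_bytes]
    if sig.binary_or_string == "S":
        return sig.search.lower() in window.lower()
    return sig.search in window


def console_line(sig: DragonSignature, pkt: Packet, sensor: str = "ids5") -> str:
    # Same columns as the console slide: time, dir, source, destination, proto, event, group, sensor
    return (f"{pkt.ts} from {pkt.src}:{pkt.sport} {pkt.dst}:{pkt.dport} "
            f"{pkt.proto} {sig.event_name} UNKNOWN {sensor}")


def scan(sigs: List[DragonSignature], packets: List[Packet], sensor: str = "ids5") -> List[str]:
    return [console_line(s, p, sensor) for p in packets for s in sigs if matches(s, p)]


# Constructed traffic; the first payload echoes the client lines of the raw session above.
SAMPLE_PACKETS = [
    Packet("11:02 02Nov04", "tcp", "192.0.2.10", 4295, "198.51.100.7", 6668,
           b"NICK [XDCC]SLT-L482\r\nUSER b0b 32 . :XDCC\r\n"),       # hit, inside the first 20 bytes
    Packet("11:03 02Nov04", "tcp", "192.0.2.11", 4301, "198.51.100.7", 6668,
           b"NICK alice\r\nUSER alice 8 * :Alice\r\n"),               # ordinary client, no hit
    Packet("11:04 02Nov04", "tcp", "192.0.2.12", 4310, "198.51.100.7", 6668,
           b"PRIVMSG #chan :try the bot named [xdcc]slt later\r\n"),  # string present but past byte 20
    Packet("11:05 02Nov04", "tcp", "192.0.2.13", 4320, "198.51.100.7", 80,
           b"NICK [XDCC]SLT-L482\r\n"),                                # wrong port
]

if __name__ == "__main__":
    for line in scan([parse_signature(SIGNATURE_LINE)], SAMPLE_PACKETS):
        print(line)
```

Only the first constructed packet produces an alert; the third shows what the compare-bytes field costs, since a real string outside the first 20 bytes goes unreported, and the fourth shows the port check doing its job before any content inspection happens.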

Page 10

NIDS – Management

Correlation is key
- Multiple sensors
- Single data repository
  - Syslog
  - DBMS
  - Text files
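The management slide says correlation across sensors feeding one repository is key, and page 6 lists "stateless, lacks thresholding" as a weakness of per-packet signatures. As an added example (not part of the talk and not any product's code), the Python below reads constructed syslog lines as two sensors might forward them to one loghost, groups hits by source address and event name, and reports an incident only when a source trips the same signature at least three times within five minutes, listing every sensor that saw it. The log line layout, the sensor names, the second event name and the RFC 5737 addresses are all constructed; the thresholds are parameters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog from two sensors (ids5, ids6) merged on one loghost. The line layout
# is assumed for this example, not Dragon's own syslog format.
SAMPLE_LOG = """\
Nov  2 09:00:41 ids6 dragon: from 192.0.2.77:2201 198.51.100.7:6667 tcp IRC:XDCC
Nov  2 10:57:02 ids5 dragon: from 192.0.2.10:3341 198.51.100.7:6667 tcp IRC:XDCC
Nov  2 10:59:18 ids5 dragon: from 192.0.2.10:2582 198.51.100.7:6667 tcp IRC:XDCC
Nov  2 11:00:05 ids6 dragon: from 192.0.2.10:2590 198.51.100.9:6667 tcp IRC:XDCC
Nov  2 11:00:50 ids6 dragon: to 203.0.113.4:51022 192.0.2.55:80 tcp WEB:TRAVERSAL
Nov  2 11:01:33 ids5 dragon: from 192.0.2.10:1141 198.51.100.7:6667 tcp IRC:XDCC
Nov  2 11:02:10 ids5 dragon: from 192.0.2.10:4295 198.51.100.7:6667 tcp IRC:XDCC
Nov  2 11:02:30 ids6 dragon: from 192.0.2.10:4300 198.51.100.9:6667 tcp IRC:XDCC
Nov  2 11:30:12 ids5 dragon: from 192.0.2.77:2260 198.51.100.7:6667 tcp IRC:XDCC
this line is not an IDS event and is skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<sensor>\S+) dragon: "
    r"(?P<dir>from|to) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) (?P<event>\S+)$")


def parse_log(text: str, year: int = 2004) -> list:
    """Normalise each sensor line to one dict; syslog carries no year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unknown format: skip rather than stop the pipeline
        stamp = " ".join(m["ts"].split())  # collapse the padded day field ("Nov  2")
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "sensor": m["sensor"], "dir": m["dir"], "src": m["src"],
                       "dst": m["dst"], "proto": m["proto"], "event": m["event"]})
    return events


def correlate(events: list, window: timedelta = timedelta(minutes=5), min_hits: int = 3) -> list:
    """Group hits by (source, event). Report an incident when at least `min_hits` of them
    fall inside one `window`; the incident lists every sensor that saw the source."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["event"])].append(e)

    incidents = []
    for (src, event), hits in by_key.items():
        hits.sort(key=lambda e: e["ts"])
        times = [e["ts"] for e in hits]
        burst, j = False, 0
        for i in range(len(times)):          # sliding window over the sorted timestamps
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= min_hits:
                burst = True
                break
        if burst:
            incidents.append({"src": src, "event": event, "count": len(hits),
                              "sensors": sorted({e["sensor"] for e in hits}),
                              "first": times[0], "last": times[-1]})
    return incidents


if __name__ == "__main__":
    for inc in correlate(parse_log(SAMPLE_LOG)):
        print(f"{inc['src']} {inc['event']}: {inc['count']} hits on {','.join(inc['sensors'])} "
              f"between {inc['first']:%H:%M:%S} and {inc['last']:%H:%M:%S}")
```

With the defaults only one source is reported: it tripped IRC:XDCC six times across both sensors, which is the kind of summary an operator can act on, whereas the two isolated hits from the other source and the single web event stay in the repository for later searching without paging anyone. Loosening the window and threshold promotes the second source too, which is the tuning knob the slide's "makes alerting difficult" point is about.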

Page 11

NIDS – Placement

Inside firewall
- Limits false positives – “cleaner” data

Outside firewall
- Shows overall interest

Need to collect all traffic
- Switch port won’t cut it
  - Hub
  - Switch SPAN port
  - Passive tap
- Difficult on high-bandwidth links (>300Mbps)
  - Distribution devices (TopLayer, etc)
  - Hardware

Page 12

NIDS – Drawbacks

False Positives

LOTS of data
- We generate 3-4GB of logs each day on a ~250Mbps sustained link
- Makes alerting difficult

Interoperability
- ESM – Intellitactics, PentaSafe, etc.

Page 13

NIDS – Drawbacks

Evasion
- Packet fragmentation
  - Out of order, overlapping
  - Fragroute
- Character encodings / padding
  - Unicode, mixed case, ../..’s, \0’s
- OS stack behavior
- A simple “grep” of a packet won’t work
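The evasion slide lists the tricks that defeat a per-packet "grep": out-of-order or overlapping segments, percent and Unicode encodings, mixed case, NUL padding. The Python below is an added example of the two steps a sensor needs before content matching, written for this page rather than taken from any IDS: a small stream reassembler with a selectable overlap policy (which copy of an overlapping byte the target host keeps is OS-specific, the slide's "OS stack behavior" point), and a normaliser that decodes %XX and %uXXXX escapes, folds overlong two-byte UTF-8 such as C0 AF back to "/", drops NULs, unifies separators and case-folds. The sample request, its segmentation, and the decision to decode twice and to delete NULs rather than truncate at them are constructed choices for the example; a deployment would tune them to the servers being protected.

```python
import re


# --- 1. Stream reassembly: out-of-order and overlapping segments back into one buffer ---
def reassemble(segments, policy: str = "first") -> bytes:
    """segments: iterable of (relative_seq, payload). Overlap policy 'first' keeps the byte
    that arrived first, 'last' lets a later copy overwrite it. Pick the one the protected
    host's stack uses; a sensor that guesses differently sees a different stream."""
    stream = {}
    for seq, data in segments:
        for i, b in enumerate(data):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
    if not stream:
        return b""
    # holes are filled with NUL so the caller still gets one buffer; a real sensor waits
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1))


# --- 2. Decoding: undo the encodings a string can be hidden behind ---
_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
_PCT_U = re.compile(rb"%[uU]([0-9A-Fa-f]{4})")  # IIS-style %uXXXX


def _u_escape(m):
    cp = int(m.group(1), 16)
    return bytes([cp]) if cp < 0x80 else m.group(0)  # leave genuine non-ASCII alone


def percent_decode(data: bytes) -> bytes:
    data = _PCT_U.sub(_u_escape, data)
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def fold_overlong_utf8(data: bytes) -> bytes:
    """Overlong two-byte UTF-8 (lead byte C0/C1) spells an ASCII character, e.g. C0 AF is '/'.
    Strict decoders reject it; some servers have accepted it, so fold it before matching."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def normalize(data: bytes) -> bytes:
    for _ in range(2):                 # a second pass also unwraps double encoding (%252e)
        data = percent_decode(data)
    data = fold_overlong_utf8(data)
    data = data.replace(b"\\", b"/")   # backslash used as a path separator
    data = data.replace(b"\x00", b"")  # NUL padding
    data = re.sub(rb"/+", b"/", data)  # repeated slashes
    return data.lower()                # mixed case


# --- 3. Per-packet grep versus reassemble-then-normalise ---
def naive_match(segments, pattern: bytes) -> bool:
    return any(pattern in data for _, data in segments)


def robust_match(segments, pattern: bytes) -> bool:
    return pattern in normalize(reassemble(segments))


# Constructed request: the traversal is split by a %2F, an overlong slash and a NUL, and the
# three segments arrive out of order.
REQUEST = b"GET /cgi-bin/..%2F..%c0%afetc/passwd%00.html HTTP/1.0\r\n"
SEGMENTS = [
    (26, b"etc/passwd%00.html HTTP/1.0\r\n"),
    (0, b"GET /cgi-bin/.."),
    (15, b"%2F..%c0%af"),
]

if __name__ == "__main__":
    print("per-packet grep   :", naive_match(SEGMENTS, b"../"))
    print("reassemble+decode :", robust_match(SEGMENTS, b"../"))
    print(normalize(reassemble(SEGMENTS)))
```

Searching each segment for "../" finds nothing, and even the complete undecoded request does not contain the three bytes; after reassembly and normalisation the stream reads "get /cgi-bin/../../etc/passwd.html http/1.0" and the same pattern hits. The cost is that every normalisation step is a guess about the server's behaviour, which is why the slide's "OS stack behavior" item belongs next to the encoding tricks rather than being a separate problem.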

Page 14

Active Response

NIDS is primarily a passive technology
- Only monitors traffic
- Doesn’t sit in the data stream

Active response
- aka “sniping”, flex response

Page 15

Active Response

Several issues
- Timing
  - By the time filters are applied, attack is complete
- False alarms / spoofed traffic
  - Self-inflicted DOS
- Lack of formatting standards
  - CVE, OPSEC

Page 16

Intrusion Prevention

Place system in-line
- Hardware
- Redundancy

Acts as an IDS/Firewall hybrid
- Hogwash

Page 17

NIDS on the Cheap

So you want a NIDS?
- Snort
  - Open-source NIDS
  - Quickly becoming the “Apache” of IDS
  - Runs on Windows and most Unix variants
- MySQL
  - Open-source DBMS
- ACID
  - Great web-based front-end for Snort/MySQL
- A place to collect traffic
  - Your NIC is fine if you have only one machine
  - Use a hub if you’ve got a LAN
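For someone building the Snort setup this slide describes, the Dragon IRC:XDCC signature from page 7 translates field by field into Snort 2.x rule syntax. The rule below is an added example written for this page, not part of the talk and not from the Snort ruleset; the message text, the $HOME_NET to $EXTERNAL_NET direction (chosen to match the "from" alerts on the console slide, whereas Dragon's A covered either direction) and the local SID are assumptions.

```snort
# Dragon field                    -> Snort equivalent
#   T            (protocol)       -> tcp
#   6668         (port)           -> destination port 6668
#   S            (string)         -> content + nocase
#   20           (compare bytes)  -> depth:20 (search only the first 20 payload bytes)
#   /5Bxdcc/5Dslt (search string) -> content:"[xdcc]slt"
alert tcp $HOME_NET any -> $EXTERNAL_NET 6668 (msg:"IRC:XDCC bot nick registration"; \
    flow:to_server,established; content:"[xdcc]slt"; nocase; depth:20; \
    threshold:type limit, track by_src, count 1, seconds 300; \
    sid:1000001; rev:1;)
```

Two options have no Dragon counterpart on the slide and address the page 6 disadvantages directly: flow:to_server,established makes the rule stateful, so a spoofed or unsolicited packet carrying the string does not fire it, and the threshold line limits the sensor to one alert per source every five minutes, which is the thresholding the slide says plain signatures lack and keeps the ACID console from filling with one line per IRC reconnect.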

Page 18

Additional Resources

Fragroute
  http://monkey.org/~dugsong/fragroute/

Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
  http://secinf.net/info/ids/idspaper/idspaper.html

HIDS Products
- PortSentry
  http://www.psionic.com/products/portsentry.html
- Tripwire
  http://www.tripwire.com/
- AIDE
  http://www.cs.tut.fi/~rammer/aide.html

Page 19

Additional Resources

NIDS Products
- Snort
  http://www.snort.org
- Dragon
  http://www.enterasys.com/ids/
- CiscoSecure IDS
- ISS RealSecure
  http://www.iss.net/products_services/enterprise_protection/rsnetwork/index.php
- ACID
  http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html
- Hogwash
  http://hogwash.sourceforge.net/

Page 20

Questions?