Network intrusion detection/prevention systems

Network Intrusion Detection Systems #1


DESCRIPTION

Slides from the overview presentation about intrusion detection/prevention systems, given in the Security in Internet course at the Faculty of Informatics and Information Technology. The presentation is part of the course assignment.


Page 1: Network intrusion detection/prevention systems

Page 2: NIDS (detection system)

• real-time attack detection
• passive (watchers) / active (measurement) systems
• via analysis
  – protocol analysis
  – graph analysis
  – anomaly detection
• analysis of direct network traffic
  – complete / light

Page 3: NIDS scheme

http://insecure.org/stf/secnet_ids/evasion-figure3.gif

Page 4: Traffic analysis

• analyzing behaviour, not just packets
• difficulties
  – NIDS can be run from a different part of the network
  – bad packets
  – reordering issues
• sensor placement
  – inline
  – passive
    • spanning port
    • network tap
    • load balancer

Page 5

http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf

Page 6

http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf

Page 7: Signature-based analysis

• pattern matching
• “patterns of malicious traffic”
• very elementary (basically grepping)

+ huge community for rule generation
+ great for low-level analysis (rules are very specific)
+ does not take too many resources
- lower performance with a big ruleset
- a slight attack variation can beat the rule

Page 8: Rule example

# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:267; rev:13;)
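The rule above, worked through as an added Python example that is not part of the slides: a minimal signature matcher that parses Snort's content: syntax (|..| hex runs plus literal characters, where the space between two runs is itself a 0x20 byte) and the header's destination port, then runs the "grep" from page 7 over constructed payloads; the second payload differs in one byte and shows why a slight variation beats an exact-match signature.

```python
import re

# The page's example rule (Snort community SID 267), copied as shown on the slide.
RULE = ('# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-SOLARIS EXPLOIT sparc '
        'overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| '
        '|08 92 02| |0F D0 23 BF F8|"; fast_pattern:only; metadata:ruleset community, '
        'service dns; classtype:attempted-admin; sid:267; rev:13;)')

def parse_content(rule):
    """Byte pattern of the rule's first content: option.
    Inside a |..| run whitespace only separates hex bytes; outside it every
    character is a literal byte, so the "| |" between two runs is one 0x20
    byte. A backslash escapes characters that are special in the string."""
    m = re.search(r'content:\s*"((?:[^"\\]|\\.)*)"', rule)
    if not m:
        raise ValueError("rule has no content: option")
    text, out, i, in_hex = m.group(1), bytearray(), 0, False
    while i < len(text):
        ch = text[i]
        if ch == "|":
            in_hex = not in_hex
            i += 1
        elif in_hex:
            end = text.index("|", i)
            out += bytes.fromhex(text[i:end])  # fromhex skips whitespace
            i = end
        elif ch == "\\":
            out.append(ord(text[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)

def parse_dst_port(rule):
    """Destination port from the rule header; None when it is 'any'."""
    # header fields: action proto src_ip src_port direction dst_ip dst_port
    header = rule.lstrip("# ").split("(", 1)[0].split()
    return None if header[6] == "any" else int(header[6])

def matches(rule, dst_port, payload):
    """The slide's signature check: port filter plus an exact byte 'grep'."""
    if parse_dst_port(rule) not in (None, dst_port):
        return False
    return parse_content(rule) in payload

# Constructed sample payloads (not captures): a dummy 12-byte DNS header, the
# 16 signature bytes, padding; MISS is HIT with a single signature byte changed.
HIT = b"\x00" * 12 + bytes.fromhex("901ac00f900220089202200fd023bff8") + b"\x00" * 8
MISS = HIT.replace(b"\xd0\x23\xbf\xf8", b"\xd0\x23\xbf\xf9")
```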

Page 9: Protocol-based analysis

• reviewing network data
• strictly based on layer headers
• knowledge of expected values

+ better possibility for scalability
+ generic, able to catch zero-day exploits
- protocol header preprocessors need resources
- rules can get extremely difficult to write/understand
- provides little information; the admin has to investigate

Page 10: Types of detected events

• transport layer attack
• network layer attack
• unexpected services (tunnel, backdoor etc.)
• policy violations (forbidden protocols, ports etc.)

note: detection with accuracy

Page 11: Types of attack

• evasion/insertion attacks
  – bad IP headers
  – bad IP options
  – direct frame addressing
• IP packet fragmentation
  – set up delay for dropping stored packets
• TCP layer problems
  – sync between NIDS and end system

Page 12: Prevention

• passive
  – ending TCP stream
• inline
  – inline firewalling
  – throttling bandwidth usage
  – altering malicious content
• passive and inline
  – running third-party script
  – reconfiguring other network devices

Page 13: Toolset

• SNORT
  – open source
  – Windows / Linux
  – lots of plugins
• OSSIM (security information and event management)
• Sguil (network security monitor)

Page 14: SNORT

• started as a sniffer in 1998
• sniffer, packet logger, and NIDS
• most used open-source NIDS right now
• loads of add-ons
• big and stable community (regular community rule releases)

Page 15: Firewall network with SNORT

Page 16: SNORT add-ons

• DumbPig
  – bad rule grammar detection
• OfficeCat
  – searches for vulnerabilities in Microsoft Office docs
• SnoGE
  – reporting tool that parses your logs and visualises them as points on Google Maps
• Oinkmaster
  – tool for creating and managing rules
• iBlock
  – daemon grepping the alert file and blocking offending hosts

http://www.snort.org/snort-downloads/additional-downloads

Page 17: Q&A