
Network Intrusion Detection

David LaPorte
david_laporte@harvard.edu
Topics
 What is IDS?
 HIDS v. NIDS
 Signatures
 Active Response / IPS
 NIDS on the Cheap
 Additional Resources
What is IDS?
the art of detecting inappropriate, incorrect, or anomalous activity. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems, and ID systems that operate on network data flows are called network-based ID systems.
http://www.sans.org/newlook/resources/IDFAQ/what_is_ID.htm
HIDS v. NIDS
 Defense in depth, layered security
 HIDS
 Typically software installed on a system
 Agent-based
 Monitors multiple data sources, including file system meta-data, log files
 Wrapper-based
 Acts like a firewall – denies or accepts connections or logins based on defined policy
HIDS v. NIDS
 NIDS
 Monitors traffic on a network
 Reports on traffic not considered “normal”
 Anomaly-based
 Packet sizes, destinations, protocol distributions, etc
 Hard to determine what “normal” traffic looks like
 Signature-based
 Most products use signature-based technologies
Signature-based NIDS
 Signature-based
 Matches header fields, port numbers, content
 Network “grep”
 Advantages
 No learning curve
 Works out-of-box for well known attacks
 Snort has ~1900 signatures
 Dragon has ~1700 signatures
 Disadvantages
 New attacks cannot be detected
 False positives
 Maintenance/tweaking
 Not very hard to evade
 Stateless, lacks thresholding
Signatures
T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt

Field               Value
PROTOCOL            T
DIRECTION           A
PROTECTED NETWORKS  A
BINARY OR STRING    S
DYNAMIC LOG         10
COMPARE BYTES       20
PORT                6668
EVENT NAME          IRC:XDCC
SEARCH STRING       /5Bxdcc/5Dslt
Signatures
 On the console…
Time Dir Source Destination Proto Event Name Group Sensor Session Raw Data
11:02 02Nov04 from 128.103.a.b:4295 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
11:01 02Nov04 from 128.103.a.b:1141 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
10:59 02Nov04 from 128.103.a.b:2582 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
10:57 02Nov04 from 128.103.a.b:3341 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
NICK [XDCC]SLT-L482{A}
USER b0b 32 . :XDCC{A}
MODE [XDCC]SLT-L482 +i{A}
NICK [XDCC]SLT-L482{A}
USER b0b 32 . :XDCC{A}
MODE [XDCC]SLT-L482 +i{A}
NICK [XDCC]SLT-L482{A}
USER b0b 32 . :XDCC{A}
MODE [XDCC]SLT-L482 +i{A}
{A}
:snagged.wi.us.criten.net NOTICE AUTH :*** Looking up your hostname...{A}
:snagged.wi.us.criten.net NOTICE AUTH :*** Found your hostname, cached{A}
:snagged.wi.us.criten.net NOTICE AUTH :*** Checking Ident{A}
:snagged.wi.us.criten.net 001 [XDCC]SLT-L482 :Welcome to the Criten IRC Network [XDCC]SLT-L482!~b0b@jojo.harvard.edu{D}{A}
:snagged.wi.us.criten.net 002 [XDCC]SLT-L482 :Your host is snagged.wi.us.criten.net[@0.0.0.0], running version bahamut-1.4(34){D}{A}
:snagged.wi.us.criten.net 003 [XDCC]SLT-L482 :This server was created Fri Oct 18 2002 at 12:49:34 CDT{D}{A}
:snagged.wi.us.criten.net 004 [XDCC]SLT-L482 snagged.wi.us.criten.net bahamut-1.4(34) oiwscrknfydaAbghe biklLmMnoprRstvc{D}{A}
:snagged.wi.us.criten.net 005 [XDCC]SLT-L482 NOQUIT WATCH=128 SAFELIST MODES=13 MAXCHANNELS=15 MAXBANS=100 NICKLEN=30 TOPICLEN=307 KICKLEN=307 CHANTYPES=&# PREFIX=(ov)@+ NETWORK=Criten SILENCE=10 CASEMAPPING=ascii :are available on this server{D}{A}
:snagged.wi.us.criten.net 251 [XDCC]SLT-L482 :There are 59 users and 6470 invisible on 17 servers{D}{A}
:snagged.wi.us.criten.net 252 [XDCC]SLT-L482 30 :IRC Operators online{D}{A}
:snagged.wi.us.criten.net 253 [XDCC]SLT-L482 84 :unknown connection(s){D}{A}
:snagged.wi.us.criten.net 254 [XDCC]SLT-L482 738 :channels formed{D}{A}
:snagged.wi.us.criten.net 255 [XDCC]SLT-L482 :I have 705 clients and 1 servers{D}{A}
:snagged.wi.us.criten.net 265 [XDCC]SLT-L482 :Current local users: 705 Max: 3506{D}{A}
:snagged.wi.us.criten.net 266 [XDCC]SLT-L482 :Current global users: 6529 Max: 13238{D}{A}
:snagged.wi.us.criten.net NOTICE [XD:snagged.wi.us.criten.net NOTICE AUTH :*** Found your hostname, cached{A}
:snagged.wi.us.criten.net NOTICE AUTH :*** Checking Ident{A}
:snagged.wi.us.criten.net 001 [XDCC]SLT-L482 :Welcome to the Criten IRC Network [XDCC]SLT-L482!~b0b@dhcp-108-176.harvard.edu{D}{A}
:snagged.wi.us.criten.net 002 [XDCC]SLT-L482 :Your host is snagged.wi.us.criten.net[@0.0.0.0], running version bahamut-1.4(34){D}{A}
:snagged.wi.us.criten.net 003 [XDCC]SLT-L482 :This server was created Fri Oct 18 2002 at 12:49:34 CDT{D}{A}
:snagged.wi.us.criten.net 004 [XDCC]SLT-L482 snagged.wi.us.criten.net bahamut-1.4(34) oiwscrknfydaAbghe biklLmMnoprRstvc{D}{A}
:snagged.wi.us.criten.net 005 [XDCC]SLT-L482 NOQUIT WATCH=128 SAFELIST MODES=13 MAXCHANNELS=15 MAXBANS=100 NICKLEN=30 TOPICLEN=307 KICKLEN=307 CHANTYPES=&# PREFIX=(ov)@+ NETWORK=Criten SILENCE=10 CASEMAPPING=ascii :are available on this server{D}{A}
:snagged.wi.us.criten.net 251 [XDCC]SLT-L482 :There are 59 users and 6470 invisible on 17 servers{D}{A}
:snagged.wi.us.criten.net 252 [XDCC]SLT-L482 30 :IRC Operators online{D}{A}
:snagged.wi.us.criten.net 253 [XDCC]SLT-L482 84 :unknown connection(s){D}{A}
:snagged.wi.us.criten.net 254 [XDCC]SLT-L482 738 :channels formed{D}{A}
:snagged.wi.us.criten.net 255 [XDCC]SLT-L482 :I have 705 clients and 1 servers{D}{A}
:snagged.wi.us.criten.net 265 [XDCC]SLT-L482 :Current local users: 705 Max: 3506{D}{A}
:snagged.wi.us.criten.net 266 [XDCC]SLT-L482 :Current global users: 6529 Max: 13238{D}{A}
:snagged.wi.us.criten.net NOTICE [XD{A}
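The signature from the Signatures slide, parsed field by field in the order the slide labels them and run over the IRC client lines from the raw data above. This is an added example written for this page, not Dragon's own matching engine: decoding /HH escapes in the search string to single bytes, case-insensitive string matching, and reading COMPARE BYTES as the number of payload bytes searched are assumptions, and the packets (including their destination ports) are constructed from the raw data.

```python
import re
from dataclasses import dataclass

@dataclass
class DragonSig:
    protocol: str          # PROTOCOL (T = TCP on the slide)
    direction: str         # DIRECTION
    protected_nets: str    # PROTECTED NETWORKS
    binary_or_string: str  # BINARY OR STRING
    dynamic_log: int       # DYNAMIC LOG: packets recorded after a hit
    compare_bytes: int     # COMPARE BYTES: assumed to be the payload bytes searched
    port: int              # PORT
    event_name: str        # EVENT NAME
    search: bytes          # SEARCH STRING with /HH escapes decoded

def decode_search(field: str) -> bytes:
    """Assumption: /HH is one raw byte, so /5Bxdcc/5Dslt becomes b'[xdcc]slt'."""
    return re.sub(rb"/([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), field.encode())

def parse_signature(line: str) -> DragonSig:
    f = line.split(None, 8)  # the search string is the 9th and last field
    if len(f) != 9:
        raise ValueError("Dragon signature needs 9 fields: %r" % line)
    return DragonSig(f[0], f[1], f[2], f[3], int(f[4]), int(f[5]),
                     int(f[6]), f[7], decode_search(f[8]))

def matches(sig: DragonSig, dst_port: int, payload: bytes) -> bool:
    """Port filter, then a substring search over the first COMPARE BYTES bytes."""
    if dst_port != sig.port:
        return False
    window = payload[:sig.compare_bytes] if sig.compare_bytes else payload
    if sig.binary_or_string == "S":  # string match, assumed case-insensitive since
        return sig.search.lower() in window.lower()  # the slide's payload is upper-case
    return sig.search in window      # binary match is exact

SIG = parse_signature("T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt")
# Constructed (dst port, payload) packets: the IRC client lines from the raw
# data above ({A} there is Dragon's rendering of byte 0x0A) plus two controls.
PACKETS = [
    (6668, b"NICK [XDCC]SLT-L482\n"),
    (6668, b"USER b0b 32 . :XDCC\n"),
    (6668, b"MODE [XDCC]SLT-L482 +i\n"),
    (6668, b"NICK alice\n"),           # benign client: no event
    (80,   b"NICK [XDCC]SLT-L482\n"),  # wrong port: this signature never looks
]

def alerts() -> list:
    """(port, payload) pairs that would show up as IRC:XDCC on the console."""
    return [(p, d) for p, d in PACKETS if matches(SIG, p, d)]
```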
NIDS – Management
 Correlation is key
 Multiple sensors
 Single data repository
 Syslog
 DBMS
 Text files
NIDS – Placement
 Inside firewall
 Limits false positives – “cleaner” data
 Outside firewall
 Shows overall interest
 Need to collect all traffic
 Switch port won’t cut it
 Hub
 Switch SPAN port
 Passive tap
 Difficult on high-bandwidth links (>300Mbps)
 Distribution devices (TopLayer, etc)
 Hardware
NIDS – Drawbacks
 False Positives
 LOTS of data
 We generate 3-4GB of logs each day on a ~250Mbps sustained link
 Makes alerting difficult
 Interoperability
 ESM – Intellitactics, PentaSafe, etc.
NIDS – Drawbacks
 Evasion
 Packet fragmentation
 Out of order, overlapping
 Fragroute
 Character encodings / padding
 Unicode, mixed case, ../..’s, \0’s
 OS stack behavior
 A simple “grep” of a packet won’t work
Active Response
 NIDS is primarily a passive technology
 Only monitors traffic
 Doesn’t sit in the data stream
 Active response
 aka “sniping”, flex response
Active Response
 Several issues
 Timing
 By the time filters are applied, attack is complete
 False alarms / spoofed traffic
 Self-inflicted DOS
 Lack of formatting standards
 CVE, OPSEC
Intrusion Prevention
 Place system in-line
 Hardware
 Redundancy
 Acts as an IDS/Firewall hybrid
 Hogwash
NIDS on the Cheap
 So you want a NIDS?
 Snort
 Open-source NIDS
 Quickly becoming the “Apache” of IDS
 Runs on Windows and most Unix variants
 MySQL
 Open-source DBMS
 ACID
 Great web-based front-end for Snort/Mysql
 A place to collect traffic
 Your NIC is fine if you have only one machine
 Use a hub if you’ve got a LAN
Additional Resources
 Fragroute
 http://monkey.org/~dugsong/fragroute/
 Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
 http://secinf.net/info/ids/idspaper/idspaper.html
 HIDS Products
 PortSentry
 http://www.psionic.com/products/portsentry.html
 Tripwire
 http://www.tripwire.com/
 AIDE
 http://www.cs.tut.fi/~rammer/aide.html
Additional Resources
 NIDS Products
 Snort
 http://www.snort.org
 Dragon
 http://www.enterasys.com/ids/
 CiscoSecure IDS
 ISS RealSecure
 http://www.iss.net/products_services/enterprise_protection/rsnetwork/index.php
 ACID
 http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html
 Hogwash
 http://hogwash.sourceforge.net/
Questions?
