
SURFids USER MANUAL

version 1.0, March 2007

SURFNET BV, RADBOUDKWARTIER 273, POSTBUS 19035, 3501 DA UTRECHT


T +31 302 305 305, F +31 302 305 329, WWW.SURFNET.NL
SURFids User Manual / version 1.0

CONTENTS

1. Introduction ............................................................................. 4

2. SURFids Operation ..................................................................... 5

2.1 In short ........................................................................... 5

2.2 Sensors ........................................................................... 6

2.3 Honeypots ........................................................................ 6

2.4 Other Detection Modules ....................................................... 8

2.5 Web Interface .................................................................... 9

3. Logging in and out .................................................................... 10

3.1 Before using SURFids .......................................................... 10

3.2 Logging in ....................................................................... 10

3.3 Logging out ...................................................................... 10

4. SURFids Overview ..................................................................... 11

4.1 Menu Bar ........................................................................ 11

4.2 Time span selector ............................................................. 12

4.3 Attacks ........................................................................... 13

4.4 Exploits .......................................................................... 14

4.5 Attackers ......................................................................... 14

4.6 Ports .............................................................................. 15

5. Report .................................................................................. 16

5.1 Ranking .......................................................................... 16

5.2 Cross Domain ................................................................... 17

5.3 Google Map ...................................................................... 18

5.4 Traffic ............................................................................ 19

5.5 Server Info (for administrators only) ........................................ 20

5.6 Detected Protocols ............................................................. 21

5.7 Graphs ........................................................................... 22

5.8 My Reports ...................................................................... 23

6. Analyze ................................................................................. 28

6.1 Attacks ........................................................................... 28

6.2 Exploits .......................................................................... 29


6.3 Malware Offered ................................................................ 29

6.4 Malware Downloaded .......................................................... 30

6.5 ARP cache ....................................................................... 32

6.6 Search ............................................................................ 33

7. Configuration .......................................................................... 37

7.1 Sensor Status ................................................................... 37

7.2 ARP ............................................................................... 38

7.3 IP Exclusions .................................................................... 39

7.4 Argos ............................................................................. 39

7.5 Argos Templates (for administrators only) .................................. 41

7.6 Config Info (for administrators only) ........................................ 42

8. Administration ......................................................................... 43

8.1 My Account ...................................................................... 43

8.2 Users ............................................................................. 44

8.3 Domains (for administrators only) ........................................... 45

Glossary ..................................................................................... 47


1. INTRODUCTION

SURFids is an innovative intrusion detection system. It specifically aims at
open network environments with uncontrolled users, e.g. students. This
solution detects worm outbreaks, hack attempts and other malicious traffic on
your network.

SURFids is a distributed solution: sensors are located at several locations in a
client LAN, and traffic directed to the sensors is tunnelled to a central point (a
set of IDS servers). At this central point, the traffic is analysed and checked
for attacks. Thus, not all the traffic on your network is analysed, but only
traffic directed to the sensors in your network.

The SURFids web interface provides reports and analyses which enable you to
take appropriate action for optimal network security. This web application
will mainly be used by security officers and administrators.

This manual gives an overview of the technical details of SURFids, and
explains the operation of the SURFids web interface.

At the back of this manual, you will find a glossary which explains specific IDS
related terms.

If you have any questions or comments on SURFids, do not hesitate to contact
SURFnet at ids@surfnet.nl.

2. SURFids OPERATION

2.1 In short
SURFids basically consists of:

• sensors in the client networks

• a central component (a set of dedicated IDS servers) that analyses client
LAN traffic and presents the results in a web interface

Through a VPN tunnel connection, the central component obtains an IP
address on the client LAN. This IP address is the sensor. All inbound and
outbound traffic on this IP address is redirected to the central component.
This central component will analyse the traffic, using intrusion detection
applications called honeypots (see section 2.3).

Fig. 1 SURFids network overview


2.2 Sensors
SURFids examines the traffic on your network through sensors, which are
physically installed in your network. A sensor consists of a dedicated PC which
is booted from a USB stick provided by SURFnet.

The sensors in your network are passive sensors: their only function is to
build up a direct link between your network and the central IDS component,
through a VPN tunnel. So attacks on the sensor will be directed to the central
IDS component and analyzed by the honeypots.

Sensors support multiple VLAN, making it possible for one sensor to connect
up to 8 VLANs to the central IDS component, see Fig. 2.

Fig. 2 Multiple VPN tunnels

The central IDS component manages the sensors and pushes updates to the
sensor if necessary. So the sensors in your network need very little
maintenance on your part.

2.3 Honeypots

General
Two honeypots are running on the central IDS server: Nepenthes and Argos.
Honeypots are software applications which detect and identify malicious
attacks by simulating known and unknown vulnerabilities in Windows and
other applications.

In action, a honeypot is waiting for malicious traffic on the sensors, mainly
worms and hacker’s attacks. Once such an attack is detected, the sensor tries
to ‘play the attacker’s game’, in order to gain as much information as possible
on the attack (such as source IP and downloaded files).

The honeypots on the IDS server are able to respond to numerous types of
attacks, aimed at different operating systems. The honeypots simulate these
operating systems.

In short: the honeypots will do everything in their power to co-operate in a
successful attack. By doing this, the honeypots are able to detect and report
exactly which attack they were hit by.

Nepenthes
This honeypot simulates numerous known vulnerabilities in Windows and in
various applications. It will try to download malware (malicious software code
which is offered during an attack), so it can be analyzed.

SURFids uses this honeypot by default to detect attacks on client LANs.

Argos
Rather than simulate an operating system or application, this honeypot
actually is one, located in a safe environment. Unlike Nepenthes, Argos does
not base its responses on predefined scripts but utilizes buffer overflow
detection among other technologies to react authentically to both known and
unknown attacks. In this way it surpasses Nepenthes in the detection of
malicious traffic.

Argos is only used to check traffic on a user defined set of IP addresses (see
section 7.4).

Characteristics compared
Nepenthes and Argos have different characteristics and are used for different
purposes. These characteristics are compared in the following table. You can
use this table to choose between Nepenthes and Argos.

Nepenthes                      Argos
High performance               Low performance
Detailed attack analysis       Global analysis only
Detects known attacks only     Detects both known and unknown attacks

As mentioned, Nepenthes is used by default for attack detection. You can use
Argos for example in the following cases:

• Nepenthes has detected ‘possible malicious’ traffic (a possible attack) on a
sensor in the client LAN. If the attack is repeated, Argos may be able to
detect whether this was malicious traffic (a real attack) or not.

• A sensor runs in a protected and controlled LAN. Normally, it will not be
accessed by traffic from outside the LAN. If however this does occur, the
heaviest tool is needed in order to analyse such traffic. It can then be
forwarded to Argos rather than Nepenthes.

• An IP address or range attracts your attention because it shows up often
in various logs, e.g. your firewall logs. Nepenthes has reported traffic from
this address or range as ‘possible malicious’, but cannot see if it is really
malicious or not. You can forward all traffic coming from this address or
range to Argos for more detailed analysis.

2.4 Other Detection Modules

ARP poisoning module

This module detects ARP poisoning attacks. ARP poisoning means that the
attacker tries to associate his MAC address with the IP address of a node in
the attacked network, such as the default gateway. If he is successful, all
traffic meant for that node will be sent to the attacker, who can decide what
to do with it. He can for example forward it to the actual default gateway, or
change the data before he forwards it.

Rogue DHCP server module

This module detects rogue DHCP servers that run on the network. A rogue
DHCP server is a DHCP server which is not controlled by the network staff. A
rogue DHCP server can be a network device (e.g. a router) unintentionally
connected to the network by a user, but it can also be used for network
attacks.

In the second case, the rogue DHCP server is set to provide as default gateway
an IP address of a machine controlled by an attacker. This attacker can see all
the traffic sent by the client to other networks.
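As an added example (not SURFids code and not part of this manual), the following Python sketch shows the check a rogue DHCP server module has to make: parse a DHCP message, keep only server OFFERs, and raise an alert in the wording of the manual's report examples when the offering host's MAC address is not on the list of authorised DHCP servers. The sensor name, the authorised-server list and the packets are constructed sample values, and the sensor is assumed to hand over the Ethernet source MAC together with the UDP payload.

```python
# Added example, not SURFids code: detect DHCP OFFERs from unauthorised servers.
# Assumes the sensor delivers the Ethernet source MAC and the UDP payload of
# each packet; the authorised-server list below is a constructed sample value.

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie after the BOOTP header
BOOTREPLY = 2                      # op field value for server-to-client messages
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPOFFER = 2                      # option 53 value for an OFFER


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def parse_dhcp(payload):
    """Return (op, options) for a DHCP payload, or None if it is not DHCP.

    Options are parsed defensively: a truncated option ends parsing instead
    of raising, so a malformed packet cannot crash the detector.
    """
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                  # no length byte
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break                                  # truncated value
        options[code] = value
        i += 2 + length
    return payload[0], options


def check_offer(sensor, src_mac, src_ip, payload, authorised_macs):
    """Return the alert text for an OFFER from an unknown server, else None."""
    parsed = parse_dhcp(payload)
    if parsed is None:
        return None
    op, options = parsed
    if op != BOOTREPLY or options.get(OPT_MESSAGE_TYPE) != bytes([DHCPOFFER]):
        return None                                # client traffic or not an OFFER
    if src_mac.lower() in {m.lower() for m in authorised_macs}:
        return None                                # offer from a known server
    # Report the server identifier the offer itself claims; fall back to the IP header.
    server_id = options.get(OPT_SERVER_ID)
    server_ip = bytes_to_ip(server_id) if server_id and len(server_id) == 4 else src_ip
    return ("Rogue DHCP server detected on %s! A host with source address %s (%s) "
            "is trying to offer DHCP leases!" % (sensor, src_mac, server_ip))


def build_offer(server_ip, offered_ip):
    """Construct a minimal DHCPOFFER payload (sample input, not captured traffic)."""
    header = bytearray(236)
    header[0], header[1], header[2] = BOOTREPLY, 1, 6   # op, htype Ethernet, hlen
    header[16:20] = ip_to_bytes(offered_ip)             # yiaddr: the offered lease
    header[20:24] = ip_to_bytes(server_ip)              # siaddr
    options = (bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + ip_to_bytes(server_ip)
               + bytes([OPT_END]))
    return bytes(header) + DHCP_MAGIC + options


# Constructed sample: one authorised campus DHCP server; anything else is rogue.
AUTHORISED_DHCP_SERVERS = {"00:11:22:33:44:55"}

if __name__ == "__main__":
    for mac, ip in (("00:11:22:33:44:55", "10.0.175.1"),
                    ("aa:bb:cc:dd:ee:ff", "10.0.175.11")):
        print(check_offer("sensor11", mac, ip, build_offer(ip, "10.0.175.60"),
                          AUTHORISED_DHCP_SERVERS))
```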


2.5 Web Interface

In the SURFids web application, you can:

• see general information on the (malicious) traffic reported by your
sensor(s).

• see detailed information on the attacks on your sensor(s), including details
on the downloaded malware.

• add reports with user defined information on the attacks.

• search in the SURFids database.

• configure your sensors.

• set user accounts.

In the chapters following the application menu, these features are explained
in detail.


3. LOGGING IN AND OUT

3.1 Before using SURFids

Before SURFids can be used, you must do the following:

• One or more sensors must be requested from SURFnet.

• The sensor(s) must be brought online in your LAN.

• A SURFids account must be requested (via ids-beheer@surfnet.nl).

3.2 Logging in
Once you have received a SURFids username and password (from SURFnet or
your security officer), you can log in on SURFids:

1. Using your internet browser, go to https://surfids.surfnet.nl (do not forget
the ‘s’ in ‘https’).

Fig. 3 Logging in

2. Enter your user name and password and click on Login.

SURFids starts.

If you start SURFids for the first time, it is advisable to change the password
into a self-selected one. Proceed as follows:

1. From the menu, choose Administration > My account.

2. Enter your new password and confirm this password.

3. Click on Update to confirm your new password.

3.3 Logging out

To log out, click on Logout.


4. SURFids OVERVIEW

After logging in into SURFids, you will see the SURFids homepage:

Fig. 4 Homepage

The homepage consists of the following components:

4.1 Menu Bar

Fig. 5 Menu bar

From the menu bar, you can enter the various SURFids components:

• Home: leads you to the SURFids homepage

• Reports: see chapter 5

• Analyze: see chapter 6

• Configuration: see chapter 7

• Administration (only available if you have the appropriate access rights):
see chapter 8


4.2 Time span selector

Fig. 6 Time span selector

The time span selector enables you to set the time span over which you want
to see report information.

• The time span setting is persistent for all information pages you
choose in SURFids. It does not return to its default value when you
open a new page.

• In the dropdown box, you can choose a time span.

• By clicking on you can fine tune the time span:

Fig. 7 Fine tuning the time span (date and time)

- Click on the start date and the finish date.

- Click on the hours and minutes boxes to set the start time and finish
time.

• Click on or to go back or go forward one time span (that was chosen
in the ‘Period’ box).


4.3 Attacks

Fig. 8 Attacks overview

This window displays the (possible) attacks that were detected by the SURFids
central component:

• possible malicious attacks: all the connections that were logged by
Nepenthes, both harmless and malicious connections.

• malicious attacks: connections that are certainly malicious connections,
detected by Nepenthes, Argos, the ARP poisoning module and the Rogue
DHCP server detection module.

• malware offered: attacks that have offered malware, which Nepenthes has
tried to download.

• malware downloaded: attacks of which Nepenthes has successfully
downloaded the malware offered.

You can:

• hover over to see information on the items.

• click on to see the details of the data in the ‘Statistics’ column. For an
explanation of this details window, see section 6.6.


4.4 Exploits

Fig. 9 Exploits overview

This window displays the type of exploits that were detected by Nepenthes. An
exploit is a piece of software code which uses vulnerabilities in software
applications or operating systems, in order to gain unauthorised access to a
computer (network).

• Click on the exploit name for additional information on the exploit.

• Click on to see the details of the data in the ‘Statistics’ column. For an
explanation of this details window, see section 6.6.

4.5 Attackers

Fig. 10 Attackers

In this box you can find the top 10 of attackers, ordered by the number of
attacks they have made during the period you have selected.

• Click on an IP address to perform a whois query (RIPE, ARIN, APNIC,
LACNIC, AFRINIC, KRNIC).

• Click on to see the details of the data in the ‘Total Hits’ column. For an
explanation of this details window, see section 6.6.

4.6 Ports

Fig. 11 Ports that were attacked

This window displays the top 10 of ports that were attacked in the period you
have selected.

• Click on the port description name for additional information on the port.

• Click on to see the details of the data in the ‘Total Hits’ column. For an
explanation of this details window, see section 6.6.


5. REPORT

This chapter describes the tabs under the ‘Report’ menu item.

5.1 Ranking

Fig. 12 Ranking

This page compares malicious attack information of your sensors (right side of
the page) with that of all sensors connected to SURFids (left side of the
page). The following information is compared:

• total malicious attacks and downloaded malware

• top 10 exploits

• top 10 sensors that were attacked
In the top 10 sensors of all sensors, only your own sensors are specified
by name.

• top 10 ports that were attacked

• top 10 IP addresses of attackers

• top 10 file names of malware offered

• top 10 download protocols

• top 10 attacker’s operating systems

• top 5 attacked domains
In this list, only your own domains are specified by name.


5.2 Cross Domain

Fig. 13 Attacks from within your own network

The ‘Range’ column shows an overview of the IP ranges in your own network.
The other columns show:

• (Possible) malicious attacks coming from this range in your own
network. Click on to see details of the attacks. For an explanation of this
details window, see section 6.6.

• Unique source addresses that were attacked from this range. Click on
the number to see the source addresses and the number of attacks per
source address.

• If the IP ranges shown on this page do not correspond with your own
IP ranges or if no IP ranges are displayed at all, please contact
ids-beheer@surfnet.nl.


5.3 Google Map

Fig. 14 Google map

This map shows the approximate origins of malicious attacks (not possible
malicious attacks) on the sensors in your network. The IP address of the
attacker is converted into a geographical location, using a geolocation
database. The location is plotted via Google Maps.

If more attacks come from one IP address, the colour indication on the map
changes.


5.4 Traffic

Fig. 15 Traffic per sensor

These graphs show the network traffic through the VPN tunnel for every
sensor in your network.

You can:

• make a selection of sensors to be displayed, using the drop-down box.

• click on each graph to see other time spans: weekly, monthly and yearly.


5.5 Server Info (for administrators only)

Fig. 16 Server information

This page gives the following ‘health status’ information of your servers, over
the last 24 hours:

• CPU load

• memory usage

• available hard disk space

• network traffic

You can:

• choose another server from the drop-down box.

• click on each graph to see other time spans: weekly, monthly and yearly.


5.6 Detected Protocols

Fig. 17 Detected protocols

The central IDS server sniffs on your sensors and logs every protocol it
detects. Here you can view the protocol information (name and type number)
of the traffic on your sensors, to check for unusual protocols in your network.

• Click on the sensor you want to view. The protocol information of that
sensor is displayed:

Fig. 18 Detailed protocol information

• By clicking on Clear detected protocols, you delete the list of protocols
that were detected up to this moment, for the selected sensor.


5.7 Graphs

Fig. 19 Setting up a graph

Here you can draw various graphs displaying information about your sensors.

1. In the ‘Actions’ bar, select the type of information you want to display:

- severity of the attacks on the sensor

- type of attack (exploit used)

- destination ports of the attacks, and the severity

- OS of the attacker, and the severity

- virus scanner, with the downloaded malware it has scanned

2. Choose the sensor(s), the information to be displayed, the interval and the
plot type.

3. Use the period selector (see section 4.2) to set the time span.

4. Click on Show to display the graph.


Fig. 20 Graph example, which is the result of the parameters chosen in Fig. 19.

The graph can contain the following categories:

• PosA: possible malicious attack

• MalA: malicious attack

• MalO: malware offered

• MalD: malware downloaded

5.8 My Reports

Fig. 21 My reports overview

You can set up reports that contain the information you specify. Reports can
be sent to you by e-mail, or you can use the RSS feed, so you are
automatically kept up-to-date on attacks in your network.


You can use the following report templates:

• All attacks: an overview of all attacks, specified by severity.

• Own ranges: an overview of all attacks from IP ranges in your own
network.

• Sensor status: an alert when a sensor is down or failed to start.

• ARP alert: an e-mail alert in case of ARP poisoning.

• DHCP servers: an e-mail alert when a rogue DHCP server is detected.

Search results
The reports list also contains search queries that you have saved (see section
6.6). You can perform a search query by clicking on .

Add a report
1. In the ‘Actions’ bar, click on Add report.

Fig. 22 Setting up a report

2. Fill in the following fields (where applicable):

SUBJECT
Report name, also the subject of the e-mail or RSS feed containing the report
information.

• Tip: enter a meaningful name here, so that you can easily distinguish
your reports.


MAIL PRIORITY
The importance level the message gets in your mail box.

SENSORS
The sensors that are checked for this report.

REPORT TEMPLATE
The basic type of information for your report (see the report examples at the
end of this section):

• All attacks: an overview of all attacks, specified by severity (with
timestamp, source IP, attack type).

• Own ranges: an overview of all attacks from IP ranges in your own
network (with timestamp, source IP, attack type).

• Sensor status: an alert when a sensor is down or failed to start (with
sensor name, status).

• ARP alert: an e-mail alert in case of ARP poisoning (with attacking MAC
address and attacked IP address).

• DHCP servers: an e-mail alert when a rogue DHCP server is detected (with
attacking MAC address).

• For ‘Sensor status’, ‘ARP alert’ and ‘DHCP servers’, an e-mail is sent
immediately.

REPORT TYPE
• Mail – summary: a summary of the report by e-mail

• Mail – detail: the report details by e-mail

• Mail – summary + detail: the complete report by e-mail

• Mail – IDMEF detail: the report details by mail in IDMEF format, an XML
format dedicated to intrusion detection information

• RSS – summary: a summary of the report via an RSS feed

• RSS – summary + detail: the complete report via an RSS feed

SEVERITY
• For the ‘All attacks’ and ‘Own ranges’ templates: specification of the attack
type(s) you want in the report.

• For the ‘Sensor status’ template: specification of the sensor status(es) you
want in the report.


FREQUENCY
Reports from the ‘All attacks’ and ‘Own ranges’ templates can be sent to you:

• every hour

• every day

• every week

• when a threshold occurs, e.g. you want to receive a report if more than 20
attacks have occurred within one hour. For this example, fill in the
threshold options as follows:

- Operator: > (greater than)

- Threshold amount: 20

- Time span: last hour

3. Click on Add to confirm.

Subscribe to an RSS feed

After setting up an RSS feed report, you must subscribe to the RSS feed to be
able to view the report. You have two options for accomplishing this:

1. In the reports list, click on , login with your IDS username and password
and follow the instructions of your web browser.

2. In the reports list, right click on and copy the RSS link to your RSS
reader (e.g. Bloglines or Google Reader). Note that this reader must
support the login functionality.

Other actions
• Click on the report name to edit the report properties.

• In the edit mode, set the ‘Status’ field to ‘inactive’ to disable the report.

• Click on [Delete] to delete a report.

• Set the status of all reports by clicking Enable all reports or Disable all
reports.

• Click on Reset all timestamps to set all data in the ‘Last sent’ column to
‘never’. Reports will be sent again if applicable.


Report examples

ALL ATTACKS / OWN RANGES
Mailreport generated at 12-12-2007 00:00:02

Results from 05-12-2007 00:00:02 till 12-12-2007 00:00:02

######### Summary #########

Malicious attack: 1235

######### Detail overview #########

Sensor     Source IP      Timestamp             Additional info
sensor11   *.*.194.102    05-12-2007 00:39:36   SAV
sensor11   *.*.20.68      05-12-2007 00:39:48   SAV
sensor11   *.*.82.166     05-12-2007 01:13:06   SAV
sensor11   *.*.194.102    05-12-2007 01:19:00   SAV
sensor11   *.*.115.9      05-12-2007 01:37:29   SAV
sensor11   *.*.115.9      05-12-2007 01:40:09   SAV
sensor11   *.*.251.246    05-12-2007 01:41:02   SMB
sensor11   *.*.198.112    05-12-2007 01:52:54   DCOM

SENSOR STATUS
sensor1 is down!
sensor11 is down!

ARP ALERT
ARP Poisoning attack detected on sensor11!
An attacker with MAC address 11:22:33:44:55:66 is trying to take over
*.*.15.1 (aa:bb:cc:dd:ee:ff)!

DHCP SERVERS
Rogue DHCP server detected on sensor11!
A host with source address aa:bb:cc:dd:ee:ff (*.*.175.11) is trying to
offer DHCP leases!
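As an added example (not SURFids code and not part of this manual), the following Python snippet parses the ‘Detail overview’ of an ‘All attacks’ mail report in the format shown above and evaluates a threshold rule of the kind set in the Frequency field (operator, threshold amount, time span). It assumes report timestamps are day-month-year as in the sample, adds ‘<’ and ‘=’ operators beside the ‘>’ the manual shows, and uses a constructed report text with eight detail lines.

```python
# Added example, not SURFids code: parse a mail report's detail overview and
# apply a threshold rule (operator / amount / time span) to the attack records.
import re
from datetime import datetime, timedelta

TS_FORMAT = "%d-%m-%Y %H:%M:%S"          # report timestamps read as day-month-year
DETAIL_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d\d-\d\d-\d{4} \d\d:\d\d:\d\d)\s+(.*)$")

# Constructed sample, modelled on the report example above (summary count
# adjusted to match the eight detail lines).
SAMPLE_REPORT = """\
Mailreport generated at 12-12-2007 00:00:02
Results from 05-12-2007 00:00:02 till 12-12-2007 00:00:02
######### Summary #########
Malicious attack: 8
######### Detail overview #########
Sensor Source IP Timestamp Additional info
sensor11 *.*.194.102 05-12-2007 00:39:36 SAV
sensor11 *.*.20.68 05-12-2007 00:39:48 SAV
sensor11 *.*.82.166 05-12-2007 01:13:06 SAV
sensor11 *.*.194.102 05-12-2007 01:19:00 SAV
sensor11 *.*.115.9 05-12-2007 01:37:29 SAV
sensor11 *.*.115.9 05-12-2007 01:40:09 SAV
sensor11 *.*.251.246 05-12-2007 01:41:02 SMB
sensor11 *.*.198.112 05-12-2007 01:52:54 DCOM
"""


def parse_detail(report_text):
    """Return the detail records as dicts with sensor, source, timestamp, info."""
    records = []
    in_detail = False
    for line in report_text.splitlines():
        if line.startswith("#########"):
            in_detail = "Detail overview" in line      # section switch
            continue
        if not in_detail or line.startswith("Sensor "):   # skip column header
            continue
        m = DETAIL_RE.match(line.strip())
        if not m:
            continue                                    # ignore stray lines
        sensor, source, ts, info = m.groups()
        records.append({"sensor": sensor, "source": source,
                        "timestamp": datetime.strptime(ts, TS_FORMAT),
                        "info": info})
    return records


# '>' is the operator the manual shows; '<' and '=' are assumed additions.
OPERATORS = {">": lambda count, n: count > n,
             "<": lambda count, n: count < n,
             "=": lambda count, n: count == n}
TIME_SPANS = {"last hour": timedelta(hours=1),
              "last day": timedelta(days=1),
              "last week": timedelta(weeks=1)}


def evaluate_threshold(records, operator, amount, time_span, now, sensor=None):
    """Count attacks in the window ending at `now` and apply the rule.

    `now` may be a datetime or a string in TS_FORMAT. Returns (triggered, count);
    `sensor` restricts the count to one sensor.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, TS_FORMAT)
    start = now - TIME_SPANS[time_span]
    count = sum(1 for r in records
                if start <= r["timestamp"] <= now
                and (sensor is None or r["sensor"] == sensor))
    return OPERATORS[operator](count, amount), count


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_REPORT)
    # The manual's example rule: more than 20 attacks within the last hour.
    print(evaluate_threshold(recs, ">", 20, "last hour", "05-12-2007 01:45:00"))
```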


6. ANALYZE

This chapter describes the tabs under the ‘Analyze’ menu item.

6.1 Attacks

Fig. 23 Attacks overview

This window displays the (possible) attacks that were detected by the SURFids
central component:

• possible malicious attacks: all the connections that were logged by
Nepenthes, both harmless and malicious connections.

• malicious attacks: connections that are certainly malicious connections,
detected by Nepenthes, Argos, the ARP poisoning module and the Rogue
DHCP server module.

• malware offered: attacks that have offered malware, which Nepenthes has
tried to download.

• malware downloaded: attacks of which Nepenthes has successfully
downloaded the malware offered.

You can:

• hover over to see information on the items.

• click on to see the details of the data in the ‘Statistics’ column. For an
explanation of this details window, see section 6.6.


6.2 Exploits

Fig. 24 Exploits overview

This window displays the type of exploits that were detected by Nepenthes. An
exploit is a piece of software code which uses vulnerabilities in software
applications or operating systems, in order to gain unauthorised access to a
computer (network).

• Click on the exploit name for additional information on the exploit.

• Click on to see the details of the data in the ‘Statistics’ column. For an
explanation of this details window, see section 6.6.

6.3 Malware Offered

Fig. 25 Malware offered top 10

Attackers enter the network using exploits (see section 6.2). When the attack
offers malware (software code intended to damage or infiltrate a computer
system), Nepenthes extracts the following information:

• the protocol used to transfer the malware

• the IP address where the malware can be downloaded from

• the filename of the malware

Nepenthes uses this information to generate the overview of malware which
has been offered. This overview shows the top 10 of malware offered to
Nepenthes through your sensors.

• Click on to see the details of the data in the ‘Statistics’ column. For an
explanation of this details window, see section 6.6.

• Click on ALL to see the complete list of offered malware.

6.4 Malware Downloaded

Fig. 26 Malware downloaded

This window gives an overview of the malware downloaded by Nepenthes, and
the way the virus scanners detected the malware.

• Click on in the ‘Stats’ column for information on the specific occasions
that this malware was downloaded (including source and destination IP
addresses). For an explanation of this details window, see section 6.6.

• Click on the binary name (this is the MD5 sum of the malware) in the
‘Malware’ column to get detailed binary information, with the following
items:

BINARY INFO
Binary ID, size, description, first seen date, last seen date.

Fig. 27 Binary info


NORMAN SANDBOX AND/OR CWSANDBOX RESULT
This report gives detailed information on the worm, such as the network
connections it makes and the registry changes it causes.

Fig. 28 Norman sandbox result

BINARY HISTORY
The binary history shows when the malware was first detected and by which
virus scanner. It indicates how new the detected viruses are and gives, to
some extent, a review of the virus scanners you use.

In the example below, you can see that on January 25th, only BitDefender
detected the binary as an SDBot. On January 29th, AntiVir also detected it,
whereas the other virus scanners did not detect the SDBot.

Fig. 29 Binary history

FILENAMES USED
The various filenames that were used for this binary.

Fig. 30 Filenames used


6.5 ARP cache

Fig. 31 ARP cache

You can view the ARP cache, for each sensor separately. The ARP cache shows
which MAC addresses are bound to specific IP addresses within the LAN where
the sensor is located.

You can set which MAC addresses must be monitored by the ARP poisoning
module. The gateway of your network is monitored by default.

Not all MAC addresses need to be monitored by the ARP poisoning module:
only crucial systems, like important servers or PCs that are known to be
hacked.

Select a sensor for ARP cache information. The information is displayed:

Fig. 32 ARP cache information

• Click on Add to static list to add the MAC address to the list of MAC
addresses that are monitored by the ARP poisoning module. You can view
this list under Configuration > ARP (see section 7.2).

• Click on Clear ARP cache to clear the MAC – IP address combinations that
were reported up to this moment.
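As an added example (not SURFids code and not part of this manual), the following Python monitor does what the ARP poisoning module of section 2.4 and the ARP cache page above describe: it learns MAC–IP bindings from ARP traffic into a per-sensor cache, keeps a static list of monitored bindings (the gateway by default), offers ‘Add to static list’ and ‘Clear ARP cache’, and raises the alert in the wording of the section 5.8 report example when a monitored IP address is claimed by another MAC address. The sensor name, addresses and packets are constructed sample values.

```python
# Added example, not SURFids code: ARP cache learning plus ARP poisoning alerts.
# All sensor names, addresses and packets below are constructed sample values.
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def fmt_mac(raw):
    return ":".join("%02x" % b for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(packet):
    """Parse an Ethernet/IPv4 ARP packet -> (opcode, sender_mac, sender_ip) or None."""
    if len(packet) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", packet[:8])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    if oper not in (ARP_REQUEST, ARP_REPLY):
        return None
    # Both requests and replies advertise the sender binding, and both can
    # poison a cache (gratuitous requests included), so both are inspected.
    return oper, fmt_mac(packet[8:14]), fmt_ip(packet[14:18])


def build_arp(oper, sender_mac, sender_ip, target_ip="0.0.0.0"):
    """Construct a sample ARP packet (test input, not captured traffic)."""
    sha = bytes(int(x, 16) for x in sender_mac.split(":"))
    spa = bytes(int(x) for x in sender_ip.split("."))
    tpa = bytes(int(x) for x in target_ip.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + b"\x00" * 6 + tpa


class ArpMonitor:
    """Per-sensor ARP cache with a static list of bindings to guard."""

    def __init__(self, sensor, static_list):
        self.sensor = sensor
        # ip -> expected MAC; the gateway binding is configured here by default.
        self.static = {ip: mac.lower() for ip, mac in static_list.items()}
        self.cache = {}          # ip -> set of MACs seen claiming that IP

    def add_to_static_list(self, ip):
        """'Add to static list': guard the binding currently in the cache."""
        macs = self.cache.get(ip, set())
        if len(macs) != 1:
            raise ValueError("no unambiguous binding cached for %s" % ip)
        self.static[ip] = next(iter(macs))

    def clear_cache(self):
        """'Clear ARP cache': forget the bindings reported so far."""
        self.cache.clear()

    def process(self, packet):
        """Feed one packet; return the alert text if a guarded IP is claimed."""
        parsed = parse_arp(packet)
        if parsed is None:
            return None
        _oper, mac, ip = parsed
        self.cache.setdefault(ip, set()).add(mac)
        expected = self.static.get(ip)
        if expected is None or mac == expected:
            return None
        return ("ARP Poisoning attack detected on %s! An attacker with MAC address "
                "%s is trying to take over %s (%s)!" % (self.sensor, mac, ip, expected))


if __name__ == "__main__":
    monitor = ArpMonitor("sensor11", {"10.0.15.1": "aa:bb:cc:dd:ee:ff"})  # gateway
    print(monitor.process(build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:ff", "10.0.15.1")))
    print(monitor.process(build_arp(ARP_REPLY, "11:22:33:44:55:66", "10.0.15.1")))
```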


6.6 Search

Fig. 33 Search criteria

You can search for specific attack information in the IDS database. You can
set up queries using destination address and port, source address and port
and severity value.

• Click on IP exclusion to set the IP exclusions (see section 7.3).

• Use % as a wildcard, where applicable, e.g. enter ‘%.exe’ to search for all
file names containing ‘.exe’.

• Click on Clear to clear all fields.

• Click on Search to perform the query:

Fig. 34 Search results

• If an IP address is in red and marked with a flag, it is an IP address in
your own range.

Save search result

You can save search results:

• as a PDF.

• as an IDMEF file (IDMEF is an XML format dedicated to intrusion detection
information).

• as a search template. In this case, the result is saved and can be viewed
under ‘My reports’ (see section 5.8). Enter a template title and the time
span to be saved with the result. Select Don’t save time span info, to
use the time span which is selected at the moment you view the search
result under ‘My reports’.

Other actions
• Clear and change the search criteria in the ‘Criteria’ box.

• Click in the ‘Severity’ column to see details of the attack. For detail
examples, see ‘Examples of attack details’ below.

• Click on the source IP address for a whois query (RIPE, ARIN, APNIC,
LACNIC, AFRINIC or KRNIC).

• Click in the ‘Additional info’ column for more information on the attack.


Examples of attack details

MA L IC IOU S A T TA CK - AR G O S

Fig. 35 Malicious attack detected by Argos

Argos has logged this attack under ID 1550 111091. The attack was related to
process number 212, and module services.exe. The operating system of the
Argos image was Windows 2000, and the image name was win2k.img.

The TCP and UDP ports that were open during the attack are also shown.

More information is stored at the Argos server and can be requested via ids-beheer@surfnet.nl. Do not forget to mention the Argos ID and time stamp of the attack.

MALICIOUS ATTACK - NEPENTHES

Fig. 36 Malicious attack detected by nepenthes

This window shows the dialogue Nepenthes used, i.e. the code Nepenthes uses to detect attacks. In this case it was the DCOM dialogue, which indicates that this malicious attack was a DCOM attack.

You can also see the shellcode handler that was used.


MALWARE OFFERED

Fig. 37 Attack which offered malware

This window shows the URL from which the malware would be downloaded. You can see that the tftp protocol is used when the malware is downloaded.

MALWARE DOWNLOADED

Fig. 38 Attack of which malware was downloaded

This window shows the download URL of the downloaded malware and the
MD5 hash of the malware. The link opens details of the downloaded malware.


7. CONFIGURATION

This chapter describes the tabs under the ‘Configuration’ menu item.

7.1 Sensor Status

Fig. 39 Sensor status

This page gives an overview of the status of your sensors.

• Perform various actions on the sensors. Choose the appropriate action from the drop-down box and click on Update.

- Reboot: performs a physical reboot of the sensor.

- SSH on: enables the management service on the sensor (only for
administrators).

- SSH off: disables the management service on the sensor (only for
administrators).

- Stop: stops the sensor (stop script will be run).

- Start: starts the sensor (start script will be run).

- Disable: disables the sensor, it cannot start anymore.

- Enable: enables the sensor, it can start again.

- Ignore: ignores the sensor; sensor does not appear in status reports.

- Unignore: sensor will appear in status reports again.

- Enable/Disable ARP: enables or disables the ARP detection module.

• Note: After an action is selected, it takes up to an hour to perform it. The sensor checks hourly whether an action must be performed. This means a new action cannot be entered until the ‘Action’ field has turned to ‘none’.


• Click on the sensor name or the label name to view sensor details (such as IP addresses, MAC address on the server side, logging information).

• Note: for (VLAN) static sensors, you must enter the IP address. This is not done automatically. Note that the IP address you enter here cannot be identical to the address you configured on the sensor.

7.2 ARP

Fig. 40 ARP module configuration

You can configure the ARP poisoning module, for each sensor separately. This
module checks for ARP poisoning attacks (see section 2.4 for more
information).

Select a sensor. The MAC addresses that are being monitored for ARP
poisoning, are displayed:

Fig. 41 ARP module details

Enable/disable
In the ‘Actions’ box you can enable or disable the ARP poisoning module.


Add a MAC address

1. Enter a MAC address and the corresponding IP address.

2. Select the device type: router/gateway, server and/or host.

3. Select ‘DHCP server’ if the MAC address must be monitored by the Rogue
DHCP server module, which checks for DHCP servers that are not
controlled by the network owner but by an attacker (see section 2.4 for
more information).

4. Click on Add to add the new entry to the list.

In the ‘Action’ box, you can now edit or delete the entry.
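The checks behind the ARP poisoning and Rogue DHCP server modules can be expressed in a few lines. The following is an added example, not SURFids code: it takes a constructed monitored list in the shape entered above (MAC, IP, device type, ‘DHCP server’ flag), reports monitored IPs claimed by a different MAC in observed ARP replies, and reports DHCP offers from MACs not marked as DHCP servers. The record names and observation format are this example's assumptions.

```python
from collections import namedtuple

# Constructed monitored list, as entered under Configuration > ARP:
# MAC, IP, device type and whether the MAC is an authorised DHCP server.
# (Names and input format are assumptions of this example.)
Entry = namedtuple("Entry", "mac ip device dhcp_server")
MONITORED = [
    Entry("00:11:22:33:44:01", "192.0.2.1",  "router/gateway", True),
    Entry("00:11:22:33:44:02", "192.0.2.10", "server",         False),
]

def check_arp(monitored, arp_replies):
    """arp_replies: iterable of (sender_mac, sender_ip) seen on the LAN.
    Returns one alert per reply in which a monitored IP (e.g. the default
    gateway) is claimed by a MAC other than the configured one, which is
    what an ARP poisoning attempt looks like on the wire."""
    expected = {e.ip: e.mac.lower() for e in monitored}
    alerts = []
    for mac, ip in arp_replies:
        mac = mac.lower()
        if ip in expected and mac != expected[ip]:
            alerts.append(("arp-poisoning", ip, expected[ip], mac))
    return alerts

def check_dhcp(monitored, dhcp_offers):
    """dhcp_offers: iterable of server MACs that sent a DHCP OFFER.
    Any MAC not marked as 'DHCP server' in the monitored list is rogue."""
    allowed = {e.mac.lower() for e in monitored if e.dhcp_server}
    return sorted({m.lower() for m in dhcp_offers} - allowed)

def arp_cache(arp_replies):
    """MAC - IP combinations reported so far (what 'Clear ARP cache' empties)."""
    cache = {}
    for mac, ip in arp_replies:
        cache.setdefault(ip, set()).add(mac.lower())
    return cache
```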

7.3 IP Exclusions

IP addresses that you trust at all times can be excluded from IDS checks, for
example your port scan machine. In the event that a machine in your network
often appears to be generating possible malicious traffic, check this machine.
If it proves to send legitimate traffic, you can add this machine to the IP
exclusions.

• Add or delete IP addresses.

7.4 Argos

Fig. 42 Argos overview

In SURFids, Nepenthes is the default honeypot for detecting attacks (see section 2.3). For specific IP addresses directing traffic to a sensor, you can redirect the attacks to Argos, to get a more detailed analysis of these attacks. This is done using an IP switching technology.


In this window, you define these IP addresses. For example: you can redirect the top 100 IP addresses that have sent possible malicious (but not confirmed malicious) traffic to all sensors in your network during the last 24 hours.

Sensor redirects
To add a sensor from which traffic must be redirected to Argos:

1. In the ‘Sensor’ column, choose a new sensor.

2. In the ‘Image name’ column, choose the OS image Argos must use.
Normally you will use the image based on your own OS. If you choose an
older OS, which is more vulnerable to attacks, attacks are more likely to
succeed.

• These images are set up by the administrators; other users cannot define images.

3. In the ‘Template’ column, choose the set of source IP addresses which must be handled by Argos:

- all traffic to the sensor.

- top 100 of all your sensors: the top 100 IP addresses that have sent
possible malicious traffic to all sensors in your network, but could not
be identified as ‘malicious’ by Nepenthes.

- top 100 of all sensors: the top 100 IP addresses that have sent
possible malicious traffic to all sensors in the SURFids network, but
could not be identified as ‘malicious’ by Nepenthes.

- top 100 sensor: the top 100 IP addresses that have sent possible
malicious traffic to this sensor, but could not be identified as
‘malicious’ by Nepenthes.

• SURFids uses a top 100 of IP addresses because attacks coming from these addresses are most likely to occur again. That’s why it is useful to have traffic from these IP addresses checked by Argos.

4. In the ‘Timespan’ column, choose the time span to narrow down the set of IP addresses that are redirected to Argos.

5. Click on Add.

• After setting a sensor redirect for the first time, it can take up to 1 hour before the redirect is effective.
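To make the four template choices concrete, here is an added example (not SURFids code) that computes the source IP set a redirect would cover from constructed event records, using the template names from the ‘Template’ column and a timespan. It assumes each record carries the Nepenthes verdict (“possible” or “malicious”), and reads “could not be identified as malicious” as: drop any IP that Nepenthes classified as malicious inside the window, then rank the rest by event count.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed event records, not SURFids data: (time, sensor, source IP,
# Nepenthes verdict) with verdict "possible" (possible malicious) or "malicious".
EVENTS = [
    (datetime(2007, 3, 1, 9, 0), "sensor-a", "203.0.113.5", "possible"),
    (datetime(2007, 3, 1, 9, 5), "sensor-a", "203.0.113.5", "possible"),
    (datetime(2007, 3, 1, 9, 7), "sensor-b", "203.0.113.5", "possible"),
    (datetime(2007, 3, 1, 9, 9), "sensor-a", "203.0.113.9", "possible"),
    (datetime(2007, 3, 1, 9, 9), "sensor-a", "203.0.113.9", "malicious"),
    (datetime(2007, 3, 1, 9, 10), "sensor-b", "198.51.100.7", "possible"),
    (datetime(2007, 2, 20, 9, 0), "sensor-a", "198.51.100.8", "possible"),  # too old
]
NOW = datetime(2007, 3, 1, 10, 0)     # constructed "now" for the window
DAY = timedelta(hours=24)             # the 'Timespan' column value

def argos_template(events, template, sensor, own_sensors, now, timespan, top=100):
    """Source IPs an Argos redirect would cover for one sensor.
    Only events inside [now - timespan, now] count. For the top-100 templates
    an IP that Nepenthes already classified as 'malicious' in that window is
    left out (assumed reading of 'could not be identified as malicious') and
    the remaining sources are ranked by number of possible-malicious events."""
    since = now - timespan
    window = [e for e in events if since <= e[0] <= now]
    if template == "all traffic to the sensor":
        return sorted({ip for _, s, ip, _ in window if s == sensor})
    if template == "top 100 sensor":
        scope = [e for e in window if e[1] == sensor]
    elif template == "top 100 of all your sensors":
        scope = [e for e in window if e[1] in own_sensors]
    elif template == "top 100 of all sensors":
        scope = window
    else:
        raise ValueError("unknown template: %r" % template)
    known_bad = {ip for _, _, ip, v in scope if v == "malicious"}
    counts = Counter(ip for _, _, ip, v in scope
                     if v == "possible" and ip not in known_bad)
    return [ip for ip, _ in counts.most_common(top)]
```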

Other actions:

• Hover over an item to see information on it.

• Click on Update to confirm changes in sensor settings.


• Click on Delete to delete a sensor from this list.

Redirect to ranges
You can also redirect specific IP ranges to an Argos image in the ‘Sensor
redirects’ list:

1. Choose a sensor and a source IP address or range.

2. Click on Add.

• After setting an IP range redirect for the first time, it can take up to 5 minutes before the redirect is effective.

7.5 Argos Templates (for administrators only)

You can configure the operating system images that run on the Argos server.

To add an image:

• Enter a name for the new image. This name will appear in the ‘Argos’ menu under the ‘Image name’ column.

• Enter the server IP address.

• Enter the image name, i.e. the file name of the image on the Argos server.

• Choose the OS which must be simulated by the Argos image.

• Choose the OS language of the image.

• Enter the MAC address of the image (normally, you can leave this field empty as it is filled with a random MAC address).

• Choose which organisations may use this image.

• Click on Add to confirm.

You can also:

• update changes in existing images.

• delete images.


7.6 Config Info (for administrators only)

Fig. 43 Logging server information

This window gives information on how the logging server is configured and which versions of the virus scanners are used. An icon next to each item indicates whether it is ‘on’ or ‘off’.


8. ADMINISTRATION

8.1 My Account

Fig. 44 My account

Enter the fields that you want to change for your account and click on Update
to confirm.

• You can only reduce your access rights, not upgrade.

The ‘Email signing’ and the ‘Access’ fields are explained below:

EMAIL SIGNING
E-mails from SURFids to you can be signed with a GPG key, a way to assure you that the e-mail is actually sent by SURFnet.

ACCESS: SENSOR
• 0 – Read only access: you can only view sensor information.

• 1 – Remote control access: you can give commands to the sensor (e.g. to reboot or change the sensor name).

• 2 – ARP & ARGOS access: you can configure Argos and the ARP poisoning module.


ACCESS: USER ADMIN
• 0 – No access: you cannot change accounts (not even your own).

• 1 – Own account: you can only change your own account.

• 2 – Domain accounts: you can change or add accounts of other users in the same domain.

8.2 Users

Fig. 45 Users

You can manage users in this domain if you have domain account rights.

Add user
1. Click on Add user.

2. Fill in the fields; see section 8.1 for details.

3. Click on Insert to confirm.

Modify user
1. Click on [Modify] to edit a user.

2. Change the appropriate fields; see section 8.1 for details.

3. Click on Update to confirm.

Other actions
• Click on [Delete] to delete a user.

• Click on [Edit] to view the reports defined for this user.


8.3 Domains (for administrators only)

Fig. 46 Domains

Insert domain
You can insert a new domain, e.g. when a sensor has been moved.

1. Enter the new domain name.

2. Click on Insert to confirm.

Edit domain
1. Click on [Edit].

Fig. 47 Edit domain

You can:

• Edit the domain name.

• Add IP ranges to the domain, if this was not done automatically. These IP ranges will be treated as your own (see ‘Cross domain’, section 5.2).


• Set identifiers. Identifiers identify sensors and group them in the same domain. These identifiers are added automatically. Enter an identifier name and choose from the following identifier types:

- whois netname: is most commonly used. Sensors coming from this net range will all be identified as the same domain, e.g. ‘SURFNET’.

- Domain name identifier: identifies sensors coming from the same domain (e.g. ‘surfnet.nl’).

- SOAP identifier (if enabled): uses a SOAP server to extract a name for the domain. This SOAP feature is SURFnet specific.

You can also generate a random identifier string, by clicking on Generate Random Identifier String. If you copy this string into a file ‘identifier.ris’ and place this file on the sensor, the sensor will be grouped into the domain where you generated the string.


GLOSSARY

Argos – Honeypot which detects both known and unknown attacks.

ARP cache – List of combinations of MAC addresses and IP addresses in a network.

ARP poisoning – Attacking method in which the attacker tries to associate his MAC address with the IP address of a node in the attacked network, such as the default gateway. If he is successful, all traffic meant for that node will be sent to the attacker, who can decide what to do with it. He can for example forward it to the actual default gateway, or change the data before he forwards it.

Exploit – Code which uses vulnerabilities in software applications on operating systems, in order to gain unauthorised access to a computer (network).

Honeypot – Application which is set up to detect and identify attack attempts.

IDMEF – Intrusion Detection Message Exchange Format. An XML document format dedicated to intrusion detection information.

Malicious attack – Attempt to gain unauthorised access to a computer (network).

Malware – Software code which is offered during an attack, with the purpose of damaging or infiltrating a computer system.

Nepenthes – Honeypot which simulates numerous known vulnerabilities in Windows and other applications.

Rogue DHCP server – A DHCP server which is not controlled by the network owner. A rogue DHCP server can be a network device (e.g. a router) unintentionally connected to the network by a user, but it can also be used for network attacks.

Sensor – PC which builds up a direct link (through a VPN tunnel) between the client LAN and the central server.

Traffic – Data offered to a sensor through a port/protocol.
