CONTEXT-BASED INTRUSION DETECTION USING SNORT, NESSUS AND BUGTRAQ DATABASES Presented by Frédéric Massicotte Communications Research Centre Canada Department of Systems and Computer Engineering, Carleton University Privacy, Security and Trust October 2005


Page 2: Motivations

Current IDS problems
  – Some IDS do not provide a declarative rule specification language
    • Difficult to verify, compare and update attack scenarios
  – Many IDS rely on only one packet or one TCP stream to identify intrusions
    • More complex attacks need to be programmed (two specification systems)
    • False negatives and false positives
  – Intrusion signatures do not include a precise network context
    • Increases the number of false positives (session state is not enough)

IDS functionality needed
  – The IDS signature language should
    • be a declarative rule specification language
    • be independent of the monitoring engine
    • enable multi-packet rules
    • specify network-context gathering other than alarms and session states
    • be used on well-defined models (Packet Model and Network Model)
  – The IDS monitoring engine should
    • be multi-packet
    • maintain a network-context knowledge base

Page 3: Our Contributions

  • A multi-packet monitoring engine
  • A declarative rule specification language that uses the Object Constraint Language (OCL)
  • A formal packet model and a formal network model
  • A library of passive information gathering rules to acquire the network context

Missing:
  – A library of intrusion detection rules with network context
    • Prove that these rules could be used to reduce the number of false positives
    • Study the correlation potential and accuracy of freely available security databases

Page 4: Rule Specification (architecture diagram)

Labels recoverable from the diagram: rules written in OCL are evaluated over the Packet Stream Model and the Network Model; the monitoring engine consumes packets and emits alarms.

Page 5: Network Model (class diagram, rebuilt as a class list)

Classes and attributes
  • Host
  • Interface: macAddress : string
  • IPStack: ipAddress : string, mask : string, gateway : string, dnsServers[0..*] : string, names[0..*] : string, role : int, state : bool (constants UP, DOWN)
  • Port: number : int, type : int (constants TCP, UDP), state : bool (constants OPEN, CLOSE)
  • Product: prodname : string, type : string (constants OPERATING_SYSTEM, FTP, TELNET), version : string
  • Vendor: name : string
  • Vulnerability: description : string
  • Exploit: consequences : string, requirements : string
  • Reference: id : string, organization : string
  • Session
  • Alarm: time : long

Associations (role names and multiplicities as drawn)
  • Host: interfaces 1..* → Interface
  • Interface: ipStacks 0..* → IPStack
  • IPStack: ports 0..* → Port; configuration 0..* → Product (0..*)
  • Port: daemon 1 → Product (0..*)
  • Product: vendor 1 → Vendor (0..*); vulnerabilities 0..* → Vulnerability (affected 1..* on the Product side)
  • Vulnerability: exploits 0..* → Exploit (vulnerability 1 on the Exploit side); refs 0..* → Reference (1)
  • Session: sourceAddress 1 and destinationAddress 1 → IPStack; sourcePort 1 and destinationPort 1 → Port
  • Alarm: exploit 1 → Exploit (0..*); sourceAddress 1 and destinationAddress 1 → IPStack; sourcePort 0..1 and destinationPort 0..1 → Port; correlates 0..*


Page 7: IDS Rules with Network Context

A rule is the conjunction of three parts, which the slide labels Packet characteristics, Session state and Proper network context:

  Packet characteristics
    p1.data.match("/^STAT\s+[^\n]*\x3f/smi") and
    p1.tcp.destinationPort = 21 and

  Session state
    Session::sessionOpen(p1.ip.sourceAddress, p1.ip.destinationAddress,
                         p1.tcp.sourcePort, p1.tcp.destinationPort) and

  Proper network context
    (IPStack::hasDaemonOnPort(p1.ip.destinationAddress, p1.tcp.destinationPort, Port.TCP, "IIS", "5.0") or
     IPStack::hasDaemonOnPort(p1.ip.destinationAddress, p1.tcp.destinationPort, Port.TCP, "IIS", "5.1"))

Page 8: IDS Rules with Network Context

Where each part of the rule comes from (legend: Bugtraq (VDB), Nessus (VDS), Snort (IDS)):

  IDS rule (the Snort signature: packet characteristics and session state)
    p1.data.match("/^STAT\s+[^\n]*\x3f/smi") and
    p1.tcp.destinationPort = 21 and
    Session::sessionOpen(p1.ip.sourceAddress, p1.ip.destinationAddress,
                         p1.tcp.sourcePort, p1.tcp.destinationPort)

  Network context (from Bugtraq and Nessus, reached through the Snort rule's references)
    (IPStack::hasDaemonOnPort(p1.ip.destinationAddress, p1.tcp.destinationPort, Port.TCP, "IIS", "5.0") or
     IPStack::hasDaemonOnPort(p1.ip.destinationAddress, p1.tcp.destinationPort, Port.TCP, "IIS", "5.1"))

  Passive information-gathering rule that fills the network model (truncated on the slide)
    context Packet
    inv: Packet.allInstances()->forAll(p1 |
           p1.data.match("Microsoft IIS 5.0") and p1.tcp.destinationPort = 80 and ...
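To make the split on pages 7 and 8 concrete, here is an added Python example (written for this page, not the presenter's engine or OCL tooling): a small network model in the spirit of page 5, two passive banner-gathering rules that fill it, and the page 7 rule evaluated over a constructed packet stream. The class and function names (NetworkModel, gather_context, evaluate), the banner formats, the "session is open once server traffic was seen" rule and the addresses are this example's assumptions. The same STAT probe is sent to two FTP servers; only the one whose stack is known to run IIS 5.0 raises an alarm once context is required.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """One TCP segment: what the slide's OCL reaches as p1.ip.*, p1.tcp.* and p1.data."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    data: bytes
    to_server: bool = True   # direction, as Snort's flow:to_server would see it


@dataclass
class Product:
    prodname: str
    version: str


@dataclass
class IPStack:
    ip_address: str
    ports: dict = field(default_factory=dict)   # (proto, number) -> Product behind the port


class NetworkModel:
    """Subset of page 5: IP stacks, the daemon behind each port, and open sessions."""
    TCP = "tcp"

    def __init__(self):
        self.ip_stacks = {}      # ip -> IPStack
        self.sessions = set()    # (client_ip, server_ip, client_port, server_port)

    def ip_stack(self, ip):
        return self.ip_stacks.setdefault(ip, IPStack(ip))

    def session_open(self, src, dst, sport, dport):
        """Session::sessionOpen on the slide. Assumption of this example: a session
        counts as open once server->client traffic was seen on the 4-tuple."""
        return (src, dst, sport, dport) in self.sessions

    def has_daemon_on_port(self, ip, port, proto, prodname, version):
        """IPStack::hasDaemonOnPort on the slide."""
        stack = self.ip_stacks.get(ip)
        daemon = stack.ports.get((proto, port)) if stack else None
        return daemon is not None and (daemon.prodname, daemon.version) == (prodname, version)


# Passive information-gathering rules (page 8): learn the daemon from server banners.
# Banner formats are constructed for this example.
FTP_BANNER = re.compile(rb"^220[^\r\n]*Microsoft FTP Service \(Version ([\d.]+)\)", re.M)
HTTP_SERVER = re.compile(rb"^Server:\s*Microsoft-IIS/([\d.]+)", re.M | re.I)


def gather_context(model, p):
    """Update the knowledge base from server->client packets; raises no alarm."""
    if p.to_server:
        return
    model.sessions.add((p.dst_ip, p.src_ip, p.dst_port, p.src_port))
    server = model.ip_stack(p.src_ip)
    if p.src_port == 21 and (m := FTP_BANNER.search(p.data)):
        server.ports[(NetworkModel.TCP, 21)] = Product("IIS", m.group(1).decode())
    elif p.src_port == 80 and (m := HTTP_SERVER.search(p.data)):
        server.ports[(NetworkModel.TCP, 80)] = Product("IIS", m.group(1).decode())


# The page 7 rule, split into the three parts the slide names.
STAT_DOS = re.compile(rb"^STAT\s+[^\n]*\x3f", re.S | re.M | re.I)   # /^STAT\s+[^\n]*\x3f/smi


def packet_matches(p):                      # packet characteristics
    return p.to_server and p.dst_port == 21 and STAT_DOS.search(p.data) is not None


def session_matches(model, p):              # session state
    return model.session_open(p.src_ip, p.dst_ip, p.src_port, p.dst_port)


def context_matches(model, p):              # proper network context
    return any(model.has_daemon_on_port(p.dst_ip, p.dst_port, NetworkModel.TCP, "IIS", v)
               for v in ("5.0", "5.1"))


def evaluate(model, stream):
    """Run the stream through the gathering rules and the detection rule.
    Returns (alarms without context, alarms with context)."""
    without_ctx, with_ctx = [], []
    for p in stream:
        gather_context(model, p)
        if packet_matches(p) and session_matches(model, p):
            without_ctx.append(p)
            if context_matches(model, p):
                with_ctx.append(p)
    return without_ctx, with_ctx


# Constructed traffic: the same STAT probe sent to an IIS 5.0 FTP server (10.0.0.5)
# and to a non-IIS FTP server (10.0.0.9).
SAMPLE_STREAM = [
    Packet("10.0.0.5", "192.0.2.10", 21, 40001,
           b"220 srv Microsoft FTP Service (Version 5.0).\r\n", to_server=False),
    Packet("192.0.2.10", "10.0.0.5", 40001, 21, b"STAT *?<<<<\r\n"),
    Packet("10.0.0.9", "192.0.2.10", 21, 40002,
           b"220 ProFTPD Server ready.\r\n", to_server=False),
    Packet("192.0.2.10", "10.0.0.9", 40002, 21, b"STAT *?<<<<\r\n"),
]


def demo(stream=SAMPLE_STREAM):
    model = NetworkModel()
    without_ctx, with_ctx = evaluate(model, stream)
    return len(without_ctx), len(with_ctx), [p.dst_ip for p in with_ctx]


if __name__ == "__main__":
    print(demo())   # (2, 1, ['10.0.0.5'])
```

The packet-only rule fires twice, the context rule once: the probe against the non-IIS server is the false positive the slides are about. Ordering matters in practice: the gathering rule has to have seen the banner before the probe arrives, otherwise the knowledge base is empty and the context test suppresses a true positive, so a real engine would also need a way to scan or age the model, which is out of scope here.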

Page 9: Snort References

Share of Snort rules by the type of references they carry (pie chart):

  CVE, Bugtraq and Nessus     15%
  CVE and Bugtraq             21%
  CVE and Nessus               3%
  Bugtraq and Nessus           3%
  Only CVE                     3%
  Only Bugtraq                 7%
  Only Nessus                  4%
  Other types of references   21%
  No reference at all         23%

Page 10: Group 1: Direct and Indirect

Snort rules grouped by how their Bugtraq (VDB) and Nessus (VDS) references relate (pie chart):

  Group 1: Direct and Indirect                16%
  Group 2: Incomplete but Inferable           18%
  Group 3: Incomplete and Non-Inferable       19%
  Group 4: No Bugtraq nor Nessus reference    47%

Pages 11 to 14 repeat this chart with Group 2 (titled "Incomplete but Inferable", shown twice), Group 3 ("Incomplete and Non-Inferable") and Group 4 ("No Reference") highlighted in turn.

Page 15: Group 1: Direct and Indirect

Within Group 1, comparison of the direct (Snort to Bugtraq) and indirect (Snort to Nessus to Bugtraq) sets of Bugtraq references (pie chart):

  Group 1.1: Direct strictly includes Indirect         6%
  Group 1.2: Indirect strictly includes Direct        12%
  Group 1.3: Direct and Indirect are disjoint          6%
  Group 1.4: Direct and Indirect strictly intersect    5%
  Group 1.5: Direct and Indirect are the same         71%

Page 16: Results of Relationship Analysis

  • Only 16% of the Snort rules have references to both Bugtraq and Nessus.
    – Only 11.4% of the Snort rules have the same set of Bugtraq references whether we use the Snort to Bugtraq references or the Snort to Nessus to Bugtraq references.
    – 29% of the Group 1 Snort rules present discrepancies, depending on whether we use the direct or indirect relationship to Bugtraq.
    – 6% of Group 1 seem to refer to different Bugtraq vulnerabilities.
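The grouping on pages 9 to 16 can be reproduced mechanically from the rules themselves. The following is an added Python example, not the presenter's analysis tooling: it parses the reference options out of Snort rule text, sorts rules into Group 1 or Group 4 (rules with only one of the two reference types are labelled "incomplete", because the slides do not say how "inferable" is decided), and for Group 1 rules compares the direct Snort to Bugtraq set with the indirect Snort to Nessus to Bugtraq set to assign the 1.1 to 1.5 subgroups of page 15. The rule text, the Nessus plugin to Bugtraq map and every identifier in it are constructed; only the reference:<system>,<id>; option syntax is Snort's.

```python
import re
from collections import Counter

# Snort's reference option: reference:<system>,<id>;  (real syntax; the ids below are made up)
REF_OPT = re.compile(r"reference:\s*([a-z]+)\s*,\s*([^;]+?)\s*;", re.I)
SID_OPT = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_references(rule):
    """Collect a rule's references by system, plus its sid."""
    refs = {"cve": set(), "bugtraq": set(), "nessus": set(), "other": set()}
    for system, ident in REF_OPT.findall(rule):
        system = system.lower()
        bucket = refs[system] if system in ("cve", "bugtraq", "nessus") else refs["other"]
        bucket.add(ident)
    m = SID_OPT.search(rule)
    refs["sid"] = int(m.group(1)) if m else None
    return refs


def reference_group(refs):
    """Page 10's top-level grouping. Group 1 needs both a Bugtraq and a Nessus
    reference, Group 4 has neither. Telling Group 2 (inferable) from Group 3
    (non-inferable) needs an inference procedure the slides do not spell out,
    so rules with exactly one of the two are only labelled 'incomplete' here."""
    has_bt, has_ns = bool(refs["bugtraq"]), bool(refs["nessus"])
    if has_bt and has_ns:
        return "group 1: direct and indirect"
    if not has_bt and not has_ns:
        return "group 4: no Bugtraq nor Nessus reference"
    return "incomplete (group 2 or 3)"


def group1_subgroup(direct, indirect):
    """Page 15: set relation between direct (Snort->Bugtraq) and indirect
    (Snort->Nessus->Bugtraq) Bugtraq identifiers."""
    if direct == indirect:
        return "1.5 same"
    if direct > indirect:            # strict superset
        return "1.1 direct strictly includes indirect"
    if indirect > direct:
        return "1.2 indirect strictly includes direct"
    if direct.isdisjoint(indirect):
        return "1.3 disjoint"
    return "1.4 strictly intersect"


def analyse(rules, nessus_to_bugtraq):
    """Classify each rule; for Group 1 rules also compare direct vs indirect sets."""
    results = {}
    for rule in rules:
        refs = parse_references(rule)
        entry = {"group": reference_group(refs)}
        if entry["group"].startswith("group 1"):
            direct = set(refs["bugtraq"])
            indirect = set().union(*(nessus_to_bugtraq.get(p, set()) for p in refs["nessus"]))
            entry.update(direct=direct, indirect=indirect,
                         subgroup=group1_subgroup(direct, indirect))
        results[refs["sid"]] = entry
    return results


def group_shares(results):
    """Percentage of rules per top-level group (what page 10's pie chart shows)."""
    counts = Counter(e["group"] for e in results.values())
    return {g: round(100 * c / len(results), 1) for g, c in counts.items()}


# Constructed rules and a constructed Nessus plugin -> Bugtraq map; every identifier is made up.
HEAD = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"example"; flow:to_server,established; '
SAMPLE_RULES = [
    HEAD + 'reference:bugtraq,1001; reference:nessus,50001; sid:1000001; rev:1;)',
    HEAD + 'reference:bugtraq,1002; reference:bugtraq,1003; reference:nessus,50002; sid:1000002; rev:1;)',
    HEAD + 'reference:bugtraq,1004; reference:nessus,50003; sid:1000003; rev:1;)',
    HEAD + 'reference:bugtraq,1006; reference:nessus,50004; sid:1000004; rev:1;)',
    HEAD + 'reference:bugtraq,1008; reference:bugtraq,1009; reference:nessus,50005; sid:1000005; rev:1;)',
    HEAD + 'reference:cve,2000-0001; sid:1000006; rev:1;)',
    HEAD + 'reference:bugtraq,1011; reference:url,www.example.com/adv; sid:1000007; rev:1;)',
]
NESSUS_TO_BUGTRAQ = {
    "50001": {"1001"},
    "50002": {"1002"},
    "50003": {"1004", "1005"},
    "50004": {"1007"},
    "50005": {"1009", "1010"},
}

if __name__ == "__main__":
    res = analyse(SAMPLE_RULES, NESSUS_TO_BUGTRAQ)
    for sid, entry in sorted(res.items()):
        print(sid, entry["group"], entry.get("subgroup", ""))
    print(group_shares(res))
```

The seven constructed rules exercise each subgroup once: the 1.3 case (disjoint sets) is the one the slides flag as pointing at different Bugtraq vulnerabilities, and it is the case a correlation engine keyed on Bugtraq ids would silently get wrong, so it is worth reporting separately rather than folding into a generic "mismatch" count. A Nessus plugin missing from the map yields an empty indirect set and lands in 1.1, which is a data gap rather than a real discrepancy; a production version should report those separately.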

Page 17: Results

  • Built a library of small IDS rules with network context, using Group 1 Snort rules
  • Tested 20 attack programs against 12 systems
    – Reduced the number of false positives, compared to Snort
    – Showed that network context is important to reduce false positives

Page 18: Test Cases (diagram)

Labels recoverable from the diagram: Attacker 1 and Attacker 2 run the attacks; the target systems include Linux 2.4.18-14, Linux 2.4.19-4GB, OS X, Sun 4.x and Oracle; Snort and PNMT monitor the traffic, and their results are compared ("Results vs Results").

Page 19: Conclusion

  • The relationships between Snort IDS signatures, Nessus and Bugtraq still need to be improved
  • Correlation systems using events from these systems only use a small proportion of the relationship potential
  • For the small number of Snort rules that provide accurate relationships, network context is important to reduce false positives

Future work on IDS rules
  – Test more context-based intrusion detection rules
  – Continue the development of a virtual exploit testing network
  – Test rules to identify more complex attacks such as DDoS and network discovery techniques

Page 20: Questions