Intrusion Detection Essentials with Snort Primer

Paul Jaramillo, CISSP, GCFA
EECS 710: Information Security & Assurance
University of Kansas, Electrical Engineering & Computer Science
[email protected]

Source: hossein/Teaching/Fa07/710/Lectures/ids-notes.pdf (lecture slides with speaker notes)

11/3/2006, University of Kansas – EECS 710 – Intrusion Detection Essentials with Snort Primer

Problem Statement

Faced with ever-growing malicious threats to network and computer assets, IT personnel are charged with protecting the confidentiality, integrity, and availability of their employer's data. The 2006 FBI/CSI Computer Crime survey reported that 52% of respondents were victims of a security breach in the previous year. A key mechanism for preventing and detecting cyber attacks is the Intrusion Detection System (IDS). This presentation outlines IDS principles and details how the open source IDS Snort may be used to increase assurance in your system's security.

Notes:
- Over the last 3 years the breach figure has trended downward due to increased spending on network security; 9/11 had a lot to do with this.
- Unfortunately it often takes bad things happening, or government regulation, for companies to spend money on security.
- Other big trends are decreases in widespread worms and more targeted attacks (see the Internet Storm Center).
- Also, more sophisticated and easier-to-use rootkits have been on the rise; they are much more difficult to detect.

Overview

1 - Why use IDS?
2 - IDS 101
3 - Design & Implementation
4 - Signatures
5 - Monitoring & Maintaining
6 - Skills and Tools
7 - Legal Issues
8 - Future & Conclusion


Buyer Beware

"IDS is dead" (April 2003, John Pescatore, VP Gartner Research)
- Reaction of security professionals vs. management

"Intrusion detection's permanent placement in the Trough of Disillusionment does not mean that it is obsolete." (July 2003)
- Marketing hype/spin vs. the real world

Notes:
- Managers bought this hook, line and sinker and started pushing IPS.
- Security geeks said in large numbers that Gartner was wrong.
- The major complaints about IDS were the cost of monitoring and the large number of false positives.

Buyer Beware

Things to consider prior to purchase:
- Hardware != Security
- Salespersons = Lies
- Lab results != Real-world results
- "The devil is in the details": read the contract details
- Bleeding edge vs. cutting edge

Notes:
- A machine will never replace an experienced security pro; lack of knowledge leads to poor tuning of sensors.
- Anything a salesman says is a lie until proven otherwise. Try to work with a sales engineer if one is available.
- Test results against real-world traffic are critical; the vendor should provide a test box free of charge.
- Technical people also need to review the support contract for details.
- First adopters are usually beta testers.

1.0 Why use IDS?

Protect the AIC (availability, integrity, confidentiality) of assets.

Outsider threats:
- Hackers/crackers want what you have: bandwidth, CPU cycles, data
- Malicious acts: denial of service, defacement, etc.
- Corporate espionage/sabotage

Insider threats:
- Disgruntled employees, work errors
- The insider threat fallacy

Notes:
- Companies that don't protect their infrastructure won't be in business long.
- Covert channel detection: data leaving the company.
- Who will guard the guardians? You want security people monitoring the system administrators.
- The insider is only "the greatest threat" because companies have spent their money defending against outsiders.
- Perimeter controls provide a false sense of security.
- Internal security controls often slow the business down.

1.1 Why use IDS?

Legal requirements:
- Must demonstrate due care / due diligence
- 3rd-party auditing > controls
- SOX (Sarbanes-Oxley) requires an audit trail
- Increasing privacy legislation: GLBA, HIPAA, California laws (SSN, breach notification)

Notes:
- The CEO and CIO are liable for protecting customer and employee data.
- Downstream liability is also a factor.
- Has anybody ever participated in an audit?
- Due to regulation, the cost of security is going up.
- Regulation also creates a bad image of security, where it is just a checkbox.

1.2 Why use IDS?

Benefits of IDS:
- Detection of ongoing attacks
- Prevention of pending attacks
- Enforcement of company policies
- Valuable forensic data

Shortcomings of IDS:
- Zero-day attacks, false positives, monitoring costs

Do a cost/benefit analysis; avoid "management think".

Notes:
- IDS provides correlation for firewall and router logs.
- The IDS log/console is much more security-focused and usable than firewall or router logs.
- Tuning is required, by someone who knows the environment.
- Not actively monitoring is an enormous problem, with legal consequences.
- CBA: a small company should run Snort; a large company would look for vendors with significant support features.
- Management think: nothing bad has happened yet, so why do we need it?

2.0 IDS 101

The primary goal of an IDS is to detect when computer/network resources are under attack.

Properly functioning systems exhibit the following traits (Denning):
- Actions of users/processes conform to statistically predictable patterns (violated by data theft)
- Actions of users/processes do not include commands used to subvert security (attack tools)
- Processes function according to their specifications (violated by rootkits)

Notes:
- While it has many functions, an IDS meets AIC goals through its primary goal of detecting attacks.
- To detect misuse you must first understand normal operations; this requires knowledge of the systems or networks.
- Examples of the first trait: FTP of corporate data; a payroll employee suddenly starts downloading customer data off the network.
- Examples of the second: a sequence of shell commands such as ping -> ping sweep; Metasploit mysteriously running on a server.
- Examples of the third: Task Manager shows only a subset of the running processes; netstat shows only a subset of the network connections.

2.1 IDS 101

A good IDS should do the following:
- Detect a wide variety of intrusions, originating from both outside and inside the network. Both known and unknown attacks should be detected.
- Detect intrusions in a timely fashion
- Present data in an easy-to-understand format
- Be accurate: limit false positives and false negatives

Notes:
- This suggests using both pattern matching and anomaly detection.
- Not necessarily real time, but it must allow for a fairly quick response.
- Color coding is often used (red/green); a stable user interface is also important with large amounts of log data.
- Define false positives and false negatives? A lot of overhead is associated with false positives, because everyone wants to err on the side of caution.

2.2 IDS 101

IDS modeling theory

Anomaly detection: compares observed behavior against expected values and reports mismatches.
- Thresholding: m < normal metric < n
- Statistical moments: mean and standard deviation over time, using forward weighting (IDES)
- Markov model: state transitions/histories based on sequences of commands rather than single events (TIM)

Notes:
- Assumes that unexpected behavior is an intrusion/misuse.
- Example: Windows logon failures; more than 3 failed attempts would be suspicious.
- The problem with thresholding is that you must determine static values; it is not real-time.
- IDES (Intrusion Detection Expert System), developed by SRI in 1987, added more flexibility but also more complexity.
- State transitions occur over time, based on past history; an event with a low probability of occurrence is anomalous, like a root account with a null password.
- TIM, developed by DEC, used time-based inductive learning: it looks at the data for an event, determines which sequences of events lead to the anomalous condition, and creates a rule for detecting it in the future (page 461). It is highly dependent on having good data.
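The three anomaly models above, worked through in code. This is an added example written for this page, not code from the original notes, and it is not IDES or TIM themselves: it applies the same ideas (a static threshold; an exponentially weighted mean and standard deviation so that recent samples carry more weight; first-order Markov transition probabilities over command sequences) to constructed sample data. The sample values, the alpha/k/warmup parameters and the command lists are assumptions chosen for illustration.

```python
"""Three anomaly-detection models from the slide, applied to constructed data.

Added example, not from the original notes:
  thresholding        -> static bounds, m < metric < n
  statistical moments -> exponentially weighted mean/std (forward weighting, IDES style)
  Markov model        -> transition probabilities over command sequences (TIM style)
"""
import math
from collections import defaultdict


def threshold_detector(values, low, high):
    """Indices of samples that fall outside the open interval (low, high)."""
    return [i for i, v in enumerate(values) if not (low < v < high)]


def moment_anomalies(values, alpha=0.2, k=3.0, warmup=5):
    """Indices where a sample lies more than k weighted standard deviations from the
    exponentially weighted mean built from earlier samples.

    alpha is the forward weighting: larger alpha forgets old samples faster.
    The first `warmup` samples only train the profile, because the variance
    estimate is unreliable until a few samples have been seen.
    """
    flagged = []
    mean, var, seen = None, 0.0, 0
    for i, x in enumerate(values):
        if mean is None:
            mean, seen = float(x), 1
            continue
        std = math.sqrt(var)
        if seen >= warmup and std > 0 and abs(x - mean) > k * std:
            flagged.append(i)
        diff = x - mean                       # update after scoring, so the sample is judged
        mean += alpha * diff                  # against the profile that existed before it
        var = (1 - alpha) * (var + alpha * diff * diff)
        seen += 1
    return flagged


class MarkovCommandModel:
    """First-order Markov model of command sequences.

    train() counts observed transitions prev -> next; unusual_transitions() reports
    transitions whose estimated probability is below min_prob, including transitions
    out of commands never seen in training (probability 0).
    """

    def __init__(self, min_prob=0.05):
        self.min_prob = min_prob
        self.counts = defaultdict(lambda: defaultdict(int))

    def train(self, commands):
        for prev, nxt in zip(commands, commands[1:]):
            self.counts[prev][nxt] += 1

    def prob(self, prev, nxt):
        row = self.counts.get(prev)           # .get() does not create an empty row
        if not row:
            return 0.0
        return row.get(nxt, 0) / sum(row.values())

    def unusual_transitions(self, commands):
        return [(prev, nxt) for prev, nxt in zip(commands, commands[1:])
                if self.prob(prev, nxt) < self.min_prob]


# Constructed: failed logons per hour; more than 3 in an hour is suspicious (slide note).
LOGON_FAILURES = [0, 1, 0, 2, 7, 0, 1]
# Constructed: MB downloaded per day by a payroll user, then a sudden bulk pull.
DAILY_DOWNLOAD_MB = [10, 12, 11, 9, 13, 10, 12, 11, 10, 12, 250]
# Constructed: a typical shell session, then a session that drifts into recon tooling.
NORMAL_SESSION = "ls cd ls cat ls cd vi ls cat cd ls cd ls cat".split()
SUSPECT_SESSION = "ls cd ping nmap ls".split()

if __name__ == "__main__":
    print("threshold:", threshold_detector(LOGON_FAILURES, -1, 4))   # [4]
    print("moments:  ", moment_anomalies(DAILY_DOWNLOAD_MB))          # [10]
    model = MarkovCommandModel()
    model.train(NORMAL_SESSION)
    print("markov:   ", model.unusual_transitions(SUSPECT_SESSION))
    # [('cd', 'ping'), ('ping', 'nmap'), ('nmap', 'ls')]
```

The threshold detector needs its bounds chosen by hand, which is the static-values problem the notes mention; the weighted-moments detector adapts as the profile drifts but needs a warm-up period before its variance means anything; the Markov model catches sequences that no single-event check would, at the cost of needing clean training data.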

2.3 IDS 101

IDS modeling theory, continued

Misuse detection: determines whether a sequence of instructions violates security (rule-based detection).
- Requires extensive knowledge of vulnerabilities
- Misses unknown attacks or variations of existing attacks

Notes:
- Primarily known as signature-based detection, also pattern matching; by far the most common.
- A huge rule base is needed and tuning is required.

2.4 IDS 101

IDS modeling theory, continued

Specification-based detection: determines whether a sequence of instructions violates a specification of a program or system.
- Based on known good states
- Example: rdist remote root exploit

Notes:
- Somewhat impractical, though, because every program/command would have to be formalized.
- rdist does remote updates of binaries; a flaw allowed rdist to modify permissions on files it didn't create, via a symbolic link.
- rdist would create a remote temporary file to be copied over the binary being updated; symbolically link that file to /bin/sh and it ends up setuid.
- A newer method, still being researched, but promising because it formalizes what should happen at a very low level.
- Detection was extremely quick: 0.06 seconds for rdist.

2.5 IDS 101

IDS components:
- Sensor (agent): collects raw data
- Analysis engine (director): preprocessing, anomaly and/or rule-based detection
- Alerting engine (notifier): takes a predefined action such as alarming, logging, or ignoring
- Monitoring & management interface (director)

Notes:
- Data could be network packets, syslog, or Windows event logs; the sensor will also discard data that is not relevant.
- Actions could include email or page, or an active response.
- The sensor and analysis engine are usually on an appliance and report back to a central management server.
- A poor management interface is a common problem, especially for updating signatures/policies.
- The monitoring interface is becoming irrelevant over time due to SIM correlation.

2.6 IDS 101

Types of IDS

Network IDS (NIDS):
- Promiscuous mode (layer 2)
- Signature based: known bad/good traffic; protocol & payload analysis
- Anomaly based (heuristics): baseline profile; learning algorithm & predefined

Notes:
- The interface listens to all traffic on the wire, not just frames addressed to its own MAC address. Everything is forwarded up to the next layer for analysis.
- Looks for protocol violations, like improper use of flags (e.g. an XMAS scan).
- Payload signatures are attack-specific or general: an IIS exploit vs. a shell passing across a high port, or network sweeps.
- Signature-based NIDS are by far the most common.
- Anomaly-based systems are supposed to be good at detecting zero-day attacks, so some companies use both.

2.7 IDS 101

Host-based IDS (HIDS):
- File/OS integrity
- Log parsing
- System calls (kernel hooks)
- Host-specific rules
- Resource impact & compatibility issues

Distributed IDS (DIDS):
- Central management, combined NIDS & HIDS
- Agent autonomy (AAFID)

Notes:
- Rootkit finders often detect HIDS kernel hooks, and AV software is starting to do this too, making them a big target for hackers; attacks against security software are on the rise.
- HIDS is ideal for your critical servers in a DMZ.
- Feeding HIDS information back to a central server makes monitoring much easier.
- Finding a vendor that supports every OS configuration you have can be challenging.
- Fault tolerant: no single failure should cause complete failure. AAFID = Autonomous Agents for Intrusion Detection.

2.8 IDS 101

Active vs. passive IDS

Passive = monitoring only
- Stealth mode

Active response
- A rule triggers a response on the firewall/router

Inline: Intrusion Prevention System
- Direct packet manipulation/blocking
- Point of failure; adds latency
- Many modes (e.g. non-blocking)

Notes:
- Stealth mode: listening NICs should not have IP addresses and should not respond to queries from other machines, not even ARP.
- Active response and IPS are often confused.
- IPS has not been successful in large, diverse environments; too much fear of blocking legitimate traffic.
- Most companies wait 1 year or longer to turn on the blocking feature.
- IPS still faces the same false-positive issues as IDS; its best selling point is defending against DDoS, but it is not there yet.
- Trending and blocking seems to be the only effective route, but it is not smart enough yet.

3. Design and Implementation

- Network placement
- Tapping
- Centralized management
- Installation

3.1 Design and Implementation

Network placement: consider the most critical assets.
- Outside perimeter
- Inside perimeter
- Application/server-specific zones
- Remote & vendor access / wireless zones
- HIDS on all mission-critical servers

Notes:
- The outside perimeter sensor is way too noisy; it is usually there for trending and verification.
- Also ensure you have identified every ingress and egress point on your network.
- The inside perimeter sensor will have a broad set of signatures; app/server-specific zones can be more finely tuned.
- Don't forget about wireless: only AES in Enterprise mode (RADIUS) is secure; best to use VPN authentication on top of wireless.
- Rule of thumb: if you lose money when the server goes down, then it needs HIDS.

3.2 Design and Implementation

(Network placement diagram; not reproduced here.)

Notes:
- Diagram: couldn't really find anything decent on Google, so I drew this one.
- Note the wireless AP location; it is logical. Physically they would be hanging off the distribution switch and routed as untrusted to the VPN server for strong authentication.
- The management VLAN is not shown; however, it should all be separate and reporting back to the central server on the internal network.

3.3 Design and Implementation

Connection strategies

Hub:
- Simple & cheap, SOHO
- Poor performance, reliability concerns (MTTF)

Notes:
- Easiest to implement; however, because a hub is shared media, it can lead to a high number of collisions and less throughput.
- Hubs are not designed for HA, though you can buy them that way. But if you're going to spend, you should buy a switch or tap.

3.4 Design and Implementation

Connection strategies, continued

Switch, SPAN port:
- No additional hardware; a software change only
- Limited SPAN ports, backplane bandwidth
- No visibility into packet errors

Notes:
- Switch Port Analyzer: set up by mirroring traffic from a range of ports or a VLAN to a specific port.
- Often gets messed up by techs doing troubleshooting for other issues.
- Oversized and undersized frames, and frames with CRC errors, are not forwarded to the SPAN port.

3.5 Design and Implementation

Connection strategies, continued

Hardware tap:
- Expensive; requires an additional NIC
- Fault tolerant to power failures
- No impact on traffic flow

Notes:
- Considered best practice for IDS; however, it can be pricey, especially for fiber taps.
- Snort.org and other resources are available for constructing your own tap at a fraction of the cost.

3.6 Design and Implementation

Appliance installation:
- Test first, make install notes
- Change default passwords, remove vendor access
- Verify surveillance network connectivity
- Configure to corporate standards
- Connect to the management server
- Apply relevant patches
- Update signatures
- Break-in period

Notes:
- Run tcpdump on the listening interface to verify you are seeing what you should; the tap could have been connected wrong.
- A lot of the time you will see only management traffic; that's a good bet your SPAN port is misconfigured.
- Generally a company or vendor will have a best-practice or install guide which includes several default settings.
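The verification step from the notes (tcpdump on the listening interface; management traffic only means the SPAN or tap is wrong), as an added example that is not from the original slides. It parses the default IPv4 text output of `tcpdump -n -i <iface>`, counts packets that touch an assumed management subnet versus everything else, and fails the check when nothing but management traffic is visible. The packet lines and the 10.99.0.0/24 management subnet are constructed, not captured.

```python
"""Check that a freshly tapped sensor sees monitored traffic, not just its own management traffic.

Added example, not from the original slides. Parses tcpdump's default IPv4 text output
(`tcpdump -n -i <listening_iface>`) and reports whether any packet outside the management
subnet is visible. All packet lines below are constructed.
"""
import ipaddress
import re

# tcpdump -n prints lines such as:
#   "10:00:02.000000 IP 192.168.10.15.51234 > 172.16.4.8.80: Flags [S], seq 0, ..."
#   "10:00:03.000000 IP 192.168.10.15 > 172.16.4.9: ICMP echo request, ..."
# IPv4 only; the trailing ".port" is optional (ICMP has none). ARP and IPv6 lines are skipped.
_PKT = re.compile(
    r"^\S+ IP (\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)? > (\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?[:,]"
)


def flows_from_tcpdump(lines):
    """Yield (src_ip, dst_ip) for every IPv4 packet line; anything else is ignored."""
    for line in lines:
        m = _PKT.match(line)
        if m:
            yield m.group(1), m.group(2)


def span_check(lines, mgmt_net):
    """Classify visible packets as management (src or dst inside mgmt_net) or monitored.

    Returns (monitored, mgmt, ok). ok is False when the sensor sees nothing beyond its
    own management subnet, the symptom of a misconfigured SPAN session or a tap that is
    connected to the wrong link.
    """
    net = ipaddress.ip_network(mgmt_net)
    monitored = mgmt = 0
    for src, dst in flows_from_tcpdump(lines):
        if ipaddress.ip_address(src) in net or ipaddress.ip_address(dst) in net:
            mgmt += 1
        else:
            monitored += 1
    return monitored, mgmt, monitored > 0


# Constructed sample: the sensor's management interface lives in 10.99.0.0/24 (assumed).
MGMT_NET = "10.99.0.0/24"
MGMT_ONLY = [
    "10:00:00.000001 IP 10.99.0.20.22 > 10.99.0.5.50122: Flags [P.], seq 1:101, ack 1, win 501, length 100",
    "10:00:00.000321 IP 10.99.0.5.50122 > 10.99.0.20.22: Flags [.], ack 101, win 64240, length 0",
    "10:00:01.000000 ARP, Request who-has 10.99.0.1 tell 10.99.0.20, length 28",
]
WITH_MONITORED = MGMT_ONLY + [
    "10:00:02.000000 IP 192.168.10.15.51234 > 172.16.4.8.80: Flags [S], seq 0, win 65535, length 0",
    "10:00:02.000500 IP 172.16.4.8.80 > 192.168.10.15.51234: Flags [S.], seq 0, ack 1, win 29200, length 0",
    "10:00:03.000000 IP 192.168.10.15 > 172.16.4.9: ICMP echo request, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    for label, sample in (("mgmt only", MGMT_ONLY), ("tap ok", WITH_MONITORED)):
        monitored, mgmt, ok = span_check(sample, MGMT_NET)
        print(f"{label}: monitored={monitored} mgmt={mgmt} -> {'OK' if ok else 'CHECK SPAN/TAP'}")
```

On a stealth sensor the listening interface has no IP address, so in a correct setup management traffic should not appear on it at all; if it does, the management and surveillance interfaces may have been swapped, which this check also surfaces as a high mgmt count with zero monitored packets.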

3.7 Design and Implementation

Snort installation

Hardware selection:
- Dependent on the network and requirements
- CPU, memory, network card, storage

OS selection:
- Cost / support contracts / company rules
- Linux, Solaris, BSD, even Windows & OS X
- Go with what you know

Notes:
- There is no set standard; however, the bigger the network you are monitoring, the faster the CPU you will need, plus more bandwidth and more storage.
- For Snort, it seems at least a gig of RAM is required to run the bulk of the rule base; however, there is a low-memory runtime option.
- According to benchmarking, the Linux 2.6 kernel came out ahead in TCP/IP stack performance.

3.8 Design and Implementation

OS hardening

Don't install a GUI or unnecessary services:
- KDE/GNOME and development tools
- Games / multimedia / office applications
- Help and support docs

Kernel tuning: remove devices that are not used
Remove virtual consoles (tty<x>)
Remove the compiler

Notes:
- Not installing GNOME or KDE saves disk space and boot time; you don't need things like OpenOffice or any desktop tools.
- Linux uses sysctl, but you can look in /proc/sys to edit things manually.
- Virtual consoles are defined in /etc/inittab; all of them load even if you don't use them.
- The last step would be to remove the compiler after the install.

3.9 Design and Implementation

Other options

Secure Linux distros:
- SELinux, Bastille, Immunix, Knoppix, Phlack

Live CDs:
- Distrowatch.com, Auditor > Backtrack

VMware: virtual appliances

3.10 Design and Implementation

Snort installation
- libpcap and libpcre required
- Apache/MySQL, PostgreSQL, Oracle, MS-SQL

From source:
- tar -zxvf <package>: uncompresses the files
- ./configure: script that determines your environment
- make: compiles the code from the makefile
- make install: distributes the binaries to their directories

Notes:
- Very important to review the install documentation.
- The best part of compiling from source is that the binaries are custom to your machine, much more efficient than a Windows install.
- The configure command has a lot of options, none more important than --with-mysql=DIR and --enable-dynamicplugin.

3.11 Design and Implementation

Installing via a package manager:
- apt-get install snort (Debian)
- up2date -i snort (Red Hat)
- yum install snort (RPM)
- yast -i <rpm_path> (SUSE)
- pkg_add / pkgadd <source_path> (BSD, Solaris)
- emerge snort (Gentoo)

Nice site: http://rpmfind.net/

Notes:
- The package manager can also install dependencies for you.


3.12 Design and Maintenance

Install Questions?
  Which interface will snort listen on
    eth0, bond0, int0
    Channel Bonding
  Specify Trusted or Home network range
    192.168.0.0/16, Any
  Who should receive daily mails
    root@localhost, etc

- On a tapping configuration you have two interfaces, one listening in each direction, which requires a bonding port (ethernet channel bonding)
- May differ on various OSes: set up an alias for bond0 and then make bond0 the master of the other two interfaces, /etc/sysconfig/network-scripts/ifcfg-ethXX


3.13 Design and Maintenance

Download rules
  VRT Rule base
    http://www.snort.org/pub-bin/downloads.cgi
  Bleeding-Snort Rule base
    http://www.bleedingthreats.net/rules/
  Disable unnecessary rules
  Example Classes:
    backdoor, bad-traffic, chat, dos, ddos, dns, exploit, finger, ftp, icmp, imap, local, mysql, netbios, oracle, p2p, policy, pop3, porn, rpc, scan, shellcode, smtp, sql, telnet, tftp, virus, web-attacks

- VRT rule base requires registration for the 5-day-old releases
- Bleeding Snort has less testing and more FPs; most admins run both though
- Just extract to /etc/snort/rules if doing it manually
- Local is where you keep all your custom signatures


3.14 Design and Implementation

Edit /etc/snort/snort.conf
  Define variables
    HTTP_PORTS, EXTERNAL_NET, etc
  Define path to rules, select rule libraries
  Select Pre-Processors, stream4_reassemble
  Output-Plugins -> Mysql
Test snort
  >snort -T -c /etc/snort/snort.conf

- ORACLE_PORTS, SSH_PORT, DNS_SERVERS
- Stream4 will reassemble fragmented packets before rules are applied; it also maintains state
- To use the mysql option, you need to create a group snort and a user snort with a nologin shell, and grant permissions on the snort db
- Also use the scripts from source to create the database schemas


3.15 Design and Implementation

Important Command-Line switches
  -A <alert> full, fast, or none
  -b logs in tcpdump format
  -c specifies snort.conf
  -D daemon mode
  -I interface
  -l logging directory
  -T testing mode

- -v option for verbose as always; a lot of options are similar to tcpdump because snort functions as a sniffer also
- Alert option may cause problems with mysql logging


3.16 Design and Implementation

Preprocessors
  Stream4 is very powerful
    Detect_scans, non normal TCP handshakes
    Detect_state_problems, MS issues
    Evasion_alerts, overlapping segments, syn data
    Ttl_limit, session limit on ttl values
  Frag2 – rebuilds fragments, detects frag dos
  http_inspect – normalizes URLs, directory traversal, apache/iis profile

- Ack scans, Syn scans, XMAS scans, FIN scans
- During a session, if the TTL value of a single packet is set shorter than the others it may be a recon attempt; ttl_limit is the max difference tolerated
- Frag2 was written in response to fragroute; certain OSes have IP stack problems that cause DoS conditions
- http_inspect will look for unicode and double decode issues, also ascii in utf_8, base36


3.17 Design and Implementation
Success

- Daemon mode, add int name to alerts, layer2 packet headers


4.0 Signatures

Match patterns in network traffic
Snort Signature Structure

[Diagram: Rule Header (Rule Action, Protocol, SourceIP, DestIP) followed by the Rule Body]


4.1 Signatures

Rule Action
  Alert, Log, Pass, Activate, Dynamic
Rule Ordering
  Alert > Pass > Log
  Most specific rule fires
    Port or IP information
    URI content > content
    Longer Strings
    ICMP itype
    Same rule, whichever is first

• Alert = Alert + Log; Pass will allow the traffic through without further matching
• Pass is used when you have a few specific servers that are generating a lot of FPs
• Rule of thumb: when the FPs outweigh the number of real hits, it's time for a pass rule
• Rule order can be changed using the -o option on the cmd line, or config order in snort.conf


4.2 Signatures

Rule Actions Continued
  Activate/Dynamic are being phased out
    activate tcp any any -> any 143 (content:"|E8C0FFFFFF|/bin"; activates: 1;)
    dynamic tcp any any -> any 143 (activated_by:1; count:5;)
  Tagging
    alert tcp any any -> any 23 (tag:session,10,seconds;)
    Tag: <type>, <count>, <metric>, [direction]

• Activate will call a dynamic signature; sigs with the dynamic action are only called by activate rules
• This example will simply log 5 more packets after it fires; being phased out for tagging
• Type = session or host; if host, metric = seconds or packets, direction = src or dst


4.3 Signatures

Rule Content
  MSG
    alert tcp any any -> any 12345 (msg:"Test Message";)
  ASCII Content, nocase
    alert tcp any any -> any any (content: "/etc/passwd"; nocase; msg:"/etc/passwd Accessed";)
  Binary Content
    alert tcp any any -> any any (content: "|0000 0101 EFF|"; msg:"Searching for Binary data";)

- Binary matching is faster, so choose that over ASCII if possible


4.4 Signatures

Rule Content Continued
  Depth Option
  Offset Option
  Flow Control Option

  alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR NetBus Pro 2.0 connection established"; flow:from_server,established; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8;)

- Depth option specifies how many bytes into the packet to analyze
- Offset option specifies at what byte location to start searching in a packet
- to_client/from_client, to_server/from_server and established define packet direction by a client-to-server relationship


4.4 Signatures

Rule Content Continued
  PCRE – Perl Compatible Regular Expression
  Syntax
    pcre:[!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUB]";
  Sample
    alert tcp any any -> any 23 (content:"snort"; pcre:"/\s+\d+\.\d+\.\d+/R";)

- Very powerful, allows for matching almost any pattern
- \s = whitespace, \d = digits, / = delimiter, R = relative match, so immediately follows
- Looks for Snort 2.4.1 in a data packet
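The content, nocase, depth, offset and pcre options from the last three slides, worked as an added Python example (not Snort's code or the author's): a small parser for the rule text plus a matcher that applies those checks to a payload, run against the slides' own NetBus, /etc/passwd and pcre sample rules. Assumed simplifications: only these options affect matching (msg, flow, sid and the rest are parsed and ignored), and offset/depth are absolute, so a content is searched for within payload[offset : offset + depth].

```python
"""Minimal Snort-style rule parser and matcher (added example, not Snort's code).
Covers only what the slides show: the rule header, content with |hex| parts,
nocase, offset, depth and pcre with the R modifier.  offset/depth are absolute
as in Snort: a content is searched for within payload[offset : offset+depth]."""
import re

HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|activate|dynamic)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+'
    r'(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$',
    re.S)
PCRE_RE = re.compile(r'^/(?P<regex>.*)/(?P<mods>[ismxAEGRUB]*)$', re.S)
PCRE_MODS = {'i': re.I, 's': re.S, 'm': re.M, 'x': re.X}   # perl mods Python also has


def content_bytes(spec: str) -> bytes:
    """'BN|10 00 02 00|' -> b'BN\\x10\\x00\\x02\\x00': text outside |..| is
    literal, text inside is hex pairs (spaces optional)."""
    parts = spec.split('|')
    return b''.join(p.encode('latin-1') if i % 2 == 0 else bytes.fromhex(p)
                    for i, p in enumerate(parts))


def split_options(body: str) -> list:
    """Split the rule body on ';' but not inside double quotes."""
    opts, cur, quoted = [], '', False
    for ch in body:
        quoted ^= (ch == '"')
        if ch == ';' and not quoted:
            opts.append(cur.strip())
            cur = ''
        else:
            cur += ch
    return opts + ([cur.strip()] if cur.strip() else [])


def parse_rule(text: str) -> dict:
    """Header fields, msg, and 'tests': the ordered content/pcre checks."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('bad rule header: ' + text)
    rule = {k: v for k, v in m.groupdict().items() if k != 'body'}
    rule['msg'], rule['tests'] = '', []
    for opt in split_options(m['body']):
        name, _, value = opt.partition(':')
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == 'msg':
            rule['msg'] = value
        elif name == 'content':
            rule['tests'].append({'kind': 'content', 'pat': content_bytes(value),
                                  'offset': 0, 'depth': None, 'nocase': False})
        elif name in ('offset', 'depth') and rule['tests']:
            rule['tests'][-1][name] = int(value)     # modifies the preceding content
        elif name == 'nocase' and rule['tests']:
            rule['tests'][-1]['nocase'] = True
        elif name == 'pcre':
            pm = PCRE_RE.match(value)
            if not pm:
                raise ValueError('unsupported pcre syntax: ' + value)
            flags = 0
            for c in pm['mods']:
                flags |= PCRE_MODS.get(c, 0)        # Snort-only mods (A E G U B) ignored
            rule['tests'].append({'kind': 'pcre', 'relative': 'R' in pm['mods'],
                                  'regex': re.compile(pm['regex'].encode('latin-1'), flags)})
    return rule


def matches(rule: dict, payload: bytes) -> bool:
    """Run the checks in order; a pcre with R starts where the last match ended."""
    cursor = 0
    for t in rule['tests']:
        if t['kind'] == 'content':
            start = t['offset']
            end = len(payload) if t['depth'] is None else start + t['depth']
            window, pat = payload[start:end], t['pat']
            if t['nocase']:
                window, pat = window.lower(), pat.lower()
            idx = window.find(pat)
            if idx < 0:
                return False
            cursor = start + idx + len(pat)
        else:
            pm = t['regex'].search(payload, cursor if t['relative'] else 0)
            if not pm:
                return False
            cursor = pm.end()
    return True


# The three sample rules from the slides above.
NETBUS_RULE = ('alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR NetBus Pro 2.0 '
               'connection established"; flow:from_server,established; '
               'content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8;)')
PASSWD_RULE = 'alert tcp any any -> any any (content:"/etc/passwd"; nocase; msg:"/etc/passwd Accessed";)'
VERSION_RULE = r'alert tcp any any -> any 23 (content:"snort"; pcre:"/\s+\d+\.\d+\.\d+/R";)'
```

Feeding a constructed payload such as b'BN\x10\x00\x02\x00\x00\x00\x05\x00' to matches(parse_rule(NETBUS_RULE), ...) fires, while the same bytes with the |05 00| one byte earlier do not, which is the offset/depth window at work.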


4.5 Signatures

Rule Content Continued
  IP, TCP, ICMP options
  SID Values
    < 100 is future use
    100 <> 1,000,000 VRT
    > 1,000,000 custom rules
  Rev Number, Severity, Classtype, References
    alert tcp any any -> any 31337 (rev:2; priority:1; msg:"Netbus Detected"; classtype:trojan-activity; reference:CVE,CAN-2002-1010; reference:URL,www.poc2.com;)

- IP = TTL, ToS, fragbits; TCP = flags, sequence numbers; ICMP = icode, itype
- References are huge; they allow for much quicker analysis of traffic


5.0 Monitoring & Maintaining

Preparation
Identification
Containment & Eradication
Recovery & Follow-up
Maintaining

- Key areas for successful IDS implementation


5.1 Monitoring & Maintaining

Preparation
  Define procedures & policies first
  Know the network, know the assets
  Establish a standard toolkit
  Contact lists are crucial
  Security specific training

- Very common to throw policy out the window in a crisis; don't do it, fear the after action review
- The bigger the network, the more impossible it becomes to know everything
- You want commonality in your tools; they must be accurate, and you don't want to have to search for a tool on the fly
- Hours can be saved by identifying the key groups in advance
- IT expertise doesn't mean security expertise


5.2 Monitoring & Maintaining

Identification
  What is an incident?
    Unauthorized Access
    Malicious Code – Viruses/Worms/Spyware
    Denial of Service
    Data Theft/Misuse
  Passive vs. Active monitoring
  Passive tool – Honeypots
  Attacker goals unknown
  Document everything

- Scanning is generally not considered an incident; legality varies by country, and in the US it must cause damage to be considered a crime; wireless bandwidth theft is a new area of legal contention. Ultimately a company needs to define for itself what an incident is.
- Passive monitoring simply records the actions and does not interfere; favorite of the FBI and most likely to lead to prosecution
- Active monitoring makes every possible effort to constrain the attacker, like block rules
- Never hack back; it usually ends up targeting another compromised machine and hurts any legal efforts
- Honeypots are decoy servers imitating vulnerable servers in order to entice attackers; legality is questionable
- When in doubt write it down; more information is always better, and timestamp data is often critical


5.3 Monitoring & Maintaining

Containment & Eradication
  Limit damage, Stop attack
    Firewall rules, router ACLs, mail & web filtering
    Isolate networks, disconnect machines
    Patching, Cleaning, & Reimaging
Recovery & Follow-up
  100% Normal operations
  RCA and reporting

- Stop the problem at the perimeter; also consider IM and p2p software; AV walls are common now
- Isolate infected networks or machines via switches, switch ports
- Critical to test the patch first; it may make the problem worse
- If on backup, primaries are back online. Lost data restored. Systems should be hardened or brought into compliance
- Root Cause Analysis must be done or else the same problem will occur again
- Reporting should be done for awareness; learn from mistakes


5.4 Monitoring & Maintaining

Snort Monitoring Tools
  Acid, Base, Sguil, SnortSnarf, Aanval, OSSIM
Ideal Features
  Stable & Accurate
  Streaming Alerts
  Trending of data
  Correlation of data
  Raw data and/or payload information
  Report capability

- All of these are free solutions
- Tool must be responsive to queries
- Web based versus client needs to be considered
- Trending done on networks, IP addresses, ports, protocol, and signature
- Correlation done between sensors and other network devices
- Unprocessed data can sometimes reveal key information
- Reports are nice eye candy for management


5.5 Monitoring & Maintenance

Keeping your sensors up to date
  Trusted sources & File integrity
  Automatic backups and updates
  Updating Rules
    Merging vs. Overwriting
    Oinkmaster/IDSCenter
    Testing rules
    Change control
  Security Mailing lists

- Make sure the mirror you are using for updates is trustworthy. Validate md5 hashes before installing.
- Autoupdates are probably not good if you don't back up daily; you need a backup in case an upgrade goes south
- With snort you don't really apply patches; each release overwrites the previous one
- It takes a lot of work to go through all the rules and mark which ones you want enabled/disabled
- Oinkmaster will check for new rules, allow you to comment out the ones you don't want, and present new ones for merging
- The -c option will just report on new rules, not update; the -b option will do a backup first
- After a big rules update the performance of the sensor could be affected (top, perfmonitor)
- Also test to make sure a rule actually triggers; this requires tools like packet crafters (snot or sneeze) or tcpreplay
- If you want to compile and run an actual exploit, vmware is a good option


6.0 Skills and Tools

Staged Hack Scenario
Packet Capturing/Sniffing
  Tcpdump, Wireshark (Ethereal)

- Not just security related, but essential for any network troubleshooting
- Before running tcpdump make sure to run ifconfig -a to see which adapter to sniff on


6.1 Skills and Tools

Basic Network Reconnaissance
  Ping, traceroute, nslookup – Cyberkit


6.2 Skills and Tools

Whois – Arin, Ripe, Apnic, Lacnic, Afrinic
Google hacking


6.3 Skills and Tools

Nmap – Port/OS enumeration
  nmap -sS -O -T5 -F -P0 <host or ip>
  telnet host port


6.4 Skills and Tools

Nessus – Vulnerability Scan


6.5 Skills and Tools

Metasploit – Exploit Tool


7.0 Legal Issues

Internally
  Policy is key, must be available and understood
  Letter of Authorization
  Be aware of Chain of Custody
  Uniform monitoring of traffic/logs
  Consult Legal department

- Policy should state, at minimum, that all communication is being monitored
- Users should have to read and consent prior to working there
- Even if your job description is specific, an LOA is still a good idea
- If you act for law enforcement you are an agent of the government and subject to chain of custody requirements
- Cannot pick and choose who you monitor; must demonstrate that it is standard practice that all traffic is being monitored


7.1 Legal Issues

Wiretap Act – real-time interception
Pen/Trap Act – real-time headers
  Pen Registers & Trap\Trace devices
ECPA – stored emails, voicemails
  Requires consent, court order/subpoena
  Providers/Sys Admin Exception
  Computer Trespasser Exception
Sox – data retention – ISO17799

- First done for phone lines, but also applies to packet headers
- Pen is outgoing data, trap/trace is incoming data
- ECPA also distinguishes between content and addressing information; covers email and voicemail


7.2 Legal Issues

Reporting to LEA
  5K in damages, includes response and restoration
  Local Law Enforcement
  FBI, infragard.net, RCFL
  Secret Service
  DHS Hotline, infrastructure
  Cybercrime.gov

- You can also aggregate losses to reach 5K; the cost is counted over 1 year


8.0 Future & Conclusion

Current Trends
  IDS/IPS moving towards SIM
  More integration, DPI firewalls
  Security at the switch/host – NAC
  Wireless IDS
Further Reading
  Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Newsham/Ptacek
  http://crypto.stanford.edu/cs155/IDSpaper.pdf
Great Resources
  http://www-static.cc.gatech.edu/~wenke/ids-readings.html
  http://www.snort.org/docs/


8.1 Future & Conclusion

Summary – Key Concepts
  IDS Modeling Theory
  IDS Placement & Implementation
  IDS Monitoring & Maintaining
  Effective AIC Tool

Questions?


References

Beale, Jay (2004). "Snort 2.1 Intrusion Detection, 2nd Edition". Syngress Publishing, Rockland, MA.
2006 CSI/FBI Computer Crime and Security Survey. Available from http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf
Bishop, Matt (2005). "Introduction to Computer Security". Addison Wesley, Boston, MA.
Laing, Brian (2000). "How To Guide for implementing NIDS". Internet Security Systems, http://www.snort.org/docs/iss-placement.pdf