Intrusion Detection Essentials with Snort Primer
Paul Jaramillo, CISSP, GCFA
EECS 710: Information Security & Assurance
University of Kansas
Electrical Engineering & Computer Science
[email protected]


11/3/2006 – University of Kansas – EECS 710 – Intrusion Detection Essentials with Snort Primer

Problem Statement

Faced with ever-growing malicious threats to network and computer assets, IT personnel are charged with protecting the confidentiality, integrity, and availability of their employer's data. The 2006 FBI/CSI Computer Crime survey reported that 52% of its respondents had been the victim of a security breach in the previous year. A key mechanism for preventing and detecting cyber attacks is the Intrusion Detection System (IDS). This presentation outlines IDS principles and details how the open source IDS Snort may be used to increase assurance in your system's security.


Overview

1 – Why use IDS?
2 – IDS 101
3 – Design & Implementation
4 – Signatures
5 – Monitoring & Maintaining
6 – Skills and Tools
7 – Legal Issues
8 – Future & Conclusion


Buyer Beware

"IDS is dead" – April 2003
- John Pescatore, VP Gartner Research
- Reaction of Security Professionals vs. Mgmt

"Intrusion detection's permanent placement in the Trough of Disillusionment does not mean that it is obsolete." – July 2003
- Marketing Hype/Spin vs. Real World


Buyer Beware

Things to consider prior to purchase
- Hardware != Security
- Salespersons = Lies
- Lab Results != Real World Results
- "The Devil is in the details", contract details
- Bleeding Edge vs. Cutting Edge


1.0 Why use IDS?

Protect the AIC of Assets
Outsider Threats –
- Hackers/Crackers want what you have: Bandwidth, CPU cycles, Data
- Malicious acts – Denial of Service, Defacement, etc.
- Corporate Espionage/Sabotage
Insider Threats –
- Disgruntled employees, work errors
- Insider Threat Fallacy


1.1 Why Use IDS?

Legal Requirements
- Must Demonstrate Due Care/Due Diligence
- 3rd party auditing > controls
- SOX – Sarbanes-Oxley requires audit trail
- Increasing privacy legislation: GLBA, HIPAA, California Laws (SSN, Notification)


1.2 Why Use IDS?

Benefits of IDS
- Detection of ongoing attacks
- Prevention of pending attacks
- Enforce company policies
- Valuable forensic data
Shortcomings of IDS
- Zero Day Attacks, False Positives, Monitoring Costs
Cost/Benefit Analysis, Avoid "Mgmt Think"


2.0 IDS 101

Primary goal of IDS is to detect when computer/network resources are under attack.
Properly functioning systems exhibit the following traits (Denning):
- Actions of users/processes conform to statistically predictable patterns (data theft)
- Actions of users/processes do not include commands used to subvert security (attack tools)
- Actions of processes function according to specifications (rootkits)


2.1 IDS 101

A good IDS should do the following:
- Detect a wide variety of intrusions: originating from both outside and inside the network; both known and unknown attacks should be detected.
- Detect intrusions in a timely fashion
- Present data in an easy to understand format
- Be Accurate: limit false positives and false negatives


2.2 IDS 101

IDS Modeling Theory
Anomaly detection – compares against expected values, reports mismatches
- Thresholding – (m < Normal Metrics < n)
- Statistical Moments – mean & std deviation over time using forward weighting (IDES)
- Markov Model – State transitions/histories based on sequences of commands and not single events (TIM)
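The three anomaly models above, worked through in code as an added example that is not from the slides: thresholding, an exponentially forward-weighted mean and standard deviation standing in for the IDES statistical moments, and a first-order Markov model over command sequences in the TIM manner. The login-failure counts, alpha, k, threshold bounds and command histories are all constructed for illustration.

```python
import math


def threshold_check(value, m, n):
    """Thresholding: a metric is normal only while m < value < n."""
    return m < value < n


class ForwardWeightedMoments:
    """Statistical moments in the IDES style: a running mean and standard
    deviation where recent observations outweigh old ones (exponential
    forward weighting).  alpha (weight of the newest sample) and
    min_samples (warm-up before scoring) are assumed tuning values."""

    def __init__(self, alpha=0.2, min_samples=3):
        self.alpha, self.min_samples = alpha, min_samples
        self.mean, self.var, self.n = None, 0.0, 0

    def update(self, x):
        self.n += 1
        if self.mean is None:            # first observation seeds the profile
            self.mean = float(x)
            return
        diff = x - self.mean
        self.mean += self.alpha * diff
        # exponentially weighted variance recurrence
        self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)

    def zscore(self, x):
        sd = math.sqrt(self.var)
        if sd == 0.0:
            return 0.0 if x == self.mean else float("inf")
        return (x - self.mean) / sd

    def is_anomalous(self, x, k=3.0):
        """Mismatch = more than k std deviations from the weighted mean.
        Nothing is scored until the profile has seen min_samples values."""
        if self.n < self.min_samples:
            return False
        return abs(self.zscore(x)) > k


class CommandMarkovModel:
    """Markov model in the TIM style: learns which command follows which,
    so a history is judged by its transitions, not by single events."""

    def __init__(self):
        self.counts = {}                 # prev command -> {next command: count}

    def train(self, sequences):
        for seq in sequences:
            for prev, nxt in zip(seq, seq[1:]):
                row = self.counts.setdefault(prev, {})
                row[nxt] = row.get(nxt, 0) + 1

    def transition_prob(self, prev, nxt):
        row = self.counts.get(prev)
        return row.get(nxt, 0) / sum(row.values()) if row else 0.0

    def log_likelihood(self, seq):
        """Sum of log transition probabilities; -inf when a transition was
        never seen in training, the clearest kind of mismatch."""
        total = 0.0
        for prev, nxt in zip(seq, seq[1:]):
            p = self.transition_prob(prev, nxt)
            if p == 0.0:
                return float("-inf")
            total += math.log(p)
        return total


# Constructed sample data: failed logins per minute, then shell histories.
LOGIN_FAILURES = [10, 11, 9, 10, 11, 10, 11, 40]
TRAINING_HISTORIES = [["ls", "cd", "ls", "cat"], ["cd", "ls", "cat", "exit"]]
TEST_HISTORIES = [["cd", "ls", "cat"], ["cat", "ls"]]


def run_demo(threshold=(0, 20), k=3.0):
    """Return the observations each model reports as mismatches."""
    flagged = {"threshold": [], "moments": [], "markov": []}
    moments = ForwardWeightedMoments()
    for i, v in enumerate(LOGIN_FAILURES):
        if not threshold_check(v, *threshold):
            flagged["threshold"].append(i)
        if moments.is_anomalous(v, k):
            flagged["moments"].append(i)
        moments.update(v)                # the profile keeps learning
    markov = CommandMarkovModel()
    markov.train(TRAINING_HISTORIES)
    for seq in TEST_HISTORIES:
        if markov.log_likelihood(seq) == float("-inf"):
            flagged["markov"].append(seq)
    return flagged


if __name__ == "__main__":
    print(run_demo())
```

Note that the moments profile keeps updating after the spike, so a slow ramp rather than a jump would drag the baseline along with it; that drift is the classic weakness of a learning baseline.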


2.3 IDS 101

IDS Modeling Theory Continued
Misuse detection – determines whether a sequence of instructions violates security (rule-based detection)
- Requires extensive knowledge of vulnerabilities
- Unknown attacks or variations of existing attacks are not detected


2.4 IDS 101

IDS Modeling Theory Continued
Specification-based detection – determines if a sequence of instructions violates a specification of a program or system
- Based on known good states
- Example – rdist remote root exploit


2.5 IDS 101

IDS Components
- Sensor (Agent) – collects raw data
- Analysis Engine (Director) – preprocessing, anomaly and/or rule-based detection
- Alerting Engine (Notifier) – takes predefined action like alarming, logging, or ignoring
- Monitoring & Mgmt interface (Director)


2.6 IDS 101

Types of IDS
Network IDS (NIDS)
- Promiscuous Mode – layer 2
- Signature based – known bad/good traffic: Protocol & Payload analysis
- Anomaly based (heuristics) – baseline profile: Learning algorithm & predefined


2.7 IDS 101

Host-based IDS (HIDS)
- File/OS Integrity
- Log Parsing
- System Calls (Kernel Hooks)
- Host Specific Rules
- Resource impact & Compatibility issues
Distributed IDS (DIDS)
- Central Mgmt, combined NIDS & HIDS
- Agent Autonomy (AAFID)


2.8 IDS 101

Active vs. Passive IDS
Passive = monitoring only
- Stealth Mode
Active Response
- Rule triggers response on firewall/router
Inline – Intrusion Prevention System
- Direct packet manipulation/blocking
- Point of Failure/Adds Latency
- Many modes (e.g. Non-Blocking)


3. Design and Implementation

- Network Placement
- Tapping
- Centralize Management
- Installation


3.1 Design and Implementation

Network Placement
Consider most critical assets
- Outside Perimeter
- Inside Perimeter
- Application/Server specific zones
- Remote & Vendor Access/Wireless zones
- HIDS on all mission critical servers


3.2 Design and Implementation


3.3 Design and Implementation

Connection Strategies
Hub
- Simple & Cheap, SOHO
- Poor performance, high MTTF


3.4 Design and Implementation

Connection Strategies Continued
Switch, SPAN port
- No additional hardware, software change
- Limited span ports, backplane bandwidth
- No visibility to packet errors


3.5 Design and Implementation

Connection Strategies Continued
Hardware Tap
- Expensive, requires additional NIC
- Fault tolerant to power failures
- No traffic flow impact


3.6 Design and Implementation

Appliance installation
- Test first, make install notes
- Change default passwords, remove vendor access
- Verify surveillance network connectivity
- Configure to corporate standards
- Connect to mgmt server
- Apply relevant patches
- Update signatures
- Break-In period


3.7 Design and Implementation

Snort Installation
Hardware Selection
- Dependent on network and requirements
- CPU, memory, network card, storage
OS Selection
- Cost/Support Contracts/Company rules
- Linux, Solaris, BSD, even Windows & OS X
- Go with what you know


3.8 Design and Implementation

OS Hardening
Don't install GUI or unnecessary services
- KDE/GNOME and Development
- Games/Multimedia/Office Applications
- Help and Support Docs
Kernel tuning, remove devices not used
- Remove virtual consoles (tty<x>)
- Remove the compiler


3.9 Design and Implementation

Other Options
Secure Linux Distros
- SELinux, Bastille, Immunix, Knoppix, Phlack
Live CDs
- Distrowatch.com, Auditor > Backtrack
VMWare – virtual appliances


3.10 Design and Implementation

Snort installation
- Libpcap and Libpcre required
- Apache/MySql, PostgreSql, Oracle, MS-SQL
From source
- tar -zxvf <package>; uncompresses files
- ./configure; script that determines your environment
- make; compiles code from makefile
- make install; distributes binaries to directory


3.11 Design and Implementation

Installing via Package Manager
> apt-get install snort (debian)
> up2date -i snort (redhat)
> yum install snort (rpm)
> yast -i <rpm_path> (suse)
> pkg_add/pkgadd <source_path> (bsd, solaris)
> emerge snort (gentoo)
Nice site: http://rpmfind.net/


3.12 Design and Maintenance

Install Questions?
Which interface will snort listen on
- eth0, bond0, int0
- Channel Bonding
Specify Trusted or Home network range
- 192.168.0.0/16, Any
Who should receive daily mails
- root@localhost, etc


3.13 Design and Maintenance

Download rules
- VRT Rule base: http://www.snort.org/pub-bin/downloads.cgi
- Bleeding-Snort Rule base: http://www.bleedingthreats.net/rules/
Disable unnecessary rules
Example Classes:
- backdoor, bad-traffic, chat, dos, ddos, dns, exploit, finger, ftp, icmp, imap, local, mysql, netbios, oracle, p2p, policy, pop3, porn, rpc, scan, shellcode, smtp, sql, telnet, tftp, virus, web-attacks


3.14 Design and Implementation

Edit /etc/snort/snort.conf
- Define variables: HTTP_PORTS, EXTERNAL_NET, etc
- Define path to rules, select rule libraries
- Select Pre-Processors, stream4_reassemble
- Output-Plugins -> Mysql
Test snort
> snort -T -c /etc/snort/snort.conf


3.15 Design and Implementation

Important Command-Line switches
- -A <alert> full, fast, or none
- -b logs in tcpdump format
- -c specifies snort.conf
- -D daemon mode
- -i interface
- -l logging directory
- -T testing mode


3.16 Design and Implementation

Preprocessors
Stream4 is very powerful
- detect_scans, non-normal TCP handshakes
- detect_state_problems, MS issues
- evasion_alerts, overlapping segments, SYN data
- ttl_limit, session limit on ttl values
Frag2 – rebuilds fragments, detects frag DoS
http_inspect – normalizes URLs, directory traversal, apache/iis profile


3.17 Design and Implementation: Success


4.0 Signatures

Match patterns in network traffic
Snort Signature Structure (diagram)
- Rule Header: Rule Action, Protocol, Source IP, Dest IP
- Rule Body


4.1 Signatures

Rule Action
- Alert, Log, Pass, Activate, Dynamic
Rule Ordering
- Alert > Pass > Log
- Most specific rule fires
  - Port or IP information
  - URI content > content
  - Longer Strings
  - ICMP itype
  - Same rule, whichever is first


4.2 Signatures

Rule Actions Continued
Activate/Dynamic are being phased out
  activate tcp any any -> any 143 (content:"|E8C0FFFFFF|/bin"; activates:1;)
  dynamic tcp any any -> any 143 (activated_by:1; count:5;)
Tagging
  alert tcp any any -> any 23 (tag:session,10,seconds;)
  tag: <type>, <count>, <metric>, [direction]


4.3 Signatures

Rule Content
MSG
  alert tcp any any -> any 12345 (msg:"Test Message";)
ASCII Content, nocase
  alert tcp any any -> any any (content:"/etc/passwd"; nocase; msg:"/etc/passwd Accessed";)
Binary Content
  alert tcp any any -> any any (content:"|0000 0101 EFF|"; msg:"Searching for Binary data";)


4.4 Signatures

Rule Content Continued
- Depth Option
- Offset Option
- Flow Control Option
  alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR NetBus Pro 2.0 connection established"; flow:from_server,established; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8;)


4.4 Signatures4.4 Signatures

Rule Content ContinuedRule Content ContinuedPCRE PCRE –– Perl Compatible Regular Perl Compatible Regular ExpressionExpressionSyntaxSyntaxpcrepcre:[!]:[!]””(/<(/<regexregex>/|m<delim><>/|m<delim><regexregex><delim>) ><delim>) [ismxAEGRUB][ismxAEGRUB]””;;

Sample: match "snort" followed by whitespace and a dotted version number (for example "snort 2.4.3" in a telnet banner). The content match does the cheap work first; the R modifier then starts the regular expression at the end of that match instead of at the start of the payload:

    alert tcp any any -> any 23 (content:"snort"; pcre:"/\s+\d+\.\d+\.\d+/R";)
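The rules from 4.3 and 4.4 run against constructed payloads. This is an added example written for this page, not Snort's code: a deliberately small re-implementation of content (ASCII and |hex| bytes), nocase, offset, depth and pcre with the R modifier, so the start and end of each option's search window can be seen. Only the modifiers that appear on the slides are handled; anything else raises rather than being silently ignored. The option lists and payloads below are constructed for the example.

```python
"""Toy re-implementation of the Snort payload options used in 4.3 and 4.4:
content (ASCII and |hex| bytes), nocase, offset, depth, and pcre with the R
modifier. Added example for this page, not Snort's code; unsupported
modifiers raise so nothing is silently ignored."""
import re


def parse_content(text: str) -> bytes:
    """'BN|10 00 02 00|' -> b'BN\\x10\\x00\\x02\\x00'. Text outside pipes is
    literal ASCII; inside pipes it is hex with optional spaces."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
        else:
            digits = chunk.replace(" ", "")
            if len(digits) % 2:  # e.g. the slide's |0000 0101 EFF|
                raise ValueError(f"odd number of hex digits in |{chunk}|")
            out += bytes.fromhex(digits)
    return bytes(out)


def match_content(payload: bytes, pattern: bytes, *, nocase=False,
                  offset=0, depth=None):
    """Search the window payload[offset:offset+depth] (to the end if depth is
    None). Returns the index just past the match, or None."""
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    haystack, needle = payload[offset:end], pattern
    if nocase:  # byte-wise ASCII case folding
        haystack, needle = haystack.lower(), needle.lower()
    idx = haystack.find(needle)
    return None if idx < 0 else offset + idx + len(needle)


PCRE_FORM = re.compile(r"/(.*)/([ismxAEGRUB]*)")
PY_FLAGS = {"i": re.I, "s": re.S, "m": re.M, "x": re.X}


def evaluate(options, payload: bytes) -> bool:
    """options: [(keyword, value), ...] in rule order. nocase/offset/depth
    modify the content that precedes them; pcre with R starts searching at
    the end of the previous match. Non-payload options (msg, flow) are skipped."""
    last_end, i = 0, 0
    while i < len(options):
        key, val = options[i]
        if key == "content":
            mods, i = {}, i + 1
            while i < len(options) and options[i][0] in ("nocase", "offset", "depth"):
                k, v = options[i]
                mods[k] = True if k == "nocase" else int(v)
                i += 1
            last_end = match_content(payload, parse_content(val), **mods)
            if last_end is None:
                return False
            continue
        if key == "pcre":
            regex, flags = PCRE_FORM.fullmatch(val).groups()
            if set(flags) - set("ismxR"):
                raise NotImplementedError(f"modifiers {flags!r} not handled here")
            reflags = 0
            for f in flags:
                reflags |= PY_FLAGS.get(f, 0)
            start = last_end if "R" in flags else 0
            hit = re.compile(regex.encode("latin-1"), reflags).search(payload, start)
            if hit is None:
                return False
            last_end = hit.end()
        i += 1
    return True


# Slide 4.4 NetBus Pro rule, payload options only (flow and msg are not payload tests)
NETBUS_OPTIONS = [("content", "BN|10 00 02 00|"), ("depth", "6"),
                  ("content", "|05 00|"), ("depth", "2"), ("offset", "8")]
# Constructed payloads: second marker at offset 8 (hit) vs. offset 10 (miss)
NETBUS_HIT = b"BN\x10\x00\x02\x00" + b"\x00\x00" + b"\x05\x00" + b"\x00" * 4
NETBUS_MISS = b"BN\x10\x00\x02\x00" + b"\x00" * 4 + b"\x05\x00"

# Slide 4.4 PCRE rule: "snort", then whitespace and a dotted version number
TELNET_OPTIONS = [("content", "snort"), ("pcre", r"/\s+\d+\.\d+\.\d+/R")]
TELNET_HIT = b"Welcome to snort 2.4.3 test host\r\n"   # constructed banner
TELNET_MISS = b"2.4.3 runs snort here\r\n"             # version before, not after

# Slide 4.3 nocase rule against a constructed upper-case request
PASSWD_OPTIONS = [("content", "/etc/passwd"), ("nocase", None)]
PASSWD_REQUEST = b"GET /ETC/PASSWD HTTP/1.0\r\n"

if __name__ == "__main__":
    for name, opts, data in [("netbus hit", NETBUS_OPTIONS, NETBUS_HIT),
                             ("netbus miss", NETBUS_OPTIONS, NETBUS_MISS),
                             ("telnet hit", TELNET_OPTIONS, TELNET_HIT),
                             ("telnet miss", TELNET_OPTIONS, TELNET_MISS),
                             ("passwd nocase", PASSWD_OPTIONS, PASSWD_REQUEST)]:
        print(f"{name}: {evaluate(opts, data)}")
```

The NetBus miss case is the one to study: the same bytes are present, but the second marker sits outside the 2-byte window at offset 8, so the rule stays quiet. That is exactly what offset and depth buy you: fewer false positives and less work per packet, at the cost of missing the pattern if the protocol ever shifts its layout.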


4.5 Signatures

Rule content continued: IP, TCP and ICMP header options; SID values

SID (signature ID) ranges:
- below 100: reserved for future use
- 100 to 1,000,000: rules distributed by the Sourcefire VRT (Vulnerability Research Team)
- above 1,000,000: local/custom rules

Also: rev number, severity (priority), classtype and references.

    alert tcp any any -> any 31337 (rev:2; priority:1; msg:"Netbus Detected"; classtype:trojan-activity; reference:cve,CAN-2002-1010; reference:url,www.poc2.com;)

Rule actions are lower-case, and the classtype must be a name defined in classification.config (hence "trojan-activity"). A production rule also carries a sid: rev is the revision number of a particular sid and has no meaning without one.
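A small linter for the metadata options in 4.5, run over the slide's rule and a corrected copy. This is an added example, not Snort's own parser: it splits a rule into header and options and flags what a visual review tends to miss (sid outside the expected range, rev without sid, an unknown classtype, a malformed reference, hex content that is not whole bytes, a mis-cased action). The allowed classtype and reference-system lists are site assumptions for the example; Snort itself takes them from classification.config and reference.config. The three rule strings are constructed from the slides.

```python
"""Added example, not Snort's own code: a linter for the rule metadata in
4.5. The allowed classtype and reference lists are site assumptions; Snort
reads classtypes from classification.config and reference systems from
reference.config."""
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
KNOWN_CLASSTYPES = {"trojan-activity", "attempted-admin", "attempted-user",
                    "web-application-attack", "misc-activity", "policy-violation"}
REFERENCE_SYSTEMS = {"cve", "bugtraq", "url", "nessus", "arachnids", "mcafee"}


def split_rule(rule: str):
    """Return (header_tokens, [(keyword, value_or_None), ...]). Options are
    split on ';' only outside double quotes, so a msg may contain ';'."""
    head, _, tail = rule.strip().partition("(")
    if not tail.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    opts, buf, quoted = [], "", False
    for ch in tail[:-1]:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        opts.append(buf.strip())
    parsed = []
    for opt in opts:
        key, _, value = opt.partition(":")
        parsed.append((key.strip(), value.strip().strip('"') if value else None))
    return head.split(), parsed


def lint_rule(rule: str, local: bool = True) -> list:
    """Return a list of findings; an empty list means the rule passed.
    local=True applies the >1,000,000 sid convention for custom rules."""
    findings = []
    header, opts = split_rule(rule)
    if len(header) != 7 or header[4] not in ("->", "<>"):
        findings.append("header must be: action proto src sport direction dst dport")
    if header[0] not in ACTIONS:
        findings.append(f"unknown or mis-cased action '{header[0]}'")
    values = {}
    for key, value in opts:
        values.setdefault(key, []).append(value)
    sid = values.get("sid", [None])[0]
    if sid is None:
        findings.append("missing sid")
        if "rev" in values:
            findings.append("rev present without sid")
    else:
        n = int(sid)
        if n < 100:
            findings.append(f"sid {n} is in the reserved range (<100)")
        elif local and n <= 1_000_000:
            findings.append(f"sid {n} is in the VRT range; local rules use >1,000,000")
    if "msg" not in values:
        findings.append("missing msg")
    for classtype in values.get("classtype", []):
        if classtype not in KNOWN_CLASSTYPES:
            findings.append(f"unknown classtype '{classtype}'")
    for ref in values.get("reference", []):
        system, _, ident = ref.partition(",")
        if system.strip().lower() not in REFERENCE_SYSTEMS or not ident.strip():
            findings.append(f"malformed reference '{ref}'")
    for content in values.get("content", []):
        for hexchunk in content.split("|")[1::2]:   # the parts between pipes
            if len(hexchunk.replace(" ", "")) % 2:
                findings.append(f"hex content |{hexchunk}| is not whole bytes")
    return findings


# Constructed inputs: the 4.5 slide rule as written, a corrected copy, and the
# 4.3 binary-content rule with a local sid added.
SLIDE_RULE = ('Alert tcp any any -> any 31337 (rev:2; priority:1; msg:"Netbus Detected"; '
              'classtype:trojan-activty; reference:CVE, CAN-2002-1010; reference:URL, www.poc2.com;)')
FIXED_RULE = ('alert tcp any any -> any 31337 (msg:"Netbus Detected"; classtype:trojan-activity; '
              'reference:cve,CAN-2002-1010; reference:url,www.poc2.com; sid:1000001; rev:2; priority:1;)')
BINARY_RULE = ('alert tcp any any -> any any (content:"|0000 0101 EFF|"; '
               'msg:"Searching for Binary data"; sid:1000002; rev:1;)')

if __name__ == "__main__":
    for name, rule in [("slide", SLIDE_RULE), ("fixed", FIXED_RULE), ("binary", BINARY_RULE)]:
        print(name, lint_rule(rule) or "ok")
```

Run it over a whole local.rules file before every reload; the sid-range check is what stops a custom rule from colliding with a VRT sid and being silently replaced on the next update.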


5.0 Monitoring & Maintaining

- Preparation
- Identification
- Containment & Eradication
- Recovery & Follow-up
- Maintaining

5.1 Monitoring & Maintaining

Preparation
- Define procedures and policies first
- Know the network, know the assets
- Establish a standard toolkit
- Contact lists are crucial
- Security-specific training

5.2 Monitoring & Maintaining

Identification
What is an incident?
- Unauthorized access
- Malicious code: viruses, worms, spyware
- Denial of service
- Data theft or misuse

Passive vs. active monitoring
- Honeypots are a passive tool
- The attacker's goals are unknown
- Document everything

5.3 Monitoring & Maintaining

Containment & Eradication
Limit the damage, stop the attack:
- Firewall rules, router ACLs, mail and web filtering
- Isolate networks, disconnect machines
- Patching, cleaning and reimaging

Recovery & Follow-up
- Return to 100% normal operations
- Root cause analysis (RCA) and reporting

5.4 Monitoring & Maintaining

Snort monitoring tools: ACID, BASE, Sguil, SnortSnarf, Aanval, OSSIM

Ideal features
- Stable and accurate
- Streaming alerts
- Trending of data
- Correlation of data
- Raw data and/or payload information
- Reporting capability

5.5 Monitoring & Maintaining

Keeping your sensors up to date
- Trusted sources and file integrity checks
- Automatic backups and updates

Updating rules
- Merging vs. overwriting
- Oinkmaster / IDSCenter
- Testing rules
- Change control
- Security mailing lists
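The update discipline above as one routine, added here as an example; it is not part of the slides, of Oinkmaster or of Snort. A downloaded rule set is checked against the digest the publisher supplies out of band (integrity from a trusted source), the site's own disablesid-style decisions are merged back in instead of being overwritten, a validator runs before anything goes live (by default Snort's own test mode, snort -T -c <conf>, which assumes snort is on PATH and a staging configuration that includes the candidate file), the current file is backed up with a timestamp, and the swap is an atomic rename so Snort can never load a half-written file. The rule text, the disabled sid and the stand-in validator in demo() are constructed so the flow runs offline.

```python
"""Added example, not from the slides, Oinkmaster or Snort: verify, merge,
test, back up and atomically install a rule file."""
import hashlib
import re
import shutil
import subprocess
import tempfile
import time
from pathlib import Path
from typing import Callable

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def apply_local_policy(rule_text: str, disabled_sids: set) -> str:
    """Merge step (what Oinkmaster's disablesid does): comment out the sids
    this site has turned off, so an update does not silently re-enable them."""
    out = []
    for line in rule_text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) in disabled_sids and not line.lstrip().startswith("#"):
            out.append("# " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def snort_test_mode(conf: Path) -> Callable[[Path], bool]:
    """Validator using `snort -T -c <conf>`. Assumes snort is on PATH and that
    conf is a staging configuration whose include line points at the
    candidate file, so the live configuration is never parsed with it."""
    def run(_candidate: Path) -> bool:
        return subprocess.run(["snort", "-T", "-c", str(conf)],
                              capture_output=True).returncode == 0
    return run


def install_rules(candidate: Path, live: Path, expected_sha256: str,
                  validator: Callable[[Path], bool]) -> str:
    """Returns 'installed', 'bad-checksum' or 'failed-test'. The live file is
    left untouched unless the result is 'installed'."""
    if sha256_of(candidate) != expected_sha256.lower():
        return "bad-checksum"
    if not validator(candidate):
        return "failed-test"
    if live.exists():
        stamp = time.strftime("%Y%m%d%H%M%S")
        shutil.copy2(live, live.with_name(f"{live.name}.{stamp}.bak"))
    staged = live.with_name(live.name + ".tmp")   # same directory, same filesystem
    shutil.copy2(candidate, staged)
    staged.replace(live)                           # atomic rename
    return "installed"


def looks_like_rules(path: Path) -> bool:
    """Stand-in validator for hosts without snort: every non-comment line must
    end in ';)'. Real deployments pass snort_test_mode(conf) instead."""
    return all(l.lstrip().startswith("#") or l.endswith(";)")
               for l in path.read_text().splitlines() if l.strip())


def demo() -> dict:
    """Run the whole flow in a scratch directory on a constructed rule set."""
    work = Path(tempfile.mkdtemp())
    live = work / "local.rules"
    live.write_text('alert tcp any any -> any 12345 (msg:"old"; sid:1000001; rev:1;)\n')
    downloaded = ('alert tcp any any -> any 12345 (msg:"Test Message"; sid:1000001; rev:2;)\n'
                  'alert tcp any any -> any 23 (msg:"noisy telnet"; sid:1000002; rev:1;)\n')
    candidate = work / "local.rules.new"
    candidate.write_text(apply_local_policy(downloaded, {1000002}))
    # In production the expected digest comes from the publisher out of band;
    # it is computed here only so the happy path can run offline.
    good = sha256_of(candidate)
    return {
        "tampered": install_rules(candidate, live, "00" * 32, looks_like_rules),
        "rejected": install_rules(candidate, live, good, lambda p: False),
        "installed": install_rules(candidate, live, good, looks_like_rules),
        "live_text": live.read_text(),
        "backups": len(list(work.glob("local.rules.*.bak"))),
    }
```

The order of the checks is the point: a bad digest or a failed test never touches the live file, and the merge happens before validation so the file Snort tests is the file Snort will load.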


6.0 Skills and Tools

Staged hack scenario
Packet capturing/sniffing: tcpdump, Wireshark (formerly Ethereal)

6.1 Skills and Tools

Basic network reconnaissance: ping, traceroute, nslookup (Cyberkit)

6.2 Skills and Tools

Whois against the regional Internet registries: ARIN, RIPE, APNIC, LACNIC, AfriNIC
Google hacking

6.3 Skills and Tools

Nmap: port and OS enumeration

    nmap -sS -O -T5 -F -P0 <host or ip>

-sS is a TCP SYN (half-open) scan that never completes the handshake; -O fingerprints the operating system; -T5 is the fastest timing template; -F scans only the most common ports; -P0 skips host discovery and treats the target as up (renamed -Pn in later Nmap releases). To grab a banner from one service by hand:

    telnet <host> <port>
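What the IDS side sees when that command runs, as an added example that is not part of the slides or of Snort. -sS sends one bare SYN per probed port and never completes the handshake, and -F keeps the probe list short, so the footprint is a single source touching many distinct ports on one host within a few seconds. The detector below is a simplified sliding-window version of the idea behind Snort's sfportscan preprocessor; the threshold, the window and the port list are assumptions chosen for the example, not Snort's or Nmap's values, and the odd-flag probes that -O adds are not modelled. The traffic is constructed.

```python
"""Added example, not from the slides or Snort: a minimal SYN-scan detector
in the spirit of sfportscan. Thresholds and port list are assumptions."""
from collections import defaultdict, deque

SYN, ACK = 0x02, 0x10

# Constructed target list standing in for the ports a fast (-F) scan probes
COMMON_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445,
                993, 995, 1723, 3306, 3389, 5900, 8080]


class SynScanDetector:
    def __init__(self, port_threshold=15, window_seconds=5.0):
        self.port_threshold = port_threshold
        self.window = window_seconds
        self.events = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
        self.alerted = set()               # alert once per (src, dst) pair

    def observe(self, ts, src, dst, dport, flags):
        """Feed one TCP header summary; return an alert string or None."""
        if not (flags & SYN) or flags & ACK:   # only bare SYNs count
            return None
        key = (src, dst)
        q = self.events[key]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:  # drop events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.port_threshold and key not in self.alerted:
            self.alerted.add(key)
            return f"PORTSCAN {src} -> {dst}: {len(distinct)} ports in {self.window:.0f}s"
        return None


def make_scan(src, dst, ports, start=0.0, gap=0.01):
    """Constructed -sS traffic: one bare SYN per port; gap models the -T timing."""
    return [(start + i * gap, src, dst, p, SYN) for i, p in enumerate(ports)]


def make_normal(client, server, connections, start=0.0):
    """Constructed legitimate traffic: repeated HTTP connections and their replies."""
    pkts = []
    for i in range(connections):
        t = start + i * 0.5
        pkts.append((t, client, server, 80, SYN))
        pkts.append((t + 0.001, server, client, 50000 + i, SYN | ACK))
    return pkts


def run(packets):
    """Return the alerts raised over a packet list, processed in time order."""
    det = SynScanDetector()
    return [a for a in (det.observe(*p) for p in sorted(packets)) if a]


if __name__ == "__main__":
    print(run(make_scan("10.0.0.5", "192.168.1.10", COMMON_PORTS)))            # -T5
    print(run(make_scan("10.0.0.5", "192.168.1.10", COMMON_PORTS, gap=1.0)))   # slow
    print(run(make_normal("10.0.0.7", "192.168.1.10", 30)))                    # benign
```

The second call is the caveat every portscan detector carries: stretch the same 20 probes over 20 seconds (a low -T value) and no 5-second window ever holds 15 distinct ports, so nothing fires. Lower thresholds catch slower scans at the price of more false positives from busy but legitimate clients.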


6.4 Skills and Tools

Nessus: vulnerability scanner

6.5 Skills and Tools

Metasploit: exploitation framework

7.0 Legal Issues

Internally
- Policy is key; it must be available and understood
- Letter of authorization
- Be aware of chain of custody
- Uniform monitoring of traffic and logs
- Consult the Legal department

7.1 Legal Issues

- Wiretap Act: real-time interception of content
- Pen/Trap Act: real-time capture of headers (pen registers and trap/trace devices)
- ECPA: stored e-mails and voicemails; requires consent or a court order/subpoena
- Exceptions: provider/system administrator exception; computer trespasser exception
- SOX: data retention; ISO 17799

7.2 Legal Issues

Reporting to law enforcement agencies (LEA)
- $5,000 damages threshold, which includes response and restoration costs
- Local law enforcement
- FBI, infragard.net, RCFL (Regional Computer Forensics Laboratory)
- Secret Service
- DHS hotline (infrastructure)
- Cybercrime.gov

8.0 Future & Conclusion

Current trends
- IDS/IPS moving towards SIM (security information management)
- More integration; deep packet inspection (DPI) firewalls
- Security at the switch/host: NAC (network access control)
- Wireless IDS

Further reading
Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, by Thomas Ptacek and Timothy Newsham (1998): http://crypto.stanford.edu/cs155/IDSpaper.pdf

Great resources
http://www-static.cc.gatech.edu/~wenke/ids-readings.html
http://www.snort.org/docs/

8.1 Future & Conclusion

Summary: key concepts
- IDS modeling theory
- IDS placement and implementation
- IDS monitoring and maintaining
- An effective AIC (availability, integrity, confidentiality) tool

Questions?

References

Beale, Jay (2004). "Snort 2.1 Intrusion Detection, 2nd Edition". Syngress Publishing, Rockland, MA.
2006 CSI/FBI Computer Crime and Security Survey. Available from http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf
Bishop, Matt (2005). "Introduction to Computer Security". Addison Wesley, Boston, MA.
Laing, Brian (2000). "How To Guide for Implementing NIDS". Internet Security Systems, http://www.snort.org/docs/iss-placement.pdf