isaca - Del Mar College

Post on 09-Feb-2022


Transcript of isaca - Del Mar College

• Shabbir Bashir, SANS GSEC, shabbirbashir1@yahoo.com

• Detect Intrusions.

• What is an Intrusion?

• Two types of IDS.

• Host based or Network based.

• HIDS or NIDS

• Examples of host based IDS

• Examples of Network based IDS

• Snort is an open source real time network intrusion detection system that uses rules and signatures to check for malicious traffic on a network segment and triggers alerts and various forms of logging.

• Snort holds an inherent advantage over closed source IDSs, in that the IDS itself can be tailored and customized for each individual deployment to a level not possible for closed source competitors.

• Like most IDS, Snort works on rules or signatures.

• All network traffic is passed through a rule set.

• All packets are decoded and parsed.

• If a packet matches a rule, one of many actions can be taken.

• Actions: Log, Alert, Block, or all of the above.

• Rules are stored as plain text files, can be self-written or downloaded from Snort's website, and are read by Snort upon startup.

• Almost 2000 default rules, which are categorized in simple text files named to reflect the types of attacks they detect.

• Rules are updated on a regular basis by Snort developers and users to detect new exploits and worm-like activity.

• Custom Snort rules can be created to detect insider attacks and violations of a company's acceptable use policy.

• alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER version query"; flow:to_server,established; content:"version"; classtype:attempted-recon; sid:1541; rev:4;)

• Rule Header: Alert, Protocol, Source IP, Source port, Dest IP, Dest port.

• Rule Options: message, flow, content, classtype, sid and rev
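To make the header and option structure concrete, here is a miniature rule matcher written as an added example; it is not code from the talk and not Snort's own engine. It parses a rule into the header fields and the options just listed, expands $VARIABLE references from an assumed variable table (HOME_NET, EXTERNAL_NET, DHCP_SERVERS are assumptions standing in for snort.conf), supports the `!` negation and the `|hex|` form of the content option, and evaluates the finger rule above against constructed packets. Real Snort adds preprocessors, stream reassembly and many more options; this only shows how a packet is decoded, compared against the header and then against each option.

```python
"""Miniature Snort-style rule matcher (added example, not Snort code)."""
import ipaddress
import re

# Assumed network variables; a real deployment sets these in snort.conf.
VARS = {
    "HOME_NET": ["10.0.0.0/8"],
    "EXTERNAL_NET": ["!10.0.0.0/8"],   # everything that is not HOME_NET
    "DHCP_SERVERS": ["10.0.0.5"],
}

# The finger rule from the slides.
FINGER_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER version query"; '
               'flow:to_server,established; content:"version"; classtype:attempted-recon; '
               'sid:1541; rev:4;)')

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r'(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)
# name:value; pairs, where a quoted value may contain ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*((?:"[^"]*"|[^;])*))?;')


def content_bytes(value):
    """Snort content notation to bytes: "abc|3a 5c|d" -> b'abc:\\d' (text between bars is hex)."""
    out = bytearray()
    for i, part in enumerate(value.strip().strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(text):
    """Split one rule into header fields, an options dict and a list of content patterns."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options, contents = {}, []
    for name, value in OPTION_RE.findall(body):
        if name == "content":
            contents.append(content_bytes(value))
        else:
            options[name] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dir": direction,
            "dst": dst, "dport": dport, "options": options, "contents": contents}


def addr_matches(spec, ip):
    """Match an IP against any, a CIDR/host, or a $VARIABLE, with optional ! negation."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec.startswith("$"):
        hit = any(addr_matches(s, ip) for s in VARS[spec[1:]])
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(spec, port):
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    return (spec == "any" or int(spec) == port) != negate


def header_matches(rule, pkt):
    """Protocol, then addresses/ports; '<>' rules also match the reverse direction."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    forward = (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
               and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    if forward or rule["dir"] == "->":
        return forward
    return (addr_matches(rule["src"], pkt["dst"]) and port_matches(rule["sport"], pkt["dport"])
            and addr_matches(rule["dst"], pkt["src"]) and port_matches(rule["dport"], pkt["sport"]))


def rule_matches(rule, pkt):
    """Header, then flow direction/state, then every content pattern must be present."""
    if not header_matches(rule, pkt):
        return False
    flow = rule["options"].get("flow", "")
    if "to_server" in flow and not pkt["to_server"]:
        return False
    if "from_server" in flow and pkt["to_server"]:
        return False
    if "established" in flow and not pkt["established"]:
        return False
    return all(pattern in pkt["payload"] for pattern in rule["contents"])


def evaluate(rule_texts, packets):
    """Return (sid, msg, packet index) for every rule/packet pair that matches."""
    rules = [parse_rule(t) for t in rule_texts]
    return [(r["options"].get("sid"), r["options"].get("msg"), i)
            for i, pkt in enumerate(packets) for r in rules if rule_matches(r, pkt)]


# Constructed sample packets (not captures): an outside finger "version" query,
# the same query from an inside host, and an outside query for a user name.
PACKETS = [
    dict(proto="tcp", src="203.0.113.9", sport=51000, dst="10.1.2.3", dport=79,
         to_server=True, established=True, payload=b"version\r\n"),
    dict(proto="tcp", src="10.1.2.50", sport=51001, dst="10.1.2.3", dport=79,
         to_server=True, established=True, payload=b"version\r\n"),
    dict(proto="tcp", src="203.0.113.9", sport=51002, dst="10.1.2.3", dport=79,
         to_server=True, established=True, payload=b"root\r\n"),
]

if __name__ == "__main__":
    for sid, msg, idx in evaluate([FINGER_RULE], PACKETS):
        print(f"[sid {sid}] {msg}: packet #{idx} {PACKETS[idx]['src']} -> {PACKETS[idx]['dst']}")
```

Only the first packet alerts: the second comes from inside HOME_NET, so `$EXTERNAL_NET` excludes it, and the third never carries the `version` content. Note that every option is a further condition on a packet that already passed the header, which is why a badly chosen header (for instance `any any -> any any`) makes the content option the only thing standing between you and a flood of alerts.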

• Defining an Acceptable Use Policy.

• An AUP "defines acceptable use of equipment, computing services and the appropriate employee security measures to protect the organization's corporate resources and proprietary information."

• A list of prohibited activities should be included in the acceptable use policy.

• Port scanning of internal or external hosts for vulnerabilities.

• Launching a denial of service attack against an internal or external host.

• Setting up unauthorized wireless access points.

• Setting up unauthorized services such as web, DHCP and DNS servers.

• Surfing the Internet for potentially offensive sites.

• Attempting to log in to a host by using another user's network credentials.

• Users, business partners, contractors and vendors that are allowed to use network and computing resources.

• Examples of resources are file and print services, Intranet web servers and mail servers.

• Using legitimate access to do illegitimate activities on the network. For example...

• Installing Web Servers

• DHCP Servers

• IRC chat servers

• Probing internal and external hosts for operating system and application level vulnerabilities.

• Stealing confidential HR, R&D or finance data.

• Selling it on the Internet or to competitors.

• Disgruntled employees.

• Plain mischief purposes: "Look, I can hack the server!"

• The network administrator at XVZ Corporation receives a call on a Friday afternoon.

• Users on a remote segment are losing their network connectivity.

• Upon further investigation, it appears there is an unknown DHCP server on the network.

• This DHCP server is assigning non-standard IP addresses, gateway and DNS information to hosts, causing loss of connectivity.

• If there had been a Snort sensor monitoring that segment of the network, this could have triggered an alert long before a large number of users lost connectivity.

• alert udp !$DHCP_SERVERS 67 -> any 68 (msg:"Rogue DHCP server..."; )
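The rule above looks only at the UDP header: a source that is not one of the authorized servers, sending from port 67 to port 68, which is the server-to-client direction of DHCP. As an added example that is not from the talk and not Snort code, the Python below applies that same header test and then decodes the BOOTP/DHCP reply to show what the rogue server is actually handing out (offered address, router, DNS). It goes one step beyond the rule by also checking the DHCP server-identifier option (54), which catches a reply whose source IP has been spoofed to look like an authorized server. The authorized-server list and all packets are constructed here, not captured.

```python
"""Rogue DHCP server detector (added example, not from the talk, not Snort code)."""
import ipaddress
import struct

AUTHORIZED_DHCP_SERVERS = {"10.0.0.5"}   # assumed value of $DHCP_SERVERS

MAGIC_COOKIE = b"\x63\x82\x53\x63"        # marks the start of DHCP options in a BOOTP frame
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 6, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def ip_bytes(addr):
    return ipaddress.IPv4Address(addr).packed


def build_dhcp_reply(msg_type, yiaddr, server_id, router, dns):
    """Construct a BOOTP/DHCP server reply (op=2) carrying the options we care about."""
    fixed = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0)      # op, htype, hlen, hops, xid, secs, flags
    fixed += ip_bytes("0.0.0.0") + ip_bytes(yiaddr) + ip_bytes(server_id) + ip_bytes("0.0.0.0")
    fixed += b"\x00" * 16 + b"\x00" * 64 + b"\x00" * 128             # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + ip_bytes(server_id)
    opts += bytes([OPT_ROUTER, 4]) + ip_bytes(router)
    opts += bytes([OPT_DNS, 4]) + ip_bytes(dns)
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_dhcp(payload):
    """Decode op, yiaddr and the option TLVs; None if this is not a DHCP frame."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    info = {"op": payload[0], "yiaddr": str(ipaddress.IPv4Address(payload[16:20])), "options": {}}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:                       # pad byte, no length field
            i += 1
            continue
        length = payload[i + 1]
        info["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return info


def ip_opt(opts, code):
    return str(ipaddress.IPv4Address(opts[code][:4])) if code in opts else None


def check_dhcp_packet(src_ip, sport, dst_ip, dport, payload):
    """Return an alert dict for a DHCP reply from an unauthorized server, else None."""
    if sport != 67 or dport != 68:          # rule header: 67 -> any 68 (server to client only)
        return None
    info = parse_dhcp(payload)
    if info is None or info["op"] != 2:     # only BOOTP replies
        return None
    opts = info["options"]
    server_id = ip_opt(opts, OPT_SERVER_ID)
    # The rule's !$DHCP_SERVERS test on the source, plus a check the header cannot
    # express: the server identifier option must also name an authorized server.
    if src_ip in AUTHORIZED_DHCP_SERVERS and server_id in AUTHORIZED_DHCP_SERVERS:
        return None
    return {
        "msg": "Rogue DHCP server",
        "src": src_ip,
        "type": MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN"),
        "server_id": server_id,
        "offered": info["yiaddr"],
        "router": ip_opt(opts, OPT_ROUTER),
        "dns": ip_opt(opts, OPT_DNS),
    }


# Constructed traffic: (src, sport, dst, dport, payload). A legitimate OFFER, a rogue
# OFFER, a client DISCOVER (wrong direction), and a spoofed-source rogue ACK.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", 67, "255.255.255.255", 68,
     build_dhcp_reply(2, "10.0.1.20", "10.0.0.5", "10.0.0.1", "10.0.0.2")),
    ("10.0.1.77", 67, "255.255.255.255", 68,
     build_dhcp_reply(2, "192.168.77.10", "10.0.1.77", "192.168.77.1", "192.168.77.1")),
    ("0.0.0.0", 68, "255.255.255.255", 67, b"\x01" + b"\x00" * 239),
    ("10.0.0.5", 67, "255.255.255.255", 68,
     build_dhcp_reply(5, "192.168.77.11", "10.0.1.77", "192.168.77.1", "192.168.77.1")),
]


def scan(traffic):
    return [alert for alert in (check_dhcp_packet(*pkt) for pkt in traffic) if alert]


if __name__ == "__main__":
    for a in scan(SAMPLE_TRAFFIC):
        print(f"{a['msg']}: {a['type']} from {a['src']} (server-id {a['server_id']}) "
              f"offers {a['offered']} gw {a['router']} dns {a['dns']}")
```

The rogue OFFER is the case the slides describe: users receive 192.168.77.x addresses and a gateway that does not route their traffic. The last sample shows why decoding the payload is worth the extra work: its source address is the authorized server, so the Snort header alone would let it through, but the server identifier inside the reply gives it away.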

• Imagine your workplace, around 9:00 PM.

• How many people are around?

• Jack, the programmer, is at his desk tapping away.

• Just another hard working employee working late trying to meet deadlines, right?

• Think again!

• Jack is scanning your internal file servers for vulnerabilities.

• He is scanning all servers to see what services are open.

• But the servers are behind a firewall, and port scans are not allowed, so we are protected, right?

• Where do you think Jack is?

• You guessed it...

• Inside your network!

JACK

• How many of you are aware of the "Full-Disclosure" mailing list?

• If there had been a Snort sensor monitoring that segment of the network, this could have triggered an alert long before Jack had a chance to exploit internal file and print servers for his benefit.

• alert tcp any 4444 -> any any (msg:"ATTACK-RESPONSE successful DCom RPC System Shell Exploit Response"; flow:from_server,established; content:"|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"; classtype:successful-admin;)

• alert tcp any 3333 -> any any (msg:"ATTACK-RESPONSE successful DCom RPC System Shell Exploit Response"; flow:from_server,established; content:"|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"; classtype:successful-admin;)

• What is a honey token?

• "A honey pot is an information system resource whose value lies in unauthorized or illicit use of that resource."

• A resource which no one should use.

• Examples of honey tokens are...

• A bogus medical record called "John F. Kennedy" inserted in a database at a hospital.

• If an intruder/attacker/insider is looking at records, this one will stick out and make them curious.

• If the words "John F Kennedy" appear in a data packet on a network segment that a Snort sensor is monitoring, it will trigger an alert.

• This method can be used to detect insiders accessing information they shouldn't.

• Create a document in your Human Resources network share and call it Exec-Bonuses.doc, then make a Snort rule to alert on traffic that has this ASCII content in it: "Exec-Bonuses.doc".

• If an insider is misusing his/her access and scanning for docs that look interesting, they will be identified.

HR NETWORK SHARE

Guess which one of these files is a honey-token?

• alert ip any any -> any any (msg:"Honeytoken Access -- Potential Unauthorized Activity"; content:"Exec-Bonuses.doc";)
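The rule alerts on the ASCII bytes of the file name, so it fires when the document travels in a protocol that carries names as plain ASCII (FTP, HTTP, e-mail). One caveat a practitioner would want, as an added example that is not from the talk and not Snort code: SMB/CIFS carries file names as UTF-16LE, so an ASCII content rule will not see the honeytoken being opened on the very Windows share it was planted on. The builder below emits both an ASCII rule and a UTF-16LE `|hex|` content rule for a given honeytoken name and checks them against constructed payloads, using a plain byte-substring search as a stand-in for Snort's content option. The SIDs and the payloads are assumptions.

```python
"""Honeytoken rule builder (added example, not from the talk, not Snort code)."""
import re


def snort_hex(data):
    """Render bytes in Snort's |xx xx ...| content notation."""
    return "|" + " ".join(f"{b:02x}" for b in data) + "|"


def honeytoken_rules(filename, sid_base=1000001):
    """Return (ascii_rule, utf16_rule) that alert on the honeytoken file name.
    SIDs from 1,000,000 upward are the range Snort leaves for local rules."""
    msg = "Honeytoken Access -- Potential Unauthorized Activity"
    ascii_rule = (f'alert ip any any -> any any (msg:"{msg} ({filename}, ascii)"; '
                  f'content:"{filename}"; nocase; sid:{sid_base}; rev:1;)')
    utf16_rule = (f'alert ip any any -> any any (msg:"{msg} ({filename}, utf-16le)"; '
                  f'content:"{snort_hex(filename.encode("utf-16-le"))}"; sid:{sid_base + 1}; rev:1;)')
    return ascii_rule, utf16_rule


def content_pattern(rule):
    """Extract the content option as bytes, from either the hex form or the literal form."""
    raw = re.search(r'content:"([^"]*)"', rule).group(1)
    if raw.startswith("|") and raw.endswith("|"):
        return bytes.fromhex(raw.strip("|"))
    return raw.encode("latin-1")


def payload_matches(rule, payload):
    """Stand-in for Snort's content test: byte substring search, case-folded if nocase is set."""
    pattern = content_pattern(rule)
    if "nocase;" in rule:
        return pattern.lower() in payload.lower()
    return pattern in payload


# Constructed payloads, not real captures: an FTP retrieve of the file, the tail of an
# SMB2 CREATE request carrying the path as UTF-16LE, and unrelated web traffic.
SAMPLE_PAYLOADS = {
    "ftp_retr": b"RETR Exec-Bonuses.doc\r\n",
    "smb2_create": b"\xfeSMB" + b"\x00" * 60 + "HR\\Exec-Bonuses.doc".encode("utf-16-le"),
    "http_get": b"GET /index.html HTTP/1.0\r\n\r\n",
}


def which_rules_fire(filename, payloads=SAMPLE_PAYLOADS):
    """Map each payload name to which of the two rules would alert on it."""
    ascii_rule, utf16_rule = honeytoken_rules(filename)
    return {name: {"ascii": payload_matches(ascii_rule, p),
                   "utf16": payload_matches(utf16_rule, p)}
            for name, p in payloads.items()}


if __name__ == "__main__":
    for rule in honeytoken_rules("Exec-Bonuses.doc"):
        print(rule)
    for name, hits in which_rules_fire("Exec-Bonuses.doc").items():
        print(f"{name:12s} ascii={hits['ascii']} utf16={hits['utf16']}")
```

Deploy both rules: the ASCII one catches the file leaving over FTP, HTTP or mail, the UTF-16LE one catches it being opened on the share. Whatever the encoding, the content string has to be byte-for-byte the name you planted; a single misspelled character in the rule means the sensor watches for a file that does not exist.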

[Network diagram: a Remote Network Segment (PCs, laptops, switch, Snort sensor, router) joined over a point-to-point link to the HQ Network Segment (router, firewall, switch, Snort sensor, IDS analyst's console), with an Internet service provider connection; each segment is monitored by its own Snort sensor reporting to the IDS analyst's console.]

• They are, don't buy them!

• Use a combination of Snort and ACID on Apache and Red Hat.

• All of them are FREE to use!

• Analysis Console for Intrusion Detection.

• HTML based front end to Snort.

• Open Source (FREE).

• Alert management.

• Query-builder and search interface.

• Chart and statistics generation.

• Packet viewer (decoder).

• Do not use a single shared logon account for multiple employees.

• When temporary employees leave, disable their user accounts on your computer systems immediately!

• In your corporate security policy, explain that all use of corporate computers and networks is subject to monitoring.

• Utilize the principle of least privilege.

• Activate logging and intrusion-detection systems on sensitive internal computers and networks.

• While companies often spend a great deal of time and money preventing attacks from outsiders, many ignore the threats from the malicious insider.

• With the economy sputtering and layoffs mounting, a large segment of many companies' employee population is in a disgruntled state.

• As companies cut back on full-time employees, the use of temporary workers is increasing. This environment represents a dangerous mix from a security perspective.

• http://www.giac.org/practical/GSEC/Mohammad_Bashir_GSEC.pdf

• http://www.jaxdug.com/jaxdug/meeting.aspx

• http://www.jaxlug.org/modules.php?op=modload&name=News&file=article&sid=36

• www.shabbir.mine.nu/Intro_to_tcpdump.pdf

• http://cert.uni-stuttgart.de/archive/intrusions/2004/01/msg00039.html

• www.sans.org

• www.giac.org/GCIA.php

• www.incidents.org

• http://www.securityfocus.com/infocus/1520

• http://www.securityfocus.com/infocus/1558

• www.snort.org

• www.dshield.org
