Polytechnic University Introduction 1 Intrusion Detection Systems Examples of IDSs in real life r Car alarms r Fire detectors r House alarms r Surveillance

Polytechnic University Introduction 1

Intrusion Detection Systems

Examples of IDSs in real life

Car alarms Fire detectors House alarms Surveillance systems

An IDS is any combination of hardware & software thatmonitors a system or network for malicious activity.


Why IDSCan be detected: Mapping Port scans

Tens of thousands of packets

TCP stack scans Hundreds of thousands

of packets

“Deep Packet Inspection” Many organizations

deploy IDS systems Provide warnings to

network administrator Administrator can then

improve network’s security

Vigorous investigation could lead to attackers

There are host-based and network-basedIDS systems. Focus here on network-based.


IDS sensors

Webserver

FTPserver

DNSserver

applicationgateway

Internet

Demilitarized zone

Internalnetwork

firewall

= IDS sensor

Underlying OS needsto be hardened: stripped of unnecessarynetwork services


False Alarms

False alarms: False positive: normal traffic or benign

action triggers alarm Example: fire alarm if wrong password is

entered; benign user makes a typo False negative: alarm is not fired during

attack


Efficiency of IDS system

Accuracy: low false positive and false negative rates

Performance: the rate at which traffic and audit events are processed To keep up with traffic, may not be able to put IDS at

network entry point Instead, place multiple IDSs downstream

Fault tolerance: resistance to attacks Should be run on a single hardened host that

supports only intrusion detection services

Timeliness: time elapsed between intrusion and detection


Signature-based IDSSniff traffic on network border router or multiple sensors within a LANMatch sniffed traffic with signatures attack signatures in database signature: set of rules pertaining to a typical intrusion

activity Simple example rule: any ICMP packet > 10,000

bytes Example: more than one thousand SYN packets to

different ports on same host under a second skilled security engineers research known attacks; put

them in database can configure IDS to exclude certain signatures; can

modify signature parametersWarn administrator when signature matches send e-mail, SMS send message to network management system


Limitations to signature detection

Requires previous knowledge of attack to generate accurate signature Blind to unknown attacks

Signature bases are getting larger Every packet must be compared with each

signature IDS can get overwhelmed with processing;

can miss packets


Anomaly Detection IDS

Observe traffic during normal operation Create normal traffic profile Look for packet streams that are statistically

unusual e.g., inordinate percentage of ICMP packet or exponential growth in port scans/sweeps

Doesn’t rely on having previous knowledge of attack

Research topic in security


IDS evasion: “spy vs. spy”

Attackers do not want to be detected by IDS Often attackers are intimately familiar with the

popular IDS products, their weaknesses Idea: manipulate attack data

Active area of research in attack community Example: port scan stretched out over long period of

time, with different source IP addresses Most common approach: fragmentation

To detect malicious activity, IDS must capture, store, and analyze fragments.

Many fragment streams spread out over long period time ➜IDS must have large buffers

• Requires significant memory and processing power


IDS evasion: fragmentation Send a flood of fragments

Send so many fragments that IDS system saturates.

Once saturated, IDS will not be able detect a new attack

Fragment packets in unexpected ways Such that the IDS does not understand how

to properly reassemble the attack packets


IDS evasion tool: FragRouter

Runs on Unix/Linux systems Provides over 35 different schemes for

fragmenting flow of data Separates attack functionality from the

fragmentation functionality

attacksystem(eg nmap)

attackobfuscation(fragrouter)

IDS target

Internet


Some fragmentation types in FragRouter

Sends data in ordered 8-byte fragments Sends data in ordered 24-byte

fragments Sends data in ordered 8-byte fragments

with one fragment out of order Complete TCP handshake, send fake FIN

and RST (with bad checksums) before sending data in ordered 1-byte


Snort

Popular open source IDS 200,000 installations

Enhanced sniffer Runs on Linux, Unix,

Windows Generic sniffing

interface libpcap Can easily handle 100

Mbps of traffic Signatures

Written and released by Snort community within hours

Anyone can create Largest collection of

signatures for IDS

Typical setup

snortsensor

hub

internalnetwork

firewall

Good book: Intrusion Detectionwith Snort, by Jack Koziol


Snort deployment

snortsensor

hub

internalnetwork

firewall

snortsensor

internalnetwork

firewall

Switch SPAN port:• provides monitoringfor net admin & security• switch copies all traffic to SPAN port• can select which switchports get copied• approach doesn’t requireintro of new hub• no need for unidirectionalcable

unidirectionalsniffing cable

switch


Distributing traffic to multiple sensors Large organizations

often have Gbps backbone

Snort with full rule set cannot handle all traffic Packets can get

dropped; attacks go undetected

Tempting to tune Snort by trimming rules

Solutions: Put sensors on

different 100 Mbps segments

Or, multiple sensors on backbone; each sensor processes different range of destination IP addresses


snort.conf

Example:

var HOME_NET 193.152.1.1/24

var EXTERNAL_NET !193.152.1.1/24

Var HTTP_SERVERS 193.152.1.17

Var HTTP_PORTS 80 8080


Snort rule examplesalert icmp $EXTERNAL_NET any -> $HOME_NET any

(msg:”ICMP PING NMAP”; dsize: 0; itype: 8;)

Rule generates alert for ICMP having empty payload, ICMP type 8, andarriving from the outside.

This is part of an NMAP ping.

alert tcp $EXTERNAL_NET any -> $HOME_NET 139

(msg: “DOS SMBdie attack”:; flags: A+; content:”|57724c6568004577a|”;)

Rule generates alert if a TCP packet from outside contains |57724c6568004577a| in payload and is headed to port 139 (netbios) for some internal host.

This is part of a buffer overflow attack on a computer running Server Message Block Service.


Snort rule examples (2)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS

(msg:”WEB-IIS ISAPI .ida attempt”; uricontent:”.ida?”;

nocase; dsize:>239; flags:A+;)

Rule generates alert for packet heading to Web server with .ida? in URL in GET messageBuffer overflow attack that allows attacker to take over server.


Snort rule files

chat.rules ddos.rules ftp.rules multimedia.rules p2p.rules porn.rules virus.rules


Snort Rule Writing

Example: Cross-site scripting (XSS): Web site allows scripts to be inserted into

dynamically created Web page. Can reek havoc. Look out for HTTP requests containing <SCRIPT> Might first try:

alert tcp any any -> any any (content: “<SCRIPT>”; msg: “XSS attempt”;) triggers many false positives: e.g., e-mail message with

JavaScript Then try:

alert tcp $EX_NET any -> $HTTP_SRVS $HTTP_PRTS (content: “<SCRIPT>”; msg: “XSS attempt”; nocase;)


Snort Rule Syntax Rule is a single line

Rule header: everything before parenthesis Rule option: what’s in the parenthesis

Syntax for rule header:rule_action protocol src_add_range src_prt_rangedir_operator dest_add_range dest_prt_range

Example:alert tcp 192.168.1/24 1:1024 -> 124.17.8.1 80 rule actions: alert, log, drop protocol: tcp, udp, icmp direction: -> and <> src, dest port ranges :


Snort Rule Syntax (2)

Syntax for rule option: One or more option keywords

separated by semi-colons Example:

(msg: “XSS attempt”; content: “<SCRIPT>”; nocase;)Content-related keyword examples: content: ”smtp v2”; (ascii) content: ”|0f 65 a7 7b|” ; (binary) uricontent: ”.ida?”; content-list: “inappropriate_content.txt”; nocase; offset: 20; (start at byte 20 in payload) depth: 124; (stop at byte 124 in payload)



IP-related keyword examples: ttl: <5; id:2345; (id field, used for fragments) fragoffset: 0; dsize: >500; (payload size) ip_proto: 7; ICMP-relayed keyword examples: itype: 8; icode: 3;



TCP-related rules flags: A+; (ACK flag) flags: FUP; (FIN, Urgent, or Push flag)

+ alert if specified bit is discovered, in addition to at least one other

! alert if any of the specified bits is not set

seq: 12345432; ack: 54321234;Response examples msg: “christmas tree attack”; logto: “new_rule.log”; logs packet when

match occurs

Documents

Polytechnic University Introduction 1 Intrusion Detection Systems Examples of IDSs in real life r Car alarms r Fire detectors r House alarms r Surveillance