Lecture 10: Intrusion Detection Systems
Supakorn Kungpisdan, Ph.D., [email protected]
ITEC4621: Network Security
Outline
Intrusion Detection System (IDS)
IDS Types
Signature-based vs. Statistical Anomaly-based IDS
Snort
Intrusion Detection System
Software, hardware, or a combination of both, used to detect intruder activity.
An IDS analyses network traffic to look for evidence of an attack, scanning access logs and analyzing the characteristics of files for signs of compromise.
An IDS only tells us that something wrong is occurring; it does not prevent attacks.
Definitions
Network IDS (NIDS): an IDS that captures data packets travelling on the network media and matches them against a database of signatures.
Host IDS (HIDS): an IDS installed as an agent on a host. It looks into system and application log files to detect intruder activity.
  Reactive: sends non-real-time alerts
  Proactive: sends real-time alerts
Signatures: patterns that you look for inside a data packet, used to detect one or more types of attacks.
Definitions (cont'd)
Alerts: user notification of intruder activity, e.g. pop-up windows, logging to a console, sending emails.
Logs: files containing the activities in the system or network. Logs are saved to files; Snort saves its messages under the /var/log/snort directory by default.
False alarms: alerts generated due to an indication that is not intruder activity.
Sensors: the machines on which an IDS is running, used to "sense" the network.
IDS Overview
IDS Overview (cont.)
Roadmap
Intrusion Detection System (IDS)
IDS Types
Signature-based vs. Statistical Anomaly-based IDS
Snort
IDS Types
Network Intrusion Detection System (NIDS)
System Integrity Verifier (SIV)
Log File Monitor (LFM)
Honeypot
Host Intrusion Detection System (HIDS)
NIDS
A machine running IDS software connects to a hub, switch, or router.
It analyzes network packets to determine whether an attacker is trying to break into the system.
A NIDS captures all passing packets on the network, like a network analyzer.
The system compares the packets with known attack patterns (signatures).
E.g. Snort
NIDS (cont.)
For example:
1. The NIDS notices that a host is sending SYN packets without attempting to complete the connection.
2. The NIDS identifies it as a SYN attack and takes appropriate action.
A NIDS consists of 2 parts:
  Sensor: captures and analyzes the traffic
  Console: manages the sensors and runs all reports
A NIDS logs all traffic, so it requires a huge amount of disk space and needs a dedicated machine.
System Integrity Verifier
Aka "file system IDS". Important because a firewall can be broken and a NIDS cannot detect a new kind of attack.
An SIV creates signatures of all critical system files and regularly re-compares the signatures with the actual files.
A rootkit, a type of Trojan, is a collection of utilities, often masquerading as legitimate administrative programs, that allows an attacker to gain continued remote control of a system without being detected.
The most popular SIV is Tripwire.
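Added example in the spirit of an SIV such as Tripwire (not Tripwire's own code): record a baseline of file signatures, then re-verify and classify each file as unchanged, modified or missing. The baseline must live where an attacker who alters the files cannot also rewrite it (read-only or offline media), otherwise the comparison proves nothing.

```python
import hashlib
import os
import tempfile

# Added example (not Tripwire's code): a minimal file-system integrity check
# that records signatures of critical files and re-compares them later.

def file_signature(path):
    """Return the SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Baseline run: record a signature for every critical file."""
    return {p: file_signature(p) for p in paths}

def verify(baseline):
    """Re-compare the current files with the baseline and classify each."""
    report = {"modified": [], "missing": [], "unchanged": []}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif file_signature(path) != expected:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    return report

def demo():
    """Constructed scenario in a temp dir: 'ps' is altered, 'ls' is deleted."""
    d = tempfile.mkdtemp()
    ls, ps = os.path.join(d, "ls"), os.path.join(d, "ps")
    for p in (ls, ps):
        with open(p, "wb") as f:
            f.write(b"original binary bytes")
    baseline = build_baseline([ls, ps])
    with open(ps, "ab") as f:   # simulate a replaced system binary
        f.write(b"extra bytes")
    os.remove(ls)               # simulate a deleted file
    report = verify(baseline)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}
```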
Log File Monitor
Steps to create a log file monitoring plan:
1. Determine what information you need out of your system
2. Locate the logs that contain that information
3. Define what types of entries will trigger alerts
E.g. Swatch
Looking for Unordinary Activities
Users logging in at strange hours
Unexplained reboots
Unexplained changes to the system clock
Unusual error messages from the mailer, ftp daemon, or other network servers
Failed login attempts with bad passwords
Unauthorized or suspicious use of the su command
Users logging in from unfamiliar sites on the network
Etc.
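Added example (not Swatch's code and not from the lecture): a small log file monitor that applies the three-step plan from the previous slide to three of the activities listed here. The log lines are constructed, and the failure threshold and working hours are assumptions.

```python
import re

# Added example (not Swatch's code): a small log file monitor implementing the
# three-step plan from the previous slide for the activities listed here.
# The log lines below are constructed for the example, not taken from a host.
SAMPLE_LOG = """\
Mar 10 02:14:07 host sshd[812]: Failed password for root from 203.0.113.9 port 4022 ssh2
Mar 10 02:14:09 host sshd[812]: Failed password for root from 203.0.113.9 port 4022 ssh2
Mar 10 02:14:12 host sshd[812]: Failed password for root from 203.0.113.9 port 4022 ssh2
Mar 10 02:15:30 host su: (to root) alice on /dev/pts/2
Mar 10 09:30:00 host sshd[900]: Accepted password for bob from 192.0.2.5 port 5100 ssh2
Mar 10 03:05:11 host sshd[901]: Accepted password for carol from 198.51.100.7 port 5200 ssh2
"""

# Step 2: the information lives in syslog-style lines with a timestamp.
SYSLOG = re.compile(r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) (\S+) (.*)$")
# Step 3: the entry types that trigger alerts (thresholds are assumptions).
FAILED = re.compile(r"Failed password for (\S+) from (\S+)")
SU_ROOT = re.compile(r"su: \(to root\) (\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
FAIL_THRESHOLD = 3          # bad passwords from one source before alerting
WORK_HOURS = range(7, 20)   # 07:00-19:59; a login outside is a "strange hour"

def monitor(text):
    """Scan log text and return the alerts the plan raises, in log order."""
    alerts, failures = [], {}
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue                  # skip lines we do not know how to parse
        hour, msg = int(m.group(3)), m.group(7)
        if f := FAILED.search(msg):
            src = f.group(2)
            failures[src] = failures.get(src, 0) + 1
            if failures[src] == FAIL_THRESHOLD:   # alert once per source
                alerts.append(f"{FAIL_THRESHOLD} failed logins from {src}")
        elif s := SU_ROOT.search(msg):
            alerts.append(f"su to root by {s.group(1)}")
        elif (a := ACCEPTED.search(msg)) and hour not in WORK_HOURS:
            alerts.append(f"off-hours login: {a.group(1)} from {a.group(2)} "
                          f"at {hour:02d}:00")
    return alerts
```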
Honeypot
A series of resources that are meant to be probed, attacked, or compromised.
Has false services with well-known vulnerabilities.
Used to attract attackers and distract them from an actual system.
Used to mislead an attacker or to understand his methods (research honeypot).
Advantages
  Gather data on how and what an attacker does in the system
  Optimize resources, as the attacker hits the honeypot, not the firewall or NIDS
Disadvantages
  Useless if the attacker is not interested
  The system will be broken into if the honeypot is not properly configured -> do not install a honeypot unless you are sure how to install, monitor, and maintain it!!!
Visit http://project.honeynet.org
Host-based IDS
An IDS that runs on a single server, controlling traffic within a collision domain.
Functions like a virus scanner.
When suspicious activity is detected, e.g. deleting important files, the IDS attempts to terminate the attacking session and sends an alert to the system admin.
Flaws of HIDS
Most HIDS can monitor only specific types of systems, e.g. a web server.
A HIDS runs on the very system you need to protect, so an attacker may find a way to disable the IDS before making any changes to your system.
Before leaving the system, an attacker usually cleans up all traces of their activities in the log files. It is suggested to forward a copy of all log files to a remote system.
Roadmap
Intrusion Detection System (IDS)
IDS Types
Signature-based vs. Statistical Anomaly-based IDS
Snort
Knowledge- or Signature-based IDS
Most popular.
Detection is based on signatures; a signature is developed from how the attacks are carried out.
Any action that is not recognized as an attack is considered acceptable.
E.g. a packet that has the same source and destination IP address is the signature of a "Land Attack".
Weak against new types of attacks; the software needs regular updating with new signatures.
Statistical Anomaly-based IDS
Aka behavioral-based IDS.
Does not use signatures.
Put in a learning mode to build a profile of an environment's "normal" activities. The longer the IDS is kept in learning mode, in most instances, the more accurate a profile it will build and the better protection it will provide.
Statistically, the IDS looks for anomalies in the network traffic or user activity; anything that does not match the profile is seen as an attack.
Each packet is given an anomaly score. If the score is higher than the threshold, the packet is considered an attack.
Can detect "0 day" attacks.
May raise false alerts.
Need to ensure that no attack activity is underway during the learning mode.
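Added example, not from the lecture: the Land-attack signature from the previous slide beside a small statistical anomaly detector with a learning mode, run on constructed packets to show that the signature misses an unknown attack, the anomaly score catches it, and that attack traffic present during learning poisons the profile. The port-frequency profile, the pseudo-count and the 5-bit threshold are assumptions.

```python
import math
from collections import Counter

# Added example (not from the lecture): the Land-attack signature beside a
# statistical anomaly detector with a learning mode, run on constructed
# packets to show what each catches, misses, and how learning can be poisoned.

def pkt(src, dst, dport):
    return {"src": src, "dst": dst, "dport": dport}

def land_signature(p):
    """Slide's signature: same source and destination IP address."""
    return p["src"] == p["dst"]
SIGNATURES = {"Land attack": land_signature}

def signature_ids(p):
    """Matching signature names; anything unmatched is 'acceptable'."""
    return [name for name, rule in SIGNATURES.items() if rule(p)]

class AnomalyIDS:
    """Learning mode profiles destination ports; later packets are scored."""
    def __init__(self, threshold):
        self.threshold, self.counts, self.total = threshold, Counter(), 0
    def learn(self, packets):
        for p in packets:
            self.counts[p["dport"]] += 1
            self.total += 1
    def score(self, p):
        # Surprise (bits) of this port under the profile; the pseudo-count
        # keeps never-seen ports finite but highly anomalous.
        prob = (self.counts[p["dport"]] + 0.5) / (self.total + 0.5)
        return -math.log2(prob)
    def is_attack(self, p):
        return self.score(p) > self.threshold

# Constructed "normal" traffic: 90 web and 10 ssh connections to one server.
NORMAL = [pkt(f"10.0.0.{i}", "10.0.0.1", 80) for i in range(2, 92)]
NORMAL += [pkt(f"10.0.0.{i}", "10.0.0.1", 22) for i in range(2, 12)]
LAND = pkt("10.0.0.1", "10.0.0.1", 80)      # known attack on a normal port
NOVEL = pkt("10.0.0.7", "10.0.0.1", 31337)  # "0 day": no signature exists

def demo(attack_during_learning=False):
    """What each detector decides; the flag simulates a poisoned profile."""
    ids = AnomalyIDS(threshold=5.0)
    ids.learn(NORMAL + ([NOVEL] * 20 if attack_during_learning else []))
    return {"land_by_signature": bool(signature_ids(LAND)),
            "land_by_anomaly": ids.is_attack(LAND),
            "novel_by_signature": bool(signature_ids(NOVEL)),
            "novel_by_anomaly": ids.is_attack(NOVEL)}
```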
Roadmap
Intrusion Detection System (IDS)
IDS Types
Signature-based vs. Statistical Anomaly-based IDS
Snort
Snort
Snort can sniff packets, log packets, and detect network intrusions.
Types of Snort alerts:
  Full: default, displays all information
  Fast: timestamp, message, source & destination IP addresses and port numbers
  Socket: sends alerts to a UNIX socket (another program on the same machine can record the alerts)
  Syslog: sends alerts to the syslog daemon
  Smb: uses Samba to send a pop-up message to Windows machines
  None: generates no alerts
Snort Components
Packet Decoder: prepares packets from different interfaces to be preprocessed or to be sent to the detection engine.
Preprocessors: arrange or modify packets before they are analyzed by the detection engine.
Detection engine: detects whether any intrusion activity exists in a packet, by applying the Snort rules.
Logging and alert system: may log the activity or generate an alert.
Output modules: control the type of output generated by the logging and alert system:
  Log to /var/log/snort/alerts
  Send messages to the syslog facility
  Log to databases, e.g. MySQL or Oracle
  Generate XML output
  Etc.
ITEC4621: Network Security 25
Components of an IDS
ITEC4621: Network Security 26
Snort Rules
alert tcp any any -> 10.0.0.0/8 22 (msg:"ssh login";)
Rule header fields, left to right:
  Action: alert, log, or pass
  Protocol: tcp, udp, icmp, or ip
  Source IP and source port
  Direction operator (->)
  Destination IP and destination port; a port can be a single port, a range such as 0:22, or a negation such as !22
Rule options follow in parentheses, e.g. msg.
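Added example (not Snort's own parser, not from the lecture): a minimal matcher for the rule header format shown on this slide, using the slide's rule against constructed packets. It handles "any", CIDR blocks, port ranges such as 0:22 and negation such as !22, and only the -> direction.

```python
import ipaddress
import re

# Added example (not Snort's own parser): a minimal matcher for the rule
# header format on this slide, handling CIDR blocks, port ranges such as
# 0:22 and negation such as !22. Packets are dicts constructed for the demo.
OPTION = re.compile(r'(\w+)\s*:\s*"?([^;"]*)"?\s*;')

def parse_rule(text):
    """Split 'action proto src sport dir dst dport (options)' into fields."""
    header, _, options = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    return {"action": action.lower(), "proto": proto.lower(), "src": src,
            "sport": sport, "dir": direction, "dst": dst, "dport": dport,
            "opts": dict(OPTION.findall(options))}

def ip_matches(spec, ip):
    """'any', a single address or a CIDR block, optionally negated with '!'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """'any', a single port or a range like 0:22, optionally negated with '!'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    lo, sep, hi = spec.partition(":")
    if not sep:
        return port == int(lo)
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)

def rule_matches(rule, p):
    """Header match for the -> direction shown on the slide."""
    return (rule["proto"] == p["proto"]
            and ip_matches(rule["src"], p["src"]) and port_matches(rule["sport"], p["sport"])
            and ip_matches(rule["dst"], p["dst"]) and port_matches(rule["dport"], p["dport"]))

RULE = parse_rule('alert tcp any any -> 10.0.0.0/8 22 (msg:"ssh login";)')

def demo():
    """Constructed packets: an SSH connection into 10/8 and one to another net."""
    ssh = {"proto": "tcp", "src": "192.0.2.4", "sport": 50000,
           "dst": "10.1.2.3", "dport": 22}
    other = dict(ssh, dst="172.16.0.9")
    return rule_matches(RULE, ssh), rule_matches(RULE, other), RULE["opts"]["msg"]
```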
ITEC4621: Network Security 27
Snort Alert Example
An attacker changes the source port in every packet while scanning port 21 on target machines, to avoid detection.
ITEC4621: Network Security 28
Where to Place Snort
Snort consists of a console and sensors.
There can be more than one sensor monitoring traffic and sending data to the console.
NIDS sensors run without an IP address bound to the public network segment.
An IP address is configured only on the network card that connects the sensor to the console, so the sensor is invisible to the public network segment.
Where to Place Snort (cont.)
Dealing with Switches
Dealing with Switches (cont.)
How to Protect the IDS Itself
Do not run any services on the IDS sensor.
Patch the IDS with the latest releases.
Configure the IDS not to respond to ping packets.
On Linux, use iptables to block any unwanted data.
Use the IDS machine only as necessary, including creating user accounts only as necessary.
Configure Snort in stealth mode, with no IP address on the monitoring interface.
ITEC4621: Network Security 34
Modes of Operation
Sniffer mode
Packet logger mode
Network Intrusion Detection System (NIDS) mode
ITEC4621: Network Security 35
Snort Sniffer Mode
Similar to tcpdump, but provides more details about how packets are analyzed.
It provides a network traffic summary at the end of the capture.
To use Snort in sniffer mode, type:
% snort -v
To sniff the payload as well, use the combination of the -v and -d flags as follows:
% snort -vd
To give more details about data-link layer headers, use the combination of the -v, -d, and -e flags:
% snort -vde
ITEC4621: Network Security 36
Available Flags in Sniffer Mode
-v : dump packets to standard output (shows the result on screen); displays TCP, UDP, and ICMP information
-d : dump packet payloads
-a : display ARP packets
-e : display link layer data and display data in ASCII format
The above flags can be used individually or in combination with each other.
Snort -v
Snort -dv
Snort -dev
Snort Packet Logger Mode
This mode logs the results from running Snort into a log file. You can use the -d, -a, and -e options to control the amount of information logged for each packet.
% snort -l /var/log/snort -d
Snort can log packets in binary format, readable by Snort, tcpdump, or Ethereal. This greatly increases the speed and portability of the packet capture.
% snort -b -l /usr/local/log/snort
To read the log file using Snort, type the following command:
% snort -r /usr/local/log/snort
ITEC4621: Network Security 41
Logging Traffic on Multiple Interfaces
To listen on multiple interfaces, start one Snort instance per interface, each with its own log directory:
% snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort0
% snort -c /etc/snort/snort.conf -i eth1 -l /var/log/snort1
ITEC4621: Network Security 42
Snort NIDS Mode
Snort applies its rules to all captured packets. If a packet matches a rule, it is logged or an alert is generated.
% snort -c /etc/snort/snort.conf
% snort -dev -l /var/log/snort -c /etc/snort/snort.conf
ITEC4621: Network Security 43
Snort Alert Modes
Example rule (placed in the Snort rules file, not typed at the shell):
alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)
Triggered, e.g., with the Windows ping syntax (-n count, -i TTL):
% ping -n 1 -i 100 192.168.1.3
Fast Mode
Full Mode
UNIX Socket Mode
No Alert Mode
Sending Alerts to Syslog
Sending Alerts to SNMP
Sending Alerts to Windows
ITEC4621: Network Security 44
Fast Mode
Logs alerts with the following information: timestamp, alert message, source/destination IP addresses and ports.
% snort -c /etc/snort/snort.conf -q -A fast
Alerts are logged in the /var/log/snort/alert file.
No port numbers are shown... why?
Does not log the initialization messages and the summary (-q, quiet).
ITEC4621: Network Security 45
Full Mode
Default alert mode. It prints the alert message and the packet header.
% snort -c /etc/snort/snort.conf -q -A full
ITEC4621: Network Security 46
Unix Socket Mode
Sends alerts to another program through a Unix socket.
% snort -c /etc/snort/snort.conf -A unsock
No Alert Mode
Completely disables Snort alerts.
% snort -c /etc/snort/snort.conf -A none
ITEC4621: Network Security 47
Running Snort in Stealth Mode
Other hosts are not able to detect the presence of the Snort machine. It is feasible in two cases:
  A stand-alone Snort sensor with only one network adapter
  A Snort sensor with 2 network adapters: one accessed from an isolated network, and the other connected to the public network and running in stealth mode
ITEC4621: Network Security 48
Running Snort in Stealth Mode (cont.)
Bring the monitoring interface up without assigning it an IP address, then run Snort on it as a daemon:
% ifconfig eth0 up
% snort -c /etc/snort/snort.conf -i eth0 -D
ITEC4621: Network Security 49
Questions?