Lecture 10: Intrusion Detection Systems

Supakorn Kungpisdan, Ph.D. (supakorn@mut.ac.th)

ITEC4621: Network Security

Outline

• Intrusion Detection System (IDS)
• IDS Types
• Signature-based vs. Statistical Anomaly-based IDS
• Snort

Intrusion Detection System

• Software, hardware, or a combination of both, used to detect intruder activity
• An IDS analyses network traffic to look for evidence of attack, scanning access logs and analysing the characteristics of files for signs of compromise
• An IDS only tells us that something wrong has occurred; it does not prevent attacks

Definitions

• Network IDS (NIDS): an IDS that captures data packets travelling on the network media and matches them against a database of signatures
• Host IDS (HIDS): an IDS installed as an agent on a host. It looks into system and application log files to detect intruder activity.
  - Reactive: sends non-real-time alerts
  - Proactive: sends real-time alerts
• Signatures: patterns that you look for inside a data packet, used to detect one or more types of attacks

Definitions (cont'd)

• Alerts: user notification of intruder activity, e.g. pop-up windows, logging to a console, sending emails
• Logs: files containing the activities in the system or network. Logs are saved to files; Snort saves messages under the /var/log/snort directory by default.
• False alarms: alerts generated by an indication that is not intruder activity
• Sensors: the machine on which an IDS runs, used to "sense" the network


IDS Overview


IDS Overview (cont.)

Roadmap

• Intrusion Detection System (IDS)
• IDS Types
• Signature-based vs. Statistical Anomaly-based IDS
• Snort

IDS Types

• Network Intrusion Detection System (NIDS)
• System Integrity Verifier (SIV)
• Log File Monitor (LFM)
• Honeypot
• Host Intrusion Detection System (HIDS)

NIDS

• A machine running IDS software connects to a hub, switch, or router
• Analyses network packets to determine whether an attacker is trying to break into the system
• A NIDS captures all passing packets on the network, like a network analyser
• The system compares the packets with known attack patterns (signatures)
• E.g. Snort

NIDS (cont.)

• For example:
  1. The NIDS notices that a host is sending SYN packets without attempting to complete the connection
  2. The NIDS identifies it as a SYN attack and takes appropriate action
• A NIDS consists of two parts:
  - Sensor: captures and analyses the traffic
  - Console: manages the sensors and runs all reports
• A NIDS logs all traffic, requires a huge amount of disk space, and needs a dedicated machine
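The two-step SYN example above can be written as a small stateful check. The following is an added example and not part of the lecture or of any NIDS product: it keeps a per-source count of SYN packets that were never followed by an ACK from the same source and flags sources whose count reaches a threshold. The packet records and addresses are constructed for the demonstration.

```python
# Added example (not from the lecture slides): a minimal stateful check for the
# SYN-attack indication described on the slide, i.e. a host that keeps sending
# SYN packets without completing the TCP handshake. Packet records are
# constructed tuples, not real captures.
from collections import defaultdict

# Constructed sample of TCP control packets: (src_ip, dst_ip, dst_port, flags)
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.80", 80, "SYN"),
    ("10.0.0.5", "10.0.0.80", 80, "ACK"),      # 10.0.0.5 completes its handshake
    ("203.0.113.9", "10.0.0.80", 80, "SYN"),
    ("203.0.113.9", "10.0.0.80", 80, "SYN"),
    ("203.0.113.9", "10.0.0.80", 80, "SYN"),
    ("203.0.113.9", "10.0.0.80", 80, "SYN"),
    ("203.0.113.9", "10.0.0.80", 80, "SYN"),   # never sends an ACK
]


def half_open_counts(packets):
    """Count, per source host, how many SYNs were not followed by an ACK.

    A SYN from a source increments its pending counter; an ACK from the same
    source decrements it (floored at zero, so data ACKs after a completed
    handshake do not drive the counter negative).
    """
    pending = defaultdict(int)
    for src, _dst, _port, flags in packets:
        if flags == "SYN":
            pending[src] += 1
        elif flags == "ACK" and pending[src] > 0:
            pending[src] -= 1
    return dict(pending)


def syn_attack_sources(packets, threshold=3):
    """Return the sources whose half-open SYN count reaches the threshold."""
    return sorted(src for src, n in half_open_counts(packets).items()
                  if n >= threshold)


if __name__ == "__main__":
    for src in syn_attack_sources(SAMPLE_PACKETS):
        print(f"ALERT possible SYN attack from {src}")
```

A real sensor would age out pending entries over time and track the destination as well, so that a legitimately busy client is not confused with a flood; the threshold is the knob that trades false alarms against missed attacks.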

System Integrity Verifier

• Also known as a "file system IDS"
• Important because a firewall can be broken through and a NIDS cannot detect a new kind of attack
• An SIV creates signatures of all critical system files and regularly re-compares the signatures with the actual files
• A rootkit, a type of Trojan, is a collection of utilities, often masquerading as legitimate administrative programs, that allows an attacker to gain continued remote control of a system without being detected
• The most popular SIV is Tripwire

Log File Monitor

• Steps to create a log file monitoring plan:
  1. Determine what information you need out of your system
  2. Locate the logs that contain that information
  3. Define what types of entries will trigger alerts
• E.g. Swatch

Looking for Unusual Activities

• Users logging in at strange hours
• Unexplained reboots
• Unexplained changes to the system clock
• Unusual error messages from the mailer, FTP daemon, or other network servers
• Failed login attempts with bad passwords
• Unauthorized or suspicious use of the su command
• Users logging in from unfamiliar sites on the network
• Etc.
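The three-step monitoring plan and the list of unusual activities above can be combined into one small monitor. This is an added example, not part of the lecture and not Swatch: the information wanted is login activity, the log is a syslog-style authentication log, and the entry types that trigger alerts are failed logins, logins at odd hours, logins from unfamiliar addresses, and use of su. The log lines, host name, user names and the "familiar" network prefix are all constructed assumptions.

```python
# Added example (not from the lecture, not Swatch): a small log file monitor
# that scans constructed syslog-style auth lines for the entry types the
# slide lists and returns one alert tuple per triggering entry.
import re

# Constructed sample lines (hypothetical host, users and addresses).
SAMPLE_LOG = """\
Mar  3 09:12:01 srv1 sshd[2210]: Accepted password for alice from 10.0.0.15 port 51022 ssh2
Mar  3 09:13:44 srv1 sshd[2231]: Failed password for bob from 10.0.0.15 port 51030 ssh2
Mar  3 09:13:49 srv1 sshd[2231]: Failed password for bob from 10.0.0.15 port 51030 ssh2
Mar  3 03:02:10 srv1 sshd[2402]: Accepted password for carol from 198.51.100.7 port 40110 ssh2
Mar  3 03:05:31 srv1 su: (to root) carol on pts/1
Mar  3 10:40:00 srv1 sshd[2500]: Accepted publickey for alice from 10.0.0.15 port 51100 ssh2
"""

KNOWN_NETWORKS = ("10.0.0.",)   # assumption: addresses we consider familiar
WORK_HOURS = range(7, 20)       # assumption: 07:00-19:59 is a normal hour

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>\S+)")
SU_RE = re.compile(r"su: \(to (?P<target>\S+)\) (?P<user>\S+)")


def parse_line(line):
    """Split a syslog line into hour, host and message; None if not syslog-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"hour": int(m["time"][:2]), "host": m["host"], "msg": m["msg"]}


def alerts_for(entry):
    """Return the (alert_type, detail) tuples triggered by one parsed entry."""
    found = []
    login = LOGIN_RE.search(entry["msg"])
    if login:
        if login["result"] == "Failed":
            found.append(("failed_login", login["user"]))
        else:
            if entry["hour"] not in WORK_HOURS:
                found.append(("odd_hour_login", login["user"]))
            if not login["ip"].startswith(KNOWN_NETWORKS):
                found.append(("unfamiliar_source", login["ip"]))
    su = SU_RE.search(entry["msg"])
    if su:
        found.append(("su_used", f"{su['user']}->{su['target']}"))
    return found


def monitor(text):
    """Run every line of a log text through the alert rules."""
    alerts = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            alerts.extend(alerts_for(entry))
    return alerts


if __name__ == "__main__":
    for kind, detail in monitor(SAMPLE_LOG):
        print(f"ALERT {kind}: {detail}")
```

Because the monitor reads the log after the fact, it inherits the HIDS weakness discussed later in the lecture: an attacker who edits the local log removes the evidence, so the monitor should read a copy forwarded to a remote log host.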

Honeypot

• A series of resources that are meant to be probed, attacked, or compromised
• Has false services with well-known vulnerabilities
• Used to attract attackers and distract them from an actual system
• Used to mislead an attacker or to understand his methods (research honeypot)
• Advantages:
  - Gathers data on how and what an attacker does in the system
  - Optimizes resources, as the attacker hits the honeypot, not the firewall or NIDS
• Disadvantages:
  - Useless if the attacker is not interested
  - The system will be broken into if the honeypot is not properly configured -> do not install a honeypot unless you are sure how to install, monitor, and maintain it!!!
• Visit http://project.honeynet.org

Host-based IDS

• An IDS that runs on a single server, controlling traffic within a collision domain
• Functions like a virus scanner
• When suspicious activity is detected, e.g. deleting important files, the IDS attempts to terminate the attacking session and sends an alert to the system admin

Flaws of HIDS

• Most HIDSs can monitor only specific types of systems, e.g. a web server
• A HIDS runs on the system you need to protect, so an attacker who finds a way to disable the IDS before making any changes to your system goes unnoticed
• Before leaving the system, an attacker usually cleans all traces of activity out of the log files. It is suggested to forward a copy of all log files to a remote system.

Roadmap

• Intrusion Detection System (IDS)
• IDS Types
• Signature-based vs. Statistical Anomaly-based IDS
• Snort

Knowledge- or Signature-based IDS

• Most popular
• Detection is based on signatures
• A signature is developed from how the attack is carried out
• Any action that is not recognized as an attack is considered acceptable
• E.g. a packet that has the same source and destination IP address is the signature of a "Land Attack"
• Weak against new types of attacks; the software needs regular updating with new signatures

Statistical Anomaly-based IDS

• Also known as behaviour-based IDS
• Does not use signatures
• Put in a learning mode to build a profile of an environment's "normal" activities
• The longer the IDS is left in learning mode, in most instances, the more accurate a profile it will build and the better protection it will provide
• Statistically, the IDS looks for anomalies in the network traffic or user activity
• Anything that does not match the profile is seen as an attack
• Each packet is given an anomaly score. If the score is higher than the threshold, it is considered an attack
• Can detect "0-day" attacks
• May produce false alerts
• Need to ensure that no attack activity is underway during the learning mode
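The learning mode, anomaly score and threshold from the slide, as an added example that is not part of the lecture and is not any product's algorithm: the profile is the mean and standard deviation of payload length per destination port, learned from constructed "normal" packets; the anomaly score of a packet is its distance from the mean in standard deviations; a score above the threshold is an alert. The example also runs the learning phase on traffic that already contains the attack, to show why the slide insists the learning set must be attack-free.

```python
# Added example (not from the lecture): a toy statistical anomaly detector.
# Learning mode builds a per-destination-port profile (mean, standard deviation
# of payload length) from constructed "normal" packets; detection mode scores
# each packet by its distance from the profile and flags scores above a threshold.
import math
from collections import defaultdict

# Constructed packets: (dst_port, payload_length), assumed attack-free.
NORMAL_TRAFFIC = ([(80, n) for n in (300, 320, 310, 290, 330, 305, 315, 295)]
                  + [(53, n) for n in (40, 45, 38, 42, 44, 41)])


def learn_profile(packets):
    """Learning mode: per port, the mean and standard deviation of payload length."""
    by_port = defaultdict(list)
    for port, length in packets:
        by_port[port].append(length)
    profile = {}
    for port, lengths in by_port.items():
        mean = sum(lengths) / len(lengths)
        var = sum((x - mean) ** 2 for x in lengths) / len(lengths)
        # Floor the deviation at 1 byte so a constant-size service cannot divide by zero.
        profile[port] = (mean, max(math.sqrt(var), 1.0))
    return profile


def anomaly_score(profile, packet):
    """Distance of the packet from the learned profile, in standard deviations."""
    port, length = packet
    if port not in profile:
        return math.inf   # a service never seen during learning is maximally anomalous
    mean, std = profile[port]
    return abs(length - mean) / std


def detect(profile, packets, threshold=3.0):
    """Detection mode: return the packets whose score exceeds the threshold."""
    return [p for p in packets if anomaly_score(profile, p) > threshold]


def poisoned_learning_hides_attack(attack=(80, 1500), copies=4):
    """Show the slide's caveat: learning on traffic that contains the attack
    widens the profile until the same attack packet scores as normal."""
    clean = detect(learn_profile(NORMAL_TRAFFIC), [attack])
    poisoned = detect(learn_profile(NORMAL_TRAFFIC + [attack] * copies), [attack])
    return bool(clean), bool(poisoned)   # (flagged with clean profile, flagged with poisoned profile)


if __name__ == "__main__":
    profile = learn_profile(NORMAL_TRAFFIC)
    for pkt in [(80, 312), (80, 1500), (23, 10)]:
        print(pkt, round(anomaly_score(profile, pkt), 2), "ALERT" if detect(profile, [pkt]) else "ok")
    print("clean/poisoned flagged:", poisoned_learning_hides_attack())
```

The threshold of three standard deviations is an arbitrary choice; lowering it catches subtler deviations at the cost of the false alerts the slide warns about, and a per-port profile is only one of many feature choices a real behaviour-based IDS would use.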

Roadmap

• Intrusion Detection System (IDS)
• IDS Types
• Signature-based vs. Statistical Anomaly-based IDS
• Snort

Snort

• Snort can sniff packets, log packets, and detect network intrusions
• Types of Snort alerts:
  - Full: default, displays all information
  - Fast: timestamp, message, source and destination IPs and port numbers
  - Socket: sends the alert to a UNIX socket (another program on the same machine can record the alerts)
  - Syslog: sends the alert to the syslog daemon
  - Smb: uses Samba to send a pop-up message to Windows machines
  - None: generates no alerts


Snort

Snort Components

• Packet decoder: prepares packets from different interfaces to be preprocessed or sent to the detection engine
• Preprocessors: arrange or modify packets before they are analysed by the detection engine
• Detection engine: detects whether any intrusion activity exists in a packet; this is where the Snort rules are applied
• Logging and alert system: may log the activity or generate an alert
• Output modules: control the type of output generated by the logging and alert system:
  - Log to /var/log/snort/alerts
  - Send messages to the syslog facility
  - Log to databases, e.g. MySQL or Oracle
  - Generate XML output
  - Etc.


Components of an IDS

Snort Rules

alert tcp any any -> 10.0.0.0/8 22 (msg:"ssh login";)

Rule header fields annotated on the slide:
• Action: alert, log, or pass
• Protocol: tcp, udp, icmp, or ip
• Source IP and source port, the direction operator, then destination IP and destination port
• Port examples: 22, !22 (any port except 22)
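To make the rule header and the signature idea from the "Knowledge- or Signature-based IDS" slide concrete, here is an added example that is not part of the lecture and is not Snort's own parser. It evaluates the subset of Snort rule syntax the slides show: the header (action, protocol, source and destination address and port with "any", CIDR and "!" negation, the "->" direction) plus the msg, ttl and sameip options, where sameip expresses the Land-attack signature (same source and destination address). The packets are constructed dictionaries.

```python
# Added example (not from the lecture and not Snort's own code): a small
# evaluator for the subset of Snort rule syntax shown on the slides, run over
# constructed packet records.
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")


def parse_rule(text):
    """Parse one rule into header fields plus an options dict (msg, ttl, sameip)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    rule = m.groupdict()
    opts = {}
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"') or True   # bare options (sameip) become True
    rule["options"] = opts
    return rule


def _match_addr(spec, ip):
    """Address spec: any, a host, or a CIDR block, each optionally prefixed by !."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _match_port(spec, port):
    """Port spec: any, a single port, or !port."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    return (int(spec.lstrip("!")) == port) != negate


def rule_matches(rule, pkt):
    """True if the packet satisfies the rule header and the supported options."""
    proto_ok = rule["proto"] == "ip" or rule["proto"] == pkt["proto"]
    if not (proto_ok and _match_addr(rule["src"], pkt["src"])
            and _match_addr(rule["dst"], pkt["dst"])):
        return False
    # ICMP has no ports, so port specs are only applied to TCP and UDP packets.
    if pkt["proto"] in ("tcp", "udp"):
        if not (_match_port(rule["sport"], pkt["sport"])
                and _match_port(rule["dport"], pkt["dport"])):
            return False
    opts = rule["options"]
    if "ttl" in opts and pkt.get("ttl") != int(opts["ttl"]):
        return False
    if "sameip" in opts and pkt["src"] != pkt["dst"]:
        return False
    return True


def run_rules(rules, packets):
    """Return (msg, packet) for every alert-action rule that matches a packet."""
    parsed = [parse_rule(r) for r in rules]
    return [(rule["options"].get("msg", ""), pkt)
            for pkt in packets for rule in parsed
            if rule["action"] == "alert" and rule_matches(rule, pkt)]


# The two rules from the slides plus a Land-attack signature written with sameip.
RULES = [
    'alert tcp any any -> 10.0.0.0/8 22 (msg:"ssh login";)',
    'alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)',
    'alert ip any any -> any any (msg:"Land attack"; sameip;)',
]
# Constructed packets (hypothetical addresses).
PACKETS = [
    {"proto": "tcp", "src": "192.0.2.7", "sport": 40001, "dst": "10.1.2.3", "dport": 22, "ttl": 64},
    {"proto": "tcp", "src": "192.0.2.7", "sport": 40002, "dst": "10.1.2.3", "dport": 80, "ttl": 64},
    {"proto": "icmp", "src": "192.168.1.5", "dst": "192.168.1.3", "ttl": 100},
    {"proto": "tcp", "src": "10.1.2.3", "sport": 139, "dst": "10.1.2.3", "dport": 139, "ttl": 128},
]


def alert_messages(rules=RULES, packets=PACKETS):
    """The msg text of each alert raised, in packet order."""
    return [msg for msg, _pkt in run_rules(rules, packets)]


if __name__ == "__main__":
    for msg, pkt in run_rules(RULES, PACKETS):
        print(f"[**] {msg} [**] {pkt['src']} -> {pkt['dst']}")
```

The point the slide makes about signature-based detection is visible here: the second packet (port 80) raises nothing because no rule describes it, so a new attack on a service without a rule is "considered acceptable" until a signature is written for it.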


Snort Alert Example

An attacker changes source ports in every packet to scan port 21 on target machines to avoid detection

Where to Place Snort

• Snort consists of a console and sensors
• There can be more than one sensor monitoring traffic and sending data to the console
• NIDS sensors run without an IP address bound to the interface on the public network segment
• An IP address is configured only on the network card that connects the sensor to the console, so the sensor is invisible to the public network segment


Where to Place Snort (cont.)


Dealing with Switches


Dealing with Switches (cont.)


Dealing with Switches (cont.)

How to Protect the IDS Itself

• Do not run any services on the IDS sensor
• Patch the IDS with the latest releases
• Configure the IDS not to respond to ping packets
• On Linux, use iptables to block any unwanted data
• Use the IDS machine only as necessary, including creating user accounts only as necessary
• Configure Snort in stealth mode with no IP interface

Modes of Operation

• Sniffer mode
• Packet logger mode
• Network Intrusion Detection System (NIDS) mode

Snort Sniffer Mode

• Almost similar to tcpdump, but provides more details about how packets are analysed
• It provides a network traffic summary at the end of the capture
• To use Snort in sniffer mode, type:
  % snort -v
• To sniff payloads, use the combination of the -v and -d flags as follows:
  % snort -vd
• To see more details about data-link layer headers, use the combination of the -v, -d, and -e flags:
  % snort -vde

Available Flags in Sniffer Mode

• -v : dump packets to standard output (shows the result on screen); displays TCP, UDP, and ICMP information
• -d : dump packet payloads
• -a : display ARP packets
• -e : display link-layer data and display data in ASCII format
• The above flags can be run individually or in combination with each other


Snort -v


Snort -dv


Snort -dev

Snort Packet Logger Mode

• This mode logs the results from running Snort into a log file. You can use the -d, -a, and -e options to control the amount of information logged for each packet.
  % snort -l /var/log/snort -d
• Snort can log packets in binary format, readable by Snort, tcpdump, or Ethereal. This greatly increases the speed and portability of the packet capture.
  % snort -b -l /usr/local/log/snort
• To read the log file using Snort, type the following command:
  % snort -r /usr/local/log/snort

Logging Traffic on Multiple Interfaces

• To listen on multiple interfaces, run one Snort instance per interface:
  % snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort0
  % snort -c /etc/snort/snort.conf -i eth1 -l /var/log/snort1

Snort NIDS Mode

• Snort applies rules to all captured packets. If a packet matches a rule, it is logged or an alert is generated.
  % snort -c /etc/snort/snort.conf
  % snort -dev -l /var/log/snort -c /etc/snort/snort.conf

Snort Alert Modes

• Example rule, and a command that sends a packet matching it:
  alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)
  % ping -n 1 -i 100 192.168.1.3
• Fast mode
• Full mode
• UNIX socket mode
• No-alert mode
• Sending alerts to syslog
• Sending alerts to SNMP
• Sending alerts to Windows

Fast Mode

• Logs alerts with the following information:
  - Timestamp
  - Alert message
  - Source/destination IP addresses and ports
  % snort -c /etc/snort/snort.conf -q -A fast
• Alerts are logged in the /var/log/snort/alert file
• No port numbers are shown... why?
• Quiet mode (-q) does not log the initialization messages and the summary

Full Mode

• Default alert mode. It prints the alert message and the packet header.
  % snort -c /etc/snort/snort.conf -q -A full

UNIX Socket Mode

• Sends alerts to another program through a UNIX socket
  % snort -c /etc/snort/snort.conf -A unsock

No Alert Mode

• Completely disables Snort
  % snort -c /etc/snort/snort.conf -A none

Running Snort in Stealth Mode

• Other hosts are not able to detect the presence of the Snort machine
• It is feasible in two cases:
  - A stand-alone Snort sensor with only one network adapter
  - A Snort sensor with two network adapters: one accessed from an isolated network and the other connected to the public network and running in stealth mode

Running Snort in Stealth Mode (cont.)

• Bring the monitoring interface up without assigning it an IP address, then start Snort on it as a daemon:
  % ifconfig eth0 up
  % snort -c /etc/snort/snort.conf -i eth0 -D


Questions?