An IDS is any combination of hardware and software that monitors a system or network for malicious activity. Examples of IDSs in real life: car alarms, fire detectors, house alarms, surveillance systems.
Polytechnic University
Introduction
Why IDS
Can be detected: mapping, port scans. The administrator can then improve network security; vigorous investigation could lead to the attackers.
There are host-based and network-based IDS systems. Focus here on network-based.
IDS sensors (figure): an application gateway firewall connects the Internet, the internal network and a demilitarized zone (Web server, FTP server, DNS server); IDS sensors are marked at several points in the figure.
False Alarms
False positive: normal traffic or a benign action triggers an alarm. Example: a fire alarm if a wrong password is entered; a benign user makes a typo.
False negative: a real attack goes undetected.
Performance: the rate at which traffic and audit events are processed. To keep up with traffic, it may not be possible to put the IDS at the network entry point; instead, place multiple IDSs downstream.
Fault tolerance: resistance to attacks. The IDS should run on a single hardened host that supports only intrusion detection services.
Timeliness: time elapsed between intrusion and detection.
Signature-based IDS
Sniff traffic on the network border router, or with multiple sensors within a LAN. Match sniffed traffic against attack signatures in a database; a signature is a set of rules pertaining to a typical intrusion activity. Simple example rule: any ICMP packet > 10,000 bytes. Another example: more than one thousand SYN packets to different ports on the same host within a second. Skilled security engineers research known attacks and put them in the database; the IDS can be configured to exclude certain signatures, and signature parameters can be modified. Warn the administrator when a signature matches: send e-mail or SMS, or send a message to the network management system.
Each packet must be compared with each signature; the IDS can get overwhelmed with processing and can miss packets.
Most common approach: fragmentation. To detect malicious activity, the IDS must capture, store, and analyze fragments. Many fragment streams are spread out over a long period of time, so the IDS must have large buffers. This requires significant memory and processing power.
Send so many fragments that the IDS system saturates; once saturated, the IDS will not be able to detect a new attack.
Fragment packets in unexpected ways, such that the IDS does not understand how to properly reassemble the attack packets.
(figure) Internet; attack system (e.g. nmap) -> attack obfuscation (fragrouter) -> IDS -> target. fragrouter fragments the flow of data, separating the attack functionality from the fragmentation functionality.
… with one fragment out of order. Complete the TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte …
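The slides above say the IDS must capture, store and analyze fragments with large buffers, that a flood of fragments can saturate it, and that fragments may arrive out of order or be shaped so the IDS reassembles them differently from the host. The following is an added example, not code from the slides or from any IDS project: a small fragment reassembler of the kind an IDS needs before signature matching. It accepts fragments in any order, raises an alert when overlapping fragments carry conflicting bytes, bounds the buffer spent per datagram, and evicts the oldest incomplete datagram when its table is full. The fragment boundaries, addresses and limits are constructed for the example.

```python
# Added example, not code from the slides or from any IDS project: a fragment
# reassembler of the kind a network IDS needs before it can match signatures.
# It accepts fragments in any order, raises an alert when two fragments overlap
# with conflicting bytes, bounds the buffer spent on incomplete datagrams, and
# evicts the oldest incomplete datagram once the table is full, so that a flood
# of fragments degrades gracefully instead of growing memory without limit.
# All fragments fed to it here are constructed sample data.
from collections import OrderedDict


class FragmentReassembler:
    def __init__(self, max_pending=64, max_bytes=8192):
        self.max_pending = max_pending   # incomplete datagrams kept at once
        self.max_bytes = max_bytes       # payload bytes buffered per datagram
        self.pending = OrderedDict()     # (src, dst, id) -> state, oldest first
        self.alerts = []                 # (kind, key, ...) tuples for the analyst
        self.evicted = 0

    def add(self, src, dst, ident, offset, more, data):
        """Feed one fragment. Return the full payload once the datagram is
        complete, otherwise None. 'more' mirrors the IP More-Fragments flag."""
        key = (src, dst, ident)
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.max_pending:
                old_key, _ = self.pending.popitem(last=False)
                self.evicted += 1
                self.alerts.append(("buffer_exhausted", old_key))
            entry = self.pending[key] = {"parts": {}, "total": None, "size": 0}
        # Compare with every stored fragment: overlapping ranges must agree.
        for off, old in entry["parts"].items():
            lo, hi = max(off, offset), min(off + len(old), offset + len(data))
            if lo < hi and old[lo - off:hi - off] != data[lo - offset:hi - offset]:
                self.alerts.append(("overlap_conflict", key, lo, hi))
        entry["size"] += len(data)
        if entry["size"] > self.max_bytes:       # refuse to buffer without bound
            del self.pending[key]
            self.alerts.append(("oversize", key))
            return None
        entry["parts"][offset] = data
        if not more:                             # last fragment fixes the length
            entry["total"] = offset + len(data)
        return self._complete(key, entry)

    def _complete(self, key, entry):
        total = entry["total"]
        if total is None:
            return None
        end = 0                                  # walk offsets looking for a gap
        for off in sorted(entry["parts"]):
            if off > end:
                return None
            end = max(end, off + len(entry["parts"][off]))
        if end < total:
            return None
        buf = bytearray(total)
        # Policy assumption: on overlap the higher-offset fragment wins. A real
        # IDS must use whatever policy the protected host's IP stack uses.
        for off in sorted(entry["parts"]):
            chunk = entry["parts"][off][:max(0, total - off)]
            buf[off:off + len(chunk)] = chunk
        del self.pending[key]
        return bytes(buf)
```

Feeding the second half of a datagram first and the first half afterwards returns the reassembled payload on the second call; a conflicting overlap is recorded in `alerts` rather than silently resolved, which is the signal an analyst wants when fragments are being shaped to confuse the sensor.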
Snort
Popular open source IDS; an enhanced sniffer; 200,000 installations. Runs on Linux, Unix, Windows; generic sniffing interface (libpcap); can easily handle 100 Mbps of traffic.
Typical setup (figure): firewall, internal network.
Signatures: written and released by the Snort community within hours; anyone can create one; the largest collection of signatures for any IDS.
Snort deployment
Hub deployment (figure): firewall, hub, internal network; the Snort sensor hangs off the hub through a unidirectional sniffing cable.
Switch deployment (figure): firewall, switch, internal network; the Snort sensor is attached to the switch's SPAN port.
Switch SPAN port: provides monitoring for the network administrator and security staff. The switch copies all traffic to the SPAN port, and you can select which switch ports get copied. This approach doesn't require introducing a new hub and needs no unidirectional cable.
Networks often have a Gbps backbone; Snort with the full rule set cannot handle all the traffic.
Solutions: put sensors on different 100 Mbps segments; or put multiple sensors on the backbone, each processing a different range of destination IP addresses.
Tempting to tune …
snort.conf
Example:
var HOME_NET 193.152.1.1/24
var EXTERNAL_NET !193.152.1.1/24
var HTTP_SERVERS 193.152.1.17
var HTTP_PORTS 80 8080
Rule generates an alert for ICMP with an empty payload, ICMP type 8, arriving from the outside. This is part of an NMAP ping.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DOS SMBdie attack"; flags:A+; content:"|57724c6568004577a|";)
Rule generates an alert if a TCP packet from outside contains |57724c6568004577a| in its payload and is headed to port 139 (NetBIOS) on some internal host. This is part of a buffer overflow attack on a computer running the Server Message Block service.
Rule generates an alert for a packet heading to the Web server with .ida? in the URL of a GET message: a buffer overflow attack that allows the attacker to take over the server.
Rule files include: ddos.rules, ftp.rules, multimedia.rules, p2p.rules, porn.rules, virus.rules.
alert tcp any any -> any any (content:"<SCRIPT>"; msg:"XSS attempt";)
Then try:
alert tcp $EX_NET any -> $HTTP_SRVS $HTTP_PRTS (content:"<SCRIPT>"; msg:"XSS attempt"; nocase;)
Rule header example: alert tcp 192.168.1.0/24 1:1024 -> 124.17.8.1 80
Rule actions: alert, log, drop
Protocol: tcp, udp, icmp
Direction: -> and <>
Source and destination port ranges are written with a colon (e.g. 1:1024)
Rule options follow the header in parentheses, separated by semicolons.
Content-related keyword examples:
content:"smtp v2"; (ASCII)
content:"|0f 65 a7 7b|"; (binary, hex bytes between pipes)
uricontent:".ida?";
content-list:"inappropriate_content.txt";
nocase;
offset:20; (start at byte 20 in payload)
depth:124; (stop at byte 124 in payload)
Flag modifiers: + alerts if the specified bit is set, in addition to at least one other; ! alerts if any of the specified bits is not set.
seq:12345432;
ack:54321234;
Response examples: msg:"christmas tree attack"; logto:"new_rule.log"; (logs the packet when a match occurs)