
Intrusion Detection Systems

An IDS is any combination of hardware & software that monitors a system or network for malicious activity.

Examples of IDSs in real life:
- Car alarms
- Fire detectors
- House alarms
- Surveillance systems

Polytechnic University

Introduction

Why IDS

- Deep Packet Inspection
- Many organizations deploy IDS systems
  - Provide warnings to network administrator
  - Administrator can then improve network's security
  - Vigorous investigation could lead to attackers
- Can be detected:
  - Mapping: tens of thousands of packets
  - Port scans: hundreds of thousands of packets
  - TCP stack scans

There are host-based and network-based IDS systems. Focus here on network-based.


IDS sensors

[Figure: the Internet connects through an application gateway firewall to a demilitarized zone holding the Web server, FTP server and DNS server, and onward to the internal network. Legend: "= IDS sensor"; sensors are drawn on the monitored segments.]

Underlying OS needs to be hardened: stripped of unnecessary network services


False Alarms

- False positive: normal traffic or benign action triggers alarm
  - Example: fire alarm if wrong password is entered; benign user makes a typo
- False negative: alarm is not fired during attack


Efficiency of IDS system

- Accuracy: low false positive and false negative rates
- Performance: the rate at which traffic and audit events are processed
  - To keep up with traffic, may not be able to put IDS at network entry point
  - Instead, place multiple IDSs downstream
- Fault tolerance: resistance to attacks
  - Should be run on a single hardened host that supports only intrusion detection services
- Timeliness: time elapsed between intrusion and detection


Signature-based IDS

- Sniff traffic on network border router or multiple sensors within a LAN
- Match sniffed traffic with attack signatures in database
  - signature: set of rules pertaining to a typical intrusion activity
  - Simple example rule: any ICMP packet > 10,000 bytes
  - Example: more than one thousand SYN packets to different ports on same host under a second
- Skilled security engineers research known attacks; put them in database
  - Can configure IDS to exclude certain signatures; can modify signature parameters
- Warn administrator when signature matches
  - send e-mail, SMS
  - send message to network management system
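The two example rules on this slide are easy to state but differ in kind: the ICMP size rule is stateless, while the SYN rule needs per-host state over a one-second window. The following is an added example, not code from the slides or from any IDS product, showing both as a small matcher over constructed packet records. The packet field names, the detector class and the helper names are this example's own; the thresholds are the slide's.

```python
from collections import defaultdict, deque

ICMP_MAX_BYTES = 10_000       # "any ICMP packet > 10,000 bytes"
SYN_PORT_THRESHOLD = 1_000    # "more than one thousand SYN packets to different ports ..."
WINDOW_SECONDS = 1.0          # "... on same host under a second"


class SynScanDetector:
    """Sliding one-second window of SYNs per destination host, counting distinct
    destination ports so a burst of connections to one service never trips it."""

    def __init__(self, threshold=SYN_PORT_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)                          # dst_ip -> deque[(ts, port)]
        self.port_counts = defaultdict(lambda: defaultdict(int))  # dst_ip -> port -> live count

    def observe(self, ts, dst_ip, dst_port):
        """Record one SYN; return True only when this host first crosses the threshold."""
        q, counts = self.events[dst_ip], self.port_counts[dst_ip]
        while q and ts - q[0][0] >= self.window:                  # expire SYNs outside the window
            _old_ts, old_port = q.popleft()
            counts[old_port] -= 1
            if counts[old_port] == 0:
                del counts[old_port]
        before = len(counts)
        q.append((ts, dst_port))
        counts[dst_port] += 1
        return before <= self.threshold < len(counts)             # alert on the crossing, not per packet


def check_packet(pkt, syn_detector):
    """Alerts for one constructed packet dict with keys ts, proto, dst_ip, dst_port, size, flags."""
    alerts = []
    if pkt["proto"] == "icmp" and pkt["size"] > ICMP_MAX_BYTES:
        alerts.append(f"oversized ICMP ({pkt['size']} bytes) to {pkt['dst_ip']}")
    if pkt["proto"] == "tcp" and pkt["flags"] == "S":
        if syn_detector.observe(pkt["ts"], pkt["dst_ip"], pkt["dst_port"]):
            alerts.append(f"SYN scan: >{SYN_PORT_THRESHOLD} distinct ports on {pkt['dst_ip']} within 1 s")
    return alerts


def run(packets):
    """Feed packets in capture order; return every alert raised."""
    det, out = SynScanDetector(), []
    for pkt in packets:
        out.extend(check_packet(pkt, det))
    return out


def syn(ts, dst_ip, port):
    """Constructed TCP SYN record."""
    return {"ts": ts, "proto": "tcp", "dst_ip": dst_ip, "dst_port": port, "size": 60, "flags": "S"}


def sample_traffic():
    """Constructed capture: 1,200 ports probed in 0.6 s (fires), one 20,000-byte
    ping (fires), then the same 1,200 ports spread over 12 s (does not fire,
    which is the slow-scan evasion a later slide mentions)."""
    pkts = [syn(100.0 + i * 0.0005, "10.0.0.5", 1 + i) for i in range(1200)]
    pkts.append({"ts": 101.0, "proto": "icmp", "dst_ip": "10.0.0.5", "dst_port": None,
                 "size": 20_000, "flags": None})
    pkts += [syn(200.0 + i * 0.01, "10.0.0.6", 1 + i) for i in range(1200)]
    return pkts


if __name__ == "__main__":
    for a in run(sample_traffic()):
        print("ALERT:", a)
```

The detector reports the crossing of the threshold once rather than on every further packet, which is what keeps the administrator's mailbox usable; the slow scan in the sample never holds 1,000 distinct ports inside any one-second window, so the rule is silent on it, which is exactly the limitation the later evasion slide describes.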

Limitations to signature detection

- Requires previous knowledge of attack to generate accurate signature
  - Blind to unknown attacks
- Signature bases are getting larger
  - Every packet must be compared with each signature
  - IDS can get overwhelmed with processing; can miss packets


Anomaly Detection IDS

- Observe traffic during normal operation
- Create normal traffic profile
- Look for packet streams that are statistically unusual
  - e.g., inordinate percentage of ICMP packets or exponential growth in port scans/sweeps
- Doesn't rely on having previous knowledge of attack
- Research topic in security
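The three steps on this slide (observe normal traffic, build a profile, flag statistically unusual windows) and the accuracy measure from the False Alarms and Efficiency slides fit together in one small program. The following is an added example, not from the slides: it profiles two per-window features, the ICMP share and the number of distinct (host, port) targets, flags windows more than k standard deviations from the learned mean, and then counts false positives and false negatives against labelled test windows. All traffic is constructed with a seeded generator; the feature names, window size and k are this example's choices.

```python
import random
import statistics

FEATURES = ("icmp_fraction", "distinct_targets")


def summarize(window):
    """Per-window features from constructed packets (dicts with proto, dst_ip, dst_port)."""
    n = len(window)
    icmp = sum(p["proto"] == "icmp" for p in window)
    targets = {(p["dst_ip"], p["dst_port"]) for p in window}
    return {"icmp_fraction": icmp / n if n else 0.0, "distinct_targets": float(len(targets))}


def build_profile(normal_windows, min_rel_sd=0.05):
    """Mean and standard deviation per feature over normal traffic. The deviation is
    floored at a fraction of the mean so a feature that happened to be constant during
    training cannot turn every later wobble into an alarm."""
    rows = [summarize(w) for w in normal_windows]
    profile = {}
    for f in FEATURES:
        vals = [r[f] for r in rows]
        mean, sd = statistics.mean(vals), statistics.pstdev(vals)
        profile[f] = (mean, max(sd, min_rel_sd * mean, 1e-9))
    return profile


def is_anomalous(window, profile, k=4.0):
    """Flag a window when any feature is more than k standard deviations from its
    normal mean. k is the knob that trades false positives against false negatives."""
    feats = summarize(window)
    return any(abs(feats[f] - mean) / sd > k for f, (mean, sd) in profile.items())


def evaluate(windows, labels, profile, k=4.0):
    """(false positives, false negatives) over labelled test windows."""
    fp = fn = 0
    for w, malicious in zip(windows, labels):
        flagged = is_anomalous(w, profile, k)
        fp += int(flagged and not malicious)
        fn += int(malicious and not flagged)
    return fp, fn


SERVERS = ["10.0.0.10", "10.0.0.11", "10.0.0.12"]   # constructed internal hosts
PORTS = [22, 25, 53, 80, 443]


def normal_window(rng, size=1000):
    """Constructed benign window: TCP to a few servers and ports, about 2.5% ICMP."""
    pkts = []
    for _ in range(size):
        if rng.random() < 0.025:
            pkts.append({"proto": "icmp", "dst_ip": rng.choice(SERVERS), "dst_port": 0})
        else:
            pkts.append({"proto": "tcp", "dst_ip": rng.choice(SERVERS), "dst_port": rng.choice(PORTS)})
    return pkts


def icmp_flood_window(rng, size=1000):
    """Constructed anomaly: an inordinate share of ICMP (half the window)."""
    w = normal_window(rng, size)
    for p in w[: size // 2]:
        p["proto"], p["dst_port"] = "icmp", 0
    return w


def port_sweep_window(rng, size=1000):
    """Constructed anomaly: one host probed on hundreds of distinct ports."""
    w = normal_window(rng, size)
    for i, p in enumerate(w[: size // 2]):
        p["proto"], p["dst_ip"], p["dst_port"] = "tcp", SERVERS[0], 1000 + i
    return w


def demo(seed=7):
    """Train on 200 normal windows; test on 50 normal, 5 flood and 5 sweep windows."""
    rng = random.Random(seed)
    profile = build_profile([normal_window(rng) for _ in range(200)])
    test = ([normal_window(rng) for _ in range(50)] + [icmp_flood_window(rng) for _ in range(5)]
            + [port_sweep_window(rng) for _ in range(5)])
    labels = [False] * 50 + [True] * 10
    return evaluate(test, labels, profile)


if __name__ == "__main__":
    fp, fn = demo()
    print(f"false positives: {fp}  false negatives: {fn}")
```

Lowering k catches subtler anomalies at the price of more benign windows being flagged, which is the false-positive side of the trade-off; the floor on the standard deviation matters because a profile learned from too-regular training traffic otherwise treats any change at all as an attack.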


IDS evasion: spy vs. spy

- Attackers do not want to be detected by IDS
- Often attackers are intimately familiar with the popular IDS products, their weaknesses
- Idea: manipulate attack data
  - Active area of research in attack community
  - Example: port scan stretched out over long period of time, with different source IP addresses
- Most common approach: fragmentation
  - To detect malicious activity, IDS must capture, store, and analyze fragments
  - Many fragment streams spread out over long period of time
  - IDS must have large buffers
  - Requires significant memory and processing power


IDS evasion: fragmentation

- Send a flood of fragments
  - Send so many fragments that IDS system saturates. Once saturated, IDS will not be able to detect a new attack
- Fragment packets in unexpected ways
  - Such that the IDS does not understand how to properly reassemble the attack packets


IDS evasion tool: FragRouter

[Figure: attack system (e.g., nmap) -> attack obfuscation (fragrouter) -> Internet -> IDS -> target]

- Runs on Unix/Linux systems
- Provides over 35 different schemes for fragmenting flow of data
- Separates attack functionality from the fragmentation functionality

Some fragmentation types in FragRouter

- Sends data in ordered 8-byte fragments
- Sends data in ordered 24-byte fragments
- Sends data in ordered 8-byte fragments with one fragment out of order
- Complete TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte fragments
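The two fragmentation slides describe the attacker's side; the IDS side is a reassembler that must hold pieces until a datagram is complete, cope with pieces arriving out of order, and do so within a fixed amount of memory so that a flood degrades it gracefully rather than silently. The following is an added example, not code from the slides or from any IDS product: a small IPv4-style reassembler keyed on (source, destination, IP id) that tiles fragments by byte offset, ignores exact duplicates, and evicts the oldest incomplete flow when a byte budget is exceeded, counting the evictions so saturation is visible to the operator. The `Fragment` fields and all sample data are constructed for this example.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """Constructed stand-in for the IPv4 fields a reassembler keys on."""
    src: str
    dst: str
    ip_id: int
    offset: int   # byte offset of this piece within the original datagram
    more: bool    # "more fragments" flag; False marks the final piece
    data: bytes


class Reassembler:
    """Buffers fragments per (src, dst, ip_id) under a fixed byte budget."""

    def __init__(self, budget_bytes=4096):
        self.budget = budget_bytes
        self.used = 0
        self.flows = OrderedDict()   # key -> {"pieces": {offset: data}, "total": int | None}
        self.evicted = 0             # incomplete flows dropped to stay within budget

    def _evict_oldest(self):
        _key, flow = self.flows.popitem(last=False)
        self.used -= sum(len(d) for d in flow["pieces"].values())
        self.evicted += 1

    def add(self, frag):
        """Store one fragment; return the full payload once the datagram is complete."""
        key = (frag.src, frag.dst, frag.ip_id)
        flow = self.flows.setdefault(key, {"pieces": {}, "total": None})
        if frag.offset in flow["pieces"]:
            return None                        # exact duplicate: ignore
        # Make room by dropping the oldest incomplete flows first (never this one).
        while self.used + len(frag.data) > self.budget and len(self.flows) > 1:
            self._evict_oldest()
        if self.used + len(frag.data) > self.budget:
            self._evict_oldest()               # this flow alone exceeds the budget
            return None
        flow["pieces"][frag.offset] = frag.data
        self.used += len(frag.data)
        if not frag.more:
            flow["total"] = frag.offset + len(frag.data)
        return self._complete(key, flow)

    def _complete(self, key, flow):
        total = flow["total"]
        if total is None:
            return None
        covered = 0
        for off in sorted(flow["pieces"]):     # pieces must tile [0, total) with no gap
            if off > covered:
                return None
            covered = max(covered, off + len(flow["pieces"][off]))
        if covered < total:
            return None
        buf = bytearray(total)
        for off, data in sorted(flow["pieces"].items()):
            if off < total:                    # higher-offset pieces win on overlap
                buf[off:off + len(data)] = data[:total - off]
        self.used -= sum(len(d) for d in flow["pieces"].values())
        del self.flows[key]
        return bytes(buf)


def demo():
    """Constructed scenario: one 32-byte datagram in 8-byte fragments with the third
    piece arriving before the second (as in the FragRouter list above), then a flood
    of lone first fragments that never complete."""
    r = Reassembler(budget_bytes=256)
    payload = bytes(range(32))
    pieces = [payload[i:i + 8] for i in range(0, 32, 8)]
    got = None
    for idx in (0, 2, 1, 3):
        out = r.add(Fragment("10.0.0.1", "10.0.0.9", 7, idx * 8, idx != 3, pieces[idx]))
        got = out if out is not None else got
    for i in range(100):    # 100 flows of 8 bytes; the budget holds 32, so 68 are evicted
        r.add(Fragment("10.0.0.2", "10.0.0.9", 1000 + i, 0, True, b"\x00" * 8))
    return got, r.evicted, len(r.flows)


if __name__ == "__main__":
    got, evicted, pending = demo()
    print(f"reassembled {len(got)} bytes; evicted {evicted} flows; {pending} still buffered")
```

The overlap policy in `_complete` (higher offsets overwrite) is a deliberate choice and is where "fragment packets in unexpected ways" bites: if the IDS and the target host resolve overlaps differently, the two see different payloads, so a sensor should resolve overlaps the way the hosts it protects do. The eviction counter is the operational signal for the flood case on the previous slide: a rising `evicted` count tells the administrator the sensor is saturated rather than quietly blind.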


Snort

- Popular open source IDS
  - Good book: Intrusion Detection with Snort, by Jack Koziol
- Enhanced sniffer
  - 200,000 installations
  - Runs on Linux, Unix, Windows
  - Generic sniffing interface: libpcap
  - Can easily handle 100 Mbps of traffic
- Signatures
  - Written and released by Snort community within hours
  - Anyone can create
  - Largest collection of signatures for IDS

[Figure: typical setup. Firewall -> hub -> internal network, with the snort sensor attached to the hub.]

Snort deployment

[Figure: two deployments. Left: firewall -> hub -> internal network, with the snort sensor attached to the hub by a unidirectional sniffing cable. Right: firewall -> switch -> internal network, with the snort sensor on the switch's SPAN port.]

- Switch SPAN port: provides monitoring for net admin & security
  - switch copies all traffic to SPAN port
  - can select which switch ports get copied
  - approach doesn't require intro of new hub
  - no need for unidirectional cable


Distributing traffic to multiple sensors

- Large organizations often have Gbps backbone
  - Snort with full rule set cannot handle all traffic
  - Packets can get dropped; attacks go undetected
- Solutions:
  - Put sensors on different 100 Mbps segments
  - Or, multiple sensors on backbone; each sensor processes different range of destination IP addresses
- Tempting to tune Snort by trimming rules



snort.conf

Example:

    var HOME_NET 193.152.1.1/24
    var EXTERNAL_NET !193.152.1.1/24
    var HTTP_SERVERS 193.152.1.17
    var HTTP_PORTS 80 8080


Snort rule examples

    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8;)

Rule generates alert for ICMP having empty payload, ICMP type 8, and arriving from the outside. This is part of an NMAP ping.

    alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DOS SMBdie attack"; flags:A+; content:"|57724c6568004577a|";)

Rule generates alert if a TCP packet from outside contains |57724c6568004577a| in payload and is headed to port 139 (netbios) for some internal host. This is part of a buffer overflow attack on a computer running Server Message Block Service.


Snort rule examples (2)

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+;)

Rule generates alert for packet heading to Web server with .ida? in URL in GET message. Buffer overflow attack that allows attacker to take over server.


Snort rule files

- chat.rules
- ddos.rules
- ftp.rules
- multimedia.rules
- p2p.rules
- porn.rules
- virus.rules


Snort Rule Writing

Example: Cross-site scripting (XSS): Web site allows scripts to be inserted into dynamically created Web page. Can wreak havoc. Look out for HTTP requests containing <SCRIPT>.

Might first try:

    alert tcp any any -> any any (content:"<SCRIPT>"; msg:"XSS attempt";)

- triggers many false positives: e.g., e-mail message with JavaScript

Then try:

    alert tcp $EX_NET any -> $HTTP_SRVS $HTTP_PRTS (content:"<SCRIPT>"; msg:"XSS attempt"; nocase;)


Snort Rule Syntax

- Rule is a single line
- Rule header: everything before parenthesis
- Rule option: what's in the parenthesis

Syntax for rule header:

    rule_action protocol src_add_range src_prt_range dir_operator dest_add_range dest_prt_range

Example:

    alert tcp 192.168.1/24 1:1024 -> 124.17.8.1 80

- rule actions: alert, log, drop
- protocol: tcp, udp, icmp
- direction: -> and <>
- src, dest port ranges: written low:high, as in 1:1024 above

Snort Rule Syntax (2)

Syntax for rule option: one or more option keywords separated by semi-colons

Example:

    (msg:"XSS attempt"; content:"<SCRIPT>"; nocase;)

Content-related keyword examples:
- content:"smtp v2"; (ascii)
- content:"|0f 65 a7 7b|"; (binary)
- uricontent:".ida?";
- content-list:"inappropriate_content.txt";
- nocase;
- offset:20; (start at byte 20 in payload)
- depth:124; (stop at byte 124 in payload)


Snort Rule Syntax (3)

IP-related keyword examples:
- ttl:<5;
- id:2345; (id field, used for fragments)
- fragoffset:0;
- dsize:>500; (payload size)
- ip_proto:7;

ICMP-related keyword examples:
- itype:8;
- icode:3;

Snort Rule Syntax (4)

TCP-related rules:
- flags:A+; (ACK flag)
- flags:FUP; (FIN, Urgent, or Push flag)
  - + alert if specified bit is discovered, in addition to at least one other
  - ! alert if any of the specified bits is not set
- seq:12345432;
- ack:54321234;

Response examples:
- msg:"christmas tree attack";
- logto:"new_rule.log"; logs packet when match occurs
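The snort.conf variables, the rule examples, the XSS rule-writing exercise and the four syntax slides describe one small language: a header of seven fields followed by semicolon-separated options. The following is an added example, not Snort's code and not from the slides, of a matcher for exactly the subset those slides cover: it reads `var` lines, expands `$VAR` references, evaluates address and port fields (including `!` negation, `low:high` ranges and the space-separated port list from snort.conf), and checks the `content`, `uricontent`, `nocase`, `dsize`, `itype` and `flags` options against constructed packets. The rules are the slides' own; the packet dictionary layout, the `uri` field (standing in for what an HTTP preprocessor would extract) and the simplifications noted in comments are this example's.

```python
import ipaddress
import re

# Constructed snort.conf variables (values taken from the slides) and the slides' rules.
CONF = """var HOME_NET 193.152.1.1/24
var EXTERNAL_NET !193.152.1.1/24
var HTTP_SERVERS 193.152.1.17
var HTTP_PORTS 80 8080"""
RULES = [
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; '
    'uricontent:".ida?"; nocase; dsize:>239; flags:A+;)',
    'alert tcp any any -> any any (content:"<SCRIPT>"; msg:"XSS attempt";)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (content:"<SCRIPT>"; msg:"XSS attempt"; nocase;)',
]
OPT_RE = re.compile(r'\s*([\w-]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')  # keyword[:value];

def parse_vars(conf):
    """Read 'var NAME value' lines into a dict."""
    return dict(re.findall(r"^var\s+(\w+)\s+(.+?)\s*$", conf, re.M))

def addr_match(spec, ip, vars_):
    spec = vars_.get(spec[1:], spec) if spec.startswith("$") else spec
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)  # accepts 193.152.1.1/24
    return (ipaddress.ip_address(ip) in net) != negate

def port_match(spec, port, vars_):
    """'any', one port, a low:high range (as in the header example), or a space-separated list."""
    spec = vars_.get(spec[1:], spec) if spec.startswith("$") else spec
    if spec == "any":
        return True
    for item in spec.split():
        lo, sep, hi = item.partition(":")
        lo, hi = (int(lo) if lo else 0), (int(hi) if hi else (65535 if sep else int(lo)))
        if lo <= port <= hi:
            return True
    return False

def content_bytes(value):
    """Snort content string to bytes: literal text, with |..| sections read as hex."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(value.split("|")))

def flags_match(spec, have):
    want, have = set(spec.strip("+!")), set(have)
    if spec.endswith("+"):    # specified bits set, plus at least one other
        return have > want
    if spec.startswith("!"):  # some specified bit is not set (the slide's reading of !)
        return not want <= have
    return want == have       # exactly the specified bits

def parse_rule(rule):
    """Header = everything before '('; options = keyword/value pairs inside it."""
    header, _, opts = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = [(k, v.strip().strip('"')) for k, v in OPT_RE.findall(opts.rstrip(")"))]
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, options=options)

def rule_fires(r, pkt, vars_):
    """Header first, then options. Simplifications: only the -> direction is handled,
    and nocase applies to every content/uricontent in the rule."""
    if r["proto"] != pkt["proto"] or not (
            addr_match(r["src"], pkt["src"], vars_) and port_match(r["sport"], pkt["sport"], vars_)
            and addr_match(r["dst"], pkt["dst"], vars_) and port_match(r["dport"], pkt["dport"], vars_)):
        return False
    fold = (lambda s: s.lower()) if ("nocase", "") in r["options"] else (lambda s: s)
    payload, uri, n = pkt.get("payload", b""), pkt.get("uri", ""), len(pkt.get("payload", b""))
    for key, val in r["options"]:
        if key == "content" and fold(content_bytes(val)) not in fold(payload):
            return False
        if key == "uricontent" and fold(val) not in fold(uri):
            return False
        if key == "dsize":    # operand forms on the slides: 0, >239, <5
            op, num = (val[0], int(val[1:])) if val[0] in "<>" else ("=", int(val))
            if not ((op == ">" and n > num) or (op == "<" and n < num) or (op == "=" and n == num)):
                return False
        if key == "itype" and pkt.get("itype") != int(val):
            return False
        if key == "flags" and not flags_match(val, pkt.get("flags", "")):
            return False
    return True

def match(rules, vars_, pkt):
    """(rule index, msg) for every rule that fires on one packet."""
    return [(i, dict(r["options"]).get("msg", "")) for i, r in enumerate(rules) if rule_fires(r, pkt, vars_)]

# Constructed packets; 'uri' stands in for the URI an HTTP preprocessor would have extracted.
PACKETS = {
    "nmap_ping": dict(proto="icmp", src="8.8.4.4", dst="193.152.1.17", sport=0, dport=0, itype=8, payload=b""),
    "ida_probe": dict(proto="tcp", src="8.8.4.4", dst="193.152.1.17", sport=40000, dport=80, flags="AP",
                      uri="/default.IDA?" + "N" * 240, payload=b"GET /default.IDA?" + b"N" * 240 + b" HTTP/1.0\r\n"),
    "mail_with_js": dict(proto="tcp", src="8.8.4.4", dst="193.152.1.5", sport=40000, dport=25, flags="AP",
                         payload=b"Subject: hi\r\n\r\n<SCRIPT>alert(1)</SCRIPT>"),  # benign mail: false positive for rule 3
    "web_xss": dict(proto="tcp", src="8.8.4.4", dst="193.152.1.17", sport=40001, dport=8080, flags="AP",
                    uri="/search?q=<script>", payload=b"GET /search?q=<script> HTTP/1.0\r\n"),
}

if __name__ == "__main__":
    vars_, rules = parse_vars(CONF), [parse_rule(r) for r in RULES]
    print({name: match(rules, vars_, pkt) for name, pkt in PACKETS.items()})
```

Running it reproduces the point of the rule-writing slide: the broad `any any -> any any` rule fires on the e-mail carrying `<SCRIPT>` (a false positive) and misses the lowercase `<script>` sent to the Web server (a false negative), while the rule restricted to `$HTTP_SERVERS $HTTP_PORTS` with `nocase` does the opposite. Note that `ipaddress.ip_network` needs `strict=False` to accept the slides' host-style `193.152.1.1/24`; a stricter parser would reject that snort.conf line outright.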
