Intrusion Detection & Snort
Dan Fleck, PhD
[email protected]

Posted on 10-May-2018

TRANSCRIPT


Intrusion Detection
• An intrusion detection system (IDS) analyzes traffic patterns and reacts to anomalous patterns by sending out alerts.
• Note that an IDS is inherently reactive; the attack has already begun when the IDS alerts.
[Diagram: Internal LAN, Firewall, IDS]

Intrusion Detection: IDS vs IPS
[Diagram: Internal LAN, Firewall, IDS]
[Diagram: Internal LAN, Firewall, IPS (Intrusion Prevention System)]
What changes if I want to see all attempted attacks?

Firewall vs IDS vs IPS
• Firewall - A device or application that analyzes packet headers and enforces policy based on protocol type, source address, destination address, source port, and/or destination port. Packets that do not match policy are rejected.
• Intrusion Detection System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected a log message is generated detailing the event.
• Intrusion Prevention System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected the packet is rejected.
Some devices are now combining all of these functions into a single security device (Smart Firewall, NextGen Firewall, etc.). Snort can be run in IDS or IPS modes.
Source: http://security.stackexchange.com/questions/44931/difference-between-ids-and-ips-and-firewall

What do IDS detect?
• Anomaly detection: Activity that deviates from the normal behavior
• Misuse detection: Execution of code that results in break-ins
• Specification-based detection: Activity involving privileged software that is inconsistent with respect to a policy/specification
- D. Denning

Types of IDS
• Host Based IDS
  • Installed locally on machines
  • Monitoring local user activity
  • Monitoring execution of system programs
  • Monitoring local system logs
• Network IDS (NIDS)
  • Sensors are installed at strategic locations on the network
  • Monitor changes in traffic pattern / connection requests
  • Monitor users' network activity: deep packet inspection
• In this lab we're discussing NIDS

Types of NIDS
• Signature Based IDS
  • Compares incoming packets with known signatures
  • E.g. Snort, Bro, Suricata, etc.
• Anomaly Detection Systems
  • Learns the normal behavior of the system
  • Generates alerts on packets that are different from the normal behavior

Signature-based NIDS
The current standard is signature-based systems.
Problems:
• "Zero-day" attacks
• Polymorphic attacks
• Botnets: inexpensive re-usable IP addresses for attackers

Anomaly Detection NIDS
Anomaly Detection (AD) systems are capable of identifying "zero-day" attacks.
Problems:
• High false positive rates
• Labeled training data
Our Focus:
• Web applications are popular targets

transAD & STAND (GMU Research)
• transAD: TPR 90.17%, FPR 0.17%
• STAND: TPR 88.75%, FPR 0.51%
• What do you think a signature-based detector would look like (roughly)? FPR? TPR?

Attacks Detected by transAD
Type of Attack: HTTP GET Request
• Buffer Overflow: /?slide=kashdan?slide=pawloski?slide=ascoli?slide=shukla?slide=kabbani?slide=ascoli?slide=proteomics?slide=shukla?slide=shukla
• Remote File Inclusion: //forum/adminLogin.php?config[foruminstalled]=http://www.steelcitygray.com/auction/uploaded/golput/ID-RFI.txt??
• Directory Traversal: /resources/index.php?con=/../../../../../../../../etc/passwd
• Code Injection: //resources-template.php?id=38-999.9+union+select+0
• Script Attacks: /.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=********%40*********.***.***

Transduction-based Anomaly Detection
• Compares how a test packet fits with respect to the baseline
• A "strangeness" function is used for comparing the test packet
• The sum of K-nearest-neighbor distances is used as a measure of strangeness
[Diagram: test points A and B plotted against the baseline; B is stranger than A with respect to the baseline]
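The strangeness measure from this slide, as an added example that is not part of the original deck or of transAD: strangeness is the sum of the K nearest-neighbour distances, exactly as stated above, while the leave-one-out p-value, the alpha threshold and the two-feature baseline (URI length, parameter count) are assumptions of this example.

```python
import math

# Constructed baseline of "normal" HTTP requests as (URI length, number of
# query parameters); a real transAD baseline would use richer packet features.
BASELINE = [(40, 1), (52, 2), (45, 1), (60, 2), (48, 1), (55, 3), (42, 1), (58, 2)]

def strangeness(point, others, k=3):
    """Strangeness = sum of the distances to the k nearest points in `others`."""
    return sum(sorted(math.dist(point, o) for o in others)[:k])

def p_value(point, baseline, k=3):
    """Transductive p-value (an assumption here): the fraction of baseline
    points, each scored leave-one-out, that are at least as strange as the
    test point. A small p-value means the point fits the baseline badly."""
    s_test = strangeness(point, baseline, k)
    s_base = [strangeness(b, baseline[:i] + baseline[i + 1:], k)
              for i, b in enumerate(baseline)]
    return (sum(s >= s_test for s in s_base) + 1) / (len(baseline) + 1)

def is_anomalous(point, baseline, alpha=0.2, k=3):
    """Alert when the test point is stranger than nearly every baseline member."""
    return p_value(point, baseline, k) < alpha

if __name__ == "__main__":
    # Constructed test requests standing in for the slide's A and B
    for name, pt in (("A", (47, 1)), ("B", (300, 9))):
        print(name, "strangeness=%.2f" % strangeness(pt, BASELINE),
              "p=%.3f" % p_value(pt, BASELINE),
              "anomalous" if is_anomalous(pt, BASELINE) else "normal")
```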

Intrusion Detection Errors
There are two types of errors when considering any intrusion detection system.
False negatives: a genuine attack is not detected.
False positives: harmless behavior is misclassified as an attack.
Which do you think is a bigger problem?
An intrusion detection system is:
accurate: if it detects all genuine attacks;
precise: if it never reports legitimate behavior as an attack.
It is easy to make an IDS that is either accurate or precise! Why? It's hard to do both simultaneously.

Intrusion Detection Errors
An undetected attack might lead to severe problems. But frequent false alarms can lead to the system being disabled or ignored. A perfect IDS would be both accurate and precise.
• Statistically, attacks are fairly rare events.
• Most intrusion detection systems suffer from the base-rate fallacy.
• Suppose that only 1% of traffic is actually attacks, the detection accuracy of your IDS is 90%, and the false positive rate is 10%. If you have an alarm, what is the chance it's a false alarm?

Base-Rate Fallacy
Suppose that only 1% of traffic is actually attacks, the detection accuracy of your IDS is 90%, and the false positive rate is 10%. What does that mean?
• The IDS classifies an attack as an attack with probability 90% (true positive)
• The IDS classifies a valid connection as an attack with probability 10% (false positive)
What is the probability that a connection flagged as an attack is not really an attack, i.e., a false positive?
There is approximately a 92% chance that a raised alarm is false.

Equations for Base Rate Fallacy
1000 events: 990 benign, 10 attacks.
10% false alarm rate means: 99 false alarms
90% true positive rate means: 9 true alarms
P(attack | alarm) = 9 / (9 + 99) ≈ 0.08
Meaning, 92% of alarms are false alarms due to the base rate of benign traffic. This is to give you intuition about base rate; it can be done more formally using Bayes' rule.
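The base-rate calculation above carried through with Bayes' rule, as an added example that is not part of the original deck. It reproduces the slide's 1000-event numbers and, going beyond the slide, solves for the false positive rate an IDS would need before even half of its alarms are real; the function names are this example's own.

```python
from fractions import Fraction

def p_attack_given_alarm(base_rate, tpr, fpr):
    """Bayes' rule: P(attack | alarm) = P(alarm | attack) P(attack) / P(alarm)."""
    p_alarm = tpr * base_rate + fpr * (1 - base_rate)
    return tpr * base_rate / p_alarm

def alarm_breakdown(n_events, base_rate, tpr, fpr):
    """Count-based version of the slide's 1000-event worked example."""
    attacks = n_events * base_rate
    benign = n_events - attacks
    true_alarms = attacks * tpr          # attacks the IDS catches
    false_alarms = benign * fpr          # benign events it flags anyway
    return {"attacks": attacks, "benign": benign,
            "true_alarms": true_alarms, "false_alarms": false_alarms,
            "p_attack_given_alarm": true_alarms / (true_alarms + false_alarms)}

def max_fpr_for_precision(base_rate, tpr, target):
    """Largest false positive rate at which P(attack | alarm) still reaches
    `target`: solve tpr*b / (tpr*b + fpr*(1-b)) = target for fpr."""
    return tpr * base_rate * (1 - target) / (target * (1 - base_rate))

if __name__ == "__main__":
    # The slide's numbers, as exact fractions: 1% attacks, 90% TPR, 10% FPR
    b, tpr, fpr = Fraction(1, 100), Fraction(9, 10), Fraction(1, 10)
    print(alarm_breakdown(1000, b, tpr, fpr))               # 9 true, 99 false alarms
    print(float(p_attack_given_alarm(b, tpr, fpr)))          # 1/12, so ~92% of alarms are false
    # The "must be very accurate" lesson: FPR needed for half of the alarms to be real
    print(float(max_fpr_for_precision(b, tpr, Fraction(1, 2))))   # 1/110, under 1%
    for f in (Fraction(1, 10), Fraction(1, 100), Fraction(1, 1000)):
        print(f"FPR={float(f):.3f}  P(attack|alarm)={float(p_attack_given_alarm(b, tpr, f)):.3f}")
```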

Lessons
• False negatives and false positives are both bad for an IDS.
• An IDS must be very accurate or suffer from the base rate fallacy.
• An IDS with too many errors becomes useless.

Snort: Our lab
• Signature-based detection system
• 1 CPU w/ 1000 signatures can process 500 MBps (not great!)
• Getting faster in newer releases
• Can be run inline (IPS) or as a sniffer (IDS)
• First released in 1997 but still updated/maintained today
• Competitors: Suricata, Bro
• Detailed performance comparison: https://www.sans.org/reading-room/whitepapers/intrusion/open-source-ids-high-performance-shootout-35772

Snort Architecture
[Diagram]

Snort: Rules
• http://manual.snort.org/node1.html
• http://books.gigatux.nl/mirror/snortids/0596006616/snortids-CHP-7-SECT-3.html

alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; \
classtype:attempted-recon; sid:624; rev:1;)

rule header (rule options)

Snort: Rule Header
Defines "who" the rule applies to (coarsely).

alert tcp $EXTERNAL_NET any -> $HOME_NET any
(action, protocol, Src IP, Src Port, Direction, Dst IP, Dst Port)

Snort: Rule Header Actions

alert tcp $EXTERNAL_NET any -> $HOME_NET any
(action, protocol, Src IP, Src Port, Direction, Dst IP, Dst Port)

1. alert: Alerts and logs the packet when triggered.
2. log: Only logs the packet when triggered.
3. pass: Ignores or drops the packet or traffic matching.
4. activate: Alerts then activates a dynamic rule or rules.
5. dynamic: Ignores, until started by the activate rule, at which time acts as a log rule.
6. drop: Block and log the packet.
7. reject: Block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
8. sdrop: Block the packet but do not log it.

Snort: Rule Header Protocol

alert tcp $EXTERNAL_NET any -> $HOME_NET any
(action, protocol, Src IP, Src Port, Direction, Dst IP, Dst Port)

Protocols: TCP, UDP, ICMP, and IP
Future may include: ARP, IGRP, GRE, OSPF, RIP, IPX, etc.

Snort: Rule Header IP

alert tcp $EXTERNAL_NET any -> $HOME_NET any
alert tcp 192.168.1.0/24 any -> 192.168.1.0/24 1:1024
alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> 192.168.1.44
(Src IP, Src Port, Dst IP, Dst Port)

$EXTERNAL_NET is a config value set in snort.conf.
IP is specified also as dotted notation with CIDR masks. "any" is also valid.
! is the negation operator.
Multiple IP specifications can be included using square brackets [] and comma-separating. Do not add spaces!

Snort: Rule Header Port

alert tcp $EXTERNAL_NET any -> $HOME_NET any
alert tcp 192.168.1.0/24 any -> 192.168.1.0/24 1:1024
alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> 192.168.1.44
(Src IP, Src Port, Dst IP, Dst Port)

Port can be specified as:
any -- any port
1:1024 -- ports 1 to 1024 inclusive
55: -- ports 55 and higher
:55 -- ports 0 to 55 (inclusive)
Negation still works: !6000:6001 - matches any port except 6000 and 6001

Snort: Rule Header Direction

alert tcp $EXTERNAL_NET any -> $HOME_NET any
alert tcp 192.168.1.0/24 any -> 192.168.1.0/24 1:1024
alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> 192.168.1.44
(Src IP, Src Port, Dst IP, Dst Port)

Direction can be specified as:
-> From right IP/Port (source) to left IP/Port (destination)
<> Any direction
Note: <- does not exist… so the Snort rules always read consistently.

Snort: Rule Options

alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; \
classtype:attempted-recon; sid:624; rev:1;)

name:value;
msg:<sample message> - Logs message into /var/snort/log
flags:<AFPRSU210> - Matches specific TCP flags
content:<text> - Matches specified text in packet
content:|<hexadecimal>| - Matches specified hex chars
sid:<snort ID> - Unique number to identify rules easily. Your rules should use SIDs > 1,000,000
rev:<revision #> - Rule revision number
reference:<ref> - Where to get more info about the rule
gid:<generator ID> - Identifies which part of Snort generated the alert. See /etc/snort/gen-msg.map for values
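The header grammar from the IP, port and direction slides and the name:value option syntax from this slide, as an added example that is not Snort's own parser or any code from the original deck: it splits a rule into its seven header fields and its option list, and turns the port forms (any, 1:1024, 55:, :55, !6000:6001) and IP forms (CIDR, $VAR, bracketed lists, ! negation) into match predicates. The only rule it embeds is the SCAN SYN FIN rule shown above; the `variables` mapping stands in for snort.conf and is assumed to map each name to a single CIDR or "any".

```python
import ipaddress
import re

# Constructed sample: the SCAN SYN FIN rule from the slides, written with the
# backslash line continuations a rules file would use.
SCAN_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any \\\n'
             '(msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; \\\n'
             'classtype:attempted-recon; sid:624; rev:1;)')

def port_matcher(spec):
    """Predicate for a port field: any, 1:1024, 55:, :55, !6000:6001."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        lo, hi = 0, 65535
    elif ":" in spec:
        a, b = spec.split(":", 1)
        lo, hi = (int(a) if a else 0), (int(b) if b else 65535)
    else:
        lo = hi = int(spec)
    return lambda port: (lo <= port <= hi) != negate

def ip_matcher(spec, variables):
    """Predicate for an IP field: CIDR, any, $VAR, [a,b] list, ! negation.
    `variables` maps snort.conf names ($HOME_NET) to one CIDR or 'any' (assumed)."""
    negate = spec.startswith("!")
    nets = []
    for part in spec.lstrip("!").strip("[]").split(","):   # lists carry no spaces
        part = variables.get(part, part)
        nets.append(ipaddress.ip_network("0.0.0.0/0" if part == "any" else part, strict=False))
    return lambda ip: any(ipaddress.ip_address(ip) in n for n in nets) != negate

HEADER = re.compile(r"\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+([^\s(]+)\s*\((.*)\)\s*$", re.S)

def parse_rule(text):
    """Split a rule into its seven header fields and an ordered list of
    (option, value) pairs; values keep their quotes, flag-style options get ''."""
    m = HEADER.match(text.replace("\\\n", " "))   # join continuation lines
    if not m:
        raise ValueError("not a Snort rule: " + text[:40])
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for opt in re.findall(r'((?:[^;"]|"[^"]*")+);', body):  # ';' outside quotes ends an option
        name, _, value = opt.strip().partition(":")
        options.append((name, value.strip()))
    return {"action": action, "protocol": proto, "src": src, "src_port": sport,
            "direction": direction, "dst": dst, "dst_port": dport, "options": options}
```

Running `parse_rule(SCAN_RULE)` gives the header fields in the order the slides label them and the options as `[("msg", '"SCAN SYN FIN"'), ("flags", "SF"), ...]`, so a rule's sid, rev and classtype can be checked before it is dropped into local.rules.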

Snort: More Rule Options…
Read the docs.. there are MANY more options: http://manual.snort.org/node1.html

3.5 Payload Detection Rule Options: 3.5.1 content, 3.5.2 protected_content, 3.5.3 hash, 3.5.4 length, 3.5.5 nocase, 3.5.6 rawbytes, 3.5.7 depth, 3.5.8 offset, 3.5.9 distance, 3.5.10 within, 3.5.11 http_client_body, 3.5.12 http_cookie, 3.5.13 http_raw_cookie, 3.5.14 http_header, 3.5.15 http_raw_header, 3.5.16 http_method, 3.5.17 http_uri, 3.5.18 http_raw_uri, 3.5.19 http_stat_code, 3.5.20 http_stat_msg, 3.5.21 http_encode, 3.5.22 fast_pattern, 3.5.23 uricontent, 3.5.24 urilen, 3.5.25 isdataat, 3.5.26 pcre, 3.5.27 pkt_data, 3.5.28 file_data, 3.5.29 base64_decode, 3.5.30 base64_data, 3.5.31 byte_test, 3.5.32 byte_jump, 3.5.33 byte_extract, 3.5.34 ftpbounce, 3.5.35 asn1, 3.5.36 cvs, 3.5.37 dce_iface, 3.5.38 dce_opnum, 3.5.39 dce_stub_data, 3.5.40 sip_method, 3.5.41 sip_stat_code, 3.5.42 sip_header, 3.5.43 sip_body, 3.5.44 gtp_type, 3.5.45 gtp_info, 3.5.46, 3.5.47 ssl_version, 3.5.48 ssl_state, 3.5.49 Payload Detection Quick Reference

3.6 Non-Payload Detection Rule Options: 3.6.1 fragoffset, 3.6.2 ttl, 3.6.3 tos, 3.6.4 id, 3.6.5 ipopts, 3.6.6 fragbits, 3.6.7 dsize, 3.6.8 flags, 3.6.9 flow, 3.6.10 flowbits, 3.6.11 seq, 3.6.12 ack, 3.6.13 window, 3.6.14 itype, 3.6.15 icode, 3.6.16 icmp_id, 3.6.17 icmp_seq, 3.6.18 rpc, 3.6.19 ip_proto, 3.6.20 sameip, 3.6.21 stream_reassemble, 3.6.22 stream_size, 3.6.23 Non-Payload Detection Quick Reference

Snort rule examples
1. alert tcp any any -> any 21 (flow:to_server,established; \
   content:"root"; pcre:"/user\s+root/i";)

What does it do?
Looks for root user login attempts on an FTP server (port 21)

Snort: Try it out!
• Let's build two new rules to see how they work
• Rule 1: Alert if a URI is longer than 250 bytes.
• Rule 2: Alert on .edu websites that also say "university" in the page somewhere. (Because we love school!!)
Wouldn't this be more fun in IPS mode?

Snort rule examples
This is a real rule from malware-tools.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS HOIC http denial of service attack"; flow:to_server,established; content:"User-Agent|3A 20 20|Mozilla"; fast_pattern:only; http_header; content:"Referer|3A 20 20|http"; http_header; content:!"Connection: keep-alive"; nocase; detection_filter:track by_src, count 17, seconds 10; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:denial-of-service; sid:21513; rev:6;)

Snort rule examples
This is a real rule from blacklist.rules:

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain guest-access.net -Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:2;)

Snort rule examples
This is a real rule from os-windows.rules:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppsx&file.zip; file_data; content:"uuid:48fd9e68-0958-11dc-9770-9797abb443b9"; fast_pattern:only; content:"2007-05-23T15:06:10-03:00"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:26068; rev:3;)

For the lab…
• Put your rules in: /etc/snort/rules/local.rules
• The rules included in the default download are old and terrible. To really play with Snort you need a current ruleset. One place to get them is snort.org
• The nocase option is a content modifier to ignore case. Put it right after the content it should modify:

alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (sid:210; rev:3; msg:"BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; classtype:attempted-admin;)

• Remember that payload rules don't work on encrypted traffic! (SSL, etc.)
• Use "-A console" to debug alerts on the console
• Use "-k none" to disable TCP checksums

References
• http://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm#Basics
• http://www.scmagazine.com/intrusion-detection-systems/products/91/0/
• http://books.gigatux.nl/mirror/snortids/0596006616/snortids-CHP-7-SECT-3.html
• http://seclists.org/snort/2012/q3/894