Intrusion Detection & Snort (George Mason University)
Dan Fleck, [email protected]
Intrusion Detection
• An intrusion detection system (IDS) analyzes traffic patterns and reacts to anomalous patterns by sending out alerts.
• Note that an IDS is inherently reactive; the attack has already begun when the IDS alerts.
[Figure: an internal LAN behind a firewall, with an IDS watching the traffic]
Intrusion Detection: IDS vs IPS
[Figure: two deployments of an internal LAN behind a firewall, one with an IDS beside the traffic path and one with an Intrusion Prevention System (IPS) inline]
What changes if I want to see all attempted attacks?
Firewall vs IDS vs IPS
• Firewall - A device or application that analyzes packet headers and enforces policy based on protocol type, source address, destination address, source port, and/or destination port. Packets that do not match policy are rejected.
• Intrusion Detection System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected a log message is generated detailing the event.
• Intrusion Prevention System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected the packet is rejected.
Some devices are now combining all of these functions into a single security device (Smart Firewall, NextGen Firewall, etc.). Snort can be run in IDS or IPS modes.
Source: http://security.stackexchange.com/questions/44931/difference-between-ids-and-ips-and-firewall
What do IDS detect?
• Anomaly detection: Activity that deviates from the normal behavior
• Misuse detection: Execution of code that results in break-ins
• Specification-based detection: Activity involving privileged software that is inconsistent with respect to a policy/specification
- D. Denning
Types of IDS
• Host Based IDS
  • Installed locally on machines
  • Monitoring local user activity
  • Monitoring execution of system programs
  • Monitoring local system logs
• Network IDS (NIDS)
  • Sensors are installed at strategic locations on the network
  • Monitor changes in traffic pattern / connection requests
  • Monitor users' network activity - Deep Packet Inspection
• In this lab we're discussing NIDS
Types of NIDS
• Signature Based IDS
  • Compares incoming packets with known signatures
  • E.g. Snort, Bro, Suricata, etc.
• Anomaly Detection Systems
  • Learns the normal behavior of the system
  • Generates alerts on packets that are different from the normal behavior
Signature based NIDS
Current standard is signature based systems.
Problems:
• "Zero-day" attacks
• Polymorphic attacks
• Botnets - inexpensive re-usable IP addresses for attackers
Anomaly Detection NIDS
Anomaly Detection (AD) systems are capable of identifying "Zero Day" attacks.
Problems:
• High false positive rates
• Labeled training data
Our focus:
• Web applications are popular targets
transAD & STAND (GMU Research)
• transAD: TPR 90.17%, FPR 0.17%
• STAND: TPR 88.75%, FPR 0.51%
• What do you think a signature-based detector would look like (roughly)? FPR? TPR?
Attacks Detected by transAD
Type of Attack: HTTP GET Request
Buffer Overflow: /?slide=kashdan?slide=pawloski?slide=ascoli?slide=shukla?slide=kabbani?slide=ascoli?slide=proteomics?slide=shukla?slide=shukla
Remote File Inclusion: //forum/adminLogin.php?config[foruminstalled]=http://www.steelcitygray.com/auction/uploaded/golput/ID-RFI.txt??
Directory Traversal: /resources/index.php?con=/../../../../../../../../etc/passwd
Code Injection: //resources-template.php?id=38-999.9+union+select+0
Script Attacks: /.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=********%40*********.***.***
Transduction based Anomaly Detection
• Compares how the test packet fits with respect to the baseline
• A "Strangeness" function is used for comparing the test packet
• The sum of K-Nearest Neighbors distances is used as a measure of Strangeness
[Figure: test points A and B plotted against the baseline; B is stranger than A with respect to the baseline]
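The k-nearest-neighbour strangeness measure described above, as an added example that is not the GMU transAD code: the baseline of benign requests (URI length, parameter count) and the two test points are constructed here, and the p-value step uses the general transductive form, which is an assumption of this example rather than transAD's exact rule.

```python
import math

# Constructed baseline of benign requests as (URI length, number of parameters).
BASELINE = [(42, 1), (45, 2), (50, 2), (55, 3), (48, 1), (60, 3), (52, 2), (47, 2)]
A = (51, 2)      # a test request that looks like the baseline
B = (250, 8)     # a test request that does not

def euclid(p, q):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(p, q)))

def strangeness(point, baseline, k=3, exclude_self=False):
    """Sum of the distances to the k nearest baseline points (the slide's measure)."""
    dists = sorted(euclid(point, b) for b in baseline if not (exclude_self and b == point))
    return sum(dists[:k])

def p_value(point, baseline, k=3):
    """Fraction of baseline points at least as strange as the test point, so a small
    value means the point fits the baseline badly. This transductive step is the
    general form; it is an assumption of this example, not transAD's exact rule."""
    alpha_new = strangeness(point, baseline, k)
    alphas = [strangeness(b, baseline, k, exclude_self=True) for b in baseline]
    return (sum(a >= alpha_new for a in alphas) + 1) / (len(baseline) + 1)

def is_anomalous(point, baseline, k=3, threshold=0.2):
    """Alert when fewer than `threshold` of the baseline is as strange as `point`."""
    return p_value(point, baseline, k) < threshold

if __name__ == "__main__":
    for name, pt in (("A", A), ("B", B)):
        print(name, round(strangeness(pt, BASELINE), 2), round(p_value(pt, BASELINE), 3),
              is_anomalous(pt, BASELINE))
```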
Intrusion Detection Errors
There are two types of errors when considering any intrusion detection system.
False negatives: a genuine attack is not detected.
False positives: harmless behavior is misclassified as an attack.
Which do you think is a bigger problem?
An intrusion detection system is:
accurate: if it detects all genuine attacks;
precise: if it never reports legitimate behavior as an attack.
It is easy to make an IDS that is either accurate or precise! Why? It's hard to do both simultaneously.
Intrusion Detection Errors
An undetected attack might lead to severe problems. But frequent false alarms can lead to the system being disabled or ignored. A perfect IDS would be both accurate and precise.
• Statistically, attacks are fairly rare events.
• Most intrusion detection systems suffer from the base-rate fallacy.
• Suppose that only 1% of traffic are actually attacks and the detection accuracy of your IDS is 90% and the false positive rate is 10%. If you have an alarm what is the chance it's a false alarm?
Base-Rate Fallacy
Suppose that only 1% of traffic are actually attacks and the detection accuracy of your IDS is 90% and the false positive rate is 10%. What does that mean?
• the IDS classifies an attack as an attack with probability 90% (true positive)
• the IDS classifies a valid connection as attack with probability 10% (false positive)
What is the probability that a connection flagged as an attack is not really an attack, i.e., a false positive?
There is approximately 92% chance that a raised alarm is false.
Equations for Base Rate Fallacy
1000 events: 990 benign, 10 attacks.
10% false alarm rate means: 99 false alarms
90% true positive rate means: 9 true alarms
P(attack | alarm) = 9 / (9 + 99) ≈ 0.08 (about 8%)
Meaning, 92% of alarms are false alarms due to the base rate of benign traffic. This is to give you intuition about base rate; this can be done more formally using Bayes' rule.
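The same calculation done with Bayes' rule, as an added example (not from the slides), using the slide's figures of 1% attacks, 90% true positive rate and 10% false positive rate; it also goes one step further and solves for the false positive rate an IDS would need before most of its alarms are real.

```python
def p_attack_given_alarm(prevalence, tpr, fpr):
    """Probability that a raised alarm is a real attack (the IDS's precision).

    prevalence: fraction of traffic that is actually an attack, P(attack)
    tpr: P(alarm | attack), the detection rate
    fpr: P(alarm | benign), the false alarm rate
    Bayes: P(attack|alarm) = P(alarm|attack)P(attack) / P(alarm)
    """
    true_alarms = prevalence * tpr
    false_alarms = (1.0 - prevalence) * fpr
    return true_alarms / (true_alarms + false_alarms)


def alarm_counts(events, prevalence, tpr, fpr):
    """Expected (true alarms, false alarms) for `events` events, mirroring
    the slide's 1000-event worked example."""
    attacks = events * prevalence
    benign = events - attacks
    return attacks * tpr, benign * fpr


def fpr_needed_for_precision(prevalence, tpr, target):
    """Solve P(attack|alarm) = target for the false positive rate, to show how
    accurate an IDS must be before its alarms are worth acting on.
    target = p*tpr / (p*tpr + (1-p)*fpr)  =>  fpr = p*tpr*(1-target) / ((1-p)*target)
    """
    return prevalence * tpr * (1.0 - target) / ((1.0 - prevalence) * target)


if __name__ == "__main__":
    p = p_attack_given_alarm(0.01, 0.90, 0.10)
    print(f"P(attack | alarm) = {p:.3f}; {1 - p:.0%} of alarms are false")
    true_a, false_a = alarm_counts(1000, 0.01, 0.90, 0.10)
    print(f"per 1000 events: {true_a:.0f} true alarms, {false_a:.0f} false alarms")
    for target in (0.5, 0.9):
        print(f"FPR needed for {target:.0%} precision: "
              f"{fpr_needed_for_precision(0.01, 0.90, target):.4f}")
```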
Lessons
• False negatives and false positives are both bad for an IDS.
• An IDS must be very accurate or suffer from the base rate fallacy.
• An IDS with too many errors becomes useless.
Snort: Our lab
• Signature-based detection system
• 1 CPU w/ 1000 signatures can process 500 MBps (not great!)
• Getting faster in newer releases
• Can be run inline (IPS) or as a sniffer (IDS)
• First released in 1997 but still updated/maintained today
• Competitors: Suricata, Bro
• Detailed performance comparison: https://www.sans.org/reading-room/whitepapers/intrusion/open-source-ids-high-performance-shootout-35772
[Figure: Snort Architecture]
Snort: Rules
• http://manual.snort.org/node1.html
• http://books.gigatux.nl/mirror/snortids/0596006616/snortids-CHP-7-SECT-3.html
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
  (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; \
  classtype:attempted-recon; sid:624; rev:1;)
rule header (rule options)
Snort: Rule Header
Defines "who" the rule applies to (coarsely).
alert tcp $EXTERNAL_NET any -> $HOME_NET any
  action = alert, protocol = tcp, Src IP = $EXTERNAL_NET, Src Port = any, Direction = ->, Dst IP = $HOME_NET, Dst Port = any
Snort: Rule Header Actions
1. alert: Alerts and logs the packet when triggered.
2. log: Only logs the packet when triggered.
3. pass: Ignores or drops the packet or traffic matching.
4. activate: Alerts then activates a dynamic rule or rules.
5. dynamic: Ignores, until started by the activate rule, at which time, acts as a log rule.
6. drop: block and log the packet
7. reject: block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
8. sdrop: block the packet but do not log it.
Snort: Rule Header Protocol
Protocols: TCP, UDP, ICMP, and IP.
Future may include: ARP, IGRP, GRE, OSPF, RIP, IPX, etc.
Snort: Rule Header IP
alert tcp $EXTERNAL_NET any -> $HOME_NET any
alert tcp 192.168.1.0/24 any -> 192.168.1.0/24 1:1024
alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> 192.168.1.44
$EXTERNAL_NET is a config value set in snort.conf.
IP is specified also as dotted notation with CIDR masks. "any" is also valid.
! is the negation operator.
Multiple IP specifications can be included using square brackets [] and comma-separating. Do not add spaces!
Snort: Rule Header Port
Port can be specified as:
any -- any port
1:1024 -- ports 1 to 1024 inclusive
55: -- ports 55 and higher
:55 -- ports 0 to 55 (inclusive)
Negation still works: !6000:6001 - matches any port except 6000 and 6001
Snort: Rule Header Direction
Direction can be specified as:
-> From right IP/Port (source) to left IP/Port (destination)
<> Any direction
Note: <- does not exist... so the snort rules always read consistently.
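A small matcher for the rule-header syntax covered on the IP, Port and Direction slides (CIDR blocks, "any", "!" negation, bracketed lists, the 1:1024 / 55: / :55 port ranges, and "->" versus "<>"), written as an added example and not taken from Snort; the VARS dictionary stands in for the variables snort.conf would define and its values are constructed for this example.

```python
import ipaddress

# Stand-in for the variables snort.conf would define (constructed for this example).
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}

def _split_spec(spec):
    """Resolve a $VAR, then return (negated, [items]) for 'any', 'x', '!x' or '![x,y]'."""
    negated = spec.startswith("!")
    spec = VARS.get(spec.lstrip("!"), spec.lstrip("!"))
    if spec.startswith("!"):               # the variable itself may be negated
        negated, spec = not negated, spec[1:]
    return negated, (["any"] if spec == "any" else spec.strip("[]").split(","))

def ip_matches(spec, addr):
    """CIDR blocks, plain addresses, 'any', comma lists and '!' negation."""
    negated, items = _split_spec(spec)
    hit = any(i == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(i, strict=False)
              for i in items)
    return hit != negated

def port_matches(spec, port):
    """'any', single ports and the ranges 1:1024, 55: and :55, with negation."""
    negated, items = _split_spec(spec)
    def one(item):
        if item == "any":
            return True
        lo, sep, hi = item.partition(":")
        if not sep:                        # a single port such as 21
            return port == int(lo)
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return any(one(i) for i in items) != negated

def parse_header(rule):
    """Split 'alert tcp $EXTERNAL_NET any -> $HOME_NET any ...' into its seven fields."""
    action, proto, src, sport, direction, dst, dport = rule.split()[:7]
    return dict(action=action, proto=proto, src=src, sport=sport,
                direction=direction, dst=dst, dport=dport)

def header_matches(rule, proto, src, sport, dst, dport):
    """True if the packet (proto, src, sport, dst, dport) is selected by the rule header."""
    h = parse_header(rule)
    if h["proto"] != proto:
        return False
    def side(s, sp, d, dp):
        return (ip_matches(h["src"], s) and port_matches(h["sport"], sp)
                and ip_matches(h["dst"], d) and port_matches(h["dport"], dp))
    if h["direction"] == "->":
        return side(src, sport, dst, dport)
    return side(src, sport, dst, dport) or side(dst, dport, src, sport)  # "<>": either way
```

The header must carry all seven fields, so the slide's third example needs its destination port (for instance "any") before this matcher will parse it.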
Snort: Rule Options
The options in the parentheses are name:value; pairs:
msg:<sample message>  Logs message into /var/snort/log
flags:<AFPRSU210>  Matches specific TCP flags
content:<text>  Matches specified text in packet
content:|<hexadecimal>|  Matches specified hex chars
sid:<snort ID>  Unique number to identify rules easily. Your rules should use SIDs > 1,000,000
rev:<revision #>  Rule revision number
reference:<ref>  Where to get more info about the rule
gid:<generator ID>  Identifies which part of Snort generated the alert. See /etc/snort/gen-msg.map for values
Snort: More Rule Options...
Read the docs; there are MANY more options: http://manual.snort.org/node1.html
3.5 Payload Detection Rule Options: content, protected_content, hash, length, nocase, rawbytes, depth, offset, distance, within, http_client_body, http_cookie, http_raw_cookie, http_header, http_raw_header, http_method, http_uri, http_raw_uri, http_stat_code, http_stat_msg, http_encode, fast_pattern, uricontent, urilen, isdataat, pcre, pkt_data, file_data, base64_decode, base64_data, byte_test, byte_jump, byte_extract, ftpbounce, asn1, cvs, dce_iface, dce_opnum, dce_stub_data, sip_method, sip_stat_code, sip_header, sip_body, gtp_type, gtp_info, ssl_version, ssl_state; 3.5.49 Payload Detection Quick Reference
3.6 Non-Payload Detection Rule Options: fragoffset, ttl, tos, id, ipopts, fragbits, dsize, flags, flow, flowbits, seq, ack, window, itype, icode, icmp_id, icmp_seq, rpc, ip_proto, sameip, stream_reassemble, stream_size; 3.6.23 Non-Payload Detection Quick Reference
Snort rule examples
1. alert tcp any any -> any 21 (flow:to_server,established; \
   content:"root"; pcre:"/user\s+root/i";)
What does it do?
Looks for root user login attempts on FTP server (port 21)
Snort: Try it out!
• Let's build two new rules to see how they work
• Rule 1: Alert if a URI is longer than 250 bytes.
• Rule 2: Alert on .edu websites that also say "university" in the page somewhere. (Because we love school!!)
Wouldn't this be more fun in IPS mode? :-)
Snort rule examples
This is a real rule from malware-tools.rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS HOIC http denial of service attack"; flow:to_server,established; content:"User-Agent|3A 20 20|Mozilla"; fast_pattern:only; http_header; content:"Referer|3A 20 20|http"; http_header; content:!"Connection: keep-alive"; nocase; detection_filter:track by_src, count 17, seconds 10; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:denial-of-service; sid:21513; rev:6;)
Snort rule examples
This is a real rule from blacklist.rules:
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain guest-access.net -Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:2;)
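How the content:"..." strings in the two rules above are read, with |..| holding hex bytes as the Rule Options slide describes, as an added example that is not Snort's code: it decodes the patterns, emulates the nocase and negated content checks of the HOIC rule and the byte_test of the DNS rule, and runs them over sample traffic constructed here (the http_header modifier and the detection_filter count are not emulated).

```python
def decode_content(spec):
    """Turn a content string such as 'User-Agent|3A 20 20|Mozilla' into bytes:
    text outside the pipes is literal, text between pipes is hex bytes."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def content_matches(spec, payload, nocase=False, negated=False):
    """Emulate a content check with the nocase and '!' (negated) modifiers."""
    pattern = decode_content(spec)
    if nocase:
        pattern, payload = pattern.lower(), payload.lower()
    return (pattern in payload) != negated

def dns_qname(domain):
    """DNS wire-format name: length-prefixed labels ending in a zero byte, which
    is exactly what |0C|guest-access|03|net|00| spells out."""
    return b"".join(bytes([len(label)]) + label.encode() for label in domain.split(".")) + b"\x00"

# Constructed sample traffic (not real captures).
HOIC_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n"
                b"User-Agent:  Mozilla/4.0\r\nReferer:  http://www.example.invalid/\r\n"
                b"Connection: close\r\n\r\n")
# DNS header: id 0x1234, flags 0x0100 (standard query, RD set), 1 question, then the name.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             + dns_qname("guest-access.net") + b"\x00\x01\x00\x01")

def hoic_rule_hits(request):
    """The three content checks of sid:21513 (its detection_filter counting is omitted)."""
    return (content_matches("User-Agent|3A 20 20|Mozilla", request)
            and content_matches("Referer|3A 20 20|http", request)
            and content_matches("Connection: keep-alive", request, nocase=True, negated=True))

def blacklist_rule_hits(dns_payload):
    """sid:23799: byte_test:1,!&,0xF8,2 requires the QR and opcode bits of the flags
    byte at offset 2 to be clear (a standard query), then the name must be present."""
    return (dns_payload[2] & 0xF8) == 0 and content_matches("|0C|guest-access|03|net|00|", dns_payload)
```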
Snort rule examples
This is a real rule from os-windows.rules:
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppsx&file.zip; file_data; content:"uuid:48fd9e68-0958-11dc-9770-9797abb443b9"; fast_pattern:only; content:"2007-05-23T15:06:10-03:00"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:26068; rev:3;)
For the lab...
• Put your rules in: /etc/snort/rules/local.rules
• The rules included in the default download are old and terrible. To really play with Snort you need a current ruleset. One place to get them is snort.org
• The nocase option is a content-modifier to ignore case. Put it right after the content it should modify:
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (sid:210; rev:3; msg:"BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; classtype:attempted-admin;)
• Remember that payload rules don't work on encrypted traffic! (SSL, etc.)
• Use "-A console" to debug alerts on the console
• Use "-k none" to disable tcp checksums