RenaissanceCore IDS
The Stateful Network Intrusion Detection System

Vulnerability exploits are continually becoming more stealthy and effective. The security tools available to analysts for protecting information technology assets must keep up the pace.

Security Tools
● Information technology security tools are host or network based
● Protection/intrusion prevention: Access controls
  ● SELinux, Router ACLs, Firewalls
● Monitoring: Warn of intrusions, help harden protection
  ● Tripwire, NIDS
● Scanners: Probe to find vulnerabilities
  ● Coverity, Nessus, Metasploit

Security Tool Issues
● Host based: The most effective (until compromised), but less dynamic than the organization's environment
● Network protection: Assume attack points are known in advance
● Monitoring: False positives, false negatives
● Scanners: Snapshot view of the data center

Security Tool Issues
● More is better, but information overload is worse
● There are no social engineering firewalls
● Never forget that the capabilities of security tools are limited
● Security funding is frequently low to non-existent

Project Philosophy
● IT environments are increasingly complex and exploits are increasingly sophisticated
● Security tools must provide more bang for the buck:
  ● Perform sophisticated, automated analysis
  ● Provide information about security environment
  ● Provide maximum information about intrusion attempts
  ● Provide tracking capability to help analysts build on experience

Network Intrusion Detection Systems: The case for NIDS
● External source of information, less likely to be compromised
● Aggregated knowledge of exploits by researchers
● Zero day exploit detection

Network Intrusion Detection Systems: Current NIDS Technology
● Based on individual packets (minimal reassembly)
● Overabundance of false positives
● False negatives
  ● How can you know what you do not know?
● Inefficient use of data points
  ● Correlation of multiple pieces of data is what provides analysts with useful information

● RenaissanceCore is Free software: All code is licensed under GPLv2+
● The IDS is built on the RenaissanceCore Analysis Engine library
● Detected security events are stored in a PostgreSQL database
● The User Interface uses the Eclipse Standard Widget Toolkit

Ritasa IDS Technology
● Stateful
  ● Maintains information about entire data stream
  ● Associates data streams to analyze both halves of TCP session
  ● Can associate other data streams, such as FTP control and data
● Significant reduction of false positives
● User interface provides trends tracking
● Definitive evidence of intrusions

System components (architecture diagram)
● Intrusion Detection System: Collect data; Analyze data; Report detected Events
● User Interface: Display Events; Display Stream data; Provide sensor management; Provide system administration
● Database Daemon: Receive detected Events from IDS; Insert Event data into database; Send and receive messages to and from IDS
● Database
● External Systems: Reports; Trouble ticketing; Visualization
● Data sources for the IDS: Live data or File data
● Links between components: Encrypted or Unencrypted

IDS internal architecture (diagram)
● Manager: Start Analysis plugins and Spooler; Manage shared memory buffers; Adjust plugin execution priorities; Handle administration commands; Handle clean shutdown
● Spooler: Interface to external host (Database or other Application)
● Buffers (shared memory): Detected data; Analysis statistics; System status; Reconfiguration
● Analysis plugin levels, from Data Source to Analysis Record:
  ● Collector Level: Collect data
  ● Stream Handler Level: Add Streams to Stream table; Add data logically to Streams; Determine end of Stream and remove from Stream table
  ● Stream Analyzer Level: Find Triggers in Stream data and save for Action analysis
  ● Action Analyzer Level: Associate Triggers with Actions and save for Event analysis
  ● Event Analyzer Level: Associate Actions with Events; Associate multiple Streams; Build Analysis Record of Events
● Data passed between levels: Data, Stream Information, Triggers, Actions, Analysis Record
● Other diagram labels: Control; Administration; Analysis Data; Administration Commands
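The stateful design of slide 10 and the plugin levels of the diagram above, as an added example written for this page (it is not RenaissanceCore code): a toy Python tracker that keys both halves of a TCP session to one stream-table entry, appends payload to the right half, removes the stream on FIN from both sides or on RST, and only then runs trigger, action and event analysis over the reassembled halves. The FTP-style trigger patterns, the three-failure threshold and the packet records are constructed assumptions; the FTP control/data association mentioned on slide 10 is not modelled.

```python
# Added example, not RenaissanceCore code: a toy stateful tracker shaped like the
# pipeline above (stream handler -> stream analyzer -> action analyzer -> event
# analyzer). Trigger patterns, thresholds and packets are constructed samples.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]            # (address, port)
StreamKey = Tuple[Endpoint, Endpoint]
Trigger = Tuple[str, str, int]        # (direction, name, offset in that half)

@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    flags: str = ""                   # any of "S" (SYN), "F" (FIN), "R" (RST)
    payload: bytes = b""

@dataclass
class Stream:
    client: Endpoint
    server: Endpoint
    c2s: bytearray = field(default_factory=bytearray)  # client -> server half
    s2c: bytearray = field(default_factory=bytearray)  # server -> client half
    fins: Set[Endpoint] = field(default_factory=set)   # sides that sent FIN
    triggers: List[Trigger] = field(default_factory=list)

# Stream-analyzer patterns (FTP-style, assumed); each applies to one half only.
TRIGGERS = [("c2s", "login_attempt", b"PASS "),
            ("s2c", "login_failed", b"530 "),
            ("s2c", "login_ok", b"230 ")]

def stream_key(p: Packet) -> StreamKey:
    """Normalise the 4-tuple so both directions of a session share one key."""
    return (p.src, p.dst) if p.src < p.dst else (p.dst, p.src)

class StreamHandler:
    """Stream Handler level: add streams, add data logically, detect end of stream."""
    def __init__(self) -> None:
        self.table: Dict[StreamKey, Stream] = {}

    def feed(self, p: Packet) -> Optional[Stream]:
        key = stream_key(p)
        s = self.table.get(key)
        if s is None:
            if "S" not in p.flags:
                return None           # no SYN seen: not a session we can reason about
            s = self.table[key] = Stream(client=p.src, server=p.dst)
        (s.c2s if p.src == s.client else s.s2c).extend(p.payload)
        if "F" in p.flags:
            s.fins.add(p.src)
        if "R" in p.flags or len(s.fins) == 2:
            del self.table[key]       # stream complete: hand it to the analyzers
            return s
        return None

def stream_analyzer(s: Stream) -> List[Trigger]:
    """Stream Analyzer level: search reassembled halves, so split patterns are found."""
    found: List[Trigger] = []
    for direction, name, pat in TRIGGERS:
        data = s.c2s if direction == "c2s" else s.s2c
        start = 0
        while (i := data.find(pat, start)) != -1:
            found.append((direction, name, i))
            start = i + len(pat)
    s.triggers = found
    return found

def action_analyzer(s: Stream) -> List[str]:
    """Action Analyzer level: a server failure counts only with its client request."""
    attempts = sum(1 for _, name, _ in s.triggers if name == "login_attempt")
    failures = sum(1 for _, name, _ in s.triggers if name == "login_failed")
    return ["failed_login"] * min(attempts, failures)

def event_analyzer(actions: List[str], threshold: int = 3) -> List[str]:
    """Event Analyzer level: associate repeated actions into one event."""
    return ["repeated_login_failure"] if actions.count("failed_login") >= threshold else []

def analyze(packets: List[Packet]) -> List[Tuple[Endpoint, Endpoint, List[str]]]:
    """Collector level stand-in: return (client, server, events) per completed stream."""
    handler, results = StreamHandler(), []
    for p in packets:
        done = handler.feed(p)
        if done is not None:
            stream_analyzer(done)
            results.append((done.client, done.server, event_analyzer(action_analyzer(done))))
    return results

# Constructed sample traffic: one FTP control session with three failed logins
# (each "PASS" request split across two packets), then an orphan server packet.
CLIENT, SERVER = ("10.0.0.5", 40001), ("10.0.0.20", 21)
SAMPLE = [Packet(CLIENT, SERVER, flags="S"), Packet(SERVER, CLIENT, flags="S")]
for _ in range(3):
    SAMPLE += [Packet(CLIENT, SERVER, payload=b"PA"),
               Packet(CLIENT, SERVER, payload=b"SS guess\r\n"),
               Packet(SERVER, CLIENT, payload=b"530 Login incorrect.\r\n")]
SAMPLE += [Packet(CLIENT, SERVER, flags="F"), Packet(SERVER, CLIENT, flags="F")]
SAMPLE += [Packet(("10.0.0.21", 21), ("10.0.0.9", 5000), payload=b"530 Login incorrect.\r\n")]
```

Running `analyze(SAMPLE)` yields one completed stream carrying a single `repeated_login_failure` event: the three "PASS" requests are found although each was split across two packets, and the orphan "530" reply, whose session start was never seen, cannot form an action on its own. A packet-at-a-time matcher would have missed the split requests and raised three separate alerts on the replies.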

● The analysis engine static library includes the following features:
  ● Interprocess communication using shared memory
  ● XML file handling and macros for simplified parsing
  ● Networking for encrypted and unencrypted sessions
  ● Memory management for multiple processes
  ● Load balancing of multiple processes
  ● Efficient string matching

Messages in the Analysis Engine and the NIDS are documented using Doxygen.

The Analysis Reports are stored in the PostgreSQL database and examined using the User Interface.

Examine detected security events displayed in the main analysis window.

Define rules to detect exploits.

Define analysis statistics to be collected.

Export analysis configuration files.

Analysis statistics are formatted in simple table displays.

Create an incident report.

Perform administrative tasks.

System Requirements
● Sensors:
  ● CPU and memory intensive
  ● Disk size depends on network reliability
● Server:
  ● CPU and IO intensive
  ● Disk size depends on number of sensors

Future Directions
● Protocol and application anomaly detection: Based on expected request/reply interaction
● Encrypted session detection: Every session type has a unique pattern (interactive sessions have short requests followed by longer replies)
● Server profiles and internal threats: Statistics for specific servers allow unusual activity to be detected (high database activity outside normal working hours)
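Two of the heuristics sketched above, written out as an added example for this page (not RenaissanceCore code; the slide only names them as future work): classifying an opaque, encrypted session from its request/reply size pattern, and a per-server hour-of-day profile that flags unusual activity such as database traffic outside working hours. The cut-offs (64-byte requests, 80 percent of exchanges, mean plus three standard deviations, an absolute floor of 5) and all sample data are assumptions constructed for illustration, not measured values.

```python
# Added example, not RenaissanceCore code: two anomaly heuristics from the
# Future Directions slide. Thresholds and sample data are constructed.
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Exchange = Tuple[int, int]   # (request bytes, reply bytes) of one round trip

def classify_session(exchanges: List[Exchange]) -> str:
    """Classify an encrypted session from size patterns alone.
    interactive: many exchanges, nearly all short requests with longer replies
    bulk_transfer: total bytes in one direction dwarf the other
    Cut-offs (64 bytes, 80%, 10 exchanges, 20x) are assumed, not measured."""
    if not exchanges:
        return "empty"
    short_req_long_rep = sum(1 for req, rep in exchanges if req <= 64 and rep > req)
    if len(exchanges) >= 10 and short_req_long_rep / len(exchanges) >= 0.8:
        return "interactive"
    up, down = sum(r for r, _ in exchanges), sum(p for _, p in exchanges)
    if max(up, down) >= 20 * max(1, min(up, down)):
        return "bulk_transfer"
    return "unknown"

class ServerProfile:
    """Hour-of-day activity profile for one server, learned from past days.
    An hour alerts when today's count exceeds mean + k*stdev of that hour's
    history by at least `floor` requests (so 0 -> 1 at night does not alert)."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.history: Dict[int, List[int]] = {h: [] for h in range(24)}

    def learn_day(self, per_hour: List[int]) -> None:
        if len(per_hour) != 24:
            raise ValueError("expected 24 hourly counts")
        for hour, count in enumerate(per_hour):
            self.history[hour].append(count)

    def anomalies(self, per_hour: List[int], k: float = 3.0,
                  floor: int = 5) -> List[Tuple[int, int, float]]:
        """Return (hour, observed, ceiling) for hours above the learned ceiling."""
        out = []
        for hour, count in enumerate(per_hour):
            hist = self.history[hour]
            if not hist:
                continue
            ceiling = mean(hist) + k * pstdev(hist)
            if count > ceiling and count - mean(hist) >= floor:
                out.append((hour, count, round(ceiling, 1)))
        return out

# Constructed samples ---------------------------------------------------------
INTERACTIVE = [(3, 80), (5, 120), (1, 40), (8, 200), (2, 60), (4, 90),
               (3, 75), (6, 150), (1, 45), (2, 70), (5, 110), (3, 85)]
BULK = [(60, 400_000), (40, 300_000)]
MIXED = [(1000, 1200), (800, 700)]

def working_day(busy: int, quiet: int) -> List[int]:
    """24 hourly request counts: `busy` from 09:00 to 17:59, `quiet` otherwise."""
    return [busy if 9 <= h < 18 else quiet for h in range(24)]

def build_db_profile() -> ServerProfile:
    """Five constructed baseline days for a hypothetical database server."""
    profile = ServerProfile("db01")
    for busy, quiet in [(100, 2), (110, 1), (95, 3), (105, 2), (90, 2)]:
        profile.learn_day(working_day(busy, quiet))
    return profile

def unusual_night_activity() -> List[Tuple[int, int, float]]:
    """A day that looks normal except for 60 database requests at 02:00."""
    today = working_day(100, 2)
    today[2] = 60
    return build_db_profile().anomalies(today)
```

`unusual_night_activity()` reports only hour 2, because the busy daytime hours vary enough across the baseline days that 100 requests at noon stays under the learned ceiling, while 60 requests against a night-time history of one to three is far outside it. The size-pattern classifier is deliberately coarse: it needs no plaintext, so it applies to encrypted sessions, but it only separates interactive from bulk traffic and leaves anything else as "unknown" rather than guessing.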

Future Directions
● Reports: Charts and visualization software
● Export to other applications: Trouble ticketing systems, Wireshark (formerly Ethereal)
● Interface with network management systems: Nagios
● Use alternate database backends: Oracle, MySQL

The Stateful Network Intrusion Detection System