Unit 2 - Intrusion Detection Systems

© WJ Buchanan. ASMN (1) Unit 2: Intrusion Detection Systems Advanced Security and Mobile Networks



© WJ Buchanan. ASMN (2)


Diagram: Data, Systems, People. The enemy can penetrate the main defence and cause problems.

Even the best defence can be breached

© WJ Buchanan. ASMN (3)


Diagram: first-line defence, second-line defence, third-line defence, fourth-line defence.

… even defence in depth can be breached

… Defence-in-depth

© WJ Buchanan. ASMN (4)


… intrusion detection can reduce breaches

Intrusion Detection

© WJ Buchanan. ASMN (5)


Diagram: our trusted system sits behind a firewall (F) at the network perimeter, which carries WWW access, corporate access and email access.

External threats: Worms/Viruses, DoS (Denial-of-Service), External hack, Personal abuse, Fraud, Data stealing, Terrorism.

External Threats

© WJ Buchanan. ASMN (6)


Diagram: our trusted system sits behind a firewall (F) at the network perimeter, which carries WWW access, corporate access and email access.

External threats: Worms/Viruses, DoS (Denial-of-Service), External hack, Personal abuse, Fraud, Data stealing, Terrorism.

Internal threats: Worms/Viruses, Fraud, Terrorism, Data stealing, Personal abuse, Internal hack.

External and Internet Threats

© WJ Buchanan. ASMN (7)


Diagram: our trusted system sits behind a firewall (F) at the network perimeter, which carries WWW access, corporate access and email access.

External threats: Worms/Viruses, DoS (Denial-of-Service), External hack, Personal abuse, Fraud, Data stealing, Terrorism.

Internal threats: Worms/Viruses, Fraud, Terrorism, Data stealing, Personal abuse, Internal hack.

This firewall cannot stop internal attacks.

CIA found that: 80% of abuse was internal.

External and Internet Threats

© WJ Buchanan. ASMN (8)


Diagram: an untrusted network connects through a firewall (F) to a De-Militarized Zone (DMZ) holding the WWW server and the public FTP server, then through further firewalls (F) to the internal network (N); intrusion detection systems and audit/logging sit at each stage.

Thus we need intrusion detection systems throughout our system which will react to internal and external attacks.

Intrusion Detection Systems

© WJ Buchanan. ASMN (9)


• Network intrusion detection systems (NIDS). These monitor packets on the network and try to determine an intrusion. This is either host based (where it runs on a host), or can listen to the network using a hub, router or probe.
• System integrity verifiers (SIV). These monitor system files to determine if an intruder has changed them (a backdoor attack). A good example of this is Tripwire. It can also watch other key system components, such as the Windows registry and root/administrator level privileges.
• Log file monitors (LFM). These monitor log files which are generated by network services, and look for key patterns of change. Swatch is a good example.
• User profiling. This is currently being researched, and involves monitoring the behaviour of a user. The system then checks the normal behaviour of a user against the current user behaviour.

IDS types

© WJ Buchanan. ASMN (10)


Some of the methods that intruders might use:

Software bugs: buffer overflows, unexpected combinations, unhandled input, race conditions.

System configuration: default configurations, lazy administrators, hole creation, trust relationships.

Sniffing unsecured traffic: shared medium, server sniffing, remote sniffing.

Design flaws: TCP/IP protocol flaws, UNIX design flaws.

Others: DoS, IP spoofing, WWW browser attacks, WWW server attacks, CGI weakness, IMAP, SQL/Database, Java.

These will be covered in Unit 5.

© WJ Buchanan. ASMN (11)


1. Outside reconnaissance. The intruder gains public information about the systems, such as DNS and IP information.
2. Inside reconnaissance. The intruder gains more specific information, such as subnet layout and network devices.
3. Exploit. The intruder finds a weakness, such as cracking a password, breaching a firewall, and so on.
4. Foothold. Once into the system, the intruder can then advance up levels.
5. Profit. Data stealing, system damage, user abuse, and so on.

From code yellow to code red.

Steps that could be taken by an intruder

© WJ Buchanan. ASMN (12)


Diagram: an untrusted network connects through a firewall (F) to a De-Militarized Zone (DMZ) holding the WWW server and the public FTP server, then to the internal network (N); a network-based intrusion detection system watches the network and a host-based intrusion detection system runs on a host.

Host-based IDS listens to the traffic into and out of the host. Network-based IDS listens to all the traffic on the network.

Host-based and Network-based IDS

© WJ Buchanan. ASMN (13)

Hub: the IDS can listen to all the incoming and outgoing network traffic.

Switch: this IDS cannot hear any traffic which is not addressed to it, as it connects to a switch.

A Network-based IDS must be able to listen to traffic

© WJ Buchanan. ASMN (14)


Diagram: untrusted network, firewall (F), De-Militarized Zone (DMZ) with the WWW server and the public FTP server, internal network (N), further firewalls (F) and an internal host.

The IDS is the last line of defence.

IDS’s are applied to hosts and servers

© WJ Buchanan. ASMN (15)


Diagram: the untrusted side connects through a firewall (F) to the DMZ, which holds a WWW server and an FTP server; a second firewall (F) and a proxy separate the DMZ from the trusted side, which holds a WWW server, email server, file server and database server.

IDS’s applied across the system

© WJ Buchanan. ASMN (16)


Diagram: untrusted traffic arrives at the outer firewall (F); external trusted traffic and service traffic pass into the DMZ (WWW server, FTP server) and, through the proxy and the inner firewall (F), to the trusted network (WWW server, email server, file server, database server).

Identifying traffic flows

© WJ Buchanan. ASMN (17)


Diagram: the IDS outside the main firewall (F) detects attacks against the main firewall; the IDS inside the De-Militarized Zone (DMZ, with the public FTP server and network N) detects successful attacks against the firewall; the IDS’s on the internal network detect internal attacks; the IDS’s on the hosts detect host attacks.

Placing IDS’s

© WJ Buchanan. ASMN (18)


The main IDS is Snort (www.snort.org). Other tools include:

• tcptrace. To identify TCP sessions.
• tcpflow. To reconstruct TCP sessions.
• Ethereal. To capture network traffic.

Diagram: Snort reads a rules file (.rules) and produces event data and a log.

Detection either by:

• Signature detection. Identify well-known patterns of attack.
• Anomaly detection. Statistical anomalies, such as user logins, changes to files, and so on.

Snort

© WJ Buchanan. ASMN (19)


alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

Actions:

• alert. Generate an alert and log the packet.
• log. Log the packet.
• pass. Ignore the packet.
• activate. Alert and activate another rule.
• dynamic. Remain idle until activated by an activate rule.

Snort Rules - Actions

© WJ Buchanan. ASMN (20)


alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

Protocols: tcp, udp, icmp (transport layer protocols) and ip (network layer protocol).

Snort Rules - Protocols

© WJ Buchanan. ASMN (21)


alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

Source IP: any
Source port (any, or m:n for m to n): any
Destination IP: 192.168.1.0/24
Destination port (any, or m:n for m to n): 111

Snort Rules - Source and Destination IP/port

© WJ Buchanan. ASMN (22)


alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

Payload detection: a hex sequence such as "|00 01 86 a5|", or a text sequence such as "USER root".

Modifiers: rawbytes, offset, distance, within, uricontent, byte_jump.

Snort Rules - Payload Detection

© WJ Buchanan. ASMN (23)


alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

Message to display

Snort Rules - Displaying a Message
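As an added worked example (not code from the slides or from Snort itself), the Python below parses the rule anatomy just walked through: it splits the header into action, protocol, source/destination addresses and ports and direction, decodes content strings with |..| hex bytes and backslash escapes, honours nocase, and checks a constructed packet against the mountd rule and an abridged copy of the FTP CWD ~root rule shown on the FTP rules slide. The $HOME_NET/$EXTERNAL_NET values, the Packet type and the sample packets are this example's own assumptions; flow, pcre and distance are parsed but not evaluated.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed values for the rule variables (a real deployment sets them in snort.conf).
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}
# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
# Split the option body on ';' outside double quotes (rules write a literal quote as |22|).
OPTION_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

@dataclass
class Packet:  # constructed stand-in for a decoded packet; this example's own type, not Snort's
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""

@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list = field(default_factory=list)   # (keyword, value) pairs in rule order
    contents: list = field(default_factory=list)  # [pattern bytes, nocase] per content option

def decode_content(value):
    """Snort content string -> bytes: literal text outside '|...|', hex byte pairs inside."""
    out = bytearray()
    for i, part in enumerate(value.strip().strip('"').split("|")):
        if i % 2:  # odd parts sit between pipes, e.g. "00 01 86 a5"
            out += bytes.fromhex(part.replace(" ", ""))
        else:      # even parts are text; drop Snort's backslash escapes such as "\:"
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)

def parse_rule(text):
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    rule = Rule(*m.groups()[:7])
    for opt in filter(str.strip, OPTION_SPLIT.split(m.group(8))):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        rule.options.append((key, val))
        if key == "content":
            rule.contents.append([decode_content(val), False])
        elif key == "nocase" and rule.contents:  # modifier applies to the preceding content
            rule.contents[-1][1] = True
    return rule

def ip_matches(spec, addr):
    spec = VARS.get(spec, spec)
    if spec.startswith("!"):
        return not ip_matches(spec[1:], addr)
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def port_matches(spec, port):
    """'any', one port, '!port', or 'm:n' (inclusive; either bound may be omitted)."""
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    lo, colon, hi = spec.partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if colon else low)
    return low <= port <= high

def rule_matches(rule, pkt):
    """Header plus content/nocase check; flow, pcre, distance and other modifiers are not evaluated."""
    if rule.proto not in (pkt.proto, "ip"):
        return False
    ends = [(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)]
    if rule.direction == "<>":  # bidirectional: either end may play the source
        ends.append((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
    if not any(ip_matches(rule.src_ip, s) and port_matches(rule.src_port, sp) and
               ip_matches(rule.dst_ip, d) and port_matches(rule.dst_port, dp) for s, sp, d, dp in ends):
        return False
    for pattern, nocase in rule.contents:
        hay, needle = (pkt.payload.lower(), pattern.lower()) if nocase else (pkt.payload, pattern)
        if needle not in hay:
            return False
    return True

def rule_msg(rule):
    return dict(rule.options).get("msg", "").strip('"')

# Rules copied from the slides (the FTP one abridged); the packets the tests use are constructed.
MOUNTD = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'
FTP_ROOT = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; flow:to_server,established; '
            r'content:"CWD"; nocase; content:"~root"; nocase; distance:1; pcre:"/^CWD\s+~root/smi"; sid:336; rev:7;)')
```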

© WJ Buchanan. ASMN (24)


There are also various configuration commands that can be used in the rules file, such as:

• config decode_arp - snort -a
• config payload
• config decode_data_link
• config interface
• config nolog - Disable logging, but alerts still occur
• config quiet - snort -q
• config verbose - snort -v
• config show_year
• config min_ttl:x

The SID and REV identify known Snort rules:

• Less than 100: reserved for future use.
• Between 100 and 1,000,000: rules included with the Snort distribution.
• More than 1,000,000: local rules.

For example: sid:336; rev:7; represents an attempt to change to the system administrator’s account in FTP.

Configuration options in rules file

© WJ Buchanan. ASMN (25)


• Video/audio streaming. Why? Wasted bandwidth.
• Porn. Why? Moral/legal issues.
• Chat programmes. Why? Wasted time.
• Non-business email. Why? Wasted resources.
• Viruses/worms. Why? Data/system loss.
• Bad traffic. Why? Wasted resources.
• Hacking. Why? Data/system loss. Fraud.
• P2P programs. Why? Copyright issues.
• Running server applications. Why? Corporate issues.

Types of Traffic that Organisations Typically Want to Detect

© WJ Buchanan. ASMN (26)


# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: ftp.rules,v 1.45 2003/12/16 22:14:42 cazz Exp $
#----------
# FTP RULES (edited)
#----------

# bad directories
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; nocase; distance:1; pcre:"/^CWD\s+~root/smi"; reference:cve,CVE-1999-0082; reference:arachnids,318; classtype:bad-unknown; sid:336; rev:7;)

# BAD FILES
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:5;)

# suspicious login attempts
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; nocase; distance:1; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; sid:144; classtype:suspicious-login; rev:8;)

Annotations: 21 is the FTP server port; the three rules flag an attempt to access the root account, an attempt to get the password file, and a suspicious login. $HOME_NET is our network; $EXTERNAL_NET is every network outside our own network.

Snort - Some FTP Rules

© WJ Buchanan. ASMN (27)


# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: p2p.rules,v 1.11 2003/10/20 15:03:11 chrisgreen Exp $
# These signatures look for usage of P2P protocols, which are usually
# against corporate policy

alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; flow:to_server,established; content:"|00 0200|"; offset:1; depth:3; classtype:policy-violation; sid:549; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster new user login"; flow:to_server,established; content:"|00 0600|"; offset:1; depth:3; classtype:policy-violation; sid:550; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster download attempt"; flow:to_server,established; content:"|00 cb00|"; offset:1; depth:3; classtype:policy-violation; sid:551; rev:5;)
alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"P2P napster upload request"; flow:from_server,established; content:"|00 5f02|"; offset:1; depth:3; classtype:policy-violation; sid:552; rev:5;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:556; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack (kazaa/morpheus) GET request"; flow:to_server,established; content:"GET "; depth:4; reference:url,www.musiccity.com/technology.htm; reference:url,www.kazaa.com; classtype:policy-violation; sid:1383; rev:4;)

Snort - P2P Rules - Detecting Kazaa/Napster/GNUTella

© WJ Buchanan. ASMN (28)


# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: chat.rules,v 1.18 2003/10/20 15:03:05 chrisgreen Exp $
# These signatures look for people using various types of chat programs (for
# example: AIM, ICQ, and IRC) which may be against corporate policy

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content: "User-Agent\:ICQ"; classtype:misc-activity; sid:541; rev:6;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"CHAT ICQ forced user addition"; flow:established,to_client; content:"Content-Type\: application/x-icq"; content:"[ICQ User]"; reference:bugtraq,3226; reference:cve,CAN-2001-1305; classtype:misc-activity; sid:1832; rev:3;)

alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/plain"; distance:1;classtype:misc-activity; sid:540; rev:8;)

alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; nocase; distance:0; content:"text/x-msmsgsinvite"; nocase; distance:0; content:"Application-Name\:"; content:"File Transfer"; nocase; distance:0; classtype:policy-violation; sid:1986; rev:1;)

alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command\:"; content:"ACCEPT"; distance:1; classtype:policy-violation; sid:1988; rev:1;)

alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer reject"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command\:"; content:"CANCEL"; distance:0; content:"Cancel-Code\:"; nocase; content:"REJECT"; nocase; distance:0; classtype:policy-violation; sid:1989; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:1990; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; classtype:policy-violation; sid:1991; rev:1;)

Snort - Chat Rules

© WJ Buchanan. ASMN (29)


# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: multimedia.rules,v 1.6 2003/10/20 15:03:10 chrisgreen Exp $
#-------------
# MULTIMEDIA RULES
#-------------
# These signatures look for people using streaming multimedia technologies.
# Using streaming media may be a violation of corporate policies.

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MULTIMEDIA Quicktime User Agent access"; flow:to_server,established; content:"User-Agent\: Quicktime"; classtype:policy-violation; sid:1436; rev:2;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media audio download"; flow:from_server,established; content:"Content-type\: audio/x-ms-wma"; content:"|0a|"; within:2; classtype:policy-violation; sid:1437; rev:3;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media Video download"; flow:from_server,established; content:"Content-type\: video/x-ms-asf"; content:"|0a|"; within:2;classtype:policy-violation; sid:1438; rev:3;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Shoutcast playlist redirection"; flow:from_server,established; content:"Content-type\: audio/x-scpls"; content:"|0a|"; within:2; classtype:policy-violation; sid:1439; rev:3;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Icecast playlist redirection"; flow:from_server,established; content:"Content-type\: audio/x-mpegurl"; content:"|0a|"; within:2; classtype:policy-violation; sid:1440; rev:3;)
alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"MULTIMEDIA audio galaxy keepalive"; flow:established; content:"|45 5F 00 03 05|"; offset:0; depth:5; classtype:misc-activity; sid:1428; rev:3;)

Snort - Streaming Rules

© WJ Buchanan. ASMN (30)


# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: virus.rules,v 1.21 2003/10/20 15:03:13 chrisgreen Exp $
#------------
# VIRUS RULES
#------------
alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flags:A; content: "|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:732; classtype:misc-activity; rev:3;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .pif file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".pif|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:721; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .shs file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".shs|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:730; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .exe file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".exe|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2160; rev:1;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".doc|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; rev:1;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vbs file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".vbs|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:793; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hta file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".hta|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2162; rev:1;)

Files such as PIF, VBS and HTA can breach the system.

Port 25 is SMTP (outbound email); $SMTP_SERVERS is the SMTP email server.

Snort - Some Virus Rules
© WJ Buchanan. ASMN (31)


A particular threat is the TCP/UDP port scanner, which scans for open ports on a host. If an intruder finds one, it may try and connect to it.

Typical scans: ping sweeps, TCP scans, UDP scans, OS identification scans, account scans.

Diagram: Open port 10? Open port 11? … Open port 8888?

An open port is in the LISTEN state.

Port Scanning

© WJ Buchanan. ASMN (32)


A particular threat is the ping port scanner, which pings multiple hosts to see which ones are alive. If an intruder finds one, it may try and connect to it.

Typical scans: ping sweeps, TCP scans, UDP scans, OS identification scans, account scans.

Typically pings are barred at the gateway to the organisation.

Diagram: Ping 192.168.0.1? Ping 192.168.0.1? … Ping 192.168.0.253? Ping 192.168.0.254?

Ping Scanning

© WJ Buchanan. ASMN (33)


A particular threat is the ping port scanner, which pings multiple hosts to see which ones are alive. If an intruder finds one, it may try and connect to it.

Typical scans: ping sweeps, TCP scans, UDP scans, OS identification scans, account scans.

Account scans:

• Login anonymous (anonymous logins).
• Login fred fred (using the same password as the user ID).
• Login user password (using "password" as the password).
• Login root (using the root login).
• Login default (using system default logins).

Ping Scanning

© WJ Buchanan. ASMN (34)


# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: scan.rules,v 1.21 2003/11/20 20:56:57 cazz Exp $
#-----------
# SCAN RULES
#-----------
# These signatures are representitive of network scanners. These include
# port scanning, ip mapping, and various application scanners.
#
# NOTE: This does NOT include web scanners such as whisker. Those are
# in web*
#

alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; ttl: >220; ack: 0; flags: S;reference:arachnids,439; classtype:attempted-recon; sid:613; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content: "VERSION|0A|"; depth: 16;reference:arachnids,303;classtype:attempted-recon; sid:616; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flags: SF12; dsize: 0; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S,12;classtype:attempted-recon; sid:618; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy Port 8080 attempt"; flags:S,12;classtype:attempted-recon; sid:620; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flags:S;seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flags:0; seq:0; ack:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN";flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:2;)

Annotation on the sid:620 rule: an attempt to connect to 8080.

Snort - Some Scan Rules

© WJ Buchanan. ASMN (35)


File bill.rules:

alert tcp any any -> any any (content:"the"; msg:"The found ....";)

Snort -v -c bill.rules -l /log

Alert.ids (in \log):

[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20

[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.287084 0:3:6D:FF:2A:51 -> 0:60:B3:68:B1:10 type:0x800 len:0x198
192.168.0.20:3554 -> 192.168.0.22:445 TCP TTL:128 TOS:0x0 ID:1086 IpLen:20 DgmLen:394 DF
***AP*** Seq: 0x3524EE7B Ack: 0xF842AB06 Win: 0x42E4 TcpLen: 20

[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.290026 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x5D
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:775 IpLen:20 DgmLen:79 DF
***AP*** Seq: 0xF842AB06 Ack: 0x3524EFDD Win: 0x41BF TcpLen: 20

Running Snort

© WJ Buchanan. ASMN (36)


16 January 10:27pm

[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20

Analysing Snort’s Alert.ids file (Data frame)

© WJ Buchanan. ASMN (37)


Ethernet data frame: Src MAC, Dest MAC, Type, Len, then the IP header and the TCP header.

IP header fields: Version, Header length, Type of service, Total length, Identification, Flags (0, DF, MF), Fragment offset, Time-to-live, Protocol, Header checksum, Source IP address, Destination IP address.

TCP header fields: Source port, Destination port, Sequence number, Acknowledgement number, Data offset, Reserved/Flags, Window, Checksum, Urgent pointer.

[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20

Remember… IP addresses can be spoofed … the MAC addresses can’t (well, it’s difficult).

Analysing Snort’s Alert.ids file (Data frame)

© WJ Buchanan. ASMN (38)


IP Header

[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20

IP header fields in the record: source IP address 192.168.0.22, destination IP address 192.168.0.20, protocol TCP, TTL:128 (Time-to-live), TOS:0x0 (Type of service), ID:774 (Identification), IpLen:20 (Header length), DgmLen:347 (Total length) and DF (the don't-fragment flag).

Analysing Snort’s Alert.ids file (IP)

© WJ Buchanan. ASMN (39)


[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20

TCP header fields in the record: source port 445, destination port 3554, Seq: 0xF842A9D3 (Sequence number), Ack: 0x3524EE7B (Acknowledgement number), ***AP*** (Flags: ACK and PSH set), Win: 0x4321 (Window) and TcpLen: 20 (Data offset, the TCP header length).

IP Header / TCP Header

Analysing Snort’s Alert.ids file (TCP)

© WJ Buchanan. ASMN (40)


The log directory holds a sub-directory for each host:

log
+ 192.168.0.1
+ 192.168.0.2
+ 192.168.0.3
+ 192.168.0.20
+ 192.168.0.21
+ 192.168.0.24
+ 192.168.0.25
+ 192.168.0.60

Files for one host (traffic to/from 192.168.0.20): TCP_3423-445.ids, TCP_3424-139.ids, TCP_3521-445.ids, TCP_3529-139.ids, TCP_3554-445.ids, TCP_3566-445.ids

TCP_3423-445.ids is the log of traffic between port 3423 and 445 to/from 192.168.0.20:

01/16-22:11:15.833440 192.168.0.20:3423 -> 192.168.0.22:445 TCP TTL:128 TOS:0x0 ID:975 IpLen:20 DgmLen:48 DF
******S* Seq: 0x26885B8B Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/16-22:11:15.835497 192.168.0.22:445 -> 192.168.0.20:3423 TCP TTL:128 TOS:0x0 ID:653 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xE9A4004C Ack: 0x26885B8C Win: 0x4470 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/16-22:11:15.835571 192.168.0.20:3423 -> 192.168.0.22:445 TCP TTL:128 TOS:0x0 ID:977 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x26885B8C Ack: 0xE9A4004D Win: 0x4470 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Analysing Snort’s Log

© WJ Buchanan. ASMN (41)


TCP header fields: Source port, Destination port, Sequence number, Acknowledgement number, Data offset, Flags (UAPRSF), Window, Checksum, Urgent pointer.

Flags – the flag field is defined as UAPRSF:

• U is the urgent flag (URG).
• A the acknowledgement flag (ACK).
• P the push function (PSH).
• R the reset flag (RST).
• S the sequence synchronize flag (SYN).
• F the end-of-transmission flag (FIN).

Analysis TCP Flags

© WJ Buchanan. ASMN (42)


Three-way handshake (originator on the left, recipient on the right):

1. CLOSED                                                  LISTEN
2. SYN-SENT     -> <SEQ=999><CTL=SYN>                   -> SYN-RECEIVED
3. ESTABLISHED  <- <SEQ=100><ACK=1000><CTL=SYN,ACK>     <- SYN-RECEIVED
4. ESTABLISHED  -> <SEQ=1000><ACK=101><CTL=ACK>         -> ESTABLISHED
5. ESTABLISHED  -> <SEQ=1000><ACK=101><CTL=ACK><DATA>   -> ESTABLISHED

The SYN flag identifies a connection.

Analysis TCP Flags
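As an added example (not code from the slides or from Snort), the Python below decodes the alert.ids and per-host log records walked through on the preceding slides into their Ethernet, IP and TCP fields, derives the TCP payload size from DgmLen, IpLen and TcpLen, checks that the frame length is the datagram plus the 14-byte Ethernet header, and then verifies that three logged packets form the SYN, SYN/ACK, ACK handshake just shown, with each Ack equal to the previous Seq plus one. The sample records are the ones printed on the slides; the field names of the returned dictionaries are this example's own choice.

```python
import re

# One regex per line type that Snort writes to alert.ids and to the per-host log files.
ALERT_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIO_RE = re.compile(r"^\[Priority: (\d+)\]$")
ETH_RE = re.compile(r"^(\S+) ([0-9A-Fa-f:]+) -> ([0-9A-Fa-f:]+) type:0x([0-9A-Fa-f]+) len:0x([0-9A-Fa-f]+)$")
ADDR_RE = re.compile(r"^(?:(\S+) )?(\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)(?: (.*))?$")
IPHDR_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)( DF)?$")
TCP_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)\s+"
                    r"Win: 0x([0-9A-Fa-f]+)\s+TcpLen: (\d+)$")
OPTS_RE = re.compile(r"^TCP Options \((\d+)\) => (.*)$")
ETH_HEADER_LEN = 14  # bytes of Ethernet header in front of the IP datagram

def parse_record(lines):
    """Decode one alert or log record (a run of non-blank lines) into a dict of fields."""
    rec, queue = {}, [line.rstrip() for line in lines]
    while queue:
        line = queue.pop(0)
        if m := ALERT_RE.match(line):
            rec.update(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), msg=m[4])
        elif m := PRIO_RE.match(line):
            rec["priority"] = int(m[1])
        elif m := ETH_RE.match(line):
            rec.update(time=m[1], src_mac=m[2], dst_mac=m[3], eth_type=int(m[4], 16), frame_len=int(m[5], 16))
        elif m := ADDR_RE.match(line):
            if m[1]:
                rec["time"] = m[1]
            rec.update(src_ip=m[2], src_port=int(m[3]), dst_ip=m[4], dst_port=int(m[5]))
            if m[6]:  # IP header fields printed on the same line as the addresses
                queue.insert(0, m[6])
        elif m := IPHDR_RE.match(line):
            rec.update(proto=m[1], ttl=int(m[2]), tos=int(m[3], 16), ip_id=int(m[4]),
                       ip_len=int(m[5]), dgm_len=int(m[6]), df=m[7] is not None)
        elif m := TCP_RE.match(line):
            rec.update(flags={c for c in m[1] if c != "*"}, seq=int(m[2], 16), ack=int(m[3], 16),
                       win=int(m[4], 16), tcp_len=int(m[5]))
        elif m := OPTS_RE.match(line):
            rec["tcp_options"] = m[2]
    if all(k in rec for k in ("dgm_len", "ip_len", "tcp_len")):
        rec["payload_len"] = rec["dgm_len"] - rec["ip_len"] - rec["tcp_len"]  # TCP data carried
    if "frame_len" in rec and "dgm_len" in rec:  # the frame must be the datagram plus the Ethernet header
        rec["frame_ok"] = rec["frame_len"] == rec["dgm_len"] + ETH_HEADER_LEN
    return rec

def parse_records(text):
    """Split a file into records at blank lines or '=+=+' separators and decode each one."""
    records, block = [], []
    for line in text.splitlines() + [""]:
        if not line.strip() or line.startswith("=+"):
            if block:
                records.append(parse_record(block))
            block = []
        else:
            block.append(line)
    return records

def is_three_way_handshake(recs):
    """True when three consecutive records are SYN, SYN/ACK, ACK with consistent sequence numbers."""
    if len(recs) != 3:
        return False
    syn, synack, ack = recs
    return (syn["flags"] == {"S"} and synack["flags"] == {"S", "A"} and ack["flags"] == {"A"}
            and (synack["src_ip"], synack["src_port"]) == (syn["dst_ip"], syn["dst_port"])
            and synack["ack"] == syn["seq"] + 1 and ack["ack"] == synack["seq"] + 1
            and ack["seq"] == synack["ack"])

# The first alert record and the three-way handshake log, both as shown in the slides.
ALERT_SAMPLE = """\
[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20
"""
LOG_SAMPLE = """\
01/16-22:11:15.833440 192.168.0.20:3423 -> 192.168.0.22:445 TCP TTL:128 TOS:0x0 ID:975 IpLen:20 DgmLen:48 DF
******S* Seq: 0x26885B8B Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/16-22:11:15.835497 192.168.0.22:445 -> 192.168.0.20:3423 TCP TTL:128 TOS:0x0 ID:653 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xE9A4004C Ack: 0x26885B8C Win: 0x4470 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/16-22:11:15.835571 192.168.0.20:3423 -> 192.168.0.22:445 TCP TTL:128 TOS:0x0 ID:977 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x26885B8C Ack: 0xE9A4004D Win: 0x4470 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""
```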

© WJ Buchanan. ASMN (43)


An incoming SYN flag is important in detecting the start of a connection. The main flags are:

• F: FIN
• S: SYN
• R: RST
• P: PSH
• A: ACK
• U: URG

The following modifiers can be set to change the match criteria:

• + match on the specified bits, plus any others
• * match if any of the specified bits are set
• ! match if the specified bits are not set

Example to test for SYN flag:

alert tcp any any -> any any (flags:S;)

Diagram: WWW server. Connection?

Testing Flags in Snort
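As an added example (this example's own code, not Snort's implementation), the Python below evaluates a Snort flags: option against the printed flag field of a logged packet: the plain form (exactly the listed bits), the +, * and ! modifiers listed above, the ",12" mask that the scan rules use to ignore the two reserved bits, and "0" for a packet with no flags set. It assumes the eight printed positions are ordered 12UAPRSF (the two reserved bits in front of the six flags the slide names) and accepts the modifier character before or after the flag letters.

```python
FLAG_FIELD = "12UAPRSF"  # the eight positions of the flag field Snort prints, e.g. "***AP***"

def flags_in_field(field):
    """Set of flag letters that are set in a printed flag field such as '***A**S*'."""
    if len(field) != 8 or any(c not in ("*", FLAG_FIELD[i]) for i, c in enumerate(field)):
        raise ValueError("bad flag field: " + field)
    return {c for c in field if c != "*"}

def parse_flags_option(value):
    """Parse the value of a 'flags:' option: flag letters, an optional +, * or ! modifier
    (accepted before or after the letters) and an optional ',mask' of bits to ignore."""
    spec, _, mask = value.replace(" ", "").partition(",")
    mode, bits = "=", set()
    for ch in spec:
        if ch in "+*!":
            mode = ch
        elif ch in FLAG_FIELD:
            bits.add(ch)
        elif ch != "0":  # '0' means no flags at all (a NULL packet)
            raise ValueError("bad flag spec: " + value)
    if any(ch not in FLAG_FIELD for ch in mask):
        raise ValueError("bad flag mask: " + value)
    return mode, bits, set(mask)

def flags_match(option, field):
    """Apply one 'flags:' option value to one printed flag field."""
    mode, want, ignore = parse_flags_option(option)
    have = flags_in_field(field) - ignore
    if mode == "+":  # the specified bits set, any others allowed
        return want <= have
    if mode == "*":  # any one of the specified bits set
        return bool(want & have)
    if mode == "!":  # none of the specified bits set
        return not (want & have)
    return have == want  # default: exactly the specified bits and nothing else

def select_records(option, fields):
    """Indices of the flag fields (e.g. taken from a Snort log) on which the option would fire."""
    return [i for i, f in enumerate(fields) if flags_match(option, f)]

# Flag fields of the three-way handshake in the slides' log, then two constructed probes:
# a NULL packet and a SYN/FIN with both reserved bits set.
HANDSHAKE = ["******S*", "***A**S*", "***A****"]
PROBES = ["********", "12****SF"]
```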

© WJ Buchanan. ASMN (44)


It is often important to know the flow direction. The main flow rule options are:

• to_client. Used for server responses to the client.
• to_server. Used for client requests to the server.
• from_client. Used on client responses.
• from_server. Used on server responses.
• established. Established TCP connections.

Example to test for an FTP connection to the user’s computer:

alert tcp any any -> $HOME_NET 21 (flow: from_client; content: "CWD incoming"; nocase;)

Diagram: WWW server. Connection?

Testing Flow in Snort

© WJ Buchanan. ASMN (45)


01/16-22:11:15.833440 192.168.0.20:3423 -> 192.168.0.22:445 TCP TTL:128 TOS:0x0 ID:975 IpLen:20 DgmLen:48 DF
******S* Seq: 0x26885B8B Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/16-22:11:15.835497 192.168.0.22:445 -> 192.168.0.20:3423 TCP TTL:128 TOS:0x0 ID:653 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xE9A4004C Ack: 0x26885B8C Win: 0x4470 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/16-22:11:15.835571 192.168.0.20:3423 -> 192.168.0.22:445 TCP TTL:128 TOS:0x0 ID:977 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x26885B8C Ack: 0xE9A4004D Win: 0x4470 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Diagram: IP header and TCP header fields, with the flags field (UAPRSF) of each record highlighted.

Analysing Snort’s Log

© WJ Buchanan. ASMN (46)


01/16-09:31:08.785149 ARP who-has 192.168.0.168 tell 192.168.0.22
01/16-09:45:59.458607 ARP who-has 192.168.0.42 tell 192.168.0.216
01/16-09:45:59.459159 ARP reply 192.168.0.42 is-at 0:20:18:38:B8:63
01/16-09:46:03.857325 ARP who-has 192.168.0.104 tell 192.168.0.198
01/16-09:46:10.125715 ARP who-has 192.168.0.15 tell 192.168.0.38
01/16-09:46:10.125930 ARP who-has 192.168.0.38 tell 192.168.0.15

Diagram: a switch behind the firewall (F). ARP request: Who has 192.168.0.168?

Devices can only communicate directly if they have the MAC address and IP address.

The ARP request is broadcast to the network. The ARP reply is sent to the network, on which every node on the segment updates its ARP table.

Analysing Snort’s ARP log
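As an added example (not code from the slides), the Python below reads Snort's ARP log lines as printed above, pairs the who-has requests with the is-at replies to rebuild the IP-to-MAC table the log lets us recover, lists requests that were never answered in the log, and reports any IP that was answered with two different MAC addresses, which is worth a look given that the MAC is the harder address to fake. The sample lines are the six from the slide; the extra reply the test appends is constructed.

```python
import re

ARP_RE = re.compile(r"^(\S+) ARP (who-has|reply) (\d+(?:\.\d+){3}) (?:tell (\d+(?:\.\d+){3})|is-at ([0-9A-Fa-f:]+))$")

def parse_arp_log(text):
    """One dict per ARP line: the time, the kind ('who-has' or 'reply'), the IPs and, for a reply, the MAC."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # not an ARP line
        if m[2] == "who-has":
            entries.append({"time": m[1], "kind": "who-has", "target": m[3], "sender": m[4]})
        else:
            entries.append({"time": m[1], "kind": "reply", "ip": m[3], "mac": m[5]})
    return entries

def ip_key(ip):
    """Sort key so that 192.168.0.15 precedes 192.168.0.104."""
    return tuple(int(part) for part in ip.split("."))

def arp_summary(entries):
    """IP-to-MAC table learned from the replies, requests that got no reply in this log, and any IP
    answered with two different MACs (reported as (ip, earlier mac, later mac))."""
    table, conflicts = {}, []
    for e in entries:
        if e["kind"] == "reply":
            if e["ip"] in table and table[e["ip"]] != e["mac"]:
                conflicts.append((e["ip"], table[e["ip"]], e["mac"]))
            table[e["ip"]] = e["mac"]
    asked = {e["target"] for e in entries if e["kind"] == "who-has"}
    unanswered = sorted(asked - set(table), key=ip_key)
    return table, unanswered, conflicts

# The six lines from the slide's ARP log.
ARP_SAMPLE = """\
01/16-09:31:08.785149 ARP who-has 192.168.0.168 tell 192.168.0.22
01/16-09:45:59.458607 ARP who-has 192.168.0.42 tell 192.168.0.216
01/16-09:45:59.459159 ARP reply 192.168.0.42 is-at 0:20:18:38:B8:63
01/16-09:46:03.857325 ARP who-has 192.168.0.104 tell 192.168.0.198
01/16-09:46:10.125715 ARP who-has 192.168.0.15 tell 192.168.0.38
01/16-09:46:10.125930 ARP who-has 192.168.0.38 tell 192.168.0.15
"""
```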

© WJ Buchanan. ASMN (47)


So what does Snort tell us?

• Logs date/time of alerts and data packets.
• Generates alerts (alert.ids).
• Logs every data packet and every connection.
• Logs ARP requests and responses.
• Logs MAC addresses with IP addresses.

But how do we generate evidence for breaches? … this will be covered in Unit 4 (Forensic Computing)

For 99.99% of the time, the monitoring of data packets may not be important … but every so often there’s a breach, and the evidence must be picked through.

So how can Snort help us?

© WJ Buchanan. ASMN (48)


User profile:
Typing speed: 20 wpm
Applications run: Word, Excel
Typical commands run: dir, cd
Files accessed: doc, xls
Working times: 900-1700
… etc …

1. Profile downloaded to agent on host.
2. Agent then checks current usage against user profile. If they differ greatly … contact Administrator on a possible intrusion.
3. Profile updated when user completes their work.

… and finally the ultimate IDS … User profiling
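As an added example (this example's own code, not a system described on the slide), the Python below carries the three-step procedure through with the slide's profile fields: the agent compares an observed session with the profile, reports each way it differs, flags a possible intrusion when the differences pass an assumed threshold, and folds a completed session back into the profile only when it was not flagged, so that an intruder's session cannot teach the profile to accept them. The profile is the one on the slide; the two sessions, the tolerance and the threshold are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import time

@dataclass
class Profile:
    """Learned normal behaviour of one user (fields taken from the slide's example profile)."""
    typing_wpm: float
    applications: set
    commands: set
    file_types: set
    work_start: time
    work_end: time

@dataclass
class Session:
    """Constructed record of what the agent observed during the current session."""
    typing_wpm: float
    applications: set
    commands: set
    file_types: set
    start: time
    end: time

def deviations(profile, session, wpm_tolerance=0.5):
    """Step 2: compare current usage with the profile and list every way it differs."""
    found = []
    if abs(session.typing_wpm - profile.typing_wpm) > wpm_tolerance * profile.typing_wpm:
        found.append(f"typing speed {session.typing_wpm} wpm vs profile {profile.typing_wpm} wpm")
    for label, seen, known in (("applications", session.applications, profile.applications),
                               ("commands", session.commands, profile.commands),
                               ("file types", session.file_types, profile.file_types)):
        new = sorted(seen - known)
        if new:
            found.append(f"unusual {label}: {', '.join(new)}")
    if session.start < profile.work_start or session.end > profile.work_end:
        found.append(f"activity outside working hours {profile.work_start:%H%M}-{profile.work_end:%H%M}")
    return found

def is_intrusion(profile, session, max_deviations=2):
    """'Differ greatly' is taken here to mean more than max_deviations findings (an assumed threshold)."""
    return len(deviations(profile, session)) > max_deviations

def update_profile(profile, session, weight=0.2):
    """Step 3: fold a completed session into the profile, unless it was flagged as a possible intrusion."""
    if is_intrusion(profile, session):
        return profile
    return replace(profile,
                   typing_wpm=round((1 - weight) * profile.typing_wpm + weight * session.typing_wpm, 1),
                   applications=profile.applications | session.applications,
                   commands=profile.commands | session.commands,
                   file_types=profile.file_types | session.file_types)

# The slide's example profile and two constructed sessions: an ordinary day and an odd one.
FRED = Profile(20, {"Word", "Excel"}, {"dir", "cd"}, {"doc", "xls"}, time(9, 0), time(17, 0))
NORMAL = Session(22, {"Word", "PowerPoint"}, {"dir"}, {"doc"}, time(9, 30), time(16, 45))
SUSPECT = Session(75, {"cmd"}, {"ftp"}, {"exe"}, time(2, 10), time(3, 5))
```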

© WJ Buchanan. ASMN (49)


Sometimes it is possible to create a ‘honey-pot’ or lure, which attracts an intruder so that they can be caught before they do any damage.

This device has all the required weaknesses, such as:

• Default administrator/password.
• Dummy users with weak passwords.
• Ports open for connection.
• React to virus/worm systems (but simulate conditions).

… and finally (again) … the honeypot