unit 2 - intrusion detection systems
TRANSCRIPT
© WJ Buchanan. ASMN (1)
Unit 2: Intrusion Detection Systems
Advanced Security and Mobile Networks

Even the best defence can be breached
The enemy can penetrate the main defence and cause problems for data, systems and people.

… Defence-in-depth
First-line defence, second-line defence, third-line defence, fourth-line defence … even defence in depth can be breached.

Intrusion Detection
… intrusion detection can reduce breaches.

External Threats
(Figure: our trusted system sits behind a firewall at the network perimeter; WWW access, corporate access and email access cross that perimeter.)
External threats: worms/viruses, DoS (Denial-of-Service), external hack, personal abuse, fraud, data stealing, terrorism.

External and Internal Threats
(Figure: the same perimeter firewall, with WWW access, corporate access and email access crossing it.)
External threats: worms/viruses, DoS (Denial-of-Service), external hack, personal abuse, fraud, data stealing, terrorism.
Internal threats, inside our trusted system: worms/viruses, fraud, terrorism, data stealing, personal abuse, internal hack.

External and Internal Threats
External threats (worms/viruses, DoS (Denial-of-Service), external hack, personal abuse, fraud, data stealing, terrorism) arrive through WWW, corporate and email access at the perimeter firewall.
This firewall cannot stop internal attacks: worms/viruses, fraud, terrorism, data stealing, personal abuse and internal hack all originate inside our trusted system.
The CIA found that 80% of abuse was internal.

Intrusion Detection Systems
Thus we need intrusion detection systems throughout our system which will react to internal and external attacks.
(Figure: an untrusted network, firewalls, a De-Militarized Zone (DMZ) holding the WWW server and public FTP server, intrusion detection systems on each segment, and audit/logging.)

IDS types
• Network intrusion detection systems (NIDS). These monitor packets on the network and try to determine an intrusion. They are either host based (where the NIDS runs on a host) or listen to the network using a hub, router or probe.
• System integrity verifiers (SIV). These monitor system files to determine if an intruder has changed them (a backdoor attack). A good example of this is Tripwire. It can also watch other key system components, such as the Windows registry and root/administrator level privileges.
• Log file monitors (LFM). These monitor log files which are generated by network services, and look for key patterns of change. Swatch is a good example.
• User profiling. This is currently being researched, and involves monitoring the behaviour of a user. The system then checks the normal behaviour of a user against the current user behaviour.

Some of the methods that Intruders might use
• Software bugs: buffer overflows, unexpected combinations, unhandled input, race conditions.
• System configuration: default configurations, lazy administrators, hole creation, trust relationships.
• Sniffing unsecured traffic: shared medium, server sniffing, remote sniffing.
• Design flaws: TCP/IP protocol flaws, UNIX design flaws.
• Others: DoS, IP spoofing, WWW browser attacks, WWW server attacks, CGI weakness, IMAP, SQL/Database, Java.
These will be covered in Unit 5.

Steps that could be taken by an intruder
1. Outside reconnaissance. Intruder gains public information about the systems, such as DNS and IP information.
2. Inside reconnaissance. Intruder gains more specific information, such as subnet layout and network devices.
3. Exploit. Intruder finds a weakness, such as cracking a password, breaching a firewall, and so on.
4. Foothold. Once into the system, the intruder can then advance up levels.
5. Profit. Data stealing, system damage, user abuse, and so on.
From code yellow to code red.

Host-based and Network-based IDS
(Figure: untrusted network, firewalls, a De-Militarized Zone (DMZ) with the WWW server and public FTP server, a network-based intrusion detection system on the network and a host-based intrusion detection system on a host.)
Host-based IDS listens to the traffic into and out of the host. Network-based IDS listens to all the traffic on the network.

A Network-based IDS must be able to listen to traffic
Hub: an IDS connected to a hub can listen to all the incoming and outgoing network traffic.
Switch: this IDS cannot hear any traffic which is not addressed to it, as it connects to a switch.

IDS's are applied to hosts and servers
(Figure: untrusted network, firewalls, a De-Militarized Zone (DMZ) with the WWW server and public FTP server, and internal hosts, each with an IDS.)
The IDS is the last line of defence.

IDS's applied across the system
(Figure: the untrusted side, a firewall, a DMZ with the WWW server and FTP server, a proxy, a further firewall, and the trusted side with WWW server, email server, file server and database server; IDS's are placed across all of them.)

Identifying traffic flows
(Figure: the same layout, separating untrusted traffic from outside, external trusted traffic, and service traffic between the proxy, the DMZ servers (WWW server, FTP server) and the trusted servers (WWW server, email server, file server, database server).)

Placing IDS's
(Figure: an untrusted network, the main firewall, a De-Militarized Zone (DMZ) with the public FTP server, inner firewalls and internal hosts, with an IDS at each point.)
• The IDS outside the main firewall detects attacks against the main firewall.
• The IDS just inside it detects successful attacks against the firewall.
• The IDS's on the internal network detect internal attacks.
• The IDS's on the hosts detect host attacks.

Snort
The main IDS is Snort (www.snort.org). Other tools include:
• tcptrace. To identify TCP sessions.
• tcpflow. To reconstruct TCP sessions.
• Ethereal. To capture network traffic.
(Figure: Snort reads a rules file (.rules), processes event data and writes a log.)
Detection either by:
• Signature detection. Identify well-known patterns of attack.
• Anomaly detection. Statistical anomalies, such as user logins, changes to files, and so on.

Snort Rules - Actions
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
The first field of the rule is the action:
• alert - Generate an alert and log the packet
• log - Log the packet
• pass - Ignore the packet
• activate - Alert and activate another rule
• dynamic - Remain idle until activated by an activate rule

Snort Rules - Protocols
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
The second field is the protocol:
• Transport layer protocols: tcp, udp, icmp
• Network layer protocol: ip

Snort Rules - Source and Destination IP/port
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
The header then gives the source IP, the source port (any, or m:n for m to n), the direction, the destination IP (here 192.168.1.0/24) and the destination port (any, or m:n for m to n; here 111).

Snort Rules - Payload Detection
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
Payload detection uses the content option, either as a hex sequence, such as "|00 01 86 a5|", or as a text sequence, such as "USER root".
Modifiers: rawbytes, offset, distance, within, uricontent, byte_jump.

Snort Rules - Displaying a Message
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
The msg option gives the message to display ("mountd access").

Configuration options in rules file
There are also various configuration commands that can be used in the rules file, such as:
• config decode_arp - equivalent to snort -a
• config payload
• config decode_data_link
• config interface
• config nolog - Disable logging, but alerts still occur
• config quiet - equivalent to snort -q
• config verbose - equivalent to snort -v
• config show_year
• config min_ttl:x
The SID and REV identify known Snort rules:
• Less than 100: reserved for future use
• Between 100 and 1,000,000: rules included with the Snort distribution
• More than 1,000,000: local rules
For example, sid:336; rev:7; represents an attempt to change to the system administrator's account in FTP.

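The rule anatomy of the last six slides (action, protocol, source and destination IP/port, direction, content with |hex| sequences, msg, sid and rev) as an added example that is not part of the lecture or of the Snort project: a small Python parser that takes a rule line apart into those pieces. The port representation (negated, low, high) and the function names are choices made for this example; the two rules it is run on are the mountd rule and the FTP CWD ~root rule quoted on the slides.

```python
# Added example (not part of the lecture slides or of the Snort project): a
# small parser for the rule syntax described on the slides. It splits a rule
# into its header (action, protocol, source/destination IP and port, direction)
# and its option list, decodes |hex| runs inside content strings into bytes,
# and classifies the sid into the reserved / distribution / local ranges given
# on the slide. The two rules it is run on are quoted from the slides.
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
_HEX_RUN = re.compile(r"\|([0-9A-Fa-f ]+)\|")


def _unescape(segment):
    """A backslash escapes the next character (the slides' rules use \: and \")."""
    return re.sub(r"\\(.)", r"\1", segment).encode("latin-1")


def decode_content(text):
    """'USER|20|root' -> b'USER root': literal text outside the pipes, hex inside."""
    out, pos = bytearray(), 0
    for m in _HEX_RUN.finditer(text):
        out += _unescape(text[pos:m.start()])
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += _unescape(text[pos:])
    return bytes(out)


def split_options(body):
    """Split the option body on semicolons that are not inside a quoted value."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_port(spec):
    """'any', a single port, or m:n for the range m to n; a leading ! negates.
    Returns (negated, low, high)."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return (negated, 0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (negated, int(lo) if lo else 0, int(hi) if hi else 65535)
    return (negated, int(spec), int(spec))


def parse_rule(rule):
    """Parse one rule line into a dict of header fields plus an ordered option list."""
    head, _, rest = rule.strip().partition("(")
    if not rest.endswith(")"):
        raise ValueError("rule options are not closed with ')'")
    fields = head.split()
    if len(fields) != 7:
        raise ValueError("header must be: action proto src sport direction dst dport")
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS or proto not in PROTOCOLS or direction not in ("->", "<>"):
        raise ValueError("unknown action, protocol or direction")
    options = []
    for opt in split_options(rest[:-1]):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options.append((key, decode_content(value) if key == "content" else value))
    return {"action": action, "proto": proto, "src": src, "sport": parse_port(sport),
            "direction": direction, "dst": dst, "dport": parse_port(dport),
            "options": options}


def get_option(parsed, key):
    """First value of an option (e.g. 'msg', 'sid'); None when the rule lacks it."""
    return next((v for k, v in parsed["options"] if k == key), None)


def sid_class(sid):
    """Ranges from the slide: below 100 reserved, 100 to 1,000,000 distribution, above local."""
    if sid < 100:
        return "reserved"
    if sid <= 1_000_000:
        return "snort-distribution"
    return "local"


# Rules quoted from the slides.
MOUNTD = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'
FTP_ROOT = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; '
            r'flow:to_server,established; content:"CWD"; nocase; content:"~root"; nocase; '
            r'distance:1; pcre:"/^CWD\s+~root/smi"; reference:cve,CVE-1999-0082; '
            r'reference:arachnids,318; classtype:bad-unknown; sid:336; rev:7;)')

if __name__ == "__main__":
    for rule in (MOUNTD, FTP_ROOT):
        p = parse_rule(rule)
        sid = get_option(p, "sid")
        print(p["action"], p["proto"], p["src"], p["sport"], p["direction"], p["dst"], p["dport"])
        print("  msg:", get_option(p, "msg"), "| content:", get_option(p, "content"),
              "| sid:", sid, "(" + (sid_class(int(sid)) if sid else "no sid") + ")")
```

Because the option list keeps its order, a rule with several content options (the FTP rule has two, the second made relative by distance:1) comes back as a sequence rather than a single value, which is what a matcher needs.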
Types of Traffic that Organisations Typically Want to Detect
• Video/audio streaming. Why? Wasted bandwidth.
• Porn. Why? Moral/legal issues.
• Chat programmes. Why? Wasted time.
• Non-business email. Why? Wasted resources.
• Viruses/worms. Why? Data/system loss.
• Bad traffic. Why? Wasted resources.
• Hacking. Why? Data/system loss. Fraud.
• P2P programs. Why? Copyright issues.
• Running server applications. Why? Corporate issues.

Snort - Some FTP Rules
# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: ftp.rules,v 1.45 2003/12/16 22:14:42 cazz Exp $
#----------
# FTP RULES (edited)
#----------
# bad directories
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; nocase; distance:1; pcre:"/^CWD\s+~root/smi"; reference:cve,CVE-1999-0082; reference:arachnids,318; classtype:bad-unknown; sid:336; rev:7;)
# BAD FILES
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:5;)
# suspicious login attempts
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; nocase; distance:1; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; sid:144; classtype:suspicious-login; rev:8;)
$HOME_NET is our network; $EXTERNAL_NET is every network outside our own network. Port 21 is the FTP server port.
The three rules detect an attempt to access the root account, an attempt to get the password file, and a suspicious login.

Snort - P2P Rules - Detecting Kazaa/Napster/GNUTella
# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: p2p.rules,v 1.11 2003/10/20 15:03:11 chrisgreen Exp $
# These signatures look for usage of P2P protocols, which are usually
# against corporate policy
alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; flow:to_server,established; content:"|00 0200|"; offset:1; depth:3; classtype:policy-violation; sid:549; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster new user login"; flow:to_server,established; content:"|00 0600|"; offset:1; depth:3; classtype:policy-violation; sid:550; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster download attempt"; flow:to_server,established; content:"|00 cb00|"; offset:1; depth:3; classtype:policy-violation; sid:551; rev:5;)
alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"P2P napster upload request"; flow:from_server,established; content:"|00 5f02|"; offset:1; depth:3; classtype:policy-violation; sid:552; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:556; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack (kazaa/morpheus) GET request"; flow:to_server,established; content:"GET "; depth:4; reference:url,www.musiccity.com/technology.htm; reference:url,www.kazaa.com; classtype:policy-violation; sid:1383; rev:4;)

Snort - Chat Rules
# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: chat.rules,v 1.18 2003/10/20 15:03:05 chrisgreen Exp $
# These signatures look for people using various types of chat programs (for
# example: AIM, ICQ, and IRC) which may be against corporate policy
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content: "User-Agent\:ICQ"; classtype:misc-activity; sid:541; rev:6;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"CHAT ICQ forced user addition"; flow:established,to_client; content:"Content-Type\: application/x-icq"; content:"[ICQ User]"; reference:bugtraq,3226; reference:cve,CAN-2001-1305; classtype:misc-activity; sid:1832; rev:3;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/plain"; distance:1; classtype:misc-activity; sid:540; rev:8;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; nocase; distance:0; content:"text/x-msmsgsinvite"; nocase; distance:0; content:"Application-Name\:"; content:"File Transfer"; nocase; distance:0; classtype:policy-violation; sid:1986; rev:1;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command\:"; content:"ACCEPT"; distance:1; classtype:policy-violation; sid:1988; rev:1;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer reject"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command\:"; content:"CANCEL"; distance:0; content:"Cancel-Code\:"; nocase; content:"REJECT"; nocase; distance:0; classtype:policy-violation; sid:1989; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:1990; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; classtype:policy-violation; sid:1991; rev:1;)

Snort - Streaming Rules
# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: multimedia.rules,v 1.6 2003/10/20 15:03:10 chrisgreen Exp $
#-------------
# MULTIMEDIA RULES
#-------------
# These signatures look for people using streaming multimedia technologies.
# Using streaming media may be a violation of corporate policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MULTIMEDIA Quicktime User Agent access"; flow:to_server,established; content:"User-Agent\: Quicktime"; classtype:policy-violation; sid:1436; rev:2;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media audio download"; flow:from_server,established; content:"Content-type\: audio/x-ms-wma"; content:"|0a|"; within:2; classtype:policy-violation; sid:1437; rev:3;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media Video download"; flow:from_server,established; content:"Content-type\: video/x-ms-asf"; content:"|0a|"; within:2; classtype:policy-violation; sid:1438; rev:3;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Shoutcast playlist redirection"; flow:from_server,established; content:"Content-type\: audio/x-scpls"; content:"|0a|"; within:2; classtype:policy-violation; sid:1439; rev:3;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Icecast playlist redirection"; flow:from_server,established; content:"Content-type\: audio/x-mpegurl"; content:"|0a|"; within:2; classtype:policy-violation; sid:1440; rev:3;)
alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"MULTIMEDIA audio galaxy keepalive"; flow:established; content:"|45 5F 00 03 05|"; offset:0; depth:5; classtype:misc-activity; sid:1428; rev:3;)

Snort - Some Virus Rules
# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: virus.rules,v 1.21 2003/10/20 15:03:13 chrisgreen Exp $
#------------
# VIRUS RULES
#------------
alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flags:A; content: "|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:732; classtype:misc-activity; rev:3;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .pif file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".pif|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:721; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .shs file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".shs|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:730; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .exe file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".exe|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2160; rev:1;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".doc|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; rev:1;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vbs file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".vbs|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:793; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hta file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".hta|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2162; rev:1;)
Port 25 is SMTP (email outbound); $SMTP_SERVERS is the SMTP email server. Files such as PIF, VBS and HTA can breach the system.

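The chained content matching that these attachment rules (and the distance/within modifiers on the payload-detection slide) rely on, as an added example that is not part of the lecture or of Snort: each content is searched in a window, the first in payload[offset:offset+depth], each later one carrying distance or within in the window that starts distance bytes after the previous match and is within bytes long. The chain of the ".pif file attachment" rule is then applied to constructed SMTP messages; one of them places the filename more than 30 bytes after the Content-Disposition header, which the rule therefore does not flag. The function names and the messages are this example's own.

```python
# Added example (not part of the lecture slides or of the Snort project): the
# chained content matching that the virus rules rely on, implemented in plain
# Python. Each content in a chain is searched in a window: the first in
# payload[offset:offset+depth], each later one (when it carries distance or
# within) in payload[prev_end+distance : prev_end+distance+within]. The same
# chain as the ".pif file attachment" rule is then applied to constructed SMTP
# messages, including one whose filename sits too far from the header for the
# 30-byte within window, which the rule therefore misses.


def find_in_window(payload, pattern, start, length, nocase):
    """Search for pattern wholly inside payload[start:start+length].
    Returns the absolute index just past the match, or -1 when not found."""
    if start < 0 or start > len(payload):
        return -1
    window = payload[start:] if length is None else payload[start:start + length]
    hay, needle = (window.lower(), pattern.lower()) if nocase else (window, pattern)
    idx = hay.find(needle)
    return -1 if idx < 0 else start + idx + len(pattern)


def match_chain(payload, chain):
    """chain: list of dicts with 'pattern' (bytes) and optional offset, depth,
    distance, within, nocase. A content with distance or within is searched
    relative to the end of the previous match; otherwise from the payload start."""
    prev_end = None
    for c in chain:
        relative = prev_end is not None and ("distance" in c or "within" in c)
        if relative:
            start, length = prev_end + c.get("distance", 0), c.get("within")
        else:
            start, length = c.get("offset", 0), c.get("depth")
        prev_end = find_in_window(payload, c["pattern"], start, length, c.get("nocase", False))
        if prev_end < 0:
            return False
    return True


# Extensions flagged by the VIRUS OUTBOUND rules on the slide.
BLOCKED = ("pif", "shs", "exe", "doc", "vbs", "hta")


def attachment_chain(ext):
    """The content chain of the '.<ext> file attachment' rules:
    Content-Disposition: ... filename=" ... .<ext>"  (only the last content is nocase)."""
    return [
        {"pattern": b"Content-Disposition:"},
        {"pattern": b'filename="', "distance": 0, "within": 30},
        {"pattern": ("." + ext + '"').encode(), "distance": 0, "within": 30, "nocase": True},
    ]


def flagged_attachments(payload):
    """Return the blocked extensions whose rule chain matches this SMTP payload."""
    return [ext for ext in BLOCKED if match_chain(payload, attachment_chain(ext))]


# Constructed SMTP message fragments (not from the slides).
MSG_PIF = (b"From: alice@example.com\r\nTo: bob@example.org\r\n"
           b"Content-Type: application/octet-stream; name=\"report.PIF\"\r\n"
           b"Content-Disposition: attachment; filename=\"report.PIF\"\r\n\r\nMZ...")
MSG_TXT = (b"Content-Type: text/plain; name=\"notes.txt\"\r\n"
           b"Content-Disposition: attachment; filename=\"notes.txt\"\r\n\r\nhello")
MSG_FAR = (b"Content-Disposition: attachment; size=12345; "
           b"creation-date=\"Fri, 16 Jan 2004 22:27:35\"; filename=\"setup.exe\"\r\n\r\nMZ...")

if __name__ == "__main__":
    for name, msg in (("MSG_PIF", MSG_PIF), ("MSG_TXT", MSG_TXT), ("MSG_FAR", MSG_FAR)):
        print(name, "->", flagged_attachments(msg) or "no match")
```

MSG_FAR is the case to remember when reading such rules: within:30 bounds how far the next content may be from the previous match, so a header with extra parameters before filename= slips past the signature even though the attachment type is one the rule names.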
Port Scanning
A particular threat is the TCP/UDP port scanner, which scans for open ports on a host (open port 10? open port 11? … open port 8888?). An open port is in the LISTEN state.
If an intruder finds one, it may try and connect to it.
Typical scans: ping sweeps, TCP scans, UDP scans, OS identification scans, account scans.

Ping Scanning
A particular threat is the ping port scanner, which pings multiple hosts to see which ones are alive (ping 192.168.0.1? ping 192.168.0.2? … ping 192.168.0.253? ping 192.168.0.254?).
If an intruder finds one, it may try and connect to it.
Typical scans: ping sweeps, TCP scans, UDP scans, OS identification scans, account scans.
Typically pings are barred at the gateway to the organisation.

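Detecting the port scans and ping sweeps of these two slides from a packet log, as an added example that is not part of the lecture or of Snort: the detector reads entries in the layout of Snort's packet log (the TCP entries follow the format shown later on the log slides; the ICMP entry layout is an assumption of this example), counts per source, inside a sliding time window, the distinct ports probed with bare SYNs on one host and the distinct hosts sent ICMP echo requests, and raises an alert when either count reaches a threshold. The log, the thresholds and the scanner address 10.0.0.5 are constructed for the example.

```python
# Added example (not part of the lecture slides): a port-scan and ping-sweep
# detector run over log entries in Snort's packet-log layout (the TCP entries
# follow the slides' format; the ICMP layout is assumed). For each source it
# counts, within a sliding time window, the distinct destination ports probed
# with bare SYNs on one host and the distinct hosts sent ICMP echo requests,
# and raises an alert when either count reaches its threshold. The log it
# reads is constructed below.
import re
from collections import defaultdict
from datetime import datetime

HEAD = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?$")
SEPARATOR = "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n"


def _parse_block(lines):
    m = HEAD.match(lines[0])
    if not m:
        raise ValueError("unexpected header line: " + lines[0])
    proto = lines[1].split()[0]
    e = {"time": datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f"),
         "src": m.group(2), "sport": int(m.group(3)) if m.group(3) else None,
         "dst": m.group(4), "dport": int(m.group(5)) if m.group(5) else None,
         "proto": proto}
    if proto == "TCP":
        e["flags"] = lines[2].split()[0]               # e.g. '******S*'
    elif proto == "ICMP":
        e["icmp_type"] = int(re.search(r"Type:(\d+)", lines[2]).group(1))
    return e


def parse_entries(text):
    """Split the log on its =+=+ separator lines and parse each entry."""
    entries, block = [], []
    for line in text.splitlines():
        if line.startswith("=+"):
            if block:
                entries.append(_parse_block(block))
                block = []
        elif line.strip():
            block.append(line.strip())
    if block:
        entries.append(_parse_block(block))
    return entries


def _max_distinct_in_window(items, window_s):
    """items: (time, key). Largest number of distinct keys seen within window_s seconds."""
    items = sorted(items, key=lambda x: x[0])
    best = lo = 0
    for hi in range(len(items)):
        while (items[hi][0] - items[lo][0]).total_seconds() > window_s:
            lo += 1
        best = max(best, len({k for _, k in items[lo:hi + 1]}))
    return best


def detect_scans(entries, port_threshold=5, host_threshold=5, window_s=10):
    """Return ('port-scan', src, dst, ports) and ('ping-sweep', src, None, hosts) alerts."""
    syns = defaultdict(list)    # src -> [(time, (dst, dport))]
    echoes = defaultdict(list)  # src -> [(time, dst)]
    for e in entries:
        if e["proto"] == "TCP" and e["flags"] == "******S*":   # SYN only: connection attempt
            syns[e["src"]].append((e["time"], (e["dst"], e["dport"])))
        elif e["proto"] == "ICMP" and e.get("icmp_type") == 8:  # echo request
            echoes[e["src"]].append((e["time"], e["dst"]))
    alerts = []
    for src, hits in syns.items():
        for dst in sorted({d for _, (d, _) in hits}):
            ports = _max_distinct_in_window([(t, p) for t, (d, p) in hits if d == dst], window_s)
            if ports >= port_threshold:
                alerts.append(("port-scan", src, dst, ports))
    for src, hits in echoes.items():
        hosts = _max_distinct_in_window(hits, window_s)
        if hosts >= host_threshold:
            alerts.append(("ping-sweep", src, None, hosts))
    return alerts


def _tcp_entry(ts, src, sport, dst, dport, flags):
    return (f"{ts} {src}:{sport} -> {dst}:{dport}\n"
            f"TCP TTL:128 TOS:0x0 ID:975 IpLen:20 DgmLen:48 DF\n"
            f"{flags} Seq: 0x26885B8B Ack: 0x0 Win: 0x4000 TcpLen: 28\n" + SEPARATOR)


def _icmp_entry(ts, src, dst):
    return (f"{ts} {src} -> {dst}\nICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60\n"
            "Type:8  Code:0  ID:512   Seq:1  ECHO\n" + SEPARATOR)


def sample_log():
    """Constructed log: one normal connection, then a scanner (10.0.0.5) probing six
    ports on 192.168.0.20 and pinging six hosts."""
    parts = [_tcp_entry("01/16-22:11:15.833440", "192.168.0.20", 3423, "192.168.0.22", 445, "******S*")]
    for i, port in enumerate((21, 22, 23, 25, 80, 110)):
        parts.append(_tcp_entry(f"01/16-22:12:0{i}.000000", "10.0.0.5", 40000 + i,
                                "192.168.0.20", port, "******S*"))
    for i in range(1, 7):
        parts.append(_icmp_entry(f"01/16-22:13:0{i}.000000", "10.0.0.5", f"192.168.0.{i}"))
    return "".join(parts)


if __name__ == "__main__":
    for alert in detect_scans(parse_entries(sample_log())):
        print(alert)
```

The window and thresholds are the tuning knobs: a slow scanner that spreads its probes over minutes stays under a 10-second window, so a production detector keeps longer-lived per-source counters as well.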
Ping Scanning
Account scans try:
• Login anonymous - anonymous logins.
• Login fred fred - using the same password as the user ID.
• Login user password - using "password" as the password.
• Login root - using the root login.
• Login default - using system default logins.

Snort - Some Scan Rules
# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: scan.rules,v 1.21 2003/11/20 20:56:57 cazz Exp $
#-----------
# SCAN RULES
#-----------
# These signatures are representitive of network scanners. These include
# port scanning, ip mapping, and various application scanners.
#
# NOTE: This does NOT include web scanners such as whisker. Those are
# in web*
#
alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; ttl: >220; ack: 0; flags: S;reference:arachnids,439; classtype:attempted-recon; sid:613; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content: "VERSION|0A|"; depth: 16;reference:arachnids,303;classtype:attempted-recon; sid:616; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flags: SF12; dsize: 0; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S,12;classtype:attempted-recon; sid:618; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy Port 8080 attempt"; flags:S,12;classtype:attempted-recon; sid:620; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flags:S;seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flags:0; seq:0; ack:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN";flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:2;)
The "SCAN Proxy Port 8080 attempt" rule flags an attempt to connect to 8080.

Running Snort
File bill.rules:
alert tcp any any -> any any (content:"the"; msg:"The found ....";)
Run with:
Snort -v -c bill.rules -l /log
Alert.ids (in \log) then contains:
[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20

[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.287084 0:3:6D:FF:2A:51 -> 0:60:B3:68:B1:10 type:0x800 len:0x198
192.168.0.20:3554 -> 192.168.0.22:445 TCP TTL:128 TOS:0x0 ID:1086 IpLen:20 DgmLen:394 DF
***AP*** Seq: 0x3524EE7B Ack: 0xF842AB06 Win: 0x42E4 TcpLen: 20

[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.290026 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x5D
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:775 IpLen:20 DgmLen:79 DF
***AP*** Seq: 0xF842AB06 Ack: 0x3524EFDD Win: 0x41BF TcpLen: 20

Analysing Snort's Alert.ids file (Data frame)
[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20
The timestamp 01/16-22:27:35.286762 is 16 January, 10:27pm.

Analysing Snort's Alert.ids file (Data frame)
[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20
Ethernet data frame: Src MAC, Dest MAC, Type, Len, then the IP header and the TCP header.
Remember… IP addresses can be spoofed … the MAC addresses can't (well, it's difficult).
IP header fields: Version, Header length, Type of service, Total length, Identification, Flags (reserved, DF, MF), Fragment offset, Time-to-Live, Protocol, Header checksum, Source IP address, Destination IP address.
TCP header fields: Source port, Destination port, Sequence number, Acknowledgement number, Data offset, Reserved/Flags, Window, Checksum, Urgent pointer.

Analysing Snort's Alert.ids file (IP)
[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20
IP header fields: Version, Header length, Type of service, Total length, Identification, Flags (reserved, DF, MF), Fragment offset, Time-to-Live, Protocol, Header checksum, Source IP address, Destination IP address.
In the alert, the line "192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF" gives the IP header values: source address 192.168.0.22, destination address 192.168.0.20, protocol TCP, Time-to-Live 128, Type of service 0x0, Identification 774, header length 20 bytes (IpLen), total length 347 bytes (DgmLen) and the DF (don't fragment) flag set.
TCP header fields: Source port, Destination port, Sequence number, Acknowledgement number, Data offset, Reserved/Flags, Window, Checksum, Urgent pointer.

Analysing Snort's Alert.ids file (TCP)
[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20
IP header fields: Version, Header length, Type of service, Total length, Identification, Flags (reserved, DF, MF), Fragment offset, Time-to-Live, Protocol, Header checksum, Source IP address, Destination IP address.
TCP header fields: Source port, Destination port, Sequence number, Acknowledgement number, Data offset, Reserved/Flags, Window, Checksum, Urgent pointer.
In the alert, the TCP header values are: source port 445, destination port 3554, flags ***AP*** (ACK and PSH set), sequence number 0xF842A9D3, acknowledgement number 0x3524EE7B, window 0x4321 and TcpLen 20 (the data offset, in bytes).

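The field-by-field reading of the last four slides, as an added example that is not part of the lecture or of Snort: a parser that maps each full-alert entry onto the Ethernet frame, IP header and TCP header fields listed above, and derives two consistency checks from them: the frame length should equal the 14-byte Ethernet header plus DgmLen, and one packet's Seq plus its payload length (DgmLen minus IpLen minus TcpLen) should equal the Ack the other side sends next. The input is the three alert entries quoted on the Running Snort slide; the dictionary keys and function names are this example's own.

```python
# Added example (not part of the lecture slides or of Snort): a parser for the
# full-alert entries shown on these slides. Each entry is mapped onto the
# Ethernet frame, IP header and TCP header fields listed above, and two
# consistency checks are derived from them: the frame length should equal the
# 14-byte Ethernet header plus DgmLen, and the payload length (DgmLen - IpLen
# - TcpLen) added to one packet's Seq should equal the peer's next Ack. The
# input is the three alert entries quoted from the slides.
import re

ALERT_HDR = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIORITY = re.compile(r"^\[Priority: (\d+)\]")
ETHER = re.compile(r"^(\S+) ([0-9A-Fa-f:]+) -> ([0-9A-Fa-f:]+) type:0x([0-9A-Fa-f]+) len:0x([0-9A-Fa-f]+)$")
IPLINE = re.compile(r"^([\d.]+):(\d+) -> ([\d.]+):(\d+) (\w+) TTL:(\d+) TOS:0x([0-9A-Fa-f]+) "
                    r"ID:(\d+) IpLen:(\d+) DgmLen:(\d+)(.*)$")
TCPLINE = re.compile(r"^([*12UAPRSF]{8})\s+Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)"
                     r"\s+Win: 0x([0-9A-Fa-f]+)\s+TcpLen: (\d+)")
FLAG_NAMES = {"U": "URG", "A": "ACK", "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN",
              "1": "RES1", "2": "RES2"}
ETHERNET_HEADER_LEN = 14


def tcp_flags(display):
    """Snort prints the flag field as eight characters in the order 12UAPRSF, with
    '*' for a clear bit; return the names of the set bits."""
    return {FLAG_NAMES[ch] for ch in display if ch != "*"}


def parse_alert(lines):
    """Parse the five lines of one full-alert entry into a dict of header fields."""
    h, p, e, i, t = (ALERT_HDR.match(lines[0]), PRIORITY.match(lines[1]),
                     ETHER.match(lines[2]), IPLINE.match(lines[3]), TCPLINE.match(lines[4]))
    if not all((h, p, e, i, t)):
        raise ValueError("entry does not match the full-alert layout: " + lines[0])
    a = {"gid": int(h.group(1)), "sid": int(h.group(2)), "rev": int(h.group(3)),
         "msg": h.group(4), "priority": int(p.group(1)),
         # Ethernet data frame
         "timestamp": e.group(1), "src_mac": e.group(2), "dst_mac": e.group(3),
         "ethertype": int(e.group(4), 16), "frame_len": int(e.group(5), 16),
         # IP header
         "src_ip": i.group(1), "sport": int(i.group(2)), "dst_ip": i.group(3),
         "dport": int(i.group(4)), "proto": i.group(5), "ttl": int(i.group(6)),
         "tos": int(i.group(7), 16), "ip_id": int(i.group(8)), "iplen": int(i.group(9)),
         "dgmlen": int(i.group(10)), "ip_flags": i.group(11).split(),
         # TCP header
         "tcp_flags": tcp_flags(t.group(1)), "seq": int(t.group(2), 16),
         "ack": int(t.group(3), 16), "win": int(t.group(4), 16), "tcplen": int(t.group(5))}
    a["payload_len"] = a["dgmlen"] - a["iplen"] - a["tcplen"]
    a["frame_ok"] = a["frame_len"] == ETHERNET_HEADER_LEN + a["dgmlen"]
    return a


def parse_alerts(text):
    """Split an alert.ids file into entries (each starts with a [**] line)."""
    entries, block = [], []
    for line in text.splitlines():
        if line.startswith("[**]") and block:
            entries.append(parse_alert(block))
            block = []
        if line.strip():
            block.append(line.strip())
    if block:
        entries.append(parse_alert(block))
    return entries


def ack_matches(prev, cur):
    """True when cur acknowledges exactly the bytes prev carried (Seq + payload)."""
    return cur["ack"] == (prev["seq"] + prev["payload_len"]) % (1 << 32)


# The three entries quoted from the "Running Snort" slide.
SAMPLE = """[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20

[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.287084 0:3:6D:FF:2A:51 -> 0:60:B3:68:B1:10 type:0x800 len:0x198
192.168.0.20:3554 -> 192.168.0.22:445 TCP TTL:128 TOS:0x0 ID:1086 IpLen:20 DgmLen:394 DF
***AP*** Seq: 0x3524EE7B Ack: 0xF842AB06 Win: 0x42E4 TcpLen: 20

[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.290026 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x5D
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:775 IpLen:20 DgmLen:79 DF
***AP*** Seq: 0xF842AB06 Ack: 0x3524EFDD Win: 0x41BF TcpLen: 20
"""

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE)
    for a in alerts:
        print(a["timestamp"], a["src_ip"], a["sport"], "->", a["dst_ip"], a["dport"],
              sorted(a["tcp_flags"]), "payload", a["payload_len"], "frame_ok", a["frame_ok"])
    print("ack chain:", ack_matches(alerts[0], alerts[1]), ack_matches(alerts[1], alerts[2]))
```

On the slide's own data the checks hold: 0x169 is 361 = 14 + 347, and 0xF842A9D3 + 307 bytes of payload is 0xF842AB06, exactly the Ack carried by the reply; such arithmetic is what lets an analyst tell a genuine session from injected or spoofed segments.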
Analysing Snort's Log
The log directory holds one subdirectory per host:
log/
+ 192.168.0.1
+ 192.168.0.2
+ 192.168.0.3
+ 192.168.0.20
+ 192.168.0.21
+ 192.168.0.24
+ 192.168.0.25
+ 192.168.0.60
and within a host's directory one file per connection:
TCP_3423-445.ids
TCP_3424-139.ids
TCP_3521-445.ids
TCP_3529-139.ids
TCP_3554-445.ids
TCP_3566-445.ids
TCP_3423-445.ids is the log of traffic between port 3423 and 445 to/from 192.168.0.20:
01/16-22:11:15.833440 192.168.0.20:3423 -> 192.168.0.22:445
TCP TTL:128 TOS:0x0 ID:975 IpLen:20 DgmLen:48 DF
******S* Seq: 0x26885B8B Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/16-22:11:15.835497 192.168.0.22:445 -> 192.168.0.20:3423
TCP TTL:128 TOS:0x0 ID:653 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xE9A4004C Ack: 0x26885B8C Win: 0x4470 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/16-22:11:15.835571 192.168.0.20:3423 -> 192.168.0.22:445
TCP TTL:128 TOS:0x0 ID:977 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x26885B8C Ack: 0xE9A4004D Win: 0x4470 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Analysis TCP Flags
TCP header fields: Source port, Destination port, Sequence number, Acknowledgement number, Data offset, Flags (UAPRSF), Window, Checksum, Urgent pointer.
Flags – the flag field is defined as UAPRSF:
• U is the urgent flag (URG).
• A the acknowledgement flag (ACK).
• P the push function (PSH).
• R the reset flag (RST).
• S the sequence synchronize flag (SYN).
• F the end-of-transmission flag (FIN).

Analysis TCP Flags
The SYN flag identifies a connection:
   Originator                                             Recipient
1. CLOSED                                                 LISTEN
2. SYN-SENT     -> <SEQ=999><CTL=SYN>                     SYN-RECEIVED
3. ESTABLISHED  <- <SEQ=100><ACK=1000><CTL=SYN,ACK>       SYN-RECEIVED
4. ESTABLISHED  -> <SEQ=1000><ACK=101><CTL=ACK>           ESTABLISHED
5. ESTABLISHED  -> <SEQ=1000><ACK=101><CTL=ACK><DATA>     ESTABLISHED

Testing Flags in Snort
An incoming SYN flag is important in detecting the start of a connection. The main flags are:
F FIN, S SYN, R RST, P PSH, A ACK, U URG
The following modifiers can be set to change the match criteria:
+ match on the specified bits, plus any others
* match if any of the specified bits are set
! match if the specified bits are not set
Example to test for SYN flag:
alert tcp any any -> any any (flags:S;)
(Figure: a client asking a WWW server "Connection?")

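The matching semantics of the flags option, as an added example that is not part of the lecture or of Snort: a packet's flag field is read from the eight-character display used in the logs on the earlier slides (order 12UAPRSF, '*' for a clear bit); a flags: value is parsed into the requested bits, an optional +, * or ! modifier, and the optional ",12" mask of reserved bits to ignore that the scan rules use (flags:S,12), with flags:0 meaning no flags at all. The three flag strings it is run on are the SYN, SYN/ACK and ACK packets from the log slide; the bit values and function names are this example's own.

```python
# Added example (not part of the lecture slides or of Snort): the matching
# semantics of the flags option, reproduced in Python. A packet's flag field is
# taken from Snort's eight-character display (order 12UAPRSF, '*' for a clear
# bit, as in the logs on the earlier slides); a flags: value is parsed into the
# requested bits, an optional +, * or ! modifier and an optional ",12" mask of
# bits to ignore (used by the scan rules' flags:S,12), and flags:0 means no
# flags at all. The flag strings it is run on are the three handshake packets
# from the log slide.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20,
             "1": 0x40, "2": 0x80}


def flags_from_log(display):
    """'***A**S*' -> bitmask of the set flags."""
    mask = 0
    for ch in display:
        if ch != "*":
            mask |= FLAG_BITS[ch]
    return mask


def parse_flags_option(spec):
    """'S', '+S' (or 'S+'), '*SA', '!A', 'SF,12', '0' -> (modifier, bits, ignore_mask)."""
    spec = spec.strip()
    ignore = 0
    if "," in spec:
        spec, ignored = spec.split(",", 1)
        for ch in ignored.strip():
            ignore |= FLAG_BITS[ch]
    modifier = None
    if spec and spec[0] in "+*!":
        modifier, spec = spec[0], spec[1:]
    elif spec and spec[-1] in "+*!":
        modifier, spec = spec[-1], spec[:-1]
    bits = 0
    if spec != "0":
        for ch in spec:
            bits |= FLAG_BITS[ch]
    return modifier, bits, ignore


def flags_match(spec, packet_flags):
    """Apply a flags: value to a packet's flag bitmask."""
    modifier, bits, ignore = parse_flags_option(spec)
    pf = packet_flags & ~ignore
    if modifier is None:          # exactly these bits, no others
        return pf == bits
    if modifier == "+":           # these bits, plus any others
        return (pf & bits) == bits
    if modifier == "*":           # any of these bits
        return (pf & bits) != 0
    return (pf & bits) == 0       # '!': none of these bits


def connection_starts(flag_displays):
    """Indexes of packets that are bare SYNs, i.e. flags:S matches: connection starts."""
    return [i for i, d in enumerate(flag_displays) if flags_match("S", flags_from_log(d))]


# Flag fields of the SYN, SYN/ACK and ACK packets from the log slide.
HANDSHAKE = ["******S*", "***A**S*", "***A****"]

if __name__ == "__main__":
    for spec in ("S", "+S", "*SA", "!S", "A", "SF,12", "0"):
        print(f"flags:{spec:<6}", [flags_match(spec, flags_from_log(d)) for d in HANDSHAKE])
    print("connection starts at packet", connection_starts(HANDSHAKE))
```

The distinction to keep in mind when writing rules is that flags:S without a modifier is an exact match, so the SYN/ACK reply does not trigger it; flags:+S would match both, and flags:SF,12 is how the scan rules test SYN+FIN while tolerating the two reserved bits that some stacks set.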
Testing Flow in Snort
It is often important to know the flow direction. The main flow rule options are:
• to_client. Used for server responses to client.
• to_server. Used for client requests to server.
• from_client. Used on client responses.
• from_server. Used on server responses.
• established. Established TCP connections.
Example to test for an FTP connection to the user's computer:
alert tcp any any -> $HOME_NET 21 (flow:from_client; content:"CWD incoming"; nocase;)
(Figure: a client asking a WWW server "Connection?")

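How a stream tracker decides those flow keywords, as an added example that is not part of the lecture or of Snort: the side that sends the bare SYN is taken as the client, so its packets are to_server and the replies to_client, and established becomes true once the SYN, SYN/ACK, ACK handshake of the earlier slide has completed. The log is the three handshake entries from the log slide plus two constructed data packets; flow_matches then evaluates flow: values such as the from_client of the rule above against the labelled packets. The state names and function names are this example's own.

```python
# Added example (not part of the lecture slides or of Snort): how a stream
# tracker decides the flow: direction of each packet. The side that sends the
# bare SYN is the client, so its packets are to_server and the replies are
# to_client; established becomes true once the SYN, SYN/ACK, ACK handshake has
# completed. The log is the three handshake entries from the log slide plus two
# constructed data packets; flow_matches then evaluates flow: values such as
# the "from_client" of the FTP rule above against the labelled packets.
import re

ENTRY = re.compile(r"^(\S+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
ALIASES = {"from_client": "to_server", "from_server": "to_client"}


def parse_log(text):
    """Parse packet-log entries separated by =+=+ lines; the flags string is the
    first word of each entry's third line (e.g. '***A**S*')."""
    pkts, block = [], []
    for line in text.splitlines() + ["=+"]:
        if line.startswith("=+"):
            if block:
                m = ENTRY.match(block[0])
                if not m:
                    raise ValueError("unexpected entry header: " + block[0])
                flags = block[2].split()[0]
                pkts.append({"time": m.group(1), "src": m.group(2), "sport": int(m.group(3)),
                             "dst": m.group(4), "dport": int(m.group(5)),
                             "syn": "S" in flags, "ack": "A" in flags})
                block = []
        elif line.strip():
            block.append(line.strip())
    return pkts


def label_flows(text):
    """Attach 'flow' (to_server/to_client/unknown) and 'established' to each packet."""
    conns = {}   # (client, cport, server, sport) -> handshake state
    out = []
    for p in parse_log(text):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in conns:
            key, flow = fwd, "to_server"
        elif rev in conns:
            key, flow = rev, "to_client"
        elif p["syn"] and not p["ack"]:          # bare SYN: src is the client
            conns[fwd] = "SYN_SENT"
            key, flow = fwd, "to_server"
        else:                                     # mid-stream, no handshake seen
            key, flow = None, "unknown"
        if key is not None:
            state = conns[key]
            if state == "SYN_SENT" and flow == "to_client" and p["syn"] and p["ack"]:
                conns[key] = "SYN_RECEIVED"
            elif state == "SYN_RECEIVED" and flow == "to_server" and p["ack"] and not p["syn"]:
                conns[key] = "ESTABLISHED"
        out.append({**p, "flow": flow,
                    "established": key is not None and conns[key] == "ESTABLISHED"})
    return out


def flow_matches(spec, packet):
    """Evaluate a flow: value ('to_server,established', 'from_client', ...) for a labelled packet."""
    for part in spec.split(","):
        part = ALIASES.get(part.strip(), part.strip())
        if part == "established":
            if not packet["established"]:
                return False
        elif part in ("to_server", "to_client"):
            if packet["flow"] != part:
                return False
        else:
            raise ValueError("unknown flow keyword: " + part)
    return True


SEP = "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n"
# Handshake entries from the slide, then two constructed data packets.
SAMPLE_LOG = (
    "01/16-22:11:15.833440 192.168.0.20:3423 -> 192.168.0.22:445\n"
    "TCP TTL:128 TOS:0x0 ID:975 IpLen:20 DgmLen:48 DF\n"
    "******S* Seq: 0x26885B8B Ack: 0x0 Win: 0x4000 TcpLen: 28\n"
    "TCP Options (4) => MSS: 1460 NOP NOP SackOK\n" + SEP +
    "01/16-22:11:15.835497 192.168.0.22:445 -> 192.168.0.20:3423\n"
    "TCP TTL:128 TOS:0x0 ID:653 IpLen:20 DgmLen:48 DF\n"
    "***A**S* Seq: 0xE9A4004C Ack: 0x26885B8C Win: 0x4470 TcpLen: 28\n"
    "TCP Options (4) => MSS: 1460 NOP NOP SackOK\n" + SEP +
    "01/16-22:11:15.835571 192.168.0.20:3423 -> 192.168.0.22:445\n"
    "TCP TTL:128 TOS:0x0 ID:977 IpLen:20 DgmLen:40 DF\n"
    "***A**** Seq: 0x26885B8C Ack: 0xE9A4004D Win: 0x4470 TcpLen: 20\n" + SEP +
    "01/16-22:11:15.840000 192.168.0.20:3423 -> 192.168.0.22:445\n"   # constructed
    "TCP TTL:128 TOS:0x0 ID:978 IpLen:20 DgmLen:128 DF\n"
    "***AP*** Seq: 0x26885B8C Ack: 0xE9A4004D Win: 0x4470 TcpLen: 20\n" + SEP +
    "01/16-22:11:15.842000 192.168.0.22:445 -> 192.168.0.20:3423\n"   # constructed
    "TCP TTL:128 TOS:0x0 ID:654 IpLen:20 DgmLen:100 DF\n"
    "***AP*** Seq: 0xE9A4004D Ack: 0x26885BE4 Win: 0x4470 TcpLen: 20\n" + SEP)

if __name__ == "__main__":
    for p in label_flows(SAMPLE_LOG):
        print(p["time"], p["src"], "->", p["dst"], p["flow"],
              "established" if p["established"] else "")
```

The unknown label is the practical caveat: a sensor that starts capturing after the handshake (or that missed the SYN because it sits on a switch port) cannot tell client from server, so rules carrying flow:to_server,established will not fire for that session until a new connection is seen.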
Analysing Snort's Log
01/16-22:11:15.833440 192.168.0.20:3423 -> 192.168.0.22:445
TCP TTL:128 TOS:0x0 ID:975 IpLen:20 DgmLen:48 DF
******S* Seq: 0x26885B8B Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/16-22:11:15.835497 192.168.0.22:445 -> 192.168.0.20:3423
TCP TTL:128 TOS:0x0 ID:653 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xE9A4004C Ack: 0x26885B8C Win: 0x4470 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/16-22:11:15.835571 192.168.0.20:3423 -> 192.168.0.22:445
TCP TTL:128 TOS:0x0 ID:977 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x26885B8C Ack: 0xE9A4004D Win: 0x4470 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
The second line of each entry carries the IP header fields (Version, Header length, Type of service, Total length, Identification, Flags (reserved, DF, MF), Fragment offset, Time-to-Live, Protocol, Header checksum, Source IP address, Destination IP address); the first and third lines carry the TCP header fields (Source port, Destination port, Sequence number, Acknowledgement number, Data offset, Flags UAPRSF, Window, Checksum, Urgent pointer).

Analysing Snort's ARP log
01/16-09:31:08.785149 ARP who-has 192.168.0.168 tell 192.168.0.22
01/16-09:45:59.458607 ARP who-has 192.168.0.42 tell 192.168.0.216
01/16-09:45:59.459159 ARP reply 192.168.0.42 is-at 0:20:18:38:B8:63
01/16-09:46:03.857325 ARP who-has 192.168.0.104 tell 192.168.0.198
01/16-09:46:10.125715 ARP who-has 192.168.0.15 tell 192.168.0.38
01/16-09:46:10.125930 ARP who-has 192.168.0.38 tell 192.168.0.15
ARP request: Who has 192.168.0.168? The ARP request is broadcast to the network. Devices on a switch can only communicate directly if they have both the MAC address and the IP address.
The ARP reply is sent to the network, on which every node on the segment updates its ARP table.

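A monitor for this ARP log format, as an added example that is not part of the lecture or of Snort: it parses who-has and reply lines, builds the IP-to-MAC table that the replies reveal, reports any IP whose MAC changes between replies (the inconsistency to investigate given the earlier remark that IP addresses can be spoofed but MAC addresses are much harder to), lists requests that never got a reply, and counts requests per host. The input is the six lines quoted from the slide plus two constructed lines, the second of which carries a different MAC for 192.168.0.42; that MAC and the function names are this example's own.

```python
# Added example (not part of the lecture slides or of Snort): a monitor for the
# ARP log format above. It parses who-has / reply lines, builds the IP-to-MAC
# table that the replies reveal, reports any IP whose MAC changes between
# replies (the kind of inconsistency to investigate when IP addresses may be
# spoofed), and lists requests that never got a reply in the log. The input is
# the six lines quoted from the slide plus two constructed lines.
import re

ARP_LINE = re.compile(r"^(\S+) ARP (who-has|reply) ([\d.]+) (?:tell|is-at) (\S+)$")


def parse_arp(text):
    """Each entry: time, op ('who-has' or 'reply'), ip, and either the asker (tell) or the MAC (is-at)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ARP_LINE.match(line)
        if not m:
            raise ValueError("unexpected ARP line: " + line)
        entries.append({"time": m.group(1), "op": m.group(2), "ip": m.group(3), "arg": m.group(4)})
    return entries


def arp_table(entries):
    """Build ip -> MAC from replies; return (table, conflicts) where each conflict is
    (time, ip, previous_mac, new_mac)."""
    table, conflicts = {}, []
    for e in entries:
        if e["op"] != "reply":
            continue
        old = table.get(e["ip"])
        if old is not None and old != e["arg"]:
            conflicts.append((e["time"], e["ip"], old, e["arg"]))
        table[e["ip"]] = e["arg"]
    return table, conflicts


def unanswered_requests(entries):
    """IPs asked for with who-has that never appear in a reply later in the log.
    Returns ip -> first host that asked."""
    pending = {}
    for e in entries:
        if e["op"] == "who-has":
            pending.setdefault(e["ip"], e["arg"])
        elif e["op"] == "reply":
            pending.pop(e["ip"], None)
    return pending


def requests_per_host(entries):
    """How many who-has requests each host issued (a very high count suggests a sweep)."""
    counts = {}
    for e in entries:
        if e["op"] == "who-has":
            counts[e["arg"]] = counts.get(e["arg"], 0) + 1
    return counts


# Six lines quoted from the slide, then two constructed lines: a second reply
# for 192.168.0.42 carrying a different MAC.
ARP_LOG = """01/16-09:31:08.785149 ARP who-has 192.168.0.168 tell 192.168.0.22
01/16-09:45:59.458607 ARP who-has 192.168.0.42 tell 192.168.0.216
01/16-09:45:59.459159 ARP reply 192.168.0.42 is-at 0:20:18:38:B8:63
01/16-09:46:03.857325 ARP who-has 192.168.0.104 tell 192.168.0.198
01/16-09:46:10.125715 ARP who-has 192.168.0.15 tell 192.168.0.38
01/16-09:46:10.125930 ARP who-has 192.168.0.38 tell 192.168.0.15
01/16-09:50:00.000000 ARP who-has 192.168.0.42 tell 192.168.0.216
01/16-09:50:00.000500 ARP reply 192.168.0.42 is-at 0:11:22:33:44:55
"""

if __name__ == "__main__":
    entries = parse_arp(ARP_LOG)
    table, conflicts = arp_table(entries)
    print("table:", table)
    print("conflicts:", conflicts)
    print("unanswered:", unanswered_requests(entries))
    print("requests per host:", requests_per_host(entries))
```

A MAC change for a stable server address is worth an investigation rather than an automatic block: a replaced network card produces the same log as an impersonation, so the conflict list is a lead for the analyst, not a verdict.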
So how can Snort help us?
So what does Snort tell us?
• Logs date/time of alerts and data packets.
• Generates alerts (alert.ids).
• Logs every data packet and every connection.
• Logs ARP requests and responses.
• Logs MAC addresses with IP addresses.
For 99.99% of the time, the monitoring of data packets may not be important … but every so often there's a breach, and the evidence must be picked through.
But how do we generate evidence for breaches? … this will be covered in Unit 4 (Forensic Computing).

… and finally the ultimate IDS … User profiling
User profile: typing speed 20 wpm; applications run: Word, Excel; typical commands run: dir, cd; files accessed: doc, xls; working times: 0900-1700 … etc.
1. Profile downloaded to agent on host.
2. Agent then checks current usage against the user profile. If they differ greatly … contact the Administrator on a possible intrusion.
3. Profile updated when the user completes their work.

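The agent-side check of this user-profiling IDS, which is also the anomaly-detection approach named on the Snort slide, as an added example that is not part of the lecture: a profile holds the user's normal ranges and sets (the values are those on the slide, with the 20 wpm typing speed widened to a 15-25 band, an assumption of this example), check() lists every way a session departs from it and raises an alert when the deviations exceed a threshold, and update_profile() folds an accepted session back into the profile as step 3 describes. The sessions, the threshold and the function names are constructed for the example.

```python
# Added example (not part of the lecture slides): the agent-side check of the
# user-profiling IDS described above, which is also the anomaly-detection
# approach mentioned on the Snort slide. A profile holds the user's normal
# ranges and sets (the values are the ones on the slide; the typing-speed band
# is an assumption); check() lists every way a session departs from it and
# raises an alert when the deviations exceed a threshold; update_profile()
# folds an accepted session back into the profile, as step 3 on the slide
# describes. Session data is constructed.


def deviations(profile, session):
    """Return a list of (attribute, detail) pairs where the session leaves the profile."""
    found = []
    lo, hi = profile["typing_wpm"]
    if not lo <= session["typing_wpm"] <= hi:
        found.append(("typing_wpm", f"{session['typing_wpm']} outside {lo}-{hi}"))
    for attr in ("applications", "commands", "file_types"):
        unknown = sorted(set(session[attr]) - profile[attr])
        if unknown:
            found.append((attr, "unseen: " + ", ".join(unknown)))
    start, end = profile["working_hours"]
    if not start <= session["login_hour"] < end:
        found.append(("working_hours", f"login at {session['login_hour']:02d}00"))
    return found


def check(profile, session, max_deviations=2):
    """Step 2 on the slide: compare current usage with the profile.
    Returns (alert_administrator, deviations)."""
    found = deviations(profile, session)
    return len(found) > max_deviations, found


def update_profile(profile, session):
    """Step 3: widen the profile with a session that was not flagged. Returns a new profile."""
    alert, _ = check(profile, session)
    if alert:
        return profile                      # never learn from a suspicious session
    lo, hi = profile["typing_wpm"]
    wpm = session["typing_wpm"]
    return {"typing_wpm": (min(lo, wpm), max(hi, wpm)),
            "applications": profile["applications"] | set(session["applications"]),
            "commands": profile["commands"] | set(session["commands"]),
            "file_types": profile["file_types"] | set(session["file_types"]),
            "working_hours": profile["working_hours"]}


# Profile values from the slide (typing speed given as a band around 20 wpm).
PROFILE = {"typing_wpm": (15, 25), "applications": {"Word", "Excel"},
           "commands": {"dir", "cd"}, "file_types": {"doc", "xls"},
           "working_hours": (9, 17)}

# Constructed sessions.
NORMAL = {"typing_wpm": 22, "applications": {"Word"}, "commands": {"dir"},
          "file_types": {"doc"}, "login_hour": 10}
ODD = {"typing_wpm": 65, "applications": {"Word", "Notepad"}, "commands": {"dir", "ipconfig"},
       "file_types": {"doc", "exe"}, "login_hour": 3}
SLIGHT = {"typing_wpm": 28, "applications": {"Excel"}, "commands": {"cd"},
          "file_types": {"xls"}, "login_hour": 16}

if __name__ == "__main__":
    for name, s in (("NORMAL", NORMAL), ("ODD", ODD), ("SLIGHT", SLIGHT)):
        alert, found = check(PROFILE, s)
        print(name, "ALERT" if alert else "ok", found)
    print("profile after SLIGHT:", update_profile(PROFILE, SLIGHT)["typing_wpm"])
```

The refusal to learn from a flagged session is the important design point: a profile that updates unconditionally can be walked step by step into accepting an intruder's behaviour as normal.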
… and finally (again) … the honeypot
Sometimes it is possible to create a 'honey-pot', or lure, which attracts an intruder so that they can be caught before they do any damage.
This device has all the required weaknesses, such as:
• Default administrator/password.
• Dummy users with weak passwords.
• Ports open for connection.
• React to virus/worm systems (but simulate conditions).