
CIT 380: Securing Computer Systems: Network Monitoring (presentation transcript)


Slide 1: CIT 380: Securing Computer Systems: Network Monitoring

Slide 2: Example: snort
Network Intrusion Detection System
–Sniffs packets off the wire.
–Checks packets for matches against rule sets.
–Logs detected signs of misuse.
–Alerts the administrator when misuse is detected.

Slide 3: Snort Rules
Rule Header
–Action: pass, log, alert
–Network Protocol
–Source Address (Host or Network) + Port
–Destination Address (Host or Network) + Port
Rule Body
–Content: packet ASCII or binary content
–TCP/IP flags and options to match
–Message to log, indicating the nature of the misuse detected

Slide 4: Snort Rule Example
Example: rule for an ssh shellcode exploit
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326; rev:3;)
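The rule layout on slides 3 and 4 is easier to see with a parser that takes it apart. The following is an added example written for this transcript, not Snort's own code and not from the slides: it splits the slide 4 rule into its header fields (action, protocol, addresses, ports) and its option body, decodes the `|90 90 ...|` hex content, and applies only the content check to a constructed payload. The rule text is exactly the slide's; the payloads and all function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# The rule from slide 4 (sid 1326), used here as sample input.
SLIDE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
    '(msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; '
    'content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; '
    'reference:bugtraq,2347; reference:cve,CVE-2001-0144; '
    'classtype:shellcode-detect; sid:1326; rev:3;)'
)

ACTIONS = ("pass", "log", "alert")   # the three actions named on slide 3


@dataclass
class SnortRule:
    action: str
    protocol: str
    src_addr: str
    src_port: str
    direction: str
    dst_addr: str
    dst_port: str
    options: list = field(default_factory=list)   # (keyword, value) pairs, in order

    def option(self, keyword):
        """All values for a keyword; 'reference' may appear more than once."""
        return [v for k, v in self.options if k == keyword]


def split_options(body):
    """Split 'k:v; k:v;' on semicolons that are outside double quotes."""
    opts, current, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(current).strip()
            if token:
                key, _, value = token.partition(":")
                opts.append((key.strip(), value.strip()))
            current = []
        else:
            current.append(ch)
    if "".join(current).strip():
        raise ValueError('every option must be terminated by ";"')
    return opts


# action proto src_addr src_port direction dst_addr dst_port (options)
HEADER = re.compile(
    r"\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*", re.S
)


def parse_rule(text):
    """Parse one rule into header fields and option list (slide 3 layout)."""
    m = HEADER.fullmatch(text)
    if not m:
        raise ValueError("not a Snort rule: " + text[:40])
    action, proto, sa, sp, direction, da, dp, body = m.groups()
    if action not in ACTIONS:
        raise ValueError("unknown action: " + action)
    return SnortRule(action, proto, sa, sp, direction, da, dp, split_options(body))


def content_bytes(value):
    """Decode a content: value; |..| runs are hex bytes, everything else ASCII."""
    out = bytearray()
    for i, part in enumerate(value.strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def content_matches(rule, payload):
    """True when every content: pattern occurs in the payload.  Snort also
    checks flow:, flags and much more; only the content test is shown here."""
    return all(content_bytes(v) in payload for v in rule.option("content"))
```

Running `parse_rule(SLIDE_RULE)` gives a rule whose `option("reference")` returns both references and whose single `content:` decodes to sixteen 0x90 bytes; `content_matches` then reports a hit only for a payload that carries that NOP run, which is the part of the rule body that actually inspects packet content.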

Slide 5: Comparison and Contrast
Misuse detection: if all policy rules are known, it is easy to construct rulesets to detect violations.
–The usual case is that much of the policy is unspecified, so rulesets describe attacks, and are not complete.
Anomaly detection: detects unusual events, but these are not necessarily security problems.

Slide 6: False Positives
A new test for a disease that is 95% accurate.
Assume 1 in 1000 people have the disease.
Should everyone get the test?
–Sample size: 1000
–Expect 0.95 + (999 * 0.05) positives
–Ergo, 50 people will be told they have the disease
–If you test positive, only 2% chance you have it.
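The arithmetic on slide 6 is Bayes' rule with a small base rate, and it applies unchanged to an IDS signature. The block below is an added example, not from the slides: it reproduces the slide's figures (50.9 expected positives, about 2% chance of being ill given a positive test) and then applies the same two functions to a hypothetical IDS with constructed traffic numbers, so the lesson shows up as alert volume rather than patients.

```python
def expected_positives(population, prevalence, sensitivity, false_positive_rate):
    """Expected (true positives, false positives) when everyone is tested."""
    affected = population * prevalence
    unaffected = population - affected
    return affected * sensitivity, unaffected * false_positive_rate


def positive_predictive_value(prevalence, sensitivity, false_positive_rate):
    """P(really positive | test says positive): Bayes' rule with the base rate."""
    tp, fp = expected_positives(1.0, prevalence, sensitivity, false_positive_rate)
    return tp / (tp + fp)


def slide_6_numbers():
    """Slide 6: a 95% accurate test, 1 in 1000 prevalence, 1000 people tested."""
    tp, fp = expected_positives(1000, 1 / 1000, 0.95, 0.05)
    return {
        "true_positives": tp,            # 0.95
        "false_positives": fp,           # 999 * 0.05 = 49.95
        "positives": tp + fp,            # 50.9, "50 people told they have it"
        "ppv": positive_predictive_value(1 / 1000, 0.95, 0.05),   # about 0.02
    }


def ids_daily_alerts(sessions_per_day, attack_fraction, sensitivity, false_positive_rate):
    """Same arithmetic for an IDS signature.  All four inputs are constructed
    for the example; a real deployment would measure them."""
    tp, fp = expected_positives(sessions_per_day, attack_fraction,
                                sensitivity, false_positive_rate)
    return {
        "true_alerts": tp,
        "false_alerts": fp,
        "fraction_real": positive_predictive_value(attack_fraction, sensitivity,
                                                   false_positive_rate),
    }
```

With a million sessions a day, one in ten thousand hostile, and a signature that catches 95% of attacks with a 0.1% false-positive rate, `ids_daily_alerts(1_000_000, 0.0001, 0.95, 0.001)` yields roughly 95 real alerts against about 1000 false ones: the same base-rate effect as the disease test, which is why a low false-positive rate matters more than sensitivity for an analyst's queue.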

Slide 7: IDS Architecture
An IDS is essentially a sophisticated audit system.
–Agent gathers data for analysis.
–Director analyzes data obtained from the agents according to its internal rules.
–Notifier acts on director results.
  May simply notify the security officer.
  May reconfigure agents or director to alter collection and analysis methods.
  May activate a response mechanism.

Slide 8: Agents
Obtain information and send it to the director.
Preprocessing
–Simplifying and reformatting of data.
Push vs. Pull
–Agents may push data to the Director, or
–Director may pull data from Agents.

Slide 9: Host-Based Agents
1. Obtain information from logs
–May use many logs as sources.
–May be security-related or not.
–May use virtual logs if the agent is part of the kernel.
2. Agent generates its own information
–Analyzes the state of the system.
–Treats the results of the analysis as log data.

Slide 10: Network-Based Agents
Sniff traffic from the network.
–Use hubs, SPAN ports, or taps to see traffic.
–Need agents on all switches to see the entire network.
Agent needs the same view of traffic as the destination
–TTL tricks and fragmentation may obscure this.
End-to-end encryption defeats content monitoring
–Not traffic analysis, though.

Slide 11: Aggregation of Information
Agents produce information at multiple layers of abstraction.
–Application-monitoring agents provide one view of an event.
–System-monitoring agents provide a different view of an event.
–Network-monitoring agents provide yet another view (involving many packets) of an event.

Slide 12: Director
Reduces information from agents
–Eliminates unnecessary, redundant records.
Analyzes information to detect attacks
–Analysis engine can use any of the modelling techniques.
Usually runs on a separate system
–Does not impact performance of monitored systems.
–Rules and profiles are not available to ordinary users.

Slide 13: Example
Jane logs in to perform system maintenance during the day. She logs in at night to write reports. One night she begins recompiling the kernel.
Agent #1 reports logins and logouts.
Agent #2 reports commands executed.
–Neither agent spots the discrepancy.
–Director correlates the logs and spots it at once.
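The director's job in the Jane example is a join: attach each command to the login session it ran in, then compare the (user, session context, command) triple against a baseline. The block below is an added example, not from the slides: two constructed agent logs (agent #1 logins/logouts, agent #2 commands), a director that correlates them and builds a profile from normal days, and a check on the night she recompiles the kernel. The `source` field (console vs. remote) on login records is an added assumption, included so the same command is normal in one session context and not in another; `commands_only` shows what agent #2 could conclude on its own.

```python
from datetime import datetime

# Agent #1: login/logout events (constructed).  Format: date time event user source
AGENT1_BASELINE = """\
2004-03-01 09:00 login  jane console
2004-03-01 17:00 logout jane console
2004-03-01 21:30 login  jane remote
2004-03-01 23:00 logout jane remote
2004-03-02 08:45 login  jane console
2004-03-02 16:30 logout jane console
2004-03-02 22:00 login  jane remote
2004-03-02 23:30 logout jane remote
"""
# Agent #2: commands executed (constructed, command name only).  Format: date time user command
AGENT2_BASELINE = """\
2004-03-01 09:15 jane useradd
2004-03-01 10:40 jane make
2004-03-01 21:45 jane vi
2004-03-02 09:10 jane make
2004-03-02 22:10 jane vi
"""
# The night in question: a report-writing session in which a kernel build starts.
AGENT1_NIGHT = "2004-03-08 22:05 login  jane remote\n"
AGENT2_NIGHT = """\
2004-03-08 22:20 jane vi
2004-03-08 22:50 jane make
"""


def parse(text):
    """Yield (timestamp, remaining fields) for each non-empty log line."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            date, time, *rest = line.split()
            rows.append((datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"), rest))
    return rows


def band(ts):
    """Coarse time-of-day context: 06:00-17:59 is 'day', the rest 'night'."""
    return "day" if 6 <= ts.hour < 18 else "night"


def sessions(agent1_text):
    """Pair each login with its logout -> (user, start, end, source); open sessions get end=None."""
    open_sessions, closed = {}, []
    for ts, (event, user, source) in parse(agent1_text):
        if event == "login":
            open_sessions[user] = (ts, source)
        elif event == "logout" and user in open_sessions:
            start, src = open_sessions.pop(user)
            closed.append((user, start, ts, src))
    closed += [(u, s, None, src) for u, (s, src) in open_sessions.items()]
    return closed


def correlate(agent1_text, agent2_text):
    """Director step: join each command to its session -> (user, band, source, command)."""
    sess = sessions(agent1_text)
    joined = []
    for ts, (user, cmd) in parse(agent2_text):
        ctx = next(((band(s), src) for u, s, e, src in sess
                    if u == user and s <= ts and (e is None or ts <= e)), None)
        # A command with no enclosing login session is itself worth a look.
        joined.append((user, *(ctx or ("no-session", "unknown")), cmd))
    return joined


def build_profile(agent1_text, agent2_text):
    """Baseline: every (user, band, source, command) seen on normal days."""
    return set(correlate(agent1_text, agent2_text))


def detect(profile, agent1_text, agent2_text):
    """Correlated events never seen in the baseline."""
    return [ev for ev in correlate(agent1_text, agent2_text) if ev not in profile]


def commands_only(baseline_cmd_text, new_cmd_text):
    """What agent #2 alone could flag: a command this user has never run."""
    seen = {(u, c) for _, (u, c) in parse(baseline_cmd_text)}
    return [(u, c) for _, (u, c) in parse(new_cmd_text) if (u, c) not in seen]
```

`commands_only` returns nothing for the night in question, because Jane runs `make` routinely; `detect` returns the single triple `('jane', 'night', 'remote', 'make')`, because `make` has only ever appeared inside a daytime console session. Neither agent's data is anomalous on its own; the correlation is.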

Slide 14: Adaptive Directors
Modify profiles and rulesets to adapt their analysis to changes in the system
–Usually use machine learning or planning to determine how to do this.
Example: use neural nets to analyze logs
–Network adapted to users' behavior over time.
–Used learning techniques to improve classification of events as anomalous. Reduced the number of false alarms.

Slide 15: Notifier
Accepts information from the director
Takes appropriate action
–Notify the system security officer
–Respond to the attack
Often GUIs
–Use visualization to convey information.

Slide 16: Example Architecture: snort (figure; no transcript text)

Slide 17: IDS Deployment
IDS deployment should reflect your threat model.
Major classes of attackers:
1. External attackers intruding from the Internet.
2. Internal attackers intruding from your LANs.
Where should you place IDS systems?
1. Perimeter (outside firewall)
2. DMZ
3. Intranet
4. Wireless

Slide 18: IDS Deployment (figure; no transcript text)

Slide 19: Sguil NSM Console (figure; no transcript text)

Slide 20: Intrusion Prevention Systems
What else can you do with IDS alerts?
–Identify an attack before it completes.
–Prevent it from completing.
How to prevent attacks?
–Directly: IPS drops attack packets.
–Indirectly: IPS modifies firewall rules.
Is IPS a good idea?
–How do you deal with false positives?

Slide 21: IPS Deployment Types
Inline IPS
Non-Inline IPS
(Figure: two Intranet deployment diagrams; no further transcript text.)

Slide 22: Active Responses by Network Layer
Data Link: Shut down a switch port. Only useful for local intrusions. Rate limit switch ports.
Network: Block a particular IP address.
–Inline: can perform the blocking itself.
–Non-inline: send a request to the firewall.
Transport: Send TCP RST or ICMP messages to sender and target to tear down TCP sessions.

Slide 23: Active Responses by Network Layer (continued)
Application: Inline IPS can modify application data to be harmless: /bin/sh -> /ben/sh

Slide 24: Host IDS and IPS
Anti-virus and anti-spyware
–AVG anti-virus, SpyBot S&D
Log monitors
–swatch, logwatch
Integrity checkers
–tripwire, osiris, samhain
–Monitor file checksums, etc.
Application shims
–mod_security

Slide 25: Evading IDS and IPS
Alter appearance to prevent a signature match
–URL encode parameters to avoid a match.
–Use ' or 783>412-- for SQL injection.
Alter context
–Change TTL so the IDS sees different packets than the target host receives.
–Fragment packets so that the IDS and target host reassemble the packets differently.

Slide 26: Fragment Evasion Techniques
Use fragments
–Older IDS cannot handle reassembly.
Flood of fragments
–DoS via heavy use of CPU/RAM on the IDS.
Tiny fragments
–Break the attack into multiple fragments, none of which match the signature.
–ex: frag 1: "cat /etc", frag 2: "/shadow"
Overlapping fragments
–Offset of later fragments overwrites earlier fragments.
–ex: frag 1: "cat /etc/fred", frag 2: offset=10, "shadow"
–Different OSes deal differently with overlapping fragments.
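Seen from the IDS, both fragment cases on slide 26 come down to one question: does the sensor reassemble, and does it reassemble the way the target host will? The block below is an added example, not from the slides: a toy reassembler in which a fragment is just `(byte_offset, payload)` and two simplified policies are compared, `first` (the byte that arrived first is kept) and `last` (a later fragment overwrites). Real IP fragments carry offsets in 8-byte units and hosts have more policies than these two; offsets here are 0-based, so the slide's second overlapping fragment is written with offset 9. The signature string and fragment sets are constructed from the slide's examples.

```python
SIGNATURE = b"cat /etc/shadow"

# Fragment sets from slide 26, as (byte offset, payload).
TINY = [(0, b"cat /etc"), (8, b"/shadow")]          # neither piece matches alone
OVERLAP = [(0, b"cat /etc/fred"), (9, b"shadow")]    # second piece overwrites "fred"


def reassemble(fragments, policy):
    """Rebuild the byte stream; `policy` decides who wins on overlap.
    Returns None while the stream still has a hole."""
    if policy not in ("first", "last"):
        raise ValueError("unknown reassembly policy: " + policy)
    buf = {}
    for offset, payload in fragments:
        for i, byte in enumerate(payload):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if buf and set(buf) != set(range(max(buf) + 1)):
        return None
    return bytes(buf[i] for i in range(len(buf)))


def per_fragment_match(fragments, signature):
    """What an IDS that inspects each fragment on its own would see."""
    return any(signature in payload for _, payload in fragments)


def verdicts(fragments, signature):
    """Signature result under each reassembly policy the target might use.
    Disagreement between policies means the IDS cannot decide without
    knowing the target's behaviour (target-based reassembly)."""
    out = {}
    for policy in ("first", "last"):
        stream = reassemble(fragments, policy)
        out[policy] = stream is not None and signature in stream
    return out
```

For `TINY`, `per_fragment_match` is false while both policies reassemble to `cat /etc/shadow`, so a non-reassembling sensor misses what any reassembling one catches. For `OVERLAP`, `last` yields `cat /etc/shadow` and `first` yields `cat /etc/fredow`: the verdict depends on the target host's policy, which is the ambiguity the slide points at and the reason a network IDS is told which reassembly behaviour each protected host has.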

Slide 27: Web Evasion Techniques
URL encoding
–GET /%63%67%69%2d%62%69%6e/bad.cgi
/./ directory insertion
–GET /./cgi-bin/./bad.cgi
Long directory insertion
–GET /junklongdirectorypathstuffhereuseless/../cgi-bin/bad.cgi
–IDS may only read the first part of the URL for speed.
Tab separation
–GET /cgi-bin/bad.cgi (with a tab, not a space, after GET)
–Tabs usually work on servers, but may not be in the signature.
Case sensitivity
–GET /CGI-BIN/bad.cgi
–Windows filenames are case insensitive, but the signature may not be.
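Every trick on slide 27 is a different spelling of the same path, so the detection-side answer is to normalise the request the way the server will before comparing it with a signature. The block below is an added example, not from the slides: a request-line canonicaliser that splits on any whitespace (so a tab after GET is handled), percent-decodes, resolves `./` and `../`, and folds case only when the protected server is case-insensitive. The five sample requests are the slide's; `RAW_SIGNATURE`, the 40-byte scan limit of the naive matcher, and the function names are this example's assumptions.

```python
import posixpath
from urllib.parse import unquote

# The five request lines from slide 27.
SLIDE_REQUESTS = [
    "GET /%63%67%69%2d%62%69%6e/bad.cgi",
    "GET /./cgi-bin/./bad.cgi",
    "GET /junklongdirectorypathstuffhereuseless/../cgi-bin/bad.cgi",
    "GET\t/cgi-bin/bad.cgi",                       # tab instead of a space
    "GET /CGI-BIN/bad.cgi",
]

RAW_SIGNATURE = "GET /cgi-bin/bad.cgi"   # a literal signature on the raw request line
CANONICAL_PATH = "/cgi-bin/bad.cgi"      # the same thing as a normalised path


def naive_match(request_line, signature=RAW_SIGNATURE, scan_limit=40):
    """Literal substring check on the raw request, looking only at the first
    `scan_limit` bytes (the 'reads only the first part for speed' shortcut)."""
    return signature in request_line[:scan_limit]


def canonical_path(request_line, case_insensitive_target=False):
    """Extract the path from a request line and normalise it the way the
    server will interpret it."""
    parts = request_line.split()            # str.split() treats a tab like a space
    if len(parts) < 2:
        raise ValueError("malformed request line")
    path = parts[1].split("?", 1)[0]        # the query string is not part of the path
    path = unquote(path)                    # %63%67%69%2d%62%69%6e -> cgi-bin
    path = posixpath.normpath(path)         # /./a/../b -> /b, collapses // as well
    if case_insensitive_target:             # Windows-style filesystem behind the server
        path = path.lower()
    return path


def normalised_match(request_line, signature=CANONICAL_PATH, case_insensitive_target=False):
    """Compare the canonical path with the signature, folding the signature's
    case only when the target would."""
    sig = signature.lower() if case_insensitive_target else signature
    return canonical_path(request_line, case_insensitive_target) == sig
```

The naive matcher misses all five slide requests. After normalisation the first four match regardless of target, and the upper-case one matches only when the protected server is declared case-insensitive, which is the correct outcome: on a case-sensitive Unix server `/CGI-BIN/bad.cgi` would not reach the script either, so alerting on it would be a false positive. Decoding before path normalisation matters; doing it the other way round lets an encoded `%2e%2e` slip through.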

Slide 28: Countering Evasion
Keep IDS/IPS signatures up to date.
–On a daily or weekly basis.
Use both host and network IDS/IPS.
–Host-based is harder to evade, as it runs on the host.
–Fragment attacks can't evade a host IDS.
–Network IDS still useful as an overall monitor.
Like any alarm, IDS/IPS has
–False positives
–False negatives

Slide 29: Key Points
Models of IDS:
–Anomaly detection: unexpected events.
–Misuse detection: violations of policy.
IDS Architecture:
–Agents.
–Director.
–Notifiers.
Types of IDS:
–Host: agent on the host checks files and processes to detect attacks.
–Network: sniffs and analyzes packets to detect intrusions.
IDS/IPS Evasion:
–Alter appearance to avoid a signature match.
–Alter context so the IDS interprets traffic differently than the host.

Slide 30: References
1. Richard Bejtlich, The Tao of Network Security Monitoring, Addison-Wesley, 2004.
2. Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2003.
3. Brian Caswell et al., Snort 2.0 Intrusion Detection, Syngress, 2003.
4. William Cheswick, Steven Bellovin, and Aviel Rubin, Firewalls and Internet Security, 2nd edition, 2003.
5. The Honeynet Project, Know Your Enemy, 2nd edition, Addison-Wesley, 2004.
6. Richard A. Kemmerer and Giovanni Vigna, "Intrusion Detection: A Brief History and Overview," IEEE Security & Privacy, v1 n1, Apr 2002, pp. 27-30.
7. Steven Northcutt and Julie Novak, Network Intrusion Detection, 3rd edition, New Riders, 2002.
8. Michael Rash et al., Intrusion Prevention and Active Response, Syngress, 2005.
9. Rafiq Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID, Prentice Hall, 2003.
10. Ed Skoudis, Counter Hack Reloaded, 2nd edition, Prentice Hall, 2006.
11. Ed Skoudis and Lenny Zeltser, Malware: Fighting Malicious Code, Prentice Hall, 2003.

