Logging and Intrusion Detection Systems Lesson 18.

Intrusion and Misuse Detection
Remember the operational model of security: protection = prevention + (detection + response). Access controls and filters seek to prevent unauthorized or damaging activity; intrusion and misuse detection mechanisms aim to detect it at its outset or after the fact. Intrusion detection has its roots in audit log files and operates on the principle that it is neither practical nor feasible to prevent all attacks.

Intrusion Detection
Can be manual (review of logs), automated, or a combination. Closely related to monitoring. Workplace monitoring is used to:
ensure quality
assess performance
comply with regulations (e.g. ensure stockbrokers aren't using high-pressure tactics in violation of stock exchange rules)

Audit Trails
Early intrusion detection involved reviewing system log or audit files. What events can be audited varies from system to system. Examples of auditable events include:
reading/opening a file
writing to or modifying a file
creation or deletion of an object
logins and logouts
other administrative actions
special operations (e.g. changing a password)

Logging
Logs can be used to:
troubleshoot problems
track network anomalies
trace an intruder
provide evidence if a case is brought to trial
determine the extent of damage
You need to establish a logging policy:
What are you going to log?
What tools will be used to create the logs?
Who will review the logs, and how often?
How long will logs be stored? Where and how?

Logging tools
Most OSs have logging functions built in, but these are some of the first targets of intruders. Tools to help cleanse logs include UTClean, remove, and marry; 'rootkits' usually contain a log cleanser too. Other tools are available to report data from logs and collect data from diverse sources:
SWATCH (system watcher)
Watcher
LogSurfer
NestWatch

SWATCH
As an example of logging tools, SWATCH provides real-time monitoring, logging, and reporting. Its features include:
a "backfinger" utility to grab finger information from an attacking host
support for instant paging
conditional execution of commands (e.g. if a certain condition is found in a log file, then execute a certain sequence of commands)
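As an added example (not part of the slides and not SWATCH's own code), a minimal watcher in the same spirit: each log line is tested against a set of patterns, and an action fires once a per-source threshold is reached. The log lines, thresholds and action names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed syslog-style sample lines (not from the original slides).
SAMPLE_LOG = """\
Mar 10 02:11:01 host1 sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:11:03 host1 sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:11:05 host1 sshd[4120]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 02:11:09 host1 sshd[4131]: Accepted password for alice from 198.51.100.5 port 40022 ssh2
Mar 10 02:12:00 host1 su[4140]: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Mar 10 02:12:30 host1 sshd[4150]: Failed password for root from 203.0.113.7 port 51030 ssh2
"""

# Watch rules in SWATCH's "if this pattern is seen, then do that" style:
# (compiled regex with a 'key' group, matches needed per key, action name).
WATCH_RULES = [
    (re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<key>\S+)"), 3, "page-admin"),
    (re.compile(r"su\[\d+\]: .*authentication failure; logname=(?P<key>\w+)"), 1, "mail-admin"),
]

def watch(lines, rules=WATCH_RULES):
    """Scan lines in order; return the (action, key, count) triples that fired."""
    counts = defaultdict(int)
    fired = []
    for line in lines:
        for regex, threshold, action in rules:
            m = regex.search(line)
            if not m:
                continue
            key = (action, m.group("key"))
            counts[key] += 1
            if counts[key] == threshold:      # fire exactly once per key
                fired.append((action, m.group("key"), counts[key]))
    return fired
```

In a real deployment the action name would be mapped to the command sequence to execute (a pager call, a mail, a firewall change); here it is returned so the behaviour can be checked.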

Intrusion Detection Systems
Various types of activities that an IDS checks for:
attempted/successful break-ins
masquerading
penetration by legitimate users
leakage by legitimate users
inference by legitimate users
Trojan horses
viruses
denial of service

Approaches to IDS Attempt to define and detect abnormal behavior Attempt to define and detect anomalous activity

Methods to perform IDS
Four major methods have been attempted to perform intrusion detection:
User Profiling
Intruder Profiling
Signature Analysis
Action-based (attack "signatures")

User Profiling
Basic premise: the identity of any specific user can be described by a profile of commonly performed actions. The user's pattern of behavior is observed and established over a period of time. Each user tends to use certain commands more than others, access the same files, log in at certain times and at specific frequencies, and execute the same programs. A user profile can be established based on these activities and maintained through frequent updating. A masquerading intruder will not match this profile.

User Profiling
Types of activity to record may include:
CPU and I/O usage
connect time, time of connection, and duration
location of use
command usage
mailer usage
editor and compiler usage
directories and files accessed/modified
errors
network activity
The initial profile takes time to build and can generate many alarms. Weighted actions are often used (more recent activities count more than activities accomplished in the past).
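An added example, not from the slides: a weighted user profile built from constructed session records (command usage and login hour), scored with surprisal so that a session full of commands and hours the user never produced stands out. The decay factor, floor probability and threshold are assumed values chosen for the example.

```python
from collections import Counter
from math import log

# Constructed session history for user "alice", oldest first (not data from the slides).
ALICE_HISTORY = [
    {"hour": 9,  "cmds": ["ls", "cd", "vi", "make", "gcc", "ls", "mail"]},
    {"hour": 10, "cmds": ["ls", "vi", "make", "gcc", "gcc", "ls"]},
    {"hour": 9,  "cmds": ["mail", "ls", "cd", "vi", "make"]},
    {"hour": 14, "cmds": ["ls", "vi", "vi", "make", "gcc", "mail"]},
    {"hour": 10, "cmds": ["cd", "ls", "vi", "make"]},
]

def build_profile(history, decay=0.8):
    """Weighted command-usage and login-hour frequencies for one user.
    Session i (oldest = 0) gets weight decay**(n-1-i), so recent sessions count more."""
    cmd_w, hour_w, total = Counter(), Counter(), 0.0
    n = len(history)
    for i, sess in enumerate(history):
        w = decay ** (n - 1 - i)
        for c in sess["cmds"]:
            cmd_w[c] += w
        hour_w[sess["hour"]] += w
        total += w
    cmd_total = sum(cmd_w.values())
    return {"cmd": {c: v / cmd_total for c, v in cmd_w.items()},
            "hour": {h: v / total for h, v in hour_w.items()}}

def session_score(profile, session, floor=0.01):
    """Mean surprisal (-ln p) of the session's commands plus the surprisal of its
    login hour; commands or hours never seen before get the small probability `floor`."""
    cmds = session["cmds"]
    score = sum(-log(profile["cmd"].get(c, floor)) for c in cmds) / len(cmds)
    return score - log(profile["hour"].get(session["hour"], floor))

def is_anomalous(profile, session, threshold=3.5):
    """Flag a session whose behaviour does not match the user's profile."""
    return session_score(profile, session) > threshold
```

Keeping the profile current is a matter of appending each accepted session to the history and rebuilding, which is how the slide's "frequent updating" would be realised here.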

Intruder Profiling
Concept similar to criminal profiles used in the law enforcement community: attempt to define the actions that an intruder will take once unauthorized access is obtained. For example, when an intruder first gains access the action often taken is to check to see who else is on, then examine files and directories, … Can also apply to insiders gaining access to files they are not authorized to access. The problem with this method is that it is hard to define all possible intruder profiles, and often the actions of a new user will appear similar to the actions of an intruder.

Signature Analysis
Just as an individual has a unique written signature which can be used for identification purposes, individuals also have a "typing signature". This characteristic was first noticed in telegraph days. The time it takes to type certain pairs or triplets of letters can be measured, and the collection of these digraphs and trigraphs together forms a unique collection used to characterize individuals. This technique requires special equipment. A variation on this is to watch for certain abbreviations for commands and common errors.

Action Based
Also sometimes referred to as signature based. Specific activities or actions (attack signatures) known to be indicative of intrusive activity are watched for, e.g. attempts to exploit known security holes. Can also be used to look for unauthorized activity by insiders. The problem is that not all attack methods are known, so new signatures are constantly being created and intrusion detection systems constantly need to be updated.

Haystack (architecture diagram; components shown: Audit Data Preprocessor, Canonical Audit Trail, Statistical Analysis, Reports; hardware shown: Unisys 1100, Z-248 PC, 9-track tape)

Intrusion Detection Expert System (IDES) (architecture diagram; components shown: Audit Records, Receiver, Audit Data, Expert System, Active Data Collector, Anomaly Data, Active Data, Profile Data, Profile Updater, Security Admin Interface, Anomaly Detector)

Multics Intrusion Detection and Alerting System (MIDAS) (architecture diagram; components shown: Command Monitor, Audit Records, Preprocessor, Network Interface, Multics, Fact Base, Statistical Data Base, Rule Base, Symbolics, System Security Monitor)

Different Levels of IDS
Host-based intrusion detection:
will catch users logged directly into a system
will miss network actions (the network as a whole)
Network-based intrusion detection:
passive in nature; other systems won't even know it's there
will miss individual actions on the host the user is logged directly into
will be able to see attacks on multiple hosts ("door knob rattling")
Where do you place the IDS? On the LAN, or on the outside of the router (the connection to the Internet)?

Network Security Monitor (NSM) (architecture diagram; components shown: Network Traffic, Packet Catcher, Filter, Object, Detector & Analyzer, Report Generator, Traffic Archive)
Network profile: which systems normally connect to which others, using what service. During a 2-month period, 110,000 connections were analyzed at UC Davis; NSM correctly identified over 300 intrusions, of which only 1% had been detected by admins.

Distributed IDS (DIDS) (architecture diagram; components shown: DIDS Director, LAN Monitor, monitored hosts, unmonitored hosts)

Cooperating Security Monitors (CSM) (architecture diagram; components shown: Command Monitor, Local IDS, Intruder Handler, CSM User Interface, other CSMs)

SNORT “Snort is designed to, uh, snort (sniff) your network looking for patterns of known attacks and warn you. It has a very large database of more than 500 attack signatures and this database is kept up-to-date. It is an intrusion detection system (IDS), not a firewall. This means that it will detect problems but will not block them. An IDS assumes that someone will receive the warning and manually resolve the problem.”

SNORT
Most Snort rules are written in a single line. This was required in versions prior to 1.8; in current versions of Snort, rules may span multiple lines by adding a backslash to the end of the line. Snort rules are divided into two logical sections, the rule header and the rule options. The rule header contains the rule's action, protocol, source and destination IP addresses and netmasks, and the source and destination port information. The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken. A sample Snort rule:
alert tcp any any -> / (content:"| a5|"; msg: "mountd access";)
The text up to the first parenthesis is the rule header, and the section enclosed in parentheses is the rule options.

Rule Header
The rule header contains the information that defines the "who, where, and what" of a packet, as well as what to do in the event that a packet with all the attributes indicated in the rule shows up. The first item in a rule is the rule action. The rule action tells Snort what to do when it finds a packet that matches the rule criteria. There are 5 available default actions in Snort:
1. alert - generate an alert using the selected alert method, and then log the packet
2. log - log the packet
3. pass - ignore the packet
4. activate - alert and then turn on another dynamic rule
5. dynamic - remain idle until activated by an activate rule, then act as a log rule
alert tcp any any -> / (content:"| a5|"; msg: "mountd access";)

Snort Rules
The next field in a rule is the protocol. There are four protocols that Snort currently analyzes for suspicious behavior: tcp, udp, icmp, and ip. In the future there may be more, such as ARP, IGRP, GRE, OSPF, RIP, IPX, etc. The next portion of the rule header deals with the IP address and port information for a given rule. The keyword "any" may be used to define any address.
alert tcp any any -> / (content:"| a5|"; msg: "mountd access";)

Rule options
Rule options form the heart of Snort's intrusion detection engine, combining ease of use with power and flexibility. All Snort rule options are separated from each other using the semicolon ";" character. Rule option keywords are separated from their arguments with a colon ":" character.
alert tcp any any -> / (content:"| a5|"; msg: "mountd access";)

Some Available Keywords
msg - prints a message in alerts and packet logs
flags - test the TCP flags for certain values
content - searches for a pattern in the packet's payload
dsize - test the packet's payload size against a value
alert tcp any any -> / (content:"| a5|"; msg: "mountd access";)

Sample Snort Rule
Part of the rule to catch the ILOVEYOU Windows worm:
alert tcp any any -> any 25 (msg:"Outgoing Love Letter Worm"; content:"rem barok -loveletter"; content:"Group";)
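As an added example (not Snort's own code and not from the slides), a small parser for the single-line rule format described above and a matcher that applies the header fields plus the content and dsize keywords to a constructed packet. The rules, packets and the 192.0.2.0/24 network are placeholder values for this example; the hex content in the first rule is the four-byte encoding of RPC program number 100005 (mountd).

```python
import re
import ipaddress
# Constructed rules (not copied from the slides); 192.0.2.0/24 is a documentation
# network used as a placeholder, and |00 01 86 a5| is RPC program 100005 (mountd).
RULES = [
    'alert tcp any any -> 192.0.2.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)',
    'alert tcp any any -> any 25 (msg:"Outgoing Love Letter Worm"; content:"rem barok -loveletter"; dsize:>20;)',
    'log udp any any -> 192.0.2.0/24 53 (msg:"dns query logged";)',
]
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)$")
OPTION_RE = re.compile(r'(\w+)(?::((?:"[^"]*"|[^;"])*))?;')   # keyword:argument; pairs

def parse_rule(text):
    """Split one rule into header fields plus an ordered list of (keyword, argument)."""
    head, _, opts = text.partition("(")          # header ends at the first parenthesis
    m = HEADER_RE.match(head.strip())
    if not m:
        raise ValueError("bad rule header: %r" % head)
    rule = m.groupdict()
    rule["options"] = []
    for key, val in OPTION_RE.findall(opts.rsplit(")", 1)[0]):
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]                      # strip the quotes around strings
        rule["options"].append((key, val))
    return rule

def content_bytes(val):
    """Turn a content argument with optional |hex| segments into raw bytes."""
    out = bytearray()
    for i, part in enumerate(val.split("|")):    # odd-numbered parts are inside |..|
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and a bytes payload."""
    if rule["proto"] not in (pkt["proto"], "ip"):
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
            and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"])):
        return False
    size = len(pkt["payload"])
    for key, val in rule["options"]:
        if key == "content" and content_bytes(val) not in pkt["payload"]:
            return False
        if key == "dsize":                       # argument forms: N, <N, >N
            op, n = re.match(r"([<>]?)(\d+)$", val).groups()
            if not {"<": size < int(n), ">": size > int(n), "": size == int(n)}[op]:
                return False
    return True
def scan(rule_texts, pkt):
    """Return (action, msg) for every rule whose header and options match pkt."""
    hits = []
    for rule in map(parse_rule, rule_texts):
        if rule_matches(rule, pkt):
            hits.append((rule["action"], dict(rule["options"]).get("msg", "")))
    return hits
```

Only the header fields, content and dsize are evaluated here; flags, the activate/dynamic pairing and the pass action's suppression semantics are not modelled.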

Current Common IDSs
McAfee
Cisco Secure IDS (the old "NetRanger")
IBM Proventia (ISS RealSecure)
TippingPoint (now owned by HP)
Network Flight Recorder from NFR
Snort, an open source IDS (or Sourcefire)

Comparison of IDS (Network Computing, Aug 2001)

Discussion on current IDS
How are signature updates accomplished?
How often are signatures updated? How many are there?
What is the maximum bandwidth the IDS can monitor?
What network protocols can be monitored?
What OS platforms does the IDS work on?
Does the IDS platform interact with other devices (e.g. firewalls, routers…)?
What type of reporting tools are available?
How is the security manager notified of events?
Host or network based?
Enterprise deployable?
What training is required to operate it, and how much time does it take to operate the IDS?

50 ways to defeat an IDS
1 - Inserting extraneous characters into a standard attack typically causes detection failure. As an example, you could insert the string '&& true' into a typical shell command line without ill effect on operation but with degraded IDS performance.
2 - Use tabs instead of spaces in commands. Since most current systems don't interpret all separators in the same way, changing to non-standard separators can make them fail. You might also try ',' instead of ';' in the Unix shell.
3 - Closely related to number 2, you could change the separator character in the system so that (for example) % is the separator. This would confuse detection systems almost without exception.
4 - Reorder a detected attack sequence. For example, if the attack goes 'a;b;c' and it would also work as 'b;a;c', most detection systems would rank the one they were not tuned to find as unlikely to be an actual attack.
5 - Split a standard attack across more than one user. Using the 'a;b;c' example above, if user X types 'a;b' and user Y types 'c' the attack is almost certain to go undetected.
6 - Split a standard attack across multiple sessions. Login once and type 'a;b', logout, then login and type 'c'.
From 50 Ways to Defeat Your Intrusion Detection System by Fred Cohen of Fred Cohen & Associates

50 ways to defeat an IDS
7 - Split across multiple remote IP addresses/systems. Login from sites X and Y, and type 'a' from site X, 'b' from site Y, and 'c' from site X.
8 - Define a macro for a command used in a standard attack. For example, set a shell variable called '$ZZ' to 'cp' and then use '$ZZ' instead of 'cp' where appropriate.
9 - Define a macro for a parameter in a standard attack. For example, use the name '$P' instead of the string '/etc/passwd'.
10 - Create shell scripts to replace commands you use. If you do this carefully, the detector will not associate the names you use for the scripts to the commands and will miss the whole attack.
Use different commands to do the same function. For example, 'echo *' is almost the same as 'ls' in the Unix shell.
Change the names in standard attacks. For example, if the standard attack uses a temporary file named 'xxx', try using 'yyy'.

50 ways to defeat an IDS
15 - Encrypt your attacks – for example, by using the secure shell facilities intended to increase protection by preventing snooping – including snooping by the IDS.
Overwhelm the IDS sensor ports. For example, by using an echo virus against a UDP port, you might make the sensor port unable to receive further sensor inputs.
Crash the IDS with ping packets. By sending long IPNG packets, many systems that run IDS systems can be crashed, causing them to fail to detect subsequent attacks.
23 - Kill the IDS by attacking its platform. Most IDS systems run on regular hosts which can themselves be attacked. Once the platform is taken over, the IDS can be subverted.
Consume all IDS disk space then launch for real. By (for example) overrunning the disk space consumed by the IDS with innocuous but detected sequences, the IDS will fail and subsequent attacks go undetected.
Attack over dial-ins instead of a network. Network-based IDS systems will never notice this activity.
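As an added example (not from the slides or from Cohen's paper), the defender's answer to items 1, 2, 8 and 9 of the list: a host-based signature matcher that canonicalizes a shell command line before comparing it, so that tabs, '&& true' padding and $NAME aliases defined earlier in the same line no longer hide a known sequence. The signature string and the command lines are constructed for the example.

```python
import re

# Constructed attack signature for a host-based, action-based detector (not from the slides).
SIGNATURE = "cp /etc/passwd /tmp/xxx"

def canonicalize(command_line, env=None):
    """Normalize a shell command line before signature matching:
    tabs and runs of whitespace become one space, the no-op 'true' command
    (item 1's '&& true') is dropped, and simple NAME=value assignments are
    expanded into later $NAME uses (items 8 and 9)."""
    env = dict(env or {})
    out = []
    for cmd in re.split(r"\s*(?:;|&&)\s*", command_line):
        cmd = " ".join(cmd.split())              # item 2: tabs -> single spaces
        if not cmd or cmd == "true":
            continue                             # item 1: '&& true' adds nothing
        m = re.fullmatch(r"(\w+)=(\S+)", cmd)
        if m:
            env[m.group(1)] = m.group(2)         # remember ZZ=cp / P=/etc/passwd
            continue
        cmd = re.sub(r"\$(\w+)", lambda mm: env.get(mm.group(1), mm.group(0)), cmd)
        out.append(cmd)
    return "; ".join(out)

def naive_match(line):
    """Raw substring match, which the listed tricks defeat."""
    return SIGNATURE in line

def canonical_match(line):
    """Match against the canonical form instead."""
    return SIGNATURE in canonicalize(line)
```

Items 5 to 7 (splitting an attack across users, sessions or source hosts) are not addressed by per-line canonicalization; they need correlation across those boundaries.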

Monitoring and the Law
The issue is expectation of privacy: does the individual have one? You generally need to inform individuals using the system that their actions are subject to monitoring. Government systems have the warning banner. This advice was also issued by CERT (CA-92:19) for anybody wanting to monitor keystrokes. Note that it is considered not enough to notify all authorized users once (when they are issued their initial password, for example); the notice must be displayed each time at login.