Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems

Overview
– What is an audit trail?
– What is Argus?
– Overview of IP audit trails
– Why are they useful?
– Using audit trails to monitor your network
– Detecting interesting network events using audit trails
– Enhancing IDS analysis using audit trails

What is an IP Audit Trail?
– An IP audit trail is a collection of network flows across some point of a network.
– A network flow is an identifiable exchange of data between two endpoints on a network.
– Flows may be delineated by normal protocol (a SYN replied to by an RST) or by timeouts.
– Flows may become exaggerated, as not all network traffic is readily broken into correct sessions with the available information.

What is Argus?
– Written by Carter Bullard as part of a DoD contract while he was at Carnegie-Mellon's SEI
– Runs on Unix
– The free version is available at
– A commercial version is under development by Qosient

More about Argus
Argus uses a client/server model:
– Data collection engine (server): monitors the network using libpcap and collects network data into audit trails. This engine can output the data to a file or to a socket.
– Argus client: reads audit data from a file or from a socket. There are a number of clients available for various purposes.

Argus Clients
– ra: reads Argus data and displays it on stdout
– ragator: aggregates flows in arbitrary fashions
– ramon: produces RMON-style reports and tables
– racount: counts bytes and packets
– rasort: sorts Argus records
– raxml: displays all fields in XML format
– Others: ratop, ragrep, rahistogram, rasrvstats
– Lacking: a database client!!

Default RA output
timestamp protocol src IP direction dst IP status
17 Apr 02 09:59:16 icmp ECO
17 Apr 02 09:59:16 tcp > FIN
17 Apr 02 09:59:16 icmp ECO
17 Apr 02 09:59:16 tcp > FIN
17 Apr 02 09:59:16 tcp > FIN
17 Apr 02 09:59:16 tcp > EST
17 Apr 02 09:59:16 tcp > FIN
17 Apr 02 09:59:17 tcp > RST
17 Apr 02 10:00:04 tcp > RST
17 Apr 02 09:59:17 tcp > RST
17 Apr 02 10:00:02 icmp > ECO
17 Apr 02 10:00:02 icmp > ECO
17 Apr 02 10:00:02 udp > TIM
17 Apr 02 10:00:02 icmp > ECO
There is still a lot of other useful data we can capture!!

Data Model
– Source IP address
– Destination IP address
– Source port
– Destination port
– Protocol
– Time of first packet
– Time of last packet
– Packets sent
– Bytes sent
– Packets received
– Bytes received
This set of data is surprisingly rich!

Why are these useful?
– This set of data can be analyzed to find network sessions, or sets of sessions, that appear to be suspicious.
– In the case of a compromise, the audit trails can be examined to find out what else might have happened.
– Excellent tool for network policy monitoring: makes unauthorized servers, services, or backdoors much easier to detect.
– Much smaller than full packet captures, so more can be stored for longer.
– Well suited to statistical analysis.

Reducing Record Counts
– A major problem with collecting network flows is the extreme rate and large quantity of records.
– Fortunately, network flows are readily aggregated.
– All flows with the same source and destination addresses and ports can be collapsed to a single row, with a counter.
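The collapse described on this slide, written out as an added example (not code from the presentation or from the Argus project): records carrying the data-model fields are grouped on source, destination, ports and protocol, and each group becomes one row with merged timestamps, summed counters and a record count. The Flow type, its field names and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One record per network flow, carrying the fields of the data model slide.
# All sample records below are constructed for illustration.
@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    first: float      # time of first packet (epoch seconds)
    last: float       # time of last packet (epoch seconds)
    pkts_sent: int
    bytes_sent: int
    pkts_recv: int
    bytes_recv: int
    count: int = 1    # number of raw flow records folded into this row

Key = Tuple[str, str, int, int, str]

def aggregate(flows: List[Flow]) -> Dict[Key, Flow]:
    """Collapse flows sharing (src, dst, sport, dport, proto) into one row:
    earliest start, latest end, summed counters and a record count."""
    rows: Dict[Key, Flow] = {}
    for f in flows:
        key = (f.src, f.dst, f.sport, f.dport, f.proto)
        row = rows.get(key)
        if row is None:
            rows[key] = Flow(**vars(f))   # copy, so the input list is not mutated
            continue
        row.first = min(row.first, f.first)
        row.last = max(row.last, f.last)
        row.pkts_sent += f.pkts_sent
        row.bytes_sent += f.bytes_sent
        row.pkts_recv += f.pkts_recv
        row.bytes_recv += f.bytes_recv
        row.count += f.count
    return rows

# Constructed sample: three repeated UDP exchanges between the same pair of
# addresses and ports, plus one unrelated TCP session.
SAMPLE = [
    Flow("192.0.2.10", "198.51.100.53", 51000, 53, "udp", 100.0, 100.1, 1, 60, 1, 120),
    Flow("192.0.2.10", "198.51.100.53", 51000, 53, "udp", 105.0, 105.1, 1, 60, 1, 130),
    Flow("192.0.2.10", "198.51.100.53", 51000, 53, "udp", 110.0, 110.2, 1, 58, 1, 118),
    Flow("192.0.2.10", "198.51.100.80", 51001, 80, "tcp", 101.0, 130.0, 12, 1500, 10, 9000),
]
```

Running `aggregate(SAMPLE)` turns the four records into two rows, the UDP row carrying a count of 3 and the span from the first to the last exchange.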

Portscan Detection
– IP audit trails are an excellent tool for detecting network enumeration attempts.
– Snort's spp_portscan2 uses network flows to detect portscans.
– To detect portscanning, simply count connections from external hosts to distinct hosts and ports on your network.
– A well-defined concept of home network versus external network is critical.
– A portscan attempt which also correlates to an IDS alert, or to a session that is long or that moves some data, might point to a successful compromise.
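The counting rule from this slide as an added example (not code from the presentation, from Argus or from Snort's spp_portscan2): an explicit home network, a count of distinct (host, port) targets per external source, and the follow-up step of pulling out the flagged source's sessions that were long or moved data. The Flow type, the 192.0.2.0/24 home network, the thresholds and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

# Minimal flow record with the data-model fields this check needs.
# All sample records below are constructed for illustration.
class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str
    first: float        # time of first packet (epoch seconds)
    last: float         # time of last packet (epoch seconds)
    bytes_sent: int
    bytes_recv: int

# The "home network" the slide calls critical; 192.0.2.0/24 is an assumed value.
HOME = ipaddress.ip_network("192.0.2.0/24")

def is_home(addr: str) -> bool:
    return ipaddress.ip_address(addr) in HOME

def portscan_candidates(flows: Iterable[Flow], threshold: int = 10) -> Dict[str, int]:
    """External sources that touched at least `threshold` distinct (host, port)
    targets inside the home network. Returns source -> distinct target count."""
    targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for f in flows:
        if not is_home(f.src) and is_home(f.dst):
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}

def correlate(flows: Iterable[Flow], scanners: Dict[str, int],
              min_seconds: float = 60.0, min_bytes: int = 1000) -> List[Flow]:
    """Flows from a flagged scanner into the home network that lasted long or
    moved real data: the sessions the slide says may point at a compromise."""
    hits: List[Flow] = []
    for f in flows:
        if f.src not in scanners or not is_home(f.dst):
            continue
        if (f.last - f.first) >= min_seconds or (f.bytes_sent + f.bytes_recv) >= min_bytes:
            hits.append(f)
    return hits

# Constructed sample: one external host probes ports 21-32 on a home host with
# tiny, short flows, then holds a long session that moves data to port 22.
SAMPLE = [Flow("203.0.113.5", "192.0.2.20", p, "tcp", 10.0 + p, 10.1 + p, 60, 40)
          for p in range(21, 33)]
SAMPLE.append(Flow("203.0.113.5", "192.0.2.20", 22, "tcp", 200.0, 1700.0, 48000, 12000))
SAMPLE.append(Flow("192.0.2.10", "192.0.2.20", 80, "tcp", 50.0, 51.0, 500, 3000))  # internal
```

The internal-to-internal flow is ignored by design; the probe flows flag the external source, and `correlate` then surfaces only the long, data-moving session for follow-up.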

Long Sessions
– Long sessions are common on networks.
– Due to the more stateless nature of UDP and ICMP, distinct network flows might be collapsed into a single network flow.
– Long sessions to interesting ports, or inbound to unexpected locations, or with IDS alerts, are the things we want to focus on.
– Extensive correlation is critical to making the important long sessions stand out.

Traffic to Nonexistent Hosts
– Inbound traffic to a host that is known not to exist
– A good way of detecting network enumeration attempts

Traffic to High Ports
– Sessions being initiated to high ports on your home network should always be viewed with suspicion.
– There are exceptions (FTP traffic).
– By keeping "state" on your network's flows you can eliminate many of the valid inbound high-port connections.
– High-port traffic + IDS alert…

High Connection Rate
– High connection rates could point to DoS attempts, port scanning, auto-rooters, P2P activity, worm activity, and more.
– There are valid network activities which can generate high connection rates.
– Correlation of high connection rates to other anomalous activities is what we need to look for.

High Packet Rate
– Another example of could-be-bad, could-be-good activity.
– High packet rates might indicate worm activity, portscanning, or other nastiness.
– A sudden appearance of high packet rates linked to a previous session which had IDS alerts associated could indicate a host that has been successfully compromised.

Stepping Stone Detection
– A stepping stone is a computer that is used as an intermediate point between two other computers.
– Stepping stones are frequently used by attackers to obscure their location/identity.
– Stepping stones can be detected by correlation of on/off times between two network flows. This is prone to false positives.
– A better approach is to correlate on and off times of packet activity inside the flow, but this requires finer granularity in the data than Argus can provide.

Summary
– Using IP audit trails is a powerful enhancement to IDS.
– IP audit trails also give new ways of looking for anomalous traffic or new services on your network, and of getting a better perspective on your network's operation.
– There is lots to be done!