Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intrusion Detection Systems

Published byJohannes Schuler Modified over 5 years ago

Similar presentations

Presentation on theme: "Intrusion Detection Systems"— Presentation transcript:

1 Intrusion Detection Systems
An IDS is any combination of hardware & software that monitors a system or network for malicious activity. Examples of IDSs in real life Car alarms Fire detectors House alarms Surveillance systems Introduction

2 Why IDS There are host-based and network-based
“Deep Packet Inspection” Many organizations deploy IDS systems Provide warnings to network administrator Administrator can then improve network’s security Vigorous investigation could lead to attackers Can be detected: Mapping Port scans Tens of thousands of packets TCP stack scans Hundreds of thousands of packets There are host-based and network-based IDS systems. Focus here on network-based. Introduction

3 IDS sensors = IDS sensor Internet Internal network Demilitarized zone
application gateway firewall Internet Underlying OS needs to be hardened: stripped of unnecessary network services Internal network Web server DNS server FTP server Demilitarized zone Introduction

4 False Alarms False alarms:
False positive: normal traffic or benign action triggers alarm Example: fire alarm if wrong password is entered; benign user makes a typo False negative: alarm is not fired during attack Introduction

5 Efficiency of IDS system
Accuracy: low false positive and false negative rates Performance: the rate at which traffic and audit events are processed To keep up with traffic, may not be able to put IDS at network entry point Instead, place multiple IDSs downstream Fault tolerance: resistance to attacks Should be run on a single hardened host that supports only intrusion detection services Timeliness: time elapsed between intrusion and detection Introduction

6 Signature-based IDS Sniff traffic on network
border router or multiple sensors within a LAN Match sniffed tracffic with signatures attack signatures in database signature: set of rules pertaining to a typical intrusion activity Simple example rule: any ICMP packet > 10,000 bytes Example: more than one thousand SYN packets to different ports on same host under a second skilled security engineers research known attacks; put them in database can configure IDS to exclude certain signatures; can modify signature parameters Warn administrator when signature matches send , SMS send message to network management system Introduction

7 Limitations to signature detection
Requires previous knowledge of attack to generate accurate signature Blind to unknown attacks Signature bases are getting larger Every packet must be compared with each signature IDS can get overwhelmed with processing; can miss packets Introduction

8 Anomaly Detection IDS Observe traffic during normal operation
Create normal traffic profile Look for packet streams that are statistically unusual e.g., inordinate percentage of ICMP packet or exponential growth in port scans/sweeps Doesn’t rely on having previous knowledge of attack Research topic in security Introduction

9 IDS evasion: “spy vs. spy”
Attackers do not want to be detected by IDS Often attackers are intimately familiar with the popular IDS products, their weaknesses Idea: manipulate attack data Active area of research in attack community Example: port scan stretched out over long period of time, with different source IP addresses Most common approach: fragmentation To detect malicious activity, IDS must capture, store, and analyze fragments. Many fragment streams spread out over long period time ➜IDS must have large buffers Requires significant memory and processing power Introduction

10 IDS evasion: fragmentation
Send a flood of fragments Send so many fragments that IDS system saturates. Once saturated, IDS will not be able detect a new attack Fragment packets in unexpected ways Such that the IDS does not understand how to properly reassemble the attack packets Introduction

11 IDS evasion tool: FragRouter
Internet attack system (eg nmap) attack obfuscation (fragrouter) IDS target Runs on Unix/Linux systems Provides over 35 different schemes for fragmenting flow of data Separates attack functionality from the fragmentation functionality Introduction

12 Some fragmentation types in FragRouter
Sends data in ordered 8-byte fragments Sends data in ordered 24-byte fragments Sends data in ordered 8-byte fragments with one fragment out of order Complete TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte Introduction

13 Snort Typical setup Popular open source IDS Enhanced sniffer
Good book: Intrusion Detection with Snort, by Jack Koziol Popular open source IDS 200,000 installations Enhanced sniffer Runs on Linux, Unix, Windows Generic sniffing interface libpcap Can easily handle 100 Mbps of traffic Signatures Written and released by Snort community within hours Anyone can create Largest collection of signatures for IDS Typical setup snort sensor hub internal network firewall Introduction

14 Snort deployment Switch SPAN port:
provides monitoring for net admin & security switch copies all traffic to SPAN port can select which switch ports get copied approach doesn’t require intro of new hub no need for unidirectional cable snort sensor hub internal network firewall unidirectional sniffing cable firewall switch snort sensor internal network Introduction

15 Distributing traffic to multiple sensors
Large organizations often have Gbps backbone Snort with full rule set cannot handle all traffic Packets can get dropped; attacks go undetected Tempting to tune Snort by trimming rules Solutions: Put sensors on different 100 Mbps segments Or, multiple sensors on backbone; each sensor processes different range of destination IP addresses Introduction

16 snort.conf Example: var HOME_NET 193.152.1.1/24
var EXTERNAL_NET ! /24 Var HTTP_SERVERS Var HTTP_PORTS Introduction

17 Snort rule examples alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP PING NMAP”; dsize: 0; itype: 8;) Rule generates alert for ICMP having empty payload, ICMP type 8, and arriving from the outside. This is part of an NMAP ping. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: “DOS SMBdie attack”:; flags: A+; content:”|57724c a|”;) Rule generates alert if a TCP packet from outside contains |57724c a| in payload and is headed to port 139 (netbios) for some internal host. This is part of a buffer overflow attack on a computer running Server Message Block Service. Introduction

18 Snort rule examples (2) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:”WEB-IIS ISAPI .ida attempt”; uricontent:”.ida?”; nocase; dsize:>239; flags:A+;) Rule generates alert for packet heading to Web server with .ida? in URL in GET message Buffer overflow attack that allows attacker to take over server. Introduction

19 Snort rule files chat.rules ddos.rules ftp.rules multimedia.rules
p2p.rules porn.rules virus.rules Introduction

20 Snort Rule Writing Example: Cross-site scripting (XSS):
Web site allows scripts to be inserted into dynamically created Web page. Can reek havoc. Look out for HTTP requests containing <SCRIPT> Might first try: alert tcp any any -> any any (content: “<SCRIPT>”; msg: “XSS attempt”;) triggers many false positives: e.g., message with JavaScript Then try: alert tcp $EX_NET any -> $HTTP_SRVS $HTTP_PRTS (content: “<SCRIPT>”; msg: “XSS attempt”; nocase;) Introduction

21 Snort Rule Syntax Rule is a single line Syntax for rule header:
Rule header: everything before parenthesis Rule option: what’s in the parenthesis Syntax for rule header: rule_action protocol src_add_range src_prt_range dir_operator dest_add_range dest_prt_range Example: alert tcp /24 1:1024 -> rule actions: alert, log, drop protocol: tcp, udp, icmp direction: -> and <> src, dest port ranges : Introduction

22 Snort Rule Syntax (2) Syntax for rule option:
One or more option keywords separated by semi-colons Example: (msg: “XSS attempt”; content: “<SCRIPT>”; nocase;) Content-related keyword examples: content: ”smtp v2”; (ascii) content: ”|0f 65 a7 7b|” ; (binary) uricontent: ”.ida?”; content-list: “inappropriate_content.txt”; nocase; offset: 20; (start at byte 20 in payload) depth: 124; (stop at byte 124 in payload) Introduction

23 Snort Rule Syntax (3) IP-related keyword examples: ttl: <5;
id:2345; (id field, used for fragments) fragoffset: 0; dsize: >500; (payload size) ip_proto: 7; ICMP-relayed keyword examples: itype: 8; icode: 3; Introduction

24 Snort Rule Syntax (4) TCP-related rules flags: A+; (ACK flag)
flags: FUP; (FIN, Urgent, or Push flag) + alert if specified bit is discovered, in addition to at least one other ! alert if any of the specified bits is not set seq: ; ack: ; Response examples msg: “christmas tree attack”; logto: “new_rule.log”; logs packet when match occurs Introduction

Download ppt "Intrusion Detection Systems"

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology

Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.

Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS 395-0 Professor Yan Chen.

Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS Professor Yan Chen.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Department Of Computer Engineering

Department Of Computer Engineering
Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.

Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.
USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.

USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.
Port Scanning.

Port Scanning.
IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.

IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.
1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.

1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.
Intrusion Protection Mark Shtern. Protection systems Firewalls Intrusion detection and protection systems Honeypots System Auditing.

Intrusion Protection Mark Shtern. Protection systems Firewalls Intrusion detection and protection systems Honeypots System Auditing.
Polytechnic University Introduction 1 Intrusion Detection Systems Examples of IDSs in real life r Car alarms r Fire detectors r House alarms r Surveillance.

Polytechnic University Introduction 1 Intrusion Detection Systems Examples of IDSs in real life r Car alarms r Fire detectors r House alarms r Surveillance.

Similar presentations

Ads by Google