
Common Intrusion Detection Framework By Ganesh Godavari.

Presentation transcript:

Slide 1: Common Intrusion Detection Framework, by Ganesh Godavari

Slide 2: Review of the CIDF architecture: the producer/consumer model

Slide 3: Scenario 1, malicious user. A malicious user logs in and deletes the passwd file. What does the GIDO sent from the E-box to the A-box look like?

Slide 4: GIDO (continued on the next slide)

    (InSequence
      (Login
        (Location (Time '14:57:36 24 Feb 1998'))
        (Initiator (HostName 'doctor.evil.com'))
        (Account
          (UserName 'minime')
          (RealName 'minie me')
          (HostName 'austin.powers.mov')
          (ReferAs 0x12345678)))
      (Delete
        (World Unix)
        (Location
          (HostName 'austin.powers.mov')
          (Time '14:58:12 24 Feb 1998'))
        (Initiator (ReferTo 0x12345678))
        (Source (AbsoluteFileName '/etc/passwd')))
      (Login
        (World Unix)
        (Outcome
          (CIDFReturnCode Failed)
          (Comment '/etc/passwd missing'))
        (Location (Time '15:02:48 24 Feb 1998'))
        (Initiator (HostName 'small.world.com'))
        (Account
          (UserName 'austin')
          (RealName 'austin powers')
          (HostName 'small.world.com'))))

Slide 5: Snort nmap alert. The CIDF E-box raised the following Snort alert. What does the GIDO from the E-box to the R-box look like?

    [**] [1:469:1] ICMP PING NMAP [**]
    [Classification: Attempted Information Leak] [Priority: 2]
    10/15-03:10:18.489131 128.198.60.188 -> 128.198.60.195
    ICMP TTL:56 TOS:0x0 ID:25681 IpLen:20 DgmLen:28
    Type:8 Code:0 ID:56447 Seq:0 ECHO
    [Xref => http://www.whitehats.com/info/IDS162]

Slide 6: GIDO (continued on the next slide)

    (ByMeansOf
      (Attack
        (Initiator (IPV4Address 128.198.60.188))
        (Observer (ProcessName snortIDS))
        (Target (IPV4Address 128.198.60.195))
        (AttackSpecifics
          (Certainty 100)
          (Severity 100)
          (AttackID 0000000100000001))
        (Outcome (CIDFReturnCode 2)))
      (Do
        (BlockMessage
          (Message
            (IPV4Protocol 4)
            (SourceIPV4Address 128.198.60.188)
            (DestinationIPV4Address 128.198.60.195))
          (When
            (BeginTime Wed Jun 15 03:10:18 1999 MDT)
            (EndTime Thu Jun 16 03:10:18 1999 MDT)))))

Slide 7: Snort-based E-box Ad filter (continued on the next slide)

    (Filter
      (Fragment
        (ByMeansOf
          (Attack
            (When (Time "!+::*"))
            (AttackSpecifics
              (Attack-ID "!-::{{0x00000005}}", "!+::{*}")
              (AttackNickname "!-::{*}"))
            (Initiator
              (IPV4Address "!+::{*}")
              (HostName "?-::{*}")
              (TCPSourcePort "!-::{*}"))
            (Target
              (IPV4Address "!+::{{10.0.0.1,10.0.0.2},{10.0.0.3,10.0.0.4},10.0.1.0/8}")
              (HostName "?-::{*}")
              (TCPDestinationPort "!-::{*}"))
            (Observer
              (ProcessName "!-::{{'snort'}}")
              (HostName "!-::{{'heracles'}}")))
          (SendMessage
            (When (Time "!-::*"))
            (Initiator
              (IPV4Address "!+::{*}")
              (HostName "?-::{*}")
              (TCPSourcePort "!-::{*}"))
            (Target
              (IPV4Address "!-::{*}")
              (HostName "?-::{*}")
              (TCPDestinationPort "!-::{*}"))
            (Observer
              (ProcessName "!-::{{'snort'}}")
              (HostName "!-::{{'heracles'}}"))
            (Message
              (TransportProtocol "?+::{{'tcp'}}")
              (IPV4ServiceType "?+::{*}")
              (IPV4Identifier "?+::{*}")
              (IPV4TTL "?+::{*}")
              (TCPSequenceNumber "?+::{*}")
              (TCPAckNumber "?+::{*}")
              (TCPWindow "?+::{*}")
              (TCPFlags "?+::{*}")
              (TCPMSS "?+::{*}"))))))

Pattern prefix legend:
    !  field always available
    ?  field might or might not be available
    -  field is not negotiable
    +  field is negotiable

Slide 8: A-box template proposal

    (Filter
      (Fragment
        (Attack
          (When (Time "!-::*"))
          (AttackSpecifics
            (Attack-ID "!-::{{0x00000005}}", "!+::{0x00000000,0x000000001}")
            (AttackNickname "!-::{*}"))
          (Initiator
            (IPV4Address "!+::{*}")
            (TCPSourcePort "!-::{*}"))
          (Target
            (IPV4Address "!+::{{10.0.0.1,10.0.1.17,10.0.1.18}}")
            (TCPDestinationPort "!-::{*}"))
          (Observer
            (ProcessName "?+::{*}")
            (HostName "?+::{*}")
            (IPv4Address "?+::{*}"))))
      (Permit 'ByMeansOf' 'And' 'HelpedCause'))

Permit allows the filter-matching code to search for the GIDO starting from the root. So here we are looking for fragments such as "ByMeansOf", "And" and "HelpedCause".

Slide 9: Candidate proposal, A-box to E-box

    (Filter
      (Fragment
        (Attack
          (When (Time "!-::*"))
          (AttackSpecifics
            (Attack-ID "!-::{{0x00000005}}", "!+::{0x00000000,0x000000001}")
            (AttackNickname "!-::{*}"))
          (Initiator
            (IPV4Address "!+::{*}")
            (TCPSourcePort "!-::{*}"))
          (Target
            (IPV4Address "!+::{{10.0.0.1,10.0.0.2},10.0.1.0/8}")
            (TCPDestinationPort "!-::{*}"))
          (Observer
            (ProcessName "!+::{{'snort'}}")
            (HostName "!-::{{'heracles'}}")))))

Slide 10: Possible GIDO from A-box to

    (ByMeansOf
      (Attack
        (when (time "10/04-16:21:48"))
        (AttackSpecifics
          (Attack-ID 0x00000005, 0x000000000)
          (AttackNickname "NMAP TCP Ping"))
        (Initiator
          (IPV4Address 10.0.0.2)
          (TCPSourcePort 52716))
        (Target
          (IPV4Address 10.0.0.5)
          (TCPDestinationPort 39241))
        (Observer
          (ProcessName 'snort')
          (HostName 'heracles'))))
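As an added example (not from the presentation and not CIDF code), here is the filter syntax of slides 7 to 9 applied to the slide 10 GIDO in Python: `parse`, `_value_ok`, `match` and `fragment_matches` are my own names, the filter and GIDO strings are transcribed from slides 9 and 10 with quotes and braces balanced, and the matcher assumes that `!`/`?` mark required/optional fields, `*` matches any value, hex ids compare numerically, and `a.b.c.d/n` is a CIDR range searched from the GIDO root as the Permit text on slide 8 describes.

```python
import ipaddress
import re
# Assumed, not CIDF's own code: slide-9 filter and slide-10 GIDO, transcribed with quotes balanced.
FILTER = """(Filter (Fragment (Attack (When (Time "!-::*"))
  (AttackSpecifics (Attack-ID "!-::{{0x00000005}}", "!+::{0x00000000,0x000000001}") (AttackNickname "!-::{*}"))
  (Initiator (IPV4Address "!+::{*}") (TCPSourcePort "!-::{*}"))
  (Target (IPV4Address "!+::{{10.0.0.1,10.0.0.2},10.0.1.0/8}") (TCPDestinationPort "!-::{*}"))
  (Observer (ProcessName "!+::{{'snort'}}") (HostName "!-::{{'heracles'}}")))))"""
GIDO = """(ByMeansOf (Attack (when (time "10/04-16:21:48"))
  (AttackSpecifics (Attack-ID 0x00000005, 0x000000000) (AttackNickname "NMAP TCP Ping"))
  (Initiator (IPV4Address 10.0.0.2) (TCPSourcePort 52716))
  (Target (IPV4Address 10.0.0.5) (TCPDestinationPort 39241))
  (Observer (ProcessName 'snort') (HostName 'heracles'))))"""
_TOK = re.compile(r"""\(|\)|"[^"]*"|'[^']*'|[^\s()]+""")  # parens, quoted strings, bare atoms

def parse(text):  # S-expression -> nested lists of strings; quotes and stray commas stripped
    stack, cur = [], []
    for tok in _TOK.findall(text):
        if tok == "(": stack.append(cur); cur = []
        elif tok == ")": done, cur = cur, stack.pop(); cur.append(done)
        elif tok.strip("'\","): cur.append(tok.strip("'\","))
    return cur[0]

def _value_ok(spec, value):  # spec = text after '::'; nested braces flatten to alternatives
    for alt in (a.strip("'\"") for a in re.findall(r"[^{},\s]+", spec)):
        if alt == "*" or alt == value: return True
        try:  # hex ids compare numerically; a/b is a CIDR range (10.0.1.0/8 reads as 10.0.0.0/8)
            if alt.startswith("0x") and int(alt, 16) == int(value, 16): return True
            if "/" in alt and ipaddress.ip_address(value) in ipaddress.ip_network(alt, strict=False): return True
        except ValueError: pass
    return False

def match(filt, gido):  # True when the GIDO node satisfies every constraint of the filter node
    if filt[0].lower() != gido[0].lower(): return False  # tags compared case-insensitively
    for f in (x for x in filt[1:] if isinstance(x, list) and len(x) > 1):
        cands = [c for c in gido[1:] if isinstance(c, list) and c[0].lower() == f[0].lower()]
        if all(isinstance(x, str) and "::" in x for x in f[1:]):  # leaf constraint
            if not cands:  # '!' = field must be present, '?' = field may be absent
                if f[1][0] == "!": return False
                continue
            pats = [p.split("::", 1)[1] for p in f[1:]]  # one pattern per value slot
            ok = any(len(c) > len(pats) and all(_value_ok(p, v) for p, v in zip(pats, c[1:])) for c in cands)
        else:
            ok = any(match(f, c) for c in cands)  # structural: recurse into a same-tag child
        if not ok: return False
    return True

def fragment_matches(filter_text, gido_text):  # Permit-style: search from the GIDO root
    frag = parse(filter_text)[1][1]  # (Filter (Fragment <pattern>))
    walk = lambda n: match(frag, n) or any(walk(c) for c in n[1:] if isinstance(c, list))
    return walk(parse(gido_text))
```

Running `fragment_matches(FILTER, GIDO)` returns True; changing the target to an address outside 10.0.0.0/8, or dropping the required Observer HostName, makes it return False.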

Slide 11: CIDF, good and bad

Good:
    Very extensible S-expression form
    Easily readable S-expression form

Bad:
    Work stopped in '99
    Not actually implemented anywhere
    Difficult to parse
    Not as efficient as other reporting formats?

