Computer Security Workshops
Module 6 – Intrusion Detection Systems

Intrusion Detection Systems
  System monitoring software
    Developed to monitor suspicious activity
    Optionally, report or respond to such activity
  Two major levels
    Host-based
    Network-based (NIDS)
  Two major types
    Misuse-based
    Anomaly-based
  Increasing use of both for maximum security

Host Based Intrusion Detection Systems
  Dependent on operating system
  Main activities
    Check system logs
    Monitor user logins
    Monitor processes
    Look for trojans
  Advantages: can be quite sophisticated
  Disadvantages:
    Deal with known problems
    Active: consume CPU cycles

Host-Based IDS - Details
  Events to watch
    Creation of accounts
    Protection violations (actual, attempted)
    Logins
    Failed logins
    Kernel activity as well as user activity

Network Based Intrusion Detection Systems (NIDS)
  High level: packet sniffers
    Examine network traffic
    Compare actual traffic to known attack patterns
    If these patterns/signatures are found, theorize that an intrusion is taking place
  Advantage: passive (analyzing the network, not a particular system – hard to detect)
  Disadvantages
    Switches can reduce the amount of visible traffic to analyze
    Packet fragmenting can fool the system

IDS Tools
  Open Source
    Snort (Linux, Windows)
    Shadow (Virtual IDS)
  BlackICE (http://www.iss.net/blackice)
  ISS RealSecure

Example System: Snort
  http://www.snort.org
  Need to define signatures/rules
    Available on the internet, updated frequently
  Multiple level architecture
    Main application (doing analysis)
    Web client – ACID (Analysis Console for Intrusion Databases)
    Barnyard – analysis of results

SNORT - more
  Now supports preprocessor analysis
  Problems with signatures
    False positives – too wide a net
    False negatives – too narrow a net
  Preprocessors allow customizing
    Start using anomaly-based detection
    Customize rules based on users
  Examples (see /etc/snort/snort.conf)
    stream4 – TCP statefulness, session reassembly
    frag2 – packet fragmenting/reassembly
  Problems
    Difficult to work with, generates a large amount of data

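The two points above about fragmentation (the NIDS slide's "packet fragmenting can fool the system" and the frag2 preprocessor here) are easiest to see side by side. The following is an added example, not code from the slides or from Snort: a constructed two-fragment datagram, a naive matcher that checks each fragment alone, and a frag2-style reassembler that puts the datagram back together before matching. The signature, fragment layout and field names are all assumptions made for the illustration.

```python
import re

# Snort-style content signature: flag any request that names /etc/passwd.
SIGNATURE = re.compile(rb"/etc/passwd")

# Constructed sample, not captured traffic: one HTTP request whose payload was
# split into two IP fragments (same datagram id, contiguous offsets). The
# signature string straddles the fragment boundary.
FRAGMENTS = [
    {"id": 7, "offset": 0,  "data": b"GET /cgi-bin/foo?file=/etc/pa"},
    {"id": 7, "offset": 29, "data": b"sswd HTTP/1.0\r\n"},
]


def match_per_fragment(fragments):
    """Naive NIDS: run the signature over each fragment on its own.
    Returns the datagram ids that matched."""
    return sorted({f["id"] for f in fragments if SIGNATURE.search(f["data"])})


def reassemble(fragments):
    """frag2-style reassembly: group fragments by datagram id, order them by
    offset and concatenate. A datagram with a gap or an overlap is dropped
    rather than guessed at, so partial data never reaches the matcher."""
    by_id = {}
    for f in fragments:
        by_id.setdefault(f["id"], []).append(f)
    datagrams = {}
    for fid, parts in by_id.items():
        buf = bytearray()
        complete = True
        for p in sorted(parts, key=lambda p: p["offset"]):
            if p["offset"] != len(buf):   # missing bytes (gap) or overlap
                complete = False
                break
            buf += p["data"]
        if complete:
            datagrams[fid] = bytes(buf)
    return datagrams


def match_reassembled(fragments):
    """Reassemble first, then run the signature over whole datagrams."""
    return sorted(fid for fid, data in reassemble(fragments).items()
                  if SIGNATURE.search(data))


if __name__ == "__main__":
    print("per-fragment matches:", match_per_fragment(FRAGMENTS))   # nothing fires
    print("reassembled matches: ", match_reassembled(FRAGMENTS))    # datagram 7 fires
```

The per-fragment matcher sees `/etc/pa` in one fragment and `sswd` in the other and never fires; only the reassembled datagram contains the full signature. The same reassemble-then-inspect idea is what stream4 does one layer up for TCP segments. Dropping incomplete datagrams is the conservative choice for a demonstration; a production preprocessor also has to pick an overlap policy that matches the target host's IP stack.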
Other Tools for Intrusion Detection
  Linux
    last (user analysis)
    lsof (file analysis)
    tripwire (file analysis)
    chkrootkit (file analysis)
    swatch (log file analysis)
  Windows
    Microsoft Port Reporter
    GFI LANguard System Integrity Monitor
    GFI LANguard Security Event Log Monitor
    http://www.extralan.co.uk

last
  Displays a list of recent user logons
  Usage: last (-N)
    E.g. last -20
    // display the last 20 login entries

lsof
  Lists open files on your system
  Useful to see what processes are working with what files, possibly identify tampering
  Usage: lsof
    E.g. lsof | more
    // one screen at a time

tripwire
  tripwire (http://sourceforge.net/projects/tripwire/ ; also a commercial product)
    Uses digital hashing (MD5) to create secure file signatures
    A change in file size and/or signature potentially shows an intrusion
    The database is now signed itself, but it is still best to store it on write-protected media/hardware
    Expanded to define a policy language for what to monitor
    Linux version is open source; commercial Windows version available
  Security usage: identify the presence of tampered files, symptomatic of rootkits

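The tripwire idea on this slide (hash every monitored file, keep the signatures in a database, sign the database, and later report what changed) fits in a few dozen lines. The code below is an added example written for these notes, not tripwire's own code or policy format. It uses SHA-256 rather than the MD5 the slide names, since MD5 collisions are now practical, and an HMAC over the serialized database stands in for tripwire's database signing; the key, the sample file tree and the simulated rootkit changes in `demo()` are all constructed for the illustration.

```python
import hashlib
import hmac
import json
import os
import shutil
import tempfile

# SHA-256 instead of the MD5 named on the slide: MD5 collisions are practical,
# so it no longer provides a "secure" file signature.
HASH = "sha256"


def file_signature(path):
    """Size plus digest for one file; a change in either is a potential intrusion."""
    h = hashlib.new(HASH)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": os.path.getsize(path), "digest": h.hexdigest()}


def snapshot(root):
    """Signatures for every file under root, keyed by path relative to root."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = file_signature(full)
    return entries


def sign_database(entries, key):
    """Serialize the baseline and attach an HMAC so edits to the database itself show up."""
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, HASH).hexdigest()
    return json.dumps({"entries": entries, "hmac": tag}).encode()


def load_database(blob, key):
    """Verify the HMAC before trusting the baseline; refuse a tampered database."""
    doc = json.loads(blob)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, HASH).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("integrity database failed signature check")
    return doc["entries"]


def compare(baseline, current):
    """Report files that appeared, vanished, or changed size/digest since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, simulate a rootkit that swaps
    ls, adds a binary and deletes ps, then check the database is tamper-evident."""
    key = b"placeholder-key-keep-on-write-protected-media"   # constructed, not a real key
    root = tempfile.mkdtemp()
    try:
        for rel, data in {"bin/ls": b"original ls", "bin/ps": b"original ps",
                          "etc/passwd": b"root:x:0:0:root:/root:/bin/sh"}.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        db = sign_database(snapshot(root), key)

        with open(os.path.join(root, "bin", "ls"), "wb") as f:   # substituted utility
            f.write(b"trojaned ls")
        with open(os.path.join(root, "bin", "login"), "wb") as f:  # dropped-in file
            f.write(b"new binary")
        os.remove(os.path.join(root, "bin", "ps"))                   # deleted utility
        report = compare(load_database(db, key), snapshot(root))

        # Flip one hex digit of the stored tag: the database must now be rejected.
        i = db.rfind(b'"hmac": "') + len(b'"hmac": "')
        flipped = b"1" if db[i:i + 1] == b"0" else b"0"
        try:
            load_database(db[:i] + flipped + db[i + 1:], key)
            db_tamper_detected = False
        except ValueError:
            db_tamper_detected = True
    finally:
        shutil.rmtree(root)
    return {"report": report, "db_tamper_detected": db_tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The report from `demo()` lists `bin/ls` as modified, `bin/login` as added and `bin/ps` as removed, which is exactly the "modified system utilities" pattern the chkrootkit slide describes. The HMAC only helps if the key is not on the same box as the files being checked, which is why the slide still recommends write-protected media for the database.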
chkrootkit
  Root Kit / rootkit – a package of cracker tools placed on a system for the purpose of taking control of it or otherwise using it
    May include modified system utilities (e.g. ls, ps)
    Examples: t0rn, HKRK, Romanian, others…
  chkrootkit – program to check a system for common root kits
  Checks
    Common files for substitutions
      Based on known signatures, not just changes
    Evidence of rootkit runs
    Other suspicious files and directories

Responding To Root Kits
  If a minimal number of files is affected, may be able to replace those files from the original media
  If the infection is larger, may have to re-image the system
    Can be difficult to eradicate all traces

swatch
  Log file watcher
  Many log files to watch
    /var/log/messages
    /var/log/secure
    More in separate directories
      httpd
      samba
      snort
  Goal: automatically be notified when a (certain type of) log file entry is made

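The swatch goal above ("be notified when a certain type of log entry is made") and the "events to watch" list from the host-based IDS slide (account creation, logins, failed logins) come together in a small watch list. The following is an added example for these notes, not swatch's own configuration or code: a handful of regex rules run over constructed /var/log/secure-style lines, plus a threshold so that repeated failed logins from one source raise one summary alert instead of a page per line. The rule names, the threshold and the sample log are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure-style lines (not a real log).
SAMPLE_SECURE_LOG = """\
Mar  3 10:01:12 host sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:15 host sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar  3 10:01:19 host sshd[2214]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  3 10:02:40 host sshd[2301]: Accepted publickey for alice from 192.0.2.10 port 40021 ssh2
Mar  3 10:05:02 host useradd[2388]: new user: name=backup2, UID=1007, GID=1007, home=/home/backup2, shell=/bin/bash
Mar  3 10:05:30 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/secure
"""

# swatch-style watch list: which entries to be told about, as (name, pattern).
# These correspond to the "events to watch" on the host-based IDS slide.
RULES = [
    ("failed_login", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("root_login", re.compile(r"Accepted \w+ for root from (?P<src>\S+)")),
    ("account_created", re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")),
]

# One failed login is noise; this many from the same source is worth a notification.
FAILED_LOGIN_THRESHOLD = 3


def watch(lines, threshold=FAILED_LOGIN_THRESHOLD):
    """Run every rule over every line; return one alert dict per hit, plus a
    summary alert the moment a source reaches the failed-login threshold."""
    alerts = []
    failures = Counter()
    for n, line in enumerate(lines, 1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            alerts.append({"rule": name, "line": n, **m.groupdict()})
            if name == "failed_login":
                src = m.group("src")
                failures[src] += 1
                if failures[src] == threshold:
                    alerts.append({"rule": "repeated_failed_logins", "line": n,
                                   "src": src, "count": threshold})
    return alerts


def rules_fired(lines):
    """How many times each rule fired, for a quick tally."""
    return Counter(a["rule"] for a in watch(lines))


if __name__ == "__main__":
    for alert in watch(SAMPLE_SECURE_LOG.splitlines()):
        print(alert)
```

On the sample, the three `Failed password` lines produce three `failed_login` alerts and, on the third, one `repeated_failed_logins` alert for 203.0.113.7; the useradd line produces an `account_created` alert; the sudo line matches nothing and is silently passed over, which is the point of a watch list rather than a full log dump. In a deployment the same loop would tail the file (swatch's job) and the alert dicts would go to mail or a pager rather than to the console.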
Windows Tools
  Many tools available for help in intrusion detection (as well as previous steps)
  Several from www.sysinternals.com
    Process Explorer (process monitoring, including CPU usage)
    Autoruns (service start-up monitoring)
  Others
    CurrPorts (port/service information)

More Information on IDS
  SANS IDS FAQ
    http://www.sans.org/resources/idfaq/