Privateye - Educause


Your Network Security Babelfish
a.k.a.
Security Event Actionable Log Parser
Mike Halsall
&
Graeme Connell
© Michael T. Halsall, 2006
Why We’re Here
• Scripting
• Creativity
• Automation
What We Had
• Pure Cisco architecture
– Managed switches, 802.1q trunking capable
– Small SNMP/Net::Telnet based scripts
– Logging (via syslog) to a central location
Evolution of a System
• Purchased Bradford Networks’ Campus Manager
– Forced us to trunk out to the edges to provide Registration VLAN, Quarantine VLAN and Penalty Box VLAN
– Gave us a database centralizing users, their MAC addresses, their currently leased IP address and the port/switch they appear on, in real time
Campus Manager Benefits, Cont.
• Forced black hole DNS techniques
• Added multi-interfaced web server to handle each VLAN
• Forced Windows Update for students
– Used GP to force Updates for Fac/Staff
Purchased Enterprise Level IPS
• Very fast
• Signature/Anomaly based detection of attacks
• In-line, allowing us to drop attack packets
• Custom signatures (not as nice as Snort)
• Exports alerts, in real time, to syslog
Privateye’s Conception (v. 1.0)
• Initially, a simple log parser (like swatch) for dealing with IPS logs
– Hard-coded database capabilities
– Threshold based
– Ran external scripts
Privateye 1.0’s Config File
#<TRIGGERTYPE>:::<TRIGGER>:::<ACTIONTYPE>:::<ACTION>:::<THRESHOLD_VAL>:::<THRESHOLD_DUR>
ID ::: 0x40009a00 ::: SH ::: shun.sh ${7} ::: 0 ::: week
ID ::: 0x49700500 ::: SH ::: penalty.sh ${4} ::: 5 ::: day
RE_NAME ::: /NULL/ ::: SH ::: shun.sh ${7} ::: 0 ::: week
RE_NAME ::: /Buffer Overflow/ ::: SH ::: shun.sh ${7} ::: 2 ::: week
RE_NAME ::: /Apache/ ::: MAIL ::: emails/email1.txt ::: 15 ::: hour
Problems With v. 1.0
• Not extensible
• Too specialized (IPS, CM)
• Restrictive triggers
– Inside/Outside
– CM/Non-CM users
– Standard/Non-standard ports
Privateye 2.0
• Pushed functionality to config file
• Object oriented
• Complex trigger set
– Boolean chaining (AND, OR, NOT)
– Regular expressions
– Math
• Ability to remember user states
Privateye 2.0
Alert Data Flow
Input → AlertParser → UserHash → RuleList → Rule
Rule = Trigger + Threshold + Action
Input → AlertParser → UserHash → RuleList → Rule
• Log file (syslog data)
#####2006-03-17 15:40:59 EST#####Medium#####irc#####Signature#####IRC: IRC Client Activity Detected#####140.233.203.41:1048#####65.98.55.82:8080#####tcp#####Outbound#####0x40f00100
• TCP session
• STDIN
Input → AlertParser → UserHash → RuleList → Rule
• Uses a Regular Expression to split input into relevant fields
#####2006-03-17 15:40:59 EST#####Medium#####irc#####Signature#####IRC: IRC Client Activity Detected#####140.233.203.41:1048#####65.98.55.82:8080#####tcp#####Outbound#####0x40f00100
Becomes
• Severity: Medium
• Input_IP: 140.233.203.41
• Output_Port: 8080
• CM_User: jstudent
• Etc.…
Input → AlertParser → UserHash → RuleList → Rule
Parsed fields (Severity: Medium, Input_IP: 140.233.203.41, Output_Port: 8080, CM_User: jstudent, etc.)
Becomes
• User_jstudent
• User_everybody
• User_inside
[Diagram: the UserHash holds one entry per user key (User_abc, User_def, User_Everyone, User_jstudent, User_inside, User_outside, User_xyz, …); each entry carries per-rule state (Rule1 data, Rule2 data, Rule3 data, …)]
Input → AlertParser → UserHash → RuleList → Rule
• Chain of rules
• Checked serially
• Rules can execute RuleLists
[Diagram: a RuleList of Rule 1 to Rule 5, with individual rules invoking nested RuleLists of their own (Rule 1 to Rule 3, Rule 1 to Rule 2, Rule 1 to Rule 5)]
Input → AlertParser → UserHash → RuleList → Rule
• All rules are threshold based
• Each rule contains
– Trigger
– Threshold data
– Action
TRIGGER ssh_scan SUBSTR name "SSH"
ACTION src_shun SH scripts/shun.pl "${src_ip}"
RULE ssh_scan_rule ssh_scan src_shun 5 60
#####2006-03-20 13:41:41 EST#####Informational#####ssh#####Signature#####SSH: SSH Version 1 Server Detected#####216.180.225.242:43346#####140.233.190.2:22#####tcp#####Inbound#####0x45b00300
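The Rule = Trigger + Threshold + Action pipeline above, written out in Python as an added example (not Privateye’s own Perl code): the alert layout is the #####-delimited IPS syslog line shown on the slides, while the field names, keying the UserHash on the source IP instead of a Campus Manager lookup, and reading the threshold "5 60" as five hits within 60 seconds are assumptions.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime

# Constructed example, not Privateye's code: the '#####' alert layout comes from the slides;
# the field names and keying the UserHash on src_ip (no Campus Manager lookup) are assumptions.
FIELD_SEP = "#####"
FIELDS = ("timestamp", "severity", "category", "kind", "name", "src", "dst", "proto", "direction", "sig_id")

def parse_alert(line):
    """AlertParser stage: split one syslog'd IPS alert into named fields."""
    parts = [p for p in line.strip().split(FIELD_SEP) if p]
    if len(parts) != len(FIELDS):
        return None                      # malformed line: skip it rather than abort the parser loop
    alert = dict(zip(FIELDS, parts))
    alert["src_ip"], alert["src_port"] = alert["src"].rsplit(":", 1)
    alert["dst_ip"], alert["dst_port"] = alert["dst"].rsplit(":", 1)
    alert["time"] = datetime.strptime(alert["timestamp"][:19], "%Y-%m-%d %H:%M:%S")
    return alert

def substr(field, needle):               # TRIGGER <name> SUBSTR <field> "<needle>"
    return lambda alert: needle in alert[field]

# RULE <name> <trigger> <action> <count> <seconds>: run action after count hits within seconds
Rule = namedtuple("Rule", "name trigger action count seconds")

class Privateye:
    def __init__(self, rules):
        self.rules = rules
        # UserHash: per user, per rule, timestamps of recent trigger hits (the slides' "Rule1 data")
        self.user_hash = defaultdict(lambda: defaultdict(deque))
        self.actions = []                # (action, user) pairs; stands in for running the script

    def process(self, line):
        alert = parse_alert(line)
        if alert is None:
            return []
        user = "User_" + alert["src_ip"]
        fired = []
        for rule in self.rules:          # RuleList: rules are checked serially
            if not rule.trigger(alert):
                continue
            hits = self.user_hash[user][rule.name]
            hits.append(alert["time"])
            while (alert["time"] - hits[0]).total_seconds() > rule.seconds:
                hits.popleft()           # forget hits that fell out of the threshold window
            if len(hits) >= rule.count:
                hits.clear()             # reset so the action fires once per burst, not per alert
                self.actions.append((rule.action, user))
                fired.append(rule.name)
        return fired
```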
Recap
Input → AlertParser → UserHash → RuleList → Rule
External Actions
• Shun at firewall
– Our IPS does not possess this capability for our model firewalls
• Flip a port into penalty VLAN
– Fortunately, we could do this via an SNMP trap to CM, maintaining central user status
– We can also flip ports using same technique below
• Shut a port, if need be
– Given an IP, find the port on campus network, even if not known to CM (CDP walk)
– Send a port ‘shutdown’ command to the switch
• Disconnect user from dial-in/VPN
• TCP Reset
– Out of band
– Sends TCP resets to internal host when triggered (pattern match)
Current Network Layout
[Diagram: The Internet, FW, IPS, Sniffer, Internal Network Switch and Hosts, with the Logging Server, Privateye, Campus Manager and the VLAN Webserver attached]

Privateye Input Vectors
[Diagram: same layout; the Logging Server feeds Privateye]

Privateye Mitigation/Remediation Vectors
[Diagram: same layout; Privateye’s outputs are Firewall shun (FW), VLAN switch (Campus Manager), VLAN switch cont., and Port Shut]

Example
• Single client infected by bot, sends bot command request out to IRC server
• IPS Alert seen by Privateye through Logging Server
• Privateye contacts Campus Manager, which switches client into quarantined VLAN
• Client redirected to web server by DNS black-holing, outside access to client disabled
• Client and web server are now in same VLAN
FYI
How do they get here?
Document root’s Index page is a PHP script
• Get IP of machine user is coming from
• Look at local ARP table to get user’s MAC address
• Match MAC address to “Actions Done” DB table Privateye updated when it told CM to place user in Penalty
• Redirect user to static “reason” page
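The same lookup chain (client IP → local ARP table → “Actions Done” table → reason page), as an added Python example rather than the site’s PHP index page: the ARP lines mimic Linux-style `arp -an` output and are constructed, ACTIONS_DONE is a constructed stand-in for the database table, and the /reasons/ path is hypothetical.

```python
import re

# Constructed example, not the site's PHP index page: SAMPLE_ARP mimics Linux `arp -an` output
# and ACTIONS_DONE stands in for the DB table Privateye updated when it told CM to penalize a user.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+|<incomplete>)")

SAMPLE_ARP = """? (140.233.203.41) at 00:0c:29:3a:bb:01 [ether] on eth1
? (140.233.203.42) at <incomplete> on eth1
? (140.233.203.43) at 0:14:22:ab:cd:ef [ether] on eth1
"""
ACTIONS_DONE = {"00:0c:29:3a:bb:01": "irc_botnet", "00:14:22:ab:cd:ef": "ssh_scan"}

def normalize_mac(mac):
    """Lower-case and zero-pad each octet so 0:14:22:AB:.. and 00:14:22:ab:.. compare equal."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def parse_arp_table(text):
    """Map IP -> normalized MAC from `arp -an` output, skipping <incomplete> entries."""
    table = {}
    for m in ARP_LINE.finditer(text):
        if m.group("mac") != "<incomplete>":
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table

def reason_page(client_ip, arp_text, actions_done):
    """Return the static 'reason' page path for the client, or None if it was not penalized.
    The ARP lookup only works because the quarantined client shares the web server's VLAN."""
    mac = parse_arp_table(arp_text).get(client_ip)
    if mac is None:
        return None                      # not in the local ARP table: not a quarantined neighbour
    reason = actions_done.get(mac)
    return None if reason is None else "/reasons/%s.html" % reason   # hypothetical path layout
```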
Privateye 2.1
• User flags: Multi-alert correlation
• Rule Action thresholding
• User-state Backups
• Real time configuration
• Protected TCP sessions
Privateye Speed
• It all depends…
– Database lookups
– Trigger types / complexity
• Regular expression? Substring? Equality?
– Script speed
• Speed bottlenecks do occur in current version
– Everything done serially
– Second alert never starts until first finished
• Fully processed (including DB lookups, etc.)
• All actions completed
The possibilities are endless…
[Diagram: Logging Server feeding Privateye, whose rules Look for SQL Injection, Look for Port Scans, Look for Misbehavior and Look for Recon]

Real Time Configuration
[Diagram: the same picture]
What Privateye Has Handled
Version 2.0 was put into production in September, 2005
• 264 unique machines have visited the Penalty Box
– 162 due to IRC Botnet activity
• Successfully stopped virus proliferation as soon as
rule was added, on 3 separate occasions
• Mitigated thousands of attacks from outside world
– Most popular:
• SSH Brute Force attacks
• XMLRPC Exploits
IPS and CM Are Not Requirements
• If you have managed switches, you can find clients on network using creative scripting
• Snort can certainly be used
• ARP manipulation can take the place of VLAN switching (not as secure)
Scripting
• Be creative
– Building blocks – small scripts beget big scripts
• PHP
• Net-SNMP
• Perl
– Net::Telnet::Cisco (cpan.org)
• Automate the mundane
• Obsolete yourself
• Automate carefully
Questions?