scarica la presentazione

Download Report

Transcript scarica la presentazione

INTRUSION
DETECTION SYSTEM
Implementation of an all-in-one IDS machine
Professor: Massimiliano Rak
Student: Pasquale Cirillo
Matr.: A18/45
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
SUMMARY
• Objective
• Security requirements
• Intrusion Detection Systems
• IDS classification
•
•
•
•
Sensor Soft-Hardering
NIDS/IPS SNORT
Basic Analysis and Security Engine (BASE): SNORT WEB Interface
Honeypot Systems
• Honeypot classification
•
•
•
•
•
Nepenthes
Amun
SURFids
Antivirus Installation
Penetration Test
• Penetration Testing Software: Metasploit
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
2
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Objective
• Implement a Distributed Intrusion Detection System based on the
SURFcert IDS Project
• Install HoneyPot to support the IDS
• Test the system
Assumptions
• The Distributed Intrusion Detection System (D-IDS) considered is based on
a client-server approach where the client is called a sensor. These sensors
often contain a honeypot and/or a passive analysis tool like Snort
• However, we refer to an All-In-One Machine to simplify the installation
and the configuration of the tools
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
3
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
What is Security?
ISO 27001 AND ISO 27002 DEFINITION
Information security is all about protecting and preserving
information. It’s all about protecting and preserving the
confidentiality, integrity, authenticity, availability, and
reliability of information.
Secutity Objectives:
• Ensure the application of the CIA Paradigm:
• Confidentiality: the information must be accessible only by the
authorized users
• Integrity: the information must be modified only by the authorized
users. All others unauthorized access must be blocked
• Availability: the information must be always available for the
authorized users in the time and modes provided by the security
policies
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
4
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Security Area
BRUCE SCHENEIER DEFINITION (‘Secrets and Lies’)
• Prevention: block any threat or attack
• Detection: eventually the prevention fails, with the detection it seeks to
control attacks in progress
• Reaction: after detected an attack, it responds to attackers
Attack Definition
An attack is any attempt to destroy, expose, alter, disable, steal or gain
unauthorized access to or make unauthorized use of any tangible or
intangible thing that has value to an organization
• Passive attack: the attacker attempts to learn or make use of information
from the system but does not affect system resources
• Active attack: the attacker attempts to alter system resources or affect their
operation
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
5
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
IDS Definition
An intrusion detection system (IDS) is a device or software application that
monitors network and/or system activities for malicious activities or
policy violations and produces reports to a Management Station
IDS Components
• Sensors: one or more sensors are typically used to receive information
from the network or from controlled hosts
• Console: is used to monitor the status of network and hosts
• Engine: used to analyze the data collected by the sensors, provides to
detect possible intrusions
• Database: the analysis engine is based on a database that stores the rules
used to identify security breaches
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
6
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
CIDF
• The Common Intrusion Detection Framework (CIDF) is an effort to
develop protocols and application programming interfaces so that intrusion
detection research projects can share information and resources and so that
intrusion detection components can be reused in other systems
• Some of the ideas involved in CIDF have encouraged the creation of an
Internet Engineering Task Force (IETF) working group, named the
Intrusion Detection Working Group (IDWG)
CIDF Components
• CIDF adopts a view of Intrusion Detection Systems in which they consist
of discrete components which communicate via message passing
• The four kinds of components exchange data in the form of ‘generalized
intrusion detection objects (gidos)’ which are represented via a standard
common format
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
7
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
CIDF Components (Continue)
• Event generators (‘E-boxes’): the role of an event generator is to obtain
events from the larger computational environment outside the intrusion
detection system and provide them in the CIDF gido format to the rest of
the system
• Event analyzers (‘A-boxes’): they receive gidos from other components,
analyze them, and return new gidos (which presumably represent some
kind of synthesis or summary of the input events)
• Event databases (‘D-boxes’): these components simply exist to give
persistence to CIDF gidos
• Response units (‘R-boxes’): they consume gidos which direct them to
carry out some kind of action on behalf of other CIDF components, and
they carry out this action. This includes such things as killing processes,
resetting connections, altering file permissions, etc
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
8
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
IDS Classification
Sources
• NIDS – Network-Based IDS
• HIDS – Host-Based IDS
• Application-Based IDS
• Hybrid IDS
Detection Mechanism
• Misuse Detection
• Anomaly Detection
• Protocol Analysis
DIDS – Distributed IDS
IPS – Intrusion Prevention System
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
9
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
NIDS (1/2)
Objective
• Monitor a network segment
Functioning
• Change the operating mode of the network interface by placing it in
promiscuous mode in such a way as to be listening on every packet on the
network segmet
• Analyze all network traffic looking for a match with known attack
signatures, or looking for statistically anomalous traffic
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
10
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
NIDS (2/2)
Detect
• Buffer overflows, format string attacks, transmission of suspicious files
• Port Scanning, SYN attacks or based on fragmentation of packets
• Spoofed IP addresses
Disadvantages
• Not be able to block the flow of packets in the presence of an attack
• Inability to deal with encrypted traffic
• Powerful HW to handle high volume of traffic
• Problems with fragmented packets
• Detect intrusions but do not know their results
• Require considerable resources to keep logs
• Frequent updating of signatures
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
11
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
HIDS
Objective
• Monitor and analyze a single Host
Functioning
• Analysis of system logs, audit logs, security logs, system call and the
changes undergone by the file system
• For each element are stored its attributes and performed a checksum
calculation with hash functions. The data are compared with the checksum
to detect an attack
Advantages
• Understand if the attack was successful or not
• Analyze cypher messages
Disadvantages
• Subject of attacks
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
12
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Application IDS
Objective
• An application IDS will work solely with the application itself
• They tend to be tailored to a specific product
Functioning
• An IDS will report when anomalous activity is detected most usually using
logs generated by the application
Hybrid IDS
• Known as NNIDS (Network Node IDS) an Hybrid IDS is network-based
but installed on a single Host
• Analyze the network traffic that is directed to themselves
• Advantage: detect encrypted traffic before it can cause an intrusion into the
system
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
13
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Misuse Detection
• To detect an intrusion, uses a pattern matching algorithms, which are the
true engine of the IDS
• Signatures database constantly updated
• Control all incoming packets looking for a match with the signatures
present in the database
• Stateful Pattern Matching Analysis is used to detect an attack performed
with a string payload divided into multiple packets
Advantages
• Low number of false alarms
Disadvantages
• High computational load
• New signatures are not recognized
• Frequent updates of the database
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
14
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Anomaly Detection
• Search abnormal behavior which differs from a system model which
characterizes the correct operations
• Require a learning phase:
• Self learning: the model is learned from examples
• Programmed learning: require in-depth mathematic knowledge to
create models
Advantages
• Very flexible technique since
• Allow to detect unknown attacks
Disadvantages
• High number of false alarms
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
15
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Protocol Analysis
• Based on the control of the technical specifications of the protocols defined
in the RFC
• Generate an alarm for each violation in the standard protocol:
i.e.: SYN-FLOOD Attack
Advantages
• Decrease the number of false alarms
Disadvantages
• Management of ambiguity in RFC
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
16
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
DIDS
• Constituted by sensors and central monitor system
• Sensor generates logs that track the attacks and sends they in the central
system
• The central system collects the data and create a global repository
• Communication between the sensors and central system provided with
encrypted VPN
Disadvantages
• Sensor heterogeneity requires a standard communication interface
• Inherits all the IDS sensors disadvantage
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
17
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
IPS
• Evolution of IDS
• To achieve the ability to prevention, in addition to the normal capacity of
an IDS, the IPS implement instruments to block malicious traffic in real
time
Capabilities
• Block the intrusion through actions such as termination of a network
connection
• Change the security policies when an attack is detected
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
18
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
System Architecture
All-in-one machine:
Attacker:
IP: 192.168.0.20
IP: 192.168.0.19
• All-in-one machine is constituded by a NIDS and two Honeypots that
alternatively work. BASE and SurfnetIDS have been installed to provide a
web interface to analyze the IDS logs
• On the attacker machine Metasploit Penetration Software has been used to
perform a penetration test
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
19
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Sensor Soft-Hardering (1/2)
• Set permission 500 on wget – curl – GET – links – ftp – telnet
root@allinone:/# whereis wget curl GET links lynx ftp tftp telnet
wget: /usr/bin/wget /usr/bin/X11/wget /usr/share/man/man1/wget.1.gz
curl: /usr/bin/curl /usr/bin/X11/curl /usr/share/man/man1/curl.1.gz
GET: /usr/bin/GET /usr/bin/X11/GET /usr/share/man/man1/GET.1p.gz
links: /usr/bin/links /usr/bin/X11/links /usr/share/man/man1/links.1.gz
lynx:
ftp: /usr/bin/ftp /usr/bin/X11/ftp /usr/share/man/man1/ftp.1.gz
tftp:
telnet: /usr/bin/telnet /usr/bin/telnet.netkit /usr/bin/X11/telnet /usr/bin/X11/telnet.netkit
/usr/share/man/man1/telnet.1.gz
root@allinone:/# chmod 500 wget curl GET links ftp telnet.netkit
• Install RootKit Hunter and start scan
Ref.: http://www.lifelinux.com/how-to-install-rootkit-hunter/
• Install Fail2Ban script:
root@allinone:/# apt-get install fail2ban
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
20
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Sensor Soft-Hardering (2/2)
• Configure /etc/fail2ban/fail2ban.conf:
Set log file as path /var/log/fail2ban.log
•
and /etc/fail2ban/jail.conf:
bantime = 3600
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
21
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
SNORT (1/3)
• Snort® is an open source network intrusion prevention and detection
system (IDS/IPS)
• Combine the benefits of signature, protocol, and anomaly-based inspection
• Install Snort with mysql support
root@allinone:/# apt-get install snort-mysql
• Configure /etc/snort/snort.conf
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.0.20/32
ipvar EXTERNAL_NET !$HOME_NET
# List of the ports you run web servers on
portvar HTTP_PORTS 80
# List of ports you want to look for SHELLCODE on
portvar SHELLCODE_PORTS !80
# Path to your rules files
var RULE_PATH /etc/snort/rules
# Target-based IP defragmentation
preprocessor frag3_global: max_frags 65536
…
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
22
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
SNORT (2/3)
...
# Detect anomalies
preprocessor frag3_engine: policy linux detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy linux, use_static_footprint_sizes
# HTTP normalization and anomaly detection
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 } oversize_dir_length 500
# FTP/Telnet normalization and anomaly detection
preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
# Portscan detection
preprocessor sfportscan: proto { all } scan_type { all } memcap { 10000000 } sense_level { high }
logfile { pscan }
# Database parameters
output database: log, mysql, user=snort password=XXX dbname=snort host=localhost
# Site specific rules
include $RULE_PATH/local.rules
include $RULE_PATH/badtraffic.rules
include $RULE_PATH/exploit.rules
...
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
23
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
SNORT (3/3)
• Create Snort Database
root@allinone:/# mysql -u root
mysql>set password for root@localhost=password('PASSWD_ROOT');
create database snort;
grant insert,select on root.* to snort@localhost;
set password for snort@localhost=password('PASSWD_SNORT');
grant create,delete,insert,select,update on snort.* to snort@localhost;
grant create,delete,insert,select,update on snort.* to snort;
exit
• Download and import Snort DB scheme
root@allinone:/# mysql -u root -d snort -p < create_mysql
• Create init script in /etc/init.d
#!/bin/sh -e
snort -c /etc/snort/snort.conf -D -u snort -g snort -y
• Start SNORT
root@allinone:/# snort -c /etc/snort/snort.conf -D -u snort -g snort -y
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
24
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
BASE (1/2)
• BASE (Basic Analysis and Security Engine) is a web interface to perform
analysis of intrusions that snort has detected on the network
• Download BASE and install it in the webserver webroot
root@allinone:/BASE/base-1.4.5# mkdir /var/www/base
root@allinone:/BASE/base-1.4.5# mv * /var/www/base
• Install dependencies
root@allinone:# apt-get install libphp-adodb php5-gd php-pear
root@allinone:# pear install Image_Color
root@allinone:# pear install Image_Canvasalpha
root@allinone:# pear install Image_Graphalpha
• Download and Install AdoDB (database abstraction library for PHP)
Ref.: http://adodb.sourceforge.net/
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
25
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
BASE (2/2)
• Configure base_config.php
root@allinone:/var/www/base# mv base_conf.php.dist base_config.php
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb/ ";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "passwd_snortdb";
• Add dynamic extensions in /etc/php5/apache2/php.ini
extension=mysql.so
extension=gd.so
• Restart Apache2 and Start BASE
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
26
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Honeypot
Honeypot: ‘barattolo di miele’
What is an Honeypot?
• HW or SW that works as bait or trap for potential hackers or malware
• Provide services that are open and visible from internet and easy to break
• Identify and analyze the attacks, intrusion techniques, the flaws of the
system and the malicious code
Advantages
• Quality and quantity of the information that it collects
• Low number of false positives compared to IDS
Disadvantages
• They may themselves be compromised and therefore can bring risks to the
infrastructure that hosts them
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
27
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Honeypot Classification
Scope
• Production Honeypots: used to protect organizations in real production
operating environments. They are implemented parallel to data networks or
IT Infrastructures and are subject to constant attacks 24/7
• Research Honeypots: are not implemented with the objective of protecting
networks. They represent educational resources of demonstrative and
research nature whose objective is centered towards studying all sorts of
attack patterns and threats
Interaction Level
• Low Interaction Honeypots: work exclusively emulating operating
systems and services. The attacker’s activities are limited to the Honeypot’s
level and quality of emulation
• High Interaction Honeypots: constitute a complex solution because they
involve the utilization of operating systems and real applications
implemented in real hardware, without using emulation software
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
28
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Considerations on the Honeypots
Advantages
• Clean logs
• Minimal resources when offers emulated services
The true value of a honeypot for a company is when it can be demonstrated
that the security systems adopted have not been enough to keep out the bad
guys
Disadvantages
• Cannot detect events that do not see them as recipients
• It is a system designed to be attached, if not well configured and isolated
can be a point of access for the attacker
• Disabling: the attacker disables the honeypot and / or changes the log files
• Violation: the attacker is able to use the honeypot for making illegal
activities
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
29
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Nepenthes (1/4)
• Nepenthes is a low-interacion Honeypot and a
versatile tool to collect malware
• It acts passively by emulating known vulnerabilities and downloading
malware trying to exploit these vulnerabilities
• Install Nepenthes
root@allinone:/# apt-get install nepenthes
• Configure /etc/nepenthes/nepenthes.conf
# need to add the the sqlhandler and log-surfnet lines
// SQL handler
"sqlhandlerpostgres.so",
"",
""
// logging
"logdownload.so",
// "logirc.so",
"logsurfnet.so",
""
"" // needs configuration
"" // needs configuration
"log-download.conf",
"log-irc.conf",
"log-surfnet.conf",
…
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
30
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Nepenthes (2/4)
…
# Active preferred vulnerability modules
"vulnbagle.so",
"vulnbagle.conf",
""
"vulndameware.so",
"vulndameware.conf",
"vulndcom.so", "vulndcom.conf",
""
"vulnftpd.so",
"vulnftpd.conf",
""
"vulniis.so",
"vulniis.conf",
""
…
""
• Configure /etc/nepenthes/vulniis.conf
vulniis
{
ports ("443","8080");
accepttimeout "30";
};
• Modify /etc/nepenthes/log-surfnet.conf
server "127.0.0.1"; // must be ip
user "nepenthes";
pass "password";
db "idsserver";
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
31
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Nepenthes (3/4)
• Create init script in /etc/init.d
#!/bin/sh
check=`ps -ef | grep -v grep | grep -v init.d | grep -v postgres | grep nepenthes | wc -l`
echo "CHECK: $check"
if [ $check != 0 ]; then
neppid=`ps -ef | grep -v grep | grep -v init.d | grep -v postgres | grep nepenthes | grep none |
awk '{print $2}' | head -n1`
echo "PID: $neppid"
`kill -9 $neppid`
fi
/bin/nepenthes -u nepenthes -g nepenthes -l none -R -D --chroot=/etc/nepenthes
• Start Nepenthes
root@allinone:/bin/# nepenthes -u nepenthes -g nepenthes -l none -R -D --chroot=/
etc/nepenthes
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
32
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Nepenthes (4/4)
• Attacker starts nmap
root@attacker:/home/attacker# nmap -sS -PN -v 192.168.0.20
Starting Nmap 5.21 ( http://nmap.org ) at 2012-12-07 23:23 CET
Initiating ARP Ping Scan at 23:23
Scanning 192.168.0.20 [1 port]
Completed ARP Ping Scan at 23:23, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:23
Completed Parallel DNS resolution of 1 host. at 23:23, 0.04s elapsed
Initiating SYN Stealth Scan at 23:23
Scanning 192.168.0.20 [1000 ports]
Discovered open port 1025/tcp on 192.168.0.20
Discovered open port 135/tcp on 192.168.0.20
Discovered open port 445/tcp on 192.168.0.20
Discovered open port 143/tcp on 192.168.0.20
Discovered open port 139/tcp on 192.168.0.20
Discovered open port 80/tcp on 192.168.0.20
Discovered open port 110/tcp on 192.168.0.20
Discovered open port 443/tcp on 192.168.0.20
Discovered open port 8080/tcp on 192.168.0.20
Discovered open port 993/tcp on 192.168.0.20
Discovered open port 2105/tcp on 192.168.0.20
Discovered open port 10000/tcp on 192.168.0.20
Discovered open port 465/tcp on 192.168.0.20
Discovered open port 3372/tcp on 192.168.0.20
Discovered open port 2107/tcp on 192.168.0.20
…
Completed SYN Stealth Scan at 23:23, 1.17s elapsed (1000 total ports)
Nmap scan report for 192.168.0.20
Host is up (0.000094s latency).
Not shown: 976 closed ports
PORT
STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
42/tcp open nameserver
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
465/tcp open smtps
993/tcp open imaps
995/tcp open pop3s
1023/tcp open netvenuechat
1025/tcp open NFS-or-IIS
2103/tcp open zephyr-clt
…
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
33
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Amun (1/4)
• Amun is a low-interaction Python Honeypot
• It has a modular implementation as Nepenthes:
• Amun Kernel
• Request Handler
• Vulnerability Modules
• Shellcode Analyzer
• Download Modules
• Logging Modules
• Install Amun
# need to install some more python modules (PostgreSQL adapter for the Python programming
# language)
root@allinone:/# apt-get install python-psycopg2
# download the package from the subversion repository of Amun
cd /opt/
svn co https://amunhoney.svn.sourceforge.net/svnroot/amunhoney amunhoney
cd /opt/amunhoney
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
34
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Amun (2/4)
• Configure /opt/amunhoney/conf/amun.conf
# if you also run other honeypot comment out the modules listening on the same ports
### define ports for vulnerability modules
### (can be changed while running)
# You will also need to uncomment the modules in the vuln_modules section:
vuln_modules: # vuln-ms08067,
…
Surfids
In the log_modules section uncomment the log-surfnet module:
### define logging modules
log_modules: log-surfnet
#
log-syslog
Configure /opt/amunhoney/conf/log-surfnet.conf
[Log-Surfnet]
sensorIP: 127.0.0.1
…
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
35
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Amun (3/4)
…
PGHost: enter-ip-database
PGPort: 5432
PGUser: nepenthes
PGPass: enter-your-password
PGDB: idsserver
# To download binaries to the normal surfids location:
cd /opt/amunhoney/malware
mv md5sum md5sum.orig
ln -s /opt/surfnetids/binaries md5sum
# change the file /opt/amunhoney/submit_modules/submitmd5/submit_md5.py
# modify
filename = "malware/md5sum/%s.bin" % (md5hash)
# in
filename = "malware/md5sum/%s" % (md5hash)
• Start Amun
./amun_server.py
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
36
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Amun (4/4)
• Attacker starts nmap
root@attacker:/home/attacker# nmap -sS -PN -v 192.168.0.20
Starting Nmap 5.21 ( http://nmap.org ) at 2012-12-09 18:18 CET
Initiating ARP Ping Scan at 18:18
Scanning 192.168.0.20 [1 port]
Completed ARP Ping Scan at 18:18, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:18
Completed Parallel DNS resolution of 1 host. at 18:18, 0.05s elapsed
Initiating SYN Stealth Scan at 18:18
Scanning 192.168.0.20 [1000 ports]
Discovered open port 23/tcp on 192.168.0.20
Discovered open port 443/tcp on 192.168.0.20
Discovered open port 1025/tcp on 192.168.0.20
Discovered open port 80/tcp on 192.168.0.20
Discovered open port 8080/tcp on 192.168.0.20
Discovered open port 587/tcp on 192.168.0.20
Discovered open port 143/tcp on 192.168.0.20
Discovered open port 110/tcp on 192.168.0.20
Discovered open port 22/tcp on 192.168.0.20
Discovered open port 139/tcp on 192.168.0.20
Discovered open port 445/tcp on 192.168.0.20
Discovered open port 554/tcp on 192.168.0.20
Discovered open port 42/tcp on 192.168.0.20
Discovered open port 1023/tcp on 192.168.0.20
Discovered open port 1080/tcp on 192.168.0.20
Completed SYN Stealth Scan at 18:18, 1.31s elapsed (1000 total ports)
Nmap scan report for 192.168.0.20
Host is up (0.00028s latency).
Not shown: 966 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
42/tcp open nameserver
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
554/tcp open rtsp
587/tcp open submission
617/tcp open sco-dtmgr
…
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
37
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
SURFIDS
• The SURFids is a Distributed Intrusion Detection framework
• It is based on the following rules:
• The sensor should run out-of-the-box
• The sensor should be completely passive and therefore maintenance
free
• The D-IDS should not generate any false positive alerts
• A sensor should be able to run in a standard LAN
• Comparison of statistics generated by sensors and groups of sensors
should be possible
• The detection tools are installed on a central server (called tunnel server)
• Distributed sensors connect to the tunnel server and tunnel all their layer 2
and higher traffic to the tunnel server
• All information is presented to the users by a webinterface (logging server)
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
38
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
SURFIDS Components
Tunnel/Honeypot Server
• The tunnel end-point on the server is called a tap device
• Tap device is a virtual interface which delivers the traffic from the tunnel
on the server. The tap device will receive an IP address from the client
network address pool. This will make the server virtually present in the
client network
Sensor
• The only purpose of the sensor is to be a transparent bridge between the
client network and the tunnel/honeypot server
• The sensor manages the creation and destruction of the tunnel that is used
to connect the tunnel/honeypot server to the client network
Logging Server
• The logging server consists of two parts, the database and a web interface
• The database is used to store the analysis information from the honeypot
server. This information is presented to the users by a web interface
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
39
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
SURFIDS Installation (1/6)
• Logging Server Installation
# add the SURFids key to your local key chain
wget -q http://repo.ids.surfnet.nl/key.pub -O- | sudo apt-key add –
# create a file /etc/apt/sources.list.d/surfids.list with the content:
deb http://repo.ids.surfnet.nl/surfnetids/ lenny main
# to start the SURFids logging server installation we use apt-get
apt-get update
apt-get install surfids-logserver sendmail sendmail-bin
- Set database Host
- Insert Admin database user
- Create a postgresql user:
sudo -u postgres createuser -s -d -r -P <adminuser>
- Set admin user password
- Set database listening port
- Set database name
- Set SURFids database user and SURFids user password
- Set nepethes, pof, argos user password
- Download the latest GeoIP database
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
40
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
SURFIDS Installation (2/6)
• Logging Server Configuration
# configuration file is located at /etc/surfnetids/surfnetids-log.conf
####################### # Database connection # #######################
# User info for the logging user in the postgresql database
$c_pgsql_pass = "enter_password_here";
$c_pgsql_user = "idslog";
# Postgresql database info
$c_pgsql_host = "localhost";
$c_pgsql_dbname = "idsserver";
# The port number where the postgresql database is running on
$c_pgsql_port = "5432";
# Enable or disable the download option of binaries in the webinterface
$c_download_binaries = 1;
####################### # GeoIP Location Info # #######################
# Enable GeoIP location database to enable source IP country identification.
$c_geoip_enable = 1;
…
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
41
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
SURFIDS Installation (3/6)
…
# The key used for the Googlemap API
$c_googlemap_key = "enter_googlemap_key_here";
# Generate a GnuPG key used to sign mail-reports:
gpg --gen-key
# and insert the key in
# Maillog GNUPG passphrase.
$c_passphrase = "enter_gnupg_passphrase_here";
################# # Sandbox Email #################
# Settings needed to retrieve the Norman reports from the mailbox they were sent to
# login credentials
$c_mail_username = 'email_username';
$c_mail_password = 'email_pass';
# mailhost and port
$c_mail_mailhost = 'mailhost';
$c_mail_port = '995';
# replace the “enter_database_pass_here” text with the actual password needed for connecting
with the database in /opt/surfnetids/webinterface/.htaccess
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
42
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
SURFIDS Installation (4/6)
• Tunnel Server Installation
# Add the Dapper repository in sources.list:
deb http://ubuntu.mirror.cambrium.nl/ubuntu / hardy main universe
# to start the SURFids tunnel server installation we use apt-get
apt-get update
apt-get install surfids-tunnel
- Set OpenVPN key size
- Insert attribute for certificates
- Set Xinetd listening address
- Set IP address of tunnel server that is accepting the OpenVPN connections
- Set the password used by the sensor to communicate with the tunnel server
• Tunnel Server Configuration
# configuration file is located at /etc/surfnetids/surfnetids-tn.conf
#################### # SURF IDS Options # ####################
# The root directory for the SURF IDS files (no trailing forward slash).
$c_surfidsdir = "/opt/surfnetids";
…
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
43
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
SURFIDS Installation (5/6)
…
####################### # Database connection # #######################
# User info for the logging user in the postgresql database
$c_pgsql_pass = "enter_password_here";
$c_pgsql_user = "idslog";
# Postgresql database info
$c_pgsql_host = "enter_database_servername_here";
$c_pgsql_dbname = "idsserver";
# The port number where the postgresql database is running on.
$c_pgsql_port = "5432";
################ # Mail logging # ################
# Maillog From: address. This is the email addres that appears in the From header.
$c_from_address = 'enter_email_address_here';
# Maillog GNUPG passphrase.
$c_passphrase = "enter_GNU_passphrase_here";
# Prefix for the subject of email reports
$c_subject_prefix = "[SURF IDS] ";
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
44
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
SURFIDS Installation (5/6)
• Add Local Static Sensor to SURFids database
cd /opt/surfnetids/logtools
./localsensor.pl -p 192.168.0.20
/opt/surfnetids/logtools/localsensor.pl -i eth0 -s Nepenthes -o Evil_Sensor
• Open the web interface available at
http://<logserver:80>/surfnetids/
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
45
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
AV Installation (1/3)
• Local scan of Suspicious Files with:
•
•
•
F-Prot
AVAST
ClamAV
• Create a Directory
cd /opt
mkdir scanner
cd scanner
• Install ClamAV
apt-get install unzip libwww-perl
apt-get -y install clamav
Freshclam
• Install F-Prot
# Download fp-Linux.x86.32-ws.tar.gz from F-Prot official website
tar -xvf fp-Linux.x86.32-ws.tar.gz
cd f-prot
./install-f-prot.pl
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
46
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
AV Installation (2/3)
• Install Avast
# Download avast4workstation-1.3.0.tar.gz from AVAST official website
tar -xvf avast4workstation-1.3.0.tar.gz
# Download avast4workstation_1.3.0-2_i386.deb from AVAST official website
dpkg -i avast4workstation_1.3.0-2_i386.deb
sysctl -w kernel.shmmax=100000000
# AVAST requires a free registration to work
• Configure /opt/surfnetids/scripts/scanbinaries.pl
####################
# Define scanners
####################
$scanners->{"F-Prot"} = {
'cmd' => "/opt/scanner/f-prot/fpscan -v 2 --report --adware",
'update' => "/opt/scanner/f-prot/fpupdate",
'version' => "/opt/scanner/f-prot/fpscan --version | grep \"F-PROT
Antivirus version\" | awk -F'(' '{print \$1}' | awk '{print \$NF}'",
'batchmode' => 0,
};
…
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
47
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
AV Installation (3/3)
…
$scanners->{"AVAST"} = {
'cmd' => "/opt/scanner/avast4workstation-1.3.0/bin/avast -n",
'update' => "/opt/scanner/avast4workstation-1.3.0/bin/avast-update",
'version' => "/opt/scanner/avast4workstation-1.3.0/bin/avast --version |
head -n1 | awk -F\"avast \" '{print \$2}'",
'batchmode' => 1,
};
$scanners->{"ClamAV"} = {
'cmd' => "clamscan --no-summary",
'update' => "freshclam",
'version' => "clamscan --version | awk '{print \$2}' | awk -F\"/\"
'{print \$1}'",
'batchmode' => 0,
};
• Add to crontab
00,30 * * * * /opt/surfnetids/scripts/scanbinaries.pl >/dev/null
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
48
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Metasploit:
Penetration Test Software
• Metasploit® software helps security and IT professionals
• Identify security issues, verify vulnerability mitigations, and manage
expert-driven security assessments
• Download from http://www.metasploit.com/download/ for FREE
• Install it on the attacker machine and test the all-in-one machine:
• Discover open ports
• Exploit target system (require registration)
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
49
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Metasploit:
Testing Nepenthes
VS
+
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
50
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Metasploit:
Testing Nepenthes
VS
+
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
51
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Metasploit:
Testing Amun
VS
+
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
52
INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST
Metasploit:
Testing Amun
VS
+
Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12
53