Introduction To Gateway IDS

An Introduction To
Gateway Intrusion Detection
Systems
Hogwash GIDS
Jed Haile
Nitro Data Systems
What Is a Gateway IDS?
• Gateway Intrusion Detection System
– A network intrusion detection system which
acts as a network gateway
– Designed to stop malicious traffic and generate
alerts on suspicious traffic
– An “ideal” gateway IDS is able to stop all
known exploits
© Jed Haile, Nitro Data Systems 2002
GIDS vs NIDS
GIDS
• Acts as network gateway
• Stops suspect packets
• Prevents successful intrusions
• False positives are VERY bad
NIDS
• Only observes network traffic
• Logs suspect packets and generates alerts
• Cannot stop an intruder
• False positives are not as big of an issue
About Hogwash
• Based on the Snort intrusion detection
system
• Operation is similar to some bridging
firewalls
• Uses snort rules with some additional
keywords to make forward/drop decisions
• Compatible with most snort plugins
• Freely available under the GPL
Basic Theory of Operation
• Much like a bridging firewall, Hogwash
makes forward/drop decisions…
– This packet is always good so pass it into my
network.
– This packet is always bad so drop it and tell me
about it.
– This packet is sometimes bad so tell me about
it, but don't drop it.
Typical Hogwash Installation
(network diagram; not reproduced in this transcript)
New Hogwash Keywords
• drop - drops the packet, sends an RST, logs the packet
• ignore - drops the packet without sending an RST
• sdrop - drops the packet, sends an RST, does not log the packet
Multipacket Signature Matching
• Hogwash cannot do traditional stream reassembly
• Instead, Hogwash can watch for partial content matches at the end of a packet
• If there is a partial match, Hogwash forwards the packet anyway and caches a copy
• When the next packet arrives, Hogwash reassembles the two packets and runs the result back through the detection engine; if it matches, the second packet is dropped
• Works for out-of-order packets also
• Enabled by using the "multi" keyword in a rule
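The partial-match-and-reassemble logic described on this slide, written out as an added example (it is not Hogwash's own code). It assumes a single content signature, TCP sequence numbers as the only ordering information, and constructed sample segments; a production engine would also age out cache entries and cope with a signature split over more than two segments.

```python
# Added example, not Hogwash code: tail/head partial matching of a content
# signature across two TCP segments, as the slide describes. Sequence numbers
# are the only ordering information used, so out-of-order arrival also works.


def tail_partial_match(payload: bytes, sig: bytes) -> int:
    """Length of the longest proper prefix of sig that ends payload (0 if none)."""
    for n in range(len(sig) - 1, 0, -1):
        if payload.endswith(sig[:n]):
            return n
    return 0


def head_partial_match(payload: bytes, sig: bytes) -> int:
    """Length of the longest proper suffix of sig that starts payload (0 if none)."""
    for n in range(len(sig) - 1, 0, -1):
        if payload.startswith(sig[-n:]):
            return n
    return 0


class MultiPacketMatcher:
    """Forward/drop decisions for one content signature ('multi' behaviour)."""

    def __init__(self, sig: bytes):
        self.sig = sig
        # stream key -> {tcp seq: payload} for packets already forwarded that
        # partially matched at their tail or head (a real engine would expire these)
        self.cache = {}

    def inspect(self, key, seq: int, payload: bytes) -> str:
        # 1. whole signature inside this packet: drop immediately
        if self.sig in payload:
            return "drop"
        cache = self.cache.setdefault(key, {})
        end = seq + len(payload)
        # 2. is there a cached neighbour that precedes or follows this segment?
        prev_seq = next((s for s, p in cache.items() if s + len(p) == seq), None)
        prev = cache.pop(prev_seq) if prev_seq is not None else b""
        nxt = cache.pop(end, b"")
        # 3. reassemble with the cached copy and rerun detection; the cached
        #    packet has already left the gateway, so only this one can be dropped
        if self.sig in prev + payload + nxt:
            return "drop"
        # 4. otherwise forward, caching it if it could be the start or end of a match
        if tail_partial_match(payload, self.sig) or head_partial_match(payload, self.sig):
            cache[seq] = payload
        return "forward"
```

With the signature `cmd.exe` split as `...system32/cm` and `d.exe?/c+dir...`, the first segment is forwarded and the segment that completes the match is dropped, whichever order they arrive in. The cost the slide implies is real: the first fragment always reaches the server, so the technique breaks the exploit string but does not hide that an attempt was made.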
Defeating Portscans
Hogwash uses state counting to detect portscans
– Each time a new session (TCP, UDP, ICMP) is initiated into your network, Hogwash notes it
– All sessions from a host are tracked until the host has been idle for some period of time, 60 seconds by default
– If a host hits more than 20 unique ports or 5 unique targets within that window, it is determined to be portscanning. These thresholds are user configurable.
– Hogwash will then drop all of that portscanner's packets
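The state-counting detector above as an added example, not Hogwash's code. It uses the slide's defaults (60 second idle timeout, more than 20 unique ports or 5 unique targets), counts ports as (protocol, port) pairs, and assumes that a flagged host stays blocked until it has been idle for the same timeout, since the slide does not say when the block is lifted. The session records fed to it in the test are constructed.

```python
# Added example, not Hogwash code: state counting for portscan detection with
# the slide's defaults (60 s idle timeout, >20 unique ports or >5 unique targets).
# Assumption: a blocked host stays blocked until it has been idle for the same
# timeout; the slide does not say when the block is lifted.

IDLE_TIMEOUT = 60.0   # seconds a host's state lives after its last new session
MAX_PORTS = 20        # unique (proto, port) pairs allowed within the window
MAX_TARGETS = 5       # unique destination hosts allowed within the window


class ScanTracker:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, max_ports=MAX_PORTS, max_targets=MAX_TARGETS):
        self.idle_timeout = idle_timeout
        self.max_ports = max_ports
        self.max_targets = max_targets
        self.hosts = {}    # src -> {"last": t, "ports": set(), "targets": set()}
        self.blocked = {}  # src -> time of the last packet seen from a flagged scanner

    def observe(self, now: float, proto: str, src: str, dst: str, dport) -> str:
        """Feed the first packet of each new tcp/udp/icmp session (dport=None for
        icmp). Returns 'drop' for a host judged to be scanning, else 'forward'."""
        last = self.blocked.get(src)
        if last is not None:
            if now - last <= self.idle_timeout:
                self.blocked[src] = now          # still active: keep dropping
                return "drop"
            del self.blocked[src]                # idle long enough: start over
        st = self.hosts.get(src)
        if st is None or now - st["last"] > self.idle_timeout:
            st = {"last": now, "ports": set(), "targets": set()}   # idle: reset counters
            self.hosts[src] = st
        st["last"] = now
        st["ports"].add((proto, dport))
        st["targets"].add(dst)
        if len(st["ports"]) > self.max_ports or len(st["targets"]) > self.max_targets:
            self.blocked[src] = now
            del self.hosts[src]
            return "drop"
        return "forward"
```

The 21st distinct port or the 6th distinct target from one source flips that source to "drop", and a 199 second pause resets its counters. Because the decision keys on the source address of the first packet of a session, spoofed SYN, UDP or ICMP packets can get an uninvolved third party blocked; counting only completed TCP handshakes, or exempting critical addresses, limits that exposure.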
Content Replacement
Hogwash can replace content in a packet
– The "replace" keyword tells Hogwash to replace a detected string with another string.
– Example:
alert tcp any any -> $IIS_SERVERS 80 (content:"cmd.exe"; replace:"yyy.yyy";)
– Any content in the packet payload can be replaced.
– The replacement here is the same length as the matched string, so the packet length and TCP sequence numbers stay consistent.
– A great way to break an exploit without dropping the packet!
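What the replace action has to do to the packet, as an added example and not Hogwash's code: rewrite the matched bytes in the TCP payload and then recompute the TCP checksum, or the receiver discards the packet. The IPv4/TCP packet is constructed inside the example with a minimal header builder; the length check is the caveat that matters, because a gateway that does no sequence-number translation cannot change the payload size.

```python
# Added example, not Hogwash code: rewrite a string inside a TCP payload the way
# the 'replace' keyword does, then fix the TCP checksum so the receiver still
# accepts the packet. The packet used below is constructed for the example.
import struct


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data; returns 0 when data already verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_pseudo_header(ip_hdr: bytes, tcp_len: int) -> bytes:
    return ip_hdr[12:16] + ip_hdr[16:20] + struct.pack("!BBH", 0, 6, tcp_len)


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 + TCP (PSH|ACK) packet with valid checksums, for the demo only."""
    saddr = bytes(int(o) for o in src.split("."))
    daddr = bytes(int(o) for o in dst.split("."))
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, saddr, daddr))
    struct.pack_into("!H", ip, 10, ones_complement_sum(bytes(ip)))
    struct.pack_into("!H", tcp, 16, ones_complement_sum(_tcp_pseudo_header(bytes(ip), len(tcp)) + bytes(tcp)))
    return bytes(ip) + bytes(tcp)


def tcp_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    return ones_complement_sum(_tcp_pseudo_header(packet[:ihl], len(tcp)) + tcp) == 0


def replace_content(packet: bytes, old: bytes, new: bytes) -> bytes:
    """Replace every occurrence of old with new in the TCP payload and recompute the
    TCP checksum. The gateway does not translate sequence numbers, so the
    replacement must be exactly the same length (cmd.exe -> yyy.yyy is)."""
    if len(old) != len(new):
        raise ValueError("replacement must be the same length as the matched content")
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, tcp = packet[:ihl], bytearray(packet[ihl:])
    doff = (tcp[12] >> 4) * 4                       # TCP data offset in bytes
    if old not in tcp[doff:]:
        return packet                                # nothing to do: forward unchanged
    tcp[doff:] = bytes(tcp[doff:]).replace(old, new)
    tcp[16:18] = b"\x00\x00"                        # zero the checksum before recomputing
    struct.pack_into("!H", tcp, 16, ones_complement_sum(_tcp_pseudo_header(ip_hdr, len(tcp)) + bytes(tcp)))
    # the IPv4 header checksum covers only the header, so it is unchanged
    return ip_hdr + bytes(tcp)
```

Unlike drop, which sends an RST and ends the session, the rewritten packet lets the connection continue: the server receives a request for a file that does not exist and answers normally, which is why the slide calls this a way to break an exploit without dropping the packet. Note that the attacker still sees a response, so the rewrite is not invisible to a careful adversary.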
Stealth
• Stackless Operation
– Hogwash does not require an IP stack to be loaded on its network interfaces
– Hogwash can invisibly forward traffic: no decreased TTLs, etc.
Stackless Control Protocol
• Stackless Control Protocol
– Hogwash can be remotely controlled, even when running in stackless mode
– To send a command, simply send a control packet so that it will pass through the Hogwash box
– Packets can be any combination of TCP, UDP, ICMP
– The stackless control protocol uses Twofish or AES cryptography and a custom protocol to ensure security
Stackless Control Protocol Theory
Each packet that passes through hogwash is
checked for a “magic token” in the payload.
If the token is found, then hogwash will
attempt to decrypt the payload following the
magic token. If the token is found again
immediately following the first magic
token, then hogwash knows it has found a
control packet and processes the command.
Stackless Control Protocol Theory
(slide diagram, laid out from the transcript: the packet as seen on the wire on the left, the payload after DECRYPT on the right)

  HEADER 34.12.34.5 -> 112.76.219.9     HEADER 34.12.34.5 -> 112.76.219.9
  02 3A 50 10 EF 4D 28 0C               02 3A 50 10 EF 4D 28 0C
  39 01 00 02 9A 04 A2 B5               39 01 00 02 9A 00 02 9A   <- Magic Token, repeated: Tokens Match
  00 4D 82 0A 93 84 71 0D               20 3A 42 9A 23 81 00 0C   }
  0A 83 27 02 10 73 AC 61               4B 43 92 AA CD 01 36 61   } Command
  E1 0F 56 82 0C 19 00 C2               A2 0D 56 64 1A CE 01 B2   }
Stackless Control Protocol
Commands
• hping - ping the Hogwash box to see if it's alive
• hstat - get statistics from the Hogwash box
• hbuff - retrieve either the RULES, ALERT, or LOG file
• hfilesync - store the retrieved file in a file; can be used to feed standard Snort tools
• hsetbuf - transfer a file to the Hogwash box
• hsetrules - transfer a new rules file to the Hogwash box and restart Hogwash
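The protocol of the two preceding slides (find the magic token, decrypt what follows, accept the packet as a command only if the token repeats) as an added example, not Hogwash's code. The token value, the 12-byte nonce in front of the ciphertext and the shared key are constructed for the example, and the keystream is HMAC-SHA256 in counter mode as a standard-library stand-in for the Twofish or AES encryption the slides name; the command names are the ones listed above.

```python
# Added example, not Hogwash code: a control packet recognised purely by payload
# content, as the slides describe. MAGIC, the nonce layout and the shared key are
# constructed for this example; the keystream is HMAC-SHA256 in counter mode as a
# stdlib stand-in for the Twofish/AES encryption the slides mention.
import hashlib
import hmac
import os
import struct

MAGIC = b"HGW1"      # constructed magic token
NONCE_LEN = 12       # constructed: fresh per packet so keystream is never reused

COMMANDS = (b"hping", b"hstat", b"hbuff", b"hfilesync", b"hsetbuf", b"hsetrules")


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_control_payload(key: bytes, command: bytes, nonce=None) -> bytes:
    """payload = MAGIC || nonce || E(MAGIC || command): the token in the clear lets the
    gateway find the packet; the token inside the ciphertext proves the key."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    body = MAGIC + command
    return MAGIC + nonce + _xor(body, _keystream(key, nonce, len(body)))


def parse_control_payload(key: bytes, payload: bytes):
    """Return the command bytes if payload carries a valid control message, else None."""
    i = payload.find(MAGIC)
    if i < 0:
        return None                                   # ordinary traffic
    rest = payload[i + len(MAGIC):]
    if len(rest) < NONCE_LEN + len(MAGIC):
        return None                                   # too short to hold nonce + token
    nonce, ct = rest[:NONCE_LEN], rest[NONCE_LEN:]
    pt = _xor(ct, _keystream(key, nonce, len(ct)))
    if not pt.startswith(MAGIC):
        return None                                   # token did not repeat: not ours, or wrong key
    return pt[len(MAGIC):]


def handle_packet(key: bytes, payload: bytes):
    """Gateway side: ('forward', None) for normal traffic, ('control', name) for one
    of the slide's commands. Anything else is treated as ordinary traffic."""
    cmd = parse_control_payload(key, payload)
    if cmd is None:
        return ("forward", None)
    name = cmd.split(b" ", 1)[0]
    if name in COMMANDS:
        return ("control", name)
    return ("forward", None)
```

The payload can ride inside any TCP, UDP or ICMP packet that crosses the gateway, which is what makes the scheme work without an IP stack. As described, the repeated token is the only integrity check: without a MAC over nonce and ciphertext the message can be altered by someone who knows the plaintext layout, and without a sequence number a captured hsetrules packet can be replayed later to reload an old rules file. A current implementation would add both.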
Sample Hogwash Rules
• To drop incoming port 80 connections:
drop tcp any any -> $HOMENET 80 (msg:"Port 80 tcp";)
• To drop cmd.exe calls to your webservers:
drop tcp any any -> $HOMENET 80 (msg:"cmd.exe attempt"; content:"cmd.exe";)
Running Hogwash
hogwash <options>
-c <rules file>
-i <internal interface>
-e <external interface>
-l <log directory>
-n <no rules mode>
% hogwash -i eth0 -e eth1 -c hogwash.conf -l /var/log/hogwash
References
http://hogwash.sourceforge.net
http://www.snort.org
Securing an Unpatchable Web Server
http://www.securityfocus.com/infocus/1208
Jed Haile
Jason Larsen