Transcript lec25

CSCE 815 Network Security
Lecture 25
Data Control in HoneyNets
SSH
April 22, 2003

Machines to Attack
129.252.140.3
129.252.140.7
NOT 129.252.140.1 (the gateway)
–2–
CSCE 815 Sp 03

Honeynet Bridge
[Diagram: the honeypots 129.252.140.3 and 192.252.140.7 sit behind a bridge with three interfaces. Eth1 (no IP, honeynet side) and Eth0 (no IP, Internet side) form the bridge; Eth2 (129.252.xxx.yyy) is the administrative interface, reached only over SSH connections from trusted hosts.]

Honeynet Communication Channel
[Diagram: a packet from honeypot 129.252.140.7 to 208.122.101.1 enters the bridge on Eth1 (promiscuous mode) and leaves on Eth0 (promiscuous mode) toward the hub. The header shown on both interfaces is identical: Source IP 129.252.140.7, Destination IP 208.122.101.1, TTL 30, Source MAC 07 E2 G5 89 P1, Destination MAC 0H F5 7F 2L G2. Both sides are drawn as full stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical); the figure also labels "Hub" and "IP Forwarding". Forwarding happens at the Data Link layer, so the Network-layer header, TTL included, is untouched.]

What is Data Control and Why?
Process used to control or contain traffic to a honeynet
Upstream liability: an attack from one of your honeypots
Snort-inline (South Florida Honeynet Project)

GEN II Data Control
Gen II:
Incorporates a firewall and IDS in one system
Provides more stealthy data control
Can be implemented for layer 2 bridging or layer 3 NAT translation
Packets are passed from the Internet to the honeynet as layer 2 (data link) packets, so there is no TTL decrement

IPTables for GEN II Honeynet
IPTables is a free, stateful, Open Source firewall for Linux 2.4.x and 2.5.x kernels
Each packet header is compared to a set of "chains"
Chains contain rules whose targets are ACCEPT, DROP, REJECT or QUEUE
Custom chains: tcpHandler, udpHandler, icmpHandler

Example Rule
Shell Script
# log every packet reaching tcpHandler, then either queue it to snort-inline or accept it
$IPTABLES -A tcpHandler -j LOG --log-prefix "OUTBOUND "
if test "$QUEUE" = "yes"; then
    $IPTABLES -A tcpHandler -j QUEUE
fi
$IPTABLES -A tcpHandler -j ACCEPT
The environment variable $QUEUE controls the action of the rule
Queueing
Connection limits

Snort-Inline
Snort: the Open Source Network Intrusion Detection System, http://www.snort.org/
Snort-Inline: Snort plus the ability to retrieve packets from the iptables QUEUE target
Gen I: Alert.sh operated at Layer 3 (IP layer), which made it visible through TTL decrement and routing
Gen II Data Control: if the attacker runs traceroute to view the router hops, the bridge does not appear ("I see nothing", Sergeant Schultz)
/sbin/traceroute 129.252.140.3

Set Up
lsmod
modprobe ip_queue       # load the ip_queue module into kernel space
lsmod
modprobe -r ip_queue    # remove it again
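As an added example (not from the slides or the Honeynet Project), a dry-run shell script that performs the set-up described on the Honeynet Bridge and GEN II Data Control slides and here: it builds the addressless bridge and loads ip_queue. The bridge name br0 and the interface roles are assumptions; the administrative address is the slide's own placeholder.

```shell
#!/bin/sh
# Added example, not the slides' or the Honeynet Project's own script: brings up
# the Gen II bridge (eth0 and eth1 carry no IP address, eth2 is the administrative
# interface) and loads ip_queue so snort-inline can read the QUEUE target.
# DRY_RUN=yes (the default) only prints the commands; run as root with DRY_RUN=no.
DRY_RUN="${DRY_RUN:-yes}"
BRIDGE="${BRIDGE:-br0}"                  # assumed bridge name
INSIDE="${INSIDE:-eth1}"                 # honeynet side (Eth1, no IP)
OUTSIDE="${OUTSIDE:-eth0}"               # Internet side (Eth0, no IP)
ADMIN_IF="${ADMIN_IF:-eth2}"             # administrative interface, SSH from trusted hosts
ADMIN_IP="${ADMIN_IP:-129.252.xxx.yyy}"  # the slide's placeholder; set a real address

run() { if [ "$DRY_RUN" = yes ]; then echo "$*"; else "$@"; fi; }

setup_bridge() {
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$INSIDE"
    run brctl addif "$BRIDGE" "$OUTSIDE"
    # Addressless and promiscuous: the bridge has no layer-3 presence, so it
    # neither decrements the TTL nor shows up as a traceroute hop
    run ifconfig "$INSIDE" 0.0.0.0 promisc up
    run ifconfig "$OUTSIDE" 0.0.0.0 promisc up
    run ifconfig "$BRIDGE" 0.0.0.0 up
    # Only the administrative interface gets an address
    run ifconfig "$ADMIN_IF" "$ADMIN_IP" up
}

load_ip_queue() {
    run modprobe ip_queue
    # Outside dry-run mode, confirm the module really is in kernel space
    [ "$DRY_RUN" = yes ] && return 0
    lsmod | grep -q '^ip_queue' || { echo "ip_queue not loaded" >&2; return 1; }
}

setup_bridge
load_ip_queue
```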

Data Control: Snort-Inline and IPTables
Modes of Operation
Connection Limiting Mode: count packets by protocol type
Drop Mode: libipq reads packets from kernel space; packets are matched against Snort signatures and dropped if there is a match
Replace Mode: packets are matched against Snort signatures and, if they match, the harmful content of the packet is scrubbed and the packet is returned to the attacker

Connection Limiting Mode
[Diagram: Enemy -> Hub -> Data Control host (Snort-Inline, IPTables). IPTables counts the packets and, at Packet No = 10, DROPs.]

Snort-Inline Drop Mode
[Diagram: Enemy -> Hub -> Data Control host. IPTables hands packets to Snort-Inline through ip_queue; Snort rules = Drop, so a matching packet is dropped.]

Snort-Inline Replace Mode
[Diagram: Enemy -> Hub -> Data Control host. IPTables hands packets to Snort-Inline through ip_queue; Snort rules = Replace, e.g. bin/sh -> ben/sh in the payload (the replacement has the same length as the original, so the packet size is unchanged).]

Supporting Tools for Gen II
libipq: development library for iptables. Netfilter provides a mechanism for passing packets out of the stack for queueing to userspace, then receiving these packets back into the kernel. http://www.cs.princeton.edu/~nakao/libipq.htm
libpcap: packet capture library used by most Open Source sniffers
Bridge-Utils: used to set up the Linux Ethernet bridge
Latest Snort rules
rc.firewall script: everything you need to set up the Gen II data control system. http://project.honeynet.org/papers/honeynet/tools/rc.firewall

rc.firewall script
This script uses IPTables to create a gateway that counts inbound and outbound connections and blocks connections once a limit has been met.
Kernel must be compiled with Bridge support
Modification history
21 Apr 2003: Added STOP_OUT option to allow the user to block all outbound connections. Think of this as the honeynet safe mode.
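The rule set this slide and the IPTables and Example Rule slides describe, written out as an added example that is not the Honeynet Project's rc.firewall and not code from the slides: it builds the tcpHandler, udpHandler and icmpHandler chains with per-protocol connection limits, the QUEUE hand-off to snort-inline, and the STOP_OUT safe mode. The honeynet subnet 129.252.140.0/24, the default limits and the use of the iptables limit match are assumptions.

```shell
#!/bin/sh
# Added example, not the Honeynet Project's rc.firewall: the Gen II data-control
# chains. New outbound connections from the honeynet are counted per protocol;
# within the limit each is logged and, if QUEUE=yes, handed to snort-inline via
# ip_queue; beyond the limit they are logged and dropped.
# STOP_OUT=yes blocks every outbound packet (the "honeynet safe mode").
# DRY_RUN=yes (default) prints the iptables commands instead of running them.
DRY_RUN="${DRY_RUN:-yes}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
QUEUE="${QUEUE:-yes}"
STOP_OUT="${STOP_OUT:-no}"
HONEYNET="${HONEYNET:-129.252.140.0/24}"   # assumed: the honeypots' subnet
TCPRATE="${TCPRATE:-9}"; UDPRATE="${UDPRATE:-20}"; ICMPRATE="${ICMPRATE:-50}"
SCALE="${SCALE:-day}"   # limit window: second, minute, hour or day

ipt() { if [ "$DRY_RUN" = yes ]; then echo "iptables $*"; else "$IPTABLES" "$@"; fi; }

# $1 chain name, $2 protocol label, $3 new connections allowed per $SCALE
handler() {
    ipt -N "$1"
    LIMIT="-m limit --limit $3/$SCALE --limit-burst $3"   # word-split on purpose
    ipt -A "$1" $LIMIT -j LOG --log-prefix "OUTBOUND $2 "
    if [ "$QUEUE" = yes ]; then
        ipt -A "$1" $LIMIT -j QUEUE    # snort-inline decides: pass, drop or replace
    else
        ipt -A "$1" $LIMIT -j ACCEPT
    fi
    ipt -A "$1" -j LOG --log-prefix "DROP $2 after $3 "
    ipt -A "$1" -j DROP
}

build_rules() {
    ipt -F; ipt -X
    ipt -P FORWARD DROP
    if [ "$STOP_OUT" = yes ]; then
        ipt -A FORWARD -s "$HONEYNET" -j LOG --log-prefix "STOP_OUT "
        ipt -A FORWARD -s "$HONEYNET" -j DROP
    fi
    ipt -A FORWARD -d "$HONEYNET" -j ACCEPT   # inbound: attackers must reach the honeypots
    # replies on already-counted connections are not counted again
    ipt -A FORWARD -s "$HONEYNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    handler tcpHandler TCP "$TCPRATE"
    handler udpHandler UDP "$UDPRATE"
    handler icmpHandler ICMP "$ICMPRATE"
    ipt -A FORWARD -s "$HONEYNET" -p tcp --syn -m state --state NEW -j tcpHandler
    ipt -A FORWARD -s "$HONEYNET" -p udp -m state --state NEW -j udpHandler
    ipt -A FORWARD -s "$HONEYNET" -p icmp -m state --state NEW -j icmpHandler
}

build_rules
```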

Protect the Administrator Interface
Portsentry
Detects SYN/half-open, FIN and NULL scans
Will block the host in real time and report to the administrator

Data Control: Tripwire
Maintains the integrity of data on the system
Creates cryptographic checksums of files and directories
Reports when changes are made to access permissions, inode number, user id, group id, date and time, or size
http://www.tripwire.com/

Data Capture Mechanisms
Snort-Inline
Comlog: logs commands executed by cmd.exe (Windows)
Eventlog: forwards packets to a syslog server (Windows)
Sebek (Linux): keystroke logging; uses a UDP connection
USCSh: Unix keystroke logging, 1984
Windows keystroke logging: PhD dissertation, 1990s

Data Collection
Syslog: to deceive the intruder, maintain another syslog.conf file in a different location
Remote syslog: store the data on a remote machine

Data Analysis
Log Sentry:
• Audits logs and reports any violations
The @stake Sleuth Kit:
• Analyses images generated by the dd command (dd converts and copies a file)
• Displays deleted files
• Creates a timeline of file activity

Risk Analysis
Placed on the 129.252.140 subnet; can be shut down in case of emergency
Efficient data control mechanisms: firewall (connection limiting mode) and Snort-Inline (drop mode)

References
Librenix: http://librenix.comfirewalls (types of firewalls, configurations, access control)
Newsforge: http://newsforge.com/newsforge
Deploying a GenII Honeynet: MS Thesis, Harish Siripurapu
http://www.honeynet.ie/main.htm
GenII Data Control for Honeynets, University of South Florida: http://cert.uni-stuttgart.de/archive/honeypots/2003/02/msg00056.html