Intrusion detection: signature-based,Snort, and statistical


Intrusion Detection Systems
An IDS is any combination of hardware & software that monitors a system or network for malicious activity.
Examples of IDSs in real life:
• Car alarms
• Fire detectors
• House alarms
• Surveillance systems
Polytechnic University
Introduction
1
Why IDS
Can be detected:
• Mapping
• Port scans
  - tens of thousands of packets
• TCP stack scans
  - hundreds of thousands of packets
• "Deep packet inspection"
Many organizations deploy IDS systems:
• Provide warnings to network administrator
  - administrator can then improve the network's security
  - vigorous investigation could lead to the attackers
There are host-based and network-based IDS systems. Focus here on network-based.
IDS sensors
[Figure: Internet ➜ firewall ➜ demilitarized zone (application gateway, Web server, FTP server, DNS server) ➜ internal network, with IDS sensors marked in the diagram.]
Underlying OS of a sensor needs to be hardened: stripped of unnecessary network services.
False Alarms
• False positive: normal traffic or benign action triggers alarm
  - Example: alarm fires when a wrong password is entered, but a benign user merely made a typo
• False negative: alarm is not fired during attack
Efficiency of IDS system
• Accuracy: low false positive and false negative rates
• Performance: the rate at which traffic and audit events are processed
  - To keep up with traffic, may not be able to put IDS at network entry point
  - Instead, place multiple IDSs downstream
• Fault tolerance: resistance to attacks
  - Should be run on a single hardened host that supports only intrusion detection services
• Timeliness: time elapsed between intrusion and detection
Signature-based IDS
Sniff traffic on network:
• border router or multiple sensors within a LAN
Match sniffed traffic with signatures:
• attack signatures in database
• signature: set of rules pertaining to a typical intrusion activity
• Simple example rule: any ICMP packet > 10,000 bytes
• Example: more than one thousand SYN packets to different ports on same host within a second
• skilled security engineers research known attacks; put them in database
• can configure IDS to exclude certain signatures; can modify signature parameters
Warn administrator when signature matches:
• send e-mail, SMS
• send message to network management system
Limitations of signature detection
• Requires previous knowledge of attack to generate accurate signature
  - Blind to unknown attacks
• Signature bases are getting larger
  - Every packet must be compared with each signature
  - IDS can get overwhelmed with processing; can miss packets
Anomaly Detection IDS
• Observe traffic during normal operation
• Create normal traffic profile
• Look for packet streams that are statistically unusual
  - e.g., inordinate percentage of ICMP packets, or exponential growth in port scans/sweeps
• Doesn't rely on having previous knowledge of attack
• Research topic in security
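The profile-then-deviate idea on this slide, as an added Python example (not from the original lecture): a baseline for the share of ICMP packets per time window with an alarm threshold k standard deviations above it, and a separate check for a source whose scan footprint keeps doubling from window to window. The packet tuple format, k=3 and the spread floor are assumptions chosen for the demonstration.

```python
import statistics

# A traffic window is a list of constructed packets: (proto, src, dst, dport).
def make_window(n_icmp, n_tcp, scan_src=None, scan_ports=()):
    """Constructed sample window: background ICMP and TCP, plus optional probes from scan_src."""
    pkts = [("icmp", "198.51.100.1", "193.152.1.2", 0)] * n_icmp
    pkts += [("tcp", "198.51.100.1", "193.152.1.2", 80)] * n_tcp
    return pkts + [("tcp", scan_src, "193.152.1.2", port) for port in scan_ports]

def icmp_share(window):
    """Fraction of packets in the window that are ICMP."""
    return sum(p[0] == "icmp" for p in window) / len(window) if window else 0.0

def build_profile(normal_windows):
    """Normal-traffic profile: mean and spread of the ICMP share over windows seen during normal operation."""
    shares = [icmp_share(w) for w in normal_windows]
    return statistics.mean(shares), statistics.pstdev(shares)

def unusual_icmp(profile, window, k=3.0, floor=0.01):
    """Flag a window whose ICMP share sits more than k deviations above the baseline.
    floor is an assumed minimum spread so that a perfectly flat baseline does not alarm on tiny noise."""
    mean, sd = profile
    return icmp_share(window) > mean + k * max(sd, floor)

def targets_per_source(window):
    """Distinct (dst, port) pairs each source touched in the window: the footprint of a scan or sweep."""
    seen = {}
    for _, src, dst, dport in window:
        seen.setdefault(src, set()).add((dst, dport))
    return {src: len(t) for src, t in seen.items()}

def growing_sweep(windows, src, factor=2.0, steps=3):
    """True if src's footprint grew by at least `factor` across each of the last `steps`
    window transitions: the exponential-growth pattern the slide mentions."""
    counts = [targets_per_source(w).get(src, 0) for w in windows[-(steps + 1):]]
    return len(counts) == steps + 1 and all(
        prev > 0 and cur >= factor * prev for prev, cur in zip(counts, counts[1:]))
```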
IDS evasion: "spy vs. spy"
• Attackers do not want to be detected by IDS
• Often attackers are intimately familiar with the popular IDS products and their weaknesses
• Idea: manipulate attack data
  - Active area of research in attack community
  - Example: port scan stretched out over long period of time, with different source IP addresses
• Most common approach: fragmentation
  - To detect malicious activity, IDS must capture, store, and analyze fragments
  - Many fragment streams spread out over long period of time ➜ IDS must have large buffers
  - Requires significant memory and processing power
IDS evasion: fragmentation
• Send a flood of fragments
  - Send so many fragments that IDS system saturates
  - Once saturated, IDS will not be able to detect a new attack
• Fragment packets in unexpected ways
  - Such that the IDS does not understand how to properly reassemble the attack packets
IDS evasion tool: FragRouter
[Figure: attack system (e.g. nmap) ➜ attack obfuscation (fragrouter) ➜ Internet ➜ IDS ➜ target]
• Runs on Unix/Linux systems
• Provides over 35 different schemes for fragmenting flow of data
• Separates attack functionality from the fragmentation functionality
Some fragmentation types in FragRouter
• Sends data in ordered 8-byte fragments
• Sends data in ordered 24-byte fragments
• Sends data in ordered 8-byte fragments with one fragment out of order
• Complete TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte fragments
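An added Python example for the two fragmentation slides above (not part of the original lecture and not FragRouter code), written from the IDS side: an IDS that inspects each fragment on its own loses a signature that straddles an 8-byte fragment boundary, whereas buffering the fragments and reassembling the datagram first finds it, which is the reason the slides give for large buffers and state. The payload, the fragment sizes and the reassembly policy (fragments must be contiguous; any gap or overlap is treated as a still-incomplete datagram) are assumptions for the demonstration.

```python
SIGNATURE = b"<SCRIPT>"  # the content the XSS rule on the later slides looks for

def scan_each_fragment(fragments, sig=SIGNATURE):
    """Per-packet matching: looks inside every fragment separately, with no state kept between them."""
    return any(sig in data for _, data in fragments)

def reassemble(fragments):
    """Buffer fragments (offset, data), order them, and return the datagram only once it is contiguous.
    Returns None while a gap remains (or on an overlap, whose policy is out of scope here), so the IDS
    has to keep the partial datagram in memory and wait."""
    buf, expected = bytearray(), 0
    for off, data in sorted(fragments):
        if off != expected:
            return None
        buf += data
        expected += len(data)
    return bytes(buf)

def scan_reassembled(fragments, sig=SIGNATURE):
    """Matching after reassembly: the only way to see a signature that was split across fragments."""
    datagram = reassemble(fragments)
    return datagram is not None and sig in datagram

def fragment(payload, size):
    """Constructed test input: split a payload into ordered fragments of `size` bytes (the slide's 8 or 24)."""
    return [(i, payload[i:i + size]) for i in range(0, len(payload), size)]
```

With 8-byte fragments the signature sits across two fragments and only the reassembled scan fires; with 24-byte fragments it falls inside one fragment and both scans fire.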
Snort
• Popular open source IDS
  - 200,000 installations
  - Good book: Intrusion Detection with Snort, by Jack Koziol
• Enhanced sniffer
  - Runs on Linux, Unix, Windows
  - Generic sniffing interface: libpcap
  - Can easily handle 100 Mbps of traffic
• Signatures
  - Written and released by Snort community within hours
  - Anyone can create
  - Largest collection of signatures for IDS
[Figure: typical setup. Firewall ➜ hub ➜ internal network, with the Snort sensor attached to the hub.]
Snort deployment
[Figure: two deployments. Left: firewall ➜ hub ➜ internal network, with the Snort sensor attached to the hub over a unidirectional sniffing cable. Right: firewall ➜ switch ➜ internal network, with the Snort sensor on the switch's SPAN port.]
Switch SPAN port:
• provides monitoring for net admin & security
• switch copies all traffic to SPAN port
• can select which switch ports get copied
• approach doesn't require introduction of a new hub
• no need for unidirectional cable
Distributing traffic to multiple sensors
• Large organizations often have Gbps backbone
• Snort with full rule set cannot handle all traffic
  - Packets can get dropped; attacks go undetected
• Solutions:
  - Put sensors on different 100 Mbps segments
  - Or, multiple sensors on backbone; each sensor processes different range of destination IP addresses
• Tempting to tune Snort by trimming rules
snort.conf
Example:
var HOME_NET 193.152.1.1/24
var EXTERNAL_NET !193.152.1.1/24
var HTTP_SERVERS 193.152.1.17
var HTTP_PORTS 80 8080
Snort rule examples
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8;)
• Rule generates alert for ICMP having empty payload, ICMP type 8, and arriving from the outside. This is part of an NMAP ping.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DOS SMBdie attack"; flags: A+; content:"|57724c6568004577a|";)
• Rule generates alert if a TCP packet from outside contains |57724c6568004577a| in payload and is headed to port 139 (NetBIOS) for some internal host. This is part of a buffer overflow attack on a computer running the Server Message Block service.
• Note: Snort's |...| notation takes pairs of hex digits; the 17-digit string as transcribed here would not load, so treat it as illustrative.
Snort rule examples (2)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+;)
• Rule generates alert for packet heading to Web server with .ida? in the URL of a GET message
• Buffer overflow attack that allows attacker to take over server.
Snort rule files
• chat.rules
• ddos.rules
• ftp.rules
• multimedia.rules
• p2p.rules
• porn.rules
• virus.rules
Snort Rule Writing
Example: Cross-site scripting (XSS):
• Web site allows scripts to be inserted into dynamically created Web page. Can wreak havoc.
• Look out for HTTP requests containing <SCRIPT>
• Might first try:
  alert tcp any any -> any any (content: "<SCRIPT>"; msg: "XSS attempt";)
  - triggers many false positives: e.g., e-mail message with JavaScript
• Then try:
  alert tcp $EX_NET any -> $HTTP_SRVS $HTTP_PRTS (content: "<SCRIPT>"; msg: "XSS attempt"; nocase;)
Snort Rule Syntax
• Rule is a single line
• Rule header: everything before the parentheses
• Rule options: what's inside the parentheses
Syntax for rule header:
rule_action protocol src_add_range src_prt_range dir_operator dest_add_range dest_prt_range
Example:
alert tcp 192.168.1/24 1:1024 -> 124.17.8.1 80
• rule actions: alert, log, drop
• protocol: tcp, udp, icmp
• direction: -> and <>
• src, dest port ranges:
Snort Rule Syntax (2)
Syntax for rule options:
• One or more option keywords, separated by semicolons
• Example: (msg: "XSS attempt"; content: "<SCRIPT>"; nocase;)
Content-related keyword examples:
• content: "smtp v2"; (ASCII)
• content: "|0f 65 a7 7b|"; (binary)
• uricontent: ".ida?";
• content-list: "inappropriate_content.txt";
• nocase;
• offset: 20; (start at byte 20 in payload)
• depth: 124; (stop at byte 124 in payload)
Snort Rule Syntax (3)
IP-related keyword examples:
• ttl: <5;
• id: 2345; (IP id field, used for fragments)
• fragoffset: 0;
• dsize: >500; (payload size)
• ip_proto: 7;
ICMP-related keyword examples:
• itype: 8;
• icode: 3;
Snort Rule Syntax (4)
TCP-related keyword examples:
• flags: A+; (ACK flag)
• flags: FUP; (FIN, Urgent, or Push flag)
  - + : alert if specified bit is discovered, in addition to at least one other
  - ! : alert if any of the specified bits is not set
• seq: 12345432;
• ack: 54321234;
Response examples:
• msg: "christmas tree attack";
• logto: "new_rule.log"; (logs the packet to this file when a match occurs)
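The rule grammar on these syntax slides (header, then options such as msg, content/uricontent, nocase, offset, depth, dsize, itype and flags), together with the snort.conf variables and the XSS rules from the earlier slides, can be exercised with a small matcher. This is an added Python example written for this page, not Snort's engine or the lecture's code; it assumes packets as dicts with proto, src, dst, sport, dport, flags, itype and payload fields, treats uricontent as a plain payload search, and reads offset and depth with the meaning the slide gives them.

```python
import ipaddress
# The snort.conf variables from the slide above (value lookup for $NAME in a rule header)
VARS = {"HOME_NET": "193.152.1.1/24", "EXTERNAL_NET": "!193.152.1.1/24",
        "HTTP_SERVERS": "193.152.1.17", "HTTP_PORTS": "80 8080"}

def net_match(spec, ip):
    spec = VARS[spec[1:]] if spec.startswith("$") else spec
    inside = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")  # a leading "!" negates the range

def port_match(spec, port):
    spec = VARS[spec[1:]] if spec.startswith("$") else spec
    for item in spec.split():  # "any", a list such as "80 8080", or a range such as "1:1024"
        lo, sep, hi = item.partition(":")
        if item == "any" or (int(lo or 0) <= port <= int(hi or 65535) if sep else port == int(lo)):
            return True
    return False

def content_bytes(val):  # Snort content: text outside |...|, hex bytes inside
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(val.split("|")))

def size_ok(spec, n):  # dsize forms used on the slides: "0", ">239", "<500"
    return n > int(spec[1:]) if spec[0] == ">" else n < int(spec[1:]) if spec[0] == "<" else n == int(spec)

def parse_rule(text):
    head, _, body = text.partition("(")  # header before "(", options inside the parentheses
    action, proto, src, sport, _, dst, dport = head.split()
    opts = {k: v.strip().strip('"') for k, _, v in
            (opt.strip().partition(":") for opt in body.rstrip(")").split(";")) if k}
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "opts": opts}

def matches(rule, pkt):
    o, payload = rule["opts"], pkt["payload"]
    needle = content_bytes(o.get("content", o.get("uricontent", "")))  # uricontent as a plain payload search (simplification)
    hay = payload[int(o.get("offset", 0)):(int(o["depth"]) if "depth" in o else None)]  # offset/depth as the slide reads them
    if "nocase" in o:
        needle, hay = needle.lower(), hay.lower()
    want, have = set(o.get("flags", "").rstrip("+")), set(pkt.get("flags", ""))
    checks = [
        rule["proto"] == pkt["proto"],
        net_match(rule["src"], pkt["src"]) and net_match(rule["dst"], pkt["dst"]),
        pkt["proto"] == "icmp" or (port_match(rule["sport"], pkt["sport"]) and port_match(rule["dport"], pkt["dport"])),
        "dsize" not in o or size_ok(o["dsize"], len(payload)),
        "itype" not in o or pkt.get("itype") == int(o["itype"]),
        "flags" not in o or (want <= have if o["flags"].endswith("+") else want == have),  # "A+": ACK plus any others
        needle in hay,  # b"" is found in any payload, so a rule without content passes this check
    ]
    return all(checks)

def alerts(rules, pkt):  # msg of every rule whose header and options both match the packet
    return [r["opts"].get("msg", "") for r in map(parse_rule, rules) if matches(r, pkt)]
```

Run against the XSS rules of the rule-writing slide, the first (any-to-any, case-sensitive) rule fires on an e-mail carrying <SCRIPT> and misses a lower-case <script> in an HTTP request, while the restricted rule with nocase does the opposite.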