Transcript ids_sp07

CSCI 530 Lab
Intrusion Detection Systems
IDS

A collection of techniques and methodologies used to monitor suspicious activities at both the network and the host level
It is not a firewall: it inspects the content and intent of the network traffic
IDS

Additional level of security in the network
Firewalls will prevent attacks; an IDS is more like an alarm system
It will perform actions like alerting, logging, etc. upon detection
It can be configured to make changes in the firewall rules upon detection of attacks
Can help detect attacks that pass through the firewall
Protection from insiders
IDS

Deployed with multiple sensors at various locations on the network
Sensors report to a centralized management console
A sensor monitors traffic, matches it against the rule sets and raises alerts, logs it, or takes some other action
A rule set contains traffic signatures or rules for unwanted behavior
 Rules: check for thresholds, protocol, IP source and destination
 Signatures: traffic patterns associated with an attack
IDS
Hack I.T.: Security Through Penetration fig 19.2
Host Based IDS

Log Monitors
 Parse system event log files
 Example: the Apache access log file; check for "cgi-bin"
Integrity Checkers
 Check key system structures for changes: system files, registry keys
 Tripwire: file additions, deletions, flag modifications, access time, etc.
Network Based IDS

Signature Based
 Database of known signatures
 Similar to virus signatures, but it looks for attack signatures
Anomaly Based
 Form a baseline for a normal system
 Raise an alarm when the system is no longer functioning under normal conditions
Network Based IDS Deployment

It should have access to all the network data
Alert generation
Response policy
Environment adaptation
Hacking through the IDS

Fragmentation or packet splitting
 Throughput increases, consuming more resources and making the IDS less accurate
Spoofing
 Spoof the sequence number by sending random sequence numbers
 Causes the IDS to be desynchronized from the source and ignore the true packets
Denial-of-Service
 IDS software can only handle a limited amount of data
 Break the IDS, then attack the network
SNORT, Open source IDS
www.snort.org

Components of Snort
 Packet Decoder
 Preprocessor
 Detection Engine
 Logging and Alerting System
 Output Modules
[Figure: Snort packet flow. Internet -> Packet Decoder -> Preprocessor -> Detection Engine -> Logging and Alerting System -> Output Modules -> Output / Alert; Dropped Packets leave the pipeline]
Components of Snort

Packet Decoder
 It takes packets from different interfaces (Ethernet, PPP, SLIP) and prepares them for the other stages
Preprocessor
 Plugins that modify or set up data for the detection engine
 The cgi-bin example again: GET /cgi-bin/subdirectory/../phf
 It rearranges (normalizes) the data so the IDS can detect it
 Packet defragmentation
  If a packet is too large, it gets fragmented into smaller packets
  Must be reassembled prior to analysis
Components of Snort

Detection Engine
 Most important part of the engine
 Uses the detection rules
 Its processing time depends on:
  Speed of the machine
  Number of rules
  Load on the network
 The Detection Engine applies rules to different parts of the packet:
  Header (IP/TCP/Application)
  Packet payload
 Policy for matching of rules varies with versions
  In v2 all the rules are matched and the highest priority is recorded
Components of Snort

Logging and Alerting System
 Based upon the matched rule, the packet is logged and/or an alert is generated
 Logs go to /var/log/snort; use -l to change the location
Output Modules
 Change the destination of the generated output:
  Log in the logfile
  SNMP traps (Simple Network Management Protocol, notification to admin)
  Messages to syslog (network logger)
  Logging to a database
  XML generation for use in another program
  Send SMB messages (Server Message Block, protocol for sharing files on the network for Windows machines)
Snort Rules

A very bad rule (it fires on every IP packet):
alert ip any any -> any any (msg:"ip packet detected";)
alert : the action to be performed
ip : rule applies to all IP packets
any : rule applies to any source IP address
any : rule applies to any source port
-> : direction of packet
any : rule applies to any destination IP address
any : rule applies to any destination port
Rule Structure

A rule has two parts: the Rule Header and the Rule Options
Header fields: Action, Protocol, Source Address, Source Port, Direction, Destination Address, Destination Port

Header
 Actions
  pass, log, alert, activate, dynamic
 Protocols
  ip, icmp, tcp, udp, etc.
 Address
  Exclusion: ![192.168.1.0/24] any any…
 Port
Rule Structure

Options
 ack keyword (nmap scanning purposes)
 classtype (classification: name:description:priority)
 content keyword
  offset
  depth
  nocase
  dsize
  content-list
 logto
 ………
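As an added example (not from these slides or from Snort itself), the following Python emulates how the detection engine applies a rule header and a few options to one packet: it parses the slide's "very bad rule" and a constructed cgi-bin rule that uses the ![CIDR] exclusion and the content, offset, depth and nocase options, then matches both against a constructed packet. The simplified rule grammar, the packet dict and all sample addresses and payloads are assumptions for illustration.

```python
import ipaddress
import re

# Constructed samples: the slide's "very bad rule", and a rule using the header
# exclusion syntax plus the content/offset/depth/nocase options from the slides.
BAD_RULE = 'alert ip any any -> any any (msg:"ip packet detected";)'
CGI_RULE = ('alert tcp ![192.168.1.0/24] any -> 192.168.1.0/24 80 '
            '(msg:"cgi-bin access"; content:"CGI-BIN"; nocase; offset:4; depth:12;)')
PACKET = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.10",
          "dport": 80, "payload": b"GET /cgi-bin/phf HTTP/1.0\r\n"}  # constructed
HEADER = re.compile(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """Split a rule into header fields plus an options dict; bare keywords map to ''."""
    m = HEADER.match(text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for item in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = item.partition(":")
        options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "opts": options}

def addr_match(spec, ip):
    """'any', a CIDR block, or a negated exclusion such as ![192.168.1.0/24]."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!").strip("[]"), strict=False)
    inside = ipaddress.ip_address(ip) in net
    return not inside if spec.startswith("!") else inside

def port_match(spec, port):
    return spec == "any" or int(spec) == port

def content_match(opts, payload):
    """content, narrowed by offset/depth and made case-insensitive by nocase."""
    if "content" not in opts:
        return True
    needle, hay = opts["content"].encode(), payload
    if "nocase" in opts:
        needle, hay = needle.lower(), hay.lower()
    start = int(opts.get("offset", 0))
    end = start + int(opts["depth"]) if "depth" in opts else len(hay)
    return needle in hay[start:end]

def rule_fires(rule, pkt):
    """Emulate the detection engine: header fields first, then payload options."""
    r = parse_rule(rule)
    return (r["proto"] in ("ip", pkt["proto"])
            and addr_match(r["src"], pkt["src"]) and port_match(r["sport"], pkt["sport"])
            and addr_match(r["dst"], pkt["dst"]) and port_match(r["dport"], pkt["dport"])
            and content_match(r["opts"], pkt["payload"]))
```

Shrinking depth to 6 or dropping nocase makes the cgi-bin rule miss the same packet, which is the kind of tuning the options slide is about.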
This week's lab

EagleX
 Windows front-end for Snort
 Easier to deploy than Snort by itself
 There are many other front-ends for Snort, for Windows or Linux