Network Forensics
Mark Mellis & Phil Cox
Just checking...
An ounce of prevention is worth a pound of detection
Eluding IDS
Forensics and Response
Ethics, Policies, Legalities
Conclusions
Section Contents
General
IDS Models
IDS Data Sources
Types of IDS
Technical Caveats
What is an Intrusion?!
Difficult to define
What is IDS? (cont)
Objectives: Diagnosis
Objectives: Recommendation
IDS: Pros
Internal hacking
External hacking attempts
IDS: Cons
Privacy: a Problem
Privacy: a Problem (cont)
Attack Detection
Intrusion Detection
Attack Detection
[Diagram: Internet, router with some screening, firewall, DMZ network with the WWW server, internal network with desktops; the IDS sits on the DMZ network]
IDS detects (and counts) attacks against the Web Server and firewall
V 1.0 Copyright SystemExperts 2001,2002,2003
Attack Detection
Intrusion Detection
[Diagram: Internet, router with some screening, firewall, DMZ network with the WWW server, internal network with desktops, and the IDS]
Intrusion Detection
Ideally do both
Realistically, do ID first then AD
Section Contents
General
IDS Models
IDS Data Sources
Types of IDS
Technical Caveats
IDS Models
IDES
Audit
Inline
Hybrid (a mix of both)
IDES
IDES (cont)
[Diagram: IDES architecture: audit data feeds an audit database and long-term storage; statistical analysis and signature matching draw on a knowledge base; a response manager and an alert manager produce reports and alerts through a GUI]
Audit Data
open read/write
creation of IPC
bad login
add/remove user/group
process fork
create/remove file
password change
etc...
CIDF
CIDF (cont)
CIDF (cont)
[Diagram: CIDF components: IDS, correlation, incident database, bit bucket]
Host Based
Network Based
C2 audit logs
System logs
Application logs
Performance is a wild-card
Reassemble packets
Look at headers
Performance sensitive
Or not reassemble them at all
Basically IP centric
Hybrid IDS
Hybrid IDS (cont)
Hybrid IDS (cont)
What to keep
Everything
Types of IDS
Anomaly Detection
Goals:
Anomaly Detection (cont)
Anomaly Detection (cont)
IDES/NIDES
ftp://ftp.csl.sri.com/pub/nides/index1.html
GrIDS
Graph-based
Models network activity based on analysis of graph matching
Includes a policy language for translating organizational policies into analysis rulesets
http://seclab.cs.ucdavis.edu
Misuse Detection
Goals:
Misuse Detection (cont)
Easy to implement
State machine
Signatures
Storage
Report generator
Managers and agents
Easy to deploy
Up quickly
No need to get history
Easy to update
Easy to understand
Push signatures
Blinking Lights (cont)
Reactive by nature
Easier to fool
Misuse Detection (cont)
Misuse Detection (cont)
Things misuse detection looks for:*
IP Frag attack
Ping flooding
Source routing
Ping of death
ISS Scan check
SATAN scan check
Rwhod check
Rlogin decode
Rlogin -froot
TFTP get passwd check
IMAP buffer smash
SMTP WIZ check etc.
Misuse Detection (cont)
Burglar Alarms
Burglar Alarms (cont)
Goals:
Burglar Alarms (cont)
Burglar Alarms (cont)
Adding a userid
Zapping a log file
Making a program setuid root
Burglar Alarms (cont)
Reliable
Predictable
Easy to implement
Easy to understand
Generate next to no false positives
Can (sometimes) detect previously unknown attacks
Policy-directed
Honey Pots
swift-terminal.bigbank.com
www-transact.site.com
source-r-us.company.com
admincenter.noc.company.net
Honey Pots (cont)
Goals:
Honey Pots (cont)
tcpwrapper
Burglar alarm tools (see burglar alarms)
restricted/logging shells (sudo, adminshell)
C2 security features (ugh!)
Easy to implement
Easy to understand
Reliable
No performance cost
They aren't
Your Time
Entrapment issues: Ask your lawyer
Re-assembly
Re-ordering
Section Contents
VPN
Corporate network
E-Commerce site (n-tiered)
Other Issues
Firewalls
Switches
A Visual
[Diagram: VPN server and VPN client, each with a HIDS; IDS logs go to an IDS collector on the corporate network via syslog, with Perl or Python to get the others]
A Visual
[Diagram: corporate network: Internet, NIDS, supporting services, IDS collector, desktops, monitor station, critical servers]
A Visual
[Diagram: n-tiered e-commerce site: Internet, FW, web servers, app server, DB, supporting services, several NIDS (including a corporate NIDS), and IDS collectors]
Other Issues/Thoughts
[Diagram: hacked WWW server on the DMZ network; Internet, router with some screening, firewall, internal network with desktop]
Firewall trips an alert: why would the web server try to telnet in!?!?!
Section Contents
Integration = Sales
Data Sources
Analysis and Reporting
Long Term Storage
Data Sources
HIDS
NIDS
Firewall logs
Router logs
ACL matches
Reconfiguration events
Authentication events
Host OS logs
Application logs
lastcomm
lastlog
authentication events
audit records
Web server
Oracle or other database
LDAP server
RADIUS server
Normalizing events
Artificial Ignorance
Correlation tools
Counting/thresholding software
Artificial Ignorance
Logcheck
http://www.psionic.com/logcheck.html
Logsurfer
http://www.cert.dfn.de/eng/logsurf/home.html
Correlation tools
Easy to query
Transaction oriented
A Visual
[Diagram: log data from SNMP, SQL, NT, syslog and other sources feeds processing scripts, which produce reports]
http://cve.mitre.org
CVE Compatible
CVE-2000-0217
IDS: Performance
Building: Performance
Building: Performance (cont)
New algorithms
Change what you look for
Faster Hardware
Multiprocessing
Dividing up the data stream
flows
Load balancer
IDS in hardware
IDS Benchmarking
Very!
Lots of ways to get it wrong
Accidentally
Deliberately
[Diagram: an attack generator sends an attack stream over the test network to the target host, with a NIDS watching the test network]
What's Wrong?
[Diagram: attack generator and Smartbits load generator on test network #1, router with some screening, target host and NIDS on test network #2 where the attack stream arrives]
What's Wrong?
Skunking a Benchmark
[Diagram: Smartbits load generator and attack generator on the test network with three target hosts, each with Host-Net; the attack stream reaches one of them]
What's Wrong?
Skunking a Benchmark: #2
[Diagram: Smartbits load generator and attack generator on the test network with the target host; the NIDS has selective detection turned on]
What's Wrong?
[Diagram: recorded attack and normal traffic on hard disk, replayed packets dumped back onto the test network, NIDS watching]
What's Wrong?
Nothing:
Predictable baseline
Can verify traffic rate with simple math
Can scale load arbitrarily (use multiple machines, each with different capture data)
Traffic is real, including real data contents
NIDS cannot be configured to watch a specific machine (there are no targets)
Tools to Use
Choosing a System
What Matters?
Scalability
Organizational Issues
Support
What Differentiates?
Extensive Signatures
Security
Ease of Management
How to push out updates and configs
A method to evaluate
Category / Weight / IDS#2 / IDS#3 / IDS#4
Scalability: 50
Support: 40, 25
Extensive Signatures: 25
Security: 20, 15, 15
Ease of Administration: 10
Total Score: 1000, 745, 425, 650
Deal Breakers!
2 tier systems
No or weak encryption
Unacceptable evaluation in multiple categories
Issues to overcome
Issues
Obscured data
Packet fragmentation and reassembly
Sequence
Overlapping Fragments
IP Options in Fragment Streams
Data Synchronization
Abusing Reactive ID Systems
Types of Attacks
Insertion
Evasion
Proximity matters
$ stty erase R
$ rxRoxRotkit
$ stty erase ^?
Signal to Noise
Packet fragmenting
Obscuring Data
As an example,
www.nwi.net/~pchelp/obscure.htm
or
3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D
Nothing matters before the @
Double word representation of the dotted quad IP address
Hexadecimal number representation / individual characters interspersed
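The two URL forms above name the same page. The normalizer below is an added example, not the authors' code: it undoes each trick the slide lists so that an IDS signature or log search compares canonical URLs, dropping the userinfo before the @, turning the double-word host back into a dotted quad (and, as an extension the slide does not mention, the 0x hex host form), percent-decoding the path and collapsing /../ segments.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote, urlsplit, urlunsplit


def canonical_host(host: str) -> str:
    """Return a dotted quad for integer host forms; other hosts pass through lowercased.

    Handles the single "double word" integer from the slide (3466536962) and, as an
    extension, the 0x hex form. Dotted quads and DNS names are returned unchanged.
    """
    h = host.lower()
    value = None
    if re.fullmatch(r"[0-9]+", h):
        value = int(h, 10)
    elif re.fullmatch(r"0x[0-9a-f]+", h):
        value = int(h, 16)
    if value is None:
        return h
    if value > 0xFFFFFFFF:
        raise ValueError(f"integer host does not fit in IPv4: {host!r}")
    return str(ipaddress.IPv4Address(value))


def canonical_path(path: str) -> str:
    """Percent-decode once (%7e -> ~, %63 -> c, ...) and collapse . and .. segments."""
    decoded = unquote(path) or "/"
    normalized = posixpath.normpath(decoded)
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"  # normpath drops a trailing slash; keep it for directory URLs
    return normalized


def normalize_url(url: str) -> str:
    """Canonical form of an obscured URL, for comparison against signatures or allow-lists."""
    if "://" not in url:
        url = "http://" + url  # the slide's examples omit the scheme
    parts = urlsplit(url)
    # .hostname already discards the userinfo: "nothing matters before the @"
    host = canonical_host(parts.hostname or "")
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme.lower(), netloc, canonical_path(parts.path),
                       unquote(parts.query), ""))
```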
Whisker
URL encoding
directory insertion (/../)
premature URL ending
long URL
fake parameter
session splicing
NULL method
Fragrouter
MUTATE v1.1
Snot
Nmap
Timing
Decoy parameter
Forensics
Forensics: Tools
Tcpdump
Argus
NFR
Tcpwrapper
Sniffers
Nnstat
A line printer
Tripwire
Backups
The Coroner's Toolkit (TCT)
TCTUTILS
Autopsy
Incident Response Collection Report (IRCR)
TCTUTILS
Autopsy
File
Inode
Block
Block Search.
www.cerias.purdue.edu/homes/carrier/forensics/
Forensics: Response
Response
Response (cont)
Response (cont)
Forensics: Backtracking
Hidden Directories
...
(space)
normal (normal with space after it)
Finding Hacker-Prints
Use tripwire
Restore filesystems to a different disk and compare
all the files (slow and painful!)
nuke
rootkit
cloak
zap
icepick
toneloc
Law Enforcement
FBI:
Law Enforcement (cont)
Not worth it
Lookup contacts
212.247.0.0/16
SWIPNET
In case of improper use originating
from our network,
please mail customer or abuse@swip.net
AS1257
staff@swip.net
AS1257-MNT
ip@swip.net 19990202
per@swip.net 20001115
RIPE
Send a message
From: Philip Cox
Sent: Tuesday, May 15, 2001 7:10 AM
To: abuse@swip.net
Subject: Scans from 212.247.185.41
Dear Sirs,
Three of my systems were scanned for portmapper by the IP
address 212.247.185.41. These actions are not authorized.
Please have the user of this system stop scanning my
systems. The relevant portion of the logs is included.
They are all US PST:
May 15 02:37:55 212.247.185.41:111 -> 216.27.176.114:111 SYNFIN ******SF
May 15 02:37:55 212.247.185.41:111 -> 216.27.176.115:111 SYNFIN ******SF
May 15 02:37:55 212.247.185.41:111 -> 216.27.176.116:111 SYNFIN ******SF
Phil Cox
System Owner
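As an added example (not part of the original deck), the parser below reads log lines in the format quoted in the report above, groups them by source address, and flags a source as a sweep when it hit several hosts or sent SYN and FIN together; the sample lines are constructed, with the fourth a made-up ordinary connection attempt for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the report above; the last line is a
# made-up ordinary connection attempt from a private address, for contrast.
SAMPLE_LOG = """\
May 15 02:37:55 212.247.185.41:111 -> 216.27.176.114:111 SYNFIN ******SF
May 15 02:37:55 212.247.185.41:111 -> 216.27.176.115:111 SYNFIN ******SF
May 15 02:37:55 212.247.185.41:111 -> 216.27.176.116:111 SYNFIN ******SF
May 15 02:38:01 10.0.0.7:51234 -> 216.27.176.114:22 SYN ******S*
"""

# "<mon> <day> <hh:mm:ss> <src>:<sport> -> <dst>:<dport> <name> <8 flag chars>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<name>\S+) (?P<flags>\S{8})$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def summarize(log_text, min_targets=3):
    """Group events by source; a source is suspicious when it hit at least min_targets
    distinct hosts or sent SYN and FIN together ('S' and 'F' in the flag field), a
    combination no normal TCP handshake produces."""
    by_src = defaultdict(lambda: {"targets": set(), "ports": set(), "synfin": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in other formats rather than guessing
        e = by_src[rec["src"]]
        e["targets"].add(rec["dst"])
        e["ports"].add(rec["dport"])
        e["synfin"] = e["synfin"] or ("S" in rec["flags"] and "F" in rec["flags"])
    return {src: {"targets": sorted(e["targets"]), "ports": sorted(e["ports"]),
                  "synfin": e["synfin"],
                  "suspicious": e["synfin"] or len(e["targets"]) >= min_targets}
            for src, e in by_src.items()}
```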
Response
Hello,
The customer has been contacted and the compromised
server has been taken offline. Please let us know
if this continues or happens again.
Sincerely,
Niklas Odebo
Tele2 Abuse Dep.
============================
Best regards
Customer Security Dept.
Tele 2 AB
abuse@swip.net abuse@tele2.se
============================
Under Attack
Phone Companies
Backtracking
Legal Issues
Forensics: Practice
Technique
Tool used
Anything else
tool captured in the wild. As always:
http://project.honeynet.org/scans/
Section Contents
It Depends
An analogy can be made between capturing packets and recording phone conversations
Some jurisdictions are already going there
Make sure you know where you stand
Organizational Regulations
Governmental Regulations
Different applicability
Resources
Closing Thoughts
It is an ongoing process
A lot of blood, sweat, and tears OR
$$$ and some blood, sweat, and tears
The End
Resources
Books
Web Sites
Mailing lists
Books
Books
Books
URLs
http://www.cs.purdue.edu/people/spaf
http://www.clark.net/pub/mjr
http://www.lopht.com
http://www.digicrime.com
URLs
http://www.ticm.com/kb/faq/idsfaq.html
http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
Addresses
ids@uow.edu.au
Addresses
CERT
CIAC
Ciac@llnl.gov
cert@cert.org
Addresses
http://www.nfr.net/forum/firewall-wizards.html
http://www.nfr.net/firewall-wizards/
Mark Mellis
Consultant
Mark.Mellis@SystemExperts.com
626-852-8639 direct
626-852-8739 fax
978-440-9388 main
http://www.SystemExperts.com/
Philip Cox
Consultant
Phil.Cox@SystemExperts.com
530-887-9251 direct
530-887-9253 fax
978-440-9388 main
http://www.SystemExperts.com/
Chroot-a-nono
/* new! */
/* fd_rdir is the process's current root vnode; non-NULL means it is already chrooted */
if (fdp->fd_rdir != NULL)
        log(LOG_ERR, "WARNING! chroot when already chrooted!");
ls-o-matic
Shared-Library boobytrap
Nit-pick
File-change-o
File shrinkener
Terrify Suzy*
Fake Hacktools
Fake Holes
DumDum Users
Roto-Router
Then to microsoft.com
Then to whitehouse.gov
Then to playboy.com
etc.
Scan Slower
Set keepalive
Never send data
Phat Warez
Redirector
Socket Stuffer
Auditor Biter
Noset Executable