
Intrusion Detection & Network Forensics
Mark Mellis & Phil Cox

Just checking...
- This is a top level bullet
  - This is the next level in
    - This would be level 3
      - This would be level 4
- Can you hear?
- Check 123 Check
- Is it too hot?
- Too cold?
V 1.0 Copyright SystemExperts 2001,2002,2003

An ounce of prevention is worth a pound of detection


What this Course is NOT
- A detailed list of commercial IDS products, their shortcomings, and configurations


Goals of the Tutorial
- The student recognizes the N major classes of IDS technology, and can correctly classify a new product
- The student understands the strengths and weaknesses of the N major classes of IDS
- The student knows what IDS technology can and cannot do
- Given a network drawing, the student can discuss different IDS deployment strategies for that network
- The student can do some unknown thing with network forensics
- Great evals

Where are we?
- High level theory
- Deployment examples
- Integrating Data Sources
- Benchmarks and Performance
- Choosing a System
- Eluding IDS
- Forensics and Response
- Ethics, Policies, Legalities
- Conclusions

Section Contents
- General
- IDS Models
- IDS Data Sources
- Types of IDS
- Technical Caveats


Why Talk about IDS?
- Emerging new technology
  - Very interesting
  - ...but...
  - About to be over-hyped
- Being informed is the best weapon in the security analyst's arsenal
  - It also helps keep vendors honest!


What is an Intrusion?!
- Difficult to define
  - Not everyone agrees
  - This is a big problem
- How about someone telnetting to your system?
  - And trying to log in as root?
- What about a ping sweep?
- What about them running an ISS scan?
- What about them trying phf on your web server?
  - What about succeeding with phf and logging in?


What is IDS?
- The ideal Intrusion Detection System will notify the system/network manager of a successful attack in progress:
  - With 100% accuracy
  - Promptly (in under a minute)
  - With complete diagnosis of the attack
  - With recommendations on how to block it
- Too bad it doesn't exist!! Or does it?


Objectives: 100% Accuracy, 0% False Positives
- A False Positive is when a system raises an incorrect alert
- 0% false positives is the goal
  - The "boy who cried wolf!" syndrome
  - It's easy to achieve this: simply detect nothing
- 0% false negatives is another goal: don't let an attack pass undetected


Objectives: Prompt Notification
- To be as accurate as possible the system may need to sit on information for a while until all the details come in
  - e.g.: Slow-scan attacks may not be detected for hours
  - This has important implications for how real-time IDS can be!
  - IDS should notify user as to detection lag


Objectives: Prompt Notification (cont)
- Notification channel must be protected
  - What if attacker is able to sever/block notification mechanism?
  - An IDS that uses E-mail to notify you is going to have problems notifying you that your E-mail server is under a denial of service attack!


Objectives: Diagnosis
- Ideally, an IDS will categorize/identify the attack
  - Few network managers have the time to know intimately how many network attacks are performed
- This is a difficult thing to do
  - Especially with things that look weird and don't match well-known attacks


Objectives: Recommendation
- The ultimate IDS would not only identify an attack, it would:
  - Assess the target's vulnerability
  - If the target is vulnerable it would notify the administrator
  - If the vulnerability has a known fix it would include directions for applying the fix
- This requires huge, detailed knowledge


IDS: Pros
- A reasonably effective IDS can identify
  - Internal hacking
  - External hacking attempts
- Allows the system administrator to quantify the level of attack the site is under
- May act as a backstop if a firewall or other security measures fail


IDS: Cons
- IDS don't typically act to prevent or block attacks
  - They don't replace firewalls, routers, etc.
- If the IDS detects trouble on your interior network what are you going to do?
  - By definition it is already too late


Privacy: a Problem
- Some governments/states mandate levels of privacy protection for employees or students
  - This may make it impossible to adequately gather data for the IDS
  - This may make it impossible to gather forensic data for analysis or prosecution


Privacy: a Problem (cont)
- Is it prying if it's done by a computer?
  - What if a human never sees it?
  - What if the information is never acted upon?
- At what point is privacy violated?
  - Looking at packet headers?
  - Looking at packet contents?
  - Looking at /var/mail/user?


Paradigms for Deploying IDS
- Attack Detection
- Intrusion Detection


Attack Detection
[Diagram: Internet -> Router w/some screening -> Firewall; DMZ Network with WWW Server; Internal Network with Desktop; the IDS sits outside the firewall]
- IDS detects (and counts) attacks against the Web Server and firewall

Attack Detection
- Placing an IDS outside of the security perimeter records attack level
  - Presumably if the perimeter is well designed the attacks should not affect it!
  - Still useful information for management ("we have been attacked 3,201 times this month")
  - Prediction: AD will generate a lot of noise and be ignored quickly


Intrusion Detection
[Diagram: Internet -> Router w/some screening -> Firewall; DMZ Network with WWW Server; Internal Network with Desktop; the IDS sits on the Internal Network, inside the firewall]
- IDS detects hacking activity WITHIN the protected network, incoming or outgoing

Intrusion Detection
- Placing an IDS within the perimeter will detect instances of clearly improper behavior
  - Hacks via backdoors
  - Hacks from staff against other sites
  - Hacks that got through the firewall
- When the IDS alarm goes off, it's a red alert


Attack vs. Intrusion Detection
- Ideally do both
- Realistically, do ID first then AD
  - Or, deploy AD to justify security effort to management, then deploy ID (more of a political problem than a technical one)
- The real question here is one of staffing costs to deal with alerts generated by AD systems



IDS Models
- IDES
- Audit
- Inline
- Hybrid (a mix of both)


IDES
- Dorothy Denning (1986) publishes "An Intrusion Detection Model" which defines much IDS thinking
- Defines components of an IDS in terms of:
  - Subjects - initiators of activity
  - Objects - targets of activity
  - Profiles - characterization of how subjects operate on objects (may be statistical models or pattern matching)


IDES (cont)
  - Audit Records - trace information about the occurrence of events in time
  - Anomaly Records - trace information about the occurrence of unusual events in time, often generated by the IDS or applications
  - Alarms - information that the system brings to the security administrator's attention
- Systems evolved from IDES: DIDS, Stalker, Emerald


Block Diagram: Generic IDS
[Block diagram with these components: Host System or Network Sniffer, Pre-Processing, Statistical analysis, Signature matching, Knowledge base, Long term storage, Alert manager, Response manager, GUI]

Audit Based IDS
- Audit based IDS post-process audit trail (and other) information
  - Activity is first logged then post-processed
  - Batch oriented approach allows for virtually infinite correlation if enough data is present
[Diagram: Kernel and applications -> Audit Database -> IDS correlation -> reports, alerts]


Audit Data
- Determining what is a good audit probe point (where to record something) is a difficult problem
- Orange book includes 23 probe points within UNIX kernel and applications
  - open read/write
  - creation of IPC
  - bad login
  - add/remove user/group
  - process fork
  - create/remove file
  - password change
  - etc...

Networked Auditable Events
- Users logging in at unusual hours*
- Unexplained reboots
- Unexplained time changes
- Unusual error messages
- Failed login attempts
- Users logging in from unfamiliar sites*
* (implies that per-user history is kept)



CIDF
- ARPA sponsored effort to achieve Common Intrusion Detection Framework
  - Architectural conventions for IDS modules
  - Messaging specification for audit data and its transmission
  - Information on CIDF on the web: http://www.seclab.ucdavis.edu/cidf/spec/cidf.txt


CIDF (cont)
- Conceptual components are modules
  - Event generators - collect or generate data
  - Analysis engines - processing and correlation
  - Storage mechanisms - archival and short term storage, including logs and audit records
  - Response components - outputs


CIDF (cont)
- Will CIDF work?
  - Pro: It's a generalization of most IDS; all the pieces are there
  - Con: Will IDS vendors see any value in an interoperable, modular solution?
  - Can it be made to work at all?


Inline IDS (a.k.a. Real-Time)
- Inline IDS process audit data as it is generated
  - Typically discard audit data that it does not recognize as significant
  - Amount of correlation tends to be limited
[Diagram: Kernel and applications -> IDS correlation -> Incident database, reports, alerts; unrecognized data goes to the Bit bucket]


Audit vs. Inline
- Inline is faster but only provides a local view unless a lot of data is forwarded in realtime to a central location
- Audit is deeper but requires keeping lots of data
- Hybrid systems exploit both: inline detection of significant events, forwarded to an audit station
  - You really need both



IDS Data Sources
- Host Based
- Network Based


Host Based IDS
- Collect data usually from within the operating system
  - C2 audit logs
  - System logs
  - Application logs
- More of an Audit approach
- Data collected in very compact form
  - But application / system specific


Host Based: Pro
- Quality of information is very high
  - Software can tune what information it needs (e.g.: C2 logs are configurable)
  - Kernel logs know who user is
- Density of information is very high
  - Often logs contain pre-processed information (e.g.: "badsu" in syslog)
  - Ability to contextualize the event is unparalleled


Host Based: Con
- Capture is often highly system specific
  - Usually only 1, 2 or 3 platforms are supported (you can detect intrusions on any platform you like as long as it's Solaris or NT!)
  - Information needs to be normalized before it is taken off the system
- Performance is a wild-card
  - To unload computation from the host, logs are usually sent to an external processor system
    - See above bullet #2


Host Based: Con (cont)
- Hosts are often the target of attack
  - If they are compromised their logs may be subverted
  - Data sent to the IDS may be corrupted
  - If the IDS runs on the host itself it may be subverted
  - Denial of Service kills 2 birds with one stone


Network Based IDS
- Collect data from the network or a hub / switch
- Try to determine what is happening from the contents of the network traffic
  - Reassemble packets
  - Look at headers
  - User identities, etc. inferred from actions
- Need to worry about performance
  - Must be able to look at all traffic
  - More performance sensitive than host based

Network Based: Pro
- No performance impact on the system running the IDS
  - A Ping-O-Death against another host will not affect the IDS
- More tamper resistant
- No management impact on platforms
  - Just need to manage one system, not many like host based


Network Based: Pro (cont)
- Works across O/S
- Can derive information that host based logs might not provide
  - Packet fragmenting, port scanning, etc.


Network Based: Con
- May lose packets on flooded networks
  - Performance sensitive
- May improperly reassemble packets
  - Or not reassemble them at all
- May not understand O/S specific application protocols (e.g.: SMB/NetBIOS)
  - This is one place Host based shines


Network Based: Con (cont)
- May not understand obsolete network protocols
  - Basically IP centric
- Does not handle encrypted data
  - How do you check something you can't read?


Hybrid IDS
- The current crop of commercial IDS are mostly hybrids
  - Misuse detection (signatures or simple patterns)
  - Expert logic (network-based inference of common attacks)
  - Statistical anomaly detection (values that are out of bounds)


Properties of: Per-Host Network IDS
- Network IDS shim layer inserted into network stack on each host
- Issues
  - Properties of network IDS
  - But
    - Traffic processed per-host only
    - Does not have same performance sensitivity as NIDS
    - Local only view of traffic (but no drops)


Properties of: Firewall IDS
- Place network IDS capability in a firewall or bridge type device
- Issues
  - No packet loss issues
  - May slow down the network


Hybrid IDS (cont)
- At present, the hybrids' main strength appears to be the misuse detection capability
  - Statistical anomaly detection is useful more as backfill information in the case of something going wrong
  - Too many false positives - many sites turn anomaly detection off


Hybrid IDS (cont)
- The ultimate hybrid IDS would incorporate logic from vulnerability scanners*
  - Build maps of existing vulnerabilities into its logic of where to watch for attacks
- Backfeed statistical information into misuse detection via a user interface
* Presumably, a clueful network admin would just fix the vulnerability

What to keep
- Everything
  - This is where we start the process


What to throw away
- Things that you know aren't interesting
- Consider keeping counts of the number of uninteresting events that occur
  - The number of times an uninteresting event occurs may be interesting
  - Event frequency of uninteresting events may be interesting!
  - See Appendix (artificial ignorance)
- Build a stop list and forward all remaining output to a human intelligence



Types of IDS
- Anomaly Detection - the AI approach
- Misuse Detection - simple and easy
- Burglar Alarms - policy based detection
- Honey Pots - lure the hackers in
- Hybrids - a bit of this and that


Anomaly Detection
- Goals:
  - Analyze the network or system and infer what is normal
  - Apply statistical or heuristic measures to subsequent events and determine if they match the model/statistic of normal
  - If events are outside of a probability window of normal generate an alert (tunable control of false positives)


Anomaly Detection (cont)
- Typical anomaly detection approaches:
  - Neural networks - probability-based pattern recognition
  - Statistical analysis - modeling behavior of users and looking for deviations from the norm
  - State change analysis - modeling the system's state and looking for deviations from the norm
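The statistical approach above, worked through for the two starred events on the "Networked Auditable Events" slide (unusual hours, unfamiliar sites). This is an added example, not code from the deck or from IDES/NIDES: each user gets a profile in Denning's sense (a histogram of login hours plus the set of sites seen), and the "probability window" is an explicit threshold, so you can see how widening or narrowing it trades false positives against misses. Users, sites and login history are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class Profile:
    """Per-subject history: what the IDES model calls a profile."""
    hours: Counter = field(default_factory=Counter)  # hour of day -> logins seen
    sites: set = field(default_factory=set)          # source hosts seen
    total: int = 0


class LoginProfiler:
    def __init__(self, min_history=20):
        self.profiles = defaultdict(Profile)
        self.min_history = min_history  # too little history -> no judgement

    def train(self, user, hour, site):
        """Feed one historical login (the 'infer what is normal' step)."""
        p = self.profiles[user]
        p.hours[hour] += 1
        p.sites.add(site)
        p.total += 1

    def hour_probability(self, user, hour):
        """Laplace-smoothed estimate of P(login at this hour | user)."""
        p = self.profiles[user]
        return (p.hours[hour] + 1) / (p.total + 24)

    def score(self, user, hour, site, window=0.02):
        """Return the anomaly reasons for a new login ([] means normal).

        window is the probability threshold: a login at an hour whose
        estimated probability is below it is flagged.  Lowering the window
        means fewer alerts (and more misses); raising it means the opposite.
        """
        p = self.profiles[user]
        if p.total < self.min_history:
            return ["insufficient history"]
        reasons = []
        if self.hour_probability(user, hour) < window:
            reasons.append("unusual hour")
        if site not in p.sites:
            reasons.append("unfamiliar site")
        return reasons


def build_sample_profiler():
    """Constructed history: alice logs in during office hours from her desk
    (40 logins), bob has only a handful of records."""
    prof = LoginProfiler()
    for hour in range(8, 18):           # 08:00 .. 17:00
        for _ in range(4):
            prof.train("alice", hour, "desk-12.corp.example")
    for _ in range(5):
        prof.train("bob", 9, "desk-40.corp.example")
    return prof


if __name__ == "__main__":
    prof = build_sample_profiler()
    # alice at 03:00 from a never-seen host: P(hour) = 1/64 < 0.02
    print(prof.score("alice", 3, "dialup.example"))          # ['unusual hour', 'unfamiliar site']
    print(prof.score("alice", 10, "desk-12.corp.example"))   # []
    # narrower window: the same 03:00 login from her desk is tolerated
    print(prof.score("alice", 3, "desk-12.corp.example", window=0.01))  # []
    print(prof.score("bob", 3, "desk-40.corp.example"))      # ['insufficient history']
```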


Anomaly Detection: Pro
- If it works it could conceivably catch any possible attack
- If it works it could conceivably catch attacks that we haven't seen before
  - Or close variants to previously-known attacks
- Best of all it won't require constantly keeping up on hacking technique


Anomaly Detection: Con
- Current implementations don't work very well
  - Too many false positives/negatives
- Cannot categorize attacks very well
  - "Something looks abnormal"
  - Requires expertise to figure out what triggered the alert
  - Ex: Neural nets can't say why they trigger


Anomaly Detection: Examples
- Most of the research is in anomaly detection
  - Because it's a harder problem
  - Because it's a more interesting problem
- There are many examples, these are just a few
  - Most are at the proof of concept stage


Anomaly Detection (cont)
- IDES/NIDES
  - Real-time IDS using statistical anomaly detection combined with rule-based misuse detection
  - Relies on the system's audit records for input
  - Rule base is limited
  - ftp://ftp.csl.sri.com/pub/nides/index1.html
- GrIDS
  - Graph-based
  - Models network activity based on analysis of graph matching
  - Includes a policy language for translating organizational policies into analysis rulesets
  - http://seclab.cs.ucdavis.edu


Misuse Detection
- Goals:
  - Know what constitutes an attack
  - Detect it


Misuse Detection (cont)
- Typical misuse detection approaches:
  - Network grep - look for strings in network connections which might indicate an attack in progress
  - Pattern matching - encode series of states that are passed through during the course of an attack
    - e.g.: change ownership of /etc/passwd -> open /etc/passwd for write -> alert
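The pattern-matching approach, with the slide's chown-then-open-for-write sequence encoded as an ordered series of states. This is an added example, not the deck's code or any product's: the detector walks each subject through the signature separately (so two different users each doing one half of the sequence do not trigger it) and forgets a partial match that stalls past a time window. The audit records and the action vocabulary are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    ts: float       # seconds on a common clock; ordering matters
    subject: str    # who: user or process
    action: str     # what: chown, open_read, open_write, ...
    obj: str        # on what: a path here, could be a socket or account


@dataclass(frozen=True)
class Signature:
    name: str
    steps: tuple    # ordered (action, obj) pairs the attack passes through
    window: float   # seconds allowed between the first and last step


class MisuseDetector:
    def __init__(self, signatures):
        self.signatures = list(signatures)
        # (signature name, subject) -> (index of next step, ts of first step)
        self.progress = {}

    def feed(self, rec):
        """Consume one audit record; return the alerts it completes."""
        alerts = []
        for sig in self.signatures:
            key = (sig.name, rec.subject)
            idx, started = self.progress.get(key, (0, None))
            if started is not None and rec.ts - started > sig.window:
                idx, started = 0, None      # partial match went stale: forget it
            if (rec.action, rec.obj) == sig.steps[idx]:
                idx += 1
                if started is None:
                    started = rec.ts
                if idx == len(sig.steps):
                    alerts.append(f"{sig.name}: {rec.subject} at t={rec.ts}")
                    idx, started = 0, None
            self.progress[key] = (idx, started)
        return alerts


# The slide's example as states: chown /etc/passwd, then open it for write.
PASSWD_TAMPER = Signature(
    name="passwd-tamper",
    steps=(("chown", "/etc/passwd"), ("open_write", "/etc/passwd")),
    window=300.0,
)


def run_sample():
    """Constructed audit trail: one full sequence, one split across two
    subjects, one that stalls beyond the window."""
    det = MisuseDetector([PASSWD_TAMPER])
    records = [
        AuditRecord(100.0, "www", "open_read", "/etc/passwd"),    # reads are normal
        AuditRecord(101.0, "www", "chown", "/etc/passwd"),        # step 1 for www
        AuditRecord(102.0, "mary", "open_write", "/etc/passwd"),  # step 2, wrong subject
        AuditRecord(103.5, "www", "open_write", "/etc/passwd"),   # step 2 for www: alert
        AuditRecord(900.0, "bob", "chown", "/etc/passwd"),        # step 1 for bob
        AuditRecord(1500.0, "bob", "open_write", "/etc/passwd"),  # 600 s later: stale
    ]
    alerts = []
    for rec in records:
        alerts.extend(det.feed(rec))
    return alerts


if __name__ == "__main__":
    print(run_sample())   # ['passwd-tamper: www at t=103.5']
```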


Misuse Detection: Pro
- Easy to implement
  - State machine
  - Signatures
  - Storage
  - Report generator
  - Managers and agents
- Easy to deploy
  - Up quickly
  - No need to get History


Misuse Detection: Pro (cont)
- Easy to update
  - Push signatures
- Easy to understand
  - Blinking Lights
- Low false positives
- Fast


Misuse Detection: Con (cont)
- Cannot detect something previously unknown
- Constantly needs to be updated with new rules
  - Reactive by nature
  - Always behind the curve
- Easier to fool
  - E.g., URL encoding


Misuse Detection (cont)
- A number of commercial misuse detection products are on the market
  - ISS RealSecure/Black ICE
  - Axent/Symantec Intruder Alert
  - Cisco NetRanger
  - NFR Network Flight Recorder
- Deployment model is to feed rulesets to customer as subscription service


Misuse Detection (cont)
- Things misuse detection looks for:*
  - IP Frag attack
  - Ping flooding
  - Source routing
  - Ping of death
  - ISS Scan check
  - SATAN scan check
  - Rwhod check
  - Rlogin decode
  - Rlogin -froot
  - TFTP get passwd check
  - IMAP buffer smash
  - SMTP WIZ check, etc.
* (From ISS RealSecure)



Misuse Detection (cont)
- Misuse detection systems are similar to virus scanning systems:
  - Both rely on me﻿ta-rules of vulnerabilities
  - Both need frequent rules updates
  - Both are easily fooled by slight mutations in virus/attack signature
  - Both are fairly low in generating false positives
- Moving to dumber systems with broader knowledge bases


Burglar Alarms
- A burglar alarm is a misuse detection system that is carefully targeted
  - You may not care about people port-scanning your firewall from the outside
  - You may care profoundly about people port-scanning your mainframe from the inside
  - Set up a misuse detector to watch for misuses violating site policy
- Booby-traps are an option with this as well
  - Put sensors where likely intrusion may occur


Burglar Alarms (cont)
- Goals:
  - Based on site policy, alert administrator to policy violations
  - Detect events that may not be security events which may indicate a policy violation
    - New routers: New MAC address providing routing?
    - New subnets: Ones that you haven't seen?
    - New web servers: Port 80?


Burglar Alarms (cont)
- Trivial burglar alarms can be built with tcpdump and perl
- Netlog and NFR are useful event recorders which may be used to trigger alarms
  - http://www.nswc.navy.mil/ISSEC/Docs/loggingproject.html
  - ftp://coast.cs.purdue.edu/pub/tools/unix/netlog/
  - http://www.nfr.net/download
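A trivial burglar alarm of the kind the slide describes, written as an added Python example (standing in for the perl half of "tcpdump and perl"; it is not the deck's code or NFR's). The policy is the site knowledge from the previous slide: which subnets exist, which hosts may answer on port 80, which host is the mainframe that nobody inside should be probing, and which DMZ web server must never open connections inward. The tcpdump lines, addresses and thresholds are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# One tcpdump text line for a TCP segment ("Flags [S]" syntax); other lines are ignored.
TCP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


class BurglarAlarm:
    def __init__(self, site_nets, internal_nets, web_servers, mainframe,
                 dmz_web, scan_threshold=5):
        self.site_nets = [ipaddress.ip_network(n) for n in site_nets]
        self.internal_nets = [ipaddress.ip_network(n) for n in internal_nets]
        self.web_servers = set(web_servers)   # hosts allowed to answer on :80
        self.mainframe = mainframe            # nobody inside should probe it
        self.dmz_web = dmz_web                # must never call inward
        self.scan_threshold = scan_threshold  # distinct ports before it is a scan
        self.mainframe_ports = defaultdict(set)  # src -> ports tried on mainframe
        self.reported_scanners = set()

    def check(self, line):
        """Return the policy violations visible in one tcpdump line."""
        m = TCP_LINE.match(line)
        if not m:
            return []
        src, dst = m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        flags = m["flags"]
        syn = flags == "S"                      # connection attempt
        synack = "S" in flags and "." in flags  # something accepted a connection
        alerts = []
        # New subnets: private addresses this site never assigned
        for ip in (src, dst):
            if in_nets(ip, RFC1918) and not in_nets(ip, self.site_nets):
                alerts.append(f"new subnet: {ip}")
        # New web servers: a SYN/ACK from port 80 on a host not on the list
        if synack and sport == 80 and src not in self.web_servers:
            alerts.append(f"new web server: {src}")
        # The DMZ web server should never open connections into the inside
        if syn and src == self.dmz_web and in_nets(dst, self.internal_nets):
            alerts.append(f"DMZ web server {src} connecting inward to {dst}:{dport}")
        # An inside host probing many ports on the mainframe
        if syn and dst == self.mainframe:
            ports = self.mainframe_ports[src]
            ports.add(dport)
            if len(ports) >= self.scan_threshold and src not in self.reported_scanners:
                self.reported_scanners.add(src)
                alerts.append(f"port scan of mainframe from {src}")
        return alerts


SAMPLE = """\
12:00:01.000001 IP 10.1.1.5.33000 > 10.1.1.9.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000200 IP 10.1.1.9.80 > 10.1.1.5.33000: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:02.000000 IP 10.2.0.10.40000 > 10.1.1.50.23: Flags [S], seq 1, win 65535, length 0
12:00:03.000000 IP 10.1.1.77.50001 > 10.1.1.20.21: Flags [S], seq 1, win 65535, length 0
12:00:03.000100 IP 10.1.1.77.50002 > 10.1.1.20.22: Flags [S], seq 1, win 65535, length 0
12:00:03.000200 IP 10.1.1.77.50003 > 10.1.1.20.23: Flags [S], seq 1, win 65535, length 0
12:00:03.000300 IP 10.1.1.77.50004 > 10.1.1.20.25: Flags [S], seq 1, win 65535, length 0
12:00:03.000400 IP 10.1.1.77.50005 > 10.1.1.20.110: Flags [S], seq 1, win 65535, length 0
12:00:04.000000 IP 10.9.9.9.1234 > 10.1.1.50.139: Flags [S], seq 1, win 65535, length 0
12:00:05.000000 IP 203.0.113.7.443 > 10.1.1.5.40000: Flags [S.], seq 1, ack 1, win 65535, length 0
12:00:06.000000 ARP, Request who-has 10.1.1.1 tell 10.1.1.5, length 28
""".splitlines()   # constructed tcpdump output


def run_sample():
    alarm = BurglarAlarm(
        site_nets=["10.1.0.0/16", "10.2.0.0/24"],   # inside + DMZ
        internal_nets=["10.1.0.0/16"],
        web_servers={"10.2.0.10"},
        mainframe="10.1.1.20",
        dmz_web="10.2.0.10",
    )
    alerts = []
    for line in SAMPLE:
        alerts.extend(alarm.check(line))
    return alerts


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```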


Burglar Alarms (cont)
- The ideal burglar alarm will be situated so that it fires when an attacker performs an action that they normally would try once they have successfully broken in
  - Adding a userid
  - Zapping a log file
  - Making a program setuid root


Burglar Alarms (cont)
- Burglar alarms are a big win for the network manager:
  - Leverage local knowledge of the local network layout
  - Leverage knowledge of commonly used hacker tricks
- Are site/architecture dependent
  - You have to make the alarms specific to what you see as a threat at your site


Burglar Alarms: Pro
- Reliable
- Predictable
- Easy to implement
- Easy to understand
- Generate next to no false positives
- Can (sometimes) detect previously unknown attacks


Burglar Alarms: Con
- Policy-directed
  - Requires knowledge about your network
  - Requires a certain amount of stability within your network
    - If not, you will be getting a lot of them
- Requires care not to trigger them yourself


Honey Pots
- A honey pot is a system that is deliberately named and configured so as to invite attack
  - swift-terminal.bigbank.com
  - www-transact.site.com
  - source-r-us.company.com
  - admincenter.noc.company.net


Honey Pots (cont)
- Goals:
  - Make it look inviting
  - Make it look weak and easy to crack
    - Microsoft IIS 4.0
  - Instrument every piece of the system
  - Monitor all traffic going in or out
  - Alert administrator whenever someone accesses the system


Honey Pots (cont)
- Trivial honey pots can be built using tools like:
  - tcpwrapper
  - Burglar alarm tools (see burglar alarms)
  - restricted/logging shells (sudo, adminshell)
  - C2 security features (ugh!)
- See Cheswick's paper "An evening with Berferd" for examples
- http://project.honeynet.org

Honey Pots: Pro
- Easy to implement
  - Do you make them equal in security to your regular systems? Or lower?
- Easy to understand
- Reliable
- No performance cost


Honey Pots: Con
- Assumes the hackers you really care about are really stupid
  - They aren't
- Your Time
- Entrapment issues: Ask your lawyer



Other IDS Issues
- Other things affecting speed and detection ability
  - TCP fragment re-assembly
  - TCP packet re-ordering
  - TCP state/sequence tracking
    - FIN, ACK, SYN, SYN/ACK, RST
  - Analyzing only selected sessions
- Need to understand deliberate avoidance


Fragment Re-assembly and Re-ordering
- Re-assembly
  - Takes significant CPU time as well as memory to buffer packets
- Re-ordering
  - Takes significant CPU time as well as memory to buffer packets
  - IDS can be impacted by unintentional or deliberate packet drops since it tries to buffer out-of-sequence packets
  - How does IDS handle re-ordering?
    - Does it just flag out-of-sequence packets or does it ???
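The buffer-or-flag question above, made concrete as an added Python illustration (not the deck's code and not modelled on any product): one direction of one TCP session, where out-of-sequence segments are held up to a per-session memory cap, retransmissions are recognised, and the sensor records what it had to give up when the cap is hit or a gap never fills. Sequence numbers, payloads and the 64-byte cap are constructed and deliberately tiny.

```python
from dataclasses import dataclass, field


@dataclass
class Reassembler:
    """One TCP direction of one session, as a sensor would track it."""
    next_seq: int                  # sequence number of the next byte expected
    max_buffered: int = 64         # memory cap for held segments (tiny for the demo)
    pending: dict = field(default_factory=dict)  # seq -> payload held out of order
    delivered: bytes = b""         # in-order stream handed to the analyzer
    events: list = field(default_factory=list)   # what the sensor should report

    def buffered(self):
        return sum(len(p) for p in self.pending.values())

    def segment(self, seq, payload):
        """Feed one segment in arrival order."""
        end = seq + len(payload)
        if end <= self.next_seq:
            self.events.append(f"retransmit/old seq={seq}")
            return
        if seq > self.next_seq:
            # Out of sequence.  Holding it costs memory; the cap decides whether
            # the sensor buffers it or merely flags and drops it.
            if self.buffered() + len(payload) > self.max_buffered:
                self.events.append(f"buffer full, dropped seq={seq} len={len(payload)}")
            else:
                self.events.append(f"out-of-sequence seq={seq} held")
                self.pending[seq] = payload
            return
        # seq <= next_seq < end: deliver the part not yet seen, then drain
        self._deliver(payload[self.next_seq - seq:])
        self._drain()

    def _deliver(self, data):
        self.delivered += data
        self.next_seq += len(data)

    def _drain(self):
        """Release held segments that are now contiguous with the stream."""
        while self.pending:
            seq = min(self.pending)
            if seq > self.next_seq:
                break               # still a hole in front of the held data
            data = self.pending.pop(seq)
            self._deliver(data[self.next_seq - seq:])

    def flush(self):
        """End of session: whatever is still held is a gap that never filled."""
        if self.pending:
            self.events.append(f"session ended with {self.buffered()} bytes unfilled gap")
        return self.delivered


def run_sample():
    r = Reassembler(next_seq=1000, max_buffered=64)
    r.segment(1000, b"GET /")              # in order
    r.segment(1015, b" HTTP/1.0\r\n")      # arrives early: held (11 bytes)
    r.segment(1005, b"index.html")         # fills the hole; held segment drains
    r.segment(1000, b"GET /")              # retransmission of old data
    r.segment(2000, b"x" * 60)             # far ahead: held (60 of 64 bytes used)
    r.segment(2060, b"y" * 10)             # would exceed the cap: dropped, flagged
    r.flush()
    return r


if __name__ == "__main__":
    r = run_sample()
    print(r.delivered)          # b'GET /index.html HTTP/1.0\r\n'
    for e in r.events:
        print(e)
```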


TCP State Tracking & Session Analyzing
- TCP State Tracking
  - Have to have large tables to maintain all TCP session state data
  - How many states can you handle?
  - Are you sure you have the right context?
    - FIN, ACK, SYN, SYN/ACK, RST
- Analyzing Selected Sessions
  - Have to have the ability to select the sessions
  - This has similar problems to the TCP state tracking



Section Contents
- VPN
- Corporate network
- E-Commerce site (n-tiered)
- Other Issues
  - Firewalls
  - Switches


IDS and VPNs
- VPN (Virtual Private Networks) encrypt traffic
- Host based IDS is probably best
  - Network-oriented IDS cannot (presumably!) monitor/analyze it correctly
    - Actually: no - when a VPN fails to sync because the attacker has an invalid key, the IDS can pull the sync failure from the stream
- Many VPN packages provide good logging
  - A sync failure may mean an attack attempt


A Visual
[Diagram: VPN Server (with HIDS) and VPN Client (with HIDS) both sending IDS Logs to an IDS Collector]


Corporate network
- Utilize all forms of log sources
  - HIDS on critical systems
  - NIDS for each network
  - Native system logs
    - Syslog
    - Perl or Python to get others
- Need to integrate some end node info
  - Application logs and specific IDS modules
  - Where do your Virus scanners log?
- Log to a central server
  - Netcool, from MicroMUSE
  - PrivateI from www.opensystems.com
  - ManHunt from Recourse Technologies, for example

A Visual
[Diagram: Internet, Desktop, Critical Servers and Supporting Services segments, each watched by a NIDS, feeding an IDS Collector and a Monitor Station]

E-Commerce site (n-tiered)
- Much the same as the previous one
- Log to a central server
  - FW rules need to be in place to allow this
- Corporate FW logs internally, not to production IDS
- Web Servers and Firewalls are logical candidates
  - For SSL you have the Web server or an SSL appliance
  - Use network-based IDS to profile scans and sweeps against web servers

A Visual
[Diagram: Internet -> NIDS -> FW -> Web Servers, App Server, DB and Supporting Services tiers, each with its own NIDS; the Corporate network sits behind the FW; two IDS Collectors gather the logs]

Other Issues/Thoughts
- Networks are increasingly moving toward switched architectures
  - It is difficult for a network-oriented IDS to tap all traffic moving through a switch
  - Solutions are not yet forthcoming
    - Swamp the IDS
    - Swamp the switch
    - Best approach to date is to plug a hub in front of critical systems to be watched
  - Shomiti taps for high speed full duplex connections
    - Need two interfaces on the IDS, one for each side of the full duplex conversation

Other Issues/Thoughts (cont)
- Put a connection based load balancer in front of an array of IDS machines
- Use Cisco's IDS blade that plugs into the switch backplane - some folks are using multiple blades in a 6xxx series chassis and just sending it all the VLANs they want to monitor


Other Issues/Thoughts
- Firewalls and IDS will eventually be combined into a single capability
  - Many firewalls can trigger alerts when traffic to a bad destination is seen
  - Use this capability to build burglar alarms by overloading the firewall rulesets


IDS Firewall Alarm
[Diagram: Internet -> Router w/some screening -> Firewall; DMZ Network with a hacked WWW Server; Internal Network with Desktop]
- Firewall trips an alert: why would the web server try to telnet in!?!?!


Section Contents
- Goals of Integrating Data Sources
- Commercial Integrated Systems
- What Goes Into Integrating Data?
- Misuse Information and Classification


Goals of Integrating Data Sources
- Turn sensor events into intrusions
- Turn intrusions into reports and alarms


Integration = Sales
- Integration is the chief value-add of established IDS products and how they got that way


Commercial Integrated Systems
- In the past, closed or proprietary systems
  - vendor might not keep up with state of the art
  - vendor might be strong in one area and weak in another
  - can't add your own sensors to compensate for vendor's weakness
  - that won't do in today's environment
- New players in this space
  - Open and extensible
  - Still can't get the whole job done off the shelf


What goes into integrating data?
- Let's look at how it is done
  - Either by a vendor or by you
- Looking at the pieces helps you understand the challenges and the strengths and weaknesses of a particular approach


Things you need
- Data Sources
- Analysis and Reporting
- Long Term Storage


Data Sources
- HIDS
- NIDS
- Firewall logs
- Router logs
  - ACL matches
  - Reconfiguration events
  - Authentication events


More Data Sources
- Host OS logs
  - lastcomm
  - lastlog
  - authentication events
  - audit records
- Application logs
  - Web server
  - Oracle or other database
  - LDAP server
  - RADIUS server
- Virus scanner output
- In-kernel packet filter logs
- VPN gateway appliance logs

About those data sources
- Each one has a different output format
  - Normalize output of each source to common format
  - Special software adapter for each class of data source, can be a perl script
- Gives tremendous power to correlate and query
  - Not everyone does this


Normalizing events
- Widely varying levels of abstraction
  - "Got this funny packet" - router ACL
  - "Phf attack in progress" - NIDS or Application IDS
  - "Login failed on router" - RADIUS server
- Notion of subject and object to provide generalization beyond packets
- Uniform representation for source and destination
- Uniform time format
  - Make sure clocks are synched, use NTP


V 1.0 Copyright SystemExperts 2001,2002,2003
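The adapter-per-source idea from the last two slides, as an added example that is not code from the tutorial: three constructed log lines (a router ACL match, a RADIUS failed login, a NIDS alert) are mapped onto one record shape with a subject, an object, a source tag and a uniform UTC timestamp, and then grouped by subject. The host names, line formats, assumed year and local zone are all this example's own.

```python
"""Event normalizer with one adapter per data source (added example, not
code from the original tutorial). Three constructed log lines, a router ACL
match, a RADIUS failed login and a NIDS alert, are mapped onto one record
shape: uniform UTC time, a source tag, a subject (who acted) and an object
(what was acted on). Host names, formats and the local zone are assumptions."""
import re
from datetime import datetime, timezone, timedelta
from typing import Optional

# Constructed sample lines (one per source); none are real log data.
ROUTER_ACL = ("Mar  3 02:14:07 gw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp "
              "10.9.8.7(4321) -> 192.0.2.10(111), 1 packet")
RADIUS_LOG = "2003-03-03 02:14:09 -0800 radius1 Login incorrect: [bob] from gw1 (192.0.2.1)"
NIDS_ALERT = "1046686450 nids2 ALERT phf attack 10.9.8.7 -> 192.0.2.10:80"

# Assumed local zone and year for sources whose stamps carry neither;
# this is exactly why the slide says to keep every clock on NTP.
LOCAL_TZ = timezone(timedelta(hours=-8))
ASSUMED_YEAR = 2003


def _utc(dt: datetime) -> str:
    """Uniform time format for every record: ISO 8601, UTC, second resolution."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def adapt_router_acl(line: str) -> Optional[dict]:
    """Router ACL match: subject is the sender, object is the blocked destination."""
    m = re.match(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) .*list (\d+) (\w+) (\w+) "
                 r"(\S+?)\((\d+)\) -> (\S+?)\((\d+)\)", line)
    if not m:
        return None
    stamp, host, acl, verdict, proto, src, _sport, dst, dport = m.groups()
    when = datetime.strptime(f"{ASSUMED_YEAR} {stamp}",
                             "%Y %b %d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    return {"time": _utc(when), "source": "router:" + host, "subject": src,
            "object": f"{dst}:{dport}", "event": f"acl {acl} {verdict} {proto}",
            "severity": "low"}


def adapt_radius(line: str) -> Optional[dict]:
    """RADIUS failed login: subject is the account, object is the device logged into."""
    m = re.match(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) (\S+) "
                 r"Login incorrect: \[([^\]]+)\] from (\S+) \(([\d.]+)\)", line)
    if not m:
        return None
    stamp, host, user, nas, nas_ip = m.groups()
    when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")  # zone is in the line
    return {"time": _utc(when), "source": "radius:" + host, "subject": user,
            "object": f"{nas} ({nas_ip})", "event": "login failed",
            "severity": "medium"}


def adapt_nids(line: str) -> Optional[dict]:
    """NIDS alert with an epoch stamp: subject is the attacking address."""
    m = re.match(r"(\d+) (\S+) ALERT (.+?) ([\d.]+) -> ([\d.]+):(\d+)$", line)
    if not m:
        return None
    epoch, host, name, src, dst, dport = m.groups()
    when = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return {"time": _utc(when), "source": "nids:" + host, "subject": src,
            "object": f"{dst}:{dport}", "event": name, "severity": "high"}


ADAPTERS = (adapt_router_acl, adapt_radius, adapt_nids)


def normalize(lines):
    """Run each line through the adapters; first match wins. Unparsed lines are
    dropped here, but a production normalizer should count them, since a source
    that silently stops parsing is itself an event worth noticing."""
    events = []
    for line in lines:
        for adapter in ADAPTERS:
            rec = adapter(line)
            if rec is not None:
                events.append(rec)
                break
    return sorted(events, key=lambda e: e["time"])


def correlate_by_subject(events):
    """The payoff of a common format: group activity from every source by actor."""
    groups = {}
    for e in events:
        groups.setdefault(e["subject"], []).append(e)
    return groups


if __name__ == "__main__":
    grouped = correlate_by_subject(normalize([ROUTER_ACL, RADIUS_LOG, NIDS_ALERT]))
    for subject, evs in grouped.items():
        print(subject, [(e["time"], e["source"], e["event"]) for e in evs])
```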

More things you need

- Data analysis and reporting
  - Artificial Ignorance
  - Correlation tools
  - Counting/thresholding software

Artificial Ignorance

- Log processing technique of determining step-wise what to ignore
- Everything not uninteresting must be interesting
  - Set up log scanning filters to delete uninteresting records
  - Bring everything else to the system admin's attention

Artificial Ignorance (continued)

- Use grep -v -f to filter log messages against a pattern list of uninteresting stuff
- Iteratively build the list using several weeks'/months' logs
- Tune as necessary
- Output is a periodic report: hourly, daily, weekly
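The grep -v -f loop above, as an added example in Python rather than the tutorial's own shell: a pattern list of uninteresting messages is applied to constructed syslog lines, everything unmatched is reported, per-pattern hit counts show which filters earn their keep, and a helper previews what a candidate pattern would silence before it joins the list. The log lines and patterns are constructed for this example.

```python
"""Artificial ignorance in Python (added example, not code from the original
tutorial). IGNORE_PATTERNS plays the role of the grep -v -f pattern file;
anything that matches none of them is "interesting". Hit counts per pattern
and a preview helper support the iterative tuning the slide describes.
All log lines and patterns below are constructed."""
import re
from collections import Counter

IGNORE_PATTERNS = [
    r" sendmail\[\d+\]: .* stat=Sent",             # normal outbound mail
    r" cron\[\d+\]: \(root\) CMD ",                 # routine cron jobs
    r" sshd\[\d+\]: Accepted publickey for \w+ ",   # expected logins
    r" named\[\d+\]: lame server resolving ",       # DNS noise
]

# Constructed sample log; the last three lines are what an admin should see.
SAMPLE_LOG = """\
Mar  3 02:10:01 web1 cron[1123]: (root) CMD (/usr/lib/logrotate)
Mar  3 02:11:14 web1 sendmail[1130]: h23AB9qz001130: to=<ops@example.com>, stat=Sent
Mar  3 02:12:30 web1 sshd[1141]: Accepted publickey for alice from 192.0.2.5 port 40112 ssh2
Mar  3 02:13:02 web1 named[771]: lame server resolving 'example.net' (in 'example.net'?)
Mar  3 02:14:07 web1 sshd[1150]: Failed password for root from 10.9.8.7 port 4321 ssh2
Mar  3 02:14:09 web1 kernel: eth0: promiscuous mode enabled
Mar  3 02:14:11 web1 sshd[1151]: Accepted publickey for alice from 192.0.2.5 port 40113 ssh2
"""


def artificial_ignorance(lines, patterns):
    """Return (interesting_lines, hits) where hits counts matches per pattern.
    A line is dropped on its first matching pattern, like grep -v -f."""
    compiled = [re.compile(p) for p in patterns]
    hits = Counter({p: 0 for p in patterns})
    interesting = []
    for line in lines:
        for pat in compiled:
            if pat.search(line):
                hits[pat.pattern] += 1
                break
        else:
            interesting.append(line)   # not uninteresting, therefore interesting
    return interesting, hits


def preview_pattern(lines, patterns, candidate):
    """Show exactly which currently-reported lines a new pattern would hide,
    so a too-broad pattern is caught before it silences a real attack."""
    before, _ = artificial_ignorance(lines, patterns)
    after, _ = artificial_ignorance(lines, patterns + [candidate])
    return [line for line in before if line not in after]


def unused_patterns(lines, patterns):
    """Patterns that matched nothing in this run are candidates for removal."""
    _, hits = artificial_ignorance(lines, patterns)
    return [p for p in patterns if hits[p] == 0]


if __name__ == "__main__":
    report, counts = artificial_ignorance(SAMPLE_LOG.splitlines(), IGNORE_PATTERNS)
    print("\n".join(report))
    print(dict(counts))
```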

Artificial Ignorance (continued)

- Logcheck
  - http://www.psionic.com/logcheck.html
  - Monitors syslog files and applies search lists of violations to look for as well as strings to ignore
  - Includes a pretty good set of log filters as a baseline

Artificial Ignorance (continued)

- Logsurfer
  - http://www.cert.dfn.de/eng/logsurf/home.html
  - provides close-to-real-time notification
  - matches regexp patterns across multiple lines, with timeouts
  - can invoke external programs
  - nasty config language, but worth it
  - can only read one file at a time

Artificial Ignorance (finished)

- You can see that this log processing is hard work, and takes a long time to get right
- The good news is that commercial products are starting to enter this space, both as software products and as services
- The bad news is that no product does the whole job yet

Correlation tools

- Effective correlation is the hardest part
  - No freeware tool does as good a job as a trained analyst
  - Trained analysts aren't freeware, either
- Excel is your friend
  - So are gnuplot and other similar tools

Long Term Storage

- Flat files run out of steam for busy sites
  - But you might want to keep raw data for forensic purposes
    - RAID
    - Write-once media
    - Encrypt to protect confidentiality
    - Digital signature to ensure integrity
- Databases are popular
  - Easy to query
  - Transaction oriented

A Visual

[figure: log data from syslog, NT syslog, SNMP, SQL and other sources feeds processing scripts, which produce reports]

Misuse Information and Classification

- What do you call a vulnerability or attack?
  - Public dictionaries of attack and vulnerability information now exist
  - Snort database also serves as input to NIDS!
  - CERT
  - CVE

CVE: Common Vulnerabilities and Exposures

- Common Vulnerabilities and Exposures (CVE) is:
  - a list of standardized names for vulnerabilities and exposures; CVE standardizes names, not detailed technical descriptions
  - a dictionary, NOT a database
  - a community-wide effort
  - freely available
- http://cve.mitre.org

How is CVE used?

- CVE Compatible
  - tool uses CVE names such that it can cross-link with other repositories that use CVE names
  - user can search using a CVE name to find related information
  - tool's output includes the related CVE name(s)
  - tool maps to a specific version of CVE, with a good-faith effort to ensure accuracy of the mapping

Sample CVE Entry

- CVE-2000-0217
  - default configuration of SSH allows X forwarding, which could allow a remote attacker to control a client's X sessions via a malicious xauth program.
- References
  - BUGTRAQ:20000224 SSH & xauth
  - BID:1006


IDS: Performance

- Network-based IDS (current tests) don't fare well in high speed networks (but the definition of high speed is changing)
  - Many silently drop packets at over 30Mb/s
  - Tcpdump on many systems does too(!)
  - Only way to tell is hardware packet counts versus what the IDS claims to see
- Be careful to check performance of any IDS you plan to install

Building: Performance

- If you are trying to build your own sniffer:
  - At speeds above 20Mb/sec you will begin to lose packets on most versions of UNIX
  - If you want to go above 30Mb/sec you will need to modify the kernel
  - If you want to go above 50Mb/sec you will need to write your own device drivers

Building: Performance (cont)

- Techniques for going faster
  - New algorithms
  - Change what you look for
  - Faster Hardware
  - Multiprocessing
  - Dividing up the data stream
    - flows
    - Load balancer
  - IDS in hardware

IDS Benchmarking

- How hard can it be?
  - Very!
  - Lots of ways to get it wrong
    - Accidentally
    - Deliberately
- Not doing it wrong does not mean you did it right

Analyzing Selected Sessions

- IDS can optimize performance by only reassembling or tracking TCP sessions related to known signatures
  - IDS might have extremely good performance against random traffic but poor performance against (e.g.) Web traffic
  - Tradeoff is coverage versus performance; vendors do not usually document this

Naive Simulation Network

[figure: an Attack Generator sends an attack stream across the Test Network to the Target Host; the NIDS watches the same test network]

What's Wrong?

- The naive test network permits traffic that is not likely to be seen in a real world deployment, e.g. ARP cache poisoning (you see a lot of this on DEFCON CTF networks)
- The presence of a router would smooth spikes somewhat and actually achieve higher sustained loads

Naive Simulation Network #2

[figure: an Attack Generator and a Smartbits load generator feed Test Network #1; a router with some screening forwards to Test Network #2, where the Target Host sits and the NIDS watches the attack stream]

What's Wrong?

- SmartBits style traffic generators do not generate real TCP traffic
  - This penalizes IDS that actually look at streams and try to reassemble them (which are desirable properties of a good IDS)

Skunking a Benchmark

[figure: a Smartbits load generator and an Attack Generator feed the Test Network; the targets are several Target Hosts, each running a host-network IDS]

What's Wrong?

- Packet style counts are not relevant to host-network IDS

Skunking a Benchmark: #2

[figure: a Smartbits load generator and an Attack Generator feed the Test Network and the Target Host; the NIDS has selective detection turned on]

What's Wrong?

- IDS with selective detection can be configured to only look at traffic aimed at the local subnet
  - SmartBits style generators' random traffic largely gets seen and discarded

Effective Simulation Network

[figure: recorded attack and normal traffic on hard disk is replayed, with the packets dumped back onto the Test Network, where the NIDS watches]

What's Wrong?

- Nothing:
  - Predictable baseline
  - Can verify traffic rate with simple math
  - Can scale load arbitrarily (use multiple machines, each with different capture data)
  - Traffic is real, including real data contents
  - NIDS cannot be configured to watch a specific machine (there are no targets)

Tools to Use

- Fragrouter - generates fragmented packets
- Whisker - generates out-of-sequence packets
- Pcap-pace - replays packets from a hard disk with original inter-packet timing



Choosing a System

- What are we looking for?
- What matters?
- What differentiates?
- Deal breakers!
- One step at a time

What are we looking for?

- Primary criterion: Ability to detect an intrusion
- Secondary are other issues
  - False positives: false alarms
  - False negatives: missed attacks
  - Performance impact: throughput delay or CPU usage

What Matters?

- Scalability
  - How many systems now?
  - In 3-5 years?
- Organizational Issues
  - Are you central or distributed control?
- Support
  - Who will support it? (TCO)
  - Will the vendor be responsive to your needs?
  - Do you have the staff to maintain the signatures?

What Differentiates?

- Data Source Flexibility
  - What and where can they pull the data from?
- Extensive Signatures
  - The more options, the better
  - But make sure to compare apples to apples
- Security
  - Data and transport

What Differentiates? (cont)

- Flexible Alert Facility
  - How will the system let you know there is a problem?
- Robust Reporting System
  - You need something that you can use to get the data in a format you require
- How it's administered
  - Ease of Management
  - How to push out updates and configs

A method to evaluate

Category                 | Weight | IDS#2 | IDS#3 | IDS#4
-------------------------+--------+-------+-------+------
Scalability              |   50   |       |       |
Support                  |   40   |       |       |
Data Source Flexibility  |   25   |       |       |
Extensive Signatures     |   25   |       |       |
Security                 |   20   |       |       |
Flexible Alert Facility  |   15   |       |       |
Robust Reporting System  |   15   |       |       |
Ease of Administration   |   10   |       |       |
-------------------------+--------+-------+-------+------
Total Score              |  1000  |  745  |  425  |  650

(Per-category scores for each product were not preserved in this copy; only the weights and the totals survive.)

Deal Breakers!

- Poor support history
  - Remember: You never get treated better than when you are dating!
- 2 tier systems
- No or weak encryption
- Unacceptable evaluation in multiple categories

One step at a time

- How do you eat an Elephant? One bite at a time
- Start with the following, in order of preference:
  1. Network ID at the firewall/perimeter networks
  2. Host and Application ID on most critical externally accessible systems
  3. Host and Application ID on critical internal servers
  4. Network ID on critical internal networks
  5. Host and Application ID on secondary internal servers
  6. Network ID on internal networks
  7. Host ID on desktop/user systems


Seminal Paper on Eluding IDSs

- Paper by Ptacek and Newsham of Secure Networks, Inc.
- "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" (1998)
- Commercial and free systems analyzed
- No one passed!

Issues to overcome

- Insufficiency of Information on the Wire
- Vulnerability to Denial of Service
  - Resource exhaustion: CPU, Memory, Disk, Bandwidth
- Issues
  - Obscured data
  - Packet fragmentation and reassembly
    - Bugs in IP stacks
    - Sequence
    - Overlapping Fragments
    - IP Options in Fragment Streams
    - Malformed Header Fields
  - TCP Transport Layer Problems
    - Data Synchronization
  - IDS State Transition
  - Abusing Reactive ID Systems

Types of Attacks

- Insertion
  - An IDS can accept a packet that an end-system rejects
- Evasion
  - An end-system can accept a packet that an IDS rejects

Proximity matters

- The farther away the IDS is from the source of the data, the more vulnerable it is to spoofing
  - Network-oriented IDS will have trouble making sense of:

    $ stty erase R
    $ rxRoxRotkit
    $ stty erase ^?

  - A logging shell would not be fooled

Signal to Noise

- Flooding networks with data may also be used to mask an attack against an IDS
  - Of course, this is a dead giveaway!
  - Few systems are capable of doing packet capture at speeds greater than 20Mb/s
- If all else fails, the attacker can try to crash the IDS itself (another dead giveaway!)

Packet fragmenting

- Not all network based IDS do full TCP reassembly; they are vulnerable to attempts to manipulate the TCP stream
  - Such attempts should be detected as unusual/noteworthy events in their own right (usually networks do not fragment large packets into 40-byte fragments, etc)

Obscuring Data

- As an example, www.nwi.net/~pchelp/obscure.htm

  or

  3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D

  - Nothing matters before the @
  - Double word representation of the dotted quad IP address
  - Hexadecimal number representation of individual characters interspersed
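What a NIDS (or a web log analyser) has to do with that request before a signature such as "obscure.htm" can match, as an added example that is not code from the tutorial: strip the userinfo before "@", render the double-word host as a dotted quad, decode the %XX characters, and fold "./" and "../" segments. The obscured URL is the one on the slide; the helper names, the port default and the extra hex host form are this example's own.

```python
"""URL canonicalizer of the kind a NIDS or log analyser needs before it can
match a signature against an obscured request (added example, not code from
the original tutorial). It undoes the three tricks on the slide: userinfo
before "@", a "double word" host, and %XX-encoded path characters, and it
also folds "./" and "../" segments. The helper names are this example's own."""
import re
from urllib.parse import unquote

# The obscured URL from the slide, and its plain form.
OBSCURED = "3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D"
PLAIN = "http://www.nwi.net/~pchelp/obscure.htm"


def decode_host(host: str) -> str:
    """Render numeric host spellings as a dotted quad; leave names alone.
    Handles 32-bit decimal ("double word"), 0x-hex, and dotted forms whose
    octets may themselves be hex; octal octets are deliberately not guessed."""
    h = host.lower()
    if re.fullmatch(r"0x[0-9a-f]+", h):
        value = int(h, 16)
    elif re.fullmatch(r"\d+", h):
        value = int(h, 10)
    elif re.fullmatch(r"(0x[0-9a-f]+|\d+)(\.(0x[0-9a-f]+|\d+)){3}", h):
        octets = [int(p, 16) if p.startswith("0x") else int(p) for p in h.split(".")]
        return ".".join(str(o & 0xFF) for o in octets)
    else:
        return h
    value &= 0xFFFFFFFF  # the dword form wraps modulo 2^32
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonicalize(url: str) -> dict:
    """Return the host, port and decoded, collapsed path that the server will see."""
    rest = re.sub(r"^[a-z][a-z0-9+.\-]*://", "", url, flags=re.IGNORECASE)
    authority, _, path = rest.partition("/")
    # "Nothing matters before the @": everything up to the last @ is userinfo.
    authority = authority.rsplit("@", 1)[-1]
    host, _, port = authority.partition(":")
    decoded = unquote("/" + path)         # one pass of %XX decoding
    segments = []
    for seg in decoded.split("/")[1:]:
        if seg in ("", "."):
            continue
        if seg == "..":                   # directory insertion (/../) folds away
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return {"host": decode_host(host), "port": int(port) if port else 80,
            "path": "/" + "/".join(segments)}


def matches(url: str, needle: str) -> bool:
    """Signature test on the canonical path, never on the raw request string."""
    return needle in canonicalize(url)["path"]


if __name__ == "__main__":
    print(canonicalize(OBSCURED))
    print(canonicalize(PLAIN))
```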

Anti IDS Tools

- Whisker
  - URL encoding
  - directory insertion (/../)
  - premature URL ending
  - long URL
  - fake parameter
  - session splicing
  - NULL method

More Anti IDS Tools

- Fragrouter
  - Most attacks implemented correspond to those listed in the Ptacek and Newsham paper
  - Examples
    - Preserve the entire protocol header in the first fragment. This is useful in bypassing packet filters that deny short IP fragments
    - Send data in ordered 8-byte IP fragments, with one fragment sent out of order
    - Send data in ordered 8-byte IP fragments, sending the marked last fragment first
    - Complete TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte segments
    - Complete TCP handshake, send data in out of order 1-byte segments.
    - Complete TCP handshake, send data in ordered 1-byte segments interleaved with SYN packets for the same connection parameters.

More Anti IDS Tools

- MUTATE v1.1
  - Used to bypass/test NIDS
  - Similar to whisker
- Snot
  - Arbitrary packet generator
  - Uses snort rules files as its source of packet information
  - Attempts to randomize information to prevent detection by 'snot detection' snort rules
  - Can be used as an IDS evasion tool, by using specific decoy hosts
- Nmap
  - Timing
  - Decoy parameter


Forensics

- The art of gathering evidence during or after a crime
  - Reconstructing the criminal's actions
  - Providing evidence for prosecution
- Forensics for computer networks is extremely difficult and depends completely on the quality of information you maintain

Forensics: Tools

- Tcpdump
- Argus
- NFR
- Tcpwrapper
- Sniffers
- Nnstat
- A line printer
- Tripwire
- Backups
- The Coroner's Toolkit (TCT)
- TCTUTILS
- Autopsy
- Incident Response Collection Report (IRCR)

The Coroner's Toolkit (TCT)

- A collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after a break-in
- Most important parts
  - grave-robber: captures information
  - ils and mactime: display access patterns of files, dead or alive
  - unrm and lazarus: recover deleted files
  - findkey: recovers cryptographic keys from a running process or from files
- OSes: Solaris, SunOS, FreeBSD, Linux, BSD/OS, OpenBSD
- http://www.porcupine.org/forensics

TCTUTILS

- Add functionality to TCT
  - List directory inode contents to view file, device, and directory names
    - Allows deleted file names to be viewed and possibly recovered
  - Get Modified, Accessed, and Created time data on deleted files
  - Find the names of files and directories that are using a given inode
  - Find the inode that is using a given block
  - Display the contents of a given block in several formats
  - Display the details of an inode (including all block numbers)
- Requires TCT 1.06 or greater

Autopsy

- HTML-based graphical interface to TCT, TCTUTILs, and basic UNIX utilities
- It integrates many command line based tools to automate the tedious tasks
- Helps in using the individual tools for more complex scenarios
- Offers 4 methods of browsing
  - File
  - Inode
  - Block
  - Block Search
- www.cerias.purdue.edu/homes/carrier/forensics/

Incident Response Collection Report (IRCR)

- Basically TCT for Windows
  - Gather and/or analyze forensic data on a Microsoft Windows system
  - You can think of this as a snapshot of the system in the past
  - Like TCT, mostly oriented towards data collection rather than analysis
  - Premise is that the person who gets the data knows what to do with it
- http://www.incident-response.org/IRCR.htm

Forensics: Response

- Split response efforts into two teams
  - Team A: Learn what you can about what the attacker is doing, feed the information to team B
  - Team B: generate a shutout plan based on the attacker's techniques to lock them (and keep them) out
  - Determine in advance when team A will give up and team B will perform the shutout

Response

- Examine log files
- Look for sniffers
- Look for remote control programs (netbus, backorifice, etc)
- Look for possible hacker file sharing or communications programs (eggdrop, irc, etc)

Response (cont)

- Look for privileged programs

    find / -perm -4000 -print

- Look for file system tampering (use tripwire or backups)
- Examine cron and at jobs
- Look for unauthorized services

    netstat -a

  - check inetd.conf

Response (cont)

- Look for password file changes or new users
- Check system and network configurations
  - Pay close attention to filtering rules
- Look for unusual files
  - Depending on the size of your disks:

    find / -print | more

- Look at all your hosts, especially servers

Forensics: Backtracking

- Nowadays hackers are increasingly sophisticated about hiding tracks
  - The ones that are good, you won't catch
  - The ones that you can catch aren't worth catching
- Very few good tools for backtracking are available

Hidden Directories

- Warez: Cute term for pirated software
- Warez are often hidden in FTP or web areas using weird directory names:
  - "..."
  - " " (a single space)
  - "normal " (normal with a space after it)
- Check FTP areas for new directories

Finding Hacker-Prints

- Search the suspected infected system for new files:

    find / -mtime -30 -print

- Use tripwire
- Restore filesystems to a different disk and compare all the files (slow and painful!)

Names of Tools to Look for

- nuke - icmp bomb program
- rootkit - trojans and patches
- cloak - log clearer
- zap - file date changer
- icepick - penetration test tool
- toneloc - wargames dialer

Law Enforcement

- FBI:
  - Jurisdiction over electronic crime
- Secret Service: (Treasury Dept)
  - Credit card fraud
  - Attacks against financial organizations
- Law enforcement interest depends on the sexiness of the case

Law Enforcement (cont)

- Law enforcement still Internet-ignorant
  - Expect to have to educate them
  - Not worth it
- The situation is improving rapidly
  - Your mileage, however, may vary wildly depending on location

A Quick Response Example

- Look at the logs
- Figure out who needs to be contacted
- Contact them
- Wait for results

Look over the logs

- Original Snort log showed:

    May 15 02:37:55 212.247.185.41:111 -> 216.27.176.114:111 SYNFIN ******SF
    May 15 02:37:55 212.247.185.41:111 -> 216.27.176.115:111 SYNFIN ******SF
    May 15 02:37:55 212.247.185.41:111 -> 216.27.176.116:111 SYNFIN ******SF
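The "look at the logs, figure out who to contact" step done mechanically, as an added example that is not code from the tutorial: the three Snort lines above are parsed, grouped by source address, held against a target-count threshold, and turned into the one-line summary an abuse report needs. The threshold value and the report wording are this example's own choices.

```python
"""Counting and thresholding over Snort portscan log lines (added example,
not code from the original tutorial). Lines are grouped by source address
so that the question "who needs to be contacted?" reduces to a per-source
summary; the three sample lines are the ones on the slide, while the
threshold and the report wording are this example's own choices."""
import re
from collections import defaultdict

SNORT_LINES = [
    "May 15 02:37:55 212.247.185.41:111 -> 216.27.176.114:111 SYNFIN ******SF",
    "May 15 02:37:55 212.247.185.41:111 -> 216.27.176.115:111 SYNFIN ******SF",
    "May 15 02:37:55 212.247.185.41:111 -> 216.27.176.116:111 SYNFIN ******SF",
]

# Snort's portscan log: stamp, src:port -> dst:port, scan name, TCP flag string.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<name>\S+) (?P<flags>[\w*]{8})$")


def parse(line: str):
    """Dict of named fields, or None for a line that is not a portscan entry."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines, min_targets: int = 3) -> dict:
    """Group by source; keep only sources that touched at least min_targets hosts.
    SYN and FIN set together never come from a normal TCP stack, so the flag
    string is retained in the summary as evidence of deliberate probing."""
    per_src = defaultdict(lambda: {"targets": set(), "ports": set(),
                                   "flags": set(), "first": None, "last": None})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        s["targets"].add(rec["dst"])
        s["ports"].add(int(rec["dport"]))
        s["flags"].add(rec["flags"])
        s["first"] = s["first"] or rec["stamp"]
        s["last"] = rec["stamp"]
    return {src: s for src, s in per_src.items() if len(s["targets"]) >= min_targets}


def abuse_report(summary: dict, tz_label: str = "US PST") -> list:
    """One plain sentence per offending source, ready to paste into a report."""
    lines = []
    for src, s in sorted(summary.items()):
        ports = ", ".join(str(p) for p in sorted(s["ports"]))
        flags = ", ".join(sorted(s["flags"]))
        lines.append(f"{len(s['targets'])} hosts scanned on port(s) {ports} from {src} "
                     f"between {s['first']} and {s['last']} ({tz_label}); "
                     f"TCP flags seen: {flags}")
    return lines


if __name__ == "__main__":
    for sentence in abuse_report(summarize(SNORT_LINES)):
        print(sentence)
```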

Lookup contacts

- A Whois lookup showed:

    route:    212.247.0.0/16
    descr:    SWIPNET
    descr:    In case of improper use originating from our network,
    descr:    please mail customer or abuse@swip.net
    origin:   AS1257
    notify:   staff@swip.net
    mnt-by:   AS1257-MNT
    changed:  ip@swip.net 19990202
    changed:  per@swip.net 20001115
    source:   RIPE

Send a message

From: Philip Cox
Sent: Tuesday, May 15, 2001 7:10 AM
To: abuse@swip.net
Subject: Scans from 212.247.185.41

Dear Sirs,

Three of my systems were scanned for portmapper by the IP address 212.247.185.41. These actions are not authorized. Please have the user of this system stop scanning my systems. The relevant portion of the logs is included. They are all US PST:

May 15 02:37:55 212.247.185.41:111 -> 216.27.176.114:111 SYNFIN ******SF
May 15 02:37:55 212.247.185.41:111 -> 216.27.176.115:111 SYNFIN ******SF
May 15 02:37:55 212.247.185.41:111 -> 216.27.176.116:111 SYNFIN ******SF

Phil Cox
System Owner

Response

Hello,

The customer has been contacted and the compromised server has been taken offline. Please let us know if this continues or happens again.

Sincerely,
Niklas Odebo
Tele2 Abuse Dep.
============================
Best regards
Customer Security Department
Tele 2 AB
abuse@swip.net abuse@tele2.se
============================

Under Attack

- Decide if you want to:
  - Observe the attacker
  - Chase them away and lock them out
  - Catch the attacker
  - Prosecute them if you catch them
- If you may want to prosecute:
  - Contact legal counsel immediately
  - Find out about local laws of evidence

If you are Under Attack

- Do a complete system backup immediately
  - Hackers tend to zap system disks if caught
- Get a system with tcpdump running a complete packet log to disk
  - What protocol packets went to/from where
  - Possibly contents for some sessions (telnet, rlogin, IRC, FTP)

Shutting Down (For Paranoids)

- Sync the disks, and halt the system
  - Do not execute a clean shutdown
  - Do not disconnect the network
- Bring the system back up to single user mode
  - Make and verify backups in single user mode
  - Consider making an image dump (dd) of disks

Phone Companies

- Backtracking phone calls is nearly impossible
  - Deregulation makes phone company boundaries very hard to track across
  - Even with a hard fix on the login session, phone companies take 20-30 minutes to track a call
  - Very frustrating

Where are They Coming From?

- Use tcpdump / who / syslog to see where they are coming in from
- Run finger against the remote system
  - If finger is working on the attacker's system you may be able to correlate activity with times of attack and user idle time
  - Usually the attacker will be using a stolen account on the remote machine

Backtracking

- Do not mail to root@attackermachine saying you are under attack
  - Attackers watch root's mail
- Check the NIC registry for the attacker's domain and telephone the site technical contact
  - Remember: your communications are compromised

Watching the Bad Guy

- Get a copy of cloak and watch the attacker semi-invisibly
  - If they see they are being watched they will leave and may destroy the machine
- If they have forgotten to disable shell command history you can get a good idea what commands they are using

Fight Fire with Fire

- Building booby-trapped telnet/rlogin clients lets you monitor everything the attacker does
- Social engineer the attacker
  - Sometimes the attacker will reveal themselves
  - Sometimes the attacker will brag on IRC
  - Sometimes you can learn who it is by piquing their ego
- If they leave warez or tools in an FTP area
  - Log who retrieves them
  - Replace warez with files of white noise
  - Contact site admins at sites downloading the software

Legal Issues

- You may not be able to use hacker techniques against them
- Laws for gathering evidence are confusing
- Logs may or may not be admissible
- Perpetrator may or may not be prosecutable

Know when to Quit

- Eventually it may be easier to unplug the network for a day or two and just clean up
- Use clean up time to improve security and logging

Forensics: Practice

- The Honeynet Project releases a "Scan of the Month"
  - A challenge for each tool captured in the wild with the honeypot
  - Figure out:
    - Technique
    - Tool used
    - Anything else
- As always:
  http://project.honeynet.org/scans/



Section Contents

- Quis custodiet ipsos custodes?
- What are Logs?
- Packet Sniffing = Wiretapping?
- Policies and Laws
- Resources

Quis custodiet ipsos custodes?

- Who Watches the Watchmen?
- We don't always think about the data in our custody
- How is our IDS different from the FBI's Carnivore?

What are Logs?

- Logs are Electronic Records
  - So are packet captures
- They are subject to retention policies
- They can be subpoenaed
- They contain information about people in your organization and elsewhere

Packet Sniffing = Wiretapping?

- It Depends
- An analogy can be made between capturing packets and recording phone conversations
- Some jurisdictions are already going there
- Make sure you know where you stand

Policies and Laws

- Organizational Regulations
  - appropriate use policy
  - privacy of email and files
  - maintenance/retention of electronic records
- Talk to your management!

Policies and Laws

- Governmental Regulations
  - Different applicability
    - private vs. public
    - for-profit vs. non-profit
  - Electronic Communications Privacy Act (ECPA)
  - Family Educational Rights and Privacy Act (FERPA)
  - Health Insurance Portability and Accountability Act (HIPAA)
- Talk to your legal staff!

Resources

- Honeyman/Saul Invited Talk from LISA '97
- Computer Professionals for Social Responsibility: www.cpsr.org
- Electronic Freedom Foundation: www.eff.org
- Your policy documents
- Your Legal Department


Closing Thoughts

- There are a lot of different options
- You have to start with Policy
- You can't deploy it in a day/week/month
- It's not cheap
  - It is an ongoing process
  - A lot of blood, sweat, and tears OR $$$ and some blood, sweat, and tears
- The best time to start is NOW!

The End

- Thank you for attending!
- Thank you for your comments!
- Please fill out the Instructor Evaluation Form!!

Resources

- Books
- Web Sites
- Mailing lists

Books

- Intrusion Detection: Network Security Beyond the Firewall, by Terry Escamilla, published by John Wiley and Sons
- Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Traps, Trace Back, and Response, by Edward G. Amoroso, published by intrusion.net books

Books

- Computer Crime: A Crimefighter's Handbook, by David Icove, Karl Seger and William VonStorch, from O'Reilly & Associates in August '95
- Coping with the Threat of Computer Security Incidents: A Primer from Prevention Through Recovery, by Russell Brand

Books

- Internet Security and Firewalls: Repelling the Wily Hacker, by Bill Cheswick and Steve Bellovin, from Addison Wesley
- Internet Firewalls, 2nd Edition, by Elizabeth Zwicky, Simon Cooper, and Brent Chapman

URLs

- Spaf's Security Page
  - http://www.cs.purdue.edu/people/spaf
- Mjr's home page
  - http://www.clark.net/pub/mjr
- Hacker sites: the fringe
  - http://www.lopht.com
  - http://www.digicrime.com

URLs

- IDS FAQs (warning: vendor sponsored)
  - http://www.ticm.com/kb/faq/idsfaq.html
  - http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html

Addresses

- IDS mailing list:
  - ids@uow.edu.au

Addresses

- CERT
  - cert@cert.org
- CIAC
  - Ciac@llnl.gov
- Firewalls mailing list
  - majordomo@gnac.com: subscribe firewalls
- Web security mailing list
  - majordomo@ns.rutgers.edu: subscribe wwwsecurity

Addresses

- Firewalls Wizards mailing list
  - majordomo@nfr.net: subscribe firewall-wizards
  - http://www.nfr.net/forum/firewall-wizards.html
- Searchable online archive on
  - http://www.nfr.net/firewall-wizards/

Mark Mellis
Consultant
Mark.Mellis@SystemExperts.com
626-852-8639 direct
626-852-8739 fax
978-440-9388 main

http://www.SystemExperts.com/

Philip Cox
Consultant
Phil.Cox@SystemExperts.com
530-887-9251 direct
530-887-9253 fax
978-440-9388 main

http://www.SystemExperts.com/

Appendix 1: Advanced Burglar Alarms

- These are for people with too much free time on their hands :)

Chroot-a-nono

- A process that is already chrooted probably should not chroot again
- If kernel source is available this is easy to do (vfs_syscalls.c)
  - Check within the chroot system call for root inode != real root and log an alarm

    /* new! fd_rdir is non-NULL once the process has already been chrooted */
    if (fdp->fd_rdir != NULL)
        log(LOG_ERR, "WARNING! chroot when already chrooted!\n");

ls-o-matic

- Train yourself not to run ls as root
- Replace ls with a program that mails you or shuts the system down if it is ever run as root
- Use echo * instead of ls

... This trick takes a lot of discipline!

Shared-Library boobytrap

- Systems with shared libraries are a great place to add alarms
- Generate a custom version of the exec() library family that logs every command execution that isn't one of a small expected set
- Good for firewalls or web servers!

Nit-pick

- Many times when a break-in occurs hackers will set up a sniffer
- If the NIT device is not configured they often add it
- Replace the NIT device with something that triggers a warning instead
  - The /dev/nit driver can be replaced with a driver that halts the system

File-change-o

- A very simple cron job can be made to
  - Copy critical files to a hidden directory
    - /etc/passwd, /etc/group, /etc/inetd.conf
    - find / -user root -print
  - Diff the files against what's currently installed on the system
  - Bring differences to the administrator's attention
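A cron-ready version of this check, as an added example that is not from the original slides: it keeps hidden copies of the critical files plus the list of root-owned files, and reports any drift. BASELINE_DIR, CRITICAL_FILES and SCAN_ROOT are assumed names.

```shell
#!/bin/sh
# Added example: baseline copies of critical files in a hidden directory,
# diffed against the live system on every cron run.  Paths are assumptions.
BASELINE_DIR="${BASELINE_DIR:-/var/.baseline}"
CRITICAL_FILES="${CRITICAL_FILES:-/etc/passwd /etc/group /etc/inetd.conf}"
SCAN_ROOT="${SCAN_ROOT:-/}"

# Take (or refresh) the baseline: copy each critical file and record the
# set of root-owned files, as the slide suggests.
take_baseline() {
    mkdir -p "$BASELINE_DIR" && chmod 700 "$BASELINE_DIR"
    for f in $CRITICAL_FILES; do
        [ -f "$f" ] && cp -p "$f" "$BASELINE_DIR/$(echo "$f" | tr / _)"
    done
    find "$SCAN_ROOT" -user root -print 2>/dev/null | sort \
        > "$BASELINE_DIR/root-owned.list"
}

# Compare the live system against the baseline.  Prints a diff for each
# changed file; returns 1 if anything differs, 0 if the system is clean.
check_baseline() {
    rc=0
    for f in $CRITICAL_FILES; do
        saved="$BASELINE_DIR/$(echo "$f" | tr / _)"
        [ -f "$saved" ] || continue
        if ! diff -u "$saved" "$f" >/dev/null 2>&1; then
            echo "ALERT: $f differs from baseline"
            diff -u "$saved" "$f" || true
            rc=1
        fi
    done
    find "$SCAN_ROOT" -user root -print 2>/dev/null | sort \
        | diff "$BASELINE_DIR/root-owned.list" - >/dev/null 2>&1 \
        || { echo "ALERT: set of root-owned files changed"; rc=1; }
    return $rc
}
```

Run take_baseline once from a known-good state, then schedule check_baseline from cron and mail its output to the administrator.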

File shrinkener

- Write a program to check if the inode number of /var/log/messages has changed at the same time the file has shrunk
  - Use ls -i and ls -l in a shell script
  - Use stat in C code
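The shell-script variant of this check, as an added example that is not from the original slides: it records inode and size from ls -li between runs and alarms only when both signals line up. LOGFILE and STATEFILE are assumed names.

```shell
#!/bin/sh
# Added example: detect a log file that was replaced (new inode) and is
# smaller than last time, i.e. cleaned or swapped out.  Paths are assumptions.
LOGFILE="${LOGFILE:-/var/log/messages}"
STATEFILE="${STATEFILE:-/var/.shrink-state}"

# Print "<inode> <size>" for a file using ls -i / ls -l, as the slide suggests.
inode_and_size() {
    [ -f "$1" ] || return 1
    # ls -li prints: inode mode links owner group size date... name
    set -- $(ls -li "$1")
    echo "$1 $6"
}

# Compare against the last recorded inode/size, then update the record.
# Returns 0 when nothing is suspicious, 1 when the inode changed while the
# file got smaller (or the file is gone altogether).
check_shrink() {
    now=$(inode_and_size "$LOGFILE") \
        || { echo "ALERT: $LOGFILE is missing"; return 1; }
    new_ino=${now% *}
    new_size=${now#* }
    if [ -f "$STATEFILE" ]; then
        read -r old_ino old_size < "$STATEFILE"
        if [ "$new_ino" != "$old_ino" ] && [ "$new_size" -lt "$old_size" ]; then
            echo "ALERT: $LOGFILE replaced (inode $old_ino -> $new_ino)" \
                 "and shrank ($old_size -> $new_size bytes)"
            echo "$new_ino $new_size" > "$STATEFILE"
            return 1
        fi
    fi
    echo "$new_ino $new_size" > "$STATEFILE"
    return 0
}
```

Ordinary log rotation produces the same new-inode-and-smaller pattern, so run the check at a time you know is not a rotation, or expect one alarm per rotation and treat any other as real.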

Terrify Suzy*

- May make people think twice about what kind of monitoring is going on in the system

# cat > main.c
#include <unistd.h>
int main(void)
{
    while (1) sleep(30);   /* does nothing, just sits in the process table */
}
^D
# cc -o watchdog main.c
# nohup ./watchdog &

* based on an old story from Boyd Roberts

Fake Hacktools

- Install something that pretends to be a hacker program
  - BackOfficer Friendly: pretends to be a Back Orifice server
  - an eggdrop or FSP server that logs everything

Fake Holes

- Install a phf.pl script in your CGI directory on your web server
- Have it generate an alert

DumDum Users

- Have a user with a crackable but not obvious password
  - Put something in their .login to alert you when they log in
- If they ever log in, you know someone has gotten hold of your password file, somehow

Roto-Router

- Redirect incoming traceroute queries to a user-mode process which responds with carefully crafted packets
- Looks like you go into the network
  - Then to microsoft.com
  - Then to whitehouse.gov
  - Then to playboy.com
  - etc.

Louis Mamakos (I think) invented this one

Scan Slower

- Set up services on a port that listen and accept connections
  - Set keepalive
  - Never send data
- This could be very nicely implemented in a border device that simulates an entire network or system

Phat Warez

- Compress a few gigabytes of zeros into a .zip file (it'll get pretty small!)
- Leave it in your Warez directory

Redirector

- Set up something (kind of like a dynamic LocalDirector or a firewall with proxy transparency) on the border of your network that takes traffic destined to certain machines
  - Rewrites the destination to be the source
  - Sends it back out
- "Wow! He's scanning me back really quickly! He knows all my tricks!"

Socket Stuffer

- For scanning tools that collect data off the ports and record/parse/log it
  - Have a listener on many ports
  - Each listener, if connected to, sends back a few USENET postings from talk.bizarre
- This would be lots of fun against the auditors who like to run ISS scans against you and charge you big $$ for the result

Auditor Biter

- One nice way of catching clueless auditors who send an intern to run ISS against you and charge you big $$$ is to create fake vulnerabilities in your system and wait to see if they appear in the report
  - Measure how much deviance exists between the report and the ISS output

Rat Poison Files

- Collect a string (a single encrypted password) that is in your shadow password file / customer database / credit card database
- Have a sniffer watching your system that will scream as soon as it sees that string leave the system

Noset Executable

- For dedicated service machines, consider removing the ability to set the execute bit in multiuser mode
  - Must also be attached to a terminal
    - Log whenever it isn't!!!
- Log and alert attempts to set execute permission
