1

cs591
chow
C. Edward Chow
IDS: Intrusion Detection
System

2
cs591
chow
Outline of The Talk
Definition, Concepts
Network Intrusion Detection:
A2D2 (Integrating NIDS with Firewall)
Host Intrusion Detection: Tripwire
References:
Chapter 7.5 Intrusion Detection System, Security in Computing.
Chapter 25 Intrusion Detection, Computer Security, Matt Bishop.
Chapter 7 Network Intrusion Detection, Inside Network Perimeter
Security, by Northcutt et al (reserved in UCCS Library)
NIST IDS Survey: http://cs.uccs.edu/~chow/pub/ids/NISTsp800-31.pdf
A2D2: http://cs.uccs.edu/~chow/pub/master/acearns/doc/
http://cs.uccs.edu/~chow/pub/ids/2001_vigna_kemmerer_blix_raid01.p
df
Snort: http://www.snort.org/
http://cs.uccs.edu/~cs591/ids/snort/snort2_9_0/rules/
http://cs.uccs.edu/~cs591/ids/snort/snort_manual2_9_0.pdf
Tripwire: http://www.tripwire.org/


3
cs591
chow
Architecture of IDS
HOST A
HIDS
HOST A
HIDS
HOST A
NIDS
HOST A
HIDS
Director
(Analyzer)
Notifier
HIDS: Host Intrusion Detection System
NIDS: Network Intrusion Detection System
(logger)
4
cs591
chow
HIDS vs. NIDS
Two Basic Types of IDS:
Host-based IDS:
Periodically analyze logs, perform file system integrity check.
Examples:
Generic: ISS RealSecure Server Sensor.
Check host file system: Tripwire, AIDE
Check host network connections: BlackICE, PortSentry
Check hosts log files: LogSentry, Swatch
Network-based IDS:
Analyze network traffic content and pattern for signs of intrusion
Examples:
Snort, Cisco IDS4235,

5
cs591
chow
IDS Placement
DNS
Server
Intra1
Internet
Outer Firewall
Firewall
Inner Firewall
Firewall
SW
SW
Mail
Server
Web
Server
DMZ
Router
IDS
IDS
IDS
6
cs591
chow
Snort
A popular network intrusion public domain package, available on
www.snort.org.
It allows the user to specify a set of rules which specifies the pattern in the
packets, and the corresponding actions (typically just an alert msg) for
matched packets.
It also allows the user to create their own plug-in for additional detection
that is not available with default pattern matching. For example, the subnet
flooding, it requires modification of preprocessing step.
It was used by many other packages and products.
On snort download site, installation steps are given for integrating snort
with mysql, apache, webmin, and ACID (new one called BASE) for easy
web-based access and display of the intrusion instance, statistics, and
related intrusion event databases, such as CVE, arachNIDS.
See http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf for more
details.
7
cs591
chow
Snort-based
IDS
Setup Example
(from Steven Scotts
tutorial)
8
cs591
chow
Basic Snort Usage
Snort has three main modes:
Sniffer mode: read packets and display on console.
E.g., >Snort -dev
v: verbose; d: dump application data data; e: extensive
Packet Logger: read packets and log to the disk.
E.g., > snort dev l ./log h 192.168.1.0/24
l: log, h: only capture packets relative to the host
NIDS: analyze packets and matched against user defined rules and perform actions.
E.g., > snort dev l ./log c snort.conf
add D will have snort run as daemon.
-A [fast | full | unsock | non]
-b for binary (tcpdump) format; faster.
Use r snort.og to read it back for offline analysis.
-o: change the normal (alertpasslog rules) processing order to (passalertlog).
You can use SMB alert. That use smbclient to send WinPopup alert msg to window
machines.
Use O for (obsuscates) the ip addresses in log file for hiding IP addresses when
sharing with others the logs.
9
cs591
chow
/etc/snort/snort.conf
Snort read the snort.conf file for the default variables, additional pre/post processing
plug-in (if any), output specification (to a mysql for example), and a set of rule files.
For example, http://cs.uccs.edu/~chow/pub/snort/snort.conf
output database: log, mysql, user=snort password=xxxx dbname=snort host=localhost
include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules

new snort.conf http://cs.uccs.edu/~cs591/ids/snort/snort2_9_0/etc/snort.conf

The set of new rule v2900 are available at
http://cs.uccs.edu/~cs591/ids/snort/snort2_9_0/rules//



10
cs591
chow
Snort Rule Syntax
Most rules written in single line. If multiple line use \
Each snort rule has two logical section: rule header and rule options.
alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS
Stacheldraht agent->handler (skillz)"; content:"skillz"; itype:0;
icmp_id:6666;
reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis;
classtype:attempted-dos; sid:1855; rev:2;)
alert any any -> 192.168.1.0/24 any (flags:A; ack:0; msg: NMAP TCP
ping;)
# nmap send TCP ACK pkt with ack field set to 0
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-IIS cmd.exe access"; flow:to_server,established;
content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002;
rev:5;)
Rule header contains action, protocol, source (IPaddr/port), direction,
destination (IPaddr/port)
Rule option contains alert msgs, info on which parts of packet to be
inspected.
-> and <> are the only two direction operators.

11
cs591
chow
Snort Rule Syntax
Var: <name> <value>
var: EXTERNAL_NET [128.198.160.0/19, 128.198.61.0/26]
var: HOME_LAN [192.168.0.0/24, 10.1.1,0/24]
var NON_WIRELESS !128.198.61.128/25
# use ! for negative operator for specifying the CIDR address not within a range.
Use $<variable> to reference them later.
alert tcp $EXTERNAL_NET any $HOME_LAN any (flags: S; msg: SYN packet;)
Rule Actions:
Alert
Log
Pass (ignore the packet)
Activate (alert then turn on another dynamic rule (being phase out)
Dynamic remain idle until activated by an activeate rule, then act as a log rule.
You can also define your own rule types. Then use it as rule actioin.
ruletype redalert {
type alert output
alert_syslog LOG_AUTH LOG_ALERT
output database: log, mysql,user=snort dbname=snort host=localhost
}

12
cs591
chow
Rule option: Content
content: [!] <content string>;
It allows the user to set rules that search for specific content in
packet payload and trigger response based on the data.
Case sensitive. Can be mixed text and binary.
Use | to specify the byte code (hexadecimal number).
! For negation; nocase to make case-insensitive matching.
Examples:
Alert tcp any any -> 192.168.1.0/24 143 (content: |90CB C0FF
FFFF|/bin/sh;\
msg: IMAP buffer overflow!)
Alert tcp any any -> 192.168.1.0/24 21 (content: !GET; depth:
3; nocase; \
dsize: >100; msg: Long Non-Get FTP command!)
Dsize: payload size.
Related IMAP buffer overflow,
http://www.securityfocus.com/bid/130/discussion/
13
cs591
chow
Rule option: offset and depth
Offset: < number>
Specify the number of bytes to skip before starting
pattern matching.
Depth: <number>
Set maximum search depth for content pattern match.
alert tcp any any -> $HLAN 80
(content: cmd.exe; offset: 3; depth: 22: msg: com.exe
attack;)

14
cs591
chow
Rule option: sid & flow
Sid specifies unique snort rule.
<100 reserved for future use.
100-1,000,000 rule included in snort distirbution.
>1,000,000 for local rule usage.
Flow: use in conjunction with TCP stream reassembly.
Option: to_server (client request), to client (server
response), from_client, from_server.
E.g., alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
cmd.exe access"; flow:to_server,established;
content:"cmd.exe"; nocase; classtype:web-application-
attack; sid:1002; rev:5;)
15
cs591
chow
16
cs591
chow
17
cs591
chow
Detection Results
#0-(3-1) [snort] WEB-IIS cmd.exe access 2003-04-14
21:14:00 65.106.21.153:1541 128.198.161.110:80 TCP


C:\work\cucs\cs691\S2003>nslookup 65.106.21.153
Server: evans.eas.uccs.edu
Address: 128.198.160.66

Name: diahost153.dia.cnc.net
Address: 65.106.21.153

18
cs591
chow
Detection Results
ID < Signature > < Timestamp > < Source Address > < Dest. Address > < Layer 4 Proto >
#0-(4-39) [snort] SCAN Proxy (8080) attempt 2003-04-1619:11:51 128.198.161.110:63906 128.198.61.61:8080 TCP
#1-(4-38) [snort] SCAN Proxy (8080) attempt 2003-04-16 19:11:51 128.198.161.110:63905 128.198.61.61:8080 TCP
#2-(4-37) [cve][icat][cve][icat][snort] SNMP AgentX/tcp request 2003-04-16 19:11:49 128.198.161.110:63906 128.198.61.61:705 TCP
#3-(4-36) [cve][icat][cve][icat][snort] SNMP AgentX/tcp request 2003-04-16 19:11:49 128.198.161.110:63905 128.198.61.61:705 TCP
#4-(4-35) url[snort] SCAN SOCKS Proxy attempt 2003-04-16 19:11:48 128.198.161.110:63906 128.198.61.61:1080 TCP
#5-(4-34) url[snort] SCAN SOCKS Proxy attempt 2003-04-16 19:11:48 128.198.161.110:63905 128.198.61.61:1080 TCP
#6-(4-33) [cve][icat][cve][icat][snort] SNMP request tcp 2003-04-16 19:11:30 128.198.161.110:63906 128.198.61.61:161 TCP
#7-(4-32) [cve][icat][cve][icat][snort] SNMP request tcp 2003-041619:11:29 128.198.161.110:63905 128.198.61.61:161 TCP
#8-(4-31) [snort] SCAN Squid Proxy attempt 2003-04-16 19:11:27 128.198.161.110:63906 128.198.61.61:3128 TCP
#9-(4-30) [snort] SCAN Squid Proxy attempt 2003-04-16 19:11:27 128.198.161.110:63905 128.198.61.61:3128 TCP
19
cs591
chow
False Positives vs False Negatives
False positives: something occurs that causes IDS to
incorrectly identify an intrusion when none has occurred.
False negatives: something occurs that causes IDS to
incorrectly fail to identify an intrustion when one has in
fact occurred.
Accuracy of IDS: reflect the number of false positives.
Completeness: reflect the number of false negatives.

20
cs591
chow
Attack Response Rules
Check on the responses of server for obvious pattern that the system has be
attacked/compromised.
https://128.198.61.61:10000/snort/conf_rules.cgi?rule=attack-responses
Examples:
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
(msg:"ATTACK RESPONSES index of /cgi-bin/ response";
flow:from_server,established; content:"Index of /cgi-bin/"; nocase; classtype:bad-
unknown; sid:1666; rev:3;)
alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSE
successful gobbles ssh exploit (GOBBLE)"; flow:from_server,established;
content:"|2a|GOBBLE|2a|"; reference:bugtraq,5093; classtype:successful-admin;
sid:1810; rev:2;)
http://www.securityfocus.com/bid/5093
alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSE
successful kadmind bufferflow attempt"; flow:established,from_server;
content:"*GOBBLE*"; depth:8; reference:cve,CAN-2002-1235;
reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900;
rev:1;)

21
cs591
chow
BackDoor Trojan
Try to detect know ports and content of packet that are
used and generated by the backdoor trojan.
alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any
(msg:"BACKDOOR Doly 2.0 access"; content: "|57 74
7a 75 70 20 55 73 65|"; flags: A+; depth: 32;
reference:arachnids,312; sid:119; classtype:misc-
activity; rev:3;)
http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids
312&view=research
https://128.198.61.61:10000/snort/conf_rules.cgi?rule=b
ackdoor
22
cs591
chow
DDoS Rules
DDoS with know protocol/port/content.
https://128.198.61.61:10000/snort/conf_rules.cgi?rule=ddos
alert icmp $EXTERNAL_NET any <> $HOME_NET any
(msg:"DDOS Stacheldraht handler->agent (ficken)";
content:"ficken"; itype:0; icmp_id:6667;
reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysi
s; classtype:attempted-dos; sid:1856; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 31335
(msg:"DDOS Trin00\:DaemontoMaster(PONGdetected)";
content:"PONG";reference:arachnids,187; classtype:attempted-
recon; sid:223; rev:1;)
23
cs591
chow
DNS rules
Zone transfer, DNS buffer overflow exploit.
https://128.198.61.61:10000/snort/conf_rules.cgi?rule=dns
alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53
(msg:"DNS zone transfer TCP"; flow:to_server,established; content:
"|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532;
reference:arachnids,212; classtype:attempted-recon; sid:255;
rev:7;)
alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53
(msg:"DNS EXPLOIT x86 linux overflow attempt (ADMv2)";
flow:to_server,established; content:"|89f7 29c7 89f3 89f9 89f2 ac3c
fe|"; classtype:attempted-admin; sid:265; rev:3;)

24
cs591
chow
Scan rules
Scan certain node/ports. (network scan vs port scan)
https://128.198.61.61:10000/snort/conf_rules.cgi?rule=scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128
(msg:"SCAN Squid Proxy attempt"; flags:S; classtype:attempted-
recon; sid:618; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN
synscan portscan"; id: 39426; flags: SF;reference:arachnids,441;
classtype:attempted-recon; sid:630; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN
nmap TCP";flags:A;ack:0; reference:arachnids,28;
classtype:attempted-recon; sid:628; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any
(msg:"SCAN SolarWinds IP scan attempt";
content:"SolarWinds.Net"; itype:8; icode:0; classtype:network-scan;
sid:1918; rev:3;)
25
cs591
chow
WEB-CGI Rules
https://128.198.61.61:10000/snort/conf_rules.cgi?rule=web-cgi
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"WEB-CGI perl.exe access";
flow:to_server,established; uricontent:"/perl.exe"; nocase;
reference:cve,CAN-1999-0509;
reference:url,www.cert.org/advisories/CA-1996-11.html;
reference:arachnids,219; reference:nessus,10173;
classtype:attempted-recon; sid:832; rev:8;)
.. (DOT DOT) ATTACK.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"WEB-CGI technote main.cgi file directory
traversal attempt"; flow:to_server,established;
uricontent:"/technote/main.cgi"; nocase; content:"filename=";
nocase; content:"../../"; reference:cve,CVE-2001-0075;
reference:bugtraq,2156; classtype:web-application-attack; sid:1051;
rev:7;)
26
cs591
chow
WEB-IIS Rules
https://128.198.61.61:10000/snort/conf_rules.cgi?rule=w
eb-iis
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"WEB-IIS unicode directory
traversal attempt"; flow:to_server,established;
content:"/..%c0%af../"; nocase; classtype:web-
application-attack; reference:cve,CVE-2000-0884;
sid:981; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"WEB-IIS cmd.exe access";
flow:to_server,established; content:"cmd.exe"; nocase;
classtype:web-application-attack; sid:1002; rev:5;)

27
cs591
chow
SMTP Rules
SMTP has quite a few buffer overlfow exploit.
https://128.198.61.61:10000/snort/conf_rules.cgi?rule=smtp
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP
RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3a|";
nocase; content:!"|0a|"; within:800; reference:cve,CAN-2001-0260;
reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP
sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL
FROM|3a207c|/usr/ucb/tail"; nocase; reference:arachnids,122;
classtype:attempted-user; sid:665; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP
From comment overflow attempt"; flow:to_server,established;
content:"From\:";
content:"<><><><><><><><><><><><><><><><><><><><><><>";
distance:0; content:"("; distance:1; content:")"; distance:1;
reference:cve,CAN-2002-1337;
reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin;
sid:2087; rev:2;)
28
cs591
chow
Bad Traffic
Bad packet header content
https://128.198.61.61:10000/snort/conf_rules.cgi?rule=b
ad-traffic
alert tcp $EXTERNAL_NET any -> $HOME_NET any
(msg:"BAD TRAFFIC data in TCP SYN packet"; flags:S;
dsize:>6; reference:url,www.cert.org/incident_notes/IN-
99-07.html; sid:526; classtype:misc-activity; rev:4;)
alert ip any any -> any any (msg:"BAD TRAFFIC same
SRC/DST"; sameip; reference:cve,CVE-1999-0016;
reference:url,www.cert.org/advisories/CA-1997-28.html;
classtype:bad-unknown; sid:527; rev:3;)

29
cs591
chow
HIDS: Host-based Intrusion Detection
Detect and examine malicious activity (same as
network-based intrusion detection.)
Optimize for monitoring individual hosts.
Monitor system network activity, file system, log files,
user actions.
Integrate the finding of several host-based intrusion
detection provide unified view of multiple systems in the
network.
Detect escalation of privileges for a user or system
account. (from guest user to have admin privilege).
NIDS can not usually see or interpret such actions
which takes place on a host.

30
cs591
chow
HIDS Advantages over NIDS
HIDS can monitor user-specific activity of the system
Check process listing, local log files, system calls.
It is difficult for NIDS to associate packets to specific users
(except when content switch-based NIDS is used!) and to
determine if the commands in the packets violate specific users
access privilege.
HIDS sensor can monitor encrypted traffic by tapping in at the
connection endpoint such as VPN connection. (NIDS can not check
encrypted IPsec/SSL payload.)
HIDS can help detect attack that evade NIDS detection.
For example, attacks encode dangerous commands in non-
standard Unicode encoding. checking for ".ida". An example
request would look like: GET /himom.id%u0061 HTTP/1.0



31
cs591
chow
Tripwire: A Host-based IDS
Original version developed at Purdue Univ. 1992 by Dr. Eugene
Spafford and Gene Kim, now CTO of Tripwire
http://www.tripwire.org/downloads/index.php Linux public domain
software download. http://www.tripwire.org/qanda/faq.php
Commercial evaluation version tripwire3.0 (with manager and
server, run on both Linux/windows) available at
http://www.tripwire.com/downloads/
Tripwire managers provide gui and unified interface to monitor
multiple instances of tripwire program.
Can monitor configuration of routers/switches.
Here is a presentation from tripwire.com.
There is Advanced Intrusion Detection Environment (AIDE)
available at http://www..cs.tut.fi/~rammer/aide.html. It is actively
maintained and developed. Not on windows. Does not encrypt and
sign the baseline datagbase. (The tripwire does this).

32
cs591
chow
33
cs591
chow
34
cs591
chow
File Access Permission Change
35
cs591
chow
Example of Policy File
For windows systems,
http://cs.uccs.edu/~cs691/tripwire/windows/Policy/twpol.
txt
For linux,
http://cs.uccs.edu/~cs691/tripwire/linux/Policy/twpol.txt
http://cs.uccs.edu/~cs691/tripwire/windows/Documents/r
eference_guide.pdf page 25.
Rule: object -> properties;