
Alert Correlation of IDS and Vulnerability

Objective
- Intrusion
- Intrusion Detection System
- Vulnerability
- Vulnerability Assessment
- Alert Correlation

Intrusion
An intrusion is any malicious activity carried out by a hacker, mainly to:
- Get unauthorized access to the system
- Read/write the data
- Disturb the normal functionality of the network
- Steal confidential data

Intrusion Detection System


An intrusion detection system (IDS) is a software application/tool that finds intrusions in a network. The IDS keeps a set of signatures/rules that describe malicious activity. It captures all packets and compares each one against all signatures/rules. If a packet matches a signature, the IDS sends an alert.

Intrusion Detection System (contd.)


Sample Signature/Rule of IDS:

alert tcp SRC-IP SRC-PORT -> DST-IP 3306 (msg:"MS-SQL login attempt"; content:"mysql u root"; reference:cve,2004-1234; reference:bugtraq,5310; sid:2003; rev:2;)

The rule above says: if any incoming packet from the external world to the local network on port 3306 carries the content "mysql u root", it is an attempt to log in to the MySQL server without a password. The rule was created from the CVE and Bugtraq references it cites.

CVE or Bugtraq
CVE (Common Vulnerabilities and Exposures) is a public catalogue, maintained by the MITRE organisation, that assigns an identifier to each publicly known vulnerability and describes it. Bugtraq is another system that describes problems found in applications/software.

CVE Details

IDS deployment
[Diagram: the computers of the Local Area Network reach the External world (Internet) through a Router; the IDS is placed on the Local Area Network so that it captures all packets crossing that boundary and analyzes them further.]

Vulnerability
A vulnerability is a weakness/problem in a computer system or application that allows an attacker/hacker to attack the system.
E.g. MySQL has a vulnerability where any remote user can log in to the database without providing a password.

Vulnerabilities have different levels of severity: High, Medium and Low.

Vulnerability Assessment
Vulnerability assessment is the process of finding all the problems that exist in a system, much as an X-ray finds a fracture in a bone. A vulnerability assessment tool keeps a set of plugins/rules to test for vulnerabilities in a given system/application/service. The plugins are created from the problems described by CVE or Bugtraq.

Alert Correlation

Alert correlation is the process of correlating the alerts sent by the IDS with the vulnerability report produced by the vulnerability assessment tool, in order to find the valid attacks.

Need of Alert correlation


The IDS has a huge number of rules, and not all of them are precise. It sends a huge number of alerts, of which more than 70% are FALSE POSITIVES. Analyzing them to find the valid alerts is a time-consuming activity for the system administrator, and there is a possibility that he/she misses the real attack. Alert correlation helps to solve this issue.

How Alert correlation works


The alert correlation system collects the alerts sent by the IDS. It parses the vulnerability report and stores it in a database. Finally, it compares the vulnerability results with the IDS alerts based on host, service and CVE or Bugtraq id.

Architecture of AC
[Diagram: alerts flow from the Data Collector (DC) through the alert processing modules AN, AF, AV and AP into the Alert Database (ADB); the Vul Scanner output passes through the Vul Parser into the Vulnerability Database (VDB); the Report Engine presents the results.]

Module Description
Data Collector
Collects the alerts from the IDS.

Alert Normalization
Converts each alert into a standard form (Alert-id, SRC IP, SRC Port, Dst IP, Dst Port, Rule-Id, References, Sensor Id).

Alert preprocessing
Sets the creation time of the alert if it is missing.

Alert Fusion
Removes duplicate alerts sent by different sensors.

Module Description
Alert verification
Verifies each received alert against the vulnerability report. It takes the destination IP from the alert and looks it up in the vulnerability report to find the vulnerabilities for that destination IP. If a vulnerability exists in the database for that destination IP, it then checks whether the attacked service is running. If the service is running on the system, it checks the CVE details to make sure the alert was fired for a vulnerable service version.

Case Study:
If an IDS alert says there is an attack on MySQL server version 1.2.5, the alert verifier first checks whether MySQL is running on the system. If MySQL is not running, the alert is a false positive. If MySQL is running, the alert verifier checks the vulnerability report to see whether MySQL version 1.2.5 is the version running. If MySQL version 1.2.5 is running, the alert is valid; otherwise it is a false positive.
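The alert verifier's decision, written out as an added example (not the project's own code): the VDB contents, the rule string and the alert values are constructed, and the service name carried in the alert is an assumption about the normalized form.

```python
import re

# Constructed vulnerability database in the shape the Vulnerability Parser
# would leave in the VDB: host -> {port -> service record}.
VDB = {
    "172.16.2.3": {
        3306: {"service": "mysql", "version": "1.2.5", "references": {"CVE-2004-1234"}},
        80: {"service": "apache", "version": "2.0.40", "references": set()},
    },
    "172.16.2.4": {3306: {"service": "mysql", "version": "1.2.5", "references": set()}},
    "192.168.12.13": {},   # scanned, nothing found
}

# Constructed rule in Snort syntax (not the slide's rule verbatim).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"MySQL login attempt"; '
        'content:"mysql u root"; reference:cve,2004-1234; reference:bugtraq,5310; '
        'sid:2003; rev:2;)')

def rule_references(rule):
    """Collect the CVE ids named in a Snort-style rule's reference: options."""
    return {"CVE-" + m for m in re.findall(r"reference:\s*cve,\s*([\d-]+)", rule, re.I)}

def make_alert(dst_ip, dst_port, service, version=None):
    """Build a normalized alert (constructed values) for RULE; 'service' is assumed."""
    return {"alert_id": 1, "src_ip": "134.13.21.21", "src_port": 4455,
            "dst_ip": dst_ip, "dst_port": dst_port, "rule_id": 2003,
            "service": service, "version": version,
            "references": rule_references(RULE), "sensor_id": "snort-1"}

def verify_alert(alert, vdb):
    """Apply the verifier's checks in order; return (verdict, reason)."""
    host = vdb.get(alert["dst_ip"])
    if not host:                                   # no finding for the victim host
        return "false positive", "no vulnerability found for destination IP"
    svc = host.get(alert["dst_port"])
    if svc is None or svc["service"] != alert["service"]:
        return "false positive", "attacked service is not running on the host"
    if alert["references"] & svc["references"]:   # CVE in rule == CVE in report
        return "valid", "rule CVE matches the scanner finding"
    if alert["version"] and alert["version"] == svc["version"]:
        return "valid", "vulnerable service version is running"
    return "false positive", "service runs but is not vulnerable to this CVE/version"

if __name__ == "__main__":
    print(verify_alert(make_alert("172.16.2.3", 3306, "mysql", "1.2.5"), VDB))
    print(verify_alert(make_alert("172.16.2.3", 80, "mysql"), VDB))
    print(verify_alert(make_alert("192.168.12.13", 3306, "mysql"), VDB))
```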

Module description
Alert Profiler
Creates groups of alerts based on attacker and victim.

Vulnerability Scanner
Runs the vulnerability scanner with all plugins.

Vulnerability Parser
Parses the vulnerability report and stores it in the database.

ADB
All alerts are stored in Alert database.

VDB
Vulnerability database.

Report Engine
Shows the alert details online.

Design : Use case sample

Design: Subsystem Diagram

Design: ER-Diagram

Example of Vulnerability
<Host: 172.16.2.3>
  <Service: Mysql>
    <port: 3306>
    <Severity: high>
    <plugin-id: 2234>
    <reference: CVE-2003-2345>
    <Description: Mysql does not have the root password>
  </Service>
  <Service: Apache>
    <port: 80>
    <Severity: low>
    <plugin-id: 1234>
    <references: Bugtraq-1234>
    <Description: Apache web server has issue>
  </Service>
</Host>
<Host: 192.168.12.13>
</Host>

The example above shows how the vulnerability report is generated for host 172.16.2.3. This report is parsed and stored in the Vulnerability Database.
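A parser for the bracketed report notation shown above, added here as an example (not the project's Xerces-based parser): the report text is constructed from the slide's sample, and the output shape (host -> port -> record) is an assumption about the VDB.

```python
import re

# Constructed report in the slide's bracketed notation (not real scanner output).
REPORT = """<Host: 172.16.2.3> <Service: Mysql> <port: 3306> <Severity: high>
<plugin-id: 2234> <reference: CVE-2003-2345> <Description: Mysql does not have the root password>
</Service> <Service: Apache> <port: 80> <Severity: low> <plugin-id: 1234>
<references: Bugtraq-1234> <Description: Apache web server has issue> </Service> </Host>
<Host:192.168.12.13> </Host>"""

# One token per <tag: value> or </tag>; tolerates missing spaces as in <Host:192...>.
TOKEN = re.compile(r"<\s*(/?)\s*([A-Za-z-]+)\s*:?\s*([^>]*?)\s*>")

def parse_report(text):
    """Turn the report into {host: {port: record}}; a host with no services maps to {}."""
    vdb, host, svc = {}, None, None
    for closing, tag, value in TOKEN.findall(text):
        tag = tag.lower()
        if closing:
            if tag == "service" and host is not None and svc is not None:
                port = svc.pop("port", None)          # port becomes the record key
                vdb[host][int(port) if port else None] = svc
                svc = None
            elif tag == "host":
                host = svc = None
        elif tag == "host":
            host = value
            vdb.setdefault(host, {})
        elif tag == "service":
            svc = {"service": value.lower(), "references": set()}
        elif svc is None:
            continue                                   # field outside a service block
        elif tag in ("reference", "references"):       # both spellings occur in the sample
            svc["references"].update(r.strip() for r in value.split(",") if r.strip())
        else:
            svc[tag] = value                           # severity, plugin-id, description
    return vdb

if __name__ == "__main__":
    for ip, services in parse_report(REPORT).items():
        print(ip, services)
```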

Testing
To test the alert verification process, the following steps were followed:
1. The Nemesis tool was used to craft the packet, e.g.
   $ nemesis tcp -S 134.13.21.21 -D 202.153.144.25 -P payload/rule2
2. Ran the vulnerability scanner and stored the report in the database after parsing it.
3. Ran the alert verifier to check whether RULE2, fired by the IDS, matches the existing vulnerability database or not.

Tools Used
- Snort (as an IDS)
- Nessus (a vulnerability scanner)
- Nemesis (packet creation for testing)
- Nmap (to get the details of the services running on the system)
- Xerces (XML parser to parse the vulnerability report stored by the scanner in XML format)
- GDB (program debugging)

Attack report

Attack type

Vulnerability Parsing

Thanks To
IGNOU & Rajiv Ranjan(Guide)
