-
8/16/2019 Se Ids Secsymp01
1/241
Intrusion Detection & Network Forensics
Mark Mellis & Phil Cox
-
V 1.0 Copyright SystemExperts 2001,2002,2003
Just checking...
This is a top level bullet
  This is the next level in
    This would be level 3
      This would be level 4
Can you hear? Check 1…2…3… Check
Is it too hot? Too cold?
-
An ounce of prevention is worth a pound of detection
-
Goals of the Tutorial
The student recognizes the N major classes of IDS technology, and can correctly classify a new product
The student understands the strengths and weaknesses of the N major classes of IDS
The student knows what IDS technology can and cannot do
Given a network drawing, the student can discuss different IDS deployment strategies for that network
The student can do some unknown thing with network forensics
Great evals ☺
-
Where are we?
High level theory
Deployment examples
Integrating Data Sources
Benchmarks and Performance
Choosing a System
Eluding IDS
Forensics and Response
Ethics, Policies, Legalities
Conclusions
-
Section Contents
General
IDS Models
IDS Data Sources
Types of IDS
Technical Caveats
-
Why Talk about IDS?
Emerging new technology
Very interesting
...but...
About to be over-hyped
Being informed is the best weapon in the security analyst’s arsenal
It also helps keep vendors honest!
-
What is an Intrusion?!
Difficult to define
Not everyone agrees
This is a big problem
How about someone telnetting your system?
And trying to log in as “root”?
What about a ping sweep?
What about them running an ISS scan?
What about them trying phf on your web server?
What about succeeding with phf and logging in?
-
What is IDS?
The ideal Intrusion Detection System will notify the system/network manager of a successful attack in progress:
  With 100% accuracy
  Promptly (in under a minute)
  With complete diagnosis of the attack
  With recommendations on how to block it
…Too bad it doesn’t exist!! Or does it?
-
Objectives: 100% Accuracy, 0% False Positives
A False Positive is when a system raises an incorrect alert
  “The boy who cried ‘wolf!’” syndrome
0% false positives is the goal
  It’s easy to achieve this: simply detect nothing
0% false negatives is another goal: don’t let an attack pass undetected
-
Objectives: Prompt Notification
To be as accurate as possible the system may need to “sit on” information for a while until all the details come in
  e.g.: Slow-scan attacks may not be detected for hours
  This has important implications for how “real-time” IDS can be!
IDS should notify user as to detection lag
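As an added illustration of the detection-lag point (this code is not from the tutorial), the following sliding-window detector has to "sit on" probes from one source until enough distinct ports have been touched inside the window, and it reports the lag between the first probe it is still holding and the alert. The events, the window size and the threshold are constructed for the example; a scan spread out more slowly than the window is never flagged at all, which is exactly the slow-scan problem the slide describes.

```python
"""Sliding-window slow-scan detector that reports its own detection lag.

Added example, not part of the original tutorial.  A source is flagged
when it has touched `threshold` distinct destination ports within
`window_seconds`; the alert carries how long after the first retained
probe the notification was raised.
"""
from collections import defaultdict, deque

# Constructed sample events: (timestamp_seconds, source_ip, dest_port)
SAMPLE_EVENTS = [
    (0, "10.0.0.5", 22),
    (600, "10.0.0.5", 23),
    (1200, "10.0.0.5", 25),
    (1800, "10.0.0.5", 80),
    (2400, "10.0.0.5", 110),   # 5th distinct port within an hour: alert
    (100, "10.0.0.9", 80),     # ordinary client talking to one port
    (200, "10.0.0.9", 80),
]


def detect_slow_scans(events, window_seconds=3600, threshold=5):
    """Return alerts as (source, alert_time, lag_seconds, sorted_ports).

    Lag is the time between the oldest probe still inside the window and
    the moment the threshold was crossed, i.e. how late the notification
    is relative to the start of the (retained) scan.
    """
    per_source = defaultdict(deque)   # source -> deque of (ts, port)
    alerted = set()
    alerts = []
    for ts, src, port in sorted(events):
        q = per_source[src]
        q.append((ts, port))
        # forget probes that have fallen out of the window
        while q and ts - q[0][0] > window_seconds:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, ts - q[0][0], sorted(ports)))
    return alerts


if __name__ == "__main__":
    for src, when, lag, ports in detect_slow_scans(SAMPLE_EVENTS):
        print(f"{src}: {len(ports)} ports by t={when}s, detection lag {lag}s")
```

With the one-hour window the scanning source is reported 2400 seconds after its first probe; with a 1000-second window the same probes are forgotten before the threshold is reached and nothing is reported, so the window length is a direct trade between detection lag and what the detector can see.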
-
Objectives: Prompt Notification (cont)
Notification channel must be protected
  What if attacker is able to sever/block notification mechanism?
  An IDS that uses E-mail to notify you is going to have problems notifying you that your E-mail server is under a denial of service attack!
-
Objectives: Diagnosis
Ideally, an IDS will categorize/identify the attack
  Few network managers have the time to know intimately how many network attacks are performed
This is a difficult thing to do
  Especially with things that “look weird” and don’t match well-known attacks
-
Objectives: Recommendation
The ultimate IDS would not only identify an attack, it would:
  Assess the target’s vulnerability
  If the target is vulnerable it would notify the administrator
  If the vulnerability has a known “fix” it would include directions for applying the fix
This requires huge, detailed knowledge
-
IDS: Pros
A reasonably effective IDS can identify
  Internal hacking
  External hacking attempts
Allows the system administrator to quantify the level of attack the site is under
May act as a backstop if a firewall or other security measures fail
-
IDS: Cons
IDS’ don’t typically act to prevent or block attacks
  They don’t replace firewalls, routers, etc.
If the IDS detects trouble on your interior network what are you going to do?
  By definition it is already too late
-
Privacy: a Problem
Some governments/states mandate levels of privacy protection for employees or students
  This may make it impossible to adequately gather data for the IDS
  This may make it impossible to gather forensic data for analysis or prosecution
-
Privacy: a Problem (cont)
Is it prying if it’s done by a computer?
  What if a human never sees it?
  What if the information is never acted upon?
At what point is privacy violated?
  Looking at packet headers?
  Looking at packet contents?
  Looking at /var/mail/user?
-
Paradigms for Deploying IDS
Attack Detection
Intrusion Detection
-
Attack Detection
[Diagram labels: Internet, Router w/some screening, Firewall, DMZ Network, WWW Server, Internal Network, Desktop, IDS]
IDS detects (and counts) attacks against the Web Server and firewall
-
Attack Detection
Placing an IDS outside of the security perimeter records attack level
  Presumably if the perimeter is well designed the attacks should not affect it!
  Still useful information for management (“we have been attacked 3,201 times this month…”)
Prediction: AD will generate a lot of noise and be ignored quickly
-
Intrusion Detection
[Diagram labels: Internet, Router w/some screening, Firewall, DMZ Network, WWW Server, Internal Network, Desktop, IDS]
IDS detects hacking activity WITHIN the protected network, incoming or outgoing
-
Intrusion Detection
Placing an IDS within the perimeter will detect instances of clearly improper behavior
  Hacks via backdoors
  Hacks from staff against other sites
  Hacks that got through the firewall
When the IDS alarm goes off, it’s a red alert
-
Attack vs. Intrusion Detection
Ideally do both
Realistically, do ID first then AD
  Or, deploy AD to justify security effort to management, then deploy ID (more of a political problem than a technical one)
The real question here is one of staffing costs to deal with alerts generated by AD systems
-
Section Contents
General
IDS Models
IDS Data Sources
Types of IDS
Technical Caveats
-
IDS Models
IDES
Audit
Inline
Hybrid (a mix of both)
-
IDES
Dorothy Denning (1986) publishes “An Intrusion Detection Model” which defines much IDS thinking
Defines components of an IDS in terms of:
  Subjects - initiators of activity
  Objects - targets of activity
  Profiles - characterization of how subjects operate on objects (may be statistical models or pattern matching)
-
IDES (cont)
  Audit Records - trace information about the occurrence of events in time
  Anomaly Records - trace information about the occurrence of unusual events in time, often generated by the IDS or applications
  Alarms - information that the system brings to the security administrator’s attention
Systems evolved from IDES: DIDS, Stalker, Emerald
-
Block Diagram: Generic IDS
[Diagram blocks: Host System or Network Sniffer; Pre-Processing; Statistical analysis; Signature matching; Alert manager; GUI; Response manager; Knowledge base; Long term storage]
-
Audit Based IDS
Audit based IDS post-process audit trail (and other) information
  Activity is first logged then post-processed
  Batch oriented approach allows for virtually infinite correlation if enough data is present
[Diagram: Kernel and applications -> Audit Database -> IDS correlation -> reports, alerts]
-
Audit Data
Determining what is a good audit probe point (where to record something) is a difficult problem
  Orange book includes 23 probe points within UNIX kernel and applications
    open, read/write, process fork, creation of IPC, create/remove file, bad login, password change, add/remove user/group, etc...
-
Networked Auditable Events
Users logging in at unusual hours*
Unexplained reboots
Unexplained time changes
Unusual error messages
Failed login attempts
Users logging in from unfamiliar sites*
* (implies that per-user “history” is kept)
-
CIDF
ARPA sponsored effort to achieve Common Intrusion Detection Framework
  Architectural conventions for IDS modules
  Messaging specification for audit data and its transmission
Information on CIDF on the web:
  http://www.seclab.ucdavis.edu/cidf/spec/cidf.txt
-
CIDF (cont)
Conceptual components are modules
  Event generators - collect or generate data
  Analysis engines - processing and correlation
  Storage mechanisms - archival and short term storage including of logs and audit records
  Response components - outputs
-
CIDF (cont)
Will CIDF work?
  Pro: It’s a generalization of most IDS; all the pieces are there
  Con: Will IDS vendors see any value in an interoperable, modular solution?
  Can it be made to work at all?
-
Inline IDS (a.k.a. Real-Time)
Inline IDS process audit data as it is generated
  Typically discard audit data that it does not recognize as significant
  Amount of correlation tends to be limited
[Diagram: Kernel and applications -> IDS correlation -> reports, alerts and Incident database; unrecognized data -> Bit bucket]
-
Audit vs. Inline
Inline is faster but only provides a “local” view unless a lot of data is forwarded in realtime to a central location
Audit is deeper but requires keeping lots of data
Hybrid systems exploit both: inline detection forwarding significant events to an audit station
You really need both
-
Section Contents
General
IDS Models
IDS Data Sources
Types of IDS
Technical Caveats
-
IDS Data Sources
Host Based
Network Based
-
Host Based IDS
Collect data usually from within the operating system
  C2 audit logs
  System logs
  Application logs
More of an “Audit” approach
Data collected in very compact form
  But application / system specific
-
Host Based: Pro
Quality of information is very high
  Software can “tune” what information it needs (e.g.: C2 logs are configurable)
  Kernel logs “know” who user is
Density of information is very high
  Often logs contain pre-processed information (e.g.: “badsu” in syslog)
  Ability to “contextualize” the event is unparalleled
-
Host Based: Con
Capture is often highly system specific
  Usually only 1, 2 or 3 platforms are supported (“you can detect intrusions on any platform you like as long as it’s Solaris or NT!”)
Information needs to be “normalized” before it is taken off the system
Performance is a wild-card
  To unload computation from the host, logs are usually sent to an external processor system
  See above bullet #2
-
Host Based: Con (cont)
Hosts are often the target of attack
  If they are compromised their logs may be subverted
  Data sent to the IDS may be corrupted
  If the IDS runs on the host itself it may be subverted
  Denial of Service “kills 2 birds with one stone”
-
Network Based IDS
Collect data from the network or a hub / switch
  Reassemble packets
  Look at headers
Try to determine what is happening from the contents of the network traffic
  User identities, etc inferred from actions
Need to worry about performance
  Must be able to look at all traffic
  More performance sensitive than host based
-
Network Based: Pro
No performance impact on the system running the IDS
  A Ping-O-Death against another host will not affect the IDS
More tamper resistant
No management impact on platforms
  Just need to manage one system, not many like host based
-
Network Based: Pro (cont)
Works across O/S’
Can derive information that host based logs might not provide
  Packet fragmenting, port scanning, etc.
-
Network Based: Con
May lose packets on flooded networks
  Performance sensitive
May improperly reassemble packets
  Or not reassemble them at all
May not understand O/S specific application protocols (e.g.: SMB/NetBIOS)
  This is one place “Host” based shines
-
Network Based: Con (cont)
May not understand obsolete network protocols
  Basically IP centric
Does not handle encrypted data
  How do you check something you can’t read?
-
Hybrid IDS
The current crop of commercial IDS are mostly hybrids
  Misuse detection (signatures or simple patterns)
  Expert logic (network-based inference of common attacks)
  Statistical anomaly detection (values that are out of bounds)
-
Properties of: Per-Host Network IDS
Network IDS “shim” layer inserted into network stack on each host
Issues
  Properties of network IDS
  But
    Traffic processed per-host only
    Does not have same performance sensitivity as NIDS
    “Local” only view of traffic (but no drops)
-
Properties of: Firewall IDS
Place network IDS capability in a firewall or bridge type device
Issues
  No packet loss issues
  May slow down network
-
Hybrid IDS (cont)
At present, the hybrids’ main strength appears to be the misuse detection capability
  Statistical anomaly detection is useful more as backfill information in the case of something going wrong
  Too many false positives - many sites turn anomaly detection off
-
Hybrid IDS (cont)
The ultimate hybrid IDS would incorporate logic from vulnerability scanners*
  Build maps of existing vulnerabilities into its logic of where to watch for attacks
  Backfeed statistical information into misuse detection via a user interface
* Presumably, a clueful network admin would just fix the vulnerability
-
What to keep
Everything
  This is where we start the process
-
What to throw away
Things that you know aren’t interesting
  Consider keeping counts of the number of uninteresting events that occur
  The number of times an uninteresting event occurs may be interesting ☺
  Event frequency of uninteresting events may be interesting!
  See Appendix (“artificial ignorance”)
Build a stop list and forward all remaining output to a human intelligence
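The stop-list approach described on this slide, as an added example that is not part of the original tutorial: lines matching a known-uninteresting pattern are dropped from what the human sees but counted, so that a change in the frequency of a "boring" event can still be noticed. The syslog lines, the stop-list patterns and the baseline counts are constructed for the example.

```python
"""Stop-list ("artificial ignorance") log filter with frequency counts.

Added example, not from the original tutorial.  Everything that is not
on the stop list is forwarded to a human; everything that is on it is
counted, and counts far above the expected baseline are reported.
"""
import re
from collections import Counter

# Constructed stop list: patterns for messages known to be uninteresting.
STOP_LIST = [
    re.compile(r"CRON\[\d+\]: \(root\) CMD"),
    re.compile(r"sendmail\[\d+\]: .* stat=Sent"),
    re.compile(r"named\[\d+\]: lame server"),
]

# Constructed sample syslog lines.
SAMPLE_LOG = """\
Jun  1 03:00:01 gw CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jun  1 03:00:02 gw sendmail[1250]: f51A0x01250: to=ops, stat=Sent
Jun  1 03:01:11 gw named[321]: lame server resolving 'example.test'
Jun  1 03:02:40 gw CRON[1290]: (root) CMD (run-parts /etc/cron.hourly)
Jun  1 03:05:09 gw su: BAD SU alice to root on /dev/pts/2
Jun  1 03:05:30 gw CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
"""


def filter_log(lines, stop_list=STOP_LIST):
    """Return (forwarded_lines, counts).

    forwarded_lines: lines no stop-list pattern matched (for the human);
    counts: how often each stop-list pattern fired, keyed by pattern text.
    """
    counts = Counter()
    forwarded = []
    for line in lines:
        if not line.strip():
            continue
        for pat in stop_list:
            if pat.search(line):
                counts[pat.pattern] += 1
                break
        else:
            forwarded.append(line)
    return forwarded, counts


def frequency_alerts(counts, baseline, factor=3):
    """Stop-list patterns whose count exceeds `factor` times the baseline.

    `baseline` maps pattern text to the count normally seen in the same
    period; an "uninteresting" event firing far more often than usual is
    itself worth a look.
    """
    return sorted(p for p, n in counts.items() if n > factor * baseline.get(p, 0))


if __name__ == "__main__":
    forwarded, counts = filter_log(SAMPLE_LOG.splitlines())
    for line in forwarded:
        print("FORWARD:", line)
    for pattern, n in counts.items():
        print(f"suppressed {n:3d}  {pattern}")
```

Only the "BAD SU" line reaches the human; the three cron lines, the sendmail line and the named line are suppressed and counted, and the cron count would be reported if it exceeded the period's baseline by the chosen factor.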
-
Section Contents
General
IDS Models
IDS Data Sources
Types of IDS
Technical Caveats
-
Types of IDS
Anomaly Detection - the AI approach
Misuse Detection - simple and easy
Burglar Alarms - policy based detection
Honey Pots - lure the hackers in
Hybrids - a bit of this and that
-
Anomaly Detection
Goals:
  Analyze the network or system and infer what is normal
  Apply statistical or heuristic measures to subsequent events and determine if they match the model/statistic of “normal”
  If events are outside of a probability window of “normal” generate an alert (tunable control of false positives)
-
Anomaly Detection (cont)
Typical anomaly detection approaches:
  Neural networks - probability-based pattern recognition
  Statistical analysis - modeling behavior of users and looking for deviations from the norm
  State change analysis - modeling system’s state and looking for deviations from the norm
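The statistical approach from this slide, worked through as an added example (not code from the tutorial) on the two "Networked Auditable Events" that the earlier slide marked as needing per-user history: logins at unusual hours and logins from unfamiliar sites. A profile per user is built from a training set, a new login is scored against it, and the z-score threshold is the "probability window" that tunes false positives. The login history and host names are constructed.

```python
"""Statistical anomaly detection over per-user login history.

Added example, not from the original tutorial.  Each user's profile
holds the hours at which they have logged in and the sites they have
come from; a new login is alerted when its hour is too many standard
deviations from the user's mean, or its source site has never been seen.
"""
import math
from collections import defaultdict

# Constructed training history: (user, hour_of_day, source_host)
HISTORY = [
    ("alice", 9, "ws12.corp.example"), ("alice", 10, "ws12.corp.example"),
    ("alice", 9, "ws12.corp.example"), ("alice", 11, "ws12.corp.example"),
    ("alice", 8, "ws12.corp.example"), ("alice", 10, "ws12.corp.example"),
    ("alice", 9, "laptop7.corp.example"), ("alice", 10, "ws12.corp.example"),
    ("bob", 22, "home.isp.example"), ("bob", 23, "home.isp.example"),
    ("bob", 21, "home.isp.example"), ("bob", 22, "home.isp.example"),
]


class UserProfile:
    def __init__(self):
        self.hours = []
        self.sites = set()

    def add(self, hour, site):
        self.hours.append(hour)
        self.sites.add(site)

    def hour_zscore(self, hour):
        """Standard deviations between `hour` and the user's usual login hour."""
        n = len(self.hours)
        mean = sum(self.hours) / n
        var = sum((h - mean) ** 2 for h in self.hours) / n
        sigma = math.sqrt(var) or 1.0   # constant history: fall back to 1 hour
        return abs(hour - mean) / sigma


def build_profiles(history):
    """Learn what is "normal" per user from the training history."""
    profiles = defaultdict(UserProfile)
    for user, hour, site in history:
        profiles[user].add(hour, site)
    return profiles


def score_login(profiles, user, hour, site, z_threshold=3.0):
    """Return the list of anomaly reasons; an empty list means "normal".

    z_threshold is the tunable probability window: widening it lowers
    the false-positive rate at the price of missing milder anomalies.
    """
    prof = profiles.get(user)
    if prof is None:
        return ["no history for user"]
    reasons = []
    z = prof.hour_zscore(hour)
    if z > z_threshold:
        reasons.append(f"unusual hour {hour:02d}:00 (z={z:.1f})")
    if site not in prof.sites:
        reasons.append(f"unfamiliar site {site}")
    return reasons


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for login in [("alice", 10, "ws12.corp.example"),
                  ("alice", 3, "kiosk.foreign.example"),
                  ("carol", 10, "ws12.corp.example")]:
        print(login, "->", score_login(profiles, *login) or "normal")
```

Note the usual anomaly-detection weaknesses the following slides list: the alert only says "unusual hour" or "unfamiliar site", not what the attacker did, and hour-of-day is treated as a plain number here, so a user who works around midnight would need a circular measure to avoid spurious alerts.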
-
Anomaly Detection: Pro
If it works it could conceivably catch any possible attack
If it works it could conceivably catch attacks that we haven’t seen before
  Or close variants to previously-known attacks
Best of all it won’t require constantly keeping up on hacking technique
-
Anomaly Detection: Con
Current implementations don’t work very well
  Too many false positives/negatives
Cannot categorize attacks very well
  “Something looks abnormal”
  Requires expertise to figure out what triggered the alert
  Ex: Neural nets can’t say why they trigger
-
Anomaly Detection: Examples
Most of the research is in anomaly detection
  Because it’s a harder problem
  Because it’s a more interesting problem
There are many examples, these are just a few
  Most are at the proof of concept stage
-
Anomaly Detection (cont)
IDES/NIDES
  Real-time IDS using statistical anomaly detection combined with rule-based misuse detection
  Relies on system’s audit records for input
  Rule base is limited
  ftp://ftp.csl.sri.com/pub/nides/index1.html
GrIDS
  Graph-based
  Models network activity based on analysis of graph matching
  Includes a policy language for translating organizational policies into analysis rulesets
  http://seclab.cs.ucdavis.edu
-
Misuse Detection
Goals:
  Know what constitutes an attack
  Detect it
-
Misuse Detection (cont)
Typical misuse detection approaches:
  “Network grep” - look for strings in network connections which might indicate an attack in progress
  Pattern matching - encode series of states that are passed through during the course of an attack
    e.g.: “change ownership of /etc/passwd” -> “open /etc/passwd for write” -> alert
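The pattern-matching approach from this slide, as an added example that is not code from the tutorial: the sequence "change ownership of /etc/passwd" then "open /etc/passwd for write" is encoded as an ordered list of predicates, and a small state machine advances through them per subject. The audit records are constructed dicts; real audit trails carry the same information under other field names.

```python
"""Pattern-matching misuse detector: a state machine over audit records.

Added example, not from the original tutorial.  A signature is an
ordered list of predicates; each subject (here keyed by uid) has its own
position in the signature, so interleaved events from other users
neither advance nor reset a match in progress.
"""

# Constructed audit trail: one dict per event, in time order.
AUDIT_TRAIL = [
    {"ts": 1, "uid": 1001, "op": "open",  "path": "/etc/passwd", "mode": "r"},
    {"ts": 2, "uid": 1001, "op": "chown", "path": "/etc/passwd", "mode": ""},
    {"ts": 3, "uid": 1001, "op": "open",  "path": "/etc/passwd", "mode": "w"},
    {"ts": 4, "uid": 0,    "op": "open",  "path": "/etc/passwd", "mode": "w"},
    {"ts": 5, "uid": 1002, "op": "open",  "path": "/etc/passwd", "mode": "w"},
]

# The slide's signature: chown /etc/passwd, then open /etc/passwd for write.
PASSWD_TAMPER = [
    lambda e: e["op"] == "chown" and e["path"] == "/etc/passwd",
    lambda e: e["op"] == "open" and e["path"] == "/etc/passwd" and e["mode"] == "w",
]


def match_signature(events, signature, subject_key="uid"):
    """Run the signature state machine and return (subject, ts) alerts.

    The alert's timestamp is that of the event completing the sequence.
    After an alert the subject's state is reset so a repeat is reported
    again rather than silently absorbed.
    """
    state = {}      # subject -> index of the next predicate to satisfy
    alerts = []
    for e in events:
        subj = e[subject_key]
        idx = state.get(subj, 0)
        if signature[idx](e):
            idx += 1
            if idx == len(signature):
                alerts.append((subj, e["ts"]))
                idx = 0
        state[subj] = idx
    return alerts


if __name__ == "__main__":
    for subj, ts in match_signature(AUDIT_TRAIL, PASSWD_TAMPER):
        print(f"ALERT: uid {subj} completed passwd-tamper sequence at ts={ts}")
```

Only uid 1001 completes the sequence; root's routine write and uid 1002's write without a preceding chown do not match. That is the property the later slides describe as both the strength (few false positives, easy to understand) and the weakness (anything not encoded is missed) of misuse detection.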
-
Misuse Detection: Pro
Easy to implement
  State machine
  Signatures
  Storage
  Report generator
  Managers and agents
Easy to deploy
  Up quickly
  No need to get “History”
-
Misuse Detection: Pro (cont)
Easy to update
  Push signatures
Easy to understand
  “Blinking” Lights
Low false positives
Fast
-
Misuse Detection: Con
Cannot detect something previously unknown
  Reactive by nature
Constantly needs to be updated with new rules
  Always behind the curve
Easier to fool
  E.g., URL encoding
-
Misuse Detection (cont)
A number of commercial misuse detection products are on the market
  ISS RealSecure/BlackICE
  Axent/Symantec Intruder Alert
  Cisco NetRanger
  NFR Network Flight Recorder
Deployment model is to feed rulesets to customer as subscription service
-
Misuse Detection (cont)
Things misuse detection looks for:*
  IP Frag attack
  Ping flooding
  Source routing
  Ping of death
  ISS Scan check
  SATAN scan check
  Rwhod check
  Rlogin decode
  Rlogin -froot
  TFTP get passwd check
  IMAP buffer smash
  SMTP WIZ check
  … etc.
* (From ISS RealSecure)
-
Misuse Detection (cont)
Misuse detection systems are similar to virus scanning systems:
  Both rely on meta-rules of vulnerabilities
  Both need frequent rules updates
  Both are easily fooled by slight mutations in virus/attack signature
  Both are fairly low in generating false positives
Moving to dumber systems with broader knowledge bases
-
Burglar Alarms
A burglar alarm is a misuse detection system that is carefully targeted
  You may not care about people port-scanning your firewall from the outside
  You may care profoundly about people port-scanning your mainframe from the inside
Set up a misuse detector to watch for misuses violating site policy
Booby-traps are an option with this as well
  Put sensors where likely intrusion may occur
-
Burglar Alarms (cont)
Goals:
  Based on site policy alert administrator to policy violations
  Detect events that may not be “security” events which may indicate a policy violation
    New routers: New MAC address providing routing?
    New subnets: Ones that you haven’t seen?
    New web servers: Port 80?
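The three policy checks on this slide, as an added example (not code from the tutorial): a site baseline of known subnets, known router MAC addresses and known web servers is the policy, and passively observed flow records are compared against it. A MAC that sources traffic for more than one IP is treated as "providing routing", a source address outside the known subnets is a new subnet, and a host answering from port 80 that is not on the list is a new web server. The baseline and flow records are constructed.

```python
"""Policy-based burglar alarm over passively observed flow records.

Added example, not from the original tutorial.  Anything outside the
site baseline (known subnets, router MACs, web servers) raises an alarm;
nothing here is an attack signature, it is purely "this is new here".
"""
import ipaddress
from collections import defaultdict

# Constructed site baseline: what we expect to see on this network.
KNOWN_SUBNETS = [ipaddress.ip_network("10.1.0.0/24"),
                 ipaddress.ip_network("10.2.0.0/24")]
KNOWN_ROUTER_MACS = {"00:00:0c:aa:bb:01"}
KNOWN_WEB_SERVERS = {"10.2.0.80"}

# Constructed flow records: (src_mac, src_ip, src_port, dst_ip, dst_port)
FLOWS = [
    ("00:00:0c:aa:bb:01", "192.0.2.7", 52000, "10.1.0.10", 443),    # arrives via known router
    ("00:00:0c:aa:bb:01", "198.51.100.3", 52001, "10.1.0.10", 443),
    ("00:11:22:33:44:55", "10.1.0.20", 40000, "10.2.0.80", 80),     # desktop to known web server
    ("00:11:22:33:44:55", "10.1.0.20", 40001, "10.2.0.80", 80),
    ("de:ad:be:ef:00:01", "10.9.0.5", 40100, "10.1.0.10", 22),      # unknown subnet
    ("de:ad:be:ef:00:01", "10.9.0.6", 40101, "10.1.0.10", 22),      # same MAC, second IP: routing?
    ("00:11:22:33:44:66", "10.1.0.33", 80, "10.1.0.20", 41000),     # something answering on port 80
]


def burglar_alarm(flows, known_subnets=KNOWN_SUBNETS,
                  known_router_macs=KNOWN_ROUTER_MACS,
                  known_web_servers=KNOWN_WEB_SERVERS):
    """Return sorted, de-duplicated alarm strings for anything outside the baseline."""
    alarms = set()
    ips_per_mac = defaultdict(set)
    for mac, sip, sport, dip, dport in flows:
        ips_per_mac[mac].add(sip)
        addr = ipaddress.ip_address(sip)
        # New subnet: a source we do not know, not arriving through a known router.
        if not any(addr in net for net in known_subnets) and mac not in known_router_macs:
            subnet = ipaddress.ip_network(f"{sip}/24", strict=False)
            alarms.add(f"new subnet: {subnet} seen behind {mac}")
        # New web server: a host answering from port 80 that policy does not list.
        if sport == 80 and sip not in known_web_servers:
            alarms.add(f"new web server: {sip} answering on port 80")
    # New router: one MAC sourcing frames for several IP addresses.
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1 and mac not in known_router_macs:
            alarms.add(f"new router: {mac} sources {len(ips)} different IPs")
    return sorted(alarms)


if __name__ == "__main__":
    for alarm in burglar_alarm(FLOWS):
        print("ALARM:", alarm)
```

The first four flows match the baseline and produce nothing; the rest produce exactly three alarms. As the "Con" slide for burglar alarms warns, this only works on a stable network: every legitimate change to the baseline has to be recorded before it stops being an alarm.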
-
Burglar Alarms (cont)
Trivial burglar alarms can be built with tcpdump and perl
Netlog and NFR are useful event recorders which may be used to trigger alarms
  http://www.nswc.navy.mil/ISSEC/Docs/loggingproject.html
  ftp://coast.cs.purdue.edu/pub/tools/unix/netlog/
  http://www.nfr.net/download
-
Burglar Alarms (cont)
The ideal burglar alarm will be situated so that it fires when an attacker performs an action that they normally would try once they have successfully broken in
  Adding a userid
  Zapping a log file
  Making a program setuid root
-
Burglar Alarms (cont)
Burglar alarms are a big win for the network manager:
  Leverage local knowledge of the local network layout
  Leverage knowledge of commonly used hacker tricks
  Are site/architecture dependent
You have to make the alarms specific to what you see as a threat at your site
-
Burglar Alarms: Pro
Reliable
Predictable
Easy to implement
Easy to understand
Generate next to no false positives
Can (sometimes) detect previously unknown attacks
-
Burglar Alarms: Con
Policy-directed
Requires knowledge about your network
Requires a certain amount of stability within your network
  If not, you will be getting a lot of them
Requires care not to trigger them yourself
-
Honey Pots
A honey pot is a system that is deliberately named and configured so as to invite attack
  swift-terminal.bigbank.com
  www-transact.site.com
  source-r-us.company.com
  admincenter.noc.company.net
-
Honey Pots (cont)
Goals:
  Make it look inviting
  Make it look weak and easy to crack
    Microsoft IIS 4.0 ☺
  Instrument every piece of the system
  Monitor all traffic going in or out
  Alert administrator whenever someone accesses the system
-
Honey Pots (cont)
Trivial honey pots can be built using tools like:
  tcpwrapper
  Burglar alarm tools (see “burglar alarms”)
  restricted/logging shells (sudo, adminshell)
  C2 security features (ugh!)
See Cheswick’s paper “An Evening with Berferd” for examples
http://project.honeynet.org
-
Honey Pots: Pro
Easy to implement
  Do you make them equal in security to your regular systems? Or lower?
Easy to understand
Reliable
No performance cost
-
Honey Pots: Con
Assumes the hackers you really care about are really stupid
  They aren’t
Your Time
Entrapment issues: Ask your lawyer
-
Section Contents
General
IDS Models
IDS Data Sources
Types of IDS
Technical Caveats
-
Other IDS Issues
Other things affecting speed and detection ability
  TCP fragment re-assembly
  TCP packet re-ordering
  TCP state/sequence tracking
    FIN, ACK, SYN, SYN/ACK, RST
  Analyzing only selected sessions
Need to understand deliberate avoidance
-
Fragment Re-assembly and Re-ordering
Re-assembly
  Takes significant CPU time as well as memory to buffer packets
Re-ordering
  Takes significant CPU time as well as memory to buffer packets
  IDS can be impacted by unintentional or deliberate packet drops since it tries to buffer out-of-sequence packets
  How does IDS handle re-ordering?
    Does it just flag out-of-sequence packets or does it ???
-
TCP State Tracking & Session Analyzing
TCP State Tracking
  Have to have large tables to maintain all TCP session state data
  How many states can you handle?
  Are you sure you have the right context?
    FIN, ACK, SYN, SYN/ACK, RST
Analyzing Selected Sessions
  Have to have the ability to select the sessions
  This has similar problems to the TCP state tracking
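To make the re-ordering and buffering questions of the last two slides concrete, here is an added example (not code from the tutorial) of a toy one-direction TCP stream reassembler. Out-of-sequence data is held until the hole before it is filled, the held bytes are capped by a budget, and when a segment never arrives and the budget is spent the reassembler has to choose: here it records the gap and resynchronises at the next buffered byte, so the analyst at least knows the stream it is matching against is incomplete. Segments and sequence numbers are constructed.

```python
"""Toy TCP stream reassembler showing the cost of re-ordering for an IDS.

Added example, not from the original tutorial.  One direction of a TCP
session is rebuilt from (seq, payload) segments that may arrive out of
order or be retransmitted.  Held bytes are capped; when a hole is never
filled and the cap is exceeded, the hole is recorded and skipped.
"""


class StreamReassembler:
    def __init__(self, initial_seq, max_buffered=64):
        self.next_seq = initial_seq     # next byte the analyzer expects
        self.pending = {}               # seq -> payload waiting for a hole to fill
        self.max_buffered = max_buffered
        self.delivered = bytearray()    # contiguous bytes handed to the analyzer
        self.events = []                # notes for the analyst: out_of_order, gap

    def _buffered_bytes(self):
        return sum(len(p) for p in self.pending.values())

    def _drain(self):
        # hand over everything now contiguous with next_seq
        while self.next_seq in self.pending:
            payload = self.pending.pop(self.next_seq)
            self.delivered += payload
            self.next_seq += len(payload)

    def feed(self, seq, payload):
        if seq + len(payload) <= self.next_seq:
            return                        # pure retransmission: already delivered
        if seq < self.next_seq:           # partial overlap: keep only the new tail
            payload = payload[self.next_seq - seq:]
            seq = self.next_seq
        if seq > self.next_seq:
            self.events.append(f"out_of_order seq={seq} expected={self.next_seq}")
        self.pending[seq] = payload       # toy: a later segment at the same seq replaces the earlier one
        self._drain()
        if self._buffered_bytes() > self.max_buffered:
            # budget exhausted while a hole remains: give up on the hole
            lowest = min(self.pending)
            self.events.append(f"gap {self.next_seq}-{lowest} skipped")
            self.next_seq = lowest
            self._drain()


def demo_in_order_and_reordered():
    """Reordered delivery must yield the same bytes as in-order delivery."""
    segs = [(1000, b"GET /"), (1005, b"index.ht"), (1013, b"ml HTTP/1.0\r\n")]
    in_order = StreamReassembler(1000)
    for s in segs:
        in_order.feed(*s)
    reordered = StreamReassembler(1000)
    for s in reversed(segs):
        reordered.feed(*s)
    return bytes(in_order.delivered), bytes(reordered.delivered), reordered.events


def demo_lost_segment():
    """A hole that is never filled forces a gap once the byte budget is spent."""
    r = StreamReassembler(1000, max_buffered=16)
    r.feed(1000, b"GET /")
    # the segment covering 1005..1012 never arrives
    r.feed(1013, b"ml HTTP/1.0\r\n")    # 13 bytes held
    r.feed(1026, b"Host: x\r\n")        # 9 more: 22 > 16, give up on the hole
    return bytes(r.delivered), r.events


if __name__ == "__main__":
    a, b, ev = demo_in_order_and_reordered()
    print(a == b, ev)
    print(*demo_lost_segment())
```

The second demo is the slide's "does it just flag out-of-sequence packets or does it ???" question in miniature: the request string a signature would look for ("index.html") never appears in the delivered bytes because the hole was skipped, so a reassembler that cannot afford to wait has to tell the analyst that it gave up.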
-
Where are we?
High level theory
Deployment examples
Integrating Data Sources
Benchmarks and Performance
Choosing a System
Eluding IDS
Forensics and Response
Ethics, Policies, Legalities
Conclusions
-
Section Contents
VPN
Corporate network
E-Commerce site (n-tiered)
Other Issues
  Firewalls
  Switches
-
IDS and VPNs
VPN (Virtual Private Networks) encrypt traffic
  Host based IDS is probably best
  Network-oriented IDS’ cannot (presumably!) monitor/analyze it correctly
    Actually: no - when a VPN fails to sync because the attacker has an invalid key, the IDS can pull the sync failure from the stream
Many VPN packages provide good logging
  A sync failure may mean an attack attempt
-
A Visual
[Diagram labels: VPN Client - HIDS, VPN Server - HIDS, IDS Collector, IDS Logs, Corporate network]
-
Utilize All forms of log sources
HIDS on critical systems
  Application logs and specific IDS modules
NIDS for each network
Native systems logs
  Syslog
  Perl or Python to get others
Need to integrate some end node info
  Where do your Virus scanners log?
Log to a central server
  Netcool, from MicroMUSE
  PrivateI from www.opensystems.com
  ManHunt from Recourse Technologies, for example
-
A Visual
[Diagram labels: Supporting Services, Critical Servers, IDS Collector, Internet, NIDS, Monitor Station, Desktop]
-
E-Commerce site (n-tiered)
Much the same as the previous one
Log to a central server
  FW rules need to be in place to allow this
  Corporate FW logs internally, not to production IDS
Web Servers and Firewalls are logical candidates
  For SSL you have the Web server or an SSL appliance
  Use network-based IDS to profile scans and sweeps against web servers
-
A Visual
[Diagram labels: Internet, FW, Web Servers, App Server, DB, Supporting Services, Corporate, IDS Collector (x2), NIDS (x4)]
-
Other Issues/Thoughts
Networks are increasingly moving toward switched architectures
  It is difficult for a network-oriented IDS to tap all traffic moving through a switch
    Swamp the IDS
    Swamp the switch
  Solutions are not yet forthcoming
  Best approach to date is to plug a hub in front of critical systems to be watched
  Shomiti taps for high speed full duplex connections – need two interfaces on IDS – one for each side of the full duplex conversation
-
Other Issues/Thoughts, cont.
Put a connection based load balancer in front of an array of IDS machines
Use Cisco’s IDS blade that plugs into the switch backplane - some folks are using multiple blades in a 6xxx series chassis and just sending it all the VLANs they want to monitor.
-
Other Issues/Thoughts
Firewalls and IDS will eventually be combined into a single capability
  Many firewalls can trigger alerts when traffic to “bad destination” is seen
  Use this capability to build burglar alarms by overloading the firewall rulesets
-
IDS Firewall Alarm
[Diagram labels: Internet, Router w/some screening, Firewall, DMZ Network, Hacked Web Server, Internal Network, Desktop]
Firewall trips an alert: why would the web server try to telnet in!?!?!
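The "overloaded firewall ruleset" alarm of the previous slide and the scenario in this diagram, as an added example that is not code from the tutorial: a deny-and-log rule for DMZ-to-internal traffic produces firewall log lines, and the code below parses such lines and turns any DMZ host opening a connection inward (other than the explicitly permitted ones) into an alarm, whether or not the firewall passed the packet. The log format, addresses and zone definitions are constructed, loosely in the style of a netfilter kernel log.

```python
"""Firewall-as-burglar-alarm: flag DMZ hosts that initiate connections inward.

Added example, not from the original tutorial.  The policy is "the DMZ
never opens connections into the internal network, except to the log
collector"; a web server trying to telnet in is therefore an alarm even
though the firewall already dropped it.
"""
import ipaddress
import re

# Constructed zones and the one inward connection the DMZ is allowed to make.
DMZ = ipaddress.ip_network("10.1.0.0/24")
INTERNAL = ipaddress.ip_network("10.2.0.0/24")
ALLOWED_INWARD = {("10.2.0.5", 514)}   # syslog to the internal log collector

FIELD = re.compile(r"(\w+)=(\S*)")
HEADER = re.compile(r"(\w{3}\s+\d+ [\d:]+) \S+ kernel: (\w+) (.*)")

# Constructed firewall log: the third line is the hacked web server telnetting in.
SAMPLE_FW_LOG = """\
Jun  1 14:02:11 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.1.0.10 PROTO=TCP SPT=51022 DPT=80 SYN
Jun  1 14:02:12 fw kernel: ACCEPT IN=eth1 OUT=eth2 SRC=10.1.0.10 DST=10.2.0.5 PROTO=UDP SPT=40000 DPT=514
Jun  1 14:05:40 fw kernel: DROP IN=eth1 OUT=eth2 SRC=10.1.0.10 DST=10.2.0.40 PROTO=TCP SPT=33456 DPT=23 SYN
Jun  1 14:05:41 fw kernel: ACCEPT IN=eth2 OUT=eth1 SRC=10.2.0.40 DST=10.1.0.10 PROTO=TCP SPT=45000 DPT=80 SYN
"""


def parse_fw_line(line):
    """Return a dict of KEY=VALUE fields plus 'time' and 'action', or None."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = dict(FIELD.findall(m.group(3)))
    rec["time"] = m.group(1)
    rec["action"] = m.group(2)
    return rec


def dmz_inward_alarms(lines):
    """Alarm on any DMZ source connecting to an internal host not on the allowed list."""
    alarms = []
    for line in lines:
        rec = parse_fw_line(line)
        if not rec or "SRC" not in rec or "DST" not in rec:
            continue
        src = ipaddress.ip_address(rec["SRC"])
        dst = ipaddress.ip_address(rec["DST"])
        dport = int(rec.get("DPT", 0))
        if src in DMZ and dst in INTERNAL and (rec["DST"], dport) not in ALLOWED_INWARD:
            alarms.append(f"{rec['time']} {rec['action']}: DMZ host {src} "
                          f"-> internal {dst}:{dport} ({rec.get('PROTO')})")
    return alarms


if __name__ == "__main__":
    for alarm in dmz_inward_alarms(SAMPLE_FW_LOG.splitlines()):
        print("ALARM:", alarm)
```

The inbound web hit, the permitted syslog flow and the internal desktop browsing the web server all pass silently; only the web server's attempt to reach port 23 on an internal host is reported, which is the red-alert condition the diagram describes.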
-
Where are we?
High level theory
Deployment examples
Integrating Data Sources
Benchmarks and Performance
Choosing a System
Eluding IDS
Forensics and Response
Ethics, Policies, Legalities
Conclusions
-
Section Contents
Goals of Integrating Data Sources
Commercial Integrated Systems
What Goes Into Integrating Data?
Misuse Information and Classification
-
8/16/2019 Se Ids Secsymp01
103/241
V 1.0 Copyright SystemExperts 2001,2002,2003
Turn sensor events into intrusionsTurn intrusions into reports and alarms
Integration = Sales
Integration is the chief value-add of
-
8/16/2019 Se Ids Secsymp01
104/241
V 1.0 Copyright SystemExperts 2001,2002,2003
Integration is the chief value add ofestablished IDS products – and how they got
that way
Commercial Integrated Systems
In the past closed or proprietary systems
-
8/16/2019 Se Ids Secsymp01
105/241
V 1.0 Copyright SystemExperts 2001,2002,2003
In the past, closed or proprietary systemsvendor might not keep up with state of the artvendor might be strong in one area and weak inanother can’t add your own sensors to compensate forvendor’s weaknessthat won’t do in today’s environment
New players in this spaceOpen and extensibleStill can’t get the whole job done off the shelf
What goes into integrating data?
Let’s look at how it is done
Either by a vendor or by you
Looking at the pieces helps you understand the challenges and the strengths and weaknesses of a particular approach
Things you need
Data Sources
Analysis and Reporting
Long Term Storage

Data Sources
HIDS
NIDS
Firewall logs
Router logs
ACL matches
Reconfiguration events
Authentication events
More Data Sources
Host OS logs
syslog, lastcomm, lastlog
authentication events
audit records
Application logs
Web server
Oracle or other database
LDAP server
RADIUS server
Virus scanner output
In-kernel packet filter logs
VPN gateway appliance logs
About those data sources
Each one has a different output format
“normalize” output of each source to common format
Special software adapter for each class of data source – can be perl script
Gives tremendous power to correlate and query
Not everyone does this

Normalizing events
Widely varying levels of abstraction
“Got this funny packet” – router ACL
“Phf attack in progress” – NIDS or Application IDS
“Login failed on router” – RADIUS server
Notion of “subject” and “object” to provide generalization beyond packets
Uniform representation for source and destination
Uniform time format
Make sure clocks are synched – use NTP
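One concrete way to build the per-source adapters and the common subject/object/event/time schema described on these two slides, as an added example (not code from the tutorial or from any product it mentions): three constructed records, one each in a router ACL, NIDS and RADIUS dialect, are mapped onto one record shape, after which correlation by originating host is trivial. The log formats, the YEAR constant and the assumption that sensors are NTP-synced and log in UTC are the example's own.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records in three sensor dialects (not taken from the tutorial).
SAMPLE_RECORDS = [
    ("router", "Mar 15 02:37:55 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp "
               "10.9.8.7(4321) -> 192.0.2.10(111), 1 packet"),
    ("nids",   "03/15-02:37:56.123456 [**] WEB-CGI phf access [**] "
               "10.9.8.7:3344 -> 192.0.2.20:80"),
    ("radius", "Mar 15 02:38:01 radius1 radiusd: Login incorrect: [admin] "
               "(from client rtr1 port 2)"),
]

YEAR = 2001  # assumption: syslog-style stamps carry no year, so the adapter supplies one

# One adapter regex per source class; a real deployment carries one per product.
ROUTER_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) \S+ list (\S+) (denied|permitted) (\w+) "
    r"(\S+)\((\d+)\) -> (\S+)\((\d+)\)")
NIDS_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+ \[\*\*\] (.+?) \[\*\*\] "
    r"(\S+):(\d+) -> (\S+):(\d+)")
RADIUS_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) radiusd: Login incorrect: \[(\S+)\] "
    r"\(from client (\S+) port (\d+)\)")


def _syslog_time(stamp):
    """'Mar 15 02:37:55' -> ISO-8601 UTC; assumes NTP-synced sensors logging in UTC."""
    dt = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).isoformat()


def _event(time, sensor, subject, obj, event, source):
    """The common record: who (subject) did what (event) to whom (object), and when."""
    return {"time": time, "sensor": sensor, "subject": subject,
            "object": obj, "event": event, "source": source}


def normalize(source, line):
    """Run the adapter for one source class; None means the line is not in that dialect."""
    if source == "router":
        m = ROUTER_RE.match(line)
        if m:
            ts, sensor, acl, action, proto, src, sport, dst, dport = m.groups()
            return _event(_syslog_time(ts), sensor, f"{src}:{sport}", f"{dst}:{dport}",
                          f"acl {acl} {action} {proto}", source)
    elif source == "nids":
        m = NIDS_RE.match(line)
        if m:
            mon, day, hh, mm, ss, sig, src, sport, dst, dport = m.groups()
            t = datetime(YEAR, int(mon), int(day), int(hh), int(mm), int(ss),
                         tzinfo=timezone.utc).isoformat()
            return _event(t, "nids", f"{src}:{sport}", f"{dst}:{dport}", sig, source)
    elif source == "radius":
        m = RADIUS_RE.match(line)
        if m:
            ts, sensor, user, client, port = m.groups()
            return _event(_syslog_time(ts), sensor, f"user:{user}",
                          f"{client}:port{port}", "login failed", source)
    return None


def normalize_all(records):
    """Adapt every (source, line) pair; unparsed lines are dropped here, count them in practice."""
    return [e for e in (normalize(s, ln) for s, ln in records) if e]


def events_per_subject_host(events):
    """With subjects in one form, cross-sensor correlation is a one-liner: events per origin host."""
    return Counter(e["subject"].split(":")[0] for e in events)


if __name__ == "__main__":
    events = normalize_all(SAMPLE_RECORDS)
    for ev in events:
        print(ev)
    print(events_per_subject_host(events))
```

The router ACL hit and the NIDS phf alert come from different sensors with different syntax, but once both carry the subject 10.9.8.7 the count per host ties them together; the RADIUS failure keeps a non-network subject (the account) in the same schema.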
More things you need
Data analysis and reporting
Artificial Ignorance
Correlation tools
Counting/thresholding software

Artificial Ignorance
Log processing technique of determining step-wise what to ignore
Everything not uninteresting must be interesting
Set up log scanning filters to delete uninteresting records
Bring everything else to the system admin’s attention

Artificial Ignorance (continued)
Use grep -v -f to filter log messages against a pattern list of uninteresting stuff
Iteratively build the list using several weeks/months’ logs
Tune as necessary
Output is periodic report – hourly, daily, weekly
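The grep -v -f loop above, as an added example in Python rather than a shell pipeline (this is not code from the tutorial): an ignore list in the same one-pattern-per-line shape a grep pattern file would have is applied to a constructed syslog extract, and the step the slide calls "iteratively build the list" is shown too: the survivors are masked and counted so the recurring ones can be reviewed and, if really uninteresting, added to the next version of the list. The log lines, host names and patterns are constructed; the patterns are Python regular expressions, as they would be for grep -E.

```python
import re
from collections import Counter

# Constructed syslog extract (not from the tutorial); the first 16 columns are "Mon DD HH:MM:SS ".
SAMPLE_LOG = """\
Mar 15 02:01:02 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Mar 15 02:05:00 host1 cron[1300]: (root) CMD (/usr/lib/sa/sa1 1 1)
Mar 15 02:10:00 host1 cron[1321]: (root) CMD (/usr/lib/sa/sa1 1 1)
Mar 15 02:11:17 host1 sshd[1402]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar 15 02:11:19 host1 sshd[1402]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar 15 02:11:22 host1 sshd[1402]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar 15 02:15:03 host1 sshd[1450]: Accepted publickey for bob from 192.0.2.11 port 51300 ssh2
Mar 15 02:20:41 host1 su[1500]: + pts/3 alice:root
"""

# The "uninteresting" pattern file: one regex per line, what grep -v -f consumes.
IGNORE_LIST = r"""
# routine key-based logins from the admin subnet
sshd\[\d+\]: Accepted publickey for \w+ from 192\.0\.2\.\d+ port \d+ ssh2$
# sysstat collector fired by cron
cron\[\d+\]: \(root\) CMD \(/usr/lib/sa/sa1 1 1\)$
"""


def load_ignore_list(text):
    """Compile the pattern file, skipping blank lines and # comments."""
    return [re.compile(p) for p in text.splitlines()
            if p.strip() and not p.lstrip().startswith("#")]


def artificial_ignorance(lines, ignore):
    """grep -v -f semantics: a line survives only if no ignore pattern matches it."""
    return [ln for ln in lines if not any(r.search(ln) for r in ignore)]


def suggest_patterns(lines, min_count=2, prefix_len=16):
    """Generalize survivors (drop the timestamp, mask numbers) and count them.
    Whatever recurs is a candidate for the next iteration of the ignore list;
    review each candidate by hand before adding it, since 'frequent' is not 'harmless'."""
    counts = Counter()
    for ln in lines:
        body = re.escape(ln[prefix_len:])            # assumption: fixed-width syslog timestamp
        counts[re.sub(r"\d+", r"\\d+", body)] += 1   # 1402 -> \d+, 203.0.113.5 -> \d+\.\d+...
    return [(pat, n) for pat, n in counts.most_common() if n >= min_count]


def run_report(log_text=SAMPLE_LOG, ignore_text=IGNORE_LIST):
    """One pass of the periodic report: what is left, and what might be filtered next time."""
    survivors = artificial_ignorance(log_text.splitlines(), load_ignore_list(ignore_text))
    return survivors, suggest_patterns(survivors)


if __name__ == "__main__":
    survivors, suggestions = run_report()
    print("\n".join(survivors))
    for pat, n in suggestions:
        print(f"{n:4d}  {pat}")
```

On this input the report leaves the three failed root logins and the su to root, and proposes one masked pattern (the failed-password line, seen three times); a careless operator could add that to the ignore list and silence exactly the records the slide says should reach the admin, which is why the suggestion step only proposes.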
Artificial Ignorance (continued)
Logcheck
http://www.psionic.com/logcheck.html
Monitors syslog files and applies search lists of violations to look for as well as strings to ignore
Includes a pretty good set of log filters as a baseline

Artificial Ignorance (continued)
Logsurfer
http://www.cert.dfn.de/eng/logsurf/home.html
provides close-to-real-time notification
matches regexp patterns across multiple lines, with timeouts
can invoke external programs
nasty config language - but worth it
can only read one file at a time

Artificial Ignorance (finished)
You can see that this log processing is hard work, and takes a long time to get right
The good news is that commercial products are starting to enter this space, both as software products and as services
The bad news is that no product does the whole job yet

Correlation tools
Effective correlation is the hardest part
No freeware tool does as good a job as a trained analyst
Trained analysts aren’t freeware, either
Excel is your friend
So are gnuplot and other similar tools

Long Term Storage
Flat files run out of steam for busy sites
But you might want to keep raw data for forensic purposes
RAID
Write-once media
Encrypt to protect confidentiality
Digital signature to ensure integrity
Databases are popular
Easy to query
Transaction oriented
A Visual
[Diagram: Log Data (SNMP, Syslog, SQL, NT Syslog, Other) -> Processing Scripts -> Reports]
Misuse Information and Classification
What do you call a vulnerability or attack?
Public dictionaries of attack and vulnerability information now exist
Snort database also serves as input to NIDS!
CERT
CVE

CVE: Common Vulnerabilities and Exposures
Common Vulnerabilities and Exposures (CVE) is:
list of standardized names for vulnerabilities and exposures — CVE standardizes names, not detailed technical descriptions
dictionary, NOT database
community-wide effort
freely available
http://cve.mitre.org

How is CVE used?
CVE Compatible
tool uses CVE names such that it can cross-link with other repositories that use CVE names
user can search using CVE name to find related information
tool’s output includes the related CVE name(s)
tool maps to a specific version of CVE, good faith effort to ensure accuracy of mapping

Sample CVE Entry
CVE-2000-0217
default configuration of SSH allows X forwarding, which could allow a remote attacker to control a client's X sessions via a malicious xauth program.
References
BUGTRAQ:20000224 SSH & xauth
BID:1006
IDS: Performance
Network-based IDS (current tests) don’t fare well in high speed networks (but the definition of high speed is changing)
Many silently drop packets at over 30mb/s
Tcpdump on many systems does too(!)
Only way to tell is hardware packet counts versus what IDS claims to see
Be careful to check performance of any IDS you plan to install

Building: Performance
If you are trying to build your own sniffer:
At speeds above 20Mb/sec you will begin to lose packets on most versions of UNIX
If you want to go above 30Mb/sec you will need to modify the kernel
If you want to go above 50Mb/sec you will need to write your own device drivers

Building: Performance (cont)
Techniques for going faster
New algorithms
Change what you look for
flows
Faster Hardware
Multiprocessing
Dividing up the data stream
Load balancer
IDS in hardware

IDS Benchmarking
How hard can it be?
Very!
Lots of ways to get it wrong
Accidentally
Deliberately
Not doing it wrong does not mean you did it right
Analyzing Selected Sessions
IDS can “optimize” performance by only reassembling or tracking TCP sessions related to known signatures
IDS might have extremely good performance against random traffic but poor performance against (e.g.) Web traffic
Tradeoff is coverage versus performance; vendors do not usually document this
Naïve Simulation Network
[Diagram: an Attack Generator sends an Attack Stream across the Test Network to a Target Host; a NIDS listens on the Test Network]

What’s Wrong?
The Naïve test network permits traffic that is not likely to be seen in a “real world” deployment - e.g.: ARP cache poisoning (you see a lot of this on DEFCON CTF networks)
The presence of a router would “smooth” spikes somewhat and actually achieve higher sustained loads

Naïve Simulation Network #2
[Diagram: Test Network #1 (Attack Generator, Smartbits Load Generator) -> Router w/some screening -> Test Network #2 (Attack Stream to Target Host; NIDS)]

What’s Wrong?
SmartBits style traffic generators do not generate “real” TCP traffic
This penalizes IDS that actually look at streams and try to reassemble them (which are desirable properties of a good IDS)

Skunking a Benchmark
[Diagram: Attack Generator and Smartbits Load Generator send an Attack Stream across the Test Network to three Target Hosts, each w/Host-Net IDS]

What’s Wrong?
Packet style counts are not relevant to host-network IDS

Skunking a Benchmark: #2
[Diagram: Attack Generator and Smartbits Load Generator send an Attack Stream across the Test Network to a Target Host; NIDS with selective detection turned on]

What’s Wrong?
IDS with selective detection can be configured to only look at traffic aimed to local subnet
SmartBits style generators’ random traffic largely gets seen and discarded

Effective Simulation Network
[Diagram: recorded attack and normal traffic on hard disk; replayed packets dumped back onto the Test Network; NIDS listens on the Test Network]
What’s Wrong?
Nothing:
Predictable baseline
Can verify traffic rate with simple math
Can scale load arbitrarily (use multiple machines each with different capture data)
Traffic is real including “real” data contents
NIDS cannot be configured to watch a specific machine (there are no targets)

Tools to Use
Fragrouter - generates fragmented packets
Whisker - generates out-of-sequence packets
Pcap-pace - replays packets from a hard disk with original inter-packet timing
Choosing a System
What are we looking for?
What matters?
What differentiates?
Deal breakers!
One step at a time

What are we looking for?
Primary criterion: Ability to detect an intrusion
Secondary are other issues
False positives: false alarms
False negatives: missed attacks
Performance impact: throughput delay or CPU usage

What Matters?
Scalability
How many systems now?
In 3-5 years?
Organizational Issues
Are you central or distributed control?
Support
Who will support it? (TCO)
Will the vendor be responsive to your needs?
Do you have the staff to maintain the signatures?

What Differentiates?
Data Source Flexibility
What and where can they pull the data from?
The more options, the better
Extensive Signatures
But make sure to compare apples to apples
Security
Data and transport

What Differentiates? (cont)
Flexible Alert Facility
How will the system let you know there is a problem?
Robust Reporting System
You need something that you can use to get the data in a format you require
Ease of Management
How it’s administered
How to push out updates and configs
A method to evaluate
Category                  Weight   IDS#2   IDS#3   IDS#4
Scalability                   50       4       2       5
Support                       40       4       1       1
Data Source Flexibility       25       3       3       3
Extensive Signatures          25       4       3       4
Security                      20       3       1       3
Flexible Alert Facility       15       5       3       3
Robust Reporting System       15       3       2       4
Ease of Administration        10       3       4       2
Total Score                 1000     745     425     650
(ratings are 1 to 5; a candidate’s total is the sum of weight times rating, so 1000 is the maximum possible)
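The weighting scheme in the matrix above, worked as an added example (not a tool from the tutorial): the weights and 1-to-5 ratings are transcribed from the table, each candidate's total is weight times rating summed over the categories, and, anticipating the next slide's deal breakers, any candidate with unacceptable ratings in two or more categories is ranked last whatever its total. The rule that a rating of 1 counts as unacceptable is this example's assumption.

```python
# Weights and 1-5 ratings transcribed from the evaluation matrix on the slide.
WEIGHTS = {
    "Scalability": 50, "Support": 40, "Data Source Flexibility": 25, "Extensive Signatures": 25,
    "Security": 20, "Flexible Alert Facility": 15, "Robust Reporting System": 15,
    "Ease of Administration": 10,
}
RATINGS = {
    "IDS#2": {"Scalability": 4, "Support": 4, "Data Source Flexibility": 3, "Extensive Signatures": 4,
              "Security": 3, "Flexible Alert Facility": 5, "Robust Reporting System": 3,
              "Ease of Administration": 3},
    "IDS#3": {"Scalability": 2, "Support": 1, "Data Source Flexibility": 3, "Extensive Signatures": 3,
              "Security": 1, "Flexible Alert Facility": 3, "Robust Reporting System": 2,
              "Ease of Administration": 4},
    "IDS#4": {"Scalability": 5, "Support": 1, "Data Source Flexibility": 3, "Extensive Signatures": 4,
              "Security": 3, "Flexible Alert Facility": 3, "Robust Reporting System": 4,
              "Ease of Administration": 2},
}
MAX_RATING = 5
UNACCEPTABLE = 1   # assumption: a rating of 1 is an "unacceptable evaluation" in that category


def weighted_score(ratings, weights=WEIGHTS):
    """Sum of weight x rating over every category; refuse incomplete or out-of-range score sheets."""
    missing = set(weights) - set(ratings)
    if missing:
        raise ValueError(f"unrated categories: {sorted(missing)}")
    for cat, r in ratings.items():
        if not 1 <= r <= MAX_RATING:
            raise ValueError(f"{cat}: rating {r} outside 1..{MAX_RATING}")
    return sum(weights[c] * ratings[c] for c in weights)


def max_score(weights=WEIGHTS):
    """Best possible total: top rating in every category."""
    return MAX_RATING * sum(weights.values())


def unacceptable_categories(ratings):
    return sorted(c for c, r in ratings.items() if r <= UNACCEPTABLE)


def evaluate(all_ratings=RATINGS, weights=WEIGHTS):
    """Rank by weighted score, but push any candidate with unacceptable ratings in two or
    more categories to the bottom regardless of its total (the 'deal breaker' rule)."""
    rows = []
    for name, ratings in all_ratings.items():
        bad = unacceptable_categories(ratings)
        rows.append({"name": name, "score": weighted_score(ratings, weights),
                     "unacceptable": bad, "deal_breaker": len(bad) >= 2})
    return sorted(rows, key=lambda r: (r["deal_breaker"], -r["score"]))


if __name__ == "__main__":
    print(f"maximum possible: {max_score()}")
    for row in evaluate():
        flag = "  DEAL BREAKER" if row["deal_breaker"] else ""
        print(f"{row['name']}: {row['score']}  low in {row['unacceptable'] or 'nothing'}{flag}")
```

The totals reproduce the slide (745, 425, 650 out of 1000). IDS#4 outscores IDS#3 comfortably but still carries a 1 in Support; a single weak category is a question for the vendor, while IDS#3's two (Support and Security) trip the deal-breaker rule.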
Deal Breakers!
Poor support history
Remember: “You never get treated better than when you are dating!”
2 tier systems
No or weak encryption
Unacceptable evaluation in multiple categories

One step at a time
How do you eat an Elephant? One bite at a time
Start with the following, in order of preference
Network ID at the firewall/perimeter networks
Host and Application ID on most critical externally accessible systems
Host and Application on critical internal servers
Network ID on critical internal networks
Host and Application on secondary internal servers
Network ID on internal networks
Host ID on desktop/user systems
Seminal Paper on Eluding IDSs
Paper by Ptacek and Newsham of Secure Networks, Inc.
Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection (1998)
Commercial and “free” systems analyzed
No one passed!
Issues to overcome
Insufficiency of Information on the Wire
Vulnerability to Denial of Service
Resource exhaustion: CPU, Memory, Disk, Bandwidth

Issues
Obscured data
Packet fragmentation and reassembly
Sequence
Overlapping Fragments
IP Options in Fragment Streams
TCP Transport Layer Problems
IDS State Transition
Bugs in IP stacks
Malformed Header Fields
Data Synchronization
Abusing Reactive ID Systems

Types of Attacks
Insertion
An IDS can accept a packet that an end-system rejects
Evasion
An end-system can accept a packet that an IDS rejects

Proximity matters
The farther away the IDS is from the source of the data the more vulnerable it is to spoofing
Network-oriented IDS will have trouble making sense of:
$ stty erase R
$ rxRoxRotkit
$ stty erase ^?
A logging shell would not be fooled

Signal to Noise
Flooding networks with data may also be used to mask an attack against an IDS
Of course, this is a dead giveaway!
Few systems are capable of doing packet capture at speeds greater than 20Mb/s
If all else fails, the attacker can try to crash the IDS itself (another dead giveaway!)
Packet fragmenting
Not all network based IDS do full TCP reassembly; they are vulnerable to attempts to manipulate TCP stream
Such attempts should be detected as unusual/noteworthy events in their own right (Usually networks do not fragment large packets into 40-byte fragments, etc)
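What "detected as unusual/noteworthy events in their own right" can look like on the sensor, as an added example (not code from the tutorial or from any IDS it names): a minimal IPv4 header parser and a fragment auditor that flags non-final fragments carrying less than a threshold of payload, and fragments whose byte range overlaps an earlier fragment of the same datagram (the Overlapping Fragments item from the Issues slide). The test packets are constructed in the block itself; the 128-byte threshold and the datagram key (source, destination, IP id, protocol) are the example's assumptions.

```python
import socket
import struct
from collections import defaultdict

TINY_FRAGMENT_BYTES = 128  # assumption: a non-final fragment with less payload than this is suspect
IPV4_HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total length, id, flags+offset, TTL, proto, csum, src, dst


def build_ipv4(src, dst, ident, offset_units, more_frags, payload_len, proto=6):
    """Construct a 20-byte IPv4 header (checksum left zero) plus dummy payload; test input only."""
    flags_frag = (0x2000 if more_frags else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident, flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + b"\x00" * payload_len


def parse_ipv4(pkt):
    """Pull the fields a fragment audit needs out of a raw IPv4 packet."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "id": ident,
            "proto": proto, "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8,          # fragment offset is in 8-byte units
            "payload_len": total_len - ihl}


def audit_fragments(packets):
    """Return (kind, datagram_key, offset, detail) for each tiny or overlapping fragment seen."""
    alerts = []
    seen = defaultdict(list)   # datagram key -> [(start, end)] byte ranges already observed
    for pkt in packets:
        p = parse_ipv4(pkt)
        if not p["mf"] and p["offset"] == 0:
            continue                                  # unfragmented datagram: nothing to audit
        key = (p["src"], p["dst"], p["id"], p["proto"])
        start, end = p["offset"], p["offset"] + p["payload_len"]
        if p["mf"] and p["payload_len"] < TINY_FRAGMENT_BYTES:
            alerts.append(("tiny-fragment", key, start, p["payload_len"]))
        if any(start < e and s < end for s, e in seen[key]):
            alerts.append(("overlapping-fragment", key, start, end))
        seen[key].append((start, end))
    return alerts


A, B = "10.0.0.1", "10.0.0.2"
SAMPLE_PACKETS = [                                     # constructed test traffic
    build_ipv4(A, B, 1, 0, False, 100),                # plain unfragmented datagram
    build_ipv4(A, B, 2, 0, True, 1480),                # ordinary MTU-driven fragmentation ...
    build_ipv4(A, B, 2, 185, True, 1480),
    build_ipv4(A, B, 2, 370, False, 40),               # ... ending in a short final fragment (fine)
    build_ipv4(A, B, 3, 0, True, 8),                   # 8-byte slices of a TCP header: tiny x2
    build_ipv4(A, B, 3, 1, True, 8),
    build_ipv4(A, B, 3, 2, False, 200),
    build_ipv4(A, B, 4, 0, True, 200),                 # [160,360) and [240,440) re-cover bytes
    build_ipv4(A, B, 4, 20, True, 200),                #   already seen: overlap x2
    build_ipv4(A, B, 4, 30, False, 200),
]


def audit_sample():
    return audit_fragments(SAMPLE_PACKETS)


if __name__ == "__main__":
    for alert in audit_sample():
        print(alert)
```

The ordinary three-piece datagram (id 2) produces nothing, including its 40-byte tail, because only non-final fragments are held to the size threshold; id 3 raises two tiny-fragment alerts and id 4 two overlap alerts. A sensor that reassembles before matching still benefits from these alerts, since they are evidence of manipulation whether or not a signature later fires.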
Obscuring Data
As an example, www.nwi.net/~pchelp/obscure.htm or
3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D
Nothing matters before the @
Double word representation of dotted quad IP address
Hexadecimal number representation / individual characters interspersed
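Before a signature can match, the IDS, like the browser, has to reduce the alternative spellings above to one canonical form. The following added example (not code from the tutorial) does that: userinfo before the @ is discarded, a decimal dword host is expanded to a dotted quad, percent-encoding is undone until it stops changing (which also catches double encoding), and ./ and ../ path segments are resolved. The obscured URL on the slide is the test input; the dotted-quad value it decodes to is computed by the code, not taken from the slide.

```python
import re
from urllib.parse import unquote

SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def dword_to_dotted(n):
    """3466536962 -> '206.159.40.2': the 32-bit 'double word' form of a dotted quad."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit address")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonicalize_host(authority):
    """'user:pw@HOST:port' -> 'host'; a bare decimal host is taken as a dword IP address."""
    host = authority.rsplit("@", 1)[-1]      # nothing before the @ names the server
    host = host.split(":", 1)[0].lower()      # drop :port, fold case
    if host.isdigit():
        return dword_to_dotted(int(host))
    return host


def canonicalize_path(path):
    """Undo percent-encoding until stable, then resolve '.' and '..' and repeated slashes."""
    prev = None
    while prev != path:                       # %252e -> %2e -> . : loop until nothing changes
        prev, path = path, unquote(path)
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def canonicalize_url(url):
    """Return (host, path) in the single form that signatures should be matched against."""
    rest = SCHEME_RE.sub("", url.strip())
    authority, _, path = rest.partition("/")
    return canonicalize_host(authority), canonicalize_path("/" + path)


if __name__ == "__main__":
    for u in ("www.nwi.net/~pchelp/obscure.htm",
              "3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D",
              "http://www.nwi.net/cgi-bin/./%252e%252e/%70hf"):
        print(u, "->", canonicalize_url(u))
```

The third sample goes a little beyond the slide: it combines the double-encoded and directory-insertion spellings that the Whisker list on the next slide names, and still reduces to /phf. Matching the signature against the canonical path rather than the wire bytes is what closes that whole family of spellings at once; the one thing this function does not give back is the original host name behind a dword address, which needs a reverse lookup.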
Anti IDS Tools
Whisker
URL encoding
directory insertion (/../)
premature URL ending
long URL
fake parameter
session splicing
NULL method

More Anti IDS Tools
Fragrouter
Most attacks implemented correspond to those listed in the Ptacek and Newsham paper
Examples
Preserve the entire protocol header in the first fragment. This is useful in bypassing packet filters that deny short IP fragments
Send data in ordered 8-byte IP fragments, with one fragment sent out of order
Send data in ordered 8-byte IP fragments, sending the marked last fragment first
Complete TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte segments
Complete TCP handshake, send data in out of order 1-byte segments.
Complete TCP handshake, send data in ordered 1-byte segments interleaved with SYN packets for the same connection parameters.

More Anti IDS Tools
MUTATE v1.1
Used to bypass/test NIDS
Similar to whisker
Snot
Arbitrary packet generator
Uses snort rules files as its source of packet information
Attempts to randomize information to prevent detection by 'snot detection' snort rules
Can be used as an IDS evasion tool, by using specific decoy hosts
Nmap
Timing
Decoy parameter
Forensics
The art of gathering evidence during or after a crime
Reconstructing the criminal’s actions
Providing evidence for prosecution
Forensics for computer networks is extremely difficult and depends completely on the quality of information you maintain

Forensics: Tools
Tcpdump
Argus
NFR
Tripwire
Backups
The Coroners Toolkit (TCT)
TCTUTILS
Autopsy
Incident Response Collection Report (IRCR)
Tcpwrapper
Sniffers
Nnstat
A line printer
The Coroners Toolkit (TCT)
A collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after break-in
Most important parts
grave-robber: captures information
ils and mactime: display access patterns of files dead or alive
unrm and lazarus: recover deleted files
Findkey: recovers cryptographic keys from a running process or from files
OSes: Solaris, SunOS, FreeBSD, Linux, BSD/OS, OpenBSD
http://www.porcupine.org/forensics

TCTUTILS
Add functionality to TCT
List directory inode contents to view file, device, and directory names
Allows deleted file names to be viewed and possibly recovered
Get Modified, Accessed, and Created time data on deleted files
Find the names of files and directories that are using a given inode
Find the inode that is using a given block
Display the contents of a given block in several formats
Display the details of an inode (including all block numbers)
Requires TCT 1.06 or greater

Autopsy
HTML-based graphical interface to TCT, TCTUTILs, and basic UNIX utilities
It integrates many command line based tools to automate the tedious tasks
Helps in using the individual tools for more complex scenarios
Offers 4 methods of browsing
File
Inode
Block
Block Search
www.cerias.purdue.edu/homes/carrier/forensics/

Incident Response Collection Report (IRCR)
Basically TCT for Windows
Gather and/or analyze forensic data on a Microsoft Windows system
You can think of this as a snapshot of the system in the past
Like TCT, mostly oriented towards data collection rather than analysis
Premise is that the person who gets the data knows what to do with it ☺
http://www.incident-response.org/IRCR.htm
Forensics: Response
Split response efforts into two teams
Team A: Learn what you can about what the attacker is doing, feed the information to team B
Team B: generate a “shutout plan” based on the attackers’ techniques to lock them (and keep them) out
Determine in advance when team A will give up and team B will perform shutout

Response
Examine log files
Look for sniffers
Look for remote control programs (netbus, backorifice, etc)
Look for possible hacker file sharing or communications programs (eggdrop, irc, etc)

Response (cont)
Look for privileged programs
find / -perm -4000 -print
Look for file system tampering (use tripwire or backups)
Examine cron and at jobs
Look for unauthorized services
netstat -a
check inetd.conf

Forensics: Backtracking
Nowadays hackers are increasingly sophisticated about hiding tracks
The ones that are good, you won’t catch
The ones that you can catch aren’t worth catching
Very few good tools for backtracking are available
Hidden Directories
Warez: Cute term for pirated software
Warez are often hidden in FTP or web areas using weird directory names:
“...”
“ “ (space)
“normal “ (normal with space after it)
Check FTP areas for new directories

Finding Hacker-Prints
Search suspected infected system for new files: find / -mtime -30 -print
Use tripwire
Restore filesystems to a different disk and compare all the files (slow and painful!)
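The two checks on these slides, looking for oddly named directories and for recently modified files, as an added example in Python (not a tool from the tutorial) that builds a small constructed FTP tree in a temporary directory and scans it. The name heuristics (three or more dots, whitespace-only, leading or trailing whitespace, control characters) and the 30-day window mirror the slides; the sample names and file ages are constructed.

```python
import os
import re
import tempfile
import time

# Names that are hard to see in a listing or to type: runs of three or more dots, whitespace-only
# names, leading/trailing whitespace, control characters ("." and ".." themselves never match).
SUSPICIOUS_NAME = re.compile(r"^\.{3,}$|^\s+$|^\s|\s$|[\x00-\x1f\x7f]")
DAY = 86400


def suspicious_names(root):
    """Paths under root whose final component matches the hidden-directory heuristics."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if SUSPICIOUS_NAME.search(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def recently_modified(root, days=30, now=None):
    """Files under root modified within the last `days` days (the find -mtime -30 check)."""
    now = time.time() if now is None else now
    cutoff = now - days * DAY
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mtime >= cutoff:   # lstat: do not follow planted symlinks
                hits.append(path)
    return sorted(hits)


def make_sample_tree(root):
    """Constructed FTP area: three hidden-style directories, one normal one, two new files, one old."""
    pub = os.path.join(root, "pub")
    for d in ("...", " ", "normal ", "normal"):
        os.makedirs(os.path.join(pub, d))
    now = time.time()
    for rel, age_days in (("normal/readme.txt", 1), (".../kit.tgz", 2), ("incoming.log", 90)):
        path = os.path.join(pub, rel)
        with open(path, "w") as fh:
            fh.write("x")
        os.utime(path, (now - age_days * DAY, now - age_days * DAY))
    return pub


def demo():
    """Build the tree, run both checks, return paths relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        names = [os.path.relpath(p, root) for p in suspicious_names(root)]
        recent = [os.path.relpath(p, root) for p in recently_modified(root)]
    return names, recent


if __name__ == "__main__":
    names, recent = demo()
    print("suspicious names:", names)
    print("modified in last 30 days:", recent)
```

Remember what the slides say about mtime: tools like zap reset file dates, so the recent-files check catches the careless intruder, while the tripwire comparison or the restore-and-diff is what catches the careful one.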
Names of Tools to Look for
nuke - icmp bomb program
rootkit - trojans and patches
cloak - log clearer
zap - file date changer
icepick - penetration test tool
toneloc - wargames dialer

Law Enforcement
FBI: Jurisdiction over electronic crime
Secret Service (Treasury Dept):
Credit card fraud
Attacks against financial organizations
Law enforcement interest depends on sexiness of case

Law Enforcement (cont)
Law enforcement still Internet-ignorant
Expect to have to educate them
Not worth it
The situation is improving rapidly
Your mileage, however, may vary wildly depending on location

A Quick Response Example
Look at the logs
Figure out who needs to be contacted
Contact them
Wait for results
Original Snort log showed:
May 15 02:37:55 212.247.185.41:111 ->
216.27.176.114:111 SYNFIN ******SF
-
8/16/2019 Se Ids Secsymp01
183/241
V 1.0 Copyright SystemExperts 2001,2002,2003
6. . 6. : S S
May 15 02:37:55 212.247.185.41:111 ->216.27.176.115:111 SYNFIN ******SF
May 15 02:37:55 212.247.185.41:111 ->216.27.176.116:111 SYNFIN ******SF
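Working the three log lines above into the facts an abuse report needs, as an added example (not code from the tutorial): the Snort portscan lines are parsed, grouped by source address, and the timestamps, which the message on the following slides says are US PST, are restated in UTC so the recipient in another zone need not guess. The year (2001, from the date on that message), the -8 hour offset and the three-target sweep threshold are the example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The three Snort portscan lines from the slide, as the input text.
SNORT_LOG = """\
May 15 02:37:55 212.247.185.41:111 -> 216.27.176.114:111 SYNFIN ******SF
May 15 02:37:55 212.247.185.41:111 -> 216.27.176.115:111 SYNFIN ******SF
May 15 02:37:55 212.247.185.41:111 -> 216.27.176.116:111 SYNFIN ******SF
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+):(\d+) -> (\S+):(\d+) (\S+) (\S+)$")
YEAR = 2001            # assumption: taken from the date on the message that follows
LOG_UTC_OFFSET = -8    # assumption: the log is stamped in US PST, as that message states


def to_utc(stamp):
    """'May 15 02:37:55' in the log's local zone -> 'YYYY-MM-DD HH:MM:SS UTC'."""
    local = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=LOG_UTC_OFFSET)))
    return local.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def summarize_scans(log_text):
    """Group portscan lines by source: which hosts and ports were probed, with what flags, when."""
    by_src = defaultdict(lambda: {"targets": set(), "ports": set(), "flags": set(),
                                  "first": None, "last": None, "lines": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a portscan line; other Snort output is ignored here
        stamp, src, _sport, dst, dport, _name, flags = m.groups()
        rec = by_src[src]
        rec["targets"].add(dst)
        rec["ports"].add(int(dport))
        rec["flags"].add(flags)
        when = to_utc(stamp)
        rec["first"] = when if rec["first"] is None else min(rec["first"], when)
        rec["last"] = when if rec["last"] is None else max(rec["last"], when)
        rec["lines"].append(line)
    return dict(by_src)


def sweeps(summary, min_targets=3):
    """Sources that touched at least min_targets distinct hosts: a sweep, not a stray packet."""
    return {src: rec for src, rec in summary.items() if len(rec["targets"]) >= min_targets}


def abuse_report(src, rec, owner="<system owner>"):
    """Draft the message body: what happened, when (UTC), and the raw evidence lines."""
    ports = ", ".join(str(p) for p in sorted(rec["ports"]))
    body = [f"{len(rec['targets'])} of my systems were scanned on port(s) {ports} "
            f"by {src} between {rec['first']} and {rec['last']}.",
            "These actions are not authorized; please have the user of this system stop.",
            f"Relevant log lines (local timestamps, UTC{LOG_UTC_OFFSET:+d}):",
            *rec["lines"], owner]
    return "\n".join(body)


if __name__ == "__main__":
    for src, rec in sweeps(summarize_scans(SNORT_LOG)).items():
        print(abuse_report(src, rec))
```

Stating the zone explicitly is the detail that matters most to the recipient: the reply on the slides that follow came from a European provider, and 02:37 PST is 10:37 UTC, which is what their own logs will show.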
Lookup contacts
A “Whois” lookup showed:
route: 212.247.0.0/16
descr: SWIPNET
descr: In case of improper use originating from our network,
descr: please mail customer or [email protected]
origin: AS1257
notify: [email protected]
mnt-by: AS1257-MNT
changed: [email protected] 19990202
changed: [email protected] 20001115
source: RIPE
Send a message
From: Philip Cox
Sent: Tuesday, May 15, 2001 7:10 AM
To: [email protected]
Subject: Scans from 212.247.185.41
Dear Sirs,
Three of my systems were scanned for portmapper by the IP address 212.247.185.41. These actions are not authorized. Please have the user of this system stop scanning my systems. The relevant portion of the logs are included. They are all US PST:
May 15 02:37:55 212.247.185.41:111 -> 216.27.176.114:111 SYNFIN ******SF
May 15 02:37:55 212.247.185.41:111 -> 216.27.176.115:111 SYNFIN ******SF
May 15 02:37:55 212.247.185.41:111 -> 216.27.176.116:111 SYNFIN ******SF
Phil Cox
System Owner
Response
Hello,
The customer has been contacted and the compromised server has been taken offline. Please let us know if this continues or happens again.
Sincerely,
Niklas Odebo
Tele2 Abuse Dep.
============================
Kind regards
Customer Security Dept.
Tele 2
[email protected]
[email protected]
============================
Under Attack
Decide if you want to:
Observe the attacker
Chase them away and lock them out
Catch the attacker
Prosecute them if you catch them
If you may want to prosecute:
Contact legal counsel immediately
Find out about local laws of evidence

If you are Under Attack
Do a complete system backup immediately
Hackers tend to zap system disks if caught
Get a system with tcpdump running a complete packet log to disk
What protocol packets went to/from where
Possibly contents for some sessions (telnet, rlogin, IRC, FTP)

Shutting Down (For Paranoids)
Sync the disks, and halt the system
Do not execute a clean shutdown
Do not disconnect the network
Bring system back up to single user mode
Make and verify backups in single user mode
Consider making image dump (dd) of disks

Phone Companies
Backtracking phone calls is nearly impossible
Deregulation makes phone company boundaries very hard to track across
Even with a hard fix on the login session phone companies take 20-30 minutes to track a call
Very frustrating

Where are They Coming From?
Use tcpdump / who / syslog to see where they are coming in from
Run finger against remote system
If finger is working on attacker system you may be able to correlate activity with times of attack and user idle time
Usually attacker will be using a stolen account on remote machine

Backtracking
Do not mail to root@attackermachine saying you are under attack
Attackers watch root’s mail
Check NIC registry for attacker domain and telephone the site technical contact
Remember: your communications are compromised

Watching the Bad Guy
Get a copy of cloak and watch the attacker semi-invisibly
If they see they are being watched they will leave and may destroy the machine
If they have forgotten to disable shell command history you can get a good idea what commands they are using

Fight Fire with Fire
Building booby-trapped telnet/rlogin clients lets you monitor everything the attacker does
Sometimes the attacker will reveal themselves
Social engineer the attacker
Sometimes the attacker will brag on IRC
Sometimes you can learn who it is by piquing their ego
If they leave warez or tools in FTP area
Log who retrieves them
Replace warez with files of white noise
Contact site admins at sites downloading the software

Legal Issues
You may not be able to use hacker techniques against them
Laws for gathering evidence are confusing
Logs may or may not be admissible
Perpetrator may or may not be prosecutable

Know when to Quit
Eventually it may be easier to unplug the network for a day or two and just clean up
Use clean up time to improve security and logging
Forensics: Practice
The Honeynet Project releases “Scan of the Month”
This is captured in the wild with the honeypot
Figure out
Technique
Tool used
Anything else
A “challenge” for each tool captured in the wild. As always:
http://project.honeynet.org/scans/
Section Contents
Q ui s cust odi et i psos cust odes?
What are Logs?Packet Sniffing = Wiretapping?Policies and Laws
-
8/16/2019 Se Ids Secsymp01
202/241
V 1.0 Copyright SystemExperts 2001,2002,2003
Policies and LawsResources
Quis custodiet ipsos custodes?
Who Watches the Watchmen?
We don’t always think about the data in our custody
How is our IDS different from the FBI’s Carnivore?
Packet Sniffing = Wiretapping?
It Depends
An analogy can be made between capturing packets and recording phone conversations
Some jurisdictions are already going there
Make sure you know where you stand
Policies and Laws
Organizational Regulations
appropriate use policy
privacy of email and files
maintenance/retention of electronic records
Talk to your management!
Policies and Laws
Governmental Regulations
Different applicability
private vs. public
for-profit vs. non-profit
…
Electronic Communications Privacy Act (ECPA)
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
…
Talk to your legal staff!
Resources
Honeyman/Saul Invited Talk from LISA 97
Computer Professionals for Social Responsibility www.cpsr.org
Electronic Freedom Foundation www.eff.org
Your policy documents
Your Legal Department
Closing Thoughts
There are a lot of different options
You have to start with “Policy”
You can’t deploy it in a day/week/month
It is an ongoing process
It’s not cheap
A lot of blood, sweat, and tears OR …
$$$ and some blood, sweat, and tears
The best time to start is NOW!
The End
Thank you for attending!
Thank you for your comments!
Please fill out the Instructor Evaluation Form!!
Resources
Books
Web Sites
Mailing lists
Books
Intrusion Detection: Network Security Beyond the Firewall, by Terry Escamilla, published by John Wiley and Sons
Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Traps, Trace Back, and Response, by Edward G. Amoroso, published by intrusion.net books
Books
Computer Crime: A Crimefighter’s Handbook, by David Icove, Karl Seger and William VonStorch, from O’Reilly & Associates in August 95
Coping with the Threat of Computer Security Incidents: A Primer from Prevention Through Recovery, by Russell Brand
Books
Internet Security and Firewalls: Repelling the Wily Hacker, by Bill Cheswick and Steve Bellovin, from Addison Wesley
Internet Firewalls, 2nd Edition, by Elizabeth Zwicky, Simon Cooper, and Brent Chapman
URLs
IDS FAQs (warning: vendor sponsored)
http://www.ticm.com/kb/faq/idsfaq.html
http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
Addresses
IDS mailing list: [email protected]
Addresses
Firewalls mailing list
[email protected]: subscribe firewalls
Web security mailing list
[email protected]: subscribe www-security
Addresses
Firewalls Wizards mailing list
[email protected]: subscribe firewall-wizards
http://www.nfr.net/forum/firewall-wizards.html
Searchable online archive on http://www.nfr.net/firewall-wizards/
Mark Mellis
Consultant
626-852-8639 direct
626-852-8739 fax
978-440-9388 main
http://www.SystemExperts.com/
Philip Cox
Consultant
530-887-9251 direct
530-887-9253 fax
978-440-9388 main
http://www.SystemExperts.com/
Appendix 1: Advanced Burglar Alarms
These are for people with too much free time on their hands :)
ls-o-matic
Train yourself not to run “ls” as root
Replace “ls” with a program that mails you or shuts the system down if it is ever run as root
Use “echo *” instead of “ls”
... This trick takes a lot of discipline!
Shared-Library boobytrap
Systems with shared libraries are a great place to add alarms
Generate a custom version of the exec() library family that logs every command execution that isn’t one of a small expected set
Good for firewalls or web servers!
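An added example, not code from the tutorial: one way to build the exec() trap above as an LD_PRELOAD shim on Linux/glibc. The allow-list, the log line format and the /usr/sbin/httpd-style paths are assumptions for a dedicated web server.

```c
/* Added example, not the tutorial's own code: an LD_PRELOAD shim that plays
 * the role of the slide's "custom exec() library".  It interposes execve(),
 * logs any program launch that is not on a small expected list, then hands
 * the call to the kernel unchanged.  Linux/glibc specific: the real execve is
 * reached through the raw system call, so no dlsym() lookup is needed. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Hypothetical allow-list for a dedicated web server; tune it per host. */
static const char *const expected[] = {
    "/usr/sbin/httpd", "/usr/sbin/sshd", "/bin/sh", "/usr/bin/logger", NULL
};

/* 1 if path is one of the expected programs, 0 otherwise. */
int is_expected(const char *path)
{
    for (const char *const *p = expected; *p != NULL; p++)
        if (strcmp(path, *p) == 0)
            return 1;
    return 0;
}

/* Formats the alarm line for an unexpected exec into buf.  Returns the
 * length written, or 0 when the program is expected and nothing is logged. */
int alarm_message(const char *path, char *const argv[], char *buf, size_t len)
{
    if (is_expected(path))
        return 0;
    return snprintf(buf, len, "unexpected exec uid=%u pid=%d path=%s argv0=%s",
                    (unsigned)getuid(), (int)getpid(), path,
                    (argv != NULL && argv[0] != NULL) ? argv[0] : "(null)");
}

/* The interposed execve().  Only calls that resolve to this symbol are seen:
 * glibc's execl()/execv() relatives reach the kernel internally, so a full
 * shim interposes those too, and static binaries or direct syscalls bypass
 * any library trap, so this complements rather than replaces other alarms. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    char msg[512];
    if (alarm_message(path, argv, msg, sizeof msg) > 0)
        syslog(LOG_ALERT, "%s", msg);   /* or mail / halt, as the slide says */
    return (int)syscall(SYS_execve, path, argv, envp);
}
```

Build it with cc -shared -fPIC -o libexectrap.so exectrap.c and point LD_PRELOAD (or /etc/ld.so.preload) at the result in the service's environment.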
Nit-pick
Many times when a break-in occurs hackers will set up a sniffer
If the NIT device is not configured they often add it
Replace the NIT device with something that triggers a warning instead
/dev/nit driver can be replaced with a driver that halts the system
File shrinkener
Write a program to check if the inode number of /var/log/messages has changed at the same time the file has shrunk
Use ls -i, and ls -l in a shell script
Use stat in C code
Terrify Suzy*
May make people think twice about what kind of monitoring is going on in the system
# cat > main.c
#include <unistd.h>        /* for sleep() */
int main(void)
{
    while (1) sleep(30);   /* does nothing, forever; the name is the point */
}
^D
# cc -o watchdog main.c
# nohup ./watchdog &
* based on an old story from Boyd Roberts
Fake Holes
Install a phf.pl script in your CGI directory on your web server
Have it generate an alert
DumDum Users
Have a user with a crackable but not obvious password
Put something in their .login to alert you when they log in
If they ever log in, you know someone has gotten hold of your password file, somehow
Roto-Router
Redirect incoming traceroute queries to a user-mode process which responds with carefully crafted packets
Looks like you go into the network
Then to microsoft.com
Then to whitehouse.gov
Then to playboy.com
etc.
Louis Mamakos (I think) invented this one
Scan Slower
Set up services on a port that listen and accept connections
Set keepalive
Never send data
This could be very nicely implemented in a border device that simulates an entire network or system
Phat Warez
Compress a few gigabytes of zeros into a .zip file (it’ll get pretty small!)
Leave it in your Warez directory
Redirector
Set up something (kind of like a dynamic LocalDirector or a firewall with proxy transparency) on the border of your network that takes traffic destined to certain machines
Rewrites the destination to be the source
Sends it back out
“Wow! He’s scanning me back really quickly! He knows all my tricks!”
Socket Stuffer
For scanning tools that collect data off the ports and record/parse/log it
Have a listener on many, many ports
Each listener, if connected to, sends back a few USENET postings from talk.bizarre
This would be lots of fun against the auditors who like to run ISS scans against you and charge you big $$ for the result
Auditor Biter
One nice way of catching clueless auditors who send an intern to run ISS against you and charge you big $$$ is to create fake vulnerabilities in your system and wait to see if they appear in the report
Measure how much deviance exists between the report and the ISS output
Noset Executable
For dedicated service machines, consider removing the ability to set the execute bit in multiuser mode
Must also be attached to a terminal
Log whenever it isn’t!!!
Log and alert attempts to set execute permission