se ids secsymp01

Upload: batica

Post on 05-Jul-2018


  • 8/16/2019 Se Ids Secsymp01

    1/241

Intrusion Detection & Network Forensics

Mark Mellis & Phil Cox

V 1.0 Copyright SystemExperts 2001,2002,2003

Just checking...

- This is a top level bullet
  - This is the next level in
    - This would be level 3
      - This would be level 4
- Can you hear? Check 1…2…3… Check
- Is it too hot? Too cold?

An ounce of prevention is worth a pound of detection

Goals of the Tutorial

- The student recognizes the N major classes of IDS technology, and can correctly classify a new product
- The student understands the strength and weakness of the N major classes of IDS
- The student knows what IDS technology can and cannot do
- Given a network drawing, the student can discuss different IDS deployment strategies for that network
- The student can do some unknown thing with network forensics
- Great evals ☺

Where are we?

- High level theory
- Deployment examples
- Integrating Data Sources
- Benchmarks and Performance
- Choosing a System
- Eluding IDS
- Forensics and Response
- Ethics, Policies, Legalities
- Conclusions

Section Contents

- General
- IDS Models
- IDS Data Sources
- Types of IDS
- Technical Caveats

Why Talk about IDS?

- Emerging new technology
- Very interesting
- ...but...
- About to be over-hyped
- Being informed is the best weapon in the security analyst’s arsenal
  - It also helps keep vendors honest!

What is an Intrusion?!

- Difficult to define
  - Not everyone agrees
  - This is a big problem
- How about someone telnetting your system?
  - And trying to log in as “root”?
- What about a ping sweep?
- What about them running an ISS scan?
- What about them trying phf on your web server?
- What about succeeding with phf and logging in?

What is IDS?

- The ideal Intrusion Detection System will notify the system/network manager of a successful attack in progress:
  - With 100% accuracy
  - Promptly (in under a minute)
  - With complete diagnosis of the attack
  - With recommendations on how to block it
- …Too bad it doesn’t exist!! Or does it?

Objectives: 100% Accuracy, 0% False Positives

- A False Positive is when a system raises an incorrect alert
  - “The boy who cried ‘wolf!’” syndrome
- 0% false positives is the goal
  - It’s easy to achieve this: simply detect nothing
- 0% false negatives is another goal: don’t let an attack pass undetected

Objectives: Prompt Notification

- To be as accurate as possible the system may need to “sit on” information for a while until all the details come in
  - e.g.: Slow-scan attacks may not be detected for hours
  - This has important implications for how “real-time” IDS can be!
- IDS should notify user as to detection lag
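
The “sit on information” trade-off on this slide, shown as an added example (not code from the tutorial): a detector that aggregates connection probes per source over a sliding window and reports its own detection lag. The addresses, timings and thresholds are constructed. A short window never accumulates enough of the slow scan to alert; a long window does, but only hours after the first probe.

```python
"""Slow-scan detector: aggregates probes per source over a sliding window
and reports the detection lag.  Added example, not from the tutorial."""
from collections import defaultdict, deque


def detect_scans(events, window_s, port_threshold):
    """events: list of (timestamp_s, src_ip, dst_port) sorted by time.
    Returns [(src_ip, alert_time_s, lag_s)], one alert per source, where
    lag is measured from the oldest probe still inside the window."""
    history = defaultdict(deque)   # src -> (ts, port) probes inside the window
    alerted = set()
    alerts = []
    for ts, src, port in events:
        q = history[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window_s:   # expire probes older than the window
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) >= port_threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, ts - q[0][0]))
    return alerts


# Constructed sample: 10.0.0.9 probes one port every 20 minutes (slow scan);
# 10.0.0.7 probes 12 ports in 12 seconds (fast scan).
SLOW = [(i * 1200, "10.0.0.9", 1000 + i) for i in range(12)]
FAST = [(5000 + i, "10.0.0.7", 2000 + i) for i in range(12)]
EVENTS = sorted(SLOW + FAST)


def demo():
    """Same events, two window sizes; shows what the window buys and costs."""
    return {
        "short": detect_scans(EVENTS, window_s=60, port_threshold=10),
        "long": detect_scans(EVENTS, window_s=4 * 3600, port_threshold=10),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        for src, at, lag in alerts:
            print(f"{name} window: {src} flagged at t={at}s, lag {lag / 3600:.2f} h")
```

With the 60-second window only the fast scanner is flagged; with the four-hour window the slow scanner is flagged too, three hours after its first probe, which is exactly the lag the slide says an IDS should report to its user.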

Objectives: Prompt Notification (cont)

- Notification channel must be protected
  - What if attacker is able to sever/block notification mechanism?
  - An IDS that uses E-mail to notify you is going to have problems notifying you that your E-mail server is under a denial of service attack!

Objectives: Diagnosis

- Ideally, an IDS will categorize/identify the attack
  - Few network managers have the time to know intimately how many network attacks are performed
- This is a difficult thing to do
  - Especially with things that “look weird” and don’t match well-known attacks

Objectives: Recommendation

- The ultimate IDS would not only identify an attack, it would:
  - Assess the target’s vulnerability
  - If the target is vulnerable it would notify the administrator
  - If the vulnerability has a known “fix” it would include directions for applying the fix
- This requires huge, detailed knowledge

IDS: Pros

- A reasonably effective IDS can identify
  - Internal hacking
  - External hacking attempts
- Allows the system administrator to quantify the level of attack the site is under
- May act as a backstop if a firewall or other security measures fail

IDS: Cons

- IDS’ don’t typically act to prevent or block attacks
  - They don’t replace firewalls, routers, etc.
- If the IDS detects trouble on your interior network what are you going to do?
  - By definition it is already too late

Privacy: a Problem

- Some governments/states mandate levels of privacy protection for employees or students
  - This may make it impossible to adequately gather data for the IDS
  - This may make it impossible to gather forensic data for analysis or prosecution

Privacy: a Problem (cont)

- Is it prying if it’s done by a computer?
  - What if a human never sees it?
  - What if the information is never acted upon?
- At what point is privacy violated?
  - Looking at packet headers?
  - Looking at packet contents?
  - Looking at /var/mail/user?

Paradigms for Deploying IDS

- Attack Detection
- Intrusion Detection

Attack Detection

[Diagram: Internet, Router w/ some screening, Firewall, DMZ Network with WWW Server, Internal Network with Desktop, and an IDS. Caption: IDS detects (and counts) attacks against the Web Server and firewall.]

Attack Detection

- Placing an IDS outside of the security perimeter records attack level
  - Presumably if the perimeter is well designed the attacks should not affect it!
  - Still useful information for management (“we have been attacked 3,201 times this month…”)
- Prediction: AD will generate a lot of noise and be ignored quickly

Intrusion Detection

[Diagram: Internet, Router w/ some screening, Firewall, DMZ Network with WWW Server, Internal Network with Desktop, and an IDS. Caption: IDS detects hacking activity WITHIN the protected network, incoming or outgoing.]

Intrusion Detection

- Placing an IDS within the perimeter will detect instances of clearly improper behavior
  - Hacks via backdoors
  - Hacks from staff against other sites
  - Hacks that got through the firewall
- When the IDS alarm goes off, it’s a red alert

Attack vs. Intrusion Detection

- Ideally do both
- Realistically, do ID first then AD
  - Or, deploy AD to justify security effort to management, then deploy ID (more of a political problem than a technical one)
- The real question here is one of staffing costs to deal with alerts generated by AD systems

Section Contents

- General
- IDS Models
- IDS Data Sources
- Types of IDS
- Technical Caveats

IDS Models

- IDES
- Audit
- Inline
- Hybrid (a mix of both)

IDES

- Dorothy Denning (1986) publishes “An Intrusion Detection Model” which defines much IDS thinking
- Defines components of an IDS in terms of:
  - Subjects - initiators of activity
  - Objects - targets of activity
  - Profiles - characterization of how subjects operate on objects (may be statistical models or pattern matching)

IDES (cont)

  - Audit Records - trace information about the occurrence of events in time
  - Anomaly Records - trace information about the occurrence of unusual events in time, often generated by the IDS or applications
  - Alarms - information that the system brings to the security administrator’s attention
- Systems evolved from IDES: DIDS, Stalker, Emerald

Block Diagram: Generic IDS

[Diagram. Components: Host System or Network Sniffer; Pre-Processing; Statistical analysis; Signature matching; Alert manager; GUI; Response manager; Knowledge base; Long term storage.]

Audit Based IDS

- Audit based IDS post-process audit trail (and other) information
  - Activity is first logged then post-processed
  - Batch oriented approach allows for virtually infinite correlation if enough data is present

[Diagram. Components: Kernel and applications; Audit Database; IDS correlation; reports/alerts.]

Audit Data

- Determining what is a good audit probe point (where to record something) is a difficult problem
- Orange book includes 23 probe points within UNIX kernel and applications
  - open, read/write, process fork, creation of IPC, create/remove file, bad login, password change, add/remove user/group, etc...

Networked Auditable Events

- Users logging in at unusual hours*
- Unexplained reboots
- Unexplained time changes
- Unusual error messages
- Failed login attempts
- Users logging in from unfamiliar sites*

* (implies that per-user “history” is kept)

CIDF

- ARPA sponsored effort to achieve Common Intrusion Detection Framework
  - Architectural conventions for IDS modules
  - Messaging specification for audit data and its transmission
- Information on CIDF on the web: http://www.seclab.ucdavis.edu/cidf/spec/cidf.txt

CIDF (cont)

- Conceptual components are modules
  - Event generators - collect or generate data
  - Analysis engines - processing and correlation
  - Storage mechanisms - archival and short term storage including of logs and audit records
  - Response components - outputs

CIDF (cont)

- Will CIDF work?
  - Pro: It’s a generalization of most IDS; all the pieces are there
  - Con: Will IDS vendors see any value in an interoperable, modular solution?
  - Can it be made to work at all?

Inline IDS (a.k.a. Real-Time)

- Inline IDS process audit data as it is generated
  - Typically discard audit data that it does not recognize as significant
  - Amount of correlation tends to be limited

[Diagram. Components: Kernel and applications; IDS correlation; reports/alerts; Incident database; Bit bucket (for discarded data).]

Audit vs. Inline

- Inline is faster but only provides a “local” view unless a lot of data is forwarded in realtime to a central location
- Audit is deeper but requires keeping lots of data
- Hybrid systems exploit both: inline detection of significant events to an audit station
- You really need both

Section Contents

- General
- IDS Models
- IDS Data Sources
- Types of IDS
- Technical Caveats

IDS Data Sources

- Host Based
- Network Based

Host Based IDS

- Collect data usually from within the operating system
  - C2 audit logs
  - System logs
  - Application logs
- More of an “Audit” approach
- Data collected in very compact form
  - But application / system specific

Host Based: Pro

- Quality of information is very high
  - Software can “tune” what information it needs (e.g.: C2 logs are configurable)
  - Kernel logs “know” who user is
- Density of information is very high
  - Often logs contain pre-processed information (e.g.: “badsu” in syslog)
  - Ability to “contextualize” the event is unparalleled

Host Based: Con

- Capture is often highly system specific
  - Usually only 1, 2 or 3 platforms are supported (“you can detect intrusions on any platform you like as long as it’s Solaris or NT!”)
  - Information needs to be “normalized” before it is taken off the system
- Performance is a wild-card
  - To unload computation from host, logs are usually sent to an external processor system
  - See above bullet #2

Host Based: Con (cont)

- Hosts are often the target of attack
  - If they are compromised their logs may be subverted
  - Data sent to the IDS may be corrupted
  - If the IDS runs on the host itself it may be subverted
- Denial of Service “kills 2 birds with one stone”

Network Based IDS

- Collect data from the network or a hub / switch
  - Reassemble packets
  - Look at headers
- Try to determine what is happening from the contents of the network traffic
  - User identities, etc. inferred from actions
- Need to worry about performance
  - Must be able to look at all traffic
  - More performance sensitive than host based

Network Based: Pro

- No performance impact on the system running the IDS
  - A Ping-O-Death against another host will not affect the IDS
- More tamper resistant
- No management impact on platforms
  - Just need to manage one system, not many like host based

Network Based: Pro (cont)

- Works across O/S’
- Can derive information that host based logs might not provide
  - Packet fragmenting, port scanning, etc.

Network Based: Con

- May lose packets on flooded networks
  - Performance sensitive
- May improperly reassemble packets
  - Or not reassemble them at all
- May not understand O/S specific application protocols (e.g.: SMB/NetBIOS)
  - This is one place “Host” based shines

Network Based: Con (cont)

- May not understand obsolete network protocols
  - Basically IP centric
- Does not handle encrypted data
  - How do you check something you can’t read?

Hybrid IDS

- The current crop of commercial IDS are mostly hybrids
  - Misuse detection (signatures or simple patterns)
  - Expert logic (network-based inference of common attacks)
  - Statistical anomaly detection (values that are out of bounds)

Properties of: Per-Host Network IDS

- Network IDS “shim” layer inserted into network stack on each host
- Issues
  - Properties of network IDS
  - But
    - Traffic processed per-host only
    - Does not have same performance sensitivity as NIDS
    - “Local” only view of traffic (but no drops)

Properties of: Firewall IDS

- Place network IDS capability in a firewall or bridge type device
- Issues
  - No packet loss issues
  - May slow down network

Hybrid IDS (cont)

- At present, the hybrids’ main strength appears to be the misuse detection capability
  - Statistical anomaly detection is useful more as backfill information in the case of something going wrong
  - Too many false positives - many sites turn anomaly detection off

Hybrid IDS (cont)

- The ultimate hybrid IDS would incorporate logic from vulnerability scanners*
  - Build maps of existing vulnerabilities into its logic of where to watch for attacks
  - Backfeed statistical information into misuse detection via a user interface

* Presumably, a clueful network admin would just fix the vulnerability

What to keep

- Everything
  - This is where we start the process

What to throw away

- Things that you know aren’t interesting
- Consider keeping counts of the number of uninteresting events that occur
  - The number of times an uninteresting event occurs may be interesting ☺
  - Event frequency of uninteresting events may be interesting!
  - See Appendix (“artificial ignorance”)
- Build a stop list and forward all remaining output to a human intelligence
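
The stop-list approach on this slide, written out as an added example (not the tutorial’s own code): lines that match a pattern known to be boring are dropped but counted by pattern, everything else is forwarded to a human, and a boring event whose count runs far above its usual rate is raised on its own. The patterns, the baseline counts and the syslog lines are constructed.

```python
"""Artificial ignorance: count what you throw away, forward the rest.
Added example, not from the tutorial; patterns and samples are constructed."""
import re
from collections import Counter

# Stop list: (name, regex) for lines that are normally uninteresting.
STOP_LIST = [
    ("cron-job", re.compile(r"CRON\[\d+\]: \(\w+\) CMD ")),
    ("ssh-ok", re.compile(r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.0\.\d+\.\d+")),
    ("unit-start", re.compile(r"systemd\[1\]: Started ")),
]

# How many of each boring event a batch normally contains (constructed baseline).
BASELINE = {"cron-job": 4, "ssh-ok": 10, "unit-start": 5}


def triage(lines, stop_list=STOP_LIST):
    """Split lines into (forwarded, counts). A line matching the stop list is
    dropped but counted under its pattern name; everything else is kept."""
    counts = Counter()
    forwarded = []
    for line in lines:
        for name, pattern in stop_list:
            if pattern.search(line):
                counts[name] += 1
                break
        else:                      # no pattern matched: a human should look
            forwarded.append(line)
    return forwarded, counts


def rate_alarms(counts, baseline=BASELINE, factor=3.0):
    """Names of stop-listed events whose frequency is itself interesting:
    more than `factor` times the baseline count for this batch."""
    return sorted(name for name, c in counts.items() if c > factor * baseline.get(name, 0))


# Constructed syslog batch: four boring lines, two that deserve attention.
SAMPLE = [
    "Jul  5 03:00:01 host CRON[411]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jul  5 03:00:02 host sshd[420]: Accepted publickey for bob from 10.0.2.15 port 51234 ssh2",
    "Jul  5 03:00:05 host sshd[433]: Failed password for root from 203.0.113.5 port 40122 ssh2",
    "Jul  5 03:00:06 host systemd[1]: Started Daily apt download activities.",
    "Jul  5 03:00:07 host su[450]: BAD SU alice to root on /dev/pts/2",
    "Jul  5 03:00:08 host CRON[460]: (root) CMD (/usr/lib/sysstat/sa1 1 1)",
]

if __name__ == "__main__":
    kept, counts = triage(SAMPLE)
    print("forward to human:", *kept, sep="\n  ")
    print("discarded:", dict(counts), "rate alarms:", rate_alarms(counts))
```

The stop list is deliberately ordered and first-match-wins, so a new pattern should be added at the end and tested against the forwarded lines it is meant to remove; a pattern that is too broad silently eats exactly the lines this process exists to surface.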

Section Contents

- General
- IDS Models
- IDS Data Sources
- Types of IDS
- Technical Caveats

Types of IDS

- Anomaly Detection - the AI approach
- Misuse Detection - simple and easy
- Burglar Alarms - policy based detection
- Honey Pots - lure the hackers in
- Hybrids - a bit of this and that

Anomaly Detection

- Goals:
  - Analyze the network or system and infer what is normal
  - Apply statistical or heuristic measures to subsequent events and determine if they match the model/statistic of “normal”
  - If events are outside of a probability window of “normal” generate an alert (tunable control of false positives)

Anomaly Detection (cont)

- Typical anomaly detection approaches:
  - Neural networks - probability-based pattern recognition
  - Statistical analysis - modeling behavior of users and looking for deviations from the norm
  - State change analysis - modeling system’s state and looking for deviations from the norm

Anomaly Detection: Pro

- If it works it could conceivably catch any possible attack
- If it works it could conceivably catch attacks that we haven’t seen before
  - Or close variants to previously-known attacks
- Best of all it won’t require constantly keeping up on hacking technique

Anomaly Detection: Con

- Current implementations don’t work very well
  - Too many false positives/negatives
- Cannot categorize attacks very well
  - “Something looks abnormal”
  - Requires expertise to figure out what triggered the alert
  - Ex: Neural nets can’t say why they trigger

Anomaly Detection: Examples

- Most of the research is in anomaly detection
  - Because it’s a harder problem
  - Because it’s a more interesting problem
- There are many examples, these are just a few
- Most are at the proof of concept stage

Anomaly Detection (cont)

- IDES/NIDES
  - Real-time IDS using statistical anomaly detection combined with rule-based misuse detection
  - Relies on system’s audit records for input
  - Rule base is limited
  - ftp://ftp.csl.sri.com/pub/nides/index1.html
- GrIDS
  - Graph-based
  - Models network activity based on analysis of graph matching
  - Includes a policy language for translating organizational policies into analysis rulesets
  - http://seclab.cs.ucdavis.edu

Misuse Detection

- Goals:
  - Know what constitutes an attack
  - Detect it

Misuse Detection (cont)

- Typical misuse detection approaches:
  - “Network grep” - look for strings in network connections which might indicate an attack in progress
  - Pattern matching - encode series of states that are passed through during the course of an attack
    - e.g.: “change ownership of /etc/passwd” -> “open /etc/passwd for write” -> alert
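
Both approaches on this slide in one added example (not code from the tutorial): a “network grep” over HTTP request lines, with the input canonicalized before matching so that the URL-encoding trick listed later under “Easier to fool” does not slip past, and a per-subject state sequence that fires only when the same subject passes through every step of the /etc/passwd example in order. The signature list, the event vocabulary (`chown`, `open-write`) and the sample data are constructed.

```python
"""Misuse detection two ways: substring signatures over request lines, and a
state sequence over audit events.  Added example, not from the tutorial."""
from urllib.parse import unquote

# "Network grep" signatures: substrings that may indicate an attack in progress.
SIGNATURES = [
    ("phf CGI probe", "/cgi-bin/phf"),
    ("passwd file fetch", "/etc/passwd"),
]


def normalize(request_line):
    """Canonicalize before matching: percent-decode and lowercase. A plain grep
    on the raw line misses an encoded request; matching the decoded form does not."""
    return unquote(request_line).lower()


def grep_signatures(request_line, canonicalize=True):
    text = normalize(request_line) if canonicalize else request_line
    return [name for name, needle in SIGNATURES if needle in text]


# Pattern matching: (action, object) states the same subject must pass through, in order.
PASSWD_RULE = ("passwd takeover", [("chown", "/etc/passwd"), ("open-write", "/etc/passwd")])


class SequenceMatcher:
    def __init__(self, rules):
        self.rules = rules          # list of (name, steps)
        self.progress = {}          # (subject, rule name) -> index of next expected step

    def feed(self, subject, action, obj):
        """Advance each rule's state for this subject; return names of rules completed.
        Unrelated events leave the state untouched, so steps may be interleaved."""
        fired = []
        for name, steps in self.rules:
            key = (subject, name)
            i = self.progress.get(key, 0)
            if (action, obj) == steps[i]:
                i += 1
                if i == len(steps):
                    fired.append(name)
                    i = 0           # reset so the sequence can fire again
            self.progress[key] = i
        return fired


def run_audit(events, rules=(PASSWD_RULE,)):
    """events: iterable of (subject, action, object). Returns [(subject, rule name)]."""
    matcher = SequenceMatcher(list(rules))
    alerts = []
    for subject, action, obj in events:
        for name in matcher.feed(subject, action, obj):
            alerts.append((subject, name))
    return alerts


# Constructed audit trail: alice completes both steps, bob performs only the second.
AUDIT = [
    ("alice", "chown", "/etc/passwd"),
    ("bob", "open-write", "/etc/passwd"),
    ("alice", "open-read", "/etc/hosts"),
    ("alice", "open-write", "/etc/passwd"),
]

if __name__ == "__main__":
    print(grep_signatures("GET /cgi-bin/ph%66?Qalias=x HTTP/1.0", canonicalize=False))
    print(grep_signatures("GET /cgi-bin/ph%66?Qalias=x HTTP/1.0"))
    print(run_audit(AUDIT))
```

Note that bob’s lone write to /etc/passwd produces no alert: the sequence rule encodes the attack as the deck describes it, and a single step is ordinary administration. That is also the rule’s weakness, since an intruder who skips or reorders a step never completes the sequence.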

Misuse Detection: Pro

- Easy to implement
  - State machine
  - Signatures
  - Storage
  - Report generator
  - Managers and agents
- Easy to deploy
  - Up quickly
  - No need to get “History”

Misuse Detection: Pro (cont)

- Easy to update
  - Push signatures
- Easy to understand
  - “Blinking” Lights
- Low false positives
- Fast

Misuse Detection: Con

- Cannot detect something previously unknown
  - Reactive by nature
- Constantly needs to be updated with new rules
  - Always behind the curve
- Easier to fool
  - E.g., URL encoding

Misuse Detection (cont)

- A number of commercial misuse detection products are on the market
  - ISS RealSecure/Black ICE
  - Axent/Symantec Intruder Alert
  - Cisco NetRanger
  - NFR Network Flight Recorder
- Deployment model is to feed rulesets to customer as subscription service

Misuse Detection (cont)

- Things misuse detection looks for:*
  - IP Frag attack
  - Ping flooding
  - Source routing
  - Ping of death
  - ISS Scan check
  - SATAN scan check
  - Rwhod check
  - Rlogin decode
  - Rlogin -froot
  - TFTP get passwd check
  - IMAP buffer smash
  - SMTP WIZ check
  - … etc.

* (From ISS RealSecure)

Misuse Detection (cont)

- Misuse detection systems are similar to virus scanning systems:
  - Both rely on meta-rules of vulnerabilities
  - Both need frequent rules updates
  - Both are easily fooled by slight mutations in virus/attack signature
  - Both are fairly low in generating false positives
- Moving to dumber systems with broader knowledge bases

Burglar Alarms

- A burglar alarm is a misuse detection system that is carefully targeted
  - You may not care about people port-scanning your firewall from the outside
  - You may care profoundly about people port-scanning your mainframe from the inside
- Set up a misuse detector to watch for misuses violating site policy
- Booby-traps are an option with this as well
  - Put sensors where likely intrusion may occur

Burglar Alarms (cont)

- Goals:
  - Based on site policy alert administrator to policy violations
  - Detect events that may not be “security” events which may indicate a policy violation
    - New routers: New MAC address providing routing?
    - New subnets: Ones that you haven’t seen?
    - New web servers: Port 80?

Burglar Alarms (cont)

- Trivial burglar alarms can be built with tcpdump and perl
- Netlog and NFR are useful event recorders which may be used to trigger alarms
  - http://www.nswc.navy.mil/ISSEC/Docs/loggingproject.html
  - ftp://coast.cs.purdue.edu/pub/tools/unix/netlog/
  - http://www.nfr.net/download

Burglar Alarms (cont)

- The ideal burglar alarm will be situated so that it fires when an attacker performs an action that they normally would try once they have successfully broken in
  - Adding a userid
  - Zapping a log file
  - Making a program setuid root
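
A trivial burglar alarm of the “tcpdump and perl” kind from the preceding slides, written in Python as an added example (not the tutorial’s own code). It reads tcpdump-style TCP lines and checks them against a site policy covering three of the deck’s own questions: a source in a subnet you have never seen, a connection attempt to the mainframe from outside the admin network, and a host answering on port 80 that is not a registered web server. The addresses, subnets and sample lines are constructed.

```python
"""Policy-driven burglar alarm over tcpdump-style output.
Added example, not from the tutorial; policy and sample lines are constructed."""
import ipaddress
import re

# The connection part of a tcpdump TCP line, e.g.
#   IP 10.1.4.77.50124 > 10.1.9.2.23: Flags [S], seq 1, win 512, length 0
TCP_LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")

# Site policy (constructed): what is normal on *this* network.
POLICY = {
    "known_subnets": [ipaddress.ip_network(n) for n in ("10.1.0.0/22", "10.1.4.0/24", "10.1.9.0/24")],
    "mainframe": ipaddress.ip_address("10.1.9.2"),
    "admin_net": ipaddress.ip_network("10.1.9.0/24"),
    "web_servers": {ipaddress.ip_address("10.1.2.10")},
}


def parse(line):
    """Return (src, sport, dst, dport, flags) or None for non-TCP lines."""
    m = TCP_LINE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport), flags


def check(line, policy=POLICY):
    """Return the policy violations one tcpdump line reveals (empty if none)."""
    rec = parse(line)
    if rec is None:
        return []
    src, sport, dst, dport, flags = rec
    alerts = []
    # New subnet: a source address that belongs to no subnet we know about.
    if not any(src in net for net in policy["known_subnets"]):
        alerts.append(f"traffic from unknown subnet: {src}")
    # Connection attempt (SYN) to the mainframe from outside the admin net.
    if flags == "S" and dst == policy["mainframe"] and src not in policy["admin_net"]:
        alerts.append(f"connection attempt to mainframe from {src} (port {dport})")
    # New web server: a SYN/ACK *from* port 80 means something is listening there.
    if flags == "S." and sport == 80 and src not in policy["web_servers"]:
        alerts.append(f"unregistered web server answering on {src}:80")
    return alerts


def run(lines, policy=POLICY):
    """Return [(line_number, alert)] for a batch of tcpdump lines."""
    out = []
    for n, line in enumerate(lines, 1):
        for alert in check(line, policy):
            out.append((n, alert))
    return out


# Constructed tcpdump output: one admin session, one inside probe of the
# mainframe, a registered and an unregistered web server, one unknown subnet.
SAMPLE = [
    "12:00:01.000 IP 10.1.9.20.50123 > 10.1.9.2.23: Flags [S], seq 1, win 512, length 0",
    "12:00:02.000 IP 10.1.4.77.50124 > 10.1.9.2.23: Flags [S], seq 1, win 512, length 0",
    "12:00:03.000 IP 10.1.4.77.50125 > 10.1.2.10.80: Flags [S], seq 1, win 512, length 0",
    "12:00:03.100 IP 10.1.2.10.80 > 10.1.4.77.50125: Flags [S.], seq 1, ack 2, win 512, length 0",
    "12:00:04.000 IP 10.1.4.40.80 > 10.1.4.77.50126: Flags [S.], seq 1, ack 2, win 512, length 0",
    "12:00:05.000 IP 10.1.200.5.40000 > 10.1.2.10.80: Flags [S], seq 1, win 512, length 0",
    "12:00:06.000 IP 10.1.4.77.50125 > 10.1.2.10.80: Flags [P.], seq 2:80, ack 2, win 512, length 78",
]

if __name__ == "__main__":
    for n, alert in run(SAMPLE):
        print(f"line {n}: {alert}")
```

Everything the alarm knows is in `POLICY`, which is the point the deck makes about burglar alarms: they are only as good as your knowledge of your own network, and the admin who changes the web farm without updating the policy is the person most likely to trigger one.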

Burglar Alarms (cont)

- Burglar alarms are a big win for the network manager:
  - Leverage local knowledge of the local network layout
  - Leverage knowledge of commonly used hacker tricks
  - Are site/architecture dependent
- You have to make the alarms specific to what you see as a threat at your site

Burglar Alarms: Pro

- Reliable
- Predictable
- Easy to implement
- Easy to understand
- Generate next to no false positives
- Can (sometimes) detect previously unknown attacks

Burglar Alarms: Con

- Policy-directed
  - Requires knowledge about your network
  - Requires a certain amount of stability within your network
    - If not, you will be getting a lot of them
- Requires care not to trigger them yourself

Honey Pots

- A honey pot is a system that is deliberately named and configured so as to invite attack
  - swift-terminal.bigbank.com
  - www-transact.site.com
  - source-r-us.company.com
  - admincenter.noc.company.net

Honey Pots (cont)

- Goals:
  - Make it look inviting
  - Make it look weak and easy to crack
    - Microsoft IIS 4.0 ☺
  - Instrument every piece of the system
  - Monitor all traffic going in or out
  - Alert administrator whenever someone accesses the system

Honey Pots (cont)

- Trivial honey pots can be built using tools like:
  - tcpwrapper
  - Burglar alarm tools (see “burglar alarms”)
  - restricted/logging shells (sudo, adminshell)
  - C2 security features (ugh!)
- See Cheswick’s paper “An evening with Berferd” for examples
- http://project.honeynet.org

Honey Pots: Pro

- Easy to implement
  - Do you make them equal in security of your regular systems? Or lower?
- Easy to understand
- Reliable
- No performance cost

Honey Pots: Con

- Assumes the hackers you really care about are really stupid
  - They aren’t
- Your Time
- Entrapment issues: Ask your lawyer

Section Contents

- General
- IDS Models
- IDS Data Sources
- Types of IDS
- Technical Caveats

Other IDS Issues

- Other things affecting speed and detection ability
  - TCP fragment re-assembly
  - TCP packet re-ordering
  - TCP state/sequence tracking
    - FIN, ACK, SYN, SYN/ACK, RST
  - Analyzing only selected sessions
- Need to understand deliberate avoidance

Fragment Re-assembly and Re-ordering

- Re-assembly
  - Takes significant CPU time as well as memory to buffer packets
- Re-ordering
  - Takes significant CPU time as well as memory to buffer packets
  - IDS can be impacted by unintentional or deliberate packet drops since it tries to buffer out-of-sequence packets
  - How does IDS handle re-ordering?
    - Does it just flag out-of-sequence packets or does it ???
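
The re-ordering cost on this slide, made concrete as an added example (not the tutorial’s own code): a minimal TCP re-orderer for one direction of a stream that buffers out-of-sequence segments up to a fixed memory limit and discards anything beyond it. The request text, the segment sizes and the arrival order are constructed. With enough buffer the IDS sees the same byte stream the endpoint does; with too little, segments are lost to the IDS (the endpoint still gets them, so there is no retransmission to catch later) and the reassembled stream stops at the first hole, so a signature spanning that hole is never matched.

```python
"""TCP re-ordering with a bounded out-of-order buffer: what an IDS gives up
when it runs out of memory for segments.  Added example, not from the tutorial."""


class Reassembler:
    """Re-orders segments of one direction of a TCP stream, relative seq 0."""

    def __init__(self, buffer_limit):
        self.buffer_limit = buffer_limit   # max bytes held out of order
        self.next_seq = 0                  # next byte we can deliver in order
        self.pending = {}                  # seq -> bytes waiting for a hole to fill
        self.delivered = bytearray()
        self.dropped = 0                   # segments discarded for lack of buffer

    def buffered(self):
        return sum(len(d) for d in self.pending.values())

    def feed(self, seq, data):
        if seq < self.next_seq:            # overlap or retransmit: keep only new bytes
            data = data[self.next_seq - seq:]
            seq = self.next_seq
            if not data:
                return
        if seq != self.next_seq:           # out of order: buffer it, if we can afford to
            if self.buffered() + len(data) > self.buffer_limit:
                self.dropped += 1          # the endpoint still gets it; we never will
                return
            self.pending[seq] = data
            return
        self.delivered += data
        self.next_seq += len(data)
        while self.next_seq in self.pending:   # drain segments that are now contiguous
            d = self.pending.pop(self.next_seq)
            self.delivered += d
            self.next_seq += len(d)


def reassemble(segments, buffer_limit):
    """Return (stream_text, dropped_segments, first_missing_seq)."""
    r = Reassembler(buffer_limit)
    for seq, data in segments:
        r.feed(seq, data)
    return r.delivered.decode(), r.dropped, r.next_seq


# Constructed: one request line cut into 5-byte segments that arrive out of
# order; the receiving stack reorders them, so the IDS has to as well.
REQUEST = b"GET /cgi-bin/phf HTTP/1.0"
SEGMENTS = [(0, REQUEST[0:5]), (15, REQUEST[15:20]), (20, REQUEST[20:25]),
            (10, REQUEST[10:15]), (5, REQUEST[5:10])]

if __name__ == "__main__":
    for limit in (20, 8):
        text, dropped, hole = reassemble(SEGMENTS, limit)
        print(f"buffer {limit:2d}: {text!r}, dropped {dropped}, stream stops at byte {hole}")
```

A real sensor has to decide what to do at the hole: keep waiting (and hold the session state forever), give up on the session, or scan the fragments it has without ordering. Each choice is a different blind spot, which is the question the slide leaves open.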

TCP State Tracking & Session Analyzing

- TCP State Tracking
  - Have to have large tables to maintain all TCP session state data
  - How many states can you handle?
  - Are you sure you have the right context
    - FIN, ACK, SYN, SYN/ACK, RST
- Analyzing Selected Sessions
  - Have to have the ability to select the sessions
  - This has similar problems to the TCP state tracking

Where are we?

- High level theory
- Deployment examples
- Integrating Data Sources
- Benchmarks and Performance
- Choosing a System
- Eluding IDS
- Forensics and Response
- Ethics, Policies, Legalities
- Conclusions

Section Contents

- VPN
- Corporate network
- E-Commerce site (n-tiered)
- Other Issues
- Firewalls
- Switches

IDS and VPNs

- VPN (Virtual Private Networks) encrypt traffic
  - Host based IDS is probably best
  - Network-oriented IDS’ cannot (presumably!) monitor/analyze it correctly
    - Actually: no - when a VPN fails to sync because the attacker has an invalid key, the IDS can pull the sync failure from the stream
- Many VPN packages provide good logging
  - A sync failure may mean an attack attempt

    A Visual

  • 8/16/2019 Se Ids Secsymp01

    92/241

    V 1.0 Copyright SystemExperts 2001,2002,2003

    VPN CLient- HIDS

    VPN Server -HIDS

    IDS Collector

    IDS Logs

    Corporate network

Corporate Network
- Utilize all forms of log sources
  - HIDS on critical systems
  - Application logs and specific IDS modules
  - NIDS for each network
  - Native system logs: syslog, with Perl or Python to get the others
- Need to integrate some end-node info: where do your virus scanners log?
- Log to a central server: Netcool from MicroMUSE, PrivateI from www.opensystems.com, or ManHunt from Recourse Technologies, for example

A Visual (diagram): NIDS sensors watch the Internet connection and the internal segments holding supporting services, critical servers and desktops; every sensor reports to the IDS collector, and the monitor station reads from the collector.

    E-Commerce site (n-tiered)


- Much the same as the previous one
- Log to a central server
  - Firewall rules need to be in place to allow this
  - The corporate firewall logs internally, not to the production IDS collector
- Web servers and firewalls are logical candidates for host-based sensors and log sources
- For SSL, the decrypted traffic is only visible at the web server or at an SSL appliance, so that is where the sensor has to sit
- Use network-based IDS to profile scans and sweeps against the web servers

A Visual (diagram): Internet, firewall, then the n-tier site of web servers, app server, database and supporting services, with a NIDS on each tier's network and an IDS collector for the production site; the corporate network behind its own firewall has a separate IDS collector.

    Other Issues/Thoughts


- Networks are increasingly moving toward switched architectures
  - It is difficult for a network-oriented IDS to tap all traffic moving through a switch
  - Mirroring everything to one port can swamp the IDS, or swamp the switch
  - Solutions are not yet forthcoming
  - Best approach to date is to plug a hub in front of the critical systems to be watched
  - Shomiti taps for high-speed full-duplex connections: you need two interfaces on the IDS, one for each side of the full-duplex conversation

    Other Issues/Thoughts, cont.


- Put a connection-based load balancer in front of an array of IDS machines
- Use Cisco's IDS blade that plugs into the switch backplane; some folks are using multiple blades in a 6xxx series chassis and just sending them all the VLANs they want to monitor

    Other Issues/Thoughts


- Firewalls and IDS will eventually be combined into a single capability
- Many firewalls can trigger alerts when traffic to a "bad destination" is seen
  - Use this capability to build burglar alarms by overloading the firewall rulesets: add rules whose only job is to log traffic that should never occur, such as a DMZ host opening a login session toward the inside

IDS Firewall Alarm (diagram): Internet, a router with some screening, the firewall, then the internal network with desktops and the DMZ network with the WWW server. The hacked web server on the DMZ tries to telnet into the internal network and the firewall trips an alert: why would the web server try to telnet in!?!?!
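The logic behind the burglar alarm in the diagram, as an added example that is not part of the tutorial: on the firewall itself these would be deny-and-log rules placed ahead of the normal policy; here the same rules are evaluated over a handful of constructed connection records so the decision can be seen end to end. The zones, addresses, ports and the record format are assumptions made for illustration.

```python
"""Firewall 'burglar alarm' rules run over connection records.
Added example, not from the tutorial. Zones, addresses, ports and the
record format are assumptions; the records are constructed, not captured."""
import ipaddress

ZONES = {
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),   # web servers live here
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

# Traffic with no legitimate reason to exist. A hit is an alarm, not just a
# drop: a DMZ host originating a login session inward means the DMZ host is
# no longer under our control.
ALARMS = [
    {"name": "dmz-initiates-telnet-inward", "src": "dmz", "dst": "internal", "dports": {23}},
    {"name": "dmz-initiates-ssh-inward",    "src": "dmz", "dst": "internal", "dports": {22}},
    {"name": "dmz-initiates-smb-inward",    "src": "dmz", "dst": "internal", "dports": {139, 445}},
]

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"

def parse_record(line):
    """'src=A dst=B proto=tcp dport=N action=X' -> dict (constructed format)."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["dport"] = int(rec["dport"])
    return rec

def check(line):
    """Name of the alarm rule the record trips, or None."""
    rec = parse_record(line)
    src_zone, dst_zone = zone_of(rec["src"]), zone_of(rec["dst"])
    for rule in ALARMS:
        if src_zone == rule["src"] and dst_zone == rule["dst"] and rec["dport"] in rule["dports"]:
            return rule["name"]
    return None

SAMPLE_LOG = [  # constructed records, not real firewall output
    "src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=80 action=accept",   # normal web hit
    "src=10.1.5.20 dst=192.0.2.10 proto=tcp dport=22 action=accept",     # admin from inside: fine
    "src=192.0.2.10 dst=10.1.5.20 proto=tcp dport=23 action=drop",       # web server telnets inward!
    "src=192.0.2.10 dst=10.1.5.21 proto=tcp dport=445 action=drop",
]

def alarms(lines=SAMPLE_LOG):
    """(src, dst, rule name) for every record that trips an alarm rule."""
    hits = []
    for line in lines:
        name = check(line)
        if name:
            rec = parse_record(line)
            hits.append((rec["src"], rec["dst"], name))
    return hits
```

The ordinary policy would drop the last two records anyway; the point of the dedicated rules is that a match is escalated rather than counted with the background noise of denied packets.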


Section Contents (Integrating Data Sources)
- Goals of Integrating Data Sources
- Commercial Integrated Systems
- What Goes Into Integrating Data?
- Misuse Information and Classification

    Goals of Integrating Data Sources


- Turn sensor events into intrusions
- Turn intrusions into reports and alarms

    Integration = Sales


- Integration is the chief value-add of established IDS products, and is how they got that way

    Commercial Integrated Systems


- In the past, closed or proprietary systems
  - The vendor might not keep up with the state of the art
  - The vendor might be strong in one area and weak in another
  - You can't add your own sensors to compensate for the vendor's weakness
  - That won't do in today's environment
- New players in this space
  - Open and extensible
  - Still can't get the whole job done off the shelf

What goes into integrating data?


- Let's look at how it is done, either by a vendor or by you
- Looking at the pieces helps you understand the challenges, and the strengths and weaknesses, of a particular approach

    Things you need


- Data sources
- Analysis and reporting
- Long-term storage

    Data Sources


- HIDS
- NIDS
- Firewall logs
- Router logs
  - ACL matches
  - Reconfiguration events
  - Authentication events

    More Data Sources

- Host OS logs
  - syslog
  - lastcomm
  - lastlog
  - Authentication events
  - Audit records
- Application logs
  - Web server
  - Oracle or other database
  - LDAP server
  - RADIUS server
- Virus scanner output
- In-kernel packet filter logs
- VPN gateway appliance logs

    About those data sources

- Each one has a different output format
- "Normalize" the output of each source to a common format
  - A special software adapter for each class of data source; it can be a Perl script
- Gives tremendous power to correlate and query
- Not everyone does this

    Normalizing events

- Widely varying levels of abstraction
  - "Got this funny packet": router ACL
  - "Phf attack in progress": NIDS or application IDS
  - "Login failed on router": RADIUS server
- Notion of "subject" and "object" to provide generalization beyond packets
- Uniform representation for source and destination
- Uniform time format
  - Make sure clocks are synched; use NTP
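What the adapters in this section actually do can be shown with the three example messages above. The block below is an added example written for this page, not code from the tutorial or from any product. The three input lines are constructed approximations of a Cisco-style ACL syslog line, a Snort-style alert and a RADIUS failure, and the per-sensor time zone offsets are assumptions; each adapter produces the same record shape with a subject, an object, an action and a UTC timestamp, which is what lets the events from three different sensors be sorted into one timeline.

```python
"""Normalizing events from three sources into one record shape.
Added example, not from the tutorial. Input formats are constructed
approximations of a router ACL syslog line, a NIDS alert and a RADIUS
failure; sensor time zone offsets are assumptions."""
import re
from datetime import datetime, timezone, timedelta

# Each sensor stamps events in its own local time. Clocks are assumed to be
# NTP-synced, so all that is left to fix is the offset.
TZ = {"router": timedelta(hours=-8), "nids": timedelta(hours=-8), "radius": timedelta(0)}

def to_utc(source, local_naive):
    return local_naive.replace(tzinfo=timezone(TZ[source])).astimezone(timezone.utc)

# Constructed sample lines, one per source
ROUTER = ("May 15 02:37:55 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp "
          "212.247.185.41(111) -> 216.27.176.114(111), 1 packet")
NIDS   = "05/15-02:37:58 [**] WEB-CGI phf access [**] 212.247.185.41:3344 -> 216.27.176.114:80"
RADIUS = "Tue May 15 10:38:01 2001: Auth: Login incorrect: [admin] (from client rtr1 port 0)"

def from_router(line):
    m = re.search(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .* (denied|permitted) (\w+) "
                  r"(\S+)\((\d+)\) -> (\S+)\((\d+)\)", line)
    ts = datetime.strptime("2001 " + m.group(1), "%Y %b %d %H:%M:%S")  # syslog carries no year
    return {"ts": to_utc("router", ts), "source": "router", "subject": m.group(4),
            "object": f"{m.group(6)}:{m.group(7)}/{m.group(3)}", "action": "acl-" + m.group(2)}

def from_nids(line):
    m = re.search(r"^([\d/]+-[\d:]+) \[\*\*\] (.+?) \[\*\*\] (\S+):(\d+) -> (\S+):(\d+)", line)
    ts = datetime.strptime("2001 " + m.group(1), "%Y %m/%d-%H:%M:%S")
    return {"ts": to_utc("nids", ts), "source": "nids", "subject": m.group(3),
            "object": f"{m.group(5)}:{m.group(6)}/tcp", "action": m.group(2)}

def from_radius(line):
    m = re.search(r"^(\w{3} \w{3} +\d+ [\d:]+ \d{4}): Auth: Login incorrect: "
                  r"\[(\S+)\] \(from client (\S+)", line)
    ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    return {"ts": to_utc("radius", ts), "source": "radius", "subject": m.group(2),
            "object": m.group(3), "action": "login-failed"}

# Which adapter handles a line is decided by a cheap marker in the text
ADAPTERS = [(re.compile(r"IPACCESSLOG"), from_router),
            (re.compile(r"\[\*\*\]"), from_nids),
            (re.compile(r"Auth: Login"), from_radius)]

def normalize(line):
    for marker, adapter in ADAPTERS:
        if marker.search(line):
            return adapter(line)
    raise ValueError("no adapter for: " + line)

def timeline(lines=(ROUTER, NIDS, RADIUS)):
    """Events from all sources in one UTC-ordered list."""
    events = sorted((normalize(l) for l in lines), key=lambda e: e["ts"])
    return [(e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), e["source"], e["subject"], e["action"])
            for e in events]
```

Without the offset correction the RADIUS event, stamped 10:38 in UTC, would sort eight hours after the two Pacific-time events that actually preceded it by seconds; that is the practical reason the slide insists on a uniform time format and synchronized clocks.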

    More things you need

- Data analysis and reporting
  - Artificial ignorance
  - Correlation tools
  - Counting/thresholding software

    Artificial Ignorance

- A log processing technique of determining, step-wise, what to ignore
- Everything not uninteresting must be interesting
  - Set up log scanning filters to delete the uninteresting records
  - Bring everything else to the system admin's attention

    Artificial Ignorance (continued)

- Use grep -v -f to filter log messages against a pattern list of uninteresting stuff
- Iteratively build the list using several weeks' or months' worth of logs
- Tune as necessary
- Output is a periodic report: hourly, daily, weekly
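The grep -v -f loop above, plus the step that makes the iteration work, as an added example that is not from the tutorial: after filtering, the leftover lines are collapsed into templates (numbers masked, timestamp and host dropped) and counted, so the most frequent leftovers become the candidates for the next revision of the ignore list. The log lines and the ignore list are constructed for illustration.

```python
"""Artificial ignorance as a small script.
Added example, not from the tutorial. Same job as grep -v -f with a
pattern file, plus a count of what got through, grouped by template, to
drive the next iteration. Log lines and ignore list are constructed."""
import re
from collections import Counter

# Ignore list: one regex per entry, same role as the file handed to grep -v -f
IGNORE = [
    r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.",  # known-good logins from inside
    r"CRON\[\d+\]: \(\w+\) CMD",                              # scheduled jobs
    r"-- MARK --",                                            # syslog heartbeat
]

LOGS = """\
May 15 02:30:01 web1 CRON[2011]: (root) CMD (/usr/lib/sa/sa1)
May 15 02:33:12 web1 sshd[2044]: Accepted publickey for deploy from 10.1.5.20 port 51022
May 15 02:37:55 web1 portmap[180]: connect from 212.247.185.41 to getport(mountd): request from unauthorized host
May 15 02:37:56 web1 sshd[2060]: Failed password for root from 212.247.185.41 port 4022
May 15 02:37:58 web1 sshd[2061]: Failed password for root from 212.247.185.41 port 4023
May 15 02:40:00 web1 -- MARK --
May 15 02:41:10 web1 su: BAD SU nobody to root on /dev/pts/3
May 15 02:45:01 web1 CRON[2101]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

def interesting(l_lines, ignore=IGNORE):
    """Everything not uninteresting: the lines that match no ignore pattern."""
    pats = [re.compile(p) for p in ignore]
    return [l for l in l_lines if not any(p.search(l) for p in pats)]

def template(line):
    """Drop 'Mon DD HH:MM:SS host', then mask digits so repeats of one
    message shape collapse into a single key."""
    body = line.split(" ", 4)[4] if line.count(" ") >= 4 else line
    return re.sub(r"\d+", "N", body)

def leftovers(l_lines, ignore=IGNORE):
    """Counted templates of what got through, most frequent first. The top
    entries are what you look at when deciding whether the next ignore
    pattern is warranted, or whether the report has found something."""
    return Counter(template(l) for l in interesting(l_lines, ignore)).most_common()
```

Run against the sample, the two heartbeat and two cron lines and the inside login disappear; the repeated root password failures from one address top the leftover count, which is exactly the kind of entry that should never be added to the ignore list.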

    Artificial Ignorance (continued)


- Logcheck: http://www.psionic.com/logcheck.html
  - Monitors syslog files and applies search lists of violations to look for, as well as strings to ignore
  - Includes a pretty good set of log filters as a baseline

    Artificial Ignorance (continued)

- Logsurfer: http://www.cert.dfn.de/eng/logsurf/home.html
  - Provides close-to-real-time notification
  - Matches regexp patterns across multiple lines, with timeouts
  - Can invoke external programs
  - Nasty config language, but worth it
  - Can only read one file at a time

    Artificial Ignorance (finished)

- You can see that this log processing is hard work, and takes a long time to get right
- The good news is that commercial products are starting to enter this space, both as software products and as services
- The bad news is that no product does the whole job yet

    Correlation tools

- Effective correlation is the hardest part
  - No freeware tool does as good a job as a trained analyst
  - Trained analysts aren't freeware, either
- Excel is your friend
  - So are gnuplot and other similar tools

    Long Term Storage

- Flat files run out of steam for busy sites
- But you might want to keep the raw data for forensic purposes
  - RAID
  - Write-once media
  - Encrypt to protect confidentiality
  - Digitally sign to ensure integrity
- Databases are popular
  - Easy to query
  - Transaction oriented

A Visual (diagram): log data arrives over SNMP, syslog, SQL, NT syslog and other channels, passes through processing scripts, and comes out as reports.

    Misuse Information and Classification

- What do you call a vulnerability or attack?
- Public dictionaries of attack and vulnerability information now exist
  - The Snort database (which also serves as input to the NIDS!)
  - CERT
  - CVE

    CVE: Common Vulnerabilities and Exposures

- Common Vulnerabilities and Exposures (CVE) is:
  - A list of standardized names for vulnerabilities and exposures; CVE standardizes names, not detailed technical descriptions
  - A dictionary, NOT a database
  - A community-wide effort
  - Freely available
- http://cve.mitre.org

    How is CVE used?

- "CVE compatible" means:
  - The tool uses CVE names such that it can cross-link with other repositories that use CVE names
  - The user can search using a CVE name to find related information
  - The tool's output includes the related CVE name(s)
  - The tool maps to a specific version of CVE, with a good-faith effort to ensure the accuracy of the mapping

    Sample CVE Entry

- CVE-2000-0217
  - Default configuration of SSH allows X forwarding, which could allow a remote attacker to control a client's X sessions via a malicious xauth program.
  - References:
    - BUGTRAQ:20000224 SSH & xauth
    - BID:1006


    IDS: Performance

- Network-based IDS (in current tests) don't fare well in high-speed networks (but the definition of high speed is changing)
- Many silently drop packets at over 30 Mb/s
  - tcpdump on many systems does too(!)
  - The only way to tell is to compare the hardware packet counts against what the IDS claims to see
- Be careful to check the performance of any IDS you plan to install

    Building: Performance

- If you are trying to build your own sniffer:
  - At speeds above 20 Mb/s you will begin to lose packets on most versions of UNIX
  - If you want to go above 30 Mb/s you will need to modify the kernel
  - If you want to go above 50 Mb/s you will need to write your own device drivers

    Building: Performance (cont)

- Techniques for going faster
  - New algorithms
  - Change what you look for: flows
  - Faster hardware
  - Multiprocessing
  - Dividing up the data stream: load balancer
  - IDS in hardware

    IDS Benchmarking

- How hard can it be? Very!
- Lots of ways to get it wrong
  - Accidentally
  - Deliberately
- Not doing it wrong does not mean you did it right

    Analyzing Selected Sessions

- An IDS can "optimize" performance by only reassembling or tracking the TCP sessions related to known signatures
  - The IDS might have extremely good performance against random traffic but poor performance against (e.g.) Web traffic
  - The tradeoff is coverage versus performance; vendors do not usually document this

Naïve Simulation Network (diagram): an attack generator sends the attack stream across the test network to a target host, with the NIDS listening on the same test network.

    What’s Wrong?

- The naïve test network permits traffic that is not likely to be seen in a "real world" deployment, e.g. ARP cache poisoning (you see a lot of this on DEFCON CTF networks)
- The presence of a router would "smooth" spikes somewhat and actually achieve higher sustained loads

Naïve Simulation Network #2 (diagram): the attack generator and a SmartBits load generator sit on test network #1; a router with some screening joins it to test network #2, which holds the target host and the NIDS watching the attack stream.

    What’s Wrong?

- SmartBits-style traffic generators do not generate "real" TCP traffic
  - This penalizes IDS that actually look at streams and try to reassemble them (which are desirable properties of a good IDS)

Skunking a Benchmark (diagram): an attack generator and a SmartBits load generator on the test network, with the attack stream aimed at three target hosts, each running a host-network IDS.

    What’s Wrong?

- Packet-style counts are not relevant to a host-network IDS, which only ever sees the traffic addressed to its own host

Skunking a Benchmark #2 (diagram): an attack generator and a SmartBits load generator on the test network, the attack stream aimed at a single target host, and a NIDS with selective detection turned on.

    What’s Wrong?

- An IDS with selective detection can be configured to only look at traffic aimed at the local subnet
  - The SmartBits-style generator's random traffic largely gets seen and discarded, so the load never reaches the analysis engine

Effective Simulation Network (diagram): recorded attack and normal traffic on a hard disk is replayed back onto the test network, where the NIDS sees it.

    What’s Wrong?

- Nothing:
  - Predictable baseline
  - Can verify the traffic rate with simple math
  - Can scale the load arbitrarily (use multiple machines, each with different capture data)
  - Traffic is real, including "real" data contents
  - The NIDS cannot be configured to watch a specific machine (there are no targets)

    Tools to Use

- Fragrouter: generates fragmented packets
- Whisker: generates out-of-sequence packets
- Pcap-pace: replays packets from a hard disk with the original inter-packet timing



    Choosing a System

- What are we looking for?
- What matters?
- What differentiates?
- Deal breakers!
- One step at a time

    What are we looking for?

- Primary criterion: the ability to detect an intrusion
- Secondary are other issues
  - False positives: false alarms
  - False negatives: missed attacks
  - Performance impact: throughput, delay or CPU usage

    What Matters?

- Scalability
  - How many systems now?
  - In 3-5 years?
- Organizational issues
  - Are you central or distributed control?
- Support
  - Who will support it? (TCO)
  - Will the vendor be responsive to your needs?
  - Do you have the staff to maintain the signatures?

    What Differentiates?

- Data source flexibility
  - What and where can they pull the data from?
  - The more options, the better
- Extensive signatures
  - But make sure to compare apples to apples
- Security
  - Of the data and of the transport

    What Differentiates? (cont)

- Flexible alert facility
  - How will the system let you know there is a problem?
- Robust reporting system
  - You need something that you can use to get the data in a format you require
- How it is administered: ease of management
  - How to push out updates and configs

    A method to evaluate

Category                  Weight   IDS#2   IDS#3   IDS#4
Support                       40       4       1       1
Scalability                   50       4       2       5
Flexible Alert Facility       15       5       3       3
Robust Reporting System       15       3       2       4
Ease of Administration        10       3       4       2
Security                      20       3       1       3
Extensive Signatures          25       4       3       4
Data Source Flexibility       25       3       3       3
Total Score (max 1000)               745     425     650

Scores run from 1 (worst) to 5 (best); each total is the sum of weight times score, so with weights adding to 200 the maximum possible is 1000.

    Deal Breakers!

- Poor support history
  - Remember: "You never get treated better than when you are dating!"
- 2-tier systems
- No or weak encryption
- Unacceptable evaluation in multiple categories

    One step at a time

- How do you eat an elephant? One bite at a time
- Start with the following, in order of preference:
  1. Network ID at the firewall/perimeter networks
  2. Host and application ID on the most critical externally accessible systems
  3. Host and application ID on critical internal servers
  4. Network ID on critical internal networks
  5. Host and application ID on secondary internal servers
  6. Network ID on internal networks
  7. Host ID on desktop/user systems


    Seminal Paper on Eluding IDSs

- Paper by Ptacek and Newsham of Secure Networks, Inc.: "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" (1998)
- Commercial and "free" systems were analyzed; no one passed!
- Issues to overcome
  - Insufficiency of information on the wire
  - Vulnerability to denial of service: resource exhaustion of CPU, memory, disk or bandwidth

Issues
- Obscured data
- Packet fragmentation and reassembly
  - Sequence
  - Overlapping fragments
  - IP options in fragment streams
- TCP transport layer problems
- IDS state transition
- Bugs in IP stacks
- Malformed header fields
- Data synchronization
- Abusing reactive ID systems

    Types of Attacks

- Insertion: the IDS accepts a packet that the end-system rejects, so the IDS analyzes data the target never processes
- Evasion: the end-system accepts a packet that the IDS rejects, so the target processes data the IDS never sees

    Proximity matters

- The farther away the IDS is from the source of the data, the more vulnerable it is to spoofing
- A network-oriented IDS will have trouble making sense of:

    $ stty erase R
    $ rxRoxRotkit
    $ stty erase ^?

  (with R set as the erase character, the keystrokes rxRoxRotkit are what the shell receives as rootkit)
- A logging shell would not be fooled

    Signal to Noise

- Flooding networks with data may also be used to mask an attack against an IDS
  - Of course, this is a dead giveaway!
  - Few systems are capable of doing packet capture at speeds greater than 20 Mb/s
- If all else fails, the attacker can try to crash the IDS itself (another dead giveaway!)

    Packet fragmenting

- Not all network-based IDS do full TCP reassembly; those that don't are vulnerable to attempts to manipulate the TCP stream
- Such attempts should be detected as unusual/noteworthy events in their own right (normal networks do not fragment large packets into 40-byte fragments, etc.)

    Obscuring Data

- As an example, www.nwi.net/~pchelp/obscure.htm can also be written as

    3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D

  - Nothing before the @ matters (it is parsed as user info and discarded)
  - Double-word (32-bit decimal) representation of the dotted-quad IP address
  - Hexadecimal representation of individual characters interspersed through the path
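Undoing the three tricks above before matching is the canonicalization step a NIDS needs for HTTP. The block below is an added example written for this page, not the tutorial's code or any product's: it strips the user info, converts a dword or hex host back to a dotted quad, and decodes the escapes once. The address the dword decodes to is simple arithmetic, not a claim about what www.nwi.net actually resolved to, and the extra inputs beyond the slide's string are constructed.

```python
"""Canonicalizing an obscured URL before matching it against signatures.
Added example, not from the tutorial. The slide's obscured URL is the main
input; the other inputs are constructed, and the dotted-quad result is
arithmetic, not a statement about www.nwi.net."""
import socket
import struct
from urllib.parse import unquote

def host_to_dotted(host):
    """'3466536962' or '0xCE9F2802' -> '206.159.40.2'; names pass through."""
    h = host.lower()
    try:
        n = int(h, 16) if h.startswith("0x") else int(h, 10)
    except ValueError:
        return host                       # a hostname, or an already dotted quad
    if not 0 <= n <= 0xFFFFFFFF:
        return host
    return socket.inet_ntoa(struct.pack("!I", n))

def canonicalize(url):
    scheme, rest = (url.split("://", 1) if "://" in url else ("http", url))
    authority, _, path = rest.partition("/")
    if "@" in authority:
        authority = authority.rsplit("@", 1)[1]   # nothing before the @ matters
    host, _, port = authority.partition(":")
    host = host_to_dotted(host)
    # Decode escapes exactly once, as a web server does. Decoding more times
    # than the target would is itself an insertion/evasion mismatch.
    path = "/" + unquote(path)
    return f"{scheme}://{host}{':' + port if port else ''}{path}"

def signature_hit(url, signature="obscure.htm"):
    """(raw match, canonical match): the gap between them is what a
    string-matching IDS misses."""
    return signature in url, signature in canonicalize(url)

OBSCURED = "3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D"  # from the slide
```

The single decode pass is deliberate: the right number of passes is whatever the target server performs, and an IDS that decodes more or fewer times than the server is open to the same insertion and evasion mismatch the next slides describe.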

    Anti IDS Tools

- Whisker
  - URL encoding
  - Directory insertion (/../)
  - Premature URL ending
  - Long URL
  - Fake parameter
  - Session splicing
  - NULL method

    More Anti IDS Tools

- Fragrouter
  - Most attacks implemented correspond to those listed in the Ptacek and Newsham paper
  - Examples:
    - Preserve the entire protocol header in the first fragment; useful in bypassing packet filters that deny short IP fragments
    - Send data in ordered 8-byte IP fragments, with one fragment sent out of order
    - Send data in ordered 8-byte IP fragments, sending the marked last fragment first
    - Complete the TCP handshake, send a fake FIN and RST (with bad checksums) before sending data in ordered 1-byte segments
    - Complete the TCP handshake, send data in out-of-order 1-byte segments
    - Complete the TCP handshake, send data in ordered 1-byte segments interleaved with SYN packets for the same connection parameters
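The overlapping-fragment and out-of-order tricks above come down to one question: when two copies of the same byte arrive, which one does the reassembler keep? The block below is an added example written for this page, not code from the tutorial or from Fragrouter. It reassembles a constructed fragment train under a first-wins and a last-wins policy and then classifies the mismatch between an IDS and a host using different policies as insertion or evasion, the two attack types defined earlier in this section. Offsets are in bytes rather than IP's 8-byte units, and no real packets are involved.

```python
"""Overlapping fragments: why an IDS and the end host can disagree.
Added example, not from the tutorial. Fragments are tuples constructed
inline, offsets are in bytes rather than 8-byte units, and the HTTP
request is made up for illustration."""

def reassemble(frags, policy="first"):
    """frags: (offset, payload, more_fragments_flag) in arrival order.
    'first' keeps the earliest-arriving copy of a byte, 'last' the latest."""
    buf, total = {}, None
    for off, data, more in frags:
        for i, byte in enumerate(data):
            if policy == "last" or off + i not in buf:
                buf[off + i] = byte
        if not more:
            total = off + len(data)        # the last fragment fixes the length
    if total is None or any(p not in buf for p in range(total)):
        return None                        # a hole, or no last fragment yet
    return bytes(buf[p] for p in range(total))

BENIGN = b"GET /index1.html HTTP/1.0\r\n"
HOSTILE = b"/cgi-bin/phf"                   # same length as b"/index1.html"

def overlap_train():
    """Constructed fragment train: bytes 4..15 are sent twice, the hostile
    copy arriving second."""
    return [(0, BENIGN[:4], True), (4, BENIGN[4:16], True),
            (4, HOSTILE, True), (16, BENIGN[16:], False)]

def verdict(frags, ids_policy, host_policy, signature=b"/cgi-bin/phf"):
    """'insertion' when only the IDS sees the attack string, 'evasion' when
    only the host does, 'agree' when both or neither do."""
    ids_sees = signature in (reassemble(frags, ids_policy) or b"")
    host_sees = signature in (reassemble(frags, host_policy) or b"")
    if ids_sees and not host_sees:
        return "insertion"
    if host_sees and not ids_sees:
        return "evasion"
    return "agree"
```

Note that "first" and "last" refer to arrival order, so reversing the train flips the outcome under a first-wins policy; that is why Fragrouter bothers to send one fragment out of order. The only robust answer is for the IDS to know which policy each protected host uses, which is what Ptacek and Newsham mean by insufficiency of information on the wire.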

    More Anti IDS Tools

- MUTATE v1.1
  - Used to bypass/test NIDS
  - Similar to Whisker
- Snot
  - Arbitrary packet generator
  - Uses Snort rules files as its source of packet information
  - Attempts to randomize information to prevent detection by the "snot detection" Snort rules
  - Can be used as an IDS evasion tool, by using specific decoy hosts
- Nmap
  - Timing
  - Decoy parameter


    Forensics

- The art of gathering evidence during or after a crime
  - Reconstructing the criminal's actions
  - Providing evidence for prosecution
- Forensics for computer networks is extremely difficult and depends completely on the quality of the information you maintain

    Forensics: Tools

- tcpdump
- Argus
- NFR
- Tripwire
- Backups
- The Coroner's Toolkit (TCT)
- TCTUTILS
- Autopsy
- Incident Response Collection Report (IRCR)
- tcpwrapper
- Sniffers
- Nnstat
- A line printer

    The Coroners Toolkit (TCT)

- A collection of programs by Dan Farmer and Wietse Venema for post-mortem analysis of a UNIX system after a break-in
- Most important parts
  - grave-robber: captures information
  - ils and mactime: display access patterns of files, dead or alive
  - unrm and lazarus: recover deleted files
  - findkey: recovers cryptographic keys from a running process or from files
- OSes: Solaris, SunOS, FreeBSD, Linux, BSD/OS, OpenBSD
- http://www.porcupine.org/forensics

    TCTUTILS

- Adds functionality to TCT
  - List directory inode contents to view file, device, and directory names
    - Allows deleted file names to be viewed and possibly recovered
  - Get Modified, Accessed, and Created time data on deleted files
  - Find the names of files and directories that are using a given inode
  - Find the inode that is using a given block
  - Display the contents of a given block in several formats
  - Display the details of an inode (including all block numbers)
- Requires TCT 1.06 or greater

    Autopsy

- HTML-based graphical interface to TCT, TCTUTILS, and basic UNIX utilities
  - Integrates many command-line tools to automate the tedious tasks
  - Helps in using the individual tools for more complex scenarios
- Offers 4 methods of browsing: file, inode, block, block search
- www.cerias.purdue.edu/homes/carrier/forensics/

    Incident Response Collection Report (IRCR)

- Basically TCT for Windows
  - Gathers and/or analyzes forensic data on a Microsoft Windows system
  - You can think of this as a snapshot of the system in the past
- Like TCT, mostly oriented towards data collection rather than analysis
  - The premise is that the person who gets the data knows what to do with it ☺
- http://www.incident-response.org/IRCR.htm

    Forensics: Response

- Split response efforts into two teams
  - Team A: learn what you can about what the attacker is doing; feed the information to Team B
  - Team B: generate a "shutout plan" based on the attackers' techniques to lock them out (and keep them out)
- Determine in advance when Team A will give up and Team B will perform the shutout

    Response

- Examine log files
- Look for sniffers
- Look for remote control programs (NetBus, Back Orifice, etc.)
- Look for possible hacker file sharing or communications programs (eggdrop, irc, etc.)

    Response (cont)

- Look for privileged programs:

    find / -perm -4000 -print

- Look for file system tampering (use Tripwire or backups)
- Examine cron and at jobs
- Look for unauthorized services:

    netstat -a

  and check inetd.conf

    Forensics: Backtracking

- Nowadays hackers are increasingly sophisticated about hiding their tracks
  - The ones that are good, you won't catch
  - The ones that you can catch aren't worth catching
- Very few good tools for backtracking are available

    Hidden Directories

- Warez: cute term for pirated software
- Warez are often hidden in FTP or web areas using weird directory names:
  - "..."
  - " " (a space)
  - "normal " (normal with a space after it)
- Check FTP areas for new directories

    Finding Hacker-Prints

- Search the suspected infected system for new files:

    find / -mtime -30 -print

- Use Tripwire
- Restore the filesystems to a different disk and compare all the files (slow and painful!)

    Names of Tools to Look for

- nuke: ICMP bomb program
- rootkit: trojans and patches
- cloak: log cleaner
- zap: file date changer
- icepick: penetration test tool
- toneloc: war dialer

    Law Enforcement

- FBI: jurisdiction over electronic crime
- Secret Service (Treasury Dept.):
  - Credit card fraud
  - Attacks against financial organizations
- Law enforcement interest depends on the sexiness of the case

    Law Enforcement (cont)

- Law enforcement is still Internet-ignorant
  - Expect to have to educate them
  - Often not worth it
- The situation is improving rapidly
  - Your mileage, however, may vary wildly depending on location

    A Quick Response Example

- Look at the logs
- Figure out who needs to be contacted
- Contact them
- Wait for results

    Look over the logs

    Original Snort log showed:

    May 15 02:37:55 212.247.185.41:111 -> 216.27.176.114:111 SYNFIN ******SF
    May 15 02:37:55 212.247.185.41:111 -> 216.27.176.115:111 SYNFIN ******SF
    May 15 02:37:55 212.247.185.41:111 -> 216.27.176.116:111 SYNFIN ******SF

    Lookup contacts

    A “whois” lookup on the source address showed:

    route:   212.247.0.0/16
    descr:   SWIPNET
    descr:   In case of improper use originating
             from our network,
    descr:   please mail customer or [email protected]
    origin:  AS1257
    notify:  [email protected]
    mnt-by:  AS1257-MNT
    changed: [email protected] 19990202
    changed: [email protected] 20001115
    source:  RIPE

    Send a message

    From: Philip Cox
    Sent: Tuesday, May 15, 2001 7:10 AM
    To: [email protected]
    Subject: Scans from 212.247.185.41

    Dear Sirs,

    Three of my systems were scanned for portmapper by the IP
    address 212.247.185.41. These actions are not authorized.
    Please have the user of this system stop scanning my
    systems. The relevant portion of the logs is included.
    They are all US PST:

    May 15 02:37:55 212.247.185.41:111 -> 216.27.176.114:111 SYNFIN ******SF
    May 15 02:37:55 212.247.185.41:111 -> 216.27.176.115:111 SYNFIN ******SF
    May 15 02:37:55 212.247.185.41:111 -> 216.27.176.116:111 SYNFIN ******SF

    Phil Cox
    System Owner

    Response

    Hello,

    The customer has been contacted and the compromised server has been taken offline. Please let us know
    if this continues or happens again.

    Sincerely,

    Niklas Odebo
    Tele2 Abuse Dep.
    ============================
    Best regards
    Customer Security Department
    Tele 2 [email protected] [email protected]
    ============================
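    The four steps above, scripted. This is an added example, not part of the original tutorial or of Snort: an awk summary of the portscan log per source address, extraction of the abuse contact from RIPE-style whois output, and a draft of the notice (step four, waiting for results, is not scriptable). The log lines and the whois text are constructed for the example; the real abuse mailbox is not on the page, so abuse@example.net stands in for it, and a real run would feed the output of whois 212.247.185.41 to the same parser. Note what the ISP’s reply shows: the scanning host was itself compromised, which is why the notice goes to the netblock’s abuse contact and not to anyone at the source machine.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of Snort: the four
# "Quick Response" steps scripted. The Snort portscan lines and the RIPE-style
# whois text below are constructed for the example (the real abuse mailbox is
# not on the page, so abuse@example.net stands in); a real run would feed
# `whois 212.247.185.41` output to abuse_contact instead of $WHOIS_OUT.

SNORT_LOG='May 15 02:37:55 212.247.185.41:111 -> 216.27.176.114:111 SYNFIN ******SF
May 15 02:37:55 212.247.185.41:111 -> 216.27.176.115:111 SYNFIN ******SF
May 15 02:37:55 212.247.185.41:111 -> 216.27.176.116:111 SYNFIN ******SF
May 15 02:39:10 10.9.8.7:4321 -> 216.27.176.114:22 SYN ******S*'

WHOIS_OUT='route:   212.247.0.0/16
descr:   SWIPNET
descr:   In case of improper use originating
         from our network,
descr:   please mail customer or abuse@example.net
origin:  AS1257
notify:  noc@example.net
mnt-by:  AS1257-MNT
source:  RIPE'

# Step 1, look at the logs: one line per source,
# "<src> <distinct targets> <dst ports> <scan type> <flag bits>".
summarise_scan() {
    printf '%s\n' "$SNORT_LOG" | awk '
    {
        split($4, a, ":"); split($6, b, ":")       # src:port and dst:port
        src = a[1]; dst = b[1]; dport = b[2]
        if (!((src, dst) in seen)) { seen[src, dst] = 1; targets[src]++ }
        if (!((src, dport) in pseen)) {
            pseen[src, dport] = 1
            ports[src] = (ports[src] == "") ? dport : ports[src] "," dport
        }
        flags[src] = $7 " " $8
    }
    END { for (k in targets) printf "%s %d %s %s\n", k, targets[k], ports[k], flags[k] }' | sort
}
targets_for() { summarise_scan | awk -v ip="$1" '$1 == ip { print $2 }'; }
ports_for()   { summarise_scan | awk -v ip="$1" '$1 == ip { print $3 }'; }

# Step 2, figure out who to contact: an abuse@ address named in the whois
# remarks wins; otherwise fall back to the notify: field.
abuse_contact() {
    printf '%s\n' "$WHOIS_OUT" | awk '
        $1 == "descr:"  { for (i = 2; i <= NF; i++) if ($i ~ /^abuse@/) a = $i }
        $1 == "notify:" { n = $2 }
        END { if (a != "") print a; else print n }'
}

# Step 3, contact them: draft the notice with only the lines for that source.
draft_notice() {
    src="$1"
    printf 'To: %s\nSubject: Scans from %s\n\n' "$(abuse_contact)" "$src"
    printf '%s of my systems were scanned on port(s) %s by %s. These actions are not authorized.\n' \
        "$(targets_for "$src")" "$(ports_for "$src")" "$src"
    printf 'Please have the user of this system stop. The relevant log lines (US PST) follow:\n\n'
    printf '%s\n' "$SNORT_LOG" | awk -v s="$src" '{ split($4, a, ":"); if (a[1] == s) print }'
}
```

    draft_notice 212.247.185.41 produces the message above in outline (three targets, port 111, the three SYNFIN lines), addressed to whatever abuse_contact found in the whois text.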

    Under Attack

    Decide if you want to:
      Observe the attacker
      Chase them away and lock them out
      Catch the attacker
      Prosecute them if you catch them
    If you may want to prosecute:
      Contact legal counsel immediately
      Find out about local laws of evidence

    If you are Under Attack

    Do a complete system backup immediately
      Attackers tend to wipe system disks if they realize they have been caught
    Get a separate system with tcpdump running a complete packet log to disk
      Which protocol packets went to/from where
      Possibly the contents of some sessions (telnet, rlogin, IRC, FTP)

    Shutting Down (For Paranoids)

    Sync the disks, then halt the system
      Do not execute a clean shutdown (the shutdown scripts, possibly trojaned ones, would run and modify files)
      Do not disconnect the network
    Bring the system back up in single-user mode
    Make and verify backups in single-user mode
    Consider making an image dump (dd) of the disks
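    The image dump and its verification, as an added example that is not part of the original tutorial. A 4 MiB file stands in for the disk so the script runs unprivileged; on a real system DEV would be the raw device (from single-user mode, with the filesystem not mounted read-write) and the image would be written to a different disk or a network share, never to the disk being imaged. The planted record and the paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the "make an image dump
# (dd) of the disks, then verify the backup" step. A small file-backed "disk"
# stands in for a real device so it runs unprivileged; on a real system $DEV
# would be /dev/sdX and the image would go to a different disk or a network
# share. Everything below is constructed for the example.

WORK=$(mktemp -d)
DEV="$WORK/fake-disk"

# Build a 4 MiB "disk" and plant a recognisable record in it.
make_fake_disk() {
    dd if=/dev/zero of="$DEV" bs=1048576 count=4 2>/dev/null
    printf 'root:x:0:0:root:/root:/bin/sh\n' |
        dd of="$DEV" bs=512 seek=100 conv=notrunc 2>/dev/null
}

# Image a device with dd, recording the source size and hash alongside.
# conv=noerror,sync keeps going past unreadable sectors instead of aborting,
# padding them with zeros so offsets in the image still match the disk;
# the padding can make the image longer than the device, hence the size file.
image_disk() {
    dev="$1"; img="$2"
    dd if="$dev" of="$img" bs=65536 conv=noerror,sync 2>/dev/null
    wc -c < "$dev" | tr -d ' ' > "$img.size"       # real device: blockdev --getsize64
    sha256sum "$dev" | cut -d' ' -f1 > "$img.source.sha256"
    head -c "$(cat "$img.size")" "$img" | sha256sum | cut -d' ' -f1 > "$img.sha256"
}

# "Verify the backup": the image must hash the same as the source did when it
# was taken, and must still hash the same when re-read from storage later.
verify_image() {
    img="$1"
    [ "$(cat "$img.source.sha256")" = "$(cat "$img.sha256")" ] || return 1
    now=$(head -c "$(cat "$img.size")" "$img" | sha256sum | cut -d' ' -f1)
    [ "$now" = "$(cat "$img.sha256")" ]
}

# Did the image capture the data? Look for the record we planted.
image_contains() { grep -q -a "$2" "$1"; }
```

    Keep the recorded hashes on separate media from the image: they are what lets you show later that the copy you analysed is the copy you took.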

    Phone Companies

    Backtracking phone calls is nearly impossible
    Deregulation makes phone company boundaries very hard to trace across
    Even with a hard fix on the login session, phone companies take 20-30 minutes to trace a call
    Very frustrating

    Where are They Coming From?

    Use tcpdump / who / syslog to see where they are coming in from
    Run finger against the remote system
      If finger is working on the attacker’s system you may be able to correlate activity with the times of the attack and user idle time
      Usually the attacker will be using a stolen account on the remote machine

    Backtracking

    Do not mail root@attackermachine saying you are under attack
      Attackers watch root’s mail
    Check the NIC (whois) registry for the attacker’s domain and telephone the site technical contact
    Remember: your communications are compromised
      Assume the attacker can read anything sent from the compromised host; use an out-of-band channel (phone, a clean machine)

    Watching the Bad Guy

    Get a copy of cloak and watch the attacker semi-invisibly
      If they see they are being watched they will leave, and may destroy the machine
    If they have forgotten to disable shell command history you can get a good idea of what commands they are using

    Fight Fire with Fire

    Building booby-trapped telnet/rlogin clients lets you monitor everything the attacker does
      Sometimes the attacker will reveal themselves
    Social engineer the attacker
      Sometimes the attacker will brag on IRC
      Sometimes you can learn who it is by piquing their ego
    If they leave warez or tools in the FTP area
      Log who retrieves them
      Replace the warez with files of white noise
      Contact site admins at the sites downloading the software

    Legal Issues

    You may not be able to use hacker techniques against them
    Laws for gathering evidence are confusing
    Logs may or may not be admissible
    The perpetrator may or may not be prosecutable

    Know when to Quit

    Eventually it may be easier to unplug the network for a day or two and just clean up
    Use the clean-up time to improve security and logging

    Forensics: Practice

    The Honeynet Project releases a “Scan of the Month”
      Each is an attack or tool captured in the wild with the honeypot
    A “challenge” for each: figure out
      Technique
      Tool used
      Anything else
    As always: http://project.honeynet.org/scans/


    Where are we?

    High level theory
    Deployment examples
    Integrating Data Sources
    Benchmarks and Performance
    Choosing a System
    Eluding IDS
    Forensics and Response
    Ethics, Policies, Legalities
    Conclusions

    Section Contents

    Quis custodiet ipsos custodes?
    What are Logs?
    Packet Sniffing = Wiretapping?
    Policies and Laws
    Resources

    Quis custodiet ipsos custodes?

    Who Watches the Watchmen?
    We don’t always think about the data in our custody
    How is our IDS different from the FBI’s Carnivore?


    Packet Sniffing = Wiretapping?

    It depends
    An analogy can be made between capturing packets and recording phone conversations
    Some jurisdictions are already going there
    Make sure you know where you stand

    Policies and Laws

    Organizational Regulations
      appropriate use policy
      privacy of email and files
      maintenance/retention of electronic records
    Talk to your management!

    Policies and Laws

    Governmental Regulations
      Different applicability
        private vs. public
        for-profit vs. non-profit
        …
      Electronic Communications Privacy Act (ECPA)
      Family Educational Rights and Privacy Act (FERPA)
      Health Insurance Portability and Accountability Act (HIPAA)
      …
    Talk to your legal staff!

    Resources

    Honeyman/Saul invited talk from LISA ’97
    Computer Professionals for Social Responsibility: www.cpsr.org
    Electronic Frontier Foundation: www.eff.org
    Your policy documents
    Your legal department

    Where are we?

    High level theory
    Deployment examples
    Integrating Data Sources
    Benchmarks and Performance
    Choosing a System
    Eluding IDS
    Forensics and Response
    Ethics, Policies, Legalities
    Conclusions

    Closing Thoughts

    There are a lot of different options
    You have to start with “Policy”
    You can’t deploy it in a day/week/month
      It is an ongoing process
    It’s not cheap
      A lot of blood, sweat, and tears OR …
      $$$ and some blood, sweat, and tears
    The best time to start is NOW!

    The End

    Thank you for attending!
    Thank you for your comments!
    Please fill out the Instructor Evaluation Form!!

    Resources

    Books
    Web Sites
    Mailing lists

    Books

    Intrusion Detection: Network Security Beyond the Firewall, by Terry Escamilla, published by John Wiley and Sons
    Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Traps, Trace Back, and Response, by Edward G. Amoroso, published by Intrusion.Net Books

    Books

    Computer Crime: A Crimefighter’s Handbook, by David Icove, Karl Seger and William VonStorch, from O’Reilly & Associates, August 1995
    Coping with the Threat of Computer Security Incidents: A Primer from Prevention Through Recovery, by Russell Brand

    Books

    Firewalls and Internet Security: Repelling the Wily Hacker, by Bill Cheswick and Steve Bellovin, from Addison-Wesley
    Building Internet Firewalls, 2nd Edition, by Elizabeth Zwicky, Simon Cooper, and Brent Chapman


    URLs

    IDS FAQs (warning: vendor sponsored)
      http://www.ticm.com/kb/faq/idsfaq.html
      http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html

    Addresses

    IDS mailing list:
      [email protected]
      [email protected]
      [email protected]

    Firewalls mailing list
      [email protected]: subscribe firewalls
    Web security mailing list
      [email protected]: subscribe www-security

    Addresses

    Firewall Wizards mailing list
      [email protected]: subscribe firewall-wizards
      http://www.nfr.net/forum/firewall-wizards.html
      Searchable online archive at http://www.nfr.net/firewall-wizards/

    Mark Mellis

    Consultant
    [email protected]
    626-852-8639 direct
    626-852-8739 fax
    978-440-9388 main
    http://www.SystemExperts.com/

    Philip Cox

    Consultant
    [email protected]
    530-887-9251 direct
    530-887-9253 fax
    978-440-9388 main
    http://www.SystemExperts.com/

    Appendix 1: Advanced Burglar Alarms

    These are for people with too much free time on their hands :)

    ls-o-matic

    Train yourself not to run “ls” as root
    Replace “ls” with a program that mails you, or shuts the system down, if it is ever run as root
    Use “echo *” instead of “ls”
    ... This trick takes a lot of discipline!

    Shared-Library boobytrap

    Systems with shared libraries are a great place to add alarms
    Generate a custom version of the exec() library family that logs every command execution that isn’t one of a small expected set
    Good for firewalls or web servers!
      Caveat: statically linked binaries, and programs that invoke the execve system call directly, never pass through a library-level hook

    Nit-pick

    Many times when a break-in occurs the attacker will set up a sniffer
    If the NIT device (SunOS Network Interface Tap, /dev/nit) is not configured, they often add it
    Replace the NIT device with something that triggers a warning instead
      The /dev/nit driver can be replaced with a driver that halts the system


    File shrinkener

    Write a program to check whether the inode number of /var/log/messages has changed and/or the file has shrunk between two looks (a log cleaner that rewrites the file does one or both)
      Use ls -i and ls -l in a shell script
      Use stat() in C code
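    Two of the appendix alarms, ls-o-matic and the file shrinkener, as shell functions sharing one alert() helper. This is an added example, not from the original tutorial: stat(1) takes the place of the slide’s ls -i / ls -l parsing, and alerts are appended to a file so the script runs anywhere, where a real deployment would mail you or halt the machine from alert(). Everything it touches is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: two appendix alarms
# (ls-o-matic, file shrinkener) as shell functions sharing one alert()
# helper. Alerts are appended to $ALERT_LOG so the script runs anywhere;
# a real deployment would mail you (or halt the box) from alert() instead.
# stat(1) replaces the slide's ls -i / ls -l parsing.

ALERT_LOG=${ALERT_LOG:-/tmp/burglar-alerts.$$}

alert() {
    printf '%s %s: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$(uname -n)" "$1" >> "$ALERT_LOG"
}

# ls-o-matic: a drop-in ls whose root invocation is itself the alarm.
# Install as e.g. /usr/local/sbin/ls, ahead of /bin/ls in root's PATH.
ls_o_matic() {
    if [ "$(id -u)" -eq 0 ]; then
        alert "ls run as root in $PWD (args: $*) tty=$(tty 2>/dev/null || echo none)"
    fi
    /bin/ls "$@"
}

# File shrinkener. Baseline: "<inode> <size>" of the log file.
log_stat() { stat -c '%i %s' "$1"; }   # GNU stat; BSD/macOS: stat -f '%i %z'

# log_shrunk FILE BASE_INODE BASE_SIZE: 0 if the log looks healthy, 1 (and an
# alert) if the inode changed (file replaced, e.g. mv'ed over) or the size went
# down (truncated in place), both of which log cleaners such as cloak do.
log_shrunk() {
    file="$1"; base_inode="$2"; base_size="$3"
    now=$(log_stat "$file") || { alert "$file: missing"; return 1; }
    now_inode=${now%% *}; now_size=${now##* }
    if [ "$now_inode" != "$base_inode" ]; then
        alert "$file: inode changed $base_inode -> $now_inode (file replaced?)"
        return 1
    fi
    if [ "$now_size" -lt "$base_size" ]; then
        alert "$file: size shrank $base_size -> $now_size (log cleaned?)"
        return 1
    fi
    return 0
}
```

    Run log_shrunk from cron against a baseline taken with log_stat. Legitimate log rotation trips it too (a new file, or a truncated one), so re-baseline right after the rotation job runs, or exempt that window.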


    Terrify Suzy*

    May make people think twice about what kind of monitoring is going on in the system
    (the “watchdog” does nothing at all; it only has to show up in ps)

    # cat > main.c
    #include <unistd.h>
    int main(void)
    {
        while (1) sleep(30);   /* loop forever doing nothing */
    }
    ^D
    # cc -o watchdog main.c
    # nohup ./watchdog &

    * based on an old story from Boyd Roberts


    Fake Holes

    Install a phf.pl script in your CGI directory on your web server
      phf was a widely scanned-for vulnerable CGI; nobody legitimate requests it, so any hit is a probe
    Have it generate an alert

    DumDum Users

    Have a user with a crackable but not obvious password
    Put something in their .login to alert you when they log in
    If they ever log in, you know someone has gotten hold of your password file somehow

    Roto-Router

    Redirect incoming traceroute queries to a user-mode process which responds with carefully crafted packets
      Looks like you go into the network
      Then to microsoft.com
      Then to whitehouse.gov
      Then to playboy.com
      etc.
    Louis Mamakos (I think) invented this one

    Scan Slower

    Set up services on ports that listen and accept connections
      Set keepalive
      Never send data
    This could be very nicely implemented in a border device that simulates an entire network or system (a tarpit)

    Phat Warez

    Compress a few gigabytes of zeros into a .zip file (it’ll get pretty small!)
    Leave it in your warez directory

    Redirector

    Set up something (kind of like a dynamic LocalDirector, or a firewall with proxy transparency) on the border of your network that takes traffic destined for certain machines
      Rewrites the destination to be the source
      Sends it back out
    “Wow! He’s scanning me back really quickly! He knows all my tricks!”

    Socket Stuffer

    For scanning tools that collect data off the ports and record/parse/log it
    Have a listener on many, many ports
      Each listener, if connected to, sends back a few USENET postings from talk.bizarre
    This would be lots of fun against the auditors who like to run ISS scans against you and charge you big $$ for the result

    Auditor Biter

    One nice way of catching clueless auditors who send an intern to run ISS against you and charge you big $$$ is to create fake vulnerabilities in your system and wait to see if they appear in the report
    Measure how much deviance exists between the report and the raw ISS output


    Noset Executable

    For dedicated service machines, consider removing the ability to set the execute bit in multiuser mode
      A chmod that sets execute must also come from a process attached to a terminal; log it whenever it isn’t!!!
    Log and alert on attempts to set execute permission