UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640


Contents

Topic 1: Analogy
  Analogy: Deterring Jewel Thieves at a Museum
Topic 2: Module Introduction
Topic 3: Host-Based Intrusion Detection
  How Host-Based IDSs Work
Topic 4: IDS vs. IPS
  IDS vs. IPS: Characteristics
Topic 5: Intrusion Detection System Taxonomy
  Types of Intrusion Detection Systems
  Types of Knowledge-Based IDSs
Topic 6: Behavior-Based Intrusion Detection
  Introduction to Behavior-Based Intrusion Detection
Topic 7: Network-Based Intrusion Detection
  How Network-Based IDSs Work
Topic 8: Signature-Based NIDSs
  Components of Snort
  Snort Rules
  Snort General Syntax for Rules
  Snort Rule Options
  Snort Activity
  Snort Activity
  What Is Bro?
Topic 9: Summary
Glossary

UMUC 2012 Page 1 of 36

Topic 1: Analogy
Analogy: Deterring Jewel Thieves at a Museum

Intrusion Detection and Prevention Systems, Module 7

Imagine the case of a notorious thief who intends to break into a heavily guarded museum. The thief uses various strategies and tools to enter the museum without being apprehended. The museum security personnel, on the other hand, have employed various measures to protect the valuables in the museum. The task of the museum security personnel is similar to that of cybersecurity experts who work to thwart the malicious intent of hackers.

Layer 1: Surveillance
The thief always cases the premises he is going to rob. Before robbing the museum, the thief tries to find out useful information such as the security measures installed at the museum and the layout of the building. The security team keeps an eye out for anyone probing the security systems or loitering near the premises.

Perimeter Monitoring
Similarly, a hacker usually performs reconnaissance of the system that he wants to control. A hacker uses techniques such as password attacks, OS and software application exploits, buffer overflows, and structured query language (SQL) injection attacks. Security personnel within an organization keep track of the latest tools used to identify vulnerabilities in their systems and to launch malicious attacks.

Layer 2: Break-In Detection
The head of museum security uses various types and combinations of measures to thwart thieves. Some of these measures, such as security cameras, are installed at possible entry points, outside the premises and at the periphery of the building.

Other measures, such as infrared detection and display cases fitted with anti-snatch alarms, are deployed to protect specific artifacts inside the museum.

Intrusion Detection
To prevent cybersecurity attacks, security personnel can install an intrusion detection system (IDS) on each host in the system or outside the network, or they can use a hybrid approach.

Layer 3: Theft Prevention
The head of museum security has an ace up his sleeve. He has attached radio frequency identification (RFID) tags to the most precious artifacts. The RFID tags constantly monitor the location of the artifacts. Any deviation in patterns, such as unusual activity around an object or unauthorized movement of an object, generates real-time alerts to security personnel, which can help prevent a theft.

Intrusion Prevention
Similarly, cybersecurity experts also use a type of IDS that keeps records of normal behavior and flags any deviation from this behavior. Cybersecurity experts use intrusion prevention systems (IPSs) to prevent malicious attacks by stopping harmful traffic from reaching the company's network instead of passively detecting and recording attacks.

Topic 2: Module Introduction

An intrusion detection system (IDS) is a software application that monitors network traffic to detect intrusion attacks. An IDS is a warning system that notifies users about anomalies in incoming traffic, but it does not take any action to correct them. On the other hand, an intrusion prevention system (IPS) is a reactive system that not only detects suspicious incoming traffic but also automatically takes action to block it.

This module covers IPSs, host-based IDSs, types of knowledge-based IDSs, and behavior-based IDSs. The module also discusses network-based IDSs and signature-based IDSs such as Snort.

Topic 3: Host-Based Intrusion Detection
How Host-Based IDSs Work

Introduction
Host-based intrusion detection systems (HIDSs) are installed as agents on a host. An HIDS analyzes internal systems to detect malicious activity or cyber attacks. An HIDS can be passive or reactive. A passive HIDS informs the user of suspicious activity after it has happened, while a reactive HIDS sniffs the incoming traffic and alerts the user in real time.

How an HIDS Works
Every operating system, device, and application on a network generates logs or events that can help a user detect intruder activity. Security log analysis, also known as log-based intrusion detection (LID), uses logs as the main source of information to detect attacks on systems, networks, or applications. LID is also capable of detecting software misuse, policy violations, and many other forms of inappropriate activity. Examples of logs include firewall logs, Web server logs, system logs, IDS event logs, and Windows event logs. An HIDS inspects system and application log files to detect hostile or suspicious activity.

Reference: Cid, D. (n.d.). What is an HIDS (host-based intrusion detection system)? Retrieved from

Step 1: External network traffic flows into the OS.
Step 2: Network traffic moves to the Web server.
Step 3: The Web server writes correlated log files.
Step 4: The log files are read by the HIDS.
Step 5: The HIDS generates alert messages and sends them to the user through the OS.

Open Source Security HIDS
The Open Source Security (OSSEC) HIDS is a platform used to monitor and control network systems. OSSEC performs the following functions.

Log Analysis and Monitoring
Each operating system, application, and device on your network generates logs to record events and activities on the network as they occur. OSSEC collects, analyzes, and correlates these logs and generates alerts if there is an indication of any attack, misuse, or error on the network.

Integrity Checking
An attack on networks and computers changes the system's integrity in some way. File integrity checking, or file integrity monitoring (FIM), detects these changes in the system's integrity and alerts the user when they happen. This type of integrity checking is an essential part of intrusion detection.

Windows Registry Monitoring
Changes to the integrity of a system are not always attacks. They may be a typo by an administrator or executive in a file, a directory, or the registry, or they may be caused by an employee's misuse. OSSEC monitors changes that applications make to the Windows registry, and such changes generate an alert to the user immediately.

Rootkit Detection
In addition to log analysis and integrity checking, the OSSEC HIDS performs rootkit detection on Linux-based systems. Rootkits are malicious, covert programs that change the behavior of the operating system in which they are installed. The main purpose of a rootkit is to hide files, network ports, running processes, and services from the operating system and antivirus software. For example, to detect kernel-level rootkits, the OSSEC HIDS scans the entire file system for unusual files and permissions and looks for the presence of hidden network ports on which Trojans may listen.

Active Response
The OSSEC HIDS uses the term active response for its mechanism for automatically executing commands, or otherwise responding quickly, in real time when security violations and threats are detected. This automatic remediation process can be used to block specific hosts or services so that a detected threat or violation is stopped in real time.

Reference: Hay, A., Cid, D., & Bray, R. (2008). OSSEC host-based intrusion detection guide. Burlington, MA: Syngress.

OSSEC Alert Example
OSSEC has a client-server architecture: multiple agents or sensors can report to a central server, or a single agent can run on the same machine as the server. An OSSEC alert is classified according to the rule it matches and the level of significance of that rule. OSSEC rules are classified in multiple levels, with 0 the lowest and 15 the highest.

Here is an example of an OSSEC alert that was generated by an automated scan of the Apache Web server for vulnerable PHP files. In this example, an attacker tried to access setup.php in various locations. OSSEC generated an alert because the setup.php file does not exist on the Web server, so each request was answered with an error code, and the rule correlates repeated error codes from one source.

Apr 11 01:47:42 Rule Id:  level: 10
Location: c13software->/var/log/apache2/access.log
Src IP:
Multiple web server 400 error codes from same source ip
[11/Apr/2011:01:47: ] "GET //phpadmin/scripts/setup.php HTTP/1.1" "-" "-"
[11/Apr/2011:01:47: ] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" "-" "-"
[11/Apr/2011:01:47: ] "GET //mysqladmin/scripts/setup.php HTTP/1.1" "-" "-"
[11/Apr/2011:01:47: ] "GET //mysql/scripts/setup.php HTTP/1.1" "-" "-"
[11/Apr/2011:01:47: ] "GET //myadmin/scripts/setup.php HTTP/1.1" "-" "-"
[11/Apr/2011:01:47: ] "GET //dbadmin/scripts/setup.php HTTP/1.1" "-" "-"
[11/Apr/2011:01:47: ] "GET //db/scripts/setup.php HTTP/1.1" "-" "-"
[11/Apr/2011:01:47: ] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" "-" "-"
[11/Apr/2011:01:47: ] "GET //admin/pma/scripts/setup.php HTTP/1.1" "-" "-"
[11/Apr/2011:01:47: ] "GET //admin/scripts/setup.php HTTP/1.1" "-" "-"
[11/Apr/2011:01:47: ] "GET //scripts/setup.php HTTP/1.1" "-" "-"

Line 1: The first line displays the timestamp, rule ID, and severity level. The alert was generated on 2011 Apr 11 at 01:47:42, due to an event that matched rule # . The severity level is 10.
Line 2: This line indicates the log file in which the matching entries were recorded.
Line 3: This is the source IP address of the attacker.
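The correlation behind the alert above, as an added example that is not part of the module or of OSSEC itself: a small log-based detector that parses Apache access-log lines, keeps a sliding window of 4xx responses per source IP, and raises a level-10 alert in the same shape as the one shown once a source exceeds a threshold. The threshold, time frame, sample log lines and addresses are constructed for this illustration, not taken from OSSEC's rule set.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format: ip - - [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one host probing for setup.php in several locations,
# as in the alert above, plus a benign client that requests one missing image.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Apr/2011:01:47:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"
10.0.0.9 - - [11/Apr/2011:01:47:40 +0000] "GET //phpadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-"
10.0.0.9 - - [11/Apr/2011:01:47:40 +0000] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-"
10.0.0.9 - - [11/Apr/2011:01:47:41 +0000] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 - "-" "-"
10.0.0.9 - - [11/Apr/2011:01:47:41 +0000] "GET //mysql/scripts/setup.php HTTP/1.1" 404 - "-" "-"
10.0.0.9 - - [11/Apr/2011:01:47:42 +0000] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-"
10.0.0.9 - - [11/Apr/2011:01:47:42 +0000] "GET //dbadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-"
10.0.0.5 - - [11/Apr/2011:01:47:50 +0000] "GET /missing.png HTTP/1.1" 404 - "-" "-"
"""


def parse_line(line):
    """Return (ip, timestamp, request, status), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def detect_4xx_bursts(lines, frequency=6, timeframe=timedelta(seconds=120),
                      location="/var/log/apache2/access.log"):
    """Raise one alert per source IP whose 4xx responses reach `frequency`
    within `timeframe` (constructed values, not OSSEC's own rule settings).
    Further hits from that IP inside the same window do not re-alert."""
    windows = defaultdict(deque)   # ip -> timestamps of its recent 4xx responses
    alerted_at = {}                # ip -> time of the last alert raised for it
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, req, status = parsed
        if not 400 <= status <= 499:
            continue                 # only client-error responses count
        w = windows[ip]
        w.append(ts)
        while w and ts - w[0] > timeframe:
            w.popleft()              # forget events that fell out of the window
        if len(w) >= frequency:
            last = alerted_at.get(ip)
            if last is None or ts - last > timeframe:
                alerted_at[ip] = ts
                alerts.append({
                    "time": ts, "level": 10, "location": location, "src_ip": ip,
                    "description": "Multiple web server 400 error codes from same source ip",
                    "count": len(w),
                })
    return alerts


def format_alert(a):
    """Render an alert in the same shape as the OSSEC alert quoted above."""
    return (f"{a['time']:%b %d %H:%M:%S} level: {a['level']}\n"
            f"Location: {a['location']}\nSrc IP: {a['src_ip']}\n{a['description']}")


if __name__ == "__main__":
    for alert in detect_4xx_bursts(SAMPLE_LOG.splitlines()):
        print(format_alert(alert))
```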

Topic 4: IDS vs. IPS
IDS vs. IPS: Characteristics

An IDS identifies malicious, harmful, or unauthorized attacks or activities on a network. An IPS goes further, stopping the malicious attacks identified by the IDS. Although both systems recognize malicious attacks, they differ primarily in their network placement.

Intrusion Detection System
The IDS receives a copy of traffic for analysis. An IDS device is considered passive because it cannot block or stop the first or initial malicious packet. It can communicate with a security device or a router to prevent subsequent network packets from getting through to the system; however, the initial offending packet can reach its destination. An IDS can add value to a network that employs an IPS device by verifying that the IPS device is still operational.

Intrusion Prevention System
An IPS device resides in line with the traffic and can prevent the first malicious packet from reaching its destination because it can block or drop the traffic inline. An IPS device should be used if an organization wants to block malicious traffic in real time.

Hybrid Approach
The image displays a hybrid approach to intrusion detection and prevention. An IDS device can be used to verify whether the IPS device is operational. Furthermore, an IDS device can be used to identify suspicious traffic and send an alert about that traffic without causing the IPS device to drop it. Not all suspicious traffic is malicious.

Activity
Read the question and choose the correct option.

Question: Thomas is a systems administrator with a telecom company. Over the past few months, he has had to deal with suspicious traffic entering the company's network. Recently, Thomas has also noticed a rise in the incidence of virus attacks. Which system would be more effective in proactively tackling Thomas's problem, an IDS or an IPS?
a. IDS
b. IPS

Correct answer: Option b

Feedback: An IPS would proactively prevent harmful traffic from reaching the company's network. An IDS is a passive system, which would warn Thomas and his team about an impending harmful activity but would be unable to prevent it.

Topic 5: Intrusion Detection System Taxonomy
Types of Intrusion Detection Systems

There are two types of IDSs: knowledge-based and behavior-based. The two types differ in their detection methods. A knowledge-based IDS, also known as a signature-based IDS, uses recorded evidence of previous attacks. A behavior-based IDS, also known as an anomaly-based IDS, keeps records of normal or regular behavior. Any deviation from this behavior triggers an alarm.

Knowledge-Based IDSs
In a knowledge-based IDS, information about previous attacks and vulnerabilities is stored in the system in the form of footprints or signatures. When a similar attack is encountered, an alarm is raised. Any action that does not attempt to exploit these known vulnerabilities is considered acceptable and is passed without raising an alarm. Therefore, a signature-based IDS can fail to identify a new, previously unseen attack.

Behavior-Based IDSs
A behavior-based intrusion detection system builds a model of normal or valid behavior from existing information. When a deviation from this model is observed, an alarm is raised. In this type of system, any new type of behavior is considered intrusive, triggering an alarm. However, behavior-based IDSs have higher false-alarm rates than knowledge-based IDSs.

Topic 5: Intrusion Detection System Taxonomy
Types of Knowledge-Based IDSs

Knowledge-Based IDSs
Knowledge-based intrusion detection offers several types of analytical approaches, such as signature-based, expert system-based, and state transition-based approaches. Because the signature-based approach is the most widely used, knowledge-based intrusion detection is often referred to as signature-based intrusion detection.

Signature-Based Approach
Most commercial products are based on signature-based systems, which examine the traffic for well-known attack patterns. Using this method, a security engineer must code a pattern match, called a signature, that can detect a known exploit. Network administrators routinely update the signature files so that new attacks can be detected. This update is similar to the regular antivirus updates that keep antivirus software up to date. For example, an IDS could search for a pattern in the Multipurpose Internet Mail Extensions (MIME) header of an e-mail message.

Expert System-Based Approach
An expert system-based approach is a commonly used signature-based IDS scheme. Under this method, the expert system contains a set of rules that describe security attacks. The system enables users to record information about various attacks as if-then rules. Conditions indicative of an intrusion are given in the if part of the rule, and when an intrusion condition is met, the corresponding then part of the rule is performed. Here is an example of such a rule:

If consecutive failed login attempts of a user > 5, then lock the user account.

The above rule says that if a user makes six consecutive failed login attempts, the IDS will lock that user's account.

Reference: Debar, H., Dacier, M., & Wespi, A. (1999). Towards a taxonomy of intrusion-detection systems. Computer Networks, 31. Retrieved from ftp://polinux2.eui.upv.es/viejo/pub/doc/ids/towards_a_taxonomy_of_intrusion_detection_systems.pdf

State Transition-Based Approach
State transition-based approaches use system states and state-transition expressions to describe and detect intrusions. The two main types of models used to apply state transition-based schemes to intrusion detection are:
State transition analysis
Petri nets

State Transition Analysis
An attack is described by two parameters: a set of goals, and the transitions that must be achieved by an intruder to enter the system. Transitions are represented on state-transition diagrams.

Colored Petri Nets
Petri nets are a graphical formal modeling language in which places represent states and transitions describe relations between places. In a graphical representation, places are drawn as circles, transitions as bars, and tokens as dots. Transitions symbolize actions, and places symbolize states or conditions that need to be satisfied before an action can be executed. Places can hold tokens that move from one place to another as actions are executed.

Here is an example of how a colored Petri net issues an alarm if a user with a low clearance logs into a multilevel system and tries to access a highly confidential file more than three consecutive times within five minutes.

Step 1: When the user fails to access the confidential file, the transition, represented by a vertical bar, fires from the start state to s2 if there is a token in state s1. The time of the first unsuccessful attempt is recorded.
Step 2: The user tries to access the file again and fails.
Step 3: The user tries to access the confidential file for the third time and fails.
Step 4: The transition from state s4 to state s5 can fire if there is a token in s4, an unsuccessful access attempt occurs, and the time difference between this attempt and the first unsuccessful access attempt is less than 5 minutes. The final state, s5, corresponds to a signature match and raises an alarm.

Reference: Debar, H., Dacier, M., & Wespi, A. (1999). Towards a taxonomy of intrusion-detection systems. Computer Networks, 31. Retrieved from ftp://polinux2.eui.upv.es/viejo/pub/doc/ids/towards_a_taxonomy_of_intrusion_detection_systems.pdf

State Transition
Here is the state transition diagram for the example above. As shown in the diagram, the start state transitions to state s2 when a failed access attempt event takes place. State s5 is reached after four consecutive failed attempts.

Topic 6: Behavior-Based Intrusion Detection
Introduction to Behavior-Based Intrusion Detection

Behavior-based intrusion detection is often referred to as profile-based detection. Using this approach, security experts build profiles for each user group in a system. A user profile includes information about user habits and usage patterns. If the deviation from this profile reaches a threshold, an alert is triggered. A profile can also establish a baseline for network activities, such as the typical bandwidth usage of a network or the statistical usage of a particular Internet service. The statistical-based IDS is the most commonly used behavior-based intrusion detection approach.

Behavior-Based IDSs

Advantages
Behavior-based IDSs:
1. Enable the detection of new attack vectors as they occur.
2. Control false-positive alarms by changing deviation-threshold values.
3. Offer customized profiles that make it difficult for attackers to identify the activities that could set off an alarm.

Disadvantages
Some disadvantages of behavior-based IDSs include:
1. Generation of false alarms: When a user activity deviates from the normal routine, the behavior-based IDS generates an alarm even when the activity is not malicious.
2. Maintenance of user profiles: The definition of normal behavior changes over the life of the system. As the system changes, the traffic or user behavior of the system can also change. The profile of the system must be updated to reflect those changes.
3. Nongeneration of alarms: If the intrusive activity imitates a regular user habit, the activity may not generate an alarm.

Statistical-Based Approach
In this approach, the behavior of a user, system, or network is measured by a number of variables sampled over a period of time. Some of these variables include the login and logout time of each session, the duration of resource use, and the amount of processor, memory, and disk resources consumed during the session.

Example 1
Take the example of an organization that uses the Secure Shell (SSH) session length as a variable to measure the behavior of its systems. When an SSH session length exceeds the average SSH session length, there is a spike or deviation in the session length, which triggers an alarm.

Example 2
Take the example of an organization that measures the network traffic on its corporate Web site as one of the variables used to monitor deviations in the behavior of its systems.

Step 1: The organization regularly measures network traffic over a long period. Site statistics show that 45 percent of network traffic is directed to the company's public Web server.

Step 2: A sharp spike in Web traffic, in this case from 45 percent to 85 percent of the company's network traffic, triggers an alarm.
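The statistical profile behind Examples 1 and 2, as an added example that is not part of the module: a baseline of sampled values for one variable, a deviation threshold expressed in standard deviations, normal readings folded back into the baseline so the profile keeps up with legitimate change, and a tighter threshold shown turning a benign reading into a false alarm. The baseline values and the variable names are constructed for this illustration; only the 45 and 85 percent figures come from the text.

```python
from statistics import mean, pstdev


class Profile:
    """Baseline statistics for one measured variable of a user, system or network."""

    def __init__(self, name, samples, threshold=3.0):
        self.name = name
        self.samples = list(samples)   # baseline observations
        self.threshold = threshold     # allowed deviation, in standard deviations

    def baseline_mean(self):
        return mean(self.samples)

    def baseline_stdev(self):
        return pstdev(self.samples)

    def deviation(self, value):
        """How many baseline standard deviations `value` lies from the mean."""
        sd = self.baseline_stdev()
        if sd == 0:
            return 0.0 if value == self.baseline_mean() else float("inf")
        return abs(value - self.baseline_mean()) / sd

    def check(self, value):
        """Return (is_alarm, deviation). Readings judged normal are folded into
        the baseline so the profile tracks gradual, legitimate change."""
        dev = self.deviation(value)
        if dev > self.threshold:
            return True, dev
        self.samples.append(value)
        return False, dev


# Example 2 from the text: about 45 percent of traffic normally goes to the public
# Web server (constructed daily measurements); a later reading jumps to 85 percent.
WEB_SHARE_BASELINE = [44.0, 46.0, 45.0, 43.5, 46.5, 45.0, 44.5, 45.5, 46.0, 44.0]
# Example 1 from the text: SSH session lengths in minutes (constructed).
SSH_LENGTH_BASELINE = [12.0, 15.0, 9.0, 14.0, 11.0, 13.0, 10.0, 16.0, 12.0, 13.0]


def demo():
    """Run both profiles against new readings; returns {label: (is_alarm, deviation)}."""
    web = Profile("web_traffic_share_pct", WEB_SHARE_BASELINE, threshold=3.0)
    ssh = Profile("ssh_session_minutes", SSH_LENGTH_BASELINE, threshold=3.0)
    results = {
        "web_85": web.check(85.0),      # the spike from the text: alarm
        "web_47": web.check(47.0),      # inside the normal band: no alarm, joins the baseline
        "ssh_240": ssh.check(240.0),    # a four-hour session: alarm
        "ssh_18": ssh.check(18.0),      # longer than usual but under 3 sd: no alarm
    }
    # Tightening the threshold to 1 sd turns the same 18-minute session into a
    # false alarm, the trade-off behind the advantage and disadvantage lists above.
    tight = Profile("ssh_session_minutes", SSH_LENGTH_BASELINE, threshold=1.0)
    results["ssh_18_tight"] = tight.check(18.0)
    return results


if __name__ == "__main__":
    for label, (alarm, dev) in demo().items():
        print(f"{label:12s} deviation={dev:7.2f} sd  {'ALARM' if alarm else 'normal'}")
```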

Topic 7: Network-Based Intrusion Detection
How Network-Based IDSs Work

A network-based IDS (NIDS) captures data packets traveling on wired or wireless network media and is usually deployed at the perimeter of an organization. Unlike an HIDS, an NIDS does not need to be installed on each host in the network. While the placement of the NIDS box depends on the network, it is advisable to place it behind the router or firewall. An NIDS monitors all the incoming and outgoing traffic of a network for suspicious activity and logs or flags any anomaly. There are two types of NIDSs: signature-based and behavior-based.

Signature-Based NIDSs
A signature-based NIDS uses pattern matching to detect known attack patterns. The NIDS formats a network event and compares it against its knowledge base by using a pattern-matching analysis engine. The analysis engine searches for predefined patterns of known attacks. If the network event matches the pattern of a known attack, the analysis engine raises an alert.

Behavior-Based NIDSs
A behavior-based NIDS collects network data in which the behavior considered normal on the network is baselined over a period of time. The collected data is formatted, processed, and stored in the knowledge base. Each monitored network event is compared to the knowledge base, and an alarm is triggered by any network event that falls outside baseline normal activity.

Topic 8: Signature-Based NIDSs
Components of Snort

Snort is an open-source signature-based NIDS. It can operate as an IDS or an IPS. It was originally intended to function as a packet sniffer, and as a packet sniffer it can capture all of the packets that pass through a given network to detect intrusions. Snort has been ported to a variety of platforms, such as Windows, FreeBSD, Linux, and Solaris. Snort has various components responsible for different aspects of the system.

Reference: Rehman, R. (2003). Intrusion detection with Snort: Advanced IDS techniques using Snort, Apache, MySQL, PHP, and ACID. Copyright (2003) by Prentice Hall PTR. Used under the terms and conditions of the Open Publication License, version 1.0 or later.

Packet Decoder
The packet decoder receives packets from different types of network interfaces, such as Ethernet, Serial Line Internet Protocol (SLIP), and Point-to-Point Protocol (PPP). The packets are prepared for preprocessing or sent directly to the detection engine.

Preprocessors
Preprocessors can be components of Snort or plug-ins. They arrange or modify data packets so that the packets can be compared against the rules in the detection engine. Some preprocessors also look for anomalies in packet headers and generate alerts. Preprocessors are important for any IDS, as they prepare data packets for comparison against the rules in the detection engine.

Detection Engine
The detection engine uses Snort rules to detect any intrusive activity present in a packet. If a packet matches a rule, the engine triggers an alert or logs the packet, depending on what is found inside the packet. Otherwise, the packet is ignored and dropped.

Logging and Alerting System
This system maintains logs in formats including simple text files and tcpdump-style files.

Output Components
Output components are plug-ins. They control the output generated by the logging and alerting system.

Topic 8: Signature-Based NIDSs
Snort Rules

Snort is signature-based, and therefore it can be configured for specific threats. A system administrator can create a set of rules. Snort rules search for specific contents in the payload of a packet or for malicious settings in the header of a packet. Two separate elements make up a typical Snort rule, the rule header and the rule option, as shown below.

Snort Rule: <rule header> <rule option>

The rule header consists of the following fields: the rule action (for example, log or alert), the protocol, the source IP address, the source port, the destination IP address, and the destination port.

The second half of a rule is the rule option (also called the rule body). The rule option defines what is inspected inside the packet.

Reference: Rehman, R. (2003). Intrusion detection with Snort: Advanced IDS techniques using Snort, Apache, MySQL, PHP, and ACID. Copyright (2003) by Prentice Hall PTR. Used under the terms and conditions of the Open Publication License, version 1.0 or later.

Example
The following rule generates an alert for every IP packet that Snort detects.

alert ip any any -> any any (msg: "IP Packet detected";)

alert: Indicates that the rule will generate an alert message.
ip: Indicates that the rule applies to all IP packets.
1st any: The placeholder for the source IP address. Here, any is a keyword for all IP addresses.
2nd any: The placeholder for the source port. Here, any is a keyword for all port numbers.
->: Indicates the direction of the packet flow.
3rd any: The placeholder for the destination IP address. Here, any is a keyword for all IP addresses.
4th any: The placeholder for the destination port. Here, any is a keyword for all port numbers.
msg: An element of the rule option. It indicates that the message "IP Packet detected" will be output if a network event matches the rule.

Variation
A rule may detect one type or multiple types of intrusion activity. The following rule generates an alert if an ICMP packet is detected going to the IP address with a time-to-live (TTL) value of 100.

alert icmp any any -> /32 any (msg: "ICMP Packet"; ttl:100;)

/32 indicates the subnet mask of the IP address. Because /32 is used, all 32 bits of the address must match, that is, the rule matches only the single host with that IP address. Note that two options (msg and ttl) are specified in the rule option.

Topic 8: Signature-Based NIDSs
Snort General Syntax for Rules

The following shows an overview of how a Snort rule is laid out.

Header: Rule Action | Protocol | Source IP Address | Source Port | Flow (Direction) | Destination IP Address | Destination Port
Option: Additional Tests, Output Messages, Etc.

Reference: Rehman, R. (2003). Intrusion detection with Snort: Advanced IDS techniques using Snort, Apache, MySQL, PHP, and ACID. Copyright (2003) by Prentice Hall PTR. Used under the terms and conditions of the Open Publication License, version 1.0 or later.

Rule Action
Snort has five built-in rule actions: log, alert, pass, activate, and dynamic. In this module, our focus is alert. The alert action writes a log entry and posts a notification when a network event (data packet) exactly matches a rule. The alert action is the most common action.

Protocol
Protocol specifies both high- and low-level protocols. High-level protocols include http, ftp, and dns. Low-level protocols include tcp, udp, and icmp.

Source/Destination IP Address
There are two address parts in a Snort rule, used to check the source from which the packet originated and the destination of the packet. The address may be a single IP address, a network address, or any. Notice that the IP address format uses Classless Inter-Domain Routing (CIDR) notation: the number of bits in the netmask is written after the IP address.

Examples:
An address with /32 defines a single host with that IP address.
An address with /24 defines a class C network, the range of addresses sharing the first 24 bits.

Address exclusion: Snort provides a mechanism to exclude addresses by using the negation symbol !, an exclamation point. This symbol is placed before the address to direct Snort not to test packets coming from or going to that address. Here is an example:

alert icmp ![ /24] any -> any any (msg: "Ping";)

The above rule applies to all ICMP packets that do not originate from the subnet. Notice that square brackets are used for the exclusion. Snort can specify multiple IPs or ranges as well. Here is an example:

alert icmp ![ /24, /24] any -> any any (msg: "Ping";)

The above example triggers an alert for each ICMP packet that does not originate from either of the two subnets.

Source/Destination Port
These parts of the syntax specify the port numbers. They are relevant only for TCP or UDP packets. The first number applies the rule to packets originating from that port; the second applies the rule to packets going to that port.

Learn More
A colon can be used to specify a range of ports. For example, the following rule creates an alert for all UDP traffic coming from ports 1024 to 2048 from any host.

alert udp any 1024:2048 -> any any (msg: "UDP ports";)

The syntax also allows only a starting port number or only an ending port number in a range:
1000: includes all ports above 1000 and also includes port 1000 itself.
:1024 includes all ports up to 1024 and also includes port 1024 itself.

The negation symbol ! can be used to exclude a port or range of ports. For example, the following rule logs all UDP traffic except traffic with source port 53.

log udp any !53 -> any any

Note that it is invalid to use a comma in the port field to specify multiple ports.

Flow Direction
The direction part of the syntax determines which address and port numbers in a rule are the source and which are the destination. The -> symbol is typically used to denote the direction of a packet flow.

Learn More
With the -> symbol, the address and port numbers on the left side of the direction field are the source of the packet, and the address and port numbers on the right side are the destination. The <- symbol is not used in Snort; a user can obtain the equivalent of <- by switching the IP addresses and port numbers on either side of ->. The <> symbol specifies that the rule applies to packets traveling in either direction. This symbol is useful when you want to monitor data packets for both client and server.

Topic 8: Signature-Based NIDSs
Snort Rule Options

Snort can search for signatures inside a packet. The signature may be an ASCII string or binary data in the form of hexadecimal characters. Multiple content keywords can be used to find multiple signatures. Some keywords that refine content matching include content, offset, depth, nocase, content-list, and flags.

Content
The content keyword finds a string pattern inside a packet payload. The pattern is expressed as an ASCII string or as binary data in the form of hexadecimal characters. Note that content matching is computationally intensive, so using many content (pattern) matching rules can negatively affect system performance. A few examples:

alert tcp /24 any -> (content: "hacking"; msg: "malicious packet";)

The above rule generates an alert if a packet from the subnet is sent to the e-mail server and contains the word hacking. Note that the mail port number is 25 and most mail packets are sent via TCP.

alert tcp /24 any -> ![ /24] any (content: "POST"; msg: "HTTP POST";)

The above rule finds all HTTP POST requests in the data part of TCP packets that leave the /24 subnet.

alert tcp any any -> any any (msg: "binary string 7c fe in hex format is detected!"; content: "|7c fe|";)

The above rule generates an alert if the packet contains the series of hexadecimal characters (binary data) 7c fe. Note that two pipe symbols (|) are used to enclose the hexadecimal characters.

Offset
The offset keyword specifies that the search starts after a certain number of bytes in the packet. For example, the following rule starts searching for the word password after eight bytes:

alert tcp /24 any -> any any (content: "password"; offset: 8; msg: "Password can be revealed";)

Depth
The depth keyword limits a search to a certain number of bytes in the packet. For example, the following rule tries to find the word HTTP between bytes 8 and 40 of the data part of the TCP packet.

alert tcp /24 any -> any any (content: "HTTP"; offset: 8; depth: 40; msg: "HTTP matched";)

Nocase

The nocase keyword makes the preceding content match case-insensitive.

Content-List

The content-list keyword names a text file containing a list of strings, one per line, any of which satisfies the match. For example, a file named hack may contain the words password, cracking, and attack on three separate lines. The following rule searches for any of those three words in the data portion of every packet that matches the rule header:

alert ip any any -> /24 any (content-list: "hack"; msg: "Malicious traffic";)

(content-list is a Snort 1.x option that current releases no longer accept; the same effect is obtained with several content rules or with a single pcre alternation.)

Flags

The flags keyword tests which flag bits are set in the TCP header. For example, the following rule alerts on every TCP packet from the /24 subnet that has exactly the ACK flag set:

alert tcp /24 any -> any any (msg: "ACK packet!"; flags: A;)

The following TCP flags are used in Snort:

F: FIN
S: SYN
R: RST
P: PSH
A: ACK
U: URG
1: Reserved bit 1
2: Reserved bit 2
0: No flag set

Without a modifier, flags: matches only when exactly the listed bits are set. Prefixing the list with + matches those bits plus any others, * matches if any of them is set, and ! matches if none of them is set. The two "reserved" bits are the ECN bits (CWR and ECE) of current TCP, so flags: S will not match a SYN that carries ECN; writing flags: S,12 masks those two bits out of the comparison.
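The content, offset, depth, nocase and flags semantics described in this and the preceding section, as an added worked example that is not from the course module or from Snort. It decodes Snort content strings (text and |hex| runs), applies offset and depth the way Snort does (depth counted from the offset), and implements the flags test including the +, *, ! modifiers and the ,12 mask; the payloads and flag bytes in the main block are constructed samples.

```python
"""Snort payload options: content (text and |hex|), offset, depth, nocase,
and the flags test on the TCP flags byte.
Added example for this module; not code from the course or from Snort.
offset/depth follow Snort's meaning: depth counts bytes from the offset.
"""
import re
from typing import Optional

# TCP flag bits with Snort's single-letter names. Snort's "reserved bit 1/2"
# are the ECN bits CWR (0x80) and ECE (0x40) in current TCP.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}

_HEX_RUN = re.compile(r"\|([0-9a-fA-F\s]+)\|")


def decode_content(text: str) -> bytes:
    """'GET |0d 0a|' -> b'GET \\r\\n': text outside pipes is literal, inside is hex."""
    out, pos = bytearray(), 0
    for m in _HEX_RUN.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, content: str, offset: int = 0,
                    depth: Optional[int] = None, nocase: bool = False) -> bool:
    """Search for `content` in `depth` bytes of `payload` starting at `offset`
    (the whole remainder of the payload when depth is None)."""
    pattern = decode_content(content)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        pattern, window = pattern.lower(), window.lower()
    return pattern in window


def flags_match(tcp_flags: int, spec: str) -> bool:
    """Snort 'flags:' test. Bare letters require exactly those bits; a '+' prefix
    means those bits plus any others, '*' any of them, '!' none of them; '0'
    matches a header with no flags. A ',mask' suffix (e.g. S,12) names bits to
    ignore before comparing."""
    spec, _, ignore = spec.partition(",")
    mask = 0
    for ch in ignore:
        mask |= FLAG_BITS[ch]
    tcp_flags &= ~mask & 0xFF
    mode = ""
    if spec and spec[0] in "+*!":
        mode, spec = spec[0], spec[1:]
    if spec == "0":
        return tcp_flags == 0
    want = 0
    for ch in spec:
        want |= FLAG_BITS[ch]
    if mode == "+":
        return tcp_flags & want == want
    if mode == "*":
        return tcp_flags & want != 0
    if mode == "!":
        return tcp_flags & want == 0
    return tcp_flags == want


if __name__ == "__main__":
    # constructed payloads and flag bytes
    smtp = b"MAIL FROM:<x@y>\r\nSubject: hacking tools\r\n"
    print(content_matches(smtp, "hacking"), content_matches(smtp, "HACKING"),
          content_matches(smtp, "HACKING", nocase=True))           # True False True
    http = b"X" * 44 + b"HTTP/1.1 200 OK\r\n"                       # "HTTP" at bytes 44..47
    print(content_matches(http, "HTTP", offset=8, depth=40))       # True: window is bytes 8..47
    print(content_matches(http, "HTTP", offset=8, depth=39))       # False: window ends at byte 46
    print(content_matches(b"ab\x7c\xfecd", "|7c fe|"))             # True
    syn, synack, syn_ecn = 0x02, 0x12, 0x02 | 0xC0
    print(flags_match(syn, "S"), flags_match(synack, "S"), flags_match(synack, "+S"))
    print(flags_match(syn_ecn, "S"), flags_match(syn_ecn, "S,12"))  # False True
```

The offset:8; depth:40 case is the one that usually trips people up: shrinking depth to 39 hides a pattern that ends at byte 47, because the window is offset + depth bytes long, not "up to byte 40".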

Topic 8: Signature-Based NIDSs

Snort Activity 1

Question 1: Select the Snort rule that generates an alert when a UDP packet is seen from the /16 subnet with a source port number greater than

a. alert udp any 1000: -> any any
b. log udp /16 any <> any any
c. log udp / : -> any any
d. alert udp / : -> any any

Correct answer: Option d

Feedback for Option a: Not quite. The rule has to restrict the source to the /16 subnet, and the port range has to begin above the stated port; this rule also includes the port itself.
Feedback for Option b: Not quite. The rule has to generate an alert, but this one only logs. It also has to exclude the lower ports, whereas this rule matches all ports. Finally, the source has to be the /16 subnet, but because of the <> direction this rule also matches when /16 is the destination.
Feedback for Option c: Not quite. The rule has to generate an alert; this one logs.
Feedback for Option d: That's correct. This rule generates an alert when a UDP packet is seen from the /16 subnet with a source port number above the stated port.

Question 2: Choose the Snort rule that logs when H4X0R is found in the content of a TCP packet after the first 20 bytes, between the /24 and /24 subnets.

a. alert tcp /24 any -> /24 any (content: "H4X0R";)
b. alert tcp any <> any (content: "H4XOR"; offset: 20;)
c. log tcp /24 any <> /24 any (content: "H4X0R"; offset: 20;)
d. log udp /24 any -> /24 any (content: "H4X0R"; offset: 20;)

Correct answer: Option c

Feedback for Option a: Not quite. The subnet masks have to be /24, and the rule has to check TCP packets in both directions between the /24 and /24 subnets (<>, not ->). The offset also has to be included in the options, and the rule has to log rather than alert.
Feedback for Option b: Not quite. The rule has to log, not alert, and the content string is mistyped (H4XOR with the letter O instead of H4X0R with a zero).
Feedback for Option c: That's correct. This rule logs when H4X0R is found in the content of a TCP packet after the first 20 bytes, in either direction between the /24 and /24 subnets.
Feedback for Option d: Not quite. The rule has to check TCP packets, not UDP, between the /24 and /24 subnets.

Topic 8: Signature-Based NIDSs

Snort Activity 2

Introduction

An organization, CybN Inc., is using Low Orbit Ion Cannon (LOIC) to test its network's robustness against malicious attacks. LOIC is an open-source network stress-testing and denial-of-service (DoS) tool written in C#, popularized by the group Anonymous in its attacks against MasterCard and Sony. Versions exist for Windows, Mac, and Linux. Given a URL or IP address, LOIC floods the target with TCP packets, UDP packets, or HTTP requests in order to disrupt the service of that host.

Greg, a security analyst at CybN, has used LOIC's attack methods to study the strength of the organization's network security and has captured screenshots of the resulting traffic. Greg now needs to decide whether the network is under a malicious attack and select the relevant Snort rules for two attack scenarios.

Workspace

Step 1: UDP DoS Attack

NAT Diagram

In this diagram, the NAT router is the only device with a publicly accessible IP address. The router translates all incoming traffic into the private network /16. The IDS sits inside the private network, between the router and all other systems on the network.

Question: The image provided shows the output of a UDP DoS attack. Identify the options that most accurately describe why the network activity shown in the image is malicious.

a. A series of UDP packets is sent from the source
b. A series of UDP packets targeting the HTTP port (80)
c. A burst of UDP packets within .0018 seconds
d. Source port and destination port 80 are used

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answers: Options a, b, c

Feedback: The source address is a private IP address, from one of the ranges reserved for private use. A packet with a private source address that does not belong to the local subnet should never arrive from outside; if it does, the address is spoofed or the traffic is otherwise suspect. The image shows UDP traffic to port 80. Port 80 is reserved for HTTP, and HTTP runs over TCP, not UDP, so UDP to port 80 has no legitimate purpose here. A sudden burst of UDP packets is characteristic of a DoS attack. The source port by itself (Option d) says nothing, since any client port may legitimately talk to port 80.

Snort Rule to Detect a UDP Attack

LOIC's UDP attack generates many UDP packets in a short time. To make Snort track activity from one host over a period of time, a threshold can be attached to the rule with the option threshold: type threshold. Additional parameters follow: track by_src counts the traffic per source address (track by_dst would count per destination), and count and seconds set how many matching packets within how many seconds must be seen before the alert is raised. The following rule alerts when 100 UDP packets from a single source arrive within one second, targeting port 80 on the private /16 subnet:

alert udp any any -> /16 80 (msg: "LOIC UDP"; threshold: type threshold, track by_src, count 100, seconds 1;)

Note that the rule-level threshold keyword has been deprecated since Snort 2.8.5 in favour of detection_filter (the same count/seconds test, written as detection_filter: track by_src, count 100, seconds 1;) and event_filter entries in the configuration; the rule above still works on older releases. In either form the alert is a rate observation from one source, not proof that the source is LOIC, so a single matching packet never fires it.
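The threshold semantics of the LOIC UDP rule above, and of the SYN flood rule in the TCP SYN Flood DoS activity that follows, as an added worked example that is not from the course module or from Snort. Constructed packet records are replayed through a small detector that applies both rules (count 100 in 1 second on UDP/80; count 10 in 10 seconds on bare SYNs to TCP/80) with per-source tracking; the page does not state the private /16, so 10.0.0.0/16 is an assumed stand-in, and the traffic generators are made up rather than taken from the screenshots.

```python
"""Per-source rate thresholds with the semantics of Snort's
'threshold: type threshold, track by_src, count N, seconds S'.
Added example for this module; not code from the course or from Snort.
The module does not give the private /16; 10.0.0.0/16 is assumed below.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYN = 0x02
HOME_NET = ipaddress.ip_network("10.0.0.0/16")   # assumed stand-in for the diagram's /16


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time in seconds
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    flags: int = 0  # TCP flags byte (0 for UDP)


@dataclass(frozen=True)
class ThresholdRule:
    msg: str
    proto: str
    dport: int
    count: int
    seconds: float
    syn_only: bool = False   # models 'flags: S'

    def applies(self, p: Packet) -> bool:
        """The rule header and flags test; the threshold is applied separately."""
        if p.proto != self.proto or p.dport != self.dport:
            return False
        if ipaddress.ip_address(p.dst) not in HOME_NET:
            return False
        return p.flags == SYN if self.syn_only else True


class Thresholder:
    """type threshold, track by_src: fire once each time `count` matching packets
    from one source fall within `seconds`, then start counting again."""

    def __init__(self, rules: List[ThresholdRule]):
        self.rules = rules
        self.state: Dict[Tuple[str, str], Tuple[float, int]] = {}  # (msg, src) -> (window start, n)

    def feed(self, p: Packet) -> List[str]:
        alerts = []
        for r in self.rules:
            if not r.applies(p):
                continue
            key = (r.msg, p.src)
            start, n = self.state.get(key, (p.ts, 0))
            if p.ts - start > r.seconds:      # window expired: this packet opens a new one
                start, n = p.ts, 0
            n += 1
            if n >= r.count:
                alerts.append(f"[{r.msg}] {p.src} -> {p.dst}:{p.dport}: {n} packets in {r.seconds}s")
                self.state.pop(key, None)
            else:
                self.state[key] = (start, n)
        return alerts


RULES = [ThresholdRule("LOIC UDP", "udp", 80, count=100, seconds=1),
         ThresholdRule("SYN FLOOD", "tcp", 80, count=10, seconds=10, syn_only=True)]


def run(packets: List[Packet], rules: List[ThresholdRule] = RULES) -> List[str]:
    """Replay packets in time order and collect the alerts raised."""
    det = Thresholder(rules)
    out: List[str] = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        out.extend(det.feed(p))
    return out


# Constructed traffic generators (not captures from the module's screenshots).
def udp_flood(src, dst, n, t0=0.0, gap=0.001):
    """LOIC-style UDP burst: n packets to port 80, one every millisecond."""
    return [Packet(t0 + i * gap, src, dst, "udp", 80) for i in range(n)]


def syn_flood(src, dst, n, t0=0.0, gap=0.5):
    """n bare SYNs to port 80 from one source, two per second."""
    return [Packet(t0 + i * gap, src, dst, "tcp", 80, SYN) for i in range(n)]


def normal_browsing(src, dst, t0=0.0):
    """A browser opening six connections to one site over twelve seconds."""
    return [Packet(t0 + i * 2.0, src, dst, "tcp", 80, SYN) for i in range(6)]


if __name__ == "__main__":
    for name, pkts in [("udp flood", udp_flood("192.168.5.5", "10.0.3.7", 250)),
                       ("syn flood", syn_flood("192.168.5.5", "10.0.3.7", 30)),
                       ("browsing", normal_browsing("192.168.5.5", "10.0.3.7"))]:
        print(name, run(pkts))
```

Two things worth noticing when running it: a 250-packet UDP burst produces two alerts, not 250, because the counter restarts after each firing; and ten SYNs spread over more than ten seconds produce none, because the window expires before the count is reached, which is exactly the margin that lets a slow attacker stay under a threshold rule.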

TCP SYN Flood DoS

Question: This image shows the output of a TCP SYN flood DoS attack. Identify the options that most accurately describe why the network activity shown in the image looks malicious.

a. A series of TCP packets is sent from the source
b. A series of TCP SYN packets connecting to the HTTP port (80)
c. Burst of TCP SYN packets originating from the same source IP
d. Random source port is used to connect to HTTP port (80)

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answers: Options a, c

Feedback: The source address is a private IP address; a TCP packet with a private source address arriving from a network other than the local subnet is spoofed or otherwise suspect. Many TCP SYN packets from the same source in a short period of time are the signature of a SYN flood. By itself, Option b does not indicate anything suspicious: a SYN to port 80 is how every HTTP connection begins. Browsers also open several simultaneous connections to a web server from several ephemeral ports, so Option d by itself is not suspicious either.

Snort Rule

Question: The image provided shows the output of a Snort rule that generates an alert when a TCP SYN flood is detected targeting the /16 subnet. Identify the Snort rule that generates this output.

a. alert tcp any any -> /16 80 (msg: "SYN FLOOD"; flags: S; threshold: type threshold, track by_src, count 10, seconds 10;)
b. alert tcp any any -> /16 any (msg: "SYN FLOOD"; threshold: type threshold, track by_src, count 100, seconds 1;)
c. log tcp any any -> /16 any (msg: "SYN FLOOD"; flags: S;)
d. log tcp any any -> /16 80 (msg: "SYN FLOOD"; flags: S; threshold: type threshold, track by_src, count 100, seconds 10;)

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answer: Option a

Feedback: This rule fires when 10 SYN packets (flags: S, so packets carrying only the SYN bit) are observed within a 10-second interval from the same source, targeting the HTTP port (80) on the /16 subnet. Option b has no flags test and would count every TCP packet; Options c and d log rather than alert, and Option c has no threshold at all, so it would log every single SYN.

Malicious Binary Download

The image depicts the sequence of events of a user accidentally visiting a malicious Web site and downloading a suspicious binary executable. This is an illustration of the Wireshark screenshot included below.

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

The image shows a user initiating a download of a suspicious binary named funny_screensaver.exe. The binary may or may not be malicious, but it is certainly suspicious.

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

The image shows a segment of the binary being transferred from the suspicious Web server to the user.

Question: Refer to the diagram and the Wireshark images. Evaluate which of the following Snort rules is the most effective in detecting future downloads of the binary executable from the Internet.

a. log tcp any any -> any 80 (msg: "funny_screensaver.exe!"; content: "funny_screensaver";)

b. log tcp any any -> any any (msg: "funny_screensaver.exe!"; content: "|7c fe c2 9f 3c d8|";)
c. log tcp /32 any -> any any (msg: "funny_screensaver.exe!";)
d. log udp / > any any (msg: "funny_screensaver.exe!"; content: "funny_screensaver.exe";)

Correct answer: Option b

Feedback: A log entry is generated whenever the chosen segment of the binary, in hex form, appears in any TCP packet, regardless of port, server, or the file name the attacker chooses. This is the most effective of the rules presented: Option a depends on the file name and on port 80, Option c depends on the server's address, which the attacker can change at any time, and Option d inspects UDP, which does not carry HTTP downloads.

Review

Suspicious binaries can be targeted by looking for parts of the binary, in hex format, in the packets passing through the IDS. This method is very common. However, it can be defeated when a malicious binary disguises itself as it spreads (repacking, polymorphism): a static sequence of bytes in the Snort signature will not detect a different version of the same binary. Choosing signature bytes from a part of the file that is stable across variants helps, as does pairing the byte match with other indicators (file name, server, MIME type) rather than relying on any one of them.

Further Challenges

Besides disguising the binary, how would encryption affect the Snort rule presented in Question 4 of the Workspace tab? Here's the Snort rule for reference:

log tcp any any -> any any (msg: "funny_screensaver.exe!"; content: "|7c fe c2 9f 3c d8|";)
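The Review and Further Challenges points above, as an added worked example that is not from the course module or from Snort. The "binary" is a constructed byte string that contains the six signature bytes from the rule; a single-byte XOR stands in for a packer or polymorphic wrapper and zlib compression for a compressed or encrypted channel (TLS has the same effect on a payload signature). The example also shows a third failure mode the page does not mention explicitly: the same signature split across two TCP segments, which a per-packet match misses unless the stream is reassembled first. The file name funny_screensaver.exe is used only as a label.

```python
"""Why a fixed byte signature stops matching when a binary is repacked, sent
over a compressed or encrypted channel, or split across packets.
Added example for this module; not code from the course or from Snort.
The 'binary' is a constructed byte string, not a real executable.
"""
import zlib

SIGNATURE = bytes.fromhex("7c fe c2 9f 3c d8")   # content: "|7c fe c2 9f 3c d8|"


def constructed_binary() -> bytes:
    """Fake executable: MZ stub, PE marker, filler, the signature, more filler."""
    return (b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
            + b"\x41" * 130 + SIGNATURE + b"\x42" * 100)   # signature at bytes 198..203


def segments(data: bytes, mss: int) -> list:
    """Cut the stream into TCP-segment-sized pieces, as it travels on the wire."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def fires_on_stream(data: bytes) -> bool:
    """The rule's content test over the reassembled stream (what the stream
    preprocessor hands to the detection engine)."""
    return SIGNATURE in data


def fires_per_segment(data: bytes, mss: int) -> bool:
    """The same test on each segment alone: a signature that straddles a
    segment boundary is missed when there is no reassembly."""
    return any(SIGNATURE in seg for seg in segments(data, mss))


def xor_pack(data: bytes, key: int) -> bytes:
    """One-byte XOR 'packer'; a real packer or polymorphic engine does far more,
    but even this is enough to change every byte of the signature."""
    return bytes(b ^ key for b in data)


def evasion_report() -> dict:
    """Does the rule fire? One entry per delivery method."""
    original = constructed_binary()
    return {
        "plain transfer": fires_on_stream(original),
        "repacked (xor 0x5a)": fires_on_stream(xor_pack(original, 0x5A)),
        "compressed/encrypted channel": fires_on_stream(zlib.compress(original)),
        "per-segment match, mss 100": fires_per_segment(original, 100),
        "per-segment match, mss 1460": fires_per_segment(original, 1460),
    }


if __name__ == "__main__":
    for method, fired in evasion_report().items():
        print(f"{method:32s} {'ALERT' if fired else 'missed'}")
```

Only the plain, reassembled transfer trips the rule. Snort's stream preprocessor takes care of the segmentation case, but nothing on the sensor can recover the signature from a repacked file or from an encrypted session, which is why such detections are usually moved to the endpoint or to a TLS-inspecting proxy.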

Topic 8: Signature-Based NIDSs

What Is Bro?

Bro is an open-source, UNIX-based NIDS that combines signature-based and behavior-based detection. (The project was renamed Zeek in 2018; this module uses the name that was current when it was written.)

Bro's Working

How Does Bro Work?

Bro first analyzes network traffic to extract its application-level semantics, and then runs event-oriented analyzers that compare the observed activity with suspicious patterns. This analysis detects both specific attacks and unusual activity. The attacks include those defined by signatures and those defined by events; certain hosts connecting to certain services, or patterns of failed connection attempts, are examples of unusual activity.

Bro's Operation

How Does a Site Tailor Bro's Operation?

A site tailors Bro's operation in Bro's own policy scripting language. When malicious activity is detected, Bro can be instructed to write a log entry, raise an alert in real time, or execute an operating system command, for example to terminate a connection or block a malicious host.

Bro Signatures

Bro has shipped a tool called snort2bro that converts Snort signatures into Bro signatures. The tool is no longer part of current Zeek releases, and Bro's signature engine does not support every Snort option, so converted signatures should be checked by hand.

Reference: Bro Intrusion Detection System. (2011). Retrieved from

Example

Consider the conversion of the following Snort rule:

alert udp / : -> any any ()

Here is the snort2bro command and the converted output of the Snort rule:

./snort2bro /etc/snort/rules/test.rules
Reading /etc/snort/rules/test.rules

signature sid-unknown-0 {
  ip-proto == udp
  src-ip == /16
  src-port >= 1001
  src-port <=
}

The Snort port range becomes a pair of comparisons on src-port, and because the rule carried no sid option the generated signature is named sid-unknown-0.

Topic 9: Summary

We have come to the end of Module 7. The key concepts covered in this module are listed below.

An intrusion detection system (IDS) is a warning system that notifies operators about anomalous or malicious traffic, but takes no action to stop it.

An intrusion prevention system (IPS) is a reactive system that not only detects suspicious incoming traffic but also automatically takes action to block it.

Host-based intrusion detection systems (HIDSs) are installed as agents on a host. An HIDS analyzes the host itself (its files, logs, processes, and registry) to detect malicious activity or cyber attacks.

There are two broad types of IDS: knowledge-based and behavior-based (anomaly-based). In a knowledge-based IDS, information about previous attacks and vulnerabilities is held in the system in the form of footprints or signatures. A behavior-based IDS builds a model of normal or valid behavior from existing information and raises an alarm when a deviation from that model is observed.

Knowledge-based IDSs include signature-based IDSs, expert-based IDSs, and transition-based IDSs.

Snort is an open-source signature-based NIDS that can operate as an IDS or, inline, as an IPS. Snort rules encode the signatures of intruder activity.

Bro is an open-source, UNIX-based, signature- and behavior-based NIDS.

Glossary

Bandwidth: Bandwidth is the rate at which data can be transferred over a link, usually stated in bits per second.

Behavior-Based Intrusion Detection System: A behavior-based intrusion detection system uses information about the normal behavior of the system it is monitoring and reports deviations from it.

Bro: Bro is an open-source, UNIX-based signature- and behavior-based network intrusion detection system.

Classless Inter-Domain Routing: Classless Inter-Domain Routing (CIDR) is a notation and allocation scheme for IP addresses in which an explicit prefix length (for example /24) gives the network part of the address, replacing the fixed class A, B, and C boundaries, and is used to aggregate routes.

File Integrity Monitoring: File integrity monitoring is the process of verifying that files have not been altered, typically by comparing a cryptographic hash of each file with a known-good baseline.

Firewall: A firewall is the hardware or software that prevents unauthorized users from accessing a computer or a network.

Host: A host is a network-connected computer that provides services to other computers.

Host-Based Intrusion Detection System: A host-based intrusion detection system (HIDS) detects suspicious activity from within the system it runs on.

Intrusion Detection System: An intrusion detection system (IDS) detects malicious activities on the network and reports them to the system administrator.

Intrusion Prevention System: An intrusion prevention system (IPS) monitors for and blocks malicious activity in a network or system.

Knowledge-Based Intrusion Detection System: A knowledge-based intrusion detection system uses stored information about known attacks.

Log Analysis: Log analysis is the technique of interpreting computer-generated records, or logs.

MIME Header: Multipurpose Internet Mail Extensions (MIME) enable e-mail to support characters other than ASCII, non-text attachments, message bodies with multiple parts, and header information in non-ASCII character sets. A MIME header indicates that the message is MIME-formatted.

Network-Based Intrusion Detection System: A network-based intrusion detection system (NIDS) is an IDS that tries to detect malicious activity by inspecting traffic on a network.

Packet: A packet is a unit into which a larger piece of data is broken down for more efficient transmission.

Petri Nets: Petri nets are a graphical formal modeling language in which places represent states and transitions describe relations between places.

POP: Post Office Protocol (POP) is a protocol that a mail client uses to retrieve e-mail from a mail server.

Rootkit: A rootkit is software or a set of tools that gives intruders administrative-level access to a target system while hiding their presence.

Router: A router is a device that forwards packets of data between networks.

Snort: Snort is an open-source signature-based NIDS.

Spyware: Spyware is a type of malware that resides on a user's computer and gathers information about the user without his or her knowledge.

SSH: Secure Shell (SSH) is a protocol that allows data to be exchanged over an encrypted, authenticated channel between two network devices.

Standard Deviation: Standard deviation is a measure of the variation in a distribution, equal to the square root of the arithmetic mean of the squares of the deviations from the arithmetic mean.

TCP Flags: TCP flags are control bits that show different connection states or give information about how a segment should be handled.

TCP SYN Packets: A TCP SYN packet is the first packet of the TCP three-way handshake, sent by a client to request a connection. A SYN flood sends many SYNs without completing the handshake; SYN cookies are the usual server-side defense against it.

Telnet: Telnet provides remote terminal access to systems. Because it sends everything, including passwords, in cleartext, SSH has replaced it for remote administration.

User Datagram Protocol: User Datagram Protocol (UDP) is a connectionless transport protocol that exchanges datagrams without first establishing a connection and without delivery or ordering guarantees.

Windows Registry Monitoring: Windows registry monitoring is the practice, and the tooling, of watching registry activity in real time; it is a common data source for a host-based IDS.


More information

20-CS Cyber Defense Overview Fall, Network Basics

20-CS Cyber Defense Overview Fall, Network Basics 20-CS-5155 6055 Cyber Defense Overview Fall, 2017 Network Basics Who Are The Attackers? Hackers: do it for fun or to alert a sysadmin Criminals: do it for monetary gain Malicious insiders: ignores perimeter

More information

Intrusion Detection. Comp Sci 3600 Security. Introduction. Analysis. Host-based. Network-based. Distributed or hybrid. ID data standards.

Intrusion Detection. Comp Sci 3600 Security. Introduction. Analysis. Host-based. Network-based. Distributed or hybrid. ID data standards. or Detection Comp Sci 3600 Security Outline or 1 2 3 4 5 or 6 7 8 Classes of or Individuals or members of an organized crime group with a goal of financial reward Their activities may include: Identity

More information

Signature-Based Network Intrusion Detection System Using SNORT And WINPCAP

Signature-Based Network Intrusion Detection System Using SNORT And WINPCAP Signature-Based Network Intrusion Detection System Using SNORT And WINPCAP Sagar N. Shah* M.E. (Computer Science & Engineering), Parul Institute of Engineering & Technology, Vadodara, Gujarat, India Ms.

More information

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter Computer Network Lab 2017 Fachgebiet Technische Informatik, Joachim Zumbrägel Overview Security Type of attacks Firewalls Protocols Packet filter 1 Security Security means, protect information (during

More information

K2289: Using advanced tcpdump filters

K2289: Using advanced tcpdump filters K2289: Using advanced tcpdump filters Non-Diagnostic Original Publication Date: May 17, 2007 Update Date: Sep 21, 2017 Topic Introduction Filtering for packets using specific TCP flags headers Filtering

More information

CE Advanced Network Security

CE Advanced Network Security CE 817 - Advanced Network Security Lecture 5 Mehdi Kharrazi Department of Computer Engineering Sharif University of Technology Acknowledgments: Some of the slides are fully or partially obtained from other

More information

intelop Stealth IPS false Positive

intelop Stealth IPS false Positive There is a wide variety of network traffic. Servers can be using different operating systems, an FTP server application used in the demilitarized zone (DMZ) can be different from the one used in the corporate

More information

UMSSIA INTRUSION DETECTION

UMSSIA INTRUSION DETECTION UMSSIA INTRUSION DETECTION INTRUSION DETECTION Sensor1 Event1, Event2 Monitor No intrusion M SensorN Event1, Event2 Alarm! IDS CHARACTERISTICS Characteristics an IDS can be classified/evaluated by: Type

More information

ECCouncil Certified Ethical Hacker. Download Full Version :

ECCouncil Certified Ethical Hacker. Download Full Version : ECCouncil 312-50 Certified Ethical Hacker Download Full Version : http://killexams.com/pass4sure/exam-detail/312-50 A. Cookie Poisoning B. Session Hijacking C. Cross Site Scripting* D. Web server hacking

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 6 Intrusion Detection First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Intruders significant issue hostile/unwanted

More information

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Actual4Test.   Actual4test - actual test exam dumps-pass for IT exams Actual4Test http://www.actual4test.com Actual4test - actual test exam dumps-pass for IT exams Exam : GCFW Title : GIAC Certified Firewall Analyst Vendors : GIAC Version : DEMO Get Latest & Valid GCFW Exam's

More information

inside: THE MAGAZINE OF USENIX & SAGE April 2002 Volume 27 Number 2 SECURITY A Remote Active OS Fingerprinting Tool Using ICMP BY OFIR ARKIN

inside: THE MAGAZINE OF USENIX & SAGE April 2002 Volume 27 Number 2 SECURITY A Remote Active OS Fingerprinting Tool Using ICMP BY OFIR ARKIN THE MAGAZINE OF USENIX & SAGE April 2002 Volume 27 Number 2 inside: SECURITY A Remote Active OS Fingerprinting Tool Using ICMP BY OFIR ARKIN & The Advanced Computing Systems Association & The System Administrators

More information

CNIT 50: Network Security Monitoring. 6 Command Line Packet Analysis Tools

CNIT 50: Network Security Monitoring. 6 Command Line Packet Analysis Tools CNIT 50: Network Security Monitoring 6 Command Line Packet Analysis Tools Topics SO Tool Categories Running Tcpdump Using Dumpcap and Tshark Running Argus and the Ra Client SO Tool Categories Three Types

More information

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation) 1 Network Security Kitisak Jirawannakool Electronics Government Agency (public organisation) A Brief History of the World 2 OSI Model vs TCP/IP suite 3 TFTP & SMTP 4 ICMP 5 NAT/PAT 6 ARP/RARP 7 DHCP 8

More information

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet SYMANTEC ENTERPRISE SECURITY Symantec Internet Security Threat Report September 00 Power and Energy Industry Data Sheet An important note about these statistics The statistics discussed in this document

More information

ch02 True/False Indicate whether the statement is true or false.

ch02 True/False Indicate whether the statement is true or false. ch02 True/False Indicate whether the statement is true or false. 1. No matter what medium connects computers on a network copper wires, fiber-optic cables, or a wireless setup the same protocol must be

More information

IJSER. Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology

IJSER. Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology ISSN 2229-5518 321 Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology Abstract - Nowadays all are working with cloud Environment(cloud

More information

system to cover their tracks, the HIDS can provide an independent audit trail of the attack.

system to cover their tracks, the HIDS can provide an independent audit trail of the attack. A host-based IDS (HIDS) works differently from a network-based version of IDS. While a network-based IDS resides on a network segment and monitors activities across that segment, a host-based IDS resides

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

1. Intrusion Detection and Prevention Systems

1. Intrusion Detection and Prevention Systems 1. Intrusion Detection and Prevention Systems Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which

More information

Vulnerability Assessment. Detection. Aspects of Assessment. 1. Asset Identification. 1. Asset Identification. How Much Danger Am I In?

Vulnerability Assessment. Detection. Aspects of Assessment. 1. Asset Identification. 1. Asset Identification. How Much Danger Am I In? Detection Vulnerability Assessment Week 4 Part 2 How Much Danger Am I In? Vulnerability Assessment Aspects of Assessment Vulnerability Assessment is a systematic evaluation of asset exposure to threats

More information

Behavior-Based IDS: StealthWatch Overview and Deployment Methodology

Behavior-Based IDS: StealthWatch Overview and Deployment Methodology Behavior-Based IDS: Overview and Deployment Methodology Lancope 3155 Royal Drive, Building 100 Alpharetta, Georgia 30022 Phone: 770.225.6500 Fax: 770.225.6501 www.lancope.com techinfo@lancope.com Overview

More information

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems Section 1: Command Line Tools Skill 1: Employ commands using command line interface 1.1 Use command line commands to gain situational

More information

TCP /IP Fundamentals Mr. Cantu

TCP /IP Fundamentals Mr. Cantu TCP /IP Fundamentals Mr. Cantu OSI Model and TCP/IP Model Comparison TCP / IP Protocols (Application Layer) The TCP/IP subprotocols listed in this layer are services that support a number of network functions:

More information

Incident Response. Figure 10-1: Incident Response. Figure 10-2: Program and Data Backup. Figure 10-1: Incident Response. Figure 10-2: Program and Data

Incident Response. Figure 10-1: Incident Response. Figure 10-2: Program and Data Backup. Figure 10-1: Incident Response. Figure 10-2: Program and Data Figure 10-1: Incident Response Incident Response Chapter 10 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Incidents Happen Protections sometimes break down Incident Severity

More information

Software Engineering 4C03 Answer Key

Software Engineering 4C03 Answer Key Software Engineering 4C03 Answer Key DAY CLASS Dr. William M. Farmer DURATION OF EXAMINATION: 2 Hours MCMASTER UNIVERSITY FINAL EXAMINATION April 2002 (1) [2 pts.] Conventional encryption cannot be used

More information

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Data Communication. Chapter # 5: Networking Threats. By: William Stalling Data Communication Chapter # 5: By: Networking Threats William Stalling Risk of Network Intrusion Whether wired or wireless, computer networks are quickly becoming essential to everyday activities. Individuals

More information

NetDetector The Most Advanced Network Security and Forensics Analysis System

NetDetector The Most Advanced Network Security and Forensics Analysis System Get Real......Real Solutions For Global Networks www.niksun.com NetDetector The Most Advanced Network Security and Forensics Analysis System NIKSUN, Inc. 1100 Cornwall Road Monmouth Junction, NJ 08852

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

ETHICAL HACKING & COMPUTER FORENSIC SECURITY ETHICAL HACKING & COMPUTER FORENSIC SECURITY Course Description From forensic computing to network security, the course covers a wide range of subjects. You will learn about web hacking, password cracking,

More information

Computer Science 3CN3 and Software Engineering 4C03 Final Exam Answer Key

Computer Science 3CN3 and Software Engineering 4C03 Final Exam Answer Key Computer Science 3CN3 and Software Engineering 4C03 Final Exam Answer Key DAY CLASS Dr. William M. Farmer DURATION OF EXAMINATION: 2 Hours MCMASTER UNIVERSITY FINAL EXAMINATION April 2008 THIS EXAMINATION

More information

SentinelOne Technical Brief

SentinelOne Technical Brief SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by behavior-based threat detection and intelligent automation.

More information

Chapter 8 roadmap. Network Security

Chapter 8 roadmap. Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e-mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing

More information

Host Identity Sources

Host Identity Sources The following topics provide information on host identity sources: Overview: Host Data Collection, on page 1 Determining Which Host Operating Systems the System Can Detect, on page 2 Identifying Host Operating

More information

Intrusion Detection and Prevention

Intrusion Detection and Prevention Intrusion Detection and Prevention Outlines: Intrusion Tpesof Types Intrusion Intrusion Detection Models Intrusion Prevention Models By: Arash Habibi Lashkari July 2010 Network Security 07 1 Definition

More information

Security Device Roles

Security Device Roles Kennesaw State University DigitalCommons@Kennesaw State University KSU Proceedings on Cybersecurity Education, Research and Practice 2017 KSU Conference on Cybersecurity Education, Research and Practice

More information

Paloalto Networks PCNSA EXAM

Paloalto Networks PCNSA EXAM Page No 1 m/ Paloalto Networks PCNSA EXAM Palo Alto Networks Certified Network Security Administrator Product: Full File For More Information: /PCNSA-dumps 2 Product Questions: 50 Version: 8.0 Question:

More information

Chapter 9. Firewalls

Chapter 9. Firewalls Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled link however

More information

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client

More information

Guide to Networking Essentials, 6 th Edition. Chapter 5: Network Protocols

Guide to Networking Essentials, 6 th Edition. Chapter 5: Network Protocols Guide to Networking Essentials, 6 th Edition Chapter 5: Network Protocols Objectives Describe the purpose of a network protocol, the layers in the TCP/IP architecture, and the protocols in each TCP/IP

More information

Topics. Principles of Intrusion Detection. Intrusion Detection. Characteristics of systems not under attack

Topics. Principles of Intrusion Detection. Intrusion Detection. Characteristics of systems not under attack Intrusion Detection Topics 1. Principles 2. Models of Intrusion Detection 3. False Positives 4. Architecture of an IDS 5. IDS Deployment 6. Active Response (IPS) 7. Host-based IDS and IPS 8. IDS Evasion

More information

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been

More information

Implementation of Signature-based Detection System using Snort in Windows

Implementation of Signature-based Detection System using Snort in Windows Implementation of Signature-based Detection System using Snort in Windows Prerika Agarwal Sangita Satapathy Ajay Kumar Garg Engineering College, Ghaziabad Abstract: Threats of attacks are increasing day

More information

CIH

CIH mitigating at host level, 23 25 at network level, 25 26 Morris worm, characteristics of, 18 Nimda worm, characteristics of, 20 22 replacement login, example of, 17 signatures. See signatures SQL Slammer

More information

Configuring NAT for IP Address Conservation

Configuring NAT for IP Address Conservation This module describes how to configure Network Address Translation (NAT) for IP address conservation and how to configure inside and outside source addresses. This module also provides information about

More information

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet

More information

Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0

Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0 Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0 April 9, 2012 Introduction One of the earliest indicators of an impending network attack is the presence of network reconnaissance.

More information

GCIH. GIAC Certified Incident Handler.

GCIH. GIAC Certified Incident Handler. GIAC GCIH GIAC Certified Incident Handler TYPE: DEMO http://www.examskey.com/gcih.html Examskey GIAC GCIH exam demo product is here for you to test the quality of the product. This GIAC GCIH demo also

More information

Basic Concepts in Intrusion Detection

Basic Concepts in Intrusion Detection Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification

More information

Detecting Internal Malware Spread with the Cisco Cyber Threat Defense Solution 1.0

Detecting Internal Malware Spread with the Cisco Cyber Threat Defense Solution 1.0 Detecting Internal Malware Spread with the Cisco Cyber Threat Defense Solution 1.0 April 9, 2012 Comments and errata should be directed to: cyber- tm@cisco.com Introduction One of the most common network

More information

Configuring Anomaly Detection

Configuring Anomaly Detection CHAPTER 12 This chapter describes how to create multiple security policies and apply them to individual virtual sensors. It contains the following sections: Understanding Policies, page 12-1 Anomaly Detection

More information