3 Intrusion Detection Systems

Transcription

1 3 Intrusion Detection Systems 3.1 Introduction In Unit 1 the concept of defence-in-depth was discussed, where a defence system has many layers of defence (Figure 3.1). Unfortunately, as in military systems, it is not always possible to protect front-line defences, even if there are multiple layers of them, against breaches in security (Figure 3.2). This can be because an intruder has found a weakness within the security barriers or it could be that the intruder has actually managed to physically locate themselves within the networked systems, thus all the gateway firewalls and DMZ s cannot protect against an intruder once they have managed to base themselves physically within a network. Along with this, most security systems can only guard against known types of attacks, such as in detected known viruses. A particular problem is when new types of attacks occur, as these are more difficult to defend against. A key factor is knowing what is a threat, and how to overcome it. Many organisations are now rehearing plans for how they cope with these threats, and have contingency plans, unfortunately many other organisations have no plans for given threats, and these are the ones which are in most danger of a damaging attack. As in military systems, an allied force would setup spies who s task was to detect instructions, and any covert activities. Figure 3.3 illustrates this concept, where intrusion detection agents are used to listen to network traffic, and network/user activity to try and detect any breaches in security. Data Systems People Enemy can penetrate the main defence, and cause problems Figure 3.1: Network security Unit 3: Intrusion Detection Systems 1

2 even defence in depth can be breached Forth-line defence Third-line defence Second-line defence First-line defence Figure 3.2: Network security intrusion detection can reduce breaches Intrusion detection Figure 3.3: Intrusion detection Most users think the major problem with SUD security is that of the external intruder who wants to do damage to the system, for the glory of it. Unfortunately this is only one part of network security. The threats are many, both from inside and outside the network, thus gateway bastions (such as perimeter routers) can never been seen as an effective method of stopping network intrusions. Figure 3.4 shows some of the threats which exist, from both inside and outside the network. These include data stealing, personal abuse, worms/viruses, DDoS (Distributed Denial-of-Service), fraud and terrorism. It is thus important the intrusion detection and logging agents are places around the network and on hosts, in order that an intrusion could be detected, or, at least, the information on the intrusion is gained for future defences. 2 Network security - W.Buchanan

3 Data stealing Personal abuse Data stealing Worms/Viruses Internal hack Our trusted system Corporate access access WWW access F DoS (Denial-of-Service) External hack Personal abuse Worms/Viruses Fraud Terrorism Network perimeter Terrorism Fraud Figure 3.4: Network threats Untrusted network Audit/ logging De-Militarized Zone (DMZ) WWW server Public FTP server N Intrusion Detection System Intrusion Detection System Thus we need intrusion detection systems throughout our system which will react to internal and external attacks 3.2 Types of intrusion Figure 3.5: Intrusion detection agents There are two main types of intrusion detection: Misuse Detection. This attempts to model attacks on a system as specific patterns, and then scans for occurrences of these. Typical types of misuse include viruses, and worm propagation. Its disadvantage is that it struggles to detect new attacks. Unit 3: Intrusion Detection Systems 3

4 Anomaly Detection. This assumes that abnormal behaviour by a user can be correlated with an intrusion. Its advantage is that it can typically react to new attacks, but can often struggle to detect variants of known attacks, particularly if they fit into the normal usage pattern of a user. Another problem is that the intruder can mimic the behavioural pattern of the user. The main types of intrusion detection systems are: - Network intrusion detection systems (NIDS). These monitor packets on the network and tries to determine an intrusion. This is either host based (where it runs on a host), or can listen to the network using a hub, router or probe. Snort is a good example of this, and is freely available for most systems. - System integrity verifiers (SIV). These monitor system files to determine if an intruder has changed them (a backdoor attack). A good example of this is Tripwire. It can also watch other key system components, such as the Windows registry and root/administrator level privileges. - Log file monitors (LFM). These monitor log files which are generated by network services, and look for key patterns of change. Swatch is a good example. - User profiling. This is currently being research, and involves monitoring the behaviour of a user. The system then checks the normal behaviour of a user against the current user behaviour. - Honey pots. This is where an administrator places a host on the network which is prone to attack, such as having weak or dummy passwords, an unpatched operating system or have ports open for connection. This honey pot is then used to attract the intruder, and detect the intrusion at any early stage. Some advanced honey pots will try and mimic the required responses of an attacked host, but not actually implement the attack. 3.3 Attack patterns It is important to know the main stages of an intrusion, so that it can be detected at an early phase, and overcome before it can do any damage. Basically the intrusion can go through alert phases from yellow, which shows some signs of a potential threat, or red, which involves the potential stealing of data or some form of abuse. The main phases are defined in Figure Host/network-based intrusion detection An intrusion detection system (IDS) can be placed within the network to monitor network traffic, such as looking for known attacks or virus signatures, or can be placed on hosts, where they can detect an intrusion (Figure 3.7). A network-based intrusion detection system cannot obviously decrypt encrypted network data packets, such as with IPsec, thus, in a highly secure network, it is important to run intrusion detection systems on hosts. As threats could be hidden from the IDS, as they can be overcome by intruders who know their operation. 4 Network security - W.Buchanan

5 There are many ways that an IDS can be tricked in its detection. One is to create a denial-of-service against the IDS, where the network traffic is to great for it to cope with. Another is to stagger the threat over several data packets, thus they IDS must be able to backtrack for connections, and buffer each of the received packets. This obviously has a great effect on its performance, and the more it checks, and backtracks, the slower it is likely to become. As a default, the host-based IDS can be seen as the last line of defence, where a threat has been able to transverse over the network, and end-up at the host without being stopped (Figure 3.8). Intruder gains public information about the systems, such as DNS and IP information Intruder gains more specific Information, such as subnet layout, and network devices. Outside Outside reconnaissance reconnaissance Inside Inside reconnaissance reconnaissance From code yellow to code red Exploit Exploit Profit Profit Data stealing, system damage, user abuse, and so on. Foothold Foothold Once into the system, the Intruder can then advance up levels. Intruder finds a weakness, such as cracking a password, breaching a firewall, and so on. Figure 3.6: Intrusion pattern Untrusted network IDS De-Militarized Zone (DMZ) WWW server Public FTP server Intrusion Detection System Host-based IDS listens to the traffic into and out of the host. Network-based IDS listens to all the traffic on the network Intrusion Detection System Host-based Intrusion Detection System Figure 3.7: Intrusion pattern Unit 3: Intrusion Detection Systems 5

6 Untrusted network WWW server De-Militarized Zone (DMZ) Public FTP server The IDS is the last line of defence Host Figure 3.8: IDS As an extension of this the IDS s can be placed on the servers within the DMZ, and on trusted servers (as illustrated in Figure 3.9). It is also important to place IDS agents on either side of a firewall, as an agent placed on one side of the firewall may not be able to detect an attack which has been blocked, thus agents on either side will detect attacks, which have been blocked, and that have been allowed to transverse through the firewall. An IDS agent on the untrusted side of the perimeter will detect an attack, on the main firewall (Figure 3.10). DMZ Untrusted WWW server FTP server Proxy Trusted servers Figure 3.9: Applying IDSs over a network 6 Network security - W.Buchanan

7 This IDS detects attacks against main firewall This IDS detects successful attacks against firewall De-Militarized Zone (DMZ) Public FTP server These IDS s detect internal attacks Host These IDS s detect host attacks Figure 3.10: Using agents to detect attacks The placement of the IDS on certain devices is important. If it is placed on a hub, it can listen to all of the traffic that is on the hub. If it is placed on a switch, it cannot listen to any of the traffic, unless it is configured to forward traffic to a monitoring port (Figure 3.11). One type of system is Cisco s SPAN (Switched Port Analyser), which monitors traffic entering the switch (ingress traffic), traffic leaving the switch (egress traffic). An example of SPAN is shown in Figure 3.12 where the first switch port (FA0/1) monitors FA0/2 and FA05, along with the whole of VLAN2. Thus the switch can monitor individual ports or complete VLANs. Hub Switch IDS can listen to all the incoming and outgoing network This IDS cannot hear any traffic which is not addressed to it as it connects to a switch. Figure 3.11: Agent detection Unit 3: Intrusion Detection Systems 7

8 0/1 0/2 0/5 interface FastEthernet0/1 port monitor FastEthernet0/2 port monitor FastEthernet0/5 port monitor VLAN2! interface FastEthernet0/2! interface FastEthernet0/3 switchport access vlan 2! interface FastEthernet0/4 switchport access vlan 2! interface FastEthernet0/5! interface VLAN1 ip address no ip directed-broadcast no ip route-cache! 3.5 SNORT Figure 3.12: SPAN detection The main IDS is Snort ( Other tools include tcptrace (to identity TCP sessions), tcpflow (to reconstruct TCP sessions) and Ethereal (to capture network traffic). Snort detect intrusions either by: - Signatures detection. Identify well-known patterns of attack. - Anomaly detection. Statistical anomalies, such as user logins, changes to files, and so on. Snort runs as a background process and initially reads-in a set of rules (filename.rules) and monitors the network traffic to produce event data and a log. Rules file (.rules) Snort Event data Log Figure 3.13: Snort The basic format of a Snort rule header is: ACTION PROTOCOL ADDRESS PORT DIRECTION ADDRESS PORT which is then followed by options. A basic statement is: 8 Network security - W.Buchanan

9 alert tcp any any -> / (content:" a5 "; msg:"mountd access";) where the first word on the rule is the action, which are typically: alert Generate an alert and log packet log Log packet pass Ignore the packet activate Alert and activate another rule dynamic Remain idle until activated by an activate rule The second part of the rule defines the protocol, such as: tcp udp icmp ip where TCP and UDP are transport layer protocols, while ICMP and IP are Internet (/network) layer protocols. The next few fields define the source and destination of the traffic, as illustrated in Figure The source and destination address can be defined as any or with the IP address and the subnet mask. For example /24 includes a range of addresses from to Along with this the TCP/UDP port can be defined as either any, a range of ports (m:n which is port m to port n), or a specified port. It should be remembered that when a client connects to a server that the client will use its own source port, and connect, typically to a well-known port on the server. For example a client which connects to a WWW server, would connect to a destination port of 80, and with a unique source port, such as port In this case, when the data packets leave the client, the destination port will be 80, and the source port will be When the data returns from the server, it will have a source port of 80 and a destination one of It is thus key that the -> is pointing in the correct direction, otherwise the <> can be used for both directions. alert tcp any any -> / (content:" a5 "; msg:"mountd access";) Source IP Destination IP Source port (any, or m:n for m to n) Destination port (any, or m:n for m to n) Figure 3.14: Example of source and destination addresses in a Snort rule Unit 3: Intrusion Detection Systems 9

10 Some rules allow a payload in the data packet to be detected. An example of this is given in Figure For this the content element is used to detect a certain sequence in the data packet. This can be defined either in hexadecimal format (between and ) or in plain text format. The content element can have several modifiers, such as offset, distance and within which modify the operation of the search. The end part of the rule in Figure 3.15 displays a message if the rule has been activated. alert tcp any any -> / (content:" a5 "; msg:"mountd access";) Payload detection: Hex sequence Text sequence "USER root" " a5 " Modifiers: rawbytes offset distance within uricontent bytejump Figure 3.15: Example Snort rule There are also various configuration commands that can be used in the rules file, such as: - config decode_arp - snort -a - config payload - config decode_data_link - config interface - config nolog - Disable logging, but alerts still occur - config quiet - snort -q - config verbose - snort -v - config show_year - config min_ttl:x The SID and REV represent known Snort rules: - Less 100 Reserved for future use. - Between 100 and 1,000,000 are rules included with the Snort distribution. - More than 1,000,000 is for local rules. For example: sid:336; rev:7; represents an attempt to change to the system administrator s account in FTP. 10 Network security - W.Buchanan

11 3.6 Defining the policy A key element of security is to have a policy which is defined at the highestlevel in the organisation, and which is well-known to the employees in the organisation. Also, if there is public access to the network, they should be informed as to the security restrictions placed on the network. Figure 3.16 shows a transparent and auditable system where the policy is defined at the highest level, and includes the aims and objectives of the organisation, the legal moral and social responsibilities of the organisation, and the technical feasibility of the policy. These are then decided upon, and a policy is implemented by technical staff. A key feature is that this policy should be audited in some way, and also verified that it achieves the policy requirements. There are possibly many different types of network/user activity that should be detected and which could breach the aims and objectives of the organisation, or which breach the social, moral and legal responsibilities of the organisation. Figure 3.17 shows examples of some of the network traffic/user activity that might be monitored with an IDS. It can be seen that it is not just treats to the network, but also activities that might be wasteful in resources, or which breaches social and moral rules. It can often be just as embarrassing for a user in an organisation to be involved in an immoral activity than it is to have a network intrusion. Thus applications such as peer-to-peer file sharing, such as Kazaa, should be avoided in organisations, as they have many copyright issues. Along with this audio and video streaming, such as from news sites, may be wasteful on bandwidth, and, if they traffic was great enough, might swamp traffic which is important for the organisation. Aims and objectives of the organisation Legal, moral and social responsibilities Technical feasibility Policy Definition Management Technical Policy Implementation Verification Audit Figure 3.16: Security policy definition, implementation and verification Unit 3: Intrusion Detection Systems 11

12 Video/Audio Streaming Why? Wasted bandwidth Hacking Why? Data/System loss. Fraud. Chat Programmes Why? Wasted time. P2P programs Why? Copyright issues. Porn Why? Moral/legal issues. Non-business Why? Wasted resources. Running server applications Why? Corporate issues. Viruses/Worms Why? Data/System loss. Bad Traffic Why? Wasted resources. Figure 3.17: Types of traffic/user activity that might be monitor 3.7 Example rules There are two main variable which are defined in the rules files. These are $HOME_NET which defines all the nodes on our own network, and $EXTERNAL_NET which is every network outside our own network. In the following script the alert is caused from there is a flow of traffic form the external network on any port to our own network on port 21 (the FTP port). It detects that the external intruder is trying to change the current directory to the root s home directory (using the CWD ~root command): alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ftp CWD ~root attempt"; flow:to_server,established; content:"cwd"; nocase; content:"~root"; nocase; distance:1;) The following rule detects incoming traffic which is destined for an FTP server on our own network which tries to get the password file (using the RETR passwd command): alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ftp passwd retrieval attempt"; flow:to_server,established; content:"retr"; nocase; content:"passwd";) P2P detection Peer-to-peer operations are to be avoided in many organisations, as the laws against them are still being developed. One of the most popular is Kazaa which uses port 1214 to allow a remote peer connection, such as: > netstat -a Active Connections Proto Local Address Foreign Address State 12 Network security - W.Buchanan

13 TCP bills:http bills:0 LISTENING TCP bills:epmap bills:0 LISTENING TCP bills:https bills:0 LISTENING TCP bills:microsoft-ds bills:0 LISTENING TCP bills:1025 bills:0 LISTENING TCP bills:1214 bills:0 LISTENING TCP bills:2869 bills:0 LISTENING TCP bills:3620 bills:0 LISTENING TCP bills:5679 bills:0 LISTENING TCP bills:1029 bills:0 LISTENING TCP bills:1047 bills:0 LISTENING TCP bills:1047 localhost:4389 TIME_WAIT TCP bills:1047 localhost:4402 TIME_WAIT To detect Kazaa activities for a GET message: alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"p2p (kazaa/morpheus) GET request"; flow:to_server,established; content:"get "; To detect MSN Messenger, which uses port 1863 for its communications, the MSG command is detected in the data packet payload: alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"chat MSN message"; flow:established; content:"msg ";) Virus/Worm detection For a virus or worm, normally the signature of its propagation is detected, such as: alert tcp any any -> any 139 (msg:"virus - Possible QAZ Worm"; flags:a; content: " a e "; ) which detects the worm propagating through port 139, and detects the A flag in the TCP header. For a virus, Snort can detect its propagation to an server (on port 25 - SMTP), with a certain file attachment (in this case a.vbs file attachment): alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"virus OUTBOUND.vbs file attachment"; flow:to_server,established; content:"content-disposition 3a "; content:"filename= 22 "; distance:0; within:30; content:".vbs 22 "; distance:0; within:30; nocase;) This detects the name of the file as filename.vbs, where the quotes is the ASCII character equivalent of 22 in hexadecimal ( /rfcs/rfc821.html). Unit 3: Intrusion Detection Systems 13

14 3.7.3 Sweeps One activity which typically indicates a potential future security breach is sweeping activities. This typically involves TCP/UDP sweeps (as illustrated in Figure 3.18), TCP/UDP port sweeps (as illustrated in Figure 3.19), OS identification, and account scans (Figure 3.20). For the port sweeps an intruder may scan certain hosts or every host on a subnet, to determine the ports which they have open, as certain ports can be used to gain a foothold on the host. With ping scans, the intruder tries to determine the host which are active on a network. For OS identification the intruder searches hosts for certain machines, which possibly have an OS weakness, such as searching for Windows 95 machines, as these tend to have FAT32 file systems which have very little security associated with them. For account scans, an intruder may scan the user ID s for weak passwords. Open port 10? Open port 11?.. Open port 8888? Typical scans: Ping sweeps. TCP scans. UDP scans. OS identification scans. Account scans. A particular threat is the TCP/UDP port scanner, which scans for open ports on a host. An open port is in the LISTEN state. If an intruder finds one, it may try and connect to it. Figure 3.18: TCP/UDP port sweeps Ping ? Ping ?.. Ping ? Ping ? Typical scans: Ping sweeps. TCP scans. UDP scans. OS identification scans. Account scans. A particular threat is the ping port scanner, which pings multiple hosts to see which ones are alive If an intruder finds one, it may try and connect to it. Typically Typically pings pings are are barred barred the the gateway gateway to to the the organisation organisation Figure 3.19: Ping sweeps 14 Network security - W.Buchanan

15 Login anonymous Login fred fred Login user password Login root Login default Typical scans: Ping sweeps. TCP scans. UDP scans. OS identification scans. Account scans. Anonymous logins Using the same password as user ID Using password as password. Using root login Using system default logins Figure 3.20: Account sweeps An example of a Windows ping sweep is: alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"icmp PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16;) where an ICMP ping packet is detected with the standard contents of abc.op. Programs such as nmap can scan whole networks looking for open ports. A key objective of Snort is to detect this presence. Luckily Snort has a preprocessor rule for this. These prepreocessors act before the rules do. An example is: preprocessor portscan: /24 Ports Time /logs/portscan.log where Ports is set to the number of ports which are open with a number of seconds (Time), and saves it to the portscan.log file. 3.8 Running Snort A typical method of running Snort is: Snort -v -c bill.rules -l /log Where -c identifies the rules file, -v identifies verbose mode, and -l defines the directory for the alerts file (alert.log). An example rule in the file is: alert tcp any any -> any any (content:"the"; msg:"the found...";) Unit 3: Intrusion Detection Systems 15

16 After generating some network traffic with the word The in it gives: [**] [1:0:0] The found... [**] [Priority: 0] 01/16-22:27: :60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x :445 -> :3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF ***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20 [**] [1:0:0] The found... [**] [Priority: 0] 01/16-22:27: :3:6D:FF:2A:51 -> 0:60:B3:68:B1:10 type:0x800 len:0x :3554 -> :445 TCP TTL:128 TOS:0x0 ID:1086 IpLen:20 DgmLen:394 DF ***AP*** Seq: 0x3524EE7B Ack: 0xF842AB06 Win: 0x42E4 TcpLen: 20 [**] [1:0:0] The found... [**] [Priority: 0] 01/16-22:27: :60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x5d :445 -> :3554 TCP TTL:128 TOS:0x0 ID:775 IpLen:20 DgmLen:79 DF ***AP*** Seq: 0xF842AB06 Ack: 0x3524EFDD Win: 0x41BF TcpLen: 20 it can be seen that the date and time is logged for each alert. The source and destination MAC addresses are also defined (Figure 3.21), along with the IP (Figure 3.22) and TCP parts (as shown in Figure 3.23). IP Header Version Version Header length Header length Type of service Type of service Total length Total length Identification Identification 0 0 D M D M Fragment Offset Fragment Offset Time-to-Live Time-to-Live Protocol Protocol Header Checksum Header Checksum Source Source IP IP Address Address Destination IP Destination IP Address Address TCP Header Data offset Data offset Source port Source port Destination port Destination port Sequence number Sequence number Acknowledgement number Acknowledgement number Window Window Checksum Checksum UrgentPtr UrgentPtr Reserved/Flags Reserved/Flags Src MAC Des MAC Type Len IP TCP Ethernet Data frame [**] [1:0:0] The found... [**] [Priority: 0] 01/16-22:27: :60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x :445 -> :3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF ***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20 Remember IP addresses can be spoofed the MAC addresses can t (well it s difficult). Figure 3.21: Ethernet headers 16 Network security - W.Buchanan

17 IP Header Version Version Header length Header length Type of service Type of service Total length Total length Identification Identification 0 0 D M D M Fragment Offset Fragment Offset Time-to-Live Time-to-Live Protocol Protocol Header Checksum Header Checksum Source IP Address Source IP Address Destination IP Destination IP Address Address TCP Header Data offset Data offset Source port Source port Destination port Destination port Sequence number Sequence number Acknowledgement number Acknowledgement number Window Window Checksum Checksum UrgentPtr UrgentPtr Reserved/Flags Reserved/Flags [**] [1:0:0] The found... [**] [Priority: 0] 01/16-22:27: :60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x :445 -> :3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF ***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20 Figure 3.22: IP headers IP Header Version Version Header Header length length Type Type of of service service Total Total length length Identification Identification 0 0 D D M M Fragment Fragment Offset Offset Time-to-Live Time-to-Live Protocol Protocol Header Header Checksum Checksum Source Source IP IP Address Address Destination Destination IP IP Address Address TCP Header Data Data offset offset Source Source port port Destination Destination port port Sequence Sequence number number Acknowledgement Acknowledgement number number Window Window Checksum Checksum UrgentPtr UrgentPtr Reserved/Flags Reserved/Flags [**] [1:0:0] The found... [**] [Priority: 0] 01/16-22:27: :60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x :445 -> :3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF ***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20 Figure 3.23: TCP headers Snort creates logs for each port-to-port connection for each host on the network (as illustrated in Figure 3.24). A key element of detecting different types of traffic is in the analysis of the TCP flags. These are (UAPRSF), U is the urgent flag (URG). A the acknowledgement flag (ACK). P the push function (PSH). R the reset flag (RST). S the sequence synchronize flag (SYN). F the end-of-transmission flag (FIN). Unit 3: Intrusion Detection Systems 17

18 + log TCP_ ids TCP_ ids TCP_ ids TCP_ ids TCP_ ids TCP_ ids Log of traffic between port 3423 and 455 to/from /16-22:11: :3423 -> :445 TCP TTL:128 TOS:0x0 ID:975 IpLen:20 DgmLen:48 DF ******S* Seq: 0x26885B8B Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 01/16-22:11: :445 -> :3423 TCP TTL:128 TOS:0x0 ID:653 IpLen:20 DgmLen:48 DF ***A**S* Seq: 0xE9A4004C Ack: 0x26885B8C Win: 0x4470 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 01/16-22:11: :3423 -> :445 TCP TTL:128 TOS:0x0 ID:977 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x26885B8C Ack: 0xE9A4004D Win: 0x4470 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ Figure 3.24: TCP headers A client-server connection is normally involves an initial handshaking to negotiate the connection, such as: Client Server 1. CLOSED LISTEN 2. SYN-SENT -> <SEQ=999><CTL=SYN> SYN-RECEIVED 3. ESTABLISHED <SEQ=100><ACK=1000><CTL=SYN,ACK> <- SYN-RECEIVED 4. ESTABLISHED -> <SEQ=1000><ACK=101> <CTL=ACK> ESTABLISHED This is known as the three-way handshake. An involves a SYN from the client to the server, a SYN,ACK from the server to the client (to acknowledge the connection from the server), and an ACK from the client to the server (to finalise the connection). The SYN flag is thus important in detecting a client connecting to a server. An incoming SYN flag is important in detecting the start of a connection. The main flags are: F FIN S SYN R RST P PSH A ACK U URG and the following modifiers can be set to change the match criteria: + match on the specified bits, plus any others * match if any of the specified bits are set 18 Network security - W.Buchanan

19 ! match if the specified bits are not set An example to test for SYN flag is: alert tcp any any -> any any (flags:s;) It is often important to know the flow direction. The main flow rules options are: to_client. Used for server responses to client. to_server Used for client requests to server. from_client. Used on client responses. from_server. Used on server responses. established. Established TCP connections. For example to test for an FTP connection to the users computer: alert tcp any any -> $HOME_NET 21 (flow: from_client; content: "CWD incoming"; nocase; Figure 3.25 shows an example of the flags that are set. In this case the A and S flags identify the SYN, ACK sequence (which occurs when the server responses back to the client for the connection. IP Header Version Version Header Header length length Type Type of of service service Total Total length length Identification Identification 0 0 D D M M Fragment Fragment Offset Offset Time-to-Live Time-to-Live Protocol Protocol Header Header Checksum Checksum Source Source IP IP Address Address Destination IP Address TCP Header Data offset Data offset Source Source port port Destination Destination port port Sequence Sequence number number Acknowledgement number Acknowledgement number Window Window Checksum Destination IP Address Checksum UrgentPtr UrgentPtr 01/16-22:11: :3423 -> :445 TCP TTL:128 TOS:0x0 ID:975 IpLen:20 DgmLen:48 DF ******S* Seq: 0x26885B8B Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 01/16-22:11: :445 -> :3423 TCP TTL:128 TOS:0x0 ID:653 IpLen:20 DgmLen:48 DF ***A**S* Seq: 0xE9A4004C Ack: 0x26885B8C Win: 0x4470 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 01/16-22:11: :3423 -> :445 TCP TTL:128 TOS:0x0 ID:977 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x26885B8C Ack: 0xE9A4004D Win: 0x4470 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ UAPRSF UAPRSF Figure 3.25: Example flags Unit 3: Intrusion Detection Systems 19

20 Along with this Snort can be used to analyse the ARP translations on the network. This gives a pointer to the devices which are asking to resolve the MAC address of a host. Figure Note that the ARP requests are sent to everyone on the same network (that is one which is bounded by a router). Switch Devices can only communicate directly if they have they have the MAC address and IP address. ARP request: Who has ? ARP request is broadcast to the network 01/16-09:31: ARP who-has tell /16-09:45: ARP who-has tell /16-09:45: ARP reply is-at 0:20:18:38:B8:63 01/16-09:46: ARP who-has tell /16-09:46: ARP who-has tell /16-09:46: ARP who-has tell ARP reply is sent to the network, on which every node on the segment updates its ARP table Figure 3.26: ARP log 3.9 Cisco IDS While Snort gives is extensive IDS, Cisco routers can also be setup to provide a first-level IDS system. As a device it will always be inferior to Snort, as the router lacks memory. Each 2000 ICMP Echo Reply Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 0 (Echo Reply) ICMP Host Unreachable Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 3 (Host Unreachable) ICMP Redirect Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 5 (Redirect) ICMP Echo Request Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 8 (Echo Request). 20 Network security - W.Buchanan

21 For example to setup a post office IDS on Router 1: R1(config)# R1(config)# R1(config)# R1(config)#ip audit po max 300 R1(config)#ip audit po local R1(config)#logging console info R1(config)#exit R1# 22:57:28: %SYS-5-CONFIG_I: Configured from console by console Next the router must be rebooted with: R1#reload An the final setup is created with: R1#config t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#ip audit attack action alarm R1(config)#ip audit info action alarm R1(config)#ip audit signature 2001 list 91 R1(config)#ip audit signature 2002 list 91 R1(config)#ip audit name AUDIT.1 info list 90 action alarm R1(config)#int s0 R1(config-if)#ip address R1(config-if)#ip audit AUDIT.1 in R1(config-if)#no shutdown R1(config-if)#exit R1(config)#exit The following commands can then be used to verify the operation: R1#show ip audit 00:08:12: %SYS-5-CONFIG_I: Configured from console by consoleip aud conf Event notification through syslog is enabled Event notification through Net Director is disabled Default action(s) for info signatures is alarm Default action(s) for attack signatures is alarm Default threshold of recipients for spam signature is 250 Signature 2001 list 91 Signature 2002 list 91 PostOffice:HostID:0 OrgID:0 Msg dropped:0 :Curr Event Buf Size:0 Configured:300 Post Office is not enabled - No connections are active Audit Rule Configuration Audit name AUDIT.1 info acl list 91 actions alarm R1#show ip audit interface Interface Configuration Interface Serial0 Inbound IDS audit rule is AUDIT.1 info acl list 91 actions alarm Outgoing IDS audit rule is not set R1#show ip audit stat Interfaces configured for audit 1 Session creations since subsystem startup or last reset 0 Current session counts (estab/half-open/terminating) [0:0:0] Maxever session counts (estab/half-open/terminating) [0:0:0] Unit 3: Intrusion Detection Systems 21

22 Last session created never Last statistic reset never Post Office is not enabled - No connections are active For example if a distant route is pinging the router with the IDS the message will be in the form of: 00:17:20: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP Echo Request - from to :17:20: %IDS-4-ICMP_ECHO_REPLY_SIG: Sig:2000:ICMP Echo Reply - from to To block any IDS detection on our rules from , the following rules can be applied: R1(config)#access-list 91 deny R1(config)#access-list 91 permit any which will exclude from the IDS detection Honey pots Honey pots are currently under investigation by many researchers, but may have some moral issues, as they are setup to trap intruders. A honey pot is typically setup with required weaknesses, such as: Default administrator/password. Dummy users with weak passwords. Ports open for connection. React to virus/worm systems (but simulate conditions). Sometimes it is possible to create a honey-pot or lures, which attracts an intruder so that they can be caught before they do any damage. It also can help to identify the propagation of viruses and/or worms Conclusions Snort logs a great deal of information on network activity, including: - Logging date/time of alerts and data packets. - Generating alerts (alert.ids) - Logging every data packet and every connection. - Logging ARP requests and responses. - Logging MAC addresses with IP addresses. For most of the time, the monitoring of data packets may not be important but every so often there s a breach, and the evidence must be picked through. A key element is the amount of true positives (the number of alerts which are connect), as apposed to the number of false positives (the number of alerts 22 Network security - W.Buchanan

23 which are not threats). Along with this there is the number of true negatives, which identify the number of actual alerts which are not detected Tutorial Snort tutorial. Complete the Snort tutorial Which Snort command will filter for outgoing requests: A alert tcp any any -? any 21 msg " sent" B alert tcp any any -? any 25 msg " sent" C alert tcp any 21 -? any any msg " sent" D alert tcp any 25 -? any any msg " sent" E alert tcp any 25 -? any 21 msg " sent" Which Snort command will filter for incoming from the server: A alert tcp any any -? any 21 msg " received" B alert tcp any any -? any 25 msg " received" C alert tcp any 21 -? any any msg " received" D alert tcp any 25 -? any any msg " received" " E alert tcp any 25 -? any 21 msg " received" " Which Snort command will filter for outgoing FTP requests: A alert tcp any any -? any 21 msg "FTP out" B alert tcp any any -? any 25 msg "FTP out" C alert tcp any 21 -? any any msg "FTP out" D alert tcp any 25 -? any any msg "FTP out" E alert tcp any 25 -? any 21 msg "FTP out" Which Snort command will filter for incoming FTP response from an FTP server: A alert tcp any any -? any 21 msg "FTP response" B alert tcp any any -? any 25 msg "FTP response" C alert tcp any 21 -? any any msg "FTP response" D alert tcp any 25 -? any any msg "FTP response" E alert tcp any 25 -? any 21 msg "FTP response" Which is the following is unlikely to be a port that a client uses to connect to an FTP server: A 21 B 3100 C 3110 D 3111 E Which Snort command line option is used to define that packets are not logged A -v B -c C -n Unit 3: Intrusion Detection Systems 23

24 D -l E -k Which Snort command line option is used to read a rules file A -v B -c C -n D -l E -k Which Snort command line option is used to run in verbose mode A -v B -c C -n D -l E -k Which Snort command line option is used to define the log directory A -v B -c C -n D -l E -k In Snort how might the home network variable to set A var $HOME_NET= \24 B var $HOME_NET \24 C $HOME_NET \24 D $HOME_NET= \24 E var $HOME_NET is \ In Snort, which is the default alert file A alert.txt B snort.txt C myalerts.ids D alert.ids E source.alert What does the "SYN", "SYN,ACK", "ACK" sequence signify A The identification of a buffer overflow B The retransmission of data C The end of a client-server connection D The handshaking of data for a client-server connection E The initial negotiation of a client-server connection For the "SYN", "SYN,ACK", "ACK" sequence, who generates the initial "SYN" A The client B The server 24 Network security - W.Buchanan

25 C Either the client or the server For the "SYN", "SYN,ACK", "ACK" sequence, who generates the "SYN,ACK" A The client B The server C Either the client or the server For the "SYN", "SYN,ACK", "ACK" sequence, who generates the "ACK" A The client B The server C Either the client or the server Unit 3: Intrusion Detection Systems 25