Advanced Security and Forensic Computing. Advanced Security and Forensic Computing

Transcription

1 Advanced Security and Forensic Computing Dr Dr Bill Buchanan, Reader, School of of Computing. >Unit 3: 3: Intrusion Detection Systems Advanced Security and Forensic Computing WJ Buchanan. ASFC (1)

2 Data Systems People Enemy can penetrate the main defence, and cause problems Even the best defence can be breached WJ Buchanan. ASFC (2)

3 even defence in depth can be breached Forth-line defence Third-line defence Second-line defence First-line defence Defence-in-depth WJ Buchanan. ASFC (3)

4 intrusion detection can reduce breaches Intrusion detection Intrusion Detection WJ Buchanan. ASFC (4)

5 Data stealing Worms/Viruses Our trusted system Corporate access access WWW access Network perimeter Terrorism DoS (Denial-of-Service) External hack Personal abuse Fraud External Threats WJ Buchanan. ASFC (5)

6 Data stealing Personal abuse Data stealing Worms/Viruses Internal hack Our trusted system Worms/Viruses Fraud Corporate access access WWW access Terrorism Network perimeter Terrorism DoS (Denial-of-Service) External hack Personal abuse Fraud External and Internet Threats WJ Buchanan. ASFC (6)

7 Data stealing Personal abuse CIA found that: 80% of abuse was internal Data stealing Worms/Viruses Internal hack Our trusted system Worms/Viruses Fraud Corporate access access WWW access Terrorism External and Internet Threats This firewall cannot stop internal attacks DoS (Denial-of-Service) External hack Personal abuse Terrorism Fraud WJ Buchanan. ASFC (7)

8 Untrusted network Audit/ logging De-Militarized Zone (DMZ) WWW server Public FTP server Thus we need intrusion detection systems throughout our system which will react to internal and external attacks N Intrusion Detection System Intrusion Detection System Intrusion Detection Systems WJ Buchanan. ASFC (8)

9 Intrusion Detection - Misuse Detection. This attempts to model attacks on a system as specific patterns, and then scans for occurrences of these. Its disadvantage is that it struggles to detect new attacks. - Anomaly Detection. This assumes that abnormal behaviour by a user can be correlated with an intrusion. Its advantage is that it can typically react to new attacks, but can often struggle to detect variants of known attacks, particularly if they fit into the normal usage pattern of a user. Another problem is that the intruder can mimic the behavioural pattern of the user. Intrusion Detection WJ Buchanan. ASFC (9)

10 Intrusion Detection Types - Network intrusion detection systems (NIDS). These monitor packets on the network and tries to determine an intrusion. This is either host based (where it runs on a host), or can listen to the network using a hub, router or probe. - System integrity verifiers (SIV). These monitor system files to determine if an intruder has changed them (a backdoor attack). A good example of this is Tripwire. It can also watch other key system components, such as the Windows registry and root/administrator level privileges. - Log file monitors (LFM). These monitor log files which are generated by network services, and look for key patterns of change. Swatch is a good example. - User profiling. This is currently being research, and involves monitoring the behaviour of a user. The system then checks the normal behaviour of a user against the current user behaviour. Intrusion Detection Types WJ Buchanan. ASFC (10)

11 Software bugs: Buffer overflows Unexpected combinations Unhandled input Race conditions System configuration: These will be covered in Unit 5 Default configurations: Lazy administrators Hole creation: Trust relationships Sniffing unsecured traffic: Shared medium Server sniffing Remote sniffing Design flaws: TCP/IP protocol flaws UNIX design flaws Others: DoS IP Spoofing WWW browser attacks WWW server attacks CGI weakness IMAP SQL/Database Java Some of the methods that Intruders might use WJ Buchanan. ASFC (11)

12 Intruder gains public information about the systems, such as DNS and IP information Intruder gains more specific Information, such as subnet layout, and network devices. Outside Outside reconnaissance reconnaissance Inside Inside reconnaissance reconnaissance From code yellow to code red Profit Profit Data stealing, system damage, user abuse, and so on. Foothold Foothold Once into the system, the Intruder can then advance up levels. Exploit Exploit Intruder finds a weakness, such as cracking a password, breaching a firewall, and so on. Steps that could be taken by an intruder WJ Buchanan. ASFC (12)

13 Untrusted network IDS De-Militarized Zone (DMZ) WWW server Public FTP server Host-based IDS listens to the traffic into and out of the host. Network-based IDS listens to all the traffic on the network Intrusion Detection System Host-based Intrusion Detection System Intrusion Detection System Host-based and Network-based IDS WJ Buchanan. ASFC (13)

14 Hub Switch IDS can listen to all the incoming and outgoing network This IDS cannot hear any traffic which is not addressed to it as it connects to a switch. A Network-based IDS must be able to listen to traffic WJ Buchanan. ASFC (14)

15 WJ Buchanan. ASFC (15) 0/1 0/2 0/5 interface FastEthernet0/1 port monitor FastEthernet0/2 port monitor FastEthernet0/5 port monitor VLAN2! interface FastEthernet0/2! interface FastEthernet0/3 switchport access vlan 2! interface FastEthernet0/4 switchport access vlan 2! interface FastEthernet0/5! interface VLAN1 ip address no ip directed-broadcast no ip route-cache!

16 Untrusted network WWW server De-Militarized Zone (DMZ) Public FTP server Host The IDS is the last line of defence IDS s are applied to hosts and servers WJ Buchanan. ASFC (16)

17 DMZ Untrusted WWW server FTP server Proxy Trusted Trusted IDS s applied across the system WJ Buchanan. ASFC (17)

18 Untrusted DMZ Trusted WWW server FTP server Proxy Trusted IDS s applied across the system WJ Buchanan. ASFC (18)

19 This IDS detects successful attacks against firewall This IDS detects attacks against main firewall Host These IDS s detect host attacks De-Militarized Zone (DMZ) Public FTP server These IDS s detect internal attacks Placing IDS s WJ Buchanan. ASFC (19)

20 The main IDS is Snort ( Other tools include: tcptrace. To identity TCP sessions. tcpflow. To reconstruct TCP sessions. Ethereal. To capture network traffic. Rules file (.rules) Snort Event data Log Detection either by: Signatures detection. Identify well-known patterns of attack. Anomaly detection. Statistical anomalies, such as user logins, changes to files, and so on. Snort WJ Buchanan. ASFC (20)

21 alert tcp any any -> / (content:" a5 "; msg:"mountd access";) alert log pass activate dynamic Generate an alert and log packet Log packet Ignore the packet Alert and activate another rule Remain idle until activated by an activate rule Snort Rules - Actions WJ Buchanan. ASFC (21)

22 alert tcp any any -> / (content:" a5 "; msg:"mountd access";) tcp udp icmp ip Transport layer protocols Network layer protocol Snort Rules - Protocols WJ Buchanan. ASFC (22)

23 alert tcp any any -> / (content:" a5 "; msg:"mountd access";) Source IP Destination IP Source port (any, or m:n for m to n) Destination port (any, or m:n for m to n) Snort Rules - Source and and Destinations IP/port WJ Buchanan. ASFC (23)

24 alert tcp any any -> / (content:" a5 "; msg:"mountd access";) Payload detection: Hex sequence Text sequence " a5 " "USER root" Modifiers: rawbytes offset distance within uricontent bytejump Snort Rules - Payload Detection WJ Buchanan. ASFC (24)

25 alert tcp any any -> / (content:" a5 "; msg:"mountd access";) Message to display Snort Rules - Displaying a Message WJ Buchanan. ASFC (25)

26 There are also various configuration commands that can be used in the rules file, such as: config decode_arp - snort -a config payload config decode_data_link config interface config nolog - Disable logging, but alerts still occur config quiet - snort -q config verbose - snort -v config show_year config min_ttl:x The SID and REV represent know Snort rules: Less 100 Reserved for future use Between 100 and 1,000,000 are rules included with the Snort distribution More than 1,000,000 is for local rules For example: sid:336; rev:7; represents an attempt to change to the system administrator s account in FTP. Configuration options in rules file WJ Buchanan. ASFC (26)

27 WJ Buchanan. ASFC (27) Aims and objectives of the organisation Legal, moral and social responsibilities Technical feasibility Policy Definition Policy Implementation Management Technical Verification Audit

28 Video/Audio Streaming Why? Wasted bandwidth Hacking Why? Data/System loss. Fraud. Chat Programmes Why? Wasted time. P2P programs Why? Copyright issues. Viruses/Worms Why? Data/System loss. Porn Why? Moral/legal issues. Non-business Why? Wasted resources. Running server applications Why? Corporate issues. Bad Traffic Why? Wasted resources. Types of Traffic that Organisations Typically Want to Detect WJ Buchanan. ASFC (28)

29 # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al. # All rights reserved. # $Id: ftp.rules,v /12/16 22:14:42 cazz Exp $ # # FTP RULES (edited) # FTP server port Attempt to access root account! # bad directories alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ftp CWD ~root attempt"; flow:to_server,established; content:"cwd"; nocase; content:"~root"; nocase; distance:1; pcre:"/^cwd\s+~root/smi"; reference:cve,cve ; reference:arachnids,318; classtype:badunknown; sid:336; rev:7;) Attempt to get the password file! # BAD FILES alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ftp passwd retrieval attempt"; flow:to_server,established; content:"retr"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:5;) Suspicious login! # suspicious login attempts alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ftp ADMw0rm ftp login attempt"; flow:to_server,established; content:"user"; nocase; content:"w0rm"; nocase; distance:1; pcre:"/^user\s+w0rm/smi"; reference:arachnids,01; sid:144; classtype:suspicious-login; rev:8;) $HOME_NET $EXTERNAL_NET Our network Every network outside our own network Snort - Some FTP Rules WJ Buchanan. ASFC (29)

30 # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al. # All rights reserved. # $Id: p2p.rules,v /10/20 15:03:11 chrisgreen Exp $ # These signatures look for usage of P2P protocols, which are usually # against corporate policy alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"p2p napster login"; flow:to_server,established; content:" "; offset:1; depth:3; classtype:policy-violation; sid:549; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"p2p napster new user login"; flow:to_server,established; content:" "; offset:1; depth:3; classtype:policy-violation; sid:550; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"p2p napster download attempt"; flow:to_server,established; content:" 00 cb00 "; offset:1; depth:3; classtype:policy-violation; sid:551; rev:5;) alert tcp $EXTERNAL_NET > $HOME_NET any (msg:"p2p napster upload request"; flow:from_server,established; content:" 00 5f02 "; offset:1; depth:3; classtype:policyviolation; sid:552; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET!80 (msg:"p2p GNUTella GET"; flow:to_server,established; content:"get "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"p2p Outbound GNUTella client request"; flow:to_server,established; content:"gnutella CONNECT"; depth:40; classtype:policy-violation; sid:556; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"p2p GNUTella client request"; flow:to_server,established; content:"gnutella OK"; depth:40; classtype:policy-violation; sid:557; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"p2p Fastrack (kazaa/morpheus) GET request"; flow:to_server,established; content:"get "; depth:4; reference:url, reference:url, classtype:policyviolation; sid:1383; rev:4;) Snort - 2P2 Rules - Detecting Kazaa/Napster/GNUTella WJ Buchanan. ASFC (30)

31 # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al. # All rights reserved. # $Id: chat.rules,v /10/20 15:03:05 chrisgreen Exp $ # These signatures look for people using various types of chat programs (for # example: AIM, ICQ, and IRC) which may be against corporate policy alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"chat ICQ access"; flow:to_server,established; content: "User-Agent\:ICQ"; classtype:misc-activity; sid:541; rev:6;) alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"chat ICQ forced user addition"; flow:established,to_client; content:"content-type\: application/x-icq"; content:"[icq User]"; reference:bugtraq,3226; reference:cve,can ; classtype:misc-activity; sid:1832; rev:3;) alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"chat MSN message"; flow:established; content:"msg "; depth:4; content:"content-type\:"; content:"text/plain"; distance:1; classtype:misc-activity; sid:540; rev:8;) alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"chat MSN file transfer request"; flow:established; content:"msg "; depth:4; content:"content-type\:"; nocase; distance:0; content:"text/x-msmsgsinvite"; nocase; distance:0; content:"application-name\:"; content:"file Transfer"; nocase; distance:0; classtype:policy-violation; sid:1986; rev:1;) alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"chat MSN file transfer accept"; flow:established; content:"msg "; depth:4; content:"content-type\:"; content:"text/xmsmsgsinvite"; distance:0; content:"invitation-command\:"; content:"accept"; distance:1; classtype:policy-violation; sid:1988; rev:1;) alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"chat MSN file transfer reject"; flow:established; content:"msg "; depth:4; content:"content-type\:"; content:"text/xmsmsgsinvite"; distance:0; content:"invitation-command\:"; content:"cancel"; distance:0; content:"cancel-code\:"; nocase; content:"reject"; nocase; distance:0; classtype:policyviolation; sid:1989; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"chat MSN user search"; flow:to_server,established; content:"cal "; depth:4; nocase; classtype:policy-violation; sid:1990; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"chat MSN login attempt"; flow:to_server,established; content:"usr "; depth:4; nocase; content:" TWN "; distance:1; nocase; classtype:policy-violation; sid:1991; rev:1;) Snort - Chat Rules WJ Buchanan. ASFC (31)

32 # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al. # All rights reserved. # $Id: multimedia.rules,v /10/20 15:03:10 chrisgreen Exp $ # # MULTIMEDIA RULES # # These signatures look for people using streaming multimedia technologies. # Using streaming media may be a violation of corporate policies. alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"multimedia Quicktime User Agent access"; flow:to_server,established; content:"user-agent\: Quicktime"; classtype:policy-violation; sid:1436; rev:2;) alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"multimedia Windows Media audio download"; flow:from_server,established; content:"content-type\: audio/x-ms-wma"; content:" 0a "; within:2; classtype:policy-violation; sid:1437; rev:3;) alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"multimedia Windows Media Video download"; flow:from_server,established; content:"content-type\: video/x-ms-asf"; content:" 0a "; within:2;classtype:policy-violation; sid:1438; rev:3;) alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"multimedia Shoutcast playlist redirection"; flow:from_server,established; content:"content-type\: audio/x-scpls"; content:" 0a "; within:2; classtype:policy-violation; sid:1439; rev:3;) alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"multimedia Icecast playlist redirection"; flow:from_server,established; content:"content-type\: audio/x-mpegurl"; content:" 0a "; within:2; classtype:policy-violation; sid:1440; rev:3;) alert tcp $HOME_NET any -> /23 any (msg:"multimedia audio galaxy keepalive"; flow:established; content:" 45 5F "; offset:0; depth:5; classtype:misc-activity; sid:1428; rev:3;) Snort - Streaming Rules WJ Buchanan. ASFC (32)

33 # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al. # All rights reserved. Files, such as PIF, VBS and # $Id: virus.rules,v /10/20 15:03:13 chrisgreen Exp $ # HTA can breach the system # VIRUS RULES # alert tcp any any -> any 139 (msg:"virus - Possible QAZ Worm Infection"; flags:a; content: " a e "; reference:mcafee,98775; sid:732; classtype:misc-activity; rev:3;) alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"virus OUTBOUND.pif file attachment"; flow:to_server,established; content:"content-disposition 3a "; content:"filename= 22 "; distance:0; within:30; content:".pif 22 "; distance:0; within:30; nocase; classtype:suspiciousfilename-detect; sid:721; rev:4;) alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"virus OUTBOUND.shs file attachment"; flow:to_server,established; content:"content-disposition 3a "; content:"filename= 22 "; distance:0; within:30; content:".shs 22 "; distance:0; within:30; nocase; classtype:suspiciousfilename-detect; sid:730; rev:4;) alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"virus OUTBOUND.exe file attachment"; flow:to_server,established; content:"content-disposition 3a "; content:"filename= 22 "; distance:0; within:30; content:".exe 22 "; distance:0; within:30; nocase; classtype:suspiciousfilename-detect; sid:2160; rev:1;) alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"virus OUTBOUND.doc file attachment"; flow:to_server,established; content:"content-disposition 3a "; content:"filename= 22 "; distance:0; within:30; content:".doc 22 "; distance:0; within:30; nocase; classtype:suspiciousfilename-detect; sid:2161; rev:1;) alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"virus OUTBOUND.vbs file attachment"; flow:to_server,established; content:"content-disposition 3a "; content:"filename= 22 "; distance:0; within:30; content:".vbs 22 "; distance:0; within:30; nocase; classtype:suspiciousfilename-detect; sid:793; rev:4;) alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"virus OUTBOUND.hta file attachment"; flow:to_server,established; content:"content-disposition 3a "; content:"filename= 22 "; distance:0; within:30; content:".hta 22 "; distance:0; within:30; nocase; classtype:suspiciousfilename-detect; sid:2162; rev:1;) Port 25 is SMTP ( SMTP server outbound) Snort - Some Virus Rules WJ Buchanan. ASFC (33)

34 Open port 10? Open port 11?.. Open port 8888? Typical scans: Ping sweeps. TCP scans. UDP scans. OS identification scans. Account scans. A particular threat is the TCP/UDP port scanner, which scans for open ports on a host. If an intruder finds one, it may try and connect to it. An open port is in the LISTEN state. Port Scanning WJ Buchanan. ASFC (34)

35 Ping ? Ping ?.. Ping ? Ping ? Typical scans: Ping sweeps. TCP scans. UDP scans. OS identification scans. Account scans. A particular threat is the ping port scanner, which pings multiple hosts to see which ones are alive If an intruder finds one, it may try and connect to it. Typically Typically pings pings are are barred barred the the gateway gateway to to the the organisation organisation Ping Scanning WJ Buchanan. ASFC (35)

36 Login anonymous Login fred fred Login user password Login root Login default Typical scans: Ping sweeps. TCP scans. UDP scans. OS identification scans. Account scans. Anonymous logins Using the same password as user ID Using password as password. Using root login Using system default logins Account Scanning WJ Buchanan. ASFC (36)

37 # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al. # All rights reserved. # $Id: scan.rules,v /11/20 20:56:57 cazz Exp $ # # SCAN RULES # # These signatures are representitive of network scanners. These include # port scanning, ip mapping, and various application scanners. # # NOTE: This does NOT include web scanners such as whisker. Those are # in web* # Attempt to connect to 8080 alert tcp $EXTERNAL_NET > $HOME_NET any (msg:"scan myscan"; ttl: >220; ack: 0; flags: S;reference:arachnids,439; classtype:attempted-recon; sid:613; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"scan ident version request"; flow:to_server,established; content: "VERSION 0A "; depth: 16;reference:arachnids,303; classtype:attempted-recon; sid:616; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"scan cybercop os probe"; flags: SF12; dsize: 0; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"scan Squid Proxy attempt"; flags:s,12; classtype:attempted-recon; sid:618; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"scan SOCKS Proxy attempt"; flags:s,12; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"scan Proxy Port 8080 attempt"; flags:s,12; classtype:attempted-recon; sid:620; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"scan FIN"; flags:f,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"scan ipeye SYN scan"; flags:s; seq: ; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"scan NULL"; flags:0; seq:0; ack:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"scan SYN FIN";flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:2;) Snort - Some Scan Rules WJ Buchanan. ASFC (37)

38 File bill.rules: alert tcp any any -> any any (content:"the"; msg:"the found...";) Snort -v -c bill.rules -l /log Alert.ids (in \log) [**] [1:0:0] The found... [**] [Priority: 0] 01/16-22:27: :60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x :445 -> :3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF ***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20 [**] [1:0:0] The found... [**] [Priority: 0] 01/16-22:27: :3:6D:FF:2A:51 -> 0:60:B3:68:B1:10 type:0x800 len:0x :3554 -> :445 TCP TTL:128 TOS:0x0 ID:1086 IpLen:20 DgmLen:394 DF ***AP*** Seq: 0x3524EE7B Ack: 0xF842AB06 Win: 0x42E4 TcpLen: 20 [**] [1:0:0] The found... [**] [Priority: 0] 01/16-22:27: :60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x5d :445 -> :3554 TCP TTL:128 TOS:0x0 ID:775 IpLen:20 DgmLen:79 DF ***AP*** Seq: 0xF842AB06 Ack: 0x3524EFDD Win: 0x41BF TcpLen: 20 Running Snort WJ Buchanan. ASFC (38)

39 16 January 10:27pm [**] [1:0:0] The found... [**] [Priority: 0] 01/16-22:27: :60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x :445 -> :3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF ***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20 Analysing Snort s Alert.ids file (Data frame) WJ Buchanan. ASFC (39)

40 0 0 Version Version D D IP Header Header Header length length Total length Type Type of of service service Total length Identification Identification M Fragment Fragment Offset Offset Time-to-Live Time-to-Live Protocol Protocol Header Header Checksum Checksum Source Source IP IP Address Address Destination Destination IP IP Address Address TCP Header Data offset Data offset Src MAC Des MAC Type Len IP TCP Source Source port port Destination Destination port port Sequence number Sequence number Acknowledgement number Acknowledgement number Reserved/Flags Reserved/Flags Window Window Checksum Checksum UrgentPtr UrgentPtr [**] [1:0:0] The found... [**] [Priority: 0] 01/16-22:27: :60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x :445 -> :3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF ***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20 Remember IP addresses can be spoofed the MAC addresses can t (well it s difficult). Analysing Snort s Alert.ids file (Data frame) Ethernet Data frame WJ Buchanan. ASFC (40)

41 0 0 Version Version D D IP Header Header Header length length Total length Type Type of of service service Total length Identification Identification M Fragment Fragment Offset Offset Time-to-Live Time-to-Live Protocol Protocol Header Header Checksum Checksum Source Source IP IP Address Address Destination Destination IP IP Address Address TCP Header Data offset Data offset Source Source port port Destination Destination port port Sequence number Sequence number Acknowledgement number Acknowledgement number Reserved/Flags Reserved/Flags Window Window Checksum Checksum UrgentPtr UrgentPtr [**] [1:0:0] The found... [**] [Priority: 0] 01/16-22:27: :60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x :445 -> :3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF ***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20 Analysing Snort s Alert.ids file (IP) WJ Buchanan. ASFC (41)

42 0 0 Version Version D D IP Header Header Header length length Total length Type Type of of service service Total length Identification Identification M Fragment Fragment Offset Offset Time-to-Live Time-to-Live Protocol Protocol Header Header Checksum Checksum Source Source IP IP Address Address Destination Destination IP IP Address Address TCP Header Data offset Data offset Source Source port port Destination Destination port port Sequence number Sequence number Acknowledgement number Acknowledgement number Reserved/Flags Reserved/Flags Window Window Checksum Checksum UrgentPtr UrgentPtr [**] [1:0:0] The found... [**] [Priority: 0] 01/16-22:27: :60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x :445 -> :3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF ***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20 Analysing Snort s Alert.ids file (TCP) WJ Buchanan. ASFC (42)

43 + log TCP_ ids TCP_ ids TCP_ ids TCP_ ids TCP_ ids TCP_ ids 01/16-22:11: :3423 -> :445 TCP TTL:128 TOS:0x0 ID:975 IpLen:20 DgmLen:48 DF ******S* Seq: 0x26885B8B Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 01/16-22:11: :445 -> :3423 TCP TTL:128 TOS:0x0 ID:653 IpLen:20 DgmLen:48 DF ***A**S* Seq: 0xE9A4004C Ack: 0x26885B8C Win: 0x4470 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 01/16-22:11: :3423 -> :445 TCP TTL:128 TOS:0x0 ID:977 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x26885B8C Ack: 0xE9A4004D Win: 0x4470 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ Analysing Snort s Log Log of traffic between port 3423 and 455 to/from WJ Buchanan. ASFC (43)

44 TCP Header Source Source port port Destination port Destination port Sequence number Sequence number Acknowledgement number Acknowledgement number Data Data offset offset Window Window Checksum Checksum UrgentPtr UrgentPtr UAPRSF UAPRSF Flags the flag field is defined as UAPRSF, U is the urgent flag (URG). A the acknowledgement flag (ACK). P the push function (PSH). R the reset flag (RST). S the sequence synchronize flag (SYN). F the end-of-transmission flag (FIN). Analysis TCP Flags WJ Buchanan. ASFC (44)

45 Originator Recipient 1. CLOSED LISTEN 2. SYN-SENT -> <SEQ=999><CTL=SYN> SYN-RECEIVED 3. ESTABLISHED <SEQ=100><ACK=1000><CTL=SYN,ACK> <- SYN-RECEIVED 4. ESTABLISHED -> <SEQ=1000><ACK=101> <CTL=ACK> ESTABLISHED 5. ESTABLISHED -> <SEQ=1000><ACK=101> <CTL=ACK><DATA> ESTABLISHED Flags the flag field is defined as UAPRSF, U is the urgent flag (URG). A the acknowledgement flag (ACK). P the push function (PSH). R the reset flag (RST). S the sequence synchronize flag (SYN). F the end-of-transmission flag (FIN). The SYN flag identifies a connection Analysis TCP Flags WJ Buchanan. ASFC (45)

46 An incoming SYN flag is important in detecting the start of a connection. The main flags are: F FIN S SYN R RST P PSH A ACK U URG The following modifiers can be set to change the match criteria: + match on the specified bits, plus any others * match if any of the specified bits are set! match if the specified bits are not set Example to test for SYN flag: alert tcp any any -> any any (flags:s;) Connection? WWW server Testing Flags in Snort WJ Buchanan. ASFC (46)

47 It is often important to know the flow direction. The main flow rules options are: to_client. Used for server responses to client. to_server Used for client requests to server. from_client. Used on client responses. from_server. Used on server responses. established. Established TCP connections. Example to test for an FTP connection to the users computer: alert tcp any any -> $HOME_NET 21 (flow: from_client; content: "CWD incoming"; nocase; Connection? WWW server Testing Flow in Snort WJ Buchanan. ASFC (47)

48 0 0 Version Version D D IP Header Header Header length length Total length Type Type of of service service Total length Identification Identification M Fragment Fragment Offset Offset Time-to-Live Time-to-Live Protocol Protocol Header Header Checksum Checksum Source Source IP IP Address Address Destination Destination IP IP Address Address Data offset Data offset Source Source port port Destination Destination port port Sequence number Sequence number Acknowledgement number Acknowledgement number Window Window Checksum Checksum UrgentPtr UrgentPtr 01/16-22:11: :3423 -> :445 TCP TTL:128 TOS:0x0 ID:975 IpLen:20 DgmLen:48 DF ******S* Seq: 0x26885B8B Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 01/16-22:11: :445 -> :3423 TCP TTL:128 TOS:0x0 ID:653 IpLen:20 DgmLen:48 DF ***A**S* Seq: 0xE9A4004C Ack: 0x26885B8C Win: 0x4470 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 01/16-22:11: :3423 -> :445 TCP TTL:128 TOS:0x0 ID:977 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x26885B8C Ack: 0xE9A4004D Win: 0x4470 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ Analysing Snort s Log TCP Header UAPRSF UAPRSF WJ Buchanan. ASFC (48)

49 Switch Devices can only communicate directly if they have they have the MAC address and IP address. ARP request: Who has ? ARP request is broadcast to the network 01/16-09:31: ARP who-has tell /16-09:45: ARP who-has tell /16-09:45: ARP reply is-at 0:20:18:38:B8:63 01/16-09:46: ARP who-has tell /16-09:46: ARP who-has tell /16-09:46: ARP who-has tell ARP reply is sent to the network, on which every node on the segment updates its ARP table Analysing Snort s ARP log WJ Buchanan. ASFC (49)

50 So what does Snort tell us? Logs date/time of alerts and data packets. Generates alerts (alert.ids) Logs every data packet and every connection. Logs ARP requests and responses. Logs MAC addresses with IP addresses. But how to we generate evidence for breaches? this will be covered in Unit 6 (Forensic Computing) For For 99.99% 99.99% of of the the time, time, the the monitoring monitoring of of data data packets packets may may not not be be important important but but every every so so often often there s there s a breach, breach, and and the the evidence evidence must must be be picked picked through through So how can Snort help us? WJ Buchanan. ASFC (50)

51 User User profile profile Typing Typing speed: speed: 20wpm 20wpm Applications Applications run: run: Word, Word, Excel Excel Typical Typical commands commands run: run: dir, dir, cd cd Files Files accessed: accessed: doc, doc, xls xls Working Working times: times: etc etc 1. Profile downloaded to agent on host 2. Agent then checks current usage against user profile. If they differ greatly contact Administrator on a possible intrusion. 3. Profile updated when user completes their work and finally the ultimate IDS User profiling WJ Buchanan. ASFC (51)

52 This device has all the required weaknesses, such as: Default administrator/password. Dummy users with weak passwords. Ports open for connection. React to virus/worm systems (but simulate conditions). Sometimes it is possible to create a honey-pot or lures, which attracts an intruder so that they can be caught before they do any damage. and finally (again) the honeypot WJ Buchanan. ASFC (52)