Intrusion Detection - The Big Picture - SANS GIAC © 2000

Slide 1: Intrusion Detection – The Big Picture – Part III
Stephen Northcutt
S. Northcutt – v1.0 – Jul 2000
Edited by J. Kolde – v1.1 – Aug 2000

Slide 2: Network-Based Intrusion Detection
• Host-Based Intrusion Detection
  – Unix
  – Windows NT, 95, 98
• Network-Based Intrusion Detection
  – Libpcap-based tools, Snort, Shadow
  – ISS RealSecure
  – Cisco NetRanger

OK, after that in-depth look at host-based intrusion detection, we turn our focus to network-based intrusion detection tools.

Slide 3: Network-Based ID

Slide 4: Need for Network-Based ID
• Most attacks come from the Internet
• Detecting these attacks allows a site to tune defenses

The statistic that 90% of all attacks are perpetrated by insiders is dead wrong. While insider attacks may cause more damage (because the attacker knows the system assets and what to target), insiders are also usually addressed by traditional security and audit. An insider has a much greater chance of being caught, since you know where they live. So while damaging, insider attacks are infrequent (because of the high risks of detection and arrest or dismissal); by contrast, it is extremely difficult to track and prosecute attackers arriving over the Internet, and because of the perception of low risk, attacks are a daily or hourly occurrence. Expect to see more insiders using their insider knowledge to lower their risks by attacking over the Internet.

(Editor’s note: The statement “the statistic that 90% of all attacks are perpetrated by insiders is dead wrong” may be confusing in light of the opposite statistic (i.e., that the majority of attacks come from insiders) being widely quoted, including elsewhere in SANS course material. The author offers this clarification: “The greatest threat in terms of financial loss is insiders.
Period, no questions. The greatest number of threats is via internet attacks. A huge percent of these fall to firewalls; even the successful ones, while numerous, do not cause as much harm as an insider that knows exactly where the crown jewels are.” – S. Northcutt – JEK)

Slide 5: Firewalls are Most Common Sensor

    Dec 19 17:18:52 1999 f_kern_tcp a_nil_area t_netprobe p_major srcip: 172.20.20.1 dstip: 192.168.1.88 protocolname: tcp srcburb: 1 srcport: 4645 dstport: 53

Key to Understanding: This Sidewinder log entry is reporting a TCP probe targeted at host 192.168.1.88, destination port 53. This could be a zone transfer or a buffer overflow attempt.

Bar none, most network intrusions that are identified are found by firewalls. There are limitations to what can be done with these logs, and even the risk of making an error of interpretation, since the log does not provide information like the TCP flags or code bits. That said, these are a great data source, and every intrusion analyst should be familiar with their site’s firewall logs.

Slide 6: Libpcap-Based Systems
(Diagram: firewall and sensor feeding an Analysis/Display Station: Collect Data → Analyze Data → Display Information)
• Most network-based intrusion detection systems, Unix or Windows, are libpcap based

The first network-based intrusion detection systems we look at are libpcap based. These include Shadow, Snort, NetRanger and NFR. Libpcap is designed to get the data from kernel space and pass it to the application. There are implementations for Windows and Unix; it is reliable and has the big advantage of being free. A sensor is distinguished by how much on-board policy information it has. The Shadow sensor is designed to be stupid. It lives outside the firewall; if it should fall, no information about the site will be lost. This is one of the characteristics that sets Shadow apart from most intrusion detection systems.
Most IDS have a lot of information about how sites are configured, how firewalls are set up, hosts that you are watching out for, and attacks that you are particularly concerned about. Should a Shadow sensor fall, all the attacker gets are the logs. You can still run Snort on the inside; simply feed it the TCPdump Shadow files. We’d like to see more vendors take measures to make their sensors attack-resistant, or stealthy, and make them less valuable targets. The sensor is the attacker’s first target.

Slide 7: Snort Design Goals
• Low cost, lightweight
• Suitable for monitoring multiple sites/sensors
• Low false alarm rate
• Efficient detect system
• Low effort for reporting

Snort was designed to supplement and be run in parallel with other sensors such as Linux firewalls. It has rules for packet content decodes as well as packet headers. This means it can detect data-driven attacks like buffer overflows and attacks on vulnerable URLs and scripts (like RDS and phf). So if you use Shadow and Snort, you have a good pattern matcher. It is free, scalable and very good at detecting stealthy recon efforts and probes. (And its focus on the early warning to be gained from spotting the recon phase is very valuable, since the actual attack can happen in seconds and be all over by the time you notice it started.) It is also a good system to learn and experiment with, since it is easy to modify, being all modular open source with lots of community-developed enhancements.
Slide 8: Snort

    [**] RPC Info Query [**]
    06/29-00:15:29.137285 211.72.115.100:623 -> z.y.w.98:111
    TCP TTL:46 TOS:0x0 ID:29416 DF
    *****PA* Seq: 0x1EDB7784 Ack: 0xD4A024FE Win: 0x7D78
    TCP Options => NOP NOP TS: 86724706 118751139
    80 00 00 28 08 70 BB FF 00 00 00 00 00 00 00 02  (.p
    00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00

The Snort detects are displayed in log files like this, separated by blank lines. For this primer we will primarily focus on the various detects. An advantage of Snort is that this trace is easy to cut and paste into an email to send to your CIRT. This is better than several commercial tools that, while they show an easy-to-understand colorful icon, make it hard to get to the raw data to verify or report the detect. This is the more detailed log file; notice that the rule that found the detect is displayed at the top, followed by summary information about the packet. The trace then shows the content of the detect. RPC attacks like this are part of the Top Ten list (www.sans.org/topten.htm). Notice all the zeros? RPC packets are padded to 32-bit words, often to carry a field that holds only a single small integer, so the zeros are an indication of RPC.

Slide 9: Why TCPdump
• Libpcap
• Always available
• Compiles on many Unix platforms
• Runs on Windows 9x and NT
• High fidelity
• Same program for data collection and first-order analysis

Libpcap is the de facto standard for Unix-based intrusion detection systems. It is a software interface for acquiring the collected information from the interface card and providing it to the IDS application. Shadow uses TCPdump as its underlying packet capture mechanism, as does Snort, another popular free open source network IDS (currently the favorite on GIAC). Snort includes packet decodes and pattern matching.
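As an added example (not part of the SANS slides or of Snort's own code), the Python below parses the slide-8 Snort record, turns the hex dump back into bytes, and decodes the ONC RPC call header, which is what makes the zero padding readable: the call targets program 100000 (portmapper), procedure 4 (DUMP), the request behind an "rpcinfo"-style query. The record is re-typed inline as constructed input, and the decoder assumes AUTH_NULL credentials as in this packet.

```python
import re
import struct

# Constructed input: the slide-8 Snort detect, re-typed here as sample data.
SAMPLE_ALERT = """\
[**] RPC Info Query [**]
06/29-00:15:29.137285 211.72.115.100:623 -> z.y.w.98:111
TCP TTL:46 TOS:0x0 ID:29416 DF
*****PA* Seq: 0x1EDB7784 Ack: 0xD4A024FE Win: 0x7D78
TCP Options => NOP NOP TS: 86724706 118751139
80 00 00 28 08 70 BB FF 00 00 00 00 00 00 00 02  (.p
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
"""
ADDR_RE = re.compile(r"^(\d\d/\d\d-[\d:.]+) (\S+):(\d+) -> (\S+):(\d+)", re.M)
IP_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(\S+) ID:(\d+)", re.M)
HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")
PORTMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}

def parse_alert(text):
    """Split one Snort full-alert record into rule name, header fields and payload bytes."""
    lines = text.strip().splitlines()
    rule = lines[0].strip("[*] ")
    addr, ip = ADDR_RE.search(text), IP_RE.search(text)
    payload = bytearray()
    for line in lines:
        toks = line.split()
        if toks and HEX_PAIR.match(toks[0]):  # a hex-dump line
            for tok in toks:
                if not HEX_PAIR.match(tok):
                    break  # reached the ASCII column on the right
                payload.append(int(tok, 16))
    return {"rule": rule, "time": addr.group(1), "src": addr.group(2),
            "sport": int(addr.group(3)), "dst": addr.group(4), "dport": int(addr.group(5)),
            "proto": ip.group(1), "ttl": int(ip.group(2)), "payload": bytes(payload)}

def decode_rpc_call(payload):
    """Decode an ONC RPC v2 CALL as carried over TCP: 4-byte record marker, then the call header.
    Assumes AUTH_NULL credentials (flavor 0, length 0), as in the sample packet."""
    if len(payload) < 36:
        raise ValueError("too short for an RPC call header")
    marker, xid, msg_type, rpc_vers, prog, vers, proc = struct.unpack(">7I", payload[:28])
    if msg_type != 0 or rpc_vers != 2:
        raise ValueError("not an RPC v2 CALL message")
    cred_flavor, cred_len = struct.unpack(">2I", payload[28:36])
    return {"last_fragment": bool(marker >> 31), "fragment_len": marker & 0x7FFFFFFF,
            "xid": xid, "program": prog, "version": vers, "procedure": proc,
            "auth_null": cred_flavor == 0 and cred_len == 0,
            "portmap_proc": PORTMAP_PROCS.get(proc) if prog == 100000 else None}
```

The trailing zeros the slide points at are the AUTH_NULL credential and verifier fields (each a flavor and a length of 0), which is why a portmapper dump request carries so little non-zero data.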
Slide 10: IMAP Filter

    tcp and dst port 143

Here’s an example of a simple filter to detect IMAP probes, or at least all TCP traffic to port 143.

    # tcpdump tcp and dst port 143

The command above would run tcpdump, printing to the screen only TCP packets with destination port 143 (IMAP).

    # tcpdump -i eth0 tcp and dst port 143

Tells Red Hat Linux 5.0 to use the eth0 interface to log from.

    $ tcpdump -r tcplogfile tcp and dst port 143

Would check a file created by tcpdump for access to port 143.

[...]...

Slide 26: Host- and Network-Based Intrusion Detection
• Network-based IDS and host-based intrusion detection on core hosts (DNS, mail, web, high-value servers) is an excellent combination

We strongly recommend combining the two types of intrusion detection, as their strengths are complementary. For example, the network intrusion detection systems’ bandwidth... host-based intrusion detection software that reports to the analyst console as well. So we see the need for both capabilities, host- and network-based intrusion detection, for even smaller organizations. As the size and value of the organization increases, the importance of additional countermeasures increases as well.

Slide 27: Host and Network Based Intrusion Detection
• Host-Based Intrusion Detection
  – Unix
  – Windows... organization

The sensor outside the firewall is positioned to detect attacks that originate from the Internet. DNS, email and web servers are the target for about a third of all attacks directed against a site. These systems have to be able to interact with Internet systems and can only be partially screened. Since their overall risk is high, they should...
attacks are directed at these systems
• If you lose control of DNS, they own you
• Worth the time to give connection attempts to these systems an extra look

The “goodhost” filters in the documentation and software distribution give examples of web servers, DNS servers and mail relays. If you build a good filter profile for another type of commonly... as an exercise to the Information Warrior to create a powerful scenario from this “architecture”.

Slide 22: Deception Can Drive the Picture
(Diagram: sensors (S) reporting to CIRTs, which in turn report to a Meta CIRT)

The point of this page is that one Linux system with a decoy generator (such as nmap 2.08) and a knowledge of which sensors... time the characters “wiz” are seen in the body of the message
– CERN HTTP buffer overflow: lights off every time a URL is > X characters

Other detects like SYN flood also have very high false positive rates, since they can be triggered by as few as 3-5 connection attempts in a second, a common occurrence with over-eager mail servers and other... affect the speed of the network or add load to the systems it monitors.

Network intrusion detection systems give good ‘bang per buck’, as one sensor can monitor all traffic to and from the Internet, covering a large number of possible threats with a single sensor. It places negligible additional load on the network, no load at all if in a stealth... them, see L0pht’s Anti-Sniff.)
Slide 24: Network-Based Intrusion Detection - Cons
• Sensors have limited speed
• Almost impossible to detect attacks not in rule set
• Very susceptible to “low and slow” attacks

The increase in bandwidth from 10 to 100 Mbps and beyond is a major challenge for network intrusion detection systems, although few organisations’... events. The problem is, to avoid the false positives the threshold needs to be set so high as to miss real attacks.

Normally a user will select a pre-made policy and edit it to customize for their situation. Once you have selected a pre-made policy, you can customise it somewhat by selecting which events to ignore (usually because of their high... timestamp, the attack, and the source address) as their primary information source, not raw data. Many IDSes create realistic false positives (and the analyst does not have access to raw data to validate) which, if fed up to the CIRTs, could give them a false picture of what is happening. I leave it as an exercise to the Information Warrior to create a powerful scenario from this “architecture”.