Intrusion Detection - The Big Picture – SANS GIAC ©2000
Intrusion Detection: The Big Picture – Part IV
Stephen Northcutt
S. Northcutt – v1.0 – Jul 2000
Edited by J. Kolde – v1.1 – Aug 2000

Intrusion Detection Roadmap
What are the pieces and how they play together
• Honeypots
• Firewalls
  – Proxy, State Aware, Filtering Routers
• Risk Assessment and Auditing
  – Introduction to Risk Management
  – Knowledge-Based Risk Assessment
  – Online Auditing Tools

As we begin our next section, we are going to cover a really interesting technology, and the timing could hardly be better. I am poring over 30 MB of logs from Lance Spitzner's honeypot system. We have logs of hackers bragging about their conquests and trading stolen credit card numbers, passwords, and IDs for compromised systems; the list continues. If you want more details on the approach Lance uses, try: http://www.enteract.com/~lspitz/honeypot.html

A honeypot can be a tool and process used to capture the tools, plans, and techniques of attackers, or it can be as simple as a decoy used to deflect attackers from a compromised system or a system under fire. A third good use of a honeypot is as a sensor: if you have an old, slow system lying around, it can serve a productive life as a honeypot. In fact, that may be ideal! There is one important rule of a honeypot: engineer it so that it collects information but cannot be used to attack anyone else. An old 75 MHz Pentium limits the harm that could be caused if the sandbox is breached, but slow hardware is only a partial control; the honeypot's outbound traffic must also be restricted at the network so that a breached pot cannot become a launch point.

Honeypots
• What are they?
• Example honeypots: Lance, TIS Toolkit, DTK
• Why you might choose to run them
• Why you want others to run them

Thanks to Tim Aldrich and Lance Spitzner for their research into honeypots! There are a number of technologies that can be used for a honeypot, and everyone has a strong opinion about their approach.
Obviously the more sophisticated attackers are only going to be fooled by an operating system that exactly mirrors what they expect, and this includes the moment they "compromise" it: the system must fail correctly. The only honeypot that works at that level of fidelity is an operating system itself; this is the approach Lance uses. It is a very advanced and dangerous technique, since the system can easily be used to attack others. To make his system work, he relies on multiple layers of monitoring and has modified the syslog facility to log a great deal, but not in a way attackers will notice. He has also modified the operating system shell to log commands to the syslog facility, and then monitors everything with a Snort IDS. Still, when he published his work, the attackers figured out they had been had and laid waste to the system. This is evidence that a few more safety measures would be a good thing!

Honeypots
• What are they?
  – A trap: they run real services on a sacrificial computer, or simulated, instrumented services (or fake a core dump)
  – TIS Toolkit smap example

So, are there safer alternatives? Network Associates sells a commercial honeypot (CyberSting) that stands up to a fair amount of scrutiny. We will talk about DTK in some depth. I have had good success with the free firewall code written by Marcus Ranum, which has gone by various names but was classically known as the TIS toolkit. How would a proxy firewall work as a honeypot? To use an attack against sendmail as an example, the toolkit had a sendmail replacement called "smap". Smap would take any message sent to it and write it into a directory on the system. A separate program would then take the file and deliver it. This meant that I could simply put this mail system up and examine the files for malicious ones. Since there were no real users, most of the mail was either SPAM (a product of Hormel Foods) or malicious code.
I would check it once a month or so and see what the pot had caught. The beauty of this approach is that it meets the important rule of honeypots: smap is a small, easily understood program that is far less likely to suffer a buffer overflow than the full mail daemon it stands in for.

What are they?
• A decoy: if a machine becomes "hot", change its IP address and name and put a honeypot in its place
• DNS, mail, and web servers make great honeypots on their unused ports

Attackers will not succeed in cracking it to attack other systems. Of course, smap is not sendmail, and just changing the banner from "smap" to "sendmail" will not fool the wise attacker. The higher the fidelity of the honeypot, the greater the risk. Where do you put a honeypot, and how do you make it effective? To be sure, every IP address gets attacked; ask any cable modem user. However, there are things you can do to optimize performance. Perhaps the most effective honeypots are machines that have become "hot". In such a case, it is a good idea to move that machine to a new name and IP address (think "witness protection program") and deploy a honeypot on the address that system vacated. The non-service ports of domain servers, mail servers, and web servers make a great place to put honeypot code.

Deception Tool Kit (DTK)
• What is it?
• A Perl script that executes state machine scripts on specified ports, plus C binaries for telnetd and web
  – Includes state machine scripts for ports: 0, systat (11), qotd (17), chargen (19), ftp (21), telnet (23), smtp (25), time (37), domain (53), 65, 66, tftp (69), finger (79), http (80), pop-3 (110), 365, 507, 508, exec (512), login (513), shell (514), 893, nfs (2049), 5999, 6001, 8000, 10000, 12000, 12345, 12346, 14000, 28000, 31337

The Deception Tool Kit (DTK) was created by Fred Cohen, one of the most brilliant and well-loved individuals on the Internet (one out of two ain't bad), and was available for free with a funky license at www.all.net/dtk/. There are DTK groupies who can make this code sing, but we want to learn from the architecture of this tool to understand the processes a honeypot needs to go through. On the next slide we see that DTK makes use of port 365. If you query a DTK on port 365, it will tell you it is a DTK. If a substantial number of people ran honeypots such as DTK, and a substantial number of people who DIDN'T ran the port 365 service, it would increase the price of hacking: the attacker could no longer tell a real target from a trap. I am sorry to report that after extensive study of thousands upon thousands of network traces, I have not seen this in action. In the notes pages of the next slide, take a minute to look over the logs. This is nice high-fidelity information about what the attackers are attempting.

DTK
• What can it do? (cont.)
  – Port 365
    • Reports that DTK is running on this machine. Can be run on machines without DTK on other ports.
    • May confuse the hackers in the short term.
    • Can also be used to access /dtk/log with a password.
  – Can time-tag and log every typed command.
  – Can email notification of a break-in.
• Example detect in notes pages, June 1999.
Also, from the latest DTK logs:

'198.143.200.52', '13392', '10752', '1999/06/24 17:37:35', '18023', '275', '1', 'listen.pl', 'S0', 'R-Peace', 'Init'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', 'trap '' SIGALRM SIGTRAP'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', 'PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin;export PATH'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', '/usr/sbin/rpc.mountd </dev/null'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', '/bin/uname -a;/usr/bin/id;echo 'moof::0:0::/:/bin/bash' >>/etc/passwd;rm -rf /etc/securetty;exit;'

Every line carries the source address and port, the decoy port, a timestamp, the listening script and its state, and finally what the attacker sent. Read the last field top to bottom and you have the attacker's script: a signal trap, a PATH, a call to rpc.mountd, and then a canned root-access recipe that appends a passwordless UID 0 account named "moof" to /etc/passwd and deletes /etc/securetty so that root may log in from any terminal. All of it arrived within a second, which tells you it was automated.

DTK
• Sample state machine script:

  # State  Input  NexStat  Exit  lf/file  output/filename
  # initial prompt
  0  START  1  1  2  @23.login
  # 2 user IDs
  1  guest  2  1  4  Password:
  1  root   2  1  4  Password:
  # 2 passwords
  2  toor   3  1  0  $
  2  tseug  3  1  0  $
  # some commands
  3  ls     3  1  2  @23.ls
  3  df     3  1  2  @23.df
  3  pwd    3  1  2  @23.pwd
  # Exceptions
  0  NIL    0  1  0  borge login:
  0  ERROR  0  1  0  borge login:
  1  NIL    1  1  0  borge login:
  1  ERROR  1  1  0  borge login:
  2  NIL    1  1  0  borge login:
  2  ERROR  1  1  0  borge login:
  3  NIL    1  0  0  coredumped
  3  ERROR  1  0  0  coredumped

What is a state machine? If the input received in the current state matches a rule, you transition to the state that rule names. Please take a minute to read the slide. State 0 is entered when someone makes contact with the system on TCP port 23, telnet, with an active open (the SYN flag set). The START rule answers with the login banner and moves to State 1. In State 1 the machine waits for a user name; if the answer is either guest or root, it offers "Password:" and moves to State 2. In State 2, if the password matches the list (root or guest spelled backwards), the system "logs them in", gives a "$" prompt, and moves to State 3. In State 3 we are looking for one of the operating system commands on the list: ls, df, pwd; each returns a canned output file and leaves the machine in State 3. Anything else typed at the prompt produces "coredumped", and the Exit column of 0 on that rule ends the session, which is the fake core dump mentioned earlier. Empty input (NIL) or an unrecognized word (ERROR) in the earlier states simply reissues the login prompt.
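To make the table above concrete, here is an added example (not DTK's own code, which is Perl) of a table-driven deception service in Python that interprets the slide's six-column script. The column semantics are an assumption from reading the table: NexStat is the state to enter after answering, Exit 1 keeps the connection open and Exit 0 ends it, and an output beginning with "@" names a canned response file. The contents of those files and the helper names (parse_table, DeceptionSession, run_script) are constructed for this illustration.

```python
"""Table-driven deception service in the style of DTK's state machine scripts.

Added illustration, not DTK code. Column semantics below are an assumption
from the slide's table, not DTK's documented behaviour:
  NexStat : state to move to after responding
  Exit    : 1 = keep the connection open, 0 = close it after responding
  lf/file : flag word; only "output starts with @" is honoured here, meaning
            "send the contents of a canned file" (the @23.login convention)
"""
from dataclasses import dataclass

# The telnet (port 23) script from the slide: State Input NexStat Exit lf/file output
DTK_TELNET_TABLE = """
0 START 1 1 2 @23.login
1 guest 2 1 4 Password:
1 root 2 1 4 Password:
2 toor 3 1 0 $
2 tseug 3 1 0 $
3 ls 3 1 2 @23.ls
3 df 3 1 2 @23.df
3 pwd 3 1 2 @23.pwd
0 NIL 0 1 0 borge login:
0 ERROR 0 1 0 borge login:
1 NIL 1 1 0 borge login:
1 ERROR 1 1 0 borge login:
2 NIL 1 1 0 borge login:
2 ERROR 1 1 0 borge login:
3 NIL 1 0 0 coredumped
3 ERROR 1 0 0 coredumped
"""

# Constructed stand-ins for DTK's canned response files.
CANNED_FILES = {
    "@23.login": "borge login:",
    "@23.ls": "bin  etc  home  lib  usr  var",
    "@23.df": "Filesystem  1k-blocks  Used  Available  Use%  Mounted on\n"
              "/dev/hda1  2016016  1532812  380796  80%  /",
    "@23.pwd": "/",
}


@dataclass
class Rule:
    next_state: int
    keep_open: bool
    output: str


def parse_table(text):
    """Parse the six-column script into {(state, input): Rule}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        state, inp, nxt, exit_flag, _lf, *rest = line.split()
        output = " ".join(rest)
        if output.startswith("@"):
            output = CANNED_FILES[output]
        rules[(int(state), inp)] = Rule(int(nxt), exit_flag == "1", output)
    return rules


class DeceptionSession:
    """One client connection walking the state table; records every input."""

    def __init__(self, rules):
        self.rules = rules
        self.state = 0
        self.open = True
        self.log = []           # (state, raw input) pairs, what DTK logs per line
        self.transcript = []    # what the attacker saw

    def _apply(self, key_input, raw):
        rule = self.rules.get((self.state, key_input))
        if rule is None:                                # unexpected input
            rule = self.rules[(self.state, "ERROR")]
        self.log.append((self.state, raw))
        self.transcript.append(rule.output)
        self.state = rule.next_state
        self.open = rule.keep_open
        return rule.output

    def connect(self):
        """The SYN arrives: fire the START input in state 0."""
        return self._apply("START", "Init")

    def send(self, line):
        if not self.open:
            raise ConnectionError("connection already closed")
        token = line.strip()
        return self._apply(token if token else "NIL", line)


def run_script(rules, lines):
    """Feed an attacker's lines to a fresh session; stop when the table closes it.

    Returns (transcript, final_state, still_open)."""
    session = DeceptionSession(rules)
    session.connect()
    for line in lines:
        if not session.open:
            break
        session.send(line)
    return session.transcript, session.state, session.open
```

Feeding the session root, toor, ls produces the login banner, the password prompt, a "$" prompt, and a canned directory listing; the first unrecognised command at the prompt answers "coredumped" and ends the session, while a wrong password silently returns the attacker to the login prompt. Every input is retained in the session's log keyed by state, which is the raw material the next slide's log lines are made of.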
As you can see, an attacker will quickly discover this is not a real system. However, it is fine for collecting information about script-based attacks.

DTK
• Sample log output:

256.160.234.245 13067 110 1998/07/12 12:03:03 27017 176:1 listen.pl S0 Init
256.160.234.245 13067 110 1998/07/12 12:03:03 27017 176:1 listen.pl S0 NoInput
128.38.330.25 1063 110 1998/07/13 11:00:36 31394 176:2 listen.pl S0 Init
128.38.330.25 1063 110 1998/07/13 11:00:40 31394 176:2 listen.pl S0 PASS^M
128.38.330.25 1063 110 1998/07/13 11:00:46 31394 176:2 listen.pl S0 USER taldric^M
128.38.330.25 1063 110 1998/07/13 11:00:53 31394 176:2 listen.pl S0 PASS taldric^M
128.38.330.25 1063 110 1998/07/13 11:01:02 31394 176:2 listen.pl S0 USER taldric^M
128.38.330.25 1063 110 1998/07/13 11:01:09 31394 176:2 listen.pl S0 PASS toor^M
128.38.330.25 1063 110 1998/07/13 11:01:11 31394 176:2 listen.pl S0 ^M
128.38.330.25 1063 110 1998/07/13 11:01:13 31394 176:2 listen.pl S0 ^M
128.38.330.25 1063 110 1998/07/13 11:01:15 31394 176:2 listen.pl S0 QUIT^M
128.38.330.25 1063 110 1998/07/13 11:01:15 31394 176:2 listen.pl S0 WeClose

This slide shows the result of running DTK. It serves as a sensor, and that has a lot of value. In the trace above the remote host speaks POP3 to the decoy on port 110, trying USER taldric with two different passwords; no real user has business with a port that offers no service, so every credential seen here is suspect. If someone has sniffed a password or obtained it by other means, the honeypot lets you see that it is in use. Most organizations have no or minimal logging internally, so this is one way you can know something is wrong.

DTK
• Recommendation:
  – A good tool available for honeypot use today.
  – Can use inetd to start DTK, but listen.pl provides better logging.
• Problems:
  – Relies on non-portable assumptions.
  – Yet another log file to check.
  – Yet another log file format.

The bottom line on DTK is that it is in use and organizations are getting good results from it.
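As an added example (not part of DTK or of this course), the following Python reads listen.pl records in both layouts shown on these slides, the 1998 whitespace-separated form above and the 1999 quoted form on the earlier notes page, and turns them into detects: a PASS whose value matches a watch list of real credentials, repeated password attempts from one source, and post-exploitation commands in a captured shell such as appending a UID 0 account to /etc/passwd. The sample lines are copied from the slides; the WATCHLIST, the finding names, the threshold and the function names are assumptions of this illustration, and the fields between the timestamp and the state (process id and counters) are carried but not interpreted.

```python
"""Turn DTK listen.pl log records into detects (added example; not DTK code).

Handles the two record layouts shown on the slides:
  1998: src sport dport date time pid ctr:sub script state input
  1999: 'src', 'sport', 'dport', 'date time', 'pid', 'ctr', 'sub', 'script',
        'state', 'tag', 'input'
The pid/counter/tag fields are assumed to be bookkeeping and are not used.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Records copied from the slides (1998 layout: POP3 decoy on port 110).
LOG_1998 = """\
128.38.330.25 1063 110 1998/07/13 11:00:36 31394 176:2 listen.pl S0 Init
128.38.330.25 1063 110 1998/07/13 11:00:46 31394 176:2 listen.pl S0 USER taldric^M
128.38.330.25 1063 110 1998/07/13 11:00:53 31394 176:2 listen.pl S0 PASS taldric^M
128.38.330.25 1063 110 1998/07/13 11:01:02 31394 176:2 listen.pl S0 USER taldric^M
128.38.330.25 1063 110 1998/07/13 11:01:09 31394 176:2 listen.pl S0 PASS toor^M
128.38.330.25 1063 110 1998/07/13 11:01:15 31394 176:2 listen.pl S0 QUIT^M
128.38.330.25 1063 110 1998/07/13 11:01:15 31394 176:2 listen.pl S0 WeClose
"""
# Records copied from the slides (1999 layout: the rpc.mountd detect).
LOG_1999 = """\
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:35', '18023', '275', '1', 'listen.pl', 'S0', 'R-Peace', 'Init'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', 'trap '' SIGALRM SIGTRAP'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', '/bin/uname -a;/usr/bin/id;echo 'moof::0:0::/:/bin/bash' >>/etc/passwd;rm -rf /etc/securetty;exit;'
"""

# Constructed watch list: real accounts whose passwords we fear were sniffed.
WATCHLIST = {"taldric": "taldric"}
# Password attempts from one source at or above this count are flagged (assumed).
GUESS_THRESHOLD = 2


@dataclass
class Record:
    src: str
    sport: int
    dport: int
    when: str
    state: str
    data: str


_QUOTED_FIELD_SEP = re.compile(r"',\s*'")
_POP3_AUTH = re.compile(r"^(USER|PASS)\s+(\S+)", re.IGNORECASE)

# Post-exploitation indicators run over whatever the attacker typed.
SHELL_INDICATORS = [
    ("recon", re.compile(r"\b(uname|id|whoami)\b")),
    ("passwd-modified", re.compile(r">>?\s*/etc/passwd\b")),
    ("uid0-account", re.compile(r"\b\w+:[^:]*:0:0:")),
    ("securetty-removed", re.compile(r"\brm\s+-\w*\s+/etc/securetty\b")),
]


def parse_line(line):
    """Parse one record in either layout; return None for blank lines."""
    line = line.strip()
    if not line:
        return None
    if line.startswith("'") and line.endswith("'"):
        # Quoted layout. Splitting on the quote-comma-quote separator keeps
        # single quotes inside the attacker's payload (echo 'moof...') intact.
        fields = _QUOTED_FIELD_SEP.split(line[1:-1])
        src, sport, dport, when = fields[:4]
        state, data = fields[8], fields[10]
    else:
        fields = line.split(None, 9)           # input field may contain spaces
        src, sport, dport, date, clock, _pid, _ctr, _script, state, data = fields
        when = f"{date} {clock}"
    if data.endswith("^M"):                     # telnet-style CR shown by DTK
        data = data[:-2]
    return Record(src, int(sport), int(dport), when, state, data)


def analyse(lines):
    """Return (source, finding, detail) tuples for a sequence of log lines."""
    findings = []
    last_user = {}                 # src -> most recent USER, to pair with PASS
    pass_attempts = Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        auth = _POP3_AUTH.match(rec.data)
        if auth:
            verb, arg = auth.group(1).upper(), auth.group(2)
            if verb == "USER":
                last_user[rec.src] = arg
            else:
                pass_attempts[rec.src] += 1
                user = last_user.get(rec.src)
                # A decoy has no legitimate users: a real password seen here
                # has leaked, whoever is typing it.
                if user is not None and WATCHLIST.get(user) == arg:
                    findings.append((rec.src, "sniffed-credential-reuse",
                                     f"{user}:{arg} on port {rec.dport} at {rec.when}"))
            continue
        for name, pattern in SHELL_INDICATORS:
            if pattern.search(rec.data):
                findings.append((rec.src, name, rec.data))
    for src, count in pass_attempts.items():
        if count >= GUESS_THRESHOLD:
            findings.append((src, "password-guessing", f"{count} PASS attempts"))
    return findings
```

Run over the 1998 records this yields one credential-reuse detect (taldric's real password tried against a port that has no users) and one password-guessing detect; over the 1999 records it flags the reconnaissance commands, the append to /etc/passwd, the UID 0 account and the removal of /etc/securetty, all from the same source.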
On Unix computers, the Internet Daemon, or inetd, listens for incoming connections and "wakes up" the appropriate daemon if the system offers that service. For instance, the telnet daemon is not always running. Instead, when the system receives a packet with the SYN flag set and destination port 23 (the well-known port for telnet), inetd starts telnetd to service the connection. DTK prefers to run all the time, which is a shade wasteful of CPU and memory, but not too bad. The bigger problems are the ones listed on the slide. DTK can be a bear to configure, and nobody on the mailing list has proven to be too friendly. In addition, the issue of checking another log is not minor. The approach used by Lance, modifying the Unix system logger (syslog) facility, allows him to collect a lot of data in a single place, and as busy as we all are, this has a lot of advantages.

[...] ... several of them would end up being arrested.

In the next section of the course we will discuss firewalls. These are not only the primary defense tool; they are one of the most important intrusion detection sensors on the Internet.

Intrusion Detection Roadmap
What are the pieces and how they play together
• Honeypots
• Firewalls
  – Proxy, State Aware, Filtering Routers
• Risk Assessment and Auditing
  – Introduction ...

... in the big picture?
[Figure: the defender's opportunities against an attacker over time. Labels, in extraction order: Defender, Attacker, P Negation, P Detection, P Late Negation, P Late Detection, P Host Negation, P Host Detection, P Host Late Detection, P Host Very Late Negation, P = Probability of, P Early Negation, P Early Detection, P Indications and Warning. Caption: A firewall is the primary opportunity for attack negation.]

Before we dive down into the ...
... simulate all/any services
  – Looks and acts like the real thing
  – No indication that it is simulated
  – Low CPU/disk overhead
• Will not provide any "real" services
  – As it becomes more complex, risk increases
• Easily customized for each machine

The telnetd and the web daemon are "real": they are compiled C code. They simply simulate the services. This ...

... anything about the attack (if it is TCP), and that might be bad.

Firewalls impact network traffic. In the slide above, the packet is addressed to TCP port 143, the IMAP service. If the site does not allow IMAP through the firewall, then there will never be a SYN/ACK response, the TCP three-way handshake will not complete, and we never know the attacker's ...

... Firewalls
• State Aware Firewalls
• Intrusion Detection with Firewalls

Well, let's get into it; we have a number of issues to cover.

Egress Filtering
INTERNET | Protected Net 128.38.0.0
Only addresses that belong to the protected net are allowed out onto the Internet.

Ingress filtering ...

... block on at least the SYN packet, ergo no content. Can you name a situation where you might really want to know the content of the TCP conversation?

In this slide we see the steps that are required to complete a TCP connection. Take a minute and think about the question on the bottom of the slide. Many times we just want to block the traffic and ...
... from www.yahoo.com

The response to a SYN is a SYN/ACK, as shown on the slide. Yahoo responds back to the NAT IP address. Yahoo also responds back to the source address, and since it is a response, this is now the destination address. The firewall NAT has reserved connections to 2160 from Yahoo for the internal host that initiated the connection and ...

... not be the ideal proxy for sendmail.

An example of a proxy is shown in this slide. An internal host is receiving email from an attacker. Do you remember in the honeypot section we talked about smap? Smap would receive the email and drop it in a directory, and then a second process would deliver it. Smap is a proxy application for sendmail. If the computer ...

... a look.

Intrusion Detection Using Firewall Logs
• Common and obvious point to detect intrusions
• Logs can be very tricky to analyze
• Proxy firewalls can potentially detect very subtle attacks since the application runs in the proxy

Firewalls account for more intrusion and anomaly detects than any other class of sensors. They have their limitations, ...

... outside the firewall or allow the traffic through the firewall to the honeypot on an isolated network, we can collect information as to what the attacker is trying to do.

Why you want others to run them
• Remember port 365?
• Name servers, mail servers, and web servers draw the most fire on the Internet. What if they had their non-service ports instrumented?
• The end result could be to slow down the pace ...