Network Intrusion Detection
David [email protected]

Topics
- What is IDS?
- HIDS v. NIDS
- Signatures
- Active Response / IPS
- NIDS on the Cheap
- Additional Resources

What is IDS?
"the art of detecting inappropriate, incorrect, or anomalous activity. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems, and ID systems that operate on network data flows are called network-based ID systems."
http://www.sans.org/newlook/resources/IDFAQ/what_is_ID.htm

HIDS v. NIDS
Defense in depth, layered security
HIDS
- Typically software installed on a system
- Agent-based
  - Monitors multiple data sources, including file system meta-data and log files
- Wrapper-based
  - Acts like a firewall – denies or accepts connections or logins based on a defined policy

HIDS v. NIDS
NIDS
- Monitors traffic on a network
- Reports on traffic not considered "normal"
- Anomaly-based
  - Packet sizes, destinations, protocol distributions, etc.
  - Hard to determine what "normal" traffic looks like
- Signature-based
  - Most products use signature-based technologies

Signature-based NIDS
Signature-based
- Matches header fields, port numbers, content
- Network "grep"
Advantages
- No learning curve
- Works out-of-box for well known attacks
  - Snort has ~1900 signatures
  - Dragon has ~1700 signatures
Disadvantages
- New attacks cannot be detected
- False positives
- Maintenance/tweaking
- Not very hard to evade
  - Stateless, lacks thresholding

Signatures
A Dragon signature and its fields (the search string is hex-escaped: /5B is '[' and /5D is ']', so it matches "[xdcc]slt"):

T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt
| | | | |  |  |    |        |
| | | | |  |  |    |        SEARCH STRING
| | | | |  |  |    EVENT NAME
| | | | |  |  PORT
| | | | |  COMPARE BYTES
| | | | DYNAMIC LOG
| | | BINARY OR STRING
| | PROTECTED NETWORKS
| DIRECTION
PROTOCOL

Signatures
On the console...

Time           Dir   Source             Destination       Proto  Event Name  Group    Sensor  Session  Raw Data
11:02 02Nov04  from  128.103.a.b:4295   207.44.x.y:6667   tcp    IRC:XDCC    UNKNOWN  ids5
11:01 02Nov04  from  128.103.a.b:1141   207.44.x.y:6667   tcp    IRC:XDCC    UNKNOWN  ids5
10:59 02Nov04  from  128.103.a.b:2582   207.44.x.y:6667   tcp    IRC:XDCC    UNKNOWN  ids5
10:57 02Nov04  from  128.103.a.b:3341   207.44.x.y:6667   tcp    IRC:XDCC    UNKNOWN  ids5

Raw data for the session (non-printable bytes are shown in braces: {A} is the line feed 0x0A, {D} the carriage return 0x0D):

NICK [XDCC]SLT-L482{A}
USER b0b 32 . :XDCC{A}
MODE [XDCC]SLT-L482 +i{A}
NICK [XDCC]SLT-L482{A}
USER b0b 32 . :XDCC{A}
MODE [XDCC]SLT-L482 +i{A}
NICK [XDCC]SLT-L482{A}
USER b0b 32 . :XDCC{A}
MODE [XDCC]SLT-L482 +i{A}
{A}
:snagged.wi.us.criten.net NOTICE AUTH :*** Looking up your hostname...{A}
:snagged.wi.us.criten.net NOTICE AUTH :*** Found your hostname, cached{A}
:snagged.wi.us.criten.net NOTICE AUTH :*** Checking Ident{A}
:snagged.wi.us.criten.net 001 [XDCC]SLT-L482 :Welcome to the Criten IRC Network [XDCC][email protected]{D}{A}
:snagged.wi.us.criten.net 002 [XDCC]SLT-L482 :Your host is snagged.wi.us.criten.net[@0.0.0.0], running version bahamut-1.4(34){D}{A}
:snagged.wi.us.criten.net 003 [XDCC]SLT-L482 :This server was created Fri Oct 18 2002 at 12:49:34 CDT{D}{A}
:snagged.wi.us.criten.net 004 [XDCC]SLT-L482 snagged.wi.us.criten.net bahamut-1.4(34) oiwscrknfydaAbghe biklLmMnoprRstvc{D}{A}
:snagged.wi.us.criten.net 005 [XDCC]SLT-L482 NOQUIT WATCH=128 SAFELIST MODES=13 MAXCHANNELS=15 MAXBANS=100 NICKLEN=30 TOPICLEN=307 KICKLEN=307 CHANTYPES=&# PREFIX=(ov)@+ NETWORK=Criten SILENCE=10 CASEMAPPING=ascii :are available on this server{D}{A}
:snagged.wi.us.criten.net 251 [XDCC]SLT-L482 :There are 59 users and 6470 invisible on 17 servers{D}{A}
:snagged.wi.us.criten.net 252 [XDCC]SLT-L482 30 :IRC Operators online{D}{A}
:snagged.wi.us.criten.net 253 [XDCC]SLT-L482 84 :unknown connection(s){D}{A}
:snagged.wi.us.criten.net 254 [XDCC]SLT-L482 738 :channels formed{D}{A}
:snagged.wi.us.criten.net 255 [XDCC]SLT-L482 :I have 705 clients and 1 servers{D}{A}
:snagged.wi.us.criten.net 265 [XDCC]SLT-L482 :Current local users: 705 Max: 3506{D}{A}
:snagged.wi.us.criten.net 266 [XDCC]SLT-L482 :Current global users: 6529 Max: 13238{D}{A}
:snagged.wi.us.criten.net NOTICE [XD

NIDS – Management
- Correlation is key
- Multiple sensors
- Single data repository
  - Syslog
  - DBMS
  - Text files

NIDS – Placement
- Inside firewall
  - Limits false positives – "cleaner" data
- Outside firewall
  - Shows overall interest
- Need to collect all traffic
  - An ordinary switch port won't cut it: it only sees traffic addressed to it
  - Hub
  - Switch SPAN port
  - Passive tap
  - Difficult on high-bandwidth links (>300Mbps)
    - Distribution devices (TopLayer, etc.)
    - Hardware

NIDS – Drawbacks
- False positives
- LOTS of data
  - We generate 3-4GB of logs each day on a ~250Mbps sustained link
  - Makes alerting difficult
- Interoperability
  - ESM – Intellitactics, PentaSafe, etc.

NIDS – Drawbacks
- Evasion
  - Packet fragmentation
  - Out of order,
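The following is an added example, not Dragon's code and not part of the slides: a toy signature-based NIDS that parses the nine-field signature from the Signatures slide, decodes the /XX escapes, and runs it over constructed traffic modelled on the raw data above. It shows both points the deck makes about signature matching: it is a network "grep" that fires on the bot's NICK line, and, run statelessly per packet, it is evaded as soon as the search string is split across two segments (packet fragmentation, out-of-order delivery), while a matcher that reassembles the TCP stream still catches it. Assumptions made for this illustration: the port field is treated as a destination-port filter, string matches are case-insensitive (the slide's lowercase search string fires on "NICK [XDCC]SLT"), and "compare bytes" bounds how much payload is examined. The traffic is directed at 6668, the port in the printed signature; the console on the slide shows hits on 6667.

```python
# Added example, not Dragon's code: toy Dragon-style signature matcher.
# Assumptions: port = destination port filter, case-insensitive string
# match, compare bytes = payload window examined (per packet or per stream).
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Signature:
    protocol: str        # T = TCP
    direction: str       # A = any
    protected_nets: str  # A = any
    kind: str            # S = string, B = binary
    dynamic_log: int     # packets to keep logging after the event fires
    compare_bytes: int   # payload bytes examined
    port: int            # destination port (assumption)
    event: str           # event name printed on the console
    pattern: bytes       # decoded search string


def decode_search_string(raw: str) -> bytes:
    """Non-alphanumeric bytes are written as /XX hex escapes: /5B is '['."""
    text = re.sub(r"/([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return text.encode("latin-1")


def parse_signature(line: str) -> Signature:
    """Parse the nine whitespace-separated fields shown on the slide."""
    fields = line.split(None, 8)  # the search string itself may contain spaces
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    proto, direction, nets, kind, dyn, cmp_bytes, port, event, search = fields
    return Signature(proto, direction, nets, kind, int(dyn), int(cmp_bytes),
                     int(port), event, decode_search_string(search))


@dataclass(frozen=True)
class Packet:
    time: str
    src: str
    sport: int
    dst: str
    dport: int
    seq: int       # TCP sequence number of the first payload byte
    payload: bytes


def _matches(sig: Signature, data: bytes) -> bool:
    return sig.pattern.lower() in data[: sig.compare_bytes].lower()


def _event_line(sig: Signature, pkt: Packet, sensor: str = "ids5") -> str:
    """Same columns as the console on the slide."""
    return (f"{pkt.time} from {pkt.src}:{pkt.sport} {pkt.dst}:{pkt.dport} "
            f"tcp {sig.event} UNKNOWN {sensor}")


def stateless_scan(sig: Signature, packets: List[Packet]) -> List[str]:
    """Network grep: every packet is judged on its own, no stream state."""
    return [_event_line(sig, p) for p in packets
            if p.dport == sig.port and _matches(sig, p.payload)]


def stream_scan(sig: Signature, packets: List[Packet]) -> List[str]:
    """Reassemble each TCP flow by sequence number, then match once per flow."""
    flows: Dict[Tuple[str, int, str, int], List[Packet]] = defaultdict(list)
    for p in packets:
        if p.dport == sig.port:
            flows[(p.src, p.sport, p.dst, p.dport)].append(p)
    events = []
    for segs in flows.values():
        segs.sort(key=lambda p: p.seq)  # out-of-order delivery is undone here
        if _matches(sig, b"".join(p.payload for p in segs)):
            events.append(_event_line(sig, segs[0]))
    return events


SIG = parse_signature("T A A S 10 20 6668 IRC:XDCC /5Bxdcc/5Dslt")

# Constructed traffic; the bot login mirrors the raw data on the slide.
BOT_LOGIN = b"NICK [XDCC]SLT-L482\nUSER b0b 32 . :XDCC\nMODE [XDCC]SLT-L482 +i\n"
TRAFFIC = [
    # Login in one segment: both scanners fire.
    Packet("11:02 02Nov04", "128.103.a.b", 4295, "207.44.x.y", 6668, 1, BOT_LOGIN),
    # A human user: neither fires.
    Packet("11:03 02Nov04", "128.103.c.d", 3101, "207.44.x.y", 6668, 1,
           b"NICK alice\nUSER alice 0 * :Alice\n"),
    # Same login split so the search string straddles two segments, with the
    # second segment delivered first: only the stream scanner fires.
    Packet("11:04 02Nov04", "128.103.a.b", 4296, "207.44.x.y", 6668, 9, BOT_LOGIN[8:]),
    Packet("11:04 02Nov04", "128.103.a.b", 4296, "207.44.x.y", 6668, 1, BOT_LOGIN[:8]),
    # Search string on a non-IRC port: the port field filters it out.
    Packet("11:05 02Nov04", "128.103.e.f", 5050, "207.44.x.y", 80, 1,
           b"GET /?q=[xdcc]slt HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    print("stateless:", *stateless_scan(SIG, TRAFFIC), sep="\n  ")
    print("stream:", *stream_scan(SIG, TRAFFIC), sep="\n  ")
```

Running it prints one event from the stateless pass and two from the stream pass; the split login is the difference. Stream reassembly costs memory per tracked flow, which is why the "lots of data" and high-bandwidth placement points on the following slides matter for any sensor that does it.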
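The management and drawbacks slides above make two linked points: correlation across sensors into a single repository, and the difficulty of alerting on several gigabytes of stateless, unthresholded events a day. The following is an added example, not from the slides and not any ESM product's code, that does the minimal version of both: it parses console-style event lines (the column layout from the console slide) from two sensors into one time-ordered repository, collapses the duplicate reports two sensors produce for the same session, and raises one alert per source host and event name only when a threshold is crossed inside a time window. The two sensor logs are constructed for the demo; the ids5 lines are the four from the console slide, and sensor name ids2 and its lines are invented.

```python
# Added example, not from the slides: merge, dedupe and threshold
# console-style NIDS events from several sensors. Input logs are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

EVENT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2} \d{2}[A-Za-z]{3}\d{2}) from "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<proto>\S+) (?P<event>\S+) (?P<group>\S+) (?P<sensor>\S+)$")


class Event(NamedTuple):
    when: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    event: str
    group: str
    sensor: str


def parse_event(line: str) -> Event:
    """One console line (Time Dir Source Destination Proto Event Group Sensor)."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a console event line: {line!r}")
    d = m.groupdict()
    return Event(datetime.strptime(d["time"], "%H:%M %d%b%y"), d["src"],
                 int(d["sport"]), d["dst"], int(d["dport"]), d["proto"],
                 d["event"], d["group"], d["sensor"])


def load_repository(*sensor_logs: str) -> List[Event]:
    """Single data repository: every sensor's text log merged and time-ordered."""
    events = [parse_event(line) for log in sensor_logs
              for line in log.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e.when)


def dedupe(events: List[Event]) -> List[Event]:
    """A session seen by two sensors (say, inside and outside the firewall)
    is one session; keep the first report per connection, minute and event."""
    seen, unique = set(), []
    for e in events:
        key = (e.when, e.src, e.sport, e.dst, e.dport, e.event)
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def threshold_alerts(events: List[Event], min_count: int = 3,
                     window: timedelta = timedelta(minutes=10)) -> List[str]:
    """One alert per (source host, event name) the first time min_count
    events from that host fall inside window; single hits stay in the log."""
    by_key: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in events:
        by_key[(e.src, e.event)].append(e)
    alerts = []
    for (src, name), evs in by_key.items():
        evs.sort(key=lambda e: e.when)
        start = 0
        for end in range(len(evs)):
            while evs[end].when - evs[start].when > window:
                start += 1          # slide the window forward
            if end - start + 1 >= min_count:
                mins = int(window.total_seconds() // 60)
                alerts.append(f"{name} from {src}: {end - start + 1} sessions "
                              f"within {mins} min starting {evs[start].when:%H:%M %d%b%y}")
                break
    return alerts


# Constructed input: the four ids5 lines from the slide, plus a second
# sensor (ids2, invented) that saw two of the same sessions and one more host.
IDS5_LOG = """\
11:02 02Nov04 from 128.103.a.b:4295 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
11:01 02Nov04 from 128.103.a.b:1141 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
10:59 02Nov04 from 128.103.a.b:2582 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
10:57 02Nov04 from 128.103.a.b:3341 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids5
"""
IDS2_LOG = """\
11:02 02Nov04 from 128.103.a.b:4295 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids2
10:57 02Nov04 from 128.103.a.b:3341 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids2
10:30 02Nov04 from 128.103.c.d:2001 207.44.x.y:6667 tcp IRC:XDCC UNKNOWN ids2
"""

if __name__ == "__main__":
    repo = dedupe(load_repository(IDS5_LOG, IDS2_LOG))
    for alert in threshold_alerts(repo):
        print(alert)
```

The seven raw lines collapse to five distinct sessions, and only 128.103.a.b, which reconnected to the IRC server four times in five minutes, produces an alert; the single hit from the other host stays in the repository for later searching instead of paging anyone.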