UCCS CS 6910 - Intrusion Detection System

This preview shows page 1-2-16-17-18-34-35 out of 35 pages.

Unformatted text preview:

Slide titles (deck outline): IDS: Intrusion Detection System; Outline of The Talk; Architecture of IDS; HIDS vs. NIDS; IDS Placement; Snort; Snort-based IDS Setup Example (from Steven Scott's tutorial); Basic Snort Usage; /etc/snort/snort.conf; Snort Rule Syntax; Slide 11; Rule option: Content content: [!] "<content string>"; Rule option: offset and depth; Rule option: sid & flow; Slide 15; Slide 16; Detection Results; Slide 18; False Positives vs False Negatives; Attack Response Rules; BackDoor Trojan; DDoS Rules; DNS rules; Scan rules; WEB-CGI Rules; WEB-IIS Rules; SMTP Rules; Bad Traffic; HIDS: Host-based Intrusion Detection; HIDS' Advantages over NIDS; Tripwire: A Host-based IDS; Slide 32; Slide 33; File Access Permission Change; Example of Policy File

Slide 1: IDS: Intrusion Detection System
C. Edward Chow (slide footer: cs691 chow)

Slide 2: Outline of The Talk
- Definition, Concepts
- Network Intrusion Detection: Snort
- A2D2 (Integrating NIDS with Firewall)
- Host Intrusion Detection: Tripwire
References:
- Chapter 25 Intrusion Detection, by Matt Bishop.
- Chapter 7 Network Intrusion Detection, Inside Network Perimeter Security, by Northcutt et al (reserved in UCCS Library)
- NIST IDS Survey: http://cs.uccs.edu/~chow/pub/ids/NISTsp800-31.pdf
- A2D2: http://cs.uccs.edu/~chow/pub/master/acearns/doc/
- http://cs.uccs.edu/~chow/pub/ids/2001_vigna_kemmerer_blix_raid01.pdf
- Snort: http://www.snort.org/
- Tripwire: http://www.tripwire.org/

Slide 3: Architecture of IDS
[Figure: several hosts each running a HIDS, plus one host running a NIDS, report to a Director (Analyzer) with a logger; the Director feeds a Notifier.]
HIDS: Host Intrusion Detection System
NIDS: Network Intrusion Detection System

Slide 4: HIDS vs. NIDS
Two Basic Types of IDS:
- Host-based IDS: periodically analyzes logs and performs file system integrity checks.
  Examples:
  - Generic: ISS RealSecure Server Sensor
  - Check host file system: Tripwire, AIDE
  - Check host network connections: BlackICE, PortSentry
  - Check host's log files: LogSentry, Swatch
- Network-based IDS: analyzes network traffic content and patterns for signs of intrusion.
  Examples:
  - Snort, Cisco IDS 4235

Slide 5: IDS Placement
[Figure only.]

Slide 6: Snort
- A popular public domain network intrusion detection package, available at www.snort.org.
- It lets the user specify a set of rules, each describing a pattern to look for in packets and the action (typically just an alert message) to take on matching packets.
- It also lets the user write plug-ins for detection that the default pattern matching cannot do; detecting subnet flooding, for example, requires modifying the preprocessing step.
- It is used by many other packages and products.
- The Snort download site gives installation steps for integrating Snort with MySQL, Apache, Webmin and ACID for easy web-based access to and display of intrusion instances, statistics, and related intrusion event databases such as CVE and arachNIDS.
- See http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf for more details.

Slide 7: Snort-based IDS Setup Example (from Steven Scott's tutorial)
[Figure only.]

Slide 8: Basic Snort Usage
Snort has three main modes:
- Sniffer mode: read packets and display them on the console.
  - E.g., > snort -dev
  - -v: verbose; -d: dump application data; -e: extensive
- Packet logger mode: read packets and log them to disk.
  - E.g., > snort -dev -l ./log -h 192.168.1.0/24
  - -l: log directory; -h: only capture packets relative to the host
- NIDS mode: analyze packets, match them against user-defined rules, and perform the rule actions.
  - E.g., > snort -dev -l ./log -c snort.conf
  - Adding -D makes Snort run as a daemon.
  - -A [fast | full | unsock | none] selects the alert mode.
  - -b logs in binary (tcpdump) format, which is faster; use -r snort.log to read the file back for offline analysis.
  - -o changes the normal rule processing order (alert, pass, log) to (pass, alert, log).
  - You can use SMB alerts, which use smbclient to send a WinPopup alert message to Windows machines.
  - -O obfuscates the IP addresses in the log file, for hiding them when sharing logs with others.

Slide 9: /etc/snort/snort.conf
Snort reads snort.conf for the default variables, any additional pre/post-processing plug-ins, the output specification (to a MySQL database, for example), and the set of rule files to include. For example, http://cs.uccs.edu/~chow/pub/snort/snort.conf contains:
output database: log, mysql, user=snort password=xxxx dbname=snort host=localhost
include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules

Slide 10: Snort Rule Syntax
- Most rules are written on a single line; to continue a rule over multiple lines, end each line with \.
- Each Snort rule has two logical sections: the rule header and the rule options.
alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht agent->handler (skillz)"; content:"skillz"; itype:0; icmp_id:6666; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:2;)
alert tcp any any -> 192.168.1.0/24 any (flags:A; ack:0; msg:"NMAP TCP ping";)   # nmap sends a TCP ACK packet with the ack field set to 0
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)
- The rule header contains the action, protocol, source (IP address/port), direction, and destination (IP address/port).
- The rule option contains alert
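The rule syntax on the Snort Rule Syntax slide is easiest to see through a small parser that actually applies it. The following is an added example written for this page, not Snort's own code: it parses the three rules from the slide (header plus options), resolves $HOME_NET, $EXTERNAL_NET, $HTTP_SERVERS and $HTTP_PORTS from an assumed snort.conf-style variable table, and evaluates the rules against packets represented as constructed dicts. It goes a little beyond the slide by also handling the content negation (`content:!"..."`), offset and depth modifiers that the outline lists; flow is accepted but not evaluated (it needs session state), port specs are single ports or any, and flags are compared as an exact set.

```python
"""Minimal Snort-style rule parser and matcher (added illustration, not Snort's code).
Covers the header (action proto src_ip src_port direction dst_ip dst_port) and the options on
the slides: msg, content with optional '!' negation, nocase, offset, depth, flags, ack, itype,
icmp_id, sid, rev, classtype. $VARS come from a dict standing in for snort.conf's `var` lines
(assumed values); packets are dicts constructed inline, nothing is captured from the network."""
import ipaddress
import re
from collections import namedtuple

VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24",   # constructed values
        "$HTTP_SERVERS": "192.168.1.0/24", "$HTTP_PORTS": "80"}
Rule = namedtuple("Rule", "action proto src_ip src_port direction dst_ip dst_port options")
_OPT_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;', re.I)

def opt(rule, key):                      # first value of an option; options are ordered (key, value) pairs
    return next((v for k, v in rule.options if k == key), None)

def parse_rule(text):
    """Split 'header (options)' and tokenize the options into ordered (key, value) pairs."""
    text = re.sub(r"\)\s*#.*$", ")", text.strip())             # drop a trailing # comment
    header, _, body = text.partition("(")
    fields = header.split()
    if len(fields) != 7 or not body.endswith(")"):
        raise ValueError(f"malformed rule: {text!r}")
    body, pos, options = body[:-1].rstrip(), 0, []
    while pos < len(body):
        m = _OPT_RE.match(body, pos)
        if not m:
            raise ValueError(f"bad option near {body[pos:pos + 20]!r}")
        key, val = m.group(1).lower(), m.group(2)
        if val is not None:
            neg = val.strip().startswith("!")                    # content:!"..." = must NOT appear
            val = val.strip().lstrip("!").strip().strip('"')
            val = "!" + val if neg else val
        options.append((key, val))
        pos = m.end()
    return Rule(*fields, options)

def _ip_match(spec, ip):
    spec = VARS.get(spec, spec)
    negate = spec.startswith("!")                                # !net means "anything outside net"
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def _port_match(spec, port):
    spec = VARS.get(spec, spec)                                  # single port or any; ranges not handled
    return spec == "any" or port == int(spec)

def header_matches(rule, pkt):
    if rule.proto not in ("ip", pkt["proto"]):
        return False
    def oriented(src, sport, dst, dport):
        return (_ip_match(rule.src_ip, src) and _port_match(rule.src_port, sport)
                and _ip_match(rule.dst_ip, dst) and _port_match(rule.dst_port, dport))
    if oriented(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    return rule.direction == "<>" and oriented(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

def options_match(rule, pkt):
    """msg/sid/rev/classtype/reference are metadata and flow needs session state: not evaluated."""
    payload, clauses, cur = pkt.get("payload", b""), [], None
    for key, val in rule.options:
        if key == "content":
            cur = {"pat": val.lstrip("!"), "neg": val.startswith("!"), "nocase": False, "offset": 0, "depth": None}
            clauses.append(cur)
        elif key in ("nocase", "offset", "depth") and cur is not None:   # modifies the preceding content
            cur[key] = True if key == "nocase" else int(val)
        elif key == "flags" and pkt.get("flags") != val:        # exact flag set; +,*,! modifiers not handled
            return False
        elif key in ("ack", "itype", "icmp_id") and pkt.get(key) != int(val):
            return False
    for c in clauses:
        end = None if c["depth"] is None else c["offset"] + c["depth"]
        window, pat = payload[c["offset"]:end], c["pat"].encode()
        found = pat.lower() in window.lower() if c["nocase"] else pat in window
        if found == c["neg"]:            # plain content must be present, '!' content must be absent
            return False
    return True

# The three rules from the slide (the NMAP rule given its tcp protocol field).
RULES = [parse_rule(r) for r in (
    'alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht agent->handler (skillz)"; content:"skillz"; '
    'itype:0; icmp_id:6666; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:2;)',
    'alert tcp any any -> 192.168.1.0/24 any (flags:A; ack:0; msg:"NMAP TCP ping";)  # nmap TCP ACK with ack field 0',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; '
    'content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)')]

def alerts_for(pkt, rules=RULES):
    """msg of every rule whose header and options both match the packet."""
    return [opt(r, "msg") for r in rules if header_matches(r, pkt) and options_match(r, pkt)]

# Constructed packets: an ICMP echo reply carrying "skillz", a bare ACK probe, and an HTTP
# request naming CMD.EXE in mixed case (the nocase modifier still matches it).
SAMPLE_PACKETS = [
    {"proto": "icmp", "src": "10.0.0.5", "sport": 0, "dst": "192.168.1.10", "dport": 0,
     "itype": 0, "icmp_id": 6666, "payload": b"skillz"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.10", "dport": 80,
     "flags": "A", "ack": 0, "payload": b""},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.10", "dport": 80,
     "flags": "PA", "ack": 1, "payload": b"GET /scripts/CMD.EXE?/c+dir HTTP/1.0\r\n"}]
```

`alerts_for(pkt)` returns the msg strings of the matching rules, so each sample packet can be checked in a loop; the same request sent from an address inside $HOME_NET produces no alert, because the negated $EXTERNAL_NET variable excludes it, and the `<>` rule fires for traffic in either direction.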
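The host-based side of the deck (the "file system integrity check" on the HIDS vs. NIDS slide and the Tripwire slides listed in the outline) rests on one idea: record a baseline of file digests and attributes, then periodically compare the live file system against it. The following is an added example written for this page, not Tripwire's or the lecture's code; it builds a constructed directory tree in a temporary folder, takes a baseline, applies four changes of the kinds an integrity checker must flag, and reports them. File names and contents are made up.

```python
"""Tripwire-style file integrity check (added illustration, not Tripwire's own code).
A baseline records each regular file's SHA-256 digest, size and permission bits; a later
run compares the live tree with it and reports modified, mode-changed, added and removed
files. The tree and the changes are constructed in a temporary directory (runs offline)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """{relative path: {sha256, size, mode}} for every regular file under root (symlinks skipped)."""
    root, snap = Path(root), {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        snap[p.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}
    return snap

def compare(baseline, current):
    """Classify every path seen in either snapshot; a file can be both modified and mode-changed."""
    report = {"modified": [], "mode_changed": [], "added": [], "removed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            report["removed"].append(path)
        elif path not in baseline:
            report["added"].append(path)
        else:
            old, new = baseline[path], current[path]
            if old["sha256"] != new["sha256"] or old["size"] != new["size"]:
                report["modified"].append(path)
            if old["mode"] != new["mode"]:
                report["mode_changed"].append(path)
    return report

def demo():
    """Build a small constructed tree, baseline it, make four changes, and return the report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "shadow").write_text("root:*:1:0:99999:7:::\n")
        os.chmod(root / "etc" / "shadow", 0o600)
        (root / "bin" / "ls").write_bytes(b"\x7fELF stand-in for a binary")
        # The baseline would normally live in a database the checker keeps read-only
        # (Tripwire signs it); here it just round-trips through JSON.
        baseline = json.loads(json.dumps(snapshot(root), sort_keys=True))
        # Changes an integrity checker is expected to flag:
        with open(root / "etc" / "passwd", "a") as f:           # content change
            f.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")
        os.chmod(root / "etc" / "shadow", 0o644)                 # permission change
        (root / "bin" / "ls").unlink()                           # removal
        (root / "bin" / "newtool").write_bytes(b"\x7fELF stand-in")   # addition
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13s} {paths}")
```

In a real deployment the baseline is taken on a known-good system and stored where an intruder on the monitored host cannot rewrite it (read-only media or a signed database, as Tripwire does); `compare` is what the periodic check runs, and a digest change on a file the policy marks as static is the signal to investigate.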