1 cs691 chow C. Edward Chow IDS: Intrusion Detection System.


Transcript of 1 cs691 chow C. Edward Chow IDS: Intrusion Detection System.

Page 1: IDS: Intrusion Detection System

C. Edward Chow

Page 2: Outline of The Talk

Definition, Concepts
Network Intrusion Detection: Snort
A2D2 (Integrating NIDS with Firewall)
Host Intrusion Detection: Tripwire

References:
Chapter 25 Intrusion Detection, by Matt Bishop.
Chapter 7 Network Intrusion Detection, Inside Network Perimeter Security, by Northcutt et al (reserved in UCCS Library)
NIST IDS Survey: http://cs.uccs.edu/~chow/pub/ids/NISTsp800-31.pdf
A2D2: http://cs.uccs.edu/~chow/pub/master/acearns/doc/
http://cs.uccs.edu/~chow/pub/ids/2001_vigna_kemmerer_blix_raid01.pdf
Snort: http://www.snort.org/
Tripwire: http://www.tripwire.org/

Page 3: Architecture of IDS

(Figure: hosts running HIDS and NIDS agents, a Director (Analyzer), a Notifier, and a logger.)

HIDS: Host Intrusion Detection System
NIDS: Network Intrusion Detection System

Page 4: HIDS vs. NIDS

Two Basic Types of IDS:

Host-based IDS: periodically analyze logs, perform file system integrity checks. Examples:
– Generic: ISS RealSecure Server Sensor.
– Check host file system: Tripwire, AIDE
– Check host network connections: BlackICE, PortSentry
– Check host's log files: LogSentry, Swatch

Network-based IDS: analyze network traffic content and patterns for signs of intrusion. Examples:
– Snort, Cisco IDS4235

Page 5: IDS Placement

(Figure: Internet, Router, Outer Firewall, DMZ with Web Server, Mail Server and DNS Server, Inner Firewall, switches (SW), internal network Intra1, and three IDS sensors.)

Page 6: Snort

A popular public domain network intrusion detection package, available on www.snort.org.

It allows the user to specify a set of rules that describe patterns in packets and the corresponding actions (typically just an alert message) for matched packets.

It also allows the user to create their own plug-ins for detection that is not possible with the default pattern matching. For example, detecting subnet flooding requires modification of the preprocessing step.

It is used by many other packages and products. On the Snort download site, installation steps are given for integrating Snort with MySQL, Apache, Webmin, and ACID for easy web-based access and display of intrusion instances, statistics, and related intrusion event databases, such as CVE and arachNIDS.

See http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf for more details.

Page 7: Snort-based IDS Setup Example (from Steven Scott's tutorial)

Page 8: Basic Snort Usage

Snort has three main modes:

Sniffer mode: read packets and display them on the console.
– E.g., > snort -dev
– -v: verbose; -d: dump application data; -e: extensive

Packet Logger mode: read packets and log them to disk.
– E.g., > snort -dev -l ./log -h 192.168.1.0/24
– -l: log directory; -h: only capture packets relative to the given (home) network

NIDS mode: analyze packets, match them against user-defined rules, and perform actions.
– E.g., > snort -dev -l ./log -c snort.conf
– Adding -D makes snort run as a daemon.
– -A [fast | full | unsock | none] selects the alert mode.
– -b logs in binary (tcpdump) format; faster. Use -r snort.log to read it back for offline analysis.
– -o changes the normal rule processing order (alert, pass, log) to (pass, alert, log).
– You can use SMB alerts, which use smbclient to send WinPopup alert messages to Windows machines.
– Use -O to obfuscate the IP addresses in the log file, for hiding IP addresses when sharing the logs with others.

Page 9: /etc/snort/snort.conf

Snort reads the snort.conf file for the default variables, additional pre/post processing plug-ins (if any), the output specification (to a MySQL database, for example), and a set of rule files. For example, http://cs.uccs.edu/~chow/pub/snort/snort.conf

output database: log, mysql, user=snort password=xxxx dbname=snort host=localhost

include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules

Page 10: Snort Rule Syntax

Most rules are written on a single line; to continue a rule across lines, end each line with \. Each Snort rule has two logical sections: the rule header and the rule options.

alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht agent->handler (skillz)"; content:"skillz"; itype:0; icmp_id:6666; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:2;)

alert tcp any any -> 192.168.1.0/24 any (flags:A; ack:0; msg: "NMAP TCP ping";) # nmap sends a TCP ACK packet with the ack field set to 0

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)

The rule header contains the action, protocol, source (IP address/port), direction, and destination (IP address/port).

The rule options contain the alert message and information on which parts of the packet are to be inspected.

-> and <> are the only two direction operators.

Page 11: Snort Rule Syntax

Variables: var <name> <value>

var EXTERNAL_NET [128.198.160.0/19, 128.198.61.0/26]
var HOME_LAN [192.168.0.0/24, 10.1.1.0/24]
var NON_WIRELESS !128.198.61.128/25
# use ! as the negation operator to specify addresses not within a CIDR range.

Use $<variable> to reference them later:
alert tcp $EXTERNAL_NET any -> $HOME_LAN any (flags: S; msg: "SYN packet";)

Rule actions:
Alert
Log
Pass (ignore the packet)
Activate (alert, then turn on another dynamic rule; being phased out)
Dynamic (remain idle until activated by an activate rule, then act as a log rule)

You can also define your own rule types and then use them as a rule action:

ruletype redalert {
  type alert
  output alert_syslog: LOG_AUTH LOG_ALERT
  output database: log, mysql, user=snort dbname=snort host=localhost
}

Page 12: Rule option: content

content: [!] "<content string>";

It allows the user to write rules that search for specific content in the packet payload and trigger a response based on that data.

Matching is case sensitive. The string can mix text and binary: use | | to enclose byte codes (hexadecimal numbers). ! negates the match; nocase makes the matching case-insensitive. Examples:

alert tcp any any -> 192.168.1.0/24 143 (content: "|90CB C0FF FFFF|/bin/sh"; \
  msg: "IMAP buffer overflow!";)

alert tcp any any -> 192.168.1.0/24 21 (content: !"GET"; depth: 3; nocase; \
  dsize: >100; msg: "Long Non-Get FTP command!";)

dsize: payload size.

Related IMAP buffer overflow: http://www.securityfocus.com/bid/130/discussion/

Page 13: Rule option: offset and depth

offset: <number> specifies the number of bytes to skip before starting the pattern match.
depth: <number> sets the maximum search depth for the content pattern match.

alert tcp any any -> $HLAN 80 (content: "cmd.exe"; offset: 3; depth: 22; msg: "cmd.exe attack";)
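The header/options split from page 10 and the content, nocase, offset, depth and dsize options from pages 12 and 13, worked through as an added Python example (not Snort's code): it implements only this subset, assumes Snort 2's semantics where depth is counted from the offset position, and parses but does not match the address/port fields of the header.

```python
"""Matcher for the Snort rule subset on pages 10-13. Added example, not
Snort's code: parse a rule into header and options, then test content,
nocase, offset, depth and dsize (with ! negation and |..| hex byte codes)
against a raw payload. Header addresses/ports are parsed, not matched.
"""
import re

HEX_BLOCK = re.compile(r"\|([0-9A-Fa-f ]+)\|")
HEADER_FIELDS = ("action", "proto", "src", "sport", "direction", "dst", "dport")

def decode_content(text):
    """'|90CB C0FF FFFF|/bin/sh' -> raw bytes; |..| groups are hex."""
    out, pos = bytearray(), 0
    for m in HEX_BLOCK.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))

def split_options(body):
    """Split the option body on ';' but never inside a quoted string."""
    opts, cur, quoted = [], "", False
    for ch in body:
        quoted ^= (ch == '"')          # toggle on every quote character
        if ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return opts + ([cur.strip()] if cur.strip() else [])

def parse_rule(rule):
    """Return (header dict, [(option, value), ...]) for a one-line rule."""
    head, _, body = rule.strip().partition("(")
    fields = head.split()
    if len(fields) != 7 or fields[4] not in ("->", "<>"):
        raise ValueError("rule header needs 7 fields: " + head)
    options = [tuple(s.strip() for s in opt.partition(":")[::2])
               for opt in split_options(body.rstrip().rstrip(")"))]
    return dict(zip(HEADER_FIELDS, fields)), options

def dsize_ok(spec, size):
    """dsize: >N, <N or exactly N (the slides use dsize: >100)."""
    op, num = (spec[0], int(spec[1:])) if spec[0] in "<>" else ("=", int(spec))
    return {">": size > num, "<": size < num, "=": size == num}[op]

def payload_matches(options, payload):
    """True when every content test (and dsize, if present) holds."""
    contents, dsize = [], None
    for key, val in options:
        if key == "content":
            pat = decode_content(val.lstrip("!").strip().strip('"'))
            contents.append({"pat": pat, "neg": val.startswith("!"),
                             "nocase": False, "offset": 0, "depth": None})
        elif key in ("nocase", "offset", "depth") and contents:
            contents[-1][key] = True if key == "nocase" else int(val)  # modifies the last content
        elif key == "dsize":
            dsize = val
    if dsize is not None and not dsize_ok(dsize, len(payload)):
        return False
    for c in contents:
        # assumed Snort 2 semantics: skip `offset` bytes, then search at most `depth` bytes
        window = payload[c["offset"]:]
        if c["depth"] is not None:
            window = window[:c["depth"]]
        hay, needle = (window.lower(), c["pat"].lower()) if c["nocase"] else (window, c["pat"])
        if (needle in hay) == c["neg"]:  # required but absent, or negated but present
            return False
    return True

def rule_fires(rule, payload):
    """Return the rule's msg text when the payload matches, else None."""
    options = parse_rule(rule)[1]
    if not payload_matches(options, payload):
        return None
    return dict(options).get("msg", "").strip('"')

# Rules from pages 12 and 13; the payloads fed to them are constructed samples.
FTP_RULE = ('alert tcp any any -> 192.168.1.0/24 21 (content: !"GET"; depth: 3; '
            'nocase; dsize: >100; msg: "Long Non-Get FTP command!";)')
CMD_RULE = ('alert tcp any any -> $HLAN 80 (content: "cmd.exe"; offset: 3; '
            'depth: 22; msg: "cmd.exe attack";)')
```

Calling rule_fires(FTP_RULE, b"USER " + b"A" * 120) returns the FTP rule's msg, while a payload starting with "get" (any case) or shorter than 100 bytes returns None; for CMD_RULE, "cmd.exe" beyond byte 25 of the payload falls outside the offset 3 / depth 22 window and is not matched.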

Page 14: Rule option: sid & flow

sid specifies a unique Snort rule id: <100 is reserved for future use, 100-1,000,000 is used by rules included in the Snort distribution, and >1,000,000 is for local rules.

flow is used in conjunction with TCP stream reassembly. Options: to_server (client request), to_client (server response), from_client, from_server. E.g.,

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)


Page 17: Detection Results

#0-(3-1) | [snort] WEB-IIS cmd.exe access | 2003-04-14 21:14:00 | 65.106.21.153:1541 | 128.198.161.110:80 | TCP

C:\work\cucs\cs691\S2003>nslookup 65.106.21.153
Server: evans.eas.uccs.edu
Address: 128.198.160.66

Name: diahost153.dia.cnc.net
Address: 65.106.21.153

Page 18: Detection Results

ID | Signature | Timestamp | Source Address | Dest. Address | Layer 4 Proto
#0-(4-39) | [snort] SCAN Proxy (8080) attempt | 2003-04-16 19:11:51 | 128.198.161.110:63906 | 128.198.61.61:8080 | TCP
#1-(4-38) | [snort] SCAN Proxy (8080) attempt | 2003-04-16 19:11:51 | 128.198.161.110:63905 | 128.198.61.61:8080 | TCP
#2-(4-37) | [cve][icat][snort] SNMP AgentX/tcp request | 2003-04-16 19:11:49 | 128.198.161.110:63906 | 128.198.61.61:705 | TCP
#3-(4-36) | [cve][icat][snort] SNMP AgentX/tcp request | 2003-04-16 19:11:49 | 128.198.161.110:63905 | 128.198.61.61:705 | TCP
#4-(4-35) | [url][snort] SCAN SOCKS Proxy attempt | 2003-04-16 19:11:48 | 128.198.161.110:63906 | 128.198.61.61:1080 | TCP
#5-(4-34) | [url][snort] SCAN SOCKS Proxy attempt | 2003-04-16 19:11:48 | 128.198.161.110:63905 | 128.198.61.61:1080 | TCP
#6-(4-33) | [cve][icat][snort] SNMP request tcp | 2003-04-16 19:11:30 | 128.198.161.110:63906 | 128.198.61.61:161 | TCP
#7-(4-32) | [cve][icat][snort] SNMP request tcp | 2003-04-16 19:11:29 | 128.198.161.110:63905 | 128.198.61.61:161 | TCP
#8-(4-31) | [snort] SCAN Squid Proxy attempt | 2003-04-16 19:11:27 | 128.198.161.110:63906 | 128.198.61.61:3128 | TCP
#9-(4-30) | [snort] SCAN Squid Proxy attempt | 2003-04-16 19:11:27 | 128.198.161.110:63905 | 128.198.61.61:3128 | TCP

Page 19: False Positives vs False Negatives

False positive: something occurs that causes the IDS to incorrectly identify an intrusion when none has occurred.

False negative: something occurs that causes the IDS to incorrectly fail to identify an intrusion when one has in fact occurred.

Accuracy of an IDS reflects the number of false positives. Completeness reflects the number of false negatives.

Page 20: Attack Response Rules

Check the responses of servers for obvious patterns indicating that the system has been attacked/compromised. https://128.198.61.61:10000/snort/conf_rules.cgi?rule=attack-responses

Examples:

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; classtype:bad-unknown; sid:1666; rev:3;)

alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSE successful gobbles ssh exploit (GOBBLE)"; flow:from_server,established; content:"|2a|GOBBLE|2a|"; reference:bugtraq,5093; classtype:successful-admin; sid:1810; rev:2;)
http://www.securityfocus.com/bid/5093

alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSE successful kadmind bufferflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:cve,CAN-2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900; rev:1;)

Page 21: BackDoor Trojan

Try to detect the known ports and packet content used and generated by backdoor trojans.

alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; content: "|57 74 7a 75 70 20 55 73 65|"; flags: A+; depth: 32; reference:arachnids,312; sid:119; classtype:misc-activity; rev:3;)

http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids312&view=research
https://128.198.61.61:10000/snort/conf_rules.cgi?rule=backdoor

Page 22: DDoS Rules

DDoS with known protocol/port/content. https://128.198.61.61:10000/snort/conf_rules.cgi?rule=ddos

alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent (ficken)"; content:"ficken"; itype:0; icmp_id:6667; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:2;)

alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00\:DaemontoMaster(PONGdetected)"; content:"PONG"; reference:arachnids,187; classtype:attempted-recon; sid:223; rev:1;)

Page 23: DNS rules

Zone transfer, DNS buffer overflow exploit. https://128.198.61.61:10000/snort/conf_rules.cgi?rule=dns

alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:7;)

alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS EXPLOIT x86 linux overflow attempt (ADMv2)"; flow:to_server,established; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|"; classtype:attempted-admin; sid:265; rev:3;)

Page 24: Scan rules

Scans of certain nodes/ports (network scan vs. port scan). https://128.198.61.61:10000/snort/conf_rules.cgi?rule=scan

alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S; classtype:attempted-recon; sid:618; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id: 39426; flags: SF; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; flags:A; ack:0; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:1;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SolarWinds IP scan attempt"; content:"SolarWinds.Net"; itype:8; icode:0; classtype:network-scan; sid:1918; rev:3;)

Page 25: WEB-CGI Rules

https://128.198.61.61:10000/snort/conf_rules.cgi?rule=web-cgi

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl.exe access"; flow:to_server,established; uricontent:"/perl.exe"; nocase; reference:cve,CAN-1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; reference:arachnids,219; reference:nessus,10173; classtype:attempted-recon; sid:832; rev:8;)

.. (DOT DOT) attack:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI technote main.cgi file directory traversal attempt"; flow:to_server,established; uricontent:"/technote/main.cgi"; nocase; content:"filename="; nocase; content:"../../"; reference:cve,CVE-2001-0075; reference:bugtraq,2156; classtype:web-application-attack; sid:1051; rev:7;)

Page 26: WEB-IIS Rules

https://128.198.61.61:10000/snort/conf_rules.cgi?rule=web-iis

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; classtype:web-application-attack; reference:cve,CVE-2000-0884; sid:981; rev:6;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)

Page 27: SMTP Rules

SMTP has quite a few buffer overflow exploits. https://128.198.61.61:10000/snort/conf_rules.cgi?rule=smtp

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3a|"; nocase; content:!"|0a|"; within:800; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:7;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3a207c|/usr/ucb/tail"; nocase; reference:arachnids,122; classtype:attempted-user; sid:665; rev:4;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From\:"; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"("; distance:1; content:")"; distance:1; reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:2;)

Page 28: Bad Traffic

Bad packet header content. https://128.198.61.61:10000/snort/conf_rules.cgi?rule=bad-traffic

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC data in TCP SYN packet"; flags:S; dsize:>6; reference:url,www.cert.org/incident_notes/IN-99-07.html; sid:526; classtype:misc-activity; rev:4;)

alert ip any any -> any any (msg:"BAD TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:3;)

Page 29: HIDS: Host-based Intrusion Detection

Detects and examines malicious activity (the same goal as network-based intrusion detection), but is optimized for monitoring individual hosts: it monitors system network activity, the file system, log files, and user actions.

Integrating the findings of several host-based intrusion detection instances provides a unified view of multiple systems in the network.

Detects escalation of privileges for a user or system account (e.g., from guest user to admin privilege). A NIDS cannot usually see or interpret such actions, which take place on a host.

Page 30: HIDS' Advantages over NIDS

HIDS can monitor user-specific activity on the system: check the process listing, local log files, and system calls. It is difficult for a NIDS to associate packets with specific users (except when a content switch-based NIDS is used!) and to determine whether the commands in the packets violate a specific user's access privileges.

A HIDS sensor can monitor encrypted traffic by tapping in at the connection endpoint, such as a VPN connection. (A NIDS cannot inspect encrypted IPsec/SSL payloads.)

HIDS can help detect attacks that evade NIDS detection. For example, attacks can encode dangerous commands in non-standard Unicode encoding, defeating a NIDS rule that checks for ".ida". An example request would look like: GET /himom.id%u0061 HTTP/1.0
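The evasion above, as an added example that is not part of the slides: a host-side check decodes the URI the way the endpoint did (%uXXXX escapes, %XX escapes, and the overlong %c0%af form from the WEB-IIS rule on page 26) before matching, so it sees ".ida" and "/../" where a raw wire-level content match does not. The decoder is a simplified reconstruction of that behaviour, not IIS's code.

```python
"""Host-side vs wire-level matching for IIS-style encoded requests.
Added example, not from the slides: the decoder approximates what the
IIS endpoint did with %uXXXX escapes, %XX escapes and overlong UTF-8
(%c0%af); it is a simplified reconstruction, not IIS code.
"""
import re

PCT_U = re.compile(r"%u([0-9A-Fa-f]{4})")   # IIS-specific %uXXXX escape
PCT = re.compile(r"%([0-9A-Fa-f]{2})")      # standard %XX escape


def decode_uri(path):
    """Decode as the endpoint would: %uXXXX, then %XX, then overlong UTF-8."""
    path = PCT_U.sub(lambda m: chr(int(m.group(1), 16)), path)
    raw, i = bytearray(), 0
    while i < len(path):
        m = PCT.match(path, i)
        if m:
            raw.append(int(m.group(1), 16))
            i = m.end()
        else:
            raw += path[i].encode("utf-8")
            i += 1
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        # lenient decoder: accept a 2-byte overlong form (C0/C1 lead byte)
        # for an ASCII code point, which a strict UTF-8 decoder rejects
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def request_uri(request_line):
    """'GET /x HTTP/1.0' -> '/x'."""
    return request_line.split(" ")[1] if " " in request_line else request_line


def wire_match(request_line, needle):
    """NIDS-style content match on the raw, undecoded request line."""
    return needle.lower() in request_line.lower()


def host_match(request_line, needle):
    """HIDS/endpoint-style match on the decoded request URI."""
    return needle.lower() in decode_uri(request_uri(request_line)).lower()
```

For the slide's request line, wire_match(..., ".ida") is False while host_match(..., ".ida") is True; the same split appears for "/../" against a "/..%c0%af../" path.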

Page 31: Tripwire: A Host-based IDS

The original version was developed at Purdue Univ. in 1992 by Dr. Eugene Spafford and Gene Kim, now CTO of Tripwire.

http://www.tripwire.org/downloads/index.php: Linux public domain software download. http://www.tripwire.org/qanda/faq.php

A commercial evaluation version, Tripwire 3.0 (with manager and server, running on both Linux and Windows), is available at http://www.tripwire.com/downloads/. Tripwire managers provide a GUI and a unified interface to monitor multiple instances of the tripwire program, and can monitor the configuration of routers/switches. Here is a presentation from tripwire.com.

There is also the Advanced Intrusion Detection Environment (AIDE), available at http://www.cs.tut.fi/~rammer/aide.html. It is actively maintained and developed, but does not run on Windows and does not encrypt and sign the baseline database (Tripwire does).


Page 34: File Access Permission Change

Page 35: Example of Policy File

For Windows systems: http://cs.uccs.edu/~cs691/tripwire/windows/Policy/twpol.txt
For Linux: http://cs.uccs.edu/~cs691/tripwire/linux/Policy/twpol.txt
See http://cs.uccs.edu/~cs691/tripwire/windows/Documents/reference_guide.pdf, page 25.

Rule: object -> properties;
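A toy Tripwire-style integrity check for the "object -> properties;" rule form above, as an added example (not Tripwire's code): the property letters p, u, g, s and m are used with their Tripwire meanings (permission bits, owner, group, size, mtime), S here stands for a SHA-256 digest rather than Tripwire's own signature letters, only this subset of the policy syntax is parsed, and demo() builds a constructed scenario in a temporary directory that covers the file permission change of page 34 followed by a content change.

```python
"""Toy Tripwire-style file integrity check for 'object -> properties;'
policy rules. Added example, not Tripwire's code: property letters p, u,
g, s, m follow Tripwire (permission bits, owner, group, size, mtime) and
S here means a SHA-256 digest; only this subset of the syntax is parsed.
"""
import hashlib
import os
import re
import tempfile

RULE = re.compile(r"^\s*(\S+)\s*->\s*\+([pugsmS]+)\s*;\s*$")


def parse_policy(text):
    """'/etc/passwd -> +pugsmS;' lines (with # comments) -> {path: props}."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if not line.strip():
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError("unsupported policy line: " + line.strip())
        rules[m.group(1)] = set(m.group(2))
    return rules


def snapshot(path, props):
    """Collect only the requested properties of one file system object."""
    st = os.stat(path)
    values = {"p": oct(st.st_mode & 0o7777), "u": st.st_uid, "g": st.st_gid,
              "s": st.st_size, "m": int(st.st_mtime)}
    if "S" in props:
        with open(path, "rb") as f:
            values["S"] = hashlib.sha256(f.read()).hexdigest()
    return {k: v for k, v in values.items() if k in props}


def baseline(rules):
    """The database Tripwire would sign: one snapshot per policy object."""
    return {path: snapshot(path, props) for path, props in rules.items()}


def check(rules, base):
    """Return {path: {property: (baseline, current)}} for each violation."""
    report = {}
    for path, props in rules.items():
        if not os.path.exists(path):
            report[path] = {"missing": (base[path], None)}
            continue
        now = snapshot(path, props)
        diff = {k: (base[path][k], now[k]) for k in props if base[path][k] != now[k]}
        if diff:
            report[path] = diff
    return report


def demo():
    """Constructed scenario in a temp dir: a permission change (page 34)
    followed by a content change; returns (clean report, violations)."""
    target = os.path.join(tempfile.mkdtemp(), "passwd")
    with open(target, "w") as f:
        f.write("root:x:0:0::/root:/bin/sh\n")
    os.chmod(target, 0o644)
    rules = parse_policy(target + " -> +pugsmS;  # watch every supported property\n")
    base = baseline(rules)
    clean = check(rules, base)            # nothing has changed yet: {}
    os.chmod(target, 0o666)               # world-writable: 'p' now differs
    with open(target, "a") as f:
        f.write("guest:x:0:0::/home/guest:/bin/sh\n")   # 's' and 'S' now differ
    return clean, check(rules, base)[target]
```

demo() returns an empty report before any change and, afterwards, a per-property (baseline, current) pair for p, s and S; u and g are unchanged and so are absent from the report.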