Network Intrusion Detection System & Its Analyzer: Snort & ACID
Intrusion Detection Essentials with Snort Primer (saiedian/Teaching/Fa07/... 11/3/2006 University of...)
Intrusion Detection Essentials
with Snort Primer
Paul Jaramillo, CISSP, GCFA
EECS 710: Information Security & Assurance
University of Kansas
Electrical Engineering & Computer Science
[email protected]
11/3/2006 2University of Kansas – EECS 710 – Intrusion Detection Essentials with Snort Primer
Problem Statement
Faced with ever-growing malicious threats to network and computer assets, IT personnel are charged with protecting the confidentiality, integrity, and availability of their employer's data. The 2006 FBI/CSI Computer Crime survey reported that 52% of its respondents were victims of a security breach last year. A key mechanism for preventing and detecting cyber attacks is the Intrusion Detection System (IDS). This presentation will outline IDS principles and detail how the open source IDS Snort may be used to increase assurance in your system's security.
Overview
1 – Why use IDS?
2 – IDS 101
3 – Design & Implementation
4 – Signatures
5 – Monitoring & Maintaining
6 – Skills and Tools
7 – Legal Issues
8 – Future & Conclusion
Buyer Beware
“IDS is dead” April 2003
  - John Pescatore, VP Gartner Research
  - Reaction of Security Professionals vs. Mgmt
“Intrusion detection's permanent placement in the Trough of Disillusionment does not mean that it is obsolete.” July 2003
  - Marketing Hype/Spin vs. Real World
Buyer Beware
Things to consider prior to purchase
  Hardware != Security
  Salespersons = Lies
  Lab Results != Real World Results
  “The Devil is in the details”, contract details
  Bleeding Edge vs. Cutting Edge
1.0 Why use IDS?
Protect the AIC of Assets
Outsider Threats –
  Hackers/Crackers want what you have
  Bandwidth, CPU cycles, Data
  Malicious acts – Denial of Service, Defacement, etc
  Corporate Espionage/Sabotage
Insider Threats –
  Disgruntled employees, work errors
  Insider Threat Fallacy
1.1 Why Use IDS?
Legal Requirements
  Must Demonstrate Due Care/Due Diligence
  3rd party auditing > controls
  SOX – Sarbanes Oxley requires audit trail
  Increasing privacy legislation
    GLBA, HIPAA, California Laws (SSN, Notification)
1.2 Why Use IDS?
Benefits of IDS
  Detection of ongoing attacks
  Prevention of pending attacks
  Enforce company policies
  Valuable forensic data
Shortcomings of IDS
  Zero Day Attacks, False Positives, Monitoring Costs
Cost/Benefit Analysis, Avoid “Mgmt Think”
2.0 IDS 101
Primary goal of IDS is to detect when computer/network resources are under attack
Properly functioning systems exhibit the following traits (Denning):
  Actions of users/processes conform to statistically predictable patterns (data theft)
  Actions of users/processes do not include commands used to subvert security (attack tools)
  Actions of processes function according to specifications (rootkits)
2.1 IDS 101
A good IDS should do the following:
  Detect a wide variety of intrusions
    Originating from both outside and inside the network. Both known and unknown attacks should be detected.
  Detect intrusions in a timely fashion
  Present data in an easy to understand format
  Be Accurate
    Limit false positives and false negatives
2.2 IDS 101
IDS Modeling Theory
Anomaly detection – compares against expected values, reports mismatches
  Thresholding – (m < Normal Metrics < n)
  Statistical Moments – mean & std deviation over time using forward weighting (IDES)
  Markov Model – State transitions/histories based on sequences of commands and not single events (TIM)
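As an added illustration (not part of the slides), the Python below sketches two of the anomaly-detection techniques just listed: a fixed threshold band (m < metric < n) and IDES-style statistical moments with forward (exponential) weighting, run over a constructed hourly failed-login series. The decay factor, the 3-sigma band, the warm-up and the standard-deviation floor are my assumptions.

```python
from math import sqrt

# Constructed sample (not real data): failed logins per hour for one account. The
# final value is the spike a statistical-moments detector should report.
FAILED_LOGINS = [2, 1, 3, 2, 2, 3, 1, 2, 3, 2, 1, 2, 2, 3, 2, 1, 2, 3, 2, 2, 1, 2, 3, 40]


def threshold_check(value, m, n):
    """Thresholding as on the slide: the metric is normal only while m < value < n."""
    return not (m < value < n)


class ForwardWeightedMoments:
    """Mean and standard deviation with exponential forward weighting (decay < 1):
    each new observation counts fully and older ones fade, so the profile follows
    slow drift in behaviour, the idea behind the IDES statistical model."""

    def __init__(self, decay=0.9):
        self.decay = decay
        self.sum_w = self.sum_x = self.sum_x2 = 0.0

    def update(self, x):
        self.sum_w = self.decay * self.sum_w + 1.0
        self.sum_x = self.decay * self.sum_x + x
        self.sum_x2 = self.decay * self.sum_x2 + x * x

    def mean(self):
        return self.sum_x / self.sum_w

    def std(self):
        var = self.sum_x2 / self.sum_w - self.mean() ** 2
        return sqrt(max(var, 0.0))


def detect_anomalies(series, decay=0.9, k=3.0, warmup=5, std_floor=0.5):
    """Return the indices whose value lies more than k weighted std devs from the
    weighted mean. Each value is tested before it updates the profile, so an
    outlier cannot hide itself; the floor keeps a flat baseline from yielding a
    zero-width band, and the warm-up skips judgements on too little history."""
    profile = ForwardWeightedMoments(decay)
    flagged = []
    for i, x in enumerate(series):
        if i >= warmup:
            band = k * max(profile.std(), std_floor)
            if abs(x - profile.mean()) > band:
                flagged.append(i)
        profile.update(x)
    return flagged


if __name__ == "__main__":
    print("threshold 0 < x < 10 flags 40:", threshold_check(40, 0, 10))
    print("statistical moments flag indices:", detect_anomalies(FAILED_LOGINS))
```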
2.3 IDS 101
IDS Modeling Theory Continued
Misuse detection – determines whether a sequence of instructions violates security (rule-based detection)
  Requires extensive knowledge of vulnerabilities
  Unknown attacks or variations of existing attacks
2.4 IDS 101
IDS Modeling Theory Continued
Specification-based detection – determines if a sequence of instructions violates a specification of a program or system
  Based on known good states
  Example – rdist remote root exploit
2.5 IDS 101
IDS Components
  Sensor (Agent) – collects raw data
  Analysis Engine (Director) – preprocessing, anomaly and/or rule-based detection
  Alerting Engine (Notifier) – takes predefined action like alarming, logging, or ignoring
  Monitoring & Mgmt interface (Director)
2.6 IDS 101
Types of IDS
Network IDS (NIDS)
  Promiscuous Mode – layer 2
  Signature based – known bad/good traffic
    Protocol & Payload analysis
  Anomaly based (heuristics) – baseline profile
    Learning algorithm & predefined
2.7 IDS 101
Host-based IDS (HIDS)
  File/OS Integrity
  Log Parsing
  System Calls (Kernel Hooks)
  Host Specific Rules
  Resource impact & Compatibility issues
Distributed IDS (DIDS)
  Central Mgmt, combined NIDS & HIDS
  Agent Autonomy (AAFID)
2.8 IDS 101
Active vs. Passive IDS
Passive = monitoring only
  Stealth Mode
Active Response
  Rule triggers response on firewall/router
Inline – Intrusion Prevention System
  Direct packet manipulation/blocking
  Point of Failure/Adds Latency
  Many modes (i.e. Non-Blocking)
3. Design and Implementation
Network Placement
Tapping
Centralize Management
Installation
3.1 Design and Implementation
Network Placement
Consider most critical assets
  Outside Perimeter
  Inside Perimeter
  Application/Server specific zones
  Remote & Vendor Access/Wireless zones
  HIDS on all mission critical servers
3.2 Design and Implementation
3.3 Design and Implementation
Connection Strategies
Hub
  Simple & Cheap, SOHO
  Poor performance, high MTTF
3.4 Design and Implementation
Connection Strategies Continued
Switch, SPAN port
  No additional hardware, software change
  Limited span ports, backplane bandwidth
  No visibility to packet errors
3.5 Design and Implementation
Connection Strategies Continued
Hardware Tap
  Expensive, requires additional NIC
  Fault tolerant to power failures
  No traffic flow impact
3.6 Design and Implementation
Appliance installation
  Test first, make install notes
  Change default passwords, remove vendor access
  Verify surveillance network connectivity
  Configure to corporate standards
  Connect to mgmt server
  Apply relevant patches
  Update signatures
  Break-In period
3.7 Design and Implementation
Snort Installation
Hardware Selection
  Dependent on network and requirements
  CPU, memory, network card, storage
OS Selection
  Cost/Support Contracts/Company rules
  Linux, Solaris, BSD, even Windows & OS X
  Go with what you know
3.8 Design and Implementation
OS Hardening
Don’t install GUI or unnecessary services
  KDE/GNOME and Development
  Games/Multimedia/Office Applications
  Help and Support Docs
Kernel tuning, remove devices not used
  Remove virtual consoles (tty<x>)
  Remove the compiler
3.9 Design and Implementation
Other Options
Secure Linux Distros
  SELinux, Bastille, Immunix, Knoppix, Phlack
Live CDs
  Distrowatch.com, Auditor > Backtrack
VMWare – virtual appliances
3.10 Design and Implementation
Snort installation
Libpcap and Libpcre required
Apache/MySql, PostgreSql, Oracle, MS-SQL
From source
  tar -zxvf <package>; uncompresses files
  ./configure; script that determines your environment
  make; compiles code from makefile
  make install; distributes binaries to directory
3.11 Design and Implementation
Installing via Package Manager
  >apt-get install snort (debian)
  >up2date -i snort (redhat)
  >yum install snort (rpm)
  >yast -i <rpm_path> (suse)
  >pkg_add/pkgadd <source_path> (bsd, solaris)
  >emerge snort (gentoo)
Nice site http://rpmfind.net/
3.12 Design and Maintenance
Install Questions?
Which interface will snort listen on
  eth0, bond0, int0
  Channel Bonding
Specify Trusted or Home network range
  192.168.0.0/16, Any
Who should receive daily mails
  root@localhost, etc
3.13 Design and Maintenance
Download rules
VRT Rule base
  http://www.snort.org/pub-bin/downloads.cgi
Bleeding-Snort Rule base
  http://www.bleedingthreats.net/rules/
Disable unnecessary rules
Example Classes:
  Backdoor, bad-traffic, chat, dos, ddos, dns, exploit, finger, ftp, icmp, imap, local, mysql, netbios, oracle, p2p, policy, pop3, porn, rpc, scan, shellcode, smtp, Sql, telnet, tftp, virus, web-attacks
3.14 Design and Implementation
Edit /etc/snort/snort.conf
  Define variables
    HTTP_PORTS, EXTERNAL_NET, etc
  Define path to rules, select rule libraries
  Select Pre-Processors, stream4_reassemble
  Output-Plugins -> Mysql
Test snort
  >snort -T -c /etc/snort/snort.conf
3.15 Design and Implementation
Important Command-Line switches
  -A <alert> full, fast, or none
  -b logs in tcpdump format
  -c specifies snort.conf
  -D daemon mode
  -i interface
  -l logging directory
  -T testing mode
3.16 Design and Implementation
Preprocessors
Stream4 is very powerful
  Detect_scans, non-normal TCP handshakes
  Detect_state_problems, MS issues
  Evasion_alerts, overlapping segments, syn data
  Ttl_limit, session limit on ttl values
Frag2 – rebuilds fragments, detects frag dos
http_inspect – normalizes URLs, directory traversal, apache/iis profile
3.17 Design and Implementation
Success
4.0 Signatures
Match patterns in network traffic
Snort Signature Structure
  Rule Header: Rule Action, Protocol, Source IP, Dest IP
  Rule Body
4.1 Signatures
Rule Action
  Alert, Log, Pass, Activate, Dynamic
Rule Ordering
  Alert > Pass > Log
  Most specific rule fires
    Port or IP information
    URI content > content
    Longer Strings
    ICMP itype
  Same rule, whichever is first
4.2 Signatures
Rule Actions Continued
Activate/Dynamic are being phased out
  activate tcp any any -> any 143 (content:"|E8CC0FFFFFF|/bin"; activates:1;)
  dynamic tcp any any -> any 143 (activated_by:1; count:5;)
Tagging
  alert tcp any any -> any 23 (tag:session,10,seconds;)
  Tag: <type>, <count>, <metric>, [direction]
4.3 Signatures
Rule Content
MSG
  alert tcp any any -> any 12345 (msg:"Test Message";)
ASCII Content, nocase
  alert tcp any any -> any any (content:"/etc/passwd"; nocase; msg:"/etc/passwd Accessed";)
Binary Content
  alert tcp any any -> any any (content:"|0000 0101 EFF|"; msg:"Searching for Binary data";)
4.4 Signatures
Rule Content Continued
Depth Option
Offset Option
Flow Control Option
  alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR NetBus Pro 2.0 connection established"; flow:from_server,established; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8;)
4.4 Signatures
Rule Content Continued
PCRE – Perl Compatible Regular Expression
Syntax
  pcre:[!]"(/<regex>/|m<delim><regex><delim>) [ismxAEGRUB]";
Sample
  alert tcp any any -> any 23 (content:"snort"; pcre:"/\s+\d+\.\d+.\d+/R";)
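To make the content, nocase, depth, offset and pcre options from the last three slides concrete, here is an added Python matcher (my code, not Snort's) that evaluates those options from the /etc/passwd, NetBus Pro and pcre rules above against constructed payloads. It ignores the rule header and the flow option, and implements the pcre R modifier as Snort documents it: the regex search starts where the last content match ended.

```python
import re

# Rules copied from the slides: /etc/passwd (nocase), NetBus Pro backdoor (depth/offset), pcre sample.
PASSWD_RULE = 'alert tcp any any -> any any (content:"/etc/passwd"; nocase; msg:"/etc/passwd Accessed";)'
NETBUS_RULE = (
    'alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR NetBus Pro 2.0 connection '
    'established"; flow:from_server,established; content:"BN|10 00 02 00|"; depth:6; '
    'content:"|05 00|"; depth:2; offset:8;)'
)
PCRE_RULE = r'alert tcp any any -> any 23 (content:"snort"; pcre:"/\s+\d+\.\d+.\d+/R";)'

# Constructed payloads (not real captures): bytes that fit the NetBus rule exactly, and the
# same bytes with the second pattern pushed two bytes past offset 8 so depth:2 misses it.
NETBUS_HELLO = b"BN\x10\x00\x02\x00\x00\x00\x05\x00"
NETBUS_SHIFTED = b"BN\x10\x00\x02\x00\x00\x00\x00\x00\x05\x00"

PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def split_options(rule):
    """Return the (key, value) pairs of the rule body, splitting on ';' only outside quotes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    fields, cur, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    pairs = []
    for raw in fields + [cur]:
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(":")
            pairs.append((key.strip(), val.strip().strip('"')))
    return pairs


def content_bytes(value):
    """Convert Snort content syntax to bytes: text is literal, |..| sections are hex."""
    out = b""
    for i, piece in enumerate(value.split("|")):
        # Even pieces are literal text, odd pieces are hex byte lists such as "10 00 02 00".
        out += bytes.fromhex(piece) if i % 2 else piece.encode("latin-1")
    return out


def rule_matches(rule, payload):
    """Evaluate content/nocase/depth/offset/pcre options against a packet payload.

    Header fields (protocol, addresses, ports) and flow: are ignored here; a real
    sensor checks them before the payload is ever inspected.
    """
    contents, pcre = [], None
    for key, val in split_options(rule):
        if key == "content":
            contents.append({"pattern": content_bytes(val), "offset": 0, "depth": None, "nocase": False})
        elif key in ("offset", "depth") and contents:
            contents[-1][key] = int(val)          # modifier applies to the preceding content
        elif key == "nocase" and contents:
            contents[-1]["nocase"] = True
        elif key == "pcre":
            pcre = val

    last_end = 0                                  # where the most recent content match ended
    for c in contents:
        start = c["offset"]
        # depth limits the search window, counted from offset (0 when no offset is given).
        window = payload[start:] if c["depth"] is None else payload[start:start + c["depth"]]
        hay, needle = (window.lower(), c["pattern"].lower()) if c["nocase"] else (window, c["pattern"])
        idx = hay.find(needle)
        if idx < 0:
            return False
        last_end = start + idx + len(needle)

    if pcre is not None:
        regex, _, mods = pcre[1:].rpartition("/")   # value looks like /<regex>/<modifiers>
        flags = 0
        for m in mods:
            flags |= PCRE_FLAGS.get(m, 0)
        # R: begin the regex search where the last content match ended, not at byte 0.
        search_from = last_end if "R" in mods else 0
        if re.compile(regex.encode("latin-1"), flags).search(payload, search_from) is None:
            return False
    return True


if __name__ == "__main__":
    for rule, payload in ((NETBUS_RULE, NETBUS_HELLO), (NETBUS_RULE, NETBUS_SHIFTED),
                          (PASSWD_RULE, b"GET /ETC/Passwd HTTP/1.0"),
                          (PCRE_RULE, b"Welcome to snort 2.4.3"), (PCRE_RULE, b"2.4.3 snort")):
        print(rule_matches(rule, payload), payload)
```

The shifted NetBus payload and the "2.4.3 snort" banner show why depth/offset and the R modifier matter: the same bytes are present, but not where the rule requires them.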
4.5 Signatures
Rule Content Continued
IP, TCP, ICMP options
SID Values
  < 100 is future use
  100 <> 1,000,000 VRT
  > 1,000,000 custom rules
Rev Number, Severity, Classtype, References
  alert tcp any any -> any 31337 (rev:2; priority:1; msg:"Netbus Detected"; classtype:trojan-activity; reference:CVE,CAN-2002-1010; reference:URL,www.poc2.com;)
5.0 Monitoring & Maintaining
Preparation
Identification
Containment & Eradication
Recovery & Follow-up
Maintaining
5.1 Monitoring & Maintaining
Preparation
  Define procedures & policies first
  Know the network, Know the assets
  Establish a standard toolkit
  Contact lists are crucial
  Security specific training
5.2 Monitoring & Maintaining
Identification
What is an incident?
  Unauthorized Access
  Malicious Code – Viruses/Worms/Spyware
  Denial of Service
  Data Theft/Misuse
Passive vs. Active monitoring
  Passive tool – Honeypots
  Attacker goals unknown
  Document everything
5.3 Monitoring & Maintaining
Containment & Eradication
Limit damage, Stop attack
  Firewall rules, router acls, mail & web filtering
  Isolate networks, disconnect machines
  Patching, Cleaning, & Reimaging
Recovery & Follow-up
  100% Normal operations
  RCA and reporting
5.4 Monitoring & Maintaining
Snort Monitoring Tools
  Acid, Base, Sguil, SnortSnarf, Aanval, OSSIM
Ideal Features
  Stable & Accurate
  Streaming Alerts
  Trending of data
  Correlation of data
  Raw data and/or payload information
  Report capability
5.5 Monitoring & Maintenance
Keeping your sensors up to date
  Trusted sources & File integrity
  Automatic backups and updates
Updating Rules
  Merging vs. Overwriting
  Oinkmaster/IDSCenter
  Testing rules
  Change control
  Security Mailing lists
6.0 Skills and Tools
Staged Hack Scenario
Packet Capturing/Sniffing
  Tcpdump, Wireshark (Ethereal)
6.1 Skills and Tools
Basic Network Reconnaissance
  Ping, traceroute, nslookup – Cyberkit
6.2 Skills and Tools
Whois – Arin, Ripe, Apnic, Lacnic, Afrinic
Google hacking
6.3 Skills and Tools
Nmap – Port/OS enumeration
  nmap -sS -O -T5 -F -P0 <host or ip>
  telnet host port
6.4 Skills and Tools
Nessus – Vulnerability Scan
6.5 Skills and Tools
Metasploit – Exploit Tool
7.0 Legal Issues
Internally
  Policy is key, must be available and understood
  Letter of Authorization
  Be aware of Chain of Custody
  Uniform monitoring of traffic/logs
  Consult Legal department
7.1 Legal Issues
Wiretap Act – real-time interception
Pen/Trap Act – real-time headers
  Pen Registers & Trap\Trace devices
ECPA – stored emails, voicemails
  Requires consent, court order/subpoena
  Providers/Sys Admin Exception
  Computer Trespasser Exception
Sox – data retention – ISO17799
7.2 Legal Issues
Reporting to LEA
  5K in damages, includes response and restoration
  Local Law Enforcement
  FBI, infragard.net, RCFL
  Secret Service
  DHS Hotline, infrastructure
  Cybercrime.gov
8.0 Future & Conclusion
Current Trends
  IDS/IPS moving towards SIM
  More integration, DPI firewalls
  Security at the switch/host – NAC
  Wireless IDS
Further Reading
  Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Newsham/Ptacek
  http://crypto.stanford.edu/cs155/IDSpaper.pdf
Great Resources
  http://www-static.cc.gatech.edu/~wenke/ids-readings.html
  http://www.snort.org/docs/
8.1 Future & Conclusion
Summary – Key Concepts
  IDS Modeling Theory
  IDS Placement & Implementation
  IDS Monitoring & Maintaining
  Effective AIC Tool
Questions?
References
Beale, Jay (2004). “Snort 2.1 Intrusion Detection, 2nd Edition”. Syngress Publishing, Rockland, MA.
2006 CSI/FBI Computer Crime and Security Survey. Available from http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf
Bishop, Matt (2005). “Introduction to Computer Security”. Addison Wesley, Boston, MA.
Laing, Brian (2000). “How To Guide for implementing NIDS”. Internet Security Systems, http://www.snort.org/docs/iss-placement.pdf