Intrusion Detection Systems

An IDS is any combination of hardware and software that monitors a system or network for malicious activity.

Examples of IDSs in real life:
- Car alarms
- Fire detectors
- House alarms
- Surveillance systems

Polytechnic University Introduction 1
Why IDS

Can be detected:
- Mapping
- Port scans
  - Tens of thousands of packets
- TCP stack scans
  - Hundreds of thousands of packets
- "Deep Packet Inspection"

Many organizations deploy IDS systems:
- Provide warnings to network administrator
  - Administrator can then improve network's security
  - Vigorous investigation could lead to attackers

There are host-based and network-based IDS systems. Focus here on network-based.
IDS sensors

[Figure: network diagram showing where IDS sensors sit; labels: application gateway, internal network, Web server, FTP server, firewall, Internet, DNS server, demilitarized zone; legend: = IDS sensor]

Underlying OS needs to be hardened: stripped of unnecessary network services.
False Alarms

- False positive: normal traffic or benign action triggers alarm
  - Example: fire alarm if wrong password is entered; benign user makes a typo
- False negative: alarm is not fired during attack
Efficiency of IDS system

- Accuracy: low false positive and false negative rates
- Performance: the rate at which traffic and audit events are processed
  - To keep up with traffic, may not be able to put IDS at network entry point
  - Instead, place multiple IDSs downstream
- Fault tolerance: resistance to attacks
  - Should be run on a single hardened host that supports only intrusion detection services
- Timeliness: time elapsed between intrusion and detection
Signature-based IDS

Sniff traffic on network
- border router or multiple sensors within a LAN

Match sniffed traffic with signatures
- attack signatures in database
- signature: set of rules pertaining to a typical intrusion activity
  - Simple example rule: any ICMP packet > 10,000 bytes
  - Example: more than one thousand SYN packets to different ports on same host under a second
- skilled security engineers research known attacks; put them in database
- can configure IDS to exclude certain signatures; can modify signature parameters

Warn administrator when signature matches
- send e-mail, SMS
- send message to network management system
Limitations to signature detection

- Requires previous knowledge of attack to generate accurate signature
  - Blind to unknown attacks
- Signature bases are getting larger
  - Every packet must be compared with each signature
  - IDS can get overwhelmed with processing; can miss packets
Anomaly Detection IDS

- Observe traffic during normal operation
- Create normal traffic profile
- Look for packet streams that are statistically unusual
  - e.g., inordinate percentage of ICMP packets or exponential growth in port scans/sweeps
- Doesn't rely on having previous knowledge of attack
- Research topic in security
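As an added illustration of the profile-then-deviate idea (not from the slides), the block below builds a baseline of each protocol's share of traffic from constructed normal windows and flags a window in which a protocol's share, such as ICMP, is inordinately high; the window counts, the standard-deviation floor and the 3-sigma threshold are assumptions.

```python
from statistics import mean, pstdev

# Constructed baseline: packet counts per protocol in successive windows of normal traffic.
NORMAL_WINDOWS = [
    {"tcp": 940, "udp": 50, "icmp": 10},
    {"tcp": 910, "udp": 70, "icmp": 20},
    {"tcp": 960, "udp": 30, "icmp": 10},
    {"tcp": 930, "udp": 55, "icmp": 15},
    {"tcp": 950, "udp": 40, "icmp": 10},
]

def shares(window):
    """Fraction of the window's packets carried by each protocol."""
    total = sum(window.values()) or 1
    return {proto: n / total for proto, n in window.items()}

def build_profile(windows):
    """Normal traffic profile: mean and standard deviation of each protocol's share."""
    protos = {p for w in windows for p in w}
    profile = {}
    for p in protos:
        values = [shares(w).get(p, 0.0) for w in windows]
        # Floor on sigma (assumed) so a very flat baseline does not alert on tiny changes.
        profile[p] = (mean(values), max(pstdev(values), 0.005))
    return profile

def anomalous_protocols(window, profile, k=3.0):
    """Protocols whose share in this window exceeds the baseline mean by more than k sigma."""
    current = shares(window)
    return sorted(p for p, (mu, sigma) in profile.items()
                  if current.get(p, 0.0) > mu + k * sigma)

PROFILE = build_profile(NORMAL_WINDOWS)
```

A window that keeps roughly the baseline mix is reported as empty, while an ICMP flood shows up as the single protocol whose share left the profile.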
IDS evasion: "spy vs. spy"

- Attackers do not want to be detected by IDS
  - Often attackers are intimately familiar with the popular IDS products and their weaknesses
- Idea: manipulate attack data
  - Active area of research in attack community
  - Example: port scan stretched out over long period of time, with different source IP addresses
- Most common approach: fragmentation
  - To detect malicious activity, IDS must capture, store, and analyze fragments.
  - Many fragment streams spread out over long period of time => IDS must have large buffers
    - Requires significant memory and processing power
IDS evasion: fragmentation

- Send a flood of fragments
  - Send so many fragments that IDS system saturates.
  - Once saturated, IDS will not be able to detect a new attack
- Fragment packets in unexpected ways
  - Such that the IDS does not understand how to properly reassemble the attack packets
IDS evasion tool: Fragrouter

[Figure: attack system (e.g., nmap) -> attack obfuscation (fragrouter) -> Internet -> IDS -> target]

- Runs on Unix/Linux systems
- Provides over 35 different schemes for fragmenting flow of data
- Separates attack functionality from the fragmentation functionality
Some fragmentation types in Fragrouter

- Sends data in ordered 8-byte fragments
- Sends data in ordered 24-byte fragments
- Sends data in ordered 8-byte fragments with one fragment out of order
- Complete TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte fragments
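An added example (not from the slides or from Fragrouter) of why the sensor must buffer and reassemble: the page's .ida? signature is split across ordered 8-byte fragments, so matching each fragment on its own misses it, while reassembly, including out-of-order delivery, recovers it and also exposes overlapping pieces. The Fragment class, the byte-offset framing and the sample request are constructed stand-ins for real IP fragments.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int     # byte offset of this piece within the original datagram
    data: bytes
    more: bool      # True unless this is the last piece (the IP "more fragments" flag)

def fragment(payload, size):
    """Split a payload into ordered fragments of `size` bytes (constructed stand-in for IP fragmentation)."""
    pieces = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [Fragment(i * size, p, i < len(pieces) - 1) for i, p in enumerate(pieces)]

def reassemble(fragments):
    """Rebuild the datagram from fragments received in any order.
    Returns None while a piece is still missing (the sensor must keep buffering);
    raises on overlapping pieces, which a sensor should treat as suspicious in itself."""
    expected, out, last_seen = 0, bytearray(), False
    for f in sorted(fragments, key=lambda f: f.offset):
        if f.offset < expected:
            raise ValueError("overlapping fragment at offset %d" % f.offset)
        if f.offset > expected:
            return None              # gap: an earlier piece has not arrived yet
        out += f.data
        expected += len(f.data)
        last_seen = last_seen or not f.more
    return bytes(out) if last_seen else None

SIGNATURE = b".ida?"                 # the uricontent from the page's WEB-IIS rule
PAYLOAD = b"GET /default.ida?example HTTP/1.0\r\n"   # constructed sample request

def matches_per_fragment(fragments):
    """Naive sensor: inspects each fragment on its own."""
    return any(SIGNATURE in f.data for f in fragments)

def matches_after_reassembly(fragments):
    """Sensor that buffers and reassembles before matching."""
    data = reassemble(fragments)
    return data is not None and SIGNATURE in data
```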
Snort

- Popular open source IDS
  - 200,000 installations
- Enhanced sniffer
  - Runs on Linux, Unix, Windows
  - Generic sniffing interface libpcap
  - Can easily handle 100 Mbps of traffic
- Signatures
  - Written and released by Snort community within hours
  - Anyone can create
  - Largest collection of signatures for IDS

Good book: Intrusion Detection with Snort, by Jack Koziol

[Figure: typical setup: firewall -> hub -> snort sensor -> internal network]
Snort deployment

[Figure: firewall -> hub -> snort sensor -> internal network, with a unidirectional sniffing cable from the hub to the sensor; and firewall -> switch -> internal network, with the snort sensor attached to the switch's SPAN port]

Switch SPAN port:
- provides monitoring for net admin & security
- switch copies all traffic to SPAN port
- can select which switch ports get copied
- approach doesn't require introduction of new hub
- no need for unidirectional cable
Distributing traffic to multiple sensors

- Large organizations often have Gbps backbone
- Snort with full rule set cannot handle all traffic
  - Packets can get dropped; attacks go undetected
- Solutions:
  - Put sensors on different 100 Mbps segments
  - Or, multiple sensors on backbone; each sensor processes different range of destination IP addresses
- Tempting to tune Snort by trimming rules
snort.conf

Example:

    var HOME_NET 193.152.1.1/24
    var EXTERNAL_NET !193.152.1.1/24
    var HTTP_SERVERS 193.152.1.17
    var HTTP_PORTS 80 8080
Snort rule examples

    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8;)

- Rule generates alert for ICMP having empty payload, ICMP type 8, and arriving from the outside. This is part of an NMAP ping.

    alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DOS SMBdie attack"; flags:A+; content:"|57724c6568004577a|";)

- Rule generates alert if a TCP packet from outside contains |57724c6568004577a| in payload and is headed to port 139 (netbios) for some internal host. This is part of a buffer overflow attack on a computer running Server Message Block service.
Snort rule examples (2)

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+;)

- Rule generates alert for packet heading to Web server with .ida? in URL in GET message
- Buffer overflow attack that allows attacker to take over server.
Snort rule files

- chat.rules
- ddos.rules
- ftp.rules
- multimedia.rules
- p2p.rules
- porn.rules
- virus.rules
Snort Rule Writing

Example: Cross-site scripting (XSS):
- Web site allows scripts to be inserted into dynamically created Web page. Can wreak havoc.
- Look out for HTTP requests containing <SCRIPT>
- Might first try:

    alert tcp any any -> any any (content:"<SCRIPT>"; msg:"XSS attempt";)

  - triggers many false positives: e.g., e-mail message with JavaScript
- Then try:

    alert tcp $EX_NET any -> $HTTP_SRVS $HTTP_PRTS (content:"<SCRIPT>"; msg:"XSS attempt"; nocase;)
Snort Rule Syntax

- Rule is a single line
  - Rule header: everything before parenthesis
  - Rule option: what's in the parenthesis

Syntax for rule header:

    rule_action protocol src_add_range src_prt_range dir_operator dest_add_range dest_prt_range

Example:

    alert tcp 192.168.1.0/24 1:1024 -> 124.17.8.1 80

- rule actions: alert, log, drop
- protocol: tcp, udp, icmp
- direction: -> and <>
- src, dest port ranges: e.g., 1:1024 as in the example
Snort Rule Syntax (2)

Syntax for rule option:
- One or more option keywords
  - separated by semi-colons
- Example:

    (msg:"XSS attempt"; content:"<SCRIPT>"; nocase;)

Content-related keyword examples:
- content:"smtp v2"; (ASCII)
- content:"|0f 65 a7 7b|"; (binary)
- uricontent:".ida?";
- content-list:"inappropriate_content.txt";
- nocase;
- offset:20; (start at byte 20 in payload)
- depth:124; (stop at byte 124 in payload)
Snort Rule Syntax (3)

IP-related keyword examples:
- ttl:<5;
- id:2345; (id field, used for fragments)
- fragoffset:0;
- dsize:>500; (payload size)
- ip_proto:7;

ICMP-related keyword examples:
- itype:8;
- icode:3;
Snort Rule Syntax (4)

TCP-related rules:
- flags:A+; (ACK flag)
- flags:FUP; (FIN, Urgent, or Push flag)
  - + : alert if specified bit is discovered, in addition to at least one other
  - ! : alert if any of the specified bits is not set
- seq:12345432; ack:54321234;

Response examples:
- msg:"christmas tree attack";
- logto:"new_rule.log"; (logs packet when match occurs)
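To tie the header and option syntax of the last four slides together, the block below is an added, simplified matcher (not Snort's own code) that parses rules written the way these slides write them and evaluates them against packet dicts; the variable values, the hex content and the packets are constructed, and it handles one content keyword per rule with -> direction only.

```python
import re, ipaddress

# Variables as in the page's snort.conf example (the HTTP_SERVERS host and single port are constructed).
VARS = {"$HOME_NET": "193.152.1.0/24", "$EXTERNAL_NET": "!193.152.1.0/24",
        "$HTTP_SERVERS": "193.152.1.17", "$HTTP_PORTS": "80"}

def parse_rule(rule):                               # header fields, then (keyword, value) options
    head, _, opts = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    options = [(k, v.strip('"')) for k, v in re.findall(r'(\w+)\s*:?\s*("[^"]*"|[^;"]*)\s*;', opts)]
    return dict(action=action, proto=proto, src=src, sport=sport, dir=direction, dst=dst, dport=dport, options=options)

def match_addr(spec, ip):                           # "any", CIDR or single host, "!" negation, $VAR
    spec = VARS.get(spec, spec)
    if spec.startswith("!"):
        return not match_addr(spec[1:], ip)
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def match_port(spec, port):                         # "any", "80", "1:1024", ":1024", "1024:"
    spec = VARS.get(spec, spec)
    lo, sep, hi = spec.partition(":")
    low = int(lo) if lo and lo != "any" else 0
    return low <= port <= (int(hi) if hi else (65535 if sep or spec == "any" else low))

def decode_content(s):                              # expand |hex| sections such as "|0f 65 a7 7b|" into raw bytes
    parts = re.split(r"\|([0-9a-fA-F ]*)\|", s)
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def compare(spec, n):                               # dsize-style value: "0", ">239" or "<5"
    return n > int(spec[1:]) if spec[0] == ">" else n < int(spec[1:]) if spec[0] == "<" else n == int(spec)

def flags_match(spec, have):                        # "A+": listed bits set, others allowed; "!A": none set; "FUP": exactly
    mod = "+" if "+" in spec else "!" if "!" in spec else ""
    want, got = set(spec.strip("+!")), set(have)
    return want <= got if mod == "+" else not (want & got) if mod == "!" else want == got

def rule_matches(rule, pkt):                        # -> direction only; one content per rule, as on the slides
    o, payload = dict(rule["options"]), pkt.get("payload", b"")
    if rule["proto"] != pkt["proto"] or not (match_addr(rule["src"], pkt["src"]) and match_port(rule["sport"], pkt["sport"])
                                             and match_addr(rule["dst"], pkt["dst"]) and match_port(rule["dport"], pkt["dport"])):
        return False
    ok = ["dsize" not in o or compare(o["dsize"], len(payload)),
          "itype" not in o or pkt.get("itype") == int(o["itype"]),
          "flags" not in o or flags_match(o["flags"], pkt.get("flags", "")),
          "uricontent" not in o or o["uricontent"].lower() in pkt.get("uri", "").lower()]  # URI compared case-insensitively
    if "content" in o:                              # offset/depth bound the search window within the payload
        hay = payload[int(o.get("offset", 0)):][:int(o.get("depth", len(payload)))]
        needle = decode_content(o["content"])
        ok.append(needle.lower() in hay.lower() if "nocase" in o else needle in hay)
    return all(ok)
```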