Description: CSCI 530 Lab, Intrusion Detection Systems (IDS). PowerPoint PPT presentation.
CSCI 530 Lab
Intrusion Detection Systems
IDS
IDS
- A collection of techniques and methodologies used to monitor suspicious activities, both at the network and the host level
- It is not a firewall
- It inspects the content and intent of the network traffic
IDS
- Additional level of security in the network
  - Firewalls will prevent attacks; an IDS is more like an alarm system
- It will perform actions like alerting, logging, etc. upon detection
- It can be configured to make changes in the firewall rules upon detection of attacks
- Can help detect attacks that pass through the firewall
- Protection from the insiders
IDS
- Deployed with multiple sensors at various locations on the network
- Report to a centralized management console
- A sensor monitors traffic, matches it against the rule sets and raises alerts, logs it or takes some other action
- A rule set contains traffic signatures or rules for unwanted behavior
  - Rules check for threshold, protocol, IP source and destination
  - Signatures are traffic patterns associated with an attack
IDS
[Figure: Hack I.T.: Security Through Penetration, fig. 19.2]
Host Based IDS
- Log Monitors
  - Parse system event log files
  - Example: Apache access log file, check for "cgi-bin"
- Integrity Checkers
  - Check key system structures for changes: system files, registry keys
  - Tripwire
  - File additions, deletions, flag modifications, access time, etc.
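Both host-based techniques on this slide are small enough to show in working code. The block below is an added example for these notes, not code from the CSCI 530 slides or from Tripwire: `log_monitor` parses constructed Apache access-log lines and flags requests mentioning `cgi-bin`, and `snapshot`/`compare` implement a Tripwire-style integrity check over a constructed temporary file tree (hash, size and mode per file; the file names and contents are made up for the demonstration).

```python
"""Host-based IDS building blocks: an Apache log monitor and a file
integrity checker. Added example, not from the CSCI 530 slides; all log
lines and files are constructed here, nothing is read from the real system."""
import hashlib
import os
import re
import tempfile

# Constructed Apache combined-format access log lines.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.0"
10.0.0.9 - - [10/Oct/2000:13:55:40 -0700] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 209 "-" "Mozilla/4.0"
10.0.0.9 - - [10/Oct/2000:13:55:41 -0700] "GET /cgi-bin/test-cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.7 - - [10/Oct/2000:13:56:02 -0700] "POST /login HTTP/1.0" 302 0 "-" "Mozilla/4.0"
"""

# Common Log Format prefix: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def parse_access_log(text):
    """Yield one dict per parseable access log line; skip malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, request, status, _size = m.groups()
        yield {"client": client, "time": ts, "request": request, "status": int(status)}


def log_monitor(text, pattern="cgi-bin"):
    """Log-monitor check from the slide: return (client, request) for every
    request line containing the pattern, case-insensitively."""
    needle = pattern.lower()
    return [(e["client"], e["request"]) for e in parse_access_log(text)
            if needle in e["request"].lower()]


def snapshot(root):
    """Integrity baseline: relative path -> (sha256 hex digest, size, mode)."""
    base = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            base[os.path.relpath(path, root)] = (digest, st.st_size, st.st_mode)
    return base


def compare(baseline, current):
    """Tripwire-style report: files added, deleted, or modified since the baseline."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "deleted": deleted, "modified": modified}


def integrity_demo():
    """Create a constructed file tree, baseline it, change it, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        for rel, data in (("etc/passwd", b"root:x:0:0::/root:/bin/sh\n"),
                          ("etc/hosts", b"127.0.0.1 localhost\n"),
                          ("bin_ls", b"\x7fELF constructed binary")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)
        # Three changes an integrity checker must report.
        with open(os.path.join(root, "etc/passwd"), "ab") as fh:
            fh.write(b"eve:x:0:0::/:/bin/sh\n")              # modified
        os.remove(os.path.join(root, "bin_ls"))                # deleted
        with open(os.path.join(root, "etc/ld.so.preload"), "wb") as fh:
            fh.write(b"/tmp/x.so\n")                           # added
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(log_monitor(SAMPLE_ACCESS_LOG))
    print(integrity_demo())
```

The baseline must be stored somewhere the monitored host cannot rewrite (read-only media or a remote management console), otherwise an intruder who alters a system file can alter the stored hash as well.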
Network Based IDS
- Signature based
  - Database of known signatures
  - Similar to virus signatures, but it looks for attack signatures
- Anomaly based
  - Form a baseline for a normal system
  - Raise an alarm when the system is no longer functioning under normal conditions
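The anomaly-based approach is easy to state and easy to get wrong in practice, so here is a minimal working version. This is an added example for these notes, not code from the slides or from any IDS product: the per-minute connection counts are constructed, the baseline is a mean and sample standard deviation, anything more than k standard deviations away is an alarm, and `adapt` shows one way to let the baseline follow gradual drift without learning from the very bursts it alarmed on.

```python
"""Anomaly-based network IDS in miniature: learn a baseline of normal
traffic volume, alarm on departures from it, and adapt the baseline over
time. Added example, not from the CSCI 530 slides; all counts are constructed."""
import statistics

# Constructed training window: connections per minute on a quiet segment.
TRAINING_COUNTS = [40, 42, 38, 45, 41, 39, 44, 43, 40, 46, 42, 41]

# Constructed observation window: minutes 3 and 4 hold a burst, minute 5 is
# merely busy and should stay inside the baseline.
OBSERVED_COUNTS = [41, 44, 39, 420, 385, 48, 40]


def build_baseline(counts, k=3.0):
    """Baseline = mean and sample standard deviation of the training window.
    Values further than k standard deviations from the mean are abnormal."""
    mean = statistics.mean(counts)
    stdev = statistics.stdev(counts)
    return {"mean": mean, "stdev": stdev, "k": k,
            "low": mean - k * stdev, "high": mean + k * stdev}


def detect(baseline, observed):
    """Return (index, value, z_score) for each sample outside the baseline."""
    alarms = []
    for i, value in enumerate(observed):
        z = (value - baseline["mean"]) / baseline["stdev"]
        if abs(z) > baseline["k"]:
            alarms.append((i, value, round(z, 1)))
    return alarms


def adapt(counts, observed, k=3.0, window=12):
    """Environment adaptation: fold the observations that did NOT alarm into
    the training window (dropping the oldest) so slow drift in normal traffic
    does not become a permanent stream of alarms. Alarmed samples are kept
    out on purpose, so a flood cannot 'teach' the baseline to accept floods."""
    alarmed = {i for i, _value, _z in detect(build_baseline(counts, k), observed)}
    counts = counts + [v for i, v in enumerate(observed) if i not in alarmed]
    return counts[-window:]


if __name__ == "__main__":
    base = build_baseline(TRAINING_COUNTS)
    print("normal range: %.1f .. %.1f" % (base["low"], base["high"]))
    for idx, value, z in detect(base, OBSERVED_COUNTS):
        print("ALARM minute %d: %d connections (z=%.1f)" % (idx, value, z))
    print("adapted window:", adapt(TRAINING_COUNTS, OBSERVED_COUNTS))
```

The choice of k is the whole trade-off: a small k catches subtler changes but turns every backup job and lunch-hour lull into an alert, which is why anomaly detection is usually run alongside, not instead of, signature matching.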
Network Based IDS Deployment
- It should have access to all the network data
- Alerts generation
- Response policy
- Environment adaptation
Hacking through the IDS
- Fragmentation or packet splitting
  - Throughput increases, consuming more resources and making the IDS less accurate
- Spoofing
  - Spoof the sequence number: sending random sequence numbers causes the IDS to be desynchronized from the source and to ignore the true packets
- Denial-of-Service
  - IDS software can only handle a limited amount of data
  - Break the IDS, then attack the network
SNORT, Open source IDS
- www.snort.org
- Components of Snort
  - Packet Decoder
  - Preprocessor
  - Detection Engine
  - Logging and Alerting System
  - Output Modules
[Diagram: packet flow from the Internet through the Packet Decoder, Preprocessor, Detection Engine, Logging and Alerting System and Output Modules to Output/Alert, with a separate Dropped Packets box]
Components of Snort: Packet Decoder
- It takes packets from different interfaces (Ethernet, PPP, SLIP) and prepares them for the other stages
Preprocessor
- Plugins that modify or set up data for the detection engine
  - Same example as before: GET /cgi-bin/subdirectory/../phf
  - It rearranges the data so that it is detectable by the IDS
- Packet defragmentation
  - If packets are too large, they get fragmented into smaller packets
  - These must be reassembled prior to analysis
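The two preprocessor jobs named here, rewriting the request so the signature can see it and reassembling fragments before analysis, are shown together below. This is an added example for these notes, not Snort's own preprocessor code: `normalize_uri` collapses `..` segments and `%xx` escapes, `reassemble` rebuilds a datagram from constructed `(offset, bytes)` fragments and refuses to hand over an incomplete one, and `inspect` runs both before matching the slide's `/cgi-bin/phf` signature, while `naive_inspect` shows what a matcher without these steps would miss.

```python
"""Snort-style preprocessing: HTTP path normalisation and fragment
reassembly ahead of signature matching. Added example, not Snort's own
code; the fragments and the signature are constructed for the demonstration."""
import posixpath
from urllib.parse import unquote

# Constructed signature: the cgi-bin example used on the slides.
SIGNATURE = b"/cgi-bin/phf"


def normalize_uri(path):
    """Decode %xx escapes and collapse '.', '..' and repeated slashes, so that
    '/cgi-bin/subdirectory/../phf' and '/cgi-bin/%70hf' both become
    '/cgi-bin/phf', the canonical form the signature is written against."""
    norm = posixpath.normpath(unquote(path))
    if norm.startswith("//"):           # normpath preserves a leading '//'
        norm = "/" + norm.lstrip("/")
    return norm


def reassemble(fragments):
    """Rebuild a datagram from (offset, bytes) fragments arriving in any order.
    Returns None while a hole remains: an incomplete datagram must not reach
    the detection engine as if it were whole."""
    buf = bytearray()
    for offset, chunk in sorted(fragments, key=lambda f: f[0]):
        if offset > len(buf):
            return None                 # gap: a fragment is still missing
        if offset < len(buf):           # overlap: keep bytes already accepted
            chunk = chunk[len(buf) - offset:]
        buf += chunk
    return bytes(buf)


def request_path(data):
    """Pull the path out of a 'METHOD path HTTP/x.y' request line."""
    parts = data.split(b" ", 2)
    return parts[1].decode("latin-1") if len(parts) >= 2 else ""


def naive_inspect(fragments):
    """A matcher with no preprocessing: each fragment searched on its own,
    bytes taken exactly as they arrived."""
    return "alert" if any(SIGNATURE in chunk for _, chunk in fragments) else "clean"


def inspect(fragments):
    """Full pipeline: reassemble, normalise the path, then match the signature."""
    data = reassemble(fragments)
    if data is None:
        return "incomplete"
    path = normalize_uri(request_path(data))
    return "alert" if SIGNATURE.decode() in path else "clean"


# Constructed fragments of one request, delivered out of order, with the
# path written in a non-canonical form that still resolves to /cgi-bin/phf.
FRAGMENTS = [
    (19, b"ectory/../phf HTTP/1.0\r\n\r\n"),
    (0, b"GET /cgi-bin/subdir"),
]

if __name__ == "__main__":
    print("without preprocessing:", naive_inspect(FRAGMENTS))
    print("with preprocessing:   ", inspect(FRAGMENTS))
```

Reassembly policy matters: when fragments overlap, different operating systems keep different bytes, and a preprocessor that resolves the overlap differently from the protected host will inspect a datagram the host never saw. Snort's target-based preprocessing exists to let the sensor be told which policy each host uses.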
Components of Snort: Detection Engine
- Most important part of the engine
- Uses the detection rules
- It is time dependent; its speed is governed by
  - Speed of the machine
  - Number of rules
  - Load on the network
- The Detection Engine applies rules to different parts of the packet
  - Header (IP/TCP/Application)
  - Packet Payload
- Policy for matching of rules varies with versions
  - In v2 all the rules are matched, and the highest priority is recorded
Components of Snort: Logging and Alerting System
- Based upon the matched rule, the packet is logged or an alert is generated
- Logs go to /var/log/snort; the -l option changes the location
Output Modules
- Change the location of the generated output
  - Log in the logfile
  - SNMP traps (Simple Network Management Protocol, notification to admin)
  - Messages to syslog (network logger)
  - Logging to a database
  - XML generation for use in another program
  - Send SMB messages (Server Message Block, protocol for sharing files on the network for Windows machines)
Snort Rules
- A very bad rule:
  alert ip any any -> any any (msg: "ip packet detected";)
  - alert: the action to be performed
  - ip: rule applies to all IP packets
  - any: rule applies to any source IP address
  - any: rule applies to any source port
  - ->: direction of the packet
  - any: rule applies to any destination IP address
  - any: rule applies to any destination port
Rule Structure
- Header
  - Actions: pass, log, alert, activate, dynamic
  - Protocols: IP, ICMP, TCP, UDP, etc.
  - Address
    - Exclusion: ![192.168.1.0/24] any any ...
- Layout of a rule:

  Rule Header                                                    Rule Options
  Action | Protocol | Address | Port | Direction | Address | Port | (options)
                      Source                       Destination
Rule Structure
- Options
  - ack keyword (nmap scanning purposes)
  - classtype (classification:name:description:priority)
  - content keyword
    - offset
    - depth
    - nocase
  - dsize
  - content-list
  - logto
  - ...
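To make the header and option fields on these two slides concrete, the block below is a miniature rule engine. It is an added example for these notes, not Snort's own parser, and it supports only the subset shown: the five actions, the protocol, address fields (`any`, CIDR or host, a `[list]`, negation with `!`), port fields (`any`, single port, `lo:hi` range, negation), both directions, and the options `msg`, `content`, `nocase`, `offset`, `depth`, `dsize` and `priority`. It applies every rule to a packet and records the highest-priority match, as the slide says v2 does. The rules and packets are constructed, and a rule without a priority option is treated as priority 3 here, which is an assumption of this example rather than a statement about Snort's defaults.

```python
"""Miniature Snort-style rule engine: parse headers and a subset of options,
match every rule against a packet, and keep the highest-priority match.
Added example, not Snort's parser; rules and packets are constructed."""
import ipaddress
import re

ACTIONS = {"pass", "log", "alert", "activate", "dynamic"}
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

# Constructed rule set: the slide's "very bad rule" plus two more specific ones.
RULES_TEXT = """
alert ip any any -> any any (msg:"ip packet detected"; priority:3;)
alert tcp ![192.168.1.0/24] any -> 192.168.1.0/24 80 (msg:"WEB cgi-bin phf"; content:"/cgi-bin/phf"; nocase; priority:1;)
alert tcp any any -> any 80 (msg:"oversized HTTP request"; dsize:>1000; priority:2;)
"""


def parse_options(text):
    """'msg:"x"; nocase; depth:20;' -> {'msg': 'x', 'nocase': True, 'depth': '20'}"""
    opts = {}
    for item in filter(None, (s.strip() for s in text.split(";"))):
        key, sep, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"') if sep else True
    return opts


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % line)
    rule = m.groupdict()
    if rule["action"] not in ACTIONS:
        raise ValueError("unknown action %r" % rule["action"])
    rule["opts"] = parse_options(rule["opts"])
    return rule


def load_rules(text):
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def addr_matches(spec, ip):
    """Address field: 'any', a CIDR/host, or a [list], optionally negated with '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!").strip("[]")
    if spec == "any":
        hit = True
    else:
        addr = ipaddress.ip_address(ip)
        hit = any(addr in ipaddress.ip_network(n.strip(), strict=False)
                  for n in spec.split(","))
    return hit != negate


def port_matches(spec, port):
    """Port field: 'any', a single port, or a lo:hi range, optionally negated."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def content_matches(opts, payload):
    """content with nocase/offset/depth: search a window of the payload."""
    if "content" not in opts:
        return True
    needle, hay = opts["content"].encode(), payload
    if opts.get("nocase"):
        needle, hay = needle.lower(), hay.lower()
    window = hay[int(opts.get("offset", 0)):]
    if "depth" in opts:
        window = window[:int(opts["depth"])]
    return needle in window


def dsize_matches(opts, payload):
    """dsize: exact n, >n, <n or lo<>hi, tested against the payload length."""
    spec = opts.get("dsize")
    if spec is None:
        return True
    n = len(payload)
    if "<>" in spec:
        lo, hi = spec.split("<>")
        return int(lo) < n < int(hi)
    if spec[0] == ">":
        return n > int(spec[1:])
    if spec[0] == "<":
        return n < int(spec[1:])
    return n == int(spec)


def header_matches(rule, pkt):
    """Protocol ('ip' covers everything), then addresses/ports in the rule's direction."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False

    def one_way(src, sport, dst, dport):
        return (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
                and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))

    if one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    return rule["dir"] == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


def evaluate(rules, pkt):
    """v2 policy: test every rule; return (all matched msgs, highest-priority msg).
    Priority 1 is highest; 3 is assumed here when a rule sets none."""
    matched = [r for r in rules if header_matches(r, pkt)
               and content_matches(r["opts"], pkt["payload"])
               and dsize_matches(r["opts"], pkt["payload"])]
    if not matched:
        return [], None
    best = min(matched, key=lambda r: int(r["opts"].get("priority", 3)))
    return [r["opts"].get("msg", "") for r in matched], best["opts"].get("msg", "")


# Constructed packets: an outside host probing the web server, local mDNS
# chatter, and an inside host making the same request (excluded by the '!').
PACKETS = [
    dict(proto="tcp", src="10.0.0.9", sport=51000, dst="192.168.1.10", dport=80,
         payload=b"GET /CGI-BIN/PHF?Qalias=x HTTP/1.0\r\n\r\n"),
    dict(proto="udp", src="192.168.1.5", sport=5353, dst="224.0.0.251", dport=5353,
         payload=b"\x00\x00\x00\x00"),
    dict(proto="tcp", src="192.168.1.7", sport=40000, dst="192.168.1.10", dport=80,
         payload=b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(evaluate(load_rules(RULES_TEXT), pkt))
```

Running it shows why the slide calls the first rule "very bad": it fires on all three packets, so on a live link it would bury the one meaningful alert under every other datagram the sensor sees.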
This week's lab
- EagleX: Windows front-end for Snort
  - Easier to deploy than Snort by itself
- There are many other front-ends for Snort, for Windows or Linux