CSCI 530 Lab Intrusion Detection Systems IDS


Page 1: CSCI 530 Lab

CSCI 530 Lab

Intrusion Detection Systems

IDS

Page 2: CSCI 530 Lab

IDS

- A collection of techniques and methodologies used to monitor suspicious activities at both the network and the host level
- It is not a firewall
- It inspects the content and intent of the network traffic

Page 3: CSCI 530 Lab

IDS

- An additional level of security in the network
- Firewalls will prevent attacks; an IDS is more like an alarm system
- It will perform actions like alerting, logging, etc. upon detection
- It can be configured to make changes in the firewall rules upon detection of attacks
- Can help detect attacks that pass through the firewall
- Protection from insiders

Page 4: CSCI 530 Lab

IDS

- Deployed with multiple sensors at various locations on the network
- Sensors report to a centralized management console
- A sensor monitors traffic, matches it against the rule sets and raises alerts, logs it or takes some other action
- A rule set contains traffic signatures or rules for unwanted behavior
  - Rules: check for threshold, protocol, IP source and destination
  - Signatures: traffic patterns associated with an attack

Page 5: CSCI 530 Lab

IDS

[Figure: diagram from Hack I.T.: Security Through Penetration, fig. 19.2]

Page 6: CSCI 530 Lab

Host Based IDS

- Log monitors: parse system event log files
  - Example: the Apache access log file; check for "cgi-bin"
- Integrity checkers: check key system structures for changes (system files, registry keys), e.g. Tripwire
  - File additions, deletions, flag modifications, access time, etc.

Page 7: CSCI 530 Lab

Network Based IDS

- Signature based: a database of known signatures; similar to virus signatures, but it looks for attack signatures
- Anomaly based: form a baseline for a normal system; raise an alarm when the system is no longer functioning under normal conditions

Page 8: CSCI 530 Lab

Network Based IDS Deployment

- It should have access to all the network data
- Alert generation
- Response policy
- Environment adaptation

Page 9: CSCI 530 Lab

Hacking through the IDS

- Fragmentation or packet splitting: throughput increases, consuming more resources and making the IDS less accurate
- Spoofing: spoof the sequence no.; sending random sequence numbers causes the IDS to be desynchronized from the source and ignore the true packets
- Denial-of-Service: IDS software can only handle a limited amount of data; break the IDS, then attack the network

Page 10: CSCI 530 Lab

SNORT, Open source IDS

www.snort.org

Components of Snort: Packet Decoder, Preprocessor, Detection Engine, Logging and Alerting System, Output Modules

[Figure: Snort architecture diagram; boxes: Internet, Packet Decoder, Preprocessor, Detection Engine, Logging and Alerting System, Output Modules, Output Alert, Dropped Packets]

Page 11: CSCI 530 Lab

Components of Snort: Packet Decoder

- Takes packets from different interfaces (Ethernet, PPP, SLIP) and prepares them for the other stages

Preprocessor

- Plugins that modify or set up data for the detection engine
- Same example as the log monitor: GET /cgi-bin/subdirectory/../phf; the preprocessor rearranges the data so the IDS can detect it
- Packet defragmentation: if packets are too large they get fragmented into smaller packets, which must be reassembled prior to analysis
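The log-monitor check from the Host Based IDS slide and the preprocessor step above, worked together as an added example (not code from the slides or from Snort): the request `GET /cgi-bin/subdirectory/../phf` never contains the literal `/cgi-bin/phf`, so an exact signature only fires once the path is normalized. It also generalizes to percent-encoded paths, which the slides do not cover; the access log lines, the signature table and the log format regex are constructed for this example.

```python
# Host-based log monitor for the slides' Apache "cgi-bin" example (added example,
# not from the slides). Shows why the preprocessor matters: a raw request such as
# GET /cgi-bin/subdirectory/../phf never contains the literal "/cgi-bin/phf", so
# an exact signature misses it until the path is normalized. Log lines and the
# signature table are constructed for this example.
import posixpath
import re
from urllib.parse import unquote

# Apache common log format: client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) \S+$')

# Exact normalized paths of well-known CGI probes (constructed table)
SIGNATURES = {"/cgi-bin/phf": "phf CGI probe", "/cgi-bin/test-cgi": "test-cgi probe"}

def normalize_path(raw):
    """Preprocessor step: drop the query string, percent-decode, collapse . and .. segments."""
    path = unquote(raw.split("?", 1)[0])
    return posixpath.normpath(path)      # "/cgi-bin/subdirectory/../phf" -> "/cgi-bin/phf"

def check_line(line, normalize=True):
    """Return (client, path, description) when the request hits a signature, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # not a well-formed access log line
    path = normalize_path(m["path"]) if normalize else m["path"]
    if path in SIGNATURES:
        return (m["client"], path, SIGNATURES[path])
    return None

def scan(lines, normalize=True):
    """All signature hits across a batch of log lines."""
    return [hit for hit in (check_line(l, normalize) for l in lines) if hit]

LOG_LINES = [  # constructed sample access log lines
    '10.0.0.5 - - [10/Oct/2005:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.0.9 - - [10/Oct/2005:13:55:40 -0700] "GET /cgi-bin/subdirectory/../phf HTTP/1.0" 404 208',
    '10.0.0.9 - - [10/Oct/2005:13:55:41 -0700] "GET /cgi-bin/%70hf?Qalias=x HTTP/1.0" 404 208',
    '10.0.0.7 - - [10/Oct/2005:13:56:02 -0700] "GET /images/logo.gif HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    print("without normalization:", scan(LOG_LINES, normalize=False))   # []
    for client, path, desc in scan(LOG_LINES):
        print("ALERT %s requested %s (%s)" % (client, path, desc))
```

Run with `normalize=False` both probe lines pass unnoticed; with normalization both resolve to `/cgi-bin/phf` and are reported.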

Page 12: CSCI 530 Lab

Components of Snort: Detection Engine

- The most important part of the engine
- Uses the detection rules
- It is time dependent: speed of the machine, number of rules, load on the network
- The Detection Engine applies rules to different parts of the packet: the header (IP/TCP/application) and the packet payload
- The policy for matching rules varies with versions; in v2 all the rules are matched and the highest priority is recorded

Page 13: CSCI 530 Lab

Components of Snort: Logging and Alerting System

- Based upon the matched rule, the packet is logged and/or an alert is generated
- Logs go to /var/log/snort; use -l to modify the location

Output Modules

- Change the destination of the generated output:
  - Log in the logfile
  - SNMP traps (Simple Network Management Protocol; notification to the admin)
  - Messages to syslog (network logger)
  - Logging to a database
  - XML generation for use in another program
  - Send SMB (Server Message Block, the protocol for sharing files on the network for Windows machines)

Page 14: CSCI 530 Lab

Snort Rules

A very bad rule:

    alert ip any any -> any any (msg:"ip packet detected";)

- alert: the action to be performed
- ip: rule applies to all IP packets
- any: rule applies to any source IP address
- any: rule applies to any source port
- ->: direction of the packet
- any: rule applies to any destination IP address
- any: rule applies to any destination port

Page 15: CSCI 530 Lab

Rule Structure

Header

- Actions: pass, log, alert, activate, dynamic
- Protocols: IP, ICMP, TCP, UDP, etc.
- Address: exclusion with !, e.g. ![192.168.1.0/24] any any…

Rule layout: the Rule Header (Action, Protocol, source Address and Port, Direction, destination Address and Port) followed by the Rule Options.

Page 16: CSCI 530 Lab

Rule Structure

Options

- ack keyword (nmap scanning purposes)
- classtype (classification:name:description:priority)
- content keyword, with modifiers: offset, depth, nocase
- dsize
- content-list
- logto
- ………
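The rule header and option structure from the three slides above, worked as an added example (not Snort's own code): a parser for the header fields (action, protocol, source address and port, direction, destination address and port) and the msg, content and nocase options, plus a matcher that evaluates rules, including the `![192.168.1.0/24]` exclusion form, against packet records. The rules beyond the slide's "very bad rule", the packets and the address ranges are constructed for this example.

```python
# Snort rule parser and matcher for the header fields and options the slides
# describe (added example, not Snort's own code). Addresses may be `any`, an
# IP/CIDR, or the negated list form ![192.168.1.0/24]; options handled: msg,
# content, nocase. Packets are dicts with proto, src, sport, dst, dport, payload.
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<action>pass|log|alert|activate|dynamic)\s+(?P<proto>ip|icmp|tcp|udp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$")

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule: %r" % text)
    rule = m.groupdict()
    rule["opts"] = {}
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")     # flag options such as nocase have no value
        rule["opts"][key.strip()] = val.strip().strip('"')
    return rule

def addr_matches(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")            # ![...] means "anything except these"
    nets = spec.lstrip("!").strip("[]").split(",")
    inside = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False) for n in nets)
    return inside != negate

def port_matches(spec, port):
    return spec == "any" or port == int(spec)

def rule_matches(rule, pkt):
    header_ok = ((rule["proto"] == "ip" or rule["proto"] == pkt["proto"])
                 and addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
                 and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    content = rule["opts"].get("content")
    if not header_ok or content is None:
        return header_ok                     # header-only rule, e.g. the slide's "very bad rule"
    hay, needle = pkt["payload"], content.encode()
    if "nocase" in rule["opts"]:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay

# Constructed rules: the slide's catch-all, and a narrower one using ![...] exclusion
RULES = [parse_rule(r) for r in (
    'alert ip any any -> any any (msg:"ip packet detected";)',
    'alert tcp ![192.168.1.0/24] any -> 192.168.1.0/24 80 (msg:"phf probe from outside"; content:"/cgi-bin/phf"; nocase;)',
)]

def alerts_for(pkt):
    return [r["opts"]["msg"] for r in RULES if rule_matches(r, pkt)]
```

Because the actions are matched in lowercase, the capitalized `Alert ip ...` spelling is rejected as malformed, while the catch-all rule fires on every packet the matcher sees.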

Page 17: CSCI 530 Lab

This week’s lab

- EagleX: a Windows front-end for Snort; easier to deploy than Snort by itself
- There are many other front-ends for Snort, for Windows or Linux