Week 13-1 Week 13: Intrusion Detection Systems - Introduction When computer network is involved in a crime the evidence is often distributed on many computers. Difficult to isolate the crime scene since criminal can be several places on the network at any given time. Extra effort required to collect evidence and document it thoroughly to protect collection methods against every criticism.


Week 13-1

Week 13: Intrusion Detection Systems

- Introduction
• When a computer network is involved in a crime, the evidence is often distributed across many computers.

• It is difficult to isolate the crime scene, since the criminal can be in several places on the network at any given time.

• Extra effort is required to collect evidence and document it thoroughly, so that the collection methods hold up against every criticism.

Week 13-2

Tools:
• Netstat – on both Unix and Windows, shows services and the state of connections.

• Whois – command-line or Web versions, used to research the domain an IP address belongs to.

• Traceroute – Unix and Windows utility that shows the network path between the remote and local hosts.

• Visual Route – commercial tool that shows graphically the path between the remote and local hosts.

Week 13-3

• TCP services started by the master network daemon, inetd (Unix), can be wrapped with a program called tcpd (open source, available from CERT). It may be used as a limited host intrusion detection system (IDS). (show inetd.conf)

• UDP is another story – it is not connection oriented. A firewall is the best defense for UDP.

• ICMP has the same problem – again, the firewall is the best defense for ICMP.

Week 13-4

• TCP services wrapped with tcpd give fine-grained host security control and logging, using “hosts.allow” and “hosts.deny”.

• Log files should be compressed and archived for 30 days or longer.

• On Linux, all TCP services started by the master xinetd daemon, and those started by bootup scripts, have the tcpd library compiled in. (show xinetd.d)

• A host IDS and/or firewall should be used for those services that can’t be wrapped.

Week 13-5

• Three types of IDS:
  – Application-based (AIDS)
  – Host Intrusion Detection (HIDS)
  – Network Intrusion Detection (NIDS)

Q. Do you need all three?

A. Yes; it is not possible to install an IDS on embedded devices (print servers, cameras, wireless APs).

IPS – Intrusion Prevention Systems (more about this later)

Week 13-6

• AIDS – Honeypot (Honeyd) – Web applications (mod_security)

• HIDS – Many security companies offer IDS products (Tripwire, NetIQ, Juniper, Cisco, etc.)

• Open Source – AIDE (open version of Tripwire), Honeynet, sXid, Chkrootkit, Prelude
  – Ref: www.devx.com/security/Article/22442/0

Week 13-7

• NIDS are divided into three categories:
  – Port scan detectors (PSD)
  – Sniffers
  – Firewalls

• PortSentry (PSD)
• Scanlogd (PSD)
• Snort (Sniffer) – best known and best open source NIDS
  – ECS currently has 2 Snort systems, “seeall” and “ispy”
  – Network Lab http://seeall.ecs.csus.edu/acid/
  – Computer Room http://ispy.ecs.csus.edu/base/

Week 13-8

[Diagram: ECS Security Infrastructure]
  Fiber to ARC Building --> ECS Switch (HP Procurve)
    mirrored port --> sensor #1: ISPY (IDS, Linux/Snort)
    ECSFire 1 (SonicWall), ECSFire 2 (SonicWall)
  --> ECS Main Switch (196 ports)
    Unix hosts with security wrapper
    WinXP hosts with firewall enabled
  --> CISCO Lab (HP Procurve), ECSfire3 (SonicWall) <---> ECS Wireless Network

Week 13-9

• NIDS use 2 basic methodologies:
  – Anomaly based
  – Rule based

• IDS <-> Firewall: a human link is required to decide on actions.

• False positives (annoying)
• False negatives (bad)
• Firewalls – 3 are capable of automatic input from a NIDS, but?

Week 13-10

• Firewalls:
  – Network (hardware)
    • Cisco PIX (campus), Nokia, SonicWall (ECS 6)
    • Computer Room http://sonic.ecs.csus.edu/
    • Network Lab http://netfire1.ecs.csus.edu/
    • (soon campus Juniper firewalls replace the PIXs)
  – Host (software)
    • Windows – several commercial companies; I like Zone Labs (ZoneAlarm) the best.
    • WinXP SP2 has a built-in firewall, but only for inbound traffic.

Week 13-11

• Firewalls: (host continued)
  • Linux – ipchains (stateless), in early versions of the kernel
  • Linux – iptables (stateful), part of recent kernels; can have rules for TCP, UDP and ICMP (show live output)
  • Administrators can add local rules, e.g. a local chain coupled with a program/script, which can then become an IPS (sshwatch.pl, ftpwatch.pl)
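The watcher-plus-local-chain idea above, as an added Python example (not the lecture's sshwatch.pl): it counts failed sshd logins per source in constructed syslog lines and emits the iptables commands for a dedicated chain. The chain name SSHWATCH, the threshold, the exempt ranges and the log lines are all assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# sshd's syslog wording for a failed password, including the "invalid user" variant.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)
CHAIN = "SSHWATCH"       # hypothetical local chain, hooked in front of INPUT
THRESHOLD = 3            # failures from one source before it is dropped (assumed)
NEVER_BLOCK = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]  # assumed admin ranges

# Constructed sample syslog lines (not captured from the lecture's host).
SAMPLE_LOG = """\
Apr 15 02:20:41 gaia sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 4121 ssh2
Apr 15 02:20:44 gaia sshd[1203]: Failed password for root from 198.51.100.7 port 4130 ssh2
Apr 15 02:20:47 gaia sshd[1205]: Failed password for dialm from 198.51.100.7 port 4132 ssh2
Apr 15 02:21:02 gaia sshd[1209]: Accepted password for dialm from 203.0.113.9 port 3325 ssh2
Apr 15 02:25:10 gaia sshd[1240]: Failed password for jsmith from 192.0.2.15 port 1022 ssh2
Apr 15 02:25:12 gaia sshd[1240]: Failed password for jsmith from 192.0.2.15 port 1022 ssh2
Apr 15 02:25:15 gaia sshd[1240]: Failed password for jsmith from 192.0.2.15 port 1022 ssh2
"""

def count_failures(lines):
    """Failed-login count per source address; non-matching lines are ignored."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def block_commands(counts, already_blocked=frozenset()):
    """iptables commands for sources at/over THRESHOLD, skipping exempt ranges and repeats."""
    cmds = []
    for ip, n in sorted(counts.items()):
        if n < THRESHOLD or ip in already_blocked:
            continue
        if any(ip_address(ip) in net for net in NEVER_BLOCK):
            continue                     # never lock out the admin network or loopback
        cmds.append(f"iptables -A {CHAIN} -s {ip} -p tcp --dport 22 -j DROP")
    return cmds

def setup_commands():
    """One-time setup: create the chain and send all inbound ssh through it first."""
    return [f"iptables -N {CHAIN}", f"iptables -I INPUT -p tcp --dport 22 -j {CHAIN}"]

if __name__ == "__main__":
    for cmd in setup_commands() + block_commands(count_failures(SAMPLE_LOG.splitlines())):
        print(cmd)                       # printed for review rather than executed
```

A real watcher would tail the log continuously and remember what it has already blocked, which is what the already_blocked argument is for.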

Week 13-12

[Diagram: Campus network and ECS uplink]
  Internet <--- OC-3c (155.52 Mbps) from CENIC.NET, Packet over SONET (POS)
  CENIC.NET Router
  ------------------------- INTERNET / Campus boundary -------------------------
  CSUS Cisco Border Router <-- 1000 Mbps Campus
    Perfigo Cisco Clean Access
    Campus Cisco PIX Firewall <--> Campus Cisco PIX Firewall, Campus Cisco VPN Server
    <--- 1000 Mbps --->
    Campus Wireless, Campus Cisco Router
  <-- 100 Mbps --> ECS

Week 13-13

• IPS – Intrusion Prevention Systems
• Need to have state and do deep packet inspection.
• Must have hardware to scale.
• SonicWall has software ($$) that gives limited IPS.
• Others: Countersnipe, Barbedwire Technologies, McAfee, Top Layer* (IPS 5500) $15K, Internet Security Systems, NFR, SonicWall, Sourcefire* (IS-2000) $13K, Symantec, TippingPoint and V-Secure

Week 13-14

• Security Incident: Friday, April 15, 2005 at 3:02 AM. User “dialm” logged in from Moscow, Russia, as the command “who” on gaia shows:

dialm pts/2 Apr 15 02:21 (d123.z194-58-101.relcom.ru)

You are the person responsible for security for this company.

Q. What step would you have taken next?

Week 13-15

• Step 1. “su” to root and change the password for user dialm.

Q. What next step would you have done?

Week 13-16

• Step 2. Type the command ps -adef | grep dialm (dump the process table and grep for processes running as user dialm). One interesting process was:

“./pine”

Q. Why is this interesting?

Q. What next step would you have done?

Week 13-17

• Step 3. netstat -a (look at network connections and any strange services) – noted many connections to IPs that were not local, and the service “SOCKS”.

Q. What next step would you have performed?

Week 13-18

• Step 4. kill -1 (login process number for /bin/csh) – this will log the user off and break the network connection.

• Because the password was changed, he/she won’t get back in.

Q. Unless what???? Note: yours truly forgot to capture the output from netstat!!! (next time do “script”)

Q. What next step would you have done?

Week 13-19

• Step 5. cd ~dialm (change directory to the hacked account – and do the ls -alt command to list the files and directories in chronological order, most recent first)

drwxr-xr-x 1645 root  root   28672 Apr 15 03:20 ..
-rwx------    1 dialm stdcsc   583 Apr 15 03:13 .history
drwxr-xr-x   11 dialm stdcsc  4096 Apr 15 03:09 .dt
-rw-------    1 dialm stdcsc 14733 Jan 10 08:19 .pinerc
… rest of the listing were old files

Q. What next step would you have performed?

Week 13-20

• Step 6. more .history (see if the hacker removed traces of his actions)

#+1113558361
gcc scan.c -s -o pine
#+1113558364
gcc scan.c -s -o pine
#+1113558368
./pine
#+1113558440
./pine
#+1113558481
gcc scan.c -s -o pine
#+1113558487
gcc scan.c -s -o pine
#+1113558542
gcc scan.c -s -o pine
#+1113558547
./pine
#+1113558982
man sleep

Week 13-21

• Step 6. more .history (continued)

#+1113559107
gcc scan.c -o pine -s
#+1113559111
./pine
#+1113559228
gcc scan.c -o pine -s
#+1113559231
gcc scan.c -o pine -s
#+1113559251
./pine
#+1113559352
gcc scan.c -o pine -s
#+1113559355
gcc scan.c -o pine -s
#+1113559360
./pine
#+1113559788
gcc scan.c -o pine -s
#+1113559791
gcc scan.c -o pine -s
#+1113559795
./pine

Q. What next step would you have done?
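The “#+epoch” lines in the .history above are tcsh timestamps. This added example (not part of the lecture) parses that format and puts each command on the host's local clock so it can be lined up with the 02:21 login from “who” and the ls -alt mtimes. The PDT offset (UTC-7) is an assumption from the April 2005 date, and the excerpt is a constructed subset of the slide's entries.

```python
import re
from datetime import datetime, timedelta, timezone

# tcsh writes "#+<epoch seconds>" before each command when savehist is on.
STAMP_RE = re.compile(r"^#\+(\d+)$")
HOST_TZ = timezone(timedelta(hours=-7))   # assumption: gaia kept Pacific Daylight Time

# Constructed excerpt: first, middle and last entries quoted on the slides.
SAMPLE_HISTORY = """\
#+1113558361
gcc scan.c -s -o pine
#+1113558368
./pine
#+1113558982
man sleep
#+1113559795
./pine
"""

def parse_history(text, tz=HOST_TZ):
    """Return [(local datetime or None, command)] in file order."""
    entries, pending = [], None
    for line in text.splitlines():
        m = STAMP_RE.match(line)
        if m:
            pending = datetime.fromtimestamp(int(m.group(1)), tz)
            continue
        if line.strip():                      # a command line; may lack a stamp
            entries.append((pending, line))
            pending = None
    return entries

def commands_since(entries, login):
    """Commands stamped at or after the session start reported by 'who'."""
    return [(t, c) for t, c in entries if t is not None and t >= login]

def last_activity(entries):
    """Latest stamp; compare it with the mtime of .dt and .history from ls -alt."""
    stamps = [t for t, _ in entries if t is not None]
    return max(stamps) if stamps else None

if __name__ == "__main__":
    login = datetime(2005, 4, 15, 2, 21, tzinfo=HOST_TZ)   # from the 'who' line
    for when, cmd in commands_since(parse_history(SAMPLE_HISTORY), login):
        print(when.strftime("%H:%M:%S"), cmd)
```

With this offset the first gcc falls at 02:46:01 and the last ./pine at 03:09:55, which agrees with the 03:09 mtime on .dt in the listing.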

Week 13-22

• Step 7. cd .dt (change to the system directory .dt – note this normally won’t show because its name starts with a dot)

Q. What next step would you have done?

Week 13-23

• Step 8. ls -alt | more (list the contents, most recent first) (show live results on gaia – more on the timestamps)

Q. What next step would you have done?

Week 13-24

• Live on gaia: “more scan.c”
• Live on gaia: “more list” (IPs)
• Q. Why would a hacker be interested in “proxy servers”????
• Examine the “messages” log (if time permits, then nmap the remote host) (also finger @remote host)
• “Think outside the box!”

Q. What is another possible step in the process?

Week 13-25

• Step 9. Check for any “backdoors”
• UC Berkeley “r” commands (ruptime, rcp, rlogin, rsh, rexec)
• hosts.equiv (+ or ++ wild cards)
• .rhosts (individual authentication)
• Security compromise recently exposed for Windows clients’ remote shell (.rhosts).

Week 13-26

• Backdoor examples:
• “inetd.conf” or /etc/xinetd.d backdoor
• Added account in the /etc/passwd file
• Perl script called “back.pl”
• + + wild card in a user’s .rhosts
• Most recent backdoor from the UN-ROOT team, Brazil: “./bindz”

Week 13-27

• Summary: Network IDS and Host IDS can hold evidence of break-ins (they do not prevent them; they only help after the fact).

Use scp or sftp to make copies of the evidence, and compute MD5 and SHA-1 to verify the copies are identical to the originals.

Never trust the system unless it is completely reinstalled, especially if you are unable to tell how it was compromised in the first place.

Keep copies of the evidence obtained from security incidents.