Network intrusion detection system

  • 1. FORESEC ACADEMY © FORESEC
  • 2. Network-based intrusion detection systems (NIDSs) are an excellent way to monitor networks for anomalies that could indicate an attack or signs of electronic tampering on your network. In this chapter, we explore the need for NIDS and discuss some of the available offerings. In particular, we look at commercial tools such as BlackICE Defender, as well as an extremely popular open-source tool called Snort. We also discuss the advantages associated with building a distributed NIDS and provide examples of creating custom signatures for your own network environment.
    Our journey begins with a single network attack and culminates with a myriad of real-world intrusion attempts. The objective is to present you with the knowledge necessary to understand the basics of intrusion detection and to spark some ideas of how this technology can be deployed on your own network. Finally, after reading this chapter, you should be able to tell the difference between an innocuous scan and a malicious scan, and how to react and respond accordingly.
  • 3. Need for Network-based Intrusion Detection
    Insider attacks can cause more financial damage than third-party attacks because insiders have intimate knowledge of internal networks. Traditional audit and security mechanisms can address these threats, and organizations can prosecute. The greater concern, though, should be attacks originating from the Internet.
    The volume of attacks originating from the public network is (or should be!) significantly higher than the number of attacks coming from an internal host. Most outside attacks can be stopped by a properly configured firewall. However, we need to be concerned with attacks that are able to bypass, or otherwise penetrate, the outside perimeter. You may be asking: if the firewall can prevent many or most attacks, why do we need to be concerned about the few that make it through? The reason is simple: volume. The sheer number of outside attacks hitting your network will eventually take its toll and compromise a system. There is a saying that even a blind squirrel can find a nut, and that applies to the perimeter network. Attacks on your network, even if poorly targeted, will eventually result in malicious activity passing through your perimeter and causing damage to your systems.
  • 4. By detecting even the most benign attacks hitting our network perimeter, we can use that data to properly tune our defences and mitigate, or render useless, a large percentage of the attacks. As the sophistication of network-based attacks continues to increase, we owe it to ourselves to use NIDS to investigate intrusions, analyze threats and prepare the needed countermeasures. There is also the distinct advantage of being able to correlate data from a variety of NIDS deployments to increase our capability in responding to various attacks. We will discuss event correlation later in this chapter.
  • 5. Inside a Network Attack
    Some people call this classic attack an out-of-band (OOB) attack; however, it is better known as WinNuke. WinNuke sends a single, specially crafted TCP segment carrying "OOB" data to a remote listening port, TCP 139 (the NetBIOS session service). This is known to crash older versions of Windows. (Note that "out of band" is a misnomer: WinNuke actually sets the TCP Urgent flag and the urgent pointer, and urgent data travels in the same byte stream as everything else.) Even if NetBIOS is not in use, a vulnerable system attacked by WinNuke will typically experience the dreaded "Blue Screen of Death." Although this is a dated attack tool, it does an excellent job of visually explaining the concept of network-based attacks. It should also be noted that there are still millions of Windows 95 machines connected to the Internet. It is safe to say that this attack tool could still bring down countless machines.
  • 6. How do we create this special packet capable of bringing Windows 95 to its knees? The answer is quite simple: Nuke.eM. Nuke.eM (shown in the previous slide) works by establishing a TCP connection with a remote host and delivering the urgent-data segment. It doesn't take any skill, and it can turn the most inept person into a "hacker."
  • 7. The previous screenshot shows how the Nuke.eM attack was detected and blocked by BlackICE PC Protection, a leading commercial personal firewall. The highlighted area shows that the NetBIOS probe (Nuke.eM) was detected and successfully blocked six times.
    We can see that a NetBIOS port probe from the IP address 192.168.1.100 was detected and blocked by the firewall engine. The information window at the bottom of the screen gives a brief description of the attack, and clicking the "advICE" button to the right gives more detailed information.
    Note: Internet Security Systems (ISS) acquired the BlackICE product line in April 2001. The BlackICE PC Protection suite is the first offering from that acquisition.
    Let's sum up what we have seen as we explored a single network attack. We identified a vulnerability, a flaw in Microsoft's implementation of TCP/IP networking. We described the flaw technically and demonstrated one of the attacker tools that takes advantage of it. Finally, we saw a detection and protection tool in action. This is another example of threat, countermeasure and counter-countermeasure: WinNuke was dropping systems left and right, and Microsoft responded with a patch. Instead of fixing the problem the first time, they released a quick hack. The attackers instantly countered with a modification to their attack tools, finally forcing Microsoft to release a complete patch that adequately resolved the initial problem.
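To make the detection side concrete, here is an added example, written for this edit and not BlackICE or FORESEC code, that does what a libpcap-fed sensor does with the raw bytes it is handed: it decodes the IPv4 and TCP headers with struct and flags any segment that carries the TCP Urgent flag with a non-zero urgent pointer toward port 139, which is the traffic WinNuke produces. The three packets are constructed inside the script; addresses, ports and payload bytes are made up, and checksums are left at zero and not verified.

```python
"""Decode raw IPv4/TCP bytes and flag WinNuke-style segments (added example)."""
import struct

NETBIOS_SSN = 139
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def dotted(raw):
    """4 raw address bytes -> dotted-quad string."""
    return ".".join(str(b) for b in raw)


def parse_ipv4(buf):
    """Return (src, dst, proto, payload) from a raw IPv4 packet (options skipped via IHL)."""
    if len(buf) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return dotted(src), dotted(dst), proto, buf[ihl:total_len]


def parse_tcp(seg):
    """Return the TCP header fields a signature needs, plus the payload."""
    if len(seg) < 20:
        raise ValueError("short TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg_ptr = \
        struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4          # header length in 32-bit words
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x3F,
            "urg_ptr": urg_ptr, "payload": seg[data_off:]}


def winnuke_alerts(packets):
    """One alert string per segment that matches the WinNuke pattern."""
    alerts = []
    for pkt in packets:
        src, dst, proto, seg = parse_ipv4(pkt)
        if proto != IPPROTO_TCP:
            continue
        tcp = parse_tcp(seg)
        # Signature: urgent ("out of band") data aimed at the NetBIOS session port
        if tcp["dport"] == NETBIOS_SSN and tcp["flags"] & TCP_URG and tcp["urg_ptr"]:
            alerts.append(f"WinNuke OOB data {src}:{tcp['sport']} -> {dst}:{tcp['dport']} "
                          f"urg_ptr={tcp['urg_ptr']} len={len(tcp['payload'])}")
    return alerts


def build_packet(src, dst, sport, dport, flags, urg_ptr=0, payload=b""):
    """Construct a bare IPv4/TCP packet for testing (no options, zero checksums)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags,
                      8192, 0, urg_ptr) + payload
    octets = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64,
                     IPPROTO_TCP, 0, octets(src), octets(dst))
    return ip + tcp


# Constructed capture (made-up addresses): one nuke, one ordinary SMB segment,
# one urgent segment to a web port that must not match.
SAMPLE_CAPTURE = [
    build_packet("192.168.1.100", "192.168.1.10", 1035, 139,
                 TCP_PSH | TCP_ACK | TCP_URG, urg_ptr=3, payload=b"XXX"),
    build_packet("192.168.1.100", "192.168.1.10", 1036, 139, TCP_ACK, payload=b"\0\0\0\0"),
    build_packet("192.168.1.100", "192.168.1.10", 1037, 80,
                 TCP_PSH | TCP_ACK | TCP_URG, urg_ptr=1, payload=b"X"),
]

if __name__ == "__main__":
    for line in winnuke_alerts(SAMPLE_CAPTURE):
        print(line)
```

Only the first packet is reported; the plain ACK to port 139 and the urgent segment to port 80 pass silently, which is the level of precision a signature needs before it is worth logging.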
  • 8. Network Intrusion Detection 101
    Generally, when we think of using a personal firewall, it is to protect a PC that is directly connected to the Internet. However, we don't always think about detection: many personal firewalls on the market today can block attacks, and they can also detect and log them. Logging the attack allows an analyst to study its attributes. In fact, with the increasing rate of broadband installations, personal firewalls with intrusion detection capability are becoming extremely valuable network sensors for the IDS community. The Internet Storm Center has a free client that can be used in conjunction with many personal firewalls and intrusion detection systems to upload your logs to their site for further research and investigation. If you want a way to do your part and give back to the information security community, this is a great opportunity. Detailed information is available from the web site at http://isc.incidents.org.
    The Importance of Logging
    The previous screenshot depicts activity on an extremely busy and hostile network. We can see a variety of attacks, including nmap pings, SNMP port probes and DNS zone transfer attempts. Although it is useful to be able to view these events in real time, it is even more useful to be able to open the captured packets in a network protocol analyzer like Ethereal to gain a better understanding of the attack and how it happened. Most personal firewalls include a logging feature that should be enabled to get the most from the product.
  • 9. Logging is an integral part of intrusion detection. Being able to refer back to logs after an event happens is extremely useful from a learning perspective and in the case of criminal prosecution. Logs of the events that led to a compromise are a valuable asset if you seek damages or prosecution after a network attack or system compromise.
  • 10. In this example, we demonstrate how to enable logging in the BlackICE personal firewall. The firewall engine settings are managed from the tool menu and can be easily accessed from the main screen. Looking around, we can see multiple tabs that allow you to alter the functionality of the firewall. For our purposes, we focus on the Evidence Log and Packet Log options.
    It is important to ensure that logging is enabled on the Evidence Log tab. The rest is self-explanatory, but it is useful to put a % sign at the end of the evd file prefix. This special character adds a date/time stamp to the log file names, which helps when you need to go back and look up an attack that occurred at a particular time. You may also wish to adjust the maximum file size and maximum number of files settings to suit your network.
    Another useful feature is the Packet Log tab; enabling the Packet Log feature of BlackICE captures all the traffic that crosses the listening interface. This can prove extremely valuable when you need to perform network diagnostics, or just to learn how your network operates at various points in time. However, remember that with this feature enabled, large amounts of disk space will be consumed to hold all of the network traffic. Watch the remaining disk space when using this logging feature.
  • 11. Note: BlackICE is often thought of as a host-based IDS because it is typically installed on individual machines, but consider what it is really doing: monitoring network traffic. A traditional HIDS monitors log files, file changes, registry changes, and other rights and permissions of the host operating system. We use BlackICE in this chapter to illustrate the basics of network-based intrusion detection systems.
  • 12. Viewing BlackICE Logs
    There is a common misconception that BlackICE log files can only be viewed by installing a commercial third-party application such as VisualICE or ICEcap. Although these add-on programs do a great job of parsing the data and creating nice-looking reports, all that is necessary is to open the files with an available packet analysis tool. In the previous example, we used a program called Ethereal to view the data. Ethereal, a free packet analysis program, is an excellent tool for decoding and viewing the BlackICE log files. In default installations of BlackICE, the log files are located at C:\Program Files\ISS\BlackICE\evd%*.enc.
    Note: Ethereal is one of the killer apps to rise from the open-source movement. It is maintained by a core group of developers who continually add features and update the program. It is easy to use, flexible, and free to download. I would happily put it up against any commercially available protocol analyzer. Although our example is basic, the other features of Ethereal are worth checking out. Ethereal can be downloaded at http://www.ethereal.com.
  • 13. BlackICE Visualization Tools
    The previous screenshot shows a spike in activity in the Events window that was the result of someone probing this network. This gives us an idea of where to look for this data in the evidence log files. As a helpful hint, find the approximate time of an event and, if you happen to be looking for a scan, look at the biggest file first, since port scans tend to generate a lot of traffic.
    This screen also allows you to view network trends over a period of minutes, hours, or days, and it can be useful in learning the intricacies of your network. For example, once a baseline has been established, you can use this screen to look for anomalies that don't fit the usual network traffic patterns.
    We used a host-based intrusion detection engine to examine how a network attack functions. Now that you have a basic understanding of network-based attacks, let's shift our focus to NIDS.
  • 14. Libpcap-Based Intrusion Detection Systems
    Most network-based intrusion detection systems are libpcap-based. Libpcap is an open-source packet capture library that retrieves raw packets from the kernel and hands them to the application. Libpcap has the advantage of being free to use and has proven, since its inception, to be extremely reliable. Products that use the libpcap library include Shadow, Snort, Cisco IDS (formerly NetRanger), and NFR.
    Note: Complete information, including the source code for libpcap, can be downloaded at http://www.tcpdump.org/. If you are running on a Windows-based platform, you are in luck: WinPcap is the Win32 version of libpcap and can be downloaded at http://winpcap.polito.it/.
    In the previous diagram, you see a remote sensor collecting data and forwarding it to another machine for display and analysis. The Shadow intrusion detection system uses this configuration and is one of the few NIDS that essentially uses a "dumb" probe to forward the packets it captures to another device for processing. If the Shadow sensor should fail or somehow be compromised, no information about the site is lost, since the analysis station, not the probe, holds the processed data.
  • 15. Network Intrusion Detection with Snort
    Snort is billed as a lightweight network intrusion detection system. It was introduced to the open-source community in 1998 by its developer, Marty Roesch. Snort quickly gained a reputation for being an extremely efficient, lightweight, and low-cost NIDS solution, and owes its popularity and extensive features to a devoted team of core developers and an active user base.
  • 16. Snort's design allows for easy integration into most networks, and it can be configured to monitor multiple sites, networks, or interfaces with relative ease. Its rules can match on decoded packet contents as well as on packet headers. This means it can detect data-driven attacks such as buffer overflows, as well as attacks on vulnerable URLs and CGI scripts (for example, RDS and phf).
    Because Snort is open source and has such an active user community, it is an ideal system for learning how to analyze intrusions and for experimenting with different configurations. There are many community-developed enhancements available (we discuss them later in this chapter), and help is just an e-mail message away.
    Note: A great resource to learn more about Snort is the FAQ, which is available at http://www.snort.org/docs/faq.html. The FAQ is actively maintained and describes the many features of Snort.
  • 17. Analyzing a Snort Detect
    Snort detects are written to log files, like the one shown previously, separated by blank lines. The logs are flat text files and have the advantage of being easy to sort, search, and analyze. Another advantage of Snort logs is the ability to cut and paste individual detects into an e-mail message to other analysts, your CIRT, or the offending party's administrators. This feature alone is unavailable in many commercial products.
    In this example, you see that the name of the detect, RPC Info Query, is listed at the top and the summary information follows. The last three lines show the actual payload of this particular attack. Remote procedure call (RPC) attacks like this are part of the FORESEC Top Twenty list (http://www.foresecacademy.com/top20/) and could indicate a potential vulnerability on your network. Pay particular attention to all of the zeros in the payload. RPC messages are encoded (XDR) with every field padded to a 32-bit word, so small integers such as version and procedure numbers appear as three zero bytes followed by one significant byte; runs of zeros like this are a tell-tale sign of Remote Procedure Calls. Another item worthy of mention is the hex string 01 86 A0 00 00 00 02 00 00 00 04. 0x000186A0 is RPC program number 100000, the portmapper; the next word is program version 2 and the last is procedure 4 (DUMP), which is exactly the request the rpcinfo -p command sends to list the RPC services registered on a remote host.
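As an added example (not from the slides and not Snort code), the following script decodes the ONC RPC call header of a payload like the one in the detect and shows why the slide's hex string identifies rpcinfo -p: program 100000 is the portmapper, version 2, procedure 4 is PMAPPROC_DUMP. The payload is constructed by hand, laid out as it would appear in a datagram to UDP port 111: the XID is made up and the credentials and verifier are AUTH_NULL. The bytes quoted on the slide appear inside it, and the zero-word count makes the padding the slide points at measurable.

```python
"""Decode the ONC RPC call header inside an "RPC Info Query" detect (added example)."""
import struct

RPC_CALL = 0
PORTMAP_PROG = 100000
PORTMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}

# Constructed payload: a portmapper DUMP call as rpcinfo -p sends it (XID made up).
SAMPLE_PAYLOAD = bytes.fromhex(
    "3f 1c 2a 55"              # XID (transaction id, invented)
    "00 00 00 00"              # message type: CALL
    "00 00 00 02"              # RPC protocol version 2
    "00 01 86 a0"              # program 100000 = portmapper
    "00 00 00 02"              # program version 2
    "00 00 00 04"              # procedure 4 = DUMP (what rpcinfo -p issues)
    "00 00 00 00 00 00 00 00"  # credentials: flavor AUTH_NULL, body length 0
    "00 00 00 00 00 00 00 00"  # verifier:    flavor AUTH_NULL, body length 0
)

# The fragment quoted on the slide, as bytes
SLIDE_HEX = bytes.fromhex("01 86 a0 00 00 00 02 00 00 00 04")


def decode_rpc_call(payload):
    """Parse the fixed part of an RPC CALL header; every field is one 32-bit word."""
    if len(payload) < 40:
        raise ValueError("payload too short for an RPC call header")
    (xid, msg_type, rpcvers, prog, vers, proc,
     cred_flavor, cred_len, verf_flavor, verf_len) = struct.unpack("!10I", payload[:40])
    if msg_type != RPC_CALL:
        raise ValueError(f"not a CALL (msg_type={msg_type})")
    if rpcvers != 2:
        raise ValueError(f"unexpected RPC version {rpcvers}")
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "cred_flavor": cred_flavor, "cred_len": cred_len,
            "verf_flavor": verf_flavor, "verf_len": verf_len}


def describe(call):
    """Name the call when it targets the portmapper; otherwise report the raw numbers."""
    if call["prog"] != PORTMAP_PROG:
        return f"program {call['prog']} v{call['vers']} proc {call['proc']}"
    name = PORTMAP_PROCS.get(call["proc"], str(call["proc"]))
    return f"portmapper v{call['vers']} {name}"


def zero_word_ratio(payload):
    """Fraction of 32-bit words that are entirely zero: the padding the slide points at."""
    usable = len(payload) - len(payload) % 4
    words = [payload[i:i + 4] for i in range(0, usable, 4)]
    return sum(w == b"\0\0\0\0" for w in words) / len(words)


if __name__ == "__main__":
    call = decode_rpc_call(SAMPLE_PAYLOAD)
    print(describe(call))                                   # portmapper v2 DUMP
    print(f"zero words: {zero_word_ratio(SAMPLE_PAYLOAD):.0%}")
    print("slide fragment present:", SLIDE_HEX in SAMPLE_PAYLOAD)
```

Half of the words in this request are all zeros, which is why an analyst learns to recognise RPC traffic from a hex dump at a glance; the same decoder applied to a CALL with a different program number tells you which RPC service is actually being probed.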
  • 18. Writing Snort Rules
    Snort provides the ability to create custom rules, or signatures, to filter on specific content. The source distribution provides hundreds of pre-written rules. However, there might be times when you need to create rules that are not included by default. Given the fast-paced world of intrusion detection, with new threats released on a daily basis, the ability to quickly write custom rules can often make or break your career as an information security professional!
    Snort rules are simple to write yet powerful enough to capture most types of traffic. There are five rule actions to keep in mind when writing rules:
      • Pass - Ignore the packet: no alert and no log entry. This is how you silence traffic you have decided is benign.
      • Log - Log the packet to the location specified in your Snort configuration file (e.g. snort.conf).
      • Alert - Send an alert to a central syslog server, as a pop-up window via SMB, or to a separate alert file. This alert file is commonly used with tools like Swatch (Simple Watcher) to alert the analyst to signs of intrusion or electronic tampering. Once the alert is sent, the packet is logged.
  • 19. (rule actions, continued)
      • Activate - Send the alert and then activate another, dynamic rule. For example, Snort can be configured to dynamically block
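The following toy rule engine is an added example, written for this edit and not Snort's own code, to show the three basic actions above doing what the slides describe. It parses a handful of rules written in classic Snort syntax (action, protocol, source, direction, destination, options), including a pass rule for a trusted scanner, a flags:U+ rule for the WinNuke traffic from earlier in the chapter and a content rule carrying the rpcinfo -p bytes from the RPC Info Query detect, applies them to constructed packets, and records which packets are ignored, which are logged, and which are alerted on and then logged. Addresses, ports, sids and payloads are invented. One caveat the toy engine does not model: it applies rules in file order, whereas Snort by default evaluates alert rules before pass rules unless started with the -o switch, so a pass rule written to silence a known scanner may not take effect as you expect.

```python
"""Toy Snort-style rule matcher showing pass / log / alert semantics (added example)."""
import ipaddress
import re

HEADER = re.compile(
    r"^(pass|log|alert)\s+(tcp|udp|icmp|ip)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

# Invented rules; addresses and sids are made up. Rules are applied in file order here.
RULES = """
# trusted vulnerability scanner: ignore its NetBIOS probes entirely
pass tcp 192.168.1.5 any -> any 139 (msg:"trusted scanner"; sid:1000001;)
alert tcp any any -> any 139 (msg:"WinNuke OOB data"; flags:U+; sid:1000002;)
alert udp any any -> any 111 (msg:"RPC portmap dump"; content:"|00 01 86 A0 00 00 00 02 00 00 00 04|"; sid:1000003;)
log tcp any any -> 192.168.1.0/24 80 (msg:"inbound web"; sid:1000004;)
"""


def content_bytes(spec):
    """Snort content string to bytes: text outside |..| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(spec.strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(line):
    """Parse one rule into a dict; only the msg, content and flags options are honoured."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": "", "content": None, "flags": None}
    for opt in (o.strip() for o in opts.split(";")):
        key, _, value = opt.partition(":")
        value = value.strip()
        if key == "msg":
            rule["msg"] = value.strip('"')
        elif key == "content":
            rule["content"] = content_bytes(value)
        elif key == "flags":   # "U+" = URG set, others allowed; "U" = exactly URG
            rule["flags"] = (set(value.rstrip("+")), value.endswith("+"))
    return rule


def load_rules(text):
    lines = (l.strip() for l in text.splitlines())
    return [parse_rule(l) for l in lines if l and not l.startswith("#")]


def in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def on_port(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (in_net(rule["src"], pkt["src"]) and in_net(rule["dst"], pkt["dst"])):
        return False
    if not (on_port(rule["sport"], pkt["sport"]) and on_port(rule["dport"], pkt["dport"])):
        return False
    if rule["flags"]:
        required, plus = rule["flags"]
        if not (required <= pkt["flags"] if plus else required == pkt["flags"]):
            return False
    return rule["content"] is None or rule["content"] in pkt["payload"]


def run(rules, packets):
    """First matching rule wins. Returns (alerts, log entries)."""
    alerts, log = [], []
    for pkt in packets:
        rule = next((r for r in rules if rule_matches(r, pkt)), None)
        if rule is None or rule["action"] == "pass":
            continue                   # pass: ignore the packet, no alert, no log
        entry = f'{rule["msg"]} {pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}'
        if rule["action"] == "alert":  # alert first, then log the packet
            alerts.append(entry)
        log.append(entry)
    return alerts, log


def packet(proto, src, sport, dst, dport, flags="", payload=b""):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": set(flags), "payload": payload}


# Constructed traffic (made-up addresses); the RPC payload is a hand-built portmapper DUMP call.
SAMPLE_PACKETS = [
    packet("tcp", "192.168.1.100", 1035, "192.168.1.10", 139, "UPA", b"XXX"),     # WinNuke-style
    packet("tcp", "192.168.1.5", 2000, "192.168.1.10", 139, "UPA", b"XXX"),       # same, trusted scanner
    packet("tcp", "192.168.1.100", 1036, "192.168.1.10", 139, "A", b"\0\0\0\0"),  # ordinary SMB, no URG
    packet("udp", "10.0.0.7", 40000, "192.168.1.10", 111,
           payload=bytes.fromhex("3f1c2a55 00000000 00000002 000186a0 00000002 00000004" + "00000000" * 4)),
    packet("tcp", "203.0.113.9", 51000, "192.168.1.20", 80, "S"),                 # inbound web, log only
]

if __name__ == "__main__":
    alerts, log = run(load_rules(RULES), SAMPLE_PACKETS)
    print("ALERTS:", *alerts, sep="\n  ")
    print("LOG:", *log, sep="\n  ")
```

Two packets raise alerts and also appear in the log, the web request is logged only, the scanner's probe is swallowed by the pass rule, and the plain SMB segment matches nothing. Writing the rule actions out this way makes the difference between log and alert obvious: alert is log plus a notification path (syslog, SMB pop-up, or the alert file that Swatch watches).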
