1. Intrusion Detection Systems. Outline: Introduction; Threats; Types; Host or Network?; Agent-based; Snort; A simple rule; A few intrusions; User profiling; Honeypots; IPS; Conclusions. In the diagrams throughout, Eve is the intruder. Author: Prof Bill Buchanan.
2. Introduction (section divider).
3. Defence-in-depth. The enemy takes some time to breach each of the levels of defence: first-level, second-level, third-level and fourth-level defence.
4. DMZ. A DMZ (demilitarised zone) is an area where military actions are prohibited; in network terms it sits between the trusted side (our side) and the untrusted side (their side).
5. Protecting. The assets to protect are users, systems and data. Even with the best defences, intruders can penetrate them (the intruder's probe in the diagram: "Hello. How are you? Is this okay?").
6. Defence-in-depth. Intrusion Detection Systems can help to reduce breaches: an IDS at each of the first-, second-, third- and fourth-level defences watches the users, systems and data assets behind it.
7. Threats (section divider).
8. Outside threats. Threats crossing the network/organisational perimeter (firewall/gateway): data stealing, corporate access, email access, web access, external hack, DoS (denial-of-service), personal abuse, worms/viruses, terrorism/extortion and fraud. Intrusion detection sits behind the perimeter to protect the users, systems and data assets.
9. Internal threats (often a greater threat than those from outside). CSI (Computer Security Institute) found that 70% of organisations had breaches and that 60% of all breaches came from inside their own systems. The firewall/gateway cannot deal with internal threats, so the same list (data stealing, corporate/email/web access abuse, external hack, DoS, personal abuse, worms/viruses, terrorism/extortion, fraud) has to be covered by intrusion detection on the inside of the perimeter as well.
10. Defence-in-depth (multiple obstacles). Public web, FTP and proxy servers sit in the DMZ behind a firewall with audit/logging; a NAT device separates the DMZ from the users. An IDS is placed at each layer: outside the firewall, in the DMZ, behind the NAT device and beside the users. Defence-in-depth puts as many obstacles as possible in the way of an intruder, so that it becomes harder to penetrate the network, and easier to detect.
11. Types (section divider).
12. IDS types. Anomaly detection: this assumes that abnormal behaviour by a user can be correlated with an intrusion. Its advantage is that it can typically react to new attacks, but it can often struggle to detect variants of known attacks, particularly if they fit into the normal usage pattern of a user. Another problem is that the intruder can mimic the behavioural pattern of the user. Misuse detection: this attempts to model attacks on a system as specific patterns, and then scans for occurrences of these. Its disadvantage is that it struggles to detect new attacks. Threats the IDS agent faces: personal abuse, viruses/worms, external hack (scripting), external hack (human), denial-of-service, fraud and data stealing.
13. IDS types. Network intrusion detection systems (NIDS): these monitor packets on the network and try to determine an intrusion. A NIDS is either host based (where it runs on a host) or listens to the network using a hub, router or probe. System integrity verifier (SIV): these monitor system files to determine if an intruder has changed them (a backdoor attack). A good example of this is Tripwire. It can also watch other key system components, such as the Windows registry and root/administrator-level privileges. Log file monitors (LFM): these monitor log files which are generated by network services, and look for key patterns of change. Swatch is a good example. User profiling: the anomaly-detection approach applied to individual users.
14. Typical pattern of intrusion (from code yellow to code red ...). Outside reconnaissance: the intruder gains public information about the systems, such as DNS and IP information. Inside reconnaissance: the intruder gains more specific information such as subnet layout and networked devices. Exploit: the intruder finds a weakness, such as cracking a password, breaching a firewall, and so on. Foothold: once into the system, the intruder can then advance up the privilege levels. Profit: data stealing, system damage, user abuse, and so on. Intrusion detection has an opportunity at each of these stages.
15. Host or Network? (section divider).
16. Host or network? A network-based IDS listens to some or all of the network traffic (in the diagram: sensors outside the firewall, in the DMZ with the public web/FTP/proxy servers, and behind the NAT device). A host-based IDS listens only to the traffic in and out of the host it runs on.
17. Protecting (diagram only: firewall, intrusion detection system, DMZ, NAT device).
18. IDS location. Connected to a hub, the IDS can listen to all the incoming and outgoing network traffic. Connected to a switch, the IDS cannot hear any traffic which is not addressed to it, because the switch only forwards a frame to the port that owns its destination MAC address.
19. Using the SPAN port. To give the IDS visibility on a switch, the switch mirrors the ports of interest onto the port the IDS is plugged into. Here the IDS is on FastEthernet0/1, which mirrors FastEthernet0/2, FastEthernet0/5 and VLAN 2 (ports 0/3 and 0/4):

interface FastEthernet0/1
 port monitor FastEthernet0/2
 port monitor FastEthernet0/5
 port monitor VLAN2
!
interface FastEthernet0/2
!
interface FastEthernet0/3
 switchport access vlan 2
!
interface FastEthernet0/4
 switchport access vlan 2
!
interface FastEthernet0/5
!
interface VLAN1
 ip address 192.168.0.1 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!

The port monitor form is the older Catalyst 2900XL/3500XL syntax; current IOS expresses the same thing as monitor session <n> source interface ... and monitor session <n> destination interface .... Two practical checks: a mirror port fed by several busy source ports is oversubscribed and silently drops frames, so the IDS can miss traffic; and a SPAN destination port normally does not accept inbound frames, so the sensor needs a second interface for management.
20. Protecting: what each sensor sees. The IDS outside the main firewall detects attacks against the main firewall; the IDS in the DMZ detects attacks against the servers; the IDS behind the firewall detects successful attacks against the firewall; the internal IDS detects internal attacks; and the host IDS detects attacks against the host itself.
21. Agent-based (section divider).
22. Agent-based system allows for distributed security. Agents: security agent, management agent, QoS agent, SNORT agent, auditing agent and reconfig agent.
23. IDS: agent-based (diagram only).
24. WinPCap (section divider).
25. Integrating with WinPCap: capturing packets. The stack, top to bottom: user-defined agent, Wireshark or SNORT; the API interface and capture filter; WinPCap (libpcap); the network interface (Ethernet, wireless, ADSL, etc.).
26. IDS: WinPCap (diagram only).
27. Integrating with WinPCap: showing the interfaces. The program uses the Tamir code wrapper (a .NET interface to WinPCap) to list the capture-capable devices. The escape sequences lost in extraction (\r\n, \t) are restored:

using System;
using Tamir.IPLib;

namespace NapierCapture
{
  public class ShowDevices
  {
    public static void Main(string[] args)
    {
      string verWinPCap = null;
      int count = 0;
      // Version of the WinPCap library the wrapper is bound to
      verWinPCap = Tamir.IPLib.Version.GetVersionString();
      // Every interface WinPCap can capture on
      PcapDeviceList getNetConnections = SharpPcap.GetAllDevices();
      Console.WriteLine("WinPCap Version: {0}", verWinPCap);
      Console.WriteLine("Connected devices:\r\n");
      foreach (PcapDevice net in getNetConnections)
      {
        Console.WriteLine("{0}) {1}", count, net.PcapDescription);
        Console.WriteLine("\tName:\t{0}", net.PcapName);
        Console.WriteLine("\tMode:\t\t\t{0}", net.PcapMode);
        Console.WriteLine("\tIP Address: \t\t{0}", net.PcapIpAddress);
        Console.WriteLine("\tLoopback: \t\t{0}", net.PcapLoopback);
        Console.WriteLine();
        count++;
      }
      Console.Write("Press any <RETURN> to exit");
      Console.Read();
    }
  }
}
28. Integrating with WinPCap: capturing packets. The second device in the list is opened, and a callback prints the arrival time and length of every packet (the using lines, absent from the slide, are the ones the code needs):

using System;
using Tamir.IPLib;
using Tamir.IPLib.Packets;   // Packet type received by the callback

namespace NapierCapture
{
  public class CapturePackets
  {
    public static void Main(string[] args)
    {
      PcapDeviceList getNetConnections = SharpPcap.GetAllDevices();
      // Index 1 is the second interface; choose the one carrying the traffic of interest
      NetworkDevice netConn = (NetworkDevice)getNetConnections[1];
      PcapDevice device = netConn;
      device.PcapOnPacketArrival += new SharpPcap.PacketArrivalEvent(device_PcapOnPacketArrival);
      Console.WriteLine("Network connection: {0}", device.PcapDescription);
      device.PcapStartCapture();
      Console.Write("Press any <RETURN> to exit");
      Console.Read();
      device.PcapStopCapture();
      device.PcapClose();
    }

    private static void device_PcapOnPacketArrival(object sender, Packet packet)
    {
      // Capture timestamp and on-the-wire length from the pcap record header
      DateTime time = packet.PcapHeader.Date;
      int len = packet.PcapHeader.PacketLength;
      Console.WriteLine("{0}:{1}:{2},{3} Len={4}", time.Hour, time.Minute, time.Second, time.Millisecond, len);
    }
  }
}

Sample output:
13:17:56,990 Len=695
13:17:57,66 Len=288
13:17:57,68 Len=694
13:18:4,363 Len=319
13:18:4,364 Len=373
13:18:4,364 Len=371
13:18:4,365 Len=375
13:18:4,366 Len=367
29. Snort (section divider).
30. Snort rules. The SNORT rules feed the SNORT agent, which produces event data and a log data file. Signature detection identifies well-known patterns of attack. Anomaly detection looks for statistical anomalies, such as user logins, changes to files, and so on. Other tools: Tcptrace (identify TCP streams) and Tcpflow (reconstruct TCP streams).
31. Snort rules: the action. alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
Rule actions: alert (generate an alert and log the packet); log (log the packet); pass (ignore the packet); activate (alert and activate another rule); dynamic (remain idle until activated by an activate rule).
32. Snort rules: the header. [Source IP] [Port] -> [Destination IP] [Port]. In the rule above: any source IP and any source port, to 192.168.1.0/24 on port 111 (the portmapper).
33. Payload detection. content matches a hex sequence such as "|00 01 86 a5|" (here the RPC program number of mountd, 100005) or a text sequence such as "USER root". Modifiers that refine where the content must appear: rawbytes, offset, depth, distance, within, uricontent and byte_jump.
34. Payload detection: msg is the message to display with the alert.
35. Snort rule: sid and rev. alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; classtype:policy-violation; sid:1991; rev:1;)
The sid and rev identify known Snort rules: sid values below 100 are reserved for future use; 100 to 1,000,000 are rules included with the Snort distribution; above 1,000,000 is for local rules. The rev is bumped each time a rule is revised. For example, sid:336; rev:7; represents an attempt to change to the system administrator's account in FTP.
36. A simple rule (section divider).
37. Running Snort. Rule file bill.rules:
alert tcp any any -> any any (content:"the"; msg:"The found ....";)
Command (verbose, use the rule file, log to /log):
snort -v -c bill.rules -l /log
Alerts go to alert.ids in the log directory; these were raised on 16 January at 10:27pm. The [1:0:0] is generator:sid:rev, and reads 0:0 because the rule has no sid or rev.
[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20

[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.287084 0:3:6D:FF:2A:51 -> 0:60:B3:68:B1:10 type:0x800 len:0x198
192.168.0.20:3554 -> 192.168.0.22:445 TCP TTL:128 TOS:0x0 ID:1086 IpLen:20 DgmLen:394 DF
***AP*** Seq: 0x3524EE7B Ack: 0xF842AB06 Win: 0x42E4 TcpLen: 20

[**] [1:0:0] The found .... [**]
[Priority: 0]
01/16-22:27:35.290026 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x5D
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:775 IpLen:20 DgmLen:79 DF
***AP*** Seq: 0xF842AB06 Ack: 0x3524EFDD Win: 0x41BF TcpLen: 20
38. Payload detection: header layout. Ethernet frame: source MAC address, destination MAC address, type, length, then the IP header, the TCP header and the data. IP header: version, header length, type of service, total length, identification, flags (0, D, M), fragment offset, time-to-live (TTL), protocol, header checksum, source IP address, destination IP address. TCP header: source port, destination port, sequence number, acknowledgement number, data offset, flags/reserved, window, checksum, urgent pointer. Mapping these onto an alert:
01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20
The first line is the Ethernet frame (MAC addresses, type 0x800 = IP, frame length 0x169); the second is the IP header (addresses, TTL, TOS, ID, header length 20, datagram length 347, DF flag) with the ports taken from the TCP header; the third is the rest of the TCP header (flags, sequence and acknowledgement numbers, window, header length).
39. Payload detection: IP protocol field values. 1 ICMP, 6 TCP, 8 EGP, 41 IPv6 over IPv4, 46 RSVP, 50 ESP, 51 AH.
40. Payload detection (repeat of the slide 38 diagram and alert).
41. Snort logs. With -l /log, Snort creates one directory per host under log/ (192.168.0.1, 192.168.0.2, 192.168.0.3, 192.168.0.20, 192.168.0.21, 192.168.0.24, 192.168.0.25, 192.168.0.60), each holding one file per connection named after the two ports, such as TCP_3423-445.ids, TCP_3424-139.ids, TCP_3521-445.ids, TCP_3529-139.ids, TCP_3554-445.ids and TCP_3566-445.ids. The log of the traffic between port 3423 and port 445 to/from 192.168.0.20 starts with the three-way handshake (SYN, then SYN/ACK whose Ack is the client's Seq plus one, then ACK):
01/16-22:11:15.833440 192.168.0.20:3423 -> 192.168.0.22:445
TCP TTL:128 TOS:0x0 ID:975 IpLen:20 DgmLen:48 DF
******S* Seq: 0x26885B8B Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/16-22:11:15.835497 192.168.0.22:445 -> 192.168.0.20:3423
TCP TTL:128 TOS:0x0 ID:653 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xE9A4004C Ack: 0x26885B8C Win: 0x4470 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/16-22:11:15.835571 192.168.0.20:3423 -> 192.168.0.22:445
TCP TTL:128 TOS:0x0 ID:977 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x26885B8C Ack: 0xE9A4004D Win: 0x4470 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
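As an added example (not code from the slides or from Snort), here is the decoding that turns captured bytes into log entries like the ones above, in Python: a minimal reader for the classic libpcap file format, Ethernet/IPv4/TCP header parsing, and a renderer that prints each packet in Snort's log layout with the flags in Snort's 12UAPRSF order. The capture is constructed inside the block to reproduce the three handshake packets above; the MAC addresses are the ones the slide 37 alerts show for 192.168.0.22 and 192.168.0.20, and the year (2004) is an assumption because the log format carries none. The IP header checksum is verified before a packet is decoded, since a sensor must not trust the lengths in a corrupt header.

```python
import struct
from datetime import datetime, timezone

FLAG_BITS = ("F", "S", "R", "P", "A", "U", "2", "1")  # bits 0..7 of the TCP flags byte
MSS_NOP_NOP_SACKOK = bytes.fromhex("020405b401010402")  # the 8 bytes of options the SYNs carry


def ip_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, win, ip_id,
                options=b"", payload=b""):
    """Ethernet + IPv4 (DF set, TTL 128) + TCP with a correct IP checksum. TCP checksum is left 0."""
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, (tcp_len // 4) << 4, flags, win, 0, 0)
    tcp += options + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 128, 6, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip_hdr + tcp


def build_pcap(frames):
    """Classic pcap file: 24-byte global header, then (ts_sec, ts_usec, incl_len, orig_len, bytes)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for ts, frame in frames:
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)) + frame
    return out


def snort_flags(flags):
    """Flags byte rendered the way Snort prints it: positions 1 2 U A P R S F, '*' where clear."""
    return "".join(FLAG_BITS[i] if flags & (1 << i) else "*" for i in range(7, -1, -1))


def decode_pcap(data):
    """Yield one dict per TCP-over-IPv4 packet, holding the fields Snort prints."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        tos, dgm_len, ip_id, frag, ttl, proto, _csum = struct.unpack("!BHHHBBH", frame[15:26])
        if proto != 6 or ip_checksum(frame[14:14 + ihl]) != 0:
            continue  # not TCP, or a corrupt header whose lengths must not be trusted
        tcp = frame[14 + ihl:14 + dgm_len]
        sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
        tcp_len = (off >> 4) * 4
        stamp = datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%m/%d-%H:%M:%S.")
        yield {"time": stamp + "%06d" % ts_usec,
               "src": ".".join(map(str, frame[26:30])), "sport": sport,
               "dst": ".".join(map(str, frame[30:34])), "dport": dport,
               "ttl": ttl, "tos": tos, "id": ip_id, "ip_len": ihl, "dgm_len": dgm_len,
               "df": bool(frag & 0x4000), "flags": flags, "seq": seq, "ack": ack,
               "win": win, "tcp_len": tcp_len, "payload": tcp[tcp_len:]}


def render(p):
    """Two lines in the layout of the alert.ids and per-connection log entries on the slides."""
    line1 = "%s %s:%d -> %s:%d TCP TTL:%d TOS:0x%X ID:%d IpLen:%d DgmLen:%d%s" % (
        p["time"], p["src"], p["sport"], p["dst"], p["dport"], p["ttl"], p["tos"],
        p["id"], p["ip_len"], p["dgm_len"], " DF" if p["df"] else "")
    line2 = "%s Seq: 0x%X Ack: 0x%X Win: 0x%X TcpLen: %d" % (
        snort_flags(p["flags"]), p["seq"], p["ack"], p["win"], p["tcp_len"])
    return line1 + "\n" + line2


# Constructed capture: the three handshake packets of slide 41. The MACs are the ones the slide 37
# alerts show for 192.168.0.22 and 192.168.0.20; the year is assumed (the log carries none).
T0 = datetime(2004, 1, 16, 22, 11, 15, tzinfo=timezone.utc).timestamp()
CLIENT, SERVER = "0:3:6D:FF:2A:51", "0:60:B3:68:B1:10"
SAMPLE_PCAP = build_pcap([
    (T0 + 0.833440, build_frame(CLIENT, SERVER, "192.168.0.20", "192.168.0.22", 3423, 445,
                                0x26885B8B, 0, 0x02, 0x4000, 975, MSS_NOP_N0P_SACKOK if False else MSS_NOP_NOP_SACKOK)),
    (T0 + 0.835497, build_frame(SERVER, CLIENT, "192.168.0.22", "192.168.0.20", 445, 3423,
                                0xE9A4004C, 0x26885B8C, 0x12, 0x4470, 653, MSS_NOP_NOP_SACKOK)),
    (T0 + 0.835571, build_frame(CLIENT, SERVER, "192.168.0.20", "192.168.0.22", 3423, 445,
                                0x26885B8C, 0xE9A4004D, 0x10, 0x4470, 977)),
])


def decode_sample():
    return [render(p) for p in decode_pcap(SAMPLE_PCAP)]


if __name__ == "__main__":
    print("\n=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=\n".join(decode_sample()))
```

The DgmLen and TcpLen values come straight from the headers: the two SYN packets carry 8 bytes of options (TcpLen 28, DgmLen 48) and the final ACK none (TcpLen 20, DgmLen 40), which is why the rendered lines match the slide's entries exactly.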
42. Payload detection: TCP flags. TCP header fields: source port, destination port, sequence number, acknowledgement number, data offset, flags/reserved, window, checksum, urgent pointer. The flag field is written UAPRSF: U is the urgent flag (URG), A the acknowledgement flag (ACK), P the push function (PSH), R the reset flag (RST), S the sequence synchronise flag (SYN) and F the end-of-transmission flag (FIN). In Snort's eight-character output the two positions before U are the reserved (ECN) bits, so ***AP*** means ACK and PSH set and ******S* a bare SYN.
43. Payload detection: the three-way handshake. The SYN flag identifies a new connection.
1. Originator: CLOSED. Recipient: LISTEN.
2. Originator goes to SYN-SENT and sends <SEQ=999><CTL=SYN>; recipient goes to SYN-RECEIVED.
3. Recipient replies <SEQ=100><ACK=1000><CTL=SYN,ACK>; originator goes to ESTABLISHED.
4. Originator sends <SEQ=1000><ACK=101><CTL=ACK>; recipient goes to ESTABLISHED.
5. Originator sends <SEQ=1000><ACK=101><CTL=ACK><DATA>; both sides ESTABLISHED.
Flags as before: UAPRSF (URG, ACK, PSH, RST, SYN, FIN).
44. Payload detection: flags and flow. An incoming SYN flag is important in detecting the start of a connection. The main flags are F (FIN), S (SYN), R (RST), P (PSH), A (ACK) and U (URG). The following modifiers change the match criteria: + match on the specified bits, plus any others; * match if any of the specified bits are set; ! match if the specified bits are not set. Example to test for the SYN flag:
alert tcp any any -> any any (flags:S;)
It is often important to know the flow direction. The main flow options are: to_server (client requests to the server); to_client (server responses to the client); from_client (a synonym for to_server); from_server (a synonym for to_client); established (only packets belonging to an established TCP connection, which relies on Snort's stream preprocessor tracking the session). Example to test for an FTP connection to the user's computer (the closing parenthesis, missing from the slide, is required):
alert tcp any any -> $HOME_NET 21 (flow:from_client; content:"CWD incoming"; nocase;)
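As an added example (not the slides' or Snort's code), a small Python matcher for the subset of the rule language used on slides 31 to 35 and 44: the header (action, protocol, source/destination with $VAR substitution and ! negation, ports), content with |hex| escapes and the nocase, offset, depth, distance and within modifiers, the flags test with its +, * and ! modifiers, and the msg/sid/rev options. It runs the slides' rules over constructed packets. The $HOME_NET, $EXTERNAL_NET and $TELNET_SERVERS values, the packet addresses and payloads, and the msg text on the flags:S and FTP rules (the slides give them none) are assumptions. flow: is parsed but not enforced, because that needs the connection tracking a real sensor does.

```python
import ipaddress
import re

VARS = {"$HOME_NET": "192.168.0.0/24", "$EXTERNAL_NET": "!192.168.0.0/24",  # assumed; snort.conf sets these
        "$TELNET_SERVERS": "192.168.0.0/24"}
FLAG_VALUE = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
OPTION_RE = re.compile(r'(\w+)(?::\s*("[^"]*"|[^;]+))?\s*;')
MODIFIERS = ("nocase", "depth", "offset", "distance", "within")  # each applies to the preceding content


def content_bytes(text):
    # Text outside |...| is literal; inside |...| it is hex (e.g. "login|3A| root" -> b"login: root").
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1") for i, p in enumerate(text.split("|")))


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("bad rule header: " + line)
    rule = {"action": m[1], "proto": m[2], "src": m[3], "sport": m[4], "dst": m[6], "dport": m[7],
            "contents": [], "flags": None, "opts": {}}
    for key, val in OPTION_RE.findall(m[8]):
        val = val.strip().strip('"')
        if key == "content":
            rule["contents"].append({"pattern": content_bytes(val)})
        elif key in MODIFIERS and rule["contents"]:
            rule["contents"][-1][key] = True if key == "nocase" else int(val)
        elif key == "flags":
            rule["flags"] = val
        else:
            rule["opts"][key] = val  # msg, sid, rev, flow, classtype: recorded, not enforced
    return rule


def addr_match(spec, ip):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_match(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def flags_match(spec, flags):
    # Slide 44 semantics: exact set; '+' those bits plus any others; '*' any of them; '!' none of them.
    mode = spec[-1] if spec[-1] in "+*!" else ""
    want = sum(FLAG_VALUE[ch] for ch in spec.rstrip("+*!"))
    low = flags & 0x3F  # the two reserved (ECN) bits are ignored, as Snort does by default
    return {"+": low & want == want, "*": bool(low & want), "!": not low & want}.get(mode, low == want)


def contents_match(payload, contents):
    end_prev = 0  # end of the previous match; distance/within are relative to it
    for c in contents:
        pat, hay = (c["pattern"].lower(), payload.lower()) if c.get("nocase") else (c["pattern"], payload)
        if "distance" in c or "within" in c:
            start = end_prev + c.get("distance", 0)
            end = start + c["within"] if "within" in c else len(hay)
        else:
            start = c.get("offset", 0)
            end = start + c["depth"] if "depth" in c else len(hay)
        idx = hay.find(pat, start, end)  # the whole pattern must lie inside [start, end)
        if idx < 0:
            return False
        end_prev = idx + len(pat)
    return True


def rule_matches(rule, pkt):
    header_ok = (rule["proto"] == pkt["proto"]
                 and addr_match(rule["src"], pkt["src"]) and rule["sport"] in ("any", str(pkt["sport"]))
                 and addr_match(rule["dst"], pkt["dst"]) and rule["dport"] in ("any", str(pkt["dport"])))
    if not header_ok or (rule["flags"] is not None and not flags_match(rule["flags"], pkt["flags"])):
        return False
    return contents_match(pkt["payload"], rule["contents"])


def run_rules(rule_lines, packets):
    # (packet index, msg) for every rule that fires; packets in capture order, rules in file order.
    rules = [parse_rule(r) for r in rule_lines]
    return [(i, r["opts"].get("msg", "(no msg)")) for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]


RULES = [  # the slides' rules; the msg text on the second and third is added here
    'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)',
    'alert tcp any any -> any any (flags:S; msg:"SYN seen";)',
    'alert tcp any any -> $HOME_NET 21 (flow:from_client; content:"CWD incoming"; nocase; msg:"FTP CWD incoming";)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; '
    'content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; classtype:policy-violation; sid:1991; rev:1;)',
    'alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; flow:from_server,established; '
    'content:"login|3A| root"; classtype:suspicious-login; sid:719; rev:7;)',
]

pkt = lambda src, sport, dst, dport, flags, payload=b"": {
    "proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags, "payload": payload}

PACKETS = [  # constructed for the example; addresses and payloads are made up
    pkt("10.0.0.5", 1234, "192.168.1.7", 111, 0x18, bytes.fromhex("800000280000000200000000000186a5")),
    pkt("10.0.0.5", 40000, "192.168.0.20", 445, 0x02),                         # bare SYN
    pkt("10.0.0.5", 4001, "192.168.0.20", 21, 0x18, b"cwd Incoming\r\n"),      # case differs: nocase
    pkt("192.168.0.20", 3500, "207.46.1.1", 1863, 0x18, b"USR 7 TWN I fred@example.com\r\n"),
    pkt("192.168.0.20", 3500, "207.46.1.1", 1863, 0x18, b"XUSR 7 TWN I x\r\n"),  # USR not within depth 4
    pkt("192.168.0.22", 23, "10.0.0.5", 4000, 0x18, b"\r\nlogin: root\r\n"),
]

if __name__ == "__main__":
    for i, msg in run_rules(RULES, PACKETS):
        print("packet %d: %s" % (i, msg))
```

The fifth packet is the case worth noticing: it carries the MSN login string, but depth:4 restricts the first content to the first four payload bytes, so a leading byte of padding defeats the rule. That is the general lesson of positional modifiers: they cut false positives at the cost of being brittle against a sender who controls the framing.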
45. Payload detection: the handshake against the header layout (a repeat of the slide 38 header diagram with the three handshake entries of slide 41). Worth noticing in those entries: the two SYN packets carry 8 bytes of TCP options (TcpLen: 28, DgmLen: 48) while the final ACK carries none (TcpLen: 20, DgmLen: 40), and none of the three carries any data.
46. ARP information. Devices on a switch can only communicate directly if they have both the IP address and the MAC address of the peer. An ARP request ("Who has 192.168.0.168?") is broadcast to the network, and the owner replies with its MAC address. Snort logs ARP as:
01/16-09:31:08.785149 ARP who-has 192.168.0.168 tell 192.168.0.22
01/16-09:45:59.458607 ARP who-has 192.168.0.42 tell 192.168.0.216
01/16-09:45:59.459159 ARP reply 192.168.0.42 is-at 0:20:18:38:B8:63
01/16-09:46:03.857325 ARP who-has 192.168.0.104 tell 192.168.0.198
01/16-09:46:10.125715 ARP who-has 192.168.0.15 tell 192.168.0.38
01/16-09:46:10.125930 ARP who-has 192.168.0.38 tell 192.168.0.15
47. A few intrusions (section divider).
48. Intrusions/policy violations: the policy cycle. Inputs: the aims/objectives of the organisation; legal, moral and social responsibilities; technical feasibility. Stages: policy definition, policy implementation, evaluation and verification. Implementation covers operating system rights, firewall rules, application rights, audit rights, domain rights and event log definition.
  49. 49. alert tcp $HOME_NET any -> $EXTERNAL_NET 1863(msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4;nocase; content:" TWN "; distance:1; nocase;classtype:policy-violation; sid:1991; rev:1;) Author: Bill Buchanan Author: Prof Bill Buchanan Intrusions/Policy Violations
50. Intrusions/Policy Violations: FTP server (listening on port 21) monitored by an Intrusion Detection System (figure)
51. Intrusions/Policy Violations: FTP session (server listening on port 21) as seen by the Intrusion Detection System

220-Microsoft FTP Service
220 NTXPW35
530 Please login with USER and PASS.
331 Password required for .
230-FTP Server
230 User bill logged in.
214-The following commands are recognized
    ABOR ACCT ALLO APPE CDUP CWD DELE FEAT HELP LIST MDTM MKD MODE NLST NOOP OPTS PASS PASV PORT PWD QUIT REIN REST RETR RMD RNFR RNTO SITE SIZE SMNT STAT STOR STOU STRU SYST TYPE USER XCUP XCWD XMKD XPWD XRMD
214 HELP command successful.
257 "/bill" is current directory.
250 CWD command successful.
257 "/" is current directory.
250 CWD command successful.
150 Opening ASCII mode data connection for /bin/ls.
52. Intrusions/Policy Violations: Intrusion Detection System (figure only)
53. Intrusions/Policy Violations (figure only)
54. Intrusions/Policy Violations (figure only)
55. Intrusions/Policy Violations: email for Fred delivered to the email server (SMTP, listening on port 25) (figure)
56. Intrusions/Policy Violations: a packet with both the SYN and FIN flags set (<SYN, FIN>) sent to the server (figure)
57. Intrusions/Policy Violations: Snort rule for a Telnet root login

alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; flow:from_server,established; content:"login|3A| root"; classtype:suspicious-login; sid:719; rev:7;)
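The two Snort rules on slides 49 and 57 both rely on content matching with modifiers (depth, distance, nocase). The following added example is not from the slides or from Snort itself: a small parser for that rule syntax and an evaluator that applies the content modifiers to a payload, so the effect of depth and distance can be tried on constructed data. Only the options the two rules use are handled; real Snort has many more.

```python
import re

# Added example, not from the slides: a minimal parser for Snort rules of
# the shape shown above (sid 1991 and sid 719), plus an evaluator for the
# content / depth / distance / nocase options those rules use.  Every other
# option (msg, flow, classtype, sid, rev) is parsed but not evaluated.

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)

def parse_rule(text):
    """Split a Snort rule into header fields and an ordered (name, value) option list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule header: %r" % text[:40])
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    for opt in m.group("opts").split(";"):     # a ';' inside a content string is not handled
        opt = opt.strip()
        if opt:
            name, _, value = opt.partition(":")
            options.append((name.strip(), value.strip()))
    rule["options"] = options
    return rule

def decode_content(value):
    """Convert a Snort content string to bytes, expanding |3A|-style hex sections."""
    out = b""
    for i, part in enumerate(value.strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out

def match_payload(rule, payload):
    """True if every content option matches the payload, in rule order.

    Semantics used here: each content is searched from the end of the
    previous match (or the start of the payload); distance:N skips N bytes
    before searching; depth:N limits the search to the next N bytes;
    nocase compares case-insensitively.
    """
    contents = []                                  # [(pattern, modifiers)] in rule order
    for name, value in rule["options"]:
        if name == "content":
            contents.append((decode_content(value), {}))
        elif name in ("depth", "distance", "nocase") and contents:
            contents[-1][1][name] = value          # modifier applies to the preceding content
    cursor = 0
    for pattern, mods in contents:
        start = cursor + int(mods.get("distance", 0))
        end = min(len(payload), start + int(mods["depth"])) if "depth" in mods else len(payload)
        hay, needle = payload[start:end], pattern
        if "nocase" in mods:
            hay, needle = hay.lower(), needle.lower()
        pos = hay.find(needle)
        if pos < 0:
            return False
        cursor = start + pos + len(needle)
    return True

# The two rules from the slides, verbatim.
MSN_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; '
            'flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; '
            'distance:1; nocase; classtype:policy-violation; sid:1991; rev:1;)')
TELNET_RULE = ('alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; '
               'flow:from_server,established; content:"login|3A| root"; '
               'classtype:suspicious-login; sid:719; rev:7;)')

def check(rule_text, payload):
    """Parse one rule and return (sid, msg, matched) for a payload."""
    rule = parse_rule(rule_text)
    opts = dict(rule["options"])
    return opts["sid"], opts["msg"].strip('"'), match_payload(rule, payload)

if __name__ == "__main__":
    # Constructed payloads, not captured traffic.
    print(check(MSN_RULE, b"USR 8 TWN I bill@example.com\r\n"))
    print(check(MSN_RULE, b" USR 8 TWN I bill@example.com\r\n"))   # fails depth:4
    print(check(TELNET_RULE, b"\r\nlogin: root\r\nPassword: "))
```

The second MSN payload shows why depth matters: with one leading space the "USR " string no longer fits inside the first four bytes, so the rule does not fire even though the text is present.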
58. UDP/TCP Port Scans

Typical scans: ping sweeps, TCP scans, UDP scans, OS identification scans, account scans.

A particular threat is the TCP/UDP port scanner, which scans for open ports on a host (Open port 10? Open port 11? ... Open port 8888?). An open port is in the LISTEN state. If an intruder finds one, it may try to connect to it.

C:\log>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    bills:epmap            bills:0                LISTENING
  TCP    bills:microsoft-ds     bills:0                LISTENING
  TCP    bills:1035             bills:0                LISTENING
  TCP    bills:3389             bills:0                LISTENING
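Slides 45, 56 and 58 between them describe the header-level checks a network IDS can make on TCP traffic: the Snort log format with its flag string, a packet with SYN and FIN set together, and a port scanner probing many ports. The following added example is not from the slides: it parses the Snort packet-header log format printed on slide 45 and runs three header checks over it. The sample log is constructed; its first three records copy the handshake on slide 45, and the remaining records are invented scanner traffic from 10.0.0.5.

```python
import re
from collections import defaultdict

# Added example, not from the slides: parse Snort packet-header records and
# apply three checks: SYN+FIN set together, no flags set, and one source
# sending SYNs to many ports without completing the handshake (a crude
# half-open / port-scan indicator).  All traffic below is constructed.

FLAG_ORDER = "12UAPRSF"   # the order in which Snort prints the TCP flag byte

HEAD_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)$")
TCP_RE = re.compile(r"^(?P<flags>[12UAPRSF*]{8})\s+Seq:\s*(?P<seq>0x[0-9A-Fa-f]+)"
                    r"\s+Ack:\s*(?P<ack>0x[0-9A-Fa-f]+)")

def parse_snort_log(text):
    """Return one dict per TCP record; records are separated by =+=+ lines."""
    packets = []
    for record in re.split(r"^=\+.*$", text, flags=re.M):
        lines = [l.strip() for l in record.splitlines() if l.strip()]
        if len(lines) < 3 or not lines[1].startswith("TCP "):
            continue
        h, t = HEAD_RE.match(lines[0]), TCP_RE.match(lines[2])
        if not (h and t):
            continue
        flags = {FLAG_ORDER[i] for i, c in enumerate(t.group("flags")) if c != "*"}
        packets.append({"ts": h.group("ts"),
                        "src": h.group("src"), "sport": int(h.group("sport")),
                        "dst": h.group("dst"), "dport": int(h.group("dport")),
                        "flags": flags,
                        "seq": int(t.group("seq"), 16), "ack": int(t.group("ack"), 16)})
    return packets

def header_alerts(packets, scan_threshold=5):
    """Return (signature, detail) tuples for the three header checks."""
    alerts = []
    half_open = defaultdict(set)   # src -> {(dst, dport)}: SYN sent, no final ACK seen
    for p in packets:
        fl = p["flags"]
        where = "%s:%d -> %s:%d" % (p["src"], p["sport"], p["dst"], p["dport"])
        if {"S", "F"} <= fl:
            alerts.append(("SYN/FIN packet", where))
        if not fl:
            alerts.append(("NULL TCP packet", where))
        if fl == {"S"}:
            half_open[p["src"]].add((p["dst"], p["dport"]))
        elif fl == {"A"}:
            # a bare ACK from the initiator completes the three-way handshake
            half_open[p["src"]].discard((p["dst"], p["dport"]))
    for src, targets in half_open.items():
        if len(targets) >= scan_threshold:
            alerts.append(("Half-open SYN scan",
                           "%s -> %d ports without completing handshake" % (src, len(targets))))
    return alerts

SEP = "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n"

# The three handshake packets from slide 45.
SAMPLE_LOG = (
    "01/16-22:11:15.833440 192.168.0.20:3423 -> 192.168.0.22:445\n"
    "TCP TTL:128 TOS:0x0 ID:975 IpLen:20 DgmLen:48 DF\n"
    "******S* Seq: 0x26885B8B Ack: 0x0 Win: 0x4000 TcpLen: 28\n"
    "TCP Options (4) => MSS: 1460 NOP NOP SackOK\n" + SEP +
    "01/16-22:11:15.835497 192.168.0.22:445 -> 192.168.0.20:3423\n"
    "TCP TTL:128 TOS:0x0 ID:653 IpLen:20 DgmLen:48 DF\n"
    "***A**S* Seq: 0xE9A4004C Ack: 0x26885B8C Win: 0x4470 TcpLen: 28\n"
    "TCP Options (4) => MSS: 1460 NOP NOP SackOK\n" + SEP +
    "01/16-22:11:15.835571 192.168.0.20:3423 -> 192.168.0.22:445\n"
    "TCP TTL:128 TOS:0x0 ID:977 IpLen:20 DgmLen:40 DF\n"
    "***A**** Seq: 0x26885B8C Ack: 0xE9A4004D Win: 0x4470 TcpLen: 20\n" + SEP)

def _record(src, sport, dst, dport, flags, ident):
    """Build one constructed record in the same layout as the slide's log."""
    return ("01/16-22:13:%02d.000000 %s:%d -> %s:%d\n"
            "TCP TTL:64 TOS:0x0 ID:%d IpLen:20 DgmLen:40\n"
            "%s Seq: 0x1 Ack: 0x0 Win: 0x200 TcpLen: 20\n"
            % (ident, src, sport, dst, dport, ident, flags)) + SEP

# Constructed scanner traffic: one SYN/FIN, one NULL packet, five bare SYNs.
SCANNER_LOG = (_record("10.0.0.5", 40000, "192.168.0.22", 21, "******SF", 1)
               + _record("10.0.0.5", 40001, "192.168.0.22", 22, "********", 2)
               + "".join(_record("10.0.0.5", 40002 + i, "192.168.0.22", port, "******S*", 3 + i)
                         for i, port in enumerate((21, 22, 23, 25, 80))))
FULL_LOG = SAMPLE_LOG + SCANNER_LOG

if __name__ == "__main__":
    for sig, detail in header_alerts(parse_snort_log(FULL_LOG)):
        print("%-20s %s" % (sig, detail))
```

The handshake from the slide produces no alert, because the initiator's final bare ACK clears its SYN from the half-open table; the scanner's five unanswered SYNs reach the threshold and are reported once, per source, after the whole log has been read.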
59. Ping sweeps

Typical scans: ping sweeps, TCP scans, UDP scans, OS identification scans, account scans.

A particular threat is the ping scanner, which pings multiple hosts (Ping 192.168.0.1? ... Ping 192.168.0.253? Ping 192.168.0.254?) to see which ones are alive. If an intruder finds one, they may try to connect to it. Often ping (ICMP) is blocked on the gateway of the network.
60. User account scans

Typical scans: ping sweeps, TCP scans, UDP scans, OS identification scans, account scans.

Login attempts against a directory server or an e-commerce server: Login anonymous; Login fred fred; Login user password; Login root; Login default.

Typical problems: anonymous logins; using the same password as the user ID; using "password" as the password; using the root login; using system default logins; weak passwords; well-known passwords; social engineering.
61. Agent-based IDS (figure)
62. User Profiling
63. User profiling for on-line purchases

Transactions are checked against the user profile by a user profiler (such as a bank transaction agent). User/behaviour profiling is especially useful in fraud detection.

Profiles:

Name: Fred McLean. Nationality: USA. Location: Washington. Gender: Male. Typical purchase: Fish Food. Average purchases/week: 50. Average value of purchases: $4. Browser used: IE. Date of last purchase: 18 Sept 2008. Email address: f.mclean@usa.
Name: Fiona Smith. Nationality: British. Location: Edinburgh. Gender: Female. Typical purchase: Computer equipment. Average purchases/week: 5. Average value of purchases: £30. Browser used: Mozilla. Date of last purchase: 6 May 2008. Email address: f.smith@nowhere.
Name: Michel Weber. Nationality: German. Location: Munich. Gender: Male. Typical purchase: Flowers. Average purchases/week: 0.005. Average value of purchases: €43. Browser used: Opera. Date of last purchase: 1 Mar 2007. Email address: m_weber@de.
Name: Amélie Cheney. Nationality: French. Location: Paris. Gender: Female. Typical purchase: Clothes. Average purchases/week: 70. Average value of purchases: €13. Browser used: Mozilla. Date of last purchase: 16 Sept 2008. Email address: a.cheney@fr.edu.
Name: A.N.Other. Nationality: Any. Location: Nowhere. Gender: Female/Male. Typical purchase: High-value goods. Average purchases/week: 1000. Average value of purchases: $9999. Browser used: Not known. Date of last purchase: Today. Email address: doesnt@exist.
64. User profiling for local access/usage

1. On login, the user profile is uploaded to the local machine.
2. An agent on each machine analyses the current user and reports differences of behaviour to the user profiler, which monitors the alerts from the user agents.

Profiles:

Name: Fred McLean. Login: fmclean. Location: Production. Gender: Male. Typing speed: 44 wpm. Applications: AutoCAD, Outlook. Working hours: 9pm-8am. Equipment used: HP8800. Internet usage: 1GB/hour. Network accesses: 40,000/hr.
Name: Fiona Smith. Login: fsmith. Location: Sales. Gender: Female. Typing speed: 54 wpm. Applications: Excel, Word, Outlook. Working hours: 9am-4:30pm. Equipment used: HP4110. Internet usage: 50MB/hour. Network accesses: 40/hr.
Name: Michel Weber. Login: fmclean. Location: Production. Gender: Male. Typing speed: 10 wpm. Applications: Outlook. Working hours: 7am-2pm. Equipment used: HP4111. Internet usage: 500MB/hour. Network accesses: 4000/hr.
Name: Amélie Cheney. Login: acheney. Location: Accounts. Gender: Female. Typing speed: 22 wpm. Applications: Excel, Outlook. Working hours: 9am-1pm. Equipment used: HP1330. Internet usage: 5MB/hour. Network accesses: 2/hr.
Name: A.N.Other. Login: any. Location: Any. Gender: Female/Male. Typing speed: 10 wpm. Applications: Excel, Word, Outlook. Working hours: 9am-11pm. Equipment used: Any. Internet usage: 500MB/hour. Network accesses: 400/hr.
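The second step on slide 64, the agent comparing the current user's behaviour with the uploaded profile, is shown below as an added example that is not from the slides. The profiles copy the slide's values for three users; the observed sessions and the deviation thresholds (typing speed within 40% of the profile, usage counters no more than three times the profile) are assumptions made for the example.

```python
# Added example, not from the slides: the per-machine agent step from the
# local-access profiling slide, written as a comparison of one observed
# session against the stored profile.  Profile values copy the slide; the
# session records and the thresholds are assumptions.

PROFILES = {
    "fmclean": {"location": "Production", "typing_wpm": 44,
                "applications": {"AutoCAD", "Outlook"}, "hours": ("21:00", "08:00"),
                "equipment": "HP8800", "internet_mb_hr": 1024, "net_accesses_hr": 40000},
    "fsmith": {"location": "Sales", "typing_wpm": 54,
               "applications": {"Excel", "Word", "Outlook"}, "hours": ("09:00", "16:30"),
               "equipment": "HP4110", "internet_mb_hr": 50, "net_accesses_hr": 40},
    "acheney": {"location": "Accounts", "typing_wpm": 22,
                "applications": {"Excel", "Outlook"}, "hours": ("09:00", "13:00"),
                "equipment": "HP1330", "internet_mb_hr": 5, "net_accesses_hr": 2},
}

def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def in_working_hours(now, start, end):
    """True if now (HH:MM) lies in [start, end); the window may cross midnight."""
    n, s, e = _minutes(now), _minutes(start), _minutes(end)
    return s <= n < e if s <= e else (n >= s or n < e)

def profile_deviations(login, session, ratio=0.4, burst=3.0):
    """Compare an observed session with the profile; return [(attribute, detail)].

    ratio: typing speed may differ from the profile by this fraction.
    burst: internet usage and network accesses may exceed the profile by this factor.
    """
    prof = PROFILES[login]
    devs = []
    if not in_working_hours(session["time"], *prof["hours"]):
        devs.append(("working_hours", "%s outside %s-%s" % (session["time"], *prof["hours"])))
    if abs(session["typing_wpm"] - prof["typing_wpm"]) > ratio * prof["typing_wpm"]:
        devs.append(("typing_speed", "%d wpm, profile %d wpm"
                     % (session["typing_wpm"], prof["typing_wpm"])))
    unknown = set(session["applications"]) - prof["applications"]
    if unknown:
        devs.append(("applications", "not in profile: " + ", ".join(sorted(unknown))))
    if session["equipment"] != prof["equipment"]:
        devs.append(("equipment", "%s, profile %s" % (session["equipment"], prof["equipment"])))
    if session["internet_mb_hr"] > burst * prof["internet_mb_hr"]:
        devs.append(("internet_usage", "%d MB/hr, profile %d MB/hr"
                     % (session["internet_mb_hr"], prof["internet_mb_hr"])))
    if session["net_accesses_hr"] > burst * prof["net_accesses_hr"]:
        devs.append(("network_accesses", "%d/hr, profile %d/hr"
                     % (session["net_accesses_hr"], prof["net_accesses_hr"])))
    return devs

# Constructed sessions reported by the agent on Fiona's and Fred's machines.
NORMAL_SESSION = {"time": "10:15", "typing_wpm": 51, "applications": {"Excel", "Outlook"},
                  "equipment": "HP4110", "internet_mb_hr": 30, "net_accesses_hr": 35}
ODD_SESSION = {"time": "23:10", "typing_wpm": 12, "applications": {"Outlook", "PuTTY"},
               "equipment": "HP4110", "internet_mb_hr": 900, "net_accesses_hr": 4000}
FRED_NIGHT_SESSION = {"time": "02:00", "typing_wpm": 44, "applications": {"AutoCAD"},
                      "equipment": "HP8800", "internet_mb_hr": 1000, "net_accesses_hr": 30000}

if __name__ == "__main__":
    for login, session in (("fsmith", NORMAL_SESSION), ("fsmith", ODD_SESSION),
                           ("fmclean", FRED_NIGHT_SESSION)):
        print(login, profile_deviations(login, session) or "no deviation")
```

Fred's profile has working hours of 9pm to 8am, which is why the hours check treats a window whose end is earlier than its start as one that wraps past midnight; without that, every night-shift login would be reported.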
65. Honeypots
66. Honeypots

A honeypot sits alongside the real servers/systems as a decoy for the intruder. The device has all the required weaknesses, such as: a default administrator/password; dummy users with weak passwords; ports open for connection; reacting to virus/worm systems (but only simulating the conditions).
67. Honeypot types

Low-interaction honeypot: simulates only part of the network stack (such as for Honeyd), and is monitored by the IDS.
High-interaction honeypot: simulates all the aspects of the operating system; it can be virtual (from a virtual machine) or simulated by another machine.

Example Honeyd configuration, with a Windows XP default template (open ports: 110 (POP-3), 80 (HTTP), 21 (FTP), 22 (SSH)) and a Cisco router template:

create default
set default personality "Windows XP"
set default default tcp action reset
add default tcp port 110 "sh scripts/pop.sh"
add default tcp port 80 "perl scripts/iis-0.95/main.pl"
add default tcp port 25 block
add default tcp port 21 "sh scripts/ftp.sh"
add default tcp port 22 proxy $ipsrc:22
add default udp port 139 drop
set default uptime 3284460

### Cisco router
create router
set router personality "Cisco PIX Firewall (PixOS 5.2 - 6.1)"
add router tcp port 23 "/usr/bin/perl scripts/router-telnet.pl"
set router default tcp action reset
set router uid 32767 gid 32767
set router uptime 1327650

# Bind specific templates to specific IP address
# If not bound, default to Windows template
bind 192.168.1.150 router
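To make the effect of the configuration on slide 67 concrete, the following added example (not Honeyd's own code) parses the four directive types shown there (create, set, add, bind) and answers what the honeypot will do with a connection to a given address, protocol and port. Unbound addresses fall back to the template named default, as the slide's comment says; the fallback to "block" when a template sets no default action for a protocol is an assumption made here.

```python
import shlex

# Added example, not Honeyd's own code: a parser for the honeyd directives
# shown on the slide, and a resolver for the per-port action.  The "block"
# fallback for a protocol with no default action is an assumption.

HONEYD_CONF = """
create default
set default personality "Windows XP"
set default default tcp action reset
add default tcp port 110 "sh scripts/pop.sh"
add default tcp port 80 "perl scripts/iis-0.95/main.pl"
add default tcp port 25 block
add default tcp port 21 "sh scripts/ftp.sh"
add default tcp port 22 proxy $ipsrc:22
add default udp port 139 drop
set default uptime 3284460

### Cisco router
create router
set router personality "Cisco PIX Firewall (PixOS 5.2 - 6.1)"
add router tcp port 23 "/usr/bin/perl scripts/router-telnet.pl"
set router default tcp action reset
set router uid 32767 gid 32767
set router uptime 1327650

# Bind specific templates to specific IP address
# If not bound, default to Windows template
bind 192.168.1.150 router
"""

def parse_honeyd(text):
    """Return (templates, bindings) built from create/set/add/bind lines."""
    templates, bindings = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # comments; no '#' inside quoted values here
        if not line:
            continue
        tok = shlex.split(line)                  # keeps quoted script commands as one token
        cmd, name = tok[0], tok[1]
        if cmd == "create":
            templates[name] = {"personality": None, "default": {}, "ports": {},
                               "uptime": None, "uid": None, "gid": None}
            continue
        if cmd == "bind":                        # bind <ip> <template>
            bindings[name] = tok[2]
            continue
        t = templates[name]
        if cmd == "set":
            if tok[2] == "personality":
                t["personality"] = tok[3]
            elif tok[2] == "default":            # set <tmpl> default <proto> action <action>
                t["default"][tok[3]] = tok[5]
            elif tok[2] == "uptime":
                t["uptime"] = int(tok[3])
            elif tok[2] == "uid":                # set <tmpl> uid <n> gid <n>
                t["uid"], t["gid"] = int(tok[3]), int(tok[5])
        elif cmd == "add":                       # add <tmpl> <proto> port <n> <action ...>
            proto, port, action = tok[2], int(tok[4]), tok[5:]
            if action[0] in ("block", "drop", "reset", "open"):
                t["ports"][(proto, port)] = (action[0], None)
            elif action[0] == "proxy":           # proxy <host:port>
                t["ports"][(proto, port)] = ("proxy", action[1])
            else:                                # a quoted script command emulating the service
                t["ports"][(proto, port)] = ("script", action[0])
    return templates, bindings

def resolve(templates, bindings, ip, proto, port):
    """(template, action, argument) the honeypot applies to traffic for ip:port."""
    name = bindings.get(ip, "default")           # unbound addresses use the default template
    t = templates[name]
    if (proto, port) in t["ports"]:
        kind, arg = t["ports"][(proto, port)]
        return name, kind, arg
    return name, t["default"].get(proto, "block"), None   # "block" fallback is assumed

def open_ports(templates, name, proto="tcp"):
    """Ports of a template that answer (script, proxy or open), sorted."""
    return sorted(p for (pr, p), (kind, _) in templates[name]["ports"].items()
                  if pr == proto and kind in ("script", "proxy", "open"))

if __name__ == "__main__":
    tpl, binds = parse_honeyd(HONEYD_CONF)
    print("default template open TCP ports:", open_ports(tpl, "default"))
    for ip, proto, port in (("192.168.1.150", "tcp", 23), ("192.168.1.10", "tcp", 25),
                            ("192.168.1.10", "tcp", 22), ("192.168.1.10", "tcp", 8080)):
        print(ip, proto, port, "->", resolve(tpl, binds, ip, proto, port))
```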
68. Example of router-telnet.pl (the Honeyd script bound to TCP port 23 of the router template)

#!/usr/bin/perl
# Copyright 2002 Niels Provos <provos@citi.umich.edu>
# All rights reserved.
# For the license refer to the main source code of Honeyd.
#
# Telnet option negotiation sent to the client:
# Dont Echo, Will Echo, Will Suppress Go Ahead
$return = pack('ccccccccc', 255, 254, 1, 255, 251, 1, 255, 251, 3);
syswrite STDOUT, $return, 9;

# Login banner shown before the fake "User Access Verification" prompt.
$string =
"Users (authorized or unauthorized) have no explicit or\r
implicit expectation of privacy. Any or all uses of this\r
system may be intercepted, monitored, recorded, copied,\r
audited, inspected, and disclosed to authorized site,\r
and law enforcement personnel, as well as to authorized\r
officials of other agencies, both domestic and foreign.\r
By using this system, the user consents to such\r
interception, monitoring, recording, copying, auditing,\r
inspection, and disclosure at the discretion of authorized\r
site.\r
\r
Unauthorized or improper use of this system may result in\r
administrative disciplinary action and civil and criminal\r
penalties. By continuing to use this system you indicate\r
your awareness of and consent to these terms and conditions\r
of use. LOG OFF IMMEDIATELY if you do not agree to the\r
conditions stated in this warning.\r
\r
User Access Verification\r
";

syswrite STDOUT, $string;

# Allow three login attempts; every attempt is logged to STDERR (which
# Honeyd collects) and refused with "% Access denied".
$count = 0;
while ($count < 3) {
    do {
        $count++;
        syswrite STDOUT, "\r\n";
        $word = read_word("Username: ", 1);
    } while (!$word && $count < 3);
    if ($count >= 3 && !$word) {
        exit;
    }
    $password = read_word("Password: ", 0);
    if (!$password) {
        syswrite STDOUT, "% Login invalid\r\n";
    } else {
        syswrite STDERR, "Attempted login: $word/$password";
        syswrite STDOUT, "% Access denied\r\n";
    }
}

# Read one line from the client with a 30 second timeout; $echo controls
# whether typed characters are echoed back (off for the password).
sub read_word {
    local $prompt = shift;
    local $echo = shift;
    local $word;

    syswrite STDOUT, "$prompt";

    $word = "";
    $alarmed = 0;
    eval {
        local $SIG{ALRM} = sub { $alarmed = 1; die; };
        alarm 30;
        $finished = 0;
        do {
            $nread = sysread STDIN, $buffer, 1;
            die unless $nread;
            if (ord($buffer) == 0) {
                ; # ignore NUL
            } elsif (ord($buffer) == 255) {
                sysread STDIN, $buffer, 2;   # skip a telnet IAC option sequence
            } elsif (ord($buffer) == 13 || ord($buffer) == 10) {
                syswrite STDOUT, "\r\n" if $echo;
                $finished = 1;
            } else {
                syswrite STDOUT, $buffer, 1 if $echo;
                $word = $word.$buffer;
            }
        } while (!$finished);
        alarm 0;
    };
    syswrite STDOUT, "\r\n" if $alarmed || ! $echo;
    if ($alarmed) {
        syswrite STDOUT, "% $prompt timeout expired!\r\n";
        return (0);
    }

    return ($word);
}
69. IPS and in-line/out-of-line IDS
70. In-line and out-of-line IDS

In-line IDS can decide to drop a packet, alarm (send an alert/log to the syslog server, which stores the alerts/logs, etc.) or reset a connection. Out-of-line IDS passively listens to the traffic and cannot actually drop packets (unless there is an IPS).

In-line IDS has the advantage that it can act on the intrusion, but it has a performance impact, and the signatures are also difficult to change/upgrade. Out-of-line IDS has the advantage that an IDS rule can be crafted more easily, but it cannot take actions directly.
71. Intrusion Prevention Systems (IPS)

Example Cisco IDS signatures:
1001 – Bad IP Options (Info)
1100 – IP Fragment (Attack)
2000 – ICMP echo reply (Info)
2154 – Ping of death (Attack)
3041 – SYN/FIN Packet (Attack)
3040 – NULL TCP Packet (Attack)
3050 – Half open SYN (Attack)
3152 – CWD Root on FTP (Info)

Configuring the IOS IP audit feature, with events sent to a syslog server (which stores the alerts/logs, etc.):

(config)# ip audit ?
  attack     Specify default action for attack signatures
  info       Specify default action for informational signatures
  name       Specify an IDS audit rule
  notify     Specify the notification mechanisms (nr-director or log) for the alarms
  po         Specify nr-directors PostOffice information (for sending events to the nr-directors
  signature  Add a policy to a signature
  smtp       Specify SMTP Mail spam threshold
(config)# ip audit notify ?
  log          Send events as syslog messages
  nr-director  Send events to the nr-director
(config)# ip audit notify log
(config)# logging 132.191.125.3
(config)# ip audit info ?
  action  Specify the actions
(config)# ip audit info action ?
  alarm  Generate events for matching signatures
  drop   Drop packets matching signatures
  reset  Reset the connection (if applicable)
(config)# ip audit info action drop
(config)# ip audit attack action reset
(config)# ip audit signature ?
  <1-65535>  Signature to be configured
(config)# ip audit signature 1005 disable
(config)# ip audit smtp ?
  spam  Specify the threshold for spam signature
  <cr>
(config)# ip audit smtp spam ?
  <1-65535>  Threshold of correspondents to trigger alarm
(config)# ip audit smtp spam 4
72. Anomaly Detection
73. User, system and network anomaly

Anomaly detection: learn the normal activity of a user (such as Bob), such as user activity, system activity, server activity, network activity, application activity, and so on.
74. User, system and network anomaly

User anomaly (for Bob): typing speed, packages used, working hours, emails sent/hr, web sites visited.
System anomaly: CPU usage/min, threads/min, disk writes/min.
75. User, system and network anomaly

Network anomaly (for Bob): IP packets (%), TCP packets (%), HTTP (%), FTP (%), with an FTP threshold of 2%.
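Slides 73 to 75 describe anomaly detection as learning what is normal and then flagging what departs from it, with a fixed 2% threshold on the FTP share of traffic as the one concrete rule. The following added example is not from the slides: it computes per-window protocol shares from constructed packet counts and applies both the fixed FTP threshold from slide 75 and a baseline learned from normal windows (mean plus three standard deviations, an assumption not on the slide), so that an unusual share of any protocol, not only FTP, is reported.

```python
import statistics

# Added example, not from the slides: per-window protocol shares with two
# checks, the fixed FTP threshold of 2% from the slide and a learned
# baseline (mean + k*sigma, an assumption).  All packet counts are constructed.

BUCKETS = ("http", "ftp", "tcp_other", "udp", "icmp")   # each packet counted once

def shares(window):
    """Percentage of the window's packets in each bucket."""
    total = sum(window.get(b, 0) for b in BUCKETS)
    return {b: (100.0 * window.get(b, 0) / total if total else 0.0) for b in BUCKETS}

def tcp_share(window):
    """TCP packets (%) as on the slide: HTTP and FTP are TCP too."""
    s = shares(window)
    return s["http"] + s["ftp"] + s["tcp_other"]

def learn_baseline(normal_windows):
    """(mean, population std-dev) of each bucket's share over the normal windows."""
    base = {}
    for b in BUCKETS:
        vals = [shares(w)[b] for w in normal_windows]
        base[b] = (statistics.mean(vals), statistics.pstdev(vals))
    return base

def detect(window, baseline, fixed=None, k=3.0, floor=0.5):
    """Return (bucket, rule, share%) for every threshold the window crosses."""
    fixed = {"ftp": 2.0} if fixed is None else fixed      # slide: FTP threshold (2%)
    alerts = []
    for b, pct in shares(window).items():
        if b in fixed and pct > fixed[b]:
            alerts.append((b, "fixed", round(pct, 2)))
        mean, sd = baseline[b]
        # floor keeps a near-constant bucket from alerting on tiny wobbles
        if pct > mean + k * sd + floor:
            alerts.append((b, "baseline", round(pct, 2)))
    return alerts

# Constructed one-minute windows of packet counts during normal operation.
NORMAL_WINDOWS = [
    {"http": 600, "ftp": 10, "tcp_other": 250, "udp": 120, "icmp": 20},
    {"http": 620, "ftp": 12, "tcp_other": 240, "udp": 110, "icmp": 18},
    {"http": 590, "ftp": 8, "tcp_other": 260, "udp": 125, "icmp": 17},
    {"http": 610, "ftp": 11, "tcp_other": 245, "udp": 115, "icmp": 19},
]
# Constructed anomalous windows: an FTP spike and an ICMP burst (a ping sweep).
FTP_SPIKE = {"http": 580, "ftp": 60, "tcp_other": 240, "udp": 110, "icmp": 10}
ICMP_BURST = {"http": 500, "ftp": 10, "tcp_other": 200, "udp": 100, "icmp": 190}

if __name__ == "__main__":
    base = learn_baseline(NORMAL_WINDOWS)
    for name, w in (("normal", NORMAL_WINDOWS[0]), ("ftp spike", FTP_SPIKE),
                    ("icmp burst", ICMP_BURST)):
        print(name, "tcp=%.1f%%" % tcp_share(w), detect(w, base) or "no alert")
```

The ICMP burst is caught only by the learned baseline, since the slide gives no fixed ICMP threshold; the FTP spike trips both rules. Which windows are treated as normal decides what the baseline learns, so training on a period that already contains an intrusion would make that intrusion invisible.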
76. Conclusions
