2. FORESEC ACADEMY
Network-based intrusion detection systems (NIDSs) are an excellent way to monitor
networks for anomalies that could indicate an attack or signs of electronic tampering
on your network. In this chapter, we explore the need for NIDS and discuss some of
the available offerings. In particular, we look at commercial tools such as BlackICE
Defender, as well as an extremely popular open-source tool called Snort. We also
discuss the advantages associated with building a distributed NIDS and provide
examples of creating custom signatures for your own network environment.
Our journey begins with a single network attack and culminates with a myriad of real
world intrusion attempts. The objective is to present you with the knowledge
necessary to understand the basics of intrusion detection and to spark some ideas of
how this technology can be deployed on your own network. Finally, after reading this
chapter, you should be able to tell the difference between an innocuous scan and a
malicious scan and how to react and respond accordingly.
© FORESEC
3. FORESEC ACADEMY
Need for Network-based Intrusion Detection
Insider attacks can cause more financial damage than third party attacks because
insiders have intimate knowledge of internal networks. Traditional audit and security
mechanisms can address these threats and organizations can prosecute. The
greater concern though should be attacks originating from the Internet.
The volume of attacks originating from the public network is (or should be!)
significantly higher than the number of attacks coming from an internal host. Most
outside attacks can be stopped by a properly configured firewall. However, we need
to be concerned with attacks that are able to bypass, or otherwise penetrate, the
outside perimeter. You may be asking if the firewall can prevent many or most
attacks, then why do we need to be concerned about the few that make it through?
The reason is simple: volume. The sheer number of outside attacks hitting your
network will eventually take their toll and compromise the system. There is a saying
that even a blind squirrel can find a nut, and that can be applied to the perimeter
network. Attacks on your network, even if poorly targeted, will eventually result in
malicious activity passing through your perimeter and causing damage to your
systems.
4. FORESEC ACADEMY
By detecting even the most benign attacks hitting our network perimeter, we can use
that data to properly tune our system defences and mitigate or render useless a
large percentage of the attacks. As the sophistication of network-based attacks
continues to increase, we owe it to ourselves to use NIDS to investigate intrusions,
analyze threats and prepare the needed countermeasures. There is also the distinct
advantage of being able to correlate data from a variety of NIDS deployments to
increase our capability in responding to various attacks. We will discuss event
correlation later in this chapter.
5. FORESEC ACADEMY
Inside a Network Attack
Some people call this classic attack an out of band attack; however, it is better
known as WinNuke. WinNuke sends a single, specially crafted packet with OOB data
to a remote listening port, TCP 139. This is known to crash older versions of
Windows. (Note that Out of Band is a misnomer; WinNuke actually uses the TCP
Urgent flag and the urgent pointer.) Even if NetBIOS is not enabled, a vulnerable
system attacked by WinNuke will typically experience the dreaded “Blue Screen of
Death.” Although this is a dated attack tool, it does an excellent job in visually
explaining the concept of network-based attacks. It should also be noted that there
are still millions of Windows 95 machines connected to the Internet. It is safe to say
that this attack tool could still bring down countless machines.
6. FORESEC ACADEMY
How do we create this special packet capable of bringing Windows 95 to its knees?
The answer is quite simple: Nuke.eM. Nuke.eM (shown in the previous slide) works
by establishing a TCP connection with a remote host and delivering the illegal
packet. It doesn’t take any skill and it can turn the most inept person into a hacker.
7. FORESEC ACADEMY
The previous screenshot shows how the Nuke.eM attack was detected and blocked
by BlackICE PC Protection, a leading commercial personal firewall. The highlighted
area illustrates that the NetBIOS probe (Nuke.eM) was detected and successfully
blocked six times.
We can see that a NetBIOS port probe from the IP address 192.168.1.100 was
detected and blocked by the firewall engine. The information window at the bottom of
the screen gives a brief description of the attack and clicking on the “advICE” button
to the right will give more detailed information.
Note
Internet Security Systems (ISS) acquired the BlackICE product line in April 2001.
The BlackICE PC protection suite is their first offering from their new acquisition.
Okay, let’s sum up what we have seen as we have explored a single network attack.
We have identified a vulnerability, a flaw in the Microsoft implementation of
networking. We have described the flaw technically and demonstrated one of the
attacker tools that takes advantage of the threat. Finally, we have seen a detection
and protection tool in action. Actually, this is another example of threat,
countermeasure, and counter-countermeasure. WinNuke was dropping systems left
and right and Microsoft responded with a patch. Instead of fixing the problem the first
time, they released a quick hack. The attackers instantly countered with a
modification to their attack tools, finally forcing Microsoft to release a complete patch
that adequately resolved the initial problem.
8. FORESEC ACADEMY
Network Intrusion Detection 101
Generally, when we think of utilizing a personal firewall, it is to protect our PC that is
directly connected to the Internet. However, we don’t always think about detection:
Many personal firewalls on the market today have the capability to block attacks and
they can also detect and log attacks. Logging the attack allows an analyst to study
the attributes of an attack. In fact, with the increasing rate of broadband installations,
personal firewalls with intrusion detection capability are becoming extremely valuable
network sensors for the IDS community. The Internet Storm Center has a free client
that can be used in conjunction with many personal firewalls and intrusion detection
systems that will allow you to upload your logs to their site for further research and
investigation. If you want a way to do your part and give back to the information security
community, then this is a great opportunity. Detailed information is available from the
web site at http://isc.incidents.org.
The Importance of Logging
The previous screen shot depicts activity on an extremely busy and hostile network.
We can see a variety of attacks including nmap pings, SNMP port probes and DNS
zone transfers. Although it is useful to be able to view these events in real-time, it is
even more useful to have the ability to view these events with a network protocol
analyzer like Ethereal to gain a better understanding of the attack and how it
happened. Most personal firewalls include a logging feature that should be enabled
to get the most from the product.
9. FORESEC ACADEMY
Logging is an integral part of intrusion detection. Being able to refer back to logs
after an event happens is extremely useful from a learning perspective and in the
case of criminal prosecution. Having logs of the events that led to a compromise
would be a valuable asset if you seek damages or prosecution from a network attack
or system compromise.
10. FORESEC ACADEMY
In this example, we demonstrate how to enable logging in the BlackICE personal
firewall. The firewall engine settings are managed from the tool menu and can be
easily accessed from the main screen. Looking around, we can see multiple tabs
that allow you to alter the functionality of the firewall. For our purposes, we focus on
the Evidence Log and Packet Log options.
It is important to ensure that logging is enabled on the Evidence Log tab. The rest is
self-explanatory, but it is useful to use the % sign at the end of the evd file prefix.
Using the special character will add a date/time stamp to the log files. This is helpful
in the event you need to go back and look up the information for an attack that
occurred at a particular time. You may also wish to adjust the maximum file size and
maximum number of files settings to reflect your network.
Another useful feature is the Packet Log tab; enabling the Packet Log feature of
BlackICE allows you to capture all the traffic that comes across the listening
interface. This can prove extremely valuable when you need to perform network
diagnostics or just to learn how your network operates at various points in time.
However, remember that with this feature enabled, large amounts of disk space will
be consumed to accommodate all of the network traffic. You might want to watch the
remaining disk space when utilizing this logging feature.
11. FORESEC ACADEMY
Note
BlackICE is often thought of as a host-based IDS because it is typically installed on
individual machines, but let’s think about what it is really doing: monitoring network
traffic. A traditional HIDS monitors log files, file changes, registry changes, and other
rights/permissions of the host operating system. We use BlackICE in this chapter to
illustrate the basics of network-based intrusion detection systems.
12. FORESEC ACADEMY
Viewing BlackICE Logs
There is a common misconception that BlackICE log files are viewable only by
installing a commercial third-party application such as VisualICE or ICEcap. Although
these add-on programs do a great job of parsing the data and creating nice looking
reports, the only thing necessary is to view the files with an available packet analysis
tool. In the previous example, we used a program called Ethereal to view the data.
Ethereal, a free packet analysis program, is an excellent tool for decoding and
viewing the BlackICE log files. In default installations of BlackICE, the log files are
located at
C:\program files\ISS\BlackICE\evd%*.enc
Note
Ethereal is one of the killer apps to rise from the open-source movement. It is
maintained by a core group of developers who continually add features and update
the program. It is easy to use, flexible, and free to download. I would happily put it up
against any commercially available protocol analyzer. Although our example is basic,
the other features of Ethereal are worth checking out. Ethereal can be downloaded
at http://www.ethereal.com.
13. FORESEC ACADEMY
BlackICE Visualization Tools
The previous screenshot shows a spike in activity in the Events window that was the result of
someone probing this network. This gives us an idea of where to look to find this data in the
evidence log file. As a helpful hint, find the approximate time of an event and if you happen
to be looking for a scan, always look at the biggest file first since port scans tend to generate
a lot of traffic.
This screen also allows you to view network trends over a period of minutes, hours, or days
and it can be useful in learning the intricacies of your network. For example, once a baseline
has been established, you can then use this screen to look for any anomalies that don’t
correlate with usual network traffic patterns.
We used a host-based intrusion detection engine to examine how a network attack functions.
Now that you have a basic understanding of network-based attacks, let’s shift our focus to
NIDS.
14. FORESEC ACADEMY
Libpcap-Based Intrusion Detection Systems
Most network-based intrusion detection systems are Libpcap-based. Libpcap is an
open source packet capture library designed to retrieve data from the kernel and
pass it to the application layer. Libpcap has the advantage of being free to use and
has proven, since its inception, to be extremely reliable. Products that use the
Libpcap library include Shadow, Snort, Cisco IDS (formerly NetRanger), and NFR.
Note
Complete information, including the source code for Libpcap can be downloaded at:
http://www.tcpdump.org/. If you are running on a Windows-based platform,
you are in luck! Winpcap is the Win32 version of Libpcap and can be downloaded at
http://winpcap.polito.it/.
In the previous diagram, you see a remote sensor collecting data and forwarding it to
another machine for display and analysis. The Shadow Intrusion Detection System
uses this configuration and is one of the few NIDS that essentially uses a “dumb”
probe to forward the packets it captures to another device for processing. If the
Shadow sensor should fail or somehow get compromised, no information about the
site will be lost.
15. FORESEC ACADEMY
Network Intrusion Detection with Snort
Snort is billed as a lightweight network intrusion detection system. It was introduced
to the open-source community in 1998 by its developer, Marty Roesch. Snort has
quickly gained a reputation for being an extremely efficient, lightweight, and low-cost
NIDS solution and owes its popularity and extensive features to a devoted team of
core developers and an active user base.
16. FORESEC ACADEMY
Snort’s design allows for easy integration into most networks and it can be
configured to monitor multiple sites, networks, or interfaces with relative ease. It has
rules for packet content decodes and packet headers. This means it can detect data-
driven attacks like buffer overflow errors, as well as attacks on vulnerable URLs and
scripts (for example, RDS and phf).
Because Snort is open-source and has such an active user community, it is an ideal
system to learn how to analyze intrusions and to experiment with different
configurations. There are many community-developed enhancements available (we
discuss them later in this chapter) and help is just an e-mail message away.
Note
A great resource to learn more about Snort is the FAQ, which is available at:
http://www.snort.org/docs/faq.html. The FAQ is actively maintained and
describes the many features of Snort.
17. FORESEC ACADEMY
Analyzing a Snort Detect
Snort detects are displayed in log files, like the one shown previously, and separated
by blank lines. The logs are flat files, also called text files, and have the advantage of
being easy to sort, search, and analyze. Another advantage of Snort logs is the
ability to cut and paste the various detects into an e-mail message to be sent to
other analysts, your CIRT, or the offending party. This feature alone is unavailable in
many commercial products.
In this example, you see that the name of the detect, RPC Info Query, is listed at the
top and the summary information is given in the following. The last three lines show
the actual payload of this particular attack. Remote procedure call (RPC) attacks like
this are part of the FORESEC Top Twenty list
(http://www.foresecacademy.com/top20/) and could indicate a potential
vulnerability on your network. Pay particular attention to all of the zeros in the
payload. RPC fields are padded to 32-bit words even when they carry only a small
integer, so long runs of zeros are a telltale sign of Remote Procedure Calls. Another
item worthy of mention is the hex string 01 86 A0 00 00 00 02 00 00 00 04. This is
the program/version/procedure sequence sent by the rpcinfo –p command, which
lists the available RPC ports on a remote host.
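As an added example (not part of the FORESEC material), the decoder below pulls the program, version and procedure words out of an ONC RPC call header so the hex string above can be read rather than memorised. It assumes the logged payload starts at the RPC header (UDP, no TCP record mark); the sample bytes are constructed.

```python
import struct

# Constructed sample payload: an ONC RPC v2 CALL to the portmapper, laid out
# as big-endian 32-bit words. The 32-bit padding of small values is exactly
# why RPC payloads show so many zeros.
SAMPLE_PAYLOAD = bytes.fromhex(
    "5c7a3e11"               # XID (arbitrary, constructed)
    "00000000"               # message type 0 = CALL
    "00000002"               # RPC protocol version 2
    "000186a0"               # program 100000 = portmapper
    "00000002"               # portmapper version 2
    "00000004"               # procedure 4 = PMAPPROC_DUMP (what rpcinfo -p sends)
    "00000000" "00000000"    # credentials: AUTH_NULL, length 0
    "00000000" "00000000"    # verifier: AUTH_NULL, length 0
)

# The hex string quoted in the text: program/version/procedure words, with the
# leading 00 of the program number not shown.
RPCINFO_P_SIGNATURE = bytes.fromhex("01 86 a0 00 00 00 02 00 00 00 04")

PORTMAPPER_PROG = 100000
PMAPPROC_DUMP = 4


def parse_rpc_call(payload):
    """Decode the fixed 24-byte RPC CALL header; None if it is not an RPC v2 call."""
    if len(payload) < 24:
        return None
    xid, msg_type, rpc_vers, prog, vers, proc = struct.unpack("!6I", payload[:24])
    if msg_type != 0 or rpc_vers != 2:
        return None
    return {"xid": xid, "program": prog, "version": vers, "procedure": proc}


def is_rpcinfo_dump(payload):
    """True when the call is portmapper v2 DUMP, i.e. an `rpcinfo -p` style query."""
    call = parse_rpc_call(payload)
    return (call is not None and call["program"] == PORTMAPPER_PROG
            and call["version"] == 2 and call["procedure"] == PMAPPROC_DUMP)


def matches_signature(payload):
    """Snort-style content match for the raw hex string from the detect."""
    return RPCINFO_P_SIGNATURE in payload


def zero_byte_ratio(payload):
    """Share of zero bytes; high values hint at word-padded protocols such as RPC."""
    return payload.count(0) / len(payload) if payload else 0.0


if __name__ == "__main__":
    print(parse_rpc_call(SAMPLE_PAYLOAD), is_rpcinfo_dump(SAMPLE_PAYLOAD))
```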
18. FORESEC ACADEMY
Writing Snort Rules
Snort provides the ability to create custom rules, or signatures, to filter on specific
content. The compiled source code provides hundreds of pre-written rules. However,
there might be times when you need to create rules that are not included by default.
Given the fast-paced world of intrusion detection and that new threats are released
daily, the ability to quickly write custom rules can often make or break your
career as an information security professional!
Snort rules are simple to write yet powerful enough to capture most types of traffic.
There are five options to keep in mind when writing rules:
• Pass - This means you wish to ignore the packet and take no action on it.
• Log - This option allows you to log the particular action to the location
you specified in your Snort configuration file (e.g. snort.conf).
• Alert - This option allows you to send alerts to a central syslog server,
to pop-up windows via SMB, or to a separate alert file. This
alert file is commonly used with tools like Swatch (Simple Watcher) to
alert the analyst to signs of intrusion or electronic tampering. Once the
alert is sent, the packet is logged.
19. FORESEC ACADEMY
• Activate - This option specifies that Snort is to send the alert and then
activate another dynamic rule. For example, Snort can be configured to
dynamically block