FORESEC ACADEMY




©   FORESEC
Network-based intrusion detection systems (NIDSs) are an excellent way to monitor
networks for anomalies that could indicate an attack or signs of electronic tampering
on your network. In this chapter, we explore the need for NIDS and discuss some of
the available offerings. In particular, we look at commercial tools such as BlackICE
Defender, as well as an extremely popular open-source tool called Snort. We also
discuss the advantages associated with building a distributed NIDS and provide
examples of creating custom signatures for your own network environment.

Our journey begins with a single network attack and culminates with a myriad of
real-world intrusion attempts. The objective is to present you with the knowledge
necessary to understand the basics of intrusion detection and to spark some ideas of
how this technology can be deployed on your own network. Finally, after reading this
chapter, you should be able to tell the difference between an innocuous scan and a
malicious scan, and know how to react and respond accordingly.

Need for Network-based Intrusion Detection

Insider attacks can cause more financial damage than third-party attacks because
insiders have intimate knowledge of internal networks. Traditional audit and security
mechanisms can address these threats, and organizations can prosecute. The
greater concern, though, should be attacks originating from the Internet.

The volume of attacks originating from the public network is (or should be!)
significantly higher than the number of attacks coming from an internal host. Most
outside attacks can be stopped by a properly configured firewall. However, we need
to be concerned with attacks that are able to bypass, or otherwise penetrate, the
outside perimeter. You may be asking: if the firewall can prevent many or most
attacks, why do we need to be concerned about the few that make it through?
The reason is simple: volume. The sheer number of outside attacks hitting your
network will eventually take their toll and compromise the system. There is a saying
that even a blind squirrel can find a nut, and that can be applied to the perimeter
network. Attacks on your network, even if poorly targeted, will eventually result in
malicious activity passing through your perimeter and causing damage to your
systems.

By detecting even the most benign attacks hitting our network perimeter, we can use
that data to properly tune our system defences and mitigate or render useless a
large percentage of the attacks. As the sophistication of network-based attacks
continues to increase, we owe it to ourselves to use NIDS to investigate intrusions,
analyze threats and prepare the needed countermeasures. There is also the distinct
advantage of being able to correlate data from a variety of NIDS deployments to
increase our capability in responding to various attacks. We will discuss event
correlation later in this chapter.

Inside a Network Attack

Some people call this classic attack an out-of-band attack; however, it is better
known as WinNuke. WinNuke sends a single, specially crafted packet with OOB data
to a remote listening port, TCP 139. This is known to crash older versions of
Windows. (Note that “out of band” is a misnomer; WinNuke actually uses the TCP
Urgent flag and the urgent pointer.) Even if NetBIOS is not enabled, a vulnerable
system attacked by WinNuke will typically experience the dreaded “Blue Screen of
Death.” Although this is a dated attack tool, it does an excellent job of visually
explaining the concept of network-based attacks. It should also be noted that there
are still millions of Windows 95 machines connected to the Internet. It is safe to say
that this attack tool could still bring down countless machines.

How do we create this special packet capable of bringing Windows 95 to its knees?
The answer is quite simple: Nuke.eM. Nuke’em (shown in the previous slide) works
by establishing a TCP connection with a remote host and delivering the illegal
packet. It doesn’t take any skill, and it can turn the most inept person into a hacker.

The previous screenshot shows how the Nuke.eM attack was detected and blocked
by BlackICE PC Protection, a leading commercial personal firewall. The highlighted
area shows that the NetBIOS probe (Nuke.eM) was detected and successfully
blocked six times.

We can see that a NetBIOS port probe from the IP address 192.168.1.100 was
detected and blocked by the firewall engine. The information window at the bottom of
the screen gives a brief description of the attack, and clicking the “advICE” button
to the right gives more detailed information.

Note
Internet Security Systems (ISS) acquired the BlackICE product line in April 2001.
The BlackICE PC protection suite is their first offering from their new acquisition.


Okay, let’s sum up what we have seen as we have explored a single network attack.
We have identified a vulnerability, a flaw in the Microsoft implementation of
networking. We have described the flaw technically and demonstrated one of the
attacker tools that takes advantage of it. Finally, we have seen a detection
and protection tool in action. Actually, this is another example of threat,
countermeasure, and counter-countermeasure. WinNuke was dropping systems left
and right, and Microsoft responded with a patch. Instead of fixing the problem the first
time, they released a quick hack. The attackers instantly countered with a
modification to their attack tools, finally forcing Microsoft to release a complete patch
that adequately resolved the initial problem.

Network Intrusion Detection 101

Generally, when we think of utilizing a personal firewall, it is to protect a PC that is
directly connected to the Internet. However, we don’t always think about detection:
many personal firewalls on the market today have the capability to block attacks, and
they can also detect and log attacks. Logging the attack allows an analyst to study
the attributes of an attack. In fact, with the increasing rate of broadband installations,
personal firewalls with intrusion detection capability are becoming extremely valuable
network sensors for the IDS community. The Internet Storm Center has a free client
that can be used in conjunction with many personal firewalls and intrusion detection
systems and that will allow you to upload your logs to their site for further research and
investigation. If you want a way to do your part and give back to the information security
community, then this is a great opportunity. Detailed information is available from the
web site at http://isc.incidents.org.

The Importance of Logging

The previous screenshot depicts activity on an extremely busy and hostile network.
We can see a variety of attacks, including nmap pings, SNMP port probes and DNS
zone transfers. Although it is useful to be able to view these events in real time, it is
even more useful to have the ability to view them with a network protocol
analyzer like Ethereal to gain a better understanding of the attack and how it
happened. Most personal firewalls include a logging feature that should be enabled
to get the most from the product.

Logging is an integral part of intrusion detection. Being able to refer back to logs
after an event happens is extremely useful from a learning perspective and in the
case of criminal prosecution. Having logs of the events that led to a compromise
would be a valuable asset if you seek damages or prosecution from a network attack
or system compromise.

In this example, we demonstrate how to enable logging in the BlackICE personal
firewall. The firewall engine settings are managed from the tool menu and can be
easily accessed from the main screen. Looking around, we can see multiple tabs
that allow you to alter the functionality of the firewall. For our purposes, we focus on
the Evidence Log and Packet Log options.

It is important to ensure that logging is enabled on the Evidence Log tab. The rest is
self-explanatory, but it is useful to use the % sign at the end of the evd file prefix.
Using the special character will add a date/time stamp to the log files. This is helpful
in the event you need to go back and look up the information for an attack that
occurred at a particular time. You may also wish to adjust the maximum file size and
maximum number of files settings to reflect your network.

Another useful feature is the Packet Log tab; enabling the Packet Log feature of
BlackICE allows you to capture all the traffic that comes across the listening
interface. This can prove extremely valuable when you need to perform network
diagnostics or just to learn how your network operates at various points in time.
However, remember that with this feature enabled, large amounts of disk space will
be consumed to accommodate all of the network traffic. You might want to watch the
remaining disk space when utilizing this logging feature.

Note
BlackICE is often thought of as a host-based IDS because it is typically installed on
individual machines, but let’s think about what it is really doing: monitoring network
traffic. A traditional HIDS monitors log files, file changes, registry changes, and other
rights/permissions of the host operating system. We use BlackICE in this chapter to
illustrate the basics of network-based intrusion detection systems.

Viewing BlackICE Logs

There is a common misconception that BlackICE log files are viewable only by
installing a commercial third-party application such as VisualICE or ICEcap. Although
these add-on programs do a great job of parsing the data and creating nice-looking
reports, all that is necessary is to view the files with an available packet analysis
tool. In the previous example, we used a program called Ethereal to view the data.
Ethereal, a free packet analysis program, is an excellent tool for decoding and
viewing the BlackICE log files. In default installations of BlackICE, the log files are
located at

              C:\program files\ISS\BlackICE\evd%*.enc

Note
Ethereal is one of the killer apps to rise from the open-source movement. It is
maintained by a core group of developers who continually add features and update
the program. It is easy to use, flexible, and free to download. I would happily put it up
against any commercially available protocol analyzer. Although our example is basic,
the other features of Ethereal are worth checking out. Ethereal can be downloaded
at http://www.ethereal.com.

BlackICE Visualization Tools

The previous screenshot shows a spike in activity in the Events window that was the result of
someone probing this network. This gives us an idea of where to look to find this data in the
evidence log file. As a helpful hint, find the approximate time of an event and if you happen
to be looking for a scan, always look at the biggest file first since port scans tend to generate
a lot of traffic.

This screen also allows you to view network trends over a period of minutes, hours, or days
and it can be useful in learning the intricacies of your network. For example, once a baseline
has been established, you can then use this screen to look for any anomalies that don’t
correlate with usual network traffic patterns.

We used a host-based intrusion detection engine to examine how a network attack functions.
Now that you have a basic understanding of network-based attacks, let’s shift our focus to
NIDS.

Libpcap-Based Intrusion Detection Systems

Most network-based intrusion detection systems are Libpcap-based. Libpcap is an
open source packet capture library designed to retrieve data from the kernel and
pass it to the application layer. Libpcap has the advantage of being free to use and
has proven, since its inception, to be extremely reliable. Products that use the
Libpcap library include Shadow, Snort, Cisco IDS (formerly NetRanger), and NFR.


Note
Complete information, including the source code for Libpcap can be downloaded at:
http://www.tcpdump.org/. If you are running on a Windows-based platform,
you are in luck! Winpcap is the Win32 version of Libpcap and can be downloaded at
http://winpcap.polito.it/.


In the previous diagram, you see a remote sensor collecting data and forwarding it to
another machine for display and analysis. The Shadow Intrusion Detection System
uses this configuration and is one of the few NIDS that essentially uses a “dumb”
probe to forward the packets it captures to another device for processing. If the
Shadow sensor should fail or somehow get compromised, no information about the
site will be lost.
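As an added example (not code from BlackICE, Ethereal, libpcap or this course), the following Python builds a small capture in the libpcap file format that these tools read and write, decodes its Ethernet, IPv4 and TCP headers, and then flags the WinNuke pattern described earlier: a segment to TCP port 139 carrying the Urgent flag and a non-zero urgent pointer. The addresses, ports and payloads are constructed sample data, and the IP and TCP checksums are left at zero because the decoder does not verify them. The decoder is general (any Ethernet pcap with TCP traffic), not tied to the WinNuke case.

```python
import struct

# Added example; not BlackICE, Ethereal or libpcap code. Builds a capture in the
# libpcap file format in memory, decodes Ethernet/IPv4/TCP, and flags the WinNuke
# pattern: urgent data (URG flag, non-zero urgent pointer) sent to TCP port 139.
# Addresses, ports and payloads are constructed; checksums are left at zero.

TCP_PSH, TCP_ACK, TCP_URG = 0x08, 0x10, 0x20
PCAP_MAGIC = 0xA1B2C3D4            # magic libpcap writes in the host's byte order
DLT_EN10MB = 1                     # link type 1: Ethernet


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(src_ip, dst_ip, sport, dport, flags, urgptr, payload):
    """Ethernet + IPv4 + TCP frame (20-byte headers, checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags,
                      8192, 0, urgptr) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     6, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    eth = bytes.fromhex("001122334455 66778899aabb 0800")
    return eth + ip + tcp


def build_pcap(frames, linktype=DLT_EN10MB):
    """Little-endian pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000_000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def decode_frame(frame):
    """Decode an Ethernet/IPv4/TCP frame into a dict; None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    ihl = (vihl & 0x0F) * 4
    if proto != 6 or len(frame) < 14 + ihl + 20:
        return None
    tcp_at = 14 + ihl
    sport, dport, _seq, _ack, off_res, flags, _win, _csum, urgptr = \
        struct.unpack_from("!HHIIBBHHH", frame, tcp_at)
    data_at = tcp_at + (off_res >> 4) * 4
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "flags": flags, "urgptr": urgptr,
            "payload": frame[data_at:14 + total_len]}


def parse_pcap(data):
    """Return the decoded TCP packets of a pcap byte string (Ethernet link type)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:      # file written by a big-endian host
        end = ">"
    else:
        raise ValueError("not a libpcap capture")
    linktype = struct.unpack_from(end + "HHiIII", data, 4)[-1]
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are decoded here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        pkt = decode_frame(data[off:off + incl_len])
        off += incl_len
        if pkt:
            pkt["ts"] = ts_sec + ts_usec / 1e6
            packets.append(pkt)
    return packets


def detect_winnuke(packets):
    """Alert on segments to TCP/139 that carry urgent data."""
    return ["Urgent data to NetBIOS: %s:%d -> %s:139 (urgptr=%d)"
            % (p["src"], p["sport"], p["dst"], p["urgptr"])
            for p in packets
            if p["dport"] == 139 and p["flags"] & TCP_URG and p["urgptr"] > 0]


# Constructed capture: a normal NetBIOS session request, a WinNuke-style
# segment, and urgent data to a web server (not port 139, so not flagged).
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.50", "192.168.1.10", 1034, 139, TCP_PSH | TCP_ACK, 0,
                b"\x81\x00\x00\x44" + b"\x00" * 68),
    build_frame("192.168.1.100", "192.168.1.10", 1040, 139, TCP_PSH | TCP_ACK | TCP_URG, 3, b"OOB"),
    build_frame("192.168.1.100", "192.168.1.10", 1041, 80, TCP_ACK | TCP_URG, 1, b"X"),
])

if __name__ == "__main__":
    for alert in detect_winnuke(parse_pcap(SAMPLE_PCAP)):
        print(alert)
```

Run as a script it prints the single alert for the second frame; the same `parse_pcap` works on a real capture read with `open(path, "rb").read()`, provided the link type is Ethernet.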

Network Intrusion Detection with Snort

Snort is billed as a lightweight network intrusion detection system. It was introduced
to the open-source community in 1998 by its developer, Marty Roesch. Snort has
quickly gained a reputation for being an extremely efficient, lightweight, and low-cost
NIDS solution and owes its popularity and extensive features to a devoted team of
core developers and an active user base.

Snort’s design allows for easy integration into most networks, and it can be
configured to monitor multiple sites, networks, or interfaces with relative ease. Its
rules can match on decoded packet content as well as on packet headers. This means
it can detect data-driven attacks like buffer overflows, as well as attacks on vulnerable
URLs and scripts (for example, RDS and phf).


Because Snort is open-source and has such an active user community, it is an ideal
system to learn how to analyze intrusions and to experiment with different
configurations. There are many community-developed enhancements available (we
discuss them later in this chapter) and help is just an e-mail message away.



Note
A great resource to learn more about Snort is the FAQ, which is available at:
http://www.snort.org/docs/faq.html. The FAQ is actively maintained and
describes the many features of Snort.

Analyzing a Snort Detect

Snort detects are displayed in log files, like the one shown previously, and separated
by blank lines. The logs are flat files, also called text files, and have the advantage of
being easy to sort, search, and analyze. Another advantage of Snort logs is the
ability to cut and paste the various detects into an e-mail message to be sent to
other analysts, your CIRT, or the offending party. This feature alone is unavailable in
many commercial products.

In this example, you see that the name of the detect, RPC Info Query, is listed at the
top and the summary information is given below it. The last three lines show
the actual payload of this particular attack. Remote procedure call (RPC) attacks like
this are part of the FORESEC Top Twenty list
(http://www.foresecacademy.com/top20/) and could indicate a potential
vulnerability on your network. Pay particular attention to all of the zeros in the
payload. This is because RPC packets are padded to 32-bit words, often to carry a
field that only has a choice of single integers, so the zeros are an indication of
Remote Procedure Calls. Another item worthy of mention is the hex string 01 86 A0
00 00 00 02 00 00 00 04. This is the string for the rpcinfo -p command, which lists
the available RPC ports on a remote host.
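To show why the payload of this detect looks the way it does, here is an added Python example (not Snort's code, and not taken from the detect itself) that builds the ONC RPC call a portmapper dump sends, decodes its header fields, and prints it in the hex/ASCII form of the log's last lines. The field layout follows RFC 5531 (XDR: big-endian 32-bit words, opaque data padded to four bytes); the XID and the sample message are constructed.

```python
import struct

# Added example, not Snort's code: decode the ONC RPC call header carried in the
# detect's payload to show why the rpcinfo -p bytes look the way they do. Field
# layout follows RFC 5531 (XDR: big-endian 32-bit words, opaque data padded to
# four bytes). The sample message is constructed, with an arbitrary XID.

PMAP_PROG = 100000                   # portmapper program number, hex 0x000186A0
PMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}
AUTH_FLAVORS = {0: "AUTH_NULL", 1: "AUTH_UNIX", 2: "AUTH_SHORT", 3: "AUTH_DES"}
# The hex string quoted in the detect: program 100000, version 2, procedure 4
RPCINFO_P_SIGNATURE = bytes.fromhex("01 86 A0 00 00 00 02 00 00 00 04")


def xdr_pad(length):
    """XDR rounds every opaque field up to a multiple of four bytes."""
    return (length + 3) & ~3


def build_portmap_dump(xid=0x3A7F0001):
    """The UDP payload rpcinfo -p sends: CALL, RPC v2, portmapper v2 DUMP, AUTH_NULL.
    (Over TCP the same message is preceded by a 4-byte record mark.)"""
    header = struct.pack("!IIIIII", xid, 0, 2, PMAP_PROG, 2, 4)
    auth_null = struct.pack("!II", 0, 0)          # flavor 0, zero-length body
    return header + auth_null + auth_null         # credentials, then verifier


def parse_rpc_call(payload):
    """Return the fields of an RPC CALL message or raise ValueError."""
    if len(payload) < 40:
        raise ValueError("too short for an RPC call with AUTH_NULL")
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack_from("!IIIIII", payload, 0)
    if msg_type != 0:
        raise ValueError("msg_type %d is not CALL" % msg_type)
    if rpcvers != 2:
        raise ValueError("unsupported RPC version %d" % rpcvers)
    off, auths = 24, []
    for _ in ("cred", "verf"):                    # two opaque_auth structures
        flavor, length = struct.unpack_from("!II", payload, off)
        off += 8 + xdr_pad(length)
        auths.append(AUTH_FLAVORS.get(flavor, "flavor %d" % flavor))
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "cred": auths[0], "verf": auths[1], "args": payload[off:]}


def describe(payload):
    """One-line analyst summary of an RPC call payload."""
    call = parse_rpc_call(payload)
    if call["prog"] == PMAP_PROG:
        name = PMAP_PROCS.get(call["proc"], "proc %d" % call["proc"])
        what = "portmapper v%d %s" % (call["vers"], name)
        if call["proc"] == 4:
            what += " (what rpcinfo -p sends)"
    else:
        what = "program %d v%d proc %d" % (call["prog"], call["vers"], call["proc"])
    return "%s, %s credentials, %d of %d bytes are zero" % (
        what, call["cred"], payload.count(0), len(payload))


def hexdump(data, width=16):
    """Rows of hex and printable ASCII, like the payload lines of a Snort detect."""
    rows = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexs = " ".join("%02X" % b for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append("%-*s  %s" % (width * 3 - 1, hexs, text))
    return rows


if __name__ == "__main__":
    sample = build_portmap_dump()
    print("\n".join(hexdump(sample)))
    print("signature found at offset", sample.find(RPCINFO_P_SIGNATURE))
    print(describe(sample))
```

The 11-byte signature starts one byte into the program-number word, which is why the quoted string begins with 01 rather than the leading 00 of 0x000186A0; a content match on it still finds the message.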

Writing Snort Rules

Snort provides the ability to create custom rules, or signatures, to filter on specific
content. The compiled source code provides hundreds of pre-written rules. However,
there might be times when you need to create rules that are not included by default.
Given the fast-paced world of intrusion detection and the fact that new threats are released
on a daily basis, the ability to quickly write custom rules can often make or break your
career as an information security professional!

Snort rules are simple to write yet powerful enough to capture most types of traffic.
There are five options to keep in mind when writing rules:

          •   Pass - This means you wish to drop the packets and take no action.

          •   Log - This option allows you to log the particular action to the location
              you specified in your snort configuration file (e.g. snort.conf).

          •   Alert - This option allows you to send alerts to a central syslog server,
              popup windows via SMB or writing the file to a separate alert file. This
              alert file is commonly used with tools like Swatch (Simple Watcher) to
              alert the analyst to signs of intrusion or electronic tampering. Once the
              alert is sent, the packet is logged.

          •   Activate - This option specifies that Snort is to send the alert and then
              activate another dynamic rule. For example, Snort can be configured to
              dynamically block




©   FORESEC

More Related Content

What's hot

On-Analyzing-a-Layered-Defense-System
On-Analyzing-a-Layered-Defense-SystemOn-Analyzing-a-Layered-Defense-System
On-Analyzing-a-Layered-Defense-System
Sarah Rudd
 
International Journal of Computer Science and Security Volume (1) Issue (3)
International Journal of Computer Science and Security Volume (1) Issue (3)International Journal of Computer Science and Security Volume (1) Issue (3)
International Journal of Computer Science and Security Volume (1) Issue (3)
CSCJournals
 
Sb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetSb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinet
Ivan Carmona
 
Passive monitoring to build Situational Awareness
Passive monitoring to build Situational AwarenessPassive monitoring to build Situational Awareness
Passive monitoring to build Situational Awareness
David Sweigert
 
Linux Security Quick Reference Guide
Linux Security Quick Reference GuideLinux Security Quick Reference Guide
Linux Security Quick Reference Guide
wensheng wei
 

What's hot (18)

ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012
 
Security technology
Security technologySecurity technology
Security technology
 
On-Analyzing-a-Layered-Defense-System
On-Analyzing-a-Layered-Defense-SystemOn-Analyzing-a-Layered-Defense-System
On-Analyzing-a-Layered-Defense-System
 
Dismantling intrusion prevention_systems
Dismantling intrusion prevention_systemsDismantling intrusion prevention_systems
Dismantling intrusion prevention_systems
 
Tinysec
TinysecTinysec
Tinysec
 
Day3
Day3Day3
Day3
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent Threats
 
4 (data security in local network using)
4 (data security in local network using)4 (data security in local network using)
4 (data security in local network using)
 
RSA Anatomy of an Attack
RSA Anatomy of an AttackRSA Anatomy of an Attack
RSA Anatomy of an Attack
 
International Journal of Computer Science and Security Volume (1) Issue (3)
International Journal of Computer Science and Security Volume (1) Issue (3)International Journal of Computer Science and Security Volume (1) Issue (3)
International Journal of Computer Science and Security Volume (1) Issue (3)
 
Sb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetSb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinet
 
Passive monitoring to build Situational Awareness
Passive monitoring to build Situational AwarenessPassive monitoring to build Situational Awareness
Passive monitoring to build Situational Awareness
 
Firewall
FirewallFirewall
Firewall
 
Honeypot and Steganography
Honeypot and SteganographyHoneypot and Steganography
Honeypot and Steganography
 
FIREWALLS BY SAIKIRAN PANJALA
FIREWALLS BY SAIKIRAN PANJALAFIREWALLS BY SAIKIRAN PANJALA
FIREWALLS BY SAIKIRAN PANJALA
 
Honey Pot
Honey PotHoney Pot
Honey Pot
 
Review of network diagram
Review of network diagramReview of network diagram
Review of network diagram
 
Linux Security Quick Reference Guide
Linux Security Quick Reference GuideLinux Security Quick Reference Guide
Linux Security Quick Reference Guide
 

Similar to Network intrusi detection system

The Media Access Control Address
The Media Access Control AddressThe Media Access Control Address
The Media Access Control Address
Angie Lee
 
packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244
Tom King
 
Network Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayNetwork Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain Essay
Karen Oliver
 
The Security Of Information Security
The Security Of Information SecurityThe Security Of Information Security
The Security Of Information Security
Rachel Phillips
 
Firewall presentation m. emin özgünsür
Firewall presentation   m. emin özgünsürFirewall presentation   m. emin özgünsür
Firewall presentation m. emin özgünsür
emin_oz
 
Detection &Amp; Prevention Systems
Detection &Amp; Prevention SystemsDetection &Amp; Prevention Systems
Detection &Amp; Prevention Systems
Alison Hall
 
NetworkWorld-SafeBreach
NetworkWorld-SafeBreachNetworkWorld-SafeBreach
NetworkWorld-SafeBreach
Dan Kunkel
 
Recognizing security threats
Recognizing security threatsRecognizing security threats
Recognizing security threats
Kishore Kumar
 
Report_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareReport_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_Spyware
Shan Kumar
 

Similar to Network intrusi detection system (20)

Certified Ethical Hacking
Certified Ethical HackingCertified Ethical Hacking
Certified Ethical Hacking
 
The Media Access Control Address
The Media Access Control AddressThe Media Access Control Address
The Media Access Control Address
 
Oedipus The King Intrusion
Oedipus The King IntrusionOedipus The King Intrusion
Oedipus The King Intrusion
 
packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244
 
Network Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayNetwork Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain Essay
 
The Security Of Information Security
The Security Of Information SecurityThe Security Of Information Security
The Security Of Information Security
 
Five IDS mistakes people make
Five IDS mistakes people makeFive IDS mistakes people make
Five IDS mistakes people make
 
50120140501013
5012014050101350120140501013
50120140501013
 
Firewall presentation m. emin özgünsür
Firewall presentation   m. emin özgünsürFirewall presentation   m. emin özgünsür
Firewall presentation m. emin özgünsür
 
Detection &Amp; Prevention Systems
Detection &Amp; Prevention SystemsDetection &Amp; Prevention Systems
Detection &Amp; Prevention Systems
 
4777.team c.final
4777.team c.final4777.team c.final
4777.team c.final
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot Essentials
 
NetworkWorld-SafeBreach
NetworkWorld-SafeBreachNetworkWorld-SafeBreach
NetworkWorld-SafeBreach
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers Guide
 
Recognizing security threats
Recognizing security threatsRecognizing security threats
Recognizing security threats
 
Top 25 SOC Analyst interview questions.pdf
Top 25 SOC Analyst interview questions.pdfTop 25 SOC Analyst interview questions.pdf
Top 25 SOC Analyst interview questions.pdf
 
Report_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareReport_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_Spyware
 
SentinelOne Buyers Guide
SentinelOne Buyers GuideSentinelOne Buyers Guide
SentinelOne Buyers Guide
 
Network cloaking sansv2_
Network cloaking sansv2_Network cloaking sansv2_
Network cloaking sansv2_
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
 

Recently uploaded

Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
AnaAcapella
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 

Recently uploaded (20)

SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Magic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxMagic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptx
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric  nursing HISTORY  COLLECTION  .docxpsychiatric  nursing HISTORY  COLLECTION  .docx
psychiatric nursing HISTORY COLLECTION .docx
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 

Network intrusi detection system

  • 2. FORESEC ACADEMY Network-based intrusion detection systems (NIDSs) are an excellent way to monitor networks for anomalies that could indicate an attack or signs of electronic tampering on your network. In this chapter, we explore the need for NIDS and discuss some of the available offerings. In particular, we look at commercial tools such as BlackICE Defender, as well as an extremely popular open-source tool called Snort. We also discuss the advantages associated with building a distributed NIDS and provide examples of creating custom signatures for your own network environment. Our journey begins with a single network attack and culminates with a myriad of real world intrusion attempts. The objective is to present you with the knowledge necessary to understand the basics of intrusion detection and to spark some ideas of how this technology can be deployed on your own network. Finally, after reading this chapter, you should be able to tell the difference between an innocuous scan and a malicious scan and how to react and respond accordingly. © FORESEC
  • 3. FORESEC ACADEMY Need for Network-based Intrusion Detection Insider attacks can cause more financial damage than third party attacks because insiders have intimate knowledge of internal networks. Traditional audit and security mechanisms can address these threats and organizations can prosecute. The greater concern though should be attacks originating from the Internet. The volume of attacks originating from the public network is (or should be!) significantly higher than the number of attacks coming from an internal host. Most outside attacks can be stopped by a properly configured firewall. However, we need to be concerned with attacks that are able to bypass, or otherwise penetrate, the outside perimeter. You may be asking if the firewall can prevent many or most attacks, then why do we need to be concerned about the few that make it through? The reason is simple: volume. The sheer number of outside attacks hitting your network will eventually take their toll and compromise the system. There is a saying that even a blind squirrel can find a nut, and that can be applied to the perimeter network. Attacks on your network, even if poorly targeted, will eventually result in malicious activity passing through your perimeter and causing damage to your systems. © FORESEC
By detecting even the most benign attacks hitting our network perimeter, we can use that data to properly tune our system defences and mitigate or render useless a large percentage of the attacks. As the sophistication of network-based attacks continues to increase, we owe it to ourselves to use NIDS to investigate intrusions, analyze threats and prepare the needed countermeasures.

There is also the distinct advantage of being able to correlate data from a variety of NIDS deployments to increase our capability in responding to various attacks. We will discuss event correlation later in this chapter.
Inside a Network Attack

Some people call this classic attack an out of band attack; however, it is better known as WinNuke. WinNuke sends a single, specially crafted packet with OOB data to a remote listening port, TCP 139. This is known to crash older versions of Windows. (Note that Out of Band is a misnomer; WinNuke actually uses the TCP Urgent flag and the urgent pointer.) Even if NetBIOS is not enabled, a vulnerable system attacked by WinNuke will typically experience the dreaded "Blue Screen of Death."

Although this is a dated attack tool, it does an excellent job in visually explaining the concept of network-based attacks. It should also be noted that there are still millions of Windows 95 machines connected to the Internet. It is safe to say that this attack tool could still bring down countless machines.
How do we create this special packet capable of bringing Windows 95 to its knees? That answer is quite simple: Nuke.eM. Nuke.eM (shown in the previous slide) works by establishing a TCP connection with a remote host and delivering the illegal packet. It doesn't take any skill and it can turn the most inept person into a hacker.
The previous screenshot shows how the Nuke.eM attack was detected and blocked by BlackICE PC Protection, a leading commercial personal firewall. The highlighted area illustrates that the NetBIOS probe (Nuke.eM) was detected and successfully blocked six times. We can see that a NetBIOS port probe from the IP address 192.168.1.100 was detected and blocked by the firewall engine. The information window at the bottom of the screen gives a brief description of the attack, and clicking on the "advICE" button to the right will give more detailed information.

Note: Internet Security Systems (ISS) acquired the BlackICE product line in April 2001. The BlackICE PC Protection suite is their first offering from their new acquisition.

Okay, let's sum up what we have seen as we have explored a single network attack. We have identified a vulnerability, a flaw in the Microsoft implementation of networking. We have described the flaw technically and demonstrated one of the attacker tools that takes advantage of the threat. Finally, we have seen a detection and protection tool in action.

Actually, this is another example of threat, countermeasure, and counter-countermeasure. WinNuke was dropping systems left and right and Microsoft responded with a patch. Instead of fixing the problem the first time, they released a quick hack. The attackers instantly countered with a modification to their attack tools, finally forcing Microsoft to release a complete patch that adequately resolved the initial problem.
Network Intrusion Detection 101

Generally, when we think of utilizing a personal firewall, it is to protect our PC that is directly connected to the Internet. However, we don't always think about detection: many personal firewalls on the market today have the capability to block attacks, and they can also detect and log attacks. Logging the attack allows an analyst to study the attributes of an attack. In fact, with the increasing rate of broadband installations, personal firewalls with intrusion detection capability are becoming extremely valuable network sensors for the IDS community.

The Internet Storm Center has a free client that can be used in conjunction with many personal firewalls and intrusion detection systems and that will allow you to upload your logs to their site for further research and investigation. If you want a way to do your part and give back to the information security community, then this is a great opportunity. Detailed information is available from the web site at http://isc.incidents.org.

The Importance of Logging

The previous screen shot depicts activity on an extremely busy and hostile network. We can see a variety of attacks including nmap pings, SNMP port probes and DNS zone transfers. Although it is useful to be able to view these events in real-time, it is even more useful to have the ability to view these events with a network protocol analyzer like Ethereal to gain a better understanding of the attack and how it happened. Most personal firewalls include a logging feature that should be enabled to get the most from the product.
Logging is an integral part of intrusion detection. Being able to refer back to logs after an event happens is extremely useful from a learning perspective and in the case of criminal prosecution. Having logs of the events that led to a compromise would be a valuable asset if you seek damages or prosecution from a network attack or system compromise.
In this example, we demonstrate how to enable logging in the BlackICE personal firewall. The firewall engine settings are managed from the Tools menu and can be easily accessed from the main screen. Looking around, we can see multiple tabs that allow you to alter the functionality of the firewall. For our purposes, we focus on the Evidence Log and Packet Log options.

It is important to ensure that logging is enabled on the Evidence Log tab. The rest is self-explanatory, but it is useful to use the % sign at the end of the evd file prefix. Using this special character will add a date/time stamp to the log file names. This is helpful in the event you need to go back and look up the information for an attack that occurred at a particular time. You may also wish to adjust the maximum file size and maximum number of files settings to reflect your network.

Another useful feature is the Packet Log tab; enabling the Packet Log feature of BlackICE allows you to capture all the traffic that comes across the listening interface. This can prove extremely valuable when you need to perform network diagnostics or just to learn how your network operates at various points in time. However, remember that with this feature enabled, large amounts of disk space will be consumed to accommodate all of the network traffic. You might want to watch the remaining disk space when utilizing this logging feature.
Note: BlackICE is often thought of as a host-based IDS because it is typically installed on individual machines, but let's think about what it is really doing: monitoring network traffic. A traditional HIDS monitors log files, file changes, registry changes, and other rights/permissions of the host operating system. We use BlackICE in this chapter to illustrate the basics of network-based intrusion detection systems.
Viewing BlackICE Logs

There is a common misconception that BlackICE log files are viewable only by installing a commercial third-party application such as VisualICE or ICEcap. Although these add-on programs do a great job of parsing the data and creating nice looking reports, the only thing necessary is to view the files with an available packet analysis tool. In the previous example, we used a program called Ethereal to view the data. Ethereal, a free packet analysis program, is an excellent tool for decoding and viewing the BlackICE log files. In default installations of BlackICE, the log files are located at C:\Program Files\ISS\BlackICE\evd%*.enc

Note: Ethereal is one of the killer apps to rise from the open-source movement. It is maintained by a core group of developers who continually add features and update the program. It is easy to use, flexible, and free to download. I would happily put it up against any commercially available protocol analyzer. Although our example is basic, the other features of Ethereal are worth checking out. Ethereal can be downloaded at http://www.ethereal.com.
BlackICE Visualization Tools

The previous screenshot shows a spike in activity in the Events window that was the result of someone probing this network. This gives us an idea of where to look to find this data in the evidence log file. As a helpful hint, find the approximate time of an event, and if you happen to be looking for a scan, always look at the biggest file first, since port scans tend to generate a lot of traffic.

This screen also allows you to view network trends over a period of minutes, hours, or days, and it can be useful in learning the intricacies of your network. For example, once a baseline has been established, you can then use this screen to look for any anomalies that don't correlate with usual network traffic patterns.

We used a host-based intrusion detection engine to examine how a network attack functions. Now that you have a basic understanding of network-based attacks, let's shift our focus to NIDS.
Libpcap-Based Intrusion Detection Systems

Most network-based intrusion detection systems are Libpcap-based. Libpcap is an open source packet capture library designed to retrieve data from the kernel and pass it to the application layer. Libpcap has the advantage of being free to use and has proven, since its inception, to be extremely reliable. Products that use the Libpcap library include Shadow, Snort, Cisco IDS (formerly NetRanger), and NFR.

Note: Complete information, including the source code for Libpcap, can be downloaded at http://www.tcpdump.org/. If you are running on a Windows-based platform, you are in luck! WinPcap is the Win32 version of Libpcap and can be downloaded at http://winpcap.polito.it/.

In the previous diagram, you see a remote sensor collecting data and forwarding it to another machine for display and analysis. The Shadow Intrusion Detection System uses this configuration and is one of the few NIDS that essentially uses a "dumb" probe to forward the packets it captures to another device for processing. If the Shadow sensor should fail or somehow get compromised, no information about the site will be lost.
Network Intrusion Detection with Snort

Snort is billed as a lightweight network intrusion detection system. It was introduced to the open-source community in 1998 by its developer, Marty Roesch. Snort has quickly gained a reputation for being an extremely efficient, lightweight, and low-cost NIDS solution and owes its popularity and extensive features to a devoted team of core developers and an active user base.
Snort's design allows for easy integration into most networks, and it can be configured to monitor multiple sites, networks, or interfaces with relative ease. It has rules for packet content decodes and packet headers. This means it can detect data-driven attacks like buffer overflows, as well as attacks on vulnerable URLs and scripts (for example, RDS and phf).

Because Snort is open-source and has such an active user community, it is an ideal system for learning how to analyze intrusions and for experimenting with different configurations. There are many community-developed enhancements available (we discuss them later in this chapter) and help is just an e-mail message away.

Note: A great resource to learn more about Snort is the FAQ, which is available at http://www.snort.org/docs/faq.html. The FAQ is actively maintained and describes the many features of Snort.
Analyzing a Snort Detect

Snort detects are displayed in log files, like the one shown previously, and separated by blank lines. The logs are flat files, also called text files, and have the advantage of being easy to sort, search, and analyze. Another advantage of Snort logs is the ability to cut and paste the various detects into an e-mail message to be sent to other analysts, your CIRT, or the offending party. This feature alone is unavailable in many commercial products.

In this example, you see that the name of the detect, RPC Info Query, is listed at the top, and the summary information is given below it. The last three lines show the actual payload of this particular attack. Remote procedure call (RPC) attacks like this are part of the FORESEC Top Twenty list (http://www.foresecacademy.com/top20/) and could indicate a potential vulnerability on your network.

Pay particular attention to all of the zeros in the payload. RPC fields are padded to 32-bit words, even when the field carries only a small integer, so long runs of zeros are an indication of Remote Procedure Calls. Another item worthy of mention is the hex string 01 86 A0 00 00 00 02 00 00 00 04. This is the string for the rpcinfo -p command that lists the available RPC ports on a remote host.
Writing Snort Rules

Snort provides the ability to create custom rules, or signatures, to filter on specific content. The compiled source code provides hundreds of pre-written rules. However, there might be times when you need to create rules that are not included by default. Given the fast-paced world of intrusion detection and that new threats are released on a daily basis, the ability to quickly write custom rules can often make or break your career as an information security professional!

Snort rules are simple to write yet powerful enough to capture most types of traffic. There are five options to keep in mind when writing rules:

• Pass - This means you wish to drop the packets and take no action.
• Log - This option allows you to log the packet to the location you specified in your Snort configuration file (e.g. snort.conf).
• Alert - This option allows you to send alerts to a central syslog server, to pop-up windows via SMB, or to a separate alert file. This alert file is commonly used with tools like Swatch (Simple Watcher) to alert the analyst to signs of intrusion or electronic tampering. Once the alert is sent, the packet is logged.
• Activate - This option specifies that Snort is to send the alert and then activate another dynamic rule. For example, Snort can be configured to dynamically block
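The following added example ties the RPC detect analysis above to the rule actions just listed. It is not Snort's code or the chapter's: it decodes a constructed rpcinfo -p (portmapper DUMP) request so the meaning of the hex string and the zero padding is visible, and then evaluates a custom alert rule carrying that hex string with a deliberately simplified stand-in for Snort's matcher. The rule's UDP/111 header and sid are assumptions, not values from the chapter.

```python
import struct
from typing import Optional

# Constructed sample payload (not taken from the chapter's log): an ONC RPC v2 CALL to
# the portmapper, program 100000 (0x186A0), version 2, procedure 4 (PMAPPROC_DUMP),
# which is what "rpcinfo -p" sends. Every field is a 32-bit big-endian word, so small
# integers such as 2 and 4 each arrive padded with three zero bytes.
RPCINFO_DUMP = (
    struct.pack(">I", 0x1A2B3C4D)       # XID, an arbitrary constructed value
    + struct.pack(">I", 0)              # msg_type 0 = CALL
    + struct.pack(">I", 2)              # RPC protocol version 2
    + struct.pack(">I", 100000)         # program 100000 = portmapper -> 00 01 86 A0
    + struct.pack(">I", 2)              # program version 2        -> 00 00 00 02
    + struct.pack(">I", 4)              # procedure 4 = DUMP       -> 00 00 00 04
    + struct.pack(">IIII", 0, 0, 0, 0)  # AUTH_NULL credentials and verifier
)

def decode_rpc_call(payload: bytes) -> dict:
    """Decode the fixed 24-byte ONC RPC CALL header into named fields."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
    return {"xid": xid, "msg_type": mtype, "rpc_version": rpcvers,
            "program": prog, "version": vers, "procedure": proc}

def zero_fraction(payload: bytes) -> float:
    """Share of zero bytes: the padding signature the chapter points out in RPC payloads."""
    return payload.count(0) / len(payload)

def parse_content(value: str) -> bytes:
    """Turn a Snort content value such as 'ab|01 86 A0|cd' into raw bytes."""
    out, in_hex = b"", False
    for part in value.split("|"):
        out += bytes.fromhex(part) if in_hex else part.encode()
        in_hex = not in_hex
    return out

def rule_matches(rule: str, dst_port: int, payload: bytes) -> Optional[str]:
    """Simplified stand-in for Snort's engine: returns the rule action (pass/log/alert/...)
    when the destination port and the content option match, otherwise None."""
    header, _, options = rule.partition("(")
    action, _proto, _src, _sport, _arrow, _dst, dport = header.split()
    opts = dict(o.strip().split(":", 1)
                for o in options.rstrip(") ").split(";") if o.strip())
    if dport != "any" and int(dport) != dst_port:
        return None
    return action if parse_content(opts["content"].strip('"')) in payload else None

# Custom rule built around the chapter's hex string; header and sid are assumptions.
RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap dump request"; '
        'content:"|01 86 A0 00 00 00 02 00 00 00 04|"; sid:1000001;)')

if __name__ == "__main__":
    print(decode_rpc_call(RPCINFO_DUMP), rule_matches(RULE, 111, RPCINFO_DUMP))
```

Changing the leading word `alert` to `log` or `pass` in RULE is exactly how the action options listed above select what Snort does with a matching packet.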