First Responders Course - Session 6 - Detection Systems [2004]

The sixth session from a two day training course for potential first responders I ran for a large financial services client.

Published in: Business, Technology

  1. Phil Huggins, February 2004
  2. Intrusion detection systems
     - Four major forms: Network Signature-based; Network Anomaly-based; Host-based; Protocol Anomaly-based.
     - Commonly deployed, rarely used well.
  3. Network Signature-based IDS
     - Requires tuning to identify which alerts (signatures) should be generated and how high to escalate.
     - Examples: Snort, RealSecure, Network Flight Recorder (NFR).
  4. Network Signature-based IDS (continued)
     - A signature-based NIDS examines all network traffic and compares it to signatures of known attacks.
     - This model is similar to that of anti-virus software.
     - Useful for detecting attempts by scripted attackers.
     - Less useful for detecting skilled attacks or insider-based incidents.
     - Research has shown several ways to avoid detection: ADMutate (polymorphic shellcode, by K2); FragRoute (fragments network traffic, by Dug Song).
  5. Network Anomaly-based IDS
     - Anomaly-based NIDS monitor network traffic in an attempt to detect deviations from normal traffic patterns.
     - Useful for detecting complex, as yet undiscovered attack methods.
     - Requires a significant configuration and tuning effort.
     - Requires time for initial benchmarking.
     - Difficult to define "normal traffic" activities: numerous employees checking email after a meeting can look like a DoS attack to an anomaly-based IDS.
  6. Examples: Cisco, Dragon.
  7. Host-based IDS
     - Host-based IDS monitors system state for unknown activities.
     - Used as a "last line" defence mechanism.
     - Can assist in post-attack forensics efforts.
     - Integrity of reported data is not guaranteed after a successful compromise.
     - Examples: Tripwire, Dragon Squire.
  8. Protocol Anomaly-based IDS
     - Detection of intruders based on TCP/IP protocol deviations.
     - Easier to model "correct" behaviour than "incorrect" behaviour.
     - Relatively easier to configure due to deterministic TCP/IP patterns; fewer alerting rules.
     - Requires higher trained staff for rule maintenance.
     - Detection examples: detection of overly long UTF-8 characters (Nimda); all known FTP attacks break protocol specifications.
  9. Protocol Anomaly-based IDS (continued)
     - Will not detect viruses, or attacks conforming to protocol specifications.
     - Applications that do not properly implement a protocol may also trigger alerts.
     - Examples: NFR, ManHunt.
  10. Intrusion prevention systems
     - IPS systems are a development of IDS systems. They don't just alert when an attack occurs; IPS systems respond automatically to stop the attack.
     - There are two main types: Network Intrusion Prevention Systems; Host Intrusion Prevention Systems.
  11. Network IPS
     - These work inline between the target systems and the outside world: bridging inline or routing inline.
     - Network latency overhead.
     - Examples include: Hogwash (http://hogwash.sourceforge.net/), a GPL open source NIPS; Netscreen (http://www.netscreen.com/products/idp), a fast commercial NIPS appliance; ISS Guard (http://www.iss.net/products_services/enterprise_protection/rsnetwork/guard.php), commercial NIPS software.
  12. Host IPS
     - Usually implemented as kernel modules to spot attacks on a system and act as a "system call firewall".
     - Very varied level of security provided. Most can be circumvented using specific techniques.
     - For the moment, beware of vendors offering a cross-platform product.
  13. Host IPS examples
     - Integrity Protection Driver (http://www.pedestalsoftware.com/products/intact/resources/index.asp): Windows; freeware, open source, unsupported.
     - Trushield (http://www.trustcorps.com): commercial; very strong on Linux / Solaris, Windows product not as strong.
     - Windows Application Control (http://www.securewave.com/products/secureexe/index.html): Windows; commercial; some concerns relating to the user-land implementation.
     - Server Lock for Windows (http://www.watchguard.com/products/serverlock.asp): Windows; commercial.
  14. IPS assessment
     - IPS are a new take on an old idea: the Sidewinder Firewall.
     - These are very hard to get right; none of these appear to be mature yet.
     - Can severely restrict software actions on a system. Need to be tested as compatible with any software that they are planned to protect.
     - As far as we know no active blackhat groups are attempting to defeat these. Window of opportunity to get ahead of the hackers.
     - Consider deploying on highly security-sensitive systems.
  15. Sources of log data
     - Host: processes; file system access; applications; security events; registry edits; permissions edits; user management; login attempts; changes to security configuration.
     - Network: firewall; Intrusion Detection Systems (IDS); VPN gateways; routers; choke-points; dialup gateways.
     - Servers: mail; DHCP; web; proxy.
  16. Logging infrastructure
     - Centralized and synchronized logging mechanisms.
     - Content retention.
     - Digital notaries and time stamping.
     - Third party logging and/or storage.
     - Secure logging software: IETF Secure Syslog; IIRC syslog-ng; Core SDI msyslog.
  17. UNIX logging
     - UNIX logging is network oriented. Applications send messages to a syslog server (which could be on a different machine or the local machine).
     - Each message is given a priority and type. The syslog server saves the message to files based on its priority and type and the contents of /etc/syslog.conf.
     - The log files are plain ASCII and typically stored in /var/log. Example entry: Jan 01 14:10:29 www.atstake.com apache[117]: Server started
  18. UNIX logging (continued)
     - syslog will add log entries until there is no more disk space. Additional tools are needed to rotate logs on a regular basis.
     - Log entries are trivial to delete and modify when one has "root" access.
  19. UNIX log tools
     - RRDTool: display time series data in graphical format (http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/index.html).
     - Swatch (ftp://ftp.cert.dfn.de/pub/tools/audit/swatch/).
     - LogSurfer (http://www.cert.dfn.de/eng/logsurf/).
     - NetWitness (http://www.forensicexplorers.com/software.asp).
     - NFR (http://www.nfr.net/products/SLR/).
  20. Windows logging
     - Windows logging is not network-oriented.
     - The "Event Logging" service is always running, but can be turned off.
     - Applications interact with the service using an API, ADVAPI32.DLL.
     - Three types of logs are stored (Application, Security, System). All are stored in %SystemRoot%\system32.
     - The format of these logs is binary; "Event Viewer" is required to view them.
     - The actual text message for Application logs can be stored in the Registry; only an index is saved in the log.
  21. Windows logging (continued)
     - Event logs cannot be modified while the logging service is running (it has an exclusive lock), except by winzapper and clearlogs (which get system access).
     - By default on Windows NT and Windows 2000, only system and application events are logged (no security). However, Windows 2003 does log security by default.
     - The "Audit Policy" contains a list of actions that can be logged. "Object Access" only grants the ability to log; each NTFS file (or object) must be configured to actually log.
     - Auditing policies can also be applied at the domain level.
     - Knowing Windows Event Codes will help during an incident.
  22. Each audit type can have Success, Failure, or both logged.
  23. By default, older events are deleted when a maximum file size is attained (or after a given number of days). This is changed by selecting Properties in the Event Viewer.
  24. Windows logging recommendations
     - Enable auditing (minimum): logon & logoff; policy changes; account management.
     - Adjust maximum log sizes and roll-over policy.
     - Consider auditing object access to regedit, *.sam etc.
  25. Windows log tools
     - Microsoft IIS Log Parser 2.0 (http://www.microsoft.com/windows2000/downloads/tools/logparser/default.asp): good generic IIS web log analyser. Version 2.1 is part of the IIS 6.0 Resource Kit Tools.
     - Microsoft Dump Event Log Tool (included in Windows 2000 Server Resource Kit Supplement 1): command line tool to dump local or remote event logs to a comma-separated text file.
     - Microsoft EventCombMT (included in the Security Operations Guide for Windows 2000 Server): fast GUI tool for searching event logs of multiple systems. Good for estimating the extent of an incident.
     - Event Archiver (http://www.eventarchiver.com): automatic event log backup tool with database support. Useful for regular centralised log analysis.
     - ELM Log Manager (http://www.tntsoftware.com/products/ELM3/ELM31/): Windows-based centralised log manager; supports Windows, Syslog and SNMP sources; stores data in a database; has an extensive range of options for notification.
  26. IIS 6.0 logging
     - IIS 6.0 (Windows 2003) supports remote logging via ODBC to a centralised SQL server. Probable performance hit.
     - IIS 6.0 also supports a centralised log file for each of the separate websites hosted on a single server. However, this is a binary file and requires a parsing tool from the IIS 6.0 Resource Kit to read.
  27. Centralised log collection for Windows event logs
     - Encrypted and compressed on the network.
     - SQL Server for log repository.
     - Support for Windows XP, Windows 2003, Windows 2000.
     - Due for release late in 2003. Apparently version 2 will integrate with MOM version 2.
  28. The new centralised enterprise management solution from Microsoft
     - Supports log / event input from: Windows Event Logs; IIS log files; Syslog; SNMP traps; SQL Server trace logs; any generic single-line text log.
     - Haven't had a chance to play with it yet, but it may be the best centralised logging solution for Microsoft or mixed Microsoft / UNIX networks.
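Slide 4 names FragRoute as a way to slip a known signature past a NIDS by splitting traffic into pieces. The following Python is an added example, not code from the course or from any IDS: it contrasts a naive matcher that inspects each TCP segment on its own with one that reassembles the stream first. The signatures, the request and the segment order are all constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Constructed signatures for this example; they are not rules from any real IDS.
SIGNATURES = [
    ("example-cgi-probe", re.compile(rb"GET /cgi-bin/example-probe\.cgi")),
    ("example-oversized-basic-auth", re.compile(rb"Authorization: Basic [A-Za-z0-9+/=]{200,}")),
]

Segment = Tuple[int, bytes]  # (byte offset within the TCP stream, payload)


def match_per_packet(segments: List[Segment]) -> List[str]:
    """Naive matcher: looks at each segment's payload on its own.

    A signature that straddles a segment boundary is never seen in one piece,
    which is the weakness fragmentation tools exploit.
    """
    hits = set()
    for _, payload in segments:
        for name, pattern in SIGNATURES:
            if pattern.search(payload):
                hits.add(name)
    return sorted(hits)


def reassemble(segments: List[Segment]) -> bytes:
    """Stitch segments back into the byte stream the receiving host will see.

    Segments are ordered by offset; for overlapping or retransmitted data the
    first copy received wins (one of several policies real TCP stacks use, and
    a second ambiguity a sensor has to resolve the same way as its targets).
    """
    stream = bytearray()
    for offset, payload in sorted(segments, key=lambda seg: seg[0]):  # stable sort
        if offset > len(stream):
            raise ValueError("gap in stream at offset %d; cannot inspect yet" % len(stream))
        stream.extend(payload[len(stream) - offset:])
    return bytes(stream)


def match_stream(segments: List[Segment]) -> List[str]:
    """Matcher that reassembles first, then searches the whole stream."""
    data = reassemble(segments)
    return sorted(name for name, pattern in SIGNATURES if pattern.search(data))


def fragment(data: bytes, size: int) -> List[Segment]:
    """Split a stream into fixed-size segments (constructed traffic for the demo)."""
    return [(i, data[i:i + size]) for i in range(0, len(data), size)]


# Constructed request that matches the first signature when seen whole.
REQUEST = (b"GET /cgi-bin/example-probe.cgi HTTP/1.0\r\n"
           b"Host: www.example.test\r\n\r\n")

# Delivered in 8-byte pieces, in reverse order, with one piece retransmitted.
SEGMENTS = list(reversed(fragment(REQUEST, 8)))
SEGMENTS.append(SEGMENTS[0])

if __name__ == "__main__":
    print("per-packet:", match_per_packet(SEGMENTS))  # []
    print("stream:    ", match_stream(SEGMENTS))      # ['example-cgi-probe']
```

The per-packet matcher reports nothing because no 8-byte piece contains the 30-byte pattern; the reassembling matcher sees the request as the web server will and fires. This is the reason a production sensor has to do stream reassembly (and mirror the overlap policy of the hosts it protects) rather than pattern-match individual packets.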
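Slide 8 gives "overly long UTF-8 characters (Nimda)" as a protocol-anomaly detection: rather than knowing the attack, the sensor knows what a well-formed UTF-8 sequence looks like and flags anything else. The Python below is an added example written for this page, not a rule from any of the products named; it percent-decodes a request path and reports overlong encodings, stray continuation bytes, truncated sequences and encoded surrogates. The request paths are constructed.

```python
from typing import List, Tuple
from urllib.parse import unquote_to_bytes

Finding = Tuple[int, str]  # (byte offset, description)


def utf8_findings(data: bytes) -> List[Finding]:
    """Walk a byte string and report every sequence that breaks the UTF-8 rules.

    This is the protocol-anomaly idea from the slides: model the correct form
    (lead byte class, continuation count, minimum code point for that length)
    and flag whatever deviates from it.
    """
    findings: List[Finding] = []
    i, n = 0, len(data)
    while i < n:
        lead = data[i]
        if lead < 0x80:                       # plain ASCII
            i += 1
            continue
        if 0xC0 <= lead <= 0xDF:
            need, code, minimum = 1, lead & 0x1F, 0x80
        elif 0xE0 <= lead <= 0xEF:
            need, code, minimum = 2, lead & 0x0F, 0x800
        elif 0xF0 <= lead <= 0xF7:
            need, code, minimum = 3, lead & 0x07, 0x10000
        else:                                  # stray continuation byte or 0xF8..0xFF
            findings.append((i, "invalid lead byte 0x%02x" % lead))
            i += 1
            continue
        conts = data[i + 1:i + 1 + need]
        if len(conts) != need or any(not 0x80 <= c <= 0xBF for c in conts):
            findings.append((i, "truncated or malformed %d-byte sequence" % (need + 1)))
            i += 1
            continue
        for c in conts:
            code = (code << 6) | (c & 0x3F)
        if code < minimum:
            # The character has a shorter encoding, so this is an overlong form;
            # a decoder that accepts it will turn e.g. %c0%af into "/".
            findings.append((i, "overlong %d-byte encoding of U+%04X" % (need + 1, code)))
        elif 0xD800 <= code <= 0xDFFF:
            findings.append((i, "encoded UTF-16 surrogate U+%04X" % code))
        elif code > 0x10FFFF:
            findings.append((i, "code point above U+10FFFF"))
        i += 1 + need
    return findings


def inspect_path(url_path: str) -> List[Finding]:
    """Percent-decode a request path exactly once, then validate the bytes."""
    return utf8_findings(unquote_to_bytes(url_path))


if __name__ == "__main__":
    # Constructed request paths: the first two are well formed, the rest are not.
    for path in ["/index.html", "/caf%c3%a9", "/example/%c0%af../test",
                 "/x/%e0%80%af", "/%af", "/%c3", "/%ed%a0%80"]:
        print(path, "->", inspect_path(path))
```

Because the check is derived from the specification rather than from a particular exploit, it fires on every overlong form (two-, three- and four-byte) without a signature per variant. The flip side, as slide 9 warns, is that a client which mis-implements UTF-8 will trigger it too, so the alert needs a human to look at which application produced it.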
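Slide 17 describes syslog: each message carries a priority (facility and severity), and syslogd files it according to selectors in /etc/syslog.conf. As an added example (not code from the course or from any syslog implementation), the Python below parses BSD-style lines like the one on the slide, decodes the numeric priority into facility and severity, and routes messages with a small selector matcher of the "facility.level" form. The two extra log lines and the configuration are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD / RFC 3164 shape: optional <PRI>, timestamp, host, tag[pid]: message
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")


@dataclass
class SyslogEvent:
    timestamp: str
    host: str
    tag: str
    pid: Optional[int]
    message: str
    facility: str
    severity: str

    @property
    def severity_num(self) -> int:
        return SEVERITIES.index(self.severity)  # lower number = more severe


def parse_line(line: str) -> SyslogEvent:
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    # A line with no <PRI> is treated as priority 13 (user.notice), as RFC 3164 does.
    pri = int(m.group("pri")) if m.group("pri") is not None else 13
    facility, severity = divmod(pri, 8)
    if facility >= len(FACILITIES):
        raise ValueError("facility %d out of range" % facility)
    return SyslogEvent(m.group("ts"), m.group("host"), m.group("tag"),
                       int(m.group("pid")) if m.group("pid") else None,
                       m.group("msg"), FACILITIES[facility], SEVERITIES[severity])


def selector_matches(selector: str, event: SyslogEvent) -> bool:
    """syslog.conf selector 'facility.level': level means that severity or worse."""
    fac, level = selector.split(".")
    if fac != "*" and fac != event.facility:
        return False
    return level == "*" or event.severity_num <= SEVERITIES.index(level)


def route(lines: List[str], config: Dict[str, str]) -> Dict[str, List[str]]:
    """Mimic syslogd: append each message to every file whose selectors match.

    config maps a destination file to a ';'-separated selector list.
    """
    out: Dict[str, List[str]] = {dest: [] for dest in config}
    for line in lines:
        ev = parse_line(line)
        tag = ev.tag + ("[%d]" % ev.pid if ev.pid is not None else "")
        for dest, selectors in config.items():
            if any(selector_matches(s.strip(), ev) for s in selectors.split(";")):
                out[dest].append("%s %s %s: %s" % (ev.timestamp, ev.host, tag, ev.message))
    return out


# The line from the slide, plus two constructed lines that carry a <PRI> header
# (84 = authpriv.warning, 2 = kern.crit).
SAMPLE_LINES = [
    "Jan 01 14:10:29 www.atstake.com apache[117]: Server started",
    "<84>Jan 01 14:10:35 www.atstake.com sshd[221]: Failed password for invalid user test from 192.0.2.10",
    "<2>Jan 01 14:11:02 www.atstake.com kernel: Out of memory: killed process 117 (httpd)",
]

# A constructed stand-in for /etc/syslog.conf.
SAMPLE_CONFIG = {
    "/var/log/messages": "*.info",
    "/var/log/auth.log": "authpriv.*",
    "/var/log/critical": "*.crit",
}

if __name__ == "__main__":
    for dest, entries in route(SAMPLE_LINES, SAMPLE_CONFIG).items():
        print(dest, len(entries), "entries")
```

Note the asymmetry in the selector: "*.crit" means crit *and worse* (alert, emerg), which is why the apache notice does not land in /var/log/critical while the kernel message does. The same parser is the first stage of any Swatch- or LogSurfer-style watcher from slide 19.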
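Slide 16 lists secure logging software, digital notaries and time stamping, and slide 18 explains why: plain syslog files are trivial to delete or modify once an intruder has root. The Python below is an added example illustrating the underlying idea, not the design of any of the tools named: every entry is MACed under a key that is replaced by a one-way hash of itself after each write, and chained to the previous entry, while a verifier that kept the initial key (off the monitored host) can later detect edits, deletions and forgeries made after a compromise. The key and log entries are constructed.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional

Record = dict  # {"seq": int, "prev": hex digest, "entry": str, "mac": hex digest}
GENESIS = "0" * 64


def _mac(key: bytes, record: Record) -> str:
    body = {k: v for k, v in record.items() if k != "mac"}
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def _evolve(key: bytes) -> bytes:
    """One-way key update; the previous key is discarded after use."""
    return hashlib.sha256(b"evolve|" + key).digest()


class SecureLog:
    """Appender running on the monitored host; it holds only the *current* key.

    Each entry is MACed with that key, chained to the previous MAC, and the key
    is then replaced by a hash of itself. An intruder who gains root afterwards
    learns only the current key and so cannot recompute MACs for entries written
    before the compromise.
    """

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self.records: List[Record] = []

    def append(self, entry: str) -> Record:
        record = {"seq": len(self.records),
                  "prev": self.records[-1]["mac"] if self.records else GENESIS,
                  "entry": entry}
        record["mac"] = _mac(self._key, record)
        self._key = _evolve(self._key)
        self.records.append(record)
        return record


def verify(records: List[Record], initial_key: bytes) -> Optional[int]:
    """Verifier (central log server or notary) that still holds the initial key.

    Returns None if the chain is intact, otherwise the index of the first record
    that is modified, missing, reordered or forged.
    """
    key, prev = initial_key, GENESIS
    for i, record in enumerate(records):
        if record.get("seq") != i or record.get("prev") != prev:
            return i
        if not hmac.compare_digest(_mac(key, record), record.get("mac", "")):
            return i
        key, prev = _evolve(key), record["mac"]
    return None


# Constructed key (provisioned out of band in a real deployment) and entries.
INITIAL_KEY = hashlib.sha256(b"example-shared-secret-provisioned-out-of-band").digest()
ENTRIES = ["Jan 01 14:10:29 www.atstake.com apache[117]: Server started",
           "Jan 01 14:10:35 www.atstake.com sshd[221]: Accepted publickey for admin",
           "Jan 01 14:12:07 www.atstake.com su[240]: root login on tty1"]


def demo() -> dict:
    """Write three entries, then show what the verifier reports for each tampering."""
    log = SecureLog(INITIAL_KEY)
    for e in ENTRIES:
        log.append(e)
    edited = copy.deepcopy(log.records)
    edited[2]["entry"] = edited[2]["entry"].replace("root login", "admin login")
    deleted = [log.records[0], log.records[2]]   # middle entry removed
    truncated = log.records[:2]                  # tail cut off
    return {"intact": verify(log.records, INITIAL_KEY),
            "edited": verify(edited, INITIAL_KEY),
            "deleted": verify(deleted, INITIAL_KEY),
            "truncated": verify(truncated, INITIAL_KEY)}


if __name__ == "__main__":
    print(demo())  # {'intact': None, 'edited': 2, 'deleted': 1, 'truncated': None}
```

The one thing the chain alone cannot see is truncation of the tail: a log that simply stops looks valid. That is what the slide's notaries and time stamping add, namely an external record of how many entries (or which latest MAC) existed at a given time, so the verifier knows what length to expect.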
