First Responders Course - Session 6 - Detection Systems
Phil Huggins, February 2004
Four major forms: network signature-based, network anomaly-based, host-based, and protocol anomaly-based. Commonly deployed, rarely used well.
Requires tuning to identify which alerts (signatures) should be generated and how high to escalate.
Examples: Snort, RealSecure, Network Flight Recorder (NFR).
A signature-based NIDS examines all network traffic and compares it to signatures of known attacks. This model is similar to that of anti-virus software.
Useful for detecting attempts by scripted attackers; less useful for detecting skilled attacks or insider-based incidents.
Research has shown several ways to avoid detection: ADMutate (polymorphic shellcode, by K2) and FragRoute (fragments network traffic, by Dug Song).
Anomaly-based NIDS monitor network traffic in an attempt to detect deviations from normal traffic patterns. Useful for detecting complex, yet undiscovered attack methods.
Requires a significant configuration and tuning effort, and time for initial benchmarking. It is difficult to define "normal traffic" activities: numerous employees checking email after a meeting can look like a DoS attack to an anomaly-based IDS.
Host-based IDS monitors system state for unknown activities. Used as a "last line" defence mechanism; can assist in post-attack forensics efforts. Integrity of reported data is not guaranteed after a successful compromise.
Examples: Tripwire, Dragon Squire.
Detection of intruders based on TCP/IP protocol deviations. Easier to model "correct" behavior than "incorrect" behavior. Relatively easier to configure due to deterministic TCP/IP patterns, with fewer alerting rules, but requires more highly trained staff for rule maintenance.
Detection examples: overly long UTF-8 characters (Nimda); all known FTP attacks break protocol specifications.
Will not detect viruses, or attacks conforming to protocol specifications. Applications that do not properly implement a protocol may also trigger alerts.
Examples: NFR, ManHunt.
IPS systems are a development of IDS systems. They don't just alert when an attack occurs; IPS systems respond automatically to stop the attack. There are two main types: Network Intrusion Prevention Systems and Host Intrusion Prevention Systems.
These work inline between the target systems and the outside world, deployed either bridging inline or routing inline. They add network latency overhead.
Examples include: Hogwash (http://hogwash.sourceforge.net/), a GPL open source NIPS; Netscreen (http://www.netscreen.com/products/idp), a fast commercial NIPS appliance; ISS Guard (http://www.iss.net/products_services/enterprise_protection/rsnetwork/guard.php), commercial NIPS software.
Usually implemented as kernel modules to spot attacks on a system and act as a 'system call firewall'. Very varied level of security provided; most can be circumvented using specific techniques. For the moment, beware of vendors offering a cross-platform product.
Examples include:
Integrity Protection Driver (http://www.pedestalsoftware.com/products/intact/resources/index.asp): Windows; freeware, open source, unsupported.
Trushield (http://www.trustcorps.com): commercial; very strong on Linux / Solaris, the Windows product is not as strong.
Windows Application Control (http://www.securewave.com/products/secureexe/index.html): Windows, commercial; some concerns relating to the user-land implementation.
Server Lock for Windows (http://www.watchguard.com/products/serverlock.asp): Windows, commercial.
IPS are a new take on an old idea: the Sidewinder Firewall. These are very hard to get right, and none of these appear to be mature yet. They can severely restrict software actions on a system and need to be tested as compatible with any software that they are planned to protect. As far as we know no active blackhat groups are attempting to defeat these, so there is a window of opportunity to get ahead of the hackers. Consider deploying on highly security-sensitive systems.
Log sources.
Host: processes, file system access, applications, and security events (registry edits, permissions edits, user management, login attempts, changes to security configuration).
Network: firewall, Intrusion Detection Systems (IDS), VPN gateways, routers, choke-points, dialup gateways.
Servers: mail, DHCP, web, proxy.
Centralized and synchronized logging mechanisms; content retention; digital notaries and time stamping; third party logging and/or storage.
Secure logging software: IETF Secure Syslog, IIRC syslog-ng, Core SDI msyslog.
UNIX logging is network oriented. Applications send messages to a syslog server (which could be on a different machine or the local machine). Each message is given a priority and type. The syslog server saves the message to files based on its priority and type and the contents of /etc/syslog.conf. The log files are plain ASCII and typically stored in /var/log, for example:
Jan 01 14:10:29 www.atstake.com apache: Server started
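How the priority/type of a message and the selectors in /etc/syslog.conf decide which file it lands in, as an added example (not from the slides); the config fragment, hostnames and messages are constructed, and the facility and severity numbers are the standard syslog ones.

```python
# Added example (not from the slides): how a syslog server routes a message to
# files from its facility/severity and /etc/syslog.conf selectors; config and
# messages are constructed for illustration.
import re
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FACILITY_NAME = {v: k for k, v in FACILITIES.items()}

SAMPLE_CONF = """# constructed /etc/syslog.conf fragment
*.info;mail.none;authpriv.none      /var/log/messages
authpriv.*                          /var/log/secure
mail.*                              /var/log/maillog
*.emerg                             *
"""

def parse_conf(text):
    """Return [(thresholds, action)]: facility -> most verbose severity accepted
    (None = excluded). Later selectors on a line override earlier ones, which
    is how 'mail.none' carves mail out of '*.info'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        thresholds = {}
        for sel in selectors.split(";"):
            fac, sev = sel.split(".")
            thr = None if sev == "none" else (7 if sev == "*" else SEVERITIES[sev])
            for f in (FACILITIES if fac == "*" else fac.split(",")):
                thresholds[f] = thr
        rules.append((thresholds, action.strip()))
    return rules

def parse_line(raw):
    """Split '<PRI>Mon dd hh:mm:ss host tag: msg'; PRI = facility * 8 + severity."""
    m = re.match(r"<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", raw)
    if not m:
        raise ValueError("not a syslog line: %r" % raw)
    pri = int(m.group(1))
    return {"facility": FACILITY_NAME.get(pri // 8, str(pri // 8)),
            "severity": pri % 8, "time": m.group(2), "host": m.group(3),
            "msg": m.group(4)}

def route(rules, facility, severity):
    """Files (or '*' = all logged-in users) that receive the message."""
    return [a for t, a in rules
            if t.get(facility) is not None and severity <= t[facility]]
```

Note that a `daemon.debug` message reaches no file under this fragment, because `*.info` stops at `info`; silently dropped severities are a common reason an expected entry is missing during an investigation.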
syslog will add log entries until there is no more disk space; additional tools are needed to rotate logs on a regular basis. Log entries are trivial to delete and modify when one has "root" access.
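The key-evolving MAC chain that secure logging software uses against exactly that root-level tampering, as an added example (not the slides' code, nor any particular product's): the initial key and a count of entries are assumed to be held off-host, and the log entries are constructed.

```python
# Added example (not from the slides): a key-evolving MAC chain over log entries,
# the idea behind secure logging tools. Each entry is tagged under the current
# key, which is then hashed forward and discarded, so an intruder who later gets
# root cannot re-tag earlier entries; the initial key (and ideally the entry
# count) lives off-host. Entries are constructed.
import hashlib
import hmac

SAMPLE_ENTRIES = [  # constructed syslog-style lines
    "Jan 01 14:10:29 www.atstake.com apache: Server started",
    "Jan 01 14:12:03 www.atstake.com sshd: Accepted password for phil",
    "Jan 01 14:15:47 www.atstake.com su: phil to root on /dev/pts/1",
]

def evolve(key):
    """Next key in the chain; the previous one is never stored on the host."""
    return hashlib.sha256(b"evolve" + key).digest()

def seal_log(entries, initial_key):
    """Return entries with a tag computed under a key that changes per entry."""
    key, sealed = initial_key, []
    for entry in entries:
        tag = hmac.new(key, entry.encode(), hashlib.sha256).hexdigest()
        sealed.append("%s | %s" % (entry, tag))
        key = evolve(key)
    return sealed

def verify_log(sealed, initial_key, expected_count=None):
    """Return None if intact, else the index of the first bad entry.
    Modifying, deleting or reordering an entry desynchronises the key chain
    for everything after it; truncating the tail is only caught when the
    expected number of entries is known from an off-host record."""
    key = initial_key
    for i, line in enumerate(sealed):
        entry, sep, tag = line.rpartition(" | ")
        expected = hmac.new(key, entry.encode(), hashlib.sha256).hexdigest()
        if not sep or not hmac.compare_digest(tag, expected):
            return i
        key = evolve(key)
    if expected_count is not None and len(sealed) < expected_count:
        return len(sealed)
    return None
```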
RRDTool (http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/index.html): displays time series data in graphical format.
Swatch (ftp://ftp.cert.dfn.de/pub/tools/audit/swatch/).
LogSurfer (http://www.cert.dfn.de/eng/logsurf/).
NetWitness (http://www.forensicexplorers.com/software.asp).
NFR (http://www.nfr.net/products/SLR/).
Windows logging is not network oriented. The "Event Logging" service is always running, but can be turned off. Applications interact with the service using an API, ADVAPI32.DLL. Three types of logs are stored (Application, Security, System); all are stored in %SystemRoot%\system32. The format of these logs is binary; "Event Viewer" is required to view them. The actual text message for Application logs can be stored in the Registry; only an index is saved in the log.
Event logs cannot be modified while the logging service is running (it has an exclusive lock), except by tools such as winzapper and clearlogs (which get system access). By default on Windows NT and Windows 2000, only system and application events are logged (no security); however, Windows 2003 does log security by default. The "Audit Policy" contains a list of actions that can be logged. "Object Access" only grants the ability to log; each NTFS file (or object) must be configured to actually log. Auditing policies can also be applied at the domain level. Knowing Windows Event Codes will help during an incident.
Each audit type can have Success, Failure, or both logged.
By default, older events are deleted when a maximum file size is attained (or after a given number of days). This is changed by selecting Properties in the Event Viewer.
Enable auditing (minimum): logon & logoff, policy changes, account management. Adjust maximum log sizes and roll-over policy. Consider auditing object access to regedit, *.sam etc.
Microsoft IIS Log Parser 2.0 (http://www.microsoft.com/windows2000/downloads/tools/logparser/default.asp): good generic IIS web log analyser. Version 2.1 is part of the IIS 6.0 Resource Kit Tools.
Microsoft Dump Event Log Tool (included in Windows 2000 Server Resource Kit Supplement 1): command line tool to dump local or remote event logs to a comma separated text file.
Microsoft EventCombMT (included in the Security Operations Guide for Windows 2000 Server): fast GUI tool for searching the event logs of multiple systems. Good for estimating the extent of an incident.
Event Archiver (http://www.eventarchiver.com): automatic event log backup tool with database support. Useful for regular centralised log analysis.
ELM Log Manager (http://www.tntsoftware.com/products/ELM3/ELM31/): Windows based centralised log manager; supports Windows, Syslog and SNMP sources; stores data in a database; has an extensive range of options for notification.
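Putting the event-code knowledge and the "estimate the extent of an incident" idea to work on a comma-separated dump from several machines, as an added example (not from the slides and not the output format of any of the tools above): the column layout, host names and entries are constructed, and the event IDs are the Security log numbers used by Windows NT/2000/2003.

```python
# Added example (not from the slides): triage a comma-separated dump of event
# logs from several machines to estimate the extent of an incident. The column
# layout, host names and entries are constructed; adapt the header row to the
# output of whichever dump tool you use.
import csv
import io
from collections import Counter, defaultdict

# Security log event IDs on Windows NT/2000/2003
EVENT_NAMES = {528: "successful logon", 529: "logon failure (bad user or password)",
               517: "audit log cleared", 612: "audit policy changed",
               624: "user account created"}
ALWAYS_REPORT = {517, 612, 624}   # a single occurrence is worth a look

SAMPLE_DUMP = """\
date,time,log,type,event_id,user,computer,message
2004-02-10,09:02:45,Security,Failure Audit,529,administrator,WEB1,Logon Failure
2004-02-10,09:02:46,Security,Failure Audit,529,administrator,WEB1,Logon Failure
2004-02-10,09:02:47,Security,Failure Audit,529,administrator,WEB1,Logon Failure
2004-02-10,09:03:10,Security,Success Audit,517,SYSTEM,WEB1,The audit log was cleared
2004-02-10,09:04:00,Security,Success Audit,624,administrator,DC1,User Account Created
2004-02-10,09:05:00,Application,Information,1000,N/A,FILE1,Service started
"""

def parse_dump(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["event_id"] = int(row["event_id"])
    return rows

def triage(rows, failure_threshold=3):
    """Map each computer to a list of findings worth investigating."""
    findings = defaultdict(list)
    hosts = {r["computer"] for r in rows}
    audited = {r["computer"] for r in rows if r["log"] == "Security"}
    # NT/2000 log no security events by default: an empty Security log on a
    # host usually means auditing was never enabled, not that nothing happened
    for host in sorted(hosts - audited):
        findings[host].append("no Security events: auditing probably disabled")
    failures = Counter((r["computer"], r["user"])
                       for r in rows if r["event_id"] == 529)
    for (host, user), n in sorted(failures.items()):
        if n >= failure_threshold:
            findings[host].append("%d failed logons for %s" % (n, user))
    for r in rows:
        if r["event_id"] in ALWAYS_REPORT:
            findings[r["computer"]].append("%s at %s (event %d)" % (
                EVENT_NAMES[r["event_id"]], r["time"], r["event_id"]))
    return dict(findings)
```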
IIS 6.0 (Windows 2003) supports remote logging via ODBC to a centralised SQL server (probable performance hit). IIS 6.0 also supports a centralised log file for each of the separate websites hosted on a single server; however this is a binary file and requires a parsing tool from the IIS 6.0 Resource Kit to read.
Centralised log collection for Windows event logs, encrypted and compressed on the network, with SQL Server as the log repository. Support for Windows XP, Windows 2003, Windows 2000. Due for release late in 2003; apparently version 2 will integrate with MOM version 2.
The new centralised enterprise management solution from Microsoft. Supports log / event input from: Windows Event Logs, IIS log files, Syslog, SNMP Traps, SQL Server Trace Logs, any generic single line text log. Haven't had a chance to play with it yet but it may be the best centralised logging solution for Microsoft or mixed Microsoft / UNIX networks.