Network intrusion
detection/prevention systems
NIDS (detection system)
• realtime attack detection
• passive (watchers) / active (measurement)
systems
• via analysis
– protocol analysis
– graph analysis
– anomaly detection
• analysis of direct network traffic
– complete / light
NIDS scheme
http://insecure.org/stf/secnet_ids/evasion-figure3.gif
Traffic analysis
• analyzing behaviour, not just packets
• difficulties
– NIDS can be run from different parts of the network
– bad packets
– reordering issues
• sensor placement
– inline
– passive
• spanning port
• network tap
• load balancer
http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf
Signature-based analysis
• pattern matching
• “patterns of malicious traffic”
• very elementary (basically grepping)
+ huge community for rule generation
+ great for low level analysis (rules are very specific)
+ does not take many resources
- lower performance with big ruleset
- slight attack variation can beat the rule
Rule example
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (
    msg:"OS-SOLARIS EXPLOIT sparc overflow attempt";
    flow:to_server,established;
    content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|";
    fast_pattern:only;
    metadata:ruleset community, service dns;
    classtype:attempted-admin;
    sid:267; rev:13;
)
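To make the "basically grepping" point concrete, the following added example (written for these notes, not Snort's code) parses the rule from the slide, converts its content option to bytes and matches it against two constructed payloads. On the slide the rule carries a leading "#", which in a Snort rules file comments it out; it is dropped here. The payloads, the parse_rule/parse_content/matches helpers and the reduced matching logic (port check plus byte search, no flow tracking) are assumptions of this example.

```python
import re

# Constructed input: the community rule from the slide (SID 267), on one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ('
        'msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; '
        'flow:to_server,established; '
        'content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; '
        'fast_pattern:only; metadata:ruleset community, service dns; '
        'classtype:attempted-admin; sid:267; rev:13;)')

# option name, then either a quoted value or anything up to the next ';'
OPTION_RE = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_content(content: str) -> bytes:
    """Turn a Snort content string into the bytes it matches.

    Characters between a pair of '|' are hex bytes; characters outside the
    pipes are literal text, so the space between two pipe groups on the
    slide is a real 0x20 byte in the signature.
    """
    out = bytearray()
    hex_buf = ''
    in_hex = False
    for ch in content:
        if ch == '|':
            if in_hex:
                out += bytes.fromhex(hex_buf)   # fromhex ignores the spaces
                hex_buf = ''
            in_hex = not in_hex
        elif in_hex:
            hex_buf += ch
        else:
            out += ch.encode('latin-1')
    if in_hex:
        raise ValueError('unterminated |hex| block in content')
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Split a one-line Snort rule into its header fields and the options used here."""
    header, _, body = rule.partition('(')
    action, proto, src, sport, _arrow, dst, dport = header.split()
    opts = {}
    for m in OPTION_RE.finditer(body):
        opts.setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return {
        'action': action, 'proto': proto,
        'src': src, 'sport': sport, 'dst': dst, 'dport': dport,
        'msg': opts['msg'][0], 'sid': int(opts['sid'][0]),
        'patterns': [parse_content(c) for c in opts.get('content', [])],
    }


def matches(rule: dict, dport: int, payload: bytes) -> bool:
    """Reduced detection: destination port check plus a byte-string search.

    A real engine also checks flow direction and TCP state (the 'flow'
    option); this version is enough to show what the signature really tests.
    """
    if rule['dport'] != 'any' and dport != int(rule['dport']):
        return False
    return all(p in payload for p in rule['patterns'])


def demo() -> dict:
    """Constructed payloads (not real traffic): one carrying the exact signature
    bytes, one with a single byte changed, the 'slight attack variation'."""
    rule = parse_rule(RULE)
    sig = rule['patterns'][0]
    hit = b'\x00' * 12 + sig + b'A' * 16
    miss = b'\x00' * 12 + sig[:5] + b'\xff' + sig[6:] + b'A' * 16
    return {
        'sid': rule['sid'],
        'signature_hex': sig.hex(),
        'exact_bytes_on_53': matches(rule, 53, hit),
        'exact_bytes_on_80': matches(rule, 80, hit),
        'one_byte_changed': matches(rule, 53, miss),
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k}: {v}')
```

The last two results are the two minus points on the slide in miniature: the same bytes to another port, or the same attack with one byte altered, never reach the alert, which is why signature rules are paired with protocol and anomaly analysis.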
Protocol-based analysis
• reviewing network data
• strictly based on layer headers
• knowledge of expected values
+ better possibility for scalability
+ generic, able to catch zero-day exploits
- protocol header preprocessors need resources
- rules can get extremely difficult to write/understand
- provides little information; the admin has to investigate
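The "knowledge of expected values" idea, as an added example that is not part of the slides: a checker for client-to-server DNS messages (the service the rule example targets) that looks only at the RFC 1035 header and question section and reports deviations from what a query should contain. The sample messages, the accepted opcode set and the check_dns_query/parse_qname/build_query helpers are this example's own assumptions.

```python
import struct

# RFC 1035 header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (network byte order)
DNS_HEADER = struct.Struct('!HHHHHH')


def parse_qname(payload: bytes, offset: int):
    """Walk one uncompressed QNAME; returns (labels, offset after it) or raises ValueError."""
    labels = []
    total = 0
    while True:
        if offset >= len(payload):
            raise ValueError('QNAME runs past end of message')
        length = payload[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length >= 0xC0:
            raise ValueError('compression pointer inside question QNAME')
        if length > 63:
            raise ValueError('label longer than 63 bytes')
        total += length + 1
        if total > 255:
            raise ValueError('QNAME longer than 255 bytes')
        labels.append(payload[offset:offset + length])
        offset += length


def check_dns_query(payload: bytes) -> list:
    """Return the list of header/question anomalies; an empty list means
    the message looks like a well-formed query toward a server."""
    findings = []
    if len(payload) < DNS_HEADER.size:
        return ['truncated header: %d bytes, need 12' % len(payload)]
    _msg_id, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    if flags >> 15 & 1:
        findings.append('QR=1: a response sent toward the server')
    opcode = flags >> 11 & 0xF
    if opcode not in (0, 1, 2, 4, 5):   # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        findings.append('unexpected OPCODE %d' % opcode)
    if flags >> 6 & 1:                  # the one remaining reserved Z bit
        findings.append('reserved Z bit set')
    if flags & 0xF:
        findings.append('non-zero RCODE in a query')
    if qd == 0:
        findings.append('QDCOUNT=0: no question section')
    if an or ns:
        findings.append('answer/authority records (%d/%d) in a query' % (an, ns))
    if ar > 1:
        findings.append('%d additional records; at most one OPT expected' % ar)
    offset = DNS_HEADER.size
    for _ in range(qd):
        try:
            _labels, offset = parse_qname(payload, offset)
            offset += 4                 # QTYPE + QCLASS
            if offset > len(payload):
                raise ValueError('question truncated before QTYPE/QCLASS')
        except ValueError as e:
            findings.append('malformed question: %s' % e)
            break
    return findings


def build_query(name: str, msg_id=0x1234, flags=0x0100, qd=1, an=0, ns=0, ar=0) -> bytes:
    """Constructed test messages: header plus one A/IN question for `name`."""
    q = b''.join(bytes([len(l)]) + l.encode() for l in name.split('.')) + b'\x00'
    return DNS_HEADER.pack(msg_id, flags, qd, an, ns, ar) + q + struct.pack('!HH', 1, 1)


GOOD_QUERY = build_query('example.com')
BAD_FLAGS = build_query('example.com', flags=0x8180, an=1)   # response bits toward the server
BAD_LABEL = build_query('a' * 64 + '.example.com')           # label over the 63-byte limit


if __name__ == '__main__':
    for name, msg in (('good', GOOD_QUERY), ('bad flags', BAD_FLAGS), ('bad label', BAD_LABEL)):
        print(name, check_dns_query(msg) or 'ok')
```

Note the trade-off the slide lists: none of these findings says what the sender wanted, only that the header is not what a DNS client produces, so an analyst still has to look at the flow.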
Types of detected events
• transport layer attack
• network layer attack
• unexpected services (tunnel, backdoor etc.)
• policy violations (forbidden protocols, ports etc.)
note: detection with accuracy
Types of attack
• evasion/insertion attacks
– bad IP headers
– bad IP options
– direct frame addressing
• IP packets fragmentation
– set up delay for dropping stored packets
• TCP layer problems
– sync between NIDS and end system
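The fragmentation and sync points on this slide, as an added example written for these notes (not Snort's frag3 code): a small fragment reassembler with a selectable overlap policy and a hold timeout. Run on the same constructed fragment train, the "first" and "last" policies yield different datagrams, which is the NIDS/end-system desync problem; Snort's frag3 preprocessor addresses it with a per-target reassembly policy. The Fragment/Reassembler classes, the two policies and the sample fragments are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Fragment:
    offset: int      # byte offset of this piece within the original datagram
    data: bytes
    more: bool       # IP "more fragments" flag: False marks the final piece
    arrived: float   # arrival time in seconds, used for the hold timeout


class Reassembler:
    """Minimal fragment reassembler with a selectable overlap policy.

    'first': data that arrived first wins on overlap; 'last': later data
    overwrites earlier bytes.  Real IP stacks differ in exactly this choice,
    so a sensor must reassemble the way the protected host does.
    """

    def __init__(self, policy: str = 'first', timeout: float = 30.0):
        if policy not in ('first', 'last'):
            raise ValueError('policy must be first or last')
        self.policy = policy
        self.timeout = timeout
        self.frags: List[Fragment] = []

    def add(self, frag: Fragment) -> None:
        self.frags.append(frag)

    def expire(self, now: float) -> int:
        """Drop fragments held longer than the timeout and return how many were dropped.
        This is the slide's 'delay for dropping stored packets': without it the sensor
        keeps stale pieces the end host has long since discarded."""
        keep = [f for f in self.frags if now - f.arrived <= self.timeout]
        dropped = len(self.frags) - len(keep)
        self.frags = keep
        return dropped

    def reassemble(self, now: Optional[float] = None) -> Optional[bytes]:
        """Return the datagram once every byte up to the final fragment is present, else None."""
        if now is not None:
            self.expire(now)
        buf = {}
        for frag in sorted(self.frags, key=lambda f: f.arrived):
            for i, byte in enumerate(frag.data):
                pos = frag.offset + i
                if self.policy == 'first' and pos in buf:
                    continue            # keep the earlier byte
                buf[pos] = byte         # 'last' policy (or first writer) takes the slot
        finals = [f for f in self.frags if not f.more]
        if not finals:
            return None
        total = finals[0].offset + len(finals[0].data)
        if any(pos not in buf for pos in range(total)):
            return None                 # a hole: still waiting, or a piece expired
        return bytes(buf[pos] for pos in range(total))


# Constructed fragment train (not captured traffic): the third piece overlaps
# bytes 4..11 of the first two with different content.
SAMPLE_FRAGMENTS = [
    Fragment(0,  b'GET /ind', True,  0.0),
    Fragment(8,  b'ex.html ', True,  0.1),
    Fragment(4,  b'ABCDEFGH', True,  0.2),
    Fragment(16, b'HTTP/1.0', False, 0.3),
]


def reassemble_with(policy: str, frags: List[Fragment], now: float,
                    timeout: float = 30.0) -> Optional[bytes]:
    """Feed all fragments to a fresh reassembler with the given policy and clock."""
    r = Reassembler(policy, timeout)
    for f in frags:
        r.add(f)
    return r.reassemble(now)


if __name__ == '__main__':
    for policy in ('first', 'last'):
        print(policy, reassemble_with(policy, SAMPLE_FRAGMENTS, now=1.0))
    print('after timeout', reassemble_with('first', SAMPLE_FRAGMENTS, now=100.0))
```

A sensor running the "first" policy in front of a host that favours newer data inspects a request the host never sees, and vice versa; the practical mitigation is to configure the reassembly policy per protected host type and to keep the sensor's fragment timeout aligned with the hosts' so both sides drop stale pieces at the same point.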
Prevention
• passive
– ending TCP stream
• inline
– inline firewalling
– throttling bandwidth usage
– altering malicious content
• passive and inline
– running third party script
– reconfiguring other network devices
Toolset
• SNORT
– opensource
– windows / linux
– lots of plugins
• OSSIM (security information and event management)
• Sguil (network security monitor)
SNORT
• started as sniffer in 1998
• sniffer, packet logger, and NIDS
• most used open-source NIDS right now
• loads of add-ons
• big and stable community (regular community rule releases)
Firewall network with SNORT
SNORT add-ons
• DumbPig
– bad rule grammar detection
• OfficeCat
– search for vulnerabilities in Microsoft Office docs
• SnoGE
– reporting tool parsing your logs and visualising them as points on Google Maps
• Oinkmaster
– tool for creating and managing rules
• iBlock
– daemon grepping alert file and blocking offending hosts
http://www.snort.org/snort-downloads/additional-downloads
Q&A

Network Intrusion Detection Systems #1