CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Intrusion Detection & Prevention (IDPS)

1 CSE 4482 Computer Security Management: Assessment and Forensics Protection Mechanisms: Intrusion Detection & Prevention (IDPS) Instructor: N. Vlajic, Fall

2 Required reading: Management of Information Security (MIS), by Whitman & Mattord Chapter 10, pp Recommended reading: Principles of Information Security, by Whitman & Mattord Chapter 7, pp

3 Learning Objectives. Upon completion of this material, you should be able to: explain the phases of a typical intrusion process and of a typical intrusion detection process; identify the components of an intrusion detection system; discuss the key differences between host-based and network-based intrusion detection systems; explain the common uses of the Snort IDS tool, and be able to use Snort and write Snort rules.


5 Introduction. Intrusion: an event in which an attacker attempts to gain entry to, or disrupt the normal state and operation of, an information system. Examples of intrusive activities: password cracking and access violation; unauthorized operations on data (altering, deletion, creation, transmission); unauthorized operations on hosts/systems (configuration changes on a system, installation of software such as malware); denial of service (compromising a system by sending huge amounts of useless data).

6 Introduction (cont.) Stages of an Intrusion (Attack): most (successful) intrusions involve the following 5 steps/stages. Passive stages of an intrusion: (1) initial reconnaissance: the intruder uncovers as much information as possible about the target company's network, e.g. the company's range of IP addresses, machine names, etc.; (2) scanning: the intruder uses more invasive techniques to scan for information, e.g. a ping sweep and a port scan of the network's IP addresses to seek out potential target machines and open ports. At this stage, still no (formally) illegal activity has taken place! Be aware, however, that in some countries (e.g. Germany, England, Singapore) port scanning is considered illegal.

7 Introduction (cont.) Stages of an Intrusion (Attack). Active stages of an intrusion: (3) gaining access: the intruder commits what is technically a computer crime by exploiting possible holes on the target machine, and gains access to a system; (4) maintaining access & covering tracks: after gaining a foothold in the network, the intruder usually first installs a set of tools that help him maintain access & remove any evidence of the attack, e.g. programs that clean up log files (rootkits); (5) exploit: the intruder takes advantage of his position and performs one of the following: steals confidential data, defaces web pages, launches attacks at other sites, ...

8 Anti-Intrusion Techniques/Approaches. Intrusions can be dealt with at various stages: before, during and after they occur. Intrusion Prevention / Preemption: activities that deter an intrusion or reduce the likelihood of its success, e.g.: employ preventative tools (e.g. use firewalls that drop all malicious-looking packets: external prevention); implement good security policies (e.g. use hard-to-break passwords: internal prevention).

9 Anti-Intrusion Techniques/Approaches (cont.) Intrusion Detection: activities that detect/discriminate ongoing intrusions from normal activity AND alert authorities; e.g., monitor incoming traffic and alert authorities if the rate of incoming requests exceeds some threshold; e.g., alert authorities if someone attempts to access/change the configuration files of a machine. Alerts/alarms can be audible or visual, or can be sent via e-mail & pagers to the system administrator. Intrusion Deflection: activities aimed at making an intruder believe that he has succeeded in accessing a system, whereas he has been attracted to a specially prepared controlled environment: honeypots and honeynets.


11 Anti-Intrusion Techniques/Approaches (cont.) Intrusion Reaction / Response (aka countermeasures): activities aimed at limiting the overall loss from a detected/ongoing intrusion & returning operation to the normal state asap; e.g. session sniping: disrupt the communication between the attacker and the target by, e.g., forging RST packets; post-attack cleanup: scanning for files placed on the system during the attack and deleting them.

12 Introduction (cont.) Example: Intrusion prevention, detection, deflection and response (figure; intrusion deflection shown as a honeypot).

13 Intrusion Detection Terminology. Alert or Alarm: an indication that a system has just been attacked. True Attack Stimulus: a truly malicious event that triggers an alarm and causes the IDS to react; could be a real attack or an exercise in which security personnel are using hacker tools to test the IDS. False Attack Stimulus: an event that triggers an alarm when no actual attack is in progress. Noise: alarm events that are accurate and noteworthy but do not pose a significant threat to information security, e.g. unintentional scanning activity by a network user without intent to do harm.

14 Intrusion Detection Terminology (cont.) False Positive: an alarm that occurs when the IDS mistakes normal system activity for an attack; many false positives tend to make users insensitive to alarms, thus reducing their reactivity. False Negative: the failure of an IDS to react to an actual attack stimulus/event; the most grievous failure, since the purpose of an IDS is to detect actual attacks. Tuning: the process of adjusting an IDS to maximize its efficiency in detecting true positives while minimizing both false negatives & false positives.

15 Intrusion Detection Terminology (cont.) Example: In the context of an IDS, we define: false positive: the IDS generates an alarm for a condition that is actually benign; false negative: the IDS fails to generate an alarm when an alert-worthy condition is in effect. Assume an IDS in which unacceptable behaviors are defined by a set of rules. Using the diagram (horizontal axis: the set of rules, running from "not acceptable behavior" to "acceptable behavior"), depict two curves that roughly indicate the frequency/probability of false positives and of false negatives, respectively, as a function of the given set of rules. (Figure: as the rule set is tightened toward "not acceptable", false negatives fall while false positives rise; loosening it does the opposite.)

16 Intrusion Detection Terminology (cont.) Example: Assume two overlapping Bell-shaped distributions one representing the pdf of authorized and one representing the pdf of unauthorized users. The overlapping area of the two pdf-s represents the region in which there is the potential for false positives and false negatives. An idealized case of such distributions is shown below. 16

17 Intrusion Detection Terminology (cont.) Example (cont.): Now suppose a particular case where there are 2 actual intrusions for every 2000 authorized users, and the overlapping area covers 1% of the authorized users and 50% of the intruders. a) Depict the two event distributions as two overlapping graphs (figure: x-axis "measurable behavior parameter", y-axis "event distribution"; curves "profile of intruder behavior" and "profile of authorized user behavior", with the overlap in observed or expected behavior shaded). b) What is the probability that an event that occurs in this region is that of an authorized user? Assume there is a total of 2000 authorized users and 2 unauthorized users; then 1% of 2000 = 20 authorized users & 50% of 2 = 1 unauthorized user fall in the overlap region: p(authorized) = 20/21 (about 95%), p(unauthorized) = 1/21 (about 5%).

18 Intrusion Detection Terminology (cont.) Example: The CEO of XYZ company recently read an article describing the risks of inadequate computer security. She is suddenly very concerned about the company's computer security and wants to re-evaluate the company's network IPS. The current system has a false-positive rate of 20 incidents per month and a false-negative rate of 1 incident every 6 months. It takes the company's Network Normalization & Neutralization Department (N3D) 0.25 hours to resolve any false positive. False negatives (and subsequent infections) take 4 hours to clean up. In the special case of an infection on a computer in the Strategic Development (SD) department, it takes N3D 10 hours to do a cleanup. SD has 0.5% of the computers in XYZ.

19 Intrusion Detection Terminology (cont.) (a) Write an expression for the total number of hours spent by N3D on false-positive and false-negative resolution in a year.
N3D_hours/year = %non-SD-computers * (#FP*time_FP + #FN*time_FN) + %SD-computers * (#FP*time_FP + #FN*time_FN,SD)
= 0.995*(20*12*0.25 + 2*4) + 0.005*(20*12*0.25 + 2*10)
= 0.995*(60 + 8) + 0.005*(60 + 20)
= 67.66 + 0.40 = 68.06

20 Intrusion Detection Terminology (cont.) (b) The current IPS has an option where the system sensitivity can be increased. Enabling this option reduces the number of false negatives by half but causes 5 times as many false positives. Write an expression for the amount of time per year that N3D would spend with the sensitivity option enabled.
N3D_hours/year_sensitivity = %non-SD-computers * (#FP*time_FP + #FN*time_FN) + %SD-computers * (#FP*time_FP + #FN*time_FN,SD)
= 0.995*(5*20*12*0.25 + ½*2*4) + 0.005*(5*20*12*0.25 + ½*2*10)
= 0.995*(300 + 4) + 0.005*(300 + 10)
= 0.995*304 + 0.005*310 = 302.48 + 1.55 = 304.03

21 Intrusion Detection Terminology (cont.) (c) In addition to the time spent by N3D, a forensics specialist (FS) has to be called in for 100 hours to deal with an infection on an SD computer. Write two expressions, one for the amount of time per year the forensics specialist would spend with the sensitivity option enabled and one without.
FS_hours/year_no_sensitivity = 2*0.005*100 = 1
FS_hours/year_sensitivity = 1*0.005*100 = 0.5

22 Intrusion Detection Terminology (cont.) (d) The FS's time is worth 20 times as much as N3D time. Considering the overall cost (N3D + FS), decide whether it is worth enabling the sensitivity option.
no_sensitivity: 68.06 + 20*1 = 68.06 + 20 = 88.06 (about 88)
sensitivity: 304.03 + 20*0.5 = 304.03 + 10 = 314.03 (about 314)
On these figures the option costs more than it saves. However, we have not considered the actual loss associated with the infection of an SD computer!
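The two worked examples above (the overlap-region base rate and the annual cost of the IPS sensitivity option) carried through in code, so the same model can be re-run with different rates. This is an example added to the transcription, not material from the slides; all figures are the slides' own, while the function names and the IpsConfig field names are assumptions of this example.

```python
"""Worked numbers from the two terminology examples: base rate in the overlap
region, and the yearly cost of the IPS sensitivity option. Added example; the
IpsConfig layout and function names are this example's own."""
from dataclasses import dataclass, replace


def overlap_posterior(n_auth, n_intr, frac_auth_overlap, frac_intr_overlap):
    """Return (P(authorized | event in overlap), P(intruder | event in overlap)).
    The base-rate effect: catching 50% of intruders is still swamped by 1% of a
    far larger authorized population."""
    auth_in = n_auth * frac_auth_overlap
    intr_in = n_intr * frac_intr_overlap
    total = auth_in + intr_in
    return auth_in / total, intr_in / total


@dataclass(frozen=True)
class IpsConfig:
    fp_per_month: float                 # false positives per month
    fn_per_year: float                  # false negatives (infections) per year
    t_fp: float = 0.25                  # N3D hours to resolve one false positive
    t_fn: float = 4.0                   # N3D hours to clean one non-SD infection
    t_fn_sd: float = 10.0               # N3D hours to clean one SD infection
    sd_share: float = 0.005             # fraction of computers in SD
    fs_hours_per_sd_fn: float = 100.0   # forensics-specialist hours per SD infection
    fs_cost_factor: float = 20.0        # one FS hour is worth this many N3D hours


def n3d_hours(c: IpsConfig) -> float:
    """Parts (a)/(b): N3D hours per year, weighted by the SD / non-SD split."""
    fp_per_year = c.fp_per_month * 12
    non_sd = (1 - c.sd_share) * (fp_per_year * c.t_fp + c.fn_per_year * c.t_fn)
    sd = c.sd_share * (fp_per_year * c.t_fp + c.fn_per_year * c.t_fn_sd)
    return non_sd + sd


def fs_hours(c: IpsConfig) -> float:
    """Part (c): only infections landing on SD hosts need the specialist."""
    return c.fn_per_year * c.sd_share * c.fs_hours_per_sd_fn


def total_cost(c: IpsConfig) -> float:
    """Part (d): overall cost in N3D-hour equivalents."""
    return n3d_hours(c) + c.fs_cost_factor * fs_hours(c)


def with_sensitivity(c: IpsConfig) -> IpsConfig:
    """The sensitivity option: 5x the false positives, half the false negatives."""
    return replace(c, fp_per_month=5 * c.fp_per_month, fn_per_year=c.fn_per_year / 2)


CURRENT = IpsConfig(fp_per_month=20, fn_per_year=2)   # 1 FN every 6 months


def compare():
    """(cost without option, cost with option, option worth enabling?)"""
    base = total_cost(CURRENT)
    sens = total_cost(with_sensitivity(CURRENT))
    return base, sens, sens < base


if __name__ == "__main__":
    p_auth, p_intr = overlap_posterior(2000, 2, 0.01, 0.5)
    print(f"P(authorized | overlap) = {p_auth:.3f}, P(intruder | overlap) = {p_intr:.3f}")
    print(f"N3D hours/year: {n3d_hours(CURRENT):.2f} vs {n3d_hours(with_sensitivity(CURRENT)):.2f}")
    print("total cost (N3D-hour equivalents): %.2f vs %.2f, enable? %s" % compare())
```

The interesting knob for a practitioner is `fs_cost_factor`: the option only starts to pay off once the cost of an SD infection (the loss the slide says is not yet counted) is large enough to outweigh the 1200 extra false positives a year.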

23 Intrusion Detection System. Intrusion Detection System (IDS): a system designed to monitor all in- & out-bound network activity and identify any suspicious patterns; a passive security solution! IDS components: network sensors: collect & analyze network traffic; alert system / management server: receives & analyzes input from the sensors, sends out alerts; database of attack signatures or behaviors: helps in identifying suspicious traffic; command console/interface: used to view alerts. Intrusion Detection & Prevention System (IDPS): detects an intrusion & prevents it from succeeding = detect & react (to minimize the end impact); an active security solution!

24 Intrusion Detection System (cont.) Why Should we Use an IDP System? Preventative: (a) increase the perceived risk of discovery & punishment for those who would attack, and so aid in preventing problems. During the attack: (b) detect preambles to attacks, i.e. doorknob-rattling activities, in order to prepare for a potential attack (doorknob rattling: the process of gathering information about a network, such as its hosts & the services offered, e.g. address and port scanning); (c) detect & deal with security violations that are not prevented by other security measures, e.g. a firewall alone may not be able to predict whether an incoming packet will cause a buffer overflow on a machine. Post-attack: (d) collect forensic data for after-attack review.

25 Intrusion Detection System (cont.) An IDPS CANNOT do the following: (1) compensate for weak identification and authentication mechanisms: if you expect your IDPS to deal with computer break-ins, it might be too late and too costly; the intruder may have compromised the data by the time the IDPS generates an alarm; (2) compensate for weaknesses in network protocols: if you expect your IDPS to deal with protocol-based DDoS attacks, it might be too late and too costly; the DDoS may have already crashed the server by the time the IDPS generates an alarm; (3) detect new/unknown intrusions: an IDPS bases its decisions on banks of accumulated (previous) knowledge.


27 IDPS Components: Sensors. IDPS Sensors: the eyes of an IDS; monitor traffic passing in and out of the network in real time. Sensors can be built in software and placed in a firewall or switch (aka inline sensors): do not require additional hardware; can block traffic when it is detected; traffic must pass through the sensor (slows down the network/traffic). Sensors can also be built as stand-alone hardware devices (aka passive sensors or network taps): monitor a copy of the network traffic; traffic does not pass through the device (fast).

28 IDPS Components: Sensors. Example: Network tap (figure: iTap 2-port aggregator).

29 IDPS Components: Sensors. Sensors Deployment / Positioning (figure; its annotations on the candidate sensor locations read): in front of the firewall: observe raw traffic and the actual number of attempted attacks (very high processing burden); behind the firewall: discover problems with the firewall policy; monitor attacks on specific servers with less processing burden; internal backbone and LANs: detect intrusions by authorized users; focus on specific services, machines and protocols (low processing burden).

30 IDPS Components: Sensors Sensors Deployment / Positioning (cont.) LOCATION 1: behind external firewall advantages see attacks, originating from outside world, that penetrate the network s perimeter defenses highlights problems with the network firewall policy or performance see attacks that might target the Web or FTP server (DMZ) LOCATION 2: in-front of external firewall advantages document the number and type of attacks originating on the Internet that target the network

31 IDPS Components: Sensors. Sensors Deployment / Positioning (cont.) LOCATION 3: on the backbone network that supports internal servers & database resources; advantages: detect unauthorized activity by authorized (as well as outside) users within the organization's perimeter; can be tuned to specific protocols and attack types, thus reducing the processing burden. LOCATION 4: on LANs that support personnel; advantages: can be tuned to specific protocols and attack types.


33 IDPS Components: Alert System (cont.) Alert System (Management Server): analyses the input received from the sensors & triggers an alarm when it detects suspicious activity (source: Computer & Information Security Handbook, by John R. Vacca). Types of triggers/alarms: anomaly-based detection (aka profile-based detection): the system sends an alarm when it detects an event that deviates from normal behavior; requires the use of statistical methods to create profile(s) of normal behavior. Misuse detection (aka signature- or rule-based detection): the system sends an alarm when it detects a signature/pattern typical of a known attack, e.g. doorknob rattling involves use of ICMP and DNS querying.

34 IDPS Components: Alert System (cont.) Anomaly-Based Detection: focuses on characterizing the past behavior of individual users and detecting significant deviations; audit records are generally used to define typical behavior. Challenge 1: deciding on quantitative metrics to measure user behavior, e.g. counters (# logins, # command executions), interval timers (time between 2 related events), resource utilization, etc. Challenge 2: the choice of tests to decide whether current activity is within acceptable limits: mean and standard deviation, multivariate / correlation, Markov processes, etc.

35 IDPS Components: Alert System (cont.) (figure: Computer Security: Principles and Practice, 2nd edition, Stallings, p. 260)

36 IDPS Components: Alert System (cont.) Misuse Detection: focuses on finding a pattern (signature) which closely matches a known intrusion activity. Examples of pattern-matching techniques: stateless / single-packet matching: look for a fixed sequence of bytes within a single packet, e.g. destination port 12570 and the string "madison" in the payload; stateful / multiple-packet matching: look for a specific sequence distributed over several packets of a stream.
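The two alarm types described on the preceding slides, on constructed data: an anomaly profile built with the mean/standard-deviation test from "challenge 2", and a stateless single-packet misuse signature in the shape of the port-12570/"madison" example. This is an example added to the transcription, not code from the slides or from any IDS product; the audit counts, the signature table and the packets are constructed for the demonstration.

```python
"""Anomaly-based (mean / std-dev profile of a counter) vs misuse-based
(single-packet signature) alerting. Added example; all data is constructed."""
import statistics

# --- anomaly-based: profile a counter metric (failed logins per day) ---------

# Constructed audit trail: failed logins per day for one user over two weeks.
BASELINE_DAYS = [1, 3, 2, 2, 4, 1, 2, 3, 2, 2, 1, 3, 2, 2]


def build_profile(samples):
    """Normal behavior = (mean, population std-dev) of the observed counter."""
    mean = statistics.fmean(samples)
    stdev = statistics.pstdev(samples) or 1.0   # flat history: avoid divide-by-zero
    return mean, stdev


def z_score(profile, value):
    mean, stdev = profile
    return (value - mean) / stdev


def anomaly_alert(profile, value, threshold=3.0):
    """Alarm when today's count sits more than `threshold` std-devs above the
    mean. Only the upper tail matters for a failure counter, so a quiet day
    never alerts."""
    return z_score(profile, value) > threshold


# --- misuse-based: stateless single-packet signatures -------------------------

# Constructed signature table, shaped like the slide's example.
SIGNATURES = [
    {"name": "madison-probe", "proto": "tcp", "dport": 12570, "content": b"madison"},
    {"name": "bind-version-query", "proto": "udp", "dport": 53, "content": b"version.bind"},
]


def match_packet(pkt, signatures=SIGNATURES):
    """Names of every signature this one packet satisfies (no stream state)."""
    return [s["name"] for s in signatures
            if pkt["proto"] == s["proto"]
            and pkt["dport"] == s["dport"]
            and s["content"] in pkt["payload"]]


def demo():
    profile = build_profile(BASELINE_DAYS)
    packets = [  # constructed
        {"proto": "tcp", "dport": 12570, "payload": b"hello madison"},
        {"proto": "tcp", "dport": 12570, "payload": b"hello world"},    # right port, wrong bytes
        {"proto": "tcp", "dport": 80, "payload": b"madison"},           # right bytes, wrong port
        {"proto": "udp", "dport": 53, "payload": b"\x00\x01version.bind"},
    ]
    return {
        "profile": profile,
        "busy_normal_day": anomaly_alert(profile, 4),     # z ~ 2.2: no alarm
        "brute_force_day": anomaly_alert(profile, 30),    # z ~ 33: alarm
        "signature_hits": [match_packet(p) for p in packets],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note the asymmetry the slide's comparison table is about: the signature list needs a new entry before it can see a new probe, while the profile flags the brute-force day without knowing what a brute-force attack looks like, and would also flag a legitimate user who simply forgot a password many times.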

37 IDPS Components: Alert System (cont.) Anomaly-based vs. misuse detection.
Anomaly-based, advantages: unpredictable for the attacker; adaptable: can learn to detect new intrusions; good against (unique types of) insider intrusions. Anomaly-based, disadvantages: requires a long(er) setup time; complexity: must be able to intelligently incorporate new knowledge without becoming unstable.
Misuse-based, advantages: can start to work right away; easy to understand and configure. Misuse-based, disadvantages: must be continually (proactively) updated with new signatures; does not recognize brand new attacks; may require considerable storage space for signature files.


40 IDPS Components: Databases (cont.) Database of User Behaviors: an anomaly-detection database should be built gradually, by observing network traffic over a period of time; example: Securify by McAfee (network user behavior analysis).

41 IDPS Components: Databases (cont.) Database of Attack Signatures: in order to build a detailed, up-to-date attack signature database, the administrator must proactively seek information; good starting points: 1) response/attacksignatures/ 2)

42 IDPS Components: Console. Command Console (Management Interface): software that provides a GUI front end to an IDS; in large systems, the IDS command console should enable the administrator to 1) keep up with a large volume of data, 2) take countermeasures quickly. Examples of consoles that display events generated by the Snort network IDPS engine: Aanval SAS; Razorback (projects/razorback/).

43 IDPS Components: Console Example: Aanval SAS console 43

44 Steps in Intrusion Detection Step 1: Install IDS System includes installation of IDS hardware, software & database of user profiles or attack signatures 44

45 Steps in Intrusion Detection (cont.) Step 2: Data Gathering sensors placed throughout the network observe passing packets, state of OS and files, etc. 45

46 Steps in Intrusion Detection (cont.) Step 3: Sending Alert Messages: the sensors' detection software transmits 1) event descriptors to the IDS server (centralized IDS), and the server then generates an alarm/alert, or 2) alert messages directly to the IDS console (distributed IDS).

47 Steps in Intrusion Detection (cont.) Step 4: Immediate IDS Response: in addition to generating an alarm message, the IDS may also be configured to take level-one defense actions, e.g. drop the suspicious packet, stop the suspicious process.

48 Steps in Intrusion Detection (cont.) Step 5: Administrator Assesses Damage: the automated IDS response (Step 4) includes only a minimal set of defensive measures; before more serious actions are taken, the system administrator must make sure that the alarm is not a false positive.

49 Steps in Intrusion Detection (cont.) Step 6: Subsequent Escalation Procedure: in the case of a true positive, further defensive measures may have to be taken, e.g. completely block any further traffic from a particular host.

50 Steps in Intrusion Detection (cont.) Step 7: Logging and Reviewing the Event: enter the alert in the IDS log file, in order to determine whether a slow (long-term) pattern of misuse has been occurring, e.g. a series of log-on attempts that occur only once every few days.

51 Types of IDS: HIDS. Host-Based IDS (HIDS): consists of software/agents residing on selected hosts inside the network perimeter (computer, server, firewall, router, ...) and monitoring the activity of that host only. Information monitored/gathered by a HIDS: packets generated and received by the host; file access; application logs; CPU use & system processes; the state of, and changes in, system registries.


53 Types of IDS: HIDS. Places of HIDS Deployment: in some networks, HIDS agents may be deployed only on sensitive & mission-critical hosts; it is cost-prohibitive to install an agent on every host. HIDS Configurations: centralized: each HIDS agent sends all raw gathered data to a central location (console) for analysis; host performance is not affected by the IDS; alert messages do not occur in real time. Distributed: each HIDS agent analyses data on its own and sends only alerts (not data) to the command console; alert messages are generated without delay; performance reduction, as the host processes all data.

54 Types of IDS: HIDS. Example: Centralized vs. distributed HIDS (figure: client/server diagram for each configuration).

55 Types of IDS: HIDS. Example: HIDS software. Free: OSSEC (Open Source Host-based IDS); Tripwire; AIDE (Advanced Intrusion Detection Environment); Prelude Hybrid IDS. Not Free: IBM Proventia Desktop; Cisco CSA; Checkpoint Integrity; Tripwire Enterprise; Symantec Endpoint Protection; McAfee Host Intrusion Prevention.
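The file-access monitoring listed under HIDS, in its simplest Tripwire/AIDE-style form: hash every file into a baseline, then diff a later snapshot against it. This is an example added to the transcription, not code from OSSEC, Tripwire or AIDE. It builds a small directory tree in a temporary location so it runs offline; the file names and the simulated compromise are constructed for the demonstration.

```python
"""Tripwire/AIDE-style file integrity baseline and comparison. Added example;
the directory tree and the 'attack' edits are constructed."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Baseline: relative path -> (sha256, size, permission bits) for every
    regular file below root. Hash plus metadata catches content changes and
    permission changes alike."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            baseline[p.relative_to(root).as_posix()] = (digest, st.st_size, st.st_mode & 0o777)
    return baseline


def compare(baseline, current):
    """Diff two snapshots into sorted added / removed / changed path lists."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(f for f in baseline.keys() & current.keys() if baseline[f] != current[f])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Take a baseline, simulate a compromise, and report what the HIDS sees."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary")
        baseline = snapshot(root)

        # Constructed 'attack': trojaned binary (same size, new content), an
        # extra uid-0 account, a deleted file, and a rootkit preload hook.
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned binary")
        (root / "etc" / "passwd").write_text(
            "root:x:0:0::/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/rootkit.so\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:8s}: {files}")
```

The trojaned `ls` keeps its size, so a size/mtime-only check would miss it; only the hash exposes it. In a real deployment the baseline itself must be stored where a root-level intruder cannot rewrite it (read-only media or a remote collector), which is the reason the slides' disadvantages list "vulnerable to direct attacks and attacks against the host OS".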

56 Types of IDS: HIDS. Example: Symantec Endpoint Protection (figure).

57 Types of IDS: HIDS. Advantages of Host-Based IDS: 1) Can detect events on host systems and attacks that might evade a NIDS: a single malicious packet hidden in a stream of traffic may be hard to spot; the intent becomes clear only when the packet's content is executed. 2) Encrypted traffic is decrypted on the host and available for processing. 3) Can compare audit logs to detect inconsistencies in how applications and programs are used: useful in the detection of less aggressive/obvious intrusions; useful in the detection of (e.g.) bot/virus infections, where the victim machine starts generating a larger than usual volume of legitimate-looking packets.

58 Types of IDS: HIDS Disadvantages of Host-Based IDS 1) More sensors & more management issues. an agent needs to be configured and managed on each monitored host 2) Vulnerable to direct attacks and attacks against host OS. 3) Not aware of subtle attacks that span multiple devices in the network. e.g. cannot detect IP sweeps across parts of the network 4) Could reduce host s system performance below acceptable levels. 58

59 Types of IDS: NIDS. Network-Based IDS (NIDS): comprises a number of passive (or inline) sensors placed at critical locations in the network & a command console; sensors monitor the passing traffic on their network segment, looking for indications of an ongoing attack, e.g. a large volume of related traffic indicating a DDoS, or an exchange of related packets in a certain pattern, e.g. an IP sweep or port scan; the command console and the primary management & analysis software are often installed on a dedicated computer.

60 Types of IDS: NIDS (cont.) Network-Based IDS (NIDS) cont. information monitored/gathered by NIDS packet protocol type (network, transport, application) source/destination IP addresses/ports connection or session IDs state-related information size of transmission in bytes timestamps. 60

61 Types of IDS: NIDS (cont.) Sensor behind firewall, in DMZ: 1) Sees attacks that originate from outside. 2) Sees attacks that might target the Web or FTP server. 3) By observing outgoing traffic, possible to recognize that a server has been compromised. Sensor on critical subnet: 1) Detects attacks targeting critical systems. 2) Allows organizations with limited resources to focus resources on network assets of greatest value. Sensor on major LAN backbone: 1) Monitors large amount of traffic thus increasing chances of spotting an attack. 2) Detect unauthorized activity by authorized users. 61

62 Types of IDS: NIDS (cont.) Advantages of Network-Based IDS 1) Good network design & placement of NIDS sensors can enable organization to use few devices to monitor entire (large) network. 2) In most cases, NIDS sensors are passive devices and cause little to no disruption to normal network operation. 3) NIDS are not usually susceptible to direct attacks & may not be detectable by attackers. 62

63 Types of IDS: NIDS (cont.) Disadvantages of Network-Based IDS: 1) Can be overwhelmed by network volume and fail to recognize attacks. 2) Cannot analyze encrypted packets. 3) Cannot reliably ascertain whether an attack was successful or not. 4) Might not be able to detect attacks involving fragmented packets (more on slide 75).

64 Types of IDS: NIDS (cont.) Example: Misuse/Signature vs. Anomaly NIDS. Which of the two approaches would be more suitable when building a NIDS for the following types of attacks?
network-layer reconnaissance & attacks: misuse (look for packets that carry certain protocols, e.g. ICMP);
transport-layer reconnaissance & attacks: misuse (look for packets that carry certain content, e.g. a TCP SYN flood);
application-layer reconnaissance & attacks: misuse (scan for certain ports and services);
DoS attacks: anomaly.

65 Types of IDS: NIDS (cont.) Example: NIDS software Free: Snort! Not Free: Shadow Dragon NFR RealSecure NetProwler 65

66 Network Traffic Signatures. Network Traffic Signature: a set of characteristics, such as IP numbers and options, TCP flags and port numbers, used to define a type of network activity; some NIDS assemble a database of normal traffic signatures, while others assemble a database of well-known attack signatures. Signature Analysis: the process of analyzing a TCP/IP communication in order to determine whether it is legitimate or suspicious.

67 Network Traffic Signatures (cont.) Example: Norton/Symantec signature (figure).

68 Network Traffic Signatures (cont.) Categories of Suspicious Traffic (by where the suspicious content is placed): Bad Header Information: malformed data in the IP/TCP header can cause the end system to stall or crash (bad checksum, a missing fragment, ...). Suspicious Data Payload: most viruses and Trojans have a well-recognizable sequence of characters in the packet payload (e.g., ANA BILGI in the CyberEYE trojan).

69 Network Traffic Signatures (cont.) Categories of Suspicious Traffic (cont.) (by how many packets the suspicious content spans): Single-Packet (Atomic) Attack: a number of adversary activities can be accomplished by sending (and receiving) a single packet from client to host; example: an ICMP packet in an IP packet with IP option 7 (record route) reveals the IP addresses of the routers along the path into a network. Multiple-Packet (Composite) Attack: requires/uses a series of normal-looking packets to complete an attack; examples: DoS and DDoS attacks, port scans, IP scans, etc.

70 Network Traffic Signatures (cont.) Packet Sniffer software and hardware that monitors traffic going into or out of a network device; e.g. Snort Wireshark Tcpdump Snoop NetStumbler (wireless, ) 70

71 Network Traffic Signatures (cont.) Example: Signature of a Ping Sweep attack (scan all machines in a network) (figure; source: Guide to Network Defense and Countermeasures, 3rd Edition, Weaver).

72 Network Traffic Signatures (cont.) Example: Signature of a Port Scan attack (figure).

73 Network Traffic Signatures (cont.) Example: Signature of a Random Back Door Scan. In a Random Back Door scan (a variant of the Port Scan), the attacker probes a computer to see whether any of the ports used by well-known Trojan programs are open and listening.
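Detection logic for the three multi-packet signatures illustrated on the preceding slides (ping sweep, port scan, random back-door scan), run over a constructed packet log. This is an example added to the transcription, not code from the slides or the cited Weaver text; the thresholds, the time window and the trojan-port list are assumptions of this example.

```python
"""Ping-sweep, port-scan and back-door-scan signatures over a packet log.
Added example; the log, thresholds and trojan-port list are constructed."""
from collections import defaultdict

# Ports historically used by well-known Windows trojans (assumed list for the
# example): Back Orifice 31337, NetBus 12345/12346, SubSeven 1243/27374.
TROJAN_PORTS = {31337, 12345, 12346, 1243, 27374}

# Constructed log records: (time_s, src, dst, proto, dport)
LOG = (
    # 10.0.0.5 pings hosts 192.168.1.1-12 within about a second: ping sweep
    [(0.1 * i, "10.0.0.5", f"192.168.1.{i}", "icmp", None) for i in range(1, 13)]
    # 10.0.0.7 walks ten service ports on one host: port scan
    + [(5.0 + 0.1 * i, "10.0.0.7", "192.168.1.10", "tcp", p)
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 143, 443])]
    # 10.0.0.9 tries three trojan ports on one host: back-door scan
    + [(9.0, "10.0.0.9", "192.168.1.20", "tcp", 31337),
       (9.1, "10.0.0.9", "192.168.1.20", "tcp", 12345),
       (9.2, "10.0.0.9", "192.168.1.20", "tcp", 27374)]
    # ordinary web traffic from a client
    + [(20.0, "10.0.0.50", "192.168.1.30", "tcp", 80),
       (20.5, "10.0.0.50", "192.168.1.30", "tcp", 443)]
)


def detect_scans(log, window=10.0, sweep_hosts=8, scan_ports=8, backdoor_ports=2):
    """Bucket packets per (source, time window) and count distinct targets.
    Returns a sorted list of (alert, source) pairs. A fixed bucket is the
    simplest stateful matcher; a sliding window would catch scans that
    straddle a bucket boundary."""
    icmp_targets = defaultdict(set)   # (src, bucket) -> hosts pinged
    tcp_targets = defaultdict(set)    # (src, bucket) -> (host, port) pairs
    trojan_hits = defaultdict(set)    # (src, bucket) -> trojan ports probed
    for t, src, dst, proto, dport in log:
        key = (src, int(t // window))
        if proto == "icmp":
            icmp_targets[key].add(dst)
        elif proto == "tcp":
            tcp_targets[key].add((dst, dport))
            if dport in TROJAN_PORTS:
                trojan_hits[key].add(dport)

    alerts = set()
    for (src, _), hosts in icmp_targets.items():
        if len(hosts) >= sweep_hosts:
            alerts.add(("PING_SWEEP", src))
    for (src, _), pairs in tcp_targets.items():
        ports_by_host = defaultdict(set)
        for dst, port in pairs:
            ports_by_host[dst].add(port)
        if any(len(ports) >= scan_ports for ports in ports_by_host.values()):
            alerts.add(("PORT_SCAN", src))
    for (src, _), ports in trojan_hits.items():
        if len(ports) >= backdoor_ports:
            alerts.add(("BACKDOOR_SCAN", src))
    return sorted(alerts)


if __name__ == "__main__":
    for alert, src in detect_scans(LOG):
        print(f"{alert:14s} from {src}")
```

The back-door scan fires on three packets because the ports themselves are the signature; the generic port-scan rule needs many more probes before it triggers, which is why the two are kept as separate signatures.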

74 Network Traffic Signatures (cont.) Example: Signature of a Random Back Door scan (cont.) (figure).

75 Eluding Network IDS. Fragroute: a packet-shaping tool that intercepts, modifies and rewrites egress traffic destined for a specific host; features a simple ruleset language to perform the following operations on packets destined for a particular host: delay, duplicate, drop, fragment, overlap, reorder, segment, source-route.

76 Eluding Network IDS (cont.) Example: Fragroute code & output (figure).

77 Eluding Network IDS (cont.) Fragroute Lessons: most NIDS are pattern-based and look for a specific combination of flags in a header or a set pattern in a payload; however, what the NIDS sees may not be what the end system gets; it is critical that the NIDS performs full reassembly of the monitored packets, and does so the way the target host would.
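The Fragroute lesson on constructed TCP segments: a payload split into small segments (Fragroute's "segment" operation) defeats per-packet matching, and a junk segment sent for the same sequence range (its "overlap" operation) makes the reassembled stream depend on which copy the reassembler keeps. This is an example added to the transcription; it is not Fragroute's code, simulates only those two operations, and the sequence numbers, payload and signature are made up.

```python
"""Segment splitting and overlap ambiguity against a signature-matching NIDS.
Added example; not Fragroute. All segments are constructed."""

SIGNATURE = b"/bin/sh"


def segment(seq, payload, size):
    """Fragroute 'segment': split a payload into size-byte TCP segments."""
    return [(seq + i, payload[i:i + size]) for i in range(0, len(payload), size)]


def evasion_stream(seq=1000, payload=b"cmd=/bin/sh", size=4):
    """Attacker's wire order: a junk segment overlapping the sensitive bytes is
    sent first, then the real payload in small pieces (Fragroute 'overlap')."""
    real = segment(seq, payload, size)             # (1000,'cmd='), (1004,'/bin'), (1008,'/sh')
    chaff = (seq + 4, b"X" * (len(payload) - 4))   # covers 1004..1010 with garbage
    return [chaff] + real


def per_packet_match(segments, sig=SIGNATURE):
    """A stateless NIDS: look for the signature inside each segment on its own."""
    return any(sig in data for _, data in segments)


def reassemble(segments, policy):
    """Rebuild the byte stream. policy='first' keeps the first copy seen for an
    offset; policy='last' lets later data overwrite it. Real TCP stacks differ
    on which they do, and that difference is exactly what Fragroute exploits."""
    stream = {}
    for seq, data in segments:
        for i, b in enumerate(data):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
    return bytes(stream[k] for k in sorted(stream))


def stream_match(segments, policy, sig=SIGNATURE):
    """A reassembling NIDS, parameterized by the policy it assumes for the target."""
    return sig in reassemble(segments, policy)


if __name__ == "__main__":
    segs = evasion_stream()
    print("per-packet match:", per_packet_match(segs))
    for pol in ("first", "last"):
        print(f"{pol:5s} policy -> {reassemble(segs, pol)!r}, match={stream_match(segs, pol)}")
```

If the sensor assumes "first" and the victim applies "last", the sensor sees `cmd=XXXXXXX` while the host executes `cmd=/bin/sh`; the fix in real sensors is target-based reassembly, i.e. modelling the host's own policy rather than a single global one.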

78 Hybrid IDS. Hybrid IDS: combines features of HIDSs & NIDSs to gain flexibility and increase security. Advantage: monitor the network as a whole with NIDS sensors, and monitor attacks on each individual computer with HIDS sensors; the two systems complement each other well. Disadvantage: complications in getting the various components to work together; data gathered from the two systems can be difficult to absorb and analyze.

79 Hybrid IDS (cont.) Example: Centralized Hybrid IDS Advantages: Lower Cost and Better Control There is only one management system, and all reports appear at one location easier to recognize network-wide (largescale) attacks. 79

80 Hybrid IDS (cont.) Example: Fully Distributed Hybrid IDS Advantages: Real-Time Response Since IDPS does not have to wait for a response from a centralized control facility, reaction to attacks is greatly speeded up. 80

81 Hybrid IDS (cont.) Example: Partially Distributed Hybrid IDS Advantages: Best of Both Worlds Individual agents can respond to local threats in real-time, while reporting to a central facility enables detection of widespread attacks. 81

82 Choosing the Right IDPS Product. Questions to Consider When Choosing an IDS Product: 1) Is the product sufficiently scalable for your environment? Some IDSs cannot function in large or widely distributed enterprise networks. 2) What user level of expertise is targeted by the product? Different IDS vendors target users with different levels of technical and security expertise. 3) What are the support provisions for the product? Is technical support included? What is the cost? Are subscriptions to signature & software updates included? How quickly after a new attack is made public will the vendor ship a new signature? How quickly will software updates & patches be issued after a problem is reported to the vendor?

83 Snort: NIDS Tool

84 Snort: NIDS tool. Snort: a free and open-source NIDS tool, created by M. Roesch in 1998 and now developed by Sourcefire; in 2009, Snort was entered into InfoWorld's Open Source Hall of Fame as one of the greatest open-source software packages of all time; easily deployed on most nodes of a network (host, server, router); efficient operation that uses a small amount of memory and processor time; easily configured by system administrators who need to implement a specific security solution in a short amount of time.

85 Snort: NIDS tool (cont.) Snort Architecture: Snort consists of 4 logical components: packet decoder: captures each passing packet & identifies/isolates the packet headers; detection engine: analyzes packets based on a set of rules defined by the security administrator; logger: stores selected packets in human-readable or binary format for later analysis; alerter: sends event notifications for selected packets.

86 Snort: NIDS tool (cont.) Snort Mode of Operation: Snort can be used in 3 different modes. Basic Packet Sniffer / Logger: reads network packets and displays them on the console, or logs them in a file. Network Intrusion Detection Sensor: implemented as a passive sensor; monitors network traffic and analyzes it against a ruleset defined by the user; may or may not log packets, may or may not generate alert messages. Network Intrusion Prevention Sensor: implemented as an inline sensor; can monitor & log, but also block packets.

87 Snort: NIDS tool (cont.) Snort Interface: Snort does not have its own GUI to display alerts, but many complementary tools exist, e.g. IDScenter (Windows), BASE (Linux).

88 Snort: NIDS tool (cont.) Snort is intended for installation on a computer positioned at the network perimeter, though it can also function on a dedicated computer on a home or small business network. Snort comes with an extensive set of preconfigured rules; rule files are text-based and written in a simple description language; rule files are easy to edit and customize.

89 Snort: NIDS tool (cont.) Snort Rules = rule header + rule options. Important!!! The options must end with ; Example (the Snort manual's own): alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";) where the part before the parentheses is the header and the part inside them the options. The rule header consists of: rule action: defines what to do in case a packet with all the attributes indicated in the rule shows up; available actions: alert, log, pass, and, in inline mode only, drop, reject, sdrop.

90 Snort: NIDS tool (cont.) Computer Security, 2 nd Edition, Stallings, pp

91 Snort: NIDS tool (cont.) Snort Rules = rule header + rule options. alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";) The rule header further consists of: protocol: Snort supports IP, TCP, UDP & ICMP; source and destination address: you can use the word any to specify any IP address, and negation (!X) to specify any IP address except X; source and destination port: port numbers can be defined in a number of ways, including a specific port, any port, port ranges and negation; direction operator (-> or <>): indicates the orientation/direction of the traffic that the rule applies to; <> matches both directions, and there is no <- operator in Snort.

92 Snort: NIDS tool (cont.) Snort Rules = rule header + rule options. alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";) Rule options: define more precisely what needs to be done upon detection of a particular packet; they are enclosed in parentheses and separated by a semicolon and a blank space. The major categories of rule options are: meta-data: provide information about the rule; payload: look for data inside the packet payload; non-payload: look for non-payload data; post-detection: rule-specific triggers that happen after a rule has matched a packet.

93 Snort: NIDS tool (cont.) Computer Security, 2 nd Edition, Stallings, pp

94 Snort: NIDS tool (cont.) Example: Snort rules in network /24 alert tcp / > any any \ (content: "confidential"; msg: "Detected confident.";) Generate an alert message whenever detecting a packet that has originated from an FTP server in the network /24, & contains the word confidential. alert icmp![ /24] any -> any any \ (ttl :> 100; msg: Ping with TTL>100";) Generate an alert message for all ping requests coming from outside of your network. alert tcp /24 any ->![ /24] any \ (content: "GET"; msg: "GET matched";) Generate an alert message whenever detecting a HTTP request that is going to an address that is not a part of the given network. 94
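To make the rule anatomy from the preceding slides (header fields, the ';'-terminated options, negation and port ranges, and the three example rules) concrete, here is an added example that is not part of the original slides and not Snort's own code: a small Python parser and matcher for Snort-style rules. It assumes the constructed network 192.168.1.0/24 in place of the slides' network (the addresses did not survive transcription), implements only the header, the '->' and '<>' direction operators, and the three options the slides use (msg, content, ttl), and is run against constructed packets rather than captured traffic.

```python
"""Minimal Snort-style rule parser and matcher (added example, not Snort code).

Only the rule header and the msg/content/ttl options from the slides are implemented,
so rule structure can be checked and matched against constructed packets offline.
"""
import ipaddress
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}   # drop/reject/sdrop: inline only
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
# header: action proto src sport direction dst dport, then "(options)"; no spaces inside lists
HEADER_RE = re.compile(
    r"\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
# one option: keyword, optional ':' value (quoted or bare), always terminated by ';'
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def parse_options(text):
    """Split 'key:value; key:value;' into pairs; an option without ';' is rejected."""
    opts, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = OPTION_RE.match(text, pos)
        if not m:
            raise ValueError(f"malformed option (missing ';'?) near {text[pos:pos + 20]!r}")
        key, val = m.group(1), m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]                      # drop the surrounding quotes
        opts.append((key, val))
        pos = m.end()
    return opts


def parse_addr(spec):
    """'any', X, [X,Y] or negated !X / ![X,Y] -> (negated, list of networks or None)."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!").strip("[]")
    if spec == "any":
        return negated, None
    return negated, [ipaddress.ip_network(s, strict=False) for s in spec.split(",")]


def parse_port(spec):
    """'any', N, N:M, :M, N:, lists and negation -> (negated, list of (lo, hi) or None)."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!").strip("[]")
    if spec == "any":
        return negated, None
    ranges = []
    for item in spec.split(","):
        lo, sep, hi = item.partition(":")
        low = int(lo) if lo else 0
        high = int(hi) if hi else (65535 if sep else low)
        ranges.append((low, high))
    return negated, ranges


def _matches(parsed, value, contains):
    """Apply a parsed address/port spec; '!' inverts the result of the list test."""
    negated, items = parsed
    hit = True if items is None else any(contains(item, value) for item in items)
    return hit != negated


def parse_rule(text):
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("expected: action proto src sport dir dst dport (options)")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    if action not in ACTIONS or proto not in PROTOCOLS:
        raise ValueError(f"unknown action or protocol in {text!r}")
    return {"action": action, "proto": proto, "dir": direction,
            "src": parse_addr(src), "sport": parse_port(sport),
            "dst": parse_addr(dst), "dport": parse_port(dport),
            "options": parse_options(opts)}


def is_well_formed(text):
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def content_bytes(value):
    """content syntax: text with |hex bytes| blocks, e.g. "|00 01 86 a5|"."""
    parts = value.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))


def ttl_matches(spec, ttl):
    spec = spec.replace(" ", "")
    if spec[0] in "<>":
        return ttl > int(spec[1:]) if spec[0] == ">" else ttl < int(spec[1:])
    return ttl == int(spec.lstrip("="))


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport, ttl, payload (bytes)."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    s_ip, d_ip = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    in_net = lambda net, ip: ip in net
    in_range = lambda rng, port: rng[0] <= port <= rng[1]

    def ends_match(a_ip, a_port, b_ip, b_port):
        return (_matches(rule["src"], a_ip, in_net) and _matches(rule["sport"], a_port, in_range)
                and _matches(rule["dst"], b_ip, in_net) and _matches(rule["dport"], b_port, in_range))

    header_ok = ends_match(s_ip, pkt["sport"], d_ip, pkt["dport"])
    if rule["dir"] == "<>":          # bidirectional: either orientation satisfies the header
        header_ok = header_ok or ends_match(d_ip, pkt["dport"], s_ip, pkt["sport"])
    if not header_ok:
        return False
    for key, val in rule["options"]:   # payload (content) and non-payload (ttl) options
        if key == "content" and content_bytes(val) not in pkt["payload"]:
            return False
        if key == "ttl" and not ttl_matches(val, pkt["ttl"]):
            return False
    return True


def evaluate(rule_texts, pkt):
    """Return the msg of every rule that fires on the packet."""
    return [dict(r["options"]).get("msg", "<no msg>")
            for r in map(parse_rule, rule_texts) if rule_matches(r, pkt)]


# Constructed rules: 192.168.1.0/24 stands in for "your network" on the slides.
RULES = [
    'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)',
    'alert tcp 192.168.1.0/24 21 -> any any (content:"confidential"; msg:"Detected confident.";)',
    'alert icmp ![192.168.1.0/24] any -> any any (ttl:>100; msg:"Ping with TTL>100";)',
    'alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any (content:"GET"; msg:"GET matched";)',
]
# Constructed packets (not captured traffic) exercising each rule and one non-match each.
PACKETS = [
    dict(proto="tcp", src="10.0.0.5", sport=40000, dst="192.168.1.10", dport=111, ttl=64,
         payload=b"\x00\x01\x86\xa5\x00\x00\x00\x00"),
    dict(proto="tcp", src="192.168.1.10", sport=21, dst="10.0.0.5", dport=51000, ttl=64,
         payload=b"this report is confidential"),
    dict(proto="icmp", src="203.0.113.7", sport=0, dst="192.168.1.10", dport=0, ttl=128, payload=b""),
    dict(proto="icmp", src="192.168.1.3", sport=0, dst="192.168.1.10", dport=0, ttl=128, payload=b""),
    dict(proto="tcp", src="192.168.1.10", sport=50000, dst="93.184.216.34", dport=80, ttl=64,
         payload=b"GET / HTTP/1.1\r\n"),
    dict(proto="tcp", src="192.168.1.10", sport=50000, dst="192.168.1.20", dport=80, ttl=64,
         payload=b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(f'{pkt["src"]} -> {pkt["dst"]}: {evaluate(RULES, pkt)}')
```

Running the block prints which rule message fires for each constructed packet; the fourth and sixth packets fire nothing because the '!' negation on the source (ping from inside the network) and on the destination (GET to an internal host) excludes them. `is_well_formed` returns False for a rule whose last option lacks the trailing ';', which is the error the slide flags as "important".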


More information

Firewalls Overview and Best Practices. White Paper

Firewalls Overview and Best Practices. White Paper Firewalls Overview and Best Practices White Paper Copyright Decipher Information Systems, 2005. All rights reserved. The information in this publication is furnished for information use only, does not

More information

Network Security Management

Network Security Management Network Security Management TWNIC 2003 Objective Have an overview concept on network security management. Learn how to use NIDS and firewall technologies to secure our networks. 1 Outline Network Security

More information

Announcements. Lab 2 now on web site

Announcements. Lab 2 now on web site Lab 2 now on web site Announcements Next week my office hours moved to Monday 4:3pm This week office hours Wednesday 4:3pm as usual Weighting of papers for final discussion [discussion of listen] Bro:

More information

From Network Security To Content Filtering

From Network Security To Content Filtering Computer Fraud & Security, May 2007 page 1/10 From Network Security To Content Filtering Network security has evolved dramatically in the last few years not only for what concerns the tools at our disposals

More information

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1 Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology Project Proposal 1 Project Proposal 2 Abstract Honeypot systems are readily used by organizations large and

More information

Fuzzy Network Profiling for Intrusion Detection

Fuzzy Network Profiling for Intrusion Detection Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University

More information

Security Mgt. Tools and Subsystems

Security Mgt. Tools and Subsystems Security Mgt. Tools and Subsystems some attack and defense security tools at work Reconaissance Passive Active Penetration Classes of tools (network-bound) Passive Reconaissance Passively listen and analyze

More information

Network Intrusion Detection Systems. Beyond packet filtering

Network Intrusion Detection Systems. Beyond packet filtering Network Intrusion Detection Systems Beyond packet filtering Goal of NIDS Detect attacks as they happen: Real-time monitoring of networks Provide information about attacks that have succeeded: Forensic

More information

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How Network Security Is Breached Network Security Policy

More information