Intrusion Detection Systems

2009-03-04
Secure Computer Systems
Poia Samoudi Asli Davor Sutic
Contents

Intrusion Detection Systems
Contents
Abstract
Introduction
IDS importance
Trusting IDSs
Different types of IDSs
Host-Based IDSs
Application-Based IDSs
Network-Based IDSs
Where to put NIDS?
How does NIDS work?
Short Snort example
Conclusion
References

Abstract

The concept of security is often unfairly equated with attack prevention systems. It is important to know about the other two, sometimes overlooked, security aspects: attack detection and attack recovery. This paper reviews intrusion detection systems, which can help in both of these areas. After reading this paper, one should have a clear idea of what intrusion detection is and how it works, in principle.
Introduction

The goal of a security system is to stop malicious attacks. Attacks that are not prevented need to be detected. For this we have intrusion detection systems (IDSs). They are used to detect attacks by performing computer and network scans. Due to the increasing number of known attacks, especially network-based ones, intrusion detection systems have become an essential part of sustaining secure computer systems. In this document we give a general overview of IDSs, both their strengths and some of their weaknesses. We examine more closely an example of a network IDS, Snort. We hope that this paper will give you a concept of what an IDS is and why it is important.

IDS importance

Intrusions are malicious attacks made on computer or network systems that sidestep the security mechanisms in place. Attacks compromise the integrity, availability or confidentiality of a network or computer system. Attackers use vulnerabilities in order to bypass security and gain unauthorized access. Although the system administrator tries to tend to these flaws and vulnerabilities, some will often be overlooked due to the increasing number of new ones discovered every day.

What an IDS does is systematically monitor event changes in a computer or network system in order to analyze them for signs of intrusion. IDSs detect attacks that are not prevented by other security measures and alert the system administration about a breach in security. This gives the administrator an opportunity to address the attack before it causes any substantial damage.

Attackers often probe or examine systems or networks in an attempt to find vulnerabilities or to determine an attack strategy. A network system lacking an IDS gives an attacker the opportunity to investigate attack options without running a great risk of being discovered or hindered. IDSs detect not only successful but also failed attacks, by recognizing scan patterns when the attacker is investigating the system. More often than not, attackers who notice that their examining attempts have been discovered are discouraged from continuing their attack.

There are compelling arguments for using IDSs, especially in important network systems where an intrusion can cause financial losses. These systems provide information that can be used as evidence in a legal case or as data when conducting a security assessment analysis. Many argue that it is not a question of whether to use an IDS or not, but rather a question of what kind of IDS to use.
Trusting IDSs

As with any other security mechanism, an IDS has both strengths and weaknesses. These should give you a good guide to when an IDS should be utilized. By strengths we mean the tasks IDSs do well, and by weaknesses we mean tasks IDSs cannot perform.

Strengths (what an IDS can do):
- Monitor and analyze system events and user behaviors.
- Measure the performance of system security states over time and track any changes.
- Recognize patterns of self-inflicted intentional attacks.
- Recognize patterns of abnormal activities with the help of statistics.
- Manage OS audit and logging mechanisms and their generated data.
- Alert the correct user in the correct way when attacks are detected.
- Provide a default information security policy.
- Allow security monitoring functions to be performed by non-experts.

Weaknesses (what an IDS cannot do):
- Compensate for insufficient or missing security protection mechanisms such as firewalls, link encryption and authentication.
- Instantly detect, report or respond to attacks under heavy processing or network load.
- Investigate all attacks automatically without human interference.
- Resist custom-made attacks whose purpose is to defeat or evade the IDS.

Different types of IDSs

There are different types of IDSs, and they are commonly separated by the way they monitor and conduct analysis. However, they all share some common process characteristics that define IDSs. Consequently, they all have considerable advantages and disadvantages. Most IDSs can be described by three rudimentary process components: Information Sources, Analysis and Response.

Information Sources: the source of information about events that have transpired, used to determine whether an intrusion has been made. Logs, system state and network traffic can be information sources.

Analysis: the actual analysis of the data provided by the information sources in order to determine if an intrusion is taking place or has taken place.

Response: the actions taken when an intrusion is established, often categorized as passive or active. Active responses are automated prevention actions, whilst passive responses are alerts informing the administrator of the intrusion so that they can handle the threat.

Different types of IDSs are grouped according to what kind of information source they use. Some get information from analyzing network packets, others by performing system scans and reading logs.

Host-Based IDSs

A Host-Based IDS or HIDS uses an individual computer system as its information source. Because a HIDS has access to system processes, it can analyze the system with great precision and even foretell the outcomes of attempted attacks. It can also directly monitor system files. The information sources used are OS audit trails and system logs.

Advantages of HIDSs are that they can, unlike Network-based IDSs, detect local attacks. Because HIDSs operate on OS audit trails, they can help detect attacks from Trojans and other software-based attacks. Another advantage is that they can operate where a Network-based IDS can't, because network traffic could be encrypted. Disadvantages of HIDSs are that they are harder to manage because of all the information that needs managing for every host. Furthermore, HIDSs require computing resources from the host, thus lowering the performance of other parts of the system.

Application-Based IDSs

Application-Based IDSs or AIDSs are a subset of HIDSs that operate on events occurring within specific software. They often use application transcript logs as information sources.
AIDSs are primarily used to detect suspicious behavior amongst authorized users in some applications. For example, an AIDS can report frequent or suspicious modifications in an important database. An AIDS can often function within encrypted environments. Disadvantages of AIDSs are that their information source, application logs, is sometimes badly protected and susceptible to attacks. An AIDS can't usually detect Trojans or other software attacks, and it is recommended that it be used in combination with a HIDS.

Network-Based IDSs

Network-Based IDSs or NIDSs are the most popular IDSs, and a majority of commercial IDSs are network-based. NIDSs use network packets as information sources, and by listening on a network segment one NIDS can monitor several hosts. An advantage of using a NIDS is that a smartly placed NIDS can monitor a large network on its own. Because NIDSs commonly just listen to network traffic (e.g. with taps, as described later), they can be fitted into a preexisting network with minimal interference. Because they are hidden, they are harder to attack. Disadvantages of NIDSs are that they may have difficulties monitoring all packets in a large and very busy network and may not detect an attack made during busy periods. Another significant disadvantage of NIDSs is that they cannot analyze encrypted information. A NIDS sometimes can't tell whether or not an attack was successful, but only that it was initiated. In these cases, the attack has to be investigated by the system administrator.

In the next chapters we look in more detail at one example of a network intrusion detection system (NIDS). We aim to show by example how such a system might be set up, so that the reader becomes familiar with the basic principles. We do this using Snort, an open source NIDS and presently the most popular one.

Where to put NIDS?

The first basic principle is that a NIDS needs to monitor all network traffic. This is relatively easy to ensure when dealing with only one computer, but when working with bigger networks it becomes easy to forget. There, we do not install the system on every computer, but prefer to have one central NIDS that monitors all traffic.
This way, updates and control are easier, but the bottleneck effect must be avoided. There are three basic ways in which a NIDS can be deployed in a computer network.

The first is with a hub. Although hubs are more and more out of use, it is fair to mention them for completeness of this overview. With hubs there should be no problems, because hubs send the data they receive to all ports: simply connect the NIDS to one of the hub ports.

With a switch the situation is different, because a switch sends a data packet only to the intended recipient's port. When presented with a switch, look for a SPAN (Switch Port Analyzer) port. This port is intended for network analysis, and all data that comes to the switch will be sent to this port [4]. The drawback of this method is that the SPAN port easily gets overloaded.

The final solution is to use taps (it is sometimes mentioned that tap stands for Test Access Port). A network tap is a simple device used to mirror the network traffic; its structure is shown in the figure below. Everything that goes through the network cable is also sent to a secondary tap output, where the NIDS can be connected.

Figure 1. Connecting NIDS to network using taps

How does NIDS work?

The basic principle of a NIDS is to take every network packet and compare it to its list of rules. If one or many packets meet a rule, take the appropriate action: alert the user, log it, send an e-mail. When the network has a high bandwidth, examining all packets in real time can be a very complex task. Let's look at Snort for further explanation.

Figure 2. Snort structure

The packet decoder modifies packets from different network interfaces for preprocessor use. The preprocessor translates the packets to a form suitable for further analysis. Here are two example functions:

- Bigger data traveling through the network is split into smaller packets (the standard being 1500 bytes). The preprocessor reunites these packets for further analysis.
- URI decoding: when accessing a server or a file there is more than one way in which the URI can be written (e.g. using UTF-8). When analyzing traffic, Snort wants to detect these accesses and therefore translates them into a unique (canonical) representation.

The detection engine must be both reliable and fast. There are two kinds of mistakes that the system can make: false negatives, where the system missed the threat, and false positives, where the system reported a threat where there really is none. False positives mean more alerts than necessary, while false negatives mean that the system could be compromised while Snort is unaware. The latter is worse than the former. Snort's creator speaks about this [6], saying that both of these mistakes are almost always due to improper user configuration. This is a good example of usability versus complexity in security, where complex systems with lots of security options can end up being unsafe. Efforts are made to make Snort self-configurable.

To do its job properly, the detection engine must match the rules in its database against each packet. With a big number of rules, pruning has to be applied to manage the task quickly. Snort has its rules divided into logical sets, so that not all rules are applied to all packets. Rules are sorted by priority so that more important rules get tested first: when a match is achieved there might be no use in further checking. At other times, depending on the rules, it might be important to know all the rules that apply to the packet, so checking is continued even after a hit.
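The following is an added illustration of the preprocessor's role described above (example code written for this page, not Snort's own implementation): a content string compared against the raw request URI misses equivalent percent-encoded spellings, a false negative in the text's terms, while the same comparison after canonicalization catches them. The rule content and request URIs are constructed.

```python
from urllib.parse import unquote

# Constructed rule content and request URIs for illustration; not taken from Snort's rule set.
RULE_CONTENT = "/cgi-bin/admin"
SAMPLE_URIS = ["/cgi-bin/admin", "/cgi-bin/%61dmin", "/cgi%2Dbin/%2561dmin"]

def canonicalize_uri(uri, max_rounds=3):
    """Percent-decode until the string stops changing (bounded by max_rounds), so that
    equivalent spellings of one path compare equal. This stands in for the normalization
    step the paper assigns to the preprocessor, before the detection engine sees the data."""
    current = uri
    for _ in range(max_rounds):
        decoded = unquote(current, encoding="utf-8", errors="replace")
        if decoded == current:
            break
        current = decoded
    return current

def detect(content, uris, preprocess):
    """Return the URIs a plain content match flags, with or without canonicalization first."""
    return [u for u in uris if content in (canonicalize_uri(u) if preprocess else u)]
```

Without preprocessing only the literal spelling is flagged; with it, all three requests for the same path are.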
The goal of the alert system is to manage all alerts: the user can choose to log them to a database, see a printed warning or receive an e-mail.
Short Snort example

Before using Snort, you should get a list of network interfaces. To get the interface list, run:

snort -W

Snort can work in several basic modes:

1) As a sniffer, Snort simply reads the packets from the network and displays them on the screen:

snort -i2 -v

Here -i2 stands for network interface number 2.

2) In packet logger mode, Snort works similarly to sniffer mode, logging the packets into a file in the specified directory:

snort -vde -i2 -l ../log

To read the file, assuming that Snort created the file snort.log.1236114176, use:

snort -v -r ../log/snort.log.1236114176

3) NIDS mode is the most complex and useful Snort mode. Here we show how to form a simple rule for this mode:

alert tcp any any -> 192.168.3.0/24 789 (content:"|00 01 86 a5|"; msg:"bad packet here";)

Snort rules are divided into two parts: header and body. The header gives such basic rule properties as the network protocol, the source and destination IP addresses with network masks, and the ports. The appropriate action is also specified. The body is enclosed in the parentheses and defines further properties a packet must have in order for the rule to apply.

The first header field specifies the action Snort will take if the rule applies. This can be, among others, alert, log or dump. After this we specify the protocol: TCP, UDP or ICMP. Next we specify the source and destination IP addresses in CIDR format (IP address/mask) and the ports. Here all traffic from any port to a computer in the IP range 192.168.3.0/24 on port 789 is subject to this rule.

The body of the rule consists of three parts: in the first part we state the general rule information. The second part is subrules that concern the packet header. The third and final part is subrules about the packet body. In our example, if the packet body contains the bytes 00 01 86 a5, the message "bad packet here" is reported. This example demonstrates that creating Snort rules is not hard, and that the user can, with a little documentation reading, create his own rules.

Usually, rules for a variety of threats are downloaded manually from the Snort website, or automatically using a Perl script named Oinkmaster.
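To make the header/body split concrete, here is an added toy matcher (example code written for this page, not Snort's engine) that parses the rule above into its header fields and content bytes and checks decoded packets against it, with CIDR and "any" handling for the address and port fields. The packets are constructed, and only the rule syntax shown in this paper is supported.

```python
import ipaddress
import re
# Constructed sample rule in the form discussed above (hex content between pipes).
RULE = 'alert tcp any any -> 192.168.3.0/24 789 (content:"|00 01 86 a5|"; msg:"bad packet here";)'
# Header: action proto src sport -> dst dport, followed by the body in parentheses.
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_rule(text):
    """Split a Snort-style rule into header fields and body options; hex content becomes bytes."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unrecognized rule syntax")
    action, proto, src, sport, dst, dport, body = m.groups()
    options = {}
    for opt in (o.strip() for o in body.split(";")):
        if opt:
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')
    content = options.get("content", "")
    if content.startswith("|") and content.endswith("|"):
        pattern = bytes.fromhex(content.strip("|"))   # fromhex ignores the spaces
    else:
        pattern = content.encode()
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "content": pattern, "msg": options.get("msg", "")}

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    return spec == "any" or int(spec) == port

def match(rule, pkt):
    """Return the rule's msg when header and body both apply to the decoded packet, else None."""
    header_ok = (pkt["proto"] == rule["proto"]
                 and addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])
                 and port_match(rule["sport"], pkt["sport"]) and port_match(rule["dport"], pkt["dport"]))
    if header_ok and rule["content"] in pkt["payload"]:
        return rule["msg"]
    return None

# Constructed decoded packets: only the first carries the flagged bytes to the watched subnet and port.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.3.17", "dport": 789, "payload": b"\x00\x01\x86\xa5\x00\x00"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.3.17", "dport": 789, "payload": b"GET / HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40002, "dst": "192.168.4.17", "dport": 789, "payload": b"\x00\x01\x86\xa5"},
]

def scan(rules, packets):
    """Run every rule over every packet, returning (packet index, msg) for each hit."""
    return [(i, msg) for i, p in enumerate(packets) for r in rules if (msg := match(r, p))]
```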
Conclusion

A good security system has three sides to it: threat prevention, detection and reaction. The latter two are often unfairly overlooked at management budget meetings because they are seemingly not needed until it's too late. Now you know what they do and why detection systems play an important role in overall security.

As we have seen with Snort, a good NIDS is like a Swiss army knife. It has lots of features and is definitely a very useful tool in security. This Swiss knife is also small, fast and modular, in that you can add your own tool to the toolbox. But how useful is it? That depends on the person using the knife. If you don't configure Snort or don't update the rules, then you can only hope that when the threat comes, you'll detect it. By reading the documentation, taking some effort to tailor the rules to your own needs and doing regular updates, you can count on your NIDS to be a valuable tool in your system security toolbox.

References

[1] Rebecca Bace & Peter Mell, NIST Special Publication on Intrusion Detection Systems, 2003, http://www.21cfrpart11.com/files/library/reg_guid_docs/nist_intrusiondetectionsys.pdf, accessed 2009-03-02
[2] Snort home page, http://www.snort.org, accessed 2009-03-02
[3] WinSnort, Windows IDS package based on Snort, http://www.winsnort.com/index.php, accessed 2009-03-03
[4] Cisco Catalyst Switched Port Analyzer (SPAN) Configuration Example, http://www.cisco.com/en/us/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml, accessed 2009-03-03
[5] Intrusion detection systems, network placing explanation, http://www.snort.org/docs/issplacement.pdf, accessed 2009-03-03
[6] Martin Roesch (Snort creator), The Story of Snort: Past, Present and Future, http://www.netsecurity.org/article.php?id=860, accessed 2009-03-03