Appendix A Examples of Commercial and Open Source IDSs

This appendix introduces some examples of commercial and open source IDSs that are available today. In particular, we briefly describe some typical open source systems, namely Bro, Snort, Prelude and Tamandua, together with two monitoring tools that are often deployed alongside an IDS, Ethereal and the Multi Router Traffic Grapher, and then give a collection of existing commercial IDS products. The commercial products are summarized in terms of the types of attack they cover, their detection approach and response type, and their strong features.

A.1 Bro Intrusion Detection System

Bro was developed by Vern Paxson of Lawrence Berkeley National Laboratory and the International Computer Science Institute. It is a Unix-based Network Intrusion Detection System (NIDS). Like Snort, another well-known public domain NIDS, Bro detects intrusion attempts by looking for particular patterns in network traffic, so both are commonly placed in the category of signature-based NIDS. Bro's detection logic, however, is written as policy scripts that run over protocol-level events, which lets it express stateful and policy checks as well as plain content signatures. Bro further distinguishes itself by its high-speed capture capability. To achieve real-time, high-volume intrusion detection, Bro captures each direction of a full-duplex link on a separate network interface. In addition, Bro provides a patched kernel for FreeBSD that reduces the CPU load of packet capture. With proper hardware and OS tuning, Bro is claimed to keep up with Gbps network speeds while performing real-time detection. (The project was renamed Zeek in 2018.) More information about the Bro intrusion detection system can be found at http://www.bro-ids.org/.

A.2 Prelude Intrusion Detection System

Prelude is a hybrid intrusion detection system distributed under the GNU General Public License and primarily developed under Linux; it also supports BSD and POSIX platforms. Prelude works at both the host and the network level, providing a more complete solution. It also has dedicated plugins that enable communication with several other well-known IDSs. The sensors send messages to a central unit (the Manager), which processes them and is responsible for event logging. Besides the Manager, Prelude includes a module that gives graphical feedback to the user. It relies on signature-based detection. Since Prelude analyzes user, system and network activities, it targets both host-based and network-based intrusions. More information about the Prelude intrusion detection system can be found at http://www.prelude-ids.com/.

A.3 Snort Intrusion Detection System

Snort is an open source intrusion detection system capable of packet logging, traffic analysis and signature-based intrusion detection. In addition to protocol analysis, Snort performs content matching on network packets, looking for patterns of known attacks and probes. Snort uses a flexible rule language that lets users describe the traffic that should be collected or passed, and its detection engine is built on a modular plug-in architecture. Snort's real-time alerting system can deliver alerts to syslog, to user-specified files, to UNIX sockets, or as WinPopup messages to Windows clients via Samba's SMB client. Snort runs on a variety of platforms: Linux (i386, Sparc, M68k/PPC, Alpha), OpenBSD (i386, Sparc, M68k/PPC), FreeBSD (i386), NetBSD (i386, M68k/PPC), Solaris (i386, Sparc), SunOS 4.1.X (Sparc), MacOS X Server (PPC) and Win32 (i386), to name a few. More information about the Snort intrusion detection system can be found at http://www.snort.org/.

A.4 Ethereal Application - Network Protocol Analyzer

Ethereal (renamed Wireshark in 2006) is a packet capture and network monitoring tool. It includes dissectors for protocols such as TCP, UDP, ICMP and ARP. The program is capable of near-real-time operation: it can refresh its packet list or re-sample automatically.
Some of its abilities include:

1. It provides a summary of the captured data.
2. It provides a list of the conversations carried over any of the selected protocols. For each conversation this list gives the source and destination, the direction of data transfer and the number of packets and bytes transferred in each direction (the "conversations" option).
3. It provides a list of endpoints with the overall number of packets and bytes seen, broken down into packets and bytes received and transmitted.

The user can enable or disable the protocols that are monitored, and filters can restrict which protocols are captured or displayed. Ethereal can also provide statistical information such as packet counts per protocol (HTTP, GSM, etc.).
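As an added example (this is not Ethereal's own code), the following Python script computes the conversation and endpoint statistics of items 2 and 3 from a libpcap capture file, the format Ethereal saves captures in. It parses the pcap file header and records, decodes the Ethernet, IPv4 and TCP/UDP headers, and tallies packets and bytes per direction. The capture bytes, addresses and ports are constructed inside the script; the conversation key and column names are this example's own choices.

```python
"""Conversation and endpoint statistics over a libpcap capture.

Added example; this is not Ethereal's code.  It parses the classic libpcap
file format, decodes Ethernet/IPv4/TCP/UDP headers, and computes the two
tables the text describes: per-conversation packets and bytes in each
direction, and per-endpoint totals.  The capture is constructed in this
file (build_pcap) so the example runs offline.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
ETH_IPV4 = b"\x08\x00"


def ipv4_frame(src, dst, proto, sport, dport, payload_len):
    """Ethernet + IPv4 + TCP(6)/UDP(17) frame with a zero payload (constructed data)."""
    if proto == 6:   # 20-byte TCP header: ports, seq, ack, offset, flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:            # 8-byte UDP header: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + payload_len, 1, 0, 64,
                     proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 6 + b"\x11" * 6 + ETH_IPV4 + ip + l4 + b"\x00" * payload_len


def build_pcap(packets):
    """Serialise (timestamp, frame) pairs into a pcap file image (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        out.append(struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000), len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (timestamp, frame) for each record; a truncated last record is simply cut short."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Return (src, dst, proto, sport, dport, length) or None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != ETH_IPV4:
        return None
    l4 = 14 + (frame[14] & 0x0F) * 4          # Ethernet header + IHL words
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport = dport = 0                         # 0 stands for "no port" (ICMP etc.)
    if proto in (6, 17) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return src, dst, proto, sport, dport, len(frame)


def statistics(data):
    """Ethereal-style 'conversations' and 'endpoints' tables for a pcap image."""
    conv = defaultdict(lambda: {"pkts_ab": 0, "bytes_ab": 0, "pkts_ba": 0, "bytes_ba": 0})
    ends = defaultdict(lambda: {"tx_pkts": 0, "tx_bytes": 0, "rx_pkts": 0, "rx_bytes": 0})
    for _ts, frame in read_pcap(data):
        d = decode(frame)
        if d is None:
            continue
        src, dst, proto, sport, dport, n = d
        a, b = (src, sport), (dst, dport)
        # canonical key so both directions of one flow land in the same row;
        # "ab" counts traffic from the lower endpoint (a) to the higher one (b)
        key, fwd = ((proto, a, b), True) if a <= b else ((proto, b, a), False)
        row = conv[key]
        row["pkts_ab" if fwd else "pkts_ba"] += 1
        row["bytes_ab" if fwd else "bytes_ba"] += n
        ends[src]["tx_pkts"] += 1
        ends[src]["tx_bytes"] += n
        ends[dst]["rx_pkts"] += 1
        ends[dst]["rx_bytes"] += n
    return dict(conv), dict(ends)


def render(conv, ends):
    """Plain-text version of both tables (the text export the GUI lacks)."""
    lines = ["proto  A                     B                     A->B pkts/bytes  B->A pkts/bytes"]
    for (proto, a, b), r in sorted(conv.items()):
        lines.append(f"{proto:<6} {a[0]}:{a[1]:<15} {b[0]}:{b[1]:<15} "
                     f"{r['pkts_ab']}/{r['bytes_ab']:<14} {r['pkts_ba']}/{r['bytes_ba']}")
    lines.append("endpoint        tx pkts/bytes   rx pkts/bytes")
    for ip, e in sorted(ends.items()):
        lines.append(f"{ip:<15} {e['tx_pkts']}/{e['tx_bytes']:<13} {e['rx_pkts']}/{e['rx_bytes']}")
    return "\n".join(lines)


# Constructed capture: a small HTTP exchange between two internal hosts and one DNS query.
SAMPLE_CAPTURE = build_pcap(
    [(1.0 + i * 0.01, ipv4_frame("10.0.0.5", "10.0.0.9", 6, 40000, 80, 100)) for i in range(3)]
    + [(1.1 + i * 0.01, ipv4_frame("10.0.0.9", "10.0.0.5", 6, 80, 40000, 500)) for i in range(2)]
    + [(1.2, ipv4_frame("10.0.0.5", "10.0.0.1", 17, 53000, 53, 40))]
)

if __name__ == "__main__":
    print(render(*statistics(SAMPLE_CAPTURE)))
```

Because the script reads the binary pcap format directly, it also shows the way around the missing text export noted later in this section: any language with a struct-unpacking facility can consume Ethereal's saved captures, and render() turns the result into a text table that other programs can parse.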
As an example of such per-protocol statistics, it can report the number of packets of each DHCP message type (Inform, ACK, Request and Offer). The main packet-list view, which operates in near real time, has the following columns: item (transaction) number, time, source address (IP), destination address (IP), protocol and info. The Info column is the most interesting one: it describes the purpose of each packet in plain language. A second pane below the packet list shows, for the selected packet, the decoded frame and protocol headers (for example the Address Resolution Protocol fields of an ARP packet). A third pane below these two shows the raw bytes of whatever is selected in either of the panes above.

One issue with this application is the way it saves captured data. Captures can be filtered by protocol and saved in several capture-file formats, which eases handing them to other applications that process this type of data; the drawback is that there is no plain-text option for saving the data, so a programmer who wants to use the captured information in their own program must parse the binary capture format (or use a library that does). The program can also plot a graph of the network traffic for selected protocols; with the filtering feature, different protocols can be selected for plotting. More information about Ethereal can be found at http://www.ethereal.com/.

A.5 Multi Router Traffic Grapher (MRTG)

The Multi Router Traffic Grapher (MRTG) is a free (GPL-licensed) tool for monitoring network traffic variables. It generates HTML pages containing graphical images in PNG format.
Although it can be used to monitor any continuously varying quantity, its main application is to provide a live visual representation of the traffic on network links. MRTG draws graphs of the traffic seen during:

- the last 24 hours,
- the last seven days,
- the last five weeks, and
- the last twelve months.

To generate these graphs, MRTG keeps a log of the data it collects. To keep this log from growing over time, it automatically consolidates older entries into coarser intervals while retaining the data needed for the graphs above for all traffic monitored over the last two years. The MRTG site claims that this operation is efficient enough that 200 or more network links (or other network and computer variables) can be monitored from an ordinary UNIX computer. Any SNMP variable can be monitored with MRTG, but its use is not limited to SNMP or to network traffic: an external program can be used to gather whatever data should be monitored. MRTG has been used for monitoring variables such as system load, login sessions, modem availability and more, and it allows two or more data sources to be combined into a single graph. More information about MRTG can be found at http://oss.oetiker.ch/mrtg/.

A.6 Tamandua Network Intrusion Detection System

Tamandua is an open source, lightweight, signature-based, distributed network intrusion detection system created by Tamandua Laboratories, Brazil. The design consists of a central console and distributed sensors. It has a long list of features that make it attractive:

- It supports defragmentation and reassembly of packets, so it can analyze fragmentation attacks carried out with tools such as fragroute.
- Its Multi-Layer Boolean mechanism allows rules to be arranged in the order in which they should be examined.
- Signatures are written in a rich instruction set, a language of opcodes that can specify header fields and offers powerful data inspection options.
- Portions of the payload can be logged for handling legal issues.
- An experimental response system currently offers two options: an IP address can be placed under firewall quarantine for a given amount of time, or the network connection can be reset.
- Separate sets of signatures, each called a sensor profile, can be created to match the varying requirements of different sensors.
- A snrt2tamandua command converts a Snort *.rule file into a set of Tamandua *.trs files containing one signature each.
- It functions well on networks with a small MTU.

Despite all of these features, it is not very popular (considering that its first release came in 1997), probably because it lacks comprehensive documentation: there are no man pages, and only a brief user manual describes installation and use in a non-comprehensive manner.
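The log consolidation that MRTG uses to keep its log bounded (A.5 above) is easier to see in code. The following is an added example, not MRTG's own implementation: it keeps four tiers of buckets, folds rows that age out of one tier into the next, and keeps the maximum next to the average so that a short burst (the kind of traffic surge that would send an IDS operator to these graphs in the first place) stays visible after consolidation. The tier sizes 600/600/600/732 follow MRTG's documented log layout as an assumption of this example; the samples are constructed and assumed to arrive in time order.

```python
"""Bounded, tiered (round-robin) log consolidation in the style of MRTG.

Added example, not MRTG's own code.  Samples go into 5-minute buckets;
buckets that fall off the end of one tier are folded into the next tier
(30-minute, 2-hour, 1-day), keeping the average and the maximum, so the
log never exceeds a fixed number of rows while the recent past stays
fine-grained.  Tier sizes of 600/600/600/732 rows follow MRTG's documented
log layout as an assumption of this example; samples are assumed to arrive
in time order and are constructed in demo().
"""
from collections import OrderedDict

TIERS = [(300, 600), (1800, 600), (7200, 600), (86400, 732)]   # (bucket seconds, rows kept)


class TieredLog:
    def __init__(self, tiers=TIERS):
        self.tiers = tiers
        # per tier: bucket_start -> [sum_in, sum_out, samples, max_in, max_out]
        self.rows = [OrderedDict() for _ in tiers]

    def add(self, ts, rate_in, rate_out):
        """Record one sample (e.g. bytes/s derived from an SNMP octet-counter delta)."""
        self._fold(0, ts, rate_in, rate_out, 1, rate_in, rate_out)
        for level in range(len(self.tiers)):
            self._trim(level)

    def _fold(self, level, start, sum_in, sum_out, n, max_in, max_out):
        interval = self.tiers[level][0]
        key = start - start % interval                 # align to this tier's bucket
        acc = self.rows[level].setdefault(key, [0.0, 0.0, 0, 0.0, 0.0])
        acc[0] += sum_in
        acc[1] += sum_out
        acc[2] += n
        acc[3] = max(acc[3], max_in)
        acc[4] = max(acc[4], max_out)

    def _trim(self, level):
        capacity = self.tiers[level][1]
        rows = self.rows[level]
        while len(rows) > capacity:
            key, (si, so, n, mi, mo) = rows.popitem(last=False)   # oldest bucket
            if level + 1 < len(self.tiers):
                self._fold(level + 1, key, si, so, n, mi, mo)
            # past the last tier the data is older than the log retains: dropped

    def view(self, level):
        """One tier as (bucket_start, avg_in, avg_out, max_in, max_out) rows."""
        return [(k, si / n, so / n, mi, mo)
                for k, (si, so, n, mi, mo) in self.rows[level].items()]

    def total_rows(self):
        return sum(len(r) for r in self.rows)

    def bursts(self, level, factor=3.0):
        """Bucket starts whose peak inbound rate exceeds factor x the bucket average.

        Consolidation keeps the maximum next to the average precisely so that a
        short flood is still visible after its 5-minute rows have been folded.
        """
        return [k for k, avg_in, _, max_in, _ in self.view(level) if max_in > factor * avg_in]


def demo():
    """Three days of 5-minute samples at 1000 B/s inbound, with one 9000 B/s spike at t=1200."""
    log = TieredLog()
    for i in range(864):
        ts = i * 300
        log.add(ts, 9000.0 if ts == 1200 else 1000.0, 500.0)
    return log


if __name__ == "__main__":
    log = demo()
    print("rows kept:", log.total_rows(), "for 864 samples")
    print("5-minute tier starts at t =", log.view(0)[0][0])
    print("30-minute buckets with a burst:", log.bursts(1))
```

After three days of samples the 5-minute tier holds the most recent 600 rows and the 264 oldest rows have been folded into 44 half-hour rows, so the whole log is 644 rows rather than 864; the spike, now averaged into a 2333 B/s half-hour bucket, is still flagged by bursts() through its retained maximum.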
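Both the Snort rule language (A.3) and the snrt2tamandua conversion just described work on the same unit: a single signature written as one Snort rule. The following added example (not Snort's code and not the converter) splits a rule file into one signature per unit, parses the header and the msg, content, nocase, offset, depth and sid options, resolves $HOME_NET and $EXTERNAL_NET from a constructed variable table, and reports which rules fire on constructed packets. The rules, variable values and packets are all constructed for the example, and the option subset and matching semantics are this example's reading of the Snort syntax rather than a full implementation.

```python
"""Parse rules in Snort's syntax and test packets against them.

Added example; neither Snort's code nor the snrt2tamandua tool.  It covers the
subset of the rule language the text describes (header plus msg, content,
nocase, offset, depth and sid), resolving $VARIABLES from a constructed table.
split_rules() is the first step a converter needs: one signature per unit.
"""
import ipaddress
import re

VARS = {"$HOME_NET": ["10.0.0.0/8", "192.168.0.0/16"],   # constructed; snort.conf sets these
        "$EXTERNAL_NET": ["!$HOME_NET"]}
# matches   option;    option:value;    option:"quoted; value";
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

RULES_TEXT = r"""
# constructed rules in Snort syntax (not from the Snort distribution)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe access"; \
    content:"cmd.exe"; nocase; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS zone transfer request"; content:"|00 00 FC 00 01|"; offset:12; sid:1000002;)
alert tcp any any <> $HOME_NET 23 (msg:"TELNET root login attempt"; content:"login: root"; sid:1000003;)
"""

def split_rules(text):
    """One rule string per signature: joins backslash continuations, drops comments."""
    rules, buf = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            rules.append(buf + line)
            buf = ""
    return rules

def decode_content(value):
    """'abc|00 FF|d' -> bytes: literal text outside the pipes, hex inside."""
    parts = value.strip().strip('"').split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1") for i, p in enumerate(parts))

def parse_rule(rule):
    head, _, body = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    r = {"action": action, "proto": proto, "src": src, "sport": sport, "dir": direction,
         "dst": dst, "dport": dport, "msg": "", "sid": None, "contents": []}
    cur = None                                       # nocase/offset/depth modify the last content
    for key, val in OPTION_RE.findall(body.rstrip().rstrip(")")):
        val = val.strip()
        if key == "content":
            cur = {"pat": decode_content(val), "nocase": False, "offset": 0, "depth": 0}
            r["contents"].append(cur)
        elif key == "nocase" and cur:
            cur["nocase"] = True
        elif key in ("offset", "depth") and cur:
            cur[key] = int(val)
        elif key == "msg":
            r["msg"] = val.strip('"')
        elif key == "sid":
            r["sid"] = int(val)
    return r

def addr_matches(spec, ip):
    if spec == "any":
        return True
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    if spec in VARS:                                 # variable: any member matches
        hit = any(addr_matches(item, ip) for item in VARS[spec])
    else:                                            # literal address or CIDR block
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def content_matches(c, payload):
    hay, pat = (payload.lower(), c["pat"].lower()) if c["nocase"] else (payload, c["pat"])
    end = c["offset"] + c["depth"] if c["depth"] else len(hay)
    return hay.find(pat, c["offset"], end) != -1     # with depth, the pattern must fit the window

def rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    def ends(s, sp, d, dp):
        return (addr_matches(rule["src"], s) and port_matches(rule["sport"], sp)
                and addr_matches(rule["dst"], d) and port_matches(rule["dport"], dp))
    ok = ends(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]) or (
        rule["dir"] == "<>" and ends(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
    return ok and all(content_matches(c, pkt["payload"]) for c in rule["contents"])

def evaluate(rules_text, packets):
    """(packet index, sid, msg) for every rule that fires on each packet."""
    rules = [parse_rule(r) for r in split_rules(rules_text)]
    return [(i, r["sid"], r["msg"]) for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]

# Constructed packets: external web probe; DNS AXFR query; the same probe from an
# internal host (must not fire: $EXTERNAL_NET); a telnet server reply caught by the <> rule.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51234, "dst": "10.1.2.3", "dport": 80,
     "payload": b"GET /scripts/..%255c../winnt/system32/CMD.exe?/c+dir HTTP/1.0\r\n"},
    {"proto": "udp", "src": "198.51.100.9", "sport": 4242, "dst": "10.1.2.53", "dport": 53,
     "payload": b"\x12\x34\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\xfc\x00\x01"},
    {"proto": "tcp", "src": "10.1.2.3", "sport": 40000, "dst": "10.9.9.9", "dport": 80,
     "payload": b"GET /cmd.exe HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.1.2.3", "sport": 23, "dst": "203.0.113.7", "dport": 51000,
     "payload": b"\r\nlogin: root\r\nPassword: "},
]

if __name__ == "__main__":
    print(evaluate(RULES_TEXT, PACKETS))
```

Two details are worth noting. The $EXTERNAL_NET check is what keeps the third packet quiet even though its payload contains cmd.exe: negation is evaluated recursively through the variable table, so a rule scoped to outside sources does not fire on internal hosts. The "<>" rule fires on the server-to-client telnet packet because the header is retried with source and destination swapped, which is how a bidirectional rule sees both halves of a session.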
Another reason is that no binary RPM packages are available, which forces a source compilation that is not as user friendly. Strangely, the user manual has a section devoted to installing Tamandua from RPMs, but the RPMs themselves were not available at the time of this report.

A.7 Other Commercial IDSs
The following entries summarize commercial products as given in the source tables. Each entry lists the vendor, the product type (inline, passive, host-based, and so on), whether it ships as an appliance or as software, the OSI layers it works at, the attack types it covers, its detection approach, its response type (labelled "Record Type" in the source tables) and its strong features; "not given" marks a field the source table leaves empty.

FG-A 1000 (netzentry)
  Type: passive; Form: appliance; OSI layer: network
  Covered attack types: propagation
  Response: manual through UI
  Strong features: IP traffic graphs and packet traces, dynamic filter refinement and retirement, detailed logging and reporting

FG-Z 1000 (netzentry)
  Type: passive; Form: appliance; OSI layer: network
  Covered attack types: propagation
  Response: automatic, user assisted, user combined mitigation
  Strong features: IP traffic graphs and packet traces, dynamic filter refinement and retirement, detailed logging and reporting

Sleuth9 (DeepNines Technologies)
  Type: inline; Form: appliance; OSI layer: network
  Covered attack types: DoS/DDoS, port scans, worm propagation, Trojan horses, malicious insider
  Response: active filtering, adaptive rate control
  Strong features: zero footprint technology, holistic management console, IPv6 support, self-monitoring intelligence, forensic database

Peakflow SP (Arbor Networks)
  Type: passive; Form: appliance; OSI layer: network
  Covered attack types: propagation
  Response: dynamic filtering, recommended filters, rate limiting
  Strong features: transit/peering management, customer accounting, backbone management, reporting and analysis (XML, CSV, XLS, HTML)

Mazu Profiler (Mazu Networks)
  Type: passive; Form: appliance; OSI layer: network
  Covered attack types: propagation, host scans, port scans, unauthorized access, malicious insider activities
  Response: visual analysis and manual response
  Strong features: Mcube technology for intelligent profiling, dynamic baselining, host grouping, real-time analysis module, real-time event detection module

Note: for the five products above, the detection-approach column survives in the source only as the single unaligned entry "signature based detection, protocol specification based detection, traffic anomaly detection"; it cannot be assigned to a particular product and is not reproduced per entry.

Mazu Enforcer (Mazu Networks)
  Type: inline, passive, mixed; Form: appliance; OSI layer: network
  Covered attack types: propagation, fragmentation attacks
  Response: active filtering (on itself or on management routers)
  Strong features: enforcer filters (packet attribute filters, intelligent SYN flood filters, TCP payload filters, Cisco router ACL filters)

netdetail (Esphion Ltd.)
  Type: passive monitoring; Form: software; OSI layer: network
  Covered attack types: propagation, unauthorized activities, network failures
  Response: manual
  Strong features: ntais architecture for direct traffic observation

netdeflect (Esphion Ltd.)
  Type: passive alerting; Form: software; OSI layer: network
  Covered attack types: propagation, unauthorized activities, network failures
  Response: manual
  Strong features: ntais architecture for direct traffic observation

NetScreen (NetScreen)
  Type: inline; Form: appliance; OSI layer: network
  Covered attack types: protocol vulnerability attacks
  Response: active filtering, TCP reset
  Strong features: not given

StealthWatch (Lancope)
  Type: passive; Form: appliance; OSI layer: network
  Covered attack types: propagation, unauthorized activities, malicious insider
  Response: manual
  Strong features: flow based, concern index, virtual security zones, traffic analysis, forensic flow analysis

StealthWatch+Therminator (SW+T) (Lancope)
  Type: passive; Form: appliance; OSI layer: network
  Covered attack types: propagation, unauthorized activities, malicious insider
  Response: manual
  Strong features: flow based, concern index, virtual security zones, traffic analysis, forensic flow analysis

QRadar (Q1Labs)
  Type: passive; Form: software; OSI layers: network, application
  Covered attack types: propagation, unauthorized activities, malicious insider
  Response: manual
  Strong features: flow based, various behavior views, intelligent alerting, selective application content capture

V-Secure IPS (V-Secure)
  Type: passive, inline; Form: appliance; OSI layer: network
  Covered attack types: propagation, probes, unauthorized activities
  Response: manual and active blocking
  Strong features: network traffic monitoring, spectrum analysis module, adaptive smart dynamic filters, closed feedback module

Note: for the eight products above, the detection-approach column survives only as the single unaligned entry "signature based detection"; it is not assigned to a particular product here.

FloodGuard (Reactive Network Solutions)
  Type: passive; Form: appliance; OSI layer: network
  Covered attack types: DoS/DDoS/DRDoS, fixed and randomly spoofed sources
  Detection approach: not given
  Response: active blocking
  Strong features: historical analysis of IP address patterns, measurement and enforcement of appropriate flow-control behavior (TCP back-off)

RS 6300 (NetScaler)
  Type: inline; Form: appliance; OSI layers: network, application
  Covered attack types: traffic surges, DoS
  Detection approach: policy based content-intelligent traffic control
  Response: active packet filtering, request rate control, request limit, connection rate control, connection limit
  Strong features: load balancing, content aware security

IPS 400 (Captus Networks)
  Type: inline; Form: appliance; OSI layer: network
  Covered attack types: propagation, port scan, spam detector, unauthorized activities, malicious insider
  Detection approach: policy based
  Response: active filtering, traffic throttling
  Strong features: policy statements

StormWatch (OKENA)
  Type: host-based; Form: software; OSI layer: application
  Covered attack types: application-specific vulnerability attacks, malicious code attacks
  Detection approach: policy driven
  Response: applying policies created in the management console to stop unauthorized processes
  Strong features: protecting the application by residing on the workstation or server

StormFront (OKENA)
  Type: host-based; Form: software; OSI layer: application
  Covered attack types: application-specific vulnerability attacks, malicious code attacks
  Detection approach: policy generator
  Response: not given
  Strong features: learning and profiling the behavior of applications

StormTrack (OKENA)
  Type: host-based; Form: software; OSI layer: application
  Covered attack types: application-specific vulnerability attacks, malicious code attacks
  Detection approach: policy driven
  Response: proactive behavior enforcement
  Strong features: management console, highly integrated user interface, INCORE architecture

AppShield (Sanctum)
  Type: web application firewall; Form: appliance; OSI layer: application
  Covered attack types: web application attacks (cross site scripting, parameter tampering, forceful browsing, application buffer overflow, etc.)
  Detection approach: policy based
  Response: IP blocking (OPSEC compatible for firewall based network blocking)
  Strong features: positive security model built around a dynamic policy recognition engine; prevents repeated attacks by using the open OPSEC platform to block the IP addresses on firewalls

InterDo (KaVaDo)
  Type: web application firewall; Form: appliance; OSI layer: application
  Covered attack types: web application attacks (cross site scripting, parameter tampering, forceful browsing, application buffer overflow, etc.)
  Detection approach: policy based
  Response: IP blocking (OPSEC compatible for firewall based network blocking)
  Strong features: positive security model, flexible policy configuration

SecureIIS (eEye Digital Security)
  Type: web application firewall; Form: appliance; OSI layer: application
  Covered attack types: web application attacks (cross site scripting, parameter tampering, forceful browsing, application buffer overflow, etc.)
  Detection approach: signature based
  Response: request blocking
  Strong features: negative model application firewall, friendly user interface, ease of deployment

NC-1000 (NetContinuum)
  Type: web application firewall; Form: appliance; OSI layer: application
  Covered attack types: web application attacks (cross site scripting, parameter tampering, forceful browsing, application buffer overflow, etc.)
  Detection approach: specification based
  Response: request blocking, TCP termination, dropping unwanted traffic, ICMP rate limiting
  Strong features: positive model application firewall, attack blocking at all network layers

AppScan Audit (WatchFire)
  Type: web application security testing; Form: software; OSI layer: application
  Covered attack types: DoS/DDoS, web application attacks (cross site scripting, parameter tampering, forceful browsing, application buffer overflow, etc.)
  Detection approach: signature based testing and validation
  Response: testing and validation
  Strong features: automated application vulnerability assessment; software for auditors and compliance officers

AppScan DE (WatchFire)
  Type: web application security testing; Form: software; OSI layer: application
  Covered attack types: web application attacks (cross site scripting, parameter tampering, forceful browsing, application buffer overflow, etc.)
  Detection approach: signature based testing and validation
  Response: testing and validation
  Strong features: real time security testing and secure coding solution for rapid development of secure web applications

AppScan QA (WatchFire)
  Type: web application security testing; Form: software; OSI layer: application
  Covered attack types: web application attacks (cross site scripting, parameter tampering, forceful browsing, application buffer overflow, etc.)
  Detection approach: signature based testing and validation
  Response: testing and validation
  Strong features: automated progressive web application testing software that provides QA personnel with comprehensive security defect analysis

IntruShield (McAfee)
  Type: passive, inline; Form: appliance; OSI layers: network, application
  Covered attack types: known attacks, malicious code, DoS/DDoS
  Detection approach: signature based detection, anomaly detection
  Response: dropping attack packets, session termination, modifying firewall policies, real-time alerting, packet logging
  Strong features: stateful analysis, IP defragmentation and TCP stream reassembly, protocol analysis
Index

AAFID, 155
AALCP, 157
abstraction-based intrusion detection, 155
abuse of functionality, 1
ACC, 134
accuracy, 161
ADAM, 79, 93
Adaptive Resonance Theory, 86
agent-based cooperation, 156
aggregation and correlation component, 134
ALAC, 136
alert aggregation, 134
alert compression, 135
alert correlation, 131
alert filtering, 135
alert outcome, 146
alert prioritization, 145
ANN, 79
  biological models, 35
  learning models, 35
    clustering, 43
    genetic algorithm, 42
    neural network, 41
    outlier detection, 43
  rule-based models, 35
    nadir, 39
    nsm, 38
    tim, 38
    wisdom & sense, 37
  signal processing models, 35
  statistical models, 35
    emerald, 37
    haystack, 36
    nides, 36
application-based intrusion detection systems, 67
applications
  server application, 4
  user application, 4
Apriori algorithm, 93
ART nets, 86
artificial neural networks, 79
ARX model, 106
association rules, 92
attack resistance, 177
attack strategy, 154
attack taxonomies, 2
  VERDICT, 2
    deallocation, 2
    exposure, 2
    randomness, 2
    validation, 2
attacks, 3
  buffer overflow, 3
  denial of service, 3
  information gathering attack, 3
  network attack, 3
  password attack, 3
  physical attack, 3
  trojan, 3
  virus, 3
  worm, 3
  worms
    blaster, 16
    code red, 16
    morris worm, 16
    nachi, 16
    nimda, 16
    slammer, 16
audit logs, 56
availability, 1
base-rate fallacy, 168
Bayes theory, 77
buffer, 7
CAML, 142
centralized correlation, 151
centralized IDS architecture, 115
clustering, 94
  centroid based, 96
  density-based, 109
  distance-based, 109
  hierarchical, 95
  model based, 96
  non-hierarchical, 96
  similarity based, 96
completeness, 172
computer networks, 1
conditional probability table (CPT), 147
confidence, 92, 176
confidentiality, 1
confusion matrix, 163
consequential cost, 176
cooperative IDS, 125
cooperative intrusion detection, 153
correlation techniques, 139
cost-sensitivity, 175
critical information system, 2
CUSUM, 104
D-S theory, 129
damage cost, 175
data collection, 55
data fusion, 129
data mining, 28
data reduction, 134
data set, 180
  DARPA 2000, 181
  DARPA 98, 180
  DARPA 99, 180
  DEFCON 9, 182
  KDD CUP 99, 181
  NSL-KDD, 181
date normalization, 132
DDOS, 14
  icmp/udp flood attack, 14
    sdbot/spybot, 14
    trinoo, 14
  mailbomb, 15
  tcp-syn flood, 14
    phatbot/agobot, 14
    shaft, 14
    stacheldraht, 14
    tfn, 14
    tfn2k, 14
    trinity, 14
Dempster-Shafer's theory, 129
DENCLUE, 101
density based clustering, 101
density distribution functions, 101
detection time, 172
directed acyclic graph (DAG), 148
discrete Wavelet transform, 106
distributed IDS, 119
distributed IDS architecture, 115
distributed intrusion detection, 153
DOS
  apache2, 15
  ping of death, 14
  process table, 15
  smurf, 14
  syslogd, 15
  udpstorm, 15
DWT, 106
EM, 108
email phishing, 1, 10
email trojan horses, 1
evolutionary computation, 89
Expectation-Maximization, 108
exploits, 3
F-Measure, 165
false negative, 162
false positive, 162
feedforward networks, 83
Fourier transform, 106
fpmafia, 103
Fuzzy c-medoids, 103
fuzzy inference, 76
fuzzy logic, 75
fuzzy membership function, 76
GA, 89
GASSATA, 90
Gaussian mixture model, 107
genetic algorithm, 89
genetic programming, 89
GMM, 107
GP, 89
hardware, 3
  network equipment, 3
hierarchical correlation, 151
host-based intrusion detection systems, 55
hosts, 5
hybrid data collection, 69
hybrid-based detection, 46
ICLN, 110
IDMEF, 132
IDS performance, 171
implementation vulnerability, 1
  buffer overflows, 1
  mishandling of temporary files, 1
  race conditions, 1
improper deallocation, 2
improper exposure, 2
improper randomness, 2
improved competitive learning network, 110
integrity, 1
intelligent agent, 116
  autonomous agents for intrusion detection, 118
  multi-agent system-based network security management architecture, 119
intention recognition, 148
intrusion detection, 27
  misuse detection, 27
  specification-based detection, 27
intrusion detection systems, 11
  bro, 11
  snort, 11
intrusion tolerance, 177
itemset, 92
K-Means, 96
LAMBDA, 142, 145
learning process, 84
Local Outlier Factor (LOF), 109
M-Correlator, 146
man-in-the-middle attack, 9
margin of separation, 87
masquerading, 1
maximum-likelihood estimates, 98
Mercer's theorem, 88
misconfiguration attacks, 8
  dictionary, 8
  ftp-write, 8
MLP, 83, 85
mobile agent, 123
  intrusion detection agent system, 123
  mobile agents for intrusion detection, 124
multi-agent IDS, 120
  adaptive hierarchical agent-based intrusion detection system, 121
  fuzzy adaptive survivability tools, 121
multiagent-based intrusion detection, 157
multilayer feedforward network, 83
multilayer perceptron, 83, 85
Naive Bayes classifier, 78
network attacks, 1
  denial-of-service, 1
  internet worms, 1
network equipment
  hubs, 3
  routers, 3
  switches, 3
network management systems, 61
network probes, 4
  IPSweep attack, 5
  MScan, 5
    cgi-bin programs, 5
    finger, 5
    imap, 5
    NFS, 5
    open X servers, 5
    pop3, 5
    statd, 5
  NMap, 5
  Portsweep, 5
  SAINT, 5
  Satan, 6
network-based intrusion detection systems, 61
networking services, 5
  finger, 5
  ftp, 5
  NFS, 5
  NIS, 5
  rexd, 5
  statd, 5
  telnet, 5
  tftp, 5
obstructing methods, 179
operating system, 2
  Linux, 3
  MacOS systems, 3
  Unix, 3
  Windows, 3
operational cost, 176
pattern matching, 28
payload, 4
payloads
  trojan payload, 4
peripheral devices, 3
  keyboard, 3
  mouse, 3
Precision, 164
privilege escalation attacks, 6
  non-user to User, 7
  user to Super-user, 6
race condition attacks, 8
RealSecure, 142
Recall, 164
recurrent networks, 84
reducing false alerts, 136
relevance, 146
response approach, 186
  control theory, 189
    automatic defense system, 189
  decision analysis, 186
    adaptive agent-based intrusion response system, 188
    adaptive intrusion tolerant system, 188
    automated response broker, 187
  game theory, 189
response cost, 176
response time, 172
response type, 185
  active response, 186
  passive alerting and manual response, 185
ROC curves, 166
routing, 19
  bgp, 20
  ospf, 20
routing attacks, 19
  bgp attacks, 21
  ospf attacks, 20
    maximum age attack, 20
    maximum sequence number attack, 20
    seq++, 20
rule-based techniques, 28
  ides, 30
  midas, 29
  nides, 30
run length encoding (RLE), 135
security incident priority, 146
self-organizing map, 85
semi-supervised, 74
severity, 175
short term Fourier transform, 106
signal processing, 104
simple network management protocol, 61
social engineering, 1, 10
software, 3
  operating systems, 3
SOM, 85
spoofed source IPs, 5
state-based techniques, 28
  idiot, 33
  ustat, 32
  logstat, 32
  netstat, 32
  webstat, 32
STATL, 141
STFT, 106
supervised, 74
support, 92
support vector machine, 86
survivability and intrusion tolerance, 194
SVM, 86
Syslog, 135
system call sequences, 58
system vulnerability, 2
targets, 3
  -layer protocol, 4
true negative, 162
true positive, 162
UNNID, 86
unsupervised, 74
vulnerabilities, 3
WADeS, 105
wavelet analysis, 104
Waveman, 105
worm containment, 18
worms
  Blaster, 19
  Nachi, 19
  Slammer, 19
worms propagation, 18
Y-Means, 97