Polytechnic University Introduction 1
Intrusion Detection Systems
Examples of IDSs in real life
Car alarms Fire detectors House alarms Surveillance systems
An IDS is any combination of hardware & software thatmonitors a system or network for malicious activity.
Polytechnic University Introduction 2
Why IDSCan be detected: Mapping Port scans
Tens of thousands of packets
TCP stack scans Hundreds of thousands
of packets
“Deep Packet Inspection” Many organizations
deploy IDS systems Provide warnings to
network administrator Administrator can then
improve network’s security
Vigorous investigation could lead to attackers
There are host-based and network-basedIDS systems. Focus here on network-based.
Polytechnic University Introduction 3
IDS sensors
Webserver
FTPserver
DNSserver
applicationgateway
Internet
Demilitarized zone
Internalnetwork
firewall
= IDS sensor
Underlying OS needsto be hardened: stripped of unnecessarynetwork services
Polytechnic University Introduction 4
False Alarms
False alarms: False positive: normal traffic or benign
action triggers alarm Example: fire alarm if wrong password is
entered; benign user makes a typo False negative: alarm is not fired during
attack
Polytechnic University Introduction 5
Efficiency of IDS system
Accuracy: low false positive and false negative rates
Performance: the rate at which traffic and audit events are processed To keep up with traffic, may not be able to put IDS at
network entry point Instead, place multiple IDSs downstream
Fault tolerance: resistance to attacks Should be run on a single hardened host that
supports only intrusion detection services
Timeliness: time elapsed between intrusion and detection
Polytechnic University Introduction 6
Signature-based IDSSniff traffic on network border router or multiple sensors within a LANMatch sniffed traffic with signatures attack signatures in database signature: set of rules pertaining to a typical intrusion
activity Simple example rule: any ICMP packet > 10,000
bytes Example: more than one thousand SYN packets to
different ports on same host under a second skilled security engineers research known attacks; put
them in database can configure IDS to exclude certain signatures; can
modify signature parametersWarn administrator when signature matches send e-mail, SMS send message to network management system
Polytechnic University Introduction 7
Limitations to signature detection
Requires previous knowledge of attack to generate accurate signature Blind to unknown attacks
Signature bases are getting larger Every packet must be compared with each
signature IDS can get overwhelmed with processing;
can miss packets
Polytechnic University Introduction 8
Anomaly Detection IDS
Observe traffic during normal operation Create normal traffic profile Look for packet streams that are statistically
unusual e.g., inordinate percentage of ICMP packet or exponential growth in port scans/sweeps
Doesn’t rely on having previous knowledge of attack
Research topic in security
Polytechnic University Introduction 9
IDS evasion: “spy vs. spy”
Attackers do not want to be detected by IDS Often attackers are intimately familiar with the
popular IDS products, their weaknesses Idea: manipulate attack data
Active area of research in attack community Example: port scan stretched out over long period of
time, with different source IP addresses Most common approach: fragmentation
To detect malicious activity, IDS must capture, store, and analyze fragments.
Many fragment streams spread out over long period time ➜IDS must have large buffers
• Requires significant memory and processing power
Polytechnic University Introduction 10
IDS evasion: fragmentation Send a flood of fragments
Send so many fragments that IDS system saturates.
Once saturated, IDS will not be able detect a new attack
Fragment packets in unexpected ways Such that the IDS does not understand how
to properly reassemble the attack packets
Polytechnic University Introduction 11
IDS evasion tool: FragRouter
Runs on Unix/Linux systems Provides over 35 different schemes for
fragmenting flow of data Separates attack functionality from the
fragmentation functionality
attacksystem(eg nmap)
attackobfuscation(fragrouter)
IDS target
Internet
Polytechnic University Introduction 12
Some fragmentation types in FragRouter
Sends data in ordered 8-byte fragments Sends data in ordered 24-byte
fragments Sends data in ordered 8-byte fragments
with one fragment out of order Complete TCP handshake, send fake FIN
and RST (with bad checksums) before sending data in ordered 1-byte
Polytechnic University Introduction 13
Snort
Popular open source IDS 200,000 installations
Enhanced sniffer Runs on Linux, Unix,
Windows Generic sniffing
interface libpcap Can easily handle 100
Mbps of traffic Signatures
Written and released by Snort community within hours
Anyone can create Largest collection of
signatures for IDS
Typical setup
snortsensor
hub
internalnetwork
firewall
Good book: Intrusion Detectionwith Snort, by Jack Koziol
Polytechnic University Introduction 14
Snort deployment
snortsensor
hub
internalnetwork
firewall
snortsensor
internalnetwork
firewall
Switch SPAN port:• provides monitoringfor net admin & security• switch copies all traffic to SPAN port• can select which switchports get copied• approach doesn’t requireintro of new hub• no need for unidirectionalcable
unidirectionalsniffing cable
switch
Polytechnic University Introduction 15
Distributing traffic to multiple sensors Large organizations
often have Gbps backbone
Snort with full rule set cannot handle all traffic Packets can get
dropped; attacks go undetected
Tempting to tune Snort by trimming rules
Solutions: Put sensors on
different 100 Mbps segments
Or, multiple sensors on backbone; each sensor processes different range of destination IP addresses
Polytechnic University Introduction 16
snort.conf
Example:
var HOME_NET 193.152.1.1/24
var EXTERNAL_NET !193.152.1.1/24
Var HTTP_SERVERS 193.152.1.17
Var HTTP_PORTS 80 8080
Polytechnic University Introduction 17
Snort rule examplesalert icmp $EXTERNAL_NET any -> $HOME_NET any
(msg:”ICMP PING NMAP”; dsize: 0; itype: 8;)
Rule generates alert for ICMP having empty payload, ICMP type 8, andarriving from the outside.
This is part of an NMAP ping.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139
(msg: “DOS SMBdie attack”:; flags: A+; content:”|57724c6568004577a|”;)
Rule generates alert if a TCP packet from outside contains |57724c6568004577a| in payload and is headed to port 139 (netbios) for some internal host.
This is part of a buffer overflow attack on a computer running Server Message Block Service.
Polytechnic University Introduction 18
Snort rule examples (2)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:”WEB-IIS ISAPI .ida attempt”; uricontent:”.ida?”;
nocase; dsize:>239; flags:A+;)
Rule generates alert for packet heading to Web server with .ida? in URL in GET messageBuffer overflow attack that allows attacker to take over server.
Polytechnic University Introduction 19
Snort rule files
chat.rules ddos.rules ftp.rules multimedia.rules p2p.rules porn.rules virus.rules
Polytechnic University Introduction 20
Snort Rule Writing
Example: Cross-site scripting (XSS): Web site allows scripts to be inserted into
dynamically created Web page. Can reek havoc. Look out for HTTP requests containing <SCRIPT> Might first try:
alert tcp any any -> any any (content: “<SCRIPT>”; msg: “XSS attempt”;) triggers many false positives: e.g., e-mail message with
JavaScript Then try:
alert tcp $EX_NET any -> $HTTP_SRVS $HTTP_PRTS (content: “<SCRIPT>”; msg: “XSS attempt”; nocase;)
Polytechnic University Introduction 21
Snort Rule Syntax Rule is a single line
Rule header: everything before parenthesis Rule option: what’s in the parenthesis
Syntax for rule header:rule_action protocol src_add_range src_prt_rangedir_operator dest_add_range dest_prt_range
Example:alert tcp 192.168.1/24 1:1024 -> 124.17.8.1 80 rule actions: alert, log, drop protocol: tcp, udp, icmp direction: -> and <> src, dest port ranges :
Polytechnic University Introduction 22
Snort Rule Syntax (2)
Syntax for rule option: One or more option keywords
separated by semi-colons Example:
(msg: “XSS attempt”; content: “<SCRIPT>”; nocase;)Content-related keyword examples: content: ”smtp v2”; (ascii) content: ”|0f 65 a7 7b|” ; (binary) uricontent: ”.ida?”; content-list: “inappropriate_content.txt”; nocase; offset: 20; (start at byte 20 in payload) depth: 124; (stop at byte 124 in payload)
Polytechnic University Introduction 23
Snort Rule Syntax (3)
IP-related keyword examples: ttl: <5; id:2345; (id field, used for fragments) fragoffset: 0; dsize: >500; (payload size) ip_proto: 7; ICMP-relayed keyword examples: itype: 8; icode: 3;
Polytechnic University Introduction 24
Snort Rule Syntax (4)
TCP-related rules flags: A+; (ACK flag) flags: FUP; (FIN, Urgent, or Push flag)
+ alert if specified bit is discovered, in addition to at least one other
! alert if any of the specified bits is not set
seq: 12345432; ack: 54321234;Response examples msg: “christmas tree attack”; logto: “new_rule.log”; logs packet when
match occurs