
Lecture 10 Intrusion Detection Systems

Lecture 10 Intrusion Detection Systems. Supakorn Kungpisdan, Ph.D. supakorn@mut.ac.th. Outline. Intrusion Detection System (IDS) IDS Types Signature- VS Statistically Anomaly-based IDS Snort. Intrusion Detection System.





Presentation Transcript


  1. ITEC4621: Network Security Lecture 10 Intrusion Detection Systems Supakorn Kungpisdan, Ph.D. supakorn@mut.ac.th

  2. ITEC4621: Network Security Outline • Intrusion Detection System (IDS) • IDS Types • Signature- VS Statistically Anomaly-based IDS • Snort

  3. ITEC4621: Network Security Intrusion Detection System
     • Software, hardware, or a combination of both used to detect intruder activity
     • An IDS analyses network traffic to look for evidence of attack
     • Scans access logs and analyses the characteristics of files for signs of compromise
     • IDSs only tell us that something wrong has occurred; they do not prevent attacks

  4. ITEC4621: Network Security Definitions
     • Network IDS (NIDS): an IDS that captures data packets traveling on the network media and matches them against a database of signatures
     • Host IDS (HIDS): an IDS installed as an agent on a host. It looks into system and application log files to detect intruder activity.
     • Reactive: sends non-real-time alerts
     • Proactive: sends real-time alerts
     • Signatures: patterns that you look for inside a data packet, used to detect one or more types of attacks

  5. ITEC4621: Network Security Definitions (cont’d)
     • Alerts: user notification of intruder activity, e.g. pop-up windows, logging to a console, sending emails
     • Logs: files containing records of activity in the system or network. Logs are saved in files.
     • Snort saves messages under the /var/log/snort directory by default.
     • False alarms: alerts generated by an indication that is not actually intruder activity.
     • Sensors: the machines on which an IDS runs, used to “sense” the network.

  6. ITEC4621: Network Security IDS Overview

  7. ITEC4621: Network Security IDS Overview (cont.)

  8. ITEC4621: Network Security Roadmap • Intrusion Detection System (IDS) • IDS Types • Signature- VS Statistically Anomaly-based IDS • Snort

  9. ITEC4621: Network Security IDS Types • Network Intrusion Detection System (NIDS) • System Integrity Verifier (SIV) • Log File Monitor (LFM) • Honeypot • Host Intrusion Detection System (HIDS)

  10. ITEC4621: Network Security NIDS
     • A machine running IDS software connects to a hub, switch, or router
     • Analyses network packets to determine if an attacker is trying to break into the system
     • A NIDS captures all passing packets on the network, like a network analyzer
     • The system compares the packets with known attack patterns (signatures)
     • E.g. Snort

  11. ITEC4621: Network Security NIDS (cont.)
     • For example:
       • The NIDS notices that a host is sending SYN packets without attempting to complete the connections
       • The NIDS identifies this as a SYN attack and takes appropriate actions
     • A NIDS consists of 2 parts:
       • Sensor: captures and analyses the traffic
       • Console: manages the sensors and runs all reports
     • A NIDS logs all traffic, so it requires a huge amount of disk space and a dedicated machine

  12. ITEC4621: Network Security System Integrity Verifier
     • aka “file system IDS”
     • Important because a firewall can be breached and a NIDS cannot detect a new kind of attack
     • A SIV creates signatures of all critical system files and regularly re-compares the signatures with the actual files
     • A rootkit, a type of Trojan, is a collection of utilities, often masquerading as legitimate administrative programs, that allows an attacker to gain continued remote control of a system without being detected
     • The most popular SIV is Tripwire
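The following is an added illustration of what a SIV does, written for these notes; it is not Tripwire's code. It records a signature (SHA-256 of the content, size and permission bits) for a list of critical files, then re-checks them and reports which were modified or removed. The files, paths and contents are constructed inside a temporary directory so the example runs without touching a real system.

```python
import hashlib
import os
import pathlib
import tempfile


def file_signature(path):
    """Signature of one file: content hash plus the metadata a SIV typically tracks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode & 0o7777}


def build_baseline(root, critical_files):
    """Record signatures of the listed critical files (paths relative to root)."""
    return {rel: file_signature(os.path.join(root, rel)) for rel in critical_files}


def verify(root, baseline):
    """Re-compute each signature and report what changed since the baseline."""
    report = {"unchanged": [], "modified": [], "missing": []}
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            report["missing"].append(rel)
        elif file_signature(path) != expected:
            report["modified"].append(rel)
        else:
            report["unchanged"].append(rel)
    return report


def demo():
    """Constructed scenario in a temporary directory (no real system files are touched)."""
    with tempfile.TemporaryDirectory() as root:
        r = pathlib.Path(root)
        (r / "etc").mkdir()
        (r / "bin").mkdir()
        (r / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (r / "bin" / "ls").write_bytes(b"\x7fELF original ls binary (constructed)")
        (r / "bin" / "ps").write_bytes(b"\x7fELF original ps binary (constructed)")
        critical = ["etc/passwd", "bin/ls", "bin/ps"]
        baseline = build_baseline(root, critical)
        # Simulate what the slide warns about: one utility replaced by a look-alike, one removed.
        (r / "bin" / "ls").write_bytes(b"\x7fELF replaced ls binary (constructed)")
        (r / "bin" / "ps").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as its storage: if an intruder can rewrite the signature database along with the files, the comparison proves nothing, so the baseline belongs on read-only media or a remote host, the same advice the slides give for log files.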

  13. ITEC4621: Network Security Log File Monitor
     • Steps to create a log file monitoring plan:
       • Determine what information you need out of your system
       • Locate the logs that contain that information
       • Define what types of entries will trigger alerts
     • E.g. Swatch

  14. ITEC4621: Network Security Looking for Unordinary Activities
     • Users logging in at strange hours
     • Unexplained reboots
     • Unexplained changes to the system clock
     • Unusual error messages from the mail daemon, FTP daemon, or other network servers
     • Failed login attempts with bad passwords
     • Unauthorized or suspicious use of the su command
     • Users logging in from unfamiliar sites on the network
     • Etc.
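The log file monitoring plan from the previous slide, applied to the activities listed on this one, as an added example written for these notes (it is not Swatch). The log lines are constructed syslog-style sshd and su entries; the hosts, users, working hours and failure threshold are assumptions passed in as parameters, and the rule names are made up here.

```python
import re
from collections import Counter

# syslog-style line: "Mar 10 02:13:44 host1 sshd[2201]: message"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.\-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPT_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SU_RE = re.compile(r"\(to (?P<target>\S+)\) (?P<user>\S+) on ")


def parse_line(line):
    """Split one log line into its fields; return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["hour"] = int(entry["time"][:2])
    return entry


def monitor(log_text, known_hosts, admin_users, fail_threshold=3, work_hours=(7, 19)):
    """Scan the log text and return (rule, detail) alerts in the order they fire.
    The rules follow the slide's list: repeated bad passwords, logins at odd hours,
    logins from unfamiliar hosts, and su to another account by a non-admin user."""
    alerts = []
    failures = Counter()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        msg = entry["msg"]
        m = FAILED_RE.search(msg)
        if m:
            failures[m["src"]] += 1
            if failures[m["src"]] == fail_threshold:   # fire once, when the threshold is reached
                alerts.append(("bad-password", f"{fail_threshold} failed logins from {m['src']}"))
            continue
        m = ACCEPT_RE.search(msg)
        if m:
            if not (work_hours[0] <= entry["hour"] < work_hours[1]):
                alerts.append(("odd-hour", f"{m['user']} logged in at {entry['time']} from {m['src']}"))
            if m["src"] not in known_hosts:
                alerts.append(("unfamiliar-host", f"{m['user']} logged in from {m['src']}"))
            continue
        m = SU_RE.search(msg)
        if entry["prog"] == "su" and m and m["user"] not in admin_users:
            alerts.append(("su-misuse", f"{m['user']} switched to {m['target']} on {entry['host']}"))
    return alerts


# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
Mar 10 02:13:44 host1 sshd[2201]: Failed password for root from 203.0.113.9 port 51522 ssh2
Mar 10 02:13:47 host1 sshd[2201]: Failed password for root from 203.0.113.9 port 51522 ssh2
Mar 10 02:13:50 host1 sshd[2201]: Failed password for root from 203.0.113.9 port 51522 ssh2
Mar 10 02:14:10 host1 sshd[2209]: Accepted password for alice from 203.0.113.9 port 51530 ssh2
Mar 10 02:15:01 host1 su: (to root) alice on /dev/pts/1
Mar 10 09:30:12 host1 sshd[2300]: Accepted publickey for bob from 192.0.2.20 port 40000 ssh2
Mar 10 09:31:00 host1 su: (to root) bob on /dev/pts/2
Mar 10 09:32:00 host1 kernel: this line matches none of the tracked patterns
"""


def run_demo():
    return monitor(SAMPLE_LOG, known_hosts={"192.0.2.20"}, admin_users={"bob"})


if __name__ == "__main__":
    for rule, detail in run_demo():
        print(f"ALERT [{rule}] {detail}")
```

On the sample, the three bad passwords, the 02:14 login, the login from the unknown address and alice's su to root each raise an alert, while bob's daytime login from a known host and his su pass silently. Each rule is a direct translation of one line of the slide, which is the point of step three of the plan: write down what an alert-worthy entry looks like before choosing a tool.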

  15. ITEC4621: Network Security Honeypot
     • A set of resources that are meant to be probed, attacked, or compromised.
     • Has false services with well-known vulnerabilities
     • Used to attract attackers and distract them from the actual system
     • Used to mislead an attacker or to understand his methods (research honeypot)
     • Advantages
       • Gathers data on what an attacker does in the system and how
       • Optimises resources, as the attacker hits the honeypot rather than the firewall or NIDS
     • Disadvantages
       • Useless if the attacker is not interested
       • The system can be compromised if the honeypot is not properly configured, so do not install a honeypot unless you are sure how to install, monitor, and maintain it!!!
     • Visit http://project.honeynet.org

  16. ITEC4621: Network Security Host-based IDS
     • An IDS that runs on a single server, controlling traffic within a collision domain
     • Functions like a virus scanner
     • When suspicious activity is detected, e.g. deletion of important files, the IDS attempts to terminate the attacking session and sends an alert to the system admin

  17. ITEC4621: Network Security Flaws of HIDS
     • Most HIDS can monitor only specific types of systems, e.g. web servers
     • A HIDS runs on the very system you need to protect, so an attacker who finds a way to disable the IDS can then make changes to your system undetected
     • Before leaving the system, an attacker usually cleans up all traces of activity in the log files
     • It is suggested to forward a copy of all log files to a remote system

  18. ITEC4621: Network Security Roadmap • Intrusion Detection System (IDS) • IDS Types • Signature- VS Statistically Anomaly-based IDS • Snort

  19. ITEC4621: Network Security Knowledge- or Signature-based IDS
     • Most popular
     • Detection is based on signatures
     • A signature is developed from how the attack is carried out
     • Any action that is not recognised as an attack is considered acceptable
     • E.g. a packet that has the same source and destination IP address is the signature of a “Land Attack”
     • Weak against new types of attacks
     • The software needs regular updating with new signatures

  20. ITEC4621: Network Security Statistical Anomaly-based IDS
     • Aka behavioral-based IDS
     • Does not use signatures
     • Put in a learning mode to build a profile of an environment’s “normal” activities
     • The longer the IDS is left in learning mode, in most instances, the more accurate a profile it will build and the better protection it will provide
     • Statistically, the IDS looks for anomalies in the network traffic or user activity
     • Anything that does not match the profile is seen as an attack
     • Each packet is given an anomaly score. If the score is higher than the threshold, it is considered an attack
     • Can detect “0 day” attacks
     • May generate false alerts
     • Need to ensure that no attack activity is underway during the learning mode
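An added example of the learning mode, anomaly score and threshold described above, written for these notes rather than taken from any IDS product. The feature (new connections per minute from one host), the sample values, the host addresses and the threshold of 3 are all constructed; the score is the distance from the learned mean in standard deviations. It also runs the same observations against a profile whose learning window contained a scan burst, which is the last bullet's warning made concrete.

```python
import math
from collections import defaultdict


def build_profile(training):
    """Learning mode: per-host mean and standard deviation of the observed feature."""
    samples = defaultdict(list)
    for host, value in training:
        samples[host].append(value)
    profile = {}
    for host, values in samples.items():
        mean = sum(values) / len(values)
        variance = sum((v - mean) ** 2 for v in values) / len(values)
        profile[host] = (mean, math.sqrt(variance))
    return profile


def anomaly_score(profile, host, value, min_std=1.0):
    """Distance from the learned mean in standard deviations (a z-score).
    min_std stops a near-constant baseline from turning tiny changes into huge scores.
    A host absent from the profile has no baseline, so it gets the maximum score."""
    if host not in profile:
        return math.inf
    mean, std = profile[host]
    return abs(value - mean) / max(std, min_std)


def classify(profile, observations, threshold=3.0):
    """Flag each (host, value) whose score exceeds the threshold as (host, value, is_attack)."""
    return [(host, value, anomaly_score(profile, host, value) > threshold)
            for host, value in observations]


# Constructed data: new TCP connections per minute seen from one workstation.
HOST = "10.0.0.5"
CLEAN_TRAINING = [(HOST, v) for v in [4, 5, 6, 5, 4, 6, 5, 5, 4, 6]]
# Same baseline, but the learning window also contained a port-scan burst.
POISONED_TRAINING = CLEAN_TRAINING + [(HOST, v) for v in [40, 45, 50]]
OBSERVATIONS = [(HOST, 5), (HOST, 7), (HOST, 40), ("10.0.0.99", 5)]


def demo():
    clean = build_profile(CLEAN_TRAINING)
    poisoned = build_profile(POISONED_TRAINING)
    return {"clean": classify(clean, OBSERVATIONS),
            "poisoned": classify(poisoned, OBSERVATIONS)}


if __name__ == "__main__":
    for name, results in demo().items():
        print(name)
        for host, value, flagged in results:
            print(f"  {host} value={value} attack={flagged}")
```

With the clean profile (mean 5, standard deviation about 0.77) the burst of 40 scores 35 and is flagged, while 7 scores 2 and is accepted. With the poisoned profile the mean rises to about 14 and the deviation to about 17, so the same burst scores about 1.5 and slips under the threshold: an attack present during learning becomes part of "normal". The unknown host is flagged in both cases, which is the "anything not matching the profile" rule and also where the false alerts of the previous bullet come from.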

  21. ITEC4621: Network Security Roadmap • Intrusion Detection System (IDS) • IDS Types • Signature- VS Statistically Anomaly-based IDS • Snort

  22. ITEC4621: Network Security Snort
     • Snort can sniff packets, log packets, and detect network intrusions
     • Types of Snort alerts:
       • Full: default, displays all information
       • Fast: timestamp, message, src & dest IP addresses and port numbers
       • Socket: sends alerts to a UNIX socket (another program on the same machine can record the alerts)
       • Syslog: sends alerts to the syslog daemon
       • Smb: uses Samba to send a pop-up message to Windows machines
       • None: generates no alerts

  23. ITEC4621: Network Security Snort

  24. ITEC4621: Network Security Snort Components
     • Packet Decoder: prepares packets from different interfaces to be preprocessed or sent to the detection engine
     • Preprocessors: arrange or modify packets before they are analyzed by the detection engine
     • Detection engine: detects whether any intrusion activity exists in a packet
       • Applies the Snort rules
     • Logging and alert system: may log the activity or generate an alert
     • Output modules: control the type of output generated by the logging and alert system:
       • Log to /var/log/snort/alerts
       • Send messages to the syslog facility
       • Log to DBs, e.g. MySQL or Oracle
       • Generate XML output
       • Etc.

  25. ITEC4621: Network Security Components of an IDS

  26. ITEC4621: Network Security Snort Rules
     alert tcp any any -> 10.0.0.0/8 22 (msg:"ssh login";)
     [Figure: the rule above annotated field by field. Action: alert, log, or pass. Protocol: tcp, udp, icmp, or ip. Then source IP, source port, direction, destination IP and destination port; port fields also take ranges such as 0:22 and negations such as !22.]
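To make the rule format concrete, here is an added miniature rule matcher written for these notes; it is not Snort's detection engine. It parses the header fields shown on the slide and a few options, then tests constructed packet headers against a constructed rule set that includes the slide's SSH rule, the Land-attack signature from the signature-based IDS slide (Snort's real sameip option) and a TTL rule. Only the actions alert/log/pass, the protocols tcp/udp/icmp/ip, single addresses or CIDR blocks with ! negation, port numbers/ranges/negation and the options msg, sid, sameip and ttl (exact value only) are supported; Snort variables such as $HOME_NET, address lists and the rest of the option language are not.

```python
import ipaddress
import re

# Header: action protocol src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# Each option is `key;` or `key:value;`; a value may be a quoted string containing ';'.
OPTION_RE = re.compile(r'\s*(?P<key>\w+)(?:\s*:\s*(?P<val>"[^"]*"|[^;]*?))?\s*;')


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = m.groupdict()
    rule["opts"] = {o["key"]: (o["val"].strip().strip('"') if o["val"] is not None else True)
                    for o in OPTION_RE.finditer(rule["opts"])}
    return rule


def addr_matches(spec, ip):
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    if port is None:            # ICMP has no ports; only "any" can match
        return spec == "any"
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:             # range, e.g. 0:22, :1023 or 1024:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False

    def header(src, sport, dst, dport):
        return (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
                and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))

    ok = header(pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))
    if not ok and rule["dir"] == "<>":      # bidirectional rule: try the reverse direction
        ok = header(pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))
    if not ok:
        return False
    opts = rule["opts"]
    if "sameip" in opts and pkt["src"] != pkt["dst"]:           # Land-attack signature
        return False
    if "ttl" in opts and pkt.get("ttl") != int(opts["ttl"]):    # exact TTL only here
        return False
    return True


def evaluate(rules, pkt):
    """Return (action, msg) for every rule the packet matches, in rule-file order."""
    return [(r["action"], r["opts"].get("msg", "")) for r in rules if rule_matches(r, pkt)]


# Constructed rule set (sid values are arbitrary local numbers).
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> 10.0.0.0/8 22 (msg:"ssh login"; sid:1000001;)',
    'alert ip any any -> any any (msg:"Land attack: same src and dst IP"; sameip; sid:1000002;)',
    'alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100; sid:1000003;)',
    'pass tcp 192.0.2.10 any -> 10.0.0.0/8 !23 (msg:"trusted admin host"; sid:1000004;)',
]]

# Constructed packet headers.
PACKETS = {
    "ssh": {"proto": "tcp", "src": "203.0.113.9", "sport": 51522, "dst": "10.1.2.3", "dport": 22, "ttl": 64},
    "land": {"proto": "tcp", "src": "10.1.2.3", "sport": 139, "dst": "10.1.2.3", "dport": 139, "ttl": 64},
    "ping100": {"proto": "icmp", "src": "203.0.113.9", "dst": "10.1.2.3", "ttl": 100},
    "ping64": {"proto": "icmp", "src": "203.0.113.9", "dst": "10.1.2.3", "ttl": 64},
    "admin": {"proto": "tcp", "src": "192.0.2.10", "sport": 4000, "dst": "10.1.2.3", "dport": 22, "ttl": 64},
}


def demo():
    return {name: evaluate(RULES, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

The "admin" packet matches both the alert rule and the pass rule; evaluate() reports both, and which one wins is a policy question. In Snort the processing order of alert, pass and log rules is configurable, so a pass rule meant to silence an alert only works if the engine is set to consult pass rules first.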

  27. ITEC4621: Network Security Snort Alert Example
     • An attacker changes the source port in every packet while scanning port 21 on target machines, to avoid detection

  28. ITEC4621: Network Security Where to Place Snort
     • Snort consists of a console and sensors
     • There can be more than one sensor monitoring traffic and sending data to the console
     • NIDS sensors run without an IP address bound to the public network segment
       • An IP address is configured only on the network card that connects the sensor to the console
       • The sensor is invisible to the public network segment

  29. ITEC4621: Network Security Where to Place Snort (cont.)

  30. ITEC4621: Network Security Dealing with Switches

  31. ITEC4621: Network Security Dealing with Switches (cont.)

  32. ITEC4621: Network Security Dealing with Switches (cont.)

  33. ITEC4621: Network Security How to Protect IDS Itself
     • Do not run any services on the IDS sensor
     • Patch the IDS with the latest releases
     • Configure the IDS not to respond to ping packets
     • On Linux, use iptables to block any unwanted data
     • Use the IDS machine only as necessary, including creating user accounts only as necessary
     • Configure Snort in stealth mode on an interface with no IP address

  34. ITEC4621: Network Security Mode of Operations • Sniffer mode • Packet logger mode • Network Intrusion Detection System (NIDS) mode

  35. ITEC4621: Network Security Snort Sniffer Mode
     • Similar to tcpdump, but provides more details about how packets are analysed.
     • It provides a network traffic summary at the end of the capture.
     • To use Snort in sniffer mode, type:
       % snort -v
     • To sniff payloads as well, combine the -v and -d flags:
       % snort -vd
     • To also show data-link layer headers, combine the -v, -d, and -e flags:
       % snort -vde

  36. ITEC4621: Network Security Available Flags in Sniffer Mode
     • -v : dump packets to standard output (shows the result on screen)
       • Displays TCP, UDP, and ICMP information
     • -d : dump packet payloads
     • -a : display ARP packets
     • -e : display link layer data and display data in ASCII format
     The above flags can be used individually or in combination with each other.

  37. ITEC4621: Network Security Snort -v

  38. ITEC4621: Network Security Snort -dv

  39. ITEC4621: Network Security Snort -dev

  40. ITEC4621: Network Security Snort Packet Logger Mode
     • This mode logs the results of running Snort into a log file.
     • You can use the -d, -a, and -e options to control the amount of information logged for each packet.
       % snort -l /var/log/snort -d
     • Snort can log packets in binary format, readable by Snort, tcpdump, or Ethereal. This greatly increases the speed and portability of the packet capture.
       % snort -b -l /usr/local/log/snort
     • To read the log file using Snort, type the following command:
       % snort -r /usr/local/log/snort

  41. ITEC4621: Network Security Logging Traffic on Multiple Interfaces
     • To listen on multiple interfaces, run one Snort instance per interface:
       % snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort0
       % snort -c /etc/snort/snort.conf -i eth1 -l /var/log/snort1

  42. ITEC4621: Network Security Snort NIDS Mode
     • Snort applies rules to all captured packets. If a packet matches a rule, it is logged or an alert is generated.
       % snort -c /etc/snort/snort.conf
       % snort -dev -l /var/log/snort -c \
           /etc/snort/snort.conf

  43. ITEC4621: Network Security Snort Alert Modes
     Rule in snort.conf:
       alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)
     Trigger it with a ping whose TTL is 100 (Windows ping syntax):
       % ping -n 1 -i 100 192.168.1.3
     • Fast Mode
     • Full Mode
     • UNIX Socket Mode
     • No Alert Mode
     • Sending Alerts to Syslog
     • Sending Alerts to SNMP
     • Sending Alerts to Windows

  44. ITEC4621: Network Security Fast Mode
     • Logs alerts with the following information:
       • Timestamp
       • Alert message
       • Src/dest IP addresses and ports
       % snort -c /etc/snort/snort.conf -q -A fast
     • Logs alerts in the /var/log/snort/alert file
     • Does not log the initialization messages and summary (the -q flag)
     • No port numbers are shown… why?

  45. ITEC4621: Network Security Full Mode
     • Default alert mode. It prints the alert message and the packet header
       % snort -c /etc/snort/snort.conf -q -A full

  46. ITEC4621: Network Security Unix Socket Mode
     • Sends alerts to another program through a UNIX socket
       % snort -c /etc/snort/snort.conf -A unsock
     No Alert Mode
     • Completely disables alerting
       % snort -c /etc/snort/snort.conf -A none

  47. ITEC4621: Network Security Running Snort in Stealth Mode
     • Other hosts are not able to detect the presence of the Snort machine
     • It is feasible in two cases:
       • A stand-alone Snort sensor with only one network adapter
       • A Snort sensor with 2 network adapters: one accessed from an isolated network and the other connected to the public network and running in stealth mode

  48. ITEC4621: Network Security Running Snort in Stealth Mode (cont.)
     % ifconfig eth0 up
     % snort -c /etc/snort/snort.conf -i eth0 -D

  49. ITEC4621: Network Security Questions?
