Network Intrusion Detection System (NIDS)
Somesh Jha
NIDS
• Inspect packets at certain vantage points
  • Behind the routers
• Look for malicious or anomalous behavior
• Much more fine-grained than firewalls
  • Example: drop a packet whose payload “matches” a certain string
Classification of NIDS
• Signature-based
  • Establish a database of malicious patterns
  • If a sequence of packets “matches” one of the patterns, raise an alarm
• Positives
  • Good attack libraries
  • Easy to understand the results
• Negatives
  • Unable to detect new attacks or variants of old attacks
• Examples
  • Snort, Bro, NFR, …
Classification of NIDS
• Anomaly-based
  • Establish a statistical profile of normal traffic
  • If monitored traffic deviates “sufficiently” from the established profile, raise an alarm
• Positives
  • Can detect new attacks
• Negatives
  • High false alarm rate
  • Intruder can go under the “radar”
• Examples
  • Mostly research systems
Classification of NIDS
• Stateless
  • Need to keep no state
  • Example: raise an alarm if you see a packet that contains the pattern “melissa”
• Positives
  • Very fast
• Negatives
  • Some attacks can only be detected by keeping state
Classification of NIDS
• Stateful
  • Keeps state
  • Sometimes needs to do reassembly
    • Reassemble packets that belong to the same connection, e.g., packets that belong to the same ssh session
    • Quite hard! (out-of-order delivery)
• Positives
  • Can detect more attacks
• Negatives
  • Requires too much memory
Snort architecture (figure): libpcap delivers a filtered packet stream to Snort, which checks it against the malicious patterns and emits logs, alerts, ...
libpcap
• Takes the “raw” packet stream
• Parses the packets and presents them as a filtered packet stream
• Website for more details: http://www-nrg.ee.lbl.gov/
Malicious Pattern Example
alert tcp any any -> 10.1.1.0/24 80 (content:"/cgi-bin/phf"; msg:"PHF probe!";)
Rule header fields, left to right: action (pass, log or alert), protocol, source address, source port, destination address, destination port
Malicious Patterns Example
• content:"/cgi-bin/phf"
  • Matches any packet whose payload contains the string "/cgi-bin/phf"
  • Look at http://www.cert.org/advisories/CA-1996-06.html
• msg:"PHF probe!"
  • Generate this message if a match happens
More Examples
alert tcp any any -> 10.1.1.0/24 6000:6010 (msg:"X traffic";)
alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 6000:6010 (msg:"X traffic";)
6000:6010 is a destination port range; the leading ! in the second rule negates the source network, so only traffic from outside 10.1.1.0/24 matches
How to generate new patterns?
• Buffer overrun found in Internet Message Access Protocol (IMAP)
  • http://www.cert.org/advisories/CA-1997-09.html
• Run exploit in a test network and record all traffic
• Examine the content of the attack packet
Notional "IMAP buffer overflow" packet
052499-22:27:58.403313 192.168.1.4:1034 -> 192.168.1.3:143
TCP TTL:64 TOS:0x0 DF
***PA* Seq: 0x5295B44E Ack: 0x1B4F8970 Win: 0x7D78
90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 3B  ...............;
5E 89 76 08 31 ED 31 C9 31 C0 88 6E 07 89 6E 0C  ^.v.1.1.1..n..n.
B0 0B 89 F3 8D 6E 08 89 E9 8D 6E 0C 89 EA CD 80  .....n....n.....
31 DB 89 D8 40 CD 80 90 90 90 90 90 90 90 90 90  1...@...........
90 90 90 90 90 90 90 90 90 90 90 E8 C0 FF FF FF  ................
2F 62 69 6E 2F 73 68 90 90 90 90 90 90 90 90 90  /bin/sh.........
Alert rule for the new buffer overflow
alert tcp any any -> 192.168.1.0/24 143 (content:"|E8C0 FFFF FF|/bin/sh"; msg:"New IMAP Buffer Overflow detected!";)
Hex-formatted bytes (enclosed in | characters) and plain text can be mixed in one content pattern
Advantages of Snort
• Lightweight
  • Small footprint
  • Focused monitoring: a highly tuned Snort for the SMTP server
• Malicious patterns easy to develop
• Large user community
  • Consider the IRDP denial-of-service attack
  • Rule for this attack was available on the same day the attack was announced
Disadvantages
• Does not do stream reassembly
  • Attackers can use that to “fool” Snort: break one attack packet into a stream
• Pattern matching is expensive
  • Matching patterns in payloads is expensive (avoid it!)
• Rule development methodology is ad hoc
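As an added example (not from the slides, and not Snort's own code), a toy Snort-style content matcher in Python: it parses the mixed hex/text content syntax used in the IMAP rule above, matches it against a constructed payload carrying the bytes from that rule, and shows why the missing stream reassembly matters: per-packet matching misses a pattern that straddles two TCP segments, while matching over the reassembled stream catches it. The payload, rule string and function names are all constructed for this illustration.

```python
import re

# Parse a Snort-style content string such as '|E8C0 FFFF FF|/bin/sh' into bytes.
# Text between a pair of pipes is hex (spaces ignored); text outside pipes is literal.
def parse_content(pattern: str) -> bytes:
    if pattern.count("|") % 2:
        raise ValueError(f"unbalanced '|' in content: {pattern!r}")
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 1:                       # odd-numbered chunks sit between pipes
            hexstr = re.sub(r"\s+", "", chunk)
            if len(hexstr) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hexstr):
                raise ValueError(f"bad hex in content: {chunk!r}")
            out += bytes.fromhex(hexstr)
        else:
            out += chunk.encode("latin-1")
    return bytes(out)

# Content option copied from the IMAP overflow rule on the slide.
IMAP_RULE_CONTENT = '|E8C0 FFFF FF|/bin/sh'

# Stateless check: the pattern must appear wholly inside one segment's payload.
def match_per_packet(segments, pattern: str) -> bool:
    needle = parse_content(pattern)
    return any(needle in seg for seg in segments)

# Stateful check: concatenate the segments of one connection first, then match.
def match_reassembled(segments, pattern: str) -> bool:
    needle = parse_content(pattern)
    return needle in b"".join(segments)

# Constructed sample payload: filler bytes around the 12-byte signature from the rule.
PAYLOAD = b"\x90" * 8 + b"\xE8\xC0\xFF\xFF\xFF" + b"/bin/sh" + b"\x90" * 4

def demo() -> dict:
    whole = [PAYLOAD]                        # signature delivered in one segment
    split = [PAYLOAD[:13], PAYLOAD[13:]]     # same bytes, cut inside the signature
    return {
        "pattern": parse_content(IMAP_RULE_CONTENT),
        "whole_per_packet": match_per_packet(whole, IMAP_RULE_CONTENT),
        "split_per_packet": match_per_packet(split, IMAP_RULE_CONTENT),   # False: missed
        "split_reassembled": match_reassembled(split, IMAP_RULE_CONTENT), # True: caught
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```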