
Computer Security Workshops


Presentation Transcript


  1. Computer Security Workshops Module 6 – Intrusion Detection Systems

  2. Intrusion Detection Systems
  • System monitoring software
  • Developed to monitor suspicious activity
  • Optionally, report or respond to such activity
  • Two major levels/types
    • Misuse-based
      • Host-based
      • Network-based (NIDS)
    • Anomaly-based
  • Increasing use of both for maximum security

  3. Host Based Intrusion Detection Systems
  • Dependent on operating system
  • Main activities
    • Check system logs
    • Monitor user logins
    • Monitor processes
    • Look for trojans
  • Advantages: can be quite sophisticated
  • Disadvantages:
    • Deal with known problems
    • Active: consume CPU cycles

  4. Host-Based IDS - Details
  • Events to watch
    • Creation of accounts
    • Protection violations (actual, attempted)
    • Logins
    • Failed logins
  • Kernel activity as well as user activity

  5. Network Based Intrusion Detection Systems (NIDS)
  • High level: packet sniffers
  • Examine network traffic
  • Compare actual traffic to known attack patterns
  • If these patterns/signatures are found, infer that an intrusion is taking place
  • Advantage: passive (analyzes the network, not a particular system; hard to detect)
  • Disadvantages
    • Switches can reduce the amount of visible traffic to analyze
    • Packet fragmenting can fool the system

  6. IDS Tools
  • Open Source
  • Snort (Linux, Windows)
  • Shadow (Virtual IDS)
  • BlackICE (http://www.iss.net/blackice)
  • ISS RealSecure

  7. Example System: Snort
  • http://www.snort.org
  • Need to define signatures/rules
    • available on the internet, updated frequently
  • Multiple level architecture
    • Main application (doing analysis)
    • Web client – ACID (Analysis Console for Intrusion Databases)
    • Barnyard – analysis of results

  8. SNORT - more
  • Now supports preprocessor analysis
  • Problems with signatures
    • False positives – too wide a net
    • False negatives – too narrow a net
  • Preprocessors allow customizing
    • Start using anomaly-based detection
    • Customize rules based on users
  • Examples (see in /etc/snort/snort.conf)
    • stream4 – TCP statefulness, session reassembly
    • frag2 – packet fragmenting/reassembly
  • Problems
    • Difficult to work with, generates a large amount of data

  9. Other Tools for Intrusion Detection
  • Linux
    • last (user analysis)
    • lsof (file analysis)
    • tripwire (file analysis)
    • chkrootkit (file analysis)
    • swatch (log file analysis)
  • Windows
    • Microsoft Port Reporter
    • GFI LANguard System Integrity Monitor
    • GFI LANguard Security Event Log Monitor
    • http://www.extralan.co.uk

  10. last
  • displays a list of recent user logons
  • Usage: last [-N]
  • E.g. last -20 // display the last 20 logins

  11. lsof
  • Lists open files on your system
  • Useful to see which processes are working with which files, and possibly identify tampering
  • Usage: lsof
  • E.g. lsof | more // one screen at a time

  12. tripwire
  • tripwire (http://sourceforge.net/projects/tripwire/ ; also a commercial product)
  • uses digital hashing (MD5) to create secure file signatures
  • a change in file size and/or signature potentially shows intrusion
  • the database is now signed itself, but it is still best to store it on write-protected media/hardware
  • expanded to define a policy language for what to monitor
  • Linux version is open source; commercial Windows version available
  • Security usage: identify the presence of tampered files, symptomatic of rootkits
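The file-signature idea on this slide (hash plus size per file, a signed database, a later scan diffed against it) as an added Python illustration; this is constructed for the workshop, not tripwire's own code, and the directory, file contents and key in demo() are assumptions:

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
# Constructed illustration of the tripwire idea, not tripwire's code: SHA-256 stands in for
# the MD5 the slide mentions, and an HMAC signs the database so it cannot be edited silently.

def file_signature(path: Path) -> dict:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": path.stat().st_size, "sha256": h.hexdigest()}

def scan(root: Path) -> dict:
    """Signature of every regular file under root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): file_signature(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def build_database(root: Path, key: bytes) -> bytes:
    """Serialize the scan and append an HMAC; the key should live off the monitored host."""
    body = json.dumps(scan(root), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"entries": json.loads(body), "hmac": tag}).encode()

def check_database(root: Path, db_bytes: bytes, key: bytes) -> dict:
    """Verify the HMAC first: a forged database could otherwise hide real changes."""
    db = json.loads(db_bytes)
    body = json.dumps(db["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, db["hmac"]):
        raise ValueError("integrity database tampered with (or wrong key)")
    baseline, current = db["entries"], scan(root)
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": sorted(f for f in baseline.keys() & current.keys()
                              if baseline[f] != current[f])}

def demo() -> dict:
    # Constructed scenario: baseline, then a same-size swap of bin/ls, a new file, a deleted one
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"original ls binary")
    (root / "bin" / "ps").write_bytes(b"original ps binary")
    key = b"constructed-demo-key"
    db = build_database(root, key)
    (root / "bin" / "ls").write_bytes(b"trojaned ls binary")  # same size, new hash
    (root / "bin" / "rk.sh").write_bytes(b"#!/bin/sh\n")
    (root / "bin" / "ps").unlink()
    return check_database(root, db, key)
```

The size-only check would miss the swapped bin/ls here; the digest catches it, which is why the slide pairs size with a signature.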

  13. chkrootkit
  • Root Kit / rootkit – a package of cracker tools placed on a system for purposes of taking control or otherwise using it
    • May include modified system utilities (e.g. ls, ps)
    • Examples: t0rn, HKRK, Romanian, others…
  • chkrootkit - program to check the system for common root kits
  • Checks
    • common files for substitutions
    • based on known signatures, not just changes
    • evidence of rootkit runs
    • other suspicious files and directories

  14. Responding To Root Kits
  • If a minimal number of files is affected, may be able to replace those files from original media
  • If a larger infection, may have to re-image the system
  • Can be difficult to eradicate all traces

  15. swatch
  • Log file watcher
  • Many log files to watch
    • /var/log/messages
    • /var/log/secure
    • More in separate directories
      • httpd
      • samba
      • snort
  • Goal: automatically be notified when a (certain type of) log file entry is made
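The swatch goal above (notify when a certain type of entry lands in /var/log/secure), combined with the events slide 4 says to watch (failed logins, account creation), as an added Python example; this is a constructed watcher, not swatch's code, and the log lines, hostnames, addresses and threshold are made up for the demonstration:

```python
import re
from collections import Counter
# Constructed swatch-style watcher (not swatch's code): pattern/action pairs applied to each
# new log line; a per-source counter catches repeated failed logins that no single line shows.

FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCOUNT_CREATED = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")
ROOT_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)")

class LogWatcher:
    def __init__(self, fail_threshold: int = 3):
        self.fail_threshold = fail_threshold
        self.failures = Counter()   # failed logins seen per source address
        self.alerts = []

    def feed(self, line: str) -> None:
        """Process one line; swatch would tail the file and hand over each new line."""
        if m := FAILED_LOGIN.search(line):
            self.failures[m["src"]] += 1
            if self.failures[m["src"]] == self.fail_threshold:
                self.alerts.append(f"{self.fail_threshold} failed logins from {m['src']}")
        elif m := ACCOUNT_CREATED.search(line):
            self.alerts.append(f"account created: {m['user']}")
        elif m := ROOT_LOGIN.search(line):
            self.alerts.append(f"root login from {m['src']}")

# Constructed sample of /var/log/secure entries (hosts and addresses are placeholders)
SAMPLE_SECURE_LOG = """\
Mar  3 10:01:12 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 5021 ssh2
Mar  3 10:01:15 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 5021 ssh2
Mar  3 10:01:19 host sshd[2213]: Failed password for bob from 203.0.113.7 port 5030 ssh2
Mar  3 10:02:00 host sshd[2220]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar  3 10:05:41 host useradd[2301]: new user: name=backup2, UID=1005, GID=1005, home=/home/backup2, shell=/bin/bash
Mar  3 10:06:02 host sshd[2310]: Accepted password for root from 203.0.113.7 port 5100 ssh2
"""

def run_watcher(log_text: str = SAMPLE_SECURE_LOG) -> list:
    """Feed every line of the sample and return the alerts raised, in order."""
    w = LogWatcher()
    for line in log_text.splitlines():
        w.feed(line)
    return w.alerts
```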

  16. Windows Tools
  • Many tools available to help in intrusion detection (as well as previous steps)
  • Several from www.sysinternals.com
    • Process Explorer (process monitoring, including CPU usage)
    • Autoruns (service start-up monitoring)
  • Others
    • CurrPorts (port/service information)

  17. More Information on IDS
  • SANS IDS FAQ
  • http://www.sans.org/resources/idfaq/
