180 likes | 267 Views
An Introduction To Gateway Intrusion Detection Systems. Hogwash GIDS Jed Haile Nitro Data Systems. © Jed Haile, Nitro Data Systems 2002. What Is a Gateway IDS?. Gateway Intrusion Detection System A network intrusion detection system which acts as a network gateway
E N D
An Introduction To Gateway Intrusion DetectionSystems Hogwash GIDS Jed Haile Nitro Data Systems
© Jed Haile, Nitro Data Systems 2002 What Is a Gateway IDS? • Gateway Intrusion Detection System • A network intrusion detection system which acts as a network gateway • Designed to stop malicious traffic and generate alerts on suspicious traffic • An “ideal” gateway IDS is able to stop all known exploits
GIDS Acts as network gateway Stops suspect packets Prevents successful intrusions False positives are VERY bad NIDS Only observes network traffic Logs suspect packets and generates alerts Cannot stop an intruder False positives are not as big of an issue © Jed Haile, Nitro Data Systems 2002 GIDS vs NIDS
© Jed Haile, Nitro Data Systems 2002 About Hogwash • Based on the Snort intrusion detection system • Operation is similar to some bridging firewalls • Uses snort rules with some additional keywords to make forward/drop decisions • Compatible with most snort plugins • Freely available under the GPL
© Jed Haile, Nitro Data Systems 2002 Basic Theory of Operation • Much like a bridging firewall, Hogwash makes forward/drop decisions… • This packet is always good so pass it into my network. • This packet is always bad so drop it and tell me about it. • This packet is sometimes bad so tell me about it, but don't drop it.
© Jed Haile, Nitro Data Systems 2002 Typical Hogwash Installation
© Jed Haile, Nitro Data Systems 2002 New Hogwash Keywords • drop Drops a packet, sends an rst, logs the packet • ignore Drops a packet without sending an rst • sdrop Drops a packet, sends an rst, does not log the packet
© Jed Haile, Nitro Data Systems 2002 Multipacket Signature Matching • Hogwash cannot do traditional stream reassembly • Instead, hogwash can watch for partial content matches at the end of a packet • If there is a partial match, hogwash goes ahead and forwards the packet and caches a copy • When then next packet comes hogwash will reassemble the two packets and run it back through the detection engine, if it matches the second packet is dropped • Works for out of order packets also • Enabled by using the “multi” keyword in a rule
© Jed Haile, Nitro Data Systems 2002 Defeating Portscans Hogwash uses state counting to detect portscans • Each time a new session (tcp, udp, icmp) is initiated in your network, hogwash notes it • All sessions are tracked from a host until it is idle for some period of time, 60 seconds by default • If a host hits more than 20 unique ports or 5 unique targets, he is determined to be portscanning. These thresholds are user configurable. • Hogwash will then drop all that portscanner’s packets
© Jed Haile, Nitro Data Systems 2002 Content Replacement Hogwash can replace content in a packet • “replace” keyword tells hogwash to replace a detected string with another string. • Example: alert tcp any any -> $IIS_SERVERS 80 (content:”cmd.exe”; replace:”yyy.yyy”;) • Any content in the packet payload can be replaced. • A great way to break an exploit without dropping the packet!!
© Jed Haile, Nitro Data Systems 2002 Stealth • Stackless Operation • Hogwash does not require an ip stack to be loaded on it’s network interfaces • Hogwash can invisibly forward traffic, no decreased TTLs, etc
© Jed Haile, Nitro Data Systems 2002 Stackless Control Protocol • Stackless Control Protocol • Hogwash can be remotely controlled, even when running in stackless mode • To send a command simply send a control packet so that it will pass through the hogwash box • Packets can be any combination of TCP, UDP, ICMP • The stackless control protocol uses twofish or AES cryptography and a custom protocol to ensure security
© Jed Haile, Nitro Data Systems 2002 Stackless Control Protocol Theory Each packet that passes through hogwash is checked for a “magic token” in the payload. If the token is found, then hogwash will attempt to decrypt the payload following the magic token. If the token is found again immediately following the first magic token, then hogwash knows it has found a control packet and processes the command.
© Jed Haile, Nitro Data Systems 2002 Stackless Control Protocol Theory
© Jed Haile, Nitro Data Systems 2002 Stackless Control Protocol Commands • hping - ping the hogwash box to see if its alive. • hstat - get statistics from the hogwash box • hbuff -retrieve either RULES, ALERT, or LOG file • hfilesync - store the retrieved file in a file, can be used to feed standard snort toys • hsetbuf - transfer a file to the hogwash box • hsetrules - transfer a new rules file to the hogwash box, restart hogwash
© Jed Haile, Nitro Data Systems 2002 Sample Hogwash Rules • To drop incoming port 80 connections: drop tcp any any -> $HOMENET 80 (msg:”Port 80 tcp”) • To drop cmd.exe calls to your webservers: drop tcp any any -> $HOMENET 80 (msg:“cmd.exe attempt”; content: “cmd.exe”)
© Jed Haile, Nitro Data Systems 2002 Running Hogwash hogwash <options> -c <rules file> -i <internal interface> -e <external interface> -l <log directory> -n <no rules mode> % hogwash –i eth0 –e eth1 –c hogwash.conf –l /var/log/hogwash
© Jed Haile, Nitro Data Systems 2002 References http://hogwash.sourceforge.net http://www.snort.org Securing an Unpatchable Web Server http://www.securityfocus.com/infocus/1208 Jed Haile jhaile@nitrodata.com Jason Larsen jlarsen@nitrodata.com