1 / 18

Using Argus Audit Trails to Enhance IDS Analysis

Using Argus Audit Trails to Enhance IDS Analysis. Jed Haile Nitro Data Systems jhaile@nitrodata.com. Overview. What is an audit trail? What is Argus? Overview of IP audit trails Why are they useful? Using audit trails to monitor your network

micol
Download Presentation

Using Argus Audit Trails to Enhance IDS Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Using Argus Audit Trailsto Enhance IDS Analysis Jed Haile Nitro Data Systems jhaile@nitrodata.com

  2. Overview • What is an audit trail? • What is Argus? • Overview of IP audit trails • Why are they useful? • Using audit trails to monitor your network • Detecting interesting network events using audit trails • Enhancing IDS analysis using audit trails

  3. What is an IP Audit Trail? • An IP audit trail is a collection of network flows across some point of a network. • A network flow is an identifiable exchange of data between two endpoints on a network. • Flows may be delineated by normal protocol (a SYN replied to by an RST) or by timeouts. • Flows may become exaggerated, as not all network traffic is readily broken into correct sessions with available information

  4. What is Argus? • Written by Carter Bullard as part of a DoD contract while he was at Carnegie-Mellon’s SEI • Runs on unix • The free version is available at http://www.qosient.com/argus • A commercial version is under development by Qosient

  5. More about Argus • Argus uses a client server model: • Data collection engine (Server): Monitors the network using libpcap, collects network data into audit trails. This engine can output the data to a file or to a socket. • Argus client: Reads audit data from a file or from a socket. There are a number of clients available for various purposes.

  6. Argus Clients • ra: reads Argus data and displays it on stdout • ragator: aggregates flows in arbitrary fashions • ramon: produce rmon style reports and tables • racount: counts bytes and packets • rasort: sorts Argus records • raxml: display all fields in xml format • Others: ratop, ragrep, rahistogram, rasrvstats • Lacking: Database client!!

  7. Default RA output timestamp protocol src IP direction dst IP status 17 Apr 02 09:59:16 icmp 192.172.1.26 <-> 192.172.1.253 ECO 17 Apr 02 09:59:16 tcp 192.172.191.46.458 -> 207.68.162.24.80 FIN 17 Apr 02 09:59:16 icmp 192.172.1.25 <-> 192.172.1.253 ECO 17 Apr 02 09:59:16 tcp 192.18.221.25.119 -> 192.172.191.61.25 FIN 17 Apr 02 09:59:16 tcp 192.172.1.6.3562 -> 209.10.33.195.80 FIN 17 Apr 02 09:59:16 tcp 192.172.1.23.5936 -> 61.200.81.153.80 EST 17 Apr 02 09:59:16 tcp 192.172.191.46.4585 -> 64.4.30.24.80 FIN 17 Apr 02 09:59:17 tcp 192.172.191.46.4990 -> 12.12.162.203.80 RST 17 Apr 02 10:00:04 tcp 192.172.191.46.240 -> 216.33.240.24.80 RST 17 Apr 02 09:59:17 tcp 142.177.221.77.177 -> 192.172.18.27.634 RST 17 Apr 02 10:00:02 icmp 192.172.1.25 -> 192.172.1.253 ECO 17 Apr 02 10:00:02 icmp 129.82.45.220 -> 192.172.1.3 ECO 17 Apr 02 10:00:02 icmp 129.82.45.220 -> 192.172.1.3 ECO 17 Apr 02 10:00:02 udp 205.158.62.41.967 -> 192.172.191.6.53 TIM 17 Apr 02 10:00:02 icmp 129.82.45.220 -> 192.172.1.3 ECO There is still a lot of other useful data we can capture!!

  8. Data Model • Source IP address • Destination IP address • Source Port • Destination Port • Protocol • Time of first packet • Time of last packet • Packets sent • Bytes sent • Packets received • Bytes received • This set of data is surprisingly rich!

  9. Why are these useful? • This set of data can be analyzed to find network sessions, or sets of session that appear to be suspicious. • In the case of a compromise, the audit trails can be examined to find out what else might have happened. • Excellent tool for network policy monitoring. Makes finding unauthorized servers, or services, or backdoors much easier to detect. • Much smaller than full packet captures, so more can be stored for longer. • Well suited to statistical analysis

  10. Reducing Record Counts • A major problem with collecting network flows is the extreme rate and large quantity of records • Fortunately network flows are readily aggregated • All flows with the same source and destination addresses and ports can be collapsed to a single row, with a counter

  11. Portscan Detection • IP audit trails are an excellent tool for detecting network enumeration attempts. • Snort’s spp_portscan2 uses network flows to detect portscans • To detect portscanning simply count connections from external hosts to distinct hosts and ports on your network • A well defined concept of home network versus external network is critical • A portscan attempt which also correlates to an IDS alert, or to a session that is long or that moves some data might point to a successful compromise

  12. Long Sessions • Long sessions are common on networks • Due to the more stateless nature of udp and icmp, distinct network flows might be collapsed into a single network flow • Long sessions to interesting ports, or inbound to unexpected locations, or with IDS alerts are the things we want to focus on • Extensive correlation is critical to making the important long sessions stand out

  13. Traffic to Nonexistent Hosts • Inbound traffic to a host that is known to not exist • A good way of detecting network enumeration attempts

  14. Traffic to High Ports • Sessions being initiated to high ports on your home network should always be viewed with suspicion • There are exceptions (ftp traffic) • By keeping “state” on your network’s flows you can eliminate many of the valid inbound high port connections • High port traffic + IDS alert…

  15. High Connection Rate • High connection rates could point to DOS attempts, port scanning, auto rooter, P2P activity, worm activity, and more • There are valid network activities which can generate high connection rates • Correlation of high connection rates to other anomalous activities is what we need to look for

  16. High Packet Rate • Another example of could be bad, could be good activity • High packet rates might indicate worm activity, portscanning, or other nastiness • A sudden appearance of high packet rates linked to a previous session which had IDS alerts associated could indicate a host that has been successfully compromised

  17. Stepping Stone Detection • A stepping stone is a computer that is used as an intermediate point between two other computers • Stepping stones are frequently used by attackers to obscure their location/identity • Stepping stones can be detected by correlation of on/off times between two network flows. This is prone to false positives. • A better approach is to correlate on and off times of packet activity inside the flow, but requires finer granularity in the data than can be provided by argus.

  18. Summary • Using IP audit trails is a powerful enhancement to IDS • IP audit trails also give new ways of looking for anomalous traffic, new services on your network, or for getting a better perspective on your networks operation • There is lots to be done!

More Related