120 likes | 261 Views
Figure 10-4: Intrusion Detection Systems (IDSs). HOST IDSs Protocol Stack Monitor (like NIDS) Collects the same type of information as a NIDS Collects data even if host is in NIDS blind spot Gives data specific to hosts; relevant for diagnosis Might see data after decryption.
E N D
Figure 10-4: Intrusion Detection Systems (IDSs) • HOST IDSs • Protocol Stack Monitor (like NIDS) • Collects the same type of information as a NIDS • Collects data even if host is in NIDS blind spot • Gives data specific to hosts; relevant for diagnosis • Might see data after decryption
Figure 10-4: Intrusion Detection Systems (IDSs) • HOST IDSs • Operating System Monitors • Collect data on operating system events • Failed logins • Attempt to change system executables • Attempt to change system configuration (registry keys, etc.)
Figure 10-4: Intrusion Detection Systems (IDSs) • HOST IDSs • Application Monitors (Monitor Specific Applications) • What users did in terms relevant to an application for easy interpretation • Filtering input data for buffer overflows • Signatures of application-specific attacks
Figure 10-4: Intrusion Detection Systems (IDSs) • Recap • Protocol monitor • Protocol events (suspicious packets, etc.) • Operating monitor • Operating system events (file changes, etc.) • Application monitor • Application events (application commands issued)
Figure 10-4: Intrusion Detection Systems (IDSs) • HOST IDSs • Weaknesses of Host IDSs • Limited Viewpoint; Only see events on one host • If host is hacked, Host IDS can be attacked and disabled
Figure 10-4: Intrusion Detection Systems (IDSs) • HOST IDSs • Other host-based tools • File integrity checker programs • Create baseline message digests for sensitive files • After an attack, recompute message digests • This tells which files were changed; indicates Trojan horses, etc.
Figure 10-4: Intrusion Detection Systems (IDSs) • HOST IDSs • Other host-based tools • Operating system lockdown tools • Limits changes possible during attacks • Limits who may make crucial changes • May interfere with software functioning
Figure 10-4: Intrusion Detection Systems (IDSs) • Log Files • Flat files of time-stamped events • Individual logs • Integrated logs • Aggregation of event logs from multiple IDS agents (Figure 10-7) • Difficult to create because of format incompatibilities • Time synchronization of IDS event logs is crucial (NTP) • Can see suspicious patterns in a series of events across multiple devices
Figure 10-7: Event Correlation for an Integrated Log File Sample Log File (Many Irrelevant Log Entries Not Shown) External Host Internal Host 1. 8:45:05. Packet from 1.15.3.6 to 60.3.4.5 (network IDS log entry) 2. 8:45:07. Host 60.3.4.5. Failed login attempt for account Lee(Host 60.3.4.5 log entry) 3. 8:45:08. Packet from 60.3.4.5 to 1.15.3.6 (network IDS log entry) 4. 8:49:10. Packet from 1.15.3.6 to 60.3.4.5 (network IDS log entry) 5. 8:49:12. Host 60.3.4.5. Failed login attempt for account Lee(Host 60.3.4.5 log entry)
Figure 10-7: Event Correlation for an Integrated Log File Sample Log File (Many Irrelevant Log Entries Not Shown) 6. 8:49:13. Packet from 60.3.4.5 to 1.15.3.6 (network IDS log entry) 7. 8:52:07. Packet from 1.15.3.6 to 60.3.4.5 (network IDS log entry) 8. 8:52:09. Host 60.3.4.5. Successful login attempt for account Lee(Host 60.3.4.5 log entry) 9. 8:52:10. Packet from 60.3.4.5 to 1.15.3.6 (network IDS log entry) 10. 8:56:12. Packet from 60.3.4.5 to 123.28.5.210. TFTP request(network IDS log entry) 11. (no corresponding host log entry) 12. 8:56:28. Series of packets from 123.28.5.210 to 60.3.4.5. TFTP response (network IDS) 13. (no more host log entries)
Figure 10-7: Event Correlation for an Integrated Log File Sample Log File (Many Irrelevant Log Entries Not Shown) 14. 9:03:17. Packet from 60.3.4.5 to 1.17.8.40. SMTP (network IDS) 15. 9:06:12. Packet from 60.3.4.5 to 1.40.22.8. SMTP (network IDS) 16. 9:10:12. Packet from 60.3.4.5 to 60.0.1.1. TCP SYN=1, Destination Port 80 (network IDS) 17. 9:10:13: Packet from 60.3.4.5 to 60.0.1.2. TCP SYN=1,Destination Port 80 (network IDS)
Figure 10-4: Intrusion Detection Systems (IDSs) • Analysis Methods • Static packet filtering • Stateful filtering • Full protocol decoding (filters based upon stage in dialogue—login, etc.) • Statistical analysis (frequency thresholds for reporting) • Anomaly detection (compares normal and current operation) • Creates many false positives