Network Intrusion Detection
& Intrusion Prevention
“The information world is truly electronic - there’s no turning
back.” - Winn Schwartau
Conner Finlay
Josh Smith
Differences
Network Intrusion Detection System - attempts to detect
unauthorized and anomalous activity by monitoring packets
traversing a given network
Network Intrusion Prevention System - blocks or rejects packets
that match a particular signature or behavior, and sits in-line
instead of using a network tap or port span
History of IDS/IPS
• Between 1984 and 1986, Dorothy Denning and Peter
Neumann researched and developed the first model of a
real-time IDS. This prototype was named the Intrusion
Detection Expert System (IDES). This IDES was initially a
rule-based expert system trained to detect known malicious
activity.
• First commercial implementation in the early 1990s by
Haystack Labs
• Started to grow in popularity with Cisco buying out vendors
in the mid/late 90s
Types of IDS/IPS Systems
Anomaly detection model: The IDS has knowledge of
normal behavior, so it searches for anomalous behavior or
deviations from the established baseline. While anomaly
detection’s most apparent drawback is its high false
positive rate, it does offer detection of unknown intrusions and
new exploits.
Misuse detection model: The IDS has knowledge of
suspicious behavior and searches for activity that violates
stated policies, i.e. known malicious or unwanted behavior.
Its main features are its efficiency and comparably low false
alarm rate.
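The two models side by side, as an added example (not code from the slides): misuse detection looks for a known-bad pattern, here the User-Agent string that the Snort basic rule later in this deck alerts on, while anomaly detection flags hosts whose request rate departs from a learned per-host baseline. The hosts, counts, training window and the 3-sigma threshold are constructed assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

KNOWN_BAD_UA = "Mozilla/4.0 (compatible)"   # signature from the slides' basic rule
NORMAL_UA = "Mozilla/5.0 (X11; Linux x86_64)"

# Constructed training window: requests per minute seen from each host
BASELINE = {
    "10.0.0.5": [4, 5, 6, 5],
    "10.0.0.7": [3, 4, 4, 5],
    "10.0.0.9": [5, 6, 5, 4],
}

# Constructed observation minute: (source host, User-Agent)
OBSERVED = (
    [("10.0.0.5", NORMAL_UA)] * 5         # known host, normal rate
    + [("10.0.0.7", NORMAL_UA)] * 40      # known host, sudden burst, nothing known-bad
    + [("10.0.0.9", KNOWN_BAD_UA)]        # normal rate, but a known-bad pattern
    + [("10.0.0.42", "curl/7.19.7")] * 2  # host never seen in the baseline
)


def misuse_detect(events, bad_ua=KNOWN_BAD_UA):
    """Signature model: report every event whose User-Agent is known-bad."""
    return [(src, ua) for src, ua in events if ua == bad_ua]


def anomaly_detect(events, baseline, k=3.0):
    """Baseline model: report hosts whose request count exceeds
    mean + k*stdev of their own history, and hosts with no history at all."""
    flagged = {}
    for src, n in Counter(src for src, _ in events).items():
        history = baseline.get(src)
        if history is None:
            flagged[src] = ("no baseline", n)
            continue
        sigma = max(pstdev(history), 1.0)   # floor so a flat history does not flag noise
        if n > mean(history) + k * sigma:
            flagged[src] = ("exceeds baseline", n)
    return flagged


if __name__ == "__main__":
    print("misuse  :", misuse_detect(OBSERVED))
    print("anomaly :", anomaly_detect(OBSERVED, BASELINE))
```

Each model catches what the other misses: the burst from 10.0.0.7 carries no signature and is only visible as a deviation, while the single request from 10.0.0.9 is rate-normal and only visible by signature. The never-seen host is treated as a deviation in its own right, which is exactly the kind of result that drives the anomaly model's false-positive rate.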
Types of IDS
• Rule Based
• Protocol Analysis
• Policy Based
• Heuristic Based
Bro IDS/IPS
• Unix IDS
• Not an "Out-of-the-box" solution
• Types of Alerts
o Log Alerts
o Real Time Alerts
o System Command Execution
• Does not require software to be installed on each host
o Runs on a single network host
• Custom Scripting Language for Rulesets
Bro IDS/IPS
• Snort2Bro - Custom tool to convert Snort Signatures to Bro
Format
• Also enables Bro features in converted signatures to reduce
false positives
• How is Bro different from Snort?
• "Snort is signature based, while Bro can store information
about previous network activity and store it for analysis of
current activity."
Bro IDS/IPS
• Ability to automagically encrypt email alerts
• Custom policies to adjust to different network designs
const web_servers = { www.lbl.gov, www.bro-ids.org, };
const mail_servers = { smtp.lbl.gov, smtp2.lbl.gov, };
const allow_my_services: set[addr, port] = {
[mail_servers, smtp],
[web_servers, http],
};
Bro IDS/IPS
• Geo-Location to detect and map attacks
global ftp_location_log: file = open_log_file("ftp-location");
event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
    {
    local client = c$id$orig_h;
    local loc = lookup_location(client);
    if (loc$region == "OH" && loc$country_code == "US")
        {
        print ftp_location_log, fmt("FTP Connection from: %s (%s, %s, %s)",
                                    client, loc$city, loc$region, loc$country_code);
        }
    }
Hogwash IDS
• Started by a student in 1996 at Idaho State University
• Versatile network IDS with three different modes
o Regular IDS
  Watches traffic on a span port (switch/router) and
  generates alerts based on what it sees
o Inline Scrubber
  Actively filters the traffic (acts as a firewall). Sits
  between the cloud and the internal network
o HoneyPot Control
  "arbitrates IP address and MAC address conflicts to
  help run the honeypots. It is possible to have an array
  of honeypots behind a single Hogwash box, all with the
  same IP and MAC address"
  Still experimental
Hogwash in HoneyPot Control Mode
Types of IPS
• Packet Filtering
• Session Analysis
• Packet Manipulation
• IP Blocking
IPS Packet Filtering
• Ability to block individual protocols
• Allow FTP and HTTP but block AIM or VNC
IPS Session Analysis
• Inspect each packet that applies to a protocol and ruleset
and match traffic against signature based rules or policies
IPS Packet Manipulation
• Manipulate data inside a packet and pass packet along to
its destination
• Can be used to remove shellcode or exploit attacks
• Remove sensitive information
IPS IP Blocking
• Can automagically block IP addresses based on signatures
or policies
• Keep a database of blocked IPs
• Block on a time limit or block permanently
Cisco IPS
• A hardware based Network IPS
• Operates at Layers 2 - 7
• Uses the Cisco IPS signatures (Anomaly/Behavioral)
• Anti-IPS Evasion Techniques
o TCP stream reassembly
o De-obfuscation
o Traffic normalization
• Works in conjunction with the Cisco Security Agent (HIDS)
for a complete solution
Snort_Inline IPS
• Uses libipq - IPTables - Rather than libpcap
• Uses Snort ruleset to tell IPTables to drop the connection or
let it through
• Built on top of existing Snort installation
• Improves Security of Intrusion Detection System
Snort_Inline IPS
• Built-in ClamAV Integration
• IPTables rule actions: Alert, Block, Pass, Drop, Reject, SDrop
o Alert - Alert user (IDS functionality)
o Block - Block connection through IPTables
o Pass - Ignore alert and allow traffic
o Drop - Drop connection through IPTables and log
o Reject - Send reset packets
o SDrop - Drop connection without logging
Snort_Inline IPS
drop udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 ( \
    msg:"BLEEDING-EDGE P2P eDonkey Search"; \
    content:"|e3 0e|"; offset:0; depth:2; rawbytes; \
    classtype:policy-violation; \
    reference:url,www.edonkey.com; \
    sid:2001305; rev:3; )
Introduction To Snort
http://www.snort.org/docs/snort_htmanuals/htmanual_2832/
The Art of Writing Snort Rules
Basic Rule
alert protocol $HOME_NET port -> $EXTERNAL_NET any ( \
    msg:"Message to alert"; \
    flow:established,to_server; \
    content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible)|0d 0a|"; \
    classtype:trojan-activity; \
    sid:2008012801; \
    rev:1; )
(protocol and port in the header are placeholders to fill in)
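A toy parser and matcher for the rule syntax shown above, added here as an example (it is not code from the slides or from the Snort project). It parses the header fields and the option list, decodes the `|..|` hex notation and `\:` escapes in `content`, and applies `offset`/`depth` as the eDonkey rule earlier in the deck relies on them; `flow`, `rawbytes`, `$VAR` addresses and the protocol are parsed but not evaluated. The semantics follow my reading of the Snort 2.x manual, not the real detection engine, and the payloads are constructed, not captured traffic. The basic rule's `protocol`/`port` placeholders are filled with `tcp`/`any` for the demo.

```python
import re

# Added example (not the slides' or Snort's code): toy Snort 2.x rule parser and
# matcher covering destination ports plus content/offset/depth. flow, rawbytes,
# $VARs, addresses and protocol are kept in the parse result but not evaluated.
HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def split_options(body):
    """Split the option body on ';' while honouring quotes and backslash escapes."""
    opts, cur, quoted, i = [], "", False, 0
    while i < len(body):
        ch = body[i]
        if quoted and ch == "\\":            # keep escape pairs intact for decode_content
            cur, i = cur + body[i:i + 2], i + 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts, cur = opts + [cur.strip()], ""
        else:
            cur += ch
        i += 1
    return [o for o in opts + [cur.strip()] if o]


def decode_content(spec):
    """Content string to bytes: odd |..| chunks are hex, the rest is literal text
    in which a backslash escapes the next character (e.g. '\\:' -> ':')."""
    out = bytearray()
    for n, chunk in enumerate(spec.split("|")):
        if n % 2:
            out += bytes.fromhex(chunk)
        else:
            out += re.sub(r"\\(.)", r"\1", chunk).encode("latin-1")
    return bytes(out)


def parse_rule(text):
    """Parse one rule (backslash-newline continuations allowed) into a dict."""
    m = HEADER_RE.match(text.replace("\\\n", " "))
    if not m:
        raise ValueError("not a Snort rule")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = [(k.strip(), v.strip()) for k, _, v in
            (o.partition(":") for o in split_options(body))]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": opts}


def port_matches(spec, port):
    """'any', a single port, or a lo:hi range (either end may be open)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def content_matches(rule, payload):
    """Every content must be found; offset/depth bound the search window of the
    content they follow (depth is counted from offset, as in Snort 2.x)."""
    contents = []
    for key, value in rule["options"]:
        if key == "content":
            contents.append([decode_content(value.strip('"')), 0, None])
        elif key in ("offset", "depth") and contents:
            contents[-1][1 if key == "offset" else 2] = int(value)
    for pattern, offset, depth in contents:
        end = len(payload) if depth is None else offset + depth
        if payload.find(pattern, offset, end) < 0:
            return False
    return True


def rule_fires(rule, dport, payload):
    """Destination-port check plus content checks (protocol/addresses not modelled)."""
    return port_matches(rule["dport"], dport) and content_matches(rule, payload)


# The eDonkey rule from the slides, joined onto one line.
EDONKEY_RULE = ('drop udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"BLEEDING-EDGE P2P '
                'eDonkey Search"; content:"|e3 0e|"; offset:0; depth:2; rawbytes; '
                'classtype:policy-violation; reference:url,www.edonkey.com; sid:2001305; rev:3;)')
# The slides' basic rule with its protocol/port placeholders filled in (tcp, any).
UA_RULE = r"""alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"Message to alert"; flow:established,to_server; \
    content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible)|0d 0a|"; \
    classtype:trojan-activity; sid:2008012801; rev:1; )"""
# Constructed payloads (not captured traffic).
EDONKEY_PAYLOAD = b"\xe3\x0e\x00\x00search"   # marker at offset 0: inside depth, fires
SHIFTED_PAYLOAD = b"\x00\xe3\x0e\x00search"   # marker at offset 1: outside depth 2, silent
BAD_UA_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"User-Agent: Mozilla/4.0 (compatible)\r\nAccept: */*\r\n\r\n")
GOOD_UA_REQUEST = BAD_UA_REQUEST.replace(b"Mozilla/4.0 (compatible)", b"Mozilla/5.0 (X11)")

if __name__ == "__main__":
    for name, rule, port, payloads in [("eDonkey", EDONKEY_RULE, 4672, [EDONKEY_PAYLOAD, SHIFTED_PAYLOAD]),
                                       ("UA", UA_RULE, 80, [BAD_UA_REQUEST, GOOD_UA_REQUEST])]:
        print(name, [rule_fires(parse_rule(rule), port, p) for p in payloads])
```

The `SHIFTED_PAYLOAD` case is the one worth noticing: `offset:0; depth:2;` pins the two-byte marker to the very start of the datagram, so the same bytes one position later do not fire. That is what makes the rule cheap and specific, and also what a rule author has to keep in mind when a protocol allows leading padding.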
Using Snort Against a Pcap
snort -k none -c ./rules -A console -q -l ~/log/ -r packed.pcap
Runs snort straight from the terminal:
-k none        Sets checksum mode to none
-c ./rules     Sets the ruleset to use - can use snort.conf (uses includes)
-A console     Sets output of alerts to the console
-q             Quiet mode (no banner or status output)
-l ~/log/      Logs to ~/log/
-r packed.pcap Reads in packed.pcap and tests it against the ruleset
Snort Modes
• Sniffer mode
./snort -vde
• Packet logger mode
./snort -dev -l ./log -h 192.168.1.0/24   (ASCII logging)
./snort -l ./log -b                        (binary pcap file)
• NIDS mode
./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
Evasion Techniques
• String Matching Weaknesses
• Polymorphic Code
• Fragmentation Attacks
• Denial of Service
• http://secunia.com/advisories/20413/
Evasion Techniques (Cont.)
• TCP Splicing Attacks
o Passes payload over multiple packets
o Defeats pattern matching
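Why splicing defeats a per-packet matcher, and why TCP stream reassembly (the countermeasure listed on the Cisco IPS slide) restores the match, as an added example that is not code from the slides. The HTTP request, the segment boundaries, the out-of-order delivery and the retransmission are all constructed; the pattern is the User-Agent string from the basic Snort rule above.

```python
PATTERN = b"User-Agent: Mozilla/4.0 (compatible)"   # string the slides' basic rule looks for

# Constructed request (not captured traffic)
REQUEST = (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
           b"User-Agent: Mozilla/4.0 (compatible)\r\nAccept: */*\r\n\r\n")


def splice(data, cuts):
    """Cut a byte string into (relative seq, payload) segments at the given offsets."""
    bounds = [0] + sorted(cuts) + [len(data)]
    return [(bounds[i], data[bounds[i]:bounds[i + 1]]) for i in range(len(bounds) - 1)]


def per_packet_alerts(segments, pattern):
    """Stateless matcher: inspects each segment's payload on its own and returns
    the seq numbers of the segments that contain the whole pattern."""
    return [seq for seq, data in segments if pattern in data]


def reassemble(segments):
    """Order segments by seq and stitch them into one stream. Bytes already seen
    (retransmissions/overlaps) are dropped, first copy wins; a gap raises because
    the stream cannot be inspected until the missing segment arrives."""
    stream, expected = bytearray(), 0
    for seq, data in sorted(segments, key=lambda s: s[0]):
        if seq > expected:
            raise ValueError(f"gap: expected seq {expected}, got {seq}")
        stream += data[expected - seq:]
        expected = max(expected, seq + len(data))
    return bytes(stream)


def stream_alert(segments, pattern):
    """Stateful matcher: inspects the reassembled stream instead of single packets."""
    return pattern in reassemble(segments)


# Constructed delivery: the signature is split inside "Mozilla", the segments
# arrive out of order, and the last one is retransmitted once.
CUT = REQUEST.index(b"Mozilla") + 3
SEGMENTS = splice(REQUEST, [16, CUT])          # 16 = end of the request line
DELIVERED = [SEGMENTS[2], SEGMENTS[0], SEGMENTS[2], SEGMENTS[1]]

if __name__ == "__main__":
    print("per-packet hits:", per_packet_alerts(DELIVERED, PATTERN))
    print("stream hit     :", stream_alert(DELIVERED, PATTERN))
```

The reassembler here uses a deliberately simple "first copy wins" policy for overlapping bytes. Real stacks differ in which copy they honour, which is why a production IPS normalizes traffic or models the target host's reassembly behaviour rather than picking one policy for every host.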
Emerging Threats
• Open source collection of Snort rules that can be used by
any individual/company
• Rules are updated a few times a day, seven days a week
• Received grant money from both the NSF and the Army
Research Office
• A crazy amount of rules, including: Games, Adult
Material, Malware, P2P, the RBN, etc.
OISF
• Open Information Security Foundation
• Non-Profit organization based out of Indiana
• Founded in October 2008
• Goal is to develop a new Open Source IDS/IPS engine
• Any person/company/organization can submit ideas, some
include:
o Passive fingerprinting built-in
o Native IPv6 support
o Hardware acceleration
• First production release at the end of 2009
Detecting Binary Packers
• Binary Packers compress binary files
• Examples of compression:
o Winzip, Winrar, Tar, Gzip, etc.
• Byte Pattern of application used to compress binary file
• Many binary packers are used for malicious purposes
o UPX, Armadillo, VMProtect, SecureRom *cough*
http://malforge.com/snort/output_all.zip
http://malforge.com/snort/userdb_all.zip
Questions, Comments, Concerns,
Criticisms?
Sources
• http://www.sans.org/resources/idfaq/id_vs_ip.php
• http://www.snort.org/about_snort/
• http://www.sans.org/reading_room/whitepapers/detection/the_history_and_evolution_of_intrusion_detection_344?show=344.php&cat=detection
• http://www.ece.drexel.edu/telecomm/Talks/thiel.pdf
• http://hogwash.sourceforge.net/docs/overview.html
• http://www.openinfosecfoundation.org/index.php/faq
• http://en.hakin9.org/attachments/hakin9_6-2006_str22-33_snort_EN.pdf
• http://www.securityfocus.com/infocus/1514