Intrusion Detection The Big Picture – Part III

Shared by: Huy Hoang | Date: | File type: PDF | Pages: 28


  1. Intrusion Detection The Big Picture – Part III
     Stephen Northcutt
     Intrusion Detection - The Big Picture - SANS GIAC © 2000
     S. Northcutt – v1.0 – Jul 2000
     Edited by J. Kolde – v1.1 – Aug 2000
  2. Network-Based Intrusion Detection
     • Host Based Intrusion Detection
       – Unix
       – Windows NT, 95, 98
     • Network-Based Intrusion Detection
       – Libpcap based tools, Snort, Shadow
       – ISS RealSecure
       – Cisco Netranger

     OK, after that in-depth look at host-based intrusion detection, we turn our focus to network-based intrusion detection tools.
  3. Network-Based ID
  4. Need for Network-Based ID
     • Most attacks come from the Internet
     • Detecting these attacks allows a site to tune defenses
     The statistic that 90% of all attacks are perpetrated by insiders is dead wrong.

     While insider attacks may cause more damage (because the attacker knows the system assets and what to target), insiders are also usually addressed by traditional security and audit. An insider has a much greater chance of being caught, since you know where they live. So while damaging, insider attacks are infrequent (because of the high risks of detection and arrest or dismissal); by contrast, it is extremely difficult to track and prosecute attackers arriving over the Internet, and because of the perception of low risk, attacks are a daily or hourly occurrence. Expect to see more insiders using their insider knowledge to lower their risks by attacking over the Internet.

     (Editor’s note: The statement “the statistic that 90% of all attacks are perpetrated by insiders is dead wrong” may be confusing in light of the opposite statistic (i.e., that the majority of attacks come from insiders) being widely quoted, including elsewhere in SANS course material. The author offers this clarification: “The greatest threat in terms of financial loss is insiders. Period, no questions. The greatest number of threats is via internet attacks. A huge percent of these fall to firewalls, even the successful ones, while numerous, do not cause as much harm as an insider that knows exactly where the crown jewels are.” – S. Northcutt - JEK)
  5. Firewalls are Most Common Sensor
     Dec 19 17:18:52 1999 f_kern_tcp a_nil_area t_netprobe p_major srcip: 172.20.20.1 dstip: 192.168.1.88 protocolname: tcp srcburb: 1 srcport: 4645 dstport: 53
     Key to Understanding: This Sidewinder log is reporting a TCP probe targeted at host 192.168.1.88 to destination port 53. This could be a zone transfer or a buffer overflow attempt.

     Bar none, most network intrusions that are identified are found by firewalls. There are limitations to what can be done with these logs, and even the risk of making an error of interpretation, since the log does not provide information like the TCP flags or code bits. That said, these are a great data source and every intrusion analyst should be familiar with their site’s firewall logs.
  6. Libpcap-Based Systems
     [Diagram: Collect Data, FW, Analyze Data, Display Information; Analysis/Display Station. Most Network-Based Intrusion Detection Systems, Unix or Windows, are libpcap based.]

     The first network-based intrusion detection systems we look at are libpcap based. These include Shadow, Snort, NetRanger and NFR. Libpcap is designed to get the data from the kernel space and pass it to the application. There are implementations for Windows and Unix; it is reliable and has the big advantage of being free. A sensor is distinguished by how much on-board policy information it has. The Shadow sensor is designed to be stupid. It lives outside the firewall. If it should fall, no information about the site will be lost. This is one of the characteristics that sets Shadow apart from most intrusion detection systems. Most IDS have a lot of information about how sites are configured, how firewalls are set up, hosts that you are watching out for, and attacks that you are particularly concerned about. Should a Shadow sensor fall, all the attacker gets are the logs. You can still run Snort on the inside; simply feed it the TCPdump files Shadow collected. We’d like to see more vendors take measures to make their sensors attack-resistant, or stealthy, and make them less valuable targets. The sensor is the attacker’s first target.
  7. Snort Design Goals
     • Low cost, lightweight
     • Suitable for monitoring multiple sites/sensors
     • Low false alarm rate
     • Efficient detect system
     • Low effort for reporting

     Snort was designed to supplement and be run in parallel with other sensors such as Linux firewalls. It has rules for packet content decodes as well as packet headers. This means it can detect data-driven attacks like buffer overflows and attacks on vulnerable URLs and scripts (like RDS and phf). So if you use Shadow and Snort, you have a good pattern matcher. It is free, scalable and very good at detecting stealthy recon efforts and probes. (And its focus on the early warning to be gained from spotting the recon phase is very valuable, since the actual attack can happen in seconds and be all over by the time you notice it started.) It is also a good system to learn and experiment with, since it is easy to modify, being modular open source with lots of community-developed enhancements.
  8. Snort
       [**] RPC Info Query [**]
       06/29-00:15:29.137285 211.72.115.100:623 -> z.y.w.98:111
       TCP TTL:46 TOS:0x0 ID:29416 DF
       *****PA* Seq: 0x1EDB7784 Ack: 0xD4A024FE Win: 0x7D78
       TCP Options => NOP NOP TS: 86724706 118751139
       80 00 00 28 08 70 BB FF 00 00 00 00 00 00 00 02 ...(.p..........
       00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 ................
       00 00 00 00 00 00 00 00 00 00 00 00 ............

     The Snort detects are displayed in log files like this, separated by blank lines. For this primer we will primarily focus on the various detects. An advantage of Snort is that this trace is easy to cut and paste into an email to send to your CIRT. This is better than several commercial tools that show an easy-to-understand colorful icon but make it hard to get to the raw data to verify or report the detect. This is the more detailed log file; notice that the rule that found the detect is displayed at the top, followed by summary information about the packet. The trace begins with the content of the detect. RPC attacks like this are part of the Top Ten list (www.sans.org/topten.htm). Notice all the zeros? RPC packets are padded to 32-bit words, often to carry a field that holds only a single small integer, so the zeros are an indication of RPC.
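The detect above decoded, as an added example that is not part of the SANS slides: the hex column of the Snort dump is parsed as an ONC RPC-over-TCP record, which shows a portmapper (program 100000) DUMP call with null credentials, and why the payload is mostly zero words. Program and procedure numbers follow the ONC RPC and portmapper specifications (RFC 1057); the function names are this example's own.

```python
import struct

# Hex column of the Snort detect above, copied from the slide: a 4-byte RPC
# record mark followed by a 40-byte ONC RPC call header.
SNORT_HEX_DUMP = """
80 00 00 28 08 70 BB FF 00 00 00 00 00 00 00 02
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
"""

PORTMAPPER = 100000   # ONC RPC program number of the portmapper (RFC 1057)
PMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the hex column of a Snort dump back into raw bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def decode_rpc_call(payload: bytes) -> dict:
    """Parse the record mark and RPC call header of an RPC-over-TCP message."""
    if len(payload) < 44:
        raise ValueError("too short for a record mark plus call header")
    # Record mark: high bit = last fragment, low 31 bits = fragment length.
    (mark,) = struct.unpack("!I", payload[:4])
    # Call header: xid, msg_type (0 = CALL), rpcvers, prog, vers, proc, then
    # credential and verifier as (flavor, length) pairs. Every field is a
    # 32-bit word, which is why the dump is mostly zero bytes.
    (xid, msg_type, rpcvers, prog, vers, proc,
     cred_flavor, cred_len, verf_flavor, verf_len) = struct.unpack("!10I", payload[4:44])
    proc_name = PMAP_PROCS.get(proc, str(proc)) if prog == PORTMAPPER else str(proc)
    return {
        "last_fragment": bool(mark & 0x80000000),
        "record_length": mark & 0x7FFFFFFF,
        "xid": xid,
        "is_call": msg_type == 0,
        "rpc_version": rpcvers,
        "program": "portmapper" if prog == PORTMAPPER else str(prog),
        "version": vers,
        "procedure": proc_name,
        # AUTH_NULL for both credential and verifier: no authentication at all
        "auth_null": (cred_flavor, cred_len, verf_flavor, verf_len) == (0, 0, 0, 0),
    }


def decode_detect() -> dict:
    """Decode the slide's detect; a DUMP call lists every registered RPC service."""
    return decode_rpc_call(hexdump_to_bytes(SNORT_HEX_DUMP))


if __name__ == "__main__":
    for key, value in decode_detect().items():
        print(f"{key:>14}: {value}")
```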
  9. Why TCPdump
     • Libpcap
     • Always available
     • Compiles on many Unix platforms
     • Runs on Windows 9x and NT
     • High fidelity
     • Same program for data collection and first order analysis

     Libpcap is the de facto standard for Unix-based intrusion detection systems. It is a software interface for acquiring the collected information from the interface card and providing it to the IDS application. Shadow uses TCPdump as its underlying packet capture mechanism, as does Snort, another popular free open source network IDS (currently the favorite on GIAC). Snort includes packet decodes and pattern matching.
  10. IMAP Filter
      tcp and dst port 143

      Here’s an example of a simple filter to detect IMAP probes, or at least all TCP traffic to port 143.

        # tcpdump tcp and dst port 143

      The command above would run tcpdump, printing to the screen only TCP packets with destination port 143 (IMAP).

        # tcpdump -i eth0 tcp and dst port 143

      Tells Red Hat Linux 5.0 to use the eth0 interface to log from (the interface option is a lowercase -i).

        $ tcpdump -r tcplogfile tcp and dst port 143

      Would check a file created by tcpdump for access to port 143.
  11. Core_Hosts Filter
      • DNS, Web and mail servers draw a lot of fire; about 20% of all our attacks are directed at these systems
      • If you lose control of DNS, they own you
      • Worth the time to give connection attempts to these systems an extra look

      The “goodhost” filters in the documentation and software distribution give examples of web servers, DNS servers and mail relays. If you build a good filter profile for another type of commonly deployed host and are willing to share your filter, you can mail it to intrusion@sans.org; if it checks out we will get it into future releases of the software.
  12. Core_Host Filter
      Web Server

        (dst host 192.168.1.1 and (
          (tcp and ((tcp[13] & 2 != 0) and (tcp[13] & 0x10 = 0)) and (not dst port 80)) or
          (udp and not dst port 53 and not dst port 137) or
          (icmp and (icmp[0] != 8) and (icmp[0] != 0) and (icmp[0] != 3) and (icmp[0] != 11)) or
          (not (tcp or udp or icmp))
        ))

        # 192.168.1.1 webserver
        # should only receive traffic to tcp port 80 (syn only)
        # ignore udp with dst port 53 or 137
        # ignore icmp echo requests (8), echo replies (0),
        # destination unreachable (3), and
        # time exceeded (11) error messages
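The web-server filter above re-expressed as a Python predicate, as an added example that is not part of the SANS distribution, so each clause can be exercised against constructed packet summaries; the dict field names and the sample packets are this example's own, not a capture format.

```python
WEB_SERVER = "192.168.1.1"
TCP_SYN, TCP_ACK = 0x02, 0x10   # bits of the TCP flags byte, tcp[13] in BPF


def core_host_match(pkt: dict) -> bool:
    """True when the slide's filter would print this packet. pkt carries the
    fields the BPF expression reads: dst, proto, flags, dport, type."""
    if pkt["dst"] != WEB_SERVER:
        return False
    proto = pkt["proto"]
    if proto == "tcp":
        # (tcp[13] & 2 != 0) and (tcp[13] & 0x10 = 0): SYN set and ACK clear,
        # i.e. a fresh connection attempt; only port 80 is expected here.
        syn_only = (pkt["flags"] & TCP_SYN) != 0 and (pkt["flags"] & TCP_ACK) == 0
        return syn_only and pkt["dport"] != 80
    if proto == "udp":
        return pkt["dport"] not in (53, 137)      # ignore DNS and NetBIOS-NS
    if proto == "icmp":
        return pkt["type"] not in (8, 0, 3, 11)   # ignore echo, unreach, ttl exceeded
    return True   # not (tcp or udp or icmp): anything else to the web server


# Constructed sample traffic, not a real capture.
SAMPLE_PACKETS = [
    {"dst": WEB_SERVER, "proto": "tcp", "flags": TCP_SYN, "dport": 80},            # normal web hit
    {"dst": WEB_SERVER, "proto": "tcp", "flags": TCP_SYN, "dport": 22},            # connection attempt to 22
    {"dst": WEB_SERVER, "proto": "tcp", "flags": TCP_SYN | TCP_ACK, "dport": 22},  # not SYN-only, ignored
    {"dst": WEB_SERVER, "proto": "udp", "dport": 53},                              # DNS, ignored
    {"dst": WEB_SERVER, "proto": "udp", "dport": 161},                             # SNMP, reported
    {"dst": WEB_SERVER, "proto": "icmp", "type": 8},                               # echo request, ignored
    {"dst": WEB_SERVER, "proto": "icmp", "type": 13},                              # timestamp request, reported
    {"dst": WEB_SERVER, "proto": "gre"},                                           # other protocol, reported
    {"dst": "192.168.1.2", "proto": "tcp", "flags": TCP_SYN, "dport": 22},         # different host, not covered
]


def flagged_packets(packets=SAMPLE_PACKETS) -> list:
    """Indexes of the packets the Core_Host web-server filter would report."""
    return [i for i, p in enumerate(packets) if core_host_match(p)]


if __name__ == "__main__":
    print("reported packets:", flagged_packets())   # [1, 4, 6, 7]
```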
  13. Commercial Tools
  14. Cisco NetRanger (Cisco Secure Intrusion Detection System)
      • Cisco would prefer to bundle this with Secure Scanner, a vulnerability scanner
      • Unix-based system
      • Two part system, a sensor and a director
      • Directors can manage multiple sensors

      From Cisco’s web page:
      General Features of NetRanger Director
      • Real-time intrusion detection is transparent to legitimate traffic/network usage.
      • Real-time response to unauthorized activity blocks offenders from accessing the network or terminates offending sessions.
      • Comprehensive attack signature list detects a wide range of attacks and can detect content and context-based attacks.
      NetRanger Sensor
      • Real-time NetRanger Sensor alarms include attacker and destination IP addresses, destination port, attack description, and 256 characters of keystroke session capture before attack.
      • NetRanger Sensors can monitor network segments of various speeds and interface types, including Token Ring, 10/100-Mbps Ethernet, and FDDI.
      • NetRanger Sensor software is easily updated from a centralized NetRanger Director console.
  15. ISS RealSecure
      • Keyed software, CD or download
      • NT- or Unix-based engine, NT is preferred
      • High end Pentium, 128K RAM, good size disk
      • Two part system, an engine (sensor) and a console (analysis platform)
      • Consoles can manage multiple sensors

      You can get the full system as a time-limited evaluation version, and then simply upgrade the licence key to get the commercial version. RealSecure’s biggest claim to fame is its ease of configuration and use. Events are displayed as red, yellow or green icons on the GUI, depending on their priority, and the reporting tools are extensive. You can tell an operator to simply ‘call me when you see red’. RealSecure now forms part of ISS’s suite of tools that includes a host-based module and various vulnerability scanners. It can be hard to get to the raw data via the GUI, but since the data is all in an Access database behind the scenes, you can always query it directly.
  16. ISS RealSecure (2)
      • 200+ detects, but many generate a large number of false positives
        – Wiz: in a world of base64 encoded email, lights off every time the characters “wiz” are seen in the body of the message
        – CERN HTTP buffer overflow: lights off every time a URL is > X characters

      Other detects like SYN flood also have very high false positive rates, since it can be triggered by as few as 3-5 connection attempts in a second, a common occurrence with over-eager mail servers and other common events. The problem is, to avoid the false positives the threshold needs to be set so high as to miss real attacks.
  17. Normally a user will select a pre-made policy and edit it to customize for their situation.

      Once you have selected a pre-made policy, you can customise it somewhat by selecting which events to ignore (usually because of their high false positive rate). Here we can see some allowance for user-defined pattern matching filters. This capacity has increased in more recent versions, but it still can’t compare with products like NFR for customizability. Most users don’t use custom filters, but they are a welcome facility for handling a new problem until ISS can put out a patch to detect it.
  18. Connection events are quite handy. If you do not run IMAP, then you may want to know about all IMAP access events. Similarly, if you were running a Gauntlet firewall you’d want to watch for connections attempting the Cyber Patrol proxy buffer overflow exploit. (You’d want to set it as a high-priority alert, since it would indicate a targeted attack instead of the usual random recon probes.)
  19. “Any” for a source or destination is not always helpful. One can list a partial address and give a mask. Example: 128.38.0.0 with 16 bits of mask would check for any 128.38. address.

      This ability to watch for traffic from a range of addresses is useful when monitoring attacks from a dial-up account, where each of the attacker’s logins may be from a different address in the pool.
  20. Netmask
      • There are 32 bits (4 bytes) of netmask
      • NETID (172.20), Subnet (172.20.X.0) and HOSTID (172.20.subnet.host)
      • Netmask tells your computer what is NETID and what is HOSTID
      • 172.20.SUBNET means 255.255.255.0 for a netmask (usually) or 24 bits of netmask for ISS RealSecure

      With a bit of practice one translates between 172.20/16 and 255.255.0.0 without even thinking!
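The mask arithmetic behind the partial-address-plus-mask notation of slides 19 and 20, as an added example that is not from the SANS material: it converts between a bit count and a dotted netmask, splits an address into NETID and HOSTID, and checks whether an address falls under 128.38.0.0 with 16 bits of mask. Function names are this example's own.

```python
def ip_to_int(addr: str) -> int:
    """Dotted quad to a 32-bit integer; short forms like '172.20' are padded."""
    parts = addr.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad address: {addr}")
    octets = [int(o) for o in parts] + [0] * (4 - len(parts))
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_bits(bits: int) -> str:
    """16 bits of mask -> '255.255.0.0', 24 -> '255.255.255.0'."""
    if not 0 <= bits <= 32:
        raise ValueError("mask length must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF)


def bits_from_mask(mask: str) -> int:
    """'255.255.0.0' -> 16; rejects masks whose one-bits are not contiguous."""
    m = ip_to_int(mask)
    bits = bin(m).count("1")
    if m != ip_to_int(mask_from_bits(bits)):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return bits


def split_netid_hostid(addr: str, bits: int) -> tuple:
    """Apply the mask: (NETID, HOSTID) of addr, e.g. 172.20.5.9 under /16."""
    m, n = ip_to_int(mask_from_bits(bits)), ip_to_int(addr)
    return int_to_ip(n & m), int_to_ip(n & ~m & 0xFFFFFFFF)


def in_range(addr: str, partial: str, bits: int) -> bool:
    """RealSecure-style check: is addr covered by a partial address plus mask?"""
    m = ip_to_int(mask_from_bits(bits))
    return ip_to_int(addr) & m == ip_to_int(partial) & m


if __name__ == "__main__":
    print(mask_from_bits(16), bits_from_mask("255.255.255.0"))   # 255.255.0.0 24
    print(split_netid_hostid("172.20.5.9", 16))                  # ('172.20.0.0', '0.0.5.9')
    print(in_range("128.38.200.7", "128.38.0.0", 16))            # True
```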