Title: COEN 252 Computer Forensics
1COEN 252 Computer Forensics
- Intrusion Detection Systems
2Book recommendations
- Richard Bejtlich The Tao of Network Security
Monitoring, Addison Wesley, 2005 - Stephen Northcutt, Judy Novak Network Intrusion
Detection, Third Edition, SANS GIAC, New Riders,
2003 - E. Eugene Schultz, Russell Shumway Incident
Response, New Riders, 2002
3IDS Overview
- Intrusion Detection System
- Host based
- Network based (NIDS)
- System Integrity Verifiers (SIV)
- Log File Monitors
- Deception Systems (decoys, honeypots)
4IDS Architecture
- Raw packet logging
- Too much traffic, hence
- Attack detection
- Attack Signatures
- Can only find known attacks
- Anomaly Detection
- Finds deviations from normal traffic
- But what is normal traffic?
5IDS Architecture
- Host Based Intrusion Detection
- Looks for changes to critical files.
- Tripwire.
- Detection of change and recovery to known good
states already provided by MS Windows. - Provide this system with access control.
6IDS Architecture
- False positives
- Alarms are ringing, but there is no fire.
- Example
- NIDS reported login attempts.
- From within the network, but to remote site.
- Logs showed that logons were attempt to access
unavailable network resources. - Traced to workstations attempting to access an
antivirus software update server.
7IDS Architecture
- False Negatives.
- Stealth scans Traffic at slow rate.
- Suspicious traffic can be legitimate
- User forgot password.
- Heavy traffic can be taken for a DoS attack.
8IDS Architecture
- NIDS placement
- NIDS limited by traffic.
- Switched environments make NIDS difficult to
place. - On network perimeter
- Both sides of firewalls.
9IDS Architecture
- NIDS data gathering
- With hubs
- With SPAN ports
- With TAPs
- With inline devices
10IDS Architecture
- Hubs
- Cheap
- Performance bottleneck?
- Might not see all traffic.
11IDS Architecture
- Switch with SPAN port
- Not so cheap
- Hard to configure.
- Under heavy load, not all traffic is sent to
monitoring station. - All traffic needs to pass through a single
switch.
12IDS Architecture
- Test Access Port
- Designed for monitoring
- One TAP port sees outside bound traffic.
- Other TAP port sees inside bound traffic.
- Need to reconstruct both streams.
13IDS Architecture
- Inline devices
- Filtering bridges
- Can also be used as a cage.
- Filtering bridge can isolate a caged
workstation.
14IDS Architecture
- Wireless Monitoring
- On a Wireless Access Point (WAP) with Ethereal
and similar tools - Knoppix allows raw 802.11 traffic
15IDS Architecture
- IDS Sensor Architecture
- Machine needs to be able to process traffic.
- ltT1 300 MHz Pentium, 256 MB RAM, 20GB HD, 32 b
PCI bus. - T1 lt T3 750MHz Pentium, 512 MB RAM, 80 GB HD,
32-64b PCI bus - T3 and higher 1GHz Pentium, 1GB RAM, 240 GB HD,
PCI-X or PCI-Express bus
16IDS Architecture
- IDS Sensor Architecture
- OS
- Since sensors are placed on the perimeter, we
need secure OS. - Need open security tools.
- BSD preferred FreeBSD.
- Access
- In band remote access
- More fragile.
- Out of band remote access
- More cumbersome.
17IDS Architecture
- Push / Pull
- Typically, push detected events to the analysis
platform. - This can be a security issue
- If sensor is observable, observer can detect
sensor configuration.
18IDS Architecture
- Analyst Console
- Critical for performance.
- Needs to provide capabilities such as
- False positive detection.
- Display filters
- Mark events that have already been analyzed
- Drill down
- Start with big picture data, then give details.
- Correlation
- Have I seen this before?
- Good reporting
19IDS Operations
- Anomaly Detection
- Based on statistical anomalies, compared with
- CPU utilization
- Disk activity
- User logins
- File activity, etc.
- Does not have to understand the cause.
20IDS Operations
- Application protocol verification
- Invalid protocol behavior, such as WinNuke
- WinNuke attacker sends out-of-band / urgent
data to port 139 on a Win95 system. - Unusual behavior such as DNS cache poisoning.
- Simple create new logs that can then later be
correlated with other system logs to show what
happened.
21IDS ExampleUDP Flooding January 1999
- 081010 bobadilla.echo gt 192.210.19.198.666 udp
1024 (DF) - 081010 bobadilla.echo gt 192.210.19.198.666 udp
426 (DF) - 081017 bobadilla.echo gt 192.210.19.198.666 udp
1024 (DF) - 081017 bobadilla.echo gt 192.210.19.198.666 udp
426 (DF) - 081022 bobadilla.echo gt 192.210.19.198.666 udp
1024 (DF) - 081022 bobadilla.echo gt 192.210.19.198.666 udp
426 (DF) - 081028 bobadilla.echo gt 192.210.19.62.666 udp
1024 (DF) - 081028 bobadilla.echo gt 192.210.19.62.666 udp
426 (DF) - 081035 bobadilla.echo gt 192.210.19.198.666 udp
1024 (DF) - 081035 bobadilla.echo gt 192.210.19.198.666 udp
426 (DF) - 081049 bobadilla.echo gt 192.210.19.62.666 udp
1024 (DF) - 081049 bobadilla.echo gt 192.210.19.62.666 udp
426 (DF) - 081105 bobadilla.echo gt 192.210.19.62.666 udp
1024 (DF) - 081105 bobadilla.echo gt 192.210.19.62.666 udp
426 (DF)
22IDS ExampleUDP Flooding January 1999
- Example of the Pepsi UDP flood.
- Send out UDP packages as fast as possible
- Sends UPD packages with a spoofed return address
to an echo port (at Bobadilla). - Echo returns it to the source address.
- Two systems under attack.
23IDS Examplepepsi.c found on Internet
- /
- pepsi.c
- Random Source Host UDP flooder
-
- Author Soldier_at_data-t.org
-
- 12.25.1996
-
- Greets To Havok, nightmar, vira, Kage,
ananda, tmw, Cheesebal, efudd, - Capone, cphber, WebbeR, Shadowimg, robocod,
napster, marl, eLLjAY, fLICK - Toasty, shadow, magnus and silitek, oh and
Data-T. -
- Fuck You to Razor1911 the bigest fucking
lamers in the warez comunity, - Yakuza for ripping my code, cha0s on the
undernet for trying to port - it to win95, then ircOpers on efnet for being
such cocksuckers - especially prae for trying to call the fbi on
me at least 5 times. - all warez pups i don't know for ripping off
honest programers. - and Dianora for being a lesbian hoe,
Srfag..err SrfRog for having an ego - the size of california.
24IDS Examplepepsi.c found on Internet
- define FRIEND "My christmas present to the
internet -Soldier" - define VERSION "Pepsi.c v1.6"
- define DSTPORT 7
- define SRCPORT 19
- define PSIZE 1024
- define DWAIT 1
25IDS Examplepepsi.c found on Internet
- void usage(char pname)
-
- printf("usage\n ")
- printf("s -s src -n num -p size -d port
-o port -w wait ltdestgt\n\n", pname) - printf("\t-s ltsrcgt source where packets are
comming from\n") - printf("\t-n ltnumgt number of UDP packets to
send\n") - printf("\t-p ltsizegt Packet Size Default is
1024\n") - printf("\t-d ltportgt Destination Port Default
is .2d\n", DSTPORT) printf("\t-o ltportgt
Source Port Default is .2d\n", SRCPORT)
printf("\t-w lttimegt Wait time between packets
Default is 1\n") printf("\tltdestgt
destination \n") printf("\n") - exit(EXIT_SUCCESS)
-
26IDS Examplepepsi.c found on Internet
- if (srchost srchost)
- ip-gtsaddr resolve(srchost)
- ip-gtdaddr dst
- ip-gtversion 4
- ip-gtihl 5
- ip-gtttl 255
- ip-gtprotocol IPPROTO_UDP
- ip-gttot_len htons(sizeof(struct iphdr)
sizeof(struct udphdr) psize) - ip-gtcheck in_cksum(ip, sizeof(struct iphdr))
- udp-gtsource htons(srcport)
- udp-gtdest htons(dstport)
- udp-gtlen htons(sizeof(struct udphdr) psize)
27IDS Examplepepsi.c found on Internet
- if (sendto(sen, packet, sizeof(struct iphdr)
sizeof(struct udphdr) psize, 0, - (struct sockaddr ) dstaddr,
- sizeof(struct sockaddr_in)) (-1))
puts(" Error sending Packet")
perror("SendPacket") - exit(EXIT_FAILURE)
-
28IDS Examplepepsi.c found on Internet
- This is almost the complete code.
- Default ports are defined, but can be
overwritten. - Port 666 is used by Doom game.
- User input allows change from default values.
- Package is crafted.
- And sent.
29IDS and Firewalls
- Firewalls perturb traffic
- Three way handshake is disrupted.
- Firewall logs are primary evidence and are
primary method of intrusion detection.
30IDS and Firewalls
- Firewall Log
- IP packet discarded from 222.168.40.21 for port
1880. - IP packet discarded from 222.168.40.21 for port
1882. - IP packet discarded from 222.168.40.21 for port
1881. - This firewall log gives us a fact, but not enough
to figure out what is happening. - Is this TCP? UDP?
31IDS and Firewalls
- Another log from a different vendor
- UDP packet dropped Source 123.4.56.78, 2820, WAN
Destination 169.8.27.38 33430 LAN - - Rule 33 - This entry gives us enough information Source
port, destination port, protocol. - Traceroute from outside web server.
32IDS and Firewalls
- Yet another log
- Myhost kernel INeth0 OUT MAC
0080808098ae3e321245a0 SRC1.1.1.1
Dst192.168.127.45 LEN38 TOS 0x00 PREC0x00
TTL1 ID31758 PROTOUDP SPT32789 DPT33433 - This is another traceroute.
- Best log seen.
33IDS and Signatures
- Signature Types
- Header-based Inspect the packet header
- Pattern-matching Match for content string
- Atomic match in a single packet
- Stateful match on reassembled packets
- Protocol-based Inspect based on RFC
- Heuristic-based Inspect based on statistics
- Anomaly-based
34IDS and Signatures
- Header-based
- Destination port TCP 139 and Out of Band
- tcpdump dst port 139 and tcp13 0x20!0 and
tcp18!0 - Detects the old WinNuke attack.
- WinNuke packets go to NetBIOS ports such as 139,
have an urgent flag set, and have a non-zero
urgent value.
35IDS and Signatures
- Pattern-matching looking for the tsig overflow
attempt. - alert udp External_Net any -gt Home_Net 53 \
- (msg Exploit named tsig overflow attempt\
- content 80 00 07 00 00 00 00 00 01 3F 00 01
02/bin/sh - Snort rule looking for a pattern for a BIND
transaction signature tsig code. - Looks for specific byte code to UDP destination
port 53.
36IDS and Signatures
- Heuristic-based
- Look for large ICMP packets
- alert icmp any -gt HOME_NET (msg\ Large ICMP
packet dsize gt 800) - Such large ICMP packets are unusual.
37IDS and Signatures
- Encryption
- Back Orifice uses a simple encryption scheme to
protect its packet payload. - All BO packets start with !QWTY?
- Barbwire uses Blowfish encryption.
- Challenge for string searches.
38IDS and Signatures
- Fragmentation
- Allows to hide attack strings.
- Stateful analysis is more cumbersome.
- Too Generic
- Superscan
- 4500 0024 c5eb 0000 6f01 a144 4201 f789
- c08a 6b42 0800 fc46 0200 f9b8 0000 0000
- 0000 0000 0000 0000 0000 0000 0000
- alert icmp !HOME_NET any -gt HOME_NET any (msg
Superscan echo content 00000000000000000000
itype8 dsize 8) - Too many matches.
39Traffic Analysis
- Look for crafted packets
- Cheops uses TCP with both SYN and FIN flag set.
This is impossible in normal TCP. - Basic traffic characteristics
- To, from, date, time
- Information on source host
- Weight or severity
- Size, service, type class
- Tiny fragments, e.g. generated by nMap.
- Strange TTL values
40Traffic Analysis
- Link Graphs
- A message passing from A to B generates a link
between A and B. - Links are weighted by the number of connections.
41Traffic Analysis
J
D
X
A
C
B
E
F
I
G
H
42Traffic Analysis
Intellitactics NSM
43Traffic Analysis
- Short Time Profile Changes
- Profile Statistics on connections, port spread,
services, etc.