COEN 252 Computer Forensics

1 / 43
About This Presentation
Title:

COEN 252 Computer Forensics

Description:

... create new logs that can then later be correlated with ... Port 666 is used by Doom game. User input allows change from default values. Package is crafted. ... – PowerPoint PPT presentation

Number of Views:45
Avg rating:3.0/5.0
Slides: 44
Provided by: thomass155
Learn more at: http://www.cse.scu.edu

less

Transcript and Presenter's Notes

Title: COEN 252 Computer Forensics


1
COEN 252 Computer Forensics
  • Intrusion Detection Systems

2
Book recommendations
  • Richard Bejtlich The Tao of Network Security
    Monitoring, Addison Wesley, 2005
  • Stephen Northcutt, Judy Novak Network Intrusion
    Detection, Third Edition, SANS GIAC, New Riders,
    2003
  • E. Eugene Schultz, Russell Shumway Incident
    Response, New Riders, 2002

3
IDS Overview
  • Intrusion Detection System
  • Host based
  • Network based (NIDS)
  • System Integrity Verifiers (SIV)
  • Log File Monitors
  • Deception Systems (decoys, honeypots)

4
IDS Architecture
  • Raw packet logging
  • Too much traffic, hence
  • Attack detection
  • Attack Signatures
  • Can only find known attacks
  • Anomaly Detection
  • Finds deviations from normal traffic
  • But what is normal traffic?

5
IDS Architecture
  • Host Based Intrusion Detection
  • Looks for changes to critical files.
  • Tripwire.
  • Detection of change and recovery to known good
    states already provided by MS Windows.
  • Provide this system with access control.

6
IDS Architecture
  • False positives
  • Alarms are ringing, but there is no fire.
  • Example
  • NIDS reported login attempts.
  • From within the network, but to remote site.
  • Logs showed that logons were attempt to access
    unavailable network resources.
  • Traced to workstations attempting to access an
    antivirus software update server.

7
IDS Architecture
  • False Negatives.
  • Stealth scans Traffic at slow rate.
  • Suspicious traffic can be legitimate
  • User forgot password.
  • Heavy traffic can be taken for a DoS attack.

8
IDS Architecture
  • NIDS placement
  • NIDS limited by traffic.
  • Switched environments make NIDS difficult to
    place.
  • On network perimeter
  • Both sides of firewalls.

9
IDS Architecture
  • NIDS data gathering
  • With hubs
  • With SPAN ports
  • With TAPs
  • With inline devices

10
IDS Architecture
  • Hubs
  • Cheap
  • Performance bottleneck?
  • Might not see all traffic.

11
IDS Architecture
  • Switch with SPAN port
  • Not so cheap
  • Hard to configure.
  • Under heavy load, not all traffic is sent to
    monitoring station.
  • All traffic needs to pass through a single
    switch.

12
IDS Architecture
  • Test Access Port
  • Designed for monitoring
  • One TAP port sees outside bound traffic.
  • Other TAP port sees inside bound traffic.
  • Need to reconstruct both streams.

13
IDS Architecture
  • Inline devices
  • Filtering bridges
  • Can also be used as a cage.
  • Filtering bridge can isolate a caged
    workstation.

14
IDS Architecture
  • Wireless Monitoring
  • On a Wireless Access Point (WAP) with Ethereal
    and similar tools
  • Knoppix allows raw 802.11 traffic

15
IDS Architecture
  • IDS Sensor Architecture
  • Machine needs to be able to process traffic.
  • ltT1 300 MHz Pentium, 256 MB RAM, 20GB HD, 32 b
    PCI bus.
  • T1 lt T3 750MHz Pentium, 512 MB RAM, 80 GB HD,
    32-64b PCI bus
  • T3 and higher 1GHz Pentium, 1GB RAM, 240 GB HD,
    PCI-X or PCI-Express bus

16
IDS Architecture
  • IDS Sensor Architecture
  • OS
  • Since sensors are placed on the perimeter, we
    need secure OS.
  • Need open security tools.
  • BSD preferred FreeBSD.
  • Access
  • In band remote access
  • More fragile.
  • Out of band remote access
  • More cumbersome.

17
IDS Architecture
  • Push / Pull
  • Typically, push detected events to the analysis
    platform.
  • This can be a security issue
  • If sensor is observable, observer can detect
    sensor configuration.

18
IDS Architecture
  • Analyst Console
  • Critical for performance.
  • Needs to provide capabilities such as
  • False positive detection.
  • Display filters
  • Mark events that have already been analyzed
  • Drill down
  • Start with big picture data, then give details.
  • Correlation
  • Have I seen this before?
  • Good reporting

19
IDS Operations
  • Anomaly Detection
  • Based on statistical anomalies, compared with
  • CPU utilization
  • Disk activity
  • User logins
  • File activity, etc.
  • Does not have to understand the cause.

20
IDS Operations
  • Application protocol verification
  • Invalid protocol behavior, such as WinNuke
  • WinNuke attacker sends out-of-band / urgent
    data to port 139 on a Win95 system.
  • Unusual behavior such as DNS cache poisoning.
  • Simple create new logs that can then later be
    correlated with other system logs to show what
    happened.

21
IDS ExampleUDP Flooding January 1999
  • 081010 bobadilla.echo gt 192.210.19.198.666 udp
    1024 (DF)
  • 081010 bobadilla.echo gt 192.210.19.198.666 udp
    426 (DF)
  • 081017 bobadilla.echo gt 192.210.19.198.666 udp
    1024 (DF)
  • 081017 bobadilla.echo gt 192.210.19.198.666 udp
    426 (DF)
  • 081022 bobadilla.echo gt 192.210.19.198.666 udp
    1024 (DF)
  • 081022 bobadilla.echo gt 192.210.19.198.666 udp
    426 (DF)
  • 081028 bobadilla.echo gt 192.210.19.62.666 udp
    1024 (DF)
  • 081028 bobadilla.echo gt 192.210.19.62.666 udp
    426 (DF)
  • 081035 bobadilla.echo gt 192.210.19.198.666 udp
    1024 (DF)
  • 081035 bobadilla.echo gt 192.210.19.198.666 udp
    426 (DF)
  • 081049 bobadilla.echo gt 192.210.19.62.666 udp
    1024 (DF)
  • 081049 bobadilla.echo gt 192.210.19.62.666 udp
    426 (DF)
  • 081105 bobadilla.echo gt 192.210.19.62.666 udp
    1024 (DF)
  • 081105 bobadilla.echo gt 192.210.19.62.666 udp
    426 (DF)

22
IDS ExampleUDP Flooding January 1999
  • Example of the Pepsi UDP flood.
  • Send out UDP packages as fast as possible
  • Sends UPD packages with a spoofed return address
    to an echo port (at Bobadilla).
  • Echo returns it to the source address.
  • Two systems under attack.

23
IDS Examplepepsi.c found on Internet
  • /
  • pepsi.c
  • Random Source Host UDP flooder
  • Author Soldier_at_data-t.org
  • 12.25.1996
  • Greets To Havok, nightmar, vira, Kage,
    ananda, tmw, Cheesebal, efudd,
  • Capone, cphber, WebbeR, Shadowimg, robocod,
    napster, marl, eLLjAY, fLICK
  • Toasty, shadow, magnus and silitek, oh and
    Data-T.
  • Fuck You to Razor1911 the bigest fucking
    lamers in the warez comunity,
  • Yakuza for ripping my code, cha0s on the
    undernet for trying to port
  • it to win95, then ircOpers on efnet for being
    such cocksuckers
  • especially prae for trying to call the fbi on
    me at least 5 times.
  • all warez pups i don't know for ripping off
    honest programers.
  • and Dianora for being a lesbian hoe,
    Srfag..err SrfRog for having an ego
  • the size of california.

24
IDS Examplepepsi.c found on Internet
  • define FRIEND "My christmas present to the
    internet -Soldier"
  • define VERSION "Pepsi.c v1.6"
  • define DSTPORT 7
  • define SRCPORT 19
  • define PSIZE 1024
  • define DWAIT 1

25
IDS Examplepepsi.c found on Internet
  • void usage(char pname)
  • printf("usage\n ")
  • printf("s -s src -n num -p size -d port
    -o port -w wait ltdestgt\n\n", pname)
  • printf("\t-s ltsrcgt source where packets are
    comming from\n")
  • printf("\t-n ltnumgt number of UDP packets to
    send\n")
  • printf("\t-p ltsizegt Packet Size Default is
    1024\n")
  • printf("\t-d ltportgt Destination Port Default
    is .2d\n", DSTPORT) printf("\t-o ltportgt
    Source Port Default is .2d\n", SRCPORT)
    printf("\t-w lttimegt Wait time between packets
    Default is 1\n") printf("\tltdestgt
    destination \n") printf("\n")
  • exit(EXIT_SUCCESS)

26
IDS Examplepepsi.c found on Internet
  • if (srchost srchost)
  • ip-gtsaddr resolve(srchost)
  • ip-gtdaddr dst
  • ip-gtversion 4
  • ip-gtihl 5
  • ip-gtttl 255
  • ip-gtprotocol IPPROTO_UDP
  • ip-gttot_len htons(sizeof(struct iphdr)
    sizeof(struct udphdr) psize)
  • ip-gtcheck in_cksum(ip, sizeof(struct iphdr))
  • udp-gtsource htons(srcport)
  • udp-gtdest htons(dstport)
  • udp-gtlen htons(sizeof(struct udphdr) psize)

27
IDS Examplepepsi.c found on Internet
  • if (sendto(sen, packet, sizeof(struct iphdr)
    sizeof(struct udphdr) psize, 0,
  • (struct sockaddr ) dstaddr,
  • sizeof(struct sockaddr_in)) (-1))
    puts(" Error sending Packet")
    perror("SendPacket")
  • exit(EXIT_FAILURE)

28
IDS Examplepepsi.c found on Internet
  • This is almost the complete code.
  • Default ports are defined, but can be
    overwritten.
  • Port 666 is used by Doom game.
  • User input allows change from default values.
  • Package is crafted.
  • And sent.

29
IDS and Firewalls
  • Firewalls perturb traffic
  • Three way handshake is disrupted.
  • Firewall logs are primary evidence and are
    primary method of intrusion detection.

30
IDS and Firewalls
  • Firewall Log
  • IP packet discarded from 222.168.40.21 for port
    1880.
  • IP packet discarded from 222.168.40.21 for port
    1882.
  • IP packet discarded from 222.168.40.21 for port
    1881.
  • This firewall log gives us a fact, but not enough
    to figure out what is happening.
  • Is this TCP? UDP?

31
IDS and Firewalls
  • Another log from a different vendor
  • UDP packet dropped Source 123.4.56.78, 2820, WAN
    Destination 169.8.27.38 33430 LAN - - Rule 33
  • This entry gives us enough information Source
    port, destination port, protocol.
  • Traceroute from outside web server.

32
IDS and Firewalls
  • Yet another log
  • Myhost kernel INeth0 OUT MAC
    0080808098ae3e321245a0 SRC1.1.1.1
    Dst192.168.127.45 LEN38 TOS 0x00 PREC0x00
    TTL1 ID31758 PROTOUDP SPT32789 DPT33433
  • This is another traceroute.
  • Best log seen.

33
IDS and Signatures
  • Signature Types
  • Header-based Inspect the packet header
  • Pattern-matching Match for content string
  • Atomic match in a single packet
  • Stateful match on reassembled packets
  • Protocol-based Inspect based on RFC
  • Heuristic-based Inspect based on statistics
  • Anomaly-based

34
IDS and Signatures
  • Header-based
  • Destination port TCP 139 and Out of Band
  • tcpdump dst port 139 and tcp13 0x20!0 and
    tcp18!0
  • Detects the old WinNuke attack.
  • WinNuke packets go to NetBIOS ports such as 139,
    have an urgent flag set, and have a non-zero
    urgent value.

35
IDS and Signatures
  • Pattern-matching looking for the tsig overflow
    attempt.
  • alert udp External_Net any -gt Home_Net 53 \
  • (msg Exploit named tsig overflow attempt\
  • content 80 00 07 00 00 00 00 00 01 3F 00 01
    02/bin/sh
  • Snort rule looking for a pattern for a BIND
    transaction signature tsig code.
  • Looks for specific byte code to UDP destination
    port 53.

36
IDS and Signatures
  • Heuristic-based
  • Look for large ICMP packets
  • alert icmp any -gt HOME_NET (msg\ Large ICMP
    packet dsize gt 800)
  • Such large ICMP packets are unusual.

37
IDS and Signatures
  • Encryption
  • Back Orifice uses a simple encryption scheme to
    protect its packet payload.
  • All BO packets start with !QWTY?
  • Barbwire uses Blowfish encryption.
  • Challenge for string searches.

38
IDS and Signatures
  • Fragmentation
  • Allows to hide attack strings.
  • Stateful analysis is more cumbersome.
  • Too Generic
  • Superscan
  • 4500 0024 c5eb 0000 6f01 a144 4201 f789
  • c08a 6b42 0800 fc46 0200 f9b8 0000 0000
  • 0000 0000 0000 0000 0000 0000 0000
  • alert icmp !HOME_NET any -gt HOME_NET any (msg
    Superscan echo content 00000000000000000000
    itype8 dsize 8)
  • Too many matches.

39
Traffic Analysis
  • Look for crafted packets
  • Cheops uses TCP with both SYN and FIN flag set.
    This is impossible in normal TCP.
  • Basic traffic characteristics
  • To, from, date, time
  • Information on source host
  • Weight or severity
  • Size, service, type class
  • Tiny fragments, e.g. generated by nMap.
  • Strange TTL values

40
Traffic Analysis
  • Link Graphs
  • A message passing from A to B generates a link
    between A and B.
  • Links are weighted by the number of connections.

41
Traffic Analysis
  • Link Graphs
  • Ping Scan

J
D
X
A
C
B
E
F
I
G
H
42
Traffic Analysis
Intellitactics NSM
43
Traffic Analysis
  • Short Time Profile Changes
  • Profile Statistics on connections, port spread,
    services, etc.
Write a Comment
User Comments (0)