Network Intrusion Detection - PowerPoint PPT Presentation

About This Presentation
Title:

Network Intrusion Detection

Description:

Network Intrusion Prevention System - block or reject packets that match a ... This IDES was initially a rule-based expert system trained to detect known ... – PowerPoint PPT presentation

Slides: 32
Provided by: Goog626

Transcript and Presenter's Notes


1
Network Intrusion Detection and Intrusion Prevention
"The information world is truly electronic - there's no turning back." - Winn Schwartau
  • Conner Finlay
  • Josh Smith

2
Differences
  • Network Intrusion Detection System - attempts to
    detect unauthorized and anomalous activity by
    monitoring packets traversing a given network
  • Network Intrusion Prevention System - blocks or
    rejects packets that match a particular signature
    or behavior; sits in-line instead of using a
    network tap or SPAN port

3
History of IDS/IPS
  • Between 1984 and 1986, Dorothy Denning and Peter
    Neumann researched and developed the first model
    of a real-time IDS. This prototype was named the
    Intrusion Detection Expert System (IDES). IDES
    was initially a rule-based expert system trained
    to detect known malicious activity.
  • First commercial implementation in the early
    1990s by Haystack Labs
  • Started to grow in popularity with Cisco buying
    out vendors in the mid/late 90s

4
Types of IDS/IPS Systems
  • Anomaly detection model - The IDS has knowledge of
    normal behavior, so it searches for anomalous
    behavior or deviations from the established
    baseline. While anomaly detection's most apparent
    drawback is its high false positive rate, it does
    offer detection of unknown intrusions and new
    exploits.
  • Misuse detection model - The IDS has knowledge of
    suspicious behavior and searches for activity that
    violates stated policies. It also means looking
    for known malicious or unwanted behavior. Its main
    features are its efficiency and comparably low
    false alarm rate.

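As an added illustration of the two models (not from the slides), the following Python runs a misuse detector and an anomaly detector over constructed flow records: the eDonkey signature mirrors the rule shown later on slide 20, while the host, byte counts, baseline and z-score threshold are assumptions.

```python
from statistics import mean, pstdev

# Constructed flow records: (src_host, dst_port, bytes, first payload bytes)
FLOWS = [
    ("10.0.0.5", 80,   12000, b"GET / HTTP/1.1\r\n"),
    ("10.0.0.5", 80,   11800, b"GET /a HTTP/1.1\r\n"),
    ("10.0.0.5", 443,  12300, b"\x16\x03\x01"),
    ("10.0.0.5", 4662, 12100, b"\xe3\x0e\x00\x00"),  # eDonkey search, ordinary size
    ("10.0.0.5", 22,  900000, b"SSH-2.0-OpenSSH"),    # benign backup, unusual size
]

# Misuse model: known-bad signatures. This one mirrors the slide 20 rule:
# destination port 4660-4799 and a payload starting with bytes e3 0e.
SIGNATURES = [
    {"name": "P2P eDonkey Search", "ports": range(4660, 4800), "prefix": b"\xe3\x0e"},
]

def misuse_detect(flows):
    """Flag every flow that matches a signature; needs no notion of 'normal'."""
    hits = []
    for src, port, _, payload in flows:
        for sig in SIGNATURES:
            if port in sig["ports"] and payload.startswith(sig["prefix"]):
                hits.append((src, port, sig["name"]))
    return hits

# Anomaly model: baseline of flow sizes learned during a clean period (constructed)
BASELINE = [11800, 12200, 12500, 11900, 12100, 12300, 12000, 11700]

def anomaly_detect(flows, baseline=BASELINE, z_threshold=3.0):
    """Flag flows whose size deviates from the baseline by more than z_threshold
    standard deviations; knows nothing about what an attack looks like."""
    mu, sigma = mean(baseline), pstdev(baseline)
    hits = []
    for src, port, nbytes, _ in flows:
        z = (nbytes - mu) / sigma if sigma else 0.0
        if abs(z) > z_threshold:
            hits.append((src, port, round(z, 1)))
    return hits

if __name__ == "__main__":
    # Misuse catches the eDonkey flow and nothing else (low false alarm rate).
    print("misuse :", misuse_detect(FLOWS))
    # Anomaly misses eDonkey (normal size) and flags the backup (false positive),
    # but would equally flag an unknown attack that changed traffic volume.
    print("anomaly:", anomaly_detect(FLOWS))
```
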
5
Types of IDS
  • Rule Based
  • Protocol Analysis
  • Policy Based
  • Heuristic Based

6
Bro IDS/IPS
  • Unix IDS
  • Not an "out-of-the-box" solution
  • Types of alerts
      • Log alerts
      • Real-time alerts
      • System command execution
  • Does not require software to be installed on each
    host
  • Single network host
  • Custom scripting language for rulesets

7
Bro IDS/IPS
  • Snort2Bro - custom tool to convert Snort
    signatures to Bro format
  • Also enables Bro features in converted signatures
    to reduce false positives
  • How is Bro different from Snort?
  • "Snort is signature based, while Bro can store
    information about previous network activity and
    store it for analysis of current activity."

8
Bro IDS/IPS
  • Ability to automagically encrypt email alerts
  • Custom policies to adjust to different network
    designs, for example:

        const web_servers = { www.lbl.gov, www.bro-ids.org, };
        const mail_servers = { smtp.lbl.gov, smtp2.lbl.gov, };
        const allow_my_services: set[addr, port] = {
            [mail_servers, smtp],
            [web_servers, http],
        };

9
Bro IDS/IPS
  • Geo-location to detect and map attacks; this
    script logs FTP connections from clients located
    in Ohio, US:

        global ftp_location_log: file = open_log_file("ftp-location");

        event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
            {
            local client = c$id$orig_h;
            local loc = lookup_location(client);
            if ( loc$region == "OH" && loc$country_code == "US" )
                print ftp_location_log, fmt("FTP Connection from %s (%s, %s, %s)",
                                            client, loc$city, loc$region, loc$country_code);
            }

10
Hogwash IDS
  • Started by a student in 1996 at Idaho State
    University
  • Versatile network IDS with three different modes
      • Regular IDS - watches traffic on a span port
        (switch/router) and generates alerts based on
        what it sees
      • Inline Scrubber - actively filters the traffic
        (acts as a firewall). Sits between the cloud
        and the internal network
      • HoneyPot Control - "arbitrates IP address and
        MAC address conflicts to help run the
        honeypots. It is possible to have an array of
        honeypots behind a single Hogwash box, all
        with the same IP and MAC address"
  • Still experimental

11
Hogwash in HoneyPot Control Mode

12
Types of IPS
  • Packet Filtering
  • Session Analysis
  • Packet Manipulation
  • IP Blocking

13
IPS Packet Filtering
  • Ability to block individual protocols
  • Allow FTP and HTTP but block AIM or VNC

14
IPS Session Analysis
  • Inspects each packet belonging to a protocol and
    ruleset and matches the traffic against
    signature-based rules or policies

15
IPS Packet Manipulation
  • Manipulates data inside a packet and passes the
    packet along to its destination
  • Can be used to strip shellcode or exploit payloads
  • Can remove sensitive information

16
IPS IP Blocking
  • Can automagically block IP addresses based on
    signatures or policies
  • Keeps a database of blocked IPs
  • Blocks for a time limit or permanently

17
Cisco IPS
  • A hardware-based network IPS
  • Operates at Layers 2 - 7
  • Uses the Cisco IPS signatures (anomaly/behavioral)
  • Anti-IPS-evasion techniques
      • TCP stream reassembly
      • De-obfuscation
      • Traffic normalization
  • Works in conjunction with the Cisco Security
    Agent (HIDS) for a complete solution

18
Snort_Inline IPS
  • Uses libipq (iptables) rather than libpcap
  • Uses the Snort ruleset to tell iptables to drop
    the connection or let it through
  • Built on top of an existing Snort installation
  • Improves the security of the intrusion detection
    system

19
Snort_Inline IPS
  • Built-in ClamAV integration
  • iptables rule actions: Alert, Block, Pass, Drop,
    Reject, SDrop
      • Alert - alert user (IDS functionality)
      • Block - blocks connection through iptables
      • Pass - ignore alert and allow traffic
      • Drop - drop connection through iptables and log
      • Reject - send reset packets
      • SDrop - drop connection without logging

20
Snort_Inline IPS
  • Example drop rule (Bleeding Edge eDonkey search):

        drop udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 \
            (msg:"BLEEDING-EDGE P2P eDonkey Search"; content:"|e3 0e|"; \
            offset:0; depth:2; rawbytes; classtype:policy-violation; \
            reference:url,www.edonkey.com; sid:2001305; rev:3;)

21
Introduction To Snort
  • http://www.snort.org/docs/snort_htmanuals/htmanual_2832/

22
The Art of Writing Snort Rules
  • Basic rule (fill in the protocol and port):

        alert <protocol> $HOME_NET <port> -> $EXTERNAL_NET any ( \
            msg:"Message to alert"; \
            flow:established,to_server; \
            content:"|0d 0a|User-Agent\: Mozilla/4.0 \(compatible\)|0d 0a|"; \
            classtype:trojan-activity; \
            sid:2008012801; \
            rev:1; )

23
Using Snort Against a Pcap
  • snort -k none -c ./rules -A console -q -l /log/ -r packed.pcap
  • Runs snort straight from the terminal
  • -k none sets checksum mode to none
  • -c sets the ruleset to use - can use snort.conf
    (uses includes)
  • -A console sets output of alerts to the console
  • -l /log/ logs to /log/
  • -r packed.pcap reads in packed.pcap and tests it
    against the ruleset

24
Snort Modes
  • Sniffer mode
        ./snort -vde
  • Packet logger mode
        ./snort -dev -l ./log -h 192.168.1.0/24    (ASCII logging)
        ./snort -l ./log -b                        (binary PCAP file)
  • NIDS mode
        ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

25
Evasion Techniques
  • String matching weaknesses
  • Polymorphic code
  • Fragmentation attacks
  • Denial of service
  • http://secunia.com/advisories/20413/

26
Evasion Techniques (Cont.)
  • TCP splicing attacks
      • Passes the payload over multiple packets
      • Defeats pattern matching
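Added example, not from the slides: the content string from slide 22 is converted to bytes the way Snort reads it, then matched against a constructed HTTP request delivered as two TCP segments, showing that the pattern is missed per packet but found once the stream is reassembled (the TCP stream reassembly listed among the Cisco IPS anti-evasion techniques). The request and the cut point are assumptions.

```python
import re

def parse_snort_content(content: str) -> bytes:
    """Convert a Snort content string to bytes: |hh hh| blocks are hex,
    everything else is literal text with backslash escapes removed."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2:                                   # odd parts sit inside |...|
            out += bytes.fromhex(part)
        else:
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)

# The content option of the slide 22 rule
PATTERN = parse_snort_content(
    r"|0d 0a|User-Agent\: Mozilla/4.0 \(compatible\)|0d 0a|")

# Constructed client request that the rule is meant to catch
REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
           b"User-Agent: Mozilla/4.0 (compatible)\r\nAccept: */*\r\n\r\n")

def splice(data: bytes, cut: int):
    """Simulate TCP splicing: the same bytes delivered as two segments."""
    return [data[:cut], data[cut:]]

def match_per_packet(segments, pattern):
    """Naive IDS: inspect each segment on its own."""
    return any(pattern in seg for seg in segments)

def match_reassembled(segments, pattern):
    """Stream-aware IDS: rebuild the TCP stream, then inspect it."""
    return pattern in b"".join(segments)

if __name__ == "__main__":
    # Cut the stream in the middle of the pattern, as a splicing attack would.
    segs = splice(REQUEST, REQUEST.index(b"Mozilla"))
    print("per-packet :", match_per_packet(segs, PATTERN))   # evaded
    print("reassembled:", match_reassembled(segs, PATTERN))  # detected
```
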

27
Emerging Threats
  • Open source collection of Snort rules that can be
    used by any individual/company
  • Rules are updated a few times a day, seven days a
    week
  • Received grant money from both the NSF and the
    Army Research Office
  • A crazy amount of rules, covering games, adult
    material, malware, P2P, the RBN, etc.

28
OISF
  • Open Information Security Foundation
  • Non-profit organization based out of Indiana
  • Founded in October 2008
  • Goal is to develop a new open source IDS/IPS
    engine
  • Any person/company/organization can submit ideas;
    some include
      • Passive fingerprinting built in
      • Native IPv6 support
      • Hardware acceleration
  • First production release at the end of 2009

29
Detecting Binary Packers
  • Binary packers compress binary files
  • Examples of compression tools: WinZip, WinRAR,
    tar, gzip, etc.
  • Detection relies on the byte pattern left by the
    application used to compress the binary file
  • Many binary packers are used for malicious
    purposes: UPX, Armadillo, VMProtect, SecureRom
    cough
  • http://malforge.com/snort/output_all.zip
  • http://malforge.com/snort/userdb_all.zip

30
Questions, Comments, Concerns, Criticisms?
31
Sources
  • http://www.sans.org/resources/idfaq/id_vs_ip.php
  • http://www.snort.org/about_snort/
  • http://www.sans.org/reading_room/whitepapers/detection/the_history_and_evolution_of_intrusion_detection_344?show=344.php&cat=detection
  • http://www.ece.drexel.edu/telecomm/Talks/thiel.pdf
  • http://hogwash.sourceforge.net/docs/overview.html
  • http://www.openinfosecfoundation.org/index.php/faq
  • http://en.hakin9.org/attachments/hakin9_6-2006_str22-33_snort_EN.pdf
  • http://www.securityfocus.com/infocus/1514