Common Intrusion Detection Framework - PowerPoint PPT Presentation

About This Presentation

Title:

Common Intrusion Detection Framework

Description:

Scenario1: malicious user. Malicious user logs in deletes the passwd file ... Permit allows the filter matching code to search for GIDO from the root. ... – PowerPoint PPT presentation

Number of Views:29

Avg rating:3.0/5.0

Slides: 12

Provided by: edwar57

Learn more at: http://www.cs.uccs.edu

Category:

more less

Transcript and Presenter's Notes

Title: Common Intrusion Detection Framework

1
Common Intrusion Detection Framework

By
Ganesh Godavari

2
Review CIDF architectecture
consumer
Producer
3
Scenario1 malicious user

Malicious user logs in deletes the passwd file
how does the GIDO look like between E-box to
A-box ?

4
GIDO

InSequence
(Login
(Location
(Time '145736 24 Feb 1998')
)
(Initiator
(HostName doctor.evil.com')
)
(Account
(UserName 'minime')
(RealName minie me')
(HostName austin.powers.mov')
(ReferAs 0x12345678)
)
)
(Delete
(World Unix)
(Location
(HostName austin.powers.mov')

(Login (World Unix)
(Outcome (CIDFReturnCode Failed)
(Comment '/etc/passwd missing')
) (Location
(Time '150248 24 Feb 1998') )
(Initiator (HostName
'small.world.com') )
(Account (UserName austin')
(RealName austin powers')
(HostName small.world.com') )
) )
continued
5
Snort nmap alert

CIDF E-box raised the following error
How does the GIDO look like from E-box to R-box?
14691 ICMP PING NMAP
Classification Attempted Information Leak
Priority 2
10/15-031018.489131 128.198.60.188 -gt
128.198.60.195
ICMP TTL56 TOS0x0 ID25681 IpLen20 DgmLen28
Type8 Code0 ID56447 Seq0 ECHO
Xref gt http//www.whitehats.com/info/IDS162

6
GIDO

( ByMeansOf
( Attack
( Initiator
( IPV4Address 128.198.60.188 )
)
( Observer
( ProcessName snortIDS )
)
( Target
( IPV4Address 128.198.60.195 )
)
( AttackSpecifics
( Certainty 100 )
( Severity 100 )
( AttackID 0000000100000001 )
)
( Outcome
( CIDFReturnCode 2 )
)

(Do (BlockMessage ( Message
( IPV4Protocol 4 ) (
SourceIPV4Address 128.198.60.188 )
( DestinationIPV4Address 128.198.60.195 )
) ( When ( BeginTime
Wed Jun 15 031018 1999 MDT ) (
EndTime thu Jun 16 031018 1999 MDT )
) ) ) ) )
continued
7
Snort based E-box Ad filter

( Filter
( Fragment
( ByMeansOf
( Attack
( when
(Time "!"))
( AttackSpecifics
( Attack-ID "!-0x00000005",
"!")
( AtackNickname "!-"))
( Initiator "!")
(IPV4Address "!")
( HostName "?-")
( TCPSourcePort "!-"))
( Target
( IPV4Address "!10.0.0.1,10.0.0.
2,
10.0.0.3,10.0.0.4,10
.0.1.0/8)
( HostName "?-")
( TCPDestinationPort "!-"))
( Observer

( SendMessage ( when
(Time "!-")) ( Initiator
(IPV4Address "!") ( HostName
"?-") ( TCPSourcePort
"!-")) ( Target (
IPV4Address "!-) ( HostName
"?-") ( TCPDestinationPort
"!-")) ( Observer (
ProcessName "!-'snort'") (
HostName "!-'hercales'")) (
Message ( TransportProtocol
"?'tcp'") ( IPV4SetviceType
"?") ( IPV4Identifier
"?") ( IPV4TTL "?")
( TCPSequenceNumber "?")
( TCPAckNumber "?") (
TCPWindow "?") ( TCPFlags
"?") ( TCPMSS "?")))))
! field always available ? field might or might
not be available - field is not negotiable
field is negotiable
continued
8
A-box Template proposal

( Filter
( Fragment
( Attack
( When
( Time "!-"))
( AttackSpecifics
( Attack-ID "!-0x00000005",
"!0x00000000,0x000000001")
( AtackNickname "!-"))
( Initiator
( IPV4Address "!")
( TCPSourcePort "!-"))
( Target
( IPV4Address "!10.0.0.1,10.0.1.17,10
.0.1.18)
( TCPDestinationPort "!-"))
( Observer
( ProcessName "?")
( HostName "?")
( IPv4Address "?"))))
( Permit, ''ByMeansOf', 'And', ''HelpedCause'))

Permit allows the filter matching code to search
for GIDO from the root. So here we are looking
for fragment like ByMeansOf, And,
HelpedCause
9
Candidate proposal A-box to E-box