Using Argus Audit Trails to Enhance IDS Analysis - PowerPoint PPT Presentation

1 / 18
About This Presentation
Title:

Using Argus Audit Trails to Enhance IDS Analysis

Description:

Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems jhaile_at_nitrodata.com Overview What is an audit trail? What is Argus? Overview of IP ... – PowerPoint PPT presentation

Number of Views:40
Avg rating:3.0/5.0
Slides: 19
Provided by: Jed55
Category:

less

Transcript and Presenter's Notes

Title: Using Argus Audit Trails to Enhance IDS Analysis


1
Using Argus Audit Trailsto Enhance IDS Analysis
  • Jed Haile
  • Nitro Data Systems
  • jhaile_at_nitrodata.com

2
Overview
  • What is an audit trail?
  • What is Argus?
  • Overview of IP audit trails
  • Why are they useful?
  • Using audit trails to monitor your network
  • Detecting interesting network events using audit
    trails
  • Enhancing IDS analysis using audit trails

3
What is an IP Audit Trail?
  • An IP audit trail is a collection of network
    flows across some point of a network.
  • A network flow is an identifiable exchange of
    data between two endpoints on a network.
  • Flows may be delineated by normal protocol (a SYN
    replied to by an RST) or by timeouts.
  • Flows may become exaggerated, as not all network
    traffic is readily broken into correct sessions
    with available information

4
What is Argus?
  • Written by Carter Bullard as part of a DoD
    contract while he was at Carnegie-Mellons SEI
  • Runs on unix
  • The free version is available at
    http//www.qosient.com/argus
  • A commercial version is under development by
    Qosient

5
More about Argus
  • Argus uses a client server model
  • Data collection engine (Server) Monitors the
    network using libpcap, collects network data into
    audit trails. This engine can output the data to
    a file or to a socket.
  • Argus client Reads audit data from a file or
    from a socket. There are a number of clients
    available for various purposes.

6
Argus Clients
  • ra reads Argus data and displays it on stdout
  • ragator aggregates flows in arbitrary fashions
  • ramon produce rmon style reports and tables
  • racount counts bytes and packets
  • rasort sorts Argus records
  • raxml display all fields in xml format
  • Others ratop, ragrep, rahistogram, rasrvstats
  • Lacking Database client!!

7
Default RA output
timestamp protocol src IP direction
dst IP status 17 Apr 02 095916 icmp
192.172.1.26 lt-gt 192.172.1.253 ECO 17 Apr
02 095916 tcp 192.172.191.46.458 -gt
207.68.162.24.80 FIN 17 Apr 02 095916 icmp
192.172.1.25 lt-gt 192.172.1.253 ECO 17
Apr 02 095916 tcp 192.18.221.25.119 -gt
192.172.191.61.25 FIN 17 Apr 02 095916 tcp
192.172.1.6.3562 -gt 209.10.33.195.80 FIN 17 Apr
02 095916 tcp 192.172.1.23.5936 -gt
61.200.81.153.80 EST 17 Apr 02 095916 tcp
192.172.191.46.4585 -gt 64.4.30.24.80 FIN 17
Apr 02 095917 tcp 192.172.191.46.4990 -gt
12.12.162.203.80 RST 17 Apr 02 100004 tcp
192.172.191.46.240 -gt 216.33.240.24.80 RST 17
Apr 02 095917 tcp 142.177.221.77.177 -gt
192.172.18.27.634 RST 17 Apr 02 100002 icmp
192.172.1.25 -gt 192.172.1.253 ECO 17 Apr
02 100002 icmp 129.82.45.220 -gt
192.172.1.3 ECO 17 Apr 02 100002 icmp
129.82.45.220 -gt 192.172.1.3 ECO 17
Apr 02 100002 udp 205.158.62.41.967 -gt
192.172.191.6.53 TIM 17 Apr 02 100002 icmp
129.82.45.220 -gt 192.172.1.3 ECO
There is still a lot of other useful data we can
capture!!
8
Data Model
  • Source IP address
  • Destination IP address
  • Source Port
  • Destination Port
  • Protocol
  • Time of first packet
  • Time of last packet
  • Packets sent
  • Bytes sent
  • Packets received
  • Bytes received
  • This set of data is surprisingly rich!

9
Why are these useful?
  • This set of data can be analyzed to find network
    sessions, or sets of session that appear to be
    suspicious.
  • In the case of a compromise, the audit trails can
    be examined to find out what else might have
    happened.
  • Excellent tool for network policy monitoring.
    Makes finding unauthorized servers, or services,
    or backdoors much easier to detect.
  • Much smaller than full packet captures, so more
    can be stored for longer.
  • Well suited to statistical analysis

10
Reducing Record Counts
  • A major problem with collecting network flows is
    the extreme rate and large quantity of records
  • Fortunately network flows are readily aggregated
  • All flows with the same source and destination
    addresses and ports can be collapsed to a single
    row, with a counter

11
Portscan Detection
  • IP audit trails are an excellent tool for
    detecting network enumeration attempts.
  • Snorts spp_portscan2 uses network flows to
    detect portscans
  • To detect portscanning simply count connections
    from external hosts to distinct hosts and ports
    on your network
  • A well defined concept of home network versus
    external network is critical
  • A portscan attempt which also correlates to an
    IDS alert, or to a session that is long or that
    moves some data might point to a successful
    compromise

12
Long Sessions
  • Long sessions are common on networks
  • Due to the more stateless nature of udp and icmp,
    distinct network flows might be collapsed into a
    single network flow
  • Long sessions to interesting ports, or inbound to
    unexpected locations, or with IDS alerts are the
    things we want to focus on
  • Extensive correlation is critical to making the
    important long sessions stand out

13
Traffic to Nonexistent Hosts
  • Inbound traffic to a host that is known to not
    exist
  • A good way of detecting network enumeration
    attempts

14
Traffic to High Ports
  • Sessions being initiated to high ports on your
    home network should always be viewed with
    suspicion
  • There are exceptions (ftp traffic)
  • By keeping state on your networks flows you
    can eliminate many of the valid inbound high port
    connections
  • High port traffic IDS alert

15
High Connection Rate
  • High connection rates could point to DOS
    attempts, port scanning, auto rooter, P2P
    activity, worm activity, and more
  • There are valid network activities which can
    generate high connection rates
  • Correlation of high connection rates to other
    anomalous activities is what we need to look for

16
High Packet Rate
  • Another example of could be bad, could be good
    activity
  • High packet rates might indicate worm activity,
    portscanning, or other nastiness
  • A sudden appearance of high packet rates linked
    to a previous session which had IDS alerts
    associated could indicate a host that has been
    successfully compromised

17
Stepping Stone Detection
  • A stepping stone is a computer that is used as an
    intermediate point between two other computers
  • Stepping stones are frequently used by attackers
    to obscure their location/identity
  • Stepping stones can be detected by correlation of
    on/off times between two network flows. This is
    prone to false positives.
  • A better approach is to correlate on and off
    times of packet activity inside the flow, but
    requires finer granularity in the data than can
    be provided by argus.

18
Summary
  • Using IP audit trails is a powerful enhancement
    to IDS
  • IP audit trails also give new ways of looking for
    anomalous traffic, new services on your network,
    or for getting a better perspective on your
    networks operation
  • There is lots to be done!
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Using Argus Audit Trails to Enhance IDS Analysis" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!