Intrusion Detection Essentials with Snort Primer
Paul Jaramillo, CISSP, GCFA
EECS 710: Information Security & Assurance
University of Kansas
Electrical Engineering & Computer Science
[email protected]
11/3/2006 – University of Kansas – EECS 710 – Intrusion Detection Essentials with Snort Primer

Problem Statement

Faced with ever growing malicious threats to network and computer assets, IT personnel are charged with protecting the confidentiality, integrity, and availability of their employer's data. The 2006 FBI/CSI Computer Crime survey reported that 52% of their respondents were victim to a breach in security last year. A key mechanism in preventing and detecting cyber attacks are Intrusion Detection Systems (IDS). This presentation will outline IDS principles and detail how the open source IDS Snort may be used to increase assurance in your system's security.
Buyer Beware
- "IDS is dead" April 2003
  - John Pescatore, VP Gartner Research
  - Reaction of Security Professionals vs. Mgmt
- "Intrusion detection's permanent placement in the Trough of Disillusionment does not mean that it is obsolete." July 2003
  - Marketing Hype/Spin vs. Real World
Buyer Beware
Things to consider prior to purchase
- Hardware != Security
- Salespersons = Lies
- Lab Results != Real World Results
- "The Devil is in the details", contract details
- Bleeding Edge vs. Cutting Edge
1.0 Why use IDS?
Protect the AIC of Assets
- Outsider Threats – Hackers/Crackers want what you have
  - Bandwidth, CPU cycles, Data
  - Malicious acts – Denial of Service, Defacement, etc
  - Corporate Espionage/Sabotage
- Insider Threats – Disgruntled employees, work errors
  - Insider Threat Fallacy
1.1 Why Use IDS?
Legal Requirements
- Must Demonstrate Due Care/Due Diligence
- 3rd party auditing > controls
- SOX – Sarbanes Oxley requires audit trail
- Increasing privacy legislation
  - GLBA, HIPAA, California Laws (SSN, Notification)
1.2 Why Use IDS?
Benefits of IDS
- Detection of ongoing attacks
- Prevention of pending attacks
- Enforce company policies
- Valuable forensic data

Shortcomings of IDS
- Zero Day Attacks, False Positives, Monitoring Costs
2.0 IDS 101
Primary goal of IDS is to detect when computer/network resources are under attack.
Properly functioning systems exhibit the following traits (Denning):
- Actions of users/processes conform to statistically predictable patterns (data theft)
- Actions of users/processes do not include commands used to subvert security (attack tools)
- Actions of processes function according to specifications (rootkits)
2.1 IDS 101
A good IDS should do the following:
- Detect a wide variety of intrusions
  - Originating from both outside and inside the network. Both known and unknown attacks should be detected.
- Detect intrusions in a timely fashion
- Present data in an easy to understand format
- Be Accurate
  - Limit false positives and false negatives
2.2 IDS 101
IDS Modeling Theory
- Anomaly detection – compares against expected values, reports mismatches
  - Thresholding – (m < Normal Metrics < n)
  - Statistical Moments – mean & std deviation over time using forward weighting (IDES)
  - Markov Model – State transitions/histories based on sequences of commands and not single events (TIM)
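The thresholding and statistical-moments models above, as an added example (not from the slides or from IDES): each subject gets a profile holding a forward-weighted mean and standard deviation of one metric, here a constructed series of daily logins per user, and any observation more than k standard deviations from the mean is reported as a mismatch.

```python
"""Denning-style anomaly detection: thresholding and statistical moments.

Forward weighting (as in IDES) is an exponential decay: the newest observation
gets weight ALPHA, so the profile follows gradual drift while a sudden jump
still stands out. Sample data below is constructed for illustration.
"""
import math
from dataclasses import dataclass


def within_threshold(value, m, n):
    """Thresholding model: normal metrics satisfy m < value < n."""
    return m < value < n


@dataclass
class MomentProfile:
    alpha: float = 0.2      # forward weighting: weight of the newest sample
    mean: float = 0.0
    var: float = 0.0
    count: int = 0

    def update(self, x):
        """Fold one observation into the exponentially weighted mean/variance."""
        if self.count == 0:
            self.mean = float(x)
        else:
            diff = x - self.mean
            self.mean += self.alpha * diff
            # decayed variance: old variance plus the weighted squared deviation
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        self.count += 1

    def is_anomalous(self, x, k=3.0, min_std=0.5):
        """Report a mismatch when x lies more than k standard deviations from
        the learned mean. min_std floors the deviation so a perfectly constant
        history does not flag every later observation as anomalous."""
        if self.count < 2:
            return False        # not enough history to judge
        std = max(math.sqrt(self.var), min_std)
        return abs(x - self.mean) > k * std


def train_profiles(history):
    """history: {subject: [metric values...]} -> {subject: MomentProfile}"""
    profiles = {}
    for subject, values in history.items():
        prof = profiles.setdefault(subject, MomentProfile())
        for v in values:
            prof.update(v)
    return profiles


# Constructed sample data: ten days of interactive logins per account.
HISTORY = {
    "alice": [10, 12, 11, 13, 10, 12, 11, 12, 13, 11],
    "backup": [1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
}
PROFILES = train_profiles(HISTORY)

if __name__ == "__main__":
    for user, today in (("alice", 12), ("alice", 70), ("backup", 2), ("backup", 9)):
        flag = "ANOMALY" if PROFILES[user].is_anomalous(today) else "normal"
        print(f"{user}: {today} logins today -> {flag}")
```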
2.3 IDS 101
IDS Modeling Theory Continued
- Misuse detection – determines whether a sequence of instructions violates security (rule-based detection)
  - Requires extensive knowledge of vulnerabilities
  - Unknown attacks or variations of existing attacks
2.4 IDS 101
IDS Modeling Theory Continued
- Specification-based detection – determines if a sequence of instructions violates a specification of a program or system
  - Based on known good states
  - Example – rdist remote root exploit
2.5 IDS 101
IDS Components
- Sensor (Agent) – collects raw data
- Analysis Engine (Director) – preprocessing, anomaly and/or rule-based detection
- Alerting Engine (Notifier) – takes predefined action like alarming, logging, or ignoring
- Monitoring & Mgmt interface (Director)
2.6 IDS 101
Types of IDS
- Network IDS (NIDS)
  - Promiscuous Mode – layer 2
  - Signature based – known bad/good traffic
3.1 Design and Implementation
Network Placement
- Consider most critical assets
  - Outside Perimeter
  - Inside Perimeter
  - Application/Server specific zones
  - Remote & Vendor Access/Wireless zones
  - HIDS on all mission critical servers
3.2 Design and Implementation

3.3 Design and Implementation
Connection Strategies
- Hub
  - Simple & Cheap, SOHO
  - Poor performance, high MTTF
3.4 Design and Implementation
Connection Strategies Continued
- Switch, SPAN port
  - No additional hardware, software change
  - Limited span ports, backplane bandwidth
  - No visibility to packet errors
3.5 Design and Implementation
Connection Strategies Continued
- Hardware Tap
  - Expensive, requires additional NIC
  - Fault tolerant to power failures
  - No traffic flow impact
3.6 Design and Implementation
Appliance installation
- Test first, make install notes
- Change default passwords, remove vendor access
- Verify surveillance network connectivity
- Configure to corporate standards
- Connect to mgmt server
- Apply relevant patches
- Update signatures
- Break-In period
3.7 Design and Implementation
- Dependent on network and requirements
  - CPU, memory, network card, storage

OS Selection
- Cost/Support Contracts/Company rules
- Linux, Solaris, BSD, even Windows & OS X
- Go with what you know
3.8 Design and Implementation
OS Hardening
- Don't install GUI or unnecessary services
  - KDE/GNOME and Development
  - Games/Multimedia/Office Applications
  - Help and Support Docs
- Kernel tuning, remove devices not used
- Remove virtual consoles (tty<x>)
- Remove the compiler
3.9 Design and Implementation
Other Options
- Secure Linux Distros
3.10 Design and Implementation
Snort installation
- Libpcap and Libpcre required
- Apache/MySql, PostgreSql, Oracle, MS-SQL
- From source
  - tar -zxvf <package>; uncompresses files
  - ./configure; script that determines your environment
  - make; compiles code from makefile
  - make install; distributes binaries to directory
3.11 Design and Implementation

3.14 Design and Implementation
Edit /etc/snort/snort.conf
- Define variables
  - HTTP_PORTS, EXTERNAL_NET, etc
- Define path to rules, select rule libraries
- Select Pre-Processors, stream4_reassemble
- Output-Plugins -> Mysql

Test snort
- snort -T -c /etc/snort/snort.conf
3.15 Design and Implementation
Important Command-Line switches
- -A <alert> full, fast, or none
- -b logs in tcpdump format
- -c specifies snort.conf
- -D daemon mode
- -i interface
- -l logging directory
- -T testing mode
3.16 Design and Implementation
Preprocessors
- Stream4 is very powerful
  - Detect_scans, non normal TCP handshakes
  - Detect_state_problems, MS issues
  - Evasion_alerts, overlapping segments, syn data
  - Ttl_limit, session limit on ttl values

Sample
alert tcp any any -> any 23 (content:"snort"; pcre:"/\s+\d+\.\d+\.\d+/R";)
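The sample rule above, replayed by an added example (not Snort's own code) that parses the rule header and its content/pcre options and evaluates them over constructed telnet payloads. It handles only case-sensitive content and the i, s, m and R pcre modifiers, enough to show how R restricts the regex search to the bytes after the content match.

```python
"""Minimal evaluator for a Snort rule with content + relative pcre.

Added example, not Snort source. Snort records where the last content
match ended (the "detect offset end", doe) and a pcre option carrying the
R modifier searches only from that point onward; without R the whole
payload is searched. Payloads below are constructed for illustration.
"""
import re

RULE = r'alert tcp any any -> any 23 (content:"snort"; pcre:"/\s+\d+\.\d+\.\d+/R";)'

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# keyword:"value"; pairs, allowing backslash escapes inside the quotes
OPTION_RE = re.compile(r'(\w+)\s*:\s*"((?:\\.|[^"\\])*)"\s*;')
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}


def parse_rule(text):
    """Split a rule into header fields plus an ordered (keyword, value) list."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unparseable rule header")
    rule = m.groupdict()
    rule["options"] = OPTION_RE.findall(m.group("opts"))
    return rule


def matches(rule, payload):
    """Evaluate content/pcre options in order against one packet payload.
    Returns True only if every option matches; other keywords are ignored."""
    doe = 0                       # byte just past the last content/pcre hit
    for keyword, value in rule["options"]:
        if keyword == "content":
            pos = payload.find(value.encode())   # case-sensitive, like Snort without nocase
            if pos < 0:
                return False
            doe = pos + len(value)
        elif keyword == "pcre":
            pat, _, flags = value.rpartition("/")
            pat = pat[1:]                        # drop the leading '/'
            reflags = 0
            for f in flags:
                reflags |= PCRE_FLAGS.get(f, 0)
            regex = re.compile(pat.encode(), reflags)
            start = doe if "R" in flags else 0   # R: relative to the doe pointer
            hit = regex.search(payload, start)
            if not hit:
                return False
            doe = hit.end()
    return True


if __name__ == "__main__":
    rule = parse_rule(RULE)
    for payload in (b"snort 2.4.5 running", b"snort version unknown",
                    b"xyz 1.2.3 snort", b"SNORT 2.4.5"):
        print(payload, "->", "ALERT" if matches(rule, payload) else "no match")
```

Dropping the R modifier makes the third payload match as well, because the version regex is then free to hit anywhere in the payload.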
Preparation
- Define procedures & policies first
- Know the network, Know the assets
- Establish a standard toolkit
- Contact lists are crucial
- Security specific training
Identification
- What is an incident?
  - Unauthorized Access
  - Malicious Code – Viruses/Worms/Spyware
  - Denial of Service
  - Data Theft/Misuse
- Passive vs. Active monitoring
  - Passive tool – Honeypots
  - Attacker goals unknown
  - Document everything
Ideal Features
- Stable & Accurate
- Streaming Alerts
- Trending of data
- Correlation of data
- Raw data and/or payload information
- Report capability
Keeping your sensors up to date
- Trusted sources & File integrity
- Automatic backups and updates
- Updating Rules
  - Merging vs. Overwriting
  - Oinkmaster/IDSCenter
  - Testing rules
  - Change control
  - Security Mailing lists
6.5 Skills and Tools
- Metasploit – Exploit Tool
7.0 Legal Issues
Internally
- Policy is key, must be available and understood
- Letter of Authorization
- Be aware of Chain of Custody
- Uniform monitoring of traffic/logs
- Consult Legal department
- Sox – data retention – ISO17799
7.2 Legal Issues
Reporting to LEA
- 5K in damages, includes response and restoration
- Local Law Enforcement
- FBI, infragard.net, RCFL
- Secret Service
- DHS Hotline, infrastructure
- Cybercrime.gov
8.0 Future & Conclusion
Current Trends
- IDS/IPS moving towards SIM
- More integration, DPI firewalls
- Security at the switch/host – NAC
- Wireless IDS

Further Reading
- Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Newsham/Ptacek
  http://crypto.stanford.edu/cs155/IDSpaper.pdf
- Great Resources
  http://www-static.cc.gatech.edu/~wenke/ids-readings.html
  http://www.snort.org/docs/
References

- Beale, Jay (2004). "Snort 2.1 Intrusion Detection, 2nd Edition". Syngress Publishing, Rockland, MA.
- 2006 CSI/FBI Computer Crime and Security Survey. Available from http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf
- Bishop, Matt (2005). "Introduction to Computer Security". Addison Wesley, Boston, MA.
- Laing, Brian (2000). "How To Guide for implementing NIDS". Internet Security Systems, http://www.snort.org/docs/iss-placement.pdf