Network intrusion detection/prevention systems

Network Intrusion Detection Systems #1

Jan 17, 2015


Technology

Peter Dulačka

Slides from the overview presentation about intrusion detection/prevention systems, presented in the Security in Internet course at the Faculty of Informatics and Information Technology. The presentation is part of the course assignment.
Transcript
Page 1: Network Intrusion Detection Systems #1

Network intrusion detection/prevention systems

Page 2: Network Intrusion Detection Systems #1

NIDS (detection system)

• realtime attack detection
• passive (watchers) / active (measurement) systems
• via analysis
– protocol analysis
– graph analysis
– anomaly detection
• analysis of direct network traffic
– complete / light

Page 3: Network Intrusion Detection Systems #1

NIDS scheme

http://insecure.org/stf/secnet_ids/evasion-figure3.gif

Page 4: Network Intrusion Detection Systems #1

Traffic analysis

• analyzing behaviour, not just packets
• difficulties
– NIDS can be run from different part of network
– bad packets
– reordering issues
• sensor placement
– inline
– passive
• spanning port
• network tap
• load balancer

Page 5: Network Intrusion Detection Systems #1

http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf

Page 6: Network Intrusion Detection Systems #1

http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf

Page 7: Network Intrusion Detection Systems #1

Signature-based analysis

• pattern matching
• “patterns of malicious traffic”
• very elementary (basically grepping)

+ huge community for rule generation
+ great for low level analysis (rules are very specific)
+ not taking too much resources
- lower performance with big ruleset
- slight attack variation can beat the rule

Page 8: Network Intrusion Detection Systems #1

Rule example

# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:267; rev:13;)
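The rule on this slide is a Snort signature. As an added example (not from the slides and not Snort's own code), the Python below decodes the rule's content pattern and applies the "basically grepping" byte matching that the signature-based slide describes to constructed payloads, including a one-byte variant the rule misses. The rule text is the one on the slide; the payloads and all function names are constructed for this example.

```python
import re

# Rule quoted from the slide (Snort community rule sid:267).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-SOLARIS EXPLOIT sparc '
        'overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| '
        '|08 92 02| |0F D0 23 BF F8|"; fast_pattern:only; metadata:ruleset community, '
        'service dns; classtype:attempted-admin; sid:267; rev:13;)')


def content_to_bytes(spec):
    """Decode a Snort content string. Text between a pair of pipes is hex;
    text outside the pipes is literal, so the single spaces between the
    pipe groups in the rule above are real 0x20 bytes of the pattern."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Split a rule into its header fields and a dict of its options."""
    head, _, body = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    opts = dict(re.findall(r'(\w+):("[^"]*"|[^;]*);', body))
    opts = {k: v.strip('"') for k, v in opts.items()}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": opts}


def rule_matches(parsed, dport, payload):
    """Signature matching as the slide puts it: the rule fires when the
    destination port matches and the decoded pattern occurs anywhere in
    the payload (flow and fast_pattern options are ignored here)."""
    port_ok = parsed["dport"] in ("any", str(dport))
    return port_ok and content_to_bytes(parsed["options"]["content"]) in payload


# Constructed sample payloads (not captured traffic): filler around the pattern.
PATTERN = content_to_bytes("|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|")
HIT = b"\x00" * 8 + PATTERN + b"\x00" * 8
# One byte changed inside the pattern defeats the exact match, which is the
# "slight attack variation can beat the rule" drawback from the previous slide.
VARIANT = HIT.replace(b"\x92\x02", b"\x94\x02")

if __name__ == "__main__":
    r = parse_rule(RULE)
    print(r["options"]["sid"], r["options"]["msg"])
    print("exact payload to port 53:", rule_matches(r, 53, HIT))      # True
    print("variant payload to port 53:", rule_matches(r, 53, VARIANT))  # False
    print("exact payload to port 80:", rule_matches(r, 80, HIT))      # False
```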

Page 9: Network Intrusion Detection Systems #1

Protocol-based analysis

• reviewing network data
• strictly based on layer headers
• knowledge of expected values

+ better possibility for scalability
+ generic, able to catch zero-day exploits
- protocol headers preprocessor needs resources
- rules can get extremely difficult to write/understand
- provide low information, admin has to investigate

Page 10: Network Intrusion Detection Systems #1

Types of detected events

• transport layer attack
• network layer attack
• unexpected services (tunnel, backdoor etc.)
• policy violations (forbidden protocols, ports etc.)

note: detection with accuracy

Page 11: Network Intrusion Detection Systems #1

Types of attack

• evasion/insertion attacks
– bad IP headers
– bad IP options
– direct frame addressing
• IP packets fragmentation
– set up delay for dropping stored packets
• TCP layer problems
– sync between NIDS and end system

Page 12: Network Intrusion Detection Systems #1

Prevention

• passive
– ending TCP stream
• inline
– inline firewalling
– throttling bandwidth usage
– altering malicious content
• passive and inline
– running third party script
– reconfiguring other network devices

Page 13: Network Intrusion Detection Systems #1

Toolset

• SNORT
– opensource
– windows / linux
– lots of plugins
• OSSIM (security information and event management)
• Sguil (network security monitor)

Page 14: Network Intrusion Detection Systems #1

SNORT

• started as sniffer in 1998
• sniffer, packet logger, and NIDS
• most used open-source NIDS right now
• loads of add-ons
• big and stable community (regular community rule releases)

Page 15: Network Intrusion Detection Systems #1

Firewall network with SNORT

Page 16: Network Intrusion Detection Systems #1

SNORT add-ons

• DumbPig
– bad rule grammar detection
• OfficeCat
– search for vulnerabilities in Microsoft Office docs
• SnoGE
– reporting tool parsing your logs and visualising them as points at Google Maps
• Oinkmaster
– tool for creating and managing rules
• iBlock
– daemon grepping alert file and blocking offending hosts

http://www.snort.org/snort-downloads/additional-downloads

Page 17: Network Intrusion Detection Systems #1

Q&A