Intrusion Detection Systems

76 Pages

Slide: Intrusion Detection
Author: Prof Bill Buchanan

Outline: Introduction; Threats; Types; Host or Network?; Agent-based; Snort; A simple rule; A few intrusions; User profiling; Honeypots; IPS; Conclusions.

Section: Introduction (diagram: Eve, the intruder, against the defences)

Slide: Defence-in-depth
The enemy takes some time to breach each of the levels of defence.

Slide: DMZ
Untrusted (their side) | DMZ | Trusted (our side)
DMZ – an area where military actions are prohibited.

Slide: Protecting
Assets: users, systems, data.
Even with the best defences, intruders can penetrate them. (Diagram: an intruder probing the defences: "Hello. How are you? Is this okay?")

Slide: Defence-in-depth
First-level defence in front of the assets. Intrusion Detection Systems can help to reduce …

Section: Threats

Slide: Outside threats
Threats arriving at the organisational perimeter: data stealing, corporate access, email access, external hack, web access, DoS, terrorism/extortion, fraud. (Diagram labels: Intrusion Detection; perimeter; Assets.)

Slide: Internal threats (often a greater threat than from outside)
CSI (Computer Security Institute) found:
- 70% of organisations had breaches
- 60% of all breaches came from inside their own systems
[…] not deal with internal […] (the organisational perimeter and the same list of threats as on the previous slide: data stealing, corporate access, email access, external hack, web access, DoS, terrorism/extortion, fraud)

Slide: Defence-in-depth (multiple obstacles)
Diagram: Eve (intruder) – firewall – public web server, public FTP server, public proxy server – NAT device – audit/logging – intrusion detection system, each labelled as a layer of defence.
Defence-in-depth puts as many obstacles in the way of an intruder, so that it becomes harder to penetrate the network, and easier to detect.

Section: Types

Slide: IDS types
Threats an IDS agent faces: personal abuse, denial-of-service, external hack (scripting), external hack (human), fraud, data stealing, viruses/worms.
Misuse detection: this attempts to model attacks on a system as specific patterns, and then scans for occurrences of these. Its disadvantage is that it struggles to detect new attacks.
Anomaly detection: this assumes that abnormal behaviour by a user can be correlated with an intrusion. Its advantage is that it can typically react to new attacks, but it can often struggle to detect variants of known attacks, particularly if they fit into the normal usage pattern of a user. Another problem is that the intruder can mimic the behavioural pattern of the user.

Slide: IDS types
Network intrusion detection systems (NIDS): these monitor packets on the network and try to determine an intrusion. The sensor is either host based (where it runs on a host), or can listen to the network using a hub, router or probe.
System integrity verifier: these monitor system files to determine if an intruder has changed them (a backdoor attack). A good example of this is Tripwire. It can also watch other key system components, such as the Windows registry and root/administrator level privileges.
Log file monitors (LFM): these monitor log files which are generated by network services, and look for key patterns of change. Swatch is a good example.
User profiling.

Slide: Typical pattern of intrusion
- The intruder gains public information about the systems, such as DNS and IP […]
- The intruder gains more specific information such as subnet layout, and networked […] ("from code yellow to code red")
- Exploit: the intruder finds a weakness, such as cracking a password, breaching a firewall, and so on.
- Foothold: once into the system, the intruder can then advance up the privilege levels.
- Profit: data stealing, system damage, user abuse, and so on.
(Intrusion detection is labelled at the foothold and profit stages of the diagram.)

Section: Host or Network?

Slide: Host or network?
Host-based IDS listens to traffic in/out of a host. Network-based IDS listens to some/all network traffic.
Diagram: DMZ with a public web server and a public FTP server, a NAT device, and intrusion detection systems placed both on hosts and on network segments.

Slide: Protecting
Diagram: firewall, intrusion detection system, DMZ, NAT device.

Slide: IDS location
Hub: an IDS connected to a hub can listen to all the incoming and outgoing network traffic.
Switch: this IDS cannot hear any traffic which is not addressed to it as it connects to a switch.

Slide: Using the span port
The IDS is connected to port 0/1, which is configured to monitor ports 0/2 and 0/5 and VLAN 2:

    interface FastEthernet0/1
     port monitor FastEthernet0/2
     port monitor FastEthernet0/5
     port monitor VLAN2
    !
    interface FastEthernet0/2
    !
    interface FastEthernet0/3
     switchport access vlan 2
    !
    interface FastEthernet0/4
     switchport access vlan 2
    !
    interface FastEthernet0/5
    !
    interface VLAN1
     ip address 192.168.0.1 255.255.255.0
     no ip directed-broadcast
     no ip route-cache
    !

Slide: Protecting
IDS placement in the diagram: this IDS detects successful attacks against the firewall; this IDS detects attacks against the server in the DMZ; this IDS detects attacks against the main […]; this IDS detects internal attacks; this IDS detects attacks against the host.

Section: Agent-based

Slide: Agent-based system allows for distributed security
Agents: security agent, management agent, QoS agent, SNORT agent, reconfig agent, auditing agent.

IDS: Agent-based

Section divider (outline slide)

Slide: Integrating with WinPCap – capturing packets
Layers, bottom to top: network interface (Ethernet, wireless, ADSL, etc.) → libpcap / WinPCap → capture filter → API interface → applications: Wireshark, SNORT, user-defined agent.

IDS: WinPCap

Slide: Integrating with WinPCap – showing the interface (Tamir code wrapper, .NET interface)

    using System;
    using Tamir.IPLib;   // SharpPcap 1.x (Tamir) wrapper around WinPCap; member names follow that wrapper

    namespace NapierCapture
    {
        public class ShowDevices
        {
            public static void Main(string[] args)
            {
                string verWinPCap = null;
                int count = 0;
                // Version of the installed WinPCap library and the list of capture devices
                verWinPCap = SharpPcap.Version;
                PcapDeviceList getNetConnections = SharpPcap.GetAllDevices();
                Console.WriteLine("WinPCap Version: {0}", verWinPCap);
                Console.WriteLine("Connected devices:\r\n");
                foreach (PcapDevice net in getNetConnections)
                {
                    // Index, description, IP address (network devices only) and loopback flag
                    NetworkDevice nd = net as NetworkDevice;
                    Console.WriteLine("{0}) {1}", count, net.PcapDescription);
                    Console.WriteLine("\tIP Address: {0}", nd != null ? nd.IpAddress : "n/a");
                    Console.WriteLine("\tLoopback: {0}", net.PcapLoopback);
                    count++;
                }
                Console.Write("Press any RETURN to exit");
                Console.Read();
            }
        }
    }

Slide: Integrating with WinPCap – capturing packets (Tamir code wrapper, .NET interface)

    using System;
    using Tamir.IPLib;
    using Tamir.IPLib.Packets;   // Packet type delivered to the arrival callback

    namespace NapierCapture
    {
        public class CapturePackets
        {
            public static void Main(string[] args)
            {
                PcapDeviceList getNetConnections = SharpPcap.GetAllDevices();
                // Second device in the list; change the index for another adapter
                NetworkDevice netConn = (NetworkDevice)getNetConnections[1];
                PcapDevice device = netConn;
                // Register the callback, open the device in promiscuous mode and start capturing
                device.PcapOnPacketArrival += new SharpPcap.PacketArrivalEvent(device_PcapOnPacketArrival);
                device.PcapOpen(true);
                Console.WriteLine("Network connection: {0}", netConn.PcapDescription);
                device.PcapStartCapture();
                Console.Write("Press any RETURN to exit");
                Console.Read();
                device.PcapClose();
            }

            // Called by the wrapper for every captured packet: print its timestamp and length
            private static void device_PcapOnPacketArrival(object sender, Packet packet)
            {
                DateTime time = packet.PcapHeader.Date;
                int len = packet.PcapHeader.PacketLength;
                Console.WriteLine("{0}:{1}:{2},{3} Len {4}",
                    time.Hour, time.Minute, time.Second, time.Millisecond, len);
            }
        }
    }

Sample output:

    13:17:56,990 Len 695
    13:17:57,66 Len 288
    13:17:57,68 Len 694
    13:18:4,363 Len 319
    13:18:4,364 Len 373
    13:18:4,364 Len 371
    13:18:4,365 Len 375
    13:18:4,366 Len 367

Section: Snort

Slide: Snort rules
SNORT agent: works on event data and log data, driven by a SNORT rules file.
Signature detection: identify well-known patterns of attack.
Anomaly detection: statistical anomalies, such as user logins, changes to files, and so on.
Other tools: Tcptrace (identify TCP streams); Tcpflow (reconstruct TCP streams).

Slides: Snort rules – anatomy of a rule

    alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

Rule actions (the first word of the rule):
- alert: generate an alert and log the packet
- log: log the packet
- pass: ignore the packet
- activate: alert and activate another rule
- dynamic: remain idle until activated by an activate rule

Rule header: [Source IP] [Port] -> [Destination IP] [Port], so the rule above matches TCP from any source address and port to port 111 on 192.168.1.0/24.

Payload detection (inside the parentheses): hex sequence "|00 01 86 a5|"; text sequence such as "USER …"; options such as content and byte_jump.

msg:"mountd access" is the message to display when the rule fires.

Slide: Snort rule

    alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; classtype:policy-violation; sid:1991; rev:1;)

The SID and REV identify known Snort rules:
- less than 100: reserved for future use
- between 100 and 1,000,000: rules included with the Snort distribution
- more than 1,000,000: local rules
For example, sid:336; rev:7; represents an attempt to change to the system administrator's account in FTP.

Section: A simple rule

Slide: Running Snort
A rule that fires on any TCP packet whose payload contains "the":

    alert tcp any any -> any any (content:"the"; msg:"The found .";)

Run Snort in verbose mode with that rules file and a log directory:

    Snort -v -c bill.rules -l /log

Alerts are written to alert.ids (in \log); these three were recorded on 16 January at 10:27pm:

    [**] [1:0:0] The found . [**]
    [Priority: 0]
    01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
    192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
    ***AP*** Seq: 0xF842A9D3  Ack: 0x3524EE7B  Win: 0x4321  TcpLen: 20

    [**] [1:0:0] The found . [**]
    [Priority: 0]
    01/16-22:27:35.287084 0:3:6D:FF:2A:51 -> 0:60:B3:68:B1:10 type:0x800 len:0x198
    192.168.0.20:3554 -> 192.168.0.22:445 TCP TTL:128 TOS:0x0 ID:1086 IpLen:20 DgmLen:394 DF
    ***AP*** Seq: 0x3524EE7B  Ack: 0xF842AB06  Win: 0x42E4  TcpLen: 20

    [**] [1:0:0] The found . [**]
    [Priority: 0]
    01/16-22:27:35.290026 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x5D
    192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:775 IpLen:20 DgmLen:79 DF
    ***AP*** Seq: 0xF842AB06  Ack: 0x3524EFDD  Win: 0x41BF  TcpLen: 20

Slide: Payload detection
The alert record maps onto the header fields of the captured frame:
- Ethernet frame: destination MAC address, source MAC address, type, length; then the IP header, the TCP header and the data.
- IP header: version, header length, type of service, total length, identification, flags (0 D M), fragment offset, time-to-live (TTL), protocol, header checksum, source IP address, destination IP address.
- TCP header: source port, destination port, sequence number, acknowledgement number, data offset, flags/reserved, window, checksum, urgent pointer.

    [**] [1:0:0] The found . [**]
    [Priority: 0]
    01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
    192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
    ***AP*** Seq: 0xF842A9D3  Ack: 0x3524EE7B  Win: 0x4321  TcpLen: 20

IP protocol field values: 1 ICMP; 6 TCP; 8 EGP; 41 IPv6 over IPv4; 46 RSVP; 50 ESP; 51 AH.


Slide: Snort logs
Logged packets are stored under the log directory, one folder per host (192.168.0.21, 192.168.0.24, 192.168.0.25, 192.168.0.60, …) with one file per connection: TCP 3423-445.ids, TCP 3424-139.ids, TCP 3521-445.ids, TCP 3529-139.ids, TCP 3554-445.ids, TCP 3566-445.ids.

Log of traffic between port 3423 and 445 to/from 192.168.0.20 (the TCP three-way handshake):

    01/16-22:11:15.833440 192.168.0.20:3423 -> 192.168.0.22:445
    TCP TTL:128 TOS:0x0 ID:975 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x26885B8B  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK

    01/16-22:11:15.835497 192.168.0.22:445 -> 192.168.0.20:3423
    TCP TTL:128 TOS:0x0 ID:653 IpLen:20 DgmLen:48 DF
    ***A**S* Seq: 0xE9A4004C  Ack: 0x26885B8C  Win: 0x4470  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK

    01/16-22:11:15.835571 192.168.0.20:3423 -> 192.168.0.22:445
    TCP TTL:128 TOS:0x0 ID:977 IpLen:20 DgmLen:40 DF
    ***A**** Seq: 0x26885B8C  Ack: 0xE9A4004D  Win: 0x4470  TcpLen: 20

Slide: Payload detection – TCP flags
TCP header fields: source port, destination port, sequence number, acknowledgement number, data offset, flags/reserved, window, checksum, urgent pointer.
Flags – the flag field is defined as UAPRSF: U is the urgent flag (URG), A the acknowledgement flag (ACK), P the push function (PSH), R the reset flag (RST), S the sequence synchronize flag (SYN), F the end-of-transmission flag (FIN).

Slide: Payload detection – the SYN flag identifies a connection
Originator states and the exchange (three-way handshake):

    1. CLOSED
    2. SYN-SENT     --> <SEQ=999><CTL=SYN>                  -->
    3. ESTABLISHED  <-- <SEQ=100><ACK=1000><CTL=SYN,ACK>    <--
    4. ESTABLISHED  --> <SEQ=1000><ACK=101><CTL=ACK>        -->
    5. ESTABLISHED  --> <SEQ=1000><ACK=101><CTL=ACK><DATA>  --> ESTABLISHED

The SYN flag identifies a connection (flag field UAPRSF: URG, ACK, PSH, RST, SYN, FIN, as on the previous slide).
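As an added example (not part of the slides and not Snort's code), the following Python parses Snort packet-log records in the format shown under "Snort logs", decodes the UAPRSF flag string into the set bits, and checks that three consecutive records form the handshake described above (SYN, then SYN/ACK acknowledging SEQ+1, then ACK acknowledging the server's SEQ+1). The three log records are embedded as constructed input, copied from the slide; the regular expressions are assumptions about the log layout.

```python
# Parse Snort packet-log records and decode the UAPRSF flag field (added example, not from the
# slides or from Snort). The three records are the handshake shown on the slide above.
import re

FLAG_LETTERS = "UAPRSF"   # URG ACK PSH RST SYN FIN, printed after the two reserved bits "12"

SNORT_LOG = """\
01/16-22:11:15.833440 192.168.0.20:3423 -> 192.168.0.22:445
TCP TTL:128 TOS:0x0 ID:975 IpLen:20 DgmLen:48 DF
******S* Seq: 0x26885B8B  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

01/16-22:11:15.835497 192.168.0.22:445 -> 192.168.0.20:3423
TCP TTL:128 TOS:0x0 ID:653 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xE9A4004C  Ack: 0x26885B8C  Win: 0x4470  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

01/16-22:11:15.835571 192.168.0.20:3423 -> 192.168.0.22:445
TCP TTL:128 TOS:0x0 ID:977 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x26885B8C  Ack: 0xE9A4004D  Win: 0x4470  TcpLen: 20
"""

HDR = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")           # timestamp src:port -> dst:port
IP = re.compile(r"^(\w+) TTL:(\d+) TOS:(\S+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
TCP = re.compile(r"^([UAPRSF*12]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)\s+Win: (\S+)\s+TcpLen: (\d+)")

def decode_flags(field: str) -> set:
    """'***A**S*' -> {'A', 'S'}: a letter marks a set bit, '*' a clear one."""
    return {ch for ch in field if ch in FLAG_LETTERS}

def parse_log(text: str) -> list:
    """One dict per packet record, keyed like the Snort fields."""
    records, cur = [], None
    for line in text.splitlines():
        if m := HDR.match(line):
            cur = {"time": m[1], "src": m[2], "sport": int(m[3]), "dst": m[4], "dport": int(m[5])}
            records.append(cur)
        elif cur and (m := IP.match(line)):
            cur.update(proto=m[1], ttl=int(m[2]), ipid=int(m[4]), iplen=int(m[5]), dgmlen=int(m[6]))
        elif cur and (m := TCP.match(line)):
            cur.update(flags=decode_flags(m[1]), seq=int(m[2], 16), ack=int(m[3], 16), tcplen=int(m[5]))
    return records

def is_handshake(recs: list) -> bool:
    """SYN, then SYN/ACK from the peer acknowledging seq+1, then ACK acknowledging the server's seq+1."""
    if len(recs) < 3 or any("seq" not in r for r in recs[:3]):
        return False
    syn, synack, ack = recs[:3]
    return (syn["flags"] == {"S"} and synack["flags"] == {"S", "A"} and ack["flags"] == {"A"}
            and synack["src"] == syn["dst"] and synack["sport"] == syn["dport"]
            and synack["ack"] == (syn["seq"] + 1) & 0xFFFFFFFF
            and ack["ack"] == (synack["seq"] + 1) & 0xFFFFFFFF
            and ack["seq"] == synack["ack"])
```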

Slide: Payload detection – flags and flow
An incoming SYN flag is important in detecting the start of a connection. The main flags are: F FIN; S SYN; R RST; P PSH; A ACK; U URG.
The following modifiers can be set to change the match criteria:
- + match on the specified bits, plus any others
- * match if any of the specified bits are set
- ! match if the specified bits are not set

Example to test for the SYN flag:

    alert tcp any any -> any any (flags:S;)

It is often important to know the flow direction. The main flow rule options are:
- to_client: used for server responses to the client
- to_server: used for client requests to the server
- from_client: used on client responses
- from_server: used on server responses
- established: established TCP connections

Example to test for an FTP connection to the user's computer:

    alert tcp any any -> $HOME_NET 21 (flow:from_client; content:"CWD incoming"; nocase;)
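As an added example (not part of the slides and not Snort's own code), the following Python builds a minimal matcher for the rule format described on the Snort slides: it parses the header, the content option with |hex| sections, nocase, flags with its +, * and ! modifiers, and msg/sid/rev, then evaluates rules against constructed packets. The Packet class and the $HOME_NET/$EXTERNAL_NET bindings are assumptions; depth, distance, flow and classtype are accepted but ignored.

```python
# Minimal Snort-style rule parser and matcher (added example, not Snort's own code).
# Handles the header, content with |hex| sections, nocase, flags and msg/sid/rev;
# depth, distance, flow and classtype are accepted but ignored.
import ipaddress
from dataclasses import dataclass

VARS = {"$HOME_NET": "192.168.0.0/24", "$EXTERNAL_NET": "any"}  # constructed bindings

@dataclass
class Packet:                 # hypothetical decoded packet, only what the rules need
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""           # TCP flags as letters from UAPRSF, e.g. "S" or "AP"
    payload: bytes = b""

def parse_content(value: str) -> bytes:
    """content:"...": literal text, with |..| sections holding hex bytes."""
    out = b""
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out

def parse_rule(text: str) -> dict:
    """Split 'action proto src sport -> dst dport (options)' into a dict."""
    header, opts = text.split("(", 1)
    action, proto, src, sport, _arrow, dst, dport = header.split()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "contents": []}
    for opt in (o.strip() for o in opts.rstrip(") ").split(";") if o.strip()):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            rule["contents"].append({"bytes": parse_content(val), "nocase": False})
        elif key == "nocase":             # modifies the preceding content
            rule["contents"][-1]["nocase"] = True
        elif key in ("flags", "msg", "sid", "rev"):
            rule[key] = val
    return rule

def endpoint_match(ip_spec: str, port_spec: str, ip: str, port: int) -> bool:
    ip_spec = VARS.get(ip_spec, ip_spec)
    ip_ok = ip_spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(ip_spec, strict=False)
    return ip_ok and (port_spec == "any" or int(port_spec) == port)

def flags_match(spec: str, flags: str) -> bool:
    """flags:S exact; S+ those bits plus any others; S* any of them; S! none of them."""
    mod = spec[-1] if spec[-1] in "+*!" else ""
    want, have = set(spec.rstrip("+*!")), set(flags)
    return {"+": want <= have, "*": bool(want & have), "!": not (want & have)}.get(mod, want == have)

def matches(rule: dict, pkt: Packet) -> bool:
    if rule["proto"] != pkt.proto or not endpoint_match(rule["src"], rule["sport"], pkt.src, pkt.sport) \
            or not endpoint_match(rule["dst"], rule["dport"], pkt.dst, pkt.dport):
        return False
    if rule.get("flags") and not flags_match(rule["flags"], pkt.flags):
        return False
    return all((c["bytes"].lower() in pkt.payload.lower()) if c["nocase"] else (c["bytes"] in pkt.payload)
               for c in rule["contents"])
```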

Slide: Payload detection
The IP header and TCP header field layouts (as above) mapped onto the three handshake records from the Snort log: the SYN, SYN/ACK and ACK between 192.168.0.20:3423 and 192.168.0.22:445 at 01/16-22:11:15.

Slide (fragment): Switch … Devices ca…

