Information Risk Management - SANS ©2001
Risk Management: The Big Picture – Part IV
Network-based Intrusion Detection
In our next section we are going to introduce network-based intrusion detection. The detect engine in this case is either a firewall, a personal firewall, or an intrusion detection system. All of these work quite well. We will begin with a single attack, just to see how one might work and how we might detect it. Then we will explore the range of tools and show you how you can get in the game with a very low investment, possibly even free.
Need for Network-based Intrusion Detection
• Most attacks come from the Internet
• Detecting these attacks allows a site to tune defenses
• If we correlate data from a large number of sources we increase our capability
The statistic that 90% of all attacks are perpetrated by insiders is dead wrong.
While insider attacks may cause more damage (because the attacker knows the system assets and what to target), insider threats are usually addressed by traditional security and audit mechanisms. An insider has a much greater chance of being caught and prosecuted or dealt with administratively IF DETECTED, since you know where they live. The greatest threat in terms of financial loss is insiders. Period, no questions. That said, the greatest number of threats is via Internet attacks. A huge percentage of these are stopped by firewalls. Successful attacks often do not cause as much harm as an insider would, because an insider knows exactly where the crown jewels, the strategic information assets of an organization, are.
Having said all that, we are going to really concentrate on Internet-based attacks in this section. Are they relevant? Oh my yes! The number one reason is the sheer numbers. If your site is subjected to thousands and thousands of attacks, even if poorly targeted, and you don’t have effective perimeters, then your systems will eventually fall when the correct exploit hits your system.
However, the situation is even worse. It turns out that a small number of problems, things we know we should correct, like file sharing or proper permissions, account for a vast number of system compromises. In fact, firewalls themselves, which are an amazingly effective perimeter, contribute to the problem. The people protected by the firewall think everything is OK since the firewall stops the attacks, and then they get lax, drop their defenses, someone makes a small misconfiguration of the firewall, and boom, the site is dealing with a major compromise.
Inside a Network Attack
WinNuke (also called OOBNuke) uses TCP 139 and OOB data, even if NetBIOS is not enabled. It results in the “Blue Screen of Death”.
Patches/service packs are available.
OOB stands for Out Of Band and is actually misnamed; it should say “Urgent mode”, which is the Urgent bit set in the TCP header flags and the urgent pointer.
Some people call this famous attack an Out of Band attack; however, it is better known as Winnuke.
If you are interested in the classic Windows attacks, you might want to visit:
http://www.winplanet.com/features/reports/netexploits/index2.html
On to Winnuke. Older unpatched Windows systems, 3.11 and 95, can be crashed by a single, specially formatted packet. The packet has to be sent to a listening port such as TCP port 139, the NetBIOS Session service, but any listening port will do. Hey, quick review: how do you know which ports are listening on your Windows system? How do you know what programs are responsible for those ports? How do you know what users are the owners of those programs? If you don’t know the answer to all three of these questions, you really should redo the previous section on host-based intrusion detection. If you have a Win95 system, you should get the patch, available at:
http://support.microsoft.com/support/kb/articles/Q168/7/47.asp
Finally, we have seen a detection and protection tool in operation. Actually, this is another example of threat, countermeasure, and counter-countermeasure. Winnuke was dropping systems left and right and Microsoft responded with a patch, but instead of fixing the problem, they released a quick hack. The attackers countered with a modification of their attack tools almost instantly. Today, you can download a patch that actually corrects the problem, and that URL has been provided to you.
Anyone can do intrusion detection, and if you start practicing today, you will be ready to take the advanced Intrusion Detection In Depth course pretty soon. So let’s go through the steps to begin doing network intrusion detection. This is certainly NOT the only way, but it is an approach for you to consider.
Network Intrusion Detection 101
Generally when we think of personal firewalls we think of a perimeter defense, or a protect function. What about detect? It turns out that some personal firewalls have the capability to do more than just detect attacks: they can log the attack, which allows the analyst to study the attributes of an attack.
In fact, personal firewalls and Small Office Home Office (SOHO) firewalls are becoming part of some of the most important sensor networks available anywhere.
The first step is to turn on logging! In general, the more places you log, the better off you are when a weird event occurs.
Our First False Positive
Yup, bootp, actually DHCP, Dynamic Host Configuration Protocol, is a normal occurrence on this home network. We reconfigure so often, and most of our machines are both mobile and wireless, that static IP addresses are out of the question. So perhaps we don’t want to alert when that happens. We simply select an attack we don’t want to see, right-click, and select ignore.
Using the tools we have discussed, especially after you complete the training on networking and TCP/IP that is coming up in this course, you will be equipped to really start drilling down into network intrusion detection. Sometimes graphics tools can help us know where to look for an anomalous event.
Visualization Tools - BID
Port Scan
The intense activity shown on your slide was the result of someone probing this network. This gives us an idea where we might want to look in order to find the evidence file. As a helpful hint, find the approximate time and, if you are looking for a scan, look for the biggest file.
We hope you have enjoyed your introduction to network intrusion detection. We have learned about a couple of new tools that you can use to start investigating suspicious network traffic. As we move through the remainder of this section of the course, we will learn more about the tools and techniques used in network intrusion detection.
Most of these tools, whether for Unix or Windows, depend on a simple utility called libpcap or winpcap.
[Slide diagram: a firewall (FW) sensor collects data; an analysis/display station analyzes the data and displays information]
Libpcap-based Systems
• Most Network-Based Intrusion Detection Systems, Unix or Windows, are libpcap based
The first network-based intrusion detection systems we look at are libpcap-based. These include Shadow, Snort, NetRanger, and NFR. Libpcap is a packet capture library designed to get the data from kernel space and pass it to the application. There are implementations for Windows (winpcap-based, the Windows version of libpcap) and Unix. It is reliable and has the big advantage
up, hosts that you are watching out for, and attacks that you are particularly concerned about. Should a Shadow sensor fail, all they get are the logs. You can still run Snort though on the inside; simply feed it the TCPdump Shadow files.
We’d like to see more vendors take measures to make their sensors attack-resistant, or stealthy, and make them less valuable targets. The sensor is the attacker’s first target.
Network Intrusion Detection With Snort
Snort Design Goals
• Low cost, lightweight
• Suitable for monitoring multiple sites/sensors
• Low false alarm rate
• Efficient detect system
• Low effort for reporting
Snort was designed to supplement and be run in parallel with other sensors, such as Linux firewalls.
It has rules for packet content decodes, and also packet headers. This means it can detect data-driven attacks like buffer overflows and attacks on vulnerable URLs and scripts (like RDS and phf). So if you use Shadow and Snort, you have a good pattern matcher.
It is free, scalable, and very good at detecting stealthy recon efforts and probes. Its focus on the early warning to be gained from spotting the recon phase is very valuable, since the actual attack can happen in seconds and be all over by the time you notice it started.
It is also a good system to learn and experiment with, since it is easy to modify, being all modular open source with lots of community-developed enhancements.
*****PA* Seq: 0x1EDB7784 Ack: 0xD4A024FE Win: 0x7D78
TCP Options => NOP NOP TS: 86724706 118751139
This is the more detailed log file. Notice the rule that found the detect is displayed at the top. Then summary information about the packet is given. The trace begins with the content of the detect. RPC (Remote Procedure Call) attacks like this are part of the Top Ten list (www.sans.org/topten.htm). Notice all the zeros? RPC packets are padded to 32-bit words, often to carry a field that only has a choice of a single integer, so the zeros are an indication of RPCs.
Configuring Snort With IDSCenter
• Graphical User Interface
– Simplifies The Configuration Of Snort
– Simplifies Set Up Of Alerts
– Simplifies Monitoring Snort Log Files And Alerts
While Snort is a very powerful Network Intrusion Detection System (NIDS), it requires a little effort to configure it properly. IDSCenter simplifies this process by providing the type of graphical user interface that Windows users are accustomed to.
Using simple techniques it is possible to specify the location of the various executable and configuration files used by Snort. Once the appropriate settings have been made, IDSCenter also provides easy access to the rule set that determines what alerts Snort will generate.
IDSCenter also provides a simple method to specify and set up the various types of alerts that should be generated by Snort. It is available from http://idsc.emojo.com/idscenter/index.cfm
IDSCenter General Setup
IDSCenter’s General Setup screen always checks for the specification of the Snort version, executable location, process priority, and network considerations.
If you have multiple interfaces defined, the Network Interface number may require some experimentation to get the right value. While it’s possible to get the right entry from the registry, it’s easier to just try the various possibilities and test the configuration.
IDSCenter IDS Rules Setup
The IDS Rules Setup screen allows for the specification of the Snort configuration file, which contains the definitions of patterns to match. It also displays the current configuration and will open it up for editing if required.
IDSCenter Log/Alerts Setup
This screen controls the location, type, and detail level of what will be generated by Snort’s alert mechanism. Snort provides the capability to log locally, to a syslog server, to the NT Event Logs, and to various databases.
Considerable flexibility is provided in the amount of detail that will be logged.
IDSCenter Alert Viewer
The Alert Viewer screen provides an easy way to see the alerts that Snort has generated.
It also provides an easy way to get additional information about a given alert by entering the message’s IDS number and querying the arachNIDS Intrusion Event database.
• Compiles on many Unix platforms
• Runs on Windows 9x and NT
• High fidelity
• Same program for data collection and first order analysis
TCPdump is a tool for network monitoring and data acquisition. The original distribution is available via anonymous ftp to ftp.ee.lbl.gov, in tcpdump.tar.Z. TCPdump uses libpcap, a system-independent interface for user-level packet capture. The Windows version, WinDump, is available from http://netgroup-serv.polito.it/windump/install/default.htm
Libpcap is the de facto standard for Unix-based intrusion detection systems. It is a software interface for acquiring the collected information from the interface card and providing it to the IDS application.
Shadow uses TCPdump as its underlying packet capture mechanism, as does Snort, which is the current favorite on incidents.org. Snort includes packet decodes and pattern matching, and you can use the same filters for either TCPdump or Snort. Let’s take a look at a sample filter and see what we learn.
Core_Hosts Filter
• DNS, Web, and mail servers draw a lot of fire; about 20% of all our attacks are directed at these systems
• If you lose control of DNS, they own you
• Worth the time to give connection attempts to these systems an extra look
What do web servers, DNS servers, and mail relays have in common? You cannot hide them if you want your site to communicate with the rest of the world. They are also important systems.
Therefore it makes sense to tune your intrusion detection system to look at these. As we move to a real-world filter, let us warn you in advance: the language is a bit odd. However, we can take it one step at a time and everything will work out. There are many, many protocols, but three, TCP, UDP, and ICMP, do most of the work from a computer system’s point of view. So most of the filters will start with a protocol. TCP and UDP use numerical ports to identify which service is requested. For instance, TCP destination port 80 is the port number a web server uses.
A popular technique is to write a filter that monitors your “core hosts”, or those hosts that are the most important to your organization.
Core_Host Filter Web Server
(dst host 192.168.1.1 and
( (tcp and ((tcp[13] & 2 != 0) and (tcp[13] & 0x10 = 0))
and (not dst port 80)) or
(udp and not dst port 53 and not dst port 137) or
(icmp and (icmp[0] != 8) and (icmp[0] != 0) and (icmp[0] != 3) and (icmp[0] != 11)) or
(not (tcp or udp or icmp)) ))
On this slide we will look at a more complex filter.
# 192.168.1.1 webserver
# should only receive traffic to tcp port 80 (syn only)
# ignore udp with dst port 53 or 137
# ignore icmp echo requests (8), echo replies (0),
# destination unreachable (3), and
# time exceeded (11) error messages
This example filter eliminates all the common traffic that the author of the filter expected the system to see. Obviously, they didn’t want to look at every HTTP request that was sent to a web server, so that is why it says not dst port 80.
Also, in their experience there were a lot of name lookups, both the Windows version, NetBIOS Name Service on port 137 UDP, and also Domain Name Service on port 53, TCP and UDP. To be sure, these might be malicious, but this analyst chose not to concentrate on them.
ICMP is the management protocol for the Internet, and the analyst chose to ignore certain types of ICMP. As it says above, echo requests (pings) are type 8 and echo replies are type 0. ICMP uses type and code instead of port numbers. The point of the exercise is that everything not so excluded will be printed out, so the odds are good that if you try to attack this web server, this filter will detect what you are doing.
In the next-to-last section of this segment of our class, we will take a whirlwind tour of one of the best-selling intrusion detection systems, so please turn to the next slide: ISS RealSecure.
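To make the filter’s logic concrete, here is an added Python re-implementation of the same predicate (it is not part of the course material, tcpdump or Snort) run over constructed sample packets. It decodes the raw IP/TCP/UDP/ICMP bytes the way the BPF offsets tcp[13] and icmp[0] do, so you can see which packets the filter prints and which it silences; the 10.0.0.5 source address and the sample ports are assumptions.

```python
import struct

CORE_HOST = "192.168.1.1"  # the web server the Core_Host filter watches (from the slide)
SYN, ACK = 0x02, 0x10

def ipv4(proto, dst, payload, src="10.0.0.5"):
    """Minimal IPv4 header + payload (constructed sample traffic; checksum left zero)."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ip(src), ip(dst)) + payload

def tcp(dport, flags):  # byte 13 of the TCP header holds the flag bits (BPF's tcp[13])
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)

def udp(dport):
    return struct.pack("!HHHH", 40000, dport, 8, 0)

def icmp(itype):  # icmp[0] is the type byte
    return struct.pack("!BBHI", itype, 0, 0, 0)

def core_host_filter(pkt):
    """True if the packet would be printed by the Core_Host web-server filter."""
    ihl = (pkt[0] & 0x0F) * 4                     # IP header length in bytes
    proto, dst = pkt[9], ".".join(str(b) for b in pkt[16:20])
    if dst != CORE_HOST:                          # dst host 192.168.1.1
        return False
    l4 = pkt[ihl:]
    if proto == 6:                                # tcp: SYN set, ACK clear, not port 80
        dport = struct.unpack("!H", l4[2:4])[0]
        return (l4[13] & SYN) != 0 and (l4[13] & ACK) == 0 and dport != 80
    if proto == 17:                               # udp: ignore DNS (53) and NetBIOS-NS (137)
        return struct.unpack("!H", l4[2:4])[0] not in (53, 137)
    if proto == 1:                                # icmp: ignore types 8, 0, 3 and 11
        return l4[0] not in (8, 0, 3, 11)
    return True                                   # not (tcp or udp or icmp): always shown

SAMPLES = {  # constructed packets, each paired with the verdict the filter should give
    "syn to web port 80":         (ipv4(6, CORE_HOST, tcp(80, SYN)), False),
    "syn to telnet 23":           (ipv4(6, CORE_HOST, tcp(23, SYN)), True),
    "syn/ack to 23":              (ipv4(6, CORE_HOST, tcp(23, SYN | ACK)), False),
    "udp dns 53":                 (ipv4(17, CORE_HOST, udp(53)), False),
    "udp snmp 161":               (ipv4(17, CORE_HOST, udp(161)), True),
    "icmp echo request (type 8)": (ipv4(1, CORE_HOST, icmp(8)), False),
    "icmp timestamp (type 13)":   (ipv4(1, CORE_HOST, icmp(13)), True),
    "gre (ip proto 47)":          (ipv4(47, CORE_HOST, b""), True),
    "syn to 23 on another host":  (ipv4(6, "192.168.1.2", tcp(23, SYN)), False),
}

def run_samples():  # apply the filter to every sample; returns {name: printed?}
    return {name: core_host_filter(pkt) for name, (pkt, _) in SAMPLES.items()}
```

Note that a SYN to TCP port 53 is still printed: the filter only silences UDP name lookups, so a connection attempt to a DNS server’s TCP side gets the extra look the slide asks for.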