Risk Management The Big Picture – Part IV
In our next section we are going to introduce network-based intrusion detection. The detect engine
in this case is either a firewall, a personal firewall, or an intrusion detection system. All of these
work quite well.
We will begin with a single attack, just to see how one might work and how we might detect it. Then
we will explore the range of tools and show you how you can get in the game with a very low
investment, possibly even free.
Network-based Intrusion Detection
Information Risk Management - SANS ©2001 1
Need for Network-based Intrusion Detection
• Most attacks come from the Internet
• Detecting these attacks allows a site to tune defenses
• If we correlate data from a large number of sources we increase our capability
The statistic that 90% of all attacks are perpetrated by insiders is dead wrong.
While insider attacks may cause more damage (because the attacker knows the system assets and what to target), insider threats are usually addressed by traditional security and audit mechanisms. An insider has a much greater chance of being caught and prosecuted or dealt with administratively, IF DETECTED, since you know where they live. The greatest threat in terms of financial loss is insiders. Period, no questions. That said, the greatest number of attacks arrive via the Internet. A huge percentage of these are stopped by firewalls, and the attacks that do succeed often cause less harm than an insider would, because an insider knows exactly where the crown jewels, the strategic information assets of an organization, are.
Having said all that, we are going to concentrate on Internet-based attacks in this section. Are they relevant? Oh my yes! The number one reason is the sheer numbers. If your site is subjected to thousands and thousands of attacks, even poorly targeted ones, and you do not have an effective perimeter, then your systems will eventually fall when the correct exploit hits.
However, the situation is even worse. It turns out that a small number of problems, things we know we should correct, such as open file shares or incorrect permissions, account for a vast number of system compromises. In fact, firewalls themselves, which are an amazingly effective perimeter, contribute to the problem. The people protected by the firewall think everything is OK because the firewall stops the attacks, so they get lax and drop their defenses; then someone makes a small misconfiguration of the firewall and boom, the site is dealing with a major compromise.
Finally, the sophistication of network-based attacks continues to increase. The Unix worms of mid-2001
demonstrated that by using toolkits essentially any successful exploit can serve as the foundation of another worm
- thus increasing the attack effect hundreds of times higher than one or even a group of attackers could achieve,
since every compromised host becomes a new attacker.
Now we look at a single attack, in this case a denial of service, or availability attack called winnuke. This is
one of the classics and it was so aggravating that it resulted in creating the first wave of Windows personal
firewalls including Nukenabber, the software that served as TCPwrappers for Windows systems.
Inside a Network Attack
WinNuke (also called OOBNuke) uses TCP port 139 and OOB data, even if NetBIOS is not enabled. It results in the “Blue Screen of Death”.
Patches/service packs are available.
OOB stands for Out Of Band and is actually misnamed; it should say “Urgent mode”, which means the URG bit set in the TCP header flags together with the urgent pointer.
Some people call this famous attack an Out of Band attack; however, it is better known as WinNuke. If you are interested in the classic Windows attacks, you might want to visit:
http://www.winplanet.com/features/reports/netexploits/index2.html
On to WinNuke. Older unpatched Windows systems (3.11, 95) can be crashed by a single, specially formatted packet. The packet has to be sent to a listening port such as TCP port 139, the NetBIOS Session Service, but any listening port will do. Hey, quick review: how do you know which ports are listening on your Windows system? How do you know what programs are responsible for those ports? How do you know which users own those programs? If you don’t know the answer to all three of these questions, you really should redo the previous section on host-based intrusion detection. If you have a Win95 system, you should get the patch, available at:
http://support.microsoft.com/support/kb/articles/Q168/7/47.asp
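To make the packet-level description concrete, here is an added detection example, written for this edit and not taken from the course or from any tool named on the page. It parses a raw IPv4/TCP packet and flags the WinNuke signature: a segment to the NetBIOS Session port with the URG flag set, a non-zero urgent pointer, and some bytes of "out of band" data. The packet builder, the sample packets and the RFC 5737 addresses are constructed for the demonstration (checksums are left at zero), and the `ports` parameter is an assumption added so the check can be widened to other listening ports, since the text notes that port 139 is only the usual target.

```python
import struct

TCP_URG = 0x20          # URG bit in the TCP flags byte
TCP_PSH = 0x08
TCP_ACK = 0x10
NETBIOS_SESSION_PORT = 139


def parse_ipv4_tcp(packet: bytes):
    """Pull the fields the WinNuke check needs out of a raw IPv4 packet.

    Returns a dict, or None when the bytes are not an IPv4 packet carrying TCP.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 20 or packet[9] != 6:
        return None
    tcp = packet[ihl:]
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", tcp[:20])
    data_offset = (off_flags >> 12) * 4
    return {
        "src": ".".join(map(str, packet[12:16])),
        "dst": ".".join(map(str, packet[16:20])),
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0xFF,
        "urg_ptr": urg_ptr,
        "payload_len": max(0, len(tcp) - data_offset),
    }


def is_winnuke_candidate(packet: bytes, ports=(NETBIOS_SESSION_PORT,)) -> bool:
    """WinNuke signature: TCP to a NetBIOS-style listening port, URG set, and a
    non-zero urgent pointer marking some bytes of "out of band" data.
    `ports` is an assumption of this example: widen it to any port you know is listening."""
    f = parse_ipv4_tcp(packet)
    if f is None:
        return False
    return (f["dport"] in ports
            and bool(f["flags"] & TCP_URG)
            and f["urg_ptr"] > 0
            and f["payload_len"] > 0)


def build_ipv4_tcp(src, dst, sport, dport, flags, urg_ptr=0, payload=b""):
    """Constructed test packet: minimal IPv4 and TCP headers, checksums left zero."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 8192, 0, urg_ptr)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload),
                         0x1234, 0x4000, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip_hdr + tcp_hdr + payload


# Constructed samples (addresses from the RFC 5737 documentation ranges).
SAMPLES = {
    # URG + urgent pointer + data to the NetBIOS Session port: the WinNuke shape
    "winnuke": build_ipv4_tcp("203.0.113.5", "192.0.2.9", 1234, 139,
                              TCP_PSH | TCP_ACK | TCP_URG, urg_ptr=3, payload=b"Bye"),
    # an ordinary NetBIOS session request: same port, no URG
    "netbios_session": build_ipv4_tcp("203.0.113.5", "192.0.2.9", 1234, 139,
                                      TCP_PSH | TCP_ACK, payload=b"\x81\x00\x00\x44"),
    # URG to a different listening port: only flagged if you widen `ports`
    "urg_to_web": build_ipv4_tcp("203.0.113.5", "192.0.2.9", 1234, 80,
                                 TCP_PSH | TCP_ACK | TCP_URG, urg_ptr=1, payload=b"x"),
}


def scan(samples: dict, ports=(NETBIOS_SESSION_PORT,)):
    """Return the names of the packets that match the signature, in input order."""
    return [name for name, pkt in samples.items() if is_winnuke_candidate(pkt, ports)]


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        f = parse_ipv4_tcp(pkt)
        print(f"{name:16s} {f['dst']}:{f['dport']} urg_ptr={f['urg_ptr']} "
              f"winnuke={is_winnuke_candidate(pkt)}")
```

Keying the check on port 139 alone keeps the false positive rate down, because URG is legitimate traffic on some other services (telnet and rlogin use it for interrupts), which is why the personal firewalls of the day watched the NetBIOS ports specifically. If you widen `ports` to everything that listens on the host, expect to verify each hit against the urgent data before reporting it.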
Nuke’eM Screen
So how do we create this weird packet? Generally by using a special tool as we see on this slide,
which is a screen shot of version 1.1 of Windows Nuke’eM.
This application has a single purpose, to establish a connection with the TCP three-way handshake
and then hit the remote system with the illegal packet. It doesn’t take any particular skill to run it, as
you see, all we did was enter the IP address of a target system.
Lockdown Screen
On this slide you see a screenshot of a personal firewall called Lockdown that is both detecting the
attack and acting as a perimeter system to protect the client.
Let’s sum up what we have seen as we looked at a single network attack, WinNuke. We have identified a vulnerability, a flaw in the Windows implementation of networking. We have described the flaw technically and shown that attacker tools exist to exploit it. Finally, we have seen a detection and protection tool in operation. Actually, this is another example of threat, countermeasure, and counter-countermeasure. WinNuke was dropping systems left and right and Microsoft responded with a patch, but instead of fixing the underlying problem they released a quick hack, and the attackers countered with a modification of their attack tools almost instantly. Today you can download a patch that actually corrects the problem, and that URL has been provided to you.
Anyone can do intrusion detection and if you start practicing today, you will be ready to take the
advanced Intrusion Detection In Depth course pretty soon. So let’s go through the steps to begin
doing network intrusion detection. This is certainly NOT the only way, but it is an approach for you
to consider.
Network Intrusion Detection 101
Generally when we think of personal firewalls we think of a perimeter defense, or a protect function. What about detect? It turns out that some personal firewalls can do more than just detect attacks: they can log the attack, which allows the analyst to study its attributes. In fact, personal firewalls and Small Office Home Office (SOHO) firewalls are becoming part of some of the most important sensor networks available anywhere.
The first step is to turn on logging! In general, the more places you log, the better off you are when a weird event occurs.
Enable Logging
The engine settings are managed from the Tools menu. Take a minute and look around at the options, but while you are there be sure to enable logging. The logs are stored by default in Black Ice’s directory under Program Files, Network Ice, and as you see on the slide they carry a handy prefix.
Our First False Positive
Yup, BOOTP, or rather DHCP, the Dynamic Host Configuration Protocol, is a normal occurrence on this home network. We reconfigure so often, and most of our machines are both mobile and wireless, that static IP addresses are out of the question. So perhaps we don’t want to alert when that happens. We simply select an attack we don’t want to see, right-click, and select Ignore.
Using the tools we have discussed, especially after you complete the training on networking and
TCP/IP that is coming up in this course, you will be equipped to really start drilling down into
network intrusion detection. Sometimes graphics tools can help us know where to look for an
anomalous event.
Visualization Tools - BID Port Scan
The intense activity shown on your slide was the result of someone probing this network. This gives
us an idea where we might want to look in order to find the evidence file. As a helpful hint, find the
approximate time and if you are looking for a scan, look for the biggest file.
We hope you have enjoyed your introduction to network intrusion detection. We have learned about
a couple of new tools that you can use to start investigating suspicious network traffic. As we move
through the remainder of this section of the course, we will learn more about the tools and techniques
used in network intrusion detection.
Most of these tools, whether for Unix or Windows, depend on a packet capture library called libpcap (WinPcap on Windows).
Libpcap-based Systems
(Slide diagram: a sensor collects data outside the FW; an Analysis/Display Station analyzes the data and displays information.)
Most Network-Based Intrusion Detection Systems, Unix or Windows, are libpcap based.
The first network-based intrusion detection systems we look at are libpcap-based. These include Shadow, Snort, NetRanger, and NFR. Libpcap is a packet capture library that gets packets from kernel space and passes them to the application. There are implementations for Unix and for Windows (WinPcap, the Windows port of libpcap). It is reliable and has the big advantage of being free.
A sensor is distinguished by how much on-board policy information it has. The Shadow sensor is designed to be stupid. It lives outside the firewall, and if it should fall, no information about the site is lost. This is one of the characteristics that sets Shadow apart from most intrusion detection systems. Most IDS carry a lot of information about how the site is configured, how the firewalls are set up, which hosts you are watching, and which attacks you are particularly concerned about; should a Shadow sensor be compromised, all the attacker gets is raw packet logs. You can still run Snort on the inside; simply feed it the tcpdump files the Shadow sensor collected.
We’d like to see more vendors take measures to make their sensors attack-resistant, or stealthy, and make them less valuable targets. The sensor is the attacker’s first target.
Network Intrusion Detection With Snort
Snort Design Goals
• Low cost, lightweight
• Suitable for monitoring multiple sites/sensors
• Low false alarm rate
• Efficient detect system
• Low effort for reporting
Snort was designed to supplement and be run in parallel with other sensors, such as Linux firewalls. Its rules match on packet content as well as packet headers, so it can detect data-driven attacks like buffer overflows and attacks on vulnerable URLs and scripts (like RDS and phf). So if you use Shadow and Snort together, you have a good pattern matcher.
It is free, scalable, and very good at detecting stealthy recon efforts and probes. Its focus on the early
warning to be gained from spotting the recon phase is very valuable, since the actual attack can
happen in seconds and be all over by the time you notice it started.
It is also a good system to learn and experiment with, since it is easy to modify, being all modular
open-source with lots of community developed enhancements.
Snort
[**] RPC Info Query [**]
06/29-00:15:29.137285 211.72.115.100:623 -> z.y.w.98:111
TCP TTL:46 TOS:0x0 ID:29416 DF
*****PA* Seq: 0x1EDB7784 Ack: 0xD4A024FE Win: 0x7D78
TCP Options => NOP NOP TS: 86724706 118751139
80 00 00 28 08 70 BB FF 00 00 00 00 00 00 00 02 ...(.p..........
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 ............
The Snort detects are written to log files like this one, separated by blank lines. For this primer, we will primarily focus on the various detects.
An advantage of Snort is that this trace is easy to cut and paste into an email to send to your CIRT. This is better than several commercial tools that show an easy to understand colorful icon but make it hard to get to the raw data to verify or report the detect.
This is the more detailed log file. Notice the rule that found the detect is displayed at the top. Then summary information about the packet is given (addresses and ports, IP header fields, TCP flags, sequence numbers and options). The trace ends with the content of the packet, shown as hex and as ASCII.
RPC (Remote Procedure Call) attacks like this are part of the Top Ten list (www.sans.org/topten.htm). Notice all the zeros? RPC fields are padded to 32-bit words, and many of them carry a small integer (a version or procedure number) that fits in a single byte, so runs of zeros are an indication of RPC.
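As an added worked example (written for this edit, not course code), the following Python parses the alert block above into fields and then decodes the payload as an ONC RPC call header, which is what those zero-padded words are. The alert text is embedded as a constructed copy of the lines shown on the slide; the sanitized destination `z.y.w.98` is kept as a string, and the portmapper procedure table is the standard one from the RPC specification, not something taken from the page.

```python
import re
import struct

# Constructed copy of the Snort full-alert block shown on the slide.
SNORT_ALERT = """\
[**] RPC Info Query [**]
06/29-00:15:29.137285 211.72.115.100:623 -> z.y.w.98:111
TCP TTL:46 TOS:0x0 ID:29416 DF
*****PA* Seq: 0x1EDB7784 Ack: 0xD4A024FE Win: 0x7D78
TCP Options => NOP NOP TS: 86724706 118751139
80 00 00 28 08 70 BB FF 00 00 00 00 00 00 00 02 ...(.p..........
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 ............
"""

# Hex column of a dump line: "XX " groups; the ASCII column follows the last group.
HEX_LINE = re.compile(r"^((?:[0-9A-Fa-f]{2} )+)")
PORTMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}


def parse_snort_alert(text: str) -> dict:
    """Turn one Snort alert block into a dict, with the hex dump reassembled as bytes."""
    lines = text.strip().splitlines()
    m = re.match(r"\[\*\*\] (.+?) \[\*\*\]", lines[0])
    alert = {"msg": m.group(1)}
    m = re.match(r"(\S+) (\S+):(\d+) -> (\S+):(\d+)", lines[1])
    alert.update(timestamp=m.group(1), src=m.group(2), sport=int(m.group(3)),
                 dst=m.group(4), dport=int(m.group(5)))
    m = re.match(r"(\w+) TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+)", lines[2])
    alert.update(proto=m.group(1), ttl=int(m.group(2)), tos=int(m.group(3), 16),
                 ip_id=int(m.group(4)))
    m = re.match(r"(\S{8}) Seq: 0x([0-9A-Fa-f]+) Ack: 0x([0-9A-Fa-f]+) Win: 0x([0-9A-Fa-f]+)",
                 lines[3])
    # Keep the flag letters only; their column positions differ between Snort versions.
    alert.update(flags={c for c in m.group(1) if c != "*"},
                 seq=int(m.group(2), 16), ack=int(m.group(3), 16), win=int(m.group(4), 16))
    payload = bytearray()
    for line in lines[4:]:
        h = HEX_LINE.match(line)
        if h:
            payload += bytes.fromhex(h.group(1))
    alert["payload"] = bytes(payload)
    return alert


def decode_rpc_call(payload: bytes) -> dict:
    """Decode an ONC RPC CALL as carried over TCP: a 4-byte record mark, then the
    XDR call header (RFC 1831). Every field is a 32-bit big-endian word, so a small
    integer such as a version or procedure number shows up as three zero bytes and one value."""
    (record_mark,) = struct.unpack("!I", payload[:4])
    body = payload[4:4 + (record_mark & 0x7FFFFFFF)]
    if len(body) < 32:
        raise ValueError("truncated RPC call header")
    xid, msg_type, rpc_ver, prog, vers, proc, cred_flavor, cred_len = struct.unpack("!8I", body[:32])
    off = 32 + ((cred_len + 3) & ~3)          # skip the credential body, padded to 4 bytes
    if len(body) < off + 8:
        raise ValueError("truncated RPC verifier")
    verf_flavor, _verf_len = struct.unpack("!2I", body[off:off + 8])
    is_portmap = prog == 100000
    return {
        "last_fragment": bool(record_mark & 0x80000000),
        "xid": xid, "msg_type": msg_type, "rpc_version": rpc_ver,
        "program": prog, "version": vers, "procedure": proc,
        "program_name": "portmapper" if is_portmap else f"prog-{prog}",
        "procedure_name": PORTMAP_PROCS.get(proc, str(proc)) if is_portmap else str(proc),
        "cred_flavor": cred_flavor, "verf_flavor": verf_flavor,
        "zero_fraction": payload.count(0) / len(payload),   # the "all those zeros" heuristic
    }


if __name__ == "__main__":
    alert = parse_snort_alert(SNORT_ALERT)
    print(f"{alert['msg']}: {alert['src']}:{alert['sport']} -> {alert['dst']}:{alert['dport']} "
          f"flags={''.join(sorted(alert['flags']))}")
    rpc = decode_rpc_call(alert["payload"])
    print(f"RPC v{rpc['rpc_version']} CALL xid=0x{rpc['xid']:08x} "
          f"{rpc['program_name']} v{rpc['version']} {rpc['procedure_name']} "
          f"(zeros: {rpc['zero_fraction']:.0%})")
```

Decoding shows the detect is a portmapper (program 100000) version 2 DUMP call with null credentials, that is, an `rpcinfo -p` style request for every RPC service the host registers, which is exactly the recon the rule name "RPC Info Query" describes. Having the raw bytes in the alert is what makes that verification possible; an icon in a console would not.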
Configuring Snort With IDSCenter
• Graphical User Interface
– Simplifies the configuration of Snort
– Simplifies set up of alerts
– Simplifies monitoring Snort log files and alerts
While Snort is a very powerful Network Intrusion Detection System (NIDS), it requires a little effort
to configure it properly. IDSCenter simplifies this process by providing the type of graphical user
interface that Windows users are accustomed to.
Using simple techniques it is possible to specify the location of the various executable and configuration files used by Snort. Once the appropriate settings have been made, IDSCenter also provides easy access to the rule sets that determine what alerts Snort will generate.
IDSCenter also provides a simple method to specify and set up the various types of alerts that should be generated by Snort. It is available from http://idsc.emojo.com/idscenter/index.cfm.
IDSCenter General Setup
IDSCenter’s General Setup screen asks for the Snort version, the executable location, the process priority, and the network settings.
If you have multiple interfaces defined, the Network Interface number may require some experimentation to get the right value. While it is possible to get the right entry from the registry, it is easier to just try the various possibilities and test the configuration.
IDSCenter IDS Rules Setup
The IDS Rules Setup screen allows for the specification of the Snort configuration file, which contains the definitions of patterns to match. It also displays the current configuration and will open it for editing if required.
IDSCenter Log/Alerts Setup
This screen controls the location, type, and detail level that will be generated by Snort’s alert
mechanism. Snort provides for the capability to log locally, to a syslog server, the NT Event Logs,
and to various databases.
Considerable flexibility is provided in the amount of detail that will be logged.
IDSCenter Alert Viewer
The Alert Viewer screen provides for an easy way to see the alerts that Snort has generated.
It also provides an easy way to get additional information about a given alert by entering the
message’s IDS number and querying the arachNIDS Intrusion Event database.
TCPdump
• Libpcap
• Always available
• Compiles on many Unix platforms
• Runs on Windows 9x and NT
• High fidelity
• Same program for data collection and first order analysis
TCPdump is a tool for network monitoring and data acquisition. The original distribution is available via anonymous ftp to ftp.ee.lbl.gov, in tcpdump.tar.Z. TCPdump uses libpcap, a system-independent interface for user-level packet capture. The Windows version, WinDump, is available from http://netgroup-serv.polito.it/windump/install/default.htm.
Libpcap is the de facto standard capture interface for Unix-based intrusion detection systems. It is the software layer that acquires packets from the interface card and hands them to the IDS application.
Shadow uses TCPdump as its underlying packet capture mechanism; Snort, the current favorite on incidents.org, reads packets through libpcap directly. Snort adds packet decodes and pattern matching on top of that, and because both understand the same BPF filter language, you can use the same filters for either TCPdump or Snort. Let’s take a look at a sample filter and see what we learn.
Core_Hosts Filter
• DNS, Web, and mail servers draw a lot of fire; about 20% of all our attacks are directed at these systems
• If you lose control of DNS, they own you
• Worth the time to give connection attempts to these systems an extra look
What do web servers, DNS servers, and mail relays have in common? You cannot hide them if you want your site to communicate with the rest of the world, and they are also important systems. Therefore it makes sense to tune your intrusion detection system to look at these. As we move to a real world filter, let us warn you in advance that the language is a bit odd. However, we can take it one step at a time and everything will work out. There are many, many protocols, but three, TCP, UDP, and ICMP, do most of the work from a computer system’s point of view, so most filters will start with a protocol. TCP and UDP use numerical ports to identify which service is requested. For instance, TCP destination port 80 is the port a web server listens on.
A popular technique is to write a filter that monitors your “core hosts”, those hosts that are the most important to your organization.
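Here is an added example, written for this edit rather than taken from the course (the course's own filter is presented later), that ties the libpcap discussion to the core-hosts idea. It reads a classic libpcap file in pure Python, the same on-disk format Shadow's tcpdump sensors produce and Snort reads back, then selects the TCP and UDP packets destined for a list of core hosts and reports the destination port and whether the packet is a bare SYN, so connection attempts to unexpected ports on those hosts stand out. The capture, the RFC 5737 addresses and the core host list are constructed for the demonstration; the Python filter only mirrors the semantics of the tcpdump expression it prints, since Python is not running BPF here, and that expression is what you would hand to tcpdump or Snort against a live interface.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def read_pcap(data: bytes):
    """Yield (timestamp, frame) records from a classic libpcap file held in memory."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"                       # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"                       # written on a big-endian host
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    off = 24                            # end of the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_frame(frame: bytes):
    """Flatten Ethernet/IPv4/{TCP,UDP} into the fields a filter needs; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    l4 = ip[(ip[0] & 0x0F) * 4:]
    fields = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}
    if ip[9] == 6 and len(l4) >= 20:
        fields.update(proto="tcp", sport=int.from_bytes(l4[0:2], "big"),
                      dport=int.from_bytes(l4[2:4], "big"),
                      syn_only=(l4[13] & 0x12) == 0x02)      # SYN set, ACK clear
        return fields
    if ip[9] == 17 and len(l4) >= 8:
        fields.update(proto="udp", sport=int.from_bytes(l4[0:2], "big"),
                      dport=int.from_bytes(l4[2:4], "big"), syn_only=False)
        return fields
    return None


def core_hosts_expression(hosts):
    """The tcpdump/Snort BPF expression with the same meaning as core_host_traffic()."""
    return "(" + " or ".join(f"dst host {h}" for h in hosts) + ") and (tcp or udp)"


def core_host_traffic(pcap: bytes, hosts):
    """Every TCP/UDP packet destined for a core host, in capture order."""
    core = set(hosts)
    hits = []
    for ts, frame in read_pcap(pcap):
        f = decode_frame(frame)
        if f is not None and f["dst"] in core:
            f["ts"] = ts
            hits.append(f)
    return hits


# --- constructed sample capture -------------------------------------------------
def _ethernet_ipv4(src, dst, proto, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + hdr + l4        # zero MACs, checksums left zero


def tcp_frame(src, dst, sport, dport, flags):
    return _ethernet_ipv4(src, dst, 6, struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                                                   (5 << 12) | flags, 8192, 0, 0))


def udp_frame(src, dst, sport, dport, payload=b""):
    return _ethernet_ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)


def build_pcap(frames, t0=1000000000):
    """Little-endian libpcap file; one frame per second starting at an arbitrary epoch."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(fr), len(fr)) + fr
    return out


CORE_HOSTS = ["192.0.2.10", "192.0.2.53", "192.0.2.25"]   # web, DNS, mail (constructed)
SAMPLE_PCAP = build_pcap([
    tcp_frame("198.51.100.7", "192.0.2.10", 40001, 80, 0x02),        # SYN to the web server
    udp_frame("198.51.100.7", "192.0.2.53", 40002, 53, b"\x00" * 12),  # DNS query
    tcp_frame("198.51.100.7", "192.0.2.99", 40003, 80, 0x02),        # not a core host: ignored
    tcp_frame("198.51.100.7", "192.0.2.53", 40004, 22, 0x02),        # SYN to ssh on the DNS box
])

if __name__ == "__main__":
    print("tcpdump filter:", core_hosts_expression(CORE_HOSTS))
    for h in core_host_traffic(SAMPLE_PCAP, CORE_HOSTS):
        print(f"{h['ts']:.0f} {h['src']} -> {h['dst']} {h['proto']}/{h['dport']}"
              + ("  connection attempt" if h["syn_only"] else ""))
```

The last hit, a SYN to port 22 on the DNS server, is the kind of event the slide means by giving connection attempts to core hosts an extra look: it is not a DNS query, and whether it is legitimate administration or recon is a question for the analyst, not the filter.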