class 17 - intrusion detection

Reading: None

Additional references:
    Bace, Rebecca, _Intrusion Detection_, MacMillan, 2000, ISBN 1-57870-185-6
    SANS Intrusion Detection FAQ - http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
    Snort: open source network IDS - www.snort.org

* Intrusion detection as a *component* of the security process
    you still need:
        policy
        prevention (system configuration, patches, etc.)
        response (to events)
        analysis
        authentication

* host vs. network
    see the world differently
    have different advantages and disadvantages

* host-based IDS
    typically protect the host they run on
    may have hooks into the OS
    run against host-generated audit/log records
    are *very* OS-specific
    are often *very* organization-specific
    are often application-level IDS (database intrusion detection, financial controls)

* network IDS
    typically protect multiple hosts
    are network "sniffers" with analysis capability
    are often pretty OS-neutral
    have *different* performance and scale issues (the sensor has to keep up with the link; every dropped packet is traffic that was never inspected)

* anomaly detection vs. signature matching
    most IDS systems are biased one way or the other
    the bias is embedded in the system architecture
    the two have different performance characteristics

* anomaly detection
    looks for the "unusual"
    have to know what "usual" is :-(
        the baseline has to be built from activity you trust to be clean; if the attacker's behavior is in the training data it becomes "usual"
    could be access times, command patterns, almost anything
    requires a database (the baseline) + an "expert system" to judge deviations from it
    some folks have tried "learning" systems and neural networks

* signature matching
    looks for known patterns of abuse, which could be:
        known packet sequences/contents
        command sequences
        strings of system calls
        specific content (email subject line, other headers)
    is only as good as its signature database: a new or deliberately obfuscated attack has no signature to match

* History of automated IDS
    in the beginning, there was "audit" (audit diagram)
    1980 - Anderson's threat matrix and "automated audit reduction"
    80s-early 90s - lots of host-based, anomaly-detection systems (AI and expert systems didn't live up to their promises)
    late 90s-present - network-based, signature-based (built upon principles from anti-virus systems)
    from mid-90s - lots of hybrid solutions,
        commercial systems more widely deployed

* an example of a "modern" IDS - Snort (the core technology of the Sourcefire commercial IDS)
    preprocessor(s)
    rule engine
    alert mechanisms

* Snort - preprocessors
    user-defined modular plug-ins
    are really a full extension mechanism
    do things like:
        IP (fragment) reassembly
        HTTP decoding (hex-encoded URLs, etc.) - without it an attacker hides "../" from the rules by sending it as %2e%2e%2f
        portscan detection
        SPADE (Statistical Packet Anomaly Detection Engine)

* alert/output mechanisms
    SMB alerts (popups)
    email
    pagers
    send to log files
    send to database (SQL)

* rule engine
    understands the Snort rule language
    filters based on matching patterns of:
        IP addresses
        source/destination ports
        packet content

* Sample rules
    alert tcp any any -> 192.168.1.0/24 21 (content: "user root"; msg: "FTP root login";)
        # from any IP, any port, to port 21 on a specific subnet range
        # caveat: a content match is case-sensitive unless the rule adds "nocase", and FTP clients
        # normally send the command in upper case, so this version misses the real login; hence:
    alert tcp any any -> 192.168.1.0/24 21 (content: "USER root"; msg: "FTP root login";)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named 8.2->8.2.1"; flags: A+; content:"../../../../../../../../../"; reference:cve,CVE-1999-0833; classtype:attempted-admin; sid:258; rev:1;)
        # $EXTERNAL_NET and $HOME_NET are variables set in snort.conf; sid/rev identify the rule and
        # its revision, and reference ties the alert back to the CVE entry

* IDS and firewalls
    many vendors and systems try to integrate firewalls and IDS
    since the firewall has to examine all the traffic anyway...
    one box vs. many (Cisco especially: firewall modules combined with IDS modules, plus MARS event correlation)

* Threat Pyramid
    IDS can screen/detect *known* problems
    leaving you time to look at the "real" problems
    blocking the bottom 1/3 of the pyramid saves a LOT of time

* Questions
    Which is better, network-based or host-based?
    Which is better, anomaly-based or signature-based?
    What is a significant advantage of host-based IDS?
    Why is network speed an issue with network IDS?
    What are the advantages or disadvantages of integrating your firewall and IDS?
    How important is assurance for an IDS?
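Added worked example (not part of the class notes, and not Snort's own code): a toy rule engine for the subset of the Snort rule language shown in the sample rules above, run over constructed packets so the case-sensitivity caveat on "user root" vs. "USER root" is visible. It assumes the header form `alert <proto> <src> <sport> -> <dst> <dport> (...)` with `any` or CIDR addresses and `any` or single numeric ports, understands only the `content`, `nocase`, `msg` and `sid` options (others such as `flags` and `reference` are parsed and ignored), and expects `$EXTERNAL_NET`/`$HOME_NET` to have been expanded by hand, which Snort does from its configuration file. The packet records and the sid 1000001-1000003 rules are constructed for the example.

```python
"""Toy Snort-style rule matcher (illustration only; this is not Snort's engine).

Handles the subset of the rule language used in the class notes:
    alert <proto> <src> <sport> -> <dst> <dport> (<option>; <option>; ...)
with 'any' or CIDR addresses, 'any' or single numeric ports, and the options
content, nocase, msg and sid (other options are parsed and ignored).
$HOME_NET-style variables are assumed to be expanded before parsing.
"""
import ipaddress
import re
from dataclasses import dataclass

HDR_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPT_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    content: bytes = b""
    nocase: bool = False
    msg: str = ""
    sid: int = 0


def parse_rule(text: str) -> Rule:
    """Split a rule into its header fields and the options we care about."""
    m = HDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad rule header: {text!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = Rule(action, proto.lower(), src, sport, dst, dport)
    for key, val in OPT_RE.findall(opts):
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        if key == "content":
            rule.content = val.encode("latin-1")
        elif key == "nocase":
            rule.nocase = True
        elif key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
    return rule


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def matches(rule: Rule, pkt: dict) -> bool:
    """Header fields first, then the content search over the payload."""
    if rule.proto != pkt["proto"]:
        return False
    if not (_addr_ok(rule.src, pkt["src"]) and _port_ok(rule.sport, pkt["sport"])
            and _addr_ok(rule.dst, pkt["dst"]) and _port_ok(rule.dport, pkt["dport"])):
        return False
    payload, needle = pkt["payload"], rule.content
    if rule.nocase:            # content matching is case-sensitive unless nocase is set
        payload, needle = payload.lower(), needle.lower()
    return needle in payload   # no content option => the header match alone fires


# Constructed sample traffic (not a capture): an FTP login as root to a host in the
# monitored subnet, an unrelated HTTP request, and a named traversal attempt on port 53.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "sport": 40211, "dst": "192.168.1.20", "dport": 21,
     "payload": b"USER root\r\n"},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 40212, "dst": "192.168.1.20", "dport": 80,
     "payload": b"GET /user root HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 40213, "dst": "192.168.1.53", "dport": 53,
     "payload": b"\x00\x40" + b"../" * 10 + b"bin/sh\x00"},
]

# The notes' FTP rules (with local sids added) plus a nocase variant; in the sid:258 rule the
# variables are expanded by hand here ($EXTERNAL_NET -> any, $HOME_NET -> 192.168.1.0/24).
RULES = [
    'alert tcp any any -> 192.168.1.0/24 21 (content: "user root"; msg: "FTP root login (lower-case)"; sid:1000001;)',
    'alert tcp any any -> 192.168.1.0/24 21 (content: "USER root"; msg: "FTP root login"; sid:1000002;)',
    'alert tcp any any -> 192.168.1.0/24 21 (content: "user root"; nocase; msg: "FTP root login (nocase)"; sid:1000003;)',
    'alert tcp any any -> 192.168.1.0/24 53 (msg:"DNS EXPLOIT named 8.2->8.2.1"; flags: A+; '
    'content:"../../../../../../../../../"; reference:cve,CVE-1999-0833; classtype:attempted-admin; sid:258; rev:1;)',
]


def run(rule_texts=RULES, packets=PACKETS):
    """Return [(sid, msg), ...] for every rule that fires on the sample traffic."""
    rules = [parse_rule(r) for r in rule_texts]
    return [(rule.sid, rule.msg) for pkt in packets for rule in rules if matches(rule, pkt)]


if __name__ == "__main__":
    for sid, msg in run():
        print(f"[sid {sid}] {msg}")
```

Running it shows the lower-case rule (sid 1000001) never fires on the upper-case FTP command while the upper-case and nocase versions do, and the port-80 request carrying the same string is filtered out by the header before any content search happens; the traversal string fires the sid 258 rule on port 53. A real sensor also has to reassemble fragments and decode the URL before this step, which is what the preprocessors above are for.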
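Added worked example (not part of the class notes) for the anomaly-detection section above: a host-based detector that learns each user's "usual" login hours from a baseline of accepted-login records and flags live logins at hours the user has rarely or never used. The record format, the users, the hours, the MIN_OBS and THRESHOLD values and the plus/minus one hour window are all constructed for the example. It also demonstrates the "have to know what usual is" problem from two sides: a user with too few baseline records gets no verdict at all, and a few attacker logins slipped into the training data make the 3 a.m. login "usual" and silence the alert.

```python
"""Toy anomaly detector over host login records (illustration only).

Builds each user's "usual" login hours from a trusted baseline, then flags
live logins at hours the user has rarely or never used.  It also shows why
the baseline has to be clean: logins an attacker gets into the training data
become "usual" and stop being flagged.
"""
import re
from collections import Counter, defaultdict

# Pattern for the constructed sshd-style records below (not a real system's log).
LINE_RE = re.compile(
    r"^\w{3} \d{2} (\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (\w+) from \S+$")

# Constructed baseline: what "usual" looks like for three users.
BASELINE = """\
Mar 01 08:55:12 host sshd[101]: Accepted publickey for alice from 10.0.0.5
Mar 01 09:02:44 host sshd[102]: Accepted publickey for bob from 10.0.0.6
Mar 01 09:40:01 host sshd[103]: Accepted publickey for alice from 10.0.0.5
Mar 01 10:12:09 host sshd[104]: Accepted publickey for bob from 10.0.0.6
Mar 01 10:30:27 host sshd[105]: Accepted password for carol from 10.0.0.7
Mar 01 11:05:33 host sshd[106]: Accepted publickey for bob from 10.0.0.6
Mar 01 11:47:50 host sshd[107]: Accepted password for carol from 10.0.0.7
Mar 01 13:15:08 host sshd[108]: Accepted publickey for bob from 10.0.0.6
Mar 01 13:58:19 host sshd[109]: Accepted publickey for alice from 10.0.0.5
Mar 01 14:20:41 host sshd[110]: Accepted publickey for alice from 10.0.0.5
Mar 01 15:33:02 host sshd[111]: Accepted publickey for bob from 10.0.0.6
Mar 01 17:49:56 host sshd[112]: Accepted publickey for bob from 10.0.0.6
Mar 02 08:51:30 host sshd[113]: Accepted publickey for alice from 10.0.0.5
Mar 02 09:10:15 host sshd[114]: Accepted publickey for alice from 10.0.0.5
Mar 02 08:58:47 host sshd[115]: Accepted publickey for alice from 10.0.0.5
""".splitlines()

# Constructed live records to score against the baseline.
LIVE = """\
Mar 03 03:12:40 host sshd[201]: Accepted publickey for alice from 10.0.0.5
Mar 03 09:03:11 host sshd[202]: Accepted publickey for alice from 10.0.0.5
Mar 03 16:25:09 host sshd[203]: Accepted publickey for bob from 10.0.0.6
Mar 03 03:14:02 host sshd[204]: Accepted password for carol from 10.0.0.7
""".splitlines()

# Constructed records an attacker managed to get into the training data.
POISON = """\
Feb 26 03:05:00 host sshd[90]: Accepted publickey for alice from 10.0.0.5
Feb 27 03:07:00 host sshd[91]: Accepted publickey for alice from 10.0.0.5
Feb 28 03:09:00 host sshd[92]: Accepted publickey for alice from 10.0.0.5
""".splitlines()

MIN_OBS = 5        # fewer baseline logins than this: we don't know "usual" yet
THRESHOLD = 0.10   # alert when < 10% of the user's logins fall within +/- 1 hour


def parse(line):
    """Return {'user', 'hour'} for an accepted-login record, else None."""
    m = LINE_RE.match(line)
    return {"hour": int(m.group(1)), "user": m.group(2)} if m else None


def build_profile(lines):
    """Per-user histogram of login hour-of-day; the lines must be *trusted*."""
    profile = defaultdict(Counter)
    for rec in filter(None, map(parse, lines)):
        profile[rec["user"]][rec["hour"]] += 1
    return profile


def score(profile, rec):
    """Classify one login as 'ok', 'alert' or 'unknown' (baseline too thin)."""
    hist = profile.get(rec["user"], Counter())
    total = sum(hist.values())
    if total < MIN_OBS:
        return "unknown"
    near = sum(hist[(rec["hour"] + d) % 24] for d in (-1, 0, 1))
    return "alert" if near / total < THRESHOLD else "ok"


def detect(baseline_lines, live_lines):
    """Return [(user, hour, verdict), ...] for each parsable live record."""
    profile = build_profile(baseline_lines)
    return [(r["user"], r["hour"], score(profile, r))
            for r in filter(None, map(parse, live_lines))]


if __name__ == "__main__":
    print("clean baseline:   ", detect(BASELINE, LIVE))
    print("poisoned baseline:", detect(BASELINE + POISON, LIVE))
```

With the clean baseline alice's 03:12 login is flagged, her 09:03 login and bob's 16:25 login are normal, and carol's 03:14 login gets "unknown" because two baseline records are not enough to say what her usual is. Train on the poisoned baseline instead and alice's 03:12 login is scored "ok": the detector is only as good as the data it was told is normal.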