IDS In Depth Search: Ideas, Descriptions, and Solutions
Download
Report
Transcript IDS In Depth Search: Ideas, Descriptions, and Solutions
IDS In Depth Search: Ideas,
Descriptions, and Solutions
Presentation by Marshall Washburn
November 30th, 2010
CPSC 420/620 w/ Dr. Grossman
Introduction and Layout
• What is an IDS?
– How it works
– NIDS vs. HIDS (vs. NNIDS)
• Different uses of an IDS
– Passive vs. Aggressive (IDPS)
– Anomaly vs. Signature
• Supplements and Add-ons
– Logging
– Honeypots
• Gotchas
– False Positives
– False Negatives
• Closer look – Snort
– Info
– Modes
– Rules & Features
• Conclusion
What is an IDS?
• IDS – Intrusion Detection System
– Analyzes network traffic
– Reports problems
• Three types of IDS
– Network-based Intrusion Detection
– Host-based Intrusion Detection
– Network Node-based Intrusion Detection
Types of IDS
• Network-IDS
– Typical view of IDS
– Watches a subnet
– Typically a perimeter defense
• Host-based IDS
– Watches host computers, involves software
– Looks for system calls and registry changes
– Typically an internal defense
• Network-Node IDS
– Specific host traffic
– Kind of specialized NIDS (ex: VPN device)
Types of IDS
http://www.informit.com/articles/article.aspx?p=29601
http://ptgmedia.pearsoncmg.com/images/art_peikari1_intrusiondetection/elementLinks/fig01.gif
Different uses of an IDS
• How should the system react?
• Passive system
– Scans packets, traffic, or system
– Takes notes
– Sends alerts
• Active system (Intrusion Detection and Prevention System)
– Passive system + barrel rolls
– Kills connections or modifies firewalls
• Pros and Cons: Passive vs. Active
– Less maintenance and lack of painful false alarms vs.
More maintenance but avoid disasters
Different uses of an IDS
• What should the system look for?
• Anomaly-based IDS
– Samples network traffic
– Checks against predefined ‘ideal’ traffic
• Signature-based IDS
– Polar opposite of anomaly
– Samples network traffic
– Checks against predefined virus patterns
• Pros and Cons: Anomaly vs. Signature
– Hard to pin down ‘normal’ network traffic, especially when
updating or migrating a system
– Virus patterns are only as good as the updated list
Supplements and Add-ons
• IDS: Good by themselves, great on a team
– External Logging
– Honeypots
http://i.ehow.com/images/a06/e3/83/state-ohio-tax-id-number-120X120.jpg
http://blog.hazrulnz.net/tag/ids
IDS Logging
• IDS typically logs traffic locally
– Can become unorganized
– Hard to search through
• External Logging Databases (ex: ACIDBASE)
– Categorize suspected attacks
– IP traffic
– Port traffic
– Latest virus information
– Stealthy logging
Honeypots
• IDS can be used on production or
development systems
• Honeypots lure attacker in (ex: Honeyd)
– Network decoys to distract away from vulnerable
machines
– Typically virtual machines that simulate real
networks
– Honeypots capture the attacks, IDS analyzes, your
system stays secure.
A Few Gotchas
• Every rose has its thorn…
• False Positives
– Normal traffic suspected to be malicious
• False Negatives
– Some attack is flagged to be normal or non-malicious
• Not software flaws, usually configuration flaws
– Encrypted traffic can cause false positives, and
mutated worms or viruses can mismatch an attack
pattern and cause false negatives.
Quick Case Study: Snort
• Originally released in 1998 by Sourcefire
founder and CTO Martin Roesch
• Combines signature and anomaly techniques
• Ready out of the box
• Updated rule sets
• Three primary modes
– Sniffer mode
– Packet-logger mode
– Network IDS mode
Snort Rules
• Can specify what IP subnet to look at and types of
traffic in ‘snort.conf’ file
• Sample rule
– alert tcp any any -> 192.168.1.0/24 111 \ (content:"|00 01 86 a5|"; msg:"mountd
access";)
• Easy to customize with many different features
–
–
–
–
Logging, passing, dropping, custom
TCP and/or UDP, ICMP, IP
Traffic direction
Content, raw bytes, offsets
Conclusions
• Useful tool to keep a network safe
• There are many different styles to a detection
system
• Snort incorporates many of the capabilities of
intrusion detection systems
– multiple detection techniques
– ability to customize simple rules
Works Cited
• Bauer, Mick. “Stealthful Sniffing, Intrusion Detection and Logging
http://www.linuxjournal.com/article/6222 October, 2002
• Innella, Paul. “The Evolution of Intrusion Detection Systems”
http://www.symantec.com/connect/articles/evolution-intrusiondetection-systems November 16th, 2001
• Mattord, Verma (2008). Principles of Information Security. Course
Technology. pp. 290–301
• Provos, Niels. “A Virtual Honeypot Network”
http://www.usenix.org/event/sec04/tech/full_papers/provos/provos_htm
l/ Proceedings of the 13th USENIX Security Symposium. August, 2004
• Timm, Kevin. “Strategies to Reduce False Positives and False Negatives in
NIDS” http://www.symantec.com/connect/articles/strategies-reducefalse-positives-and-false-negatives-nids September, 2001
• The Snort Team. SNORT Users Manual 2.9.0.
http://www.snort.org/assets/152/snort_manual.pdf September, 2010
• Wikipedia. http://en.wikipedia.org/wiki/Intrusion_detection_system