Transcript Using Argus Audit Trails to Enhance IDS Analysis

Using Argus Audit Trails
to Enhance IDS Analysis
Jed Haile
Nitro Data Systems
[email protected]
Overview
•
•
•
•
•
•
What is an audit trail?
What is Argus?
Overview of IP audit trails
Why are they useful?
Using audit trails to monitor your network
Detecting interesting network events using audit
trails
• Enhancing IDS analysis using audit trails
What is an IP Audit Trail?
• An IP audit trail is a collection of network flows
across some point of a network.
• A network flow is an identifiable exchange of data
between two endpoints on a network.
• Flows may be delineated by normal protocol (a
SYN replied to by an RST) or by timeouts.
• Flows may become exaggerated, as not all
network traffic is readily broken into correct
sessions with available information
What is Argus?
• Written by Carter Bullard as part of a DoD
contract while he was at Carnegie-Mellon’s
SEI
• Runs on unix
• The free version is available at
http://www.qosient.com/argus
• A commercial version is under development
by Qosient
More about Argus
• Argus uses a client server model:
– Data collection engine (Server): Monitors the
network using libpcap, collects network data
into audit trails. This engine can output the data
to a file or to a socket.
– Argus client: Reads audit data from a file or
from a socket. There are a number of clients
available for various purposes.
Argus Clients
•
•
•
•
•
•
•
•
ra: reads Argus data and displays it on stdout
ragator: aggregates flows in arbitrary fashions
ramon: produce rmon style reports and tables
racount: counts bytes and packets
rasort: sorts Argus records
raxml: display all fields in xml format
Others: ratop, ragrep, rahistogram, rasrvstats
Lacking: Database client!!
Default RA output
timestamp
17
17
17
17
17
17
17
17
17
17
17
17
17
17
17
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
02
02
02
02
02
02
02
02
02
02
02
02
02
02
02
protocol
09:59:16
09:59:16
09:59:16
09:59:16
09:59:16
09:59:16
09:59:16
09:59:17
10:00:04
09:59:17
10:00:02
10:00:02
10:00:02
10:00:02
10:00:02
icmp
tcp
icmp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
icmp
icmp
icmp
udp
icmp
src IP
direction
192.172.1.26
<->
192.172.191.46.458 ->
192.172.1.25
<->
192.18.221.25.119 ->
192.172.1.6.3562 ->
192.172.1.23.5936 ->
192.172.191.46.4585 ->
192.172.191.46.4990 ->
192.172.191.46.240 ->
142.177.221.77.177 ->
192.172.1.25
->
129.82.45.220
->
129.82.45.220
->
205.158.62.41.967 ->
129.82.45.220
->
dst IP
status
192.172.1.253
207.68.162.24.80
192.172.1.253
192.172.191.61.25
209.10.33.195.80
61.200.81.153.80
64.4.30.24.80
12.12.162.203.80
216.33.240.24.80
192.172.18.27.634
192.172.1.253
192.172.1.3
192.172.1.3
192.172.191.6.53
192.172.1.3
There is still a lot of other useful data we can capture!!
ECO
FIN
ECO
FIN
FIN
EST
FIN
RST
RST
RST
ECO
ECO
ECO
TIM
ECO
Data Model
• Source IP address
• Destination IP address
• Source Port
• Destination Port
• Protocol
• Time of first packet
• Time of last packet
• Packets sent
• Bytes sent
• Packets received
• Bytes received
This set of data is surprisingly rich!
Why are these useful?
• This set of data can be analyzed to find network
sessions, or sets of session that appear to be
suspicious.
• In the case of a compromise, the audit trails can be
examined to find out what else might have
happened.
• Excellent tool for network policy monitoring. Makes
finding unauthorized servers, or services, or
backdoors much easier to detect.
• Much smaller than full packet captures, so more can
be stored for longer.
• Well suited to statistical analysis
Reducing Record Counts
• A major problem with collecting network
flows is the extreme rate and large quantity
of records
• Fortunately network flows are readily
aggregated
• All flows with the same source and
destination addresses and ports can be
collapsed to a single row, with a counter
Portscan Detection
• IP audit trails are an excellent tool for detecting network
enumeration attempts.
• Snort’s spp_portscan2 uses network flows to detect
portscans
• To detect portscanning simply count connections from
external hosts to distinct hosts and ports on your network
• A well defined concept of home network versus external
network is critical
• A portscan attempt which also correlates to an IDS alert, or
to a session that is long or that moves some data might
point to a successful compromise
Long Sessions
• Long sessions are common on networks
• Due to the more stateless nature of udp and icmp,
distinct network flows might be collapsed into a
single network flow
• Long sessions to interesting ports, or inbound to
unexpected locations, or with IDS alerts are the
things we want to focus on
• Extensive correlation is critical to making the
important long sessions stand out
Traffic to Nonexistent Hosts
• Inbound traffic to a host that is known to
not exist
• A good way of detecting network
enumeration attempts
Traffic to High Ports
• Sessions being initiated to high ports on
your home network should always be
viewed with suspicion
• There are exceptions (ftp traffic)
• By keeping “state” on your network’s flows
you can eliminate many of the valid
inbound high port connections
• High port traffic + IDS alert…
High Connection Rate
• High connection rates could point to DOS
attempts, port scanning, auto rooter, P2P
activity, worm activity, and more
• There are valid network activities which can
generate high connection rates
• Correlation of high connection rates to other
anomalous activities is what we need to
look for
High Packet Rate
• Another example of could be bad, could be
good activity
• High packet rates might indicate worm
activity, portscanning, or other nastiness
• A sudden appearance of high packet rates
linked to a previous session which had IDS
alerts associated could indicate a host that
has been successfully compromised
Stepping Stone Detection
• A stepping stone is a computer that is used as an
intermediate point between two other computers
• Stepping stones are frequently used by attackers to
obscure their location/identity
• Stepping stones can be detected by correlation of
on/off times between two network flows. This is
prone to false positives.
• A better approach is to correlate on and off times
of packet activity inside the flow, but requires
finer granularity in the data than can be provided
by argus.
Summary
• Using IP audit trails is a powerful
enhancement to IDS
• IP audit trails also give new ways of looking
for anomalous traffic, new services on your
network, or for getting a better perspective
on your networks operation
• There is lots to be done!