Network intrusion detection system

Date post: 10-Nov-2014
FORESEC ACADEMY © FORESEC

Network-based intrusion detection systems (NIDSs) are an excellent way to monitor networks for anomalies that could indicate an attack or signs of electronic tampering on your network. In this chapter, we explore the need for NIDS and discuss some of the available offerings. In particular, we look at commercial tools such as BlackICE Defender, as well as an extremely popular open-source tool called Snort. We also discuss the advantages associated with building a distributed NIDS and provide examples of creating custom signatures for your own network environment.

Our journey begins with a single network attack and culminates with a myriad of real-world intrusion attempts. The objective is to present you with the knowledge necessary to understand the basics of intrusion detection and to spark some ideas of how this technology can be deployed on your own network. Finally, after reading this chapter, you should be able to tell the difference between an innocuous scan and a malicious scan, and how to react and respond accordingly.

Need for Network-based Intrusion Detection

Insider attacks can cause more financial damage than third-party attacks because insiders have intimate knowledge of internal networks. Traditional audit and security mechanisms can address these threats, and organizations can prosecute. The greater concern, though, should be attacks originating from the Internet.

The volume of attacks originating from the public network is (or should be!) significantly higher than the number of attacks coming from an internal host. Most outside attacks can be stopped by a properly configured firewall. However, we need to be concerned with attacks that are able to bypass, or otherwise penetrate, the outside perimeter. You may be asking: if the firewall can prevent many or most attacks, why do we need to be concerned about the few that make it through? The reason is simple: volume. The sheer number of outside attacks hitting your network will eventually take its toll and compromise a system. There is a saying that even a blind squirrel can find a nut, and it applies to the perimeter network as well. Attacks on your network, even poorly targeted ones, will eventually result in malicious activity passing through your perimeter and causing damage to your systems.

By detecting even the most benign attacks hitting our network perimeter, we can use that data to properly tune our system defences and mitigate or render useless a large percentage of the attacks. As the sophistication of network-based attacks continues to increase, we owe it to ourselves to use NIDS to investigate intrusions, analyze threats and prepare the needed countermeasures. There is also the distinct advantage of being able to correlate data from a variety of NIDS deployments to increase our capability in responding to various attacks. We will discuss event correlation later in this chapter.

Inside a Network Attack

Some people call this classic attack an out-of-band attack; however, it is better known as WinNuke. WinNuke sends a single, specially crafted packet with OOB data to a remote listening port, TCP 139. This is known to crash older versions of Windows. (Note that "out of band" is a misnomer; WinNuke actually uses the TCP Urgent flag and the urgent pointer.) Even if NetBIOS is not enabled, a vulnerable system attacked by WinNuke will typically experience the dreaded "Blue Screen of Death." Although this is a dated attack tool, it does an excellent job of visually explaining the concept of network-based attacks. It should also be noted that there are still millions of Windows 95 machines connected to the Internet. It is safe to say that this attack tool could still bring down countless machines.

How do we create this special packet capable of bringing Windows 95 to its knees? The answer is quite simple: Nuke.eM. Nuke'em (shown in the previous slide) works by establishing a TCP connection with a remote host and delivering the illegal packet. It doesn't take any skill, and it can turn the most inept person into a hacker.

The previous screenshot shows how the Nuke.eM attack was detected and blocked by BlackICE PC Protection, a leading commercial personal firewall. The highlighted area illustrates that the NetBIOS probe (Nuke.eM) was detected and successfully blocked six times.

We can see that a NetBIOS port probe from the IP address 192.168.1.100 was detected and blocked by the firewall engine. The information window at the bottom of the screen gives a brief description of the attack, and clicking the "advICE" button to the right gives more detailed information.

Note: Internet Security Systems (ISS) acquired the BlackICE product line in April 2001. The BlackICE PC Protection suite is their first offering from their new acquisition.

Okay, let's sum up what we have seen as we have explored a single network attack. We have identified a vulnerability, a flaw in the Microsoft implementation of networking. We have described the flaw technically and demonstrated one of the attacker tools that takes advantage of the threat. Finally, we have seen a detection and protection tool in action. Actually, this is another example of threat, countermeasure, and counter-countermeasure. WinNuke was dropping systems left and right, and Microsoft responded with a patch. Instead of fixing the problem the first time, they released a quick hack. The attackers instantly countered with a modification to their attack tools, finally forcing Microsoft to release a complete patch that adequately resolved the initial problem.

Network Intrusion Detection 101

Generally, when we think of utilizing a personal firewall, it is to protect our PC that is directly connected to the Internet. However, we don't always think about detection: many personal firewalls on the market today can block attacks, and they can also detect and log them. Logging the attack allows an analyst to study the attributes of an attack. In fact, with the increasing rate of broadband installations, personal firewalls with intrusion detection capability are becoming extremely valuable network sensors for the IDS community. The Internet Storm Center has a free client that can be used in conjunction with many personal firewalls and intrusion detection systems and that allows you to upload your logs to their site for further research and investigation. If you want a way to do your part and give back to the information security community, this is a great opportunity. Detailed information is available from the web site at http://isc.incidents.org.

The Importance of Logging

The previous screenshot depicts activity on an extremely busy and hostile network. We can see a variety of attacks, including nmap pings, SNMP port probes, and DNS zone transfers. Although it is useful to be able to view these events in real time, it is even more useful to be able to view them with a network protocol analyzer like Ethereal to gain a better understanding of the attack and how it happened. Most personal firewalls include a logging feature that should be enabled to get the most from the product.

Logging is an integral part of intrusion detection. Being able to refer back to logs after an event happens is extremely useful from a learning perspective and in the case of criminal prosecution. Having logs of the events that led to a compromise would be a valuable asset if you seek damages or prosecution from a network attack or system compromise.

In this example, we demonstrate how to enable logging in the BlackICE personal firewall. The firewall engine settings are managed from the Tools menu and can be easily accessed from the main screen. Looking around, we can see multiple tabs that allow you to alter the functionality of the firewall. For our purposes, we focus on the Evidence Log and Packet Log options.

It is important to ensure that logging is enabled on the Evidence Log tab. The rest is self-explanatory, but it is useful to put the % sign at the end of the evd file prefix. This special character adds a date/time stamp to the log file names, which is helpful when you need to go back and look up the information for an attack that occurred at a particular time. You may also wish to adjust the maximum file size and maximum number of files settings to reflect your network.

Another useful feature is the Packet Log tab; enabling the Packet Log feature of BlackICE allows you to capture all the traffic that comes across the listening interface. This can prove extremely valuable when you need to perform network diagnostics or just want to learn how your network operates at various points in time. However, remember that with this feature enabled, large amounts of disk space will be consumed to accommodate all of the network traffic. You might want to watch the remaining disk space when utilizing this logging feature.

Note: BlackICE is often thought of as a host-based IDS because it is typically installed on individual machines, but let's think about what it is really doing: monitoring network traffic. A traditional HIDS monitors log files, file changes, registry changes, and other rights/permissions of the host operating system. We use BlackICE in this chapter to illustrate the basics of network-based intrusion detection systems.

Viewing BlackICE Logs

There is a common misconception that BlackICE log files are viewable only by installing a commercial third-party application such as VisualICE or ICEcap. Although these add-on programs do a great job of parsing the data and creating nice-looking reports, all that is necessary is to view the files with an available packet analysis tool. In the previous example, we used a program called Ethereal to view the data. Ethereal, a free packet analysis program, is an excellent tool for decoding and viewing the BlackICE log files. In default installations of BlackICE, the log files are located at

C:\program files\ISS\BlackICE\evd%*.enc

Note: Ethereal is one of the killer apps to rise from the open-source movement. It is maintained by a core group of developers who continually add features and update the program. It is easy to use, flexible, and free to download. I would happily put it up against any commercially available protocol analyzer. Although our example is basic, the other features of Ethereal are worth checking out. Ethereal can be downloaded at http://www.ethereal.com.

BlackICE Visualization Tools

The previous screenshot shows a spike in activity in the Events window that was the result of someone probing this network. This gives us an idea of where to look to find this data in the evidence log file. As a helpful hint, find the approximate time of an event, and if you happen to be looking for a scan, always look at the biggest file first, since port scans tend to generate a lot of traffic.

This screen also allows you to view network trends over a period of minutes, hours, or days, and it can be useful in learning the intricacies of your network. For example, once a baseline has been established, you can use this screen to look for any anomalies that don't correlate with usual network traffic patterns.

We used a host-based intrusion detection engine to examine how a network attack functions. Now that you have a basic understanding of network-based attacks, let’s shift our focus to NIDS.

Libpcap-Based Intrusion Detection Systems

Most network-based intrusion detection systems are Libpcap-based. Libpcap is an open-source packet capture library designed to retrieve packets from the kernel and pass them to the application layer. Libpcap has the advantage of being free to use and has proven, since its inception, to be extremely reliable. Products that use the Libpcap library include Shadow, Snort, Cisco IDS (formerly NetRanger), and NFR.

Note: Complete information, including the source code for Libpcap, can be downloaded at http://www.tcpdump.org/. If you are running on a Windows-based platform, you are in luck! WinPcap is the Win32 version of Libpcap and can be downloaded at http://winpcap.polito.it/.

In the previous diagram, you see a remote sensor collecting data and forwarding it to another machine for display and analysis. The Shadow Intrusion Detection System uses this configuration and is one of the few NIDSs that essentially uses a "dumb" probe to forward the packets it captures to another device for processing. If the Shadow sensor should fail or somehow get compromised, no information about the site will be lost.

Network Intrusion Detection with Snort

Snort is billed as a lightweight network intrusion detection system. It was introduced to the open-source community in 1998 by its developer, Marty Roesch. Snort has quickly gained a reputation for being an extremely efficient, lightweight, and low-cost NIDS solution and owes its popularity and extensive features to a devoted team of core developers and an active user base.

Snort's design allows for easy integration into most networks, and it can be configured to monitor multiple sites, networks, or interfaces with relative ease. Its rules can match on both packet headers and decoded packet content. This means it can detect data-driven attacks like buffer overflows, as well as attacks on vulnerable URLs and scripts (for example, RDS and phf).

Because Snort is open-source and has such an active user community, it is an ideal system to learn how to analyze intrusions and to experiment with different configurations. There are many community-developed enhancements available (we discuss them later in this chapter) and help is just an e-mail message away.

Note: A great resource to learn more about Snort is the FAQ, which is available at http://www.snort.org/docs/faq.html. The FAQ is actively maintained and describes the many features of Snort.

Analyzing a Snort Detect

Snort detects are written to log files, like the one shown previously, separated by blank lines. The logs are flat files, also called text files, and have the advantage of being easy to sort, search, and analyze. Another advantage of Snort logs is that the individual detects can be cut and pasted into an e-mail message to be sent to other analysts, your CIRT, or the offending party. This feature alone is unavailable in many commercial products.

In this example, you see that the name of the detect, RPC Info Query, is listed at the top and the summary information follows it. The last three lines show the actual payload of this particular attack. Remote procedure call (RPC) attacks like this are part of the FORESEC Top Twenty list (http://www.foresecacademy.com/top20/) and could indicate a potential vulnerability on your network. Pay particular attention to all of the zeros in the payload. RPC fields are padded to 32-bit words even when they carry only a small integer, so runs of zeros are a telltale sign of Remote Procedure Calls. Another item worthy of mention is the hex string 01 86 A0 00 00 00 02 00 00 00 04. This is the string for the rpcinfo -p command, which lists the available RPC ports on a remote host.

Writing Snort Rules

Snort provides the ability to create custom rules, or signatures, to filter on specific content. The compiled source code provides hundreds of pre-written rules. However, there might be times when you need to create rules that are not included by default. Given the fast-paced world of intrusion detection, and that new threats are released on a daily basis, the ability to quickly write custom rules can often make or break your career as an information security professional!

Snort rules are simple to write yet powerful enough to capture most types of traffic. There are five options to keep in mind when writing rules:

Pass - This means you wish to ignore (drop) the packet and take no action.

Log - This option allows you to log the particular action to the location you specified in your snort configuration file (e.g. snort.conf).

Alert - This option allows you to send alerts to a central syslog server, to pop-up windows via SMB, or to a separate alert file. This alert file is commonly used with tools like Swatch (Simple Watcher) to alert the analyst to signs of intrusion or electronic tampering. Once the alert is sent, the packet is logged.

Activate - This option specifies that Snort is to send the alert and then activate another dynamic rule. For example, Snort can be configured to dynamically block
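
The following Python is an added example, not code from the slides or from Snort: it decodes the hex string quoted in the RPC Info Query detect above (program, version, procedure of an ONC RPC call, using the portmapper constants from RFC 1833) and then emits a local Snort rule with a content match for that payload, tying together the "Analyzing a Snort Detect" and "Writing Snort Rules" slides. The $EXTERNAL_NET/$HOME_NET variables, port 111, the local sid range, and the sample RPC packets are assumptions constructed for the demonstration.

```python
"""Decode the RPC payload from the "RPC Info Query" detect and build a local
Snort rule that matches it. Added example; not from the slides or Snort."""
import struct

# Hex string quoted in the slide: program, version, procedure, each a 32-bit
# big-endian word (the first word's leading 00 byte is apparently not shown).
DETECT_HEX = "01 86 A0 00 00 00 02 00 00 00 04"

# Portmapper constants from RFC 1833: program 100000, procedure 4 = DUMP, the
# call "rpcinfo -p" makes to list registered RPC services.
PMAP_PROG = 100000
PMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}


def decode_rpc_call_tail(hex_string):
    """Return program/version/procedure parsed from the logged hex string."""
    raw = bytes.fromhex(hex_string.replace(" ", ""))
    raw = raw.rjust((len(raw) + 3) // 4 * 4, b"\x00")   # restore 32-bit alignment
    prog, vers, proc = struct.unpack("!III", raw[-12:])
    return {"program": prog, "version": vers, "procedure": proc,
            "proc_name": PMAP_PROCS.get(proc, "UNKNOWN") if prog == PMAP_PROG else "n/a",
            "is_portmap_dump": prog == PMAP_PROG and proc == 4}


def payload_matches(payload, hex_string):
    """Same check a Snort content:"|..|" option performs: raw byte substring."""
    return bytes.fromhex(hex_string.replace(" ", "")) in payload


def build_snort_rule(hex_string, proto="udp", sid=1000001,
                     msg="RPC portmap DUMP request rpcinfo -p"):
    """Emit a rule for snort.conf. Assumed: $EXTERNAL_NET/$HOME_NET variables,
    portmapper on port 111, and a sid in the local range (1000000 and up)."""
    return (f"alert {proto} $EXTERNAL_NET any -> $HOME_NET 111 "
            f'(msg:"{msg}"; content:"|{hex_string}|"; sid:{sid}; rev:1;)')


def rpc_call(prog, vers, proc, xid=0x12345678):
    """Constructed ONC RPC CALL message: xid, msg_type=0, rpcvers=2, prog, vers,
    proc, then AUTH_NULL credential and verifier (flavor 0, length 0 each)."""
    return struct.pack("!IIIIII", xid, 0, 2, prog, vers, proc) + b"\x00" * 16


# Constructed sample packets: the rpcinfo -p query and a routine GETPORT lookup.
SAMPLE_DUMP_CALL = rpc_call(PMAP_PROG, 2, 4)
SAMPLE_GETPORT_CALL = rpc_call(PMAP_PROG, 2, 3)

if __name__ == "__main__":
    print(decode_rpc_call_tail(DETECT_HEX))
    print("dump query matches:", payload_matches(SAMPLE_DUMP_CALL, DETECT_HEX))
    print("getport matches:", payload_matches(SAMPLE_GETPORT_CALL, DETECT_HEX))
    print(build_snort_rule(DETECT_HEX))
```

The GETPORT sample shows why the content match is specific: an ordinary portmapper lookup shares the program and version words but not the procedure word, so it does not trigger the rule.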
