150 likes | 254 Vues
IDS In Depth Search: Ideas, Descriptions, and Solutions. Presentation by Marshall Washburn November 30 th , 2010 CPSC 420/620 w/ Dr. Grossman. Introduction and Layout. What is an IDS? How it works NIDS vs. HIDS (vs. NNIDS) Different uses of an IDS Passive vs. Aggressive (IDPS)
E N D
IDS In Depth Search: Ideas, Descriptions, and Solutions Presentation by Marshall Washburn November 30th, 2010 CPSC 420/620 w/ Dr. Grossman
Introduction and Layout • What is an IDS? • How it works • NIDS vs. HIDS (vs. NNIDS) • Different uses of an IDS • Passive vs. Aggressive (IDPS) • Anomaly vs. Signature • Supplements and Add-ons • Logging • Honeypots • Gotchas • False Positives • False Negatives • Closer look – Snort • Info • Modes • Rules & Features • Conclusion
What is an IDS? • IDS – Intrusion Detection System • Analyzes network traffic • Reports problems • Three types of IDS • Network-based Intrusion Detection • Host-based Intrusion Detection • Network Node-based Intrusion Detection
Types of IDS • Network-IDS • Typical view of IDS • Watches a subnet • Typically a perimeter defense • Host-based IDS • Watches host computers, involves software • Looks for system calls and registry changes • Typically an internal defense • Network-Node IDS • Specific host traffic • Kind of specialized NIDS (ex: VPN device)
Types of IDS http://www.informit.com/articles/article.aspx?p=29601 http://ptgmedia.pearsoncmg.com/images/art_peikari1_intrusiondetection/elementLinks/fig01.gif
Different uses of an IDS • How should the system react? • Passive system • Scans packets, traffic, or system • Takes notes • Sends alerts • Active system (Intrusion Detection and Prevention System) • Passive system + barrel rolls • Kills connections or modifies firewalls • Pros and Cons: Passive vs. Active • Less maintenance and lack of painful false alarms vs. More maintenance but avoid disasters
Different uses of an IDS • What should the system look for? • Anomaly-based IDS • Samples network traffic • Checks against predefined ‘ideal’ traffic • Signature-based IDS • Polar opposite of anomaly • Samples network traffic • Checks against predefined virus patterns • Pros and Cons: Anomaly vs. Signature • Hard to pin down ‘normal’ network traffic, especially when updating or migrating a system • Virus patterns are only as good as the updated list
Supplements and Add-ons • IDS: Good by themselves, great on a team • External Logging • Honeypots http://i.ehow.com/images/a06/e3/83/state-ohio-tax-id-number-120X120.jpg http://blog.hazrulnz.net/tag/ids
IDS Logging • IDS typically logs traffic locally • Can become unorganized • Hard to search through • External Logging Databases (ex: ACIDBASE) • Categorize suspected attacks • IP traffic • Port traffic • Latest virus information • Stealthy logging
Honeypots • IDS can be used on production or development systems • Honeypots lure attacker in (ex: Honeyd) • Network decoys to distract away from vulnerable machines • Typically virtual machines that simulate real networks • Honeypots capture the attacks, IDS analyzes, your system stays secure.
A Few Gotchas • Every rose has its thorn… • False Positives • Normal traffic suspected to be malicious • False Negatives • Some attack is flagged to be normal or non-malicious • Not software flaws, usually configuration flaws • Encrypted traffic can cause false positives, and mutated worms or viruses can mismatch an attack pattern and cause false negatives.
Quick Case Study: Snort • Originally released in 1998 by Sourcefire founder and CTO Martin Roesch • Combines signature and anomaly techniques • Ready out of the box • Updated rule sets • Three primary modes • Sniffer mode • Packet-logger mode • Network IDS mode
Snort Rules • Can specify what IP subnet to look at and types of traffic in ‘snort.conf’ file • Sample rule • alert tcp any any -> 192.168.1.0/24 111 \ (content:"|00 01 86 a5|"; msg:"mountd access";) • Easy to customize with many different features • Logging, passing, dropping, custom • TCP and/or UDP, ICMP, IP • Traffic direction • Content, raw bytes, offsets
Conclusions • Useful tool to keep a network safe • There are many different styles to a detection system • Snort incorporates many of the capabilities of intrusion detection systems • multiple detection techniques • ability to customize simple rules
Works Cited • Bauer, Mick. “Stealthful Sniffing, Intrusion Detection and Logging http://www.linuxjournal.com/article/6222 October, 2002 • Innella, Paul. “The Evolution of Intrusion Detection Systems” http://www.symantec.com/connect/articles/evolution-intrusion-detection-systems November 16th, 2001 • Mattord, Verma (2008). Principles of Information Security. Course Technology. pp. 290–301 • Provos, Niels. “A Virtual Honeypot Network” http://www.usenix.org/event/sec04/tech/full_papers/provos/provos_html/ Proceedings of the 13th USENIX Security Symposium. August, 2004 • Timm, Kevin. “Strategies to Reduce False Positives and False Negatives in NIDS” http://www.symantec.com/connect/articles/strategies-reduce-false-positives-and-false-negatives-nids September, 2001 • The Snort Team. SNORT Users Manual 2.9.0. http://www.snort.org/assets/152/snort_manual.pdf September, 2010 • Wikipedia. http://en.wikipedia.org/wiki/Intrusion_detection_system