Computer Security Workshops
Module 6 – Intrusion Detection Systems

Intrusion Detection Systems
- System monitoring software
- Developed to monitor for suspicious activity
- Optionally, report on or respond to such activity
- Two ways to classify an IDS
  - By detection method: misuse-based (matches traffic or events against known attack signatures) or anomaly-based (flags deviation from a baseline of normal behaviour)
  - By data source: host-based (HIDS) or network-based (NIDS)
- Increasing use of host- and network-based systems together for maximum coverage

Host Based Intrusion Detection Systems
- Dependent on the operating system
- Main activities
  - Check system logs
  - Monitor user logins
  - Monitor processes
  - Look for trojans
- Advantages: can be quite sophisticated; sees activity (local logins, file changes) that never crosses the network
- Disadvantages
  - Deals with known problems
  - Active: consumes CPU cycles on the monitored host

Host-Based IDS - Details
- Events to watch
  - Creation of accounts
  - Protection violations (actual and attempted)
  - Logins
  - Failed logins
  - Kernel activity as well as user activity

Network Based Intrusion Detection Systems (NIDS)
- High level: packet sniffers
- Examine network traffic
- Compare actual traffic to known attack patterns
- If these patterns/signatures are found, conclude that an intrusion is taking place
- Advantage: passive (analyzes the network, not a particular system; the sensor is hard for an attacker to detect)
- Disadvantages
  - Switches can reduce the amount of visible traffic to analyze (the sensor needs a mirror/SPAN port or a tap)
  - Packet fragmenting can fool the system: a signature split across fragments is not matched unless the sensor reassembles them first

IDS Tools
- Open source
  - Snort (Linux, Windows)
  - Shadow (Virtual IDS)
- Commercial
  - BlackICE (http://www.iss.net/blackice)
  - ISS RealSecure

Example System: Snort
- http://www.snort.org
- Need to define signatures/rules; rule sets are available on the internet and updated frequently
- Multiple level architecture
  - Main application (the sensor, doing the analysis)
  - Web client – ACID (Analysis Console for Intrusion Databases)
  - Barnyard – output spooler: reads Snort's unified log files and writes the alerts to the database that ACID reads, so the sensor is not slowed down by database writes

SNORT - more
- Now supports preprocessor analysis
- Problems with signatures
  - False positives – too wide a net (benign traffic matches the rule)
  - False negatives – too narrow a net (the attack does not match the rule)
- Preprocessors allow customizing
  - Start using anomaly-based detection
  - Customize rules based on users
- Examples (see /etc/snort/snort.conf)
  - stream4 – TCP statefulness, session reassembly
  - frag2 – IP fragment reassembly
- Problems: difficult to work with, generates a large amount of data
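The two signature problems above, a rule that casts too wide a net and an attack that slips through because its bytes are split across fragments, are easiest to see with a toy matcher. The following is an added example, not Snort's code or any Snort rule set: the signature names, patterns, addresses and packets are all constructed for the demonstration, and the reassembly routine stands in for what Snort's frag2/stream4 preprocessors do before rules are applied.

```python
"""Toy misuse-based (signature) detection with and without fragment reassembly.

Added example, not Snort's code. Signatures, addresses and packets below are
constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed signatures loosely modelled on classic web-probe rules (not Snort rules).
SIGNATURES: Dict[str, bytes] = {
    "WEB-CGI-PHF": b"/cgi-bin/phf",
    "CMD-ID-PROBE": b"/bin/id",
}

Flow = Tuple[str, str]  # (source address, destination address)


@dataclass
class Fragment:
    """One fragment of a datagram: owning flow, byte offset within it, payload bytes."""
    flow: Flow
    offset: int
    data: bytes


def match_signatures(payload: bytes) -> List[str]:
    """Misuse detection: names of every signature whose pattern occurs in payload."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in payload)


def detect_per_packet(frags: List[Fragment]) -> List[str]:
    """Naive sensor: every fragment is inspected on its own."""
    hits = set()
    for frag in frags:
        hits.update(match_signatures(frag.data))
    return sorted(hits)


def reassemble(frags: List[Fragment]) -> Dict[Flow, bytes]:
    """Rebuild each flow's payload from its fragments, placing each by offset.

    Fragments may arrive out of order. Gaps are zero-filled. Overlapping
    fragments are not handled; a real sensor must resolve overlaps the same
    way the destination host does, which is a classic IDS-evasion problem.
    """
    buffers: Dict[Flow, bytearray] = {}
    for frag in sorted(frags, key=lambda f: f.offset):
        buf = buffers.setdefault(frag.flow, bytearray())
        end = frag.offset + len(frag.data)
        if len(buf) < end:
            buf.extend(b"\x00" * (end - len(buf)))
        buf[frag.offset:end] = frag.data
    return {flow: bytes(buf) for flow, buf in buffers.items()}


def detect_reassembled(frags: List[Fragment]) -> List[str]:
    """Sensor with a reassembly preprocessor in front of the matcher."""
    hits = set()
    for payload in reassemble(frags).values():
        hits.update(match_signatures(payload))
    return sorted(hits)


# Constructed traffic.
ATTACKER: Flow = ("203.0.113.9", "192.0.2.80")
INTACT = [Fragment(ATTACKER, 0, b"GET /cgi-bin/phf?Qalias=x%0a/bin/id HTTP/1.0\r\n")]
# The same request, split so that both patterns straddle a fragment boundary,
# and delivered out of order.
SPLIT = [
    Fragment(ATTACKER, 31, b"n/id HTTP/1.0\r\n"),
    Fragment(ATTACKER, 0, b"GET /cgi-b"),
    Fragment(ATTACKER, 10, b"in/phf?Qalias=x%0a/bi"),
]
# A harmless request that happens to contain "/bin/id": the net is too wide.
BENIGN = [Fragment(("192.0.2.33", "192.0.2.80"), 0, b"GET /docs/bin/id.html HTTP/1.0\r\n")]

if __name__ == "__main__":
    print("intact, per packet :", detect_per_packet(INTACT))
    print("split, per packet  :", detect_per_packet(SPLIT))      # false negative
    print("split, reassembled :", detect_reassembled(SPLIT))
    print("benign, per packet :", detect_per_packet(BENIGN))     # false positive
```

Running it shows both failure modes from the slide: the split request produces no alert until the fragments are reassembled, and the harmless request trips CMD-ID-PROBE. Tightening that rule (for example, requiring it in the query string rather than anywhere in the URL) narrows the net; the trade-off is that every narrowing is a chance for a false negative, which is why Snort rule sets are tuned per site rather than used as shipped.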
Other Tools for Intrusion Detection
- Linux
  - last (user analysis)
  - lsof (file analysis)
  - tripwire (file analysis)
  - chkrootkit (file analysis)
  - swatch (log file analysis)
- Windows
  - Microsoft Port Reporter
  - GFI LANguard System Integrity Monitor
  - GFI LANguard Security Event Log Monitor
  - http://www.extralan.co.uk

last
- Displays a list of recent user logins (read from /var/log/wtmp)
- Usage: last [-N]
- E.g. last -20 // display the last 20 login records
- Caveat: rootkits routinely edit wtmp, so a missing entry is not proof that no login happened

lsof
- Lists open files on your system
- Useful to see which processes are working with which files, and so possibly identify tampering (a process holding a deleted file open, or a listening socket owned by an unexpected program)
- Usage: lsof
- E.g. lsof | more // one screen at a time

tripwire
- tripwire (http://sourceforge.net/projects/tripwire/ ; also a commercial product)
- Uses cryptographic hashing (MD5 on the original slide; MD5 is no longer collision-resistant, so prefer a stronger hash where the tool offers one) to create file signatures
- A change in file size and/or signature potentially shows an intrusion
- The database is now signed itself, but it is still best to store it on write-protected media/hardware
- Expanded to define a policy language for what to monitor
- Linux version is open source; commercial Windows version available
- Security usage: identify the presence of tampered files, symptomatic of rootkits
- Caveat: the baseline must be taken from a known-good state (ideally right after installation, before the host is exposed); a baseline taken after a compromise blesses the rootkit

chkrootkit
- Root kit / rootkit – a package of cracker tools placed on a system for the purpose of taking control of it or otherwise using it
  - May include modified system utilities (e.g. ls, ps) that hide the intruder's files, processes and connections
  - Examples: t0rn, HKRK, Romanian, others…
- chkrootkit – program to check a system for common rootkits
  - Checks common binaries for substitutions using known rootkit signatures, not just "has the file changed"
  - Looks for evidence that a rootkit has run (altered or wiped log entries, hidden processes)
  - Looks for other suspicious files and directories
- Caveat: its checks call ls, ps, netstat and similar tools, which a rootkit may have replaced; run it from trusted media, or use chkrootkit -p to point it at a trusted copy of those binaries

Responding To Root Kits
- If a minimal number of files is affected, may be able to replace those files from the original media
- If the infection is larger, may have to re-image the system
- Can be difficult to eradicate all traces (kernel-level rootkits in particular), so reinstalling from trusted media is the safer default

swatch
- Log file watcher
- Many log files to watch
  - /var/log/messages
  - /var/log/secure
  - More in separate directories: httpd, samba, snort
- Goal: automatically be notified when a (certain type of) log file entry is made

Windows Tools
- Many tools available for help in intrusion detection (as well as the previous steps)
- Several from www.sysinternals.com
  - Process Explorer (process monitoring, including CPU usage)
  - Autoruns (start-up monitoring: services, drivers, run keys, scheduled tasks)
- Others
  - CurrPorts (port/service information)

More Information on IDS
- SANS IDS FAQ http://www.sans.org/resources/idfaq/
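The tripwire section above describes the whole integrity-checking cycle: hash a known-good tree, protect the database, and later compare. The following is an added example, not Tripwire's code: it builds a baseline of per-file hashes and metadata, authenticates the baseline with an HMAC so that a database "corrected" by an intruder is itself caught, and reports what was added, removed or changed. SHA-256 stands in for the MD5 named on the slide. The directory tree, file contents and key are constructed here; in a real deployment the key and the baseline live off the monitored host, as the slide recommends.

```python
"""Tripwire-style file integrity baseline and check.

Added example, not Tripwire's code. The tree, contents and key are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict


def _record(path: Path) -> dict:
    """Hash and metadata for one file: content hash, size, permission bits."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": st.st_mode & 0o7777}


def _scan(root: Path) -> Dict[str, dict]:
    """Records for every regular file under root, keyed by relative POSIX path."""
    return {
        p.relative_to(root).as_posix(): _record(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def build_baseline(root: Path, key: bytes) -> bytes:
    """Return a JSON baseline of root with an HMAC-SHA256 tag over the records."""
    records = _scan(root)
    body = json.dumps(records, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"records": records, "hmac": tag}).encode()


def verify_baseline(blob: bytes, key: bytes) -> Dict[str, dict]:
    """Check the baseline's tag before trusting anything in it."""
    doc = json.loads(blob)
    body = json.dumps(doc["records"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline database failed its integrity check")
    return doc["records"]


def check_tree(root: Path, blob: bytes, key: bytes) -> dict:
    """Compare the tree under root with a verified baseline."""
    baseline = verify_baseline(blob, key)
    current = _scan(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in set(current) & set(baseline) if current[k] != baseline[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake system tree, then plant a rootkit."""
    key = b"constructed-demo-key"  # assumption: in practice kept off the host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/real-ls \"$@\"\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /usr/bin/real-ps \"$@\"\n")
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        db = build_baseline(root, key)
        clean = check_tree(root, db, key)

        # Rootkit-style tampering: a trojaned ls of identical size (so size
        # alone would not catch it) plus a hidden file dropped into bin/.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/evil-ls \"$@\"\n")
        (root / "bin" / ".rk").write_bytes(b"sniffer config\n")
        after = check_tree(root, db, key)

        # The intruder edits the baseline to bless the trojan; without the
        # key the tag no longer verifies, so the forged database is rejected.
        doc = json.loads(db)
        doc["records"]["bin/ls"] = _record(root / "bin" / "ls")
        try:
            check_tree(root, json.dumps(doc).encode(), key)
            forged_db_caught = False
        except ValueError:
            forged_db_caught = True

    return {"clean": clean, "after": after, "forged_db_caught": forged_db_caught}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC only helps if the key is not on the compromised host; that is the same reasoning behind the slide's advice to keep the signed database on write-protected media. Note also that an integrity checker run from a host whose kernel has been subverted can be lied to about file contents, which is why chkrootkit and tripwire are best run from trusted boot media after a suspected compromise.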
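The swatch section above and the "events to watch" list on the host-based IDS slide (account creation, logins, failed logins) describe the same task: match incoming log lines against patterns and raise an alert on the ones that matter. The following is an added example, not swatch's own code (swatch is a Perl program driven by a configuration file of regular expressions and actions): it applies three watch rules to lines in the format of /var/log/secure. The log lines are constructed, and the rule names, the failure threshold and the time window are assumptions chosen for the demonstration.

```python
"""swatch-style log watcher for /var/log/secure-format lines.

Added example, not swatch's code. Log lines, rule names, threshold and
window below are constructed/assumed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

_TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
FAILED = re.compile(_TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED = re.compile(_TS + r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
NEWUSER = re.compile(_TS + r"useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")

FAIL_THRESHOLD = 5            # assumption: failures from one source before alerting
WINDOW = timedelta(minutes=10)  # assumption: sliding window for counting failures


def _parse_ts(stamp: str) -> datetime:
    # syslog timestamps carry no year; pinning one is enough for ordering (assumption)
    return datetime.strptime(f"2024 {stamp}", "%Y %b %d %H:%M:%S")


def watch(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) alerts in the order they fire."""
    alerts: List[Tuple[str, str]] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)  # ip -> recent failure times
    reported = set()  # sources already reported, so a brute force alerts once
    for line in lines:
        if (m := FAILED.match(line)):
            ip, ts = m["ip"], _parse_ts(m["ts"])
            failures[ip] = [t for t in failures[ip] if ts - t <= WINDOW] + [ts]
            if len(failures[ip]) >= FAIL_THRESHOLD and ip not in reported:
                reported.add(ip)
                alerts.append(("brute-force", f"{len(failures[ip])} failed logins from {ip} within {WINDOW}"))
        elif (m := ACCEPTED.match(line)):
            if m["user"] == "root":
                alerts.append(("root-login", f"root login from {m['ip']}"))
        elif (m := NEWUSER.match(line)):
            if m["uid"] == "0":
                alerts.append(("uid0-account", f"new UID 0 account {m['user']}"))
    return alerts


# Constructed log lines: a password-guessing run that succeeds, followed by the
# intruder adding a second UID 0 account, and one unrelated failed login.
SAMPLE_LOG = [
    "Mar 14 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.9 port 4001 ssh2",
    "Mar 14 10:00:03 host sshd[2002]: Failed password for invalid user admin from 203.0.113.9 port 4002 ssh2",
    "Mar 14 10:00:05 host sshd[2003]: Failed password for root from 203.0.113.9 port 4003 ssh2",
    "Mar 14 10:00:07 host sshd[2004]: Failed password for root from 203.0.113.9 port 4004 ssh2",
    "Mar 14 10:00:09 host sshd[2005]: Failed password for root from 203.0.113.9 port 4005 ssh2",
    "Mar 14 10:00:11 host sshd[2006]: Failed password for root from 203.0.113.9 port 4006 ssh2",
    "Mar 14 10:01:00 host sshd[2007]: Accepted password for root from 203.0.113.9 port 4007 ssh2",
    "Mar 14 10:01:30 host useradd[2010]: new user: name=sysupd, UID=0, GID=0, home=/root, shell=/bin/sh",
    "Mar 14 11:30:00 host sshd[2100]: Failed password for alice from 192.0.2.10 port 5001 ssh2",
]

if __name__ == "__main__":
    for rule, detail in watch(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

The threshold and window are what keep the first rule from being "too wide a net": a single mistyped password is not an intrusion, five in ten minutes from one address probably is. The other two rules need no threshold because the events themselves (an interactive root login, a second UID 0 account) are worth a look every time. A real deployment feeds the watcher from the live log (tail -F) and routes alerts to mail or a pager, which is exactly the action side of a swatch configuration.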