1
Intrusion Detection - The Big Picture - SANS GIAC
© 2000
1
Intrusion Detection
The Big Picture
Stephen Northcutt
S. Northcutt – v1.0 – Jul 2000
Edited by J. Kolde – v1.1 – Aug 2000
Pagers and Cell Phones
The high rate of slide delivery means that distractions
will cause your fellow students to miss material. If
you are a “high interrupt” person, please consider
moving to the back of the room or disabling your
pagers and phones. Questions are fine anytime.
In this course we’ll be covering the following types of security tools and countermeasures:
• firewalls
• host-based intrusion detection
• network-based intrusion detection
• vulnerability scanners
• honeypots
We’ll also touch on incident response and discuss less technical issues of information security, such
as risk assessment and how to justify these tools to management.
Frequently Referred to URLs
• SANS
– www.sans.org
• NSWC CD2S web page
– www.nswc.navy.mil/ISSEC
– click on forms to get the knowledge-based
risk assessment forms for WinNT, Unix,
Win95, Mac 8.X, etc.
The SANS website is home to GIAC, the Global Incident Analysis Center, and to the SANS training
materials, with courses like this one available online.
More URLs
• SHADOW & CIDER
– www.nswc.navy.mil/ISSEC/CID
• Coast

• SecurityFocus
– www.securityfocus.com
• Snort
– www.snort.org
(Win32 version at www.datanerds.net/~mike/snort.html)
SHADOW and CIDER are free intrusion detection system projects.
The Coast archive is Gene Spafford’s security tool archive.
SecurityFocus is home of the Bugtraq mailing list, and has a good vulnerability database and tool
archive.
Snort is currently the most popular free network intrusion detection system “as seen on GIAC”.
URLs Continued
• DTK Deception Toolkit
– www.all.net
• CIDF
– www.gidos.org
– www.isi.edu/gost/brian/cidf/
• Tripwire
– www.Tripwiresecurity.com/
• SPI
– ciac.llnl.gov/cstc/
Fred Cohen’s DTK (Deception Toolkit) is an excellent tool kit for building honeypots.
CIDF is the Common Intrusion Detection Framework, a standards initiative by the IETF’s Intrusion
Detection working group, designed to improve IDS interoperability.
Tripwire is the de facto standard in file and registry integrity checking.
SPI does integrity checks for US government systems.
Even More URLs
• Vulnerability Scanners
– Saint: wwdsilx.wwdsi.com/saint/
– Nessus: www.nessus.org
– Nmap: www.insecure.org/nmap/
– Cerberus: www.cerberus-infosec.co.uk/cis.shtml

• Phonesweep
– www.sandstorm.net
SAINT and NESSUS are general vulnerability scanners. Nmap does stealthy port scanning, OS
identification and too many other functions to list. CIS is a vulnerability scanner for improving the
security of Windows NT machines. They were all free last time we looked. (Editor’s note: nmap
was ported to Windows NT in July 2000 by eEye Digital Security. The Windows version can be
downloaded from . – JEK)
Phonesweep is a ‘wardialer’ or modem-finding tool.
URLs URLs URLs
• NukeNabber (from Puppet’s Place)
– www.dynamsol.com/puppet/
• Legion (detect unprotected shares)
– Rhino9 has disbanded; you will need to do
a net search.
NOTE: Appendix A has a glossary
NukeNabber can be considered a personal host intrusion detector for stand-alone PCs, which will
notify you of attempted connections to user-defined ports.
Legion can be quite hard to find. Most other vulnerability scanners also now look for unprotected
shares.
In the back of your materials are additional references. (Editor’s note: for students taking this
course online, the Glossary is included as a separate download file. – JEK)
Goal of This Course
To understand how the primary components of intrusion detection capability (such as vulnerability
assessments, firewalls, network- and host-based IDS systems) work together to provide information
assurance.
GIAC Tracks
• Information Security KickStart
• Security Essentials Certification
• Firewalls and Perimeter Protection
• Intrusion Detection In-Depth
• Advanced Incident Handling and Hacker Exploits
• Windows NT and Windows 2000 Security
• Unix Security
• Systems and Network Auditing
Clearly, there will be some repetition between the classes. These classes have been designed to be
very high content. There is more material than people can normally absorb in a single sitting; when
we repeat, this is done to help the student learn as much of the total material as possible.
Introduction
• Introductory Example - Mitnick Attack
• Is There a Business Case for Intrusion Detection?
• What We Will Cover in This Course
Let’s get started then. In our introductory section, we are first going to show you a real attack, so we
can see the type of things an attacker does in the real world, and we’ll discuss how the security
components of this course could have detected or prevented it.
We’ll then take a step back and put our business hats on when we examine the question of a business
case for intrusion detection. Because the fact is, this stuff costs money, and even with free tools it
takes up valuable time. So we’ll see how to decide on its worth to your organization.
Finally, we’ll look at how we are going to divide up the rest of the course.
What better introduction to
Intrusion Detection
than the Mitnick Attack?
We start by examining the intrusion by possibly the world’s most infamous computer criminal, Kevin
Mitnick, on the system of Tsutomu Shimomura. This system compromise and the subsequent
successful pursuit of Mitnick have been described in several books and elsewhere, but the technical
details described come from Shimomura’s original posting on the comp.security.misc newsgroup, 25
Jan 1995.
The obvious first question is why we are bothering with an attack which is over 5 years old, when
several new attacks are discovered every week.
First, because it uses well-known techniques like SYN flooding and IP Spoof to accomplish trust
hijacking. The second, more disturbing point is that little has changed since late 1994. These attacks
still work on many systems and so are still common attacks today.
Two Systems, Trust Relationship
[Figure: two systems, A and B. A trusts B; A is talking to B.]
A trust relationship existed between two machines, both administered by the good guy. (One was an
office machine, the other a home machine.) Administrators often set up this sort of relationship,
usually as a convenience.
In this particular example, the systems are Unix and the trust relationship is the use of “r” utilities.
But similar trust relationships exist in other systems (for example, Windows “shares”). The attacker
is going to pretend to be one side of the trust relationship using a technique called IP Spoof to appear
to be computer B and then take advantage of the trust relationship.
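The trust the attacker is looking for is written down on the trusted host in /etc/hosts.equiv and per-user .rhosts files, so a defender can enumerate it before anyone else does. The script below is an added example, not part of the SANS course materials: it parses those two file formats, groups every entry by how much trust it grants, and lists the hosts that get password-less rsh/rlogin access. The file contents, the hostnames (b.example.internal and friends) and the admins netgroup are constructed samples.

```python
"""Enumerate the r-utility trust relationships ("A trusts B") that
/etc/hosts.equiv and per-user .rhosts grant, and flag the risky ones.
Added example, not from the course; all file contents are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class TrustEntry:
    source_file: str
    host: str       # trusted host or netgroup name; "+" means every host
    user: str       # remote user allowed; "" means same username, "+" means any
    negated: bool   # a leading "-" denies rather than grants
    risk: str       # "wildcard", "netgroup", "host" or "deny"


def parse_trust_file(path: str, text: str) -> List[TrustEntry]:
    """Parse hosts.equiv / .rhosts syntax: one 'host [user]' pair per line,
    '+' as a wildcard, '+@name' / '-@name' for netgroups, '-host' to deny."""
    entries: List[TrustEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # the constructed samples carry # comments
        if not line:
            continue
        fields = line.split()
        host, user = fields[0], (fields[1] if len(fields) > 1 else "")
        negated = host.startswith("-")
        if negated:
            host = host[1:]
        if host.startswith("+@") or host.startswith("@"):
            host = host.split("@", 1)[1]      # netgroup reference
            risk = "netgroup"
        elif host == "+" or user == "+":
            risk = "wildcard"                 # any host and/or any user
        else:
            risk = "host"
        if negated:
            risk = "deny"
        entries.append(TrustEntry(path, host, user, negated, risk))
    return entries


def audit(files: Dict[str, str]) -> Dict[str, List[TrustEntry]]:
    """Group every entry across all trust files by risk class."""
    grouped: Dict[str, List[TrustEntry]] = {"wildcard": [], "netgroup": [], "host": [], "deny": []}
    for path, text in files.items():
        for entry in parse_trust_file(path, text):
            grouped[entry.risk].append(entry)
    return grouped


def granted_hosts(files: Dict[str, str]) -> List[str]:
    """Named hosts that can reach this system over rsh/rlogin without a password."""
    hosts = {e.host for e in sum(audit(files).values(), []) if e.risk == "host"}
    return sorted(hosts)


# Constructed sample files (not a real configuration).
SAMPLE_FILES = {
    "/etc/hosts.equiv": "\n".join([
        "# constructed sample",
        "b.example.internal",          # machine B: the office/home trust from the slide
        "+",                           # any host: turns the check off entirely
        "+@admins",                    # every host in the 'admins' netgroup
        "-badhost.example.internal",   # explicitly denied
    ]),
    "/home/alice/.rhosts": "\n".join([
        "b.example.internal alice",
        "+ +",                         # any user from any host may log in as alice
    ]),
}

if __name__ == "__main__":
    for risk, entries in audit(SAMPLE_FILES).items():
        for e in entries:
            print(f"{risk:9s} {e.source_file}: host={e.host!r} user={e.user!r}")
    print("password-less access granted to:", granted_hosts(SAMPLE_FILES))
```

Anything in the wildcard group is the finding to act on first: a bare `+` makes the trust check meaningless, and `+ +` in a user's .rhosts lets anyone claiming any source address log in as that user, which is exactly the property an IP spoof exploits.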
Enter the Badguy(tm)
[Figure: the attacker probes to determine a trust relationship, A trusts B. A is talking to B.]
The attack started when the attacker detected that a trust relationship was in place between two
systems of interest. The trust relationship in particular was that A allows B to make rshell
connections, providing a remote shell service.
The badguy™ uses finger, showmount, rpcinfo, and so forth to ferret out the trust
relationship. It should be noted there is often a recon phase for complex attacks.

If these recon probes can be detected, they can provide a valuable early-warning function.
Set Up the Attack
[Figure: a SYN attack on B renders B unable to reply to A; the attacker predicts the sequence number A will expect (“IP Spoof”). A trusts B; A is talking to B.]
After the recon phase, the initial attack occurs.
He first gags B with a flood of SYN packets, a technique that involves bombarding B with TCP
connection requests until B is too busy to respond to anyone. (A SYN packet is the first part of
TCP’s three-part handshake for connection establishment, which goes SYN, SYN/ACK, ACK).
Next, he sends a connection request (SYN) to A, spoofing the source address so the packet is
apparently from B. Since A allows connections from B, it will reply with a SYN/ACK packet that
gives an initial sequence number for the connection. This reply goes to B, which would usually deny
sending it and close the connection with a RST packet, but because it’s been gagged, it can’t reply.
Since the attacker hasn’t seen the reply, he must predict the sequence number if he is to continue the
connection. Sequence number prediction code has been widely available on the Internet for a
number of years.
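Both of the early-warning signals this attack produces, the recon probes against finger and the portmapper (rpcinfo and showmount) from the previous slide and the SYN flood that leaves B's service with many half-open connections from this one, show up in a packet trace before the spoofed connection to A is ever attempted. The script below is an added example, not code from the course: it parses tcpdump-style summary lines and runs both checks over them. The trace is constructed (documentation addresses, A at 10.0.0.1, B at 10.0.0.2) and the thresholds are assumed values a site would tune.

```python
"""Early-warning checks over a packet summary trace: recon probes against
finger and the portmapper, and a SYN flood leaving a service half-open.
Added example; the trace lines are constructed in tcpdump-like syntax."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known ports of the services the recon tools in this section talk to.
RECON_PORTS = {79: "finger", 111: "portmapper"}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[A-Z.]+)\]"
)


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # tcpdump letters: S = SYN, "S." = SYN/ACK, "." = ACK only, R = RST


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line)
    if m is None:
        return None
    return Packet(m["ts"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["flags"])


def detect_recon(packets: List[Packet], min_targets: int = 2) -> List[Tuple[str, int, List[str]]]:
    """Sources that open connections to recon services on several host/port pairs."""
    targets: Dict[str, set] = defaultdict(set)
    for p in packets:
        if p.flags == "S" and p.dport in RECON_PORTS:
            targets[p.src].add((p.dst, p.dport))
    alerts = []
    for src, hit in sorted(targets.items()):
        if len(hit) >= min_targets:
            alerts.append((src, len(hit), sorted({RECON_PORTS[port] for _, port in hit})))
    return alerts


def detect_syn_flood(packets: List[Packet], min_syns: int = 10,
                     max_completion: float = 0.2) -> List[Tuple[str, int, int, int]]:
    """A listener that receives many SYNs but sees few clients finish the handshake.
    The third handshake packet is the client's bare ACK (flags "."); counting only
    that is a simplification, since later data ACKs in a session look the same."""
    syns: Dict[Tuple[str, int], int] = defaultdict(int)
    acks: Dict[Tuple[str, int], int] = defaultdict(int)
    for p in packets:
        key = (p.dst, p.dport)
        if p.flags == "S":
            syns[key] += 1
        elif p.flags == ".":
            acks[key] += 1
    alerts = []
    for key, n in sorted(syns.items()):
        if n >= min_syns and acks[key] / n <= max_completion:
            alerts.append((key[0], key[1], n, acks[key]))
    return alerts


# Constructed trace: 10.0.0.1 is A, 10.0.0.2 is B, 198.51.100.7 probes, 192.0.2.x floods.
SAMPLE_TRACE = [
    "09:00:01.000100 IP 198.51.100.7.40001 > 10.0.0.1.79: Flags [S], seq 1, win 512",
    "09:00:01.200100 IP 198.51.100.7.40002 > 10.0.0.1.111: Flags [S], seq 2, win 512",
    "09:00:01.400100 IP 198.51.100.7.40003 > 10.0.0.2.111: Flags [S], seq 3, win 512",
    # a normal rsh session from A to B completes its three-way handshake
    "09:01:00.000000 IP 10.0.0.1.1023 > 10.0.0.2.514: Flags [S], seq 100, win 4096",
    "09:01:00.000500 IP 10.0.0.2.514 > 10.0.0.1.1023: Flags [S.], seq 900, ack 101, win 4096",
    "09:01:00.001000 IP 10.0.0.1.1023 > 10.0.0.2.514: Flags [.], ack 901, win 4096",
] + [
    # thirty SYNs to B's shell port from addresses that never send the final ACK
    f"09:02:00.{i:06d} IP 192.0.2.{i + 1}.{1024 + i} > 10.0.0.2.514: Flags [S], seq {i}, win 512"
    for i in range(30)
]


def run(lines: List[str]) -> Dict[str, list]:
    packets = [p for p in map(parse_line, lines) if p is not None]
    return {"recon": detect_recon(packets), "syn_flood": detect_syn_flood(packets)}


if __name__ == "__main__":
    for kind, alerts in run(SAMPLE_TRACE).items():
        for alert in alerts:
            print(kind, alert)
```

On the constructed trace the recon check reports 198.51.100.7 touching three finger/portmapper targets, and the flood check reports B's port 514 with 31 SYNs against a single completed handshake. The recon alert is the one worth paging on: it arrives minutes before the flood, which is the point the slide makes about recon detection as an early-warning function.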