1
Intrusion Detection - The Big Picture - SANS GIAC
© 2000
Intrusion Detection
The Big Picture – Part III
Stephen Northcutt
S. Northcutt – v1.0 – Jul 2000
Edited by J. Kolde – v1.1 – Aug 2000
2
Network-Based Intrusion Detection
• Host-Based Intrusion Detection
  – Unix
  – Windows NT, 95, 98
• Network-Based Intrusion Detection
  – Libpcap-based tools, Snort, Shadow
  – ISS RealSecure
  – Cisco NetRanger
OK, after that in-depth look at host-based intrusion detection, we turn our focus to network-based
intrusion detection tools.
3
Network-Based ID
4
Need for Network-Based ID
• Most attacks come from the Internet
• Detecting these attacks allows a site to tune defenses
The statistic that 90% of all attacks are perpetrated by insiders is dead wrong.
While insider attacks may cause more damage (because the attacker knows the system assets and what to target), insiders are also usually addressed by traditional security and audit. An insider has a much greater chance of being caught, since you know where they live.
So insider attacks, while damaging, are infrequent (because of the high risk of detection and arrest or dismissal). By contrast, it is extremely difficult to track and prosecute attackers arriving over the Internet, and because of that perception of low risk, attacks from the Internet are a daily or hourly occurrence.
Expect to see more insiders using their insider knowledge to lower their risk by attacking over the Internet.
(Editor’s note: The statement “the statistic that 90% of all attacks are perpetrated by insiders is dead wrong” may be confusing in light of the opposite statistic (i.e., that the majority of attacks come from insiders) being widely quoted, including elsewhere in SANS course material. The author offers this clarification:
“The greatest threat in terms of financial loss is insiders. Period, no questions. The greatest number of threats is via internet attacks. A huge percent of these fall to firewalls, even the successful ones, while numerous, do not cause as much harm as an insider that knows exactly where the crown jewels are.” – S. Northcutt
-JEK)
5
Firewalls are Most Common Sensor
Dec 19 17:18:52 1999 f_kern_tcp a_nil_area
t_netprobe p_major
srcip: 172.20.20.1 dstip: 192.168.1.88
protocolname: tcp srcburb: 1
srcport: 4645 dstport: 53
Key to Understanding:
This Sidewinder log entry is reporting a TCP probe targeted at host 192.168.1.88 on destination port 53. This could be a zone transfer or a buffer overflow attempt.
Bar none, most network intrusions that are identified are found by firewalls. There are limitations to
what can be done with these logs and even the risk of making an error of interpretation, since the log
does not provide information like the TCP flags or code bits. That said, these are a great data source
and every intrusion analyst should be familiar with their site’s firewall logs.
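The Sidewinder entry above is a flat record of key: value pairs, which makes it simple to parse and watch mechanically. What follows is an added example, not part of the course material or of any Sidewinder tool: it parses lines in that style into records and pulls out TCP connection attempts to port 53. The first sample line is the slide's entry re-joined onto one line; the other two are constructed here for the demonstration, and the function names are the example's own. The probe list deliberately carries the caveat from the notes: with no TCP flags in the record, the parser cannot say what kind of probe it was, only that a connection attempt was seen.

```python
import re

# Constructed sample log: the Sidewinder entry shown on the slide, re-joined
# onto one line, plus two lines invented here in the same style.
SAMPLE_LOG = """\
Dec 19 17:18:52 1999 f_kern_tcp a_nil_area t_netprobe p_major srcip: 172.20.20.1 dstip: 192.168.1.88 protocolname: tcp srcburb: 1 srcport: 4645 dstport: 53
Dec 19 17:19:03 1999 f_kern_udp a_nil_area t_netprobe p_major srcip: 172.20.20.1 dstip: 192.168.1.88 protocolname: udp srcburb: 1 srcport: 4646 dstport: 53
Dec 19 17:19:10 1999 f_kern_tcp a_nil_area t_netprobe p_major srcip: 172.20.20.9 dstip: 192.168.1.20 protocolname: tcp srcburb: 1 srcport: 1034 dstport: 80
"""

# Timestamp, then the four classifier tokens (facility, area, type,
# priority), then "key: value" pairs for the rest of the line.
_HEAD = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<facility>f_\w+) (?P<area>a_\w+) (?P<type>t_\w+) (?P<priority>p_\w+)"
)
_KV = re.compile(r"(\w+):\s*(\S+)")
_INT_FIELDS = {"srcport", "dstport", "srcburb"}


def parse_line(line):
    """Turn one audit line into a dict; None if the line is not in this format."""
    m = _HEAD.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key, value in _KV.findall(line[m.end():]):
        rec[key] = int(value) if key in _INT_FIELDS else value
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def probes_to_port(records, proto, port):
    """Connection attempts of the given protocol to one destination port.

    The record carries no TCP flags, so a 'tcp' probe to port 53 cannot be
    told apart as a SYN, an ACK scan or a stray packet from this log alone;
    all we can report is the (source, destination) pair."""
    return [
        (r["srcip"], r["dstip"])
        for r in records
        if r.get("type") == "t_netprobe"
        and r.get("protocolname") == proto
        and r.get("dstport") == port
    ]


def dns_tcp_probes(text=SAMPLE_LOG):
    """TCP probes to port 53 in the sample: the case the slide discusses."""
    return probes_to_port(parse_log(text), "tcp", 53)


if __name__ == "__main__":
    for src, dst in dns_tcp_probes():
        print(f"TCP probe to DNS: {src} -> {dst}:53 (zone transfer or exploit attempt? check the server)")
```

Run as a script it prints the one TCP probe to port 53; the UDP query to the same port and the web connection are parsed but not selected.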
6
Libpcap-Based Systems
[Figure: a sensor outside the FW collects data; an analysis/display station analyzes the data and displays information]
Most network-based intrusion detection systems, on Unix or Windows, are libpcap based
The first network-based intrusion detection systems we look at are libpcap based. These include Shadow, Snort, NetRanger and NFR. Libpcap is designed to get the data from kernel space and pass it to the application. There are implementations for Windows and Unix; it is reliable and has the big advantage of being free.
A sensor is distinguished by how much on-board policy information it has. The Shadow sensor is designed to be stupid. It lives outside the firewall. If it should fall, no information about the site will be lost. This is one of the characteristics that sets Shadow apart from most intrusion detection systems. Most IDS have a lot of information about how sites are configured, how firewalls are set up, hosts that you are watching out for, and attacks that you are particularly concerned about. Should a Shadow sensor fall, all the attacker gets are the logs. You can still run Snort on the inside, though; simply feed it the TCPdump files Shadow collected.
We’d like to see more vendors take measures to make their sensors attack-resistant, or stealthy, and
make them less valuable targets. The sensor is the attacker’s first target.
7
Snort Design Goals
• Low cost, lightweight
• Suitable for monitoring multiple sites/sensors
• Low false alarm rate
• Efficient detect system
• Low effort for reporting
Snort was designed to supplement and be run in parallel with other sensors such as Linux firewalls. It has rules for packet headers as well as for decoded packet content. This means it can detect data-driven attacks like buffer overflows and attacks on vulnerable URLs and scripts (like RDS and phf). So if you use Shadow and Snort, you have a good pattern matcher.
It is free, scalable and very good at detecting stealthy recon efforts and probes. (And its focus on the early warning to be gained from spotting the recon phase is very valuable, since the actual attack can happen in seconds and be all over by the time you notice it started.)
It is also a good system to learn and experiment with, since it is easy to modify, being modular, open-source and accompanied by many community-developed enhancements.
8
Snort
[**] RPC Info Query [**]
06/29-00:15:29.137285 211.72.115.100:623 -> z.y.w.98:111
TCP TTL:46 TOS:0x0 ID:29416 DF
*****PA* Seq: 0x1EDB7784 Ack: 0xD4A024FE Win: 0x7D78
TCP Options => NOP NOP TS: 86724706 118751139
80 00 00 28 08 70 BB FF 00 00 00 00 00 00 00 02 ...(.p..........
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 ............
Snort detects are written to log files as entries like this, separated by blank lines. For this primer we will primarily focus on the various detects.
An advantage of Snort is that a trace like this is easy to cut and paste into an email to send to your CIRT. This is better than several commercial tools that show an easy-to-understand, colorful icon but make it hard to get at the raw data to verify or report the detect.
This is the more detailed log format: notice that the rule that found the detect is displayed at the top, followed by summary information about the packet headers, and then the packet content that triggered the detect. RPC attacks like this are part of the Top Ten list (www.sans.org/topten.htm). Notice all the zeros? RPC packets are padded to 32-bit words, often to carry a field that holds only a single small integer, so runs of zeros are an indication of RPC.
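Because the alert above is plain text, the analyst can also decode it mechanically rather than by eye. The following is an added example written for these notes, not code from Snort or from the course: it parses the alert into rule name, endpoints, flags and raw payload, then decodes the fixed part of the ONC RPC call header from the hex dump. The XDR rules it relies on (every field is one big-endian 32-bit word; the TCP record marker precedes the call; message type 0 is CALL; program 100000 is the portmapper, whose procedure 4 is DUMP, the query rpcinfo -p makes) are standard RPC, but the procedure-name table and function names are the example's own.

```python
import re
import struct

# The Snort alert from the slide, copied as shown there (the victim address
# was sanitised to z.y.w.98 on the slide and is left that way here).
SNORT_ALERT = """\
[**] RPC Info Query [**]
06/29-00:15:29.137285 211.72.115.100:623 -> z.y.w.98:111
TCP TTL:46 TOS:0x0 ID:29416 DF
*****PA* Seq: 0x1EDB7784 Ack: 0xD4A024FE Win: 0x7D78
TCP Options => NOP NOP TS: 86724706 118751139
80 00 00 28 08 70 BB FF 00 00 00 00 00 00 00 02 ...(.p..........
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 ............
"""

_RULE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
_ADDR = re.compile(r"^(?P<ts>\S+) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$")
_HEX = re.compile(r"^((?:[0-9A-Fa-f]{2} )+)")   # the hex column of a payload dump line


def parse_alert(text):
    """Split one Snort alert into rule name, endpoints, TCP flags and raw payload."""
    lines = [l for l in text.splitlines() if l.strip()]
    rec = _RULE.match(lines[0]).groupdict()
    rec.update(_ADDR.match(lines[1]).groupdict())
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = lines[3].split()[0]            # e.g. "*****PA*"
    payload = bytearray()
    for line in lines[2:]:
        m = _HEX.match(line)
        if m:                                     # header lines never start with a hex pair
            payload += bytes.fromhex(m.group(1).strip())
    rec["payload"] = bytes(payload)
    return rec


RPC_CALL = 0
PMAP_PROG = 100000                        # well-known program number of the portmapper
PMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}


def decode_rpc_call(payload):
    """Decode the fixed header of an ONC RPC CALL carried over TCP.

    Every XDR field is one big-endian 32-bit word, so a call whose fields are
    all small integers (as here) is mostly zero bytes on the wire; that is the
    padding the notes point at."""
    if len(payload) < 44:
        raise ValueError("payload too short for an RPC call with AUTH_NULL credentials")
    marker, = struct.unpack_from(">I", payload, 0)          # TCP record marker
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", payload, 4)
    cred_flavor, cred_len = struct.unpack_from(">2I", payload, 28)
    if mtype != RPC_CALL:
        raise ValueError("not an RPC CALL message")
    return {
        "last_fragment": bool(marker & 0x80000000),
        "fragment_len": marker & 0x7FFFFFFF,
        "xid": xid, "rpc_version": rpcvers,
        "program": prog, "version": vers, "procedure": proc,
        "auth_flavor": cred_flavor, "auth_len": cred_len,
        "zero_bytes": payload.count(0),
    }


def describe(alert_text=SNORT_ALERT):
    """Summarise an alert: (rule, src, dst, dport, decoded RPC call, procedure name or None)."""
    a = parse_alert(alert_text)
    rpc = decode_rpc_call(a["payload"])
    name = None
    if rpc["program"] == PMAP_PROG:
        name = "portmap " + PMAP_PROCS.get(rpc["procedure"], str(rpc["procedure"]))
    return a["msg"], a["src"], a["dst"], a["dport"], rpc, name


if __name__ == "__main__":
    msg, src, dst, dport, rpc, name = describe()
    print(f"{msg}: {src} -> {dst}:{dport}")
    print(f"  xid=0x{rpc['xid']:08X} prog={rpc['program']} vers={rpc['version']} "
          f"proc={rpc['procedure']} ({name}); {rpc['zero_bytes']} of 44 payload bytes are zero")
```

The decode confirms what the rule name says: a call to program 100000 (portmapper), version 2, procedure 4 (DUMP), with null credentials, which is exactly what an rpcinfo -p against the target sends. Of the 44 payload bytes, 32 are zero.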
9
Why TCPdump
• Libpcap
• Always available
• Compiles on many Unix platforms
• Runs on Windows 9x and NT
• High fidelity
• Same program for data collection and first order analysis
Libpcap is the de facto standard for Unix-based intrusion detection systems. It is a software interface for acquiring the collected information from the interface card and providing it to the IDS application.
Shadow uses TCPdump as its underlying packet capture mechanism, as does Snort, another popular free open source network IDS (currently the favorite on GIAC). Snort includes packet decodes and pattern matching.
10
IMAP Filter
tcp and dst port 143
Here’s an example of a simple filter to detect IMAP probes, or at least all TCP traffic to port 143.
# tcpdump tcp and dst port 143
The command above would run tcpdump, printing to the screen only TCP packets with destination port 143 (IMAP).
# tcpdump -i eth0 tcp and dst port 143
Tells Red Hat Linux 5.0 to use the eth0 interface to log from.
$ tcpdump -r tcplogfile tcp and dst port 143
Would check a file created by tcpdump for access to port 143.
11
Core_Hosts Filter
• DNS, Web and mail servers draw a lot of fire; about 20% of all our attacks are directed at these systems
• If you lose control of DNS, they own you
• Worth the time to give connection attempts to these systems an extra look
The “goodhost” filters in the documentation and software distribution give examples of web servers,
DNS servers and mail relays. If you build a good filter profile for another type of commonly
deployed host and are willing to share your filter, you can mail it to: and if it
checks out we will get it into future releases of the software.
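To make concrete what the IMAP filter and a goodhost-style core-hosts filter select when run over a saved capture (the tcpdump -r tcplogfile case above), here is an added example that is not part of Shadow, tcpdump or the course material. It builds a small libpcap file in memory from five constructed Ethernet/IPv4 frames, reads it back the way tcpdump -r would, and evaluates the two filters over it: tcp and dst port 143 for IMAP probes, and, for the Core_Hosts case, TCP to a set of DNS, mail and web addresses on their service ports. The CORE_HOSTS addresses, the traffic and the function names are all made up for the demonstration; the pcap layout (magic 0xA1B2C3D4, version 2.4, link type 1 for Ethernet, 16-byte record headers) is the real file format.

```python
import struct

IP_PROTO_TCP, IP_PROTO_UDP = 6, 17
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


def _ip(a):
    return bytes(int(x) for x in a.split("."))


def build_frame(src, dst, proto, sport, dport):
    """Constructed Ethernet/IPv4 frame with a minimal TCP or UDP header (test data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, EtherType IPv4
    if proto == IP_PROTO_TCP:                               # bare SYN, no payload
        l4 = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:
        l4 = struct.pack(">HHHH", sport, dport, 8, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, _ip(src), _ip(dst))
    return eth + ip + l4


def build_pcap(frames):
    """Serialise frames as a libpcap file (the format tcpdump -w writes and -r reads)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 946000000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield the captured bytes of each record in a little-endian Ethernet pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + caplen]
        off += caplen


def decode(frame):
    """Extract proto, addresses and ports from an Ethernet/IPv4 frame; None otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    if proto not in (IP_PROTO_TCP, IP_PROTO_UDP):
        return {"proto": proto, "src": src, "dst": dst, "sport": None, "dport": None}
    sport, dport = struct.unpack_from(">HH", frame, 14 + ihl)
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


def matches(p, proto=None, dst_port=None, dst_hosts=None, dst_ports=None):
    """Evaluate the handful of BPF primitives these filters use, joined with 'and'."""
    return ((proto is None or p["proto"] == proto)
            and (dst_port is None or p["dport"] == dst_port)
            and (dst_hosts is None or p["dst"] in dst_hosts)
            and (dst_ports is None or p["dport"] in dst_ports))


def select(pcap, **filt):
    return [p for p in (decode(f) for f in read_pcap(pcap)) if p and matches(p, **filt)]


def imap_probes(pcap):
    """Same selection as: tcpdump -r tcplogfile tcp and dst port 143"""
    return select(pcap, proto=IP_PROTO_TCP, dst_port=143)


CORE_HOSTS = {"192.168.1.53", "192.168.1.25", "192.168.1.80"}   # constructed DNS, mail, web addresses


def core_host_hits(pcap):
    """Connection attempts to the core hosts on their service ports (a goodhost-style filter)."""
    return select(pcap, proto=IP_PROTO_TCP, dst_hosts=CORE_HOSTS, dst_ports={53, 25, 80})


# Constructed capture: five frames, not real traffic.
SAMPLE_PCAP = build_pcap([
    build_frame("10.1.1.5", "192.168.1.10", IP_PROTO_TCP, 4000, 143),   # TCP to IMAP: matches
    build_frame("10.1.1.5", "192.168.1.10", IP_PROTO_UDP, 4001, 143),   # UDP to 143: filtered out
    build_frame("10.1.1.5", "192.168.1.53", IP_PROTO_TCP, 4002, 53),    # TCP to the core DNS host
    build_frame("10.1.1.7", "192.168.1.25", IP_PROTO_TCP, 4003, 25),    # TCP to the core mail host
    build_frame("10.1.1.7", "192.168.1.10", IP_PROTO_TCP, 4004, 80),    # port 80 on a non-core host
])

if __name__ == "__main__":
    for p in imap_probes(SAMPLE_PCAP):
        print("IMAP probe:", p["src"], "->", p["dst"])
    for p in core_host_hits(SAMPLE_PCAP):
        print("core host:", p["src"], "->", p["dst"], "port", p["dport"])
```

The IMAP filter keeps one of the five frames (the UDP packet to 143 is dropped because the expression says tcp), and the core-hosts filter keeps two: port 80 on a non-core address is not selected, which is the point of scoping the filter to the hosts that draw fire rather than to the ports alone.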