
4 - 1
Information Risk Management - SANS
©2001
1
Risk Management
The Big Picture – Part IV
Network-based Intrusion Detection
In our next section we are going to introduce network-based intrusion detection. The detect engine
in this case is either a firewall, a personal firewall, or an intrusion detection system. All of these
work quite well.
We will begin with a single attack, just to see how one might work and how we might detect it. Then
we will explore the range of tools and show you how you can get in the game with a very low
investment, possibly even free.
Need for Network-based Intrusion Detection
• Most attacks come from the Internet
• Detecting these attacks allows a site to
tune defenses
• If we correlate data from a large
number of sources we increase our
capability
The statistic that 90% of all attacks are perpetrated by
insiders is dead wrong.
While insider attacks may cause more damage (because the attacker knows the system assets and what to
target), insider threats are usually addressed by traditional security and audit mechanisms. An insider has a much
greater chance of being caught and prosecuted or dealt with administratively IF DETECTED, since you know
where they live. The greatest threat in terms of financial loss is insiders. Period, no questions. That said, the
greatest number of threats is via Internet attacks. A huge percent of these are stopped by firewalls. Successful
attacks often do not cause as much harm as an insider, because an insider knows exactly where the crown jewels,
the strategic information assets of an organization, are.
Having said all that, we are going to concentrate on Internet-based attacks in this section. Are they
relevant? Oh my yes! The number one reason is the sheer numbers. If your site is subjected to thousands and
thousands of attacks, even if poorly targeted, and you don’t have effective perimeters, then your systems will
eventually fall when the correct exploit hits your system.
However, the situation is even worse. It turns out that a small number of problems, things we know we
should correct, like file sharing or proper permissions, account for a vast number of system compromises. In fact,
firewalls themselves, which are an amazingly effective perimeter, contribute to the problem. The people
protected by the firewall think everything is OK since the firewall stops the attacks and then they get lax, drop
their defenses, someone makes a small misconfiguration of the firewall and boom, the site is dealing with a major
compromise.
Finally, the sophistication of network-based attacks continues to increase. The Unix worms of mid-2001
demonstrated that by using toolkits essentially any successful exploit can serve as the foundation of another worm
- thus increasing the attack effect hundreds of times higher than one or even a group of attackers could achieve,
since every compromised host becomes a new attacker.
Now we look at a single attack, in this case a denial of service, or availability attack called winnuke. This is
one of the classics and it was so aggravating that it resulted in creating the first wave of Windows personal
firewalls including Nukenabber, the software that served as TCPwrappers for Windows systems.
Inside a Network Attack
WinNuke, (also called OOBNuke), uses TCP 139 and
OOB Data, even if NetBIOS is not enabled. It results in
the “Blue Screen of Death”.
Patches/service packs are available

OOB stands for Out Of Band and is actually misnamed;
it should say “Urgent mode”, which is Urgent bit set in
the TCP header flags and the urgent pointer.
Some people call this famous attack an Out of Band attack, however, it is better known as Winnuke.
If you are interested in the classic Windows attacks, you might want to visit:
On to Winnuke. Older unpatched Windows systems (3.11, 95) can be crashed by a single, specially
formatted packet. The packet has to be sent to a listening port such as TCP port 139, the NetBIOS
Session service, but any listening port will do. Hey, quick review: how do you know which ports
are listening on your Windows system? How do you know what programs are responsible for those
ports? How do you know what users are the owners of those programs? If you don’t know the
answer to all three of these questions, you really should redo the previous section on host-based
intrusion detection. If you have a Win95 system, you should get the patch, available at:
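As an added example, not part of the course material, here is a check in the spirit of what a personal firewall such as Nukenabber or Lockdown applied: parse the IPv4 and TCP headers of a raw packet and flag a segment to TCP 139 that carries the URG flag with a non-zero urgent pointer. The two sample packets are constructed with struct, use made-up addresses, and are never sent anywhere.

```python
import struct

NETBIOS_SESSION_PORT = 139
TCP_URG = 0x20  # URG bit in the TCP flags field

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull the fields a WinNuke check needs out of a raw IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    if pkt[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4         # TCP data offset in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": off_flags & 0x3F, "urg_ptr": urg_ptr, "payload": tcp[doff:]}

def is_winnuke(fields: dict) -> bool:
    """WinNuke signature: URG flag set with a non-zero urgent pointer, aimed at TCP 139."""
    return (fields["dport"] == NETBIOS_SESSION_PORT
            and bool(fields["flags"] & TCP_URG)
            and fields["urg_ptr"] != 0)

def classify(pkt: bytes) -> str:
    """One-line verdict in the style of a personal-firewall log entry."""
    f = parse_ipv4_tcp(pkt)
    verdict = "WINNUKE" if is_winnuke(f) else "ok"
    return f'{f["src"]}:{f["sport"]} -> {f["dst"]}:{f["dport"]} urg_ptr={f["urg_ptr"]} {verdict}'

def build_packet(src, dst, sport, dport, flags, urg_ptr, payload=b"") -> bytes:
    """Constructed test packet: option-less IPv4 header plus a 20-byte TCP header (no checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 8192, 0, urg_ptr)
    return ip + tcp + payload

# Constructed samples (made-up addresses, never sent): an ordinary NetBIOS session packet
# (PSH+ACK, urgent pointer 0) and a WinNuke-style one (PSH+ACK+URG, urgent pointer 3).
NORMAL_139 = build_packet("10.0.0.5", "10.0.0.9", 1025, 139, 0x18, 0, b"\x00\x00\x00\x00")
NUKE_139 = build_packet("10.0.0.5", "10.0.0.9", 1026, 139, 0x38, 3, b"bye")

if __name__ == "__main__":
    for p in (NORMAL_139, NUKE_139):
        print(classify(p))
```

The normal packet is reported as ok and the urgent-mode one as WINNUKE, which is the distinction the host-based questions above (which ports listen, which program owns them) let you act on.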
Nuke’eM Screen
So how do we create this weird packet? Generally by using a special tool as we see on this slide,
which is a screen shot of version 1.1 of Windows Nuke’eM.
This application has a single purpose, to establish a connection with the TCP three-way handshake
and then hit the remote system with the illegal packet. It doesn’t take any particular skill to run it, as
you see, all we did was enter the IP address of a target system.
Lockdown Screen
On this slide you see a screenshot of a personal firewall called Lockdown that is both detecting the
attack and acting as a perimeter system to protect the client.
Let’s sum up what we have seen as we looked at a single network attack, winnuke. We have
identified a vulnerability, a flaw in the Windows implementation of networking. We have described
the flaw technically and demonstrated there are attacker tools to take advantage of the threat.
Finally, we have seen a detection and protection tool in operation. Actually, this is another example
of threat, countermeasure, and counter-countermeasure. Winnuke was dropping systems left and
right and Microsoft responded with a patch, but instead of fixing the problem, they released a quick
hack. The attackers countered with a modification of their attack tools almost instantly. Today, you
can download a patch that actually corrects the problem and that URL has been provided to you.
Anyone can do intrusion detection and if you start practicing today, you will be ready to take the
advanced Intrusion Detection In Depth course pretty soon. So let’s go through the steps to begin
doing network intrusion detection. This is certainly NOT the only way, but it is an approach for you
to consider.
Network Intrusion Detection 101
Generally when we think of personal firewalls we think of a perimeter defense, or a protect function.
What about detect? It turns out that some personal firewalls can do more than just detect attacks:
they can log the attack, which allows the analyst to study its attributes.
In fact, personal firewalls and Small Office Home Office (SOHO) firewalls are becoming part of
some of the most important sensor networks available anywhere.
The first step is to turn on logging! In general, the more places you log, the better off you are when a
weird event occurs.
Enable Logging
The engine settings are managed from the tools menu. Take a minute and look around at the options.
However, while you are there, be sure to enable logging. The logs are stored by default in the Program
Files, Network Ice, BlackICE directory and, as you see on the slide, have the handy prefix.
Our First False Positive
Yup, bootp, or actually DHCP (Dynamic Host Configuration Protocol), is a normal occurrence on this
home network. We reconfigure so often, and most of our machines are both mobile and wireless, that
static IP addresses are out of the question. So perhaps we don’t want to alert when that happens. We
simply select an attack we don’t want to see, right click, and select ignore.
Using the tools we have discussed, especially after you complete the training on networking and
TCP/IP that is coming up in this course, you will be equipped to really start drilling down into
network intrusion detection. Sometimes graphics tools can help us know where to look for an
anomalous event.
Visualization Tools - BID Port Scan
The intense activity shown on your slide was the result of someone probing this network. This gives
us an idea where we might want to look in order to find the evidence file. As a helpful hint, find the
approximate time and if you are looking for a scan, look for the biggest file.
We hope you have enjoyed your introduction to network intrusion detection. We have learned about
a couple of new tools that you can use to start investigating suspicious network traffic. As we move
through the remainder of this section of the course, we will learn more about the tools and techniques
used in network intrusion detection.
Most of these tools, whether for Unix or Windows, depend on a simple packet capture library called
libpcap (winpcap on Windows).

Libpcap-based Systems
[Slide diagram: FW; Analysis/Display Station; Collect Data, Analyze Data, Display Information. Most
Network-Based Intrusion Detection Systems, Unix or Windows, are libpcap based.]
The first network-based intrusion detection systems we look at are libpcap-based. These include:
Shadow, Snort, NetRanger, and NFR. Libpcap is a packet capture library designed to get the data
from the kernel space and pass it to the application. There are implementations for Windows
(winpcap-based - the Windows version of libpcap) and Unix. It is reliable and has the big advantage
of being free.
A sensor is distinguished by how much on-board policy information it has. The Shadow sensor is
designed to be stupid. It lives outside the firewall. If it should fail, no information about the site will
be lost. This is one of the characteristics that sets Shadow apart from most intrusion detection
systems. Most IDS have a lot of information about how sites are configured, how firewalls are set
up, hosts that you are watching out for, and attacks that you are particularly concerned about. Should
a Shadow sensor fail, all the attacker gets is the logs. You can still run Snort on the inside; simply
feed it the tcpdump files that Shadow collected.
We’d like to see more vendors take measures to make their sensors attack-resistant, or stealthy, and
make them less valuable targets. The sensor is the attacker’s first target.

Network Intrusion Detection With Snort
This page intentionally left blank.
Snort Design Goals
• Low cost, lightweight
• Suitable for monitoring multiple
sites/sensors
• Low false alarm rate
• Efficient detect system
• Low effort for reporting
Snort was designed to supplement and be run in parallel with other sensors, such as Linux firewalls.
It has rules for packet content decodes, and also packet headers. This means it can detect data-driven
attacks like buffer overflows and attacks on vulnerable URLs and scripts (like RDS and phf). So if
you use Shadow and Snort, you have a good pattern matcher.
It is free, scalable, and very good at detecting stealthy recon efforts and probes. Its focus on the early
warning to be gained from spotting the recon phase is very valuable, since the actual attack can
happen in seconds and be all over by the time you notice it started.
It is also a good system to learn and experiment with, since it is easy to modify, being all modular
open-source with lots of community developed enhancements.
Snort
[**] RPC Info Query [**]
06/29-00:15:29.137285 211.72.115.100:623 -> z.y.w.98:111
TCP TTL:46 TOS:0x0 ID:29416 DF
*****PA* Seq: 0x1EDB7784 Ack: 0xD4A024FE Win: 0x7D78
TCP Options => NOP NOP TS: 86724706 118751139
80 00 00 28 08 70 BB FF 00 00 00 00 00 00 00 02 ...(.p..........
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 ............
The Snort detects are displayed in log files like this separated by blank lines. For this primer, we will
primarily focus on the various detects.
An advantage of Snort is that this trace is easy to cut and paste into an email to send to your CIRT.
This is better than several commercial tools which, while they show an easy to understand colorful
icon, make it hard to get to the raw data to verify or report the detect.
This is the more detailed log file. Notice the rule that found the detect is displayed at the top. Then
summary information about the packet is given. The trace begins with the content of the detect.
RPC (Remote Procedure Call) attacks like this are part of the Top Ten list
(www.sans.org/topten.htm). Notice all the zeros? RPC fields are padded to 32-bit words, often to
carry a field that holds only a single small integer, so runs of zeros are an indication of RPC traffic.
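As an added example, not from the course, this Python parser takes the detect above (embedded as its input), splits out the rule name, endpoints, flags and hex payload, and then decodes the ONC RPC call header inside the payload: after the 4-byte record mark come the XID, message type CALL, RPC version 2, program 100000 (the portmapper), version 2 and procedure 4 (DUMP, the request rpcinfo -p makes), followed by the all-zero AUTH_NULL credential and verifier, which is where those zeros come from.

```python
import re

# Constructed input: the detect shown on the slide, exactly as Snort logged it.
SNORT_DETECT = """\
[**] RPC Info Query [**]
06/29-00:15:29.137285 211.72.115.100:623 -> z.y.w.98:111
TCP TTL:46 TOS:0x0 ID:29416 DF
*****PA* Seq: 0x1EDB7784 Ack: 0xD4A024FE Win: 0x7D78
TCP Options => NOP NOP TS: 86724706 118751139
80 00 00 28 08 70 BB FF 00 00 00 00 00 00 00 02 ...(.p..........
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 ............
"""

HEX_LINE = re.compile(r"^((?:[0-9A-F]{2} )+)")          # hex bytes before the ASCII column
ADDR_LINE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
PORTMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}

def parse_detect(block: str) -> dict:
    """Split one blank-line-delimited Snort detect into rule, endpoints, flags and payload bytes."""
    lines = block.strip().splitlines()
    rule = lines[0].strip("[*] ")
    ts, src, sport, dst, dport = ADDR_LINE.match(lines[1]).groups()
    flags = lines[3].split()[0]                         # e.g. *****PA*
    payload = bytearray()
    for line in lines[5:]:
        h = HEX_LINE.match(line)
        if h:
            payload += bytes.fromhex(h.group(1).replace(" ", ""))
    return {"rule": rule, "timestamp": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": flags, "payload": bytes(payload)}

def decode_rpc_call(payload: bytes) -> dict:
    """Decode the ONC RPC call header that follows the 4-byte TCP record mark."""
    def be(i: int) -> int:
        return int.from_bytes(payload[i:i + 4], "big")
    if be(8) != 0:                                      # msg_type 0 = CALL, 1 = REPLY
        raise ValueError("not an RPC CALL")
    prog, vers, proc = be(16), be(20), be(24)
    return {"last_fragment": bool(payload[0] & 0x80), "fragment_len": be(0) & 0x7FFFFFFF,
            "xid": be(4), "rpc_version": be(12), "program": prog, "version": vers,
            "procedure": proc, "auth_null": be(28) == 0 and be(32) == 0,
            "portmap_proc": PORTMAP_PROCS.get(proc) if prog == 100000 else None}

if __name__ == "__main__":
    d = parse_detect(SNORT_DETECT)
    print(d["rule"], d["src"], "->", d["dst"], d["dport"], d["flags"])
    print(decode_rpc_call(d["payload"]))
```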
Configuring Snort With IDSCenter
• Graphical User Interface
– Simplifies The Configuration Of Snort
– Simplifies Set Up Of Alerts
– Simplifies Monitoring Snort Log Files
And Alerts
While Snort is a very powerful Network Intrusion Detection System (NIDS), it requires a little effort
to configure it properly. IDSCenter simplifies this process by providing the type of graphical user
interface that Windows users are accustomed to.
Using simple techniques it is possible to specify the location of the various executable and
configuration files used by Snort. Once the appropriate settings have been made, IDSCenter also
provides easy access to the rule set that determines what alerts Snort will generate.
IDSCenter also provides a simple method to specify and set up the various types of alerts that should
be generated by Snort. It is available from: