1
Intrusion Detection - The Big Picture - SANS GIAC
© 2000
1
Intrusion Detection
The Big Picture – Part III
Stephen Northcutt
S. Northcutt – v1.0 – Jul 2000
Edited by J. Kolde – v1.1 – Aug 2000
Network-Based Intrusion Detection
• Host Based Intrusion Detection
– Unix
– Windows NT, 95, 98
• Network-Based Intrusion Detection
– Libpcap based tools, Snort, Shadow
– ISS RealSecure
– Cisco NetRanger
OK, after that in-depth look at host-based intrusion detection, we turn our focus to network-based
intrusion detection tools.
Network-Based ID
Need for Network-Based ID
• Most attacks come from the Internet
• Detecting these attacks allows a site to tune defenses
The statistic that 90% of all attacks are perpetrated by insiders is dead wrong.
While insider attacks may cause more damage (because the attacker knows the system assets and
what to target), insiders are also usually addressed by traditional security and audit. An insider has a
much greater chance of being caught, since you know where they live.
So while damaging, insider attacks are infrequent (because of the high risks of detection and arrest or
dismissal), by contrast, it is extremely difficult to track and prosecute attackers arriving over the
Internet. And because of the perception of low risk, attacks are a daily or hourly occurrence.
Expect to see more insiders using their insider knowledge to lower their risks by attacking over the
Internet.
(Editor’s note: The statement “the statistic that 90% of all attacks are perpetrated by insiders is dead wrong”
may be confusing in light of the opposite statistic (i.e., that the majority of attacks come from insiders) being
widely quoted, including elsewhere in SANS course material. The author offers this clarification:
“The greatest threat in terms of financial loss is insiders. Period, no questions. The greatest number of threats
is via internet attacks. A huge percent of these fall to firewalls, even the successful ones, while numerous, do not
cause as much harm as an insider that knows exactly where the crown jewels are.” – S. Northcutt
-JEK)
Firewalls are Most Common Sensor
Dec 19 17:18:52 1999 f_kern_tcp a_nil_area
t_netprobe p_major
srcip: 172.20.20.1 dstip: 192.168.1.88
protocolname: tcp srcburb: 1
srcport: 4645 dstport: 53
Key to Understanding:
This Sidewinder log is reporting a TCP probe targeted at host 192.168.1.88 on destination port 53. This could be a zone transfer or a buffer overflow attempt.
Bar none, most network intrusions that are identified are found by firewalls. There are limitations to
what can be done with these logs and even the risk of making an error of interpretation, since the log
does not provide information like the TCP flags or code bits. That said, these are a great data source
and every intrusion analyst should be familiar with their site’s firewall logs.
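Added example, not part of the course material and not Sidewinder's own code: a small parser for audit lines in the "key: value" layout shown on this slide, which extracts the fields the analyst reads by hand and flags t_netprobe events aimed at ports worth a second look. The sample lines (joined onto one line each), the third probe and the watch-list of ports are all constructed for the example; the field names are those visible in the slide's log entry.

```python
# Added example (not from the course or the Sidewinder product): parse
# Sidewinder-style audit lines and flag netprobe events on watched ports.
import re
from typing import Dict, List, Tuple

# Constructed sample lines in the slide's format, each joined onto one line.
SAMPLE_LOG = [
    "Dec 19 17:18:52 1999 f_kern_tcp a_nil_area t_netprobe p_major "
    "srcip: 172.20.20.1 dstip: 192.168.1.88 protocolname: tcp srcburb: 1 "
    "srcport: 4645 dstport: 53",
    "Dec 19 17:19:03 1999 f_kern_tcp a_nil_area t_netprobe p_minor "
    "srcip: 172.20.20.1 dstip: 192.168.1.88 protocolname: tcp srcburb: 1 "
    "srcport: 4646 dstport: 80",
    "Dec 19 17:19:10 1999 f_kern_udp a_nil_area t_netprobe p_major "
    "srcip: 172.20.20.9 dstip: 192.168.1.88 protocolname: udp srcburb: 1 "
    "srcport: 1025 dstport: 111",
]

# Assumed watch-list (not from the slide): 53 for the zone transfer / DNS
# overflow case the text mentions, plus the RPC portmapper and IMAP ports.
WATCH_PORTS = {53: "dns", 111: "sunrpc", 143: "imap"}

# Fixed prefix: timestamp, facility (f_*), area (a_*), type (t_*), priority (p_*).
PREFIX_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (f_\w+) (a_\w+) (t_\w+) (p_\w+)"
)
# The remainder of the line is a sequence of "name: value" pairs.
FIELD_RE = re.compile(r"(\w+): (\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one audit line into its fixed prefix and its key/value fields."""
    m = PREFIX_RE.match(line)
    if not m:
        raise ValueError("unrecognised audit line: %r" % line[:40])
    rec = {
        "time": m.group(1), "facility": m.group(2), "area": m.group(3),
        "type": m.group(4), "priority": m.group(5),
    }
    rec.update(FIELD_RE.findall(line[m.end():]))
    return rec


def flag_probes(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """Return (srcip, dstip, dstport, service) for netprobe events on a watched port."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["type"] != "t_netprobe":
            continue
        port = int(rec["dstport"])
        if port in WATCH_PORTS:
            hits.append((rec["srcip"], rec["dstip"], port, WATCH_PORTS[port]))
    return hits


if __name__ == "__main__":
    for hit in flag_probes(SAMPLE_LOG):
        print("probe from %s to %s port %d (%s)" % hit)
```

As the text warns, the record carries no TCP flags, so the parser can only say that a probe reached port 53, not whether it was a SYN, a zone transfer attempt or an overflow attempt; that verification needs packet data from a sensor.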
Libpcap-Based Systems
[Figure: FW; Analysis/Display Station; Collect Data, Analyze Data, Display Information]
Most Network-Based Intrusion Detection Systems, Unix or Windows, are libpcap based
The first network-based intrusion detection systems we look at are libpcap based. These include:
Shadow, Snort, NetRanger and NFR. Libpcap is designed to get the data from the kernel space and
pass it to the application. There are implementations for Windows and Unix, it is reliable and has the
big advantage of being free.
A sensor is distinguished by how much on-board policy information it has. The Shadow sensor is designed to be stupid. It lives outside the firewall. If it should fall, no information about the site will be lost. This is one of the characteristics that sets Shadow apart from most intrusion detection systems. Most IDS have a lot of information about how sites are configured, how firewalls are set up, hosts that you are watching out for, and attacks that you are particularly concerned about. Should a Shadow sensor fall, all they get are the logs. You can still run Snort on the inside, though: simply feed it the TCPdump Shadow files.
We’d like to see more vendors take measures to make their sensors attack-resistant, or stealthy, and
make them less valuable targets. The sensor is the attacker’s first target.
Snort Design Goals
• Low cost, lightweight
• Suitable for monitoring multiple sites/sensors
• Low false alarm rate
• Efficient detect system
• Low effort for reporting
Snort was designed to supplement, and be run in parallel with, other sensors such as Linux firewalls. It has rules for packet content decodes as well as packet headers. This means it can detect data-driven attacks like buffer overflows and attacks on vulnerable URLs and scripts (like RDS and phf). So if you use Shadow and Snort together, you have a good pattern matcher.
It is free, scalable and very good at detecting stealthy recon efforts and probes. (And its focus on the early warning to be gained from spotting the recon phase is very valuable, since the actual attack can happen in seconds and be all over by the time you notice it started.)
It is also a good system to learn and experiment with, since it is easy to modify, being modular open source with lots of community-developed enhancements.
Snort
[**] RPC Info Query [**]
06/29-00:15:29.137285 211.72.115.100:623 -> z.y.w.98:111
TCP TTL:46 TOS:0x0 ID:29416 DF
*****PA* Seq: 0x1EDB7784 Ack: 0xD4A024FE Win: 0x7D78
TCP Options => NOP NOP TS: 86724706 118751139
80 00 00 28 08 70 BB FF 00 00 00 00 00 00 00 02 (.p
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
Snort detects are written to log files like this one, separated by blank lines. For this primer we will focus primarily on the various detects.
An advantage of Snort is that this trace is easy to cut and paste into an email to send to your CIRT. This is better than several commercial tools which, while they show an easy-to-understand colorful icon, make it hard to get at the raw data to verify or report the detect.
This is the more detailed log file; notice that the rule that found the detect is displayed at the top. Then comes summary information about the packet, and then the content of the detect. RPC attacks like this are part of the Top Ten list (www.sans.org/topten.htm). Notice all the zeros? RPC packets are padded to 32-bit words, often to carry a field whose value is just a single small integer, so the zeros are an indication of RPC.
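Added example, not part of the course material or of Snort: a decoder for the ONC RPC call header that the hex dump on this slide carries, to show exactly why the bytes look the way they do. The hex is the slide's own; the constant tables are the standard RPC and portmapper values (RFC 1831, RFC 1833). Run on the slide's payload it reports a CALL to program 100000 (portmapper) version 2, procedure 4 (DUMP), i.e. the request that rpcinfo -p sends, which is what the rule name "RPC Info Query" refers to. Every header field is a 32-bit word, so a small integer such as "procedure 4" arrives as 00 00 00 04, and the AUTH_NULL credentials and verifier add sixteen more zero bytes.

```python
# Added example (not from the course or Snort): decode the RPC call header
# in the slide's hex dump.
import struct
from typing import Dict

# The 44 payload bytes from the slide's alert, re-typed as the input.
SLIDE_PAYLOAD_HEX = (
    "80 00 00 28 08 70 BB FF 00 00 00 00 00 00 00 02 "
    "00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00"
)

# Standard ONC RPC / portmapper values (RFC 1831, RFC 1833).
MSG_TYPES = {0: "CALL", 1: "REPLY"}
PROGRAMS = {100000: "portmapper"}
PORTMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}
AUTH_FLAVORS = {0: "AUTH_NULL", 1: "AUTH_UNIX"}


def hex_to_bytes(dump: str) -> bytes:
    return bytes.fromhex(dump.replace(" ", ""))


def decode_rpc_call(payload: bytes) -> Dict[str, object]:
    """Decode the TCP record mark and the RPC call header of one message.

    Every field is a 32-bit big-endian word; small values are padded out
    to four bytes, which is where the runs of zeros in the trace come from.
    """
    if len(payload) < 36:
        raise ValueError("payload too short for an RPC call header")
    # Record marking (TCP only): high bit = last fragment, low 31 bits = length.
    (mark,) = struct.unpack("!I", payload[:4])
    body = payload[4:]
    frag_len = mark & 0x7FFFFFFF
    if frag_len != len(body):
        raise ValueError("fragment length %d != %d body bytes" % (frag_len, len(body)))
    xid, msg_type, rpc_ver, prog, vers, proc = struct.unpack("!6I", body[:24])
    # Credentials: flavor, length, then the opaque body padded to 4 bytes.
    cred_flavor, cred_len = struct.unpack("!2I", body[24:32])
    off = 32 + ((cred_len + 3) & ~3)
    if len(body) < off + 8:
        raise ValueError("truncated verifier")
    verf_flavor, verf_len = struct.unpack("!2I", body[off:off + 8])
    return {
        "last_fragment": bool(mark & 0x80000000),
        "fragment_length": frag_len,
        "xid": xid,
        "msg_type": MSG_TYPES.get(msg_type, msg_type),
        "rpc_version": rpc_ver,
        "program_number": prog,
        "program": PROGRAMS.get(prog, prog),
        "version": vers,
        "procedure": PORTMAP_PROCS.get(proc, proc) if prog == 100000 else proc,
        "credentials": AUTH_FLAVORS.get(cred_flavor, cred_flavor),
        "verifier": AUTH_FLAVORS.get(verf_flavor, verf_flavor),
        "zero_bytes": payload.count(0),   # 32 of the 44 bytes on the slide
    }


def decode_slide_trace() -> Dict[str, object]:
    """Decode the payload shown on the slide."""
    return decode_rpc_call(hex_to_bytes(SLIDE_PAYLOAD_HEX))


if __name__ == "__main__":
    for key, value in decode_slide_trace().items():
        print("%-16s %s" % (key, value))
```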
Why TCPdump
• Libpcap
• Always available
• Compiles on many Unix platforms
• Runs on Windows 9x and NT
• High fidelity
• Same program for data collection and first order analysis
Libpcap is the de facto standard for Unix-based intrusion detection systems. It is a software interface for acquiring the captured packets from the interface card and providing them to the IDS application.
Shadow uses TCPdump as its underlying packet capture mechanism, as does Snort, another popular free open source network IDS (currently the favorite on GIAC). Snort includes packet decodes and pattern matching.
IMAP Filter
tcp and dst port 143
Here’s an example of a simple filter to detect IMAP probes, or at least all TCP traffic to port 143.
# tcpdump tcp and dst port 143
The command above would run tcpdump, printing to the screen only TCP packets with destination port 143 (IMAP).
# tcpdump -i eth0 tcp and dst port 143
Tells Red Hat Linux 5.0 to use the eth0 interface to log from.
$ tcpdump -r tcplogfile tcp and dst port 143
Would check a file created by tcpdump for access to port 143.
Core_Hosts Filter
• DNS, Web and mail servers draw a lot of fire; about 20% of all our attacks are directed at these systems
• If you lose control of DNS, they own you
• Worth the time to give connection attempts to these systems an extra look
The “goodhost” filters in the documentation and software distribution give examples of web servers,
DNS servers and mail relays. If you build a good filter profile for another type of commonly
deployed host and are willing to share your filter, you can mail it to: and if it
checks out we will get it into future releases of the software.
Core_Host Filter Web Server
(dst host 192.168.1.1 and
(
(tcp and ((tcp[13] & 2 != 0) and (tcp[13] & 0x10 = 0))
and (not dst port 80))
or
(udp and not dst port 53 and not dst port 137)
or
(icmp and (icmp[0] != 8) and (icmp[0] != 0)
and (icmp[0] != 3) and (icmp[0] != 11))
or
(not (tcp or udp or icmp))
))
# 192.168.1.1 webserver
# should only receive traffic to tcp port 80 (syn only)
# ignore udp with dst port 53 or 137
# ignore icmp echo requests (8), echo replies (0),
# destination unreachable (3), and
# time exceeded (11) error messages
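Added example, not part of the course material or the Shadow distribution: the Core_Host web server filter above, and the IMAP filter from the earlier slide, re-expressed as Python predicates over already-parsed packet headers, so that the rules can be checked against constructed packets without a capture file. The packet fields mirror the BPF offsets the filter uses: tcp_flags is the tcp[13] byte (0x02 = SYN, 0x10 = ACK) and icmp_type is icmp[0]. The Packet class, the sample packets and their labels are all constructed for the example.

```python
# Added example (not from the course or Shadow): the slide's Core_Host BPF
# filter and the "tcp and dst port 143" IMAP filter as Python predicates.
from dataclasses import dataclass
from typing import Callable, List, Optional

TCP_SYN = 0x02   # tcp[13] & 2
TCP_ACK = 0x10   # tcp[13] & 0x10


@dataclass
class Packet:
    dst: str
    proto: str                       # "tcp", "udp", "icmp" or anything else
    dport: Optional[int] = None      # tcp/udp destination port
    tcp_flags: int = 0               # raw tcp[13] byte
    icmp_type: Optional[int] = None  # icmp[0]
    note: str = ""                   # label for the constructed sample


def core_host_match(pkt: Packet, host: str = "192.168.1.1",
                    tcp_ok=frozenset({80}), udp_ok=frozenset({53, 137}),
                    icmp_ignore=frozenset({0, 3, 8, 11})) -> bool:
    """True when the slide's filter would print this packet: traffic to the
    web server that is not part of its expected profile."""
    if pkt.dst != host:
        return False
    if pkt.proto == "tcp":
        # Initial SYN only (SYN set, ACK clear), and not to the web port.
        syn_only = bool(pkt.tcp_flags & TCP_SYN) and not (pkt.tcp_flags & TCP_ACK)
        return syn_only and pkt.dport not in tcp_ok
    if pkt.proto == "udp":
        return pkt.dport not in udp_ok
    if pkt.proto == "icmp":
        return pkt.icmp_type not in icmp_ignore
    return True   # "not (tcp or udp or icmp)": any other protocol is interesting


def imap_filter_match(pkt: Packet) -> bool:
    """Equivalent of the earlier slide's 'tcp and dst port 143'."""
    return pkt.proto == "tcp" and pkt.dport == 143


def apply_filter(packets: List[Packet], match: Callable[[Packet], bool]) -> List[str]:
    """Return the labels of the packets the filter would show."""
    return [p.note for p in packets if match(p)]


# Constructed packets, all aimed at the web server unless the label says otherwise.
SAMPLE_PACKETS = [
    Packet("192.168.1.1", "tcp", 80, TCP_SYN, note="syn to web port"),
    Packet("192.168.1.1", "tcp", 143, TCP_SYN, note="syn to imap"),
    Packet("192.168.1.1", "tcp", 22, TCP_SYN | TCP_ACK, note="syn/ack to 22"),
    Packet("192.168.1.1", "udp", 53, note="udp dns"),
    Packet("192.168.1.1", "udp", 161, note="udp snmp"),
    Packet("192.168.1.1", "icmp", icmp_type=8, note="echo request"),
    Packet("192.168.1.1", "icmp", icmp_type=5, note="icmp redirect"),
    Packet("192.168.1.1", "gre", note="gre"),
    Packet("192.168.1.2", "tcp", 143, TCP_SYN, note="syn to imap, other host"),
]


if __name__ == "__main__":
    print("core_host:", apply_filter(SAMPLE_PACKETS, core_host_match))
    print("imap:     ", apply_filter(SAMPLE_PACKETS, imap_filter_match))
```

The SYN/ACK case shows what the "(tcp[13] & 0x10 = 0)" term buys: only the first packet of a new connection is reported, so each probe produces one line rather than one per reply segment.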

Commercial Tools
Cisco NetRanger
(Cisco Secure Intrusion Detection System)
• Cisco would prefer to bundle this with Secure Scanner, a vulnerability scanner
• Unix-based system
• Two part system, a sensor and a director
• Directors can manage multiple sensors
From Cisco’s web page:
General Features of NetRanger Director
• Real-time intrusion detection is transparent to legitimate traffic/network usage.
• Real-time response to unauthorized activity blocks offenders from accessing the network or terminates offending sessions.
• Comprehensive attack signature list detects a wide range of attacks and can detect content and context-based attacks.
NetRanger Sensor
• Real-time NetRanger Sensor alarms include attacker and destination IP addresses, destination port, attack description, and 256 characters of keystroke session capture before attack.
• NetRanger Sensors can monitor network segments of various speeds and interface types, including Token Ring, 10/100-Mbps Ethernet, and FDDI.
• NetRanger Sensor software is easily updated from a centralized NetRanger Director console.
ISS RealSecure
• Keyed software, CD or download
• NT- or Unix-based engine, NT is preferred
• High end Pentium, 128K RAM, good size disk
• Two part system, an engine (sensor) and a console (analysis platform)
• Consoles can manage multiple sensors
You can get the full system as a time-limited evaluation version, and then simply upgrade the licence
key to get the commercial version.
RealSecure’s biggest claim to fame is its ease of configuration and use. Events are displayed as red,
yellow or green icons on the GUI, depending on their priority and the reporting tools are extensive.
You can tell an operator to simply ‘call me when you see red’.
RealSecure now forms part of ISS’s suite of tools that includes a host-based module, and various
vulnerability scanners.
It can be hard to get to the raw data via the GUI, but since the data is all in an Access database
behind the scenes, you can always query it directly.
ISS RealSecure (2)
• 200+ detects, but many generate a large number of false positives
– Wiz: in a world of base64 encoded email, lights off every time the characters “wiz” are seen in the body of the message
– CERN HTTP buffer overflow: lights off every time a URL is > X characters
Other detects, such as SYN flood, also have very high false positive rates, since the SYN flood detect can be triggered by as few as 3-5 connection attempts in a second - a common occurrence with over-eager mail servers and other everyday events. The problem is that, to avoid the false positives, the threshold needs to be set so high that it misses real attacks.
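Added example, not part of the course material and not RealSecure's detection logic: a minimal rate-threshold SYN flood detector of the kind the text describes, run over constructed SYN arrival records to make the trade-off concrete. A threshold low enough to catch a modest flood also fires on a legitimate burst from a busy mail relay, and a threshold high enough to silence that burst misses the flood. The timestamps, addresses and thresholds are all constructed.

```python
# Added example (not from the course or RealSecure): per-destination SYN
# rate counting with a sliding one-second window.
from collections import deque
from typing import Deque, Dict, Iterable, Set, Tuple

SynEvent = Tuple[float, str, str]   # (timestamp in seconds, src ip, dst ip)


def syn_rate_alerts(events: Iterable[SynEvent], threshold: int,
                    window: float = 1.0) -> Set[str]:
    """Return the destination hosts that received at least `threshold` SYNs
    within any `window`-second interval. Events must be in time order."""
    recent: Dict[str, Deque[float]] = {}
    alerts: Set[str] = set()
    for ts, _src, dst in events:
        q = recent.setdefault(dst, deque())
        q.append(ts)
        while q and ts - q[0] > window:   # drop SYNs that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.add(dst)
    return alerts


# Constructed traffic: a mail relay opening five connections to our MX
# within 0.4 s (legitimate), then a 20 SYN/s flood from many sources for 2 s.
MAIL_BURST = [(5.0 + 0.1 * i, "192.0.2.25", "10.0.0.25") for i in range(5)]
FLOOD = [(10.0 + 0.05 * i, "203.0.113.%d" % (i % 250 + 1), "10.0.0.80")
         for i in range(40)]
TRAFFIC = MAIL_BURST + FLOOD


def threshold_comparison() -> Dict[int, Set[str]]:
    """Alerts raised over the same traffic at a low, moderate and very high threshold."""
    return {t: syn_rate_alerts(TRAFFIC, t) for t in (3, 15, 50)}


if __name__ == "__main__":
    for t, hosts in threshold_comparison().items():
        print("threshold %2d/s -> alerts on %s" % (t, sorted(hosts) or "nothing"))
```

At 3 SYN/s both the mail relay and the flood target alert; at 15 SYN/s only the flood target does; at 50 SYN/s nothing does. Which of the three is "right" depends on the site, which is the point the text makes about tuning.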
Normally a user will select a pre-made policy and edit to
customize for their situation.
Once you have selected a pre-made policy, you can customise it somewhat by selecting which events
to ignore (usually because of their high false positive rate).
Here we can see some allowance for user-defined pattern matching filters. This capacity has
increased in more recent versions, but it still can’t compare with products like NFR for
customizability.
Most users don’t use custom-filters, but they are a welcome facility for handling a new problem until
ISS can put out a patch to detect it.
Connection events are quite handy. If you do not run IMAP, then you may want to know about all
IMAP access events.
Similarly, if you were running a Gauntlet firewall you’d want to watch for connections attempting the Cyber Patrol proxy buffer overflow exploit. (You’d want to set it as a high-priority alert, since it would indicate a targeted attack instead of the usual random recon probes.)
“Any” for a source or destination is not always helpful. One
can list a partial address and give a mask. Example:
128.38.0.0 with 16 bits of mask would check for any 128.38.
This ability to watch for traffic from a range of addresses is useful when monitoring attacks from a
dial-up account, where each of the attacker’s logins may be from a different address in the pool.
Netmask
• There are 32 bits (4 bytes) of netmask
• NETID (172.20), Subnet (172.20.X.0) and HOSTID (172.20.subnet.host)
• Netmask tells your computer what is NETID and what is HOSTID
• 172.20.SUBNET means 255.255.255.0 for a netmask (usually) or 24 bits of netmask for ISS RealSecure
With a bit of practice one translates between 172.20/16 and 255.255.0.0 without even thinking!
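Added example, not part of the course material: the translation between a prefix length and a dotted netmask that this slide describes, the NETID/HOSTID split, and the "partial address with N bits of mask" range check the previous slide attributes to RealSecure (128.38.0.0 with 16 bits matching any 128.38.x.x). It is written as plain bit arithmetic over the 32-bit address rather than with Python's ipaddress module so that the mask bits stay visible; all function names and sample addresses are constructed.

```python
# Added example (not from the course): netmask <-> prefix length arithmetic.
from typing import Tuple

ALL_ONES = 0xFFFFFFFF


def dotted_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: " + addr)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """/16 -> 255.255.0.0: the top `prefix` bits set, the remaining bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_dotted((ALL_ONES << (32 - prefix)) & ALL_ONES)


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24; rejects non-contiguous masks such as 255.0.255.0."""
    m = dotted_to_int(mask)
    host_bits = (~m) & ALL_ONES        # the zero part of the mask, as ones
    if host_bits & (host_bits + 1):    # must look like 0...01...1
        raise ValueError("non-contiguous netmask: " + mask)
    return 32 - host_bits.bit_length()


def split_address(addr: str, prefix: int) -> Tuple[str, str]:
    """Return the (NETID, HOSTID) parts of an address as dotted strings."""
    a = dotted_to_int(addr)
    m = dotted_to_int(prefix_to_mask(prefix))
    return int_to_dotted(a & m), int_to_dotted(a & (~m & ALL_ONES))


def address_matches(addr: str, partial: str, prefix: int) -> bool:
    """RealSecure-style check: does `addr` fall in `partial` with `prefix` bits of mask?"""
    m = dotted_to_int(prefix_to_mask(prefix))
    return dotted_to_int(addr) & m == dotted_to_int(partial) & m


if __name__ == "__main__":
    print("172.20/16 ->", prefix_to_mask(16), "->", mask_to_prefix(prefix_to_mask(16)))
    print("172.20.5.9 /16 splits into", split_address("172.20.5.9", 16))
    print("128.38.200.7 in 128.38.0.0/16:", address_matches("128.38.200.7", "128.38.0.0", 16))
```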
This screen is where they store the famed 200+ detects. Older versions cannot add a user-customized detect, and many of these are seriously prone to false positives. Still, a well-configured RealSecure will certainly detect most well-known scripted attacks.

The Danger of IDS That Do Not Collect Raw Data
and CIRTs That Only Process High-Level Reports
Currently, CIRTs seem to focus on taking detects,
(tickets of pre-digested IDS lore with a timestamp,
the attack, and the source address) as their primary
information source, not raw data.
Many IDSes create realistic false positives (and
the analyst does not have access to raw data to
validate) which, if fed up to the CIRTs, could
give them a false picture of what is happening.
I leave it as an exercise to the Information Warrior to
create a powerful scenario from this “architecture”.
Side Trip
Deception Can Drive the Picture
[Figure: five sensors (S), two CIRTs and a Meta CIRT]
The point of this page is that one Linux system with a decoy generator (such as nmap 2.08) and a
knowledge of which sensors to target (sites that have IDSes, but do not collect raw packet data)
could set off enough alarms to trigger a national alert.
The term ‘attacker honeypot’ has been coined to refer to diversionary attacks, designed to overwhelm CIRT and analyst capacity or divert attention from a more subtle attack.
Network-Based Intrusion Detection - Pros
• Internet is a large attack vector
• Network-based intrusion detection is fairly easy to do
• Network-based intrusion detection does not affect the speed of the network or add load to the systems it monitors
Network intrusion detection systems give good ‘bang per buck’, as one sensor can monitor all traffic
to and from the Internet, covering a large number of possible threats with a single sensor.
It places negligible additional load on the network, and no load at all in a stealth configuration. (A stealth configuration, in network intrusion detection terminology, refers to a sensor with separate monitoring and management network interfaces. The management interface sits on a different network from the monitoring interface(s). The monitoring interfaces have no TCP/IP stack or IP address bound to them, and are hence practically invisible on the network segment they monitor.) (There are ways to detect them; see L0pht’s Anti-Sniff.)
Network-Based Intrusion Detection - Cons
• Sensors have limited speed
• Almost impossible to detect attacks not in rule set
• Very susceptible to “low and slow” attacks
The increase in bandwidth from 10 to 100 Mbps and beyond is a major challenge for network intrusion detection systems, although few organisations’ Internet links are faster than T3 (45 Mbps), which is within most sensors’ speed range.
The limitation to detecting known attacks is universal to pattern matching misuse detection systems,
and can only really be solved by improvements in profiling and anomaly detection. Some analysts try
to get around this problem by reversing their rule set strategy, from ‘detect known misuse patterns’ to
‘ignore known and expected legitimate usage’, and thus detecting everything out of the ordinary.
While an excellent learning experiment and way of discovering new exploits and attacker tools, it
has a sky-high false positive rate. You’ll soon see how many misconfigured and just plain broken
systems are on the Internet generating weird packets. But if you have a spare IDS sensor and the
time, give it a try.
The problem of detecting “low and slow” attacks is intractable, since the faster a network, the shorter
a system’s time window and buffers must be to avoid resource exhaustion. The best countermeasure
is improving data reduction and historical correlation techniques and tools.
