Document: Intrusion Detection The Big Picture – Part IV


1
Intrusion Detection - The Big Picture – SANS GIAC ©2000
Intrusion Detection
The Big Picture – Part IV
Stephen Northcutt
S. Northcutt – v1.0 – Jul 2000
Edited by J. Kolde – v1.1 – Aug 2000
2
Intrusion Detection Roadmap
What are the pieces and how they play together
• Honeypots
• Firewalls
  – Proxy, State Aware, Filtering Routers
• Risk Assessment and Auditing
  – Introduction to Risk Management
  – Knowledge-Based Risk Assessment
  – Online Auditing Tools
As we begin our next section, we are going to cover a really interesting technology. The timing of
this is really interesting. I am poring over 30 MB of logs from Lance Spitzner’s honeypot system.
We have logs of hackers bragging about their conquests; trading stolen credit card numbers,
passwords and IDs for compromised systems; the list continues. If you want more details on the
approach Lance uses, try his published write-up.
A honeypot can be a tool and process that is used to capture the tools, plans, and techniques of
attackers, or it can be as simple as a decoy tool that is used to deflect attackers from a compromised
system or a system under fire. A third good use of a honeypot is a sensor - if you have an old, slow
system lying around, it can serve a productive life as a honeypot. In fact, that may be ideal! There is
one important rule of a honeypot: try to engineer it so that it collects information, but it is not used to
attack anyone else. An old 75 MHz Pentium limits the harm that could be caused if the sandbox is
breached.


3
Honeypots
• What are they?
• Example honeypots: Lance, TIS Toolkit, DTK
• Why you might choose to run them
• Why you want others to run them
Thanks to Tim Aldrich and Lance Spitzner for their
research into honeypots!
There are a number of technologies that can be used for a honeypot and everyone has a strong
opinion about their approach. Obviously the more sophisticated attackers are only going to be fooled
by an operating system that exactly mirrors what they expect, and this includes the moment they
“compromise” it: the system must fail correctly.
The only honeypot that will work at that level of fidelity is an operating system itself; this is the
approach Lance uses. This is a very advanced and dangerous technique, since the system can easily
be used to attack others. To make his system work, he relies on multiple layers of monitoring and has
modified the syslog facility to do a lot of logging, but not in a way attackers will notice. He has also
modified the operating system shell to log commands to the syslog facility and then monitors
everything with a Snort IDS. Still, when he published his work, the attackers figured out they had
been had and laid waste to the system. This is evidence that a few more safety measures would be a
good thing!
4
Honeypots
• What are they?
  – A trap - they run real services on a sacrificial computer or simulated instrumented services (or fake a core dump)
  – TIS Toolkit smap example
So, are there safer alternatives? Network Associates sells a commercial honeypot (CyberSting) that
stands up to a fair amount of scrutiny. We will talk about DTK in some depth. I have had good
success with the free firewall code that was written by Marcus Ranum and has gone by various
names, but was classically known as the TIS toolkit. How would a proxy firewall work as a
honeypot?
To use an attack against sendmail as an example, the toolkit had a sendmail replacement called
“smap”. Smap would take any file that was sent to it and write it into a directory on the system.
Then a separate program takes the file and delivers it. This meant that I could simply put this mail
system up and examine the files for malicious ones. Since there were no real users, most of the mail
was either SPAM (a product of Hormel foods) or malicious code. I would check it once a month or
so and see what the pot would catch. The beauty of this approach is that it meets the important rule of
honeypots: smap is a small, easily understood program that is not going to suffer a buffer overflow.
5
What are they?
• A decoy - if a machine becomes “hot”, change the IP address and name and put in a honeypot
• DNS, Mail, Web servers make great honeypots on their unused ports
Attackers will not succeed in being able to crack it to attack other systems. Of course, smap is not
sendmail and just changing the banner from “smap” to “sendmail” will not fool the wise attacker.
The higher the fidelity of the honeypot, the greater the risk.
Where do you put a honeypot, and how do you make it effective? Well, to be sure, every IP address gets
attacked - ask any cable modem user. However, there are things you can do to optimize performance.
Perhaps the most effective honeypots are machines that have become “hot”. In such a case, it is a
good idea to move that machine to a new name and IP address (think “witness protection program”),
and deploy a honeypot on that system’s address.
Domain servers, mail servers and web servers’ non-service ports make a great place to put honeypot
code.
6
Deception Tool Kit (DTK)
• What is it?
• A Perl script that executes state machine
scripts on specified ports, C binaries for
telnetd, web
– Includes state machine scripts for ports:
• 0, systat(11), qotd(17), chargen(19), ftp (21), telnet(23),
smtp(25), time(37), domain(53), 65, 66, tftp(69), finger (79),
http (80), pop-3(110), 365, 507, 508, exec (512), login
(513), shell (514), 893, nfs (2049), 5999, 6001, 8000, 10000,
12000, 12345, 12346, 14000, 28000, 31337
The Deception Tool Kit (DTK) was created by Fred Cohen, one of the most brilliant and well-loved
individuals on the Internet (one out of two ain’t bad), and was available for free with a funky license
at www.all.net/dtk/
There are DTK groupies that can make this code sing, but we want to learn from the architecture of
this tool to understand the processes a honeypot needs to go through.
On the next slide we see that DTK makes use of port 365. If you query a DTK on port 365, it will
tell you it is a DTK. If a substantial number of people ran honeypots such as DTK, and a substantial
number of people who DIDN’T also ran the port 365 service, it would increase the price of hacking.
I am sorry to report that after extensive study of thousands upon thousands of network traces, I have
not seen this in action.
In the notes pages of the next slide, take a minute to look over the logs. This is nice high fidelity
information about what the attackers are attempting.

7
DTK
• What can it do? (cont.)
– Port 365
• Reports that DTK is running on this machine. Can be run on
machines without DTK on other ports.
• May confuse the hackers in the short term.
• Can also be used to access /dtk/log with password.
– Can time-tag and log every typed command.
– Can email notification of break in.
• Example detect in notes pages
JUNE 1999. Also from the latest DTK logs
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:35', '18023', '275',
'1', 'listen.pl', 'S0', 'R-Peace', 'Init'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275',
'1', 'listen.pl', 'S', 'RPeace-Peace', 'trap '' SIGALRM SIGTRAP'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275',
'1', 'listen.pl', 'S', 'RPeace-Peace',
'PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin;export PATH'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275',
'1', 'listen.pl', 'S', 'RPeace-Peace', '/usr/sbin/rpc.mountd </dev/null'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275',
'1', 'listen.pl', 'S', 'RPeace-Peace', '/bin/uname -a;/usr/bin/id;echo
'moof::0:0::/:/bin/bash' >>/etc/passwd;rm -rf /etc/securetty;exit;'
8
DTK
• Sample state machine script:
# State Input NexStat Exit lf/file output/filename
# initial prompt
0 START
# 2 user IDs
1 guest 2 1 4 Password:
1 root 2 1 4 Password:
# 2 passwords
2 toor 3 1 0 $
2 tseug 3 1 0 $
# some commands

# Exceptions
0 NIL 0 1 0 borge login:
0 ERROR 0 1 0 borge login:
1 NIL 1 1 0 borge login:
1 ERROR 1 1 0 borge login:
2 NIL 1 1 0 borge login:
2 ERROR 1 1 0 borge login:
3 NIL 1 0 0 coredumped
3 ERROR 1 0 0 coredumped
What is a state machine? If you meet the condition at the first state, you can transition to the next.
Please take a minute to read the slide.
State 0 is initiated when someone makes contact with the system on TCP port 23, telnet, with an active
open, i.e. the SYN flag is set. The system responds with “login”. If the answer is either guest or root,
the system moves to State 1.
In State 1 it offers “Password” and if the password matches the list with root or guest spelled
backwards, the system “logs them in” and gives them a prompt. We move to State 2.
Here we are looking for one of the operating system commands off the list: ls, df, pwd. As you can
see, an attacker will quickly discover this is not a real system. However, it is fine to collect
information about script based attacks.
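A small interpreter for a response table in the shape shown on the slide, added here as an example (it is not DTK's own listen.pl code): it keeps the state, input, next-state and output columns, applies the NIL/ERROR exception rows the way the notes describe, and replays a typed session so you can see where the fake system falls over. The command rows for the shell state are missing on the slide, so the ls/pwd/df rows below are assumed.

```python
"""Interpreter for a DTK-style response table (added example, not DTK's code).

Columns kept from the slide's table: state, input, next state, output.  The
"exit" and "lf/file" columns are left out because every response here is
literal text and the session is never closed by the table.  Rows for the
"some commands" section are missing on the slide, so the ls/pwd/df rows
are assumed for illustration.
"""

# (state, input, next_state, output) -- transcribed from the slide, except the
# three state-3 command rows, which are constructed.
TABLE = [
    (0, "START", 1, "borge login: "),
    (1, "guest", 2, "Password: "),
    (1, "root",  2, "Password: "),
    (2, "toor",  3, "$ "),
    (2, "tseug", 3, "$ "),
    (3, "ls",    3, "bin  etc  home  usr\n$ "),          # assumed row
    (3, "pwd",   3, "/\n$ "),                             # assumed row
    (3, "df",    3, "Filesystem  Used  Mounted on\n$ "),  # assumed row
    # Exception rows: NIL matches an empty line, ERROR anything unmatched
    (0, "NIL",   0, "borge login: "),
    (0, "ERROR", 0, "borge login: "),
    (1, "NIL",   1, "borge login: "),
    (1, "ERROR", 1, "borge login: "),
    (2, "NIL",   1, "borge login: "),
    (2, "ERROR", 1, "borge login: "),
    (3, "NIL",   1, "core dumped\n"),
    (3, "ERROR", 1, "core dumped\n"),
]


def lookup(state, line):
    """Row for (state, line): a literal match wins, then NIL for an empty
    line, then ERROR for anything else."""
    text = line.strip()
    literal = [r for r in TABLE if r[0] == state and r[1] == text
               and r[1] not in ("NIL", "ERROR")]
    if literal:
        return literal[0][2], literal[0][3]
    want = "NIL" if text == "" else "ERROR"
    for st, pattern, nxt, out in TABLE:
        if st == state and pattern == want:
            return nxt, out
    raise KeyError(f"no row for state {state} and input {text!r}")


def run_session(lines):
    """Replay an attacker's typed lines through the table.  Returns a
    transcript of (state_before, input, state_after, output); in DTK the
    same information, timestamped, is what goes to the log."""
    transcript = []
    state, out = lookup(0, "START")
    transcript.append((0, "START", state, out))
    for line in lines:
        nxt, out = lookup(state, line)
        transcript.append((state, line, nxt, out))
        state = nxt
    return transcript


def final_state(lines):
    """State the machine is left in after the typed lines."""
    return run_session(lines)[-1][2]


if __name__ == "__main__":
    # A login, one command, an empty line (fake core dump), then a bad password.
    for before, typed, after, out in run_session(["root", "toor", "pwd", "", "guest", "bad"]):
        print(f"S{before} {typed!r:>8} -> S{after}: {out!r}")
```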
9
DTK
• Sample log output:
256.160.234.245 13067 110 1998/07/12 12:03:03 27017 176:1 listen.pl S0 Init
256.160.234.245 13067 110 1998/07/12 12:03:03 27017 176:1 listen.pl S0 NoInput
128.38.330.25 1063 110 1998/07/13 11:00:36 31394 176:2 listen.pl S0 Init
128.38.330.25 1063 110 1998/07/13 11:00:40 31394 176:2 listen.pl S0 PASS^M
128.38.330.25 1063 110 1998/07/13 11:00:46 31394 176:2 listen.pl S0 USER taldric^M
128.38.330.25 1063 110 1998/07/13 11:00:53 31394 176:2 listen.pl S0 PASS taldric^M
128.38.330.25 1063 110 1998/07/13 11:01:02 31394 176:2 listen.pl S0 USER taldric^M
128.38.330.25 1063 110 1998/07/13 11:01:09 31394 176:2 listen.pl S0 PASS toor^M
128.38.330.25 1063 110 1998/07/13 11:01:11 31394 176:2 listen.pl S0 ^M
128.38.330.25 1063 110 1998/07/13 11:01:13 31394 176:2 listen.pl S0 ^M
128.38.330.25 1063 110 1998/07/13 11:01:15 31394 176:2 listen.pl S0 QUIT^M
128.38.330.25 1063 110 1998/07/13 11:01:15 31394 176:2 listen.pl S0 WeClose
This slide shows the result of running DTK. This serves as a sensor and has a lot of value. If
someone has sniffed a password or obtained it by other measures, the honeypot allows you to see that
it is in use.
Most organizations have no or minimal logging internally, so this is one way you can know
something is wrong.
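The sensor use the notes describe, as an added Python example (not DTK's code): parse listen.pl lines in the layout of the sample log above, group them by connection, pair each POP3 PASS with its USER, and flag attempts that name a real account, which is how a sniffed password shows up on a honeypot that has no legitimate users. The log lines, addresses and the account watchlist are constructed.

```python
"""Parse DTK listen.pl log lines and flag credential use (added example,
not part of DTK).  Field layout follows the slide's sample output:
  src_ip src_port dst_port date time pid listener:session program state input
A honeypot has no legitimate users, so any USER/PASS on its POP3 port is
hostile; a USER naming a real account means a sniffed or otherwise stolen
credential is being tried, which is the case the notes say a honeypot exposes.
"""
from collections import defaultdict

# Constructed sample in the slide's format (documentation-range addresses).
SAMPLE_LOG = """\
192.0.2.25 1063 110 1998/07/13 11:00:36 31394 176:2 listen.pl S0 Init
192.0.2.25 1063 110 1998/07/13 11:00:40 31394 176:2 listen.pl S0 PASS^M
192.0.2.25 1063 110 1998/07/13 11:00:46 31394 176:2 listen.pl S0 USER taldric^M
192.0.2.25 1063 110 1998/07/13 11:00:53 31394 176:2 listen.pl S0 PASS taldric^M
192.0.2.25 1063 110 1998/07/13 11:01:09 31394 176:2 listen.pl S0 PASS toor^M
192.0.2.25 1063 110 1998/07/13 11:01:11 31394 176:2 listen.pl S0 ^M
192.0.2.25 1063 110 1998/07/13 11:01:15 31394 176:2 listen.pl S0 QUIT^M
192.0.2.25 1063 110 1998/07/13 11:01:15 31394 176:2 listen.pl S0 WeClose
198.51.100.7 13067 110 1998/07/12 12:03:03 27017 176:1 listen.pl S0 Init
198.51.100.7 13067 110 1998/07/12 12:03:03 27017 176:1 listen.pl S0 NoInput
"""

FIELDS = ("src_ip", "src_port", "dst_port", "date", "time", "pid",
          "session", "program", "state")

# Account names that really exist at the site (constructed watchlist).
REAL_ACCOUNTS = {"taldric", "jkolde"}


def parse_line(line):
    """Split one log line into a dict.  The input text (everything after the
    state) may contain spaces, and DTK writes the attacker's CR as ^M."""
    parts = line.split(None, len(FIELDS))
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["input"] = parts[len(FIELDS)].replace("^M", "") if len(parts) > len(FIELDS) else ""
    return rec


def sessions(log_text):
    """Group records by connection: (src_ip, src_port, dst_port, session id)."""
    grouped = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            key = (rec["src_ip"], rec["src_port"], rec["dst_port"], rec["session"])
            grouped[key].append(rec)
    return grouped


def credential_attempts(log_text):
    """(src_ip, user, password) for every PASS, paired with the most recent
    USER in the same connection; a PASS before any USER gets user None."""
    attempts = []
    for key, recs in sessions(log_text).items():
        user = None
        for rec in recs:
            cmd, _, arg = rec["input"].partition(" ")
            if cmd.upper() == "USER":
                user = arg or None
            elif cmd.upper() == "PASS":
                attempts.append((key[0], user, arg))
    return attempts


def alerts(log_text, real_accounts=REAL_ACCOUNTS):
    """Attempts that name a real account: the sniffed-credential case."""
    return [a for a in credential_attempts(log_text) if a[1] in real_accounts]


if __name__ == "__main__":
    for src, user, password in alerts(SAMPLE_LOG):
        print(f"ALERT {src}: real account {user!r} tried with password {password!r}")
```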
10
DTK
• Recommendation:
  – A good tool available for honeypot use today.
  – Can use inetd to start DTK, but listen.pl provides better logging.
• Problems:
  – Relies on non-portable assumptions.
  – Yet another log file to check.
  – Yet another log file format.
The bottom line on DTK is that it is in use and organizations are getting good results from it. On
Unix computers, the Internet Daemon, or inetd, listens for incoming connections and “wakes up” the
appropriate daemon if the system offers that service. For instance, the telnet daemon is not always
running. Instead, when the system receives a packet with the SYN flag set and destination port 23
(the well-known address for telnet), inetd wakes up telnetd to service the connection. DTK prefers to
run all the time, which is a shade wasteful of CPU and memory, but not too bad.
The bigger problems are shown below. DTK can be a bear to configure, and nobody on the mailing
list has proven to be too friendly. In addition, the issue of checking another log is not minor. The
approach used by Lance to modify the Unix System Logger (syslog) facility allows him to collect a
lot of data in a single place and as busy as we all are, this has a lot of advantages.
11
DTK
• Able to simulate all/any services
– Looks and acts like the real thing
– No indication that it is simulated
– Low CPU/disk overhead
• Will not provide any “real” services
– As it becomes more complex, risk increases
• Easily customized for each machine
The telnetd and the web daemon are “real”. They are compiled C code. They simply simulate the
services. This could be important, since they might be vulnerable to a buffer overflow or similar
attack.
That said, in the main DTK is unlikely to be compromised and then have the honeypot used to
attack other people.
12
DTK
• Log, with timestamp, every keystroke
• Able to simulate complex binary protocols
• Capable of file transfers
• Indicate the hit as it happens
  – Email
  – Console message
  – Call to your pager
  – Log files
You can use the way people type on keyboards as a biometric indicator. People make the same
mistakes, for instance I tend to type “telent” instead of telnet. Honeypots allow us to establish the
method of operations (MO) of an attacker.
The ability of attackers to remain anonymous on the Internet is a huge problem for law enforcement.
A good honeypot trace can act as supporting evidence that a particular attacker is the same as one
seen somewhere else. For instance, if a lot of damage was done against one facility, and a honeypot
kept the attacker occupied long enough to trace them, or if they made a mistake, their unique typing
patterns, word use and so forth *might* be enough to tie them to the crime.
13
Large Scale Deception
Rig DTK to listen to all of the IP addresses in the class C address range.
Add 253 entries to the /etc/sysconfig/network-scripts directory - here's a script
to do it:

# Write one ifcfg-eth0:N alias file per host address in the class C net.
# The slide spelled the host numbers out (1 2 3 ... 254); seq generates the same list.
CLASSC="10.0.0"
for i in $(seq 1 254)
do
  echo "DEVICE=eth0:${i}
IPADDR=${CLASSC}.${i}
NETMASK=255.255.255.0
NETWORK=${CLASSC}.0
BROADCAST=${CLASSC}.255
ONBOOT=yes" > /etc/sysconfig/network-scripts/ifcfg-eth0:${i}
  echo -n "${i} "
done
echo "Done"
A number of the emerging honeypot technologies can simulate a number of systems. In this case,
DTK is being configured as an entire network.
A firewall product (Raptor) does this in an interesting way. If it receives a SYN packet to an IP
address it is protecting, it can forge the proper response, a SYN/ACK, even if the protected host does
not exist or exists and doesn’t offer that service. The attacker will then complete the connection and
begin the attack, which can be recorded. That is the end of the show however - at this point the
firewall aborts the connection. However, I have managed to collect a lot of useful information from
just these few packets.
14
TCP 3 Way Handshake
• A SYN > B
• A < SYN/ACK B
• A ACK > B
No valuable content gets sent until the handshake is complete. Filtering routers and firewalls block on
at least the SYN packet, ergo no content.
Can you name a situation where you might really want to know the content of the TCP conversation?
In this slide we see the steps that are required to complete a TCP connection. Take a minute and
think about the question on the bottom of the slide. Many times we just want to block the traffic and
not even think about it. However, there might be situations where you would really want to see what
the traffic is; they include:
• The example we discussed when an actual userid or login and password is being used. In this case
we want to know the attacker’s intentions and how much they know.
• When we see a particular system is the focus of lots of probes. This can happen for a number of
reasons; when I worked for the Navy, we had a researcher give out the name and IP address of a
research system, and for the next three years probes came from all over the world trying to find this
system. I moved it and put a honeypot in its place.
• When we think a new attack or technique is being used. This would allow us to gain information
about what is being done.
15
Why you might choose to run a honeypot to gain information
[Figure: a packet addressed to TCP port 143 arriving at the Firewall]
The firewall, properly configured, stops this attack. That’s good. But, you can’t learn anything
about the attack, (if it is TCP), and that might be bad.
Firewalls impact network traffic. In the slide above, the packet is addressed to TCP port 143, the
IMAP service. If the site does not allow IMAP through the firewall, then there will never be a
SYN/ACK response, the TCP three way handshake will not complete and we never know the
attacker’s precise technique or intentions.
If we place a honeypot outside the firewall or allow the traffic through the firewall to the honeypot
on an isolated network, we can collect information as to what the attacker is trying to do.
16
Why you want others to run them
• Remember port 365?
• Name servers, mail servers, and web servers draw the most fire on the Internet. What if they had their non-service ports instrumented?
• The end result could be to slow down the pace of attacks and increase arrests.
There are a number of reasons that you might want others to run honeypots! Recall our discussion of
port 365, and think about the implications if everyone ran a tag on port 365. This would make life harder
for attackers: honeypots would answer and say they were honeypots, and non-honeypots would
answer and say they were honeypots too.
This example illustrates why honeypots, if widely deployed, improve security. Currently, the
paradigm in general is when the attackers break in to a system, it really is a compromised system.
They are very bold and free with what they do. The honeypots deployed by Lance illustrate just how
effective this is, because the attackers assume no one can monitor them. If there were another couple
hundred honeypots, then the attackers would have to start slowing down and being more careful and
several of them would end up being arrested. In the next section of the course, we will discuss
Firewalls. These are not only the primary defense tool, they are one of the most important intrusion
detection sensors on the Internet.
17
Intrusion Detection Roadmap
What are the pieces and how they play together
• Honeypots
• Firewalls
  – Proxy, State Aware, Filtering Routers
• Risk Assessment and Auditing
  – Introduction to Risk Management
  – Knowledge-Based Risk Assessment
  – Online Auditing Tools
Firewalls are not magic bullets. You can’t put one in and not pay attention to what you are doing.
That said, they are a crucial tool for defense.
A firewall uses a set of rules and the rules act as filters. As a packet comes to the firewall, it
inspects the packet and checks its ruleset to see if there is a rule for the packet. The effect of this is
that the firewall acts as a filter on network traffic.
There are hundreds of firewall products, but we can classify them based on the level of inspection. A
packet filter does a minimum amount of inspection, and fully stateful application gateway proxy
firewalls not only do a lot of inspection, they tear the packet up and rewrite it. Which do you think is
faster?
18
How does a firewall fit in the big picture?
[Figure: cyberscape, Defender on the left and Attacker on the right. P = Probability of: Indications and Warning, Early Detection, Detection, Late Detection, Negation, Early Negation, Late Negation, Host Negation, Host Detection, Host Late Detection, Host Very Late Negation]
A firewall is the primary opportunity for attack negation
Before we dive down into the bits and bytes of firewalls, let’s consider their place in information
security. In terms of the big picture a firewall is interesting for a number of reasons.
A firewall is commonly deployed at the boundary interface between your site and the Internet. There
is a point of demarcation where your Internet Service Provider’s responsibility ends and your
responsibility begins.
On the slide, the cyberscape shows the attacker is at the right and the target or defender on the left.
We will learn about Indications and Warnings later in the course. This is a technique to determine
what the attackers are going to do, before they do it. There are countermeasures that can be applied
before the attack gets to you. For instance, if an Internet Service Provider detects the attack, they
may be able to filter so that it never leaves their network. Does that sound impossible? It is not!
There is a simple technique called egress filtering that, if widely applied, would reduce the number
of attacks on the Internet by a large degree.
19
Why a firewall?
• Reduces risk by protecting systems
from attempts to exploit
vulnerabilities
• Increases privacy - makes it harder
to gather intelligence about a site
• Enforces an organization’s security
policy
A firewall serves as a noise filter. Even a permissive firewall (a firewall with a large number of open
or “allow” rules is called permissive) reduces the danger from an attack.
This is because most firewalls are designed with something called a default rule. This means that if
a packet doesn’t match any other rule, the default rule drops the packet. This is known as deny all
except that which is explicitly allowed. Firewall administrators that override this rule are creating
an allow all except that which is explicitly denied policy.
There is a file called the top ten list at www.sans.org/topten.htm, organizations that have a
permissive policy and do not block the items on the top ten list are operating at a significant risk,
unless they are using other countermeasures.
20
Why a firewall?
(explicit policy management)
• A Door
  – Can be opened or closed to certain addresses or types of traffic
• A policy engine
  – that which is not explicitly denied is permitted or vice versa
In my years in security, I have learned people will argue with me, they will ignore me. I can write
security policy until I turn green and it doesn’t change anything. However, nobody can argue with a
firewall when it enforces policy. Firewalls are engines that implement your organization’s security
policy. If you don’t think you have a security policy, check your firewall!
Say you have a policy that Internet Relay Chat is not allowed. People can (and will) still get on IRC
servers. However, if you do not allow destination port TCP 6667 out, or source port 6667 in with a
rule on your firewall, that makes it much harder for people to get on IRC.
A simple rule to block IRC might look like this:
SourceIP   DestIP   Service   Action
ANY        ANY      IRC       Drop
21
Firewalls
• Egress Filtering
• Network Address Translation (NAT)
• Proxy Firewalls
• Filtering Firewalls
• State Aware Firewalls
• Intrusion Detection with Firewalls
Well, let’s get into it, we have a number of issues to cover.
22
Egress Filtering
[Figure: Protected Net 128.38.0.0 and the INTERNET]
Only addresses that belong to the protected net are allowed out onto the Internet.
Ingress filtering refers to filtering applied to incoming traffic. Egress filtering applies to filtering
applied to outbound traffic. When the term is used by itself, this generally means filtering for
addresses.
Flooding Denial of Service attacks often use a faked source address so that it is hard to pinpoint the
location of the attacking computer. These attacks are not elegant, they simply spew packets at the
maximum rate possible. They can be launched by malicious users that are “playing” with their
computer systems, but also are commonly launched from compromised computers or systems
infected with Trojans or other malicious software.
If your site applies egress filtering at the access point between your site and the Internet, you are
obviously being a good neighbor. It also works well for intrusion detection - if one of your systems
is involved in any of the ways discussed, you will find it in your firewall log files.
23
Setting up Egress Filtering
On the slide, you can see this firewall is being configured to allow the internal network and specific
addresses out, and to log spoofed addresses when it sees them.
24
Filtering on Destination Port
[Figure: UDP header laid out as UDP SRC Port | UDP DST Port, UDP Message Length | UDP Checksum, Data; bit offsets 0, 16, 31]
Destination port field (in the red circle): 00000000 00110101
What service is this packet destined for?

Egress filtering is focused on the addresses in the packet, but the most common filters are focused
on the destination port. The destination port is a field in a TCP or UDP packet header. When we
examine packets we start counting with zero, so with UDP the source port is byte zero and byte one.
The destination port is byte two and byte three. With TCP and UDP, well-known services are found
by their port number. In the honeypots section, we introduced TCP 23 (that was telnet) and TCP 143
(IMAP). Others you should know by memory are TCP 21 (FTP), TCP 25 (SMTP - electronic mail),
TCP 79 (Finger, a reconnaissance tool), TCP 80 (HTTP or world wide web), and TCP and UDP 53
(DNS).
In the slide above in the red circle, do you see the binary value? Please convert that to decimal so
you can see which service we are talking about. Have you forgotten how to convert binary to
decimal? Try Start, Programs, Accessories, Calculator, View Scientific.
25
Packet Filter
• Packet filters are “low end” firewalls
  – Can enhance security
  – Very fast
• Reliant on DESTPORT - that if the packet says TCP 25 it is Simple Mail Transfer Protocol (SMTP).
• If a router is being used to filter packets, access lists can be difficult to manage.
• Data content passes through unchecked.
Network hardware such as routers are adept at looking at fields in packets and can do this very
quickly. Firewalls that use this technique are the fastest. The speed comes at a tradeoff though,
these perimeter defenses can be fooled.
Recall the discussion we just had about destination ports. SMTP is expected to run on port 25; if you
are looking to communicate with a mail server, you will certainly try port 25. But nothing keeps you
from choosing to run a service on any port.
In the beginning of the world wide web, all of my friends wanted to have web servers. Hardly
anyone knew about the web and so they didn’t care. However as it grew, organizations began to
standardize and set policies that there would be only one corporate web server. More than a couple
web servers moved to port 8000 and 8001. Not only did this evade the firewall that would block all
incoming HTTP traffic except to the corporate server, but you don’t have to have super user or root
privileges on Unix to run a program at a port greater than 1023. Normal users could run their own
web servers.
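The packet-filter behaviour these slides describe, as one added Python example (not code from any firewall product): a default-deny rule set with the IRC drop rule from the policy slide, egress filtering for the protected net 128.38.0.0, and the destination port decoded from a UDP header by byte offset. It also shows the weakness just discussed: a web server moved to port 8000 is simply an unknown port to a filter that trusts DESTPORT. The /16 mask, rule set, service table and sample packets are constructed.

```python
"""Packet-filter logic from the firewall slides (added example, not code from
any firewall product): a default-deny rule set, the IRC drop rule from the
policy slide, egress filtering for the protected net 128.38.0.0, and the
destination port read from a UDP header by byte offset.  The /16 mask, rule
set, service table and sample packets are constructed for illustration."""
import ipaddress
import struct

PROTECTED_NET = ipaddress.ip_network("128.38.0.0/16")   # mask assumed

# Well-known ports the notes list; a packet filter trusts this mapping blindly.
SERVICES = {21: "ftp", 23: "telnet", 25: "smtp", 53: "dns", 79: "finger",
            80: "http", 143: "imap", 6667: "irc"}

# (source net or "ANY", destination net or "ANY", service or "ANY", action)
RULES = [
    ("ANY", "ANY", "irc", "drop"),              # the slide's IRC rule
    (PROTECTED_NET, "ANY", "smtp", "allow"),
    (PROTECTED_NET, "ANY", "http", "allow"),
    (PROTECTED_NET, "ANY", "dns", "allow"),
]
DEFAULT_ACTION = "drop"   # deny all except that which is explicitly allowed


def udp_ports(header):
    """Source and destination port from raw UDP header bytes: counting from
    zero, bytes 0-1 are the source port and bytes 2-3 the destination port,
    both big-endian."""
    src, dst = struct.unpack("!HH", header[:4])
    return src, dst


def service_name(port):
    """What the filter assumes is running on a port.  Anything not in the
    table (a web server moved to 8000, say) is just an unknown port."""
    return SERVICES.get(port, f"port-{port}")


def _in(net, addr):
    return net == "ANY" or ipaddress.ip_address(addr) in net


def decide(src_ip, dst_ip, dst_port, direction="out", rules=RULES):
    """Return (action, reason) for one packet.  Outbound packets are egress
    filtered first: a source address outside the protected net is dropped,
    and the reason is what you would write to the firewall log."""
    if direction == "out" and not _in(PROTECTED_NET, src_ip):
        return "drop", f"egress: spoofed source {src_ip}"
    svc = service_name(dst_port)
    for src_net, dst_net, service, action in rules:
        if _in(src_net, src_ip) and _in(dst_net, dst_ip) and service in ("ANY", svc):
            return action, f"rule {service}"
    return DEFAULT_ACTION, "default rule"


def filter_udp(src_ip, dst_ip, header, direction="out"):
    """Decode the destination port from the header and apply the rules."""
    _, dst_port = udp_ports(header)
    return decide(src_ip, dst_ip, dst_port, direction)


if __name__ == "__main__":
    # The slide's destination port field, 00000000 00110101, after source port 1024.
    dns_query = bytes([0x04, 0x00, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00])
    print(filter_udp("128.38.1.5", "192.0.2.1", dns_query))   # allow, rule dns
    print(filter_udp("10.0.0.9", "192.0.2.1", dns_query))     # drop, egress
    print(decide("128.38.1.5", "192.0.2.1", 6667))             # drop, rule irc
    print(decide("128.38.1.5", "192.0.2.1", 8000))             # drop, default rule
```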
