Howlett_CH06.fm Page 189 Thursday, June 24, 2004 11:47 AM
TCP/IP Packet Headers
189
Once you have set your options, click OK and your session will start. A window will
appear that tracks the session statistics in real time (see Figure 6.4). If you set your session
to show packets in real time, you will see them as they come across the wire in the window
(see Figure 6.2).
You can stop your session at any time by clicking Stop in the statistic window or
choosing Stop from the Capture menu. If you set a limit in the options, it will automatically stop when it reaches it. You can now analyze and manipulate your session results.
By clicking on the headings at the top of the window, you can re-sort the results by
that heading, so you can sort the output by source address, destination, protocol, or the
info fields. This helps to organize things if you are looking for a specific kind of traffic,
for example, all the DNS queries or all the mail-related traffic. Of course, you could also
write a filter to capture only this kind of traffic in the first place.
Display Options
Table 6.8 lists the commands on the Display menu that you can use to affect how the packets are displayed on the screen.
Ethereal Tools
There are several built-in analytical tools included with Ethereal. It is also built with a
plug-in architecture so that other programs can interact with Ethereal or you can write
your own. You can access these options under the Tools menu (see Table 6.9).
Figure 6.4 Ethereal Session Statistics Window
Table 6.8 Ethereal Display Menu Options

Options submenu: This is where you can set some global settings, such as how the time field is calculated. You can also turn on automatic scrolling of traffic and name resolution, since they are turned off by default.
Colorize display: You can select certain kinds of packets to shade in different colors. This makes the display easier to read and helps you pick out the items you are looking for.
Collapse/expand all: Shows either full detail on every item or just the top level.
Table 6.9 Ethereal Tools Menu Options

Summary: Shows a listing of the top-level data on your capture session, such as time elapsed, packet count, average packet size, total bytes captured, and average Mbps on the wire during the capture.
Protocol hierarchy statistics: Gives a statistical view of the traffic on your network. It shows what percentage of the capture session each type of packet makes up. You can collapse or expand the view to see major levels or minor protocols within a level.
Statistics: Contains a number of reports that are specific to certain kinds of protocols. Refer to the Ethereal documentation for more details on these reports.
Plugins: Shows the protocol analyzer plug-ins that you have loaded. These are decoders for newer protocols that can be added to Ethereal without a major version upgrade. And because it’s a plug-in architecture, you can write your own.
Saving Your Ethereal Output
Once you have finished capturing and analyzing your Ethereal data, you may want to save
it, either for analysis with additional tools or for presentation to other parties. Using the
Save As option from the File menu, you can choose from a number of formats, including
libpcap (the default), Sun Snoop, LANalyser, Sniffer, Microsoft Network Monitor, and
Visual Networks traffic capture.
Ethereal Applications
Now that you understand the basics of Ethereal, here are some practical applications you
can use it for.
Network Optimization By running a wide-open network capture and then using the
statistical reports, you can see how saturated your LAN is and what kinds of packets are
making up most of the traffic. By looking at this, you may decide that it is time to move to
a 100Mbps switched network, or to segregate two departments into routed LANs versus
one big network. You can also tell if you need to install a WINS server (too many SMB
name requests being broadcast across the LAN) or if a particular server should be moved
to a DMZ or a separate router port to take that traffic off the network.
Application Server Troubleshooting Do you have a mail server that doesn’t seem
to be connecting? Having DNS problems? These application-level problems can be fiendishly difficult to troubleshoot. But if you have Ethereal, you can tap into the network and
watch the inter-server communications. You can see the actual server messages for protocols like SMTP or HTTP and figure out where the problem is happening by watching the
TCP stream.
Howlett_CH07.fm Page 193 Thursday, June 24, 2004 12:17 PM
Chapter 7
Intrusion Detection Systems
In the last chapter you saw the power of a network sniffer and all of the useful things you
can do with one. You can even use a sniffer to look for suspicious activities on your network. You can take this a step further with a type of software called an intrusion detection system (IDS). These programs are basically modified sniffers that see all the traffic
on the network and actually try to sense potential bad network traffic and alert you when it
appears. The primary way they do this is by examining the traffic coming through and trying to match it with a database of known bad activity, called signatures. This use of signatures is very similar to the way anti-virus programs work. Most types of attacks have a
very distinctive look at the TCP/IP level. An IDS can define attacks based on the IP
addresses, port numbers, content, and any number of criteria. There is another way of
doing intrusion detection on a system level by checking the integrity of key files and making sure no changes are made to those files. And there are emerging technologies that
merge the concept of intrusion detection and a firewall or take further action beyond mere
detection (see the sidebar on “A New Breed of Intrusion Detection Systems”). However, in
this chapter I focus on the two most popular ways to set up intrusion detection on your network and systems: network intrusion detection and file integrity checking.
Chapter Overview
Concepts you will learn:
• Types of intrusion detection systems
• Signatures for network intrusion detection systems
• False positives in network intrusion detection systems
• Proper intrusion detection system placement
• Tuning an intrusion detection system
• File integrity checking
Tools you will use:
Snort, Snort Webmin module, Snort for Windows, and Tripwire
A Network Intrusion Detection System (NIDS) can protect you from attacks that
make it through your firewall onto your internal LAN. Firewalls can be misconfigured,
allowing undesired traffic into your network. Even when operating correctly, firewalls
usually let in some application traffic that could be dangerous. Ports are often forwarded from the firewall to internal servers with traffic intended for a mail server or other
public server. An NIDS can watch for this traffic and flag potentially dangerous packets. A
properly configured NIDS can double-check your firewall rules and give you additional
protection for your application servers.
While they are useful for protecting against outside attacks, one of the biggest benefits of an NIDS is to ferret out attacks and suspicious activity from internal sources. A firewall will protect you from many external attacks. However, once an attacker is on the local
network, a firewall does you very little good. It only sees traffic traversing through it from
the outside. Firewalls are mostly blind to activity on the local LAN. Think of an NIDS and
firewall as complementary security devices, the strong door lock and alarm system of network security. One protects your perimeter; the other protects your interior (see Figure 7.1).
There is good reason to keep a close eye on your internal network traffic. FBI statistics show that over 70 percent of computer crime incidents come from an internal source.
As much as we would like to think that our fellow employees wouldn’t do anything to hurt
us, this is sometimes not the case. Internal perpetrators aren’t always moonlighting hackers. They can range from a disgruntled system administrator to a careless employee. The
simple act of downloading a file or opening an e-mail attachment can load a Trojan horse
that will create a hole in your firewall for all kinds of mischief. With an NIDS, you can
catch this kind of activity as well as other computer shenanigans as they happen. A well-tuned NIDS can be the electronic “alarm system” for your network.
A New Breed of Intrusion Detection Systems
Anomalous Activity-Based IDS
Rather than using static signatures, which can only catch bad activity when it can
be explicitly defined, these next-generation systems keep track of what normal levels are for different kinds of activity on your network. If such a system sees a sudden surge in
FTP traffic, it will alert you to this. The problem with these kinds of systems is that
they are very prone to false positives. False positives occur when an alert goes off,
but the activity it is flagging is normal or allowed for your LAN. A person downloading a particularly large file would set off the alarm in the previous example.
Figure 7.1 NIDS and Firewall Protection (diagram: the Internet, a firewall, and the Ethernet LAN behind it with a Web server and a Snort IDS sensor; most attacks are stopped by the firewall, but some make it through on forwarded Web ports and are logged by the NIDS sensor)
Also, it takes time for an anomalous detection IDS to develop an accurate
model of the network. Early on, the system generates so many alerts as to be
almost useless. Additionally, these types of intrusion detection systems can be
fooled by someone who knows your network well. If hackers are sufficiently
stealthy and use protocols that are already in high use on your LAN, then they
won’t set off this kind of system. However, one big upside of this kind of system is
that you don’t have to continually download signature updates. As this technology
matures and becomes more intelligent, this will probably become a popular way to
detect intrusions.
Intrusion Prevention Systems
A new type of NIDS called an Intrusion Prevention System (IPS) is being trumpeted as the solution to enterprise security concerns. The concept behind these
products is that they will take action upon alerts as they are generated. This can
be either by working with a firewall or router to write custom rules on the fly,
blocking activity from suspicious IP addresses, or actually interrogating or even
counterattacking the offending systems.
While this new technology is constantly evolving and improving, it’s a long way
from providing the analysis and judgment of a human being. The fact remains that
any system that is 100 percent dependent on a machine and software can always
be outwitted by a dedicated human (although certain defeated chess grandmasters might beg to differ). An open source example of an IPS is Inline Snort by Jed
Haile, a free module for the Snort NIDS discussed in this chapter.
NIDS Signature Examples
An NIDS operates by examining packets and comparing them to known signatures. A
good example of a common attack that can be clearly identified by its signature is the
cmd.exe attack that is used against the Internet Information Server (IIS), which is
Microsoft’s Web server. This attack is used by Internet worms and viruses such as Nimda
and Code Red. In this case, the worm or human attacker attempts to execute a copy of
cmd.exe, which is the Windows command line binary, in a writable directory using a
buffer overflow in the IIS Web server module called Internet Server API (ISAPI). If successful, then the hacker or worm has access to a command line on that machine and can
wreak considerable havoc. However, the command to copy this file is obvious; there is no
reason for legitimate users to be executing this file over the network via IIS. So if you see
this activity, then it’s a good bet that it is an intrusion attempt. By examining the packet
payload and searching for the words cmd.exe, an NIDS can identify this kind of attack.
Listing 7.1 shows one of these packets. The hexadecimal contents are on the left and the
ASCII translation is on the right.
Listing 7.1 The cmd.exe Execution Packet
length = 55
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79   5c%5c../winnt/sy
020 : 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F   stem32/cmd.exe?/
030 : 63 2B 64 69 72 0D 0A                              c+dir..
Another attack that is easy to identify by its signature is the .ida buffer overflow. The
Code Red worm propagated using this method. It utilized a buffer overflow in the .ida
extension for Microsoft’s IIS Web server. This extension is installed by default but is often
not needed. If you don’t install the patch for this condition, it can allow direct access to
your machine. Fortunately, an NIDS can quickly identify these packets by matching the
GET /default.ida statement contained in them. You can see a partial listing of an .ida
attack in Listing 7.2. This particular one also has the words Code Red II in it, which
means it was generated by a Code Red worm trying to infect this machine. Even if your
machines are fully patched and immune to these kinds of attacks, it is good to know where
they are coming from and at what frequency.
Listing 7.2 Signature of an .ida Attack
length = 1414
000 : 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61   GET /default.ida
010 : 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   ?XXXXXXXXXXXXXXX
020 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
030 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
040 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
050 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
060 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
070 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
080 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
090 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
0a0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
0b0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
0c0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
0d0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
0e0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
0f0 : 58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63   X%u9090%u6858%uc
100 : 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25   bd3%u7801%u9090%
110 : 75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30   u6858%ucbd3%u780
120 : 31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63   1%u9090%u6858%uc
130 : 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25   bd3%u7801%u9090%
140 : 75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63   u9090%u8190%u00c
150 : 33 25 75 30 30 30 33 25 75 38 62 30 30 25 75 35   3%u0003%u8b00%u5
160 : 33 31 62 25 75 35 33 66 66 25 75 30 30 37 38 25   31b%u53ff%u0078%
170 : 75 30 30 30 30 25 75 30 30 3D 61 20 20 48 54 54   u0000%u00=a  HTT
180 : 50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D 74   P/1.0..Content-t
190 : 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A 43 6F   ype: text/xml.Co
1a0 : 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33 33   ntent-length: 33
1b0 : 37 39 20 0D 0A 0D 0A C8 C8 01 00 60 E8 03 00 00   79 ........`....
1c0 : 00 CC EB FE 64 67 FF 36 00 00 64 67 89 26 00 00   ....dg.6..dg.&..
1d0 : E8 DF 02 00 00 68 04 01 00 00 8D 85 5C FE FF FF   .....h......\...
1e0 : 50 FF 55 9C 8D 85 5C FE FF FF 50 FF 55 98 8B 40   P.U...\...P.U..@
1f0 : 10 8B 08 89 8D 58 FE FF FF FF 55 E4 3D 04 04 00   .....X....U.=...
200 : 00 0F 94 C1 3D 04 08 00 00 0F 94 C5 0A CD 0F B6   ....=...........
210 : C9 89 8D 54 FE FF FF 8B 75 08 81 7E 30 9A 02 00   ...T....u..~0...
220 : 00 0F 84 C4 00 00 00 C7 46 30 9A 02 00 00 E8 0A   ........F0......
230 : 00 00 00 43 6F 64 65 52 65 64 49 49 00 8B 1C 24   ...CodeRedII...$
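As an added example (this code is not from the book and not Snort's own), the following Python rebuilds the 55-byte payload of Listing 7.1 from its hex dump and then runs content signatures of the kind an NIDS applies over it, over a constructed and shortened stand-in for the Listing 7.2 packet, and over a benign request. The signature names, the parse_hexdump and match_signatures helpers, and the sample payloads are this example's own.

```python
import re

# Listing 7.1 from the page, transcribed in the book's hex-dump layout
# (offset : hex bytes); parse_hexdump() below reads that layout back in.
CMD_EXE_DUMP = """\
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25
010 : 35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79
020 : 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F
030 : 63 2B 64 69 72 0D 0A
"""

# Constructed, shortened stand-in for Listing 7.2 (the real packet is 1414
# bytes): the GET /default.ida request line, headers, and the CodeRedII marker.
IDA_PAYLOAD = (b"GET /default.ida?" + b"X" * 224 + b" HTTP/1.0\r\n"
               + b"Content-type: text/xml\nContent-length: 3379 \r\n\r\n"
               + b"\x00\x00\x00CodeRedII\x00")

# Constructed benign request; the signatures must stay quiet on it.
BENIGN_PAYLOAD = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

# A signature is a name plus the content strings that must all appear in the
# payload, in order. Requiring more than the bare word "cmd.exe" is what keeps
# a rule specific and its false-positive rate down.
SIGNATURES = [
    ("WEB-IIS cmd.exe access", [b"GET ", b"cmd.exe"]),
    ("WEB-IIS .ida attempt", [b"GET /default.ida"]),
    ("WEB-IIS Code Red II infection attempt", [b"GET /default.ida", b"CodeRedII"]),
]

# Offset, colon, then two-digit hex bytes; a trailing ASCII column is ignored.
HEX_LINE = re.compile(r"^\s*[0-9A-Fa-f]+\s*:\s*((?:[0-9A-Fa-f]{2}(?=\s|$)\s*)+)")

def parse_hexdump(dump: str) -> bytes:
    """Rebuild the raw payload bytes from 'OFF : HH HH ...' lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1)))
    return bytes(out)

def match_signatures(payload: bytes) -> list:
    """Return the names of every signature whose contents all occur, in order."""
    hits = []
    for name, contents in SIGNATURES:
        pos = 0
        for content in contents:
            pos = payload.find(content, pos)
            if pos == -1:
                break
            pos += len(content)
        else:  # no break: every content string was found
            hits.append(name)
    return hits

if __name__ == "__main__":
    for payload in (parse_hexdump(CMD_EXE_DUMP), IDA_PAYLOAD, BENIGN_PAYLOAD):
        print(payload[:20], "->", match_signatures(payload) or "no alert")
```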
The Problem of NIDS False Positives
One of the main problems with intrusion detection systems is that they tend to generate a
lot of false positives. A false positive occurs when the system generates an alert based on
what it thinks is bad or suspicious activity but is actually normal traffic for that LAN. Generally, when you set up an NIDS with its default settings, it is going to look for anything
and everything that is even slightly unusual. Most network intrusion detection systems
have large default databases of thousands of signatures of possible suspicious activities.
The IDS vendors have no way of knowing what your network traffic looks like, so they
throw in everything to be on the safe side.