Distributed IDS: The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services. Darian Jenik - Network Management, Queensland University of Technology


Page 1: Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services

Distributed IDS

• The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.

• Darian Jenik - Network Management

Queensland University of Technology

Page 2:

What IDS is:

• IDS is a combination of methods for determining the presence and location of unauthorized activity on the computer network.

• IDS is the detection and reporting of attacks against, and exploitation of, security vulnerabilities.

• IDS is the logging and detection of internal users' "misdemeanours", to limit the organisation's liability.

Page 3:

What IDS is not:

• IDS is NOT security. For security you need:

• Good security policy that is both documented and adhered to.

• Good security practice by system administrators.

• Hardened perimeter firewalls and "DMZ" firewalls.

• IDS is not a product.

• IDS is not a sensor.

Page 4:

The scale of the problem

• Approximately 10000 hosts

• 100 web servers

• 300 "servers" of other types

• Students

• System Administrators

• IAS

Page 5:

IDS should perform the following tasks

• Detect known violations to host integrity by passively watching network traffic.

• Respond to attempted violations by blocking external IP addresses.

• Respond to probes from outside by blocking external IP addresses.

• Find and report usage inconsistencies that indicate account/quota theft.

• Detect violations by monitoring published information (web pages etc.).

• Help log and establish traffic/host usage patterns for future reference and comparison.

Page 6:

Detect known violations to host integrity by passively watching network traffic.

• Just one type of sensor?

• IDS sensors: traditionally placed at the gateways.

• Also put IDS sensors on hosts, to look after the specific services running on those hosts and to detect port scans against them.

Page 7:

Respond to attempted violations by blocking external IP addresses.

• Make sure the IDS is able to respond and send commands to firewalls and/or hosts.

• IDS sends RST packets to both ends of the connection.

• IDS is able to insert rules into the border firewall.

Page 8:

Respond to probes from outside by blocking external IP addresses.

• Attempts to open ports on servers where those ports are not enabled. (Collate the reports from multiple servers at a single location.)

• Set up "flypaper" IP addresses that have never been used for anything; any traffic to them is a probe, which catches slow scans.
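Pages 7 and 8 together describe the probe-to-block loop: the sensor raises alerts on connections to unused ports or flypaper addresses, and the responder pushes a deny rule into the border firewall. The following is an added example, not code from the presentation or from Snort/Guardian; it parses Snort's `alert_fast` line format, counts probes per external source and emits `ipchains` deny commands as text rather than executing them. The sample alert lines, the internal network, the allowlist and the rule SIDs 1000001/1000002 are all constructed for this example. One caveat it builds in, which matters on a network whose priority is availability: only TCP alerts are counted, because a UDP or ICMP source address can be forged, and an auto-blocker that trusts it lets an attacker make the IDS cut off any address they choose (your upstream DNS, for instance).

```python
import ipaddress
import re
from collections import Counter

# Networks the sensor considers "ours"; probes from these are never auto-blocked.
# Assumed addressing for this example, using documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# External addresses that must never be blocked even if they trip probe rules
# (e.g. the upstream resolver); assumed for this example.
NEVER_BLOCK = {"203.0.113.53"}

# Constructed Snort alert_fast lines (not from any real sensor).
SAMPLE_ALERTS = """\
03/14-10:01:02.123456  [**] [1:1000001:1] PROBE unused port [**] [Priority: 2] {TCP} 203.0.113.9:40001 -> 198.51.100.10:23
03/14-10:01:03.223456  [**] [1:1000001:1] PROBE unused port [**] [Priority: 2] {TCP} 203.0.113.9:40002 -> 198.51.100.10:135
03/14-10:01:04.323456  [**] [1:1000002:1] PROBE flypaper address [**] [Priority: 2] {TCP} 203.0.113.9:40003 -> 198.51.100.250:80
03/14-10:01:05.423456  [**] [1:1000001:1] PROBE unused port [**] [Priority: 2] {TCP} 192.0.2.44:5000 -> 198.51.100.10:23
03/14-10:01:06.523456  [**] [1:1000002:1] PROBE flypaper address [**] [Priority: 2] {UDP} 198.51.100.1:53 -> 198.51.100.250:53
03/14-10:01:07.623456  [**] [1:1000002:1] PROBE flypaper address [**] [Priority: 2] {TCP} 203.0.113.53:1025 -> 198.51.100.250:25
03/14-10:01:08.723456  [**] [1:1000002:1] PROBE flypaper address [**] [Priority: 2] {TCP} 203.0.113.53:1026 -> 198.51.100.250:25
03/14-10:01:09.823456  [**] [1:1000002:1] PROBE flypaper address [**] [Priority: 2] {TCP} 203.0.113.53:1027 -> 198.51.100.250:25
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Parse one Snort alert_fast line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def decide_blocks(lines, probe_sids=(1000001, 1000002), threshold=3):
    """Count qualifying probes per external source; return ipchains commands for
    sources at or over the threshold.  Only TCP alerts count: a UDP/ICMP source
    is trivially spoofed and auto-blocking on it is a denial-of-service lever."""
    hits = Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec is None or rec["sid"] not in probe_sids:
            continue
        if rec["proto"] != "TCP":
            continue
        if is_internal(rec["src"]) or rec["src"] in NEVER_BLOCK:
            continue
        hits[rec["src"]] += 1
    # Emit the rule text rather than executing it; a responder would run these
    # and later the matching "ipchains -D input ..." to lift the block again.
    return [f"ipchains -I input -s {src} -j DENY"
            for src, n in sorted(hits.items()) if n >= threshold]


if __name__ == "__main__":
    for cmd in decide_blocks(SAMPLE_ALERTS.splitlines()):
        print(cmd)
```

On the sample, 203.0.113.9 reaches the threshold and gets a deny rule; 192.0.2.44 sent a single probe, 198.51.100.1 is internal and its alerts are UDP anyway, and 203.0.113.53 is allowlisted. Pair any automatic block with an expiry (the slide's "Girr" remover) so a forged or transient source does not stay blocked indefinitely.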

Page 9:

Find and report usage inconsistencies that indicate account/quota theft.

• Check that the accounts authorised at the access points (dial-in/PC) are the same accounts using the other services (mail/proxy/other logins) from those addresses.

• Repeated failed login attempts against services.

• Accounts being used simultaneously from several locations.
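The three checks on this page are correlation rules over login records from different services. The following is an added example, not code from the presentation: it takes login records already normalised into one shape (the constructed sample below; a real collector would need one parser per source, RADIUS, POP/IMAP, proxy, feeding the same record shape), then flags (1) a service login from a dial-in address that was issued to a different account, (2) the same account active from two addresses inside a time window, and (3) accounts with a burst of failed logins. The service names, window and thresholds are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed, pre-normalised login records (syslog-style, no year).
SAMPLE_LOG = """\
Mar 14 10:00:01 dialin radius: login user=alice src=10.9.0.11 result=ok
Mar 14 10:00:05 dialin radius: login user=bob src=10.9.0.12 result=ok
Mar 14 10:02:00 mail popd: login user=alice src=10.9.0.11 result=ok
Mar 14 10:02:30 proxy squid: login user=carol src=10.9.0.12 result=ok
Mar 14 10:03:00 mail popd: login user=alice src=192.0.2.77 result=ok
Mar 14 10:03:10 mail popd: login user=dave src=192.0.2.78 result=fail
Mar 14 10:03:12 mail popd: login user=dave src=192.0.2.78 result=fail
Mar 14 10:03:14 mail popd: login user=dave src=192.0.2.78 result=fail
Mar 14 10:03:16 mail popd: login user=dave src=192.0.2.78 result=fail
Mar 14 10:03:18 mail popd: login user=dave src=192.0.2.78 result=fail
Mar 14 10:20:00 mail popd: login user=bob src=10.9.0.12 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+(?P<svc>\w+):\s+"
    r"login user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\w+)\s*$"
)
# Services that hand an address to an account (assumed name for the example).
DIALIN_SERVICES = {"radius"}


def parse_auth(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog carries no year; fine for same-day deltas, a real collector adds it
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def analyse(lines, window=timedelta(minutes=10), fail_threshold=5):
    events = [r for r in map(parse_auth, lines) if r]
    events.sort(key=lambda r: r["ts"])
    assigned = {}                 # dial-in address -> account it was issued to
    mismatch, simultaneous = [], set()
    recent = defaultdict(list)    # user -> successful (ts, src) inside the window
    fails = Counter()
    for ev in events:
        user, src, ts = ev["user"], ev["src"], ev["ts"]
        if ev["result"] != "ok":
            fails[user] += 1
            continue
        if ev["svc"] in DIALIN_SERVICES:
            assigned[src] = user
        elif src in assigned and assigned[src] != user:
            # someone on bob's dial-in line is logging in as another account
            mismatch.append((user, src, assigned[src]))
        # same account seen from a second address inside the window
        recent[user] = [(t, s) for t, s in recent[user] if ts - t <= window]
        for _, other in recent[user]:
            if other != src:
                simultaneous.add((user,) + tuple(sorted((other, src))))
        recent[user].append((ts, src))
    return {
        "mismatch": mismatch,
        "simultaneous": sorted(simultaneous),
        "failed": [(u, n) for u, n in sorted(fails.items()) if n >= fail_threshold],
    }


if __name__ == "__main__":
    for kind, findings in analyse(SAMPLE_LOG.splitlines()).items():
        print(kind, findings)
```

On the sample, carol is flagged for using bob's dial-in address, alice for being active from the dial-in pool and an outside address within ten minutes, and dave for five consecutive failures. Tune the window to the real session lengths on your network, or legitimate dial-in reconnects will dominate the simultaneous-use report.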

Page 10:

Detect violations by monitoring published information (web pages etc.).

• Graffiti (defaced pages), DNS spoofing, warez repositories.

• Ensure that the monitoring is done from outside the network as well as from inside.

• http://forced.attrition.org/mirror/attrition/

Page 11:

Help log and establish traffic usage patterns for future reference and comparison.

• Central syslog collecting and analysis.

• Tripwire

• Nmap database

• Performance and Usage analysis.
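The "Nmap database" item on this page is a baseline: scan your own servers on a schedule, keep the result, and diff each new scan against it so that a port that was never enabled (page 8) shows up the day it appears. The following is an added example, not code from the presentation or from Nmap; it parses Nmap's grepable output format (`-oG`, the `Host: ... Ports: port/state/proto/...` lines) for two scans and reports new open ports, ports that disappeared and hosts that were not in the baseline. The scan text is constructed for this example.

```python
import re

# Constructed nmap -oG output for two scans of the same server range.
BASELINE = """\
# Nmap scan initiated (constructed baseline)
Host: 198.51.100.10 (www)  Status: Up
Host: 198.51.100.10 (www)  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///  Ignored State: closed (998)
Host: 198.51.100.20 (mail)  Ports: 25/open/tcp//smtp///, 80/open/tcp//http///, 110/open/tcp//pop-3///
"""
CURRENT_SCAN = """\
Host: 198.51.100.10 (www)  Ports: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 443/filtered/tcp//https///
Host: 198.51.100.20 (mail)  Ports: 25/open/tcp//smtp///, 110/open/tcp//pop-3///
Host: 198.51.100.30 ()  Ports: 21/open/tcp//ftp///
"""

HOST_RE = re.compile(r"^Host:\s+(?P<ip>[\d.]+)\s+\(.*?\)\s+(?P<rest>.*)$")
PORT_RE = re.compile(r"(?P<port>\d+)/(?P<state>\w+)/(?P<proto>\w+)/")


def parse_grepable(text):
    """Return {ip: set of (port, proto)} for ports nmap reported as open."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in m["rest"]:
            continue        # comments and Status-only lines carry no ports
        ports = hosts.setdefault(m["ip"], set())
        field = m["rest"].split("Ports:", 1)[1].split("Ignored State:")[0]
        for p in PORT_RE.finditer(field):
            if p["state"] == "open":
                ports.add((int(p["port"]), p["proto"]))
    return hosts


def diff_scans(baseline, current):
    """Compare two parse_grepable() results; every entry is (ip, port, proto)."""
    new, gone, new_hosts = [], [], []
    for ip, ports in current.items():
        if ip not in baseline:
            new_hosts.append(ip)
            new.extend((ip, port, proto) for port, proto in sorted(ports))
            continue
        new.extend((ip, port, proto) for port, proto in sorted(ports - baseline[ip]))
        gone.extend((ip, port, proto) for port, proto in sorted(baseline[ip] - ports))
    # hosts present in the baseline but absent now are reported as all ports gone
    for ip in set(baseline) - set(current):
        gone.extend((ip, port, proto) for port, proto in sorted(baseline[ip]))
    return {"new": sorted(new), "gone": sorted(gone), "new_hosts": sorted(new_hosts)}


if __name__ == "__main__":
    report = diff_scans(parse_grepable(BASELINE), parse_grepable(CURRENT_SCAN))
    for key, rows in report.items():
        print(key, rows)
```

A "gone" port is as interesting as a new one on a network built around availability: here the mail host lost its web service between scans. Run the scan from inside and from outside the border firewall, as the previous page says for content monitoring, because the two views of the same host legitimately differ.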

Page 12:

Snort

• Open Source

• Just about any platform (including Windows)

• Many plugins and external modules.

• Frequent rules updates.

Page 13:

Snort Plugins

• Database output: MySQL, Oracle, PostgreSQL, unixODBC

• Spade (Statistical Packet Anomaly Detection Engine)

• FlexResp (session response/closing)

• XML output

• TCP stream reassembly (reassembles streams sent one byte per packet, so signatures still match)

Page 14:

Snort Add-ons

• ACID (Analysis Console for Intrusion Databases) - PHP

• Guardian – ipchains rule inserter (Girr – rule remover)

• SnortSnarf - HTML reports

• Snortlog – syslog

• "Ruleset retrieve" – automatic rules updater.

• Snorticus – central multi-sensor manager – shell

• LogSnorter – adds syslog information to the Snort SQL database.

• + a few win32 bits and pieces.

Page 15:

ACID + Snort

• ACID is a CERT project.

• Fairly simple PHP3 front end to MySQL.

• Quite customizable.

• Simple GUI for casual browsing.

Page 16:

• Main Console

Page 17:

• Individual alerts

Page 18:

• Securityfocus

• Whitehats

• CVE

Page 19:

• Rule details

Page 20:

• Incident details

Page 21:

• Incident Details

Page 22:

Questions?

Page 23:

URLS

• www.snort.org

• http://www.cert.org/kb/acid/

• www.whitehats.com (intrusion signatures data)

• www.securityfocus.com (intrusion signatures data)

• http://cve.mitre.org/ (intrusion signatures data)

• http://www.psionic.com/ (logcheck + hostsentry)