Common Intrusion Detection Framework By Ganesh Godavari.

Review: CIDF architecture (producer/consumer)

Scenario 1: malicious user. A malicious user logs in and deletes the passwd file. What does the GIDO exchanged between the E-box and the A-box look like?

GIDO:

InSequence
  (Login
    (Location (Time '14:57:36 24 Feb 1998'))
    (Initiator (HostName 'doctor.evil.com'))
    (Account (UserName 'minime') (RealName 'minie me') (HostName 'austin.powers.mov') (ReferAs 0x ))
  (Delete (World Unix)
    (Location (HostName 'austin.powers.mov') (Time '14:58:12 24 Feb 1998'))
    (Initiator (ReferTo 0x ))
    (Source (AbsoluteFileName '/etc/passwd'))
  (Login (World Unix)
    (Outcome (CIDFReturnCode Failed) (Comment '/etc/passwd missing'))
    (Location (Time '15:02:48 24 Feb 1998'))
    (Initiator (HostName 'small.world.com'))
    (Account (UserName 'austin') (RealName 'austin powers') (HostName 'small.world.com'))
(continued)

Snort nmap alert: the Snort-based CIDF E-box raised the following alert. What does the GIDO from the E-box to the R-box look like?

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/15-03:10: >
ICMP TTL:56 TOS:0x0 ID:25681 IpLen:20 DgmLen:28
Type:8 Code:0 ID:56447 Seq:0 ECHO
[Xref =>

GIDO:

(ByMeansOf
  (Attack
    (Initiator (IPV4Address ))
    (Observer (ProcessName snortIDS))
    (Target (IPV4Address ))
    (AttackSpecifics (Certainty 100) (Severity 100) (AttackID ))
    (Outcome (CIDFReturnCode 2))
  (Do
    (BlockMessage
      (Message (IPV4Protocol 4) (SourceIPV4Address ) (DestinationIPV4Address ))
      (When (BeginTime Wed Jun 15 03:10: MDT) (EndTime thu Jun 16 03:10: MDT))
(continued)
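As an added illustration (my code, not from the slides or the CIDF project), this is how a Snort-based E-box could turn the alert above into a ByMeansOf GIDO S-expression like the one on this slide. The sample alert, its addresses, the Snort-priority-to-Severity mapping and the use of Snort's gid:sid as the Attack-ID are all assumptions.

```python
import re

# Constructed sample in Snort's full-alert layout (addresses and timestamp made up).
SAMPLE_ALERT = """[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/15-03:10:42.123456 192.0.2.10 -> 198.51.100.7
ICMP TTL:56 TOS:0x0 ID:25681 IpLen:20 DgmLen:28
Type:8 Code:0 ID:56447 Seq:0 ECHO
"""
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
ADDR_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$", re.MULTILINE)
# Assumed mapping from Snort priority (1 = highest) to the GIDO Severity field.
SEVERITY = {1: 100, 2: 66, 3: 33}

def parse_snort_alert(text):
    """Pull the fields the GIDO needs out of one Snort full-format alert."""
    hdr, prio, addr = HEADER_RE.search(text), PRIORITY_RE.search(text), ADDR_RE.search(text)
    if not (hdr and prio and addr):
        raise ValueError("not a Snort full-format alert")
    return {"gid": int(hdr.group(1)), "sid": int(hdr.group(2)), "nickname": hdr.group(4),
            "priority": int(prio.group(1)),
            "time": addr.group(1), "src": addr.group(2), "dst": addr.group(3)}

def sexp(tag, *children):
    """Render one CISL-style S-expression node, e.g. (Time "10/15-03:10:42")."""
    return "(" + " ".join((tag,) + children) + ")"

def snort_to_gido(alert, observer="snort", block=None):
    """Build the ByMeansOf GIDO an E-box would emit for one alert; block, if given,
    is a (BeginTime, EndTime) pair that appends the Do/BlockMessage part for the R-box."""
    a = parse_snort_alert(alert)
    parts = [sexp("Attack",
        sexp("When", sexp("Time", '"%s"' % a["time"])),
        sexp("AttackSpecifics",
             sexp("Attack-ID", "%d:%d" % (a["gid"], a["sid"])),  # Snort gid:sid, an assumption
             sexp("AttackNickname", '"%s"' % a["nickname"]),
             sexp("Severity", str(SEVERITY.get(a["priority"], 10))),
             sexp("Certainty", "100")),
        sexp("Initiator", sexp("IPV4Address", a["src"])),
        sexp("Target", sexp("IPV4Address", a["dst"])),
        sexp("Observer", sexp("ProcessName", "'%s'" % observer)))]
    if block:
        parts.append(sexp("Do", sexp("BlockMessage",
            sexp("Message", sexp("SourceIPV4Address", a["src"]),
                 sexp("DestinationIPV4Address", a["dst"])),
            sexp("When", sexp("BeginTime", '"%s"' % block[0]),
                 sexp("EndTime", '"%s"' % block[1])))))
    return sexp("ByMeansOf", *parts)
```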

Snort-based E-box ad filter:

(Filter
  (Fragment
    (ByMeansOf
      (Attack
        (when (Time "!+::*"))
        (AttackSpecifics (Attack-ID "!-::{{0x }}", "!+::{*}") (AtackNickname "!-::{*}"))
        (Initiator "!+::{*}") (IPV4Address "!+::{*}") (HostName "?-::{*}") (TCPSourcePort "!-::{*}"))
        (Target (IPV4Address "!+::{{ , }, { , }, /8}) (HostName "?-::{*}") (TCPDestinationPort "!-::{*}"))
        (Observer (ProcessName "!-::{{'snort'}}") (HostName "!-::{{'hercales'}}")))
      (SendMessage
        (when (Time "!-::*"))
        (Initiator (IPV4Address "!+::{*}") (HostName "?-::{*}") (TCPSourcePort "!-::{*}"))
        (Target (IPV4Address "!-::{*}) (HostName "?-::{*}") (TCPDestinationPort "!-::{*}"))
        (Observer (ProcessName "!-::{{'snort'}}") (HostName "!-::{{'hercales'}}"))
        (Message (TransportProtocol "?+::{{'tcp'}}") (IPV4SetviceType "?+::{*}") (IPV4Identifier "?+::{*}") (IPV4TTL "?+::{*}") (TCPSequenceNumber "?+::{*}") (TCPAckNumber "?+::{*}") (TCPWindow "?+::{*}") (TCPFlags "?+::{*}") (TCPMSS "?+::{*}";)))))
(continued)

Notation used in the filter fields:
!  field is always available
?  field might or might not be available
-  field is not negotiable
+  field is negotiable

A-box template proposal:

(Filter
  (Fragment
    (Attack
      (When (Time "!-::*"))
      (AttackSpecifics (Attack-ID "!-::{{0x }}", "!+::{0x ,0x }") (AtackNickname "!-::{*}"))
      (Initiator (IPV4Address "!+::{*}") (TCPSourcePort "!-::{*}"))
      (Target (IPV4Address "!+::{{ , , }) (TCPDestinationPort "!-::{*}"))
      (Observer (ProcessName "?+::{*}") (HostName "?+::{*}") (IPv4Address "?+::{*}"))))
  (Permit, ''ByMeansOf', 'And', ''HelpedCause'))

Permit lets the filter-matching code search for the GIDO starting from its root; here the A-box is asking for fragments such as "ByMeansOf", "And" and "HelpedCause".

Candidate proposal, A-box to E-box:

(Filter
  (Fragment
    (Attack
      (When (Time "!-::*"))
      (AttackSpecifics (Attack-ID "!-::{{0x }}", "!+::{0x ,0x }") (AtackNickname "!-::{*}"))
      (Initiator (IPV4Address "!+::{*}") (TCPSourcePort "!-::{*}"))
      (Target (IPV4Address "!+::{{ , }, /8}) (TCPDestinationPort "!-::{*}"))
      (Observer (ProcessName "!+::{{'snort'}}") (HostName "!-::{'heracles'}}"))))))

Possible GIDO from A-box to

(ByMeansOf
  (Attack
    (when (time "10/04-16:21:48"))
    (AttackSpecifics (Attack-ID 0x , 0x ) (AttackNickname "NMAP TCP Ping"))
    (Initiator (IPV4Address ) (TCPSourcePort 52716))
    (Target (IPV4Address ) (TCPDestinationPort 39241))
    (Observer (ProcessName 'snort') (HostName 'heracles')))
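An added example (mine, not from the slides) for the consuming side of the last three slides: a minimal reader for CISL-style S-expressions, a path lookup into the parsed GIDO, and a check of a GIDO against the availability part of a filter template ("!" = field must be present, "?" = field may be absent). The sample GIDO follows the shape of the nmap GIDO above with constructed addresses and Attack-ID values, and the dictionary layout of the template is my own assumption.

```python
import re
# Tokens: parentheses, double- or single-quoted strings, bare atoms.
TOKEN_RE = re.compile(r"""\(|\)|"[^"]*"|'[^']*'|[^\s()]+""")
# Constructed GIDO in the shape of the slides' nmap example (addresses and IDs made up).
SAMPLE_GIDO = """(ByMeansOf (Attack (When (Time "10/04-16:21:48"))
  (AttackSpecifics (Attack-ID 0x0001 0x01d5) (AttackNickname "NMAP TCP Ping"))
  (Initiator (IPV4Address 192.0.2.10) (TCPSourcePort 52716))
  (Target (IPV4Address 198.51.100.7) (TCPDestinationPort 39241))
  (Observer (ProcessName 'snort') (HostName 'heracles'))))"""
# Availability half of the slides' filter notation: "!" = must be present, "?" = may be
# absent; the "-"/"+" negotiability half is not modelled. Template layout is assumed.
TEMPLATE = {
    ("Attack", "When", "Time"): "!",
    ("Attack", "AttackSpecifics", "Attack-ID"): "!",
    ("Attack", "Initiator", "IPV4Address"): "!",
    ("Attack", "Initiator", "HostName"): "?",
    ("Attack", "Target", "IPV4Address"): "!",
}

def parse_sexp(text):
    """Parse a CISL-style S-expression into nested lists; atoms become strings."""
    stack, cur = [], []
    for tok in TOKEN_RE.findall(text):
        if tok == "(":
            stack.append(cur)
            cur = []
        elif tok == ")":
            if not stack:
                raise ValueError("unbalanced ')'")
            done, cur = cur, stack.pop()
            cur.append(done)
        else:
            cur.append(tok.strip("\"'"))
    if stack:
        raise ValueError("missing %d closing parenthesis(es)" % len(stack))
    return cur[0] if len(cur) == 1 else cur

def find(node, path):
    """Values under a tag path such as ("Attack", "Initiator", "IPV4Address"), or None."""
    if not path:
        return node[1:]
    for child in node[1:]:
        if isinstance(child, list) and child and child[0] == path[0]:
            return find(child, path[1:])
    return None

def missing_required(gido, template=TEMPLATE):
    """Return the required ('!') template paths that the parsed GIDO does not supply."""
    return [p for p, avail in template.items() if avail == "!" and not find(gido, p)]
```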

CIDF: good and bad

Good:
- Very extensible S-expression form
- Easily readable S-expression form

Bad:
- Work stopped in '99
- Not actually implemented anywhere
- Difficult to parse
- Not as efficient as other reporting formats

?