Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services. Darian Jenik - Network Management Queensland University of Technology

What IDS is: IDS is a combination of methods for determining the presence and location of unauthorized activity on the computer network. IDS is the detection and reporting of security vulnerabilities. IDS is the logging and detection of internal users “misdemeanors” to protect liability

What IDS is not: IDS in NOT security – For security you need: Good security policy that is both documented and adhered to. Good security practice by system administrators. Hardened perimeter firewalls and “DMZ” firewalls. IDS is not a product. IDS is not a sensor.

The scale of the problem Approximately hosts 100 web servers 300 “servers” of other type Students System Administrators IAS

IDS should perform the following tasks Detect known violations to host integrity by passively watching network traffic. Respond to attempted violations by blocking external IP addresses. Respond to probes from outside by blocking external IP addresses. Find and report usage inconsistencies that indicate account/quota theft. Detect violations by monitoring information (web pages etc….) Help log and establish traffic/host usage patterns for future reference and comparison

Detect known violations to host integrity by passively watching network traffic. Just one type of sensor? IDS sensors: Gateways – Traditionally Put IDS sensors on hosts to look after specific services running on the hosts and detect port scans.

Respond to attempted violations by blocking external IP addresses. Make sure the IDS is able to respond and send commands to firewalls and/or hosts. IDS sends RST packets to both ends of the connection. IDS is able to insert rules into border firewall.

Respond to probes from outside by blocking external IP addresses. Attempts to open ports on servers that are not enabled. (Collate multiple servers to report to single location.) Make “flypaper” IP addresses that have never been used for anything that serve to pickup slow probes.

Find and report usage inconsistencies that indicate account/quota theft. Determine that the accounts authorized at the locations (dial in/pc) are the same accounts using other services (mail/proxy/other logins). Failed attempts to login to services that are not successful. Accounts being used simultaneously at various locations.

Detect violations by monitoring information. (web pages etc….) Graffiti, DNS spoofing, wares repositories. Ensure that the monitoring is external as well as internal.

Help log and establish traffic usage patterns for future reference and comparison. Central syslog collecting and analysis. Tripwire Nmap database Performance and Usage analysis.

Open Source Just about any platform(Including windows) Many plugins and external modules. Frequent rules updates.

Snort Plugins Databases mySQL Oracle Postgresql unixODBC Spade (Statistical Packet Anomaly Detection engine) FlexResp (Session response/closing) XML output TCP streams (stream single-byte reassembly)

Snort Add-ons Acid(Analysis Console for Intrusion Detection) - PHP Guardian – IPCHAINS rules modifier.(Girr – remover) SnortSnarf - HTML Snortlog – syslog “Ruleset retreive” – automatic rules updater. Snorticus – central multi-sensor manager – shell LogSnorter – Syslog > snort SQL database information adder. + a few win32 bits and pieces.

Acid + Snort Acid is a Cert project. Pretty simple PHP3 to mySQL Quite customizable. Simple GUI for casual browsing.

Main Console

Individual alerts

Securityfocus Whitehats CVE

Rule details

Incident details

Incident Details

Questions ?

URLS (Intrusion signatures data) (Intrusion signatures data) (Intrusion signatures data) (logcheck + hostsentry)