CSCE 815 Network Security Lecture 25 Data Control in HoneyNets SSH April 22, 2003

– 2 – CSCE 815 Sp 03 Machines to Attack NOT!!! gateway

– 3 – CSCE 815 Sp 03 Honeynet Bridge Internet Eth0-NO IP Eth1-NO IP Administrative Interface  SSH Connections  Trusted Hosts Eth xxx.yyy

– 4 – CSCE 815 Sp 03 Honeynet Communication Channel Application Presentation Session Transport Network Data Link PhysicalApplicationPresentation Session Transport Network Physical Eth1-Promiscuous ModeEth0-Promiscuous Mode IP Forwarding Source IP: Destination IP: TTL : 30 Source MAC : 07 E2 G5 89 P1 Destination MAC:0H F5 7F 2L G2 Src IP: Dest IP: TTL : 30 Src MAC:07 E2 G5 89 P1 Dest MAC:0H F5 7F 2L G2 Hub

– 5 – CSCE 815 Sp 03 What is Data Control and Why? Process used to control or contain traffic to a honeynet Upstream liability – an attck from one of your honeypots Snort-inline – South Florida Honeynet Project

– 6 – CSCE 815 Sp 03 GEN II Data Control Gen II : Incorporates a firewall and IDS in one system Provides more stealthy data control Can be implemented for layer 2 bridging or Layer 3 NAT translation Packets passed from internet to honeynet as layer 2 (datalink) layer packets  no TTL decrement

– 7 – CSCE 815 Sp 03 IPTables for GEN II Honeynet IPTables is a free, stateful, Open Source firewall for Linux 2.4.x and 2.5.x kernels Each packet header is compared to a set of “chains” Chains contain rules: ACCEPT, DROP, REJECT, Queue Custom Chains tcpHandler udpHandler icmpHandler

– 8 – CSCE 815 Sp 03 Example Rule Shell Script $IPTABLES –A tcpHandler –j LOG –log-prefix “OUTBOUND” if test $QUEUE = “yes” then $IPTABLES –A tcpHandler –j QUEUE fi $IPTABLES –A tcpHandler –j ACCEPT $IPTABLES –A tcpHandler –j ACCEPT Environment variable “$QUEUE” controls action of the rule Queueing Connection limits

– 9 – CSCE 815 Sp 03 Snort-Inline Snort: The Open Source Network Intrusion Detection System Snort-Inline: Snort + ability to retrieve packets from the Queue target Gen I : Alert.sh operated at Layer 3 (IP layer) which made it visible by TTL decrement and routing Gen II Data Control if attacker runs traceroute to view router hops then “I see nothing” Sargeant Schultz /sbin/traceroute

– 10 – CSCE 815 Sp 03 Set Up lsmod modprobe ip_queue // to load the ip_queue module into kernel space lsmod modprobe -r ip_queue // to remove

– 11 – CSCE 815 Sp 03 Data Control: Snort-Inline and IPTables Modes of Operation Modes of Operation Connection Limiting Mode: Count packets by protocol type Drop Mode: Libipq reads packets from kernel space.Packets are matched against snort signatures and dropped if there is a match Replace Mode: Packets are matched against snort signatures and if they match the harmful content of packet is scrubbed and returned to the attacker

– 12 – CSCE 815 Sp 03 Connection Limiting Mode IPTables DROP Packet No =10 IPTables

– 13 – CSCE 815 Sp 03 Snort-Inline Drop Mode IP Tables Ip_queue Snort-Inline Snort Rules=Drop IPTables Drop

– 14 – CSCE 815 Sp 03 Snort-Inline Replace Mode IP Tables Ip_queue Snort-Inline Snort Rules=Replace IPTables bin/sh->ben/sh

– 15 – CSCE 815 Sp 03 Supporting Tools for Gen II libipq – development library for iptables Netfilter provides a mechanism for passing packets out of the stack for queueing to userspace, then receiving these packets back into the kernel Netfilter provides a mechanism for passing packets out of the stack for queueing to userspace, then receiving these packets back into the kernel Libpcap libpcap is a packet capture library used by most Open Source sniffers Bridge-Utils: Bridge-Utils is used to set up the Linux Ethernet bridge Latest Snort Rules rc.firewall script: everything you need to set up the GenII data control system

– 16 – CSCE 815 Sp 03 Rc.firewall script This script uses IPTables to create a gateway that counts inbound # and outbound connections and blocks connections once a limit # has been met. Kernel must be compiled with Bridge support Modifications History 21 Apr 2003: Added STOP_OUT option to allow user to block # all outbound connections. Think of this as the # honeynet safe mode.

– 17 – CSCE 815 Sp 03 Protect the Administrator Interface Portsentry Detects SYN/Half Open, FIN, NULL scans Will block host in real time and report to the administrator

– 18 – CSCE 815 Sp 03 Data Control: Tripwire Maintains integrity of data on the system Creates cryptographic checksums of files and directories Reports when changes are made to Access permissions, inode number, Userid, groupid, date and time, sizehttp://

– 19 – CSCE 815 Sp 03 Data Capture Mechanisms Snort-Inline Comlog: Log commands executed by cmd.exe (Windows) Eventlog: forwards packets to syslog server(Windows) Sebek: (Linux) Keystroke logging Uses UDP connection USCSh – Unix keystroke logging 1984 Windows Keystroke logging PhD dissertation 1990s

– 20 – CSCE 815 Sp 03 Data Collection Syslog: To deceive intruder maintain another Syslog.conf file in a different location Remote Syslog Stored data on remote machine

– 21 – CSCE 815 Sp 03 Data Analysis Log Sentry: Audits logs and reports any violations Sleuth Kit: Analyses images generated by dd command Converts and copies a file Displays deleted files Creates timeline for file activity

– 22 – CSCE 815 Sp 03 Risk Analysis Placed on the Subnet Can be shut down in case of emergency Efficient Data Control Mechanisms Firewall (Connection Limiting Mode) Snort-Inline (Drop Mode)

– 23 – CSCE 815 Sp 03 References Librenix: types of firewalls configurations access contro Newsforge: Deploying a GenII Honeynet: MS Thesis Harish Siripurapu GenII Data Control for Honeynets – Univ South Florida