An Intrusion Detection System to Monitor Traffic Through the CS Department Christy Jackson, Rick Rossano, & Meredith Whibley April 24, 2000

Overview of Project Introduction Setting Up the IDS Types of Attacks Development of Rule File Computer Demo Analyze Statistics Recommendations & Conclusion

Purpose of System Paco proposed the question: Is it worth it to set up a filter on the CS router? Research potential attacks Attempt to develop an adequate rule file for network Gather statistics on the number of iffy/bad packets received a day

Development of the IDS Looked in to possible filtering tools tcpdump, Snoop, Shadow IDS Settled on IP Filter (recommended) Easy implementation, nice tools to gather statistics & easy logging However, only hears broadcast packets & packets addressed to our machine, Grendel Back to square one

Development of IDS Snort came to our rescue Similar to a tcpdump tool Lightweight NIDS Small - roughly 100 KB compressed Easily compiled and installed Free! & minimal time for configuration Lots of plug-ins Rule-based logging Allows logging to separate files and has real-time alerting capability

Rule File Paco supplied a Cisco rule set for packets he wanted to monitor Using the Snort format, we developed an equivalent rule set Rule ex.: log TCP any any -> any 69 (logto: “logs/tftp-port69”;)

What We Were Attempting to Log Existing OS Weaknesses finger (port 79) portmapper (port 111) snmp (port 161) Known Cracker Attacks Ganabus, NetBus, Back Orifice, Whackamole (ports 12345, 12346, 20034, 31337)

Logging Denial of Service Attacks Echo (port 7) Chargen (port 19) Syslog (port )

Computer Demo

Memory Statistics Total Amount of Data Received Daily: approx. 7.2 GB This data is packet headers, doesn’t include actual data in packets Total Number of Packets Per Day: 48,724,609

Example of Suspicious Packet We received one packet on port 0 (which should never be used) 04/23-02:46: : > :0 TCP TTL:50 TOS:0x0 ID:10900 DF ******** Seq: 0x10000 Ack: 0xB617 Win: 0xFFFF Packet from: hover.demon.nl Attempted Attack???

Recommendations Currently we are logging only packets that come in on a certain insecure port Snort allows the capability to read the actual data and analyze whether the intent of the packet on that port is questionable This info can be alerted in real-time Disadvantages of this on the CS switch: Heavy traffic would cause the dropping of many packets However, what are the odds of those packets being an attack?

Recommendations Configuration of WWW rules (port 80) Need to create specifically for our server, based on the applications and systems running on server Many attacks can occur through this port Setup more robust machine that could hold complete packet information This would allow us to witness the “hacker’s” actions once in the network

Conclusions

Was our IDS worth it? Yes. Statistics suggest that a router filter would be overkill. This is what we wanted to hear! However, would work as an internal IDS system This system could easily be run on a regular basis. An alert would gain our attention & could easily be investigated using Snort

References IDS Information: Snort’s web-site This site provides entire rule files that you can use on your system. Good up-to-date info on IDS security trends

Questions ?