1. IDS In Depth Search: Ideas, Descriptions, and Solutions Presentation by Marshall Washburn November 30 th, 2010 CPSC 420/620 w/ Dr. Grossman

2. Introduction and Layout What is an IDS? – How it works – NIDS vs. HIDS (vs. NNIDS) Different uses of an IDS – Passive vs. Aggressive (IDPS) – Anomaly vs. Signature Supplements and Add-ons – Logging – Honeypots Gotchas – False Positives – False Negatives Closer look – Snort – Info – Modes – Rules & Features Conclusion

3. What is an IDS? IDS – Intrusion Detection System – Analyzes network traffic – Reports problems Three types of IDS – Network-based Intrusion Detection – Host-based Intrusion Detection – Network Node-based Intrusion Detection

4. Types of IDS Network-IDS – Typical view of IDS – Watches a subnet – Typically a perimeter defense Host-based IDS – Watches host computers, involves software – Looks for system calls and registry changes – Typically an internal defense Network-Node IDS – Specific host traffic – Kind of specialized NIDS (ex: VPN device)

5. Types of IDS http://www.informit.com/articles/article.aspx?p=29601 http://ptgmedia.pearsoncmg.com/images/art_peikari1_intrusiondetection/elementLinks/fig01.gif

6. Different uses of an IDS How should the system react? Passive system – Scans packets, traffic, or system – Takes notes – Sends alerts Active system (Intrusion Detection and Prevention System) – Passive system + barrel rolls – Kills connections or modifies firewalls Pros and Cons: Passive vs. Active – Less maintenance and lack of painful false alarms vs. More maintenance but avoid disasters

7. Different uses of an IDS What should the system look for? Anomaly-based IDS – Samples network traffic – Checks against predefined ‘ideal’ traffic Signature-based IDS – Polar opposite of anomaly – Samples network traffic – Checks against predefined virus patterns Pros and Cons: Anomaly vs. Signature – Hard to pin down ‘normal’ network traffic, especially when updating or migrating a system – Virus patterns are only as good as the updated list

8. Supplements and Add-ons IDS: Good by themselves, great on a team – External Logging – Honeypots http://i.ehow.com/images/a06/e3/83/state-ohio-tax-id-number-120X120.jpghttp://i.ehow.com/images/a06/e3/83/state-ohio-tax-id-number-120X120.jpg http://blog.hazrulnz.net/tag/ids

9. IDS Logging IDS typically logs traffic locally – Can become unorganized – Hard to search through External Logging Databases (ex: ACIDBASE) – Categorize suspected attacks – IP traffic – Port traffic – Latest virus information – Stealthy logging

10. Honeypots IDS can be used on production or development systems Honeypots lure attacker in (ex: Honeyd) – Network decoys to distract away from vulnerable machines – Typically virtual machines that simulate real networks – Honeypots capture the attacks, IDS analyzes, your system stays secure.

11. A Few Gotchas Every rose has its thorn… False Positives – Normal traffic suspected to be malicious False Negatives – Some attack is flagged to be normal or non-malicious Not software flaws, usually configuration flaws – Encrypted traffic can cause false positives, and mutated worms or viruses can mismatch an attack pattern and cause false negatives.

12. Quick Case Study: Snort Originally released in 1998 by Sourcefire founder and CTO Martin Roesch Combines signature and anomaly techniques Ready out of the box Updated rule sets Three primary modes – Sniffer mode – Packet-logger mode – Network IDS mode

13. Snort Rules Can specify what IP subnet to look at and types of traffic in ‘snort.conf’ file Sample rule – alert tcp any any -> 192.168.1.0/24 111 \ (content:"|00 01 86 a5|"; msg:"mountd access";) Easy to customize with many different features – Logging, passing, dropping, custom – TCP and/or UDP, ICMP, IP – Traffic direction – Content, raw bytes, offsets

14. Conclusions Useful tool to keep a network safe There are many different styles to a detection system Snort incorporates many of the capabilities of intrusion detection systems – multiple detection techniques – ability to customize simple rules

15. Works Cited Bauer, Mick. “Stealthful Sniffing, Intrusion Detection and Logging http://www.linuxjournal.com/article/6222 October, 2002http://www.linuxjournal.com/article/6222 Innella, Paul. “The Evolution of Intrusion Detection Systems” http://www.symantec.com/connect/articles/evolution-intrusion- detection-systemshttp://www.symantec.com/connect/articles/evolution-intrusion- detection-systems November 16th, 2001 Mattord, Verma (2008). Principles of Information Security. Course Technology. pp. 290–301 Provos, Niels. “A Virtual Honeypot Network” http://www.usenix.org/event/sec04/tech/full_papers/provos/provos_htm l/ Proceedings of the 13th USENIX Security Symposium. August, 2004 http://www.usenix.org/event/sec04/tech/full_papers/provos/provos_htm l/ Timm, Kevin. “Strategies to Reduce False Positives and False Negatives in NIDS” http://www.symantec.com/connect/articles/strategies-reduce- false-positives-and-false-negatives-nids September, 2001http://www.symantec.com/connect/articles/strategies-reduce- false-positives-and-false-negatives-nids The Snort Team. SNORT Users Manual 2.9.0. http://www.snort.org/assets/152/snort_manual.pdf September, 2010 http://www.snort.org/assets/152/snort_manual.pdf Wikipedia. http://en.wikipedia.org/wiki/Intrusion_detection_systemhttp://en.wikipedia.org/wiki/Intrusion_detection_system