Network Intrusion Detection, Third Edition
- Table of Contents
- Copyright
- About the Authors
- About the Technical Reviewers
- Acknowledgments
- Tell Us What You Think
- Introduction
- Chapter 1. IP Concepts
- Layers
- Data Flow
- Packaging (Beyond Paper or Plastic)
- Bits, Bytes, and Packets
- Encapsulation Revisited
- Interpretation of the Layers
- Addresses
- Physical Addresses, Media Access Controller Addresses
- Logical Addresses, IP Addresses
- Subnet Masks
- Service Ports
- IP Protocols
- Domain Name System
- Routing: How You Get There from Here
- Summary
- Chapter 2. Introduction to TCPdump and TCP
- TCPdump
- TCPdump Behavior
- Filters
- Binary Collection
- TCPdump Output
- Absolute and Relative Sequence Numbers
- Dumping in Hexadecimal
- Introduction to TCP
- Establishing a TCP Connection
- Server and Client Ports
- Connection Termination
- The Graceful Method
- The Abrupt Method
- Data Transfer
- What's the Bottom Line?
- TCP Gone Awry
- An ACK Scan
- A Telnet Scan?
- TCP Session Hijacking
- Summary
- Chapter 3. Fragmentation
- Theory of Fragmentation
- All Aboard the Fragment Train
- The Fragment Dining Car
- The Fragment Caboose
- Viewing Fragmentation Using TCPdump
- Fragmentation and Packet-Filtering Devices
- The Don't Fragment Flag
- Malicious Fragmentation
- TCP Header Fragments
- Teardrop
- Summary
- Chapter 4. ICMP
- ICMP Theory
- Why Do You Need ICMP?
- Where Does ICMP Fit In?
- Understanding ICMP
- Summary of ICMP Theory
- Mapping Techniques
- Tireless Mapper
- Efficient Mapper
- Clever Mapper
- Cerebral Mapper
- Summary of Mapping
- Normal ICMP Activity
- Host Unreachable
- Port Unreachable
- Admin Prohibited
- Need to Frag
- Time Exceeded In-Transit
- Embedded Information in ICMP Error Messages
- Summary of Normal ICMP
- Malicious ICMP Activity
- Smurf Attack
- Tribe Flood Network
- WinFreeze
- Loki
- Unsolicited ICMP Echo Replies
- Theory 1: Spoofing
- Theory 2: TFN
- Theory 3: Loki
- Summary of Malicious ICMP Traffic
- To Block or Not to Block
- Unrequited ICMP Echo Requests
- Kiss traceroute Goodbye
- Silence of the LANs
- Broken Path MTU Discovery
- Summary
- Chapter 5. Stimulus and Response
- The Expected
- Request for Comments
- TCP Stimulus-Response
- Destination Host Listens on Requested Port
- Destination Host Not Listening on Requested Port
- Destination Host Doesn't Exist
- Destination Port Blocked
- Destination Port Blocked, Router Doesn't Respond
- UDP Stimulus-Response
- Destination Host Listening on Requested Port
- Destination Host Not Listening on Requested Port
- Windows tracert
- TCPdump of tracert
- Protocol Benders
- Active FTP
- Passive FTP
- UNIX Traceroute
- Summary of Expected Behavior and Protocol Benders
- Abnormal Stimuli
- Evasion Stimulus, Lack of Response
- Evil Stimulus, Fatal Response
- No Stimulus, All Response
- Unconventional Stimulus, Operating System Identifying Response
- Bogus "Reserved" TCP Flags
- Anomalous TCP Flag Combinations
- No TCP Flags
- Summary of Abnormal Stimuli
- Summary
- Chapter 6. DNS
- Back to Basics: DNS Theory
- The Structure of DNS
- Steppin' Out on the Internet
- DNS Resolution Process
- TCPdump Output of Resolution
- Strange TCPdump Notation
- Caching: Been There, Done That
- Reverse Lookups
- Master and Slave Name Servers
- Zone Transfers
- Summary of DNS Theory
- Using DNS for Reconnaissance
- The nslookup Command
- Name That Name Server
- HINFO: Snooping for Details
- List Zone Map Information
- Tainting DNS Responses
- A Weak Link
- Cache Poisoning
- Summary
- Part II: Traffic Analysis
- Chapter 7. Packet Dissection Using TCPdump
- Why Learn to Do Packet Dissection?
- Sidestep DNS Queries
- Normal Query
- Evasive Query
- Introduction to Packet Dissection Using TCPdump
- Where Does the IP Stop and the Embedded Protocol Begin?
- Other Length Fields
- The IP Datagram Length
- Increasing the Snaplen
- Dissecting the Whole Packet
- Freeware Tools for Packet Dissection
- Ethereal
- tcpshow
- Summary
- Chapter 8. Examining IP Header Fields
- Insertion and Evasion Attacks
- Insertion Attacks
- Evasion Attacks
- IP Header Fields
- IP Version Number
- Protocol Number
- The Don't Fragment (DF) Flag
- The More Fragments (MF) Flag
- Mapping Using Incomplete Fragments
- IP Numbers
- IP Identification Number
- Time to Live (TTL)
- Looking at the IP ID and TTL Values Together to Discover Spoofing
- IP Checksums
- Summary
- Chapter 9. Examining Embedded Protocol Header Fields
- Ports
- TCP Checksums
- TCP Sequence Numbers
- Acknowledgement Numbers
- TCP Flags
- TCP Corruption
- ECN Flag Bits
- Operating System Fingerprinting
- Retransmissions
- Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- TCP Window Size
- LaBrea Version 2
- Ports
- UDP Port Scanning
- UDP Length Field
- ICMP
- Type and Code
- Identification and Sequence Numbers
- Misuse of ICMP Identification and Sequence Numbers
- Summary
- Chapter 10. Real-World Analysis
- You've Been Hacked!
- Netbus Scan
- How Slow Can You Go?
- RingZero Worm
- Summary
- Chapter 11. Mystery Traffic
- The Event in a Nutshell
- The Traffic
- DDoS or Scan
- Source Hosts
- Destination Hosts
- Scanning Rates
- Fingerprinting Participant Hosts
- Arriving TTL Values
- TCP Window Size
- TCP Options
- TCP Retries
- Summary
- Part III: Filters/Rules for Network Monitoring
- Chapter 12. Writing TCPdump Filters
- The Mechanics of Writing TCPdump Filters
- Bit Masking
- Preserving and Discarding Individual Bits
- Creating the Mask
- Putting It All Together
- TCPdump IP Filters
- Detecting Traffic to the Broadcast Addresses
- Detecting Fragmentation
- TCPdump UDP Filters
- TCPdump TCP Filters
- Filters for Examining TCP Flags
- Detecting Data on SYN Connections
- Summary
- Chapter 13. Introduction to Snort and Snort Rules
- An Overview of Running Snort
- Snort Rules
- Snort Rule Anatomy
- Rule Header Fields
- The Action Field
- The Protocol Field
- The Source and Destination IP Address Fields
- The Source and Destination Port Field
- Direction Indicator
- Summary
- Chapter 14. Snort Rules - Part II
- Format of Snort Options
- Rule Options
- Msg Option
- Logto Option
- Ttl Option
- Id Option
- Dsize Option
- Sequence Option
- Acknowledgement Option
- Itype and Icode Options
- Flags Option
- Content Option
- Offset Option
- Depth Option
- Nocase Option
- Regex Option
- Session Option
- Resp Option
- Tag Option
- Putting It All Together
- Summary
- Part IV: Intrusion Infrastructure
- Chapter 15. Mitnick Attack
- Exploiting TCP
- IP Weaknesses
- SYN Flooding
- Covering His Tracks
- Identifying Trust Relationships
- Examining Network Traces
- Setting Up the System Compromise?
- Detecting the Mitnick Attack
- Trust Relationship
- Port Scan
- Host Scan
- Connections to Dangerous Ports
- TCP Wrappers
- Tripwire
- Preventing the Mitnick Attack
- Summary
- Chapter 16. Architectural Issues
- Events of Interest
- Limits to Observation
- Human Factors Limit Detects
- Limitations Caused by the Analyst
- Limitations Caused by the CIRTs
- Severity
- Criticality
- Lethality
- Countermeasures
- Calculating Severity
- Scanning for Trojans
- Analysis
- Severity
- Host Scan Against FTP
- Analysis
- Severity
- Sensor Placement
- Outside Firewall
- Sensors Inside Firewall
- Both Inside and Outside Firewall
- Analyst Console
- Faster Console
- False Positive Management
- Display Filters
- Mark as Analyzed
- Drill Down
- Correlation
- Better Reporting
- Event-Detection Reports
- Weekly/Monthly Summary Reports
- Summary
- Chapter 17. Organizational Issues
- Organizational Security Model
- Security Policy
- Industry Practice for Due Care
- Security Infrastructure
- Implementing Priority Countermeasures
- Periodic Reviews
- Implementing Incident Handling
- Defining Risk
- Risk
- Accepting the Risk
- Trojan Version
- Malicious Connections
- Mitigating or Reducing the Risk
- Network Attack
- Snatch and Run
- Transferring the Risk
- Defining the Threat
- Recognition of Uncertainty
- Risk Management Is Dollar Driven
- How Risky Is a Risk?
- Quantitative Risk Assessment
- Qualitative Risk Assessments
- Why They Don't Work
- Summary
- Chapter 18. Automated and Manual Response
- Automated Response
- Architectural Issues
- Response at the Internet Connection
- Internal Firewalls
- Host-Based Defenses
- Throttling
- Drop Connection
- Shun
- Proactive Shunning
- Islanding
- Reset
- Honeypot
- Proxy System
- Empty System
- Honeypot Summary
- Manual Response
- Containment
- Freeze the Scene
- Sample Fax Form
- On-Site Containment
- Site Survey
- System Containment
- Hot Search
- Eradication
- Recovery
- Lessons Learned
- Summary
- Chapter 19. Business Case for Intrusion Detection
- Part One: Management Issues
- Bang for the Buck
- The Expenditure Is Finite
- Technology Used to Destabilize
- Network Impacts
- IDS Behavioral Modification
- The Policy
- Part of a Larger Strategy
- Part Two: Threats and Vulnerabilities
- Threat Assessment and Analysis
- Threat Vectors
- Threat Determination
- Asset Identification
- Valuation
- Vulnerability Analysis
- Risk Evaluation
- Part Three: Tradeoffs and Recommended Solution
- Identify What Is in Place
- Identify Your Recommendations
- Identify Options for Countermeasures
- Cost-Benefit Analysis
- Follow-On Steps
- Repeat the Executive Summary
- Summary
- Chapter 20. Future Directions
- Increasing Threat
- Improved Targeting
- How the Threat Will Be Manifested
- Defending Against the Threat
- Skills Versus Tools
- Analysts Skill Set
- Improved Tools
- Defense in Depth
- Emerging Techniques
- Virus Industry Revisited
- Smart Auditors
- Summary
- Part V: Appendixes
- Appendix A. Exploits and Scans to Apply Exploits
- False Positives
- All Response, No Stimulus
- Scan or Response?
- SYN Floods
- Valid SYN Flood
- False Positive SYN Flood
- Back Orifice?
- IMAP Exploits
- 10143 Signature Source Port IMAP
- 111 Signature IMAP
- Source Port 0, SYN and FIN Set
- Source Port 65535 and SYN FIN Set
- DNS Zone Followed by 0, SYN FIN Targeting NFS
- Scans to Apply Exploits
- mscan
- Son of mscan
- Access Builder?
- Single Exploit, Portmap
- rexec
- Targeting SGI Systems?
- Discard
- Weird Web Scans
- IP-Proto-191
- Summary
- Appendix B. Denial of Service
- Brute-Force Denial-of-Service Traces
- Smurf
- Directed Broadcast
- Echo-Chargen
- Elegant Kills
- Teardrop
- Land Attack
- We're Doomed
- nmap
- Distributed Denial-of-Service Attacks
- Intro to DDoS
- DDoS Software
- Trinoo
- Stacheldraht
- Summary
- Appendix C. Detection of Intelligence Gathering
- Network and Host Mapping
- Host Scan Using UDP Echo Requests
- Netmask-Based Broadcasts
- Port Scan
- Scanning for a Particular Port
- Complex Script, Possible Compromise
- "Random" Port Scan
- Database Correlation Report
- SNMP/ICMP
- FTP Bounce
- NetBIOS-Specific Traces
- A Visit from a Web Server
- Null Session
- Stealth Attacks
- Explicit Stealth Mapping Techniques
- FIN Scan
- Inverse Mapping
- Answers to Domain Queries
- Answers to Domain Queries, Part 2
- Fragments, Just Fragments
- Measuring Response Time
- Echo Requests
- Actual DNS Queries
- Probe on UDP Port 33434
- 3DNS to TCP Port 53
- Worms as Information Gatherers
- Pretty Park Worm
- RingZero
- Summary
SubSeven), Code Red, and SNMP/ASN.1 bonanzas of mid-2001 and early 2002. OK, this is where I go way out on a limb. It isn't funny, but a large number of these machines are Windows, and lately there has been some evidence that Microsoft really cares. I think that seeing 180,000 IIS web servers switch to (mostly) Apache in the months after Code Red really got their attention.
- Follow the money! The money is primarily going into the defensive side of the house. The attacker community is demonstrating a lot of ingenuity, but as lower-cost, easy-to-configure security appliances come onto the market, and security training that really works becomes available, there will be less low-hanging fruit. Attacking will become less fun and less common, and it will be easier to shun sites that do not stop bad behavior.
Money really is the interesting question. It seems logical to assume that if you are investing in security, it will make a difference. However, on February 13, 2002, the United States Office of Management and Budget (OMB) released report 2002-05 (http://www.whitehouse.gov/omb/inforeg/fy01securityactreport.pdf) on federal information security. The report, to no one's surprise, outlined a number of shortcomings, including the following:
- Inadequate senior management attention
- Ineffective security education and awareness
- Improper security practices by outside contractors
- Inadequate detection and reporting of vulnerabilities
However, the most significant finding in the report was that there was no detectable correlation between the amount of money invested in information security and the results. Further, the report did not even consider the importance of good tools, other than in some discussion of capital expenditure. In the near future, if we are able to invest the money we have available wisely in skills development, and apply some good process when deciding which tools to purchase, I think we will make significant forward progress.
Skills Versus Tools
The interest in the topic of intrusion detection is still on the rise. SANS offered the first Intrusion Detection Immersion Curriculum in March 2000, and not only was it sold out, but would-be analysts turned to some high-end social engineering to try to get a seat. Today, we offer the current hands-on, six-day intrusion-detection track somewhere in the world every week. That is a demonstration of the demand, and it is fueled by a desire to learn how to do intrusion detection. Would-be analysts are learning all the things that you learned in this book: bit masking, basic analysis skills, and how to write filters, all the atomic skills that prepare one to do intrusion detection.
At the same time, companies are working to build better and better tools. It is fairly clear at this point that you cannot build an IDS that does not require a skilled operator. The one commercial company that made an easy-to-use GUI its number-one priority gets a lot of sales, but many companies that buy its products are replacing them a year later. As we move forward, it looks like the balance will swing to tools designed to allow an analyst to use her skills.
Analysts Skill Set
Intrusion-detection systems have the same problem as anti-virus software: New attacks are not detected because there is no signature for them. But the problem is worse, because so few signatures have been defined for NIDS, still fewer than 2,000 decent signatures, compared with the 30,000 or more for anti-virus. There are natural limitations to signature-based network intrusion-detection systems, and to be effective, I recommend coping strategies like a box recording all traffic. That way, it is possible to go back after the NID alerts and examine the stimulus that led to the activity reported by the NID. I also like to keep a cache of at least several days of raw data, so that if I get lucky and detect something, I have a way of checking whether there was previous activity. Today, an analyst needs the ability to write a filter to run these types of searches. In the future, as console solutions are fielded, it might be possible to do much of this with canned searches, but even with relational databases, an analyst might have to be able to describe the search he needs in SQL.
Companies are realizing they need skilled people. Even in the economic downturn of 2001, SANS was still running class after class, and most of the classes were full. Companies are even requiring certification when they are looking to hire. At first, this was laudable but depressing: "IDS Analyst needed, must be able to write IDS rules, interpret hex, and hold a current CISSP certification." Arrrg, please do not interpret this as a slam against the Certified Information Systems Security Professional (CISSP), but the CISSP certainly does not certify a person to run an IDS, configure a firewall, or do any other technical task. However, companies are learning fast, and recently the Foote survey echoed the earlier Gartner survey that showed that Global Information Assurance Certification (GIAC) certifications contributed to a higher salary and a higher chance of employment. The tools are getting better, but for the next few years at least—and I expect forever—nothing replaces a skilled analyst.
The rapid emergence of personal firewalls is already a major defensive force, although we need to find easy ways to harness this data. They range from the load-and-forget Symantec Internet Security, which combines anti-virus with lightweight protection and detection, to BlackIce, which can log packets for analysis. These folks have essentially solved that old host-based problem, the effort of deployment! Security-conscious employees take it on themselves to install personal firewalls at work and at home; if they bother reporting, they become valuable sensor inputs. There are automated tools like Dshield (www.dshield.org) to take the data from these systems and examine it for trend information. Network-based IDSs are still being deployed at a good rate as well. It is easier to get someone to stick two boxes on her network than to get her to even think about adding a nonproduction, cycle-consuming software layer to all the hosts in her network. When I analyze what it takes to do a really effective job of intrusion detection, the advantages of personal firewalls on the host computers of security-aware employees are enormous and really add to the network-based data. So, it is no surprise that we are coming to the age of the console: the database-driven system that normalizes NID data with firewall, personal firewall, anti-virus, and potentially other data such as syslog reports, and gives us a better view of what is going on in our networks defensively than we have ever had.
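The look-back search described under the analyst's skill set, as an added example that is not code from the book: a minimal libpcap reader in Python that searches a cached raw-traffic capture for earlier TCP activity involving the host named in a NID alert. The capture, addresses, ports and timestamps are all constructed for this example; the functions `make_tcp_packet`, `write_pcap`, `read_pcap`, `parse_tcp` and `lookback` are hypothetical names chosen here.

```python
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap, written little-endian below
LINKTYPE_ETHERNET = 1
TCP_FLAG_NAMES = {0x02: "S", 0x10: ".", 0x04: "R", 0x01: "F", 0x08: "P"}

def make_tcp_packet(src, dst, sport, dport, flags):
    """Build a constructed Ethernet/IPv4/TCP frame (no payload, checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp

def write_pcap(records):
    """Serialize (timestamp, frame) pairs into libpcap file format, in memory."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        usec = int((ts - int(ts)) * 1_000_000)
        out += struct.pack("<IIII", int(ts), usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp, frame) from a little-endian Ethernet pcap byte string."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap is handled by this reader")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1_000_000, data[off:off + caplen]
        off += caplen

def parse_tcp(frame):
    """Decode Ethernet -> IPv4 -> TCP headers; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = "".join(name for bit, name in TCP_FLAG_NAMES.items() if tcp[13] & bit)
    return {"src": str(ipaddress.IPv4Address(ip[12:16])), "dst": str(ipaddress.IPv4Address(ip[16:20])),
            "sport": sport, "dport": dport, "flags": flags}

def lookback(pcap_bytes, host, alert_ts, window_secs):
    """Return (timestamp, packet) for TCP traffic involving host in the window before the alert."""
    hits = []
    for ts, frame in read_pcap(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt and host in (pkt["src"], pkt["dst"]) and alert_ts - window_secs <= ts < alert_ts:
            hits.append((ts, pkt))
    return hits

# Constructed sample cache: addresses, ports and times are made up for this example.
ALERT_TS = 1_000_000_000  # time of the NID alert on 10.1.1.7 -> 192.168.0.5, IMAP (143)
SAMPLE_CACHE = write_pcap([
    (ALERT_TS - 2 * 86400, make_tcp_packet("10.1.1.7", "192.168.0.5", 40001, 111, 0x02)),  # SYN to portmap
    (ALERT_TS - 86400, make_tcp_packet("192.168.0.9", "192.168.0.5", 5555, 80, 0x02)),     # unrelated host
    (ALERT_TS - 3600, make_tcp_packet("10.1.1.7", "192.168.0.5", 40002, 143, 0x02)),       # SYN to IMAP
    (ALERT_TS, make_tcp_packet("10.1.1.7", "192.168.0.5", 40002, 143, 0x18)),              # the alerting packet
])

if __name__ == "__main__":
    for ts, pkt in lookback(SAMPLE_CACHE, "10.1.1.7", ALERT_TS, 3 * 86400):
        print(f"{ALERT_TS - ts:.0f}s before alert: {pkt['src']}:{pkt['sport']} > {pkt['dst']}:{pkt['dport']} {pkt['flags']}")
```

Run against the constructed cache, the three-day look-back returns the earlier portmap and IMAP SYNs from the alerting source and nothing from the unrelated host.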
Improved Tools
These new consoles take a number of forms. Some of them are advanced log watchers like Big Brother (www.bb4.com) and NetIQ (www.netiq.com); content analysis tools like SilentRunner (www.silentrunner.com); and correlation engines like netForensics (www.netforensics.com), ISS SiteProtector (www.iss.net), and Intellitactics NSM (www.intellitactics.com). This is just the tip of the iceberg. I know of a number of companies that are racing to unveil products, including the Sourcefire OpenSnort console (www.sourcefire.com), which uses the high-performance database tool named barnyard that was developed by Andrew Baker. As they start to really compete and we go through the rounds of reviews and bakeoffs, we should end up with some very usable tools. The good news is that there are factors that should serve to slow the rate of improvement for attacker tools.
Companies have been buying tools all along, but they are not getting the kind of quality they deserve for the money they spend. We mentioned a commercial IDS earlier that many companies are replacing a year after they install it. What is wrong with this picture? Obviously, the company has a world-class marketing program, but how have we as a community allowed a sensor that doesn't even record the TCP code bits to exist for so many years, to waste so many organizations' time and money? The good news is that it looks like the next release will be credible, but we need to demand tools that work.
The competition in the network intrusion detection arena is funny. You don't have to be an industry insider to quickly realize that Ron Gula with Dragon, Robert Graham with BlackIce (now RealSecure), and Marty Roesch with Snort are not just brilliant; they are really invested mentally and emotionally in their products. In the background is the very capable Kevin Ziese on the Cisco team. He might not be as visible as the others in the field, but he is the kind of guy that runs four miles in the morning, eats two pieces of key lime pie for breakfast, rolls out a new product line by lunch, and then saves the world from the latest cyber catastrophe before retiring for the evening. He is fully capable of running with the IDS pack. The various mailing list and conference battles are great entertainment, but they also serve a purpose. In a world of marketing and lies, these three folks, at least for now, are seriously committed to building the best tool they can. Who will win? It isn't something one person can do; it will be the best team. So in the spirit of predicting the future, back out onto a limb I go:
- Enterasys is having some problems right now with the SEC and has had cash flow problems for a while. Stock options aren't as much of a motivator when you drop from 11 to 4 in a single day, so watch for some bailouts of brainy engineers that want another shot at making a million dollars. I like Dragon and particularly like some of their network gear, but don't think I want in for more than 100 shares; too likely to become wallpaper. So, I think Dragon could have been a contender, but the SEC probably banged them too hard for them to compete in this neck-and-neck field.
- ISS and Robert Graham have to be the odds-on favorite in early 2002. The ISS management team is good, the marketing team better, and the X-Force side of the house has been solid for years. There were a lot of things I liked about BlackIce that Robert could build into RealSecure in his sleep. There is no doubt in my mind that, short of burning out or getting hit by a bus, Robert will produce a sensor to be reckoned with. The question is whether they will be able to build or integrate with a great console. As I write this, SiteProtector is just too new to be evaluated, but it has to work for ISS to shine, because they have bet heavily on entering the managed services market, and they need this tool to do it. My prediction is that the answer will come down to the skills versus tools argument. If they build their console so that it helps a skilled worker be all she can be, I think ISS can win against everyone except Cisco. If they build a console that has a philosophy of "sit here and if you see a red triangle, call me," I think they will lose any chance at market credibility.
- Cisco developed a strategy years ago of moving intrusion detection into the network. The Catalyst 6000 and the Policy Feature Card are going to give TopLayer, the darling of the gotta-go-fast intrusion analyst, a serious run for the money. This call is a no-brainer. High-end sites with high-value assets are going to go Cisco. My money is