Slides from the overview presentation about intrusion detection/prevention systems presented at Security in Internet course at Faculty of Informatics and Information Technology. Presentation is part of the course assignment.

1. Network intrusion
detection/prevention systems

2. NIDS (detecton system)
• realtime attack detection
• passive (watchers) / active (measurement)
systems
• via analysis
– protocol analysis
– graph analysis
– anomaly detection
• analysis of direct network traffic
– complete / light

3. NIDS scheme
http://insecure.org/stf/secnet_ids/evasion-figure3.gif

4. Traffic analysis
• analyzing behaviour, not just packets
• difficulties
– NIDS can be run from different part of network
– bad packets
– reordering issues
• sensor placement
– inline
– passive
• spanning port
• network tap
• load balancer

5. http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf

6. http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf

7. Signature-based analysis
• pattern matching
• “patterns of malicious traffic”
• very elementary (basically grepping)
+ huge community for rule generation
+ great for low level analysis (rules are very specific)
+ not taking too much resources
- lower performance with big ruleset
- slight attack variation can beat the rule

8. Rule example
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (
msg:"OS-SOLARIS EXPLOIT sparc overflow attempt";
flow:to_server,established; content:"|90 1A C0 0F 90 02|
|08 92 02| |0F D0 23 BF F8|";
fast_pattern:only;
metadata:ruleset community, service dns;
classtype:attempted-admin;
sid:267; rev:13;
)

9. Protocol-based analysis
• reviewing network data
• strictly based on layer headers
• knowledge of expected values
+ better possibility for scalability
+ generic, able to catch zero-day exploits
- protocol headers preprocessor need resources
- rules can get extremely difficult to write/understand
- provide low information, admin has to investigate

10. Types of detected events
• transport layer attack
• network layer attack
• unexpected services (tunnel, backdoor etc.)
• policy violations (forbidden protocols, ports
etc.)
note: detection with accuracy

11. Types of attack
• evasion/insertion attacks
– bad IP headers
– bad IP options
– direct frame addressing
• IP packets fragmentation
– set up delay for dropping stored packets
• TCP layer problems
– sync between NIDS and end system

12. Prevention
• passive
– ending TCP stream
• inline
– inline firewalling
– throttling bandwith usage
– altering malicious content
• passive and inline
– running third party script
– reconfiguring other network devices

13. Toolset
• SNORT
– opensource
– windows / linux
– lots of plugins
• OSSIM (security information and event
management)
• Sguil (network security monitor)

14. SNORT
• started as sniffer in 1998
• sniffer, packet logger, and NIDS
• most used open-source NIDS right now
• loads of add-ons
• big and stable community (regular community
rule releases)

15. Firewall network with SNORT

16. SNORT add-ons
• DumbPig
– bad rule grammar detection
• OfficeCat
– search for vurneabilities in Microsoft Office docs
• SnoGE
– reporting tool parsing your logs and visualising them as
points at Google Maps
• Oinkmaster
– tool for creating and managing rules
• iBlock
– daemon grepping alert file and blocking offending hosts
http://www.snort.org/snort-downloads/additional-downloads

17. Q&A