- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
∙Specific vulnerabilities of the systems that host the crown jewels.
This should exist as a written report as well as a view-graph presentation. If you are doing a PowerPoint presentation (which is recommended), expand each of the preceding bullets to be a PowerPoint slide with three to five bullets each.
Part Three: Tradeoffs and Recommended Solution
Finally, you get to pitch your intrusion-detection system! You can hardly wait to get behind the console of that shiny new intrusion.com special and smell that new IDS smell. Slow down a little longer.You need to offer some tradeoffs, and also remember, you are going forward with a package. Intrusion detection by itself is a hard sell. From a risk-assessment, textbook standpoint, the next thing you are supposed to do is establish risk-acceptance criteria. This approach is to put management on the spot and have it define what levels of risks it is willing to accept. Then, you go back and design comprehensive countermeasures for all risks greater than what management is willing to accept. Good luck!
Therefore, you should do the following:
●Define an information-assurance risk-management architecture.
●Identify what is already in place.
●Identify the immediate steps you recommend.
●Identify the options for these countermeasures.
●Produce a cost-benefit analysis.
●Implement a project schedule.
●Identify the follow-on steps illustrating where you want to go in the future.
Define an Information-Assurance Risk-Management Architecture
This sound like a hard chore, but it is really simple. You have defined the threats. You know the primary countermeasures. It could be as simple as implementing the following:
●Firewall from the Internet
●Network-based IDS outside the firewall
●Internal firewalls for crown jewels
●Network-based IDS covering crown jewels
●Host-based IDS on crown jewels' platforms
●Tagged honeypot files on crown jewels' platforms
●Basic hardening for all systems, antivirus programs, patches, and good configuration management to prevent silly file permission settings
●Organizational network-based backup with off-site storage
●Scanning of the internal network for vulnerabilities quarterly
●Certificate-based encryption for transmissions over the Internet with customers and suppliers as well as home and off-site workers
●Strong authentication for dial-ins
●Disk encryption and personal firewalls for laptops
This list might not be completely appropriate for your organization, but this is my view of the
big picture for information assurance.
Identify What Is in Place
Every briefing or report to senior management should include a status slide, something that
defines where you are now. If you follow your definition of your information-assurance
architecture with your current status, it is a nice set up for the things you want to do next.
Identify Your Recommendations
Finally, you get to pitch the intrusion-detection system of your dreams. You want the pitch to be balanced. It is perfectly reasonable to pitch an intrusion-detection system and a vulnerability scanner (or whatever is appropriate for your organization) at the same time. For the pitch to be solid, it should include options, cost, and schedule information.
I just cry when I see someone take an hour of a senior manager's time to brief him on a problem and possibly recommend a solution when the presenter doesn't have the cost and backup information. The senior executive doesn't think she has enough information to make a decision, so she puts the matter off. What happens, however, is a very subtle characteristic of human nature. When you first hear about a scary problem, you are shocked and might well be moved to action. If you do not act, however, you have been inoculated against the problem. The next time you hear about it, you are less scared and less moved to action. Therefore, you
need to be prepared to sell your project the first time!
Identify Options for Countermeasures
I hate doing this! I know what I want! I have done a market survey. Why should I have to justify the product I have selected? Well, if you didn't know this before, I'll let you in on a potential "gotcha." The commercial intrusion-detection system vendors aren't dumb! They are trying hard to reach the CIOs and other top executives of your organization with non-technical, high-level issues-oriented briefings. For instance, the host-based companies are pushing the insider threat really hard. Therefore, if you come marching into your CIO with your report and it doesn't mention the insider threat or consider host-based systems as options, you might be one down instantly.
Personal Firewalls
If you are facing management and the issue of the insider threat comes up, keep in mind that internal firewall and personal firewall data can come in very handy. In some sense, these serve as burglar alarms and can alert you to internal problems. Before asking senior management who is responsible for the organization's risk management, funding, and support, it is a good idea to know as much about the probable risks as possible.
Take the time to list at least one optional approach and to consider at least one alternative product for your recommended procurements. You don't have to pitch these slides; in fact, you shouldn't pitch these slides. But you do want them in case the issue comes up. While you are at this point, you need to take a second for an integrity check. Are you trying to buy a toy and help get the job skills to enhance your career or are you trying to secure your organization? Have you really taken the time to examine those firewall logs? If they have good fidelity, and you are honestly more concerned about your organization's security, perhaps you should consider spending the time and money on a different aspect of your information-assurance
architecture.
Cost-Benefit Analysis
The cost aspect of this section is more important than the benefit section. This is where you give management a warm, fuzzy feeling that you know how much the recommended countermeasures are going to cost. As a program manager, when I hear something that I know I want to do, I really don't need a lot more information—just tell me what it will cost and when I can have it. Earlier, we talked about the case of having to present the whole package in five minutes. In that situation, you would use three slides: the Executive Summary, the Cost Summary, and the Schedule.
Why Cost-Benefit Matters
Cost-benefit analysis doesn't sound sexy to an intrusion analyst, but going through the exercise for even a one-page financial analysis is really worth the time. I used to have an employee who was very bright, but she had an uncanny knack for coming up with the projects guaranteed to fail. Because she was so smart, when she would suggest that we ought to do something, I would think, "Yeah, that makes sense, let's do it." The next thing I knew, it was crash and burn time, and I would look silly again in front of senior management. Then what do you suppose happened? She came up with one of those, "I think we should…." My heart started pounding, my brain racing. I could feel my stress level go up. A wiser manager would have sat down with her and taught her to calculate the cost, the risk, and the potential benefits of a course of action. It is easy after you have done it once. Not me, though. I just reminded her of the failures, and in so doing, probably lost any chance of hearing another idea from a brilliant software engineer.
Not all benefits are tangible and that is important, but this is where you want to support your bang-for-the-bucks slide. This is the point where you list the costs. In the written report, you should list all the costs; in a presentation, you should present only the summary costs. If there are questions, refer management to the written report.
Have you ever given a pitch and had a member of the management team challenge you? And just out of the blue, they say, "I don't think that is going to work." They don't even give a reason. They might have a double-digit IQ, but the spotlight is on you! This is where it really helps to be prepared. Let me make it plain for you: There is a better-than-even chance management will ask the following questions, and you will have to give the answers shown. Will an intrusion-detection system:
●Actually stop attacks? No.
●Detect everything? No.
●Cost a significant amount of money in equipment and salary? Yes.
So you see, you really do want to be prepared! As backup material, I strongly recommend you have at least one ALE (annualized loss expectancy) or SLE (single loss expectancy, as explained in Chapter 12, "Writing TCPdump Filters") calculation for what you think is the biggest general threat against the organization. You should also have a couple examples of specific threats against crown jewels if possible. Select your cases carefully so that they support your choice of countermeasures. If you end up needing these slides, your pitch is in trouble; so do a good job on them.
Business Plan
I am a passionate, vision-driven person and I need to be honest with you about something. I am physically incapable of labeling anything I write a "cost-benefit analysis." Let's be careful here, 9 out of 10 consultants would agree that is the correct title and form for what you should take to management for a final approval of a project. It is probably what decision-making management expects. So, after telling you plainly that I am outside the normal and customary in this regard, please let me share what I do. I produce a business plan, often it is only a couple of pages long, but it helps me focus on the issues. It has the same basic content as a cost-benefit analysis. I deal with costs, advantages, tangibles, and intangibles, but there is one added factor: It will help advance the business. It seems to me that anything you do should serve two purposes: It should solve the problem at hand, and it should advance the business. The energy and capital you invest should help your organization achieve or maintain the lead in your field. "Oh come on Stephen," you might say, "intrusion detection is an overhead function; you can't make money on it!" Wanna bet? Baseball, I mean intrusion detection, has been very, very, good to me,
and to many of my friends as well. Don't shortchange yourself and skip learning the material in this chapter. Learn to write a business plan or a cost-benefit analysis. This skill might literally pay off for you.
Project Schedule
I have written software (badly) for 15 years or so, but I have also managed some pretty skilled coders. I try to get estimates from them so that I can pass up milestone information on future deliverables. Depending on the person, I either double or triple their estimates. Software people invariably think something is a simple matter of a few lines of code until they get into the problem.
The point I am trying to make is that managers develop a radar, a sixth sense for bogus schedules. You are on the next-to-last slide of your presentation, or next-to-last section in your report. You do not want to blow it here.
If you are not experienced at project management, here are some gotchas with fudge factors of items that will take longer than you probably estimated:
●Procure anything and everything (2x)
●Compile and run any free software (2x)
●Get management approval for any policy (5x)
●Install the software and test it (2x)
●Get the sensor to work on a switched network (5x)
●Get the analysis station to connect to the sensor through the firewall (3x)
●Get clearance to install host-based intrusion-detection software on production systems (5x)
●Sweep your phone lines for vulnerabilities (5x)
●Fix problems you find with a network vulnerability sweep (5x)
The preceding list was partly done in fun, but I also am serious. If these items are part of your
critical path, you might want to give your schedule a second look.
Follow-On Steps
At this point, you have finished everything we need to do to pitch your solution. We have defined and quantified both the problem and the solution with options. What could possibly be lacking? Will installing this solution solve all the organization's problems? If not, you should identify some of the next steps. If you are recommending a network-based intrusion-detection system, for instance, your next steps might be as follows:
●Host-based perimeter defenses for critical systems
●Database for trend analysis, especially with the emergence of enterprise security modules that allow you to consider data from NID, HID, firewall, router, and system log files
●Internal network-based IDSs for high-value locations
●Organization-wide host-based perimeter defense deployment
Each of these steps should include a high-level estimate for timeframe and cost. Taking the time to show the next steps helps management in two important ways. It shows you have technical vision—that there really is a well thought out plan. Also the budget planning cycle for capital purchases at many organizations is done several years in advance. By presenting the follow-on steps, financial planners can use your information as budget "wedges" for future years.