- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
The alert action causes the activity to be logged as well. There is a separate action, log, which only logs the triggered activity. When activity is logged, it is recorded in a human readable format that can provide more verbose information about the packet, such as the payload. The logged packets are written to files and directories based on the IP addresses in the packet being logged. These are further segregated by the transport layer protocol and source and destination ports involved in the connection. Look at the contents of FTP activity that was logged:
[**] Attempted anonymous ftp access [**] 04/24-12:11:08.724441 192.168.143.15:3484 -> 192.168.143.16:21
TCP TTL:64 TOS:0x10 ID:30124 DF |
Win: 0x7D78 |
|||
*****PA* |
Seq: 0x93EE0AB7 |
Ack: 0xB8352E61 |
||
TCP Options => |
NOP NOP TS: |
112024246 27551686 |
|
|
55 53 45 |
52 20 |
61 6E 6F 6E |
79 6D 6F 75 73 0D 0A USER anonymous.. |
The logged output contains the same information that the alert does, but it also has the payload if the decode (-d) command-line option was supplied. This message indicates that we have a rule to inspect ftp command-line traffic to destination port 21 for a user of anonymous. We will examine how this is accomplished in Chapter 14, "Snort Rules—Part II," but the payload from the previous output indicates that there was an anonymous user attempt. The hexadecimal representations of the ASCII values in the payload are also included in the logged packet.
The log and alert files can be a cumbersome way of analyzing output from Snort, so it allows you other options via configuration file changes. Activating available output options can enable writing output or alerts to spool files via a backend known as Barnyard, or directly to a database, to name a few of the possible options.
Snort Rules
Snort supports both header and payload inspection methods, allowing you to fully specify in a single rule what is considered a suspect packet. This flexibility allows you to build rules customized to your site that greatly aid in minimizing false positives, but in a format that is very readable. Remember all the heartache and toil involved in writing TCPdump filters, especially one to inspect a packet for a particular TCP flag setting? Well, writing an identical rule in Snort is almost trivial, as you will soon see.
As a short but important digression, what qualities does one look for in a good NIDS? There are many, but one of the most important is the capability to inspect and alter signatures. Believe it or not, there are NIDS available that do not allow the user to see the active signatures or alter them in any way. This blindsides the analyst and does not allow her to distinguish between false positives and real alerts. When an alert appears, it is presented as an irrefutable statement that a problem has appeared, and there is no way to validate it using the NIDS alone. If the analyst can examine the signatures and the packet that caused the alert, there is a better chance that a more accurate assessment can be made.
Additionally, signatures that allow an analyst to look at any field, either header or payload, from different perspectives potentially improve the quality of the NIDS. In other words, if a NIDS only allows the analyst to create rules that inspect packets for a given IP or port or protocol, it lacks the range to examine payloads or header fields on a more granular level such as TCP flag settings. Perhaps the analyst is interested in inspecting the payload for specific contents when the acknowledgement flag is set. Because other flags may be set along with the acknowledgement flag, it would be handy for the signature to allow for this specification as well.
The capability to inspect just about any field in a packet is an area in which Snort excels. There are many options available to configure a rule to specify just about any field in the packet and examine the value of that field in a variety of ways. And, the few fields that cannot be inspected via current Snort rule options can always be examined by supplying a filter at the end of the command line or by resorting to a command-line switch (-F) that allows Berkeley Packet Filters (BPF) to be specified in a file. Berkeley Packet Filters are what we have been calling TCPdump filters, which can be used to select the desired field. For instance, Snort doesn't have an option to examine the IP version field found in the highorder nibble of the zero byte offset of the IP header. Snort might be run to examine packets off the wire or from a binary file of captured TCPdump data using a BPF filter to find any packets with an IP version that does not equal 4. Here is the command that would
perform this inspection reading packets from the network: snort –v 'ip[0] & 0xf0 != 0x40'
As explained in more detail in Chapter 12, "Writing TCPdump Filters," this will mask out the low-order nibble of the zero byte offset of the IP header and look for a value of 4 in the high-order nibble of that field and write the output to the screen (-v).
Another benefit of using Snort is that it comes with a very large set of rules. It is not recommended that all of the rules be used on installation because the more active rules used, the slower the traffic inspection becomes. The analyst must decide which rules are appropriate for the site. And, amazingly, new Snort rules are released sometimes as soon as hours after a new exploit is discovered. This is by virtue of having so many savvy users and developers of Snort who respond almost instantly to develop and test new rules for these exploits.
However, a word of caution must be added about some Snort rules. Just because a rule becomes available shortly after an exploit is released, doesn't mean that it is a good rule—that is to say, just because a rule matches a given compiled version of an exploit's output doesn't mean that it is necessarily a rule that may find variations of the exploit from making minor changes in the source code. It is imperative that the rule writer understands not only the exploit code and output, but also the protocol against which it runs.
A good rule anchors on fields and values that must remain static for the exploit to succeed. For instance, if there is some kind of DNS exploit that generates a DNS identification number of 0xBEEF, this is not a good field or value to use in the rule. It is trivial to change this in the source code, and the exploit will most likely succeed regardless of the value of the DNS identification number.
Hidden Signatures
As a contractor for a client, I once had the opportunity to visit a commercial NIDS vendor about integrating output from its NIDS to some kind of correlation tool. Frankly, I believed the output from the NIDS wasn't worth trying to correlate since there was no way to validate if the generated alerts were real because there was no access to either the signatures or the packets that caused the alert. Why synthesize garbage? But, the client had requested my presence at the meeting, so I dutifully attended.
While there, I asked if there was any way that we could get access to the signatures. The vendor rep balked and asked why I would ever need to see the signatures. "Well, I want to know if we have a real detect or false positive," I politely responded. The rep replied that if I believed we had seen a rare false positive, I could call the support line and ask for help. With the number of false positives generated by the vendor's NIDS, I could only imagine that it had stock in the Baby Bells to answer so foolishly. Indignantly, I pressed on and asked the rep what the problem was with releasing his signatures. The response was that if I could see the signatures, so could the hackers! Honest to goodness, that was the best dog-ate-my-homework excuse he could come up with. More than anything, I suspect it was that he feared that the competition might pirate his product's signatures, but he didn't have the spine to say that. How are you supposed to take these guys and their proprietary signatures seriously? Okay, so we're not all blessed with the power to either make or influence the decision of which NIDS to buy. What if you happen to work at a site where you have a NIDS that has either a limited or no view of the signatures and traffic—do you throw in the towel? Well, if lobbying for a better NIDS fails, you can become resourceful! You can always run TCPdump in the background mode either alone or as part of Shadow. Or, you can try to do correlation with other sources of information such as firewalls, routers, or host logs. This is not ideal, but it prevents you from being totally blind.
We were running Shadow along with the deficient NIDS mentioned previously. An analyst called me to report that the NIDS was alerting on a Loki attack and asked if I could examine the TCPdump output to discover whether this was a real alert or not. I knew that Loki had a telltale signature years ago of a value of 0xf001 or 0x01f0 in the ICMP sequence number. The analyst was able to give me the source and destination IP numbers for the suspected Loki traffic. I searched the TCPdump records and discovered ICMP packets that matched the signature; however, this was just a case of coincidental use of those values in the ICMP sequence number in an innocuous ICMP echo request/response pair. This was an awkward and time-consuming way of dealing with this false positive, but it was better than putting full trust in the NIDS.
Snort Rule Anatomy
An individual rule is broken into two general parts. The first part, the rule header, defines who must be involved in order for the traffic to be considered by the rule options. The second part, the rule options, defines what must be involved. This includes packet header information (such as TCP flag settings) or the contents of the payload.
Generally speaking, both sections are used for most rules. It is possible to specify rules with only a rule header so that the given action can be taken for the provided hosts and ports. This is typically the case where pass rules are used to ignore traffic between specific hosts and ports, such as port 53 traffic coming from a site's DNS servers.
All conditions specified in both the rule header and the rule options must be true in order
for an alert or some other kind of action to be triggered. It is also important to understand the Snort rules are stateless. In other words, each rule inspects one and only one packet. The rules themselves have no way of knowing what activity occurred in a packet preceding or following the current one. Snort attempts to build in functionality for state using a preprocessor such as IP defragmentation or TCP stream reassembly, but there are limits to what can be discovered when not examining traffic statefully.
Also, Snort triggers on the first rule that a packet matches and does not examine the remaining rules. The order that rules are listed in the rules files is important, but Snort does some ordering of its own. By default, Snort orders all rules by their action value in the following order: alert, pass, and log. This can be overridden by a command-line option that will be discussed later in the section, "The Action Field." However, Snort does some further ordering by grouping identical headers that is beyond the scope of this chapter. For more
information, see www.snort.org/docs/faq.html#3.13.
Look at Figure 13.1 to see a sample Snort rule.
Figure 13.1. The anatomy of a Snort rule.
You see a rule header that gives the details of the action to be taken if the rule triggers and the information pertaining to the who values in the packet. In this rule, we alert when TCP traffic is observed that originates from a network that is not 10.1.1.x from any source port destined for network 10.1.1.x to any destination port. We assume that our internal network is the 10.1.1.x network, so this rule triggers when an outsider attempts to make an internal TCP connection.
If you turn your attention to the rule options, we further specify the what of the packet attributes. In this instance, the anomalous TCP flag pair of SYN and FIN is sought, and if found, a message of "SYN-FIN scan" is associated with the alert. The rules keywords will be described more thoroughly in the following sections.
Rumor has it that the rules syntax will change radically when Snort version 2.0 makes its debut. So, if you are reading this chapter after the release of Snort 2.0, it is best to refer to Snort documentation because the information presented here might be obsolete.
Rule Header Fields
As briefly mentioned, the rule header is responsible for specifying the action used to respond to a triggered rule, as well as specifying the protocol and source and destination addresses and ports. These who conditions must be met if the rule options are to be examined. Rule options will be explored in Chapter 14.
The Action Field
The first field in the rule header is the action field. This field instructs Snort on what to do if the rule is triggered. The valid values for the action field are the following:
●Alert. This value instructs Snort to create an entry in the alert file and to log the packet as well. The alert file is a single file that contains all detects that were made. The information written to this file in the default alert mode consists only of the packet header information. For the log entry, the same information (optionally including the payload if the -d command-line option is specified) that is written to the alert file is written to individual files found in a directory that usually has the name of the hostile IP number.
●Log. This value instructs Snort to only make a log entry. No record of the traffic is made in the alert file when the log action is used. The log files might have data from