CONTEXT-BASED INTRUSION DETECTION USING SNORT, NESSUS AND BUGTRAQ DATABASES
Presented by Frédéric Massicotte
Communications Research Centre Canada
Department of Systems and Computer Engineering, Carleton University
Privacy, Security and Trust
October 2005
Motivations
 Current IDS Problems
– Some IDS do not provide a declarative rule specification language
• Difficult to verify, compare and update attack scenarios
– Many IDS only rely on one packet or on one TCP stream to identify intrusions
• More complex attacks need to be programmed (two specification systems)
• False negatives and false positives
– Intrusion signatures do not include a precise network context
• Increases the number of false positives (session state not enough)
 IDS functionality needed
– The IDS signature language should
• be a declarative rule specification language
• be independent of the monitoring engine
• enable multi-packet rules
• specify network-context gathering other than alarms and session states
• be used on well-defined models (Packet Model and Network Model)
– The IDS monitoring engine should
• be multi-packet
• maintain a network-context knowledge base
Our Contributions
 A multi-packet monitoring engine
 A declarative rule specification language that uses
the Object Constraint Language
 A formal packet model and a formal network model
 A library of passive information gathering rules to
acquire the network context
 Missing:
– A library of intrusion detection rules with network context
• Prove that these rules could be used to reduce the number of
false positives
• Study the correlation potential and accuracy of freely available
security databases
Rule Specification
[Figure: an OCL rule is specified over the Packet Stream Model and the Network Model and turns a packet into an alarm.]
Network Model
[Figure: UML class diagram of the Network Model. Classes and attributes recovered from the slide:]
– Host: interfaces (1..* Interface), ipStacks (0..* IPStack)
– Interface: macAddress : string
– IPStack: ipAddress : string, mask : string, gateway : string, dnsServers[0..*] : string, names[0..*] : string, role : int, state : bool (constants UP, DOWN); ports (0..* Port)
– Port: number : int, type : int (constants TCP, UDP), state : bool (constants OPEN, CLOSE)
– Product: prodname : string, type : string (constants OPERATING_SYSTEM, FTP, TELNET), version : string; vendor (1 Vendor)
– Vendor: name : string
– Vulnerability / Exploit: description : string, consequences : string, requirements : string (split between the two classes); exploits / vulnerability association (0..* on both sides); refs (0..* Reference); vulnerabilities / affected (Product 1..*)
– Reference: id : string, organization : string
– Session: sourceAddress / destinationAddress (IPStack), sourcePort / destinationPort (Port)
– Alarm: time : long; correlates (0..* Alarm); sourceAddress / destinationAddress and sourcePort / destinationPort (0..1)
Other association names on the diagram: configuration, daemon.
IDS Rules with Network Context
    -- packet characteristics
    p1.data.match("/^STAT\s+[^\n]*\x3f/smi") and
    p1.tcp.destinationPort = 21 and
    -- session state
    Session::sessionOpen(p1.ip.sourceAddress, p1.ip.destinationAddress,
                         p1.tcp.sourcePort, p1.tcp.destinationPort) and
    -- proper network context
    (IPStack::hasDaemonOnPort(p1.ip.destinationAddress, p1.tcp.destinationPort,
                              Port.TCP, "IIS", "5.0") or
     IPStack::hasDaemonOnPort(p1.ip.destinationAddress, p1.tcp.destinationPort,
                              Port.TCP, "IIS", "5.1"))
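The rule above combines three kinds of evidence: what the packet contains, whether it belongs to an open session, and what the monitoring engine knows about the target host. As an added example (not code from the presentation or from its PNMT engine), the following Python models the slice of the Network Model the rule consults (IPStack, Port, Product, Session), a passive information-gathering rule that fills that model from FTP greetings, and the FTP STAT rule evaluated with and without network context. The host addresses, the greeting format, the numeric value of the TCP constant and every packet are constructed assumptions.

```python
# Added example, not code from the presentation or from its PNMT engine. It models a
# slice of the slide's Network Model (IPStack -> Port -> daemon Product, plus open
# Sessions), one passive information-gathering rule that fills that model from
# observed packets, and the FTP STAT rule evaluated with and without context.
# Every address, banner and packet below is constructed sample data.
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

TCP = 6  # stand-in for the model's Port.TCP constant (assumed value)

@dataclass
class Product:
    prodname: str
    version: str

@dataclass
class Port:
    number: int
    type: int
    state: bool = True               # Port.OPEN modelled as True, Port.CLOSE as False
    daemon: Optional[Product] = None

@dataclass
class IPStack:
    ipAddress: str
    ports: Dict[int, Port] = field(default_factory=dict)

    def hasDaemonOnPort(self, number, ptype, prodname, version) -> bool:
        port = self.ports.get(number)
        return (port is not None and port.type == ptype and port.state
                and port.daemon is not None
                and (port.daemon.prodname, port.daemon.version) == (prodname, version))

@dataclass
class Packet:
    sourceAddress: str
    destinationAddress: str
    sourcePort: int
    destinationPort: int
    data: bytes

class NetworkModel:
    """Knowledge base the monitoring engine maintains: hosts plus open sessions."""
    def __init__(self) -> None:
        self.ipStacks: Dict[str, IPStack] = {}
        self.sessions: Set[Tuple[str, str, int, int]] = set()

    def sessionOpen(self, src, dst, sport, dport) -> bool:
        return (src, dst, sport, dport) in self.sessions

    def hasDaemonOnPort(self, ip, number, ptype, prodname, version) -> bool:
        stack = self.ipStacks.get(ip)
        return stack is not None and stack.hasDaemonOnPort(number, ptype, prodname, version)

# Passive information-gathering rule (assumed greeting format): an FTP banner such as
# "220 ... Microsoft FTP Service (Version 5.0)" coming from port 21 reveals the daemon,
# so the rule records it in the model instead of raising an alarm.
FTP_BANNER = re.compile(rb"^220 .*Microsoft FTP Service \(Version (\d+\.\d+)\)", re.I)

def gather_ftp_daemon(p: Packet, net: NetworkModel) -> bool:
    m = FTP_BANNER.search(p.data)
    if p.sourcePort != 21 or m is None:
        return False
    stack = net.ipStacks.setdefault(p.sourceAddress, IPStack(p.sourceAddress))
    stack.ports[21] = Port(21, TCP, True, Product("IIS", m.group(1).decode()))
    return True

# The slide's Snort-derived pattern: a STAT command whose argument contains "?" (\x3f).
FTP_STAT = re.compile(rb"^STAT\s+[^\n]*\x3f", re.S | re.M | re.I)

def packet_only_rule(p: Packet) -> bool:
    """Packet characteristics only, as a single-packet IDS would match them."""
    return p.destinationPort == 21 and FTP_STAT.search(p.data) is not None

def context_rule(p: Packet, net: NetworkModel) -> bool:
    """The slide's OCL rule: packet characteristics, session state and network context."""
    return (packet_only_rule(p)
            and net.sessionOpen(p.sourceAddress, p.destinationAddress,
                                p.sourcePort, p.destinationPort)
            and (net.hasDaemonOnPort(p.destinationAddress, p.destinationPort, TCP, "IIS", "5.0")
                 or net.hasDaemonOnPort(p.destinationAddress, p.destinationPort, TCP, "IIS", "5.1")))

def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Constructed traffic: one IIS 5.0 FTP server, one vsftpd server, one client.
    Returns {case: (packet-only verdict, with-context verdict)}."""
    net = NetworkModel()
    gather_ftp_daemon(Packet("10.0.0.5", "192.0.2.10", 21, 40001,
                             b"220 ftp1 Microsoft FTP Service (Version 5.0).\r\n"), net)
    gather_ftp_daemon(Packet("10.0.0.6", "192.0.2.10", 21, 40002,
                             b"220 (vsFTPd 2.0.1)\r\n"), net)   # not recognised: nothing recorded
    net.sessions.add(("192.0.2.10", "10.0.0.5", 40001, 21))
    net.sessions.add(("192.0.2.10", "10.0.0.6", 40002, 21))
    probe = b"STAT *?\r\n"
    cases = {
        "iis_in_session": Packet("192.0.2.10", "10.0.0.5", 40001, 21, probe),
        "non_iis_in_session": Packet("192.0.2.10", "10.0.0.6", 40002, 21, probe),
        "iis_no_session": Packet("192.0.2.10", "10.0.0.5", 40009, 21, probe),
        "benign_list": Packet("192.0.2.10", "10.0.0.5", 40001, 21, b"LIST\r\n"),
    }
    return {name: (packet_only_rule(p), context_rule(p, net)) for name, p in cases.items()}
```

Calling run_scenario() shows the point of the slide: the packet-only check fires for every STAT probe sent to port 21, while the context-aware rule only fires when the probe rides an open session to a host the engine knows runs IIS 5.0 or 5.1, so the probe against the vsftpd host and the probe outside any session are no longer reported.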
IDS Rules with Network Context
[Figure: Snort (IDS), Nessus (VDS) and Bugtraq (VDB) feed the IDS rules; combined with the acquired Network Context they yield Rules with Network Context. The slide repeats the FTP STAT rule above and shows the passive information-gathering rule that supplies the context:]
context Packet
inv: Packet.allInstances()->forAll(p1 |
    p1.data.match("Microsoft IIS 5.0") and
    p1.tcp.destinationPort = 80 and
    ...
Snort References
[Figure: pie chart of the reference types found in Snort rules.]
– No reference at all: 23%
– Only CVE: 3%
– Only Bugtraq: 7%
– Only Nessus: 4%
– CVE and Nessus: 3%
– CVE, Bugtraq and Nessus: 15%
– Bugtraq and Nessus / CVE and Bugtraq: 3% and 21% (the flattened chart does not show which value belongs to which label)
– Other types of references: 21%
Group 1: Direct and Indirect
[Figure: breakdown of Snort rules by the completeness of their Bugtraq and Nessus references, shown beside the Snort (IDS) / Nessus (VDS) / Bugtraq (VDB) relationship diagram.]
– Group 1: Direct and Indirect: 16%
– Group 2: Incomplete but Inferable: 18%
– Group 3: Incomplete and Non-Inferable: 19%
– Group 4: No Bugtraq nor Nessus reference: 47%
Group 2: Incomplete but Inferable
Group 3: Incomplete and Non-Inferable
Group 4: No Reference
[Each of these three slides repeats the group breakdown and the Snort (IDS) / Nessus (VDS) / Bugtraq (VDB) relationship figure shown above.]
Group 1: Direct and Indirect
[Figure: breakdown of the Group 1 rules by the relationship between the direct (Snort to Bugtraq) and indirect (Snort to Nessus to Bugtraq) Bugtraq reference sets.]
– Group 1.1: Direct Strictly Includes Indirect: 6%
– Group 1.2: Indirect Strictly Includes Direct: 12%
– Group 1.3: Direct and Indirect are Disjoint: 6%
– Group 1.4: Direct and Indirect Strictly Intersect: 5%
– Group 1.5: Direct and Indirect are the Same: 71%
Results of Relationship Analysis
 Only 16% of the Snort rules have references to
Bugtraq and Nessus.
– Only 11.4% have the same set of Bugtraq references
whether we use the Snort to Bugtraq references or the
Snort to Nessus to Bugtraq references.
– 29% of the Group 1 Snort rules present
discrepancies, depending on whether we use the
direct or indirect relationship to Bugtraq.
– 6% of Group 1 seem to refer to different
Bugtraq vulnerabilities.
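To make the subgroup definitions concrete, here is an added Python example (not the presentation's own analysis code) that classifies a Group 1 rule by comparing its direct and indirect Bugtraq reference sets and tallies a small set of constructed rules. All rule, plugin and Bugtraq identifiers are made-up placeholders, and the inferability distinction between Groups 2 and 3 is not modelled because the slides do not define it.

```python
# Added example, not the presentation's own analysis code. It reproduces the
# classification behind the "Group 1" pie chart: for a Snort rule that carries both
# Bugtraq and Nessus references, compare the Bugtraq set reached directly (Snort ->
# Bugtraq) with the set reached indirectly (Snort -> Nessus -> Bugtraq). All rule
# identifiers and reference mappings below are constructed sample data, not real IDs.
from collections import Counter
from typing import Dict, Set

# Subgroup labels as named on the slide.
SAME, DIRECT_INCLUDES, INDIRECT_INCLUDES, DISJOINT, INTERSECT = (
    "1.5 same", "1.1 direct strictly includes indirect",
    "1.2 indirect strictly includes direct", "1.3 disjoint", "1.4 strictly intersect")

def classify(direct: Set[str], indirect: Set[str]) -> str:
    """Place one Group 1 rule into subgroup 1.1 .. 1.5 by set relationship."""
    if direct == indirect:
        return SAME
    if indirect < direct:           # proper subset
        return DIRECT_INCLUDES
    if direct < indirect:
        return INDIRECT_INCLUDES
    if direct.isdisjoint(indirect):
        return DISJOINT
    return INTERSECT

def indirect_bugtraq(nessus_refs: Set[str], nessus_to_bugtraq: Dict[str, Set[str]]) -> Set[str]:
    """Snort -> Nessus -> Bugtraq: union of the Bugtraq IDs each Nessus plugin cites."""
    out: Set[str] = set()
    for plugin in nessus_refs:
        out |= nessus_to_bugtraq.get(plugin, set())
    return out

def analyse(rules: Dict[str, Dict[str, Set[str]]],
            nessus_to_bugtraq: Dict[str, Set[str]]) -> Dict[str, object]:
    """Split rules into Group 1 (both reference kinds) / Group 4 (neither) / the
    incomplete middle, and sub-classify Group 1. Inferability of incomplete
    references (Group 2 vs 3) is not modelled: the slides do not define it."""
    groups: Counter = Counter()
    subgroups: Counter = Counter()
    per_rule: Dict[str, str] = {}
    for sid, refs in rules.items():
        bugtraq, nessus = refs.get("bugtraq", set()), refs.get("nessus", set())
        if bugtraq and nessus:
            groups["group1"] += 1
            label = classify(bugtraq, indirect_bugtraq(nessus, nessus_to_bugtraq))
            subgroups[label] += 1
            per_rule[sid] = label
        elif bugtraq or nessus:
            groups["incomplete"] += 1
        else:
            groups["group4"] += 1
    return {"groups": dict(groups), "subgroups": dict(subgroups), "per_rule": per_rule}

# Constructed sample: "sid-*" rules, "nasl-*" Nessus plugins, "bid-*" Bugtraq entries.
SAMPLE_NESSUS_TO_BUGTRAQ = {
    "nasl-1": {"bid-10"}, "nasl-2": {"bid-10", "bid-11"},
    "nasl-3": {"bid-20"}, "nasl-4": {"bid-30", "bid-31"},
}
SAMPLE_RULES = {
    "sid-1": {"bugtraq": {"bid-10"}, "nessus": {"nasl-1"}},             # same
    "sid-2": {"bugtraq": {"bid-10", "bid-11"}, "nessus": {"nasl-1"}},   # direct includes indirect
    "sid-3": {"bugtraq": {"bid-10"}, "nessus": {"nasl-2"}},             # indirect includes direct
    "sid-4": {"bugtraq": {"bid-12"}, "nessus": {"nasl-3"}},             # disjoint
    "sid-5": {"bugtraq": {"bid-30", "bid-32"}, "nessus": {"nasl-4"}},   # strictly intersect
    "sid-6": {"bugtraq": {"bid-20"}, "nessus": set()},                  # incomplete
    "sid-7": {"bugtraq": set(), "nessus": set(), "cve": {"cve-placeholder"}},  # group 4
}

def sample_analysis() -> Dict[str, object]:
    return analyse(SAMPLE_RULES, SAMPLE_NESSUS_TO_BUGTRAQ)
```

The five subgroups are mutually exclusive and exhaustive for any pair of sets, which is why the slide's percentages for Groups 1.1 to 1.5 add up to 100%; the "disjoint" case is the one the slide flags as rules that seem to refer to different Bugtraq vulnerabilities altogether.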
Results
 Built a library of small IDS rules with network context
using group 1 Snort rules
 Tested 20 attack programs against 12 systems
– Reduced the number of false positives, compared to Snort
– Proved that network context is important to reduce false
positives
Test Cases
[Figure: test network. Attacker 1 and Attacker 2 launch attacks against target systems (among them Sun 4.x, OS X, Oracle and Linux 2.4 hosts); the Snort results are compared against the PNMT results.]
Conclusion
 The relationships between Snort IDS signatures, Nessus
and Bugtraq still need to be improved
 Correlation systems using events for these systems only
use a small proportion of relationship potential
 For the small number of Snort rules that provide accurate
relationships, network context is important to reduce false
positives.
 Future Work on IDS Rules
– Test more context-based intrusion detection rules
– Continue the development of a virtual exploit testing network
– Test rules to identify more complex attacks such as DDoS and network discovery techniques
Questions