<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>FAQ: Network Intrusion Detection Systems</TITLE>
<META content="text/html; charset=ks_c_5601-1987" http-equiv=Content-Type>
<META content="MSHTML 5.00.3018.900" name=GENERATOR></HEAD>
<BODY>
<H1>FAQ: Network Intrusion Detection Systems</H1>Version 0.8.3, March 21, 2000
<P>This FAQ answers simple questions related to detecting intruders who attack
systems through the network, especially how such intrusions can be detected.
<B>Questions? Feedback? Send mail to <I>nids-faq @ robertgraham.com</I></B>
<P>
<TABLE border=1 cellPadding=2 cellSpacing=0 class=toc>
  <TBODY>
  <TR>
    <TD>0. <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#0."><B>Information about this FAQ</B></A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#0.1">Copyright</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#0.6">Where to get it</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#0.7">Thanks to</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#0.8">Version History</A><BR>
      1. <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#1."><B>Introduction</B></A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#1.1">What is a "network intrusion detection system (NIDS)"?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#1.2">Who is misusing the system?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#1.3">How do intruders get into systems?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#1.4">Why can intruders get into systems?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#1.5">How do intruders get passwords?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#1.6">What is a typical intrusion scenario?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#1.7">What are some common "intrusion signatures"?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#1.8">What are some common exploits?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#1.9">What are some common reconnaissance scans?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#1.10">What are some common DoS (Denial of Service) attacks?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#1.11">How much danger from intrusions is there?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#1.12">Where can I find current statistics about intrusions?</A><BR>
      2. <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#2."><B>Architecture</B></A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#2.1">How are intrusions detected?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#2.2">How does a NIDS match signatures with incoming traffic?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#2.4">What happens after a NIDS detects an attack?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#2.5">What other countermeasures besides IDS are there?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#2.6">Where do I put IDS systems on my network?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#2.7">How does IDS fit with the rest of my security framework?</A><BR>
      3. <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#3."><B>Policy</B></A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#3.1">How do I increase intrusion detection/prevention under WinNT?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#3.2">How do I increase intrusion detection/prevention under Win95/Win98?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#3.3">How do I increase intrusion detection/prevention under UNIX?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#3.4">How do I increase intrusion detection/prevention under Macintosh?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#3.5">How do I increase intrusion detection/prevention for the enterprise?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#3.6">How should I implement intrusion detection in my enterprise?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#3.7">What should I do when I've been hacked?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#3.8">How should I respond when somebody tells me they've been hacked from my site?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#3.9">How do I collect enough evidence about the hacker?</A><BR></TD>
    <TD>4. <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#4."><B>Products</B></A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#4.1">What freeware/shareware intrusion detection systems are available?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#4.2">What commercial intrusion detection systems are available?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#4.3">What is a "network grep" system?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#4.4">What tools do intruders use to break into my systems?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#4.5">What other free/shareware intrusion detection products should I be aware of?</A><BR>
      6. <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#6."><B>Resources</B></A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#6.1">Where can I find updates about new security holes?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#6.2">What are some other security and intrusion detection resources?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#6.3">What are some sites that are interesting?</A><BR>
      7. <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#7."><B>IDS and Firewalls</B></A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#7.2">Why do I need IDS if I already have a firewall?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#7.3">If I have intrusion detection, do I need a firewall?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#7.4">Where does the intrusion detection system get its information? The firewall?</A><BR>
      8. <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#8."><B>Implementation Guide</B></A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#8.1">What questions should I ask my IDS vendor?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#8.2">How do I maintain the system on an on-going basis?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#8.4">How do I stop inappropriate web surfing?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#8.5">How can I build my own IDS (writing code)?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#8.7">What is the legality of NIDS (since it is a form of wiretap)?</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#8.8">How do I save logfiles in a tamper-proof way?</A><BR>
      9. <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#9"><B>What are the limitations of NIDS?</B></A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#9.1">Switched network (inherent limitation)</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#9.2">Resource limitations</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#9.3">Attacks against the NIDS</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#9.4">Simple evasion</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#9.5">Complex evasion</A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#9.9">Tools</A><BR>
      10. <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#10."><B>Misc.</B></A><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#10.1">What are some standardization/interoperability efforts?</A><BR>
      11. <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#11."><B>Honeypots and Deception Systems</B></A><I><B>[new]</B></I><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#11.1">What is a honeypot?</A><I><B>[new]</B></I><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#11.2">What are the advantages of a honeypot?</A><I><B>[new]</B></I><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#11.3">What are the disadvantages of a honeypot?</A><I><B>[new]</B></I><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#11.4">How can I set up my own honeypot?</A><I><B>[new]</B></I><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#11.5">What are the types of honeypots?</A><I><B>[new]</B></I><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#11.6">What are the pros/cons of setting up a system that can be hacked?</A><I><B>[new]</B></I><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#11.7">Are there examples of people using honeypots?</A><I><B>[new]</B></I><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#11.8">What honeypot products are available?</A><I><B>[new]</B></I><BR>
      - <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#11.9">What are deception countermeasures?</A><I><B>[new]</B></I><BR></TD></TR></TBODY></TABLE><!-- FORMATTING: my goal is to format the HTML tags as little
as possible in order to make the format "universal" for
older browsers (i.e. Lynx). At the same time, I'd like to take advantage
of the capabilities of newer browsers to format the text. I really
don't like this style-sheet, so please create a better one and
e-mail it to me!
-->
<STYLE>H1 {
	FONT-FAMILY: "Trebuchet MS", "Arial", sans-serif; FONT-SIZE: 10pt
}
H2 {
	FONT-FAMILY: "Trebuchet MS", "Arial", sans-serif; FONT-SIZE: 10pt
}
H3 {
	FONT-FAMILY: "Trebuchet MS", "Arial", sans-serif; FONT-SIZE: 10pt
}
H4 {
	FONT-FAMILY: "Trebuchet MS", "Arial", sans-serif; FONT-SIZE: 10pt
}
H5 {
	FONT-FAMILY: "Trebuchet MS", "Arial", sans-serif; FONT-SIZE: 10pt
}
H6 {
	FONT-FAMILY: "Trebuchet MS", "Arial", sans-serif; FONT-SIZE: 10pt
}
H1 {
	BACKGROUND: #666666; COLOR: #ffffff; FONT-SIZE: 13pt
}
H2 {
	BACKGROUND: #f0f0f0; FONT-SIZE: 12pt
}
H3 {
	BACKGROUND-COLOR: #f0f0f0; FONT-SIZE: 10pt; LINE-HEIGHT: 50%
}
xP {
	PADDING-RIGHT: 10px
}
CODE {
	FONT-SIZE: 8pt
}
PRE {
	BACKGROUND-COLOR: #ffffcc; FONT-SIZE: 8pt; MARGIN-BOTTOM: 0.5em; MARGIN-TOP: 0.5em
}
.copyright {
	BACKGROUND-COLOR: #ffcccc; BORDER-BOTTOM: 2px solid; BORDER-LEFT: 2px solid; BORDER-RIGHT: 2px solid; BORDER-TOP: 2px solid; FONT-FAMILY: Arial; FONT-SIZE: 7pt; FONT-WEIGHT: bold; PADDING-BOTTOM: 4px; PADDING-LEFT: 4px; PADDING-RIGHT: 4px; PADDING-TOP: 4px
}
.t {
	COLOR: red; FONT-FAMILY: "Trebuchet MS", "Arial", "helvetica", sans-serif; FONT-WEIGHT: bold
}
DT {
	FONT-FAMILY: "Trebuchet MS", "Arial", "helvetica", sans-serif; FONT-WEIGHT: bold
}
TH {
	BACKGROUND: #ffffcc; FONT-FAMILY: "Trebuchet MS", "Arial", "helvetica", sans-serif; FONT-SIZE: smaller; FONT-STYLE: italic; TEXT-ALIGN: left; TEXT-DECORATION: none; VERTICAL-ALIGN: top
}
TD {
	FONT-FAMILY: "Arial", "helvetica", sans-serif; FONT-SIZE: smaller; VERTICAL-ALIGN: top
}
TABLE {
	BORDER-BOTTOM-STYLE: solid; BORDER-LEFT-STYLE: solid; BORDER-RIGHT-STYLE: solid; BORDER-TOP-STYLE: solid
}
BODY {
	FONT-FAMILY: Arial,Helvetica; FONT-SIZE: smaller; TEXT-ALIGN: justify
}
.toc A {
	COLOR: #000066; TEXT-DECORATION: none; TEXT-INDENT: 3em
}
</STYLE>

<DL compact>
  <DT>
  <H1><A name=0.>0. Information about this FAQ</A></H1>
  <DD>
  <DT>
  <H2><A name=0.1>0.1 Copyright</A></H2>
  <DD>
  <BLOCKQUOTE class=copyright><A name=copyright>Copyright 1998-2000 by Robert
    Graham</A> (<A href="mailto:nids-faq1@RobertGraham.com">mailto:nids-faq1@RobertGraham.com</A>).
    All rights reserved. This document may be reproduced only for non-commercial
    purposes. All reproductions must contain this exact copyright notice.
    Reproductions must not contain alterations except by permission.
</BLOCKQUOTE>
  <DT>
  <H2><A name=0.6>0.6 Where to get it</A></H2>
  <DD>My homepage: (slow link)<BR>
  <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html">http://www.robertgraham.com/pubs/network-intrusion-detection.html</A> (HTML)<BR>
  <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.txt">http://www.robertgraham.com/pubs/network-intrusion-detection.txt</A> (text)<BR>
  TICM (fast link): <A href="http://www.ticm.com/kb/faq/">http://www.ticm.com/kb/faq/</A><BR>
  Shake Communications (Australia): <A href="http://www.shake.net/misc/network-intrusion-detection.htm">http://www.shake.net/misc/network-intrusion-detection.htm</A><BR>
  IT Sec (Germany): <A href="http://www.it-sec.de/mirrors/ids/network-intrusion-detection.html">http://www.it-sec.de/mirrors/ids/network-intrusion-detection.html</A><BR>
  Russian translation: <A href="http://www.citforum.ru/internet/securities/faq_ids.shtml">http://www.citforum.ru/internet/securities/faq_ids.shtml</A><BR>
  Japanese translation: <A href="http://www.sfc.keio.ac.jp/~keiji/ids/ids-faq-j.html">http://www.sfc.keio.ac.jp/~keiji/ids/ids-faq-j.html</A><BR>
  <DT>
  <H2><A name=0.7>0.7 Thanks to</A></H2>
  <DD>Thanks to the following people for helpful info and comments (note: to
  avoid automated spam address collection systems, I've munged their e-mail
  addresses in an obvious way).
  <P>Olaf Schreck &lt;chakl at syscall de&gt;<BR>
  John Kozubik &lt;john_kozubik at hotmail com&gt; (see <A href="http://www.networkcommand.com/john/index.html" target=_blank>http://www.networkcommand.com/john/index.html</A> for NT login-script tips).<BR>
  Aaron Bawcom &lt;abawcom at pacbell net&gt;<BR>
  Mike Kienenberger &lt;mkienenb at arsc edu&gt;<BR>
  Keiji Takeda &lt;keiji at sfc keio ac jp&gt;<BR>
  Scott Hamilton &lt;sah at uow edu au&gt;<BR>
  Holger Heimann &lt;hh at it-sec de&gt;<BR>
  Bennett Todd &lt;bet at mordor dot net&gt;<BR></P>
  <DT>
  <H2><A name=0.8>0.8 Version History</A></H2>
  <DD>
  <DL>
    <DT>Version 0.7, October 9, 1999
    <DD>Added info on limitations.
    <DT>Version 0.6, July 17, 1999
    <DD>Updated info from NAI and NFR straight from the vendors (hope I got it
    right). Added 8.7 and 8.8.
    <DT>Version 0.5, May 19, 1999
    <DD>Russian and Japanese translations available. Added some new IDS
    products.
    <DT>Version 0.4, April 8, 1999
    <DD>Section 8. Fixed TOC.
    <DT>Version 0.3, January 1, 1999
    <DD>Minor updates.<BR>Changed format of hyper-links so I can create a
    text-only version of the FAQ.<BR>Changed embedded e-mail addresses so that
    spam-trollers can't extract them.<BR>Added TOC.
    <DT>Version 0.2, November 1, 1998
    <DD>Minor updates.
    <DT>Version 0.1, August 1, 1998
    <DD>The first version. </DD></DL>
  <DT>
  <H1><A name=1.>1. Introduction</A></H1>
  <DD>
  <DT>
  <H2><A name=1.1>1.1 What is a "network intrusion detection system
  (NIDS)"?</A></H2>
  <DD>
  <P>An <B>intrusion</B> is somebody (A.K.A. "hacker" or "cracker") attempting
  to break into or misuse your system. The word "misuse" is broad, and can
  cover anything from something as severe as stealing confidential data to
  something as minor as misusing your email system for spam (though for many
  of us, that is a major issue!).
  <P>An "Intrusion Detection System (IDS)" is a system for detecting such
  intrusions. For the purposes of this FAQ, IDS can be broken down into the
  following categories:
  <P><B>network intrusion detection systems (NIDS)</B> monitor packets on the
  network wire and attempt to discover whether a hacker/cracker is attempting to
  break into a system (or cause a denial of service attack). A typical example
  is a system that watches for a large number of TCP connection requests (SYN)
  to many different ports on a target machine, thus discovering whether someone
  is attempting a TCP port scan. A NIDS may run either on the target machine,
  watching its own traffic (usually integrated with the stack and services
  themselves), or on an independent machine promiscuously watching all network
  traffic (hub, router, probe). Note that a "network" IDS monitors many
  machines, whereas the others monitor only a single machine (the one they are
  installed on).
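  <P>A toy SYN port-scan detector along the lines of the example just given, as an added illustration rather than code from the FAQ: instead of sniffing the wire it consumes constructed packet records as a sniffer would hand them to the analysis engine, and alerts when one source sends bare SYNs to many distinct ports on one target inside a sliding time window. The threshold and window values are assumptions.</P>

```python
"""Toy SYN port-scan detector (added illustration, not code from the FAQ).

Consumes constructed packet records (timestamp, src, dst, dst port, TCP
flags) and alerts when one source sends bare SYNs to many distinct ports
on one target inside a sliding time window.  Threshold and window values
are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds (constructed values below)
    src: str
    dst: str
    dport: int     # destination TCP port
    flags: str     # TCP flag letters: "S" = SYN only, "SA" = SYN/ACK


class SynScanDetector:
    def __init__(self, port_threshold=10, window=5.0):
        self.port_threshold = port_threshold  # distinct ports that trigger an alert
        self.window = window                  # sliding window in seconds
        # (src, dst) -> deque of (ts, dport) for SYN-only packets still in window
        self._events = defaultdict(deque)
        self._alerted = set()                 # pairs already reported once

    def observe(self, pkt):
        """Feed one packet; return an alert string, or None."""
        # Only a bare SYN is a new connection attempt; SYN/ACK is the
        # server's reply, and data packets are not attempts at all.
        if pkt.flags != "S":
            return None
        key = (pkt.src, pkt.dst)
        q = self._events[key]
        q.append((pkt.ts, pkt.dport))
        # Drop attempts that fell out of the window (packets arrive in order)
        while q and pkt.ts - q[0][0] > self.window:
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= self.port_threshold and key not in self._alerted:
            self._alerted.add(key)
            return (f"PORTSCAN {pkt.src} -> {pkt.dst}: "
                    f"{len(distinct)} ports in {self.window}s")
        return None


def run(packets, **kw):
    """Run the detector over a packet sequence and collect the alerts."""
    det = SynScanDetector(**kw)
    return [a for a in (det.observe(p) for p in packets) if a]


def sample_traffic():
    """Constructed traffic: a web client that keeps reconnecting to port 80
    (many SYNs, one port) and a scanner probing 12 ports in 2.4 seconds."""
    pkts = []
    for i in range(15):
        t = 100.0 + i * 0.3
        pkts.append(Packet(t, "10.0.0.5", "10.0.0.80", 80, "S"))
        pkts.append(Packet(t + 0.01, "10.0.0.80", "10.0.0.5", 40000 + i, "SA"))
    ports = [21, 22, 23, 25, 53, 79, 80, 110, 111, 143, 443, 513]
    for i, port in enumerate(ports):
        pkts.append(Packet(200.0 + i * 0.2, "192.0.2.99", "10.0.0.80", port, "S"))
    return sorted(pkts, key=lambda p: p.ts)


def slow_scan_traffic():
    """Constructed: the same 12 ports probed once every 10 seconds, which a
    5-second window will not catch (a known weakness of this simple scheme)."""
    ports = [21, 22, 23, 25, 53, 79, 80, 110, 111, 143, 443, 513]
    return [Packet(300.0 + i * 10.0, "192.0.2.99", "10.0.0.80", p, "S")
            for i, p in enumerate(ports)]


if __name__ == "__main__":
    for alert in run(sample_traffic()):
        print(alert)
```

  <P>The slow-scan input shows what a fixed window misses: the same probes spread out over time produce no alert.</P>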
  <P><B>system integrity verifiers (SIV)</B> monitor system files to find when
  an intruder changes them (thereby leaving behind a backdoor). The most famous
  of such systems is "Tripwire". A SIV may watch other components as well, such
  as the Windows registry and cron configuration, in order to find well-known
  signatures. It may also detect when a normal user somehow acquires
  root/administrator level privileges. Many existing products in this area should
  be considered more "tools" than complete "systems": i.e. something like
  "Tripwire" detects changes in critical system components, but doesn't generate
  real-time alerts upon an intrusion.
  <P><B>log file monitors (LFM)</B> monitor log files generated by network
  services. In a similar manner to NIDS, these systems look for patterns in the
  log files that suggest an intruder is attacking. A typical example would be a
  parser for HTTP server log files that looks for intruders who try well-known
  security holes, such as the "phf" attack. Example: swatch
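  <P>A small log file monitor of the kind just described, as an added illustration (not the FAQ's code and not swatch): it parses constructed Common Log Format lines, percent-decodes the request path so the signature sees what the server saw, and flags requests for the phf CGI. The extra control-character check is an assumption on top of the plain phf signature.</P>

```python
"""Log-file monitor for the "phf" hole (added illustration, not the FAQ's code).

Parses web-server entries in Common Log Format, percent-decodes the request
path (the signature must match the request as the server saw it, not as it
was encoded on the wire), and flags requests for the phf CGI.  The
'control-char' check is an assumption beyond the plain phf signature.
"""
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def classify(raw_path):
    """Return the list of signature names the request path matches."""
    decoded = unquote(raw_path)            # "%0a" becomes a real newline here
    path, _, _query = decoded.partition("?")
    reasons = []
    # Signature 1: any request for the phf CGI, regardless of case or query.
    if path.lower().rstrip("/").endswith("/phf"):
        reasons.append("phf")
    # Signature 2 (assumption): a control character that only shows up after
    # decoding, such as an embedded newline that separates a second command.
    if any(ord(c) < 0x20 for c in decoded):
        reasons.append("control-char")
    return reasons


def scan_log(lines):
    """Run every parsable line past the signatures; return the hits."""
    hits = []
    for line in lines:
        entry = parse_clf(line)
        if entry is None:
            continue
        reasons = classify(entry["path"])
        if reasons:
            hits.append({
                "host": entry["host"],
                "status": int(entry["status"]),   # 200 means the server ran it
                "path": entry["path"],
                "reasons": reasons,
            })
    return hits


# Constructed sample log: two ordinary requests and two phf probes.
SAMPLE_LOG = """\
192.0.2.7 - - [10/Oct/1999:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
192.0.2.44 - - [10/Oct/1999:13:56:02 -0700] "GET /cgi-bin/phf?Qalias=x%0aid HTTP/1.0" 200 1024
192.0.2.7 - - [10/Oct/1999:13:57:11 -0700] "GET /images/logo.gif HTTP/1.0" 304 -
192.0.2.44 - - [10/Oct/1999:13:58:40 -0700] "HEAD /cgi-bin/PHF HTTP/1.0" 404 -
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

  <P>The status field matters when triaging: a 200 on the phf request means the server actually ran the CGI, whereas a 404 only records the attempt.</P>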
  <P><B><A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#honeypot">deception
  systems</A></B> (A.K.A. decoys, lures, fly-traps, honeypots) contain
  pseudo-services whose goal is to emulate well-known holes in order to trap
  hackers. See <I>The Deception ToolKit <A href="http://www.all.net/dtk/">http://www.all.net/dtk/</A></I> for an example.
  Simple tricks can also be used, such as renaming the "administrator" account on
  NT, then setting up a dummy account with no rights but extensive auditing.
  There is more on "deception" later in this document. Also see <A href="http://www.enteract.com/~lspitz/honeypot.html">http://www.enteract.com/~lspitz/honeypot.html</A>

  <P><B>other</B>
  <P>For more info, see <A href="http://www.icsa.net/idswhite/">http://www.icsa.net/idswhite/</A>. </P>
  <DT>
  <H2><A name=1.2>1.2 Who is misusing the system?</A></H2>
  <DD>There are two words to describe the intruder: <B>hacker</B> and
  <B>cracker</B>. A hacker is a generic term for a person who likes getting into
  things. The benign hacker is the person who likes to get into his/her own
  computer and understand how it works. The malicious hacker is the person who
  likes getting into other people's systems. The benign hackers wish that the
  media would stop bad-mouthing all hackers and use the term 'cracker' instead.
  Unfortunately, this is not likely to happen. In any event, the word used in
  this FAQ is 'intruder', to generically denote anybody trying to get into your
  systems.
  <P>Intruders can be classified into two categories.
  <DL>
    <DT><B>Outsiders</B>
    <DD>Intruders from outside your network, who may attack your external
    presence (deface web servers, forward spam through e-mail servers, etc.).
    They may also attempt to go around the firewall to attack machines on the
    internal network. Outside intruders may come from the <B>Internet</B>,
    <B>dial-up</B> lines, <B>physical break-ins</B>, or from a <B>partner</B>
    (vendor, customer, reseller, etc.) network that is linked to your corporate
    network.
    <DT><B>Insiders</B>
    <DD>Intruders that legitimately use your internal network. These include
    users who <B>misuse privileges</B> (such as the Social Security employee
    who marked someone as being dead because they didn't like that person) or
    who <B>impersonate</B> higher privileged users (such as using someone else's
    terminal). A frequently quoted statistic is that 80% of security breaches
    are committed by insiders. </DD></DL>
  <P>There are several types of intruders. <B>Joy riders</B> hack because they
  can. <B>Vandals</B> are intent on causing destruction or marking up your
  web-pages. <B>Profiteers</B> are intent on profiting from their enterprise,
  such as rigging the system to give them money or by stealing corporate data
  and selling it. </P>
  <DT>
  <H2><A name=1.3>1.3 How do intruders get into systems?</A></H2>
  <DD>The primary ways an intruder can get into a system:
  <P><B>Physical Intrusion</B> If intruders have physical access to a machine
  (i.e. they can use the keyboard or take apart the system), they will be able
  to get in. Techniques range from special privileges the console has, to the
  ability to physically take apart the system and remove the disk drive (and
  read/write it on another machine). Even BIOS protection is easy to bypass:
  virtually all BIOSes have backdoor passwords.
  <P><B>System Intrusion</B> This type of hacking assumes the intruder already
  has a low-privilege user account on the system. If the system doesn't have the
  latest security patches, there is a good chance the intruder will be able to
  use a known exploit in order to gain additional administrative privileges.
  <P><B>Remote Intrusion</B> This type of hacking involves an intruder who
  attempts to penetrate a system remotely across the network. The intruder
  begins with no special privileges. There are several forms of this hacking.
  For example, an intruder has a much more difficult time if there is a
  firewall between him/her and the victim machine.
  <P>Note that Network Intrusion Detection Systems are primarily concerned with
  Remote Intrusion. </P>
  <DT>
  <H2><A name=1.4>1.4 Why can intruders get into systems?</A></H2>
  <DD>Software always has bugs. System Administrators and Programmers can never
  track down and eliminate all possible holes. Intruders have only to find one
  hole to break in.
  <DL>
    <DT>
    <H3><A name=1.4.1>1.4.1 Software bugs</A></H3>
    <DD>Software bugs are exploited in the server daemons, the client
    applications, the operating system, and the network stack. Software bugs can
    be classified in the following manner:
    <P><B>Buffer overflows:</B> Almost all the security holes you read about in
    the press are due to this problem. A typical example is a programmer who
    sets aside 256 characters to hold a login username. Surely, the programmer
    thinks, nobody will ever have a name longer than that. But a hacker thinks,
    what happens if I enter a false username longer than that? Where do the
    additional characters go? If the hackers do the job just right, they can
    send 300 characters, including code that will be executed by the server, and
    voila, they've broken in. Hackers find these bugs in several ways. First of
    all, the source code for a lot of services is available on the net. Hackers
    routinely look through this code searching for programs that have buffer
    overflow problems. Secondly, hackers may look at the programs themselves to
    see if such a problem exists, though reading assembly output is really
    difficult. Thirdly, hackers will examine every place the program has input
    and try to overflow it with random data. If the program crashes, there is a
    good chance that carefully constructed input will allow the hacker to break
    in. Note that this problem is common in programs written in C/C++, but rare
    in programs written in Java.
    <P><B>Unexpected combinations:</B> Programs are usually constructed using
    many layers of code, including the underlying operating system as the
    bottom-most layer. Intruders can often send input that is meaningless to
    one layer, but meaningful to another layer. The most common language for
    processing user input on the web is PERL. Programs written in PERL will
    usually send this input to other programs for further evaluation. A common
    hacking technique would be to enter something like "<CODE>| mail &lt;
    /etc/passwd</CODE>". This gets executed because PERL asks the operating
    system to launch an additional program with that input. However, the
    operating system intercepts the pipe '|' character and launches the 'mail'
    program as well, which causes the password file to be emailed to the
    intruder.
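    <P>The pipe-character bug just described in working form, as an added illustration (not from the FAQ): a finger-style CGI handler written the unsafe way beside a hardened one that whitelists the user name and passes it as a separate argv element. Neither function executes anything; the query-string format and the whitelist pattern are assumptions.</P>

```python
"""The "unexpected combinations" bug (added illustration, not the FAQ's code).

A finger-style CGI handler that hands a user name to the shell, beside a
hardened version.  Neither function executes anything; both only build the
command line, so the example is safe to run.  The query format and the
user-name whitelist are assumptions.
"""
import re
from urllib.parse import parse_qs

# Characters that mean nothing to the CGI layer but everything to the shell.
SHELL_META = re.compile(r'[|&;<>`$(){}\[\]*?!\n\r]')
# Whitelist of what a user name may look like; anything else is rejected.
USERNAME_OK = re.compile(r'^[a-z][a-z0-9_-]{0,31}$')


def unsafe_command(user):
    """Perl-style: interpolate raw input into a single command string for
    the shell.  The CGI layer thinks it passed a name; the shell parses a
    pipeline."""
    return f"finger {user}"


def safe_argv(user):
    """Hardened: check the input against the whitelist and pass it as its
    own argv element, so no shell ever gets to reinterpret it."""
    if not USERNAME_OK.match(user):
        raise ValueError(f"rejected user name: {user!r}")
    return ["finger", user]


def handle_query(query_string):
    """Parse a ?user=... query as a CGI script would and return either
    ('ok', argv) or ('reject', reason)."""
    params = parse_qs(query_string, keep_blank_values=True)
    user = params.get("user", [""])[0]
    # Metacharacter check first: this is the same test a log monitor or a
    # NIDS signature applies to the raw request in order to spot the attempt.
    if SHELL_META.search(user):
        return ("reject", "shell metacharacter in input")
    try:
        return ("ok", safe_argv(user))
    except ValueError as exc:
        return ("reject", str(exc))


if __name__ == "__main__":
    probe = "user=bob%7C+mail+%3C+/etc/passwd"           # constructed request
    print(unsafe_command(parse_qs(probe)["user"][0]))    # what the shell would see
    print(handle_query(probe))                           # what the hardened code does
```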
    <P><B>Unhandled input:</B> Most programs are written to handle valid input.
    Most programmers do not consider what happens when somebody enters input
    that doesn't match the specification.
    <P><B>Race conditions:</B> Most systems today are
    "multitasking/multithreaded". This means that they can execute more than one
    program at a time. There is a danger if two programs need to access the same
    data at the same time. Imagine two programs, A and B, which need to modify
    the same file. In order to modify a file, each program must first read the
    file into memory, change the contents in memory, then copy the memory back
    out into the file. The race condition occurs when program A reads the file
    into memory, then makes the change. However, before A gets to write the
    file, program B steps in and does the full read/modify/write on the file.
    Now program A writes its copy back out to the file. Since program A started
    with a copy before B made its changes, all of B's changes will be lost.
    Since you need to get the sequence of events in just the right order, race
    conditions are very rare. Intruders usually have to try thousands of times
    before they get it right, and hack into the system. </P>
    <DT>
    <H3><A name=1.4.2>1.4.2 System configuration</A></H3>
    <DD>System configuration bugs can be classified in the following manner:
    <P><B>Default configurations:</B> Most systems are shipped to customers with
    default, easy-to-use configurations. Unfortunately, "easy-to-use" means
    "easy-to-break-in". Almost any UNIX or WinNT machine shipped to you can be
    hacked into easily.
    <P><B>Lazy administrators:</B> A surprising number of machines are
    configured with an empty root/administrator password. This is because the
    administrator is too lazy to configure one right now and wants to get the
    machine up and running quickly with minimal fuss. Unfortunately, they never
    get around to fixing the password later, allowing intruders easy access. One
    of the first things an intruder will do on a network is to scan all machines
    for empty passwords.
    <P><B>Hole creation:</B> Virtually all programs can be configured to run in
    a non-secure mode. Sometimes administrators will inadvertently open a hole
    on a machine. Most administration guides will suggest that administrators
    turn off everything that doesn't absolutely positively need to run on a
    machine in order to avoid accidental holes. Note that security auditing
    packages can usually find these holes and notify the administrator.
    <P><B>Trust relationships:</B> Intruders often "island hop" through the
    network exploiting trust relationships. A network of machines trusting each
    other is only as secure as its weakest link. </P>
    <DT>
    <H3><A name=1.4.3>1.4.3 Password cracking</A></H3>
    <DD>This is a special category all to itself.
    <P><B>Really weak passwords:</B> Most people use the names of themselves,
    their children, spouse/SO, pet, or car model as their password. Then there
    are the users who choose "password" or simply nothing. This gives a list of
    less than 30 possibilities that an intruder can type in by hand.
    <P><B>Dictionary attacks:</B> Failing the above attack, the intruder can
    next try a "dictionary attack". In this attack, the intruder will use a
    program that tries every possible word in the dictionary. Dictionary
    attacks can be done either by repeatedly logging into systems, or by
    collecting encrypted passwords and attempting to find a match by similarly
    encrypting all the passwords in the dictionary. Intruders usually have a
    copy of the English dictionary as well as foreign-language dictionaries for
    this purpose. They also use additional dictionary-like databases, such as
    names (see above) and lists of common passwords.
    <P><B>Brute force attacks:</B> Similar to a dictionary attack, an intruder
    may try all possible combinations of characters. A short 4-letter password
    consisting of lower-case letters can be cracked in just a few minutes
    (roughly half a million possible combinations). A long 7-character password
    consisting of upper and lower case, as well as numbers and punctuation (10
    trillion combinations) can take months to crack assuming you can try a
    million combinations a second (in practice, a thousand combinations per
    second is more likely for a single machine). </P>
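    <P>Added example (not from the FAQ): a password acceptance check that turns the three attack classes above into rules, rejecting the "really weak" choices, dictionary words, and any password whose brute-force keyspace an attacker could exhaust at the million-guesses-a-second rate quoted above. The word lists, the 30-day policy and the names are constructed stand-ins for this example.</P>

```python
"""Password acceptance check built from the three attack classes in 1.4.3.

Added example, not from the FAQ: it rejects the "really weak" choices,
dictionary words, and passwords whose brute-force keyspace is too small
at the guess rate the FAQ quotes. The word lists are constructed stand-ins
for the dictionary-like databases the text mentions.
"""
import string

GUESSES_PER_SECOND = 1_000_000        # attacker rate quoted in the FAQ
MIN_SEARCH_SECONDS = 30 * 24 * 3600   # policy: exhaustive search must exceed 30 days

# Constructed stand-ins; a real check loads full word and leaked-password lists.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "123456"}
DICTIONARY = {"summer", "dragon", "monkey", "welcome", "sunshine"}
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def keyspace(password):
    """Candidates an exhaustive search over the password's character classes
    and length must try; an upper bound on the attacker's effort."""
    alphabet = sum(len(cls) for cls in CHARACTER_CLASSES
                   if any(c in cls for c in password))
    return alphabet ** len(password)


def seconds_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given rate."""
    return keyspace(password) / rate


def check_password(username, password, personal_names=()):
    """Return (accepted, reason), applying the FAQ's attack classes in order."""
    low = password.lower()
    # Really weak passwords: nothing, "password", the user's own or family names.
    if not password:
        return False, "empty password"
    if low in COMMON_PASSWORDS:
        return False, "common password"
    if low == username.lower() or low in {n.lower() for n in personal_names}:
        return False, "username or personal name"
    # Dictionary attack: plain words, also with the usual trailing digits.
    if low.rstrip(string.digits) in DICTIONARY:
        return False, "dictionary word"
    # Brute force: the keyspace must outlast the policy at the quoted rate.
    seconds = seconds_to_exhaust(password)
    if seconds < MIN_SEARCH_SECONDS:
        return False, "brute-forceable in %.2f days" % (seconds / 86400)
    return True, "ok"
```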
    <DT>
    <H3><A name=1.4.4>1.4.4 Sniffing unsecured traffic</A></H3>
    <DD>
    <P><B>Shared medium:</B> On traditional Ethernet, all you have to do is put
    a sniffer on the wire to see all the traffic on a segment. This is getting
    more difficult now that most corporations are transitioning to switched
    Ethernet.
    <P><B>Server sniffing:</B> However, on switched networks, if you can install
    a sniffing program on a server (especially one acting as a router), you can
    probably use that information to break into client machines and trusted
    machines as well. For example, you might not know a user's password, but
    sniffing a Telnet session when they log in will give you that password.
    <P><B>Remote sniffing:</B> A large number of boxes come with RMON enabled
    and public community strings. While the bandwidth is really low (you can't
    sniff all the traffic), it presents interesting possibilities. </P>
    <DT>
    <H3><A name=1.4.5>1.4.5 Design flaws</A></H3>
    <DD>Even if a software implementation is completely correct according to the
    design, there still may be bugs in the design itself that lead to
    intrusions.
    <P><B>TCP/IP protocol flaws:</B> The TCP/IP protocol was designed before we
    had much experience with the wide-scale hacking we see today. As a result,
    there are a number of design flaws that lead to possible security problems.
    Some examples include smurf attacks, ICMP Unreachable disconnects, IP
    spoofing, and SYN floods. The biggest problem is that the IP protocol itself
    is very "trusting": hackers are free to forge and change IP data with
    impunity. IPsec (IP security) has been designed to overcome many of these
    flaws, but it is not yet widely used.
    <P><B>UNIX design flaws:</B> There are a number of inherent flaws in the UNIX
    operating system that frequently lead to intrusions. The chief problem is
    the access control system, where only 'root' is granted administrative
    rights. As a result, </P></DD></DL>
  <DT>
  <H2><A name=1.5>1.5 How do intruders get passwords?</A></H2>
  <DD>Intruders get passwords in the following ways:
  <P><B>Clear-text sniffing:</B> A number of protocols (Telnet, FTP, HTTP Basic)
  use clear-text passwords, meaning that they are not encrypted as they go over
  the wire between the client and the server. An intruder with a protocol
  analyzer can watch the wire looking for such passwords. No further effort is
  needed; the intruder can start immediately using those passwords to log in.
  <P><B>Encrypted sniffing:</B> Most protocols, however, use some sort of
  encryption on the passwords. In these cases, the intruder will need to carry
  out a dictionary or brute force attack on the password in order to attempt
  decryption. Note that you still don't know about the intruder's presence, as
  he/she has been completely passive and has not transmitted anything on the
  wire. Password cracking does not require anything to be sent on the wire, as
  the intruder's own machine does the work of testing guesses against the
  captured password.
  <P><B>Replay attack:</B> In some cases, intruders do not need to decrypt the
  password. They can use the encrypted form instead in order to log in to
  systems. This usually requires reprogramming their client software in order to
  make use of the encrypted password.
  <P><B>Password file stealing:</B> The entire user database is usually stored
  in a single file on the disk. In UNIX, this file is <CODE>/etc/passwd</CODE>
  (or some mirror of that file), and under WinNT, this is the SAM file. Either
  way, once an intruder gets hold of this file, he/she can run cracking programs
  (described above) in order to find some weak passwords within the file.
  <P><B>Observation:</B> One of the traditional problems in password security is
  that passwords must be long and difficult to guess (in order to make
  dictionary and brute force cracks unreasonably difficult). However, such
  passwords are often difficult to remember, so users write them down somewhere.
  Intruders can often search a person's work site in order to find passwords
  written on little pieces of paper (usually under the keyboard). Intruders can
  also train themselves to watch passwords being typed in over a user's shoulder.
  <P><B>Social engineering:</B> A common (successful) technique is to simply
  call the user and say "Hi, this is Bob from MIS. We're trying to track down
  some problems on the network and they appear to be coming from your machine.
  What password are you using?" Many users will give up their password in this
  situation. (Most corporations have a policy where they tell users to never
  give out their password, even to their own MIS departments, but this technique
  is still successful. One easy way around this is for MIS to call the new
  employee six months after being hired and ask for their password, then criticize
  them for giving it out in a manner they will not forget :-) </P>
  <DT>
  <H2><A name=1.6>1.6 What is a typical intrusion scenario?</A></H2>
  <DD>
  <P>A typical scenario might be:
  <P>Step 1: <B>outside reconnaissance</B> The intruder will find out as much as
  possible without actually giving themselves away. They will do this by finding
  public information or appearing as a normal user. In this stage, you really
  can't detect them. The intruder will do a 'whois' lookup to find as much
  information as possible about your network as registered along with your
  domain name (such as <CODE>foobar.com</CODE>). The intruder might walk through
  your DNS tables (using 'nslookup', 'dig', or other utilities to do zone
  transfers) to find the names of your machines. The intruder will browse other
  public information, such as your public web sites and anonymous FTP sites. The
  intruder might search news articles and press releases about your company.
  <P>Step 2: <B>inside reconnaissance</B> The intruder uses more invasive
  techniques to scan for information, but still doesn't do anything harmful.
  They might walk through all your web pages and look for CGI scripts (CGI
  scripts are often easily hacked). They might do a 'ping' sweep in order to see
  which machines are alive. They might do a UDP/TCP scan/strobe on target
  machines in order to see what services are available. They'll run utilities
  like 'rpcinfo', 'showmount', 'snmpwalk', etc. in order to see what's
  available. At this point, the intruder has done 'normal' activity on the
  network and has not done anything that can be classified as an intrusion. At
  this point, a NIDS will be able to tell you that "somebody is checking door
  handles", but nobody has actually tried to open a door yet.
  <P>Step 3: <B>exploit</B> The intruder crosses the line and starts exploiting
  possible holes in the target machines. The intruder may attempt to compromise
  a CGI script by sending shell commands in input fields. The intruder might
  attempt to exploit well-known buffer-overrun holes by sending large amounts of
  data. The intruder may start checking for login accounts with easily guessable
  (or empty) passwords. The hacker may go through several stages of exploits.
  For example, if the hacker was able to access a user account, they will now
  attempt further exploits in order to get root/admin access.
  <P>Step 4: <B>foothold</B> At this stage, the hacker has successfully gained
  a foothold in your network by hacking into a machine. The intruder's main
  goal is to hide evidence of the attacks (doctoring the audit trail and log
  files) and make sure they can get back in again. They may install 'toolkits'
  that give them access, replace existing services with their own Trojan horses
  that have backdoor passwords, or create their own user accounts. System
  Integrity Verifiers (SIVs) can often detect an intruder at this point by
  noting the changed system files. The hacker will then use the system as a
  stepping stone to other systems, since most networks have fewer defenses
  against inside attacks.
  <P>Step 5: <B>profit</B> The intruder takes advantage of their status to steal
  confidential data, misuse system resources (e.g. stage attacks at other sites
  from your site), or deface web pages.
  <P>Another scenario starts differently. Rather than attack a specific site,
  an intruder might simply scan random Internet addresses looking for a
  specific hole. For example, an intruder may attempt to scan the entire
  Internet for machines that have the SendMail DEBUG hole. They simply exploit
  such machines as they find them. They don't target you directly, and they really
  won't even know who you are. (This is known as a 'birthday attack'; given a
  list of well-known security holes and a list of IP addresses, there is a good
  chance that there exists some machine somewhere that has one of those holes.)
  </P>
  <DT>
  <H2><A name=1.7>1.7 What are some common "intrusion signatures"?</A></H2>
  <DD>There are three types of attacks:
  <P><B>reconnaissance</B> These include ping sweeps, DNS zone transfers, e-mail
  recons, TCP or UDP port scans, and possibly indexing of public web servers to
  find CGI holes.
  <P><B>exploits</B> Intruders will take advantage of hidden features or bugs to
  gain access to the system.
  <P><B>denial-of-service (DoS) attacks</B> Where the intruder attempts to crash
  a service (or the machine), overload network links, overload the CPU, or
  fill up the disk. The intruder is not trying to gain information, but
  simply acting as a vandal to prevent you from making use of your machine.
  </P>
  <DT>
  <H2><A name=1.8>1.8 What are some common exploits?</A></H2>
  <DD>
  <DL>
    <DT>
    <H3><A name=1.8.1>1.8.1 CGI scripts</A></H3>
    <DD>CGI programs are notoriously insecure. Typical security holes include
    passing tainted input directly to the command shell via the use of shell
    metacharacters, using hidden variables specifying any filename on the
    system, and otherwise revealing more about the system than is good. The most
    well-known CGI bug is the 'phf' library shipped with NCSA httpd. The 'phf'
    library is supposed to allow server-parsed HTML, but can be exploited to
    give back any file. Other well-known CGI scripts that an intruder might
    attempt to exploit are: TextCounter, GuestBook, EWS, info2www, Count.cgi,
    handler, webdist.cgi, php.cgi, files.pl, nph-test-cgi, nph-publish, AnyForm,
    FormMail. If you see somebody trying to access one or all of these CGI
    scripts (and you don't use them), then it is a clear indication of an
    intrusion attempt (assuming you don't have a version installed that you
    actually want to use).
    <DT>
    <H3><A name=1.8.2>1.8.2 Web server attacks</A></H3>
    <DD>Beyond the execution of CGI programs, web servers have other possible
    holes. A large number of self-written web servers (including IIS 1.0 and
    NetWare 2.x) have a hole whereby a file name can include a series of "../" in
    the path name to move elsewhere in the file system, getting any file.
    Another common bug is a buffer overflow in the request field or in one of the
    other HTTP fields.
    <P>Web servers often have bugs related to their interaction with the
    underlying <B>operating system</B>. An old hole in Microsoft IIS had to do
    with the fact that files have two names, a long filename and a short
    8.3 hashed equivalent that could sometimes be accessed bypassing
    permissions. NTFS (the new file system) has a feature called "alternate data
    streams" that is similar to the Macintosh data and resource forks. You could
    access the file through its stream name by appending "::$DATA" in order to
    see a script rather than run it.
    <P>Servers have long had problems with <B>URLs</B>. For example, the "death
    by a thousand slashes" problem in older Apache would cause huge CPU loads as
    it tried to process each directory in a thousand-slash URL. </P>
    <DT>
    <H3><A name=1.8.3>1.8.3 Web browser attacks</A></H3>
    <DD>It seems that all of Microsoft's and Netscape's web browsers have
    security holes (though, of course, the latest ones never have any that we
    know about -- yet). This includes URL, HTTP, HTML, JavaScript, Frames,
    Java, and ActiveX attacks.
    <P><B>URL</B> fields can cause a buffer overflow condition, either as the URL is
    parsed in the HTTP header, as it is displayed on the screen, or as it is processed in
    some form (such as saved in the cache history). Also, an old bug with
    Internet Explorer allowed interaction with a bug whereby the browser would
    execute .LNK or .URL commands.
    <P><B>HTTP</B> headers can be used to exploit bugs because some fields are
    passed to functions that expect only certain information.
    <P><B>HTML</B> can often be exploited, such as the MIME-type overflow in
    Netscape Communicator's &lt;EMBED&gt; command.
    <P><B>JavaScript</B> is a perennial favorite, and usually tries to exploit
    the "file upload" function by generating a filename and automatically hiding
    the "SUBMIT" button. There have been many variations of this bug fixed, then
    new ways found to circumvent the fixes.
    <P><B>Frames</B> are often used as part of a JavaScript or Java hack (for
    example, hiding web pages in 1px by 1px sized screens), but they present
    special problems. For example, I can include a link to a trustworthy site
    that uses frames, then replace some of those frames with web pages from my
    own site, and they will appear to you to be part of that remote site.
    <P><B>Java</B> has a robust security model, but that model has proven to
    have the occasional bug (though compared to everything else, it has proven
    to be one of the most secure elements of the whole system). Moreover, its
    robust security may be its undoing: normal Java applets have no access to
    the local system, but sometimes they would be more useful if they did have
    local access. Thus the implementation of "trust" models that can more
    easily be hacked.
    <P><B>ActiveX</B> is even more dangerous than Java as it works purely from a
    trust model and runs native code. You can even inadvertently catch a virus
    that was accidentally embedded in some vendor's code. </P>
    <DT>
    <H3><A name=1.8.4>1.8.4 SMTP (SendMail) attacks</A></H3>
    <DD>SendMail is an extremely complicated and widely used program, and as a
    consequence, has been the frequent source of security holes. In the old days
    (of the '88 Morris Worm), hackers would take advantage of a hole in the
    DEBUG command or the hidden WIZ feature to break into SMTP. These days, they
    often try buffer overruns. SMTP also can be exploited in reconnaissance
    attacks, such as using the VRFY command to find user names.
    <DT>
    <H3><A name=1.8.5>1.8.5 Access</A></H3>
    <DD>Failed login attempts, failed file access attempts, password cracking,
    abuse of administrative powers.
    <DT>
    <H3><A name=1.8.6>1.8.6 IMAP</A></H3>
    <DD>Users retrieve e-mail from servers via the IMAP protocol (in contrast,
    SMTP transfers e-mail between servers). Hackers have found a number of bugs
    in several popular IMAP servers.
    <DT>
    <H3><A name=1.8.7>1.8.7 IP spoofing</A></H3>
    <DD>There is a range of attacks that take advantage of the ability to forge
    (or 'spoof') your IP address. While a source address is sent along with
    every IP packet, it isn't actually used for routing. This means an intruder
    can pretend to be you when talking to a server. The intruder never sees the
    response packets (although your machine does, but throws them away because
    they don't match any requests you've sent). The intruder won't get data back
    this way, but can still send commands to the server pretending to be you.
    <P>IP spoofing is frequently used as part of other attacks:
    <DL>
      <DT><B>SMURF</B>
      <DD>Where the source address of a broadcast ping is forged so that a huge
      number of machines respond back to the victim indicated by the address,
      overloading it (or its link).
      <DT><B>TCP sequence number prediction</B>
      <DD>In the startup of a TCP connection, you must choose a sequence number
      for your end, and the server must choose a sequence number for its end.
      Older TCP stacks choose predictable sequence numbers, allowing intruders
      to create TCP connections from a forged IP address (for which they will
      never see the response packets) that presumably will bypass security.
      <DT><B><A name=DNSsequencespoof>DNS poisoning through sequence
      prediction</A></B>
      <DD>DNS servers will "recursively" resolve DNS names. Thus, the DNS server
      that satisfies a client request will itself become a client to the next
      server in the recursive chain. The sequence numbers it uses are
      predictable. Thus, an intruder can send a request to the DNS server and a
      response to the server forged to be from the next server in the chain. It
      will then believe the forged response, and use that to satisfy other
      clients. </DD></DL>
    <DT>
    <H3><A name=1.8.8>1.8.8 Buffer Overflows</A></H3>
    <DD>Some other buffer overflow attacks are:
    <DL>
      <DT><B><A name=DNSoverflow>DNS overflow</A></B>
      <DD>Where an overly long DNS name is sent to a server. DNS names are
      limited to 64 bytes per subcomponent and 256 bytes overall.
      <DT><B>statd overflow</B>
      <DD>Where an overly long filename is provided. </DD></DL>
    <DT>
    <H3><A name=1.8.9>1.8.9 DNS attacks</A></H3>
    <DD>DNS is a prime target because if you can corrupt the DNS server, you can
    take advantage of trust relationships.
    <DL>
      <DT><B>DNS cache poisoning</B>
      <DD>Every DNS packet contains a "Question" section and an "Answer" section.
      Vulnerable servers will believe (and cache) Answers that you send along
      with Questions. Most, but not all, DNS servers have been patched as of
      November, 1998.
      <DT><B>DNS poisoning through sequence prediction</B>
      <DD>See <A
      href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#DNSsequencespoof">above</A>
      <DT><B>DNS overflow</B>
      <DD>See <A
      href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#DNSoverflow">above</A>
      </DD></DL></DD></DL>
  <DT>
  <H2><A name=1.9>1.9 What are some common reconnaissance scans?</A></H2>
  <DD>
  <DL>
    <DT>
    <H3><A name=1.9.1>1.9.1 Ping sweeps</A></H3>
    <DD>This simple scan pings a range of IP addresses to find which
    machines are alive. Note that more sophisticated scanners will use other
    protocols (such as an SNMP sweep) to do the same thing.
    <DT>
    <H3><A name=1.9.2>1.9.2 TCP scans</A></H3>
    <DD>Probes for open (listening) TCP ports looking for services the intruder
    can exploit. Scans can use normal TCP connections or stealth scans that use
    half-open connections (to prevent them from being logged) or FIN scans
    (never opens a port, but tests if someone's listening). Scans can be
    sequential, randomized, or configured lists of ports.
    <DT>
    <H3><A name=1.9.3>1.9.3 UDP scans</A></H3>
    <DD>These scans are a little bit more difficult because UDP is a
    connectionless protocol. The technique is to send a garbage UDP packet to
    the desired port. Most machines will respond with an ICMP "destination port
    unreachable" message, indicating that no service is listening at that port.
    However, many machines throttle ICMP messages, so you can't do this very
    fast.
    <DT>
    <H3><A name=1.9.4>1.9.4 OS identification</A></H3>
    <DD>By sending illegal (or strange) ICMP or TCP packets, an intruder can
    identify the operating system. Standards usually state how machines should
    respond to legal packets, so machines tend to be uniform in their response
    to valid input. However, standards omit (usually intentionally) the response
    to invalid input. Thus, each operating system's unique responses to invalid
    inputs form a signature that hackers can use to figure out what the target
    machine is. This type of activity occurs at a low level (like stealth TCP
    scans) that systems do not log.
    <DT>
    <H3><A name=1.9.5>1.9.5 Account scans</A></H3>
    <DD>Tries to log on with accounts such as:
    <UL>
      <LI>Accounts with no passwords
      <LI>Accounts with the password the same as the username, or "password".
      <LI>Default accounts that were shipped with the product (a common problem
      on SGI, done to make setup easier)
      <LI>Accounts installed with software products (common on Microsoft as well
      as Unix, caused by products that run under their own special user
      account).
      <LI>Anonymous FTP problems (CWD ~root)
      <LI>Scan for rlogin/rsh/rexec ports, which may support trusted logins.
      </LI></UL></DD></DL>
  <DT>
  <H2><A name=1.10>1.10 What are some common DoS (Denial of Service)
  attacks?</A></H2>
  <DD>
  <DL>
    <DT>
    <H3><A name=1.10.1>1.10.1 Ping-of-Death</A></H3>
    <DD>Sends an invalid fragment, which starts before the end of the packet but
    extends past the end of the packet.
    <DT>
    <H3><A name=1.10.2>1.10.2 SYN Flood</A></H3>
    <DD>Sends TCP SYN packets (which start connections) very fast, leaving the
    victim waiting to complete a huge number of connections, causing it to run
    out of resources and drop legitimate connections. A new defense against
    this is "SYN cookies". Each side of a connection has its own
    sequence number. In response to a SYN, the attacked machine creates a
    special sequence number that is a "cookie" of the connection, then forgets
    everything it knows about the connection. It can then recreate the forgotten
    information about the connection when the next packets come in from a
    legitimate connection.
    <DT>
    <H3><A name=1.10.3>1.10.3 Land/Latierra</A></H3>
    <DD>Sends a forged SYN packet with identical source/destination address/port
    so that the system goes into an infinite loop trying to complete the TCP
    connection.
    <DT>
    <H3><A name=1.10.4>1.10.4 WinNuke</A></H3>
    <DD>Sends OOB/URG data on a TCP connection to port 139 (NetBIOS
    Session/SMB), which causes the Windows system to hang. </DD></DL>
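  <P>Added example (not from the FAQ or any particular TCP stack): the SYN cookie defense from 1.10.2 worked through in Python. <CODE>make_cookie()</CODE> produces the special sequence number for the SYN-ACK and the server then stores nothing; <CODE>check_ack()</CODE> rebuilds the forgotten connection state from the client's final ACK, and rejects stale or forged ACKs. The cookie layout follows the classic 5/3/24-bit scheme, but the hash, MSS table, secret and the caller-supplied minute counter are this example's own choices.</P>

```python
"""SYN cookie creation and verification, the SYN flood defense in 1.10.2.

Added example, not from the FAQ or any particular TCP stack. The cookie
layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) follows the
classic scheme, but the hash function, MSS table, secret and the "minute"
counter passed in by the caller are this example's own choices.
"""
import hashlib
import hmac

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values encodable in the 3-bit field
COUNTER_MASK = 0x1F                   # 5-bit counter of coarse time (minutes)
MAX_AGE = 2                           # accept cookies up to 2 ticks old
MASK32 = 0xFFFFFFFF

# Constructed secret; a real stack keeps it in kernel memory and rotates it.
SECRET = b"example-secret-not-for-production"


def _mac24(saddr, daddr, sport, dport, count):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def mss_index(mss):
    """Largest table entry not above the MSS the client offered."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, minute):
    """Server ISN for the SYN-ACK. After sending it the server stores nothing."""
    count = minute & COUNTER_MASK
    mac = int.from_bytes(_mac24(saddr, daddr, sport, dport, count), "big")
    cookie = (count << 27) | (mss_index(mss) << 24) | mac
    # Adding the client's ISN binds the cookie to this particular SYN.
    return (client_isn + cookie) & MASK32


def check_ack(saddr, daddr, sport, dport, ack, seq, minute):
    """Recreate the forgotten state from the client's final ACK.

    `ack` is the ACK number (our ISN + 1) and `seq` the client's sequence
    number (its ISN + 1). Returns the MSS to use, or None if the cookie is
    invalid or stale, meaning no handshake of ours matches this ACK.
    """
    client_isn = (seq - 1) & MASK32
    cookie = (ack - 1 - client_isn) & MASK32
    count = (cookie >> 27) & COUNTER_MASK
    idx = (cookie >> 24) & 0x7
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if (minute - count) & COUNTER_MASK > MAX_AGE:
        return None                                   # too old or replayed
    if idx >= len(MSS_TABLE):
        return None                                   # impossible MSS field
    if not hmac.compare_digest(mac, _mac24(saddr, daddr, sport, dport, count)):
        return None                                   # not one of our cookies
    return MSS_TABLE[idx]
```

A flood of SYNs from forged addresses therefore costs the server only the hash per SYN-ACK, and an ACK that was never preceded by a cookie of ours fails the MAC check.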
  <DT>
  <H2><A name=1.11>1.11 How much danger from intrusions is there?</A></H2>
  <DD>I frequently hear from people the statement "There's nothing on the system
  that anybody would want anyway". I walk them through various scenarios, such
  as simple ones: whether they've ever paid for anything on-line with a credit
  card, or whether they have any financial records or social security number on
  their personal machine.
  <P>More importantly, there is the issue of legal liability. You are
  potentially liable for damages caused by a hacker using your machine. You must
  be able to prove to a court that you took "reasonable" measures to defend
  yourself from hackers. For example, consider if you put a machine on a fast
  link (cable modem or DSL) and left administrator/root accounts open with no
  password. Then if a hacker breaks into that machine and uses that machine to
  break into a bank, you may be held liable because you did not take the most
  obvious measures in securing the machine.
  <P>There is a good paper <I><A
  href="http://www.cert.org/research/JHThesis/Start.html"
  target=_blank>http://www.cert.org/research/JHThesis/Start.html</A></I> by John
  D. Howard that discusses how much hacking goes on over the Internet, and how
  much danger you are in. </P>
  <DT>
  <H2><A name=1.12>1.12 Where can I find current statistics about
  intrusions?</A></H2>
  <DD>
  <DL>
    <DT>CyberNotes by NIPC (<A
    href="http://www.fbi.gov/nipc/welcom.htm">http://www.fbi.gov/nipc/welcom.htm</A>)
    <DD>CyberNotes is published every two weeks by the National Infrastructure
    Protection Center (NIPC). Its mission is to support security and information
    system professionals with timely information on cyber vulnerabilities,
    hacker exploit scripts, hacker trends, virus information, and other critical
    infrastructure-related best practices.
    <P>The NIPC was set up by the FBI in mid 1998, and its first major activity
    was to help track down the source of the Melissa virus (W97M.Melissa). The
    CyberNotes archive goes back to January 1999. </P>
    <DT>AusCERT Consolidated Statistics Project (<A
    href="http://www.auscert.org.au/Information/acsp/index.html">http://www.auscert.org.au/Information/acsp/index.html</A>)
    <DD>A project to collect intrusion statistics from around the web and
    consolidate them. They want people to join and send them info.
    <DT>An Analysis Of Security Incidents On The Internet 1989 - 1995 (<A
    href="http://www.cert.org/research/JHThesis/Start.html">http://www.cert.org/research/JHThesis/Start.html</A>)
    <DD>A dissertation by John D. Howard, Carnegie Mellon University
    <DT>CERT Reports, Articles, and Presentations (<A
    href="http://www.cert.org/nav/reports.html">http://www.cert.org/nav/reports.html</A>)
    <DD>CERT has a number of historical statistics on intrusions, but they
    aren't nearly as up-to-date as the NIPC.
    <DT>1999 CSI-DBI Survey (<A
    href="http://www.gocsi.com/summary.htm">http://www.gocsi.com/summary.htm</A>)
    or (<A
    href="http://www.gocsi.com/prelea990301.htm">http://www.gocsi.com/prelea990301.htm</A>)
    <DD>CSI (Computer Security Institute) does a number of surveys about
    intrusions and security </DD></DL>
  <DT>
  <H1><A name=3D2.>2. Architecture</A></H1>
  <DD>
  <DT>
  <H2><A name=3D2.1>2.1 How are intrusions detected?</A></H2>
  <DD>
  <DL>
    <DT><B>2.1.1 Anomaly detection</B>
    <DD>The most common way people approach network intrusion detection =
is to=20
    detect statistical anomalies. The idea behind this approach is to =
measure a=20
    "baseline" of such stats as CPU utilization, disk activity, user =
logins,=20
    file activity, and so forth. Then, the system can trigger when there =
is a=20
    deviation from this baseline.=20
    <P>The benefit of this approach is that it can detect the anomalies =
without=20
    having to understand the underlying cause behind the anomalies.=20
    <P>For example, let's say that you monitor the traffic from =
individual=20
    workstations. Then, the system notes that at 2am, a lot of these=20
    workstations start logging into the servers and carrying out tasks. =
This is=20
    something interesting to note and possibly take action on. </P>
    <DT><B>2.1.2 Signature recognition</B>
    <DD>The majority of commercial products are based upon examining the =
traffic=20
    looking for well-known patterns of attack. This means that for every =
hacker=20
    technique, the engineers code something into the system for that =
technique.=20
    <P>This can be as simple as a pattern match. The classic example is =
to=20
    example every packet on the wire for the pattern "/cgi-bin/phf?", =
which=20
    might indicate somebody attempting to access this vulnerable CGI =
script on a=20
    web-server. Some IDS systems are built from large databases that =
contain=20
    hundreds (or thousands) of such strings. They just plug into the =
wire and=20
    trigger on every packet they see that contains one of these strings. =

    </P></DD></DL>
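The two approaches in 2.1, side by side, as an added example (not code from the FAQ): a signature scan over packet payloads in the style of 2.1.2, and a per-hour login baseline with a deviation check in the style of 2.1.1. The payloads, the signature list and the login counts are constructed sample data, not captured traffic; the "40 logins at 2am" figure is simply the scenario the FAQ describes.

```python
"""Added example for 2.1: signature recognition and anomaly detection.

Not code from the FAQ. Packet payloads, the signature list and the login
counts below are constructed sample data, not captured traffic.
"""
from statistics import mean, pstdev

# 2.1.2 Signature recognition: a (constructed) database of strings that a
# signature-based NIDS would look for in every packet it sees.
SIGNATURES = {
    b"/cgi-bin/phf?": "phf CGI probe",
    b"/cgi-bin/test-cgi": "test-cgi probe",
}


def match_signatures(payload):
    """Return the names of every signature that occurs in one payload."""
    return [name for pattern, name in SIGNATURES.items() if pattern in payload]


def scan_packets(packets):
    """packets: iterable of (src, dst, payload). Returns (src, dst, name) hits."""
    hits = []
    for src, dst, payload in packets:
        for name in match_signatures(payload):
            hits.append((src, dst, name))
    return hits


# 2.1.1 Anomaly detection: learn what "normal" looks like per hour of day,
# then alert on a deviation without knowing what caused it.
def build_baseline(history):
    """history: {hour: [daily login counts]}. Returns {hour: (mean, stddev)}."""
    return {hour: (mean(counts), pstdev(counts)) for hour, counts in history.items()}


def anomalous_hours(baseline, today, k=3.0, floor=2.0):
    """Hours whose count today exceeds the baseline mean by more than k
    standard deviations. `floor` is a minimum stddev so that a normally
    silent hour (stddev near zero) does not alert on a single extra login."""
    flagged = []
    for hour, count in today.items():
        mu, sigma = baseline[hour]
        if count - mu > k * max(sigma, floor):
            flagged.append(hour)
    return flagged


# Constructed sample data.
PACKETS = [
    ("10.0.0.5", "192.0.2.10", b"GET /index.html HTTP/1.0\r\n"),
    ("10.0.0.7", "192.0.2.10", b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
    ("10.0.0.9", "192.0.2.10", b"GET /cgi-bin/test-cgi?* HTTP/1.0\r\n"),
]
LOGIN_HISTORY = {  # a week of per-hour login counts to the servers
    2: [0, 1, 0, 0, 1, 0, 0],
    9: [50, 55, 48, 52, 49, 51, 53],
    14: [60, 62, 61, 59, 60, 61, 60],
}
LOGINS_TODAY = {2: 40, 9: 54, 14: 63}  # 40 logins at 2am is the 2.1.1 scenario

if __name__ == "__main__":
    for src, dst, name in scan_packets(PACKETS):
        print("signature hit: %s -> %s %s" % (src, dst, name))
    baseline = build_baseline(LOGIN_HISTORY)
    for hour in anomalous_hours(baseline, LOGINS_TODAY):
        print("anomaly: %d logins at hour %02d, baseline %.1f"
              % (LOGINS_TODAY[hour], hour, baseline[hour][0]))
```

The signature side knows exactly what it found but only finds what it was told about; the anomaly side flags the 2am burst with no idea why it happened, and the `floor` parameter is what keeps a quiet hour from alerting on a single stray login.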
  <DT>
  <H2><A name=3D2.2>2.2 How does a NIDS match signatures with incoming=20
  traffic?</A></H2>
  <DD>
  <P>Traffic consists of IP datagrams flowing across a network. A NIDS =
is able=20
  to capture those packets as they flow by on the wire. A NIDS consists =
of a=20
  special TCP/IP stack that reassembles IP datagrams and TCP streams. It =
then=20
  applies some of the following techniques:=20
  <P><B>Protocol stack verification</B> A number of intrusions, such as=20
  "Ping-O-Death" and "TCP Stealth Scanning" use violations of the =
underlying IP,=20
  TCP, UDP, and ICMP protocols in order to attack the machine. A simple=20
  verification system can flag invalid packets. This can include valid but
  suspicious behavior, such as heavily fragmented IP packets.
  <P><B>Application protocol verification</B> A number of intrusions use =
invalid=20
  protocol behavior, such as "WinNuke", which uses invalid NetBIOS =
protocol=20
  (adding OOB data) or DNS cache poisoning, which has a valid but unusual
  signature. In order to effectively detect these intrusions, a NIDS
must=20
  re-implement a wide variety of application-layer protocols in order to =
detect=20
  suspicious or invalid behavior.=20
  <P><B>Creating new loggable events</B> A NIDS can be used to extend =
the=20
  auditing capabilities of your network management software. For =
example, a NIDS=20
  can simply log all the application layer protocols used on a machine.=20
  Downstream event log systems (WinNT Event, UNIX syslog, SNMP TRAPS, =
etc.) can=20
  then correlate these extended events with other events on the network. =
</P>
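What the "special TCP/IP stack" of 2.2 actually has to do before any signature can be matched, as an added example (not code from the FAQ): parse the IP and TCP headers, sanity-check them (protocol stack verification: flag combinations no real stack sends, and first fragments too small to carry the TCP header), and put out-of-order TCP segments back into a stream. All packets are constructed with `struct`, not captured, and IP checksums are left at zero because this code does not verify them.

```python
"""Added example for 2.2: header parsing, protocol stack verification and
TCP reassembly. Not code from the FAQ; all packets are constructed here.
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_MF = 0x2000  # "more fragments" bit of the IPv4 flags/fragment-offset field


def parse_ipv4(packet):
    """Decode the fixed 20-byte IPv4 header; returns fields plus the payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len, "id": ident,
        "mf": bool(frag & IP_MF), "frag_off": (frag & 0x1FFF) * 8, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": packet[ihl:],
    }


def parse_tcp(segment):
    """Decode the fixed 20-byte TCP header; returns fields plus the payload."""
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "payload": segment[data_off:]}


def check_tcp_flags(flags):
    """Flag combinations no real TCP stack sends; classic stealth-scan probes."""
    problems = []
    if flags == 0:
        problems.append("NULL scan (no flags set)")
    if flags & TCP_SYN and flags & TCP_FIN:
        problems.append("SYN and FIN set together")
    if flags == TCP_FIN | TCP_PSH | TCP_URG:
        problems.append("XMAS scan (FIN+PSH+URG)")
    if flags == TCP_FIN:
        problems.append("lone FIN (stealth scan)")
    return problems


def inspect(packet):
    """Protocol stack verification for one IPv4 packet. Returns a list of
    reasons it is invalid or suspicious; an empty list means it looks normal."""
    ip = parse_ipv4(packet)
    problems = []
    if ip["version"] != 4 or ip["ihl"] < 20:
        problems.append("bad IP header")
    # A first fragment too short to hold the TCP header keeps ports and
    # flags out of sight of anything that only looks at the first fragment.
    if ip["mf"] and ip["frag_off"] == 0 and len(ip["payload"]) < 20:
        problems.append("tiny first fragment (TCP header split across fragments)")
    if ip["proto"] == 6 and ip["frag_off"] == 0 and len(ip["payload"]) >= 20:
        problems.extend(check_tcp_flags(parse_tcp(ip["payload"])["flags"]))
    return problems


def reassemble(segments):
    """Join (seq, payload) segments into a stream regardless of arrival order.
    Overlaps are resolved in favour of the earlier segment ("first wins");
    real stacks differ here, which is itself an evasion vector. Stops at a gap."""
    stream = bytearray()
    base = None
    for seq, data in sorted(segments, key=lambda s: s[0]):
        if base is None:
            base = seq
        offset = seq - base
        if offset > len(stream):
            break  # data missing before this segment; cannot continue
        stream += data[len(stream) - offset:]
    return bytes(stream)


# Builders for constructed test packets (not real traffic).
def build_tcp(sport, dport, seq, flags, payload=b"", ack=0):
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0) + payload


def build_ipv4(src, dst, payload, proto=6, ident=1, mf=False, frag_off=0):
    frag = (IP_MF if mf else 0) | (frag_off // 8)
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag, 64, proto, 0,
                       addr(src), addr(dst)) + payload
```

The reassembly step is why a pattern such as "/cgi-bin/phf?" split across two segments, or sent out of order, is still visible to a NIDS with its own stack and invisible to one that only looks at individual packets.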
  <DT>
  <H2><A name=3D2.4>2.4 What happens after a NIDS detects an =
attack?</A></H2>
  <DD>
  <DL>
    <DT><B>Reconfigure firewall</B>
    <DD>Configure the firewall to filter out the IP address of the =
intruder.=20
    However, this still allows the intruder to attack from other =
addresses.=20
    Check Point firewalls support a "Suspicious Activity Monitoring Protocol
    (SAMP)" for configuring firewalls this way, as part of Check Point's "OPSEC"
    standard for re-configuring firewalls to block the offending IP address.
    <DT><B>chime</B>
    <DD>Beep or play a .WAV file. For example, you might hear a =
recording "You=20
    are under attack".=20
    <DT><B>SNMP Trap</B>
    <DD>Send an SNMP Trap datagram to a management console like HP =
OpenView,=20
    Tivoli, Cabletron Spectrum, etc.=20
    <DT><B>NT Event</B>
    <DD>Send an event to the WinNT event log.=20
    <DT><B>syslog</B>
    <DD>Send an event to the UNIX syslog event system.=20
    <DT><B>send e-mail</B>
    <DD>Send e-mail to an administrator to notify of the attack.=20
    <DT><B>page</B>
    <DD>Page (using normal pagers) the system administrator.=20
    <DT><B>Log the attack</B>
    <DD>Save the attack information (timestamp, intruder IP address, =
victim IP=20
    address/port, protocol information).=20
    <DT><B>Save evidence</B>
    <DD>Save a tracefile of the raw packets for later analysis.=20
    <DT><B>Launch program</B>
    <DD>Launch a separate program to handle the event.=20
    <DT><B>Terminate the TCP session</B>
    <DD>Forge TCP RST segments to both ends of the connection, using the
    sequence numbers observed on the wire, to tear it down. A forged FIN is
    sometimes used instead, but it only half-closes the stream and does not
    reliably terminate it. </DD></DL>
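The "terminate the TCP session" response above, as an added example (not code from the FAQ): given one segment the sensor saw going from client to server, build the RST each end will accept, with the TCP checksum computed over the IPv4 pseudo-header. The session parameters are constructed and nothing is sent; a real sensor would write these segments to a raw socket.

```python
"""Added example for 2.4 "Terminate the TCP session": the forged segments a
sensor would inject to kill a connection it has observed. Not code from the
FAQ; the session parameters are constructed and nothing is put on the wire.
"""
import struct

TCP_RST_ACK = 0x04 | 0x10


def ip2bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def checksum(data):
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum also covers (RFC 793)."""
    return ip2bytes(src_ip) + ip2bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_rst(src_ip, dst_ip, sport, dport, seq, ack):
    """A bare RST+ACK segment, window 0, with a valid checksum."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | TCP_RST_ACK, 0, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def verify_checksum(src_ip, dst_ip, segment):
    """True if the checksum is valid: the sum over everything is all ones."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_segment(segment):
    """(sport, dport, seq, ack, flags) of a TCP segment, for checking results."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return sport, dport, seq, ack, off_flags & 0x3F


def kill_session(c_ip, s_ip, c_port, s_port, seq, ack, payload_len):
    """Given one segment seen client->server (its seq, ack and payload
    length), make the RST each end will accept. Posing as the client to the
    server, the sequence number must be what the server expects next:
    seq + payload_len. Posing as the server to the client, it must be the
    client's own ack value. Each end only honours a RST whose sequence
    number falls inside its window, which is why the sensor has to track
    the session rather than merely sniff it."""
    to_server = build_rst(c_ip, s_ip, c_port, s_port, seq + payload_len, ack)
    to_client = build_rst(s_ip, c_ip, s_port, c_port, ack, seq + payload_len)
    return to_server, to_client


if __name__ == "__main__":
    # Constructed session: 10.0.0.5:40000 -> 192.0.2.10:23, 12 bytes just sent.
    ts, tc = kill_session("10.0.0.5", "192.0.2.10", 40000, 23, 1000, 5000, 12)
    print("to server:", parse_segment(ts), "checksum ok:", verify_checksum("10.0.0.5", "192.0.2.10", ts))
    print("to client:", parse_segment(tc), "checksum ok:", verify_checksum("192.0.2.10", "10.0.0.5", tc))
```

Because the pseudo-header is part of the checksum, a segment built for one pair of addresses fails verification for any other; that is also why a sensor must get the addresses right, not just the ports and sequence numbers.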
  <DT>
  <H2><A name=3D2.5>2.5 What other countermeasures besides IDS are =
there?</A></H2>
  <DD>
  <DL>
    <DT><B>Firewalls</B>
    <DD>Most people think of the firewall as their first line of =
defense. This=20
    means if intruders figure out how to bypass it (easy, especially =
since most=20
    intrusions are committed by employees inside the firewall), they =
will have=20
    free run of the network. A better approach is to think of it as the=20
    <I>last</I> line of defense: you should be pretty sure machines are=20
    configured right and intrusion detection is operating, and then =
place the=20
    firewall up just to avoid the wannabe script-kiddies. Note that =
almost any=20
    router these days can be configured with some firewall filtering. =
While=20
    firewalls protect external access, they leave the network =
unprotected from=20
    internal intrusions. It has been estimated that 80% of losses due to =

    "hackers" have been internal attacks.=20
    <DT><B>authentication</B>
    <DD>You should run scanners that automate the finding of open accounts.
    You should automatically enforce strict password policies (7 character
    minimum, including numbers, mixed case, and punctuation) using crack or
    built-in policy checkers (native in WinNT, an add-on for UNIX). You can
    also consider single-sign-on products and integrating as many password
    systems as you can, such as RADIUS/TACACS integration with UNIX or NT (for
    dial-up style login), or integrating UNIX <I>and</I> WinNT authentication
    (with existing tools, or with the Kerberos support new in Windows 2000).
    These authentication systems also help you remove "clear-text" passwords
    from protocols such as Telnet, FTP, IMAP, and POP.
    <DT><B>VPNs (Virtual Private Networks)</B>
    <DD>VPNs create a secure connection over the Internet for remote access
    (e.g. for telecommuters). Example #1: Microsoft includes a technology
    called PPTP (Point-to-Point Tunneling Protocol, which carries PPP frames
    inside GRE with a TCP control channel) built into Windows. This gives a
    machine two IP addresses, one on the Internet and a virtual one on the
    corporate network. Example #2: IPsec adds authentication and encryption to
    the IP protocol itself. While VPN vendors claim their products "enhance
    security", the reality is that they decrease corporate security. The pipe
    itself is secure (authenticated, encrypted), but either end of the pipe
    may be wide open. A home machine compromised with a backdoor or rootkit
    lets a hacker ride the VPN connection, giving full access to the other
    side of the firewall that is encrypted and therefore undetectable in
    transit.
    <DT><B>encryption</B>
    <DD>Encryption is becoming increasingly popular. You have your =
choice of=20
    e-mail encryption (PGP, SMIME), file encryption (PGP again), or file =
system=20
    encryption (BestCrypt, PGP again).=20
    <DT><B>lures/honeypots</B>
    <DD>Programs that pretend to be a service, but which do not =
advertise=20
    themselves. It can be something as simple as one of the many =
BackOrifice=20
    emulators (such as NFR's Back Officer Friendly), or as complex as an =
entire=20
    subnet of bogus systems installed for that purpose. </DD></DL>
  <DT>
  <H2><A name=3D2.6>2.6 Where do I put IDS systems on my =
network?</A></H2>
  <DD>
  <DL>
    <DT><B>network hosts</B>
    <DD>Even though network intrusion detection systems have =
traditionally been=20
    used as probes, they can also be placed on hosts (in non-promiscuous =
mode).=20
    Take for example a switched network where an employee is on the same switch
    as the CEO, who runs Win98. The Windows machine is completely defenseless,
    and has no logging capabilities that could be fed to a traditional=20
    host-based intrusion detection system. The employee could run a=20
    network-based password cracker for months without fear of being =
caught. A=20
    NIDS installed like virus scanning software is the most effective =
way to=20
    detect such intrusions.=20
    <DT><B>network perimeter</B>
    <DD>IDS is most effective on the network perimeter, such as on both =
sides of=20
    the <B>firewall</B>, near the <B>dial-up</B> server, and on links to =

    <B>partner</B> networks. These links tend to be low-bandwidth (T1 =
speeds)=20
    such that an IDS can keep up with the traffic.=20
    <DT><B>WAN backbone</B>
    <DD>Another high-value point is the corporate WAN backbone. A =
frequent=20
    problem is hacking from "outlying" areas to the main corporate =
network.=20
    Since WAN links tend to be low bandwidth, IDS systems can keep up.=20
    <DT><B>server farms</B>
    <DD>Servers are often placed on their own network, connected to switches. The
    problem these servers have, though, is that IDS systems cannot keep up with
    high-volume traffic. For extremely important servers, you may be able to
    install dedicated IDS systems that monitor just the individual server's link.
    Also, application servers tend to have lower traffic than file servers, so
    they are better candidates for IDS monitoring.
    <DT><B>LAN backbones</B>
    <DD>IDS systems are impractical for LAN backbones, because of their =
high=20
    traffic requirements. Some vendors are incorporating IDS detection =
into=20
    switches. A full IDS system that must reassemble packets is unlikely =
to keep=20
    up. A scaled-down system that detects simpler attacks but can keep =
up is=20
    likely to be a better choice. </DD></DL>
  <DT>
  <H2><A name=3D2.7>2.7 How does IDS fit with the rest of my security=20
  framework?</A></H2>
  <DD>
  <OL>
    <LI>Put firewalls between areas of the network with different security
    requirements (e.g. between the Internet and the local net, between users
    and servers, between the company and its partners).
    <LI>Use network vulnerability scanners to double check firewalls and =
to find=20
    holes that intruders can exploit.=20
    <LI>Use host policy scanners to make sure hosts conform to accepted practices
    (e.g. latest patches installed).
    <LI>Use <B>Network intrusion detection systems</B> and other packet =
sniffing=20
    utilities to see what is actually going on.=20
    <LI>Use <B>host-based intrusion detection systems</B> and virus =
scanners to=20
    flag successful intrusions.=20
    <LI>Create an easy to follow policy that clearly states the response =
to=20
    intrusions. </LI></OL>
  <DT>
  <H2><A name=3D2.8>2.8 How can I detect if someone is running a =
NIDS?</A></H2>
  <DD>A NIDS is essentially a sniffer, so therefore standard sniffer =
detection=20
  techniques can be used. Such techniques are explained in <A=20
  =
href=3D"http://www.robertgraham.com/pubs/sniffing-faq.html#detect">http:/=
/www.robertgraham.com/pubs/sniffing-faq.html#detect</A>.=20

  <P>An example would be to do a traceroute against the victim. This =
will often=20
  generate a low-level event in the IDS. Traceroutes are harmless and =
frequent=20
  on the net, so they don't indicate an attack. However, since many =
attacks are=20
  preceded by traceroutes, IDSs will log them anyway. As part of the =
logging=20
  system, it will usually do a reverse-DNS lookup. Therefore, if you run =
your=20
  own DNS server, then you can detect when somebody is doing a =
reverse-DNS=20
  lookup on your IP address in response to your traceroute. </P>
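The reverse-DNS trick described above, as an added example (not code from the FAQ): if you run the reverse zone for your own address, a PTR query for it that arrives from the probed site's resolver shortly after your traceroute is a good sign something there logged the probe and resolved your address. The query-log lines are constructed in the general shape of a BIND query log (timestamp, client, query name, type); the exact format of your own server's log will differ, and the regular expression is the part to adapt.

```python
"""Added example for 2.8: spotting the reverse-DNS lookup an IDS makes when
it logs your traceroute. Not code from the FAQ. The log lines are
constructed in the shape of a BIND query log; adapt LOG_RE to your server.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\w+)"
)


def ptr_name(ip):
    """The in-addr.arpa name whose PTR record names this IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def parse_query_log(lines):
    """Returns (time, client_ip, qname, qtype) for each line that parses."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entries.append((datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
                            m["client"], m["name"], m["type"]))
    return entries


def ptr_lookups_of(entries, my_ip):
    """(time, resolver) for every PTR query asking who my_ip is."""
    target = ptr_name(my_ip).lower()
    return [(ts, client) for ts, client, name, qtype in entries
            if qtype == "PTR" and name.lower().rstrip(".") == target]


def correlate(entries, my_ip, probes, window=timedelta(minutes=5)):
    """Match PTR lookups of my_ip to the probes (traceroutes) we sent just
    before. probes: [(time_sent, host_probed)]. Returns
    (host_probed, resolver_that_asked, seconds_after_probe) for each lookup
    that arrived within `window` after a probe."""
    hits = []
    for ts, client in ptr_lookups_of(entries, my_ip):
        for sent, host in probes:
            delay = (ts - sent).total_seconds()
            if 0 <= delay <= window.total_seconds():
                hits.append((host, client, delay))
    return hits


# Constructed sample: our address is 203.0.113.5 and we run its reverse zone.
MY_IP = "203.0.113.5"
SAMPLE_LOG = [
    "17-Jun-2001 12:01:02.100 client 203.0.113.9#1045: query: www.example.com IN A",
    "17-Jun-2001 12:07:49.512 client 198.51.100.53#53: query: 5.113.0.203.in-addr.arpa IN PTR",
    "17-Jun-2001 12:08:02.007 client 198.51.100.53#53: query: 5.113.0.203.in-addr.arpa IN PTR",
    "17-Jun-2001 12:40:10.300 client 192.0.2.22#2300: query: 5.113.0.203.in-addr.arpa IN PTR",
]
# We ran a traceroute to 198.51.100.20 at 12:07:30.
PROBES = [(datetime(2001, 6, 17, 12, 7, 30), "198.51.100.20")]

if __name__ == "__main__":
    for host, resolver, delay in correlate(parse_query_log(SAMPLE_LOG), MY_IP, PROBES):
        print("%s looked us up %.0fs after we traced %s" % (resolver, delay, host))
```

The lookup half an hour later from an unrelated resolver is deliberately left uncorrelated: PTR queries for your address happen for many reasons, and it is the timing relative to your own probe, plus the resolver's relation to the probed site, that carries the signal.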
  <DT>
  <H1><A name=3D3.>3. Policy</A></H1>
  <DD>
  <DT>
  <H2><A name=3D3.1>3.1 How do I increase intrusion detection/prevention =
under=20
  WinNT?</A></H2>
  <DD>The following lists items that make WinNT more secure, including =
detection=20
  as well as prevention. These are roughly listed in order of =
importance.=20
  <OL>
    <LI>Install the latest service packs and "hot fixes". These are =
listed at <A=20
    =
href=3D"http://www.microsoft.com/security/">http://www.microsoft.com/secu=
rity/</A>.=20
    If you are using WinNT 4.0 and you don't have Service Pack #3 (SP3)=20
    installed, an intruder can break into your system.=20
    <LI>INSTALLATION: Use NTFS instead of FAT. NTFS allows permissions =
to be set=20
    on a per-file/per-directory basis. NTFS also allows auditing on a=20
    per-file/per-directory basis. Note that many people recommend using =
FAT as=20
    the boot drive and NTFS for all other drives (due to the ease-of-use =
in=20
    using DOS to fix things on a FAT drive). However, using NTFS for all =
drives=20
    is definitely more secure.=20
    <LI>USRMGR: Rename the "administrator" account. A common attack is =
to use a=20
    Dictionary or brute force attack on the "administrator" account. =
Normal=20
    accounts can be configured to automatically (and temporarily) "lock =
out"=20
    after a few failed password attempts. However, this feature isn't =
possible=20
    for the administrator account because this allows a denial of =
service attack=20
    (i.e. prevent administration of the machine by locking out the =
administrator=20
    account).=20
    <LI>USRMGR: Create a new account named "administrator" for detecting =

    intrusion attempts.=20
    <LI>USRMGR: Disable the "guest" account. You may also want to rename =
this=20
    account as (much like "administrator"). Once you've renamed the =
"guest"=20
    account, you may want to create a new account named "guest" for =
detecting=20
    hacking attempts.=20
    <LI>NTFS: Disable "write" access for "Everyone" on the=20
    <CODE>%systemroot%/system32</CODE> directory.=20
    <LI>REGEDT32: Turn on auditing for "HKEY_LOCAL_MACHINE\Security" in =
order to=20
    detect remote registry browsing.=20
    <LI>INSTALLATION: Do not install in "C:\WINNT" directory. Sometimes=20
    intruders will be able to access files if they know the filename; =
installing=20
    in some other directory prevents a priori knowledge. Better yet, =
install in=20
    C:\WINNT, then reinstall in some other directory, then turn auditing =
on=20
    within that directory to alert you to people accessing those older =
files.=20
    <LI>INSTALLATION: Use the boot partition only for booting and for =
system=20
    files. Put data and applications on a separate partition. It is also =
a good=20
    idea to separate applications from data.=20
    <LI>CONTROLPANEL: Enable "Password Protected" on the screensaver. =
The best=20
    screensaver is "Blank Screen". You would think that screensavers run =
at idle=20
    priority, but this isn't always the case, so you can increase the=20
    performance of your server by using "Blank Screen". Also, this will =
reduce=20
    power consumption in monitors, especially those that can detect a =
blank=20
    screen and turn themselves off. Finally, some screensavers (i.e. =
PointCast)=20
    are probably hackable.=20
    <LI>REGEDT32: Turn off automatic sharing of ADMIN$, C$, D$, etc. via =
the=20
    "AutoShare" parameter in the registry. This parameter is under=20
    =
"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parame=
ters",=20
    and is "AutoShareServer" for WinNT Server or "AutoShareWks" for =
WinNT=20
    Workstation. This is a DWORD, with a value of '1' for enabled =
(default), or=20
    a value of '0' for disabled. You will have to add the value yourself =
because=20
    it doesn't already exist in the registry.=20
    <LI>REGEDT32: Turn off disclosure of account/share information via anonymous
    access. Add
    "RestrictAnonymous" DWORD with a value of "1" to the registry key=20
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" Note that =
if you=20
    see an error "Could not find domain controller for this domain." =
while=20
    setting domain trust relationships, you may have to change it back.=20
    <LI>USRMGR: If you are using Domains (rather than Workgroups), =
change the=20
    user right "Access this computer from the network" to "Authenticated =
Users"=20
    rather than "Everyone". This disables remote access via local =
accounts on=20
    your machine, and allows only access through domain accounts.=20
    <LI>PASSPROP: Enable lockout of the "administrator" account for =
remote=20
    access. This enables the situation where the remote intruder fails =
to guess=20
    the correct password after three tries. After lock-out, the =
administrator=20
    can only log in locally at the system console. You can also disable =
remote=20
    administrator access completely in USRMGR by removing the right =
"Access this=20
    computer from the network" from "Administrators", but this disables =
all=20
  remote administration, which makes administration too difficult in a large
  WinNT environment. </LI></OL>
  <P>Also consider physical intrusion prevention network wide. John =
Kozubik=20
  suggests using login scripts to force the built-in password protected=20
  screen-saver. In the login script, include the line like: <PRE>regedit =
/s \\MY_PDC\netlogon\scrn.reg
</PRE>And in the file "scrn.reg", put the text: <PRE>REGEDIT4
[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveTimeOut"=3D"1800"
"ScreenSaveActive"=3D"1"
"SCRNSAVE.EXE"=3D"c:\winnt\system32\logon.scr"
"ScreenSaverIsSecure"=3D"1"
</PRE>This will trigger the password prompt to appear 30-minutes after a =
user=20
  is away from the desktop (it doesn't log them out; just forces them to =

  re-enter the password before they have access again).=20
  <DT>
  <H2><A name=3D3.2>3.2 How do I increase intrusion detection/prevention =
under=20
  Win95/Win98?</A></H2>
  <DD>This section assumes you are a home user using Win95/Win98 to =
access the=20
  Internet. Win95/Win98 has no auditing or logging capabilities; you =
really=20
  should upgrade to WinNT if you are using the system for any serious =
purpose.=20
  <P>The following are techniques for the typical user:=20
  <OL>
    <LI>Install the latest patches (of course).=20
    <LI>Turn off print sharing. When print sharing is turned on, the =
system=20
    creates a PRINTER$ share that allows remote systems to access =
printer=20
    drivers from the local system32 directory. Unfortunately, this =
allows remote=20
    systems to access non-driver files, such as the Win95 password file=20
    (combined with other Win95 bugs).=20
    <LI>Turn off file sharing. As a home user, you probably don't need =
it. If=20
    you must share files, make sure that you choose a strong password, =
and only=20
    turn it on for brief moments while you need to share the files, then =
turn it=20
    off again.=20
    <LI>(more forthcoming) </LI></OL>
  <P>John Kozubik suggests the following techniques for corporate users =
(who=20
  presumably run login scripts from the servers). Since Win95/Win98 is =
so=20
  vulnerable, they provide easy penetration to the rest of the corporate =

  environment. Win95 caches passwords in easy-to-read formats, so you =
want to=20
  remove them.=20
  <DL>
    <DT><CODE>del c:\windows\*.pwl</CODE>=20
    <DD>The password cache file will be the first one intruders look =
for. It has=20
    the same name as the user name, and poorly encrypts the cached =
passwords.=20
    Beware that this deletes dial-up passwords as well, so users that =
bring=20
    their notebooks into work and connect to the network will find their =
home=20
    dial-up passwords deleted.=20
    <DT>Disable internal caching of passwords=20
    <DD>Run: <PRE>REGEDIT /s \\MY_PDC\netlogon\nocache.reg</PRE>where =
"nocache.reg"=20
    consists of: <PRE>REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ne=
twork]
"DisablePwdCaching"=3Ddword:00000001
</PRE></DD></DL>
  <DT>
  <H2><A name=3D3.3>3.3 How do I increase intrusion detection/prevention =
under=20
  UNIX?</A></H2>
  <DD>
  <OL>
    <LI>Do not install more services than you need. Every operating system I've
    administered has installed more services than you need, and every unneeded
    service is one more way in. Therefore, unless you've done your due
    diligence in removing services, your system is vulnerable to attack.
    <LI>Use 'netstat' or a TCP/UDP scanner and '<TT>rpcinfo</TT>' to =
list all=20
    services on your machine. Again, make sure that everything you don't =

    explicitly understand is turned off.=20
    <LI>(more forthcoming; frankly, I've been more of a WinNT admin lately so
    my skills are getting rusty)
    <LI>Read <A=20
    =
href=3D"ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checkli=
st">ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist</=
A>.=20
    </LI></OL>Of course, you might want to consider upgrading the =
system. There=20
  are a large number of SunOS 4.x systems out there, for example, even =
though=20
  Sun stopped "officially" supporting it many eons ago.=20
  <P><B>RedHat Case Study</B> When I first created this FAQ, I was =
working on a=20
  RedHat 5 system. After installation, it lit up like an xmas tree when =
<A=20
  class=3Ddict=20
  =
href=3D"http://www.robertgraham.com/pubs/hacking-dict.html#port-scan">por=
t=20
  scanned</A>. For example, it installs a DNS service. RedHat versions 5.0-5.2
  could be hacked via buffer overflows in the default FTP, mountd, and DNS
  services. Similarly, RedHat versions 6.0-6.1 could be hacked through the DNS
  and FTP services. The point is: even if you get the latest patched software,
  if you install the default services, your box can almost certainly be hacked.

  <P>I've been told about the <A=20
  =
href=3D"http://www.bastille-linux.org/">http://www.bastille-linux.org/</A=
>=20
  script that will take a default RedHat 6.0/6.1 system and "harden" it. I also
  recommend installing <B>ipchains</B> to firewall your connection to the
  Internet. Finally, I recommend going through <A class=dict
  href="http://www.robertgraham.com/pubs/hacking-dict.html#inetd">/etc/inetd.conf</A>
  and removing all unnecessary services. </P>
  <DT>
  <H2><A name=3D3.4>3.4 How do I increase intrusion detection/prevention =
under=20
  Macintosh?</A></H2>
  <DD>Macintoshes are 'end-user' systems, and support few services that =
can be=20
  hacked. In comparison, Windows machines are more numerous, and UNIX =
machines=20
  have a lot more interesting (hackable) services running on them. Thus, =

  Macintoshes are frequently not the target of intruders.=20
  <P>Beyond that, I know of nothing in particular. </P>
  <DT>
  <H2><A name=3D3.5>3.5 How do I increase intrusion detection/prevention =
for the=20
  enterprise?</A></H2>
  <DD>
  <P>First and foremost, create a security policy. Let's say that you =
are=20
  watching the network late in the evening and you see an intrusion =
in-progress.=20
  What do you do? Do you let the intrusion progress and collect =
evidence? Do you=20
  pull the plug? If so, do you pull the plug on the firewall between the
  intranet and the extranet? Or do you take down the entire Internet connection
  (preventing users from getting to your web site)? Who has the authority to
  pull the plug?
  <P>The priorities need to be set in place by the CEO of the =
corporation. Let's=20
  consider the scenario where you think you are being attacked, so you =
pull the=20
  plug. The users get up in arms, and complain. And, as it turns out, =
you were=20
  wrong, so your butt gets fried. Even when blatant attacks are going on,
few=20
  people pull the plug for fear of just such repercussions. Data theft =
is=20
  theoretical; ticked-off users are very real. Therefore, you need a =
policy from=20
  the very top that clearly states the importance of things and clearly =
lays out=20
  a procedure for what happens when an intrusion is suspected. [Author: =
does=20
  anybody have sample policies they can send me?]=20
  <P>Once you have the priorities straight, you need to figure out the=20
  technology. That's described in the next section. </P>
  <DT>
  <H2><A name=3D3.6>3.6 How should I implement intrusion detection my=20
  enterprise?</A></H2>
  <DD>Think about how you can configure the following systems in order =
to detect=20
  intruders:=20
  <OL>
    <LI><B>Operating Systems</B> such as WinNT and UNIX come with =
integrated=20
    logging/auditing features that can be used to monitor security =
critical=20
    resources. A section below discusses how to configure Windows and =
UNIX in=20
    order to enable intrusion detection.=20
    <LI><B>Services</B>, such as web servers, e-mail servers, and =
databases,=20
    include logging/auditing features as well. In addition, there are =
many tools=20
    that can be used to parse these files in order to discover intrusion =

    signatures.=20
    <LI><B>Network Intrusion Detection Systems</B> that watch network =
traffic in=20
    an attempt to discover intrusion attempts. A section below lists a =
number of=20
    these products.=20
    <LI><B>Firewalls</B> usually have some network intrusion detection=20
    capabilities. After all, blocking intrusions is their primary =
purpose; it=20
    would be foolish not to detect intrusions as well.=20
    <LI><B>Network management platforms</B> (such as OpenView) have =
tools to=20
    help network managers set alerts on suspicious activity. At minimum, =
all=20
    SNMP devices should send "Authentication Failure" traps and =
management=20
    consoles should alert administrators when these go off. </LI></OL>
  <DT>
  <H2><A name=3D3.7>3.7 What should I do when I've been hacked?</A></H2>
  <DD>Read CERT's intruder detection checklist at <A=20
  href=3D"ftp://ftp.cert.org/pub/tech_tips/intruder_detection_checklist" =

  =
target=3D_blank>ftp://ftp.cert.org/pub/tech_tips/intruder_detection_check=
list</A>.=20

  <P>For the most part, a good response requires that you've set up good =

  defensive measures in the first place. These include:=20
  <DL>
    <DT>incident response team
    <DD>Set up an "incident response team". Identify those people who =
should be=20
    called whenever people suspect an intrusion in progress. The =
response team=20
    needs to be "inter-departmental", and include such people as:=20
    <DL>
      <DT>upper management
      <DD>Need to identify somebody with the authority to handle =
escalated=20
      issues. For example, if the company has an online trading service, =
you=20
      need to identify somebody with enough power to "pull the plug". =
Going=20
      off-line on such a service will have a major impact -- but would =
still be=20
      better than hackers trading away people's stocks.=20
      <DT>HR (Human Resources)
      <DD>Many attacks come from internal employees. This consists of =
both=20
      serious attacks (cracking into machines) as well as nuisance =
attacks, such=20
      as browsing inappropriate servers looking for files like customer =
lists=20
      that might be left open.=20
      <DT>technical staff
      <DD>Security is often separate from normal MIS activity. If security
      personnel detect a compromised system, they need to know who in MIS they
      need to call.
      <DT>outside members
      <DD>Identify people outside the company that may be contacted. =
This might=20
      be a local ISP person (for example, helping against smurf =
attacks), the=20
      local police, or the FBI. These aren't necessarily "formal" team =
members.=20
      They might not know anything about this, or they might simply be a =
"role"=20
      (like support@localisp.net). But put their names on the list so =
that=20
      everyone knows who to call.=20
      <DT>security team
      <DD>Of course, the most important team members will be the =
security people=20
      themselves. </DD></DL>Note that not all "team members" need to be =
involved=20
    with every incident. For example, you only need to ping upper =
management on=20
    serious attacks. They may never be called upon, but they do need to =
be=20
    identified, and they do need to be prepared as to the types of =
decisions=20
    they will have to make.=20
    <DT>response procedure
    <DD>Figure out guidelines now for the response action. For example, =
you need=20
    to decide now what your priorities are between network uptime and =
intrusion:=20
    can you pull the network plug whenever you strongly suspect =
intrusion? Do=20
    you want to allow continued intrusion in order to gather evidence =
against=20
    the intruder? Decide now, and get the CEO's approval now, because =
you won't=20
    have time during the attack.=20
    <DT>lines of communication
    <DD>Figure out guidelines for communication. Do you propagate the=20
    information up the corporate food chain from your boss up to the =
CEO, or=20
    horizontally to other business units? Do you take part in incident =
reporting=20
    organizations such as FIRST (Forum of Incident Response and Security =
Teams)=20
    at <A href=3D"http://www.first.org/" =
target=3D_blank>http://www.first.org/</A>?=20
    Do you inform the FBI or police? Do you notify partners =
(vendors/customers)=20
    that have a connection to your network (and who may be compromised, =
or from=20
    whom the attack originated)? Do you hide the intrusion from the =
press? Note=20
    that the FBI has a webpage for reporting crime at: <A=20
    =
href=3D"http://www.usdoj.gov/criminal/cybercrime/reporting.htm">http://ww=
w.usdoj.gov/criminal/cybercrime/reporting.htm</A>=20

    <DT>logging procedures
    <DD>Set up your logging/auditing/monitoring procedures now; one of =
the most=20
    common thoughts after an attack is how much they wished they had =
adequate=20
    logging in the first place in order to figure out what happened.=20
    <DT>training/rehearsal
    <DD>Get training on all these issues. Each person involved needs to=20
    understand the scope of what they need to do. Also carry out dry =
runs.=20
    Assume a massive hacker penetration into your network, and drill =
what=20
    happens. Most hacker penetrations succeed because companies practice =
at=20
    being unprepared for their attack. </DD></DL>Since computer networks =
are=20
  growing so fast, there are not enough trained people to handle =
intrusions.=20
  Likewise, networks grow in an ad hoc fashion, so logging/auditing is=20
  haphazard. These conditions lead to the state that people don't know =
what to=20
  do when they've been attacked, and their networks aren't robust enough =
to=20
  recover well from the attack.=20
  <DT>
  <H2><A name=3D3.8>3.8 How should I respond when somebody tells me =
they've been=20
  hacked from my site?</A></H2>
  <DD>On the IDS mailing list, someone asked how they should respond to =
the=20
  following e-mail: <PRE>Below is a log showing a telnet connection from =
a machine within your
domain.  The machine it connected to does not offer this service =
publicly so
this can only be assumed to be an IP space probe for vulnerable =
machines.
We take this matter seriously, and hope that you will as well. Please =
take
action on this issue as is appropriate and respond to this address with =
your
 actions.
Nov  6 07:13:13 pbreton in.telnetd[31565]: refused connect from  =
xx.xx.xx.xx
</PRE>This log entry was likely generated by tcpwrappers, a facility =
that=20
  enhances logging and access control to services on UNIX. It shows an=20
  unauthorized attempt from your site to the specified machine. As =
claimed in=20
  the e-mail message, it may be an automated sweep of some sort. The =
most=20
  popular protocols people sweep with are ICMP, FTP, SMTP, NNTP, and =
Telnet.=20
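Whether one tcpwrappers "refused connect" line is a stray connection or part of a sweep is something the logs themselves can usually tell you, if you aggregate them by source. The following is an added example (not code from the FAQ): it parses lines in the syslog/tcpd shape of the one quoted in the e-mail above, groups them by source address, and separates a single refusal from a sweep across hosts or a scan across services. The log lines are constructed, with made-up source addresses in place of xx.xx.xx.xx.

```python
"""Added example for 3.8: telling a single stray "refused connect" from a
sweep. Not code from the FAQ. The log lines are constructed in the
tcpwrappers/syslog shape of the line quoted in the section, with made-up
source addresses.
"""
import re
from collections import defaultdict

TCPD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<daemon>[\w.]+)\[\d+\]: refused connect from (?P<src>\S+)"
)


def parse_refusals(lines):
    """One dict per tcpd 'refused connect' line; other syslog lines are skipped."""
    return [m.groupdict() for m in map(TCPD_RE.match, lines) if m]


def summarize(refusals):
    """Per source address: how many refusals and which (host, daemon) pairs."""
    per_src = defaultdict(lambda: {"count": 0, "targets": set()})
    for r in refusals:
        entry = per_src[r["src"]]
        entry["count"] += 1
        entry["targets"].add((r["host"], r["daemon"]))
    return dict(per_src)


def classify(summary, src, threshold=3):
    """Rough triage of one source's activity, in the spirit of the FAQ's
    'probe, not attack' reading of a single refused telnet."""
    entry = summary.get(src)
    if entry is None:
        return "no refusals"
    hosts = {h for h, _ in entry["targets"]}
    daemons = {d for _, d in entry["targets"]}
    if len(hosts) >= threshold:
        return "sweep: refused by %d different hosts" % len(hosts)
    if len(daemons) >= threshold:
        return "scan: %d different services tried" % len(daemons)
    if entry["count"] == 1:
        return "single refused connect: a probe or a typo, not an attack"
    return "repeated attempts (%d)" % entry["count"]


SAMPLE_LOG = [  # constructed; hostnames as in the quoted e-mail, addresses made up
    "Nov  6 07:13:13 pbreton in.telnetd[31565]: refused connect from 203.0.113.17",
    "Nov  6 07:13:13 pbreton in.telnetd[31566]: refused connect from 198.51.100.9",
    "Nov  6 07:13:14 mail in.telnetd[2201]: refused connect from 198.51.100.9",
    "Nov  6 07:13:14 www in.telnetd[8812]: refused connect from 198.51.100.9",
    "Nov  6 07:15:01 pbreton in.ftpd[31590]: refused connect from 198.51.100.44",
    "Nov  6 07:15:02 pbreton in.telnetd[31591]: refused connect from 198.51.100.44",
    "Nov  6 07:15:02 pbreton in.fingerd[31592]: refused connect from 198.51.100.44",
    "Nov  6 07:15:03 pbreton sshd[31600]: Accepted password for alice from 10.0.0.8",
]

if __name__ == "__main__":
    summary = summarize(parse_refusals(SAMPLE_LOG))
    for src in sorted(summary):
        print(src, "->", classify(summary, src))
```

The single refusal from 203.0.113.17 is the case the e-mail describes and gets the benign reading the FAQ gives it; the same daemon refusing one source on three different hosts, or three different daemons refusing one source on one host, is the corroborating evidence the e-mail lacked.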
  <P>In any case, this is evidence of a probe, not an attack. =
Furthermore, there=20
  is no other corroborating evidence. As pointed out by Greg Drew =
&lt;gdrew at=20
  computer dot org&gt; there could be a number of benign reasons:=20
  <UL>
    <LI>Somebody typed "telnet xx.xx.xx.xx" and mistyped the IP address. =

    <LI>Somebody meant to type "telnet xx.xx.xx.xx 25" to connect to the =
STMP=20
    service in response to receiving spam from the site. The person =
might have=20
    forgotten the "25" or mistyped "23".=20
    <LI>Somebody might have actually done a more extensive scan on the =
target=20
    machines in response to spam. I've personally done light scans =
before=20
    (finger, rusers, etc.) to track down the source of spam.=20
    <LI>May have been an honest mistake (i.e. somebody used to have an =
account=20
    on that machine, but no longer does). </LI></UL>But there are also =
some=20
  nefarious possibilities:=20
  <UL>
    <LI>Your site may have already been hacked, and the hacker is =
running scans=20
    from the compromised machine.=20
    <LI>One of your employees is using the machine to hack (I've worked =
at a=20
    company where this happened -- though since the company made =
protocol=20
    analyzers, it was kinda stupid and they were quickly detected).=20
  </LI></UL>&lt;vick at macdoon dot lerc dot nasa dot gov&gt; pointed =
out=20
  another possibility: this might be a social engineering attack. The =
message=20
  asks (commands) you to contact them to describe what actions you have =
taken.=20
  If you do so, it will tell a lot about your network:=20
  <UL>
    <LI>The target is a legal IP address (though not so interesting).=20
    <LI>Your IP address (the above message was likely sent to =
"postmaster" or=20
    some such well-known address, but you will likely respond using your =
own=20
    address.=20
    <LI>Your readiness level: if you come back with a lame response =
(such as "we=20
    can't take action because we have no log files") then they know that =
your=20
    network is prime hacking territory.=20
    <LI>This may be "social engineering spam". The sender of the message =
may be=20
    a company looking to resell intrusion detection products. =
</LI></UL>Like=20
  responding to spam, there is probably little good that can come about=20
  responding to this e-mail message (unless you find evidence that some =
hacker=20
  has been using your network as a stepping stone). It probably would be =
a good=20
  idea to check you system logs for the data/time in question, and if =
you don't=20
  have logs, now might be a good time to turn logging on.=20
  <P><B>As it turns out, the incident was benign.</B> The target network =
had=20
  reconfigured itself, and the "unauthorized" user didn't know about it =
yet, and=20
  wasn't logging in correctly. </P>
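  <P>The log check recommended above, as an added example (my code, not part of
  the original FAQ or of tcp_wrappers): it parses tcpd "connect"/"refused
  connect" syslog lines, pulls out everything logged near the time quoted in a
  complaint, and flags clients that touched several different daemons, which is
  what a sweep looks like as opposed to one mistyped telnet. The log lines are
  constructed with documentation addresses, and the year (which syslog omits)
  is an assumed parameter.</P>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of syslog lines in the format tcp_wrappers (tcpd) writes.
# Not real traffic: the addresses are documentation ranges. 192.0.2.7 touches
# three different daemons within a minute, which is what a service sweep looks
# like; the others are single connections.
SAMPLE_LOG = """\
Nov  6 07:12:58 pbreton in.ftpd[31560]: refused connect from 192.0.2.7
Nov  6 07:13:13 pbreton in.telnetd[31565]: refused connect from 192.0.2.7
Nov  6 07:13:20 pbreton sendmail[31570]: refused connect from 192.0.2.7
Nov  6 07:14:02 pbreton in.telnetd[31580]: connect from 198.51.100.4
Nov  6 09:30:00 pbreton in.telnetd[31999]: refused connect from 203.0.113.9
"""

# "<month> <day> <hh:mm:ss> <host> <daemon>[<pid>]: (refused )connect from <client>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<daemon>[\w.-]+)\[\d+\]: (?P<verdict>refused connect|connect) from (?P<src>\S+)$"
)

def parse_line(line, year=2000):
    """Return a dict for one tcpd log line, or None for lines in another format.
    syslog omits the year, so the caller supplies it (2000 is an assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "daemon": m["daemon"],
            "refused": m["verdict"] == "refused connect", "src": m["src"]}

def parse_log(text, year=2000):
    return [e for e in (parse_line(l, year) for l in text.splitlines()) if e]

def events_near(entries, when, window_minutes=5):
    """Everything logged within +/- window of the time quoted in the complaint.
    Clock skew between the two sites is why a window is used, not an exact match."""
    delta = timedelta(minutes=window_minutes)
    return [e for e in entries if abs(e["ts"] - when) <= delta]

def sweep_sources(entries, min_services=2):
    """Clients that touched several different daemons: the shape of a sweep rather
    than one mistyped 'telnet' command. Returns {src: [daemons...]}."""
    by_src = defaultdict(set)
    for e in entries:
        by_src[e["src"]].add(e["daemon"])
    return {src: sorted(d) for src, d in by_src.items() if len(d) >= min_services}

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    reported = entries[1]["ts"]          # the time quoted in the e-mail above
    for e in events_near(entries, reported):
        print(e["ts"], e["daemon"], "refused" if e["refused"] else "allowed", e["src"])
    print("sweep candidates:", sweep_sources(entries))
```

  <P>Run against your own <CODE>/var/log/messages</CODE> (or wherever tcpd
  logs), the interesting output is the sweep candidates: a single refused
  telnet is noise, the same client hitting ftp, telnet and smtp within a
  minute is worth following up.</P>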
  <DT>
  <H2><A name=3.9>3.9 How do I collect enough evidence about the
  hacker?</A></H2>
  <DD>An interesting field of IDS is collecting enough information about the
  incident to identify the hacker. This can be very hard because truly elite
  hackers will be bouncing their attacks through another compromised system,
  so the address you see belongs to a victim, not the attacker. Hackers will
  also often employ IP address spoofing, which may make attacks appear to come
  from machines that aren't even turned on. (Spoofing is practical for
  single-packet probes and floods; a completed TCP connection generally comes
  from the address it claims, though that machine may itself be a stepping
  stone.)
  <P>As far as I can tell, the best technique is to collect as much information
  as you can. For example, I've put a packet sniffer capturing to tracefiles on
  our T-1 line saving to files on a 16-gigabyte disk (most any sniffing program
  on most platforms can do this). You may not think it fun, but I enjoy perusing
  these files. It's amazing how many TCP/UDP scans and other probes I see on a
  regular basis.
  <P>Likewise, you should make sure you have full auditing and logging enabled
  on any/all systems exposed to the Internet, and that the clocks on those
  systems and on the sniffer agree, so that entries from different sources can
  be matched up. These will help you figure out what happened when you were
  hacked.
  <P></P>
  <DT>
  <H1><A name=4.>4. Products</A></H1>
  <DD>This section discusses the major network IDS products.
  <DT>
  <H2><A name=4.1>4.1 What freeware/shareware intrusion detection systems are
  available?</A></H2>
  <DD>The most complete list on the net seems to be the <I>COAST Intrusion
  Detection System Resources page</I> at <A
  href="http://www.cs.purdue.edu/coast/ids">http://www.cs.purdue.edu/coast/ids</A>.
  <P>See sections 4.3 and 4.5 below for a discussion of some freeware
  technologies. </P>
  <DT>
  <H2><A name=4.2>4.2 What commercial intrusion detection systems are
  available?</A></H2>
  <DD><SMALL>Note: I've removed the table of info because it has gotten
  dangerously out-of-date</SMALL>
  <P>Reviews can be found at:
  <UL>
    <LI><A
    href="http://www.nwc.com/1023/1023f19.html">http://www.nwc.com/1023/1023f19.html</A>
    </LI></UL>
  <P>Several of these have comments from the vendors themselves that they
  e-mailed me. Also note that this information can quickly become out of date.
  The industry has gone through several major changes since I started this
  document.
  <P>The site <A
  href="http://www.internations.net/uk/talisker/">http://www.internations.net/uk/talisker/</A>
  has done a good job of wading through the marketing hype and pulling out the
  salient points about each of the commercial products.
  <DL>
    <DT>
    <H3><A name=4.2.0>4.2.0 BlackICE by Network ICE</A></H3>
    <DD>Vendor comments:
    <BLOCKQUOTE>BlackICE has multiple versions. The core is built around
      "BlackICE Sentry", a full network-based intrusion detection system. There
      are also host/hybrid versions that run on Windows desktops with a built-in
      personal firewall.
      <P>The list of intrusions it detects is at: <A
      href="http://www.networkice.com/advICE/Intrusions">http://www.networkice.com/advICE/Intrusions</A>
      <P>Distinguishing features of BlackICE Sentry are:
      <UL>
        <LI>Full 7-layer, stateful, protocol analysis
        <LI>Anti-evasion techniques (handles fragmentation, <A
        href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#whisker">whisker</A>
        scans, a whole suite of signature changing attacks)
        <LI>Extremely fast, easily handles full 100-mbps bandwidth. </LI></UL>
      <P>Go to <A
      href="http://www.networkice.com/">http://www.networkice.com/</A> for more
      information. </P></BLOCKQUOTE>
    <DT>
    <H3><A name=4.2.1>4.2.1 CyberCop Monitor by Network Associates,
    Inc.</A></H3>
    <DD>Vendor comments:
    <BLOCKQUOTE>CyberCop Monitor is a hybrid host/network based IDS that
      analyzes network traffic to and from the host as well as Windows NT
      EventLog audit trails and Windows NT authentication activity.
      <P>
      <UL>
        <LI>Developed under the Microsoft Management Console user interface,
        both CyberCop Monitor and the SMI Console integrate to provide an easy
        to use graphical interface for local / remote reporting, and remote
        installation.
        <LI>Configuration editor allows for custom settings and thresholds to
        suit every environment, including security profiles, account groups,
        time and subnets.
        <LI>Extensive filtering using ordered filter rules for each signature.
        <LI>Report coalescing feature suppresses denial of service on the IDS
        itself.
        <LI>Report collating of monitoring and scanning information per system
        with trend analysis options, including 3D charting and graphing from an
        SQL database. </LI></UL>
      <P>Go to &lt;<A href="http://www.nai.com/">http://www.nai.com/</A>&gt; for
      more information.
      <P><SMALL>CyberCop Monitor was written from the ground up by NAI. There is
      NO connection with the CyberCop Network v.1.0 product developed by Network
      General/WheelGroup or the Haystack product from TIS - This was aging
      technology and shelved some months after each subsequent acquisition.
      </SMALL></P></BLOCKQUOTE>
    <DT>
    <H3><A name=4.2.2>4.2.2 RealSecure by Internet Security Systems (ISS),
    Inc.</A></H3>
    <DD>Vendor comments:
    <BLOCKQUOTE>Internet Security Systems is the first and only company that
      has tied both intrusion detection (ISS RealSecure) and vulnerability
      detection (ISS Internet Scanner) into an integrated security platform for
      organizations to help plan, analyze, and manage their security on a
      continuous basis. ISS RealSecure is a component of the ISS SAFEsuite family
      of products that cover managing security risk across the enterprise. ISS
      RealSecure is the market-leader in Intrusion Detection with an integrated
      host and network based solution. ISS RealSecure comes with over 400 attack
      signatures with the ability for customers in both the network and host
      based solution to add or modify their own signatures. </BLOCKQUOTE>
    <DT>
    <H3><A name=4.2.3>4.2.3 NetRanger by WheelGroup/Cisco</A></H3>
    <DD>Originally by WheelGroup, bought by Cisco. It has recently been renamed,
    though I'm not sure to what. Go to <A
    href="http://www.wheelgroup.com/">http://www.wheelgroup.com/</A>.
    <DT>
    <H3><A name=4.2.4>4.2.4</A> eTrust Intrusion Detection by Computer
    Associates</H3>
    <DD>Formerly Memco/Abirnet/PLATINUM SessionWall, this is now owned by
    Computer Associates and marketed as <I>eTrust Intrusion Detection</I>.
    <P>Go to <A
    href="http://www.cai.com/solutions/enterprise/etrust/intrusion_detection">http://www.cai.com/solutions/enterprise/etrust/intrusion_detection</A>.
    <P>Originally, SessionWall started out as more of a
    firewall/content-inspection platform that interposed itself in the stream of
    traffic. I'm not sure where it is now. </P>
    <DT>
    <H3><A name=4.2.6>4.2.6 NetProwler by Axent</A></H3>
    <DD>Go to <A href="http://www.axent.com/">http://www.axent.com/</A>.
    <DT>
    <H3><A name=4.2.7>4.2.7 Centrax by Cybersafe </A></H3>
    <DD>Go to <A
    href="http://www.cybersafe.com/solutions/centrax.html">http://www.cybersafe.com/solutions/centrax.html</A>.
    <DT>
    <H3><A name=4.2.9>4.2.9 NFR by Network Flight Recorder</A></H3>
    <DD>Vendor comments:
    <BLOCKQUOTE>NFR is available in multiple forms: a freeware/research
      version (see below), the "NFR Intrusion Detection Appliance" which comes
      as a bootable CD-ROM, and bundles from 3rd party resellers that add their
      own features on top of it (like Anzen).
      <P>One of the popular features of NFR is "N-code", a fully featured
      programming language optimized for intrusion detection style capabilities.
      They have a full SMTP parser written in N-code. Most other systems
      either simply add signatures or force you to use raw C programming.
      Numerous N-code scripts are downloadable from the Internet from sources
      such as L0pht.
      <P>NFR does more statistical analysis than other systems. The N-code
      system allows easy additions into this generic statistical machine.
      <P>A general description can be found at <A
      href="http://www.nfr.net/forum/publications/LISA-97.htm">http://www.nfr.net/forum/publications/LISA-97.htm</A>
      </P></BLOCKQUOTE>
    <DT>
    <H3><A name=4.2.10>4.2.10 Dragon by Security Wizards</A></H3>
    <DD>Go to <A
    href="http://www.network-defense.com/">http://www.network-defense.com/</A>
    </DD></DL>
  <DT>
  <H2><A name=4.3>4.3 What is a "network grep" system?</A></H2>
  <DD>A "network grep" system is based around <A
  href="http://www.robertgraham.com/pubs/sniffing-faq.html">raw packet
  capture</A> pumped through a "regular expression" parser that finds patterns
  in the network traffic. An example pattern would be: "<TT>/cgi-bin/phf</TT>",
  which would indicate an attempt to exploit the vulnerable CGI script called
  "phf". Once you have built such a system, you then analyze well-known attacks,
  extract strings specific to those attacks, and add them to your database of
  patterns. See <A
  href="http://www.packetfactory.net/ngrep/">http://www.packetfactory.net/ngrep/</A>
  for an example.
  <P>"Regexp" (regular expression) is a common pattern-matching language in the
  UNIX environment. While it has traditionally been used for searching text
  files, it can also be used for arbitrary binary data. In truth, such systems
  have more flexible matching criteria, such as finding ports or matching TCP
  flags.
  <P>"libpcap" (library for packet capture) is a common library available for
  UNIX systems that "sniffs" packets off a wire. Most UNIX-based intrusion
  detection systems (of any kind) use libpcap, though many also have optimized
  drivers for a small subset of platforms.
  <P>The source code for both modules is freely available. A large number of
  intrusion detection systems simply feed the output of libpcap (or tcpdump)
  into the regular expression parser, where the expressions come from a file on
  the disk. Some even simpler systems don't even use regular expressions and
  simply compare packets with well-known byte patterns. If you want to build a
  system like this yourself, read up on 'tcpdump' and regular expressions. To
  understand libpcap/tcpdump, the following document will be helpful: <A
  href="http://www.robertgraham.com/pubs/sniffing-faq.html">http://www.robertgraham.com/pubs/sniffing-faq.html</A>.
  <P>This class of intrusion detection system has one advantage: it is the
  easiest to update. Products of this class will consistently have the largest
  number of "signatures" and be the fastest time-to-market for detecting new
  popular attack "scripts".
  <P>However, while such systems may boast the largest number of "signatures",
  they detect the fewest number of "serious" intrusions. For example, the 8
  bytes "CE63D1D2 16E713CF" when seen at the start of UDP data indicate Back
  Orifice traffic with the default password. Even though 80% of Back Orifice
  attacks use the default password, the other 20% use different passwords and
  would not be detected by the system. For example, changing the Back Orifice
  password to "evade" would change the pattern to "8E42A52C 0666BC4A", and would
  go undetected by "network grep" systems. The signature is matching a
  by-product of the attack (the encrypted header produced by one particular
  password), not the attack itself.
  <P>Some of these systems do not reassemble IP datagrams or TCP streams. Again,
  a hacker could simply reconfigure the MTU size on the attacking machine so
  that a request such as "/cgi-bin/phf" is split across two packets, neither of
  which contains the whole pattern, and thereby evade regexp-pcap systems.
  <P>Such systems result in larger numbers of false positives, because a byte
  match has no protocol context. The string "/cgi-bin/phf" inside an e-mail
  message or a web page that discusses the attack matches just as well as it
  does in a real HTTP request. Likewise the Back Orifice pattern, wherever it
  occurs, will cause alarms to go off even when no Back Orifice compromise is
  present.
  <P>Systems based upon protocol analysis do not have these problems. They catch
  all instances of the attack, not just the common varieties; they result in
  fewer false positives; and they often are able to run faster because a
  protocol decode doesn't have to "search" a frame. They are also able to more
  fully diagnose the problem; for example distinguish between a "Back Orifice
  PING" (which is harmless) and a "Back Orifice compromise" (which is an extreme
  condition). On the other hand, it can often take a week to add a new protocol
  analysis signature (rather than hours) due to the design and testing involved.
  Also, overly-aggressive attempts to reduce false positives can lead to
  missing real attacks in some cases.
  <P>However, network grep systems have one advantage over protocol analysis
  systems. Because they have no preconceived notion about what network traffic
  is supposed to look like, they can often detect attacks that other systems
  might miss. For example, if a company is running a POP3 server on a different
  port, it is likely that protocol analysis systems will not recognize the
  traffic as POP3. Therefore, any attacks against the port will go undetected.
  On the other hand, a network-grep style system doesn't necessarily care about
  port numbers and will check for the same signatures regardless of ports.
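  <P>The two weaknesses described above, as an added example (my code, not
  from the FAQ, ngrep or any product): a per-packet "network grep" over the
  two patterns from the text, next to the same matcher run over reassembled
  TCP streams. The traffic is constructed: the phf request is cut in the
  middle of the pattern, as a small MTU on the attacker's side would do, and
  the Back Orifice datagrams carry the two 8-byte headers quoted above
  followed by filler bytes. Header decoding from libpcap frames is assumed to
  have happened already; only the application-layer payload is modelled.</P>

```python
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte (0 for UDP)
    payload: bytes  # application-layer data only; headers are assumed already decoded

# The two patterns from the text. The Back Orifice one is the 8-byte encrypted header
# BO produces under its default password, anchored to the start of the UDP data.
BO_DEFAULT = bytes.fromhex("CE63D1D216E713CF")
SIGNATURES = [
    ("PHF attempt", "tcp", re.compile(rb"/cgi-bin/phf")),
    ("Back Orifice (default password)", "udp", re.compile(rb"\A" + re.escape(BO_DEFAULT))),
]

def grep_packets(packets):
    """The naive network grep: every packet is searched on its own."""
    hits = []
    for p in packets:
        for name, proto, rx in SIGNATURES:
            if p.proto == proto and rx.search(p.payload):
                hits.append((name, p.src, p.dst))
    return hits

def reassemble_tcp(packets):
    """Glue the segments of each TCP flow back together in sequence order. Stops at
    the first gap rather than guessing, which is the conservative choice for an IDS."""
    flows = defaultdict(list)
    for p in packets:
        if p.proto == "tcp":
            flows[(p.src, p.sport, p.dst, p.dport)].append(p)
    streams = {}
    for key, segs in flows.items():
        segs.sort(key=lambda s: s.seq)
        data, expected = bytearray(), segs[0].seq
        for s in segs:
            if s.seq != expected:
                break
            data += s.payload
            expected += len(s.payload)
        streams[key] = bytes(data)
    return streams

def grep_streams(packets):
    """Network grep with TCP reassembly: UDP datagrams are still matched one by one,
    but TCP patterns are searched in the reassembled stream."""
    hits = grep_packets([p for p in packets if p.proto == "udp"])
    for (src, sport, dst, dport), data in reassemble_tcp(packets).items():
        for name, proto, rx in SIGNATURES:
            if proto == "tcp" and rx.search(data):
                hits.append((name, src, dst))
    return hits

# Constructed traffic (not a capture). The phf request is split across two segments
# at a point inside the pattern, as a small MTU on the attacker's machine would do.
REQUEST = b"GET /cgi-bin/phf?Qalias=x%0als HTTP/1.0\r\n\r\n"
CUT = 9  # b"GET /cgi-" | b"bin/phf..."
SAMPLE = [
    Packet("tcp", "192.0.2.10", 40000, "192.168.1.5", 80, 1000, REQUEST[:CUT]),
    Packet("tcp", "192.0.2.10", 40000, "192.168.1.5", 80, 1000 + CUT, REQUEST[CUT:]),
    # Back Orifice with the default password; bytes after the header are filler.
    Packet("udp", "192.0.2.11", 31337, "192.168.1.6", 31337, 0, BO_DEFAULT + b"\0" * 8),
    # Same trojan after the password was changed to "evade": the header from the
    # text ("8E42A52C 0666BC4A") no longer contains the default-password bytes.
    Packet("udp", "192.0.2.11", 31337, "192.168.1.6", 31337, 0,
           bytes.fromhex("8E42A52C0666BC4A") + b"\0" * 8),
]

if __name__ == "__main__":
    print("per-packet grep:", grep_packets(SAMPLE))   # misses the split phf request
    print("stream grep:    ", grep_streams(SAMPLE))   # finds it; BO with new password still missed
```

  <P>Reassembly fixes the MTU trick but not the password trick: the second Back
  Orifice datagram is missed by both matchers, because the signature describes
  one key's ciphertext rather than the protocol. That is the gap a protocol
  decoder closes.</P>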
  <P>
  <DL>
    <DT>
    <H3><A name=4.3.1>4.3.1 Dragon</A></H3>
    <DD>See above.
    <DT>
    <H3><A name=4.3.2>4.3.2 Bro</A></H3>
    <DD>Vern Paxson's Bro intrusion detection system. Vern Paxson also worked
    on libpcap at LBL, the library that many other intrusion detection systems
    are based on (like NFR and Dragon). I haven't heard of anyone actually using
    Bro itself. Read the paper <A
    href="http://ftp.ee.lbl.gov/papers/bro-usenix98-revised.ps.Z">http://ftp.ee.lbl.gov/papers/bro-usenix98-revised.ps.Z</A>
    for more information.
    <DT>
    <H3><A name=4.3.3>4.3.3</A> <A name=snort>Snort</A></H3>
    <DD><A
    href="http://www.clark.net/~roesch/security.html">http://www.clark.net/~roesch/security.html</A>
    <P>Snort has recently become very popular, and is considered really cool by
    a lot of people. It contains over 100 of its own signatures, and others can
    be found on the Internet.
    <P>Following is an example rule: <PRE># here's an example of PHF attack detection where just a straight text string
# is searched for in the app layer
alert tcp any any -&gt; 192.168.1.0/24 80 (msg:"PHF attempt"; content:"/cgi-bin/phf";)
</PRE>It says to alert on a TCP connection from any IP address and any port
    to the 192.168.1.x subnet at port 80. It searches for the content
    "/cgi-bin/phf" anywhere in the packet's application-layer data. If it finds
    such content, it will alert the console with the message "PHF attempt".
    Note that the rule header restricts the match to packets headed for the
    home network; the same string on a connection in the other direction (for
    example, a page about phf being downloaded) is ignored.
    <P>Usage of snort is usually done in the following manner:
    <UL>
      <LI>BPF filters (part of libpcap) are configured to narrow down the focus
      to certain types of traffic.
      <LI>A decision is made about which IP addresses are internal and which are
      external to further narrow down the focus.
      <LI>Rules are edited to fit the local environment.
      <LI>System runs
      <LI>Rules are further edited to remove false positives. </LI></UL>
    <P>Also, snort has a number of options to be used just to sniff network
    traffic.
    <P>Rules:
    <UL>
      <LI><A href="http://snort.rapidnet.com/">http://snort.rapidnet.com/</A>
      <LI><A href="http://www.whitehats.com/">http://www.whitehats.com/</A>
    </LI></UL>
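  <P>What the rule above actually means, as an added example (my code, not
  Snort's): a parser and matcher for the subset of Snort rule syntax the rule
  uses, namely action, protocol, source/destination given as "any", an address
  or a CIDR block (a leading "!" negates), ports given as a number, a range
  "lo:hi" or "any", the "-&gt;" and "&lt;&gt;" directions, and the "msg" and
  "content" options including Snort's "|hex|" form. Variables such as
  $HOME_NET and the other content modifiers are not supported. The second rule
  and all packets are constructed for the example.</P>

```python
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "proto src sport dst dport payload")

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    bidir: bool
    msg: str = ""
    contents: list = field(default_factory=list)

# "<action> <proto> <src> <sport> -> <dst> <dport> (<options>)"
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# key:value; pairs; a quoted value may contain ';'
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')

def decode_content(text):
    """Snort content syntax: literal text, with |hex bytes| between pipe characters."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    rule = Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"], m["dir"] == "<>")
    for key, val in OPT_RE.findall(m["opts"]):
        val = val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":
            rule.contents.append(decode_content(val))
    return rule

def match_addr(spec, ip):
    """'any', an address, or a CIDR block; a leading '!' negates."""
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    ok = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return ok != negate

def match_port(spec, port):
    """'any', a number, or a range 'lo:hi' (either end may be empty); '!' negates."""
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        ok = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        ok = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        ok = port == int(spec)
    return ok != negate

def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    def header(src, sport, dst, dport):
        return (match_addr(rule.src, src) and match_port(rule.sport, sport)
                and match_addr(rule.dst, dst) and match_port(rule.dport, dport))
    if not header(pkt.src, pkt.sport, pkt.dst, pkt.dport) and \
       not (rule.bidir and header(pkt.dst, pkt.dport, pkt.src, pkt.sport)):
        return False
    return all(c in pkt.payload for c in rule.contents)

def run(rules, packets):
    """Return (msg, src, dst) for every packet an 'alert' rule fires on."""
    return [(r.msg, p.src, p.dst) for p in packets for r in rules
            if r.action == "alert" and matches(r, p)]

# Constructed rules and packets (not a capture). The first rule is the one from
# the text; the second uses Snort's |hex| content form for the Back Orifice bytes.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"PHF attempt"; content:"/cgi-bin/phf";)',
    'alert udp any any -> 192.168.1.0/24 31337 (msg:"Back Orifice default password"; '
    'content:"|CE 63 D1 D2 16 E7 13 CF|";)',
]]
SAMPLE = [
    Packet("tcp", "192.0.2.10", 40000, "192.168.1.5", 80, b"GET /cgi-bin/phf?Qalias=x%0als HTTP/1.0\r\n\r\n"),
    Packet("tcp", "192.0.2.10", 40000, "10.0.0.5", 80, b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"),  # not our net
    Packet("tcp", "192.168.1.5", 80, "192.0.2.10", 40000, b"<p>the /cgi-bin/phf hole</p>"),     # wrong direction
    Packet("udp", "192.0.2.11", 31337, "192.168.1.6", 31337, bytes.fromhex("CE63D1D216E713CF") + b"\0" * 8),
]

if __name__ == "__main__":
    for alert in run(RULES, SAMPLE):
        print(*alert)
```

  <P>The second and third packets show why the header part of the rule
  matters: the same string to a host outside 192.168.1.0/24, or flowing out
  of the web server rather than into it, produces no alert, which is most of
  the false-positive reduction a plain network grep lacks.</P>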
    <DT>
    <H3><A name=4.3.4>4.3.4 Argus</A></H3>
    <DD>Argus isn't an intrusion detection system itself. However, it monitors
    packets off the wire and generates logfile events. You can then process
    those log entries (or peruse them yourself) to find intrusions.
    <P>See <A
    href="ftp://coast.cs.purdue.edu/pub/tools/unix/argus">ftp://coast.cs.purdue.edu/pub/tools/unix/argus</A>
    for more info. Also see <A
    href="ftp://ftp.sei.cmu.edu/pub/argus-1.5">ftp://ftp.sei.cmu.edu/pub/argus-1.5</A>
    </P></DD></DL>
  <DT>
  <H2><A name=4.4>4.4 What tools do intruders use to break into my
  systems?</A></H2>
  <DD>
  <DL>
    <DT>
    <H3><A name=4.4.1>4.4.1 UNIX utilities</A></H3>
    <DD>These utilities either come with your favorite UNIX platform or you can
    download them for free.
    <DL>
      <DT>ping
      <DD>to see if a host is alive.
      <DT>traceroute
      <DD>to find the route to the host
      <DT>nslookup/dig
      <DD>to discover all your DNS information (including a zone transfer, if
      your name server allows one to anybody)
      <DT>whois
      <DD>finds out InterNIC registration information
      <DT>finger
      <DD>finds out who is logged in and info about users
      <DT>rpcinfo
      <DD>finds out what RPC services are running
      <DT>showmount
      <DD>displays NFS exports on a machine
      <DT>SAMBA
      <DD>displays info about WinNT SMB shares
      <DT>telnet
      <DD>the granddaddy of them all -- allows you to connect and play with any
      text-based protocol (HTTP, FTP, SMTP, etc.) </DD></DL>
    <DT>
    <H3><A name=4.4.2>4.4.2 WinNT utilities</A></H3>
    <DD>All of the UNIX utilities mentioned above can be used with WinNT. There
    are also some WinNT specific ones.
    <DL>
      <DT>nbtstat
      <DD>discovers NetBIOS information on a remote machine
      <DT>net view
      <DD>is the LANMAN program that allows you to remotely view WinNT shares
      </DD></DL>
    <DT>
    <H3><A name=4.4.3>4.4.3 Hacking-specific utilities</A></H3>
    <DD>The standard toolkit for an intruder.
    <DL>
      <DT>netcat
      <DD>is characterized as a "TCP/IP Swiss Army Knife"; it allows intruders to
      script protocol interactions, especially text-based protocols.
      <DT>crack / NTcrack / L0phtCrack / etc.
      <DD>crack network passwords (dictionary or brute force). These
      packages also contain utilities for dumping passwords out of databases and
      sniffing them off the wire.
      <DT>Sniffing utilities
      <DD>for watching raw network traffic, such as <B>Gobbler</B>,
      <B>tcpdump</B>, or even an honest-to-god Network Associates <B>Sniffer&copy;
      Network Analyzer</B>
      <DT>TCP and UDP port scanners
      <DD>for scanning/strobing/probing which TCP and UDP ports are available.
      TCP port-scanners can also run in a number of stealth modes (half-open
      SYN scans, FIN/NULL/Xmas probes, slow scans) to evade/elude loggers that
      only record completed connections.
      <DT>Ping sweepers
      <DD>for pinging large numbers of machines to see which ones are active.
      <DT>Exploit packs
      <DD>which are a set of one or more programs that know how to exploit holes
      on systems (usually, once the user is logged in).
      <DT>Remote security auditors
      <DD>such as SATAN that look for a number of well known holes in machines
      all across the network.
      <DT>War dialers
      <DD>that dial lots of phone numbers looking for dial-in ports.
      <DT>NAT
      <DD>(the NetBIOS Auditing Tool) is based upon the SAMBA code, and is useful
      for discovering NetBIOS/SMB info from Windows and SAMBA servers.
      <DT>Scanners
      <DD>are programs (like <A href="http://www.fish.com/satan/">SATAN</A>, <A
      href="http://www.issx.com/">ISS</A>, <A
      href="http://www.nai.com/">CyberCop</A> Scanner) that probe the system for
      vulnerabilities. They have a huge number of vulnerabilities they check for
      and are generally automated, giving the hacker the highest return for the
      minimal effort. </DD></DL></DD></DL>
  <DT>
  <H2><A name=4.5>4.5 What other free/shareware intrusion detection products
  should I be aware of?</A></H2>
  <DD>
  <DL>
    <DT>
    <H3><A name=4.5.0>4.5.0 NFR, Research Version</A></H3>
    <DD>The "NFR Research Version" is a configurable toolkit, available from the
    Internet for research and noncommercial use. It is "as is" software that
    requires expertise from the end user to install and configure. It is not a
    "plug and play" intrusion detection system. (quote from NFR)
    <P>See above for info on the commercial version. </P>
    <DT>
    <H3><A name=4.5.1>4.5.1 tcpwrappers</A></H3>
    <DD>tcp_wrappers is an add-on for UNIX that sits between <CODE>inetd</CODE>
    and the services it starts (ftp, telnet, finger, etc.). Instead of running
    the service directly, <CODE>inetd</CODE> runs the wrapper
    (<CODE>tcpd</CODE>), which checks the client's address against
    <CODE>/etc/hosts.allow</CODE> and <CODE>/etc/hosts.deny</CODE>, logs the
    connection and its verdict through syslog (the "refused connect" line in
    section 3.8 is such an entry), and then executes the real service only if
    the client is allowed. The access control is by IP address (or
    reverse-resolved name), so it is only as trustworthy as the source address:
    it is a logging and filtering layer, not authentication.
    <DT>
    <H3><A name=4.5.2>4.5.2 IDS for Checkpoint Firewalls</A></H3>
    <DD>Log file analysis of firewalls is very similar to network analysis. See
    <A
    href="http://www.enteract.com/~lspitz/intrusion.html">http://www.enteract.com/~lspitz/intrusion.html</A>
    for an example.
    <DT>
    <H3><A name=4.5.3>4.5.3 Shadow</A></H3>
    <DD>I think it is a project used in the Navy to track intrusions, and
    generate reports on them. They have an interesting report at <A
    href="http://www.nswc.navy.mil/ISSEC/CID/co-ordinated_analysis.txt">http://www.nswc.navy.mil/ISSEC/CID/co-ordinated_analysis.txt</A>
    where they describe coordinated, slow attacks they have detected using this
    system.
    <DT>
    <H3><A name=4.5.4>4.5.4 AAFID</A></H3>
    <DD>Purdue's <A href="http://www.cs.purdue.edu/coast">COAST</A> distributed
    agent idea. I'm not sure how much of this is proposals, and how much is
    real. </DD></DL>
  <DT>
  <H2><A name=4.6>4.6 Are there NIDS available for my host?</A></H2>
  <DD>A new class of NIDS runs on hosts in non-promiscuous mode, inspecting
  only the traffic addressed to the host it runs on.
  <DL>
    <DT>
    <H3><A name=4.6.1>4.6.1 Network ICE / BlackICE Defender</A></H3>
    <DD>The first such system was BlackICE Defender from Network ICE released in
    mid-1999. The system also contains a personal firewall. It runs on Win95,
    Win98, WinNT, and Win2k. It is targeted at both end-nodes and servers.
    <DT>
    <H3><A name=4.6.2>4.6.2 Network Associates / CyberCop Monitor v2.0</A></H3>
    <DD>The second system is CCM from Network Associates, released in late 1999.
    While billed primarily as a "host-based IDS", the majority of the intrusions
    it detects are network-based. It currently supports WinNT (and presumably
    Win2k) and they have announced support for Solaris.
    <DT>
    <H3><A name=4.6.3>4.6.3 CyberSafe / Centrax NNID</A></H3>
    <DD>In February of 2000, CyberSafe announced their "network node intrusion
    detection (NNID)". Apparently, versions of their Centrax NIDS come in both
    promiscuous and non-promiscuous licenses starting with version 2.3.
    <DT>
    <H3><A name=4.6.4>4.6.4 ISS / RealSecure Micro-Agent</A></H3>
    <DD>ISS has pre-announced a "Micro-Agent" version of the RealSecure NIDS.
    The announcement indicates that it will also contain "blocking" features,
    which presumably will consist of some sort of personal firewall. They have
    announced that this will be available for both WinNT (and presumably Win2k)
    as well as Solaris. </DD></DL>
  <DT>
  <H1><A name=6.>6. Resources</A></H1>
  <DD>
  <DT>
  <H2><A name=6.1>6.1 Where can I find updates about new security
  holes?</A></H2>
  <DD>
  <DL>
    <DT>
    <H3><A name=6.1.1>6.1.1 CERT (Computer Emergency Response Team)</A></H3>
    <DD>If it is a security problem, you will eventually see it appear in a CERT
    advisory. CERT (Computer Emergency Response Team) was set up by a number of
    universities and DARPA in response to the Morris Worm of 1988. Go to <A
    href="http://www.cert.org/">http://www.cert.org/</A>.
    <DT>
    <H3><A name=6.1.2>6.1.2 AUSCERT (AUStralian Computer Emergency Response
    Team)</A></H3>
    <DD>AUSCERT is the AUStralian Computer Emergency Response Team. For
    registration information, see their web site on:
    <P><A href="http://www.auscert.org.au/">http://www.auscert.org.au/</A>
    <P>For more details, contact AUSCERT directly on <A
    href="mailto:auscert@auscert.org.au">auscert@auscert.org.au</A>. </P>
    <DT>
    <H3><A name=6.1.3>6.1.3 CIAC (Computer Incident Advisory Capability) by US
    Department of Energy</A></H3>
    <DD>Has a number of useful advisories. Go to <A
    href="http://www.ciac.org/">http://www.ciac.org/</A>. </DD></DL>
  <DT>
  <H2><A name=6.2>6.2 What are some other security and intrusion detection
  resources?</A></H2>
  <DD>
  <DL>
    <DT>
    <H3><A name=6.2.1>6.2.1 Purdue's COAST archive</A></H3>
    <DD>This is the best site on the net for learning about IDS and security in
    general. See <A
    href="http://www.cs.purdue.edu/coast">http://www.cs.purdue.edu/coast</A>, <A
    href="http://www.cs.purdue.edu/coast/intrusion-detection">http://www.cs.purdue.edu/coast/intrusion-detection</A>,
    and <A
    href="http://www.cs.purdue.edu/coast/ids">http://www.cs.purdue.edu/coast/ids</A>.
    <DT>
    <H3><A name=6.2.2>6.2.2 SANS Institute</A></H3>
    <DD>I think this may be the best site for security information for people
    who are not themselves hackers. Their target audience is MIS professionals
    who have to defend their networks. Go to <A
    href="http://www.sans.org/">http://www.sans.org/</A>
    <DT>
    <H3><A name=6.2.3>6.2.3 L0pht Heavy Industries</A></H3>
    <DD>These are some hackers with some pretty good tools and useful alerts,
    targeted at Windows. Go to <A
    href="http://www.l0pht.com/">http://www.l0pht.com/</A>
    <DT>
    <H3><A name=6.2.4>6.2.4 Technical Incursion Countermeasures</A></H3>
    <DD>I like this site; it has a bunch of well organized info on intrusion
    (A.K.A. incursion). Go to <A
    href="http://www.ticm.com/">http://www.ticm.com/</A>
    <DT>
    <H3><A name=6.2.5>6.2.5 IDS mailing list</A></H3>
    <DD>Email "subscribe ids" to majordomo@uow.edu.au<BR>Email questions to
    ids-owner@uow.edu.au<BR>This is a nice, low-volume list with interesting
    discussions from time-to-time.
    <DT>
    <H3><A name=6.2.6>6.2.6 Michael Sobirey's Intrusion Detection Systems
    page</A></H3>
    <DD><A
    href="http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html">http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html</A>
    <DT>
    <H3><A name=6.2.7>6.2.7 advICE database</A></H3>
    <DD><A
    href="http://www.networkice.com/advice/Countermeasures/Intrusion_Detection/default.htm">http://www.networkice.com/advice/Countermeasures/Intrusion_Detection/default.htm</A>
    </DD></DL>
  <DT>
  <H2><A name=6.3>6.3 What are some sites that are interesting?</A></H2>
  <DD>Here are some sites that aggregate info from other sites. Could be worth a
  look.
  <DL>
    <DT>
    <H3><A name=6.3.1>6.3.1 NIH security site</A></H3>
    <DD>Go to <A
    href="http://www.alw.nih.gov/Security/">http://www.alw.nih.gov/Security/</A>
    <DT>
    <H3><A name=6.3.2>6.3.2 NTSecurity.net</A></H3>
    <DD>Go to <A
    href="http://www.ntsecurity.net/">http://www.ntsecurity.net/</A>. </DD></DL>
  <DT>
  <H1><A name=7.>7. IDS and Firewalls</A></H1>
  <DD>
  <DT>
  <H2><A name=7.2>7.2 Why do I need IDS if I already have a firewall?</A></H2>
  <DD>A common misunderstanding is that firewalls recognize attacks and block
  them. This is not true.
  <P>Firewalls are simply a device that shuts off everything, then turns back on
  only a few well-chosen items. In a perfect world, systems would already be
  "locked down" and secure, and firewalls would be unneeded. The reason we have
  firewalls is precisely because security holes are left open accidentally.
  <P>Thus, when installing a firewall, the first thing it does is stop ALL
  communication. The firewall administrator then carefully adds "rules" that
  allow specific types of traffic to go through the firewall. For example, a
  typical corporate firewall allowing access to the Internet would stop all UDP
  and ICMP datagram traffic, stop incoming TCP connections, but <I>allow</I>
  outgoing TCP connections (and the reply packets belonging to them). This
  stops all incoming connections from Internet hackers, but still allows
  internal users to connect in the outgoing direction. A packet-filtering
  firewall makes such decisions on addresses, ports, TCP flags and connection
  state only; it does not look at what is carried inside a connection it has
  decided to allow.
  <P>A firewall is simply a fence around your network, with a couple of well
  chosen gates. A fence has no capability of detecting somebody trying to break
  in (such as digging a hole underneath it), nor does a fence know if somebody
  coming through the gate is allowed in. It simply restricts access to the
  designated points.
  <P>In summary, a firewall is not the dynamic defensive system that users
  imagine it to be. In contrast, an IDS <I>is</I> much more of that dynamic
  system. An IDS <I>does</I> recognize attacks against the network that
  firewalls are unable to see.
  <P>For example, in April of 1999, many sites were hacked via a bug in
  ColdFusion. These sites all had firewalls that restricted access only to the
  web server at port 80. However, it was the web server that was hacked, through
  the very port the firewall had to leave open. Thus, the firewall provided no
  defense. On the other hand, an intrusion detection system would have
  discovered the attack, because it matched the signature configured in the
  system.
  <P>Another problem with firewalls is that they are only at the =
boundary to=20
  your network. Roughly 80% of all financial losses due to hacking come =
from=20
  inside the network. A firewall a the perimeter of the network sees =
nothing=20
  going on inside; it only sees that traffic which passes between the =
internal=20
  network and the Internet.=20
  <P>Some reasons for adding IDS to you firewall are:=20
  <UL>
    <LI>Double-checks misconfigured firewalls.=20
    <LI>Catches attacks that firewalls legitimate allow through (such as =
attacks=20
    against web servers).=20
    <LI>Catches attempts that fail.=20
    <LI>Catches insider hacking. </LI></UL>
  <P>"Defense in depth, and overkill paranoia, are your friends." (quote =
by=20
  Bennett Todd &lt;bet at mordor dot net&gt;). Hackers are much more =
capable=20
  than you think; the more defenses you have, the better. And they still =
won't=20
  protect you from the determined hacker. They will, however, raise the =
bar on=20
  determination needed by the hackers. </P>
  <DT>
  <H2><A name=7.2.1>7.2.1 How is it that hackers can get through firewalls?</A></H2>
  <DD><I>Editor's Note: This just clarifies the point above.</I>
  <P>Consider bridge building throughout history. As time goes on, technology improves, and bridges are able to span ever larger distances (such as the Golden Gate Bridge in San Francisco, whose main span is well over a kilometer). Bridge builders are very conservative due to the immense embarrassment (not to mention loss of life) should a bridge fail. Therefore, they use much more material (wood, stone, steel) than they need, and they don't create spans nearly as long as they think they can. However, as bridges prove themselves over time, engineers take more and more risks, until a bridge fails. Then all the engineers become much more conservative again. As has been quoted: "It's easy to build a bridge that doesn't fall down; what takes skill is building a bridge that just <I>barely</I> doesn't fall down."
  <P>In much the same way, most firewall administrators take the conservative approach. It is easy to build a firewall that can't be hacked by being overly conservative and paranoid, and simply turning off all but the absolutely necessary services.
  <P>However, in the real world, engineers are not allowed to be sufficiently paranoid. Just as bridge builders want to span ever wider rivers and gorges, corporations want to keep expanding the services they offer over the Internet. This puts immense pressure on firewall admins to relax the barriers. The process continues up to the point where the system is hacked, at which point the corporation becomes much more conservative. From this perspective, one could say that corporate dynamics generally force the system to the point where it gets hacked.
  <P>As every firewall admin knows, the system is under constant attack from the Internet. Hackers from all over the world are constantly probing it for weaknesses. Moreover, every few months a new security vulnerability is found in a popular product, at which point the hackers simply scan the entire Internet looking for people with that hole, causing thousands of websites to be hacked. Recent examples of such holes are the ColdFusion CFDOCS sample-application bug and the Microsoft IIS .htr buffer overflow. </P>
  <DT>
  <H2><A name=7.3>7.3 If I have intrusion detection, do I need a firewall?</A></H2>
  <DD>Of course. Every corporation needs a well-managed, single point of entry.
  <P>There are a huge number of "script-kiddies" constantly running automated programs (like SATAN) against the Internet looking for holes. Without a firewall, these automated programs can detect and exploit holes literally in the blink of an eye. Even dial-up users who use the Internet only a few hours a week get scanned on a regular basis; high-profile corporate sites will be scanned by script-kiddies much more often. </P>
  <DT>
  <H2><A name=7.4>7.4 Where does the intrusion detection system get its information? The firewall?</A></H2>
  <DD>No. While some log-file analysis programs do scan firewall logs for signs of intrusions, most intrusion detection systems get their information elsewhere.
  <P>Remember that firewalls are simple rule-based systems that allow or deny traffic going through them. Even "content inspection" style firewalls do not have the capability to say clearly whether the traffic constitutes an attack; they only determine whether it matches their rules or not.
  <P>For example, a firewall in front of a web server might block all traffic except TCP connections to port 80. As far as the firewall is concerned, any port-80 traffic is legitimate. An IDS, on the other hand, examines that same traffic and looks for patterns of attack. An IDS doesn't really care whether the manager decided to allow port 80 and deny the rest: as far as the IDS is concerned, all traffic is suspicious.
  <P>This means that an IDS must look at the same source of data as the firewall: namely, the raw network traffic on the wire. If an IDS sat "downstream" of the firewall instead of side by side with it, it would be limited to only those things the firewall considered attacks. In the above example, the firewall would never pass port-80 traffic to the IDS.
  <PRE>
                               +-+                             .
                               |F|  +-----+                    .
                               |I+--+IDS#1|                    .
/============\                 |R|  +-----+    /============\  .
H            H                 |E|             H  corporate H  .
H  internet  H--------+--------+ +------+------H   network  H  .
H            H        |        |W|      |      H         +-----+
\============/     +--v--+     |A|   +--v--+   \=========+IDS#4|
                   |IDS#3|     |L|   |IDS#2|             +-----+
                   +-----+     |L|   +-----+                   .
                               +-+                             .
</PRE>
  <DL>
    <DT>IDS #1
    <DD>Few IDSs work this way. Firewalls don't produce enough information to detect intrusions effectively.
    <DT>IDS #2
    <DD>This popular placement of an IDS detects attacks that successfully penetrate the firewall.
    <DT>IDS #3
    <DD>This placement detects attacks that are attempted against the firewall.
    <DT>IDS #4
    <DD>By placing intrusion detection systems throughout a corporate network, attacks by insiders will be detected. </DD></DL>
  <DT>
  <H1><A name=8.>8. Implementation Guide</A></H1>
  <DD>
  <DT>
  <H2><A name=8.1>8.1 What questions should I ask my IDS vendor?</A></H2>
  <DD>CSI (Computer Security Institute) has a good page on this, where they posed questions to IDS vendors, as well as asking them what the difficult questions are. This site is at <A href="http://www.gocsi.com/intrusion.htm">http://www.gocsi.com/intrusion.htm</A>.
  <P>Some common questions are:
  <DL>
    <DT>What does it cost?
    <DD>Of course.
    <DT>What do signature updates and maintenance cost?
    <DD>Intrusion detection is much like virus protection: a system that hasn't been updated for a year will miss common new attacks.
    <DT>At what real-world traffic levels does the product become <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#9.3.1">blind</A>, in packets/second?
    <DD>First, what segments do you plan on putting the IDS onto? If you have only a 1.5-mbps connection to the Internet that you want to monitor, you don't need the fastest-performing system. On the other hand, if you are trying to monitor a server farm in your corporation in order to detect internal attacks, a hacker could easily <A class=dict href="http://www.robertgraham.com/pubs/hacking-dict.html#smurf">smurf</A> the segment in order to <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#9.3.1">blind</A> the sensor.
    <P>The most important metric is <B>packets/second</B>. Marketing people use weasel words to say that their products can keep up with a full 100-mbps network, but that is only under ideal conditions. Network World did a review in August of 1998 where products failed at roughly 30% network load (50,000 packets/second). Likewise, Network Computing did a <A href="http://www.nwc.com/1023/1023f19.html">review</A> in September of 1999 with real-world traffic where several products that claimed 100-mbps still could not keep up. </P>
    <DT>How easy is the product to evade?
    <DD>Go down the list in section <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#9.4">9.4</A> and ask the vendor whether such activities will evade the IDS. If you want to give the vendor heartburn, ask them about section <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#9.5">9.5</A>.
    <DT>How scalable is the IDS system as a whole?
    <DD>How many sensors does the system support? How big can the database be? What are the traffic levels when forwarding information to the management console? What happens when the management console is overloaded? These are tough questions.
    <DT>How much will it cost to run and maintain the product?
    <DD>How good is the reporting architecture? How easy is it to manage false positives? How long does it take to track down alerts and identify the situation? How many people do I need to use this product? </DD></DL>
  <P>The following questions are commonly asked, but are less likely to produce meaningful answers:
  <DL>
    <DT>How many signatures does the system support?
    <DD>Unfortunately, vendors dramatically inflate their signature counts. This is a game that all vendors must play, even though it is becoming less and less important.
    <DT>What intrusion <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#2.4">response</A> features does the product have?
    <DD>A feature like automatically reconfiguring a firewall sounds really cool, but in real life few security managers implement it. Reconfiguring a corporate firewall automatically is extremely dangerous: an attacker who sends attacks with a spoofed source address can trick the IDS into blocking whichever host he chooses. </DD></DL>
  <DT>
  <H2><A name=8.2>8.2 How do I maintain the system on an on-going basis?</A></H2>
  <DD>I put this question in here hoping for feedback; I really don't have an answer.
  <P>If you install an intrusion detection system, you WILL see intrusions on an on-going basis. In a SOHO environment, you will likely get scanned by a hacker once a week. On a well-known web site, hackers will probe for vulnerabilities many times per day. On a large internal corporate network, you will find constant suspicious activity by internal employees.
  <P>The first problem you are likely to be confronted with is employees surfing porn sites on the web. Just about every long-term administrator I know has interesting stories about this. Most don't care about porn; it is just embarrassing to know what people are up to.
  <P>It is interesting that many otherwise conservative corporations do not outright restrict such surfing, because it is often the executives themselves who do it. Lower-level engineers who detect such activity usually fear to bring the subject up.
  <P>The next problem engineers face is a Human Resources (HR) issue. You will find users doing things they shouldn't, so a lot of time is spent working with HR on the offending employee.
  <P>The last problem is what to do about Internet script-kiddies and hackers probing your system. Usually, a call to the ISP in question or an e-mail to its "abuse@" mailbox suffices. Sometimes the ISP will be grateful, because its own systems have been compromised.
  <P>Remember that even what appears to be the most egregious hack may, in fact, be innocuous, so approach other people with dignity and respect. </P>
  <DT>
  <H2><A name=8.4>8.4 How do I stop inappropriate web surfing?</A></H2>
  <DD>One of the biggest concerns for corporations today is employees surfing "inappropriate" web sites. To some extent, companies are worried about employees wasting company time on the Internet, and to another extent, companies are worried about legal liability, such as when an employee surfing porn sites leads to a sexual harassment lawsuit.
  <P>However, companies do not like being in the position of "big brother". Rules against inappropriate surfing inevitably lead to grey areas (for example: Playboy.com recently had an article on computer security, which an employee could easily have stumbled across while doing a legitimate search on the web).
  <P>Intrusion detection systems, firewalls, proxy servers, and sniffing programs can be configured to log all web surfing traffic to log files, including <I>who</I> accessed <I>which</I> web sites. Most companies already have these logs, but few make use of the information. Network technicians do not want to take on the role of HR and prosecute people. (In many cases, the culprits are executives, and going after them can be a career-limiting move (CLM).)
  <P>One elegant solution is posting such information on a public internal web site. This has been known to dramatically reduce inappropriate surfing. Rather than having a central authority judge appropriateness, it leaves the judgement up to the individual. </P>
  <DT>
  <H2><A name=8.5>8.5 How can I build my own IDS (writing code)?</A></H2>
  <DD>Simple intrusion detection systems are easy to build. Simply grab an input source (log files, network traffic) and pass it through a pattern match (regexp). Alongside that, run the same data through some statistical analysis, much as SETI@Home runs radio noise through Fourier analysis looking for narrow-band signals.
  <P>For example, section <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#4.3">4.3</A> above discusses a "network grep" system that passes network traffic through a pattern-match system. Such a system could be built with some knowledge of C and a UNIX system.
  <P>Similarly, section <A href="http://www.robertgraham.com/pubs/network-intrusion-detection.html#4.5.2">4.5.2</A> describes a Perl-based system that parses log files from a firewall. </P>
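  <P>The "network grep" described above, together with the firewall-versus-IDS point of section 7.4, as an added example that is not code from this FAQ: a minimal Python detector that decodes raw Ethernet/IPv4/TCP frames, applies the stateless rule set of section 7.2, and greps every payload regardless of the firewall's verdict. The 10.0.0.0/8 inside network, the web server at 10.0.0.5, the sample frames and the three signature patterns are all constructed for the example.</P>

```python
"""Network-grep style NIDS over raw Ethernet frames.

Added example for sections 7.4 and 8.5; not code from the FAQ. Assumptions:
Ethernet II / IPv4 framing, the 10.0.0.0/8 inside network, the web server at
10.0.0.5, and three illustrative regex signatures (not real vendor rules).
"""
import re
import struct
from dataclasses import dataclass

ETH_P_IP, IPPROTO_TCP, IPPROTO_UDP = 0x0800, 6, 17
SYN, ACK, PSH = 0x02, 0x10, 0x08
WEB_SERVER = ("10.0.0.5", 80)          # the one published inbound service (assumption)


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    flags: int = 0                     # TCP flag bits, 0 for non-TCP
    payload: bytes = b""


def parse_frame(frame: bytes):
    """Decode Ethernet II -> IPv4 -> TCP. Returns a Packet, or None for non-IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ver_ihl, _, total, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(ip) < total:
        return None
    ip = ip[:total]                    # strip Ethernet padding, if any
    pkt = Packet(".".join(map(str, s)), ".".join(map(str, d)), proto, payload=ip[ihl:])
    if proto == IPPROTO_TCP and len(pkt.payload) >= 20:
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", pkt.payload[:14])
        pkt.sport, pkt.dport, pkt.flags = sport, dport, off_flags & 0x1FF
        pkt.payload = pkt.payload[(off_flags >> 12) * 4:]
    return pkt


def firewall_allows(p: Packet) -> bool:
    """Section 7.2's typical rule set, stateless for brevity: no UDP/ICMP, no
    inbound TCP connection attempts except to the web server, outbound TCP ok."""
    if p.proto != IPPROTO_TCP:
        return False
    inbound = not p.src.startswith("10.")
    new_conn = bool(p.flags & SYN) and not (p.flags & ACK)
    return not (inbound and new_conn and (p.dst, p.dport) != WEB_SERVER)


# Illustrative signatures: the IDS greps the payload whatever the firewall policy says.
SIGNATURES = [
    ("http-dir-traversal", re.compile(rb"\.\./\.\./")),
    ("http-long-uri", re.compile(rb"^(?:GET|POST|HEAD) \S{512,}", re.M)),
    ("shell-in-uri", re.compile(rb"/bin/sh|cmd\.exe", re.I)),
]


def inspect(p: Packet):
    return [name for name, rx in SIGNATURES if rx.search(p.payload)]


def tcp_segment(sport, dport, flags, payload=b""):
    """Minimal TCP header (no checksum) for constructed test traffic."""
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0) + payload


def build_frame(src, dst, transport, proto=IPPROTO_TCP):
    """Ethernet II + IPv4 around a transport segment; checksums left zero."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0x4000,
                     64, proto, 0, addr(src), addr(dst)) + transport
    return b"\x00" * 12 + struct.pack("!H", ETH_P_IP) + ip


def run(frames):
    """Per frame: ('allow'|'deny'|'not-ip', [alert names])."""
    results = []
    for f in frames:
        p = parse_frame(f)
        if p is None:
            results.append(("not-ip", []))
        else:
            results.append(("allow" if firewall_allows(p) else "deny", inspect(p)))
    return results


# Constructed traffic (not a real capture).
SAMPLE = [
    build_frame("192.0.2.7", "10.0.0.5", tcp_segment(40000, 80, SYN)),            # new web connection
    build_frame("192.0.2.7", "10.0.0.5", tcp_segment(40000, 80, PSH | ACK,
                b"GET /../../../../etc/passwd HTTP/1.0\r\n\r\n")),               # attack on the allowed port
    build_frame("192.0.2.7", "10.0.0.9", tcp_segment(40001, 23, SYN)),            # inbound telnet: blocked
    build_frame("10.0.0.9", "198.51.100.3", tcp_segment(51000, 80, SYN)),         # outbound: allowed
    build_frame("192.0.2.7", "10.0.0.5", struct.pack("!HHHH", 53, 53, 8, 0), IPPROTO_UDP),  # UDP: blocked
]

if __name__ == "__main__":
    for verdict, alerts in run(SAMPLE):
        print(verdict, alerts)
```

  <P>The second frame is allowed by the firewall (it is port 80 to the web server) yet raises the traversal alert, and the UDP frame is denied by policy but still inspected, which is the whole argument of section 7.4. A production sensor would reassemble TCP streams and IP fragments before matching; matching per packet, as here, is exactly what the evasion techniques of section 9.4 exploit.</P>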
  <DT>
  <H2><A name=8.7>8.7 What is the legality of NIDS (since it is a form of wiretap)?</A></H2>
  <DD>
  <P>Different countries and states have different laws, but it is generally legal to monitor your OWN traffic for intrusions.
  <P>One concern people have is that running a NIDS on a corporate network results in network managers viewing employee Internet surfing activity (sometimes network managers find top executives surfing porn sites). As the network equipment and the user's workstation belong to the company, the legal precedent is that use of corporate equipment implies consent to monitoring. However, it is recommended that companies explicitly state in employee handbooks that network activity <I>will</I> be monitored. At a minimum, it avoids embarrassing situations. </P>
  <DT>
  <H2><A name=8.8>8.8 How do I save logfiles in a tamper-proof way?</A></H2>
  <DD>The first thing a hacker does after a break-in is delete or change the logfiles in order to hide the evidence. Therefore, a common need is a "write-once" storage system whereby once data is written, it can never be altered.
  <P><B>WORM</B> (Write-Once-Read-Many) drives have historically been used for this purpose, but they are expensive and finicky. They probably don't have drivers for your system, and your software is likely incompatible with them in other ways (e.g. some systems alter files slightly as they create them, which doesn't work on a WORM).
  <P>One problem with any such system is that entropy sets in. It may be provably secure today, but it is unlikely to stay that way. For example, one technique for logging would be to use syslog where the receiver doesn't have a TCP/IP stack but instead uses TCPDUMP to save the raw packets to a file (presumably, a utility would be run at a later date to reconstruct the syslog entries). From the entropy perspective, there is no guarantee that a TCP/IP stack won't be installed during an update, or when a new person joins the team, or when machines get shuffled around.
  <P>To combat such entropy, the model system uses the "snipped-wire" approach. In this model, an extra Ethernet adapter is installed in the machine that generates the data, and the <B>receive</B> wire is cut. If an accident later happens such that the extra adapter is connected to an unsecured network, few problems are likely to result.
  <P>In much the same way, the receiving system should have only a single Ethernet adapter, and its <B>transmit</B> wire should be cut. It would be best to also disable the TCP/IP stack and instead force the data through packet-sniffing utilities. (Yes, there are attacks that can compromise the system even when no responses are ever received: the receiver still parses every byte the attacker sends, so a bug in the sniffer or the log parser is reachable over the one-way link.)
  <P>Normal TCP/IP won't work in this scenario. You will need to hard-code the route and ARP tables on the generating machine in order to force the traffic out the one-way wire, since that machine can never hear an ARP reply. Similarly, you will need special utilities on the receiving machine to parse incoming packets back into useful data.
  <P>UDP-based transports like syslog and SNMP traps are the most useful in this situation. They are easy to generate on the sending machine, as they are built into most systems. Since responses aren't expected anyway, the missing return path doesn't hamper the normal flow of applications. Likewise, they are easy to parse back into SNMP messages or syslog files on the receiving end, or at least it is easy to harden a TCP/IP stack to receive only those ports. At the very least, TFTP or NFS can be configured to transport files to a TCP/IP stack on the other side, though both need replies and so require a two-way link rather than a snipped wire.
  <P>One problem that goes along with this is data management. You cannot connect the data repository to a network, so anything you use to back up the system must be installed on the system itself.
  <P>Personally, the system I use is an old Pentium-90 computer with a 6-gig drive, CD-ROM writer, and a sniffing utility that dumps all the network traffic (a 416-kbps DSL connection) to packet capture files on the disk. A couple of simple filters remove a lot of the bulk so that downloading the latest RedHat distribution doesn't fill up the disk. I prefer this solution over actual log files because it captures absolutely everything that happens on the wire, even the numerous so-called stealth attempts.
  <P><I>Update:</I> There have been suggestions that serial links, parallel ports, and special SCSI protocols might likewise provide a logical "air-gap". This would entail a little programming on your part, but since entropy will likely cause it to fail rather than open a vulnerability, it would be a good choice. </P>
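  <P>The receiver-side "utility to reconstruct the syslog entries" described above, as an added example that is not code from this FAQ: Python that validates raw IPv4/UDP datagrams captured off the one-way wire and turns them back into log lines, without any TCP/IP stack. Assumptions: syslog on UDP/514 with RFC 3164-style "&lt;PRI&gt;message" payloads, a hypothetical collector at 10.0.0.2, and a constructed capture in place of a TCPDUMP file.</P>

```python
"""Receiving syslog over a one-way ("snipped-wire") link with no TCP/IP stack.

Added example for section 8.8, not the FAQ's own code. Because the receiver
has no stack, it sees only raw IPv4/UDP datagrams captured off the wire and
must validate and decode them itself. build_udp_datagram() stands in for the
sending host and exists only to construct the sample capture. Assumptions:
syslog on UDP/514 with RFC 3164-style "<PRI>message" payloads, and a collector
address of 10.0.0.2 (hypothetical).
"""
import struct

SYSLOG_PORT = 514
IPPROTO_UDP = 17
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header; 0 when the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_datagram(src: str, dst: str, dport: int, payload: bytes) -> bytes:
    """Sender side: IPv4 header (checksum filled in) + UDP header (checksum 0 = unused)."""
    udp = struct.pack("!HHHH", SYSLOG_PORT, dport, 8 + len(payload), 0) + payload
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64,
                      IPPROTO_UDP, 0, addr(src), addr(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp


def syslog_payload(pri: int, msg: str) -> bytes:
    return ("<%d>%s" % (pri, msg)).encode()


def decode_syslog_packet(raw: bytes):
    """Receiver side: verify the IPv4 header, require UDP to port 514, split the
    PRI field from the message. Returns (src_ip, facility, severity, message),
    or None for anything malformed, which the receiver must simply ignore."""
    if len(raw) < 28 or (raw[0] >> 4) != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or ip_checksum(raw[:ihl]) != 0:      # a stack would do this; we have none
        return None
    total = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != IPPROTO_UDP or len(raw) < total or total < ihl + 8:
        return None
    src = ".".join(str(b) for b in raw[12:16])
    _, dport, ulen, _ = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    if dport != SYSLOG_PORT or ulen < 8 or ihl + ulen > total:
        return None
    payload = raw[ihl + 8:ihl + ulen]
    head, sep, msg = payload.partition(b">")
    if not payload.startswith(b"<") or not sep or not head[1:].isdigit():
        return None
    pri = int(head[1:])
    if pri > 191:                                    # 24 facilities * 8 severities - 1
        return None
    return src, FACILITIES[pri >> 3], SEVERITIES[pri & 7], msg.decode(errors="replace")


def reconstruct_log(datagrams):
    """Turn a capture of raw datagrams back into text log lines."""
    lines = []
    for raw in datagrams:
        rec = decode_syslog_packet(raw)
        if rec is not None:
            lines.append("%s %s.%s %s" % rec)
    return lines


# Constructed capture (not real traffic): two good entries, one corrupted in
# flight, and one stray UDP datagram that is not syslog at all.
CAPTURE = [
    build_udp_datagram("10.0.0.7", "10.0.0.2", SYSLOG_PORT,
                       syslog_payload(4 * 8 + 6, "sshd[412]: Accepted publickey for ops")),
    build_udp_datagram("10.0.0.7", "10.0.0.2", SYSLOG_PORT,
                       syslog_payload(4 * 8 + 2, "login: 5 failed attempts for root")),
]
_damaged = bytearray(CAPTURE[0])
_damaged[16] ^= 0x01                                  # flip a bit in the destination address
CAPTURE.append(bytes(_damaged))
CAPTURE.append(build_udp_datagram("10.0.0.7", "10.0.0.2", 53, b"not syslog"))

if __name__ == "__main__":
    for line in reconstruct_log(CAPTURE):
        print(line)
```

  <P>Nothing in the receiver ever sends a reply, so it works with the transmit wire cut. The header checksum and length checks matter because, with no stack in front of it, every byte from the wire is attacker-reachable input to this parser, which is the attack the parenthetical above warns about.</P>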
  <DT>
  <H1><A name=9>9 What are the limitations of NIDS?</A></H1>
  <DD>Network intrusion detection systems are unreliable enough that they should be considered only secondary systems, designed to back up the primary security systems.
  <P>Primary systems such as firewalls, encryption, and authentication are rock solid. Bugs or misconfiguration often lead to problems in these systems, but the underlying concepts are "provably" accurate.
  <P>The underlying concepts behind NIDS are not absolutely accurate. Intrusion detection systems suffer from two problems: normal traffic causes many false positives (crying wolf), and careful hackers can evade or disable the intrusion detection system. Indeed, there are many proofs that show network intrusion detection systems will never be fully accurate.
  <P>This doesn't mean intrusion detection systems are invalid. Hacking is so pervasive on today's networks that people are regularly astounded when they first install such systems (both inside and outside the firewall). Good intrusion detection systems can dramatically improve the security of a site. It just needs to be remembered that intrusion detection systems are a backup. The "provably accurate" systems regularly fail (due to human error), and the "provably incorrect" systems regularly work.
  <DT>
  <H2><A name=9.1>9.1 Switched network (inherent limitation)</A></H2>
  <DD>
  <P>Switched networks (such as 100-mbps and gigabit Ethernet switches) pose dramatic problems for network intrusion detection systems. There is no easy place to "plug in" a sensor in order to see all the traffic.
  <P>For example, somebody on the same switched fabric as the CEO has free rein to attack the CEO's machine all day long, such as with a password grinder targeting File and Print Sharing.
  <P>There are some solutions to this problem, but not all of them are satisfactory.
  <P>
  <DL>
    <DT>
    <H3>Embed IDS within the switch</H3>
    <DD>Some vendors (Cisco, ODS) are embedding intrusion detection directly into switches. As far as I can tell, however, these IDS systems do not have the broad range of detection of traditional NIDS.
    <DT>
    <H3>Monitor/span port</H3>
    <DD>Many switches have a "monitor port" for attaching network analyzers. A NIDS can easily be added to this port as well. An obvious problem is that the port runs at a much lower speed than the switch backplane, so the NIDS will not be able to see all the traffic on a heavily loaded switch. Moreover, such ports are often used by sniffers for network management purposes, so the NIDS must occasionally be swapped out.
    <DT>
    <H3><A name=#cable-taps>Tap into the cable</A> (for inter-switch or switch-to-node)</H3>
    <DD>A monitor can be connected directly to the cable in order to monitor the traffic. These may be cables between switches or cables from the switch to a host. Different techniques would be:
    <P>
    <DL>
      <DT><I>inline taps</I>
      <DD>Inline taps are devices that insert themselves directly into the stream of communication and make a copy of it. A typical example would be the Shomiti Century Tap (<A href="http://www.shomiti.com/productsf/tapfamilyf.html">http://www.shomiti.com/productsf/tapfamilyf.html</A>), which plugs into a 100-mbps full-duplex line and allows a computer equipped with two adapters to read both channels.
      <DT><I>vampire taps</I>
      <DD>In the olden days, vampire taps were a mainstay of thick coax Ethernet, and were the preferred way of connecting end-nodes to the network.
      <DT><I>inductance taps</I>
      <DD>Most taps can be detected with TDR (Time Domain Reflectometer) equipment. Inductance taps do not change the cable in any way, but instead sit on the outside and monitor the electromagnetic noise emitted by the cable. Only used by spies. </DD></DL>
    <P>The problem with tapping into the cable, especially those between switches, is that they carry huge amounts of traffic. Most NIDS cannot handle very high loads before going "blind".
    <P><SMALL>Thanks to Christopher Zarcone &lt; czarcone at acm dot org &gt; for this info.</SMALL> </P>
    <DT>
    <H3>Host-based sensors</H3>
    <DD>From a conceptual point of view, the only way to defeat the resource limitations of switched networks is to distribute host-based intrusion detection. Several host-based agents, such as BlackICE and CyberCop Monitor, contain a network-based component that monitors only that host's traffic. Others do the traditional logfile and audit analysis. </DD></DL>
  <DT>
  <H2><A name=9.2>9.2 Resource limitations</A></H2>
  <DD>
  <P>Network intrusion detection systems sit at centralized locations on the network. They must be able to keep up with, analyze, and store information generated by potentially thousands of machines. The sensor must emulate the combined state of all the machines sending traffic through its segment. Obviously, it cannot do this fully, and must take shortcuts.
  <P>This section lists some typical resource issues.
  <P>
  <DL>
    <DT>
    <H3><A name=9.2.1>9.2.1 Network traffic loads</A></H3>
    <DD>Current NIDS have trouble keeping up with fully loaded segments. The average web site has a frame size of around 180 bytes, which translates to roughly 50,000 packets/second on a 100-mbps Ethernet (the theoretical ceiling, counting the 20 bytes of preamble and inter-frame gap that accompany every frame, is 62,500). Most IDS units cannot keep up with this speed. Most customers have less than this, but it can still occasionally be a concern.
    <P>When buying an IDS, ask the vendor how many packets/second the system can handle. Many vendors will try to tell you how many bits/second, but per-packet cost is the real performance bottleneck. Virtually all vendors can handle 100-mbps traffic using 1500-byte packets; few can handle 100-mbps traffic using 60-byte packets. </P>
    <DT>
    <H3><A name=9.2.2>9.2.2 TCP connections</A></H3>
    <DD>An IDS must maintain connection state for a large number of TCP connections. This requires an extensive amount of memory. The problem is exacerbated by evasion techniques, which often require the IDS to maintain connection information even after the client and server have closed the connection.
    <P>When buying an IDS, ask the vendor how many simultaneous TCP connections it can handle. </P>
    <DT>
    <H3><A name=9.2.3>9.2.3 Other state information</A></H3>
    <DD>TCP is the simplest example of state information that must be kept in memory by the IDS, but other examples include IP fragments, TCP scan information, and ARP tables.
    <DT>
    <H3><A name=9.2.4>9.2.4 Long term state</A></H3>
    <DD>A classic problem is the "slow scan", where the attacker scans the system very slowly. The IDS is unable to store that much information over that long a time, so it is unable to correlate the individual probes into a scan. </DD></DL>
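  <P>The slow-scan limitation, as an added example that is not code from this FAQ: two port-scan detectors in Python run over one constructed event stream. The first keeps only a sliding window per source, the bounded state a sensor can afford; the second keeps every port a source has ever touched, which catches the slow scan at the cost of state that grows without limit. The threshold (five distinct ports) and the 60-second window are assumptions.</P>

```python
"""Why slow scans slip past a NIDS with bounded state (section 9.2.4).

Added example, not the FAQ's own code. Two detectors run over the same
constructed event stream: a sliding-window detector of the kind a sensor can
afford in memory, and a long-term per-source counter that needs state kept for
hours or days. Thresholds (5 ports in 60 s) are assumptions, not from the FAQ.
"""
from collections import defaultdict, deque


def window_detector(events, threshold=5, window=60.0):
    """Alert when one source touches >= threshold distinct ports within `window`
    seconds. State per source is a deque of (time, port); old entries expire,
    which is exactly the memory limit a slow scan exploits."""
    seen = defaultdict(deque)
    alerts = []
    for t, src, port in events:
        q = seen[src]
        q.append((t, port))
        while q and t - q[0][0] > window:
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            alerts.append((t, src))
            q.clear()                      # one alert per burst
    return alerts


def long_term_detector(events, threshold=5):
    """Same rule with no expiry: per-source set of every distinct port probed.
    Catches the slow scan, but state grows with every source ever seen, which
    is the cost a sensor watching thousands of hosts cannot always pay."""
    ports = defaultdict(set)
    alerts = []
    for t, src, port in events:
        ports[src].add(port)
        if len(ports[src]) == threshold:
            alerts.append((t, src))
    return alerts


def scan_events(src, ports, start, spacing):
    """(time, src, port) tuples for a scan of `ports`, `spacing` seconds apart."""
    return [(start + i * spacing, src, p) for i, p in enumerate(ports)]


# Constructed event stream: a fast scan and a slow scan mixed with normal traffic.
PORTS = [21, 22, 23, 25, 80, 110, 139, 443]
EVENTS = sorted(
    scan_events("192.0.2.10", PORTS, start=0.0, spacing=0.5)        # 8 ports in 4 seconds
    + scan_events("198.51.100.5", PORTS, start=100.0, spacing=900)   # 8 ports over 2 hours
    + [(t, "10.0.0.9", 80) for t in range(0, 7000, 300)]             # a web client, one port
)

if __name__ == "__main__":
    print("window:   ", window_detector(EVENTS))
    print("long-term:", long_term_detector(EVENTS))
```

  <P>The window detector fires once, for the fast scan; the slow scan never has two probes inside the same 60 seconds, so it is invisible to it. The long-term detector fires for both, at the cost of remembering every source forever, which is why real sensors cap that state and why a patient attacker spaces probes beyond the cap.</P>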
  <DT>
  <H2><A name=3D9.3>9.3 Attacks against the NIDS</A></H2>
  <DD>
  <P>The intrusion detection system itself can be attacked in the =
following=20
  ways.=20
  <DL>
    <DT>
    <H3><A name=3D9.3.1>9.3.1 Blind the sensor</A></H3>
    <DD>
    <P>Network intrusion detection systems are generally built as =
"passive=20
    monitors" from COTS (commercial-off-the-shelf) computers. The =
monitors are=20
    placed alongside the networking stream, not in the middle. This =
means that=20
    if they cannot keep up with the high rates of traffic, they have no =
way to=20
    throttle it back. They must start dropping packets. This is known as =
trying=20
    to drink from a firehose. Few NIDS today can keep up with a fully =
saturated=20
    100-mbps link (where "saturated" means average sized packets of 180 =
bytes,=20
    which is roughly 50,000 packets/second).=20
    <P>Not only will the sensor start dropping packets is cannot =
process, high=20
    traffic rates can completely shut down the sensor. For example, =
consider a=20
    sensor that can process a maximum of 20,000 frames/second. When the=20
    proferred load is 40,000 frames/second, it usually drops actual =
processing=20
    down to 10,000 frames/second or 5,000 frames/second, or maybe even =
zero.=20
    This is because frame reception and frame analysis are two different =

    acitivities. Most architectures require the system to capture the =
packet=20
    even when it is too busy to analyze it, which takes even more time =
away from=20
    analysis.=20
    <P>Therefore, an intruder can attack the sensor by saturating the =
link. If=20
    the intruder is local, he/she can simply use a transmit program. A 400-MHz
    box can fully saturate a link with 60-byte packets, breaking most IDS
    systems that might be attached to that link.
    <P>A remote attacker can execute smurf or fraggle attacks, likewise=20
    saturating links. It is unlikely an attacker will have a fast enough =
link=20
    themselves (100-mbps is quite rare) in order to be able to attack =
head-on in=20
    this manner. </P>
    <DT>
    <H3><A name=3D9.3.2>9.3.2 Blind the event storage (snow =
blind)</A></H3>
    <DD>
    <P>The 'nmap' port scanning tool contains a feature known as "decoy" =
scans.=20
    It scans using hundreds of spoofed source addresses as well as the =
real IP=20
    address of the attacker. It therefore becomes an improbable task for the
    administrator to discover which of the IP addresses was real, and which
    was one of the decoy addresses.
    <P>Any attack can be built from the same components. A massive =
attack with=20
    spoofed addresses can always hide a real attack inserted somewhere =
inside.=20
    Administrators would be hard pressed to discover the real attack =
inside of=20
    all that noise.=20
    <P>These two scenarios still retain forensics data, though. If the =
attacker=20
    is suspected, the data is still there to find. Another attack is to =
fill up=20
    event storage. When the database fills up, no more attacks will be=20
    discovered, or older attacks will be deleted. Either way, no =
evidence exists=20
    anywhere that will point to the intruder. </P>
    <DT>
    <H3><A name=3D9.3.3>9.3.3 DoS (Denial of Service)</A></H3>
    <DD>
    <P>A NIDS is an extremely complex system, equivalent in complexity to an
    entire TCP/IP stack running numerous services. This means the NIDS =
is=20
    susceptible to such attacks as SYN floods and smurf attacks.=20
    <P>Moreover, the numerous protocols NIDS analyze leave them open to =
outright=20
    crashes when unexpected traffic is seen. Attackers can often buy the =
same=20
    intrusion detection systems used by their victim, then experiment in =
many=20
    ways in order to find packets that will kill the IDS. Then during =
the=20
    attack, the intruder kills the IDS, then continues undetected. =
</P></DD></DL>
  <DT>
  <H2><A name=3D9.4>9.4 Simple evasion</A></H2>
  <DD>
  <P>This section describes simple evasion tactics that fool basic =
intrusion=20
  detection systems. The next section will describe advanced measures.=20
  <DL>
    <DT>
    <H3><A name=3D9.4.1>9.4.1 Fragmentation</A></H3>
    <DD><A class=3Ddict=20
    =
href=3D"http://www.robertgraham.com/pubs/hacking-dict.html#fragment">Frag=
mentation</A>=20
    is the ability to break up a single IP packet into multiple smaller =
packets.=20
    The receiving TCP/IP stack then reassembles the data back again =
before=20
    forwarding the data back up to the application. Most intrusion =
detection=20
    systems do not have the ability to reassemble IP packets. Therefore, =
there=20
    exist simple tools (like <A=20
    =
href=3D"http://www.robertgraham.com/pubs/network-intrusion-detection.html=
#fragrouter">fragrouter</A>)=20
    that can auto-fragment attacks in order to evade IDS.=20
    <P>Note that fragmenting the IP packets in the middle of the TCP =
header has=20
    long been used to evade firewall port filtering.=20
    <P>Some industrial grade NIDS can reassemble traffic. Also, some =
firewalls=20
    can "normalize" traffic by forcing reassembly before passing the =
traffic=20
    through to the other end. </P>
    <DT>
    <H3><A name=3D9.4.2>9.4.2 Avoiding defaults</A></H3>
    <DD>People often use firewalls as easy NIDS, where they make =
assumptions=20
    that the destination port uniquely identifies the protocol. A hacker =
who=20
    successfully installs a backdoor can run standard protocols on =
non-default=20
    ports. For example, a hacker may send a user a Back Orifice infected =

    program, but change the port from the default of 31337. Most =
intrusion=20
    detection systems will no longer identify the traffic correctly =
(though a=20
    few do).=20
    <DT>
    <H3><A name=3D9.4.3>9.4.3 Slow scans</A></H3>
    <DD>Because of the volume of traffic on the wire, NIDS have =
difficulty=20
    maintaining long-term traffic logs. It is therefore difficult to =
detect=20
    "slow scans" (ping sweeps or port-scans) where intruders scan one=20
    port/address every hour.=20
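<P>As an added example (not part of the original FAQ), the following Python sketch shows how a sensor can keep enough long-term state to catch a one-port-per-hour scan: it remembers one timestamp per (source, port) pair, expires pairs older than a configurable window, and alerts when a source has touched a threshold number of distinct ports inside that window. The sample events, the source addresses and the thresholds are constructed for the example.</P>

```python
"""Slow-scan detector with bounded long-term state.

Added example, not part of the FAQ. A scan that probes one port per hour is
invisible to a sensor that only remembers the last few minutes of traffic.
Keeping one timestamp per (source, destination port) pair and expiring pairs
older than a window lets the sensor trade memory for detection horizon.
All events, addresses and thresholds below are constructed for the example.
"""
from collections import defaultdict

# Constructed sample: one SYN per hour from the scanner to a new port,
# plus two ordinary connections from an unrelated client.
# Each tuple is (epoch seconds, source IP, destination port).
SAMPLE_EVENTS = [(3600 * i, "198.51.100.7", 20 + i) for i in range(12)] + [
    (100, "203.0.113.9", 80),
    (200, "203.0.113.9", 443),
]


class SlowScanDetector:
    """Remembers distinct destination ports per source over a sliding window."""

    def __init__(self, window_seconds, port_threshold):
        self.window = window_seconds
        self.threshold = port_threshold
        # source -> {dst_port: timestamp of the last probe to that port}
        self.state = defaultdict(dict)

    def _expire(self, source, now):
        """Forget ports this source has not touched within the window."""
        ports = self.state[source]
        stale = [p for p, seen in ports.items() if now - seen > self.window]
        for p in stale:
            del ports[p]

    def observe(self, ts, source, dst_port):
        """Record one probe; return True when the source crosses the threshold."""
        self.state[source][dst_port] = ts
        self._expire(source, ts)
        return len(self.state[source]) >= self.threshold

    def sweep(self, now):
        """Periodic housekeeping: expire every source, drop empty ones."""
        for source in list(self.state):
            self._expire(source, now)
            if not self.state[source]:
                del self.state[source]

    def entries(self):
        """Number of (source, port) pairs currently held: the memory cost."""
        return sum(len(ports) for ports in self.state.values())


def detect_scanners(events, window_seconds, port_threshold):
    """Replay time-ordered events; return the set of sources that alerted."""
    det = SlowScanDetector(window_seconds, port_threshold)
    alerted = set()
    for ts, src, port in sorted(events):
        if det.observe(ts, src, port):
            alerted.add(src)
    return alerted


if __name__ == "__main__":
    # A ten-minute memory misses the scan entirely; a 24-hour memory
    # catches it at the fifth distinct port.
    print("10 min window:", detect_scanners(SAMPLE_EVENTS, 600, 5))
    print("24 h window:  ", detect_scanners(SAMPLE_EVENTS, 24 * 3600, 5))
```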
    <DT>
    <H3><A name=3D9.4.4>9.4.4 Coordinated, low-bandwidth =
attacks</A></H3>
    <DD>Sometimes hackers get together and run a slow scan from multiple IP
    addresses. This makes it difficult for an intrusion detection system to
    correlate the information.
    <DT>
    <H3><A name=3D9.4.5>9.4.5 Address spoofing/proxying</A></H3>
    <DD>One goal of intrusion detection is to point fingers at who is attacking
    you. This can be difficult for a number of reasons. In a 'Smurf' attack, for
    example, you receive thousands of replies from a packet that you never sent.
    The NIDS can detect those replies, but cannot discover who sent the forged
    packet. In TCP Sequence Number Prediction, forged IP addresses are used so
    that the NIDS does not know precisely where the intruder is coming from.
    Finally, most intruders will 'bounce' their attacks via FTP or Web proxies,
    or stage their attacks from other sites they have broken into. Thus, it will
    be very difficult to find out who is attacking your site, and configuring IP
    address filters in your firewall won't help.
    <DT>
    <H3><A name=3D9.4.6>9.4.6 Pattern change evasion</A></H3>
    <DD>Many simple network intrusion detection systems rely upon "pattern
    matching". Attack scripts have well-known patterns, so simply compiling a
    database of the output of known attack scripts provides pretty good
    detection, but can easily be evaded by simply changing the script.
    <P>For example, some POP3 servers are vulnerable to a buffer =
overflow when a=20
    long password is entered. There exist several popular attack scripts =
for=20
    this vulnerability. One intrusion detection system might contain 10 patterns
    to match the 10 most common scripts, while another intrusion detection
    system looks at the password field and alarms when more than 100 =
bytes have=20
    been entered. The first system is easy to evade simply by changing =
the=20
    attack script, while the second system catches any attack on this =
point.=20
    <P>The typical example is simple changes to the URL. For example, =
this=20
    document can be retrieved through the URL: <A=20
    =
href=3D"http://www.robertgraham.com/pubs/network-intrusion-detection.html=
">http://www.robertgraham.com/pubs/network-intrusion-detection.html</A>. =

    Even though the exact pattern has changed, the <I>meaning</I> hasn't been
    altered. A NIDS looking for the original URL on the wire won't detect this
    altered one unless it has anti-evasion countermeasures. </P></DD></DL>
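<P>The following Python code is an added example, not part of the original FAQ, of the "anti-evasion countermeasure" the last sentence refers to: the request path is canonicalized (percent-decoding, dropping "/./" and empty segments, resolving "..") before it is compared to a signature, so differently spelled requests for the same resource all match. The signature path and the sample requests are constructed placeholders.</P>

```python
"""Signature matching on canonicalized request paths.

Added example, not part of the FAQ. A literal signature misses requests that
spell the same path differently; canonicalizing the path first (percent
decoding, dropping "/./" and empty segments, resolving "..") lets one
signature cover every spelling. The signature path and the sample requests
are constructed placeholders.
"""
from urllib.parse import unquote

# Placeholder signature: the path a simple pattern-matching NIDS would look for.
SIGNATURE_PATHS = {"/cgi-bin/vulnerable.cgi"}

# Constructed requests: the first is the literal form, the next five spell the
# same resource differently, and the last is unrelated traffic.
SAMPLE_REQUESTS = [
    "/cgi-bin/vulnerable.cgi",
    "/cgi-bin/./vulnerable.cgi",
    "/cgi-bin//vulnerable.cgi",
    "/cgi-bin/%76ulnerable.cgi",
    "/cgi-bin/%2576ulnerable.cgi",
    "/cgi-bin/tmp/../vulnerable.cgi?id=1",
    "/index.html",
]


def normalize_path(path):
    """Return the canonical form of an HTTP request path.

    Steps: drop the query string, percent-decode twice (so a doubly encoded
    byte is undone as well), then resolve "." and ".." segments and remove
    empty segments the way a web server's path resolution would.
    """
    path = path.split("?", 1)[0]
    decoded = unquote(unquote(path))
    out = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def naive_match(path):
    """Literal comparison, as the simple pattern-matching NIDS in the text does."""
    return path in SIGNATURE_PATHS


def normalized_match(path):
    """Comparison after canonicalization: the anti-evasion countermeasure."""
    return normalize_path(path) in SIGNATURE_PATHS


def scan_requests(paths):
    """Return (path, naive_hit, normalized_hit) for each request path."""
    return [(p, naive_match(p), normalized_match(p)) for p in paths]


if __name__ == "__main__":
    for path, naive, normalized in scan_requests(SAMPLE_REQUESTS):
        print(f"{path:40} literal={naive!s:5} normalized={normalized}")
```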
  <DT>
  <H2><A name=3D9.5>9.5 Complex evasion</A></H2>
  <DD>Talented hackers can direct their attacks at their victims in ways =
to=20
  bypass intrusion detection systems. An early paper by Vern Paxson on =
his NIDS=20
  called "Bro" describes some of these problems. The original PostScript =
version=20
  is at <A=20
  =
href=3D"ftp://ftp.ee.lbl.gov/papers/bro-usenix98-revised.ps.Z">ftp://ftp.=
ee.lbl.gov/papers/bro-usenix98-revised.ps.Z</A>.=20

  <P>The seminal paper on network intrusion detection "evasion" was =
written by=20
  <A href=3D"http://www.enteract.com/~tqbf/">Thomas H. Ptacek</A> and =
Timothy N.=20
  Newsham. The original PostScript version is available at <A=20
  =
href=3D"http://www.aciri.org/vern/Ptacek-Newsham-Evasion-98.ps">http://ww=
w.aciri.org/vern/Ptacek-Newsham-Evasion-98.ps</A>,=20
  while an HTML mirror is available at <A=20
  =
href=3D"http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html=
">http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html</A>. =

  Thomas H. Ptacek claims that many/most of the commercial products still
  (October 1999) have serious problems in this regard. Much of this section
  summarizes these two papers.
  <P>These papers describe the abstract concept that the network model =
used by=20
  the network intrusion detection system is different than the real =
world.=20
  <P>For example, an intruder might send a TCP FIN packet that the NIDS sees,
  but which the victim host never sees. This causes the NIDS to believe the
  connection is closed, when in fact it isn't. Since TCP connections do not
  send "keep-alives", the intruder could wait hours or days after this "close"
  before continuing the attack. In practice, most interesting services do kill
  the connection after a certain time with no activity, but the intruder still
  can cause a wait of several minutes before continuing.
  <P>The first such attack is to find a way to pass packets as far as =
the NIDS,=20
  but cause a later router to drop packets. This depends upon the router =

  configuration, but typical examples include low TTL fields, =
fragmentation,=20
  source routing, and other IP options. If there is a slow link past the =
NIDS,=20
  then the hacker can flood the link with high priority IP packets, and =
send the=20
  TCP FIN as a low priority packet -- the router's queuing mechanism =
will likely=20
  drop the packet.=20
  <P>Another approach is to consider what the host will or will not =
accept. For=20
  example, different TCP stacks behave differently to slightly invalid =
input=20
  (which programs like 'nmap' and 'queso' use to fingerprint operating =
systems).=20
  Typical ways of causing different traffic to be accepted/rejected are to send
  TCP options, cause timeouts to occur for IP fragments or TCP segments, overlap
  fragments/segments, or send slightly wrong values in TCP flags or sequence
  numbers.

  <P>The Ptacek/Newsham paper concentrated on IP fragmentation and TCP=20
  segmentation problems in order to highlight bugs in IDSs. For example, =
they=20
  noted that if overlapping fragments are sent with different data, some =
systems=20
  prefer the data from the first fragment (WinNT, Solaris), whereas others keep
  the data from the last fragment (Linux, BSD). The NIDS has no way of =
knowing=20
  which the end-node will accept, and may guess wrong.=20
  <P>Their TCP connection analysis was even more in depth, discussing =
ways of=20
  "de-synchronizing" TCP connections, which are much more fragile than =
one would=20
  think. Again, the IDS cannot correctly model all possible TCP/IP stack =

  behavior and figure out what the end-node will accept as data. TCP =
also has=20
  the overlap problems that IP fragmentation has. For example, intrusion =

  detection systems might accept the first segment and ignore later =
segments,=20
  but most hosts accept the later segments.
  <P>They ran tests against various intrusion detection systems in order =
to=20
  figure out if they could evade intrusion detection systems. Their =
results were=20
  dismal -- one major intrusion detection system could be completely =
evaded=20
  simply by fragmenting packets, others could be thrown off by =
"desynchronizing"=20
  from the data the end-node would accept.=20
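<P>The overlap ambiguity just described, as an added Python example that is not part of the FAQ or of either paper: the same three fragments are reassembled under a "first fragment wins" policy and a "last fragment wins" policy, yielding two different payloads, and a target-based matcher reassembles under the policy of the actual end host before looking for a signature. The fragments and the signature string are constructed placeholders.</P>

```python
"""IP fragment reassembly under two overlap policies.

Added example, not part of the FAQ or of the papers it cites. When fragments
overlap with different data, some stacks keep the bytes of the first fragment
to arrive and others keep the bytes of the last. A sensor that reassembles
under one policy sees a different payload than an end host using the other,
so a target-based sensor reassembles under the policy of the actual host.
Fragments are (byte offset, payload) pairs and the signature is a placeholder,
all constructed for the example; no real packets are built or sent.
"""

# Per-OS overlap policy as stated in the FAQ text above.
OVERLAP_POLICY = {"WinNT": "first", "Solaris": "first", "Linux": "last", "BSD": "last"}

# Constructed fragments in arrival order. The third fragment covers exactly
# the same byte range as the second one, but with different contents.
SAMPLE_FRAGMENTS = [
    (0, b"GET /cgi-bin/"),
    (13, b"harmless.cgi"),
    (13, b"vuln.cgi\r\n\r\n"),
]

SIGNATURE = b"/cgi-bin/vuln.cgi"   # placeholder signature


def reassemble(fragments, policy):
    """Rebuild the datagram payload from (offset, data) fragments.

    policy "first": bytes already filled are never overwritten.
    policy "last":  a later fragment overwrites whatever is there.
    Raises ValueError if the fragments leave a hole, since an end host would
    never deliver such a datagram to the application.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown overlap policy: %r" % policy)
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    filled = [False] * total
    for off, data in fragments:          # arrival order matters
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
            filled[pos] = True
    if not all(filled):
        raise ValueError("incomplete datagram")
    return bytes(buf)


def reassembly_disagrees(fragments):
    """True when the two policies produce different payloads: the case
    where a sensor with a single fixed policy may guess wrong."""
    return reassemble(fragments, "first") != reassemble(fragments, "last")


def detect_for_host(fragments, signature, host_os):
    """Target-based detection: reassemble as the destination host would,
    then look for the signature in what that host actually receives."""
    return signature in reassemble(fragments, OVERLAP_POLICY[host_os])


if __name__ == "__main__":
    for os_name in OVERLAP_POLICY:
        payload = reassemble(SAMPLE_FRAGMENTS, OVERLAP_POLICY[os_name])
        verdict = "alert" if detect_for_host(SAMPLE_FRAGMENTS, SIGNATURE, os_name) else "clean"
        print(os_name, payload, verdict)
```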
  <P><!--

<dt><h2><a name=3D"9.6">9.6 False positives and spoofing</a></h2><dd>
	<p>
	A killer problem with intrusion detection systems is the high
	incidence of "false positives".=20
	<p>
	<b>Bayseian=20

--></P>
  <DT>
  <H2><A name=3D9.9>9.9 Tools</A></H2>
  <DD>The following tools may help in evaluating IDS systems for these =
problems.=20

  <DL>
    <DT>RFP <A name=3Dwhisker>Whisker</A>
    <DD><A =
href=3D"http://www.wiretrip.net/rfp">http://www.wiretrip.net/rfp</A>=20
    <P>Scans websites looking for vulnerable CGI programs. Contains over 10
    different IDS-evasion techniques that either change the URL being scanned,
    or alter the HTTP protocol itself. </P>
    <DT>Anzen <A name=3Dnidsbench>NIDSbench</A>
    <DD><A=20
    =
href=3D"http://www.anzen.com/research/nidsbench/">http://www.anzen.com/re=
search/nidsbench/</A>.=20

    <P>Contains the "<A name=3Dfragrouter>fragrouter</A>" that forces =
all traffic=20
    to fragment, which demonstrates how easy it is for hackers/crackers =
to do=20
    the same in order to evade intrusion detection. This accepts =
incoming=20
    traffic then fragments it according to various rules (IP =
fragmentation with=20
    various sizes and overlap, TCP segmentation again with various sizes =
and=20
    overlaps, TCP insertion in order to de-synchronize the connection, =
etc.).=20
    <P>Also contains the "<A=20
    =
href=3D"http://www.robertgraham.com/pubs/network-intrusion-detection.html=
#tcpreplay">tcpreplay</A>"=20
    program, which dumps high loads onto an Ethernet segment in order to =
verify=20
    a NIDS can keep up. </P>
    <DT>CASL
    <DD>NAI's CyberCop Scanner comes with CASL built in. This was used =
in the=20
    Insertion/Evasion paper above to carry out validation tests. It =
allows=20
    scripting of low-level TCP/IP packets.=20
    <P>Some scripts for CASL are at: <A=20
    =
href=3D"http://www.roses-labs.com/labs/labs.htm">http://www.roses-labs.co=
m/labs/labs.htm</A>=20
    </P></DD></DL>
  <DT>
  <H1><A name=3D10.>10. Misc.</A></H1>
  <DD>
  <DT>
  <H2><A name=3D10.1>10.1 What are some standardization/interoperability =

  efforts?</A></H2>
  <DD>
  <P>The state of standardization is extremely undeveloped at this =
point. The=20
  problem is that IDS sensors do not really detect intrusions. Instead, they
  detect evidence that indicates intrusion. This is not quite the same thing.
  <P>For example, one NIDS might detect a buffer-overflow attempt =
against an FTP=20
  server by tracking the length of the user name (e.g. BlackICE). =
Another might=20
  catalogue a list of signatures (patterns) of known exploits, and look =
for=20
  those patterns anywhere in the control connection (e.g. Snort). Yet =
others=20
  might look for typical signs of intrusions, such as a long string of =
x86 NOOPs=20
  in the control connection (Dragon). A host based system might detect =
when the=20
  FTP service crashes (which most buffer-overflow exploits cause).=20
  <DL>
    <DT>
    <H3><A name=3D10.1.1>10.1.1 COAST audit trails format</A></H3>
    <DD>A much more narrowly defined effort that solves a specific problem.
    Hasn't produced proposals yet. See <A=20
    =
href=3D"http://www.cs.purdue.edu/coast/projects/audit-trails-format.html"=
>http://www.cs.purdue.edu/coast/projects/audit-trails-format.html</A>=20

    <DT>
    <H3><A name=3D10.1.2>10.1.2 Universal Format for Logger =
Messages</A></H3>
    <DD>See <A=20
    =
href=3D"http://www.ietf.org/internet-drafts/draft-abela-ulm-04.txt">http:=
//www.ietf.org/internet-drafts/draft-abela-ulm-04.txt</A>=20

    <DT>
    <H3><A name=3D10.1.3>10.1.3 IETF Intrusion Detection Working =
Group</A></H3>
    <DD>Charter: <A=20
    =
href=3D"http://www.ietf.org/html.charters/idwg-charter.html">http://www.i=
etf.org/html.charters/idwg-charter.html</A><BR>Archive:=20
    <A=20
    =
href=3D"http://www.semper.org/idwg-public/">http://www.semper.org/idwg-pu=
blic/</A><BR>Subscribe:=20
    <A href=3D"mailto:idwg-public-request@zurich.ibm.com">idwg-public-request@zurich.ibm.com</A>

    <DT>
    <H3><A name=3D10.1.4>10.1.4 CIDF (Common Intrusion Detection=20
    Framework)</A></H3>
    <DD>Has specified a lisp-like format for messages between "Event=20
    Generators", "Event Analyzers", "Event Databases", and "Response =
Units".=20
    Currently very theoretical with little industry input.=20
    <DT>
    <H3><A name=3D10.1.5>10.1.5 SAF (Security Advisory Format)</A></H3>
    <DD>An attempt to standardize security advisories, such as those =
that come=20
    from CERT, the FBI, etc. <A=20
    =
href=3D"http://www.ietf.org/internet-drafts/draft-debeaupuis-saf-00.txt">=
http://www.ietf.org/internet-drafts/draft-debeaupuis-saf-00.txt</A>=20

    <DT>
    <H3><A name=3D10.1.6>10.1.6</A> Mitre's <A name=3Dcve>CVE =
effort</A></H3>
    <DD>"Common Vulnerabilities and Exposures (CVE)" - aims to =
standardize the=20
    names for all publicly known vulnerabilities and security exposures. =
While=20
    this is primarily an academic effort, it does have some vendor input =
from=20
    the major vulnerability assessment and IDS vendors.=20
    <P>The CVE effort is best thought of as a "concordance": it allows =
people to=20
    sync up between the various advisories and IDS/scanner checks. It =
solves the=20
    problem that different products detect such things differently. For =
example,=20
    one intrusion detection system might detect a buffer overflow by =
examining=20
    the length of a field, and therefore map to multiple CVE entries and =

    advisories for different products that have buffer overflows in the =
same=20
    field. Likewise, another IDS system might match the signatures of =
specific=20
    exploits (from published scripts) of a single vulnerability.=20
    <P>Therefore, there might be one-to-many, many-to-one, or =
many-to-many=20
    mappings between any product or set of advisories. The CVE provides =
a=20
    concordance between various systems.=20
    <P><A =
href=3D"http://www.cve.mitre.org/">http://www.cve.mitre.org/</A>=20
    </P></DD></DL>
  <DT>
  <H1><A name=3D11.>11. Honeypots and Deception Systems</A><A name=3D11> =
</A></H1>
  <DD>While not strictly sniffer-based intrusion detection systems, =
honeypots=20
  still process network protocols in much the same ways. Therefore, I've =
decided=20
  to add this section to my FAQ.=20
  <DT>
  <H2><A name=3D11.1>11.1 What is a honeypot?</A></H2>
  <DD>A <I>honeypot</I> is a system designed to look like something that =
an=20
  intruder can hack. Examples can be:=20
  <UL>
    <LI>Installing a machine on the network with no particular purpose =
other=20
    than to log all attempted access.=20
    <LI>Installing an older unpatched operating system on a machine. For =

    example, the default installation of WinNT 4 with IIS 4 can be =
hacked using=20
    several different techniques. A standard intrusion detection system =
can then=20
    be used to log hacks directed against the machine, and further track =
what=20
    the intruder attempts to do with the system once it is compromised.=20
    <LI>Install special software designed for this purpose. It has the =
advantage=20
    of making it look like the intruder is successful without really =
allowing=20
    them access.=20
    <LI>Any existing system can be "honeypot-ized". For example, on =
WinNT, it is=20
    possible to rename the default "administrator" account, then create =
a dummy=20
    account called "administrator" with no password. WinNT allows =
extensive=20
    logging of a person's activities, so this honeypot will track users
    attempting to gain administrator access and exploit that access. </LI></UL>
  <DT>
  <H2><A name=3D11.2>11.2 What are the advantages of a =
honeypot?</A></H2>
  <DD>
  <UL>
    <LI>An early-alarm that will trip only upon hostile activity. =
Network=20
    intrusion detection systems have a problem distinguishing hostile =
traffic=20
    from benign traffic. Isolated honeypots have a much easier time =
because they=20
    are systems that should not normally be accessed. This means that =
<I>all</I>=20
    traffic to a honeypot system is already suspect. Network management=20
    discovery tools and vulnerability assessment tools still cause false =

    positives, but they otherwise give a better detection rate.=20
    <LI>A hostile-intent assessment system. Honeypots often present =
themselves=20
    as easily hacked systems. One of the most common things hackers do =
is scan=20
    the Internet doing "<A=20
    =
href=3D"http://www.robertgraham.com/pubs/hacking-dict.html#banner">banner=
=20
    checks</A>". The honeypot can be setup to provide a banner that looks like a
    system that can easily be hacked, then to trigger if somebody actually does
    the hack. For example, the POP3 service reports the version of the software.
    Several versions of well-known packages have buffer-overflow holes. A hacker
    connects to <A=20
    =
href=3D"http://www.robertgraham.com/pubs/firewall-seen.html#port110">port
    110</A>, grabs the version info from the banner, then looks up the version
    in a table that points to which exploit script can be used to break into the
    system. </LI></UL>
  <DT>
  <H2><A name=3D11.3>11.3 What are the disadvantages of a =
honeypot?</A></H2>
  <DD>
  <UL>
    <LI>If the system does indeed get hacked, it can be used as a =
stepping stone=20
    to further compromise the network.=20
    <LI>Some people believe that since honeypots lure hackers in, that =
legal=20
    rights to prosecute hackers are reduced. This is a misconception, =
because=20
    honeypots are not active lures -- they do not advertise themselves. =
A hacker=20
    can only find a honeypot in the first place by running search =
programs on a=20
    network.=20
    <LI>Honeypots add complexity. In security, complexity is bad: it =
leads to=20
    increased exposure to exploits.=20
    <LI>Honeypots must be maintained just like any other networking
    equipment/services. This leads many people to turn them off after a while.
    You think that a 486 running RedHat Linux 4.2 that you setup 2 years ago
    doesn't require maintenance, but in reality it does. How do you know the
    logging is working right? What do you do when a new network management
    platform or vulnerability assessment system starts being used and alarms
    start going off? What do you do when alarms stop coming in because a hacker
    has compromised the system and is using it to launch other attacks against
    you (or worse, back out to the Internet)? </LI></UL>
  <DT>
  <H2><A name=3D11.4>11.4 How can I setup my own honeypot?</A></H2>
  <DD>The thing to remember is that setting up honeypots is really easy. While
  honeypot products are cool, virtually any existing hardware/software can be
  setup to be your honeypot.
  <P>Your gameplan should consist of the following steps:=20
  <DL>
    <DT>documentation, documentation, documentation
    <DD>The first step in any network management endeavor (actually, the =
last=20
    step when people discover the pain of not having done it in the =
first=20
    place).=20
    <DT>maintenance plan
    <DD>How do you plan on maintaining it?=20
    <DT>alarm reporting
    <DD>How do you plan on receiving alarms from the system?=20
    <DT>reaction plan
    <DD>What do you plan on doing when an alarm goes off? </DD></DL>
  <DT>
  <H2><A name=3D11.5>11.5 What are the types of honeypots?</A></H2>
  <DD>
  <DL>
    <DT>Port monitors
    <DD>The simplest honeypot is simply a <A=20
    =
href=3D"http://www.robertgraham.com/pubs/hacking-dict.html#sockets">socke=
ts</A>-based=20
    program that opens up a listening port. A typical example of this is =
the=20
    program <I>NukeNabber</I> (for Windows) that listens on ports =
typically=20
    scanned for by hackers. This alerts the user that they are being =
scanned.=20
    The disadvantages of these programs are:
    <UL>
      <LI>In most cases where they are used, it is actually better to setup a
      personal firewall to block access from the attacker. Port monitors don't
      log any better than a firewall would.
      <LI>They alert the hacker that such a system is running because =
they first=20
      accept, then drop, the connection. </LI></UL>
    <DT>Deception systems
    <DD>The next logical step beyond the port monitor is a system that =
actually=20
    interacts with the hacker. For example, rather than simply accepting =
<A=20
    =
href=3D"http://www.robertgraham.com/pubs/firewall-seen.html#port110">port=
=20
    110</A> for POP3, then dropping it, a deception system will actually =
respond=20
    as if it were a POP3 server. It may give a generic banner, or it may =

    generate a banner with a version number that hackers know they can =
hack.=20
    Since 99% of attacks against POP3 are buffer-overruns in the =
username or=20
    passwords, most deception systems only implement that portion of the =

    protocol. Likewise, most deception systems implement only as much of =
the=20
    protocol machine as necessary to trap 90% of the attacks against the =

    protocol.=20
    <DT>Multi-protocol deception systems
    <DD>Packages like Specter or Fred Cohen's Deception Toolkit offer =
most of=20
    the commonly hacked protocols in a single toolkit. Likewise, these =
systems=20
    come with multiple banners in order to emulate packages for =
different=20
    operating systems.=20
    <DT>Full systems
    <DD>Beyond products targeted directly at deception, you can also implement
    full systems. Most systems have the ability to alert on exception
    conditions. By using the native logging/auditing built into such
    <DT>Full systems plus NIDS
    <DD>Along with the full system mentioned above, you might want to =
include a=20
    full intrusion detection system to supplement the internal logging. =
</DD></DL>
  <DT>
  <H2><A name=3D11.6>11.6 What are the pros/cons of setting up a system =
that can=20
  be hacked?</A></H2>
  <DD>The three most commonly hacked servers on the net are unpatched =
systems=20
  running older Linux (like RedHat 5.0), Solaris 2.6, and Microsoft IIS =
4.0.=20
  Therefore, as part of your honeypot plan, you might want to setup one =
or all=20
  three of these systems.=20
  <P>Remember: if you put one of these systems on the Internet, within a =
month=20
  it will be discovered and hacked.=20
  <P>
  <DL>
    <DT>
    <H3>Pros:</H3>
    <DD>
    <P></P>
    <DT>Learn about incident response
    <DD>Most people believe "it can't happen to them", and are =
unprepared when=20
    it does. Setting up systems that hackers break into will teach you =
about how=20
    to detect hacker breakins and how to clean up after them.=20
    <DT>Learn about hacking techniques
    <DD>Watching hackers break into your system teaches you a lot about =
hacking.=20

    <P>If you need a secure system inside your company (for example, one =
that=20
    holds financial information), setup a similar system outside your =
company=20
    with bogus data. If a hacker compromises that system, you'll learn =
how to=20
    protect the one inside your company from similar exploits. </P>
    <DT>Early warning systems
    <DD>Setting up servers inside your company that can easily be hacked =
will=20
    alert you to hostile activity long before real systems get =
compromised.=20
    Hackers try the simpler techniques first before moving on to harder ways of
    breaking into systems. Therefore, setting up an easily hacked system will
    clearly indicate the hostile intent of somebody.
    <DT>
    <H3>Cons:</H3>
    <DD>
    <DT>Launching Point
    <DD>The biggest danger is that somebody could use that system to =
launch=20
    further attacks against either you or other people. In particular, =
there=20
    might be legal considerations when a system you control attacks a =
third=20
    party. </DD></DL>
  <DT>
  <H2><A name=3D11.7>11.7 Are there examples of people using =
honeypots?</A></H2>
  <DD>The book <A=20
  =
href=3D"http://www.amazon.com/exec/obidos/ASIN/0671726889/robertgrahamcom=
">The=20
  Cuckoo's Egg</A> by <I>Clifford Stoll</I> is an engaging story about a =

  researcher who bumbles his way into tracking down a hacker who was =
abusing the=20
  university's computer systems. The researcher basically left the =
system open=20
  and vulnerable for about a year in order to track the hacker's =
activities.=20
  <P>The San Diego Supercomputer Center has left machines up that can be =
hacked.=20
  <A=20
  =
href=3D"http://security.sdsc.edu/incidents/worm.2000.01.18.shtml">http://=
security.sdsc.edu/incidents/worm.2000.01.18.shtml</A>=20

  <P>The classic treatise on the subject is <B>An Evening with =
Berferd</B> which=20
  details how somebody setup a honeypot. <A=20
  =
href=3D"http://www.all.net/books/berferd/berferd.html">http://www.all.net=
/books/berferd/berferd.html</A>.=20
  </P>
  <DT>
  <H2><A name=3D11.8>11.8 What honeypot products are available?</A></H2>
  <DD>The following are products that I know of.=20
  <DL>
    <DT>Fred Cohen's Deception Toolkit
    <DD><A href=3D"http://www.all.net/dtk/">http://www.all.net/dtk/</A>=20
    <DT>Specter
    <DD><A href=3D"http://www.specter.ch/">http://www.specter.ch/</A>=20
    <DT>NAI CyberCop Sting
    <DD><A href=3D"http://www.nai.com/">http://www.nai.com/</A>=20
    <DT>netcat
    <DD>The netcat tool can be used to respond with deceptive banners. =
</DD></DL>
  <DT>
  <H2><A name=3D11.9>11.9 What are deception countermeasures?</A></H2>
  <DD>Beyond honeypots in particular, you can setup "deception =
countermeasures".=20
  Your network "leaks" lots of information about itself, which hackers =
in turn=20
  use to break into your network. Therefore, if you leak deceptive information
  about your network, then you'll at minimum misdirect your attackers, but
  hopefully trigger alerts.
  <P>I personally have done the following sorts of things:=20
  <DL>
    <DT>E-mail headers
    <DD>A classic problem on the web is that e-mail systems insert the IP
    address of the system sending the message to it. If you are inside a
    corporation and send e-mail out, you reveal internal e-mail servers. If you
    are using a free e-mail system like Yahoo mail or Hotmail, the IP address of
    the machine you used to send the mail is included in the header. This
    process can go several levels deep as e-mail inside companies often travels
    several hops through gateways, firewalls, and anti-virus content scanners.
    It's difficult, but you can reprogram things in order to insert bogus IP
    addresses into the headers.
    <DT>DNS info
    <DD>One of the first things a hacker will do against you is a DNS =
Zone=20
    Transfer. Many admins block access to TCP port 53 to stop this (though that
    breaks other DNS services). By inserting bogus machines or even =
entire bogus=20
    subdomains you misdirect the hacker. For example, I could setup a =
machine=20
    called "bogus.robertgraham.com" with an IP address of 192.0.2.132, =
then tell=20
    my IDS to trigger whenever it sees traffic to that address. Since my =
IDS=20
    already triggers on Zone Transfers, this'll catch somebody who is =
seriously=20
    trying to scope out my network.=20
    <DT>anti-sniffers
    <DD>Are you certain that your ISP isn't sniffing you? Well, in order =
to find=20
    out, setup machines elsewhere on the Internet to connect to some of =
your=20
    boxes using clear-text passwords. Then setup your IDS to trigger =
when=20
    anybody else uses those passwords. This is best used with a honeypot =
that=20
    doesn't have real services. For example, I've setup a virtual Telnet =
daemon=20
    on that another machines logs into every once-and-a-while. I've =
setup the=20
    IDS to trigger if anybody but that machine logs in using that =
account name.=20
    When they log in, they will soon find out it isn't real account.=20
    <DT>anti-sniffers, part deux
    <DD>Similar to above, you can transfer password files across the =
network=20
    that contain easily crackable passwords, then have the IDS trigger =
whenever=20
    anybody attempts to login. For example, setup a batch file that =
regularly=20
    transfers files via FTP, one of which is <A=20
    =
href=3D"http://www.robertgraham.com/pubs/hacking-dict.html#etc-passwd">/e=
tc/passwd</A>.=20
    This will tell you if anybody has sniffed that file. </DD></DL>
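  <P>The DNS-decoy and canary-password tripwires above, as an added example that is
  not part of the FAQ and not any IDS product's code: a small Python log scanner
  that raises an alert whenever any host contacts the bogus 192.0.2.132 address,
  whenever a canary account is used from anywhere but the one authorized probe
  host, or whenever a zone transfer (AXFR) is requested, and then correlates the
  alerts to find sources that tripped more than one tripwire. The log line
  formats, the account name <I>canary</I> and the probe address 198.51.100.7 are
  constructed assumptions for this example; the sample log is constructed too.</P>

```python
"""Honeytoken and decoy-host alerting over constructed log lines."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Decoy host from the FAQ's own example (bogus.robertgraham.com).  Nothing
# legitimate ever talks to it, so any contact is worth an alert.
DECOY_HOSTS = {"192.0.2.132"}

# Canary account -> source IPs allowed to use it.  Both the account name and
# the probe host 198.51.100.7 are hypothetical values chosen for this example.
CANARY_ACCOUNTS = {"canary": {"198.51.100.7"}}

# Constructed log formats for this example (not any product's real format):
#   CONN src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
#   AUTH user=<name> src=<ip> service=<svc> result=<success|failure>
#   DNS  src=<ip> qtype=<type> qname=<name>
CONN_RE = re.compile(r"^CONN src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)$")
AUTH_RE = re.compile(r"^AUTH user=(\S+) src=(\S+) service=(\S+) result=(\S+)$")
DNS_RE = re.compile(r"^DNS src=(\S+) qtype=(\S+) qname=(\S+)$")


@dataclass(frozen=True)
class Alert:
    kind: str    # which deception tripwire fired
    src: str     # source address that tripped it
    detail: str  # human-readable context for the analyst


def check_line(line: str) -> Optional[Alert]:
    """Return an Alert for one log line, or None if the line is benign."""
    line = line.strip()
    m = CONN_RE.match(line)
    if m:
        src, dst, dport, proto = m.groups()
        if dst in DECOY_HOSTS:
            return Alert("decoy-host-contact", src, f"{proto}/{dport} to {dst}")
        return None
    m = AUTH_RE.match(line)
    if m:
        user, src, service, result = m.groups()
        allowed = CANARY_ACCOUNTS.get(user)
        # Alert on any use of a canary account (success or failure) from a host
        # other than the authorized probe: someone captured the clear-text login.
        if allowed is not None and src not in allowed:
            return Alert("canary-credential-use", src, f"{user} via {service} ({result})")
        return None
    m = DNS_RE.match(line)
    if m:
        src, qtype, qname = m.groups()
        if qtype.upper() == "AXFR":
            return Alert("zone-transfer-attempt", src, qname)
        return None
    return None  # unrecognized line: ignored, not an error


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run every line through check_line and keep the alerts."""
    return [a for a in (check_line(line) for line in lines) if a is not None]


def scoping_sources(alerts: Iterable[Alert]) -> Set[str]:
    """Sources that tripped more than one distinct tripwire, e.g. a zone
    transfer followed by contact with a decoy host learned from it."""
    kinds_by_src = {}
    for a in alerts:
        kinds_by_src.setdefault(a.src, set()).add(a.kind)
    return {src for src, kinds in kinds_by_src.items() if len(kinds) > 1}


# Constructed sample log; the 203.0.113.x and 198.51.100.x addresses are
# documentation ranges, not real hosts.
SAMPLE_LOG = [
    "DNS src=203.0.113.9 qtype=AXFR qname=robertgraham.com",
    "CONN src=203.0.113.9 dst=192.0.2.132 dport=80 proto=tcp",
    "CONN src=203.0.113.9 dst=192.0.2.10 dport=80 proto=tcp",
    "AUTH user=canary src=198.51.100.7 service=telnet result=success",
    "AUTH user=canary src=203.0.113.44 service=telnet result=success",
    "AUTH user=alice src=203.0.113.44 service=ssh result=success",
    "DNS src=203.0.113.9 qtype=A qname=www.robertgraham.com",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.kind:24} {a.src:16} {a.detail}")
    print("sources actively scoping the network:", scoping_sources(found))
```

  <P>Run against the constructed log it raises three alerts: the AXFR request, the
  follow-up connection to the decoy address from the same source, and the canary
  login from a host other than the probe. Only the source that did both the zone
  transfer and the decoy contact is reported by <I>scoping_sources</I>, which is
  the correlation the DNS entry above relies on. Note that the canary check fires
  on failed as well as successful logins, because the point is that the credential
  was presented at all, not that it worked.</P>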
  <DT>
  <H2><A name=11.10>11.10</A> What are the legal implications of honeypots?</H2>
  <DD>I am not a lawyer and couldn't begin to give legal advice. However, the
  following is what I believe to be true from the best available evidence.
  <DL>
    <DT>
    <H3><A name=11.10.1>11.10.1</A> Do honeypots constitute entrapment?</H3>
    <DD>No. This is the most commonly asked question about honeypots, and the
    answer is a clear no. Entrapment has a clear legal definition whereby law
    enforcement officers encourage somebody to commit a crime that they were
    not otherwise disposed to do. This means:
    <UL>
      <LI>If you are not a law enforcement officer, you cannot entrap.
      <LI>Affording the means for somebody to commit a crime is not the same as
      encouraging the crime. The FBI can set up a honeypot without risk of
      entrapment.
      <LI>If the FBI contacts somebody in <A
      href="news://alt.2600/">alt.2600</A> and posts a bounty for cracking into
      a system, then it <I>would</I> be entrapment. </LI></UL>
    <DT>
    <H3><A name=11.10.2>11.10.2</A> Am I aiding and abetting a crime?</H3>
    <DD>Possibly. You are certainly not abetting the person breaking into your
    system. However, if he/she uses your system to launch attacks against
    other systems, you might be partially liable for the actions.
    <P><A
    href="http://www.nylj.com/stories/00/03/030200a5.htm">http://www.nylj.com/stories/00/03/030200a5.htm</A>
    </P>
    <DT>
    <H3><A name=11.10.3>11.10.3</A> Am I liable for attacks launched from the
    compromised honeypot?</H3>
    <DD>Very probably. This hasn't been tested in court, but if you have a lot
    of money and the hacker causes lots of damage, guess who the victim is going
    to sue? It doesn't matter what the law says; there is a good chance you will
    have to defend yourself in court. Note that this also applies when the
    hacker breaks into any of your systems.
    <P>There are ways around this. Virtual honeypots cannot be used to launch
    effective attacks, and you can keep an eye on really vulnerable systems.
    </P></DD></DL>
  <DT>[fin] </DT></DL></BODY></HTML>

------=_NextPart_000_007E_01C0F726.19F023C0--

