Network Intrusion Detection System
From Computing and Software Wiki
Line 1: | Line 1: | ||
- | + | A NIDS captures all traffic of the network, detects the attacks and gives alarms to the user/administrator. | |
- | + | ---- | |
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | '''Capture''': | |
+ | IDS use different methods to capture the relevant data to be analyzed. A very well known method is pcap. | ||
- | - | + | pcap consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library(packet capture library); Windows uses a port of libpcap known as WinPcap. |
- | - | + | Monitoring software may use libpcap and/or WinPcap to capture packets travelling over a network and, in newer versions, to transmit packets on a network at the link layer, as well as to get a list of network interfaces for possible use with libpcap or WinPcap. |
+ | |||
+ | libpcap and WinPcap also support saving captured packets to a file, and reading files containing saved packets; applications can be written, using libpcap or WinPcap, to be able to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that libpcap and WinPcap use can be read by applications that understand that format. | ||
+ | |||
+ | libpcap and WinPcap provide the packet-capture and filtering engines of network intrusion detection systems. They are usually installed at the data link layer but they can be installed at any desired layer and they capture the net work traffic from that layer all the way up. Filters can be applied so that the NIDS can can sniff the data in a desired way. for example: | ||
+ | |||
+ | - request a list of all packets except the ones that use UDP. | ||
+ | |||
+ | - request a list of all packets all packets going through TCP and usnig port 80. | ||
+ | |||
+ | ---- | ||
+ | ''' | ||
+ | Detection | ||
+ | ''' | ||
+ | |||
+ | The typical function of a NIDS is based on a set of signatures, each describing one known intrusion | ||
+ | threat. ANIDS examines network traffic and determines whether any signatures indicating intrusion attempts are matched. | ||
+ | |||
+ | The simplest and most common form of NIDS inspection is to match string patterns against the payload of packets captured on a network link. | ||
+ | |||
+ | For instance, consider the (simplified) signature shown here: | ||
+ | |||
+ | alert tcp $EXTERNAL_NET any -> | ||
+ | $HTTP_SERVERS 80 (content:‘‘/usr/bin/perl’’) | ||
+ | |||
+ | It is a A simple intrusion detection rule, taken from snort, a widely-used open-source NIDS. This signature matches all TCP/IP packets originating from computers outside the monitored domain (i.e., the $EXTERNAL NET), destined to the web servers of the monitored domain (i.e., the $HTTP SERVERS at port 80 ), and containing the string “/usr/bin/perl” in the payload. If the NIDS determines that a packet matches this rule, it infers that a malicious client may be trying to make the web server execute the perl interpreter, hoping to gain unauthorized access. To decide whether a packet matches the signature, the NIDS needs to check the (TCP/IP) packet header for the specified values (i.e., | ||
+ | $EXTERNAL NET, $HTTP SERVERS, 80). In addition, the NIDS needs to check whether the payload contains the string “/usr/bin/perl”. | ||
+ | |||
+ | There are two main algorithms for pattern matching: | ||
+ | |||
+ | '''E2xB: A domainspecific string matching algorithm for intrusion detection''': | ||
+ | |||
+ | In this context, we present ÌÎÍ}Ï\Ð , a string matching algorithm that is designed specifically for the relatively small input size (in the order of packet size) and small expected matching probability that is common in a NIDS environment. | ||
+ | |||
+ | These assumptions allow string matching to be enhanced by first testing the input (e.g., the payload of each packet) for missing fixed-size sub-strings of the original signature string, called elements. The false positives induced by ÌÎÍÏ\Ð , e.g., cases with all fixed-size sub-strings of the signature showing up in arbitrary positions within the input, can then be separated from actual matches using standard string matching algorithms" | ||
+ | |||
+ | |||
+ | '''Boyer-Moore algorithm''': | ||
+ | |||
+ | Boyer-Moore algorithm | ||
+ | |||
+ | The Boyer-Moore algorithm is considered as the most efficient string-matching algorithm in usual applications. A simplified version of it or the entire algorithm is often implemented in text editors for the «search» and «substitute» commands. | ||
+ | |||
+ | The algorithm scans the characters of the pattern from right to left beginning with the rightmost one. In case of a mismatch (or a complete match of the whole pattern) it uses two precomputed functions to shift the window to the right. These two shift functions are called the good-suffix shift (also called matching shift and the bad-character shift (also called the occurrence shift). | ||
+ | |||
+ | |||
+ | One of the best references in string matching is: http://www-igm.univ-mlv.fr/~lecroq/string/ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | '''Alert''' | ||
+ | |||
+ | Alternation(1): | ||
+ | |||
+ | - warning at least | ||
+ | |||
+ | - or some action taken against the IP that is attacking you. | ||
+ | |||
+ | |||
+ | Alternation(2) | ||
+ | |||
+ | Symantec Host IDS provides real-time monitoring, detection, and prevention of security breaches, delivering automated policy enforcement and incident response for servers, applications, and data. As a complement to firewalls and other access controls, it enables administrators to develop proactive policies to stop hackers or authorized users with malicious intent from misusing systems. | ||
+ | New process management capabilities combine multiple intrusion prevention technology functions, including process reporting, monitoring, and blocking. Process Reporter provides access to granular process data so administrators can make rapid, informed decisions regarding server security. Process Monitor allows administrators to define a wide variety of security configurations to provide a fault-tolerant, secure environment. Process Blocker allows administrators to restrict server capabilities through defined policies to prevent malicious activity. These technologies provide an efficient and non-intrusive intrusion protection solution to stop threats such as buffer overflow attacks. | ||
+ | |||
+ | - real time: | ||
+ | |||
+ | best effort. | ||
+ | |||
+ | Data from the network layer. | ||
+ | |||
+ | Drop all the packets from a specific IP: so netfilter for that maybe dangerous. 'cause the pirate may have faked one of your internal IPs and then you are actually cutting of one of your local network connections. | ||
+ | |||
+ | - run time: |
Revision as of 02:20, 24 March 2008
A NIDS captures all traffic of the network, detects the attacks and gives alarms to the user/administrator.
Capture: IDS use different methods to capture the relevant data to be analyzed. A very well known method is pcap.
pcap consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library(packet capture library); Windows uses a port of libpcap known as WinPcap.
Monitoring software may use libpcap and/or WinPcap to capture packets travelling over a network and, in newer versions, to transmit packets on a network at the link layer, as well as to get a list of network interfaces for possible use with libpcap or WinPcap.
libpcap and WinPcap also support saving captured packets to a file, and reading files containing saved packets; applications can be written, using libpcap or WinPcap, to be able to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that libpcap and WinPcap use can be read by applications that understand that format.
libpcap and WinPcap provide the packet-capture and filtering engines of network intrusion detection systems. They are usually installed at the data link layer but they can be installed at any desired layer and they capture the net work traffic from that layer all the way up. Filters can be applied so that the NIDS can can sniff the data in a desired way. for example:
- request a list of all packets except the ones that use UDP.
- request a list of all packets all packets going through TCP and usnig port 80.
Detection
The typical function of a NIDS is based on a set of signatures, each describing one known intrusion threat. ANIDS examines network traffic and determines whether any signatures indicating intrusion attempts are matched.
The simplest and most common form of NIDS inspection is to match string patterns against the payload of packets captured on a network link.
For instance, consider the (simplified) signature shown here:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (content:‘‘/usr/bin/perl’’)
It is a A simple intrusion detection rule, taken from snort, a widely-used open-source NIDS. This signature matches all TCP/IP packets originating from computers outside the monitored domain (i.e., the $EXTERNAL NET), destined to the web servers of the monitored domain (i.e., the $HTTP SERVERS at port 80 ), and containing the string “/usr/bin/perl” in the payload. If the NIDS determines that a packet matches this rule, it infers that a malicious client may be trying to make the web server execute the perl interpreter, hoping to gain unauthorized access. To decide whether a packet matches the signature, the NIDS needs to check the (TCP/IP) packet header for the specified values (i.e., $EXTERNAL NET, $HTTP SERVERS, 80). In addition, the NIDS needs to check whether the payload contains the string “/usr/bin/perl”.
There are two main algorithms for pattern matching:
E2xB: A domainspecific string matching algorithm for intrusion detection:
In this context, we present ÌÎÍ}Ï\Ð , a string matching algorithm that is designed specifically for the relatively small input size (in the order of packet size) and small expected matching probability that is common in a NIDS environment.
These assumptions allow string matching to be enhanced by first testing the input (e.g., the payload of each packet) for missing fixed-size sub-strings of the original signature string, called elements. The false positives induced by ÌÎÍÏ\Ð , e.g., cases with all fixed-size sub-strings of the signature showing up in arbitrary positions within the input, can then be separated from actual matches using standard string matching algorithms"
Boyer-Moore algorithm:
Boyer-Moore algorithm
The Boyer-Moore algorithm is considered as the most efficient string-matching algorithm in usual applications. A simplified version of it or the entire algorithm is often implemented in text editors for the «search» and «substitute» commands.
The algorithm scans the characters of the pattern from right to left beginning with the rightmost one. In case of a mismatch (or a complete match of the whole pattern) it uses two precomputed functions to shift the window to the right. These two shift functions are called the good-suffix shift (also called matching shift and the bad-character shift (also called the occurrence shift).
One of the best references in string matching is: http://www-igm.univ-mlv.fr/~lecroq/string/
Alert
Alternation(1):
- warning at least
- or some action taken against the IP that is attacking you.
Alternation(2)
Symantec Host IDS provides real-time monitoring, detection, and prevention of security breaches, delivering automated policy enforcement and incident response for servers, applications, and data. As a complement to firewalls and other access controls, it enables administrators to develop proactive policies to stop hackers or authorized users with malicious intent from misusing systems. New process management capabilities combine multiple intrusion prevention technology functions, including process reporting, monitoring, and blocking. Process Reporter provides access to granular process data so administrators can make rapid, informed decisions regarding server security. Process Monitor allows administrators to define a wide variety of security configurations to provide a fault-tolerant, secure environment. Process Blocker allows administrators to restrict server capabilities through defined policies to prevent malicious activity. These technologies provide an efficient and non-intrusive intrusion protection solution to stop threats such as buffer overflow attacks.
- real time:
best effort.
Data from the network layer.
Drop all the packets from a specific IP: so netfilter for that maybe dangerous. 'cause the pirate may have faked one of your internal IPs and then you are actually cutting of one of your local network connections.
- run time: