Modul 4 Intrusion Detection System IDS

Intrusion Detection System
POLITEKNIK ELEKTRONIKA NEGERI SURABAYA
Objective

 Understand what intrusion detection means
 What Snort is
 Installing Snort
Definition of IDS (cont.)

Intrusion
 Defined as anomalous, incorrect or inappropriate activity that takes place on the network or on a host
 Classification of intrusions:
   Attempted break-ins
   Masquerade attacks
   Penetration of security control systems
   Leakage
   Denial of service
   Malicious use
 An anomaly is traffic/activity that does not comply with policy:
   access from/to a forbidden host
   carrying forbidden content (a virus)
   running a forbidden program (web directory traversal: GET ../..;cmd.exe)
Intrusion Detection

Intrusion detection is the process of searching for, examining and reporting unauthorised or harmful activity on a network or computer.
Why an Intrusion Detection System Is Needed

 The firewall is the primary security system, but:
   not all access passes through the firewall
   some applications are deliberately let through by the firewall (web, e-mail, etc.)
   not all threats come from outside the firewall; some come from inside the network itself
   the firewall itself is sometimes the object of an attack
 An application is needed to complement the firewall, one that can detect the threats the firewall cannot protect against
[Figure: corporate intranet with the Internet, mail server, web site, HR/Finance, Engineering, Manufacturing, Branch Office, Supplier and Mobile worker segments, and "Hacker" entry points at the Internet, supplier and branch office links]

Basic Intrusion Detection

[Figure: the Intrusion Detection System monitors the Target System, then responds and reports]

[Figure: Intrusion Detection System Infrastructure]
Intrusion Detection

There are 2 approaches:
 Preemptory
   The intrusion detection tool actually listens to network traffic. When suspicious activity is recorded, the system takes the appropriate action.
 Reactionary
   The intrusion detection tool watches the logs. When suspicious activity is recorded, the system takes the appropriate action.
IDS Technologies by Placement

 Network-based
   monitors anomalies on the network, e.g. spotting network scanning
   provides real-time monitoring of network activity:
     captures and examines packet headers and contents,
     compares them with the threat patterns held in a database, and
     responds if the traffic is judged to be an intruder.
   Packet monitors can be placed outside the firewall (detecting Internet-based attacks) and inside the network (detecting internal attacks).
   Responses include: notifying a console, sending an e-mail message, terminating the session.
   Tools: Snort
 Host-based
   monitors anomalies on a host, e.g. monitoring log files, processes, file ownership and mode
   Tools:
     Log scanners: Swatch, Logcheck, Mod_security
     File system integrity checkers: Tripwire
Attack Detection Methods

 Rule based / misuse detection / signature analysis
   Usually called misuse detection / signature detection
   Misuse detection detects intrusions by monitoring network traffic and matching it against attack patterns (signatures).
   Modelling the patterns of every kind of intrusion is very difficult and time-consuming, and this approach cannot detect new kinds of intrusion that were not previously known.
   Tools in this category include Snort and Bro.
 Anomaly detection
   The system first defines the network's normal pattern or behaviour. Every deviation from the normal pattern is reported as an attack.
   Can detect new attacks by looking for deviations from the normal pattern.
Thresholds

 A rule tells the IDS which packets to examine and what action to take
 Similar to a firewall rule

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

 alert specifies the action to take
 tcp specifies the protocol
 any any -> 192.168.1.0/24 specifies the source (any address, any port) and the destination within the given subnet
 111 specifies the (destination) port
 content specifies the value to look for in the payload
 msg specifies the message to send
Thresholds

 A threshold is a value that represents the boundary of normal activity
 Example: a maximum of three tries for login
 Common thresholds:
   file I/O activity
   network activity
   administrator logins and actions
Intrusion Detection

 An IDS is sensitive to configuration
 Possible types of IDS errors:
   False positive (unauthorized user let in)
   False negative (authorized user denied access)
   Subversion error (the system has been compromised to keep it from detecting the intrusion)
Anomaly Detection Methods

 Header analysis
   Attempts to analyse an attack from the values of the fields in the data link, network and transport layer headers; packet header analysis does not examine the application layer or the packet contents. Usually used to analyse attacks carried by traffic that has no full connection to the network.
 Payload analysis (packet contents)
   Obtained by extracting a set of attributes from every event, both TCP and UDP connections, including the packet contents. Used to analyse the behaviour of attacks that have already entered the system, e.g. U2R, R2L.
Anomaly Detection

Anomaly detection method
 First, network traffic data is captured with the tcpdump software,
 after the preprocessing stage the data is divided into two parts, training data and testing data.
 Using a chosen method, the training data is classified into two classes, intrusion and non-intrusion.
 The training result is used to perform the testing.

[Figure: pipeline from the attacker's traffic through packet capture (raw audit data) and preprocessing into connection sessions/records, then SVM classification into Class 1 and Class -1]

Raw audit data (tcpdump):
10:35:41.5 128.59.23.34.30 > 113.22.14.65.80 : . 512:1024(512) ack 1 win 9216
10:35:41.5 102.20.57.15.20 > 128.59.12.49.3241: . ack 1073 win 16384

Connection records after preprocessing:
0,tcp,http,SF,215,45076,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,0,0,0.00,0.00,0.00,0.00,0.00,0.00,0.00,0.00,normal.
0,tcp,http,SF,162,4528,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,2,2,0.00,0.00,0.00,0.00,1.00,0.00,0.00,1,1,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,normal.
How Anomaly Detection Works

 Analyses normal packets only; a deviation from normal is treated as an anomaly/attack
 Most anomaly IDSs work by observing unusual ports and IP addresses.
 Values that do not occur in the normal data used for training.
 Attacks commonly exploit software bugs to get into a system.
 Attack techniques usually include: bad checksums, unusual TCP flags or IP options, invalid sequence numbers, spoofed addresses, duplicate TCP packets with differing payloads, packets with short TTLs
 Some attack behaviours:
   Smurf sends an excessive number of ICMP echo requests
   UDPStorm sends an excessive number of requests from a spoofed IP
   Both are characterised by checksum errors
   Usually the targeted program starts behaving abnormally, producing an abnormal sequence of system calls and abnormal output as well
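As an added illustration of the principle above (train on normal records only, then report any value that never occurred in them), the following Python is not from the slides: it builds a normal profile from the two "normal." connection records shown earlier and scores a constructed ICMP echo-flood style record against it. The record layout, the profile rules (value set for symbolic features, observed range for numeric ones) and the deviation threshold are assumptions for this example.

```python
# Two "normal." records copied from the slide (41 KDD-style connection
# features plus a class label). TEST_RECORD is constructed for this example
# to resemble an ICMP echo flood; it is not from the page.
TRAINING = """\
0,tcp,http,SF,215,45076,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,0,0,0.00,0.00,0.00,0.00,0.00,0.00,0.00,0.00,normal.
0,tcp,http,SF,162,4528,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,2,2,0.00,0.00,0.00,0.00,1.00,0.00,0.00,1,1,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,normal.
"""
TEST_RECORD = ("0,icmp,ecr_i,SF,1032,0," + "0," * 16
               + "511,511,0.00,0.00,0.00,0.00,1.00,0.00,0.00,"
               + "255,255,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00")
CATEGORICAL = {1: "protocol_type", 2: "service", 3: "flag"}  # symbolic features

def parse_record(line):
    """Split one CSV record into typed features and an optional class label."""
    fields = line.strip().split(",")
    label = fields.pop() if fields[-1].endswith(".") else ""  # labels look like "normal."
    return [f if i in CATEGORICAL else float(f) for i, f in enumerate(fields)], label

def build_profile(text):
    """Learn 'normal' from normal-labelled records only: the set of values seen
    for symbolic features and the observed [min, max] range for numeric ones."""
    profile = {}
    for line in text.splitlines():
        features, label = parse_record(line)
        if label != "normal.":
            continue  # anomaly detection trains on normal traffic only
        for i, v in enumerate(features):
            if i in CATEGORICAL:
                profile.setdefault(i, set()).add(v)
            else:
                lo, hi = profile.get(i, (v, v))
                profile[i] = (min(lo, v), max(hi, v))
    return profile

def score_record(profile, features):
    """List every feature whose value never occurred in the normal data."""
    deviations = []
    for i, v in enumerate(features):
        if i in CATEGORICAL:
            if v not in profile[i]:
                deviations.append(f"{CATEGORICAL[i]}={v}")
        else:
            lo, hi = profile[i]
            if not lo <= v <= hi:
                deviations.append(f"feature{i}={v:g} outside [{lo:g}, {hi:g}]")
    return deviations

def is_anomalous(profile, line, threshold=1):
    """Report the record as an attack once at least `threshold` features deviate."""
    features, _ = parse_record(line)
    return len(score_record(profile, features)) >= threshold
```

With only two training records the numeric ranges are very narrow, so on real data the profile must be trained on far more normal traffic and the threshold raised, or nearly everything will be reported.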
The Honeynet Project

http://www.honeynet.org/

 Non-profit volunteer research organization dedicated to improving the security of the Internet at no cost to the public
 Its mission is to learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned
What Are Honeypots

 Honeypots are real or emulated vulnerable systems ready to be attacked.
 The primary value of honeypots is to collect information.
 This information is used to better identify, understand and protect against threats.
 Honeypots add little direct value to protecting your network.
Why Honeypots

 The goal is to research and analyze various attacks
 Build anti-virus signatures.
 Build SPAM signatures and filters.
 ISPs identify compromised systems.
 Assist law enforcement to track criminals.
 Hunt and shut down botnets.
 Malware collection and analysis.
[Figure: Honeynet Project architecture]

[Figure: our honeypot VM architecture]

Example Honeynet Project

 Sebek
 Honeywall CDROM
 the Ghost USB honeypot
Sebek

 Hidden kernel module that captures all host activity
 Dumps activity to the network.
 Attacker cannot sniff any of the traffic, which is identified by magic number and dst port.
Ghost

 Ghost is a honeypot for malware that spreads via USB storage devices.
 Detects infections with such malware without the need for any further information

[Figure: Sebek architecture]
Honeywall CDROM

 Attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
 Honeywall as Data Control and Data Capture
 May, 2003 - Released Eeyore
 May, 2005 - Released Roo
   Based on Fedora Core 3
   Vastly improved hardware and international support.
   Automated, headless installation
   New Walleye interface for web based administration and data analysis.
   Automated system updating

[Figure: Honeynet architecture]
Snort

 Snort is a network IDS with 3 modes: sniffer, packet logger, and network intrusion detection.
 Snort can also be run in the background as a daemon.

Snort

 Fast, flexible and open-source
 Developed by Marty Roesch; see www.sourcefire.com
 Originally developed in late 1998 as a sniffer with consistent output
Snort Output

04/18-11:32:20.573898 192.168.120.114:1707 -> 202.159.32.71:110
TCP TTL:64 TOS:0x0 ID:411 IpLen:20 DgmLen:60 DF
******S* Seq: 0x4E70BB7C Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 6798055 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
04/18-11:32:20.581556 202.159.32.71:110 -> 192.168.120.114:1707
TCP TTL:58 TOS:0x0 ID:24510 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x423A85B3 Ack: 0x4E70BB7D Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 163052552 6798055 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
04/18-11:32:20.581928 192.168.120.114:1707 -> 202.159.32.71:110
TCP TTL:64 TOS:0x0 ID:412 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x4E70BB7D Ack: 0x423A85B4 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 6798056 163052552
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
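As an added example (not from the slides), the following Python parses output in the snort -v format shown above, decodes Snort's eight-character flag field (positions 1 2 U A P R S F) and checks that the three packets form a valid TCP three-way handshake, i.e. that each Ack number acknowledges the previous Seq + 1. The sample text reuses the address and flag lines of the three packets above; the field regexes are assumptions.

```python
import re

# Constructed sample in "snort -v" format: the address and flag lines of the
# three packets shown above (option lines and separators omitted).
SNORT_V_OUTPUT = """\
04/18-11:32:20.573898 192.168.120.114:1707 -> 202.159.32.71:110
TCP TTL:64 TOS:0x0 ID:411 IpLen:20 DgmLen:60 DF
******S* Seq: 0x4E70BB7C Ack: 0x0 Win: 0x16D0 TcpLen: 40
04/18-11:32:20.581556 202.159.32.71:110 -> 192.168.120.114:1707
TCP TTL:58 TOS:0x0 ID:24510 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x423A85B3 Ack: 0x4E70BB7D Win: 0x7D78 TcpLen: 40
04/18-11:32:20.581928 192.168.120.114:1707 -> 202.159.32.71:110
TCP TTL:64 TOS:0x0 ID:412 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x4E70BB7D Ack: 0x423A85B4 Win: 0x16D0 TcpLen: 32
"""
# Snort's flag field has eight fixed positions (reserved 1, reserved 2, URG,
# ACK, PSH, RST, SYN, FIN); a letter means set, '*' means clear.
FLAG_ORDER = "12UAPRSF"
HEADER_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+)")

def decode_flags(field):
    """'***A**S*' -> {'A', 'S'}; a letter only counts in its own position."""
    return {c for i, c in enumerate(field) if c != "*" and FLAG_ORDER[i] == c}

def parse_packets(text):
    """Collect time, addresses, ports, flags, seq and ack for each packet."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"time": m[1], "src": m[2], "sport": int(m[3]),
                       "dst": m[4], "dport": int(m[5])}
            packets.append(current)
        m = FLAGS_RE.match(line)
        if m and current is not None:
            current["flags"] = decode_flags(m[1])
            current["seq"], current["ack"] = int(m[2], 16), int(m[3], 16)
    return packets

def classify_handshake(packets):
    """Label a packet SYN, SYN-ACK or ACK only when its flags fit and its Ack
    acknowledges the previous packet's Seq + 1; anything else is OTHER."""
    labels = []
    for i, p in enumerate(packets):
        acks_prev = i > 0 and p.get("ack") == packets[i - 1].get("seq", -2) + 1
        if p.get("flags") == {"S"} and i == 0:
            labels.append("SYN")
        elif p.get("flags") == {"S", "A"} and acks_prev:
            labels.append("SYN-ACK")
        elif p.get("flags") == {"A"} and acks_prev:
            labels.append("ACK")
        else:
            labels.append("OTHER")
    return labels
```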
Snort analyzed 255 out of 255 packets, dropping 0(0.000%) packets
Breakdown by protocol:          Action Stats:
    TCP: 211     (82.745%)      ALERTS: 0
    UDP: 27      (10.588%)      LOGGED: 0
   ICMP: 0       (0.000%)       PASSED: 0
    ARP: 2       (0.784%)
   IPv6: 0       (0.000%)
    IPX: 0       (0.000%)
  OTHER: 15      (5.882%)
DISCARD: 0       (0.000%)
=======================================================================
Fragmentation Stats:
Fragmented IP Packets: 0       (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
=======================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0       (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
=======================================================================
Snort received signal 2, exiting
Where Is Snort Placed?

 Inside the firewall
 Outside the firewall

Example Snort Installation

[Figure: solution positioning, with the Internet, firewall, web servers, application servers and database, an application IDS placed among them, and the user/attacker at the edge]
Snort Actions

 Alert: creates an entry in the alert file and logs the packet
 Log: only logs the packet
 Pass: the packet is let through, no action
 Activate: alerts, then activates another rule (dynamic)
 Dynamic: stays idle until activated
Installing Snort

On Debian Linux, as root:
apt-get install snort

Files and directories installed:
 /etc/snort contains the conf and rule files
 /var/log/snort contains the logs
 /usr/local/bin/ contains the snort binary
Testing Snort

Run snort as root:
# snort -v
From another host run NMAP:
nmap -sP <snort_machine_IP_address>
An alert will appear:
03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.20 -> 192.168.1.237
Snort Rules

 A rule is a set of rules governing Snort's behaviour on
 Stored in: /rules/, ftp.rules, ddos.rules, virus.rule, etc.
 alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags:SF; msg:"SYN-FIN scan";)
 Rule header: action, protocol, source and destination IP, source and destination port.
 Rule body: keywords and arguments that trigger the alert
Detection Engine: Rules

Rule header (alert tcp 1.1.1.1 any -> 2.2.2.2 any) followed by the rule options (in parentheses):
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: SF; msg: "SYN-FIN Scan";)
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: "Queso Scan";)
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: F; msg: "FIN Scan";)
Rule Development Stages:

 Identify the characteristics of the suspicious traffic
 Write a rule based on those characteristics
 Implement the rule
 Test against the suspicious traffic
 Modify the rule according to the test results
 Test and check the results
/var/log/snort

Apr 4 19:00:21 202.159.32.71:110 -> 192.168.120.114:2724 NOACK 1*U*P*S*
Apr 4 20:47:43 168.143.117.4:80 -> 192.168.120.114:2916 NOACK 1*U*P*S*
Apr 5 06:04:04 216.136.171.200:80 -> 192.168.120.114:3500 VECNA 1*U*P***
Apr 5 17:28:20 198.6.49.225:80 -> 192.168.120.114:1239 NOACK 1*U*P*S*
Apr 6 09:35:56 202.153.120.155:80 -> 192.168.120.114:3628 NOACK 1*U*P*S*
Apr 6 17:44:06 205.166.76.243:80 -> 192.168.120.114:1413 INVALIDACK *2*A*R*F
Apr 6 19:55:03 213.244.183.211:80 -> 192.168.120.114:43946 NOACK 1*U*P*S*
Apr 7 16:07:57 202.159.32.71:110 -> 192.168.120.114:1655 INVALIDACK *2*A*R*F
Apr 7 17:00:17 202.158.2.4:110 -> 192.168.120.114:1954 INVALIDACK *2*A*R*F
Apr 8 07:35:42 192.168.120.1:53 -> 192.168.120.114:1046 UDP
Apr 8 10:23:10 192.168.120.1:53 -> 192.168.120.114:1030 UDP
Apr 8 10:23:49 192.168.120.1:53 -> 192.168.120.114:1030 UDP
Apr 20 12:03:51 192.168.120.1:53 -> 192.168.120.114:1077 UDP
Apr 21 01:00:11 202.158.2.5:110 -> 192.168.120.114:1234 INVALIDACK *2*A*R*F
Apr 21 09:17:01 66.218.66.246:80 -> 192.168.120.114:42666 NOACK 1*U*P*S*
Apr 21 11:00:28 202.159.32.71:110 -> 192.168.120.114:1800 INVALIDACK *2*A*R*F
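As an added example (not from the slides), this Python parses entries in the /var/log/snort portscan format shown above, decodes the flag string in the same eight-position order Snort uses (1 2 U A P R S F), names why each TCP flag combination is abnormal (the "unusual TCP flags" technique listed earlier), and totals the entries per source address so an analyst can see which hosts to look at first. The five sample lines are copied from the log above; the regex and the abnormality rules are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: five entries copied from the portscan log shown above.
SCAN_LOG = """\
Apr 4 19:00:21 202.159.32.71:110 -> 192.168.120.114:2724 NOACK 1*U*P*S*
Apr 5 06:04:04 216.136.171.200:80 -> 192.168.120.114:3500 VECNA 1*U*P***
Apr 6 17:44:06 205.166.76.243:80 -> 192.168.120.114:1413 INVALIDACK *2*A*R*F
Apr 8 07:35:42 192.168.120.1:53 -> 192.168.120.114:1046 UDP
Apr 21 11:00:28 202.159.32.71:110 -> 192.168.120.114:1800 INVALIDACK *2*A*R*F
"""
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>[\d:]+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<kind>\S+)(?: (?P<flags>[12UAPRSF*]{8}))?$")

def tcp_flag_problems(flags):
    """Name the reasons a TCP flag set never occurs in a legitimate session."""
    problems = []
    if flags & {"1", "2"}:
        problems.append("reserved bits set")
    if {"S", "F"} <= flags:
        problems.append("SYN and FIN together")
    if "A" not in flags and flags & {"P", "U"}:
        problems.append("PSH/URG without ACK")      # data flags on a non-established segment
    if "R" in flags and flags & {"S", "F"}:
        problems.append("RST combined with SYN/FIN")
    return problems

def parse_scan_log(text):
    """Return one dict per parsable line with decoded flags and the problems found."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                 # skip lines in another format
        e = m.groupdict()
        e["flags"] = {c for c in (e["flags"] or "") if c != "*"}
        e["problems"] = tcp_flag_problems(e["flags"]) if e["kind"] != "UDP" else []
        entries.append(e)
    return entries

def summarize_by_source(entries):
    """Per source address: how many entries and which scan labels Snort assigned."""
    summary = defaultdict(lambda: {"count": 0, "kinds": set()})
    for e in entries:
        summary[e["src"]]["count"] += 1
        summary[e["src"]]["kinds"].add(e["kind"])
    return dict(summary)
```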
Snort Rules

alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)

 alert: action to take; also log, pass, activate, dynamic
 tcp: protocol; also udp, icmp, ip
 $EXTERNAL_NET: source address; this is a variable; a specific IP is also ok
 27374: source port; also any, negation (!21), range (1:1024)
 ->: direction; best not to change this, although <> is allowed
 $HOME_NET: destination address; this is also a variable here
 any: destination port
Snort Rules

alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)

 msg:"BACKDOOR subseven 22"; message to appear in logs
 flags: A+; tcp flags; many options, like SA, SA+, !R, SF*
 content: "|0d0…0a|"; binary data to check for in the packet; content without | (pipe) characters does a simple text match
 reference: ...; where to look for background on this rule
 sid:103; rule identifier
 classtype: misc-activity; rule type; many others
 rev:4; rule revision number
 other rule options are possible, like offset, depth, nocase
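As an added example (not from the slides and not Snort's own code), the following Python parses the SubSeven rule above into its header and options, decodes the |..| hex content, and matches a constructed packet against it using the field meanings listed in the two slides above. The $EXTERNAL_NET/$HOME_NET bindings, the packet and the simplified matching semantics (flag modifiers +, * and !, port ranges, negated addresses) are assumptions for this example.

```python
import ipaddress
import re

VARS = {"$EXTERNAL_NET": "any", "$HOME_NET": "192.168.1.0/24"}   # assumed; snort.conf sets these
RULE = ('alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; '
        'flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; '
        'reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)')
# Constructed packet: a reply from port 27374 on an outside host to a home-net
# host, carrying the banner bytes the rule looks for.
PKT = {"proto": "tcp", "src": "203.0.113.9", "sport": 27374, "dst": "192.168.1.5",
       "dport": 1042, "flags": {"A", "P"}, "payload": b"\r\n[RPL]002\r\n"}
HEADER_RE = re.compile(r"^(\w+) (\w+) (\S+) (\S+) (->|<>) (\S+) (\S+) \((.*)\)$")

def parse_content(value):
    # Text between | pipes | is hex, the rest is a literal string.
    parts = value.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def parse_rule(rule):
    """Split a rule into header fields and an option dict (last value wins per key)."""
    action, proto, src, sport, direction, dst, dport, body = HEADER_RE.match(rule).groups()
    opts = {}
    for opt in filter(None, (o.strip() for o in body.split(";"))):  # values here contain no ';'
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        opts[key] = parse_content(val) if key == "content" else val
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "opts": opts}

def addr_matches(spec, ip):
    """'any', a host/CIDR, or a '!'-negated one; $VARS are resolved first."""
    spec = VARS.get(spec, spec)
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def port_matches(spec, port):
    if spec == "any":
        return True
    lo, _, hi = spec.partition(":")           # single port or inclusive lo:hi range
    return int(lo) <= port <= int(hi) if hi else port == int(lo)

def flags_match(spec, flags):
    """'A+' = ACK plus any others; 'SF*' = any of them; '!R' = none of them; 'SF' = exactly."""
    if spec.startswith("!"):
        return not (set(spec[1:]) & flags)
    if spec[-1] in "+*":
        want = set(spec[:-1])
        return want <= flags if spec[-1] == "+" else bool(want & flags)
    return set(spec) == flags

def rule_matches(rule, pkt):
    o = rule["opts"]                          # protocol, addresses, ports, flags and content must all agree
    return (rule["proto"] == pkt["proto"]
            and addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])
            and ("flags" not in o or flags_match(o["flags"], pkt["flags"]))
            and ("content" not in o or o["content"] in pkt["payload"]))
```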
Snort Rules

 bad-traffic.rules
 exploit.rules
 scan.rules
 finger.rules
 ftp.rules
 telnet.rules
 smtp.rules
 rpc.rules
 rservices.rules
 dos.rules
 ddos.rules
 dns.rules
 tftp.rules
 web-cgi.rules
 web-coldfusion.rules
 web-frontpage.rules
 web-iis.rules
 web-misc.rules
 web-attacks.rules
 sql.rules
 x11.rules
 icmp.rules
 netbios.rules
 misc.rules
 backdoor.rules
 shellcode.rules
 policy.rules
 porn.rules
 info.rules
 icmp-info.rules
 virus.rules
 local.rules
 attack-responses.rules
Snort in Action

3 operational modes:
 Sniffer: snort -dve displays the payload, verbose output and the data link layer headers
 Packet logger: snort -b -l /var/log/snort logs binary data to the directory /var/log/snort
 NIDS: snort -b -l /var/log/snort -A full -c /etc/snort/snort.conf logs binary data to the directory /var/log/snort, writes full alerts to /var/log/snort/alert, and reads the configuration file from /etc/snort
IDS Software

 If Snort is not available, Ethereal is an open-source, GUI-based tool that acts as a packet viewer
 www.ethereal.com:
   Windows: www.ethereal.com/distribution/win32/etherealsetup-0.9.2.exe
   UNIX: www.ethereal.com/download.html
   Red Hat Linux RPMs: ftp.ethereal.com/pub/ethereal/rpms/
IDS Software

 tcpdump is also a packet capture tool
   www.tcpdump.org for UNIX
   netgroup-serv.polito.it/windump/install/ for Windows, where it is called windump