IDS: the theory and practical use
Nowadays, the basics of information security at any level should necessarily include a subsystem for the detection of attacks and intrusions. This is done by gathering and analysing data. Such systems are called IDS, which stands for Intrusion Detection System: a system which takes responsibility for detecting intrusions.
The primary goal of IDS software is monitoring hostile operations at any level, whether human (hackers, crackers) or program (viruses, Trojan horses). An IDS can function on a particular server or across a whole segment of a network.
Likely, the market of IDS-related software is pretty wide now. On the other hand, it is hard to find a definite tool which will work best for your specific case. That is why IDS software has been categorized into several classes:
Application-based Intrusion Detection System (AIDS). This is a software complex which monitors the functionality of definite applications (or services).
system, the log file analyzers, the operating system monitor and the monitor of software changes. Sometimes it includes several AIDS tools.
based Intrusion Detection System (
I'd like to dwell upon the most popular non-commercial IDS solutions.
The most popular AIDS tools are honeypots. A honeypot is special software which allows the system administrator to monitor the actions of the intruder. A honeypot regularly includes some tools for registering hack attempts, and you can also use any external IDS for that. The most popular network services emulation software is
You can use software (like , for example) alongside
Talking about Web applications, very popular AIDS software is mod_security. mod_security is an open source intrusion detection and prevention engine for Web applications. Operating as an Apache Web server module, the purpose of mod_security is to increase Web application security, protecting Web applications from known and unknown attacks. The home site of mod_security is www.modsecurity.org. I'll stop on the practical use of mod_security later in this article.
HIDS. The HIDS software runs locally on every server and is used for detecting alien (or unwelcome) changes in the local configuration files or in the functionality of services. HIDS are divided into System Integrity Verifiers (SIV), Log File Monitors (LFM) and operating system patches (also called OS extenders), which add additional functionality to the operating system.
AIDE (Advanced Intrusion Detection Environment) is typical SIV software. It is a tool for monitoring file system changes. It uses checksum technology and directory structure dumps, and it also checks the size and attribute settings of files. It generates a database that can be used to check the integrity of files on a server. It uses regular expressions for determining which files get added to the database. You can use several message digest algorithms to ensure that the files have not been tampered with. AIDE is a free replacement for
The home site of AIDE is
is an all-in-one suid/sgid monitoring program designed to be run from cron. Using the suid/sgid bit attributes on executable files, a local user (intruder) can gain elevated privileges, which is very dangerous. It tracks any changes in your suid/sgid files and folders. If there are any new ones, ones that aren't set any more, or ones that have changed bits or other modes, then it reports the changes in an easy-to-read format via e-mail or on the command line.
is a shell script that checks system binaries for Trojan modifications. It looks for known "signatures" in Trojaned binaries. It knows more than 50 Trojan programs and runs on numerous platforms. Its home site is here at
As a rule, all operating systems already include some tools for basic IDS monitoring. Among them are different scripts and executable programs which are designed to run regularly (from cron). For example, FreeBSD has special security scripts which run daily and are called
Still, it's not hard to make such scripts yourself: you can use different programs for getting file checksums, and suid/sgid bit monitoring can be easily done using the system's internal tools.
Look at this example of getting a file checksum:
delete.sh) = 9ed41add22f840c3311dd30b4f045d6b
And this gives you a list of files with the suid and sgid bits set:
x 1 uucp dialer 123888 Jul 23 2001 /usr/bin/cu
x 1 uucp dialer 96752 Jul 23 2001 /usr/bin/uustat
x 1 root daemon 22728 Jul 23 2001 /usr/bin/lpq
x 1 root daemon 26216 Jul 23 2001 /usr/bin/lpr
x 1 root daemon 21676 Jul 23 2001 /usr/bin/lprm
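As an added example (not code from the article, and not AIDE's or any other project's code), here is a small Python script that does what the SIV tools above do in a few lines: it records a digest, size and permission bits for every regular file under a directory, reports files that were added, removed or changed on a later run, and lists files carrying the suid or sgid bit, as the daily FreeBSD scripts do. It builds its own constructed sample tree in a temporary directory, so the file names and contents are assumptions, and it uses SHA-256 where the article shows md5.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_regular_files(root):
    """Yield (relative path, stat result) for every regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a symlink planted by an intruder
            if stat.S_ISREG(st.st_mode):
                yield os.path.relpath(path, root), st


def build_db(root):
    """Snapshot digest, size and permission bits of every regular file (the SIV database)."""
    return {
        rel: {
            "sha256": file_digest(os.path.join(root, rel)),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
        for rel, st in walk_regular_files(root)
    }


def verify(root, db):
    """Compare the current tree against a stored snapshot; any difference is reported."""
    current = build_db(root)
    return {
        "added": sorted(set(current) - set(db)),
        "removed": sorted(set(db) - set(current)),
        "changed": sorted(p for p in set(db) & set(current) if current[p] != db[p]),
    }


def find_suid_sgid(root):
    """List regular files with the suid or sgid bit set, like the cron-driven scripts."""
    return sorted(
        rel for rel, st in walk_regular_files(root)
        if st.st_mode & (stat.S_ISUID | stat.S_ISGID)
    )


def _write(path, data, mode):
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def make_sample_tree():
    """Constructed sample tree (an assumption, not from the article): one suid helper, one script."""
    root = tempfile.mkdtemp(prefix="siv-example-")
    os.mkdir(os.path.join(root, "bin"))
    _write(os.path.join(root, "bin", "cu"), b"#!/bin/sh\necho cu\n", 0o4755)
    _write(os.path.join(root, "delete.sh"), b"#!/bin/sh\nrm -f -- \"$1\"\n", 0o755)
    return root


def simulate_tampering(root):
    """Constructed changes: a script is appended to and a new sgid binary appears."""
    with open(os.path.join(root, "delete.sh"), "ab") as f:
        f.write(b"echo tampered\n")
    _write(os.path.join(root, "bin", "new-binary"), b"\x7fELF", 0o2755)


if __name__ == "__main__":
    root = make_sample_tree()
    baseline = build_db(root)       # run once and keep the result on read-only media
    simulate_tampering(root)
    print(verify(root, baseline))   # a later run reports added/removed/changed files
    print(find_suid_sgid(root))
    shutil.rmtree(root)
```

The baseline database is only as trustworthy as the medium it is stored on; if an intruder can rewrite it, the verify step proves nothing, which is why the real tools insist on keeping it off the monitored host or on read-only media.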
is typical LFM software. It helps spot problems and security violations in log files automatically and will send the results to you in e-mail. Also, a lot of SIV HIDS already include their own versions of log checking software.
is a similar log checking and auditing tool, but with the capability of handling multi-line messages and dynamically adapting the rule set. It is written in portable C, well documented, fast, and flexible. It works on any file or stream, can be run at intervals or continuously, and has timeouts and resource limits. Its home site is at
Simple Watch Daemon is a program for UNIX system logging, written in the Perl programming language, to actively monitor messages as they are written to a log file via the system logging facility. It was designed to keep system administrators from being overwhelmed by large quantities of log data. It monitors log files and acts to filter out unwanted data and take one or more simple user-specified actions based upon patterns in the log. It can also examine information as it is being appended to the log file and alert system administrators immediately to serious system problems as they occur.
Talking about operating system patches (extenders), I should say that most of these HIDS have been written for the Linux OS.
Linux Intrusion Detection System (LIDS). This is a complex of patches for the Linux kernel and utilities which increase the security level and lower the possibility of gaining privileged rights in the system. It also includes support for Mandatory Access Control (MAC), a port scan detection system and file and process protection systems. As a result of applying these software patches, even the superuser (and his processes) will be limited in his actions according to the rule sets implemented earlier. You should be very careful before installing and enabling it.
is one of the most popular Linux patches. It is a cluster of patches which is a collection of security-related features for the Linux kernel, all configurable via the new configuration section. In addition to the new features, some versions of the patch contain various security fixes. The home site of the project is at
These Linux patches are part of the
) is a security-oriented operating system with Linux and GNU software as its core, compatible with other major distributions. It is intended as a server platform, and this is a project of
The security mechanisms implemented in the system provide flexible support for a wide range of security policies. They make it possible to configure the system to meet a wide range of security requirements. The release includes a general-purpose security policy configuration designed to meet a number of security objectives, as an example of how this may be done. The flexibility of the system allows the policy to be modified and extended to customize the security policy as required for any given installation. The home site for it is placed at
is known as an effective solution for protecting against even unknown attacks. The Mandatory Access Control Framework introduced new security extensions from the TrustedBSD project. Two of the most significant new security mechanisms are file system Access Control Lists (ACLs) and Mandatory Access Control (MAC) facilities. Mandatory Access Control allows new access control modules to be loaded, implementing new security policies. Some provide protection of a narrow subset of the system, hardening a particular service, while others provide comprehensive labeled security across all subjects and objects. This is similar to the approach above and is very well documented in FreeBSD's documentation.
is a Linux-based project which takes an innovative approach to security, utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL. It is also a set of patches for the Linux kernel and utilities. The most interesting features of it are Based Access Control and address space modification protection. It has a home site at
NIDS are also divided into several categories, which are Firewalls, Port Scan Detectors (PSD) and
Typical representatives of firewall software are the common packet filters ( in OpenBSD, etc.), which have an option of logging. This allows analysis of the network traffic which comes through the router or a firewall with the help of related software, and
is a program designed to detect and respond to port scans against a target host in real time. It runs on TCP and UDP sockets and works on most systems. Advanced stealth detection modes are available under Linux only and detect SYN, FIN, NULL, XMAS, and Oddball packet scans. All modes support real-time alerting and blocking of scanners.
is also a Port Scan Detector, from Solar Designer. It is a TCP port scan detection tool originally designed to illustrate various attacks an IDS developer has to deal with. It is designed to be safe to use, and will recognize all of them. Now it's a part of the project (mentioned above) and its home page can be found at
Sniffers are so-called software designed to listen to network traffic. The most popular of them are
They are not IDS, but we can parse the results of their work, which can be used later for protecting the system against intrusions and attacks.
Snort is the most popular Open Source Network Intrusion Detection System. It is based on a packet capture library and can analyse protocols as well as signatures. Using numerous extenders it can control firewalls to block unwanted traffic (for example, you can use an application which allows you to control firewall rules in Linux). Snort can be interconnected with an SQL server (MySQL or PostgreSQL) and with PHP, and is one of the most advanced NIDS nowadays. The home site of Snort can be found at
is an innovative Hybrid Intrusion Detection System designed to be very modular, distributed, rock solid and fast. Its strength comes from its ability to find traces of malicious activity from different sensors ( , over 30 types of system logs, and many others) in order to better verify an attack and in the end to perform correlation between the various events. The home site is placed here at
As one can easily see now, the IDS is not just a simple system which can be used for keeping our servers safe. Nowadays, the IDS has become a popular slogan which hides behind its back various kinds of systems, and each case requires its own IDS solution. More than that, IDS systems are trying to become prevention systems: in such a fast-moving time, people are sometimes not fast enough to protect themselves, even if they have powerful monitors and detectors. And we're trying to give the IDS the possibility to analyse and react on its own. As I've already mentioned, Snort has modules to communicate with firewalls, and so do some others.
Now, once we're familiar with what we're going to work with, I'd like to stop on several common examples of IDS use. The first example I'd like to stop on is Application IDS, and I would like to discuss the problems of securing Web sites.
The most common Web sites run under the Apache Web server and are written in PHP. Let's imagine that we are already running such a site (or a number of sites) and we want to make it secure with the help of mod_security. It goes without saying that just installing an IDS wouldn't help us a lot if we did not configure the system properly.
So, as the basics of protecting our Web site we want to do the following. The Apache server should block all queries (GET and POST) which contain special HTML tags, apostrophe signs and double inverted commas. Getting rid of HTML tags will keep us safe from cross-site scripting, where somebody inserts code into the Web pages and then the code is executed by other users, and the special signs are potential SQL injection. We should have the possibility of logging all incoming GET and POST queries to a separate text file, which will allow us to use an external HIDS, like an LFM. Likely, we can use a module which works inside Apache and has the possibility to block unwanted actions or call external procedures.
The home site of mod_security is www.modsecurity.org. You can easily find the distribution there and fetch it:
looking up www.modsecurity.org
connecting to www.modsecurity.org:80
remote size / mtime: 351172 / 1091101387
1.8.4.tar.gz 100% of 342 kB 125 kBps
root@artiste:/usr/local/src>tar zxf mod_security
The distribution includes a simple text file which explains the two ways of installing this module: as a DSO module or a static one. We'll choose DSO.
o mod_security.so mod_secu
[activating module `security' in /usr/local/apache/conf/httpd.conf]
cp mod_security.so /usr/local/apache/libexec/mod_security.so
chmod 755 /usr/local/apache/libexec/mod_security.so
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.co
cp /usr/local/apache/conf/httpd.conf.new /usr/local/apache/conf/httpd.conf
Don’t forget to restart Apache server.
Once the installation has finished, we need to properly set up the Apache configuration file to reach our targets. The distribution includes sample configuration files for different configurations:
That's our sample. The first option means that only requests generated dynamically at runtime are checked. This option will prevent your web server from using precious CPU cycles on checking access to static files.
The next option enables scanning of POSTs.
This option checks URL encoding validation according to RFC 1738. You can look it up at
We are forcing requests to consist only of bytes from a certain byte range. Null byte attacks try to confuse C/C++ based software and trick it into thinking a string ends sooner than it actually does.
Normally this is not needed, but sometimes slightly paranoid system administrators are happy to hide their real Web server name behind another one.
These two options enable very verbose audit logging.
The first filter will protect only against ; the second filter is more general and disallows any HTML code in parameters. This is typical XSS attack protection.
Protection from SQL injection attacks. Nobody can do DELETE in the query.
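To make the filtering rules above concrete, here is an added Python example (not mod_security's code and not the article's) that applies the same checks to a request's GET query string and POST body: percent-encoding validation, a forced byte range that rejects the encoded null byte, rejection of HTML tags, apostrophes and double quotes in parameters, and rejection of DELETE in a query, with a verbose audit line for each decision. The function names, the allowed byte range 1..255, the audit line format and the sample requests are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed byte range: every byte from 1 to 255, so an encoded null (%00) is refused.
ALLOWED_BYTES = range(1, 256)

# A '%' not followed by two hex digits is invalid percent-encoding (the RFC 1738 style check).
BAD_ESCAPE_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")
HTML_TAG_RE = re.compile(r"<[^>]*>")
DELETE_RE = re.compile(r"\bdelete\b", re.IGNORECASE)


def decode_params(raw):
    """Split an application/x-www-form-urlencoded string into (name, value) byte pairs."""
    pairs = []
    for item in raw.split("&"):
        if not item:
            continue
        name, _sep, value = item.partition("=")
        pairs.append((unquote_to_bytes(name.replace("+", " ")),
                      unquote_to_bytes(value.replace("+", " "))))
    return pairs


def check_blob(blob):
    """Run the parameter-level checks on one decoded name or value."""
    found = set()
    if any(b not in ALLOWED_BYTES for b in blob):
        found.add("byte_range")
    text = blob.decode("latin-1")  # one char per byte, so decoding never raises
    if HTML_TAG_RE.search(text):
        found.add("html_tag")
    if "'" in text:
        found.add("apostrophe")
    if '"' in text:
        found.add("double_quote")
    if DELETE_RE.search(text):
        found.add("sql_delete")
    return found


def inspect_request(method, query, body=""):
    """Return the sorted list of rule names the request violates; an empty list means allow."""
    violations = set()
    raw_parts = [query]
    if method.upper() == "POST":    # the POST scanning option
        raw_parts.append(body)
    for raw in raw_parts:
        if BAD_ESCAPE_RE.search(raw):
            violations.add("url_encoding")
            continue                # never decode what failed validation
        for name, value in decode_params(raw):
            violations |= check_blob(name) | check_blob(value)
    return sorted(violations)


def audit_line(method, path, query, violations):
    """Verbose audit entry in the spirit of the logging options above (format is an assumption)."""
    action = "DENY" if violations else "ALLOW"
    return f"{action} {method} {path}?{query} rules={','.join(violations) or '-'}"


if __name__ == "__main__":
    samples = [  # constructed requests, not taken from any real log
        ("GET", "/index.php", "page=2&q=hello+world", ""),
        ("GET", "/search.php", "q=%3Cscript%3Ealert(1)%3C/script%3E", ""),
        ("GET", "/item.php", "id=1%27+OR+1%3D1", ""),
        ("POST", "/login.php", "", "user=admin&pass=%22x%22"),
        ("GET", "/view.php", "file=a%00.php", ""),
        ("GET", "/list.php", "q=1;DELETE+FROM+users", ""),
    ]
    for method, path, query, body in samples:
        print(audit_line(method, path, query, inspect_request(method, query, body)))
```

Note that the checks run on the decoded bytes, after the encoding has been validated: a filter that matches on the raw query string would miss a tag spelled as %3Cscript%3E, and one that decodes without validating first would have to guess what a malformed escape means.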
As you can see, the configuration looks pretty simple, but it increases our protection a lot. mod_security has a lot more options and features, which are well documented in the mod_security Reference Manual. It also comes with the basic distribution and is named
My next example is going to cover Host IDS. I'd like to stop on the problem of brute-force password scans using SSH, telnet or FTP. One can hardly argue that you can never be 100% sure that all of the users in your system have a correct and non-trivial password. So such brute-force attacks can easily find that silly user and gain access to his account. So, we need to run such a system which will be able to detect such attempts and block them in any possible way.
I will use Snort and the ipfw firewall (FreeBSD). I will not stop much on the installation: the firewall must be enabled in the FreeBSD kernel configuration file, and Snort can be easily installed from the ports:
root@artiste:/usr/ports/security/snort>make && make install
Keep in mind that bpf must be enabled in the kernel, and xl0 is the interface to listen on. The configuration file will be placed at /usr/local/etc/snort.conf. The $HOME_NET variable is configured there by default, and it is the correct place where to add our own rule sets. Do not forget to create a log directory for Snort (/var/log/snort). If this is your first install, start Snort manually. If everything is configured correctly and your system has bpf configured in the kernel, Snort will start up. Otherwise, it'll fail with an error:
Running in IDS mode with inferred config file: /usr/local/etc/snort.conf
Log directory = /var/log/snort
Initializing Network Interface xl0
ERROR: OpenPcap() device xl0 open:
(no devices found) /dev/bpf0: Device not configured
Fatal Error, Qu
If you don't have bpf in the kernel, add the bpf device to your kernel configuration file and rebuild the kernel. With bpf present, Snort starts normally:
Running in IDS mode with inferred config file: /usr/local/etc/snort.conf
Log directory = /var/log/snort
== Initializing Snort ==
Initializing Output Plugins!
Decoding Ethernet on interface xl0
Parsing Rules file /usr/local/etc/snort.conf
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
ation threshold: 500
Self preservation period: 90
Suspend threshold: 1000
Suspend period: 30
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Ports: 21 23
25 53 80 110 111 143 513 1433
Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
Ports to decode RPC on: 111 32771
Using LOCAL time
Conv Count: 32000
Timeout : 60
Alert Odd?: 0
Allowed IP Protocols: All
1 Snort rules read...
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
cap : 1048576 bytes
hold tracking=src count=3 seconds=60
Rule application order:
== Initialization Complete ==
*> Snort! <*
Version 2.1.3 (Build 27)
By Martin Roesch (email@example.com, www.snort.org)
Now I'll write my own rule set file, which will be used for detecting SSH brute-force attempts. Why SSH? First of all, it's not that trivial; secondly, Snort includes rule sets for telnet brute-force attempts in the default distribution. Here comes our rules file. I'll put it next to the other rule files and add an include of it to Snort's configuration file at /usr/local/etc/snort.conf. And that's the rule set itself:
alert tcp any any -> $HOME_NET 22 (msg:"Potential SSH Brute Force Attack"; threshold:type threshold, track by_src, count , seconds 60;
This rule set file will send TCP_RST packets in both directions once somebody tries to perform more than 3 connections during 60 seconds. Since the default and usual number of password tries in SSH is 3, it is very strange that somebody couldn't remember his password in 6 tries. More than that, Snort will also log this attempt:
[**] [1:2001219:4] Potential SSH Brute Force Attack [**]
[Classification: Attempted Denial of Service] [Priority: 2
TCP TTL:64 TOS:0x0 ID:8481 IpLen:20 DgmLen:60 DF
******S* Seq: 0xC5A27561 Ack: 0x0 Win: 0xE000 TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 43538876 0
And it will also create a special directory, which will keep the TCP session information of each connection:
2 root wheel 512 Oct 20 09:11 .
x 5 root wheel 512 Oct 20 08:54 ..
1 root wheel 9336 Oct 20 08:54 TCP:1371
1 root wheel 353 Oct 20 08:58 TCP:2650
1 root wheel 353 Oct 20 09:00 TCP:2791
1 root wheel 353 Oct 20 09:11 TCP:3294
1 root wheel 353 Oct 20 08:56 TCP:4004
Now, using all this logged information, you can use ipfw for complete or partial blocking of access from the host which has tried so many times to guess a password. Using policy routing you can redirect the attacker to your honeypot, or you can just block access for him for a definite time. For example, here is a sample command which adds a blocking rule and then adds a job to remove the block after 30 minutes (you can put it into a script and run it from cron, if it finds a new file in the Snort log directory):
root@artiste:/var/log/snort>ipfw add 10 reset tcp from 10.0.185.98 to 10.0.185.115 22
00010 reset tcp from 10.0.185.98 to 10.0.185.115 22
t>echo ipfw delete 10 | at now+30
Job 1 will be executed using /bin/sh
Date Owner Queue Job#
10:03:00 10/20/04 root c 1
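The threshold rule and the ipfw/at blocking step above can be tied together in one small piece of state. The following Python is an added example, not part of the article and not Snort or ipfw code: it applies the rule's "track by_src, count, seconds 60" threshold to a stream of connection events, produces for each offender the same two commands the article types by hand (an ipfw reset rule, then a delayed ipfw delete), and expires the block after 30 minutes so a later connection is evaluated afresh. It never runs the commands itself; the event timestamps, the ipfw rule number 10 and the count of 3 are assumptions taken from the article's numbers, and the addresses are the ones from the ipfw example above.

```python
from collections import defaultdict, deque


class BruteForceThreshold:
    """Fires when a source opens more than `count` connections within `seconds`
    (the article's reading of the Snort threshold), then blocks it for `block_minutes`."""

    def __init__(self, count=3, seconds=60, block_minutes=30, rule_number=10):
        self.count = count
        self.seconds = seconds
        self.block_seconds = block_minutes * 60
        self.rule_number = rule_number      # assumed ipfw rule number, as in the example
        self.windows = defaultdict(deque)   # src -> timestamps of its recent connections
        self.blocks = {}                    # src -> unix time when its block expires

    def connection(self, src, dst, port, ts):
        """Record one connection attempt to dst:port from src at unix time ts.
        Returns 'blocked', 'alert' or 'allow'."""
        expiry = self.blocks.get(src)
        if expiry is not None:
            if ts < expiry:
                return "blocked"
            del self.blocks[src]            # the delayed `ipfw delete` has run by now
        window = self.windows[src]
        window.append(ts)
        while window and window[0] <= ts - self.seconds:
            window.popleft()                # keep only the last `seconds` worth of events
        if len(window) > self.count:
            self.blocks[src] = ts + self.block_seconds
            window.clear()
            return "alert"
        return "allow"

    def block_commands(self, src, dst, port):
        """The two shell commands the article issues by hand; returned, never executed."""
        return [
            f"ipfw add {self.rule_number} reset tcp from {src} to {dst} {port}",
            f"echo ipfw delete {self.rule_number} | at now+{self.block_seconds // 60}",
        ]


def replay(events, detector=None):
    """Feed (src, dst, port, ts) events through the detector and return the decisions."""
    detector = detector or BruteForceThreshold()
    decisions = []
    for src, dst, port, ts in events:
        action = detector.connection(src, dst, port, ts)
        decisions.append((src, ts, action))
        if action == "alert":
            for cmd in detector.block_commands(src, dst, port):
                print(cmd)  # an operator or a cron job would run these
    return decisions


# Constructed sample: one host hammers port 22, another connects slowly and stays under threshold.
SAMPLE_EVENTS = [
    ("10.0.185.98", "10.0.185.115", 22, 1000),
    ("10.0.185.98", "10.0.185.115", 22, 1010),
    ("10.0.185.98", "10.0.185.115", 22, 1020),
    ("10.0.185.98", "10.0.185.115", 22, 1030),        # 4th within 60 s -> alert + block
    ("10.0.185.98", "10.0.185.115", 22, 1031),        # still blocked
    ("10.0.185.50", "10.0.185.115", 22, 1000),
    ("10.0.185.50", "10.0.185.115", 22, 1025),
    ("10.0.185.50", "10.0.185.115", 22, 1050),
    ("10.0.185.50", "10.0.185.115", 22, 1075),        # first event aged out -> only 3 in window
    ("10.0.185.98", "10.0.185.115", 22, 1030 + 1801),  # block expired -> evaluated afresh
]

if __name__ == "__main__":
    for decision in replay(SAMPLE_EVENTS):
        print(decision)
```

Keeping the block list and its expiry in the same place that decides on blocking is what makes the automatic step reviewable: the commands are generated from data you can inspect, and the expiry guarantees that a typo or a spoofed source does not lock the administrator out for good.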
It goes without saying that this could be much easier. There are tools that know how to make an external call to a program once a rule has fired (at the moment of writing this article). On the other hand, ipfw is much more flexible, but definitely with a less intuitive syntax. More than that, it's worth thinking twice before giving such powerful possibilities of automatic access to a firewall: it can easily lock us out of our server just because of a single typo. Sometimes it's a good approach to let your software do your job, but not when it deals with the only way in.
As a very important note, I'd like to warn everybody about using the examples which I used in this article. I've been trying to show you the possibilities and flexibility of IDS systems, not a correctly planned IPS. Please never use these examples on a production system as they are, because you may get a false confidence that your system is safe when it is not.
As a conclusion, I should say that Intrusion Detection and Prevention Systems are powerful helpers in securing your servers, but you should always keep in mind that no system could perfectly fit your needs. And if you want to keep your server as secure as possible, it will require your personal touch and scripting.
Copyright © 2004 Alexander Prohorenko