Hack Proofing Linux: A Guide to Open Source Security, part 5
Implementing an Intrusion Detection System • Chapter 4

ACID requires the following items, in addition to Snort:

■ Apache Server www.apache.org
■ PHP version 4 www.php.net
■ The Snort database plug-in www.incident.org

For more information, consult any one of the ACID home pages.

Figure 4.12 Viewing SnortSnarf Output

Summary

In this chapter, you have implemented an IDS on your network. You have installed two host-based IDS applications (Tripwire and PortSentry), as well as a network-based IDS (Snort). Now you can begin logging and analyzing connections for attacks, and you can proceed with a bit more confidence now that you have implemented some safeguards. Additional IDS applications exist, of course. In time, the open source community will create and adopt even more sophisticated tools to help you make your network more secure.

Several tasks lie ahead. You now get to:

1. Read even more logs than before you read this chapter.
2. Deploy the IDS applications you have read about on systems in your network.
3. Secure your IDS application elements (such as your PostgreSQL database) so that none of these elements can be compromised. For example, if you are logging to a remote database or file, find a way to secure the connection between the two hosts; an attacker who can read or alter the sensor's log stream can hide an intrusion from you.
4. Monitor network and system performance to make sure that your IDS is not significantly affecting it.

So, even though an IDS helps you do your job, it will never be able to do your job for you. The open source community has done a fairly good job keeping current with the latest IDS demands. As the Linux kernel and operating system stabilize further, chances are that you will be able to implement even more sophisticated solutions.
Solutions Fast Track

Understanding IDS Strategies and Types

■ An Intrusion Detection System (IDS) is any system or set of systems that has the ability to detect a change in the status of your system or network. Because an IDS can contain multiple hosts and applications, this chapter will often use the term IDS application to refer to a specific IDS element.
■ Two general strategies are used when it comes to detecting intrusions: rule-based IDS applications (also called signature-based) and anomaly-based IDS applications.
■ IDS applications do their work either continuously in real time, or at certain intervals (interval-based intrusion detection).
■ Two different types of IDS applications exist: host-based and network-based.
■ In many cases, an effective IDS application requires a great deal of processor time in order to work well. Log files require a great deal of hard drive space, especially in busy networks. Thus, simply for the sake of performance, consider using multiple systems to gather, store, and analyze information.
■ Most network-based IDS applications do not work properly in a switched network, because a switch delivers each frame only to the port of its destination host. The sensor then sees only its own traffic and broadcasts, unless the switch is configured to mirror the traffic of interest to the sensor's port.
■ An IDS stores its information in several places: system logs, simple text files and directories, and databases.
■ An IDS can act as a supplement to a firewall, because it can help you monitor traffic on the internal network. Sometimes it may be useful to place an IDS application outside the firewall, or in the DMZ, so that you can learn more about the attacks waged against the firewall itself.

Installing Tripwire to Detect File Changes

■ Tripwire is one of the most popular applications for determining when a file or directory has been altered. It scans your system's hard drive and creates a database. After its database has been created, Tripwire can conduct regular scans of your hard drive and inform you (via e-mail or a log file) about any changes.

Updating Tripwire to Account for Legitimate Changes in the OS

■ Eventually, legitimate changes will occur to your operating system. These changes will keep appearing in reports unless you update your database. Database update mode allows you to update the database so that it no longer recognizes any differences between itself and the operating system.
■ Updating the policy is different than updating the database. It is sometimes necessary to update your policy. If, for example, you install a new application, you may want to ensure that its files are protected by Tripwire.

Configuring Tripwire to Inform You Concerning Changes

■ As with any Linux/Unix application, you will have to do quite a bit of "tweaking" to make Tripwire suit your needs. Refer back to the Installing Tripwire, Securing the Tripwire Database, and Using Cron to Run Tripwire Automatically exercises for more information on how to install and use Tripwire.

Deploying PortSentry to Act as a Host-Based IDS

■ PortSentry is a host-based IDS application that monitors all open ports. It is an effective tool if you wish to detect TCP and/or UDP port scans, and if you wish to have your host reconfigure itself in case of a port scan.
■ PortSentry will compile on any standard Linux system that has TCP Wrappers and ipchains or ipfw support.
■ All of the PortSentry files are located under the /usr/local/psionic/portsentry/ directory. All files are owned by root, and the program must be started as root: it binds the ports it watches (including the privileged ports below 1024) and, in stealth mode, opens a raw socket to see the probes.

Configuring PortSentry to Block Users

■ The Advanced Stealth Scan Detection Options determine the port numbers that PortSentry will monitor when you use the -stcp option to start PortSentry. By default, PortSentry listens only to ports up to 1023.
■ The Dropping Routes section allows you to determine how PortSentry will deny connections. The KILL_ROUTE options allow you to configure various system tools (such as route or ipchains) to actually do the work of denying hosts.

Optimizing PortSentry to Sense Attack Types

■ You can start PortSentry in various ways, depending upon the types of attacks you wish to detect. Customize each system that you have depending upon its function and place in your network.

Installing and Configuring Snort

■ Snort, available at www.snort.org, is best suited to detailed log analysis. It places your NIC into promiscuous mode and captures all traffic on your network segment, as opposed to traffic destined for just one host.
■ Snort can log its findings into remote or local databases. Snort's analysis feature is able to read the contents of the captured packets and then inform you about any attacks waged against your network.
■ Snort is able to automatically detect attacks based solely upon the rules it uses.
■ You can use several detection plug-ins. Sometimes, plug-ins do not require additional arguments. At other times, they require you to specify additional parameters.

Running Snort as a Network-Based IDS

■ The snort.conf file gives you the ability to use Snort as a true IDS because it has Snort use rules and plug-ins. You can also specify more sophisticated home network and logging methods. After you begin using the rules and plug-ins found in snort.conf, Snort will begin selectively logging traffic.

Configuring Snort to Log to a Database

■ On busy networks, it is necessary to configure Snort to log less information. Certain command-line options help you control how much your IDS will log.
■ Additional configuration options are available, including the ability to configure Snort to send alerts to Windows systems that have the Server service running.

Identifying Snort Add-Ons

■ SnortSnarf is a collection of Perl scripts designed to read the Snort alert file (/var/log/snort/alert) and then generate HTML output. The program is available from www.silicondefense.com/software/snortsnarf.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: I am trying to configure PortSentry to use both the ipchains and route commands to drop suspect connections. Why doesn't the second command work?

A: Currently, PortSentry allows only one KILL_ROUTE line. If possible, use the ipchains option. If your kernel doesn't support ipchains (for example, if you are running a 2.4 kernel without the ipchains compatibility module loaded), then use the route option or work on using iptables.

Q: I want to use Snort to automatically respond to attacks. How do I do this?

A: Compile Snort with the --enable-flexresp option. For more information on actually creating rules, consult the README.FLEXRESP file that comes with the RPM or source tarball.

Q: I have configured Tripwire, but I would like to send e-mail using Qmail rather than Sendmail. What can I do?

A: Open /etc/tripwire/twcfg.txt and replace the MAILPROGRAM line with a reference to Qmail. You can also use Qmail-specific options to customize how Tripwire messages will be processed.

Q: Why doesn't my copy of Snort grab traffic to and from any host other than my own?

A: Unless you have somehow misconfigured your HOME_NET value (or some other element of the snort.conf file or the command line), you are probably on a switched network. If this is the case, Snort will only be able to capture traffic between the local host and any other host that connects with it. In other words, Snort will behave just like a fancy version of PortSentry.

Q: I would rather use MySQL than PostgreSQL. What can I do?

A: Other than some minor changes in the snort.conf file, you simply have to install MySQL and then connect the database. You are in luck when it comes to Snort add-ons, as well, because they all work with either MySQL or PostgreSQL.

Q: What are some additional readings concerning how to implement an IDS?

A: You can choose from quite a few. Here are some of the more popular titles:

■ Network Intrusion Detection: An Analyst's Handbook (2nd Edition), Stephen Northcutt, Donald McLachlan, and Judy Novak. Indianapolis: New Riders Publishing, 2000. ISBN: 0735710082.
■ Intrusion Detection, Rebecca Bace. Indianapolis: Macmillan, 2000. ISBN: 1578701856.
■ Intrusion Detection: Network Security Beyond the Firewall, Terry Escamilla. New York: John Wiley & Sons, 1998. ISBN: 0471290009.
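The Tripwire items in the Solutions Fast Track above describe four things: building a baseline database, checking the file system against it, a database update mode for accepting legitimate changes, and securing the database itself. The following Python script is an added illustration of that workflow and is not Tripwire's own code. It hashes a directory tree into a baseline, reports added, removed and changed files, folds reviewed changes back into the baseline, and protects the stored database with an HMAC (an assumed stand-in for the signing Tripwire performs with its site and local keys). The directory contents, the intruder's changes and the key `site-key` are constructed for the demonstration.

```python
import hashlib, hmac, json, os, shutil, stat, tempfile


def _file_record(path):
    """Attributes that matter for detecting tampering: content hash, size, mode, owner."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}


def build_database(root):
    """Initialization mode: record every regular file under root (symlinks skipped)."""
    db = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                db[os.path.relpath(full, root)] = _file_record(full)
    return db


def check(root, db):
    """Integrity check mode: added, removed and changed files versus the baseline."""
    current = build_database(root)
    changed = {}
    for rel in sorted(set(db) & set(current)):
        diffs = {k: (db[rel][k], current[rel][k])
                 for k in db[rel] if db[rel][k] != current[rel][k]}
        if diffs:
            changed[rel] = diffs
    return {"added": sorted(set(current) - set(db)),
            "removed": sorted(set(db) - set(current)), "changed": changed}


def update_database(db, root, accept):
    """Database update mode: fold only reviewed, legitimate changes into the baseline."""
    current = build_database(root)
    new_db = dict(db)
    for rel in accept:
        if rel in current:
            new_db[rel] = current[rel]
        else:
            new_db.pop(rel, None)  # an accepted deletion leaves the baseline
    return new_db


def save_database(db, path, key):
    """Write the database with an HMAC so that edits to the file itself are detected."""
    body = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    with open(path, "wb") as fh:
        fh.write(body + b"\n" + tag)


def load_database(path, key):
    """Refuse a database whose HMAC does not verify under the expected key."""
    with open(path, "rb") as fh:
        body, _, tag = fh.read().rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("database integrity check failed: wrong key or tampered file")
    return json.loads(body.decode())


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario in a temporary tree: baseline, tamper, check, update, sign."""
    root = tempfile.mkdtemp(prefix="twdemo-")
    _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
    _write(root, "etc/hosts", "127.0.0.1 localhost\n")
    baseline = build_database(root)
    # What an intruder might do: add a second uid-0 account, drop a preload
    # library, and delete a file.
    _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\ntoor:x:0:0::/:/bin/sh\n")
    _write(root, "etc/ld.so.preload", "/tmp/libevil.so\n")
    os.remove(os.path.join(root, "etc/hosts"))
    report = check(root, baseline)
    # After review the administrator accepts everything (as after a legitimate
    # upgrade), so the next check is clean.
    updated = update_database(baseline, root,
                              report["added"] + report["removed"] + list(report["changed"]))
    after_update = check(root, updated)
    dbfile = os.path.join(root, "tripwire.db")
    save_database(updated, dbfile, b"site-key")
    reloaded = load_database(dbfile, b"site-key")
    try:
        load_database(dbfile, b"wrong-key")
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    shutil.rmtree(root)
    return {"report": report, "after_update": after_update,
            "reloaded_matches": reloaded == updated, "wrong_key_rejected": wrong_key_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note what the report catches and what it does not: the second uid-0 line in etc/passwd is found because the hash and size changed, but a baseline is only as trustworthy as its storage, which is why the HMAC key (or, with real Tripwire, the site key) must never live on the monitored host in a form an intruder can read.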
Chapter 5

Troubleshooting the Network with Sniffers

Solutions in this chapter:

■ Understanding Packet Analysis and TCP Handshakes
■ Creating Filters Using Tcpdump
■ Configuring Ethereal to Capture Network Packets
■ Viewing Network Traffic between Hosts Using EtherApe
■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions

Introduction

A sniffer, or packet sniffer, is software or hardware that captures network traffic. This traffic can be analyzed to determine problems in a network, such as bottlenecks or performance degradation. It can also confirm hacker attacks against your network systems. If you suspect a system is under attack, you can capture the packets on its interface to identify what types of packets are hitting the system, as well as where the packets originated (bearing in mind that a source address can be spoofed). Once a problem is determined, an administrator can make network changes to ensure that the network operates efficiently and securely.

Packet sniffers capture packets on a specific interface, or on all interfaces, depending on how you configure the sniffer. By default, they display all traffic captured on the network. However, this usually results in far too much traffic for an administrator to sort through. Therefore, sniffers offer filters that allow you to capture and display only packets that meet particular criteria. For instance, you may only be interested in capturing packets between one client and one server to determine the server's response time, or to determine why a particular client cannot access a server. Sniffers allow you to enter the Internet Protocol (IP) addresses of the client and server, so that only the network traffic between the two IP addresses will be captured and displayed.
This chapter introduces you to three popular open source Linux sniffers:

■ Tcpdump A command-line network traffic monitoring tool. It has been around for a long time and most graphical sniffers depend on it. Visit the tcpdump public repository at www.tcpdump.org. Tcpdump is shown in Figure 5.1.
■ Ethereal A graphical network traffic-monitoring tool that is more user friendly than tcpdump. It allows you to view real-time packet captures and uses many tcpdump commands and options for filtering. Once the data is captured, Ethereal allows you to interactively view each packet and its individual headers. Descriptions of the packet headers are summarized. It also allows you to view reconstructed TCP streams. It displays real-time traffic, as well as traffic saved to a file. Visit the Ethereal home page at www.ethereal.com. Ethereal is shown in Figure 5.2.
■ EtherApe A graphical network traffic monitoring tool. Unlike Ethereal, EtherApe displays networking activity graphically by identifying hosts and the links that exist between the hosts. The links are color coded and [...]

[...]

Creating Filters Using Tcpdump

Tcpdump is a command-line network traffic-monitoring tool that can capture packets on a network interface and allows administrators to analyze the results. It is maintained by the TCPDUMP Group. Because tcpdump is a command-line tool, analyzing the results can be difficult. Tcpdump allows you to capture all packets on a given interface, or all interfaces on a system, for analysis [...]

[...] Ethereal to display a packet capture within a file. Allows you to apply a packet filter to a file. Any packet that does not apply to the filter is removed from the display. Defines the default length, in bytes, of each packet capture. Defines the timestamp format. There are three choices: Absolute (a) Actual time and date the packet is captured. Delta (d) The time since the last packet was captured. Relative [...]

[...] understand how to read a packet and be able to analyze a Transmission Control Protocol (TCP) connection. Without these skills, you will be unable to analyze the traffic captured by the sniffers.

Understanding Packet Analysis and TCP Handshakes

As you would expect, packet analysis requires an understanding of network packets. This chapter requires you to already understand the seven layers of the Open System [...]

Boolean Operators

You can also use Boolean operators to further specify a filter. Boolean operators are the AND, OR, and NOT operators. For example, you can specify that you want to capture packets between 192.168.60.10 and 192.168.60.11. You can also capture packets between bob or susan. Finally, [...]

Figure 5.9 Monitoring a Host on a Local Network

The primitives listed in Table 5.5 are extremely helpful for identifying specific protocols, broadcasts, and multicasts on a network.

Table 5.5 Additional Primitives

Primitive                               Description
tcp, udp, icmp, ip, arp, rarp, decnet   Captures all packets that match the specified protocol
ether broadcast                         Captures all Ethernet broadcast packets
ip broadcast                            Captures [...]

[...] server to respond to a client request. If you are determining a possible attack, you may want to use the absolute timestamp to document the date and time an attack took place.

Ethereal Filters

Ethereal filters are similar to the filters in tcpdump. The easiest way to apply filters is to open the program using [...]

[...] constantly as the host connections change. It displays real-time traffic, as well as traffic saved to a file. Visit the EtherApe home page at http://etherape.sourceforge.net, shown in Figure 5.23.

Figure 5.23 EtherApe Home Page

As you can see, EtherApe supports Ethernet, Fiber Distributed Data Interface (FDDI), PPP, and SLIP devices, and is capable of reading network traffic live and from a file. It can also save [...]

[...] packet as it looks when traveling across the physical wire. Figure 5.14 displays a random packet capture of a network. Note that the pane sizes are adjustable.

Figure 5.14 Ethereal Panes

In Figure 5.15, an HTTP GET command is listed in the summary pane, which is the top pane. It displays the basic data regarding the packet. In this case, [...]

[...] important tasks for a security administrator is analyzing TCP traffic. It can tell us a great deal about our network connections. It can also identify many denial-of-service (DoS) attacks and man-in-the-middle, or hijacking, attacks. Because TCP is the protocol used for making a connection in TCP/IP, a careful analysis of the connection process can be extremely helpful for all packet analysis.

TCP Handshakes

Whenever two hosts establish a connection on a TCP/IP network, a TCP handshake must occur to establish the session. The handshake consists of rules that the two hosts must follow. All sniffers are capable of viewing any TCP connection establishment and termination, which includes the TCP handshake. TCP handshakes use special mechanisms, called flags, to establish and terminate a [...]
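To make the handshake rules above concrete, here is an added Python example; it is not code from the book, from tcpdump or from Ethereal. It builds a constructed capture of raw Ethernet/IPv4/TCP frames, decodes the fields a sniffer prints (source and destination host and port, sequence and acknowledgment numbers, the flags), replays the three steps SYN, SYN/ACK and ACK for each connection, and then counts connections that never complete, which is how a SYN flood, one of the DoS attacks the chapter says TCP analysis can identify, shows up in a trace. The addresses 192.168.60.10 and 192.168.60.11 are the chapter's own example hosts; the 10.0.0.x clients, the port numbers and the sequence numbers are assumptions made for the sample, and checksums are left at zero because the decoder does not verify them.

```python
import struct
from collections import defaultdict

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0):
    """Build a minimal Ethernet/IPv4/TCP frame (no options, no payload, zero checksums)."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4                       # dummy MACs, EtherType IPv4
    ip_src = bytes(int(o) for o in src_ip.split("."))
    ip_dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64,
                     IPPROTO_TCP, 0, ip_src, ip_dst)          # IHL=5, total length 40
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, 8192, 0, 0)              # data offset 5 words
    return eth + ip + tcp


def decode(frame):
    """Return the TCP endpoints, sequence numbers and flags, or None if not IPv4/TCP."""
    if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def flag_names(flags):
    """Render the flag bits the way a sniffer prints them, e.g. 'SYN ACK'."""
    names = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("ACK", ACK)]
    return " ".join(n for n, bit in names if flags & bit) or "none"


def track_handshakes(frames):
    """Replay frames in capture order and record the handshake state of every
    client-initiated connection, keyed by (client, cport, server, sport).
    States: 'syn-sent' (step 1 seen), 'syn-received' (step 2 seen),
    'established' (step 3 seen), 'reset' (RST from either side)."""
    state = {}
    for frame in frames:
        p = decode(frame)
        if p is None:
            continue
        f = p["flags"]
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if f & SYN and not f & ACK:                           # step 1: client SYN
            state[fwd] = "syn-sent"
        elif f & SYN and f & ACK and state.get(rev) == "syn-sent":
            state[rev] = "syn-received"                       # step 2: server SYN/ACK
        elif f & ACK and not f & SYN and state.get(fwd) == "syn-received":
            state[fwd] = "established"                        # step 3: client ACK
        elif f & RST:
            key = fwd if fwd in state else rev
            if key in state:
                state[key] = "reset"
    return state


def half_open(state):
    """Connections that never got past step 1 or 2: the raw material of a SYN flood."""
    return sorted(k for k, v in state.items() if v in ("syn-sent", "syn-received"))


def syn_flood_suspects(state, threshold=3):
    """Group half-open connections by server endpoint; many against one port with
    no completed handshake is the classic SYN-flood signature."""
    counts = defaultdict(int)
    for (_client, _cport, server, sport) in half_open(state):
        counts[(server, sport)] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


# Constructed sample capture: one complete handshake to a web server, followed
# by five SYNs from assumed spoofed clients that never complete.
SAMPLE_CAPTURE = [
    build_tcp_frame("192.168.60.10", "192.168.60.11", 40000, 80, SYN, seq=100),
    build_tcp_frame("192.168.60.11", "192.168.60.10", 80, 40000, SYN | ACK, seq=500, ack=101),
    build_tcp_frame("192.168.60.10", "192.168.60.11", 40000, 80, ACK, seq=101, ack=501),
] + [build_tcp_frame("10.0.0.%d" % i, "192.168.60.11", 1024 + i, 80, SYN, seq=i)
     for i in range(1, 6)]

if __name__ == "__main__":
    for frame in SAMPLE_CAPTURE:
        p = decode(frame)
        print("%s:%d > %s:%d [%s]" % (p["src"], p["sport"], p["dst"], p["dport"],
                                      flag_names(p["flags"])))
    conns = track_handshakes(SAMPLE_CAPTURE)
    print("established:", [k for k, v in conns.items() if v == "established"])
    print("half-open:", len(half_open(conns)), "suspects:", syn_flood_suspects(conns))
```

The three states map directly onto what you will see in a tcpdump or Ethereal listing: a line with only SYN set, the reply with SYN and ACK set and an acknowledgment number one higher than the client's sequence number, and the client's bare ACK. Filtering a real capture with the `host` and `port` primitives before running this kind of tracker keeps the state table small.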
