INTRUSION DETECTION SYSTEM
Implementation of an all-in-one IDS machine

Professor: Massimiliano Rak
Student: Pasquale Cirillo
Student ID: A18/45

Network Protocols and Systems Security course – Academic Year 2011/12

INTRUSION DETECTION SYSTEM – IMPLEMENTATION AND TEST

Summary
• Objective
• Security requirements
• Intrusion Detection Systems
  • IDS classification
• Sensor Soft-Hardening
• NIDS/IPS: SNORT
  • Basic Analysis and Security Engine (BASE): SNORT web interface
• Honeypot Systems
  • Honeypot classification
  • Nepenthes
  • Amun
  • SURFids
• Antivirus Installation
• Penetration Test
  • Penetration Testing Software: Metasploit

Objective
• Implement a Distributed Intrusion Detection System based on the SURFcert IDS project
• Install a honeypot to support the IDS
• Test the system

Assumptions
• The Distributed Intrusion Detection System (D-IDS) considered here is based on a client-server approach in which the client is called a sensor. Sensors often contain a honeypot and/or a passive analysis tool such as Snort
• To simplify the installation and configuration of the tools, however, we use a single all-in-one machine

What is Security?
ISO 27001 and ISO 27002 definition: Information security is all about protecting and preserving information. It's all about protecting and preserving the confidentiality, integrity, authenticity, availability, and reliability of information.

Security Objectives
• Ensure the application of the CIA paradigm:
  • Confidentiality: the information must be accessible only to authorized users
  • Integrity: the information must be modifiable only by authorized users; all other unauthorized access must be blocked
  • Availability: the information must always be available to authorized users, at the times and in the ways provided by the security policies

Security Areas
Bruce Schneier's definition ('Secrets and Lies')
• Prevention: block any threat or attack
• Detection: prevention eventually fails; detection aims to spot attacks in progress
• Reaction: once an attack has been detected, respond to the attackers

Attack Definition
An attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of any tangible or intangible thing that has value to an organization
• Passive attack: the attacker attempts to learn or make use of information from the system but does not affect system resources
• Active attack: the attacker attempts to alter system resources or affect their operation

IDS Definition
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station

IDS Components
• Sensors: one or more sensors receive information from the network or from the monitored hosts
• Console: used to monitor the status of the network and of the hosts
• Engine: analyzes the data collected by the sensors in order to detect possible intrusions
• Database: the analysis engine relies on a database that stores the rules used to identify security breaches

CIDF
• The Common Intrusion Detection Framework (CIDF) is an effort to develop protocols and application programming interfaces so that intrusion detection research projects can share information and resources and so that intrusion detection components can be reused in other systems
• Some of the ideas involved in CIDF have encouraged the creation of an Internet Engineering Task Force (IETF) working group, named the Intrusion Detection Working Group (IDWG)

CIDF Components
• CIDF adopts a view of intrusion detection systems in which they consist of discrete components which communicate via message passing
• The four kinds of components exchange data in the form of 'generalized intrusion detection objects' (gidos), which are represented in a standard common format
• Event generators ('E-boxes'): the role of an event generator is to obtain events from the larger computational environment outside the intrusion detection system and provide them in the CIDF gido format to the rest of the system
• Event analyzers ('A-boxes'): they receive gidos from other components, analyze them, and return new gidos (which presumably represent some kind of synthesis or summary of the input events)
• Event databases ('D-boxes'): these components simply exist to give persistence to CIDF gidos
• Response units ('R-boxes'): they consume gidos which direct them to carry out some kind of action on behalf of other CIDF components, and they carry out this action.
  This includes such things as killing processes, resetting connections, altering file permissions, etc.

IDS Classification
Sources
• NIDS – Network-Based IDS
• HIDS – Host-Based IDS
• Application-Based IDS
• Hybrid IDS
Detection Mechanism
• Misuse Detection
• Anomaly Detection
• Protocol Analysis
DIDS – Distributed IDS
IPS – Intrusion Prevention System

NIDS (1/2)
Objective
• Monitor a network segment
Functioning
• Change the operating mode of the network interface by placing it in promiscuous mode, so that it listens to every packet on the network segment
• Analyze all network traffic looking for a match with known attack signatures, or for statistically anomalous traffic

NIDS (2/2)
Detects
• Buffer overflows, format string attacks, transmission of suspicious files
• Port scanning, SYN attacks or attacks based on packet fragmentation
• Spoofed IP addresses
Disadvantages
• Cannot block the flow of packets while an attack is in progress
• Inability to deal with encrypted traffic
• Powerful hardware is needed to handle high volumes of traffic
• Problems with fragmented packets
• Detects intrusions but does not know their outcome
• Requires considerable resources to keep logs
• Frequent updating of signatures

HIDS
Objective
• Monitor and analyze a single host
Functioning
• Analysis of system logs, audit logs, security logs, system calls and the changes undergone by the file system
• For each monitored element its attributes are stored and a checksum is computed with a hash function; the current data are compared with the stored checksum to detect an attack
Advantages
• Understands whether the attack was successful or not
• Can analyze encrypted messages
Disadvantages
• Is itself subject to attacks

Application IDS
Objective
• An application IDS works solely with the application itself
• They tend to be tailored to a specific product
Functioning
• The IDS reports when anomalous activity is detected, most often using the logs generated by the application

Hybrid IDS
• Also known as NNIDS (Network Node IDS), a hybrid IDS is network-based but installed on a single host
• It analyzes only the network traffic directed to that host
• Advantage: it can inspect encrypted traffic before it can cause an intrusion into the system

Misuse Detection
• To detect an intrusion it uses pattern matching algorithms, which are the true engine of the IDS
• The signature database is constantly updated
• All incoming packets are checked for a match with the signatures present in the database
• Stateful pattern matching analysis is used to detect an attack whose string payload is divided into multiple packets
Advantages
• Low number of false alarms
Disadvantages
• High computational load
• New attacks, for which no signature exists yet, are not recognized
• Frequent updates of the database

Anomaly Detection
• Searches for abnormal behavior that differs from a system model characterizing correct operation
• Requires a learning phase:
  • Self learning: the model is learned from examples
  • Programmed learning: requires in-depth mathematical knowledge to create the models
Advantages
• Very flexible technique: it allows the detection of unknown attacks
Disadvantages
• High number of false alarms

Protocol Analysis
• Based on checking traffic against the technical specifications of the protocols defined in the RFCs
• Generates an alarm for each violation of the standard protocol, e.g. a SYN flood attack
Advantages
• Lower number of false alarms
Disadvantages
• Management of ambiguities in the RFCs

DIDS
• Constituted by sensors and a central monitoring system
• A sensor generates logs that track the attacks and sends them to the central system
• The central system collects the data and creates a global repository
• Communication between the sensors and the central system takes place over an encrypted VPN
Disadvantages
• Sensor heterogeneity requires a standard communication interface
• Inherits all the disadvantages of the IDS sensors

IPS
• Evolution of the IDS
• To achieve prevention, in addition to the normal capabilities of an IDS, the IPS implements instruments to block malicious traffic in real time
Capabilities
• Blocks the intrusion through actions such as terminating a network connection
• Changes the security policies when an attack is detected

System Architecture
[Figure: All-in-one machine, IP 192.168.0.20; Attacker, IP 192.168.0.19]
• The all-in-one machine consists of a NIDS and two honeypots that run alternately (one at a time).
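The checksum-based file-system check described on the HIDS slide above, as an added Python example (not part of the deck): it records attributes and a SHA-256 digest for every file under a directory as a baseline, then reports what was added, removed or modified. The directory tree, file names and the tampering simulated in demo() are constructed for illustration.

```python
"""HIDS-style file integrity check: baseline of attributes + SHA-256, then compare."""
import hashlib
import json
import stat
import tempfile
from pathlib import Path

# Attributes compared per file; mtime is kept as whole seconds.
FIELDS = ("size", "mode", "mtime", "sha256")


def file_digest(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of the file contents, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record attributes and checksum of every regular file below root."""
    entries = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        entries[path.relative_to(root).as_posix()] = {
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "mtime": int(st.st_mtime),
            "sha256": file_digest(path),
        }
    return entries


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Store the snapshot; in a real deployment keep this file off the monitored host."""
    baseline_file.write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: added/removed paths and, for modified ones, the fields that changed."""
    modified = {}
    for name in sorted(set(baseline) & set(current)):
        changed = [k for k in FIELDS if baseline[name][k] != current[name][k]]
        if changed:
            modified[name] = changed
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": modified,
    }


def check(root: Path, baseline_file: Path) -> dict:
    """Compare the live tree against the stored baseline."""
    return compare(json.loads(baseline_file.read_text()), snapshot(root))


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "snort").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "snort" / "snort.conf").write_text("ipvar HOME_NET 192.168.0.20/32\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(root, baseline_file)

        # Simulated tampering: an account appended, a config removed, an unknown file dropped in.
        with (root / "passwd").open("a") as f:
            f.write("guest:x:0:0::/:/bin/sh\n")
        (root / "snort" / "snort.conf").unlink()
        (root / "unknown.sh").write_text("#!/bin/sh\n")
        return check(root, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```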
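The stateful pattern matching point from the Misuse Detection slide above, as an added Python example (not from the deck or from Snort): a per-packet matcher misses a signature whose bytes are spread over several TCP segments, while reassembling each flow in sequence order before matching (what a stream preprocessor does) recovers it. The signatures, flow tuple and HTTP request are constructed for illustration.

```python
"""Per-packet vs stream-reassembled signature matching (misuse detection)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed signatures: name -> byte pattern the misuse detector looks for.
SIGNATURES = {
    "WEB-MISC /etc/passwd access": b"/etc/passwd",
    "SHELLCODE x86 NOOP sled": b"\x90" * 8,
}


@dataclass(frozen=True)
class Segment:
    """The parts of a TCP segment the matcher needs (constructed, not captured)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes

    @property
    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)


def find_signatures(data: bytes) -> list:
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def match_per_packet(segments) -> list:
    """Stateless matcher: every segment is inspected on its own."""
    hits = []
    for seg in segments:
        for name in find_signatures(seg.payload):
            hits.append((name, seg.flow, seg.seq))
    return hits


def reassemble(segments) -> bytes:
    """Stitch one flow's segments in sequence order; drop overlaps, stop at a gap."""
    ordered = sorted(segments, key=lambda s: s.seq)
    if not ordered:
        return b""
    data = bytearray()
    expected = ordered[0].seq
    for seg in ordered:
        if seg.seq > expected:        # a segment is missing: the stream cannot continue
            break
        fresh = seg.payload[expected - seg.seq:]   # skip retransmitted bytes already seen
        data += fresh
        expected += len(fresh)
    return bytes(data)


def match_stateful(segments) -> list:
    """Stateful matcher: group segments per flow, reassemble, then look for signatures."""
    flows = defaultdict(list)
    for seg in segments:
        flows[seg.flow].append(seg)
    hits = []
    for flow, segs in flows.items():
        for name in find_signatures(reassemble(segs)):
            hits.append((name, flow))
    return hits


def split_request(request: bytes, cuts, flow=("192.168.0.19", 40000, "192.168.0.20", 80), seq0=1000):
    """Constructed traffic: one request split at the given offsets, delivered in reverse order."""
    bounds = [0, *cuts, len(request)]
    segments = [Segment(*flow, seq0 + start, request[start:end])
                for start, end in zip(bounds, bounds[1:])]
    return segments[::-1]


def reassembly_edge_cases() -> dict:
    """A retransmitted overlap is de-duplicated; a missing segment stops reassembly at the gap."""
    flow = ("192.168.0.19", 40001, "192.168.0.20", 80)
    overlap = [Segment(*flow, 1000, b"abcd"), Segment(*flow, 1002, b"cdef")]
    gap = [Segment(*flow, 1000, b"ab"), Segment(*flow, 1005, b"xy")]
    return {"overlap": reassemble(overlap), "gap": reassemble(gap)}


def demo() -> dict:
    request = b"GET /cgi-bin/view?file=/etc/passwd HTTP/1.0\r\nHost: 192.168.0.20\r\n\r\n"
    # Offsets 26 and 31 fall inside "/etc/passwd" (bytes 23..33), so no segment holds it whole.
    segments = split_request(request, cuts=[26, 31])
    return {
        "per_packet_unsplit": match_per_packet(split_request(request, cuts=[])),
        "per_packet": match_per_packet(segments),
        "stateful": match_stateful(segments),
    }
```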
  BASE and SURFids (SurfnetIDS) have been installed to provide a web interface to analyze the IDS logs
• On the attacker machine the Metasploit penetration testing software has been used to perform a penetration test

Sensor Soft-Hardening (1/2)
• Set permission 500 (owner read and execute only) on wget, curl, GET, links, ftp and telnet. whereis shows where the binaries live (lynx and tftp are not installed):
    root@allinone:/# whereis wget curl GET links lynx ftp tftp telnet
    wget: /usr/bin/wget /usr/bin/X11/wget /usr/share/man/man1/wget.1.gz
    curl: /usr/bin/curl /usr/bin/X11/curl /usr/share/man/man1/curl.1.gz
    GET: /usr/bin/GET /usr/bin/X11/GET /usr/share/man/man1/GET.1p.gz
    links: /usr/bin/links /usr/bin/X11/links /usr/share/man/man1/links.1.gz
    lynx:
    ftp: /usr/bin/ftp /usr/bin/X11/ftp /usr/share/man/man1/ftp.1.gz
    tftp:
    telnet: /usr/bin/telnet /usr/bin/telnet.netkit /usr/bin/X11/telnet /usr/bin/X11/telnet.netkit /usr/share/man/man1/telnet.1.gz
    root@allinone:/# chmod 500 /usr/bin/wget /usr/bin/curl /usr/bin/GET /usr/bin/links /usr/bin/ftp /usr/bin/telnet.netkit
• Install Rootkit Hunter and start a scan
  Ref.: http://www.lifelinux.com/how-to-install-rootkit-hunter/
• Install the Fail2Ban script:
    root@allinone:/# apt-get install fail2ban

Sensor Soft-Hardening (2/2)
• Configure /etc/fail2ban/fail2ban.conf: set the log file path to /var/log/fail2ban.log
• Configure /etc/fail2ban/jail.conf:
    bantime = 3600

    [ssh]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3

SNORT (1/3)
• Snort® is an open source network intrusion prevention and detection system (IDS/IPS)
• It combines the benefits of signature-, protocol- and anomaly-based inspection
• Install Snort with MySQL support
    root@allinone:/# apt-get install snort-mysql
• Configure /etc/snort/snort.conf
    # Setup the network addresses you are protecting
    ipvar HOME_NET 192.168.0.20/32
    ipvar EXTERNAL_NET !$HOME_NET
    # List of the ports you run web servers on
    portvar HTTP_PORTS 80
    # List of ports you want to look for SHELLCODE on
    portvar SHELLCODE_PORTS !80
    # Path to your rules files
    var RULE_PATH /etc/snort/rules
    # Target-based IP defragmentation
    preprocessor frag3_global: max_frags 65536
    ...

SNORT (2/3)
    ...
    # Detect anomalies
    preprocessor frag3_engine: policy linux detect_anomalies
    preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
    preprocessor stream5_tcp: policy linux, use_static_footprint_sizes
    # HTTP normalization and anomaly detection
    preprocessor http_inspect: global iis_unicode_map unicode.map 1252
    preprocessor http_inspect_server: server default profile all ports { 80 8080 } oversize_dir_length 500
    # FTP/Telnet normalization and anomaly detection
    preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
    preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
    # Portscan detection
    preprocessor sfportscan: proto { all } scan_type { all } memcap { 10000000 } sense_level { high } logfile { pscan }
    # Database parameters
    output database: log, mysql, user=snort password=XXX dbname=snort host=localhost
    # Site specific rules
    include $RULE_PATH/local.rules
    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/exploit.rules
    ...
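The fail2ban ssh jail configured in the Sensor Soft-Hardening slides (filter sshd, maxretry = 3, bantime = 3600) re-implemented as an added Python example, not fail2ban's own code: it parses sshd failure lines from an auth.log excerpt and bans a source after three failures inside the window. The auth.log lines are constructed, and findtime (600 s, fail2ban's default) is an assumption because the slide does not set it.

```python
"""Emulation of the fail2ban 'ssh' jail from the deck: maxretry = 3, bantime = 3600 s."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failure messages recognised; simplified from the patterns fail2ban's sshd filter uses.
FAILURE_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"),
    re.compile(r"Invalid user \S+ from (?P<ip>[\d.]+)"),
]
# Syslog prefix as written to /var/log/auth.log; the timestamp carries no year.
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)


def parse_failure(line, year):
    """Return (timestamp, source IP) for an sshd authentication failure, else None."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    for pattern in FAILURE_PATTERNS:
        f = pattern.search(m["msg"])
        if f:
            return ts, f["ip"]
    return None


class Jail:
    """Sliding-window failure counter per source IP with a timed ban, like a fail2ban jail."""

    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        # findtime is fail2ban's default (assumption); the slide only sets maxretry and bantime.
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)  # ip -> failure timestamps inside the window
        self.bans = {}                       # ip -> (banned_at, expires_at)

    def is_banned(self, ip, at):
        ban = self.bans.get(ip)
        return ban is not None and ban[0] <= at < ban[1]

    def observe(self, ts, ip):
        """Record one failure; return True when it triggers a new ban."""
        if self.is_banned(ip, ts):
            return False                     # the firewall rule already covers this source
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = (ts, ts + self.bantime)
            window.clear()
            return True
        return False


def run_jail(lines, year=2012, **settings):
    jail = Jail(**settings)
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed:
            jail.observe(*parsed)
    return jail


# Constructed /var/log/auth.log excerpt: the deck's attacker host and an admin mistyping a password.
SAMPLE_AUTH_LOG = """\
Dec  7 23:23:10 allinone sshd[2001]: Failed password for root from 192.168.0.19 port 51230 ssh2
Dec  7 23:23:12 allinone sshd[2003]: Accepted publickey for admin from 10.0.0.5 port 40022 ssh2
Dec  7 23:23:45 allinone sshd[2005]: Invalid user oracle from 192.168.0.19
Dec  7 23:24:30 allinone sshd[2008]: Failed password for invalid user postgres from 192.168.0.19 port 51232 ssh2
Dec  7 23:25:01 allinone sshd[2010]: Failed password for admin from 10.0.0.5 port 40024 ssh2
Dec  7 23:25:20 allinone sshd[2011]: Failed password for admin from 10.0.0.5 port 40025 ssh2
Dec  7 23:59:59 allinone sshd[2040]: Failed password for root from 192.168.0.19 port 51300 ssh2
""".splitlines()


def demo():
    """Run the sample log through the jail and report the ban state at two later instants."""
    jail = run_jail(SAMPLE_AUTH_LOG)
    fmt = "%Y-%m-%d %H:%M:%S"
    return {
        "banned": sorted(jail.bans),
        "ban_window": tuple(t.strftime(fmt) for t in jail.bans["192.168.0.19"]),
        "banned_at_23_30": jail.is_banned("192.168.0.19", datetime(2012, 12, 7, 23, 30)),
        "banned_at_00_30": jail.is_banned("192.168.0.19", datetime(2012, 12, 8, 0, 30)),
        "admin_failures_pending": len(jail.failures["10.0.0.5"]),
    }
```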
SNORT (3/3)
• Create the Snort database
    root@allinone:/# mysql -u root
    mysql> set password for root@localhost=password('PASSWD_ROOT');
    mysql> create database snort;
    mysql> grant insert,select on root.* to snort@localhost;
    mysql> set password for snort@localhost=password('PASSWD_SNORT');
    mysql> grant create,delete,insert,select,update on snort.* to snort@localhost;
    mysql> grant create,delete,insert,select,update on snort.* to snort;
    mysql> exit
• Download and import the Snort DB schema
    root@allinone:/# mysql -u root -p snort < create_mysql
• Create an init script in /etc/init.d
    #!/bin/sh -e
    snort -c /etc/snort/snort.conf -D -u snort -g snort -y
• Start SNORT
    root@allinone:/# snort -c /etc/snort/snort.conf -D -u snort -g snort -y

BASE (1/2)
• BASE (Basic Analysis and Security Engine) is a web interface to perform analysis of the intrusions that Snort has detected on the network
• Download BASE and install it in the web server webroot
    root@allinone:/BASE/base-1.4.5# mkdir /var/www/base
    root@allinone:/BASE/base-1.4.5# mv * /var/www/base
• Install the dependencies
    root@allinone:# apt-get install libphp-adodb php5-gd php-pear
    root@allinone:# pear install Image_Color
    root@allinone:# pear install Image_Canvas-alpha
    root@allinone:# pear install Image_Graph-alpha
• Download and install ADOdb (database abstraction library for PHP)
  Ref.: http://adodb.sourceforge.net/

BASE (2/2)
• Configure base_conf.php
    root@allinone:/var/www/base# mv base_conf.php.dist base_conf.php
    $BASE_urlpath = "/base";
    $DBlib_path = "/var/www/adodb/";
    $DBtype = "mysql";
    $alert_dbname = "snort";
    $alert_host = "localhost";
    $alert_port = "";
    $alert_user = "snort";
    $alert_password = "passwd_snortdb";
• Add the dynamic extensions in /etc/php5/apache2/php.ini
    extension=mysql.so
    extension=gd.so
• Restart Apache2 and start BASE

Honeypot
Honeypot: 'honey jar'
What is a honeypot?
• Hardware or software that works as bait or a trap for potential hackers or malware
• Provides services that are open and visible from the Internet and easy to break into
• Identifies and analyzes the attacks, the intrusion techniques, the flaws of the system and the malicious code
Advantages
• Quality and quantity of the information it collects
• Low number of false positives compared to an IDS
Disadvantages
• They may themselves be compromised and therefore bring risks to the infrastructure that hosts them

Honeypot Classification
Scope
• Production honeypots: used to protect organizations in real production operating environments. They are deployed in parallel to data networks or IT infrastructures and are subject to constant attacks 24/7
• Research honeypots: are not deployed with the objective of protecting networks. They represent educational resources of a demonstrative and research nature whose objective is centered on studying all sorts of attack patterns and threats
Interaction Level
• Low interaction honeypots: work exclusively by emulating operating systems and services.
  The attacker's activities are limited by the honeypot's level and quality of emulation
• High interaction honeypots: constitute a complex solution because they involve real operating systems and real applications deployed on real hardware, without using emulation software

Considerations on Honeypots
Advantages
• Clean logs
• Minimal resources when they offer emulated services
The true value of a honeypot for a company is when it can be demonstrated that the security systems adopted have not been enough to keep out the bad guys
Disadvantages
• Cannot detect events in which they are not the target
• It is a system designed to be attacked: if not well configured and isolated it can become a point of access for the attacker
• Disabling: the attacker disables the honeypot and/or changes the log files
• Violation: the attacker is able to use the honeypot for illegal activities

Nepenthes (1/4)
• Nepenthes is a low-interaction honeypot and a versatile tool to collect malware
• It acts passively by emulating known vulnerabilities and downloading the malware that tries to exploit these vulnerabilities
• Install Nepenthes
    root@allinone:/# apt-get install nepenthes
• Configure /etc/nepenthes/nepenthes.conf (the sqlhandler and log-surfnet lines need to be added)
    // SQL handler
    "sqlhandlerpostgres.so",  "",                   ""
    // logging
    "logdownload.so",         "log-download.conf",  ""
    // "logirc.so",           "log-irc.conf",       ""    // needs configuration
    "logsurfnet.so",          "log-surfnet.conf",   ""    // needs configuration
    ...

Nepenthes (2/4)
    ...
    // Active preferred vulnerability modules
    "vulnbagle.so",      "vulnbagle.conf",     ""
    "vulndameware.so",   "vulndameware.conf",  ""
    "vulndcom.so",       "vulndcom.conf",      ""
    "vulnftpd.so",       "vulnftpd.conf",      ""
    "vulniis.so",        "vulniis.conf",       ""
    ...
• Configure /etc/nepenthes/vulniis.conf
    vulniis
    {
        ports ("443","8080");
        accepttimeout "30";
    };
• Modify /etc/nepenthes/log-surfnet.conf
    server "127.0.0.1";   // must be an IP address
    user   "nepenthes";
    pass   "password";
    db     "idsserver";

Nepenthes (3/4)
• Create an init script in /etc/init.d (it kills a running instance, if any, then starts Nepenthes)
    #!/bin/sh
    check=$(ps -ef | grep -v grep | grep -v init.d | grep -v postgres | grep -c nepenthes)
    echo "CHECK: $check"
    if [ "$check" != 0 ]; then
        neppid=$(ps -ef | grep -v grep | grep -v init.d | grep -v postgres | grep nepenthes | grep none | awk '{print $2}' | head -n1)
        echo "PID: $neppid"
        kill -9 "$neppid"
    fi
    /bin/nepenthes -u nepenthes -g nepenthes -l none -R -D --chroot=/etc/nepenthes
• Start Nepenthes
    root@allinone:/bin/# nepenthes -u nepenthes -g nepenthes -l none -R -D --chroot=/etc/nepenthes

Nepenthes (4/4)
• The attacker starts nmap
    root@attacker:/home/attacker# nmap -sS -PN -v 192.168.0.20

    Starting Nmap 5.21 ( http://nmap.org ) at 2012-12-07 23:23 CET
    Initiating ARP Ping Scan at 23:23
    Scanning 192.168.0.20 [1 port]
    Completed ARP Ping Scan at 23:23, 0.04s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 23:23
    Completed Parallel DNS resolution of 1 host. at 23:23, 0.04s elapsed
    Initiating SYN Stealth Scan at 23:23
    Scanning 192.168.0.20 [1000 ports]
    Discovered open port 1025/tcp on 192.168.0.20
    Discovered open port 135/tcp on 192.168.0.20
    Discovered open port 445/tcp on 192.168.0.20
    Discovered open port 143/tcp on 192.168.0.20
    Discovered open port 139/tcp on 192.168.0.20
    Discovered open port 80/tcp on 192.168.0.20
    Discovered open port 110/tcp on 192.168.0.20
    Discovered open port 443/tcp on 192.168.0.20
    Discovered open port 8080/tcp on 192.168.0.20
    Discovered open port 993/tcp on 192.168.0.20
    Discovered open port 2105/tcp on 192.168.0.20
    Discovered open port 10000/tcp on 192.168.0.20
    Discovered open port 465/tcp on 192.168.0.20
    Discovered open port 3372/tcp on 192.168.0.20
    Discovered open port 2107/tcp on 192.168.0.20
    ...
    Completed SYN Stealth Scan at 23:23, 1.17s elapsed (1000 total ports)
    Nmap scan report for 192.168.0.20
    Host is up (0.000094s latency).
    Not shown: 976 closed ports
    PORT      STATE SERVICE
    21/tcp    open  ftp
    22/tcp    open  ssh
    25/tcp    open  smtp
    42/tcp    open  nameserver
    80/tcp    open  http
    110/tcp   open  pop3
    135/tcp   open  msrpc
    139/tcp   open  netbios-ssn
    143/tcp   open  imap
    443/tcp   open  https
    445/tcp   open  microsoft-ds
    465/tcp   open  smtps
    993/tcp   open  imaps
    995/tcp   open  pop3s
    1023/tcp  open  netvenuechat
    1025/tcp  open  NFS-or-IIS
    2103/tcp  open  zephyr-clt
    ...

Amun (1/4)
• Amun is a low-interaction Python honeypot
• Like Nepenthes, it has a modular implementation:
  • Amun Kernel
  • Request Handler
  • Vulnerability Modules
  • Shellcode Analyzer
  • Download Modules
  • Logging Modules
• Install Amun
    # some more Python modules are needed (PostgreSQL adapter for the Python programming language)
    root@allinone:/# apt-get install python-psycopg2
    # download the package from the Subversion repository of Amun
    cd /opt/
    svn co https://amunhoney.svn.sourceforge.net/svnroot/amunhoney amunhoney
    cd /opt/amunhoney
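A small added Python helper (not part of the deck) for reading nmap reports like the ones produced in the tests: it extracts the open ports from both the "Discovered open port" progress lines and the final port table, checks that the decoy ports configured for the honeypot (443 and 8080 in vulniis.conf) are actually exposed, and diffs two scans to show which ports each honeypot emulates. The two report excerpts are abbreviated versions constructed from the Nepenthes and Amun scans shown in this deck.

```python
"""Parse nmap -v output and check which decoy ports the honeypot really exposes."""
import re

# Two shapes carry port information in nmap -v output: progress lines and the final table.
DISCOVERED = re.compile(r"^Discovered open port (?P<port>\d+)/(?P<proto>tcp|udp) on (?P<host>[\d.]+)")
TABLE_ROW = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def open_ports(report: str) -> dict:
    """Map (port, proto) -> service name; '?' when only the progress line was seen."""
    ports = {}
    for line in report.splitlines():
        line = line.strip()
        m = DISCOVERED.match(line)
        if m:
            ports.setdefault((int(m["port"]), m["proto"]), "?")
            continue
        m = TABLE_ROW.match(line)
        if m and m["state"] == "open":
            ports[(int(m["port"]), m["proto"])] = m["service"]
    return ports


def decoy_check(report: str, expected_tcp: set) -> dict:
    """Compare the decoy TCP ports a honeypot was configured with against what nmap saw."""
    seen = {port for (port, proto) in open_ports(report) if proto == "tcp"}
    return {"missing": sorted(expected_tcp - seen), "present": sorted(expected_tcp & seen)}


def compare_reports(a: str, b: str) -> dict:
    """TCP ports open in only one of two scans (here: the two honeypots run alternately)."""
    pa = {p for (p, proto) in open_ports(a) if proto == "tcp"}
    pb = {p for (p, proto) in open_ports(b) if proto == "tcp"}
    return {"only_a": sorted(pa - pb), "only_b": sorted(pb - pa), "both": sorted(pa & pb)}


# Abbreviated excerpts constructed from the two scans shown in the deck.
NEPENTHES_SCAN = """\
Discovered open port 8080/tcp on 192.168.0.20
Discovered open port 10000/tcp on 192.168.0.20
Nmap scan report for 192.168.0.20
Host is up (0.000094s latency).
Not shown: 976 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
42/tcp    open  nameserver
80/tcp    open  http
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap
443/tcp   open  https
445/tcp   open  microsoft-ds
465/tcp   open  smtps
993/tcp   open  imaps
995/tcp   open  pop3s
1023/tcp  open  netvenuechat
1025/tcp  open  NFS-or-IIS
2103/tcp  open  zephyr-clt
"""
AMUN_SCAN = """\
Discovered open port 8080/tcp on 192.168.0.20
Discovered open port 1080/tcp on 192.168.0.20
Nmap scan report for 192.168.0.20
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
42/tcp    open  nameserver
80/tcp    open  http
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap
443/tcp   open  https
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
587/tcp   open  submission
617/tcp   open  sco-dtmgr
"""

if __name__ == "__main__":
    print("vulniis decoys:", decoy_check(NEPENTHES_SCAN, {443, 8080}))
    print("Nepenthes vs Amun:", compare_reports(NEPENTHES_SCAN, AMUN_SCAN))
```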
Amun (2/4)
• Configure /opt/amunhoney/conf/amun.conf
    # if you also run other honeypots, comment out the modules listening on the same ports
    ### define ports for vulnerability modules ### (can be changed while running)
    # You will also need to uncomment the modules in the vuln_modules section:
    vuln_modules:
    #   vuln-ms08067,
        ...
• SURFids: in the log_modules section uncomment the log-surfnet module:
    ### define logging modules
    log_modules:
        log-surfnet
    #   log-syslog
• Configure /opt/amunhoney/conf/log-surfnet.conf
    [Log-Surfnet]
    sensorIP: 127.0.0.1
    ...

Amun (3/4)
    ...
    PGHost: enter-ip-database
    PGPort: 5432
    PGUser: nepenthes
    PGPass: enter-your-password
    PGDB: idsserver
• To download binaries to the normal SURFids location:
    cd /opt/amunhoney/malware
    mv md5sum md5sum.orig
    ln -s /opt/surfnetids/binaries md5sum
    # change the file /opt/amunhoney/submit_modules/submitmd5/submit_md5.py
    # modify   filename = "malware/md5sum/%s.bin" % (md5hash)
    # into     filename = "malware/md5sum/%s" % (md5hash)
• Start Amun
    ./amun_server.py

Amun (4/4)
• The attacker starts nmap
    root@attacker:/home/attacker# nmap -sS -PN -v 192.168.0.20

    Starting Nmap 5.21 ( http://nmap.org ) at 2012-12-09 18:18 CET
    Initiating ARP Ping Scan at 18:18
    Scanning 192.168.0.20 [1 port]
    Completed ARP Ping Scan at 18:18, 0.01s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 18:18
    Completed Parallel DNS resolution of 1 host. at 18:18, 0.05s elapsed
    Initiating SYN Stealth Scan at 18:18
    Scanning 192.168.0.20 [1000 ports]
    Discovered open port 23/tcp on 192.168.0.20
    Discovered open port 443/tcp on 192.168.0.20
    Discovered open port 1025/tcp on 192.168.0.20
    Discovered open port 80/tcp on 192.168.0.20
    Discovered open port 8080/tcp on 192.168.0.20
    Discovered open port 587/tcp on 192.168.0.20
    Discovered open port 143/tcp on 192.168.0.20
    Discovered open port 110/tcp on 192.168.0.20
    Discovered open port 22/tcp on 192.168.0.20
    Discovered open port 139/tcp on 192.168.0.20
    Discovered open port 445/tcp on 192.168.0.20
    Discovered open port 554/tcp on 192.168.0.20
    Discovered open port 42/tcp on 192.168.0.20
    Discovered open port 1023/tcp on 192.168.0.20
    Discovered open port 1080/tcp on 192.168.0.20
    Completed SYN Stealth Scan at 18:18, 1.31s elapsed (1000 total ports)
    Nmap scan report for 192.168.0.20
    Host is up (0.00028s latency).
    Not shown: 966 closed ports
    PORT      STATE SERVICE
    21/tcp    open  ftp
    22/tcp    open  ssh
    23/tcp    open  telnet
    25/tcp    open  smtp
    42/tcp    open  nameserver
    80/tcp    open  http
    110/tcp   open  pop3
    135/tcp   open  msrpc
    139/tcp   open  netbios-ssn
    143/tcp   open  imap
    443/tcp   open  https
    445/tcp   open  microsoft-ds
    554/tcp   open  rtsp
    587/tcp   open  submission
    617/tcp   open  sco-dtmgr
    ...

SURFids
• SURFids is a distributed intrusion detection framework
• It is based on the following rules:
  • The sensor should run out-of-the-box
  • The sensor should be completely passive and therefore maintenance free
  • The D-IDS should not generate any false positive alerts
  • A sensor should be able to run in a standard LAN
  • Comparison of statistics generated by sensors and groups of sensors should be possible
• The detection tools are installed on a central server (called the tunnel server)
• Distributed sensors connect to the tunnel server and tunnel all their layer 2 and higher traffic to the tunnel server
• All information is presented to the users by a web interface (logging server)

SURFids Components
Tunnel/Honeypot Server
• The tunnel end-point on the server is called a tap device
• The tap device is a virtual interface which delivers the traffic from the tunnel on the server. The tap device receives an IP address from the client network address pool, which makes the server virtually present in the client network
Sensor
• The only purpose of the sensor is to be a transparent bridge between the client network and the tunnel/honeypot server
• The sensor manages the creation and destruction of the tunnel that is used to connect the tunnel/honeypot server to the client network
Logging Server
• The logging server consists of two parts, the database and a web interface
• The database stores the analysis information from the honeypot server; this information is presented to the users by the web interface

SURFids Installation (1/6)
• Logging Server Installation
    # add the SURFids key to your local key chain
    wget -q http://repo.ids.surfnet.nl/key.pub -O- | sudo apt-key add -
    # create a file /etc/apt/sources.list.d/surfids.list with the content:
    deb http://repo.ids.surfnet.nl/surfnetids/ lenny main
    # to start the SURFids logging server installation we use apt-get
    apt-get update
    apt-get install surfids-logserver sendmail sendmail-bin
  - Set the database host
  - Insert the admin database user
  - Create a PostgreSQL user: sudo -u postgres createuser -s -d -r -P <adminuser>
  - Set the admin user password
  - Set the database listening port
  - Set the database name
  - Set the SURFids database user and the SURFids user password
  - Set the nepenthes, p0f and argos user passwords
  - Download the latest GeoIP database
dei Sistemi in Rete – Anno Accademico 2011/12 40 INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST SURFIDS Installation (2/6) • Logging Server Configuration # configuration file is located at /etc/surfnetids/surfnetids-log.conf ####################### # Database connection # ####################### # User info for the logging user in the postgresql database $c_pgsql_pass = "enter_password_here"; $c_pgsql_user = "idslog"; # Postgresql database info $c_pgsql_host = "localhost"; $c_pgsql_dbname = "idsserver"; # The port number where the postgresql database is running on $c_pgsql_port = "5432"; # Enable or disable the download option of binaries in the webinterface $c_download_binaries = 1; ####################### # GeoIP Location Info # ####################### # Enable GeoIP location database to enable source IP country identification. $c_geoip_enable = 1; … Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12 41 INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST SURFIDS Installation (3/6) … # The key used for the Googlemap API $c_googlemap_key = "enter_googlemap_key_here"; # Generate a GnuPG key used to sign mail-reports: gpg --gen-key # and insert the key in # Maillog GNUPG passphrase. 
$c_passphrase = "enter_gnupg_passphrase_here"; ################# # Sandbox Email ################# # Settings needed to retrieve the Norman reports from the mailbox they were sent to # login credentials $c_mail_username = 'email_username'; $c_mail_password = 'email_pass'; # mailhost and port $c_mail_mailhost = 'mailhost'; $c_mail_port = '995'; # replace the “enter_database_pass_here” text with the actual password needed for connecting with the database in /opt/surfnetids/webinterface/.htaccess Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12 42 INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST SURFIDS Installation (4/6) • Tunnel Server Installation # Add the Dapper repository in sources.list: deb http://ubuntu.mirror.cambrium.nl/ubuntu / hardy main universe # to start the SURFids tunnel server installation we use apt-get apt-get update apt-get install surfids-tunnel - Set OpenVPN key size - Insert attribute for certificates - Set Xinetd listening address - Set IP address of tunnel server that is accepting the OpenVPN connections - Set the password used by the sensor to communicate with the tunnel server • Tunnel Server Configuration # configuration file is located at /etc/surfnetids/surfnetids-tn.conf #################### # SURF IDS Options # #################### # The root directory for the SURF IDS files (no trailing forward slash). $c_surfidsdir = "/opt/surfnetids"; … Corso di Protocolli e Sicurezza dei Sistemi in Rete – Anno Accademico 2011/12 43 INTRUSION DETECTION SYSTEM –IMPLEMENTATION AND TEST SURFIDS Installation (5/6) … ####################### # Database connection # ####################### # User info for the logging user in the postgresql database $c_pgsql_pass = "enter_password_here"; $c_pgsql_user = "idslog"; # Postgresql database info $c_pgsql_host = "enter_database_servername_here"; $c_pgsql_dbname = "idsserver"; # The port number where the postgresql database is running on. 
  $c_pgsql_port = "5432";

  ################
  # Mail logging #
  ################
  # Maillog From: address. This is the email address that appears in the From header.
  $c_from_address = 'enter_email_address_here';
  # Maillog GNUPG passphrase.
  $c_passphrase = "enter_GNU_passphrase_here";
  # Prefix for the subject of email reports
  $c_subject_prefix = "[SURF IDS] ";

SURFIDS Installation (6/6)

• Add Local Static Sensor to SURFids database

  cd /opt/surfnetids/logtools
  ./localsensor.pl -p 192.168.0.20
  /opt/surfnetids/logtools/localsensor.pl -i eth0 -s Nepenthes -o Evil_Sensor

• Open the web interface available at http://<logserver:80>/surfnetids/

AV Installation (1/3)

• Local scan of Suspicious Files with:
  • F-Prot
  • AVAST
  • ClamAV

• Create a Directory

  cd /opt
  mkdir scanner
  cd scanner

• Install ClamAV

  apt-get install unzip libwww-perl
  apt-get -y install clamav
  freshclam

• Install F-Prot

  # Download fp-Linux.x86.32-ws.tar.gz from F-Prot official website
  tar -xvf fp-Linux.x86.32-ws.tar.gz
  cd f-prot
  ./install-f-prot.pl

AV Installation (2/3)

• Install Avast

  # Download avast4workstation-1.3.0.tar.gz from AVAST official website
  tar -xvf avast4workstation-1.3.0.tar.gz
  # Download avast4workstation_1.3.0-2_i386.deb from AVAST official website
  dpkg -i avast4workstation_1.3.0-2_i386.deb
  sysctl -w kernel.shmmax=100000000
  # AVAST requires a free registration to work

• Configure /opt/surfnetids/scripts/scanbinaries.pl

  ####################
  # Define scanners
  ####################
  $scanners->{"F-Prot"} = {
      'cmd' => "/opt/scanner/f-prot/fpscan -v 2 --report --adware",
      'update' => "/opt/scanner/f-prot/fpupdate",
      'version' => "/opt/scanner/f-prot/fpscan --version | grep \"F-PROT Antivirus version\" | awk -F'(' '{print \$1}' | awk '{print \$NF}'",
      'batchmode' => 0,
  };
  …

AV Installation (3/3)

  …
  $scanners->{"AVAST"} = {
      'cmd' => "/opt/scanner/avast4workstation-1.3.0/bin/avast -n",
      'update' => "/opt/scanner/avast4workstation-1.3.0/bin/avast-update",
      'version' => "/opt/scanner/avast4workstation-1.3.0/bin/avast --version | head -n1 | awk -F\"avast \" '{print \$2}'",
      'batchmode' => 1,
  };
  $scanners->{"ClamAV"} = {
      'cmd' => "clamscan --no-summary",
      'update' => "freshclam",
      'version' => "clamscan --version | awk '{print \$2}' | awk -F\"/\" '{print \$1}'",
      'batchmode' => 0,
  };

• Add to crontab

  00,30 * * * * /opt/surfnetids/scripts/scanbinaries.pl >/dev/null

Metasploit: Penetration Test Software

• Metasploit® software helps security and IT professionals
  • Identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments
• Download from http://www.metasploit.com/download/ for FREE
• Install it on the attacker machine and test the all-in-one machine:
  • Discover open ports
  • Exploit target system (requires registration)

Metasploit: Testing Nepenthes

[Figure: screenshots of the Metasploit test run against the Nepenthes honeypot]

Metasploit: Testing Nepenthes

[Figure: screenshots of the Metasploit test run against the Nepenthes honeypot, continued]

Metasploit: Testing Amun

[Figure: screenshots of the Metasploit test run against the Amun honeypot]
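The surfnetids-log.conf and surfnetids-tn.conf files above ship with placeholder credentials (enter_password_here, email_pass) and with binary downloads enabled in the web interface. The Python script below is an added example, not part of SURFids: it parses the $c_* assignments and reports anything still at its stock value; the embedded sample configuration is constructed from the values shown on the slides, and the 12-character floor for secrets is an arbitrary choice.

```python
# Added example, not SURFids code: flag unfinished values in the Perl-style
# surfnetids-log.conf / surfnetids-tn.conf files shown on the slides.
import re

# One assignment per line: $c_name = "value"; or 'value'; or a bare value;
ASSIGN_RE = re.compile(r"""^\s*\$(c_\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^;\s]+))\s*;""")
# Placeholder text as shipped in the stock configuration files.
PLACEHOLDER_RE = re.compile(r"^enter_.*_here$")
# Stock values of the Sandbox Email section, never valid as-is.
MAIL_DEFAULTS = {"email_username", "email_pass", "mailhost"}
# Variables holding credentials or the GnuPG signing passphrase.
SECRET_KEYS = {"c_pgsql_pass", "c_passphrase", "c_mail_password"}


def parse_config(text):
    """Return {name: value} for every $c_* assignment (comments never match)."""
    conf = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            name, dq, sq, bare = m.groups()
            conf[name] = next(v for v in (dq, sq, bare) if v is not None)
    return conf


def check_config(text):
    """Return a list of (variable, problem) pairs; an empty list means clean."""
    conf = parse_config(text)
    findings = []
    for name, value in conf.items():
        if PLACEHOLDER_RE.match(value) or value in MAIL_DEFAULTS:
            findings.append((name, "placeholder value still set"))
        elif name in SECRET_KEYS and len(value) < 12:  # 12 is an arbitrary floor
            findings.append((name, "secret shorter than 12 characters"))
    if conf.get("c_download_binaries") == "1":
        # Captured malware becomes downloadable through the web interface,
        # which the slides protect only with the .htaccess password.
        findings.append(("c_download_binaries", "binary download enabled"))
    return findings


# Constructed sample mirroring the stock values on the slides.
SAMPLE_CONF = """\
# User info for the logging user in the postgresql database
$c_pgsql_pass = "enter_password_here";
$c_pgsql_user = "idslog";
$c_download_binaries = 1;
$c_passphrase = "a long GnuPG passphrase";
$c_mail_password = 'email_pass';
"""
```

Run check_config over the real files before the first sensor connects; anything it reports is a value the installation steps above still expect you to replace.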
Metasploit: Testing Amun

[Figure: screenshots of the Metasploit test run against the Amun honeypot, continued]
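The scanbinaries.pl table above runs three engines over the binaries the honeypots capture. As an added example, not the project's own script, the Python code below merges each engine's output into one verdict per file, so a sample that no engine flags can be queued for sandboxing or manual analysis. The ClamAV line format is the one clamscan --no-summary prints; the F-Prot and Avast line patterns and the /tmp/captured paths are assumptions to check against the installed versions.

```python
# Added example, not the SURFids scanbinaries.pl script: merge the output of
# the three scanners defined above into one verdict per captured binary.
import re

# Engine name -> regex with <path> and <sig> groups matching one detection.
DETECTION_RE = {
    # Real clamscan --no-summary format: "<path>: <signature> FOUND"
    "ClamAV": re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$"),
    # Assumed fpscan --report format: "[Found virus] <W32/Foo.A> <path>"
    "F-Prot": re.compile(r"^\[Found [^\]]+\] <(?P<sig>[^>]+)>\s+(?P<path>\S+)$"),
    # Assumed avast -n format: "<path> [infected by: Win32:Foo]"
    "AVAST": re.compile(r"^(?P<path>\S+)\s+\[infected by: (?P<sig>[^\]]+)\]$"),
}


def parse_scanner_output(engine, output):
    """Return {path: signature} for every detection in one engine's output;
    lines that do not match the detection pattern (OK, errors) are ignored."""
    hits = {}
    for line in output.splitlines():
        m = DETECTION_RE[engine].match(line.strip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits


def consensus(outputs, paths):
    """Return {path: {engine: signature}} for every scanned file, so a file
    no engine flagged still appears with an empty dict."""
    verdicts = {p: {} for p in paths}
    for engine, output in outputs.items():
        for path, sig in parse_scanner_output(engine, output).items():
            verdicts.setdefault(path, {})[engine] = sig
    return verdicts


def undetected(verdicts):
    """Files no engine flagged: candidates for sandboxing or manual analysis."""
    return sorted(p for p, hits in verdicts.items() if not hits)


# Constructed sample: two binaries, one caught by two engines, one by none.
# /tmp/captured is a placeholder, not the SURFids binary directory.
PATHS = ["/tmp/captured/abc123.bin", "/tmp/captured/def456.bin"]
OUTPUTS = {
    "ClamAV": f"{PATHS[0]}: Win.Worm.Example-1 FOUND\n{PATHS[1]}: OK\n",
    "F-Prot": f"[Found virus] <W32/Example.A> {PATHS[0]}\n",
    "AVAST": "",
}
```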