
Intrusion Detection Project (DoD)



Intrusion Detection Project

It is one thing to run a device that monitors and logs data
concerning network traffic and another entirely to be able to extract
useful information from the data.

Intrusion Detection is a project that can never be complete. Here are
some of the steps we have made so far.

Port scans are certainly not subtle and are fairly easy to detect. A
port scan might be as simple as a program that probes the ports of an
IP address sequentially to detect services. We need data, so let's
assume we have TAMU's netlog program; a sample fragment might
read:

05/06/96 11:46:11 onxx.ex.cxm 1916 -> pokey 14
05/06/96 11:46:14 onxx.ex.cxm 1917 -> pokey 15
05/06/96 11:46:15 onxx.ex.cxm 1918 -> pokey 16
Notice that in the example above, the column on the far right is
ascending. This is the TCP Destination Port. That is, onxx.ex.cxm
first calls pokey on port 14, then on 15, and on the last line TCP/IP
port 16. Now consider the Perl fragment from inportscan.pl below:

# The loop below will print connects to a host below TCP/IP
# port 100 that are NOT IN THE /ETC/SERVICES file.
# ($date, $time, $host, $destport and the source-name pieces $shost,
#  $sorg, $ssubdom, $sdom are filled in by the surrounding script from
#  the parsed netlog line; this is only the reporting loop.)
foreach $i (0 .. 100) {
    if ($destport eq $i) {    # If the destination port matches the counter
        $resrc = join('.', $shost, $sorg, $ssubdom, $sdom);   # put the name back together
        print "$date $time $host $resrc $destport \n";         # and print it!
    } # end if eq $i
} # end foreach $i
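As an added example (not the page's inportscan.pl, and in Python rather than Perl), here is a detector for the ascending destination-port pattern shown in the netlog fragment above: it groups connections by source and destination host and reports runs of ports that step up by one within a short time window. The netlog line format is taken from the sample; the extra host name, the run-length and the time-gap thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# netlog-style line: "MM/DD/YY HH:MM:SS srchost srcport -> dsthost dstport"
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d) (\d\d:\d\d:\d\d) (\S+) \d+ -> (\S+) (\d+)$")

def parse_netlog(text):
    """Yield (timestamp, src, dst, dstport) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of crashing
        date, time, src, dst, dport = m.groups()
        yield datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S"), src, dst, int(dport)

def find_sequential_scans(text, min_run=3, max_gap_sec=60):
    """Return {(src, dst): [(first_port, last_port), ...]} for every run of at
    least min_run connections whose destination port ascends by exactly one
    each time, with no more than max_gap_sec between consecutive hits."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in parse_netlog(text):
        by_pair[(src, dst)].append((ts, port))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()                      # chronological order per host pair
        runs, run = [], [events[0]]
        for prev, cur in zip(events, events[1:]):
            in_step = cur[1] == prev[1] + 1
            in_time = (cur[0] - prev[0]).total_seconds() <= max_gap_sec
            if in_step and in_time:
                run.append(cur)
                continue
            if len(run) >= min_run:        # run broke: record it if long enough
                runs.append((run[0][1], run[-1][1]))
            run = [cur]
        if len(run) >= min_run:            # flush the final run
            runs.append((run[0][1], run[-1][1]))
        if runs:
            hits[pair] = runs
    return hits

# Constructed sample: the page's three lines plus two unrelated connections
# from another host whose ports happen to be adjacent but minutes apart.
SAMPLE = """\
05/06/96 11:46:11 onxx.ex.cxm 1916 -> pokey 14
05/06/96 11:46:14 onxx.ex.cxm 1917 -> pokey 15
05/06/96 11:46:15 onxx.ex.cxm 1918 -> pokey 16
05/06/96 11:46:20 legit.ex.cxm 2000 -> pokey 21
05/06/96 11:52:30 legit.ex.cxm 2001 -> pokey 22
"""
```

Running find_sequential_scans(SAMPLE) reports onxx.ex.cxm sweeping pokey ports 14 through 16 and nothing for legit.ex.cxm, whose adjacent ports are six minutes apart.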


Incoming probes using well known ports and services. I suppose
this is the most rudimentary of all techniques, but if one knows
nothing whatsoever about hacking and cracking, one can always ftp
or telnet somewhere and wildly guess userids and passwords. A
slightly improved variation on this theme is to try
anonymous/fake_email_id at some number of ports. At NSWC
Dahlgren, we have even had each and every host probed for ftp
service (talk about subtle!). In every case detection couldn't be
easier. Here is a Perl program inftp.pl that records incoming ftps.
Of course it would be far better to have a program like inpattern.pl
that simply looked for whatever port or service you were interested
in tracking. Once again, it is one thing entirely to generate a list of
incoming ftps or rlogins or whatever, it is something else to make
this into useful information. While I am busy sleeping at night, my
computers run cron scripts to study inbound connections and throw
out the stuff I don't want to look at. Oh yeah, by the way, if you are
all warm and fuzzy because you are sitting behind a firewall and
none of this can happen to you, you might want to study the output
of a program like TCPDUMP for a month looking for frags and
incomplete handshakes :)

Numeric Ports. The simple truth is that one of your machines can
always get hacked and have a sniffer or whatever installed on it.
The best way to detect such an event is a top notch system admin
who has installed a program like tripwire correctly. A poor but
common way to detect a sniffer is when your system runs out of
disk space because it is all being used to store network data. A long
shot though is to detect the intruder when they try to collect their
information. Taking a close look at numeric ports is also a real eye
opener for a network administrator; it is amazing how many
services just "pop up". OK, a definition: by numeric port, I am
referring to a TCP port that is not in my /etc/services file.

$ more /etc/services
ftp-data 20/tcp
ftp 21/tcp
telnet 23/tcp


Now, right, wrong, or indifferent, what I have done is taken the
service out of my /etc/services that I don't understand. The original
file for instance, had an entry: echo 7/tcp. I took that entry out. I do
understand echo in the sense that if you telnet some_host 7 and
type an 'a', an 'a' will be echoed back at you. I do not understand
echo in the sense that I have warm and fuzzies about
some_internet_host echoing around NSWC Dahlgren. So how
might an intruder be detected when they come back for their data?
Very often, they create a login port at some arbitrary TCP port. So I
look for connections being established at high (and low) port
numbers. I haven't found any intruders, but I have found a whole lot
of other stuff. A simple Perl program that looks for inbound
numeric ports is innumericport.pl
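An added example, not the page's innumericport.pl or inpattern.pl, written in Python rather than Perl: it loads a trimmed /etc/services fragment in the style shown above, then lists connections to "numeric" ports that have no services entry (low ones like the removed echo port as well as high ones) and, in the spirit of the inpattern.pl idea from the ftp section, connections to one named service. The services and netlog contents and the host names are constructed.

```python
import re

# Constructed /etc/services fragment in the page's trimmed style (the author
# removed entries such as "echo 7/tcp" that he did not want to see in use).
SERVICES = """\
# name      port/proto  aliases
ftp-data    20/tcp
ftp         21/tcp
telnet      23/tcp
smtp        25/tcp      mail
"""

# Constructed netlog lines: one ftp login, one probe of the removed echo
# port, one connection to an arbitrary high port, one normal mail delivery.
NETLOG = """\
10/08/96 02:13:05 onxx.ex.cxm 1044 -> pokey 21
10/08/96 02:13:40 onxx.ex.cxm 1045 -> pokey 7
10/08/96 02:14:02 onxx.ex.cxm 1046 -> pokey 4000
10/08/96 02:14:30 mail.ex.cxm 3301 -> pokey 25
"""

SERVICE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\b")
NETLOG_RE = re.compile(r"^(\S+ \S+) (\S+) \d+ -> (\S+) (\d+)$")

def load_services(text, proto="tcp"):
    """Map port number -> service name for one protocol; '#' comment lines
    and blank lines never match the pattern, so they are skipped."""
    table = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and m.group(3) == proto:
            table[int(m.group(2))] = m.group(1)
    return table

def connections(netlog):
    """Yield (when, src, dst, dstport) for each well-formed netlog line."""
    for line in netlog.splitlines():
        m = NETLOG_RE.match(line.strip())
        if m:
            when, src, dst, port = m.groups()
            yield when, src, dst, int(port)

def numeric_ports(netlog, services):
    """innumericport.pl-style check: connections to ports absent from the table."""
    return [c for c in connections(netlog) if c[3] not in services]

def connections_to(netlog, services, name):
    """inpattern.pl-style filter: connections to the service called name."""
    wanted = {p for p, n in services.items() if n == name}
    return [c for c in connections(netlog) if c[3] in wanted]
```

With the constructed data, numeric_ports flags the echo probe on port 7 and the port 4000 connection, while connections_to(..., "ftp") returns only the port 21 login.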


You can look for intrusions from a central point until you turn
green, but that will leave you open to a back door attack. This is
why we are trying to migrate our intrusion detection architecture to
one that is distributed across the domain. One handy tool to do this
is swatch, the syslog watcher. On Oct 08 1996 we were fortunate
enough to have a (friendly) intrusion attempt which was flagged by
swatch. Here is what it looked like.

Detection of an incident from a host computer is more probable
than from a network logger. Here are some of the telltale signs
from 5239-19P.

Intrusion detection seems to be a lot more exciting than intrusion
protection, but the latter probably buys you more. Here is a
whitepaper that covers the basics on this subject.

Page created by Stephen Northcutt ([email protected])
Comments or questions e-mail: [email protected]