| @fernand0 | Hello, |
|---|---|
| @fernand0 | once again we are here to start this meeting about security at UniNet. |
| @fernand0 | It |
| @fernand0 | is our second edition and we hope to be able to provide a place to have |
| @fernand0 | interesting talks and discussions. |
| @fernand0 | It is very nice to see you all here, and to see so many speakers willing to |
| @fernand0 | participate and to share their knowledge with us. |
| @fernand0 | |
| @fernand0 | Let me start by giving thanks to all of you for coming here. |
| @fernand0 | We also would like to thank the speakers for their time and dedication. |
| @fernand0 | Finally, let me also remember our gratitude to the people that have been |
| @fernand0 | more involved in organization, preparing this event. |
| @fernand0 | For registered people, you will get information in our mailing list. |
| @fernand0 | You also can find information in our web page (http://infosec.uninet.edu/), in particular at http://infosec.uninet.edu/infosec2003/english/programa_eng.html, with a |
| @fernand0 | fancy tool that helps with the timetable and different time zones. |
| @fernand0 | Thank you to some volunteers, there will be simultaneous translation at |
| @fernand0 | #redes, and we have the channel #qc for questions and comments. |
| @fernand0 | We will publish the logs of the talks in our web page as soon as possible. |
| @fernand0 | Ismael Briones will introduce now our first speaker. Thank you again. |
| @fernand0 | Translation in #redes, thanks to the volunteers for making it possible. |
| @ismak | hello all |
| @ismak | Our first speaker is Javier Fernández-Sanguino. |
| @ismak | He is working in the Security Department of Germinus XXI |
| @ismak | He is an active Debian GNU/Linux developer. Currently he is doing his doctorate at ETSIT-UPM |
| @ismak | He is taking part in the development of some free security tools, like Nessus, Bastille and Tiger, and he is the leader of the last one |
| @ismak | The title of the first infosec conference is "UNIX host-based intrusion detection and audits, a look at current development" |
| @ismak | You can see the conference's slides at |
| @ismak | http://www.dat.etsit.upm.es/~jfs/debian/doc/ids-unix/ |
| @ismak | and nothing more, its time to start Infosec 2003. Please Javier, it's your time |
| @jfs | [more precisely in the unix-ids.ps file (or the TeX file if you do not have a graphic display)] |
| @jfs | I'm right now compiling the last version of the slides, so please bear with me |
| @jfs | Also my DSL connection from home does not have the highest bandwidth :-) |
| @jfs | In any case, I would like first to thank the organisation for setting up these talks |
| @jfs | I hope you all enjoy this week, there are a lot of interesting talks |
| @jfs | The topic of this talk is about UNIX host-based intrusion detection |
| @jfs | First let me say that I would welcome any questions as I go through the conference |
| @jfs | (please make them at the #qc channel) |
| @jfs | I wouldn't like this conference to just be the kind of conference in which I speak, you listen and that's all. I think we can all find it a better conference if you all participate |
| @jfs | As a side note: the postscript file (compressed) with the slides is now available |
| @jfs | Why do I want to talk about _host_ based intrusion detection? |
| @jfs | Well, the main reason is that intrusion detection has been centered on network based type and I want to shift the balance :-) |
| @jfs | But, then, why on _intrusion detection_? |
| @jfs | Let me first give you a view on what intrusion detection is |
| @jfs | From the SANS ID Faq: |
| @jfs | the art of detecting inappropriate, incorrect, or anomalous |
| @jfs | activity. ID systems that operate on a host to detect malicious |
| @jfs | activity on that host are called host-based ID systems, and ID systems |
| @jfs | that operate on network data flows are called network-based ID |
| @jfs | systems. |
| @jfs | so, the main idea is to be able to detect things that are going on in information technology systems which shouldn't |
| @jfs | However, who says what is appropriate or not on a system? |
| @jfs | The security policy |
| @jfs | (BTW, This is a similar introduction to the one I did last year when talking about Tiger, so feel free to go to last year talks to expand it a little bit since I will not go into much detail today) |
| @jfs | So, we want to detect violations of the security policy, that's what makes an intruder |
| @jfs | However, many people do not have security policies defined, does this mean they cannot detect intruders? |
| @jfs | Not really. |
| @jfs | Similarly to vulnerabilities, some things in ID are an intrusion regardless of your security policy |
| @jfs | Why do I say "similarly to vulnerabilities"? |
| @jfs | Because one of the things the people at the CVE project (cve.mitre.org) discussed quite a lot was the precise definition of a vulnerability |
| @jfs | since some vulnerabilities are configuration issues and some others might be a vulnerability in one organisation but not to another (sample: finger service enabled) |
| @jfs | they separated vulnerabilities (those that are considered as such by any organisation) |
| @jfs | and exposures (those that are not really vulnerabilities but depend on the organisation's security policy) |
| @jfs | Similarly, when defining intrusion, if one does not have a security policy there are several things that might be considered an intrusion, regardless of what he is handling |
| @jfs | Let's think of a multi-task multi-user system, for example, in which a normal user, without administrative access, gets it through devious means (exploitation of a local vulnerability for example) |
| @jfs | That's an intrusion, regardless of a security policy |
| @jfs | Well, Richard Stallman would probably not agree with me on this however :-) |
| @jfs | Do you agree? |
| @jfs | (answer at #qc, this channel is moderated) |
| @jfs | In any case, some other things might or might not be an intrusion, depending on your policy |
| @jfs | or, if none, depending on your usage of IT systems |
| @jfs | Sample: somebody connecting to the database server at 1 am. Is that an intrusion? |
| @jfs | Well, depends really. When DBAs connect to the databases to do maintenance |
| @jfs | at those hours, it might not be |
| @jfs | But if it's my own database server at home, and I'm sleeping at 1am, it might be. |
| @jfs | So, that's why it is important to have in mind when talking about intrusion detection systems, developments or tools the following: |
| @jfs | false positives might arise |
| @jfs | an intrusion event that is not really such and is |
| @jfs | reported |
| @jfs | But since the admin does not know beforehand he has to work it out |
| @jfs | false negatives might too |
| @jfs | that is, an event that is part of an intrusion but does _not_ get reported |
| @jfs | Now, ID systems, depending on how they are made, can lead to false positives, false negatives or both! |
| @jfs | (usually the latter is more true) |
| @jfs | (I'll give some time for #redes to catch-up, feel free to ask questions in #qc) |
| @jfs | now, let's go and see different ID systems |
| @jfs | (slide 8) |
| @jfs | That slide shows a taxonomy for ID systems based on: where is ID done? how is the data analysed? |
| @jfs | So, you have primarily two places where ID is done: the host and "the network" |
| @jfs | and you have two analysis methods: do I check for abnormal behaviour? or do I check for things I know are bad? |
| @jfs | Now, host-based ID does the detection taking data from the host using an ID agent |
| @jfs | And network-based ID also uses an agent (usually called a 'sensor') but takes information by tapping into the network |
| @jfs | Obviously, the agent is implemented in a host in both cases |
| @jfs | But in the first case the agent is installed in a host that wants to be protected |
| @jfs | while in the second case you use a host to do the analysis, but it is not a critical asset |
| @jfs | The data analysis division is simple |
| @jfs | You can either check deviations from an established baseline, and determine that is abnormal behaviour and thus an intrusion |
| @jfs | For example: a user connecting off-hours, CPU usage of a system going up, processes being spawned that were never there, traffic in TCP/UDP ports that were previously unused |
| @jfs | Or you can check for things you "know" are intrusions (and notice the "know" there) |
| @jfs | For example: try to find a given attack in the network traffic, try to find a given trojan in a system... |
| @jfs | The difference is that, even if the data source is the same, in the first one you do not know what is an intrusion and in the second one you do |
| @jfs | The first type of analysis is usually implemented using artificial intelligence (AI) techniques, such as data mining, neural networks, expert systems |
| @jfs | Whereas the second one is implemented using rule-based systems |
| @jfs | (the same core technology for antivirus really) |
| @jfs | Before going on to ID on UNIX let me state that there are two reasons for host ID to not be the most prevalent ID technology |
| @jfs | 1.- you need to modify the critical asset (install something on it, usually with performance impact) |
| @jfs | 2.- it's much easier to make signatures for remote attacks using known vulnerabilities than for local attacks |
| @jfs | That's why rule-based network intrusion detection systems are most prevalent |
| @jfs | They are easier to build, and false positives are low |
| @jfs | However, false negatives might be moderately high since they "only" look at attacks making use of known vulnerabilities or misconfigurations |
| @jfs | Mejnour asks if "rules" is the same as "signatures" |
| @jfs | And the answer is yes, network intrusion detection systems use the term "signatures" to determine the rules they know about when analysing packets |
| @jfs | Now, on to ID on UNIX |
| @jfs | Unless there is any unanswered question |
| @jfs | (when making questions in #qc please prefix it with 'jfs:' so I see it easily) |
| @jfs | Ok, no questions? |
| @jfs | Ok, let's proceed |
| @jfs | When talking about ID on UNIX we have first to determine where can we make ID on a host |
| @jfs | Slide 9 shows different places where ID can take place: |
| @jfs | 1.- At the kernel level |
| @jfs | 2.- At the userspace level |
| @jfs | And in 2) you can check the local filesystem (integrity checks) |
| @jfs | or analyse the system behaviour |
| @jfs | Of course, you can also take a look at the network too, just like a network ID can |
| @jfs | interopen asks 'if snort says "WEB-CLIENT javascript URL host spoofing attempt" what kind of attack is this?' |
| @jfs | that attack is based on a rule that tries to find javascript code in network packets which might redirect a browser to another server to capture cookies and such |
| @jfs | if you take a look at the snort rule: |
| @jfs | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT javascript URL host spoofing attempt"; flow:to_client,established; content:"javascript\://"; nocase; classtype:attempted-user; reference:bugtraq,5293; sid:1841; rev:2;) |
| @jfs | is a packet from an HTTP server that contains javascript:// |
| @jfs | this is sometimes a false positive, one of the nice things about snort is that it provides external references to security databases (such as bugtraq here) |
| @jfs | check http://online.securityfocus.com/bid/5293 here |
| @jfs | you will see which browsers might be vulnerable to this attack, if you don't use those browsers, turn the rule off :-) |
| @jfs | Shadow asks, where do I recommend to set up an ID system (at userspace or kernelspace)? |
| @jfs | I will get to that in a minute |
| @jfs | Mejnour wonders if I talk about tripwire when talking about integrity checks |
| @jfs | the answer is yes, but partly, will see |
| @jfs | Ok, back to the talk :-) |
| @jfs | You can use a network ID in a host, and that usually makes a "host-based NID" |
| @jfs | kind of a hybrid in ID |
| @jfs | it will detect _remote_ (network-based) intrusion attempts targeted to the host |
| @jfs | but not to other network elements |
| @jfs | (so the card does not need to be set up in promiscuous mode) |
| @jfs | slide 10 shows some NID tools that can be used for this mixed mode, with Snort being one to highlight in the free software arena |
| @jfs | Of course, it's not the only one, you have port-scan detectors (like psad or portsentry) |
| @jfs | and other (I believe currently in beta) NID implementations such as firestorm or bro |
| @jfs | And, in the proprietary arena you have Dragon (from Enterasys), NFR, RealSecure Network Sensor (from ISS) and some others |
| @jfs | (but these are the most prevalent) |
| @jfs | If you take a look at free software host-based intrusion detection tools you will find quite a number of them |
| @jfs | (slide 11) |
| @jfs | [just a minute, I'm going to check since some people are having issues downloading the slides] |
| @jfs | as you see there are quite a number of freely available ID tools |
| @jfs | from logchecking tools to integrity checking, back to configuration checks and also tools to find rootkits |
| @jfs | It is worth noticing that many GNU/Linux and *BSD distributions ship a 'checksecurity' script (it's not the same implementation for all of them, only the name stands) |
| @jfs | This script usually does some custom security checks (setuid files, password integrity and such) |
| @jfs | There are few proprietary UNIX vendors that provide similar tools (AFAIK) |
| @jfs | but you can use these in such environments too! |
| @jfs | Also, many free software distributions come with a number of these tools already included |
| @jfs | Debian, which I know quite well, provides a huge variety of integrity checkers, logcheckers and other tools |
| @jfs | I would personally recommend some of the tools I am going to briefly talk about |
| @jfs | 1.- One tool for integrity checking, choose your own, tripwire is best known, but other less known tools (like samhain) provide very interesting features |
| @jfs | 2.- One tool for automatic log-checking, I chose logcheck, since it has been quite improved in Debian GNU/Linux |
| @jfs | 3.- One tool for local checks, and I chose Tiger together with chkrootkit (as a rootkit detector) |
| @jfs | Obviously, I'm biased for 3) since I'm the upstream developer for it :-) |
| @jfs | One of the issues with free software tools, however, is that they are slightly coupled |
| @jfs | If we check the proprietary tools available for UNIX (quite expensive BTW) |
| @jfs | (slide 12) |
| @jfs | We will see that there are quite a number of them, from Dragon Squire to ISS's Server Sensor |
| @jfs | There is an issue there, however |
| @jfs | Not all of them run on all UN*X variants |
| @jfs | You might have one for your UN*X environment, but add a new OS and it might not fit in |
| @jfs | Proprietary ID systems usually make a combination of the things I said previously: integrity checking (MD5sums, permissions on files, setuid bits), logcheck analysis (with a set of rules from the vendor) and some behaviour rules |
| @jfs | However, one other issue is that proprietary ID solutions do not talk between themselves |
| @jfs | Vendors usually want you to use only their security solutions, which means that having a very strong coupling between their tools (ID tools, vulnerability scanners, even firewalls) means they will have you buy all of them |
| @jfs | But they are reluctant to cooperate with other vendors because, in a way, they are allowing them "into their playground" in some scenarios |
| @jfs | That's why there has been such a proliferation of third-party correlation tools which can "talk" to different vendors, and can integrate different ID+firewall+VA+.... security tools |
| @jfs | In any case, that's another issue, but suffice to say that vendors are usually not interested in providing ways to talk with other software systems through a common interface (we'll see some later on) |
| @jfs | Now, I can talk about some host-based ID tools |
| @jfs | I gave a talk last year about Tiger, so I've already talked about it in uninet |
| @jfs | Snort is widely known so I will not talk about it |
| @jfs | But what about logcheck? |
| @jfs | How many of you have logchecking tools? |
| @jfs | (i.e. automatically logchecking, not tail -f :-) |
| @jfs | (some people answer that they do use logcheck, in Debian BTW) |
| @jfs | Well, logcheck is a wonderful ID tool |
| @jfs | And is based on both anomaly detection and rules |
| @jfs | The main idea is that it parses some logfiles and sends e-mail with things that: |
| @jfs | a.- it did not expect |
| @jfs | b.- it knows are security violations |
| @jfs | the way it determines it "did not expect" something is by filtering out known events |
| @jfs | the way it determines security violations is by "filtering in" some others |
| @jfs | (it also includes some other security-related events depending on your configuration) |
| @jfs | (slide 13 shows a brief introduction) |
| @jfs | (slide 14) |
| @jfs | You will see that logcheck was started way back, by Psionic (now purchased by Cisco) as part of the "Abacus" project which wanted to make a suite of tools to protect hosts |
| @jfs | The abacus tools were: logcheck, portsentry and hostsentry |
| @jfs | There has been no development from the original version since 1997, it was designed to work on multiple UNIX systems (just like Tiger, with similar methods) |
| @jfs | The Debian version has grown out to be a complete rewrite of that tool, but there are some other forks. |
| @jfs | Hopefully they will be reunited some time in the future (because a lot of bugs have been fixed in different branches) |
| @jfs | (that's one of the problems and advantages of open source: forks :-) |
| @jfs | Any questions up to here? |
| @jfs | I'm not going to talk about Tiger (slides 15,16, or 17) since we are tight on time and I already talked about it |
| @jfs | (last year) |
| @jfs | But I do want to talk about Prelude |
| @jfs | which is a very interesting project |
| @jfs | The main idea of Prelude (slide 18) is to provide a hybrid (network and host-based) modular and distributed IDS |
| @jfs | so that it provides a _framework_ to deploy IDS |
| @jfs | which is one of the issues when you want to start deploying multiple sensors (i.e. more than one) |
| @jfs | Prelude provides a way for all sensors to talk a common language and talk with the management server so that all intrusions are kept in a single place (usually a database) |
| @jfs | The Prelude project also provides a number of tools to correlate with other security tools (such as Nessus, the vulnerability scanner) |
| @jfs | But the most important thing about it is that it's a framework, and it's free software (GPL) |
| @jfs | Obviously, proprietary ID systems already provide a framework for deploying ID systems, but, as I've said they don't talk between each other |
| @jfs | Prelude, however, is open both in software and in standard, since it uses IDMEF |
| @jfs | which is a common (XML, iirc) language to define intrusions which is being defined by the IETF (currently in draft) |
| @jfs | As an aside question: juanac wonders "how does portsentry work?" |
| @jfs | Well, portsentry works by opening quite a number of ports |
| @jfs | since those ports are not common services and should not be accessed, if something accesses them then it's somebody who is port-scanning you to detect your services |
| @jfs | it's more like a honeypot (lure intruders to services which shouldn't be there) than an ID system |
| @jfs | But honeypots work quite well as ID systems too :-) |
| @jfs | I was talking about IDMEF |
| @jfs | Some proprietary systems also implement it |
| @jfs | Now, I talked about some user-level HID |
| @jfs | How about some kernel-level HID? |
| @jfs | Many commercial UNIX implement strict auditing of the kernel |
| @jfs | But few implement intrusion detection right in the kernel |
| @jfs | (slide 20) |
| @jfs | Notably, there are quite some (free software) intrusion detection subsystems for the Linux kernel |
| @jfs | They are not yet integrated into it, but might be for 2.6, once the Linux Security Modules implementation is finished |
| @jfs | So currently they are patches to the kernel |
| @jfs | Most notably LIDS and Snare |
| @jfs | There is quite an interesting point in doing ID in the kernel |
| @jfs | Even if you lose much more performance, the kernel is more difficult to tamper with |
| @jfs | (A side note, ID: intrusion detection, HID: host intrusion detection, NID: network intrusion detection) |
| @jfs | So that's where we get to some of the issues implementing ID |
| @jfs | Sorry, implementing HID. How do you implement detection? (slide 22) how do you execute it? (slide 23) |
| @jfs | Obviously, one of the issues is that since the HID is running on a system that can be compromised, one of the first things the intruder will do is to remove the HID completely |
| @jfs | Currently, many HID solutions are either executed through the cron daemon or through a dedicated process (daemon) |
| @jfs | Which means that if you kill them, you kill the HID |
| @jfs | Also, even if the HID is running, if the mechanism it uses to send alerts (SNMP? mail? logfiles? other type of communication?) |
| @jfs | is subverted (removed, replaced...) then the HID is moot |
| @jfs | That's why it might, in the end, only make sense to do HID in the kernel level |
| @jfs | _However_ since there are a lot of issues doing this (not only performance-wise) |
| @jfs | And since building an HID in user space is very inexpensive (in time) |
| @jfs | It sometimes makes sense to set up only user-space HID |
| @jfs | Depends on your paranoia level |
| @jfs | (and on your resources) |
| @jfs | :-) |
| @jfs | Even kernel-level HID can be subverted, if the user gets administrative access to it and he can tamper with the kernel image he can (theoretically) remove the HID |
| @jfs | but it's a greater hurdle |
| @jfs | On with the final remarks of host-based intrusion detection on UNIX |
| @jfs | and finishing the job (sorry again for the delay) |
| @jfs | (slide 24) |
| @jfs | I have (hopefully) shown you where HID can be implemented and some of the tools that currently exist (both free software and proprietary) |
| @jfs | [So you have no excuse now not to set up intrusion detection on your UNIX systems :-)] |
| @jfs | The problem with open source / free software solutions is that there are a lot of specific tools to do the work |
| @jfs | and are lightly coupled (but since it's free software you can do it) |
| @jfs | However, Prelude might help change this in the near future |
| @jfs | The problem with proprietary solutions is that they might not tackle your preferred OS |
| @jfs | And also do not cooperate |
| @jfs | However, one of the things to notice is that many OS vendors start to ship intrusion detection tools as part of the OS |
| @jfs | Notably, most GNU/Linux distributions I know of, *BSD operating systems and also HP-UX |
| @jfs | (if anyone knows of other proprietary unix vendors that do this too I would be glad to hear it) |
| @jfs | Finishing, it's important to notice that there are few ID standards |
| @jfs | So if these improve it might be possible to have better HID in the future |
| @jfs | That's all I wanted to talk about, sorry for talking too much |
| @jfs | I don't know if we have time for some questions |
| @jfs | But, in any case, be sure to attend some other of the intrusion detection talks that will be held at Infosec |
| @jfs | (Notably, there is one about intrusion detection with free software. Hopefully, I have not stepped too much into what will be talked there) |
| @jfs | Any final questions? |
| @jfs | Xpato wonders about further references |
| @jfs | You have a number of them in slide 25 |
| @jfs | most notably |
| @jfs | SANS ID FAQ. http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm |
| @jfs | and |
| @jfs | Securityfocus IDS area: http://www.securityfocus.com/ids |
| @jfs | (very good mailing lists there :-) |
| @jfs | [and also, if you want to have a laugh, test the ultimate solution: PISS: http://piss.olea.org/] |
| @sarnold | jfs: thanks for the great presentation on intrusion detection :) |
| @sarnold | jfs: you've been giving presentations at uninet longer than I recall, and we thank you for it ;) |
| @jfs | sarnold: no problem, it's great to be here :-) |
| @sarnold | the next presentation is by dr jose nazario, about internet worms :) |
| @sarnold | clap clap clap clap clap clap |
| @sarnold | clap clap clap clap clap clap |
| @sarnold | clap clap clap clap clap clap |
| @jose_n | clap*1000! |
| ahd | clap !!! |
| ahd | clap !!! |
| cthulhu_ | clap clap clap |
| xpato | clap |
| badtz | clap clap!! |
| @EMPEROR | plas plas plas plas plas plas plas plas |
| @ismak | congratulations plasplasplasplasplas |
| @EMPEROR | plas plas plas plas plas plas plas plas |
| badtz | clap clap!! |
| @EMPEROR | plas plas plas plas plas plas plas plas |
| @ismak | plasplasplasplasplas |
| badtz | clap clap!! |
| @ismak | plasplasplasplasplas |
| @ismak | plasplasplasplasplas |
| @ismak | plasplasplasplasplas |
| @ismak | plasplasplasplasplas |
| @ismak | plasplasplasplasplas |
| @ismak | plasplasplasplasplas |
| @elzo | plasplasplas |
| @ismak | plasplasplasplasplas |
| dreimon | while true ; do echo "clap" ; done |
| xpman | fiiiuuuu! |
| ahd | if (0 != 0) { printf= clap !!! } |
| ahd | :D |
| KeeNaN | bravo ! |
| KeeNaN | :D |
| xpman | clap forever; |
| Gambrerr | clap your mind |