context-based intrusion detection using snort, nessus and bugtraq databases
Post on 13-Jan-2016
CONTEXT-BASED INTRUSION DETECTION
USING SNORT, NESSUS AND BUGTRAQ DATABASES
Presented by Frédéric Massicotte
Communications Research Centre Canada
Department of Systems and Computer Engineering, Carleton University
Privacy, Security and Trust
October 2005
Motivations

Current IDS Problems
– Some IDS do not provide a declarative rule specification language
  • Difficult to verify, compare and update attack scenarios
– Many IDS only rely on one packet or on one TCP stream to identify intrusions
  • More complex attacks need to be programmed (two specification systems)
  • False negatives and false positives
– Intrusion signatures do not include a precise network context
  • Increases the number of false positives (session state not enough)

IDS functionality needed
– The IDS signature language should
  • be a declarative rule specification language
  • be independent of the monitoring engine
  • enable multi-packet rules
  • specify network-context gathering other than alarms and session states
  • be used on well-defined models (Packet Model and Network Model)
– The IDS monitoring engine should
  • be multi-packet
  • maintain a network-context knowledge base
Our Contributions
– A multi-packet monitoring engine
– A declarative rule specification language that uses the Object Constraint Language
– A formal packet model and a formal network model
– A library of passive information gathering rules to acquire the network context

Missing:
– A library of intrusion detection rules with network context
  • Prove that these rules could be used to reduce the number of false positives
  • Study the correlation potential and accuracy of freely available security databases
Rule Specification
[Figure: rules are written in OCL over the Packet Stream Model and the Network Model; the engine consumes packets and produces alarms]
Network Model
[Figure: UML class diagram of the Network Model. Classes and attributes shown:
– Exploit: description : string
– Vulnerability: consequences : string, requirements : string
– Reference: id : string, organization : string
– Alarm: time : long
– Product: prodname : string, type : string, version : string (type constants OPERATING_SYSTEM, FTP, TELNET)
– Vendor: name : string
– Port: number : int, type : int, state : bool (constants TCP : int, UDP : int, OPEN : bool, CLOSE : bool)
– IPStack: ipAddress : string, mask : string, gateway : string, dnsServers[0..*] : string, names[0..*] : string, role : int, state : bool (constants UP : bool, DOWN : bool)
– Interface: macAddress : string
– Host
– Session
Association role names shown: exploits, refs, vendor, ports, interfaces, exploit, configuration, daemon, vulnerabilities, affected, ipStacks, correlates, sourcePort, destinationPort, sourceAddress, destinationAddress (multiplicities 1, 0..1, 0..* and 1..*)]
IDS Rules with Network Context

Example rule (OCL), annotated with the kind of information each clause uses:

  -- Packet characteristics
  p1.data.match("/^STAT\s+[^\n]*\x3f/smi") and
  p1.tcp.destinationPort = 21 and
  -- Session state
  Session::sessionOpen(p1.ip.sourceAddress, p1.ip.destinationAddress,
                       p1.tcp.sourcePort, p1.tcp.destinationPort) and
  -- Proper network context
  (IPStack::hasDaemonOnPort(p1.ip.destinationAddress, p1.tcp.destinationPort, Port.TCP, "IIS", "5.0") or
   IPStack::hasDaemonOnPort(p1.ip.destinationAddress, p1.tcp.destinationPort, Port.TCP, "IIS", "5.1"))

Sources: the IDS rule part (packet characteristics and session state) comes from Snort (IDS); the network context part comes from Bugtraq (VDB) and Nessus (VDS).

A second OCL fragment on the slide shows the invariant form in which rules are written (this one matches the string "Microsoft IIS 5.0" on port 80):

  context Packet
  inv: Packet.allInstances()->forAll(p1 | p1.data.match("Microsoft IIS 5.0") and p1.tcp.destinationPort = 80 and ...
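The following is an added example, not code from the presentation or its authors. It evaluates the rule above at three levels (packet characteristics only, plus session state, plus network context) against a constructed network model, so the false-positive reduction the talk claims can be seen on three sample packets. Class and method names mirror the slide's Packet, Session, IPStack and Port elements but are simplified assumptions; the IP addresses, ports and daemon versions are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Same pattern as the rule's p1.data.match("/^STAT\s+[^\n]*\x3f/smi"):
# an FTP STAT command whose argument contains "?" (\x3f); /smi -> re.S | re.M | re.I.
STAT_PATTERN = re.compile(rb"^STAT\s+[^\n]*\x3f", re.S | re.M | re.I)


@dataclass
class Packet:
    """Fields of the Packet Model the rule reads (p1.ip.* and p1.tcp.* on the slide)."""
    source_address: str
    destination_address: str
    source_port: int
    destination_port: int
    data: bytes


@dataclass
class Port:
    """Port element of the Network Model; TCP/UDP stand in for Port.TCP / Port.UDP."""
    TCP = 6
    UDP = 17
    number: int
    type: int
    daemon: Optional[Tuple[str, str]] = None  # (prodname, version) listening on this port


@dataclass
class IPStack:
    ip_address: str
    ports: List[Port] = field(default_factory=list)


class NetworkModel:
    """Knowledge base kept by the monitoring engine: open TCP sessions and host inventory."""

    def __init__(self) -> None:
        self.sessions: Set[Tuple[str, str, int, int]] = set()
        self.ip_stacks: Dict[str, IPStack] = {}

    def session_open(self, src: str, dst: str, sport: int, dport: int) -> bool:
        # Stands in for Session::sessionOpen(...) on the slide.
        return (src, dst, sport, dport) in self.sessions

    def has_daemon_on_port(self, addr: str, number: int, ptype: int,
                           prodname: str, version: str) -> bool:
        # Stands in for IPStack::hasDaemonOnPort(...) on the slide.
        stack = self.ip_stacks.get(addr)
        if stack is None:
            return False
        return any(p.number == number and p.type == ptype and p.daemon == (prodname, version)
                   for p in stack.ports)


def iis_ftp_stat_rule(p1: Packet, net: NetworkModel, level: str) -> bool:
    """Evaluate the rule up to a clause kind: 'packet' (characteristics only),
    'session' (plus session state) or 'context' (plus IIS 5.0/5.1 on the target port)."""
    if not (p1.destination_port == 21 and STAT_PATTERN.search(p1.data)):
        return False
    if level == "packet":
        return True
    if not net.session_open(p1.source_address, p1.destination_address,
                            p1.source_port, p1.destination_port):
        return False
    if level == "session":
        return True
    return any(net.has_daemon_on_port(p1.destination_address, p1.destination_port,
                                      Port.TCP, "IIS", v) for v in ("5.0", "5.1"))


def demo() -> Dict[str, int]:
    """Alert counts per level over three constructed packets (all addresses are placeholders)."""
    net = NetworkModel()
    # Host .10 runs IIS 5.0 FTP on tcp/21; host .20 runs a different FTP daemon on tcp/21.
    net.ip_stacks["10.0.0.10"] = IPStack("10.0.0.10", [Port(21, Port.TCP, ("IIS", "5.0"))])
    net.ip_stacks["10.0.0.20"] = IPStack("10.0.0.20", [Port(21, Port.TCP, ("vsftpd", "1.2"))])
    # Only two of the three flows below have an established session in the knowledge base.
    net.sessions.add(("10.0.0.1", "10.0.0.10", 40001, 21))
    net.sessions.add(("10.0.0.1", "10.0.0.20", 40002, 21))
    payload = b"STAT *?\r\n"  # constructed payload matching the pattern
    packets = [
        Packet("10.0.0.1", "10.0.0.10", 40001, 21, payload),  # IIS host, open session
        Packet("10.0.0.1", "10.0.0.20", 40002, 21, payload),  # non-IIS host, open session
        Packet("10.0.0.2", "10.0.0.10", 40003, 21, payload),  # IIS host, no session (stray packet)
    ]
    return {level: sum(iis_ftp_stat_rule(p, net, level) for p in packets)
            for level in ("packet", "session", "context")}


if __name__ == "__main__":
    print(demo())  # {'packet': 3, 'session': 2, 'context': 1}
```

The packet-only check fires on all three packets, the session-state check drops the stray packet, and only the network-context check drops the packet aimed at a host that does not run the vulnerable daemon; that last drop is the one the talk attributes to "proper network context".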
Snort References
[Pie chart: reference types found in Snort rules]
– CVE and Bugtraq: 21%
– Bugtraq and Nessus: 3%
– CVE, Bugtraq and Nessus: 15%
– Other types of references: 21%
– Only Nessus: 4%
– CVE and Nessus: 3%
– Only Bugtraq: 7%
– Only CVE: 3%
– No reference at all: 23%
Group 1: Direct and Indirect
[Pie chart: Snort rules by relationship group between Bugtraq (VDB), Nessus (VDS) and Snort (IDS)]
– Group 1: Direct and Indirect: 16%
– Group 2: Incomplete but Inferable: 18%
– Group 3: Incomplete and Non-Inferable: 19%
– Group 4: No Bugtraq nor Nessus reference: 47%
Group 1: Direct and Indirect
[Pie chart: Group 1 rules by the relationship between the direct (Snort to Bugtraq) and indirect (Snort to Nessus to Bugtraq) Bugtraq reference sets]
– Group 1.1: Direct Strictly Includes Indirect: 6%
– Group 1.2: Indirect Strictly Includes Direct: 12%
– Group 1.3: Direct and Indirect are Disjoint: 6%
– Group 1.4: Direct and Indirect Strictly Intersect: 5%
– Group 1.5: Direct and Indirect are the Same: 71%
Results of Relationship Analysis
– Only 16% of the Snort rules have references to Bugtraq and Nessus.
  – Only 11.4% have the same set of Bugtraq references whether we use the Snort to Bugtraq references or the Snort to Nessus to Bugtraq references.
  – 29% of the Group 1 Snort rules present discrepancies, depending on whether we use the direct or indirect relationship to Bugtraq.
  – 6% of Group 1 seem to refer to different Bugtraq vulnerabilities.
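As an added example (not the authors' code), the classification behind the Group 1 pie chart and the results above can be computed from set relations between a rule's direct Bugtraq references and the Bugtraq references reached through its Nessus references. The Snort rules, Nessus plugin identifiers and Bugtraq ids below are constructed placeholders; the Group 2 / Group 3 split (inferable versus non-inferable) is not defined on the slides, so rules with only one of the two reference types are reported as "incomplete" without deciding between those two groups.

```python
from typing import Dict, Set

# Constructed Nessus plugin -> Bugtraq id mapping (the VDS side of the relationship).
NESSUS_TO_BUGTRAQ: Dict[str, Set[str]] = {
    "plugin-A": {"100"},
    "plugin-B": {"100", "102"},
}

# Constructed Snort rules keyed by a placeholder sid; each maps reference type -> ids.
SNORT_RULES: Dict[str, Dict[str, Set[str]]] = {
    "sid-1": {"bugtraq": {"100"}, "nessus": {"plugin-A"}},
    "sid-2": {"bugtraq": {"100", "101"}, "nessus": {"plugin-A"}},
    "sid-3": {"bugtraq": {"100"}, "nessus": {"plugin-B"}},
    "sid-4": {"bugtraq": {"103"}, "nessus": {"plugin-A"}},
    "sid-5": {"bugtraq": {"100", "103"}, "nessus": {"plugin-B"}},
    "sid-6": {"cve": {"CVE-PLACEHOLDER"}},
    "sid-7": {"bugtraq": {"100"}},
}


def indirect_bugtraq(refs: Dict[str, Set[str]]) -> Set[str]:
    """Snort -> Nessus -> Bugtraq: union of the Bugtraq ids of every referenced Nessus plugin."""
    ids: Set[str] = set()
    for plugin in refs.get("nessus", set()):
        ids |= NESSUS_TO_BUGTRAQ.get(plugin, set())
    return ids


def classify(refs: Dict[str, Set[str]]) -> str:
    """Assign a rule to the slides' groups from its direct and indirect Bugtraq reference sets."""
    direct = refs.get("bugtraq", set())
    has_nessus = bool(refs.get("nessus"))
    if not direct and not has_nessus:
        return "Group 4: No Bugtraq nor Nessus reference"
    if not direct or not has_nessus:
        # Only one of the two reference types is present. The slides call this incomplete;
        # the inferable / non-inferable criterion is not given there, so it is left open.
        return "Group 2/3: Incomplete"
    indirect = indirect_bugtraq(refs)
    if direct == indirect:
        return "Group 1.5: Direct and Indirect are the Same"
    if not (direct & indirect):
        # Also covers a referenced Nessus plugin that carries no Bugtraq id (empty indirect set).
        return "Group 1.3: Direct and Indirect are Disjoint"
    if direct > indirect:
        return "Group 1.1: Direct Strictly Includes Indirect"
    if indirect > direct:
        return "Group 1.2: Indirect Strictly Includes Direct"
    return "Group 1.4: Direct and Indirect Strictly Intersect"


def distribution(rules: Dict[str, Dict[str, Set[str]]]) -> Dict[str, float]:
    """Percentage of rules per group, i.e. the figures the pie charts report."""
    counts: Dict[str, int] = {}
    for refs in rules.values():
        group = classify(refs)
        counts[group] = counts.get(group, 0) + 1
    total = len(rules)
    return {group: round(100.0 * n / total, 1) for group, n in counts.items()}


if __name__ == "__main__":
    for sid, refs in SNORT_RULES.items():
        print(sid, "->", classify(refs))
    print(distribution(SNORT_RULES))
```

Rules in Groups 1.1 to 1.4 are the ones whose direct and indirect Bugtraq sets disagree, which is what the "29% ... present discrepancies" figure counts; Group 1.3 is the "refer to different Bugtraq vulnerabilities" case.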
Results
– Built a library of small IDS rules with network context using Group 1 Snort rules
– Tested 20 attack programs against 12 systems
  – Reduced the number of false positives, compared to Snort
  – Proved that network context is important to reduce false positives
Test Cases
[Figure: test network. Attacker 1 and Attacker 2 send attacks towards hosts labelled Snort, 2.4.18-14, Linux 2.4.19-4GB, OS X, Sun 4.x and PNMT; the results of each detector are compared (vs) against an oracle]
Conclusion
– The relationships between Snort IDS signatures, Nessus and Bugtraq still need to be improved
– Correlation systems using events for these systems only use a small proportion of the relationship potential
– For the small number of Snort rules that provide accurate relationships, network context is important to reduce false positives.
Future Work on IDS Rules
– Test more context-based intrusion detection rules
– Continue the development of a virtual exploit testing network
– Test rules to identify more complex attacks such as DDOS and Network Discovery Techniques
Questions