csce 815 network security lecture 25 data control in honeynets ssh april 22, 2003
TRANSCRIPT
CSCE 815 Network Security, Lecture 25
Data Control in HoneyNets
SSH
April 22, 2003
– 2 – CSCE 815 Sp 03
Machines to Attack
129.252.140.3
129.252.140.7
NOT!!!
129.252.140.1 - gateway
– 3 – CSCE 815 Sp 03
Honeynet Bridge
[Figure: the Internet connects to the bridge's Eth0 (no IP); Eth1 (no IP) faces the honeypots 129.252.140.3 and 192.252.140.7; Eth2 (129.252.xxx.yyy) is the administrative interface, reached only through SSH connections from trusted hosts.]
– 4 – CSCE 815 Sp 03
Honeynet Communication Channel
[Figure: two seven-layer stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) joined through the bridge: Eth0 and Eth1 both in promiscuous mode with IP forwarding, attached via a hub. The same packet is shown on both sides of the bridge with an unchanged header: Source IP 129.252.140.7, Destination IP 208.122.101.1, TTL 30, Source MAC 07 E2 G5 89 P1, Destination MAC 0H F5 7F 2L G2 (the bridge does not decrement the TTL).]
– 5 – CSCE 815 Sp 03
What is Data Control and Why?
Process used to control or contain traffic to a honeynet
Upstream liability – an attack from one of your honeypots
Snort-inline – South Florida Honeynet Project
– 6 – CSCE 815 Sp 03
GEN II Data Control
Gen II:
• Incorporates a firewall and IDS in one system
• Provides more stealthy data control
• Can be implemented for layer 2 bridging or layer 3 NAT translation
• Packets are passed from the Internet to the honeynet as layer 2 (data link) packets, so there is no TTL decrement
– 7 – CSCE 815 Sp 03
IPTables for GEN II Honeynet
IPTables is a free, stateful, Open Source firewall for Linux 2.4.x and 2.5.x kernels
Each packet header is compared to a set of "chains"
Chains contain rules: ACCEPT, DROP, REJECT, QUEUE
Custom chains: tcpHandler, udpHandler, icmpHandler
– 8 – CSCE 815 Sp 03
Example Rule
Shell Script
$IPTABLES -A tcpHandler -j LOG --log-prefix "OUTBOUND"
if test "$QUEUE" = "yes"; then
    $IPTABLES -A tcpHandler -j QUEUE
fi
$IPTABLES -A tcpHandler -j ACCEPT
Environment variable "$QUEUE" controls the action of the rule
Queueing
Connection limits
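The rule above, the custom handler chains and the connection limiting / STOP_OUT options of the rc.firewall slide, worked into one script. This is an added example and not the Honeynet Project's rc.firewall: IPTABLES defaults to "echo iptables" so it can be run offline and read, and the hourly limits and the HONEYNET range are constructed values, not the project's defaults.

```shell
#!/bin/sh
# Added example (not the Honeynet Project's rc.firewall): a minimal Gen II
# outbound data-control rule set.  IPTABLES defaults to "echo iptables" so
# the script prints the rules it would install; on a real bridge set
# IPTABLES=/sbin/iptables.  The limits below are illustration values.
IPTABLES=${IPTABLES:-"echo iptables"}
QUEUE=${QUEUE:-yes}                      # yes: hand packets to snort_inline via QUEUE
STOP_OUT=${STOP_OUT:-no}                 # yes: honeynet "safe mode", block all outbound
HONEYNET=${HONEYNET:-129.252.140.0/24}   # honeypot range (assumed from the slides)

# handler_chain NAME PROTO LIMIT
# Builds one custom chain (tcpHandler, udpHandler, icmpHandler) that logs,
# allows at most LIMIT new outbound connections per hour, then queues or accepts.
handler_chain() {
    name=$1; proto=$2; limit=$3
    if [ "$QUEUE" = yes ]; then target=QUEUE; else target=ACCEPT; fi
    $IPTABLES -N "$name"
    $IPTABLES -A "$name" -j LOG --log-prefix "OUTBOUND $proto "
    if [ "$STOP_OUT" = yes ]; then
        $IPTABLES -A "$name" -j DROP           # safe mode: nothing leaves the honeynet
        return 0
    fi
    # Connection limiting: the first LIMIT new connections in an hour pass on
    # (to snort_inline or straight through); further attempts are logged and dropped.
    $IPTABLES -A "$name" -m state --state NEW \
        -m limit --limit "$limit/hour" --limit-burst "$limit" -j "$target"
    $IPTABLES -A "$name" -m state --state NEW -j LOG --log-prefix "LIMIT EXCEEDED $proto "
    $IPTABLES -A "$name" -m state --state NEW -j DROP
    $IPTABLES -A "$name" -j "$target"          # packets of already-counted connections
}

# build_rules: create the three handlers and wire them into FORWARD for
# traffic leaving the honeynet; inbound traffic to the honeypots is let in.
build_rules() {
    $IPTABLES -F FORWARD
    handler_chain tcpHandler  tcp  15
    handler_chain udpHandler  udp  20
    handler_chain icmpHandler icmp 50
    $IPTABLES -A FORWARD -s "$HONEYNET" -p tcp  -j tcpHandler
    $IPTABLES -A FORWARD -s "$HONEYNET" -p udp  -j udpHandler
    $IPTABLES -A FORWARD -s "$HONEYNET" -p icmp -j icmpHandler
    $IPTABLES -A FORWARD -d "$HONEYNET" -j ACCEPT
}

build_rules
```

Run with STOP_OUT=yes to see the safe-mode variant, where every handler chain ends in DROP and no connection-limit rules are installed.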
– 9 – CSCE 815 Sp 03
Snort-Inline
Snort: The Open Source Network Intrusion Detection System, http://www.snort.org/
Snort-Inline: Snort + the ability to retrieve packets from the QUEUE target
Gen I: Alert.sh operated at Layer 3 (IP layer), which made it visible by TTL decrement and routing
Gen II Data Control
If the attacker runs traceroute to view router hops, then
"I see nothing" – Sergeant Schultz
/sbin/traceroute 129.252.140.3
– 10 – CSCE 815 Sp 03
Set Up
lsmod
modprobe ip_queue       # load the ip_queue module into kernel space
lsmod
modprobe -r ip_queue    # remove it
– 11 – CSCE 815 Sp 03
Data Control: Snort-Inline and IPTables Modes of Operation
• Connection Limiting Mode: count packets by protocol type
• Drop Mode: libipq reads packets from kernel space; packets are matched against Snort signatures and dropped if there is a match
• Replace Mode: packets are matched against Snort signatures; if they match, the harmful content of the packet is scrubbed and the packet is returned to the attacker
– 12 – CSCE 815 Sp 03
Connection Limiting Mode
[Figure: Enemy – Hub – Data Control (Snort-Inline, IPTables). IPTables counts packets and DROPs once the limit is reached (shown as Packet No = 10).]
– 13 – CSCE 815 Sp 03
Snort-Inline Drop Mode
[Figure: Enemy – Hub – Data Control. IPTables hands packets to ip_queue; Snort-Inline matches them against Snort rules set to Drop, and IPTables drops the matching packets.]
– 14 – CSCE 815 Sp 03
Snort-Inline Replace Mode
[Figure: Enemy – Hub – Data Control. IPTables hands packets to ip_queue; Snort-Inline matches them against Snort rules set to Replace, scrubs the matching content and passes the packet back through IPTables, e.g. bin/sh -> ben/sh.]
– 15 – CSCE 815 Sp 03
Supporting Tools for Gen II
libipq – development library for iptables Netfilter; provides a mechanism for passing packets out of the stack for queueing to userspace, then receiving these packets back into the kernel
http://www.cs.princeton.edu/~nakao/libipq.htm
libpcap: a packet capture library used by most Open Source sniffers
Bridge-Utils: used to set up the Linux Ethernet bridge
Latest Snort rules
rc.firewall script: everything you need to set up the GenII data control system, http://project.honeynet.org/papers/honeynet/tools/rc.firewall
– 16 – CSCE 815 Sp 03
rc.firewall script
This script uses IPTables to create a gateway that counts inbound and outbound connections and blocks connections once a limit has been met.
Kernel must be compiled with Bridge support
Modifications History: 21 Apr 2003: Added STOP_OUT option to allow the user to block all outbound connections. Think of this as the honeynet safe mode.
– 17 – CSCE 815 Sp 03
Protect the Administrator Interface
Portsentry: detects SYN/half-open, FIN and NULL scans; will block the host in real time and report to the administrator
– 18 – CSCE 815 Sp 03
Data Control: Tripwire
Maintains integrity of data on the system
Creates cryptographic checksums of files and directories
Reports when changes are made to: access permissions, inode number, userid, groupid, date and time, size
http://www.tripwire.com/
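A minimal integrity baseline in the spirit of the Tripwire slide, added here as an example (it is not Tripwire): it records, for every file under a directory, the attributes listed above (permissions, inode, uid, gid, modification time, size) plus a SHA-256 checksum, and later reports files that changed, appeared or vanished. It assumes GNU stat and sha256sum are available.

```shell
#!/bin/sh
# Added example (not Tripwire): file-integrity baseline and check using the
# attributes the slide lists.  Assumes GNU coreutils (stat -c, sha256sum).

# snapshot DIR: one line per file, path|mode|inode|uid|gid|mtime|size|sha256
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        meta=$(stat -c '%a|%i|%u|%g|%Y|%s' "$f")
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s|%s|%s\n' "$f" "$meta" "$sum"
    done
}

# integrity_check DIR BASELINE: prints CHANGED/REMOVED/ADDED lines and returns
# 1 if anything differs from the stored baseline, 0 if the tree is intact.
integrity_check() {
    dir=$1; base=$2; rc=0
    now=$(mktemp)
    snapshot "$dir" > "$now"
    # every baseline entry must still exist, with identical attributes and checksum
    while IFS='|' read -r path rest; do
        if ! cut -d'|' -f1 "$now" | grep -q -F -x -- "$path"; then
            echo "REMOVED $path"; rc=1
        elif ! grep -q -F -x -- "$path|$rest" "$now"; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$base"
    # anything present now but absent from the baseline is new
    while IFS='|' read -r path rest; do
        cut -d'|' -f1 "$base" | grep -q -F -x -- "$path" || { echo "ADDED $path"; rc=1; }
    done < "$now"
    rm -f "$now"
    return $rc
}
```

Store the baseline somewhere the honeypot cannot rewrite it (the slides' remote data collection host fits), since a baseline the intruder can edit proves nothing.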
– 19 – CSCE 815 Sp 03
Data Capture Mechanisms
Snort-Inline
Comlog: logs commands executed by cmd.exe (Windows)
Eventlog: forwards packets to a syslog server (Windows)
Sebek (Linux): keystroke logging; uses a UDP connection
USCSh – Unix keystroke logging, 1984
Windows keystroke logging – PhD dissertation, 1990s
– 20 – CSCE 815 Sp 03
Data Collection
Syslog: to deceive the intruder, maintain another syslog.conf file in a different location
Remote Syslog: store data on a remote machine
– 21 – CSCE 815 Sp 03
Data Analysis
Log Sentry:
• Audits logs and reports any violations
The @stake Sleuth Kit:
• Analyses images generated by the dd command (which converts and copies a file)
• Displays deleted files
• Creates a timeline of file activity
– 22 – CSCE 815 Sp 03
Risk Analysis
Placed on the 129.252.140 subnet; can be shut down in case of emergency
Efficient data control mechanisms: Firewall (Connection Limiting Mode), Snort-Inline (Drop Mode)
– 23 – CSCE 815 Sp 03
References
Librenix: http://librenix.com – firewalls, types of firewalls, configurations, access control
Newsforge: http://newsforge.com/newsforge
Deploying a GenII Honeynet: MS Thesis, Harish Siripurapu
http://www.honeynet.ie/main.htm
GenII Data Control for Honeynets – Univ South Florida
http://cert.uni-stuttgart.de/archive/honeypots/2003/02/msg00056.html