ecs236 winter 2006: intrusion detection #1: ids architecture
01/04/2006 ecs236 winter 2006 1
ecs236 Winter 2006:
Intrusion Detection #1: IDS Architecture
Dr. S. Felix Wu
Computer Science Department
University of California, Davis
http://www.cs.ucdavis.edu/~wu/
Intrusion Prevention
Prevention: This should/must never be broken in!
– “This” means a perfectly designed, implemented, and managed/configured secure system!
Intrusion Detection
Prevention: This should/must never be broken in!
Detection: “This” will need to face the reality check!
– We had, have, and will have so many “expected” unexpected.
– Industry has never been really serious about cyber security – it is profit/market-driven.
We accept it as a fact…
And, we have to have…
Intrusion Detection
Prevention: This should/must never be broken in!
Detection: “This” will need to face the reality check!
– We had, have, and will have so many “expected” unexpected.
– We had, have, and will have even more “unexpected” unexpected!!
To: All Faculty, Staff and Students
On Tuesday, January 03, 2006, UC Davis implemented temporary measures to prevent the exploitation of a serious new computer vulnerability for which no patch is yet available. This vulnerability affects Windows 2000, Windows XP, Windows Server 2003, Windows 98 and ME systems and may be exploited when infected email file attachments or infected Web pages are viewed. Once a computer is infected, data may be permanently lost and/or a remote attacker could gain control of the computer. After extensive consultation with the campus leadership, the decision has been made to temporarily block wmf image attachments. These files can have a number of different extensions, but most commonly will have .wmf and .jpg extensions.
Max-Sequence # Attack
Block LSA updates for one hour by injecting one bad LSA.
– You can hit it once and come back in an hour.
Implementation Bug!
– Two independently developed OSPF packages.
– MaxSeq# LSA purging has not been implemented correctly!!
Announced in May, 1997.
What is Intrusion Detection?
Intrusion Detection
Detecting intrusions such as
– Viruses, worms, spyware, phishing, spamming, insiders, unauthorized activities, faults/failures, among many others
Detecting and managing anything “unexpected”
– Anomalies
Question: “Detecting what??”
Intrusion Detection
Diagram: input event sequence → Intrusion Detection Model → results
Results??
This email contains virus XYZ
This email might be spam with 80% probability
This email is somewhat trusted based on your social network
This email might be malicious
This email might be malicious for reasons ABC and DEF.
Intrusion Detection
Diagram: input event sequence → Intrusion Detection Model (pattern matching) → results
IDS Events
TCPdump traces
OS kernel and host-level information
BGP traces
Application logs
Many others…
Anti-Virus
Diagram: input event sequence → Virus Detection, driven by a virus definition (pattern matching) → results
Credit Card Fraud Detection
Diagram: input event sequence → Fraud Detection, driven by spending patterns (statistical pattern matching) → results
SNORT
Diagram: input event sequence → SNORT, driven by rules (pattern matching) → results
Welcome to ecs236
S. Felix Wu – [email protected], x4-7070
Office: 3057 Engineering II
Office Hours:
– 2-3 p.m. on Tuesday and Friday
– by appointment
Intrusion Detection
Practical Engineering
– Performance, Accuracy, Scalability, CPU/Memory, Correlation, Deployment
Theoretical Foundation
– Detectability/Limitation, Dimensionality, Entropy, False Negative and Positive, Evaluation
In this quarter…
The architecture of ID and IDS
– Stateful versus stateless
– Signature, specification, anomaly
Analysis of ID Results
– Explanation and Analysis
– Event Correlation
IDS Evaluation or Attacking IDS
– Attack Polymorphism and IDS Evasion
IDS Fundamental Principles
A balance between engineering a high-performance IDS system and fundamentally understanding our limitations
Starter: SNORT
Understand the architecture and source code
How to evaluate SNORT?
What is the most critical performance bottleneck of SNORT?
Is SNORT stateful or stateless? Why?
– What are the pros and cons regarding SNORT versus Bro?
http://www.snort.org/
Syllabus
SNORT IDS engine
Anomaly-based Approach
Event Correlation and Analysis
IDS Evaluation
Advanced Research Topics
Course Requirements
30%: Starter
15%: Proposal
30%: Final Project
25%: Class Participation
– “develop interesting/creative research problems related to the lectures/reading assignments, and justify the reasons”
– And, you need to interact with the instructor!
– 5 of them, 5% each (1~2 pages)
Final Projects
Polymorphic/Metamorphic Worm detection
Integration of Network/Host IDSes
Anomaly Detection in SNORT
IDS Evaluation using TCPopera
SNORT event correlation and explanation
Stateful SNORT
SNORT evasion
About the Web site
http://www.cs.ucdavis.edu/~wu/ecs236/
All lectures, notes, announcements, homework assignments, tools, and papers will be there.
Let’s start it…
SNORT 2.4.3
– You might need to install the PCRE (Perl Compatible Regular Expression) package.
Get it to compile and install
– Any platform you like…
Snort
Open Source, since 1998
Used by many major network security products
Signature-based (more than 3000 signatures)
Simple IP header protocol anomaly detection
Simple stateful pattern matching
The Spirit of SNORT
They started with something very simple and extensible.
If we feel we need the XYZ feature (due to an attack like STICK), we will write a plug-in for XYZ!!
An evolving system
– But, not sure how much in the future…
Signature-based NIDS
Martin Overton, “Anti-Malware Tools: Intrusion Detection Systems”, European Institute for Computer Anti-Virus Research (EICAR), 2005
Signature found in a W32.Netsky.p binary sample
Rules for Snort:
Signature-based Rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (flow:to_server,established; content:"|eb2f 5feb 4a5e 89fb 893e 89f2|"; msg:"EXPLOIT x86 linux samba overflow"; reference:bugtraq,1816; reference:cve,CVE-1999-0811; classtype:attempted-admin;)
SNORT Rules
Rule actions: Alert / Pass / Log
False Alarm Rate versus False Positive
Rules → pattern matching:
101 events: 100 good + 1 bad
2 alerts: 1 good + 1 bad
False Alarm Rate = 50% (1 false alert out of 2 alerts)
False Positive = 1% (1 false alert out of 100 good events)
STICK
Diagram: SNORT rules → STICK → attack packets → stateless SNORT → alerts
What Alerts do we want?
This is an administrative/policy issue.
– Do I want to know this?
Idea: How can we rank the information quantitatively (in a meaningful way)?
– Maybe it is hard to rank “one particular alert”
– But, it is much more useful to rank “a sequence of alerts/events”
Correlation & Anomaly Detection!!
Preprocessor
Stream4
Frag2
Telnet_negotiation
HTTP normalization
RPC_decode
Portscan
Back Orifice
Experimental Preprocessors
Arpspoof
Asn1_decode
Fnord (NOP detection)
portscan2
RTN: Rule Tree Node
RTN/OTN Matrix
OTN: Optional Tree Node
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
SNORT Rules
Dynamic Activation
Rule actions: Alert / Pass / Log
Fast Multiple Patterns
Wu-Manber (Bad-word shift)
– Consumes the least amount of memory
Aho-Corasick (FSM)
– Fast, with potential for parallelism and FPGA implementation
Boyer-Moore (Bad-word shift)
– For small rule sets
Example: P = {he, she, his, hers}
Figure: the Aho-Corasick automaton for P, states 0–9. Goto (trie) edges: 0 –h→ 1 –e→ 2 –r→ 8 –s→ 9; 1 –i→ 6 –s→ 7; 0 –s→ 3 –h→ 4 –e→ 5. State 0 is the initial state; the accepting states are 2 (he), 5 (she), 7 (his) and 9 (hers). The state transition function table lists, for each state, the failure transitions back into the trie (edges pointing back to state 0 are not shown).
• The construction: linear time.
• The search of all patterns in P: linear time.
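Added example (not from the slides): a Python implementation of the automaton in the figure, built for P = {he, she, his, hers}. The state numbers come out as in the figure, and both the construction and the search are linear, as the slide states.

```python
from collections import deque

# The slide's pattern set P. Snort builds the same kind of automaton over the
# content: strings of all loaded rules, so one pass over a payload checks them all.
PATTERNS = ["he", "she", "his", "hers"]


def build_automaton(patterns):
    """Return (goto, fail, output) for the Aho-Corasick automaton.

    goto[s] maps a character to the next state (the trie of all patterns),
    fail[s] is the failure link and output[s] the patterns ending at state s.
    Construction is linear in the total pattern length.
    """
    goto, output = [{}], [set()]
    for pat in patterns:                      # phase 1: the goto trie
        state = 0
        for ch in pat:
            if ch not in goto[state]:
                goto[state][ch] = len(goto)
                goto.append({})
                output.append(set())
            state = goto[state][ch]
        output[state].add(pat)
    fail = [0] * len(goto)
    queue = deque(goto[0].values())           # depth-1 states fail to state 0
    while queue:                              # phase 2: failure links, BFS order
        r = queue.popleft()
        for ch, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and ch not in goto[f]:    # follow failure links until ch is accepted
                f = fail[f]
            fail[s] = goto[f].get(ch, 0)
            output[s] |= output[fail[s]]      # e.g. state 5 ("she") also reports "he"
    return goto, fail, output


def search(text, patterns=PATTERNS):
    """Return sorted (start_index, pattern) pairs for every occurrence in text.

    Each character is consumed once and the total number of failure-link steps
    is bounded by the text length, so the search is linear as well.
    """
    goto, fail, output = build_automaton(patterns)
    state, hits = 0, []
    for i, ch in enumerate(text):
        while state and ch not in goto[state]:
            state = fail[state]               # one of the edges back toward state 0
        state = goto[state].get(ch, 0)
        for pat in output[state]:
            hits.append((i - len(pat) + 1, pat))
    return sorted(hits)


if __name__ == "__main__":
    goto, fail, output = build_automaton(PATTERNS)
    print("states:", len(goto), "fail links:", fail)
    print(search("ushers"))
```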
Distance
content:"SITE"; nocase; content:"EXEC"; distance:0; nocase;
Within
content:"Content-type\: video/x-ms-asf"; content:"|0a|"; within:2;
Byte jump
byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4;
Byte test
byte_test:1,>,7,1;
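Added example, not Snort's own code: a small Python evaluator for the semantics of distance, within, byte_jump and byte_test as used in the four slide rules above, walking a "doe" pointer the way Snort's detection engine does. The |11 22 33 44| marker content and all payloads are constructed for this example.

```python
import operator

# Comparison operators this evaluator accepts for byte_test.
OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}


def match(payload, options):
    """Evaluate Snort-style options in order against one payload.

    doe ("detect offset end") is the byte just past the last match; distance:,
    within: and relative byte_test/byte_jump offsets are measured from it.
    """
    doe = 0
    for opt in options:
        kind = opt[0]
        if kind == "content":                       # ("content", bytes, modifiers)
            _, pat, mods = opt
            relative = "distance" in mods or "within" in mods
            start = doe + mods.get("distance", 0) if relative else 0
            end = start + mods["within"] if "within" in mods else len(payload)
            hay, needle = payload[start:end], pat   # within: pattern must fit the window
            if mods.get("nocase"):
                hay, needle = hay.lower(), needle.lower()
            pos = hay.find(needle)
            if pos < 0:
                return False
            doe = start + pos + len(pat)
        elif kind == "byte_test":                   # ("byte_test", n, op, value, offset, relative)
            _, n, op, value, offset, relative = opt
            base = (doe if relative else 0) + offset
            field = payload[base:base + n]
            if len(field) < n or not OPS[op](int.from_bytes(field, "big"), value):
                return False
        elif kind == "byte_jump":                   # ("byte_jump", n, offset, relative, align)
            _, n, offset, relative, align = opt
            base = (doe if relative else 0) + offset
            field = payload[base:base + n]
            if len(field) < n:
                return False
            jump = int.from_bytes(field, "big")
            if align:                               # round up to the next 4-byte boundary
                jump = (jump + 3) & ~3
            doe = base + n + jump                   # the jump starts after the bytes read
        else:
            raise ValueError("unknown option " + kind)
    return True


# The slides' option sequences. Snort needs ':' escaped as '\:' inside content;
# here the bytes are given directly. The |11 22 33 44| marker is constructed so
# the slide's relative byte_jump has a previous match to be relative to.
SITE_EXEC = [("content", b"SITE", {"nocase": True}),
             ("content", b"EXEC", {"distance": 0, "nocase": True})]
ASF_HEADER = [("content", b"Content-type: video/x-ms-asf", {}),
              ("content", b"\x0a", {"within": 2})]
MOUNTD = [("content", b"\x11\x22\x33\x44", {}),
          ("byte_jump", 4, 4, True, True),
          ("content", b"\x00\x01\x86\xa5", {"within": 4})]
BYTE_TEST = [("byte_test", 1, ">", 7, 1, False)]

# Constructed payloads. RPC_PADDED follows XDR: a 5-byte string is padded to 8.
FTP = b"site exec %p%p%p\r\n"
ASF = b"Content-type: video/x-ms-asf\r\n"
RPC_PADDED = (b"\x11\x22\x33\x44" + b"\x00\x00\x00\x00"          # marker, 4 bytes the offset skips
              + b"\x00\x00\x00\x05" + b"AAAAA" + b"\x00\x00\x00"  # length 5, data, pad
              + b"\x00\x01\x86\xa5")                              # 100005 = mountd
RPC_UNPADDED = RPC_PADDED[:17] + RPC_PADDED[20:]                   # pad dropped: align overshoots

if __name__ == "__main__":
    for name, pl, opts in [("distance", FTP, SITE_EXEC), ("within", ASF, ASF_HEADER),
                           ("byte_jump", RPC_PADDED, MOUNTD), ("byte_test", b"\x00\x09", BYTE_TEST)]:
        print(name, match(pl, opts))
```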
A few issues about SNORT basics
Performance
– DoS attack against SNORT
Expressiveness
– Statefulness in SNORT – is it enough?
HW#1
I will post HW#1 details on the class website this afternoon (01/11/2006)
Bro
Diagram of the Bro architecture: Network → libpcap (applying tcpdump filters) → packet stream → filtered packet stream → Event Engine → event stream → Policy script (the detection engine) → alerts. The policy script sends event control back to the Event Engine, and the Event Engine passes the tcpdump filters down to libpcap.
Be Stateful!! (Bro vs. SNORT)
HTTP server attack
– Snort signature: simple pattern matching on an MS IIS attack
– Bro rule: additional check to see if, e.g., the host is running Apache; if so, ignore the alarm
Error code checking
– Snort signature: no checking of the reply
– Bro rule: looks at the return code for HTTP/FTP/SMTP; signature match + error code = no alert
Multi-stage attacks
– Easy in Bro to express “signature A but only if followed by signature B” or “A unless followed by B”
– Easy to express “generate alarms if a given host triggers N or more signatures” or “triggers against N or more local hosts”
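Added example (not Bro or Snort code): a Python correlator that implements the stateful checks listed above, namely the target-software check, the reply error code check, “A but only if followed by B”, and the per-host signature threshold, over a constructed event stream. The host inventory, signature names and events are all made up for this example.

```python
from collections import defaultdict

# Constructed inventory of what each local server runs, for Bro's
# "is the host even running the software this exploit targets?" check.
SERVER_SOFTWARE = {"10.0.0.5": "apache", "10.0.0.6": "iis"}


def correlate(events, n_sigs=3, stages=(("sig_A", "sig_B"),)):
    """Run four stateful rules over a time-ordered event stream; return alerts.

    Event shapes (constructed for this example):
      {"kind": "sig", "src", "dst", "sig", optional "targets": software name}
      {"kind": "reply", "src": server, "dst": client, "status": HTTP code}
    stages lists (A, B) pairs: A alarms only if the same source later sends B.
    """
    alerts = []
    followed_by = dict(stages)
    stage_two = {b: a for a, b in stages}
    pending = {}                       # (client, server) -> signature awaiting the reply
    stage_one = defaultdict(set)       # src -> first-stage signatures seen so far
    sigs_per_src = defaultdict(set)    # src -> distinct signatures it has tripped
    for ev in events:
        if ev["kind"] == "sig":
            src, sig = ev["src"], ev["sig"]
            # Rule 1: the exploit targets software the host does not run -> ignore.
            if "targets" in ev and SERVER_SOFTWARE.get(ev["dst"]) != ev["targets"]:
                continue
            # Rule 4: one source tripping N or more distinct signatures.
            sigs_per_src[src].add(sig)
            if len(sigs_per_src[src]) == n_sigs:
                alerts.append(f"{src} triggered {n_sigs} distinct signatures")
            # Rule 3: "A but only if followed by B"; A alone never alarms.
            if sig in followed_by:
                stage_one[src].add(sig)
            elif sig in stage_two:
                if stage_two[sig] in stage_one[src]:
                    alerts.append(f"{src}: {stage_two[sig]} followed by {sig}")
                    stage_one[src].discard(stage_two[sig])
            else:
                # Rule 2: hold the alert until the server's reply shows success.
                pending[(src, ev["dst"])] = sig
        elif ev["kind"] == "reply":
            client, server = ev["dst"], ev["src"]
            sig = pending.pop((client, server), None)
            if sig is None or ev["status"] >= 400:
                continue               # nothing pending, or match + error code = no alert
            alerts.append(f"{client} -> {server}: {sig} succeeded (HTTP {ev['status']})")
    return alerts                      # matches with no reply stay pending (timeouts omitted)


# Constructed event stream: three IIS-targeted attack signatures (against an
# Apache host; answered with 404; answered with 200), then a two-stage attack
# plus a third distinct signature from the same source.
EVENTS = [
    {"kind": "sig", "src": "198.51.100.7", "dst": "10.0.0.5", "sig": "iis_http_attack", "targets": "iis"},
    {"kind": "sig", "src": "198.51.100.7", "dst": "10.0.0.6", "sig": "iis_http_attack", "targets": "iis"},
    {"kind": "reply", "src": "10.0.0.6", "dst": "198.51.100.7", "status": 404},
    {"kind": "sig", "src": "198.51.100.8", "dst": "10.0.0.6", "sig": "iis_http_attack", "targets": "iis"},
    {"kind": "reply", "src": "10.0.0.6", "dst": "198.51.100.8", "status": 200},
    {"kind": "sig", "src": "198.51.100.9", "dst": "10.0.0.5", "sig": "sig_A"},
    {"kind": "sig", "src": "198.51.100.9", "dst": "10.0.0.5", "sig": "sig_B"},
    {"kind": "sig", "src": "198.51.100.9", "dst": "10.0.0.5", "sig": "ftp_site_exec"},
]

if __name__ == "__main__":
    for line in correlate(EVENTS):
        print(line)
```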
Stateful is good?
How to design an IDS
– Performance
– Statefully powerful??