Network Intrusion Detection: An Analysis Handbook

Thanks to D3 for reviewing Stephen Northcutt's Network Intrusion Detection: An Analysis Handbook. Recently published, this book is designed for those of you trying to keep people outside of your machines. Click below for more. Network Intrusion Detection: An Analyst's Handbook author Stephen Northcutt pages 267 publisher rating 8/10 reviewer D3 ISBN summary Any company or group that is serious about doing Intrusion Detection should read this book. Background

I have been learning about real computer and network security since January of this year. Thankfully I have been working under someone who really knows his stuff and once worked with the author, Stephen Northcutt. I have attended SANS '99 in Baltimore and will be at the New Orleans conference in October. I am by no means an expert on security or cracking. However, it is one of the most interesting aspects of what I do. I feel this book will be an essential tool in my career development.

To me the field of computer network security seems like a blossoming flower. Yes, people have been hacking, cracking, and fixing systems since the dawn of computing. However, I firmly believe once the we have recovered from the Y2K hangover, security will be the big buzz. You can already see it happening in the media with the attention certain incidents have had.

So where does Northcutt's book fit in? If you are an admin charged with securing the way your company interacts with other companies, the internet, your internal employees, e-mail, etc. this book can be an excellent resource. Keep in mind that Intrusion Detection is not a starting point. It is an integrated part to the overall picture. Having cool intrusion detection at your site does little good if you don't even have a decent firewall, acceptable use policies, e-mail filters, safe CGI's on your web, and current patch levels to your systems. Yes, you will be able to know where you were cracked from but you will have still been cracked. Likewise, if you don't understand networking and protocols to an advanced admin level this book may be a bit intimidating.

A search for Network Intrusion Detection on Amazon on Monday showed me a total of 3 titles on the subject and Northcutt's was one of them. He is certainly an expert in the field, having been the lead on the Navy Shadow Intrusion Detection Team for DoD, as well as being the current Chief Information Warfare Officer for the U.S. Ballistic Missle Defense Organization.

The Book

The best advice on how to get the value out of this book comes from the opening of chapter 6 which reads "If you do not have a lot of experience with Internet Protocol (IP), here's a suggestion to get the most out of this book: read Chapters 6, 7, and 8 twice." Northcutt starts out with a review of the Mitnick attack on Tsutomu Shimomura's system. The format of using real world examples carries throughout the rest of the book. His writing style is much the same as his lectures at SANS. He draws you in to interact with the examples he has chosen. Instead of just pointing out what he wants you to see he will ask you to think about what part of a given signature is important. Then he'll ask you to go back and look again for what he feels important. I wish textbooks in college were written this way because it helped me learn.

Included with Ch. 1 is a review of TCP/IP packet structure. Chapter Two carries on with introducing signatures and filters. This clearly explains how to tell what particular attack the script kiddie used to bring down your site. The chapter on Architectural Issues is a nice overview of sensor placement, hardware, and other implementation factors. This comes off as a little light with respect to comparing and contrasting, especially with regard to choice of OS. To be fair, these generalities will probably help keep the book relevant in the ever changing world of OS/Hardware combo. The final two chapters prior to the critical 6, 7, and 8 trio, deal with important factors to consider a good IDS solution should have and a review of known commercial and government software. Unfortunately the rapid changes involved in this field prevent a complete overview of all the available products out there. My suggestion is to read Ch. 4 more closely if you are about to make a decision on an IDS. It will help you ask the right questions to get the solution which will best suit your needs.

As I alluded to above, Chs. 6 through 8 are the guts of the book. The tcpdumps give you a real insider's view of what some classic attacks look like. Again, Northcutt is very thourough in what he presents. The exploits, like the IDS solutions, are also an ever evolving series and there is no way to write a book to cover them all. The point here is to begin to educate the eyes of the analyst. Only someone who has an idea of what traffic is normal versus what smells can hope to make good decisions when it comes to sounding the alarm. As Northcutt points out, sometimes the difference is as subtle as what port is being used. He is encouraging in that you can find the signature "fingerprint" of a given attack. He even admits that there are strange patterns he's seen but has not yet solved what tool or script was used to generate them.

Chapter 9's Introduction to Hacking takes you from the target to the attacker. With data from a crack where the attacker forgot to remove the history file, you can see how quickly a box can be 'owned'. Ten gives a look into coordinated attacks while Eleven shows some of the tools of the trade. The final chapters deal with convincing management to do things the right way and gives a taste of where IDS is heading. I don't mean to downplay the importance of these chapters. Keep in mind that the best way to play with cool toys on your job is to have management backing!

Summary

Any company or group that is serious about doing Intrusion Detection should read this book. Northcutt's tongue in cheek humor keeps things from getting too heavy. His reference to the best remote NT administration tool being a car had me chuckling for a while. The information provided is very thorough. His examples are clear and informitive. The areas where I wanted more information, he provides links to help follow up. I wouldn't be surprised if crackers used this as a reference to develop ways around detection and so the cycle will continue. I should also add the book went through technical review by Tim Aldrich, M. Dodge Mumford (of NFR), Judy Novak, and Larry Paccone.

Purchase this book at Amazon.

Contents

Acknowledgments

Tell Us What You Think

Introduction

Shadow History

Shadow Friends

1. Mitnick Attack

2. Introduction to Filters and Signatures

3. Architectural Issues

4. Interoperability and Correlation

5. Network-Based Intrusion Detection Solutions

6. Detection of Exploits

7. Denial of Service

8. Intelligence Gathering Techniques

9. Introduction to Hacking

10. Coordinated Attacks

11. Additional Tools

12. Risk Management and Intrusion Detection

13. Automated and Manual Response

14. Business Case for Intrusion Detection

15. Future Directions

Index

Get Real

[Skyshadow]

Yeah, bud. The next time I build a Linux server for one of my buddies with a cable modem who wants IP masq, I'll be sure to bring in some consultant at $120 and hour to do an "official" review of my security.

Besides, the *only* way to really know how to secure systems is by trying to bust into them. Some of us call it White Hat Cracking, other just call it common sense. The first thing I do when I think I'm done setting up a network is to pound the hell out of it every way I know how. Generally, if I can't get in, neither can 99% of the baddies out there.

You'll never stop the script kiddies from having access to this info -- making it illegal will only keep it out of the hands of people who need it the most - admins. Security through obscurity is BS; read Cliff Stoll's "The Cuckoo's Egg" if you need an object lesson as to why.

----

Re:Ping attacks?

[Skyshadow]

The best thing I know to do (short of a counterstrike, which raises liability issues) is to block 'em at the router. It's a pain, but it's not really difficult. This is probably the problem of your upstream provider, unless you're MCI or something.

----

Re:Excellent timing

[dattaway]

Take a trip to rootshell for some good reading about security. Its a great site that shows what is vulnerable and what deserves attention.

Are you nuts?

[CrAlt]

So everyone running a server needs to get a license to be safe? Whats to keep a cracker from getting a license? If he did he would own the internet, all those 1000's of unlicensed systems out there would be open to him.

And who would get the license fee? You? The US Govmt?

Re:Intrusion Detection FAQs

[Dagmar+d'Surreal]

Actually, after reading further down, I suggest people just skip that document entirely. It's heavily flawed, and it's not going to do anything but confuse newbies. (Although it may make experienced system administrators chuckle a bit.)

Low cost, complete IDS

[RobertGraham]

At http://www.networkice.com, you can buy a $40 intrusion detection system (BlackICE Defender) for Win95-WinNT that detects over 300 different intrusions (listed at http://advice.networkice.com/advice/ intrusions. It also comes with a built-in firewall that's actually managed by the IDS component (i.e. somebody attacks your personal web server, then he IDS component reconfigures the firewall rules).

The reason its sold for $40 rather than $4000 is that it runs "non-promiscuous". The personal version is just the "Sentry" version with the sniffing component removed.

Doesn't work on Linux, though :-( But it will detect/block intrusions if the Windows box is used as a router (though that violates the license agreement, it doesn't check).

Re:Examples would make the book..

[D3]

I guess this wasn't clear from what I wrote. The examples he uses are compiled from real world incidents. He only cleans the data in some cases to keep you from knowing which real IP address it was.

Re:....

[d0dge]

You may also want to check out Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response by Edward Amoroso. I think it's a good introduction to the topics which covers a bunch of the theory behind this stuff.

I've also looked at Intrusion Dection: Network Security Beyond the Firewall by Terry Escamilla, and it's not bad.

I know I've got another book lying around somewhere, but I can't find it and don't remember who wrote it. :(

"IT is easy to run a secure computer system. You merely have to disconnect all dial-up connections and permit only direct-wired terminals, put the machine and its terminals in a shielded room, and post a guard at the door." - F.T. Grampp and R. H. Morris.

Re:Some Advice.

[dennisp]

Actually, I use a slightly modified version of AIDE. It has the same feature set as tripwire as well as a couple of other features. Search on freshmeat with the keyword 'tripwire' and you'll get many similar utilities.

As well as that, I run a tty watching daemon that monitors user commands and pages me and mails a message if someone tries something especially stupid. I also have the regular userland jailed to prevent regular users from doing something stupid as well.

Another tip for the real sysadm nazi is to mount the filesystem with system commands as read only so that idgits can't install their handy rootkit that prevents you noticing what they are doing.

As well as that, you could also set it up to log certain breaking attempts and to automatically send mail to the set arin administrator of that ip range. That sometimes works and is satisfying when I get a reply back stating that the user doing such a thing was deleted (though you'll never get a response if it is a large ISP and doesn't care at all [see uunet dialup users and no responses for repeated spammers and breakin attempts]).
----------

Re:Ping attacks?

[dennisp]

Yes exactly. You have to get the packets filtered at the backbone provider though. It only makes matters worse when the DoS kiddie brings down your small ISP's (if you have one) entire network. Also note that we're talking about icmp echo-reps that come with smurf, not icmp echo's that would come with a ping attack. Why? Because it's almost impossible for someone to mount such an attack unless you only have a t1 and they have 20 shells. Now, if you're getting a genuine ping flood, you can do something about that (though it won't necessarily help much unless you pay by line traffic). Then there is the syn attack. Of course, you should already have all ports that shouldn't be available to external users closed. I'd recommend only opening privileged ports to certain ip ranges. This includes ssh, telnet, x, and other administrative ports. Anyway, the fewer ports abusive users have to attack, the better. The only useful way to stop syn attacks is to limit syns, or to drop ip addresses flooding (that is of course assuming they aren't spoofed addresses). If you're getting flooded with spoofed syn attacks, you're pretty much screwed, unless your operating system or firewall software will dynamically drop excess syn packets. The only patch I've ran into for this is for FreeBSD 3.x, and you can get it here That text file also includes an explanation as to its use in a bugtraq message. Note that you can also limit all ICMP packets to an arbitrary number in FreeBSD with options ICMPLIMIT. Oh yeah, and if you're constantly getting flooded with syn or ICMP packets, then you've either pissed a lot of people off, or you have idiot users on IRC losing you a heck of a lot of money. So get to the root of the problem as well as preparing yourself.
----------

Re:Free NIDS

[dennisp]

Realsecure is a nice complement to the system, yes. However, if you run a large network, it isn't the only thing you should be doing. How much do they update realsecure? There are sure to be many security vulnerabilities that ISS doesn't know about weeks or months before they add that support into the realsecure security scanner.

In other words, use it as a complement to a large network with hundreds of machines not all administrated by you -- but don't think that by itself will stop all problems.
----------

Surefire ways

[Scurrilous+Knave]

The only sure-fire way to keep people OUT of your machine is to keep yourself from being connected in the first place.

And the only surefire way to prevent pregnancy is abstinence. Yet there is a thriving contraception business. Y'see, what we really want to do is have sex, and be connected, and minimize the risk as much as possible. There's a nice wide gap between "surefire" and "please crack me cuz I'm an idiot" and that's where I want to build my house.

And while we're at it, cutting the wire is not a surefire way, either. Several years ago, a nasty little Gollum of a burglar stole my machine and the two hundred-odd floppies that made up my software development archives. I was left with only the sadly out-of-date safety-deposit-box copies, and one box of diskettes that I had taken into another room to riffle through, as memoirs of almost three years worth of design and coding. Ah, hell, most of it was crap anyway, and as fast as PCs were changing, it was all for the best, but I didn't think so at the time.

So, in summary, the only surefire way to keep people out of your computer is not to have one. And that sucks almost as much as not being connected. Or not having sex.

Free NIDS

[DoomHaven]

For those of you who are interested, there is a trial version of ISS's Real Secure, which is a very good intrusion detection system; it's the best I have ever seen and used.

I fully agree that IDSs work best as a part of a greater security infrastructure. This technology is the perfect complement to firewall, just as internal alarm system complements a locked door. How many people *here* would trust only a locked door to protect their computer?

BTW: there are versions of RealSecure (agent, for sure, and I think manager to) that run on NT, Solaris, and (drum roll, please) LINUX, so check it out!

Very Good Read

[lw54]

I highly recommend this book. I enjoyed every minute of this book and I feel that people can get a lot out of it no matter what their security knowledge is. Go read it!

Licensed

[$nyper]

"This kind of information should only be traded among LICENSED security consultants "

Hey guy, I don't mean to burst your bubble but the crackers/hackers that you really should be worried about are security consultants and such. The dangerous ones are those good guys who got stepped on or just got plain bored one day. Don't worry about the script kiddies they are for the most part a harmless pain the butt.

"(yes, we need licensing) because... this is dangerous stuff."

Remember what crackers/hackers are really all about, knowledge and the demand for free access to information. You close that door in their face and you might as well be throwing out propoganda for a cyberspace riot.

Rerouting IP Traffic

[$nyper]

Rerouting IP Traffic

The idea that states you should get your ISP envolved is a good one. But you can also set your server up to reroute packets when your server is flooded with ip requests. Most people will reroute the traffic to a fake address in the 192.168.x.x or 10.x.x.x address ranges alotted for NAT. But I guess if your ISP refuses to help like mine did, you could reroute the traffic to their main webserver and see how long it takes them to respond to your request for help. Exactly 6 hrs and 3 DoS attacks later I was conntacted by the one of their senior network engineers. He informed that they would gladly look into the DoS matter if I would stop rerouting traffic to their site. HEHE... Diplomacy is way overrated!

Rerouting the traffic will only do so much, even with a well designed plan for rerouting flood traffic your servers are still vulnerable to DoS. But if you reroute the traffic you will more than likely discourage those plebes who don't understand why their DoS attack wasn't effective in the first place.

Re:Rerouting IP Traffic

[terry]

As an administrator of a couple mid sized ISP's I think your approach is not only detrimental to the entire Internet but plain childish.

Most often the souce of the packets is spoofed and therefore very hard to block while still allowing normal traffic to come through. ISPs don't mind getting involved in helping to find the source of the problem but you must realize that they aren't the problem. This is akin to getting mad at Greyhound for the derelicts they keep dropping off in your neighborhood.

Your ISP is affected by this just as much as you are. ISPs do not, and cannot, buy enough bandwidth to support everyone at full speed. If an ISP sells 10 T-1's to customers chances are the ISP will only have the equivilant of 7 or 8 T-1's of bandwidth to the Internet. It's economically impossible to not oversell bandwidth. Because of this an attack to your connection that goes across the network of your ISP is using precious bandwidth.

You need to get in contact with hte ISP and give them as much data as you can. Simply calling and saying "it don't work" or something along those lines will not get to a solution as fast as getting some details and passing them along. You also need to realize that the ISP is probably just going to figure which incoming Internet connection this is coming from and call his upstream provider giving them the same information you gave. At this point the ISP can no longer do much about it except follow-up. And if you've ever dealt with a Telco or a bigger NSP you'll know how slow and incompetent these guys can be.

Your approach of just IP forwarding the packets to the ISP is not unlike finding unwanted garbage in your lawn and just tossing it to the neighbors lawn.

Re:Off-topic is myopic

[Alban]

Hmmmm, I must admit I don't see how a ping flooding question can be off topic when the subject was a network intrusion book.

Maybe they are being VERY picky and ping flooding was considered off topic since it's not an intrusion attack but rather a DoS attack? :)

Bah, just keep in mind that slashdot's system randomly assigns moderating rights to some users for a very limited amount of time. I guess the system is good in general, and like all systems sometimes weird people are given moderation rights (for a short while luckily). It's just frustrating for you since you are the victim, but in general it works ok.

(and yes, my post is definitely off topic)

FYI: Free IDSs

There are some free (GPL) IDSs that are pretty good. If you're interested in examining the internal workings of IDSs, these might be a good place to start.

There's one called Snort that's pretty neat at http://www.clark.net/~roesch/security.ht ml

PortSentry is a port scan detector that can be found at http://www.psionic.com/abacus/portsentry

Northcutt's SHADOW project stuff is at http://www.nswc.navy.mil/ISSEC/CID/

Examples would make the book..

[Thomas+Charron]

Using REAL WORLD examples would really, REALLY make the book. It gives something to 'link' what your trying to grasp to real world implications. I think this is something many technical books on this topic lack.

I'm going to have to check this one out.

Re:Ping attacks?

[dattaway]

What can you do if your bombarded by constant ping attacks?

I'm not a sysadmin, nor do I play one on TV, but if you are getting a denial of service, contact your ISP and let them look into it. If they are incompetent pushbutton droids, change to a more enlightened localy owned service that are usually staffed by college students and other smart nerds. If even that isn't an option, well, all I can say is that your ISP only knows the source as pings can be spoofed. Leave them if they don't care about your service.

My recent experience.

[The+Evil+Dwarf+from]

Saturday a system I built at home got cracked. This was largely my fault as I had installed RedHat 5.1 (I left my other distros at the office). I was in the process of downloading 6.0 when a script kiddy came in through the inetd hole. I noticed the introsion when my system response went into the toilet. (He had started a port scanner on the class A subnet 209.0.0.0. I caught it shortly after it started)
I had shadow passwords enabled, but they overwrote /bin/login to disable them. They also mucked up all of the system commands too. The stupid things is they didn't even touch my log files, which were in the default location as I had just finished building the system. I have a complete view of the intrusion since they didn't even delete .bash_history. Also the secure log has a complete view of the attack since it took them a couple of hours to crack the box.

Just goes to show that even after year of admin experience, anyone can get cracked when they do dumb things.

New Riders link

[D3]

Just wanted to point out that the link under Publisher says D3 but I have _no_ affiliation with New Riders publishing. Also, the proper link should be: www.newriders.com

Excellent timing

[Scurrilous+Knave]

I just got cracked a couple of weeks ago, and a colleague got owned twice in close succession shortly thereafter. And neither of us knows how the intruders gained entrance, including the third time which was on a freshly-installed brandy-new system with nearly every available security upgrade in place. Two days after his second intrusion, my colleague saw a new CERT advisory that may explain how we were penetrated. But it's only a guess.

While buying this book is certainly on our agenda now, we were both wondering if there was any useful information currently on line about the subject. Most of the security stuff I could find was aimed squarely at prevention rather than detection and tracking. While that's a laudable goal, once you've been cracked, it would be nice to know who did it and how.

Not that I would track the little rat weasels down and wear their hides for coats, but knowing which hole to plug first, or again, would make me sleep better at night and urinate more freely during the day. Or is it the other way 'round?

Intrusion Detection FAQs

[RobertGraham]

If you are interested in this book, you might like the FAQs on my site. These documents describe intrusion detection in detail, and are really useful in "forensics", studying the evidence of the attack.

Network IDS FAQ
This document explains how network intrusion detection systems works and how to use them.

firewall-seen FAQ
This document answers the age old question "I'm seeing XXXX on my firewall, what does it mean?". It also applies to intrusion detection system, it describes today's most common attacks, why the attacker is doing them, and which ones may be false-positives.

Sniffing/wiretap FAQ
Describes how "sniffing/wiretap/eavesdropping" works, which is the technology that IDS is base upon. Also describes how to analyze packets in detail, because when you get attacked, you NEED to be able to pull out a protocol analyzer and look at the attack.

Some Advice.

[dennisp]

Ok, I admit, I did some cracking back when i was 15. My advice to most admins would be to actually close all services to all but those machines that actually need the service. Do you really want to give the entire world a free chance at taking over one of your systems because you wanted to open a certain service to one or two people? What you should really do, is close everything except the absolutely needed ports (httpd, imap, pop3, smtp) and watch those closely. If you absolutely need un-ip-restricted access to a network, set up one box with ssh open, with nothing else on it, then allow that ip to connect to all your other boxes running the other services.

You also have to keep up on bugtraq. However, that's not going to always help, as people have a lot of these exploits weeks and even months before someone posts the vulnerability there. So that's where intrusion detection comes in. Tripwire and other nice programs work pretty well. You should probably also do a remote syslog or immediate mailings when problems are detected. This includes users or intruders editing or modifying files they shouldn't be, contacting remote ports they shouldnt be, having a local ethernet interface on promiscuous mode, immediate pager or mailing for commands that shouldnt be executed, such as su (use the command yourself, but copy it to another file name, so if someone else uses it, you know its unauthorized).

Now, if your problem is local authorized users, then you can do many things. You can, again, set up some intrusion detection -- or even a jailed login so you can minimize the damage that they can do once logged in. That, as well as limiting how man processes and memory users can take up, just in case you're worried about fork attacks or you just dont want your users using excessive resources.

heh, anyway. Have fun.

----------