Intrusion Detection System FAQ (complete)
Created: 2002-08-24
Article status: compiled
Source: Www.cnsafe.net
Submitted by: Mayi (Mayi99_at_263.net)
1. Introduction
- How do intruders get into a system?
- Why are intruders able to break into systems?
- How do intruders obtain passwords?
- What does a typical intrusion look like?
- What are the common types of intrusion?
- What is an exploit?
- What is reconnaissance?
- What is a denial of service (DoS)?
- How dangerous are today's attacks?
- Where can I find statistics on current attack activity?
2. Architecture
- How are intrusions detected?
- How does a NIDS distinguish intrusions in the incoming traffic?
- What does a NIDS do once an attack has been detected?
- What other systems are similar to a NIDS?
- Should I install a NIDS on my network?
- How does an IDS fit with the other parts of a security architecture?
- How do I detect whether an IDS is running?
3. Countermeasures
- How do I improve intrusion detection and prevention under Windows NT?
- How do I improve intrusion detection and prevention under Windows 95/98?
- How do I improve intrusion detection and prevention under UNIX?
- How do I improve intrusion detection and prevention under Macintosh?
- How do I improve intrusion detection and prevention across the enterprise?
- How do I implement intrusion detection within the company?
- What should I do after being attacked?
- Someone says they were attacked from my machine; what should I do?
- How do I collect enough evidence against an intruder?
4. Products
- What freeware or shareware intrusion detection systems are there?
- What commercial intrusion detection systems are there?
- What is a "network grep" system?
- What tools do intruders use to break into my system?
- Should I care about other kinds of intrusion detection systems?
6. Resources
- Where can I find out about new system vulnerabilities?
- What other resources cover security and intrusion detection?
- Which sites are worth visiting?
7. IDS and firewalls
- Why do I need an IDS if I have a firewall?
- If I have intrusion detection, do I still need a firewall?
- Where does an IDS get its information? From the firewall?
8. Implementation guide
- What should I ask an IDS vendor?
- How do I keep the system maintained on an ongoing basis?
- How do I stop inappropriate web browsing?
- How do I build my own IDS (write the code)?
- Is a NIDS legal, given that it is essentially a wiretap?
- How do I protect log files from tampering so they remain usable as evidence?
9. NIDS limitations
- Switched networks (an inherent limitation)
- Resource limitations
- Attacks against the NIDS itself
- Simple causes
- Complex causes
- Tools
10. Miscellaneous
- What standards / interoperability efforts exist?
11. Honeypots and deception systems
- What is a honeypot?
- What are the advantages of honeypots?
- What are the disadvantages of honeypots?
- How do I set up my own honeypot?
- What types of honeypots are there?
- What are the positive and negative effects of building a system that is meant to be attacked?
- Are there examples of people using honeypots?
- What honeypot products are there?
- What is deception?
1. Introduction
1.1 What is a network intrusion detection system (NIDS)?
An intrusion is an attempt by someone (called a 'hacker' or 'cracker') to break into or misuse your system. The word 'misuse' is very broad: it covers anything from stealing confidential data to something minor such as abusing your e-mail system to send spam (although for many of us that is the main concern).
An intrusion detection system (IDS) is a system for detecting such intrusions. For the purposes of this FAQ, IDSs fall into the following categories:
Network intrusion detection systems (NIDS) monitor the packets on the network wire and try to discover a hacker/cracker attempting to break into a system (or to mount a denial of service attack). A typical example is a system that watches for a large number of TCP connection requests (SYNs) to many different ports on a target host and so discovers that someone is performing a TCP port scan. A NIDS can run on the target host itself and watch its own traffic (usually integrated into the protocol stack or the services themselves), or on an independent host watching all the traffic on the network (hub, router, probe). Note that a "network" IDS monitors many hosts, whereas the other kinds monitor only the single host they are installed on.
System integrity verifiers (SIV) monitor system files to find whether an intruder has changed them (possibly leaving a back door). The most famous such system is Tripwire. A SIV should also be able to monitor other components, such as the Windows registry and the cron configuration, in order to find well-known signs of intrusion. It should also detect when an ordinary user somehow acquires root/administrator privileges. Many products in this area should be considered tools rather than systems: tools like Tripwire detect changes to critical system components but cannot produce real-time alerts.
Log file monitors (LFM) monitor the log files generated by network services. Like a NIDS, these systems look for patterns in the log files that suggest an intruder is attacking. A typical example is a parser for HTTP server log files that looks for intruders trying well-known holes, such as the 'phf' attack. An example is swatch.
Deception systems (including decoys, lures, fly-traps and honeypots) contain pseudo-services whose purpose is to emulate well-known holes in order to trap hackers. See the Deception Tool Kit at http://www.all.net/dtk/ for an example. You can also simply rename the NT administrator account and set up a dummy account of that name with extensive auditing. There is more on deception systems later in this document. See also http://www.enteract.com/~lspitz/honeypot.html.
For more information, see http://www.icsa.net/idswhite/.
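The port-scan detector sketched above (many SYNs to many ports on one host), as an added example in Python that is not part of the original FAQ; the packet summaries and addresses are constructed so it runs offline:

```python
# Added example (not from the original FAQ): a minimal NIDS-style detector
# for the TCP port scan described above. It runs over a constructed list of
# packet summaries instead of a live tap, so it works offline.
from collections import defaultdict

# Constructed sample: (timestamp_sec, src_ip, dst_ip, dst_port, tcp_flags).
# A scanner at 10.0.0.5 probes 12 ports on 192.0.2.10 in just over a second...
SCAN_PORTS = [21, 22, 23, 25, 53, 79, 80, 110, 111, 143, 443, 8080]
SAMPLE_PACKETS = [(100.0 + i * 0.1, "10.0.0.5", "192.0.2.10", p, "S")
                  for i, p in enumerate(SCAN_PORTS)]
# ...while an ordinary client at 10.0.0.7 opens many connections to port 80
# and one to 443 over a minute, and the server's SYN/ACK replies flow back.
SAMPLE_PACKETS += [(200.0 + i * 5, "10.0.0.7", "192.0.2.10", 80, "S")
                   for i in range(12)]
SAMPLE_PACKETS += [(205.0, "10.0.0.7", "192.0.2.10", 443, "S")]
SAMPLE_PACKETS += [(200.1 + i * 5, "192.0.2.10", "10.0.0.7", 40000 + i, "SA")
                   for i in range(12)]


def detect_syn_scans(packets, port_threshold=10, window=5.0):
    """Return {(src_ip, dst_ip): sorted ports} for every source that sent
    pure SYNs to at least `port_threshold` distinct ports on one host within
    any `window` seconds. Many SYNs to one port (a busy client) is not a scan;
    SYN/ACK replies are not connection attempts and are ignored."""
    attempts = defaultdict(list)            # (src, dst) -> [(ts, port), ...]
    for ts, src, dst, port, flags in packets:
        if flags == "S":                    # SYN without ACK: a new attempt
            attempts[(src, dst)].append((ts, port))

    alerts = {}
    for key, events in attempts.items():
        events.sort()                       # order by timestamp
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans <= `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= port_threshold:
                # report every port this source touched, not just the window
                alerts[key] = sorted({p for _, p in events})
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_syn_scans(SAMPLE_PACKETS).items():
        print("ALERT: TCP port scan from %s against %s, ports %s" % (src, dst, ports))
```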
1.2 Who is misusing systems?
There are two words to describe attackers: hacker and cracker. Hacker is a general term for people who like to get into things. Benign hackers are those who like to get into their own computers; malicious hackers are those who like to get into other people's. Benign hackers wish the media would stop using 'hacker' for all the bad guys and use 'cracker' instead; unfortunately this has not caught on. In any case, the word used in this FAQ is 'intruder', meaning anyone who tries to get into other people's systems.
Intruders can be divided into two categories:
Outsiders: intruders from outside your network who attack your external presence (defacing web servers, relaying spam through the e-mail server, and so on). Outside intruders may come in from the Internet, dial-up lines, physical break-ins, or a partner network linked to your network (vendor, customer, reseller, etc.).
Insiders: intruders who legitimately use your internal network. This includes users who misuse their privileges (such as a social security employee misusing access against someone they dislike) and those who impersonate other users (for example by using someone else's terminal). A frequently quoted statistic is that 80% of security problems involve insiders.
There are several types of intruders: 'joy riders' hack just because they can; 'vandals' aim to cause damage or deface web pages; 'profiteers' have a purpose, such as taking control of the system or stealing data.
1.3 How do intruders get into a system?
The main ways intruders get into systems are:
Physical intrusion: if the intruder has physical access to the host (for example they can use the keyboard or take the machine apart), they will be able to get in. Techniques range from using console privileges all the way to physically dismantling the system and removing the disk (to read/write it on another machine). Even BIOS protection is easy to bypass: virtually all BIOSes have back door passwords.
System intrusion: this type of intrusion assumes the intruder already has a low-privilege user account on the system. If the system has not had the latest security patches applied, the intruder has a good chance of using a well-known exploit to gain administrator privileges.
Remote intrusion: this type of intrusion involves an intruder who gets in across the network, starting with no privileges at all. It takes many forms; for example, the intrusion is much more complicated if there is a firewall between the intruder and the victim host.
Note that network intrusion detection systems are mainly concerned with remote intrusion.
1.4 Why are intruders able to break into systems?
Software always has bugs. System administrators and developers can never find and fix all possible holes. An intruder only needs to find one hole to break in.
1.4.1 Software bugs
Software bugs exist in server daemons, client programs, operating systems, and the network protocol stack. They can be divided into the following classes:
Buffer overflows: almost all the security holes you read about come down to this. A typical example is a programmer who sets aside a 256-character buffer to hold a username, thinking that nobody will ever have a name longer than that. The hacker, however, asks: what happens if I enter a bad username? Where do the extra characters go? If the hacker gets it just right, they can send 300 characters, including code that the server will execute, and they are in. Hackers find these bugs in several ways. First, the source code of many services is published on the net, and hackers routinely read it looking for programs with buffer overflow problems. Second, hackers can read the program itself looking for problems, although reading compiled code is genuinely hard. Third, hackers examine every input the program accepts and try to overflow it with random data; if the program crashes, there is a good chance the hacker can craft input that lets them in. Note that this problem is common in programs written in C/C++ but rare in Java programs.
Unexpected combinations: programs are usually built from many layers of code, with the operating system as the bottom layer. Intruders can often send input that is meaningless to one layer but meaningful to another. The most common language for handling user input on the web is Perl, and Perl programs often hand that input to other programs for further processing. A common hacker technique is to enter the string "| mail /etc/passwd". This gets executed because the operating system launches an additional program to handle the input: it interprets the pipe character "|" according to its own semantics and starts the "mail" program, with the result that the password file is mailed to the intruder.
Unhandled input: many programs are written to handle valid input, and many programmers never consider what happens when someone supplies input that does not match the specification.
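The "unexpected combination" and "unhandled input" problems above, as an added example in Python that is not part of the original FAQ: the unsafe form hands user input to a shell, the safe form validates the address and builds an argument vector so no shell parses it. ADDRESS_RE and the mail invocation are assumptions for illustration.

```python
# Added example (not from the FAQ): the "unexpected combination" hole above,
# rewritten in Python. The unsafe version hands user input to a shell, which
# interprets '|' as a pipe; the safe version validates the address strictly and
# builds an argument vector so no shell ever parses the input.
import re
import subprocess

# A strict address shape (assumed). The first character must be alphanumeric
# so the address can never be mistaken for a command-line option (e.g. "-s"),
# and no shell metacharacter ('|', ';', '`', '$', '<', '>', space) can match.
ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def unsafe_shell_command(address):
    """What the vulnerable CGI effectively executes: one string handed to
    /bin/sh, which parses '|' and ';' itself. Returned, not run, so it
    can be inspected."""
    return "mail " + address


def validate_address(address):
    """True only for input that matches ADDRESS_RE; anything else is rejected
    before it reaches any other layer of the system."""
    return bool(ADDRESS_RE.match(address))


def safe_argv(address):
    """Argument vector for the mail program. The address is a single argv
    entry that is never re-parsed by a shell. Raises ValueError on input that
    fails validation, so the caller cannot forget to check."""
    if not validate_address(address):
        raise ValueError("rejected address: %r" % address)
    return ["mail", address]


def send_mail(address, body):
    """Assumed helper: invoke the system mail program without a shell."""
    return subprocess.run(safe_argv(address), input=body.encode(), check=True)
```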
Race conditions: most systems today are multitasking/multithreaded, meaning they can run several programs at once. It is dangerous when two programs access the same data at the same time. Imagine two programs, A and B, that both need to modify the same file. To make the change, each program reads the file into memory, changes the contents in memory, and then copies memory back to the file. A race condition occurs when program A has read the file into memory and made its change, but program B runs and reads and writes the file before A writes its copy back. Now program A copies its memory to the file; because A started before B's modification, all of B's changes are lost. Because the intruder has to get the execution order exactly right, race conditions are rare; intruders often have to try thousands of times before they get in.
1.4.2 System configuration
System configuration bugs can be divided into the following categories:
Default configurations: many systems are delivered to customers with default configurations chosen for ease of use. Unfortunately, "easy to use" means "easy to break into". Almost every UNIX and Windows NT system as delivered can be attacked easily.
Lazy administrators: an astonishing number of hosts are configured with no administrator password. This happens because the administrator is too lazy to set one right away and just wants the system up and running as fast as possible; unfortunately they never come back to set one, and the intruder walks straight in. One of the easiest things an intruder can do is scan all the machines looking for one with no password.
Hole creation: virtually any program can be configured in an insecure way, and administrators sometimes open a hole on a host themselves. Most administration manuals recommend turning off every program and service that is not absolutely necessary, to avoid accidental holes. Note that security audit packages can usually find these holes and alert the administrator.
Trust relationships: intruders often use "island hopping" to attack a network through its trust relationships. A network of hosts that trust each other is only as secure as its weakest link.
1.4.3 Password cracking
This is a special category of its own.
Really weak passwords: many people use their own name, their children's names, their spouse's name, a pet's name, or the model of their car as a password. Some users use "password", or simply nothing at all. This gives the intruder a list of about 30 possibilities that can be typed in by hand.
Dictionary attacks: when the above fails, the intruder moves on to a "dictionary attack". In this method the intruder uses a program to try every word in a dictionary. A dictionary attack can work either by repeatedly attempting to log in, or by collecting the encrypted passwords and trying to match them against an encrypted copy of the dictionary. Intruders usually use an English dictionary or dictionaries of other languages, plus additional dictionary-like databases such as lists of names and common passwords.
Brute force attacks: similar to a dictionary attack, except that the intruder tries every combination of characters. A 4-character password of lowercase letters (about 500,000 possible combinations) can be cracked in a few minutes. A long password made up of letters, digits and punctuation (100 trillion possible combinations) can be cracked within a month if the attacker can try 1 million combinations per second. (In practice a single machine can try a few thousand per second.)
1.4.4 Sniffing insecure traffic
Shared media: on traditional Ethernet, a sniffer placed on the wire can see all the traffic on the segment. This is becoming harder now that more companies use switched Ethernet.
Server sniffing: even on a switched network, if you can install a sniffer on a server (especially one acting as a router), you can use the information obtained to attack client hosts and trusted hosts. For example, you may not know a user's password, but by sniffing the Telnet session when he logs in, you will get it.
Remote sniffing: a large number of hosts can be monitored through RMON with a public community string. Although the bandwidth is very low (you cannot sniff all traffic), this presents interesting possibilities.
1.4.5 Design flaws
Even when a piece of software is implemented completely correctly, it can still let intruders in because of bugs in its design.
TCP/IP protocol flaws: the TCP/IP protocol was designed before we had much hacking experience, and as a result it has many design flaws that cause security problems. Examples include smurf attacks, ICMP unreachable disconnects, IP spoofing, and SYN floods. The biggest problem is that IP is very trusting: hackers are free to forge and alter IP data. IPsec was designed to solve many of these flaws, but it is not yet widely deployed.
UNIX design flaws: UNIX has many inherent flaws that cause its systems to be broken into frequently. The main problem is the permission control system, in which only "root" holds administrator privileges. As a result:
1.5 How do intruders get passwords?
Intruders obtain passwords in the following ways:
Cleartext sniffing: some protocols (Telnet, FTP, basic HTTP) use cleartext passwords, meaning they are not encrypted in transit between client and server. An intruder with a protocol analyzer can watch such passwords on the wire. No further effort is needed; the intruder simply logs in with them.
Encrypted sniffing: many protocols use encrypted passwords. In this case the intruder has to run a dictionary or brute force attack against the password to try to decrypt it. Note that you cannot detect this intruder, since he/she is completely passive and transmits nothing on the wire; the password cracking is done on the intruder's own machine, and nothing is sent on the wire until the intruder authenticates.
Replay attacks: in many cases the intruder does not need to decrypt the password at all. They can simply replay the encrypted form to log in to the system. This usually requires recoding the client software to use the encrypted password.
Password file theft: the entire user database is usually stored in a single file on disk. Under UNIX this is /etc/passwd (or some mirror of it); under Windows NT it is the SAM file. Either way, once the intruder gets hold of this file, he/she can run cracking programs (described above) to find the weak passwords in it.
Observation: a traditional password security problem is that passwords have to be long and hard to guess (to make dictionary and brute force attacks unreasonably difficult). However, such passwords are often hard to remember, so users write them down somewhere. Intruders can often search a person's desk and find the password written on a sticky note (usually under the keyboard). Intruders can also train themselves to watch a password being typed over the user's shoulder.
Social engineering: a common (and successful) trick is simply to call a user and say "Hi, this is Bob from the MIS group. We're tracking down some problems on the network that appear to come from your machine. What password are you using?" Many users will give up their password in this situation. (Most company policies say users should never give out their password, even to their own MIS department, but the trick still works.) A simple solution is for the MIS group to call employees every 6 months and ask for their password, then chastise them for their mistake so they never forget :-)
1.6 What does a typical intrusion look like?
A typical intrusion scenario may be as follows:
Step 1. Outside reconnaissance
The intruder finds out as much as possible without giving themselves away. They use public information or pose as a normal user; at this stage you cannot really tell they are there. For example, if your network is registered with a domain name (say foobar.com), the intruder can use a 'whois' lookup to try to find information about your network. The intruder may walk through your DNS tables (using 'nslookup', 'dig', or other utilities to perform a zone transfer) to find the names of your machines. The intruder browses other public information, such as your public web site and anonymous FTP site, and may look for news articles and press releases about your company.
Step 2. Inside reconnaissance
The intruder uses more invasive techniques to scan for information, but still without damaging anything. They walk through all your web pages looking for CGI scripts (CGI scripts are often easily broken into). They may 'ping' hosts to see which are alive. They may do a UDP/TCP scan or strobe of the target hosts to see which services are available. They may run utilities like 'rpcinfo', 'showmount', 'snmpwalk', etc. to find out what is available. At this point the intruder has only done "normal" network activity and nothing that could be classified as an intrusion. A NIDS will tell you "someone is checking your door handles", but nobody has actually tried to open the door.
Step 3. Exploit
The intruder crosses the line and begins exploiting possible vulnerabilities on the target hosts. They may try to compromise a CGI script by passing shell commands in an input field. They may try to exploit a known buffer overrun by sending a large amount of data. They may start checking for accounts with easily guessed (or even empty) passwords. A hacker may go through several stages of exploitation: for example, having obtained a user account, they will try further exploits to get root/admin.
Step 4. Foothold
At this stage the intruder has successfully compromised a machine and has a foothold in your network. The intruder's main goal is to hide the evidence of the intrusion (doctoring the audit trail and logs) and make sure they can get back in again. They may install 'toolkits' that give them access, replace existing services with their own back-doored versions, or create their own user accounts. System integrity verifiers (SIVs) can often detect the file changes these techniques make. Since most networks are hard to defend against insiders, the intruder will then use the compromised machine as a stepping stone to other machines.
Step 5. Profit
The intruder takes advantage of their position to steal confidential data, abuse system resources (staging attacks on other sites from your machine), or deface your web pages.
Other scenarios differ. Rather than targeting a specific site, the intruder may simply scan random addresses on the Internet for a specific hole. For example, they may scan the entire Internet for machines with the sendmail DEBUG hole and easily break into any vulnerable machine they find. They do not target you directly and do not even know who you are (much like a 'birthday attack': given a list of well-known holes and a list of IP addresses, the chance of stumbling upon a vulnerable machine is high).
1.7 What are the common types of intrusion?
There are three kinds of attacks:
Reconnaissance: includes ping sweeps, DNS zone transfers, e-mail reconnaissance, TCP or UDP port scans, and possibly indexing of public web servers to find CGI holes.
Exploits: the intruder takes advantage of hidden features or bugs to gain access to the system.
Denial of service (DoS) attacks: the intruder tries to crash a service (or the machine), overload the network link, overload the CPU, or fill up the disk. The intruder is not trying to gain information, only to do damage by preventing you from using your machine.
1.8 What are the common exploits?
1.8.1 CGI scripts
CGI programs are notoriously insecure. Typical security holes include passing tainted input directly to the command shell, where shell metacharacters are interpreted; using hidden variables to specify any filename on the system; or otherwise revealing more about the system than is good for it. The most famous CGI flaw was the 'phf' library shipped with NCSA httpd. The 'phf' library was supposed to allow server-parsed HTML, but could be exploited to read any file on the system. Other well-known CGI script holes that intruders try are: TextCounter, GuestBook, EWS, info2www, count.cgi, handler, webdist.cgi, php.cgi, files.pl, nph-test-cgi, nph-publish, AnyForm, FormMail. If you see somebody trying to access one of these CGI scripts (and you do not use them), that is a clear sign of hostile intent (assuming you did not install the defective version of a CGI script you do use).
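A log file monitor (the LFM class from section 1.1) that watches for requests naming the CGI scripts listed above, as an added example in Python that is not part of the original FAQ. The log lines, addresses and the DEPLOYED set are constructed for this example.

```python
# Added example (not from the FAQ): a small log file monitor that scans web
# server access logs in Common Log Format for requests naming the frequently
# probed CGI scripts listed above. The log lines and DEPLOYED are constructed.
import re
from collections import Counter

# Script names from the FAQ's list, lower-cased for matching
PROBED_CGI = {"phf", "textcounter", "guestbook", "ews", "info2www",
              "count.cgi", "handler", "webdist.cgi", "php.cgi", "files.pl",
              "nph-test-cgi", "nph-publish", "anyform", "formmail"}
# Assumed: scripts this site really runs; requests for these are not probes
DEPLOYED = {"formmail"}

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3})')

# Constructed sample log: one source probes three scripts, another is a
# normal visitor using the deployed FormMail script.
SAMPLE_LOG = """\
203.0.113.9 - - [24/Aug/2002:10:00:01 +0000] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 201
203.0.113.9 - - [24/Aug/2002:10:00:02 +0000] "GET /cgi-bin/nph-test-cgi HTTP/1.0" 404 201
203.0.113.9 - - [24/Aug/2002:10:00:03 +0000] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 201
198.51.100.4 - - [24/Aug/2002:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.4 - - [24/Aug/2002:10:05:07 +0000] "POST /cgi-bin/formmail HTTP/1.1" 200 312
198.51.100.4 - - [24/Aug/2002:10:06:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 8810
garbage line that does not parse
"""


def script_name(path):
    """Last path component without the query string, lower-cased."""
    return path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1].lower()


def scan_cgi_probes(log_text, probed=PROBED_CGI, deployed=DEPLOYED):
    """Return [(client_ip, script, status), ...] for every request that
    names a known-probed CGI script the site does not deploy. The status is
    kept because a 404 confirms the script is absent (so the request can only
    be a probe), while a 200 would mean it really is installed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: skip, not an error
        ip, path, status = m.groups()
        name = script_name(path)
        if name in probed and name not in deployed:
            hits.append((ip, name, int(status)))
    return hits


def probes_per_source(hits):
    """Count probes by client address: one address trying several scripts
    in a row is the pattern worth alerting on."""
    return Counter(ip for ip, _, _ in hits)
```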
1.8.2 Web server attacks
Beyond CGI programs, the web server itself may have other holes. A great many self-written web servers (including IIS 1.0 and NetWare 2.x) have holes in filename handling: by putting a series of "../" in the path name you can step out to other parts of the file system and obtain any file. Other common holes are buffer overflows in a request field or in other HTTP data.
Web servers also have holes arising from their interaction with the underlying operating system. An old hole in Microsoft IIS arose because a file has two names, a long name and a short corresponding 8.3-form name, and the short name could sometimes be used to gain access. NTFS (the New Technology File System) has a feature that bypasses the permission mechanism, "alternate data streams", similar to the data and resource forks on the Macintosh: by appending "::$DATA" to the file name you can access the file's data stream, and so read the script's source instead of executing it.
Web servers have long had problems with URLs. For example, the "death by a thousand slashes" problem caused Apache to burn a great deal of CPU as it tried to process each directory in a URL containing thousands of "/".
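A defender's check for the "../" filename hole and the "::$DATA" stream suffix above, as an added example in Python that is not part of the original FAQ; DOC_ROOT and the sample requests are constructed and the check is purely lexical, so it runs without touching the file system.

```python
# Added example (not from the FAQ): a defender's path check for the "../"
# filename hole and the "::$DATA" stream suffix described above. DOC_ROOT and
# the requests are constructed; the check is lexical only.
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"          # assumed document root


def resolve_request_path(url_path, doc_root=DOC_ROOT):
    """Map a URL path to a file path under doc_root, or return None when
    the request must be refused. Steps: strip the query string, decode %xx
    once (so "%2e%2e/" becomes "../" before any check), reject NUL and ':'
    (the NTFS stream trick), join onto the root, normalise away "." and
    "..", then confirm the result is still inside the root. normpath also
    collapses runs of "/" in one pass instead of walking each as a directory."""
    path = unquote(url_path.split("?", 1)[0])
    if "\0" in path or ":" in path:
        return None
    joined = posixpath.join(doc_root, path.lstrip("/"))
    resolved = posixpath.normpath(joined)     # "a/../b" -> "b", "//" -> "/"
    root = posixpath.normpath(doc_root)
    if resolved != root and not resolved.startswith(root + "/"):
        return None                           # escaped the document root
    return resolved


if __name__ == "__main__":
    for req in ["/index.html", "/images/../../etc/passwd",
                "/%2e%2e/%2e%2e/etc/passwd", "/default.asp::$DATA"]:
        print("%-32s -> %s" % (req, resolve_request_path(req)))
```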
1.8.3 Web browser attacks
Microsoft's and Netscape's web browsers have security holes (though of course none have been found yet in the latest versions), including attacks through URLs, HTTP, HTML, JavaScript, frames, Java, and ActiveX.
URL fields can have buffer overflows, whether in the HTTP header when the URL is requested, when it is displayed on the screen, or when it is handled in some other form (such as stored in the cache history). Old Internet Explorer versions also had holes in the browser's handling of LNK or URL commands that could affect the local system.
HTTP headers can be used to exploit holes because some fields are passed directly to functions that expect only a particular value.
HTML often has holes, such as the MIME-type buffer overflow in Netscape Communicator's
JavaScript has long been a favourite, and frequently attempts to defeat the "file upload" function by generating a file name and automatically hiding the "SUBMIT" button. Many such holes have been fixed, but new ways to bypass the fixes keep being found.
Frames are often part of JavaScript or Java hacks (for example, hiding a web page in a frame one pixel in size), but they also present a special problem. If I can embed a trusted site's pages in a frame on my own site, and then replace parts of those frames with my own pages, I can make my pages appear to you as if they came from the remote site.
Java has a robust security model, but that model has proven to have specific holes (although compared to everything else it has proven to be one of the most secure components of the system). Furthermore, its robust security may be its undoing: normal Java applets cannot access the local system, but sometimes they would be more useful if they could, so a "trust" model was added, and that is easier to exploit.
ActiveX is even more dangerous than Java, because it works purely on a trust model and runs native code. You can even be accidentally infected by a virus that was accidentally embedded in a vendor's code.
1.8.4 SMTP (sendmail) attacks
Sendmail is an extremely complex and widely used program, and consequently a frequent source of security holes. In the old days (the era of the '88 Morris worm), hackers exploited a hole in the DEBUG command or the hidden WIZ feature to break in through SMTP. These days they more often try buffer overflows. SMTP is also used for reconnaissance, such as using the VRFY command to find user names.
1.8.5 Access
Failed login attempts, failed file accesses, password cracking, and abuse of administrator privileges.
1.8.6 IMAP
Users retrieve e-mail from servers via the IMAP protocol (by comparison, SMTP transfers e-mail between servers). Hackers have found holes in several popular IMAP servers.
1.8.7 IP spoofing
Some attacks use the technique of forging (or 'spoofing') your IP address. A source address is carried in every IP packet transmitted, but it is not actually used for routing. This means the intruder can pretend to be you when talking to a server. The intruder never receives the response packets (your machine sees them, but discards them because they do not match any request you sent). The intruder cannot obtain data this way; instead, they can still impersonate you and send commands to the server. IP spoofing is often used as part of other attacks:
Smurf
A broadcast ping with a forged source address causes a large number of machines to respond to that address, i.e. to the victim, overloading it (or its link).
TCP sequence number prediction
At the start of a TCP connection, your end chooses a sequence number and the server end chooses one too. Older TCP stacks choose predictable sequence numbers, allowing an intruder using a forged IP address (who never sees the reply packets) to bypass the security mechanism.
DNS poisoning through sequence prediction
DNS servers resolve names "recursively": when a request comes in from a client, the server itself becomes a client of the next server in the chain, and its request IDs are predictable. An intruder can therefore send a request to the DNS server and then send it a reply forged to look like it came from the next server in the chain. The server believes the forged reply and uses it to answer other clients.
1.8.8 Buffer overflows
Some other buffer overflow attacks are:
DNS overflow
An over-long DNS name is sent to the server. DNS names are limited to 64 bytes per sub-component and 256 bytes overall.
statd overflow
Triggered by submitting an over-long file name.
1.8.9 DNS attacks
DNS is a primary target, because if you can corrupt a DNS server you can exploit the trust relationships that depend on it.
DNS cache poisoning
Each DNS packet contains a "question" section and an "answer" section. Vulnerable servers will believe (and cache) an answer that is sent along with a question. Most, but not all, DNS servers were patched for this in 1998.
DNS poisoning through sequence prediction
See above.
DNS overflow
See above.
1.10 What is a denial of service (DoS)?
1.10.1 Ping of death
Sends an invalid fragment that starts before the end of the packet but extends past the end of the packet.
1.10.2 SYN flood
TCP SYN packets (which open connections) are sent very fast, leaving the victim waiting to complete a huge number of connections, exhausting its resources and dropping legitimate connections. A new defence is "SYN cookies". Each end of a TCP connection has its own sequence number. In response to a SYN, the attacked machine creates a special sequence number (a "cookie" derived from the connection) and then forgets everything about the connection. When a legitimate connection completes, the machine can recreate the forgotten information about the connection from the cookie.
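The SYN cookie scheme sketched above, as an added example in Python that is not part of the original FAQ: the server encodes a coarse time counter, the client's MSS and a keyed hash of the connection into its initial sequence number, keeps no state, and verifies the final ACK later. SECRET, the 5-bit minute counter, MSS_TABLE and the bit layout are assumptions for illustration, not any real operating system's layout.

```python
# Added example (not from the FAQ): a toy SYN cookie following the scheme
# sketched above. SECRET, the minute counter, the MSS table and the bit layout
# are assumptions for illustration, not any real operating system's layout.
import hashlib
import hmac

SECRET = b"constructed-server-secret"        # assumed; real servers rotate it
MSS_TABLE = [536, 1024, 1460]                 # assumed 3-bit MSS encoding
MASK32 = 0xFFFFFFFF


def _mac24(src_ip, dst_ip, src_port, dst_port, counter):
    """24-bit keyed hash binding the cookie to one 4-tuple and time slot."""
    msg = "%s|%s|%d|%d|%d" % (src_ip, dst_ip, src_port, dst_port, counter)
    digest = hmac.new(SECRET, msg.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, mss, now):
    """Server ISN for the SYN/ACK. Layout (assumed): bits 31..27 = minute
    counter, bits 26..24 = MSS index, bits 23..0 = (MAC + client ISN) mod 2^24.
    After sending it the server remembers nothing about the half-open
    connection, so a flood of SYNs consumes no connection-table entries."""
    counter = (int(now) // 60) & 0x1F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i                       # largest table entry <= mss
    mac = _mac24(src_ip, dst_ip, src_port, dst_port, counter)
    low = (mac + client_isn) & 0xFFFFFF
    return (counter << 27) | (mss_idx << 24) | low


def verify_syn_cookie(src_ip, dst_ip, src_port, dst_port, seq, ack, now,
                      max_age_slots=1):
    """Check the final ACK of the handshake. `seq` and `ack` are the fields
    of the client's ACK packet: seq = client ISN + 1, ack = cookie + 1.
    Returns the recovered MSS on success, or None if the cookie is forged,
    belongs to a different 4-tuple, or is too old."""
    client_isn = (seq - 1) & MASK32
    cookie = (ack - 1) & MASK32
    counter = cookie >> 27
    age = ((int(now) // 60) - counter) & 0x1F
    if age > max_age_slots:
        return None                           # stale: a replay or very slow client
    mac = _mac24(src_ip, dst_ip, src_port, dst_port, counter)
    if (cookie & 0xFFFFFF) != ((mac + client_isn) & 0xFFFFFF):
        return None                           # MAC mismatch: not our cookie
    return MSS_TABLE[(cookie >> 24) & 0x7]


if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:40000 -> server 192.0.2.10:80
    isn = make_syn_cookie("198.51.100.7", "192.0.2.10", 40000, 80, 123456789, 1460, 600)
    print("server ISN (cookie): 0x%08x" % isn)
    print("valid ACK recovers MSS:", verify_syn_cookie(
        "198.51.100.7", "192.0.2.10", 40000, 80, 123456790, isn + 1, 630))
```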
1.10.3 Land / LaTierra
Sends a forged SYN packet with identical source and destination address/port, so that the victim system loops endlessly trying to complete the TCP connection.
1.10.4 WinNuke
Sends OOB/URG data on a TCP connection to the NetBIOS session/SMB port, causing the Windows system to hang.