
Intrusion detection system FAQ (all)

Created: 2002-08-24

Article type: compilation

Source: www.cnsafe.net

Submitted by: Mayi (Mayi99_at_263.net)

1. Introduction

- What is a network intrusion detection system (NIDS)?

- Who is misusing the system?

- How do intruders get into systems?

- Why can intruders get into systems?

- How do intruders get passwords?

- What does a typical intrusion look like?

- What are the general types of intrusion?

- What is an exploit?

- What is reconnaissance?

- What is a denial of service (DoS)?

- How dangerous are attacks today?

- Where can I find statistics on current attack activity?

2. Architecture

- How are intrusions detected?

- How does a NIDS match signatures against incoming traffic?

- What does a NIDS do once it has detected an attack?

- What other systems are similar to a NIDS?

- Where should I install a NIDS on my network?

- How does an IDS fit with the other parts of my security architecture?

- How do I tell whether an IDS is already running?

3. Countermeasures

- How do I improve intrusion detection and prevention under WinNT?

- How do I improve intrusion detection and prevention under Win95/98?

- How do I improve intrusion detection and prevention under UNIX?

- How do I improve intrusion detection and prevention under Macintosh?

- How do I improve intrusion detection and prevention for a corporation?

- How do I do intrusion detection within the company?

- What should I do after I have been attacked?

- Somebody says they are being attacked from my site; what should I do?

- How do I collect enough evidence against an intruder?

4. Products

- What freeware or shareware intrusion detection systems are there?

- What commercial intrusion detection systems are there?

- What is a "network grep" system?

- What tools do intruders use to break into my system?

- Should I care about other intrusion detection systems?

6. Resources

- Where can I find out about new system vulnerabilities?

- What other resources relate to security and intrusion detection?

- Which sites are worthless?

7. IDS and firewalls

- Why do I need an IDS if I have a firewall?

- If I have intrusion detection, do I still need a firewall?

- Where does an IDS get its information? From the firewall?

8. Implementation guide

- What should I ask IDS vendors?

- How do I maintain the system on an ongoing basis?

- How do I stop inappropriate web browsing?

- How do I build my own IDS (write code)?

- Is a NIDS legal, given that it is a wiretap?

- How do I protect log files from being tampered with, so they remain usable as evidence?

9. NIDS limitations

- Switched networks (inherent limitation)

- Resource limitations

- Attacks against the NIDS

- Simple evasion

- Complex evasion

- Tools

10. Miscellaneous

- What standards / interoperability efforts exist?

11. Honeypots and deception systems

- What is a honeypot?

- What are the advantages of honeypots?

- What are the disadvantages of honeypots?

- How do I set up my own honeypot?

- What types of honeypots are there?

- What are the pros and cons of building a system that is meant to be attacked?

- Are there examples of people using honeypots?

- What honeypot products are there?

- What is deception?

1. Introduction

1.1 What is a network intrusion detection system (NIDS)?

An intrusion is an attempt by someone (a "hacker" or "cracker") to break into or misuse your system. The word "misuse" is broad: it covers anything from stealing confidential data down to minor abuses such as using your mail server to relay spam (although for many of us that is the main one).

An intrusion detection system (IDS) is a system for detecting such intrusions. For the purposes of this FAQ, an IDS falls into one of the following categories:

Network intrusion detection system (NIDS): monitors the packets on the network wire and tries to discover whether a hacker/cracker is attempting to break into a system (or to cause a denial of service). A typical example is a system that watches for a large number of TCP connection requests to many different ports on a target host, and thereby discovers that someone is running a TCP port scan. A NIDS may run on the target host itself (usually integrated into the protocol stack or into the service) or on a stand-alone host that watches all the traffic (at a hub, a router, or a probe). Note that a "network" IDS monitors many hosts, whereas the other kinds below monitor only the host they are installed on.

System integrity verifier (SIV): monitors system files to find out whether an intruder has changed them (possibly leaving a back door). The best known system of this kind is Tripwire. A SIV should also watch other components, such as the Windows registry and the cron configuration, for well-known signs of intrusion. It should also detect an ordinary user who has acquired root/Administrator privileges. Most products in this area are better thought of as tools than as systems: Tripwire, for example, detects changes to critical system components but does not produce real-time alerts.
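The port-scan detection the NIDS paragraph describes, as an added example in Python (written for this page; it is not code from the FAQ or from any product): for every (source, target) pair the detector keeps the distinct TCP ports that received a bare SYN inside a sliding window and raises one alert when the count crosses a threshold, while SYN/ACK replies from the target and repeated connections to a single port are ignored. The threshold (10 ports), the window (5 seconds) and the sample packets are assumptions constructed for the example.

```python
from collections import defaultdict, deque

TCP_SYN = 0x02
TCP_ACK = 0x10


class PortScanDetector:
    """Alert when one source sends SYNs to at least `max_ports` distinct ports
    of one target inside `window_seconds`. Both thresholds are assumptions
    chosen for this example."""

    def __init__(self, max_ports=10, window_seconds=5.0):
        self.max_ports = max_ports
        self.window = window_seconds
        self._probes = defaultdict(deque)  # (src, dst) -> deque of (ts, dport)
        self._alerted = set()              # pairs already reported once

    def observe(self, ts, src, dst, dport, flags):
        """Feed one TCP segment summary; return an alert string or None."""
        # A connection request is SYN without ACK. SYN/ACK replies and data
        # segments are ignored, so the target's own answers never count.
        if not (flags & TCP_SYN) or (flags & TCP_ACK):
            return None
        pair = (src, dst)
        probes = self._probes[pair]
        probes.append((ts, dport))
        while probes and ts - probes[0][0] > self.window:  # expire old probes
            probes.popleft()
        ports = {port for _, port in probes}
        if len(ports) >= self.max_ports and pair not in self._alerted:
            self._alerted.add(pair)
            return (f"t={ts:.1f}s PORTSCAN {src} -> {dst}: {len(ports)} ports "
                    f"within {self.window:.0f}s, e.g. {sorted(ports)[:5]}")
        return None


def run(packets, **thresholds):
    """Run the detector over (ts, src, dst, dport, flags) tuples in time order."""
    detector = PortScanDetector(**thresholds)
    return [a for a in (detector.observe(*pkt) for pkt in packets) if a]


def constructed_packets():
    """Constructed sample traffic (not a real capture)."""
    pkts = []
    for i in range(15):  # fast scanner: 15 ports in 1.5 s
        pkts.append((0.1 * i, "10.0.0.99", "192.168.1.5", 21 + i, TCP_SYN))
        # the target's SYN/ACK replies, which must not count as probes
        pkts.append((0.1 * i + 0.01, "192.168.1.5", "10.0.0.99", 40000 + i,
                     TCP_SYN | TCP_ACK))
    for i in range(20):  # busy but legitimate client: always port 80
        pkts.append((0.2 * i, "10.0.0.7", "192.168.1.5", 80, TCP_SYN))
    for i in range(12):  # slow scanner: one port every 3 s, never 10 in 5 s
        pkts.append((3.0 * i, "10.0.0.50", "192.168.1.5", 100 + i, TCP_SYN))
    return sorted(pkts)


if __name__ == "__main__":
    for alert in run(constructed_packets()):
        print(alert)
```

The slow scanner never trips the detector, which is exactly the evasion a real NIDS has to worry about: thresholds bound how slowly a scan can run before it becomes invisible, and a second rule (for instance, distinct ports per source per day) is needed to catch it.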

Log file monitor (LFM): monitors the log files produced by network services and devices. Like a NIDS, these systems look for patterns in the log files that suggest an intruder is attacking. A typical example is a parser for HTTP server logs that looks for intruders trying well-known exploits, such as the phf attack. An example of such a system is swatch.

There are also deception systems (decoys, lures, fly-traps, honeypots) that emulate well-known holes in order to trap hackers. See, for example, the Deception Toolkit (DTK): http://www.all.net/dtk/. A simple deception can also be built on NT by renaming the Administrator account and auditing logon attempts against the name that is left behind. The honeypot section of this document describes deception systems in more detail; see also:

http://www.enteract.com/~lspitz/honeypot.html

For more information see:

http://www.icsa.net/idswhite/.

1.2 Who is misusing the system?

Two words are used to describe attackers: hacker and cracker. "Hacker" is a general term for someone who likes to get into things. The benign hacker is the person who likes to poke around his or her own computer; the malicious hacker is the one who likes to get into other people's systems. Benign hackers wish the media would stop bad-mouthing all hackers and use the word "cracker" for the malicious ones instead. Unfortunately this usage has not caught on. In any case, the word used in this FAQ is "intruder", which generically means someone trying to get into other people's systems.

Intruders can be divided into two categories:

Outsiders: intruders from outside your network who attack your external presence (deface web servers, relay spam through your e-mail servers, and so on). Outside intruders may come from the Internet, from dial-up lines, from physical break-ins, or from a partner network (vendor, customer, reseller, etc.) that is connected to yours.

Insiders: intruders who legitimately use your internal network. This includes users who misuse their privileges (such as the social security employee who marks somebody they dislike as dead) and those who impersonate users with higher privileges (for example, by using somebody else's terminal). A frequently quoted statistic is that 80% of security problems involve insiders.

There are several types of intruder: "joy riders" hack because they can; "vandals" intend to cause damage or deface your web pages; "profiteers" intend to profit from their activities, for example by taking control of systems or by stealing data they can sell.

1.3 How do intruders get into systems?

The main ways an intruder gets into a system are:

Physical intrusion: if the intruder has physical access to the machine (i.e. can use the keyboard or take the system apart), he or she will be able to get in. Techniques range from the special privileges the console grants to physically taking the system apart and removing the disk drive (to read or write it on another machine). Even BIOS protection is easy to bypass: practically every BIOS has a backdoor password.

System intrusion: this type of hacking assumes the intruder already has a low-privilege user account on the system. If the system does not have the latest security patches, there is a good chance the intruder can use a well-known exploit to gain administrative privileges.

Remote intrusion: this type of hacking involves an intruder who attempts to penetrate a system remotely across the network. The intruder begins with no special privileges. There are several forms of this hacking; for example, an intruder has a much harder time if there is a firewall between him or her and the victim machine.

Note that network intrusion detection systems are primarily concerned with remote intrusion.

1.4 Why can intruders get into systems?

Software always has bugs. System administrators and programmers can never track down and eliminate all possible holes. Intruders only have to find one hole to break in.

1.4.1 Software bugs

Software bugs are exploited in server daemons, in client applications, in operating systems, and in the network stack. Software bugs can be classified as follows:

Buffer overflows: almost all the security holes you read about are due to this problem. A typical example is a programmer who sets aside 256 characters to hold a login username. Surely, the programmer thinks, nobody will ever have a name longer than that. But a hacker thinks, what happens if I enter a very long username? Where do the additional characters go? If the hacker happens to get it right, he or she sends 300 characters, including code that will be executed by the server, and gets in.

Hackers find these bugs in several ways. First, the source code of many services is available on the net; hackers routinely read the code looking for programs that have buffer overflow problems. Second, hackers can read the program binary itself to see whether there is a problem, though reading compiled code is really difficult. Third, hackers examine every place the program accepts input and try to overflow it with random data. If the program crashes, there is a good chance that carefully constructed input will allow the hacker to gain access. Note that this problem is common in programs written in C/C++, but rare in programs written in Java.

Unexpected combinations: programs are usually built from many layers of code, potentially including the underlying operating system as the lowest layer. Intruders can often send input that is meaningless to one layer but meaningful to another. The most common language for handling user input on the web is Perl, and Perl programs often pass that input on to other programs for further processing. A common hacker technique is to enter a string beginning with "| mail

Unhandled input: most programs are written to handle valid input, and many programmers do not consider what happens when somebody enters input that does not match the specification.

Race conditions: most systems today are multitasking/multithreaded, which means they can run more than one program at a time. It is dangerous if two programs access the same data at the same time. Imagine two programs, A and B, which each need to modify the same file. To modify it, each program reads the file into memory, changes the contents in memory, and then copies memory back to the file.

A race condition occurs when program A has read the file into memory and is modifying it, and program B runs, reads and writes the file, and finishes before A writes its copy out. Program A now copies its version to the file. Because program A started before B's modification, all of B's modifications are lost. Because you have to get the sequence exactly right, race conditions are very rare; intruders usually have to try thousands of times before they get it right and break into the system.
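The lost-update race described above, as an added example in Python (written for this page, not code from the FAQ): two threads each perform the read-modify-write the text describes on a temporary file, and the demo forces the interleaving where B reads and writes inside A's read-to-write window so that B's line disappears. The fix shown is the standard one, holding a lock across the whole read-modify-write; the hook arguments and the 0.5-second stall exist only to make the schedule reproducible and are not part of the technique.

```python
import os
import tempfile
import threading


def read_modify_write(path, line, lock=None, after_read=None, before_write=None):
    """Append `line` the unsafe way the FAQ describes: read the whole file,
    change the copy in memory, write the copy back. `after_read` and
    `before_write` are hooks used only to force the interleaving below; a real
    program simply gets unlucky at the same spot."""
    def body():
        with open(path) as fh:
            data = fh.read()
        if after_read:
            after_read()
        if before_write:
            before_write()
        with open(path, "w") as fh:
            fh.write(data + line + "\n")

    if lock is None:
        body()
    else:
        with lock:  # the fix: hold a lock across the entire read-modify-write
            body()


def demo(lock=None):
    """Run program A and program B so that B reads and writes the file
    inside A's read-to-write window. Returns the final lines of the file."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "w") as fh:
            fh.write("original\n")
        a_has_read = threading.Event()
        b_finished = threading.Event()
        a = threading.Thread(
            target=read_modify_write, args=(path, "A", lock),
            kwargs={"after_read": a_has_read.set,
                    # A stalls before writing until B is done (or 0.5 s pass,
                    # which only happens when the lock keeps B out).
                    "before_write": lambda: b_finished.wait(0.5)})
        b = threading.Thread(target=read_modify_write, args=(path, "B", lock))
        a.start()
        a_has_read.wait(1.0)   # let A read the file first
        b.start()
        b.join()               # B runs its whole read-modify-write now
        b_finished.set()       # ...and only then may A write its stale copy
        a.join()
        with open(path) as fh:
            return fh.read().splitlines()
    finally:
        os.remove(path)


def demo_unlocked():
    """Lost update: A's stale copy overwrites B's change."""
    return demo()


def demo_locked():
    """Same schedule with a lock: B cannot even read until A has written."""
    return demo(threading.Lock())


if __name__ == "__main__":
    print("without lock:", demo_unlocked())
    print("with lock:   ", demo_locked())
```

Between processes rather than threads the same fix is an advisory file lock (fcntl.flock on UNIX) held for the duration of the read-modify-write; the security-relevant cases are those where the file is a privileged one (a spool, a temporary file in /tmp, a password database) and the intruder controls program B.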

1.4.2 System configuration

System configuration bugs can be classified as follows:

Default configurations: most systems are shipped to customers with default, easy-to-use configurations. Unfortunately, "easy to use" means "easy to break into". Almost any UNIX or WinNT machine shipped to you can be hacked easily.

Lazy administrators: a surprising number of machines are configured with an empty root/Administrator password. This is because the administrator is too lazy to configure one right away and just wants to get the machine up and running with minimal fuss. Unfortunately, they never come back to set the password, leaving an easy way in for intruders. One of the first things an intruder does on a network is to scan all the machines for empty passwords.

Hole creation: virtually all programs can be configured to run in a non-secure mode. Sometimes administrators inadvertently open a hole on a machine. Most administration guides recommend turning off everything that is not absolutely necessary on a machine in order to avoid accidental holes. Note that security auditing packages can usually find these holes and notify the administrator.

Trust relationships: intruders often "island hop" through the network by exploiting trust relationships. A network of machines that trust each other is only as secure as its weakest link.

1.4.3 Password cracking

This is a special category of its own.

Really weak passwords: most people use their own name, the name of a child, spouse or pet, or the model of their car as a password. There are also users who use "password" or simply nothing. This gives a list of fewer than 30 possibilities that an intruder can type in by hand.

Dictionary attacks: when the above attack fails, the intruder moves on to a "dictionary attack". In this method the intruder tries every word in a dictionary. Dictionary attacks can be carried out either by repeatedly logging in or by collecting the encrypted passwords and trying to find a match by encrypting each dictionary word. Intruders usually have copies of English dictionaries as well as dictionaries for other languages. They also use additional dictionary-like databases, such as lists of names and lists of common passwords.

Brute force attacks: similar to a dictionary attack, but the intruder tries every possible combination of characters. A four-character password consisting of lowercase letters (about 500,000 combinations) can be cracked in a few minutes. A longer password consisting of upper- and lowercase letters, digits and punctuation (about 100 trillion combinations) would take on the order of three years at a million attempts per second, and a single machine of the time could actually manage only thousands of attempts per second.
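The dictionary and brute force attacks above against a stolen hash file, as an added example in Python (written for this page; not code from the FAQ or from any cracking tool). A salted SHA-256 stands in for the system's password hash (an assumption; the real hash would be crypt(3), NTLM, bcrypt or similar, and the attack is identical), the "stolen" entries and the wordlist are constructed, and the keyspace arithmetic reproduces the figures the paragraph quotes.

```python
import hashlib
import itertools
import string


def hash_password(password, salt):
    """Salted SHA-256 stands in for the system's password hash here (an
    assumption; real systems use crypt(3), NTLM, bcrypt and so on, but the
    attack is identical: hash each guess with the victim's salt and compare)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "stolen password file" (no real accounts): (user, salt, hash).
SHADOW = [
    ("alice", "x7", hash_password("Fluffy1", "x7")),      # pet's name plus a digit
    ("bob",   "q2", hash_password("password", "q2")),     # literally "password"
    ("carol", "m9", hash_password("xq7!Lp#9vR2", "m9")),  # not in any dictionary
    ("dave",  "k4", hash_password("zap", "k4")),          # short: brute-forceable
]

# A tiny "dictionary" of the kind the FAQ describes: common words and names.
WORDLIST = ["alice", "bob", "fluffy", "password", "secret", "letmein"]


def mangle(word):
    """Simple mangling rules: case variants, with and without a trailing digit."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for digit in "0123456789":
            yield base + digit


def dictionary_attack(shadow, wordlist):
    """Return {user: password} for every hash matched by a mangled word."""
    candidates = [c for w in wordlist for c in mangle(w)]
    found = {}
    for user, salt, target in shadow:
        for candidate in candidates:          # re-hash per user because of the salt
            if hash_password(candidate, salt) == target:
                found[user] = candidate
                break
    return found


def brute_force(salt, target, alphabet=string.ascii_lowercase, max_len=3):
    """Try every string over `alphabet` up to `max_len`; return the match or None."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if hash_password(candidate, salt) == target:
                return candidate
    return None


def keyspace(alphabet_size, length):
    """Number of candidates for a fixed-length password."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try the whole keyspace at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


if __name__ == "__main__":
    print(dictionary_attack(SHADOW, WORDLIST))
    print("dave:", brute_force("k4", SHADOW[3][2]))
    # The FAQ's figures: four lowercase letters, and seven printable ASCII characters.
    print("26^4 =", keyspace(26, 4))
    print("95^7 at 1e6/s, in years:", seconds_to_exhaust(95, 7, 1e6) / (365 * 86400))
```

The per-user salt is what forces the attacker to hash every candidate once per account instead of once per file; without it the whole SHADOW list could be cracked with a single pass over a precomputed table.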

1.4.4 Sniffing unsecured traffic

Shared media: on traditional Ethernet, all you have to do is put a sniffer on the wire to see all the traffic on the segment. This is getting harder now that most corporations are moving to switched Ethernet.

Server sniffing: even on a switched network, if you can install a sniffer program on a server (especially one acting as a router), you can use the information gathered there to attack client machines and trusted machines. For example, you might not know a user's password, but sniffing a Telnet session as he or she logs in will give it to you.

Remote sniffing: a large number of hosts can be remotely monitored through RMON with a public community string. While the bandwidth is very low (you cannot sniff all the traffic), it presents interesting possibilities.

1.4.5 Design flaws

Even when a piece of software is completely bug-free, it may still be vulnerable because of flaws in its design.

TCP/IP protocol flaws: the TCP/IP protocols were designed before we had much experience with hacking. As a result, there are a number of design flaws that lead to security problems. Some examples are Smurf attacks, ICMP Unreachable disconnects, IP spoofing, and SYN floods. The biggest problem is that the IP protocol itself is very trusting: hackers are free to forge and modify IP packets. IPsec was designed to remedy many of these flaws, but it is not yet widely deployed.

UNIX design flaws: there are a number of inherent flaws in UNIX that make it a frequent target of intrusion. The main problem is the permission system, in which only "root" is granted administrative privileges. As a result:

1.5 How do intruders get passwords?

Intruders obtain passwords by the following methods:

Clear-text sniffing: a number of protocols (Telnet, FTP, basic HTTP) use clear-text passwords, meaning they are not encrypted as they pass between client and server. An intruder can use a protocol analyzer to watch the wire and pick out the password. No further effort is required; the intruder can start using the password immediately to log in.

Encrypted sniffing: many protocols use encrypted passwords. In this case the intruder has to carry out a dictionary or brute force attack on the captured password in order to decrypt it. Note that you still cannot tell the intruder is there, because he or she is completely passive and transmits nothing on the wire. Password cracking requires nothing to be sent on the wire either, since the intruder runs it on his or her own machine.

Replay attacks: in many cases the intruder does not need to decrypt the password at all. The encrypted form can be used instead to log into the system. This usually requires recoding the client software to use the encrypted password.

Password file stealing: the entire user database is usually stored in a single file on disk. Under UNIX this is /etc/passwd (or a shadow copy of it); under WinNT it is the SAM file. Once the intruder has this file, he or she can run a cracking program (as described above) to find some weak passwords in it.

Observation: one of the traditional problems with passwords is that they have to be long and hard to guess (to make dictionary and brute force attacks unreasonable). Such passwords are hard to remember, so users write them down somewhere. Intruders can often search a person's desk to find the password written on a little piece of paper (usually under the keyboard). Intruders can also train themselves to watch typed passwords over the user's shoulder.

Social engineering: a common (and successful) technique is simply to call the user and say "Hi, this is Bob from MIS. We are tracking down a problem on the network and it seems to come from your machine. What is your password?" Many users will give up their password in this situation. (Most companies have a policy that users should never give out their password, even to their own MIS department, but this trick is still successful. An easy way around it is for the MIS group to call employees six months after they join, ask for their password, and then chew them out for giving it, so they will not forget :-)

1.6 What does a typical intrusion look like?

A typical intrusion scenario might go as follows:

Step 1. Outside reconnaissance

The intruder finds out as much as possible about you without actually giving himself or herself away. He or she does this by going through public information or by posing as a normal user, so that at this stage you have no way of knowing. If your network is registered under a domain name (for example, foobar.com), the intruder can use a "whois" lookup to find out as much as possible about your network. The intruder may walk through your DNS tables (using "nslookup", "dig" or similar tools) to find the names of your machines. The intruder will browse other public information, such as your public web site and anonymous FTP site, and may look for news articles and press releases about your company.

Step 2. Inside reconnaissance

The intruder uses more invasive techniques to scan for information, but still without doing anything harmful. He or she walks through all your web pages looking for CGI scripts (CGI scripts are often easy to hack), pings to see which machines are alive, and uses UDP/TCP scans and strobes to see which services are available on the target hosts. He or she may run utilities such as "rpcinfo", "showmount" and "snmpwalk" to gather information. At this point the intruder has only engaged in "normal" network activity and has done nothing that can be classified as an intrusion. A NIDS will tell you that "somebody is checking the door handles", but nobody has actually tried to open a door.

Step 3. Exploit

The intruder crosses the line and starts exploiting possible holes on the target machines. He or she may try to compromise a CGI script by sending shell commands in its input fields, or exploit a known buffer overflow by sending a large amount of data. The intruder starts checking for accounts with easily guessed (or empty) passwords. A hacker may go through several stages of exploits: for example, if the hacker can obtain access to a user account, he or she will then try further exploits in order to gain root/Administrator access.

Step 4. Foothold

At this stage the intruder has successfully gained a foothold in your network by compromising a machine. The intruder's main goal now is to hide the evidence of the attack (doctoring the audit trail and log files) and to make sure he or she can get back in again. He or she may install "toolkits" that give access, replace existing services with Trojan horses that have backdoor passwords, or create user accounts. System integrity verifiers (SIVs) can often detect an intruder at this point by noting the changed system files. Because most networks are poorly defended against insiders, the intruder will then use this machine as a stepping stone to other machines on the network.

Step 5. Profit

The intruder takes advantage of his or her position to steal confidential data, misuse system resources (i.e. stage attacks on other sites from your site), or deface your web pages.

Other scenarios are different. Instead of breaking into a specific site, an intruder may simply scan the whole Internet for a specific hole. For example, an intruder may try to scan the entire Internet for machines with the sendmail DEBUG hole, and then simply break into the vulnerable machines. These intruders never target you directly and do not even know who you are. (This works like a "birthday attack": they take a list of known holes and a list of IP addresses and look for a machine that happens to have one of those holes.)

1.7 What are the general types of intrusion?

There are three kinds of attack:

Reconnaissance: includes ping sweeps, DNS zone transfers, e-mail reconnaissance, TCP or UDP port scans, and possibly indexing of public web servers to find CGI holes.

Exploits: the intruder takes advantage of hidden features or bugs to gain access to the system.

Denial-of-service (DoS) attacks: the intruder attempts to crash a service (or the machine), overload network links, overload the CPU, or fill up the disk. The intruder is not trying to gain information, but simply acts as a vandal to prevent you from using your machine.

1.8 What are some common exploits?

1.8.1 CGI scripts

CGI programs are notoriously insecure. Typical security holes include passing tainted input directly to the command shell via shell metacharacters, using hidden variables that specify filenames on the system, and otherwise revealing more about the system than is good. The best-known CGI bug is the "phf" library shipped with NCSA httpd. The phf library was supposed to allow server-parsed HTML, but it could be exploited to read any file on the system. Other well-known CGI scripts that intruders try to exploit are TextCounter, Guestbook, EWS, info2www, count.cgi, handler, webdist.cgi, php.cgi, files.pl, nph-test-cgi, nph-publish, AnyForm, and FormMail. If you see somebody trying to access one of these scripts (and you do not use them), it clearly indicates an intrusion attempt (assuming you are not running the buggy version of a script you do use).

1.8.2 Web server attacks

Beyond CGI programs, web servers can have other holes. A large number of self-written web servers (including IIS 1.0 and NetWare 2.x) are vulnerable because a filename can contain a series of ".." in its path, which walks up out of the document tree and allows any file on the system to be retrieved.

Another common hole is a buffer overflow in the request field or in some other HTTP field.

Web servers often interact with the underlying operating system in ways that can be exploited. An old bug in Microsoft IIS concerned the fact that files have two names, a long name and a short 8.3-style name, which could sometimes be used to bypass access restrictions. NTFS (the new file system) has a feature called "alternate data streams", similar to the data and resource forks on Macintosh. A file could be accessed through its stream name by appending "::$DATA" to the URL, which returned the script's source rather than executing it. Servers also have problems with very long URLs; for example, the "death by a thousand slashes" problem caused Apache to burn large amounts of CPU trying to process each directory in a URL containing thousands of "/" characters.
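A log file monitor of the kind section 1.1 describes, applied to the web server exploits of 1.8.1 and 1.8.2, as an added example in Python (written for this page; it is neither the FAQ's code nor swatch's). It parses Common Log Format lines and flags requests for the vulnerable CGI names listed in 1.8.1, shell metacharacters in the decoded query (the phf attack sends a newline), ".." path segments, the "::$DATA" stream suffix, and long runs of slashes. The log lines are constructed, and the 50-slash threshold is an assumption chosen for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident user [time] "method target proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)$')

# CGI programs with well-known holes, as listed in 1.8.1 (matched on the
# last path component, case-insensitively).
VULNERABLE_CGI = {"phf", "textcounter", "guestbook", "ews", "info2www",
                  "count.cgi", "handler", "webdist.cgi", "php.cgi", "files.pl",
                  "nph-test-cgi", "nph-publish", "anyform", "formmail"}
SHELL_META = re.compile(r"[|;&`$\n]")  # characters a shell treats specially
SLASH_RUN = re.compile(r"/{50,}")     # threshold is an example assumption


def parse_clf(line):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = CLF.match(line.rstrip("\r\n"))
    if not m:
        return None
    ip, when, method, target, proto, status, size = m.groups()
    return {"ip": ip, "when": when, "method": method, "target": target,
            "status": int(status)}


def inspect_request(target):
    """Return the names of the rules one request target matches."""
    parts = urlsplit(target)
    path, query = unquote(parts.path), unquote(parts.query)  # inspect decoded data
    hits = []
    base = path.rsplit("/", 1)[-1].lower()
    if base in VULNERABLE_CGI:
        hits.append("known-vulnerable CGI: " + base)
    if SHELL_META.search(query):
        hits.append("shell metacharacter in query")
    if any(segment == ".." for segment in path.split("/")):
        hits.append("directory traversal (..)")
    if path.lower().endswith("::$data"):
        hits.append("NTFS ::$DATA source disclosure")
    if SLASH_RUN.search(parts.path):
        hits.append("run of slashes (CPU exhaustion)")
    return hits


def monitor(lines):
    """Return (client ip, rule, request target) for every suspicious request."""
    alerts = []
    for line in lines:
        record = parse_clf(line)
        if record is None:
            continue
        for rule in inspect_request(record["target"]):
            alerts.append((record["ip"], rule, record["target"]))
    return alerts


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '10.0.0.7 - - [24/Aug/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.99 - - [24/Aug/2002:10:00:02 +0000] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 210',
    '10.0.0.99 - - [24/Aug/2002:10:00:03 +0000] '
    '"GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 404 210',
    '10.0.0.99 - - [24/Aug/2002:10:00:04 +0000] "GET /default.asp::$DATA HTTP/1.0" 200 812',
    '10.0.0.7 - - [24/Aug/2002:10:00:05 +0000] "GET /cgi-bin/counter.cgi?page=home HTTP/1.0" 200 55',
    '10.0.0.99 - - [24/Aug/2002:10:00:06 +0000] "GET /' + "/" * 200 + ' HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for ip, rule, target in monitor(SAMPLE_LOG):
        print(f"{ip}: {rule}: {target[:60]}")
```

Decoding the URL before matching matters: the traversal in the sample arrives as "%2e%2e", which a rule written against the raw log line would miss. The flip side, that the log only records what the server wrote down, is the inherent weakness of log-based detection compared with a NIDS looking at the wire.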

1.8.3 Web browser attacks

Microsoft's and Netscape's web browsers both have security holes (though of course the latest versions have none that we know of yet), including URL, HTTP, HTML, JavaScript, frame, Java and ActiveX attacks.

URL fields can cause a buffer overflow, either when they are parsed in an HTTP header, when they are displayed on screen, or when they are processed in some other form (such as being stored in the cache history). There was also an old Internet Explorer bug in the handling of .LNK and .URL files that could be exploited to run commands.

HTTP headers can be used to exploit bugs because some fields are passed to functions that expect only a particular kind of value.

HTML can often exploit bugs, such as the MIME-type buffer overflow in the Netscape Communicator <EMBED> tag.

JavaScript has long been a favourite, and usually tries to exploit the "file upload" function by generating a filename and automatically hiding the "submit" button. Many different bugs of this kind have been fixed, but new ways of bypassing the fixes keep being found.

Frames are often used as part of a JavaScript or Java hack (for example, hiding a web page in a frame one pixel in size), but they present a special problem of their own. If I can include the frames of a site the user trusts and replace part of them with pages from my own site, those pages will appear to be part of that remote site.

Java has a robust security model, but that model has proven to have occasional bugs (though compared with everything else it has turned out to be one of the most secure components of the whole system). Moreover, its robust security may be its undoing: normal Java applets cannot access the local system, but applets would sometimes be more useful if they could. That is why "trust" models have been introduced, which make things easier to exploit.

ActiveX is even more dangerous than Java, because it works purely on a trust model and runs as native code. You may even accidentally catch a virus that has been embedded in some ActiveX code.

1.8.4 SMTP (sendmail) attacks

Sendmail is an extremely complex and widely used program, and has consequently been a frequent source of security holes. In the old days (the era of the '88 Morris worm), hackers exploited a hole in the DEBUG command or the hidden WIZ feature to break into SMTP. These days they often try buffer overflows. SMTP is also used for reconnaissance, such as using the VRFY command to find user names.

1.8.5 Access

Failed login attempts, failed file access attempts, password cracking, administrative abuse.

1.8.6 IMAP

Users retrieve e-mail from servers via the IMAP protocol (by contrast, SMTP transmits e-mail between servers). Hackers have found a number of bugs in several popular IMAP servers.

1.8.7 IP spoofing

A number of attacks use the technique of forging (or "spoofing") your IP address. A source address accompanies every IP packet that is sent, but that address is not actually used for routing. This means an intruder can pretend to be you when talking to a server. The intruder never sees the response packets (your machine does, but throws them away because they do not match any request you sent). The intruder cannot obtain data this way, but can still pretend to be you and send commands to the server.

IP spoofing is frequently used as part of other attacks:

Smurf

A ping is sent to a broadcast address with a forged source address, causing a large number of machines to respond; all the replies go to the victim, overloading it (or its link).

TCP sequence number prediction

At the start of a TCP connection, each end must choose a sequence number. Older TCP stacks choose predictable sequence numbers, allowing an intruder to set up a connection from a forged IP address (for which he or she should not be able to see the reply packets) and so bypass security mechanisms.

DNS poisoning through sequence prediction

DNS servers "recursively" resolve DNS names. Therefore, when a DNS server satisfies a client's request, it itself becomes a client of the next server in the recursion. The sequence numbers it uses for those queries are predictable. An intruder can therefore send a request to the DNS server and then, impersonating the next server in the chain, send it a forged response. The server will believe the forged response and use it to satisfy other clients.

1.8.8 Buffer overflows

Some other buffer overflow attacks are:

DNS overflow

An overly long DNS name is sent to the server. DNS names are limited to 63 bytes per label and 255 bytes in total.

statd overflow

Triggered by submitting an overly long filename.

1.8.9 DNS attacks

DNS is a primary target because a corrupted DNS server lets you exploit trust relationships.

DNS cache poisoning

Every DNS packet contains a "question" section and an "answer" section. Vulnerable servers would believe (and cache) any answers that accompanied a question. Most, but not all, DNS servers were patched against this in 1998.

DNS poisoning through sequence prediction

See above.

DNS overflow

See above.
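The two DNS poisoning attacks described in 1.8.7 (predictable query ids) and 1.8.9 (caching any record that arrives with an answer), as an added example in Python (written for this page, not code from the FAQ or from any DNS server). A toy recursive resolver can be built with either weakness switched on or off; the two attack functions then act as the intruder. Hostnames, addresses and the starting query id are constructed for the example; the fixes modelled are random 16-bit ids and the "bailiwick" rule of ignoring records outside the zone that was asked.

```python
import itertools
import random

ATTACKER_IP = "203.0.113.66"   # where the attacker wants victims to connect
BANK_NS_IP = "198.51.100.53"   # real name server for bank.example
EVIL_NS_IP = "203.0.113.53"    # name server the attacker controls


class Resolver:
    """Toy recursive resolver. Records are (name, ip). The two flags select
    the weaknesses from 1.8.7 (predictable query ids) and 1.8.9 (caching
    any record that arrives, whether or not it belongs to the zone asked)."""

    def __init__(self, predictable_ids, bailiwick_check):
        self.cache = {}
        self.pending = {}            # txid -> (qname, zone, upstream ip)
        self._counter = itertools.count(1000)
        self.predictable_ids = predictable_ids
        self.bailiwick_check = bailiwick_check

    def _next_id(self):
        if self.predictable_ids:
            return next(self._counter) & 0xFFFF     # sequential, like old servers
        return random.getrandbits(16)               # the fix: random 16-bit ids

    def query(self, qname, zone, upstream_ip):
        """Forward `qname` to the server for `zone`; return the id as it
        appears on the wire (what an attacker sees at his own server)."""
        txid = self._next_id()
        self.pending[txid] = (qname, zone, upstream_ip)
        return txid

    def receive(self, src_ip, txid, qname, records):
        """Accept a reply if id, question and source match. The source IP is
        trivially spoofed, so the id is all that protects the cache."""
        entry = self.pending.get(txid)
        if entry is None or entry[0] != qname or entry[2] != src_ip:
            return False
        _, zone, _ = self.pending.pop(txid)
        for name, ip in records:
            in_zone = name == zone or name.endswith("." + zone)
            if self.bailiwick_check and not in_zone:
                continue                                # ignore out-of-zone data
            self.cache[name] = ip
        return True


def sequence_prediction_attack(resolver):
    """1.8.7: learn the current id via a lookup in the attacker's own zone,
    then race the real answer for a victim name with a forged reply."""
    seen = resolver.query("probe.evil.example", "evil.example", EVIL_NS_IP)
    resolver.receive(EVIL_NS_IP, seen, "probe.evil.example",
                     [("probe.evil.example", "203.0.113.7")])
    real = resolver.query("www.bank.example", "bank.example", BANK_NS_IP)
    guess = (seen + 1) & 0xFFFF
    resolver.receive(BANK_NS_IP, guess, "www.bank.example",        # forged
                     [("www.bank.example", ATTACKER_IP)])
    resolver.receive(BANK_NS_IP, real, "www.bank.example",         # genuine
                     [("www.bank.example", "198.51.100.10")])
    return resolver.cache.get("www.bank.example") == ATTACKER_IP


def extra_record_attack(resolver):
    """1.8.9: the attacker's server answers a legitimate question about its
    own zone and smuggles in a record for the bank alongside it."""
    txid = resolver.query("www.evil.example", "evil.example", EVIL_NS_IP)
    resolver.receive(EVIL_NS_IP, txid, "www.evil.example",
                     [("www.evil.example", "203.0.113.7"),
                      ("www.bank.example", ATTACKER_IP)])
    return resolver.cache.get("www.bank.example") == ATTACKER_IP


if __name__ == "__main__":
    print("predictable ids:", sequence_prediction_attack(Resolver(True, True)))
    print("random ids:     ", sequence_prediction_attack(Resolver(False, True)))
    print("no bailiwick:   ", extra_record_attack(Resolver(True, False)))
    print("bailiwick:      ", extra_record_attack(Resolver(True, True)))
```

With random ids the single forged reply succeeds only with probability 1/65536, which is why the later generation of attacks sends thousands of forged replies per query; a 16-bit id is a small secret, and a randomised source port is needed in addition.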

1.10 What is a denial of service (DoS)?

1.10.1 Ping of death

An invalid fragment is sent that starts before the end of the packet but extends past it, so that reassembly overruns the buffer.

1.10.2 SYN flood

TCP SYN packets (connection requests) are sent very rapidly, leaving the victim waiting to complete a huge number of half-open connections and exhausting its resources so that legitimate connections are refused. A newer defence, "SYN cookies", works as follows: each connection has its own sequence number; in response to a SYN, the attacked machine generates a special sequence number (a "cookie" for the connection) and then forgets everything about the connection. When the legitimate final ACK arrives, it can reconstruct the information about the connection from the cookie.
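The SYN cookie defence just described, as an added example in Python (written for this page; not code from the FAQ or from any operating system's TCP stack). The cookie packs a time slot, an index into a small MSS table and a keyed hash of the connection 4-tuple into the 32-bit initial sequence number, so the server keeps no state for a SYN and can still validate the final ACK. The secret, the 64-second slot, the 5/3/24-bit layout and the MSS table are assumptions chosen here; the idea is the one the paragraph gives.

```python
import hashlib
import socket
import struct

# Assumptions for this example (layout chosen here, not taken from any kernel):
# a per-boot secret, 64-second time slots, and a small MSS table whose index
# travels in the cookie so the server can still pick a sensible MSS later.
SECRET = b"per-boot secret: use 16+ random bytes in a real server"
SLOT_SECONDS = 64
MSS_TABLE = (536, 1220, 1440, 1460)


def _mac(saddr, daddr, sport, dport, counter):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, counter) + SECRET
    return int.from_bytes(hashlib.sha256(msg).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_mss, now):
    """Sequence number to put in the SYN/ACK. Layout (32 bits):
    5-bit time slot | 3-bit MSS index | 24-bit MAC. No state is kept."""
    counter = int(now) // SLOT_SECONDS
    idx = max((i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss), default=0)
    return ((counter & 0x1F) << 27) | (idx << 24) | _mac(saddr, daddr, sport, dport, counter)


def check_cookie(saddr, daddr, sport, dport, ack, now):
    """Validate the handshake's final ACK; return the MSS to use, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF           # the client acknowledges ISN + 1
    slot, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    counter = int(now) // SLOT_SECONDS
    age = (counter - slot) & 0x1F             # slots elapsed since minting
    if age > 1:                               # only current and previous slot
        return None
    if idx >= len(MSS_TABLE) or _mac(saddr, daddr, sport, dport, counter - age) != mac:
        return None
    return MSS_TABLE[idx]


class SynCookieServer:
    """Server side of the three-way handshake with no per-SYN state."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = []

    def on_syn(self, saddr, sport, client_mss, now):
        """Return the ISN for the SYN/ACK; nothing is remembered."""
        return make_cookie(saddr, self.addr, sport, self.port, client_mss, now)

    def on_ack(self, saddr, sport, ack, now):
        """Rebuild the connection from the cookie alone."""
        mss = check_cookie(saddr, self.addr, sport, self.port, ack, now)
        if mss is None:
            return False
        self.established.append((saddr, sport, mss))
        return True


if __name__ == "__main__":
    server = SynCookieServer("192.0.2.1", 80)
    # A flood of 50,000 SYNs from forged sources costs one hash each and no memory.
    for i in range(50000):
        server.on_syn(f"10.{(i >> 8) & 255}.{i & 255}.1", 1024 + (i % 60000), 1460, 1_000_000)
    isn = server.on_syn("10.0.0.7", 40000, 1460, 1_000_000)
    print("legit ack accepted:", server.on_ack("10.0.0.7", 40000, (isn + 1) & 0xFFFFFFFF, 1_000_030))
    print("stale ack accepted:", server.on_ack("10.0.0.7", 40000, (isn + 1) & 0xFFFFFFFF, 1_000_300))
    print(server.established)
```

The cost of statelessness is visible in the code: any TCP options the client sent with its SYN that are not encoded in the cookie are lost, and because nothing is remembered, a captured valid ACK is accepted again within the two-slot window, which is why real stacks only switch cookies on while the backlog is under attack.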

1.10.3 Land / LaTierra

A forged SYN packet is sent whose source and destination address and port are identical; the victim gets stuck in an endless loop trying to complete the TCP connection with itself.

1.10.4 WinNuke

Out-of-band (OOB/URG) data is sent over a TCP connection to the NetBIOS session service (SMB) port, causing the Windows system to hang (crash).
