What Is Intrusion Detection?

An intrusion detection system (IDS) is an additional protection measure to firewalls, virus scanners, and encryption that helps ward off computer intrusions. IDS systems can be software and hardware devices used to detect an attack. Attacks can take many forms, as we have discussed. You can be attacked through applications such as Netscape, Internet Explorer, Eudora, or Microsoft Outlook. You can be attacked via the operating system, regardless of whether it is Unix-, Windows-, or Mac-based. You also can be attacked via the network through denial-of-service (DoS) attacks or attacks against protocols.

IDS products are used to monitor your connection to try to determine whether someone is launching an attack against you. Everything from a simple port scan to a full attack against your Web server can be detected by the IDS system. A flag is raised when you are being attacked. Some IDS systems just monitor and alert you of an attack, whereas others try to block the attack. As we mentioned when discussing BlackICE, some firewalls alert you of attacks, acting as an IDS.

Capabilities differ greatly between IDS systems. Because the more complicated IDS programs are too expensive for most home users, selecting a firewall that has IDS capabilities, such as BlackICE or ZoneAlarm, can be a key buying feature. Buying a personal firewall with IDS-like capabilities makes more sense for Windows users because free or inexpensive solutions for Windows are very limited. Unix users, on the other hand, have a wider selection of free IDS applications.

Software and hardware designed to detect attackers can pick up many levels of intrusion. An IDS still will not be able to detect certain things, such as someone looking up which ISP your IP address belongs to. If someone is checking your ISP to find out what blocks of IP addresses it owns, you will not know. Gathering public information doesn't affect your system at all until the attackers begin to ping your system to see if it is alive. These non-invasive techniques are used for reconnaissance and for mapping out potential targets.

Another non-invasive form of reconnaissance takes advantage of the legitimate services you have running. If you run a Web site from home or have a mail server running, an attacker can use these legitimate services to find out information about your system. The information can be extracted without setting off any alarms, because the requests look like ordinary traffic to your computer. As we have already mentioned, an attacker can only take advantage of a service or program that is actually running on your system; if you are running a Web server, an attacker could launch Web server attacks against your machine. It's simple to get the pertinent information from your system through legitimate requests.

As a refresher: to take advantage of a service, the attacker must first know which services you are running. For example, if a Web server is running, the attacker wants to know what type of operating system and what version of the Web server are being used. The attacker can simply connect to the Web server with a program such as netcat (nc) and get the information shown in Figure 16.1 without setting off IDS alarms.

Figure 16.1. Non-invasive information gathering.


The job of the IDS is to pick up traffic that is outside the normal scope of system operations. Although simply browsing your Web site does not set off an IDS, launching an attack such as an IIS directory traversal attack does set off a correctly configured IDS. IDS configurations are much like firewall configurations: you set up a number of filter rules to look for certain types of traffic. A normal IDS is not meant to block traffic, but to watch traffic and report back to you on what is occurring against your system. Newer breeds of IDSs such as Entercept (www.entercept.com) can actually stop traffic like a firewall. If an attack matches a signature that Entercept knows, Entercept stops that traffic. The following output shows an example of the Entercept IDS event from an attack, which Entercept detects and blocks. The action taken by the product is Prevent, which stops the attack from doing any actual damage:

IIS Directory Traversal and Code Execution 

This event indicates that a Directory Transversal attack was attempted against
Microsoft's Internet Information Server (IIS) through a request made to the web
server using cmd.exe.

Directory Traversal is a method of escaping the IIS webroot
directory, thus allowing access to normally-protected files or permit
execution of arbitrary code on the target host.

<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884"
target=_blank>CVE reference: CVE-2000-0884</a>


Reported by entercept.
Console: IDSConsle

Security Level: High
Application: IIS
Recording Time: 10/10/2001 11:52:48 AM
Incident Time: 10/10/2001 11:52:03 AM
Source: Exp3
User Name: WORKGROUP\TestUser
Process: C:\WINNT\System32\inetsrv\inetinfo.exe
Reaction: Prevent
Agent Type: Windows NT/2000 Web Server
Event Id: 28685

Workstation Name: Local
raw data: GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0

Host: www

Connection: close

server: www:192.168.1.1:80
local file: C:\inetpub\scripts\..%5c..\winnt\system32\cmd.exe
Web Server Type: Microsoft-IIS/5.0
source: 192.168.1.20
method: GET
raw url: GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
query: /c+dir
URL: /scripts/../../winnt/system32/cmd.exe
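The Entercept event is only possible because the product decodes the request before matching it: the raw URL hides the backslash as %255c, which decodes to %5c and then to a real backslash, and only after that does the path visibly climb out of the web root. The following is an added example (not Entercept's code, nor the book's) of that canonicalization step. The function names, the bounded decode loop, the "reasons" it reports, and the small list of interpreter names it treats as a signature are all assumptions made for the example.

```python
"""Added example (not Entercept's code): canonicalize an HTTP request path the
way a decoding-aware IDS must before signature matching, so that a traversal
hidden behind double encoding (%255c -> %5c -> backslash) is still recognised."""
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: legitimate URLs never need more than one pass


def canonicalize_path(path):
    """Return (normalized_path, escaped_root, decode_rounds).

    normalized_path: forward-slash path with '.' and '..' segments resolved
    escaped_root:    True if a '..' tried to climb above the web root
    decode_rounds:   number of percent-decoding passes that changed the input
    """
    decoded, rounds = path, 0
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded, rounds = nxt, rounds + 1
    decoded = decoded.replace("\\", "/")  # IIS accepts backslash as a separator
    parts, escaped = [], False
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escaped = True  # nothing left to pop: we are above the root
            continue
        parts.append(seg)
    return "/" + "/".join(parts), escaped, rounds


# Assumed signature list: file names an ordinary web request has no business naming.
INTERPRETERS = ("cmd.exe", "command.com")


def inspect_request(request_line):
    """Classify one raw HTTP request line ('GET /path?query HTTP/1.0').
    Returns a dict shaped like the fields in the Entercept event above."""
    fields = request_line.split()
    method = fields[0] if fields else ""
    target = fields[1] if len(fields) > 1 else "/"
    path, _, query = target.partition("?")
    url, escaped, rounds = canonicalize_path(path)
    reasons = []
    if escaped:
        reasons.append("path climbs above the web root")
    if rounds > 1:
        reasons.append("path was percent-encoded more than once")
    if url.rsplit("/", 1)[-1].lower() in INTERPRETERS:
        reasons.append("command interpreter requested")
    return {"method": method, "url": url, "query": query,
            "alert": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample: the request from the Entercept event plus benign traffic.
    for line in (
        "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
        "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
        "GET /images/../index.html HTTP/1.0",
        "GET /index.html HTTP/1.0",
    ):
        print(inspect_request(line))
```

Run on the event's raw URL, the function reports the same normalized URL the console shows (/winnt/system32/cmd.exe) and raises all three reasons; the benign /images/../index.html resolves to /index.html with no alert, because a ".." that stays inside the web root is normal. An IDS that compared the raw string against a signature containing "../" would have matched neither encoded form, which is exactly why decoding comes first.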

Note

Products that have extensive IDS capabilities, such as blocking and firewall capabilities, are very complex and expensive and are not meant for the consumer. Personal firewalls are implementing this type of functionality slowly but surely, and consumers are slowly reaping the benefits of the large commercial programs.


When an attack is launched that fits the filters that an IDS defines, a flag is raised in the form of screen alerts, e-mail alerts, pager alerts, or any other form of alerting mechanism that is defined. Some firewalls can act as IDS because they provide alerting mechanisms such as onscreen pop-up alerts. BlackICE's alerting mechanisms show up as a small flashing icon in the system tray and show the attacks in the window, as seen in Figure 16.2. In this example, we see two attacks focusing on HTTP and FTP. As we mentioned, the newer personal firewalls can alert you and block attacks, as BlackICE does in this case.

Figure 16.2. BlackICE alert window.


Another of the personal firewalls we tested had good alert pop-up capabilities. ZoneAlarm Pro's alerts are shown in Figure 16.3.

Figure 16.3. ZoneAlarm Pro alert pop-up.


In the corporate environment, firewalls and IDSs are designed to protect the confidentiality, integrity, and availability of data. Firewalls have expanded their capabilities into the IDS arena, and as we have seen with some of the personal firewalls, they can act as IDSs. For your personal information and systems at home, you need strong protection and detection. Confidentiality means protecting your data from unauthorized disclosure. Integrity of your data means that no one was able to access your information and modify it in any way without your permission. You would not want someone accessing your Quicken or TurboTax files and making modifications to your entries. Availability means that you will always have access to your information. You would not want a hacker accessing and destroying your TurboTax files so that you couldn't access your data on April 14.

Note

Here are two very good resources for Windows and Unix-based IDSs:


Benefits of IDS

The main reason to use either a standalone IDS or a firewall that has IDS capabilities is to detect attacks against your system and alert you to them. Just as a virus scanner checks incoming files or data for viruses and alerts you, an IDS checks traffic for attacks and alerts you. The newer IDSs take a proactive stance toward attacks and block them in many cases.

The security measures we have discussed, from locking down your operating system to removing services and applications that you do not need, can still leave some vulnerabilities in your system.

To really get the most out of your IDS, you should first understand the potential problems in your environment, as discussed in Chapter 13, “Securing Your Home Network.” By knowing where you are potentially vulnerable, from both the services you have running and the applications that are installed, you can use the IDS to shore up those weaknesses. The IDS can block an attack or just let you know when you are being attacked. Just because the IDS flags an attack doesn't mean that the attacker got through the firewall and the filter rules you set up. Like the logging capabilities we discussed with firewalls, the IDS alerts you whenever traffic matches its filter rules, whether or not the attack succeeded. Knowing your system helps you understand the alerts much better. If you see a Web attack being reported by your IDS and you know that you do not have a Web server running, then you have nothing to worry about. Let the attacker fire away—you won't be compromised if you do not have the Web server or a Web application running.

In the event that your system does get compromised, an IDS can continue to log activity and record the actual break-in. This can be valuable for two reasons. First, if you want to try to track down and prosecute the attacker, you have log files that can be used in a legal case. Second, you can use the log files of the break-in to see how the attacker launched the attacks and potentially what he did to take over your system. You can use this information to patch the holes in your environment so that other attackers cannot use the same hole. If you reinstall the operating system or application, you can be sure not to implement the same vulnerability again. This is, of course, dependent on the attacker not wiping out all your log files or destroying your system!

IDSs can be a great learning experience. If you are interested in seeing what kinds of attacks are launched against your system every day, you can watch all the traffic being logged by the IDS. One project that has been successful in identifying how attackers operate and has logged attacks for analysis is the Honeynet Project (http://project.honeynet.org). This project tracks how attackers launch attacks against its own test systems, known as honeypots. Many companies also use honeypots to learn more about how hackers operate without sacrificing a real production system. The goals of the Honeynet Project as stated on the Web site are as follows:

  • Raise awareness— The first goal is to raise awareness of the threats and vulnerabilities that exist on the Internet today. We raise awareness by demonstrating real systems that were compromised in the wild by the blackhat community. Many people believe it can't happen to them. We hope to change their mind.

  • Teach and inform— For those in the community who are already aware and concerned, we hope to give you the information to better secure and defend your resources. Historically, intelligence about attackers has been limited to the tools they use. The Project intends to provide additional information, such as their motives in attacking, their methods for communication, the times they attack, and their actions after compromising a system.

  • Gather intelligence— The third goal is to provide the technology and methods of intelligence gathering. Organizations, such as universities, might be interested in developing their own ability to research threats or adversaries.

Home users can benefit from the lessons learned from the Honeynet Project. Your IDS can monitor attacks, and you can use this data to learn more about incidents and what to look for when you see traffic coming to your network. A great benefit of knowing what traffic is being sent to your site is that you can tell when a new form of attack is being launched. That gives you time to ensure that you have the correct security measures in place. For example, if a new worm such as Code Red IV comes out, you will see the traffic being recorded and hopefully stopped by your IDS. You can then check your operating system and applications to ensure you are not vulnerable in the event that the attack makes it past your IDS or firewall.

Problems with IDS

As we have already mentioned in the logging capabilities of firewalls, too much logging can be just as useless as no logging. One of the main functions of an IDS is to log data. Logging data helps you analyze what attacks are being launched and how your protective measures handle attacks. If you log every bit of data, it's impossible to review it all in a timely fashion. Too much useless data can hide the important bits of information about real, deadly attacks. A consistent attack by a determined intruder can be hidden in mountains of data from script kiddies who don't know any better and are just port scanning at random. You would be subject to data overload and get no benefit from all the attacks you have logged.

Another failure of IDSs is their inability, in some cases, to recognize new attacks. As we have mentioned, new attacks come out on a daily basis. If the IDS you are using (or the firewall acting as one) is not versatile enough, a new attack can bypass its filter rules without being recognized as a new form of attack. For example, many Web attacks use port 80 (http). If your IDS cannot distinguish between normal Web surfing traffic and an attack against the operating system through port 80, you will not know that your Web server is under attack.

Finally, if you set up alerting to let you know when just about anything sets off your IDS filter rules, you will be inundated with alerts and begin to ignore them. By ignoring them, you will probably miss the real alert of a dangerous attack. If you hear a car alarm going off in any big city, what are the odds that you will be concerned and check on your car? The odds are low because these alarms go off all the time and everyone thinks they are no big deal. The same can happen to your IDS alerts if you send out alerts for every little thing that happens on your network. The following listing shows some of the numerous log messages that can be written to a file. In this case, we see WinRoute log file information. If you don't know what all these messages mean, you might ignore them or turn logging off altogether. Here is the log excerpt:

[21/Oct/2001 11:45:52] Packet filter: ACL 1:7 FE575 Ethernet Adapter: 
permit packet in: TCP 217.6.114.250:80 -> 10.1.176.234:1326
[21/Oct/2001 11:45:52] Packet filter: ACL 1:7 FE575 Ethernet Adapter:
permit packet in: TCP 217.6.114.250:80 -> 10.1.176.234:1326
[21/Oct/2001 11:45:52] Packet filter: ACL 1:7 FE575 Ethernet Adapter:
permit packet in: TCP 217.6.114.250:80 -> 10.1.176.234:1326
[21/Oct/2001 11:45:53] Packet filter: ACL 1:7 FE575 Ethernet Adapter:
permit packet in: TCP 217.6.114.250:80 -> 10.1.176.234:1326
[21/Oct/2001 11:45:53] Packet filter: ACL 1:7 FE575 Ethernet Adapter:
permit packet in: TCP 217.6.114.250:80 -> 10.1.176.234:1326
[21/Oct/2001 11:45:53] Packet filter: ACL 1:7 FE575 Ethernet Adapter:
permit packet in: TCP 217.6.114.250:80 -> 10.1.176.234:1326
[21/Oct/2001 11:45:53] Packet filter: ACL 1:7 FE575 Ethernet Adapter:
permit packet in: TCP 217.6.114.250:80 -> 10.1.176.234:1326
[21/Oct/2001 11:46:10] Packet filter: ACL 1:6 FE575 Ethernet Adapter:
permit packet in: ICMP 216.115.102.79 -> 10.1.176.234 type 0 code 0
[21/Oct/2001 11:46:11] Packet filter: ACL 1:6 FE575 Ethernet Adapter:
permit packet in: ICMP 216.115.102.79 -> 10.1.176.234 type 0 code 0
[21/Oct/2001 11:46:12] Packet filter: ACL 1:6 FE575 Ethernet Adapter:
permit packet in: ICMP 216.115.102.79 -> 10.1.176.234 type 0 code 0
[21/Oct/2001 11:46:13] Packet filter: ACL 1:6 FE575 Ethernet Adapter:
permit packet in: ICMP 216.115.102.79 -> 10.1.176.234 type 0 code 0
[21/Oct/2001 11:50:03] Packet filter: ACL 1:3 FE575 Ethernet Adapter:
drop packet in: UDP 10.1.176.234:137 -> 10.1.176.255:137
[21/Oct/2001 11:50:04] Packet filter: ACL 1:3 FE575 Ethernet Adapter:
drop packet in: UDP 10.1.176.234:137 -> 10.1.176.255:137
[21/Oct/2001 11:50:05] Packet filter: ACL 1:3 FE575 Ethernet Adapter:
drop packet in: UDP 10.1.176.234:137 -> 10.1.176.255:137
[21/Oct/2001 12:01:40] Packet filter: ACL 1:3 FE575 Ethernet Adapter:
drop packet in: UDP 10.1.176.234:137 -> 10.1.176.255:137
[21/Oct/2001 12:01:40] Packet filter: ACL 1:3 FE575 Ethernet Adapter:
drop packet in: UDP 10.1.176.234:137 -> 10.1.176.255:137
[21/Oct/2001 12:01:41] Packet filter: ACL 1:3 FE575 Ethernet Adapter:
drop packet in: UDP 10.1.176.234:137 -> 10.1.176.255:137
[21/Oct/2001 12:01:48] Packet filter: ACL 1:7 FE575 Ethernet Adapter:
permit packet in: TCP 216.239.39.101:80 -> 10.1.176.234:1330
[21/Oct/2001 12:01:48] Packet filter: ACL 1:7 FE575 Ethernet Adapter:
permit packet in: TCP 216.239.39.101:80 -> 10.1.176.234:1330
[21/Oct/2001 12:01:48] Packet filter: ACL 1:7 FE575 Ethernet Adapter:
permit packet in: TCP 216.239.39.101:80 -> 10.1.176.234:1330
[21/Oct/2001 12:01:48] Packet filter: ACL 1:7 FE575 Ethernet Adapter:
permit packet in: TCP 216.239.39.101:80 -> 10.1.176.234:1330
[21/Oct/2001 12:01:48] Packet filter: ACL 1:7 FE575 Ethernet Adapter:
permit packet in: TCP 216.239.39.101:80 -> 10.1.176.234:1330
[21/Oct/2001 12:01:48] Packet filter: ACL 1:7 FE575 Ethernet Adapter:
permit packet in: TCP 216.239.39.101:80 -> 10.1.176.234:1330
[21/Oct/2001 12:01:48] Packet filter: ACL 1:7 FE575 Ethernet Adapter:
permit packet in: TCP 216.239.39.101:80 -> 10.1.176.234:1330
[21/Oct/2001 12:01:59] Packet filter: ACL 1:7 FE575 Ethernet Adapter:
permit packet in: TCP 216.239.39.101:80 -> 10.1.176.234:1330
[21/Oct/2001 12:02:06] Packet filter: ACL 1:3 FE575 Ethernet Adapter:
drop packet in: UDP 10.1.176.234:137 -> 10.1.176.255:137

Why Not to Use IDS

For your home network of probably two to five computers, you are probably the only one administering security to it if you are reading this book. We assume that you are not sitting at home all day watching your firewall and IDS log files. (If you are, get out and go for a walk!) Because watching your home network logs and alerts is not your full-time job, you do not want to be flooded with data and scared every few minutes that you are being hacked.

Most of the attacks you will face are going to be by script kiddies with automated scanners. Unless the scanner does the hacking for them, most of them wouldn't know what to do with a sophisticated vulnerability. You will be constantly port scanned and checked for every exploit that is coded up by an automated vulnerability scanner. If you are running Windows, you really don't care if you are scanned for Linux vulnerabilities.

An IDS is not always necessary for the home environment. If you have just the logging and minimal alerting setup in your firewalls, you can have a decent comfort level. Security monitoring is useless if you don't actually check your logs, watch what is happening, and review files constantly. Most home users will not do this; therefore, practically speaking, implement the firewalls securely with good filtering rules and you probably won't need another form of IDS.

Intrusion Response

When the IDS detects an attack, you can usually set up some form of response. A response can be anything from alerting you, to blocking the attack, to disconnecting your system. Your IDS can do several things as a result:

  • Alert through a sound

  • Send information to a log utility such as syslogd or NT Event logs

  • Send an e-mail

  • Send a page

  • Automatically block the attack

  • Save the attack information (timestamp, intruder IP address, victim IP address/port, protocol information)

  • Look up information on the attacking IP address

  • Launch a counterhack program (very bad idea)

  • Terminate the TCP session

Log Analysis

Your logs are the source of all information about attacks against your system. If you are filtering traffic and monitoring just messages and alerts that are a high risk, your IDS will provide more benefits than if you tried to monitor everything. One thing to keep in mind is that you must ensure that your logs are on a secured machine that is not vulnerable. Your logs will be worthless if the computer on which your logs are stored gets hacked. Even if the attacker does not erase the log files, you cannot trust them because the intruder can erase parts of an IDS log file to hide his activity. Programs called rootkits are available on Linux- and Windows-based systems that are used to replace key programs and hide the activity of an intruder. If your IDS is compromised, the odds are that a knowledgeable intruder will install a rootkit to hide his activities. The rootkits will clean out entries of the attack from log files or remove log files completely if the files are on the system that was compromised.

If your log files are wiped out, you wouldn't know how the intruder got in, when he got in, or whether Trojan horses and backdoors were installed for later access into the system. Several common Unix rootkits are lrk5, knark, and torn kit. One for Windows NT is Rootkit. These can be found at www.rootkit.com or packetstorm.decepticons.org. The NT Rootkit can do the following:

  • Hide processes (that is, keep them from being listed)

  • Hide files

  • Hide Registry entries

  • Intercept keystrokes typed at the system console

  • Issue a debug interrupt, causing a blue screen of death (BSOD)

  • Redirect EXE files

As we have discussed with your data, log file information should be backed up regularly. In corporate environments, IDS logs are usually stored on a secure log server. Because you probably won't be dedicating a computer to be a log server, you should just back up the log files by whatever means you use to back up your normal applications and data. If you are compromised and your log is erased or modified, at least you will have some data you can sift through to see whether the attacker had done anything to your system earlier.

When reviewing your log files, looking for certain types of attacks is important. It's easy to tell a port scan from a concerted attack against your Web server. Attacks are launched against specific ports, and you can tell what type of attack is being launched by the port being used. An attack in which all ports are being contacted is indicative of a port scan. Seeing your FTP port being contacted repeatedly indicates someone trying to take advantage of your FTP server.
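Both of the problems above, the flood of repetitive WinRoute lines in the "Problems with IDS" section and the port scan versus focused attack distinction just described, come down to the same piece of log analysis: parse each line, collapse the repeats into counts, and look at what each outside source is touching. The following is an added example, not WinRoute's or the book's code, that does that. It assumes each log entry is on one line (the book wraps them for print), a local network of 10.1.176.x as in the listing, and thresholds of 10 distinct ports for a scan and 5 hits for repeated contact; the extra scan and FTP lines are constructed with RFC 5737 documentation addresses.

```python
"""Added example, not WinRoute's or the book's code: parse WinRoute packet-filter
log lines, collapse repeated entries into counts so the noise becomes a short
summary, and flag the two patterns named in the Log Analysis section: a port
scan (one source touching many destination ports) and repeated contact with a
single service port (one source hammering, say, FTP)."""
import re
from collections import Counter, defaultdict

# One WinRoute "Packet filter" line (the book wraps them; here each is one line).
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] Packet filter: ACL (?P<acl>\S+) .*?: "
    r"(?P<action>permit|drop) packet (?P<direction>in|out): "
    r"(?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?"
)


def parse_log(lines):
    """Return a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"]) if ev["sport"] else None
        ev["dport"] = int(ev["dport"]) if ev["dport"] else None
        events.append(ev)
    return events


def summarize(events):
    """Collapse repeats: count events per (action, proto, src, dport)."""
    return Counter((e["action"], e["proto"], e["src"], e["dport"]) for e in events)


def is_reply(ev):
    """Inbound packet from a service port to an ephemeral port: most likely the
    answer to a connection this host opened (the permitted :80 -> :1326 lines)."""
    return (ev["sport"] is not None and ev["sport"] < 1024
            and ev["dport"] is not None and ev["dport"] >= 1024)


def classify_sources(events, local_prefix="10.1.176.", scan_ports=10, repeat_hits=5):
    """Label outside sources: 'port scan' when one source touches scan_ports or
    more distinct destination ports, 'repeated contact' when it hits one port
    repeat_hits or more times. The thresholds are assumptions; tune them."""
    ports_by_src = defaultdict(Counter)
    for ev in events:
        if ev["direction"] != "in" or ev["dport"] is None:
            continue
        if ev["src"].startswith(local_prefix) or is_reply(ev):
            continue  # our own NetBIOS broadcasts and web replies are not attacks
        ports_by_src[ev["src"]][ev["dport"]] += 1
    verdicts = {}
    for src, ports in ports_by_src.items():
        if len(ports) >= scan_ports:
            verdicts[src] = "port scan (%d ports)" % len(ports)
        else:
            port, hits = ports.most_common(1)[0]
            if hits >= repeat_hits:
                verdicts[src] = "repeated contact on port %d (%d hits)" % (port, hits)
    return verdicts


# Constructed sample: a few lines in the shape of the book's listing...
SAMPLE_LOG = """
[21/Oct/2001 11:45:52] Packet filter: ACL 1:7 FE575 Ethernet Adapter: permit packet in: TCP 217.6.114.250:80 -> 10.1.176.234:1326
[21/Oct/2001 11:45:52] Packet filter: ACL 1:7 FE575 Ethernet Adapter: permit packet in: TCP 217.6.114.250:80 -> 10.1.176.234:1326
[21/Oct/2001 11:45:52] Packet filter: ACL 1:7 FE575 Ethernet Adapter: permit packet in: TCP 217.6.114.250:80 -> 10.1.176.234:1326
[21/Oct/2001 11:46:10] Packet filter: ACL 1:6 FE575 Ethernet Adapter: permit packet in: ICMP 216.115.102.79 -> 10.1.176.234 type 0 code 0
[21/Oct/2001 11:50:03] Packet filter: ACL 1:3 FE575 Ethernet Adapter: drop packet in: UDP 10.1.176.234:137 -> 10.1.176.255:137
""".strip().splitlines()
# ...plus constructed lines (RFC 5737 addresses) for a scan and for repeated FTP contact.
SAMPLE_LOG += [
    "[21/Oct/2001 12:10:%02d] Packet filter: ACL 1:3 FE575 Ethernet Adapter: "
    "drop packet in: TCP 192.0.2.77:4123 -> 10.1.176.234:%d" % (i, p)
    for i, p in enumerate((21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443))
]
SAMPLE_LOG += [
    "[21/Oct/2001 12:15:%02d] Packet filter: ACL 1:7 FE575 Ethernet Adapter: "
    "permit packet in: TCP 198.51.100.9:%d -> 10.1.176.234:21" % (i, 3000 + i)
    for i in range(6)
]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, n in summarize(evs).most_common():
        print("%4d x %s" % (n, key))
    print(classify_sources(evs))
```

Twenty-three raw lines collapse to a handful of counted rows, and only two sources earn a verdict: 192.0.2.77 is a port scan (12 distinct ports), 198.51.100.9 is repeated contact on port 21. The web replies from 217.6.114.250 and the host's own port 137 broadcasts, which make up most of the raw listing, are deliberately set aside, which is the kind of filtering that keeps the alerts worth reading.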
