LINUXsecure: Issues on Linux and Security

Intrusion Detection System
 

Just under construction, version 0.3, last update 2003/07/22

Contents
  1. What is an Intrusion Detection System?
  2. Signatures
  3. The Need for Intrusion Detection
  4. Flexible Responses
  5. Links

What is an Intrusion Detection System?

The aim of an IDS (Intrusion Detection System) is to detect activities that might compromise the integrity, availability, or confidentiality of resources such as computers and data. A network IDS (NIDS) works centrally and is network-based: it examines network traffic to identify threats by detecting probes, scans, and attacks. A good NIDS can have an enormous positive impact on overall security. Unlike a firewall or a router, it does not interfere with the traffic it inspects in any way; it only observes.

An IDS has three main components:

  • data collection,
  • data analysis, and
  • data (and result) visualization.

For the success of an IDS, the source of the data analysed for intrusion signatures is very important. Three main sources are available:

  • audit data such as syslog output (status information and messages of various components),
  • resource usage reported by the operating system (CPU state, number of active network connections, etc.),
  • network traffic volume and composition (by IP address, port, protocol, etc.).

Detection by data analysis can be based on two different techniques: misuse detection and anomaly detection.

Misuse detection tries to identify typical patterns of known attacks in the audit data. Its preconditions are knowledge of what the attack consists of, and a way to make that knowledge available to the IDS in a form it can interpret.

Anomaly detection, in contrast, is based on the idea that an attack results in atypical system behaviour by which it can be identified. This requires a definition of normal system behaviour. Such systems treat particular sequences of events as typical: once the IDS sees the beginning of such a sequence, it expects the following events to occur as the sequence prescribes. If they do not, the behaviour is judged abnormal.
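The sequence-based anomaly detection just described, as an added example (not code from the original page or from any IDS product): "normal" behaviour is learned as the set of short event sequences (n-grams) seen in a training period, and a new trace is flagged when too many of its windows were never seen. The training and test traces, the hypothetical syscall-style event names and the threshold are all constructed for this example.

```python
"""Sequence-based anomaly detection over event traces (added example).

Normal behaviour = every WINDOW-length sequence of consecutive events seen
in training.  A trace is scored by the fraction of its windows that never
occurred in training.  All traces and event names below are constructed
(hypothetical syscall-style labels), not output of a real tool.
"""
from collections import Counter
from typing import Iterable, List, Tuple

WINDOW = 3  # length of the event sequences treated as "typical"

# Constructed training traces: what a well-behaved web server worker does.
NORMAL_TRACES = [
    ["accept", "read", "open", "read", "write", "close", "write", "close"],
    ["accept", "read", "stat", "open", "read", "write", "close", "close"],
    ["accept", "read", "write", "close"],
]


def ngrams(events: List[str], n: int = WINDOW) -> Iterable[Tuple[str, ...]]:
    """Yield every n-length window of consecutive events (none if trace < n)."""
    for i in range(len(events) - n + 1):
        yield tuple(events[i:i + n])


def build_profile(traces: List[List[str]], n: int = WINDOW) -> Counter:
    """Learn the normal profile: every n-gram seen in training and its count."""
    profile: Counter = Counter()
    for trace in traces:
        profile.update(ngrams(trace, n))
    return profile


def score_trace(profile: Counter, events: List[str], n: int = WINDOW):
    """Return (mismatch_fraction, mismatches): windows never seen in training."""
    windows = list(ngrams(events, n))
    if not windows:
        return 0.0, []
    mismatches = [w for w in windows if w not in profile]
    return len(mismatches) / len(windows), mismatches


def is_anomalous(profile: Counter, events: List[str], threshold: float = 0.2, n: int = WINDOW) -> bool:
    """Flag a trace when more than `threshold` of its windows are unknown."""
    fraction, _ = score_trace(profile, events, n)
    return fraction > threshold


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    benign = ["accept", "read", "open", "read", "write", "close", "close"]
    # Constructed attack trace: the worker ends up spawning a shell and calling out.
    attack = ["accept", "read", "open", "read", "execve", "fork", "socket", "connect"]
    for name, trace in (("benign", benign), ("attack", attack)):
        fraction, bad = score_trace(profile, trace)
        print(f"{name}: {fraction:.2f} of windows unknown, anomalous={is_anomalous(profile, trace)}")
        for window in bad:
            print("   never seen:", " -> ".join(window))
```

The benign trace scores 0.0 because every one of its windows appears in training; the attack trace scores 4 of 6 windows unknown, because the training period never saw a worker follow a read with execve. The weak spot is also visible: the first two windows of the attack trace look entirely normal, so a short, "normal-looking" attack can stay under the threshold, and a training set that is too small will produce false alarms on legitimate but rare sequences.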

Equally important is a user-friendly presentation of the IDS results. The user may want to assign a level of importance to every detected attack (every positive). In general, a user-friendly presentation means that results are displayed graphically and that summaries are generated automatically, so that the most important items are visible at first glance. It is also important to send an alarm to the security operator (for example by pager, e-mail, or a message over the local network).

An attack over the local network can exploit several (non-exclusive) kinds of system vulnerability:

  • misconfiguration,
  • implementation errors,
  • design errors in the communication protocol,
  • design errors in the service specification,
  • design errors in the application,
  • user handling errors,
  • other.

Besides classifying attacks by the vulnerability they exploit, we can list categories of possible (non-exclusive) damage:

  • the attacker collects information about the target: normally the first phase of an attack (mainly port scans),
  • the compromise of network resources (firewalls, routers, etc.): needed to get packets into the local network,
  • the compromise of server resources: e.g. the FTP server,
  • loss of availability: e.g. Denial-of-Service attacks (services are temporarily unavailable),
  • loss of data integrity during transport: modification of data in transit (with checksums recomputed to match),
  • loss of data confidentiality during transport: e.g. sniffing,
  • loss of data integrity on a computer: modification of stored data,
  • loss of data secrecy on a computer: an attacker can read the data on your computer,
  • loss of source integrity: the origin of data is faked, e.g. e-mail spoofing.

Signatures

In the case of misuse detection, so-called network intrusion detection signatures are what matters. A signature is a pattern that a NIDS looks for in the network traffic; if the signature for an attack is matched, an alert is generated. Many signatures are protocol-specific and therefore quite complicated, because it may be a precondition to reassemble the data stream (and to normalise it, for example by decoding URL encoding) before testing for the occurrence of the signature.

Using signatures is always a trade-off between false negatives and false positives. The more specific a signature is, the more reliably it matches the particular attack it was written for; on the other hand it may fail to identify the attack if it is changed only slightly (false negatives). A more general signature may detect even new or slightly changed attacks, but it may also classify normal activity as an attack (false positives).
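The trade-off above, as an added example (not code from the original page, and not Snort rule syntax): two constructed signatures for one hypothetical directory-traversal attack against /cgi-bin, run over constructed sample requests. The specific signature is keyed to the exact request, the general one only to the suspicious "../" substring, and normalize() stands in for the reassembly and decoding step the text calls a precondition. The attack, the requests and the rule patterns are all invented for the example.

```python
"""Signature matching and the false-positive / false-negative trade-off.

Added example: two constructed signatures for one hypothetical attack,
evaluated over constructed labelled requests, with and without a
normalisation step (URL decoding, dropping "/./" segments).
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern

    def matches(self, payload: str) -> bool:
        return self.pattern.search(payload) is not None


# Constructed signatures (hypothetical attack; not taken from any rule set).
SPECIFIC = Signature(
    "traversal-specific",
    re.compile(r"^GET /cgi-bin/\.\./\.\./etc/passwd HTTP/1\.[01]"),
)
GENERAL = Signature("traversal-general", re.compile(r"\.\./"))

# Constructed sample traffic: (payload, is_attack).  Not real captures.
SAMPLES: List[Tuple[str, bool]] = [
    ("GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n", True),        # the exact attack
    ("GET /cgi-bin/..%2F..%2Fetc/passwd HTTP/1.0\r\n", True),    # URL-encoded variant
    ("GET /cgi-bin/./../../etc/passwd HTTP/1.1\r\n", True),      # slightly changed
    ("GET /cgi-bin/../../../etc/passwd HTTP/1.0\r\n", True),     # one more "../"
    ("GET /docs/index.html HTTP/1.1\r\n", False),                # benign
    ("POST /upload HTTP/1.1\r\n\r\nnote=see ../README for details", False),  # benign body with "../"
]


def normalize(payload: str) -> str:
    """Canonicalise before matching: URL-decode and drop '/./' segments."""
    return unquote(payload).replace("/./", "/")


def evaluate(sig: Signature, samples: List[Tuple[str, bool]],
             normalizer: Optional[Callable[[str], str]] = None) -> Dict[str, int]:
    """Count true/false positives and negatives for one signature."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for payload, is_attack in samples:
        text = normalizer(payload) if normalizer else payload
        hit = sig.matches(text)
        if hit and is_attack:
            counts["tp"] += 1
        elif hit:
            counts["fp"] += 1
        elif is_attack:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    for sig in (SPECIFIC, GENERAL):
        print(f"{sig.name:20} raw: {evaluate(sig, SAMPLES)}")
        print(f"{sig.name:20} normalised: {evaluate(sig, SAMPLES, normalize)}")
```

On the raw payloads the specific signature catches only the exact attack (three false negatives, no false positive), while the general one catches three of the four variants but also fires on the harmless POST body. Normalisation closes the encoding gap for both, yet the specific rule still misses the extra "../" and the general rule still raises the false positive: decoding helps, but it does not remove the trade-off.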

The Need for Intrusion Detection

Without intrusion detection you are unaware of many of the attacks that occur. You will never know about an attack that does not damage your host (one that only extracts information). And once you have detected an attack, you will lack the information you need to stop it from happening again. For these reasons intrusion detection is likely to be beneficial for you.

You can place an IDS in front of and behind a firewall. In front of the firewall, the IDS is useful to evaluate the quality and quantity of attacks against your site (the firewall filters out many attack attempts, so behind it you would not see them). Only with this information can you have an idea of what is going on, and so secure your network.

An IDS behind a firewall helps to detect attacks from inside. It can also detect server software that was installed without authorisation, and verify that your firewall policy is correctly enforced. Ideally an IDS covers all network segments, but at least those containing the most important resources.

To answer the question whether an IDS is necessary for your site, you have to weigh the following points:

  • Has the situation or environment changed in a way that lets me say: "I need an IDS"? How can the potential dangers be evaluated? Who is threatening us, and from where? What could be the aim of a potential attack?
  • The cost of installing and maintaining an IDS, versus the cost if an intruder gains access to internal resources such as data. Connected to this are the violation of secrecy, availability, and integrity, and further legal consequences.
  • The uses of an IDS: monitoring network traffic to avoid and/or detect incidents, re-evaluating the efficiency and consistency of firewall policies, and continuously watching traffic to servers on which a security update is not possible.

Flexible Responses

Flexible response is a common feature of network IDS. It is a technique to react to a positive (a possible attack) automatically, in a predefined way. The reaction must follow the attack closely in time (nearly in real time) and should somehow abort the attack, or even start a counter-attack.

Why are automatic responses to a possible intrusion problematic? First, you have to be sure that

  • the computer used for the attack is not merely a jump point (a compromised intermediate host),
  • the computer used for the attack has not spoofed its IP address, and
  • a response-attack is justified at all (taking the law into your own hands).

In case of a possible attack your intrusion detection system (IDS) can react via an intrusion response system (IRS). The IRS can try to protect your network and services from the attacker by:

  • closing the relevant TCP connections (for example by sending crafted RST packets) or blocking the relevant UDP/TCP ports,
  • terminating programs and services,
  • denying IP datagrams from the attacking IP address at the firewall,
  • and, if the attack comes from an internal source, by closing the user account.

Some possible problems are:

  • If an attacker spoofs his IP address, updating the firewall's deny/drop rules will lock out an innocent user.
  • If an attacker connects via a proxy server, you will drop the packets of everybody else using that proxy.
  • If your IDS is not configured properly, an automatic firewall-rule update can lock you out yourself.
  • If your system terminates programs and services, an attacker can easily abuse this for denial-of-service attacks: triggering the signature is enough to have the service killed.
  • Because an IDS will never identify attacks in real time, and will never be able to react in real time, attackers may crash services or install backdoors before the IDS can do anything about it.
  • All of this becomes even worse in the case of false positives.
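A response policy that guards against the failure modes listed above, as an added example (a hypothetical policy, not the reaction logic of any real IDS or IRS). decide() turns an alert into "block" or "alert-only": it refuses to block addresses whose loss would lock the operators out, addresses shared by many users (a proxy), sources that could trivially be spoofed (UDP/ICMP, or TCP without a completed handshake), and low-confidence signatures. The alert fields, the address lists, the threshold and the expiry time are all constructed for the example; the iptables command is only rendered, never executed.

```python
"""Automatic response with guards against self-lockout, spoofing and proxies.

Added example.  Policy values (NEVER_BLOCK, SHARED_ADDRESSES,
BLOCK_THRESHOLD, BLOCK_SECONDS) and the Alert fields are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    src_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    established: bool   # True only if the sensor saw a completed TCP 3-way handshake
    confidence: int     # 0..100, from the signature that fired


# Constructed policy: addresses an automatic response must never block.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",       # ourselves
    "192.0.2.1/32",      # the sensor's own management address (hypothetical)
    "192.0.2.254/32",    # the upstream router (hypothetical)
    "198.51.100.0/24",   # the administrators' network (hypothetical)
)]
# Constructed list of addresses shared by many users (a proxy, a NAT gateway).
SHARED_ADDRESSES = [ipaddress.ip_network(n) for n in (
    "203.0.113.10/32",   # a partner's web proxy (hypothetical)
)]
BLOCK_THRESHOLD = 80     # minimum signature confidence before any automatic block
BLOCK_SECONDS = 600      # every block expires, so a mistake heals itself


def _in(ip: ipaddress._BaseAddress, networks) -> bool:
    return any(ip in net for net in networks)


def decide(alert: Alert) -> str:
    """Return "block" or "alert-only" for one alert."""
    ip = ipaddress.ip_address(alert.src_ip)
    if _in(ip, NEVER_BLOCK):
        return "alert-only"   # a rule here would lock us out of our own network
    if _in(ip, SHARED_ADDRESSES):
        return "alert-only"   # would cut off every user behind that proxy
    if alert.proto != "tcp" or not alert.established:
        return "alert-only"   # source address is trivially spoofable
    if alert.confidence < BLOCK_THRESHOLD:
        return "alert-only"   # not worth the false-positive risk
    return "block"


def firewall_rule(alert: Alert) -> Optional[str]:
    """Render the temporary iptables rule the IRS would add (returned, not run)."""
    if decide(alert) != "block":
        return None
    # An expiry job (not shown) must delete this rule after BLOCK_SECONDS.
    return f"iptables -I INPUT -s {alert.src_ip} -p tcp -j DROP  # expires in {BLOCK_SECONDS}s"


if __name__ == "__main__":
    # Constructed alerts, one per guard.
    for a in (
        Alert("203.0.113.77", "tcp", True, 95),    # established, confident: block
        Alert("203.0.113.77", "tcp", False, 95),   # bare SYN: could be spoofed
        Alert("203.0.113.77", "udp", False, 95),   # UDP: could be spoofed
        Alert("203.0.113.77", "tcp", True, 50),    # weak signature
        Alert("203.0.113.10", "tcp", True, 99),    # partner proxy
        Alert("192.0.2.254", "tcp", True, 99),     # our router
    ):
        print(a.src_ip, a.proto, a.established, a.confidence, "->", decide(a), firewall_rule(a))
```

The guards map one-to-one onto the problems in the list: the never-block list prevents the self-lockout, the shared-address list prevents dropping a whole proxy, the handshake check removes the easiest spoofing case (a spoofed address cannot complete a TCP handshake unless the attacker sits on the path), and the expiry bounds the damage of a false positive. None of them addresses the timing problem: by the time the rule is in place the first packets of the attack have already been delivered.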

Taken together, these points show that an IDS is a detection system, not a reaction system. The only way to close the gap between detection and reaction is to put the analysis inline, on the router itself: a packet is forwarded only after it has been inspected and found free of known attack signatures. (This is what is today called an intrusion prevention system. The price is added latency on every packet, and a device that, when it fails or misfires, cuts off the whole link rather than one connection.)

Links:

  • Michael Sobirey's Intrusion Detection Systems Page lists over 90 host- and network-based intrusion detection (and response) systems.
  • Snort is the most popular, widespread, and powerful open-source network-based intrusion detection system. Check it out.
  • AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection system, a free replacement for the well-known Tripwire.
  • The IDS Tools category on whitehats lists programs ranging from sniffers and NIDS to event-logging programs.
  • In the Linux Journal you will find the article Paranoid Penguin: Understanding IDS for Linux, which describes IDS for Linux and presents programs such as Tripwire, PortSentry, Snort and others.
  • SecurityFocus has its own IDS section with articles, news and other material on IDS issues.

