Security Lab 2: Intrusion Detection
Name:
Date:
Introduction
The lab aims to provide students with practical experience using tools for intrusion detection. In this lab, we explore two patterns of Internet traffic to distinguish regular network traffic from a popular form of irregular network traffic known as port scanning. The differences between these usage patterns are precisely the types of patterns intrusion detection systems employ to alert administrators of potential problems.
Vocabulary Review
Security Intrusion: A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
Intrusion Detection: A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real time warning of, attempts to access system resources in an unauthorized manner. Intrusion detection systems rely on one of two general approaches: anomaly detection and signature detection.
Base-Rate Fallacy: The base-rate fallacy is a common error in reasoning that discounts statistical evidence in the analysis of a specific case. For our purposes, if an IDS is not properly configured, it will produce too many false alarms because its rules cannot discriminate between bona fide users and attackers.
Knoppix Security Tools Distribution: Primer
Knoppix Security Tools Distribution (STD Knoppix) is a collection of security tools bundled in a Knoppix live CD format. For a detailed account of STD Knoppix, please refer to the website: http://www.knoppix-std.org/
Live CDs provide a fully functional operating system from a bootable CD-ROM. Simply insert the CD into the CD tray and restart your system. If your system is configured to boot from CD, you will see the STD Knoppix icon and the boot: prompt.
At the boot: prompt, simply hit Enter. The system will begin its boot process. If the system asks you to select a screen resolution, select option 0 from the list. After the boot process has completed, you will see a red and black desktop environment. For the entire menu of options, simply right-click on the desktop. The menu has many options. We will briefly outline the applications used in this lab; other labs will explore other tools and options as needed.
CAUTION: These disks are extremely powerful. If used improperly, it is possible to do serious damage to systems and networks. Please use discretion when using these tools. If you are unsure of what to do, please ask. Purposeful misuse will be treated with utmost severity!!!
Apache is the most popular Web server software in the world. STD Knoppix includes a pre-configured Apache Web server. We will use this as a starting point for monitoring network traffic.
Mozilla Firebird is a simple Web browser similar to Firefox. We will use it to generate network traffic over TCP port 80, the well-known port for HTTP.
Ethereal is a packet sniffer that captures and analyzes network packets. We will use Ethereal to record and examine network traffic patterns.
Nmap is a tool commonly used for port scanning. Port scanning is a technique whereby users probe hosts for listening services. In many cases, port scanning activity signals intruder behavior, i.e., a hacker searching for specific services with vulnerabilities to exploit. As we will see, port
Exercise 1: Examining Network Traffic Generated by Web Browser
In this exercise, we will examine the characteristics of an extremely common form of network traffic: Web browser to Web server traffic.
Step 1) Starting your Web Server
a. Right-click on the Desktop
b. Select servers → Apache Web Server → Start
Step 2) Starting a Root Terminal Session for Administration
a. Right-click on the Desktop
b. Select Xshells → Root aTerm
c. In the aTerm window, type: netstat -an
d. Examine the display and look for TCP port 80
e. If you see port 80 in the output, then your Web server has started properly
Step 3) Starting Firebird
a. Right-click on the Desktop
b. Select Internet --> Mozilla Firebird
c. Visit the following URL: http://127.0.0.1
d. If you see a Welcome page, you are ready to continue
Step 4) Starting Ethereal
a. Right-click on the Desktop
b. Select Sniffers --> Ethereal
c. Select Capture --> Start
d. Select interface lo
e. Click OK
Step 5) Refreshing Web Browser Connection to Generate Traffic
Step 6) Examine Network Traffic in Ethereal
a. Click stop in the Ethereal collection window
b. Examine the series of TCP and HTTP packets captured
Step 7) Traffic Analysis
What is the nature of this type of network traffic?
How many packets were captured?
How many and which TCP ports were referenced?
Does the pattern conform to what you know about the proper function of TCP/IP?
Exercise 2: Examining Network Traffic Generated by Nmap
Step 1) Practicing with nmap
a. nmap is an extremely powerful command. For help, type: man nmap
b. For this lab, we will use the following command for port scanning: nmap -sS -P0 127.0.0.1
c. nmap commands should be executed in the aTerm window
These options tell nmap to scan by sending SYN requests to ports on the host 127.0.0.1. Practice executing this command and read exactly how the port scan works in the nmap man page.
Step 2) Capture Traffic with Ethereal
Step 3) Firing off a port scan with nmap
a. Execute the following command in the aTerm window: nmap -sS -P0 127.0.0.1
What does the nmap command return to the console?
What does nmap tell us about the host we scanned?
Step 4) Examine Network Traffic in Ethereal
a. Click stop in the Ethereal collection window
b. Examine the series of TCP and HTTP packets captured
Step 5) Traffic Analysis
What is the nature of this type of network traffic?
How many packets were captured?
How many and which TCP ports were referenced?
Does the pattern conform to what you know about the proper function of TCP/IP?
Discussion
servers. For example, Web browsers make requests to Web servers by sending requests to TCP port 80. The application layer service (HTTP) knows how to process the application-level requests such as GET and POST commands. Exercise 1 demonstrated a reasonably normal connection pattern for an HTTP request over TCP. TCP packets were exchanged in a well-known pattern as specified in the RFC. In essence, the client / server handshake in Exercise 1 worked as it was designed.
Exercise 2, on the other hand, demonstrated an entirely irregular connection pattern for TCP/IP. The client simply sent SYN requests to a variety of ports to check for responses. Rather than waiting for the response and continuing the specified pattern of the protocol, the client simply sends another SYN request to the next port under test. In essence, nmap sends test signals without ever completing the packet exchange specified in the protocol. No Web client works in this manner. Therefore, traffic that conforms to this pattern is the type of traffic that will raise an alert in an intrusion detection system.
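As an added illustration (not part of the lab handout), the following Python tracks each three-way handshake in a capture and flags a client that leaves handshakes incomplete to many ports, i.e. the Exercise 2 pattern but not the Exercise 1 pattern. The packet tuples are constructed in the spirit of Ethereal's capture list, and the port numbers and alert threshold are assumptions:

```python
from collections import defaultdict

# Constructed packet summaries (not real capture data): (src_ip, src_port, dst_ip, dst_port, tcp_flags)
BROWSER_CAPTURE = [
    ("127.0.0.1", 40001, "127.0.0.1", 80, "SYN"),
    ("127.0.0.1", 80, "127.0.0.1", 40001, "SYN,ACK"),
    ("127.0.0.1", 40001, "127.0.0.1", 80, "ACK"),      # handshake complete
    ("127.0.0.1", 40001, "127.0.0.1", 80, "PSH,ACK"),  # HTTP GET /
    ("127.0.0.1", 80, "127.0.0.1", 40001, "PSH,ACK"),  # HTTP 200 OK
]

def syn_scan_capture(ports, open_ports):
    """Constructed Exercise 2 traffic: one SYN per port, SYN/ACK or RST/ACK back, never a third-step ACK."""
    pkts = []
    for i, port in enumerate(ports):
        sport = 50000 + i
        pkts.append(("127.0.0.1", sport, "127.0.0.1", port, "SYN"))
        if port in open_ports:
            pkts.append(("127.0.0.1", port, "127.0.0.1", sport, "SYN,ACK"))
            pkts.append(("127.0.0.1", sport, "127.0.0.1", port, "RST"))
        else:
            pkts.append(("127.0.0.1", port, "127.0.0.1", sport, "RST,ACK"))
    return pkts

def half_open_ports_by_client(packets):
    """Follow each handshake; return {client_ip: set of server ports} the client opened but never completed."""
    state = {}  # (client_ip, client_port, server_ip, server_port) -> stage
    for src, sport, dst, dport, flags in packets:
        f = set(flags.split(","))
        if "SYN" in f and "ACK" not in f:
            state[(src, sport, dst, dport)] = "syn"        # step 1, from client
        elif {"SYN", "ACK"} <= f:
            key = (dst, dport, src, sport)                 # step 2, from server
            if state.get(key) == "syn":
                state[key] = "synack"
        elif "ACK" in f and "RST" not in f:
            key = (src, sport, dst, dport)                 # step 3, from client
            if state.get(key) == "synack":
                state[key] = "established"
    half_open = defaultdict(set)
    for (cip, _cport, _sip, sport), stage in state.items():
        if stage != "established":
            half_open[cip].add(sport)
    return half_open

def syn_scan_alerts(packets, threshold=5):
    """Alert rule: a client with incomplete handshakes to >= threshold distinct ports -> (client_ip, count)."""
    return sorted((ip, len(ports)) for ip, ports in
                  half_open_ports_by_client(packets).items() if len(ports) >= threshold)
```

On the browser capture the rule stays silent, while a constructed eight-port SYN scan yields one alert; the threshold is what an administrator tunes against the normal usage of their own network.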
Intrusion detection systems, therefore, require a great deal of configuration because each network has different usage characteristics that must be taken into account. In this lab, we recreated a fairly simple example. The problem on a complicated network with sophisticated users is much more difficult to manage. Skilled hackers learn to disguise port scanner activity with distributed scans and randomized port access. Moreover, scanning activity is much more difficult to detect with many users working at the same time. Administrators of IDSs must collect data and define alert rules that accurately reflect the usage patterns found on their networks and hosts. If these rules are not well-defined, the IDS implementation will fail because the system will produce too many false positives.
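The base-rate point made in the vocabulary review and again here can be worked through numerically. This is an added example, not part of the lab handout; the traffic volume, intrusion base rate, detection rate and false-alarm rate are constructed values:

```python
def alert_precision(base_rate, detection_rate, false_alarm_rate):
    """P(intrusion | alert) by Bayes' rule: the share of alerts that are real intrusions."""
    true_alerts = base_rate * detection_rate
    false_alerts = (1.0 - base_rate) * false_alarm_rate
    return true_alerts / (true_alerts + false_alerts)

def daily_alert_load(connections_per_day, base_rate, detection_rate, false_alarm_rate):
    """Expected (true alerts, false alerts) per day, rounded to whole connections."""
    intrusions = connections_per_day * base_rate
    true_alerts = intrusions * detection_rate
    false_alerts = (connections_per_day - intrusions) * false_alarm_rate
    return round(true_alerts), round(false_alerts)

if __name__ == "__main__":
    # Constructed scenario: a million connections a day, 1 in 10,000 is an intrusion,
    # and the rules catch 99% of intrusions. Only the false-alarm rate differs.
    for fpr in (0.01, 0.0001):
        true_n, false_n = daily_alert_load(1_000_000, 1e-4, 0.99, fpr)
        print(f"false-alarm rate {fpr}: {true_n} true alerts, {false_n} false alerts, "
              f"precision {alert_precision(1e-4, 0.99, fpr):.3f}")
```

Even a 1% false-alarm rate buries 99 real alerts under roughly ten thousand false ones, which is why rules must be tuned to the network's own usage patterns before the alerts mean anything.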