Intrusion Detection System
POLITEKNIK ELEKTRONIKA NEGERI SURABAYA
Objective
 Understand what intrusion detection is
 Understand what Snort is
 Install Snort
What Is an IDS
 Intrusion
 Defined as activity that is anomalous, incorrect or inappropriate, occurring on the network or on a host
 Classes of intrusion:
 Attempted break-ins
 Masquerade attacks
 Penetration of security control systems
 Leakage
 Denial of service
 Malicious use
 An anomaly is traffic or activity that violates policy:
 access from or to a forbidden host
 forbidden content (a virus)
 running a forbidden program (web directory traversal, e.g. GET ../..;cmd.exe )
Intrusion Detection
 Intrusion detection is the process of finding, examining and reporting unauthorised or harmful activity on a network or computer
Why an Intrusion Detection System Is Needed
 The firewall is the primary security system, but not all access passes through the firewall
 Some applications are deliberately allowed through by the firewall (web, e-mail, etc.)
 Not all threats come from outside the firewall; some come from inside the network itself
 The firewall itself is sometimes the target of an attack
 A complementary application is needed that can detect the threats the firewall cannot protect against
[Figure: a corporate network on the Internet with a mobile worker, a web site, a supplier, a branch office and a mail server; attackers are shown both at the Internet edge and inside the corporate intranet (Manufacturing, Engineering, HR/Finance)]
Basic Intrusion Detection
[Figure: the Intrusion Detection System sits alongside the Target System; the IDS infrastructure cycle is Monitor, Respond, Report]
Intrusion Detection
There are two approaches:
 Preemptory
 The intrusion detection tool actually listens to network traffic. When suspicious activity is recorded, the system takes the appropriate action
 Reactionary
 The intrusion detection tool watches logs. When suspicious activity is recorded, the system takes the appropriate action
IDS Technology by Placement
 Network-based
 monitors anomalies on the network, e.g. spotting network scanning
 Provides real-time monitoring of network activity:
 captures packets and examines headers and payload,
 compares them with the threat patterns in its database, and
 responds if the traffic is judged to be an intrusion.
 Packet monitors can be placed outside the firewall (to detect Internet-based attacks) and inside the network (to detect internal attacks).
 Responses include notifying a console, sending an e-mail message, or terminating the session.
 Tools: Snort
 Host-based
 monitors anomalies on the host, e.g. watching log files, processes, file ownership and mode
 Tools:
 Log scanners
 Swatch
 Logcheck
 mod_security (an Apache module that inspects HTTP requests; closer to a web application firewall than a log scanner)
 File system integrity checkers
 Tripwire
Attack Detection Methods
 Rule-based / misuse detection / signature analysis
 Also called misuse detection or signature detection
 Misuse detection detects intrusions by monitoring network traffic and matching it against known attack patterns (signatures).
 Modelling the patterns of every kind of intrusion is very hard and time consuming, and this approach cannot detect new intrusions it has not seen before
 Snort and Bro belong to this category
 Anomaly detection
 The system first defines the normal pattern or behaviour of the network. Every deviation from the normal pattern is reported as an attack
 Can detect new attacks by looking for deviations from the normal pattern
Rules
 A rule tells the IDS which packets to examine and what action to take
 Similar to a firewall rule
 alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
 alert specifies the action to take
 tcp specifies the protocol
 any any specifies the source address and source port; 192.168.1.0/24 specifies the destination subnet
 111 specifies the destination port (the RPC portmapper)
 content specifies bytes that must appear in the payload; the four bytes 00 01 86 a5 are 100005 in decimal, the RPC program number of mountd
 msg specifies the message to log
Thresholds
 A threshold is a value that marks the boundary of normal activity
 Example: a maximum of three login attempts
 Common thresholds:
 file I/O activity
 network activity
 administrator logins and actions
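Threshold detection run over a small constructed log, as an added example that is not part of the original slides: a sliding window counts failed logins per source address and raises an alert once the "maximum three tries" limit is exceeded; a successful login resets the count. The sshd-style log lines, hostnames and addresses are made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines for the demonstration (not real data).
SAMPLE_LOG = """\
Apr 4 19:00:21 srv sshd[101]: Failed password for root from 10.0.0.5 port 51122 ssh2
Apr 4 19:00:25 srv sshd[101]: Failed password for root from 10.0.0.5 port 51123 ssh2
Apr 4 19:00:29 srv sshd[101]: Failed password for admin from 10.0.0.5 port 51124 ssh2
Apr 4 19:00:33 srv sshd[101]: Failed password for root from 10.0.0.5 port 51125 ssh2
Apr 4 19:00:40 srv sshd[102]: Failed password for alice from 10.0.0.9 port 40001 ssh2
Apr 4 19:05:12 srv sshd[103]: Accepted password for alice from 10.0.0.9 port 40002 ssh2
Apr 4 20:20:01 srv sshd[104]: Failed password for bob from 10.0.0.9 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)

def parse_ts(text, year=2024):
    # syslog timestamps carry no year; assume one so they can be compared
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def detect_brute_force(log_text, max_failures=3, window_seconds=300):
    """Alert on every source that exceeds max_failures failed logins inside a
    sliding window of window_seconds. A successful login from a source clears
    its counter; each source is reported at most once."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)       # src -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # not an auth event we care about
        ts, src = parse_ts(m["ts"]), m["src"]
        if m["result"] == "Accepted":
            failures[src].clear()
            continue
        recent = failures[src]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()            # drop failures that fell out of the window
        if len(recent) > max_failures and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "failures": len(recent),
                           "at": ts.strftime("%H:%M:%S")})
    return alerts

if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOG):
        print(f"{a['at']} threshold exceeded: {a['failures']} failed logins from {a['src']}")
```

With the sample log only 10.0.0.5 trips the threshold (four failures in twelve seconds); 10.0.0.9 fails once, then logs in successfully, and its later single failure starts a fresh count. Shrinking the window to a few seconds makes the same four failures fall out of the window one by one and no alert fires, which is the tuning trade-off every threshold rule carries.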
Intrusion Detection
 An IDS is sensitive to configuration
 Possible types of IDS error:
 False positive (legitimate activity reported as an intrusion)
 False negative (a real intrusion that goes unreported)
 Subversion error (the IDS itself is compromised so that it no longer detects the intrusion)
Anomaly Detection Methods
 Header analysis
 tries to analyse an attack from the values of the fields in the data-link, network and transport layer headers; packet header analysis does not look at the application layer or the packet contents. Usually used to analyse attacks in traffic that never completes a full connection to the network.
 Payload analysis (packet contents)
 obtained by extracting a set of attributes from every event, both TCP and UDP connections, including the packet contents. Used to analyse the behaviour of attacks that have already entered the system, e.g. U2R (user-to-root) and R2L (remote-to-local)
Anomaly Detection
Anomaly detection method
 First, network traffic is captured with tcpdump,
 after a preprocessing stage the data is split into two parts, training data and test data.
 Using a chosen method (an SVM in the figure), the training data is classified into two classes, intrusion and non-intrusion.
 The trained model is then used to classify the test data
[Figure: anomaly detection pipeline. Attacker -> raw audit data -> packet capture -> preprocessing (connection session/record) -> SVM classification -> Class 1 / Class -1]
Example preprocessed connection records (KDD-style, label last):
0,tcp,http,SF,215,45076,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,0,0,0.00,0.00,0.00,0.00,0.00,0.00,0.00,0.00,normal.
0,tcp,http,SF,162,4528,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,2,2,0.00,0.00,0.00,0.00,1.00,0.00,0.00,1,1,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,normal.
Example raw tcpdump lines before preprocessing:
10:35:41.5 128.59.23.34.30 > 113.22.14.65.80 : . 512:1024(512) ack 1 win 9216
10:35:41.5 102.20.57.15.20 > 128.59.12.49.3241: . ack 1073 win 16384
How Anomaly Detection Works
 Only normal packets are analysed; any deviation from normal is treated as an anomaly or attack
 Most anomaly IDSs work by watching for unusual ports and IP addresses,
 i.e. values that do not occur in the normal data used for training.
 Attacks usually exploit software bugs to get into the system
 Typical attack techniques: bad checksums, unusual TCP flags or IP options, invalid sequence numbers, spoofed addresses, duplicate TCP packets with differing payloads, packets with short TTLs
 Some attack behaviours
 Smurf sends ICMP echo requests in excessive volume
 UDPstorm sends excessive requests from spoofed IP addresses
 Both are characterised by checksum errors
 The targeted program usually starts behaving abnormally, producing an abnormal sequence of system calls and abnormal output
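A small end-to-end anomaly detector, added here as an example and not taken from the slides: it covers the train/test pipeline of the previous slide, the "deviation from the normal profile" principle above, and the false positive / false negative errors from the IDS error slide. The SVM of the figure is replaced by a simple learned profile (the set of (protocol, service, flag) triples seen in normal traffic plus a per-service ceiling on bytes sent), which is enough to show the mechanics. The records are constructed in a cut-down KDD-style layout; the attack labels follow KDD naming, but the rows are invented.

```python
from collections import defaultdict

# Constructed connection records in a cut-down KDD-style layout
# (duration, protocol, service, flag, src_bytes, dst_bytes, label).
# Attack labels follow the KDD naming (neptune, smurf, back, warezclient)
# but the rows themselves are made up for this example.
TRAIN_NORMAL = """\
0,tcp,http,SF,215,45076,normal
0,tcp,http,SF,162,4528,normal
0,tcp,http,SF,236,1228,normal
0,tcp,smtp,SF,1300,330,normal
0,udp,domain_u,SF,46,93,normal
2,tcp,ftp_data,SF,12983,0,normal
"""

TEST_MIXED = """\
0,tcp,http,SF,199,420,normal
0,tcp,http,S0,0,0,neptune
0,icmp,ecr_i,SF,1032,0,smurf
0,tcp,http,SF,54540,8314,back
0,udp,domain_u,SF,44,100,normal
0,tcp,telnet,SF,1200,300,normal
0,tcp,smtp,SF,900,280,normal
5,tcp,ftp_data,SF,500,0,warezclient
"""

def parse_records(text):
    rows = []
    for line in text.splitlines():
        dur, proto, svc, flag, sb, db, label = line.split(",")
        rows.append({"proto": proto, "service": svc, "flag": flag,
                     "src_bytes": int(sb), "dst_bytes": int(db), "label": label})
    return rows

def build_profile(normal_rows, slack=2.0):
    """Learn 'normal' from normal traffic only: the (proto, service, flag)
    triples that occur, and a per-service ceiling on src_bytes
    (largest observed value times slack)."""
    seen = set()
    peak = defaultdict(int)
    for r in normal_rows:
        seen.add((r["proto"], r["service"], r["flag"]))
        peak[r["service"]] = max(peak[r["service"]], r["src_bytes"])
    return {"seen": seen, "ceiling": {s: int(v * slack) for s, v in peak.items()}}

def is_anomalous(profile, r):
    """Any deviation from the profile is reported as an anomaly (candidate attack)."""
    key = (r["proto"], r["service"], r["flag"])
    if key not in profile["seen"]:
        return True, "unseen (proto, service, flag) %s" % (key,)
    limit = profile["ceiling"][r["service"]]
    if r["src_bytes"] > limit:
        return True, "src_bytes %d above ceiling %d" % (r["src_bytes"], limit)
    return False, "within profile"

def evaluate(profile, rows):
    """Confusion matrix with 'attack' as the positive class:
    FP = normal traffic flagged, FN = attack missed."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for r in rows:
        flagged, _ = is_anomalous(profile, r)
        attack = r["label"] != "normal"
        if flagged and attack:
            counts["TP"] += 1
        elif flagged:
            counts["FP"] += 1
        elif attack:
            counts["FN"] += 1
        else:
            counts["TN"] += 1
    return counts

if __name__ == "__main__":
    profile = build_profile(parse_records(TRAIN_NORMAL))
    for r in parse_records(TEST_MIXED):
        flagged, why = is_anomalous(profile, r)
        print(f"{r['label']:12s} {'ANOMALY' if flagged else 'ok     '} {why}")
    print(evaluate(profile, parse_records(TEST_MIXED)))
```

The test set is built to produce both error types: the legitimate telnet session is flagged only because no telnet appeared in training (a false positive), while the warezclient transfer rides on a service and byte count the profile considers normal (a false negative). Whatever classifier replaces the profile, these two columns of the confusion matrix are what the tuning work is about.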
The Honeynet Project
 http://www.honeynet.org/
 Non-profit volunteer research organization
dedicated to improving the security of the
Internet at no cost to the public
 Its mission is to learn the tools, tactics and
motives involved in computer and network
attacks, and share the lessons learned
What are Honeypots
 Honeypots are real or emulated vulnerable
systems ready to be attacked.
 Primary value of honeypots is to collect
information.
 This information is used to better identify,
understand and protect against threats.
 Honeypots add little direct value to protecting
your network.
Why Honeypots
 The goal is to research and analyse various attacks
 Build anti-virus signatures.
 Build spam signatures and filters.
 ISPs identify compromised systems.
 Assist law enforcement in tracking criminals.
 Hunt and shut down botnets.
 Malware collection and analysis.
[Figure: Honeynet Project architecture]
[Figure: the course's honeypot VM architecture]
Honeynet Project Examples
 Sebek
 Honeywall CDROM
 the Ghost USB honeypot
Sebek
 Hidden kernel module that captures all host activity
 Dumps the captured activity to the network.
 The attacker cannot sniff the Sebek traffic: the module hides its own packets, recognised by a magic number and destination port, from the honeypot's network stack.
Ghost
 Ghost is a honeypot for malware that spreads via USB storage devices.
 It emulates a USB storage device and detects infections by such malware from the writes made to that device, without needing any further information
[Figure: Sebek architecture]
Honeywall CDROM
 An attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
 The Honeywall provides Data Control and Data Capture
 May 2003 - released Eeyore
 May 2005 - released Roo
 Based on Fedora Core 3
 Vastly improved hardware and international support.
 Automated, headless installation
 New Walleye interface for web-based administration and data analysis.
 Automated system updating
[Figure: honeynet architecture]
Snort
 Snort is a network IDS with 3 modes: sniffer, packet logger, and network intrusion detection.
 Snort can also run in the background as a daemon.
Snort
 Fast, flexible and open source
 Developed by Marty Roesch; see www.sourcefire.com
 Originally written in late 1998 as a sniffer with consistent output
Snort Output
The three packets below are a TCP three-way handshake (SYN, SYN-ACK, ACK) from the client to a POP3 server on port 110. The flag field is printed in the fixed order 12UAPRSF, with * for a clear bit.
04/18-11:32:20.573898 192.168.120.114:1707 -> 202.159.32.71:110
TCP TTL:64 TOS:0x0 ID:411 IpLen:20 DgmLen:60 DF
******S* Seq: 0x4E70BB7C Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 6798055 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
04/18-11:32:20.581556 202.159.32.71:110 -> 192.168.120.114:1707
TCP TTL:58 TOS:0x0 ID:24510 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x423A85B3 Ack: 0x4E70BB7D Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 163052552 6798055 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
04/18-11:32:20.581928 192.168.120.114:1707 -> 202.159.32.71:110
TCP TTL:64 TOS:0x0 ID:412 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x4E70BB7D Ack: 0x423A85B4 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 6798056 163052552
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Summary printed when Snort exits:
Snort analyzed 255 out of 255 packets, dropping 0(0.000%) packets
Breakdown by protocol:
  TCP: 211 (82.745%)
  UDP: 27 (10.588%)
  ICMP: 0 (0.000%)
  ARP: 2 (0.784%)
  IPv6: 0 (0.000%)
  IPX: 0 (0.000%)
  OTHER: 15 (5.882%)
  DISCARD: 0 (0.000%)
Action Stats:
  ALERTS: 0
  LOGGED: 0
  PASSED: 0
=======================================================================
Fragmentation Stats:
  Fragmented IP Packets: 0 (0.000%)
  Fragment Trackers: 0
  Rebuilt IP Packets: 0
  Frag elements used: 0
  Discarded(incomplete): 0
  Discarded(timeout): 0
  Frag2 memory faults: 0
=======================================================================
TCP Stream Reassembly Stats:
  TCP Packets Used: 0 (0.000%)
  Stream Trackers: 0
  Stream flushes: 0
  Segments used: 0
  Stream4 Memory Faults: 0
=======================================================================
Snort received signal 2, exiting
Where to Put Snort?
 Inside the firewall
 Outside the firewall
Example Snort Installation
Solution Positioning
[Figure: Internet -> user/attacker -> firewall -> web servers -> application servers -> database, with an application IDS placed alongside the server tiers]
Snort Actions
 alert: write an entry to the alert file and log the packet
 log: only log the packet
 pass: let the packet through, no action
 activate: alert, then switch on another (dynamic) rule
 dynamic: stay idle until switched on by an activate rule, then log packets
Installing Snort
 On Debian Linux, as root:
 apt-get install snort
 Files and directories installed:
 /etc/snort holds the configuration file and the rules
 /var/log/snort holds the logs
 /usr/sbin/snort is the binary installed by the Debian package (a build from source installs to /usr/local/bin/ by default)
Testing Snort
 As root, start Snort in verbose sniffer mode to confirm it sees traffic:
 # snort -v
 From another host run nmap:
 nmap -sP <snort_machine_IP_address>
 Note: -v alone only prints packet headers; no rules are loaded, so no alert is produced. To get the alert below, run Snort in NIDS mode with the rule set loaded, e.g. snort -A console -c /etc/snort/snort.conf
 The alert then looks like this:
03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.20 -> 192.168.1.237
Snort Rules
 A rule is a set of conditions that governs how Snort reacts to a given pattern of traffic
 Stored in /etc/snort/rules/: ftp.rules, ddos.rules, virus.rules, etc.
 alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags:SF; msg:"SYN-FIN scan";)
 Rule header: action, protocol, source and destination IP, source and destination port.
 Rule body (options): keywords and arguments that decide whether the alert fires
Rule Header
alert tcp 1.1.1.1 any -> 2.2.2.2 any
Rule Options
(flags: SF; msg: "SYN-FIN Scan";)
Further examples with the same header:
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: "Queso Scan";)
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: F; msg: "FIN Scan";)
Detection Engine: Rules
Steps for Writing a Rule:
 Identify the characteristics of the suspicious traffic
 Write a rule based on those characteristics
 Deploy the rule
 Test it against the suspicious traffic
 Adjust the rule according to the test results
 Test again and check the results
/var/log/snort (portscan log; the last column is the TCP flag string in the order 12UAPRSF)
Apr 4 19:00:21 202.159.32.71:110 -> 192.168.120.114:2724 NOACK 1*U*P*S*
Apr 4 20:47:43 168.143.117.4:80 -> 192.168.120.114:2916 NOACK 1*U*P*S*
Apr 5 06:04:04 216.136.171.200:80 -> 192.168.120.114:3500 VECNA 1*U*P***
Apr 5 17:28:20 198.6.49.225:80 -> 192.168.120.114:1239 NOACK 1*U*P*S*
Apr 6 09:35:56 202.153.120.155:80 -> 192.168.120.114:3628 NOACK 1*U*P*S*
Apr 6 17:44:06 205.166.76.243:80 -> 192.168.120.114:1413 INVALIDACK *2*A*R*F
Apr 6 19:55:03 213.244.183.211:80 -> 192.168.120.114:43946 NOACK 1*U*P*S*
Apr 7 16:07:57 202.159.32.71:110 -> 192.168.120.114:1655 INVALIDACK *2*A*R*F
Apr 7 17:00:17 202.158.2.4:110 -> 192.168.120.114:1954 INVALIDACK *2*A*R*F
Apr 8 07:35:42 192.168.120.1:53 -> 192.168.120.114:1046 UDP
Apr 8 10:23:10 192.168.120.1:53 -> 192.168.120.114:1030 UDP
Apr 8 10:23:49 192.168.120.1:53 -> 192.168.120.114:1030 UDP
Apr 20 12:03:51 192.168.120.1:53 -> 192.168.120.114:1077 UDP
Apr 21 01:00:11 202.158.2.5:110 -> 192.168.120.114:1234 INVALIDACK *2*A*R*F
Apr 21 09:17:01 66.218.66.246:80 -> 192.168.120.114:42666 NOACK 1*U*P*S*
Apr 21 11:00:28 202.159.32.71:110 -> 192.168.120.114:1800 INVALIDACK *2*A*R*F
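A parser for the portscan log above, added as an example that is not part of the original slides. It decodes the 12UAPRSF flag string, implements the matching modes of the Snort flags: option (exact, +, *, !) and runs the SYN-FIN, Queso and FIN scan rules from the rule-header slide over the lines. The first four log lines are copied from the slide; the last four, with the flag combinations the rules look for, are constructed, and their tag column (SYNFIN, NMAPID, FIN, NULL) is only a label for this demonstration.

```python
import re
from collections import Counter

# Portscan log lines: the first four are as printed on the slide, the last
# four are constructed to show the flag combinations the scan rules look for.
# The TCP flag column uses Snort's fixed order 12UAPRSF with '*' for a clear bit.
PORTSCAN_LOG = """\
Apr 4 19:00:21 202.159.32.71:110 -> 192.168.120.114:2724 NOACK 1*U*P*S*
Apr 5 06:04:04 216.136.171.200:80 -> 192.168.120.114:3500 VECNA 1*U*P***
Apr 6 17:44:06 205.166.76.243:80 -> 192.168.120.114:1413 INVALIDACK *2*A*R*F
Apr 8 07:35:42 192.168.120.1:53 -> 192.168.120.114:1046 UDP
Apr 9 01:02:03 10.9.9.9:4444 -> 192.168.120.114:22 SYNFIN ******SF
Apr 9 01:02:04 10.9.9.9:4445 -> 192.168.120.114:23 NMAPID 12****S*
Apr 9 01:02:05 10.9.9.9:4446 -> 192.168.120.114:25 FIN *******F
Apr 9 01:02:06 10.9.9.9:4447 -> 192.168.120.114:80 NULL ********
"""

FLAG_ORDER = "12UAPRSF"   # reserved bit 1, reserved bit 2, URG, ACK, PSH, RST, SYN, FIN

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<tag>\S+)(?: (?P<flags>[12UAPRSF*]{8}))?$"
)

def decode_flags(text):
    """'***A**S*' -> {'A', 'S'}: each position holds its flag letter or '*'."""
    if len(text) != 8:
        raise ValueError("flag string must be 8 characters: %r" % text)
    flags = set()
    for pos, ch in zip(FLAG_ORDER, text):
        if ch == pos:
            flags.add(pos)
        elif ch != "*":
            raise ValueError("unexpected %r in flag string %r" % (ch, text))
    return flags

def flags_match(spec, flags):
    """Snort flags: semantics. 'SF' = exactly those bits; 'SF+' = those bits
    plus any others; 'SF*' = any of those bits; '!R' = none of those bits;
    '0' = no bits set at all (null scan)."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    mode = spec[-1] if spec[-1] in "+*" else ""
    want = set(spec.rstrip("+*")) - {"0"}
    if negate:
        return not (want & flags)
    if mode == "+":
        return want <= flags
    if mode == "*":
        return bool(want & flags)
    return want == flags

# the three rules shown on the rule-header slide, plus a null-scan check
SCAN_RULES = [("SYN-FIN scan", "SF"), ("Queso scan", "S12"),
              ("FIN scan", "F"), ("NULL scan", "0")]

def scan_report(log_text):
    report = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        flags = decode_flags(m["flags"]) if m["flags"] else set()   # UDP lines carry no flags
        match = None
        if m["flags"]:
            match = next((name for name, spec in SCAN_RULES if flags_match(spec, flags)), None)
        report.append({"src": m["src"], "dport": int(m["dport"]), "tag": m["tag"],
                       "flags": "".join(sorted(flags)), "match": match})
    return report

def scan_sources(report):
    """Count rule hits per source address, the view an analyst wants first."""
    return dict(Counter(r["src"] for r in report if r["match"]))

if __name__ == "__main__":
    rep = scan_report(PORTSCAN_LOG)
    for r in rep:
        print(f"{r['src']:>16} -> :{r['dport']:<5} {r['tag']:10} {r['flags']:8} {r['match'] or '-'}")
    print(scan_sources(rep))
```

Note that the slide's own NOACK and INVALIDACK lines (1*U*P*S* and *2*A*R*F) match none of the three rules: a rule written without a modifier requires exactly the listed bits, so flags:SF does not fire on a packet that also carries URG and PSH. Use SF+ when the intent is "SYN and FIN set, whatever else is there".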
Snort Rules
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR
subseven 22"; flags: A+; content:
"|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;
reference:url,www.hackfix.org/subseven/; sid:103;
classtype:misc-activity; rev:4;)
 alert action to take; also log, pass, activate, dynamic
 tcp protocol; also udp, icmp, ip
 $EXTERNAL_NET source address; this is a variable – specific IP is ok
 27374 source port; also any, negation (!21), range (1:1024)
 -> direction; best not to change this, although <> is allowed
 $HOME_NET destination address; this is also a variable here
 any destination port
Snort Rules
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR
subseven 22"; flags: A+; content:
"|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;
reference:url,www.hackfix.org/subseven/; sid:103;
classtype:misc-activity; rev:4;)
 msg:”BACKDOOR subseven 22”; message to appear in logs
 flags: A+; tcp flags; many options, like SA, SA+, !R, SF*
 content: “|0d0…0a|”; binary data to check in packet; content
without | (pipe) characters do simple content matches
 reference…; where to go to look for background on this rule
 sid:103; rule identifier, unique across the rule set
 classtype: misc-activity; rule type; many others
 rev:4; rule revision number
 other rule options possible, like offset, depth, nocase
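A parser that takes the rule syntax of the last few slides apart, added here as an example and not part of the original deck or of Snort itself. It splits a rule into the header fields (action, protocol, address, port, direction) and the option list, handles the forms the slides mention (any, $VARIABLE, !negation, lo:hi ranges, repeated reference: options) and decodes the |..| hex sections of content:, so the subseven payload above is shown to be the text "\r\n[RPL]002\r\n" and the mountd content is the RPC program number 100005. The three rules are the ones from the slides, with keywords lower-cased as Snort expects.

```python
import re

# The three rules from these slides (keywords lower-cased as Snort expects).
RULES = [
    'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)',
    'alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags:SF; msg:"SYN-FIN scan";)',
    'alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; '
    'flags:A+; content:"|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; '
    'reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)',
]

# header: action proto src sport direction dst dport, then the option list in parentheses
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)
# option: keyword, optional ':' value (quoted or bare), terminated by ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("[^"]*"|[^;]*))?;')

def parse_address(tok):
    """'any', a CIDR, or a $VARIABLE, optionally negated with '!'."""
    value = tok.lstrip("!")
    return {"value": value, "negated": tok.startswith("!"),
            "variable": value.startswith("$")}

def parse_port(tok):
    """'any', a single port, a range 'lo:hi' (either end may be open), or '!port'."""
    negated = tok.startswith("!")
    tok = tok.lstrip("!")
    if tok == "any":
        lo, hi = 0, 65535
    elif ":" in tok:
        a, b = tok.split(":", 1)
        lo, hi = (int(a) if a else 0), (int(b) if b else 65535)
    else:
        lo = hi = int(tok)
    return {"low": lo, "high": hi, "negated": negated}

def decode_content(value):
    """Snort content strings: literal text, with |..| sections holding hex bytes."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part)        # fromhex ignores the spaces in "|00 01 86 a5|"
        else:
            out += part.encode("latin-1")
    return bytes(out)

def parse_options(text):
    opts = []
    for key, raw in OPTION_RE.findall(text):
        val = raw.strip().strip('"')
        if key == "content":
            opts.append((key, decode_content(val)))
        elif key in ("sid", "rev"):
            opts.append((key, int(val)))
        else:
            opts.append((key, val))       # a list, so repeated keys such as reference: survive
    return opts

def parse_rule(rule):
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    return {
        "action": m["action"], "proto": m["proto"], "direction": m["dir"],
        "src": parse_address(m["src"]), "sport": parse_port(m["sport"]),
        "dst": parse_address(m["dst"]), "dport": parse_port(m["dport"]),
        "options": parse_options(m["opts"]),
    }

if __name__ == "__main__":
    for rule in RULES:
        r = parse_rule(rule)
        print(r["action"], r["proto"], r["src"], r["sport"], r["direction"], r["dst"], r["dport"])
        for k, v in r["options"]:
            print("   ", k, "=", v)
```

The parser covers the subset of the rule language these slides use; real rule files also carry options such as offset, depth and nocase, which parse_options keeps as plain key/value pairs without interpreting them.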
Snort Rules
 bad-traffic.rules exploit.rules scan.rules
 finger.rules ftp.rules telnet.rules
 smtp.rules rpc.rules rservices.rules
 dos.rules ddos.rules dns.rules
 tftp.rules web-cgi.rules web-coldfusion.rules
 web-frontpage.rules web-iis.rules web-misc.rules
 web-attacks.rules sql.rules x11.rules
 icmp.rules netbios.rules misc.rules
 backdoor.rules shellcode.rules policy.rules
 porn.rules info.rules icmp-info.rules
 virus.rules local.rules attack-responses.rules
Snort in Action
 3 operational modes:
 Sniffer: snort -dve prints the packet payload (-d), the data-link layer headers (-e) and verbose packet headers (-v)
 Packet logger: snort -b -l /var/log/snort logs packets in binary (tcpdump) format to the directory /var/log/snort
 NIDS: snort -b -l /var/log/snort -A full -c /etc/snort/snort.conf logs binary packet data to /var/log/snort, writes full alerts to /var/log/snort/alert, and reads the configuration file from /etc/snort
Other Software
 If Snort is not available, Ethereal is an open-source GUI packet viewer (a protocol analyser rather than an IDS; the project was renamed Wireshark in 2006 and now lives at www.wireshark.org)
 www.ethereal.com :
 Windows: www.ethereal.com/distribution/win32/ethereal-setup-0.9.2.exe
 UNIX: www.ethereal.com/download.html
 Red Hat Linux RPMs: ftp.ethereal.com/pub/ethereal/rpms/
Other Software
 tcpdump is also a packet capture tool
 www.tcpdump.org for UNIX
 netgroup-serv.polito.it/windump/install/ for Windows, where it is called windump

More Related Content

PPT
IMK - Strategi Banyak Window
PPTX
Rpl 5-perencanaan proyek perangkat lunak
PPTX
Arsitektur sistem terdistribusi
PDF
Testing dan implementasi
 
PPT
Struktur Data Tree
PDF
Modul Data Warehouse
PPTX
Presentasi Pembuatan Website E-Commerce
PDF
Perancangan Data Warehouse (Logical dan Physical)
IMK - Strategi Banyak Window
Rpl 5-perencanaan proyek perangkat lunak
Arsitektur sistem terdistribusi
Testing dan implementasi
 
Struktur Data Tree
Modul Data Warehouse
Presentasi Pembuatan Website E-Commerce
Perancangan Data Warehouse (Logical dan Physical)

What's hot (20)

PDF
Basis Data Client-Server
DOCX
Soal essay basis data xi
DOCX
MAKALAH CLOUD COMPUTING
PDF
Pemrograman Python untuk Pemula
PPT
Power Point Presentasi Komunikasi Data
PDF
Rpl 011 - arsitektur sistem terdistribusi
DOCX
Tutorial Pentaho - Membuat Data base werehaouse
DOC
Makalah tentang firewall
PPTX
Requirement Engineering
PPTX
Presentasi cloud computing
PDF
[RPL2] Class Diagram dan Konsep Object Oriented (1)
PPTX
Pertemuan 1 Pemrograman Dasar
PPT
Class diagram
PDF
3 struktur-sistem-operasi-edit
PPTX
Ragam Dialog :: Interaksi Manusia dan Komputer
DOC
Dfd sistem pemesanan tiket pesawat (1)
PPT
Firewall
PDF
LAPORAN TUGAS AKHIR PERANCANGAN APLIKASI KNOWLEDGE BASE SYSTEM UNTUK INSTRUKS...
PPTX
Virus Pada Komputer
PDF
4 diagram relasi antar entitas (ERD)
Basis Data Client-Server
Soal essay basis data xi
MAKALAH CLOUD COMPUTING
Pemrograman Python untuk Pemula
Power Point Presentasi Komunikasi Data
Rpl 011 - arsitektur sistem terdistribusi
Tutorial Pentaho - Membuat Data base werehaouse
Makalah tentang firewall
Requirement Engineering
Presentasi cloud computing
[RPL2] Class Diagram dan Konsep Object Oriented (1)
Pertemuan 1 Pemrograman Dasar
Class diagram
3 struktur-sistem-operasi-edit
Ragam Dialog :: Interaksi Manusia dan Komputer
Dfd sistem pemesanan tiket pesawat (1)
Firewall
LAPORAN TUGAS AKHIR PERANCANGAN APLIKASI KNOWLEDGE BASE SYSTEM UNTUK INSTRUKS...
Virus Pada Komputer
4 diagram relasi antar entitas (ERD)
Ad

Similar to Modul 4 Intrusion Detection System IDS.ppt (20)

PPTX
Intrusion detection system IDS
PDF
Intrusion_Detection_By_loay_elbasyouni
PPTX
Intrusion Detection Systems Pedagogy.pptx
PDF
IS - Firewall
PPT
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
PPT
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
PPTX
Introduction to Intrusion detection and prevention system for network
PDF
Kx3419591964
PPSX
Intrusion detection system
PPTX
L5A - Intrusion Detection Systems.pptx
PDF
Intrusion detection
DOCX
Network and web security
PDF
Module 19 (evading ids, firewalls and honeypots)
PPT
Data Mining and Intrusion Detection
PDF
Signature-Based or Anomaly-Based Intrusion Detection: The Merits and Demerits
PPTX
Final project.ppt
PPTX
Network Forensics
PPTX
Intrusion Detection System(IDS)
PPTX
Cyber warfare introduction
PPTX
Snort IDS/IPS Basics
Intrusion detection system IDS
Intrusion_Detection_By_loay_elbasyouni
Intrusion Detection Systems Pedagogy.pptx
IS - Firewall
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Introduction to Intrusion detection and prevention system for network
Kx3419591964
Intrusion detection system
L5A - Intrusion Detection Systems.pptx
Intrusion detection
Network and web security
Module 19 (evading ids, firewalls and honeypots)
Data Mining and Intrusion Detection
Signature-Based or Anomaly-Based Intrusion Detection: The Merits and Demerits
Final project.ppt
Network Forensics
Intrusion Detection System(IDS)
Cyber warfare introduction
Snort IDS/IPS Basics
Ad

More from cemporku (18)

PPT
Lesson 01 Interaksi Manusia Dan Komputer.ppt
PPTX
02_Slide Step 1 Know your User and Client.pptx
PPTX
Pengantar PAA Materi pertemuan ke 1.pptx
PPTX
Interaksi Manusia Dan Komputer Pertemuan 1
PDF
ABSEN UAS KELAS KA SEMESTER 2 TAHUN 2023 RUANG 1.pdf
PPT
Materi S8stem Basis Data Entity Relationship Model.ppt
PDF
Materi matakuliah Ekonomi Digital Pertemuan Ke 1
PPT
Week5-Jaringan-Komputer.ppt
PPTX
JARINGAN KOMUNIKASI DATA.pptx
PPTX
Slide-01.pptx
PPT
Keamanan Jaringan.ppt
PPT
Modul 7 Trojan, Backdoors,RootKit.ppt
PPT
Modul 5 VPN_2.ppt
PPT
Modul 5 VPN.ppt
PPT
Modul 3 Firewalll.ppt
PPT
Modul 2 - Footprinting Scanning Enumeration.ppt
PPTX
Minggu #1 konsep sistem temu kembali informasi
DOCX
Materi Pemrograman Visual Pertemuan 4
Lesson 01 Interaksi Manusia Dan Komputer.ppt
02_Slide Step 1 Know your User and Client.pptx
Pengantar PAA Materi pertemuan ke 1.pptx
Interaksi Manusia Dan Komputer Pertemuan 1
ABSEN UAS KELAS KA SEMESTER 2 TAHUN 2023 RUANG 1.pdf
Materi S8stem Basis Data Entity Relationship Model.ppt
Materi matakuliah Ekonomi Digital Pertemuan Ke 1
Week5-Jaringan-Komputer.ppt
JARINGAN KOMUNIKASI DATA.pptx
Slide-01.pptx
Keamanan Jaringan.ppt
Modul 7 Trojan, Backdoors,RootKit.ppt
Modul 5 VPN_2.ppt
Modul 5 VPN.ppt
Modul 3 Firewalll.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
Minggu #1 konsep sistem temu kembali informasi
Materi Pemrograman Visual Pertemuan 4

Recently uploaded (20)

PDF
Classroom Observation Tools for Teachers
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
PPTX
Lesson notes of climatology university.
PPTX
Cell Types and Its function , kingdom of life
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
PPTX
master seminar digital applications in india
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
PDF
O7-L3 Supply Chain Operations - ICLT Program
PPTX
Institutional Correction lecture only . . .
PPTX
GDM (1) (1).pptx small presentation for students
PDF
VCE English Exam - Section C Student Revision Booklet
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
PDF
Pre independence Education in Inndia.pdf
PDF
Basic Mud Logging Guide for educational purpose
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
PPTX
Renaissance Architecture: A Journey from Faith to Humanism
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
PDF
TR - Agricultural Crops Production NC III.pdf
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Classroom Observation Tools for Teachers
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Lesson notes of climatology university.
Cell Types and Its function , kingdom of life
FourierSeries-QuestionsWithAnswers(Part-A).pdf
master seminar digital applications in india
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
Module 4: Burden of Disease Tutorial Slides S2 2025
O7-L3 Supply Chain Operations - ICLT Program
Institutional Correction lecture only . . .
GDM (1) (1).pptx small presentation for students
VCE English Exam - Section C Student Revision Booklet
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
Pre independence Education in Inndia.pdf
Basic Mud Logging Guide for educational purpose
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
Renaissance Architecture: A Journey from Faith to Humanism
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
TR - Agricultural Crops Production NC III.pdf
3rd Neelam Sanjeevareddy Memorial Lecture.pdf

Modul 4 Intrusion Detection System IDS.ppt

  • 2. Objective  Mengerti pengertian Intrussion Detection  Pengertian Snort  Installasi Snort 2
  • 3. Pengertian IDS (Cont…)  Intrusion  Didefinisikan sebagai kegiatan yang bersifat anomaly, incorrect, inappropriate yang terjadi di jaringan atau di host  Klasifikasi intrusi :  Attempted Break-ins  Masquerade attacks  Penetration of Security Control Systems  Leakage  Denial of Service  Malicious Use  Anomaly merupakan Traffic/aktivitas yang tidak sesuai dgn policy:  akses dari/ke host yang terlarang  memiliki content terlarang (virus)  menjalankan program terlarang (web directory traversal:GET ../..;cmd.exe )
  • 4. Intrusion Detection  Intrusion detection adalah proses mencari, meneliti, dan melaporkan tindakan tidak sah atau yang membahayakan aktivitas jaringan atau komputer 4
  • 5. Kenapa Butuh System Pendeteksi Intrusi  Firewall adalah Sistem Pengamanan utama, tapi Tidak semua akses melalui firewall  Ada beberapa aplikasi yang memang diloloskan oleh firewall (Web, Email, dll)  Tidak semua ancaman berasal dari luar firewall, tapi dari dalam jaringan sendiri  Firewall kadang merupakan object serangan  Perlu suatu aplikasi sebagai pelengkap Firewall yang bisa mendeteksi ancaman yang tidak bisa diproteksi oleh firewall
  • 6. Mobile worker Web site Hacker Hacker Supplier Branch Office Mail server Manufacturing Engineering HR/Finance Corporate Intranet Hacker Internet
  • 7. Basic Intrusion Detection Target System Intrusion Detection System Intrusion Detection System Infrastructure Monitor Respond Report 7
  • 8. Intrusion Detection Ada 2 pendekatan  Preemptory  Tool Intrusion Detection secara aktual mendengar traffic jaringan. Ketika ada aktifitas mencurigakan dicatat, sistem akan mengambil tindakan yang sesuai  Reactionary  Tool Intrusion Detection mengamati log. Ketika ada aktifitas mencurigakan dicatat, sistem akan mengambil tindakan yang sesuai 8
  • 9. Teknologi IDS Berdasar Penempatan  Network-based  memantau anomali di jaringan, misal melihat adanya network scanning  Menyediakan real-time monitoring activity jaringan:  mengcapture, menguji header dan isi paket,  membandingkan dengan pattern dengan threat yang ada di database dan  memberikan respon jika dianggap intruder.  Packet monitors bisa ditempatkan di luar firewall (mendeteksi Internet- based attacks) and di dalam jaringan(mendeteksi internal attacks).  Respons berupa : notifying a console, sending an e-mail message, terminating the session.  Tools : Snort  Host-based memantau anomali di host, misal memonitor logfile, process, file owenership, mode  Tools : Log scanners  Swatch  Log check  Mod_security File System Integrity Checkers  Tripwire
  • 10. Metode Pendeteksian Attack  Rule Based / Misuse detection / signature analysis  Biasa disebut misuse detection / signature detection  Misuse detection mendeteksi intrusi dengan melakukan monitoring trafik jaringan dan mencocokkan pola penyerangan (signature) yang serupa.  Perlu memodelkan pattern berbagai macam intrusi adalah pekerjaan yang sangat sulit dan membutuhkan waktu serta tidak dapat mendeteksi adanya jenis intrusi baru yang sebelumnya tidak dikenali  Yang termasuk dalam kategori ini adalah Snort dan Bro  Anomaly detection.  sistem mendefinisikan pola atau behaviour jaringan sebelumnya. Semua deviasi dari pola normal akan dilaporkan sebagai serangan  Bisa mendeteksi attack baru dengan cara melihat deviasi dari pola normal
  • 11. 11 Thresholds  A rule tells the IDS which packets to examine and what action to take  Similar to a firewall rule  Alert tcp any any -> 192.168.1.0/24 111 (content:”|00 01 86 a5|”;msg:”mountd access”;)  Alert specifies the action to take  Tcp specifies the protocol  Any any 192…. specifies the source and destination within the given subnet  111 specifies the port  Content specifies the value of a payload  Msg specifies the message to send
  • 12. 12 Thresholds  Threshold is a value that represents the boundary of normal activity  Example: Maximum three tries for login  Common thresholds:  file I/O activity  network activity  administrator logins and actions
  • 13. 13 Intrusion Detection  An IDS is sensitive to configuration  Possible types of IDS errors:  False positive (unauthorized user let in)  False negative (authorized user denied access)  Subversion error (compromised the system from detecting intrusion)
  • 14. Metode Pendeteksian Anomali  Analisa Header  berusaha menganalisa suatu attak berdasarkan analisa nilai field yang dimiliki oleh header layer datalink, network dan transport, analisa paket header tidak menganalisa layer aplikasi atau isi paket. Biasanya digunakan untuk menganalisa attack dari traffik yang tidak mempunyai koneksi penuh ke network.  Analisa Payload (Contents Paket)  didapatkan dari ektraksi sehimpunan attribut dari setiap kejadian baik koneksi TCP maupun UDP termasuk di dalamnya isi dari paket . Digunakan untuk menganalisa perilaku attak yang sudah masuk ke sistem, misal U2R R2L
  • 15. Anomaly Detection Metode Anomaly detection  Pertama-tama data traffic jaringan ditangkap dengan perangkat lunak tcpdump,  setelah melalui tahap preprocessing data dibagi menjadi dua bagian yaitu data training dan data testing.  Dengan menggunakan Metode tertentu data training diklasifikasikan menjadi dua kelas intrusi dan non intrusi.  Hasil training digunakan untuk melakukan testing Attacker RawAudit Data Capture Packet Preprocessing (Connection Session/ Record) Class1 Class -1 0,tcp,http,SF,215,45076,0,0,0,0,0,1,0,0,0,0,0,0,0,0 ,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,0,0,0.0 0,0.00,0.00,0.00,0.00,0.00,0.00,0.00,normal. 0,tcp,http,SF,162,4528,0,0,0,0,0,1,0,0,0,0,0,0,0,0, 0,0,2,2,0.00,0.00,0.00,0.00,1.00,0.00,0.00,1,1,1.0 0,0.00,1.00,0.00,0.00,0.00,0.00,0.00,normal. 10:35:41.5 128.59.23.34.30 > 113.22.14.65.80 : . 512:1024(512) ack 1 win 9216 10:35:41.5 102.20.57.15.20 > 128.59.12.49.3241: . ack 1073 win 16384 SVM Classification
  • 16. Prinsip Kerja Anomali detection  menganalisa paket normal saja, deviasi normal dianggap anomali/attack  sebagian besar IDS untuk anomali dilakukan dengan cara mengobservasi port dan ip yang tidak umum.  Mempunyai nilainya tidak ada pada data normal yang ditrainingkan.  Attack kebiasaan memanfaat bug software untuk masuk ke sistem  Teknik attack biasanya : menggunakan bad checksum, unusual TCP flags or IP options, invalid sequence numbers, spoofed addresses, duplicate TCP packets with differing payloads, packets with short TTLs  Beberapa perilaku attack  Smurf melakukan pengiriman ICMP an echo request secara berlebihan  UDPStorm mengirim request secara berlebihan dari ip yang dispoof  Keduanya punya karakteristik checksum error  Biasanya target program yang diserang perilakuk menjadi tidak normal menghasilkan urutan sistem call yang tidak normal dan menghasilkan output yang tidak normal pula
  • 17. The Honeynet Project
   http://www.honeynet.org/
   Non-profit volunteer research organization dedicated to improving the security of the Internet at no cost to the public
   Its mission is to learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned
  • 18. What are Honeypots
   Honeypots are real or emulated vulnerable systems ready to be attacked.
   The primary value of honeypots is to collect information.
   This information is used to better identify, understand and protect against threats.
   Honeypots add little direct value to protecting your network.
  • 19. Why Honeypots
   The goal is to research and analyze various attacks
   Build anti-virus signatures.
   Build SPAM signatures and filters.
   ISPs identify compromised systems.
   Assist law enforcement to track criminals.
   Hunt and shut down botnets.
   Malware collection and analysis.
  • 21. Our Honeypot VM Architecture
  • 22. Examples from the Honeynet Project
   Sebek
   Honeywall CDROM
   The Ghost USB honeypot
  • 23. Sebek
   Hidden kernel module that captures all host activity
   Dumps activity to the network.
   The attacker cannot sniff any of this traffic, which is identified by a magic number and destination port.
  • 24. Ghost
   Ghost is a honeypot for malware that spreads via USB storage devices.
   Detects infections with such malware without the need for any further information
  • 26. Honeywall CDROM
   Attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
   Honeywall as Data Control and Data Capture
   May, 2003 - Released Eeyore
   May, 2005 - Released Roo
    Based on Fedora Core 3
    Vastly improved hardware and international support.
    Automated, headless installation
    New Walleye interface for web based administration and data analysis.
    Automated system updating
  • 28. Snort
   Snort is a Network IDS with 3 modes: sniffer, packet logger, and network intrusion detection.
   Snort can also be run in the background as a daemon.
  • 29. Snort
   Fast, flexible and open source
   Developed by Marty Roesch; see www.sourcefire.com
   Originally developed in late 1998 as a sniffer with consistent output
  • 30. Snort Output
    04/18-11:32:20.573898 192.168.120.114:1707 -> 202.159.32.71:110
    TCP TTL:64 TOS:0x0 ID:411 IpLen:20 DgmLen:60 DF
    ******S* Seq: 0x4E70BB7C Ack: 0x0 Win: 0x16D0 TcpLen: 40
    TCP Options (5) => MSS: 1460 SackOK TS: 6798055 0 NOP WS: 0
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    04/18-11:32:20.581556 202.159.32.71:110 -> 192.168.120.114:1707
    TCP TTL:58 TOS:0x0 ID:24510 IpLen:20 DgmLen:60 DF
    ***A**S* Seq: 0x423A85B3 Ack: 0x4E70BB7D Win: 0x7D78 TcpLen: 40
    TCP Options (5) => MSS: 1460 SackOK TS: 163052552 6798055 NOP WS: 0
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    04/18-11:32:20.581928 192.168.120.114:1707 -> 202.159.32.71:110
    TCP TTL:64 TOS:0x0 ID:412 IpLen:20 DgmLen:52 DF
    ***A**** Seq: 0x4E70BB7D Ack: 0x423A85B4 Win: 0x16D0 TcpLen: 32
    TCP Options (3) => NOP NOP TS: 6798056 163052552
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
  • 31.
    Snort analyzed 255 out of 255 packets, dropping 0(0.000%) packets
    Breakdown by protocol:
      TCP: 211 (82.745%)
      UDP: 27 (10.588%)
      ICMP: 0 (0.000%)
      ARP: 2 (0.784%)
      IPv6: 0 (0.000%)
      IPX: 0 (0.000%)
      OTHER: 15 (5.882%)
      DISCARD: 0 (0.000%)
    Action Stats:
      ALERTS: 0
      LOGGED: 0
      PASSED: 0
    =======================================================================
    Fragmentation Stats:
      Fragmented IP Packets: 0 (0.000%)
      Fragment Trackers: 0
      Rebuilt IP Packets: 0
      Frag elements used: 0
      Discarded(incomplete): 0
      Discarded(timeout): 0
      Frag2 memory faults: 0
    =======================================================================
    TCP Stream Reassembly Stats:
      TCP Packets Used: 0 (0.000%)
      Stream Trackers: 0
      Stream flushes: 0
      Segments used: 0
      Stream4 Memory Faults: 0
    =======================================================================
    Snort received signal 2, exiting
  • 32. Where is Snort placed?
   Inside the firewall
   Outside the firewall
  • 34. Solution Positioning
   [Figure: Internet, User/Attacker, Firewall, Web Servers, Application Servers, Database, App IDS]
  • 35. Snort Actions
   Alert: create an entry in the alert file and log the packet
   Log: only log the packet
   Pass: let the packet through, no action
   Activate: alert, then trigger another rule (dynamic)
   Dynamic: stay idle until activated
  • 36. Installing Snort
   On Debian Linux, as root:
    apt-get install snort
   Files and directories installed:
    /etc/snort contains the conf and rule files
    /var/log/snort contains the logs
    /usr/local/bin/ contains the snort binary
  • 37. Testing Snort
   Run snort as root:
    # snort -v
   From another host run NMAP:
    nmap -sP <snort_machine_IP_address>
   An alert will appear:
    03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.20 -> 192.168.1.237
  • 38. Snort Rules
   A rule is a set of instructions that govern Snort's behaviour on
   Stored in /rules/: ftp.rules, ddos.rules, virus.rules, etc.
    alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags:SF;msg:"SYN-FINscan";)
   Rule header: action, protocol, source and destination IP, source and destination port.
   Rule body: keywords and arguments that trigger the alert
  • 39. Detection Engine: Rules
   Rule header: alert tcp 1.1.1.1 any -> 2.2.2.2 any
   Rule options: (flags: SF; msg: "SYN-FIN Scan";)
   Examples:
    alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: SF; msg: "SYN-FIN Scan";)
    alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: "Queso Scan";)
    alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: F; msg: "FIN Scan";)
  • 40. Stages of Writing a Rule:
   Identify the characteristics of the suspicious traffic
   Write a rule based on those characteristics
   Implement the rule
   Test it against the suspicious traffic
   Modify the rule according to the test results
   Test again and check the results
  • 41. /var/log/snort
    Apr 4 19:00:21 202.159.32.71:110 -> 192.168.120.114:2724 NOACK 1*U*P*S*
    Apr 4 20:47:43 168.143.117.4:80 -> 192.168.120.114:2916 NOACK 1*U*P*S*
    Apr 5 06:04:04 216.136.171.200:80 -> 192.168.120.114:3500 VECNA 1*U*P***
    Apr 5 17:28:20 198.6.49.225:80 -> 192.168.120.114:1239 NOACK 1*U*P*S*
    Apr 6 09:35:56 202.153.120.155:80 -> 192.168.120.114:3628 NOACK 1*U*P*S*
    Apr 6 17:44:06 205.166.76.243:80 -> 192.168.120.114:1413 INVALIDACK *2*A*R*F
    Apr 6 19:55:03 213.244.183.211:80 -> 192.168.120.114:43946 NOACK 1*U*P*S*
    Apr 7 16:07:57 202.159.32.71:110 -> 192.168.120.114:1655 INVALIDACK *2*A*R*F
    Apr 7 17:00:17 202.158.2.4:110 -> 192.168.120.114:1954 INVALIDACK *2*A*R*F
    Apr 8 07:35:42 192.168.120.1:53 -> 192.168.120.114:1046 UDP
    Apr 8 10:23:10 192.168.120.1:53 -> 192.168.120.114:1030 UDP
    Apr 8 10:23:49 192.168.120.1:53 -> 192.168.120.114:1030 UDP
    Apr 20 12:03:51 192.168.120.1:53 -> 192.168.120.114:1077 UDP
    Apr 21 01:00:11 202.158.2.5:110 -> 192.168.120.114:1234 INVALIDACK *2*A*R*F
    Apr 21 09:17:01 66.218.66.246:80 -> 192.168.120.114:42666 NOACK 1*U*P*S*
    Apr 21 11:00:28 202.159.32.71:110 -> 192.168.120.114:1800 INVALIDACK *2*A*R*F
  • 42. Snort Rules
    alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
   alert: action to take; also log, pass, activate, dynamic
   tcp: protocol; also udp, icmp, ip
   $EXTERNAL_NET: source address; this is a variable; a specific IP is ok
   27374: source port; also any, negation (!21), range (1:1024)
   ->: direction; best not to change this, although <> is allowed
   $HOME_NET: destination address; this is also a variable here
   any: destination port
  • 43. Snort Rules
    alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
   msg:"BACKDOOR subseven 22"; message to appear in logs
   flags: A+; tcp flags; many options, like SA, SA+, !R, SF*
   content: "|0d0...0a|"; binary data to check in packet; content without | (pipe) characters does a simple content match
   reference...; where to go to look for background on this rule
   sid:103; rule identifier
   classtype: misc-activity; rule type; many others
   rev:4; rule revision number
   other rule options possible, like offset, depth, nocase
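Added example, not code from the slides or from Snort itself: a small parser for the rule anatomy explained on slides 38 to 43 (header of seven fields, then keyword:value options in parentheses), applied to the subseven rule shown above. It also decodes the content: value, where text between pipes is hex, and checks it against a constructed payload; it assumes the options part holds no nested parentheses.

```python
import re

# Constructed input: the rule discussed on slides 42 and 43.
RULE = ('alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; '
        'flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; '
        'reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)')

HEADER = ("action", "protocol", "src_ip", "src_port", "direction", "dst_ip", "dst_port")
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# Split on ';' only when it is outside double quotes (a msg: text may hold one).
OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_rule(text):
    """Return (header dict, [(keyword, value), ...]). Options stay a list
    because a keyword such as 'reference' may occur more than once."""
    head, paren, body = text.strip().partition("(")
    if not paren or not body.endswith(")"):
        raise ValueError("rule options must be enclosed in ( ... )")
    fields = head.split()
    if len(fields) != len(HEADER):
        raise ValueError(f"rule header needs {len(HEADER)} fields, got {len(fields)}")
    hdr = dict(zip(HEADER, fields))
    if hdr["action"] not in ACTIONS or hdr["protocol"] not in PROTOCOLS:
        raise ValueError("unknown action or protocol in rule header")
    if hdr["direction"] not in ("->", "<>"):
        raise ValueError("direction must be -> or <>")
    opts = []
    for opt in OPT_SPLIT.split(body[:-1]):
        if opt.strip():
            key, _, val = opt.partition(":")
            opts.append((key.strip(), val.strip()))
    return hdr, opts

def content_bytes(value):
    """Decode a content: value: text between | pipes is hex, the rest literal."""
    out = bytearray()
    for i, chunk in enumerate(value.strip('"').split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return bytes(out)

def content_matches(opts, payload):
    """True when every content: option of the rule occurs in the payload."""
    return all(content_bytes(v) in payload for k, v in opts if k == "content")

if __name__ == "__main__":
    header, options = parse_rule(RULE)
    print(header)
    print(options)
    print(content_bytes(dict(options)["content"]))  # the bytes Snort looks for
```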
  • 46. Snort Rules
   bad-traffic.rules
   exploit.rules
   scan.rules
   finger.rules
   ftp.rules
   telnet.rules
   smtp.rules
   rpc.rules
   rservices.rules
   dos.rules
   ddos.rules
   dns.rules
   tftp.rules
   web-cgi.rules
   web-coldfusion.rules
   web-frontpage.rules
   web-iis.rules
   web-misc.rules
   web-attacks.rules
   sql.rules
   x11.rules
   icmp.rules
   netbios.rules
   misc.rules
   backdoor.rules
   shellcode.rules
   policy.rules
   porn.rules
   info.rules
   icmp-info.rules
   virus.rules
   local.rules
   attack-responses.rules
  • 47. Snort in Action
   3 operational modes:
   Sniffer: snort -dve displays the payload, verbose output and the data link layer
   Packet logger: snort -b -l /var/log/snort logs binary data to the directory /var/log/snort
   NIDS: snort -b -l /var/log/snort -A full -c /etc/snort/snort.conf logs binary data to the directory /var/log/snort, with full alerts in /var/log/snort/alert, and reads the configuration file in /etc/snort
  • 48. IDS Software
   If Snort is not available, Ethereal is an open-source, GUI-based packet viewer
   www.ethereal.com:
    Windows: www.ethereal.com/distribution/win32/ethereal-setup-0.9.2.exe
    UNIX: www.ethereal.com/download.html
    Red Hat Linux RPMs: ftp.ethereal.com/pub/ethereal/rpms/
  • 50. IDS Software
   tcpdump is also a packet capture tool
   www.tcpdump.org for UNIX
   netgroup-serv.polito.it/windump/install/ for Windows, where it is named windump