Objective
Intrusion
Intrusion Detection System
Vulnerability
Vulnerability Assessment
Alert Correlation
Intrusion
An intrusion is any malicious activity carried out by a hacker, mainly to:
Get unauthorized access to the system
Read/write the data
Disturb the normal functionality of the network
Steal confidential data
CVE or Bugtraq
CVE (Common Vulnerabilities and Exposures) is a system that identifies and describes known malicious activity against software. Bugtraq is another system that describes problems found in applications/software.
CVE Details
IDS deployment
[Figure: IDS deployment. Computers on a Local Area Network connect through a Router to the external world (Internet); the IDS sits on the LAN.]
The IDS captures all packets and further analyzes them.
Vulnerability
A vulnerability is a weakness/problem in a computer system or application that allows an attacker/hacker to attack the system.
E.g. MySQL has a vulnerability where any remote user can log in to the database without providing a password.
Vulnerabilities can have different levels of severity: High, Medium and Low.
Vulnerability Assessment
Vulnerability assessment is a process to find out all the problems that exist in a system, the way an X-ray scan finds a fracture in a bone. A vulnerability assessment tool keeps a set of plugins/rules to test for vulnerabilities in a given system/application/service. Plugins are created based on the problems described by CVE or Bugtraq.
Alert Correlation
Alert correlation is the process of correlating the alerts sent by the IDS with the vulnerability report produced by the vulnerability assessment tool, in order to find out which alerts are valid attacks.
Architecture of AC
[Figure: Architecture of Alert Correlation. An Alert flows through the modules AN (Alert Normalization), AF (Alert Fusion), AV (Alert Verification) and AP (Alert Profiler).]
Module | Description
Data Collector | Collects the alerts from the IDS
Alert Normalization | Changes the alert into a standard form (Alert-id, SRC IP, SRC Port, Dst IP, Dst Port, Rule-Id, References, Sensor Id)
Alert Preprocessing | Sets the create time of the alert if it is not there
Alert Fusion | Removes duplicate alerts sent by different sensors
Module | Description
Alert Verification | Verifies each received alert against the vulnerability report. It takes the destination IP from the alert and looks it up in the vulnerability report to find the vulnerabilities for that destination IP. If a vulnerability exists in the database for the destination IP, it further checks whether the attacked service is running. If the service is running on the system, it checks the CVE details to make sure the alert was fired for the vulnerable service version.
Case Study:
If an IDS alert says there is an attack on MySQL server version 1.2.5, the alert verifier first checks whether MySQL is running on the system. If MySQL is not running, the alert is a False Positive. If MySQL is running, the alert verifier checks the vulnerability report to see whether version 1.2.5 is the one running. If MySQL version 1.2.5 is running, the alert is valid; otherwise it is a False Positive.
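The three checks above (service running, vulnerability reported for that host/port, reference matches the rule), as an added Python example that is not the project's own code. The alert fields follow the Alert Normalization module; the vulnerability database and running-service data are constructed to mirror the report example, and the version check is approximated by matching the IDS rule's CVE/Bugtraq reference against the reference in the vulnerability report.

```python
from dataclasses import dataclass


@dataclass
class Alert:
    """Normalized alert (Alert-id, Src IP, Src Port, Dst IP, Dst Port, Rule-Id, References, Sensor-Id)."""
    alert_id: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    rule_id: str
    references: tuple  # CVE/Bugtraq ids attached to the IDS rule
    sensor_id: str


# Constructed vulnerability database (VDB): host -> reported vulnerable services.
VDB = {
    "172.16.2.3": [
        {"service": "Mysql", "port": 3306, "severity": "high",
         "plugin_id": 2234, "reference": "CVE-2003-2345"},
        {"service": "Apache", "port": 80, "severity": "low",
         "plugin_id": 1234, "reference": "Bugtraq-1234"},
    ],
    "192.168.12.13": [],
}

# Constructed service inventory (what the port scanner reported as open): host -> ports.
RUNNING = {"172.16.2.3": {3306, 80}, "192.168.12.13": {22}}


def verify(alert, vdb=VDB, running=RUNNING):
    """Return ('valid', reason) or ('false positive', reason) for one alert."""
    # Step 1: is the attacked service actually running on the destination host?
    if alert.dst_port not in running.get(alert.dst_ip, set()):
        return "false positive", f"port {alert.dst_port} not open on {alert.dst_ip}"
    # Step 2: does the vulnerability report list a vulnerable service on that host/port?
    hits = [v for v in vdb.get(alert.dst_ip, []) if v["port"] == alert.dst_port]
    if not hits:
        return "false positive", f"no vulnerability reported on {alert.dst_ip}:{alert.dst_port}"
    # Step 3: does the rule's CVE/Bugtraq reference match the reported vulnerability?
    for v in hits:
        if v["reference"] in alert.references:
            return "valid", f"{alert.rule_id} matches plugin {v['plugin_id']} ({v['reference']})"
    found = [v["reference"] for v in hits]
    return "false positive", f"{alert.rule_id} references {alert.references}, report has {found}"
```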
Module | Description
Alert Profiler | Creates groups of alerts based on attacker and victim
Vulnerability Scanner | Runs the vulnerability scanner with all plugins
Vulnerability Parser | Parses the vulnerability report and stores it in the database
ADB | Alert database; all alerts are stored here
VDB | Vulnerability database
Report Engine | Views the alert details online
Design: ER-Diagram
Example of Vulnerability
<Host: 172.16.2.3>
  <Service: Mysql>
    <port: 3306>
    <Severity: high>
    <plugin-id: 2234>
    <reference: CVE-2003-2345>
    <Description: Mysql does not have a root password>
  </Service>
  <Service: Apache>
    <port: 80>
    <Severity: low>
    <plugin-id: 1234>
    <references: Bugtraq-1234>
    <Description: Apache web server has an issue>
  </Service>
</Host>
<Host: 192.168.12.13>
</Host>
The example above shows how the vulnerability report is generated for host 172.16.2.3. This report gets parsed and stored in the Vulnerability Database.
Testing
To test the alert verification process, the following steps were followed:
1. The Nemesis tool was used to create the test packet, e.g. $ nemesis tcp -s 134.13.21.21 -d 202.153.144.25 -p payload/rule2
2. Ran the vulnerability scanner, parsed the report and stored it in the database.
3. Ran the alert verifier to check whether RULE2, fired by the IDS, matches the existing vulnerability database.
Tools Used
Snort (as an IDS)
Nessus (vulnerability scanner)
Nemesis (packet creation for testing)
Nmap (to get the details of services running on the system)
Xerces (XML parser to parse the vulnerability report stored by the scanner in XML format)
GDB (program debugging)
Attack report
Attack type
Vulnerability Parsing
Thanks To
IGNOU & Rajiv Ranjan(Guide)