
Using Argus Audit Trails to Enhance IDS Analysis

Jed Haile

Nitro Data Systems

[email protected]


Overview

  • What is an audit trail?

  • What is Argus?

  • Overview of IP audit trails

  • Why are they useful?

  • Using audit trails to monitor your network

  • Detecting interesting network events using audit trails

  • Enhancing IDS analysis using audit trails


What is an IP Audit Trail?

  • An IP audit trail is a collection of network flows observed at some point in a network.

  • A network flow is an identifiable exchange of data between two endpoints on a network.

  • Flows may be delineated by normal protocol behaviour (for example a SYN answered by an RST) or by timeouts.

  • Flows may become exaggerated, because not all network traffic can be broken into correct sessions with the information available on the wire.


What is Argus?

  • Written by Carter Bullard as part of a DoD contract while he was at Carnegie Mellon's SEI

  • Runs on Unix

  • The free version is available at http://www.qosient.com/argus

  • A commercial version is under development by Qosient


More about Argus

  • Argus uses a client/server model:

    • Data collection engine (server): monitors the network using libpcap and collects network data into audit trails. The engine can write the data to a file or to a socket.

    • Argus client: reads audit data from a file or from a socket. A number of clients are available for various purposes.


Argus Clients

  • ra: reads Argus data and displays it on stdout

  • ragator: aggregates flows in arbitrary ways

  • ramon: produces RMON-style reports and tables

  • racount: counts bytes and packets

  • rasort: sorts Argus records

  • raxml: displays all fields in XML format

  • Others: ratop, ragrep, rahistogram, rasrvstats

  • Lacking: a database client!!


Default RA output

timestamp          protocol  src IP[.port]            direction  dst IP[.port]          status
17 Apr 02 09:59:16 icmp 192.172.1.26 <-> 192.172.1.253 ECO
17 Apr 02 09:59:16 tcp 192.172.191.46.458 -> 207.68.162.24.80 FIN
17 Apr 02 09:59:16 icmp 192.172.1.25 <-> 192.172.1.253 ECO
17 Apr 02 09:59:16 tcp 192.18.221.25.119 -> 192.172.191.61.25 FIN
17 Apr 02 09:59:16 tcp 192.172.1.6.3562 -> 209.10.33.195.80 FIN
17 Apr 02 09:59:16 tcp 192.172.1.23.5936 -> 61.200.81.153.80 EST
17 Apr 02 09:59:16 tcp 192.172.191.46.4585 -> 64.4.30.24.80 FIN
17 Apr 02 09:59:17 tcp 192.172.191.46.4990 -> 12.12.162.203.80 RST
17 Apr 02 10:00:04 tcp 192.172.191.46.240 -> 216.33.240.24.80 RST
17 Apr 02 09:59:17 tcp 142.177.221.77.177 -> 192.172.18.27.634 RST
17 Apr 02 10:00:02 icmp 192.172.1.25 -> 192.172.1.253 ECO
17 Apr 02 10:00:02 icmp 129.82.45.220 -> 192.172.1.3 ECO
17 Apr 02 10:00:02 icmp 129.82.45.220 -> 192.172.1.3 ECO
17 Apr 02 10:00:02 udp 205.158.62.41.967 -> 192.172.191.6.53 TIM
17 Apr 02 10:00:02 icmp 129.82.45.220 -> 192.172.1.3 ECO

There is still a lot of other useful data we can capture!!


Data Model

  • Source IP address

  • Destination IP address

  • Source Port

  • Destination Port

  • Protocol

  • Time of first packet

  • Time of last packet

  • Packets sent

  • Bytes sent

  • Packets received

  • Bytes received

  • This set of data is surprisingly rich!


Why are these useful?

  • This set of data can be analyzed to find network sessions, or sets of sessions, that appear to be suspicious.

  • In the case of a compromise, the audit trails can be examined to find out what else might have happened.

  • An excellent tool for network policy monitoring: unauthorized servers, services, or backdoors become much easier to detect.

  • Much smaller than full packet captures, so more can be stored for longer.

  • Well suited to statistical analysis


Reducing Record Counts

  • A major problem with collecting network flows is the extreme rate and sheer quantity of records

  • Fortunately, network flows are readily aggregated

  • All flows with the same source and destination addresses and ports can be collapsed to a single row with a counter


Portscan Detection

  • IP audit trails are an excellent tool for detecting network enumeration attempts.

  • Snort's spp_portscan2 preprocessor uses network flows to detect portscans

  • To detect portscanning, simply count connections from each external host to distinct hosts and ports on your network

  • A well-defined notion of home network versus external network is critical

  • A portscan attempt which also correlates to an IDS alert, or to a session that is long or that moves some data, might point to a successful compromise

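A worked version of the aggregation from the previous slide and the scan-counting rule above, added here as an example; it is not code from the presentation or from the Argus distribution. It parses records laid out like the default ra output shown earlier, collapses them into counted rows, and lists the external sources that touched at least four distinct home host/port pairs. The sample lines, the scanning host 142.177.221.77 and its targets, the 192.172.0.0/16 home network and the threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample in the default ra layout shown earlier:
# timestamp, protocol, src[.sport], direction, dst[.dport], status.
# The scanning host 142.177.221.77 and its target ports are made up for the example.
SAMPLE_RA = """\
17 Apr 02 09:59:16 tcp 192.172.191.46.4585 -> 64.4.30.24.80 FIN
17 Apr 02 09:59:16 icmp 192.172.1.26 <-> 192.172.1.253 ECO
17 Apr 02 09:59:17 tcp 142.177.221.77.40001 -> 192.172.18.27.22 RST
17 Apr 02 09:59:17 tcp 142.177.221.77.40002 -> 192.172.18.27.23 RST
17 Apr 02 09:59:17 tcp 142.177.221.77.40003 -> 192.172.18.27.25 RST
17 Apr 02 09:59:17 tcp 142.177.221.77.40004 -> 192.172.18.28.22 RST
17 Apr 02 09:59:18 tcp 142.177.221.77.40005 -> 192.172.18.28.80 EST
17 Apr 02 09:59:19 tcp 142.177.221.77.40006 -> 192.172.18.27.22 RST
17 Apr 02 10:00:02 udp 205.158.62.41.967 -> 192.172.191.6.53 TIM
17 Apr 02 10:00:02 udp 205.158.62.41.967 -> 192.172.191.6.53 TIM
17 Apr 02 10:00:02 icmp 129.82.45.220 -> 192.172.1.3 ECO
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    proto: str
    src: str
    sport: Optional[int]
    direction: str
    dst: str
    dport: Optional[int]
    status: str


def split_addr(token: str):
    """'a.b.c.d.port' -> ('a.b.c.d', port). ICMP records carry no port."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_ra(text: str):
    """Parse default ra output; lines without the nine expected fields
    (the header, blank lines) are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9:
            continue
        ts = datetime.strptime(" ".join(f[:4]), "%d %b %y %H:%M:%S")
        src, sport = split_addr(f[5])
        dst, dport = split_addr(f[7])
        flows.append(Flow(ts, f[4], src, sport, f[6], dst, dport, f[8]))
    return flows


def aggregate(flows, keep_sport=True):
    """Collapse flows that share protocol, endpoints and ports into one row with a
    counter. Dropping the ephemeral source port gives one row per client/service
    pair, which is the view you want before counting scan targets."""
    if keep_sport:
        return Counter((fl.proto, fl.src, fl.sport, fl.dst, fl.dport) for fl in flows)
    return Counter((fl.proto, fl.src, fl.dst, fl.dport) for fl in flows)


def portscan_sources(flows, home: str, threshold: int):
    """Count distinct (home host, port) pairs touched by each external source and
    return the sources at or above the threshold. ICMP targets count with port None."""
    home_net = ipaddress.ip_network(home)  # assumed home network definition
    targets = defaultdict(set)
    for fl in flows:
        src_external = ipaddress.ip_address(fl.src) not in home_net
        dst_home = ipaddress.ip_address(fl.dst) in home_net
        if src_external and dst_home:
            targets[fl.src].add((fl.dst, fl.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    flows = parse_ra(SAMPLE_RA)
    for key, n in aggregate(flows, keep_sport=False).most_common():
        print(n, *key)
    print(portscan_sources(flows, home="192.172.0.0/16", threshold=4))
```

With the source port kept, only the two identical DNS records collapse; without it, the two probes of 192.172.18.27:22 from different ephemeral ports also fall together, and the scan counter then sees five distinct host/port pairs from 142.177.221.77 while the legitimate DNS and ICMP sources stay well below the threshold.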

Long Sessions

  • Long sessions are common on networks

  • Due to the more stateless nature of UDP and ICMP, distinct network flows might be collapsed into a single network flow

  • Long sessions to interesting ports, inbound to unexpected locations, or accompanied by IDS alerts are the things we want to focus on

  • Extensive correlation is critical to making the important long sessions stand out


Traffic to Nonexistent Hosts

  • Inbound traffic to a host that is known not to exist

  • A good way of detecting network enumeration attempts


Traffic to High Ports

  • Sessions initiated to high ports on your home network should always be viewed with suspicion

  • There are exceptions (FTP traffic)

  • By keeping "state" on your network's flows you can rule out many of the legitimate inbound high-port connections

  • High port traffic + IDS alert…

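The "keeping state" idea above, worked as an added example that is not from the presentation. The flow records here are already parsed and carry the start and end times that Argus records; an inbound connection to a home high port is accepted only if the same home host had an FTP control session to that external host open when it began, which covers the active-mode FTP exception, and everything else is reported for correlation with IDS alerts. The flows, the 192.172.0.0/16 home network and the 30-second grace period are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta
from typing import NamedTuple


class Flow(NamedTuple):
    start: datetime
    end: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def at(hms: str) -> datetime:
    return datetime.strptime("2002-04-17 " + hms, "%Y-%m-%d %H:%M:%S")


# Assumed home network; Argus itself does not know which side is "home".
HOME = ipaddress.ip_network("192.172.0.0/16")
FTP_CONTROL_PORT = 21
HIGH_PORT = 1024

# Constructed flows. The first two are an active-mode FTP transfer: the home host
# opens the control channel and the server then connects back to a high port.
# The 31337 flow has no such explanation.
FLOWS = [
    Flow(at("09:59:00"), at("09:59:30"), "tcp", "192.172.1.10", 3000, "198.51.100.5", 21),
    Flow(at("09:59:05"), at("09:59:08"), "tcp", "198.51.100.5", 20, "192.172.1.10", 3001),
    Flow(at("09:59:10"), at("09:59:11"), "tcp", "203.0.113.9", 51000, "192.172.1.23", 80),
    Flow(at("10:00:00"), at("10:07:00"), "tcp", "203.0.113.9", 51001, "192.172.1.23", 31337),
    Flow(at("10:00:30"), at("10:00:31"), "tcp", "192.172.1.23", 4000, "203.0.113.9", 443),
]


def is_home(addr: str) -> bool:
    return ipaddress.ip_address(addr) in HOME


def inbound_high_port(flows):
    """Flows initiated from outside the home network to a home port >= 1024."""
    return [f for f in flows
            if not is_home(f.src) and is_home(f.dst) and f.dport >= HIGH_PORT]


def explained_by_ftp(inbound: Flow, flows, grace=timedelta(seconds=30)) -> bool:
    """The 'state' the slide refers to: an inbound high-port flow is expected when
    the same home host had an FTP control session to the same external host open
    at (or shortly before) the time the inbound flow started."""
    for c in flows:
        if (c.proto == "tcp" and c.dport == FTP_CONTROL_PORT
                and c.src == inbound.dst and c.dst == inbound.src
                and c.start <= inbound.start <= c.end + grace):
            return True
    return False


def suspicious_inbound(flows):
    """Inbound high-port flows that no tracked control session accounts for;
    these are the ones to correlate with IDS alerts."""
    return [f for f in inbound_high_port(flows) if not explained_by_ftp(f, flows)]


if __name__ == "__main__":
    for f in suspicious_inbound(FLOWS):
        print(f"{f.start:%H:%M:%S} {f.proto} {f.src}.{f.sport} -> {f.dst}.{f.dport}")
```

The same pattern extends to any protocol that negotiates a return connection (passive FTP from the other direction, RPC portmapper callbacks): record the control flow, then let it vouch for the data flow that follows within a bounded window.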

High Connection Rate

  • High connection rates could point to DoS attempts, port scanning, autorooters, P2P activity, worm activity, and more

  • There are valid network activities which can generate high connection rates

  • Correlation of high connection rates to other anomalous activities is what we need to look for


High Packet Rate

  • Another example of activity that could be bad or could be benign

  • High packet rates might indicate worm activity, portscanning, or other nastiness

  • A sudden appearance of high packet rates linked to a previous session which had IDS alerts associated could indicate a host that has been successfully compromised


Stepping Stone Detection

  • A stepping stone is a computer that is used as an intermediate point between two other computers

  • Stepping stones are frequently used by attackers to obscure their location and identity

  • Stepping stones can be detected by correlating the on/off times of two network flows. This is prone to false positives.

  • A better approach is to correlate the on and off times of packet activity inside the flow, but that requires finer granularity in the data than Argus can provide.


Summary

  • Using IP audit trails is a powerful enhancement to IDS

  • IP audit trails also give new ways of looking for anomalous traffic or new services on your network, and of getting a better perspective on your network's operation

  • There is lots to be done!

