Using Argus Audit Trails to Enhance IDS Analysis
Jed Haile, Nitro Data Systems
firstname.lastname@example.org
Overview
• What is an audit trail?
• What is Argus?
• Overview of IP audit trails
• Why are they useful?
• Using audit trails to monitor your network
• Detecting interesting network events using audit trails
• Enhancing IDS analysis using audit trails
What is an IP Audit Trail?
• An IP audit trail is a collection of network flows across some point of a network.
• A network flow is an identifiable exchange of data between two endpoints on a network.
• Flows may be delineated by normal protocol (a SYN replied to by an RST) or by timeouts.
• Flows may become exaggerated, as not all network traffic is readily broken into correct sessions with the available information.
What is Argus?
• Written by Carter Bullard as part of a DoD contract while he was at Carnegie-Mellon's SEI
• Runs on Unix
• The free version is available at http://www.qosient.com/argus
• A commercial version is under development by Qosient
More about Argus
• Argus uses a client/server model:
• Data collection engine (server): monitors the network using libpcap and collects network data into audit trails. This engine can output the data to a file or to a socket.
• Argus client: reads audit data from a file or from a socket. There are a number of clients available for various purposes.
Argus Clients
• ra: reads Argus data and displays it on stdout
• ragator: aggregates flows in arbitrary fashions
• ramon: produces RMON-style reports and tables
• racount: counts bytes and packets
• rasort: sorts Argus records
• raxml: displays all fields in XML format
• Others: ratop, ragrep, rahistogram, rasrvstats
• Lacking: a database client!!
Default RA output

timestamp           protocol  src IP               direction  dst IP              status
17 Apr 02 09:59:16  icmp      126.96.36.199        <->        188.8.131.52        ECO
17 Apr 02 09:59:16  tcp       184.108.40.206.458   ->         220.127.116.11.80   FIN
17 Apr 02 09:59:16  icmp      18.104.22.168        <->        22.214.171.124      ECO
17 Apr 02 09:59:16  tcp       126.96.36.199.119    ->         188.8.131.52.25     FIN
17 Apr 02 09:59:16  tcp       184.108.40.206.3562  ->         220.127.116.11.80   FIN
17 Apr 02 09:59:16  tcp       18.104.22.168.5936   ->         22.214.171.124.80   EST
17 Apr 02 09:59:16  tcp       126.96.36.199.4585   ->         188.8.131.52.80     FIN
17 Apr 02 09:59:17  tcp       184.108.40.206.4990  ->         220.127.116.11.80   RST
17 Apr 02 10:00:04  tcp       18.104.22.168.240    ->         22.214.171.124.80   RST
17 Apr 02 09:59:17  tcp       126.96.36.199.177    ->         188.8.131.52.634    RST
17 Apr 02 10:00:02  icmp      184.108.40.206       ->         220.127.116.11      ECO
17 Apr 02 10:00:02  icmp      18.104.22.168        ->         22.214.171.124      ECO
17 Apr 02 10:00:02  icmp      126.96.36.199        ->         188.8.131.52        ECO
17 Apr 02 10:00:02  udp       184.108.40.206.967   ->         220.127.116.11.53   TIM
17 Apr 02 10:00:02  icmp      18.104.22.168        ->         22.214.171.124      ECO

There is still a lot of other useful data we can capture!!
Data Model
• Source IP address
• Destination IP address
• Source port
• Destination port
• Protocol
• Time of first packet
• Time of last packet
• Packets sent
• Bytes sent
• Packets received
• Bytes received
• This set of data is surprisingly rich!
Why are these useful?
• This set of data can be analyzed to find network sessions, or sets of sessions, that appear to be suspicious.
• In the case of a compromise, the audit trails can be examined to find out what else might have happened.
• Excellent tool for network policy monitoring. Makes unauthorized servers, services, or backdoors much easier to detect.
• Much smaller than full packet captures, so more can be stored for longer.
• Well suited to statistical analysis
Reducing Record Counts
• A major problem with collecting network flows is the extreme rate and large quantity of records
• Fortunately, network flows are readily aggregated
• All flows with the same source and destination addresses and ports can be collapsed to a single row, with a counter
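As an added example (not code from the presentation or from the Argus project), the following parses records in the layout of ra's default output shown above into the slide's data-model fields and then collapses them ragator-style: by default on the full (source address, source port, destination address, destination port, protocol) key, with a counter and first/last-seen times, and optionally on any subset of fields. The sample records are constructed in RFC 5737 documentation address ranges; the field names and the `aggregate` function are assumptions of this example.

```python
from datetime import datetime

# Constructed sample in the layout of ra's default output (not captured from a
# real Argus sensor; addresses are RFC 5737 documentation ranges).
SAMPLE_RA_OUTPUT = """\
17 Apr 02 09:59:16 icmp 192.0.2.10 <-> 198.51.100.7 ECO
17 Apr 02 09:59:16 tcp 192.0.2.10.3562 -> 198.51.100.8.80 FIN
17 Apr 02 09:59:17 tcp 192.0.2.10.3563 -> 198.51.100.8.80 FIN
17 Apr 02 10:00:02 icmp 192.0.2.10 <-> 198.51.100.7 ECO
17 Apr 02 10:00:02 udp 192.0.2.10.967 -> 198.51.100.9.53 TIM
17 Apr 02 10:00:04 udp 192.0.2.10.967 -> 198.51.100.9.53 TIM
"""


def split_endpoint(endpoint, proto):
    """ra prints tcp/udp endpoints as addr.port; icmp endpoints carry no port."""
    if proto in ("tcp", "udp"):
        addr, port = endpoint.rsplit(".", 1)
        return addr, int(port)
    return endpoint, None


def parse_ra_line(line):
    """Turn one default-format ra record into a dict of data-model fields."""
    parts = line.split()
    if len(parts) != 9:
        raise ValueError(f"unexpected ra record layout: {line!r}")
    day, mon, year, hms, proto, src, direction, dst, status = parts
    ts = datetime.strptime(f"{day} {mon} {year} {hms}", "%d %b %y %H:%M:%S")
    saddr, sport = split_endpoint(src, proto)
    daddr, dport = split_endpoint(dst, proto)
    return {"time": ts, "proto": proto, "saddr": saddr, "sport": sport,
            "dir": direction, "daddr": daddr, "dport": dport, "status": status}


def parse_ra_output(text):
    return [parse_ra_line(line) for line in text.splitlines() if line.strip()]


# The slide's aggregation key: same addresses and ports (plus protocol).
FULL_KEY = ("saddr", "sport", "daddr", "dport", "proto")


def aggregate(records, key_fields=FULL_KEY):
    """Collapse records sharing key_fields into one row holding a counter and
    the first/last time the key was seen (a simplified ragator)."""
    rows = {}
    for rec in records:
        key = tuple(rec[f] for f in key_fields)
        row = rows.setdefault(key, {"count": 0, "first": rec["time"], "last": rec["time"]})
        row["count"] += 1
        row["first"] = min(row["first"], rec["time"])
        row["last"] = max(row["last"], rec["time"])
    return rows


if __name__ == "__main__":
    records = parse_ra_output(SAMPLE_RA_OUTPUT)
    # Dropping the ephemeral source port from the key folds a client's repeated
    # connections to one service into a single row, which is what cuts record
    # counts most on a busy link.
    for key, row in aggregate(records, ("saddr", "daddr", "dport", "proto")).items():
        print(key, row["count"], row["first"], row["last"])
```

Six input records become four rows on the full key and three rows once the source port is dropped; the icmp rows carry a port of `None` on both sides.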
Portscan Detection
• IP audit trails are an excellent tool for detecting network enumeration attempts.
• Snort's spp_portscan2 uses network flows to detect portscans
• To detect portscanning, simply count connections from external hosts to distinct hosts and ports on your network
• A well-defined concept of home network versus external network is critical
• A portscan attempt which also correlates to an IDS alert, or to a session that is long or that moves some data, might point to a successful compromise
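The counting approach on this slide, as an added example (not the presentation's or Snort's code): external sources are scored by the number of distinct home hosts and distinct ports they touched, and any source over threshold is then checked for a long or data-moving session to a home host, which is the correlation the last bullet calls for. The home network prefix, the thresholds, and the flow records are assumptions constructed for this example.

```python
import ipaddress
from collections import defaultdict, namedtuple

# Flow record carrying the slide's data model: times as epoch seconds,
# packet and byte counts per direction.
Flow = namedtuple("Flow", "saddr sport daddr dport proto start end spkts sbytes dpkts dbytes")

# Assumed home network; anything outside it is "external".
HOME_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_home(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NETS)


def build_sample_flows():
    """Constructed flows: one external host sweeps port 22 across eight home
    hosts and probes twelve ports on one of them, then holds a long,
    data-moving session to it; a second external host just fetches two pages."""
    flows = []
    scanner, target = "198.51.100.50", "192.0.2.5"
    t = 1_000_000
    for i in range(1, 9):
        flows.append(Flow(scanner, 40000 + i, f"192.0.2.{i}", 22, "tcp", t + i, t + i, 1, 60, 1, 40))
    for p in range(1, 13):
        flows.append(Flow(scanner, 41000 + p, target, p, "tcp", t + 20 + p, t + 20 + p, 1, 60, 1, 40))
    flows.append(Flow(scanner, 42000, target, 22, "tcp", t + 100, t + 700, 400, 52000, 380, 61000))
    flows.append(Flow("198.51.100.60", 50001, "192.0.2.10", 80, "tcp", t + 5, t + 6, 6, 900, 8, 12000))
    flows.append(Flow("198.51.100.60", 50002, "192.0.2.10", 80, "tcp", t + 7, t + 8, 6, 900, 8, 12000))
    return flows


def portscan_candidates(flows, host_threshold=5, port_threshold=10):
    """Count distinct (home host, port) targets per external source; a source
    that touched too many hosts or too many ports is a scan candidate."""
    targets = defaultdict(set)
    for f in flows:
        if is_home(f.saddr) or not is_home(f.daddr):
            continue          # only external -> home flows count
        targets[f.saddr].add((f.daddr, f.dport))
    found = {}
    for src, pairs in targets.items():
        hosts = {h for h, _ in pairs}
        ports = {p for _, p in pairs}
        if len(hosts) >= host_threshold or len(ports) >= port_threshold:
            found[src] = {"hosts": len(hosts), "ports": len(ports)}
    return found


def correlate_scanners(flows, scanners, min_seconds=300, min_bytes=10_000):
    """Scan candidates that also hold a long or data-moving session to a home
    host: these are the ones the slide says may indicate a compromise."""
    hits = defaultdict(list)
    for f in flows:
        if f.saddr not in scanners or not is_home(f.daddr):
            continue
        duration, volume = f.end - f.start, f.sbytes + f.dbytes
        if duration >= min_seconds or volume >= min_bytes:
            hits[f.saddr].append((f.daddr, f.dport, duration, volume))
    return dict(hits)


if __name__ == "__main__":
    flows = build_sample_flows()
    scanners = portscan_candidates(flows)
    print("scan candidates:", scanners)
    print("with follow-on sessions:", correlate_scanners(flows, scanners))
```

With the constructed data, the sweeping host scores 8 hosts and 13 ports and is escalated because of its 600-second, 113 KB session to one of the swept hosts; the host that fetched two web pages never reaches either threshold.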
Long Sessions
• Long sessions are common on networks
• Due to the more stateless nature of UDP and ICMP, distinct network flows might be collapsed into a single network flow
• Long sessions to interesting ports, or inbound to unexpected locations, or with IDS alerts are the things we want to focus on
• Extensive correlation is critical to making the important long sessions stand out
Traffic to Nonexistent Hosts
• Inbound traffic to a host that is known to not exist
• A good way of detecting network enumeration attempts
Traffic to High Ports
• Sessions being initiated to high ports on your home network should always be viewed with suspicion
• There are exceptions (ftp traffic)
• By keeping "state" on your network's flows you can eliminate many of the valid inbound high port connections
• High port traffic + IDS alert…
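The three preceding slides (long sessions, traffic to nonexistent hosts, traffic to high ports) describe checks that all run over the same flow records, so one added example covers them; it is not code from the presentation or from Argus. Inbound flows to addresses missing from a host inventory are flagged as enumeration; inbound flows to high ports are flagged unless flow state explains them, here the FTP exception the slide names (a home host opened a control channel to port 21 on the external host, so a later connection from that host's port 20 back to a high port is active-mode data); long sessions are filtered to interesting ports or inbound direction; and a set of sources named in IDS alerts is used for the "high port traffic + IDS alert" correlation. The home prefix, inventory, alert list, thresholds and flows are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "saddr sport daddr dport proto start end sbytes dbytes")

HOME_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed home network
KNOWN_HOSTS = {"192.0.2.10", "192.0.2.20"}        # assumed inventory of live home hosts
IDS_ALERT_SOURCES = {"198.51.100.99"}             # constructed: external sources in IDS alerts


def is_home(addr):
    return ipaddress.ip_address(addr) in HOME_NET


def is_inbound(f):
    return is_home(f.daddr) and not is_home(f.saddr)


def traffic_to_nonexistent_hosts(flows):
    """Inbound flows whose destination is not in the inventory: enumeration indicator."""
    return [f for f in flows if is_inbound(f) and f.daddr not in KNOWN_HOSTS]


def inbound_high_port(flows, floor=1024):
    """Inbound sessions to high ports, minus the FTP exception: after a home
    host opens an outbound control channel to ext:21, an inbound connection
    from ext port 20 to a high port on that host is expected active-mode data.
    State is built by walking the flows in start-time order."""
    ftp_control = set()
    flagged = []
    for f in sorted(flows, key=lambda x: x.start):
        if f.proto == "tcp" and f.dport == 21 and is_home(f.saddr) and not is_home(f.daddr):
            ftp_control.add((f.saddr, f.daddr))
        elif is_inbound(f) and f.dport is not None and f.dport >= floor:
            if f.proto == "tcp" and f.sport == 20 and (f.daddr, f.saddr) in ftp_control:
                continue   # explained by the earlier control channel
            flagged.append(f)
    return flagged


def long_sessions(flows, min_seconds=3600, interesting_ports=frozenset()):
    """Long flows worth a look: to an interesting port, or inbound at all."""
    return [f for f in flows if (f.end - f.start) >= min_seconds
            and (f.dport in interesting_ports or is_inbound(f))]


def with_ids_alert(flows):
    """Keep only flows whose external side appears in an IDS alert."""
    return [f for f in flows if f.saddr in IDS_ALERT_SOURCES or f.daddr in IDS_ALERT_SOURCES]


# Constructed flows (epoch seconds, bytes per direction).
SAMPLE = [
    # active-mode FTP: control out to 21, data back from port 20 to a high port
    Flow("192.0.2.10", 3100, "198.51.100.21", 21, "tcp", 100, 400, 800, 1200),
    Flow("198.51.100.21", 20, "192.0.2.10", 3101, "tcp", 150, 160, 90000, 600),
    # unsolicited inbound to a high port, from a source the IDS already alerted on
    Flow("198.51.100.99", 55000, "192.0.2.20", 31337, "tcp", 200, 4200, 2000, 3000),
    # probe of an address that has no host behind it
    Flow("198.51.100.99", 55001, "192.0.2.77", 80, "tcp", 210, 210, 60, 0),
    # ordinary inbound web hit
    Flow("198.51.100.60", 50001, "192.0.2.10", 80, "tcp", 300, 301, 900, 12000),
]

if __name__ == "__main__":
    print("nonexistent hosts:", [f.daddr for f in traffic_to_nonexistent_hosts(SAMPLE)])
    high = inbound_high_port(SAMPLE)
    print("inbound high port:", [(f.saddr, f.dport) for f in high])
    print("  ...with IDS alert:", [(f.saddr, f.dport) for f in with_ids_alert(high)])
    print("long sessions:", [(f.saddr, f.daddr, f.dport) for f in long_sessions(SAMPLE)])
```

The FTP data connection to port 3101 is silently accepted because the control channel preceded it, while the connection to port 31337 is flagged twice over: as an inbound high-port session from a source with an IDS alert, and as a long inbound session.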
High Connection Rate
• High connection rates could point to DoS attempts, port scanning, autorooters, P2P activity, worm activity, and more
• There are valid network activities which can generate high connection rates
• Correlation of high connection rates to other anomalous activities is what we need to look for
High Packet Rate
• Another example of could-be-bad, could-be-good activity
• High packet rates might indicate worm activity, portscanning, or other nastiness
• A sudden appearance of high packet rates linked to a previous session which had IDS alerts associated could indicate a host that has been successfully compromised
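Connection rate and packet rate are computed from the same flow fields, so one added example serves both slides (it is not the presentation's or Argus's code). Connection rate is the number of flows a source initiates inside a fixed time window; packet rate is packets divided by flow duration; and, following the last bullet, a high packet-rate flow is only escalated when the originating home host had an IDS alert earlier, which is what separates the could-be-bad case from the could-be-good one. The window, thresholds, alert table and flows are constructed assumptions.

```python
from collections import Counter, defaultdict, namedtuple

# Flow record: epoch-second times, packet and byte totals for the flow.
Flow = namedtuple("Flow", "saddr sport daddr dport proto start end pkts bytes")


def connections_per_window(flows, window_seconds=60):
    """Flows initiated per source, per fixed window of window_seconds."""
    counts = Counter()
    for f in flows:
        counts[(f.saddr, f.start // window_seconds)] += 1
    return counts


def high_connection_rate(flows, window_seconds=60, threshold=50):
    """Sources whose per-window connection count reached threshold, with the peak count."""
    hot = defaultdict(int)
    for (src, _bucket), n in connections_per_window(flows, window_seconds).items():
        if n >= threshold:
            hot[src] = max(hot[src], n)
    return dict(hot)


def packet_rate(f):
    """Packets per second; a one-second floor keeps single-packet flows finite."""
    return f.pkts / max(f.end - f.start, 1)


def high_packet_rate(flows, threshold=200.0):
    return [f for f in flows if packet_rate(f) >= threshold]


def likely_compromised(flows, alerts, threshold=200.0):
    """High packet-rate flows sourced by a host that an IDS alert named earlier.
    alerts maps host address -> time of the earlier alert."""
    hits = []
    for f in high_packet_rate(flows, threshold):
        alert_time = alerts.get(f.saddr)
        if alert_time is not None and alert_time < f.start:
            hits.append(f)
    return hits


def build_sample_flows():
    """Constructed: one external host opens 60 connections within a single
    60-second window; two home hosts then each push 1000 packets/s outbound,
    but only one of them was the subject of an earlier IDS alert."""
    flows = [Flow("198.51.100.50", 40000 + i, f"192.0.2.{1 + i % 20}", 445, "tcp", i, i, 2, 120)
             for i in range(60)]
    flows.append(Flow("192.0.2.10", 1025, "198.51.100.7", 80, "tcp", 900, 1000, 100000, 6_000_000))
    flows.append(Flow("192.0.2.20", 1026, "198.51.100.8", 80, "tcp", 900, 1000, 100000, 6_000_000))
    flows.append(Flow("192.0.2.30", 1027, "198.51.100.9", 80, "tcp", 900, 1000, 50, 8000))
    return flows


# Constructed: the IDS alerted on a session involving this host at t=500.
ALERTS = {"192.0.2.10": 500}

if __name__ == "__main__":
    flows = build_sample_flows()
    print("high connection rate:", high_connection_rate(flows))
    print("high packet rate:", [f.saddr for f in high_packet_rate(flows)])
    print("high packet rate after an IDS alert:", [f.saddr for f in likely_compromised(flows, ALERTS)])
```

Both 1000 packet/s flows show up in the raw packet-rate list, which on its own is just noise; only the one from the host with the prior alert survives the correlation step.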
Stepping Stone Detection
• A stepping stone is a computer that is used as an intermediate point between two other computers
• Stepping stones are frequently used by attackers to obscure their location/identity
• Stepping stones can be detected by correlation of on/off times between two network flows. This is prone to false positives.
• A better approach is to correlate on and off times of packet activity inside the flow, but this requires finer granularity in the data than Argus can provide.
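The flow-level on/off correlation from the third bullet, as an added example that is not the presentation's code: every inbound flow to a home host is paired with every outbound flow from that same host, and a pair is reported when the outbound leg starts within a tolerance after the inbound one and both end within the same tolerance. Because it only sees whole-flow start and end times, this is exactly the coarse, false-positive-prone check the slide describes; the home host list, tolerance and flows are constructed assumptions.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "saddr daddr dport start end")

HOME = {"192.0.2.10", "192.0.2.20"}   # assumed home hosts


def stepping_stone_candidates(flows, tolerance=5):
    """Pair inbound flows to a home host with outbound flows from that same
    host whose on and off times align within `tolerance` seconds."""
    inbound = [f for f in flows if f.daddr in HOME and f.saddr not in HOME]
    outbound = [f for f in flows if f.saddr in HOME and f.daddr not in HOME]
    pairs = []
    for a in inbound:
        for b in outbound:
            if b.saddr != a.daddr:
                continue                         # must pivot through the same host
            starts_after = 0 <= (b.start - a.start) <= tolerance
            ends_together = abs(a.end - b.end) <= tolerance
            if starts_after and ends_together:
                pairs.append((a, b))
    return pairs


# Constructed flows (epoch seconds).
SAMPLE = [
    Flow("198.51.100.50", "192.0.2.10", 22, 100, 700),    # inbound shell to host A
    Flow("192.0.2.10", "198.51.100.77", 22, 103, 701),    # A opens onward shell 3 s later, closes with it
    Flow("192.0.2.10", "198.51.100.8", 80, 105, 106),     # short web hit from A: ends far earlier
    Flow("198.51.100.60", "192.0.2.20", 22, 200, 900),    # inbound shell to host B
    Flow("192.0.2.20", "198.51.100.9", 443, 300, 900),    # B's outbound starts 100 s later: no match
]

if __name__ == "__main__":
    for a, b in stepping_stone_candidates(SAMPLE):
        print(f"{a.saddr} -> {a.daddr}:{a.dport} -> {b.daddr}:{b.dport} "
              f"(start delta {b.start - a.start}s, end delta {abs(a.end - b.end)}s)")
```

Only host A's inbound/outbound pair is reported. Widening the tolerance enough to catch slower pivots also sweeps in coincidental sessions, which is the false-positive trade-off the slide points out and the reason it prefers packet-level on/off timing when such data is available.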
Summary
• Using IP audit trails is a powerful enhancement to IDS
• IP audit trails also give new ways of looking for anomalous traffic, new services on your network, or getting a better perspective on your network's operation
• There is lots to be done!