Saturday, March 18, 2006

Extrusion Detection

I'm currently reading this book, written by Richard Bejtlich. I'm not yet finish reading it but the book is promising, I'm practicing NSM for quite sometimes which I belief it's the best model for Network Security Analyst. NSM takes "Zero Escaped" approach, it is possible to deploy NSM with commercial hard/software but if you are looking fo NSM suite, that must be Sguil which is one powerful Open Source project that allows you to perform NSM operation. Check it out!

Back to the book, I found the book mentionning about Prelude-IDS, I use prelude-IDS for the fact that it allows me to collect host IDS log(with samhain) and firewall log instead of network IDS. Prelude-ids has stopped developing it's own network IDS and instead you can compiled snort with prelude support and enable it in command line with --enable-prelude since the developers of prelude-IDS believes that snort has already done a good job in NIDS and prelude-IDS will take another approach which is agent based system.

Another thing I would like to talk about is the OpenBSD PF usage, especially when performing Extrusion Detection, one of the my own war story that happenned 2 years back is that I enable the log capability for the network interface that connected to intranet on the OpenBSD router that I setup for my friend's company network, and that might help in collecting Firewall logs to analyzt, another tool I use is pftop which is pf state viewer. Pftop can show the statistics and the network flows in real time. It happens where my friend call me up to tell me that his whole network screws up and none can browse the internet. Then I quickly login to his router, check the Firewall log and launch pftop to monitor what was happening, and what surprise me is that there are two hosts that trying to perform denical service as well as trying to connect to port 139 of every single host in the network, it hits the host IP from 1-255. I quickly go down town and ask my friend to shut down all the hosts in the network since I need to collect volatile data from the two hosts that trying to spread malicious functions first before all other hosts get infected, then quickly collecting the data and shutdown those two hosts and resume the network without delay. After all, the network resumes and working properly. Therefore I just took my time to analyze those two machines and found something fishy in registry. Pftop should be used at Extrusion Detection for the fact that it might help when you feel something is wrong in your network and you may see the traffic leaving your network on the fly.

Collecting full content data is expensive especially when the network is a busy one. However you can turn to collect session data if you can't perform full content data logging. For this part I would like to outline something, is there a guideline for the full content data logging, such as for 2Mb internet connection, how much harddrive space we need, and for 8Mb internet connection, how much harddrive space we need to acquire and for how long we can keep it. I'm looking forward for this type of guideline which may help others to deploy NSM model since this is great profiling to be done.

I will talk about the book later when I get to finish reading it. If you found yourself like this book as well as the idea and concept that Richard tries to deliver, you may find yourself enjoy reading his another book which is The Tao of Network Security Monitoring: Beyong Intrusion Detection.

By reading Rich's book and blog, and through chat session with him in IRC, I do learn a lot about network security down from essential to advance, hereby I take this oppoturnity to say thanks again and I do really appreciate, as I always do.

No comments: