Intrusion Detection - The Big Picture - SANS GIAC
© 2000
Intrusion Detection
The Big Picture – Part III
Stephen Northcutt
S. Northcutt – v1.0 – Jul 2000
Edited by J. Kolde – v1.1 – Aug 2000
Network-Based Intrusion Detection
• Host Based Intrusion Detection
– Unix
– Windows NT, 95, 98
• Network-Based Intrusion Detection
– Libpcap based tools, Snort, Shadow
– ISS RealSecure
– Cisco NetRanger
OK, after that in-depth look at host-based intrusion detection, we turn our focus to network-based
intrusion detection tools.
Network-Based ID
srcip: 172.20.20.1 dstip: 192.168.1.88
protocolname: tcp srcburb: 1
srcport: 4645 dstport: 53
Key to Understanding:
This Sidewinder log is reporting a TCP probe targeted at host
192.168.1.88 to destination port 53. This could be a zone
transfer or a buffer overflow attempt.
Bar none, most network intrusions that are identified are found by firewalls. There are limitations to
what can be done with these logs and even the risk of making an error of interpretation, since the log
does not provide information like the TCP flags or code bits. That said, these are a great data source
and every intrusion analyst should be familiar with their site’s firewall logs.
Libpcap-Based Systems
[Slide diagram: FW; Analysis/Display Station; Collect Data; Analyze Data; Display Information]
Most Network-Based Intrusion Detection Systems, Unix or Windows, are libpcap based
The first network-based intrusion detection systems we look at are libpcap based. These include:
Shadow, Snort, NetRanger and NFR. Libpcap is designed to get the data from the kernel space and
pass it to the application. There are implementations for Windows and Unix; it is reliable and has the
big advantage of being free.
A sensor is distinguished by how much on-board policy information it has. The Shadow sensor is
designed to be stupid. It lives outside the firewall. If it should fall, no information about the site will
be lost. This is one of the characteristics that sets Shadow apart from most intrusion detection

Snort
[**] RPC Info Query [**]
06/29-00:15:29.137285 211.72.115.100:623 -> z.y.w.98:111
TCP TTL:46 TOS:0x0 ID:29416 DF
*****PA* Seq: 0x1EDB7784 Ack: 0xD4A024FE Win: 0x7D78
TCP Options => NOP NOP TS: 86724706 118751139
80 00 00 28 08 70 BB FF 00 00 00 00 00 00 00 02 ...(.p..........
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 ............
The Snort detects are displayed in log files like this separated by blank lines. For this primer we will
primarily focus on the various detects.
An advantage of Snort is that this trace is easy to cut and paste into an email to send to your CIRT.
This is better than several commercial tools that, while they show an easy-to-understand colorful
icon, make it hard to get to the raw data to verify or report the detect.
This is the more detailed log file; notice that the rule that found the detect is displayed at the top,
followed by summary information about the packet. The trace begins with the content of the detect. RPC attacks
like this are part of the Top Ten list (www.sans.org/topten.htm). Notice all the zeros? RPC packets
are padded to 32-bit words, often to carry a field that can only hold a single small integer, so the zeros
are an indication of RPCs.
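To show what an analyst can verify from the raw Snort record before mailing it to the CIRT, here is an added example (not from the slides and not Snort's own code) that parses the alert and decodes the ONC RPC call header from the hex dump; the alert text is a constructed copy of the slide's trace, the fixed line layout of the "full" alert format is assumed, and the procedure names for program 100000 follow the RFC 1833 portmapper definitions.

```python
import re
import struct

# Constructed copy of the Snort "full" alert shown on the slide (z.y.w.98 is
# the slide's anonymised destination address).
SNORT_ALERT = """[**] RPC Info Query [**]
06/29-00:15:29.137285 211.72.115.100:623 -> z.y.w.98:111
TCP TTL:46 TOS:0x0 ID:29416 DF
*****PA* Seq: 0x1EDB7784 Ack: 0xD4A024FE Win: 0x7D78
TCP Options => NOP NOP TS: 86724706 118751139
80 00 00 28 08 70 BB FF 00 00 00 00 00 00 00 02 ...(.p..........
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 ............
"""

# Up to 16 "XX " pairs at the start of a dump line; the ASCII column follows them.
HEX_LINE = re.compile(r"^((?:[0-9A-F]{2} ){1,16})")
# Portmapper (program 100000, version 2) procedure numbers, per RFC 1833.
PORTMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}


def parse_alert(text):
    """Pull rule name, endpoints, TCP flags and raw payload bytes out of one alert."""
    lines = text.strip().splitlines()
    _, src, _, dst = lines[1].split()          # "timestamp src:port -> dst:port"
    payload = b"".join(bytes.fromhex(m.group(1)) for m in map(HEX_LINE.match, lines) if m)
    return {"rule": lines[0].strip("[*] "), "src": src, "dst": dst,
            "flags": lines[3].split()[0], "payload": payload}


def decode_rpc_call(payload):
    """Decode the ONC RPC record mark and CALL header (RFC 1831) that opens a
    TCP RPC stream; the zero-padded 32-bit fields are the zeros the slide points at.
    Returns None when the bytes are not an RPC version 2 CALL."""
    if len(payload) < 36:
        return None
    mark, xid, msg_type, rpc_ver, prog, vers, proc, cred_flavor, cred_len = \
        struct.unpack("!9I", payload[:36])
    if msg_type != 0 or rpc_ver != 2:
        return None
    verf_at = 36 + (cred_len + 3) // 4 * 4       # credential body is XDR-padded to 4 bytes
    if len(payload) < verf_at + 8:
        return None
    verf_flavor, _verf_len = struct.unpack("!II", payload[verf_at:verf_at + 8])
    return {"last_fragment": bool(mark >> 31), "fragment_len": mark & 0x7FFFFFFF,
            "xid": xid, "program": prog, "version": vers, "procedure": proc,
            "proc_name": PORTMAP_PROCS.get(proc, "?") if prog == 100000 else "?",
            "auth_null": cred_flavor == 0 and verf_flavor == 0}


if __name__ == "__main__":
    alert = parse_alert(SNORT_ALERT)
    print(alert["rule"], alert["src"], "->", alert["dst"], alert["flags"])
    print(decode_rpc_call(alert["payload"]))   # program 100000, procedure 4 (DUMP)
```

For this trace the decoder reports program 100000 (portmapper) version 2, procedure DUMP, which is exactly the request an rpcinfo-style listing sends, so the "RPC Info Query" rule name checks out against the bytes.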
Why TCPdump
• Libpcap
• Always available
• Compiles on many Unix platforms
• Runs on Windows 9x and NT
• High fidelity
• Same program for data collection and

you
• Worth the time to give connection
attempts to these systems an extra look
The “goodhost” filters in the documentation and software distribution give examples of web servers,
DNS servers and mail relays. If you build a good filter profile for another type of commonly
deployed host and are willing to share your filter, you can mail it to: and if it
checks out we will get it into future releases of the software.