Intrusion Detection - The Big Picture – SANS GIAC
©2000
Intrusion Detection
The Big Picture – Part IV
Stephen Northcutt
S. Northcutt – v1.0 – Jul 2000
Edited by J. Kolde – v1.1 – Aug 2000
Intrusion Detection Roadmap
What are the pieces and how they play together
• Honeypots
• Firewalls
– Proxy, State Aware, Filtering Routers
• Risk Assessment and Auditing
– Introduction to Risk Management
– Knowledge-Based Risk Assessment
– Online Auditing Tools
As we begin our next section, we are going to cover a really interesting technology. The timing of
this is really interesting: I am poring over 30 MB of logs from Lance Spitzner’s honeypot system.
We have logs of hackers bragging about their conquests; trading stolen credit card numbers,
passwords and IDs for compromised systems; the list continues. If you want more details on the
approach Lance uses, try:
A honeypot can be a tool and process that is used to capture the tools, plans, and techniques of
attackers, or it can be as simple as a decoy tool that is used to deflect attackers from a compromised
system or a system under fire. A third good use of a honeypot is as a sensor - if you have an old, slow
system lying around, it can serve a productive life as a honeypot. In fact, that may be ideal! There is
one important rule of a honeypot: try to engineer it so that it collects information, but it is not used to

Honeypots
• What are they?
– A trap - they run real services on a sacrificial computer or simulated instrumented services (or fake a core dump)
– TIS Toolkit smap example
So, are there safer alternatives? Network Associates sells a commercial honeypot (CyberSting) that
stands up to a fair amount of scrutiny. We will talk about DTK in some depth. I have had good
success with the free firewall code that was written by Marcus Ranum and has gone by various
names, but was classically known as the TIS toolkit. How would a proxy firewall work as a
honeypot?
To use an attack against sendmail as an example, the toolkit had a sendmail replacement called
“smap”. Smap would take any file that was sent to it and write it into a directory on the system.
Then a separate program would take the file and deliver it. This meant that I could simply put this mail
system up and examine the files for malicious ones. Since there were no real users, most of the mail
was either SPAM (a product of Hormel foods) or malicious code. I would check it once a month or
so and see what the pot had caught. The beauty of this approach is that it meets the important rule of
honeypots: smap is a small, easily understood program that is not going to suffer a buffer overflow.
What are they?
• A decoy - if a machine becomes “hot”, change the IP address and name and put in a honeypot
• DNS, Mail, Web servers make great honeypots on their unused ports
Attackers will not succeed in cracking it in order to attack other systems. Of course, smap is not

tell you it is a DTK. If a substantial number of people ran honeypots such as DTK, and a substantial
number of people who DIDN’T ran the port 365 service, it would increase the price of hacking. I am sorry to
report that after extensive study of thousands upon thousands of network traces, I have not seen this
in action.
In the notes pages of the next slide, take a minute to look over the logs. This is nice high fidelity
information about what the attackers are attempting.
DTK
• What can it do? (cont.)
– Port 365
• Reports that DTK is running on this machine. Can be run on machines without DTK on other ports.
• May confuse the hackers in the short term.
• Can also be used to access /dtk/log with password.
– Can time-tag and log every typed command.
– Can email notification of break in.
• Example detect in notes pages
JUNE 1999. Also from the latest DTK logs...
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:35', '18023', '275', '1', 'listen.pl', 'S0', 'R-Peace', 'Init'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', 'trap '' SIGALRM SIGTRAP'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', 'PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin;export PATH'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', '/usr/sbin/rpc.mountd </dev/null'

(Slide fragment, state machine table: 3 ERROR 100coredumped)
What is a state machine? If you meet the condition at the first state, you can transition to the next.
Please take a minute to read the slide.
State 0 is initiated when someone makes contact with the system on TCP port 23, telnet, with an active
open (the SYN flag is set). The system responds with “login”. If the answer is either guest or root,
the system moves to State 1.
In State 1 it offers “Password”, and if the password matches the list (root or guest spelled
backwards), the system “logs them in” and gives them a prompt. We move to State 2.
Here we are looking for one of the operating system commands off the list: ls, df, pwd. As you can
see, an attacker will quickly discover this is not a real system. However, it is fine for collecting
information about script-based attacks.
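As an added illustration of the three-state telnet decoy described above (this is example code written for these notes, not DTK's own listen.pl and not part of the original course material), the following Python models State 0 (login), State 1 (password) and State 2 (a fake shell that answers only ls, df and pwd), time-tagging and logging every line typed before it replies. The prompts, the canned command output, and the names TelnetDecoy, feed and run_session are constructed for this example.

```python
"""
Toy version of the three-state telnet decoy the DTK notes describe.
Not DTK's listen.pl: prompts, canned output and names are constructed here.
"""
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple

# Decoy credentials from the notes: logins 'guest' or 'root'; the accepted
# password is either of those names spelled backwards.
ACCEPTED_LOGINS = {"guest", "root"}
ACCEPTED_PASSWORDS = {name[::-1] for name in ACCEPTED_LOGINS}   # {'tseug', 'toor'}

# State 2 answers only the commands the notes list. The output text is
# constructed for this example; it is not real command output.
FAKE_COMMANDS = {
    "ls": "bin  etc  home  lib  tmp  usr  var",
    "df": "Filesystem  1k-blocks  Used  Avail  Use%  Mounted on\n"
          "/dev/hda1  1048576  524288  524288  50%  /",
    "pwd": "/root",
}

LogEntry = Tuple[str, str, int, str]   # (timestamp, peer, state, typed line)
Clock = Callable[[], datetime]


class TelnetDecoy:
    """State 0: 'login'.  State 1: 'Password'.  State 2: fake shell.
    Every typed line is time-tagged and logged before the decoy answers."""

    def __init__(self, peer: str,
                 clock: Clock = lambda: datetime.now(timezone.utc)) -> None:
        self.peer = peer
        self.state = 0
        self.login: Optional[str] = None
        self.closed = False
        self.clock = clock
        self.log: List[LogEntry] = []

    def prompt(self) -> str:
        return {0: "login: ", 1: "Password: ", 2: "# "}[self.state]

    def feed(self, line: str) -> str:
        """Consume one line typed by the peer; return what the decoy sends back."""
        line = line.rstrip("\r\n")
        self.log.append((self.clock().strftime("%Y/%m/%d %H:%M:%S"),
                         self.peer, self.state, line))
        if self.closed:
            return ""
        if self.state == 0:                      # waiting for a login name
            if line in ACCEPTED_LOGINS:
                self.login = line
                self.state = 1
                return self.prompt()
            return "Login incorrect\n" + self.prompt()
        if self.state == 1:                      # waiting for the password
            if line in ACCEPTED_PASSWORDS:
                self.state = 2
                return "Last login: never\n" + self.prompt()
            self.state = 0                       # like a real telnetd: back to login
            return "Login incorrect\n" + self.prompt()
        # State 2: the fake shell.
        if line in ("exit", "logout"):
            self.closed = True
            return "logout\n"
        if line in FAKE_COMMANDS:
            return FAKE_COMMANDS[line] + "\n" + self.prompt()
        # Anything else gives the decoy away, but the keystrokes are still captured.
        return f"{line}: command not found\n" + self.prompt()


def run_session(peer: str, typed: List[str],
                clock: Clock = lambda: datetime.now(timezone.utc)
                ) -> Tuple[List[str], List[LogEntry]]:
    """Replay a scripted session; return the decoy's replies and its keystroke log."""
    decoy = TelnetDecoy(peer, clock)
    replies = [decoy.feed(line) for line in typed]
    return replies, decoy.log


if __name__ == "__main__":
    # Constructed session: root logs in with 'toor', runs one command, then probes.
    fixed = lambda: datetime(1999, 6, 24, 17, 37, 35, tzinfo=timezone.utc)
    replies, log = run_session("192.0.2.10", ["root", "toor", "pwd", "uname -a"], fixed)
    for reply in replies:
        print(reply, end="")
    for entry in log:
        print(entry)
```

The log is written before the decoy decides how to answer, so even the command that exposes the deception is recorded; that is the sensor value the notes are after.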
DTK
• Sample log output:
256.160.234.245 13067 110 1998/07/12 12:03:03 27017 176:1 listen.pl S0 Init
256.160.234.245 13067 110 1998/07/12 12:03:03 27017 176:1 listen.pl S0 NoInput
128.38.330.25 1063 110 1998/07/13 11:00:36 31394 176:2 listen.pl S0 Init
128.38.330.25 1063 110 1998/07/13 11:00:40 31394 176:2 listen.pl S0 PASS^M
128.38.330.25 1063 110 1998/07/13 11:00:46 31394 176:2 listen.pl S0 USER taldric^M
128.38.330.25 1063 110 1998/07/13 11:00:53 31394 176:2 listen.pl S0 PASS taldric^M
128.38.330.25 1063 110 1998/07/13 11:01:02 31394 176:2 listen.pl S0 USER taldric^M
128.38.330.25 1063 110 1998/07/13 11:01:09 31394 176:2 listen.pl S0 PASS toor^M
128.38.330.25 1063 110 1998/07/13 11:01:11 31394 176:2 listen.pl S0 ^M
128.38.330.25 1063 110 1998/07/13 11:01:13 31394 176:2 listen.pl S0 ^M
128.38.330.25 1063 110 1998/07/13 11:01:15 31394 176:2 listen.pl S0 QUIT^M
128.38.330.25 1063 110 1998/07/13 11:01:15 31394 176:2 listen.pl S0 WeClose
This slide shows the result of running DTK. This serves as a sensor and has a lot of value. If
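To show what the sensor output above actually yields once it is parsed, here is an added Python example (written for these notes, not DTK's own code) that reads both log layouts shown in this section, the space-separated lines on this slide and the quoted, comma-separated June 1999 excerpt, groups records into sessions and extracts the USER/PASS guesses tried against port 110. The field names (pid, tag, script, state, message) are my reading of the column positions and are assumptions; the sample records are the slide's own sanitized lines and a constructed three-line excerpt in the comma-separated layout with a TEST-NET address.

```python
"""
Parser for the two DTK log layouts shown in the notes, plus a per-source
summary of credential guesses. Field names are assumptions from column order.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample in the space-separated layout of the 'Sample log output' slide
# (the addresses are the notes' own sanitized values).
SAMPLE_SPACE = """\
256.160.234.245 13067 110 1998/07/12 12:03:03 27017 176:1 listen.pl S0 Init
256.160.234.245 13067 110 1998/07/12 12:03:03 27017 176:1 listen.pl S0 NoInput
128.38.330.25 1063 110 1998/07/13 11:00:36 31394 176:2 listen.pl S0 Init
128.38.330.25 1063 110 1998/07/13 11:00:40 31394 176:2 listen.pl S0 PASS^M
128.38.330.25 1063 110 1998/07/13 11:00:46 31394 176:2 listen.pl S0 USER taldric^M
128.38.330.25 1063 110 1998/07/13 11:00:53 31394 176:2 listen.pl S0 PASS taldric^M
128.38.330.25 1063 110 1998/07/13 11:01:02 31394 176:2 listen.pl S0 USER taldric^M
128.38.330.25 1063 110 1998/07/13 11:01:09 31394 176:2 listen.pl S0 PASS toor^M
128.38.330.25 1063 110 1998/07/13 11:01:11 31394 176:2 listen.pl S0 ^M
128.38.330.25 1063 110 1998/07/13 11:01:13 31394 176:2 listen.pl S0 ^M
128.38.330.25 1063 110 1998/07/13 11:01:15 31394 176:2 listen.pl S0 QUIT^M
128.38.330.25 1063 110 1998/07/13 11:01:15 31394 176:2 listen.pl S0 WeClose
"""

# Constructed sample in the quoted, comma-separated layout of the June 1999
# excerpt (TEST-NET address; one record per line).
SAMPLE_CSV = """\
'192.0.2.77', '13392', '10752', '1999/06/24 17:37:35', '18023', '275', '1', 'listen.pl', 'S0', 'R-Peace', 'Init'
'192.0.2.77', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', 'PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin;export PATH'
'192.0.2.77', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', 'WeClose'
"""


@dataclass
class Event:
    src_ip: str
    src_port: int
    dst_port: int
    timestamp: str      # 'YYYY/MM/DD HH:MM:SS'
    pid: str            # assumed: listener process id
    tag: str            # assumed: 'service:connection' counter, e.g. '176:2'
    script: str         # e.g. listen.pl
    state: str          # DTK state label, e.g. 'S0'
    message: str        # what the peer sent, or a DTK marker such as Init/WeClose


def _clean(msg: str) -> str:
    """Strip the '^M' the logs use to show a trailing carriage return."""
    return msg.rstrip("\r\n").removesuffix("^M").rstrip()


def parse_space(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(None, 9)            # the message keeps its internal spaces
        if len(f) < 9:
            continue                       # truncated line: skip rather than guess
        message = f[9] if len(f) == 10 else ""
        events.append(Event(f[0], int(f[1]), int(f[2]), f"{f[3]} {f[4]}",
                            f[5], f[6], f[7], f[8], _clean(message)))
    return events


def parse_csv(text: str) -> List[Event]:
    events = []
    reader = csv.reader(io.StringIO(text), quotechar="'", skipinitialspace=True)
    for f in reader:
        if len(f) < 11:
            continue
        # f[9] (e.g. 'R-Peace') has no counterpart in the space layout; ignored.
        events.append(Event(f[0], int(f[1]), int(f[2]), f[3], f[4],
                            f"{f[5]}:{f[6]}", f[7], f[8], _clean(f[10])))
    return events


Key = Tuple[str, int, int]   # (src_ip, src_port, dst_port)


def sessions(events: List[Event]) -> Dict[Key, List[Event]]:
    by_conn: Dict[Key, List[Event]] = defaultdict(list)
    for e in events:
        by_conn[(e.src_ip, e.src_port, e.dst_port)].append(e)
    return dict(by_conn)


def credential_attempts(events: List[Event], port: int = 110
                        ) -> Dict[str, List[Tuple[str, str]]]:
    """Per source address, the (user, password) pairs tried in a POP3-style
    USER/PASS dialogue on `port`. An empty user means PASS came before any USER."""
    attempts: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for (ip, _sport, dport), evs in sessions(events).items():
        if dport != port:
            continue
        user = ""
        for e in evs:
            parts = e.message.split(None, 1)
            if not parts:
                continue
            cmd, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
            if cmd == "USER":
                user = arg
            elif cmd == "PASS":
                attempts[ip].append((user, arg))
    return dict(attempts)


if __name__ == "__main__":
    for ip, tried in credential_attempts(parse_space(SAMPLE_SPACE)).items():
        print(ip, tried)
    for e in parse_csv(SAMPLE_CSV):
        print(e.timestamp, e.state, e.message)
```

Run over the slide's lines, the summary shows one source trying "taldric" with its own name and then with "toor" as the password, which is exactly the kind of MO detail the notes say a honeypot is good for.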

DTK
• Able to simulate all/any services
– Looks and acts like the real thing
– No indication that it is simulated
– Low CPU/disk overhead
• Will not provide any “real” services
– As it becomes more complex, risk increases
• Easily customized for each machine
The telnetd and the web daemon are “real”. They are compiled C code. They simply simulate the
services. This could be important, since they might be vulnerable to a buffer overflow or similar
attack.
That said, in the main DTK is unlikely to be compromised and then have the honeypot used to
attack other people.
DTK
• Log, with timestamp, every keystroke
• Able to simulate complex binary protocols
• Capable of file transfers
• Indicate the hit as it happens
– Email
– Console message
– Call to your pager
– Log files
You can use the way people type on keyboards as a biometric indicator. People make the same
mistakes; for instance, I tend to type “telent” instead of telnet. Honeypots allow us to establish the
method of operation (MO) of an attacker.

begin the attack, which can be recorded. That is the end of the show, however: at this point the
firewall aborts the connection. Still, I have managed to collect a lot of useful information from
just these few packets.
TCP 3 Way Handshake
• A -- SYN --> B
• A <-- SYN/ACK -- B
• A -- ACK --> B
No valuable content gets sent until the handshake
is complete. Filtering routers and firewalls block on
at least the SYN packet, ergo no content.
Can you name a situation where you might really
want to know the content of the TCP conversation?
In this slide we see the steps that are required to complete a TCP connection. Take a minute and
think about the question at the bottom of the slide. Many times we just want to block the traffic and
not even think about it. However, there might be situations where you would really want to see what
the traffic is. They include:
• The example we discussed, when an actual userid or login and password is being used. In this case
we want to know the attacker’s intentions and how much they know.
• When we see that a particular system is the focus of lots of probes. This can happen for a number of
reasons: we had a researcher give out the name and IP address of a research system when I worked
for the Navy, and for the next three years probes came from all over the world trying to find this
system. I moved it and put a honeypot in its place.
• When we think a new attack or technique is being used. This would allow us to gain information
about what is being done.
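The point of the slide, that nothing of value crosses the wire until the three-way handshake completes, can be made concrete with a small model. The following is an added Python example (not from the course) in which a server-side Listener either drops the inbound SYN, as a filtering router or firewall would, or answers it, as a honeypot listener would; the client performs the active open and only sends data once it holds an established connection. The names Packet, Listener and client_session, the TEST-NET addresses and the "USER taldric" payload are constructed for this example; the TCP flag bit values are the real ones.

```python
"""
Minimal TCP three-way-handshake model: a device that drops the SYN never sees
content; a host that completes the handshake does. Names and trace are
constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Real TCP flag bits from the header's control field.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

Addr = Tuple[str, int]
CLIENT: Addr = ("192.0.2.10", 40123)      # constructed (TEST-NET-1)
SERVER: Addr = ("192.0.2.20", 110)


@dataclass
class Packet:
    src: Addr
    dst: Addr
    flags: int
    payload: bytes = b""

    def has(self, bit: int) -> bool:
        return bool(self.flags & bit)


@dataclass
class Listener:
    """Server side of the connection. drop_syn=True models a filtering
    router/firewall in front of the port; False models a host that answers,
    for example a honeypot listener."""
    drop_syn: bool
    state: str = "LISTEN"
    seen: List[str] = field(default_factory=list)   # what a packet log records
    content: bytes = b""                             # application data captured

    def receive(self, pkt: Packet) -> Optional[Packet]:
        # A filtering device still logs the SYN's addresses and ports, nothing more.
        self.seen.append(f"{pkt.src[0]}:{pkt.src[1]} "
                         f"flags=0x{pkt.flags:02x} len={len(pkt.payload)}")
        if self.state == "LISTEN" and pkt.has(SYN) and not pkt.has(ACK):
            if self.drop_syn:
                return None                  # blocked: the client never gets SYN/ACK
            self.state = "SYN_RECEIVED"
            return Packet(pkt.dst, pkt.src, SYN | ACK)
        if self.state == "SYN_RECEIVED" and pkt.has(ACK) and not pkt.has(SYN):
            self.state = "ESTABLISHED"       # third packet; may already carry data
        if self.state == "ESTABLISHED":
            if pkt.payload:
                self.content += pkt.payload
                return Packet(pkt.dst, pkt.src, ACK)
            if pkt.has(FIN):
                self.state = "CLOSE_WAIT"
                return Packet(pkt.dst, pkt.src, FIN | ACK)
        return None


def client_session(server: Listener, data: bytes) -> str:
    """Active open from the client: SYN, wait for SYN/ACK, ACK, then send data.
    Returns 'established' or 'no handshake'."""
    reply = server.receive(Packet(CLIENT, SERVER, SYN))
    if reply is None or reply.flags != SYN | ACK:
        return "no handshake"                # no connection, so no content is sent
    server.receive(Packet(CLIENT, SERVER, ACK))
    server.receive(Packet(CLIENT, SERVER, PSH | ACK, data))
    server.receive(Packet(CLIENT, SERVER, FIN | ACK))
    return "established"


if __name__ == "__main__":
    for label, drop in (("filtering router", True), ("honeypot", False)):
        srv = Listener(drop_syn=drop)
        outcome = client_session(srv, b"USER taldric\r\n")
        print(f"{label}: {outcome}, state={srv.state}, content={srv.content!r}")
        print("  logged:", srv.seen)
```

With the SYN dropped the only record is one line with a source address and port, which is all a filtering router or firewall log can ever tell you; the honeypot variant ends up with the same session content that the DTK sample logs show.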

port 365, think about the implications if everyone ran a tag on port 365. This would make life harder
for attackers: honeypots would answer and say they were honeypots, and non-honeypots would
answer and say they were honeypots too.
This example illustrates why honeypots, if widely deployed, improve security. Currently, the
general paradigm is that when attackers break into a system, it really is a compromised system.
They are very bold and free with what they do. The honeypots deployed by Lance illustrate just how
effective this is, because the attackers assume no one can monitor them. If there were another couple
hundred honeypots, the attackers would have to start slowing down and being more careful, and
several of them would end up being arrested. In the next section of the course, we will discuss
Firewalls. These are not only the primary defense tool, they are one of the most important intrusion
detection sensors on the Internet.

