Risk Management: The Big Picture – Part IV (PDF)

4 - 1
Information Risk Management - SANS
©2001
1
Risk Management: The Big Picture – Part IV
Network-based Intrusion Detection
In this section we introduce network-based intrusion detection. The detect engine in this case is a firewall, a personal firewall, or an intrusion detection system; all of these work quite well.
We will begin with a single attack, just to see how one might work and how we might detect it. Then we will explore the range of tools and show you how you can get in the game with a very low investment, possibly even for free.
Need for Network-based Intrusion Detection
• Most attacks come from the Internet
• Detecting these attacks allows a site to tune defenses
• If we correlate data from a large number of sources we increase our capability
The statistic that 90% of all attacks are perpetrated by insiders is dead wrong.
While insider attacks may cause more damage (because the attacker knows the system assets and what to
target), insider threats are usually addressed by traditional security and audit mechanisms. An insider has a much
greater chance of being caught and prosecuted or dealt with administratively IF DETECTED, since you know

OOB stands for Out Of Band and is actually misnamed; it should say "Urgent mode", which means the URG bit is set in the TCP header flags and the urgent pointer is used.
Some people call this famous attack an Out of Band attack; however, it is better known as Winnuke.
If you are interested in the classic Windows attacks, you might want to visit:
http://www.winplanet.com/features/reports/netexploits/index2.html
On to Winnuke: older unpatched Windows systems (3.11, 95) can be crashed by a single, specially formatted packet. The packet has to be sent to a listening port such as TCP port 139, the NetBIOS Session service, but any listening port will do. Hey, quick review: how do you know which ports are listening on your Windows system? How do you know what programs are responsible for those ports? How do you know which users own those programs? If you don't know the answer to all three of these questions, you really should redo the previous section on host-based intrusion detection. If you have a Win95 system, you should get the patch, available at:
http://support.microsoft.com/support/kb/articles/Q168/7/47.asp
Nuke’eM Screen
So how do we create this weird packet? Generally by using a special tool such as the one on this slide, which is a screen shot of version 1.1 of Windows Nuke'eM.
This application has a single purpose: to establish a connection with the TCP three-way handshake and then hit the remote system with the illegal packet. It doesn't take any particular skill to run it; as you see, all we did was enter the IP address of a target system.
Lockdown Screen
On this slide you see a screenshot of a personal firewall called Lockdown that is both detecting the

Enable Logging
The engine settings are managed from the Tools menu. Take a minute and look around at the options. However, while you are there, be sure to enable logging. The logs are stored by default under Program Files, in the Network ICE BlackICE directory, and as you see on the slide they have the handy prefix.
Our First False Positive
Yup, bootp, or actually DHCP (Dynamic Host Configuration Protocol), is a normal occurrence on this home network. We reconfigure so often, and most of our machines are both mobile and wireless, that static IP addresses are out of the question. So perhaps we don't want to alert when that happens. We simply select an attack we don't want to see, right click, and select Ignore.
Using the tools we have discussed, especially after you complete the training on networking and TCP/IP that is coming up in this course, you will be equipped to really start drilling down into network intrusion detection. Sometimes graphical tools can help us know where to look for an anomalous event.
Visualization Tools - BID Port Scan
The intense activity shown on your slide was the result of someone probing this network. This gives us an idea of where we might want to look in order to find the evidence file. As a helpful hint, find the approximate time and, if you are looking for a scan, look for the biggest file.
We hope you have enjoyed your introduction to network intrusion detection. We have learned about a couple of new tools that you can use to start investigating suspicious network traffic. As we move through the remainder of this section of the course, we will learn more about the tools and techniques used in network intrusion detection.
Network Intrusion Detection With Snort
Snort Design Goals
• Low cost, lightweight
• Suitable for monitoring multiple sites/sensors
• Low false alarm rate
• Efficient detect system
• Low effort for reporting
Snort was designed to supplement and be run in parallel with other sensors, such as Linux firewalls. It has rules that match on decoded packet content as well as on packet headers. This means it can detect data-driven attacks like buffer overflows and attacks on vulnerable URLs and scripts (like RDS and phf). So if you use Shadow and Snort, you have a good pattern matcher.
It is free, scalable, and very good at detecting stealthy recon efforts and probes. Its focus on the early warning to be gained from spotting the recon phase is very valuable, since the actual attack can happen in seconds and be all over by the time you notice it started.
It is also a good system to learn and experiment with, since it is easy to modify, being modular open source with lots of community-developed enhancements.
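As an added example (not code from the SANS course, Snort, or BlackICE), the following Python sketches a header-only detect engine of the kind these slides describe: it parses an IPv4/TCP header, applies a Snort-style header rule for the Winnuke packet discussed earlier (URG flag and nonzero urgent pointer to TCP port 139), and honours an ignore list like the one used to silence the bootp/DHCP false positive. The rule set, the addresses and the packet bytes are all constructed for this example.

```python
import struct

URG = 0x20  # TCP URG flag bit in the 8-bit flags field


def parse_ipv4_tcp(pkt):
    """Parse IPv4 + TCP headers from raw bytes; None if not IPv4/TCP."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # IPv4 header length in bytes
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, _seq, _ack, _off, flags, _win, _csum, urgp = struct.unpack(
        "!HHIIBBHHH", pkt[ihl:ihl + 20])
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "urgp": urgp}


# Hypothetical header rule in the spirit of a Snort rule: alert on TCP to
# port 139 with URG set and a nonzero urgent pointer (the Winnuke packet).
RULES = [{"msg": "WinNuke OOB to NetBIOS", "dport": 139, "flags": URG, "urgp": True}]


def check(pkt, ignore=()):
    """Return alert strings for pkt, skipping rules whose msg is ignored."""
    h = parse_ipv4_tcp(pkt)
    if h is None:
        return []
    alerts = []
    for r in RULES:
        if r["msg"] in ignore or h["dport"] != r["dport"]:
            continue
        if (h["flags"] & r["flags"]) != r["flags"]:
            continue
        if r["urgp"] and h["urgp"] == 0:
            continue
        alerts.append(f"[**] {r['msg']} [**] "
                      f"{h['src']}:{h['sport']} -> {h['dst']}:{h['dport']}")
    return alerts


def build_packet(dport, flags, urgp=0):
    """Constructed sample packet: 20-byte IPv4 + 20-byte TCP, no options."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, flags, 8192, 0, urgp)
    return ip + tcp


if __name__ == "__main__":
    print(check(build_packet(139, URG | 0x18, urgp=1)))  # alert fires
    print(check(build_packet(139, 0x18)))                 # ordinary NetBIOS, no alert
```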
[**] RPC Info Query [**]

to configure it properly. IDSCenter simplifies this process by providing the type of graphical user interface that Windows users are accustomed to.
Using simple techniques it is possible to specify the location of the various executable and configuration files used by Snort. Once the appropriate settings have been made, IDSCenter also provides easy access to the rule set that determines what alerts Snort will generate.
IDSCenter also provides a simple method to specify and set up the various types of alerts that should be generated by Snort. It is available from http://idsc.emojo.com/idscenter/index.cfm.