by June 7, 2004 0 comments



In January this year, we’d talked about the design and architecture issues of a signature-based network IDS (Intrusion Detection System) in the article Signature-based IDS, page 62. This time, we’ll show you the workings of one such system that we’ve developed for Linux. Its source code is available on this month’s CD (zip file called, Hawk_ids.zip), so you can try building it yourself. In this article, we’ll focus on the working procedures considered in the implementation of IDS, elaborating on the implementation of a lightweight IDS. It functions as a 
packet sniffer, and has an enhanced GUI and a packet-generator program. 

Features
There are several things that HAWK can do, which include packet-protocol analysis, signature-database initialization, packet analysis and detection and packet generation. We’ll look at these and at the GUI individually. 

Packet-protocol analysis
In any sophisticated IDS, the algorithm must detect anomalies in the traffic in real time and in a reliable way. In order to do this, the real-time detection operation in HAWK has been partitioned into three different pathways, one for each transport protocol, namely TCP, UDP and ICMP. NetPacket APIs are used to label the packets for each of these streams. The protocol attribute of the IP object is used to identify which underlying transport protocol it is carrying, namely, TCP, UDP or ICMP. Based on the protocol being used to transmit information, each packet is mapped against the signature database for that particular protocol. Provision has been made to include more signatures during operation without suspension of the services being offered.

Signature-database initialization
One of the most important aspects of an IDS is the scan engine. We’ve used the pattern-matching capabilities of Perl to compare effectively each packet against the signature database for the protocol to which it belongs. The process to do this signature initialization is as follows.

  • Reading the rule files
  • Message extraction from a signature entry
  • Content extraction from a signature entry
  • Port number extraction from a signature entry
  • Flag field extraction from a signature entry
  • Sequence number extraction from a signature entry
  • Acknowledgment number extraction from a signature entry
Direct
Hit!
Applies to: Network security specialists
USP:
Detect, analyze and capture packets
S/w on CD: Hawk_ids.zip

Packet analysis and  detection 
This part involves retrieving relevant information from each packet and detecting traffic attacks. For the first task, the NetPacket APIs retrieve the various attributes of each packet, including data, flags, sequence number, acknowledgement number, source IP, destination IP and port number. For the second task, the detection algorithm has been fine-tuned by categorizing traffic attacks and intrusions into three basic classes.

  • Attacks with content and flags and other parameters that might be present
  • Attacks with content and other parameters such as SEQ and ACK numbers that might be present 
  • Flags and other additional parameters

Packet generation
One of the most important phases of any software development process is the task of testing the product against challenges in its operational environment. In case of the implementation of IDS, some suspicious traffic on the network is mandatory as a test case. It can be extremely hard to get somebody to hack into your network at any instant of time. Building a packet generator that could set different attributes of a TCP, UDP or ICMP packet is a viable solution to the problem of testing IDS. 

The GUI
HAWK uses the Perl/Tk module to build the GUI. It primarily uses the following Tk structures.

TableMatrix: Tk: TableMatrix is a table/matrix widget extension to Perl, Tk for displaying data in a table (or spreadsheet) format.
Label Widget:
This widget is used to display text label and captions.
Button Widget: These widgets are used to perform certain specific tasks on invocation.

The top window shows incoming traffic, while the lower left window shows the actual data 

Deploying HAWK IDS
The following packages must be installed at the deployment phase of the IDS: Tk (including Tk::Splashscreen), Tk::TableMatrix, NetPacket and Net::Pcap. HAWK has been designed to run in Super user mode for security reasons. Once the program has been initialized, the system administrator may select the operation Start IDS from the Menu on the HAWK window. This sets off a sequence of checks to determine the network interface present on the system, setup of a packet capture descriptor on the interface etc. If any of these checks fails, an appropriate error message would be shown. Whenever alerts are generated, the administrator may decide to either watch traffic by the use of the See Packets button or hide traffic by the use of the Hide Packets button. Logging proceeds in the manner described earlier, maintaining states for each violator of the rules. Additional testing and debugging may be carried out with the use of the HAWK PGEN tool to test rules and
configurations.

Installation
HAWK IDS operates using the Snort style signatures for parsing purposes and traffic analysis. All development and testing have been done using RedHat Linux 8. The following packages (or higher versions) must be installed (preferably in the Super user mode) at the deployment phase of the IDS.

To generate a packet, all relevant fields, such as IP addresses, port 
numbers, payload and the number of packets to be dispatched, must be 
entered. Click on the Set Flags button to see the flags you can set

Net-Pcap-0.04
NetPacket-0.04
Net-RawIP-0.1
Net-PcapUtils-0.01
Tk-804.027
Tk-TableMatrix-1.1
Time-HiRes-1.59
Tk-Splash-0.10
Tk-Splashscreen-1.0

To install these components, uncompress and un-archive each. Then compile the Makefile.pl file and finally run the ‘make’ and ‘make install’ commands to compile the package. 

#tar -zxvf <filename.tar.gz>
#cd filename
#perl Makefile.pl
#make && make install

Note, while installing Time-HiRes you can get an error such as ‘Makefile 91: *** missing separator’. This is a known bug and you can rectify this by running the following command

#export LC_ALL=C

and then compiling the package from the scratch. Once installed, you can run the HAWK IDS using the following command.

perl hawk.pl

Once the program has been initialized, the user may select the operation Start IDS from the menu on the HAWK window to begin the packet-scanning action. All rules files are referenced from the main directory where the IDS is installed.

Limitations and known bugs
The HAWK IDS has not been implemented to detect fragmentation-based attacks. It only detects TCP, UDP and ICMP based attacks. The GUI goes into a blocking state if there is no traffic on the network, due to the absence of support for multi-threading operations in the Tk toolkit. So it’s good for networks and not for stand-alone systems. The PGEN for TCP packets does not support customization of packet contents (through the Pkt Payload input box). This has been set aside as a future enhancement. 

For more information on this, you can refer to these books, Implementing Intrusion Detection Systems by Tim Crothers, Network Intrusion Detection by Stephen Northcutt and Judy Novak, and Security in Computing by Charles P. Pfleeger and Shari Lawrence
Pfleeger.

Sumanth Naropanth Wipro Technologies Manu Manianchira Mind Tree Consulting
Dr Balasubramanian Thangaraju  Wipro Technologies

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

<