To capture intrusion behavior effectively, an IDS needs a strong database of intrusion signatures, just as a public security department needs a sound database of criminal records. However, the signature databases shipped with IDS products are relatively rigid: when an intrusion "changes its face", the IDS often fails to recognize an attack it already knows. Administrators therefore need to learn how to create signature templates that meet their actual needs and adapt to changing conditions. This article introduces the concept and types of intrusion signatures and how to create them, in the hope of helping readers master methods for dealing with "face changes" as soon as possible.
1. Basic concepts of signatures
An IDS signature (also called a feature or characteristic) is sample data used to identify the type of a piece of traffic; signatures come in many kinds. The following are some typical cases and the way each is identified:
Connection attempts from reserved IP addresses: easily identified by checking the source address in the IP header.
Packets with illegal TCP flag combinations: identified by comparing the flags set in the TCP header against the known valid and invalid combinations.
Emails carrying a particular virus: identified by comparing each email's subject line against the subject of a known malicious email, or by searching for a specific attachment name.
DNS buffer-overflow attempts in the query payload: identified by parsing the DNS name and checking the length of each label; another method is to search the payload for a known exploit shellcode byte sequence.
DoS attacks caused by issuing thousands of the same command to a POP3 server: identified by counting how many times a command is issued consecutively and raising an alarm when the count exceeds a preset limit.
File-access attacks on FTP servers that use file and directory commands before logging in: identified by building a stateful signature that tracks which FTP sessions have logged in successfully, so that commands issued by unauthenticated sessions are flagged as intrusion attempts.
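The two stateful signatures in the list above (the POP3 command flood and the FTP commands-before-login case) as a worked example. This is added illustration code, not part of the original article or any IDS product; the repeat threshold, the set of commands allowed before login, the event tuple layout and the sample session lines are all assumptions constructed for the example.

```python
from collections import defaultdict

POP3_REPEAT_LIMIT = 5                        # assumed threshold for consecutive identical commands
FTP_PRE_LOGIN_OK = {"USER", "PASS", "QUIT"}  # commands that are legitimate before login
def first_word(line):
    parts = line.split()                     # command verb of a protocol line, None if empty
    return parts[0].upper() if parts else None
class Pop3RepeatTracker:
    """Stateful signature: one alert when a client repeats the same POP3 command > limit times in a row."""
    def __init__(self):
        self.last = {}                       # session -> (command, consecutive count)
    def observe(self, session, line):
        cmd = first_word(line)
        prev_cmd, count = self.last.get(session, (None, 0))
        count = count + 1 if cmd is not None and cmd == prev_cmd else 1
        self.last[session] = (cmd, count)
        return count == POP3_REPEAT_LIMIT + 1   # fire once, not on every later repeat
class FtpLoginTracker:
    """Stateful signature: alert on file/directory commands sent before the server replied 230 (logged in)."""
    def __init__(self):
        self.logged_in = defaultdict(bool)
    def observe(self, session, direction, line):
        if direction == "S":                 # server reply: only used to update login state
            if line.startswith("230"):
                self.logged_in[session] = True
            return False
        cmd = first_word(line)
        return cmd is not None and cmd not in FTP_PRE_LOGIN_OK and not self.logged_in[session]
def run_signatures(events):
    """events: iterable of (proto, session, direction, line); returns the list of alert strings."""
    pop3, ftp = Pop3RepeatTracker(), FtpLoginTracker()
    alerts = []
    for proto, session, direction, line in events:
        if proto == "pop3" and direction == "C" and pop3.observe(session, line):
            alerts.append(f"{session}: POP3 command flood ({first_word(line)})")
        elif proto == "ftp" and ftp.observe(session, direction, line):
            alerts.append(f"{session}: FTP command before login ({first_word(line)})")
    return alerts
# Constructed sample traffic (not a real capture): session A floods NOOP, session B sends LIST before and after login.
SAMPLE_EVENTS = (
    [("pop3", "A", "C", "USER bob"), ("pop3", "A", "C", "PASS hunter2")]
    + [("pop3", "A", "C", "NOOP")] * 7
    + [("ftp", "B", "S", "220 ready"), ("ftp", "B", "C", "LIST"), ("ftp", "B", "C", "USER alice"),
       ("ftp", "B", "S", "331 need password"), ("ftp", "B", "C", "PASS s3cret"),
       ("ftp", "B", "S", "230 logged in"), ("ftp", "B", "C", "LIST")]
)
```

Running `run_signatures(SAMPLE_EVENTS)` yields exactly one alert per case; the second LIST in session B is silent because the 230 reply has already marked the session as logged in.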
This classification shows that signatures cover a very wide range: simple header field values, highly complex connection-state tracking, and extended protocol analysis. As a single leaf tells of autumn, this article starts with the simplest signatures and discusses their functions, development and customization in detail.
Note that the signature capabilities of different IDS products also differ. For example, some network IDS products only allow existing signatures to be customized or a limited set of new ones to be written, while others allow customization or writing across a wide range, even arbitrary signatures; some IDS products can only inspect fixed header or payload values, while others can read data at any offset of any packet.
2. What are signatures for?
This seems an obvious question: a signature is a template that determines whether suspicious content in a packet is really unwanted, a "clone of a bad actor" so to speak. The IDS already has this important component, so why customize or write signatures at all? The reason is this: you may often see familiar traffic flows wandering around the network that the IDS ignores, either because its signature database is out of date or because the traffic is not itself attack or probe data. At that point your curiosity is aroused: you want an alarm raised the next time this suspicious data passes, you want to capture it and look carefully at where it comes from and what it is up to. The only way to do that is to customize the existing signature database or write new signatures.
Signature customization can be coarse or fine, depending entirely on actual needs: either just determine that abnormal behavior has occurred without identifying the specific attack, which saves resources and time, or identify the specific attack or exploit method to obtain more information. I feel the former suits managers while the latter is needed by hands-on staff; with both the macro and the micro covered, the enemy cannot get in!
3. The chief signature type: header values
Header values have a simple structure and abnormal header information is easy to identify, so they are the prime candidate for signature data. A classic example is a TCP packet with both the SYN and FIN flags set, which clearly violates the TCP standard in RFC 793. Such packets are used by many intrusion tools to attack firewalls, routers and IDS systems. Abnormal header values have several sources:
Most operating systems and applications are written on the assumption that RFCs are strictly followed, with no error handling for abnormal data, so many header-value exploits deliberately violate the RFC definitions to expose the corners the target cut.
Much imperfect software containing bugs can also produce header values that violate RFC definitions.
Not every operating system or application fully supports the RFC definitions; there will be at least one aspect that is inconsistent with the RFC.
Over time, protocols performing new functions may not be covered by existing RFCs.
Because of these situations, IDS signatures based strictly on RFCs may produce false negatives or false positives. RFCs are themselves continually updated in response to newly observed violations, so we need to review and update the existing signature definitions regularly.
Illegal header values are a very basic part of signature data, but legal yet suspicious header values are just as important. For example, a suspicious connection to port 31337 or 27374 may trigger an alarm saying a Trojan horse may be active; with other, more detailed detection information, one can further determine whether it is a real Trojan or a false alarm.
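The header-value signatures this section describes (the reserved source address, the illegal SYN+FIN combination from RFC 793, and the legal-but-suspicious destination ports 31337 and 27374) as a worked example over raw IPv4/TCP header bytes. This is added illustration code, not code from the original article or any IDS product; the reserved address list, the packet builder and the test packets are constructed assumptions.

```python
import ipaddress
import struct

SUSPICIOUS_PORTS = {31337, 27374}      # ports named in the text: legal, but worth an alarm
# Assumed list of address blocks that should never appear as a source on the public Internet
RESERVED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
TCP_FIN, TCP_SYN = 0x01, 0x02          # flag bits in the low byte of the TCP flags field

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull out the header fields the signatures need from a raw IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes (options included)
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]              # offset 13 within the TCP header
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}

def match_header_signatures(pkt: bytes) -> list:
    """Stateless header checks; returns the names of the signatures that matched."""
    h = parse_ipv4_tcp(pkt)
    alerts = []
    if any(h["src"] in net for net in RESERVED_NETS):
        alerts.append("reserved source address")
    if h["flags"] & TCP_SYN and h["flags"] & TCP_FIN:
        alerts.append("illegal TCP flags: SYN+FIN")
    if h["dport"] in SUSPICIOUS_PORTS:
        alerts.append(f"suspicious destination port {h['dport']}")
    return alerts

def build_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header + 20-byte TCP header, no options."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp
```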