Based on an Intrusion Detection System


An Intrusion Detection System for Automatic Web Page Content Filtering and Blocking


Abstract

Today the network is widely used to transmit information and link resources. However, there are many malicious activities in the network environment. For example, worms, spyware, hackers and Trojan horse programs can be used to attack a computer or steal data from it. Hence, security management plays an important role in today's network management tasks. Although many companies use firewalls to defend against attacks from outside, a firewall cannot ensure the security of all the computers behind it. That is, we need a real-time intrusion detection system to assist the firewalls. In this paper, we present a flexible intrusion detection system for the automatic content filtering and blocking of web pages. That is, using our system, users can be protected from attacks by computer viruses or Trojan horses residing in web pages. Our system may also be used to block improper information, such as pornography, from the web.

Keywords: Intrusion Detection, Network Security.


(Internet) (Worm) (DoS, Denial of Service Attack) [1] (Hacker) (Virus) (Backdoor) (Network Security) (IDS, Intrusion Detection System) (Firewall) (Application Layer) (Backdoor) (Web Server)

1 2 3 4 Web Service (IDS, Intrusion Detection System) (Alert) (Firewall) (Network Layer) (Transport Layer) (Application Layer) IP Session (Proxy Server)


(Internet) (Firewall) [2] (Anomaly Detection System) [3] (Misuse Detection System) [4] (log)

(logs) (checksum hash, digital signature) (port)

[5] [6] (Packet)

(Packet) [6] (Misuse Detection System) (Signature-based Detection) (Signature) (Signature Matching) (False Positive, False Alert) [9] (Anomaly Detection System) [3] (Neural Network) [12] [9] (False Positive, False Alert)

Snort (IDS, Intrusion Detection System) 1 2 3 4 Snort Snort [10] (open source) Snort Libpcap (Misuse Detection) (Rule-based) CGI SMB DDoS Snort (log) Syslog (Misuse)

(False Positive) Snort (Plug-Ins) Snort Snort 2.3 2.3 Snort (Packet Capture and Packet Decoder) TCP/IP Libpcap (Detection Engine) Snort (Linking Structure)

/ (Logging and Alerting Subsystem) TCPDUMP Syslog Snort Snort (Packet) [11] 1 (Protocol Match) Snort IP/TCP/UDP/ICMP TCP (flag) TCP TCP F (FIN) S (SYN) R (RESET) P (PUSH) A (ACK) U (URGENT) Snort

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"scan SYN FIN"; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:2;)

flags TCP 2 (Signature Match)

Snort

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"web-client readme.eml download attempt"; flow:from_client,established; uricontent:"/readme.eml"; nocase; classtype:attempted-user; sid:1284; reference:url,www.cert.org/advisories/ca-2001-26.html; rev:9;)

/readme.eml Snort (Preprocessors) Fragment Reassembly (fragmentation) 3 Snort

    alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"dos MSDTC attempt"; flow:to_server,established; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:5;)

dsize 1023 4 5 ( ) IP 1 100 CGI CGI

Snort Snort [12] [13] Snort (Preprocessor Plug-ins) (Output Plug-ins) (Keywords) (Rule Parser) 2.5 [12] Snort (Rule Set) RTN (Rule Tree Node) RTN OTN (Optional Tree Node) PcapLoop

2.5 Snort Rule Tree (Reassembling Packets) (Decoding protocols) (Non-rule or protocol anomaly-based detection) stream4 frag 2.6

Snort Decode Structure [12] Snort Packet Rule Tree Node Rule Tree Node Optional Tree Node 2.7 Snort's Detection Engine 2.6 Snort Decode Structure Snort

Snort DDoS 2.7 Snort's Detection Engine Snort (Rule) (Log) Snort (Rule Header) (Rule Options) Action Protocol Source IP Port Destination IP Port (Option) Rule Header Rule Option

(Rule Action) (Protocol) (source) IP (port) (destination) IP Rule Action: Pass, Log, Alert, Dynamic, Activate ICMP, TCP, IP, UDP Snort

    log udp any any -> $HOME_NET 4120

4120 UDP msg, logto, ttl, id, dsize, content, uricontent, offset, depth, nocase, flags, seq, ack, session, flow, priority, icode, itype, reference, classtype, sid, rev Snort content "javascript\://"

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"web-client Javascript URL host spoofing attempt"; flow:to_client,established; content:"javascript\://"; nocase; classtype:attempted-user; reference:bugtraq,5293; sid:1841; rev:3;)

Snort IP Snort

Proxy Server 2.8 (Browser)

(Web Server) (Web Page Cache) 1 request 2 6 3 4 5 6

1 (Caching) 2 (Protocol Handling) (Hyper Text Transfer Protocol) (File Transfer Protocol) ICP (Internet Cache Protocol) URL (Uniform Resource Locator) 3 (Garbage Collection) 4 (Filtering) 5 (Monitoring)

6 (Access Control) (Hacking) (Denial of Service attack) (Denial of Service Attack, DoS) 1. TCP SYN Flooding (Source IP) (Server) (TCP SYN)

SYN+ACK (ACK) TCP (Three-Way Handshake) 2.9 ACK SYN 2.9 TCP SYN 2. (Distributed Denial of Service, DDoS) DoS 2.10 DoS Agent (DoS Agent) 3. UDP Flood DoS UDP

(connectionless) UDP (port) 7 (Echo service) DDoS 4. ICMP DoS ICMP ICMP ICMP Ping of Death Ping Ping of Death TCP/IP Ping TCP/IP 65,536 bytes (Buffer Overflow attack)

80 100 100 System bug and hole Snort http

HTTP (Unicode) ASCII ASCII 7 IIS 4.0 5.0 %c1%1c %c0%2f http://192.168.0.1/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir + (Double encoding) URL "/" %255 %255 %5 "/" IIS (flip slash) (IIS) \ / "\" "/" (Full whitespace) Apache (tab) (space) (5) (Internal alert) HTTP CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, TRACE HTTP 10 HTTP Malicious Code

(Virus) (Worm) (Trojan horse) (Melissa) Word Normal.dot Outlook ExploreZip 2001 (Code Red) (Hacker) (IIS Server) (Nimda) (1) IIS HTM, HTML, ASP JavaScript readme.eml (2) .eml

Outlook readme.eml local cookie data (Trojan Horse) Java, JavaScript, ActiveX (format) HTML Java Applet, JavaScript 2.11

2.11 [15] (port) (client programs) FTP FTP

.exe .dll

(log file) (Snort) IP URL Snort Proxy_filter Snort URL

(Layer 4) http URL URL 3.1 IDS

3.2 URL

Snort http URL spo_proxy_filter URL Proxy URL Reject (Rule set) Web Client (Rule Subset) web-client.rule multimedia.rules porn.rules proxy_filter

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"web-client readme.eml autoload attempt"; flow:to_client,established; content:"window.open(\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; reference:url,www.cert.org/advisories/ca-2001-26.html; rev:8;)

proxy_filter

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"web-client readme.eml autoload attempt"; flow:to_client,established; content:"window.open(\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; reference:url,www.cert.org/advisories/ca-2001-26.html; rev:8; proxy_filter;)

(web client attacks) proxy_filter Snort Snort (preprocessor) (Detection Engine) spp_http_decode URL snort (plug-ins) spo_proxy_filter URL spo_proxy_filter 1. ProxyFilterSetup() snort plugbase.c InitOutputPlugins() snort (Rule Option) proxy_filter 2. ProxyFilterInit() snort 3. ProxyFilterOptionInit() 4. ProxyFilter() URL

3. 3.4

TANet (Gigabit/Fast Ethernet) TANet URL 4.1 URL (URL filter list; each entry has the form: <url> service=no cache=no)

1. IDS Server: CPU Intel Pentium III 850, 15G Bytes, 100Mbps, Linux Fedora Core 1, Mysql 4.0.12, Apache 2.0.46, PHP 4.3.2, Adodb 3.30, Acid 0.96b23, JPGraph 1.12.1, LibPcap 0.7.2, Snort 2.0.6 (modified)
2. Proxy Server: CPU Intel Pentium IV 2.0G, 40G Bytes, 100Mbps, Linux Fedora Core 1, Mysql 4.0.12, Apache 2.0.46, Squid 2.5 stable 5
3. Client: CPU Intel Pentium IV 1.6G / Intel Pentium III 850, Windows XP

4.1 4.2 snort URL 4.2 snort URL URL URL

URL URL 4.3 snort URL 4.3 snort URL (list of blocked URLs logged by snort) URL URL (4.1) 50

6 2003 11 (Proxy log file) [18] 50 20 8 1 7 50 4.4 4.4 URL filter 50 50 100% 26% 27 73% 27% 13 22 2 10% 90% 15 75% 25% 2 50 15 30% 70% 34 68% 32% 20 0 0% 100% 20 100% 0% 8 0 0% 100% 8 100% 0% 50 0 0 0% 0 0 0% 200 47% 17% 50 13 URL 26% URL rule base

(4.4) Symantec AntiVirus 8.1 2004/4/26 rev.23 8 JavaScript VB Script script IE jav JavaScript Nimda java HTML JavaScript window.open readme.eml 4.5 S

4.5
JS.Exception.Exploit    S S S S
JS.Nimda                S S S S
VBS.zulu.A              S S S S
VBS.FreeLink.B          S S S S
JS.Trojan.WindowBomb    S S S S
VBS.happytime.A@mm      S S S S
VBS.LoveLetter.C(1)     S S S S
Nimda                   S S S S

4.5

(1) (2) (3) (4) (open source) (1) URL (2) (Misuse Detection) (Anomaly Detection) API Windows API (3) (e-mail) Outlook


[1] Dai Kashiwa, Eric Y. Chen, Hitoshi Fuji, Shuichi Machida, Hiroshi Shigeno, Ken-ichi Okada, and Yutaka Matsushita, "Active Countermeasure Platform against DDoS Attacks," IEICE Trans. Inf. & Syst., Vol. E85-D, No. 12, pp. 1918-1928, Dec. 2002.
[2] A. Sundaram, "An Introduction to Intrusion Detection," URL: http://www.acm.org/crossroads/xrds2-4/intrus.html
[3] Emilie Lundin and Erland Jonsson, "Anomaly-Based Intrusion Detection: Privacy Concerns and Other Problems," Computer Networks, Vol. 34, No. 5, pp. 624-640, Aug. 2000.
[4] Robert F. Erbacher, Kenneth L. Walker, and Deborah A. Frincke, "Intrusion and Misuse Detection in Large-Scale Systems," IEEE Transactions on Systems, Vol. 27, No. 3, pp. 38-48, Feb. 2002.
[5] Tripwire, URL: http://www.tripwire.org/
[6] Intrusion Detection System & Network Attack, URL: http://www.csie.nctu.edu.tw/~sjhuang/ids.php
[7] M. Iguchi and S. Goto, "Detecting Malicious Activities through Port Profiling," IEICE Transactions on Information and Systems, Vol. E82-D, No. 4, pp. 784-792, Apr. 1999.
[8] Susan C. Lee and David V. Heinbuch, "Training a Neural-Network Based Intrusion Detector to Recognize Novel Attacks," IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans, Vol. 31, No. 4, pp. 294-299, Jul. 2001.
[9] Robert K. Cunningham, Richard P. Lippmann, and Seth E. Webster, "Detecting and Displaying Novel Computer Attacks with Macroscope," IEEE Transactions on Systems, Vol. 27, No. 4, pp. 275-281, Jul. 2001.
[10] The Open Source Network Intrusion Detection System, URL: http://www.snort.org/
[11] Marina Bykova, Shawn Ostermann, and Brett Tjaden, "Detecting Network Intrusion via a Statistical Analysis of Network Packet Characteristics," IEEE Transactions on Network Security, Vol. 1, pp. 309-314, Jun. 2001.
[12] Jay Beale, James C. Foster, Jeffrey Posluns, and Brian Caswell, Snort 2.0 Intrusion Detection. US: Syngress Publishing Inc., 2003.
[13] 2002
[14] The Open Source Light-weight Network Intrusion Detection System, URL: http://www.snortsam.net/
[15] 2001
[16] Ming-Zuo Chen, "Intrusion Detection System Based on Hierarchical Rules," Master Thesis, Department of Information Engineering and Computer Science, Feng Chia University, 2002.
[17] Ren-Jye Lin, "Intrusion Detection Using Dynamic Sorting," Master Thesis, Department of Information Engineering and Computer Science, Feng Chia University, 2003.
[18] URL: http://tnrc.ncku.edu.tw/