Controlling Intrusion Detection Systems by Generating False Positives: Squealing Proof-of-Concept

William Yurcik¹
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
[email protected]

¹ This work is a joint project of the SOS research group; additional contact info: voice 217-333-9182, hard copy: 45 Oak Park Road, Bloomington IL 61701 USA.

Abstract

We introduce a new class of attack against a network signature-based Intrusion Detection System (IDS) which we have tested using SNORT and we call "Squealing". This vulnerability has significant implications since it can be generalized to any IDS. While signature-based IDSs have implementation problems with high false positive rates that require tuning, we show a more serious general vulnerability: packets can be crafted to match attack signatures such that alarms can be selectively triggered, allowing a target IDS to be externally controlled by a malicious attacker.

1. Introduction

This paper documents the ability to trigger specific false positive alarms in the intrusion detection logs of the SNORT IDS. This vulnerability has been empirically verified on SNORT version 1.6.3/1.8.1 and was first reported by this author at RAID 2001 [3]. We introduce a new class of attack we call "squealing" (SNORT has a pig logo). Squealing attacks exploit the vulnerability of IDSs to false positive attacks. We agree with the analysis contained in [1] that the limitation of IDS is not the ability to accurately detect misuse behavior but rather the ability to suppress false alarms. At present, a solution to suppressing false positives is not imminent and the problem is getting worse as the number of reported new attacks increases each month: since a signature IDS has to guard against more types of attacks, the number of false positives is likely to increase. However, the problem of suppressing false positives due to detection uncertainty becomes orders of magnitude more difficult when an attacker can generate decoy false positives at will. We selected the SNORT IDS for experimentation because its signature-matching source code is accessible, but other IDS signatures are also available (see reference [2]) or can be derived from experimentation.

2. SNORT Pattern Matching

SNORT utilizes a pattern matching model for detection of network attack signatures using identifiers such as TCP fields, IP addresses, TCP/UDP port numbers, ICMP type/code, and strings contained in the packet payload. For example, SNORT may have a rule such as shown in Figure 1, which is the pattern-matching rule for the Sun SPARC buffer overflow attack.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS345-OVERFLOW NOOP-Sparc-TCP"; flags; content: "|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";)

Figure 1. SNORT Pattern-Matching Code

3. Experiments

It is possible to create packets crafted to match any SNORT signature. As a proof-of-concept, we developed a tool to provide scriptable access to several IP-based protocols. The tool is intended for internal use (it will not be released) and was given a name with a negative connotation, PCP, to recognize the danger it presents (the drug analogy: the units are packets, it can be inhaled/snorted, and it gives the user a perception of extraordinary abilities). The architecture of PCP is based on reusable C routines that can be separated into two classes: packet writing functions and argument parsing functions. For example, the packet writing functions are used to write TCP, UDP, or ICMP packets. The argument parsing functions are used to provide a command line packet writing capability. PCP was initially used to create packets that cause problems for network routers and to test the correctness of firewall rule configurations.

Other features include sample scripts that can be edited and handling ARPs for non-existent source IPs. As a proof-of-concept, we used PCP to trigger 100% of the signatures in the SNORT rules files, which translates into several hundred attack alarms.² These attacks were executed sequentially and simultaneously using multiple sources, using the experimental configuration shown in Figure 2.

Figure 2. Experiment Configuration

4. Implications

The implications of this class of attack are that signature-based IDSs may be controlled either overtly or covertly by a malicious attacker. Overt attacks include: (1) conditioning attacks that desensitize IDS operators to false positive alarms such that they are ignored or disabled; (2) repudiability attacks with strategically implanted false positive alarms that question IDS log integrity; and (3) attack misdirection that serves as a decoy. Covert attacks include: (1) noise-masking attacks that conceal underlying attacks and (2) statistical poisoning attacks that feed incorrect data to IDSs based on statistical benchmarks.
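An added illustration (not code from the paper or from SNORT) of the stateless content match in Figure 1 beside a hypothetical state-aware matcher of the kind proposed in Section 5: the same signature bytes in an orphan packet and in an established connection get different verdicts, so a squeal is no longer reported as a confirmed attack. The packet record, the handshake tracking and the sample addresses are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Signature bytes from the Figure 1 rule: content "|13c0 1ca6 13c0 1ca6 ...|"
SPARC_NOOP_SIG = bytes.fromhex("13c01ca6" * 4)

@dataclass
class Packet:
    src: str
    dst: str
    flags: str            # TCP flags as letters: "S", "SA", "A", "PA"
    payload: bytes = b""

def stateless_match(pkt: Packet) -> bool:
    """Per-packet content search, which is all the Figure 1 rule does."""
    return SPARC_NOOP_SIG in pkt.payload

@dataclass
class StatefulMatcher:
    """Hypothetical state-aware matcher: a content hit is an 'alert' only if
    this sensor saw the flow's 3-way handshake, else 'unverified' (a squeal)."""
    syn: set = field(default_factory=set)
    synack: set = field(default_factory=set)
    established: set = field(default_factory=set)

    def process(self, pkt: Packet) -> str:
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "S":
            self.syn.add(fwd)
        elif pkt.flags == "SA" and rev in self.syn:
            self.synack.add(rev)                 # client->server flow advanced
        elif pkt.flags == "A" and fwd in self.synack:
            self.established.update({fwd, rev})
        if not stateless_match(pkt):
            return "none"
        return "alert" if fwd in self.established else "unverified"

def classify(packets):
    # Returns (stateless_hit, stateful_verdict) for each packet in order.
    m = StatefulMatcher()
    return [(stateless_match(p), m.process(p)) for p in packets]

# Constructed sample traffic (not a capture from the paper): an orphan packet
# carrying the signature, a real connection carrying it after its handshake,
# then a benign packet on that same flow.
SAMPLE = [
    Packet("10.0.0.9", "192.168.1.5", "PA", b"x" * 8 + SPARC_NOOP_SIG),
    Packet("10.0.0.7", "192.168.1.5", "S"),
    Packet("192.168.1.5", "10.0.0.7", "SA"),
    Packet("10.0.0.7", "192.168.1.5", "A"),
    Packet("10.0.0.7", "192.168.1.5", "PA", b"\x90" * 4 + SPARC_NOOP_SIG),
    Packet("10.0.0.7", "192.168.1.5", "PA", b"hello"),
]
```

The stateless matcher fires identically on the first and fifth packets; only the state-aware one separates the orphan hit from the one inside a real connection, which is the distinction the paper's Section 5 asks an IDS to make.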

5. Possible Solutions

We propose two techniques in combination to address squealing: (1) adaptation and (2) state awareness. The first technique is adaptation – changing the signature-matching algorithm randomly during IDS operation. This will prevent squealing attacks based on IDS rule knowledge from having guaranteed success. Problems with this technique include (A) not all attack signatures may have multiple ways to parse for different pattern matching algorithms and (B) in response, attacks will escalate by learning to adapt, making it even harder to detect squealing. The second and more powerful technique, to be used with adaptation, is state awareness [4,5]. For speed and processing power, IDSs inspect individual packets independently, focusing on matching signatures in headers and data payload – no precursor events or post events, in order, are considered. If IDSs had a context for monitored protocols they could distinguish, for instance, a single TCP packet designed to trigger an alarm from an actual TCP connection with a precursor event (3-way handshake) corresponding with timing, interfaces, and packet direction (ingress/egress). The downside of protocol state-awareness is that an IDS may become overloaded with submodules tracking different states. In the game theory of attack/counterattack we have also been successful in triggering alarms in later versions of SNORT that are "stateful", as well as in other stateful IDSs, by using multiple PCP sources aimed at different IDS ports and knowledge of sequence number/timing attacks.

6. Summary

We have demonstrated a proof-of-concept to show the ability to generate specific false positive alarms on network signature-based IDS – naming this class of attack "squealing". We successfully tested squealing by targeting the SNORT IDS and we warn that this attack can exploit pattern matching vulnerabilities on all signature-based IDSs. We have concern about other related work that, while independently verifying our conclusions, may lead to the release of squealing exploitation point-and-click script software "into the wild".

With the emergence of Unicode, the ultimate problem is the ability to disguise character strings in various ways. Since signature-based IDS systems look for character strings within packets indicating certain network attacks, Unicode threatens to make avoiding "squeal" attacks insurmountable.

² SNORT rule sets tested include: x11, web-misc, web-iis, web-frontpage, web-coldfusion, web-cgi, virus, telnet, sql, smtp, scan, rservices, rcp, policy, netbios, misc, info, icmp, ftp, finger, exploit, dos, dns, ddos, backdoor.

7. References

[1] S. Axelsson. The Base-Rate Fallacy and the Difficulty of Intrusion Detection. ACM Transactions on Information and System Security, Aug. 2000, pp. 186-205.
[2] S. Northcutt et al. Intrusion Signatures and Analysis. New Riders Press, 2001.
[3] S. Patton, W. Yurcik, and D. Doss. An Achilles' Heel in Signature-Based IDS: Squealing False Positives in SNORT. Recent Advances in Intrusion Detection (RAID), Univ. of California-Davis, 2001.
[4] V. Paxson. Bro: A System for Detecting Network Intruders in Real-Time. 7th USENIX Security Symposium, 1998.
[5] T. Ptacek and T. Newsham. Insertion, Evasion, and Denial-of-Service: Eluding Network Intrusion Detection. Secure Networks, Inc., Calgary, Alberta, CA, 1998.