study of snort rule set privacy impact
play

Study of Snort Rule- set Privacy Impact Nils Ulltveit-Moe and - PowerPoint PPT Presentation

Jan 26, 2023 •38 likes •278 views

Study of Snort Rule- set Privacy Impact Nils Ulltveit-Moe and Vladimir Oleshchuk University of Agder Presented at: Fifth International PrimeLife/IFIP Summer School, Nice, France 7.-11. September 2009. This work is Funded by Telenor R&I

  1. Study of Snort Rule- set Privacy Impact Nils Ulltveit-Moe and Vladimir Oleshchuk University of Agder Presented at: Fifth International PrimeLife/IFIP Summer School, Nice, France 7.-11. September 2009. This work is Funded by Telenor R&I (contract DR-2009-1)

  2. Content • Motivation • Introduction to Intrusion Detection Systems • Case Study of the Snort Community Rule-set • Results • Conclusion and Future Research Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 2

  3. Why is better privacy handling needed for network monitoring systems? • Norwegian scandal: Minister of Defence reports the Defence Security Service (FOST) to the police for illegal surveillance of data traffic from the Government and the Royal Family. • Reason: An employee in the Department of Justice got told off by FOST after having surfed on pornographic pages... • FOST is responsible for network security , but they are not allowed to perform surveillance of data traffic. • How can network monitoring organisations like FOST avoid such a scandal? Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 3

  4. What is needed? • Better routines and methodologies for detecting potentially privacy violating IDS rules. • Improved classification and handling of alerts from security incidents involving private or sensitive material. • Privacy Ombudsman responsible for the privacy side of network monitoring. • External certification authorities that can perform privacy impact assessments. Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 4

  5. Content • Motivation • Introduction to Intrusion Detection Systems • Case Study of the Snort Community Rule-set • Results • Conclusion and Future Research Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 5

  6. How is intrusion detection being performed? • Intrusion Detection Systems (IDSs) - the Internet equivalent of a burglar alarm. Network monitoring is performed using deep packet inspection , which means that the following data can be investigated: • Packet header information; • Payload in each data packet; • Reassembled streams of data spanning several data packets; • Entire communication sessions between a client machine and a server. • An alert is sent to a central console whenever a presumed malicious event is detected. Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 6

  7. Small IDS deployment DMZ Internet Web, email server IDS Intranet Backnet Security Operations Centre (outsourced) Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 7

  8. Small IDS deployment DMZ Internet Web, email server IDS Intranet Backnet Security Operations Centre (outsourced) Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 8

  9. Small IDS deployment DMZ Internet Web, email server IDS Intranet Backnet Security Operations Centre (outsourced) Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 9

  10. Network Intrusion Detection Systems can have a significant privacy impact: • Existing ruleset can be used to monitor: • peer-to-peer (P2P) file sharing; • download or streaming of multimedia files; • chat and instant messaging; • surfing to “inappropriate” web pages; • usage patterns in web shops; • or use of anonymisers (Tor). • Research is therefore needed to: • enhance data privacy handling of IDS systems; • quantify expected data privacy impact; • tune the IDS rule set to minimise data privacy impact; • perform automated testing of data privacy impact. Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 10

  11. Content • Motivation • Introduction to Intrusion Detection Systems • Case Study of the Snort Community Rule-set • Results • Conclusion and Future Research Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 11

  12. Case study of the Snort Community rule set. • 3669 rules were manually categorised into two categories: • Privacy Violating (PV) rules (291 rules); • and A ttack detection rules (3378 rules). • Privacy violating rules: • Broad rules, monitors user behaviour or service usage that may be in violation with a stated usage policy. • Unspecific attack detection rules can also fall into this category. • Attack detection rules: • Specific rules, expected to match malicious traffic only. Founded on known vulnerabilities (CVE, Bugtraq, Arachnids, McAfee, Nessus) • For example buffer overflow, SQL injection, XSS, backdoor, exploit... Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 12

  13. Security considerations • Security interest takes precedence over privacy interests for rules triggering on malicious activities. • Considered bad if insecure services are exposed on the Internet: • for example telnet, finger, rsh, rexec, rlogin and open file shares; • Also business critical services like database servers. • Traffic to or from unexpected services is in general bad: • Often used by trojans, backdoors, worms and other malware. Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 13

  14. Attack detection rule example alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (\ msg:"MS-SQL Worm propagation attempt";\ content:"|04|"; depth:1;\ content:"|81 F1 03 01 04 9B 81 F1 01|";\ content:"sock";\ content:"send";\ reference:bugtraq,5310;\ reference:bugtraq,5311;\ reference:cve,2002-0649;\ reference:nessus,11214;\ reference:url,vil.nai.com/vil/content/v_99992.htm;\ classtype:misc-attack;\ sid:2003;\ rev:8;) • Specific attack-matching rule, vulnerability references Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 14

  15. Privacy Violating rule example alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (\ msg:"MULTIMEDIA Windows Media download";\ flow:from_server,established;\ content:"Content-Type|3A|"; nocase;\ pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)| a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smi";\ classtype:policy-violation;\ sid:1437;\ rev:6;) • Broad rule • Matches any downloaded Windows Media files via web • No references to vulnerability sources Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 15

  16. Content • Motivation • Introduction to Intrusion Detection Systems • Case Study of the Snort Community Rule-set • Results • Conclusion and Future Research Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 16

  17. Results • Our paper focuses on privacy violating rules. • We performed a case study using two different rule sets: • Full Snort rule-set • Default Snort rule-set (15 rule files with 285 rules disabled) Rule set Privacy Violating Number of rules *) % Privacy Violating All rules 291 3669 7.9% Default rule-set 177 3222 5.5% *) Note: wrong column name of Table 1 in short paper. Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 17

  18. Privacy violations by class for default rule-set Snort Class Rules Percent web-application-activity 148 83.6% attempted-reconnaissance 12 6.8% web-application-attack 7 4% protocol-command-decode 3 1.7% attempted-user 3 1.7% other 4 2.2% • 83% of the privacy violating rules in the default rule-set consists of web application activity monitoring. • Monitors access to web mail, shopping carts etc. • Often founded on known vulnerabilities. • Problematic both from a privacy and security perspective. Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 18

  19. Privacy violations by class for full rule-set Snort Class PV- Rules Percent web-application-activity 148 50.9% policy-violation 71 24.3% kickass-porn 30 10.3% misc-activity 14 4.8% attempted-reconnaissance 12 6.8% web-application-attack 7 4% protocol-command-decode 3 1.7% attempted-user 3 1.7% other 4 2.2% • 3 additional classes with privacy violating rules in full set: • policy-violation (71 privacy violating, 9 attack rules); pornography (30 privacy violating rules); and misc-activity (14 privacy violating, 191 attack rules). Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 19

  20. Observations • Web application activity monitoring cause most privacy violating rules in both rule sets. • Problematic both from a privacy and security perspective. • For example monitoring VP-ASP webshop activity. • or Outlook .eml files. (Rule due to the Nimda worm) • Rule files that by default are disabled contain many privacy violating rules detecting for example: chat , pornography , peer-to-peer and multimedia streaming or download. • Even traffic to Tor anonymisers can be monitored... Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 20

  21. Content • Motivation • Introduction to Intrusion Detection Systems • Case Study of the Snort Community Rule-set • Results • Conclusion and Future Research Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Implementing Snort into SURFids Sander Keemink and Michael van Kleij February 6, 2008 1 / 21

Implementing Snort into SURFids Sander Keemink and Michael van Kleij February 6, 2008 1 / 21

Implementing Snort into SURFids Implementing Snort into SURFids Sander Keemink and Michael van Kleij February 6, 2008 1 / 21 Implementing Snort into SURFids 1 SURFids 2 Snort 3 Assignment 4 Experiments and results 5 Integrating Snort 6

681 views • 21 slides
Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance Engineering & Public Policy Lorrie Faith Cranor November 11, 2014 y & c S a e v c i u r P r i t e y l b L a a s

555 views • 21 slides
Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance Engineering & Public Policy Lorrie Faith Cranor October 29, 2013 y & c S a e v c i u r P r i t e y l b L a a s

245 views • 20 slides
Formal Privacy: Making an Impact at Large Organizations Deploying Differential Privacy for the

Formal Privacy: Making an Impact at Large Organizations Deploying Differential Privacy for the

Formal Privacy: Making an Impact at Large Organizations Deploying Differential Privacy for the 2020 Census of Population and Housing Simson L. Garfinkel Senior Scientist, Confidentiality and Data Access U.S. Census Bureau July 31, 2019 JSM

458 views • 35 slides
Privacy preserving data mining randomized response and association rule hiding Li Xiong

Privacy preserving data mining randomized response and association rule hiding Li Xiong

Privacy preserving data mining randomized response and association rule hiding Li Xiong CS573 Data Privacy and Anonymity Partial slides credit: W. Du, Syracuse University, Y. Gao, Peking University Privacy Preserving Data Mining

659 views • 39 slides
Future of Privacy Forum Higher Education Working Group GLBA Safeguards Rule Dean Forbes Counsel

Future of Privacy Forum Higher Education Working Group GLBA Safeguards Rule Dean Forbes Counsel

Future of Privacy Forum Higher Education Working Group GLBA Safeguards Rule Dean Forbes Counsel September 29, 2017 Agenda Introductions Department of Education Publications on Protecting Student Information GLBA Privacy and

739 views • 45 slides
DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE I. INTRODUCTION: The

DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE I. INTRODUCTION: The

DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE I. INTRODUCTION: The Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification provisions apply to three types of entities, which are known as

111 views • 7 slides
Privacy Rule Ron Honberg, J.D. Senior Advisor, Policy and Advocacy National Alliance on Mental

Privacy Rule Ron Honberg, J.D. Senior Advisor, Policy and Advocacy National Alliance on Mental

Myths and Reality: The HIPAA Privacy Rule Ron Honberg, J.D. Senior Advisor, Policy and Advocacy National Alliance on Mental Illness March 2018 Disclaimer This webinar was developed [in part] under contract number

369 views • 26 slides
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Provisions Sets

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Provisions Sets

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Provisions Sets boundaries on the use/release of health records Holds violators accountable with penalties Strikes a balance when public health

357 views • 12 slides
Sample Snort Signature alert tcp $EXTERNAL_NET any -> $HOME_NET 139

Sample Snort Signature alert tcp $EXTERNAL_NET any -> $HOME_NET 139

Sample Snort Signature alert tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:to_server,established content:"|eb2f 5feb 4a5e 89fb 893e 89f2|" msg:"EXPLOIT x86 linux samba overflow" reference:bugtraq,1816

436 views • 4 slides
Sample Snort Signature alert tcp $EXTERNAL_NET any -> $HOME_NET 139

Sample Snort Signature alert tcp $EXTERNAL_NET any -> $HOME_NET 139

Sample Snort Signature alert tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:to_server,established content:"|eb2f 5feb 4a5e 89fb 893e 89f2|" msg:"EXPLOIT x86 linux samba overflow" reference:bugtraq,1816

370 views • 8 slides
Manipulation, Privacy and Protection Consumer Behaviour in an Exploratory Study between Europe

Manipulation, Privacy and Protection Consumer Behaviour in an Exploratory Study between Europe

Asian Privacy Scholars Network 4th International Conference Meiji University, Tokyo (10-11 July, 2014) Manipulation, Privacy and Protection Consumer Behaviour in an Exploratory Study between Europe and Asia-Pacific 1 Prof. Dr. Ana Mara Lara

738 views • 21 slides
Presentation to the Standing Committee on Access to Information, Privacy and Ethics in its study of

Presentation to the Standing Committee on Access to Information, Privacy and Ethics in its study of

Presentation to the Standing Committee on Access to Information, Privacy and Ethics in its study of the Privacy of Canadians at Airports, Borders and Travelling in the United States June 15, 2017 Micheal Vonn and Meghan McDermott, British

467 views • 4 slides
Impact of the California Rule AGC SAFETY AND HEALTH COUNCIL Riverside, California March 21, 2012

Impact of the California Rule AGC SAFETY AND HEALTH COUNCIL Riverside, California March 21, 2012

Crane Operator Certification: Impact of the California Rule AGC SAFETY AND HEALTH COUNCIL Riverside, California March 21, 2012 Bob Hornauer, Manager California Affairs, NCCCO Overview of Presentation Scope of the California Rule (and

571 views • 45 slides
Should privacy impact assessments Should privacy impact assessments be mandatory? be mandatory?

Should privacy impact assessments Should privacy impact assessments be mandatory? be mandatory?

Should privacy impact assessments Should privacy impact assessments be mandatory? be mandatory? David Wright David Wright Trilateral Research & Consulting Trilateral Research & Consulting 17 Sept 2009 17 Sept 2009 1 1 Todays

542 views • 35 slides
Rule of Three (a language technique)

Rule of Three (a language technique)

Rule of Three (a language technique) http://study.com/academy/lesson/i-came-i-saw-i-conquered-analysis-of-julius-caesars-quote.html Introduction The purpose of this PowerPoint is to introduce the use of the rule of three as a language

742 views • 14 slides
Dynamic profiles for malware communication Joao Marques, Mick Cox MSc System & Network

Dynamic profiles for malware communication Joao Marques, Mick Cox MSc System & Network

Dynamic profiles for malware communication Joao Marques, Mick Cox MSc System & Network Engineering University of Amsterdam Monday 6 February, 2017 Outline Introduction Part I - Intrusion Detection Part II: Botnets & Advanced

625 views • 40 slides
Opioid Overdose Overview Sarah Bryant, MPH, RN Division Manager Health Promotion and Prevention

Opioid Overdose Overview Sarah Bryant, MPH, RN Division Manager Health Promotion and Prevention

Opioid Overdose Overview Sarah Bryant, MPH, RN Division Manager Health Promotion and Prevention Programs Ingham County Health Department Learning Objectives Importance of opioid use and abuse Decreasing opioid overdose deaths

324 views • 21 slides
What s Ahead s Ahead What The arc of attaining competency How is the Coast Guard is

What s Ahead s Ahead What The arc of attaining competency How is the Coast Guard is

What s Ahead s Ahead What The arc of attaining competency How is the Coast Guard is changing the qualification process? The arcana of assessing competency How do you build an assessment system? The art of assessing competency How can

254 views • 21 slides
Deep Packet Inspection Using GPUs Qian Gong, Wenji Wu, Phil DeMar GPU Technology Conference 2017

Deep Packet Inspection Using GPUs Qian Gong, Wenji Wu, Phil DeMar GPU Technology Conference 2017

Deep Packet Inspection Using GPUs Qian Gong, Wenji Wu, Phil DeMar GPU Technology Conference 2017 May 2017 Background Main uses for network traffic analysis Operations & management Capacity planning Performance troubleshooting

520 views • 24 slides
Motivation: MSA Motivation: MSA Current attacks to distributed systems involve multiple steps

Motivation: MSA Motivation: MSA Current attacks to distributed systems involve multiple steps

Secure Configuration of Intrusion Detection Secure Configuration of Intrusion Detection Sensors for Changing Enterprise Systems Gaspar Modelo-Howard, Jevin Sweval, Saurabh Bagchi Presented by Amiya Kumar Maji Dependable Computing Systems Lab

611 views • 12 slides
Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar

Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar

Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar Supervisor: Prof. Slobodan Petrovic FINSE 10th of may 2017 Contents Introduction Snort: a misuse-based intrusion detection Problem

247 views • 14 slides
Jaal: Towards Network Intrusion Detection at ISP Scale A. Aqil, K. Khalil , A. Atya, E.

Jaal: Towards Network Intrusion Detection at ISP Scale A. Aqil, K. Khalil , A. Atya, E.

Jaal: Towards Network Intrusion Detection at ISP Scale A. Aqil, K. Khalil , A. Atya, E. Paplexakis, University of California S. Krishnamurthy, KK. Ramakrishnan Riverside T. Jaeger Penn State University P. Yu, A. Swami US Army Research Lab 1

533 views • 18 slides
Memristor Based Autoencoder for Unsupervised Real-Time Network Intrusion and Anomaly Detection

Memristor Based Autoencoder for Unsupervised Real-Time Network Intrusion and Anomaly Detection

Memristor Based Autoencoder for Unsupervised Real-Time Network Intrusion and Anomaly Detection Md. Shahanur Alam, B. Rasitha Fernando, Yassine Jaoudi, Chris Yakopcic, Raqibul Hasan, Tarek M. Taha, and Guru Subramanyam Dept. Of Electrical and

428 views • 19 slides

More recommend