Wow, I'm really kind of surprised. Is this many people? I'm going to start off with a warning for those of you who think that you might be able to, like, attack other people using what I'm going to talk about. I have yet to figure out a black hat use for this, because if you already own the IDS it's too late. You know, you can get everything. I'm only looking for the good things.

What I'm talking on is passive auditing. We encountered a problem where I work, where we have so many users that it became really difficult to find out what they're doing, because nobody wanted to run, like, a client or something. So we couldn't see what activity they were doing, you know: were they patching, stuff like this? So we started developing signatures that actually kind of take that out and eliminate the need for us to run a client on the end users. And so that's what I'm going to talk about here: signatures, and the sort of things you can find out with signatures just by watching the network passively.

So, of course, why you need to audit? It identifies assets, so that when you get your alerts going through, you know, if it's an attack on IIS, do you really care if it's hitting an Apache box? And an inventory of what you have, where you have it, you know, all that other good stuff.

The state of auditing today: basically it relies a lot on active scanning. It uses heavy usage of clients, so you need to have a client on that end machine. You connect to that client, you know, it runs the scan, tells you what's on the box. And it's difficult or impossible in a decentralized environment. I work at a major university.
We have three class B addresses and about a dozen class C's, you know, it becomes really kind of difficult in that environment, especially since most of them don't like us.

What we're doing with passive auditing is we're using packets on the network, stuff that they're doing anyways, to find out what their patch levels are, whether they're doing antivirus software, whether they're updating at all, what OSes they're running. It does not affect end-system logging. That's one of the great things about it, because we get a lot of complaints every time we do try to scan; they complain, like, ad nauseam about the amount of logs they get. My feeling is, tough, but okay. Also, we get to take advantage of all those black hat scans that are coming through. When you're in a university, frequently you don't have firewalls, or you have very limited use of firewalls, so I can find out what ports are open without ever touching the box, because the time it goes across my sensors, I've got it. It aids policy enforcement. Some people like policies, some people don't. Ultimately, what it comes down to is event correlation, and that's where it becomes a real pain in the ass when you're looking at that many hosts. You know, if you want to keep track of what their patch level is, every patch has its own line in that database, correlated to IP address, or MAC if you can get access to the ARP cache. It's a lot easier.

So these are things that we can monitor passively: OS, OS updates, whether they're getting antivirus and firewall and spyware updates, network services (are they using telnet, FTP, whatever, open ports), service versions, network application versions. That's mostly more banner grabbing, though if you really get into it there are ways of telling without actually grabbing banners. And policies.

The downsides of this: well, it's labor-intensive.
It takes a lot of disk space. It takes a lot of time to build the big picture that you need, because you will not get it in the first week. In fact, you probably won't get it in the first couple of months. You have to start really accumulating data before you know what's happening. It's a lot of data. It requires a commitment of time and money, and that's not always something that works out well, you know; everybody's saying, well, we need to know this data now, go buy a scanner. Hopefully you get through the firewalls. If you are willing to actually take the time, you'll get a better picture; you'll get a different picture than if you do scanning. It can be bypassed: if people manually download stuff to one machine and they copy off that patch, I'm not going to see it, though you can't bypass all this stuff. You go back to that OS stuff: as long as they want to talk on the network, I can find out what they've got. It actually benefits from an ugly network. It's one of those few places where not having firewalls really helps, because I can see so much traffic.

So I'm gonna start with some rules. I wanted to jump right into rules; I've only got 20 minutes here. So here's a basic Snort rule. I tried to keep these all nice and easy, very little, like, stuff done in hex. I'm just looking at the strings here, with a couple of exceptions. So this first one, it looks for people actually updating antivirus, and actually firewalls, because that's with the Symantec corporate edition. You notice here, you see the user agent. User agents are your friend if you want to do this, because they really come in handy; everybody wants to advertise what they've got. Well, this is where it comes in handy. So you capture on this, you capture on that user agent. You can capture on the host, because Symantec sends everything to one place, and everybody does that, so that's yet another way to watch them. Then, right down here, that last line.
You have a threshold, type limit, track by_src. So what we're gonna do is we look at the type limit, track by source, so each source IP address, count one, so we only need one packet here to find out this is working, and we only record this every 1880 seconds. Sorry, 1800 seconds. The reason I had to do this with this particular rule is that it will go and do that GET so many times; there are so many different things it's pulling up. I need to know they did it; I don't need to know how many times they did it. And this is the sort of traffic you get out of this. You notice, and I'm gonna get down to the data, it tells you right in that line what they're updating: Symantec AntiVirus Corporate Client, NT, 9.0, English. So it's the language; you have everything there. So, by that, the %20s that are gonna cross are gonna be the space characters. That's what they're using them for.

So another rule. This is an OS update. We're looking for a specific Windows update here. I wrote a rule that just looks for the KB article. If you're actually really quick, they actually release the article numbers before they release the patches, but you have to know where to find them at Microsoft's site. I didn't include that in the slide, which I should have. So you can get a slight jump. Now, actually, I really recommend using generic rules that'll catch everything, and post-processing. I'm really big on post-processing; it speeds up the whole process from a machine point. And so what we're looking for is: it has that string that says GET, space, and that's a slash character. For some reason, well, this is me, I like using hex in those points. And you have a depth of five, so this has to be in the first five characters coming from that host in the TCP payload. So then you're looking for the knowledge base article, and you want this line to end off with the .exe. Basically, this is the whole GET string.
These are elements out of it. One of these days I'm going to get around to rewriting these in PCRE, so they have the Perl-compatible regular expressions, to make the whole line a little easier to read. However, there's a penalty hit there, and I haven't quite figured out if it's going to be something I can keep up with. So out of this we then find out it's a Windows ME host, because it's right there in that string that it actually downloaded. So you see MS Download, update version, capital U, you get down there, it's a Windows ME knowledge base article, and this is also an English box. So this is all the stuff you see in the files that they're downloading from Microsoft. Also, this progressive download there, that's the user agent for ME when you do the automatic update through them.

Next rule: Windows Malicious Software Removal Tool, their new anti-spyware stuff. Again, this is a rule using similar functionality to the last one. Right now we're going with the Microsoft BITS for the agent; that is the normal XP/2000 agent that you're going to see. And this is what you see here; you see this packet come through. For this one actually, just in case anybody's curious, this one was tcpshow I used to grab these packets out. I've also written some scripts for just extracting text from tcpdump files, pcaps. So you find out this is Windows. It doesn't really specify which one. Knowledge base article, name of the program and everything, again English.

Now this is where it starts getting a little more fun. Now with the Red Hat, you tend to see a lot of people using their automatic update, the up2date stuff. This one is just checking in; it's saying, you know, are there any updates available. It really answers questions about OSes also, because all of a sudden you don't know just that it's a Linux box; you know it's a Red Hat. So you get this whole string. The header info file is the one that actually says what are the differences between now,
what I have and what is available. So you're going to see this one any time it checks in, whether it gets a download or not. So this actually allows you to map out who is trying to be a good network citizen. And here's what you get. If you look at the GET string on this one, you see the /pub/fedora/linux/core/3, so you know they're running Core 3, and i386, so you now have an idea of the architecture, though there's a better one for that in the next one up. And you see they're using the Red Hat applet. Now, you can actually rewrite these so that you can capture anything, but you have to draw a line here. Where is the privacy? You don't want to actually be capturing everything they do, but you also have to say, you know, this is the information we need to know to protect the network. And that is the biggest problem we've had: it's actually where do you draw that line?

Now this one, this is another update, looking for the... Actually, I rewrote this one early this morning. I messed up. It's not a check-in anymore; you're actually looking for the actual downloading of the update. Well, when you get to this one, my slide here... Okay, well, I'll tell you what that one did: it downloaded, and it actually saw the kernel, and when you see the kernel go by, you get to see the architecture at a different level. You get to see it's i686, you're gonna see the language, you get to see the specific kernel version. So once you take this stuff out, you post-process that, you can actually find out a lot of stuff about the box in that one kernel, in that one GET request. I'm going a lot faster than I thought; I would have included more rules. So this is the check-in again.

Okay, now this is where it gets a little more obscure. This top one here, all this path, all this Snort signature does is it catches one SYN for each host every half hour. It just writes a pcap dump of this stuff.
I use this one actually to map OSes, because I can take the pcap file, post-process it through p0f, and all of a sudden you have a list of every IP address, what it's talking to, and what the OS is. Now, I have this every half hour. You will start encountering problems when you get to VMware, or they're running NAT boxes. This is where that ARP cache comes in. Using that ARP cache, if you have access to the ARP table, you can say, at this point, was it the same MAC address as the one that was there before? So you can say, if it's two different MAC addresses, it's probably two different machines. However, if you have the same MAC address, you're now looking at VMware or NAT, and if you go over and look up the MAC address, you can probably tell if it is a Linksys or some router, or if it is actually a Dell box, in which case you know it's VMware. So it's actually all about collecting so much data that you can then make logical choices about what's happening on the net, about the hosts themselves.

The second one here is the ability to actually map what services are doing. This one actually uses banner grabbing. There are also some signatures for doing, like, what versions of SSH they're running. When you actually get down to the version, that becomes really important, because you can say, hey, there's a vulnerable version here, and you can notify people and say, you know, you need to fix this. You never had to scan the box; you just watched them doing their traffic on their own. So in that one you're looking for basically the Server return field from the server. This is one of the places where you can start mapping out what's happening on your hosts that aren't them doing things, but people coming into them. So this here, we're looking at Microsoft IIS 5.1; that version actually only exists in XP.
So you know that they're running XP also. This can be spoofed, of course. With Apache you can compile it with any server string; you can actually compile this stuff in and change it. I say any; that's actually an overstatement. But the idea is that the people who are really trying to do that stuff, these are people who are good admins anyways, and I'm not worried about them. I'm worried about the idiot who runs their box, you know, they have never patched it, they just put it up on the network, and five minutes later, you know, it's a warez box and it's attacking 30 million other hosts. That's my issue. I don't care about the person who's actually sitting there doing their job. It's all the ones that aren't doing the job I'm trying to find with this.

This also gets by the biggest problem that we had on campus, which really was dealing with firewalls. When Windows XP SP2 came out, all these firewalls, all of a sudden we can't get into these boxes with the scanners we do have. If you want to write a rule that will allow an IP address to talk to boxes like that, you actually end up writing 65,535 TCP rules and 65,535 UDP rules, because they don't actually allow you to set a trusted IP. Microsoft's firewall does not have that concept; it's trusted ports, trusted programs, that's it. This way, we don't have to worry about that; we actually see the patching. We don't have to do the vulnerability scanning. Scanning is still great; scanning will help you a lot. It will answer questions faster than this will, but in the long run you get a different picture here, because if you look at, like, the user agent stuff, you can see: are they running Kazaa? Are they using, you know, Outlook? You can see all this stuff by looking at the traffic that comes out of this box, things that you will never see. You can't tell what browser somebody's using with a scanner, you know, are they running a three-year-old version of IE. I got a break-in yesterday, actually two days ago, on campus.
They were running a version of IE that had a flaw that was fixed two years ago. Now I'm saying they've got a whole batch of extra stuff on their computer they didn't know about. This I can tell, I mean, by actually watching the GET requests that come out of that box, you know, how they request things, because that's also in there. I mean, when you say you're gonna get that, you know, download this, I go back a couple of screens, that's where the user agent comes in. Because the user agent is, it's not required. You don't see this in Debian; when it does patching, it doesn't do this. Actually, I didn't include all my... I have a lot of signatures for this; I didn't include all of them. But I have patches for SUSE, Debian, Mandrake, you know, all these things. These are all available out there; the information is available.

The hardest one I actually had to come up with was the one for Solaris, because if you look at, like, Solaris 10, this automatic update feature encrypts the whole channel. However, when you look at an SSL certificate, when you do that key exchange at the beginning and it sends what the certificate is, there's a place in there where it says who bought the license and what machine it goes on. Well, it just so happens that at Sun that machine is, like, Sun update dot Sun, you know, it's like Solaris update dot sun.com or something like that. So you find that string, you know what's happening. You know they're now being a good network citizen; you don't know what patches they grabbed. And I'm sorry that I haven't figured out a way to get around the SSL, and if anybody has any ideas, come and talk to me, you know, we've got a lot of other things we can do with that one. I won't have to go back to work on Monday. So I can't get around that one, but I can help, you know, give you an idea of who is actually helping on the network, who's being good.

I've got a question. Yeah, using statistical analysis, you actually could do that. There's a program
I'm going to mention at the end. It's a different IDS system called Bro. It's kind of, I refer to it as a bastard stepchild out of LBNL, but actually they love it and they use it a lot. It is written by Vern Paxson, and it does some great anomaly detection, but it also keeps a connection log that says this IP address on this port talked to this IP on this port, this is how much traffic went by, and this is what time it happened and how long it took. Using that, you can go back and do the statistical analysis and actually get a good idea of: did they download one patch, or did they update the whole system?

I really didn't think I'd go through this this fast. So under here, these are the tools that I use for doing this. Snort: I'm a big Snort fan. It's easy, you can really get into it, it's really fairly powerful if you get into it. p0f, you know, that OS fingerprinting that I do; I post-process it through there. It helps a lot. Make sure you do have one of the latest versions, because the one I first installed didn't give me a timestamp. It just kind of said relative to when I started running p0f, which didn't really help me identify when you have to go back to that ARP table to figure it out. You need that timestamp, so make sure you have the latest one. tcpdump: I use tcpdump for everything. I'm sure everybody here does.

A question. Actually, our network group on campus, they actually have a database that they keep of it. They dump the ARP cache from every switch and every router on campus every 15 minutes, so we go back to the database. What was that? Too much, too many years of punk concerts. You have a suggestion? Fortunately, I don't... it's just not something I've had to encounter yet. I haven't had to figure out how to do it. Yes, tcpshow and ngrep, those are tools that actually are helpful.
They'll pull out those strings. Now, actually, tcpshow has one flaw, in that it doesn't give you an accurate time. It actually doesn't dump the time in a format that I could use well, and ngrep does that; however, it core dumped on large files. So I wrote my own. It really is just a simple Perl script. If you think about it, if you do the capture with the minus lowercase x with tcpdump, it gives you that whole binary, it gives you the hex, actually. Well, you can just process through it and measure out: okay, this is the IP header, this is the TCP header, and now you want the data after that. So actually on the website, I have that script. It's really a very simple script. And so that's where I go back to: I use tcpdump more than anything else, and Perl. Perl is great.

Now, I mentioned that Bro IDS. If you are interested in that, it's a really great IDS system, awesome anomaly detection. Really kind of hard to use, though; I mean, be prepared. But it's bro-ids.org. It is a really good one. It's just, and it will never compile on Windows, so don't even try if you're running Windows. A lot of custom scripts: it is really, you really have to be able to write your own programs to do this stuff, at least for now. I'm hoping that eventually I'll get enough of them that I can just hand them off to people, say, hey, use this, but for now you're gonna want to write some of your own. I have some example scripts that I use, so if you want them, they'll be on the website. They should be on your CD, though I've updated all of them.
So go to the website. And a database: at the end of the day, you are gonna need a database more than you're gonna need anything else that I talk about. Because if you figure that Microsoft has released about 35 major patches this year already, those are the major ones, the MS05s, they've already released like 35, and this is actually kind of a slow year for them, and you look at, like, 40,000 hosts, and then you look at all the antivirus programs, and then you look at all the OSes they're running, you need a database. I mean, I've been doing it actually for a while with ngrep. Well, no, not ngrep, fgrep. So I just grep out of flat files, and we're building the database now. I had to prove that it could be done before they'd build it, and then somebody would take the time to build a database for me. So at the end of the day, though, you are gonna need a database to do this.

So I'm gonna say thank you for coming. Got an address there: if you go to www.passiveaudit.org, you'll see all the scripts I have, all the signatures, and I really would like to actually have more people writing signatures than just me. Hey, I do this at home at, like, three o'clock in the morning, so help. This is how I, when I have time, I do this because I find it fun. I'm kind of curious how far can I go, can I actually, you know, I can actually find out they've got Office and stuff, but how much can I learn about the computer? I don't want to let anybody think that I'm actually trying to learn stuff about the people; that'd be wrong, at least where we're on campus. Okay, thank you. I'll be outside if anybody wants to ask questions or wants to volunteer.

All right, thank you. We need everyone out those doors there.
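An added post-processing example, not code from the talk or from the passiveaudit.org scripts: it applies signatures like the ones described (the Symantec corporate AV update string with its %20 spaces, a Windows Update KB download with the BITS user agent, an up2date header.info check-in with the Fedora Core path) to extracted HTTP request text, pulls OS, language, version and architecture facts into a per-IP inventory, and reproduces the Snort threshold "type limit, track by_src, count 1, seconds 1800" behaviour so one patching session yields one record per host. The sample requests, host names, user-agent strings and the KB000000 number are constructed placeholders, not real captures.

```python
import re
from urllib.parse import unquote

# Signatures in the spirit of the talk's Snort rules: each regex runs over the
# decoded HTTP request text and its named groups become facts about the host.
# Path and file-name shapes are constructed to resemble the talk's examples.
SIGNATURES = [
    ("symantec-av-update", re.compile(
        r"^GET /[^ ]*Symantec AntiVirus Corporate Client "
        r"(?P<platform>\w+) (?P<version>[\d.]+) (?P<lang>\w+)", re.M)),
    ("windows-update-download", re.compile(
        r"^GET /[^ ]*Windows(?P<winver>[A-Za-z0-9]+)-(?P<kb>KB\d+)-"
        r"(?:x86-)?(?P<lang>[A-Z]{3})\.exe", re.M)),
    ("up2date-checkin", re.compile(r"^GET (?P<path>/[^ ]*)/header\.info", re.M)),
]
FEDORA_PATH = re.compile(r"/fedora/linux/core/(?P<release>\d+)/(?P<arch>[\w-]+)")
UA_LINE = re.compile(r"^User-Agent: (.+?)\r?$", re.M)


def extract_facts(payload):
    """Return (signature name, facts dict) for the first matching signature, else None."""
    text = unquote(payload)  # the %20s in the GET string are the space characters
    for name, rx in SIGNATURES:
        m = rx.search(text)
        if not m:
            continue
        facts = {k: v for k, v in m.groupdict().items() if v}
        ua = UA_LINE.search(text)  # everybody advertises what they've got
        if ua:
            facts["user_agent"] = ua.group(1).strip()
        fm = FEDORA_PATH.search(facts.get("path", ""))
        if fm:  # release and architecture sit right in the download path
            facts.update(fm.groupdict())
        return name, facts
    return None


def audit(events, seconds=1800):
    """events: (timestamp, source IP, request payload) in time order.
    Returns the rate-limited alert records and a per-IP inventory of facts."""
    window, records, inventory = {}, [], {}
    for ts, src, payload in events:
        hit = extract_facts(payload)
        if hit is None:
            continue
        sig, facts = hit
        inventory.setdefault(src, {}).update(facts)  # correlate by IP address
        # Snort 'threshold: type limit, track by_src, count 1, seconds N': report
        # the first event per (source, signature) in each N-second window only.
        start = window.get((src, sig))
        if start is None or ts - start >= seconds:
            window[(src, sig)] = ts
            records.append((ts, src, sig))
    return records, inventory


# Constructed sample traffic modelled on the talk's examples, not real captures.
SYM = "GET /update/Symantec%20AntiVirus%20Corporate%20Client%20NT%209.0%20English/{} HTTP/1.1\r\nHost: update.example.net\r\n\r\n"
SAMPLE_EVENTS = [
    (0, "10.0.0.5", SYM.format("catalog.txt")),
    (60, "10.0.0.5", SYM.format("defs.zip")),  # same 1800 s window: suppressed
    (120, "10.0.0.7", "GET /download/WindowsXP-KB000000-x86-ENU.exe HTTP/1.1\r\n"
                      "User-Agent: Microsoft BITS/6.6\r\nHost: dl.example.net\r\n\r\n"),
    (300, "10.0.0.9", "GET /pub/fedora/linux/core/3/i386/os/headers/header.info HTTP/1.1\r\n"
                      "User-Agent: rhn-applet/0.1\r\nHost: mirror.example.net\r\n\r\n"),
    (2000, "10.0.0.5", SYM.format("defs.zip")),  # window expired: new record
]

if __name__ == "__main__":
    print(*audit(SAMPLE_EVENTS), sep="\n")
```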