Full eXpert-BSM v.1.5 User Manual
Contents
1. EMERALD eXpert-BSM User's Guide, Page 76

WARNING 13 13 7323 BSM_SUSPICIOUS_SETUID Target 130.107.15.118 Count 1
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 1999-12-30 16:15:02.952379 PST
Command chmod(2) Parent_cmd /usr/bin/chmod Outcome 0
Attacker em_user1
Attacker_attrs auid 50001 ruid 50001 euid 50001 pid 25402 sid 25336
Resource /usr/emerald/em_user1/gurka Resource_owner em_user1
Recommendation fixperms fn /usr/emerald/em_user1/gurka da kess newattr 000; kill pid 25402 sid 25336 da kess; notify uid 50001 da kess; checkcfg da kess name BSM_ADMINISTRATIVE_USER_LIST
Comment relevant params BSM_ADMINISTRATIVE_USER_LIST

ATTACK 14 14 7355 BSM_SUSPICIOUS_SETUID Target 130.107.15.118 Count 1
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 1999-12-30 16:15:16.402415 PST
Command chmod(2) Parent_cmd /usr/bin/chmod Outcome 0
Attacker em_user1
Attacker_attrs auid 50001 ruid 50001 euid 50002 pid 25406 sid 25336
Resource /usr/emerald/em_user1/file_owned_by_2 Resource_owner em_user2
Recommendation fixperms fn /usr/emerald/em_user1/file_owned_by_2 da kess newattr 000; kill pid 25406 sid 25336 da kess; notify uid 50002 da kess; checkcfg da kess name BSM_ADMINISTRATIVE_USER_LIST
Comment relevant params BSM_ADM
2. BSM_ECHO_FLOOD_WINDOW

Test 3: General buffer overflow (except ps), BSM_BUFFER_OVERFLOW_EXEC. Run the eject exploit program renamed to something non-suspicious.
Time 1999-12-30 19:08:13.371242 EST UserName admin_u EffectiveName root AuditName admin_u RUID 2037 EUID 0 AUID 2037 PID 25345

EMERALD eXpert-BSM User's Guide, Page 59

Test 4: Known attack name, BSM_SUSPICIOUS_EXEC_ARGUMENT. Run a phony program (such as an empty script) where the program name contains any of the forbidden words in BSM_SUSPICIOUS_EXEC_LIST.
Time 1999-12-30 19:08:51.011335 EST UserName em_user1 EffectiveName em_user1 AuditName em_user1 RUID 50001 EUID 50001 AUID 50001 PID 25346 Path_List /usr/bin/anyexploitany
Time 1999-12-30 19:08:51.011335 EST UserName em_user1 EffectiveName em_user1 AuditName em_user1 RUID 50001 EUID 50001 AUID 50001 PID 25346 Path_List /usr/emerald/em_user1/anyexploitany

Test 5: Special User Executes Program, BSM_SPECIAL_USER_EXEC. As em_admin, su to root, then su to one of BSM_EXEC_LESS_ACCOUNTS (for example bin) and run ls.
Time 1999-12-30 19:09:27.631431 EST UserName bin EffectiveName bin AuditName admin_u RUID 2 EUID 2 AUID
3. Time 1999-12-30 19:11:09.361710 EST UserName em_user1 EffectiveName em_user1 AuditName em_user1 RUID 50001 EUID 50001 AUID 50001 PID 25368 Command open(2) - read Ret_Val -1 Error_Number 13 Parent_Command file Path_List /export/home/core object owner root (0)

Test 9: Change User Environment File, BSM_CHANGE_USER_ENVIRON_FILE. As em_user1, use vi to create a new file .cshrc in a dir named em_user2.
Time 1999-12-30 19:12:56.712041 EST UserName em_user1 EffectiveName em_user1 AuditName em_user1 RUID 50001 EUID 50001 AUID 50001 PID 25389 Command creat(2) Ret_Val 5 Error_Number 0 Parent_Command vi Path_List /usr/emerald/em_user2/.cshrc

EMERALD eXpert-BSM User's Guide, Page 61

Also as em_user1, run touch .rhosts in a dir named em_user2 in which there was no .rhosts file already.
Time 1999-12-30 19:13:14.562088 EST UserName em_user1 EffectiveName em_user1 AuditName em_user1 RUID 50001 EUID 50001 AUID 50001 PID 25391 Command creat(2) Ret_Val 3 Error_Number 0 Parent_Command touch Path_List /usr/emerald/em_user2/.rhosts object owner em_user1 (50001)
Time 1999-12-30 19:13:14.562088 EST UserName em_user1 EffectiveName em_user1 AuditName em_user1 RUID 50001 EUID 50001 AUID 50001
4. Attention! You are about to install the EMERALD(TM) BSM Monitor intrusion detection monitor into your system. This component is designed for Solaris 6 thru 8 operating systems (32/64 bit) with audit facilities installed. If you have not installed the Solaris audit facilities on this machine, please abort this installation and install audit facilities first. You may ctrl-C out of this script at any time if you do not wish to continue the installation. It is extremely important that you have read Sections 8, 9 and 10 of the eXpert-BSM User Manual before attempting to install and operate this system. If you have not read these sections, please read them before continuing.

EMERALD eXpert-BSM User's Guide, Page 19

Have you reviewed these sections? (Y/N)

To stop execution of the script, hold down the control key while hitting c, and then press return. You will be asked a question whether you have reviewed this documentation. If you answer no, the script will exit and will indicate that you should review Sections 8, 9 and 10 of this document.

3. Install_eXpert_BSM will provide a warning message to inform you about patch requirements for Solaris:

WARNING: This operating system is SunOS 5.7 in 64-bit mode. It could have the following serious bugs:

Sun Bug ID   Description                          Possible Patch
4194454      auditing to pipe causes system       105621-24 (5.6)
             to panic                             106541-12 (5.7)
4229414      Solaris 7 64-bit BSM auditing        10654
5. 50001 50001 512 50001 512 21131 21131 0 20 pooh.emerald.sri.com text bad password return failure 1
ftp access Fri Jan 21 09:48:16 2000 945280661 msec subject 50001 50001 512 50001 512 21132 21132 0 20 pooh.emerald.sri.com text bad password return failure 1

Test 28: FTP anonymous write, BSM_FTP_ANON_WRITE. FTP in as user ftp or anonymous and upload a file to a directory which is not in BSM_FTP_UPLOAD_PATHS.
open(2) - write,creat,trunc Fri Jan 21 09:52:09 2000 850943250 msec path /usr/local/ftp/pub/upload/passwd attribute 100666 65533 65533 8388614 80160 0 subject 2 65533 65533 root root 21147 0 0 0 0 0 0 0 return success 4
chown(2) Fri Jan 21 09:52:09 2000 870945353 msec argument 2 0xfffd new file uid argument 3 0xffffffff

EMERALD eXpert-BSM User's Guide, Page 70

new file gid path /usr/local/ftp/pub/upload/passwd attribute 100666 65533 65533 8388614 80160 0 subject 2 65533 65533 root root 21147 0 0 0 0 0 0 0 return success 0
open(2) - write,creat,trunc Fri Jan 21 09:54:08 2000 168689095 msec path /usr/local/ftp/pub/warez/win2000 attribute 100666 65533 65533 8388614 137088 0 subject 2 65533 65533 root root 21154 0 0 0 0 0 0 0 return success 4
chown(2) Fri Jan 21 09:54:08 2000 188688803 msec argument 2 0xfffd new file uid argument 3 0xffffffff new file gid path /usr/local/ftp/pub/warez
6. Contact Information ............ 55
Appendix I  Attack Battery Test Data Description ............ 59
Appendix II Attack Battery Console Alerts ............ 74

EMERALD eXpert-BSM User's Guide, Page 2

1 Notice to Users

eXpert-BSM is a host-based intrusion detection solution for Sun Solaris operating platforms, representing one component in a suite of advanced intrusion detection technologies developed by the EMERALD Development Team at SRI International. See our Web site http://www.sdl.sri.com/emerald for additional information.

Before You Start

You should not attempt to install or operate the EMERALD eXpert-BSM host intrusion detection monitor without first reading this document. This document describes the proper system preparation, installation, policy configuration, important caveats and results expectations which are critical to successfully operating this component. To lessen your burden we've tried to be as concise as possible in the material that follows, so please invest some time to read this manual. We have included a Quickstart section for your convenience, but that should not be viewed as a substitute for reading the rest of this document.

About the Evaluation Edition

SRI provides this release of eXpert-BSM as a stand-alone intrusion detection system for Sun Microsystems Solaris operating systems, for use on a single host system for internal evaluation purposes only. For more information regarding advanced features and technical support, please contact
7. Outcome 255

Test 25: Port scanning, BSM_SUSPICIOUS_PORT_PROBE. Run, for example, nmap against the host. Please note the following: accept records are only produced on 5.6 and later; only TCP connect scans can produce accept records; there must be a service responding on the port for an accept record to be produced.

severity         ports hit (port:weight)                                  port weight sum   threshold
Warning          512:4 21:3 540:1 13:1                                    9                 9
Severe warning   61344 ZLB ye 23013 2513 13 LS
Attack           512:4 21:3 540:1 13:1 513:4 23:3 7:1 9:1                 18                18

Start_time 2000-01-14 11:12:34.378988 EST End_time 2000-01-14 11:12:34.468992 EST Command connect Parent_cmd not_present Outcome 0 Attacker 130.107.215.128 Attacker_attrs target_ports 13 540 512 21
Start_time 2000-01-14 11:16:33.073903 EST End_time 2000-01-14 11:16:33.993933 EST Command connect Parent_cmd not_present Outcome 0

EMERALD eXpert-BSM User's Guide, Page 68

Attacker 130.107.15.118 Attacker_attrs target_ports 25 913 23 21 7
Start_time 2000-01-14 11:21:49.210476 EST End_time 2000-01-14 11:21:49.400490 EST Command connect Parent_cmd not_present Outcome 0 Attacker 130.107.15.118 Attacker_attrs target_ports 13 9 7 540 512 513 23 21

Test 26: External connection to forbidden port, BSM_BAD_PORT_CONN. Telnet from a machine not listed in
8. Real-time BSM data retrieval
Utility to set the BSM audit policy
Results file dump utility
EMERALD expert-system BSM analyzer
Utility script for killing processes
I/O buffering process
Monitor configuration directory
Surveillance policy configuration
Knowledge base configuration
Local IP address map
User ID to user name map, built at install time
Results and log directory
EMERALD binary format alerts file
ASCII console alerts and error log
BSM data converter log
This directory contains the EMERALD GUI subsystem for JAVA 1.1.8
An extensive battery of BSM records encoded in EMERALD binary format that exercise the eXpert-BSM knowledge base

Page 15

8 Pre-Installation Cautions and Caveats

What You Need Before Installation

- Root privilege is required to install eXpert-BSM for real-time operation. If you wish to limit the use of this component to batch-mode operation, root privilege is not required.
- We strongly recommend that you install eXpert-BSM on the target host's local hard drive rather than an NFS-mounted partition when operating this system in real-time mode. This is due to both performance and reliability concerns.
- Certain versions of the Solaris operating systems require certain service patches from Sun Microsystems; see the section on Solaris Bugs.
- The EMERALD Alert Management Interface (GUI) requires the use of the JAVA Development Kit (JDK) 1.1.8, which must be installed
9. auid 0 ruid 0 euid 0 pid 122 sid 0
Recommendation filter sa 130.107.12.103 da kess dp 21; checkcfg da kess name BSM_MAX_FTP_BADPASSWORDS; checkcfg da kess name BSM_FAILED_LOGIN_WINDOW
Comment relevant params BSM_MAX_FTP_BADPASSWORDS BSM_FAILED_LOGIN_WINDOW
Command open(2) - read,write Parent_cmd <unknown 122> Outcome 0

WARNING 37 37 10444 BSM_FTP_PASSWD_GUESSER Target kess Count 4
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 2000-01-21 09:47:23.046354 PST End_time 2000-01-21 09:48:00.235610 PST
Command open(2) - read,write Parent_cmd <unknown 122> Outcome 0
Attacker em_user1
Attacker_attrs src_ip 130.107.12.103 auid 0 ruid 0 euid 0 pid 122 sid 0
Recommendation filter sa 130.107.12.103 da kess dp 21; checkcfg da kess name BSM_MAX_FTP_BADPASSWORDS; checkcfg da kess name BSM_FAILED_LOGIN_WINDOW
Comment relevant params BSM_MAX_FTP_BADPASSWORDS BSM_FAILED_LOGIN_WINDOW

ATTACK 38 38 10599 BSM_FTP_ANON_WRITE Target kess Count 1
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 2000-01-21 09:52:09.850942 PST
Command open(2) - write,creat,trunc Parent_cmd /usr/sbin/in.ftpd Outcome 0
Attacker 130.107.12.103
Attacker_attrs auid 0 ruid 0 euid 65533 pid 21147 sid 0
Resource /usr/local/ftp/pub/upload/passwd Res
10. www.sdl.sri.com/emerald/releases/eXpert-BSM/Release_Notes.html. For the list of Frequently Asked Questions regarding eXpert-BSM, visit http://www.sdl.sri.com/emerald/releases/expert-BSM/faq.html

EMERALD eXpert-BSM User's Guide, Page 52

17 Version Status

EMERALD eXpert-BSM Version 1.5, April 2002. See the EMERALD software distribution web page http://www.sdl.sri.com/emerald/releases for further information regarding our follow-on release that will precede the expiration of this release.

EMERALD eXpert-BSM User's Guide, Page 53

18 Credits and Acknowledgements

EMERALD Development Team (emerald@sdl.sri.com): Martin Fong, Ulf Lindqvist (PI), Phillip Porras (PD), Keith Skinner, Alfonso Valdes (PI), Peter Neumann, Sandy Smith, Steven Cheung, John Khouri, Kenneth Nitz, Magnus Almgren. EMERALD Development Project, August 1996 to April 2002.

Acknowledgments: DARPA Information Technology Office, DARPA Information Systems Office, National Security Agency.

EMERALD eXpert-BSM User's Guide, Page 54

19 License, Feedback & Contact Information

This Section describes the license and distribution terms for the release of the eXpert-BSM evaluation edition. See the EMERALD software distribution web page http://www.sdl.sri.com/emerald/releases for further information regarding follow-on releases. See the end of this Section (Contact and Experience Reporting Information) for pointers on where to send questions, bug reports and detect
11. Attacker_attrs auid 2037 ruid 0 euid 0 pid 25427 sid 25039
Resource /usr/bin/who Resource_owner bin
Recommendation killall uname admin_u pid 25427 da kess; lockout uname admin_u da kess; fixperms fn /usr/bin/who da kess newattr 000; checkcfg da kess name BSM_SYSTEM_BIN_LOCATIONS
Comment relevant params BSM_SYSTEM_BIN_LOCATIONS

WARNING 20 20 7620 BSM_MOD_SYSTEM_RESOURCE Target 130.107.15.118 Count 1
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 1999-12-30 16:19:15.333061 PST
Command creat(2) Parent_cmd /usr/bin/touch Outcome 13
Attacker em_user1
Attacker_attrs auid 50001 ruid 50001 euid 50001 pid 25429 sid 25336
Resource /var/log/nasty Resource_owner not_present
Recommendation killall uname em_user1 pid 25429 da kess; lockout uname em_user1 da kess; checkcfg da kess name BSM_SYSTEM_LOG_LOCATIONS; checkcfg da kess name BSM_SYSTEM_RESOURCE_FILES; checkcfg da kess name BSM_SYSTEM_RESERVED_ACCOUNTS
Comment relevant params BSM_SYSTEM_LOG_LOCATIONS BSM_SYSTEM_RESOURCE_FILES BSM_LAST_RESERVED_ACCOUNT

WARNING 21 21 7695 BSM_SUSPICIOUS_SETUID Target 130.107.15.118 Count 1
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 1999-12-30 16:20:01.183188 PST
Command chmod(2)
12. Change_User_Environ_File
BSM_Illegal_Shadow_Passwd_Access
BSM_Mod_System_Executable

EMERALD eXpert-BSM User's Guide, Page 38

BSM_Root_By_NonAdmin
BSM_Disallowed_File_Read
BSM_Disallowed_File_Exec
BSM_Disallowed_File_Write
BSM_Promiscuous_Mode
BSM_Self_Echo_Alert
BSM_Inetd_Subversion

Configuring the Local Network Address List

eXpert-BSM maintains a local IP address list that is used to distinguish internal from external port connections in those heuristics that deal with network connections. The local network IP address list is located in $Install/resource_object/config/local_netmap.conf. It should enumerate the list of IP addresses that are considered local to your administrative domain. These IP addresses can be enumerated in either of two ways, by subnet mask or by specific IP address:

syntax:  net <network_address>/<network_bits>
     or  host <ip_address or fully qualified hostname>

The optional network_bits field indicates how many of the most significant bits in the network address are considered to be the network (or subnet), while the rest of the bits denote the host. The file can contain any number of net and host entries. The following is an example of specifications of addresses in the local_netmap.conf file:

net 172.16.0.0
net 190.80.20.0/24
host 192.168.1.1
host myhost.mydomain.com

The above entry will inform eXpert-BSM that hosts from the class B network 172
13. Dependent Rules: BSM_PROMISCUOUS_MODE_ATTEMPT
- Purpose: The list of interfaces available on this machine. Use ifconfig -a to list the interface names.
- Default: hme0
  MsgString BSM_EMERALD_NIC_NAMES hme0

3. Parameter BSM_SYSTEM_BIN_LOCATIONS
- Dependent Rules: BSM_MOD_SYSTEM_EXECUTABLE
- Purpose: The list of directories under which system binaries are stored. Alterations of files from these locations are not allowed.
- Default: /bin /usr/bin /usr/local/bin /opt/local/bin /usr/sbin
  MsgString BSM_SYSTEM_BIN_LOCATIONS /bin /usr/bin /usr/local/bin /usr/sbin

EMERALD eXpert-BSM User's Guide, Page 31

  /opt/local/bin

Parameter BSM_SYSTEM_LOG_LOCATIONS
- Dependent Rules: BSM_MOD_SYSTEM_RESOURCES, BSM_SYSTEM_RESOURCE_FILES
- Purpose: The list of directories under which system logging files are stored. Alterations of the log files under these directories by non-authorized users are not allowed.
- Default: /var/log /var/adm
  MsgString BSM_SYSTEM_LOG_LOCATIONS /var/log /var/adm

Parameter BSM_SYSTEM_RESOURCE_FILES
- Dependent Rules: BSM_MOD_SYSTEM_RESOURCES, BSM_SYSTEM_RESOURCE_FILES
- Purpose: An explicit list of files within which security-relevant configuration parameters are stored. Alterations of files in these locations by non-authorized users are not allowed.
- Default: Selected configuration files
  MsgString BSM_SYSTEM_RESOURCE_FILES /etc/group /etc/h
14. PID 25391 Command old utime(2) Ret_Val 0 Error_Number 0 Parent_Command touch Path_List /usr/emerald/em_user2/.rhosts object owner em_user1 (50001)

Test 10: Private File Access, BSM_ACCESS_PRIVATE_FILE. As em_user2, run touch file1, where file1 is a file owned by em_user1 and whose full path begins with the prefix defined as the location of home directories in BSM_USER_HOMES_LOCATION.
Time 1999-12-30 19:13:51.042193 EST UserName em_user2 EffectiveName em_user2 AuditName em_user2 RUID 50002 EUID 50002 AUID 50002 PID 25395 Command old utime(2) Ret_Val -1 Error_Number 13 Parent_Command touch Path_List /export/home/file1 object owner em_user1 (50001)

Test 11: Non-admin Enabled Setuid File, BSM_SUSPICIOUS_SETUID_ENABLER. As em_user1, set the SUID bit on a file that you own, e.g. chmod u+s gurka.
Time 1999-12-30 19:15:02.952379 EST UserName em_user1 EffectiveName em_user1 AuditName em_user1 RUID 50001 EUID 50001 AUID 50001 PID 25402

EMERALD eXpert-BSM User's Guide, Page 62

Command chmod(2) Ret_Val 0 Error_Number 0 Parent_Command chmod Path_List /usr/emerald/em_user1/gurka object owner em_user1 (50001)

Test 12: Non-owner Enabled Setuid File, BSM_SUSPICIOUS_SETUID_ATTACKER. As em_user1, set the SUID bit on a file owned by em_user2. This is a litt
15. Parent_cmd /usr/bin/chmod Outcome 0
Attacker em_user1
Attacker_attrs auid 50001 ruid 50001 euid 50001 pid 25436 sid 25336
Resource /usr/emerald/em_user1/csh Resource_owner em_user1
Recommendation fixperms fn /usr/emerald/em_user1/csh da kess newattr 000; kill pid 25436 sid 25336 da kess; notify uid 50001 da kess; checkcfg da kess name BSM_ADMINISTRATIVE_USER_LIST
Comment relevant params BSM_ADMINISTRATIVE_USER_LIST

WARNING 22 22 7775 BSM_SUSPICIOUS_SETUID Target 130.107.15.118 Count 1
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 1999-12-30 16:20:48.143320 PST
Command chmod(2) Parent_cmd /usr/bin/chmod Outcome 0
Attacker em_user1
Attacker_attrs auid 50001 ruid 50001 euid 50001 pid 25443 sid 25336
Resource /tmp/gurka Resource_owner em_user1
Recommendation fixperms fn /tmp/gurka da kess newattr 000; kill pid 25443 sid 25336 da kess; notify uid 50001 da kess; checkcfg da kess name

EMERALD eXpert-BSM User's Guide, Page 78

BSM_ADMINISTRATIVE_USER_LIST
Comment relevant params BSM_ADMINISTRATIVE_USER_LIST

ATTACK 23 23 7864 BSM_ROOT_BY_NONADMIN Target 130.107.15.118 Count 1
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 1999-12-30 16:21:36.283444 PST
Command old setuid(2) Parent_cmd /usr/bin/su Outcome 0
Atta
16. Version 1.2, available in $Install/doc/Emerald_AMI_1.2_manual.pdf

EMERALD eXpert-BSM User's Guide, Page 50

15 eXpert-BSM Testing

EMERALD provides an extensive test suite of attacks to exercise its host IDS knowledge base. The attack battery is an EMERALD-encoded Solaris BSM data set that can be invoked directly from the Run_eXpert_BSM script: Run_eXpert_BSM TEST. A full test description of the EMERALD host-based attack battery is available in Appendix I. The console alerts produced from the EMERALD host-based attack battery are available for review in Appendix II.

Remember that when testing eXpert-BSM in real-time mode, you must ensure that the session you are mounting test attacks from is not the same session under which you initialized eXpert-BSM; i.e. to initiate a new session, log completely out of the target host.

The use of network-based vulnerability scanners has become a prominent practice in security evaluation procedures. An evaluator pointing a scanner, such as one of the popular commercial or free network-based vulnerability scanners, against a host system with a host-based intrusion detection system such as eXpert-BSM is likely to be disappointed when eXpert-BSM does not react to all elements of the scan.

EMERALD eXpert-BSM User's Guide, Page 51

16 Caveats and Known Bugs

For the latest set of caveats, known bugs and frequently asked questions, visit our current Release Notes at http
17. (config: BSM_USER_ENV_FILES)
- BSM_Illegal_Shadow_Passwd_Access: BSM Monitor observed destructive access to the OS password shadow file occurring through an unknown facility and non-administrative user. (config: BSM_ADMINISTRATIVE_USER_LIST)
- BSM_Mod_System_Executable: BSM Monitor observed the alteration of a system executable. It catches attempts to modify system binaries. This is a highly general heuristic for recognizing common actions that occur after compromise. (config: BSM_SYSTEM_BIN_LOCATIONS)
- BSM_Root_By_NonAdmin: BSM Monitor is capable of maintaining a list of who is and is not allowed to acquire administrative privilege. When a non-administrative user acquires privilege via any facility, this alert is raised. In systems with no strong policy about who is allowed to acquire root, this facility can be disabled. (config: BSM_ADMINISTRATIVE_USER_LIST)
- BSM_Read_Private_File: BSM Monitor allows users to specify sensitive file lists and associate with those lists groups of users who are and are not allowed to reference files in the lists. For more information see Setting a Monitoring Policy: Configuring eXpert-BSM.
- BSM_Write_Private_File: BSM Monitor allows users to specify sensitive file lists and associate with those lists groups of users who are and are not allowed to modify or destroy files in the list. For more information see Setting a Monitoring
18. ebsmgen: set IPC_METHOD = SOCKETS
- EFUNNEL_MODE: Run_eXpert_BSM can be configured to forward its alerts to other subscriber EMERALD correlation, response or visualization services located on remote servers. Connection establishment can be set to (1) filemode, indicating alerts should be sent to the local log file; (2) passive, indicating eXpert-BSM should allow a subscriber running on the EFUNNEL_HOST to connect to it; or (3) initiate, indicating eXpert-BSM should connect into the subscriber on the EFUNNEL_HOST (useful for firewall policies that may prevent eXpert-BSM from connecting out). Filemode is the default.
  set EFUNNEL_MODE = FILEMODE
- EFUNNEL_HOST: If set, this is the host that eXpert-BSM will send its resolver alerts to, if this function was enabled as described above. This parameter is commented out by default, causing Run_eXpert_BSM to prompt the user for the host name. You can give either a hostname or an IP address.
  set EFUNNEL_HOST = consumer.your.domain.org

EMERALD eXpert-BSM User's Guide, Page 28

Configuring the eXpert-BSM Knowledge Base

eXpert-BSM provides parameters for customizing its knowledge base for use in your environment. The parameters are accessible from $Install/resource_object/config/eXpert_config.inc. The complete list of parameters that are available for knowledge base customization is provided below. At a minimum, the operator should closely consider the following parameter
19. emerald@sdl.sri.com

For those who would like to license this component for operational deployment in multi-host, enterprise-wide deployments, we provide a full-featured advanced version of eXpert-BSM which includes the following features:
- Multi-host alert management: with additional components, users can consolidate and analyze alerts from a suite of distributed eXpert-BSM or other EMERALD monitors.
- DBMS services: users can manage and view alerts from a distributed suite of eXpert-BSM or other EMERALD monitors using our relational database interface component. We currently support Oracle and Postgres.
- Alert translation services: additional EMERALD components allow users to translate EMERALD alert reports into a variety of binary and ASCII formats.
- eResponder: a countermeasure invocation system tightly coupled with eXpert-BSM, which provides both automated and manual response directive execution (under development).

Value-added services from SRI: the EMERALD development team can also be engaged for these additional services associated with use of eXpert-BSM.

EMERALD eXpert-BSM User's Guide, Page 3

- Consulting services: SRI can negotiate contracts for technical support, consulting services and feature extensions for use with this and other EMERALD components.
- Knowledge base updates: licensed users will receive any updates to the eXpert-BSM intrusion detection knowledge base produced by S
20. is currently running, shut it down before attempting to uninstall this component.
Remove the eXpert-BSM install directory.
If you want to restore the original BSM audit configuration of the host, as root move to directory /etc/security and untar the file /etc/security/orig_audit_file_<install timestamp>.tar.gz.
If you would like to disable the audit capability of the system, you could follow the procedure in Solaris Audit Installation but use the bsmunconv script instead of bsmconv.
If you have configured eXpert-BSM for autoboot mode, the following files and directories should be removed: /etc/init.d/expert_BSM, /etc/rc2.d/S80eXpert_BSM, /var/adm/securityd

EMERALD eXpert-BSM User's Guide, Page 47

14 eXpert-BSM Report Formats

The EMERALD eXpert-BSM monitor produces three forms of intrusion reports: console alerts, EMERALD resolver alerts, and IDIP alerts.

Console Alert Format

eXpert-BSM produces attack alerts which by default are placed in $Install/_BSM/results/bsm_expert_<timestamp>.log. The console alert format is structured as follows:

1  RepID ThreadID <Severity> <rule> Target <> Count <>
2  Observer <> Observer_location <> Observer_src <>
3  Start_time <> End_time <>
4  Command <> Parent_cmd <> Outcome <>
5  Attacker <>
6  Attacker_attrs <attribute list>
7  Command_arg <>
8  Resource <g
21. local_netmap.conf) to one of the ports in BSM_UNACCEPTABLE_PORT_CONNECTIONS (e.g. 514), provided there is a service responding on the victim port.
Start_time 2000-01-21 11:36:49.118565 EST Command accept(2) Parent_cmd <unknown 137> Outcome
Attacker 130.107.15.118 Attacker_attrs src_port 1903 dst_port 514

Test 27: FTP username guessing, BSM_FTP_UNAME_GUESSER. Connect using FTP and give invalid usernames BSM_MAX_FTP_BADPASSWORDS times within BSM_FAILED_LOGIN_WINDOW.
ftp access Fri Jan 21 09:41:57 2000 subject -1 -1 -1 -1 YA t 214 1052111070 20 text unknown user APA return failure 2
ftp access Fri Jan 21 09:42:03 2000 subject -1 -1 -1 -1 -1 21111 21111 0 20 text unknown user bepa return failure 2
ftp access Fri Jan 21 09:42:16 2000 subject -1 -1 -1 -1 L y 24 712442 FE1 2570 20 text unknown user cepa return failure 2
ftp access Fri Jan 21 09:42:20 2000 subject -1 -1 -1 -1 -1 21113 21113 0 20 text unknown user depa return failure 2
ftp access Fri Jan 21 09:42:30 2000 subject -1 -1 -1 -1 -1 21114 21114 0 20 text unknown user fepa return failure 2

EMERALD eXpert-BSM User's Guide
82522111 msec pooh.emerald.sri 342394836 msec pooh.emerald.sri 292135865 msec pooh.emera
22. Log in as root and move to directory $Install/_BSM. From there run Install_eXpert_BSM.

1. This script first attempts to determine if the installation host is running Solaris 2.6 or newer. If it is not, the following message appears:
   Unsupported operating system X. This version of the EMERALD BSM Monitor is designed for Solaris 6, 7 and 8.
2. If this operating system is supported by this release, the following banner is shown:

EMERALD eXpert-BSM User's Guide, Page 18

**********************************************************************
  eXpert-BSM: BSM monitor installation <timestamp>
**********************************************************************
  EMERALD (tm) Event Monitoring Enabling Responses to Anomalous Live Disturbances
  Copyright 1996-2002 SRI International
  This is an UNPUBLISHED work of SRI International and is not to be used,
  copied or disclosed except as provided in the Software Distribution
  Agreement with SRI International.
  EMERALD, eXpert-BSM, eXpert-Net, eXpert-HTTP, eXpert-SMTP, eXpert-TCP,
  eXpert-UDP, eXpert-FTP, eXpert-ARP, eXpert-Session, eXpert-ICMP,
  eBayes-TCP, M-Correlator, eAggregator are Trademarks of SRI International
**********************************************************************
Hit return to continue
23. modes as follows:

$Install/_BSM/Run_eXpert_BSM
Usage: Run_eXpert_BSM [TEST]  or  Run_eXpert_BSM <bsm_file>
Modes:
  REALTIME  no arguments
  TEST      optional TEST directive invokes eXpert-BSM against the attack battery located in $Install/samples/attack_battery.ebin
  BATCH     optional <bsm_file> provided

Real-time: The advantage of running eXpert-BSM with direct kernel record capture is that it significantly reduces the overhead of secondary storage write and read operations, as well as the expense of secondary storage to maintain a permanent audit file. Instead, eXpert-BSM reads audit records directly from the kernel and alerts about those records representing malicious activity. To begin analysis, move to the eXpert-BSM run directory $Install/_BSM and execute the following command:
  Run_eXpert_BSM

Test Mode: eXpert-BSM can be directed to process an EMERALD-encoded binary audit file to test and illustrate the effectiveness and reporting structure of this component. The binary file $Install/samples/emerald_attack_battery.ebin will automatically be accessed when the TEST flag is set:
  Run_eXpert_BSM TEST

Batch Mode (Post-processing of Solaris Audit Files): eXpert-BSM can be targeted to an arbitrary BSM audit file. To begin analysis, move to the eXpert-BSM run directory $Install/_BSM and execute the following command:
  Run_eXpert_BSM <BSM Audit File>
24. on your system and accessible to the account from which you will run EMERALD.

EMERALD eXpert-BSM User's Guide, Page 16

9 Installing eXpert-BSM

Enabling Solaris Audit Module

Solaris auditing must be configured for auditing before eXpert-BSM is installed. This can be done as follows:

1. Make sure that users are logged off. Log in on the console as root. Reboot the system and from the console log into the system in single-user mode by using telinit (see the init(1M) man page):
   /etc/telinit 1
2. In single-user mode, change directory to /etc/security and run bsmconv:
   cd /etc/security
   ./bsmconv
   This process creates an audit_startup file. Upon completion of bsmconv you will be prompted to reboot. DO NOT reboot until instructed to do so in step 5.
3. Rename /etc/security/audit_startup to something else (see the example below). This is to prevent the audit daemon from starting at system boot. The eXpert-BSM installation contains ebsmprobe, which is a replacement for auditd:
   mv /etc/security/audit_startup /etc/security/audit_startup.we_dont_want_auditd_to_start
4. If there is a line "set abort_enable = 0" in /etc/system, you might want to comment it out by making the first character of the line a star (*). This line is added by bsmconv in Solaris 2.6 and later to disable STOP-A halting. It adds marginal security to a desktop machine but is inconvenient when you need to halt a server from the console.
5. Reboot the syste
25. permissions as specified.
- FILTER <IP address>: if a firewall is available, disallow network connectivity from this indicated IP address.
- CHECKCFG <Host> <Service>: identifies a system service that appears to have been attacked or has died.
- DIAGNOSE <Network Service | Filesystem>: validate the correct operation of the named network service or the availability of the named filesystem.

Line 10 (optional): The primary use of this line is to indicate the relevant user configuration parameters that modify the behavior of the rule that generated this alert.

EMERALD Resolver Alerts

The EMERALD resolver alerts are by default written to $Install/_BSM/results/bsm_alert_<timestamp>.resolver, but could also be sent to other EMERALD components, such as the alert collection application efunnel or an analysis engine on a higher level. Resolver alerts can be displayed by the graphical EMERALD Alert Management Interface described in the following section.

Alert Management Interface

EMERALD provides a unique graphical user interface for managing alerts produced by EMERALD sensors. Using this interface you can view individual alerts, manage incident handling reports, print reports, forward reports via email, and view recommendations on responding to attacks. For more information on the Alert Management Interface, refer to the EMERALD Alert Management Interface User's Guide
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

main(int argc, char **argv)
{
    int i, fd;
    char filename[FILENAME_MAX + 1];

    if (argc != 2) {
        fprintf(stderr, "Usage: %s path\n", argv[0]);
        exit(1);
    }
    fprintf(stdout, "WARNING: This will consume all inodes on the filesystem\n"
            "where %s resides, by creating a very large number of empty\n"
            "files in %s. Hit Ctrl-C NOW if you do not want this to happen.\n"
            "Otherwise hit the return key to proceed.\n", argv[1], argv[1]);
    getchar();
    fprintf(stdout, "Hold on while filling %s\n", argv[1]);
    /* create files until creat() fails with ENOSPC (no inodes left) */
    for (i = 0; 1; i++) {
        filename[0] = '\0';
        sprintf(filename, "%s/file%d", argv[1], i);
        fprintf(stderr, "Filename: %s\n", filename);
        if ((fd = creat(filename, 0)) < 0) {
            perror("creat");
            exit(1);
        }
        close(fd);
    }
}

Start_time: 2000-01-11 12:04:04.631142 EST
Command: creat(2)  Parent_cmd: /usr/bin/tcsh  Outcome: 28

Start_time: 2000-01-11 12:04:09.621150 EST
Command: creat(2)  Parent_cmd: /usr/bin/tcsh  Outcome: 28

Test 24: Attempted root login on non-console terminal (BSM_ATTEMPTED_ROOT_LOGIN)
Try to telnet or rlogin as root.

Start_time: 2000-01-11 12:51:56.836267 EST
Command: login telnet  Parent_cmd: <unknown 12782>  Outcome: 255

Start_time: 2000-01-11 12:52:10.226282 EST
Command: login rlogin  Parent_cmd: <unknown 12785>
win2000
attribute 100666 65533 65533 8388614 137088 0
subject 2 65533 65533 root root 21154 0 0 0 0 0 0 0
return success 0

Test 29: FTP warez activity (BSM_FTP_WAREZ_ACTIVITY)
Upload a file anonymously and then download it in BSM_FTP_WAREZ_COMPLAINT anonymous sessions.

open(2) - read  Fri Jan 21 09:54:25 2000 + 938331667 msec
path /usr/local/ftp/pub/warez/win2000
attribute 100666 65533 65533 8388614 137088 0
subject 2 65533 65533 root root 21156 0 0 0 0 0 0 0
return success 4

Repeated at the following times:
Fri Jan 21 09:55:03 2000 + 937574993 msec
Fri Jan 21 09:55:23 2000 + 417191074 msec
Fri Jan 21 09:55:42 2000 + 416812353 msec
Fri Jan 21 09:55:57 2000 + 506512892 msec
Fri Jan 21 09:56:13 2000 + 416197895 msec
Fri Jan 21 09:56:27 2000 + 25943165 msec
Fri Jan 21 09:56:42 2000 + 95650128 msec

Test 30: Inetd exhaustion (BSM_CLIENT_INET_WATCH)
telnet victim >& /dev/null &; telnet victim >& /dev/null &; etc., for at least BSM_MAX_CLIENT_PROCS_PER_CYCLE connects in total during BSM_EXTERNAL_CONN_THRESHOLD_WINDOW.
NOTE: sisko (5.6) did not produce inetd records, but owl (5.5.1) did.

inetd  Mon Feb 07 19:29:20 2000 + 916180946 msec
subject root root root root root 0 0 0 0 sevenof9.emerald.sri.com
text telnet
ip ad
…1-12 (5.7): … with targv policy break exec

4307306: Stopping C2 auditing does not always stop auditing in the kernel. Patches: 105621-24 (5.6), 106541-12 (5.7), 108875-07 (5.8)

It is VERY IMPORTANT that you make sure that the appropriate patches are installed before you try to run eXpert-BSM. The OS bugs listed above could render your system UNUSABLE when triggered by eXpert-BSM. Use "showrev -p" to see what patches are installed. See also http://sunsolve.Sun.COM for information on bugs and patches.
Do you wish to continue the installation? [Y/N]

You can use the Solaris showrev command to verify that you have a properly patched installation of Solaris before proceeding. If you answer no, the script will exit.

4. Install_eXpert_BS verifies that you are operating as user root. Root is required to modify the audit configuration and to enable real-time access to kernel audit data. If you are not root you will see the following message:

WARNING: Installation process should be run as root.
Do you wish to continue? [y/n]

If you wish to employ eXpert-BSM for real-time use, type n to exit this installation script, become root, and restart the installation process. If you intend to use eXpert-BSM exclusively for batch-mode processing, you may type y and continue. Please note that when you do not run as root, the script cannot correctly determine whether BSM is enabled on your system and yo
/16, subnet 190.80.20, host 192.168.1.1 and host myhost.mydomain.com are local to the administrative domain of the eXpert-BSM host machine.

Configuring the Surveillance Policy for Local File Access

eXpert-BSM provides a facility for specifying a surveillance policy over file reads, writes and executions. Under this policy you may specify groups of users and files (or directories) and then use these groups to specify surveillance policies regarding file accesses.

Please note that this is a surveillance policy that is used to warn about access violations: eXpert-BSM is a passive monitor that cannot prevent the access violations from taking place.

There are three distinct components to be specified within an eXpert-BSM access policy specification. The first, the UserGroups section, allows you to specify groups of users which are then referenced in the access policy. The UserGroups section is specified as follows:

UserGroups
    user_list_1 {user1a user1b}
    user_list_2 {user2a user2b}

The names specified under the user groups should be present as valid login names defined within the password file, and user names can appear in multiple lists.

The second section, FileGroups, allows you to specify a set of files and directories that may be referenced together as a group while enumerating the access policy. The FileGroups section is specified as follows: F
2037  PID: 25350
Command: execve(2)  Ret_Val: 0  Error_Number: 0  Parent_Command: su

Time: 1999-12-30 19:09:33.451448 EST
UserName: bin  EffectiveName: bin  AuditName: admin_u
RUID: 2  EUID: 2  AUID: 2037  PID: 25352
Command: execve(2)  Ret_Val: 0  Error_Number: 0  Parent_Command: ls

Test 6: SUID program execs non-authored program (BSM_EXEC_NON_AUTHOR)
As user em_user1, run a program that is setuid to em_user2 and which exec's a program owned by em_user1.

Time: 1999-12-30 19:10:05.101532 EST
UserName: em_user1  EffectiveName: em_user2  AuditName: em_user1
RUID: 50001  EUID: 50002  AUID: 50001  PID: 25354
Command: execve(2)  Ret_Val: 0  Error_Number: 0  Parent_Command: sample

Test 7: Root Core File Created (BSM_ROOT_CORE_CREATE)
As root, run "touch core" in a directory where there was no core file already.

Time: 1999-12-30 19:10:40.051626 EST
UserName: root  EffectiveName: root  AuditName: admin_u
RUID: 0  EUID: 0  AUID: 2037  PID: 25362
Command: creat(2)  Ret_Val: 3  Error_Number: 0  Parent_Command: touch
Path_List: /export/home/core  object_owner: root (0)

Test 8: Root Core File Access (BSM_ROOT_CORE_ACCESS)
As em_user1, run "file core" on a file called core owned by root, such as the one created for BSM_ROOT_CORE_CREATE.
4 BSM_SPECIAL_USER_EXEC
Target: 130.107.15.118  Count: 1
Observer: eXpert-BSM  Observer_Location: kess  Observer_src: big_test.bsm
Start_time: 1999-12-30 16:09:27.631431 PST
Command: execve(2)  Parent_cmd: /usr/bin/sh  Outcome: 0
Attacker: bin  Attacker_attrs: auid=2037 ruid=2 euid=2 pid=25350 sid=25039
Command_arg: su
Resource: /usr/bin/sh  Resource_owner: bin
Recommendation: killall uname=admin_u pid=25350 da=kess; checkcfg da=kess name=BSM_EXEC_LESS_ACCOUNTS
Comment: relevant params: BSM_EXEC_LESS_ACCOUNTS

ATTACK 7/7/6652 BSM_SPECIAL_USER_EXEC
Target: 130.107.15.118  Count: 1
Observer: eXpert-BSM  Observer_Location: kess  Observer_src: big_test.bsm
Start_time: 1999-12-30 16:09:33.451448 PST
Command: execve(2)  Parent_cmd: /usr/bin/ls  Outcome: 0
Attacker: bin  Attacker_attrs: auid=2037 ruid=2 euid=2 pid=25352 sid=25039
Command_arg: ls
Resource: /usr/bin/ls  Resource_owner: bin
Recommendation: killall uname=admin_u pid=25352 da=kess; checkcfg da=kess name=BSM_EXEC_LESS_ACCOUNTS
Comment: relevant params: BSM_EXEC_LESS_ACCOUNTS

ATTACK 8/8/6676 BSM_EXEC_NON_AUTHOR
Target: 130.107.15.118  Count: 1
Observer: eXpert-BSM  Observer_Location: kess  Observer_src: big_test.bsm
Start_time: 1999-12-30 16:10:05.101532 PST
Command: execve(2)  Parent_cmd: /usr/e
7  Count  lockout uname=em_user1 newperms=000  checkcfg  filter sa=130.107.15.118
Resource: accounting/DBMS/payroll.db  Resource_owner: admin_u
Recommendation: kill uname=root pid=2822 da=kess; filter sa=130.107.15.118 da=kess dp=21; checkcfg da=kess name=accesspolicy.inc
Comment: see accesspolicy.conf; relevant params: BSM_LOCAL_FTPD_UID

WARNING 49/49/12070 BSM_TIME_WARP
Target: 130.107.12.70  Count: 1
Observer: eXpert-BSM  Observer_Location: kess  Observer_src: big_test.bsm
Start_time: 2000-01-21 08:11:13.118565 PST
Command: clock  Parent_cmd: not_present  Outcome: 0
Attacker: non_present  Attacker_attrs: backward drift 1584252 seconds
Recommendation: diagnose scv=systime da=kess currtime=950055325 prevtime=948471073; checkcfg da=kess name=BSM_MAX_BACKWARD_TIME
Comment: relevant params: BSM_MAX_BACKWARD_TIME

appcommon.c:251 NoDataCB: SignificantEvent Interface closed, idle 1009 msec
Event manager saw 12072 events, last seq 12071, max idle 360000 msec
eXpert-BSM event channel closing
P-BEST shutting down
99-12-30 19:18:41.722972 EST
UserName: root  EffectiveName: root  AuditName: admin_u
RUID: 0  EUID: 0  AUID: 2037  PID: 25427
Command: chmod(2)  Ret_Val: 0  Error_Number: 0  Parent_Command: chmod
Path_List: /usr/bin/who  object_owner: bin (2)

Test 18: Unprivileged user changed system resource (BSM_MOD_SYSTEM_RESOURCE)
As em_user1, make a change to a directory in BSM_SYSTEM_LOG_LOCATIONS, e.g. "touch /var/log/nasty".

Time: 1999-12-30 19:19:15.333061 EST
UserName: em_user1  EffectiveName: em_user1  AuditName: em_user1
RUID: 50001  EUID: 50001  AUID: 50001  PID: 25429
Command: creat(2)  Ret_Val: -1  Error_Number: 13  Parent_Command: touch
Path_List: /var/log/nasty

Disabled loadmodule rules; now triggers BSM_SUSPICIOUS_SETUID_ENABLER twice.

Test 19: Root acquired by non-admin user (BSM_ROOT_BY_NONADMIN)
As em_user1, su to root.

Time: 1999-12-30 19:21:36.283444 EST
UserName: root  EffectiveName: root  AuditName: em_user1
RUID: 0  EUID: 0  AUID: 50001  PID: 25446
Command: execve(2)  Ret_Val: 0  Error_Number: 0  Parent_Command: tcsh
Exec_Args: tcsh
Path_List: /usr/bin/tcsh /usr/lib/ld.so.1  object_owner: root (0)

Test 20: Admin SU performed by non-admin user (BSM_SETREUID_BY_NONADMIN)
As em_user1, su to em_admin (also triggered by the su-to-root test).
D 4

Parameter BSM_FAILED_LOGIN_WINDOW
• Dependent Rules: BSM_Reach_Max_BadLogin, BSM_FTP_Passwd_Guesser
• Purpose: Indicates the time window in which the failed logins must occur. That is, if N bad logins occur during S seconds, where N = BSM_MAX_LOGIN_THRESHOLD and S = BSM_FAILED_LOGIN_WINDOW, then a repeated-failed-login warning is raised.
• Default: 180 seconds (3 minutes)
Ulong BSM_FAILED_LOGIN_WINDOW 180

Parameter BSM_MAX_FTP_BADPASSWORDS
• Dependent Rules: BSM_FTP_Passwd_Guesser, BSM_FTP_Username_Guesser
• Purpose: Indicates the number of failed FTP login attempts that must occur before an alert is raised. This applies to failed FTP logins resulting from either bad user names or bad passwords.
• Default: 4 bad usernames or passwords submitted to the FTP authentication service
Ulong BSM_MAX_FTP_BADPASSWORDS 4

Parameter BSM_MAX_NOSPACE_ERRORS
• Dependent Rules: BSM_File_Exhaustion_Threshold
• Purpose: Indicates the number of repeated failed write attempts that must occur during the time window before a filesystem exhaustion alert is raised.
• Default: 8 file write or create failures due to no-space errors per threshold cycle
Ulong BSM_MAX_NOSPACE_ERRORS 8

Parameter BSM_WRITE_ERR_THRESHOLD_WINDOW
• Dependent Rules: BSM_File_Exhaustion_Threshold
• Purpose: The time window, represented in seconds, during which repeated failed write attempts must occur.
• Def
EMERALD eXpert-BSM Evaluation Edition
http://www.sdl.sri.com/emerald

Sun Solaris Host-Based Intrusion Detection System
System Design Laboratory, SRI International
Release Date: April 2002
User's Guide, Version 1.5

EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances
Copyright 1996-2002 SRI International. This is an UNPUBLISHED work of SRI International and is not to be used, copied or disclosed except as provided in the Software Distribution Agreement with SRI International. EMERALD and eXpert-BSM are Trademarks of SRI International.

2001 SRI International, 333 Ravenswood Avenue, Menlo Park, CA 94025-3493. All rights reserved. EMERALD and eXpert-BSM are trademarks of SRI International. SRI International is a nonprofit corporation.

Table of Contents
Notice to Users 3
Quickstart 5
EMERALD eXpert-BSM Overview 6
eXpert-BSM Detection Summary 8
System Requirements 13
Download Instructions 14
Contents of Distribution 15
Pre-Installation Cautions and Caveats 16
Installing eXpert-BSM 17
Configuring eXpert-BSM 27
Operating Instructions 43
Shutdown Instructions 46
Uninstalling eXpert-BSM 47
eXpert-BSM Report Formats 48
eXpert-BSM Testing 51
Caveats and Known Bugs 52
Version Status 53
Credits and Acknowledgements 54
License, Feedback &
ID 130.107.15.118 error 4
invalid password login(telnet) from user em_user1 (UID 50001) on host PID 25456 time 1999-12-30 19:25:04.483990 EST sequence number 1 Etype 6154 machineID 130.107.15.118 error 4

Test 22: Process exhaustion (BSM_PROC_EXHAUST_THRESHOLD)
Make fork fail BSM_MAX_FAILED_PROCS_PER_CYCLE times during BSM_FAILED_PROCS_THRESHOLD_WINDOW. This little C program does the trick:

#include <signal.h>
#include <stdio.h>
#include <errno.h>

main()
{
    /* keep forking in every process until fork() fails */
    while (fork() >= 0)
        ;
    perror("while(fork)");
    /* then kill the whole process group, including this process */
    sigsend(P_PGID, P_MYID, SIGKILL);
}

Be aware that this brings the machine to its knees for several minutes and can have some bizarre effects. Use with great caution.

Start_time: 2000-01-05 20:45:34.375296 EST
Command: fork(2)  Parent_cmd: not_present  Outcome: 11
Attacker: em_user1  Attacker_attrs: auid=50001 ruid=50001 euid=50001 pid=16307 sid=15242

Test 23: File system exhaustion (BSM_FILE_EXHAUST_THRESHOLD)
Make a file system run out of inodes (preferably a floppy disk) and then try to create a file there BSM_MAX_NOSPACE_ERRORS times within BSM_WRITE_ERR_THRESHOLD_WINDOW. This little C program consumes all inodes:

#include <stdio.h>
#include <
INISTRATIVE_USER_LIST

WARNING 15/15/7401 BSM_ROOT_CORE_EVENT
Target: 130.107.15.118  Count: 1
Observer: eXpert-BSM  Observer_Location: kess  Observer_src: big_test.bsm
Start_time: 1999-12-30 16:16:08.512544 PST
Command: coredump  Parent_cmd: not_present  Outcome: 0
Attacker: admin_u  Attacker_attrs: auid=2037 ruid=0 euid=0 pid=25411 sid=25039
Resource: /export/home/core  Resource_owner: root
Recommendation: fixperms fn=/export/home/core da=kess newattr=000

ATTACK 16/16/7528 BSM_ILLEGAL_SHADOW_PASSWD_ACCESS
Target: 130.107.15.118  Count: 1
Observer: eXpert-BSM  Observer_Location: kess  Observer_src: big_test.bsm
Start_time: 1999-12-30 16:17:46.182810 PST
Command: unlink(2)  Parent_cmd: /usr/bin/rm  Outcome: 13
Attacker: em_user1  Attacker_attrs: auid=50001 ruid=50001 euid=50001 pid=25422 sid=25336
Resource: /etc/shadow  Resource_owner: root
Recommendation: killall uname=em_user1 pid=25422 da=kess; lockout uname=em_user1 da=kess; checkcfg da=kess name=BSM_ADMINISTRATIVE_USER_LIST
Comment: relevant params: BSM_ADMINISTRATIVE_USER_LIST

ATTACK 17/17/7553 BSM_PROMISCUOUS_MODE
Target: 130.107.15.118  Count: 1
Observer: eXpert-BSM  Observer_Location: kess  Observer_src: big_test.bsm
Start_time: 1999-12-30 16:18:07.622872 PST
Command: open(2) - read,write  Parent_cmd: /usr/emerald/em_user1/tcpdump  Outcome: 0
Attacker: em
Policy, Configuring eXpert-BSM.
• BSM_Dissallowed_FTP_Read: BSM Monitor observed an FTP process reference the content of a file in violation of the site surveillance policy. For more information see Setting a Monitoring Policy, Configuring eXpert-BSM.
• BSM_Dissallowed_FTP_Write: BSM Monitor observed an FTP process modify the content of a file in violation of the site surveillance policy. For more information see Setting a Monitoring Policy, Configuring eXpert-BSM.
• BSM_Illegal_Execution: BSM Monitor allows users to specify lists of binaries and shell scripts, and to associate with those lists groups of users who are and are not allowed to execute the programs in the list. For more information see Setting a Monitoring Policy, Configuring eXpert-BSM.
• BSM_Promiscuous_Mode: BSM Monitor observed a process open a promiscuous-mode port (e.g. a sniffer) and reports the promiscuous-mode event if the user is not an admin (config: BSM_ADMINISTRATIVE_USER_LIST, BSM_EMERALD_NIC_NAMES).
• BSM_Self_Echo_Alert: BSM Monitor observed a self-ping DoS attack (config: BSM_MAX_ECHOS_RECEIVED, BSM_ECHO_FLOOD_WINDOW).
• BSM_Inetd_Subversion: BSM Monitor observed that an inetd service executable has been overlaid in an illegal manner. This indicates that a root-privileged service has been subverted, for example via a data segment buffer overf
RI. To find out more about the advanced version of eXpert-BSM for production use in multi-host deployments, please contact emerald@sdl.sri.com.

2 Quickstart

This section is intended as a checklist for the minimum steps required to start eXpert-BSM and is provided for your convenience. To utilize the full potential of eXpert-BSM you must read the remainder of this document.

1. Check the System Requirements, especially with respect to Solaris bugs and patches.
2. Before installing eXpert-BSM you must enable BSM auditing. See Enabling Solaris Audit Module for more information on BSM audit configuration.
3. Untar the package and, in the _BS directory, using the user account from which you will run eXpert-BSM (not root). You need to know the name of a group that is allowed to run the monitor and the path to your Java installation.
4. Move to the install _BSM directory, su to root, and as root run the install script Install_eXpert_BS.
5. Go into the resource-object/config directory. In the file local_netmap.conf you need to specify what hosts are internal; see Configuring the Local Network Address List.
6. In the file eXpert-Config.inc, at least list the administrators in the parameter BSM_ADMINISTRATIVE_USER_LIST; see Configuring the eXpert-BSM Knowledge Base.
7. As a user in the group specified during installation, go into the _BSM directory and run Run_eXpert_BSM. The three oper
SM_FTP_Username_Guesser: BSM Monitor observed a series of attempts to submit invalid usernames to the FTP daemon. The FTP daemon responds differently when an invalid account name is submitted; this allows someone to repeatedly attempt FTP logins until a valid name is discovered (config: BSM_MAX_FTP_BADPASSWORDS, BSM_FAILED_LOGIN_WINDOW).
• BSM_Suspicious_Exec_Argument: BSM Monitor is capable of recognizing file accesses with arguments that match a set of known attack names. This is just an indicator that the record is worthy of inspection and is not an attack trigger (config: BSM_SUSPICIOUS_EXEC_LIST).
• BSM_Time_Warp: BSM Monitor observed a movement in local host time greater than N seconds (default 10 min). This is a potential indicator of someone attempting to hide his or her tracks after penetrating a system (config: BSM_MAX_BACKWARD_TIME).
• BSM_Root_Core_Access: BSM Monitor observed an access to a root core file by a non-administrative user. There are known exploits that allow access to the shadow password files by causing a root core dump directly after a failed USER login request.
• BSM_Access_Private_File: BSM Monitor raises a warning indicator when a private file in a non-public location is altered by someone other than the file owner (config: BSM_USER_HOMES_LOCATIONS).
• BSM_Mod_System_Resource: BSM Monitor raises an alert indicator when a non-reserved account user alt
ST, MDT, PT, PST, PDT, or an hour:min offset from GMT such as 9. The ET, CT, MT and PT versions auto-adjust for daylight saving time in these time zones (e.g. ET is EDT between 2 AM on the first Sunday in April and 2 AM on the last Sunday in October, otherwise it is EST) and set the default timezone to standard time.
set Local_Timezone PT

• SETTING DEBUG MODE: eXpert-BSM can operate in debug mode, under which it generates a console debug message for every BSM record it encounters. The settings for this variable are off (default) and on (to produce event-stream debug messages).
set DEBUG_MODE off

• SETTING DELETION PROMPT FOR RESULTS DIRECTORY: You can specify whether Run_eXpert_BSM will prompt you to delete the current contents of the results directory. You can disable this check for non-interactive batch runs by setting this variable to off; on is the default.
set CLEAR_RES_DIR on

• SETTING INVOCATION PROMPT FOR GUI: Run_eXpert_BSM can be configured to prompt the user for GUI invocation. This check can be disabled for non-interactive batch runs by setting this variable to off; on is the default.
set CHECK_GUI_INVOCATION on

• ENABLING IPC TRANSPORT METHOD: IPC_METHOD tells eXpert-BSM that its components shall use Solaris sockets, unnamed pipes, or shared memory. By default, sockets are used for communication between eXpert-BSM and
_user1  Attacker_attrs: auid=50001 ruid=50001 euid=0 pid=25424 sid=25336
Resource: /devices/pseudo/clone@0:hm  Resource_owner: root
Recommendation: killall uname=em_user1 pid=25424 da=kess; lockout uname=em_user1 da=kess; checkcfg da=kess name=BSM_ADMINISTRATIVE_USER_LIST; checkcfg da=kess name=BSM_EMERALD_NIC_NAMES
Comment: relevant params: BSM_ADMINISTRATIVE_USER_LIST, BSM_EMERALD_NIC_NAMES

WARNING 18/18/7591 BSM_MOD_SYSTEM_EXECUTABLE
Target: 130.107.15.118  Count: 1
Observer: eXpert-BSM  Observer_Location: kess  Observer_src: big_test.bsm
Start_time: 1999-12-30 16:18:37.552959 PST
Command: chmod(2)  Parent_cmd: /usr/bin/chmod  Outcome: 0
Attacker: admin_u  Attacker_attrs: auid=2037 ruid=0 euid=0 pid=25426 sid=25039
Resource: /usr/bin/who  Resource_owner: bin
Recommendation: killall uname=admin_u pid=25426 da=kess; lockout uname=admin_u da=kess; fixperms fn=/usr/bin/who da=kess newattr=000; checkcfg da=kess name=BSM_SYSTEM_BIN_LOCATIONS
Comment: relevant params: BSM_SYSTEM_BIN_LOCATIONS

WARNING 19/19/7600 BSM_MOD_SYSTEM_EXECUTABLE
Target: 130.107.15.118  Count: 1
Observer: eXpert-BSM  Observer_Location: kess  Observer_src: big_test.bsm
Start_time: 1999-12-30 16:18:41.722972 PST
Command: chmod(2)  Parent_cmd: /usr/bin/chmod  Outcome: 0
Attacker: admin_u
art_time: 2000-01-14 08:21:49.210476 PST  End_time: 2000-01-14 08:21:49.400490 PST
Command: connect  Parent_cmd: not_present  Outcome: 0
Attacker: 130.107.15.118  Attacker_attrs: target ports 13 9 7 540 512 513 23 21
Recommendation: filter sa=130.107.15.118 da=kess; checkcfg da=kess name=BSM_PORTHIT_WARNING; checkcfg da=kess name=BSM_PORT_ANALYSIS_WINDOW
Comment: relevant params: BSM_PORTHIT_WARNING, BSM_PORT_ANALYSIS_WINDOW

WARNING 35/35/10065 BSM_BAD_PORT_CONNECTION
Target: kess  Count: 1
Observer: eXpert-BSM  Observer_Location: kess  Observer_src: big_test.bsm
Start_time: 2000-01-21 08:36:49.118565 PST
Command: accept(2)  Parent_cmd: <unknown 137>  Outcome: 0
Attacker: 130.107.15.118  Attacker_attrs: src port 1903, dst port 514
Recommendation: filter sa=130.107.15.118 da=kess; checkcfg da=kess name=BSM_MAX_CONN_FACTS; checkcfg da=kess name=BSM_PORT_ANALYSIS_WINDOW
Comment: relevant params: BSM_UNACCEPTABLE_PORT_CONNECTIONS; host and net lists in /usr/emerald/test/final/Emerald_eXpert_BSM_v1.4/resource-object/config/local_netmap.conf

WARNING 36/36/10222 BSM_FTP_USERNAME_GUESSER
Target: kess  Count: 5
Observer: eXpert-BSM  Observer_Location: kess  Observer_src: big_test.bsm
Start_time: 2000-01-21 09:41:57.082521 PST  End_time: 2000-01-21 09:42:30.071862 PST
Attacker: 130.107.12.103  Attacker_attrs:
asswd_Guesser, BSM_FTP_Username_Guesser, BSM_PS_Exploit, BSM_Suspicious_Exec_Argument, BSM_Root_Core_Access, BSM_Access_Private_File, BSM_Make_Temp_Sym, BSM_Mod_System_Resource, BSM_FTP_Anon_Write, BSM_FTP_Warez_Activity, BSM_Setreuid_By_Nonadmin, BSM_Proc_Exhaust_Threshold, BSM_Client_INET_Watch, BSM_File_Exhaust_Threshold, BSM_Attempted_Root_Login, BSM_Suspicious_Setuid, BSM_Port_Sweep, BSM_Suspicious_Port_Probing, BSM_Bad_Port_Connection, BSM_AfterHours_Access, BSM_Buffer_Overflow_Exec, BSM_Special_User_Exec, BSM_Exec_Non_Author, BSM_Change_User_Environ_File, BSM_Self_Echo_Alert, BSM_Illegal_Shadow_Passwd_Access, BSM_Root_By_NonAdmin, BSM_Disallowed_File_Read, BSM_Disallowed_File_Exec, BSM_Disallowed_File_Write, BSM_Promiscuous_Mode, BSM_Mod_System_Executable, BSM_Inetd_Subversion
• Default: All rules enabled
MsgString BSM_ENABLED_HEURISTICS BSM_Time_Warp BSM_Root_Core_Creat BSM_Reach_Max_BadLogin BSM_Root_Core_Event BSM_FTP_Passwd_Guesser BSM_FTP_Username_Guesser BSM_Suspicious_Exec_Argument BSM_AfterHours_Access BSM_Root_Core_Access BSM_Access_Private_File BSM_Mod_System_Resource BSM_FTP_Anon_Write BSM_FTP_Warez_Activity BSM_Setreuid_By_Nonadmin BSM_Client_INET_Watch BSM_Proc_Exhaust_Threshold BSM_File_Exhaust_Threshold BSM_Attempted_Root_Login BSM_Suspicious_Setuid BSM_Port_Sweep BSM_Suspicious_Port_Probing BSM_Bad_Port_Connection BSM_PS_Exploit BSM_Buffer_Overflow_Exec BSM_Special_User_Exec BSM_Exec_Non_Author BSM
at are then instantiated with an EMERALD monitor and which can then be distributed to an appropriate observation point in the computing environment. This enables a spectrum of configurations, from lightweight distributed eXpert signature engines to heavy-duty centralized host-layer eXpert engines such as those constructed for use in eXpert's predecessors NIDES (Next-Generation Intrusion Detection Expert System) and MIDAS (Multics Intrusion Detection Alerting System). In a given environment, P-BEST-based eXperts may be independently distributed to analyze the activity of multiple network services (e.g. FTP, SMTP, HTTP) or network elements (e.g. a router or firewall). As each EMERALD eXpert is deployed to its target, it is instantiated with an appropriate resource object (e.g. an FTP resource object for FTP monitoring), while the eXpert code base remains independent of the analysis target. For more information about the eXpert inference engine design, capabilities and language, see http://www.sdl.sri.com/emerald/pbest-sp99-cr.pdf.

What is EMERALD?

The EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances) environment is a distributed, scalable tool suite for tracking malicious activity through and across large networks. EMERALD introduces a highly distributed, building-block approach to network surveillance, attack isolation and automated response. It combines models from research in distributed high-volume ev
ating modes are described in Operating Instructions. The results will show up in the _BSM/results directory and in the GUI, if you chose to enable and start it.

To confirm that the monitor is working in real-time mode, try the following: in a separate session, log in (not su) as a user not listed as an administrator. Let that user su to a user who is listed as an administrator. That should result in an alert from the monitor. See Appendix I for additional ways to generate alerts.

To shut down the GUI, go to the File menu and choose Exit. To shut down the monitor, run _BSM/Shutdown_eXpert_BSM.

3 EMERALD eXpert-BSM Overview

What is eXpert-BSM?

eXpert-BSM, EMERALD's host-based intrusion detection monitor for Solaris BSM audit trails, encapsulates the most comprehensive knowledge base for detecting misuse in host audit trails that has ever been fielded. Section 4, eXpert-BSM Detection Summary, enumerates the warning and attack heuristics available to the eXpert-BSM inference engine. eXpert-BSM is packaged and distributed as a stand-alone intrusion detection service for detecting insider misuse and security policy violations on Sun Solaris operating systems.

The EMERALD eXpert (pronounced "E-expert") is a highly targetable signature analysis engine based on the expert system shell P-BEST. Under EMERALD's eXpert architecture, event-stream-specific rule sets are encapsulated within resource objects th
audit records, add a single record which has a timestamp that is at least BSM_MAX_BACKWARD_TIME earlier than the previously last record, for example:
cat singlerec.bsm >> big_test.bsm
where singlerec.bsm contains a single accept record with timestamp Fri Jan 21 08:11:13 2000 + 118566453 msec.

Appendix II: Attack Battery Console Alerts

P-BEST runtime library built Wed Oct 6 09:56:34 PDT 1999
User Map /usr/emerald/test/final/Emerald_eXpert_BSM_v1.4/resource-object/config/username_map.conf Loaded Successfully
EMERALD eXpert P-BEST Signature Engine. An unpublished work of SRI International, System Design Laboratory, SRI International. All Rights Reserved. EMERALD(tm) Trademark SRI International.
Direct all comments or questions to emerald-release@sdl.sri.com
Monitor Started Sat Sep 29 17:28:21 2001
Operating from Hostname kess, IP Address 130.107.12.70, Report Log <STDOUT>
Loading Internal IP List /usr/emerald/test/final/Emerald_eXpert_BSM_v1.4/resource-object/config/local_netmap.conf: load complete
Access Policy Configuration File /usr/emerald/test/final/Emerald_eXpert_BSM_v1.4/resource-object/config/accesspolicy.conf Loaded Successfully

ATTACK 1/1/2 BSM_BUFFER_OVERFLOW_EXEC
Target: 197.218.177.69  Count: 1
Observer: eXpert-BSM  Observer_Locati
ault: 60 seconds
Ulong BSM_WRITE_ERR_THRESHOLD_WINDOW 60

Parameter BSM_MAX_CLIENT_PROCS_PER_CYCLE
• Dependent Rules: BSM_Client_INET_Watch
• Purpose: Indicates the number of inetd connections that may occur during the time window. This heuristic is relevant for detecting process-table exhaustion denial of service.
• Default: 8 connections
Ulong BSM_MAX_CLIENT_PROCS_PER_CYCLE 8

Parameter BSM_EXTERNAL_CONN_THRESHOLD_WINDOW
• Dependent Rules: BSM_Client_INET_Watch
• Purpose: The time window, represented in seconds, during which repeated inetd connections are measured.
• Default: 60 seconds
Ulong BSM_EXTERNAL_CONN_THRESHOLD_WINDOW 60

Parameter BSM_MAX_FAILED_PROCS_PER_CYCLE
• Dependent Rules: BSM_PROC_EXHAUST_THRESHOLD
• Purpose: Indicates the number of failed forks observed by eXpert-BSM during the time window. This heuristic is relevant for detecting process-table exhaustion denial of service.
• Default: 8 connections over a 60-second period
Ulong BSM_MAX_FAILED_PROCS_PER_CYCLE 8

Parameter BSM_FAILED_PROCS_THRESHOLD_WINDOW
• Dependent Rules: BSM_PROC_EXHAUST_THRESHOLD
• Purpose: The time window, represented in seconds, during which repeated failed forks may be observed.
• Default: 60 seconds
Ulong BSM_FAILED_PROCS_THRESHOLD_WINDOW 60

Parameter BSM_MAX_ECHOS_RECEIVED
• Dependent Rules: BSM_Self_Echo_Flood
• Purpose: Indicates the number of l
break exec

4307306: Stopping C2 auditing does not always stop auditing in the kernel. Patches: 105621-24 (5.6), 106541-12 (5.7), 108875-07 (5.8)

In addition, there are problems in Solaris 8 (SunOS 5.8) that require patches to be applied for eXpert-BSM to function properly. Those are also covered by patch 108875-07 or newer.

Java environment

The EMERALD Alert Management Interface requires the use of the Java Development Kit (JDK) 1.1.8, which in most cases is installed as part of your standard Sun Solaris installation package. If Java JDK 1.1.8 is not installed on your Solaris platform, you can obtain this package directly from Sun Microsystems at http://www.sun.com/solaris/java.

6 Download Instructions

Evaluation versions of EMERALD eXpert-BSM are available for download to those who apply for registration on our download request page at the following URL: http://www.sdl.sri.com/emerald/releases

By registering your contact information on this page and agreeing to the Software Distribution Agreement and Reporting and Feedback Agreement, you will receive within 5 business days an email message with an appropriate password to decrypt the eXpert-BSM binary release. The binary will require decryption using the GNU Privacy Guard algorithm, available from our registration page or from www.gnupg.org. The release will also require Solaris uncompress and tar. EMERALD eX
cker: em_user1  Attacker_attrs: auid=50001 ruid=0 euid=0 pid=25446 sid=25336
Recommendation: kill pid=25446 sid=25336 da=kess; lockout uname=em_user1 da=kess; checkcfg da=kess name=BSM_ADMINISTRATIVE_USER_LIST; checkcfg da name=BSM_NONADMIN_EXPIRE
Comment: relevant params: BSM_ADMINISTRATIVE_USER_LIST, BSM_NONADMIN_EXPIRE

ATTACK 24/24/7970 BSM_ROOT_BY_NONADMIN
Target: 130.107.15.118  Count: 1
Observer: eXpert-BSM  Observer_Location: kess  Observer_src: big_test.bsm
Start_time: 1999-12-30 16:21:57.423508 PST
Command: old setuid(2)  Parent_cmd: /usr/bin/su  Outcome: 0
Attacker: em_user1  Attacker_attrs: auid=50001 ruid=50000 euid=50000 pid=25448 sid=
Recommendation: kill pid=25448 sid=25336 da=kess; lockout uname=em_user1 da=kess; checkcfg da=kess name=BSM_ADMINISTRATIVE_USER_LIST; checkcfg da BSM_NONADMIN_EXPIRE
Comment: relevant params: BSM_ADMINISTRATIVE_USER_LIST, BSM_NONADMIN_EXPIRE

ATTACK 25/25/8071 BSM_ROOT_BY_NONADMIN
Target: 130.107.15.118  Count: 1
Observer: eXpert-BSM  Observer_Location: kess  Observer_src: big_test.bsm
Start_time: 1999-12-30 16:22:23.663584 PST
Command: old setuid(2)  Parent_cmd: /usr/bin/su  Outcome: 0
Attacker: em_user1  Attacker_attrs: auid=50001 ruid=50002 euid=50002 pid=25451 sid=
Recommendation: kill pid=25451 sid=25336 da=kess; lockout uname=em_user1 da=k
51. ...dress sevenof9.emerald.sri.com, ip port 0x8043, return success 0
Repeated at the following times: Mon Feb 07 19:29:20 2000 +966180837; Mon Feb 07 19:29:21 2000 +46180242; Mon Feb 07 19:29:21 2000 +126183000; Mon Feb 07 19:29:21 2000 +196182216; Mon Feb 07 19:29:21 2000 +266183540; Mon Feb 07 19:29:21 2000 +326185824; Mon Feb 07 19:29:21 2000 +396185327

Test 31: Access policy for direct access
  as         run                                     result    policy
  em_user1   /usr/sbin/iffconfig                     failure   disallowed
  em_user1   /usr/sbin/ifconfig                      success   disallowed
  em_user1   cat /secret/file                        failure   disallowed
  em_user1   cat /accounting/DBMS/payroll.db         success   disallowed
  em_accnt   cat /accounting/DBMS/payroll.db         success   allowed
  em_user1   rm /accounting/DBMS/payroll.db          failure   disallowed
  (a chmod in between)
  em_user1   rm /accounting/DBMS/payroll.db          success   disallowed

Test 32: Access policy with respect to FTP
  FTP in as   run                                            result    policy
  em_user1    get /secret/file file                          failure   disallowed
  em_user1    get /accounting/DBMS/payroll.db payroll.db     success   disallowed
  em_admin    get /secret/file file                          failure   allowed
  em_admin    get /accounting/DBMS/payroll.db payroll.db     success   allowed
  ftp         put ls /bin/ls                                 failure   disallowed (translates to /usr/local/ftp/usr/bin/ls)

Test 33: Time warp (BSM_TIMEWARP)
To the end of the stream of...
52. ...e U.N. Convention on Contracts for the International Sale of Goods to the Agreement.

Reporting and Feedback Agreement
EMERALD eXpert-BSM is made available for your use in the spirit of free software evaluation and for the improvement of security across all computing environments. As a downloader and user of this software you agree to the following terms and conditions:
1. Tell us your experiences using this software. Let us know if eXpert-BSM leads to the detection of any security compromises at your site; if so, please tell us which alert name(s) succeeded in providing useful detections. Tell us if, in your environment, any rules are encountered which repeatedly misfire on what you consider to be normal operating functions.
2. Tell us of any suggestions you may have for additional attack heuristics that you would like us to incorporate in future versions of eXpert-BSM.
3. Tell us of any documentation errors, script failures or system errors that you experience while using eXpert-BSM.
See Contact and Experience Reporting Information for information on how to submit feedback and bug reports.

Contact and Experience Reporting Information
If you experience problems or locate a problem in eXpert-BSM, please inform us using our address emerald-release@sdl.sri.com. We will do our best to incorporate fixes to your problems in the next release of EMERALD eXpert-BSM. We regret that individual end-user support is not possible in this evaluation edi...
53. ...e/core, da=kess, newattr=000)

ATTACK (alert number garbled) 7233 BSM_CHANGE_USER_ENVIRON_FILE
  Target: 130.107.15.118   Count: 1
  Observer: eXpert-BSM   Observer_Location: kess   Observer_src: big_test.bsm
  Start_time: 1999-12-30 16:13:26.812124 PST
  Command: unlink(2)   Parent_cmd: /usr/bin/rm   Outcome: 0
  Attacker: em_user2
  Attacker_attrs: auid=50002 ruid=50002 euid=50002 pid=25393 sid=25372
  Resource: /usr/emerald/em_user2/.rhosts   Resource_owner: em_user1
  Recommendation: fixperms(fn=/usr/emerald/em_user2/.rhosts, da=kess, newattr=000); fixperms(fn=/usr/emerald/em_user2/.rhosts, da=kess, newname=/usr/emerald/em_user2/.rhosts.corrupted_by_em_user2); notify(uid=50001, da=kess); checkcfg(da=kess, name=BSM_USER_ENV_FILES)
  Comment: relevant params BSM_USER_ENV_FILES

WARNING 12 (12) 7254 BSM_ACCESS_PRIVATE_FILE
  Target: 130.107.15.118   Count: 1
  Observer: eXpert-BSM   Observer_Location: kess   Observer_src: big_test.bsm
  Start_time: 1999-12-30 16:13:51.042193 PST
  Command: old utime(2)   Parent_cmd: /usr/bin/touch   Outcome: 13
  Attacker: em_user2
  Attacker_attrs: auid=50002 ruid=50002 euid=50002 pid=25395 sid=25372
  Resource: /export/home/file1   Resource_owner: em_user1
  Recommendation: fixperms(fn=/export/home/file1, da=kess, newattr=000); notify(uid=50001, da=kess); checkcfg(da=kess, name=BSM_USER_HOMES_LOCATIONS)
  Comment: relevant params BSM_USER_HOMES_LOCATION...
54. ...ecurity Daemon Mode (autoboot operation)
The Solaris operating system can be configured to automatically start eXpert-BSM as part of its initialization procedures. This is done by installing the script /etc/init.d/eXpert-BSM and creating a symbolic link /etc/rc2.d/S80eXpert-BSM to that shell script. If you would like to alter the startup ordering position of eXpert-BSM, you can do so by altering the name of the symbolic link. We recommend that if you would like to temporarily disable eXpert-BSM you do so by renaming the symbolic link to /etc/rc2.d/disabled-S80eXpert-BSM (Solaris runs only those /etc/rc2.d entries whose names begin with S or K, so a link renamed this way is ignored at boot). To reinsert eXpert-BSM into the Solaris startup procedure, simply restore the name of the symbolic link.
In Security Daemon mode all eXpert-BSM alert logs are stored in the directory /var/adm/securityd. During the startup and shutdown process, syslog entries are written with facility daemon and severity level notice; they allow the user to determine the state of eXpert-BSM. The following syslog entries are possible:
- "Solaris security daemon mode started": eXpert-BSM has been successfully started.
- "Solaris security daemon mode shutdown": eXpert-BSM has successfully shut down.
- "securityd error: missing argument": a problem has occurred with the /etc/init.d/eXpert-BSM script. Please try re-running Install_eXpert_BSM.
- "securityd: path not located": perhaps the eXpert-BSM installation direc...
55. ...ecve(2)   Parent_cmd: /usr/sbin/ifconfig   Outcome: 0
  Attacker: em_user1
  Attacker_attrs: auid=50001 ruid=50001 euid=50001 pid=2654 sid=2647
  Command_arg: /usr/sbin/ifconfig
  Resource: /usr/sbin/ifconfig   Resource_owner: bin
  Recommendation: killall(uname=em_user1, pid=2654, da=kess); lockout(uname=em_user1, uid=50001, da=kess); checkcfg(da=kess, name=accesspolicy.inc)
  Comment: see accesspolicy.conf

WARNING 43 (43) 11538 BSM_DISALLOWED_FILE_READ
  Target: 130.107.15.118   Count: 1
  Observer: eXpert-BSM   Observer_Location: kess   Observer_src: big_test.bsm
  Start_time: 2000-02-08 10:55:37.079844 PST
  Command: open(2) read   Parent_cmd: /usr/bin/cat   Outcome: (not shown)
  Attacker: em_user1
  Attacker_attrs: auid=50001 ruid=50001 euid=50001 pid=2655 sid=2647
  Resource: /secret   Resource_owner: not_present
  Recommendation: killall(uname=em_user1, pid=2655, da=kess); checkcfg(da=kess, name=accesspolicy.inc)
  Comment: see accesspolicy.conf

WARNING 44 (44) 11553 BSM_DISALLOWED_FILE_READ
  Target: 130.107.15.118
  Observer: eXpert-BSM   Observer_Location: kess   Observer_src: big_test.bsm
  Start_time: 2000-02-08 10:55:48.819615 PST
  Command: open(2) read   Parent_cmd: /usr/bin/cat
  Attacker: em_user1
  Attacker_attrs: auid=50001 ruid=5...
  Resource: /accounting/DBMS/payroll.db
  (the remaining fields of this alert were interleaved in extraction)
56. ...ed attack summaries.

Your responsibilities as an EMERALD eXpert-BSM user
There is no charge to use this application. Support for this evaluation edition is very limited in that the EMERALD team is not able to provide individual support. However, technical support is provided to licensees of the advanced version of eXpert-BSM, called eXpert-BSM Enterprise Edition, which is directly available for licensing from SRI International (contact emerald@sdl.sri.com for pricing information and licensing conditions). By agreeing to the online version of the Software Distribution Agreement and downloading and using the eXpert-BSM evaluation edition, you have agreed to the following terms and conditions:
- You will adhere to the Software Distribution Agreement below.
- You will adhere to the Reporting and Feedback Agreement below.

Software Distribution Agreement
U.S.A. Government Purpose Rights
Contract No. F30602-96-C-0294
Contractor Name: SRI International
Contractor Address: 333 Ravenswood Ave.
The Government's rights to use, modify, reproduce, release, perform, display, or disclose this software are restricted by paragraph (b)(2) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause contained in the above identified contract. Any reproduction of this software or portions thereof marked with this legend must also reproduce the markings.
Non-U.S.A. Government Use Rights
EMERALD eXpe...
57. ...Recommendation: filter(sa=130.107.15.118, da=kess); checkcfg(da=kess, name=BSM_PORTHIT_WARNING); checkcfg(da=kess, name=BSM_PORT_ANALYSIS_WINDOW)
  Comment: relevant params BSM_PORTHIT_WARNING BSM_PORT_ANALYSIS_WINDOW

WARNING (alert number garbled) BSM_SUSPICIOUS_PORT_PROBE
  Target: 130.107.15.118   Count: 4
  Observer: eXpert-BSM   Observer_Location: kess   Observer_src: big_test.bsm
  Start_time: 2000-01-14 08:12:34.378988 PST   End_time: 2000-01-14 08:12:34.468992 PST
  Command: connect   Parent_cmd: target ports 13 540 512 21   Outcome: 0
  Attacker: not_present   Attacker_attrs: (garbled; only the token 1074121479 survives)
  Recommendation: filter(sa=130.107.15.118, da=kess); checkcfg(da=kess, name=BSM_PORTHIT_WARNING); checkcfg(da=kess, name=BSM_PORT_ANALYSIS_WINDOW)
  Comment: relevant params BSM_PORTHIT_WARNING BSM_PORT_ANALYSIS_WINDOW

WARNING 33 (33) 9677 BSM_SUSPICIOUS_PORT_PROBE
  Target: 130.107.12.70   Count: 4
  Observer: eXpert-BSM   Observer_Location: kess   Observer_src: big_test.bsm
  Start_time: 2000-01-14 08:16:33.073903 PST   End_time: 2000-01-14 08:16:33.993933 PST
  Command: connect   Parent_cmd: target ports 25 3137 2321 7   Outcome: 0
  Attacker: not_present
  Recommendation: filter(sa=130.107.15.118, da=kess); checkcfg(da=kess, name=BSM_PORTHIT_WARNING); checkcfg(da=kess, name=BSM_PORT_ANALYSIS_WINDOW)
  Comment: relevant params BSM_PORTHIT_WARNING BSM_PORT_ANALYSIS_WINDOW
  (the columns of the two alerts above were interleaved in extraction; the values shown are those that could be recovered)

ATTACK 34 (34) 9890 BSM_SUSPICIOUS_PORT_PROBE
  Target: 130.107.12.70   Count: 8
  Observer: eXpert-BSM   Observer_Location: kess   Observer_src: big_test.bsm
  St...
58. ...ent correlation methodologies with over a decade of intrusion detection research and engineering experience. The approach is novel in its use of highly distributed, independently tunable surveillance and response monitors that are deployable polymorphically at various layers within a network computing environment (OS, application, network service, TCP/IP). These monitors contribute to a streamlined event analysis system that combines signature analysis with statistical profiling to provide localized real-time protection of the most widely used network services on the Internet. The EMERALD project represents a comprehensive attempt to develop an architecture that inherits well-developed analytical techniques for detecting intrusions and casts them in a framework that is highly reusable, interoperable and scalable in large network infrastructures.
A key aspect of this approach is the introduction of the EMERALD monitors. An EMERALD monitor is dynamically deployed within an administrative domain to provide localized real-time analysis of infrastructure (e.g. routers or gateways) and services (privileged subsystems with network interfaces). An EMERALD monitor may interact with its environment passively (reading activity logs) or actively (via probing) to supplement normal event gathering. As monitors produce analytical results, they disseminate these results asynchronously to other client EMERALD m...
59. ...er: eXpert-BSM   Observer_Location: kess   Observer_src: big_test.bsm
  Start_time: 2000-01-21 09:54:08.188687 PST   End_time: 2000-01-21 09:55:57.506511 PST
  Command: open(2) read   Parent_cmd: /usr/sbin/in.ftpd   Outcome: 0
  Attacker: root
  Attacker_attrs: auid=0 ruid=0 euid=65533 pid=21160 sid=0
  Resource: /usr/local/ftp/pub/warez/win2000   Resource_owner: ftp
  Recommendation: fixperms(fn=/usr/local/ftp/pub/warez/win2000, da=kess, newattr=000); checkcfg(da=kess, name=BSM_FTP_WAREZ_COMPLIANT); checkcfg(da=kess, name=BSM_LOCAL_FTPD_UID)
  Comment: relevant params BSM_FTP_WAREZ_COMPLIANT BSM_LOCAL_FTPD_UID

WARNING 41 (41) 11516 BSM_DISALLOWED_FILE_EXEC
  Target: 130.107.15.118   Count: 1
  Observer: eXpert-BSM   Observer_Location: kess   Observer_src: big_test.bsm
  Start_time: 2000-02-08 10:55:19.470184 PST
  Command: execve(2)   Parent_cmd: /usr/sbin/iffconfig   Outcome: 2
  Attacker: em_user1
  Attacker_attrs: auid=50001 ruid=50001 euid=50001 pid=2653 sid=2647
  Resource: /usr/sbin/iffconfig   Resource_owner: not_present
  Recommendation: killall(uname=em_user1, pid=2653, da=kess); lockout(uname=em_user1, da=kess); checkcfg(da=kess, name=accesspolicy.inc)
  Comment: see accesspolicy.conf

WARNING 42 (42) 11518 BSM_DISALLOWED_FILE_EXEC
  Target: 130.107.15.118   Count: 1
  Observer: eXpert-BSM   Observer_Location: kess   Observer_src: big_test.bsm
  Start_time: 2000-02-08 10:55:26.850043 PST
  Command: ex...
60. ...eries of service ports that collectively indicate a potential selective port scan. (config: BSM_PORT_ANALYSIS_WINDOW)
- BSM_Bad_Port_Connection: BSM Monitor allows specification of a set of network ports that should not be accessed by external clients. BSM Monitor raises an alert when external connections to these ports occur, including the requestor IP address. (config: BSM_UNACCEPTABLE_PORT_CONNECTIONS)
- BSM_Buffer_Overflow_Exec: BSM Monitor observed a buffer overflow attack. This could be triggered by eject, fdformat, ffbconfig, rdist or several other known buffer overflow attacks. It covers the entire class of SUID stack smashing on local applications at initialization.
- BSM_Special_User_Exec: Some reserved accounts are not intended to run processes but rather are present for file ownership purposes. The BSM Monitor raises an alert if it identifies an exec call from a reserved account. (config: BSM_EXEC_LESS_ACCOUNTS)
- BSM_Exec_Non_Author: BSM Monitor raises an alert if it identifies an exec call from a setuid process such that the exec'd file is a program not owned by root or by the SUID user. (config: BSM_LAST_RESERVED_ACCOUNTS)
- BSM_Change_User_Environ_File: BSM Monitor observed the contents of a user's environment files being modified by another user. This is a highly general heuristic for recognizing common actions that occur after compromise...
61. ...ers a system resource log file. This is a highly general heuristic for recognizing common actions that occur after compromise. (config: BSM_SYSTEM_RESOURCE_FILES, BSM_LAST_RESERVED_ACCOUNT, BSM_SYSTEM_LOG_LOCATIONS)
- BSM_FTP_Anon_Write: BSM Monitor observed an anonymous user modifying the filesystem (e.g. writing, deleting, directory creation, chmod). When a file is written, the filename is registered in the fact base and employed by BSM_FTP_Warez_Activity. (config: BSM_ANON_FTP_MONITOR_WINDOW, BSM_LOCAL_FTP_UID)
- BSM_FTP_Warez_Activity: BSM Monitor observed N anonymous users retrieving an anonymously uploaded file that has been registered by the BSM_FTP_Anon_Write rule. (config: BSM_ANON_FTP_MONITOR_WINDOW, BSM_FTP_WAREZ_COMPLAINT, BSM_LOCAL_FTP_UID)
- BSM_Client_INET_Watch: BSM Monitor observed a flood of inetd-based connections from a remote location. These include in.telnetd, in.ftpd and in.fingerd. The process table attack is an example exploit for this rule set. (config: BSM_SUSPICIOUS_EXEC_LIST)
- BSM_Proc_Exhaust_Threshold: BSM Monitor observed process resource exhaustion. This heuristic provides threshold analysis on failed forks. (config: BSM_MAX_FAILED_PROCS_PER_CYCLE, BSM_FAILED_PROC_THRESHOLD_WINDOW)
- BSM_File_Exhaust_Threshold: BSM Monitor observed a series of failed write operations...
62. ...ess; checkcfg(da=kess, name=BSM_ADMINISTRATIVE_USER_LIST); checkcfg(da=kess, name=BSM_NONADMIN_EXPIRE)
  Comment: relevant params BSM_ADMINISTRATIVE_USER_LIST BSM_NONADMIN_EXPIRE

WARNING 26 (26) 8230 BSM_REACH_MAX_BADLOGIN
  Target: kess   Count: 4
  Observer: eXpert-BSM   Observer_Location: kess   Observer_src: big_test.bsm
  Start_time: 1999-12-30 16:25:40.634080 PST
  Command: login telnet   Parent_cmd: /usr/bin/login   Outcome: 1
  Attacker: not_present
  Recommendation: filter(sa=(empty), da=kess); checkcfg(da=kess, name=BSM_MAX_LOGIN_THRESHOLD); checkcfg(da=kess, name=BSM_FAILED_LOGIN_WINDOW)
  Comment: 130.107.15.118 login telnet: invalid user name from invalid_username
  Comment: 130.107.15.118 login telnet: invalid password from em_user2
  Comment: 130.107.15.118 login telnet: invalid password from em_user1
  Comment: 130.107.15.118 login telnet: invalid password from em_user1
  Comment: relevant params BSM_MAX_LOGIN_THRESHOLD BSM_FAILED_LOGIN_WINDOW

WARNING 27 (27) 8569 BSM_PROC_EXHAUST_THRESHOLD
  Target: 130.107.15.118   Count: (garbled)
  Observer: eXpert-BSM   Observer_Location: kess   Observer_src: big_test.bsm
  Start_time: 2000-01-05 17:45:34.375296 PST
  Command: fork(2)   Parent_cmd: not_present   Outcome: 11
  Attacker: em_user1
  Attacke...
63. ...eview if executed on the host. The list can also be employed for site-specific surveillance needs.
- Default: a small set of well-known hacker programs.
  MsgString BSM_SUSPICIOUS_EXEC_LIST: perlmagic rootk ps_exp smurf pepsi nfsshell sniffer slammer satan nmap

Parameter BSM_EXEC_LESS_ACCOUNTS
- Dependent Rules: BSM_Special_User_Exec
- Purpose: A list of user accounts not intended to run processes. These accounts are present strictly for file ownership purposes. Other good candidates include ingress, uucp, nuucp, adm and listen.
- Default: bin sys noaccess
  MsgString BSM_EXEC_LESS_ACCOUNTS: bin sys noaccess

Parameter BSM_USER_ENV_FILES
- Dependent Rules: BSM_Change_User_Environ_File
- Purpose: A list of environment initialization files that should not be modified by anyone other than the owner of the files. Other good candidate files include X server and mail configuration files.
- Default: .cshrc .forward .rhosts .login .logout .profile .tcshrc .bash_login .bash_profile
  MsgString BSM_USER_ENV_FILES: .cshrc .forward .rhosts .login .logout .profile .tcshrc .bash_login .bash_profile

Parameter BSM_USER_HOMES_LOCATION
- Dependent Rules: BSM_Access_Private_File
- Purpose: The top directory under which user home directories are available from the host machine.
- Default: /homes
  Char BSM_USER_HOMES_LOCATION: /homes

Parameter BSM_EMERALD_NIC_NAMES
- ...
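The following is an added example, not the monitor's own implementation: three of the heuristics from the rule list (BSM_Special_User_Exec, BSM_Suspicious_Exec_Argument and BSM_Change_User_Environ_File) re-implemented in Python over constructed audit records laid out like the test output in this manual, using the parameter defaults given above. The record field names, the set of system calls treated as modifications, and the sample records themselves are assumptions for the example; it also shows why the defaults use the substring "rootk" and why a .rhosts inside the actor's own home directory still fires when another uid owns it.

```python
"""Three eXpert-BSM style heuristics over constructed audit records (added example)."""
import os

# Defaults taken from the parameter descriptions above.
BSM_EXEC_LESS_ACCOUNTS = {"bin", "sys", "noaccess"}
BSM_SUSPICIOUS_EXEC_LIST = ["perlmagic", "rootk", "ps_exp", "smurf", "pepsi",
                            "nfsshell", "sniffer", "slammer", "satan", "nmap"]
BSM_USER_ENV_FILES = {".cshrc", ".forward", ".rhosts", ".login", ".logout",
                      ".profile", ".tcshrc", ".bash_login", ".bash_profile"}

# Which system calls count as "modifying" a file is not stated on the page;
# this set is an assumption of the example.
MODIFY_CALLS = {"unlink(2)", "rename(2)", "chmod(2)", "chown(2)", "creat(2)",
                "utime(2)", "truncate(2)", "open(2) - write", "open(2) - read,write"}


def special_user_exec(rec):
    # BSM_Special_User_Exec: an exec by an account that exists only to own files.
    if rec["Command"] == "execve(2)" and rec["EffectiveName"] in BSM_EXEC_LESS_ACCOUNTS:
        return "BSM_SPECIAL_USER_EXEC"
    return None


def suspicious_exec_argument(rec):
    # BSM_Suspicious_Exec_Argument: the program *name* contains a forbidden substring,
    # so "rootk" matches rootkit, rootk2, ... wherever the binary lives.
    if rec["Command"] != "execve(2)":
        return None
    name = os.path.basename(rec["Path_List"]).lower()
    if any(word in name for word in BSM_SUSPICIOUS_EXEC_LIST):
        return "BSM_SUSPICIOUS_EXEC_ARGUMENT"
    return None


def change_user_environ_file(rec):
    # BSM_Change_User_Environ_File: an init file is modified by someone other than its
    # owner. Ownership is compared by uid, not by directory, so a .rhosts in the actor's
    # own home directory that another uid owns still fires.
    if rec["Command"] not in MODIFY_CALLS:
        return None
    if os.path.basename(rec["Path_List"]) not in BSM_USER_ENV_FILES:
        return None
    if rec["object_owner_uid"] != rec["EUID"]:
        return "BSM_CHANGE_USER_ENVIRON_FILE"
    return None


RULES = (special_user_exec, suspicious_exec_argument, change_user_environ_file)


def run_rules(records):
    """Return one (rule, pid, outcome) per firing. Failed attempts still fire and carry
    their errno, the way the manual's alerts report Outcome 13 for a denied access."""
    alerts = []
    for rec in records:
        for rule in RULES:
            name = rule(rec)
            if name:
                outcome = rec["Error_Number"] if rec["Ret_Val"] != 0 else 0
                alerts.append((name, rec["PID"], outcome))
    return alerts


# Constructed records modelled on the manual's test output (not captured from a real host).
SAMPLE_RECORDS = [
    dict(UserName="bin", EffectiveName="bin", AuditName="admin_u", RUID=2, EUID=2,
         AUID=2037, PID=25347, Command="execve(2)", Ret_Val=0, Error_Number=0,
         Parent_Command="sh", Path_List="/usr/bin/ls", object_owner_uid=2),
    dict(UserName="em_user1", EffectiveName="em_user1", AuditName="em_user1", RUID=50001,
         EUID=50001, AUID=50001, PID=25346, Command="execve(2)", Ret_Val=0, Error_Number=0,
         Parent_Command="sh", Path_List="/usr/emerald/em_user1/rootkit", object_owner_uid=50001),
    dict(UserName="em_user2", EffectiveName="em_user2", AuditName="em_user2", RUID=50002,
         EUID=50002, AUID=50002, PID=25393, Command="unlink(2)", Ret_Val=0, Error_Number=0,
         Parent_Command="rm", Path_List="/usr/emerald/em_user2/.rhosts", object_owner_uid=50001),
    dict(UserName="em_user2", EffectiveName="em_user2", AuditName="em_user2", RUID=50002,
         EUID=50002, AUID=50002, PID=25394, Command="open(2) - write", Ret_Val=-1,
         Error_Number=13, Parent_Command="vi", Path_List="/usr/emerald/em_user1/.profile",
         object_owner_uid=50001),
    dict(UserName="em_user1", EffectiveName="em_user1", AuditName="em_user1", RUID=50001,
         EUID=50001, AUID=50001, PID=25400, Command="execve(2)", Ret_Val=0, Error_Number=0,
         Parent_Command="sh", Path_List="/usr/bin/ls", object_owner_uid=2),
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_RECORDS):
        print(alert)
```

The last record is a benign exec by an ordinary user and produces nothing; the fourth shows a denied write (errno 13) that is still reported, since the attempt, not its success, is what these heuristics key on.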
64. ...if root is listed as an admin.
  Time 1999-12-30 19:21:36.283444 EST  UserName root  EffectiveName root  AuditName em_user1  RUID 0  EUID 0  AUID 50001  PID 25446  Command old setuid(2)  Ret_Val 0  Error_Number 0  Parent_Command su
  Time 1999-12-30 19:21:57.423508 EST  UserName em_admin  EffectiveName em_admin  AuditName em_user1  RUID 50000  EUID 50000  AUID 50001  PID 25448  Command old setuid(2)  Ret_Val 0  Error_Number 0  Parent_Command su

Test 21: Maximum Bad Logins Reached (BSM_MAX_BAD_LOGINS)
Make repeated failed logins (invalid user name, login telnet, mixed):
  invalid username/passwd, login telnet, from user invalid_username UID 0 on host, PID 25456, time 1999-12-30 19:25:40.634080 EST, sequence number 1, Etype 6154, machineID 130.107.15.118, error 3
  invalid password, login telnet, from user em_user2 UID 50002 on host, PID 25456, time 1999-12-30 19:25:30.734056 EST, sequence number 1, Etype 6154, machineID 130.107.15.118, error 4
  invalid password, login telnet, from user em_user1 UID 50001 on host, PID 25456, time 1999-12-30 19:25:11.564003 EST, sequence number 1, Etype 6154, machine...
65. ...FileGroups {
  file_list_1 { file1a file1a directory1a }
  file_list_2 { file1a file1a directory1a }
}
Files specified in the file groups should be fully qualified pathnames. You can also specify directories, as shown below in the example access policy specification. Files and directories can appear in multiple lists.

The third section is Policy, within which you specify illegal read, write and execute accesses between users and files. The Policy section is specified as follows:
Policy {
  user_list_1 { nread { file_list_1 file_list_2 } nwrite { file_list_3 file_list_4 } nexec { file_list_5 file_list_6 } }
  user_list_2 { nread { file_list_1 file_list_2 } nwrite { file_list_3 file_list_4 } nexec { file_list_5 file_list_6 } }
}
The policy involves a series of relations defined between user and file groups. For each user group entered in the policy, three possible relations can be specified: nread, nwrite and nexec. nread indicates that users in the associated list are not allowed to read files matching the file lists specified in the bracket clause. Illegal file writes and executions are specified similarly. It is not necessary for every relation to be specified for a user list, and file lists may be empty, indicating no defined restrictions. The following is an exa...
66. ...is Agreement. The license authorizes you to use the Program on one computer or network system and SOLELY for your personal use and evaluation. You agree that you are licensing the Program for its end use only and not for resale or redistribution.
3.1 This license authorizes you to use the Program solely in accordance with this Agreement. You shall not sell, lease, assign, transfer, sub-license, disseminate, modify, translate, duplicate, reproduce or copy the Program, or permit any of the foregoing, or disclose the Program or any information pertaining thereto to any other party without the prior written consent of SRI.
3.2 You may not reverse assemble or reverse compile or otherwise attempt to create the source code from the Program.
4. Confidentiality. You acknowledge that the Program, including the related documentation and any new releases, modifications and enhancements thereto, belongs to SRI and that SRI retains all right, title and interest in and to the Program. You further acknowledge that the Program and information relating thereto constitute valuable trade secrets of SRI. You agree to comply with the terms and conditions of this Agreement and agree to treat the Program as the confidential and proprietary information of SRI.
5. Disclaimer of Warranty. This Program is pre-release code and as such may not operate correctly and may be substantially modified prior to first commercial relea...
67. ...l data, as specified by the associated nread relation. Regular staff may not write to files in the company secrets, programs, payroll or admin tools groups; further, regular staff may not execute admin tools. If eXpert-BSM observes user activity that contradicts this policy, an alert is raised. Management staff are not allowed to modify files in the programs or admin tools file groups, but have unrestricted read and execute access over the entire system. Members of the accounting staff are not allowed to modify files in the programs or admin tools file groups, read company secret files, or execute admin tools.

Dynamically Adjusting eXpert-BSM's Configuration
Modifications to the configuration parameters specified in eXpert-Config.inc, user-name.map, accesspolicy.conf and local_netmap.conf can be recognized dynamically without restarting eXpert-BSM. To do this, send a SIGHUP (see kill(1) for more information on sending SIGHUP signals to processes) to the running eXpert-BSM, and all parameters in these files will be reloaded from disk.

Using the Configuration GUI to Set Parameters
eXpert-BSM provides a Java-based configuration management interface for setting the values of runtime parameters. This interface may be invoked directly from the eXpert-BSM installation program, or it may be invoked at any time using the Run_config script.

11 Operating Instructions
eXpert-BSM can be invoked in three operating...
68. ...ld.sri.com + 752048324 msec; pooh.emerald.sri.com + 71863177 msec; pooh.emerald.sri.com ... (preceding records garbled in extraction)
  ftp access, Fri Jan 21 09:42:36 2000 + 31742396 msec, subject 1 1 1 1 1 21115 21115 0 20 pooh.emerald.sri.com, text "unknown user gepa", return failure 2
  ftp access, Fri Jan 21 09:42:44 2000 + 21586038 msec, subject 1 1 1 1 1 21116 21116 0 20 pooh.emerald.sri.com, text "unknown user hepa", return failure 2

Test 28: FTP password guessing (BSM_FTP_PASSWD_GUESSER)
Connect using FTP and give valid usernames but invalid passwords, BSM_MAX_FTP_BADPASSWORDS times within BSM_FAILED_LOGIN_WINDOW.
  ftp access, Fri Jan 21 09:47:23 2000 + 46354724 msec, subject 50001 50001 512 50001 512 21127 21127 0 20 pooh.emerald.sri.com, text "bad password", return failure 1
  ftp access, Fri Jan 21 09:47:36 2000 + 236091094 msec, subject 50002 50002 512 50002 512 21128 21128 0 20 pooh.emerald.sri.com, text "bad password", return failure 1
  ftp access, Fri Jan 21 09:47:45 2000 + 455911912 msec, subject 50001 50001 512 50001 512 21129 21129 0 20 pooh.emerald.sri.com, text "bad password", return failure 1
  ftp access, Fri Jan 21 09:47:56 2000 + 715689103 msec, subject 50000 50000 512 50000 512 21130 21130 0 20 pooh.emerald.sri.com, text "bad password", return failure 1
  ftp access, Fri Jan 21 09:48:06 2000 + 925481601 msec, subject...
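As an added example (not from the manual or the eXpert-BSM code base), here is the kind of windowed threshold that BSM_FTP_PASSWD_GUESSER applies, run over constructed records modelled on the "ftp access" events above. This excerpt does not show the defaults of BSM_MAX_FTP_BADPASSWORDS and BSM_FAILED_LOGIN_WINDOW, so the threshold values are assumptions, as are the simplified comma-separated record layout (not praudit's exact output) and the FTP_UNKNOWN_USER_GUESSER name used for the unknown-user case. The failure count is keyed by source host rather than by account, so a guesser who rotates through valid accounts, as in the records above, is still caught.

```python
"""Windowed threshold detection for FTP login failures (added example)."""
from collections import defaultdict, deque
from datetime import datetime

# The manual names these parameters; their defaults are not shown in this excerpt,
# so the values here are assumptions for the example.
BSM_MAX_FTP_BADPASSWORDS = 3
BSM_FAILED_LOGIN_WINDOW = 60      # seconds

# Constructed records (not a real capture) in a simplified comma-separated layout:
# event, time, "subject", auid, uid, gid, ruid, rgid, pid, sid, tid, "text", text,
# "return", status, errno.
SAMPLE_RECORDS = """\
ftp access,Fri Jan 21 09:42:36 2000,subject,1,1,1,1,1,21115,21115,0 20 pooh.emerald.sri.com,text,unknown user gepa,return,failure,2
ftp access,Fri Jan 21 09:42:44 2000,subject,1,1,1,1,1,21116,21116,0 20 pooh.emerald.sri.com,text,unknown user hepa,return,failure,2
ftp access,Fri Jan 21 09:47:23 2000,subject,50001,50001,512,50001,512,21127,21127,0 20 pooh.emerald.sri.com,text,bad password,return,failure,1
ftp access,Fri Jan 21 09:47:36 2000,subject,50002,50002,512,50002,512,21128,21128,0 20 pooh.emerald.sri.com,text,bad password,return,failure,1
ftp access,Fri Jan 21 09:47:45 2000,subject,50001,50001,512,50001,512,21129,21129,0 20 pooh.emerald.sri.com,text,bad password,return,failure,1
ftp access,Fri Jan 21 09:47:56 2000,subject,50000,50000,512,50000,512,21130,21130,0 20 pooh.emerald.sri.com,text,bad password,return,failure,1
ftp access,Fri Jan 21 09:48:06 2000,subject,50001,50001,512,50001,512,21131,21131,0 20 pooh.emerald.sri.com,text,,return,success,0
ftp access,Fri Jan 21 09:50:30 2000,subject,50002,50002,512,50002,512,21140,21140,0 20 pooh.emerald.sri.com,text,bad password,return,failure,1
ftp access,Fri Jan 21 09:50:40 2000,subject,50002,50002,512,50002,512,21141,21141,0 20 pooh.emerald.sri.com,text,bad password,return,failure,1
"""


def parse_record(line):
    """Split one constructed record into the fields the detector needs."""
    f = line.split(",")
    when = datetime.strptime(f[1], "%a %b %d %H:%M:%S %Y")
    host = f[10].split()[-1]          # last element of the terminal id is the peer host
    return {"time": when, "auid": int(f[3]), "pid": int(f[8]), "host": host,
            "text": f[12], "status": f[14], "errno": int(f[15])}


def detect(lines, max_failures=BSM_MAX_FTP_BADPASSWORDS, window=BSM_FAILED_LOGIN_WINDOW):
    """Return alerts as (rule, host, count, sorted audit uids seen) tuples.

    Failures are counted per (source host, failure kind) inside a sliding window.
    Unknown-user failures are kept apart from bad-password failures because the
    manual treats them as separate tests. After an alert the window is cleared,
    so one burst yields one alert instead of one per additional failure.
    """
    rules = {"bad password": "BSM_FTP_PASSWD_GUESSER",
             "unknown user": "FTP_UNKNOWN_USER_GUESSER"}    # second name is assumed
    recent = defaultdict(deque)       # (host, kind) -> deque of (time, auid)
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["status"] != "failure":
            continue
        kind = "unknown user" if rec["text"].startswith("unknown user") else rec["text"]
        if kind not in rules:
            continue
        q = recent[(rec["host"], kind)]
        q.append((rec["time"], rec["auid"]))
        while (rec["time"] - q[0][0]).total_seconds() > window:   # expire old failures
            q.popleft()
        if len(q) >= max_failures:
            alerts.append((rules[kind], rec["host"], len(q), sorted({a for _, a in q})))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

With the assumed defaults the sample yields a single BSM_FTP_PASSWD_GUESSER alert at the third bad password; the two failures at 09:50 fall outside the window of the earlier ones and do not re-trigger, and the two unknown-user failures stay below the threshold.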
69. ...le tricky: you need a program which is setuid to em_user2 that performs the chmod operation.
  Time 1999-12-30 19:15:16.402415 EST  UserName em_user1  EffectiveName em_user2  AuditName em_user1  RUID 50001  EUID 50002  AUID 50001  PID 25406  Command chmod(2)  Ret_Val 0  Error_Number 0  Parent_Command chmod  Path_List /usr/emerald/em_user1/file_owned_by_2  object_owner em_user2 (50002)

Test 13: Root core dump event (BSM_ROOT_CORE_EVENT)
As root, run for example "sleep 20" and press Ctrl-\ (hold Control and press backslash) while the program is running to force a core dump.
  Time 1999-12-30 19:16:08.512544 EST  UserName root  EffectiveName root  AuditName admin_u  RUID 0  EUID 0  AUID 2037  PID 25411  Command process dumped core  Ret_Val 0  Error_Number 0  Path_List /export/home/core  object_owner root (0)

Test 14: Suspicious symlink creation (BSM_MAKE_TMP_SYM)
As em_user1, create a symbolic link in /tmp.
  Time 1999-12-30 19:17:15.672732 EST  UserName em_user1  EffectiveName em_user1  AuditName em_user1  RUID 50001  EUID 50001  AUID 50001  PID 25420  Command symlink(2)  Ret_Val 0  Error_Number 0  Parent_Command ln  Path_List /tmp/grepa  object_owner em_user1 (50001)

Test 15: Illegal Shadow Password Access Vi...
70. ...killall(uname=em_user1, pid=2672, da=kess); lockout(uname=em_user1, da=kess); fixperms(fn=/accounting/DBMS/payroll.db, da=kess, newperms=000); checkcfg(da=kess, name=accesspolicy.inc)
  Comment: see accesspolicy.conf

WARNING 47 (47) 11919 BSM_DISALLOWED_FILE_READ
  Target: 130.107.15.118   Count: 1
  Observer: eXpert-BSM   Observer_Location: kess   Observer_src: big_test.bsm
  Start_time: 2000-02-08 16:13:52.837138 PST
  Command: open(2) read   Parent_cmd: /usr/sbin/in.ftpd   Outcome: 2
  Attacker_attrs: auid=0 ruid=0 euid=50001 pid=2822 sid=0
  Resource: /secret   Resource_owner: not_present
  Recommendation: kill(uname=root, pid=2822, da=kess); lockout(uname=em_user1, da=kess); (one action garbled: da=kess dp=21); checkcfg(da=kess, name=accesspolicy.inc)
  Comment: see accesspolicy.conf; relevant params BSM_LOCAL_FTPD_UID

WARNING 48 (48) 11920 BSM_DISALLOWED_FILE_READ
  Target: 130.107.15.118   Count: 1
  Observer: eXpert-BSM   Observer_Location: kess   Observer_src: big_test.bsm
  Start_time: 2000-02-08 16:14:21.076567 PST
  Command: open(2) read   Parent_cmd: /usr/sbin/in.ftpd   Outcome: 0
  Attacker_attrs: auid=0 ruid=0 euid=50001 pid=2822 sid=0
  Recommendation: lockout(uname=em_user1, da=kess); ...
  (the columns of these alerts were interleaved in extraction; the values shown are those that could be recovered)
71. ...low. Examples include the Solaris sadmind data segment overflow exploit. (config: BSM_TCP_WRAPPER)

5 System Requirements
Operating System
The EMERALD eXpert-BSM Monitor requires a Sun Microsystems SPARC platform running one of:
- SunOS 5.6 (Solaris 2.6), service patch 105621-24 or newer
- Solaris 7, service patch 106541-12 or newer
- Solaris 8, service patch 108875-07 or newer
The EMERALD eXpert-BSM monitor generally consumes around 5-12 MB of process space. We recommend running eXpert-BSM on machines with 64 MB or more of memory and 20 MB or more of available disk space on a local drive. For more information on expected process growth refer to the eXpert-BSM FAQ at http://www.sdl.sri.com/emerald/releases/expert-BSM-faq.html.

Caution: Solaris Bugs
If you are attempting to install eXpert-BSM on certain versions of Solaris, you must ensure that the appropriate patches are installed before you try to run eXpert-BSM. The OS bugs listed below could render your system unusable when triggered by eXpert-BSM. Use showrev -p to see what patches are installed and, if needed, visit the Sun Microsystems web page http://sunsolve.sun.com for information on bugs and patches.

  Sun Bug ID | Description                                          | Possible Patch          | OS
  4194454    | auditing to pipe causes system to panic              | 105621-24 / 106541-12   | 5.6 / 5.7
  4229414    | Solaris 7 64-bit BSM auditing with argv policy ...   | 106541-12               | 5.7
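A pre-flight check for the requirement above, added here as an example rather than taken from the manual or the installer: it parses saved output of showrev -p, finds the highest installed revision of the patch the table requires for the running release, and refuses the release if the patch is missing or too old. The showrev excerpt is constructed for the example and the function and message wording are this example's own; only the three patch numbers come from the page.

```python
"""Check Solaris patch levels against the manual's requirements (added example)."""
import re

# Minimum patch revision per SunOS release, from the System Requirements list above.
REQUIRED_PATCH = {"5.6": ("105621", 24), "5.7": ("106541", 12), "5.8": ("108875", 7)}

PATCH_LINE = re.compile(r"^Patch:\s+(\d+)-(\d+)")


def installed_patches(showrev_output):
    """Map patch id -> highest installed revision, parsed from `showrev -p` text."""
    best = {}
    for line in showrev_output.splitlines():
        m = PATCH_LINE.match(line)
        if m:
            pid, rev = m.group(1), int(m.group(2))
            best[pid] = max(best.get(pid, 0), rev)
    return best


def audit_patch_ok(os_release, showrev_output):
    """Return (ok, message) for the patch the manual requires on os_release."""
    if os_release not in REQUIRED_PATCH:
        return False, "unsupported release %s; eXpert-BSM requires SunOS 5.6, 5.7 or 5.8" % os_release
    pid, minrev = REQUIRED_PATCH[os_release]
    have = installed_patches(showrev_output).get(pid)
    if have is None:
        return False, "patch %s-%02d missing; do not start eXpert-BSM" % (pid, minrev)
    if have < minrev:
        return False, "patch %s-%02d installed but %s-%02d or newer required" % (pid, have, pid, minrev)
    return True, "patch %s-%02d satisfies %s-%02d" % (pid, have, pid, minrev)


# Constructed `showrev -p` excerpt for the stand-alone run (not from a real host).
SAMPLE_SHOWREV = """\
Patch: 108875-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 108875-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 108528-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
"""

if __name__ == "__main__":
    # On a real host: audit_patch_ok(platform.release(),
    #                                subprocess.check_output(["showrev", "-p"], text=True))
    ok, msg = audit_patch_ok("5.8", SAMPLE_SHOWREV)
    print("OK" if ok else "FAIL", msg)
```

Taking the highest listed revision matters because older revisions of a patch can remain listed beside the current one; comparing only the first match would reject a host that is in fact patched.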
72. ...m into multiuser mode: /usr/sbin/reboot
6. Running the following command as root after reboot should indicate "audit condition = unset": /usr/sbin/auditconfig -getcond
For more information consult the SunShield Basic Security Module Guide for Solaris, available from http://docs.sun.com.

Security Recommendation
eXpert-BSM requires privilege only to capture the audit records from the kernel. This privileged function has been isolated into an independent probe process, which can be granted setuid capability independently from the rest of the eXpert-BSM process chain. We recommend the following setup strategy (advisory only, not required):
1. Create an exclusive account for running eXpert-BSM, called emerald, and an exclusive group with the same name.
2. Extract the eXpert-BSM package into the target $Install directory, owned by the emerald account.
3. Limit accessibility of the directory to the emerald account.

Setup Instructions
Log in with root privilege, invoke the script Install_eXpert_BSM and follow the directions.
Note: The eXpert-BSM process chain does not audit itself. There is no need to configure /etc/security/audit_user to exclude user emerald.

Installation Sample Dialog with Explanation
This section describes the individual steps involved in the installation of eXpert-BSM. Additional commentary is numbered. To begin installation...
73. .../usr/emerald/em_user1/sample   Outcome: 0
  Attacker: em_user1
  Attacker_attrs: auid=50001 ruid=50001 euid=50002 pid=25354 sid=25336
  Command_arg: sample
  Resource: /usr/emerald/em_user1/sampl   Resource_owner: em_user1
  Recommendation: killall(uname=em_user1, pid=25354, da=kess); fixperms(fn=/usr/emerald/em_user1/sampl, da=kess, newattr=000); notify(uid=50001, da=kess); checkcfg(da=kess, name=BSM_LAST_RESERVED_ACCOUNT)
  Comment: relevant params BSM_LAST_RESERVED_ACCOUNT

WARNING 9 (9) 6743 BSM_ROOT_CORE_CREATE
  Target: 130.107.15.118   Count: 1
  Observer: eXpert-BSM   Observer_Location: kess   Observer_src: big_test.bsm
  Start_time: 1999-12-30 16:10:40.051626 PST
  Command: creat(2)   Parent_cmd: /usr/bin/touch   Outcome: 0
  Attacker: admin_u
  Attacker_attrs: auid=2037 ruid=0 euid=0 pid=25362 sid=25039
  Resource: /export/home/cor   Resource_owner: root
  Recommendation: fixperms(fn=/export/home/cor, da=kess, newattr=000)

WARNING 10 (10) 6834 BSM_ROOT_CORE_ACCESS
  Target: 130.107.15.118   Count: 1
  Observer: eXpert-BSM   Observer_Location: kess   Observer_src: big_test.bsm
  Start_time: 1999-12-30 16:11:09.361710 PST
  Command: open(2) read   Parent_cmd: /usr/bin/file   Outcome: 13
  Attacker: em_user1
  Attacker_attrs: auid=50001 ruid=50001 euid=50001 pid=25368 sid=25336
  Resource: /export/home/cor   Resource_owner: root
  Recommendation: kill(pid=25368, sid=25336, da=kess); fixperms(fn=/export/hom...
74. ...mple EMERALD access policy specification:

UserGroups {
  RegStaff { em_user1 em_user2 }
  Management { em_admin }
  Accnt { em_acct }
}
FileGroups {
  Programs { /bin /usr/bin /usr/local/bin /usr/local/ftp/bin }
  Admtools { /etc/bin /etc/sbin /usr/sbin /sbin }
  CompanySecrets { /secret }
  Payroll { /accounting/DBMS/payroll.db }
}
Policy {
  RegStaff   { nread { CompanySecrets Payroll } nwrite { CompanySecrets Programs Payroll Admtools } nexec { Admtools } }
  Management { nread { } nwrite { Programs Admtools } nexec { } }
  Accnt      { nwrite { Programs Admtools } nread { CompanySecrets } nexec { Admtools } }
}

In the above example, which illustrates a valid access policy specification, there exists a small group of regular staff defined as em_user1 and em_user2, a management staff with one manager, em_admin, and an accounting group consisting of the user em_acct. Four file groups are defined. The first is the Programs group, where programs are defined as being located in /bin, /usr/bin, /usr/local/bin and /usr/local/ftp/bin. An administrative tools group (Admtools) consists of files in /etc/bin, /etc/sbin, /usr/sbin and /sbin. A directory containing company secrets is named /secret. A payroll file group consists of a file called /accounting/DBMS/payroll.db. The access policy is now ready to be specified. In the example, regular staff are not allowed to read company secrets or payrol...
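The policy above, parsed and enforced by a small evaluator, as an added example that is not eXpert-BSM's own policy engine. The manual's delimiters were lost in extraction, so the "Name: members" and "nread {...}" layout used here is an assumption, as are the slashes restored in the paths; the accesses checked at the bottom are the ones exercised in the manual's Test 31. Two points the prose does not spell out are made explicit: a directory entry in a file group covers everything beneath it, and a user who belongs to no group is not restricted at all, so the example also reports such users.

```python
"""Evaluate an eXpert-BSM style access policy (added example, hypothetical syntax)."""
import re
from collections import defaultdict

# Constructed from the example policy on the page; the ':' and '{ }' layout is assumed.
SAMPLE_POLICY = """
UserGroups
  RegStaff: em_user1 em_user2
  Management: em_admin
  Accnt: em_acct
FileGroups
  Programs: /bin /usr/bin /usr/local/bin /usr/local/ftp/bin
  Admtools: /etc/bin /etc/sbin /usr/sbin /sbin
  CompanySecrets: /secret
  Payroll: /accounting/DBMS/payroll.db
Policy
  RegStaff: nread {CompanySecrets Payroll} nwrite {CompanySecrets Programs Payroll Admtools} nexec {Admtools}
  Management: nwrite {Programs Admtools}
  Accnt: nwrite {Programs Admtools} nread {CompanySecrets} nexec {Admtools}
"""

RELATION_RE = re.compile(r"(nread|nwrite|nexec)\s*\{([^}]*)\}")
OP_TO_RELATION = {"read": "nread", "write": "nwrite", "exec": "nexec"}


def parse_policy(text):
    """Return (user_groups, file_groups, policy); policy maps group -> relation -> file groups."""
    user_groups, file_groups = {}, {}
    policy = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("UserGroups", "FileGroups", "Policy"):
            section = line
            continue
        name, _, body = line.partition(":")
        name = name.strip()
        if section == "UserGroups":
            user_groups[name] = body.split()
        elif section == "FileGroups":
            file_groups[name] = body.split()
        elif section == "Policy":
            for relation, groups in RELATION_RE.findall(body):
                policy[name][relation].extend(groups.split())
        else:
            raise ValueError("line outside any section: %r" % raw)
    return user_groups, file_groups, policy


def path_in_group(path, entries):
    """A file group entry matches the path itself or, for a directory, anything beneath it."""
    return any(path == e or path.startswith(e.rstrip("/") + "/") for e in entries)


def check_access(user, op, path, parsed):
    """'disallowed' if any relation forbids user doing op on path, else 'allowed'.

    The decision is made on the attempted access, not on whether the syscall
    succeeded: Test 31 reports both the failed and the successful ifconfig exec
    as disallowed. A user in no group is unrestricted.
    """
    user_groups, file_groups, policy = parsed
    relation = OP_TO_RELATION[op]
    for group, members in user_groups.items():
        if user not in members:
            continue
        for fgroup in policy.get(group, {}).get(relation, []):
            if path_in_group(path, file_groups.get(fgroup, [])):
                return "disallowed"
    return "allowed"


def unassigned_users(parsed, observed_users):
    """Users seen in the audit stream that no group covers; they bypass the policy."""
    covered = {u for members in parsed[0].values() for u in members}
    return sorted(set(observed_users) - covered)


if __name__ == "__main__":
    parsed = parse_policy(SAMPLE_POLICY)
    for user, op, path in [("em_user1", "exec", "/usr/sbin/ifconfig"),
                           ("em_user1", "read", "/secret/file"),
                           ("em_user1", "read", "/accounting/DBMS/payroll.db"),
                           ("em_acct", "read", "/accounting/DBMS/payroll.db"),
                           ("em_user1", "write", "/accounting/DBMS/payroll.db")]:
        print(user, op, path, "->", check_access(user, op, path, parsed))
    print("uncovered users:", unassigned_users(parsed, ["em_user1", "root", "nobody"]))
```

Before trusting a policy file, run the audit stream's user set through unassigned_users: root and service accounts are typically absent from every group and therefore silently unrestricted.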
75. ...ocal pings that must be observed during the time window before the self-ping denial-of-service alert is raised.
- Default: 30 echoes received in this cycle (see BSM_ECHO_FLOOD_WINDOW)
  Ulong BSM_MAX_ECHOS_RECEIVED: 30

Parameter BSM_ECHO_FLOOD_WINDOW
- Dependent Rules: BSM_Self_Echo_Flood
- Purpose: The time window, in seconds, during which the repeated echo flood must occur.
- Default: 60 seconds
  Ulong BSM_ECHO_FLOOD_WINDOW: 60

Parameter BSM_UNACCEPTABLE_PORT_CONNECTIONS
- Dependent Rules: BSM_Alert_On_Port
- Purpose: List of TCP ports to which external clients should not connect.
- Default: ports 53 (dns), 143 (imap), 514 (listed as syslog; note that 514/tcp is the rsh shell service, syslog uses 514/udp)
  Ulong BSM_UNACCEPTABLE_PORT_CONNECTIONS: 53 143 514

Parameter BSM_NONADMIN_EXPIRE
- Dependent Rules: BSM_Root_By_Nonadmin
- Purpose: Once an alert is raised indicating that a non-administrative user is operating as an administrator, eXpert-BSM suppresses repeated alerts of this condition for a duration of BSM_NONADMIN_EXPIRE seconds.
- Default: 600 seconds (10 minutes)
  Ulong BSM_NONADMIN_EXPIRE: 600

Parameter BSM_FTP_WAREZ_COMPLAINT
- Dependent Rules: BSM_FTP_Warez_Activity
- Purpose: In some environments an external anonymous user may be permitted to upload a file. This capability is subject to several abuses, including the potential for turning the target host into a warez site. This variable specifies the number of times an anonymou...
76. olation (BSM_ILLEGAL_SHADOW_PASSWD_ACCESS): As em_user1, run rm /etc/shadow (make sure you are NOT root).

Time 1999-12-30 19:17:46.182810 EST UserName em_user1 EffectiveName em_user1 AuditName em_user1 RUID 50001 EUID 50001 AUID 50001 PID 25422
Command unlink(2) Ret_Val 1 Error Number 13 Parent Command rm
Path List /etc/shadow object owner root(0)

Test 16: Promiscuous mode succeeded by non-admin user (BSM_PROMISCUOUS_MODE): As em_user1, run a setuid-root program which sets the network interface in promiscuous mode, e.g. tcpdump.

Time 1999-12-30 19:18:07.622872 EST UserName em_user1 EffectiveName root AuditName em_user1 RUID 50001 EUID 0 AUID 50001 PID 25424
Command open(2) read,write Ret_Val 3 Error Number 0 Parent Command tcpdump
Path List /devices/pseudo/clone@0:hme object owner root(0)

Test 17: Alteration to system executable (BSM_MOD_SYSTEM_EXECUTABLE): As root, make a modification to something in /usr/bin, e.g. chmod g[+/-]x /usr/bin/who, and change it back again.

Time 1999-12-30 19:18:37.552959 EST UserName root EffectiveName root AuditName admin_u RUID 0 EUID 0 AUID 2037 PID 25426
Command chmod(2) Ret_Val 0 Error Number 0 Parent Command chmod
Path List /usr/bin/who object_owner bin(2)
Time 19
77. ome [illegible] ruid 50001 euid 50001 pid 2657 sid [illegible]
Resource_owner em_accnt
Recommendation killall uname em_user1 pid 2657 da kess; checkcfg da kess name accesspolicy.inc
Comment see accesspolicy.conf

WARNING 45 45 11794 BSM_DISALLOWED_FILE_WRITE Target 130.107.15.118 Count [illegible]
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 2000-02-08 10:56:35.328695 PST
Command unlink(2) Parent_cmd /usr/bin/rm Outcome 13
Attacker em_user1 Attacker_attrs auid 50001 ruid 50001 euid 50001 pid 2667 sid [illegible]
Resource /accounting/DBMS/payroll.db Resource_owner em_accnt
Recommendation killall uname em_user1 pid 2667 da kess; checkcfg da kess name accesspolicy.inc; fixperms fn /accounting/DBMS/payroll.db da kess
Comment see accesspolicy.conf

WARNING 46 46 11840 BSM_DISALLOWED_FILE_WRITE Target 130.107.15.118 Count [illegible]
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 2000-02-08 10:57:17.887843 PST
Command unlink(2) Parent_cmd /usr/bin/rm Outcome 0
Attacker em_user1 Attacker_attrs auid 50001 ruid 50001 euid 50001 pid 2672 sid [illegible]
Resource /accounting/DBMS/payroll.db Resource_owner em_accnt
Recommendation ki
78. on kess Observer_src big_test.bsm
Start_time 1998-07-29 16:27:29.562456 PDT
Command execve(2) Parent_cmd /usr/bin/ps Outcome 0
Attacker user_v Attacker_attrs auid 2053 ruid 2053 euid 0 pid 5593 sid 5584
Command_arg ps
Resource /usr/bin/ps Resource_owner root
Recommendation lockout uname user_v da kess; killall uname user_v pid 5593 da kess
Comment root compromise

WARNING 2 2 6309 BSM_SELF_ECHO_ALERT Target 130.107.12.70 Count 6306
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 1999-04-05 17:17:10.001999 PDT End_time 1999-04-05 17:18:09.992008 PDT
Command echo Parent_cmd inetd Outcome 0
Attacker 172.16.114.50
Recommendation checkcfg da kess name BSM_MAX_ECHOS_RECEIVED; checkcfg da kess name BSM_ECHO_FLOOD_WINDOW
Comment relevant params BSM_MAX_ECHOS_RECEIVED BSM_ECHO_FLOOD_WINDOW

ATTACK 3 3 6562 BSM_BUFFER_OVERFLOW_EXEC Target 130.107.15.118 Count 1
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
[Page 74]
Start_time 1999-12-30 16:08:13.371242 PST
Command execve(2) Parent_cmd /usr/bin/eject Outcome 0
Attacker admin_u Attacker_attrs auid 2037 ruid 2037 euid [illegible] pid 25345 sid 24792
Command_arg eject
Resource /usr/bin/eject Resource_owner ro
79. onitors. Client monitors may operate at the domain layer, correlating results from service-layer monitors, or at the enterprise layer, correlating results produced across domains. Under the EMERALD framework, a layered analysis hierarchy may be formed to support the recognition of more global threats to interdomain connectivity, including coordinated attempts to infiltrate or destroy connectivity across an enterprise. The monitors themselves stand alone as independently tunable, self-contained analysis modules with a well-defined interface for sharing and receiving event data and analytical results with third-party security services. An EMERALD monitor performs either signature analysis or probabilistic anomaly detection, or both, on a target event stream. EMERALD's signature analysis subsystem employs a variant of the P-BEST expert system, which allows administrators to instantiate a rule set customized to detect predefined problem activity occurring on the analysis target. Underlying the deployment of an EMERALD monitor is the selection of a target-specific event stream. The event stream is derived from a variety of sources, including audit data, network datagrams, SNMP traffic, application logs, and analysis results from other intrusion detection instrumentation. The event stream is parsed, filtered, and formatted by the target-specific event collection methods provided by the monitor's pluggable configuration library, referred to as the reso
80. osts.equiv /etc/inittab /etc/motd /etc/resolv.conf /etc/netconfig /etc/nfssec.conf /etc/printcap /etc/system /etc/inetd.conf /etc/inet/inetd.conf /etc/printers.conf /etc/inet/ntp.conf /etc/hosts.deny /etc/hosts.allow /etc/nsswitch.conf /etc/defaultrouter /etc/syslog.conf /etc/defaultdomain /etc/resolv.conf /etc/hostname.hme0

Parameter BSM_LAST_RESERVED_ACCOUNT
- Dependent Rules: BSM_Mod_System_Resources
- Purpose: Indicates the last privileged UID present on the system. Unix systems often, by convention, will assign privileged or other system accounts low-number UIDs, e.g. between 0 and 100. Such accounts include root, sys, bin, daemon, ftp, uucp and lp. If the target host employs this convention, then assign to this variable the last system account ID. If not, set this value to the last UID [to] disable its use.
[Page 32]
- Default: UID 100
Ulong BSM_LAST_RESERVED_ACCOUNT 100

Parameter BSM_LOCAL_FTPD_UID
- Dependent Rules: BSM_FTP_Anon_Write, BSM_FTP_Warez_Activity
- Purpose: For environments in which a non-zero UID is employed for the ftpd system process.
- Default: UID 0
Ulong BSM_LOCAL_FTPD_UID 65533

Parameter BSM_MAX_LOGIN_THRESHOLD
- Dependent Rules: BSM_Reach_Max_BadLogin
- Purpose: Indicates the number of bad logins that must occur during the FAILED_LOGIN_WINDOWS before a warning is raised for repeated failed logins.
- Default: 4
Ulong BSM_MAX_LOGIN_THRESHOL
81. ot
Recommendation lockout uname admin_u da kess; killall uname admin_u pid 25345 da kess
Comment root compromise

WARNING 4 4 6575 BSM_SUSPICIOUS_EXEC_ARGUMENT Target 130.107.15.118 Count 1
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 1999-12-30 16:08:51.011335 PST
Command execve(2) Parent_cmd /usr/bin/anyexploitany Outcome 2
Attacker em_user1 Attacker_attrs auid 50001 ruid 50001 euid 50001 pid 25346 sid 25336
Resource /usr/bin/anyexploitany Resource_owner not_present
Recommendation fixperms fn /usr/bin/anyexploitany da kess newattr 000; checkcfg da kess name BSM_SUSPICIOUS_EXEC_LIST
Comment relevant params BSM_SUSPICIOUS_EXEC_LIST

WARNING 5 5 6576 BSM_SUSPICIOUS_EXEC_ARGUMENT Target 130.107.15.118 Count 1
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 1999-12-30 16:08:51.011335 PST
Command execve(2) Parent_cmd /usr/emerald/em_user1/anyexploitany Outcome 2
Attacker em_user1 Attacker_attrs auid 50001 ruid 50001 euid 50001 pid 25346 sid 25336
Resource /usr/emerald/em_user1/anyexploitany Resource_owner not_present
Recommendation fixperms fn /usr/emerald/em_user1/anyexploitany da kess newattr 000; checkcfg da kess name BSM_SUSPICIOUS_EXEC_LIST
Comment relevant params BSM_SUSPICIOUS_EXEC_LIST

ATTACK 6 6 664
82. ource_owner ftp
Recommendation reset sa 130.107.12.103 da kess dp 21; kill pid 21147 sid 0 da kess; checkcfg da kess name BSM_ANON_FILE_EXPIRE; checkcfg da kess name BSM_LOCAL_FTPD_UID; checkcfg da kess name BSM_ANON_FTP_MONITOR_WINDOW; checkcfg da kess name BSM_FTP_UPLOAD_PATHS
Comment relevant params BSM_ANON_FILE_EXPIRE BSM_LOCAL_FTPD_UID BSM_ANON_FTP_MONITOR_WINDOW BSM_FTP_UPLOAD_PATHS
[Page 81]

ATTACK 39 39 10693 BSM_FTP_ANON_WRITE Target kess Count 1
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 2000-01-21 09:54:08.168688 PST
Command open(2) write,creat,trunc Parent_cmd /usr/sbin/in.ftpd Outcome 0
Attacker 130.107.12.103 Attacker_attrs auid 0 ruid 0 euid 65533 pid 21154 sid 0
Resource /usr/local/ftp/pub/warez/win2000 Resource_owner ftp
Recommendation reset sa 130.107.12.103 da kess dp 21; kill pid 21154 sid 0 da kess; checkcfg da kess name BSM_ANON_FILE_EXPIRE; checkcfg da kess name BSM_LOCAL_FTPD_UID; checkcfg da kess name BSM_ANON_FTP_MONITOR_WINDOW; checkcfg da kess name BSM_FTP_UPLOAD_PATHS
Comment relevant params BSM_ANON_FILE_EXPIRE BSM_LOCAL_FTPD_UID BSM_ANON_FTP_MONITOR_WINDOW BSM_FTP_UPLOAD_PATHS

WARNING 40 40 710949 BSM_FTP_WAREZ_ACTIVITY Target not_present Count 5
Observ
83. pert-BSM User's Guide, Page 14

7 Contents of Distribution

The following files are contained in this distribution of the EMERALD eXpert-BSM Monitor (indentation indicates containment):

doc/                           Documentation directory
    Emerald_AMT.pdf            Java GUI User's Guide
    user_manual_1.2.pdf        This user document
    copyright                  EMERALD copyright information
    license.pdf                License and distribution information
    PBEST_1999.pdf             Technical article about P-BEST
Install_BSM/                   EMERALD control directory
    Install_eXpert_BSM         Installation script (run as root)
    Run_eXpert_BSM             Startup script
    Run_config                 Start Configuration GUI
    Shutdown_eXpert_BSM        Shutdown script
    Start_GUI                  Alert GUI start script
    bsm_to_ebin                Convert BSM file to EMERALD binary file
    ebin_to_ascii              Convert EMERALD binary file to ASCII
    eXpert-config.sh           Run_eXpert_BSM parameter config file
    autoboot/auto_start        autoboot start script
    autoboot/auto_stop         autoboot stop script
bin/                           EMERALD executables directory
    SunOS_5/                   Solaris 2.6 thru 2.8 executables
        ask_yn                 Utility script
        ebsmgen                BSM to EMERALD data converter
        ebsmprobe
        ebsmsetpolicy
        emsgdump
        eXpert-BSM
        slay
        throttle
resource-object/
    config/
        accesspolicy.conf
        eXpert-Config.inc
        local_netmap.conf
        username_map.conf
Install_BSM/results/
    bsm alerts resolver
    bsm expert log
    bsm generator log
gui/
samples/
    emerald attack battery ebin
84. pt invocations, IDIP alert production, and socket use.
- Configuring the eXpert-BSM Knowledge Base provides the user unprecedented control over the intrusion detection heuristics. Required for proper operation of eXpert-BSM.
- Configuring the Local Network Address List provides eXpert-BSM a list of internal IP addresses for use in network-related heuristics.
- Configuring the Surveillance Policy for Local File Access (optional) provides an optional configuration facility for specifying an access policy to be monitored by eXpert-BSM.

Configuring the Run_eXpert_BSM Script

eXpert-BSM is run through the csh script Install_BSM/Run_eXpert_BSM. See Operating Instructions for more information on using Run_eXpert_BSM. The following settings are available for modification through the file Install_BSM/eXpert-config.sh, which is referenced by Run_eXpert_BSM.

- This variable will cause the Run_eXpert_BSM script to run silently, with no user command prompts. This overrides all interactive settings below except CHECK_EFUNNEL. If set to off, then by default the GUI will not be invoked and the results directory will not be cleared. Values: on, off, yes, no.
  set Interactive = on
- SETTING LOCAL TIME ZONE: You can set the default timezone as appropriate for this installation by setting the variable called Local_Timezone. Valid values are UTC, GMT, ET, EST, EDT, CT, CST, CDT, MT, M
85. r_attrs auid 50001 ruid 50001 euid 50001 pid 16307 sid 15242
Recommendation checkcfg da kess name BSM_MAX_FAILED_PROCS_PER_CYCLE; checkcfg da kess name BSM_FAILED_PROCS_THRESHOLD_WINDOW
Comment relevant params BSM_MAX_FAILED_PROCS_PER_CYCLE BSM_FAILED_PROCS_THRESHOLD_WINDOW
[Page 79]

WARNING 28 28 8723 BSM_FI[illegible]_EXHAUS[illegible]_THRESHOLD Target 130.107.15.118 Count [illegible]
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 2000-01-11 09:04:04.631142 PST
Command creat(2) Parent_cmd /usr/bin/tcsh Outcome [illegible]
Attacker non_present
Recommendation diagnose fs /mnt/floppy/sample3 da kess; checkcfg da kess name BSM_MAX_NOSPACE_ERRORS; checkcfg da kess name BSM_WRITE_ERR_THRESHOLD_WINDOW
Comment relevant params BSM_MAX_NOSPACE_ERRORS BSM_WRITE_ERR_THRESHOLD_WINDOW

WARNING 29 29 8731 BSM_FI[illegible]_EXHAUS[illegible]_THRESHOLD Target [illegible]
Observer eXpert-BSM Observer_Location kess
Start_time 2000-01-11 09:04:09.621150 PST
Command creat(2) Parent_cmd /usr/bin/tcsh Outcome Ta
86. resource-object/audit_config.tar for your inspection.

Install EMERALD BSM configuration files? (Y/N)

12. The files discussed in 11 are moved to /etc/security and permissions are set appropriately.
[Page 24]

13. You may enable eXpert-BSM to automatically start up during the system boot process.

eXpert-BSM Autoboot Installation
You have the opportunity to configure eXpert-BSM to automatically start during the boot procedure. If you elect to enable eXpert-BSM to automatically start at system boot, the following files will be created:
1) sh script /etc/init.d/eXpert-BSM
2) symlink /etc/rc2.d/S80eXpert-BSM, which points to the sh script, and
3) alert log directory /var/adm/securityd
To temporarily disable eXpert-BSM autoboot mode we recommend you rename /etc/rc2.d/S80eXpert-BSM to /etc/rc2.d/disabled-S80eXpert-BSM. See Section 9 for more details.

Do you wish to enable eXpert-BSM autoboot mode? (Y/N)

14. This completes the installation phase. Before running eXpert-BSM you must follow the configuration phase discussed in Configuring eXpert-BSM.

eXpert-BSM installation phase complete.
Configuration Phase is required before running eXpert-BSM. Please refer to Section 10 of the eXpert-BSM User Manual for information on configuring this component.
The following configuration files should be configured before running eXpert-BSM:
emerald_install/Install_BSM/eXpert-config.sh
emerald_install
87. resource-object/config/accesspolicy.conf
emerald_install/resource-object/config/eXpert-Config.inc
emerald_install/resource-object/config/local_netmap.conf
emerald_install/resource-object/config/username_map.conf

Do you wish to configure eXpert-BSM now? (Y/N)
[Page 25]

Now that you have completed installation, proceed to Chapter 10 for information on properly configuring eXpert-BSM for your environment.
[Page 26]

10 Configuring eXpert-BSM

eXpert-BSM provides an unprecedented degree of dynamically adjustable user control over its runtime operation. However, this greater user flexibility also implies greater responsibility on you, the user, to fully understand how to configure this engine for your needs and environment. After completion of the installation phase of eXpert-BSM, described in the previous section, you must perform the eXpert-BSM configuration phase. While we provide generally applicable default values, some aspects of the configuration process require customization to your environment before eXpert-BSM can properly operate. The configuration phase of eXpert-BSM proceeds as follows:
- Configuring the Run_eXpert_BSM Script sets various external parameters to control the settings for your local time, debug mode, script prom
88. rge [illegible] Target 130.107.15.118 Observer_src big_test.bsm Count [illegible]
[illegible] /mnt/floppy/sample3 da kess
Recommendation checkcfg da kess name BSM_MAX_NOSPACE_ERRORS; checkcfg da kess name BSM_WRITE_ERR_THRESHOLD_WINDOW
Comment relevant params BSM_MAX_NOSPACE_ERRORS BSM_WRITE_ERR_THRESHOLD_WINDOW

WARNING 30 30 8766 BSM_ATTEMPTED_ROOT_LOGIN Target 130.107.15.118
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 2000-01-11 09:51:56.836267 PST
Command login telnet Parent_cmd <unknown 12782> Outcome 255
Attacker 130.107.15.118 Attacker_attrs auid 0 ruid 0 euid 0 pid 12782 sid 12782
Recommendation filter sa 130.107.15.118 da kess
Comment Attempted remote root login

WARNING 31 31 8768 BSM_ATTEMPTED_ROOT_LOGIN Target 130.107.15.118
Observer eXpert-BSM Observer_Location kess Observer_src big_test.bsm
Start_time 2000-01-11 09:52:10.226282 PST
Command login rlogin Parent_cmd <unknown 12785> Outcome 255
Attacker 130.107.15.118 Attacker_attrs auid 0 ruid 0 euid 0 pid 12785 sid 12785
Recommendation filter sa 130.107.15.118 da kess
Comment Attempted remote root login

WARNING 32 32 9530 [illegible] Observer eXpert-BSM Start_time [illegible] Command connect Attacker 130.107.15 Attacker_attrs Recomm
89. rname_map will be rebuilt. If you answer yes, the script will prompt you for the editor you wish to use.

Enter the editor you wish to use (default: vi):

If you press enter, your default editor will be used.

Now entering the editor vi on the user name map file. Make any adjustments to the file, save it, and exit the editor to continue with the installation.

When you are done, the script will reply as follows:

Welcome Back. If you need to modify the usermap file again, it can be found in resource-object/config/username_map.conf. For more information on username_map.conf see the user documentation.

6. eXpert-BSM requires privilege to capture the audit records from the kernel. This privileged function has been isolated into an independent probe process called ebsmprobe.

The eXpert-BSM startup requires root privilege for ebsmprobe (realtime BSM data retrieval code). Do you wish to allow set-UID to root for ebsmprobe? (Y/N)

7. You are prompted to enter the group name of the individual(s) needing access to the eXpert-BSM results. For example, if eXpert-BSM will be operated under the emerald group, then type emerald. Use of eXpert-BSM should be restricted to a limited group of users.

Enter the group name or username that will be allowed to run the BSM monitor (e.g. emerald):

8. The script checks whether the audit daemon is currently running. If it is, you are prompted to shut it down. If you do not wish to run eXpert-BSM in real
90. roduced occurrences of this activity are rare or non-existent. Next, the rule represents the name of the rule that has fired, which may be potentially useful for tuning rules should the user not desire some alerts. The Target field indicates the hostname of the machine, and the Count field indicates the number of times the malicious activity is observed for this report.

Line 2 indicates the name of the sensor that produced the alert; in this case the observer is eXpert-BSM. In addition, the observer_location represents the IP address of the host on which the observer is run, and observer_src indicates whether the sensor is operating in real-time or batch mode. If batch mode, the BSM filename is provided.

Line 3 provides the Start_time and End_time of the attack. The Start_time is mandatory and represents the timestamp, relative to the event stream, at which the malicious activity is observed. The End_time is optional and used only for intrusion reports that span a duration.

Line 4 provides the name of the operation that is being performed. With respect to BSM, this represents the system call name or high-level audit event name, provided by the BSM audit trail, of the key record used to distinguish the attack. The Parent_cmd is a synthetically generated string derived by tracing the process within the audit stream. For example, if the file /bin/rm is invoked such that eXpert-BSM reports an illegal unlink(2) operation, the command repor
91. rt-BSM User's Guide, Page 55

THE FOLLOWING IS A LICENSE AGREEMENT RELATING TO THE ACCOMPAN.YING SOFTWARE. CAREFULLY READ ALL OF THE AGREEMENT'S TERMS AND CONDITIONS BEFORE PROCEEDING. IF YOU DO NOT AGREE TO SUCH TERMS AND CONDITIONS AND INDICATE YOUR ACCEPTANCE BELOW, YOU WILL NOT BE PERMITTED TO USE THE SOFTWARE.

By having clicked the YES box on the eXpert-BSM evaluation edition registration and download page of SRI's website, you have agreed to the following provisions as a condition precedent to your possession and use of eXpert-BSM, an evaluation version software program for a Solaris Host-Based Intrusion Detection System (the "Program"), from SRI International ("SRI"), pursuant to the California Uniform Electronic Transactions Act.

1. Authority. You represent that you are either acting as an individual person on your own behalf, or that you are acting on behalf of your employer and are authorized to accept these terms and conditions on its behalf (in either case hereinafter referred to as "you"). You agree that you have read and understand this Agreement.

2. Copyright. This Program is owned by SRI and is protected by United States copyright laws and international treaty provisions. Therefore, you must treat the Program like any other copyrighted material.

3. Grant of License. SRI hereby grants to you a nontransferable and nonexclusive license to possess and use the Program in accordance with the terms and conditions of th
92. se. SRI does not guarantee service results or represent or warrant that the Program will be completely error-free. The Program is provided by SRI "AS IS".

5.1 SRI HEREBY DISCLAIMS ALL WARRANTIES OF ANY NATURE, EXPRESS, IMPLIED OR OTHERWISE, OR ARISING FROM TRADE OR CUSTOM, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE.

5.2 SRI SHALL NOT BE LIABLE FOR DAMAGES OF ANY KIND, INCLUDING GENERAL, DIRECT, SPECIAL, INCIDENTAL AND CONSEQUENTIAL DAMAGES, RESULTING FROM OR ARISING OUT OF THIS AGREEMENT OR YOUR USE OF THE PROGRAM.

6. Indemnity. You shall be solely responsible for the supervision, management and control of your use of the Program and any related products and documentation. You hereby indemnify and hold harmless SRI and its affiliates (the "Indemnified Parties") against any loss, liability, damages, costs or expenses suffered or incurred by the Indemnified Parties at any time as a result of any claim, action or proceeding arising out of or relating to your use, operation or implementation of the Program. For purposes of this Agreement, "affiliate" means any Company division or subsidiary or any other entity involved in the manufacture of the Program. The Indemnified Parties shall not be responsible, and you shall have no recourse against the Indemnified Parties, for any loss, liability, damages, costs or expenses which may be suffered or incurred at any time by you as a resul
93. settings before using eXpert-BSM:
- EXPERT_ACTIVE_REPORTS_ENABLED
- BSM_ADMINISTRATIVE_USER_LIST
- BSM_USER_HOMES_LOCATION
- BSM_LAST_RESERVED_ACCOUNT
- BSM_LOCAL_FTPD_UID
- BSM_FTP_UPLOAD_PATHS
- BSM_TCP_WRAPPER_LIST

Parameter EXPERT_ACTIVE_REPORTS_ENABLED
- Dependent Rules: Status Message Generation
- Purpose: This flag enables the production of "I'm alive" status messages for use by EMERALD remote user interface software.
- Default: None (0, disabled)
Ulong EXPERT_ACTIVE_REPORTS_ENABLED 0

Parameter BSM_ADMINISTRATIVE_USER_LIST
- Dependent Rules: BSM_Suspicious_Setuid, BSM_Illegal_Shadow_Passwd_Access, BSM_Promiscuous_Mode, BSM_Root_by_Nonadmin, BSM_Setreuid_by_Nonadmin
- Purpose: This list informs eXpert-BSM who the current list of users are that may legally acquire root control. Note: leaving this list empty effectively disables heuristics that depend on it.
- Default: None (root)
MsgString BSM_ADMINISTRATIVE_USER_LIST root
[Page 29]

Parameter BSM_MAX_BACKWARD_TIME
- Dependent Rules: BSM_Time_Warp
- Purpose: Indicates the number of seconds the host's time is allowed to be set backward before an alarm is raised.
- Default: 600 seconds (10 minutes)
Ulong BSM_MAX_BACKWARD_TIME 600

Parameter BSM_SUSPICIOUS_EXEC_LIST
- Dependent Rules: BSM_SUSPICIOUS_EXEC_ARGUMENT
- Purpose: A list of highly suspicious program names that may be worthy of administrative r
94. sly uploaded file can be downloaded by other external ftp clients.
- Default: 5
Ulong BSM_FTP_WAREZ_COMPLAINT 5
[Page 36]

Parameter BSM_ANON_FILE_EXPIRE
- Dependent Rules: BSM_FTP_Warez_Activity
- Purpose: Indicates the amount of time eXpert-BSM will remember a file written by an anonymous ftp user. During this period, if there is a subsequent flood of anonymous external reads of this file, an alert is raised of potential warez client activity.
- Default: 259200 seconds (72 hours)
Ulong BSM_ANON_FILE_EXPIRE 259200

Parameter BSM_FTP_UPLOAD_PATHS
- Dependent Rules: BSM_FTP_Anon_Write
- Purpose: Indicates the directory path under which anonymous ftp writes are allowed.
- Default: /pub/ftp/incoming
MsgString BSM_FTP_UPLOAD_PATHS /pub/ftp/incoming

Parameter BSM_TCP_WRAPPER_LIST
- Dependent Rules: BSM_Inetd_Subversion
- Purpose: Indicates the full pathname of any and all TCP wrapper binaries employed by Inetd services.
- Default: empty list
MsgString BSM_TCP_WRAPPER_LIST

Parameter BSM_ENABLED_HEURISTICS
- Dependent Rules: All
- Purpose: Indicates the list of active heuristics enabled within the knowledge base. By removing an entry you effectively disable the rule upon the next initialization of eXpert-BSM.
Heuristics BSM_Time_Warp BSM_Root_Core_Creat
[Page 37]
BSM_Reach_Max_BadLogin BSM_Root_Core_Event BSM_FTP_P
95. t Resource_owner <>
9 Recommendation <>
10 Comment <>

Console alerts contain a maximum of 10 lines. Lines 6-10 are optional.

Line 1 provides a summary of the key attributes of the attack. The RepID is a unique identifier for this alert; its value is derived from the event count of the audit record under which the alert was generated. In addition, a ThreadID is provided, which is used to associate the alert with a previous report. The ThreadID is usually equal to the RepID unless the report is a follow-on with additional information from a previously written report; in that case the ThreadID equals the RepID of the preceding associated alert. The Severity field indicates the type of alert this report represents: Debug, Informative, Warning, Severe_Warning, Attack. These values are defined as follows:

DEBUG_INFO       Optional console message, only for event stream debugging and low-priority messages.
INFORMATIVE      Optional low-priority messages on monitor status.
WARNING          Exceptional activity that is symptomatic of possible system distress or security-relevant operations. The accumulation of WARNING-level alerts is worthy of administrative review.
SEVERE_WARNING   Activity that maps to known intrusive activity. Other nonmalicious explanations are possible.
[Page 48]
ATTACK           Indicates activity maps to known intrusive activity. Nonmaliciously p
96. t find file INSTALL/resource obect/config/accesspolicy.conf
This is not a required file.

securityd alerts are forwarding to <EFUNNEL_HOST>
eXpert-BSM has successfully connected to the efunnel host target and will send intrusion alerts to that machine.

securityd alerts are availble in <results file>
eXpert-BSM will send intrusion alerts to the named results file.

securityd stop path not located
Perhaps the eXpert-BSM installation directory has been moved or is no longer available. Please locate the eXpert-BSM installation directory and rerun Install_eXpert_BSM.

The eXpert-BSM Process Chain

Run_eXpert_BSM is a csh script that invokes the following programs:
- ebsmsetpolicy (real-time mode) establishes an optimized audit policy configuration with the kernel. This utility needs to be setuid root and is therefore not distributed as a shell script. It exits immediately after setting the audit configuration.
- ebsmprobe (real-time mode) establishes process-to-process communication between the Solaris kernel and ebsmgen. This is a setuid application. Proper shutdown of eXpert-BSM requires this utility to be terminated first, by either a SIGTERM or SIGHUP signal.
- throttle (real-time mode) is an intermediate message utility to handle safe buffering between the kernel and ebsmgen. Always terminate ebsmprobe before terminating this application, otherwise the kernel may enter an unstable state as it fills its in
97. t of your reliance upon or use of the Program, or as a result of any claim, action or proceeding against you arising out of or relating to the use of the Program, or as a result of your defense of any such claim, action or proceeding.

7. Term and Termination. Your license term is for a period of the lesser of one hundred and eighty (180) days after downloading the Program or until January 31, 2003. Subsequent one hundred and eighty (180) day periods under this license may be granted at SRI's sole discretion through your use of your assigned password (see web page instructions), in which event the terms and conditions of this license agreement shall remain in full force and effect. SRI may otherwise immediately terminate this license upon notice to you, whereupon you shall immediately destroy all copies of the Program. Upon the natural expiration of the initial license period of this agreement, the Program will automatically cease to function.

8. Reporting. At least once during the license term you shall report back to SRI your experiences with the use of the Program (see Contact and Experience Reporting Section below for feedback address).
[Page 57]

9. Applicable Law. This Agreement and any disputes arising hereunder shall be governed by the laws of the state of California, United States of America, without regard to conflicts of laws principles. The parties hereby expressly exclude the application of th
98. ted by the alert is unlink and the Parent_cmd will be /bin/rm. The Outcome reports the audit return value on a given operation. Interpretation of this field is operation-dependent.

Line 5 indicates the identity of the attacker. If at all possible, this represents the user name of the individual responsible for the attack. For network-related attacks, this represents the remote IP address of the attacking host.

Line 6 (optional) provides an alert-dependent enumeration of supportive information.

Line 7 (optional), where applicable, provides additional information regarding the arguments used to invoke an operation. With respect to BSM analysis, the Command_arg field is used to represent the exec_args parameter with respect to process executions.

Line 8 (optional), where applicable, provides additional information regarding resources (usually files) that are manipulated during the malicious activity, and the owner of the object.

Line 9 (optional) provides recommended countermeasure directives for responding to intrusive activities. eXpert-BSM employs:
[Page 49]
- KILL / KILL_ALL <session_id>: terminate the intrusive session, e.g. kill -9 <session_id>
- LOCKOUT <username>: disable the user account until the individual responsible for the malicious activity associated with this account is found
- FIXPERMS <filename>: alter the target file access
99. ternal audit record queues.
- ebsmgen (all modes) accepts Solaris BSM audit records and converts and forwards them as EMERALD messages to eXpert-BSM.
- eXpert-BSM (all modes) is the EMERALD forward-chaining expert system.
[Page 45]

12 Shutdown Instructions

Login under the account that started eXpert-BSM (or root) and invoke

Install_BSM> Shutdown_eXpert_BSM

This script kills the process chain for the eXpert-BSM. In real-time mode this script kills ebsmprobe, throttle, ebsmgen and eXpert-BSM, in that order.

CAUTION: When running in real-time mode, do not attempt to kill the process throttle by hand before shutting down ebsmprobe. Doing so will cause system instability.

Note: If several start/stop runs are made, the output will accumulate in the results directory, i.e. the results of each run do not overwrite the previous results, but you could tell the run script to clear the results directory before starting a new run. You may delete any old (i.e. log, resolver or ascii) results at any time, as long as they are not the output of a currently running monitor.

Autoboot Shutdown
When running in autoboot mode, eXpert-BSM can be manually terminated by the following command:

Install_BSM> /etc/init.d/eXpert-BSM stop
[Page 46]

13 Uninstalling eXpert-BSM

The eXpert-BSM monitor can be safely uninstalled as follows:
1. If eXpert-BSM
100. that were rejected for lack of available filesystem space. (config: BSM_MAX_NOSPACE_ERRORS, BSM_WRITE_ERR_THRESHOLD_WINDOW)
- BSM_Attempted_Root_Login: BSM Monitor observed a failed attempted root login via login, telnet, rlogin, rsh, su. With BSM installed, direct root login is disallowed. Administrators are required to login under their own accounts and transition to root via su(1).
- BSM_Suspicious_Setuid: BSM Monitor observed that the setuid bit has been enabled by a non-administrative user, i.e. a process whose original login ID is not a known administrator. If the user enabling the setuid bit owns the file, then a warning is raised. If the user enabling the setuid bit is not the owner of the file, then this alert is flagged as an attack (clear authority violation). This is an excellent heuristic for recognizing common actions that occur during an intrusion, where the attacker subverts the system into enabling the setuid bit on a root-owned file. This heuristic also distinguishes between administrative users and non-administrative users. (config: BSM_ADMINISTRATIVE_USER_LIST)
- BSM_Setreuid_By_Nonadmin: The BSM Monitor observed a non-administrative user process changing its real user ID to an administrator ID. (config: BSM_ADMINISTRATIVE_USER_LIST)
- BSM_Suspicious_Port_Probing (1): Applicable to Solaris 2.6 and above. The BSM Monitor observed a remote host attempting to connect to a s
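The BSM_Suspicious_Setuid decision described above, worked through as an added illustration (not code from the eXpert-BSM distribution): the acting user is judged by audit ID against BSM_ADMINISTRATIVE_USER_LIST, and file ownership decides WARNING versus ATTACK. The ChmodEvent record layout, the sample events and the rendering of the Recommendation entries are assumptions of this example.

```python
"""Classify setuid-bit changes the way the BSM_Suspicious_Setuid heuristic
is described in the manual.  Added illustration, not eXpert-BSM code: the
ChmodEvent layout is a constructed stand-in for a parsed chmod(2) audit
record, and the alert dict only borrows the field names the manual uses."""
from dataclasses import dataclass
from typing import Optional

# Stand-in for the BSM_ADMINISTRATIVE_USER_LIST parameter (manual default: root).
BSM_ADMINISTRATIVE_USER_LIST = ["root"]

S_ISUID = 0o4000  # setuid bit in the mode argument of chmod(2)


@dataclass(frozen=True)
class ChmodEvent:
    """Constructed view of one chmod(2) audit record."""
    auid: str        # audit (original login) user of the process
    path: str        # file whose mode is being changed
    owner: str       # current owner of that file
    new_mode: int    # mode argument passed to chmod(2)
    outcome: int     # audit return value; 0 means the call succeeded
    pid: int
    sid: int


def classify_setuid(ev: ChmodEvent, admins=None) -> Optional[str]:
    """Return None (no alert), "WARNING" or "ATTACK".

    The setuid bit must actually be enabled by a successful call; the acting
    user is judged by audit ID, not effective ID, so a user who has already
    acquired another identity is still recognised; ownership of the file
    decides between a warning and a clear authority violation."""
    admins = BSM_ADMINISTRATIVE_USER_LIST if admins is None else admins
    if ev.outcome != 0:            # failed chmod: nothing was enabled
        return None
    if not ev.new_mode & S_ISUID:  # no setuid bit in the new mode
        return None
    if ev.auid in admins:          # administrators may legally do this
        return None
    if ev.owner == ev.auid:        # own file: suspicious, authority intact
        return "WARNING"
    return "ATTACK"                # someone else's file: authority violation


def build_alert(ev: ChmodEvent, host: str, admins=None) -> Optional[dict]:
    """Assemble the alert fields named in the manual's console alert format.
    The recommendation set follows the sample alerts (fixperms on the file,
    kill of the offending session, notify of the owner); its text rendering
    here is an assumption of this example."""
    severity = classify_setuid(ev, admins)
    if severity is None:
        return None
    return {
        "Severity": severity,
        "Rule": "BSM_SUSPICIOUS_SETUID",
        "Command": "chmod(2)",
        "Attacker": ev.auid,
        "Resource": ev.path,
        "Resource_owner": ev.owner,
        "Recommendation": [
            f"fixperms fn={ev.path} da={host} newattr=000",
            f"kill pid={ev.pid} sid={ev.sid} da={host}",
            f"notify owner={ev.owner} da={host}",
        ],
        "Comment": "relevant params BSM_ADMINISTRATIVE_USER_LIST",
    }


# Constructed events echoing the manual's test battery: a non-admin user
# enabling setuid on its own file, then on another user's file, an
# administrator doing the same, and a failed attempt (outcome 13, EACCES).
SAMPLE_EVENTS = [
    ChmodEvent("em_user1", "/usr/emerald/em_user1/gurka", "em_user1", 0o4755, 0, 25402, 25336),
    ChmodEvent("em_user1", "/usr/emerald/em_user1/file_owned_by_2", "em_user2", 0o4755, 0, 25406, 25336),
    ChmodEvent("root", "/usr/bin/passwd", "root", 0o4555, 0, 25410, 24792),
    ChmodEvent("em_user1", "/usr/bin/who", "bin", 0o4755, 13, 25412, 25336),
]


def triage(events=SAMPLE_EVENTS, host="kess"):
    """Return the alerts raised for a list of events, in order."""
    return [a for a in (build_alert(e, host) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in triage():
        print(alert["Severity"], alert["Rule"], alert["Attacker"], alert["Resource"])
```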
time mode, you could restart auditd after the install script is finished.

ps indicates that auditd is running. auditd must be shut down to initialize EMERALD.

    Do you wish to shutdown the audit daemon? (Y/N)

If you agree to terminate the process, the following command is run:

    /usr/sbin/audit -t

9. eXpert BSM determines whether the audit daemon is currently set to start at boot time on your system. This should not be the case if you want to run in real time, as eXpert BSM real-time mode does not work in parallel with the Solaris audit daemon. Type Y to continue with the installation process. To later re-enable the Solaris audit daemon to start at boot time, simply rename the file audit_startup.renamed_by_emerald back to audit_startup.

    eXpert BSM has determined that auditing is currently enabled on your system and that auditd will continue to be enabled on system reboot.
    Note: In real-time mode eXpert BSM cannot operate in parallel with auditd, so disabling auditd facilitates the regular use of eXpert BSM.
    Details: to disable auditd from automatically restarting at system reboot, this script will rename the audit_startup script from /etc/security/audit_startup to /etc/security/audit_startup.renamed_by_emerald.
    Do you wish to rename the audit script? (y/n)

10a. eXpert BSM attempts to install a custom audit configuration. eXpert BSM provides a highly optimized BSM configura
tion which reduces CPU load and is required to function properly. You can optionally back up your current configuration before the eXpert BSM configuration is installed.

10b. eXpert BSM needs to modify the audit configuration of your Solaris host. Selecting Y (yes) stores your previous files in a file called /etc/security/orig_audit_file.<timestamp>.tar.

    Do you wish to back up your current BSM configuration? (Y/N)

10c. eXpert BSM will prompt you to remove the default audit configuration files. Assuming you select Y to question 10b, you will be able to later restore the original Solaris configuration files should you choose to uninstall eXpert BSM (see Uninstalling eXpert BSM).

    BSM configuration files /etc/security/audit_class, /etc/security/audit_control, /etc/security/audit_event, /etc/security/audit_user have been BACKED UP to /etc/security/orig_audit_01Jun21.0731.tar.Z

Next the install script will ask to remove the old BSM configuration files.

    The BSM configuration files /etc/security/audit_class, /etc/security/audit_control, /etc/security/audit_event, /etc/security/audit_startup.renamed_by_emerald, /etc/security/audit_user, /etc/security/audit_warn, /etc/security/audit_data will be deleted. OK to delete? (Y/N)

11. eXpert BSM unloads and installs the following files into /etc/security: audit_class, audit_control, audit_event, audit_user. The files are located in Install
tion regarding subsequent releases.

The following attack heuristics are available within the release of this component:

- BSM_Root_Core_Creat: BSM Monitor observed the creation of a root core file. There are multiple known attacks that exploit (or generate as a side effect) root-owned core files, and some attacks that are formulated to ensure that the core file will include content from the shadow password file.

- BSM_Reach_Max_BadLogin: BSM Monitor observed N (default 4) failed login attempts. If the username was invalid, the user field contains "invalid username". Otherwise this represents a series of bad login attempts (config: BSM_MAX_LOGIN_THRESHOLD, BSM_FAILED_LOGIN_WINDOW).

- BSM_Root_Core_Event: BSM Monitor observed a root process suffering a core dump. This event occurs commonly as a result of root process subversion or attacks designed to shut down root services. The kernel itself detects the event. It does not indicate core file creation or the location of that core file, which may or may not occur.

- BSM_FTP_Passwd_Guesser: BSM Monitor observed N (default 4) failed login attempts via the FTP daemon. If the username was invalid, the user field contains "invalid username". Otherwise this represents a series of bad passwords submitted for a user's account (config: BSM_FAILED_LOGIN_WINDOW, BSM_MAX_FTP_BADPASSWORDS).

- B
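A sliding-window counter of the kind BSM_Reach_Max_BadLogin and BSM_FTP_Passwd_Guesser describe, as an added example rather than eXpert BSM's own code. The threshold of 4 is the default the text gives; the window length, the reset-after-alert behaviour and the event stream are assumptions made for the example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Constructed stand-ins for the two configuration parameters named in the text.
BSM_MAX_LOGIN_THRESHOLD = 4     # N failed attempts; the page gives 4 as the default
BSM_FAILED_LOGIN_WINDOW = 60.0  # seconds; the value here is an assumption


class BadLoginDetector:
    """Sliding-window counter behind BSM_Reach_Max_BadLogin (added example)."""

    def __init__(self, threshold=BSM_MAX_LOGIN_THRESHOLD,
                 window=BSM_FAILED_LOGIN_WINDOW):
        self.threshold = threshold
        self.window = window
        # timestamps of recent failures per account, oldest first
        self._fails: Dict[str, Deque[float]] = defaultdict(deque)

    def observe_failure(self, ts: float, user: Optional[str]) -> Optional[str]:
        """Record one failed login; return an alert when N fall inside the window."""
        # Unknown accounts are reported under "invalid username", as the text says.
        key = user if user is not None else "invalid username"
        fails = self._fails[key]
        fails.append(ts)
        # Discard attempts older than the window so a slow trickle never fires.
        while ts - fails[0] > self.window:
            fails.popleft()
        if len(fails) >= self.threshold:
            fails.clear()   # reset so every N failures raise one alert (assumed)
            return f"BSM_Reach_Max_BadLogin user={key} count={self.threshold}"
        return None


# Constructed event stream: (timestamp in seconds, username or None for an
# account that does not exist). Not captured from a real system.
EVENTS: List[Tuple[float, Optional[str]]] = [
    (0.0, "bob"), (10.0, "bob"), (20.0, "bob"), (30.0, "bob"),    # burst: alert
    (1.0, "eve"), (100.0, "eve"), (110.0, "eve"), (120.0, "eve"),  # first aged out
    (31.0, None), (32.0, None), (33.0, None), (34.0, None),        # bad usernames
]


def run_detector(events=EVENTS, **kw):
    det = BadLoginDetector(**kw)
    return [a for a in (det.observe_failure(ts, u) for ts, u in events) if a]
```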
tion release. For other questions regarding the EMERALD program and the availability of other specialized security tools, you may contact the EMERALD Program Director, Phil Porras, at porras@sdl.sri.com. For users requiring technical support for the eXpert BSM evaluation edition, direct all questions regarding special arrangement support agreements and licensing conditions to emerald-support@sdl.sri.com. Please direct all experience reporting and feedback discussed in the Reporting and Feedback Agreement to emerald-feedback@sdl.sri.com.

Appendix I: Attack Battery Test Data Description

This document describes the 33 attack tests used for the EMERALD eXpert BSM self-test attack battery.

Test 1: Buffer overflow in ps (BSM_PS_EXPLOIT)
Run the appropriate exploit program or use LL data.

    uid 2053
    Start_time 1998-07-29 19:27:29.562456 EDT
    Command execve(2)
    Parent_cmd /usr/bin/ps
    Outcome 0
    Attacker_attrs auid 2053 ruid 2053 euid 0 pid 5593 sid 5584
    Command_arg ps
    Resource /usr/bin/ps
    Resource_owner root

Test 2: Selfping (BSM_SELF_ECHO_ALERT)

    Start_time 1999-04-05 20:17:10.001999 EDT
    End_time 1999-04-05 20:18:09.992008 EDT
    Command echo
    Parent_cmd inetd
    Outcome 0
    Attacker 130.107.15.118
    Attacker_attrs auid 2037 ruid 0 euid 0 pid 24892 sid 24802
    Recommendation KILL 24802
    Comment relevant params BSM_MAX_ECHOS_RECEIVED
tory has been moved or is no longer available. Please locate the eXpert BSM installation directory and rerun Install_eXpert_BSM.

securityd: cannot run with auditd
eXpert BSM determines whether the audit daemon is currently set to start at boot time on your system. This should not be the case if you want to run in real time, as eXpert BSM real-time mode does not work in parallel with the Solaris audit daemon. Auditd should have been deleted as part of the installation procedure. Please rerun the installation script.

securityd: directories unavailable
Perhaps the eXpert BSM installation directory has been moved or is no longer available, or a key configuration file is missing. Please locate the eXpert BSM installation directory and rerun Install_eXpert_BSM. If that doesn't work, reinstall the eXpert BSM package.

securityd: resource object not available
Please locate the eXpert BSM installation directory and rerun Install_eXpert_BSM. If that doesn't work, reinstall the eXpert BSM package.

securityd: results directory unavailable
The directory /var/adm/securityd does not exist and eXpert BSM could not create the directory.

securityd: EFUNNEL_HOST undefined
The variable EFUNNEL_HOST in the eXpert config.sh under $INSTALL_BSM references a host that is unreachable by eXpert BSM. Disable alert forwarding or reassign the target hostname.

securityd: access map not found
eXpert BSM could no
u will again be asked whether you want to continue.

5. The installation script automatically constructs the file username_map.conf, which is located in $Install/resource_object/config.

    Now building the first cut user name map file.
    As you add new accounts to your environment, you may wish to re-run this install program to add the additional usernames and IDs.
    Note: if you are not running yp, you may encounter a yppasswd-related error. Just ignore this error.
    Would you like to edit the username map (usually not necessary)? (Y/N)

The username_map.conf is automatically generated by the installation script and provides eXpert BSM with a mapping between Subject IDs and human-readable user names. Both the local /etc/passwd file and the NIS (yp) passwd database are used as input. This resulting map allows eXpert BSM to avoid performing expensive name lookups at runtime as it receives audit records. Here is an example of the username map file:

    root
    daemon
    bin
    sys
    adm
    lp
    uucp
    nuucp
    listen 37
    operator 28
    johnny 443
    suzie 445

Updating the username map: After you have added or deleted user accounts on the system, there are two ways to update the username map: edit the file with a text editor, or simply rerun the install script. Once you have completed modifications, you may activate these configuration changes by sending a SIGHUP to the eXpert BSM process.

The use
urce object. Event records are then forwarded to the monitor's analysis engine(s) for processing. For more information regarding the EMERALD design, see http://www.sdl.sri.com/emerald/emerald-niss97.html

4 eXpert BSM Detection Summary

The eXpert BSM knowledge base represents the most sophisticated and comprehensive collection of audit-based intrusion detection heuristics ever assembled under a single host-based intrusion detection system. The majority of these heuristics focus on detecting the underlying compromises that occur within and across attack methods relevant across Unix hosts. Where possible, rules are implemented to provide the most general coverage for misuse detection and security policy violations, to cover the widest range of attack classes possible from audit-based analysis. These rules have been extensively tested for their ability to recognize the intrusive activity described below, as well as for avoiding false positives. See Configuring eXpert BSM for more information on how to configure the rule parameters for this knowledge base.

The following is a snapshot of the EMERALD eXpert BSM knowledge base for warnings and intrusion indicators as of the date of this release. The EMERALD team continues to actively extend our current knowledge sets for both host- and network-based monitors. Our EMERALD software distribution web page (http://www.sdl.sri.com/emerald/releases) has further informa