study of snort rule set privacy impact
play

Study of Snort Rule- set Privacy Impact Nils Ulltveit-Moe and - PowerPoint PPT Presentation

Jan 26, 2023 •38 likes •278 views

Study of Snort Rule- set Privacy Impact Nils Ulltveit-Moe and Vladimir Oleshchuk University of Agder Presented at: Fifth International PrimeLife/IFIP Summer School, Nice, France 7.-11. September 2009. This work is Funded by Telenor R&I

  1. Study of Snort Rule- set Privacy Impact Nils Ulltveit-Moe and Vladimir Oleshchuk University of Agder Presented at: Fifth International PrimeLife/IFIP Summer School, Nice, France 7.-11. September 2009. This work is Funded by Telenor R&I (contract DR-2009-1)

  2. Content • Motivation • Introduction to Intrusion Detection Systems • Case Study of the Snort Community Rule-set • Results • Conclusion and Future Research Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 2

  3. Why is better privacy handling needed for network monitoring systems? • Norwegian scandal: Minister of Defence reports the Defence Security Service (FOST) to the police for illegal surveillance of data traffic from the Government and the Royal Family. • Reason: An employee in the Department of Justice got told off by FOST after having surfed on pornographic pages... • FOST is responsible for network security , but they are not allowed to perform surveillance of data traffic. • How can network monitoring organisations like FOST avoid such a scandal? Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 3

  4. What is needed? • Better routines and methodologies for detecting potentially privacy violating IDS rules. • Improved classification and handling of alerts from security incidents involving private or sensitive material. • Privacy Ombudsman responsible for the privacy side of network monitoring. • External certification authorities that can perform privacy impact assessments. Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 4

  5. Content • Motivation • Introduction to Intrusion Detection Systems • Case Study of the Snort Community Rule-set • Results • Conclusion and Future Research Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 5

  6. How is intrusion detection being performed? • Intrusion Detection Systems (IDSs) - the Internet equivalent of a burglar alarm. Network monitoring is performed using deep packet inspection , which means that the following data can be investigated: • Packet header information; • Payload in each data packet; • Reassembled streams of data spanning several data packets; • Entire communication sessions between a client machine and a server. • An alert is sent to a central console whenever a presumed malicious event is detected. Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 6

  7. Small IDS deployment DMZ Internet Web, email server IDS Intranet Backnet Security Operations Centre (outsourced) Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 7

  8. Small IDS deployment DMZ Internet Web, email server IDS Intranet Backnet Security Operations Centre (outsourced) Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 8

  9. Small IDS deployment DMZ Internet Web, email server IDS Intranet Backnet Security Operations Centre (outsourced) Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 9

  10. Network Intrusion Detection Systems can have a significant privacy impact: • Existing ruleset can be used to monitor: • peer-to-peer (P2P) file sharing; • download or streaming of multimedia files; • chat and instant messaging; • surfing to “inappropriate” web pages; • usage patterns in web shops; • or use of anonymisers (Tor). • Research is therefore needed to: • enhance data privacy handling of IDS systems; • quantify expected data privacy impact; • tune the IDS rule set to minimise data privacy impact; • perform automated testing of data privacy impact. Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 10

  11. Content • Motivation • Introduction to Intrusion Detection Systems • Case Study of the Snort Community Rule-set • Results • Conclusion and Future Research Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 11

  12. Case study of the Snort Community rule set. • 3669 rules were manually categorised into two categories: • Privacy Violating (PV) rules (291 rules); • and A ttack detection rules (3378 rules). • Privacy violating rules: • Broad rules, monitors user behaviour or service usage that may be in violation with a stated usage policy. • Unspecific attack detection rules can also fall into this category. • Attack detection rules: • Specific rules, expected to match malicious traffic only. Founded on known vulnerabilities (CVE, Bugtraq, Arachnids, McAfee, Nessus) • For example buffer overflow, SQL injection, XSS, backdoor, exploit... Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 12

  13. Security considerations • Security interest takes precedence over privacy interests for rules triggering on malicious activities. • Considered bad if insecure services are exposed on the Internet: • for example telnet, finger, rsh, rexec, rlogin and open file shares; • Also business critical services like database servers. • Traffic to or from unexpected services is in general bad: • Often used by trojans, backdoors, worms and other malware. Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 13

  14. Attack detection rule example alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (\ msg:"MS-SQL Worm propagation attempt";\ content:"|04|"; depth:1;\ content:"|81 F1 03 01 04 9B 81 F1 01|";\ content:"sock";\ content:"send";\ reference:bugtraq,5310;\ reference:bugtraq,5311;\ reference:cve,2002-0649;\ reference:nessus,11214;\ reference:url,vil.nai.com/vil/content/v_99992.htm;\ classtype:misc-attack;\ sid:2003;\ rev:8;) • Specific attack-matching rule, vulnerability references Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 14

  15. Privacy Violating rule example alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (\ msg:"MULTIMEDIA Windows Media download";\ flow:from_server,established;\ content:"Content-Type|3A|"; nocase;\ pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)| a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smi";\ classtype:policy-violation;\ sid:1437;\ rev:6;) • Broad rule • Matches any downloaded Windows Media files via web • No references to vulnerability sources Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 15

  16. Content • Motivation • Introduction to Intrusion Detection Systems • Case Study of the Snort Community Rule-set • Results • Conclusion and Future Research Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 16

  17. Results • Our paper focuses on privacy violating rules. • We performed a case study using two different rule sets: • Full Snort rule-set • Default Snort rule-set (15 rule files with 285 rules disabled) Rule set Privacy Violating Number of rules *) % Privacy Violating All rules 291 3669 7.9% Default rule-set 177 3222 5.5% *) Note: wrong column name of Table 1 in short paper. Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 17

  18. Privacy violations by class for default rule-set Snort Class Rules Percent web-application-activity 148 83.6% attempted-reconnaissance 12 6.8% web-application-attack 7 4% protocol-command-decode 3 1.7% attempted-user 3 1.7% other 4 2.2% • 83% of the privacy violating rules in the default rule-set consists of web application activity monitoring. • Monitors access to web mail, shopping carts etc. • Often founded on known vulnerabilities. • Problematic both from a privacy and security perspective. Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 18

  19. Privacy violations by class for full rule-set Snort Class PV- Rules Percent web-application-activity 148 50.9% policy-violation 71 24.3% kickass-porn 30 10.3% misc-activity 14 4.8% attempted-reconnaissance 12 6.8% web-application-attack 7 4% protocol-command-decode 3 1.7% attempted-user 3 1.7% other 4 2.2% • 3 additional classes with privacy violating rules in full set: • policy-violation (71 privacy violating, 9 attack rules); pornography (30 privacy violating rules); and misc-activity (14 privacy violating, 191 attack rules). Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 19

  20. Observations • Web application activity monitoring cause most privacy violating rules in both rule sets. • Problematic both from a privacy and security perspective. • For example monitoring VP-ASP webshop activity. • or Outlook .eml files. (Rule due to the Nimda worm) • Rule files that by default are disabled contain many privacy violating rules detecting for example: chat , pornography , peer-to-peer and multimedia streaming or download. • Even traffic to Tor anonymisers can be monitored... Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 20

  21. Content • Motivation • Introduction to Intrusion Detection Systems • Case Study of the Snort Community Rule-set • Results • Conclusion and Future Research Ulltveit-Moe and Oleshchuk,Study of Snort Rule-set Privacy Impact 21

Recommend

Implementing Snort into SURFids Sander Keemink and Michael van Kleij February 6, 2008 1 / 21

Implementing Snort into SURFids Sander Keemink and Michael van Kleij February 6, 2008 1 / 21

Implementing Snort into SURFids Implementing Snort into SURFids Sander Keemink and Michael van Kleij February 6, 2008 1 / 21 Implementing Snort into SURFids 1 SURFids 2 Snort 3 Assignment 4 Experiments and results 5 Integrating Snort 6

681 views • 21 slides
Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance Engineering & Public Policy Lorrie Faith Cranor November 11, 2014 y & c S a e v c i u r P r i t e y l b L a a s

555 views • 21 slides
Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance Engineering & Public Policy Lorrie Faith Cranor October 29, 2013 y & c S a e v c i u r P r i t e y l b L a a s

245 views • 20 slides
Formal Privacy: Making an Impact at Large Organizations Deploying Differential Privacy for the

Formal Privacy: Making an Impact at Large Organizations Deploying Differential Privacy for the

Formal Privacy: Making an Impact at Large Organizations Deploying Differential Privacy for the 2020 Census of Population and Housing Simson L. Garfinkel Senior Scientist, Confidentiality and Data Access U.S. Census Bureau July 31, 2019 JSM

458 views • 35 slides
Privacy preserving data mining randomized response and association rule hiding Li Xiong

Privacy preserving data mining randomized response and association rule hiding Li Xiong

Privacy preserving data mining randomized response and association rule hiding Li Xiong CS573 Data Privacy and Anonymity Partial slides credit: W. Du, Syracuse University, Y. Gao, Peking University Privacy Preserving Data Mining

659 views • 39 slides
Future of Privacy Forum Higher Education Working Group GLBA Safeguards Rule Dean Forbes Counsel

Future of Privacy Forum Higher Education Working Group GLBA Safeguards Rule Dean Forbes Counsel

Future of Privacy Forum Higher Education Working Group GLBA Safeguards Rule Dean Forbes Counsel September 29, 2017 Agenda Introductions Department of Education Publications on Protecting Student Information GLBA Privacy and

739 views • 45 slides
DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE I. INTRODUCTION: The

DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE I. INTRODUCTION: The

DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE I. INTRODUCTION: The Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification provisions apply to three types of entities, which are known as

111 views • 7 slides
Privacy Rule Ron Honberg, J.D. Senior Advisor, Policy and Advocacy National Alliance on Mental

Privacy Rule Ron Honberg, J.D. Senior Advisor, Policy and Advocacy National Alliance on Mental

Myths and Reality: The HIPAA Privacy Rule Ron Honberg, J.D. Senior Advisor, Policy and Advocacy National Alliance on Mental Illness March 2018 Disclaimer This webinar was developed [in part] under contract number

369 views • 26 slides
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Provisions Sets

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Provisions Sets

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Provisions Sets boundaries on the use/release of health records Holds violators accountable with penalties Strikes a balance when public health

357 views • 12 slides
Sample Snort Signature alert tcp $EXTERNAL_NET any -> $HOME_NET 139

Sample Snort Signature alert tcp $EXTERNAL_NET any -> $HOME_NET 139

Sample Snort Signature alert tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:to_server,established content:"|eb2f 5feb 4a5e 89fb 893e 89f2|" msg:"EXPLOIT x86 linux samba overflow" reference:bugtraq,1816

436 views • 4 slides
Sample Snort Signature alert tcp $EXTERNAL_NET any -> $HOME_NET 139

Sample Snort Signature alert tcp $EXTERNAL_NET any -> $HOME_NET 139

Sample Snort Signature alert tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:to_server,established content:"|eb2f 5feb 4a5e 89fb 893e 89f2|" msg:"EXPLOIT x86 linux samba overflow" reference:bugtraq,1816

370 views • 8 slides
Manipulation, Privacy and Protection Consumer Behaviour in an Exploratory Study between Europe

Manipulation, Privacy and Protection Consumer Behaviour in an Exploratory Study between Europe

Asian Privacy Scholars Network 4th International Conference Meiji University, Tokyo (10-11 July, 2014) Manipulation, Privacy and Protection Consumer Behaviour in an Exploratory Study between Europe and Asia-Pacific 1 Prof. Dr. Ana Mara Lara

738 views • 21 slides
Presentation to the Standing Committee on Access to Information, Privacy and Ethics in its study of

Presentation to the Standing Committee on Access to Information, Privacy and Ethics in its study of

Presentation to the Standing Committee on Access to Information, Privacy and Ethics in its study of the Privacy of Canadians at Airports, Borders and Travelling in the United States June 15, 2017 Micheal Vonn and Meghan McDermott, British

467 views • 4 slides
Impact of the California Rule AGC SAFETY AND HEALTH COUNCIL Riverside, California March 21, 2012

Impact of the California Rule AGC SAFETY AND HEALTH COUNCIL Riverside, California March 21, 2012

Crane Operator Certification: Impact of the California Rule AGC SAFETY AND HEALTH COUNCIL Riverside, California March 21, 2012 Bob Hornauer, Manager California Affairs, NCCCO Overview of Presentation Scope of the California Rule (and

571 views • 45 slides
Should privacy impact assessments Should privacy impact assessments be mandatory? be mandatory?

Should privacy impact assessments Should privacy impact assessments be mandatory? be mandatory?

Should privacy impact assessments Should privacy impact assessments be mandatory? be mandatory? David Wright David Wright Trilateral Research & Consulting Trilateral Research & Consulting 17 Sept 2009 17 Sept 2009 1 1 Todays

542 views • 35 slides
Rule of Three (a language technique)

Rule of Three (a language technique)

Rule of Three (a language technique) http://study.com/academy/lesson/i-came-i-saw-i-conquered-analysis-of-julius-caesars-quote.html Introduction The purpose of this PowerPoint is to introduce the use of the rule of three as a language

742 views • 14 slides
Sources s of Law HIPAA AA (Health Insurance Portability and Accountability Act of

Sources s of Law HIPAA AA (Health Insurance Portability and Accountability Act of

How the City of Lewisville Has Complied in a Paperless World Sources s of Law HIPAA AA (Health Insurance Portability and Accountability Act of 1996) o Privacy Rule o Security Rule o Enforcement Rule o Genetic Information

416 views • 27 slides
Dillons Rule Historical review and look at precedents since the ruling Impact for

Dillons Rule Historical review and look at precedents since the ruling Impact for

1 Dillons Rule Historical review and look at precedents since the ruling Impact for school district decision making To quote the other (Bob) Dillon Dont think twice, its alright. 2 Board Authority Constitution,

291 views • 8 slides
Outline to HIPAA presentation I) Overview of the HIPAA Privacy Rule regulations that relate to

Outline to HIPAA presentation I) Overview of the HIPAA Privacy Rule regulations that relate to

Outline to HIPAA presentation I) Overview of the HIPAA Privacy Rule regulations that relate to obtaining a persons medical records for court proceedings and law enforcement purposes. A) Entities covered by HIPAA The medical records of a patient

405 views • 6 slides
HOW LONG BEFORE PRESENTATION TAKE XANAX How Long Before Presentation Take Xanax Do you snort or

HOW LONG BEFORE PRESENTATION TAKE XANAX How Long Before Presentation Take Xanax Do you snort or

HOW LONG BEFORE PRESENTATION TAKE XANAX How Long Before Presentation Take Xanax Do you snort or eat xanax Can gp prescribe xanax Drug interactions between suboxone and xanax Kratom mixed with xanax Meet the xanax addicted yakuza 0 Is it safe

577 views • 4 slides
Rule #1: Have a takeaway. Rule #2: Keep It Simple. Rule #3: Repetition is Good. Rule #4: Be

Rule #1: Have a takeaway. Rule #2: Keep It Simple. Rule #3: Repetition is Good. Rule #4: Be

The 4 Rules of Public Speaking Rule #1: Have a takeaway. Rule #2: Keep It Simple. Rule #3: Repetition is Good. Rule #4: Be Prepared! But at the end of the day, we can have the most dedicated teachers, the most supportive parents, the best

395 views • 12 slides
$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides
FIGHTING FRAUD WITH THE RE D FLAGS RULE & E NSURING ACCURACY WITH THE ADDRE SS DISCRE

FIGHTING FRAUD WITH THE RE D FLAGS RULE & E NSURING ACCURACY WITH THE ADDRE SS DISCRE

FIGHTING FRAUD WITH THE RE D FLAGS RULE & E NSURING ACCURACY WITH THE ADDRE SS DISCRE PANCY RULE Tiffany George Attorney, Division of Privacy & Identity Protection Federal Trade Commission WHATS ON YOUR MIND So what So

811 views • 44 slides
An Achilles Heel in Signature-Based IDS: Squealing False Positives in SNORT Sam Patton * Bill

An Achilles Heel in Signature-Based IDS: Squealing False Positives in SNORT Sam Patton * Bill

An Achilles Heel in Signature-Based IDS: Squealing False Positives in SNORT Sam Patton * Bill Yurcik David Doss Department of Applied Computer Science Illinois State University * Overview 1) the problem 2) software tool 3)

750 views • 20 slides

More recommend