
SPECTER Intrusion Detection System

by Bob Walder

Introduction

The Intrusion Detection System (IDS) market place is growing rapidly. New products are appearing all the time to monitor host log files and system files for suspicious changes, or to monitor network connections for suspect activity.

Honeypot

As you might guess from its name, SPECTER Intrusion Detection System fits into this broad product category, but it is not your average IDS. There has been a concept in the security world for some time now which is known colloquially as the “honeypot”. The idea is to provide one or more “decoy” systems, sacrificial lambs if you will, that will attract hackers and report on their activities, whilst keeping them busy and away from your main systems.

Commercial implementations of the honeypot have been few and far between until recently, with the appearance of CyberCop Sting and SPECTER IDS. SPECTER runs on an NT platform and emulates a number of common operating systems and services, providing an irresistible environment for the would-be hacker.

SPECTER consists of two parts: the Engine and the Control. The Engine performs the packet sniffing duties and handles the network connections, whilst the Control provides a simple GUI front-end for configuration. All configuration is performed from a single screen and every option has a Help button associated with it.

OS Simulation

The SPECTER system can simulate one of nine different operating systems, including Windows NT, Windows 95 / 98, MacOS, Linux, SunOS / Solaris, Digital Unix, NeXTStep, Irix, and Unisys Unix. It does not try to emulate each OS completely, of course. If you scan the SPECTER host remotely it still looks for all the world like an NT system. However, SPECTER will modify its responses to various connection requests depending on the OS you select (i.e. the FTP and Telnet banners will change), and it did return different results to our CyberCop and ISS Internet Scanner probes depending on which OS and services we had selected.

The SPECTER system can simulate five different network services and seven “traps”. All connections are logged with the IP of the remote host, exact time, type of service and state of the Engine at the time of connection.

If SMTP is selected, SPECTER will simulate an Internet mail server. Depending on the other settings, the SPECTER system will accept mail from the intruders and pretend to process it as expected. All information about the mail, such as recipient and content, are logged, as is the complete transcript of the SMTP dialogue with the remote host.

SPECTER can also emulate an FTP server, and the complete transcript of the FTP dialogue with the remote host is logged. Should an intruder attempt to gain access to the host password files, SPECTER will send fake password files formatted according to the OS that is being emulated. The Telnet service will likewise provide a complete transcript of the session with the remote host, whilst the simulated FINGER daemon pretends to provide information about users on a system, again while logging the session transcript. The final SPECTER service emulates the NETBUS Trojan program.

Spring the trap

The “traps” (a new feature in the latest release) are actually port monitoring devices which are triggered by connection attempts with the respective protocols. Default traps include DNS, HTTP, SUN-RPC, POP3, IMAP4, and BO2K (Back Orifice 2000). This means that the administrator can simulate an HTTP or POP3 service without having to deploy real Web or mail servers, and SPECTER will raise alerts every time an attempted connection is made. There is one “Generic” trap where the administrator can specify the port to be monitored – we would like to see this feature extended to provide monitoring of several user-defined ports.

Depending on the calibre of hacker you are expecting as an administrator, it is also possible to have SPECTER respond in different ways in order to simulate several different “levels” of security configuration:

  • Open - The system behaves like a badly configured system in terms of security.

  • Secure - The system behaves like a well configured system in terms of security.

  • Failing - The system behaves like a machine with various hardware and software problems.

  • Strange - The system behaves unpredictably, hopefully leaving the intruder wondering what's going on.

  • Aggressive - The system communicates as long as necessary to collect information about the intruder, then reveals its true identity by the appropriate means depending on the kind of connection before terminating the connection.
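To make the "trap" idea concrete, here is a minimal port-monitoring trap written for this review; it is an added example, not SPECTER's own code. It offers no real service: it sends a decoy banner, keeps the first bytes the client sends as a short transcript, and records the four fields the review says SPECTER logs (remote IP, exact time, type of service, state of the Engine). The line format, the decoy banners, the host names inside them, the port 2121 and the peer address 203.0.113.5 used by the dry run are all constructed for illustration; the engine state is recorded only as a label, the example does not reproduce the five response modes.

```python
"""Minimal honeypot "trap": a listener that offers no real service, only
records who connected, when, and to what.

Added example, not SPECTER code. The record fields (remote IP, time, service,
engine state) are the ones the review lists; the line format, the decoy
banners and the host names in them are constructed for illustration."""
import datetime
import socket
import threading

# Constructed decoy banners; the real product's banners are not on the page.
BANNERS = {
    "ftp": b"220 ftp.example.test FTP server ready\r\n",
    "telnet": b"\r\nlogin: ",
    "smtp": b"220 mail.example.test ESMTP\r\n",
}


def make_record(service, peer_ip, engine_state, now=None):
    """Build one log record with the four fields the review lists."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return {
        "time": now.replace(microsecond=0).isoformat(),
        "remote_ip": peer_ip,
        "service": service,
        "engine_state": engine_state,
    }


def format_record(rec):
    """One line per connection as key=value pairs; the transcript field goes
    last because it may contain spaces."""
    fixed = " ".join(f"{k}={rec[k]}" for k in ("time", "remote_ip", "service", "engine_state"))
    return f"{fixed} first_bytes={rec.get('first_bytes', '')}"


def handle_connection(conn, addr, service, engine_state="Open", sink=None):
    """Handle one accepted socket: send the decoy banner, keep the first bytes
    the client sends as a short transcript, then close. Returns the record."""
    rec = make_record(service, addr[0], engine_state)
    try:
        conn.settimeout(2.0)
        banner = BANNERS.get(service)
        if banner:
            conn.sendall(banner)
        try:
            first = conn.recv(256)
        except (socket.timeout, OSError):
            first = b""
        rec["first_bytes"] = first.decode("ascii", "replace").strip()
    finally:
        conn.close()
    if sink is not None:
        sink(format_record(rec))
    return rec


def serve_trap(port, service, engine_state="Open", bind="0.0.0.0", stop=None, sink=print):
    """Blocking accept loop; every connection is handled on its own thread so a
    slow client cannot delay the next alert."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    srv.settimeout(1.0)  # wake up regularly to check the stop flag
    try:
        while stop is None or not stop.is_set():
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle_connection,
                             args=(conn, addr, service, engine_state, sink),
                             daemon=True).start()
    finally:
        srv.close()


def dry_run(service, client_bytes, peer_ip="203.0.113.5", engine_state="Open"):
    """Exercise the handler over a socketpair without binding a port. Returns the
    record and the banner the 'client' end received. peer_ip is constructed."""
    server_end, client_end = socket.socketpair()
    client_end.sendall(client_bytes)
    rec = handle_connection(server_end, (peer_ip, 40001), service, engine_state)
    client_end.settimeout(1.0)
    try:
        banner = client_end.recv(256)
    except (socket.timeout, OSError):
        banner = b""
    client_end.close()
    return rec, banner


if __name__ == "__main__":
    print(format_record(dry_run("ftp", b"USER anonymous\r\n")[0]))
    serve_trap(2121, "ftp")  # then listen for real on an unprivileged port
```

The handler never interprets what the client sends, which is the point of a trap as opposed to an emulated service: any connection to the port is suspicious by definition, so the value lies in the record and the timestamp, not in a convincing dialogue. The `dry_run` helper lets you check the record format offline before exposing a port.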

Alerting

Probably the weakest part of SPECTER is its reporting and alerting capability. Each time a connection request is received and processed, a message pops up in a small alert window on the Control program. However, since the Control program does not have to be running, it is also possible to have everything logged to a disk file and/or e-mailed to the administrator. Unfortunately, every alert is written to its own small file on disk, which makes gathering and reporting on the data incredibly tedious, given that there is no built-in reporting tool.
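Since the product leaves the administrator with a directory of one-alert-per-file and no reporting tool, the natural workaround is a small aggregator. The script below is an added example written for this review, not SPECTER's reporting code. It assumes each alert file holds simple "Field: value" lines carrying the remote IP, time and service the review says are logged; that layout, the file names and the sample alerts (the 203.0.113.5 and 198.51.100.7 addresses and their timestamps) are constructed for illustration, as the review does not show the product's real file format.

```python
"""Aggregate a directory of per-alert files into one summary.

Added example, not SPECTER's own reporting. Assumes one alert per text file
with "Field: value" lines (a layout chosen here for illustration)."""
import collections
import pathlib
import tempfile


def parse_alert(text):
    """Turn 'Field: value' lines into a dict; lines without a colon are ignored."""
    rec = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            rec[key.strip().lower()] = value.strip()
    return rec


def load_alerts(directory):
    """Read every *.txt alert in the directory, skipping files that lack the
    fields the review says SPECTER logs (remote IP, time, service)."""
    alerts = []
    for path in sorted(pathlib.Path(directory).glob("*.txt")):
        rec = parse_alert(path.read_text(encoding="utf-8", errors="replace"))
        if {"remote ip", "time", "service"} <= rec.keys():
            alerts.append(rec)
    return alerts


def summarize(alerts):
    """Counts by remote IP and by service, plus first/last seen per IP.
    Times are ISO-8601 strings, which sort chronologically, so min/max suffice."""
    by_ip = collections.Counter(a["remote ip"] for a in alerts)
    by_service = collections.Counter(a["service"] for a in alerts)
    seen = {}
    for a in alerts:
        ip = a["remote ip"]
        first, last = seen.get(ip, (a["time"], a["time"]))
        seen[ip] = (min(first, a["time"]), max(last, a["time"]))
    return {"total": len(alerts), "by_ip": dict(by_ip),
            "by_service": dict(by_service), "seen": seen}


def render(summary):
    """Plain-text report, busiest sources first."""
    lines = [f"Total alerts: {summary['total']}", "", "By remote IP:"]
    for ip, n in sorted(summary["by_ip"].items(), key=lambda kv: -kv[1]):
        first, last = summary["seen"][ip]
        lines.append(f"  {ip:<16} {n:>4}  first {first}  last {last}")
    lines += ["", "By service:"]
    for svc, n in sorted(summary["by_service"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {svc:<10} {n:>4}")
    return "\n".join(lines)


# Constructed sample alerts (not real SPECTER output) so the script runs offline.
# The last one lacks a Service line and must be skipped by load_alerts.
SAMPLE_ALERTS = [
    "Time: 2001-03-04T02:15:09Z\nRemote IP: 203.0.113.5\nService: ftp\nEngine state: Open\n",
    "Time: 2001-03-04T02:16:40Z\nRemote IP: 203.0.113.5\nService: ftp\nEngine state: Open\n",
    "Time: 2001-03-04T02:20:02Z\nRemote IP: 198.51.100.7\nService: http\nEngine state: Open\n",
    "Time: 2001-03-04T03:02:11Z\nRemote IP: 203.0.113.5\nService: telnet\nEngine state: Open\n",
    "Time: 2001-03-04T03:05:00Z\nRemote IP: 192.0.2.9\nEngine state: Open\n",
]


def write_samples(directory):
    """Write the constructed alerts as one file each, mirroring the per-alert
    files the review complains about."""
    for i, text in enumerate(SAMPLE_ALERTS):
        (pathlib.Path(directory) / f"alert{i:03d}.txt").write_text(text, encoding="utf-8")


def demo():
    """Run the whole pipeline over the constructed alerts in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        write_samples(d)
        return summarize(load_alerts(d))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        write_samples(d)
        print(render(summarize(load_alerts(d))))
```

Point `load_alerts` at the real alert directory instead of the temporary one to use it; files that are truncated or otherwise missing the core fields are dropped rather than allowed to corrupt the counts.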

One of the nicest features of SPECTER is the back track capability. As each connection is made to the fake services, SPECTER pretends to be cooperating with the intruder while it quietly runs a Finger and/or a port scan against the intruder’s machine. Obviously this will not always work, but it could provide a wealth of forensic information if the would-be hacker does not know how to cover his/her tracks. Any information gained from the scans is also written to the log file and e-mail message.

All in all, SPECTER is an extremely valuable tool. While it could never stand on its own as an IDS, it is not really meant to. Instead, it is designed as a complement to a traditional IDS system that could allow you to distract would-be intruders long enough to extract some information from them, or at least divert their attention from your live systems. Well worth a look.

Verdict

Ideal to run alongside your existing IDS, either on your DMZ or inside your corporate firewall, SPECTER will help you divert hacker attention away from your sensitive systems and gather evidence of any wrongdoing.

Product: Specter Intrusion Detection System 4.01
Supplier: NETSEC (Switzerland)
Telephone: +41 31 376 0534


Copyright © 1991-2005 The NSS Group Ltd. All rights reserved.
