Monitoring tools
Focus Question

What are the common ways of specifying network packets used in tcpdump, wireshark, and snort?


Packet Generators

  • ping – tests network connectivity (ICMP echo)

  • hping – sends crafted TCP/IP packets to network hosts

  • traceroute – probes the network path to a host

  • telnet – connects to arbitrary TCP ports

  • nc – establishes TCP and UDP connections

  • sock – acts as an arbitrary client or server

  • nmap – security port scanner


Packet Sniffers

  • tcpdump – command-line tool for capturing packets

  • wireshark – graphical sniffer and packet analyzer

  • snort – packet sniffer and network intrusion detection system


Packet Anatomy

  • ICMP Header information (with the label each field appears under in log output)

    • Type: TYPE=

    • Code: CODE=

    • Checksum

    • Data ::: (depends on Type and Code and is variable in length – some of it is logged)


Packet Anatomy

  • IP Header information (with the label each field appears under in log output)

    • Version

    • IHL (header length)

    • Type of Service: TOS=, PREC=

    • Total Length: LEN=

    • Identification: ID=

    • Flags

    • Fragment Offset: FRAG=

    • Time to Live: TTL=

    • Protocol: PROTO=

    • Header Checksum

    • Source Address: SRC=

    • Destination Address: DST=

    • Options: OPT= (not decoded, requires --log-ip-options)

    • Padding


Packet Anatomy

  • TCP Header information (with the label each field appears under in log output)

    • Source Port: SPT=

    • Destination Port: DPT=

    • Sequence Number: SEQ= (requires --log-tcp-sequence)

    • Acknowledgment Number: ACK= (requires --log-tcp-sequence)

    • Data Offset

    • Reserved: RES=

    • ECN bits

    • Flags: SYN, ACK, …

    • Window: WINDOW=

    • Checksum

    • Urgent Pointer: URGP=

    • Options: OPT= (not decoded, requires --log-tcp-options)


Packet Anatomy

  • UDP Header information (with the label each field appears under in log output)

    • Source Port: SPT=

    • Destination Port: DPT=

    • Length: LEN=

    • Checksum


Common tcpdump Options

  • tcpdump [-options] [expression]

    • -c count     # exit after count packets have been captured

    • -i ifc       # interface to listen on: eth0, lo …

    • -s snaplen   # number of bytes to capture per packet

    • -w filename  # save output to filename (binary pcap format)

    • -e           # include the link-layer frame header info

    • -n           # don't convert addresses to names

    • -x           # print the data of each packet in hex

    • -v           # verbose mode

    • expression: [tcp|udp] [dst|src] [host|net|port] id

Wireshark


Snort

  • Components

    • Binary: /usr/sbin/snort

    • Configuration:

      • /etc/sysconfig/snort

      • /etc/snort/snort.conf

      • /etc/snort/*.rules

    • Logging:

      • /var/log/snort

      • /etc/logrotate.d/snort


Uses of Snort

  • Packet sniffing:

    • snort -vde

  • Packet Logging mode:

    • snort -vde -l ./log # log is a directory

    • snort -vde -l ./log -h 192.168.1.0/24 # home network for naming the log directories

    • snort -b -l ./log # logs in binary (tcpdump) format

  • Intrusion Detection:

    • snort -d -l /var/log/snort -c /etc/snort.conf


The Snort Engine

Each packet flows through the engine in this order:

  • Packet acquisition

  • Packet decode

  • Preprocessors

  • Detection Engine

  • Log or Alert? – Yes: Output plugins; No: finished, next packet


Writing Snort Rules

  • Figure out what is “bad”

  • Capture traffic that includes the “bad stuff”

  • Learn the protocol

  • Figure out why the “bad stuff” is bad

  • Write a rule

  • Test the rule

  • Go back to step 5 (Write a rule) and refine until the test passes


Rule Format – basic rule

alert tcp 192.168.1.2 any -> 192.168.1.3 80 (msg:"your message"; content:"blah"; sid:10001;)

  • Other keyword:value pairs

    • reference:url,www.cabrillo.edu

    • rev:#

    • priority:#

    • classtype:type (see classification.config)

    • nocase;

    • depth:#

    • offset:#
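As an added example (not from the slides or from Snort itself), the following Python parses a rule in the basic format above and applies its header fields and its content, nocase, offset and depth options to already-decoded packets; the rule text, the packet dicts and the function names are constructed for illustration.

```python
# Constructed rule (in the basic format above) and constructed, already-decoded packets.
SAMPLE_RULE = ('alert tcp 192.168.1.2 any -> 192.168.1.3 80 '
               '(msg:"blah in request"; content:"blah"; nocase; offset:4; depth:10; sid:10001;)')
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "192.168.1.2", "sport": 40001, "dst": "192.168.1.3", "dport": 80,
     "payload": "GET /BLAH HTTP/1.1\r\n"},          # header and content both match
    {"proto": "tcp", "src": "192.168.1.2", "sport": 40002, "dst": "192.168.1.3", "dport": 80,
     "payload": "GET /index.html?q=blah HTTP/1.1"}, # 'blah' lies outside offset+depth
    {"proto": "tcp", "src": "192.168.1.9", "sport": 40003, "dst": "192.168.1.3", "dport": 80,
     "payload": "GET /blah HTTP/1.1"},              # header fails: wrong source address
]
def parse_rule(text):
    """Split a rule into its header words and an ordered list of (keyword, value) options."""
    head, opts = text.split("(", 1)
    action, proto, src, sport, _arrow, dst, dport = head.split()
    options = []
    for item in opts.rstrip(")").split(";"):     # naive split: fine while no content has ';'
        if item.strip():
            key, _, value = item.strip().partition(":")
            options.append((key.strip(), value.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}
def header_matches(rule, pkt):
    def ok(want, have): return want == "any" or want == str(have)   # 'any' matches all
    return (rule["proto"] == pkt["proto"] and ok(rule["src"], pkt["src"])
            and ok(rule["sport"], pkt["sport"]) and ok(rule["dst"], pkt["dst"])
            and ok(rule["dport"], pkt["dport"]))
def content_matches(options, payload):
    """Every content must be found; nocase/offset/depth modify the content just before them."""
    groups = []
    for key, value in options:
        if key == "content":
            groups.append({"content": value, "nocase": False, "offset": 0, "depth": None})
        elif key in ("nocase", "offset", "depth") and groups:
            groups[-1][key] = True if key == "nocase" else int(value)
    for g in groups:
        window = payload[g["offset"]:]            # offset: where the search starts
        if g["depth"] is not None:
            window = window[:g["depth"]]          # depth: how far past the offset it looks
        needle = g["content"].lower() if g["nocase"] else g["content"]
        if needle not in (window.lower() if g["nocase"] else window):
            return False
    return True
def evaluate(rule_text, pkt):
    """Return (action, sid, msg) when the packet triggers the rule, else None."""
    rule = parse_rule(rule_text)
    if header_matches(rule, pkt) and content_matches(rule["options"], pkt["payload"]):
        opts = dict(rule["options"])
        return (rule["action"], int(opts["sid"]), opts["msg"])
    return None
```

The second packet shows why offset and depth matter when testing a rule: the content string is present in the payload, but not inside the window the rule searches, so no alert fires.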


Review

Focus Question

What are the common ways of specifying network packets used in tcpdump, wireshark, and snort?

  • Network packets are most often identified by IP address, network address or port number

  • Keywords: host, net, and port describe the above identifiers. If no keyword is specified, host is assumed, e.g. net 192.168.1.0/24 or port 22

  • Direction keywords: src and dst can be combined with the logical operators and, or, not, e.g. src host 192.168.1.5 and dst port 22
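An added example (not part of the slides) that implements the host/net/port, src/dst and and/or/not syntax summarized above as a filter over log lines carrying the SRC=, DST=, PROTO=, SPT= and DPT= labels from the packet anatomy slides; the sample log lines and the function names are constructed, and the evaluator goes slightly beyond the slide by also accepting tcp/udp/icmp as terms, as the tcpdump expression line does.

```python
import ipaddress
import re

# Constructed sample log lines, using the field labels from the packet anatomy slides.
SAMPLE_LOG = [
    "SRC=192.168.1.5 DST=192.168.1.3 PROTO=TCP SPT=43122 DPT=22 SYN",
    "SRC=10.0.0.7 DST=192.168.1.3 PROTO=TCP SPT=51000 DPT=80",
    "SRC=192.168.1.9 DST=8.8.8.8 PROTO=UDP SPT=5353 DPT=53",
    "SRC=192.168.1.5 DST=192.168.1.20 PROTO=ICMP TYPE=8 CODE=0",
]

def compile_filter(expression):
    """Compile '[src|dst] [host|net|port] value' terms joined by and/or/not
    into a predicate over the KEY=value fields parsed from one log line."""
    toks = expression.split()
    def expr():                                # expr := term ('or' term)*
        left = term()
        while toks and toks[0] == "or":
            toks.pop(0)
            left = (lambda a, b: lambda p: a(p) or b(p))(left, term())
        return left
    def term():                                # term := factor ('and' factor)*
        left = factor()
        while toks and toks[0] == "and":
            toks.pop(0)
            left = (lambda a, b: lambda p: a(p) and b(p))(left, factor())
        return left
    def factor():                              # factor := 'not' factor | proto | primitive
        tok = toks.pop(0)
        if tok == "not":
            inner = factor()
            return lambda p: not inner(p)
        if tok in ("tcp", "udp", "icmp"):
            return lambda p: p.get("PROTO", "").lower() == tok
        dirs = ("SRC", "DST")                  # no src/dst keyword: either direction matches
        if tok in ("src", "dst"):
            dirs, tok = (tok.upper(),), toks.pop(0)
        kind = "host"                          # no host/net/port keyword: host is assumed
        if tok in ("host", "net", "port"):
            kind, tok = tok, toks.pop(0)
        if kind == "port":
            keys = ["SPT" if d == "SRC" else "DPT" for d in dirs]
            return lambda p: tok in [p.get(k) for k in keys]
        net = ipaddress.ip_network(tok, strict=False)   # a host is just a /32 net
        return lambda p: any(d in p and ipaddress.ip_address(p[d]) in net for d in dirs)
    return expr()

def matching_lines(expression, lines=SAMPLE_LOG):
    pred = compile_filter(expression)          # returns the 1-based numbers of selected lines
    return [i for i, line in enumerate(lines, 1)
            if pred(dict(re.findall(r"([A-Z]+)=(\S+)", line)))]
```

Note that not binds tighter than and, which binds tighter than or, so "tcp and not src net 192.168.1.0/24" selects TCP lines whose source lies outside the network.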
