Monitoring Tools - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Monitoring Tools' - palti
Presentation Transcript
Focus Question

What are the common ways of specifying network packets used in tcpdump, wireshark, and snort?

Packet Generators
  • ping – test network connectivity - icmp
  • hping – sends TCP/IP packets to network hosts
  • traceroute – probes network connectivity
  • telnet – connects to various ports
  • nc – establishes tcp and udp connections
  • sock – acts as arbitrary client and server
  • nmap – security port scanner
Packet Sniffers
  • tcpdump – command-line tool for capturing packets.
  • wireshark – graphical sniffer and packet analyzer.
  • snort – packet sniffing and network intrusion detection
Packet Anatomy
  • ICMP Header information
    • Type: TYPE=
    • Code: CODE=
    • Checksum
    • Data: depends on Type and Code and is variable in length (some logged)

Packet Anatomy
  • IP Header information
    • Version
    • IHL
    • Type of Service: TOS=, PREC=
    • Total Length: LEN=
    • Identification: ID=
    • Flags
    • Fragment Offset: FRAG=
    • TTL=
    • Protocol: PROTO=
    • Header Checksum
    • Source Address: SRC=
    • Destination Address: DST=
    • Options: OPT= (not decoded, requires --log-ip-options)
    • Padding

Packet Anatomy
  • TCP Header information
    • Source Port: SPT=
    • Destination Port: DPT=
    • Sequence Number: SEQ= (requires --log-tcp-sequence)
    • Acknowledgment Number: ACK= (requires --log-tcp-sequence)
    • Data Offset
    • Reserved: RES=
    • ECN
    • Flags: SYN, ACK, ...
    • Window: WINDOW=
    • Checksum
    • Urgent Pointer: URGP=
    • Options: OPT= (not decoded, requires --log-tcp-options)

Packet Anatomy
  • UDP Header information
    • Source Port: SPT=
    • Destination Port: DPT=
    • Length: LEN=
    • Checksum
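To make the four header slides concrete, here is an added decoder (not code from the presentation) that parses a raw IPv4 packet plus its ICMP, TCP or UDP header with `struct` and renders the fields under the same KEY=value labels the slides use. The sample packet is constructed by hand for this example and is not a real capture.

```python
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = (("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20), ("ACK", 0x10),
                 ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))

# Constructed sample (not a capture): IPv4/TCP SYN 192.168.1.2:40000 -> 192.168.1.3:80, DF set, MSS option, checksums zero.
SAMPLE_TCP_SYN = bytes.fromhex(
    "4500002c1c4640004006"        # ver=4 IHL=5, TOS=0, LEN=44, ID=0x1c46, DF, TTL=64, PROTO=6
    "0000c0a80102c0a80103"        # header checksum, SRC=192.168.1.2, DST=192.168.1.3
    "9c4000500000000100000000"    # SPT=40000, DPT=80, SEQ=1, ACK=0
    "6002721000000000020405b4")   # data offset=6 words, SYN, WINDOW=29200, csum, URGP, MSS opt

def decode_l4(proto, seg):
    """Decode the ICMP, TCP or UDP header into the field names used on the slides."""
    if proto == 6:
        spt, dpt, seq, ack, off_flags, win, _, urgp = struct.unpack("!HHIIHHHH", seg[:20])
        doff = (off_flags >> 12) * 4                 # header length in bytes
        return {"SPT": spt, "DPT": dpt, "SEQ": seq, "ACK": ack, "WINDOW": win,
                "RES": (off_flags >> 8) & 0x0F, "URGP": urgp,   # the 4 bits after Data Offset
                "TCPFLAGS": " ".join(n for n, b in TCP_FLAG_BITS if off_flags & b),
                "TCPOPT": seg[20:doff].hex()}       # raw option bytes, not decoded
    if proto == 17:
        spt, dpt, ulen, _ = struct.unpack("!HHHH", seg[:8])
        return {"SPT": spt, "DPT": dpt, "UDPLEN": ulen}
    if proto == 1:
        typ, code = struct.unpack("!BB", seg[:2])
        return {"TYPE": typ, "CODE": code}
    return {}

def decode_packet(pkt):
    """Decode the IPv4 header, then hand the payload to decode_l4; returns one flat dict."""
    vihl, tos, length, ident, frag, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    hdr = {"SRC": ".".join(map(str, src)), "DST": ".".join(map(str, dst)), "LEN": length,
           "TOS": tos & 0x1E, "PREC": tos & 0xE0, "TTL": ttl, "ID": ident,
           "FRAG": (frag & 0x1FFF) * 8,                # fragment offset in bytes
           "IPFLAGS": " ".join(n for n, b in (("DF", 0x4000), ("MF", 0x2000)) if frag & b),
           "IPOPT": pkt[20:ihl].hex(), "PROTO": PROTO_NAMES.get(proto, str(proto))}
    hdr.update(decode_l4(proto, pkt[ihl:]))
    return hdr

def log_line(hdr):
    """Render KEY=value pairs; flag words stand alone and empty option fields are dropped."""
    return " ".join(v if k.endswith("FLAGS") else f"{k}={v}"
                    for k, v in hdr.items() if v != "")

if __name__ == "__main__":
    print(log_line(decode_packet(SAMPLE_TCP_SYN)))
```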

Common tcpdump Options
  • tcpdump [-options] [expression]
    • -c count # exit after count packets captured
    • -i ifc # interface to listen on: eth0, lo ...
    • -s snaplen # number of bytes to capture per packet
    • -w filename # save output to filename (binary)
    • -e # include the frame header info
    • -n # don't convert addresses to names
    • -x # print data of each packet in hex
    • -v # verbose mode

expression: [tcp|udp] [dst|src] [host|net|port] id

Snort
  • Components
    • Binary: /usr/sbin/snort
    • Configuration:
      • /etc/sysconfig/snort
      • /etc/snort/snort.conf
      • /etc/snort/*.rules
    • Logging:
      • /var/log/snort
      • /etc/logrotate.d/snort
Uses of Snort
  • Packet sniffing:
    • snort -vde
  • Packet Logging mode:
    • snort -vde -l ./log # log is a directory
    • snort -vde -l ./log -h 192.168.1.0/24
    • snort -b -l ./log # logs in binary format
  • Intrusion Detection:
    • snort -d -l /var/log/snort -c /etc/snort.conf
The Snort Engine
  • Packet acquisition
  • Packet decode
  • Preprocessors
  • Detection Engine
  • Log or Alert?
    • Yes: Output plugins
    • No: Finished, next packet

Writing Snort Rules
  1. Figure out what is “bad”
  2. Capture traffic that includes the “bad stuff”
  3. Learn the protocol
  4. Figure out why the “bad stuff” is bad
  5. Write a rule
  6. Test the rule
  7. Go to 5.
Rule Format – basic rule

alert tcp 192.168.1.2 any -> 192.168.1.3 80 (msg:"your message";content:"blah";sid:10001;)

  • Other keyword:value pairs
    • reference:url,www.cabrillo.edu
    • rev:#
    • priority:#
    • classtype:type (see classification.config)
    • nocase;
    • depth:#
    • offset:#
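The following added example (my own code, not Snort's and not from the slides) parses the basic rule shape shown above and checks it against a packet summary, implementing the header match plus the content, nocase, offset and depth options. SAMPLE_PKT is a constructed packet, and the parser assumes no ';' appears inside quoted option values.

```python
import ipaddress

SLIDE_RULE = ('alert tcp 192.168.1.2 any -> 192.168.1.3 80 '
              '(msg:"your message";content:"blah";sid:10001;)')

# Constructed packet summary (not a capture) that the slide's rule should fire on.
SAMPLE_PKT = {"proto": "tcp", "src": "192.168.1.2", "sport": 45678,
              "dst": "192.168.1.3", "dport": 80, "payload": b"GET /blah HTTP/1.0"}

def parse_rule(text):
    """Split a basic 'alert <proto> <src> <sport> -> <dst> <dport> (opts)' rule into a dict."""
    head, _, opts = text.partition("(")
    action, proto, src, sport, arrow, dst, dport = head.split()   # only '->' rules handled
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "content": None, "nocase": False, "offset": 0, "depth": None}
    for opt in opts.rstrip(")").split(";"):          # assumes no ';' inside quoted values
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key in ("offset", "depth"):
            rule[key] = int(val)
        elif key == "nocase":
            rule["nocase"] = True
        elif key:                                    # msg, content, sid, rev, priority, ...
            rule[key] = val
    return rule

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt):
    """Header check first; then search the payload for content, limited by offset/depth."""
    header_ok = (pkt["proto"] == rule["proto"]
                 and addr_match(rule["src"], pkt["src"]) and port_match(rule["sport"], pkt["sport"])
                 and addr_match(rule["dst"], pkt["dst"]) and port_match(rule["dport"], pkt["dport"]))
    if not header_ok or rule["content"] is None:
        return header_ok
    window = pkt["payload"][rule["offset"]:]         # offset: where the search starts
    if rule["depth"] is not None:
        window = window[:rule["depth"]]              # depth: how many bytes past offset to look
    needle = rule["content"].encode()
    if rule["nocase"]:
        window, needle = window.lower(), needle.lower()
    return needle in window

if __name__ == "__main__":
    rule = parse_rule(SLIDE_RULE)
    print(f"[sid {rule['sid']}] {rule['msg']}: match={rule_matches(rule, SAMPLE_PKT)}")
```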
Focus Question

What are the common ways of specifying network packets used in tcpdump, wireshark, and snort?

  • Network packets are most often identified by IP address, network address or port number
  • Keywords: host, net, and port are used to describe the above identifiers. If no keyword is specified, host is assumed, e.g. net 192.168.1.0/24 or port 22
  • Direction keywords: src and dst can be used with logical operators: and, or, not, e.g. src host 192.168.1.5 and dst port 22
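As an added example serving both the tcpdump expression line (`[tcp|udp] [dst|src] [host|net|port] id`) and the focus-question answer above, here is my own small compiler (not part of the presentation) for that filter grammar: it defaults to `host` when no keyword is given, matches either end when no direction is given, and gives `and` precedence over `or`, as tcpdump does. The packet summaries are constructed for this example and use hypothetical dictionary keys (proto, src, srcport, dst, dstport).

```python
import ipaddress

def parse_primitive(toks):
    """[tcp|udp] [src|dst] [host|net|port] id; 'host' is assumed when no keyword is given."""
    proto = toks.pop(0) if toks and toks[0] in ("tcp", "udp", "icmp") else None
    if proto and (not toks or toks[0] in ("and", "or", ")")):
        return lambda pkt: pkt["proto"] == proto            # bare "tcp" / "udp" term
    direction = toks.pop(0) if toks and toks[0] in ("src", "dst") else None
    kind = toks.pop(0) if toks and toks[0] in ("host", "net", "port") else "host"
    value = toks.pop(0)
    sides = [direction] if direction else ["src", "dst"]    # no direction: either end matches
    net = None if kind == "port" else ipaddress.ip_network(value, strict=False)
    def test(pkt):
        if proto and pkt["proto"] != proto:
            return False
        if kind == "port":
            return any(pkt[s + "port"] == int(value) for s in sides)
        return any(ipaddress.ip_address(pkt[s]) in net for s in sides)
    return test

def parse_not(toks):
    if toks[0] == "not":
        toks.pop(0); inner = parse_not(toks)
        return lambda pkt: not inner(pkt)
    if toks[0] == "(":
        toks.pop(0); inner = parse_expr(toks); toks.pop(0)   # the closing ')'
        return inner
    return parse_primitive(toks)

def parse_and(toks):                       # 'and' binds tighter than 'or', as in tcpdump
    left = parse_not(toks)
    while toks and toks[0] == "and":
        toks.pop(0); left = (lambda l, r: lambda p: l(p) and r(p))(left, parse_not(toks))
    return left

def parse_expr(toks):
    left = parse_and(toks)
    while toks and toks[0] == "or":
        toks.pop(0); left = (lambda l, r: lambda p: l(p) or r(p))(left, parse_and(toks))
    return left

def compile_filter(expr):
    """Turn a tcpdump-style expression into a predicate over a packet-summary dict."""
    toks = expr.replace("(", " ( ").replace(")", " ) ").split()
    return parse_expr(toks)

# Constructed packet summaries (not captures): an inbound SSH SYN and an outbound DNS query.
SSH_IN = {"proto": "tcp", "src": "192.168.1.5", "srcport": 51000, "dst": "192.168.1.10", "dstport": 22}
DNS_OUT = {"proto": "udp", "src": "192.168.1.10", "srcport": 40000, "dst": "10.0.0.53", "dstport": 53}
```

For example, `compile_filter("src host 192.168.1.5 and dst port 22")(SSH_IN)` is true and the same predicate is false for DNS_OUT.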