
Presentation Transcript


  1. Table of Contents • 3 - IDS types • 8 - Ethernet Frame • 9 - IP frame • 10 - TCP frame • 11 - UDP frame • 12 - ICMP Frame • 13 - 3-way handshake • 15 - TCP flags • 16 - ICMP types • 17 - Shadow IDS • 23 - Snort IDS • 25 - Auditing • 26 - Resources

  2. Author • Jerry Shenk • D&E Communications

  3. IDS Types • Host based: examines log files and programs on the host itself • Network based: monitors traffic on the wire; split into a sensor (capture) and an analyzer (reporting)

  4. Network IDS types • Signature based: looks for specific bad packet signatures • Anomaly based: normal traffic is defined; anything else is reported

  5. Network IDS responses • Pager/E-mail: “real-time”, but every false alarm pages someone • Blocking: proactive, but DoS prone (an attacker who spoofs a source address can get the IDS to block a legitimate host) • Resetting: sending TCP RSTs to tear the connection down • Periodic wrapup: a summary report, but the analyst may not check status

  6. Network IDS - Commercial • Cisco Secure IDS (NetRanger) • ISS RealSecure • Axent Intruder Alert (Raptor) • NWS Dragon • CheckPoint Cyber Attack Defense System

  7. Network IDS - free • Shadow - Anomaly based • Based on tcpdump • filters are fully configurable although hard to follow • traffic is captured and processed hourly - perl • Snort - Signature based • filters are fully configurable and require detailed info but easier than tcpdump

  8. Ethernet Encapsulation
     Interface layer:  | Frame header | Frame data area                                            |
     Internet layer:                  | IP datagram header | IP data                               |
     Transport layer:                                      | ICMP/UDP/TCP header | Protocol data   |

  9. IP Packets (header is 20 bytes without options)
     bit:  0        4         8                16                        31
           | version | hdr length | type of service | total length of datagram     |
           | identification number              | R | DF | MF | fragment offset    |
           | time-to-live (ttl) | protocol      | header checksum                  |
           | source IP address (4 bytes)                                           |
           | destination IP address (4 bytes)                                      |
           | options field (variable length, max length 40 bytes)                  |
           | data                                                                  |

  10. TCP Packets (header is 20 bytes without options)
      bit:  0                    16                          31
            | source port number  | destination port number  |
            | sequence number                                |
            | acknowledgement number                         |
            | hdr lgth | reserved | U A P R S F | window size |
            | TCP checksum        | urgent pointer           |
            | options field (variable length, max length 40 bytes) |
            | data                                           |

  11. UDP Packets (8-byte header)
      bit:  0                    16                          31
            | source port number  | destination port number  |
            | UDP datagram length | UDP checksum (optional)  |
            | data                                           |

  12. ICMP packets
      bit:  0        8        16                          31
            | type   | code   | checksum                   |
            | contents depend on type and code (echo has sender identifier and sequence info) |
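The header layouts on slides 8 through 12 are exactly what an IDS sensor has to decode before any rule can fire. The following decoder is an added example written for this page, not code from the presentation or from Shadow or Snort: it walks an Ethernet II frame into the IPv4 header (verifying the header checksum and extracting the DF/MF bits and fragment offset) and then into TCP, UDP or ICMP. The sample frame is constructed by hand so the script runs offline; its addresses, MAC addresses and sequence number are invented, and the TCP checksum is left at zero and not verified.

```python
"""Decode Ethernet / IPv4 / TCP / UDP / ICMP headers (RFC 894, 791, 793, 768, 792).

Added example, not from the original presentation.  SAMPLE_FRAME is constructed
by hand below; nothing is captured from a network.
"""
import socket
import struct

# TCP flag letters in the order tcpdump prints them
TCP_FLAG_BITS = (("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10), ("U", 0x20))


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum.  Over a header whose checksum field is
    already filled in, a correct header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ethernet(frame: bytes):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype}, frame[14:]


def parse_ipv4(data: bytes):
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # header length is in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    hdr = {
        "ihl": ihl, "tos": tos, "total_length": total_len, "id": ident,
        "DF": bool(flags_frag & 0x4000), "MF": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,         # in 8-byte units
        "ttl": ttl, "proto": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": data[20:ihl],
        "checksum_ok": ip_checksum(data[:ihl]) == 0,
    }
    return hdr, data[ihl:total_len]


def parse_tcp(data: bytes):
    (sport, dport, seq, ack, off_res, flags, win,
     _csum, urg) = struct.unpack("!HHIIBBHHH", data[:20])
    doff = (off_res >> 4) * 4                       # data offset, also in 32-bit words
    hdr = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": "".join(n for n, bit in TCP_FLAG_BITS if flags & bit),
        "window": win, "urgent": urg, "options": data[20:doff],
    }
    return hdr, data[doff:]


def parse_udp(data: bytes):
    sport, dport, length, _csum = struct.unpack("!HHHH", data[:8])
    return {"sport": sport, "dport": dport, "length": length}, data[8:length]


def parse_icmp(data: bytes):
    typ, code, _csum = struct.unpack("!BBH", data[:4])
    hdr = {"type": typ, "code": code}
    if typ in (0, 8):                               # echo reply / request carry id + seq
        hdr["id"], hdr["seq"] = struct.unpack("!HH", data[4:8])
        return hdr, data[8:]
    return hdr, data[4:]


TRANSPORT = {1: ("icmp", parse_icmp), 6: ("tcp", parse_tcp), 17: ("udp", parse_udp)}


def decode_frame(frame: bytes) -> dict:
    """Decode one Ethernet frame; transport headers are only decoded in the
    first fragment (offset 0), as later fragments carry no transport header."""
    eth, rest = parse_ethernet(frame)
    out = {"eth": eth}
    if eth["type"] == 0x0800:
        ip, payload = parse_ipv4(rest)
        out["ip"] = ip
        if ip["proto"] in TRANSPORT and ip["frag_offset"] == 0:
            name, fn = TRANSPORT[ip["proto"]]
            out[name], out["payload"] = fn(payload)
    return out


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, df: bool = True) -> bytes:
    """Build an IPv4 header, filling in the checksum over a zeroed field as a sender would."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000 if df else 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


# Constructed sample (invented addresses): SYN from client port 4247 to server port 23
# with an MSS option, like the first line of the slide's tcpdump trace.
TCP_SYN = struct.pack("!HHIIBBHHH", 4247, 23, 3073470005, 0, 6 << 4, 0x02, 512, 0, 0)
TCP_SYN += struct.pack("!BBH", 2, 4, 1460)          # option kind 2 (MSS), length 4, value 1460
SAMPLE_FRAME = (bytes.fromhex("0011223344550066778899aa0800")
                + build_ipv4("192.168.1.10", "192.168.1.1", 6, TCP_SYN))

if __name__ == "__main__":
    import pprint
    pprint.pprint(decode_frame(SAMPLE_FRAME))
```

Fragments with a non-zero offset are decoded only to the IP layer on purpose: a sensor that tries to read TCP flags out of a later fragment reads payload bytes, which is one of the classic ways to evade a signature engine.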

  13. 3-way Handshake & Termination
      client (port = 4247/tcp)                          server (port = 23/tcp)
          SYN          ------------------------------>
                       <------------------------------  SYN-ACK
          ACK          ------------------------------>
      [session proceeds; ACK is set on every packet for the rest of the session]
          FIN          ------------------------------>
                       <------------------------------  ACK
                       <------------------------------  FIN
          ACK          ------------------------------>
      Either the client or the server may initiate the closing sequence

  14. 3-way Handshake & Termination (tcpdump output)
      Establishment
        client.4247 > server.23: S 3073470005:3073470005(0) win 512 <mss 1460>
        server.23 > client.4247: S 1932608000:1932608000(0) ack 3073470006 win 61320 <mss 1460> (DF)
        client.4247 > server.23: . ack 1932608001 win 32120 (DF)
      Termination
        client.4247 > server.23: F 3073470006:3073470006(0) ack 1932608001 win 32120
        server.23 > client.4247: . ack 3073470007 win 61320 (DF)
        server.23 > client.4247: F 1932608001:1932608001(0) ack 3073470007 win 61320 (DF)
        client.4247 > server.23: . ack 1932608002 win 32120 (DF)
      Legend
        S = SYN flag is set
        F = FIN flag is set
        . = none of the S, F, R, P flags are set (ack and urg are displayed differently)
        (x) = x data bytes in the packet
        win = advertised window size
        mss = max segment size announcement
        DF = don't fragment flag is set

  15. TCP Flags • FIN : sender is finished sending data -- initiates a half close • SYN : synchronize the sequence numbers to establish a connection • RST : reset (abort) the connection • PSH : tells the receiver not to buffer the data before passing it to the application (interactive applications use this) • ACK : acknowledgement number is valid • URG : urgent pointer is valid (often results from an interrupt, e.g. a telnet interrupt sent as urgent data)
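Slides 14 and 15 show the handshake trace and the flags, but the arithmetic that makes the trace hang together (SYN and FIN each consume one sequence number, so every ack number is the peer's ISN + 1 or FIN seq + 1) is what an analyst checks by eye. This added example, written for this page and not part of the presentation, parses the slide's own seven tcpdump lines and walks them through a small session tracker that verifies each ack against the other side's next sequence number and reports when the session is established and fully closed. The hostnames client and server are the slide's placeholders; the parser only understands the old tcpdump flag notation the slide uses.

```python
"""Verify sequence/ack arithmetic in the slide's tcpdump handshake trace.

Added example, not from the original presentation.  TRACE is the slide's own
trace; the parser and state machine are this page's illustration.
"""
import re

TRACE = """\
client.4247 > server.23: S 3073470005:3073470005(0) win 512 <mss 1460>
server.23 > client.4247: S 1932608000:1932608000(0) ack 3073470006 win 61320 <mss 1460> (DF)
client.4247 > server.23: . ack 1932608001 win 32120 (DF)
client.4247 > server.23: F 3073470006:3073470006(0) ack 1932608001 win 32120
server.23 > client.4247: . ack 3073470007 win 61320 (DF)
server.23 > client.4247: F 1932608001:1932608001(0) ack 3073470007 win 61320 (DF)
client.4247 > server.23: . ack 1932608002 win 32120 (DF)
"""

# host.port > host.port: FLAGS [seq:end(len)] [ack N] win N [<mss N>] [(DF)]
LINE = re.compile(
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)(?: <mss (?P<mss>\d+)>)?(?: \((?P<df>DF)\))?$"
)


def parse_line(line: str) -> dict:
    m = LINE.match(line.strip())
    if not m:
        raise ValueError("unrecognised tcpdump line: " + line)
    d = m.groupdict()
    num = lambda k: int(d[k]) if d[k] is not None else None
    return {"src": d["src"], "dst": d["dst"], "flags": d["flags"],
            "seq": num("seq"), "len": num("len") or 0, "ack": num("ack"),
            "win": num("win"), "mss": num("mss"), "df": d["df"] is not None}


def track_session(lines) -> dict:
    """Replay the segments, checking every ack against the peer's next sequence
    number.  Raises ValueError on the first inconsistent acknowledgement."""
    next_seq = {}                      # host -> next sequence number it will send
    syn_from, fin_from, fin_acked = set(), set(), set()
    established, initiator, closer, events = False, None, None, []
    for n, line in enumerate(lines, 1):
        p = parse_line(line)
        src, dst, flags = p["src"], p["dst"], p["flags"]
        if "S" in flags:
            initiator = initiator or src
            syn_from.add(src)
            next_seq[src] = p["seq"] + 1            # a SYN occupies one sequence number
            events.append(f"{n}: {src} SYN, ISN {p['seq']}, MSS {p['mss']}")
        if p["ack"] is not None:
            expected = next_seq.get(dst)
            if p["ack"] != expected:
                raise ValueError(f"line {n}: {src} acks {p['ack']} but {dst}'s next seq is {expected}")
            if dst in fin_from:
                fin_acked.add(dst)                  # the peer's FIN has now been acknowledged
            if len(syn_from) == 2 and "S" not in flags and not established:
                established = True
                events.append(f"{n}: third packet acks the SYN-ACK, session established")
        if "F" in flags:
            closer = closer or src
            fin_from.add(src)
            next_seq[src] = p["seq"] + p["len"] + 1  # a FIN also occupies one sequence number
            events.append(f"{n}: {src} FIN, half close")
        elif "S" not in flags and p["len"]:
            next_seq[src] += p["len"]               # plain data advances by its byte count
    closed = len(fin_from) == 2 and fin_acked == fin_from
    if closed:
        events.append("both FINs acknowledged, connection closed")
    return {"established": established, "closed": closed,
            "initiator": initiator, "closer": closer, "events": events}


if __name__ == "__main__":
    for e in track_session(TRACE.splitlines())["events"]:
        print(e)
```

A trace where an ack does not line up is the interesting case for an analyst: a SYN-ACK that acknowledges the wrong number, or acks for a session with no SYN, is what stray replies to a spoofed scan look like, and the tracker refuses to treat such traffic as a session.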

  16. ICMP Types
      type  description                  type  description
        0   echo reply                    12   parameter problem
        3   destination unreachable       13   timestamp request
        4   source quench                 14   timestamp reply
        5   redirect                      15   information request
        8   echo request                  16   information reply
        9   router advertisement          17   address mask request
       10   router solicitation           18   address mask reply
       11   time exceeded

  17. Shadow initial screen

  18. Shadow sample hourly screen

  19. Shadow Search

  20. Shadow Search 2

  21. Shadow tcpdump sensor filter
      ip and not (
          (igrp or dst port 520 or port 524 or port 1677 or port 1494)
          or
          (net 10.0.0.0 mask 255.0.0.0 and ((icmp[0]=8) or (icmp[0]=0)))
      )
      Capture all IP traffic except routine noise: IGRP and RIP (520), NCP (524), GroupWise (1677) and Citrix ICA (1494) traffic, and echo request/reply (icmp[0] is the ICMP type byte) to or from the internal 10.0.0.0/8 network.

  22. Shadow tcpdump analyzer filters • Analyzer filters are broken into sections to make them easier to read and to avoid a size limitation. They use the same syntax as the sensor filter but are much larger. • tcp.filter • udp.filter • icmp.filter • ip.filter

  23. Snort rules
      • SYN/FIN scan (SYN and FIN set together never occurs in legitimate TCP)
        alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS198/SYN FIN Scan"; flags: SF;)
      • DNS zone transfer
        alert TCP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS212/dns-zone-transfer"; content: "|01 00 00 01 00 00 00 00 00 00|"; flags: AP; offset: "2"; depth: "16";)
        The content bytes are the DNS header fields that follow the 2-byte TCP length prefix and the transaction ID: flags 0x0100 (recursion desired) and counts QD=1, AN=0, NS=0, AR=0. That matches any TCP-carried DNS query with one question, not only AXFR; confirming a zone transfer means checking the question's QTYPE (252 for AXFR), which lies after the name and outside this pattern.
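To show how the two rules on slide 23 behave against real byte layouts, here is an added example written for this page; it is neither the presentation's code nor Snort's. It applies the rules to constructed TCP segments: `flags: SF` is treated as an exact match (SYN and FIN set and nothing else, which is Snort's meaning when no + or * modifier is given), `content` with `offset`/`depth` is searched only in the payload window starting at the offset, and $EXTERNAL/$INTERNAL are modelled as "not in 10.0.0.0/8" and "in 10.0.0.0/8" (an assumption; the slides never define them). A stricter AXFR check that parses the question section sits beside the rule to make the caveat above concrete: an ordinary A-record query over TCP fires IDS212, an actual AXFR fires both.

```python
"""Apply slide 23's two Snort rules to constructed TCP segments.

Added example, not from the original presentation or from Snort.  The packets
and DNS messages below are built by hand; the 10.0.0.0/8 internal net is an
assumption for $INTERNAL / $EXTERNAL.
"""
import ipaddress
import struct

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed meaning of $INTERNAL
QTYPE_AXFR = 252

RULES = [
    {"msg": "IDS198/SYN FIN Scan", "dport": None, "flags": "SF"},
    {"msg": "IDS212/dns-zone-transfer", "dport": 53, "flags": "AP",
     "content": bytes.fromhex("01000001000000000000"), "offset": 2, "depth": 16},
]


def flags_match(pkt_flags: str, rule_flags: str) -> bool:
    """Snort 'flags:XY;' with no modifier means exactly those flags and no others."""
    return set(pkt_flags) == set(rule_flags)


def content_match(payload: bytes, content: bytes, offset: int = 0, depth=None) -> bool:
    """Search for 'content' only inside payload[offset : offset+depth]."""
    end = None if depth is None else offset + depth
    return content in payload[offset:end]


def rule_matches(rule: dict, pkt: dict) -> bool:
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if src in INTERNAL_NET or dst not in INTERNAL_NET:   # $EXTERNAL any -> $INTERNAL
        return False
    if rule["dport"] is not None and pkt["dport"] != rule["dport"]:
        return False
    if not flags_match(pkt["flags"], rule["flags"]):
        return False
    if "content" in rule and not content_match(pkt["payload"], rule["content"],
                                               rule["offset"], rule["depth"]):
        return False
    return True


def evaluate(packets) -> list:
    """Run every rule over every packet; return [(packet index, rule msg)]."""
    return [(i, r["msg"]) for i, p in enumerate(packets) for r in RULES if rule_matches(r, p)]


def dns_tcp_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """A DNS query (RD set, one question) with the 2-byte length prefix used over TCP."""
    qname = b"".join(struct.pack("!B", len(l)) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg


def is_axfr_query(payload: bytes) -> bool:
    """Stricter check than IDS212: walk the question name and test QTYPE == AXFR."""
    if len(payload) < 2:
        return False
    (length,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + length]
    if len(msg) < 12:
        return False
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:                   # must be a query with one question
        return False
    i = 12
    while i < len(msg):
        label_len = msg[i]
        if label_len == 0:
            i += 1
            break
        if label_len & 0xC0:                             # compression pointer: not valid here
            return False
        i += 1 + label_len
    else:
        return False                                     # ran out of bytes inside the name
    if i + 4 > len(msg):
        return False
    qtype, _qclass = struct.unpack("!HH", msg[i:i + 4])
    return qtype == QTYPE_AXFR


# Constructed traffic (invented addresses): index 0 is a SYN/FIN probe, 1 a normal SYN,
# 2 an AXFR over TCP, 3 an ordinary A query over TCP, 4 an AXFR from an internal host.
PACKETS = [
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 23, "flags": "SF", "payload": b""},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 23, "flags": "S", "payload": b""},
    {"src": "198.51.100.7", "dst": "10.0.0.53", "dport": 53, "flags": "AP",
     "payload": dns_tcp_query("example.com", QTYPE_AXFR)},
    {"src": "198.51.100.7", "dst": "10.0.0.53", "dport": 53, "flags": "AP",
     "payload": dns_tcp_query("example.com", 1)},
    {"src": "10.0.0.9", "dst": "10.0.0.53", "dport": 53, "flags": "AP",
     "payload": dns_tcp_query("example.com", QTYPE_AXFR)},
]

if __name__ == "__main__":
    for idx, msg in evaluate(PACKETS):
        print(idx, msg, "AXFR confirmed" if is_axfr_query(PACKETS[idx]["payload"]) else "")
```

Packet 3 is the false positive the caveat describes: the rule's content bytes sit at payload offsets 4 through 13 of every single-question TCP query with RD set, so IDS212 alerts on it even though the QTYPE is A. Pairing the signature with the QTYPE check, or extending the content to include the trailing `00 FC 00 01`, is how an analyst turns the alert into something worth paging for.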

  24. Snort responses • logging • resetting

  25. Auditing The Network • Scan your network - web based • http://www.webtrends.net/tools/security/scan.asp • https://grc.com/x/ne.dll?bh0bkyd2 • More thorough • Nessus - runs on unix, free, Windows client available • Satan/Saint/Sara - runs on unix, free • Cisco NetSonar - runs on NT • Cybercop (Balista) - http://www.nai.com • nmap - unix, command-line, very flexible

  26. Resources • Port numbers • http://www.snort.org (port search link) • http://dev.whitehats.com/ids/ids.html • http://www.isi.edu/in-notes/iana/assignments/port-numbers

  27. Resources • Security Sites • http://www.sans.org • http://www.cert.org/advisories/ • http://www.cerias.purdue.edu/coast/ • http://www.nipc.gov/ • http://dev.whitehats.com/
