Table of Contents
advertisement
Table of Contents • • • • • • • 3 - IDS types 8 - Ethernet Frame 9 - IP frame 10 - TCP frame 11 - UDP frame 12 - ICMP Frame 13 - 3-way handshake • • • • • • 15 - TCP flags 16 - ICMP types 17 - Shadow IDS 23 - Snort IDS 25 - Auditing 26 - Resources Author • Jerry Shenk • D&E Communications IDS Types • Host Based – Log files – Programs • Network based – Monitor traffic – Sensor/Analyzer Network IDS types • Signature based – Looks for specific bad packet signatures • Anomoly based – Normal traffic is defined. Other traffic is reported Network IDS responses • Pager/E-mail – “real-time” vs. false alarms • Blocking – proactive vs. DOS prone • Resetting • Periodic wrapup – Analyst may not check status Network IDS - Commercial • • • • • Cisco Secure IDS (NetRanger) ISS RealSecure Axent Intruder Alert (Raptor) NWS Dragon CheckPoint Cyber Attack Defense System Network IDS - free • Shadow - Anomoly based – Based on tcpdump – filters are fully configurable although hard to follow – traffic is captured and processed hourly - perl • Snort - Signature based – filters are fully configurable and require detailed info but easier than tcpdump Ethernet Encapsulation Interface Layer Internet Layer Transport Layer Frame Header Frame Data Area IP Datagram Header IP Data ICMP/UDP/TCP Header Protocol Data IP Packets31 16 0 version hdr lnth identification number time-to-live (ttl) total length of datagram type of service R DF MF protocol fragment offset header checksum source IP address (4 bytes) destination IP address (4 bytes) options field (variable length, max length 40 bytes) data 20 bytes TCP Packets 0 16 source port number 31 destination port number sequence number acknowledgement number hdr lgth reserved U A P R S F TCP checksum window size urgent pointer options field (variable length, max length 40 bytes) data 20 bytes UDP Packets 0 16 source port number 31 destination port number UDP datagram length optional data UDP checksum ICMP packets 0 8 type 16 code 31 checksum contents depend on type and code (echo has sender and sequence info) 3-way Handshake & Termination SYN SYN - ACK ACK client (port = 4247/tcp) [ACK set for each packet in the of session] [session proceeds] FIN ACK ACK FIN ACK ACK server (port = 23/tcp) Either the client or the server may initiate the closing sequence 3-way Handshake & Termination Establishment client.4247 > server.23: S 3073470005:3073470005(0) win 512 <mss 1460> server.23 > client.4247: S 1932608000:1932608000(0) ack 3073470006 win 61320 <mss 1460> (DF) client.4247 > server.23: . ack 1932608001 win 32120 (DF) Termination client.4247 > server.23: F 3073470006:3073470006(0) ack 1932608001 win 32120 server.23 > client.4247: . ack 3073470007 win 61320 (DF) server.23 > client.4247: F 1932608001:1932608001(0) ack 3073470007 win 61320 (DF) client.4247 > server.23: . ack 1932608002 win 32120 (DF) S = SYN flag is set F = FIN flag is set . = none of the SFRP flags are set (ack and urg are displayed differently) (x) = x data bytes in the packet win = advertised window size mss = max segment size announcement DF = don’t fragment flag is set TCP Flags • FIN : sender is finished sending data -- initiate a half close • SYN : synchronize the sequence numbers to establish a connection • RST : reset (abort) the connection • PSH : tells receiver not to buffer the data before passing it to the application (interactive applications use this) • ACK : acknowledgement number is valid • URG : urgent pointer is valid (often results from an interrupt) ICMP Types msg# description msg# description 0 3 4 5 8 9 10 11 echo reply destination unreachable source quench redirect echo request router advertisement router solicitation time exceeded 12 13 14 15 16 17 18 parameter problem timestamp request timestamp reply information request information reply address mask request address mask reply Shadow initial screen Shadow sample hourly screen Shadow Search Shadow Search 2 Shadow tcpdump sensor filter • (ip and not • ( (igrp or dst port 520 or port 524 or port 1677 or port 1494) • or • (net 10.0.0.0 mask 255.0.0.0 and ((icmp[0]=8) or (icmp[0]=0))) • ) ) Shadow tcpdump analyzer filters • Analyzer filters - broken into sections to make them easier to read and avoid a size limitation. Use the same syntax as the sensor filter but are much larger. – – – – tcp.filter udp.filter icmp.filter ip.filter Snort rules • SYN/FIN scan – alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS198/SYN FIN Scan"; flags: SF;) • DNS zone transfer – alert TCP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS212/dns-zone-transfer"; content: "|01 00 00 01 00 00 00 00 00 00|"; flags: AP; offset: "2"; depth: "16";) Snort responses • logging • resetting Auditing The Network • Scan your network - web based • http://www.webtrends.net/tools/security/scan.asp • https://grc.com/x/ne.dll?bh0bkyd2 • More thorough • • • • • Nessus - runs on unix - free, Windows client Satan/Saint/Sara - runs on unix - free Cisco NetSonar - runs on NT Cybercop (Balista) - http://www.nai.com nmap - unix, command-line, very flexible Resources • Port numbers – http://www.snort.org (port search link) – http://dev.whitehats.com/ids/ids.html – http://www.isi.edu/innotes/iana/assignments/port-numbers Resources • Security Sites – – – – – http://www.sans.org http://www.cert.org/advisories/ http://www.cerias.purdue.edu/coast/ http://www.nipc.gov/ http://dev.whitehats.com/
