Presentation is loading. Please wait.

Presentation is loading. Please wait.

Table of Contents 3 - IDS types 8 - Ethernet Frame 9 - IP frame 10 - TCP frame 11 - UDP frame 12 - ICMP Frame 13 - 3-way handshake 15 - TCP flags 16 -

Similar presentations


Presentation on theme: "Table of Contents 3 - IDS types 8 - Ethernet Frame 9 - IP frame 10 - TCP frame 11 - UDP frame 12 - ICMP Frame 13 - 3-way handshake 15 - TCP flags 16 -"— Presentation transcript:

1 Table of Contents 3 - IDS types 8 - Ethernet Frame 9 - IP frame 10 - TCP frame 11 - UDP frame 12 - ICMP Frame way handshake 15 - TCP flags 16 - ICMP types 17 - Shadow IDS 23 - Snort IDS 25 - Auditing 26 - Resources

2 Author Jerry Shenk D&E Communications

3 IDS Types Host Based –Log files –Programs Network based –Monitor traffic –Sensor/Analyzer

4 Network IDS types Signature based –Looks for specific bad packet signatures Anomoly based –Normal traffic is defined. Other traffic is reported

5 Network IDS responses Pager/ –“real-time” vs. false alarms Blocking –proactive vs. DOS prone Resetting Periodic wrapup –Analyst may not check status

6 Network IDS - Commercial Cisco Secure IDS (NetRanger) ISS RealSecure Axent Intruder Alert (Raptor) NWS Dragon CheckPoint Cyber Attack Defense System

7 Network IDS - free Shadow - Anomoly based –Based on tcpdump –filters are fully configurable although hard to follow –traffic is captured and processed hourly - perl Snort - Signature based –filters are fully configurable and require detailed info but easier than tcpdump

8 Ethernet Encapsulation Frame Header IP Datagram Header ICMP/UDP/TCP Header Frame Data Area IP Data Protocol Data Interface Layer Internet Layer Transport Layer

9 IP Packets versionhdr lnth type of service total length of datagram identification numberfragment offset time-to-live (ttl)protocolheader checksum source IP address (4 bytes) destination IP address (4 bytes) options field (variable length, max length 40 bytes) data 20 bytes RDFMF

10 TCP Packets source port numberdestination port number sequence number acknowledgement number hdr lgthreserved U A P R S F window size TCP checksumurgent pointer options field (variable length, max length 40 bytes) data 20 bytes

11 UDP Packets source port number destination port number UDP datagram length UDP checksum optional data

12 ICMP packets typecodechecksum contents depend on type and code (echo has sender and sequence info)

13 3-way Handshake & Termination client (port = 4247/tcp) server (port = 23/tcp) SYN SYN - ACK ACK [session proceeds] [ACK set for each packet in the of session] ACK FIN ACK ACK Either the client or the server may initiate the closing sequence

14 3-way Handshake & Termination S = SYN flag is set F = FIN flag is set. = none of the SFRP flags are set (ack and urg are displayed differently) (x) = x data bytes in the packet win = advertised window size mss = max segment size announcement DF = don’t fragment flag is set Establishment client.4247 > server.23: S : (0) win 512 server.23 > client.4247: S : (0) ack win (DF) client.4247 > server.23:. ack win (DF) Termination client.4247 > server.23: F : (0) ack win server.23 > client.4247:. ack win (DF) server.23 > client.4247: F : (0) ack win (DF) client.4247 > server.23:. ack win (DF)

15 TCP Flags FIN : sender is finished sending data -- initiate a half close SYN : synchronize the sequence numbers to establish a connection RST : reset (abort) the connection PSH : tells receiver not to buffer the data before passing it to the application (interactive applications use this) ACK : acknowledgement number is valid URG : urgent pointer is valid (often results from an interrupt)

16 ICMP Types msg#description 0echo reply 3destination unreachable 4 source quench 5redirect 8 echo request 9router advertisement 10router solicitation 11time exceeded msg#description 12parameter problem 13 timestamp request 14 timestamp reply 15information request 16 information reply 17address mask request 18address mask reply

17 Shadow initial screen

18 Shadow sample hourly screen

19 Shadow Search

20 Shadow Search 2

21 Shadow tcpdump sensor filter (ip and not ( (igrp or dst port 520 or port 524 or port 1677 or port 1494) or (net mask and ((icmp[0]=8) or (icmp[0]=0))) ) )

22 Shadow tcpdump analyzer filters Analyzer filters - broken into sections to make them easier to read and avoid a size limitation. Use the same syntax as the sensor filter but are much larger. –tcp.filter –udp.filter –icmp.filter –ip.filter

23 Snort rules SYN/FIN scan –alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS198/SYN FIN Scan"; flags: SF;) DNS zone transfer –alert TCP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS212/dns-zone-transfer"; content: "| |"; flags: AP; offset: "2"; depth: "16";)

24 Snort responses logging resetting

25 Auditing The Network Scan your network - web based https://grc.com/x/ne.dll?bh0bkyd2 More thorough Nessus - runs on unix - free, Windows client Satan/Saint/Sara - runs on unix - free Cisco NetSonar - runs on NT Cybercop (Balista) - nmap - unix, command-line, very flexible

26 Resources Port numbers –http://www.snort.org (port search link) –http://dev.whitehats.com/ids/ids.html –http://www.isi.edu/in- notes/iana/assignments/port-numbers

27 Resources Security Sites –http://www.sans.org –http://www.cert.org/advisories/ –http://www.cerias.purdue.edu/coast/ –http://www.nipc.gov/ –http://dev.whitehats.com/


Download ppt "Table of Contents 3 - IDS types 8 - Ethernet Frame 9 - IP frame 10 - TCP frame 11 - UDP frame 12 - ICMP Frame 13 - 3-way handshake 15 - TCP flags 16 -"

Similar presentations


Ads by Google