
1 Table of Contents
3 - IDS types
8 - Ethernet Frame
9 - IP frame
10 - TCP frame
11 - UDP frame
12 - ICMP Frame
13 - 3-way handshake
15 - TCP flags
16 - ICMP types
17 - Shadow IDS
23 - Snort IDS
25 - Auditing
26 - Resources

2 Author Jerry Shenk D&E Communications

3 IDS Types
Host based
  – Log files
  – Programs
Network based
  – Monitor traffic
  – Sensor/Analyzer

4 Network IDS types
Signature based
  – Looks for specific bad packet signatures
Anomaly based
  – Normal traffic is defined. Other traffic is reported

5 Network IDS responses
Pager/E-mail
  – “real-time” vs. false alarms
Blocking
  – proactive vs. DOS prone
Resetting
Periodic wrapup
  – Analyst may not check status

6 Network IDS - Commercial
Cisco Secure IDS (NetRanger)
ISS RealSecure
Axent Intruder Alert (Raptor)
NWS Dragon
CheckPoint Cyber Attack Defense System

7 Network IDS - free
Shadow - Anomaly based
  – Based on tcpdump
  – filters are fully configurable although hard to follow
  – traffic is captured and processed hourly - perl
Snort - Signature based
  – filters are fully configurable and require detailed info but easier than tcpdump

8 Ethernet Encapsulation
Interface Layer: Frame Header | Frame Data Area
Internet Layer: IP Datagram Header | IP Data
Transport Layer: ICMP/UDP/TCP Header | Protocol Data

9 IP Packets
Bit positions: 0, 16, 31
version | hdr lnth | type of service | total length of datagram
identification number | R DF MF | fragment offset
time-to-live (ttl) | protocol | header checksum
source IP address (4 bytes)
destination IP address (4 bytes)
(the rows above: 20 bytes)
options field (variable length, max length 40 bytes)
data

10 TCP Packets
Bit positions: 0, 16, 31
source port number | destination port number
sequence number
acknowledgement number
hdr lgth | reserved | U A P R S F | window size
TCP checksum | urgent pointer
(the rows above: 20 bytes)
options field (variable length, max length 40 bytes)
data

11 UDP Packets
Bit positions: 0, 16, 31
source port number | destination port number
UDP datagram length | UDP checksum
optional data

12 ICMP packets
Bit positions: 0, 8, 16, 31
type | code | checksum
contents depend on type and code (echo has sender and sequence info)

13 3-way Handshake & Termination
client (port = 4247/tcp), server (port = 23/tcp)
SYN, SYN - ACK, ACK
[session proceeds] [ACK set for each packet in the of session]
ACK FIN ACK ACK
Either the client or the server may initiate the closing sequence

14 3-way Handshake & Termination
S = SYN flag is set
F = FIN flag is set
. = none of the SFRP flags are set (ack and urg are displayed differently)
(x) = x data bytes in the packet
win = advertised window size
mss = max segment size announcement
DF = don’t fragment flag is set

Establishment
client.4247 > server.23: S 3073470005:3073470005(0) win 512
server.23 > client.4247: S 1932608000:1932608000(0) ack 3073470006 win 61320 (DF)
client.4247 > server.23: . ack 1932608001 win 32120 (DF)

Termination
client.4247 > server.23: F 3073470006:3073470006(0) ack 1932608001 win 32120
server.23 > client.4247: . ack 3073470007 win 61320 (DF)
server.23 > client.4247: F 1932608001:1932608001(0) ack 3073470007 win 61320 (DF)
client.4247 > server.23: . ack 1932608002 win 32120 (DF)
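Added example, not part of the original slides: a small checker that parses the establishment lines from slide 14 and confirms that each side acknowledges the other's initial sequence number plus one, since a SYN consumes one sequence number. The names `parse`, `check_handshake` and `SLIDE_TRACE` are this example's own.

```python
import re

# Old-style tcpdump line as printed on slide 14, e.g.
#   client.4247 > server.23: S 3073470005:3073470005(0) win 512
LINE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+):\s*(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)


def parse(line):
    """Split one trace line into endpoints, flags, seq range and ack number."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    d = m.groupdict()
    for key in ("seq", "end", "len", "ack"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def check_handshake(lines):
    """Return a list of problems found in a three-packet establishment trace."""
    syn, synack, ack = (parse(l) for l in lines)
    problems = []
    if syn["flags"] != "S" or syn["ack"] is not None:
        problems.append("first packet is not a bare SYN")
    # tcpdump prints a SYN-ACK as flag S followed by an "ack" field.
    if synack["flags"] != "S" or synack["ack"] != (syn["seq"] + 1) % 2**32:
        problems.append("SYN-ACK does not acknowledge client ISN + 1")
    if ack["flags"] != "." or ack["ack"] != (synack["seq"] + 1) % 2**32:
        problems.append("final ACK does not acknowledge server ISN + 1")
    if (synack["src"], synack["dst"]) != (syn["dst"], syn["src"]):
        problems.append("SYN-ACK endpoints do not mirror the SYN")
    return problems


# The three establishment lines exactly as shown on slide 14.
SLIDE_TRACE = [
    "client.4247 > server.23: S 3073470005:3073470005(0) win 512",
    "server.23 > client.4247: S 1932608000:1932608000(0) ack 3073470006 win 61320 (DF)",
    "client.4247 > server.23: . ack 1932608001 win 32120 (DF)",
]

if __name__ == "__main__":
    print(check_handshake(SLIDE_TRACE) or "handshake is consistent")
```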

15 TCP Flags
FIN : sender is finished sending data -- initiate a half close
SYN : synchronize the sequence numbers to establish a connection
RST : reset (abort) the connection
PSH : tells receiver not to buffer the data before passing it to the application (interactive applications use this)
ACK : acknowledgement number is valid
URG : urgent pointer is valid (often results from an interrupt)

16 ICMP Types
msg#  description
0     echo reply
3     destination unreachable
4     source quench
5     redirect
8     echo request
9     router advertisement
10    router solicitation
11    time exceeded
12    parameter problem
13    timestamp request
14    timestamp reply
15    information request
16    information reply
17    address mask request
18    address mask reply

17 Shadow initial screen

18 Shadow sample hourly screen

19 Shadow Search

20 Shadow Search 2

21 Shadow tcpdump sensor filter
(ip and not ( (igrp or dst port 520 or port 524 or port 1677 or port 1494) or (net 10.0.0.0 mask 255.0.0.0 and ((icmp[0]=8) or (icmp[0]=0))) ) )

22 Shadow tcpdump analyzer filters
Analyzer filters - broken into sections to make them easier to read and avoid a size limitation. Use the same syntax as the sensor filter but are much larger.
  – tcp.filter
  – udp.filter
  – icmp.filter
  – ip.filter

23 Snort rules
SYN/FIN scan
  – alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS198/SYN FIN Scan"; flags: SF;)
DNS zone transfer
  – alert TCP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS212/dns-zone-transfer"; content: "|01 00 00 01 00 00 00 00 00 00|"; flags: AP; offset: "2"; depth: "16";)
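Added example, not part of the original slides and not Snort's own code: a parser for the IP and TCP header layouts on slides 9 and 10 that applies the same test as the `flags: SF` rule above. Function names and the sample addresses are this example's own, and treating `flags: SF` as an exact match on the six flags from slide 15 is this example's reading of the rule.

```python
import socket
import struct

# The six flag bits from slide 15, as laid out in the TCP header on slide 10.
FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_ipv4_tcp(packet: bytes):
    """Return (src, dst, sport, dport, flag_string), or None if not IPv4/TCP."""
    if len(packet) < 20:
        return None
    ver_ihl, _tos, _length, _ident, frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4      # header length field counts 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6:
        return None
    if frag & 0x1FFF:               # later fragments carry no TCP header
        return None
    tcp = packet[ihl:]              # skips any IP options
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    bits = off_flags & 0x3F
    flags = "".join(name for name, bit in FLAGS.items() if bits & bit)
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, flags


def is_syn_fin(packet: bytes) -> bool:
    """True when exactly SYN and FIN are set, the combination the rule names."""
    parsed = parse_ipv4_tcp(packet)
    return parsed is not None and set(parsed[4]) == {"S", "F"}


def build_packet(flag_bits: int) -> bytes:
    """Constructed sample: minimal IPv4 + TCP packet, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.5"))
    tcp = struct.pack("!HHIIHHHH", 4247, 23, 3073470005, 0,
                      (5 << 12) | flag_bits, 512, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for bits in (0x02, 0x12, 0x03):     # SYN, SYN-ACK, SYN+FIN
        pkt = build_packet(bits)
        print(parse_ipv4_tcp(pkt), "ALERT" if is_syn_fin(pkt) else "ok")
```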

24 Snort responses
logging
resetting

25 Auditing The Network
Scan your network - web based
  – http://www.webtrends.net/tools/security/scan.asp
  – https://grc.com/x/ne.dll?bh0bkyd2
More thorough
  – Nessus - runs on unix - free, Windows client
  – Satan/Saint/Sara - runs on unix - free
  – Cisco NetSonar - runs on NT
  – Cybercop (Balista) - http://www.nai.com
  – nmap - unix, command-line, very flexible

26 Resources
Port numbers
  – http://www.snort.org (port search link)
  – http://dev.whitehats.com/ids/ids.html
  – http://www.isi.edu/in-notes/iana/assignments/port-numbers

27 Resources
Security Sites
  – http://www.sans.org
  – http://www.cert.org/advisories/
  – http://www.cerias.purdue.edu/coast/
  – http://www.nipc.gov/
  – http://dev.whitehats.com/

