Table of Contents 3 - IDS types 8 - Ethernet Frame 9 - IP frame 10 - TCP frame 11 - UDP frame 12 - ICMP Frame way handshake 15 - TCP flags 16 - ICMP types 17 - Shadow IDS 23 - Snort IDS 25 - Auditing 26 - Resources

Author Jerry Shenk D&E Communications

IDS Types Host Based –Log files –Programs Network based –Monitor traffic –Sensor/Analyzer

Network IDS types Signature based –Looks for specific bad packet signatures Anomoly based –Normal traffic is defined. Other traffic is reported

Network IDS responses Pager/ –“real-time” vs. false alarms Blocking –proactive vs. DOS prone Resetting Periodic wrapup –Analyst may not check status

Network IDS - Commercial Cisco Secure IDS (NetRanger) ISS RealSecure Axent Intruder Alert (Raptor) NWS Dragon CheckPoint Cyber Attack Defense System

Network IDS - free Shadow - Anomoly based –Based on tcpdump –filters are fully configurable although hard to follow –traffic is captured and processed hourly - perl Snort - Signature based –filters are fully configurable and require detailed info but easier than tcpdump

Ethernet Encapsulation Frame Header IP Datagram Header ICMP/UDP/TCP Header Frame Data Area IP Data Protocol Data Interface Layer Internet Layer Transport Layer

IP Packets versionhdr lnth type of service total length of datagram identification numberfragment offset time-to-live (ttl)protocolheader checksum source IP address (4 bytes) destination IP address (4 bytes) options field (variable length, max length 40 bytes) data 20 bytes RDFMF

TCP Packets source port numberdestination port number sequence number acknowledgement number hdr lgthreserved U A P R S F window size TCP checksumurgent pointer options field (variable length, max length 40 bytes) data 20 bytes

UDP Packets source port number destination port number UDP datagram length UDP checksum optional data

ICMP packets typecodechecksum contents depend on type and code (echo has sender and sequence info)

3-way Handshake & Termination client (port = 4247/tcp) server (port = 23/tcp) SYN SYN - ACK ACK [session proceeds] [ACK set for each packet in the of session] ACK FIN ACK ACK Either the client or the server may initiate the closing sequence

3-way Handshake & Termination S = SYN flag is set F = FIN flag is set. = none of the SFRP flags are set (ack and urg are displayed differently) (x) = x data bytes in the packet win = advertised window size mss = max segment size announcement DF = don’t fragment flag is set Establishment client.4247 > server.23: S : (0) win 512 server.23 > client.4247: S : (0) ack win (DF) client.4247 > server.23:. ack win (DF) Termination client.4247 > server.23: F : (0) ack win server.23 > client.4247:. ack win (DF) server.23 > client.4247: F : (0) ack win (DF) client.4247 > server.23:. ack win (DF)

TCP Flags FIN : sender is finished sending data -- initiate a half close SYN : synchronize the sequence numbers to establish a connection RST : reset (abort) the connection PSH : tells receiver not to buffer the data before passing it to the application (interactive applications use this) ACK : acknowledgement number is valid URG : urgent pointer is valid (often results from an interrupt)

ICMP Types msg#description 0echo reply 3destination unreachable 4 source quench 5redirect 8 echo request 9router advertisement 10router solicitation 11time exceeded msg#description 12parameter problem 13 timestamp request 14 timestamp reply 15information request 16 information reply 17address mask request 18address mask reply

Shadow initial screen

Shadow sample hourly screen

Shadow Search

Shadow Search 2

Shadow tcpdump sensor filter (ip and not ( (igrp or dst port 520 or port 524 or port 1677 or port 1494) or (net mask and ((icmp[0]=8) or (icmp[0]=0))) ) )

Shadow tcpdump analyzer filters Analyzer filters - broken into sections to make them easier to read and avoid a size limitation. Use the same syntax as the sensor filter but are much larger. –tcp.filter –udp.filter –icmp.filter –ip.filter

Snort rules SYN/FIN scan –alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS198/SYN FIN Scan"; flags: SF;) DNS zone transfer –alert TCP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS212/dns-zone-transfer"; content: "| |"; flags: AP; offset: "2"; depth: "16";)

Snort responses logging resetting

Auditing The Network Scan your network - web based More thorough Nessus - runs on unix - free, Windows client Satan/Saint/Sara - runs on unix - free Cisco NetSonar - runs on NT Cybercop (Balista) - nmap - unix, command-line, very flexible

Resources Port numbers – (port search link) – – notes/iana/assignments/port-numbers

Resources Security Sites – – – – –