1 Reading Log Files
2 Segment Format http://www.networksorcery.com/enp/protocol/tcp.htm
3 IP Datagram Header Three key fields when reading a trace: –Source IP address –Destination IP address –Protocol (what the payload is: TCP, UDP, ICMP, ...)
4 TCP Flags TCP segments carry one-bit flags; the combination that is set tells you what the segment means. In the classic tcpdump notation used in the traces that follow: –SYN (start of connection): S –ACK (acknowledge): printed as ack N; a segment with only ACK set prints its flag field as . –FIN ("finish"; fin is also French for "end"): F –RST (reset): R –PSH (push): P –URG (urgent): urg N
5 Connection Establishment (three-way handshake) Active participant (client) to passive participant (server): SYN, SequenceNum = x Server to client: SYN+ACK, SequenceNum = y, Acknowledgment = x+1 Client to server: ACK, Acknowledgment = y+1
6 Sequence of Messages – TCP Flow Control
7 TCPDump
8 TCPdump – Absolute and Relative Sequence Numbers
9 TCPdump Trace 3-Way Handshake Data Transfer
10 TCPdump Trace Connection Termination
11 TCPdump Trace ACK Scan
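The handshake, data transfer, termination and ACK scan traces on slides 8 to 11, read by a small parser. This is an added example and is not part of the original presentation; the trace is constructed in the classic tcpdump output format with absolute sequence numbers (as tcpdump -S prints them), and every host, port and number in it is made up. The code converts absolute sequence numbers to the relative ones tcpdump prints without -S, rebuilds connection state per flow, and reports a source whose flows start with a bare ACK and end in a RST across several ports, which is the ACK scan pattern.

```python
"""Parse classic tcpdump output, rebuild per-connection state, and flag ACK scans."""
import re
from collections import defaultdict

# Constructed sample trace (absolute sequence numbers, as from tcpdump -S).
# Hosts, ports, times and numbers are invented for the example.
SAMPLE_TRACE = """\
10:05:01.000100 10.0.0.5.1173 > 10.0.0.9.21: S 62697789:62697789(0) win 512
10:05:01.000200 10.0.0.9.21 > 10.0.0.5.1173: S 1128225224:1128225224(0) ack 62697790 win 32768
10:05:01.000300 10.0.0.5.1173 > 10.0.0.9.21: . ack 1128225225 win 512
10:05:01.100000 10.0.0.5.1173 > 10.0.0.9.21: P 62697790:62697800(10) ack 1128225225 win 512
10:05:01.100100 10.0.0.9.21 > 10.0.0.5.1173: . ack 62697800 win 32768
10:05:02.000000 10.0.0.5.1173 > 10.0.0.9.21: F 62697800:62697800(0) ack 1128225225 win 512
10:05:02.000100 10.0.0.9.21 > 10.0.0.5.1173: . ack 62697801 win 32768
10:05:02.000200 10.0.0.9.21 > 10.0.0.5.1173: F 1128225225:1128225225(0) ack 62697801 win 32768
10:05:02.000300 10.0.0.5.1173 > 10.0.0.9.21: . ack 1128225226 win 512
10:06:10.000000 192.168.1.77.40000 > 10.0.0.9.21: . ack 1 win 1024
10:06:10.000050 10.0.0.9.21 > 192.168.1.77.40000: R 1:1(0) win 0
10:06:10.000100 192.168.1.77.40001 > 10.0.0.9.22: . ack 1 win 1024
10:06:10.000150 10.0.0.9.22 > 192.168.1.77.40001: R 1:1(0) win 0
10:06:10.000200 192.168.1.77.40002 > 10.0.0.9.80: . ack 1 win 1024
10:06:10.000250 10.0.0.9.80 > 192.168.1.77.40002: R 1:1(0) win 0
"""

# time src.port > dst.port: flags [seq:end(len)] [ack N] ...
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)


def parse_line(line):
    """Return one packet as a dict, or None for lines in a format we do not handle."""
    m = LINE.match(line)
    if not m:
        return None
    p = m.groupdict()
    for k in ("sport", "dport", "seq", "end", "len", "ack"):
        p[k] = int(p[k]) if p[k] is not None else None
    return p


def to_relative(p, isn):
    """Rewrite absolute seq/ack numbers relative to each side's ISN (tcpdump without -S).
    The ack number counts the other side's bytes, so it is taken against the peer's ISN."""
    q = dict(p)
    if p["seq"] is not None and p["src"] in isn:
        q["seq"], q["end"] = p["seq"] - isn[p["src"]], p["end"] - isn[p["src"]]
    if p["ack"] is not None and p["dst"] in isn:
        q["ack"] = p["ack"] - isn[p["dst"]]
    return q


def flow_key(p):
    """Direction-independent key so both halves of a connection land in one flow."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (a, b) if a <= b else (b, a)


def analyze(trace):
    """Rebuild connection state per flow and look for ACK scans."""
    flows = {}
    for line in trace.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        f = flows.setdefault(flow_key(p), {
            "isn": {}, "syn": False, "synack": False, "established": False,
            "data": 0, "fins": 0, "rst": False, "first_flags": p["flags"], "packets": [],
        })
        fl = p["flags"]
        if "S" in fl and p["seq"] is not None:
            f["isn"][p["src"]] = p["seq"]          # each side announces its ISN in its SYN
            f["synack" if p["ack"] is not None else "syn"] = True
        elif fl == "." and f["syn"] and f["synack"] and not f["established"]:
            f["established"] = True                # third packet of the handshake
        if p["len"]:
            f["data"] += p["len"]
        if "F" in fl:
            f["fins"] += 1
        if "R" in fl:
            f["rst"] = True
        f["packets"].append(to_relative(p, f["isn"]))

    # A flow that begins with a bare ACK, never carried a SYN and ended in a RST is
    # one probe of an ACK scan; several such ports from one source make the scan.
    ack_scan_ports = defaultdict(set)
    for f in flows.values():
        if f["first_flags"] == "." and not f["syn"] and f["rst"]:
            first = f["packets"][0]
            ack_scan_ports[(first["src"], first["dst"])].add(first["dport"])
    summary = {
        key: {"established": f["established"], "data": f["data"],
              "closed": f["fins"] == 2, "rst": f["rst"]}
        for key, f in flows.items()
    }
    scans = {k: sorted(v) for k, v in ack_scan_ports.items() if len(v) >= 3}
    return summary, scans


if __name__ == "__main__":
    summary, scans = analyze(SAMPLE_TRACE)
    for key, s in summary.items():
        print(key, s)
    print("ACK scans:", scans)
```

The handshake is only counted as complete when a bare ACK follows both a SYN and a SYN/ACK in the same flow; a bare ACK with no SYN before it is exactly what the scanner sends, and the RST it draws from an unfiltered port is the reply the ACK scan slide shows.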
12 Snort
13 Snort
14 Introduction to Practicals
15 Introduction to Practicals A practical is built around a network or system log trace of an event of interest, and reports: –Source of the detect (e.g., Snort) –Probability that the source address was spoofed –Description of the attack –Attack mechanism –Correlations –Evidence of active targeting –Severity –Defensive recommendation –Multiple-choice question
16 Introduction to Practicals The traffic was logged because it violated the security policy. When reading the network or system trace, watch for: –False positives –False negatives –False interpretations
17 One Trace Example P. 21 of the textbook
18 Probability the Source Address Was Spoofed Probably spoofed –DoS attacks that need no reply: Smurf, ICMP to a broadcast address, etc. Probably not spoofed –TCP packets are not spoofed if the three-way handshake was completed: the sender had to see the SYN/ACK, so it holds that address or sits on the path to it Combination of both aspects –A single attack can mix spoofed and real sources Despoof: compares the TTL of the suspect packet with the TTL of replies to probes sent to the claimed source; a different hop count suggests the packet came from somewhere else –http://packetstormsecurity.org/advisories/bindview/
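The three rules on this slide as a small checker, with a Despoof-style TTL comparison. This is an added example, not code from the presentation or from the Despoof tool; it assumes, as Despoof-style tools do, that the real sender started from one of a few common initial TTLs (32, 64, 128, 255), and the probe-reply TTLs in the sample events are constructed values, not measurements.

```python
"""Was the source address spoofed? The slide's rules plus a Despoof-style TTL check."""

# Initial TTL values used by common operating systems. Assumption shared with
# Despoof-style tools: the real sender started from one of these.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_and_hops(observed_ttl):
    """Smallest common initial TTL not below the observed value, and the hops it implies.
    This is ambiguous by design (50 could be 64-14 or 128-78); the smallest is the usual guess."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("a TTL above 255 is impossible")


def ttl_mismatch(suspect_ttl, probe_reply_ttl, slack=2):
    """Despoof idea: probe the claimed source ourselves and compare. A different
    initial TTL, or a hop count off by more than `slack`, means the suspect packet
    probably did not come from that host. Assumes a roughly symmetric path."""
    s_init, s_hops = infer_initial_and_hops(suspect_ttl)
    p_init, p_hops = infer_initial_and_hops(probe_reply_ttl)
    return s_init != p_init or abs(s_hops - p_hops) > slack


def assess_spoofing(event):
    """event: dict with proto ('tcp'/'udp'/'icmp'), and optionally handshake_completed,
    broadcast_dst, suspect_ttl and probe_reply_ttl. Returns (verdict, reasons)."""
    reasons = []
    if event["proto"] == "tcp" and event.get("handshake_completed"):
        reasons.append("three-way handshake completed: the sender saw our SYN/ACK")
        return "probably not spoofed", reasons
    if event["proto"] == "icmp" and event.get("broadcast_dst"):
        reasons.append("ICMP to a broadcast address (Smurf-style): no reply is needed")
        return "probably spoofed", reasons
    st, pt = event.get("suspect_ttl"), event.get("probe_reply_ttl")
    if st is not None and pt is not None:
        if ttl_mismatch(st, pt):
            reasons.append(f"TTL {st} vs probe reply TTL {pt}: different origin")
            return "probably spoofed", reasons
        reasons.append(f"TTL {st} is consistent with probe reply TTL {pt}")
        return "probably not spoofed", reasons
    return "undetermined", reasons


# Constructed events; the TTL values are invented, not real measurements.
EVENTS = {
    "syn_from_elsewhere": {"proto": "tcp", "handshake_completed": False,
                           "suspect_ttl": 113, "probe_reply_ttl": 52},
    "real_connection": {"proto": "tcp", "handshake_completed": True},
    "smurf": {"proto": "icmp", "broadcast_dst": True},
    "consistent_syn": {"proto": "tcp", "handshake_completed": False,
                       "suspect_ttl": 52, "probe_reply_ttl": 51},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(name, assess_spoofing(ev))
```

The first event is the interesting one: the suspect SYN arrived with TTL 113 (a 128 start, 15 hops away) while the claimed source answers our probe with TTL 52 (a 64 start, 12 hops away), so the two packets were not produced by the same host. The check is a heuristic: an attacker who picks the victim's initial TTL and sits a similar distance away will pass it.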
19 Description of Attack Common Vulnerabilities and Exposures (CVE) –http://cve.mitre.org –One of the most important standards efforts for intrusion detection and information security in general: one common name per known vulnerability or exposure, so a detect can be tied to a specific entry –For example: TCP SYN flood, ADM buffer overflow against DNS, etc.
20 SYN Flood Denial of service: the attacker sends many SYN packets to open connections and never sends the ACK that would complete them. –CVE-1999-0116 –The server must keep state for each half-open connection, and that backlog is finite; once it fills, legitimate SYNs are dropped –The source addresses are usually spoofed, which is why the completing ACK never arrives
21 Attack Mechanism Is this a stimulus or a response? –RFCs are the standards documents –Unfortunately, different TCP/IP implementations react differently to deliberate violations of the RFCs What service is being targeted? Does the service have known vulnerabilities or exposures? Is this benign, an exploit, a DoS, or reconnaissance?
22 Expected Stimulus-Response: Destination Host Listens on Requested Port –Stimulus: SYN to the port –Response: SYN/ACK from the host
23 Expected Stimulus-Response: Destination Host Not Listening on Requested Port –Stimulus: SYN to the port –Response: RST from the host
24 Expected Stimulus-Response: Destination Host Does Not Exist –Stimulus: SYN to the port –Response: ICMP host unreachable from the last router on the path, or no response at all
25 Expected Stimulus-Response: Destination Port Blocked –Stimulus: SYN to the port –Response: ICMP destination unreachable (administratively prohibited) from the filtering router
26 Expected Stimulus-Response: Destination Port Blocked, Router Does Not Respond –Stimulus: SYN to the port –Response: nothing; the packet is silently dropped
27 Protocol Benders FTP uses more than one connection, so its trace does not look like a single stimulus-response pair: –Session negotiation happens on the control connection (port 21) –A dir command issued by the user opens a separate data connection (in active mode the server connects back to the client), so the "response" can show up as a new connection
28 Abnormal Stimuli Evasion stimulus, lack of response –A stimulus crafted to slip past the sensor or confuse the target's stack (for example an RFC-violating flag combination) that draws no reply at all
29 Abnormal Stimuli No stimulus, all response –Suppose there is no outbound traffic: inbound replies, such as SYN/ACKs for connections nobody on the inside opened, mean someone else is sending packets with our address as the spoofed source
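The expected stimulus-response cases from slides 22 to 26, the half-open connections of the SYN flood slide, and the two abnormal cases above, checked over a packet list. This is an added example and is not code from the presentation; the packet list is constructed inline (addresses, ports and flag combinations are invented), packets are given as plain dicts rather than parsed from tcpdump output, and the "our network" prefix, the flag letters and the flood threshold of three half-open connections are assumptions of the example.

```python
"""Stimulus and response over a packet list: what a SYN should get back, and the
abnormal cases (half-open SYN floods, stimuli with no reply, replies with no stimulus)."""
from collections import Counter, defaultdict

# Expected reply to a SYN, for the five destination states on the slides.
EXPECTED = {
    "listening": "SYN/ACK from the host",
    "not_listening": "RST from the host",
    "no_such_host": "ICMP host unreachable from the last router, or nothing",
    "port_blocked": "ICMP administratively prohibited from the filtering router",
    "port_blocked_silent": "nothing",
}

# Flag strings use one letter per flag: S, A, F, R, P, U (so "SA" is SYN/ACK).
ABNORMAL_FLAGS = {"SF", "", "FPU", "SFRPAU"}   # SYN/FIN, null, Xmas, everything set


def expected_response(host_state):
    return EXPECTED[host_state]


def pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


def is_ours(ip, our_prefix):
    return ip.startswith(our_prefix)


def peer_key(p):
    """Key an outbound packet as (peer_ip, peer_port, our_ip, our_port)."""
    return (p["dst"], p["dport"], p["src"], p["sport"])


def audit(packets, our_prefix, flood_threshold=3):
    """Match each inbound stimulus against what our side actually sent back."""
    outbound = [p for p in packets
                if is_ours(p["src"], our_prefix) and not is_ours(p["dst"], our_prefix)]
    inbound = [p for p in packets
               if is_ours(p["dst"], our_prefix) and not is_ours(p["src"], our_prefix)]
    replied = {peer_key(p) for p in outbound}
    synack_sent = {peer_key(p) for p in outbound if p["flags"] == "SA"}
    syn_sent = {peer_key(p) for p in outbound if p["flags"] == "S"}

    state, findings = {}, defaultdict(list)
    for p in inbound:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        fl = p["flags"]
        if fl == "S":
            # We answered with SYN/ACK; until the peer's ACK arrives this is half-open.
            state[key] = "half-open" if key in synack_sent else "syn-only"
        elif fl == "A" and state.get(key) == "half-open":
            state[key] = "established"
        elif fl == "SA" and key not in syn_sent:
            # No stimulus, all response: someone is spoofing our address elsewhere.
            findings["response_without_stimulus"].append(key)
        elif fl in ABNORMAL_FLAGS and key not in replied:
            # Evasion stimulus, lack of response.
            findings["evasion_stimulus_no_response"].append(key)

    # Many half-open connections to one host is the SYN flood footprint.
    half_open = Counter(k[2] for k, s in state.items() if s == "half-open")
    for target, n in half_open.items():
        if n >= flood_threshold:
            findings["possible_syn_flood"].append((target, n))
    findings["established"] = [k for k, s in state.items() if s == "established"]
    return dict(findings)


# Constructed sample; 10.0.0.0/24 plays the monitored network.
SAMPLE = [
    # 1) Legitimate connection: full three-way handshake.
    pkt("198.51.100.4", 3001, "10.0.0.9", 80, "S"),
    pkt("10.0.0.9", 80, "198.51.100.4", 3001, "SA"),
    pkt("198.51.100.4", 3001, "10.0.0.9", 80, "A"),
    # 2) Three SYNs that are answered but never completed: half-open connections.
    pkt("203.0.113.7", 4001, "10.0.0.9", 80, "S"),
    pkt("10.0.0.9", 80, "203.0.113.7", 4001, "SA"),
    pkt("203.0.113.7", 4002, "10.0.0.9", 80, "S"),
    pkt("10.0.0.9", 80, "203.0.113.7", 4002, "SA"),
    pkt("203.0.113.7", 4003, "10.0.0.9", 80, "S"),
    pkt("10.0.0.9", 80, "203.0.113.7", 4003, "SA"),
    # 3) SYN/FIN, an RFC-violating combination, to port 22; it drew no reply.
    pkt("198.51.100.4", 3002, "10.0.0.9", 22, "SF"),
    # 4) A SYN/ACK for a connection nobody inside opened: response without stimulus.
    pkt("192.0.2.30", 80, "10.0.0.9", 5555, "SA"),
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE, "10.0.0.").items():
        print(name, hits)
```

A flow only counts as established when the inbound ACK follows a SYN/ACK we actually sent, so a bare ACK with no SYN before it (an ACK scan probe) is neither established nor half-open, and the half-open count is taken per target host, since that is where the backlog fills.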