Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Reading Log Files. 2 Segment Format

Published byWaylon Buckles Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Reading Log Files. 2 Segment Format"— Presentation transcript:

1 1 Reading Log Files

2 2 Segment Format http://www.networksorcery.com/enp/protocol/tcp.htm

3 3 Datagram Header Three key fields –Source IP address –Destination IP address –Type (contents)

4 TCP Flags TCP packets have one-bit flags Flags are used to specify the meaning of the packet. –SYN (Start of connection): S –ACK (Acknowledge): ack –FIN ("FINish" or French for “end”): F –RESET: R –PUSH: P –URGENT: urg

5 5 Connection Establishment Active participant (client) Passive participant (server) SYN, SequenceNum = x ACK, Acknowledgment =y+1 Acknowledgment =x+1 SYN+ACK, SequenceNum=y,

6 6 Sequence of Messages – TCP Flow Control

7 7 TCPDump

8 8 TCPdump – Absolute and Relative Sequence Numbers

9 9 TCPdump Trace 3-Way Handshake Data Transfer

10 10 TCPdump Trace Connection Termination

11 11 TCPdump Trace ACK Scan

12 12 Snort

13 13 Snort

14 14 Introduction to Practicals

15 15 Introduction to Practicals Network or system log trace of an event of interest on which the practical is based Source of the detect –e.g., snort Probability that the source address was spoofed Description of the attack Attack mechanism Correlations Evidence of active targeting Severity Defensive recommendation Multiple-choice question

16 16 Introduction to Practicals The traffic was logged because it violated the security policy The network or system trace –False positives –False negatives –False interpretations

17 17 One Trace Example P. 21 of the textbook

18 18 Probability the source address was spoofed Probably spoofed –DoS attacks: Smurf, ICMP broadcast, etc. Probably not spoofed –TCP packets are not spoofed if the three-way handshake is completed Combination of both aspects Despoof: checking TTL to determine whether a received packet is spoofed or not –http://packetstormsecurity.org/advisories/bindview/

19 19 Description of Attack Common Vulnerabilities and Exposures (CVE) –http://cve.mitre.orghttp://cve.mitre.org –One of the most important standards efforts for intrusion detection and information security in general –For example: TCP SYN flood, ADM buffer overflow against DNS, etc.

20 SYN Flood Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood. –CVE-1999-0116 –Keeping track of each half-open connection takes up resources

21 21 Attack Mechanism Is this a stimulus or response? –RFCs are the standards documents –Unfortunately, different implementations of TCP/IP react differently to deliberate violations of RFC standards What service is being targeted? Does the service have known vulnerabilities or exposures? Is this benign, an exploit, DoS, or reconnaissance?

22 22 Expected Stimulus-Response Destination Host Listens on Requested Port –Stimulus –Response

23 23 Expected Stimulus-Response Destination Host not listening on Requested Port –Stimulus –Response

24 24 Expected Stimulus-Response Destination Host Does not Exist –Stimulus –Response

25 25 Expected Stimulus-Response Destination Port Blocked –Stimulus –Response

26 26 Expected Stimulus-Response Destination Port Blocked, Router Does not Respond –Stimulus –Response

27 27 Protocol Benders FTP –Session Negotiations –Dir command issued by the user

28 28 Abnormal Stimuli Evasion stimulus, Lack of Response

29 29 Abnormal Stimuli No Stimulus, All Response –Suppose no out bound traffic

Download ppt "1 Reading Log Files. 2 Segment Format"

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
CISCO NETWORKING ACADEMY Chabot College ELEC 99.05 Transport Layer (4)

CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
Computer Security and Penetration Testing

Computer Security and Penetration Testing
TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
CCNA – Network Fundamentals

CCNA – Network Fundamentals
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
Transmission Control Protocol (TCP)

Transmission Control Protocol (TCP)
Intermediate TCP/IP TCP Operation.

Intermediate TCP/IP TCP Operation.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Lecture 7 Transport Layer

Lecture 7 Transport Layer
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Fundamentals of Computer Networks ECE 478/578 Lecture #20: Transmission Control Protocol Instructor: Loukas Lazos Dept of Electrical and Computer Engineering.

Fundamentals of Computer Networks ECE 478/578 Lecture #20: Transmission Control Protocol Instructor: Loukas Lazos Dept of Electrical and Computer Engineering.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.

1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.
CS3505 The Internet and Info Hiway transport layer protocols : TCP/UDP.

CS3505 The Internet and Info Hiway transport layer protocols : TCP/UDP.
Chapter 7 – Transport Layer Protocols

Chapter 7 – Transport Layer Protocols
TRANSPORT LAYER  Session multiplexing  Segmentation  Flow control (TCP)  Connection-oriented (TCP)  Reliability (TCP)

TRANSPORT LAYER  Session multiplexing  Segmentation  Flow control (TCP)  Connection-oriented (TCP)  Reliability (TCP)
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Outline Definition Point-to-point network denial of service

Outline Definition Point-to-point network denial of service

Similar presentations

Ads by Google