Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Reading Log Files. 2 Segment Format

Similar presentations


Presentation on theme: "1 Reading Log Files. 2 Segment Format"— Presentation transcript:

1 1 Reading Log Files

2 2 Segment Format http://www.networksorcery.com/enp/protocol/tcp.htm

3 3 Datagram Header Three key fields –Source IP address –Destination IP address –Type (contents)

4 TCP Flags TCP packets have one-bit flags Flags are used to specify the meaning of the packet. –SYN (Start of connection): S –ACK (Acknowledge): ack –FIN ("FINish" or French for “end”): F –RESET: R –PUSH: P –URGENT: urg

5 5 Connection Establishment Active participant (client) Passive participant (server) SYN, SequenceNum = x ACK, Acknowledgment =y+1 Acknowledgment =x+1 SYN+ACK, SequenceNum=y,

6 6 Sequence of Messages – TCP Flow Control

7 7 TCPDump

8 8 TCPdump – Absolute and Relative Sequence Numbers

9 9 TCPdump Trace 3-Way Handshake Data Transfer

10 10 TCPdump Trace Connection Termination

11 11 TCPdump Trace ACK Scan

12 12 Snort

13 13 Snort

14 14 Introduction to Practicals

15 15 Introduction to Practicals Network or system log trace of an event of interest on which the practical is based Source of the detect –e.g., snort Probability that the source address was spoofed Description of the attack Attack mechanism Correlations Evidence of active targeting Severity Defensive recommendation Multiple-choice question

16 16 Introduction to Practicals The traffic was logged because it violated the security policy The network or system trace –False positives –False negatives –False interpretations

17 17 One Trace Example P. 21 of the textbook

18 18 Probability the source address was spoofed Probably spoofed –DoS attacks: Smurf, ICMP broadcast, etc. Probably not spoofed –TCP packets are not spoofed if the three-way handshake is completed Combination of both aspects Despoof: checking TTL to determine whether a received packet is spoofed or not –http://packetstormsecurity.org/advisories/bindview/

19 19 Description of Attack Common Vulnerabilities and Exposures (CVE) –http://cve.mitre.orghttp://cve.mitre.org –One of the most important standards efforts for intrusion detection and information security in general –For example: TCP SYN flood, ADM buffer overflow against DNS, etc.

20 SYN Flood Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood. –CVE-1999-0116 –Keeping track of each half-open connection takes up resources

21 21 Attack Mechanism Is this a stimulus or response? –RFCs are the standards documents –Unfortunately, different implementations of TCP/IP react differently to deliberate violations of RFC standards What service is being targeted? Does the service have known vulnerabilities or exposures? Is this benign, an exploit, DoS, or reconnaissance?

22 22 Expected Stimulus-Response Destination Host Listens on Requested Port –Stimulus –Response

23 23 Expected Stimulus-Response Destination Host not listening on Requested Port –Stimulus –Response

24 24 Expected Stimulus-Response Destination Host Does not Exist –Stimulus –Response

25 25 Expected Stimulus-Response Destination Port Blocked –Stimulus –Response

26 26 Expected Stimulus-Response Destination Port Blocked, Router Does not Respond –Stimulus –Response

27 27 Protocol Benders FTP –Session Negotiations –Dir command issued by the user

28 28 Abnormal Stimuli Evasion stimulus, Lack of Response

29 29 Abnormal Stimuli No Stimulus, All Response –Suppose no out bound traffic


Download ppt "1 Reading Log Files. 2 Segment Format"

Similar presentations


Ads by Google