1 CIS 193A – Lesson12 Monitoring Tools

2 Focus Question: What are the common ways of specifying network packets used in tcpdump, wireshark, and snort?

3 Packet Generators
  ping – tests network connectivity with ICMP echo request/reply
  hping – crafts and sends arbitrary TCP/IP packets to network hosts
  traceroute – probes the path to a host hop by hop
  telnet – connects to arbitrary TCP ports
  nc – establishes TCP and UDP connections, as client or listener
  sock – acts as an arbitrary client or server
  nmap – security port scanner

4 Packet Sniffers
  tcpdump – command-line tool for capturing packets
  wireshark – graphical sniffer and packet analyzer
  snort – packet sniffer, packet logger and network intrusion detection system

5 Packet Anatomy – ICMP Header
  (Bit positions run 0–31 across each 32-bit word. The KEY= labels on slides 5–8 are the field names the iptables LOG target writes to the kernel log; a field marked "requires" is only logged when that LOG option is set.)
  Bits 0–7: Type (TYPE=) | 8–15: Code (CODE=) | 16–31: Checksum
  Data, variable length; depends on Type and Code; some logged

6 Packet Anatomy – IP Header
  Bits 0–3: Version | 4–7: IHL (header length in 32-bit words) | 8–15: Type of Service (TOS=, PREC=) | 16–31: Total Length (LEN=)
  Bits 0–15: Identification (ID=) | 16–18: Flags (DF, MF) | 19–31: Fragment Offset (FRAG=)
  Bits 0–7: TTL (TTL=) | 8–15: Protocol (PROTO=) | 16–31: Header Checksum
  Source Address, 32 bits (SRC=)
  Destination Address, 32 bits (DST=)
  Options + Padding, variable length (OPT=; not decoded, requires --log-ip-options)

7 Packet Anatomy – TCP Header
  Bits 0–15: Source Port (SPT=) | 16–31: Destination Port (DPT=)
  Sequence Number, 32 bits (SEQ=; requires --log-tcp-sequence)
  Acknowledgment Number, 32 bits (ACK=; requires --log-tcp-sequence)
  Bits 0–3: Data Offset | 4–7: Reserved (RES=) | 8–9: ECN flags CWR, ECE | 10–15: URG, ACK, PSH, RST, SYN, FIN | 16–31: Window (WINDOW=)
  Bits 0–15: Checksum | 16–31: Urgent Pointer (URGP=)
  Options, variable length (OPT=; not decoded, requires --log-tcp-options)

8 Packet Anatomy – UDP Header
  Bits 0–15: Source Port (SPT=) | 16–31: Destination Port (DPT=)
  Bits 0–15: Length (LEN=) | 16–31: Checksum
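
The four header layouts above, decoded from raw bytes into the KEY= names the slides use. This is an added example, not code from the course or from any of the tools on the page. It parses an IPv4 header followed by TCP, UDP or ICMP, verifies the IP and ICMP checksums (a corrupted header fails the check), and runs on three packets the script constructs itself: a TCP SYN to port 22, a DNS query and an ICMP echo request. The addresses and ports are made up; build_ipv4, tcp_syn and icmp_echo exist only to manufacture that test input.

```python
"""Decode raw IPv4 packets into the header fields the slides label
(SRC= DST= LEN= TOS= PREC= TTL= ID= PROTO= SPT= DPT= WINDOW= RES= URGP= TYPE= CODE=).
Added example, not the course's or the kernel's code; all sample packets are constructed."""
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# TCP flag bits, most significant bit of the flags byte first.
TCP_FLAG_NAMES = ["CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]


def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP and ICMP checksums)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(pkt: bytes) -> dict:
    """Parse the IPv4 header and whichever of TCP, UDP or ICMP follows it."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _hcksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a complete IPv4 header")
    f = {
        "SRC": ".".join(map(str, src)), "DST": ".".join(map(str, dst)), "LEN": total_len,
        "TOS": tos & 0x1E, "PREC": tos & 0xE0,   # the two halves of the TOS byte, as LOG prints them
        "TTL": ttl, "ID": ident,
        "DF": bool(flags_frag & 0x4000), "MF": bool(flags_frag & 0x2000),
        "FRAG": (flags_frag & 0x1FFF) * 8,       # fragment offset is in 8-byte units
        "PROTO": PROTO_NAMES.get(proto, str(proto)),
        "OPT": pkt[20:ihl].hex(),                # IP options left undecoded, as on the slide
        "IP_CKSUM_OK": checksum16(pkt[:ihl]) == 0,  # a valid header sums to zero with its checksum
    }
    payload = pkt[ihl:total_len]
    if proto == 6 and len(payload) >= 20:
        (spt, dpt, seq, ack, off_res, flags, window,
         _cksum, urgp) = struct.unpack("!HHIIBBHHH", payload[:20])
        doff = (off_res >> 4) * 4
        f.update(SPT=spt, DPT=dpt, SEQ=seq, ACK=ack, WINDOW=window, URGP=urgp, RES=off_res & 0x0F,
                 FLAGS=[n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (0x80 >> i)],
                 OPT_TCP=payload[20:doff].hex(), DATA=payload[doff:])
    elif proto == 17 and len(payload) >= 8:
        spt, dpt, ulen, _cksum = struct.unpack("!HHHH", payload[:8])
        f.update(SPT=spt, DPT=dpt, LEN_UDP=ulen, DATA=payload[8:])
    elif proto == 1 and len(payload) >= 4:
        typ, code, _cksum = struct.unpack("!BBH", payload[:4])
        f.update(TYPE=typ, CODE=code, ICMP_CKSUM_OK=checksum16(payload) == 0, DATA=payload[4:])
    return f


def log_line(f: dict) -> str:
    """Render decoded fields in the KEY=value style used on the slides."""
    parts = ["SRC=%s DST=%s LEN=%d TOS=0x%02X PREC=0x%02X TTL=%d ID=%d PROTO=%s"
             % (f["SRC"], f["DST"], f["LEN"], f["TOS"], f["PREC"], f["TTL"], f["ID"], f["PROTO"])]
    if "SPT" in f:
        parts.append("SPT=%d DPT=%d" % (f["SPT"], f["DPT"]))
    if "FLAGS" in f:
        parts.append("WINDOW=%d RES=0x%02X %s URGP=%d"
                     % (f["WINDOW"], f["RES"], " ".join(f["FLAGS"]), f["URGP"]))
    if "TYPE" in f:
        parts.append("TYPE=%d CODE=%d" % (f["TYPE"], f["CODE"]))
    return " ".join(parts)


# --- constructed sample packets (made-up addresses, not captured traffic) ---
def build_ipv4(proto: int, src: str, dst: str, payload: bytes, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Minimal IPv4 packet (DF set, no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:] + payload


def tcp_syn(spt: int, dpt: int, seq: int = 1000) -> bytes:
    """20-byte TCP header with only SYN set (TCP checksum left 0: it needs a pseudo-header)."""
    return struct.pack("!HHIIBBHHH", spt, dpt, seq, 0, 5 << 4, 0x02, 65535, 0, 0)


def icmp_echo(ident: int = 1, seq: int = 1, data: bytes = b"ping") -> bytes:
    """ICMP echo request (type 8, code 0) with its checksum filled in."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", checksum16(body)) + body[4:]


SAMPLE_SYN = build_ipv4(6, "192.168.1.5", "192.168.1.10", tcp_syn(40000, 22))
SAMPLE_DNS = build_ipv4(17, "192.168.1.5", "8.8.8.8", struct.pack("!HHHH", 53000, 53, 12, 0) + b"\xab\xcd\x01\x00")
SAMPLE_ECHO = build_ipv4(1, "192.168.1.5", "192.168.1.1", icmp_echo())

if __name__ == "__main__":
    for pkt in (SAMPLE_SYN, SAMPLE_DNS, SAMPLE_ECHO):
        print(log_line(decode_ipv4(pkt)))
```

Run it as a script and each packet prints as one LOG-style line, e.g. the SYN comes out as SRC=192.168.1.5 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4660 PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0. The IP_CKSUM_OK field is the check worth keeping when you adapt this to real captures: a sniffer sees the header as it was on the wire, and a bad checksum there means corruption or a deliberately malformed packet rather than a decoding bug.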

9 Common tcpdump Options
  tcpdump [-options] [expression]
  -c count      # exit after count packets have been captured
  -i ifc        # interface to listen on: eth0, lo, any ...
  -s snaplen    # bytes to capture per packet (0 = whole packet)
  -w filename   # write the raw packets to filename (binary pcap format; read it back with -r filename)
  -e            # print the link-level (frame) header on each line
  -n            # don't convert addresses to names (-nn also leaves port numbers unconverted)
  -x            # print the data of each packet in hex
  -v            # verbose output (-vv, -vvv for more detail)
  expression: [tcp|udp] [dst|src] [host|net|port] id

10 Wireshark

11 Wireshark

12 Snort Components
  Binary: /usr/sbin/snort
  Configuration: /etc/sysconfig/snort, /etc/snort/snort.conf, /etc/snort/*.rules
  Logging: /var/log/snort, /etc/logrotate.d/snort

13 Uses of Snort
  Packet sniffing (headers and payload printed to the console):
    snort -vde
  Packet logging mode:
    snort -vde -l ./log                      # log is a directory
    snort -vde -l ./log -h 192.168.1.0/24    # -h names the home network; logs are then filed by the remote host
    snort -b -l ./log                        # log in binary (pcap) format
  Intrusion detection:
    snort -d -l /var/log/snort -c /etc/snort/snort.conf

14 The Snort Engine
  Packet acquisition -> Packet decode -> Preprocessors -> Detection Engine -> Log or Alert?
    Yes: Output plugins, then Finished / Next Packet
    No: Finished / Next Packet

15 Writing Snort Rules
  1. Figure out what is "bad"
  2. Capture traffic that includes the "bad stuff"
  3. Learn the protocol
  4. Figure out why the "bad stuff" is bad
  5. Write a rule
  6. Test the rule
  7. Goto 5.

16 Rule Format – basic rule
  alert tcp 192.168.1.2 any -> 192.168.1.3 80 (msg:"your message"; content:"blah"; sid:10001;)
  The header gives the action, protocol, source address and port, direction, destination address and port; the options in parentheses are keyword:value pairs, each ended by ";". Addresses and ports may be any, a single value, a CIDR block or port range, or negated with !.
  Other keyword:value pairs:
  - reference:url,www.cabrillo.edu
  - rev:#
  - priority:#
  - classtype:type (see classification.config)
  - nocase;   (modifies the preceding content: match case-insensitively)
  - depth:#   (modifies the preceding content: search only this many bytes from the offset)
  - offset:#  (modifies the preceding content: start searching this many bytes into the payload)
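
The rule format above, parsed and evaluated against a handful of packets, as an added example that is not Snort's code and not part of the original slides. It implements only what the slide describes: the header fields (with any, CIDR, port ranges and ! negation), the content option with its nocase, offset and depth modifiers, and msg/sid for reporting. The three rules and five packet records are constructed for the example; the first rule is the slide's own, the other two are made up to show how offset and depth bound the content search. Snort's |hex| notation inside content strings is supported because real rules use it constantly.

```python
"""Parse basic Snort rules and test them against constructed packets.
Added example, not Snort's own code: it covers the rule header (action, protocol,
addresses, ports, direction) and the content / nocase / offset / depth options
shown on the slide; sid and msg are carried through for reporting."""
import ipaddress
import re

# keyword, optional :value (quoted or bare), terminated by ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_content(text: str) -> bytes:
    """Snort content syntax: literal text with optional |hex bytes| sections."""
    out, parts = b"", text.split("|")
    for i, part in enumerate(parts):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def parse_rule(rule: str) -> dict:
    head, _, opts = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    contents, fields = [], {}
    for m in OPTION_RE.finditer(opts.rsplit(")", 1)[0]):
        name, value = m.group(1), (m.group(2) or "").strip().strip('"')
        if name == "content":
            contents.append({"pattern": parse_content(value), "nocase": False, "offset": 0, "depth": None})
        elif name in ("nocase", "offset", "depth") and contents:  # modifiers bind to the preceding content
            contents[-1][name] = True if name == "nocase" else int(value)
        else:
            fields[name] = value
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport, "dir": direction,
            "dst": dst, "dport": dport, "msg": fields.get("msg", ""), "sid": int(fields.get("sid", 0)),
            "contents": contents}


def ip_matches(spec: str, addr: str) -> bool:
    """'any', an address, a CIDR block, or any of those negated with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negate


def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, a range lo:hi (either end may be open), or a negation."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def content_matches(c: dict, payload: bytes) -> bool:
    """offset: start searching here; depth: search only this many bytes from the offset."""
    window = payload[c["offset"]:] if c["depth"] is None else payload[c["offset"]:c["offset"] + c["depth"]]
    pattern = c["pattern"]
    if c["nocase"]:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def rule_matches(rule: dict, pkt: dict) -> bool:
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False

    def one_way(a, ap, b, bp):
        return (ip_matches(a, pkt["src"]) and port_matches(ap, pkt["sport"])
                and ip_matches(b, pkt["dst"]) and port_matches(bp, pkt["dport"]))

    forward = one_way(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    reverse = rule["dir"] == "<>" and one_way(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    return (forward or reverse) and all(content_matches(c, pkt["payload"]) for c in rule["contents"])


def alerts(rules: list, pkt: dict) -> list:
    """sids of the rules that fire on one TCP/UDP packet record."""
    return [r["sid"] for r in rules if rule_matches(r, pkt)]


RULES = [parse_rule(r) for r in (
    'alert tcp 192.168.1.2 any -> 192.168.1.3 80 (msg:"your message";content:"blah";sid:10001;)',
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"request starts with GET"; content:"GET "; offset:0; depth:4; nocase; sid:10002; rev:1;)',
    'alert tcp any any -> any !443 (msg:"blah in bytes 4-9"; content:"blah"; offset:4; depth:6; sid:10003;)',
)]

# constructed packet records, not captured traffic
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.2", "sport": 51000, "dst": "192.168.1.3", "dport": 80, "payload": b"GET /blah HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "192.168.1.9", "sport": 51001, "dst": "192.168.1.3", "dport": 80, "payload": b"get /index.html HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "192.168.1.2", "sport": 51002, "dst": "192.168.1.3", "dport": 443, "payload": b"blah"},
    {"proto": "udp", "src": "192.168.1.2", "sport": 53000, "dst": "192.168.1.3", "dport": 80, "payload": b"blah"},
    {"proto": "tcp", "src": "192.168.1.2", "sport": 51003, "dst": "192.168.1.3", "dport": 80, "payload": b"xxxxxxxxxxblah"},
]

if __name__ == "__main__":
    for p in PACKETS:
        print(p["src"], "->", p["dst"], p["dport"], alerts(RULES, p))
```

The last packet is the instructive one: "blah" is in the payload, so the slide's rule (sid 10001) fires, but sid 10003 stays quiet because offset 4 and depth 6 confine the search to bytes 4 through 9. Bounding content searches this way is also what keeps real rules cheap, since unbounded content matches scan every byte of every matching flow.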

17 Review

18 Focus Question: What are the common ways of specifying network packets used in tcpdump, wireshark, and snort?
  Network packets are most often identified by host address, network address (CIDR block) or port number.
  The keywords host, net and port name those identifiers. If no keyword is given, host is assumed. e.g. net 192.168.1.0/24 or port 22
  The direction qualifiers src and dst restrict the match to one side of the packet; without one, either side matches. Primitives are combined with the logical operators and, or and not (also written &&, ||, !) and grouped with parentheses. e.g. src host 192.168.1.5 and dst port 22
  This is the libpcap capture-filter syntax, shared by tcpdump, Wireshark capture filters and Snort's BPF filter. Wireshark display filters (e.g. ip.addr == 192.168.1.5) are a separate language.
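
The expression grammar summarised above, implemented as a small evaluator and run over a few packet records, as an added example that is not libpcap's compiler and not part of the original slides. It parses the subset the slides list ([tcp|udp|icmp] [src|dst] [host|net|port] id) with host assumed when no type keyword appears, plus and/or/not (and their &&, ||, ! spellings) and parentheses, with the same precedence as pcap-filter(7): not binds tightest, then and, then or. The four packet records are constructed with made-up addresses.

```python
"""Evaluate tcpdump/BPF-style capture filter expressions against constructed
packet records. Added example, not libpcap's compiler: it implements the subset
of the grammar the slides list, [tcp|udp|icmp] [src|dst] [host|net|port] id,
with 'host' assumed when no type keyword is given, combined with and/or/not
(also &&, ||, !) and parentheses."""
import ipaddress
import re

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")
OPERATORS = {"and", "&&", "or", "||", "not", "!", ")", None}


class Filter:
    """Recursive-descent parser; precedence is not > and > or, as in pcap-filter(7)."""

    def __init__(self, expression: str):
        self.toks = TOKEN_RE.findall(expression)
        self.pos = 0
        self.tree = self._or()
        if self.pos != len(self.toks):
            raise ValueError("unexpected token %r" % self.toks[self.pos])

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        if self.pos >= len(self.toks):
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return self.toks[self.pos - 1]

    def _or(self):
        node = self._and()
        while self._peek() in ("or", "||"):
            self._next()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._not()
        while self._peek() in ("and", "&&"):
            self._next()
            node = ("and", node, self._not())
        return node

    def _not(self):
        if self._peek() in ("not", "!"):
            self._next()
            return ("not", self._not())
        if self._peek() == "(":
            self._next()
            node = self._or()
            if self._next() != ")":
                raise ValueError("missing )")
            return node
        return self._primitive()

    def _primitive(self):
        proto = self._next() if self._peek() in ("tcp", "udp", "icmp") else None
        direction = self._next() if self._peek() in ("src", "dst") else None
        kind = self._next() if self._peek() in ("host", "net", "port") else None
        if proto and direction is None and kind is None and self._peek() in OPERATORS:
            return ("proto", proto)          # bare protocol qualifier, e.g. "tcp"
        if kind is None:
            kind = "host"                    # no type keyword: host is assumed
        ident = self._next()
        value = int(ident) if kind == "port" else ipaddress.ip_network(ident, strict=False)
        return ("prim", proto, direction, kind, value)

    def matches(self, pkt: dict) -> bool:
        return self._eval(self.tree, pkt)

    def _eval(self, node, pkt):
        op = node[0]
        if op == "or":
            return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if op == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if op == "not":
            return not self._eval(node[1], pkt)
        if op == "proto":
            return pkt["proto"] == node[1]
        _, proto, direction, kind, value = node
        if proto and pkt["proto"] != proto:
            return False
        if kind == "port":
            sides = {"src": pkt.get("sport"), "dst": pkt.get("dport")}  # ICMP records have no ports
            test = lambda p: p == value
        else:
            sides = {"src": ipaddress.ip_address(pkt["src"]), "dst": ipaddress.ip_address(pkt["dst"])}
            test = lambda a: a in value                                  # a host is a /32 network
        candidates = [sides[direction]] if direction else [sides["src"], sides["dst"]]
        return any(test(c) for c in candidates)


# constructed packet records, not captured traffic
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.5", "sport": 40000, "dst": "10.0.0.1", "dport": 22},
    {"proto": "tcp", "src": "10.0.0.1", "sport": 22, "dst": "192.168.1.5", "dport": 40000},
    {"proto": "udp", "src": "192.168.1.7", "sport": 53000, "dst": "8.8.8.8", "dport": 53},
    {"proto": "icmp", "src": "192.168.2.1", "dst": "192.168.1.5"},
]


def select(expression: str, packets=PACKETS) -> list:
    """Indexes of the packets a filter expression would capture."""
    flt = Filter(expression)
    return [i for i, p in enumerate(packets) if flt.matches(p)]


if __name__ == "__main__":
    for expr in ("src host 192.168.1.5 and dst port 22", "192.168.1.5", "net 192.168.1.0/24 and not tcp"):
        print("%-45s -> %s" % (expr, select(expr)))
```

Two behaviours worth noticing: "port 22" and "host 192.168.1.5" match the SSH connection in both directions because an unqualified primitive tests both sides of the packet, while "src host 192.168.1.5 and dst port 22" selects only the client-to-server half. That is the difference the slide's src/dst qualifiers exist for.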

