Security (IDS Basics)

  • November 2019
  • PDF

  • Words: 892
  • Pages: 27
Table of Contents
  • 3 - IDS types
  • 8 - Ethernet Frame
  • 9 - IP frame
  • 10 - TCP frame
  • 11 - UDP frame
  • 12 - ICMP Frame
  • 13 - 3-way handshake
  • 15 - TCP flags
  • 16 - ICMP types
  • 17 - Shadow IDS
  • 23 - Snort IDS
  • 25 - Auditing
  • 26 - Resources

Author • Jerry Shenk • D&E Communications

IDS Types
• Host Based
  – Log files
  – Programs
• Network based
  – Monitor traffic
  – Sensor/Analyzer

Network IDS types
• Signature based
  – Looks for specific bad packet signatures
• Anomaly based
  – Normal traffic is defined. Other traffic is reported

Network IDS responses
• Pager/E-mail
  – "real-time" vs. false alarms
• Blocking
  – proactive vs. DOS prone
• Resetting
• Periodic wrapup
  – Analyst may not check status

Network IDS - Commercial
• Cisco Secure IDS (NetRanger)
• ISS RealSecure
• Axent Intruder Alert (Raptor)
• NWS Dragon
• CheckPoint Cyber Attack Defense System

Network IDS - free
• Shadow - Anomaly based
  – Based on tcpdump
  – filters are fully configurable although hard to follow
  – traffic is captured and processed hourly (Perl)
• Snort - Signature based
  – filters are fully configurable and require detailed info but are easier than tcpdump

Ethernet Encapsulation
  Interface Layer:  Frame Header       | Frame Data Area
  Internet Layer:   IP Datagram Header | IP Data
  Transport Layer:  ICMP/UDP/TCP Header | Protocol Data

IP Packets (each row is 32 bits; the slide marks bit positions 0, 16 and 31)
  version | hdr lnth | type of service | total length of datagram
  identification number | R DF MF | fragment offset
  time-to-live (ttl) | protocol | header checksum
  source IP address (4 bytes)
  destination IP address (4 bytes)
  options field (variable length, max length 40 bytes)
  data
  (fixed header = 20 bytes)

TCP Packets (each row is 32 bits; the slide marks bit positions 0, 16 and 31)
  source port number | destination port number
  sequence number
  acknowledgement number
  hdr lgth | reserved | U A P R S F | window size
  TCP checksum | urgent pointer
  options field (variable length, max length 40 bytes)
  data
  (fixed header = 20 bytes)

UDP Packets (each row is 32 bits; the slide marks bit positions 0, 16 and 31)
  source port number | destination port number
  UDP datagram length | UDP checksum
  optional data

ICMP packets (each row is 32 bits; the slide marks bit positions 0, 8, 16 and 31)
  type (bits 0-7) | code (bits 8-15) | checksum (bits 16-31)
  contents depend on type and code (echo has sender and sequence info)
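The four header slides above give the field layouts; the following is an added example (not part of the slide deck) that decodes raw IPv4, TCP, UDP and ICMP headers with those layouts, verifies the IP header checksum, and names the TCP flag bits in the slide's U A P R S F order. The sample packet is constructed in the code with the documentation addresses 192.0.2.10 and 192.0.2.23 and the port, sequence, window and MSS values of the client SYN from the trace slide; it is not a capture.

```python
"""Decode raw IPv4, TCP, UDP and ICMP headers according to the field layouts on the slides."""
import struct
from ipaddress import IPv4Address

# TCP flag bits in the slide's U A P R S F order (URG, ACK, PSH, RST, SYN, FIN).
TCP_FLAGS = (("U", 0x20), ("A", 0x10), ("P", 0x08), ("R", 0x04), ("S", 0x02), ("F", 0x01))


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); a correct header sums to 0 with its checksum included."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ip(buf: bytes) -> dict:
    """IP header row by row: version/hdr lnth, tos, total length; id, R/DF/MF, fragment offset; ttl, protocol, checksum; src; dst."""
    if len(buf) < 20:
        raise ValueError("truncated IP header")
    vihl, tos, total_len, ident, frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    version, hdr_len = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or hdr_len < 20 or hdr_len > len(buf) or total_len > len(buf):
        raise ValueError("bad version, header length or total length")
    return {
        "version": version, "hdr_len": hdr_len, "tos": tos, "total_len": total_len, "id": ident,
        "R": bool(frag & 0x8000), "DF": bool(frag & 0x4000), "MF": bool(frag & 0x2000),
        "frag_offset": frag & 0x1FFF, "ttl": ttl, "protocol": proto,
        "checksum_ok": inet_checksum(buf[:hdr_len]) == 0,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "options": buf[20:hdr_len], "payload": buf[hdr_len:total_len],
    }


def parse_tcp(buf: bytes) -> dict:
    """TCP header: ports; sequence; acknowledgement; hdr lgth/reserved/flags, window; checksum, urgent pointer; options."""
    if len(buf) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, offres, flagbits, window, csum, urg = struct.unpack("!HHLLBBHHH", buf[:20])
    hdr_len = (offres >> 4) * 4
    if hdr_len < 20 or hdr_len > len(buf):
        raise ValueError("bad TCP header length")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "hdr_len": hdr_len,
        "flags": "".join(name for name, bit in TCP_FLAGS if flagbits & bit),
        "window": window, "checksum": csum, "urgent": urg,
        "options": buf[20:hdr_len], "payload": buf[hdr_len:],
    }


def parse_udp(buf: bytes) -> dict:
    """UDP header: ports; datagram length, checksum; then the optional data."""
    if len(buf) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", buf[:8])
    return {"sport": sport, "dport": dport, "length": length, "checksum": csum, "payload": buf[8:length]}


def parse_icmp(buf: bytes) -> dict:
    """ICMP: type (bits 0-7), code (8-15), checksum (16-31); echo messages carry identifier and sequence next."""
    if len(buf) < 4:
        raise ValueError("truncated ICMP header")
    icmp_type, code, csum = struct.unpack("!BBH", buf[:4])
    out = {"type": icmp_type, "code": code, "checksum": csum, "rest": buf[4:]}
    if icmp_type in (0, 8) and len(buf) >= 8:
        out["identifier"], out["sequence"] = struct.unpack("!HH", buf[4:8])
    return out


def decode(packet: bytes) -> dict:
    """Peel the layers as on the encapsulation slide: IP header, then the transport header its protocol field names."""
    ip = parse_ip(packet)
    if ip["protocol"] == 6:
        ip["tcp"] = parse_tcp(ip["payload"])
    elif ip["protocol"] == 17:
        ip["udp"] = parse_udp(ip["payload"])
    elif ip["protocol"] == 1:
        ip["icmp"] = parse_icmp(ip["payload"])
    return ip


def build_syn_sample() -> bytes:
    """Constructed sample (not a capture): the client SYN of the trace slide, 4247 -> 23, seq 3073470005, win 512, <mss 1460>, DF."""
    options = struct.pack("!BBH", 2, 4, 1460)                       # TCP option kind 2 = MSS, length 4
    tcp = struct.pack("!HHLLBBHHH", 4247, 23, 3073470005, 0, 6 << 4, 0x02, 512, 0, 0) + options  # hdr lgth = 6 words
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                      IPv4Address("192.0.2.10").packed, IPv4Address("192.0.2.23").packed)  # DF set, proto 6
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]  # fill in the header checksum
    return hdr + tcp


if __name__ == "__main__":
    d = decode(build_syn_sample())
    print(d["src"], "->", d["dst"], "ttl", d["ttl"], "DF", d["DF"], "checksum_ok", d["checksum_ok"])
    t = d["tcp"]
    print("tcp", t["sport"], "->", t["dport"], "flags", t["flags"], "seq", t["seq"], "win", t["window"], "options", t["options"].hex())
```

The `checksum_ok` test relies on the one's-complement property that a header summed together with its own checksum field folds to zero, so no second pass over the header is needed; the TCP and UDP checksums are left unverified because they also cover a pseudo-header that is not part of these slides.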

3-way Handshake & Termination

  client (port = 4247/tcp)                       server (port = 23/tcp)
     SYN         ------------------------------>
                 <------------------------------   SYN - ACK
     ACK         ------------------------------>
     [ACK set for each packet in the rest of the session] [session proceeds]
     FIN ACK     ------------------------------>
                 <------------------------------   ACK
                 <------------------------------   FIN ACK
     ACK         ------------------------------>

  Either the client or the server may initiate the closing sequence

3-way Handshake & Termination

Establishment
  client.4247 > server.23: S 3073470005:3073470005(0) win 512 <mss 1460>
  server.23 > client.4247: S 1932608000:1932608000(0) ack 3073470006 win 61320 <mss 1460> (DF)
  client.4247 > server.23: . ack 1932608001 win 32120 (DF)

Termination
  client.4247 > server.23: F 3073470006:3073470006(0) ack 1932608001 win 32120
  server.23 > client.4247: . ack 3073470007 win 61320 (DF)
  server.23 > client.4247: F 1932608001:1932608001(0) ack 3073470007 win 61320 (DF)
  client.4247 > server.23: . ack 1932608002 win 32120 (DF)

  S   = SYN flag is set
  F   = FIN flag is set
  .   = none of the SFRP flags are set (ack and urg are displayed differently)
  (x) = x data bytes in the packet
  win = advertised window size
  mss = max segment size announcement
  DF  = don't fragment flag is set
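The trace above shows the bookkeeping behind a clean handshake and close: a SYN or FIN consumes one sequence number, so every ack from the peer should equal the last sequence number sent plus the bytes and flag octets consumed. The following is an added example (not from the slides) that parses tcpdump lines in the format shown and replays that arithmetic; the trace string is copied from the slide, and a tampered copy in the test shows a mismatch being reported.

```python
"""Sequence-number consistency check over the tcpdump-style handshake/termination trace on the slide."""
import re

# One tcpdump line: src.port > dst.port: FLAGS [start:end(len)] [ack N] win W ...
LINE = re.compile(
    r"^(?P<src>[\w.-]+)\.(?P<sport>\d+) > (?P<dst>[\w.-]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<start>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
)

# Copied from the slide: a telnet session, client port 4247, server port 23.
TRACE = """\
client.4247 > server.23: S 3073470005:3073470005(0) win 512 <mss 1460>
server.23 > client.4247: S 1932608000:1932608000(0) ack 3073470006 win 61320 <mss 1460> (DF)
client.4247 > server.23: . ack 1932608001 win 32120 (DF)
client.4247 > server.23: F 3073470006:3073470006(0) ack 1932608001 win 32120
server.23 > client.4247: . ack 3073470007 win 61320 (DF)
server.23 > client.4247: F 1932608001:1932608001(0) ack 3073470007 win 61320 (DF)
client.4247 > server.23: . ack 1932608002 win 32120 (DF)
"""


def parse_line(line: str) -> dict:
    """Split one trace line into endpoints, flags, sequence range, ack and window."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError("unrecognised tcpdump line: %r" % line)
    d = m.groupdict()
    for key in ("sport", "dport", "start", "end", "len", "ack", "win"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def check_trace(text: str) -> dict:
    """Replay the trace: SYN and FIN each consume one sequence number, data consumes its length,
    and every ack from the peer must name the next sequence number the sender owes."""
    pkts = [parse_line(line) for line in text.splitlines() if line.strip()]
    expected = {}        # (host, port) -> next sequence number the peer should acknowledge
    mismatches = []      # (packet number, expected ack, ack seen)
    for n, p in enumerate(pkts, 1):
        me, peer = (p["src"], p["sport"]), (p["dst"], p["dport"])
        if p["ack"] is not None and peer in expected and p["ack"] != expected[peer]:
            mismatches.append((n, expected[peer], p["ack"]))
        if p["start"] is not None:
            expected[me] = p["end"] + ("S" in p["flags"]) + ("F" in p["flags"])
    first = [p["flags"] for p in pkts[:3]]
    handshake_ok = (first == ["S", "S", "."]
                    and pkts[1]["ack"] is not None and pkts[2]["ack"] is not None
                    and not any(n <= 3 for n, _, _ in mismatches))
    closer = next((p["src"] for p in pkts if "F" in p["flags"]), None)   # who initiated the close
    return {"packets": len(pkts), "handshake_ok": handshake_ok, "ack_mismatches": mismatches, "closer": closer}


if __name__ == "__main__":
    print(check_trace(TRACE))
```

Lines with "." carry no sequence range in this output format, so they only acknowledge and never advance the sender's expected value; the same replay applied to a real capture flags acks that do not line up, which is one of the anomalies an analyst looks for in an hourly Shadow review.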

TCP Flags
• FIN : sender is finished sending data -- initiates a half close
• SYN : synchronize the sequence numbers to establish a connection
• RST : reset (abort) the connection
• PSH : tells receiver not to buffer the data before passing it to the application (interactive applications use this)
• ACK : acknowledgement number is valid
• URG : urgent pointer is valid (often results from an interrupt)

ICMP Types

  msg#  description                 msg#  description
  0     echo reply                  12    parameter problem
  3     destination unreachable     13    timestamp request
  4     source quench               14    timestamp reply
  5     redirect                    15    information request
  8     echo request                16    information reply
  9     router advertisement        17    address mask request
  10    router solicitation         18    address mask reply
  11    time exceeded

Shadow initial screen

Shadow sample hourly screen

Shadow Search

Shadow Search 2

Shadow tcpdump sensor filter
  (ip and not
    (
      (igrp or dst port 520 or port 524 or port 1677 or port 1494)
      or
      (net 10.0.0.0 mask 255.0.0.0 and ((icmp[0]=8) or (icmp[0]=0)))
    )
  )
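The sensor filter is easier to read once its two exclusions are separated: routing and application chatter (IGRP, RIP on 520, NCP on 524, GroupWise on 1677, Citrix ICA on 1494) and ICMP echo request/reply touching the 10.0.0.0/8 network, everything else IP being captured. The following is an added example (not Shadow's own code) that restates the filter as a Python predicate over decoded packet summaries and applies it to a constructed set of packets; the dictionary layout (`proto`, `src`, `dst`, `sport`, `dport`, `icmp_type`, `ip`) is an assumption of the example.

```python
"""The Shadow sensor filter from the slide, restated in Python over decoded packet summaries."""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # "net 10.0.0.0 mask 255.0.0.0" in the filter
IGRP = 9                               # IP protocol number that tcpdump's "igrp" primitive tests
ICMP, TCP, UDP = 1, 6, 17
ECHO_REQUEST, ECHO_REPLY = 8, 0        # icmp[0] is the ICMP type byte
# Port assignments behind the numbers: 520 RIP, 524 NCP, 1677 GroupWise, 1494 Citrix ICA.


def port(pkt: dict, number: int) -> bool:
    """tcpdump 'port N': source or destination port equals N (only TCP/UDP carry ports here)."""
    return pkt.get("proto") in (TCP, UDP) and number in (pkt.get("sport"), pkt.get("dport"))


def in_net(pkt: dict, net) -> bool:
    """tcpdump 'net X mask M': source or destination address inside the network."""
    return ip_address(pkt["src"]) in net or ip_address(pkt["dst"]) in net


def shadow_sensor_filter(pkt: dict) -> bool:
    """True when the sensor would record the packet."""
    if not pkt.get("ip", True):         # leading 'ip and ...': non-IP frames such as ARP are dropped
        return False
    # (igrp or dst port 520 or port 524 or port 1677 or port 1494): routing and application chatter
    noise = (pkt.get("proto") == IGRP
             or (pkt.get("proto") in (TCP, UDP) and pkt.get("dport") == 520)
             or port(pkt, 524) or port(pkt, 1677) or port(pkt, 1494))
    # (net 10.0.0.0 mask 255.0.0.0 and ((icmp[0]=8) or (icmp[0]=0))): pings touching the internal net
    internal_ping = (in_net(pkt, INTERNAL) and pkt.get("proto") == ICMP
                     and pkt.get("icmp_type") in (ECHO_REQUEST, ECHO_REPLY))
    return not (noise or internal_ping)


def select(packets: list) -> list:
    """Indices of the packets the sensor keeps for hourly processing."""
    return [i for i, p in enumerate(packets) if shadow_sensor_filter(p)]


# Constructed packet summaries (not a capture); 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE = [
    {"proto": TCP, "src": "198.51.100.7", "dst": "10.1.1.5", "sport": 4247, "dport": 23},       # telnet: kept
    {"proto": UDP, "src": "10.1.1.1", "dst": "10.1.1.255", "sport": 520, "dport": 520},        # RIP: dropped
    {"proto": TCP, "src": "10.2.2.2", "dst": "10.3.3.3", "sport": 1034, "dport": 524},          # NCP: dropped
    {"proto": ICMP, "src": "10.2.2.2", "dst": "10.3.3.3", "icmp_type": ECHO_REQUEST},         # internal ping: dropped
    {"proto": ICMP, "src": "10.2.2.2", "dst": "10.3.3.3", "icmp_type": 3},                    # unreachable: kept
    {"proto": ICMP, "src": "198.51.100.7", "dst": "192.0.2.9", "icmp_type": ECHO_REQUEST},    # ping outside 10/8: kept
    {"proto": IGRP, "src": "10.0.0.1", "dst": "224.0.0.10"},                                   # IGRP: dropped
    {"ip": False, "proto": None},                                                              # ARP: dropped
]

if __name__ == "__main__":
    print(select(SAMPLE))   # [0, 4, 5]
```

Note the asymmetry the filter encodes: `dst port 520` drops only traffic sent to RIP, whereas `port 524` drops either direction; and only echo request/reply inside 10/8 is suppressed, so destination-unreachable and other ICMP between internal hosts still reaches the analyzer.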

Shadow tcpdump analyzer filters
• Analyzer filters - broken into sections to make them easier to read and to avoid a size limitation. They use the same syntax as the sensor filter but are much larger.
  – tcp.filter
  – udp.filter
  – icmp.filter
  – ip.filter

Snort rules
• SYN/FIN scan
  – alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS198/SYN FIN Scan"; flags: SF;)
• DNS zone transfer
  – alert TCP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS212/dns-zone-transfer"; content: "|01 00 00 01 00 00 00 00 00 00|"; flags: AP; offset: "2"; depth: "16";)
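To show what the two rules above actually test, the following is an added example (not Snort's own code) that evaluates them over decoded packet summaries: the rule header (protocol, $EXTERNAL/$INTERNAL, ports), the `flags` option with its no-modifier meaning of exactly these bits set, and the `content` option with `offset` and `depth`. The example assumes $INTERNAL is 10.0.0.0/8 and $EXTERNAL is its complement, reads `depth` as the number of payload bytes searched after `offset`, and constructs its own packets, including a TCP-framed DNS query whose header bytes are the ones the second rule looks for.

```python
"""A minimal matcher for the two Snort rules on the slide, run over decoded packet summaries."""
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]      # assumed value of $INTERNAL; $EXTERNAL is everything else

# The two rules from the slide, as dictionaries.
RULES = [
    {"msg": "IDS198/SYN FIN Scan", "proto": "tcp",
     "src": "$EXTERNAL", "sport": "any", "dst": "$INTERNAL", "dport": "any", "flags": "SF"},
    {"msg": "IDS212/dns-zone-transfer", "proto": "tcp",
     "src": "$EXTERNAL", "sport": "any", "dst": "$INTERNAL", "dport": 53, "flags": "AP",
     "content": "|01 00 00 01 00 00 00 00 00 00|", "offset": 2, "depth": 16},
]


def parse_content(spec: str) -> bytes:
    """Snort content syntax: text outside pipes is literal, hex bytes between |pipes|."""
    out, in_hex = bytearray(), False
    for chunk in spec.split("|"):
        out += bytes.fromhex(chunk) if in_hex else chunk.encode("latin-1")
        in_hex = not in_hex
    return bytes(out)


def addr_matches(var: str, addr: str) -> bool:
    inside = any(ip_address(addr) in net for net in INTERNAL_NETS)
    return inside if var == "$INTERNAL" else not inside


def port_matches(spec, port: int) -> bool:
    return spec == "any" or spec == port


def flags_match(rule_flags: str, pkt_flags: str) -> bool:
    """'flags:' with no modifier means exactly these bits are set and no others."""
    return set(rule_flags) == set(pkt_flags)


def content_match(payload: bytes, pattern: bytes, offset: int = 0, depth=None) -> bool:
    """Search starts 'offset' bytes into the payload and, with 'depth', looks only that many bytes further."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def rule_matches(rule: dict, pkt: dict) -> bool:
    if pkt["proto"] != rule["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    if not (port_matches(rule["sport"], pkt["sport"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    if "flags" in rule and not flags_match(rule["flags"], pkt["flags"]):
        return False
    if "content" in rule and not content_match(pkt.get("payload", b""), parse_content(rule["content"]),
                                               rule.get("offset", 0), rule.get("depth")):
        return False
    return True


def alerts(packets: list) -> list:
    """(packet index, msg) for every rule each packet triggers."""
    return [(i, r["msg"]) for i, p in enumerate(packets) for r in RULES if rule_matches(r, p)]


# Constructed packet summaries (not captures). The DNS payload is a TCP-framed query: 2-byte length,
# then the 12-byte DNS header (id 1234, flags 0100, 1 question, 0 answer/authority/additional), then the question.
DNS_QUERY = (b"\x00\x1d" + b"\x12\x34" + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
             + b"\x07example\x03com\x00" + b"\x00\xfc" + b"\x00\x01")   # QTYPE 252 = AXFR, class IN
SAMPLE = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "10.1.1.5", "sport": 40000, "dport": 80, "flags": "SF", "payload": b""},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "10.1.1.5", "sport": 40001, "dport": 80, "flags": "S", "payload": b""},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "10.1.1.53", "sport": 40002, "dport": 53, "flags": "AP", "payload": DNS_QUERY},
    {"proto": "tcp", "src": "10.2.2.2", "dst": "10.1.1.5", "sport": 40003, "dport": 80, "flags": "SF", "payload": b""},
]

if __name__ == "__main__":
    for index, msg in alerts(SAMPLE):
        print("packet", index, "->", msg)
```

Two things the run makes visible: the fourth packet carries the same SYN/FIN combination as the first but is not reported because its source is inside $INTERNAL, and the zone-transfer rule keys on the generic DNS header bytes after the length prefix rather than on the AXFR query type, so it fires on any TCP DNS query with one question that reaches port 53, which is why such signatures need the analyst review the Shadow slides describe.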

Snort responses • logging • resetting

Auditing The Network
• Scan your network - web based
  – http://www.webtrends.net/tools/security/scan.asp
  – https://grc.com/x/ne.dll?bh0bkyd2
• More thorough
  – Nessus - runs on unix - free, Windows client
  – Satan/Saint/Sara - runs on unix - free
  – Cisco NetSonar - runs on NT
  – Cybercop (Balista) - http://www.nai.com
  – nmap - unix, command-line, very flexible

Resources
• Port numbers
  – http://www.snort.org (port search link)
  – http://dev.whitehats.com/ids/ids.html
  – http://www.isi.edu/innotes/iana/assignments/port-numbers

Resources
• Security Sites
  – http://www.sans.org
  – http://www.cert.org/advisories/
  – http://www.cerias.purdue.edu/coast/
  – http://www.nipc.gov/
  – http://dev.whitehats.com/
