Reading Log Files
Segment Format
TCP header, as drawn on the slide (bit offsets 0, 4, 10 and 16 across each 32-bit word), rendered here as a field list:
• SrcPort (16 bits) | DstPort (16 bits)
• SequenceNum (32 bits)
• Acknowledgment (32 bits)
• HdrLen (4 bits) | 0, reserved (6 bits) | Flags (6 bits) | AdvertisedWindow (16 bits)
• Checksum (16 bits) | UrgPtr (16 bits)
• Options (variable)
• Data
http://www.networksorcery.com/enp/protocol/tcp.htm
Datagram Header
• Three key fields
– Source IP address
– Destination IP address
– Type (contents): the Protocol field, which says what the payload is (e.g. 6 = TCP, 17 = UDP, 1 = ICMP)
TCP Flags
• TCP packets carry one-bit flags
• The flags specify the meaning of the packet; tcpdump abbreviates them as follows
– SYN (start of connection): S
– ACK (acknowledge): ack
– FIN ("FINish", or French for "end"): F
– RESET: R
– PUSH: P
– URGENT: urg
• In this notation a "." in the flags position means none of S, F, R or P is set (a bare ACK prints as ". ack N"). Newer tcpdump releases print the same flags in brackets, e.g. Flags [S.], where "." stands for ACK.
Connection Establishment
Three-way handshake between the active participant (client) and the passive participant (server):
– Client -> Server: SYN, SequenceNum = x
– Server -> Client: SYN+ACK, SequenceNum = y, Acknowledgment = x+1
– Client -> Server: ACK, Acknowledgment = y+1
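To make the segment format, the flag notation and the handshake relationships concrete, here is an added Python example (written for this page; it is not code from the slides or from tcpdump). It constructs the three headers of a handshake between a client on port 40000 and a server on port 80 with x = 1000 and y = 5000 (assumed values, checksums left at zero), decodes them field by field with struct, renders the flags in the slides' tcpdump notation and checks that the acknowledgment numbers line up as the slide says they must.

```python
import struct

# Flag bits of the 6-bit Flags field (RFC 793), paired with the tcpdump abbreviation the slides use.
TCP_FLAGS = [("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("ack", 0x10), ("urg", 0x20)]


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header, then split off options and data using HdrLen."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src_port, dst_port, seq, ack, off_flags,
     window, checksum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (off_flags >> 12) * 4            # HdrLen counts 32-bit words
    flag_bits = off_flags & 0x3F                # low 6 bits; bits 6-9 are the reserved "0" field
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError(f"HdrLen {hdr_len} inconsistent with a {len(segment)}-byte segment")
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "hdr_len": hdr_len, "flags": {name for name, bit in TCP_FLAGS if flag_bits & bit},
        "window": window, "checksum": checksum, "urg_ptr": urg_ptr,
        "options": segment[20:hdr_len], "data": segment[hdr_len:],
    }


def flag_string(flags: set) -> str:
    """Render flags the way the slides' tcpdump notation does: 'S', 'S ack', '. ack' style."""
    sfrp = "".join(f for f in "SFRP" if f in flags) or "."
    rest = " ".join(f for f in ("urg", "ack") if f in flags)
    return f"{sfrp} {rest}".strip()


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535, options=b"") -> bytes:
    """Construct a TCP header; checksum is left 0 because these are constructed, not sent, bytes."""
    if len(options) % 4:
        raise ValueError("options must be padded to a 32-bit boundary")
    flag_bits = sum(bit for name, bit in TCP_FLAGS if name in flags)
    off_flags = (((20 + len(options)) // 4) << 12) | flag_bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, window, 0, 0) + options


def check_handshake(syn: dict, synack: dict, ack: dict) -> bool:
    """The slide's relationships: SYN seq=x; SYN+ACK seq=y, ack=x+1; ACK seq=x+1, ack=y+1."""
    x, y = syn["seq"], synack["seq"]
    reverse = (syn["src_port"], syn["dst_port"]) == (synack["dst_port"], synack["src_port"])
    return (syn["flags"] == {"S"} and reverse
            and synack["flags"] == {"S", "ack"} and synack["ack"] == (x + 1) & 0xFFFFFFFF
            and "ack" in ack["flags"] and "S" not in ack["flags"]
            and ack["seq"] == (x + 1) & 0xFFFFFFFF and ack["ack"] == (y + 1) & 0xFFFFFFFF)


# Constructed handshake: client port 40000 -> server port 80, x = 1000, y = 5000 (assumed values).
X, Y = 1000, 5000
MSS_OPTION = bytes([2, 4, 0x05, 0xB4])      # kind 2, length 4, MSS 1460; already 32-bit aligned
HANDSHAKE = [
    build_tcp_header(40000, 80, X, 0, {"S"}, options=MSS_OPTION),
    build_tcp_header(80, 40000, Y, X + 1, {"S", "ack"}),
    build_tcp_header(40000, 80, X + 1, Y + 1, {"ack"}),
]


def handshake_ok() -> bool:
    """Parse the three constructed segments and verify them against the slide's rules."""
    return check_handshake(*(parse_tcp_header(seg) for seg in HANDSHAKE))


if __name__ == "__main__":
    for seg in HANDSHAKE:
        h = parse_tcp_header(seg)
        print(f"{h['src_port']} > {h['dst_port']}: {flag_string(h['flags'])} "
              f"seq {h['seq']} ack {h['ack']} win {h['window']} hdrlen {h['hdr_len']}")
    print("handshake consistent:", handshake_ok())
```

Reading the first header back gives HdrLen 24 because of the 4-byte MSS option; the other two have no options and come back as 20. Feed the parser a segment whose HdrLen claims more bytes than are present and it raises rather than silently reading past the end, which is the check a log-analysis tool needs before trusting any field after the fixed header.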
Sequence of Messages – TCP Flow Control
TCPDump
TCPdump – Absolute and Relative Sequence Numbers
• By default tcpdump prints the absolute sequence numbers only on the SYN packets and relative numbers (counting from the initial sequence number) afterwards; the -S option prints absolute numbers throughout, which matters when lining up a trace against another sensor's log.
TCPdump Trace
• 3-Way Handshake
• Data Transfer
TCPdump Trace
• Connection Termination
TCPdump Trace
• ACK Scan: bare ACK packets sent to ports with no preceding SYN. A RST back means the port is reachable through any filter; silence suggests a stateful filter dropped the unsolicited ACK.
Snort
Introduction to Practicals
• Network or system log trace of an event of interest on which the practical is based
• Source of the detect, e.g., Snort
• Probability that the source address was spoofed
• Description of the attack
• Attack mechanism
• Correlations
• Evidence of active targeting
• Severity
• Defensive recommendation
• Multiple-choice question
• The traffic was logged because it violated the security policy
• The network or system trace may contain
– False positives
– False negatives
– False interpretations
One Trace Example
P. 21 of the textbook
Probability the source address was spoofed
• Probably spoofed
– DoS attacks: Smurf, ICMP broadcast, etc. (the attacker never needs to see the replies)
• Probably not spoofed
– TCP packets whose three-way handshake completed: the sender had to see the server's SYN+ACK, so it was at, or on the path to, the claimed address. Caveat: an attacker who can sniff that path or predict the server's initial sequence number can still complete a handshake blind.
• Combination of both aspects
• Despoof: sends a probe to the claimed source address and compares the TTL of the reply with the TTL of the suspect packet; a different hop count suggests the packet did not come from that host
– http://packetstormsecurity.org/advisories/bindview/
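The TTL comparison behind the Despoof idea, as an added Python example written for this page (it is not Despoof's own code). It assumes the three initial TTL defaults most stacks use (64, 128, 255), infers the sender's hop count from an observed TTL, and judges a suspect packet against the TTL of a reply solicited from the claimed source; all TTL values below are constructed.

```python
# Initial TTL defaults common IP stacks start from. This list is an assumption of the example:
# other defaults exist, so the inference is a heuristic, not proof of anything.
COMMON_INITIAL_TTLS = (64, 128, 255)


def infer_ttl_origin(observed_ttl: int) -> tuple:
    """Return (assumed initial TTL, hop count) for a packet seen with this TTL.

    Picks the smallest common default not below the observed value, so TTL 52 reads as
    64 minus 12 hops rather than 128 minus 76 hops. That choice is the built-in ambiguity
    of any TTL-based check: a 128-class sender 70 hops away would be misclassified.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


def despoof_verdict(suspect_ttl: int, probe_reply_ttl: int, tolerance: int = 2) -> tuple:
    """Compare the suspect packet with a reply we solicited from the claimed source.

    A packet genuinely sent by that host should show the same initial-TTL class and about
    the same hop count; `tolerance` (an assumed value) absorbs mildly asymmetric routes.
    Returns (consistent, reason).
    """
    s_init, s_hops = infer_ttl_origin(suspect_ttl)
    p_init, p_hops = infer_ttl_origin(probe_reply_ttl)
    if s_init != p_init:
        return False, (f"initial TTL class differs: suspect looks like {s_init}, "
                       f"claimed source replies with {p_init}")
    if abs(s_hops - p_hops) > tolerance:
        return False, f"hop count differs: suspect {s_hops} hops, claimed source {p_hops} hops"
    return True, f"both {s_init}-class at about {p_hops} hops"


# Constructed observations, not real captures.
GENUINE = despoof_verdict(suspect_ttl=116, probe_reply_ttl=117)        # 128-12 vs 128-11 hops
SPOOFED_CLASS = despoof_verdict(suspect_ttl=52, probe_reply_ttl=116)   # 64-class vs 128-class
SPOOFED_HOPS = despoof_verdict(suspect_ttl=116, probe_reply_ttl=98)    # 12 hops vs 30 hops

if __name__ == "__main__":
    for name, verdict in (("genuine", GENUINE), ("class mismatch", SPOOFED_CLASS),
                          ("hop mismatch", SPOOFED_HOPS)):
        print(f"{name:15s} consistent={verdict[0]!s:5s} {verdict[1]}")
```

Two caveats a practitioner should keep in mind: an attacker who knows the target's distance can forge a plausible TTL, and the probe itself is outbound traffic to a possibly innocent third party. A completed three-way handshake, as the slide says, remains stronger evidence than any TTL arithmetic.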
Description of Attack
• Common Vulnerabilities and Exposures (CVE)
– http://cve.mitre.org
– One of the most important standards efforts for intrusion detection and information security in general
– For example: TCP SYN flood, ADM buffer overflow against DNS, etc.
SYN Flood
• Denial of service in which an attacker sends many SYN packets to open multiple connections without ever sending the final ACK that completes them, aka SYN flood
– CVE-1999-0116
– Keeping track of each half-open connection takes up resources: once the server's queue of half-open connections is full, SYNs from legitimate clients are dropped
Attack Mechanism
• Is this a stimulus or a response?
– RFCs are the standards documents
– Unfortunately, different implementations of TCP/IP react differently to deliberate violations of RFC standards
• What service is being targeted?
• Does the service have known vulnerabilities or exposures?
• Is this benign, an exploit, DoS, or reconnaissance?
Expected Stimulus-Response
• Destination host listens on requested port
– Stimulus: SYN to the port
– Response: SYN+ACK from the host
• Destination host not listening on requested port
– Stimulus: SYN to the port
– Response: RST (with ACK) from the host
• Destination host does not exist
– Stimulus: SYN to the host
– Response: typically ICMP host unreachable from the last router, or nothing at all when the router cannot resolve the address and does not say so
• Destination port blocked
– Stimulus: SYN to the port
– Response: typically ICMP destination unreachable, administratively prohibited, from the filtering router
• Destination port blocked, router does not respond
– Stimulus: SYN to the port
– Response: none; the packet is silently dropped, which from the sender's side looks the same as a dead host
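The stimulus-response scenarios above and the half-open connections of the SYN flood slide are two readings of the same trace, so one added Python example covers both (written for this page; it is not code from the slides, from tcpdump or from Snort). It parses constructed tcpdump-style lines in the slides' old flag notation, pairs each SYN with whatever answered it and names the scenario, then counts SYN+ACKs the client never completed. The trace format is a simplified version of tcpdump's output, and every address, port, timestamp and the flood threshold are assumptions.

```python
import re
from collections import Counter

# Constructed, simplified tcpdump-style trace (not a real capture). Old notation: "S" SYN, "R" RST,
# "." none of S/F/R/P, "ack N" appended when ACK is set. 10.0.0.5 is the monitored host probing
# 192.168.1.x, 192.168.1.1 is the router, 10.0.0.7-9 are assumed flood sources.
TRACE = """\
10:00:01.000 10.0.0.5.40000 > 192.168.1.10.80: S 1000:1000(0)
10:00:01.010 192.168.1.10.80 > 10.0.0.5.40000: S 5000:5000(0) ack 1001
10:00:01.020 10.0.0.5.40000 > 192.168.1.10.80: . ack 5001
10:00:02.000 10.0.0.5.40001 > 192.168.1.10.23: S 2000:2000(0)
10:00:02.010 192.168.1.10.23 > 10.0.0.5.40001: R 0:0(0) ack 2001
10:00:03.000 10.0.0.5.40002 > 192.168.1.99.80: S 3000:3000(0)
10:00:03.050 192.168.1.1 > 10.0.0.5: icmp: host 192.168.1.99 unreachable
10:00:04.000 10.0.0.5.40003 > 192.168.1.10.135: S 4000:4000(0)
10:00:04.050 192.168.1.1 > 10.0.0.5: icmp: 192.168.1.10 tcp port 135 unreachable - admin prohibited
10:00:05.000 10.0.0.5.40004 > 192.168.1.10.445: S 5000:5000(0)
10:00:06.000 10.0.0.7.1025 > 192.168.1.10.80: S 7000:7000(0)
10:00:06.010 192.168.1.10.80 > 10.0.0.7.1025: S 8000:8000(0) ack 7001
10:00:06.100 10.0.0.8.1026 > 192.168.1.10.80: S 7100:7100(0)
10:00:06.110 192.168.1.10.80 > 10.0.0.8.1026: S 8100:8100(0) ack 7101
10:00:06.200 10.0.0.9.1027 > 192.168.1.10.80: S 7200:7200(0)
10:00:06.210 192.168.1.10.80 > 10.0.0.9.1027: S 8200:8200(0) ack 7201
"""

IP = r"\d+(?:\.\d+){3}"
TCP_RE = re.compile(rf"^\S+ (?P<src>{IP})\.(?P<sport>\d+) > (?P<dst>{IP})\.(?P<dport>\d+): "
                    rf"(?P<flags>[SFRP.]+)(?: \d+:\d+\(\d+\))?(?: ack (?P<ack>\d+))?")
ICMP_RE = re.compile(rf"^\S+ (?P<src>{IP}) > (?P<dst>{IP}): icmp: (?P<body>.*)$")
ICMP_PORT_RE = re.compile(rf"(?P<host>{IP}) tcp port (?P<port>\d+) unreachable(?P<admin> - admin prohibited)?")
ICMP_HOST_RE = re.compile(rf"host (?P<host>{IP}) unreachable")


def parse_trace(text: str) -> list:
    """One record per line; anything the two patterns do not cover raises rather than being skipped."""
    records = []
    for line in text.splitlines():
        if m := TCP_RE.match(line):
            flags = (set(m["flags"]) - {"."}) | ({"ack"} if m["ack"] else set())
            records.append({"proto": "tcp", "src": m["src"], "sport": int(m["sport"]),
                            "dst": m["dst"], "dport": int(m["dport"]), "flags": flags})
        elif m := ICMP_RE.match(line):
            rec = {"proto": "icmp", "src": m["src"], "dst": m["dst"],
                   "about_host": None, "about_port": None, "admin": False}
            if p := ICMP_PORT_RE.search(m["body"]):
                rec.update(about_host=p["host"], about_port=int(p["port"]), admin=bool(p["admin"]))
            elif h := ICMP_HOST_RE.search(m["body"]):
                rec["about_host"] = h["host"]
            records.append(rec)
        else:
            raise ValueError(f"unparsed line: {line!r}")
    return records


def reverse_of(stim: dict, resp: dict) -> bool:
    """True when resp travels the reverse 4-tuple of stim."""
    return (resp["src"], resp["sport"], resp["dst"], resp["dport"]) == \
           (stim["dst"], stim["dport"], stim["src"], stim["sport"])


def classify_stimuli(records: list) -> dict:
    """Pair each SYN (stimulus) with the first thing that answers it and name the slide's scenario."""
    results = {}
    for i, stim in enumerate(records):
        if stim["proto"] != "tcp" or stim["flags"] != {"S"}:
            continue
        label = "no response: port blocked and router silent, or host down"
        for resp in records[i + 1:]:
            if resp["proto"] == "tcp" and reverse_of(stim, resp):
                if {"S", "ack"} <= resp["flags"]:
                    label = "listening: SYN/ACK"
                elif "R" in resp["flags"]:
                    label = "not listening: RST"
                break
            if resp["proto"] == "icmp" and resp["dst"] == stim["src"] and resp["about_host"] == stim["dst"]:
                if resp["about_port"] is None:
                    label = f"host does not exist: ICMP host unreachable from {resp['src']}"
                elif resp["about_port"] == stim["dport"]:
                    kind = "admin prohibited" if resp["admin"] else "port unreachable"
                    label = f"port blocked: ICMP {kind} from {resp['src']}"
                else:
                    continue            # ICMP about some other port: keep looking
                break
        results[(stim["src"], stim["sport"], stim["dst"], stim["dport"])] = label
    return results


def half_open_connections(records: list) -> Counter:
    """Per server socket, count SYN/ACKs the client never completed with its bare ACK."""
    counts = Counter()
    for i, synack in enumerate(records):
        if synack["proto"] != "tcp" or not {"S", "ack"} <= synack["flags"]:
            continue
        completed = any(c["proto"] == "tcp" and c["flags"] == {"ack"} and reverse_of(synack, c)
                        for c in records[i + 1:])
        if not completed:
            counts[(synack["src"], synack["sport"])] += 1
    return counts


def syn_flood_suspects(records: list, threshold: int = 3) -> list:
    """Server sockets at or above the half-open threshold (3 is an assumed, deliberately low value)."""
    return [sock for sock, n in half_open_connections(records).items() if n >= threshold]


if __name__ == "__main__":
    recs = parse_trace(TRACE)
    for key, label in classify_stimuli(recs).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {label}")
    print("SYN flood suspects:", syn_flood_suspects(recs))
```

The connection from port 40000 completes, so it is not counted as half-open; the three SYN+ACKs to 10.0.0.7, .8 and .9 are never acknowledged and push 192.168.1.10:80 over the threshold. On a real trace the threshold has to be set against normal load and a time window, and the "no response" label only means nothing arrived before the capture ended.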
Protocol Benders
• FTP
– Session negotiation on the control connection (port 21)
– Dir command issued by the user: the listing travels over a separate data connection (from server port 20 back to the client in active mode, or to a server-chosen port in passive mode), so one legitimate session produces a second connection that looks unrelated in the log
Abnormal Stimuli
• Evasion stimulus, lack of response
• No stimulus, all response
– Suppose there was no outbound traffic, yet SYN+ACKs, RSTs or ICMP unreachables arrive; the usual reading is that your address was forged as the source of someone else's traffic and you are seeing the backscatter