Reading Log Files
Segment Format
TCP header (32-bit words; the figure marks bit offsets 0, 4, 10, 16 and 31):
  word 0: SrcPort (bits 0-15) | DstPort (bits 16-31)
  word 1: SequenceNum
  word 2: Acknowledgment
  word 3: HdrLen (bits 0-3) | 0, reserved (bits 4-9) | Flags (bits 10-15) | AdvertisedWindow (bits 16-31)
  word 4: Checksum (bits 0-15) | UrgPtr (bits 16-31)
  then:   Options (variable), followed by Data
Figure after http://www.networksorcery.com/enp/protocol/tcp.htm
Datagram Header
• Three key fields
  – Source IP address
  – Destination IP address
  – Type (contents): the Protocol field, which names the transport protocol carried in the payload (TCP, UDP, ICMP, ...)
TCP Flags
• TCP packets have one-bit flags
• Flags are used to specify the meaning of the packet. The letters below are the ones tcpdump prints for them:
  – SYN (Start of connection): S
  – ACK (Acknowledge): ack
  – FIN ("FINish" or French for "end"): F
  – RESET: R
  – PUSH: P
  – URGENT: urg
Connection Establishment
Active participant (client)                          Passive participant (server)
  1. SYN, SequenceNum = x                        -->
                                                 <-- 2. SYN+ACK, SequenceNum = y, Acknowledgment = x+1
  3. ACK, Acknowledgment = y+1                   -->
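The exchange above with both participants modelled, as an added example that is not from the slides: each side checks the acknowledgment arithmetic (x+1, y+1), and the server keeps one half-open table entry per SYN until step 3 arrives, the state a SYN flood later exhausts. Addresses and the seeded random sequence numbers are constructed for the demonstration.

```python
"""Three-way handshake with both endpoints modelled explicitly.

Added example, not from the slides. x and y come from a seeded generator so
the run is reproducible; a real stack picks them unpredictably, which is what
makes the final ACK hard to forge from a spoofed address.
"""
import random
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10
MASK = 0xFFFFFFFF   # sequence numbers wrap at 2^32


@dataclass
class Segment:
    src: str
    dst: str
    flags: int
    seq: int
    ack: int = 0

    def __str__(self):
        names = [n for n, b in (("SYN", SYN), ("ACK", ACK)) if self.flags & b]
        return (f"{self.src} > {self.dst}: {'+'.join(names)} "
                f"SequenceNum={self.seq} Acknowledgment={self.ack}")


@dataclass
class Server:
    """Passive participant: one half-open entry per client until its ACK lands."""
    addr: str
    rng: random.Random
    half_open: dict = field(default_factory=dict)   # client addr -> (x, y)
    established: set = field(default_factory=set)

    def receive(self, seg: Segment):
        if seg.flags == SYN:                                  # step 1
            y = self.rng.getrandbits(32)
            self.half_open[seg.src] = (seg.seq, y)
            return Segment(self.addr, seg.src, SYN | ACK, seq=y, ack=(seg.seq + 1) & MASK)
        if seg.flags == ACK and seg.src in self.half_open:    # step 3
            _, y = self.half_open[seg.src]
            if seg.ack != (y + 1) & MASK:
                return None       # wrong guess of y: entry stays half-open, nothing sent
            del self.half_open[seg.src]
            self.established.add(seg.src)
        return None


@dataclass
class Client:
    """Active participant."""
    addr: str
    rng: random.Random
    x: int = 0

    def connect(self, server_addr: str) -> Segment:
        self.x = self.rng.getrandbits(32)
        return Segment(self.addr, server_addr, SYN, seq=self.x)

    def receive(self, seg: Segment):
        if seg.flags == SYN | ACK and seg.ack == (self.x + 1) & MASK:
            return Segment(self.addr, seg.src, ACK, seq=seg.ack, ack=(seg.seq + 1) & MASK)
        return None               # stale or forged SYN+ACK: ignore it


def handshake(client: Client, server: Server, complete: bool = True):
    """Run the exchange and return the segments sent; complete=False withholds step 3."""
    trace = []
    syn = client.connect(server.addr)
    trace.append(syn)
    syn_ack = server.receive(syn)
    trace.append(syn_ack)
    if complete:
        ack = client.receive(syn_ack)
        trace.append(ack)
        server.receive(ack)
    return trace


if __name__ == "__main__":
    rng = random.Random(1)
    srv = Server("10.0.0.2", rng)
    for seg in handshake(Client("10.0.0.1", rng), srv):
        print(seg)
    print("established:", srv.established, "half-open:", list(srv.half_open))
    handshake(Client("10.0.0.3", rng), srv, complete=False)
    print("after an unfinished handshake, half-open:", list(srv.half_open))
```

Run it and compare the printed segments with a real tcpdump of a connection: the same three lines appear, and the half-open entry left by the unfinished handshake is exactly what a trace full of SYN / SYN+ACK pairs with no third packet looks like on the server side.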
Sequence of Messages – TCP Flow Control
TCPDump
TCPdump – Absolute and Relative Sequence Numbers
• By default tcpdump prints the initial sequence numbers in the SYN and SYN+ACK as absolute values and every later sequence and acknowledgment number relative to them; the -S option forces absolute numbers throughout
TCPdump Trace
• 3-Way Handshake
• Data Transfer
• Connection Termination
• ACK Scan
Snort
Introduction to Practicals
• Network or system log trace of an event of interest on which the practical is based
• Source of the detect
  – e.g., snort
• Probability that the source address was spoofed
• Description of the attack
• Attack mechanism
• Correlations
• Evidence of active targeting
• Severity
• Defensive recommendation
• Multiple-choice question
• The traffic was logged because it violated the security policy
• The network or system trace
  – False positives
  – False negatives
  – False interpretations
One Trace Example
P. 21 of the textbook
Probability the source address was spoofed
• Probably spoofed
  – DoS attacks: Smurf, ICMP broadcast, etc. (the attacker never needs to see the reply)
• Probably not spoofed
  – Anything that needs the TCP three-way handshake to complete before the attack can proceed
• Combination of both aspects
• Despoof: checking TTL to determine whether a received packet is spoofed or not
  – http://packetstormsecurity.org/advisories/bindview/
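The TTL check in the spirit of Despoof, as an added example that is neither the slides' nor BindView's code. Despoof probes the claimed source and compares the hop count implied by the reply's TTL with the hop count implied by the suspect packet; here the probe replies are constructed (no network I/O), and the table of initial TTL defaults used to infer hop counts is an assumption of this model, not something a packet can prove.

```python
"""TTL-based spoof check in the spirit of Despoof (BindView).

Added example, not the Despoof tool. Probe replies are constructed for the
demonstration. INITIAL_TTLS is an assumed list of common stack defaults; the
hop count is guessed as (smallest default >= observed TTL) - observed TTL.
"""
from dataclasses import dataclass

INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed: int) -> int:
    """Smallest common default that is >= the observed TTL (a packet cannot gain TTL in flight)."""
    if not 0 < observed <= 255:
        raise ValueError("TTL must be 1..255")
    return next(t for t in INITIAL_TTLS if t >= observed)


def hop_count(observed: int) -> int:
    return guess_initial_ttl(observed) - observed


@dataclass
class Verdict:
    src: str
    packet_hops: int
    probe_hops: int
    spoofed: bool
    reason: str


def despoof(src: str, packet_ttl: int, probe_reply_ttl, tolerance: int = 1) -> Verdict:
    """Compare the hop count implied by the suspect packet with the one implied by a probe reply.

    probe_reply_ttl is None when the claimed source did not answer the probe at all.
    tolerance absorbs small forward/return path differences (asymmetric routing).
    """
    p_hops = hop_count(packet_ttl)
    if probe_reply_ttl is None:
        return Verdict(src, p_hops, -1, True, "claimed source does not answer probes")
    r_hops = hop_count(probe_reply_ttl)
    if abs(p_hops - r_hops) > tolerance:
        return Verdict(src, p_hops, r_hops, True,
                       f"packet is {p_hops} hops away but the real host is {r_hops}")
    return Verdict(src, p_hops, r_hops, False, "hop counts agree")


# Constructed cases: (claimed source, TTL seen on the suspect packet, TTL of the probe reply)
CASES = [
    ("192.0.2.10", 52, 53),       # 12 hops vs 11 hops: consistent
    ("198.51.100.9", 118, 241),   # claims to be 10 hops away, the real host is 14
    ("203.0.113.77", 249, None),  # nobody answers at the claimed source
]


def run_cases(cases=CASES):
    return [despoof(s, t, r) for s, t, r in cases]


if __name__ == "__main__":
    for v in run_cases():
        print(f"{v.src:14} packet {v.packet_hops:2} hops, probe {v.probe_hops:2} hops -> "
              f"{'SPOOFED' if v.spoofed else 'ok'} ({v.reason})")
```

Two caveats a practitioner should keep in mind: the heuristic only works while the initial TTL guess is right (a host configured with an unusual default defeats it), and a silent claimed source proves nothing by itself, since a firewall that drops the probe looks identical to an address nobody owns.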
Description of Attack
• Common Vulnerabilities and Exposures (CVE)
  – http://cve.mitre.org
  – One of the most important standards efforts for intrusion detection and information security in general
  – For example: TCP SYN flood, ADM buffer overflow against DNS, etc.

SYN Flood
• Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood.
  – CVE-1999-0116
  – Keeping track of each half-open connection takes up resources
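An added example, not from the slides or from tcpdump, that reads a small tcpdump trace and performs the three checks the TCPdump Trace slides and the SYN flood description call for: rewriting absolute sequence numbers as the relative ones tcpdump shows without -S, spotting an ACK scan (an ACK with no preceding handshake answered by a RST), and counting half-open connections per server as the SYN flood indicator. The trace is constructed by hand in the shape of "tcpdump -n -S" output using RFC 5737 documentation addresses, and the half-open threshold of 2 is an assumption chosen for this tiny sample.

```python
"""Read a tcpdump -n -S trace: relative sequence numbers, ACK scans, half-open counts.

Added example, not from the slides or from tcpdump itself. TRACE is constructed
by hand (RFC 5737 addresses); nothing in it was captured.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
)

TRACE = """\
13:02:11.000001 IP 192.0.2.10.40123 > 198.51.100.7.80: Flags [S], seq 2995214542, win 29200, length 0
13:02:11.000150 IP 198.51.100.7.80 > 192.0.2.10.40123: Flags [S.], seq 1742816700, ack 2995214543, win 28960, length 0
13:02:11.000300 IP 192.0.2.10.40123 > 198.51.100.7.80: Flags [.], ack 1742816701, win 229, length 0
13:02:11.000450 IP 192.0.2.10.40123 > 198.51.100.7.80: Flags [P.], seq 2995214543:2995214561, ack 1742816701, win 229, length 18
13:02:11.000600 IP 198.51.100.7.80 > 192.0.2.10.40123: Flags [.], ack 2995214561, win 227, length 0
13:02:12.000001 IP 203.0.113.5.55000 > 198.51.100.7.22: Flags [.], ack 3158395512, win 1024, length 0
13:02:12.000100 IP 198.51.100.7.22 > 203.0.113.5.55000: Flags [R], seq 3158395512, win 0, length 0
13:02:13.000001 IP 203.0.113.20.1025 > 198.51.100.7.80: Flags [S], seq 10000, win 512, length 0
13:02:13.000050 IP 198.51.100.7.80 > 203.0.113.20.1025: Flags [S.], seq 20000, ack 10001, win 28960, length 0
13:02:13.000101 IP 203.0.113.21.1025 > 198.51.100.7.80: Flags [S], seq 10000, win 512, length 0
13:02:13.000150 IP 198.51.100.7.80 > 203.0.113.21.1025: Flags [S.], seq 20001, ack 10001, win 28960, length 0
13:02:13.000201 IP 203.0.113.22.1025 > 198.51.100.7.80: Flags [S], seq 10000, win 512, length 0
13:02:13.000250 IP 198.51.100.7.80 > 203.0.113.22.1025: Flags [S.], seq 20002, ack 10001, win 28960, length 0
""".splitlines()


def parse_line(line):
    """Fields of one tcpdump TCP line, or None for a line of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "seq", "seq_end", "ack"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


class TraceReader:
    def __init__(self, half_open_limit=2):
        self.conns = {}             # frozenset of both endpoints -> per-connection state
        self.ack_scans = []         # (scanner, target, port)
        self.half_open_limit = half_open_limit   # assumed threshold for the sample

    def feed(self, line):
        p = parse_line(line)
        if p is None:
            return None
        sender, receiver = (p["src"], p["sport"]), (p["dst"], p["dport"])
        c = self.conns.setdefault(frozenset({sender, receiver}),
                                  {"isn": {}, "state": "none", "server": None})
        f = p["flags"]
        if "S" in f:                                 # SYN or SYN+ACK: remember this side's ISN
            c["isn"][sender] = p["seq"]
            if "." in f:
                c["state"] = "syn_received"          # server answered, waiting for the final ACK
            else:
                c["state"], c["server"] = "syn_sent", receiver
        elif "R" in f:
            if c["state"] == "unsolicited_ack":      # RST answering an ACK that had no handshake
                self.ack_scans.append((p["dst"], p["src"], p["sport"]))
            c["state"] = "reset"
        elif "." in f and c["state"] == "syn_received":
            c["state"] = "established"               # third packet of the handshake
        elif "." in f and c["state"] == "none":
            c["state"] = "unsolicited_ack"           # ACK out of the blue: ACK scan candidate
        return self.render(p, c)

    @staticmethod
    def render(p, c):
        """seq/ack as tcpdump prints them without -S: absolute on SYNs, relative to the ISN after."""
        sender, receiver = (p["src"], p["sport"]), (p["dst"], p["dport"])
        relative = "S" not in p["flags"]
        seq_base = c["isn"].get(sender, 0) if relative else 0
        ack_base = c["isn"].get(receiver, 0) if relative else 0
        parts = [f"{p['src']}.{p['sport']} > {p['dst']}.{p['dport']}: Flags [{p['flags']}]"]
        if p["seq"] is not None:
            s = f"seq {p['seq'] - seq_base}"
            if p["seq_end"] is not None:
                s += f":{p['seq_end'] - seq_base}"
            parts.append(s)
        if p["ack"] is not None:
            parts.append(f"ack {p['ack'] - ack_base}")
        return ", ".join(parts)

    def half_open_by_server(self):
        """Connections stuck after SYN/SYN+ACK, counted per server socket."""
        return Counter(c["server"] for c in self.conns.values() if c["state"] == "syn_received")

    def syn_flood_suspects(self):
        return [s for s, n in self.half_open_by_server().items() if n >= self.half_open_limit]


def analyze(lines, half_open_limit=2):
    reader = TraceReader(half_open_limit)
    rendered = [r for r in (reader.feed(line) for line in lines) if r]
    return rendered, reader


if __name__ == "__main__":
    rendered, reader = analyze(TRACE)
    print("\n".join(rendered))
    print("ACK scans:", reader.ack_scans)
    print("half-open per server:", dict(reader.half_open_by_server()))
    print("SYN flood suspects:", reader.syn_flood_suspects())
```

On a real capture the half-open count must be evaluated per time window rather than over the whole file, and sources that never complete a handshake are exactly the ones whose addresses are probably spoofed, which ties this check back to the spoofing question above.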
Attack Mechanism
• Is this a stimulus or response?
  – RFCs are the standards documents
  – Unfortunately, different implementations of TCP/IP react differently to deliberate violations of RFC standards
• What service is being targeted?
• Does the service have known vulnerabilities or exposures?
• Is this benign, an exploit, DoS, or reconnaissance?
Expected Stimulus-Response
• Destination Host Listens on Requested Port
  – Stimulus: SYN to the port
  – Response: SYN+ACK from the host
• Destination Host not listening on Requested Port
  – Stimulus: SYN to the port
  – Response: RST (RST+ACK) from the host
• Destination Host Does not Exist
  – Stimulus: SYN to the port
  – Response: ICMP host unreachable from the last-hop router, or nothing at all if that router stays silent (on the local subnet the ARP request simply goes unanswered)
• Destination Port Blocked
  – Stimulus: SYN to the port
  – Response: ICMP destination unreachable, administratively prohibited, from the filtering router
• Destination Port Blocked, Router Does not Respond
  – Stimulus: SYN to the port
  – Response: none; the filter drops the packet silently, so the sender retransmits the SYN and eventually times out
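The five scenarios above as a stimulus-response pairing over a trace, as an added example not from the slides. Each SYN the prober sends is matched to its answer, either a TCP reply on the reversed 4-tuple or an ICMP error whose quoted header names the stimulated socket, and the pair is classified; the expected responses encoded here are the standard TCP (RFC 793) and ICMP (RFC 792, RFC 1812) behaviours, and the packet list is constructed by hand with RFC 5737 addresses.

```python
"""Pair each stimulus in a trace with its response and name the scenario.

Added example, not from the slides. PACKETS is a constructed trace; the
expected responses are the standard TCP and ICMP behaviours, and silence is
treated as the ambiguous case it is.
"""
from dataclasses import dataclass


@dataclass
class Pkt:
    t: float
    proto: str             # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""        # tcp: tcpdump letters, e.g. "S", "S.", "R."
    icmp: tuple = ()       # icmp: (type, code)
    quoted: tuple = ()     # icmp: (original dst, original dport) from the quoted IP/TCP header


def is_stimulus(p: Pkt, prober: str) -> bool:
    return p.proto == "tcp" and p.src == prober and "S" in p.flags and "." not in p.flags


def answers(stim: Pkt, p: Pkt) -> bool:
    """True if p is a reply to stim: TCP on the reversed 4-tuple, or an ICMP error quoting it."""
    if p.t < stim.t:
        return False
    if p.proto == "tcp":
        return (p.src, p.sport, p.dst, p.dport) == (stim.dst, stim.dport, stim.src, stim.sport)
    return p.proto == "icmp" and p.dst == stim.src and p.quoted == (stim.dst, stim.dport)


def classify(resp) -> str:
    if resp is None:
        return "no response: port blocked by a silent router, or the host is absent"
    if resp.proto == "tcp":
        if "S" in resp.flags and "." in resp.flags:
            return "SYN+ACK: destination host listens on the requested port"
        if "R" in resp.flags:
            return "RST: destination host is up but not listening on the requested port"
        return f"unexpected TCP reply with flags [{resp.flags}]"
    t, c = resp.icmp
    if (t, c) == (3, 1):
        return f"ICMP host unreachable from {resp.src}: destination host does not exist"
    if t == 3 and c in (9, 10, 13):
        return f"ICMP administratively prohibited from {resp.src}: destination port blocked"
    return f"unexpected ICMP type {t} code {c} from {resp.src}"


def pair_stimuli(packets, prober: str, window: float = 2.0):
    """For every SYN the prober sent, the first answer within `window` seconds (or None)."""
    results = []
    for stim in (p for p in packets if is_stimulus(p, prober)):
        resp = next((p for p in packets if answers(stim, p) and p.t - stim.t <= window), None)
        results.append((stim, resp, classify(resp)))
    return results


PROBER = "192.0.2.10"
PACKETS = [   # constructed, time-ordered
    Pkt(1.00, "tcp", PROBER, "198.51.100.7", 40001, 80, "S"),
    Pkt(1.01, "tcp", "198.51.100.7", PROBER, 80, 40001, "S."),
    Pkt(2.00, "tcp", PROBER, "198.51.100.7", 40002, 25, "S"),
    Pkt(2.01, "tcp", "198.51.100.7", PROBER, 25, 40002, "R."),
    Pkt(3.00, "tcp", PROBER, "198.51.100.200", 40003, 80, "S"),
    Pkt(3.02, "icmp", "198.51.100.1", PROBER, icmp=(3, 1), quoted=("198.51.100.200", 80)),
    Pkt(4.00, "tcp", PROBER, "198.51.100.8", 40004, 23, "S"),
    Pkt(4.01, "icmp", "198.51.100.1", PROBER, icmp=(3, 13), quoted=("198.51.100.8", 23)),
    Pkt(5.00, "tcp", PROBER, "198.51.100.9", 40005, 23, "S"),
]

if __name__ == "__main__":
    for stim, resp, verdict in pair_stimuli(PACKETS, PROBER):
        print(f"{stim.dst}:{stim.dport:<4} {verdict}")
```

The pairing by quoted header is the step people skip: an ICMP error carries the first bytes of the packet that triggered it, and without checking them an unrelated unreachable message from the same router gets attributed to the wrong probe. The last case shows why silence is the weakest evidence in the list: it matches two different scenarios.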
Protocol Benders
• FTP
  – Session Negotiations: the control connection (port 21) negotiates a separate data connection with PORT or PASV, so what looks like one session is really two
  – Dir command issued by the user: every directory listing opens a fresh data connection, which a trace or a stateless filter may not tie back to the control session
Abnormal Stimuli
• Evasion stimulus, Lack of Response
• No Stimulus, All Response
  – Suppose no outbound traffic