Reading Log Files - Lamar University


Reading Log Files
1
Segment Format
[TCP header figure; bit offsets 0, 4, 10, 16 and 31 marked across the top]
  SrcPort | DstPort
  SequenceNum
  Acknowledgment
  HdrLen | 0 | Flags | AdvertisedWindow
  Checksum | UrgPtr
  Options (variable)
  Data
http://www.networksorcery.com/enp/protocol/tcp.htm
2
Datagram Header
• Three key fields
– Source IP address
– Destination IP address
– Type (contents)
3
TCP Flags
• TCP packets have one-bit flags
• Flags are used to specify the meaning of the packet.
– SYN (Start of connection): S
– ACK (Acknowledge): ack
– FIN ("FINish" or French for "end"): F
– RESET: R
– PUSH: P
– URGENT: urg
Connection Establishment
[figure: message exchange between the active participant (client) and the passive participant (server)]
5
Sequence of Messages – TCP Flow Control
6
TCPDump
7
TCPdump – Absolute and Relative
Sequence Numbers
8
TCPdump Trace
• 3-Way Handshake
• Data Transfer
9
TCPdump Trace
• Connection Termination
10
TCPdump Trace
• ACK Scan
11
Snort
12
Snort
13
Introduction to Practicals
14
Introduction to Practicals
• Network or system log trace of an event of interest on which
the practical is based
• Source of the detect
– e.g., snort
• Probability that the source address was spoofed
• Description of the attack
• Attack mechanism
• Correlations
• Evidence of active targeting
• Severity
• Defensive recommendation
• Multiple-choice question
15
Introduction to Practicals
• The traffic was logged because it violated the
security policy
• The network or system trace
– False positives
– False negatives
– False interpretations
16
One Trace Example
P. 21 of the textbook
17
Probability the source address was spoofed
• Probably spoofed
– DoS attacks: Smurf, ICMP broadcast, etc.
• Probably not spoofed
– TCP packets are not spoofed if the three-way handshake is completed
• Combination of both aspects
• Despoof: checking TTL to determine whether a received
packet is spoofed or not
– http://packetstormsecurity.org/advisories/bindview/
18
Description of Attack
• Common Vulnerabilities and Exposures (CVE)
– http://cve.mitre.org
– One of the most important standards efforts for
intrusion detection and information security in
general
– For example: TCP SYN flood, ADM buffer
overflow against DNS, etc.
19
SYN Flood
• Denial of service when an attacker sends many
SYN packets to create multiple connections
without ever sending an ACK to complete the
connection, aka SYN flood.
– CVE-1999-0116
– Keeping track of each half-open connection takes
up resources
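As an added example (not from the slides or the course), the handshake and SYN-flood reasoning above applied to a constructed tcpdump-style trace: the script tracks each connection's three-way handshake state, counts half-open connections per source, and flags sources that keep sending SYNs without ever completing the handshake. The addresses, ports and trace lines are constructed; the flag notation assumed is the older tcpdump style used on these slides (S, ack, F, R, P, urg).

```python
import re
from collections import defaultdict
# Constructed sample trace (not from the slides) in the older tcpdump flag
# notation (S = SYN, ack, F, R, P, urg). 10.0.0.5 completes a handshake;
# 10.0.0.9 opens several connections but never sends the final ACK.
SAMPLE_TRACE = """\
10:00:01.000 IP 10.0.0.5.40001 > 192.168.1.10.80: S 100:100(0) win 65535
10:00:01.001 IP 192.168.1.10.80 > 10.0.0.5.40001: S 500:500(0) ack 101 win 29200
10:00:01.002 IP 10.0.0.5.40001 > 192.168.1.10.80: . ack 501 win 65535
10:00:02.000 IP 10.0.0.9.50001 > 192.168.1.10.80: S 1:1(0) win 1024
10:00:02.000 IP 192.168.1.10.80 > 10.0.0.9.50001: S 900:900(0) ack 2 win 29200
10:00:02.001 IP 10.0.0.9.50002 > 192.168.1.10.80: S 1:1(0) win 1024
10:00:02.001 IP 192.168.1.10.80 > 10.0.0.9.50002: S 901:901(0) ack 2 win 29200
10:00:02.002 IP 10.0.0.9.50003 > 192.168.1.10.80: S 1:1(0) win 1024
"""
# timestamp [IP] src.port > dst.port: flags rest-of-line
LINE_RE = re.compile(r"^\S+ (?:IP )?(\S+)\.(\d+) > (\S+)\.(\d+): (\S+) (.*)$")

def handshake_states(trace):
    """Map (client_ip, client_port, server_ip, server_port) to the last
    handshake state seen: SYN_SENT, SYN_RECEIVED or ESTABLISHED."""
    states = {}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags, rest = m.groups()
        has_ack = " ack " in f" {rest} "
        if "S" in flags and not has_ack:      # SYN: client starts a connection
            states[(src, sport, dst, dport)] = "SYN_SENT"
        elif "S" in flags:                     # SYN/ACK: server replied, half-open
            key = (dst, dport, src, sport)
            if states.get(key) == "SYN_SENT":
                states[key] = "SYN_RECEIVED"
        elif flags == "." and has_ack:        # final ACK completes the handshake
            key = (src, sport, dst, dport)
            if states.get(key) == "SYN_RECEIVED":
                states[key] = "ESTABLISHED"
    return states

def half_open_by_source(trace):
    """Count connections per source IP that never reached ESTABLISHED."""
    counts = defaultdict(int)
    for (client_ip, _, _, _), state in handshake_states(trace).items():
        if state != "ESTABLISHED":
            counts[client_ip] += 1
    return dict(counts)

def syn_flood_suspects(trace, threshold=3):
    """Sources with at least `threshold` half-open connections."""
    return sorted(ip for ip, n in half_open_by_source(trace).items() if n >= threshold)
```

A source that appears only in ESTABLISHED entries completed the handshake, which is the slides' argument that its address is probably not spoofed.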
Attack Mechanism
• Is this a stimulus or response?
– RFCs are the standards documents
– Unfortunately, different implementations of TCP/IP react
differently to deliberate violations of RFC standards
• What service is being targeted?
• Does the service have known vulnerabilities or
exposures?
• Is this benign, an exploit, DoS, or reconnaissance?
21
Expected Stimulus-Response
• Destination Host Listens on Requested Port
– Stimulus
– Response
22
Expected Stimulus-Response
• Destination Host not listening on Requested Port
– Stimulus
– Response
23
Expected Stimulus-Response
• Destination Host Does not Exist
– Stimulus
– Response
24
Expected Stimulus-Response
• Destination Port Blocked
– Stimulus
– Response
25
Expected Stimulus-Response
• Destination Port Blocked, Router Does not Respond
– Stimulus
– Response
26
Protocol Benders
• FTP
– Session Negotiations
– Dir command issued by the user
27
Abnormal Stimuli
• Evasion stimulus, Lack of Response
28
Abnormal Stimuli
• No Stimulus, All Response
– Suppose there is no outbound traffic
29