Thursday, 28 February 2013

Introduction To Snort

A First Look at Snort
Aphyr Lee
aphyr@www.elites.org 2004.11.20

Outline
How IDSs detect intrusions
Snort's inner workings
Playing by the rules
Conclusion

How IDSs detect intrusions (1/6)
Any way they can
Magic trick for BackOrifice
Magic string: *!*QWTY?
Random generator: ((holdrand = holdrand * 214013L + 2531011L) >> 16) & 0x7fff
Brute-force decryption

Snort - spp_bo.c/spp_bo.h preprocessor

Pattern-match
Searching network traffic for distinctive patterns
alert tcp any any -> any any (msg: "RPC EXPLOIT statdx"; content: "/bin|c74604|sh"; sid: 600;)
alert tcp any any -> any any (msg: "RPC EXPLOIT statdx"; content: "/bin/|c74604|sh"; sid: 1281;)

Snort – sp_pattern_match detection-plugins

Ref: How ISS RealSecure Network Sensor 7.0 Detects Intrusions

How IDSs detect intrusions (2/6)
Reassembly
Data may span more than one packet
Snort: IP defragmentation: spp_frag2 preprocessor; TCP reassembly: spp_stream4 preprocessor

TCP connection state
Whether the data comes from the client or from the server
alert tcp any any -> any 21 (msg: "FTP CWD ~root"; content: "CWD ~root"; sid:336; flow: to_server;)
alert tcp any 21 -> any any (msg: "FTP bad login"; content: "530"; flow: from_server;)

Snort
spp_stream4 preprocessor; sp_clientserver detection-plugins

How IDSs detect intrusions (3/6)
Protocol-decodes (Protocol-analysis)
Break a packet down into its individual fields
alert icmp any any -> any any (msg: "ICMP PING NMAP"; dsize:0; itype:8; sid:469;)

Snort
IP, TCP, UDP, ICMP decoders; detection plugins: sp_icmp_code_check, sp_icmp_id_check, sp_icmp_seq_check, sp_icmp_type_check ...

Application-layer preprocessors/normalizers
Create some sort of "common" form
Evading rule-1:
alert tcp any any -> any 21 (msg: "FTP CWD ~root"; content: "CWD ~root"; sid:336; flow: to_server;)
CWD...
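To make the three detection methods on these slides concrete (content pattern match with pipe-delimited hex, the flow direction check, and dsize/itype checks on decoded ICMP fields), here is an added toy matcher that is not Snort's code and not from the original slides; it parses the rules quoted above and evaluates them against constructed packet dicts (addresses, ports and payloads are made-up sample values).

```python
import re
RULE_RE = re.compile(r"^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def parse_content(spec):
    # Text between a pair of pipes is hex, the rest literal: "/bin|c74604|sh" -> b"/bin\xc7\x46\x04sh"
    return b"".join(bytes.fromhex(p.replace(" ", "")) if i % 2 else p.encode()
                    for i, p in enumerate(spec.split("|")))

def parse_rule(text):
    # Header fields plus an option dictionary; only "alert" rules are handled.
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    proto, src, sport, dst, dport, body = m.groups()
    opts = {}
    for opt in filter(str.strip, body.split(";")):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return {"proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def matches(rule, pkt):
    # pkt is a decoded packet as a plain dict, i.e. what decoder and preprocessors hand on.
    if rule["proto"] != pkt["proto"]:
        return False
    for field in ("src", "sport", "dst", "dport"):      # "any" is a wildcard
        if rule[field] != "any" and str(pkt[field]) != rule[field]:
            return False
    o = rule["opts"]
    if "content" in o and parse_content(o["content"]) not in pkt["payload"]:
        return False                                    # pattern match
    if "flow" in o and o["flow"] != pkt.get("flow"):
        return False                                    # client/server direction
    if "dsize" in o and int(o["dsize"]) != len(pkt["payload"]):
        return False                                    # decoded-field checks
    if "itype" in o and int(o["itype"]) != pkt.get("itype"):
        return False
    return True

def alerts(rules, pkt):
    return [r["opts"]["msg"] for r in map(parse_rule, rules) if matches(r, pkt)]

RULES = [   # the three rules from the slides, with plain quotes
    'alert tcp any any -> any any (msg:"RPC EXPLOIT statdx"; content:"/bin|c74604|sh"; sid:600;)',
    'alert tcp any any -> any 21 (msg:"FTP CWD ~root"; content:"CWD ~root"; sid:336; flow:to_server;)',
    'alert icmp any any -> any any (msg:"ICMP PING NMAP"; dsize:0; itype:8; sid:469;)',
]
CWD = {"proto": "tcp", "src": "10.0.0.9", "sport": 4321, "dst": "10.0.0.2", "dport": 21,
       "payload": b"CWD ~root\r\n", "flow": "to_server"}   # constructed sample packet
print(alerts(RULES, CWD))   # ['FTP CWD ~root']
```

The same CWD payload seen in the server-to-client direction fires nothing, which is the point of the flow option: without stream4's direction tracking a pure content match would alert on both.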