MONITORING AND BEHAVIOR ANALYSIS OF NETWORK SECURITY SYSTEMS
NIDS Snort
THESIS ABSTRACT
GRADUATE INSTITUTE OF INFORMATION MANAGEMENT
NATIONAL TAIWAN UNIVERSITY
NAME: SHEN, WEN-CHU
Contents
THESIS ABSTRACT
1
2.1.1 DoS 3
2.1.2 DDoS 3
IP (IP Spoofing) 6
Smurf 8
(TCP SYN Flood) 10
Trin00 15
DDoS 21
2.6.1 ICMP 21
2.6.2 TFN 21
2.6.3 stacheldraht 22
2.6.4 TFN2K 23
2.6.5 DDoS 24
DDoS 25
IDS Snort 28
3.2.1 Snort Rules 29
3.2.3 Rule Tree 33
3.2.4 (Preprocessors) 34
3.2.5 (Variables) 34
3.2.6 35
3.2.7 Snort log 35
IP 37
rules 39
IP 39
Snort Log 45
Snort 47
ICMP TYPE and VALUE 65
Snort Rule 68
IP 75

Figures
2-1 DDoS 4
2-2 DDoS -- 5
2-3 DDoS -- 5
2-4 DDoS -- 6
2-5 ICMP ECHO REQUEST/REPLY 8
2-6 ICMP ECHO REQUEST/REPLY (Spoofing IP) 9
2-7 ICMP BROADCAST 9
2-8 Smurf Attack 10
2-9 TCP Three-Way Handshake 11
2-10 13
2-11 semi-transparent gateway 14
2-12 synckill finite state machine 15
3-1 Host-based IDS 26
3-2 IDS 27
3-3 Network-based IDS 27
3-2 Snort 29
3-3 TCP 31
3-4 Snort rule tree 34
3-5 SnortSnarf 36
4-1 BAD IP finite state 40
4-2 44
5-1 2000/05~2001/05 45
5-2 46
5-3 46
5-4 4/09-4/15 46
5-5 4/16-4/22 46
5-6 4/23-4/29 46
5-7 5/01-5/08 47
5-8 5/09-5/16 47
5-9 5/17-5/23 47
5-10 5/24-5/30 47
5-11 rule 48
5-12 rule 48
5-13 rule 48
5-14 IP 49
5-15 IP 49

Tables
2-1 DDoS 24
4-1 42
4-2 42
5-1 Snort 55
5-2 59
scalability
(powerful)
(server cluster)
(attacker) (hacker) (DoS)
2000 Yahoo amazon.com ebay.com CNN.com
E-trade Yankee Group
2001
.gov
DDoS( )
DDoS
DDoS DDoS
(rule-based)
IDS
(Intrusion Detection System) Snort
Snort IP
Snort
2.1.1 DoS
( )DoS
(Denial of Service)
( )
web (ftp server)
2.1.2 DDoS
( TANET MRTG )
(multi-tier)
2-1
IP
IP
IP (Traceback)
2-1 DDoS
Attacker:
Master:
Daemon:
Victim:
DDoS (Distributed Denial of Service)
( ) 2-2
2-2 DDoS --
( :[11])
2-3
2-3 DDoS --
( :[11])
2-4
2-4 DDoS --
( :[11])
IP (IP Spoofing)
DoS IP (IP Spoofing)
DoS IP Spoofing
IP
(Router)
IP
(Routing) IP IP
DoS IP Spoofing
(random) IP
IP Spoofing
SYN Flooding attack
IP IP
smurf
----------------------------------------------
Internet
IP IP
(backbone)
IP mobile ip
- IP Traceback [12] (mark)
Smurf
2-7 smurf
ICMP ECHO REQUEST
Broadcast Addresses
ICMP ECHO REPLY 2-8
smurf
- broadcast multicast router forwarding of IP directed broadcast
ICMP Echo Request broadcast address
[rfc2466]
socket sequence
window sizes
(Three-way Handshake 2-9
(Client Request (Server)
SYN
(Port
SYN+ACK
ISN
ISN + 1
establishment
timer) 75
TCP
TCP Three-way Handshake
SYN IP
SYN ACK
IP ACK
(half-opened connection)
DoS IP
IP SYN ACK
RST(RESET)
- :
half-opened connection timeout
half-opened connection queue
timeout round trip time time out
backlog half-opened
backlog
( )
(service ports)
- [13]
(cryptographic hash)
IP
ISN (secret key) Y
ISN ACK IP
ISN Y Y
Y+1, Backlog
- (relay) [13]
( ) three-way handshake
( ) three-way handshake
2-10
three-way handshake
SYN Flooding
2-10
three-way handshake
- (semi-transparent gateway) [3]
2-11
SYN ACK
ACK
ACK
three-way handshake backlog
ACK RST
SYN Flooding
ACK TCP
ACK
2-11 semi-transparent gateway
- Active Monitor[13]:
IP SYN ACK RST
IP finite state machine 2-12
IP SYN RST ACK
IP IP IP
: Active monitor
ACK RST
Trin00
Trin00 [4] (client-server)
Masters
(Daemons) Master (IP) Master
Daemon Daemon
(root administrator)
(backdoor) Trin00 daemon
master
(owned list)
root TCP port
(port) 1524
port 1524/tcp
trin.sh script Trin00 daemon
--------------------------------------------------------------------
./trin.sh | nc owned_host1_ip 1524 &
./trin.sh | nc owned_host2_ip 1524 &
./trin.sh | nc owned_host3_ip 1524 &
./trin.sh | nc owned_host4_ip 1524 &
./trin.sh | nc owned_host5_ip 1524 &
...
--------------------------------------------------------------------
trin.sh :
Master Master Daemon Daemon
UDP
Trin00
1. Master
- telnet 27665/TCP
- :betaalmostdone
- Master :gOrave
- Master Daemon 27444/UDP
: l44adsl (L)
: command l44adsl args
Daemon *HELLO* Master
( ) trinoo
Daemon *HELLO* Master
---------------------------------------------------
UDP Packet ID (from_IP.port-to_IP.port): daemon_ip.32656-master_ip.31335
45 E 00 . 00 . 23 # B1 . 5D ] 40 @ 00 . F8 . 11 . B9 . 27 . C0 . A8 . 00 . 01 .
0A . 00 . 00 . 01 . 80 . 6C l 7A z 67 g 00 . 0F . 06 . D4 . 2A * 48 H 45 E 4C L
4C L 4F O 2A *
----------------------------------------------------
Master png Daemon PONG
----------------------------------------------------
UDP Packet ID (from_IP.port-to_IP.port): master_ip.16778-daemon_ip.27444
45 E 00 . 00 . 27 ' 1A . AE . 00 . 00 . 40 @ 11 . 47 G D4 . 0A . 00 . 00 . 01 .
C0 . A8 . 00 . 01 . 04 . 00 . 6B k 34 4 00 . 13 . 2F / B7 . 70 p 6E n 67 g 20
6C l 34 4 34 4 61 a 64 d 73 s 6C l
-----------------------------------------------------
- Daemon Master 31335/UDP
- Trin00
( )
betaalmostdone:Master
gOrave:Master
l44adsl: Daemon
killme : Master mdie Daemon
Daemon Crontab root
crontab file
----------------------------------------------------------------------------------
* * * * /usr/sbin/rpc.listen
----------------------------------------------------------------------------------
Master -b
Daemon IP -b Daemon IP
IP Blowfish KEY
master.c
--------------------------------------------------------------------------------------------------
master.c KEY
/* crypt key encrypted with the key 'bored'(so hex edit cannot get key easily?)
1 root root
-rw------- 1 root root
# cat ...
JPbUc05Swk/0gMvui18BrFH/
# cat ...-b
aE5sK0PIFws0Y0EhH02fLVK.
JPbUc05Swk/0gMvui18BrFH/
------------------------------------------------------------------------------------------------------
:
- 27665/tcp Master
- 31335/udp Master
- 27444/udp Daemon
--------------------------------------------------------------------------------------------------------
netstat
# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp                  *:27665            *:*                LISTEN
...
udp                  *:31335            *:*
...
------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
Snort DDoS - Trin00 rules:
IP IP 27665 TCP TCP flag push ack "killme" Master mdie killme"
- alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"IDS187 - DDoS Trin00: Daemon to Master (PONG detected)"; content:"PONG";)
IP IP 31335 UDP
"PONG" Daemon PONG Master png
- alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"IDS185 - DDoS Trin00: Daemon to Master (*HELLO* detected)"; content:"*HELLO*";)
IP IP 31335 UDP
"*HELLO*" Daemon "*HELLO*" Master
- alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"IDS196 - DDoS Trin00: Attacker to Master default startup pass detected!"; flags:PA; content:"betaalmostdone";)
IP IP 27665 TCP TCP flag push ack "betaalmostdone"
Master
- alert udp !$HOME_NET any -> $HOME_NET 27444 (msg:"IDS197 - DDoS Trin00: Master to Daemon (default pass detected!)"; content:"l44adsl";)
IP IP 27444 UDP
"l44" Master "l44adsl"
--------------------------------------------------------------------------------------------------------
DDoS
2.6.1 ICMP
ICMP (ICMP Echo Reply Flood Attack)
IP ICMP Echo Request
ICMP Echo Reply
2.6.2 TFN
TFN (Tribe Flood Network) [5] Trin00
:
- : Attacker -> Client -> Daemon
Trinoo Attacker -> Master -> Daemon
- Master
Daemon
ICMP echo reply
ICMP
config.h
config.h :
----------------------------------------------------------------------------------------------------
#ifndef _CONFIG_H
#define CHLD_MAX 50
#define ID_ACK
#define ID_SWITCH
#define ID_SENDSYN
#define ID_SYNPORT
#define ID_ICMP
#define _CONFIG_H
#endif
-------------------------------------------------------------------------------------------------
ICMP header id 123 Daemon
Master reply,
pattern
- UDP
ICMP
TCP
smurf
2.6.3 stacheldraht
Stacheldraht [6] Trinoo TFN :
:Client->Handler->Agent Trinoo
Attacker->Master->Daemon
Master telnet TCP
Blowfish
Master Daemon TCP ICMP
Daemon rpc(514/tcp)
-> Master: 16660/tcp
Master->Daemon: 65000/tcp, ICMP_ECHOREPLY
->Master ( trinoo ): sicken()
TFN ICMP id
Daemon Master IP ICMP_ECHOREPLY ID 666
skillz Master ICMP_ECHOREPLY ID
667 skillz Stacheldraht
UDP TCP ICMP Smurf
2.6.4 TFN2K
TFN2K (Tribe Flood Network 2000) [2] TFN 2000
TFN :
-
: Attacker -> Master(Client) -> Agent(Daemon)
Trinoo Attacker -> Master -> Daemon
- Master Daemon key-based CAST-256
TCP UDP ICMP
key Master
- Daemon Master Master IP
Master 20 Daemon
Master
- +< >+< >
-
2.6.5 DDoS
2-1 DDoS
Tool          Structure                                   Attacker->Master   Master->Daemon   Encryption            Attacks
Trinoo        Attacker | Master | Daemon                  TCP                UDP              Blowfish (IP list)    UDP Flood
TFN           Attacker | Client | Daemon                                     ICMP                                   Smurf, SYN Flood, UDP Flood, ICMP Flood
Stacheldraht  Client | Handler | Agent                    TCP                TCP, ICMP        Blowfish              Smurf, SYN Flood, UDP Flood, ICMP Flood
TFN2K         Attacker | Master(Client) | Agent(Daemon)   TCP, UDP, ICMP     TCP, UDP, ICMP   Key-based CAST-256    Smurf, SYN Flood, UDP Flood, ICMP Flood
DDoS
DDoS
( )
DDoS
(Patch) IDS
IP Spoofing
IP
IDS(Intrusion Detection System) [1][9]
misuse abuse attack)
(security policy)
(Firewall) Firewall
(Access Control) (rules)
IDS
- (Host-based) IDS :
(Protocol Stack)
3-1
NIDS
NIDS
IDS 3-2
IDS
3-2 IDS
( rule )
Protocol Stack
3-3
NIDS
(attack signature/pattern)
IDS Snort
Snort[10] Martin Roesch
- lightweight
-
IP (logging)
-
-
libpcap c
Rule-based
Snort
Rule
-
-
(freeware)
- 3-2 Libpcap Berkeley Packet Filter
Rule base (pattern matching)
(log) (alert) (pass)
3-2 Snort
Rule
alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: SYN-FIN Scan;)
|-------------------- header -------------------||---------- options ----------|
Rule (header)
- (action)
alert syslog
log
pass
- (protocol)
TCP UDP ICMP
- IP
IP any
IP 140.112.8.164
CIDR 140.112.8/24
! IP !140.112.8/24
140.112.8.x
- (Port Numbers)
Port any
port 80,23
1:2048 port 1 port 2048
:1024 port 1024
512: port 512
! port
(direction)
source_ip_port -> destination_ip_port
<>
Rule (options)
- Msg:
log alert
msg: <message text>;
- Logto:
logto: <filename>;
- IP TTL:
ttl: <number>;
- IP ID:
IP (Fragment ID)
id: <number>;
- Dsize:
TTL(time to live)
(Payload)
dsize: [>|<] <number>;
- Content:
|
content: "|90C8 C0FF FFFF|/bin/sh";
- Offset:
- Depth:
depth: <number>;
- Seq:
TCP Sequence Number
seq: <number>;
- Nocase:
nocase;
3-3 TCP
( :[8])
- Flags:
TCP Flag Flag
F - FIN
S - SYN
R - RST
P - PSH
A - ACK
U - URG
2 - Reserved bit 2
1 - Reserved bit 1
flags: <flag values>;
- Ack:
- Itype:
ICMP TYPE
itype: <number>;
- Icode:
ICMP VALUE
icode: <number>;
[ICMP TYPE VALUE]
- Session: TCP Session
telnet rlogin ftp web session
Printable text
All
session: <printable|all>;
- Icmp_id:
icmp_id: <number>;
- Icmp_seq:
icmp_seq: <number>;
- Ipoption:
option
rr - Record route
eol - End of list
nop - No op
ts - Time Stamp
ipoption: <option>;
rpc: <application number, [procedure number|*], [program version number|*]>
- Resp: resp_modifier
rst_snd - send TCP-RST packets to the sending socket
rst_rcv - send TCP-RST packets to the receiving socket
rst_all - send TCP_RST packets in both directions
icmp_net - send a ICMP_NET_UNREACH to the sender
icmp_host - send a ICMP_HOST_UNREACH to the sender
icmp_port - send a ICMP_PORT_UNREACH to the sender
icmp_all - send all above ICMP packets to the sender
resp: <resp_modifier[,resp_modifier]>;
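As an added example (not code from the thesis), the following Python matcher implements the rule header and option syntax listed above and evaluates the Trin00 detection rules of section 2.5 against constructed packets; $HOME_NET is assumed to be 140.112.8.0/24 and the Packet class is a constructed stand-in for libpcap decoding.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example, not the thesis's own code: a minimal matcher for the Snort 1.x
# rule syntax described above, exercised with the Trin00 rules of section 2.5.
# Header: action, protocol, !-negated CIDR or $HOME_NET, port lists/ranges, ->.
# Options handled: msg, content (with |hex| segments), flags, nocase.
HOME_NET = ipaddress.ip_network("140.112.8.0/24")   # assumed value of $HOME_NET

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

@dataclass
class Packet:                  # constructed packet model, enough for these rules
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    flags: str = ""            # TCP flags as Snort letters, e.g. "PA"

def parse_rule(text: str) -> dict:
    """Header fields plus an 'opts' dict (keys lower-cased, quotes stripped)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sports, dst, dports, body = m.groups()
    opts = {}
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, val = opt.partition(":")       # msg text may itself contain ':'
        opts[key.strip().lower()] = val.strip().strip('"')
    return {"action": action, "proto": proto.lower(), "src": src, "sports": sports,
            "dst": dst, "dports": dports, "opts": opts}

def net_matches(spec: str, ip: str) -> bool:
    """'any', a host or CIDR, or $HOME_NET; a leading '!' negates the result."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    else:
        net = HOME_NET if spec == "$HOME_NET" else ipaddress.ip_network(spec, strict=False)
        hit = ipaddress.ip_address(ip) in net
    return hit != negate

def port_matches(spec: str, port: int) -> bool:
    """'any', '80,23', '1:2048', ':1024', '512:' and their '!'-negated forms."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any"
    if not hit:
        for part in spec.split(","):
            lo, sep, hi = part.partition(":")
            if sep:                            # open or closed range
                hit |= (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
            else:
                hit |= port == int(lo)
    return hit != negate

def content_bytes(spec: str) -> bytes:
    """Expand |90C8 C0FF| hex segments inside a content: string into raw bytes."""
    out = b""
    for i, seg in enumerate(spec.split("|")):
        out += bytes.fromhex(seg.replace(" ", "")) if i % 2 else seg.encode()
    return out

def rule_matches(rule: dict, pkt: Packet) -> bool:
    if rule["proto"] != pkt.proto:
        return False
    if not (net_matches(rule["src"], pkt.src) and port_matches(rule["sports"], pkt.sport)
            and net_matches(rule["dst"], pkt.dst) and port_matches(rule["dports"], pkt.dport)):
        return False
    o = rule["opts"]
    if "flags" in o and set(o["flags"]) != set(pkt.flags):   # exact flag set
        return False
    if "content" in o:
        needle, hay = content_bytes(o["content"]), pkt.payload
        if "nocase" in o:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True

TRIN00_RULES = [parse_rule(r) for r in (
    'alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"IDS187 - DDoS Trin00: Daemon to Master (PONG detected)"; content:"PONG";)',
    'alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"IDS185 - DDoS Trin00: Daemon to Master (*HELLO* detected)"; content:"*HELLO*";)',
    'alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"IDS196 - DDoS Trin00: Attacker to Master default startup pass detected!"; flags:PA; content:"betaalmostdone";)',
    'alert udp !$HOME_NET any -> $HOME_NET 27444 (msg:"IDS197 - DDoS Trin00: Master to Daemon (default pass detected!)"; content:"l44adsl";)',
)]

def alerts_for(pkt: Packet, rules=TRIN00_RULES) -> list:
    """msg of every rule that fires (the thesis notes Snort itself stops at first match)."""
    return [r["opts"].get("msg", "") for r in rules if rule_matches(r, pkt)]

if __name__ == "__main__":
    print(alerts_for(Packet("udp", "10.0.0.1", 32656, "140.112.8.5", 31335, b"*HELLO*")))
```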
3.2.4 (Preprocessors)
Preprocessor
Snort (detection engine)
3.2.5 (Variables)
<name> : <value>
Snort snort.lib
DNS IP
3.2.6
pattern-based IDS -- Snort
(figure 3-5: SnortSnarf output, percentage and number of attacks from source to destination)
from             to              %      # of attacks
140.109.20.100   140.112.8.164   24.46  32
140.109.20.80    140.112.8.163   12.23  16
140.112.12.24    140.112.8.99    5.35   ..

from type        %      # of attacks
140.109.20.100   17.95  14
140.109.20.80    15.38  12
140.112.12.24    12.89  10

to type          %      # of attacks
140.112.8.164    17.95  14
140.112.8.163    15.38  12
140.112.8.99     12.89  10
SnortSnarf
SnortSnarf perl html
3-5
3-5 SnortSnarf
5n0r7
Michel Kaempf snort log source
IP destination IP frequency
IP
..
(IDS..) IP
( ) (IP-Based IP)
:
- finger whois:
- Traceroute:
(router)
traceroute
- Teleport Pro:
portscan( )
portscan (active)
portscan :
- : IP ( ) ( )
IP active
- :
( )
( )
port 80
8080 web server
web web
:
( ) (root) (backdoor)
rules
Snort rules
:ftp-bad-login ftp
overflow
...
Snort rule :
- Emergency: root
- Alert:
DDoS attack
- Warning: "" MISC-PCAnywhere Attempted Administrator Login
- Notification:
telnet-incorrect Ping
rule
rule
rule
IP
IP
- (Hostile) IP
- (Threatening) IP
- (Suspicious) IP
finger scan ping
IP Suspicious IP
Warning Threatening
Emergency Alert
Hostile 4-1
- IP Threatening Notification
Warning Emergency
Alert Hostile
- IP Emergency
-
IP
IP
- IP
IP
:
-
BAD IP Buffer State:
IP
- Hostile : IP
- Threatening : IP
- Suspicious : IP
-
-
IP
4X4 Snort 4-1
(6) And Or And rule
Alert( ) IP (1-2)
(5-6) Or rule Alert( )
(1-10) (13-14)
4-1
Rule Type \ IP   Hostile   Threatening   Suspicious   Any
Emergency        (1)       (2)           (3)          (4)
Alert            (5)       (6)           (7)          (8)
Warning          (9)       (10)          (11)         (12)
Notification     (13)      (14)          (15)         (16)
(cell operators as extracted, row by row: Or Or Or All / And Or And Or And Or And All / And Or And Or And Or And All / And All And All And And All ALL / And And And)
4-1 Any
Emergency
IP
IP
Or
Notification Any
:
- A(n,m) O(n,m):
- n: And Or rule (Emergency=1, Notification=4)
- m: (Hostile=1, Any=4)
- 4-2
4-2
A(n,4): Emergency Alert Warning Notification IP
A(4,m): IP Rule
A(1,1)
Emergency
IP O(1,1)
Emergency IP
A(1,2) A(2,1)
A(2,2)
A(1,1) rule
IP
rule IP
:
__________________________________________________
[**] IDS127 - TELNET - Login Incorrect [**]
05/31-23:24:09.581436 140.112.8.79:23 -> 140.112.240.40:2018
TCP TTL:255 TOS:0x0 ID:42821 IpLen:20 DgmLen:59 DF
***AP*** Seq: 0x196D55F2 Ack: 0x4BC27875 Win: 0x2238 TcpLen: 20
__________________________________________________
rule IDS127 - TELNET - Login Incorrect Warning
IP -- 140.112.8.79 Threatening
(console)
:
- Rule
Emergency-
Alert-
Warning-
Notification-
- IP
Hostile-
Threatening-
Suspicious-
Others-
snort rules IP 4-2
Leveled Rules BAD IP Analyzer
4-2
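As an added example (not the thesis's own Leveled Rules / BAD IP Analyzer), this Python code parses Snort alert records in the format quoted above and replays them through a simplified version of the rule-level and IP-state classification; the RULE_LEVEL table and the escalation policy are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Added example, not the thesis's own code: parse Snort "full" alert records of
# the form quoted above and replay them through a simplified version of the
# leveled-rules / BAD IP classification of chapter 4. RULE_LEVEL and the
# escalation policy are assumptions for illustration, not the thesis's 4x4 matrix.
RULE_LEVEL = {                      # assumed mapping: rule msg -> rule level
    "IDS127 - TELNET - Login Incorrect": "Warning",
    "MISC-PCAnywhere Attempted Administrator Login": "Warning",
    "IDS185 - DDoS Trin00: Daemon to Master (*HELLO* detected)": "Alert",
    "IDS154 - PING CyberKit 2.2 Windows": "Notification",
}
IP_RANK = {"Hostile": 1, "Threatening": 2, "Suspicious": 3, "Others": 4}
# Assumed escalation: Emergency/Alert rules make the source IP Hostile, Warning
# makes it Threatening, Notification makes it Suspicious; an IP never moves down.
LEVEL_TO_STATE = {"Emergency": "Hostile", "Alert": "Hostile",
                  "Warning": "Threatening", "Notification": "Suspicious"}

HEADER_RE = re.compile(r"^\[\*\*\]\s*(.+?)\s*\[\*\*\]$")
ADDR_RE = re.compile(r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+)\s+"
                     r"(\S+?)(?::(\d+))?\s+->\s+(\S+?)(?::(\d+))?$")


def parse_alert_log(text: str) -> list:
    """One dict per record: msg, level, date, time, src, sport, dst, dport.

    Ports are None for ICMP records, whose address line carries no port.
    """
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:                                   # "[**] msg [**]" starts a record
            msg = m.group(1)
            current = {"msg": msg, "level": RULE_LEVEL.get(msg, "Notification")}
            records.append(current)
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:           # "date-time src:port -> dst:port"
            current.update(date=m.group(1), time=m.group(2),
                           src=m.group(3), sport=int(m.group(4)) if m.group(4) else None,
                           dst=m.group(5), dport=int(m.group(6)) if m.group(6) else None)
    return records


def classify_ips(records: list) -> dict:
    """BAD IP state of every source address after replaying the records in order."""
    state = defaultdict(lambda: "Others")
    for r in records:
        if "src" not in r:
            continue                            # header without an address line
        new = LEVEL_TO_STATE[r["level"]]
        if IP_RANK[new] < IP_RANK[state[r["src"]]]:
            state[r["src"]] = new               # escalate only, never downgrade
    return dict(state)


# Constructed sample log in the record format quoted in the thesis (not real traffic).
SAMPLE_LOG = """\
[**] IDS127 - TELNET - Login Incorrect [**]
05/31-23:24:09.581436 140.112.8.79:23 -> 140.112.240.40:2018
TCP TTL:255 TOS:0x0 ID:42821 IpLen:20 DgmLen:59 DF
***AP*** Seq: 0x196D55F2 Ack: 0x4BC27875 Win: 0x2238 TcpLen: 20

[**] IDS154 - PING CyberKit 2.2 Windows [**]
05/31-23:25:01.000001 192.0.2.10 -> 140.112.8.164
ICMP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:92

[**] IDS185 - DDoS Trin00: Daemon to Master (*HELLO* detected) [**]
05/31-23:26:44.120000 192.0.2.10:32656 -> 140.112.8.5:31335
UDP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:35
"""

if __name__ == "__main__":
    for ip, st in sorted(classify_ips(parse_alert_log(SAMPLE_LOG)).items()):
        print(ip, st)
```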
Snort Log
: FreeBSD 3.4
: 140.112.8.x
120
backbone Cisco 7513 Switch
port mirror Snort port
-
50 (2001/4/10~2001/5/30)
- :( : )
( ) ;
5-1 2000/05~2001/05
5-2
(: week14:4/1~4/7 ; week17:4/29~4/28)
5-3
(: week18:4/29~5/5 ; week22:5/27~6/2)
5-4 4/09-4/15
5-5 4/16-4/22
5-6 4/23-4/29
5-7 5/01-5/08
(:5/2~5/5 )
5-8 5/09-5/16
5-9 5/17-5/23
5-10 5/24-5/30
Snort
- :
rule : rule
5-11 rule
rule : rule
5-12 rule
5-13 rule
IP : IP
Domain Name
5-14 IP
IP : IP
IP
5-15 IP
- :
rule : rule
5-16 rule
portscan : portscan
portscan
5-17 portscan
5-18 portscan
IP : IP
IP
5-19 IP
5-20 IP
IP : IP
IP 5-19 5-20
:
5-21
5-23
: Trust.list IP
,
====================================
163.28.16.21
163.28.16.23
..
====================================
IP : IP
IP
ipsearch2.pl
: ipsearch2.pl
ip
Snort :
Snort IDS
(drop rate) Snort drop rate
(buffer)
drop rate
:
- Snort pattern match first match,
rule .
- : udp tcp icmp
- :
ftp
Snort
Mb/s
30Mb/s
Mbytes 5-1 37 Mbytes
5-1 Snort
Date (2000)   (Bytes)     Count ( )
04/10         23828739    183761
04/11         18987631    148827
04/12         7899625     63659
04/13         37623988    235125
04/14         18916880    123333
04/15         16006656    108655
04/16         18721448    126670
04/17         23142112    152465
04/18         24039994    158880
04/19         33304458    223183
04/20         17838996    119426
04/21         16883128    111531
04/22         28323942    173047
04/23         23145466    148888
04/24         20872982    135135
04/25         17666262    117095
04/26         14466870    98867
04/27         28407143    172189
04/28         13054609    86062
04/29         8705657     60528
04/30         14302174    97939
05/01         16112155    102875
05/02         17466401    109421
05/03         33854607    201853
05/04         16908509    107807
05/05         10352758    69093
05/06         10785145    71626
05/07         13405167    90732
05/08         11620110    81073
05/09         12083692    82907
05/10         14139060    92580
05/11         12761647    86080
05/12         11089505    74081
05/13         12257839    81001
05/14         13880452    93820
05/15         13105395    89612
05/16         14728897    99976
05/17         18004435    117231
05/18         10849916    74434
05/19         10483621    70223
05/20         9642692     65970
05/21         11813939    82877
05/22         14361299    99713
05/23         13772562    95121
05/24         12706050    86999
05/25         15182451    98274
05/26         11580667    76962
05/27         15084818    98071
05/28         26730904    200910
05/29         15012816    101248
05/30         37395765    238070
:
- BAD IP :10
- Hostile :80
- Threatening :60
- Suspicious :20
- :
Portscan log:10
Notification log:10
- :
Hostile:0.4
Threatening:0.5
Suspicious:1
IP :
IP
IP ( ) 5-25
IP 40~60 IP
0-20 :
- IP 2/3
IP
IP
- IP 5-26
IP
5-25 IP
5-26 IP
5-27 28 29 30 40 50
Warning 5-3
1000
0.10
0.31 IP 1/5
5-27 30
5-28 40
5-29 50
5-2
      Warning (1)          Warning Suspicious (2)   (2)/(1)
30    1.48% (1045/70248)   0.27% (191/70248)        18.24%
40    2.3% (1532/66399)    0.31% (206/66399)        13.47%
50    0.68% (1490/218617)  0.10% (221/218617)       14.71%
( )
31
Alert
Suspicious 54 DNS Server
163.28.16.21 DNS zone transfer 5-30
IP trust.list
IP 163.28.16.21 5-31
( )
IP 6 2 1 1 2 : 4 5
Snort ,
13:00
87.04 Hostile 5-31
IP 5-32
5-32
DDoS Yahoo CNN
DDoS
rule-based
NIDS
rule
--
Emergency Alert Warning Notification
IP Hostile
Threatening Suspicious IP
rule IP
[1] AXENT Technology Ltd., Everything You Need to Know About Intrusion Detection, 1999
http://www.axent.com
[2] Jason Barlow, Woody Thrower, The TFN2K distributed denial of service attack tool, 2000
http://packetstorm.securify.com/distributed/TFN2k_Analysis1.3.txt
[3] C.P.S.T. Ltd., TCP SYN Flooding Attack and the FireWall-1 SYNDefender, Oct. 1996
http://www.checkpoint.com/products/firewall-1/syndefender.html
[4] David Dittrich, The trin00 distributed denial of service attack tool, 1999
http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt
[5] David Dittrich, The Tribe Flood Network distributed denial of service attack tool, 1999
http://staff.washington.edu/dittrich/misc/tfn.analysis.txt
[6] David Dittrich, The stacheldraht distributed denial of service attack tool, 1999
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt
[7] Thomer M. Gil, MULTOPS: a data structure for denial-of-service attack detection, August 2000
http://pdos.lcs.mit.edu/thomer/mit/multops_usenix2001.pdf
[8] http://cat.ice.ntnu.edu.tw/tcpip/main.htm
[9] http://www.sans.org
[10] http://www.snort.org
[11] Gary C. Kessler, Defenses Against Distributed Denial of Service Attacks,
ICMP TYPE and VALUE
========================================================
ICMP TYPE VALUE [RFC 1700]
========================================================
Type   Name                                  Codes
0      Echo Reply (used by "ping")           0  No Code
1      Unassigned
2      Unassigned
3      Destination Unreachable               0  Net Unreachable
                                             1  Host Unreachable
                                             2  Protocol Unreachable
                                             3  Port Unreachable
                                             ...
                                             10, 11, 12
4      Source Quench                         0  No Code
5      Redirect                              0  Redirect Datagram for the Network (or subnet)
                                             ...
                                             3
6      Unassigned
9      Router Advertisement                  0  No Code
10     Router Selection                      0  No Code
11     Time Exceeded                         ...
12     Parameter Problem                     0  ...
                                             2  Bad Length
13     Timestamp                             0  No Code
14     Timestamp Reply                       0  No Code
15     Information Request                   0  No Code
16     Information Reply                     0  No Code
17                                           No Code
18                                           No Code
19
20-29
30     Traceroute
31
32
33
34     IPv6 I-Am-Here
35
36
========================================================
Snort Rule
(Each rule is assigned one of the levels Emergency / Alert / Warning / Notification; the level column of this appendix did not survive extraction and is omitted.)
TYPE: backdoor
BIND Shell
Back Orifice
Deep Back Orifice
Deep Throat access
EvilFTP access
GateCrasher access
GirlFriend access
NetSphere FTP acces
NetSphere access
Netbus/GabanBus
PCAnywhere
Phase Zero Server Active on Network
Portal Of Doom
Portal of Doom access
Possible EvilFTP access
Possible GirlFriend access
Possible Hack a Tack access
Possible NetSphere FTP acces
Possible NetSphere access
Possible Portal of Doom access
Possible SubSeven access
Whack-a-mole
default Backdoor access!
TYPE: ddos
DDoS - Trin00 Attacker to Master default r.i. pass detected!
DDoS - Trin00 Attacker to Master-default mdie pass detected!
IDS100 - DDoS - mstream agent to handler
IDS101 - DDoS - mstream handler to agent
IDS102 - DDoS - mstream handler ping to agent
IDS103 - DDoS - mstream agent pong to handler
IDS110 - DDoS - mstream client to handler
IDS110 - DDoS - mstream handler to client
IDS111 - DDoS - mstream client to handler
IDS112 - DDoS - mstream handler to client
IDS182 - DDoS - TFN server response
IDS183 - DDoS - TFN client command LE
IDS184 - DDoS - TFN client command BE
IDS185 - DDoS - Trin00: Daemon to Master (*HELLO* detected)
OVERFLOW-NOOP-Digital
OVERFLOW-NOOP-HP
OVERFLOW-NOOP-SGI
OVERFLOW-NOOP-Solaris
OVERFLOW-NOOP-Sparc
OVERFLOW-NOOP-X86
OVERFLOW-Named-ADM-NXT - 8.2->8.2.1
OVERFLOW-NextFTP-client
OVERFLOW-POP2-x86linux
OVERFLOW-POP2-x86linux2
OVERFLOW-POP3-x86bsd
OVERFLOW-POP3-x86bsd2
OVERFLOW-POP3-x86linux
OVERFLOW-POP3-x86sco
OVERFLOW-QPOP
OVERFLOW-named
OVERFLOW-sco-calserver
OVERFLOW-x86-linux-imapd2
OVERFLOW-x86-linux-imapd3
OVERFLOW-x86-linux-imapd4
OVERFLOW-x86-linux-imapd5
OVERFLOW-x86-linux-imapd6
OVERFLOW-x86-linux-mountd
OVERFLOW-x86-linux-mountd2
OVERFLOW-x86-linux-mountd3
OVERFLOW-x86-linux-ntalkd
OVERFLOW-x86-linux-samba
OVERFLOW-x86-solaris-nlps
OVERFLOW-x86-windows-CSMMail
OVERFLOW-x86-windows-MailMax
TYPE: ping
ICMP Destination Unreachable
ICMP Information Reply
ICMP Information Request
ICMP Message
ICMP Parameter Problem
ICMP Source Quench
ICMP Time Exceeded
ICMP Timestamp
IDS028 - PING NMAP TCP
IDS151 - PING BeOS4.x
IDS152 - PING BSD
IDS153 - PING Cisco Type.x
IDS154 - PING CyberKit 2.2 Windows
IP
Date (2001)   IP (daily)   IP (new)   IP (cumulative)
04/10         46           46         46
04/11         55           22         68
04/12         45           18         86
04/13         40           16         102
04/14         34           7          109
04/15         36           9          118
04/16         47           17         135
04/17         77           41         176
04/18         67           18         194
04/19         62           14         208
04/20         65           19         227
04/21         63           28         255
04/22         61           22         277
04/23         62           17         294
04/24         57           12         306
04/25         54           9          315
04/26         61           17         332
04/27         53           14         346
04/28         45           6          352
04/29         39           6          358
04/30         64           20         378
05/01         40           9          387
05/02         47           6          393
05/03         61           13         406
05/04         61           13         419
05/05         42           -1         418
05/06         44           13         431
05/07         47           7          438
05/08         61           11         449
05/09         54           6          455
05/10         44           7          462
05/11         55           17         479
05/12         42           10         489
05/13         39           9          498
05/14         51           0          498
05/15         56           14         512
05/16         47           9          521
05/17         57           15         536
05/18         44           -1         535
05/19         39           4          539
05/20         34           1          540
05/21         47           3          543
05/22         47           1          544
05/23         55           11         555
05/24         47           9          564
05/25         43           11         575
05/26         40           1          576
05/27         44           8          584
05/28         49           12         596
05/29         43           9          605