
MONITORING AND BEHAVIOR ANALYSIS OF NETWORK SECURITY SYSTEMS


THESIS ABSTRACT
GRADUATE INSTITUTE OF INFORMATION MANAGEMENT
NATIONAL TAIWAN UNIVERSITY
NAME: SHEN, WEN-CHU

MONTH/YEAR: JUNE, 2001

ADVISER: Yeali S. Sun

MONITORING AND BEHAVIOR ANALYSIS OF NETWORK SECURITY SYSTEMS
The network security problem is becoming more important because of the popularity of the Internet and electronic business. Distributed denial of service attacks have succeeded not only against ordinary companies but also against well-known companies such as Yahoo. A single click by the attacker can make a business lose many transactions. The impact on information security will become more serious, as in information warfare.

This paper discusses the distributed denial of service attack and its defense. We think that the real solution is to enhance the protection of every host; after that, the attacker will be unable to construct the DDoS network. The Network-based Intrusion Detection System is a good solution until overall individual protection is in place: a subnet needs only one IDS to monitor all of its hosts. But IDSs have a common problem, large log data. For this problem, we analyse the behavior of attacks and implement our approach with the NIDS Snort. Rules are leveled into four levels: Emergency, Alert, Warning and Notification. The level of each event log is used to mark an IP as being in the Hostile, Threatening or Suspicious state. The state and IP address are saved in an IP-State database. Last, we use the different rule levels and IP states to differentiate the importance of the log for the network administrator. We hope that this will alleviate the problem of large log data.

Keywords: Network Security, Distributed Denial of Service Attack (DDoS), Intrusion Detection System (IDS).


THESIS ABSTRACT
2.1.1 DoS .......... 3
2.1.2 DDoS .......... 3
IP (IP Spoofing) .......... 6
Smurf .......... 8
(TCP SYN Flood) .......... 10
Trin00 .......... 15
DDoS .......... 21
2.6.1 ICMP .......... 21
2.6.2 TFN .......... 21
2.6.3 stacheldraht .......... 22
2.6.4 TFN2K .......... 23
2.6.5 DDoS .......... 24
DDoS .......... 25
IDS Snort .......... 28
3.2.1 Snort Rules .......... 29
3.2.3 Rule Tree .......... 33
3.2.4 (Preprocessors) .......... 34
3.2.5 (Variables) .......... 34
3.2.6 .......... 35
3.2.7 Snort log .......... 35
IP .......... 37
rules .......... 39
IP .......... 39
Snort Log .......... 45
Snort .......... 47
ICMP TYPE and VALUE .......... 65
Snort Rule .......... 68
IP .......... 75


2-1 DDoS .......... 4
2-2 DDoS -- .......... 5
2-3 DDoS -- .......... 5
2-4 DDoS -- .......... 6
2-5 ICMP ECHO REQUEST/REPLY .......... 8
2-6 ICMP ECHO REQUEST/REPLY (Spoofing IP) .......... 9
2-7 ICMP BROADCAST .......... 9
2-8 Smurf Attack .......... 10
2-9 TCP Three-Way Handshake .......... 11
2-10 .......... 13
2-11 semi-transparent gateway .......... 14
2-12 synckill finite state machine .......... 15
3-1 Host-based IDS .......... 26
3-2 IDS .......... 27
3-3 Network-based IDS .......... 27
3-2 Snort .......... 29
3-3 TCP .......... 31
3-4 Snort rule tree .......... 34
3-5 SnortSnarf .......... 36
4-1 BAD IP finite state .......... 40
4-2 .......... 44
5-1 2000/05~2001/05 .......... 45
5-2 .......... 46
5-3 .......... 46
5-4 4/09-4/15 .......... 46
5-5 4/16-4/22 .......... 46
5-6 4/23-4/29 .......... 46
5-7 5/01-5/08 .......... 47
5-8 5/09-5/16 .......... 47
5-9 5/17-5/23 .......... 47
5-10 5/24-5/30 .......... 47
5-11 rule .......... 48
5-12 rule .......... 48
5-13 rule .......... 48
5-14 IP .......... 49
5-15 IP .......... 49
5-16 rule .......... 50
5-17 portscan .......... 50
5-18 portscan .......... 51
5-19 IP .......... 51
5-20 IP .......... 52
5-21 .......... 52
5-22 Emergency IP Threatening .......... 53
5-23 .......... 53
5-24 Drop Rate .......... 54
5-25 IP .......... 57
5-26 IP .......... 57
5-27 30 .......... 58
5-28 40 .......... 58
5-29 50 .......... 59
5-30 Alert Suspicious .......... 60
5-31 13:00 BADIP .......... 60
5-32 .......... 61

2-1 DDoS .......... 24
4-1 .......... 42
4-2 .......... 42
5-1 Snort .......... 55
5-2 .......... 59

scalability

(hit rate) 300

(powerful)
(server cluster)

(attacker) (hacker) (DoS)
2000 Yahoo amazon.com ebay.com CNN.com E-trade Yankee Group
2001

.gov

DDoS( )

DDoS

DDoS DDoS

(rule-based)

IDS (Intrusion Detection System) Snort

Snort IP
Snort
2.1.1 DoS
( )DoS
(Denial of Service)
( )

web (ftp server)

2.1.2 DDoS

( TANET MRTG )

(multi-tier)

2-1

IP
IP

IP (Traceback)

2-1 DDoS
Attacker:

Master:

Daemon: Victim:

DDoS (Distributed Denial of Service)

(
) 2-2

2-2 DDoS --
(source: [11])

2-3

2-3 DDoS --
(source: [11])

2-4

2-4 DDoS --
(source: [11])

IP (IP Spoofing)

DoS IP (IP Spoofing)
DoS IP Spoofing
IP

(Router)

IP

(Routing) IP IP

DoS IP Spoofing
(random) IP

IP Spoofing
SYN Flooding attack
IP IP
smurf

• Ingress and egress filtering [RFC2267]

IP
IP
(drop)

cisco router edge router ACL

--------------------------------------------
! list 187, applied inbound from the upstream side: drop packets whose source claims to be inside the customer network
access-list 187 deny ip {customer network} {customer network mask} any
access-list 187 permit ip any any
! list 188, applied outbound toward the upstream: forward only packets sourced inside the customer network
access-list 188 permit ip {customer network} {customer network mask} any
access-list 188 deny ip any any
interface {egress interface} {interface #}
ip access-group 187 in
ip access-group 188 out
----------------------------------------------


Internet
IP IP

(backbone)

IP mobile ip

• IP Traceback [12] (mark)

Smurf

Smurf[7] ICMP (Internet Control Message Protocol) ICMP
ECHO REQUEST ECHO REPLY UNIX
ping round-trip delay A
ECHO REQUEST B B
ECHO REPLY A 2-5 B ICMP
IP IP B
IP 2-6

2-5 ICMP ECHO REQUEST/REPLY

2-6 ICMP ECHO REQUEST/REPLY (Spoofing IP)

ICMP REQUEST Network Base Address (x.x.x.0
for class C) Broadcast Address (x.x.x.255 class C)

2-7 smurf

ICMP ECHO REQUEST
Broadcast Addresses
ICMP ECHO REPLY 2-8
smurf

2-7 ICMP BROADCAST

2-8 Smurf Attack

• broadcast multicast router forwarding
of IP directed broadcast
ICMP Echo Request broadcast address
[rfc2466]

(TCP SYN Flood)

TCP (Transmission Control Protocol [8]
TCP
(
numbers

socket sequence

window sizes

(Three-way Handshake 2-9
(Client Request (Server)
SYN

(Port

Number) ISN initial sequence

number
SYN

SYN+ACK

ISN SYN ACK

acknowledge ISN+1
ISN
ACK

ISN

ISN + 1

2-9 TCP Three-Way Handshake


SYN
backlog TCP
(Reset) backlog
backlog
TCP connection entry
(connection

establishment

timer) 75
TCP

TCP

Three-way

Handshake
SYN IP
SYN ACK
IP ACK
(half-opened connection)

DoS IP
IP SYN ACK

RST(RESET)

• :

half-opened connection timeout
half-opened connection queue

timeout round
trip time time out

backlog half-opened

backlog
( )

(service ports)

• [13]
(cryptographic hash)

IP

ISN (secret key) Y
ISN ACK IP
ISN Y Y
Y+1, Backlog

• (relay) [13]

( ) three-way handshake
( ) three-way handshake
2-10
three-way handshake
SYN Flooding

2-10

three-way handshake

• (semi-transparent gateway) [3]

2-11

SYN ACK

ACK

ACK

three-way handshake backlog
ACK RST
SYN Flooding
ACK TCP
ACK

2-11 semi-transparent gateway
• Active

Monitor[13]:

IP SYN ACK RST
IP finite state machine 2-12
IP SYN RST ACK
IP IP IP

: Active monitor
ACK RST

2-12 synckill finite state machine
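As an added illustration of the hash-based ISN defense from [13] described above (this is not code from the thesis or from [13]), the following Python compares a classic backlog listener with one whose SYN+ACK sequence number Y is a keyed hash of the connection 4-tuple, so that the ACK carrying Y+1 can be verified without any backlog entry. The secret key, the addresses and the flood scenario are constructed for the simulation.

```python
import hashlib
import hmac
import socket
import struct

SECRET_KEY = b"constructed-secret-key"   # assumption: a per-host secret, never sent on the wire


def cookie_isn(src_ip, src_port, dst_ip, dst_port, key=SECRET_KEY):
    """Y = keyed hash of the connection 4-tuple, truncated to the 32-bit sequence space."""
    tuple4 = struct.pack("!4sH4sH", socket.inet_aton(src_ip), src_port,
                         socket.inet_aton(dst_ip), dst_port)
    return int.from_bytes(hmac.new(key, tuple4, hashlib.sha256).digest()[:4], "big")


class BacklogServer:
    """Classic listener: each SYN holds a backlog slot until its ACK arrives or the
    connection-establishment timer (75 s in the text) expires; here nothing expires."""

    def __init__(self, backlog=5):
        self.backlog = backlog
        self.half_open = {}          # (src_ip, src_port) -> ISN sent in the SYN+ACK
        self.established = set()
        self.next_isn = 1000

    def on_syn(self, src_ip, src_port, dst_ip, dst_port):
        if len(self.half_open) >= self.backlog:
            return None              # backlog full: the SYN is dropped
        self.next_isn += 1
        self.half_open[(src_ip, src_port)] = self.next_isn
        return self.next_isn

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack):
        isn = self.half_open.get((src_ip, src_port))
        if isn is None or ack != isn + 1:
            return False
        del self.half_open[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True


class CookieServer:
    """Hash-based ISN listener: nothing is stored for a half-open connection;
    a valid ACK can only come from a host that really received Y."""

    def __init__(self):
        self.established = set()

    def on_syn(self, src_ip, src_port, dst_ip, dst_port):
        return cookie_isn(src_ip, src_port, dst_ip, dst_port)   # the SYN+ACK carries Y

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack):
        if ack != cookie_isn(src_ip, src_port, dst_ip, dst_port) + 1:
            return False             # forged ACK: the recomputed Y does not fit
        self.established.add((src_ip, src_port))
        return True


def simulate(server, flood_count=50):
    """Constructed scenario: SYNs from spoofed sources whose SYN+ACKs are never
    answered, then one legitimate client. Returns whether that client connected."""
    srv = ("140.112.8.164", 80)
    for i in range(flood_count):
        server.on_syn("203.0.113.%d" % (i % 250 + 1), 40000 + i, *srv)
    isn = server.on_syn("198.51.100.7", 51234, *srv)
    if isn is None:
        return False                 # legitimate SYN dropped: denial of service
    return server.on_ack("198.51.100.7", 51234, *srv, isn + 1)


if __name__ == "__main__":
    print("backlog listener survives flood:", simulate(BacklogServer(backlog=5)))
    print("cookie listener survives flood: ", simulate(CookieServer()))
```

Real SYN-cookie implementations also fold a coarse timestamp and the MSS into Y; this block shows only the statelessness argument made in the text.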

Trin00
Trin00 [4] (client-server)
Masters
(Daemons) Master (
IP) Master
Daemon Daemon

(root administrator)
(backdoor) Trin00 daemon
master

(owned list)

root TCP port
(port) 1524
port 1524/tcp

trin.sh script Trin00 daemon

--------------------------------------------------------------------
./trin.sh | nc owned_host1_ip 1524 &
./trin.sh | nc owned_host2_ip 1524 &
./trin.sh | nc owned_host3_ip 1524 &
./trin.sh | nc owned_host4_ip 1524 &
./trin.sh | nc owned_host5_ip 1524 &
...
--------------------------------------------------------------------

trin.sh :

-------------------------------------------------------------------
echo "rcp some_host_ip: /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"
echo "chmod +x /usr/sbin/rpc.listen"
echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"
echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"
------------------------------------------------------------------
Trin00 2-1

Master Master Daemon Daemon
UDP

Trin00

1. Master
• telnet 27665/TCP
• : betaalmostdone
• Master : gOrave
• Master Daemon

27444/UDP

: l44adsl (L)
: command l44adsl args
Daemon *HELLO* Master
( ) trinoo
Daemon *HELLO* Master
---------------------------------------------------
UDP Packet ID (from_IP.port-to_IP.port): daemon_ip.32656-master_ip.31335
45 E 00 . 00 . 23 # B1 . 5D ] 40 @ 00 . F8 . 11 . B9 . 27 . C0 . A8 . 00 . 01 .
0A . 00 . 00 . 01 . 80 . 6C l 7A z 67 g 00 . 0F . 06 . D4 . 2A * 48 H 45 E 4C L
4C L 4F O 2A *
----------------------------------------------------

Master png Daemon PONG
----------------------------------------------------
UDP Packet ID (from_IP.port-to_IP.port): master_ip.16778-daemon_ip.27444
45 E 00 . 00 . 27 ' 1A . AE . 00 . 00 . 40 @ 11 . 47 G D4 . 0A . 00 . 00 . 01 .
C0 . A8 . 00 . 01 . 04 . 00 . 6B k 34 4 00 . 13 . 2F / B7 . 70 p 6E n 67 g 20
6C l 34 4 34 4 61 a 64 d 73 s 6C l

UDP Packet ID (from_IP.port-to_IP.port): daemon_ip.32658-master_ip.31335
45 E 00 . 00 . 20 13 . 81 . 40 @ 00 . F8 . 11 . 57 W 07 . C0 . A8 . 00 . 01 .
0A . 00 . 00 . 01 . 80 . 6F o 7A z 67 g 00 . 0C . 4E N 24 $ 50 P 4F O 4E N 47 G
-----------------------------------------------------

• Daemon Master

31335/UDP

• Trin00
( )

betaalmostdone: Master
gOrave: Master
l44adsl: Daemon
killme: Master mdie Daemon

Daemon Crontab root
crontab file
----------------------------------------------------------------------------------
* * * * * /usr/sbin/rpc.listen
----------------------------------------------------------------------------------
Master -b
Daemon IP -b Daemon IP
IP Blowfish KEY
master.c
--------------------------------------------------------------------------------------------------
master.c KEY
/* crypt key encrypted with the key 'bored' (so hex edit cannot get key easily?)
   comment out for no encryption... */
#define CRYPTKEY "ZsoTN.cq4X31"
...
----------------------------------------------------------------------------------------------------
# ls -l ... ...-b
-rw-------   1 root   root   25 Sep 26 14:46 ...
-rw-------   1 root   root   50 Sep 26 14:30 ...-b
# cat ...
JPbUc05Swk/0gMvui18BrFH/
# cat ...-b
aE5sK0PIFws0Y0EhH02fLVK.
JPbUc05Swk/0gMvui18BrFH/
------------------------------------------------------------------------------------------------------
:
• 27665/tcp Master
• 31335/udp Master
• 27444/udp Daemon
--------------------------------------------------------------------------------------------------------
netstat
# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp                  *:27665            *:*                LISTEN
...
udp                  *:31335            *:*
...
------------------------------------------------------------------------------------

IDS(Intrusion Detection System) Snort

( )
(Rules)

---------------------------------------------------------------------------------------------

Snort DDoS - Trin00 rules :

• alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"DDoS - Trin00 Attacker to Master-default mdie pass detected!";flags:PA; content:"killme";)

IP IP 27665 TCP TCP flag push ack "killme" Master mdie "killme"

• alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"IDS187 - DDoS Trin00: DaemontoMaster (PONGdetected)"; content:"PONG";)

IP IP 31335 UDP "PONG" Daemon PONG Master png

• alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"IDS185 - DDoS Trin00:DaemontoMaster(*HELLO*detected)"; content:"*HELLO*";)

IP IP 31335 UDP "*HELLO*" Daemon "*HELLO*" Master

• alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"IDS196 - DDoS Trin00:Attacker to Master default startup pass detected!";flags:PA; content:"betaalmostdone";)

IP IP 27665 TCP TCP flag push ack "betaalmostdone" Master

• alert udp !$HOME_NET any -> $HOME_NET 27444 (msg:"IDS197 - DDoS Trin00:MastertoDaemon(defaultpassdetected!)"; content:"l44adsl";)

IP IP 27444 UDP "l44" Master "l44adsl"

--------------------------------------------------------------------------------------------------------

DDoS

2.6.1 ICMP
ICMP (ICMP Echo Reply Flood Attack)
IP ICMP Echo Request
ICMP Echo Reply

2.6.2 TFN
TFN (Tribe Flood Network) [5] Trin00
:
• : Attacker -> Client -> Daemon
Trinoo Attacker -> Master -> Daemon
• Master

Daemon

ICMP echo reply

ICMP ICMP echo

• Master Daemon
• ( )
header ID

ICMP

config.h

config.h :
----------------------------------------------------------------------------------------------------
#ifndef _CONFIG_H

/* user defined values for the teletubby flood network */

#define HIDEME "tfn-daemon"
#define HIDEKIDS "tfn-child"
#define CHLD_MAX 50

/* #define ATTACKLOG "attack.log" keep a log of attacks/victims on all
   hosts running td for debugging etc. (hint: bad idea) */

/* These are like passwords, you might want to change them */

#define ID_ACK     123 /* for replies to the master */
#define ID_SHELL   456 /* to bind a rootshell, optional */
#define ID_PSIZE   789 /* to change size of udp/icmp packets */
#define ID_SWITCH  234 /* to switch spoofing mode */
#define ID_STOPIT  567 /* to stop flooding */
#define ID_SENDUDP 890 /* to udp flood */
#define ID_SENDSYN 345 /* to syn flood */
#define ID_SYNPORT 678 /* to set port */
#define ID_ICMP    901 /* to icmp flood */
#define ID_SMURF   666 /* haps! haps! */

#define _CONFIG_H
#endif
-------------------------------------------------------------------------------------------------
ICMP header id 123 Daemon
Master reply,
pattern
• UDP
ICMP
TCP
smurf

2.6.3 stacheldraht

Stacheldraht [6] Trinoo TFN :
: Client->Handler->Agent Trinoo
Attacker->Master->Daemon
Master telnet TCP
Blowfish
Master Daemon TCP ICMP
Daemon rpc(514/tcp)
-> Master: 16660/tcp
Master->Daemon: 65000/tcp, ICMP_ECHOREPLY
->Master ( trinoo ): sicken()
TFN ICMP id
Daemon Master IP ICMP_ECHOREPLY ID 666
skillz Master ICMP_ECHOREPLY ID
667 skillz Stacheldraht
UDP TCP ICMP Smurf

2.6.4 TFN2K
TFN2K (Tribe Flood Network 2000) [2] TFN 2000
TFN :
• : Attacker -> Master(Client) -> Agent(Daemon)
Trinoo Attacker -> Master -> Daemon
• Master Daemon key-based CAST-256
TCP UDP ICMP
key Master
• Daemon Master Master IP
Master 20 Daemon
Master
• +< >+< >
•

2.6.5 DDoS

2-1 DDoS

Tool          Architecture                               Attacker -> Master                   Master -> Daemon                     IP list    Attacks
Trinoo        Attacker | Master | Daemon                 TCP                                  UDP                                  Blowfish   UDP Flood
TFN           Attacker | Client | Daemon                                                      ICMP                                 Blowfish   Smurf, SYN Flood, UDP Flood, ICMP Flood
Stacheldraht  Client | Handler | Agent                   TCP                                  TCP, ICMP                            Blowfish   Smurf, SYN Flood, UDP Flood, ICMP Flood
TFN2K         Attacker | Master(Client) | Agent(Daemon)  TCP, UDP, ICMP (Key-based CAST-256)  TCP, UDP, ICMP (Key-based CAST-256)  Blowfish   Smurf, SYN Flood, UDP Flood, ICMP Flood

DDoS
DDoS
( )

DDoS

(Patch) IDS
IP Spoofing
IP



IDS(Intrusion Detection System) [1][9]
misuse abuse attack)

(security policy)
(Firewall) Firewall
(Access Control) (rules)

IDS
• (Host-based) IDS :
(Protocol Stack)
3-1

3-1 Host-based IDS

• (Network-based) IDS (NIDS) IDS

NIDS

NIDS
IDS 3-2

IDS

3-2 IDS
( rule )

Protocol Stack
3-3

3-3 Network-based IDS

NIDS

(attack signature/pattern)

IDS Snort

Snort[10] Martin Roesch

• lightweight
•

IP (logging)

•
•

libpcap c

Rule-based

Snort

Rule
•
•

GNU (GENERAL PUBLIC LICENSE)

(freeware)
• 3-2 Libpcap Berkeley Packet Filter

Rule

base (pattern matching)
(log) (alert) (pass)

3-2 Snort

3.2.1 Snort Rules

Snort rule matching

rule

Rule

Rule header + Rule options

alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: SYN-FIN Scan;)
|----------------- header ------------------||---------- options ----------|

Rule (header)

• (action)
alert syslog

log
pass

• (protocol)
TCP UDP ICMP

• IP

IP any

IP 140.112.8.164
CIDR 140.112.8/24
! IP !140.112.8/24
140.112.8.x

• (Port Numbers)

Port any

port 80,23

1:2048 port 1 to port 2048
:1024 port <= 1024
512: port >= 512
! port

(direction)
source_ip_port -> destination_ip_port

<>

Rule (options)

• Msg:

log alert
msg: <message text>;

• Logto:

logto: <filename>;

• IP TTL:

TTL (time to live)
ttl: <number>;

• IP ID:

IP (Fragment ID)
id: <number>;

• Dsize:

(Payload)
dsize: [>|<] <number>;

• Content:
|
content: "|90C8 C0FF FFFF|/bin/sh";

content: <content string>;

• Offset:

offset: <number>;

• Depth:

depth: <number>;

• Nocase:

nocase;

• Seq:

TCP Sequence Number
seq: <number>;

3-3 TCP
(source: [8])

• Flags:

TCP Flag Flag

F - FIN
S - SYN
R - RST
P - PSH
A - ACK
U - URG
2 - Reserved bit 2
1 - Reserved bit 1

flags: <flag values>;

• Ack:

TCP acknowledgement number

ack: <number>;

• Itype:

ICMP TYPE
itype: <number>;

• Icode:

ICMP VALUE
icode: <number>;

[ ICMP TYPE VALUE ]
• Session: TCP Session
telnet rlogin ftp web session
Printable text
All

session: <printable|all>;

• Icmp_id:

ICMP ECHO ICMP ID Number

icmp_id: <number>;

• Icmp_seq:

ICMP ECHO ICMP Sequence Number

icmp_seq: <number>;

• Ipoption:

option

rr - Record route
eol - End of list
nop - No op
ts - Time Stamp
sec - IP security option
lsrr - Loose source routing
ssrr - Strict source routing
satid - Stream identifier

ipoption: <option>;

• Rpc: RPC application, procedure, and program

version

rpc: <application number, [procedure number|*], [program version number|*]>;

• Resp: resp_modifier

rst_snd - send TCP-RST packets to the sending socket
rst_rcv - send TCP-RST packets to the receiving socket
rst_all - send TCP_RST packets in both directions
icmp_net - send a ICMP_NET_UNREACH to the sender
icmp_host - send a ICMP_HOST_UNREACH to the sender
icmp_port - send a ICMP_PORT_UNREACH to the sender
icmp_all - send all above ICMP packets to the sender

resp: <resp_modifier[, resp_modifier]>;
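The following Python is an added example, not part of the thesis or of Snort itself: a small matcher for the rule header and option syntax described in this section (address negation and CIDR, port lists and ranges, flags, content with |hex| spans, nocase), exercised with two of the Trin00 rules from section 2.5 and the SYN-FIN rule above. The value of $HOME_NET and the packets are constructed assumptions.

```python
import re
# Added example, not code from the thesis or from Snort: a matcher for the Snort 1.x
# rule syntax described in this section, run over the Trin00 rules of section 2.5.
# The value of $HOME_NET is an assumption (the thesis monitors 140.112.8.x).
VARS = {"$HOME_NET": "140.112.8.0/24"}
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def _ip_int(ip):
    # Dotted quad to int; the short form 140.112.8 is zero-padded to 140.112.8.0.
    parts = ip.split(".") + ["0"] * 4
    return sum(int(p) << (8 * (3 - i)) for i, p in enumerate(parts[:4]))

def ip_match(spec, ip):
    """Address field: any, a host, a CIDR block, or one of these negated with '!'."""
    neg = spec.startswith("!")
    spec = VARS.get(spec.lstrip("!"), spec.lstrip("!"))
    if spec == "any":
        return not neg
    net, _, bits = spec.partition("/")
    mask = (0xFFFFFFFF << (32 - int(bits or 32))) & 0xFFFFFFFF
    return ((_ip_int(ip) & mask) == (_ip_int(net) & mask)) != neg

def port_match(spec, port):
    """Port field: any, a list (80,23), a range (1:2048, :1024, 512:), or '!' of these."""
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    else:
        hit = port in {int(p) for p in spec.split(",")}
    return hit != neg

def parse_content(text):
    # content option: text between | | is hex, the rest is a literal string.
    out = b""
    for i, chunk in enumerate(text.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return out

def parse_rule(line):
    """Split a rule into its header fields and an options dict (bare keywords -> True)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable rule: " + line)
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        key, _, val = opt.partition(":")
        if key.strip():
            opts[key.strip().lower()] = val.strip().strip('"') or True
    rule["opts"] = opts
    return rule

def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport, flags (str) and payload (bytes)."""
    if rule["proto"] != pkt["proto"]:
        return False
    ends = [("src", "sport", "dst", "dport")]
    if rule["dir"] == "<>":                    # bidirectional: either side may be the source
        ends.append(("dst", "dport", "src", "sport"))
    if not any(ip_match(rule["src"], pkt[a]) and port_match(rule["sport"], pkt[b])
               and ip_match(rule["dst"], pkt[c]) and port_match(rule["dport"], pkt[d])
               for a, b, c, d in ends):
        return False
    o = rule["opts"]
    if "flags" in o and set(o["flags"]) != set(pkt.get("flags", "")):
        return False                           # Snort 1.x flags: the exact set of TCP flags
    if "content" in o:
        needle, hay = parse_content(o["content"]), pkt.get("payload", b"")
        if "nocase" in o:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True

def first_alert(rules, pkt):
    # msg of the first rule that fires, or None (no rule fired, so nothing is logged).
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["opts"]["msg"]
    return None

# Rules quoted in the thesis: two Trin00 rules from section 2.5 and the SYN-FIN rule above.
RULES = [parse_rule(r) for r in [
    'alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"IDS196 - DDoS Trin00:Attacker to '
    'Master default startup pass detected!";flags:PA; content:"betaalmostdone";)',
    'alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"IDS185 - DDoS Trin00:DaemontoMaster'
    '(*HELLO*detected)"; content:"*HELLO*";)',
    'alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: SYN-FIN Scan;)',
]]

# Constructed packets (not captures from the thesis).
PACKETS = {
    "hello": dict(proto="udp", src="10.0.0.1", sport=32656, dst="140.112.8.5", dport=31335, payload=b"*HELLO*"),
    "startup": dict(proto="tcp", src="10.0.0.1", sport=1025, dst="140.112.8.5", dport=27665, flags="PA", payload=b"betaalmostdone\r\n"),
    "synfin": dict(proto="tcp", src="192.0.2.4", sport=4000, dst="10.1.1.7", dport=80, flags="SF", payload=b""),
}
```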

3.2.3 Rule Tree

Snort rule 600
rule Rule
Snort Tree Rules Rule header
Rule option Rule header
Rule header Rule header
Rule option 3-4
Rule header
rule Option

3-4 Snort rule tree

3.2.4 (Preprocessors)

Preprocessor
Snort (detection engine)

preprocessor <name>: <options>

3.2.5 (Variables)

<name> : <value>

Snort snort-lib
DNS IP

3.2.6
pattern-based IDS -- Snort

3.2.7 Snort log

snort_stat.pl
perl snort log
:
• Number of attacks from same host to same destination using same method

# of attacks  from            to             attack
36            140.109.20.100  140.112.8.164  PING-ICMP Time Exceeded
1             140.109.20.80   140.112.8.163  FTP-bad-login
1             140.112.12.24   140.112.8.99   IDS159-PING Microsoft Windows
...

• Percentage and number of attacks from a host to a destination

%      # of attacks  from            to
24.46  32            140.109.20.100  140.112.8.164
12.23  16            140.109.20.80   140.112.8.163
5.35                 140.112.12.24   140.112.8.99
...

• Percentage and number of attacks from one host to any with same method

%      # of attacks  from            type
17.95  14            140.109.20.100  ICMP Destination Unreachable
15.38  12            140.109.20.80   ICMP Destination Unreachable
12.89  10            140.112.12.24   PING-ICMP Time Exceeded

• Percentage and number of attacks to one certain host

%      # of attacks  to             type
17.95  14            140.112.8.164  ICMP Destination Unreachable
15.38  12            140.112.8.163  ICMP Destination Unreachable
12.89  10            140.112.8.99   PING-ICMP Time Exceeded

SnortSnarf
SnortSnarf perl html
3-5

3-5 SnortSnarf

5n0r7
Michel Kaempf snort log source
IP destination IP frequency

IP

..

( IDS . . ) IP
( ) (
IP-Based

IP )

:
• finger whois:
• Traceroute:

(router)
traceroute
• Teleport Pro:

portscan( )

portscan (active)

portscan :
• : IP ( ) ( )
IP active
• :

( )

( )

port 80
8080 web server
web web

:
(
) (root) (backdoor)

DDoS master daemon

rules
Snort rules
: ftp-bad-login ftp

overflow
...

Snort rule :
• Emergency: root

• Alert:

DDoS attack
• Warning: "" MISC-PCAnywhere
Attempted Administrator Login
• Notification:

telnet-incorrect Ping

rule

rule
rule

IP

IP

u ( Ho s t i l e ) IP
u ( Threatening) IP
u ( Suspicious ) IP
f i n g e r s c a n p i n g
IP Suspicious IP
Wa r n i n g T h r e a te n i n g
Emergency Alert
Hostile 4-1

4-1 BAD IP finite state


u I P N o t i f i c a t i o n
Buffer
Suspicious
Suspicious
u I P S u s p i c i o u s N o t i f i c a t i o n
Warning
T h r e a te n i n g E m e r g e n c y A l e r t
Hostile
40

u I P T h r e a te n i n g N o t i f i c a t i o n
W a r n i n g E m e r g e n c y
A l e r t Hostile
u IP E m e r g e n c y

u

IP

IP

u IP

IP

:
u

BAD IP Buffer State: IPs waiting in the buffer
u Hostile: IP
u Threatening: IP
u Suspicious: IP
u
u

IP

A 4x4 matrix of Snort rule level against IP state is given in Table 4-1. Take cell (6), Alert rules and Threatening IPs: with And, the filter keeps Alert-or-higher rules (levels 1-2) from Hostile or Threatening IPs (states 1-2), i.e. cells (1-2) and (5-6); with Or, it keeps either Alert-or-higher rules or logs from Hostile/Threatening IPs, i.e. cells (1-10) and (13-14).

Table 4-1 (cell numbers in parentheses)

Rule Type      Hostile        Threatening    Suspicious     Any
Emergency      (1) And/Or     (2) And/Or     (3) And/Or     (4) And/All
Alert          (5) And/Or     (6) And/Or     (7) And/Or     (8) And/All
Warning        (9) And/Or     (10) And/Or    (11) And/Or    (12) And/All
Notification   (13) And/All   (14) And/All   (15) And/All   (16) ALL

In Table 4-1 the Any column matches every IP state, so And in that column selects on rule level alone (e.g. Emergency logs from any IP), while Or with Any matches everything; likewise the Notification row matches every rule level, so Or in the (Notification, Any) corner is All.

Notation:
u A(n,m) and O(n,m): the And and Or filters
u n: rule level (Emergency=1, Alert=2, Warning=3, Notification=4)
u m: IP state (Hostile=1, Threatening=2, Suspicious=3, Any=4)
u The 4x4 filters are listed in Table 4-2

Table 4-2

O(1,1) O(2,1) O(3,1) O(4,1)
A(1,1) A(2,1) A(3,1) A(4,1)
O(1,2) O(2,2) O(3,2) O(4,2)
A(1,2) A(2,2) A(3,2) A(4,2)
O(1,3) O(2,3) O(3,3) O(4,3)
A(1,3) A(2,3) A(3,3) A(4,3)
O(1,4) O(2,4) O(3,4) O(4,4)
A(1,4) A(2,4) A(3,4) A(4,4)

A(i,j) >= A(k,l) for i >= k and j >= l
O(i,j) >= O(k,l) for i >= k and j >= l
(>= read as: the larger filter keeps a superset of the logs)

A(n,4): filter on rule level only (Emergency, Alert, Warning, Notification), whatever the IP state.
A(4,m): filter on IP state only, whatever the rule level.

A(1,1) keeps only Emergency logs from Hostile IPs, the strictest filter; O(1,1) keeps every Emergency log and every log from a Hostile IP. A(1,2) and A(2,1) are both contained in A(2,2). Starting from A(1,1), the rule level and the IP state can be relaxed separately. For example:
__________________________________________________
[**] IDS127 - TELNET - Login Incorrect [**]
05/31-23:24:09.581436 140.112.8.79:23 -> 140.112.240.40:2018
TCP TTL:255 TOS:0x0 ID:42821 IpLen:20 DgmLen:59 DF
***AP*** Seq: 0x196D55F2 Ack: 0x4BC27875 Win: 0x2238 TcpLen: 20
__________________________________________________
The rule IDS127 - TELNET - Login Incorrect is a Warning-level rule, so the IP 140.112.8.79 is marked Threatening.

The result is shown on the console:
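The state machine of Figure 4-1 and the A(n,m)/O(n,m) filters above, as an added Python example (my code, not the thesis's own implementation): it parses Snort 1.x text alerts in the format of the IDS127 record above, looks up the rule level in an excerpt of the leveled rule table from the appendix, escalates the source IP's state (Emergency or Alert to Hostile, Warning to Threatening, Notification through the buffer to Suspicious) and then applies the And/Or filters. The Notification buffer threshold of 3, the default of Notification for rules absent from the excerpt, and the records from 10.0.0.5 and 10.0.0.9 are constructed assumptions.

```python
"""Leveled rules, BAD IP states and the A(n,m)/O(n,m) filters (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Numbering as in the thesis: a lower number is more severe.
EMERGENCY, ALERT, WARNING, NOTIFICATION = 1, 2, 3, 4
HOSTILE, THREATENING, SUSPICIOUS, ANY = 1, 2, 3, 4

# Excerpt of the leveled rule table in the appendix (rule message -> level).
RULE_LEVEL = {
    "IDS127 - TELNET - Login Incorrect": WARNING,
    "IDS212 - MISC - DNS Zone Transfer": ALERT,
    "IDS257 - Aix FTP Buffer Overflow": EMERGENCY,
    "IDS003 - MISC-Traceroute UDP": NOTIFICATION,
    "ICMP Destination Unreachable": NOTIFICATION,
}
ESCALATE = {EMERGENCY: HOSTILE, ALERT: HOSTILE, WARNING: THREATENING}
NOTIFICATION_THRESHOLD = 3  # assumption: buffered Notifications before Suspicious

# Snort 1.x text alert: "[**] msg [**]" then "timestamp src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r"\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]\s*\n"
    r"(?P<ts>\S+)\s+(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s*->\s*"
    r"(?P<dst>\d+(?:\.\d+){3})(?::\d+)?"
)


@dataclass(frozen=True)
class Event:
    msg: str
    level: int
    src: str
    dst: str
    ts: str


def parse_alerts(text):
    """Parse Snort text alerts; rules missing from RULE_LEVEL count as Notification."""
    return [Event(m["msg"], RULE_LEVEL.get(m["msg"], NOTIFICATION),
                  m["src"], m["dst"], m["ts"]) for m in ALERT_RE.finditer(text)]


class BadIPDatabase:
    """IP-State database: a state only ever escalates (min of the numeric state)."""

    def __init__(self, threshold=NOTIFICATION_THRESHOLD):
        self.state = {}                 # ip -> Hostile/Threatening/Suspicious
        self.buffer = defaultdict(int)  # BAD IP Buffer State: Notification counts
        self.threshold = threshold

    def state_of(self, ip):
        return self.state.get(ip, ANY)  # unknown IP: no state, matched only by Any

    def update(self, ev):
        ip = ev.src  # the thesis marks the packet's source address
        if ev.level == NOTIFICATION:
            self.buffer[ip] += 1
            if self.buffer[ip] >= self.threshold:
                self.state[ip] = min(self.state_of(ip), SUSPICIOUS)
        else:
            self.state[ip] = min(self.state_of(ip), ESCALATE[ev.level])
        return self.state_of(ip)


def process(events, db):
    """Feed events through the database; return (event, state after update) pairs."""
    return [(ev, db.update(ev)) for ev in events]


def filter_and(marked, n, m):
    """A(n,m): keep logs whose rule level <= n AND whose IP state <= m."""
    return [ev for ev, st in marked if ev.level <= n and st <= m]


def filter_or(marked, n, m):
    """O(n,m): keep logs whose rule level <= n OR whose IP state <= m."""
    return [ev for ev, st in marked if ev.level <= n or st <= m]


# Constructed sample: the IDS127 record quoted in the text plus invented records
# from the documentation addresses 10.0.0.5 (three traceroutes) and 10.0.0.9.
SAMPLE_LOG = """\
[**] IDS127 - TELNET - Login Incorrect [**]
05/31-23:24:09.581436 140.112.8.79:23 -> 140.112.240.40:2018
TCP TTL:255 TOS:0x0 ID:42821 IpLen:20 DgmLen:59 DF
***AP*** Seq: 0x196D55F2 Ack: 0x4BC27875 Win: 0x2238 TcpLen: 20
[**] IDS003 - MISC-Traceroute UDP [**]
05/31-23:30:01.000001 10.0.0.5:40000 -> 140.112.8.10:33434
[**] IDS003 - MISC-Traceroute UDP [**]
05/31-23:30:02.000001 10.0.0.5:40001 -> 140.112.8.10:33435
[**] IDS003 - MISC-Traceroute UDP [**]
05/31-23:30:03.000001 10.0.0.5:40002 -> 140.112.8.10:33436
[**] IDS257 - Aix FTP Buffer Overflow [**]
05/31-23:45:00.000001 10.0.0.9:4321 -> 140.112.8.20:21
"""


def triage(text=SAMPLE_LOG):
    """Run a log through the state machine; return the database and marked events."""
    db = BadIPDatabase()
    return db, process(parse_alerts(text), db)
```

`triage()` returns the database and the list of (event, state) pairs; `filter_and(marked, EMERGENCY, HOSTILE)` is A(1,1) and keeps only the overflow record, while `filter_or(marked, WARNING, THREATENING)` is O(3,2) and also keeps the IDS127 record. The IDS127 record is marked on the packet's source, 140.112.8.79, as the text does; since that signature matches the telnet server's "Login incorrect" reply, the source is the server and the client is 140.112.240.40, so a deployment has to decide which endpoint the state belongs to. Because the filters compare numeric thresholds, A(i,j) keeps a superset of A(k,l) whenever i >= k and j >= l, which is the property stated above.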

43

The console marks each log by rule level and IP state:
u Rule
  Emergency-
  Alert-
  Warning-
  Notification-
u IP
  Hostile-
  Threatening-
  Suspicious-
  Others-

The snort rules and the IP states are processed by the Leveled Rules and BAD IP Analyzer shown in Figure 4-2.

Figure 4-2

44

Snort Log

u Snort: version 1.6.3, 687 rules
u Machine: PCIII-550, RAM: 256MB
u OS: FreeBSD 3.4
u Monitored network: 140.112.8.x (120)
u Placement: a port of the backbone Cisco 7513 Switch is port-mirrored to the Snort port
u Period: 50 days (2001/4/10~2001/5/30)

Figure 5-1: 2000/05~2001/05

45

5-2
(: week14:4/1~4/7 ; week17:4/29~4/28)

5-3
(: week18:4/29~5/5 ; week22:5/27~6/2)

5-4 4/09-4/15

5-5 4/16-4/22

5-6 4/23-4/29
46

5-7 5/01-5/08
(:5/2~5/5 )

5-8 5/09-5/16

5-9 5/17-5/23

5-10 5/24-5/30

Snort
u :
rule : r u l e
47

5-11 rule
rule : r u l e

5-12 rule

5-13 rule
48

I P : I P
Domain Name

5-14 IP
IP : IP
IP

5-15 IP
u :
rule : rule

49

5-16 rule

portscan : portscan
portscan

5-17 portscan

50

5-18 portscan

I P : IP
IP

5-19 IP

51

5-20 IP

IP : IP
IP 5 - 1 9 5 - 2 0
:

5-21

52

5-22 Emergency IP Threatening


u
:

5-23
Trust.list: trusted IP addresses that are excluded from the BAD IP state,
====================================
163.28.16.21
163.28.16.23
..
====================================

IP search: look up a single IP in the log. The script ipsearch2.pl takes the ip and a date range:

ipsearch2.pl 140.112.8.164 0501 0530


Snort drop rate:

Snort, like any IDS, drops packets when its buffer overflows; the drop rate is shown in Figure 5-24.

Figure 5-24: Drop Rate

The drop rate depends on:
u Snort pattern matching is first match, so the order of the rules matters.
u Protocol: udp, tcp, icmp
u Payload: e.g. ftp

Snort handled about 30Mb/s of traffic; the daily log volume is listed in Table 5-1 (up to 37 Mbytes a day).

Table 5-1: Snort log size per day

Date (2000)   Size (Bytes)   Count ( )
04/10         23828739       183761
04/11         18987631       148827
04/12         7899625        63659
04/13         37623988       235125
04/14         18916880       123333
04/15         16006656       108655
04/16         18721448       126670
04/17         23142112       152465
04/18         24039994       158880
04/19         33304458       223183
04/20         17838996       119426
04/21         16883128       111531
04/22         28323942       173047
04/23         23145466       148888
04/24         20872982       135135
04/25         17666262       117095
04/26         14466870       98867
04/27         28407143       172189
04/28         13054609       86062
04/29         8705657        60528
04/30         14302174       97939
05/01         16112155       102875
05/02         17466401       109421
05/03         33854607       201853
05/04         16908509       107807
05/05         10352758       69093
05/06         10785145       71626
05/07         13405167       90732
05/08         11620110       81073
05/09         12083692       82907
05/10         14139060       92580
05/11         12761647       86080
05/12         11089505       74081
05/13         12257839       81001
05/14         13880452       93820
05/15         13105395       89612
05/16         14728897       99976
05/17         18004435       117231
05/18         10849916       74434
05/19         10483621       70223
05/20         9642692        65970
05/21         11813939       82877
05/22         14361299       99713
05/23         13772562       95121
05/24         12706050       86999
05/25         15182451       98274
05/26         11580667       76962
05/27         15084818       98071
05/28         26730904       200910
05/29         15012816       101248
05/30         37395765       238070

Parameters:
u BAD IP: 10
u Hostile: 80
u Threatening: 60
u Suspicious: 20
u Log:
  Portscan log: 10
  Notification log: 10
u Factor:
  Hostile: 0.4
  Threatening: 0.5
  Suspicious: 1

BAD IPs per day: Figure 5-25 shows the number of BAD IPs seen each day and Figure 5-26 the cumulative number of distinct BAD IPs. About 40~60 BAD IPs appear per day, of which only 0-20 are new:
u about 2/3 of each day's BAD IPs had already been seen on earlier days
u the cumulative count of distinct BAD IPs is shown in Figure 5-26

Figure 5-25: BAD IPs per day

Figure 5-26: cumulative BAD IPs


Figures 5-27, 5-28 and 5-29 (30, 40 and 50) and Table 5-3 compare the Warning logs. Only 0.68% to 2.3% of the logs are Warning-level, and those that also come from a Suspicious IP are 0.10% to 0.31%, about 1/5 of the Warning logs.

Figure 5-27: 30

Figure 5-28: 40

Figure 5-29: 50

Table 5-2

       Warning (1)            Warning and Suspicious (2)   (2)/(1)
30     1.48% (1045/70248)     0.27% (191/70248)            18.24%
40     2.3% (1532/66399)      0.31% (206/66399)            13.47%
50     0.68% (1490/218617)    0.10% (221/218617)           14.71%

( )

31

Alert logs from Suspicious IPs: Figure 5-30 shows them; the DNS Server 163.28.16.21 appears there because of DNS zone transfers, so it is added to trust.list (Figure 5-31).

59

5-30 Alert Suspicious

( )

IP 6 2 1 1 2 : 4 5
Snort ,
13:00
87.04 Hostile 5-3 1
IP 5- 32

5-31 13:00 BADIP


60

5-32

61


DDoS attacks on sites such as Yahoo and CNN showed the damage a DDoS can do. This thesis uses a rule-based NIDS, levels its rules as Emergency, Alert, Warning and Notification, marks IPs as Hostile, Threatening or Suspicious, and uses the rule level together with the IP state to rank the logs.

62


[1] AXENT Technology Ltd., Everything You Need to Know About Intrusion Detection, 1999. http://www.axent.com
[2] Jason Barlow, Woody Thrower, The TFN2K distributed denial of service attack tool, 2000. http://packetstorm.securify.com/distributed/TFN2k_Analysis1.3.txt
[3] C.P.S.T. Ltd., TCP SYN Flooding Attack and the FireWall-1 SYNDefender, Oct. 1996. http://www.checkpoint.com/products/firewall-1/syndefender.html
[4] David Dittrich, The trin00 distributed denial of service attack tool, 1999. http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt
[5] David Dittrich, The Tribe Flood Network distributed denial of service attack tool, 1999. http://staff.washington.edu/dittrich/misc/tfn.analysis.txt
[6] David Dittrich, The stacheldraht distributed denial of service attack tool, 1999. http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt
[7] Thomer M. Gil, MULTOPS: a data structure for denial-of-service attack detection, August 2000. http://pdos.lcs.mit.edu/thomer/mit/multops_usenix2001.pdf
[8] http://cat.ice.ntnu.edu.tw/tcpip/main.htm
[9] http://www.sans.org
[10] http://www.snort.org
[11] Gary C. Kessler, Defenses Against Distributed Denial of Service Attacks, November 29, 2000. http://www.sans.org/infosecFAQ/threats/DDoS.htm
[12] Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson, Practical Support for IP Traceback, ACM SIGCOMM, pp. 295-306, August 2000.
[13] Christoph L. Schuba, Ivan V. Krsul, Markus G. Kuhn, Eugene H. Spafford, Aurobindo Sundaram, Diego Zamboni, Analysis of A Denial of Service Attack on TCP, Security and Privacy, 1997. Proceedings., 1997 IEEE Symposium on, 1997.

64


ICMP TYPE and VALUE
========================================================
ICMP TYPE VALUE [RFC 1700]
========================================================
Type   Name                                   Codes
-----  -------------------------------------  ------------------------------------------------
0      Echo Reply (used by "ping")            0  No Code
1      Unassigned
2      Unassigned
3      Destination Unreachable                0  Net Unreachable
                                              1  Host Unreachable
                                              2  Protocol Unreachable
                                              3  Port Unreachable
                                              4  Fragmentation Needed and Don't Fragment was Set
                                              5  Source Route Failed
                                              6  Destination Network Unknown
                                              7  Destination Host Unknown
                                              8  Source Host Isolated
                                              9  Communication with Destination Network is Administratively Prohibited
                                              10 Communication with Destination Host is Administratively Prohibited
                                              11 Destination Network Unreachable for Type of Service
                                              12 Destination Host Unreachable for Type of Service
4      Source Quench                          0  No Code
5      Redirect                               0  Redirect Datagram for the Network (or subnet)
                                              1  Redirect Datagram for the Host
                                              2  Redirect Datagram for the Type of Service and Network
                                              3  Redirect Datagram for the Type of Service and Host
6      Alternate Host Address                 0  Alternate Address for Host
7      Unassigned
8      Echo (used by "ping")                  0  No Code
9      Router Advertisement                   0  No Code
10     Router Selection                       0  No Code
11     Time Exceeded                          0  Time to Live exceeded in Transit
                                              1  Fragment Reassembly Time Exceeded
12     Parameter Problem                      0  Pointer indicates the error
                                              1  Missing a Required Option
                                              2  Bad Length
13     Timestamp                              0  No Code
14     Timestamp Reply                        0  No Code
15     Information Request                    0  No Code
16     Information Reply                      0  No Code
17     Address Mask Request                   0  No Code
18     Address Mask Reply                     0  No Code
19     Reserved (for Security)
20-29  Reserved (for Robustness Experiment)
30     Traceroute
31     Datagram Conversion Error
32     Mobile Host Redirect
33     IPv6 Where-Are-You
34     IPv6 I-Am-Here
35     Mobile Registration Request
36     Mobile Registration Reply
========================================================

67


Snort Rule Levels

TYPE: backdoor
  Warning       BIND Shell
  Warning       Back Orifice
  Warning       Deep Back Orifice
  Emergency     Deep Throat access
  Emergency     EvilFTP access
  Emergency     GateCrasher access
  Emergency     GirlFriend access
  Emergency     NetSphere FTP acces
  Emergency     NetSphere access
  Alert         Netbus/GabanBus
  Alert         PCAnywhere
  Emergency     Phase Zero Server Active on Network
  Emergency     Portal Of Doom
  Emergency     Portal of Doom access
  Warning       Possible EvilFTP access
  Warning       Possible GirlFriend access
  Warning       Possible Hack a Tack access
  Warning       Possible NetSphere FTP acces
  Warning       Possible NetSphere access
  Alert         Possible Portal of Doom access
  Warning       Possible SubSeven access
  Warning       Whack-a-mole
  Warning       default Backdoor access!
TYPE: ddos
  Alert         DDoS - Trin00 Attacker to Master defaultr.i.passdetected!
  Alert         DDoS - Trin00 Attacker to Master-default mdie pass detected!
  Alert         IDS100 - DDoS - mstream agent to handler
  Alert         IDS101- DDoS - mstream handler to agent
  Alert         IDS102 - DDoS - mstream handler ping to agent
  Alert         IDS103 - DDoS - mstream agent pong to handler
  Warning       IDS110 - DDoS - mstream client to handler
  Alert         IDS110 - DDoS - mstream handler to client
  Alert         IDS111 - DDoS - mstream client to handler
  Alert         IDS112 - DDoS - mstream handler to client
  Alert         IDS182 - DDoS - TFN server response
  Alert         IDS183 - DDoS - TFN client command LE
  Alert         IDS184 - DDoS - TFN client command BE
  Alert         IDS185 - DDoS - Trin00:DaemontoMaster(*HELLO*detected)
  Alert         IDS186 - DDoS - Trin00:DaemontoMaster(messagedetected)
  Alert         IDS187 - DDoS - Trin00:DaemontoMaster(PONGdetected)
  Alert         IDS190 - DDoS - Stacheldraht client-check
  Alert         IDS191 - DDoS - Stacheldraht server-response
  Alert         IDS192 - DDoS - Stacheldraht client-spoofworks
  Alert         IDS193 - DDoS - Stacheldraht server-spoof
  Alert         IDS194 - DDoS - Stacheldraht client-check-gag
  Alert         IDS195 - DDoS - Stacheldraht server-response-gag
  Alert         IDS196 - DDoS - Trin00:Attacker to Master default startup pass detected!
  Alert         IDS197 - DDoS - Trin00:MastertoDaemon(defaultpassdetected!)
  Alert         IDS252 - DDoS shaft synflood incoming
  Alert         IDS253 - DDoS shaft synflood outgoing
  Warning       IDS254 - DDoS shaft client to handler
  Alert         IDS255 - DDoS shaft handler to agent
  Alert         IDS256 - DDoS shaft agent to handler
TYPE: finger
  Alert         FINGER-Bomb
  Warning       FINGER-root
TYPE: ftp
  Warning       FTP-NT-bad-login
  Warning       FTP-bad-login
  Alert         FTP-cwd~root
  Warning       FTP-forward
  Alert         FTP-linux-nullpass
  Alert         FTP-linux-nulluser
  Warning       FTP-rhosts
  Warning       FTP-shosts
  Alert         FTP-user-root
  Warning       FTP-user-warez
  Warning       IDS137 - CVE-1999-0183 - TFTP parent directory
  Alert         IDS138 - CVE-1999-0183 - TFTP rootdirectory
  Alert         IDS148 - CVE-1999-0183 - TFTP Write
  Warning       IDS213 - FTP-Password Retrieval
  Emergency     IDS257 - Aix FTP Buffer Overflow
TYPE: misc
  Warning       BUGTRAQ ID 1009 - Possible attempt at Bay/Nortel Nautica Marlin DoS)
  Notification  IDS003 - MISC-Traceroute UDP
  Notification  IDS115 - MISC-Traceroute-UDP
  Notification  IDS118 - MISC-Traceroute ICMP
  Emergency     IDS147 - CVE-1999-004 - IMAP-x86-linux-buffer-overflow
  Alert         IDS212 - MISC - DNS Zone Transfer
  Notification  IDS239 - MISC-PCAnywhere Startup
  Notification  IDS240 - MISC-PCAnywhere Failed Login
  Notification  IDS246 - MISC - Large ICMP Packet
  Emergency     IDS267 - Delegate proxy overflow
  Notification  MISC-PCAnywhere Attempted Administrator Login
  Warning       MISC-Passwd-Attempt
  Notification  MISC-Traceroute TCP
  Notification  Napster 4444 Data
  Notification  Napster 5555 Data
  Notification  Napster 6666 Data
  Notification  Napster 7777 Data
  Notification  Napster 8888 Data
  Notification  Napster Server Login
  Notification  SNMP public access
TYPE: netbios
  Warning       Possible RFParalyze Attempt
TYPE: overflow
  Emergency     IDS181 - OVERFLOW-NOOP-X86
  Emergency     IDS214 - OVERFLOW - Client - netscape47-unsucessful
  Emergency     IDS215 - OVERFLOW - Client - netscape47-retrieved
  Emergency     IDS242 - RPC ttdbserv Solaris Overflow
  Emergency     IDS273 - Sniffit overflow
  Emergency     IDS274 - NNTP Cassandra Overflow
  Emergency     IDS275 - Cisco Web Crash
  Emergency     OVERFLOW-86-linux-imap1
  Emergency     OVERFLOW-BOOTP--x86linux
  Emergency     OVERFLOW-BOOTP-x86bsd
  Emergency     OVERFLOW-DNS-sparc
  Emergency     OVERFLOW-DNS-x86freebsd-rotsb
  Emergency     OVERFLOW-DNS-x86linux-ADMv2
  Emergency     OVERFLOW-DNS-x86linux-ADMv3
  Emergency     OVERFLOW-DNS-x86linux-generic
  Emergency     OVERFLOW-DNS-x86linux-rotsb
  Emergency     OVERFLOW-FTP-1!
  Emergency     OVERFLOW-FTP-2!
  Emergency     OVERFLOW-FTP-generic1
  Emergency     OVERFLOW-FTP-generic2
  Emergency     OVERFLOW-FTP-x86linux-adm
  Emergency     OVERFLOW-FTP-x86linux-duke
  Emergency     OVERFLOW-FTP-x86linux-sekure
  Emergency     OVERFLOW-FTP-x86linux-smiler
  Emergency     OVERFLOW-FTP-x86linux-wh0a
  Emergency     OVERFLOW-IMAP
  Emergency     OVERFLOW-IRC-client-Chocoa
  Emergency     OVERFLOW-LinuxCommonTCP
  Emergency     OVERFLOW-LinuxCommonUDP
  Emergency     OVERFLOW-NOOP-AIX
  Emergency     OVERFLOW-NOOP-Digital
  Emergency     OVERFLOW-NOOP-HP
  Emergency     OVERFLOW-NOOP-SGI
  Emergency     OVERFLOW-NOOP-Solaris
  Emergency     OVERFLOW-NOOP-Sparc
  Emergency     OVERFLOW-NOOP-X86
  Emergency     OVERFLOW-Named-ADM-NXT - 8.2->8.2.1
  Emergency     OVERFLOW-NextFTP-client
  Emergency     OVERFLOW-POP2-x86linux
  Emergency     OVERFLOW-POP2-x86linux2
  Emergency     OVERFLOW-POP3-x86bsd
  Emergency     OVERFLOW-POP3-x86bsd2
  Emergency     OVERFLOW-POP3-x86linux
  Emergency     OVERFLOW-POP3-x86sco
  Emergency     OVERFLOW-QPOP
  Emergency     OVERFLOW-named
  Emergency     OVERFLOW-sco-calserver
  Emergency     OVERFLOW-x86-linux-imapd2
  Emergency     OVERFLOW-x86-linux-imapd3
  Emergency     OVERFLOW-x86-linux-imapd4
  Emergency     OVERFLOW-x86-linux-imapd5
  Emergency     OVERFLOW-x86-linux-imapd6
  Emergency     OVERFLOW-x86-linux-mountd
  Emergency     OVERFLOW-x86-linux-mountd2
  Emergency     OVERFLOW-x86-linux-mountd3
  Emergency     OVERFLOW-x86-linux-ntalkd
  Emergency     OVERFLOW-x86-linux-samba
  Emergency     OVERFLOW-x86-solaris-nlps
  Emergency     OVERFLOW-x86-windows-CSMMail
  Emergency     OVERFLOW-x86-windows-MailMax
TYPE: ping
  Notification  ICMP Destination Unreachable
  Notification  ICMP Information Reply
  Notification  ICMP Information Request
  Notification  ICMP Message
  Notification  ICMP Parameter Problem
  Notification  ICMP Source Quench
  Notification  ICMP Time Exceeded
  Notification  ICMP Timestamp
  Notification  IDS028 - PING NMAP TCP
  Notification  IDS151 - PING BeOS4.x
  Notification  IDS152 - PING BSD
  Notification  IDS153 - PING Cisco Type.x
  Notification  IDS154 - PING CyberKit 2.2 Windows
  Notification  IDS155 - PING Delphi-Piette Windows
  Notification  IDS156 - PING Flowpoint 2200DSL Router
  Notification  IDS157 - PING IP NetMonitor Macintosh
  Notification  IDS158 - PING ISS Pinger
  Notification  IDS159 - PING Microsoft Windows
  Notification  IDS161 - PING Network Toolbox 3 Windows
  Notification  IDS162 - PING Nmap2.36BETA
  Notification  IDS163 - PING Pinger Windows
  Notification  IDS164 - PING Ping-O-MeterWindows
  Notification  IDS166 - PING Seer Windows
  Notification  IDS167 - PING TJPingPro1.1Build 2 Windows
  Notification  IDS168 - PING WhatsupGold Windows
  Notification  IDS169 - PING Windows Type
  Notification  IDS216 - ICMP Subnet Mask Request
  Notification  PING *NIX Type
TYPE: rpc
  Emergency     IDS217 - RPC AMD Overflow
  Emergency     IDS242 - CVE-1999-0003 - RPC ttdbserv Solaris Overflow
TYPE: scan
  Notification  IDS004 - SCAN-NULL Scan
  Notification  IDS005 - SCAN-Possible NMAP Fingerprint attempt
  Notification  IDS027 - SCAN-FIN
  Notification  IDS029 - SCAN-Possible Queso Fingerprint attempt
  Notification  IDS132 - CVE-1999-0612 - Cybercop Finger Query
  Notification  IDS145 - SCAN-Cybercop-OS-Probe sfp
  Notification  IDS146 - SCAN-Cybercop OS Probe sf12
  Notification  IDS149 - SCAN-Cybercop OS Probe pa12
  Notification  IDS150 - SCAN-Cybercop OS Probe sfu12
  Notification  IDS236 - SCAN-IP Eye SYN Scan
  Notification  IDS26 - NFS Showmount
  Notification  IDS277 - NAMED Iquery Probe
  Notification  IDS278 - NAMED Version Probe
  Notification  NMAP TCP ping!
  Notification  Possible NMAP Fingerprint attempt
  Notification  Possible Queso Fingerprint attempt
  Notification  SCAN - Whisker Stealth - Mall log order access attempt
  Notification  SCAN - Whisker Stealth Mode 4- HEAD
  Notification  SCAN - Whisker Stealth Mode 4- head
  Notification  SCAN - Whisker Stealth Mode 8- DBML Parser access attempt
  Notification  SCAN - Whisker Stealth Mode 8- Handler CGI access attempt
  Notification  SCAN - Whisker Stealth Mode 8- Mall log order access attempt
  Notification  SCAN - Whisker Stealth Mode 8- Order log access attempt
  Notification  SCAN - Whisker Stealth Mode 8- Start Stop Web access attempt
  Notification  SCAN - Whisker Stealth Mode 8- Web Distribution access attempt
  Notification  SCAN - Whisker Stealth Mode 8- cfappman access attempt
  Notification  SCAN - Whisker Stealth Mode 8- wrap CGI access attempt
  Notification  SCAN - Whisker Stealth- BigConf access attempt
  Notification  SCAN - Whisker Stealth- IIS search97 access attempt
  Notification  SCAN - Whisker Stealth- Order log access attempt
  Notification  SCAN - Whisker Stealth- Shopping cart access attempt
  Notification  SCAN - Whisker Stealth- Start Stop Web access attempt
  Notification  SCAN - Whisker Stealth- WS_FTP.INI access attempt
  Notification  SCAN - Whisker Stealth- cfappman access attempt
  Notification  SCAN - Whisker Stealth- mlog access attempt
  Notification  SCAN - Whisker Stealth- mylog access attempt
  Notification  SCAN-ADM-FTPcheck
  Notification  SCAN-Cybercop-SMTPehlo
  Notification  SCAN-Cybercop-SMTPexpn
  Notification  SCAN-Cybercop-UDP-bomb
  Notification  SCAN-Cybercop-WEB
  Notification  SCAN-ICMP Sniffer Pro/NetXRay network scan
  Notification  SCAN-ISS-FTPcheck
  Notification  SCAN-SAINT-FTPcheck
  Notification  SCAN-SATAN-FTPcheck
  Notification  SCAN-SYN FIN
  Notification  SCAN-Whisker!
  Notification  SCAN-pISS-FTPcheck
  Notification  Traceroute
  Notification  WinGate 1080 Attempt
  Notification  WinGate 8080 Attempt
  Notification  Windows Traceroute
TYPE: smtp
  Warning       IDS031 - SMTP-expn-root
  Alert         IDS032 - SMTP-expn-decode
  Alert         IDS119 - SMTP-exploit555
  Alert         IDS120 - SMTP-exploit41
  Alert         IDS121 - SMTP-exploit564
  Alert         IDS122 - SMTP-exploit565
  Alert         IDS123 - SMTP-exploit8610
  Alert         IDS124 - SMTP-exploit8610ha
  (not recovered) IDS139 - CVE-1999-0204 - SMTP-exploit869a
  Alert         IDS140 - CVE-1999-0204 - SMTP-exploit869b
  Alert         IDS141 - CVE-1999-0204 - SMTP-exploit869c
  Alert         IDS142 - CVE-1999-0204 - SMTP-exploit869d
  Alert         IDS172 - CVE-1999-0095 - SMTP Exploit558
  Notification  IDS249 - SMTP Relaying Denied
  Emergency     IDS266 - CAN-1999-0261 - SMTP Chameleon Overflow
TYPE: telnet
  Notification  IDS008 - TELNET - daemon-active
  Warning       IDS127 - TELNET - Login Incorrect
  Emergency     TELNET - Attempted SU from wrong group
  Warning       TELNET - Livingston-DoS
  Warning       TELNET - NotOnConsole
TYPE: webcgi
  Alert         WEB-CGI-CGI view-source access attempt
TYPE: webiis
  Warning       IIS - Possible Attempt at FPCOUNT.EXE DoS
  Warning       IIS - Possible Attempt at NT DNS.EXE 100% CPU Utilization
  Warning       IIS - Possible Attempt at NT INETINFO.EXE 100% CPU Utilization
  Warning       IIS - Possible Attempt at NT TCPSVCS.EXE 100% CPU Utilization
  Warning       IIS - Possible Attempt at NT WINS.EXE 100% CPU Utilization
  Emergency     IIS-Overflow-htr
TYPE: webmisc
  Emergency     IDS180 - WEB-netscape-overflow-unixware


BAD IPs per day

Date (2001)   IPs that day   New IPs   Cumulative IPs
04/10         46             46        46
04/11         55             22        68
04/12         45             18        86
04/13         40             16        102
04/14         34             7         109
04/15         36             9         118
04/16         47             17        135
04/17         77             41        176
04/18         67             18        194
04/19         62             14        208
04/20         65             19        227
04/21         63             28        255
04/22         61             22        277
04/23         62             17        294
04/24         57             12        306
04/25         54             9         315
04/26         61             17        332
04/27         53             14        346
04/28         45             6         352
04/29         39             6         358
04/30         64             20        378
05/01         40             9         387
05/02         47             6         393
05/03         61             13        406
05/04         61             13        419
05/05         42             -1        418
05/06         44             13        431
05/07         47             7         438
05/08         61             11        449
05/09         54             6         455
05/10         44             7         462
05/11         55             17        479
05/12         42             10        489
05/13         39             9         498
05/14         51             0         498
05/15         56             14        512
05/16         47             9         521
05/17         57             15        536
05/18         44             -1        535
05/19         39             4         539
05/20         34             1         540
05/21         47             3         543
05/22         47             1         544
05/23         55             11        555
05/24         47             9         564
05/25         43             11        575
05/26         40             1         576
05/27         44             8         584
05/28         49             12        596
05/29         43             9         605
105 4 3

77
