Table of Contents

• 3 - IDS types • 15 - TCP flags

• 8 - Ethernet Frame • 16 - ICMP types
• 9 - IP frame • 17 - Shadow IDS
• 10 - TCP frame • 23 - Snort IDS
• 11 - UDP frame • 25 - Auditing
• 12 - ICMP Frame • 26 - Resources
• 13 - 3-way handshake
 Author

• Jerry Shenk
• D&E Communications
 IDS Types

• Host Based
– Log files
– Programs
• Network based
– Monitor traffic
– Sensor/Analyzer
 Network IDS types

• Signature based
– Looks for specific bad packet signatures
• Anomoly based
– Normal traffic is defined. Other traffic is
reported
 Network IDS responses

• Pager/E-mail
– “real-time” vs. false alarms
• Blocking
– proactive vs. DOS prone
• Resetting
• Periodic wrapup
– Analyst may not check status
 Network IDS - Commercial

• Cisco Secure IDS (NetRanger)

• ISS RealSecure
• Axent Intruder Alert (Raptor)
• NWS Dragon
• CheckPoint Cyber Attack Defense System
 Network IDS - free

• Shadow - Anomoly based

– Based on tcpdump
– filters are fully configurable although hard to
follow
– traffic is captured and processed hourly - perl
• Snort - Signature based
– filters are fully configurable and require
detailed info but easier than tcpdump
 Ethernet Encapsulation

Interface Layer Frame Frame Data Area

Header

Internet Layer IP Datagram

IP Data
Header

Transport Layer ICMP/UDP/TCP Protocol

Header Data
0 16 IP Packets31
version hdr lnth type of service total length of datagram

identification number R DF MF fragment offset 20

bytes
time-to-live (ttl) protocol header checksum

source IP address (4 bytes)

destination IP address (4 bytes)

options field (variable length, max length 40 bytes)

data
 TCP Packets
0 16 31

source port number destination port number

sequence number
20
acknowledgement number
bytes
hdr lgth reserved U A P R S F window size

TCP checksum urgent pointer

options field (variable length, max length 40 bytes)

data
 UDP Packets

0 16 31

source port number destination port number

UDP datagram length UDP checksum

optional data
 ICMP packets

0 8 16 31

type code checksum

contents depend on type and code

(echo has sender and sequence info)
 3-way Handshake & Termination
SYN
SYN - ACK
ACK

[ACK set for each packet in the of session]

client [session proceeds] server
(port = 4247/tcp) (port = 23/tcp)

Either the
FIN ACK
client or
ACK the server
may initiate
FIN ACK the closing
ACK sequence
 3-way Handshake & Termination
Establishment
client.4247 > server.23: S 3073470005:3073470005(0) win 512 <mss 1460>
server.23 > client.4247: S 1932608000:1932608000(0)
ack 3073470006 win 61320 <mss 1460> (DF)
client.4247 > server.23: . ack 1932608001 win 32120 (DF)

Termination
client.4247 > server.23: F 3073470006:3073470006(0)
ack 1932608001 win 32120
server.23 > client.4247: . ack 3073470007 win 61320 (DF)
server.23 > client.4247: F 1932608001:1932608001(0)
ack 3073470007 win 61320 (DF)
client.4247 > server.23: . ack 1932608002 win 32120 (DF)

S = SYN flag is set (x) = x data bytes in the packet

F = FIN flag is set win = advertised window size
. = none of the SFRP flags are set mss = max segment size announcement
(ack and urg are displayed differently) DF = don’t fragment flag is set
 TCP Flags
• FIN : sender is finished sending data -- initiate a half
close
• SYN : synchronize the sequence numbers to establish a
connection
• RST : reset (abort) the connection
• PSH : tells receiver not to buffer the data before passing
it to the application (interactive applications use this)
• ACK : acknowledgement number is valid
• URG : urgent pointer is valid (often results from an
interrupt)
 ICMP Types

msg# description msg# description

0 echo reply 12 parameter problem

3 destination unreachable 13 timestamp request
4 source quench 14 timestamp reply
5 redirect 15 information request
8 echo request 16 information reply
9 router advertisement 17 address mask request
10 router solicitation 18 address mask reply
11 time exceeded
Shadow initial screen
Shadow sample hourly screen
Shadow Search
Shadow Search 2
 Shadow tcpdump sensor filter

• (ip and not

• ( (igrp or dst port 520 or port 524 or
port 1677 or port 1494)
• or
• (net 10.0.0.0 mask 255.0.0.0 and
((icmp[0]=8) or (icmp[0]=0)))
• ) )
 Shadow tcpdump analyzer filters

• Analyzer filters - broken into sections to

make them easier to read and avoid a size
limitation. Use the same syntax as the
sensor filter but are much larger.
– tcp.filter
– udp.filter
– icmp.filter
– ip.filter
 Snort rules

• SYN/FIN scan
– alert TCP $EXTERNAL any -> $INTERNAL
any (msg: "IDS198/SYN FIN Scan"; flags: SF;)
• DNS zone transfer
– alert TCP $EXTERNAL any -> $INTERNAL
53 (msg: "IDS212/dns-zone-transfer"; content:
"|01 00 00 01 00 00 00 00 00 00|"; flags: AP;
offset: "2"; depth: "16";)
 Snort responses

• logging
• resetting
 Auditing The Network

• Scan your network - web based

• http://www.webtrends.net/tools/security/scan.asp
• https://grc.com/x/ne.dll?bh0bkyd2
• More thorough
• Nessus - runs on unix - free, Windows client
• Satan/Saint/Sara - runs on unix - free
• Cisco NetSonar - runs on NT
• Cybercop (Balista) - http://www.nai.com
• nmap - unix, command-line, very flexible
 Resources

• Port numbers
– http://www.snort.org (port search link)
– http://dev.whitehats.com/ids/ids.html
– http://www.isi.edu/in-
notes/iana/assignments/port-numbers
 Resources

• Security Sites
– http://www.sans.org
– http://www.cert.org/advisories/
– http://www.cerias.purdue.edu/coast/
– http://www.nipc.gov/
– http://dev.whitehats.com/