snort 2 1 intrusion detection second edition phần 3 potx

snort 2.1 intrusion detection second edition phần 3 potx

... http://www.simpopdf.com 29 5 _Snort2 e_ 03. qxd 5/5/04 2: 55 PM Page 15 1Installing Snort • Chapter 3 15 1 localhost: tcp 587 tcp 25 0.0.0.0 tcp 22 tcp 37 tcp 13 tcp 11 3 OINK! For more information ... http://www.simpopdf.com 29 5 _Snort2 e_ 03. qxd 5/5/04 2: 55 PM Page 13 4 13 4 Chapter 3 • Installing Snort The second example is for versions earlier than 4 .1. For these systems, just enter rpm rebuild snort- 2. 1. 1- 1snort. src.rpm.This ... be 1 92. 16 8.0.0 /24 , which means that the address space of 1 92. 16 8.0. 1 92. 16 8.0 .25 4 will be repre-sented, using a subnet mask of 25 5 .25 5 .25 5.0 (see Figure 3 .14 ). Figure 3 .14 Editing the snort. conf...

76

432

0

snort 2.1 intrusion detection second edition phần 4 potx

... Be Merged 10 .1. 0.0 /22 10 .1. 0.0 /24 , 10 .1 .2. 0 /24 , 10 .1. 4.0 /24 , 10 .1. 6.0 /24 19 8.0.0.0 /20 19 8 .1. 0.0 / 21 , 19 8 .2. 0.0 / 21 10 .10 0.80.0/ 31 10 .10 0.80 .1/ 32 , 10 .10 0.80 .10 1/ 32 Merging subnet masks can save ... jay. 03 / 13 -17 :58: 02. 520 000 xxx.xxx.xxx.xxx :36 922 -> xxx.xxx.xxx.xxx : 23 TCP TTL:64 TOS:0x10 ID: 622 53 IpLen :20 DgmLen: 53 DF ***AP*** Seq: 0x15807E79 Ack: 0x695B 229 5 Win: 0x1 920 TcpLen: 32 TCP ... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 03 / 13 -17 :58:06. 410 000 xxx.xxx.xxx.xxx : 23 -> xxx.xxx.xxx.xxx :36 922 TCP TTL : 23 7 TOS:0x0 ID: 533 12 IpLen :20 DgmLen: 53 DF ***AP*** Seq: 0x695B 229 6 Ack: 0x15807E7B Win: 0x2798 TcpLen: 32 TCP...

76

528

0

snort 2.1 intrusion detection second edition phần 1 pptx

... content:"|04|"; depth :1; content:"| 81 F1 03 01 04 9B 81 F1 01| "; content:"sock"; content:"send"; reference:bugtraq,5 31 0 ; classtype:misc- attack; reference:bugtraq,5 31 1 ; reference:url,vil.nai.com/vil/content/v_999 92. htm; ... Unregistered Version - http://www.simpopdf.com 29 5 _Snort_ 2e_ 01. qxd 5/4/04 4:50 PM Page 12 12 Chapter 1 • Intrusion Detection Systems Figure 1. 1 NIDS Network INTERNET Mail DNS NIDS NIDS ... http://www.simpopdf.com 29 5 _Snort_ 2e_ 01. qxd 5/4/04 4:50 PM Page 10 10 Chapter 1 • Intrusion Detection Systems ■ Network-Based Intrusion Detection System (NIDS) ■ Host-Based Intrusion Detection System...

76

365

1

snort 2.1 intrusion detection second edition phần 2 ppt

... packets: INACTIVE ﬂush_data_diff_size: 500 Ports: 21 23 25 53 80 11 0 11 1 14 3 5 13 14 33 Emergency Ports: 21 23 25 53 80 11 0 11 1 14 3 5 13 14 33 HttpInspect Conﬁg: GLOBAL CONFIG Max Pipeline Requests: ... 0xF3 31 5 F 42 Ack: 0x5FAFDF2 Win: 0xE4B4 TcpLen: 20 E9 A2 19 CE 3A 0A C7 AA 75 EA 13 1D 02 6D 3C 12 : u m<. AA 96 1D F8 8E 73 C5 D1 B2 33 41 D4 88 DC A2 53 s 3A S CB 93 79 5E 1B FC 3A 5B 82 1E ... like that: 03 /11 - 12 : 44:45. 424 5 51 0:A0:CC :29 :1D : 13 -> 0 :20 :6F :3: 7:CC type:0x800 len:0x7A 66.80 .14 6.8 :22 00 -> 69 . 13 8 .22 5 . 13 7: 12 8 9 TCP TTL:64 TOS:0x10 ID:5 528 IpLen :20 DgmLen :10 8 DF ***AP***...

76

427

1

snort 2.1 intrusion detection second edition phần 5 pot

... http://www.simpopdf.com 29 5 _Snort2 e_06.qxd 5/6/04 12 : 51 PM Page 31 0 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 29 5 _Snort2 e_06.qxd 5/6/04 12 : 51 PM Page 28 1 Preprocessors • Chapter 6 28 1 ... http://www.simpopdf.com 29 5 _Snort2 e_06.qxd 5/6/04 12 : 51 PM Page 29 3 Preprocessors • Chapter 6 29 3 int num = 0; if(portlist == NULL || *portlist == '\0') { portlist = " ; 21 23 25 11 9"; ... Unregistered Version - http://www.simpopdf.com 29 5 _Snort2 e_06.qxd 5/6/04 12 : 51 PM Page 28 2 28 2 Chapter 6 • Preprocessors IAC SB SING HUMPTY-DUMPTY SE 25 5 25 0 53 1 24 0 There’s more to Telnet than this,...

76

343

0

snort 2.1 intrusion detection second edition phần 1 potx

... 04/06 - 21 : 12 : 49.87 611 6 3 82 1 92. 16 8 .1. 1 02 - 1 92. 16 8 .1. 1 01 - ICMP PING Windows 04/06 - 21 : 12 : 50.0085 43 408 1 92. 16 8 .1. 1 01 - 1 92. 16 8 .1. 1 02 - ICMP Echo Reply 04/06 - 21 : 12 : 50.8776 03 3 82 1 92. 16 8 .1. 1 02 - 1 92. 16 8 .1. 1 01 ... 04/06 - 21 : 12 : 52. 016 027 408 1 92. 16 8 .1. 1 01 - 1 92. 16 8 .1. 1 02 - ICMP Echo Reply 04/06 - 21 : 12 : 52. 879979 3 82 1 92. 16 8 .1. 1 02 - 1 92. 16 8 .1. 1 01 - ICMP PING Windows 04/06 - 21 : 12 : 53. 009 929 408 1 92. 16 8 .1. 1 01 - 1 92. 16 8 .1. 1 02 ... 04/06 - 21 : 13 : 03. 736 479 620 1 92. 16 8 .1. 1 8080 1 92. 16 8 .1. 1 01 31 3 4 SCAN Proxy Port 8080 attempt 04/06 - 21 : 13 :18 .39 4 430 38 5 1 92. 16 8 .1. 1 - 1 92. 16 8 .1. 1 01 - ICMP traceroute 04/06 - 21 : 13 :18 .408880 408 1 92. 16 8 .1. 101...

76

670

0

snort 2.1 intrusion detection second edition phần 7 ppsx

... teardrop_attack_cap 16 : 52: 06. 029 36 8 1 72. 16 .10 .15 1 .1 025 > 1 72. 16 .10 .20 0 . 13 5: [no cksum] udp 28 (frag 24 2 :36 @0+) (ttl 3, len 56) 16 : 52: 06.04 63 02 1 72. 16 .10 .15 1 > 1 72. 16 .10 .20 0: (frag 24 2:4 @24 ) (ttl 3, len ... Alert: [**] [11 3 :2: 1] (spp_frag2) Teardrop attack [**] 02/ 19 -16 : 52: 06.04 63 02 1 72. 16 .10 .15 1 -> 1 72. 16 .10 .20 0 UDP TTL :3 TOS:0x0 ID :24 2 IpLen :20 DgmLen :24 Frag Offset: 0x00 03 Frag Size: 0x0004 ... spoofed? # snort –dvr teardrop_attack.cap 02/ 19 -16 : 52: 06. 029 36 8 1 72. 16 .10 .15 1 -> 1 72. 16 .10 .20 0 UDP TTL :3 TOS:0x0 ID :24 2 IpLen :20 DgmLen:56 MF Frag Offset: 0x0000 Frag Size: 0x0 024 04 01 00 87...

76

579

0

snort 2.1 intrusion detection second edition phần 8 pps

... 12 : 24:49.9 6 13 61 1 92. 16 8 .10 . 13 .30 93 > 1 92. 16 8 .30 .17 1.ssh: P 36 : 72( 36 ) ack 1 win 16 1 92 (DF) **** Press <ENTER> to send the next packet: 12 : 24:49.97 018 7 1 92. 16 8 .30 .17 1.ssh > 1 92. 16 8 .10 . 13 .30 93: ... 12 : 24:58.97 12 0 5 1 92. 16 8 .10 . 13 .30 42 > 1 92. 16 8 .30 . 23 0.ssh: P 10 8 :14 4 (36 ) ack 1 win 16 500 (DF) **** Press <ENTER> to send the next packet: 12 : 24:58.9799 43 1 92. 16 8 .30 . 23 0.ssh > 1 92. 16 8 .10 . 13 .30 42: ... 1 92. 16 8 .10 . 13 .30 31 : P 11 8 :18 3( 65) ack 1 win 16 38 4 (DF) **** Press <ENTER> to send the next packet: 12 : 24:57. 011 31 1 1 92. 16 8 .10 . 13 .30 31 > 20 5 .18 8.8.49. 519 0: . ack 18 3 win 16 5 91 (DF) ****...

76

524

0

snort 2.1 intrusion detection second edition phần 9 pot

... 15 00 port 80 20 4 .17 4.x.x. 535 73 > 68.48.x.x.80: S 3 728 59 510 9 :3 728 59 510 9(0) win 5840 68.48.x.x.80 > 20 4 .17 4.x.x. 535 73: S 25 23 514 769 :25 23 514 769(0) ack 3 728 59 511 0win 57 92 20 4 .17 4.x.x. 535 73 ... 20 4 .17 4.x.x. 535 73 > 68.48.x.x.80: F 11 9 :11 9(0) ack 35 8 win 64 32 68.48.x.x.80 > 20 4 .17 4.x.x. 535 73: F 35 8 :35 8(0) ack 12 0 win 57 92 20 4 .17 4.x.x. 535 73 > 68.48.x.x.80: . ack 35 9 win 64 32 After ... http://www.simpopdf.com 29 5 _Snort_ 2e_ 12 . qxd 5/5/04 6 :10 PM Page 616 616 Chapter 12 • Active Response Figure 12 . 4 WWWBoard passwd.txt Access Packet Trace 20 4 .17 4.x.x. 535 73 > 68.48.x.x.80: . ack 35 8 win 64 32 20 4 .17 4.x.x. 535 73...

76

318

0

snort 2.1 intrusion detection second edition phần 10 doc

... 5 23 1 d2b2 0c 01 d1b2 13 31 c0b0 04 31 d2b2 R1 1 1 0x03c0 12 cd 805b 31 c0 b006 cd80 eb3f e8a5 ffff [1 ? 0x03d0 ff2f 6574 632 f 70 61 737 3 7764 787a 3a3a ./etc/passwdxz:: 0x03e0 30 3a 30 3a 3a2f 3a2f ... 0x0 030 15 0b a 733 4854 5450 2f 31 2e 31 20 34 30 34 3HTTP /1. 1.404 0x0040 20 4e 6f74 20 46 6f75 6e64 0d0a 44 61 7465 .Not.Found Date 0x0050 3a20 5765 642c 20 33 3 12 0 4d 61 722 0 32 3 0 :.Wed,. 31 . Mar .20 0x0060 ... 8050 89c3 31 c9 ( 1 P 1. 0x0 420 31 d2 b2 02 31 c0 b 0 13 cd80 5b59 53 31 d2b2 1 1 [YS1 0x0 430 1f 01 d1b2 08 31 c0b0 04cd 805b 31 c0 b006 1 [1 0x0440 cd80 31 c0 40cd 80a0 e7ff bfa0 e7ff bfa0 1. @ 0x0450...

69

829

0