
Page 1: Chapter 1: Foundation - CAS – Central Authentication …my.fit.edu/~gmarin/CSE5636/TrafficAnalysisSection3.pdf• Two bytes “00 00” have 3 bits for frag flags and 13 bits for

Traffic Analysis 3-1

Traffic Analysis

Dr. G. A. Marin


Traffic Analysis 3-2

Packet Dissection with TCPDUMP

TCPDUMP gives the most information (and so does Ethereal), but sometimes you want to look at the hex data directly.

Example in Chapter 7 (sidestep program).

Basics:
• Need the right formats: IP, TCP, ICMP, etc.
• Use tcpdump -x to obtain hex (or Ethereal).
• The Ethernet header usually appears as the first 14 bytes in Ethereal output.
• The Ethernet header must be requested from tcpdump with the -e flag.


Traffic Analysis 3-3

• First six bytes (after the line number) are the destination MAC.
• Next six bytes are the source MAC.
• The 15th byte begins the IP header: “45” means version = 4 and header length = 5 words (20 bytes).
• IP header described in RFC 791.
• Next byte “00” is ToS.
• Next two bytes “00 3c” are the total length = 60.
• Two bytes “2a a6” = 10918 for the packet ID.
• Two bytes “00 00” have 3 bits for frag flags and 13 bits for offset.
• One byte “80” = 128 TTL.
• One byte “01” = ICMP for protocol.
• Two bytes “5d d8” for checksum.
• 32 bits “c0 a8 00 64” = 192.168.0.100 for source address.
• 32 bits “84 aa 6c 8c” = 132.170.108.140 for destination address.
• Then ICMP Type = 8 and Code = 0 implies echo request (ping).
• READ TEXT CHAPTER 7 FOR OTHER EXAMPLES AND SUGGESTIONS.
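The dissection walked through above, done in code: an added example (not from the slides) that parses the slide's IP and ICMP bytes from a constructed frame and verifies the header checksum. The two MAC addresses are placeholders, since the slide does not print them, and the ICMP payload is truncated after type and code.

```python
import struct

# Constructed frame: EtherType, IP header and ICMP type/code are the bytes quoted
# on the slide; the MAC addresses are placeholders and the ICMP data is omitted.
FRAME = bytes.fromhex(
    "00 11 22 33 44 55 "   # destination MAC (placeholder)
    "66 77 88 99 aa bb "   # source MAC (placeholder)
    "08 00 "               # EtherType 0x0800 = IPv4
    "45 00 00 3c 2a a6 00 00 80 01 5d d8 c0 a8 00 64 84 aa 6c 8c "  # IP header
    "08 00"                # ICMP type 8, code 0 = echo request
)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented.
    Run over a header that still contains its checksum field, the result is 0
    when the header is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dissect_frame(frame: bytes) -> dict:
    """Walk the frame the way the slide does: Ethernet, IPv4 header, ICMP type/code."""
    if len(frame) < 34:
        raise ValueError("need at least 14 Ethernet + 20 IP header bytes")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4: EtherType 0x%04x" % ethertype)
    ip = frame[14:]                          # the 15th byte begins the IP header
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, hdr_csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl_bytes = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl_bytes < 20 or len(ip) < ihl_bytes:
        raise ValueError("malformed IPv4 header")   # a stack would silently discard
    fields = {
        "dst_mac": ":".join("%02x" % b for b in frame[0:6]),
        "src_mac": ":".join("%02x" % b for b in frame[6:12]),
        "version": ver_ihl >> 4,
        "ihl_bytes": ihl_bytes,
        "tos": tos,
        "total_length": total_len,
        "ident": ident,
        "flags": flags_frag >> 13,           # 3 flag bits: reserved, DF, MF
        "frag_offset": flags_frag & 0x1FFF,  # 13-bit offset in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "checksum": hdr_csum,
        "checksum_ok": internet_checksum(ip[:ihl_bytes]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }
    if proto == 1 and len(ip) >= ihl_bytes + 2:   # ICMP: type and code follow the header
        fields["icmp_type"], fields["icmp_code"] = ip[ihl_bytes], ip[ihl_bytes + 1]
    return fields


if __name__ == "__main__":
    for name, value in dissect_frame(FRAME).items():
        print("%-13s %s" % (name, value))
```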


Traffic Analysis 3-4

NIDS Insertion Attack

Idea: Insert an extra packet (NIDS receives but target does not) to confuse pattern-matching algorithms on the IDS.

Do it in such a way that the target host won’t see the extra packet(s).

Good example in text: Suppose a hacker has established a backdoor account (REWT) on the target machine. The IDS knows to look for an attempted log-in to REWT on port 23 (telnet). But the hacker sends “R” in a correctly formatted packet, followed by “O” with an invalid TCP checksum. This is accepted by the IDS and not by the target host. The hacker then follows with “EWT”, which the IDS does not detect because “ROEWT” is OK. But the host sees a connection to “REWT.”


Traffic Analysis 3-5

NIDS Evasion Attack

Same idea, but insert an extra packet that the target host sees but the NIDS does not. For example, it is possible to include data in the opening SYN packet. The NIDS might not be programmed to accept it; the destination host does. In this case send “R” in the SYN and “EWT” in the first data packet.


Traffic Analysis 3-6

Interpreting IP Header Fields

Version number should be 4 or 6. Packet should be “silently discarded” (RFC 1121) if invalid.

Hacker won’t learn anything by sending another value unless router, NIDS, or target does not comply with RFC. If one can determine that NIDS forwards these to destination, then insertion attack can use this technique.


Traffic Analysis 3-7

Protocol Number

List available at www.iana.org/assignments/protocol-numbers

Later we will cover use of the nmap -sO option. Note that nmap assumes a protocol is listening if it does not receive an ICMP protocol unreachable.

Firewall may block this.


Traffic Analysis 3-8

DF Flag

We’ve covered the function. You may see particular TCP/IP stacks sending “discovery” frames with the DF flag set (to a new destination) to try to determine the MTU along the path. Some stacks set DF on particular packets and nmap uses this as a technique for identifying operating systems. If a packet arrives at a NIDS from a network with a larger MTU, then the DF flag may prevent the NIDS from forwarding to the target host. This technique can be used for an insertion attack.


Traffic Analysis 3-9

MF Flag

We’ve covered the function. One fingerprinting technique is to send an incomplete fragmentation to a listening port. Receipt of the first fragment sets a timer, which will eventually time out if no final packet is received. The timeout response may characterize the stack.


Traffic Analysis 3-10

IP Address Considerations

An internal address entering your network from an external interface is probably spoofed. (Firewall should block.)

Should not see packets with private addresses arriving from outside the network:

    The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

        10.0.0.0 - 10.255.255.255 (10/8 prefix)
        172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
        192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

    We will refer to the first block as "24-bit block", the second as "20-bit block", and to the third as "16-bit" block. Note that (in pre-CIDR notation) the first block is nothing but a single class A network number, while the second block is a set of 16 contiguous class B network numbers, and third block is a set of 256 contiguous class C network numbers.


Traffic Analysis 3-11

IP ID Number

New number is generated for each datagram sent.

Usually incremented by 1 but may be 254. Should wrap at 65,535.

If one observes packets from seemingly unrelated sources that are following a standard increment procedure across the different sources, this may be a sign of spoofing. A string of packets with identical ID also suggests an attack.


Traffic Analysis 3-12

Time to Live

Initial values depend on the TCP/IP stack used. Values given in textbook. Interesting to estimate whether a suspicious-looking packet seems to be coming from the right distance.

Estimate starting value with table 8.1 and then get your own estimate of hops with traceroute.

Many different sources arriving with the same TTL value may be a sign of an attack. Some tools randomize TTL. NOTE: Read the TTL & IP ID case study.


Traffic Analysis 3-13

Embedded Protocol Headers - TCP

Ports

Two 16-bit fields ranging 1-65,535.

In a scan the source port may increment regularly (like by 1). Destination port may be randomized (irregular).

If see many SYNs with constant source port, this is also likely to be a scan (nmap).

Note that scans to port 0 are immediately suspicious and are likely to be looking for resets to determine if a host is alive at that address.


Traffic Analysis 3-14

TCP and UDP Checksums

Computed including the pseudo-header, TCP (or UDP) header plus data.

Note the pseudo-header in Figure 9.1:
• Source and destination IP addresses
• 1 byte zero pad
• 1 byte protocol field
• 2 bytes TCP length (TCP header plus data)

Uses the same 1’s complement arithmetic as the IP header on 16-bit fields and includes the pseudo-header.

• May catch an IP destination address corruption that occurs within a router.


Traffic Analysis 3-15

TCP Sequence Numbers

Represent the first byte of data in a TCP segment (except when zero bytes with initial sequence number). Nmap attempts to use them for OS fingerprinting (starting numbers, increments, etc.).

Newer OS versions tend to use random numbers. Recall that guessing the seq number is needed for session hijacking.


Traffic Analysis 3-16

Acknowledgement numbers

Have covered the function. Value of zero (with flag set) is extremely unlikely.

Ack flag set and zero number may imply an nmap scan.

Ack flag set may generate a reset from the host (indicating host is alive).

Gets past router filtering because it looks like traffic from ongoing TCP connection.


Traffic Analysis 3-17

TCP Flags

We’ve covered the function. Various “mutant” combinations are used for fingerprinting operating systems. Packets sometimes get corrupted, so an out-of-spec packet does not NECESSARILY imply an attack.

Vern Paxson labels as crud the “innocuous implementation errors” that create traffic pattern pathologies similar to genuine attacks.


Traffic Analysis 3-18

TCP Congestion Control

end-end control (no network assistance)
transmission rate limited by congestion window size, Congwin, over segments:

w segments, each with MSS bytes, sent in one RTT:

throughput = (w * MSS) / RTT bytes/sec

[Figure: Congwin, a window of w segments.]


Traffic Analysis 3-19

TCP congestion control:

two “phases”:
• slow start (exponential increase)
• congestion avoidance (linear increase)

• On timeout, threshold set to half Congwin and Congwin set to 1 MSS.

important variables:
• Congwin
• threshold: defines the threshold between the two phases (slow start and congestion avoidance).

“probing” for usable bandwidth:
• ideally: transmit as fast as possible (Congwin as large as possible) without loss
• increase Congwin until loss (congestion)
• loss: decrease Congwin, then begin probing (increasing) again


Traffic Analysis 3-20

TCP Slowstart

exponential increase (per RTT) in window size (not so slow!)
loss event: timeout (Tahoe TCP) and/or three duplicate ACKs (Reno TCP)

Slowstart algorithm:

    initialize: Congwin = 1
    for (each segment ACKed)
        Congwin++
    until (loss event OR CongWin > threshold)

[Figure: Host A sends one segment to Host B; one RTT later two segments, then four segments, doubling each RTT over time.]


Traffic Analysis 3-21

TCP Congestion Avoidance

    /* slowstart is over */
    /* Congwin > threshold */
    Until (loss event) {
        every w segments ACKed:
            Congwin++
    }
    threshold = Congwin/2
    Congwin = 1          (1)
    perform slowstart

(1) TCP Reno skips slowstart (fast recovery) after three duplicate ACKs
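The slow start and congestion avoidance rules on these slides, as an added Python simulation (not part of the original slides): Congwin is tracked per ACK in segments, and a loss event (Tahoe timeout, or Reno three-duplicate-ACK fast recovery) is injected in chosen RTT rounds.

```python
def throughput_bytes_per_sec(w, mss, rtt):
    """Slide 3-18: w segments of MSS bytes delivered in one RTT."""
    return w * mss / rtt


def simulate_cwnd(rounds, threshold, loss_at=(), reno=False):
    """Return Congwin (in segments) at the start of each RTT round.

    Per ACK, slow start does Congwin++ while Congwin < threshold; congestion
    avoidance does Congwin++ once per Congwin ACKs, i.e. once per RTT.
    A round listed in loss_at loses its window: threshold = Congwin/2, then
    Congwin = 1 (Tahoe, timeout) or Congwin = threshold (Reno, three dup ACKs,
    which skips slow start).
    """
    cwnd, credit, trace = 1, 0, []
    for rtt in range(rounds):
        trace.append(cwnd)
        if rtt in loss_at:
            threshold = max(cwnd // 2, 1)
            cwnd = threshold if reno else 1
            credit = 0
            continue
        for _ in range(cwnd):            # one ACK per segment sent this round
            if cwnd < threshold:
                cwnd += 1                # slow start: window doubles per RTT
            else:
                credit += 1              # congestion avoidance: +1 per window
                if credit >= cwnd:
                    cwnd += 1
                    credit = 0
    return trace


if __name__ == "__main__":
    # Constructed scenario: threshold of 8 segments, one loss in round 6.
    print("Tahoe:", simulate_cwnd(10, threshold=8, loss_at={6}))
    print("Reno: ", simulate_cwnd(10, threshold=8, loss_at={6}, reno=True))
    print("10 segments of 1460 bytes per 100 ms RTT:",
          throughput_bytes_per_sec(10, 1460, 0.1), "bytes/sec")
```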


Traffic Analysis 3-22

ECN Flag Bits

Top two bits of TCP flag byte have been reserved but RFC 3168 defines them for use in supporting ECN.

Use is established in the 3-way handshake. If a router along the path sets the ECN bits (low order in the ToS field of the IP header), then the receiver sets the ECN-echo bit in the TCP flag byte. The sender notes the ECN-echo bit set and halves its current window size, plus sets the Congestion Window Reduced bit. Danger that existing NIDS will begin to alarm on this new use of ECN header bits.


Traffic Analysis 3-23

TCP segment structure

[Figure: TCP header, 32 bits wide. Fields: source port #, dest port #; sequence number; acknowledgement number (counting by bytes of data, not segments!); head len, not used, flags U A P R S F, receive window (# bytes rcvr willing to accept); checksum (Internet checksum, as in UDP), urg data pointer; options (variable length); application data (variable length).]

URG: urgent data (generally not used)
ACK: ACK # valid
PSH: push data now (generally not used)
RST, SYN, FIN: connection estab (setup, teardown commands)


Traffic Analysis 3-24

IP datagram format

[Figure: IPv4 header, 32 bits wide. Fields: ver (IP protocol version number), head.len (header length in bytes), type of service (“type” of data), length (total datagram length in bytes); 16-bit identifier, flgs, fragment offset (for fragmentation/reassembly); time to live (max number remaining hops, decremented at each router), upper layer (upper layer protocol to deliver payload to), Internet checksum; 32 bit source IP address; 32 bit destination IP address; Options (if any), e.g. timestamp, record route taken, specify list of routers to visit; data (variable length, typically a TCP or UDP segment).]


Traffic Analysis 3-25

OS Fingerprinting Example

Verbo.47322 > win98.netbios-ssn: SFP 861966446:861966446(0) win 3072 urg 0 <wscale 10,nop,mss 265,timestamp 1061109567[|tcp]>
win98.netbios-ssn > Verbo.47322: S 49904150:49904150(0) ack 861966447 win 8215 <mss 1460> (DF)

Windows 98 responds with Syn Ack even though Syn request packet was mutant.

Other examples in text.


Traffic Analysis 3-26

Hostile Retransmissions?

17:14:18.726864 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 15697)
17:14:21.781140 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 33873)
17:14:27.776662 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 46113)
17:14:39.775929 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 54353)

• Looks like multiple attempts to connect to a destination host (SYNs).
• IDs seem to change appropriately for a normal retry.
• 1st-2nd attempt separated by 3 seconds.
• 2nd-3rd attempt separated by 6 seconds.
• 3rd-4th attempt separated by 12 seconds. Looks ok.
• Source port stays the same.
• TCP sequence number does not change.
• THIS IS NORMAL behavior for retries when the destination does not respond.
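The retry checklist above, turned into detection logic as an added example (not from the slides): it parses the four capture lines plus three constructed lines and reports which SYN streams show the normal doubling backoff with a constant ISN and increasing IP ID, and which deserve a closer look.

```python
import re
from collections import defaultdict

# tcpdump -vv style SYN lines: the first four are the slide's capture, the last
# three are constructed to show a stream that does NOT look like a normal retry.
SAMPLE_LINES = """
17:14:18.726864 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 15697)
17:14:21.781140 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 33873)
17:14:27.776662 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 46113)
17:14:39.775929 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 54353)
17:20:00.000000 10.9.8.7.4444 > 192.168.44.63.3128: S 500:500(0) win 8192 <mss 1380> (DF) (ttl 64, id 100)
17:20:00.500000 10.9.8.7.4444 > 192.168.44.63.3128: S 500:500(0) win 8192 <mss 1380> (DF) (ttl 64, id 100)
17:20:01.000000 10.9.8.7.4444 > 192.168.44.63.3128: S 500:500(0) win 8192 <mss 1380> (DF) (ttl 64, id 100)
""".strip().splitlines()

SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): S "
    r"(?P<seq>\d+):\d+\(\d+\).*\(ttl (?P<ttl>\d+), id (?P<id>\d+)\)"
)


def parse_syn(line):
    """Pull timestamp (seconds since midnight), endpoints, ISN, TTL and IP ID from one line."""
    m = SYN_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    src, sport = m["src"].rsplit(".", 1)   # host.port: the port is the last dotted field
    dst, dport = m["dst"].rsplit(".", 1)
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "seq": int(m["seq"]), "ttl": int(m["ttl"]), "id": int(m["id"])}


def classify_syn_streams(lines, tolerance=0.25):
    """Group SYNs by (src, sport, dst, dport) and apply the slide's checklist:
    unchanged ISN, increasing IP ID and retry gaps that roughly double."""
    streams = defaultdict(list)
    for line in lines:
        p = parse_syn(line)
        if p:
            streams[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)
    verdicts = {}
    for key, pkts in streams.items():
        pkts.sort(key=lambda p: p["t"])
        if len(pkts) < 3:
            verdicts[key] = "too few SYNs to judge"
            continue
        same_seq = len({p["seq"] for p in pkts}) == 1
        ids_increase = all(a["id"] < b["id"] for a, b in zip(pkts, pkts[1:]))
        gaps = [b["t"] - a["t"] for a, b in zip(pkts, pkts[1:])]
        doubling = all(earlier > 0 and abs(later / earlier - 2.0) <= 2.0 * tolerance
                       for earlier, later in zip(gaps, gaps[1:]))
        if same_seq and ids_increase and doubling:
            verdicts[key] = "normal retry backoff"
        elif not same_seq:
            verdicts[key] = "new ISN each time: separate connection attempts, not retries"
        else:
            verdicts[key] = "same ISN but irregular timing or IP ID: inspect"
    return verdicts


if __name__ == "__main__":
    for stream, verdict in classify_syn_streams(SAMPLE_LINES).items():
        print("%s:%d -> %s:%d  %s" % (stream + (verdict,)))
```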


Traffic Analysis 3-27

Nifty Defense: LaBrea (Tar Pit)

LaBrea is installed on a local host and listens for ARP requests from a router (that may have been hit by a scan for active IP addresses). If no host generates an ARP response within seconds, the LaBrea host fakes an ARP reply. If a SYN follows, the LaBrea host fakes a SYN/ACK response.

The scanning host now completes the handshake and begins sending data. The LaBrea host never responds (with an ACK) to the sent data. The scanning host is “stuck in the tar pit” until it times out of all retransmission attempts.

Can be critical in delaying worm propagation. Code at www.hackbusters.net.


Traffic Analysis 3-28

RFC 1122, section 4.1:

    The User Datagram Protocol offers only a minimal transport service -- non-guaranteed datagram delivery -- and gives applications direct access to the datagram service of the IP layer. UDP is used by applications that do not require the level of service of TCP or that wish to use communications services (e.g., multicast or broadcast delivery) not available from TCP.

    UDP is almost a null protocol; the only services it provides over IP are checksumming of data and multiplexing by port number. Therefore, an application program running over UDP must deal directly with end-to-end communication problems that a connection-oriented protocol would have handled -- e.g., retransmission for reliable delivery, packetization and reassembly, flow control, congestion avoidance, etc., when these are required. The fairly complex coupling between IP and TCP will be mirrored in the coupling between UDP and many applications using UDP.


Traffic Analysis 3-29

UDP Format

Frame: MAC header | IP header | UDP header | Data :::

UDP header:
• Source port: 16 bits
• Destination port: 16 bits
• Length: 16 bits (includes header + data; header = 8 bytes)
• Checksum: 16 bits


Traffic Analysis 3-30

Use of UDP Ports

Normal use does not include port 0. Valid range is 1 to 65,535. Source host initiates with a port greater than 1023. Unlike TCP, UDP does not respond to an initial connection.

If host is alive, however, UDP will respond with ICMP port unreachable if port is not listening. Absence of “port unreachable” means listening?


Traffic Analysis 3-31

Analyze this


Traffic Analysis 3-32

Results

SYN connection attempts to various ports on dns.myplace.com. Reset from ftp only. Perhaps other responses blocked by a firewall. Other than reset, no response from the firewall.

Does not appear DNS server was compromised.


Traffic Analysis 3-33

Netbus Trojan

Looks for Windows hosts listening on port 12345. The trojan allows remote access and control of a Windows host through port 12345. Next page shows an excerpt of an actual scan. The scan hit 65,000 addresses in a class B network. Only one host responded; it turned out not to be infected.


Traffic Analysis 3-34

Netbus Scan


Traffic Analysis 3-35

Useful Linux Commands

netstat - show network status

SYNOPSIS
    netstat [-Aan] [-f address_family] [-M core] [-N system]
    netstat [-bdghimnrs] [-f address_family] [-M core] [-N system]
    netstat [-bdn] [-I interface] [-M core] [-N system] [-w wait]
    netstat [-p protocol] [-M core] [-N system]

DESCRIPTION
    The netstat command symbolically displays the contents of various network-related data structures. There are a number of output formats, depending on the options for the information presented. The first form of the command displays a list of active sockets for each protocol. The second form presents the contents of one of the other network data structures according to the option selected. Using the third form, with a wait interval specified, netstat will continuously display the information regarding packet traffic on the configured network interfaces. The fourth form displays statistics about the named protocol.


Traffic Analysis 3-36

fuser port/tcp

NAME
    fuser - identify processes using a file or file structure

SYNOPSIS
    fuser [-[c|f]kqu] files [[-] [-[c|f]kqu] files]

DESCRIPTION
    fuser outputs the process IDs of the processes that are using the files specified as arguments. Each process ID is followed by one of these letter codes, which identify how the process is using the file:

    If file has the form port/protocol or hostname:port/protocol and names no file or directory, fuser lists all processes using sockets bound or connected to the specified port.

This provides a process number that can be resolved with the ps command.


Traffic Analysis 3-37

For windows

Netstat usually works.

fport reports all open TCP/IP and UDP ports and maps them to the owning application (www.securityfocus.com). This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.

Usage:

    C:\>fport
    FPort v2.0 - TCP/IP Process to Port Mapper
    Copyright 2000 by Foundstone, Inc.
    http://www.foundstone.com


Traffic Analysis 3-38

    Pid   Process       Port  Proto  Path
    392   svchost   ->  135   TCP    C:\WINNT\system32\svchost.exe
    8     System    ->  139   TCP
    8     System    ->  445   TCP
    508   MSTask    ->  1025  TCP    C:\WINNT\system32\MSTask.exe

    392   svchost   ->  135   UDP    C:\WINNT\system32\svchost.exe
    8     System    ->  137   UDP
    8     System    ->  138   UDP
    8     System    ->  445   UDP
    224   lsass     ->  500   UDP    C:\WINNT\system32\lsass.exe
    212   services  ->  1026  UDP    C:\WINNT\system32\services.exe

The program contains five (5) switches. The switches may be utilized using either a '/' or a '-' preceding the switch. The switches are:

Usage:
    /?   usage help
    /p   sort by port
    /a   sort by application
    /i   sort by pid
    /ap  sort by application path


Traffic Analysis 3-39

Analyze:


Traffic Analysis 3-40

Results

• Fragments closely spaced in time (excerpt from large dataset).
• No beginning fragment seen (none was found, so a firewall probably blocked the initial fragment).
• Repeated fragments for fragments in the same fragment train.
• No final fragment.

DoS attack against the router at 192.168.133.0


Traffic Analysis 3-41

Analyze


Traffic Analysis 3-42

Results (with -vv)

Three different source IPs attempting connections to three different internal destination IPs. Source ports and seq numbers don’t change, which implies retries.

Destination is squid web proxy server (3128).

Spoofed?
• Can’t tell from IP ID increments (too far apart in time).
• Retries on different intervals.
• TCP options not identical.
• Probably not spoofed.
• TTL analysis showed most had traceroute hop count credibly close to indicated hop count.

Traffic from Trojan called RingZero.


Traffic Analysis 3-43

Writing TCPdump Filters

General format:

<protocol header>[offset:length] <relation> <value>

Example: tcpdump ‘ip[9] = 1’ will select all IP packets that have protocol number 1 (ICMP) at byte 9 of the IP header. Begin counting with byte 0.

Single quotes keep the UNIX shell from trying to interpret the filter.

You can also create a file, such as /tmp/filter, and put “ip[9] = 1” in it. Then enter tcpdump -F /tmp/filter.

Note that ip[12:4] specifies the IP source address. Default length is 1 byte, so ip[12:1] is ip[12].


Traffic Analysis 3-44

IP datagram format

[Figure: the IPv4 header layout repeated from slide 3-24 (ver, head.len, type of service, length; 16-bit identifier, flgs, fragment offset; time to live, upper layer, Internet checksum; 32 bit source IP address; 32 bit destination IP address; Options (if any); data).]


Traffic Analysis 3-45

TCP segment structure

[Figure: the TCP header layout repeated from slide 3-23 (source port #, dest port #; sequence number; acknowledgement number; head len, not used, flags U A P R S F, receive window; checksum, urg data pointer; options; application data).]


Traffic Analysis 3-46

Bit Mask

If you need to obtain values for fewer than 8 bits (a byte), you can & with a bit mask.

Example: ip[0] & 0x0f will zero out the first 4 bits of byte 0 (the IP version) and yield the IP header length. Thus ‘ip[0] & 0x0f = 5’ will select all datagrams in which the header length is 5 32-bit words, or 20 bytes. ‘ip[0] & 0x0f > 5’ will select all datagrams having IP options.


Traffic Analysis 3-47

Filter Examples

Catch all packets to broadcast address of *.*.*.0 or *.*.*.255:

‘ip[19] = 0x00 or ip[19] = 0xff’
Alternatively ‘ip[19] = 0 or ip[19] = 255’ (decimal)

‘not src net 192.168 and (ip[19] = 0x00 or ip[19] = 0xff)’ will catch all broadcast packets except those from the 192.168.0.0 network.

not is the negation operator. src is a macro indicating traffic from the specified source. net is a macro indicating a subnet.


Traffic Analysis 3-48

Filter Examples (continued)

To specify that the “more flag” is set (so fragmentation is used) write either ‘ip[6] & 0x20 != 0’ or ‘ip[6] & 0x20 = 32’, because byte 6 is 00(mf)00000 and the mask will be 00100000.

Also, ‘udp and dst port 31337’ will retrieve UDP packets with destination port 31337.

www.snort.org/port.html has pointers on which ports to examine.

If you need a range of values, you must use the offset notation:

udp[2:2] >= 3300 and udp[2:2] < 34000 will find UDP packets for which the destination port is in the specified range.


Traffic Analysis 3-49

Try these:

• Detect echo reply.
• Detect the router reply “destination port unreachable.”

Use next slide.


Traffic Analysis 3-50

ICMP: Internet Control Message Protocol

used by hosts, routers, gateways to communicate network-level information:
• error reporting: unreachable host, network, port, protocol
• echo request/reply (used by ping)

network-layer “above” IP: ICMP msgs carried in IP datagrams

More at www.iana.org/assignments/icmp-parameters

Type  Code  Description
0     0     echo reply (ping)
3     0     dest. network unreachable
3     1     dest host unreachable
3     2     dest protocol unreachable
3     3     dest port unreachable
3     6     dest network unknown
3     7     dest host unknown
4     0     source quench (congestion control - not used)
8     0     echo request (ping)
9     0     route advertisement
10    0     router discovery
11    0     TTL expired
12    0     bad IP header

Note: ICMP is often used for “mapping.”


Traffic Analysis 3-51

Answers

An echo reply is ICMP type 0, code 0 (icmp[0] = 0) and (icmp[1] = 0)

Destination port unreachable is type 3, code 3

(icmp[0] = 3) and (icmp[1] = 3)



Traffic Analysis 3-53

TCP examples:

Only the SYN flag is set:

Flags byte (tcp[13]) bit layout, most to least significant bit: reserved, reserved, URG, ACK, PSH, RST, SYN, FIN

Byte offset 13 of the TCP header:

tcp[13] & 0xff = 2
or
tcp[13] = 2 (because it is an exact numeric value)

Traffic Analysis 3-55

TCP examples:

Both SYN and FIN flags set:

Flags byte (tcp[13]) bit layout, most to least significant bit: reserved, reserved, URG, ACK, PSH, RST, SYN, FIN

Byte offset 13 of the TCP header:

tcp[13] = 3

Note: you must be certain that the reserved bits are not being used. What if you are not?

tcp[13] & 0x3f = 3

Traffic Analysis 3-57

TCP examples:

ACK flag set but the acknowledgment field is zero:

Flags byte (tcp[13]) bit layout, most to least significant bit: reserved, reserved, URG, ACK, PSH, RST, SYN, FIN

Byte offset 13 of the TCP header:

(tcp[13] & 0x10 = 16) and (tcp[8:4] = 0)

Note: this catches certain NMAP fingerprinting scans.

Traffic Analysis 3-58

Look for: legitimate SYN packets carrying data.

• First: the SYN flag alone is set: tcp[13] = 2.
• Second: total length of the IP datagram in bytes: ip[2:2]
• Third: IP header length in bytes: (ip[0] & 0x0f) * 4. The low nibble holds the header length in 4-byte words, so multiply by 4 to convert to bytes.
• Fourth: TCP header length in bytes: (tcp[12] & 0xf0) / 4. The data offset sits in the upper nibble of tcp[12], in 4-byte words: divide by 16 to bring the nibble down, then multiply by 4 to convert words to bytes; the net effect is a divide by 4.
• Result: (tcp[13] = 2) and (ip[2:2] - (ip[0] & 0x0f) * 4 - (tcp[12] & 0xf0) / 4) != 0
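The byte-offset filters from slides 51 through 58 (icmp[0], tcp[13], tcp[8:4], ip[2:2], the header-length arithmetic), evaluated in Python over hand-built packets. This is an added example, not code from the lecture or its textbook: the build_ipv4/tcp_header/icmp_header builders, the sample packets and the ip()/l4() helpers (stand-ins for tcpdump's ip[n:m] and tcp[n:m] syntax) are all constructed here, with checksums left at zero. It also shows the two edge cases the slides warn about: a set reserved bit defeating the exact tcp[13] = 3 test, and IP/TCP options defeating a naive "total length minus 40" test.

```python
"""Slide-style byte-offset filters evaluated over constructed packets (added example)."""
import struct


def build_ipv4(proto, payload, ihl_words=5):
    """Minimal IPv4 header (RFC 791 layout) followed by payload.
    ihl_words=5 is the usual 20-byte header; larger values are zero-padded
    to stand in for IP options.  Addresses are the ones from slide 3."""
    ver_ihl = (4 << 4) | ihl_words                 # ip[0]: version 4, IHL in 32-bit words
    total_length = ihl_words * 4 + len(payload)    # ip[2:2]
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_length, 0x2AA6, 0, 128, proto, 0,
                      bytes([192, 168, 0, 100]), bytes([132, 170, 108, 140]))
    return hdr + b"\x00" * (ihl_words * 4 - 20) + payload


def tcp_header(flags, ack_num=0, data_offset_words=5):
    """TCP header; flags is the raw value of tcp[13].  Extra data-offset words are
    zero-padded to stand in for TCP options (MSS, SACK, ...)."""
    hdr = struct.pack("!HHIIBBHHH", 1025, 80, 1, ack_num,
                      data_offset_words << 4,     # tcp[12]: data offset in the upper nibble
                      flags, 8192, 0, 0)
    return hdr + b"\x00" * (data_offset_words * 4 - 20)


def icmp_header(icmp_type, code):
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)


def ip(pkt, off, size=1):
    """tcpdump's ip[off:size]: big-endian integer at byte offset off of the IP header."""
    return int.from_bytes(pkt[off:off + size], "big")


def l4(pkt, off, size=1):
    """tcpdump's tcp[off:size] / icmp[off:size]: offset counted from the transport
    header, which starts (ip[0] & 0x0f) * 4 bytes in.  (tcpdump also refuses to
    match non-first fragments; that check is omitted here.)"""
    start = (ip(pkt, 0) & 0x0F) * 4
    return int.from_bytes(pkt[start + off:start + off + size], "big")


def is_echo_reply(pkt):                 # icmp[0] = 0 and icmp[1] = 0
    return ip(pkt, 9) == 1 and l4(pkt, 0) == 0 and l4(pkt, 1) == 0


def is_port_unreachable(pkt):           # icmp[0] = 3 and icmp[1] = 3
    return ip(pkt, 9) == 1 and l4(pkt, 0) == 3 and l4(pkt, 1) == 3


def is_syn_only(pkt):                   # tcp[13] = 2
    return ip(pkt, 9) == 6 and l4(pkt, 13) == 2


def is_syn_fin_exact(pkt):              # tcp[13] = 3: misses packets with a reserved bit set
    return ip(pkt, 9) == 6 and l4(pkt, 13) == 3


def is_syn_fin_masked(pkt):             # tcp[13] & 0x3f = 3: ignores the two reserved bits
    return ip(pkt, 9) == 6 and (l4(pkt, 13) & 0x3F) == 3


def is_ack_with_zero_acknum(pkt):       # (tcp[13] & 0x10 = 16) and (tcp[8:4] = 0)
    return ip(pkt, 9) == 6 and (l4(pkt, 13) & 0x10) == 16 and l4(pkt, 8, 4) == 0


def is_syn_with_data(pkt):              # tcp[13] = 2 and ip[2:2] - IHL*4 - (tcp[12]&0xf0)/4 != 0
    if ip(pkt, 9) != 6 or l4(pkt, 13) != 2:
        return False
    payload_len = ip(pkt, 2, 2) - (ip(pkt, 0) & 0x0F) * 4 - (l4(pkt, 12) & 0xF0) // 4
    return payload_len != 0


PREDICATES = {
    "echo reply": is_echo_reply,
    "port unreachable": is_port_unreachable,
    "SYN only": is_syn_only,
    "SYN+FIN exact": is_syn_fin_exact,
    "SYN+FIN masked": is_syn_fin_masked,
    "ACK with zero ack number": is_ack_with_zero_acknum,
    "SYN carrying data": is_syn_with_data,
}


def classify(pkt):
    """Names of the slide filters that this packet satisfies, in PREDICATES order."""
    return [name for name, pred in PREDICATES.items() if pred(pkt)]


# Constructed sample packets; no real capture is involved.
SAMPLES = {
    "echo_reply": build_ipv4(1, icmp_header(0, 0)),
    "port_unreachable": build_ipv4(1, icmp_header(3, 3)),
    "syn": build_ipv4(6, tcp_header(0x02)),
    "syn_with_data": build_ipv4(6, tcp_header(0x02) + b"GET / HTTP/1.0\r\n"),
    "syn_with_options": build_ipv4(6, tcp_header(0x02, data_offset_words=6), ihl_words=6),
    "syn_fin": build_ipv4(6, tcp_header(0x03)),
    "syn_fin_reserved": build_ipv4(6, tcp_header(0x43)),     # SYN+FIN plus a reserved bit
    "ack_zero": build_ipv4(6, tcp_header(0x10, ack_num=0)),
    "ack_normal": build_ipv4(6, tcp_header(0x10, ack_num=0x1234)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18s} -> {classify(pkt)}")
```

The "syn_with_options" sample has a 24-byte IP header and a 24-byte TCP header: its total length is 48, so a shortcut such as ip[2:2] != 40 would flag it as carrying data, while the slide's header-length arithmetic correctly reports an empty payload.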

Traffic Analysis 3-59

SNORT

Marty Roesch (Sourcefire) developed SNORT (1998) to be a NIDS that:

• Works on multiple operating systems
• Includes a hex dump
• Displays all network packets in the same format
• Includes flexible filter rules

Now includes 75,000+ lines of code.
Supports Linux, FreeBSD, NetBSD, OpenBSD, Windows, Sparc Solaris, …

Traffic Analysis 3-60

Snort Architecture

Packet Sniffer

Preprocessor
• Identifies packet types, does initial screening
• Preprocessor plug-ins can be added and deleted

Detection Engine
• Takes data from the preprocessor and checks it against the rule set
• Rules are updated frequently by the community at large and can be downloaded. Grouped: Trojans, Buffer Overflows, Application specific, …

Alerting and Logging
• Log files, transmitted, Windows popups, databases, …

Traffic Analysis 3-61

Some of the available add-ons.

Page 62: Chapter 1: Foundation - CAS – Central Authentication …my.fit.edu/~gmarin/CSE5636/TrafficAnalysisSection3.pdf• Two bytes “00 00” have 3 bits for frag flags and 13 bits for

Traffic Analysis 3-62

Page 63: Chapter 1: Foundation - CAS – Central Authentication …my.fit.edu/~gmarin/CSE5636/TrafficAnalysisSection3.pdf• Two bytes “00 00” have 3 bits for frag flags and 13 bits for

Traffic Analysis 3-63

Traffic Analysis 3-63

Basic SNORT Sniffing

• snort -dev
  – -v puts Snort in packet sniffing mode
  – -d includes IP, TCP, UDP, ICMP headers
  – -e includes data link layer headers
• Format of output is similar to tcpdump:

Traffic Analysis 3-64

Add Logging and Alerts

snort -dev -l {logging-directory} -h {home-subnet-in-slash-notation}
Ex: snort -dev -l /var/adm/snort/logs -h 10.10.1.0/24
To collect in binary mode (faster): snort -b -L {logfile}

Can read with Snort, or with TCPDUMP, or with Ethereal… Can filter with any of these.

For example, to ignore all traffic coming from host 10.10.1.15 on port 21:

snort -vd -r {file} 'not (src host 10.10.1.15 and src port 21)'

The parentheses matter: "not host X and src port Y" parses as "(not host X) and (src port Y)", which keeps only port-Y traffic from other hosts instead of excluding that one host's port-Y traffic.

To create a NIDS one adds rules in a configuration file:

snort -dev -l /var/adm/snort/logs -h 10.10.1.0/24 -c /var/adm/snort/rules.conf

Traffic Analysis 3-65

Positioning SNORT

Traffic Analysis 3-66

SNORT Concerns

• Snort may miss packets.
• Snort may generate false positives or false negatives.
• May be painful to upgrade (changes in the format of rulesets, for example).
• Snort may be the target of attacks.
• The system on which Snort resides may be vulnerable because of other applications like SSH, HTTP, HTTPS, MySQL… which are useful with Snort. Need good system administration!

Snort core code is relatively secure.

Traffic Analysis 3-67

Snort Rules

alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags:SF; msg:"SYN-FIN scan";)

Rule header followed by rule options. This rule triggers when TCP traffic is not from the 10.1.1 net (any source port), is destined to the 10.1.1 net (any destination port), and has the SYN and FIN flags set. On a match, it generates the message.

"alert" is the action field. Options include alert, log, pass, activate, dynamic.

Traffic Analysis 3-68

Action Field

• alert: instructs Snort to create an entry in the alert file and an entry in the log file.
• log: instructs Snort only to make a log entry.
• pass: instructs Snort to drop any matching packet.
• activate: instructs Snort to alert on a match and to turn on dynamic rules.
• dynamic: instructs Snort that the rule is dormant unless/until turned on by an activate.

It is also possible to define your own rules (www.snort.org).

Traffic Analysis 3-69

Protocol Field

Snort currently supports four protocols:
• IP (v4)
• TCP
• UDP
• ICMP

ARP, RARP, GRE, OSPF, RIP, IPX are being considered.

Traffic Analysis 3-70

Source/Destination IP Address

May specify one (or multiple) host(s) or subnet(s).
Use CIDR notation: x.y.z.w/nn
Format: address/netmask, or any, or [address/netmask,address/netmask,…]

Note: leave no spaces in the list.
Variables can be defined, and certain key variables exist, such as $HOME_NET (used in existing Snort rules).

Traffic Analysis 3-71

Source & destination ports

Specific number, range of numbers, or the keyword any. Examples:

• Static port: 111
• All ports: any
• Range: 33000:34000
• Negation: !80
• Less than or equal: :1023
• Greater than or equal: 1024:

Quirk: a port must be specified even with ICMP, usually any.

Traffic Analysis 3-72

Direction Indication

->  Must be traveling from source to destination in order to trigger the rule.
<>  May be traveling in either direction to trigger the rule.

Traffic Analysis 3-73

Selected rule options

• msg: assigns a message to the outcome of a triggered rule.
• logto: specifies a filename to which to log the activity.

alert udp any any -> 192.168.5.0/24 31335 \
    (msg:"Trinoo port"; logto:"DDOS";)

If the above rule is triggered, the output on a typical UNIX host will go to /var/log/snort/DDOS.

Traffic Analysis 3-74

Rule Options (study chapter 14)

• ttl: examines the time-to-live field for a specific value.
• id: examines the identification field for a specific value.
• dsize: looks for data equal to, less than, or greater than a specified value.
• seq (sequence): checks the TCP sequence number for a specific value.
• ack: checks the acknowledgment number for a specific value.
• flags: can check for specified flags.
• content: looks for specific payload content.

Be careful because of the performance implications.
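A small matcher for the rule syntax covered on slides 67 through 74: the action and protocol fields, address specs (CIDR, negation, bracketed lists, $HOME_NET), the port forms from slide 71, both direction operators, and the flags, ttl, dsize, content and logto options. This is an added example and not Snort's own code; the Rule class, the VARS table (a stand-in for Snort's configuration variables) and the packet dictionaries it is run against are all constructed for illustration, and the option parser is deliberately simple (a ";" inside a quoted msg would need a real tokenizer, and content: handles plain strings only, not |hex| bytes).

```python
"""Snort-style rule header and option matching over constructed packets (added example)."""
import ipaddress
import re

# Assumed variable table; real Snort defines these in its configuration file.
VARS = {"$HOME_NET": "10.1.1.0/24"}

# Bit values in the TCP flags byte (tcp[13]) for the letters used by flags:.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

# action proto src sport (-> | <>) dst dport (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_addr(spec):
    """'any', 'a.b.c.d/nn', '!a.b.c.d/nn', '[net,net]' or $VARIABLE -> (negated, networks)."""
    spec = VARS.get(spec, spec)
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return False, None
    nets = [ipaddress.ip_network(s, strict=False) for s in spec.strip("[]").split(",")]
    return negated, nets


def addr_matches(parsed, address):
    negated, nets = parsed
    if nets is None:                                  # 'any'
        return True
    return any(ipaddress.ip_address(address) in net for net in nets) != negated


def parse_port(spec):
    """'111', 'any', '33000:34000', ':1023', '1024:' or '!80' -> (negated, (low, high))."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return False, (0, 65535)
    if ":" in spec:
        low, high = spec.split(":", 1)
        return negated, (int(low) if low else 0, int(high) if high else 65535)
    return negated, (int(spec), int(spec))


def port_matches(parsed, port):
    negated, (low, high) = parsed
    return (low <= port <= high) != negated


def dsize_matches(spec, n):
    """dsize:300, dsize:>300 or dsize:<300 against a payload length n."""
    if spec[0] == ">":
        return n > int(spec[1:])
    if spec[0] == "<":
        return n < int(spec[1:])
    return n == int(spec)


class Rule:
    def __init__(self, text):
        m = RULE_RE.match(text)
        if not m:
            raise ValueError("unparseable rule: " + text)
        (self.action, self.proto, src, sport, self.direction, dst, dport, opts) = m.groups()
        self.src, self.sport = parse_addr(src), parse_port(sport)
        self.dst, self.dport = parse_addr(dst), parse_port(dport)
        self.options = {}                              # key -> value, quotes stripped
        for opt in opts.split(";"):
            if opt.strip():
                key, _, val = opt.partition(":")
                self.options[key.strip()] = val.strip().strip('"')

    def _header_matches(self, pkt, src, sport, dst, dport):
        return (addr_matches(src, pkt["src"]) and port_matches(sport, pkt["sport"])
                and addr_matches(dst, pkt["dst"]) and port_matches(dport, pkt["dport"]))

    def _options_match(self, pkt):
        o, payload = self.options, pkt.get("payload", b"")
        if "flags" in o:   # exact flag set; reserved bits ignored, like tcp[13] & 0x3f
            want = sum(FLAG_BITS[c] for c in o["flags"])
            if (pkt.get("flags", 0) & 0x3F) != want:
                return False
        if "ttl" in o and pkt.get("ttl") != int(o["ttl"]):
            return False
        if "dsize" in o and not dsize_matches(o["dsize"], len(payload)):
            return False
        if "content" in o and o["content"].encode() not in payload:
            return False
        return True

    def matches(self, pkt):
        """pkt: dict with proto, src, sport, dst, dport and optional flags, ttl, payload."""
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        ok = self._header_matches(pkt, self.src, self.sport, self.dst, self.dport)
        if not ok and self.direction == "<>":          # bidirectional: try the reverse
            ok = self._header_matches(pkt, self.dst, self.dport, self.src, self.sport)
        return ok and self._options_match(pkt)


if __name__ == "__main__":
    r = Rule('alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags:SF; msg:"SYN-FIN scan";)')
    probe = {"proto": "tcp", "src": "192.0.2.7", "sport": 40000,
             "dst": "10.1.1.5", "dport": 22, "flags": 0x03}          # constructed packet
    print(r.action, r.options["msg"], r.matches(probe))
```

The slide's SYN-FIN rule matches a constructed probe from outside the 10.1.1 net and, like the tcp[13] & 0x3f filter, still matches when a reserved bit is also set; the same probe sent from inside the net, or with only SYN set, does not match. For the <> form the header is tried in both orientations, which is what lets a rule written as $HOME_NET 1024: <> 203.0.113.0/24 :1023 fire on the reply direction too.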