Passive Host Auditing Using Snort And Other Free Tools by John Ives aka. jives.
The Importance Of Auditing
 Identify assets to better protect
 Inventory of what you have and where it is on your network

The State Of Auditing Today
 Relies primarily on active network scanning
 Makes heavy use of client agents
 Difficult to impossible in chaotic, decentralized environments

What Is Passive Auditing
 Uses packets already on the network to answer questions about the hosts
 Does not affect end-system logging
 Uses black hat scans for white hat purposes
 Aids policy enforcement
 Ultimately it's using event correlation to profile a host

What Can Be Monitored Passively
 OS
 OS updates
 Antivirus/firewall/spyware updates
 Network services (e.g. telnet, ftp, http, etc.)
 Open ports
 Service versions
 Network application versions
 Policies

What Are Its Downsides?
 Getting started can be labor intensive
 It requires a lot of data to build an accurate picture
 It requires a commitment of time and money
 It can be bypassed, but most end users won't
 It actually benefits from an ugly network!

Example Rule (AV/Firewall update)
Symantec LiveUpdate

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
    (msg:"PHA - user-agent Symantec liveupdate"; \
    flow:to_server,established; \
    content:"|0d0a|User-Agent\: Symantec LiveUpdate"; nocase; \
    content:"|0d0a|Host\: liveupdate.symantecliveupdate.com"; nocase; \
    threshold: type limit, track by_src, count 1, seconds 1800; )

Example packets (AV/Firewall update)
Symantec LiveUpdate

IP:  > hlen=20 TOS=00 dgramlen=283 id=946B MF/DF=0/1 frag=0 TTL=126 proto=TCP cksum=CC44
TCP: port  > 80 seq= ack= hlen=20 (data=243) UAPRSF= wnd=65535 cksum=74B4 urg=0
DATA:
    GET /symantec$20antivirus$20corporate$20client$20nt_9.0_english_livetri.zip HTTP/1.0
    Accept: */*
    Cache-Control: max-age=0
    User-Agent: Symantec LiveUpdate
    Host: liveupdate.symantecliveupdate.com
    Pragma: no-cache

Example Rule (OS Update)
Windows updating for KB896358 (MS05-026)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
    (msg:"PHA - Windows Update download KB896358 MS05-026"; \
    content:"GET |2F|"; depth:5; nocase; \
    content:"kb896358"; nocase; \
    content:".exe HTTP|2F|1.1|0d0a|"; nocase;)

Example packets (OS Update)
Windows ME updating for KB896358 (MS05-026)

IP:  > hlen=20 TOS=00 dgramlen=282 id=2498 MF/DF=0/1 frag=0 TTL=125 proto=TCP cksum=EE37
TCP: port  > 80 seq= ack= hlen=20 (data=242) UAPRSF= wnd=17520 cksum=8456 urg=0
DATA:
    GET /msdownload/update/v /cabpool/WindowsME-KB ENU_7e9ddccce2504c0ee808dffaf52c841.EXE HTTP/1.1
    Accept: */*
    Range: bytes=
    User-Agent: Progressive Download
    Host: download.windowsupdate.com
    Cache-Control: no-cache

Example Rule (Anti-Spyware Detection)
Microsoft Windows Malicious Software Removal Tool

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
    (msg:"PHA - Windows Spyware Tool KB890830"; \
    content:"GET |2F|"; depth:5; nocase; \
    content:"kb890830"; nocase; \
    content:".exe HTTP|2F|1.1|0d0a|"; nocase; \
    content:"|0d0a|User-Agent: Microsoft BITS"; nocase;)

Example packets (Spyware Detection)
Microsoft Windows Malicious Software Removal Tool

IP:  > hlen=20 TOS=00 dgramlen=326 id=0611 MF/DF=0/1 frag=0 TTL=125 proto=TCP cksum=4CFC
TCP: port  > 80 seq= ack= hlen=20 (data=286) UAPRSF= wnd=65535 cksum=0FBC urg=0
DATA:
    GET /msdownload/update/v /cabpool/windows-kb v1.5- delta-enu_21d25af a6b2dee41479b947829a529db.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: identity
    Range: bytes=
    User-Agent: Microsoft BITS/6.6
    Host: au.download.windowsupdate.com
    Connection: Keep-Alive

Example Rule (OS Update Check-In)
RedHat looking for updates via up2date

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
    (msg:"PHA - RedHat Update Up2Date check-in"; flow:to_server,established; \
    content:"GET |2F|"; depth:5; nocase; \
    content:"header.info HTTP/1.1|0d0a|"; nocase; \
    content:"|0d0a|User\-agent\: Up2date\/"; nocase;)

Example packets (OS Update Check-In)
RedHat updating via up2date

IP:  > hlen=20 TOS=00 dgramlen=263 id=1C11 MF/DF=0/1 frag=0 TTL=61 proto=TCP cksum=B667
TCP: port  > 80 seq= ack= hlen=32 (data=211) UAPRSF= wnd=1460 cksum=F466 urg=0
DATA:
    GET /pub/fedora/linux/core/3/i386/os/headers/header.info HTTP/1.1
    Host: download.fedora.redhat.com
    Accept-Encoding: identity
    If-Modified-Since: Wed, 03 Nov :16:42 GMT
    User-Agent: RHN-Applet/

Example Rule (another OS update)
RedHat updating via up2date

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
    (msg:"PHA - RedHat Update Up2Date rpm download"; flow:to_server,established; \
    content:"GET |2F|"; depth:5; nocase; \
    content:".rpm HTTP/1.1|0d0a|"; nocase; \
    content:"|0d0a|User\-agent\: Up2date\/"; nocase;)

Example packets (another OS update)
RedHat updating via up2date

IP:  > hlen=20 TOS=00 dgramlen=263 id=1C11 MF/DF=0/1 frag=0 TTL=61 proto=TCP cksum=B667
TCP: port  > 80 seq= ack= hlen=32 (data=211) UAPRSF= wnd=1460 cksum=F466 urg=0
DATA:
    GET /pub/fedora/linux/core/updates/4/i386//kernel _FC4.i686.rpm HTTP/1.1
    Accept-Encoding: identity
    Host: download.fedora.redhat.com
    Connection: close
    User-agent: Up2date /Yum

Misc. Example Rules

SYN packets for p0f

alert tcp $HOME_NET any -> any any \
    (msg:"PHA syn packet capture for p0f"; \
    flags:S; threshold: type limit, track by_src, count 1, seconds 1800; )

IIS 5.1 on Windows XP

alert tcp $HOME_NET 80 -> $EXTERNAL_NET any \
    (msg:"PHA - IIS 5.1 running on Windows XP"; flow: from_server; \
    content:"|0D 0A|Server\: Microsoft-IIS/5.1|0D 0A|"; nocase; \
    threshold: type limit, track by_src, count 1, seconds 1800;)
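The rules above rely on three Snort options: content (with |hex| escapes and backslash-escaped characters), depth, and nocase. The following script is an added example and is not code from the slides or from the author's rule set. It re-implements just those three options so a rule's content tests can be tried offline against a request body, and runs them over request bodies constructed to resemble the packets on the slides (paths, version strings and the "sample" path segment are invented sample values, not captures). The rule header, flow and threshold are not modelled.

```python
"""Check the PHA rules' content/depth/nocase tests against HTTP request bodies.

Added example, not code from the slides: a minimal re-implementation of the
Snort 'content' option as used by the PHA rules, so the user-agent and URL
patterns can be checked offline. flow, threshold and the rule header are
not modelled. The request bodies below are constructed sample data.
"""

# (spec, depth, nocase) tuples, copied from the slides' rules.
RULES = {
    "PHA - user-agent Symantec liveupdate": [
        (r"|0d0a|User-Agent\: Symantec LiveUpdate", None, True),
        (r"|0d0a|Host\: liveupdate.symantecliveupdate.com", None, True),
    ],
    "PHA - Windows Update download KB896358 MS05-026": [
        (r"GET |2F|", 5, True),
        (r"kb896358", None, True),
        (r".exe HTTP|2F|1.1|0d0a|", None, True),
    ],
    "PHA - Windows Spyware Tool KB890830": [
        (r"GET |2F|", 5, True),
        (r"kb890830", None, True),
        (r".exe HTTP|2F|1.1|0d0a|", None, True),
        (r"|0d0a|User-Agent: Microsoft BITS", None, True),
    ],
    "PHA - RedHat Update Up2Date check-in": [
        (r"GET |2F|", 5, True),
        (r"header.info HTTP/1.1|0d0a|", None, True),
        (r"|0d0a|User\-agent\: Up2date\/", None, True),
    ],
}

# Constructed request bodies with CRLF line endings as seen on the wire.
LIVEUPDATE = (
    b"GET /symantec$20antivirus$20corporate$20client$20nt_9.0_english_livetri.zip HTTP/1.0\r\n"
    b"Accept: */*\r\nCache-Control: max-age=0\r\nUser-Agent: Symantec LiveUpdate\r\n"
    b"Host: liveupdate.symantecliveupdate.com\r\nPragma: no-cache\r\n\r\n")
WINME_KB896358 = (
    b"GET /msdownload/update/sample/cabpool/WindowsME-KB896358-ENU.EXE HTTP/1.1\r\n"
    b"Accept: */*\r\nUser-Agent: Progressive Download\r\n"
    b"Host: download.windowsupdate.com\r\nCache-Control: no-cache\r\n\r\n")
MSRT_BITS = (
    b"GET /msdownload/update/sample/cabpool/windows-kb890830-v1.5-delta-enu.exe HTTP/1.1\r\n"
    b"Accept: */*\r\nUser-Agent: Microsoft BITS/6.6\r\n"
    b"Host: au.download.windowsupdate.com\r\nConnection: Keep-Alive\r\n\r\n")
UP2DATE_CHECKIN = (
    b"GET /pub/fedora/linux/core/3/i386/os/headers/header.info HTTP/1.1\r\n"
    b"Host: download.fedora.redhat.com\r\nUser-agent: Up2date/4.4\r\n\r\n")
# Same check-in, but with the agent string the slide's packet actually shows.
RHN_APPLET_CHECKIN = UP2DATE_CHECKIN.replace(b"Up2date/4.4", b"RHN-Applet/2.1")


def decode_content(spec):
    """Turn a Snort content string into bytes.

    |0d 0a| hex blocks become the bytes they name; a backslash makes the next
    character literal (Snort requires that for ; " and \\, and the slides'
    rules also use it before : - and /).
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch == "|":
            end = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:end])
            i = end + 1
        elif ch == "\\" and i + 1 < len(spec):
            out += spec[i + 1].encode("latin-1")
            i += 2
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)


def content_matches(payload, spec, depth=None, nocase=False):
    """One 'content' option: the pattern must lie entirely within the first
    'depth' bytes of the payload (the whole payload when depth is unset)."""
    pattern = decode_content(spec)
    window = payload if depth is None else payload[:depth]
    if nocase:
        return pattern.lower() in window.lower()
    return pattern in window


def rule_matches(payload, contents):
    """Snort ANDs a rule's content options; all of them must match."""
    return all(content_matches(payload, spec, depth, nocase)
               for spec, depth, nocase in contents)


def classify(payload):
    """msg strings of every rule whose content tests the payload satisfies."""
    return [msg for msg, contents in RULES.items() if rule_matches(payload, contents)]


if __name__ == "__main__":
    for name, body in [("LiveUpdate", LIVEUPDATE), ("WinME KB896358", WINME_KB896358),
                       ("MSRT via BITS", MSRT_BITS), ("up2date check-in", UP2DATE_CHECKIN),
                       ("RHN-Applet check-in", RHN_APPLET_CHECKIN)]:
        print(f"{name:22s} -> {classify(body)}")
```

One thing this makes visible: the check-in packet on the slide carries User-Agent: RHN-Applet/, which does not satisfy the Up2date user-agent content of the check-in rule, so the RHN-Applet variant above produces no match. A rule meant to catch both agents needs a second content alternative (or a pcre) rather than the single Up2date string.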

Tools
 Snort
 p0f
 tcpdump
 tcpshow and/or ngrep
 Bro IDS
 Custom scripts
 Database
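The slides describe passive auditing as event correlation to profile a host, with custom scripts and a database as the glue between Snort, p0f and the inventory. The script below is an added example of that correlation step; it is not the author's code. It joins Snort alerts from the PHA rules (in Snort's "fast" alert format) with p0f 2's default OS output on the audited host's address, since every PHA rule on the slides puts that host in the source field, and then runs one policy check over the result. All addresses, sids, timestamps and p0f lines are constructed sample data, and the mapping from msg strings to profile fields is this example's own choice.

```python
"""Correlate PHA Snort alerts with p0f fingerprints into per-host profiles.

Added example, not code from the slides or the author's scripts: alerts from
the PHA rules and p0f's OS guesses are joined on the audited host's address
to build an inventory, then a simple policy check is run over it. Alert lines
follow Snort's 'fast' alert format and OS lines p0f 2's default output; every
address, sid and timestamp below is constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample input. Every PHA rule on the slides puts the audited host
# in the source field: client rules are $HOME_NET any -> $EXTERNAL_NET 80 and
# the IIS banner rule is $HOME_NET 80 -> $EXTERNAL_NET any. sids are
# placeholders from the local-rule range.
SNORT_FAST_ALERTS = """\
05/09-09:12:01.000001  [**] [1:1000001:1] PHA - user-agent Symantec liveupdate [**] [Priority: 0] {TCP} 10.1.2.3:1055 -> 198.51.100.20:80
05/09-09:15:44.000002  [**] [1:1000002:1] PHA - Windows Update download KB896358 MS05-026 [**] [Priority: 0] {TCP} 10.1.2.3:1061 -> 198.51.100.21:80
05/09-09:20:10.000003  [**] [1:1000004:1] PHA - RedHat Update Up2Date check-in [**] [Priority: 0] {TCP} 10.1.2.7:33012 -> 198.51.100.30:80
05/09-10:02:19.000004  [**] [1:1000006:1] PHA - IIS 5.1 running on Windows XP [**] [Priority: 0] {TCP} 10.1.2.9:80 -> 203.0.113.5:2231
05/09-10:05:00.000005  [**] [1:1000003:1] PHA - Windows Spyware Tool KB890830 [**] [Priority: 0] {TCP} 10.1.2.3:1070 -> 198.51.100.22:80
"""

P0F_OUTPUT = """\
10.1.2.3:1055 - Windows XP SP1+, 2000 SP3 (up: 3 hrs) -> 198.51.100.20:80 (distance 2, link: ethernet/modem)
10.1.2.7:33012 - Linux 2.6 (newer, 1) (up: 12 hrs) -> 198.51.100.30:80 (distance 3, link: ethernet/modem)
10.1.2.9:1039 - Windows XP SP1+, 2000 SP3 (up: 40 hrs) -> 198.51.100.40:80 (distance 1, link: ethernet/modem)
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")
P0F_RE = re.compile(r"^(?P<src>[\d.]+):\d+ - (?P<os>.+?) -> [\d.]+:\d+")
UPTIME_RE = re.compile(r"\s*\(up: [^)]*\)\s*$")          # strip p0f's uptime guess
KB_RE = re.compile(r"\bKB(\d+)", re.IGNORECASE)
BANNER_RE = re.compile(r"^PHA - (?P<service>.+?) running on (?P<os>.+)$")


def empty_profile():
    return {"os": None, "os_banner": None, "av_update": None, "msrt": None,
            "os_updates": set(), "update_mechanism": None, "services": set(),
            "alerts": 0, "last_seen": None}


def apply_alert(host, ts, msg):
    """Map one PHA alert message onto the profile fields it is evidence for."""
    low = msg.lower()
    banner = BANNER_RE.match(msg)
    if banner:                               # server banner seen in a response
        host["services"].add(banner["service"])
        host["os_banner"] = banner["os"]
    elif "liveupdate" in low:                # AV/firewall signature update
        host["av_update"] = ts
    elif "spyware tool" in low:              # MSRT fetched via BITS
        host["msrt"] = ts
    elif "windows update" in low:            # patch download; record the KB
        host["os_updates"].update("KB" + kb for kb in KB_RE.findall(msg))
    elif "up2date" in low:                   # Red Hat / Fedora update check-in
        host["update_mechanism"] = "up2date"


def build_profiles(alert_text, p0f_text):
    """Join alerts and p0f lines on the source address; returns {ip: profile}."""
    profiles = defaultdict(empty_profile)
    for line in p0f_text.splitlines():
        m = P0F_RE.match(line)
        if m:
            profiles[m["src"]]["os"] = UPTIME_RE.sub("", m["os"])
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        host = profiles[m["src"]]
        host["alerts"] += 1
        host["last_seen"] = m["ts"]
        apply_alert(host, m["ts"], m["msg"])
    return dict(profiles)


def policy_findings(profiles):
    """Hosts p0f calls Windows for which no AV update has been observed."""
    return sorted(ip for ip, p in profiles.items()
                  if (p["os"] or "").startswith("Windows") and p["av_update"] is None)


if __name__ == "__main__":
    profiles = build_profiles(SNORT_FAST_ALERTS, P0F_OUTPUT)
    for ip, p in sorted(profiles.items()):
        print(ip, p)
    print("Windows hosts with no AV update seen:", policy_findings(profiles))
```

In practice the profiles would be written to the database the slides list, with last_seen used to age entries out; the policy check is the "aids policy enforcement" point on the earlier slide reduced to one query over the correlated data.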

Thank You
 Thank you for coming today
 If you are interested in getting more information or volunteering to help out, you can contact me at
 Updated scripts, rules, etc. will be available at