Table of Contents 3 - IDS types 8 - Ethernet Frame 9 - IP frame 10 - TCP frame 11 - UDP frame 12 - ICMP Frame 13 - 3-way handshake 15 - TCP flags 16 -

Slides:



Advertisements
Similar presentations
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Advertisements

COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.
CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
Introduction1-1 message segment datagram frame source application transport network link physical HtHt HnHn HlHl M HtHt HnHn M HtHt M M destination application.
CSEE W4140 Networking Laboratory Lecture 6: TCP and UDP Jong Yul Kim
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
CSE551: Computer Network Review r Network Layers r TCP/UDP r IP.
1 Reading Log Files. 2 Segment Format
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.
TCP: Transmission Control Protocol Overview Connection set-up and termination Interactive Bulk transfer Timers Improvements.
Instructor: Sam Nanavaty TCP/IP protocol. Instructor: Sam Nanavaty Version – Allows for the evolution of the protocol IHL (Internet header length) – Length.
Transmission Control Protocol (TCP) Basics
CP476 Internet Computing TCP/IP 1 Lecture 3. TCP / IP Objective: A in-step look at TCP/IP Purposes and operations Header specifications Implementations.
CS3505 The Internet and Info Hiway transport layer protocols : TCP/UDP.
Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
CSEE W4140 Networking Laboratory Lecture 6: TCP and UDP Jong Yul Kim
Lecture 23: Network Primer 7/15/2003 CSCE 590 Summer 2003.
Institute of Technology Sligo - Dept of Computing Semester 2 Chapter 9 The TCP/IP Protocol Suite Paul Flynn.
TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
Transport Layer TCP and UDP IS250 Spring 2010
ECE Prof. John A. Copeland fax Office: Klaus 3362.
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 12 Transmission Control Protocol (TCP) Basics.
Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES Internet Control Message Protocol ICMP author -- J. Postel, September The purpose.
ICMP (Internet Control Message Protocol) Computer Networks By: Saeedeh Zahmatkesh spring.
January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.
6.1. Transport Control Protocol (TCP) It is the most widely used transport protocol in the world. Provides reliable end to end connection between two hosts.
TCP/IP Basic Theory V1.2. Course Outline OSI model and layer function TCP/IP protocol suite Transfer Control Protocol Internet Protocol Address Resolution.
1 LAN Protocols (Week 3, Wednesday 9/10/2003) © Abdou Illia, Fall 2003.
TCP : Transmission Control Protocol Computer Network System Sirak Kaewjamnong.
© Introduction to Internetworking – Alex Kooijman 04/04/2000 Introduction to internetworking Part Two.
CCNA 1 v3.0 Module 11 TCP/IP Transport and Application Layers.
 network appliances to filter network traffic  filter on header (largely based on layers 3-5) Internet Intranet.
TCP/IP Honolulu Community College Cisco Academy Training Center Semester 2 Version 2.1.
Networked Graphics Building Networked Virtual Environments and Networked Games Chapter 3: Overview of the Internet.
Cisco Networking Academy S2 C9 TCP/IP. ensure communication across any set of interconnected networks Stack components such as protocols to support file.
Internet Protocol Formats. IP (V4) Packet byte 0 byte1 byte 2 byte 3 data... – up to 65 K including heading info Version IHL Serv. Type Total Length Identifcation.
1 Introduction to TCP/IP. 2 OSI and Protocol Stack OSI: Open Systems Interconnect OSI ModelTCP/IP HierarchyProtocols 7 th Application Layer 6 th Presentation.
Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF
Slide #1 CIT 380: Securing Computer Systems TCP/IP.
1 CSE 5346 Spring Network Simulator Project.
1 Figure 3-5: IP Packet Total Length (16 bits) Identification (16 bits) Header Checksum (16 bits) Time to Live (8 bits) Flags Protocol (8 bits) 1=ICMP,
© Jörg Liebeherr (modified by Malathi Veeraraghavan) 1 Overview Formats, Data Transfer, etc. Connection Management.
Transport Protocols.
or call for office visit,
Lecture 21: Network Primer 7/9/2003 CSCE 590 Summer 2003.
Two Transport Protocols Available Transmission Control Protocol (TCP) User Datagram Protocol (UDP) Provides unreliable transfer Requires minimal – Overhead.
Introduction To TCP/IP Networking Mr. Zeeshan Ali, Asst. Professor
Introduction to TCP/IP networking
or call for office visit, or call Kathy Cheek,
or call for office visit,
Chapter 17 and 18: TCP is connection oriented
TCP/IP Internetworking
Process-to-Process Delivery
TCP.
© 2003, Cisco Systems, Inc. All rights reserved.
TCP/IP Internetworking
TCP - Part I Karim El Defrawy
TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
46 to 1500 bytes TYPE CODE CHECKSUM IDENTIFIER SEQUENCE NUMBER OPTIONAL DATA ICMP Echo message.
32 bit destination IP address
Transport Layer 9/22/2019.
TCP Connection Management
Presentation transcript:

Table of Contents 3 - IDS types 8 - Ethernet Frame 9 - IP frame 10 - TCP frame 11 - UDP frame 12 - ICMP Frame way handshake 15 - TCP flags 16 - ICMP types 17 - Shadow IDS 23 - Snort IDS 25 - Auditing 26 - Resources

Author Jerry Shenk D&E Communications

IDS Types Host Based –Log files –Programs Network based –Monitor traffic –Sensor/Analyzer

Network IDS types Signature based –Looks for specific bad packet signatures Anomoly based –Normal traffic is defined. Other traffic is reported

Network IDS responses Pager/ –“real-time” vs. false alarms Blocking –proactive vs. DOS prone Resetting Periodic wrapup –Analyst may not check status

Network IDS - Commercial Cisco Secure IDS (NetRanger) ISS RealSecure Axent Intruder Alert (Raptor) NWS Dragon CheckPoint Cyber Attack Defense System

Network IDS - free Shadow - Anomoly based –Based on tcpdump –filters are fully configurable although hard to follow –traffic is captured and processed hourly - perl Snort - Signature based –filters are fully configurable and require detailed info but easier than tcpdump

Ethernet Encapsulation Frame Header IP Datagram Header ICMP/UDP/TCP Header Frame Data Area IP Data Protocol Data Interface Layer Internet Layer Transport Layer

IP Packets versionhdr lnth type of service total length of datagram identification numberfragment offset time-to-live (ttl)protocolheader checksum source IP address (4 bytes) destination IP address (4 bytes) options field (variable length, max length 40 bytes) data 20 bytes RDFMF

TCP Packets source port numberdestination port number sequence number acknowledgement number hdr lgthreserved U A P R S F window size TCP checksumurgent pointer options field (variable length, max length 40 bytes) data 20 bytes

UDP Packets source port number destination port number UDP datagram length UDP checksum optional data

ICMP packets typecodechecksum contents depend on type and code (echo has sender and sequence info)

3-way Handshake & Termination client (port = 4247/tcp) server (port = 23/tcp) SYN SYN - ACK ACK [session proceeds] [ACK set for each packet in the of session] ACK FIN ACK ACK Either the client or the server may initiate the closing sequence

3-way Handshake & Termination S = SYN flag is set F = FIN flag is set. = none of the SFRP flags are set (ack and urg are displayed differently) (x) = x data bytes in the packet win = advertised window size mss = max segment size announcement DF = don’t fragment flag is set Establishment client.4247 > server.23: S : (0) win 512 server.23 > client.4247: S : (0) ack win (DF) client.4247 > server.23:. ack win (DF) Termination client.4247 > server.23: F : (0) ack win server.23 > client.4247:. ack win (DF) server.23 > client.4247: F : (0) ack win (DF) client.4247 > server.23:. ack win (DF)

TCP Flags FIN : sender is finished sending data -- initiate a half close SYN : synchronize the sequence numbers to establish a connection RST : reset (abort) the connection PSH : tells receiver not to buffer the data before passing it to the application (interactive applications use this) ACK : acknowledgement number is valid URG : urgent pointer is valid (often results from an interrupt)

ICMP Types msg#description 0echo reply 3destination unreachable 4 source quench 5redirect 8 echo request 9router advertisement 10router solicitation 11time exceeded msg#description 12parameter problem 13 timestamp request 14 timestamp reply 15information request 16 information reply 17address mask request 18address mask reply

Shadow initial screen

Shadow sample hourly screen

Shadow Search

Shadow Search 2

Shadow tcpdump sensor filter (ip and not ( (igrp or dst port 520 or port 524 or port 1677 or port 1494) or (net mask and ((icmp[0]=8) or (icmp[0]=0))) ) )

Shadow tcpdump analyzer filters Analyzer filters - broken into sections to make them easier to read and avoid a size limitation. Use the same syntax as the sensor filter but are much larger. –tcp.filter –udp.filter –icmp.filter –ip.filter

Snort rules SYN/FIN scan –alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS198/SYN FIN Scan"; flags: SF;) DNS zone transfer –alert TCP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS212/dns-zone-transfer"; content: "| |"; flags: AP; offset: "2"; depth: "16";)

Snort responses logging resetting

Auditing The Network Scan your network - web based More thorough Nessus - runs on unix - free, Windows client Satan/Saint/Sara - runs on unix - free Cisco NetSonar - runs on NT Cybercop (Balista) - nmap - unix, command-line, very flexible

Resources Port numbers – (port search link) – – notes/iana/assignments/port-numbers

Resources Security Sites – – – – –

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.