Basics of Intrusion Detection Rules
A DNS buffer overflow attempt is carried in the query payload. You can analyze the DNS domain name and check the length of each query field so that the IDS can tell whether there is a buffer overflow attempt against the DNS domain. Another way is to look for overflow code in the query payload itself.

A denial of service attack on a POP3 server is carried out by submitting thousands of identical commands. The way to handle this attack is to count how many times the command is submitted and raise an alarm once the count exceeds a set number.

File access attacks on FTP servers work by submitting file or directory commands in an attempt to skip the normal login process. You can deploy a tracking mechanism that monitors whether an FTP session has logged in successfully; if you find someone trying to issue commands before logging in, raise an alarm.
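The POP3 and FTP checks just described are stateful: the IDS has to remember something about each session (a command count, or whether a login has completed) rather than inspect one packet at a time. The following is an added example, not code from the original article, showing both checks run over a constructed set of session events; the threshold, the list of post-login FTP commands and the event format are assumptions chosen for illustration.

```python
"""Stateful detection of two patterns the text describes:
 - POP3 denial of service: the same command repeated past a threshold
 - FTP pre-login access: file/directory commands before a successful login
Added example; thresholds and event format are assumptions."""
from collections import defaultdict

POP3_REPEAT_THRESHOLD = 1000  # assumed operational threshold; demo uses a lower one

# Commands that only make sense after login (assumed list, drawn from RFC 959)
FTP_POST_LOGIN_CMDS = {"CWD", "LIST", "NLST", "RETR", "STOR", "DELE", "MKD", "RMD"}


class Pop3RepeatDetector:
    """Count identical client commands per session and alert once above threshold."""

    def __init__(self, threshold=POP3_REPEAT_THRESHOLD):
        self.threshold = threshold
        self.counts = defaultdict(lambda: defaultdict(int))  # session -> cmd -> count
        self.alerted = set()  # (session, cmd) pairs already reported

    def observe(self, session, line):
        cmd = line.strip().split(" ", 1)[0].upper()
        self.counts[session][cmd] += 1
        key = (session, cmd)
        if self.counts[session][cmd] > self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return f"POP3 DoS suspected on {session}: {cmd} repeated more than {self.threshold} times"
        return None


class FtpLoginTracker:
    """Remember whether each FTP session has seen a 230 (logged in) reply,
    and alert on post-login commands that arrive before it."""

    def __init__(self):
        self.logged_in = defaultdict(bool)

    def observe(self, session, direction, line):
        line = line.strip()
        if direction == "server":
            if line.startswith("230"):  # RFC 959: "User logged in, proceed"
                self.logged_in[session] = True
            return None
        cmd = line.split(" ", 1)[0].upper()
        if cmd in FTP_POST_LOGIN_CMDS and not self.logged_in[session]:
            return f"FTP pre-login access attempt on {session}: {cmd}"
        return None


def run_demo():
    """Feed constructed events through both detectors; return the alerts raised."""
    pop3 = Pop3RepeatDetector(threshold=3)  # low threshold so the demo trips it
    ftp = FtpLoginTracker()
    # constructed events: (protocol, session, direction, line)
    events = [
        ("pop3", "10.0.0.5:51000", "client", "USER bob"),
        ("pop3", "10.0.0.5:51000", "client", "PASS x"),
        ("pop3", "10.0.0.5:51000", "client", "STAT"),
        ("pop3", "10.0.0.5:51000", "client", "STAT"),
        ("pop3", "10.0.0.5:51000", "client", "STAT"),
        ("pop3", "10.0.0.5:51000", "client", "STAT"),  # 4th repeat: exceeds 3
        ("ftp", "10.0.0.7:52000", "client", "RETR /etc/passwd"),  # no login at all
        ("ftp", "10.0.0.8:52001", "client", "USER alice"),
        ("ftp", "10.0.0.8:52001", "server", "331 Password required"),
        ("ftp", "10.0.0.8:52001", "client", "PASS secret"),
        ("ftp", "10.0.0.8:52001", "server", "230 User logged in"),
        ("ftp", "10.0.0.8:52001", "client", "RETR report.txt"),  # legitimate
    ]
    alerts = []
    for proto, session, direction, line in events:
        alert = None
        if proto == "pop3" and direction == "client":
            alert = pop3.observe(session, line)
        elif proto == "ftp":
            alert = ftp.observe(session, direction, line)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

Both detectors key their state on the session, which is what lets the FTP tracker distinguish the session that skipped login from the one that completed it, and what keeps the POP3 counter from being diluted by unrelated clients.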
As you can see from the above, the scope of rules is very broad, from the simplest header check to highly complex ones such as true tracking of connection state or extensive protocol analysis. In this article, we'll look at some simple rules and then discuss the complexity of developing them. Note that rule capabilities differ between IDS products, so the techniques described in this article may not be applicable to the product you use. For example, some network IDS products give customers only a weak ability to write rules or configure existing ones, while other products allow you to customize almost all of the existing rules and to define any rule you can think of. Another important factor to consider is that some IDS products can check only specific header fields and payload properties, while others can give you data on any part of any packet.
What rules are for

What is the purpose of intrusion detection rules? The answer is that different rules have different purposes. The result we need is that the system alerts you when an intrusion occurs. But let's think again: why do we need to customize or modify our own rules?

You may see some unusual traffic on the network and want to be alerted the next time such traffic occurs. You may have noticed that it has distinctive header fields and want to define a rule that matches this known signature. Or maybe you want to configure the IDS to detect things that are abnormal or suspicious rather than to detect attacks: anomaly detection rather than attack detection. Some rules can tell you which specific attack is being carried out, or whether an attacker is trying to target a vulnerability, while other rules merely indicate that there is abnormal behaviour without pointing out which specific attack it is. The former inevitably takes more time and resources, but it can give you more information, such as why you are being attacked or what the attacker's purpose is.
Header attributes

We have quickly described the types of rules; now let's look at a simple rule feature: header attributes. Some header attributes are clearly abnormal, so they give us many options in rules. The classic example of this kind of rule is a TCP packet with both the SYN and FIN flags set. There is a loophole in RFC 793 (which defines the TCP standard) that allows many tools to try to bypass firewalls, routers, and intrusion detection systems. Many attack programs include header attributes whose purpose is to violate RFCs, because many operating systems and applications assume RFC compliance and do not handle communication that breaks that assumption correctly. There are many toolkits out there that contain buggy or incomplete code, and the packets produced by these tools carry header attributes that violate RFCs. Such poorly written tools and various intrusion techniques provide discernible attributes for writing rules.

This sounds good, but note that not all operating systems and applications comply fully with the RFCs. In fact, many systems or programs violate an RFC in at least one respect. So, with the passage of time, a protocol may acquire new attributes that are not included in the RFC, and then new standards emerge, turning previously illegitimate behaviour into the accepted method. RFC 3168 is a good example. IDS rules that depend completely on the RFCs therefore lead to a lot of false positives. Of course, RFCs are still a significant part of rule development, because a lot of malicious attacks target the RFCs. Because of RFC updates and other factors (which we will discuss later), you need to review and update existing rules periodically.

While an illegal header attribute is a basic component of a rule, legitimate but suspicious header attributes are also important. For example, consider connections to suspicious ports such as 31337 or 27374 (these are often associated with Trojans): if you alert on such connections, the Trojan horse can be quickly identified. Unfortunately, some normal and benign traffic may also use the same ports. If you don't use more detailed rules to define the other features of the traffic, you will find it difficult to determine its true nature. Suspicious but legal properties, such as certain port numbers, are best considered together with other attributes.
Identifying possible rule components

The best way to develop rules based on header attributes is through an example. Synscan is a widely used scanning and probing tool. It was active in early 2001 because its code was often used as the first stage of the Ramen worm. This activity provides a good example, because the packets contain many distinctive characteristics. Here are some of the IP and TCP header characteristics present in the Ramen worm packets during early worm propagation. (Note that my IDS is configured to drop unsolicited traffic by default, so I can only see the initial packet of each attempt.)
1. Various source IP addresses
2. TCP source port 21, destination port 21
3. Type of service 0
4. IP identification number 39426
5. SYN and FIN flags set
6. Various sequence numbers
7. Various acknowledgement numbers
8. TCP window size 1028
Now that we know the characteristics of the Synscan packet's header, we can start thinking about how to make a good rule. Let's look for illegal, abnormal, and suspicious attributes, which in many cases correspond to a vulnerability the attacker is trying to exploit or to a particular technique the attacker uses. Although normal packet properties often restrict a rule to some subset of traffic, such a restriction does not make a good rule characteristic. For example, we can define the IP protocol attribute as 6 so that we only look at TCP packets. But other perfectly normal features, such as a type of service of 0, are of no use in developing the rule.
Some unusual features of the Synscan packets can be identified using the following observations:

1. Only the SYN and FIN flags are set, which is a clear marker of malicious behaviour.
2. Another feature is that these packets have various acknowledgement numbers but the ACK flag is not set. If the ACK flag is not set, the acknowledgement number should be 0.
3. There is also a suspicious feature: both the source and destination ports are set to 21, which is the port associated with FTP servers. If the two port numbers are the same, we call them reflexive. Apart from some special communications (such as specific NetBIOS communications), reflexive ports usually should not occur. Reflexive ports do not violate the TCP standard, but in most cases they are abnormal. In normal FTP communication, we see a high source port (greater than 1023) and destination port 21.
In this way, we found three features that can be used to make rules: SYN and FIN flags set, a non-zero acknowledgement number with no ACK flag set, and reflexive port 21. Two more things to note here: the TCP window size is often set to 1028, and the IP identification number is 39426 in all packets. Usually we expect a TCP window size greater than 1028; although this value is not very abnormal, it should still be noted. Similarly, the IP RFC specifies that IP identification numbers should have different values in different packets, so a fixed value is highly questionable.
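The five characteristics collected above can be encoded directly as header tests. The following is an added example, not code from the original article or from any IDS product: it represents the IP/TCP header fields the list refers to as a small data structure, filters on the "normal" attribute (protocol 6) as a prerequisite rather than as evidence, and reports which of the five Synscan features a packet matches. The header representation, the field names and the `required` tuning parameter are assumptions for illustration; the constructed sample packets only use documentation address ranges.

```python
"""Header-attribute matching for the Synscan/Ramen packet characteristics
described in the text. Added example; the Headers class, field names and
the `required` parameter are assumptions."""
from dataclasses import dataclass

# TCP flag bits as laid out in RFC 793
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Headers:
    """The IP and TCP header fields referenced by the text's characteristic list."""
    src_ip: str
    dst_ip: str
    protocol: int   # 6 = TCP
    ip_id: int      # IP identification number
    tos: int        # type of service
    src_port: int
    dst_port: int
    flags: int      # TCP flag bits
    seq: int        # sequence number
    ack: int        # acknowledgement number
    window: int     # TCP window size


def syn_fin(h):
    # A segment that both opens and closes a connection is never legitimate
    return h.flags & (SYN | FIN) == (SYN | FIN)


def ack_without_flag(h):
    # With the ACK flag clear, the acknowledgement number should be 0
    return not (h.flags & ACK) and h.ack != 0


def reflexive_ftp(h):
    # Normal FTP clients use an ephemeral (>1023) source port to reach port 21
    return h.src_port == 21 and h.dst_port == 21


def window_1028(h):
    return h.window == 1028


def ip_id_39426(h):
    # A fixed IP ID across packets contradicts the IP RFC's expectation
    return h.ip_id == 39426


# The five features the text identified, strongest indicator first
SYNSCAN_FEATURES = [
    ("SYN+FIN set", syn_fin),
    ("acknowledgement number set without ACK flag", ack_without_flag),
    ("reflexive port 21", reflexive_ftp),
    ("TCP window 1028", window_1028),
    ("IP ID 39426", ip_id_39426),
]


def match_synscan(h, required=3):
    """Return the names of the Synscan features `h` exhibits, or [] if fewer
    than `required` match. Protocol 6 is a filter (we only look at TCP), not
    evidence; requiring several features together follows the text's advice
    that a good rule combines more than one characteristic."""
    if h.protocol != 6:
        return []
    matched = [name for name, test in SYNSCAN_FEATURES if test(h)]
    return matched if len(matched) >= required else []


# Constructed sample packets (documentation address ranges)
SYNSCAN_PROBE = Headers("203.0.113.9", "192.0.2.10", 6, 39426, 0, 21, 21,
                        SYN | FIN, 0x3F2A91C0, 0x1D77E4A2, 1028)
NORMAL_FTP_SYN = Headers("192.0.2.55", "192.0.2.10", 6, 12873, 0, 40412, 21,
                         SYN, 0x2B11E000, 0, 65535)

if __name__ == "__main__":
    print("probe:", match_synscan(SYNSCAN_PROBE))
    print("normal:", match_synscan(NORMAL_FTP_SYN))
```

Setting `required=1` turns this into the simplest possible rule (any single feature, in practice SYN+FIN alone), which detects the behaviour but, as the text goes on to say, tells you nothing about why it is happening; raising `required` trades coverage of variants for confidence that what matched really is this tool.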
Choosing a rule

Since we have found five elements that can go into a rule, we have a number of different options for developing header-based rules, and a good rule should include more than one feature. If you just want to set up the simplest rule, you can match packets with the SYN and FIN flags set. Although this is a good way to identify bad behaviour, it can't give a reason why it is happening. Remember that SYN and FIN together are usually used to bypass firewalls and other devices; they can be used for scanning, information gathering, or attack. So, the