Basic knowledge of intrusion detection rules

A network intrusion detection system (IDS) rule is a pattern that we want to find in network traffic. To give you a basic idea of the different kinds of rules, let us look at some examples of what a rule can look for and how each can be identified:

1. A connection attempt from a specific (fixed) IP address. This is easily identified by checking the source address field in the IP header.
2. A packet with an illegal combination of TCP flags. This is found by comparing the flags set in the TCP header against the known legal and illegal flag combinations.
3. An e-mail containing a particular virus. The IDS can compare the subject of each message, or the name of each attachment, against the subjects and attachment names associated with known viruses.
4. A DNS buffer overflow attempt contained in the payload of a query. By parsing the DNS fields and checking the length of each of them, the IDS can tell whether an overflow attempt is present in a DNS field. Another approach is to look for overflow exploit code in the query payload.
5. A denial-of-service attack on a POP3 server carried out by issuing the same command thousands of times. One way to detect this attack is to count how many times the command is issued and raise an alarm once that count exceeds a configured threshold.
6. A file access attack on an FTP server, in which files or directories are requested in an attempt to skip the login step that should precede them. A state-tracking rule can monitor FTP traffic for a successful login and raise an alarm when someone tries to proceed without having logged in.

As you can see, the scope of rules is very broad, ranging from the simplest header checks to highly complex ones such as tracking connection state or extensive protocol analysis. In this article we will look at some simple rules and then discuss the complexities involved in developing them. Note that rule capabilities differ between IDS products, so the techniques described here may not be applicable to the product you use. For example, some network IDS products give customers very little ability to write their own rules or configure existing ones, while other products allow you to customize almost all of the existing rules and to define any rule you can think of. Another important factor to consider is that some IDS products can only examine the payload and particular header fields, while others let you match on any part of any packet.

What functions do rules serve?

What is the purpose of intrusion detection rules? The answer is that different rules have different purposes. What we want is for the system to alert us when an intrusion occurs. But let us think again about why we would want to customize or modify our own rules. You may see some unusual traffic on the network and want to be alerted the next time such traffic occurs. You may have noticed that it has a particular header attribute, and you want to define a rule that matches that known characteristic. Or you may want to configure the IDS to detect things that are abnormal or suspicious, rather than only detecting known attacks. Some rules can tell you which specific attack is being carried out, or which vulnerability an attacker is trying to exploit, while other rules merely indicate that abnormal behavior is occurring without pointing to a specific attack. The former will cost more time and resources to develop, but can give you more information, such as why you are being attacked or what the attacker's purpose is.

Header attributes

We have briefly described the types of rules; now let us look at a simple rule feature: header attributes. Some header attributes are clearly abnormal, so we have many options for building rules around them. The classic example of such a rule is a TCP packet with both the SYN and FIN flags set. RFC 793 (which defines the TCP standard) has a gap that many tools exploit to try to bypass firewalls, routers and intrusion detection systems. Many attack programs include header attributes whose purpose is to violate RFCs, because many operating systems and applications are written on the assumption that RFCs are complied with, and errors in handling traffic that violates them are never corrected. There are also many toolkits containing buggy or incomplete code, and the packets produced by these tools likewise contain header attributes that violate RFCs. Such poorly written tools and intrusion techniques provide distinctive attributes for writing rules.

This sounds good, but note that not all operating systems and applications fully conform to RFCs. In fact, many systems and programs violate an RFC in at least one respect. Moreover, protocols change over time: new attributes not covered by an RFC may appear, and then a new standard emerges that turns previously unjustified behavior into accepted practice. RFC 3168 is a good example. So IDS rules that depend completely on RFCs lead to many false positives. Of course, RFCs are still an important part of rule development, because many malicious attacks are aimed at RFC violations. Because of RFC updates and other factors (which we will discuss later), you need to review and update existing rules periodically.

While an illegal header attribute is a basic building block of rules, legal but suspicious header attributes are also important. For example, consider connections to suspicious ports such as 31337 or 27374 (ports often associated with Trojans): if such a connection triggers a warning, the Trojan can be identified quickly. Unfortunately, some normal, benign traffic may use the same ports. If you do not use more detailed rules that define other characteristics of the traffic, you will find it difficult to determine its true nature. Suspicious but legal attributes, such as certain port numbers, are best considered together with other attributes.

Identifying possible rule components

The best way to develop rules based on header attributes is through an example. Synscan is a widely used scanning and probing tool. It was active in early 2001 because its code was used to build the first stage of the Ramen worm. This activity provides a good example because its packets contain many distinctive characteristics. Here are the IP and TCP header attributes seen in the packets during the early propagation of the Ramen worm. (Note that my IDS is configured to drop unsolicited traffic by default, so I could only see the initial packet of each attempt.)

1. Various source IP addresses
2. TCP source port 21, destination port 21
3. Type of service 0
4. IP identification number 39426
5. SYN and FIN flags set
6. Various sequence numbers
7. Various acknowledgment numbers
8. TCP window size 1028

Now that we know the characteristics of the Synscan packet headers, we can start thinking about how to make a good rule. Let us look for illegal, abnormal and suspicious attributes, which in many cases correspond to an attacker trying to exploit a vulnerability, or to a special technique the attacker uses. Although normal packet attributes often restrict the traffic to be examined, such a restriction does not make a good rule characteristic. For example, we would define the normal IP protocol attribute as 6 so that we only look at TCP packets, but other perfectly normal features, such as a type of service of 0, are of no use in developing the rule.

Some unusual features of the Synscan packets can be identified as follows:

1. Only the SYN and FIN flags are set. This is a clear sign of malicious behavior.
2. Another feature is that these packets have varying acknowledgment numbers, but the ACK flag is not set. If the ACK flag is not set, the acknowledgment number should be 0.
3. A further suspicious feature is that both the source and destination ports are set to 21, the port associated with FTP servers. If the two port numbers are the same, we call them reflexive. Apart from some special traffic (such as certain NetBIOS communication), reflexive ports usually should not occur. Reflexive ports do not violate the TCP standard, but in most cases they are abnormal. In normal FTP traffic we would see a high port (greater than 1023) as the source port and 21 as the destination port.

In this way we have found three characteristics that can be used in the rule: SYN and FIN flags set; a non-zero acknowledgment number with the ACK flag not set; and reflexive ports set to 21. Two other things are worth noting: the TCP window size is always set to 1028, and the IP identification number is 39426 in every packet. Usually we expect the TCP window size to be larger than 1028; although this value is not very abnormal, it should still be noticed. Likewise, the IP RFC specifies that the IP identification number should differ between packets, so a fixed value is highly questionable.

Choosing a rule

Since we have found five elements that could make up a rule, we have a number of different options for developing a header-based rule, and a good rule should include more than one characteristic. If you just want the simplest possible rule, you can use a packet with the SYN and FIN flags set. Although this is a good way to identify bad behavior, it cannot tell you why it is happening. Remember that SYN and FIN are often used to bypass firewalls and other devices; they can be used for scanning, information gathering or attacks. So, the
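To make the header-attribute discussion concrete, here is an added example (not code from the original article) that decodes the IPv4 and TCP headers of raw packet bytes, extracts the attributes listed above, and evaluates two rules: the simplest rule (SYN and FIN set) and a specific rule combining all five Synscan elements (SYN+FIN, non-zero acknowledgment number without ACK, reflexive port 21, window 1028, IP id 39426). The sample packets are constructed here with struct.pack; the addresses, sequence numbers and the "other tool" packet are assumed values, not captures from the article.

```python
"""Header-attribute IDS rules evaluated against raw IPv4/TCP header bytes.

Added example, not code from the original article. Packet bytes are
constructed below; the Synscan attributes (ports 21/21, IP id 39426,
SYN+FIN, window 1028) are the ones listed in the article, everything
else (addresses, sequence numbers) is an assumed sample value.
"""
import struct
from dataclasses import dataclass

# TCP flag bits in the low byte of the data-offset/flags field (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Header:
    src_ip: str
    dst_ip: str
    tos: int
    ip_id: int
    proto: int
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def parse_header(pkt: bytes) -> Header:
    """Decode the fixed IPv4 header and the TCP header that follows it."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, _tot, ip_id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")  # the rule only looks at protocol 6
    ihl = (ver_ihl & 0x0F) * 4      # IPv4 header length, options included
    tcp = pkt[ihl:ihl + 20]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", tcp)
    return Header(ip_str(src), ip_str(dst), tos, ip_id, proto,
                  sport, dport, seq, ack, off_flags & 0x3F, window)


# Each rule is a list of predicates that must all hold (logical AND).
RULES = {
    # the simplest rule: SYN and FIN together are never legitimate
    "syn_fin": [lambda h: h.flags & (SYN | FIN) == (SYN | FIN)],
    # the specific rule built from the five Synscan elements
    "synscan": [
        lambda h: h.flags & (SYN | FIN) == (SYN | FIN),
        lambda h: not (h.flags & ACK) and h.ack != 0,   # ack number without ACK flag
        lambda h: h.sport == 21 and h.dport == 21,     # reflexive FTP port
        lambda h: h.window == 1028,
        lambda h: h.ip_id == 39426,
    ],
}


def match_rules(h: Header, rules=RULES):
    """Return the names of all rules whose predicates all match the header."""
    return [name for name, preds in rules.items() if all(p(h) for p in preds)]


def build_packet(src, dst, sport, dport, seq, ack, flags, window, ip_id, tos=0) -> bytes:
    """Construct a 40-byte IPv4+TCP header (checksums left at 0; sample only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, ip_id, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


# Constructed samples: a Synscan-style probe, a normal FTP SYN, and a SYN+FIN
# packet from some other (hypothetical) tool with different attributes.
SAMPLE_PACKETS = {
    "synscan_probe": build_packet("10.0.0.5", "192.0.2.10", 21, 21,
                                  0x1A2B3C4D, 0x9F8E7D6C, SYN | FIN, 1028, 39426),
    "normal_ftp_syn": build_packet("10.0.0.7", "192.0.2.10", 40123, 21,
                                   0x11223344, 0, SYN, 65535, 12345),
    "other_syn_fin": build_packet("10.0.0.9", "192.0.2.10", 1024, 80,
                                  0x55667788, 0, SYN | FIN, 512, 1),
}


def evaluate_all(packets=SAMPLE_PACKETS):
    """Map each sample label to the list of rules it triggers."""
    return {label: match_rules(parse_header(pkt)) for label, pkt in packets.items()}


if __name__ == "__main__":
    for label, hits in evaluate_all().items():
        print(f"{label:16s} -> {hits or 'no match'}")
```

Running it shows the trade-off the article describes: the bare SYN+FIN rule fires on both SYN+FIN packets and says nothing about their origin, while the five-element rule fires only on the Synscan-shaped probe and therefore carries more information about what produced it.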
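The POP3 denial-of-service and FTP file-access examples near the start of the article describe rules that need state rather than a single header match: a per-connection count of repeated commands, and a per-connection record of whether a login has succeeded. The following added example (not code from the original article) implements both over constructed command streams; the threshold of 100 identical commands and the set of FTP commands treated as file access are assumed values, since the article does not specify them.

```python
"""Stateful detection rules over sample POP3 and FTP command streams.

Added example, not code from the original article. All session lines are
constructed here; POP3_THRESHOLD and FILE_COMMANDS are assumed values.
"""
from collections import Counter, defaultdict

# Assumed threshold: the article only says "once the configured count is exceeded".
POP3_THRESHOLD = 100

# FTP commands (RFC 959 names) that touch files or directories and should
# not be accepted before a successful login. Assumed set for this example.
FILE_COMMANDS = {"RETR", "STOR", "LIST", "NLST", "CWD", "DELE", "MKD", "RMD", "RNFR", "RNTO"}


def detect_pop3_flood(events, threshold=POP3_THRESHOLD):
    """events: iterable of (conn_id, client_line) for POP3 commands.

    Counts identical command lines per connection and returns one
    (conn_id, command) alert the first time a command exceeds `threshold`.
    """
    counts = defaultdict(Counter)
    alerted = set()
    alerts = []
    for conn, line in events:
        cmd = line.strip()
        if not cmd:
            continue
        counts[conn][cmd] += 1
        if counts[conn][cmd] > threshold and (conn, cmd) not in alerted:
            alerted.add((conn, cmd))
            alerts.append((conn, cmd))
    return alerts


def detect_ftp_prelogin_access(events):
    """events: iterable of (conn_id, direction, line); direction is 'C' for a
    client command or 'S' for a server reply.

    A connection is considered logged in once the server has sent a 230
    reply. File or directory commands seen before that produce an alert.
    """
    logged_in = set()
    alerts = []
    for conn, direction, line in events:
        if direction == "S":
            if line.startswith("230"):       # 230 = user logged in (RFC 959)
                logged_in.add(conn)
            continue
        verb = line.split()[0].upper() if line.split() else ""
        if conn not in logged_in and verb in FILE_COMMANDS:
            alerts.append((conn, verb))
    return alerts


# Constructed sample traffic: one normal POP3 session and one connection that
# repeats the same command 150 times.
POP3_EVENTS = [
    ("pop-1", "USER alice"),
    ("pop-1", "PASS example-password"),
    ("pop-1", "STAT"),
    ("pop-1", "QUIT"),
] + [("pop-2", "STAT")] * 150

# Constructed sample traffic: a normal FTP login followed by file access, and
# a connection that issues file commands without logging in first.
FTP_EVENTS = [
    ("ftp-1", "C", "USER anonymous"),
    ("ftp-1", "S", "331 Please specify the password."),
    ("ftp-1", "C", "PASS guest@example.com"),
    ("ftp-1", "S", "230 Login successful."),
    ("ftp-1", "C", "CWD /pub"),
    ("ftp-1", "C", "RETR data.bin"),
    ("ftp-2", "C", "CWD /pub"),
    ("ftp-2", "C", "RETR data.bin"),
]


if __name__ == "__main__":
    for conn, cmd in detect_pop3_flood(POP3_EVENTS):
        print(f"POP3 flood: {conn} repeated '{cmd}' more than {POP3_THRESHOLD} times")
    for conn, verb in detect_ftp_prelogin_access(FTP_EVENTS):
        print(f"FTP: {conn} issued {verb} before a successful login")
```

Both detectors keep their state keyed by connection, which is what distinguishes them from the header-attribute rules discussed later in the article: a single packet carries no information about how many times a command has already been sent or whether a login reply was seen earlier on the same connection.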