snort 2 1 intrusion detection second edition phần 4 potx

snort 2.1 intrusion detection second edition phần 4 potx

... Be Merged 10 .1. 0.0 /22 10 .1. 0.0 / 24 , 10 .1 .2. 0 / 24 , 10 .1. 4. 0 / 24 , 10 .1. 6.0 / 24 19 8.0.0.0 /20 19 8 .1. 0.0 / 21 , 19 8 .2. 0.0 / 21 10 .10 0.80.0/ 31 10 .10 0.80 .1/ 32, 10 .10 0.80 .10 1/ 32 Merging subnet masks can save ... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 03 /13 -17 :58: 02. 530000 xxx.xxx.xxx.xxx:36 922 -> xxx.xxx.xxx.xxx :23 TCP TTL: 64 TOS:0x10 ID: 622 54 IpLen :20 DgmLen: 52 DF ***A**** Seq: 0x15807E7A Ack: 0x695B 229 6 Win: 0x1 920 TcpLen: 32 TCP ... jay. 03 /13 -17 :58: 02. 520 000 xxx.xxx.xxx.xxx:36 922 -> xxx.xxx.xxx.xxx :23 TCP TTL: 64 TOS:0x10 ID: 622 53 IpLen :20 DgmLen:53 DF ***AP*** Seq: 0x15807E79 Ack: 0x695B 229 5 Win: 0x1 920 TcpLen: 32 TCP...

76

528

0

snort 2.1 intrusion detection second edition phần 3 potx

... be 1 92. 16 8.0.0 / 24 , which means that the address space of 1 92. 16 8.0. 1 92. 16 8.0 .25 4 will be repre-sented, using a subnet mask of 25 5 .25 5 .25 5.0 (see Figure 3 . 14 ). Figure 3 . 14 Editing the snort. conf ... http://www.simpopdf.com 29 5 _Snort2 e_03.qxd 5/5/ 04 2: 55 PM Page 13 4 13 4 Chapter 3 • Installing Snort The second example is for versions earlier than 4 .1. For these systems, just enter rpm rebuild snort- 2. 1. 1- 1snort. src.rpm.This ... /usr/ports/net /snort/ w -snort- 2. 0.0p1/fake-i386/usr/local/man/man8 install -c -o root -g bin -m 44 4 /usr/ports/net /snort/ w -snort- 2. 0.0p1 /snort- 2. 0.0 /snort. 8 /usr/ports/net /snort/ w -snort- 2. 0.0p1/fake-...

76

432

0

snort 2.1 intrusion detection second edition phần 1 pptx

... Unregistered Version - http://www.simpopdf.com 29 5 _Snort_ 2e_ 01. qxd 5 /4/ 04 4:50 PM Page 12 12 Chapter 1 • Intrusion Detection Systems Figure 1. 1 NIDS Network INTERNET Mail DNS NIDS NIDS ... http://www.simpopdf.com 29 5 _Snort_ 2e_ 01. qxd 5 /4/ 04 4:50 PM Page 10 10 Chapter 1 • Intrusion Detection Systems ■ Network-Based Intrusion Detection System (NIDS) ■ Host-Based Intrusion Detection System ... . 42 2 Installing SnortSnarf . . . . . . . . . . . . . . . . . . . . . . 42 2 Configuring Snort to Work with SnortSnarf . . . . . 42 4 Basic Usage of SnortSnarf . . . . . . . . . . . . . . . . . . 42 5 Swatch...

76

365

1

snort 2.1 intrusion detection second edition phần 2 ppt

... like that: 03 /11 - 12 : 44 :45 . 42 4 5 51 0:A0:CC :29 :1D :13 -> 0 :20 :6F:3:7:CC type:0x800 len:0x7A 66.80 . 14 6.8 :22 00 -> 69 .13 8 .22 5 .13 7: 12 8 9 TCP TTL: 64 TOS:0x10 ID:5 528 IpLen :20 DgmLen :10 8 DF ***AP*** ... packets: INACTIVE ﬂush_data_diff_size: 500 Ports: 21 23 25 53 80 11 0 11 1 14 3 513 14 33 Emergency Ports: 21 23 25 53 80 11 0 11 1 14 3 513 14 33 HttpInspect Conﬁg: GLOBAL CONFIG Max Pipeline ... 0xF3 315 F 42 Ack: 0x5FAFDF2 Win: 0xE4B4 TcpLen: 20 E9 A2 19 CE 3A 0A C7 AA 75 EA 13 1D 02 6D 3C 12 : u m<. AA 96 1D F8 8E 73 C5 D1 B2 33 41 D4 88 DC A2 53 s 3A S CB 93 79 5E 1B FC 3A 5B 82 1E...

76

427

1

snort 2.1 intrusion detection second edition phần 5 pot

... http://www.simpopdf.com 29 5 _Snort2 e_06.qxd 5/6/ 04 12 : 51 PM Page 310 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 29 5 _Snort2 e_06.qxd 5/6/ 04 12 : 51 PM Page 28 1 Preprocessors • Chapter 6 28 1 ... Unregistered Version - http://www.simpopdf.com 29 5 _Snort2 e_06.qxd 5/6/ 04 12 : 51 PM Page 28 2 28 2 Chapter 6 • Preprocessors IAC SB SING HUMPTY-DUMPTY SE 25 5 25 0 53 1 24 0 There’s more to Telnet than this, ... http://www.simpopdf.com 29 5 _Snort2 e_06.qxd 5/6/ 04 12 : 51 PM Page 29 3Preprocessors • Chapter 6 29 3 int num = 0; if(portlist == NULL || *portlist == '\0') { portlist = " ; 21 23 25 11 9";...

76

343

0

snort 2.1 intrusion detection second edition phần 1 potx

... 04/ 06 - 21 : 12 : 52. 016 027 40 8 1 92. 16 8 .1. 1 01 - 1 92. 16 8 .1. 1 02 - ICMP Echo Reply 04/ 06 - 21 : 12 : 52. 879979 3 82 1 92. 16 8 .1. 1 02 - 1 92. 16 8 .1. 1 01 - ICMP PING Windows 04/ 06 - 21 : 12 : 53.009 929 40 8 1 92. 16 8 .1. 1 01 - 1 92. 16 8 .1. 1 02 ... 04/ 06 - 21 : 12 : 49 .87 611 6 3 82 1 92. 16 8 .1. 1 02 - 1 92. 16 8 .1. 1 01 - ICMP PING Windows 04/ 06 - 21 : 12 : 50.008 543 40 8 1 92. 16 8 .1. 1 01 - 1 92. 16 8 .1. 1 02 - ICMP Echo Reply 04/ 06 - 21 : 12 : 50.877603 3 82 1 92. 16 8 .1. 1 02 ... - 1 92. 16 8 .1. 1 01 - ICMP PING Windows 04/ 06 - 21 : 12 : 51. 008837 40 8 1 92. 16 8 .1. 1 01 - 1 92. 16 8 .1. 1 02 - ICMP Echo Reply 04/ 06 - 21 : 12 : 51. 878793 3 82 1 92. 16 8 .1. 1 02 - 1 92. 16 8 .1. 1 01 - ICMP PING Windows 04/ 06 - 21 : 12 : 52. 016 027 ...

76

670

0

snort 2.1 intrusion detection second edition phần 7 ppsx

... teardrop_attack_cap 16 : 52: 06. 029 368 1 72. 16 .10 .15 1 .1 025 > 1 72. 16 .10 .20 0 .13 5: [no cksum] udp 28 (frag 24 2:36@0+) (ttl 3, len 56) 16 : 52: 06. 046 3 02 1 72. 16 .10 .15 1 > 1 72. 16 .10 .20 0: (frag 24 2 :4 @ 24 ) (ttl ... [**] [11 3 :2: 1] (spp_frag2) Teardrop attack [**] 02/ 19 -16 : 52: 06. 046 3 02 1 72. 16 .10 .15 1 -> 1 72. 16 .10 .20 0 UDP TTL:3 TOS:0x0 ID : 24 2 IpLen :20 DgmLen : 24 Frag Offset: 0x0003 Frag Size: 0x00 04 Begin ... spoofed? # snort –dvr teardrop_attack.cap 02/ 19 -16 : 52: 06. 029 368 1 72. 16 .10 .15 1 -> 1 72. 16 .10 .20 0 UDP TTL:3 TOS:0x0 ID : 24 2 IpLen :20 DgmLen:56 MF Frag Offset: 0x0000 Frag Size: 0x0 0 24 04 01 00 87...

76

579

0

snort 2.1 intrusion detection second edition phần 8 pps

... 12 : 24: 49.9 613 61 1 92. 16 8 .10 .13 .3093 > 1 92. 16 8.30 .17 1.ssh: P 36: 72( 36) ack 1 win 16 1 92 (DF) **** Press <ENTER> to send the next packet: 12 : 24: 49.97 018 7 1 92. 16 8.30 .17 1.ssh > 1 92. 16 8 .10 .13 .3093: ... 12 : 24: 58.97 12 0 5 1 92. 16 8 .10 .13 .30 42 > 1 92. 16 8.30 .23 0.ssh: P 10 8 : 14 4( 36) ack 1 win 16 500 (DF) **** Press <ENTER> to send the next packet: 12 : 24: 58.979 943 1 92. 16 8.30 .23 0.ssh > 1 92. 16 8 .10 .13 .30 42 : ... 12 : 24: 52. 970009 1 92. 16 8 .10 .13 .30 42 > 1 92. 16 8.30 .23 0.ssh: P 72: 10 8(36) ack 1 win 16 500 (DF) **** Press <ENTER> to send the next packet: 12 : 24: 52. 979 929 1 92. 16 8.30 .23 0.ssh > 1 92. 16 8 .10 .13 .30 42 : ...

76

524

0

snort 2.1 intrusion detection second edition phần 9 pot

... > 20 4 .17 4. x.x.53573: S 25 23 5 14 769 :25 23 5 14 769(0) ack 3 728 59 511 0win 57 92 20 4 .17 4. x.x.53573 > 68 .48 .x.x.80: . ack 1 win 5 840 20 4 .17 4. x.x.53573 > 68 .48 .x.x.80: P 1: 119 (11 8) ack 1 win 5 840 ... 20 4 .17 4. x.x.53573 > 68 .48 .x.x.80: F 11 9 :11 9(0) ack 358 win 64 32 68 .48 .x.x.80 > 20 4 .17 4. x.x.53573: F 358:358(0) ack 12 0 win 57 92 20 4 .17 4. x.x.53573 > 68 .48 .x.x.80: . ack 359 win 64 32 After ... http://www.simpopdf.com 29 5 _Snort_ 2e_ 12 . qxd 5/5/ 04 6 :10 PM Page 616 616 Chapter 12 • Active Response Figure 12 . 4 WWWBoard passwd.txt Access Packet Trace 20 4 .17 4. x.x.53573 > 68 .48 .x.x.80: . ack 358 win 64 32 20 4 .17 4. x.x.53573...

76

318

0

snort 2.1 intrusion detection second edition phần 10 doc

... eth0 20 4 .17 4. x.x .48 6 62 > 1 92. 16 8 .10 .20 .80: S 78368 948 4:78368 948 4(0) win 5 840 1 92. 16 8 .10 .20 .80 > 20 4 .17 4. x.x .48 6 62: S 23 23 945 5 04 :23 23 945 5 04( 0) ack 78368 948 5 win 57 92 20 4 .17 4. x.x .48 6 62 > ... ml;.charset=iso- 20 4 .17 4. x.x .48 6 62 > 1 92. 16 8 .10 .20 .80: . ack 5 72 win 68 52 20 4 .17 4. x.x .48 6 62 > 1 92. 16 8 .10 .20 .80: F 11 9 :11 9(0) ack 5 72 win 68 52 1 92. 16 8 .10 .20 .80 > 20 4 .17 4. x.x .48 6 62: F 5 72: 5 72( 0) ack 12 0 win 57 92 ... 0x0030 15 0b a733 48 54 545 0 2f 31 2e 31 20 34 30 34 3HTTP /1. 1 .40 4 0x0 040 20 4e 6f 74 20 46 6f75 6e 64 0d0a 44 61 746 5 .Not.Found Date 0x0050 3a20 5765 642 c 20 33 3 12 0 4d 61 722 0 323 0 :.Wed,. 31. Mar .20 0x0060...

69

829

0