
Transcript

CYB236 Chapter 6: Signature Detection Techniques

Lecture Objectives
- Define Signature
- Signature-Based IDS
- Detection Process
- Attack Signature
- Advantages and disadvantages
- Known Attacks

What is a Signature?

A pattern within a packet, or a series of packets, in network traffic that corresponds to a known threat and can be used by the IDS to identify that threat.

Example: the CONFICKER worm contains:
“|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&

Examples of known attack signatures

TCP SYN flood attack:
192.168.1.2 443 (msg: “TCP SYN flood”; flags:!A; flow: stateless; detection_filter: track by_dst, count 100, seconds 10; sid:1000001;)

This SNORT rule is designed to detect a TCP SYN flood attack against a web server on port 443 (HTTPS). It issues an alert if a client sends more than 100 TCP SYN requests to the server within 10 seconds.

ICMP flood attack:
alert icmp any any -> any any (msg:"ICMP flood"; sid:1000002; rev:1; classtype: icmp-event; detection_filter: track by_dst, count 500, seconds 3;)

This SNORT rule is designed to alert on ICMP floods (for example, ping messages): it fires if a client sends more than 500 ICMP packets within 3 seconds.

Examples of known attack signatures

Ping of Death attack:
alert icmp any any -> any any (msg:"Possible Ping of Death"; dsize: > 10000; sid:1111111; rev:1;)

Ping of Death is a denial of service (DoS) attack in which an attacker deliberately sends an IP packet larger than the 65,536 bytes allowed by the IP protocol. This rule alerts if an ICMP packet carries more than 10,000 bytes.

Brute Force attack:
alert tcp any any -> any 22 (msg:"INDICATOR-SCAN SSH brute force login attempt"; flow:to_server, established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; metadata:service ssh; classtype:misc-activity; sid:19559; rev:5;)

This SNORT rule is designed to detect a brute force attack against the SSH login password: it fires if a client makes more than 5 login attempts within 60 seconds.

Intrusion Detection Datasets
- DARPA/KDD Cup 99
- CAIDA
- NSL-KDD
- ISCX 2012
- ADFA-LD and ADFA-WD

THANKS! Best Regards!
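The rules on these slides combine two kinds of check: static ones on the packet itself (content with depth, dsize) and a rate threshold expressed with detection_filter (track by_src or by_dst, count, seconds). The Python engine below is an added illustration, not part of the lecture and not Snort's own code: it parses the ICMP flood, Ping of Death and SSH brute force rules quoted above, applies the static checks, and keeps a per-host sliding window so a rate rule fires only once a host exceeds count matches within seconds. The packet dicts, the hosts 10.0.0.5, 10.0.0.7, 10.0.0.9 and 10.0.0.22, and the payloads are constructed sample data, and the sliding window is a simplification of Snort's own filter bookkeeping.

```python
import re
from collections import defaultdict, deque

# Rules quoted from the lecture slides; everything else in this block is an
# added illustration of how they are evaluated, not Snort's implementation.
ICMP_FLOOD_RULE = ('alert icmp any any -> any any (msg:"ICMP flood"; sid:1000002; rev:1; '
                   'classtype:icmp-event; detection_filter: track by_dst, count 500, seconds 3;)')
POD_RULE = ('alert icmp any any -> any any (msg:"Possible Ping of Death"; dsize: > 10000; '
            'sid:1111111; rev:1;)')
SSH_BRUTE_RULE = ('alert tcp any any -> any 22 (msg:"INDICATOR-SCAN SSH brute force login attempt"; '
                  'flow:to_server,established; content:"SSH-"; depth:4; '
                  'detection_filter:track by_src, count 5, seconds 60; metadata:service ssh; '
                  'classtype:misc-activity; sid:19559; rev:5;)')

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)$')


def parse_rule(text):
    """Split a Snort rule into header fields and the subset of options the slides use."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax")
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = {}
    for opt in body.split(';'):
        if opt.strip():
            key, _, val = opt.partition(':')
            opts[key.strip()] = val.strip().strip('"')
    rule = {'action': action, 'proto': proto, 'src': src, 'dst': dst, 'dport': dport,
            'msg': opts.get('msg'), 'sid': int(opts['sid']),
            'content': opts.get('content'), 'depth': int(opts.get('depth', 0)),
            'dsize_gt': None, 'filter': None}
    if 'dsize' in opts:                      # only the "> N" form used on the slides
        rule['dsize_gt'] = int(opts['dsize'].lstrip('> '))
    if 'detection_filter' in opts:           # "track by_dst, count 500, seconds 3"
        kv = dict(p.split() for p in opts['detection_filter'].split(','))
        rule['filter'] = {'track': kv['track'], 'count': int(kv['count']),
                          'seconds': int(kv['seconds'])}
    return rule


class SignatureEngine:
    """Matches packets against rules and applies each rule's detection_filter threshold."""

    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.windows = defaultdict(deque)    # (sid, tracked host) -> timestamps of matches

    @staticmethod
    def _static_match(rule, pkt):
        if rule['proto'] != pkt['proto']:
            return False
        if rule['dport'] != 'any' and int(rule['dport']) != pkt['dport']:
            return False
        payload = pkt['payload']
        if rule['content'] is not None:      # content limited to the first `depth` bytes
            window = payload[:rule['depth']] if rule['depth'] else payload
            if rule['content'].encode() not in window:
                return False
        if rule['dsize_gt'] is not None and len(payload) <= rule['dsize_gt']:
            return False
        return True

    def process(self, pkt):
        """Return the messages of every rule that alerts on this packet."""
        alerts = []
        for rule in self.rules:
            if not self._static_match(rule, pkt):
                continue
            f = rule['filter']
            if f is None:                    # no rate threshold: alert on every match
                alerts.append(rule['msg'])
                continue
            host = pkt['src'] if f['track'] == 'by_src' else pkt['dst']
            win = self.windows[(rule['sid'], host)]
            win.append(pkt['ts'])
            while win[0] < pkt['ts'] - f['seconds']:   # drop matches outside the window
                win.popleft()
            if len(win) > f['count']:        # "more than count within seconds", as the slides say
                alerts.append(rule['msg'])
        return alerts


def pkt(ts, proto, src, dst, dport, payload=b''):
    """Constructed packet record (timestamp in seconds, payload bytes)."""
    return {'ts': ts, 'proto': proto, 'src': src, 'dst': dst, 'dport': dport, 'payload': payload}


def run_demo():
    """Constructed traffic replayed through the engine; returns alert counts per message."""
    eng = SignatureEngine([ICMP_FLOOD_RULE, POD_RULE, SSH_BRUTE_RULE])
    counts = defaultdict(int)
    # 7 SSH banners from 10.0.0.5 over 35 s: the 6th and 7th exceed count 5 -> 2 alerts
    for i in range(7):
        for msg in eng.process(pkt(i * 5.0, 'tcp', '10.0.0.5', '10.0.0.22', 22, b'SSH-2.0-OpenSSH')):
            counts[msg] += 1
    # a single login from another host never crosses the threshold
    for msg in eng.process(pkt(1.0, 'tcp', '10.0.0.9', '10.0.0.22', 22, b'SSH-2.0-OpenSSH')):
        counts[msg] += 1
    # 501 echo requests to 10.0.0.22 within 2 s: only the 501st exceeds count 500 -> 1 alert
    for i in range(501):
        for msg in eng.process(pkt(100.0 + i * 0.004, 'icmp', '10.0.0.5', '10.0.0.22', 0, b'\x00' * 56)):
            counts[msg] += 1
    # one echo request with a 12,000-byte payload trips the dsize rule immediately
    for msg in eng.process(pkt(200.0, 'icmp', '10.0.0.7', '10.0.0.22', 0, b'\x00' * 12000)):
        counts[msg] += 1
    return dict(counts)


if __name__ == '__main__':
    print(run_demo())
```

Note that the oversized ping also matches the ICMP flood rule statically, but by then the flood's 3-second window has emptied, so only the Ping of Death message fires for it; the same per-host window is what keeps a single legitimate SSH login from 10.0.0.9 silent while the repeated connections from 10.0.0.5 alert.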
