Basic knowledge of the rules
Network Intrusion Detection System is a network communication that we need to find a pattern. To give you different types of rules have a basic idea, let's look at the examples that can be used to identify and methods.
Sent from a fixed IP connection requests. This can be in the original IP header address area easily identified.
Mark packets with illegal TCP set. This can be a known set of legal and illegal, and the TCP header tags in the tag comparison and conclusion.
E-mail containing a special virus. IDS can be the title of the message or the attachment name and e-mail-related viruses known to compare the title of the conclusion.
Included in the payload of the DNS queue buffer overflow attempt. Through the analysis of DNS domains and check the length of each queue, so that IDS can identify the existence of a domain in DNS buffer overflow attempt. Or another way is to look at the payload queue overflow procedure exists.
By submitting thousands of times the same command to carry on the POP3 server denial of service attacks. Way to deal with this attack is to set the number of orders submitted, once more than the number of times the system will set the alarm.
By submitting a file or directory tried to skip the login process prior to access files on the FTP server attacks. Can develop a tracking system to monitor the successful landing of the FTP communication, if we find someone trying to enter in pre-certified through the system, it will sound the alarm.
As you can see from the above, a wide range of rules, from the simplest check header files to highly complex, such as Zhenzhenggenzong Lianjiezhuangtai or extensive protocol analysis Deng. In this article, we will focus on some simple rules and discuss their complexity in development. Please note that the rules of IDS in a different capacity to change, so the technology described in this article may be used in your firewall may not be applicable. For example, some network IDS products to the customers to write their own rules or configure the capacity of the existing rules is weak, and some products allow you to customize almost all the existing rules and to all the rules you can think of the definition into the system. Also to be considered an important factor in some IDS products can only check a specific payload Zhu Xing header files, and some products can be given in any part of Renhe package Shu Ju.
Rules which features services
The purpose of intrusion detection rules so? The answer is, different rules is not the same purpose. The result we need is that when the invasion occurred, the system alerts. But let us think about why we need to customize or modify their own rules? Maybe you see some single network communication, and you want the next warning is given when such communications occur. You may have noticed, it has a special header symbol, you want to define a rule to match this known mark; Perhaps you want to configure the IDS to detect unusual or suspicious that the communication, not just Detection of attacks and detection. Some rules can tell you which way a particular attack or an attacker trying to attempt an attack against which vulnerabilities, while others rule is that there are no abnormal behavior, rather than point out a specific kind of attack. The former is bound to spend more time and resources, but give you more information, such as why you would be the purpose of attack or the attacker is.
Header file attributes
We have fast rules about the type, and then let us focus on the characteristics of a simple rule: header file attributes. Some header file attributes is obviously not normal, so we need to develop a lot of options in the rules. Classic example of this rule is marked with a TCP SYN and FIN packets set. In RFC793 (the standard used to define the TCP) a vulnerability, so many tools are trying through this loophole to try to bypass firewalls, routers and intrusion detection systems. Many exploits, including the header file attributes aimed against the RFCs, because many of the operating system and applications are based on the assumption that compliance with RFCs written, and on this basis of communication in error not be corrected. There are many tools contain errors or incomplete code, so these tools are made by the package which contains the header files against the RFCs property. Those who write very bad invasion of technology tools and a variety of written rules for identifiable property.
It sounds good, but please note that not all operating systems and applications are fully inherited RFCs's. In fact, many systems or procedures are at least partly against the RFC's. So, over time, the agreement may be given not included in the RFC in the new property, then the new standards there would be unlawful prior to the standard into a now legal. RFC3168 is a good example. Therefore, IDS rules rely on the RFC may lead to many positive error occurs. Of course, RFC still in the development of accounting rules is very important position, because many malicious attacks are directed RFCs come. As the RFC upgrades and other factors (such that we'll discuss that later), so need to periodically review and upgrade of existing rules.
While illegal file attributes is the first part of the rule base, the first legal but suspicious file attributes are also important. For example, for connecting the port such as 31337 or 27374 suspicious (these are often related to the port and the horse), if issued a warning on these connections, you can quickly identify the actions Trojan. Unfortunately, some normal healthy communication may also use the same port. If you do not use the more detailed rules to define the communications of the other features, you will be difficult to determine the true properties of communication. Suspicious but legitimate property, such as the number of port number, preferably comprehensive consideration of other properties.
Identify the rules of composition may
Header file attributes based on the best way to develop the rules is by example. Synscan is a widely used tool for scanning and detection system. Interconnection line in early 2001, it frequently activity, because its code is often used to make Ramen worm, the first stage. This event provides a good example, because it's package includes a large number of identifiable characteristics. Here are some of the early spread of the worm exists in the Ramen worm in the IP and TCP packet header file attributes. (Note that my IDS is configured as the default has not been requested cancellation of communication, so I can only see the first packet of each attempt)
A variety of different source IP address
2 TCP source port 21, destination port 21
3 type of service is 0
4 IP identification number 39426
5 SYN and FIN flag set
6 serial number to set the various
Set all the confirmation number 7
8 TCP windows size is 1028
Now we know Synscan package contains the header files which features, we can begin to consider how to develop a good rule. Let us Zhao Zhao those illegal, abnormal, suspicious property, in many cases, these features are corresponding to the attacker trying to exploit loopholes or correspond to the attacker used a special technique. Although the normal package properties often include restrictions on some communication, but such restrictions can not be the characteristics of a good rule. For example, we will deal in properties of the normal IP protocol is defined as 6, this way we can view the TCP packet. However, some other completely normal characteristics, such as the service type is set to 0, the rule of development is very negative.
Synscan package some of the unusual features can be identified using the following rules:
1 only SYN and FIN flag set is a clear sign of malicious behavior.
2 Another feature is the confirmation number of these packages have a variety of different properties but the ACK flag is not set. If the ACK flag is not set, the confirmation number should be set to 0.
3 there is a suspicious feature is that the source port and destination port are set to 21, which is a normal FTP server does not associate. If both of the same port number, which we call reflexive. In addition to some special communication (such as a specific NetBIOS communication), usually such a situation should not exist. Anti-body against the TCP port is not standard, but in most cases is not normal. In the normal FTP communications, we will see a high port (greater than 1023) as the source port, destination port is 21.
Thus, we identified three characteristics can be used to make rules: SYN and FIN flag set, the confirmation number is not set to 0 and no ACK tag, and anti-body port is set to 21. There are also two points to note: TCP windows size of the regular set to 1028, IP identification number is 39426 set all the packages. In general, we expected TCP windows size is greater than 1028, although this value is not very normal, but should also draw attention. Similarly, IP RFC defines IP identification number in a different package should have different values, so a fixed value is highly questionable.
Select a rule
As we have found five to be the rule of the elements, So we have the option to develop many different based on head Wenjian rules and a good rule should include more than one of Te Zheng. If you just want to set the most simple rules, you can use packet marking to set the SYN and FIN. While this is a kind of good identification methods of malignant behavior, but behavior can not be given why this would happen. Remember, SYN and FIN are usually used to bypass firewalls and other equipment, so they can play the role of the scanner, the implementation of information gathering or attacks. Therefore, a SYN and FIN only rule for our purposes is too simple.
However, if a rule includes all of the above five suspicious features, although they could provide more detailed information, but compared with the detection of a property rule only, the utility or much worse. Rules of relevance and accuracy of development are always trade-off between the two. In many cases, the relatively simple rules is easier than the complex identification of positive error, because the relatively simple rules in general for the overall concept. And complex than the simple rule of rules is easier to recognize passive error because the characteristics of some tools and algorithms will change over time.
We assume that a rule intended to determine what kind of tool used. In addition to other markers SYN and FIN, what attributes are most appropriate? Let us look at the anti-body port is very suspicious, but many tools have this feature even with some lawful existence of such communications will feature, it can not provide enough detailed information to Zhidingguize. ACK ACK value is set but no tags, it is clearly illegal, it can and SYN, FIN together to make rules. Windows-1028 size, a little suspicious but can also be considered within the normal range. The IP identification number 39426 then? We can combine the above properties, the development of several different rules. But still can not determine which is the best, because the best rules should change with time and environment at any time adjustments.
Summary
In the next period, we will use to determine which properties SYNSCAN rules, and rules for more SYNSCAN assess the effectiveness of communication. We will further study the general rules relative to the merits of specific rules. We will also continue to focus on discussion of IP protocol header file attributes in the rule development role.
Recommended links:
Vertical Market Apps SpecialistFlash MX features tours of the threeSichuan Instrument flow Meters: precision production of personalized quoteTo work time "to steal food," the employee SETTINGS, "Health Model"comments Text Or DOCUMENT EditorsArticles about Audio PlayersPsychosomatic SYNDROME after holiday revelryWMV to MPEGStealing "technology" Take "clever" With CorelDrawTOD TO WMVBaidu to "PPC" rectification and apologysttray exe entry point not found stlang dll fixAVI to MOVSSL works