-
Network Detection Mechanisms
Network signatures have two basic forms: patterns within the packet contents and patterns within the header information. Encryption eliminates the ability to see packet contents so you will need to rely more on header analysis if your organization uses network encryption.
-
Packet Content Signatures
These signatures are basically pattern matches with the packet contents. Packet contents, also known as payload, are the data of the network packet that is being communicated from the source to the destination machines. Content signatures are the most common and provide the greatest detail in detection because they are deterministic.
-
Phf Attack
Phf is an old CGI script-debugging tool with a "feature" that can be exploited to run any command an attacker wants on your Web server. When this pattern is detected it indicates that the user attempted to run shell commands on the HTTP host using a 'phf' vulnerability. Executing the CGI script 'phf' with the argument sequence 'get /cgi-bin/phf ? <garbage%0a<command>' can allow a user to execute shell commands on an HTTP host. This may be an indication that a user is attempting to circumvent system security.
-
Packet Header (Traffic) Analysis
Traffic analysis is a method to detect suspicious network activity without needing to look at the packet contents.
-
Broadcasts
Broadcasts are a class of attacks that cause machines to crash. Sending a packet to a system with the source and destination fields identical will cause the protocol stack to fail in most IP implementations.
-
Land Attack
There are numerous derivatives of the broadcast attack. One is the Land Attack, where the SYN flag is set.
-
Host-Based Signatures
Signature recognition is the most common detection mechanism in host-based systems. These signatures are predefined patterns that have been defined as interesting by the security officer. Signatures are also known as rules or rule-based systems. When rules are triggered an alarm is generated, a response is executed, a notification is sent, or some other action takes place. Signatures are a priori rules that define a sequence of events and a set of transitions between the events.
-
Types of Signatures
The types of signatures are single event, multi-event, multi-host, enterprise, and compound signatures. Most signatures are single event.
-
Single Event Signatures
A single event signature is a single event with selected characteristics that indicates interesting activity. Ninety percent of signatures are single event, because most interesting activities can be represented in single events.
-
Writing to an Executable
This usually happens during controlled software updates and other scheduled administrative activities. However, attackers planting trojan horses and viruses infecting executables are detectable using this simple pattern.
-
Multi-event Signatures
Multi-event signatures are sequences that include two or more events and a set of transitions between the events.
-
Three Failed Logins
Three failed login attempts is indicative of password guessing. Although this attack is relatively low tech, it can still be very effective because users always make poor password choices.
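The three-failed-logins signature above, as an added example that is not code from the original page: a small detector that applies the multi-event rule (three failures for the same user and source within a window, with a successful login as the transition that resets the state) to constructed sshd-style log lines. The log format, the five-minute window and the log year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (sample data, not from a real system).
SAMPLE_LOG = """\
Mar 10 12:00:01 host1 sshd[101]: Failed password for alice from 203.0.113.7 port 51000 ssh2
Mar 10 12:00:05 host1 sshd[101]: Failed password for alice from 203.0.113.7 port 51001 ssh2
Mar 10 12:00:09 host1 sshd[101]: Failed password for alice from 203.0.113.7 port 51002 ssh2
Mar 10 12:01:00 host1 sshd[102]: Failed password for bob from 198.51.100.3 port 40000 ssh2
Mar 10 12:01:30 host1 sshd[102]: Accepted password for bob from 198.51.100.3 port 40001 ssh2
Mar 10 12:02:00 host1 sshd[103]: Failed password for bob from 198.51.100.3 port 40002 ssh2
Mar 10 12:02:10 host1 sshd[103]: Failed password for bob from 198.51.100.3 port 40003 ssh2
"""

# Assumed log layout: syslog timestamp, host, sshd[pid], outcome, user, source.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)"
)

def parse(line, year=2024):
    """Return (timestamp, outcome, user, source) or None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def failed_login_alerts(lines, threshold=3, window=timedelta(minutes=5)):
    """Multi-event signature: `threshold` failures for one (user, source) inside `window`.
    An accepted login is the transition back to the start state; an alert also
    clears the counter so a long run of failures raises one alert per `threshold`."""
    state = defaultdict(list)   # (user, source) -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, outcome, user, src = ev
        key = (user, src)
        if outcome == "Accepted":
            state.pop(key, None)
            continue
        fails = [t for t in state[key] if ts - t <= window]   # expire old failures
        fails.append(ts)
        if len(fails) >= threshold:
            alerts.append((ts, user, src, len(fails)))
            fails = []
        state[key] = fails
    return alerts

if __name__ == "__main__":
    for ts, user, src, n in failed_login_alerts(SAMPLE_LOG.splitlines()):
        print(f"{ts} ALERT: {n} failed logins for {user} from {src}")
```

Only alice triggers the rule: bob's single failure is cleared by his successful login, and the two failures that follow stay below the threshold.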
-
Multi-Host Signatures
Multi-host signatures are, as the name implies, signatures that are an aggregation of events from multiple hosts that indicate a noteworthy action. Multi-host signatures are useful for detecting stealth attacks.
-
Stealth Attacks
Stealth attacks are where an attacker does only a little bit of an attack on each machine to stay "under the radar" of the intrusion detection system.
-
Enterprise Signatures
Enterprise signatures are a special class of signature that implies a multi-event signature from any combination of targets in the enterprise. This is a special class because in large environments there may be multiple detection servers compounding the data aggregation problem.