
Monitoring Tools

Monitoring Tools. Focus Question. What are the common ways of specifying network packets used in tcpdump, wireshark, and snort?. Packet Generators. ping – test network connectivity - icmp hping – sends TCP/IP packets to network hosts traceroute – probes network connectivity

palti

Presentation Transcript


  1. Monitoring Tools

  2. Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark, and snort?

  3. Packet Generators
  • ping - tests network connectivity (ICMP)
  • hping - sends crafted TCP/IP packets to network hosts
  • traceroute - probes the path to a host
  • telnet - connects to arbitrary ports
  • nc - establishes TCP and UDP connections
  • sock - acts as an arbitrary client or server
  • nmap - security port scanner

  4. Packet Sniffers
  • tcpdump - command-line tool for capturing packets
  • wireshark - graphical sniffer and packet analyzer
  • snort - packet sniffing and network intrusion detection

  5. Packet Anatomy
  • ICMP header (bit positions 0-31, left to right; KEY= labels are the field names that appear in the logged output)
    - Type (8 bits): TYPE=
    - Code (8 bits): CODE=
    - Checksum (16 bits)
    - Data (variable length; depends on Type and Code; some of it is logged)

  6. Packet Anatomy
  • IP header (32-bit words, bit positions 0-31, left to right)
    - Version (4 bits); IHL (4 bits); TOS (8 bits): TOS=, PREC=; Total Length (16 bits): LEN=
    - Identification (16 bits): ID=; Flags (3 bits); Fragment Offset (13 bits): FRAG=
    - TTL (8 bits): TTL=; Protocol (8 bits): PROTO=; Header Checksum (16 bits)
    - Source Address (32 bits): SRC=
    - Destination Address (32 bits): DST=
    - Options and Padding: OPT= (not decoded, requires --log-ip-options)

  7. Packet Anatomy
  • TCP header (32-bit words, bit positions 0-31, left to right)
    - Source Port (16 bits): SPT=; Destination Port (16 bits): DPT=
    - Sequence Number (32 bits): SEQ= (requires --log-tcp-sequence)
    - Acknowledgment Number (32 bits): ACK= (requires --log-tcp-sequence)
    - Data Offset (4 bits); Reserved: RES=; ECN bits; flags SYN, ACK, ...; Window (16 bits): WINDOW=
    - Checksum (16 bits); Urgent Pointer (16 bits): URGP=
    - Options: OPT= (not decoded, requires --log-tcp-options)

  8. Packet Anatomy
  • UDP header (bit positions 0-31, left to right)
    - Source Port (16 bits): SPT=; Destination Port (16 bits): DPT=
    - Length (16 bits): LEN=; Checksum (16 bits)
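The four header layouts on slides 5-8 map directly onto a few struct formats. The decoder below is an added example (not code from the slides or from any of the tools they cover): it walks an IPv4 packet, verifies the IP header checksum, dispatches on PROTO to the ICMP, TCP or UDP decoder, and renders the result with the same KEY= labels the slides use. The packets at the bottom are constructed test data, and the field names UDP_LEN, HDR_CHECKSUM_OK and PAYLOAD are this example's own additions.

```python
"""Decode IPv4 / ICMP / TCP / UDP headers into the KEY= field names used on
slides 5-8 (SRC=, DST=, PROTO=, SPT=, DPT=, ...). Added example, not from the
slides; the packets at the bottom are constructed test data."""
import socket
import struct

TCP_FLAGS = (("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20), ("ACK", 0x10),
             ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words. Run over a header that
    already carries its checksum, the result is 0 when the header is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_icmp(p: bytes) -> dict:
    typ, code, _csum = struct.unpack("!BBH", p[:4])
    return {"TYPE": typ, "CODE": code, "DATA": p[4:]}   # DATA depends on TYPE/CODE


def decode_udp(p: bytes) -> dict:
    spt, dpt, length, _csum = struct.unpack("!HHHH", p[:8])
    return {"SPT": spt, "DPT": dpt, "UDP_LEN": length, "PAYLOAD": p[8:length]}


def decode_tcp(p: bytes) -> dict:
    (spt, dpt, seq, ack, off_res, flags,
     window, _csum, urgp) = struct.unpack("!HHIIBBHHH", p[:20])
    data_off = (off_res >> 4) * 4           # header length in bytes (>= 20)
    return {"SPT": spt, "DPT": dpt, "SEQ": seq, "ACK": ack, "WINDOW": window,
            "RES": off_res & 0x0F, "URGP": urgp,
            "FLAGS": [name for name, bit in TCP_FLAGS if flags & bit],
            "OPT": p[20:data_off].hex(), "PAYLOAD": p[data_off:]}


def decode_ipv4(pkt: bytes) -> dict:
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4              # IHL is counted in 32-bit words
    fields = {"VERSION": ver_ihl >> 4, "IHL": ihl, "TOS": tos, "LEN": total_len,
              "ID": ident, "DF": bool(flags_frag & 0x4000), "MF": bool(flags_frag & 0x2000),
              "FRAG": flags_frag & 0x1FFF, "TTL": ttl, "PROTO": proto,
              "SRC": socket.inet_ntoa(src), "DST": socket.inet_ntoa(dst),
              "OPT": pkt[20:ihl].hex(),
              "HDR_CHECKSUM_OK": inet_checksum(pkt[:ihl]) == 0}
    decoder = {1: decode_icmp, 6: decode_tcp, 17: decode_udp}.get(proto)
    if decoder:
        fields.update(decoder(pkt[ihl:total_len]))
    return fields


def log_line(f: dict) -> str:
    """Render the decoded fields in the KEY=value style of the slides."""
    order = ["SRC", "DST", "LEN", "TOS", "TTL", "ID", "PROTO", "TYPE", "CODE",
             "SPT", "DPT", "SEQ", "ACK", "WINDOW", "URGP"]
    parts = ["%s=%s" % (k, f[k]) for k in order if k in f]
    return " ".join(parts + f.get("FLAGS", []))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed test packet: no options, DF set, IP header checksum filled in.
    TCP/UDP checksums are left at 0 (they need a pseudo-header and are not
    verified above)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


# Constructed samples: a TCP SYN to port 80, a UDP datagram to port 53, an ICMP echo request.
SYN_TO_80 = build_ipv4("192.168.1.2", "192.168.1.3", 6,
                       struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 64240, 0, 0))
UDP_TO_53 = build_ipv4("192.168.1.5", "10.0.0.53", 17,
                       struct.pack("!HHHH", 53000, 53, 8 + 5, 0) + b"query")
ICMP_ECHO = build_ipv4("192.168.1.5", "192.168.1.1", 1,
                       struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abc")

if __name__ == "__main__":
    for pkt in (SYN_TO_80, UDP_TO_53, ICMP_ECHO):
        print(log_line(decode_ipv4(pkt)))
```

The checksum check is the part worth keeping in mind when reading captures: a header whose checksum does not verify is either corrupted on the wire or was captured before the NIC filled the checksum in (offloading), so a failed check is not by itself evidence of tampering.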

  9. Common tcpdump Options
  • tcpdump [-options] [expression]
  • -c count      # exit after count packets have been captured
  • -i ifc        # interface to listen on: eth0, lo ...
  • -s snaplen    # number of bytes to capture per packet
  • -w filename   # save output to filename (binary)
  • -e            # include the frame header info
  • -n            # don't convert addresses to names
  • -x            # print the data of each packet in hex
  • -v            # verbose mode
  • expression: [tcp|udp] [dst|src] [host|net|port] id

  10. Wireshark

  11. Wireshark

  12. Snort
  • Components
    - Binary: /usr/sbin/snort
  • Configuration:
    - /etc/sysconfig/snort
    - /etc/snort/snort.conf
    - /etc/snort/*.rules
  • Logging:
    - /var/log/snort
    - /etc/logrotate.d/snort

  13. Uses of Snort
  • Packet sniffing:
    - snort -vde
  • Packet logging mode:
    - snort -vde -l ./log                    # log is a directory
    - snort -vde -l ./log -h 192.168.1.0/24
    - snort -b -l .log                       # logs in binary format
  • Intrusion detection:
    - snort -d -l /var/log/snort -c /etc/snort.conf

  14. The Snort Engine (flow diagram)
  • Packet acquisition -> Packet decode -> Preprocessors -> Detection engine -> Log or alert?
  • Yes: Output plugins -> Finished
  • No: Finished
  • Finished -> Next packet

  15. Writing Snort Rules
  1. Figure out what is "bad"
  2. Capture traffic that includes the "bad stuff"
  3. Learn the protocol
  4. Figure out why the "bad stuff" is bad
  5. Write a rule
  6. Test the rule
  7. Go to step 5

  16. Rule Format
  • Basic rule: alert tcp 192.168.1.2 any -> 192.168.1.3 80 (msg:"your message";content:"blah";sid:10001;)
  • Other keyword:value pairs
    - reference:url,www.cabrillo.edu
    - rev:#
    - priority:#
    - classtype:type (see classification.config)
    - nocase;
    - depth:#
    - offset:#
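To make the rule format on slide 16 concrete, here is an added example (not Snort's own code, which does far more) of a minimal rule parser and matcher: it splits the header into action, protocol, addresses, ports and direction, collects the keyword:value options, binds nocase, offset and depth to the preceding content keyword, and evaluates the rule against a decoded packet. The rule text extends the slide's basic rule with the modifier keywords listed beneath it; the packet is constructed, and the packet dict layout (proto, src, sport, dst, dport, payload) is this example's own convention.

```python
"""Parse a Snort rule in the format of slide 16 and test it against a packet.
Added example, not Snort's own code: a minimal matcher covering the header,
the content keyword with its nocase/offset/depth modifiers, and the
keyword:value metadata. The rule and packet below are constructed."""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def parse_rule(text: str) -> dict:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule header: %r" % text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    contents, meta = [], {}
    # Simple split on ';' (real rules may escape ';' inside quoted content).
    for raw in body.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "content":
            # |hex| escapes are not handled here; plain text patterns only
            contents.append({"pattern": value.encode(), "nocase": False, "offset": 0, "depth": None})
        elif key in ("nocase", "offset", "depth") and contents:
            # modifiers bind to the most recent content keyword
            if key == "nocase":
                contents[-1]["nocase"] = True
            else:
                contents[-1][key] = int(value)
        else:
            meta[key] = value                 # msg, sid, rev, reference, classtype, ...
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport,
            "contents": contents, "meta": meta}


def addr_match(spec: str, ip: str) -> bool:
    """any, a single IP, a CIDR block, !negation, or a [list,of,those]."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_match(spec[1:], ip)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_match(s.strip(), ip) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_match(spec: str, port: int) -> bool:
    """any, a single port, a lo:hi range (either end may be open), or !negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_match(spec[1:], port)
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def content_match(c: dict, payload: bytes) -> bool:
    """offset = where in the payload to start looking, depth = how many bytes from there."""
    start = c["offset"]
    end = len(payload) if c["depth"] is None else start + c["depth"]
    window = payload[start:end]
    if c["nocase"]:
        return c["pattern"].lower() in window.lower()
    return c["pattern"] in window


def rule_matches(rule: dict, pkt: dict) -> bool:
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False

    def one_way(src, sport, dst, dport):
        return (addr_match(rule["src"], src) and port_match(rule["sport"], sport)
                and addr_match(rule["dst"], dst) and port_match(rule["dport"], dport))

    hit = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":                   # bidirectional: try the reverse too
        hit = hit or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return hit and all(content_match(c, pkt["payload"]) for c in rule["contents"])


# Constructed rule (slide 16's header plus the modifier keywords) and packet.
RULE = ('alert tcp 192.168.1.2 any -> 192.168.1.3 80 (msg:"your message"; '
        'content:"blah"; nocase; offset:4; depth:10; reference:url,www.cabrillo.edu; '
        'sid:10001; rev:1;)')
PKT = {"proto": "tcp", "src": "192.168.1.2", "sport": 40000,
       "dst": "192.168.1.3", "dport": 80, "payload": b"GET /BLAH HTTP/1.0\r\n"}

if __name__ == "__main__":
    rule = parse_rule(RULE)
    print(rule["action"], rule["meta"]["msg"], "sid", rule["meta"]["sid"],
          "matches" if rule_matches(rule, PKT) else "no match")
```

The offset/depth pair is the one to get right when writing rule step 5 of slide 15: depth is counted from offset, not from the start of the payload, so a pattern that sits just past offset+depth is missed even though it is in the packet.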

  17. Review

  18. Focus Question: What are the common ways of specifying network packets used in tcpdump, wireshark, and snort?
  • Network packets are most often identified by IP address, network address or port number.
  • The keywords host, net, and port describe those identifiers. If no keyword is specified, host is assumed, e.g. net 192.168.1.0/24 or port 22.
  • The direction keywords src and dst can be combined with the logical operators and, or, not, e.g. src host 192.168.1.5 and dst port 22.
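The expression grammar on slides 9 and 18 ([tcp|udp] [dst|src] [host|net|port] id, joined with and, or and not) is small enough to implement end to end. The following added example (not tcpdump or libpcap code, which compile to BPF bytecode) parses such an expression with the usual precedence (not binds tightest, then and, then or, with parentheses for grouping), defaults the qualifier to host as slide 18 states, and turns it into a predicate over decoded packets. The packets are constructed, and the packet dict layout (proto, src, sport, dst, dport) is this example's own convention; it also accepts icmp and a bare protocol name such as udp, which the slide grammar does not spell out.

```python
"""Evaluate tcpdump-style filter expressions in the grammar of slides 9 and 18:
[tcp|udp|icmp] [src|dst] [host|net|port] id, joined with and / or / not and
parentheses. Added example, not tcpdump or libpcap code: it compiles an
expression into a predicate over decoded-packet dicts. Packets are constructed."""
import ipaddress

PROTOS = {"tcp", "udp", "icmp"}
DIRS = {"src", "dst"}
QUALS = {"host", "net", "port"}
KEYWORDS = {"and", "or", "not", "(", ")"}


def tokenize(expr: str) -> list:
    return expr.replace("(", " ( ").replace(")", " ) ").split()


class FilterParser:
    """Recursive descent with BPF precedence: not binds tightest, then and, then or."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        pred = self.or_expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return pred

    def or_expr(self):
        pred = self.and_expr()
        while self.peek() == "or":
            self.take()
            pred = self._either(pred, self.and_expr())
        return pred

    def and_expr(self):
        pred = self.not_expr()
        while self.peek() == "and":
            self.take()
            pred = self._both(pred, self.not_expr())
        return pred

    def not_expr(self):
        if self.peek() == "not":
            self.take()
            inner = self.not_expr()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            pred = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return pred
        return self.primitive()

    def primitive(self):
        proto = self.take() if self.peek() in PROTOS else None
        direction = self.take() if self.peek() in DIRS else None
        qual = self.take() if self.peek() in QUALS else None
        if self.peek() is None or self.peek() in KEYWORDS:
            if proto and not direction and not qual:     # bare "tcp", "udp", "icmp"
                return lambda p: p["proto"] == proto
            raise ValueError("expected an id after %r" % (direction or qual or proto))
        ident = self.take()
        qual = qual or "host"                            # slide 18: host is assumed
        if qual == "port":
            want, keys = int(ident), ("sport", "dport")
        else:                                            # host and net both take CIDR here
            want, keys = ipaddress.ip_network(ident, strict=False), ("src", "dst")
        if direction:
            keys = (keys[0],) if direction == "src" else (keys[1],)

        def test(p):
            if proto and p["proto"] != proto:
                return False
            for k in keys:
                val = p.get(k)                           # ICMP packets carry no ports
                if val is None:
                    continue
                hit = (val == want) if qual == "port" else (ipaddress.ip_address(val) in want)
                if hit:
                    return True
            return False
        return test

    @staticmethod
    def _both(l, r):
        return lambda p: l(p) and r(p)

    @staticmethod
    def _either(l, r):
        return lambda p: l(p) or r(p)


def compile_filter(expr: str):
    return FilterParser(tokenize(expr)).parse()


def select(expr: str, packets: list) -> list:
    pred = compile_filter(expr)
    return [p for p in packets if pred(p)]


# Constructed packets: an SSH session in both directions, an mDNS datagram, an inbound ping.
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.5", "sport": 51000, "dst": "10.0.0.1", "dport": 22},
    {"proto": "tcp", "src": "10.0.0.1", "sport": 22, "dst": "192.168.1.5", "dport": 51000},
    {"proto": "udp", "src": "192.168.1.7", "sport": 5353, "dst": "224.0.0.251", "dport": 5353},
    {"proto": "icmp", "src": "8.8.8.8", "dst": "192.168.1.5"},
]

if __name__ == "__main__":
    for expr in ("src host 192.168.1.5 and dst port 22", "net 192.168.1.0/24", "udp or icmp"):
        print(expr, "->", len(select(expr, PACKETS)), "packet(s)")
```

Note the difference between port 22 and dst port 22 on the sample data: without a direction keyword both halves of the SSH session match, which is usually what you want when looking at a conversation and usually not what you want when counting connection attempts.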
