, 2007
, IDS Snort 2.6.1.4, WinDump 3.8.3, NMap 4.20, WinPcap 4.0.
IDS Intrusion Detection System . IDS ( DoS) , .
. TCP/IP . IDS IP-, , . , TCP- ( SYN-) . , - TCP-.
, . , , . IDS.
(Network IDS NIDS) , , , (, ). NIDS , (, ).
(System Integrity Verifiers SIV) , , . , , . , , SIV , , , .
(Log-file Monitors LFM) , . NIDS, , , , , . log- HTTP-, , , , phf.
, IDS. , RealSecure Internet Security Systems (http://www.iss.net) . LIDS (Linux Intrusion Detection System, http://www.lids.org) Snort (http://www.snort.org). Portsentry, Hostsentry Logsentry Psionic.
IDS , . , . , . , . IDS . IDS .
IDS , . , , , . , , . IDS . , (. . 1).
Fig. 1. IDS
, . , 70% . , , , . . , . , , , . IDS .
IDS , . , . IDS , .
IDS . . , , http- .
, , \FOR_READING\.
IDS Snort:
__.mht
Intrusion_Detection_Systems_with_Snort_2003.pdf
OReilly_Snort_Cookbook_2005.chm
Snort_FAQ.pdf
:
________.mht
NMap:
___NMap___2003.htm
( , WinDump):
.mht
WINDUMP SNIFFER
Sniffer ( ) , . Network Associates Sniffer (r) Network Analyzer, , . sniffer (network sniffer) , , , , .
. () :
− (packet capturing) (machine readable) , ();
− (decoding) (human readable) ;
− ;
− ;
− ( , );
− , , , , , .
:
− ();
− .
. , . , ,
, Ethernet, . , Ethernet , . , 48 , MAC- , . , . , . promiscuous mode, .
promiscuous mode, Ethernet , . ARP-. : broadcast domain, , , ARP- , , ( RP-, MAC- ). -.
:
− ;
− ;
− .
. , , .
:
− troubleshooting ( );
− ;
− ;
− .
:
− ;
− , (plain text) ( telnet, POP, IMAP, NNTP, IRC, -, , SNMP v1 community-strings ..).
, WinDump () .
WinDump Windows, *NIX TCPDump. , TCPDump, .
WinDump
WinDump , . , -, WinDump (, , ). (, TCP, UDP, ICMP), . . WinDump TCP. TCP, WinDump:
09:32:43:910000 nmap.edu.1173 > dns.net.21: S 62697789:62697789(0) win 512
09:32:43:910000. The timestamp of the packet: hours, minutes, seconds and the fraction of a second.
nmap.edu. The source host. WinDump prints the host name when it can resolve the address (and -n was not given); otherwise it prints the IP address.
1173. The source port. Here it is an ephemeral client port rather than a well-known service port (such as 21 for FTP).
>. The direction of the packet, from source to destination.
dns.net. The destination host.
21. The destination port.
S. The TCP flags. S stands for SYN, the flag set on the first packet of a TCP connection.
62697789:62697789(0). The TCP sequence numbers, in the form first:last(bytes). The first number is the sequence number of the first data byte of the segment, here the initial sequence number (ISN) chosen for the connection; the second is the sequence number of the byte that follows the segment's data; the value in parentheses is the number of data bytes. This segment carries no data, so the count is 0 and both numbers are the same.
win 512. The TCP window size (in bytes) that nmap.edu advertises to the other side.
TCP
TCP . . TCP, WinDump .
TCP flag | WinDump notation | Meaning
SYN | S | Synchronize sequence numbers; set on the first packet of a TCP connection.
ACK | ack | Acknowledgment; the acknowledged sequence number is printed after the sequence numbers.
FIN | F | The sender has no more data; the connection is being closed.
RESET | R | The connection is reset (aborted).
PUSH | P | Deliver the data to the application at once instead of buffering it. Interactive protocols such as Telnet set PUSH on their small segments.
URGENT | urg | Urgent data is present, for example a Ctrl+C sent during an FTP session.
. | . | None of SYN, FIN, RESET or PUSH is set (a plain data or acknowledgment segment).
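The sample line and the flags table above, worked through in code. This is an added example, not part of the lab manual: it parses WinDump's one-line TCP output into fields, names the flags using the table, and, as a defender reading a capture would, counts how many distinct targets each source sent bare SYNs to. The regular expression and the extra sample lines are my own assumptions about the output format; only the first sample line comes from the text.

```python
import re
from collections import defaultdict

# What the flag characters in WinDump's flags column mean (see the table above)
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", ".": "no SYN/FIN/RST/PSH"}

# One WinDump TCP line: time src.port > dst.port: flags [seq:seq(len)] [ack n] [win n] [urg n]
LINE_RE = re.compile(r"""
    (?P<time>\d\d:\d\d:\d\d[:.]\d+)\s+
    (?P<src>[\w.-]+)\.(?P<sport>\w+)\s+>\s+(?P<dst>[\w.-]+)\.(?P<dport>\w+):\s+
    (?P<flags>[SFRP.]+)
    (?:\s+(?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\))?
    (?:\s+ack\s+(?P<ack>\d+))?(?:\s+win\s+(?P<win>\d+))?(?:\s+urg\s+(?P<urg>\d+))?
""", re.VERBOSE)

def parse_line(line):
    """Split one WinDump TCP line into its fields; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("seq_start", "seq_end", "length", "ack", "win", "urg"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    rec["flag_names"] = [FLAG_NAMES[c] for c in rec["flags"]]
    return rec

def is_connection_request(rec):
    # First packet of the handshake: SYN set, nothing acknowledged yet, and, as the text
    # notes for the sample line, an empty segment printed as ISN:ISN(0)
    return "S" in rec["flags"] and rec["ack"] is None and rec["length"] == 0

def syn_targets_per_source(lines):
    """Count the distinct (host, port) targets each source sent bare SYNs to. Many targets
    from one source within a short time is the trace a port scan leaves in a capture."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_connection_request(rec):
            targets[rec["src"]].add((rec["dst"], rec["dport"]))
    return {src: len(t) for src, t in targets.items()}

# Constructed sample: the line from the text, two more probes, a reset and a normal data segment
SAMPLE = """\
09:32:43:910000 nmap.edu.1173 > dns.net.21: S 62697789:62697789(0) win 512
09:32:43:910200 nmap.edu.1174 > dns.net.22: S 62697790:62697790(0) win 512
09:32:43:910400 nmap.edu.1175 > dns.net.25: S 62697791:62697791(0) win 512
09:32:43:911000 dns.net.21 > nmap.edu.1173: R 0:0(0) ack 62697790 win 0
09:32:44:000000 client.net.2201 > web.net.80: P 100:130(30) ack 1 win 8760
""".splitlines()
```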
WinDump
WinDump [-adeflnNOpqStvx] [-c count] [-F file] [-i interface]
[-r file] [-s snaplen] [-T type] [-w file] [expression]
WinDump-specific options: [-D] [-B size].
-a  Attempt to convert network and broadcast addresses to names.
-c count  Exit after receiving count packets.
-d  Dump the compiled packet-matching code in a human-readable form to standard output and stop.
-dd  Dump the packet-matching code as a C program fragment.
-ddd  Dump the packet-matching code as decimal numbers (preceded by a count).
-e  Print the link-level header on each dump line.
-f  Print foreign (non-local) internet addresses numerically rather than symbolically.
-F file  Use file as input for the filter expression; any expression given on the command line is ignored.
-i interface  Listen on interface. If unspecified, WinDump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). On Windows, interface can be the adapter name or its number in the list printed by WinDump -D.
-l  Make stdout line buffered. Useful if you want to see the data while capturing it, e.g.:
WinDump -l | tee dat
WinDump -l > dat & tail -f dat
-n  Don't convert addresses (i.e. host addresses, port numbers, etc.) to names.
-N  Don't print the domain name qualification of host names. E.g., with this flag tcpdump prints nic instead of nic.ddn.mil.
-O  Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.
-p  Don't put the interface into promiscuous mode.
-q  Quick (quiet) output. Print less protocol information so output lines are shorter.
-r file  Read packets from file (which was created with the -w option). Standard input is used if file is "-".
-s snap_len  Capture snap_len bytes of data from each packet rather than the default of 68 (with SunOS's NIT, the minimum is actually 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from DNS and NFS packets.
-T type  Force packets selected by expression to be interpreted as the specified type. Currently known types are rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), vat (Visual Audio Tool) and wb (distributed White Board).
-S  Print absolute, rather than relative, TCP sequence numbers.
-t  Don't print a timestamp on each dump line.
-tt  Print an unformatted timestamp on each dump line.
-v  (Slightly more) verbose output. For example, the time to live and type of service information in an IP packet is printed.
-vv  Even more verbose output. For example, additional fields are printed from NFS reply packets.
-w file  Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is "-".
-x  Print each packet (minus its link-level header) in hex. The smaller of the entire packet or snap_len bytes will be printed.
-B size  Set the driver's buffer size in kilobytes (default 1 MB). If packets are being dropped, for instance on a busy 10 Mbit Ethernet, try a larger value.
-D  Print the list of the network interfaces available on the system. For each interface the number, the name and a description are printed. Either the number or the name can then be passed to -i:
WinDump -i name
WinDump -i number
Expression selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is true will be dumped.
The expression consists of one or more primitives. A primitive usually consists of an id (name or number) preceded by one or more qualifiers. There are three kinds of qualifier:
type qualifiers say what kind of thing the id name or number refers to. Possible types are host, net and port. E.g., host foo, net 128.3, port 20. If there is no type qualifier, host is assumed.
dir qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst and src and dst. E.g., src foo, dst net 128.3, src or dst port ftp-data. If there is no dir qualifier, src or dst is assumed. For null link layers (point-to-point protocols such as ppp or slip) the inbound and outbound qualifiers can be used to specify the desired direction.
proto qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp. E.g., ether src foo, arp net 128.3, tcp port 21. If there is no proto qualifier, all protocols consistent with the type are assumed. (fddi is actually an alias for ether; the parser treats them identically as meaning the data link level used on the specified network interface. FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields.)
In addition to the above, there are some special primitive keywords that don't follow the pattern: gateway, broadcast, less, greater and arithmetic expressions.
More complex filter expressions are built up by using the words and, or and not to combine primitives. E.g., host foo and not port ftp and not port ftp-data. To save typing, identical qualifier lists can be omitted. E.g., tcp dst port ftp or ftp-data or domain is exactly the same as tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain.
Allowable primitives are:
dst host host  True if the IP destination field of the packet is host, which may be either an address or a name.
src host host  True if the IP source field of the packet is host.
host host  True if either the IP source or destination of the packet is host. Any of the above host expressions can be prepended with the keywords ip, arp or rarp, as in ip host host, which is equivalent to ether proto \ip and host host. If host is a name with multiple IP addresses, each address is checked for a match.
ether dst ehost  True if the Ethernet destination address is ehost. Ehost may be either a name from /etc/ethers or a number (see ethers(3N) for the numeric format).
ether src ehost  True if the Ethernet source address is ehost.
ether host ehost  True if either the Ethernet source or destination address is ehost.
gateway host  True if the packet used host as a gateway, i.e. the Ethernet source or destination address was host but neither the IP source nor the IP destination was host. Host must be a name and must be found in both /etc/hosts and /etc/ethers. (An equivalent expression is ether host ehost and not host host, which can be used with either names or numbers for host / ehost.)
dst net net  True if the IP destination address of the packet has a network number of net. Net may be either a name from /etc/networks or a network number.
src net net  True if the IP source address of the packet has a network number of net.
net net  True if either the IP source or destination address of the packet has a network number of net.
net net mask mask  True if the IP address matches net with the specified netmask. May be qualified with src or dst.
net net/len  True if the IP address matches net with a netmask len bits wide (CIDR notation). May be qualified with src or dst.
dst port port  True if the packet is ip/tcp or ip/udp and has a destination port value of port. The port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and the protocol are checked. If a number or an ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login and udp/who traffic, and port domain will print both tcp/domain and udp/domain traffic).
src port port  True if the packet has a source port value of port.
port port  True if either the source or the destination port of the packet is port. Any of the above port expressions can be prepended with the keywords tcp or udp, as in tcp src port port, which matches only tcp packets whose source port is port.
less length  True if the packet has a length less than or equal to length. This is equivalent to len <= length.
greater length  True if the packet has a length greater than or equal to length. This is equivalent to len >= length.
ip proto protocol  True if the packet is an IP packet of protocol type protocol. Protocol can be a number or one of the names icmp, igrp, udp, nd or tcp.
ether broadcast  True if the packet is an Ethernet broadcast packet. The ether keyword is optional.
ip broadcast  True if the packet is an IP broadcast packet.
ether multicast  True if the packet is an Ethernet multicast packet. The ether keyword is optional. This is shorthand for ether[0] & 1 != 0.
ip multicast  True if the packet is an IP multicast packet.
ether proto protocol  True if the packet is of ether type protocol. Protocol can be a number or one of the names ip, arp or rarp (these are also keywords and must be escaped with a backslash, as in \ip).
decnet src host  True if the DECNET source address is host, which may be an address of the form 10.123 or a DECNET host name. (DECNET host name support is only available on Ultrix systems configured to run DECNET.)
decnet dst host  True if the DECNET destination address is host.
decnet host host  True if either the DECNET source or destination address is host.
proto [ expr : size ]
Proto is one of ether, fddi, ip, arp, rarp, tcp, udp or icmp, and indicates the protocol layer for the index operation. The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be 1, 2 or 4, and defaults to 1.
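The qualifier rules described above (defaults of host and src or dst, the inheritance of an omitted qualifier list in tcp dst port ftp or ftp-data or domain, and the not/and/or precedence), as an added example that is not part of the lab manual or of WinDump: a small evaluator for the host, net and port primitives run against constructed packet records. Name resolution and the parenthesised or special-keyword forms are left out; the SERVICES table and the packet dictionaries are my own constructions.

```python
import ipaddress
# Constructed subset of /etc/services for primitives such as "port ftp"
SERVICES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "domain": 53, "http": 80}
DEFAULTS = {"proto": "ip", "dir": "src-or-dst", "type": "host"}  # the defaults the text gives
QUALS = {"proto": {"ip", "tcp", "udp"}, "type": {"host", "net", "port"},
         "dir": {"src", "dst", "src-or-dst", "src-and-dst"}}

def parse_primitive(words, inherited):
    # [proto] [dir] [type] id; a bare id inherits the previous primitive's qualifiers,
    # so "tcp dst port ftp or ftp-data" reads as "... or tcp dst port ftp-data"
    q = dict(inherited if len(words) == 1 else DEFAULTS)
    for tok in words[:-1]:
        for name, keywords in QUALS.items():
            if tok in keywords:
                q[name] = tok
    q["id"] = words[-1]
    return q

def match_primitive(q, pkt):
    if q["proto"] != "ip" and pkt["proto"] != q["proto"]:
        return False
    if q["type"] == "host":
        hits = [pkt["src"] == q["id"], pkt["dst"] == q["id"]]
    elif q["type"] == "net":  # "128.3" means 128.3.0.0/16; "net/len" is CIDR notation
        addr, _, plen = q["id"].partition("/")
        octets = addr.split(".")
        net = ipaddress.ip_network(".".join(octets + ["0"] * (4 - len(octets)))
                                   + f"/{plen or 8 * len(octets)}", strict=False)
        hits = [ipaddress.ip_address(pkt[k]) in net for k in ("src", "dst")]
    else:  # port, given as a number or as an /etc/services name
        port = int(SERVICES.get(q["id"], q["id"]))
        hits = [pkt["sport"] == port, pkt["dport"] == port]
    return {"src": hits[0], "dst": hits[1], "src-or-dst": hits[0] or hits[1],
            "src-and-dst": hits[0] and hits[1]}[q["dir"]]

def evaluate(expr, pkt):
    # pkt: dict with proto/src/dst/sport/dport. Precedence not > and > or, so split on or, then and
    expr = expr.replace("src or dst", "src-or-dst").replace("src and dst", "src-and-dst")
    inherited, result = dict(DEFAULTS), False
    for group in expr.split(" or "):
        group_ok = True
        for term in group.split(" and "):
            words = term.split()
            negate = words[0] == "not"
            q = parse_primitive(words[1:] if negate else words, inherited)
            inherited = {k: q[k] for k in DEFAULTS}
            group_ok = group_ok and (match_primitive(q, pkt) != negate)
        result = result or group_ok
    return result
```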