IDS & Passive Network Defense
•
2 likes•429 views
In this slides I talked about IDS and his passive (without a firewall) role that it has in the network, analyzing different scenarios. In particularly i used and talked about Snort
Report
Share
Report
Share
Download to read offline
Recommended
Hardening Three - IDS/IPS Technologies
Hardening is a conference of Computer Security, created by Prof. Giampaolo Bella of University of Catania to talk of the way to harden the computer that we use every day. In each edition there are different arguments of Internet/Computer Security. In this edition (29 may 2017) we have talked of Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS), show examples of attacks and applications of these technologies.
Introduction to lecture
https://www.youtube.com/watch?v=tUYbRu1nrz8&feature=youtu.be&a
Port Scanning
Port scanning involves sending packets to ports on a target system to discover which ports are open and may be exploited. There are several common port scanning techniques like TCP connect scanning, SYN scanning, FIN scanning, and UDP scanning. Port scanners try to avoid detection by scanning slowly, spoofing packets, or fragmenting packets. Systems can detect port scans through signatures like many connections to different ports from the same source in a short time.
Dynamic Port Scanning
The document discusses dynamic port scanning (DPS), which integrates ARP poisoning into port scanning to dynamically spoof the source IP address of scan packets. DPS works by poisoning the ARP cache of the target host or gateway so that scan replies are delivered to the scanning machine regardless of the spoofed source IP. This allows the scan to appear as if it is coming from many machines, improving stealth, while still obtaining results unlike traditional IP spoofing techniques. The document outlines how DPS works, current spoofing methods, advantages over other techniques, and limitations.
Port scanning
Port scanning is the process of examining IP addresses to determine what services are running on a network. It can be used by administrators to verify security policies and by attackers to identify vulnerabilities. Nmap is one of the most popular port scanners that adds features like OS detection. Shadow Security Scanner is a port scanning tool that audits services like FTP, SSH, SMTP, and supports expanding capabilities through an open ActiveX architecture. To prevent attacks, network devices should implement IP spoofing and firewalls should only allow necessary traffic while detecting and blocking potentially malicious behavior over time.
Ch 5: Port Scanning
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
Port Scanning Overview
Port scanning involves attempting to connect to ports on a target system to discover which ports are open and what services they correspond to. It is done by software that scans a range of ports, usually 0 to 65,536, and analyzes responses to determine whether ports are open, closed, or filtered. Common port scanning tools include Nmap and Netcat. While port scanning can be used maliciously for hacking, it is also used by system administrators to diagnose network issues.
Network scanning
A network consists of 3 parts: IP addresses, services, and ports. An IP address has a network and host address determined by the subnet mask. Services are network protocols that link server and client applications, typically running on specific ports, though any service can run on any port. Ports allow different services to be available from one location, with common services using well-known ports. Network scanning includes host scanning to locate hosts, port scanning to determine services, and vulnerability scanning to find known flaws using signature-based tools like Nmap, Nessus, GFI LANguard, and SuperScan.
Predicting and Abusing WPA2/802.11 Group Keys
We analyze the generation and management of WPA2 group keys. These keys protect broadcast and multicast Wi-Fi traffic. We discovered several issues and illustrate their importance by decrypting all group (and unicast) traffic of a typical Wi-Fi network.
First we show that the 802.11 random number generator is flawed by design, and provides an insufficient amount of entropy. This is confirmed by predicting randomly generated group keys on several platforms. We then examine whether group keys are securely transmitted to clients. Here we discover a downgrade attack that forces usage of RC4 to encrypt the group key when transmitted in the 4-way handshake. The per-message RC4 key is the concatenation of a public 16-byte initialization vector with a secret 16-byte key, and the first 256 keystream bytes are dropped. We study this peculiar usage of RC4, and find that capturing 2 billion handshakes can be sufficient to recover (i.e., decrypt) a 128-bit group key. We also examine whether group traffic is properly isolated from unicast traffic. We find that this is not the case, and show that the group key can be used to inject and decrypt unicast traffic. Finally, we propose and study a new random number generator tailored for 802.11 platforms.
Recommended
Hardening Three - IDS/IPS Technologies
Hardening is a conference of Computer Security, created by Prof. Giampaolo Bella of University of Catania to talk of the way to harden the computer that we use every day. In each edition there are different arguments of Internet/Computer Security. In this edition (29 may 2017) we have talked of Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS), show examples of attacks and applications of these technologies.
Introduction to lecture
https://www.youtube.com/watch?v=tUYbRu1nrz8&feature=youtu.be&a
Port Scanning
Port scanning involves sending packets to ports on a target system to discover which ports are open and may be exploited. There are several common port scanning techniques like TCP connect scanning, SYN scanning, FIN scanning, and UDP scanning. Port scanners try to avoid detection by scanning slowly, spoofing packets, or fragmenting packets. Systems can detect port scans through signatures like many connections to different ports from the same source in a short time.
Dynamic Port Scanning
The document discusses dynamic port scanning (DPS), which integrates ARP poisoning into port scanning to dynamically spoof the source IP address of scan packets. DPS works by poisoning the ARP cache of the target host or gateway so that scan replies are delivered to the scanning machine regardless of the spoofed source IP. This allows the scan to appear as if it is coming from many machines, improving stealth, while still obtaining results unlike traditional IP spoofing techniques. The document outlines how DPS works, current spoofing methods, advantages over other techniques, and limitations.
Port scanning
Port scanning is the process of examining IP addresses to determine what services are running on a network. It can be used by administrators to verify security policies and by attackers to identify vulnerabilities. Nmap is one of the most popular port scanners that adds features like OS detection. Shadow Security Scanner is a port scanning tool that audits services like FTP, SSH, SMTP, and supports expanding capabilities through an open ActiveX architecture. To prevent attacks, network devices should implement IP spoofing and firewalls should only allow necessary traffic while detecting and blocking potentially malicious behavior over time.
Ch 5: Port Scanning
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
Port Scanning Overview
Port scanning involves attempting to connect to ports on a target system to discover which ports are open and what services they correspond to. It is done by software that scans a range of ports, usually 0 to 65,536, and analyzes responses to determine whether ports are open, closed, or filtered. Common port scanning tools include Nmap and Netcat. While port scanning can be used maliciously for hacking, it is also used by system administrators to diagnose network issues.
Network scanning
A network consists of 3 parts: IP addresses, services, and ports. An IP address has a network and host address determined by the subnet mask. Services are network protocols that link server and client applications, typically running on specific ports, though any service can run on any port. Ports allow different services to be available from one location, with common services using well-known ports. Network scanning includes host scanning to locate hosts, port scanning to determine services, and vulnerability scanning to find known flaws using signature-based tools like Nmap, Nessus, GFI LANguard, and SuperScan.
Predicting and Abusing WPA2/802.11 Group Keys
We analyze the generation and management of WPA2 group keys. These keys protect broadcast and multicast Wi-Fi traffic. We discovered several issues and illustrate their importance by decrypting all group (and unicast) traffic of a typical Wi-Fi network.
First we show that the 802.11 random number generator is flawed by design, and provides an insufficient amount of entropy. This is confirmed by predicting randomly generated group keys on several platforms. We then examine whether group keys are securely transmitted to clients. Here we discover a downgrade attack that forces usage of RC4 to encrypt the group key when transmitted in the 4-way handshake. The per-message RC4 key is the concatenation of a public 16-byte initialization vector with a secret 16-byte key, and the first 256 keystream bytes are dropped. We study this peculiar usage of RC4, and find that capturing 2 billion handshakes can be sufficient to recover (i.e., decrypt) a 128-bit group key. We also examine whether group traffic is properly isolated from unicast traffic. We find that this is not the case, and show that the group key can be used to inject and decrypt unicast traffic. Finally, we propose and study a new random number generator tailored for 802.11 platforms.
Nmap(network mapping)
This document discusses various port scanning techniques used by hackers to discover services, operating systems, and open ports on target hosts. It explains common TCP scans like SYN scans which identify open and closed ports, and UDP scans. Timing options and techniques for hiding scans are also covered. The document provides examples of using the Nmap tool to perform scans and identify operating systems.
Security & ethical hacking
This document provides an overview of advanced scanning and exploitation techniques for security testing. It discusses using Nmap to scan for open ports and operating systems. The importance of local IP sweeping to find vulnerable systems on a local network is explained. Netcat is demonstrated as a simple way to create a remote shell on another system. Brief examples of shellcode and exploits that can be delivered through media files like JPGs and MP3s are also provided. The conclusion emphasizes that while this information is shown for educational purposes, actually exploiting systems without permission would be illegal.
Module 3 Scanning
The document discusses scanning techniques used during penetration testing and hacking. It defines different types of scanning like port scanning, network scanning, and vulnerability scanning. It describes tools like Nmap that can be used to perform these scans and examines techniques like SYN scanning, XMAS scanning, NULL scanning, and IDLE scanning. The document also discusses using proxies and anonymizers to hide one's location while scanning and ways to document results like creating network diagrams of vulnerable systems.
Wireless Hacking Fast Track
This document provides information about tools and hardware requirements for wireless hacking and security testing on Linux systems. It discusses wardriving tools like Kismet and Aircrack for detecting wireless networks, as well as tools for cracking WEP keys like Airsnort and cracking WPA pre-shared keys with Cowpatty. It also lists recommended wireless network cards, describes wardriving for passive and active detection, and provides contact information for T'Lab, a technology open source laboratory.
All About Snort
Snort is an open source network intrusion detection system (NIDS) that can perform network monitoring and packet logging. It analyzes network traffic in real-time and compares it to a rulebase to detect anomalous activity such as malware, attacks, and intrusions. Snort works by decoding packet headers and payloads and applying rules to detect patterns across the network, transport, and application layers. It can operate in three modes: sniffer, packet logger, and intrusion detection system. Rules are used to specify conditions that indicate malicious traffic and generate alerts.
Nagios Conference 2013 - Spenser Reinhardt - Intro to Network Monitoring Usin...
Spenser Reinhardt's presentation on Intro to Network Monitoring Using Nagios Network Analyzer and NSTI.
The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
This document discusses port scanning and various tools used for port scanning. It describes what port scanning is, different types of port scans like SYN and ACK scans, and popular port scanning tools like Nmap, Nessus, and Unicornscan. It also covers ping sweeps to identify active hosts and using shell scripting to automate security tasks.
Security & ethical hacking p2
The document provides an overview of ethical hacking techniques such as advanced scanning with NMAP to identify open ports and operating systems on remote systems. It discusses how tools like Nmap and Angry IP Scanner can be used to scan locally and remotely, and how information gathered can be used to potentially exploit systems. Example exploits discussed include using Netcat to create remote shells and payloads embedded in files like JPEG and MP3 files. The document emphasizes that while the information is presented, actually hacking systems without permission would be illegal.
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
This document summarizes research on breaking encryption schemes that use the RC4 stream cipher. The researchers discovered new biases in the RC4 keystream that allow recovering plaintext more efficiently. They applied these biases to break WPA-TKIP encryption and decrypt HTTPS cookies. For WPA-TKIP, simulating traffic captures allowed decrypting packets and the message integrity check key within an hour. For HTTPS, biases were combined to decrypt 16-character cookies in around 75 hours by manipulating requests sent to a target site. The work significantly advances attacks against protocols still relying on the weakened RC4 cipher.
Network Scanning Phases and Supporting Tools
This presentation focuses on the network penetration scanning phase. It introduces tools and techniques that professional pen-testers and ethical hackers need to master to find target machines, openings on those targets and vulnerabilities.
Pertemuan 9 intrusion detection system
Keamanan Jaringan
Universitas Teknokrat Indonesia
Intrusion detection system
http://spada.teknokrat.ac.id
Recon with Nmap
The document discusses using Nmap to perform network scanning and reconnaissance. It provides an overview of Nmap, describing common scan types like TCP and UDP scans. It also covers useful Nmap options for tasks like service and operating system detection. The document demonstrates the Nmap Scripting Engine for tasks like vulnerability scanning and brute force attacks. It provides examples of commands for different scan types and scripts.
NMAP by Shrikant Antre & Shobhit Gautam
Nmap is a popular port scanning tool used to discover open ports and services on a target system. It works by sending packets with different TCP flags like SYN, ACK, FIN to determine if ports are open or closed. Some scanning techniques used by Nmap include SYN scanning, stealth scanning, Xmas scanning, FIN scanning, and NULL scanning. These techniques allow the user to discover vulnerabilities and compromise target systems by exploiting open ports.
Wireless security beyond password cracking by Mohit Ranjan
Network attacks in wired Lan environments
Protection in wired Lan
Layout of modern networks ( wired + wireless )
Difference between wired and wireless security
Most powerful situation to acquire in any network
Wireless attacks
Why NTP ?
Captive portal attacks
Conclusion and some wild thoughts
For complete data to perform this attack please go to the Github link below:
https://github.com/mohitrajain/Wireless_security_beyond_password_cracking
Snort
This document provides an overview and implementation guide for Snort, an open source intrusion detection and prevention system (IDPS). It discusses what Snort is, how it works, and how to install and configure it on an Ubuntu server. The key points covered include:
- Snort can operate as a network intrusion detection system (NIDS), packet logger, or intrusion prevention system (IPS) through inline mode.
- Configuring an Ubuntu server, installing prerequisites like libpcap and PCRE libraries, and downloading/compiling the latest version of Snort from source.
- Creating directories, configuration files, rules files and setting permissions for Snort to run properly.
- Additional tools
ShinoBOT Suite
ShinoBOT Suite is a cyber attack campaign simulator. This slide was presented at the Black Hat USA 2014 Arsenal.
Practical Verification of TKIP Vulnerabilities
TKIP has vulnerabilities that allow an attacker to:
1) Efficiently cause denial of service attacks by forging packets and triggering integrity check failures.
2) Forge arbitrary packets that can be sent to clients.
3) Decrypt traffic that is sent towards the client by recovering the integrity check key.
Alessio Lama - Development and testing of a safety network protocol
This document discusses the development and testing of safety network protocols for applications in automotive, industrial automation, and other fields. It outlines several issues with network communication such as access denial, repetition, loss, corruption, and timeouts. It then describes techniques for addressing these issues, including the use of VLANs for access control, CRC and hash functions for error detection, supervision packets for connection monitoring, and timestamps for timeout detection. Finally, it discusses tools for testing protocols, such as Wireshark, Scapy, TTCN-3, PTP, and PRP, which provides redundancy against network failures.
Snort
This document discusses the network analysis and intrusion detection software Snort. It provides information on Snort's architecture including its packet sniffer, preprocessor, detection engine, and alert logging capabilities. It also covers using Snort in various modes like sniffer, packet logger, and network intrusion detection system and provides an example Snort rule.
Snort
Snort is an open source network intrusion detection and prevention system that monitors network traffic and compares it against a ruleset to detect anomalous activity. It works on the network, transport, and application layers to analyze packet headers, payloads, and apply detection rules using a string matching algorithm. Snort includes components like a packet decoder, preprocessors, detection engine, and output modules. The detection engine applies rules to packets in priority order to detect known intrusions based on signatures as well as potential new attacks. Improving Snort involves optimizing its rule processing, offloading work to hardware, and developing better detection algorithms.
L5A - Intrusion Detection Systems.pptx
An intrusion detection system (IDS) monitors network traffic and system activities for malicious activities or policy violations. An IDS uses signature-based detection to compare events against known intrusion signatures. It also uses anomaly detection to identify deviations from a baseline of normal user behavior. A network-based IDS monitors all network traffic while a host-based IDS analyzes the activities on an individual system. Other types of IDS include log file monitoring, file integrity checking, and system integrity verification. An IDS helps identify intrusions by detecting anomalies, protocol violations, and unauthorized changes to systems or files.
Network Vulnerabilities And Cyber Kill Chain Essay
This document discusses several networking tools, beginning with Wireshark. Wireshark is described as an open-source packet sniffer that allows users to capture and analyze network traffic passing through their computer. It started development in 1998 under the name Ethereal, and was renamed in 2006. The document then moves on to briefly describe Nmap, TCPDump, and Netcat. Nmap is a port scanning tool used for network discovery and security auditing. TCPDump is a command line packet analyzer that prints out network traffic. Netcat is a networking utility that reads and writes data across network connections using TCP or UDP.
More Related Content
What's hot
Nmap(network mapping)
This document discusses various port scanning techniques used by hackers to discover services, operating systems, and open ports on target hosts. It explains common TCP scans like SYN scans which identify open and closed ports, and UDP scans. Timing options and techniques for hiding scans are also covered. The document provides examples of using the Nmap tool to perform scans and identify operating systems.
Security & ethical hacking
This document provides an overview of advanced scanning and exploitation techniques for security testing. It discusses using Nmap to scan for open ports and operating systems. The importance of local IP sweeping to find vulnerable systems on a local network is explained. Netcat is demonstrated as a simple way to create a remote shell on another system. Brief examples of shellcode and exploits that can be delivered through media files like JPGs and MP3s are also provided. The conclusion emphasizes that while this information is shown for educational purposes, actually exploiting systems without permission would be illegal.
Module 3 Scanning
The document discusses scanning techniques used during penetration testing and hacking. It defines different types of scanning like port scanning, network scanning, and vulnerability scanning. It describes tools like Nmap that can be used to perform these scans and examines techniques like SYN scanning, XMAS scanning, NULL scanning, and IDLE scanning. The document also discusses using proxies and anonymizers to hide one's location while scanning and ways to document results like creating network diagrams of vulnerable systems.
Wireless Hacking Fast Track
This document provides information about tools and hardware requirements for wireless hacking and security testing on Linux systems. It discusses wardriving tools like Kismet and Aircrack for detecting wireless networks, as well as tools for cracking WEP keys like Airsnort and cracking WPA pre-shared keys with Cowpatty. It also lists recommended wireless network cards, describes wardriving for passive and active detection, and provides contact information for T'Lab, a technology open source laboratory.
All About Snort
Snort is an open source network intrusion detection system (NIDS) that can perform network monitoring and packet logging. It analyzes network traffic in real-time and compares it to a rulebase to detect anomalous activity such as malware, attacks, and intrusions. Snort works by decoding packet headers and payloads and applying rules to detect patterns across the network, transport, and application layers. It can operate in three modes: sniffer, packet logger, and intrusion detection system. Rules are used to specify conditions that indicate malicious traffic and generate alerts.
Nagios Conference 2013 - Spenser Reinhardt - Intro to Network Monitoring Usin...
Spenser Reinhardt's presentation on Intro to Network Monitoring Using Nagios Network Analyzer and NSTI.
The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
This document discusses port scanning and various tools used for port scanning. It describes what port scanning is, different types of port scans like SYN and ACK scans, and popular port scanning tools like Nmap, Nessus, and Unicornscan. It also covers ping sweeps to identify active hosts and using shell scripting to automate security tasks.
Security & ethical hacking p2
The document provides an overview of ethical hacking techniques such as advanced scanning with NMAP to identify open ports and operating systems on remote systems. It discusses how tools like Nmap and Angry IP Scanner can be used to scan locally and remotely, and how information gathered can be used to potentially exploit systems. Example exploits discussed include using Netcat to create remote shells and payloads embedded in files like JPEG and MP3 files. The document emphasizes that while the information is presented, actually hacking systems without permission would be illegal.
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
This document summarizes research on breaking encryption schemes that use the RC4 stream cipher. The researchers discovered new biases in the RC4 keystream that allow recovering plaintext more efficiently. They applied these biases to break WPA-TKIP encryption and decrypt HTTPS cookies. For WPA-TKIP, simulating traffic captures allowed decrypting packets and the message integrity check key within an hour. For HTTPS, biases were combined to decrypt 16-character cookies in around 75 hours by manipulating requests sent to a target site. The work significantly advances attacks against protocols still relying on the weakened RC4 cipher.
Network Scanning Phases and Supporting Tools
This presentation focuses on the network penetration scanning phase. It introduces tools and techniques that professional pen-testers and ethical hackers need to master to find target machines, openings on those targets and vulnerabilities.
Pertemuan 9 intrusion detection system
Keamanan Jaringan
Universitas Teknokrat Indonesia
Intrusion detection system
http://spada.teknokrat.ac.id
Recon with Nmap
The document discusses using Nmap to perform network scanning and reconnaissance. It provides an overview of Nmap, describing common scan types like TCP and UDP scans. It also covers useful Nmap options for tasks like service and operating system detection. The document demonstrates the Nmap Scripting Engine for tasks like vulnerability scanning and brute force attacks. It provides examples of commands for different scan types and scripts.
NMAP by Shrikant Antre & Shobhit Gautam
Nmap is a popular port scanning tool used to discover open ports and services on a target system. It works by sending packets with different TCP flags like SYN, ACK, FIN to determine if ports are open or closed. Some scanning techniques used by Nmap include SYN scanning, stealth scanning, Xmas scanning, FIN scanning, and NULL scanning. These techniques allow the user to discover vulnerabilities and compromise target systems by exploiting open ports.
Wireless security beyond password cracking by Mohit Ranjan
Network attacks in wired Lan environments
Protection in wired Lan
Layout of modern networks ( wired + wireless )
Difference between wired and wireless security
Most powerful situation to acquire in any network
Wireless attacks
Why NTP ?
Captive portal attacks
Conclusion and some wild thoughts
For complete data to perform this attack please go to the Github link below:
https://github.com/mohitrajain/Wireless_security_beyond_password_cracking
Snort
This document provides an overview and implementation guide for Snort, an open source intrusion detection and prevention system (IDPS). It discusses what Snort is, how it works, and how to install and configure it on an Ubuntu server. The key points covered include:
- Snort can operate as a network intrusion detection system (NIDS), packet logger, or intrusion prevention system (IPS) through inline mode.
- Configuring an Ubuntu server, installing prerequisites like libpcap and PCRE libraries, and downloading/compiling the latest version of Snort from source.
- Creating directories, configuration files, rules files and setting permissions for Snort to run properly.
- Additional tools
ShinoBOT Suite
ShinoBOT Suite is a cyber attack campaign simulator. This slide was presented at the Black Hat USA 2014 Arsenal.
Practical Verification of TKIP Vulnerabilities
TKIP has vulnerabilities that allow an attacker to:
1) Efficiently cause denial of service attacks by forging packets and triggering integrity check failures.
2) Forge arbitrary packets that can be sent to clients.
3) Decrypt traffic that is sent towards the client by recovering the integrity check key.
Alessio Lama - Development and testing of a safety network protocol
This document discusses the development and testing of safety network protocols for applications in automotive, industrial automation, and other fields. It outlines several issues with network communication such as access denial, repetition, loss, corruption, and timeouts. It then describes techniques for addressing these issues, including the use of VLANs for access control, CRC and hash functions for error detection, supervision packets for connection monitoring, and timestamps for timeout detection. Finally, it discusses tools for testing protocols, such as Wireshark, Scapy, TTCN-3, PTP, and PRP, which provides redundancy against network failures.
Snort
This document discusses the network analysis and intrusion detection software Snort. It provides information on Snort's architecture including its packet sniffer, preprocessor, detection engine, and alert logging capabilities. It also covers using Snort in various modes like sniffer, packet logger, and network intrusion detection system and provides an example Snort rule.
Snort
Snort is an open source network intrusion detection and prevention system that monitors network traffic and compares it against a ruleset to detect anomalous activity. It works on the network, transport, and application layers to analyze packet headers, payloads, and apply detection rules using a string matching algorithm. Snort includes components like a packet decoder, preprocessors, detection engine, and output modules. The detection engine applies rules to packets in priority order to detect known intrusions based on signatures as well as potential new attacks. Improving Snort involves optimizing its rule processing, offloading work to hardware, and developing better detection algorithms.
What's hot (20)
Nagios Conference 2013 - Spenser Reinhardt - Intro to Network Monitoring Usin...
Nagios Conference 2013 - Spenser Reinhardt - Intro to Network Monitoring Usin...
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
Alessio Lama - Development and testing of a safety network protocol
Alessio Lama - Development and testing of a safety network protocol
Similar to IDS & Passive Network Defense
L5A - Intrusion Detection Systems.pptx
An intrusion detection system (IDS) monitors network traffic and system activities for malicious activities or policy violations. An IDS uses signature-based detection to compare events against known intrusion signatures. It also uses anomaly detection to identify deviations from a baseline of normal user behavior. A network-based IDS monitors all network traffic while a host-based IDS analyzes the activities on an individual system. Other types of IDS include log file monitoring, file integrity checking, and system integrity verification. An IDS helps identify intrusions by detecting anomalies, protocol violations, and unauthorized changes to systems or files.
Network Vulnerabilities And Cyber Kill Chain Essay
This document discusses several networking tools, beginning with Wireshark. Wireshark is described as an open-source packet sniffer that allows users to capture and analyze network traffic passing through their computer. It started development in 1998 under the name Ethereal, and was renamed in 2006. The document then moves on to briefly describe Nmap, TCPDump, and Netcat. Nmap is a port scanning tool used for network discovery and security auditing. TCPDump is a command line packet analyzer that prints out network traffic. Netcat is a networking utility that reads and writes data across network connections using TCP or UDP.
The Security Of Information Security
This document discusses vulnerability assessment tools and their use in evaluating systems for security weaknesses. It outlines setting up a virtual machine environment with Windows, Metasploitable, and Kali Linux virtual machines. The OpenVAS vulnerability scanner is used to scan the Windows and Metasploitable VMs to identify vulnerabilities. The scans find open ports and suggest ways to remedy weaknesses found.
Security onion
Network Security Monitoring (NSM) involves collecting, analyzing, and escalating indications and warnings to detect and respond to intrusions. Security Onion is an open source NSM platform that includes intrusion detection using Snort and Suricata, network analysis tools like Bro and ELSA, and the OSSEC host-based intrusion detection system. It also includes the Sguil, Snorby, and Xplico tools for security information and event management. The demonstration showed setting up Security Onion in a test environment and reviewing configurations, as well as detecting attacks.
Intrusion Detection in WLANs
The document discusses intrusion detection in wireless local area networks (WLANs) to address threats posed by rogue access points. It covers types of attacks launched through rogue APs, limitations of conventional security mechanisms in preventing such attacks, and how intrusion detection systems (IDS) can help. The key components of an IDS include sensors to monitor networks and hosts, a management console, and a signature database. Network-based and host-based IDS are described along with their implementation process, use of signatures, limitations, and the role of intrusion prevention systems.
Pass4sure 640-554 Cisco IOS Network Security
The 640-554 Implementing Cisco IOS Network Security (IINS) exam is associated with the CCNA Security certification. This exam tests a candidate's knowledge of securing Cisco routers and switches and their associated networks.
http://www.pass4surebraindumps.com/640-554.html
ids.ppt
This document discusses intrusion detection and prevention systems. It defines intrusion, intrusion detection, and intrusion prevention. It describes the components and approaches of intrusion detection systems, including misuse detection, anomaly detection, host-based detection, and network-based detection. It compares the pros and cons of different approaches and deployment methods. It also discusses key metrics, architectures, and examples like Snort.
Understanding Intrusion Detection & Prevention Systems (1).pptx
So basically its a intrusion detection system used to detect the if there's any intrusion happening on that device.
Net Defender
1. Net Defender is a simple firewall software designed for personal computers to block unauthorized Internet access. It uses packet filtering and allows or blocks traffic based on port numbers, protocols, and source/destination addresses and ports.
2. Common security issues include lack of initial security design, growing Internet usage, and attacks from criminals, hackers, and corporate spies using techniques like DDoS attacks and port scanning.
3. The Net Defender firewall software has a simple graphical user interface and allows users to add rules to allow or block traffic based on characteristics like port numbers and addresses. It also includes a basic port scanner to detect open ports.
Intrusion_Detection_By_loay_elbasyouni
This document discusses intrusion detection and the technology of Snort. It defines intrusion detection as discovering unauthorized network or computer activities. Intrusion detection aims to detect violations of confidentiality, integrity, and availability. Snort is introduced as an open-source network intrusion detection system that analyzes network traffic and compares it to configurable rules to detect suspicious patterns. Snort runs on both UNIX and Windows platforms and has a small system footprint, making it a lightweight intrusion detection option.
Port scanning
About Port Scanning
Used Nmap and Shadow Security scanner for the best outputs.
A Detailed description on performing the port scanning mostly for the network administrators.
Why to perform? How to perform? Where to perform? these areas are taken into consideration and presented with best output results using tools "nmap scanner" and "shadow security scanner".
CSEC 610 Individual Assignment Essay
Here are three additional new security tools or techniques beyond what was discussed in the text, along with an analysis of their potential:
1. Deception technologies: Tools that deploy deceptive measures like honeypots, honeynets, and decoy documents/credentials to identify and study cyber attacks without putting real systems at risk. These have strong potential to gather threat intelligence and improve defenses.
2. Blockchain authentication: Using distributed ledger technologies like blockchain to securely store credentials and authenticate users. By distributing credential data across multiple nodes, it eliminates single points of failure and could help reduce identity theft if widely adopted.
3. AI-powered behavioral analytics: Leveraging machine learning to analyze patterns in user and system behavior over time
Snort- Presentation.pptx
Intrusion Detecting System (IDS) is used to detect unusual traffic and unauthorized access. In other hand Intrusion Prevention System (IPS) will help us to place a rule to prevent those traffic and access. In general, there are several IDS & IPS tools are available. For instance, CISCO NGIPS, Vectra Cognito, SNORT, and few more. Considering Open source and easy to use, we are going to see “SNORT”. Note: Honeypot is different from IDS since Honeypot will attract the bad hackers by keeping require ports open.
UNIT IV:Security Measurement Strategies
Antivirus Techniques: Firewalls, Intrusion Detection System (IDS), Intrusion Prevention System (IPS).
Brief Introduction about Anti-Phishing Approach (Common Strategies Used For Secured Authentication): Authentication using passwords like One Time Password (OTP) generators, Two Factor Authentications, Secure Socket Layer (SSL), Secure Electronic Transaction (SET), Cryptography.
Ids 00 introduction_ intrusion detection & prevention systems
This document discusses intrusion detection systems (IDS). It begins by explaining that IDS aim to detect attacks as early as possible without taking preventative measures. There are two main approaches - misuse detection which matches system activities to known attack patterns, and anomaly detection which identifies deviations from established normal behavior profiles. IDS can be either host-based, monitoring individual computer processes, or network-based, monitoring network traffic at strategic points. The document then examines different IDS architectures and their limitations in detecting both known and unknown attacks.
Freeware Security Tools You Need
The document summarizes various free security tools that can be used to gain experience with system and network security. It describes tools for port scanning (Nessus, Saint, Nmap), firewalls (TCP Wrappers, Portsentry), intrusion detection (Snort, Logcheck), and system administration (Sudo, Lsof, Crack). The document recommends using freeware tools to familiarize yourself with security issues before evaluating commercial vendor tools.
A Survey on different Port Scanning Methods and the Tools used to perform the...
This document summarizes different port scanning methods and tools used to perform them. It describes non-stealth scanning (TCP connect), inverse mapping scanning, slow scanning, SYN scanning, FIN scanning, Xmas tree scanning, null scanning, UDP scanning, and idle scanning. For each method, it provides details on how the method works, advantages/disadvantages, and example tools that can be used to implement the scanning method. The document is intended to inform readers about various port scanning techniques and their characteristics.
Netdefender
The document describes a firewall called Net Defender that was developed by students to secure personal computers from unauthorized internet access. It discusses security issues on the internet, common attacks like DDoS and port scanning, and how firewalls work using techniques like packet filtering, address filtering and port blocking. It provides details of Net Defender's interface, features like adding rules and a port scanner, and how it prevents attacks and vulnerabilities using these techniques. Future work mentioned includes improving the analysis and extending it to model more complex firewalls.
Information Security.pptx
Intrusion Detection System
Intrusion Prevention System
OS and Network Hardening, Application Hardening
Security measures for networking
This document discusses several types of network security tools and technologies. It begins by explaining firewalls, how they block network traffic between trusted and untrusted networks similar to physical firewalls blocking the spread of fires. It then discusses antivirus software which scans for and removes viruses from computers. Intrusion detection systems monitor network traffic for suspicious activity and may alert administrators or take action like blocking sources. Other sections cover port scanners, network sniffers, network utilities like ping and traceroute, vulnerability scanners and more.
Similar to IDS & Passive Network Defense (20)
Network Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain Essay
Understanding Intrusion Detection & Prevention Systems (1).pptx
Understanding Intrusion Detection & Prevention Systems (1).pptx
Ids 00 introduction_ intrusion detection & prevention systems
Ids 00 introduction_ intrusion detection & prevention systems
A Survey on different Port Scanning Methods and the Tools used to perform the...
A Survey on different Port Scanning Methods and the Tools used to perform the...
More from Salvatore Lentini
Introduzione all'Information Gathering
Introduzione all'Information Gathering
Course's slides
"Cyber Security Essentials from Theory to Practice"
JRC - Ispra - 5 July 2017
Heartbleed - OpenSSL Bug
OpenSSL Heartblead
Course's slides
"Cyber Security Essentials from Theory to Practice"
JRC - Ispra - 4 July 2017
Exploitation windows7
Una serie di slides per vedere come usare msfvenom per la creazione di un payload da eseguire su una macchina Windows 7 ed effettuare un Exploitation in uno "scenario ideale" di Phishing/Social Engineering.
Subito dopo l'exploitation tratteremo del Maintaining Access installando la backdoor e vedremo qualche funzionalità che offre la shell Meterpreter
unreal IRCd 3281
In queste slides ho parlato:
- Fondamenti su Exploit e Payload
- Cenni sulla struttura di Metasploit Framework
- Analisi Codice exploit UnrealIRCd3281
- Cenni Bind & Reverse Shell e Applicazione caso di studio
Nota Importante al fine di evitare malintesi:
Nelle slides è presente una slide nella quale faccio un analogia con una bomba, nello specifico la bomba atomica. Questa immagine, è stata usata al singolo scopo di esplicitare come è fatto un exploit e far capire qual è la differenza tra un exploit e un payload. Il tutto avviene usando la figura retorica dell'Analogia. Quindi, non ha nulla a che vedere con le vittime della seconda guerra mondiale o riferimenti storici di quel periodo.
Simulazione di un Penetration Test
In questo seminario ho simulato un Penetration Test completo partendo dalla fase di raccolta delle informazioni fino ad arrivare alla fase in cui l'attaccante penetra nel sistema e installa una backdoor per rafforzare la propria presenza nel sistema violato.
Durante ogni singola fase mi sono fermato a parlare di essa portando esempi sia teorici che demo pratiche.
Questo seminario nasce con lo scopo di appassionare i ragazzi e soprattutto far conoscere ad essi il mondo della sicurezza informatica rivolta ai test di penetrazione. Questo seminario nasce dall'invito che ho ricevuto da parte dell'istituto G.B. Vaccarini, essendo io stesso, un loro ex studente.
Cenni su SSL/TLS Heartbleed
SSL/TLS Heartbleed.
In questo talk parlo molto velocemente del bug SSL/TLS Heartbleed, bug che ha afflitto dal 2012 al 2014 la cryptolibreria di OpenSSL. Sfruttando il suddetto bug era possibile violare completamente una comunicazione protetta da SSL/TLS. Il talk si conclude spiegando all'utente che il bug è stato risolto grazie al fatto che il progetto di OpenSSL è OpenSource e questo ha facilitato di molto la scoperta e la rilevazione del codice buggato.
Backdoor Coding: Analisi di una semplice backdoor e prime applicazioni
In questo talk viene analizzata una semplice backdoor realizzata in Python. Il talk procede con l'explotation di una macchina Windows 7 tramite un attacco di Pishing e subito dopo con l'installazione di una backdoor persistence facendo vedere alcune delle funzionalità offerte. Il talk si conclude invitando l'utente a nascondere la propria webcam sensibilizzandolo sull'argomento. Il motivo per cui ho scelto di parlare di questo argomento, ha a che fare con le differenze che sorgono tra software open e software close, dato che nel primo è possibile tramite la lettura e comprensione del codice capire se il sistema ha routine di codice che si comportano come backdoor mentre nel secondo non sappiamo se ne esistono (data l'impossibilità di leggere il codice sorgente) e quindi dal momento che la sicurezza non si è mai basata sulla fiducia del produttore, è importante prevenire (mettendo delle etichette di plastica sulle nostre webcam).
More from Salvatore Lentini (7)
Backdoor Coding: Analisi di una semplice backdoor e prime applicazioni
Backdoor Coding: Analisi di una semplice backdoor e prime applicazioni
Recently uploaded
ESR spectroscopy in liquid food and beverages.pptx
With increasing population, people need to rely on packaged food stuffs. Packaging of food materials requires the preservation of food. There are various methods for the treatment of food to preserve them and irradiation treatment of food is one of them. It is the most common and the most harmless method for the food preservation as it does not alter the necessary micronutrients of food materials. Although irradiated food doesn’t cause any harm to the human health but still the quality assessment of food is required to provide consumers with necessary information about the food. ESR spectroscopy is the most sophisticated way to investigate the quality of the food and the free radicals induced during the processing of the food. ESR spin trapping technique is useful for the detection of highly unstable radicals in the food. The antioxidant capability of liquid food and beverages in mainly performed by spin trapping technique.
8.Isolation of pure cultures and preservation of cultures.pdf
Isolation of pure culture, its various method.
Describing and Interpreting an Immersive Learning Case with the Immersion Cub...
Current descriptions of immersive learning cases are often difficult or impossible to compare. This is due to a myriad of different options on what details to include, which aspects are relevant, and on the descriptive approaches employed. Also, these aspects often combine very specific details with more general guidelines or indicate intents and rationales without clarifying their implementation. In this paper we provide a method to describe immersive learning cases that is structured to enable comparisons, yet flexible enough to allow researchers and practitioners to decide which aspects to include. This method leverages a taxonomy that classifies educational aspects at three levels (uses, practices, and strategies) and then utilizes two frameworks, the Immersive Learning Brain and the Immersion Cube, to enable a structured description and interpretation of immersive learning cases. The method is then demonstrated on a published immersive learning case on training for wind turbine maintenance using virtual reality. Applying the method results in a structured artifact, the Immersive Learning Case Sheet, that tags the case with its proximal uses, practices, and strategies, and refines the free text case description to ensure that matching details are included. This contribution is thus a case description method in support of future comparative research of immersive learning cases. We then discuss how the resulting description and interpretation can be leveraged to change immersion learning cases, by enriching them (considering low-effort changes or additions) or innovating (exploring more challenging avenues of transformation). The method holds significant promise to support better-grounded research in immersive learning.
ESA/ACT Science Coffee: Diego Blas - Gravitational wave detection with orbita...
ESA/ACT Science Coffee: Diego Blas - Gravitational wave detection with orbita...Advanced-Concepts-Team
Presentation in the Science Coffee of the Advanced Concepts Team of the European Space Agency on the 07.06.2024.
Speaker: Diego Blas (IFAE/ICREA)
Title: Gravitational wave detection with orbital motion of Moon and artificial
Abstract:
In this talk I will describe some recent ideas to find gravitational waves from supermassive black holes or of primordial origin by studying their secular effect on the orbital motion of the Moon or satellites that are laser ranged.Shallowest Oil Discovery of Turkiye.pptx
The Petroleum System of the Çukurova Field - the Shallowest Oil Discovery of Türkiye, Adana
Equivariant neural networks and representation theory
Or: Beyond linear.
Abstract: Equivariant neural networks are neural networks that incorporate symmetries. The nonlinear activation functions in these networks result in interesting nonlinear equivariant maps between simple representations, and motivate the key player of this talk: piecewise linear representation theory.
Disclaimer: No one is perfect, so please mind that there might be mistakes and typos.
dtubbenhauer@gmail.com
Corrected slides: dtubbenhauer.com/talks.html
The use of Nauplii and metanauplii artemia in aquaculture (brine shrimp).pptx
Although Artemia has been known to man for centuries, its use as a food for the culture of larval organisms apparently began only in the 1930s, when several investigators found that it made an excellent food for newly hatched fish larvae (Litvinenko et al., 2023). As aquaculture developed in the 1960s and ‘70s, the use of Artemia also became more widespread, due both to its convenience and to its nutritional value for larval organisms (Arenas-Pardo et al., 2024). The fact that Artemia dormant cysts can be stored for long periods in cans, and then used as an off-the-shelf food requiring only 24 h of incubation makes them the most convenient, least labor-intensive, live food available for aquaculture (Sorgeloos & Roubach, 2021). The nutritional value of Artemia, especially for marine organisms, is not constant, but varies both geographically and temporally. During the last decade, however, both the causes of Artemia nutritional variability and methods to improve poorquality Artemia have been identified (Loufi et al., 2024).
Brine shrimp (Artemia spp.) are used in marine aquaculture worldwide. Annually, more than 2,000 metric tons of dry cysts are used for cultivation of fish, crustacean, and shellfish larva. Brine shrimp are important to aquaculture because newly hatched brine shrimp nauplii (larvae) provide a food source for many fish fry (Mozanzadeh et al., 2021). Culture and harvesting of brine shrimp eggs represents another aspect of the aquaculture industry. Nauplii and metanauplii of Artemia, commonly known as brine shrimp, play a crucial role in aquaculture due to their nutritional value and suitability as live feed for many aquatic species, particularly in larval stages (Sorgeloos & Roubach, 2021).
20240520 Planning a Circuit Simulator in JavaScript.pptx
Evaporation step counter work. I have done a physical experiment.
(Work in progress.)
EWOCS-I: The catalog of X-ray sources in Westerlund 1 from the Extended Weste...
Context. With a mass exceeding several 104 M⊙ and a rich and dense population of massive stars, supermassive young star clusters
represent the most massive star-forming environment that is dominated by the feedback from massive stars and gravitational interactions
among stars.
Aims. In this paper we present the Extended Westerlund 1 and 2 Open Clusters Survey (EWOCS) project, which aims to investigate
the influence of the starburst environment on the formation of stars and planets, and on the evolution of both low and high mass stars.
The primary targets of this project are Westerlund 1 and 2, the closest supermassive star clusters to the Sun.
Methods. The project is based primarily on recent observations conducted with the Chandra and JWST observatories. Specifically,
the Chandra survey of Westerlund 1 consists of 36 new ACIS-I observations, nearly co-pointed, for a total exposure time of 1 Msec.
Additionally, we included 8 archival Chandra/ACIS-S observations. This paper presents the resulting catalog of X-ray sources within
and around Westerlund 1. Sources were detected by combining various existing methods, and photon extraction and source validation
were carried out using the ACIS-Extract software.
Results. The EWOCS X-ray catalog comprises 5963 validated sources out of the 9420 initially provided to ACIS-Extract, reaching a
photon flux threshold of approximately 2 × 10−8 photons cm−2
s
−1
. The X-ray sources exhibit a highly concentrated spatial distribution,
with 1075 sources located within the central 1 arcmin. We have successfully detected X-ray emissions from 126 out of the 166 known
massive stars of the cluster, and we have collected over 71 000 photons from the magnetar CXO J164710.20-455217.
Unlocking the mysteries of reproduction: Exploring fecundity and gonadosomati...
The pygmy halfbeak Dermogenys colletei, is known for its viviparous nature, this presents an intriguing case of relatively low fecundity, raising questions about potential compensatory reproductive strategies employed by this species. Our study delves into the examination of fecundity and the Gonadosomatic Index (GSI) in the Pygmy Halfbeak, D. colletei (Meisner, 2001), an intriguing viviparous fish indigenous to Sarawak, Borneo. We hypothesize that the Pygmy halfbeak, D. colletei, may exhibit unique reproductive adaptations to offset its low fecundity, thus enhancing its survival and fitness. To address this, we conducted a comprehensive study utilizing 28 mature female specimens of D. colletei, carefully measuring fecundity and GSI to shed light on the reproductive adaptations of this species. Our findings reveal that D. colletei indeed exhibits low fecundity, with a mean of 16.76 ± 2.01, and a mean GSI of 12.83 ± 1.27, providing crucial insights into the reproductive mechanisms at play in this species. These results underscore the existence of unique reproductive strategies in D. colletei, enabling its adaptation and persistence in Borneo's diverse aquatic ecosystems, and call for further ecological research to elucidate these mechanisms. This study lends to a better understanding of viviparous fish in Borneo and contributes to the broader field of aquatic ecology, enhancing our knowledge of species adaptations to unique ecological challenges.
SAR of Medicinal Chemistry 1st by dk.pdf
In this presentation include the prototype drug SAR on thus or with their examples .
Syllabus of Second Year B. Pharmacy
2019 PATTERN.
Micronuclei test.M.sc.zoology.fisheries.
Current Ms word generated power point presentation covers major details about the micronuclei test. It's significance and assays to conduct it. It is used to detect the micronuclei formation inside the cells of nearly every multicellular organism. It's formation takes place during chromosomal sepration at metaphase.
Authoring a personal GPT for your research and practice: How we created the Q...
Thematic analysis in qualitative research is a time-consuming and systematic task, typically done using teams. Team members must ground their activities on common understandings of the major concepts underlying the thematic analysis, and define criteria for its development. However, conceptual misunderstandings, equivocations, and lack of adherence to criteria are challenges to the quality and speed of this process. Given the distributed and uncertain nature of this process, we wondered if the tasks in thematic analysis could be supported by readily available artificial intelligence chatbots. Our early efforts point to potential benefits: not just saving time in the coding process but better adherence to criteria and grounding, by increasing triangulation between humans and artificial intelligence. This tutorial will provide a description and demonstration of the process we followed, as two academic researchers, to develop a custom ChatGPT to assist with qualitative coding in the thematic data analysis process of immersive learning accounts in a survey of the academic literature: QUAL-E Immersive Learning Thematic Analysis Helper. In the hands-on time, participants will try out QUAL-E and develop their ideas for their own qualitative coding ChatGPT. Participants that have the paid ChatGPT Plus subscription can create a draft of their assistants. The organizers will provide course materials and slide deck that participants will be able to utilize to continue development of their custom GPT. The paid subscription to ChatGPT Plus is not required to participate in this workshop, just for trying out personal GPTs during it.
Sharlene Leurig - Enabling Onsite Water Use with Net Zero Water
Sharlene Leurig - Enabling Onsite Water Use with Net Zero WaterTexas Alliance of Groundwater Districts
Presented at June 6-7 Texas Alliance of Groundwater Districts Business Meetingwaterlessdyeingtechnolgyusing carbon dioxide chemicalspdf
The technology uses reclaimed CO₂ as the dyeing medium in a closed loop process. When pressurized, CO₂ becomes supercritical (SC-CO₂). In this state CO₂ has a very high solvent power, allowing the dye to dissolve easily.
Recently uploaded (20)
ESR spectroscopy in liquid food and beverages.pptx
ESR spectroscopy in liquid food and beverages.pptx
8.Isolation of pure cultures and preservation of cultures.pdf
8.Isolation of pure cultures and preservation of cultures.pdf
Describing and Interpreting an Immersive Learning Case with the Immersion Cub...
Describing and Interpreting an Immersive Learning Case with the Immersion Cub...
Basics of crystallography, crystal systems, classes and different forms
Basics of crystallography, crystal systems, classes and different forms
ESA/ACT Science Coffee: Diego Blas - Gravitational wave detection with orbita...
ESA/ACT Science Coffee: Diego Blas - Gravitational wave detection with orbita...
Equivariant neural networks and representation theory
Equivariant neural networks and representation theory
The use of Nauplii and metanauplii artemia in aquaculture (brine shrimp).pptx
The use of Nauplii and metanauplii artemia in aquaculture (brine shrimp).pptx
20240520 Planning a Circuit Simulator in JavaScript.pptx
20240520 Planning a Circuit Simulator in JavaScript.pptx
EWOCS-I: The catalog of X-ray sources in Westerlund 1 from the Extended Weste...
EWOCS-I: The catalog of X-ray sources in Westerlund 1 from the Extended Weste...
mô tả các thí nghiệm về đánh giá tác động dòng khí hóa sau đốt
mô tả các thí nghiệm về đánh giá tác động dòng khí hóa sau đốt
Unlocking the mysteries of reproduction: Exploring fecundity and gonadosomati...
Unlocking the mysteries of reproduction: Exploring fecundity and gonadosomati...
Authoring a personal GPT for your research and practice: How we created the Q...
Authoring a personal GPT for your research and practice: How we created the Q...
Sharlene Leurig - Enabling Onsite Water Use with Net Zero Water
Sharlene Leurig - Enabling Onsite Water Use with Net Zero Water
waterlessdyeingtechnolgyusing carbon dioxide chemicalspdf
waterlessdyeingtechnolgyusing carbon dioxide chemicalspdf
IDS & Passive Network Defense
- 1. IDS & Passive Network Defense LAB Computer Security 3 May 2017 Lentini Salvatore
- 2. Firewall vs IDS IDS: Shellcode At eleven o’clock FIREWALL: Don’t worry It won’t pass! Introduction
- 3. What’s an IDS? Intrusion Detection System: Inspect the application payloads trying to detect a potential attack It’s a specialized software Search attack vectors ● Ping sweep ● Port scan ● Shellcode ● Sql injection ● Buffer overflow ● …. Detects the traffic generated of a virus/worm If it’s good configurated,detects every kind of network threat Introduction
- 4. Detection? Producer! He provide updates every time a new attack vector is new in the Internet Signatures ! There is the possibility that in the traffic there are false positives (that’s Legitimate traffic, tagged like dangerous) Detection Sensors Software components that inspection network traffic they Intercept traffic they communicate it at IDS Manager Manage policies Administrator manager console Manage policies Introduction
- 5. Introduction Categories of IDS NIDS | Network Intrusion Detection System They inspect the network traffic by means of sensors installed on a router or in a network at risk intrusion like a DMZ HIDS | Host Intrusion Detection System They monitored applications log, File system changes and OS changes
- 6. IDS don't substitute firewall BUT they work together to guarantee a better protection IDS when detect a suspect activity, they alert the administrator but don’t block it Introduction
- 7. SNORT Some detail: Machine Windows 7 Home Edition SP1 (Firewall Off) Installation Snort Download and install WinPcap Download and install Snort https://www.snort.org/ Configuration Snort It’s different from Platform to Platform and on windows is… headache!
- 8. SNORT● Looking snort.conf fix all the paths (using those of windows), variables, put #, take off #, … ● Insert the rules (because in windows the rules folder is empty!) I had create an archive to resolve this situation! ● In the end, use the command -T to check the configuration (Test Configuration)
- 9. SNORT cd C:Snortbin Version: snort -V Test configuration: snort -c C:Snortetcsnort.conf -T -i <interface> List interfaces: snort -W Be Verbose: snort -v -i <interface> Alert Mode: snort -A console -i <interface> Log Mode: snort -c C:Snortetcsnort.conf -l C:Snortlog -i <interface>
- 10. Let’s start in order!
- 11. A simple ping!
- 12. Port Scanning In this case it’s not important that we use a Connect Scan or a Stealth Scan because our IDS detects every packets. In fact, typically a penetration tester use a Stealth Scan to don’t save his activity in the daemons logs. This because the Connect Scan complete the TCP Three way Handshake. So, we shall use the options of EVASION IDS AND SPOOFING
- 13. Note: Port Scanning We have seen in previous slide that there are three TCP Three-way-handshake. Why? The reason is in the behavior of the Stealth Scan Client Server SIN SIN/ACK ACK TCP Three Way Handshake ...Sending data in TCP Connection Attacker Victim SIN SIN/ACK RST (Drop the Handshake) (The port is open) (Is port open?) Not saved in daemon’s log! … but an IDS detect it! Attacker Victim SIN (Is port open?) RST +ACK (The port isn’t open) Stealth Scan
- 14. Payload So, with the free rules of Snort we can detect the exploit’s traffic: NOTE: Without a rule (like an Antivirus), snort not detects the “Bad traffic”. Msfvenom is the join between MsfPayload and MsfEncode and it can generate polymorphic shellcode (Encoder: Shikata ga nai) And this "alert" is the same for all the operation post exploitation
- 15. But we want an explicit alert of the reverse shell! (write the rule) we took this like signature (using wireshark to see and analyze the traffic)
- 16. The signature that we chose! (… fantasy! The start of payload) Note:We can see that the payload is not polymorphic
- 17. IDS & Passive Network Defense Thanks LAB Computer Security 3 May 2017 Lentini Salvatore