Workshop in Information Security: Building a Firewall within the Linux Kernel
0368-3500-34, Spring 2015
Lecturer: Eran Tromer
Teaching assistant: Roei Ben Harush
Student: Lior Bomwurzel
General description
• A kernel module that inspects packets with Netfilter: every packet that traverses the NF_INET_FORWARD hook is inspected by its IP header, its TCP flags and its payload.
• Stateless packet inspection against a static rule table, for packets that are not part of an open connection.
• Stateful packet inspection for TCP: the firewall checks that the TCP flow and the application protocols (HTTP and FTP) behave as expected.
• Vulnerability checks: every packet of an open connection is checked for leaked C source code (DLP) and for attacks on the Webster and Zabbix vulnerabilities.
Stateless packet inspection
• Each packet that is not part of an open connection is checked against the rule table for a rule matching its source/destination IP, source/destination port, protocol and direction.
• If a rule matches, the packet is logged with the rule number as its reason, and it is accepted or dropped according to the rule's action.
• If the matching rule accepts the packet and the protocol is TCP, a new dynamic connection is created and its flow is followed by the stateful inspection.
• If no rule matches, the packet is dropped with the reason REASON_NO_MATCHING_RULE.
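As an added illustration (not the project's kernel code), here is a user-space C model of the stateless lookup just described: a packet's addresses, ports, protocol and direction are matched against a static table, and the result is either the index of the first matching rule together with its action, or REASON_NO_MATCHING_RULE, in which case the packet is dropped. The struct layout, the wildcard conventions (mask 0, PORT_ANY, PROT_ANY) and the sample rule table are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define REASON_NO_MATCHING_RULE (-1)
#define PORT_ANY 0

enum direction { DIR_IN = 1, DIR_OUT = 2, DIR_ANY = DIR_IN | DIR_OUT };
enum action    { ACT_DROP = 0, ACT_ACCEPT = 1 };
enum protocol  { PROT_TCP = 6, PROT_UDP = 17, PROT_ANY = 255 };

struct packet {
    uint32_t src_ip, dst_ip;        /* host byte order */
    uint16_t src_port, dst_port;
    uint8_t  protocol, direction;
};

struct rule {
    uint32_t src_ip, src_mask, dst_ip, dst_mask;   /* mask 0 = any address (assumed convention) */
    uint16_t src_port, dst_port;                   /* PORT_ANY = any port */
    uint8_t  protocol;                             /* PROT_ANY = any protocol */
    uint8_t  direction;                            /* bitmask of enum direction */
    uint8_t  action;
};

struct verdict { int rule; int action; };          /* rule index, or REASON_NO_MATCHING_RULE */

static int ip_matches(uint32_t ip, uint32_t rule_ip, uint32_t mask)
{
    return (ip & mask) == (rule_ip & mask);
}

static int port_matches(uint16_t port, uint16_t rule_port)
{
    return rule_port == PORT_ANY || port == rule_port;
}

/* First-match lookup over the static table. A packet that matches no rule is
 * dropped; that is the REASON_NO_MATCHING_RULE case on the slide. */
struct verdict match_static_rules(const struct rule *rules, int nrules, const struct packet *p)
{
    for (int i = 0; i < nrules; i++) {
        const struct rule *r = &rules[i];
        if (!(r->direction & p->direction)) continue;
        if (r->protocol != PROT_ANY && r->protocol != p->protocol) continue;
        if (!ip_matches(p->src_ip, r->src_ip, r->src_mask)) continue;
        if (!ip_matches(p->dst_ip, r->dst_ip, r->dst_mask)) continue;
        if (!port_matches(p->src_port, r->src_port)) continue;
        if (!port_matches(p->dst_port, r->dst_port)) continue;
        return (struct verdict){ i, r->action };
    }
    return (struct verdict){ REASON_NO_MATCHING_RULE, ACT_DROP };
}

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed sample table: the 10.0.1.0/24 LAN may open HTTP and FTP control
 * connections outbound; inbound SSH to the LAN is explicitly dropped. */
static const struct rule sample_rules[] = {
    { IP(10,0,1,0), 0xffffff00u, 0, 0,                    PORT_ANY, 80, PROT_TCP, DIR_OUT, ACT_ACCEPT },
    { IP(10,0,1,0), 0xffffff00u, 0, 0,                    PORT_ANY, 21, PROT_TCP, DIR_OUT, ACT_ACCEPT },
    { 0, 0,                    IP(10,0,1,0), 0xffffff00u, PORT_ANY, 22, PROT_TCP, DIR_IN,  ACT_DROP   },
};
#define N_SAMPLE_RULES ((int)(sizeof sample_rules / sizeof sample_rules[0]))

struct verdict classify_sample(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
                               uint8_t proto, uint8_t dir)
{
    struct packet p = { src, dst, sport, dport, proto, dir };
    return match_static_rules(sample_rules, N_SAMPLE_RULES, &p);
}

int main(void)
{
    struct verdict v = classify_sample(IP(10,0,1,7), IP(93,184,216,34), 40000, 443, PROT_TCP, DIR_OUT);
    printf("rule=%d action=%d\n", v.rule, v.action);   /* rule=-1 action=0: no matching rule */
    return 0;
}
```

The lookup stops at the first match, so rule order is policy: a broad accept placed before a narrow drop silently wins, which is why the sample table puts the explicit drop in its own direction rather than relying on position.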
Stateful packet inspection
The firewall keeps a state machine that follows the connection's protocol and the state of that protocol.
For a new connection (the first TCP packet accepted by the stateless inspection) a new dynamic connection is opened. The connection's direction is defined by the side that started it, and its protocol is initially set to TCP.
• State TCP_SYN (0): the first attempt to establish a TCP connection (handled in handle_static_inspection). If the SYN flag is set and the static rule table approves the packet, a new connection is opened and a 25-second timer is started for the handshake to complete.
• State TCP_SYN_ACK (1): the second side has sent SYN ACK.
• State OPEN_CONN (2): the first side has sent the ACK. The timer is stopped, the handshake is treated as complete, and the connection stays open until the end of the session.
• States END_SERVER (3) and END_CLIENT (5): a packet with the FIN flag arrives while the connection is at OPEN_CONN or above; the connection moves to state 3 or 5 depending on which side sent the FIN.
• States 4 and 6 (logical stages): a FIN arrives from the other side. The timer is restarted to let the last ACK of the TCP termination arrive; when it arrives the connection is deleted, and if it does not arrive the connection is deleted anyway after 25 seconds.
• State READY_TO_NEW (-1): a pre-opened entry for a connection whose first packet, carrying the SYN flag, is known to be coming (used by the FTP and HTTP handling).
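The TCP state machine above, as an added user-space model in C (example code, not the project's kernel module). The state values follow the slide and the 25-second timeout is the slide's; the timer is modelled as a deadline compared with a caller-supplied clock, and the handling of RST, of a retransmitted FIN from the same side, and of a SYN inside an established connection are assumptions, since the slide does not cover them. Three constructed packet traces exercise a clean session, a handshake whose final ACK arrives after the timer expired, and a stray SYN.

```c
#include <stdio.h>
#include <stdint.h>

enum tcp_state {
    READY_TO_NEW = -1,                      /* pre-opened entry, first SYN still expected */
    TCP_SYN = 0, TCP_SYN_ACK = 1, OPEN_CONN = 2,
    END_SERVER = 3, END_SERVER_FIN2 = 4,    /* 3: server sent FIN; 4: client answered with FIN */
    END_CLIENT = 5, END_CLIENT_FIN2 = 6     /* 5: client sent FIN; 6: server answered with FIN */
};
enum { FLAG_FIN = 0x01, FLAG_SYN = 0x02, FLAG_RST = 0x04, FLAG_ACK = 0x10 };
enum side { FROM_CLIENT, FROM_SERVER };   /* relative to whoever sent the first SYN */
enum verdict { V_DROP = 0, V_ACCEPT = 1, V_DELETE = 2 };   /* V_DELETE: remove the entry */
#define HANDSHAKE_TIMEOUT 25              /* seconds, as on the slide */

struct conn { int state; long deadline; /* 0 = no timer running */ };
static void start_timer(struct conn *c, long now) { c->deadline = now + HANDSHAKE_TIMEOUT; }
static void stop_timer(struct conn *c)            { c->deadline = 0; }

/* First packet accepted by the static table: only a bare SYN opens an entry. */
int conn_open(struct conn *c, uint8_t flags, long now)
{
    if ((flags & (FLAG_SYN | FLAG_ACK)) != FLAG_SYN) return V_DROP;
    c->state = TCP_SYN;
    start_timer(c, now);
    return V_ACCEPT;
}

int conn_step(struct conn *c, int from, uint8_t flags, long now)
{
    if (c->deadline && now > c->deadline) return V_DELETE;   /* handshake or teardown stalled */
    if (flags & FLAG_RST) return V_DELETE;                    /* assumption: RST tears the entry down */
    switch (c->state) {
    case TCP_SYN:
        if (from == FROM_SERVER && (flags & (FLAG_SYN | FLAG_ACK)) == (FLAG_SYN | FLAG_ACK)) {
            c->state = TCP_SYN_ACK;
            return V_ACCEPT;
        }
        return V_DROP;
    case TCP_SYN_ACK:
        if (from == FROM_CLIENT && (flags & FLAG_ACK) && !(flags & FLAG_SYN)) {
            c->state = OPEN_CONN;
            stop_timer(c);
            return V_ACCEPT;
        }
        return V_DROP;
    case OPEN_CONN:
        if (flags & FLAG_SYN) return V_DROP;   /* no SYN inside an established flow */
        if (flags & FLAG_FIN) c->state = (from == FROM_SERVER) ? END_SERVER : END_CLIENT;
        return V_ACCEPT;
    case END_SERVER:
    case END_CLIENT: {
        /* FIN from the other side: re-arm the timer and wait for the final ACK */
        int other = (c->state == END_SERVER) ? FROM_CLIENT : FROM_SERVER;
        if ((flags & FLAG_FIN) && from == other) {
            c->state = (c->state == END_SERVER) ? END_SERVER_FIN2 : END_CLIENT_FIN2;
            start_timer(c, now);
        }
        return V_ACCEPT;
    }
    case END_SERVER_FIN2:
    case END_CLIENT_FIN2:
        return (flags & FLAG_ACK) ? V_DELETE : V_ACCEPT;   /* the last ACK closes the entry */
    default:
        return V_DROP;
    }
}

/* Drive a constructed packet trace through one entry; returns the last verdict and final state. */
struct trace_step { int from; uint8_t flags; long t; };
struct result { int verdict; int state; };
struct result run_trace(const struct trace_step *s, int n)
{
    struct conn c = { READY_TO_NEW, 0 };
    int v = conn_open(&c, s[0].flags, s[0].t);
    for (int i = 1; i < n && v != V_DELETE; i++) v = conn_step(&c, s[i].from, s[i].flags, s[i].t);
    return (struct result){ v, c.state };
}

/* Constructed traces (times in seconds). */
static const struct trace_step T_NORMAL[] = {
    { FROM_CLIENT, FLAG_SYN, 0 }, { FROM_SERVER, FLAG_SYN | FLAG_ACK, 1 }, { FROM_CLIENT, FLAG_ACK, 2 },
    { FROM_CLIENT, FLAG_ACK, 3 }, { FROM_CLIENT, FLAG_FIN | FLAG_ACK, 10 },
    { FROM_SERVER, FLAG_FIN | FLAG_ACK, 11 }, { FROM_CLIENT, FLAG_ACK, 12 },
};
static const struct trace_step T_STALLED[] = {   /* final ACK arrives after the 25 s timer */
    { FROM_CLIENT, FLAG_SYN, 0 }, { FROM_SERVER, FLAG_SYN | FLAG_ACK, 1 }, { FROM_CLIENT, FLAG_ACK, 30 },
};
static const struct trace_step T_SYN_IN_OPEN[] = {   /* SYN injected into an open connection */
    { FROM_CLIENT, FLAG_SYN, 0 }, { FROM_SERVER, FLAG_SYN | FLAG_ACK, 1 }, { FROM_CLIENT, FLAG_ACK, 2 },
    { FROM_CLIENT, FLAG_SYN, 5 },
};
#define LEN(a) ((int)(sizeof (a) / sizeof (a)[0]))
struct result scenario_normal(void)      { return run_trace(T_NORMAL, LEN(T_NORMAL)); }
struct result scenario_stalled(void)     { return run_trace(T_STALLED, LEN(T_STALLED)); }
struct result scenario_syn_in_open(void) { return run_trace(T_SYN_IN_OPEN, LEN(T_SYN_IN_OPEN)); }

int main(void)
{
    struct result r = scenario_normal();
    printf("normal session: verdict=%d final state=%d\n", r.verdict, r.state);   /* 2 and 6 */
    return 0;
}
```

The expired-timer check runs before the state switch, so a late third-leg ACK deletes the half-open entry instead of completing it; that is the property the 25-second handshake timer exists to enforce.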
• FTP: 1) The server must send, from port 21, data beginning with 220 (the server is ready for a new connection); the state moves to FTP_READY_TO_CLIENT and the protocol to FTP_PROT. 2) The connection is treated as successfully established when the server sends 230 in its data; the state moves to FTP_ACCEPT_CLIENT. 3) In that state the client's data is parsed for a PORT command, which announces the endpoint on which the data connection is to be opened. 4) When a PORT command is found, a new dynamic connection is opened on the IP and port the command specifies, with state READY_TO_NEW (-1) and protocol FTP_PROT.
• HTTP: a session is defined as HTTP when the client sends data containing the string "GET" to port 80; the connection then moves to state HTTP_GET_REQUEST. In that state the data is parsed for an HTTP redirect (a status line beginning "HTTP/1.1 3", i.e. a 3xx status), which means a new connection must be opened. A place is prepared in the dynamic connection table with source IP and port set to any (so the firewall can defend several hosts), the destination set to the IP and port given in the redirect, protocol HTTP_PROT and state READY_TO_NEW (-1). After the first match, the wildcard source port and IP are replaced by the matching packet's source port and IP.
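The two payload parsers that the FTP and HTTP handling above depends on, as an added example (not the project's code): parse_ftp_port() turns the client's "PORT h1,h2,h3,h4,p1,p2" line into the data-connection endpoint the firewall pre-opens, rejecting anything malformed so that a garbage PORT line never pre-opens an entry, and http_redirect_target() recognises a 3xx status line and pulls host and port out of its Location header. The function names and sample payloads are constructed, and since the slide does not say how the project extracts the redirect target, the Location handling (absolute URLs only, default ports 80/443) is an assumption.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

struct endpoint { uint32_t ip; uint16_t port; };   /* host byte order */

/* Parse "PORT h1,h2,h3,h4,p1,p2\r\n". Returns 1 and fills *ep on success, 0 on
 * anything malformed (wrong count, octet > 255, trailing garbage). */
int parse_ftp_port(const char *payload, struct endpoint *ep)
{
    unsigned v[6];
    const char *p = payload;
    if (strncmp(p, "PORT ", 5) != 0) return 0;
    p += 5;
    for (int i = 0; i < 6; i++) {
        char *end;
        if (!isdigit((unsigned char)*p)) return 0;
        v[i] = (unsigned)strtoul(p, &end, 10);
        if (v[i] > 255) return 0;
        p = end;
        if (i < 5) {
            if (*p != ',') return 0;
            p++;
        }
    }
    if (*p != '\r' && *p != '\n' && *p != '\0') return 0;   /* nothing may follow p2 */
    ep->ip   = (v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    ep->port = (uint16_t)((v[4] << 8) | v[5]);
    return 1;
}

/* Recognise a 3xx reply and extract host and port from its Location header.
 * Returns the status code on success, 0 if the reply is not an absolute redirect. */
int http_redirect_target(const char *reply, char *host, size_t hostlen, uint16_t *port)
{
    if (strncmp(reply, "HTTP/1.1 3", 10) != 0 && strncmp(reply, "HTTP/1.0 3", 10) != 0) return 0;
    int status = atoi(reply + 9);
    const char *loc = strstr(reply, "\r\nLocation: ");
    if (!loc) return 0;
    loc += 12;
    *port = 80;
    if (strncmp(loc, "http://", 7) == 0) loc += 7;
    else if (strncmp(loc, "https://", 8) == 0) { loc += 8; *port = 443; }
    else return 0;   /* relative Location: same server, nothing new to open */
    size_t n = strcspn(loc, ":/\r\n");
    if (n == 0 || n >= hostlen) return 0;
    memcpy(host, loc, n);
    host[n] = '\0';
    if (loc[n] == ':') {
        long pv = strtol(loc + n + 1, NULL, 10);
        if (pv <= 0 || pv > 65535) return 0;
        *port = (uint16_t)pv;
    }
    return status;
}

/* Constructed sample payloads and scratch storage used by main(). */
static const char SAMPLE_PORT[]     = "PORT 10,0,1,7,4,210\r\n";
static const char SAMPLE_PORT_BAD[] = "PORT 10,0,1,7,4\r\n";
static const char SAMPLE_REDIRECT[] =
    "HTTP/1.1 302 Found\r\nLocation: http://files.example.test:8080/get\r\nContent-Length: 0\r\n\r\n";
static const char SAMPLE_RELATIVE[] = "HTTP/1.1 301 Moved Permanently\r\nLocation: /other\r\n\r\n";
static struct endpoint g_ep;
static char g_host[64];
static uint16_t g_port;

int main(void)
{
    if (parse_ftp_port(SAMPLE_PORT, &g_ep))
        printf("FTP data connection to %u.%u.%u.%u:%u\n", (unsigned)(g_ep.ip >> 24),
               (unsigned)(g_ep.ip >> 16) & 255u, (unsigned)(g_ep.ip >> 8) & 255u,
               (unsigned)g_ep.ip & 255u, (unsigned)g_ep.port);
    if (http_redirect_target(SAMPLE_REDIRECT, g_host, sizeof g_host, &g_port))
        printf("HTTP redirect to %s:%u\n", g_host, (unsigned)g_port);
    return 0;
}
```

Both parsers are strict on purpose: the data they return is used to pre-approve a connection that the static table never saw, so a lenient parser would let a client talk the firewall into opening an entry of its own choosing.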
General concept
• The DLP check for C code compares two quantities computed over the packet's payload: the number of words it contains and the weight assigned to it by the weight rules below.
• If the weight is higher than the number of words, the packet is dropped, logged with reason DLP, and the connection is deleted.
• Each weight from the weight rules is multiplied by (the number of curly brackets "{ }" surrounding it + 1).
Weight rules
1. The patterns #include and #define are searched for as follows: #include must consist of exactly 2 words, with the second word ending in .h or .c; #define must consist of exactly 3 words. Each #include or #define is weighted as its number of words multiplied by 5. (The code of this rule is in the weight_macros function.)
2. Each line with the pattern print#(#"#"); or scan#(#"#"); (where # stands for any run of characters) is weighted as the number of words the pattern spans from start to end. For each %d, %s or \n inside the pattern the weight is increased by one. (The code of this rule is in the weight_known_pattern function.)
3. Each line with the pattern if#(#), for#(#;#;#) or while#(#) is weighted as the number of words the pattern spans from start to end. For each ==, <, >, && or || inside the pattern the weight is increased by one. (The code of this rule is in the weight_flow function.)
4. Each ";" is weighted 1 and each "->" is weighted 2.
DLP inspection example
Per-line weights for the code sample shown on the slide (the sample itself is an image and is not reproduced here):
2*5      #include with 2 words, the last ending in .h
0        no .h or .c at the last word
0        #define with more than 3 words
3*5      #define with 3 words
0        not in the right pattern
2        ->
5+3      number of words + special chars
0        no ; at the end
1*2      weight 1 inside {}, one word
0
2*3      weight 2 inside {{ }}
0
(4+3)*2  inside {}, 4 words + 3 special chars
0
Sum = 10+15+2+8+2+6+14 = 57
Number of words = 31
Weight 57 is higher than 31 words, so the packet is dropped.
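A user-space model of the DLP scoring from the "General concept" and "Weight rules" slides, added here as an example (not the project's weight_* functions). It implements rule 1 (#include/#define), rule 4 (';' and '->') and the brace multiplier, together with the word-count decision; rules 2 and 3 (printf/scanf and if/for/while patterns) are omitted for brevity, so its totals are not those of the slide's worked example. Treating "<stdio.h>" as a word ending in .h (by stripping the closing bracket) and the two sample payloads are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MACRO_WORD_WEIGHT 5

/* Count whitespace-separated words in line[0..len); record the first n of them. */
static int split_words(const char *line, size_t len, const char **words, size_t *wlen, int n)
{
    int count = 0;
    size_t i = 0;
    while (i < len) {
        while (i < len && isspace((unsigned char)line[i])) i++;
        if (i >= len) break;
        size_t start = i;
        while (i < len && !isspace((unsigned char)line[i])) i++;
        if (count < n) { words[count] = line + start; wlen[count] = i - start; }
        count++;
    }
    return count;
}

/* Assumption: "<stdio.h>" and "\"x.h\"" count as ending in .h, so a closing > or " is stripped. */
static int ends_with_source_suffix(const char *w, size_t len)
{
    while (len && (w[len - 1] == '>' || w[len - 1] == '"')) len--;
    return len >= 2 && w[len - 2] == '.' && (w[len - 1] == 'h' || w[len - 1] == 'c');
}

/* Rule 1: "#include" with exactly 2 words (second ends in .h/.c) and "#define"
 * with exactly 3 words; weight = number of words * 5. */
static int weight_macros(const char *line, size_t len)
{
    const char *w[4];
    size_t wl[4];
    int n = split_words(line, len, w, wl, 4);
    if (n == 2 && wl[0] == 8 && memcmp(w[0], "#include", 8) == 0 && ends_with_source_suffix(w[1], wl[1]))
        return 2 * MACRO_WORD_WEIGHT;
    if (n == 3 && wl[0] == 7 && memcmp(w[0], "#define", 7) == 0)
        return 3 * MACRO_WORD_WEIGHT;
    return 0;
}

/* Total weight of the payload; *words receives its word count. Every weight is
 * multiplied by (number of enclosing curly brackets + 1), tracked while scanning. */
int dlp_weight(const char *payload, int *words)
{
    int weight = 0, depth = 0;
    const char *line = payload;
    *words = 0;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        *words += split_words(line, len, NULL, NULL, 0);
        weight += weight_macros(line, len) * (depth + 1);
        for (size_t i = 0; i < len; i++) {          /* rule 4 */
            char c = line[i];
            if (c == '{') depth++;
            else if (c == '}') { if (depth > 0) depth--; }
            else if (c == ';') weight += 1 * (depth + 1);
            else if (c == '-' && i + 1 < len && line[i + 1] == '>') { weight += 2 * (depth + 1); i++; }
        }
        line = eol ? eol + 1 : line + len;
    }
    return weight;
}

/* The slide's decision: drop (1) when the weight exceeds the number of words. */
int dlp_should_drop(const char *payload)
{
    int words;
    int weight = dlp_weight(payload, &words);
    return weight > words;
}

/* Constructed payloads: a C fragment, and an innocuous message that also uses ';' and '->'. */
static const char SAMPLE_C[] =
    "#include <stdio.h>\n"
    "#define MAX 10\n"
    "int main(void) {\n"
    "    struct node *n = head;\n"
    "    if (n->next) { n = n->next; }\n"
    "    return 0;\n"
    "}\n";
static const char SAMPLE_TEXT[] = "Hello, please send the meeting notes; thanks -> see you\n";
static int g_words;   /* scratch for main() */

int main(void)
{
    int w = dlp_weight(SAMPLE_C, &g_words);
    printf("C sample: weight %d vs %d words: %s\n", w, g_words, dlp_should_drop(SAMPLE_C) ? "drop" : "pass");
    printf("text sample: %s\n", dlp_should_drop(SAMPLE_TEXT) ? "drop" : "pass");
    return 0;
}
```

On the C fragment the two macro lines alone contribute 25 of the 42 points against 23 words, while the prose sample scores 3 against 10 words and passes; the brace multiplier is what separates a stray semicolon in text from one inside a function body.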
DLP inspection example (screenshot slide)
Webster vulnerability (screenshot slides): reply to a normal-sized URL that is not found; code flow; vulnerability; flow in OllyDbg; 64-size URL; buffer overflow; vulnerability 2; code flow in OllyDbg; buffer overflow
FW inspection
If a packet arrives on port 80 carrying a GET request, the requested URL is checked to be shorter than 64 characters because of the Webster vulnerability; otherwise the packet is dropped with reason WEBSTER (enum -8) and the connection is deleted.
FW logs on detect (screenshot slide)
Zabbix vulnerability (screenshot slides): Zabbix today; previous Zabbix; Metasploit code; Metasploit exploit
FW inspection
• If the TCP data contains the string "GET /zabbix/httpmon.php?applications=", the characters that follow are checked to be a number, because that is what the Zabbix server expects; otherwise the packet is dropped and logged as ZABBIX (enum -10), and the connection is deleted.
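The Webster check (URL shorter than 64 characters) and the Zabbix check (a number after "applications=") from the two FW inspection slides above, as one added user-space example (not the project's code). The reason values -8 and -10 are the slides'; the order of the checks (Zabbix signature first, so an injection is logged as ZABBIX even when the request is also over the length limit), the treatment of what may follow the number, and the sample requests are assumptions. The terminator handling is the practical detail: in a raw request a space ends the request-target, so "applications=2 HTTP/1.1" is benign, while "applications=2%20and", "applications=2 and 1=1" or an empty value are not.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum reason { REASON_OK = 0, REASON_WEBSTER = -8, REASON_ZABBIX = -10 };

#define WEBSTER_MAX_URL 64   /* the request URL must be shorter than this */
static const char ZABBIX_PREFIX[] = "GET /zabbix/httpmon.php?applications=";

/* Length of the request-target in "GET <target> HTTP/1.x"; -1 when the data is not a GET. */
static long get_target_len(const char *data)
{
    if (strncmp(data, "GET ", 4) != 0) return -1;
    return (long)strcspn(data + 4, " \r\n");
}

/* Zabbix check: after "applications=" there must be a non-empty run of digits
 * followed by '&', the end of the target (" HTTP/") or the end of the line.
 * Anything else (a '%', a quote, a space followed by SQL) is treated as an injection. */
static int zabbix_param_is_numeric(const char *data)
{
    const char *p = strstr(data, ZABBIX_PREFIX);
    if (!p) return 1;                         /* not a Zabbix request: nothing to check */
    p += sizeof ZABBIX_PREFIX - 1;
    if (!isdigit((unsigned char)*p)) return 0;
    while (isdigit((unsigned char)*p)) p++;
    if (*p == '&' || *p == '\r' || *p == '\n' || *p == '\0') return 1;
    return *p == ' ' && strncmp(p + 1, "HTTP/", 5) == 0;
}

/* Returns REASON_OK, or the reason to log when the packet must be dropped
 * and its connection deleted. Check order is an assumption (see lead-in). */
int inspect_http_request(const char *data)
{
    long target = get_target_len(data);
    if (target < 0) return REASON_OK;         /* only GET requests are inspected */
    if (!zabbix_param_is_numeric(data)) return REASON_ZABBIX;
    if (target >= WEBSTER_MAX_URL) return REASON_WEBSTER;
    return REASON_OK;
}

/* Constructed requests: a 71-character path, a benign Zabbix call, an injection attempt. */
#define A10 "aaaaaaaaaa"
static const char REQ_LONG[]   = "GET /" A10 A10 A10 A10 A10 A10 A10 " HTTP/1.1\r\nHost: h\r\n\r\n";
static const char REQ_ZABBIX[] = "GET /zabbix/httpmon.php?applications=2 HTTP/1.1\r\nHost: h\r\n\r\n";
static const char REQ_SQLI[]   = "GET /zabbix/httpmon.php?applications=2%20and%201=1 HTTP/1.1\r\nHost: h\r\n\r\n";

int main(void)
{
    printf("long url: %d\nzabbix ok: %d\nzabbix sqli: %d\n",
           inspect_http_request(REQ_LONG), inspect_http_request(REQ_ZABBIX), inspect_http_request(REQ_SQLI));
    return 0;
}
```

Note what this does not cover: the checks are per packet, so a GET whose request line is split across two TCP segments, or a request sent over a port other than 80, passes both. A firewall that relies on these signatures needs reassembly of the request line before inspection to close that gap.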
FW log

Editor's Notes

1. The response message is IDS_404_MESSAGE "<HEAD><TITLE>404 Not Found</TITLE></HEAD>\n<BODY><H1>404 Not Found</H1>\nThe requested URL <%s> was not found on this server.<BR>\n</BODY>\r\n", whose size is 136 bytes (without "%s", including the "\0"). When a URL of 64+ characters is requested there is a buffer overflow of buf[200].
2. Overwrite the exception handler.
3. Every URL that comes in hits this function, which logs the request. If the request is ~200 characters there is a buffer overflow.
4. The return address is overwritten.
5. Taken from the Corelan team.
6. The code sends a GET request and injects the SQL query in the applications variable. The query selects the session id from the Zabbix session table where the user is admin (userid=1) and the user is not logged in (status=0).
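The arithmetic behind the firewall's 64-character threshold, worked from the 404 template in note 1 as an added example (not Webster's source, which is not on this page). The template is 135 characters without the "%s"; with the terminating NUL it occupies 136 bytes of buf[200], so a 64-character URL fills the buffer exactly and a 65-character one writes past its end; the firewall's "shorter than 64" rule keeps one character of margin. build_404_unsafe() shows the sprintf pattern that trusts the buffer, build_404_safe() bounds the write and reports truncation. The buffer size is the note's; the URLs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define IDS_404_MESSAGE \
    "<HEAD><TITLE>404 Not Found</TITLE></HEAD>\n<BODY><H1>404 Not Found</H1>\n" \
    "The requested URL <%s> was not found on this server.<BR>\n</BODY>\r\n"
#define RESPONSE_BUF 200   /* buf[200] from the speaker notes */

/* Bytes the formatted reply occupies, terminating NUL included. */
size_t reply_bytes_needed(size_t url_len)
{
    return (sizeof IDS_404_MESSAGE - 1) - 2 /* the "%s" itself */ + url_len + 1;
}

/* Longest URL whose reply still fits in RESPONSE_BUF. */
size_t max_fitting_url_len(void)
{
    return RESPONSE_BUF - reply_bytes_needed(0);
}

/* The unsafe pattern: sprintf trusts the buffer to be large enough, so any URL
 * longer than max_fitting_url_len() writes past buf. Not called from main(). */
void build_404_unsafe(char *buf, const char *url)
{
    sprintf(buf, IDS_404_MESSAGE, url);
}

/* Hardened: bounded write; returns 0 (and an empty buffer) when the reply would not fit. */
int build_404_safe(char *buf, size_t buflen, const char *url)
{
    int n = snprintf(buf, buflen, IDS_404_MESSAGE, url);
    if (n < 0 || (size_t)n >= buflen) { buf[0] = '\0'; return 0; }
    return 1;
}

/* Constructed URLs of 64 and 65 characters, and the reply buffer used by main(). */
#define A10 "aaaaaaaaaa"
static const char URL_64[] = "/" A10 A10 A10 A10 A10 A10 "aaa";
static const char URL_65[] = "/" A10 A10 A10 A10 A10 A10 "aaaa";
static char g_buf[RESPONSE_BUF];

int main(void)
{
    printf("template needs %zu bytes, leaving room for a %zu-character URL\n",
           reply_bytes_needed(0), max_fitting_url_len());
    printf("64-char URL fits: %d, 65-char URL fits: %d\n",
           build_404_safe(g_buf, sizeof g_buf, URL_64), build_404_safe(g_buf, sizeof g_buf, URL_65));
    return 0;
}
```

snprintf returns the length the full reply would have had, so comparing it against the buffer size detects truncation rather than silently serving a cut-off page; that return-value check is what the unsafe version has no way to make.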