Snort TM diagrams for developers
by: Andrés Felipe Arboleda, Charles Edward Bedón
Universidad del Cauca - Colombia
14th April 2005
Version 0.2 alpha
Copyright 2005 Andrés Felipe Arboleda, Charles Edward Bedón
Contents
Introduction
General operation
Sequence diagrams 1, 2 and 3
Snort initialization and rules file parsing
Rules file parsing
Function ParseRulesFile()
Function ParseRule()
Function ProcessHeadNode()
Function ParseRuleOptions()
Data structures after parsing
Sequence diagram 4
Fast packet detection engine initialization
Initialization of the fast packet detection engine
Sequence diagrams 5 and 6
When a packet arrives
Tools and resources
Source code statistics
To do
References
INTRODUCTION
The diagrams shown on the next pages aim to represent part of Snort's functionality. Objects in the UML sequence diagrams (the rectangles at the top of each diagram) represent source code files, and messages (arrows) represent calls to functions within those files. All sequence diagrams are sorted by execution order: Snort execution begins with the diagram shown in Figure 1, continues with the diagram in Figure 2, and so on. This document does not describe the Snort source code in detail; it is just a map for people who want to know which part of the code they are in while reading one of Snort's source files. These diagrams were made for Snort-2.2.0, executed with the following command line:
snort -d -l <path to log directory> -c <path to configuration file>
This document is a by-product of the degree work named Intrusion Detection System Using Artificial Intelligence, which is being developed by the authors under the direction of Engineer Siler Amador Donado. Comments and suggestions are welcome.
1. GENERAL OPERATION
Figure 1. Snort block diagram.
Each module is described as follows.
Decoder: fits the captured packets into data structures and identifies link-level protocols. It then moves up to the next level, decodes IP, and then TCP or UDP depending on the case, in order to get useful information such as ports and addresses. Snort will alert if it finds malformed headers, TCP options of unusual length and the like.
Preprocessors: they can be seen as a kind of filter which identifies things that should be checked later (in the next modules, e.g. the Detection Engine), such as suspicious connection attempts to some TCP/UDP ports or too many UDP packets sent in a short period of time (a port scan). The preprocessors' function is to hand potentially dangerous packets to the detection engine so that it can try to find known patterns.
Rules Files: plain text files containing a list of rules with a known syntax. This syntax includes protocols, addresses, the associated output plug-ins and some other things. Rules files are updated in the same way that virus definition files are.
Detection Plug-ins: these modules are referenced from their definition in the rules files, and they are intended to identify patterns whenever a rule is evaluated.
Detection Engine: using the detection plug-ins, it matches packets against the rules loaded into memory at Snort initialization.
Output Plug-ins: these modules allow the notifications (alerts, logs) to be formatted so that the user can access them in many ways (console, external files, databases, etc.).
Figure 2. Snort initialization (Sequence diagram 1).
Figure 3. Snort initialization (Sequence diagram 2).
Figure 4. Rules file parsing (Sequence diagram 3).
2. RULES FILE PARSING
The following functions are in the file ./parser.c.
Function ParseRulesFile()
This function goes through each line of the configuration file (i.e. snort.conf) in a loop. If the line is a valid rule (not a comment), it is passed to the rule parser (the function ParseRule()).
Function ParseRule()
This function is executed once for each valid rule in the configuration file. Initially it looks for lines that are not detection rules, in other words instructions such as include, var, preprocessor, output plugins, config, etc. When it finds preprocessors and output plugins, it calls the initialization functions for each one. If the rule is a detection rule, that is, it begins with alert, log, pass, activation or dynamic, the rule is verified and loaded into memory by the function ProcessHeadNode(). Detection rules are stored in memory inside the structures RuleTreeNode (RTN) and OptTreeNode (OTN); these structures are declared in the file ./rules.h. A detailed explanation can be found in question 3.17, "How does rule ordering work?", of [SnortFAQ 03].
Function ProcessHeadNode()
This is the function's prototype:
void ProcessHeadNode(RuleTreeNode *test_node, ListHead *list, int protocol)
It takes the RTN pointed to by test_node and attaches it at the end of the RTN chain for the respective protocol, in the ListHead pointed to by list [Schildt 90].
Figure 5. Data structures associated with ProcessHeadNode().
Function ParseRuleOptions()
This is the function's prototype:
void ParseRuleOptions(char *rule, int rule_type, int protocol)
It creates OTNs and attaches them to the RTN pointed to by the global variable rtn_tmp, which is set by the function ProcessHeadNode(); that function was previously called by ParseRule(). In this way the linked matrix of RTNs and OTNs is formed (we call a two-dimensional linked list structure a linked matrix), which is where rules are stored in memory. RTNs keep the data given by the rule header, while OTNs keep the data given by the rule options section. An example rule, split into the header (everything before the parentheses) and the options (the parenthesised part):
alert tcp any any -> / (content: a5 ; msg: mountd access ;)
The linked matrix is shown as follows. In the figure each square represents a data structure and each arrow a pointer.
Figure 6. Linked matrix.
3. DATA STRUCTURES AFTER PARSING
After the rules file is parsed, the rules are stored in RTNs and OTNs forming the following structure.
Figure 7. Where rules are stored.
The RuleLists pointer is a global variable declared in the file ./parser.c; it is useful for going over all the rules stored in memory. It points to the first element of a RuleListNode linked list. Each node of the list has a ListHead pointer; there is one node for each rule type (Alert, Dynamic, Log, Pass and Activation). Finally, each ListHead has four pointers, one per protocol (Ip, Tcp, Udp and Icmp); each pointer points to a linked matrix of RTNs and OTNs where the rules are. In other words, there can be up to four matrices per rule type.
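To make the structures of sections 2 and 3 concrete, here is an added example in C that is not part of the original document and is not Snort's source code: a toy parser modelling ParseRulesFile(), ParseRule(), ProcessHeadNode() and ParseRuleOptions(), which builds the RuleLists -> RuleListNode -> ListHead -> RTN -> OTN structure from a constructed configuration. The rule that two rules with identical header text share one RTN, the fixed-size string fields, the lookup helpers and the sample configuration are this example's own assumptions; Snort's real parsing is considerably more involved.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the parser-side structures: RuleLists -> RuleListNode (one per rule type)
 * -> ListHead (one RTN chain per protocol) -> RTN -> OTN chain. Names mirror the
 * document, but this is an added example, not Snort's code. */
typedef struct OptTreeNode { char options[128]; struct OptTreeNode *next; } OptTreeNode;
typedef struct RuleTreeNode {
    char header[128];            /* header text, e.g. "tcp any any -> $HOME_NET 111" */
    OptTreeNode *down;           /* OTNs that share this header */
    struct RuleTreeNode *right;  /* next RTN in the protocol chain */
} RuleTreeNode;
enum { PROTO_IP, PROTO_TCP, PROTO_UDP, PROTO_ICMP, PROTO_COUNT };
typedef struct { RuleTreeNode *proto[PROTO_COUNT]; } ListHead;   /* Ip, Tcp, Udp, Icmp chains */
typedef struct RuleListNode { char type[16]; ListHead head; struct RuleListNode *next; } RuleListNode;

static RuleListNode *RuleLists = NULL;   /* global, as in parser.c */
static RuleTreeNode *rtn_tmp = NULL;     /* set by ProcessHeadNode(), read by ParseRuleOptions() */

static int proto_index(const char *p) {
    const char *names[PROTO_COUNT] = { "ip", "tcp", "udp", "icmp" };
    for (int i = 0; i < PROTO_COUNT; i++) if (strcmp(names[i], p) == 0) return i;
    return -1;
}

/* RuleListNode for a rule type (alert, log, ...), appended on first use. */
static RuleListNode *rule_list_for(const char *type) {
    RuleListNode **pp = &RuleLists;
    for (; *pp; pp = &(*pp)->next) if (strcmp((*pp)->type, type) == 0) return *pp;
    *pp = calloc(1, sizeof(**pp));
    strncpy((*pp)->type, type, sizeof((*pp)->type) - 1);
    return *pp;
}

/* ProcessHeadNode(): attach test_node at the end of the protocol's RTN chain in list.
 * Assumption of this example: a rule whose header text equals an existing RTN's
 * header reuses that RTN, which is what makes the structure two-dimensional. */
static void ProcessHeadNode(RuleTreeNode *test_node, ListHead *list, int protocol) {
    RuleTreeNode **pp = &list->proto[protocol];
    for (; *pp; pp = &(*pp)->right)
        if (strcmp((*pp)->header, test_node->header) == 0) { free(test_node); rtn_tmp = *pp; return; }
    *pp = test_node;
    rtn_tmp = test_node;
}

/* ParseRuleOptions(): create an OTN and hang it at the end of rtn_tmp's OTN chain. */
static void ParseRuleOptions(const char *options) {
    OptTreeNode **pp = &rtn_tmp->down, *otn = calloc(1, sizeof(*otn));
    strncpy(otn->options, options, sizeof(otn->options) - 1);
    while (*pp) pp = &(*pp)->next;
    *pp = otn;
}

/* ParseRule(): 1 = detection rule stored; 0 = comment or non-detection line
 * (var, preprocessor, output, config, ...); -1 = malformed detection rule.
 * "activate" is the rule keyword for the Activation list. */
static int ParseRule(const char *line) {
    char type[16], proto[8];
    const char *paren = strchr(line, '('), *hdr, *close;
    size_t hlen;
    if (line[0] == '#' || line[0] == '\0' || sscanf(line, "%15s %7s", type, proto) != 2) return 0;
    if (strcmp(type, "alert") && strcmp(type, "log") && strcmp(type, "pass") &&
        strcmp(type, "activate") && strcmp(type, "dynamic")) return 0;
    int pidx = proto_index(proto);
    if (pidx < 0 || paren == NULL) return -1;
    RuleTreeNode *rtn = calloc(1, sizeof(*rtn));
    hdr = line + strlen(type);                       /* header: after the type, up to '(' */
    while (*hdr == ' ') hdr++;
    hlen = (size_t)(paren - hdr);
    while (hlen > 0 && hdr[hlen - 1] == ' ') hlen--;
    snprintf(rtn->header, sizeof(rtn->header), "%.*s", (int)hlen, hdr);
    ProcessHeadNode(rtn, &rule_list_for(type)->head, pidx);
    close = strrchr(paren, ')');                     /* options: the text between the parentheses */
    char opts[128];
    snprintf(opts, sizeof(opts), "%.*s", close ? (int)(close - paren - 1) : (int)strlen(paren + 1), paren + 1);
    ParseRuleOptions(opts);
    return 1;
}

/* ParseRulesFile(): walk the configuration text line by line; returns rules stored. */
static int ParseRulesFile(const char *text) {
    char buf[256]; int stored = 0;
    for (const char *p = text; *p; p++) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        snprintf(buf, sizeof(buf), "%.*s", (int)len, p);
        if (ParseRule(buf) == 1) stored++;
        if (!nl) break;
        p = nl;                                      /* loop increment steps past '\n' */
    }
    return stored;
}

static RuleTreeNode *chain(const char *type, int protocol) {
    for (RuleListNode *n = RuleLists; n; n = n->next)
        if (strcmp(n->type, type) == 0) return n->head.proto[protocol];
    return NULL;
}
static int count_rtns(const char *type, int protocol) {
    int c = 0; for (RuleTreeNode *r = chain(type, protocol); r; r = r->right) c++; return c;
}
static int count_otns(const char *type, int protocol) {
    int c = 0;
    for (RuleTreeNode *r = chain(type, protocol); r; r = r->right)
        for (OptTreeNode *o = r->down; o; o = o->next) c++;
    return c;
}

/* Constructed sample configuration for this example (not a real snort.conf). */
static const char *SAMPLE_CONF =
    "# constructed sample\n"
    "var HOME_NET 10.0.0.0/8\n"
    "preprocessor frag2\n"
    "alert tcp any any -> $HOME_NET 111 (msg:\"rpc portmap request\";)\n"
    "alert tcp any any -> $HOME_NET 111 (content:\"|a5|\"; msg:\"mountd access\";)\n"
    "alert udp any any -> $HOME_NET 53 (msg:\"dns query\";)\n"
    "log icmp any any -> $HOME_NET any (msg:\"icmp seen\";)\n";

int main(void) {
    printf("detection rules stored: %d\n", ParseRulesFile(SAMPLE_CONF));
    printf("alert/tcp: %d RTN(s) holding %d OTN(s)\n", count_rtns("alert", PROTO_TCP), count_otns("alert", PROTO_TCP));
    return 0;
}
```

The two tcp rules share a header, so they end up as one RTN with two OTNs hanging from it, while the udp rule gets its own chain under the same Alert ListHead and the icmp rule lands under the Log list: the "up to four matrices per rule type" layout described above.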
Figure 8. Fast packet detection engine initialization (Sequence diagram 4).
4. INITIALIZATION OF THE FAST PACKET DETECTION ENGINE
Initialization begins with the call to the function fpCreateFastPacketDetection() in the file ./fpcreate.c from SnortMain(). The function fpCreateFastPacketDetection() goes over all rules stored in memory using the global variable RuleLists, which is a RuleListNode pointer, and each rule is classified according to its content (Content, UriContent or NoContent). The content is determined through the OTN associated with the rule. This OTN has a field named ds_list, an array of pointers to diverse data structures; the content class is set depending on the type of these structures. After that first classification, it is determined whether the rule is bidirectional, and either prmAddRule(), prmAddRuleUri() or prmAddRuleNC() is called depending on the content type. These functions sort rules into tables according to the source port and destination port given in the rule. The objective of all this is to make the comparison of packets against rules as fast as possible.
Figure 9. Data structures associated with the fast packet detection engine.
If we look into the function fpCreateFastPacketDetection(), we find one PORT_RULE_MAP declared for each protocol (tcp, udp, ip, icmp); inside each PORT_RULE_MAP there are three groups of PORT_GROUP: one is the source port table (prmSrcPort), another is the destination port table (prmDstPort), and the last is the generic table (prmGeneric), which is used for rules with srcport=any and dstport=any.
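The port tables just described, as an added example in C that is not part of the original document or of Snort's source: one PORT_RULE_MAP with its source-port table, destination-port table and generic group, each PORT_GROUP keeping rules by content class. The bucketing order (a specific destination port wins over a specific source port, and rules with both ports set to any go to the generic group), the has_content/has_uricontent flags standing in for the ds_list structures, the candidate lookup for an arriving packet and the sample rules are this example's own assumptions, and it goes one step past the text by showing how the tables are consulted for a packet.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of the fast packet detection tables: a PORT_RULE_MAP holding a source-port
 * table (prmSrcPort), a destination-port table (prmDstPort) and a generic group
 * (prmGeneric) for src=any, dst=any rules. Added example; names follow the document. */
#define MAX_PORTS 65536
#define ANYPORT   (-1)
#define MAX_RULES 32

typedef enum { CONTENT = 0, URICONTENT, NOCONTENT, CLASS_COUNT } ContentClass;

typedef struct {
    int sport, dport;                 /* ANYPORT or 0..65535 */
    int has_content, has_uricontent;  /* stand-ins for the option structures in ds_list */
    const char *msg;
} Rule;

typedef struct {
    const Rule *rules[CLASS_COUNT][MAX_RULES];   /* one slot per content class */
    int count[CLASS_COUNT];
} PORT_GROUP;

typedef struct {
    PORT_GROUP *prmSrcPort[MAX_PORTS];  /* allocated on first use */
    PORT_GROUP *prmDstPort[MAX_PORTS];
    PORT_GROUP  prmGeneric;
} PORT_RULE_MAP;

static PORT_RULE_MAP tcp_prm;   /* the text declares one per protocol; this example builds only tcp */

/* First classification: UriContent, Content or NoContent, from the rule's options. */
static ContentClass classify_rule(const Rule *r) {
    if (r->has_uricontent) return URICONTENT;
    if (r->has_content)    return CONTENT;
    return NOCONTENT;
}

static PORT_GROUP *group_for(PORT_GROUP **table, int port) {
    if (port < 0 || port >= MAX_PORTS) return NULL;
    if (!table[port]) table[port] = calloc(1, sizeof(**table));
    return table[port];
}

static int group_add(PORT_GROUP *g, const Rule *r, ContentClass c) {
    if (!g || g->count[c] >= MAX_RULES) return -1;
    g->rules[c][g->count[c]++] = r;
    return 0;
}

/* Stands in for prmAddRule()/prmAddRuleUri()/prmAddRuleNC(): the content class picks
 * the slot inside the group. Bucketing order is this example's assumption: a specific
 * destination port wins, then a specific source port, otherwise the generic group. */
static int prmAddRule(PORT_RULE_MAP *p, const Rule *r, ContentClass c) {
    if (r->dport != ANYPORT) return group_add(group_for(p->prmDstPort, r->dport), r, c);
    if (r->sport != ANYPORT) return group_add(group_for(p->prmSrcPort, r->sport), r, c);
    return group_add(&p->prmGeneric, r, c);
}

static int group_total(const PORT_GROUP *g) {
    int t = 0;
    for (int c = 0; g && c < CLASS_COUNT; c++) t += g->count[c];
    return t;
}

/* Hypothetical lookup (not described on the page): an arriving packet is compared only
 * against its destination-port group, its source-port group and the generic group. */
static int candidate_rule_count(const PORT_RULE_MAP *p, int sport, int dport) {
    return group_total(p->prmDstPort[dport]) + group_total(p->prmSrcPort[sport]) + group_total(&p->prmGeneric);
}

/* Constructed sample tcp rules, already reduced to the header fields that matter here. */
static const Rule SAMPLE_RULES[] = {
    { ANYPORT, 80,      1, 0, "web content rule" },
    { ANYPORT, 80,      0, 1, "web uricontent rule" },
    { 6667,    ANYPORT, 0, 0, "irc source-port rule without content" },
    { ANYPORT, ANYPORT, 1, 0, "any/any content rule" },
    { 1024,    80,      1, 0, "both ports set: destination table wins" },
};

/* fpCreateFastPacketDetection(): classify every rule, then sort it into the port tables. */
static int fpCreateFastPacketDetection(void) {
    int added = 0;
    for (size_t i = 0; i < sizeof(SAMPLE_RULES) / sizeof(SAMPLE_RULES[0]); i++)
        if (prmAddRule(&tcp_prm, &SAMPLE_RULES[i], classify_rule(&SAMPLE_RULES[i])) == 0) added++;
    return added;
}

static int dst_group_count(int port, ContentClass c) {
    return tcp_prm.prmDstPort[port] ? tcp_prm.prmDstPort[port]->count[c] : 0;
}
static int src_group_total(int port) { return group_total(tcp_prm.prmSrcPort[port]); }
static int generic_total(void) { return group_total(&tcp_prm.prmGeneric); }

int main(void) {
    printf("rules sorted: %d\n", fpCreateFastPacketDetection());
    printf("dst 80: %d content, %d uricontent; src 6667: %d; generic: %d\n",
           dst_group_count(80, CONTENT), dst_group_count(80, URICONTENT), src_group_total(6667), generic_total());
    printf("candidates for sport 6667 -> dport 80: %d; for 40000 -> 22: %d\n",
           candidate_rule_count(&tcp_prm, 6667, 80), candidate_rule_count(&tcp_prm, 40000, 22));
    return 0;
}
```

The payoff is visible in the last line of output: a packet to port 22 from an unrelated source port is compared against the single generic rule rather than all five, which is the speed-up the port tables exist for.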
Figure 10. When a packet arrives (Sequence diagram 5).
Figure 11. When a packet arrives (Sequence diagram 6).
5. TOOLS AND RESOURCES
OpenOffice
O.S.: Linux (Mandrake 10.1 Official).
IDE: KDevelop v3.0 (GNU tools: make, gdb, ...)
6. SOURCE CODE STATISTICS
For Snort in general:
Number of .c files: 135
Number of .h files: 154
Number of source code lines (approx.):
Total size of files (bytes):
Number of .c and .h files per directory (columns: directory, number of .c files, number of .h files, code lines in .c files, code lines in .h files, total code lines in .c and .h files):
./
./detection-plugins
./output-plugins
./parser
./preprocessors
./preprocessors/flow
./preprocessors/HttpInspect
./sfutil
./win32/WIN32-Code
TOTALS:
The number of source code lines includes the comments in each file.
7. TO DO
Explain each file referenced in the sequence diagrams and say more about those diagrams.
Explain many other processes inside Snort, such as the preprocessors, what happens once a packet arrives, and a long list of other things.
Update this documentation for 2.3+ versions of Snort.
Release the documentation in other formats (e.g. HTML).
REFERENCES
[Schildt 90] Herbert Schildt. C: Manual de referencia. Segunda edición, Ed. McGraw-Hill, España.
[SnortFAQ 03] The Snort Core Team. The Snort FAQ.
More informationMaster Course Computer Networks IN2097
Chair for Network Architectures and Services Prof. Carle Department for Computer Science TU München Master Course Computer Networks IN2097 Prof. Dr.-Ing. Georg Carle Christian Grothoff, Ph.D. Dr. Nils
More informationYahoo Search ATS Plugins. Daniel Morilha and Scott Beardsley
Yahoo Search ATS Plugins Daniel Morilha and Scott Beardsley About Us We have a HUGE team! Serves traffic which generates ~40% of Yahoo s $$$ We run both Search Ingress and Egress Maintain around a dozen
More informationNetfilter. Fedora Core 5 setting up firewall for NIS and NFS labs. June 2006
Netfilter Fedora Core 5 setting up firewall for NIS and NFS labs June 2006 Netfilter Features Address Translation S NAT, D NAT IP Accounting and Mangling IP Packet filtering (Firewall) Stateful packet
More informationLab 8: Firewalls & Intrusion Detec6on Systems
Lab 8: Firewalls & Intrusion Detec6on Systems Fengwei Zhang Wayne State University CSC Course: Cyber Security Prac6ce 1 Firewall & IDS Firewall A device or applica6on that analyzes packet headers and enforces
More informationConfiguring Traffic Policies
CHAPTER 11 Date: 4/23/09 Cisco Application Networking Manager helps you configure class maps and policy maps to provide a global level of classification for filtering traffic received by or passing through
More informationChapter 11. User Datagram Protocol (UDP)
Chapter 11 User Datagram Protocol (UDP) Outline Process-to-process communication User datagram Checksum UDP operation Use of UDP UDP package Figure 11-1 Position of UDP in the TCP/IP Protocol Suite The
More informationExternal Data Representation (XDR)
External Data Representation (XDR) Prof. Chuan-Ming Liu Computer Science and Information Engineering National Taipei University of Technology Taipei, TAIWAN NTUT, TAIWAN 1 Introduction This chapter examines
More informationCOMPUTER NETWORK. Homework #2. Due Date: April 12, 2017 in class
Computer Network Homework#2 COMPUTER NETWORK Homework #2 Due Date: April 12, 2017 in class Question 1 Suppose a process in Host C has a UDP socket with port number 6789. Suppose both Host A and Host B
More informationIntroduction to OSI model and Network Analyzer :- Introduction to Wireshark
Sungkyunkwan University Introduction to OSI model and Network Analyzer :- Introduction to Wireshark Syed Muhammad Raza s.moh.raza@gmail.com Copyright 2000-2014 Networking Laboratory 1/56 An Overview Internet
More informationMonitoring Network File Systems
Monitoring Network File Systems eg Enterprise v6 Restricted Rights Legend The information contained in this document is confidential and subject to change without notice. No part of this document may be
More informationDevice Management Basics
The following topics describe how to manage devices in the Firepower System: The Device Management Page, page 1 Remote Management Configuration, page 2 Adding Devices to the Firepower Management Center,
More informationCourse Title: C Programming Full Marks: Course no: CSC110 Pass Marks: Nature of course: Theory + Lab Credit hours: 3
Detailed Syllabus : Course Title: C Programming Full Marks: 60+20+20 Course no: CSC110 Pass Marks: 24+8+8 Nature of course: Theory + Lab Credit hours: 3 Course Description: This course covers the concepts
More information