Table of Contents...2 Abstract...3 Protocol Flow Analyzer...3

Similar documents
Application Protocol Breakdown

4. The transport layer

Internet Security: Firewall

Transport Layer TCP & UDP Week 7. Module : Computer Networks Lecturers : Lucy White Office : 324

Activating Intrusion Prevention Service

CSC Network Security

Chapter 4. TCP / UDP Transport Protocol Overview

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Networking interview questions

The OSI Model. Open Systems Interconnection (OSI). Developed by the International Organization for Standardization (ISO).

OSI Transport Layer. objectives

1. Arista 7124s Switch Report

Introduction to Networks and the Internet

CCNA 1 Chapter 7 v5.0 Exam Answers 2013

Performance Tuning Snort. Steve Sturges SANS Incident Detection Summit 9 December

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

CS 3516: Computer Networks

3. (a) What is bridge? Explain the operation of a LAN bridge from to (b) Explain the operation of transparent bridge.

CS 3516: Advanced Computer Networks

Configuring attack detection and prevention 1

Networks: Access Management

CSE 565 Computer Security Fall 2018

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

CSCD 433/533 Advanced Networks

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

Managing SonicWall Gateway Anti Virus Service

Supra-linear Packet Processing Performance with Intel Multi-core Processors

Lab 4: Network Packet Capture and Analysis using Wireshark

Lecture 2-ter. 2. A communication example Managing a HTTP v1.0 connection. Managing a HTTP request. transport session. Step 1 - opening transport

TSIN02 - Internetworking

Avaya Port Matrix: Avaya Proprietary Use pursuant to the terms of your signed agreement or Avaya policy.

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

CN1047 INTRODUCTION TO COMPUTER NETWORKING CHAPTER 6 OSI MODEL TRANSPORT LAYER

Network Model: Each layer has a specific function.

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

Configuring attack detection and prevention 1

QUIZ: Longest Matching Prefix

CEN445 Network Protocols & Algorithms. Network Layer. Prepared by Dr. Mohammed Amer Arafah Summer 2008

NETWORK PACKET ANALYSIS PROGRAM

Avaya Port Matrix: Avaya Aura Appliance Virtualization Platform 7.0

CSE 461 Midterm Winter 2018

Transport Layer. Gursharan Singh Tatla. Upendra Sharma. 1

TSIN02 - Internetworking

Chapter 7. Network Intrusion Detection and Analysis. SeoulTech UCS Lab (Daming Wu)

EITF25 Internet Techniques and Applications L7: Internet. Stefan Höst

OSI Transport Layer. Network Fundamentals Chapter 4. Version Cisco Systems, Inc. All rights reserved. Cisco Public 1

L6: OSI Reference Model

UNIVERSITY OF TORONTO ELECTRICAL AND COMPUTER ENGINEERING ECE 361 Test February 2, 2012

B.Sc. (Hons.) Computer Science with Network Security B.Eng. (Hons) Telecommunications B.Sc. (Hons) Business Information Systems

Avaya Port Matrix: Avaya Communicator for Microsoft Lync 6.4. Avaya Proprietary Use pursuant to the terms of your signed agreement or Avaya policy.

The trace file is here:

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Chapter 3 Transport Layer

Avaya Proprietary Use pursuant to the terms of your signed agreement or Avaya policy.

Communicating over the Network. Network Fundamentals. ITE PC v4.0 Chapter Cisco Systems, Inc. All rights reserved.

Position of IP and other network-layer protocols in TCP/IP protocol suite

precise rules that govern communication between two parties TCP/IP: the basic Internet protocols IP: Internet protocol (bottom level)

TSIN02 - Internetworking

Configuring Traffic Policies

Lecture 12. Application Layer. Application Layer 1

QoS on Low Bandwidth High Delay Links. Prakash Shende Planning & Engg. Team Data Network Reliance Infocomm

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

EE-311 Data Communication & Networks

How to Configure IPS Policies

CS 716: Introduction to communication networks th class; 7 th Oct Instructor: Sridhar Iyer IIT Bombay

AN exam March

Firewalls, Tunnels, and Network Intrusion Detection

Using Ethereal As A Tool For Network Security Mentor: Mr. Christopher Edwards Team Members: Jerome Mitchell, Anthony Anderson, and Napoleon Paxton

Lab 2. All datagrams related to favicon.ico had been ignored. Diagram 1. Diagram 2

Ref: A. Leon Garcia and I. Widjaja, Communication Networks, 2 nd Ed. McGraw Hill, 2006 Latest update of this lecture was on

TECHNICAL NOTE. Oracle Protocol Agent Overview. Version 2.5 TECN04_SG2.5_

WHITE PAPER HIGH-FIDELITY THREAT INTELLIGENCE: UNDERSTANDING FALSE POSITIVES IN A MULTI-LAYER SECURITY STRATEGY

Cisco Service Control Online Advertising Solution Guide: Behavioral. Profile Creation Using Traffic Mirroring, Release 4.0.x

Design and Performance of the OpenBSD Stateful Packet Filter (pf)

1. (a) With a neat diagram, explain the functionality of layers, protocols and interfaces.

DYNAMIC SERVICE CHAINING DYSCO WITH. forcing packets through middleboxes for security, optimizing performance, enhancing reachability, etc.

Network Intrusion Detection Systems. Beyond packet filtering

Statistical based Approach for Packet Classification

Network Traffic Exploration Application. Presented By Grant Vandenberghe. (613)

NIDS: Snort. Group 8. Niccolò Bisagno, Francesco Fiorenza, Giulio Carlo Gialanella, Riccardo Isoli

In addition to this there are hundreds of new and useful commands in the following areas:

CSc 466/566. Computer Security. 18 : Network Security Introduction

Need For Protocol Architecture

IP Network Troubleshooting Part 3. Wayne M. Pecena, CPBE, CBNE Texas A&M University Educational Broadcast Services - KAMU

Getting Started with Access Control Policies

Need For Protocol Architecture

Transport Layer. Chapter 3: Transport Layer

Introduction. IP Datagrams. Internet Service Paradigm. Routers and Routing Tables. Datagram Forwarding. Example Internet and Conceptual Routing Table

CNIT 50: Network Security Monitoring. 6 Command Line Packet Analysis Tools

TSIN02 - Internetworking

Avaya Port Matrix: Avaya Diagnostic Server 3.0

Part VI. Appendixes. Appendix A OSI Model and Internet Protocols Appendix B About the CD

20-CS Cyber Defense Overview Fall, Network Basics

CSE 565 Computer Security Fall 2018

COMPUTER NETWORK. Homework #2. Due Date: April 12, 2017 in class

CS 4390 Computer Networks. Transport Services and Protocols

CSE/EE 461 Lecture 13 Connections and Fragmentation. TCP Connection Management

Introduction to TCP/IP networking

The Internet. 9.1 Introduction. The Internet is a global network that supports a variety of interpersonal and interactive multimedia applications.

Reference Models. 7.3 A Comparison of the OSI and TCP/IP Reference Models

Transcription:

TABLE OF CONTENTS Table of Contents...2 Abstract...3 Protocol Flow Analyzer...3 What is a Protocol Flow?...3 Protocol Flow Analysis...3 Benefits of Protocol Flow Analysis...4 HTTP Flow Analyzer Overview...4 HTTP Traffic Profile...4 Work Flow Analysis...5 HTTP Flow Analyzer Processing Methods...5 Packet-Based Processing...5 Session-based Processing...5 HTTP Connection: Keepalive...6 Bibliography...6 Authors: Marc Norton, Sourcefire, Inc. Daniel Roelker, Sourcefire, Inc.

ABSTRACT The Snort 2.0 Protocol Flow Analyzer classifies network application protocols into client and server data flows. Indepth analysis of these protocol data flows allows the Fusion Detection Engine to make intelligent decisions about protocol inspection, greatly enhances performance and efficiency, and helps to reduce false positives. Currently, the Fusion Detection Engine has an HTTP flow analyzer that is user-configurable and significantly reduces the Fusion Detection Engine s HTTP processing time. PROTOCOL FLOW ANALYZER What is a Protocol Flow? A protocol flow refers to the client or server communication in an application protocol. For example, HTTP clientto-server communication is considered a flow and HTTP server-to-client communication is considered a separate flow. This allows the Fusion Detection Engine to break down a particular application protocol into two distinct flows, a client flow and a server flow. Protocol Flow Analysis Protocol flow analysis is performed at a high level and is usually only concerned with a few important aspects of a particular protocol flow, such as a server response code or a client request type. Flow analysis does not replace other Snort 2.0 protocol inspection technologies; instead it compliments them. It is rather a generic analysis that allows an application protocol to be classified as a client or server flow. Once an application protocol is classified into a client flow and a server flow, it gives the Fusion Detection Engine useful knowledge as to the type of inspection and the regions of the protocol flow to inspect. White Paper - 3 Sourcefire, Inc. 6/2002

Benefits of Protocol Flow Analysis Protocol flow analysis gives the Fusion Detection Engine rudimentary knowledge of a particular application protocol. With this knowledge Fusion Detection Engine decides what part of a protocol to inspect, if any part at all. This significantly reduces processing time, since the Fusion Detection Engine would usually inspect the ignored protocol data with all the applicable rules. Flow analysis also reduces false positives by limiting the amount of inspection that the Fusion Detection Engine does, so it is less likely to alert on unrelated rule content matches. HTTP FLOW ANALYZER OVERVIEW The HTTP flow analyzer, now available in the Fusion Detection Engine, illustrates the benefits of flow analysis. It attempts to reduce the amount of network traffic analyzed by the Fusion Detection Engine at both the packet level and within the TCP stream reassembler. This technique reduces the amount of data the must be inspected for content matches. The idea for the HTTP flow analyzer was adapted from Web Protocols and Practice [1]. The following assumptions about HTTP traffic and the Fusion State Engine are made: 1. Due to the request-response model of HTTP, 95+% of HTTP traffic for a given web transfer is the response header and data, of which only a fraction (typically 3% - 5% or a few hundred bytes) is the response header. 2. Traffic from a protected server is usually trusted traffic and generally well conditioned. 3. The Fusion TCP State Engine knows which side of a connection is server-side based in the TCP 3-way handshake. So even if both source and destination ports are port 80, it is known whether a packet is from the server or client. 4. IP fragment reassembly is transparent to the HTTP Flow Analyzer, and is handled prior to flow analysis. Also, only fully reassembled IP packets are passed down to flow analyzer. The essence of the HTTP Flow Analyzer is to know what part of HTTP traffic should be inspected and what part should not be inspected. This eliminates a lot of useless pattern matching, as this paper will show. HTTP Traffic Profile In the HTTP protocol, the client request usually consists of a few hundred bytes on average. Fusion Detection Engine has 500+ rules, which it applies to client-side HTTP requests. This is a case where lots of rules are matched against a small amount of text. However, the HTTP server response contains much more data, about 5,000 to 15,000 bytes on average. But the server response header only constitutes about 300 bytes of the total server response. The rest of the server response is the response payload, and is generally not considered malicious traffic. This is due to the fact that servers in the protected network are trusted. The HTTP server response flow makes up 95% of the total HTTP traffic. And the response header is typically less than 5% of the total HTTP traffic. It is this 5% that needs to be inspected. The server response payload, which is 95% or more of the server response, can be eliminated. In total, this means that only 10% (5% client-side data and 5% server-side data) of all web traffic needs to be inspected. For instance, in an enterprise network, HTTP traffic can amount to ~75% of all network traffic, of which only 10% of HTTP traffic need be processed by the detection engine. This reduces the HTTP processing from 75% of total network traffic to 7.5%. White Paper - 4 Sourcefire, Inc. 6/2002

Work Flow Analysis The total rule processing work of an application protocol consists of both the server protocol flow and the client protocol flow. This can be defined as: Total Work = Server Flow Work + Client Flow Work Using this definition, the processing time that the detection engine saves from protocol flow analysis can be determined. This is accomplished by finding the Work Flow Ratio. The Work Flow Ratio is computed by comparing the Total Work it takes for the detection engine to process server and client flows without using flow analysis, and the Total Work it takes for the detection engine to process server and client flows using flow analysis. In Appendix A, we calculate that after protocol flow analysis, the Work Flow Ratio reduces rule processing time for HTTP traffic by 89%. Reducing the rule processing time by 89% reduces the total Snort processing time by 44%. This is because the rule processing time for HTTP traffic is about 50% of the total Snort processing. Appendix A shows the breakdown of total Snort processing and an in-depth look at the Work Flow Ratio. HTTP FLOW ANALYZER PROCESSING METHODS There are two methods of processing HTTP packets for performance purposes: packet-based and session-based. Packet-Based Processing When processing HTTP requests and responses by packet, the only processing information available is that which is available in the packet. The only required information is a user-defined variable, called HTTP Maximum Response Bytes. This variable specifies the number of HTTP response bytes to process. The process is as follows: 1. Check transport protocol for TCP. 2. Check source port = web ports and destination port!= web ports. 3. Check that the first four bytes of payload are HTTP, if this is the case then the packet is an HTTP response header and we process up to the HTTP Maximum Response Bytes limit, if not then it is an HTTP response payload, which is not processed. Arguably, this method is naive and the HTTP response header inspection could be evaded through breaking up the header from the initial HTTP response, but the HTTP Flow Analyzer assumes that server flows from the protected net are trusted. This is a primitive inspection, but it is still very effective for enhancing performance. Session-based Processing In session-based processing, HTTP requests and responses can be intelligently handled since TCP state is handled before sessions are processed. The session-based processing assumes that the client flow of a session will be rebuilt and that the server flow also be rebuilt. These characteristics are defined as: The session-based processing flow follows: 1. Check for a known HTTP session. If there isn t a known HTTP session, then this payload is not processed since the TCP state has not been verified. 2. If this is a known HTTP session and has been verified by TCP state, then the first four bytes of the incoming payload are inspected for HTTP. If HTTP is found in this packet, a new HTTP server response header inspection is performed, until it is terminated by the standard HTTP end-of-header delimiter (\r\n\r\n). White Paper - 5 Sourcefire, Inc. 6/2002

HTTP Connection: Keepalive Both packet-based and session-based processing approach deal with the problem of the HTTP Connection: Keepalive command. In practice, the HTTP responses are fragmented at the application level and not the byte level, so new HTTP responses will begin in a new packet that begins with HTTP. Both packet-based and sessionbased procedures handle these responses without any tweak to the current procedures. However, the theoretical scenario allows multiple HTTP responses to be embedded in the same packet. While multiple HTTP responses in a single packet will confuse the current packet-based procedure, it will not confuse the session-based procedure. Session-based processing can deal with multiple HTTP responses in a single packet by implementing a quick protocol scanner or decoding the protocol fully. This technique is possible since it is session oriented and TCP payloads are reconstructed. In practice, multiple HTTP responses in the same packet are unlikely to occur from a trusted server. In conclusion, the HTTP performance technique that has been discussed here is essential for high-performance inspection. It is just another example of how protocol analysis is incorporated into the Fusion Detection Engine. By using this technique, the detection engine effectively drops about 90% of HTTP traffic. In a typical 100 Mbits/sec link, this eliminates ~67.5 Mbits/sec per link, given that HTTP traffic constitutes ~75 Mbits/sec in a 100 Mbits/sec link. This is a significant speed up for such a simple modification. BIBLIOGRAPHY 1. [1] B. Krishnamurthy and J. Rexford. Web Protocols and Practice. Addison-Wesley: 2001, AT&T Corp. Page 520. White Paper - 6 Sourcefire, Inc. 6/2002

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback