用snort检测nmap和Metasploit入侵技术

整理文档很辛苦,赏杯茶钱您下走!

免费阅读已结束,点击下载阅读编辑剩下 ...

阅读已结束,您可以下载文档离线阅读编辑

资源描述

AdvancesinCommunications,Computing,NetworksandSecurity10104SnortIDSAbilitytoDetectNmapandMetasploitFrameworkEvasionTechniquesZ.JammesandM.PapadakiCentreforSecurity,CommunicationsandNetworkResearchPlymouthUniversity,UnitedKingdome-mail:info@cscan.orgAbstractDetectingexploitandportscandisguisedbyevasiontechniqueisachallengeforIDS.ThisresearchexaminestheevasiontechniqueprovidedbyNmap,aportscannerandMetasploitFramework,anexploitlauncheragainstafamousIDSnamedSnort.TheresulttendstoprovethatSnorthastheabilitytodetectportscanandexploitonconditiontohaveagoodconfigurationofSnortandsignaturefortheexploit.KeywordsIDS,Snort,Nmap,MetasploitFramework,evasiontechniques,resilience1IntroductionNowadays,informationsystemsareincreasinglyopenInternet.Thisopeningisbeneficialbutisposesneverthelessamajorproblem:itbringsanumberofnewattacksandrequirement.Thefirsteffectistheimplementationofasecuritypolicyaroundthesesystems.Inadditiontotheimplementationoffirewallsandauthenticationsystemsarealsonecessary.Tocompletethissecuritypolicy,itisalsoimportanttohavemonitoringtoolstodetectpossibleintrusionsinthesystem.Thesolutionisintrusiondetectionsystembutlikeeachsoftware,theIDShavealsosomeweaknessnamed:evasiontechniques.Hopefully,overthetime,theIDSareimprovedbringingnewfunctionalitiesbuttherefore,theyarebecomepowerfulbutalsodifficulttoconfigure.Today,theslightesterrorinconfigurationcanthenletgoofthousandsofintrusionwithoutbeingalerted.2EvasiontechniquesTheevasiontechniqueswerefirstlyintroducedbyPtacekandNewham(1998).Theyexplainedthattheydescribedthreeevasionswhicharethefoundations:theinsertion,theevasionandthedenialofservice.TheinsertionattackisanattackwhereIDSdoesnotdetectanythingalthoughonthetargetsystem,theattackdoesoccurandthetargetsystemignoredthepackets.TheevasionattackisanattackwherethetargetsystemacceptsthepacketsalthoughtheIDSrefusedthepackets.TheaimoftheseevasiontechniquesarethepacketcontentinthetrafficwasdifferentlyinterpretedbetweentheIDSandtheendsystem;thisSection2–ComputerandInformationSecurity105beingduetothedifferentsystemimplementation.Finally,thedenialofserviceattackisanattackisanattackwiththeaimofmakesunavailabletheIDS.ThisknownevasionstechniquestargetspecificlayersoftheTCP/IPprotocolstackandusetheirweakness(forinstancefragmentation).Nowadays,thesetechniqueshavealsospreadtootherdifferentprotocolasSMB,DCERPCandHTTP.In2010,Stonesoft(Boltz,Jalava,&Walsh,2010)sharedfindingsonanewevasionthreat.Indeed,theydiscoverthisyearnewtechniquestoevadeIDSnamedAdvancedEvasionsTechniques(AET).TheAETstargetmultiplelayersoftheprotocolTCP/IPstackandcombinemultipleevasionmethods.Furthermore,theycanbechangedormodifiedduringtheexploit.TheproblemisthattheydonotconformtotherulesusedbyIDStoday.Nowadays,manytoolsusedtotestthesecurityimplementsdifferenttechnicalevasion.Forinstance,Nmap(2012)isdesignedtodetectopenports,identifyhostedservicesandinformationabouttheoperatingsystemofaremotecomputerbutprovidedsomeevasiontechniques.MetasploitFramework(Maynor,2007)isatoolthatallowslaunchingdifferentexploitagainstaremotehostwhilealsoprovidingdifferentevasiontechniques.Anexploitisacomputerprogramto“exploit”asecurityflaworvulnerabilities.Snort(2012)isasignature-basedIDSe.g.itusessignaturesofknownattacktodetecttheattackinthenetworktraffic.Itisverydependentsignaturesandthereforerequiredtobeupdatedregularly.Snortisalsoconsideredlikeanomaly-basedIDS.Itisabletodetectsomeanomaliesinthedifferentprotocol.Snortisthereforebasedonthepreprocessorstonormalizetrafficanddetectinganomaliesandontherulestodetectinthisstudyexploits.preprocessorsandruleswillbeputtothetest.3SnortconfigurationagainstNmap’sevasiontechniquesTheexperiencesmadewithNmapcanbeeasilyredobecauseitdoesnotnecessaryhavespecificequipment.Theonlyrequirementistohave2computerorvirtualmachine.Themostimportantistohaveonehostwhichlaunchesthescanandanotherwhichisscanned.ItcouldbeusefultoprefertotargetaLinuxdistributionratherthanawindowssystem.NmapoffersdifferentscantechniquesbasedontheTCPandUDPprotocol.ThesfPortscanisthepreprocessorthatisabletodetectdifferentportscaninfunctionofitsconfiguration.MostoftheevasionsarebasedonchangestotheUDP,TCPandIPprotocol.Forthispart,theexperienceusesdifferentscansprovidebyNmap.ThemostefficientevasiontechniqueprovidedbyNmaptoevadethismoduleisthefragmentation.Usually,fragmentationoccurswhendatagramsarelargerthantheallowablesize,thislimitationiscalledMTU(MaximumTransmissionUnit).EachfragmentedpackethasanIPheaderforlinkingfragmentstogetherduringthereconstruction.AdvancesinCommunications,Computing,NetworksandSecurity10106TypeofscanWithFrag3WithoutFrag3Synscan/regularscanOKNOFinscanNONONullscanNONOMaimonscanNONOXmasscanNONOConnectscanOKNOAckscanNONOIPprotocolscanNONOIntensivescanOKNOIntensivescanplusUDPOKNOIntensivescanalltcpOKNOSlowcomprehensivescanOKNOTable1-PortscandetectionwithfragmentationInthiscase,despitethatthesfPortscanisenabled,Snortisunabletodetectanyportscan.Snortneedsthefrag3preprocessorwhichperformsthedefragmentationofIPpacketsinordertopreventattackpacketsintentionallyfragmentedcane

1 / 8
下载文档,编辑使用

©2015-2020 m.777doc.com 三七文档.

备案号:鲁ICP备2024069028号-1 客服联系 QQ:2149211541

×
保存成功