Introduction Network Traffic Analysis Using tcpdump Intrusion Detection

  • Slides: 8
Introduction Network Traffic Analysis Using tcpdump Intrusion Detection Course – Karol Bonenberg



Problem?
• Many IDS products neither show the analyst the packet that fired an alert nor allow the session to be reconstructed.
• The analyst is then at the mercy of the IDS and its interpretation of the traffic.
• Are we supposed to take the IDS's word that an alert was a real attack?
• Sometimes the IDS is simply wrong: a false positive on benign traffic, or a missed attack in traffic it could not parse.


Solution
• The only way to mitigate the problem is to give the analyst access to both the packet and the signature that caused the alarm, so the verdict can be checked against the bytes.
• Some IDS and IPS products available today do give such access.
• The more common trend, however, is to hide the packet and the rule from scrutiny.
• The fallback is tcpdump: it captures and displays the raw packets independently of any IDS, and it is a de facto standard that every analyst should understand.


tcpdump
• Its packet display is more primitive than that of graphical tools.
• In return it gives a succinct, one-line-per-packet view of the vital details of the traffic, and can dump the raw bytes when the one-line summary is not enough.
• The software package is still maintained and updated with new features and protocol decoders.
• It is a standard you should understand.


IDS and IPS are not "Plug and Play"
• You cannot deploy an IDS/IPS that has not been customized by a savvy analyst.
• They are not yet intelligent devices that deliver coherent output straight out of the box.
• Blaming the IDS for poor results is like a poor workman blaming his tools.
• We need a trained and competent analyst tuning, updating, and examining the output of the IDS.


Table of Contents
• Introduction to tcpdump (Lecture 2)
• Writing tcpdump Filters (Lecture 3)
• Examination of Datagram Fields (Lecture 4)
• Beginning Analysis (Lecture 5)
• Application Protocols and Detection (Lecture 6)


• In the course we will start with the most basic analysis and interpretation of the datagram, at the bit level. This may seem raw, but it is the necessary foundation: every higher-level interpretation rests on reading the header fields correctly.
• Most packet sniffers decode normal traffic correctly, but they can be wrong or silent when the traffic is anomalous or deliberately crafted (impossible flag combinations, header lengths that do not match the bytes on the wire, bad checksums). An analyst who can read the raw bytes is not dependent on the decoder.
• Next, we will step back and analyse the packet as a whole in its relationship to other packets, learning to interpret patterns of traffic with unique signatures.
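The bit-level interpretation the course starts with, as an added example that is not part of the original slides: a decoder for the hex bytes that `tcpdump -x` prints (the IP datagram without its link-level header, e.g. from `tcpdump -nn -x -r capture.pcap`). It pulls the IPv4 and TCP fields out by offset, verifies both checksums, and records the kinds of things a crafted packet contains but a normal stack never emits. The two sample packets are constructed inline by the helper, not captured traffic; the field layout follows RFC 791 and RFC 793, and IP options are skipped via the IHL rather than decoded.

```python
"""Decode an IPv4/TCP datagram from `tcpdump -x` style hex, flagging crafted-packet
anomalies.  Added example; the sample packets are constructed here, not captured."""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words.  Over data that already carries a
    correct checksum the result is 0, which is how the checks below verify."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP's checksum also covers a pseudo-header: src, dst, zero, proto 6, length."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


TCP_FLAG_NAMES = {0x80: "CWR", 0x40: "ECE", 0x20: "URG", 0x10: "ACK",
                  0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}


def decode(hexdump: str) -> dict:
    """Parse text such as "0x0000:  4500 0028 ..." into named fields.  Anything a
    sane stack would never emit is appended to out['anomalies']."""
    tokens = [t for t in hexdump.split() if not t.endswith(":")]   # drop offsets
    raw = bytes.fromhex("".join(tokens))
    out = {"anomalies": []}
    if len(raw) < 20:
        out["anomalies"].append("truncated IP header")
        return out
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4               # low nibble: header length in 32-bit words
    out.update(version=ver_ihl >> 4, ihl=ihl, total_length=total_len, ttl=ttl,
               protocol=proto, src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst),
               df=bool(flags_frag & 0x4000), mf=bool(flags_frag & 0x2000),
               frag_offset=(flags_frag & 0x1FFF) * 8)
    if out["version"] != 4:
        out["anomalies"].append(f"IP version {out['version']} in an IPv4 decode")
    if ihl < 20 or ihl > len(raw):
        out["anomalies"].append(f"IHL {ihl} bytes is outside the header")
        return out                           # nothing after this offset can be trusted
    if total_len != len(raw):
        out["anomalies"].append(f"total length {total_len} != {len(raw)} bytes on the wire")
    if ones_complement_sum(raw[:ihl]) != 0:
        out["anomalies"].append("bad IP header checksum")
    if flags_frag & 0x8000:
        out["anomalies"].append("reserved IP flag bit set")
    if proto != 6 or out["frag_offset"] != 0:
        return out                           # not TCP, or a later fragment: no TCP header here
    segment = raw[ihl:max(ihl, min(total_len, len(raw)))]   # strip link-layer padding
    if len(segment) < 20:
        out["anomalies"].append("truncated TCP header")
        return out
    sport, dport, seq, ack, off_res, flags, win, _tcsum, _urg = \
        struct.unpack("!HHIIBBHHH", segment[:20])
    data_off = (off_res >> 4) * 4            # high nibble: TCP header length in words
    out.update(sport=sport, dport=dport, seq=seq, ack=ack, window=win,
               data_offset=data_off,
               flags=[name for bit, name in TCP_FLAG_NAMES.items() if flags & bit])
    if data_off < 20 or data_off > len(segment):
        out["anomalies"].append(f"TCP data offset {data_off} bytes is outside the segment")
        return out
    out["payload_len"] = len(segment) - data_off
    if tcp_pseudo_checksum(src, dst, segment) != 0:
        out["anomalies"].append("bad TCP checksum")
    if off_res & 0x0E:                       # reserved bits between data offset and NS
        out["anomalies"].append("TCP reserved bits set")
    if flags & 0x03 == 0x03:
        out["anomalies"].append("SYN and FIN set together")
    if flags & 0x06 == 0x06:
        out["anomalies"].append("SYN and RST set together")
    if flags == 0:
        out["anomalies"].append("no TCP flags set (null scan)")
    return out


def build_packet(src: str, dst: str, sport: int, dport: int, tcp_flags: int,
                 ttl: int = 64, ihl_words: int = 5, good_checksums: bool = True) -> str:
    """Construct a minimal IPv4/TCP packet (constructed sample, not captured) and
    render it the way `tcpdump -x` does, so decode() sees what an analyst pastes."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, 5 << 4, tcp_flags, 64240, 0, 0)
    if good_checksums:
        tcp = tcp[:16] + struct.pack("!H", tcp_pseudo_checksum(s, d, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, 20 + len(tcp),
                     1, 0x4000, ttl, 6, 0, s, d)
    if good_checksums:
        ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    words = [(ip + tcp).hex()[i:i + 4] for i in range(0, 2 * len(ip + tcp), 4)]
    return "\n".join(f"\t0x{off * 2:04x}:  " + " ".join(words[off:off + 8])
                     for off in range(0, len(words), 8))


NORMAL_SYN = build_packet("10.0.0.1", "10.0.0.2", 40000, 80, 0x02)
CRAFTED_SYN_FIN = build_packet("10.0.0.1", "10.0.0.2", 40000, 80, 0x03,
                               ttl=255, good_checksums=False)

if __name__ == "__main__":
    for name, dump in (("normal SYN", NORMAL_SYN), ("crafted SYN/FIN", CRAFTED_SYN_FIN)):
        print(name, "\n" + dump, "\n", decode(dump), "\n")
```

The normal SYN decodes with an empty anomaly list; the crafted packet is reported for the SYN+FIN combination and for both checksums, which is exactly the kind of datagram a sniffer's default decoder may summarise without comment. Because the decoder works from the hex text, the same function can be pointed at a real `tcpdump -x` dump once the course reaches captured traffic.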


Course Objectives
• Learn to interpret datagrams field by field
• Learn to write tcpdump filters
• Examine and interpret datagram fields for legitimate uses and misuses
• Interpret traffic by placing it in categories
• Demonstrate real-world analysis and interpretation