IDS(intrusion detection system,\u5165\u4fb5\u5075\u6e2c\u7cfb\u7d71)
\u662f\u4e00\u7a2e\u76e3\u6e2c\u8207\u8b58\u5225\u672a\u7d93\u6388\u6b0a\u4e4b\u7cfb\u7d71\u5b58\u53d6\u6216\u66f4\u6539\u4f01\u5716\u7684\u7a0b\u5e8f,\u4e3b\u8981\u63d0\u4f9b\u76e3\u8996\u8207\u8b66\u5831\u548c\u8a18\u9304,\u5982\u540c\u6c7d\u8eca\u8b66\u5831\u5668
\u539f\u7406\uff1a\u5927\u90fd\u4ee5\u89e3\u8b80\u7db2\u8def\u5c01\u5305\u8207\u7cfb\u7d71\u65e5\u8a8c\u5167\u5bb9\u3001\u7db2\u8def\u6d41\u91cf\u6216\u6d41\u5411\u7b49\u65b9\u5f0f\u4f86\u5373\u6642\u5075\u6e2c\u3001\u56de\u5831\u8207\u53cd\u61c9\u53ef\u7591\u5165\u4fb5\u60c5\u4e8b\uff0c\u9032\u800c\u9069\u6642\u63d0\u51fa\u8b66\u8a0a
\u5927\u90e8\u4efd\u88ab\u5075\u6e2c\u5230\u7684\u5b89\u5168\u653b\u64ca\u662f\u7b2c\u4e09\u5c64\u5230\u7b2c\u516d\u5c64
IDS\u8a18\u9304\u6a94\u6703\u8a18\u9304\u6240\u6709\u5075\u6e2c\u5230\u7684\u4e8b\u4ef6,\u8a18\u9304\u6703\u63d0\u4f9b\u7c21\u77ed\u63cf\u8ff0,\u53ef\u7528\u65bc\u5206\u6790\u8207\u5831\u544a
\u5c6c\u65bc\u88ab\u52d5\u5f0f\u7684\u9632\u79a6\u884c\u52d5,\u53ea\u80fd\u5075\u6e2c\u5df2\u7d93\u767c\u751f\u7684\u4e8b\u4ef6
\u7f3a\u9ede\uff1a\u7121\u4e3b\u52d5\u9632\u79a6\uff0cLOG\u592a\u591a\u4e5f\u6c92\u7a7a\u770b
\u512a\u9ede\uff1a\u53ef\u505a\u6df1\u5c64\u8cc7\u6599\u5206\u6790\u6216\u6578\u4f4d\u8b49\u64da<\/p>\n\n\n\n
ps:
IDWG(intrusion detection exchange format)
\u5b9a\u7fa9\u4e0d\u540c\u5ee0\u5546ids\u7522\u54c1\u4e4b\u9593\u5171\u901a\u7684\u8a9e\u8a00\u898f\u683c\u8207\u5354\u5b9a,\u63a1xml
\u76ee\u6a19\u662f\u8981\u5728\u591a\u500b\u516c\u53f8\u6216\u7ad9\u53f0\u9593\u641c\u96c6\u4e26\u95dc\u806f\u8cc7\u6599,\u4f86\u5075\u6e2c\u8207\u5c0d\u6297\u5168\u7403\u6027\u7db2\u8def\u5165\u4fb5\u4e8b\u4ef6
ps:
AVDL(application vulnerability description language)
\u5c08\u9580\u91dd\u5c0d\u61c9\u7528\u5c64\u7684\u5f31\u9ede,\u6240\u5efa\u7acb\u7684\u4e00\u500b\u7d71\u4e00\u8a0a\u606f\u50b3\u905e\u6a19\u6e96,\u76ee\u524d\u6709\u591a\u7248\u672c<\/p>\n\n\n\n
IDS placement<\/strong> ………………<\/p>\n\n\n\n ways to detect an intrusion ……………..<\/p>\n\n\n\n Types of IDS:<\/strong> Host-based(\u4e3b\u6a5f\u578b)<\/strong>,\u4e5f\u7a31HIDS ps: Network-based(\u7db2\u8def\u578b)<\/strong>,\u4e5f\u7a31NIDS ps: ps: ……………………………………………………………………………………………………………………….<\/p>\n\n\n\n true,false,positive,negative<\/p>\n\n\n\n condition \u6709\u4ee5\u4e0b<\/strong> \u932f\u8aa4\u60c5\u6cc1\u70ba<\/strong> ……………<\/p>\n\n\n\n indications of intrusions<\/p>\n\n\n\n \u5e38\u898b\u7684system\u5165\u4fb5\u5fb5\u5146<\/strong> \u5e38\u898b\u7684file system\u5165\u4fb5\u5fb5\u5146<\/strong> \u5e38\u898b\u7684network\u5165\u4fb5\u5fb5\u5146<\/strong> ……………<\/p>\n\n\n\n ids tool: ……………<\/p>\n\n\n\n steps to perform after an ids detects an attack<\/strong> ……………………………………………………………………………………………………………………….<\/p>\n\n\n\n evading ids<\/p>\n\n\n\n \u5b57\u4e32\u5339\u914d\u7684\u5f31\u9ede<\/strong> \u653b\u64ca\u8005\u53ef\u5728\u6b64\u57fa\u790e\u4e0a\u518d\u52a0\u4ee5\u8b8a\u5316,\u53ef\u52a0\u5927ids\u7684\u9632\u79a6\u96e3\u5ea6 way to evade ids: insertion(\u5d4c\u5165\u5f0f\u653b\u64ca)<\/strong>:An IDS can accept a packet that an endsystem rejects evasion(\u8ff4\u907f\u653b\u64ca)<\/strong>:An end-system can accept a packet that an IDS rejects. dos<\/strong> complex attacks<\/strong><\/p>\n\n\n\n obfuscation<\/strong>:make code harder to understand or read desynchronizaition<\/strong> fragmentation<\/strong> session splicing(\u6703\u8a71\u62fc\u63a5)<\/strong> other polymorphic shell code(\u591a\u578bshell\u4ee3\u78bc) \u900f\u904e\u641c\u7d22\u7121\u64cd\u4f5c(no-op)\u5b57\u5143\u7684\u4e00\u500b\u7279\u5b9a\u9577\u5ea6\u7684\u6b63\u5247\u904b\u7b97\u5f0f\uff0c\u53ef\u4ee5\u5be6\u73fe\u5c0d\u591a\u578bshell\u4ee3\u78bc\u7684\u7cbe\u78ba\u6aa2\u6e2c\u3002 …………………<\/p>\n\n\n\n tools to evade ids<\/p>\n\n\n\n evade tool\u6709 packet generators tool …..<\/p>\n\n\n\n firewall,ids test tool: ………………………………………………………………………………………………..<\/p>\n\n\n\n IPS(Intrusion Prevention System,\u5165\u4fb5\u9632\u79a6\u7cfb\u7d71) intrusion prevention strategies:<\/strong> ips deployment risks:<\/strong> type of ips<\/strong> information flow in ids and ips:<\/strong> ips products IDS(intrusion detection system …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[10],"tags":[],"class_list":["post-447","post","type-post","status-publish","format-standard","hentry","category-securitysloution"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/447","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=447"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/447\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=447"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=447"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=447"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u901a\u5e38\u67b6\u8a2d\u5728\u7db2\u8def\u91cd\u8981\u7bc0\u9ede\u8207\u4e3b\u6a5f\u7cfb\u7d71\u4e4b\u4e0a\uff0c\u53ef\u76e3\u6e2c\u7db2\u8def\u6d41\u91cf\u8207\u5167\u5bb9\uff0c\u6216\u8005\u662f\u5206\u6790\u4e3b\u6a5f\u5167\u7684\u6a94\u6848\u6d41\u52d5
\u653efirewall\u5916\u9762\u53ef\u770b\u5230\u6700\u591a\u653b\u64ca\u60c5\u5f62
\u653efirewall\u5167\u90e8\u5f88\u591a\u653b\u64ca\u60c5\u5f62\u6703\u88abfilter<\/p>\n\n\n\n
signature recognition(\u7279\u5fb5\u5075\u6e2c)<\/strong>;\u5b9a\u7fa9\u60e1\u610f\u7279\u5fb5,\u4e00\u4f46\u6bd4\u5c0d\u5230\u5c31alarm
\u3000\u6216\u7a31Misuse detection(\u6feb\u7528\u5075\u6e2c),\u9808\u4f7f\u7528\u5df1\u77e5\u60e1\u610f\u884c\u70ba\u8207\u578b\u614b\u8cc7\u6599\u5eab\u4f86\u9032\u884c\u6bd4\u5c0d\u5206\u6790
\u3000\u5927\u90e8\u4efdids\u4f7f\u7528\u6b64\u65b9\u6cd5
\u3000\u512a\u9ede:\u8f03\u4e0d\u5bb9\u6613\u8aa4\u5224,\u4e14\u8b58\u5225\u653b\u64ca\u8f03\u660e\u78ba,\u53ef\u8fa8\u8b58\u5df1\u77e5\u60e1\u610f\u4e8b\u4ef6
\u3000\u7f3a\u9ede:\u9700\u6642\u5e38\u66f4\u65b0\u7279\u5fb5,\u7121\u6cd5\u8fa8\u8b58\u672a\u77e5\u60e1\u610f\u4e8b\u4ef6
\u3000Pattern Matching IDS:\u8fa8\u8b58\u65b9\u5f0f,\u9700\u5e38\u66f4\u65b0\u653b\u64ca\u7279\u5fb5\u8cc7\u6599\u5eab
anomaly detection(\u7570\u5e38\u5075\u6e2c)<\/strong>:\u5b9a\u7fa9\u6b63\u5e38\u60c5\u6cc1,\u82e5\u8d85\u51fa\u6b63\u5e38\u60c5\u6cc1\u7684\u7bc4\u570d\u5c31alarm
\u3000\u4f7f\u7528\u7d71\u8a08\u539f\u7406,\u53ef\u5075\u6e2c\u4e0d\u5c0b\u5e38\u7684\u73fe\u50cf,\u53ea\u80fd\u6307\u51fa\u5927\u6982
\u3000\u512a\u9ede:\u53ef\u6293\u5230\u672a\u77e5\u7279\u5fb5\u4e4b\u653b\u64ca,\u9069\u5408\u8f14\u52a9
\u3000\u7f3a\u9ede:\u8aa4\u5224\u7387\u8f03\u9ad8,\u4e14\u5b9a\u7fa9\u6b63\u5e38\u60c5\u6cc1\u8f03\u8907\u96dc,\u56e0\u6b64\u5fae\u8abf\u9700\u82b1\u8f03\u591a\u6642\u9593
\u3000Behavioral(Statistical) Anomaly Detection\uff1a\u7570\u5e38\u884c\u70ba\u5075\u6e2c,\u4ee5\u884c\u70ba\u70ba\u57fa\u790e,\u53bb\u627e\u5c0b\u504f\u5dee\u884c\u70ba
\u3000Protocol Anomaly Detection:\u7570\u5e38\u901a\u8a0a\u5354\u5b9a\u5075\u6e2c,\u53ea\u5c0b\u627e\u5c01\u5305\u6a19\u982d\u7684\u5dee\u7570 ex:tcp port80\u50b3\u4f86\u7684\u4e0d\u662f\u7db2\u9801,\u800c\u662f\u5947\u602a\u7684data,\u5247alarm
\u3000Traffic Anomaly-Based:\u91dd\u5c0d\u6d41\u91cf\u505a\u5224\u65b7,\u770b\u7db2\u8def\u4e0a\u7684\u6d41\u91cf\u6709\u6c92\u6709\u504f\u96e2\u6b63\u5e38\u7684\u884c\u70ba,ex:\u5927\u91cf\u7684\u5c01\u5305\u6216\u8005\u662f\u51fa\u73fe\u4e0d\u660e\u7684\u5c01\u5305
\u3000Stateful Matching IDS:\u8fa6\u8b58\u65b9\u5f0f,\u662f\u5148\u6536\u96c6\u6578\u500b\u5c01\u5305,\u5728\u4f86\u5224\u65b7\u662f\u5426\u6709\u653b\u64ca\u7684\u884c\u70ba<\/p>\n\n\n\n
host-based
network-based<\/p>\n\n\n\n
\u5206\u6790Logs\u70ba\u4e3b,\u5c6c\u4e8b\u5f8c\u5206\u6790,\u53ef\u88dc\u6551NIDS\u932f\u5931\u5075\u6e2c\u7684\u5165\u4fb5\u4e8b\u4ef6,\u9069\u5408\u6709\u52a0\u5bc6\u7684\u7db2\u8def
\u76f4\u63a5\u76e3\u8996\u8207\u901a\u5831\u767c\u751f\u5728\u61c9\u7528\u5c64\u7684\u4e92\u52d5,\u53ef\u4ee5\u6aa2\u67e5\u6240\u6709\u9032\u5165\u7684\u547d\u4ee4,\u672a\u7d93\u6388\u6b0a\u7684\u6a94\u6848\u8b8a\u66f4
\u7f3a\u9ede\uff1a\u53ef\u80fd\u56e0DOS\u5931\u53bb\u505a\u7528,\u4e0d\u80fd\u7528\u4f86\u505a\u7db2\u8def\u7684\u76e3\u6e2c,\u76e3\u6e2c\u6642\u6d88\u8017\u8a72\u4e3b\u6a5f\u7cfb\u7d71\u8cc7\u6e90
\u901a\u5e38\u4f7f\u7528\u4ee5\u4e0b\u6280\u8853
SIV(system integrity verifiers):\u6216\u7a31file-integrity(\u6a94\u6848\u5b8c\u6574\u6027),snapshot(\u5feb\u7167),checksum(\u6aa2\u67e5\u5408)
\u3000\u5728\u5df1\u77e5\u4e7e\u6de8\u72c0\u614b\u4e0b\u5c0d\u6240\u6709\u91cd\u8981\u6a94\u6848\u7b97\u51fahash\u503c,\u4e26\u5728\u4e8b\u5f8c\u91cd\u8907\u6b64\u52d5\u4f5c\u4e26\u6bd4\u8f03\u5176\u503c,\u82e5\u767c\u73fe\u906d\u8b8a\u66f4\u5373\u901a\u5831
\u3000\u88ab\u52d5\u7684,\u53ea\u80fd\u5831\u544a\u60e1\u610f\u884c\u70ba\u7684\u767c\u751f,\u800c\u4e0d\u80fd\u963b\u6b62\u4ed6
behavior-monitoring(\u884c\u70ba\u76e3\u8996):real-time\u5373\u6642
\u3000\u6703\u5c0d\u60e1\u610f\u7684\u884c\u70ba\u9032\u884c\u5373\u6642\u7684\u76e3\u8996\u6514\u622a,\u63d0\u4f9b\u65e9\u671f\u9810\u8b66\u8207\u9810\u9632
\u3000\u53ef\u5728\u7b2c\u4e00\u6642\u9593\u963b\u6b62\u60e1\u610f\u4e8b\u4ef6\u767c\u751f,\u4f46\u6703\u8017\u8cbb\u5927\u91cfcpu\u6642\u9593host-based tool:
tripwire:siv tool
csa(cisco security agent) <\/p>\n\n\n\n
application-Based(\u61c9\u7528\u578b)
\u4f7f\u7528Application Logs,\u8f03\u6613\u53d7\u653b\u64ca
\u662f\u5728\u8edf\u9ad4\u61c9\u7528\u4e4b\u5167\u5206\u6790\u4e8b\u4ef6\u7684Host-Based IDSs \u7684\u4e00\u7279\u5225\u5b50\u96c6<\/p>\n\n\n\n
\u64f7\u53d6\u8207\u5206\u6790\u7db2\u8def\u4e0a\u6d41\u901a\u7684\u5c01\u5305,\u5c6c\u4e8b\u5148\u9810\u8b66,\u53ef\u4fdd\u8b77\u4e00\u7fa4\u96fb\u8166\u4e3b\u6a5f\u6216\u76e3\u8996\u6574\u500b\u7db2\u8def
\u9700\u5728\u6709\u6df7\u96dc\u6a21\u5f0f\u7684\u7db2\u8def\u4ee5\u53ca\u5c01\u5305\u5c64\u7d1a\u7684\u9a45\u52d5\u7a0b\u5f0f,\u4e26\u5728\u60f3\u76e3\u8996\u7684\u7db2\u8def\u7bc0\u5340\u4e0a\u5b89\u88dd\u4e00\u90e8NIDS,\u4e14\u6d88\u9664\u5165\u4fb5\u8b49\u64da\u8f03\u56f0\u96e3
\u7f3a\u9ede\uff1a\u7db2\u8def\u578b\u614b\u904e\u5927\u6703lost\u8a31\u591a\u5c01\u5305\uff0c\u9700\u63d0\u9ad8\u6548\u80fd\u89e3\u6c7a,\u4e5f\u7121\u6cd5\u8abf\u67e5\u52a0\u5bc6\u904e\u5c01\u5305,\u4ee5\u53ca\u7121\u6cd5\u5224\u65b7\u8ab0\u5728\u63a7\u5236NIDS<\/p>\n\n\n\n
sensor(\u611f\u77e5\u5668):\u53ef\u76e3\u8996\u4e00\u7db2\u8def\u7bc0\u5340\u7684\u5be6\u9ad4\u88dd\u7f6e,\u901a\u5e38\u4e0d\u5177ip\u8207mac,\u53ef\u80fd\u4ee5\u542b\u5728\u5982hub,router,repeater\u7b49\u5167,\u4f46switch\u56e0\u67b6\u69cb\u7121\u652f\u63f4
\u5c01\u5305\u5c64\u7d1a\u9a45\u52d5\u7a0b\u5f0f:\u5c01\u5305\u76e3\u807d\u8edf\u9ad4,ex:tcpdump,windump
promiscuous modes(\u6df7\u96dc\u6a21\u5f0f):\u7db2\u5361\u9808\u5c07\u5c01\u5305\u50b3\u5c01\u5305\u5c64\u7d1a\u9a45\u52d5\u7a0b\u5f0f,\u7db2\u5361\u9810\u8a2d\u975e\u6df7\u96dc\u6a21\u5f0f<\/p>\n\n\n\n
WIDS(\u7121\u7dda\u7db2\u8def\u578b)
\u4e3b\u8981\u5c0d\u6297,MAC\u5047\u5192,\u4e2d\u9593\u4eba\u653b\u64ca, \u672a\u7d93\u6388\u6b0aAP,DOS…\u7b49<\/p>\n\n\n\n
true:alarm right
false:alarm error
positive:\u767c\u73fe\u6709\u7570\u5e38,ids is alarming
negative:\u6c92\u6709\u7570\u5e38\u4e8b\u4ef6,ids is not alarming<\/p>\n\n\n\n
false-positive(\u8aa4\u5224):positive(\u7cfb\u7d71\u767c\u73fe\u7570\u5e38\u767c\u51fa\u8b66\u8a0a),false(\u4f46\u6c92\u72c0\u6cc1\u767c\u751f,\u5224\u65b7\u932f\u8aa4),ids\u4e3b\u8981\u5f31\u9ede\u8aa4\u5224\u904e\u591a
false-negative(\u507d\u9670\u6027):negative(\u7cfb\u7d71\u8a8d\u70ba\u6c92\u7570\u5e38\u4e8b\u4ef6),false(\u4f46\u6c92\u5075\u6e2c\u5230,\u5224\u65b7\u932f\u8aa4),\u6f0f\u5931\u4e00\u500b\u653b\u64ca
\u6b63\u5e38\u60c5\u6cc1\u4e0b\u70ba<\/strong>
true-positive:ids is alarming,the is true
true-negative:ids is not alarming,the is true<\/p>\n\n\n\n
modifications to system software and configuration files
gaps in the system accounting
unusually slow system performance
system crashed or reboots
short or incomplete log
logs containing strange timestamps
logs with incorrect permissions or ownership
missing logs
abnormal system performance
unfamiliar processes
unusual graphic displays or text messages<\/p>\n\n\n\n
the presence of new,unfamiliar files,or programs
changes in file permissions
unexplained changes in the file’s size
rogue file on the system that do not correspond to your master list of signed files
unfamiliar file name in directories
missing files<\/p>\n\n\n\n
repeated probes of the available services on your machines
connections from unusual locations
repeated log in attempts from the remote hosts
arbitrary data in log files,indicating an attempt at creating either a DoS,or a crash service<\/p>\n\n\n\n
snort:opensource,support linux,win
blackICE defender
cybercop monitor
check point realsecure
cisco secure ids
dragon sensor
netprowler
etrust internet defense
hp openview node sentry
lucent realsecure
network flight recorder
realsecure
silentrunner
vanguard enforcer<\/p>\n\n\n\n
1 configure a firewall to filter out the ip address of the intruder
2 alert the user\/admin
3 write an entry in the event log,send an snmp trap datagram to a management console, ex:ibm tivoli
4 save the attack information,ex:timestamp,intruder ip,victim ip,port,portocol information,…
5 save a tracefile of the raw packets for later analysis
6 launch a separate program to handle the event
7 terminate the session<\/p>\n\n\n\n
\u662f\u6700\u65e9\u88ab\u63d0\u51fa\u548c\u5be6\u73fe\u7684
\u9019\u662f\u6700\u57fa\u672c\u7684\u6aa2\u6e2c\u9003\u907f\u6280\u8853
\u8a2d\u8a08\u5f88\u5dee\u7684\u7279\u5fb5\u78bc\uff0c\u653b\u64ca\u8005\u53ef\u4ee5\u8f15\u9b06\u5730\u7834\u58de\u5c0d\u5176\u7684\u5b57\u4e32\u5339\u914d<\/p>\n\n\n\n
ex:\u900f\u904e\u628a\u5b57\u4e32\u8655\u7406\u6280\u8853\u548c\u5b57\u5143\u66ff\u63db\u6280\u8853\u7d50\u5408\u5230\u4e00\u8d77\uff0c\u6211\u5011\u53ef\u5be6\u73fe\u66f4\u8907\u96dc\u7684\u5b57\u4e32\u507d\u88dd\u3002
ex:\u5c0d\u65bcWEB\u8acb\u6c42,\u70ba\u4e86\u6514\u622a\u9019\u4e00\u500b\u5b57\u4e32\u7684\u6240\u6709\u8b8a\u5316\uff0c\u4f60\u53ef\u80fd\u9700\u89811000\u500b\u4ee5\u4e0a\u7684\u7279\u5fb5\u78bc\u9032\u884c\u5b57\u4e32\u5339\u914d\uff0c\u9019\u9084\u6c92\u6709\u8003\u616eUNICODE\u3002
\u9632\u79a6\u9019\u7a2e\u653b\u64ca\u56f0\u96e3\uff0c\u56e0\u70ba\u9019\u8981\u6c42ids\u5fc5\u9808\u80fd\u5920\u7406\u89e3\u9019\u7a2e\u89e3\u8b6f\u5668\u5982\u4f55\u6536\u5230\u7684\u547d\u4ee4\uff0cids\u4e5f\u53ef\u4ee5\u5c0d\u4f7f\u7528\u89e3\u8b6f\u5668\u7684\u53ef\u7591\u884c\u70ba\u9032\u884c\u5831\u8b66\uff0c\u4f46\u662f\u5b83\u5f88\u96e3\u5c0d\u653b\u64ca\u884c\u70ba\u9032\u884c\u7cbe\u78ba\u7684\u76e3\u8996\u3002
PS:
\u5b57\u4e32\u5339\u914d\u6f14\u7b97\u6cd5:\u4e00\u4e9b\u57fa\u65bc\u7279\u5fb5\u78bc\u7684ids\u5e7e\u4e4e\u5b8c\u5168\u4f9d\u8cf4\u65bc\u6b64\u6f14\u7b97\u6cd5
\u76ee\u524d\u5927\u591a\u6578\u4e3b\u6d41\u5165\u4fb5\u6aa2\u6e2c\u7cfb\u7d71\u90fd\u6709\u975e\u5e38\u5f37\u5927\u7684\u5b57\u4e32\u5339\u914d\u80fd\u529b\uff0c\u8db3\u4ee5\u6aa2\u6e2c\u6b64\u985e\u653b\u64ca\u7684\u5927\u591a\u6578\u8b8a\u5f62\u3002<\/p>\n\n\n\n
insertion
evasion
dos
complex attacks
obfuscation
desynchronization
fragmentation
session splicing<\/p>\n\n\n\n
\u767c\u751f\u539f\u56e0\u70ba IDS\u63a5\u53d7\u76ee\u6a19\u4e3b\u6a5f\u6240\u4e1f\u68c4\u7684\u5c01\u5305
\u76ee\u5730\u662f\u70ba\u4e86\u8b93ids\u548cendsystem\u770b\u7684\u7684\u72c0\u6cc1\u4e0d\u540c
\u52a0\u5165\u4e00\u500b\u6b3a\u9a19\u6027\u5c01\u5305,\u8b93ids\u53ef\u6293\u4e0b\u4f86\u5206\u6790,\u4f46\u6b64\u5c01\u5305\u6703\u88ab\u76ee\u5730\u7aef\u8a2d\u5099\u4e1f\u68c4,\u8b93ids\u5224\u65b7\u767c\u751f\u5047\u8c61\u800c\u7121\u6cd5\u5075\u6e2c\u51fa\u653b\u64ca\u884c\u70ba<\/p>\n\n\n\n
\u767c\u751f\u539f\u56e0\u5247\u70baIDS\u4e1f\u68c4\u76ee\u6a19\u4e3b\u6a5f\u6240\u80fd\u63a5\u53d7\u7684\u5c01\u5305
\u76ee\u5730\u662f\u70ba\u4e86\u8b93ids\u548cendsystem\u770b\u7684\u7684\u72c0\u6cc1\u4e0d\u540c
\u52a0\u5165\u4e00\u500b\u6b3a\u9a19\u6027\u5c01\u5305,\u8b93ids\u53ef\u6293\u4e0b\u4f86\u5206\u6790,\u4f46\u6b64\u5c01\u5305\u6703\u88abids\u4e1f\u68c4,\u8b93ids\u5224\u65b7\u767c\u751f\u5047\u8c61\u800c\u7121\u6cd5\u5075\u6e2c\u51fa\u653b\u64ca\u884c\u70ba<\/p>\n\n\n\n
\u53ef\u4ee5\u9054\u6210\u5982\u4e0b\u76ee\u6a19:
\u6d88\u8017\u6aa2\u6e2c\u8a2d\u5099\u7684\u8655\u7406\u80fd\u529b\uff0c\u4f7f\u771f\u6b63\u7684\u653b\u64ca\u9003\u904e\u6aa2\u6e2c\u3002
\u585e\u6eff\u786c\u789f\u7a7a\u9593\uff0c\u4f7f\u6aa2\u6e2c\u8a2d\u5099\u7121\u6cd5\u8a18\u9304\u65e5\u8a8c\u3002
\u4f7f\u6aa2\u6e2c\u8a2d\u5099\u7522\u751f\u8d85\u51fa\u5176\u8655\u7406\u80fd\u529b\u7684\u8b66\u5831\u3002
\u4f7f\u7cfb\u7d71\u7ba1\u7406\u4eba\u54e1\u7121\u6cd5\u7814\u7a76\u6240\u6709\u7684\u8b66\u5831\u3002
\u4f7f\u6aa2\u6e2c\u8a2d\u5099\u7576\u6a5f\u3002<\/p>\n\n\n\n
tool:obfuscator
ps:
\u7b2c7\u5c64,HTTP 1.1\u88e1\u652f\u63f4zlib\/gzip\u7b49Content-Encoding\u58d3\u7e2e,\u53ef\u4ee5\u5c07\u6709\u60e1\u610f\u7a0b\u5f0f(\u901a\u5e38\u70ba\u542b\u6709Java Script\/VB Script \u4e4bHTML\u6a94)\u58d3\u7e2e\u800c\u4e0d\u88ab\u767c\u73fe<\/p>\n\n\n\n
\u7528\u5e8f\u5217\u6578\u9003\u907fIDS\u7684\u65b9\u6cd5\u3002\u6709\u4e9bIDS\u53ef\u80fd\u6703\u5c0d\u5b83\u672c\u4f86\u671f\u671b\u5f97\u5230\u7684\u5e8f\u5217\u6578\u611f\u5230\u8ff7\u60d1\uff0c\u5f9e\u800c\u5c0e\u81f4\u7121\u6cd5\u91cd\u65b0\u69cb\u5efa\u8cc7\u6599\u3002
\u9019\u4e00\u6280\u8853\u57281998\u5e74\u5f88\u6d41\u884c\uff0c\u73fe\u5728\u5df2\u7d93\u7531\u6642\u4e86\uff0c\u6709\u4e9b\u6587\u7ae0\u628a desynchronization\u9019\u500b\u8853\u8a9e\u4ee3\u6307\u5176\u5b83IDS\u9003\u907f\u65b9\u6cd5\u3002
\u5206\u70ba:
post connection syn
desynchronization,pre connection<\/p>\n\n\n\n
\u985e\u4f3csession splicing
tool:frateroute
\u788e\u7247\u91cd\u7d44\u7684\u554f\u984c\u662f\u5728\u9032\u884c\u5b57\u4e32\u5339\u914d\u4ee5\u524d\uff0c\u5165\u4fb5\u6aa2\u6e2c\u7cfb\u7d71\u5fc5\u9808\u5728\u8a18\u61b6\u9ad4\u4e2d\u66ab\u5b58\u6240\u6709\u7684\u788e\u7247\uff0c\u7136\u5f8c\u9032\u884c\u91cd\u7d44\u3002\u800c\u4e14\uff0c\u4ed6\u9084\u9700\u8981\u77e5\u9053\u788e\u7247\u5728\u76ee\u7684\u4e3b\u6a5f\u6703\u5982\u4f55\u91cd\u7d44\u3002
\u788e\u7247\u653b\u64ca\u5305\u62ec\uff1a\u788e\u7247\u8986\u84cb,\u788e\u7247\u91cd\u5beb,\u788e\u7247\u903e\u6642,\u91dd\u5c0d\u7db2\u8def\u62d3\u64b2\u7684\u788e\u7247\u6280\u8853(\u4f8b\u5982\u4f7f\u7528 \u5c0f\u7684TTL)\u7b49
\u788e\u7247\u8986\u84cb:\u767c\u9001\u788e\u7247\u8986\u84cb\u5148\u524d\u788e\u7247\u4e2d\u7684\u8cc7\u6599
\u788e\u7247\u903e\u6642:\u4f9d\u8cf4\u65bc\u5165\u4fb5\u6aa2\u6e2c\u7cfb\u7d71\u5728\u4e1f\u68c4\u788e\u7247\u4e4b\u524d\u6703\u4fdd\u5b58\u591a\u5c11\u6642\u9593\u3002\u5927\u591a\u6578\u7cfb\u7d71\u6703\u572860\u79d2\u4e4b\u5f8c\u5c07\u4e1f\u68c4\u4e0d\u5b8c\u6574\u7684\u788e\u7247\u6d41(\u5f9e\u6536\u5230\u7b2c\u4e00\u500b\u788e\u7247\u958b\u59cb\u8a08\u6642)\u3002\u5982\u679c\u5165\u4fb5\u6aa2\u6e2c\u7cfb\u7d71\u4fdd\u5b58\u788e\u7247\u7684\u6642\u9593\u5c0f\u65bc60\u79d2\uff0c\u5c31\u6703\u6f0f\u6389\u67d0\u4e9b\u653b\u64ca\u3002
ps
\u9019\u7a2e\u6280\u8853\u7d50\u5408\u5176\u4ed6\u7684\u7db2\u8def\u6280\u8853(\u4f8b\u5982\uff1aTTL\u503c)\u5c07\u66f4\u6709\u5a01\u8105\u3002\u5982\u679cids\u548c\u88ab\u76e3\u8996\u7684\u7cfb\u7d71\u4e0d\u5728\u540c\u4e00\u500b\u7db2\u6bb5\uff0c\u653b\u64ca\u8005\u5c31\u53ef\u4ee5\u5728TTL\u4e0a\u505a\u624b\u8173\u3002
\u6709\u7684\u55ae\u4f4d\u7531\u65bc\u7d93\u8cbb\u7684\u9650\u5236\uff0c\u4e0d\u80fd\u5728\u81ea\u5df1\u7684\u6bcf\u500b\u5b50\u7db2\u90fd\u90e8\u7f72IDS\u7bc0\u9ede\uff0c\u53ea\u5728\u7db2\u8def\u7684\u51fa\u5165\u53e3\u90e8\u7f72\u4e00\u5957IDS\uff0c\u76e3\u8996\u6240\u6709\u7684\u7db2\u8def\u6d41\u91cf\u3002
\u9019\u7a2e\u60c5\u6cc1\u4e0b\uff0c\u5982\u679c\u88ab\u653b\u64ca\u7684\u4e3b\u6a5f\u5728\u5176\u4ed6\u7684 \u5b50\u7db2\uff0c\u653b\u64ca\u8cc7\u6599\u5305\u5230\u76ee\u6a19\u7cfb\u7d71\u7684Hop\u6578\u5c31\u5927\u65bc\u5230IDS\u7684Hop\u6578\u3002\u653b\u64ca\u8005\u53ef\u4ee5\u507d\u9020\u788e\u7247\u7684TTL\uff0c\u4f7f\u67d0\u4e9b\u788e\u7247\u525b\u597d\u80fd\u5920\u5230\u9054\uff0c\u800c\u7121\u6cd5\u5230\u9054\u76ee\u6a19\u7cfb\u7d71\uff0c
ps:
\u7b2c3\u5c64,\u5728IP\u5c64\u53ef\u4ee5\u4f7f\u7528IP Fragment\u5c07\u542b\u6709\u60e1\u610f\u7a0b\u5f0f\u4e4b\u5c01\u5305\u5207\u5272\u70ba\u591a\u500b\u5c01\u5305,\u4ee5\u907f\u514d\u88abNetwork IDS\u6293\u5230Pattern<\/p>\n\n\n\n
\u628a\u6703\u8a71\u8cc7\u6599\u653e\u5230\u591a\u500b\u8cc7\u6599\u5305\u4e2d\u767c\u51fa,\u6bcf\u6b21\u53ea\u50b3\u9001\u5e7e\u500b\u5b57\u5143\u7684\u8cc7\u6599,\u5c31\u53ef\u80fd\u907f\u958b\u5b57\u4e32\u5339\u914d\u5165\u4fb5\u6aa2\u6e2c\u7cfb\u7d71\u7684\u76e3\u8996\u3002
\u8981\u76e3\u8996\u9019\u7a2e\u653b\u64ca\uff0c\u9700\u8981\u5165\u4fb5\u6aa2\u6e2c\u7cfb\u7d71\u6216\u8005\u80fd\u5920\u7406\u89e3\u3001\u76e3\u8996\u7db2\u8def\u6703\u8a71 (\u5373\u4f7fIDS\u6709\u9019\u7a2e\u80fd\u529b\uff0c\u653b\u64ca\u8005\u4e5f\u53ef\u4ee5\u900f\u904e\u5176\u4ed6\u7684\u65b9\u5f0f\u907f\u958b\u76e3\u8996)\uff0c\u6216\u8005\u63a1\u7528\u5176\u4ed6\u7684\u6280\u8853\u76e3\u8996\u9019\u7a2e\u653b\u64ca\u3002
\u70ba\u4e86\u771f\u6b63\u6709\u6548\u5730\u6aa2\u6e2c\u9019\u7a2e\u653b\u64ca\uff0c\u9700\u8981\u5165\u4fb5\u6aa2\u6e2c\u7cfb\u7d71\u80fd\u5920\u5b8c\u6574\u5730\u7406\u89e3\u7db2\u8def\u6703\u8a71\uff0c\u4e0d\u904e\u9019\u662f\u975e\u5e38\u56f0\u96e3\u7684\u3002
\u61c9\u8a72\u6ce8\u610f\u7684\u662f\u76ee\u524d\u5927\u591a\u6578\u7cfb\u7d71\u80fd\u5920\u91cd\u7d44\u6703\u8a71\uff0c\u5728\u6240\u6709\u7684\u6703\u8a71\u8cc7\u6599\u5230\u9054\u4e4b\u524d\uff0c\u5b83\u5011\u6703\u7b49\u5f85\u4e00\u4e9b\u6642\u9593\u3002\u800c\u7b49\u5f85\u6642\u9593\u7684\u9577\u77ed\u8207\u7a0b\u5f0f\u6709\u95dc\u3002
ps:
Apache\/RedHat\u7684\u6703\u8a71\u8d85\u6642\u6642\u9593\u662f6\u5206\u9418\uff0cIIS \/Win2K\u7b49\u5f85\u7684\u6642\u9593\u975e\u5e38\u9577\u3002\u56e0\u6b64\uff0c\u653b\u64ca\u8005\u5b8c\u5168\u53ef\u4ee5\u6bcf15\u5206\u9418\u767c\u9001\u4e00\u500b\u5b57\u5143\u7684\u6703\u8a71\u8cc7\u6599\uff0c \u800cIIS\u9084\u6703\u8a8d\u70ba\u662f\u6709\u6548\u7684\u6703\u8a71\u3002
\u6700\u65b0\u7248\u672c\u7684snort\u80fd\u5920\u76e3\u8996\u9577\u671f\u7684\u6703\u8a71\u548c\u7db2\u8def\u5c64\u6b3a\u9a19\uff0c\u4f8b\u5982\uff1a\u5c0fTTL\u503c\u3002<\/p>\n\n\n\n
\u7b2c4\u5c64,\u5c07\u542b\u6709\u60e1\u610f\u7a0b\u5f0f\u4e4bTCP\u9023\u7dda\u5207\u6210\u591a\u500bTCP Segments,\u4ee5\u907f\u514d\u88ab Network IDS\u6293\u5230Pattern
\u7b2c7\u5c64,HTTP\/1.1\u88e1\u652f\u63f4\u4e86Transfer-Encoding \u53ef\u4ee5\u5728\u50b3\u8f38\u6642\u52a0\u4e0a\u985e\u4f3cunix\u88e1split\u80fd\u5c07\u4e00\u4efd\u8981\u50b3\u9001\u7684message\u5207\u5272\u6210\u591a\u4efd<\/p>\n\n\n\n
\u9019\u7a2e\u6280\u8853\u53ea\u7528\u65bc\u7de9\u885d\u5340\u6ea2\u4f4d\u653b\u64ca\uff0c\u5c0d\u4ed8\u57fa\u65bc\u7279\u5fb5\u78bc\u7684\u6aa2\u6e2c\u7cfb\u7d71\u975e\u5e38\u6709\u6548\uff0c\u800c\u5c0d\u65bc\u667a\u6167\u5316\u7684\u6216\u8005\u57fa\u65bc\u5354\u5b9a\u5206\u6790\u7684\u6aa2\u6e2c\u7cfb\u7d71\u7684\u6548\u679c\u8981\u5dee\u5f88\u591a\u3002
polymorphic shell code\u4f7f\u7528\u5f88\u591a\u65b9\u6cd5\u9003\u907f\u5b57\u4e32\u5339\u914d\u7cfb\u7d71\u7684\u6aa2\u6e2c\u3002
\u9996\u5148(\u4ee5x86\u67b6\u69cb\u70ba\u4f8b)\uff0c\u4f7f\u7528\u5176\u4ed6\u7684\u5b57\u5143\u4ee3\u66ff0x90\u57f7\u884c\u7121\u64cd\u4f5c(no-op)\u6307\u4ee4\u3002\u5c0d\u65bcX86\u67b6\u69cb\uff0c \u670955\u7a2e\u66ff\u4ee3\u65b9\u5f0f\uff0c\u5176\u4ed6\u7684\u8981\u5c11\u4e00\u4e9b\u3002\u9019\u4e9b\u66ff\u4ee3\u65b9\u5f0f\u4ee5\u4e00\u7a2e\u507d\u96a8\u6a5f\u7684\u65b9\u5f0f\u7d50\u5408\u5728\u4e00\u8d77\uff0c\u5efa\u7acb\u7de9\u885d\u5340\u6ea2\u4f4dshell\u4ee3\u78bc\u5305\u542b\u7121\u64cd\u4f5c(no-op)\u6307\u4ee4\u7684\u90e8\u5206\u3002\u9664\u6b64 \u4e4b\u5916\uff0cshell\u4ee3\u78bc\u672c\u8eab\u4e5f\u63a1\u7528XOR\u6a5f\u5236\u7de8\u78bc\u3002\u900f\u904e\u9019\u7a2e\u65b9\u5f0f\u5efa\u7acb\u7684\u7de9\u885d\u5340\u6ea2\u4f4dshell\u4ee3\u78bc\u88ab\u91cd\u7d44\u5f8c\u4e0d\u6703\u5305\u542b\u4ee5\u4e0a\u7684\u7279\u5fb5\u78bc\uff0c\u5f9e\u800c\u80fd\u5920\u9003\u904e\u5b57\u4e32\u5339\u914d\u6aa2\u6e2c\u3002
ps:\u4f7f\u7528\u9019\u7a2e\u6280\u8853\u91cd\u65b0\u69cb\u9020\u7684shell\u4ee3\u78bc\u66f4\u70ba\u5371\u96aa\uff0c\u5165\u4fb5\u6aa2\u6e2c\u8a2d\u5099\u975e\u5e38\u96e3\u4ee5\u6aa2\u6e2c\u5230,\u5c0d\u57fa\u65bc\u7279\u5fb5\u78bc\u6aa2\u6e2c\u7684IDS\u662f\u4e00\u500b\u5f88\u5927\u7684\u6311\u6230\u3002
ps:\u8a2d\u8a08\u69cb\u60f3\u4f86\u81ea\u65bc\u75c5\u6bd2\u9003\u907f(virus evasion)\u6280\u8853\u3002<\/p>\n\n\n\n
spp_fnord:\u7528\u65bc\u6aa2\u6e2c\u591a\u578bshell\u4ee3\u78bc\u7684 snort\u9810\u8655\u7406\u5916\u639b\uff0c\u9019\u500b\u5916\u639b\u63a1\u7528\u4e86\u548c\u4e0a\u9762\u76f8\u4f3c\u7684\u6aa2\u6e2c\u6280\u8853\u3002\u9019\u500b\u9810\u8655\u7406\u5916\u639b\u6709Port\u548c\u9577\u5ea6\u5169\u500b\u914d\u7f6e\u9078\u9805\u3002
ex:\u5982\u679c\u67d0\u500b\u4eba\u5728\u914d\u7f6e\u6642\u8a2d\u7f6e\u4e8680\u300121\u300123\u548c53\u7b49Port\uff0c\u5b83\u5c31\u53ea\u5c0d\u9019\u5e7e\u500bPort\u7684\u8cc7\u6599\u6d41\u91cf\u9032\u884c\u591a\u578bshell\u4ee3 \u78bc\u7684\u6aa2\u6e2c\uff0c\u800c\u4e0d\u6703\u5c0d\u5176\u4ed6Port(\u4f8b\u5982\uff1a22)\u9032\u884c\u6aa2\u6e2c\u3002<\/p>\n\n\n\n
sidestep
admutate:use polymorphic shell code
\u3000accept a buffer overflow exploit as input,and randomly creates a functionally equivalent version which bypasses ids
mendax
stick
fragrouter
anzen nidsbench<\/p>\n\n\n\n
aicmpsend
blast:\u53ef\u7522\u751f\u4e00\u4e9b\u5c01\u5305\u6e2c ids
cybercop scanner’s casl
ethercap:
hping2 beta 54
icmpush
ipsend
libnet
mgen toolset
net::rawip
sing<\/p>\n\n\n\n
firewall tester
traffic iq professional
nides(next-generation intrusion detection expert system),\u7b2c\u4e00\u500bperl\u5beb\u7684
secure host
snare
tcpopera: \u53ef\u4ee5\u5c0d\u8a2d\u5099\u6e2cpayload
firewall informer<\/p>\n\n\n\n
=IDS+\u4e3b\u52d5\u9632\u79a6
\u80fd\u5920\u4e3b\u52d5\u5730\u5c07\u7b26\u5408\u8cc7\u683c\u7684\u653b\u64ca\u884c\u70ba\u7acb\u5373\u5207\u65b7,\u8b93\u653b\u64ca\u5c1a\u672a\u9054\u6210\u524d\u5c31\u7acb\u5373\u963b\u64cb<\/p>\n\n\n\n
host-based memory and process protection
session interception
gateway intrusion detection<\/p>\n\n\n\n
session interception and ids identification
exploit defeat the attempted block
self-inflicted Dos
blocking legitmate traffic<\/p>\n\n\n\n
host based ips
network based ips
content based ips
rate based ips<\/p>\n\n\n\n
raw packet capture
filtering
packet decoding
storage
fragment reassembly
stream assembly
stateful inspection of tcp sessions
firewalling<\/p>\n\n\n\n
ibm:proventia network ips
cisco:ios ips,ips4200series sensors
mcafee:host intrusion prevention
checkpoint:ips-1,interspect
sourcefire:ips
3com:airprotect sentry 5850 wireless ips
radware:defensepro
securitymetrics:appliance
codeplex:wehntrust
lan secure:security center
privacyware:threatsentry
untangle:intrusion prevention
infoprocess:antihook
tippingpoint:intrusion prevention systems<\/p>\n","protected":false},"excerpt":{"rendered":"