
01:25:44.417554 B.http > A.1833: S 5450:5450(0) ack 96247896 win 4096

So what was the user looking for at oh_dark_thirty?

$ egrep A access_log

A - - [19/Jun/1998:01:25:42 -0400] "GET /Docs/how.to.hack.unix.html HTTP

IDIC - SANS GIAC LevelTwo

©2000, 2001


The example above is truncated so it will fit on the slide. This is far from conclusive, but check it out. At the top of the slide the SYN/ACK from B's web server implies a connection from A. Then the fragmented ping. Then the access_log shows data access from the web server. What did they get? A web page on "how to hack unix". Does this prove anything? No, of course not, but over the years we have seen this fragmentation pattern associated with known hostile IP addresses, so watch out for the old 552-then-156 pattern.

A final comment on fragmentation: you can often afford to personally examine all fragmentation coming to your site. Since so much of the world runs on Ethernet, with its 1500-byte MTU, you will not see much legitimate fragmentation unless your site has an unusually small MTU for some reason, in which case you will see tons of it. This means that a good percentage of the fragmentation you do see was done intentionally, either to hide from intrusion detection systems or to attempt a denial of service.
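The correlation the notes walk through (fragment trains in the tcpdump trace, then what the same source pulled from the web server) can be scripted. The following is an added example, not the course's own tooling. It assumes old-style tcpdump output with the `(frag id:size@offset[+])` notation, Common Log Format access_log lines, and that sensor and web server share a clock and timezone; the hosts, timestamps and the 60-second window are constructed for illustration.

```python
"""Correlate IP fragment trains in a tcpdump trace with web server hits.

Added example, not the course's own tooling.  Assumes old-style tcpdump
output ("src > dst: ... (frag id:size@offset[+])") and Common Log Format
access_log lines; the hostnames and timestamps below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tcpdump excerpt: host A sends a two-fragment ping (552 then 156
# payload bytes) and then opens an HTTP connection; host C sends an ordinary
# oversized ping that fragments at the 1480-byte Ethernet payload boundary.
TCPDUMP_LINES = """\
01:25:40.101234 A > B: icmp: echo request (frag 4321:552@0+)
01:25:40.101300 A > B: (frag 4321:156@552)
01:25:44.417000 A.1833 > B.http: S 96247895:96247895(0) win 8192
01:25:44.417554 B.http > A.1833: S 5450:5450(0) ack 96247896 win 4096
01:25:50.000000 C > B: icmp: echo request (frag 9:1480@0+)
01:25:50.000100 C > B: (frag 9:28@1480)
""".splitlines()

# Constructed Common Log Format access_log excerpt.
ACCESS_LOG_LINES = """\
A - - [19/Jun/1998:01:25:45 -0400] "GET /Docs/how.to.hack.unix.html HTTP/1.0" 200 4312
D - - [19/Jun/1998:01:30:02 -0400] "GET /index.html HTTP/1.0" 200 1024
""".splitlines()

TCPDUMP_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+):")
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")
CLF_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\] "([^"]*)"')


def parse_fragments(lines):
    """Group fragment lines into trains keyed by (src, dst, IP id).

    Each entry is (time of day, payload bytes, byte offset, more-fragments).
    Lines without a frag annotation (e.g. the TCP handshake) are skipped."""
    trains = defaultdict(list)
    for line in lines:
        head, frag = TCPDUMP_RE.match(line), FRAG_RE.search(line)
        if not head or not frag:
            continue
        ts = datetime.strptime(head.group(1), "%H:%M:%S.%f").time()
        frag_id, size, offset, more = frag.groups()
        trains[(head.group(2), head.group(3), int(frag_id))].append(
            (ts, int(size), int(offset), more == "+"))
    return trains


def parse_access_log(lines):
    """Return (host, naive local datetime, request line) per CLF entry."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if m:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
            hits.append((m.group(1), when, m.group(3)))
    return hits


def correlate(tcpdump_lines, access_lines, window_seconds=60):
    """Per fragment train: size pattern, reassembled length, whether the
    train is contiguous and terminated, and web hits from the same source
    within window_seconds after the first fragment.

    Assumes the capture is from the date of the access_log entries, since
    tcpdump prints only the time of day."""
    hits = parse_access_log(access_lines)
    if not hits:
        return []
    day = hits[0][1].date()
    window = timedelta(seconds=window_seconds)
    findings = []
    for (src, dst, frag_id), frags in sorted(parse_fragments(tcpdump_lines).items()):
        frags.sort(key=lambda f: f[2])  # order by byte offset
        first = datetime.combine(day, frags[0][0])
        last = frags[-1]
        contiguous = all(frags[i][2] + frags[i][1] == frags[i + 1][2]
                         for i in range(len(frags) - 1))
        findings.append({
            "src": src, "dst": dst, "id": frag_id,
            "sizes": [f[1] for f in frags],          # e.g. [552, 156]
            "total_len": last[2] + last[1],          # reassembled payload bytes
            "complete": contiguous and frags[0][2] == 0 and not last[3],
            "requests": [r for h, t, r in hits
                         if h == src and first <= t <= first + window],
        })
    return findings


if __name__ == "__main__":
    for f in correlate(TCPDUMP_LINES, ACCESS_LOG_LINES):
        flag = "CHECK" if f["requests"] else "ok"
        print(f"{flag:5} {f['src']} -> {f['dst']} frag {f['id']}: sizes {f['sizes']} "
              f"({f['total_len']} bytes, complete={f['complete']}) "
              f"requests={f['requests']}")
```

Run against the constructed lines, the script reports A's 552/156 train (708 reassembled payload bytes) alongside the `how.to.hack.unix.html` request a few seconds later, while C's 1480/28 train (a normal large ping on Ethernet) has no web hit nearby. The `complete` field is worth keeping: a train that never finishes, overlaps, or starts past offset 0 is the shape of the IDS-evasion and denial-of-service fragments the notes warn about, not a user with a small MTU.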