Chapter 4 - Sniffing and Evasion (Evading IDS, Firewalls and Honeypots) Flashcards
Two types of IDS
signature
anomaly (aka behavior)
false positives
false negatives
signature
IDS compares packets against a list of known traffic patterns
anomaly
makes decisions based on learned behavior and ‘normal’ patterns. known for false positives
false positives - alarm over normal traffic
false negatives - no alarm over malicious traffic
Exam Tip
libwhisker
perl library used for HTTP related functions
vulnerability scanning
exploitation
IDS evasion
HIDS
Host-based IDS
runs on host itself. Typically signature based but not always. Only concerned with that host
NIDS
Network-based IDS
sits on the network perimeter. Signature or anomaly based
Can place one outside the firewall, one in the DMZ, one inside the network
Snort
Open source IDS
sniffer, traffic logger, protocol analyzer
Can detect buffer overflows, port scans, OS fingerprinting and almost any type of attack or probe that can be imagined
signature files updated constantly
Network Tap
any connection that lets you see all traffic passing by
Can be as simple as a hub, or complex as an appliance
Must be able to keep up with the data flow
Firewalls
types of rules
explicitly stating what is allowed from one side to other
implicitly denying. If there isn’t a rule for the traffic, it gets blocked.
List of rules read in order from top to bottom
NAT
PAT (aka NAT overload)
NAT - one-to-one mapping of internal to external addresses. Too expensive for most people
PAT uses port numbers to allow many internal addresses to use a single external IP address
ECC Firewall terms
Screened Subnet (aka Public Zone)
Bastion Hosts
Private Zone
Multi-home
Screened Subnet (aka Public Zone) - connected to the internet; hosts all public-facing servers and services
Bastion Hosts
sit outside the firewall, designed to protect internal resources from attacks
Private Zone
holds all internal devices that internet hosts have no business interacting with
Multi-home
Means the firewall has > 2 interfaces
packet filtering firewalls
stateful packet inspection firewalls
aka stateful multilayer inspection firewalls
packet filters look at the headers of packets and base decisions on that. Unfortunately they don’t know what’s in the payload of the packet and don’t know the state of the connection
SPI - tracks entire status of a connection. If a packet arrives with ACK flag set, but firewall has no record of the original SYN packet, it’s seen as a malicious attempt
Work in the layers up to Application layer but focus on layers 3 and 4 (Network, Transport)
circuit-level gateway firewall
application-level firewall
circuit-level - works at Session layer (5) and allows/prevents data streams, not necessarily concerned with individual packets
Application-Level - filters traffic like a proxy, allowing specific applications in and out of the network based on a rule set
2 common implant technologies for getting data out of a network
HTTP beacons
HTTP tunneling
Why use unicode during evasion?
many web and IDS filters don’t check for it
use Unicode characters instead of text to confuse signature based IDS.
Sometimes it works, but unicode signature files are available to look for this
Tools for IDS evasion
Nessus, ADMmutate, NIDSbench, Inundator, IDSInformer, Packet Generator and PacketETH