Buffer Overflows, Viruses, and Worms
Evading Firewalls, IDS, and Honeypots
- Pattern (signature) matching and anomaly detection are the two distinct detection approaches used by IDS systems.
- Snort is a freeware IDS.
| Keyword | Detail |
|---|---|
| content | Used to match a defined payload value. |
| ack | Used to match TCP ack settings. |
| flags | Used to match TCP flags. |
| id | Used to match the IP header ID field. |
| ttl | Used to match the IP header TTL. |
| msg | Prints a message in the alert. |
| Rule | Description |
|---|---|
| alert tcp any any -> 192.168.13.0/24 any (msg: "O/S Fingerprint detected"; flags: S12;) | OS fingerprint |
| alert tcp any any -> 192.168.13.0/24 any (msg: "NULL scan detected"; flags: 0;) | Null scan |
| alert tcp any any -> 192.168.13.0/24 any (msg: "SYN-FIN scan detected"; flags: SF;) | SYN/FIN scan |
| alert udp any any -> any 69 (msg: "TFTP Connection Attempt";) | TFTP attempt |
| alert tcp any any -> 192.168.13.0/24 any (content: "Password"; msg: "Password Transfer Possible!";) | Password transfer |
- Attackers can use a range of techniques to attempt to prevent IDS detection, including flooding, evasion, and session splicing.
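To make the rule table and the session-splicing point concrete, here is an added Python example (not code from the page or from Snort itself) that parses the subset of Snort rule syntax used above, evaluates the rules against constructed packet dictionaries, and then shows why a per-packet content match misses a payload split across two TCP segments while a match over the reassembled stream catches it. The packet dictionaries and the hostname-free addresses are constructed sample input.

```python
import ipaddress
import re
# Subset of the Snort rule grammar used on this page (added example, not Snort's own parser):
#   action proto src_ip src_port -> dst_ip dst_port (key: value; key: value; ...)
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("malformed rule: " + text)
    action, proto, _src, _sport, dst, dport, body = m.groups()
    opts = {}
    for opt in filter(None, (o.strip() for o in body.split(";"))):  # assumes no ';' inside quotes
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto.lower(), "dst": dst, "dport": dport, "opts": opts}

def _net_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    """pkt is a constructed dict: proto, dst, dport, flags (e.g. 'S12', '' for none), payload (bytes)."""
    if (rule["proto"] != pkt["proto"] or not _net_match(rule["dst"], pkt["dst"])
            or rule["dport"] not in ("any", str(pkt["dport"]))):
        return False
    opts = rule["opts"]
    if "flags" in opts:
        want, have = set(opts["flags"]), set(pkt.get("flags", ""))
        # Snort semantics: "0" means no flag bits set; otherwise the listed bits must match exactly
        if (have != set()) if want == {"0"} else (have != want):
            return False
    if "content" in opts and opts["content"].encode() not in pkt.get("payload", b""):
        return False  # content is a case-sensitive byte-substring match, as in the table above
    return True

RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.13.0/24 any (msg: "O/S Fingerprint detected"; flags: S12;)',
    'alert tcp any any -> 192.168.13.0/24 any (msg: "NULL scan detected"; flags: 0;)',
    'alert tcp any any -> 192.168.13.0/24 any (msg: "SYN-FIN scan detected"; flags: SF;)',
    'alert udp any any -> any 69 (msg: "TFTP Connection Attempt";)',
    'alert tcp any any -> 192.168.13.0/24 any (content: "Password"; msg: "Password Transfer Possible!";)',
)]

def alerts(pkt):
    return [r["opts"]["msg"] for r in RULES if rule_matches(r, pkt)]

def alerts_for_stream(segments):
    # Session-splicing check: alerts raised per segment vs. on the reassembled TCP stream
    per_segment = sorted({msg for seg in segments for msg in alerts(seg)})
    joined = dict(segments[0], payload=b"".join(s.get("payload", b"") for s in segments))
    return per_segment, alerts(joined)
```

The `alerts_for_stream` result shows the defender's takeaway: content rules only hold up against splicing when the sensor reassembles the stream before matching, which is why stream reassembly preprocessing matters as much as the rule itself.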
Buffer Overflows