Ipsec Espah (Just Arrived)
Joined: 16 Mar 2003 Posts: 4
Posted: Fri Sep 09, 2005 2:32 am Post subject: Data mining techniques?
Anyone know of some good data mining techniques? So far I know it takes some creativity to look at data in different ways to find different things. Artificial Ignorance, where you filter out all of the things you know are good. Searching for known attack signatures and drilling down. What techniques are you guys using for data mining logs from your network/security devices? Any tips?
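The "Artificial Ignorance" technique named in the opening post (drop every log line you have already decided is normal and read what is left) is easy to get wrong in practice, because the residue is dominated by repeats of the same new message. The following is an added example, not code from the thread or from any tool mentioned in it: it applies a list of known-good patterns to a handful of constructed firewall and sshd syslog lines, then normalises the variable fields (timestamp, PID, addresses, ports) so repeated residue collapses into one counted row. The log lines and the known-good patterns are made up for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from any real system).
LOG_LINES = [
    "Sep  9 02:10:01 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.1.5 DST=10.2.2.25 PROTO=TCP DPT=25",
    "Sep  9 02:10:03 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.1.7 DST=10.2.2.53 PROTO=UDP DPT=53",
    "Sep  9 02:10:05 fw1 kernel: DROP IN=eth1 OUT= SRC=203.0.113.9 DST=10.1.1.5 PROTO=TCP DPT=445",
    "Sep  9 02:10:07 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.1.9 DST=198.51.100.4 PROTO=TCP DPT=6881",
    "Sep  9 02:10:09 fw1 sshd[1234]: Accepted publickey for ops from 10.1.1.2 port 51234 ssh2",
    "Sep  9 02:10:11 fw1 sshd[1235]: Failed password for root from 203.0.113.9 port 40001 ssh2",
]

# Known-good patterns: each one describes something you have looked at and decided is normal.
# The list grows over time; every pattern should be narrow enough that it cannot hide new behaviour.
KNOWN_GOOD = [
    r"kernel: ACCEPT .*PROTO=TCP DPT=25$",                          # outbound mail from internal hosts
    r"kernel: ACCEPT .*PROTO=UDP DPT=53$",                          # DNS lookups
    r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.1\.1\.\d+",  # key-based admin SSH from the ops subnet
]


def artificial_ignorance(lines, known_good):
    """Drop every line that matches a known-good pattern; what remains is worth a human look."""
    compiled = [re.compile(p) for p in known_good]
    return [ln for ln in lines if not any(c.search(ln) for c in compiled)]


def normalize(line):
    """Replace the fields that vary per event so identical messages compare equal."""
    line = re.sub(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d ", "", line)   # strip syslog timestamp
    line = re.sub(r"\[\d+\]", "[PID]", line)                      # process id
    line = re.sub(r"\b\d{1,3}(\.\d{1,3}){3}\b", "IP", line)       # IPv4 addresses
    line = re.sub(r"\bport \d+\b", "port N", line)                # ephemeral source port
    return line


def residue_counts(lines, known_good):
    """Count the normalised residue, so a flood of one unexpected message shows up as one row."""
    return Counter(normalize(ln) for ln in artificial_ignorance(lines, known_good))


if __name__ == "__main__":
    for message, n in residue_counts(LOG_LINES, KNOWN_GOOD).most_common():
        print(f"{n:6d}  {message}")
```

Running it prints three residue rows (the inbound SMB drop, the outbound connection to port 6881, and the failed root login), each with a count of 1. The order of operations matters: patterns are matched against the raw line so they can key on exact addresses, and normalisation happens only on the residue, which is what you read.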
alt.don (SF Boss)
Joined: 04 Mar 2003 Posts: 16777079
Posted: Fri Sep 09, 2005 2:44 am
Hi Ipsec,
Well, on our networks all packets that trigger an IDS alert are logged and then compressed at the end of the hour. We have a very large network. Personally I use BPF filters and bitmasks against this traffic. To wit, I will look for any SYN/ACKs coming out of our network on any port above 1024. If there are any found they are therefore suspect p2p or trojans. Much like I will look for SYN/ACKs from 1024 on down and simply filter out the ports that I don't want, i.e. 20, 21, 25, 53 and so on. I will also key in certain ports for exploits as they are released. That is pretty much how I do it. HTH.
Ipsec Espah (Just Arrived)
Posted: Fri Sep 09, 2005 1:40 pm
Hey don,
That sounds like a great way to cover all suspect ports, thanks. Do you use sguil or ACID to manage IDS alerts? I read you were GCIA certified before, and I've also read the GCIA practicals and no one ever uses an alert manager for some reason. However, they do similar data mining like what you are doing. Just curious if you need an IDS manager after becoming GCIA certified... Thanks for the help.
alt.don (SF Boss)
Posted: Fri Sep 09, 2005 2:51 pm
Hi IPsec,
Yes, I have my GCIA and my GCIH. We use NSM from Intellitactics at my work as our correlation manager. That being said, you still of course have to pull the suspected data from the SAN afterwards if you want to investigate.
That is where I use the aforementioned BPF filters and bitmasks. It makes the task of investigating large scans quite simple. I have used ACID before, but again that is just a visualisation tool vice an actual analysis one in my opinion.
In case you were wondering what the syntax is via BPF to look for all SYN/ACKs on ports 1024 on up, it is as follows:
Code:
-s 0 ip and src net 192.168 and 'tcp[0:2] > 1024' and 'tcp[13] = 18' -w bleh
The above will log all SYN/ACKs coming from source network 192.168 with a source port higher than 1024 and write them to a binary file called "bleh".
Hope this helps.
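The two byte-offset tests in the filter above, tcp[0:2] > 1024 and tcp[13] = 18, are what make it a "bitmask" filter: tcp[0:2] is the 16-bit source port at the start of the TCP header and tcp[13] is the flags byte, where 18 (0x12) is ACK (0x10) plus SYN (0x02). The following is an added example, not code from the thread or from tcpdump/windump: it builds a few constructed Ethernet/IPv4/TCP frames and evaluates the same predicate as the filter (ip and src net 192.168 and tcp[0:2] > 1024 and tcp[13] = 18) by reading those offsets directly. It also shows the masked form tcp[13] & 0x12 = 0x12, which a practitioner usually wants instead: the equality test silently misses a SYN/ACK that also carries the ECN bits (ECE/CWR), which the exact comparison to 18 does not match. The frames and addresses are made up for the example.

```python
import struct

ETH_LEN = 14          # Ethernet header length
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6
SYN_ACK = 0x12        # tcp[13] = 18: ACK (0x10) | SYN (0x02)


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, checksums left at zero)."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4                      # dst MAC, src MAC, EtherType
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return eth + ip_hdr + tcp_hdr


def matches_filter(frame, exact_flags=True):
    """Evaluate 'ip and src net 192.168 and tcp[0:2] > 1024 and tcp[13] ...' on one raw frame.

    exact_flags=True  mirrors  tcp[13] = 18          (only a bare SYN/ACK matches)
    exact_flags=False mirrors  tcp[13] & 0x12 = 0x12 (SYN and ACK set, other bits ignored)
    """
    if frame[12:14] != ETHERTYPE_IPV4:           # 'ip'
        return False
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes (options included)
    if ip[9] != IPPROTO_TCP:                      # 'tcp[...]' implies protocol 6
        return False
    if ip[12:14] != bytes([192, 168]):            # 'src net 192.168' == 192.168.0.0/16
        return False
    tcp = ip[ihl:]
    sport = struct.unpack("!H", tcp[0:2])[0]      # tcp[0:2]: source port, offset relative to TCP header
    flags = tcp[13]                               # tcp[13]: flags byte
    if exact_flags:
        flag_ok = flags == SYN_ACK
    else:
        flag_ok = (flags & SYN_ACK) == SYN_ACK
    return sport > 1024 and flag_ok


# Constructed frames: a SYN/ACK from a high port is the "listening service on a high port" case
# the post is hunting for; the others are there to show what the filter deliberately ignores.
SAMPLE_FRAMES = {
    "synack_high_port": build_frame("192.168.5.20", "203.0.113.9", 6881, 40123, 0x12),
    "synack_http":      build_frame("192.168.5.21", "203.0.113.9", 80, 40124, 0x12),    # port <= 1024
    "syn_high_port":    build_frame("192.168.5.22", "203.0.113.9", 50000, 80, 0x02),    # client SYN, no ACK
    "synack_ecn":       build_frame("192.168.5.23", "203.0.113.9", 6881, 40125, 0x52),  # SYN/ACK + ECE
    "synack_other_net": build_frame("10.9.9.9", "203.0.113.9", 6881, 40126, 0x12),      # not 192.168/16
}


def suspect_frames(frames, bitmask=False):
    """Return the names of the frames the filter flags, with the exact or the masked flag test."""
    return sorted(name for name, frame in frames.items()
                  if matches_filter(frame, exact_flags=not bitmask))


if __name__ == "__main__":
    print("tcp[13] = 18         ->", suspect_frames(SAMPLE_FRAMES))
    print("tcp[13] & 0x12 = 0x12 ->", suspect_frames(SAMPLE_FRAMES, bitmask=True))
```

The exact test flags only synack_high_port; the masked test additionally flags synack_ecn. If you are copying the idea into tcpdump, the masked form is written 'tcp[13] & 0x12 = 0x12' (or 'tcp[tcpflags] & (tcp-syn|tcp-ack) = (tcp-syn|tcp-ack)' in newer versions), and tcp[0:2] is the source port only; the destination port is tcp[2:2].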
Ipsec Espah (Just Arrived)
Posted: Mon Sep 12, 2005 2:45 pm
Thanks man, I've been messing around with the BPF and am getting a syntax error. Windump doesn't seem to accept the > sign.
alt.don (SF Boss)
Posted: Mon Sep 12, 2005 2:51 pm
Hi IPSec,
Are you trying to use the > sign when writing to a binary log? If so, the > only works when you write to ASCII, like so:
windump.exe -nXvSs 0 ip and host 192.168.1.100 > bleh
The above will write any packet containing a valid IP header with an IP address of 192.168.1.100 in it to an ASCII file called bleh. Lemme know if you still have some problems.
Ipsec Espah (Just Arrived)
Posted: Mon Sep 12, 2005 3:52 pm
Yeah that works but I still can't specify anything greater than something else. Not sure why because even specifying 'greater' instead of '>' doesn't work. Maybe it's a problem with windump?
alt.don (SF Boss)
Posted: Mon Sep 12, 2005 4:04 pm
I understand what you mean now. You cannot use the > when specifying the port range. It should work, don't know what to say. Can you paste the bpf string in here?
Ipsec Espah (Just Arrived)
Posted: Mon Sep 12, 2005 4:24 pm
alt.don wrote:
"I understand what you mean now. You cannot use the > when specifying the port range. It should work, don't know what to say. Can you paste the bpf string in here?"
I can't figure it out either. I've tried a lot of different things and none have worked.
Code:
windump.exe -nXvSs 0 ip (tcp[0:2] > 1024)
windump.exe -nXvSs 0 ip tcp[0:2] >= 1024
windump.exe -nXvSs 0 ip tcp[0:2] greater 1024
alt.don (SF Boss)
Posted: Mon Sep 12, 2005 4:45 pm
The one thing I would suggest is to specify the actual host or net you want this bpf/bitmask to apply to:
Code:
windump.exe -nXvSs 0 ip and src host 192.168.1.100 and 'tcp[0:2] > 1024' and 'tcp[13] = 18' -w bleh
The above will log all SYN/ACKs coming from 192.168.1.100 on any port from 1024 upwards. Give it a shot. I will also give this a try later on tonight at home, if I don't forget, on a win32 VMWare image.
Ipsec Espah (Just Arrived)
Posted: Tue Sep 13, 2005 1:15 pm
I think I got it. Part of the problem was the single quotes, but I can't get it to output any packets.
Code:
windump.exe -nXvSs 0 src net 192.168 and "tcp[0:2] > 1024" and "tcp[13] = 18"
alt.don (SF Boss)
Posted: Tue Sep 13, 2005 1:36 pm
Hi IPSec,
In the format you have below if there were any packets they would be logged to your screen as you did give a filename to log them to. I would also only use single quotes and not double quotes, as I showed in the earlier example. I will try to remember to do this again tonight.
Ipsec Espah (Just Arrived)
Posted: Tue Sep 13, 2005 11:53 pm
Yeah, that's the thing, no packets were logged to the screen and it only works with double quotes. I'm not sure why this isn't working... If you could try it I'd appreciate it, because it might be something messed up on my end.
alt.don (SF Boss)
Posted: Wed Sep 14, 2005 12:22 am
Hi IPSec,
Alright, I got it working, but with double quotes as you mentioned. My version of windump found here works with the below noted bpf/bitmask filter. Please give it a shot and let me know how it goes.
Code:
tcpdump.exe -nXvSs 0 ip and host 192.168.1.100 and "tcp[0:2] > 1024" > bleh
What the above does is log all packets with a valid IP header with an IP address of 192.168.1.100 (as either src or dst) with a port number higher than 1024 (again port as either src or dst) and logs them to a flat ASCII file called bleh. Hope this helps.
Ipsec Espah (Just Arrived)
Posted: Wed Sep 14, 2005 3:07 am
That works, thanks.
slavezer0 (Just Arrived)
Joined: 25 Aug 2005 Posts: 0 Location: philippines
Posted: Wed Sep 21, 2005 11:26 am
Hi Sirs,
Forgive my ignorance.
I just want to clear everything up.
What is a BPF filter? What is a bitmask?
Is this free or what?
Where can I find this?
Thanks