Security Forums
Data mining techniques?

Ipsec Espah (Just Arrived; Joined: 16 Mar 2003; Posts: 4)
Posted: Fri Sep 09, 2005 2:32 am    Post subject: Data mining techniques?

Anyone know of some good data mining techniques? So far I know it takes some creativity to look at data in different ways to find different things. Artificial Ignorance, where you filter out all of the things you know are good. Searching for known attack signatures and drilling down. What techniques are you guys using for data mining logs from your network/security devices? Any tips?
alt.don (SF Boss; Joined: 04 Mar 2003; Posts: 16777079)
Posted: Fri Sep 09, 2005 2:44 am

Hi Ipsec,

Well, on our networks all packets that trigger an IDS alert are logged and then compressed at the end of the hour. We have a very large network. Personally I use BPF filters and bitmasks against this traffic. To wit, I will look for any SYN/ACKs coming out of our network on any port above 1024. If there are any found they are therefore suspect p2p or trojans. Much like I will look for SYN/ACKs from 1024 on down and simply filter out the ports that I don't want, i.e. 20, 21, 25, 53 and so on. I will also key in certain ports for exploits as they are released. That is pretty much how I do it. HTH.
Ipsec Espah (Just Arrived; Joined: 16 Mar 2003; Posts: 4)
Posted: Fri Sep 09, 2005 1:40 pm

Hey don,

That sounds like a great way to cover all suspect ports, thanks. Do you use sguil or ACID to manage IDS alerts? I read you were GCIA certified before, and I've also read the GCIA practicals and no one ever uses an alert manager for some reason. However, they do similar data mining like what you are doing. Just curious if you need an IDS manager after becoming GCIA certified... Thanks for the help.
alt.don (SF Boss; Joined: 04 Mar 2003; Posts: 16777079)
Posted: Fri Sep 09, 2005 2:51 pm

Hi IPsec,

Yes I have my GCIA, and my GCIH. We use NSM from Intellitactics at my work as our correlation manager. Though that being said you still of course have to pull the suspected data from the SAN afterwards if you want to investigate.

That is where I use the aforementioned BPF filters and bitmasks. It makes the task of investigating large scans quite simple. I have used ACID before but again that is just a visualisation tool vice an actual analysis one in my opinion.

In case you were wondering what the syntax is via BPF to look for all SYN/ACKs on ports 1024 on up, it is as follows:

Code:

-s 0 ip and src net 192.168 and 'tcp[0:2] > 1024' and 'tcp[13] = 18' -w bleh


The above will log all SYN/ACKs coming from source network 192.168 with a source port higher than 1024 and write them to a binary file called "bleh".

Hope this helps.
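The byte offsets in that filter, worked through in Python as an added example that is not part of the thread: tcp[0:2] is the TCP source port, tcp[13] is the flags byte, and 18 (0x12) is ACK|SYN. The packets, the 192.168.0.0/16 source net and the allowed-port set (alt.don's 20, 21, 25, 53) are constructed here for illustration; the second function implements his "1024 on down, minus the ports I expect" check with the same parser.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

SYN_ACK = 0x12                          # tcp[13] = 18: ACK (0x10) | SYN (0x02)
ALLOWED_LOW_PORTS = {20, 21, 25, 53}    # services expected to answer on low ports (assumed list)
INSIDE_NET = IPv4Network("192.168.0.0/16")  # 'src net 192.168' from the thread

def build_tcp_packet(src_ip, dst_ip, sport, dport, flags):
    """Constructed minimal IPv4 + TCP packet (no options, no payload) for testing."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr

def tcp_fields(pkt):
    """Return (src_ip, sport, flags) using the same offsets BPF uses, or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4      # BPF's tcp[] is relative to the end of the IP header, options included
    tcp = pkt[ihl:]
    if len(tcp) < 14:
        return None
    sport = struct.unpack("!H", tcp[0:2])[0]   # tcp[0:2]
    flags = tcp[13]                            # tcp[13]
    return IPv4Address(pkt[12:16]), sport, flags

def high_port_synack(pkt, src_net=INSIDE_NET):
    """'src net 192.168 and tcp[0:2] > 1024 and tcp[13] = 18': inside host answering on a high port."""
    f = tcp_fields(pkt)
    return f is not None and f[0] in src_net and f[1] > 1024 and f[2] == SYN_ACK

def low_port_synack_unexpected(pkt, src_net=INSIDE_NET, allowed=ALLOWED_LOW_PORTS):
    """SYN/ACKs from ports 1024 and down, with the expected services filtered out."""
    f = tcp_fields(pkt)
    return (f is not None and f[0] in src_net and f[1] <= 1024
            and f[1] not in allowed and f[2] == SYN_ACK)

if __name__ == "__main__":
    pkt = build_tcp_packet("192.168.1.100", "10.0.0.5", 6881, 51234, SYN_ACK)
    print("high-port SYN/ACK from inside:", high_port_synack(pkt))   # True
```

Note that `tcp[13] = 18` is an exact match, so a SYN/ACK that also carries the ECE bit (0x52, seen when ECN is negotiated) slips past it; `tcp[13] & 0x12 = 0x12` matches those as well.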
Ipsec Espah (Just Arrived; Joined: 16 Mar 2003; Posts: 4)
Posted: Mon Sep 12, 2005 2:45 pm

Thanks man, I've been messing around with the BPF and am getting a syntax error. Windump doesn't seem to accept the > sign.
alt.don (SF Boss; Joined: 04 Mar 2003; Posts: 16777079)
Posted: Mon Sep 12, 2005 2:51 pm

Hi IPSec,

Are you trying to use the > sign when writing to a binary log? If so, the > only works when you write to ASCII, like so:

windump.exe -nXvSs 0 ip and host 192.168.1.100 > bleh

The above will write any packet containing a valid IP header with an IP address of 192.168.1.100 in it to an ASCII file called bleh. Lemme know if you still have some problems.
Ipsec Espah (Just Arrived; Joined: 16 Mar 2003; Posts: 4)
Posted: Mon Sep 12, 2005 3:52 pm

Yeah that works but I still can't specify anything greater than something else. Not sure why because even specifying 'greater' instead of '>' doesn't work. Maybe it's a problem with windump?
alt.don (SF Boss; Joined: 04 Mar 2003; Posts: 16777079)
Posted: Mon Sep 12, 2005 4:04 pm

I understand what you mean now. You cannot use the > then specifying the port range. It should work, don't know what to say. Can you paste the bpf string in here?
Ipsec Espah (Just Arrived; Joined: 16 Mar 2003; Posts: 4)
Posted: Mon Sep 12, 2005 4:24 pm

alt.don wrote:
I understand what you mean now. You cannot use the > then specifying the port range. It should work, don't know what to say. Can you paste the bpf string in here?


I can't figure it out either. I've tried a lot of different things and none have worked.

Code:
windump.exe -nXvSs 0 ip (tcp[0:2] > 1024)
windump.exe -nXvSs 0 ip tcp[0:2] >= 1024
windump.exe -nXvSs 0 ip tcp[0:2] greater 1024
alt.don (SF Boss; Joined: 04 Mar 2003; Posts: 16777079)
Posted: Mon Sep 12, 2005 4:45 pm

The one thing I would suggest is to specify the actual host or net you want this bpf/bitmask to apply to:

Code:

windump.exe -nXvSs 0 ip and src host 192.168.1.100 and 'tcp[0:2] > 1024' and 'tcp[13] = 18' -w bleh


The above will log all SYN/ACKs coming from 192.168.1.100 on any port from 1024 upwards. Give it a shot. I will also give this a try later on tonight at home, if I don't forget, on a win32 VMWare image.
Ipsec Espah (Just Arrived; Joined: 16 Mar 2003; Posts: 4)
Posted: Tue Sep 13, 2005 1:15 pm

I think I got it. Part of the problem was the single quotes, but I can't get it to output any packets.

Code:
windump.exe -nXvSs 0 src net 192.168 and "tcp[0:2] > 1024" and "tcp[13] = 18"
alt.don (SF Boss; Joined: 04 Mar 2003; Posts: 16777079)
Posted: Tue Sep 13, 2005 1:36 pm

Hi IPSec,

In the format you have below if there were any packets they would be logged to your screen as you did give a filename to log them to. I would also only use single quotes and not double quotes, as I showed in the earlier example. I will try to remember to do this again tonight.
Ipsec Espah (Just Arrived; Joined: 16 Mar 2003; Posts: 4)
Posted: Tue Sep 13, 2005 11:53 pm

Yeah, that's the thing, no packets were logged to the screen and it only works with double quotes. I'm not sure why this isn't working... If you could try it I'd appreciate it, because it might be something messed up on my end.
alt.don (SF Boss; Joined: 04 Mar 2003; Posts: 16777079)
Posted: Wed Sep 14, 2005 12:22 am

Hi IPSec,

Alright, I got it working, but with double quotes as you mentioned. My version of windump found here works with the below noted bpf/bitmask filter. Please give it a shot and let me know how it goes.

Code:

tcpdump.exe -nXvSs 0 ip and host 192.168.1.100 and "tcp[0:2] > 1024" > bleh


What the above does is log all packets with a valid IP header with an IP address of 192.168.1.100 (as either src or dst) with a port number higher than 1024 (again, port as either src or dst) and logs them to a flat ASCII file called bleh. Hope this helps.
Ipsec Espah (Just Arrived; Joined: 16 Mar 2003; Posts: 4)
Posted: Wed Sep 14, 2005 3:07 am

That works, thanks.
slavezer0 (Just Arrived; Joined: 25 Aug 2005; Posts: 0; Location: philippines)
Posted: Wed Sep 21, 2005 11:26 am

Hi Sirs,

Forgive my ignorance.
I just want to clear everything up.

What is a BPF filter? What is a bitmask?
Is this for free or what?
Where can I find this?

Thanks
Page 1 of 2