Scenario Cisco Secure IDS Database Event

Figure 5-18 displays a typical network under attack from an intruder trying to destabilize the network host with the IP address 131.108.1.1/24.

Figure 5-18 Sample IDS Event

[Figure 5-18: two end users and the inside host 131.108.1.1/24 sit behind a Cisco IOS Router; IDS 1 and the outside host with IP address 181.1.1.100/32 are on the public network side.]

The security manager has e-mailed you several files. The first is TCPDUMP output. TCPDUMP is a powerful tool that lets you sniff network packets and perform statistical analysis on the captured dumps. (The written exam has a few questions based on the output from this program.) The manager also e-mailed you log files taken from an IDS Sensor database and the logging entries from the Cisco IOS router.

You receive these files from IDS 1 in Figure 5-18 and from the Cisco WAN router, and you are required to identify what kind of attack this is and which TCP/UDP ports are open to the outside world.

Example 5-1 displays the captured entries the security manager would like identified, along with the ports that are currently open. Note that, to simplify the display, Example 5-1 shows only traffic from the Internet host 181.1.1.100 to the inside host 141.108.1.1.

NOTE The signature is not shown, but you can assume a customized signature ID. Also note that Cisco IDS provides similar exported formats for viewing by security managers and administrators.

Example 5-1 TCPDUMP Output

Time      Source/Destination TCP port   Destination/Source TCP port   TCP fields
10:39:01  181.1.1.100/53              > 131.108.1.1/41000            ACK 1 Win 0 (May Defragment)
10:39:02  181.1.1.100/53              > 131.108.1.1/41001            ACK 1 Win 0 (May Defragment)
10:39:03  181.1.1.100/53              > 131.108.1.1/41002            ACK 1 Win 0 (May Defragment)
10:39:04  181.1.1.100/53              > 131.108.1.1/41003            ACK 1 Win 0 (May Defragment)
10:39:05  181.1.1.100/53              > 131.108.1.1/41004            ACK 1 Win 0 (May Defragment)
10:39:06  181.1.1.100/53              > 131.108.1.1/51001            ACK 1 Win 0 (May Defragment)
10:39:06  181.1.1.100/53              > 131.108.1.1/51002            ACK 1 Win 0 (May Defragment)
10:39:06  181.1.1.100/53              > 131.108.1.1/51003            ACK 1 Win 0 (May Defragment)
10:39:07  181.1.1.100/53              > 131.108.1.1/51003            ACK 1 Win 0 (May Defragment)
10:39:02  181.1.1.100/80              > 131.108.1.1/21001            ACK 34000 Win 2048
10:39:03  181.1.1.100/3176            > 131.108.1.1/31002            ACK 10000 Win 4096
10:39:04  181.1.1.100/3279            > 131.108.1.1/51001            ACK 11235 Win 4096

Example 5-2 displays the logging entries on the router: the suspicious activity that requires immediate forensic analysis for the host with the IP address 131.108.1.1.

Example 5-2 Log File Entry

%IDS-4-TCP_FRAG_SYN_FIN_SIG: Sig:3043:Fragmented SYN/FIN Packet from [181.108.1.100] to [131.108.1.1]
%IDS-4-TCP_SYN_ATTACK_SIG: Sig:3050:Half-Open Syn Flood - from [181.1.1.100] to [131.108.1.1]
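The scenario asks you to read Example 5-1 and Example 5-2 together: the TCPDUMP rows show one source port walking a run of destination ports with a zero window and a fragmentation note, and the router's IDS messages name the signatures that fired. The following Python script is an added example, not code from the book or from Cisco, that parses rows laid out like Example 5-1 and syslog lines laid out like Example 5-2, flags the port sweep from the capture side, and checks each IDS alert's source address against what the capture actually contains. The sample lines are constructed copies of the page's entries; the thresholds (five distinct ports within ten seconds) and the function names are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the layout of Example 5-1 (time, source/port > destination/port,
# TCP fields). They are typed here for this example, not read from a real capture.
TCPDUMP_LINES = """\
10:39:01 181.1.1.100/53 > 131.108.1.1/41000 ACK 1 Win 0 (May Defragment)
10:39:02 181.1.1.100/53 > 131.108.1.1/41001 ACK 1 Win 0 (May Defragment)
10:39:03 181.1.1.100/53 > 131.108.1.1/41002 ACK 1 Win 0 (May Defragment)
10:39:04 181.1.1.100/53 > 131.108.1.1/41003 ACK 1 Win 0 (May Defragment)
10:39:05 181.1.1.100/53 > 131.108.1.1/41004 ACK 1 Win 0 (May Defragment)
10:39:06 181.1.1.100/53 > 131.108.1.1/51001 ACK 1 Win 0 (May Defragment)
10:39:06 181.1.1.100/53 > 131.108.1.1/51002 ACK 1 Win 0 (May Defragment)
10:39:06 181.1.1.100/53 > 131.108.1.1/51003 ACK 1 Win 0 (May Defragment)
10:39:07 181.1.1.100/53 > 131.108.1.1/51003 ACK 1 Win 0 (May Defragment)
10:39:02 181.1.1.100/80 > 131.108.1.1/21001 ACK 34000 Win 2048
10:39:03 181.1.1.100/3176 > 131.108.1.1/31002 ACK 10000 Win 4096
10:39:04 181.1.1.100/3279 > 131.108.1.1/51001 ACK 11235 Win 4096
""".splitlines()

# Constructed copies of the IOS IDS syslog lines in the shape of Example 5-2.
IDS_LOG_LINES = [
    "%IDS-4-TCP_FRAG_SYN_FIN_SIG: Sig:3043:Fragmented SYN/FIN Packet from [181.108.1.100] to [131.108.1.1]",
    "%IDS-4-TCP_SYN_ATTACK_SIG: Sig:3050:Half-Open Syn Flood - from [181.1.1.100] to [131.108.1.1]",
]

DUMP_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<src>[\d.]+)/(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>[\d.]+)/(?P<dport>\d+)\s+ACK\s+(?P<ack>\d+)\s+Win\s+(?P<win>\d+)(?P<rest>.*)$"
)
IDS_RE = re.compile(
    r"^%IDS-\d-(?P<msg>\w+): Sig:(?P<sig>\d+):(?P<name>.+?)\s*-?\s*"
    r"from \[(?P<src>[\d.]+)\] to \[(?P<dst>[\d.]+)\]$"
)


def parse_dump(lines):
    """Turn Example 5-1 style rows into dicts; rows that do not match are skipped."""
    records = []
    for line in lines:
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "time": datetime.strptime(m["time"], "%H:%M:%S"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "ack": int(m["ack"]), "win": int(m["win"]),
            "fragment": "Defragment" in m["rest"],
        })
    return records


def find_port_sweeps(records, min_ports=5, max_span_secs=10):
    """Flag a (src, sport, dst) tuple that hits many distinct destination ports in a short
    span while carrying a zero window and a fragmentation note. One source port walking
    sequential destination ports is what a scan looks like from the capture side."""
    groups = defaultdict(list)
    for r in records:
        if r["win"] == 0 and r["fragment"]:
            groups[(r["src"], r["sport"], r["dst"])].append(r)
    sweeps = {}
    for key, rows in groups.items():
        ports = sorted({r["dport"] for r in rows})
        span = (max(r["time"] for r in rows) - min(r["time"] for r in rows)).total_seconds()
        if len(ports) >= min_ports and span <= max_span_secs:
            sweeps[key] = {"ports": ports, "span_secs": span, "packets": len(rows)}
    return sweeps


def parse_ids_log(lines):
    """Pull signature ID, signature name and the two addresses out of each IDS message."""
    alerts = []
    for line in lines:
        m = IDS_RE.match(line.strip())
        if m:
            alerts.append({"sig": int(m["sig"]), "name": m["name"].strip(),
                           "src": m["src"], "dst": m["dst"]})
    return alerts


def correlate(records, sweeps, alerts):
    """For each IDS alert, report whether its source appears in the capture at all and
    whether it is one of the flagged sweep sources. An alert whose source never shows up
    in the dump deserves a second look before anyone acts on it."""
    seen_sources = {r["src"] for r in records}
    sweep_sources = {src for (src, _, _) in sweeps}
    return [{"sig": a["sig"], "src": a["src"],
             "in_capture": a["src"] in seen_sources,
             "sweep_source": a["src"] in sweep_sources} for a in alerts]


if __name__ == "__main__":
    recs = parse_dump(TCPDUMP_LINES)
    sw = find_port_sweeps(recs)
    for (src, sport, dst), info in sw.items():
        print(f"sweep {src}/{sport} -> {dst}: {info['packets']} packets, ports {info['ports']}")
    for c in correlate(recs, sw, parse_ids_log(IDS_LOG_LINES)):
        print(c)
```

Run as-is, the script reports a single sweep from 181.1.1.100/53 against 131.108.1.1 covering eight distinct destination ports in six seconds, and the correlation step shows that the source named in the Sig:3043 message does not occur anywhere in the capture while the Sig:3050 source is the sweep source, which is exactly the kind of cross-check a forensic reviewer wants before writing up the event.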
