计算机网络安全技术实验(2):体验入侵检测

实验背景

入侵检测系统(IDS)是一种对网络传输进行即时监视,在发现可疑传输时发出警报或者采取主动反应措施的网络安全设备。

Suricata是一种较为著名的入侵检测系统,本实验的主要内容是使用 Suricata对给出的pcap文件进行检测,并对pcap文件进行分析。

实验环境

VMware上的Ubuntu虚拟机。已经给出了虚拟机的ovf文件,只需在VMware中将ubuntu.ovf导入即可。虚拟机中已经对相关实验环境进行了配置。用户名和密码均为suricata(全部小写字母)。

实验数据

进入虚拟机系统后,在桌面上的pcapfile文件夹中有三个标号为1、2、3的pcap文件,选择自己学号对3取余后的那一个文件进行检测即可。

(我的学号取余为2,不过老师您不觉得自己这句话有什么问题吗?)

实验命令

cd /home/suricata/Desktop/pcapfile
sudo su
密码输入suricata
suricata –r x.pcap –l ./
vim fast.log

实验前的一些准备

pcap文件

pcap 是 packet capture 的缩写,一般是 tcpdump 或者 wireshark 抓包后存盘的文件。我们这次好像不需要详细了解文件的格式,让suricata自己去分析好了。详细介绍参见这里:https://zrj.me/archives/831

对于Suricata的简介

Suricata是一种开源的入侵检测系统,特点包括:

  • 多线程
  • 自动协议检测

(翻译自维基百科)

Suricata的输出

以下内容摘自Suricata的帮助文档:https://suricata.readthedocs.io/en/latest/output/index.html

Eve Json输出

Suricata可以将警告、HTTP事件、DNS事件、TLS事件和文件信息输出到JSON中。通常使用“EVE”(event的缩写)格式将这些信息输出到单独的一个文件中。

输入文件的格式一般如下:

{"timestamp":"2009-11-24T21:27:09.534255","event_type":"TYPE", ...tuple... ,"TYPE":{ ... type specific content ... }}

event_type域表示当前event的类型,分为以下4类:

  • Alert
  • HTTP
  • DNS
  • TLS

下面分别介绍4种event的格式。

Alert
  • alert.action:可能取值为allowed和blocked,默认为allowed,仅当有一条规则的动作为reject,或Suricata处于IPS模式且有一条规则的动作为drop时为blocked。
  • alert.signature:攻击内容
  • alert.source:可选,攻击发起者的信息
  • alert.target:可选,被攻击者的信息

例子:

{
    "timestamp": "2009-11-24T21:27:09.534255",
    "event_type": "alert",
    "src_ip": "192.168.2.7",
    "src_port": 1041,
    "dest_ip": "x.x.250.50",
    "dest_port": 80,
    "proto": "TCP",
    "alert": {
      "action": "allowed",
      "gid": 1,
      "signature_id": 1,
      "rev": 1,
      "app_proto": "http",
      "signature": "HTTP body talking about corruption",
      "severity": 3,
      "source": {
        "ip": "192.168.43.32",
        "port": 36292
      },
      "target": {
        "ip": "179.60.192.3",
        "port": 80
      }
    }
}
HTTP
  • http.hostname:这一HTTP事件对应的主机域名
  • http.url:主机域名被访问的URL
  • http.http_user_agent:被使用的软件的user-agent(没看懂)
  • http.http_content_type:返回的数据类型
  • http.cookie

下面是主要的扩展信息项:

  • http.length:HTTP正文的内容长度
  • http.status:HTTP状态码
  • http.protocol:协议/HTTP版本
  • http.http_method:HTTP请求(例:GET、POST、HEAD)
  • http.http_refer: The referer for this action

除此之外,还可以在suricata.yaml文件中选择打印另外47项信息的日志。

例子(带扩展):

"http": {
    "hostname": "direkte.vg.no",
    "url":".....",
    "http_user_agent": "<User-Agent>",
    "http_content_type": "application\/json",
    "http_refer": "http:\/\/www.vg.no\/",
    "http_method": "GET",
    "protocol": "HTTP\/1.1",
    "status":"200",
    "length":310
}
DNS

在各种不同的DNS事件中,可能包括以下域:

  • dns.type:DNS消息类型,可能取值包括answer和query
  • dns.id:id
  • dns.flags:DNS响应报文标志,16进制(0x是无输出)
  • dns.qr
  • dns.aa
  • dns.tc
  • dns.rd
  • dns.ra
  • dns.rcode
  • dns.rrname
  • dns.rrtype
  • dns.rdata
  • dns.ttl

例子(DNS请求):

"dns": {
    "type": "query",
    "id": 16000,
    "rrname": "twitter.com",
    "rrtype":"A"
}

例子(DNS回复):

"dns": {
    "type": "answer",
    "id":16000,
    "flags":"8180",
    "qr":true,
    "rd":true,
    "ra":true,
    "rcode":"NOERROR"
    "rrname": "twitter.com",
    "rrtype":"A",
    "ttl":8,
    "rdata": "199.16.156.6"
}
TLS

可能包括的域:

  • tls.subject
  • tls.issuer
  • tls.session_resumed

扩展域:

  • tls.serial
  • tls.fingerprint
  • tls.sni
  • tls.version
  • tls.notbefore
  • tls.notafter
  • tls.certificate
  • tls.chain

fast.log输出

这个文件中,每个Alert事件对应一行输出,给出攻击的端口和对攻击可能的分类。见http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html?highlight=fast.log#line-based-alerts-log-fast-log

例子:

10/05/10-10:08:59.667372  [**] [1:2009187:4] ET WEB_CLIENT ACTIVEX iDefense
  COMRaider ActiveX Control Arbitrary File Deletion [**] [Classification: Web
  Application Attack] [Priority: 3] {TCP} xx.xx.232.144:80 -> 192.168.1.4:56068

Wireshark

首先安装Wireshark(https://askubuntu.com/questions/700712/how-to-install-wireshark)。

wireshark.png

然后直接打开pcap文件。(https://www.wireshark.org/docs/wsug_html_chunked/ChIOOpenSection.html

任务

任务1 分析实验结果

任务描述

本实验中给出的pcap文件内容均为DoS攻击的数据包,请根据Suricata的检测结果分析DoS攻击的端口以及服务,并简要描述该服务的内容。

任务结果

1.pcap

命令:

suricata -c /etc/suricata/suricata.yaml -r 1.pcap -l ./1

输出结果:

eve.json
{
   "timestamp":"2017-12-03T01:17:04.267748",
   "pcap_cnt":6,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":59144,
   "dest_ip":"192.168.234.128",
   "dest_port":53,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":2009701,
      "rev":2,
      "signature":"ET DOS DNS BIND 9 Dynamic Update DoS attempt",
      "category":"Attempted Denial of Service",
      "severity":2
   }
}
{
   "timestamp":"2017-12-03T01:17:04.267852",
   "pcap_cnt":8,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":59145,
   "dest_ip":"192.168.234.128",
   "dest_port":53,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":2009701,
      "rev":2,
      "signature":"ET DOS DNS BIND 9 Dynamic Update DoS attempt",
      "category":"Attempted Denial of Service",
      "severity":2
   }
}
{
   "timestamp":"2017-12-03T01:17:04.267967",
   "pcap_cnt":14,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":59147,
   "dest_ip":"192.168.234.128",
   "dest_port":53,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":2009701,
      "rev":2,
      "signature":"ET DOS DNS BIND 9 Dynamic Update DoS attempt",
      "category":"Attempted Denial of Service",
      "severity":2
   }
}
{
   "timestamp":"2017-12-03T01:17:04.268004",
   "pcap_cnt":16,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":59146,
   "dest_ip":"192.168.234.128",
   "dest_port":53,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":2009701,
      "rev":2,
      "signature":"ET DOS DNS BIND 9 Dynamic Update DoS attempt",
      "category":"Attempted Denial of Service",
      "severity":2
   }
}
{
   "timestamp":"2017-12-03T01:17:04.268498",
   "pcap_cnt":24,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":59148,
   "dest_ip":"192.168.234.128",
   "dest_port":53,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":2009701,
      "rev":2,
      "signature":"ET DOS DNS BIND 9 Dynamic Update DoS attempt",
      "category":"Attempted Denial of Service",
      "severity":2
   }
}
{
   "timestamp":"2017-12-03T01:17:04.268534",
   "pcap_cnt":34,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":59149,
   "dest_ip":"192.168.234.128",
   "dest_port":53,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":2009701,
      "rev":2,
      "signature":"ET DOS DNS BIND 9 Dynamic Update DoS attempt",
      "category":"Attempted Denial of Service",
      "severity":2
   }
}
{
   "timestamp":"2017-12-03T01:17:04.268567",
   "pcap_cnt":45,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":59150,
   "dest_ip":"192.168.234.128",
   "dest_port":53,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":2009701,
      "rev":2,
      "signature":"ET DOS DNS BIND 9 Dynamic Update DoS attempt",
      "category":"Attempted Denial of Service",
      "severity":2
   }
}
{
   "timestamp":"2017-12-03T01:17:04.275411",
   "pcap_cnt":162,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":59151,
   "dest_ip":"192.168.234.128",
   "dest_port":53,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":2009701,
      "rev":2,
      "signature":"ET DOS DNS BIND 9 Dynamic Update DoS attempt",
      "category":"Attempted Denial of Service",
      "severity":2
   }
}
fast.log
12/03/2017-01:17:04.267748  [**] [1:2009701:2] ET DOS DNS BIND 9 Dynamic Update DoS attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 192.168.234.1:59144 -> 192.168.234.128:53
12/03/2017-01:17:04.267852  [**] [1:2009701:2] ET DOS DNS BIND 9 Dynamic Update DoS attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 192.168.234.1:59145 -> 192.168.234.128:53
12/03/2017-01:17:04.267967  [**] [1:2009701:2] ET DOS DNS BIND 9 Dynamic Update DoS attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 192.168.234.1:59147 -> 192.168.234.128:53
12/03/2017-01:17:04.268004  [**] [1:2009701:2] ET DOS DNS BIND 9 Dynamic Update DoS attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 192.168.234.1:59146 -> 192.168.234.128:53
12/03/2017-01:17:04.268498  [**] [1:2009701:2] ET DOS DNS BIND 9 Dynamic Update DoS attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 192.168.234.1:59148 -> 192.168.234.128:53
12/03/2017-01:17:04.268534  [**] [1:2009701:2] ET DOS DNS BIND 9 Dynamic Update DoS attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 192.168.234.1:59149 -> 192.168.234.128:53
12/03/2017-01:17:04.268567  [**] [1:2009701:2] ET DOS DNS BIND 9 Dynamic Update DoS attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 192.168.234.1:59150 -> 192.168.234.128:53
12/03/2017-01:17:04.275411  [**] [1:2009701:2] ET DOS DNS BIND 9 Dynamic Update DoS attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 192.168.234.1:59151 -> 192.168.234.128:53
http.log

空文件

stats.log
-------------------------------------------------------------------
Date: 12/29/2017 -- 00:48:22 (uptime: 0d, 00h 00m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
dns.memuse                | ReceivePcapFile           | 0
dns.memcap_state          | ReceivePcapFile           | 0
dns.memcap_global         | ReceivePcapFile           | 0
decoder.pkts              | ReceivePcapFile           | 101800
decoder.bytes             | ReceivePcapFile           | 7228122
decoder.invalid           | ReceivePcapFile           | 0
decoder.ipv4              | ReceivePcapFile           | 101793
decoder.ipv6              | ReceivePcapFile           | 1
decoder.ethernet          | ReceivePcapFile           | 101800
decoder.raw               | ReceivePcapFile           | 0
decoder.sll               | ReceivePcapFile           | 0
decoder.tcp               | ReceivePcapFile           | 0
decoder.udp               | ReceivePcapFile           | 101784
decoder.sctp              | ReceivePcapFile           | 0
decoder.icmpv4            | ReceivePcapFile           | 10
decoder.icmpv6            | ReceivePcapFile           | 0
decoder.ppp               | ReceivePcapFile           | 0
decoder.pppoe             | ReceivePcapFile           | 0
decoder.gre               | ReceivePcapFile           | 0
decoder.vlan              | ReceivePcapFile           | 0
decoder.vlan_qinq         | ReceivePcapFile           | 0
decoder.teredo            | ReceivePcapFile           | 0
decoder.ipv4_in_ipv6      | ReceivePcapFile           | 0
decoder.ipv6_in_ipv6      | ReceivePcapFile           | 0
decoder.avg_pkt_size      | ReceivePcapFile           | 71
decoder.max_pkt_size      | ReceivePcapFile           | 157
defrag.ipv4.fragments     | ReceivePcapFile           | 0
defrag.ipv4.reassembled   | ReceivePcapFile           | 0
defrag.ipv4.timeouts      | ReceivePcapFile           | 0
defrag.ipv6.fragments     | ReceivePcapFile           | 0
defrag.ipv6.reassembled   | ReceivePcapFile           | 0
defrag.ipv6.timeouts      | ReceivePcapFile           | 0
defrag.max_frag_hits      | ReceivePcapFile           | 0
tcp.sessions              | Detect                    | 0
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.pseudo                | Detect                    | 0
tcp.invalid_checksum      | Detect                    | 0
tcp.no_flow               | Detect                    | 0
tcp.reused_ssn            | Detect                    | 0
tcp.memuse                | Detect                    | 0
tcp.syn                   | Detect                    | 0
tcp.synack                | Detect                    | 0
tcp.rst                   | Detect                    | 0
dns.memuse                | Detect                    | 0
dns.memcap_state          | Detect                    | 0
dns.memcap_global         | Detect                    | 0
tcp.segment_memcap_drop   | Detect                    | 0
tcp.stream_depth_reached  | Detect                    | 0
tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
http.memuse               | Detect                    | 0
http.memcap               | Detect                    | 0
detect.alert              | Detect                    | 8
flow_mgr.closed_pruned    | FlowManagerThread         | 0
flow_mgr.new_pruned       | FlowManagerThread         | 1
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 6116224
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0
分析fast.log

下面我们来分析fast.log。

首先可以看出,攻击的类型是DoS(拒绝服务攻击,https://zh.wikipedia.org/wiki/%E9%98%BB%E6%96%B7%E6%9C%8D%E5%8B%99%E6%94%BB%E6%93%8A;如果是分布式就变成很有名的DDoS了),攻击的端口是53,攻击类型是BIND 9 Dynamic Update DoS Security Update,被攻击的服务是DNS记录更新。

但是BIND 9 Dynamic Update DoS Security Update是什么呢?看起来好像是2009年发现的各种Linux和Windows域名服务器使用的named软件中的一个漏洞。以下内容翻译自https://www.cyberciti.biz/tips/bind-dynamic-update-dos.html

BIND 9是DNS协议的一种实现。和很多其他操作系统一样,UNIX也使用named daemon(一个DNS软件)作为互联网域名服务器。(?)可能会发送动态更新消息来更新域名服务器主区域中的记录,当named程序受到了一个精心构造的动态更新消息时,一个内部断言会被触发,因此程序会退出。因此,一个能够向一个域名服务器发送DNS请求的攻击者可以导致域名服务器退出,进行一次拒绝服务攻击(Denial of Service)。仅仅将named配置为忽略动态更新是不足以保护它免于此类攻击的。

2.pcap

命令:

suricata -c /etc/suricata/suricata.yaml -r 2.pcap -l ./2
eve.json
{
   "timestamp":"2017-12-03T01:12:30.455015",
   "pcap_cnt":1,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":57611,
   "dest_ip":"192.168.234.128",
   "dest_port":69,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":0,
      "rev":0,
      "signature":"ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt",
      "category":"",
      "severity":3
   }
}
{
   "timestamp":"2017-12-03T01:12:30.455355",
   "pcap_cnt":3,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":57613,
   "dest_ip":"192.168.234.128",
   "dest_port":69,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":0,
      "rev":0,
      "signature":"ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt",
      "category":"",
      "severity":3
   }
}
{
   "timestamp":"2017-12-03T01:12:30.455407",
   "pcap_cnt":5,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":57614,
   "dest_ip":"192.168.234.128",
   "dest_port":69,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":0,
      "rev":0,
      "signature":"ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt",
      "category":"",
      "severity":3
   }
}
{
   "timestamp":"2017-12-03T01:12:30.455443",
   "pcap_cnt":7,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":57612,
   "dest_ip":"192.168.234.128",
   "dest_port":69,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":0,
      "rev":0,
      "signature":"ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt",
      "category":"",
      "severity":3
   }
}
{
   "timestamp":"2017-12-03T01:12:30.455480",
   "pcap_cnt":9,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":57615,
   "dest_ip":"192.168.234.128",
   "dest_port":69,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":0,
      "rev":0,
      "signature":"ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt",
      "category":"",
      "severity":3
   }
}
{
   "timestamp":"2017-12-03T01:12:30.455568",
   "pcap_cnt":17,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":57616,
   "dest_ip":"192.168.234.128",
   "dest_port":69,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":0,
      "rev":0,
      "signature":"ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt",
      "category":"",
      "severity":3
   }
}
{
   "timestamp":"2017-12-03T01:12:30.455578",
   "pcap_cnt":21,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":57617,
   "dest_ip":"192.168.234.128",
   "dest_port":69,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":0,
      "rev":0,
      "signature":"ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt",
      "category":"",
      "severity":3
   }
}
{
   "timestamp":"2017-12-03T01:12:30.466858",
   "pcap_cnt":253,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":57618,
   "dest_ip":"192.168.234.128",
   "dest_port":69,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":0,
      "rev":0,
      "signature":"ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt",
      "category":"",
      "severity":3
   }
}
fast.log
12/03/2017-01:12:30.455015  [**] [1:0:0] ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.234.1:57611 -> 192.168.234.128:69
12/03/2017-01:12:30.455355  [**] [1:0:0] ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.234.1:57613 -> 192.168.234.128:69
12/03/2017-01:12:30.455407  [**] [1:0:0] ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.234.1:57614 -> 192.168.234.128:69
12/03/2017-01:12:30.455443  [**] [1:0:0] ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.234.1:57612 -> 192.168.234.128:69
12/03/2017-01:12:30.455480  [**] [1:0:0] ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.234.1:57615 -> 192.168.234.128:69
12/03/2017-01:12:30.455568  [**] [1:0:0] ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.234.1:57616 -> 192.168.234.128:69
12/03/2017-01:12:30.455578  [**] [1:0:0] ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.234.1:57617 -> 192.168.234.128:69
12/03/2017-01:12:30.466858  [**] [1:0:0] ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.234.1:57618 -> 192.168.234.128:69
http.log

空文件

stats.log
-------------------------------------------------------------------
Date: 12/29/2017 -- 00:48:33 (uptime: 0d, 00h 00m 02s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
dns.memuse                | ReceivePcapFile           | 0
dns.memcap_state          | ReceivePcapFile           | 0
dns.memcap_global         | ReceivePcapFile           | 0
decoder.pkts              | ReceivePcapFile           | 114435
decoder.bytes             | ReceivePcapFile           | 7552930
decoder.invalid           | ReceivePcapFile           | 0
decoder.ipv4              | ReceivePcapFile           | 114431
decoder.ipv6              | ReceivePcapFile           | 0
decoder.ethernet          | ReceivePcapFile           | 114435
decoder.raw               | ReceivePcapFile           | 0
decoder.sll               | ReceivePcapFile           | 0
decoder.tcp               | ReceivePcapFile           | 0
decoder.udp               | ReceivePcapFile           | 114421
decoder.sctp              | ReceivePcapFile           | 0
decoder.icmpv4            | ReceivePcapFile           | 10
decoder.icmpv6            | ReceivePcapFile           | 0
decoder.ppp               | ReceivePcapFile           | 0
decoder.pppoe             | ReceivePcapFile           | 0
decoder.gre               | ReceivePcapFile           | 0
decoder.vlan              | ReceivePcapFile           | 0
decoder.vlan_qinq         | ReceivePcapFile           | 0
decoder.teredo            | ReceivePcapFile           | 0
decoder.ipv4_in_ipv6      | ReceivePcapFile           | 0
decoder.ipv6_in_ipv6      | ReceivePcapFile           | 0
decoder.avg_pkt_size      | ReceivePcapFile           | 66
decoder.max_pkt_size      | ReceivePcapFile           | 94
defrag.ipv4.fragments     | ReceivePcapFile           | 0
defrag.ipv4.reassembled   | ReceivePcapFile           | 0
defrag.ipv4.timeouts      | ReceivePcapFile           | 0
defrag.ipv6.fragments     | ReceivePcapFile           | 0
defrag.ipv6.reassembled   | ReceivePcapFile           | 0
defrag.ipv6.timeouts      | ReceivePcapFile           | 0
defrag.max_frag_hits      | ReceivePcapFile           | 0
tcp.sessions              | Detect                    | 0
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.pseudo                | Detect                    | 0
tcp.invalid_checksum      | Detect                    | 0
tcp.no_flow               | Detect                    | 0
tcp.reused_ssn            | Detect                    | 0
tcp.memuse                | Detect                    | 0
tcp.syn                   | Detect                    | 0
tcp.synack                | Detect                    | 0
tcp.rst                   | Detect                    | 0
dns.memuse                | Detect                    | 0
dns.memcap_state          | Detect                    | 0
dns.memcap_global         | Detect                    | 0
tcp.segment_memcap_drop   | Detect                    | 0
tcp.stream_depth_reached  | Detect                    | 0
tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
http.memuse               | Detect                    | 0
http.memcap               | Detect                    | 0
detect.alert              | Detect                    | 8
flow_mgr.closed_pruned    | FlowManagerThread         | 0
flow_mgr.new_pruned       | FlowManagerThread         | 0
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 6115840
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0
分析fast.log

下面我们来分析fast.log。

SolarWinds TFTP 服务器10.4.0.10及之前的版本可能会受到拒绝服务攻击。通过发送读请求netascii及一个特殊构造的文件名,远程攻击者可以令服务器的进程崩溃,因而导致拒绝服务攻击。

(参见https://www.rapid7.com/db/modules/auxiliary/dos/windows/tftp/solarwindshttps://www.vulnerabilitycenter.com/#!vul=25904

3.pcap

命令:

suricata -c /etc/suricata/suricata.yaml -r 3.pcap -l ./3
dir3.png

于是打出来了若干个文件。

eve.json
{
   "timestamp":"2017-12-03T01:13:59.506103",
   "pcap_cnt":3,
   "event_type":"alert",
   "src_ip":"192.168.234.1",
   "src_port":52322,
   "dest_ip":"192.168.234.128",
   "dest_port":123,
   "proto":"UDP",
   "alert":{
      "action":"allowed",
      "gid":1,
      "signature_id":2019016,
      "rev":3,
      "signature":"ET DOS Possible NTP DDoS Inbound attack",
      "category":"Attempted Denial of Service",
      "severity":2
   }
}
fast.log
12/03/2017-01:13:59.506103  [**] [1:2019016:3] ET DOS Possible NTP DDoS Inbound attack [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 192.168.234.1:52322 -> 192.168.234.128:123
http.log

空文件

stats.log
-------------------------------------------------------------------
Date: 12/29/2017 -- 00:46:31 (uptime: 0d, 00h 00m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
dns.memuse                | ReceivePcapFile           | 0
dns.memcap_state          | ReceivePcapFile           | 0
dns.memcap_global         | ReceivePcapFile           | 0
decoder.pkts              | ReceivePcapFile           | 104423
decoder.bytes             | ReceivePcapFile           | 6370023
decoder.invalid           | ReceivePcapFile           | 0
decoder.ipv4              | ReceivePcapFile           | 104417
decoder.ipv6              | ReceivePcapFile           | 0
decoder.ethernet          | ReceivePcapFile           | 104423
decoder.raw               | ReceivePcapFile           | 0
decoder.sll               | ReceivePcapFile           | 0
decoder.tcp               | ReceivePcapFile           | 0
decoder.udp               | ReceivePcapFile           | 104407
decoder.sctp              | ReceivePcapFile           | 0
decoder.icmpv4            | ReceivePcapFile           | 10
decoder.icmpv6            | ReceivePcapFile           | 0
decoder.ppp               | ReceivePcapFile           | 0
decoder.pppoe             | ReceivePcapFile           | 0
decoder.gre               | ReceivePcapFile           | 0
decoder.vlan              | ReceivePcapFile           | 0
decoder.vlan_qinq         | ReceivePcapFile           | 0
decoder.teredo            | ReceivePcapFile           | 0
decoder.ipv4_in_ipv6      | ReceivePcapFile           | 0
decoder.ipv6_in_ipv6      | ReceivePcapFile           | 0
decoder.avg_pkt_size      | ReceivePcapFile           | 61
decoder.max_pkt_size      | ReceivePcapFile           | 89
defrag.ipv4.fragments     | ReceivePcapFile           | 0
defrag.ipv4.reassembled   | ReceivePcapFile           | 0
defrag.ipv4.timeouts      | ReceivePcapFile           | 0
defrag.ipv6.fragments     | ReceivePcapFile           | 0
defrag.ipv6.reassembled   | ReceivePcapFile           | 0
defrag.ipv6.timeouts      | ReceivePcapFile           | 0
defrag.max_frag_hits      | ReceivePcapFile           | 0
tcp.sessions              | Detect                    | 0
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.pseudo                | Detect                    | 0
tcp.invalid_checksum      | Detect                    | 0
tcp.no_flow               | Detect                    | 0
tcp.reused_ssn            | Detect                    | 0
tcp.memuse                | Detect                    | 0
tcp.syn                   | Detect                    | 0
tcp.synack                | Detect                    | 0
tcp.rst                   | Detect                    | 0
dns.memuse                | Detect                    | 0
dns.memcap_state          | Detect                    | 0
dns.memcap_global         | Detect                    | 0
tcp.segment_memcap_drop   | Detect                    | 0
tcp.stream_depth_reached  | Detect                    | 0
tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
http.memuse               | Detect                    | 0
http.memcap               | Detect                    | 0
detect.alert              | Detect                    | 1
flow_mgr.closed_pruned    | FlowManagerThread         | 0
flow_mgr.new_pruned       | FlowManagerThread         | 0
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 6115840
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0
分析fast.log

下面我们来分析fast.log。

很显然,攻击的端口是123,而攻击类型是NTP amplification attack,被攻击的服务是NTP(Network Time Protocol)。

在这类攻击中,攻击者对公开的NTP服务器进行攻击,使对方的UDP流量过大。

NTP是最老的网络协议之一,连接到互联网的电脑用这一协议来同步时钟。除了同步时钟之外,旧版本的NTP支持一种管理服务,使得管理员能够查询某个NTP服务器的流量。这个命令的名称为monlist,会将与被查询的服务器连接的最近的600个主机返回。

在最基础的NTP amplification attack中,攻击者会不断向一个NTP服务器发送get monlist指令,同时将发送者的IP地址伪装成NTP服务器的地址。于是,NTP服务器向伪装过的IP地址发送回复,这一回复的大小比请求大得多,使得指向目标服务器的流量显著增多,最终导致服务器无法及时回应正常请求。

任务2 分析pcap文件内容

任务描述

使用包分析软件(如Wireshark)对你检测的pcap文件进行分析,找出主要的源IP、源端口、目的IP、目的端口、包的内容等。

任务结果

1.pcap

pcap1_1.png
pcap1_2.png

包分成如下几类:

编号 源IP 源端口 目标IP 目标端口 协议类型 包的内容
1 192.188.234.128 58559 91.189.94.4 123 NTP NTP version 4, client
2 Vmware_e9:15:9c - Broadcast - ARP Who has 192.168.234.128? Tell 192.168.234.2
3 Vmware_e6:ee:87 - Vmware_e9:15:9c - ARP 192.168.234.128 is at 00:0c:29:e6:ee:87
4 91.189.94.4 123 192.168.234.128 58559 NTP NTP Version 4, server
5 fe80::1408:b353:892f:9160 546 ff02::1:2 547 DHCPv6 Solicit XID: 0xc2e723 CID: 000100011fbb51bf80fa5b3a01fd
6, 8, 10, 12, 14, 16, 18, 19, …, 101794 192.168.234.1 59144, 59145, 59147, 59146, 59148, … 192.168.234.128 53 DNS Unknown operation (12) 0x5468 Unknown (25953) <Unknown extended label> Unknown (26229) <Unknown extended label> Unknown (28526) <Unknown extended label>[Malformed Packet]
7, 9, 11, 13, 15, 17 192.168.234.128 59144, 59145, 59147, 59146 192.168.234.1 53 ICMP Destination unreachable (Port unreachable)
101795 Vmware_c0:00:08 - Vmware_e6:ee:87 - ARP Who has 192.168.234.128? Tell 192.168.234.1
101796 Vmware_e6:ee:87 - Vmware_c0:00:08 - ARP 192.168.234.128 is at 00:0c:29:e6:ee:87
101797 Vmware_e6:ee:87 - Vmware_c0:00:08 - ARP Who has 192.168.234.1? Tell 192.168.234.128
101798 Vmware_c0:00:08 - Vmware_e6:ee:87 - ARP 192.168.234.1 is at 00:50:56:c0:00:08
101799 192.168.234.128 44533 91.189.94.4 123 NTP NTP Version 4, client
101800 91.189.94.4 123 192.168.234.128 44533 NTP NTP Version 4, server

总之,就是不断向域名服务器发起构造的DNS请求。按理说服务器应该会不断把named重启,但是显然此处根本没有收到请求。

(这里也和3.pcap一样,用到了NTP协议,但这里的协议就是version 4的,3中用到的就是version 2,因为是旧协议所以对3才能进行攻击。)

2.pcap

pcap2_1.png
pcap2_2.png

包分成如下几类:

编号 源IP 源端口 目标IP 目标端口 协议类型 包的内容
1, 3, 5, 7, 9, 11, 13, 14, …, 114431 192.168.234.1 57611, 57613, 57614, … 192.168.234.128 69 TFTP Destination unreachable (Port unreachable)
2, 4, 6, 8, 10, 12 192.168.234.128 57611, 57613, 57614, 57612, 57615 192.168.234.1 69 ICMP Destination unreachable (Port unreachable)
114432 Vmware_e6:ee:87 - Vmware_c0:00:08 - ARP Who has 192.168.234.1? Tell 192.168.234.128
114433 Vmware_c0:00:08 - Vmware_e6:ee:87 - ARP 192.168.234.1 is at 00:50:56:c0:00:08
114434 Vmware_c0:00:08 - Vmware_e6:ee:87 - ARP Who has 192.168.234.128? Tell 192.168.234.1
114435 Vmware_e6:ee:87 - Vmware_c0:00:08 - ARP 192.168.234.128 is at 00:0c:29:e6:ee:87

就是,在不断地发送TFTP请求。

3.pcap

pcap3_1.png
pcap3_2.png

包分成如下几类:

编号 源IP 源端口 目标IP 目标端口 协议类型 包的内容
1, 3, 5, 7, 9, 11, 13, 14, …, 104419 192.168.234.1 52321, 52322, 52324, 52325, 52326, 52327, … 192.168.234.128 123 NTP NTP version 2, server
2, 4, 6, 8, 10, 12 192.168.234.128 52321, 52324, 52325 192.168.234.1 123 ICMP Destination unreachable (Port unreachable)
104420 Vmware_c0:00:08 - Vmware_e6:ee:87 - ARP Who has 192.168.234.128? Tell 192.168.234.1
104421 Vmware_e6:ee:87 - Vmware_c0:00:08 - ARP 192.168.234.128 is at 00:0c:29:e6:ee:87
104422 Vmware_e6:ee:87 - Vmware_c0:00:08 - ARP Who has 192.168.234.1? Tell 192.168.234.128
104423 Vmware_c0:00:08 - Vmware_e6:ee:87 - ARP 192.168.234.1 is at 00:50:56:c0:00:08

可以看出,整个pcap文件主要是192.168.234.1在向192.168.234.128:123发送NTP请求,进行攻击。开始时,192.168.234.128回复了一些ICMP消息(大概是根本就没有连接上?),用来传输出错信息,后来就不回复了。最后有一些ARP表项。

附录

很高兴老师给我们延期到了1月1日。

其实我还是没有搞明白pcap文件是怎么来的(是编程写出来的,还是Wireshark的实际抓包?),以及Suricata怎么分析pcap文件得出这是什么攻击。看来Suricata还是很厉害。

实验中有几个亮点。

a1.png
a2.png
a3.png


新增一则回应

除非特别注明,本页内容采用以下授权方式: Creative Commons Attribution-ShareAlike 3.0 License