Third, on behalf of the Chief features: header value (Header Values)
Header value is relatively simple structure, and can clearly identify abnormal header information, so characteristic of data is its chief candidate. A classic example is: set forth in clear violation of RFC793 TCP standard, set TCP SYN and FIN packets marked. This packet used by many intrusion software to firewalls, routers, and IDS systems to attack. The source of abnormal header value of the following:
Because most operating systems and application software is the assumption that RFC is strictly prepared in compliance with the case, did not add the data for the exception error handler, many of the loopholes that contains header value will Guyi use the standard definition of violation of RFC, brazenly discovered attack targets the jerry-building actions. Many of the imperfections of the software contains the error code will also have violated the value of RFC-defined header data. Not all operating systems and applications can fully support the RFC definition, at least there is a lack of coordination with the RFC. Over time, implementation of the new features of the agreement may not be included in the current RFC.
As to the above circumstances, strictly based on the RFC's IDS feature data is likely to produce incomplete or inaccurate results. This, RFC also as new and ongoing violations of the updated information, we need to regularly review or update existing data definition features.
Illegal header value is the feature data of a very basic part of legal but suspicious header values are equally important. For example, if the port 31337 or 27374 of the suspected connection, you can police say may have Trojan horse in the activities; then added a more detailed exploration of other information, we can further judge the true or false Ma Ma.
Fourth, determine the characteristics of "candidate"
To better understand how to develop value based on the special header data, following an example by analyzing the whole process in detail.
Synscan is a popular system for scanning and detection tool, because its code is used to create the beginning of the Ramen worm fragments and steal the show in early 2001. Synscan with the implementation of behavior is typical, it sends packets with a variety of distinguished features, including:
IP address information from different sources
TCP source port 21, destination port 21
Service Type 0
IP identification number 39426 (IP identification number)
SYN and FIN flag set
Different set of serial numbers (sequence numbers set)
Confirmation number of different collections (acknowledgment numbers set)
TCP window size 1028
Here we screened the data above, to see which features more suitable to do data. We are looking for is illegal, unusual or suspicious data, the majority of cases, this all reflects the loopholes exploited by attackers or they use special technology. The following are characteristics of the data candidates:
Only with the SYN and FIN flag set of data packets, which is recognized as signs of malicious behavior.
ACK flag not set, but with different values of the data packet confirmation number, but normally should be 0.
Source port and destination port are set to 21 packets, often associated with the FTP server. Port the same situation that are generally known as "reflexive" (reflexive), in addition to some particular individual, such as NetBIOS when the newsletter, under normal circumstances should not have this phenomenon. "Reflexivity" TCP port itself does not violate the standard, but in most cases they are not expected values. For example, in a normal FTP dialogue, the destination port is usually 21, but the source port is usually higher than 1023.
TCP window size to 1028, IP identification numbers of all packets for 39,426. According to IP RFC's definition, two class rooms in the data value should be different, so, if sustained, would show that the suspicious.
-
Recommended links:
.dvd File
TOP Religion
New accounting standards: fair value is bright spot
About Groovy And Grails
Convert .flac to mp3
.mkv files
Illegal financing secured wore the coat of "wolf"
Antarctic issues of common concern, Kaspersky act as pioneers
Video format
Recruitment of the five categories of behavior can be REPORTED
Middle Figure Painting
AUDIO And Multimedia Specialist
How to make VB do not Echo in the text box
Brief Science Education
For you Games Arcade
How to Ubuntu equipment Chinese character library
