Intrushield NSP Technical White Paper v8 - Li Ming

McAfee IPS technical Brief
McAfee NSP
NSP
1 McAfee IPS
McAfee IPS
>7\SHWH[W@
3DJH
IPS .
2 McAfee IPS
2.1
TCP/IP RFC ( IP/TCP/UDP/SMTP/FTP/HTTP RFC layer 7 layer7 )
edonkey2000 BitTorrent
IM/P2P
P2P
Winny P2P QQLive PPStream
p2p P2P
P2P
P2P
McAfee IPS
QQLive
UDP
>7\SHWH[W@
3DJH
QQLive UDP 0x0 0x01-0x02 0x03McAfee IPS 3d 00 3 0xfe, QQLive PPStream UDP UDP PPStream (big endian) 0x003d , 3 0xfe
0x0-0x01 0x02-0x03 0x0300001404 00001414 00001424 00001434

>7\SHWH[W@
43 00
3d 00 43 00 00 11 00 0a 75 49 96 83 b3 cf 1d 6d
c3 e5 01 4b ed 05 81 96 =.C..... ...K.... 40 c1 f2 3e 28 f3 41 08 uI.....m @..>(.A.
00 00 00 73 65 6c 65 63 74 6f 72 32 2e 73 77 66 ...selec tor2.swf 00 00 2c 00 00 00 04 00 00 01 00 00 00
3DJH
0x0-0x01 0x02-0x03 . layer7
0x003d 43 00
udp PPStream UDP
IP layer7
2.2
McAfee McAfee IPS 2.2.1 McAfee IPS
MS06-012 Excel excel snort
McAfee IPS
http
Excel
Http Rsp Parsing Init
Rsp Header Parsing
>7\SHWH[W@
Msg Body Trunked? No No Genearl Rsp Msg Body Parsing
Yes Yes
3DJH
Trunked Msg Body Parsing
Exc l
rsi
Exc l tr ct r
r I f
rsi
rksh
rsi
c r T p
c r
c r
c r
TY E
http
http
>7\SHWH[W@

c r

3DJH
http http http excel excel
Content-Type
application/vnd.ms-excel excel excel
>7\SHWH[W@
3DJH
McAfee IPS excel excel Name record excel
excel d0 cf 11 e0 a1 b1 1a e1 508 worksheet Name record McAfee McAfeeIPS 80
>7\SHWH[W@
3DJH
2.2.2 Oracle TNS
McAfee IPS
2.2.3 MS08-067 McAfee Conficker Conficker
McAfee IPS McAfee IPS
McAfee
>7\SHWH[W@
3DJH
IPS McAfee
2.3
TCP
UDP
2.4
http UDP IP UDP IP HTTP P2P
2.5
IPS IPS McAfee IPS
DDOS Botnet Botnet DDOS DDOS Botnet
2.6
McAfee IPS McAfee IPS artemis IPS IPS IPS TrustedSource IPS Artemis TrustedSource IPS IPS TrustedSource Artemis McAfee
>7\SHWH[W@
3DJH
2.7
IPS SNORT snort :
alert tcp any any -> 192.168.1.0/24 80 (content:"cgi-bin/phf";offset:3;depth:22;msg:"CGI-PHF access";)
snort
http
cgi-bin/phf
TCP
McAfee IPS P2P
Snort
>7\SHWH[W@
3DJH
3 McAfee IPS
(Network Intrusion Prevention System)
. NIPS
3.1
McAfee IPS Intelligence McAfee Lab: McAfee Lab 350 McAfee Lab
:
GTI Global Threat
30 McAfee Lab McAfee IPS 100
GTI
Global Threat Intelligence (GTI) web message McAfee
McAfee -
GTI ,GTI
sensor
GTI
3.1.1
>7\SHWH[W@
3DJH
0F$IHH,36 166 100M 99.4% 1G McAfee IPS 0F$IHH,36 10G 1 NSS 77.7% IPS McAfee NIPS
3.2
0F$IHH,36 0F$IHH 1,36 0 0F$IHH ,36 [ 166 0F$IHH * ,36 0F$IHH,36 * 1,36
>7\SHWH[W@
3DJH
>7\SHWH[W@
3DJH
4
McAfee IPS IPS
5.3 PASS 5.4 PASS PASS PASS PASS PASS PASS PASS PASS PASS 5.4.1 5.4.2 5.4.3 5.4.4 5.4.5 5.4.6 5.4.7 5.4.8 5.4.9 5.3.1 Evasion Evasion Packet Fragmentation Ordered 8 byte fragments Ordered 24 byte fragments Out of order 8 byte fragments Ordered 8 byte fragments, duplicate last packet Out of order 8 byte fragments, duplicate last packet Ordered 8 byte fragments, reorder fragments in reverse Ordered 16 byte frags, fragment overlap (favor new) Ordered 16 byte frags, fragment overlap (favor old) Out of order 8 byte fragments, interleaved duplicate packets scheduled for later delivery 5.5 PASS 5.5.1 Stream Segmentation Ordered 1 byte segments, interleaved duplicate segments with invalid TCP checksums PASS 5.5.2 Ordered 1 byte segments, interleaved duplicate segments with null TCP control flags PASS 5.5.3 Ordered 1 byte segs, interleaved duplicate segments with requests to resync sequence numbers mid-stream PASS PASS PASS 5.5.4 5.5.5 5.5.6 Ordered 1 byte segments, duplicate last packet Ordered 2 byte segments, segment overlap (favor new) Ordered 1 byte segments, interleaved duplicate segments with out-of-window sequence numbers PASS PASS 5.5.7 5.5.8 Out of order 1 byte segments Out of order 1 byte segments, interleaved duplicate segments with faked retransmits PASS PASS
>7\SHWH[W@
IPS
100%
NSS
McAfee
100%
100% 100% 100% 100% 100% 100% 100% 100% 100%
100%
100%
100%
100% 100% 100%
100% 100%
5.5.9 5.5.10
Ordered 1 byte segments, segment overlap (favor new) Out of order 1 byte segs, PAWS elimination (interleaved dup
100% 100%
3DJH
segs with older TCP timestamp options) PASS 5.6 PASS PASS PASS 5.6.1 5.6.2 5.6.3 5.5.11 Ordered 16 byte segs, seg overlap (favor new (Unix)) RPC Fragmentation One-byte fragmentation (ONC) Two-byte fragmentation (ONC) All fragments, including Last Fragment (LF) will be sent in one TCP segment (ONC) PASS 5.6.4 All frags except Last Fragment (LF) will be sent in one TCP segment. LF will be sent in separate TCP seg (ONC) PASS PASS 5.6.5 5.6.6 One RPC fragment will be sent per TCP segment (ONC) One LF split over more than one TCP segment. In this case no RPC fragmentation is performed (ONC) PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS 5.7 PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS
>7\SHWH[W@
100%
100% 100% 100%
100%
100% 100%
5.6.7 5.6.8 5.6.9 5.6.10 5.6.11 5.6.12 5.6.13 5.6.14 5.6.15 5.6.16
Canvas Reference Implementation Level 1 (MS) Canvas Reference Implementation Level 2 (MS) Canvas Reference Implementation Level 3 (MS) Canvas Reference Implementation Level 4 (MS) Canvas Reference Implementation Level 5 (MS) Canvas Reference Implementation Level 6 (MS) Canvas Reference Implementation Level 7 (MS) Canvas Reference Implementation Level 8 (MS) Canvas Reference Implementation Level 9 (MS) Canvas Reference Implementation Level 10 (MS) URL Obfuscation
100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
5.7.1 5.7.2 5.7.3 5.7.4 5.7.5 5.7.6 5.7.7 5.7.8 5.7.9 5.7.10
URL encoding - Level 1 (minimal) URL encoding - Level 2 URL encoding - Level 3 URL encoding - Level 4 URL encoding - Level 5 URL encoding - Level 6 URL encoding - Level 7 URL encoding - Level 8 (extreme) Premature URL ending Long URL
100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
3DJH
PASS PASS PASS PASS PASS 5.8 PASS PASS PASS PASS PASS PASS PASS PASS PASS
5.7.11 5.7.12 5.7.13 5.7.14 5.7.15
Fake parameter TAB separation Case sensitivity Windows \ delimiter Session splicing FTP Evasion
100% 100% 100% 100% 100%
5.8.1 5.8.2 5.8.3 5.8.4 5.8.5 5.8.6 5.8.7 5.8.8 5.8.9
Inserting spaces in FTP command lines Inserting non-text Telnet opcodes - Level 1 (minimal) Inserting non-text Telnet opcodes - Level 2 Inserting non-text Telnet opcodes - Level 3 Inserting non-text Telnet opcodes - Level 4 Inserting non-text Telnet opcodes - Level 5 Inserting non-text Telnet opcodes - Level 6 Inserting non-text Telnet opcodes - Level 7 Inserting non-text Telnet opcodes - Level 8 (extreme)
100% 100% 100% 100% 100% 100% 100% 100% 100%
>7\SHWH[W@
3DJH

Intrushield NSP Technical White Paper v8 - Li Ming

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Intrushield NSP Technical White Paper v8 - Li Ming

Enviado por

Direitos autorais:

Formatos disponíveis

McAfee IPS technical Brief

Winny P2P QQLive PPStream

0x0-0x01 0x02-0x03 0x0300001404 00001414 00001424 00001434

c3 e5 01 4b ed 05 81 96 =.C..... ...K.... 40 c1 f2 3e 28 f3 41 08 uI.....m @..>(.A.

0x0-0x01 0x02-0x03 . layer7

udp PPStream UDP

MS06-012 Excel excel snort

Http Rsp Parsing Init

Rsp Header Parsing

Msg Body Trunked? No No Genearl Rsp Msg Body Parsing

Trunked Msg Body Parsing

http http http excel excel

application/vnd.ms-excel excel excel

McAfee IPS excel excel Name record excel

excel d0 cf 11 e0 a1 b1 1a e1 508 worksheet Name record McAfee McAfeeIPS 80

2.2.2 Oracle TNS

2.2.3 MS08-067 McAfee Conficker Conficker

McAfee IPS McAfee IPS

DDOS Botnet Botnet DDOS DDOS Botnet

alert tcp any any -> 192.168.1.0/24 80 (content:"cgi-bin/phf";offset:3;depth:22;msg:"CGI-PHF access";)

McAfee IPS P2P

30 McAfee Lab McAfee IPS 100

Global Threat Intelligence (GTI) web message McAfee

100% 100% 100% 100% 100% 100% 100% 100% 100%

100% 100% 100%

100% 100% 100%

5.7.11 5.7.12 5.7.13 5.7.14 5.7.15

100% 100% 100% 100% 100%

5.8.1 5.8.2 5.8.3 5.8.4 5.8.5 5.8.6 5.8.7 5.8.8 5.8.9

100% 100% 100% 100% 100% 100% 100% 100% 100%

Você também pode gostar