McAfee NSP
NSP
1 McAfee IPS
McAfee IPS
IPS .
2 McAfee IPS
2.1
TCP/IP RFC ( IP/TCP/UDP/SMTP/FTP/HTTP RFC layer 7 layer7 )
edonkey2000 BitTorrent
IM/P2P
P2P
p2p P2P
P2P
P2P
McAfee IPS
QQLive
UDP
QQLive UDP 0x0 0x01-0x02 0x03 McAfee IPS 3d 00 3 0xfe, QQLive PPStream UDP UDP PPStream (big endian) 0x003d , 3 0xfe
43 00
3d 00 43 00 00 11 00 0a 75 49 96 83 b3 cf 1d 6d
00 00 00 73 65 6c 65 63 74 6f 72 32 2e 73 77 66    ...selector2.swf
00 00 2c 00 00 00 04 00 00 01 00 00 00
0x003d 43 00
IP layer7
2.2
McAfee McAfee IPS 2.2.1 McAfee IPS
McAfee IPS
http
Excel
[Figure: screenshot; only label fragments survived extraction (Excel, Content-Type, TYPE)]
http
http
Content-Type
McAfee IPS
McAfee
IPS McAfee
2.3
TCP
UDP
2.4
http UDP IP UDP IP HTTP P2P
2.5
IPS IPS McAfee IPS
2.6
McAfee IPS McAfee IPS artemis IPS IPS IPS TrustedSource IPS Artemis TrustedSource IPS IPS TrustedSource Artemis McAfee
2.7
IPS SNORT snort :
snort
http
cgi-bin/phf
TCP
Snort
3 McAfee IPS
(Network Intrusion Prevention System)
. NIPS
3.1
McAfee IPS Intelligence McAfee Lab: McAfee Lab 350 McAfee Lab
:
GTI Global Threat
GTI
McAfee -
GTI ,GTI
sensor
GTI
3.1.1
McAfee IPS NSS 100M 99.4% 1G McAfee IPS McAfee IPS 10G 1 NSS 77.7% IPS McAfee NIPS
3.2
McAfee IPS McAfee NIPS M McAfee IPS x NSS McAfee G IPS McAfee IPS G NIPS
4
McAfee IPS IPS
NSS evasion test summary: McAfee IPS 100%

ID      Evasion technique                                                                                       Result
5.3     Evasion                                                                                                 PASS
5.3.1   Evasion                                                                                                 PASS
5.4     Packet Fragmentation                                                                                    PASS
5.4.1   Ordered 8 byte fragments                                                                                PASS
5.4.2   Ordered 24 byte fragments                                                                               PASS
5.4.3   Out of order 8 byte fragments                                                                           PASS
5.4.4   Ordered 8 byte fragments, duplicate last packet                                                         PASS
5.4.5   Out of order 8 byte fragments, duplicate last packet                                                    PASS
5.4.6   Ordered 8 byte fragments, reorder fragments in reverse                                                  PASS
5.4.7   Ordered 16 byte frags, fragment overlap (favor new)                                                     PASS
5.4.8   Ordered 16 byte frags, fragment overlap (favor old)                                                     PASS
5.4.9   Out of order 8 byte fragments, interleaved duplicate packets scheduled for later delivery               PASS
5.5     Stream Segmentation                                                                                     PASS
5.5.1   Ordered 1 byte segments, interleaved duplicate segments with invalid TCP checksums                      PASS
5.5.2   Ordered 1 byte segments, interleaved duplicate segments with null TCP control flags                     PASS
5.5.3   Ordered 1 byte segs, interleaved duplicate segments with requests to resync sequence numbers mid-stream PASS
5.5.4   Ordered 1 byte segments, duplicate last packet                                                          PASS
5.5.5   Ordered 2 byte segments, segment overlap (favor new)                                                    PASS
5.5.6   Ordered 1 byte segments, interleaved duplicate segments with out-of-window sequence numbers             PASS
5.5.7   Out of order 1 byte segments                                                                            PASS
5.5.8   Out of order 1 byte segments, interleaved duplicate segments with faked retransmits                     PASS
5.5.9   Ordered 1 byte segments, segment overlap (favor new)                                                    PASS
5.5.10  Out of order 1 byte segs, PAWS elimination (interleaved dup segs with older TCP timestamp options)      PASS
5.5.11  Ordered 16 byte segs, seg overlap (favor new (Unix))                                                    PASS
5.6     RPC Fragmentation                                                                                       PASS
5.6.1   One-byte fragmentation (ONC)                                                                            PASS
5.6.2   Two-byte fragmentation (ONC)                                                                            PASS
5.6.3   All fragments, including Last Fragment (LF) will be sent in one TCP segment (ONC)                       PASS
5.6.4   All frags except Last Fragment (LF) will be sent in one TCP segment. LF will be sent in separate TCP seg (ONC)  PASS
5.6.5   One RPC fragment will be sent per TCP segment (ONC)                                                     PASS
5.6.6   One LF split over more than one TCP segment. In this case no RPC fragmentation is performed (ONC)       PASS
5.6.7   Canvas Reference Implementation Level 1 (MS)                                                            PASS
5.6.8   Canvas Reference Implementation Level 2 (MS)                                                            PASS
5.6.9   Canvas Reference Implementation Level 3 (MS)                                                            PASS
5.6.10  Canvas Reference Implementation Level 4 (MS)                                                            PASS
5.6.11  Canvas Reference Implementation Level 5 (MS)                                                            PASS
5.6.12  Canvas Reference Implementation Level 6 (MS)                                                            PASS
5.6.13  Canvas Reference Implementation Level 7 (MS)                                                            PASS
5.6.14  Canvas Reference Implementation Level 8 (MS)                                                            PASS
5.6.15  Canvas Reference Implementation Level 9 (MS)                                                            PASS
5.6.16  Canvas Reference Implementation Level 10 (MS)                                                           PASS
5.7     URL Obfuscation                                                                                         PASS
5.7.1   URL encoding - Level 1 (minimal)                                                                        PASS
5.7.2   URL encoding - Level 2                                                                                  PASS
5.7.3   URL encoding - Level 3                                                                                  PASS
5.7.4   URL encoding - Level 4                                                                                  PASS
5.7.5   URL encoding - Level 5                                                                                  PASS
5.7.6   URL encoding - Level 6                                                                                  PASS
5.7.7   URL encoding - Level 7                                                                                  PASS
5.7.8   URL encoding - Level 8 (extreme)                                                                        PASS
5.7.9   Premature URL ending                                                                                    PASS
5.7.10  Long URL                                                                                                PASS
-       Fake parameter                                                                                          PASS
-       TAB separation                                                                                          PASS
-       Case sensitivity                                                                                        PASS
-       Windows \ delimiter                                                                                     PASS
-       Session splicing                                                                                        PASS
5.8     FTP Evasion                                                                                             PASS
-       Inserting spaces in FTP command lines                                                                   PASS
-       Inserting non-text Telnet opcodes - Level 1 (minimal)                                                   PASS
-       Inserting non-text Telnet opcodes - Level 2                                                             PASS
-       Inserting non-text Telnet opcodes - Level 3                                                             PASS
-       Inserting non-text Telnet opcodes - Level 4                                                             PASS
-       Inserting non-text Telnet opcodes - Level 5                                                             PASS
-       Inserting non-text Telnet opcodes - Level 6                                                             PASS
-       Inserting non-text Telnet opcodes - Level 7                                                             PASS
-       Inserting non-text Telnet opcodes - Level 8 (extreme)                                                   PASS