The menace came from below - Hack.lu

More documents

Recommendations

Info

$\H1B%-12345X@PJL JOB “HackingPrinters”$

Protocol detection implementation in Suricata Based on fixed strings currently, e.g. "GET " for HTTP "probing parser" parses protocol to verify then hands off TCP connection to real parser Protocol detection runs on top of TCP stream reasssembly Éric Leblond, Victor Julien (OISF) The menace came from below Hack.lu 2012 52 / 66
Causing recognition mistake Evading classification If the protocol is not recognized, it can’t be decoded Classification evasion lead to undetected traffic Classification made easy Some protocol can be classified with a single message Sending packet with fake content prior to real one Will lead to recognition mistake Éric Leblond, Victor Julien (OISF) The menace came from below Hack.lu 2012 53 / 66
Page 1 and 2:
The menace came from below Éric Le
Page 3 and 4:
Victor Julien a.k.a Inliniac Dutch
Page 5 and 6:
Suricata Features High performance,
Page 7 and 8:
1 Introduction Netfilter and the Co
Page 9 and 10:
Netfilter Definition Packet filteri
Page 11 and 12:
Application Level Gateway Non-linea
Page 13 and 14:
The example of FTP FTP client Logge
Page 15 and 16:
The example of FTP FTP client Logge
Page 17 and 18:
Details of Netfilter implementation
Page 19 and 20:
Do I use helpers? What happens if I
Page 21 and 22:
Do I use helpers? What happens if I
Page 23 and 24:
Global analysis Sane defaults Dange
Page 25 and 26:
FTP analysis If we follow RFC (loos
Page 27 and 28:
IRC analysis The DCC command DCC co
Page 29 and 30:
Using DCC command Client NATed behi
Page 31 and 32:
Using DCC command Client NATed behi
Page 33 and 34:
Demonstration of DCC usage Video Le
Page 35 and 36:
Objective Determine if it is possib
Page 37 and 38:
Attack description Existing attacks
Page 39 and 40:
Attack description Existing attacks
Page 41 and 42:
Attack description for FTP 1 The at
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Demonstration on Netfilter Video É
Page 49 and 50:
Policy violation We’ve manage to
Page 51 and 52:
Policy violation We’ve manage to
Page 53 and 54: Counter-measures Anti-spoofing is s
Page 55 and 56: Counter-measures Anti-spoofing is s
Page 57 and 58: Checkpoint setup Checkpoint absolut
Page 59 and 60: Demonstration setup Éric Leblond,
Page 61 and 62: Demonstration setup Let’s do a fi
Page 63 and 64: Demonstration Video Let’s have a
Page 65 and 66: Policy violation One managed to ope
Page 67 and 68: There is no problem Swift reaction
Page 69 and 70: Others protocols IRC As discussed b
Page 71 and 72: 1 Introduction Netfilter and the Co
Page 73 and 74: Protection for Netfilter We only ha
Page 81 and 82: IPv6 protection for Netfilter Since
Page 83 and 84: IPv6 protection for Netfilter The b
Page 85 and 86: Suricata Rules Largely compatible w
Page 87 and 88: Suricata Rules Largely compatible w
Page 89 and 90: Counter measures on Suricata FTP in
Page 91 and 92: Detecting overlapping data Rule Att
Page 93 and 94: Detect FTP injection - step 1 Rule
Page 95 and 96: Detect FTP injection - step 3 Rule
Page 97 and 98: Detect FTP injection - port Rule In
Page 99 and 100: Luajit script Simplified Script f u
Page 101 and 102: Protocol analysis: a difficult task
Page 103: Example of nDPI History Originally
Page 107 and 108: Don’t mess with the server Issue
Page 109 and 110: Implementing the attack in opensvp
Page 111 and 112: Attack on nDPI Test used Injection
Page 113 and 114: Detecting very low TTL Example TTL
Page 115 and 116: Future changes in Suricata We’re
Page 117 and 118: Using low layer to attack Low layer
Page 119 and 120: SNMP: Security is Not My Problem Ke
Page 121 and 122: Questions Thanks to Do you have any
show all

The menace came from below - Hack.lu

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?