The menace came from below - Hack.lu

More documents

Recommendations

Info

$\H1B%-12345X@PJL JOB “HackingPrinters”$

Application Level Gateway Non-linear protocol One can find protocols such as FTP or SIP: They rely on a signalling channel. It is used to setup dynamic connections. Application Level Gateway (ALG) ALGs search the traffic for command messages. They extract information on the expected connections. Each expectation: includes information on a potential connection. is associated to a timeout. New connection matching an expectation can be accepted. Éric Leblond, Victor Julien (OISF) The menace came from below Hack.lu 2012 9 / 66
The example of FTP FTP client Logged i n to f t p . l i p 6 . f r . n c f t p / > l s etc / j u s s i e u / l i p 6 / Tcpdump 195.83.118.1.21 > 10.62.101.203.52994 195.83.118.1.21 > 10.62.101.203.52994 10.62.101.203.57636 > 195.83.118.1.51155 10.62.101.203.52994 > 195.83.118.1.21 195.83.118.1.51155 > 10.62.101.203.57636 Éric Leblond, Victor Julien (OISF) The menace came from below Hack.lu 2012 10 / 66
Page 1 and 2: The menace came from below Éric Le
Page 3 and 4: Victor Julien a.k.a Inliniac Dutch
Page 5 and 6: Suricata Features High performance,
Page 7 and 8: 1 Introduction Netfilter and the Co
Page 9 and 10: Netfilter Definition Packet filteri
Page 11: Application Level Gateway Non-linea
Page 15 and 16: The example of FTP FTP client Logge
Page 17 and 18: Details of Netfilter implementation
Page 19 and 20: Do I use helpers? What happens if I
Page 21 and 22: Do I use helpers? What happens if I
Page 23 and 24: Global analysis Sane defaults Dange
Page 25 and 26: FTP analysis If we follow RFC (loos
Page 27 and 28: IRC analysis The DCC command DCC co
Page 29 and 30: Using DCC command Client NATed behi
Page 31 and 32: Using DCC command Client NATed behi
Page 33 and 34: Demonstration of DCC usage Video Le
Page 35 and 36: Objective Determine if it is possib
Page 37 and 38: Attack description Existing attacks
Page 39 and 40: Attack description Existing attacks
Page 41 and 42: Attack description for FTP 1 The at
Page 47 and 48: Demonstration on Netfilter Video É
Page 49 and 50: Policy violation We’ve manage to
Page 51 and 52: Policy violation We’ve manage to
Page 53 and 54: Counter-measures Anti-spoofing is s
Page 55 and 56: Counter-measures Anti-spoofing is s
Page 57 and 58: Checkpoint setup Checkpoint absolut
Page 59 and 60: Demonstration setup Éric Leblond,
Page 61 and 62: Demonstration setup Let’s do a fi
Page 63 and 64:
Demonstration Video Let’s have a
Page 65 and 66:
Policy violation One managed to ope
Page 67 and 68:
There is no problem Swift reaction
Page 69 and 70:
Others protocols IRC As discussed b
Page 71 and 72:
1 Introduction Netfilter and the Co
Page 73 and 74:
Protection for Netfilter We only ha
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
IPv6 protection for Netfilter Since
Page 83 and 84:
IPv6 protection for Netfilter The b
Page 85 and 86:
Suricata Rules Largely compatible w
Page 87 and 88:
Suricata Rules Largely compatible w
Page 89 and 90:
Counter measures on Suricata FTP in
Page 91 and 92:
Detecting overlapping data Rule Att
Page 93 and 94:
Detect FTP injection - step 1 Rule
Page 95 and 96:
Detect FTP injection - step 3 Rule
Page 97 and 98:
Detect FTP injection - port Rule In
Page 99 and 100:
Luajit script Simplified Script f u
Page 101 and 102:
Protocol analysis: a difficult task
Page 103 and 104:
Example of nDPI History Originally
Page 105 and 106:
Causing recognition mistake Evading
Page 107 and 108:
Don’t mess with the server Issue
Page 109 and 110:
Implementing the attack in opensvp
Page 111 and 112:
Attack on nDPI Test used Injection
Page 113 and 114:
Detecting very low TTL Example TTL
Page 115 and 116:
Future changes in Suricata We’re
Page 117 and 118:
Using low layer to attack Low layer
Page 119 and 120:
SNMP: Security is Not My Problem Ke
Page 121 and 122:
Questions Thanks to Do you have any
show all

The menace came from below - Hack.lu

Create successful ePaper yourself

Delete template?

Save as template?