Saturday, January 06, 2007

How to analyze Shorewall Log?

Do you know how to analyze firewall log??? For those whore are interested in network security field, understanding firewall logs is extremely valuable to them. Before this, I stated in my previous article about Shorewall Firewall. In that article, I discussed how to setup simple firewall using Shorewall.
In this article, i will show you how to analyze firewall log in Shorewall. Shorewall is one of the high-level tools for Netfilter. This is a simple reference for the format used by the netfilter log messages. Below is a Shorewall log message generated by netfilter:

Dec 5 01:21:37 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 src= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4923 DF PROTO=TCP SPT=42368 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

Details in sequence of Shorewall log:
  • Dec 5 01:21:37 monitoring12 kernel: -syslog prefix.
  • Shorewall:net2all:DROP -The Shorewall policy and zones defines in /etc/shorewall/policy. The packet was received from outside Internet (net) to any other network or DMZ zone (all) will dropped.
  • IN=eth0 -Interface where the packet was received from. Empty value means locally generated packets.
  • OUT= -Interface where the packet was sent to. Empty value means locally received packets.
  • MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 -Destination MAC: 00:07:e9:f1:9f:85, SourceMAC :00:07:e9:f1:a0:85, Type=08:00 (ethernet frame carried an IPv4 datagram)
  • src= -Source IP address
  • DST= -Destination IP address
  • LEN=60 -Total length of IP packet in bytes
  • TOS=0x00 -Type Of Service, "Type" field. Increasingly being replaced byDS and ECN. Refer to RFC 791 for IP Header info.
  • PREC=0x00 -Type Of Service, "Precedence" field.Increasingly being replaced by DS and ECN. Refer to RFC 791 for IP Header info.
  • TTL=64 -remaining Time To Live (TTL) is 64 hops.
  • ID=4923 -Unique ID for this IP datagram, shared by all fragments if fragmented.
  • DF -"Don't Fragment" flag.
  • PROTO=TCP -Protocol name or number. Netfilter uses names for TCP,UDP,ICMP, AH and ESP. The other protocols are identified by number. List of protocols in /etc/protocols.
  • SPT=42368 -Source port (TCP or UDP port). Refer to /etc/services for port numbers.
  • DPT=22 -Destination port (TCP or UDP port)
  • WINDOW=5840 -The TCP Receive Window size. This may be scaled by bit-shifting left by a number of bits specified in the "Window Scale" TCP option.
  • RES=0x00 -Reserved bits. Refer to RFC 793 for TCP Header Format info.
  • SYN -SYN flag, only exchanged at TCP connection establishment.
  • URGP=0 - The Urgent Pointer allows for urgent, out of band data transfer.
To analyze firewall logs, you must have strong understanding of TCP/IP such as protocol header information. You need to know IP header format (RFC791), TCP header format (RFC793) and UDP header format (RFC768). I think this is simple or quick reference analysis, not details analysis. But this is a good for me to strengthen my knowledge in firewall analysis.

Wednesday, January 03, 2007

Intrusion Detection System (IDS) Evasion Techniques

In this article, i will share with you how an attacker used their technique to evade Intrusion Detection System (IDS). There are many methods to evade or bypass IDS sensors. There are several common techniques that can be used by an attacker to exploit inherent weaknesses in IDS. IDS evasion not only the process of totally concealing an attack but also a technique to disguise an attack to appear less threatening than it really is.
Anomaly-based IDS will monitor network traffic and compare it against an established baseline. The baseline will identify what is “normal” for that network- what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous, or significantly different, than the baseline.
A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag time your IDS would be unable to detect the new threat.
While anomaly-based IDS systems might detect an unknown attack, most signature-based IDS will miss a new exploit if there is no rule written for it. IDS systems must receive vendor signature updates. Even if updates are applied, exploits that are unknown to the IDS vendor will not be caught by the signature-based system. Attackers may also try to evade the IDS by using their techniques, exploits or tools. These evasive techniques include flooding, fragmentation, encryption, and obfuscation.
  • Flooding- IDSs depend on resources such as memory and processor power to effectively capture packets, analyze traffic, and report malicious attacks. By flooding a network with noise traffic, an attacker can cause the IDS to exhaust its resources examining harmless traffic. In the meantime, while the IDS is distracted and occupied by the volume of noise traffic, the attacker can target its system with little or no intervention from the IDS.
  • Fragmentation-Because different network media allow variable maximum transmission units (MTUs), you must allow for the fragmentation of these transmission units into differently sized packets or cells. Hackers can take advantage of this fragmentation by dividing attacking packets into smaller and smaller portions that evade the IDS but cause an attack when reassembled by a target host.
  • Encryption-Network-based intrusion detection (covered later in this chapter) relies on the analysis of traffic that is captured as it traverses the network from a source to its destination. If a hacker can establish an encrypted session with its target host using Secure Shell (SSH), Secure Socket Layer (SSL), or a virtual private network (VPN) tunnel, the IDS cannot analyze the packets and the malicious traffic will be allowed to pass. Obviously, this technique requires that the attacker establish a secure encrypted session with its target host.
  • Obfuscation-Obfuscation, an increasingly popular evasive technique, involves concealing an attack with special characters. It can use control characters such as the space, tab, backspace, and Delete. Also, the technique might represent characters in hex format to elude the IDS. Using Unicode representation, where each character has a unique value regardless of the platform, program, or language, is also an effective way to evade IDSs. For example, an attacker might evade an IDS by using the Unicode character c1 to represent a slash for a Web page request.
This article discussed about some of the techniques used by an attacker to evade IDS. There are many other technique used by an attacker to minimize IDS alarm when a given packet or sequence of packets matches the characteristics of known attack. I hope this article will help you understand how an attacker used his technique to attack a system or network without triggered by IDS.

Monday, January 01, 2007

GMail Vulnerable To Contact List Hijacking

The is a vulnerability in GMail contact. By using cross site scripting, it's easy to steal a GMail user’s contact list if you visit a certain type of website. The attack is simple, you have to be logged in to GMail at the time of the attack. Visit this website for more information about this vulnerability:

Firewall Basics

This article is intended to help those newbies to firewalls. It's for people who want to learn and understand about definition of firewall, firewall terminology and types of firewalls. You can read here: