Workshop in
Information Security:
Building a Firewall within the Linux Kernel
0368-3500-34, Spring 2015
Lecturer: Eran Tromer
Teaching assistant: Roei Ben Harush
Student: Lior Bomwurzel
General description
• A kernel module that inspects packets using Netfilter: every packet that traverses the NF_INET_FORWARD hook is inspected by its IP header, its TCP flags and its payload.
• Stateless packet inspection against a static rule table, for packets that are not part of an open connection.
• Stateful packet inspection for TCP packets: we check that the TCP flow and the application protocols on top of it (HTTP and FTP) behave correctly.
• Vulnerability checks: every packet of an open connection is checked for leaked C source code (DLP) and for the Webster and Zabbix vulnerabilities.
Stateless packet inspection
• Each packet that is not part of an open connection is matched against the static rule table on source/destination IP, source/destination port, protocol and direction.
• If a rule matches, the rule number is logged as the packet's reason and the rule's action (accept or drop) is applied to the packet.
• If the matching rule accepts the packet and the protocol is TCP, we create a new dynamic connection and follow its flow in the stateful packet inspection.
• If no rule matches, the packet is dropped with the reason REASON_NO_MATCHING_RULE.
Stateful packet inspection
I define a state machine that follows the TCP flow of each connection and the state of the application protocol running over it.
For a new connection (the first TCP packet accepted by the stateless inspection) I open a new dynamic connection. The direction of the connection is defined by the side that started it, and the connection protocol is initially set to TCP.
• State TCP_SYN (0): the first attempt to establish a TCP connection (handled in handle_static_inspection). If the SYN flag is set and the connection is approved by the static rule table, we open a new connection and start a 25-second timer within which the handshake must finish.
• State TCP_SYN_ACK (1): the second side sent SYN ACK.
• State OPEN_CONN (2): the first side sent ACK. We cancel the timer; the handshake is complete and the connection stays open until the end of the session.
• States END_SERVER (3) and END_CLIENT (5): a packet with the FIN flag arrives while the connection is in OPEN_CONN or later. The state moves to 3 or 5 depending on which side sent the FIN.
• States 4 and 6 (logical stages): a FIN has now arrived from the other side as well. We start the timer again to let the last ACK of the TCP termination arrive; if it arrives we delete the connection, and if it does not we delete the connection anyway after 25 seconds.
• State READY_TO_NEW (-1): we already know that the first packet of a new connection is about to arrive with the SYN flag (the entries prepared by the FTP and HTTP handlers below start in this state).
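The state machine described above, as an added userspace model written for this page (it is not the project's kernel code). State numbers follow the slides; the names END_BOTH_SERVER_FIRST and END_BOTH_CLIENT_FIRST for the logical stages 4 and 6, modelling the 25-second timer as a flag, and dropping any packet that does not fit the expected step are assumptions made here.

```c
#include <stdbool.h>
#include <stdio.h>

/* TCP flag bits as found in the flags byte of the TCP header. */
#define FLAG_FIN 0x01
#define FLAG_SYN 0x02
#define FLAG_ACK 0x10

/* States numbered as on the slides; the names of 4 and 6 are assumptions
 * (the "logical" stages where both sides have sent FIN). */
enum conn_state {
    READY_TO_NEW = -1, TCP_SYN = 0, TCP_SYN_ACK = 1, OPEN_CONN = 2,
    END_SERVER = 3, END_BOTH_SERVER_FIRST = 4,   /* server sent FIN first */
    END_CLIENT = 5, END_BOTH_CLIENT_FIRST = 6    /* client sent FIN first */
};
enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

struct conn {
    enum conn_state state;
    bool timer_armed;   /* stands in for the 25-second kernel timer */
    bool deleted;       /* entry would be removed from the dynamic table */
};

struct conn conn_new(void)
{
    struct conn c = { READY_TO_NEW, false, false };
    return c;
}

/* Advance one connection by one packet. from_client is true for packets in
 * the direction of the side that sent the first SYN. A packet that does not
 * fit the expected step is dropped (assumption: the slides only describe the
 * accepted path). */
enum verdict conn_step(struct conn *c, bool from_client, unsigned flags)
{
    bool syn = (flags & FLAG_SYN) != 0, ack = (flags & FLAG_ACK) != 0,
         fin = (flags & FLAG_FIN) != 0;

    if (c->deleted)
        return VERDICT_DROP;
    switch (c->state) {
    case READY_TO_NEW:                    /* expect the client's SYN */
        if (!from_client || !syn || ack) break;
        c->state = TCP_SYN;
        c->timer_armed = true;            /* 25 s to finish the handshake */
        return VERDICT_ACCEPT;
    case TCP_SYN:                         /* expect the server's SYN ACK */
        if (from_client || !syn || !ack) break;
        c->state = TCP_SYN_ACK;
        return VERDICT_ACCEPT;
    case TCP_SYN_ACK:                     /* expect the client's ACK */
        if (!from_client || syn || !ack) break;
        c->state = OPEN_CONN;
        c->timer_armed = false;           /* handshake done, timer cancelled */
        return VERDICT_ACCEPT;
    case OPEN_CONN:                       /* data flows; a FIN starts teardown */
        if (fin) c->state = from_client ? END_CLIENT : END_SERVER;
        return VERDICT_ACCEPT;
    case END_SERVER:                      /* wait for the client's FIN */
        if (fin && from_client) { c->state = END_BOTH_SERVER_FIRST; c->timer_armed = true; }
        return VERDICT_ACCEPT;
    case END_CLIENT:                      /* wait for the server's FIN */
        if (fin && !from_client) { c->state = END_BOTH_CLIENT_FIRST; c->timer_armed = true; }
        return VERDICT_ACCEPT;
    case END_BOTH_SERVER_FIRST:           /* last ACK must come from the server */
        if (!from_client && ack && !fin) c->deleted = true;
        return VERDICT_ACCEPT;
    case END_BOTH_CLIENT_FIRST:           /* last ACK must come from the client */
        if (from_client && ack && !fin) c->deleted = true;
        return VERDICT_ACCEPT;
    }
    return VERDICT_DROP;
}

/* Timer callback: an unfinished handshake or teardown is removed either way. */
void conn_timer_expired(struct conn *c)
{
    if (c->timer_armed)
        c->deleted = true;
}

int main(void)
{
    struct conn c = conn_new();
    conn_step(&c, true, FLAG_SYN);
    conn_step(&c, false, FLAG_SYN | FLAG_ACK);
    conn_step(&c, true, FLAG_ACK);
    printf("after handshake: state=%d timer_armed=%d\n", c.state, c.timer_armed);
    return 0;
}
```

Keeping the handshake and the teardown under a timer is what bounds the dynamic table: a peer that sends a SYN and never finishes, or never sends the last ACK, cannot pin an entry forever.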
• FTP:
1) The server must send, from port 21, data containing 220 (server ready for a new client). We move the state to FTP_READY_TO_CLIENT and set the protocol to FTP_PROT.
2) We consider the session successfully established when the server sends 230 in the data, and move the state to FTP_ACCEPT_CLIENT.
3) In that state we parse the data to find a PORT command from the client, which announces where the data connection will be opened.
4) If we find a PORT command we open a new dynamic connection on the IPs and ports the protocol defines, with state READY_TO_NEW (-1) and protocol FTP_PROT.
• HTTP: a session is classified as HTTP when the client sends data to port 80 containing the string "GET"; we then move the connection to state HTTP_GET_REQUEST. In that state we parse the data for an HTTP redirect ("HTTP/1.1 3"), which means a new connection will be opened. I prepare a slot in the dynamic connection table whose source IP and port are "any" (so the firewall can protect several hosts), whose destination is the IP and port taken from the redirect, whose protocol is HTTP_PROT and whose state is READY_TO_NEW (-1). After the first packet matches this entry I replace the "any" source with the source IP and port of that packet.
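Step 4 of the FTP handling above, as an added example written for this page (not the project's parser): it decodes the client's active-mode PORT command and builds the READY_TO_NEW entry for the data connection. Assumptions made here: the server's data connection originates from port 20 (the RFC 959 default), the PORT command must start a command line, and, as a hardening step the slides do not mention, the advertised IP must equal the client's own IP so the firewall does not open a path to a third host (the classic FTP bounce). The commands are constructed samples.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FTP_DATA_PORT      20    /* RFC 959 default source port of the server's data connection */
#define STATE_READY_TO_NEW (-1)  /* the slides' READY_TO_NEW state */

struct endpoint { uint32_t ip; uint16_t port; };

/* The dynamic-table entry the firewall would prepare for the data connection. */
struct expected_conn {
    uint32_t src_ip;  uint16_t src_port;   /* server side: connects from port 20 */
    uint32_t dst_ip;  uint16_t dst_port;   /* client side: the advertised endpoint */
    int state;                             /* READY_TO_NEW: first packet must be a SYN */
};

/* Parse an active-mode "PORT h1,h2,h3,h4,p1,p2" command that starts a command
 * line. Returns false for anything that is not a well-formed PORT command. */
bool ftp_parse_port(const char *payload, struct endpoint *out)
{
    const char *p = strstr(payload, "PORT ");
    if (!p || (p != payload && p[-1] != '\n'))   /* must begin a command line */
        return false;

    unsigned v[6];
    int consumed = 0;
    if (sscanf(p + 5, "%u,%u,%u,%u,%u,%u%n",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &consumed) != 6)
        return false;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)                            /* every field is one byte */
            return false;
    const char *rest = p + 5 + consumed;
    if (*rest != '\0' && *rest != '\r' && *rest != '\n')
        return false;                              /* trailing junk after the numbers */

    out->ip   = (v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    out->port = (uint16_t)((v[4] << 8) | v[5]);
    return true;
}

/* Build the entry for the connection the server will open towards the client.
 * Refuses an endpoint on a host other than the control connection's client
 * (FTP bounce): a hardening choice of this example, not something the slides state. */
bool ftp_expected_data_conn(uint32_t server_ip, uint32_t client_ip,
                            const struct endpoint *advertised, struct expected_conn *out)
{
    if (advertised->ip != client_ip)
        return false;
    out->src_ip = server_ip;       out->src_port = FTP_DATA_PORT;
    out->dst_ip = advertised->ip;  out->dst_port = advertised->port;
    out->state  = STATE_READY_TO_NEW;
    return true;
}

int main(void)
{
    struct endpoint ep;
    /* Constructed client command: announces 10.0.0.5, port 4*256 + 1 = 1025. */
    if (ftp_parse_port("PORT 10,0,0,5,4,1\r\n", &ep))
        printf("data endpoint %u.%u.%u.%u:%u\n", ep.ip >> 24, (ep.ip >> 16) & 255,
               (ep.ip >> 8) & 255, ep.ip & 255, ep.port);
    return 0;
}
```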
General concept
• The DLP check for C code compares the number of words in the packet with a weight computed from the rules below.
• If the weight is higher than the number of words, the packet is dropped and logged as DLP, and the connection is deleted.
• Each weight from the weight rules is multiplied by the number of brace pairs ("{ }") surrounding the match, plus one.
Weight rules
1. I search for the patterns #include and #define as follows: #include must consist of exactly 2 words, and the second word must end with .h or .c; #define must consist of exactly 3 words. Each matching #include or #define weighs its number of words multiplied by 5. The code of this rule is in the weight_macros function.
2. Each line matching the pattern print#(#"#"); or scan#(#"#"); (# stands for any run of characters) counts as the number of words the pattern spans from start to end. For each %d, %s or \n inside the pattern I increase the weight by one. The code of this rule is in the weight_known_pattern function.
3. Each line matching the pattern if#(#), for#(#;#;#) or while#(#) counts as the number of words the pattern spans from start to end. For each ==, <, >, && or || inside the pattern I increase the weight by one. The code of this rule is in the weight_flow function.
4. Each ";" weighs 1 and each "->" weighs 2.
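Rules 1 and 4, the brace multiplier and the drop decision, as an added userspace scorer written for this page (it is not the project's weight_macros code). Rules 2 and 3 (the printf/scanf and if/for/while patterns) are left out. Assumptions made here: brace depth is counted across the whole payload, and a closing > or " after a header name is ignored when checking the .h/.c suffix. Both sample payloads are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MACRO_WORD_WEIGHT 5   /* rule 1: words * 5 */
#define SEMICOLON_WEIGHT  1   /* rule 4 */
#define ARROW_WEIGHT      2   /* rule 4 */

/* Whitespace-separated words in [s, s+len). */
static int count_words(const char *s, size_t len)
{
    int words = 0;
    bool in_word = false;
    for (size_t i = 0; i < len; i++) {
        bool ws = isspace((unsigned char)s[i]) != 0;
        if (!ws && !in_word) words++;
        in_word = !ws;
    }
    return words;
}

/* Rule 1: "#include X" with exactly 2 words and X ending in .h/.c, or "#define A B"
 * with exactly 3 words. A closing '>' or '"' after the header name is ignored
 * (assumption: the slides do not say how <stdio.h> is treated). */
static int weight_macros(const char *line, size_t len, int words)
{
    if (len >= 8 && strncmp(line, "#include", 8) == 0 && words == 2) {
        size_t end = len;
        while (end > 0 && isspace((unsigned char)line[end - 1])) end--;
        if (end > 0 && (line[end - 1] == '>' || line[end - 1] == '"')) end--;
        if (end >= 2 && (strncmp(line + end - 2, ".h", 2) == 0 ||
                         strncmp(line + end - 2, ".c", 2) == 0))
            return 2 * MACRO_WORD_WEIGHT;
        return 0;
    }
    if (len >= 7 && strncmp(line, "#define", 7) == 0 && words == 3)
        return 3 * MACRO_WORD_WEIGHT;
    return 0;
}

/* Score a payload line by line. Brace depth is tracked across the whole payload
 * and every hit is multiplied by (depth + 1): the number of enclosing "{ }"
 * pairs plus one. Returns the weight; *words_out receives the word count. */
int dlp_weight(const char *payload, int *words_out)
{
    int weight = 0, words = 0, depth = 0;
    const char *p = payload;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        int line_words = count_words(p, len);
        words  += line_words;
        weight += weight_macros(p, len, line_words) * (depth + 1);
        for (size_t i = 0; i < len; i++) {           /* rule 4 and brace tracking */
            if (p[i] == '{')
                depth++;
            else if (p[i] == '}' && depth > 0)
                depth--;
            else if (p[i] == ';')
                weight += SEMICOLON_WEIGHT * (depth + 1);
            else if (p[i] == '-' && i + 1 < len && p[i + 1] == '>') {
                weight += ARROW_WEIGHT * (depth + 1);
                i++;
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    *words_out = words;
    return weight;
}

/* The slides' verdict: drop when the weight exceeds the number of words. */
bool dlp_should_drop(const char *payload)
{
    int words;
    int weight = dlp_weight(payload, &words);
    return weight > words;
}

/* Constructed sample payloads: a small C program and an ordinary message. */
static const char SAMPLE_C_CODE[] =
    "#include <stdio.h>\n#define MAX 10\nint main() {\n"
    "    int x = 1;\n    return x;\n}\n";
static const char SAMPLE_TEXT[] =
    "Hello, this is a normal message; see you -> tomorrow\n";

int main(void)
{
    int words, weight = dlp_weight(SAMPLE_C_CODE, &words);
    printf("weight=%d words=%d drop=%d\n", weight, words, dlp_should_drop(SAMPLE_C_CODE));
    return 0;
}
```

For the C sample the score is 10 (#include) + 15 (#define) + 2 + 2 (two ";" one brace deep) = 29 against 15 words, so it is dropped; the plain message scores 3 against 10 words and passes.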
DLP inspection example
(The slide annotates a sample C payload line by line; the payload itself is a screenshot and is not reproduced here. The per-line weights shown on the slide:)
2*5      #include with 2 words, the last ending in .h
0        last word does not end in .h or .c
0        #define with more than 3 words
3*5      #define with 3 words
0        not in the right pattern
2        ->
5+3      number of words + special characters
0        no ; at the end
1*2      inside { }, one word
0
2*3      inside {{ }}, equals 2
0
(4+3)*2  inside { }, 4 words + 3 special characters
0
Sum = 10+15+2+8+2+6+14 = 57
Number of words = 31
57 > 31, so the packet is dropped.
DLP inspection example (screenshot slide)
Webster vulnerability (screenshot slides):
• Reply to a normal-sized URL that is not found
• Code flow
• Vulnerability
• Flow in OllyDbg
• 64-character URL
• Buffer overflow
• Vulnerability 2
• Code flow in OllyDbg
• Buffer overflow
FW inspection
If a packet arrives on port 80 with a GET request, I check that the requested URL is shorter than 64 characters, because of the Webster buffer overflow; otherwise the packet is dropped with reason WEBSTER (enum -8) and the connection is deleted.
FW logs on detection (screenshot slide)
Zabbix vulnerability (screenshot slides):
• Zabbix today
• Previous Zabbix
• Metasploit code
• Metasploit exploit
FW inspection
• If the TCP data contains the string "GET /zabbix/httpmon.php?applications=", I inspect the characters that follow to validate that they represent a number, because that is what the Zabbix server expects to receive; otherwise the packet is dropped and logged as ZABBIX (enum -10), and the connection is deleted.
FW log (screenshot slide)
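The two HTTP checks above (the Webster URL length limit and the Zabbix applications parameter), as one added inspection routine written for this page (not the project's code). Assumptions made here: the request target ends at the first space or line break, "shorter than 64" means at most 63 characters, the applications value ends at &, a space or a line break and must be non-empty, and REASON_ACCEPT = 0 is a name chosen for the accepted case. All sample requests are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reason codes as numbered on the slides; REASON_ACCEPT is an assumption. */
enum reason { REASON_ACCEPT = 0, REASON_WEBSTER = -8, REASON_ZABBIX = -10 };

/* The 136-byte 404 template plus a 64-byte URL overflows Webster's buf[200]. */
#define WEBSTER_MAX_URL_LEN 63
static const char ZABBIX_PREFIX[] = "GET /zabbix/httpmon.php?applications=";

/* Inspect one TCP payload sent to dport. Anything that is not a GET request
 * to port 80 is accepted here; the rest of the state machine handles it. */
enum reason http_inspect(const char *payload, size_t len, unsigned dport)
{
    if (dport != 80 || len < 4 || memcmp(payload, "GET ", 4) != 0)
        return REASON_ACCEPT;

    /* Request target: from after "GET " up to the next space or line end. */
    size_t start = 4, end = start;
    while (end < len && payload[end] != ' ' &&
           payload[end] != '\r' && payload[end] != '\n')
        end++;
    if (end - start > WEBSTER_MAX_URL_LEN)
        return REASON_WEBSTER;

    /* Zabbix: the value of "applications" must be a plain decimal number. */
    size_t plen = sizeof(ZABBIX_PREFIX) - 1;
    if (len >= plen && memcmp(payload, ZABBIX_PREFIX, plen) == 0) {
        size_t i = plen, digits = 0;
        while (i < len && payload[i] != '&' && payload[i] != ' ' &&
               payload[i] != '\r' && payload[i] != '\n') {
            if (!isdigit((unsigned char)payload[i]))
                return REASON_ZABBIX;   /* a quote or SQL keyword lands here */
            i++;
            digits++;
        }
        if (digits == 0)
            return REASON_ZABBIX;       /* an empty value is not a number either */
    }
    return REASON_ACCEPT;
}

/* Convenience wrapper for NUL-terminated payloads. */
enum reason http_inspect_str(const char *payload, unsigned dport)
{
    return http_inspect(payload, strlen(payload), dport);
}

/* Constructed sample requests ("aaaaaaaaaa" is 10 characters). */
static const char REQ_OK[] = "GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n";
static const char REQ_URL_63[] = "GET /" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"
    "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aa" " HTTP/1.1\r\n";   /* 63-char URL */
static const char REQ_URL_64[] = "GET /" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"
    "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaa" " HTTP/1.1\r\n";  /* 64-char URL */
static const char REQ_ZBX_OK[] = "GET /zabbix/httpmon.php?applications=12 HTTP/1.1\r\n";
static const char REQ_ZBX_SQLI[] =
    "GET /zabbix/httpmon.php?applications=1%27%20or%201=1 HTTP/1.1\r\n";
static const char REQ_ZBX_EMPTY[] = "GET /zabbix/httpmon.php?applications= HTTP/1.1\r\n";

int main(void)
{
    printf("ok=%d long=%d sqli=%d\n", http_inspect_str(REQ_OK, 80),
           http_inspect_str(REQ_URL_64, 80), http_inspect_str(REQ_ZBX_SQLI, 80));
    return 0;
}
```

Both checks are positive-validation rules (a length bound, a digits-only value) rather than signatures for a particular exploit string, so a differently encoded payload aimed at the same bug is still rejected.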
Speaker notes
1. The response message is IDS_404_MESSAGE "<HEAD><TITLE>404 Not Found</TITLE></HEAD>\n<BODY><H1>404 Not Found</H1>\nThe requested URL <%s> was not found on this server.<BR>\n</BODY>\r\n", which is 136 bytes long (without "%s", including the terminating "\0"). When a URL of 64 or more characters is requested, buf[200] overflows.
2. Override the exception handler.
3. Every URL that arrives hits this function, which logs the request. If the request is about 200 characters long there is a buffer overflow.
4. The return address is overwritten.
5. Taken from the Corelan team.
6. The code sends a GET request and injects the SQL query through the applications variable. The query selects the session id from the Zabbix sessions table where the user is admin (userid=1) and the user is not logged in (status=0).