The Network Security. Org

Network Intrusion Detection Signatures, Part Three

This is the third in a series of articles on understanding and developing signatures for network intrusion detection systems. In Part One and Part Two, we examined the use of IP protocol header values, particularly TCP, UDP and ICMP, in network intrusion detection signatures. In this article, we will continue our discussion of signatures by studying the area of protocol analysis, focusing on the examination of values within TCP and UDP payloads. Network intrusion detection using protocol analysis-based signatures is very effective in detecting both known and unknown attacks involving protocols such as DNS, FTP, HTTP and SMTP.

The Basics of Protocol Analysis

The first two articles in this series focused on developing network intrusion detection signatures using values in IP, TCP, UDP and ICMP headers. Now we want to look at signatures that examine the payloads within TCP and UDP packets, which contain other protocols. It?s important to understand that a protocol such as DNS is contained within TCP or UDP, which itself is contained within IP. So we first decode a packet?s IP header information, which will tell us whether its payload contains TCP, UDP or another protocol. If the payload is TCP, for example, we then need to process some of the TCP header information within the IP payload before we can access the TCP payload. DNS data is contained within UDP and TCP payloads. Network Intrusion Detection Signatures, Part Three

More News

• NetWitness releases free version of security software
  



• Three Reasons Why Users Won’t Buy Into Security
  



• Automated security testing & its limitations
  



• How to Use Network Behavior Analysis Tools
  



• The insider security threat in IT and financial services
  



• Top 10 Network Security Threats
  



• Big leap in malicious Web sites
  



• Network security makes a quantum leap
  



• Microsoft Preps 11 Security Bulletins for Patch Tuesday
  



• Practical Defense in Depth
  



• Apple releases another mega-patch for Mac OS X
  



• Security flaw in smart cards poses risk for transit, building access
  



• Free TrojanProof Password Tool Released for Windows
  



• Security scans with OpenVAS
  



• Do ISPs pose a bigger online privacy threat than Google
  



• HTTPS Cookie-Hijacking Tool CookieMonster Gobbles Personal Data
  



• Anatomy of a botnet
  



• Microsoft patches 8 critical bugs in Windows, Office
  



• Virtualization users should expect more attacks
  



• Threat From DNS Bug Is not Over, Experts Say