
Discovering network scanning with OSSIM

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--


Network scanning was originally a network resource management technique: it obtains key information such as which hosts are active, which services are open, and which operating system each host runs. Scanning techniques include Ping scanning (determining which hosts are active), port scanning (determining which services are open), and operating system identification (determining the operating system type of the target host). For more information, please see "detailed explanation of vulnerability scanning based on OSSIM platform" and "combined Application of active and passive Detection tool (arpwatch+p0f+pads) in OSSIM".

Most of these scanners send only small numbers of packets when scanning, so the scanning behavior is not easy to spot with a traffic monitoring system (Zabbix, etc.), which only sees aggregate bandwidth. An intrusion detection system is needed to detect this abnormal behavior.

Note: a scanning tool may be able to obtain the mapping between IP and MAC addresses for hosts in its own network segment, but it cannot obtain it across the gateway, because ARP packets are not forwarded between network segments.

In an enterprise network environment, you can obtain IP and MAC addresses through the SNMP protocol enabled in the network management software, but if a host never sends packets through the layer 3 switching device, or if the layer 3 switching function is not enabled on that device, this information cannot be obtained.

1. Discovering scanning behavior with a packet-capture tool

Let's first look at a screenshot of normal network communication.

Now the network traffic while a scan is in progress:

See the difference? Taking nmap as the example, we can now find scans with packet-capture tools such as tcpdump or Wireshark.

The capture below shows a Linux host using the nmap tool to scan the ports of a Windows host.

If you switch to Sniffer Pro, there is a similar interface.

How much time can network managers spend on this tedious work every day? Clearly, discovering scanning behavior by reading captures in these tools is not a good solution.
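The following is an added example (not from the original article) of automating what the capture screenshots above show by eye: it parses constructed tcpdump-style lines and flags any source whose bare SYN packets reach many distinct destination ports within a short window, which is the signature of an nmap-style port scan. The line format, thresholds and sample addresses are assumptions for illustration.

```python
import re
from collections import defaultdict

# Matches tcpdump's default line format for IPv4 TCP, e.g.
# 10:05:01.100000 IP 192.168.1.20.50001 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_ts(ts):
    """Convert HH:MM:SS.ffffff to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def find_port_scans(lines, port_threshold=10, window=5.0):
    """Return {src_ip: sorted distinct destination ports} for every source whose
    bare SYNs reach at least port_threshold distinct host:port pairs within
    `window` seconds. Replies (SYN-ACK, "S.") and data segments are ignored."""
    syns = defaultdict(list)  # src -> [(time, dst, dport)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("flags") != "S":
            continue
        syns[m.group("src")].append(
            (parse_ts(m.group("ts")), m.group("dst"), int(m.group("dport"))))
    scanners = {}
    for src, events in syns.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {(d, p) for _, d, p in events[start:end + 1]}
            if len(targets) >= port_threshold:
                scanners[src] = sorted({p for _, _, p in events})
                break
    return scanners

# Constructed sample capture: one normal handshake from .20 to port 80,
# then a SYN sweep from .50 across 11 ports within a few microseconds.
SAMPLE_LINES = [
    "10:05:01.100000 IP 192.168.1.20.50001 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0",
    "10:05:01.100500 IP 192.168.1.10.80 > 192.168.1.20.50001: Flags [S.], seq 9, ack 2, win 65535, length 0",
    "10:05:01.101000 IP 192.168.1.20.50001 > 192.168.1.10.80: Flags [.], ack 10, win 64240, length 0",
] + [
    f"10:05:02.{i:06d} IP 192.168.1.50.40001 > 192.168.1.10.{p}: Flags [S], seq 1, win 1024, length 0"
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389])
]

if __name__ == "__main__":
    for src, ports in find_port_scans(SAMPLE_LINES).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
```

Feeding real `tcpdump -n -tt`-style output requires adapting LINE_RE to the timestamp format in use; the detection logic itself is unchanged.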

2. Discovering scans with the intrusion detection system

Snort is integrated into the Sensor of the OSSIM platform, and all alerts are generated automatically without manual work. Below is just one example of a Snort rule header used to detect nmap scanning.

alert tcp $EXTERNAL_NET any -> $HOME_NET any

The alerts produced by such rules are generated automatically by the system.

OSSIM course:

OSSIM typical application case video course (installation, configuration, and development)

Http://edu.51cto.com/course/course_id-7616.html
