I want to classify the type of attack related to the fields in the packets, i.e. one or more fields may be associated with some type of vulnerability that is responsible for the attack. Please tell me how to check which fields are associated with the attacks. I mean, how can I find out if a field is changed or modified, and is there any effect of such attacks?

asked 14 Jan '11, 23:25 TINA
2 Answers:
I think what you want to do is to manually look for attack patterns in network packets. This is actually something that only makes sense in one particular scenario: you know there is an ongoing attack, and you have a pattern to look for. Scanning proactively for attacks that may or may not be there is not going to work with Wireshark, simply because there are too many attacks and it is too much work / too slow. This is the reason why there are specialized devices like Intrusion Detection/Intrusion Prevention systems on the market. They have attack pattern databases that get updated frequently with new vulnerabilities to scan for, and inspect network traffic automatically based on filter sets. You may want to take a look at Snort if that is what you want: www.snort.org

answered 15 Jan '11, 08:57 Jasper ♦♦
That's a tough one. There are a lot of possibilities. I would say look for things that are impossible. For example, the same source and destination address on the wire. Incompatible TCP flags are also a sign. You could get some direction by going through Fyodor's book on NMAP scanning: http://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717 I just don't think you can get a conclusive answer to your question in a discussion forum, but you can absolutely get some direction, I suppose.

answered 15 Jan '11, 06:26 Paul Stewart
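As an added illustration of the "look for things that are impossible" approach in the answer above (this is example code written for this page, not something posted by the question or answerers, and not Wireshark or Snort code), the following script parses the IPv4 and TCP headers of raw packets and flags header field combinations that should never occur in legitimate traffic: identical source and destination address, mutually exclusive TCP flag combinations such as SYN+FIN, flag sets with no flags at all, and a TCP data offset smaller than the minimum header. It goes slightly beyond the answer by also treating a truncated packet as a finding rather than crashing on it. The sample packets are constructed inline with zeroed checksums so the script runs offline; the `build_packet` helper and the rule names are my own.

```python
"""Flag internally impossible IPv4/TCP header field combinations.

Added example for this page: the packet bytes below are constructed,
not captured, and checksums are left as zero (they are not validated).
"""
import socket
import struct
from typing import Dict, List, Tuple

# TCP flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_ipv4_tcp(pkt: bytes) -> Dict:
    """Parse IPv4 + TCP headers from a raw packet with no link-layer header.

    Raises ValueError for truncated packets or non-IPv4/non-TCP input.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _id, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4")
    if ihl < 20:
        raise ValueError("IHL below minimum header size")
    if proto != 6:
        raise ValueError("not TCP")
    if len(pkt) < ihl + 20:
        raise ValueError("truncated TCP header")
    (sport, dport, _seq, _ack, off_flags, _win,
     _tcsum, _urg) = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "ip_len": total_len,
        "sport": sport, "dport": dport,
        "flags": off_flags & 0x3F,             # low six bits: URG..FIN
        "data_offset": (off_flags >> 12) * 4,  # TCP header length in bytes
    }


def find_anomalies(f: Dict) -> List[str]:
    """Return human-readable reasons the header fields are impossible."""
    reasons = []
    if f["src"] == f["dst"]:
        reasons.append("same source and destination address")
    flags = f["flags"]
    if flags & SYN and flags & FIN:
        reasons.append("SYN and FIN set together")
    if flags & SYN and flags & RST:
        reasons.append("SYN and RST set together")
    if flags == 0:
        reasons.append("no TCP flags set")
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & ACK:
        reasons.append("FIN, PSH and URG without ACK")
    if f["data_offset"] < 20:
        reasons.append("TCP data offset below minimum header size")
    return reasons


def scan(packets: List[bytes]) -> List[Tuple[int, List[str]]]:
    """Run the checks over a packet list; parse failures are findings too."""
    findings = []
    for i, pkt in enumerate(packets):
        try:
            reasons = find_anomalies(parse_ipv4_tcp(pkt))
        except ValueError as exc:
            reasons = [f"unparseable: {exc}"]
        if reasons:
            findings.append((i, reasons))
    return findings


def build_packet(src: str, dst: str, flags: int,
                 sport: int = 40000, dport: int = 80) -> bytes:
    """Construct a minimal IPv4+TCP packet (hypothetical helper, zero checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                      (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp


# Constructed sample traffic: one normal SYN, then several impossible packets.
SAMPLE_PACKETS = [
    build_packet("192.0.2.10", "192.0.2.20", SYN),          # legitimate
    build_packet("192.0.2.10", "192.0.2.10", SYN),          # src == dst
    build_packet("192.0.2.10", "192.0.2.20", SYN | FIN),    # contradictory flags
    build_packet("192.0.2.10", "192.0.2.20", 0),            # no flags at all
    build_packet("192.0.2.10", "192.0.2.20", SYN)[:30],     # truncated on the wire
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_PACKETS):
        print(f"packet {index}: " + "; ".join(reasons))
```

Each rule is a statement about what a well-formed packet cannot look like, which is exactly the kind of check you can also express as a Wireshark display filter (for instance `ip.src == ip.dst` or `tcp.flags.syn == 1 && tcp.flags.fin == 1`); the script version just makes it easy to run the same logic over many packets and to keep the rules in one place.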