
McAfee IPS technical Brief

McAfee NSP

NSP

1 McAfee IPS
McAfee IPS


IPS .

2 McAfee IPS
2.1
TCP/IP RFC ( IP/TCP/UDP/SMTP/FTP/HTTP RFC layer 7 layer7 )

edonkey2000 BitTorrent

IM/P2P

P2P

Winny P2P QQLive PPStream

p2p P2P

P2P

P2P

McAfee IPS

QQLive

UDP


QQLive UDP 0x0 0x01-0x02 0x03McAfee IPS 3d 00 3 0xfe, QQLive PPStream UDP UDP PPStream (big endian) 0x003d , 3 0xfe

0x0-0x01 0x02-0x03 0x0300001404 00001414 00001424 00001434



43 00

3d 00 43 00 00 11 00 0a 75 49 96 83 b3 cf 1d 6d  =.C..... uI.....m
c3 e5 01 4b ed 05 81 96 40 c1 f2 3e 28 f3 41 08  ...K.... @..>(.A.
00 00 00 73 65 6c 65 63 74 6f 72 32 2e 73 77 66  ...selec tor2.swf
00 00 2c 00 00 00 04 00 00 01 00 00 00

0x0-0x01 0x02-0x03 . layer7

0x003d 43 00

udp PPStream UDP

IP layer7

2.2
McAfee McAfee IPS 2.2.1 McAfee IPS

MS06-012 Excel excel snort

McAfee IPS

http

Excel

Figure: HTTP response parsing flow

Http Rsp Parsing Init -> Rsp Header Parsing -> Msg Body Trunked?
  No  -> General Rsp Msg Body Parsing
  Yes -> Trunked Msg Body Parsing

Figure: Excel file record structure (only the labels "Excel" and "TYPE" survive extraction)

http

http


http http http excel excel

Content-Type

application/vnd.ms-excel excel excel


McAfee IPS excel excel Name record excel

excel d0 cf 11 e0 a1 b1 1a e1 508 worksheet Name record McAfee McAfeeIPS 80


2.2.2 Oracle TNS

McAfee IPS

2.2.3 MS08-067 McAfee Conficker Conficker

McAfee IPS McAfee IPS

McAfee


IPS McAfee

2.3

TCP

UDP

2.4
http UDP IP UDP IP HTTP P2P

2.5
IPS IPS McAfee IPS

DDOS Botnet Botnet DDOS DDOS Botnet

2.6
McAfee IPS McAfee IPS artemis IPS IPS IPS TrustedSource IPS Artemis TrustedSource IPS IPS TrustedSource Artemis McAfee


2.7
IPS SNORT snort :

alert tcp any any -> 192.168.1.0/24 80 (content:"cgi-bin/phf";offset:3;depth:22;msg:"CGI-PHF access";)

snort

http

cgi-bin/phf

TCP

McAfee IPS P2P

Snort


3 McAfee IPS
(Network Intrusion Prevention System)

. NIPS

3.1
McAfee IPS Intelligence McAfee Lab: McAfee Lab 350 McAfee Lab

:
GTI Global Threat

30 McAfee Lab McAfee IPS 100

GTI

Global Threat Intelligence (GTI) web message McAfee

McAfee -

GTI ,GTI

sensor

GTI

3.1.1


McAfee IPS NSS 100M 99.4% 1G McAfee IPS McAfee IPS 10G 1 NSS 77.7% IPS McAfee NIPS

3.2
McAfee IPS McAfee NIPS M McAfee IPS X NSS McAfee G IPS McAfee IPS G NIPS


4
McAfee IPS IPS
NSS evasion test results (McAfee IPS)

Test    Description                                                                                   Result
5.3     Evasion                                                                                       PASS
5.3.1   Evasion
5.4     Packet Fragmentation                                                                          PASS
5.4.1   Ordered 8 byte fragments                                                                      PASS  100%
5.4.2   Ordered 24 byte fragments                                                                     PASS  100%
5.4.3   Out of order 8 byte fragments                                                                 PASS  100%
5.4.4   Ordered 8 byte fragments, duplicate last packet                                               PASS  100%
5.4.5   Out of order 8 byte fragments, duplicate last packet                                          PASS  100%
5.4.6   Ordered 8 byte fragments, reorder fragments in reverse                                        PASS  100%
5.4.7   Ordered 16 byte frags, fragment overlap (favor new)                                           PASS  100%
5.4.8   Ordered 16 byte frags, fragment overlap (favor old)                                           PASS  100%
5.4.9   Out of order 8 byte fragments, interleaved duplicate packets scheduled for later delivery     PASS  100%
5.5     Stream Segmentation                                                                           PASS
5.5.1   Ordered 1 byte segments, interleaved duplicate segments with invalid TCP checksums            PASS  100%
5.5.2   Ordered 1 byte segments, interleaved duplicate segments with null TCP control flags           PASS  100%
5.5.3   Ordered 1 byte segs, interleaved duplicate segments with requests to resync sequence
        numbers mid-stream                                                                            PASS  100%
5.5.4   Ordered 1 byte segments, duplicate last packet                                                PASS  100%
5.5.5   Ordered 2 byte segments, segment overlap (favor new)                                          PASS  100%
5.5.6   Ordered 1 byte segments, interleaved duplicate segments with out-of-window sequence numbers   PASS  100%
5.5.7   Out of order 1 byte segments                                                                  PASS  100%
5.5.8   Out of order 1 byte segments, interleaved duplicate segments with faked retransmits           PASS  100%
5.5.9   Ordered 1 byte segments, segment overlap (favor new)                                          PASS  100%
5.5.10  Out of order 1 byte segs, PAWS elimination (interleaved dup segs with older TCP timestamp
        options)                                                                                      PASS  100%
5.5.11  Ordered 16 byte segs, seg overlap (favor new (Unix))                                          PASS  100%
5.6     RPC Fragmentation                                                                             PASS
5.6.1   One-byte fragmentation (ONC)                                                                  PASS  100%
5.6.2   Two-byte fragmentation (ONC)                                                                  PASS  100%
5.6.3   All fragments, including Last Fragment (LF) will be sent in one TCP segment (ONC)             PASS  100%
5.6.4   All frags except Last Fragment (LF) will be sent in one TCP segment. LF will be sent in
        separate TCP seg (ONC)                                                                        PASS  100%
5.6.5   One RPC fragment will be sent per TCP segment (ONC)                                           PASS  100%
5.6.6   One LF split over more than one TCP segment. In this case no RPC fragmentation is
        performed (ONC)                                                                               PASS  100%
5.6.7   Canvas Reference Implementation Level 1 (MS)                                                  PASS  100%
5.6.8   Canvas Reference Implementation Level 2 (MS)                                                  PASS  100%
5.6.9   Canvas Reference Implementation Level 3 (MS)                                                  PASS  100%
5.6.10  Canvas Reference Implementation Level 4 (MS)                                                  PASS  100%
5.6.11  Canvas Reference Implementation Level 5 (MS)                                                  PASS  100%
5.6.12  Canvas Reference Implementation Level 6 (MS)                                                  PASS  100%
5.6.13  Canvas Reference Implementation Level 7 (MS)                                                  PASS  100%
5.6.14  Canvas Reference Implementation Level 8 (MS)                                                  PASS  100%
5.6.15  Canvas Reference Implementation Level 9 (MS)                                                  PASS  100%
5.6.16  Canvas Reference Implementation Level 10 (MS)                                                 PASS  100%
5.7     URL Obfuscation                                                                               PASS
5.7.1   URL encoding - Level 1 (minimal)                                                              PASS  100%
5.7.2   URL encoding - Level 2                                                                        PASS  100%
5.7.3   URL encoding - Level 3                                                                        PASS  100%
5.7.4   URL encoding - Level 4                                                                        PASS  100%
5.7.5   URL encoding - Level 5                                                                        PASS  100%
5.7.6   URL encoding - Level 6                                                                        PASS  100%
5.7.7   URL encoding - Level 7                                                                        PASS  100%
5.7.8   URL encoding - Level 8 (extreme)                                                              PASS  100%
5.7.9   Premature URL ending                                                                          PASS  100%
5.7.10  Long URL                                                                                      PASS  100%
5.7.11  Fake parameter                                                                                PASS  100%
5.7.12  TAB separation                                                                                PASS  100%
5.7.13  Case sensitivity                                                                              PASS  100%
5.7.14  Windows \ delimiter                                                                           PASS  100%
5.7.15  Session splicing                                                                              PASS  100%
5.8     FTP Evasion                                                                                   PASS
5.8.1   Inserting spaces in FTP command lines                                                         PASS  100%
5.8.2   Inserting non-text Telnet opcodes - Level 1 (minimal)                                         PASS  100%
5.8.3   Inserting non-text Telnet opcodes - Level 2                                                   PASS  100%
5.8.4   Inserting non-text Telnet opcodes - Level 3                                                   PASS  100%
5.8.5   Inserting non-text Telnet opcodes - Level 4                                                   PASS  100%
5.8.6   Inserting non-text Telnet opcodes - Level 5                                                   PASS  100%
5.8.7   Inserting non-text Telnet opcodes - Level 6                                                   PASS  100%
5.8.8   Inserting non-text Telnet opcodes - Level 7                                                   PASS  100%
5.8.9   Inserting non-text Telnet opcodes - Level 8 (extreme)                                         PASS  100%