The ATOMIC Micro-Engines
The ATOMIC engine is used to create new signatures, or tune existing
ones, for simple single-packet conditions that trigger an alarm. Each ATOMIC
micro-engine exposes parameters specific to the protocol it inspects (ICMP type
and code, IP options, TCP flags, UDP data length, and so on). Table 7.3 lists the
ATOMIC micro-engines. With one exception these engines keep no persistent state:
every decision is made on the packet in hand. The exception is ATOMIC.ARP, whose
MacFlip and RequestInBalance parameters count events across packets (Table 7.4).
Table 7.3: ATOMIC Micro-Engines

Engine           | Description
ATOMIC.ARP       | ARP simple and cross-packet signatures.
ATOMIC.ICMP      | Simple ICMP alarms based on the following parameters: Type, Code, Sequence, and ID. See Figure 7.1.
ATOMIC.IPOPTIONS | Simple alarms based on the decoding of layer-3 IP options. See Figure 7.2.
ATOMIC.L3.IP     | Simple layer-3 IP alarms. See Figure 7.3.
ATOMIC.TCP       | Simple TCP packet alarms based on the following parameters: Port, Destination, Flags, and single-packet Regex. Use SummaryKey to define the address view for MinHits and Summarize counting. For best performance, use a StorageKey. See Figure 7.4.
ATOMIC.UDP       | Simple UDP packet alarms based on the following parameters: Port, Direction, and DataLength. See Figure 7.5.
OTHER            | Groups generic signatures so that common parameters can be changed in one place; it defines an interface into the common signature parameters.
SigWizMenu option 1, ATOMIC.ICMP (as seen in Figure 7.3), and SigWizMenu
option 5, ATOMIC.UDP (shown in Figure 7.4), work at layer 4. Several parameters
can be configured by hand, but none of them is required: a signature can combine
all of the single-packet parameters or use only the ones it needs.
SigWizMenu option 2, ATOMIC.IPOPTIONS, decodes layer-3 IP options,
as shown in Figure 7.5.
SigWizMenu option 3, ATOMIC.L3.IP, inspects traffic at layer 3 (as we
can see in Figure 7.6). It handles fragment checks, partial ICMP packets,
DataLength, and Protocol Number comparisons. Again, these parameters are
optional.
ATOMIC.TCP inspects layer-4 TCP packets. This menu option compares the
packet's TCP flags, masked by Mask, against TcpFlags (the mask selects which flag
bits are examined and TcpFlags gives the values those bits must have), in
conjunction with port filters and the SinglePacketRegex. The SinglePacketRegex
provides a simple regular-expression match on the packet, so ports, flags, and a
regex match can be combined in a single signature. Refer to Figure 7.7. Figure
7.8 shows SigWizMenu option 5, ATOMIC.UDP.
Note: Figure 7.7 shows only a portion of the signatures in the ATOMIC.TCP
micro-engine; the engine holds approximately 60 signatures in total.
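The following is an added example, not code from the book or from the Cisco sensor: it models how an ATOMIC.TCP-style rule evaluates TcpFlags against Mask, a destination-port filter, and a SinglePacketRegex on one packet at a time, with no state carried between packets. The class name, the packet dictionaries, and the three sample rules are assumptions made for the illustration; the flag bit values are the standard TCP header bits.

```python
"""
Added example (not the book's or Cisco's code): single-packet TCP rule
evaluation in the style of ATOMIC.TCP. Packets are constructed dicts.
"""
import re

# Standard TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


class AtomicTcpRule:
    """Hypothetical rule with ATOMIC.TCP-like parameters.

    mask      -- which flag bits are examined (None: do not look at flags)
    flags     -- the values the examined bits must have
    dst_ports -- destination ports of interest (None: any port)
    regex     -- SinglePacketRegex applied to this packet's payload only
    """

    def __init__(self, name, mask=None, flags=0, dst_ports=None, regex=None):
        self.name = name
        self.mask = mask
        self.flags = flags
        self.dst_ports = set(dst_ports) if dst_ports else None
        self.regex = re.compile(regex) if regex else None

    def matches(self, pkt):
        # Flags: only the bits selected by the mask are compared, so a rule
        # can say "SYN set, ACK clear" without caring about PSH or URG.
        if self.mask is not None:
            if (pkt["flags"] & self.mask) != (self.flags & self.mask):
                return False
        if self.dst_ports is not None and pkt["dport"] not in self.dst_ports:
            return False
        # No state is kept: the regex sees this packet's payload and nothing else.
        if self.regex is not None and not self.regex.search(pkt["payload"]):
            return False
        return True


def evaluate(rules, packets):
    """Return (rule name, packet index) pairs, one per packet a rule matches."""
    alarms = []
    for i, pkt in enumerate(packets):
        for rule in rules:
            if rule.matches(pkt):
                alarms.append((rule.name, i))
    return alarms


# Constructed sample rules and packets (assumptions, not signatures from the sensor).
RULES = [
    # SYN without ACK to the web port: a new connection attempt.
    AtomicTcpRule("Syn-to-web", mask=SYN | ACK, flags=SYN, dst_ports=[80]),
    # No flags set at all: the classic "null scan" probe.
    AtomicTcpRule("Null-scan", mask=ALL_FLAGS, flags=0),
    # Payload regex combined with a port filter, flags ignored.
    AtomicTcpRule("phf-probe", dst_ports=[80], regex=rb"GET /cgi-bin/phf"),
]

PACKETS = [
    {"flags": SYN,       "dport": 80,    "payload": b""},
    {"flags": SYN | ACK, "dport": 40000, "payload": b""},
    {"flags": 0,         "dport": 22,    "payload": b""},
    {"flags": PSH | ACK, "dport": 80,    "payload": b"GET /cgi-bin/phf?Qalias=x HTTP/1.0"},
]


def demo():
    return evaluate(RULES, PACKETS)


if __name__ == "__main__":
    for alarm in demo():
        print(alarm)
```

The point to notice is the mask: the second packet (SYN|ACK) does not fire "Syn-to-web" because ACK is among the examined bits, while the fourth packet fires only the regex rule because that rule inspects no flag bits at all.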
ATOMIC.ARP handles basic layer-2 ARP signatures and also the more
advanced detection of the ARP spoofing tools dsniff and ettercap. Refer to Table
7.4 for the ATOMIC.ARP parameters.
Note: ettercap supports active and passive dissection of several protocols
and includes network and host analysis tools; in essence, it acts as a sniffer,
interceptor, and logger for switched LANs. dsniff is a collection of tools used
for penetration testing and network auditing.
Table 7.4: ATOMIC.ARP Parameters

Name             | Data Type          | Protected | Required | Description
ArpOperation     | Number 0–255       | No        | No       | The ARP operation code the signature is interested in.
MacFlip          | Number 0–65535     | No        | No       | If the MAC address changes this many times for the same IP address, an alarm will fire.
RequestInBalance | Number 0–65535     | No        | No       | If there are this many more requests than replies for a particular IP address, an alarm will fire.
WantDstBroadcast | Boolean True/False | No        | No       | If the sensor detects an ARP destination address of 255.255.255.255, an alarm will fire.
WantBroadcast    | Boolean True/False | No        | No       | If the sensor detects an ARP source address of 255.255.255.255, an alarm will fire.
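As an added example, not the sensor's own code, the detector below applies the MacFlip, RequestInBalance, WantDstBroadcast and ArpOperation parameters of Table 7.4 to a constructed ARP packet stream that mimics what dsniff's arpspoof or ettercap produce (a gateway IP repeatedly re-announced with a different MAC). The class and field names, the packet dictionaries, and the thresholds are assumptions for the illustration; only the ARP opcodes are standard.

```python
"""
Added example (not Cisco's code): an ATOMIC.ARP-style detector that keeps
per-IP counters across packets, which the cross-packet parameters require.
"""
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2   # standard ARP opcodes


class AtomicArpDetector:
    """Hypothetical detector modelled on the Table 7.4 parameters."""

    def __init__(self, mac_flip=None, request_inbalance=None,
                 want_dst_broadcast=False, arp_operation=None):
        self.mac_flip = mac_flip
        self.request_inbalance = request_inbalance
        self.want_dst_broadcast = want_dst_broadcast
        self.arp_operation = arp_operation
        self.last_mac = {}                 # sender IP -> last sender MAC seen
        self.flips = defaultdict(int)      # sender IP -> number of MAC changes
        self.requests = defaultdict(int)   # target IP -> requests asking for it
        self.replies = defaultdict(int)    # sender IP -> replies it has sent
        self.alarms = []

    def process(self, pkt):
        op, sip, smac, tip = (pkt["op"], pkt["sender_ip"],
                              pkt["sender_mac"], pkt["target_ip"])
        if self.arp_operation is not None and op == self.arp_operation:
            self.alarms.append(("ArpOperation", sip))
        if self.want_dst_broadcast and tip == "255.255.255.255":
            self.alarms.append(("WantDstBroadcast", sip))
        # MacFlip: the same sender IP is now being claimed by a different MAC.
        if self.mac_flip is not None:
            prev = self.last_mac.get(sip)
            if prev is not None and prev != smac:
                self.flips[sip] += 1
                if self.flips[sip] == self.mac_flip:   # fire once, when the threshold is reached
                    self.alarms.append(("MacFlip", sip))
            self.last_mac[sip] = smac
        # RequestInBalance: requests for an IP outrun the replies that IP sends.
        if self.request_inbalance is not None:
            if op == ARP_REQUEST:
                self.requests[tip] += 1
                if self.requests[tip] - self.replies[tip] == self.request_inbalance:
                    self.alarms.append(("RequestInBalance", tip))
            elif op == ARP_REPLY:
                self.replies[sip] += 1
        return self.alarms


def arp(op, sender_ip, sender_mac, target_ip):
    return {"op": op, "sender_ip": sender_ip,
            "sender_mac": sender_mac, "target_ip": target_ip}


# Constructed stream: 10.0.0.1 is the gateway at aa:...:01; cc:...:03 is an
# attacker injecting spoofed replies for it; then 10.0.0.2 asks repeatedly for
# 10.0.0.50 and never hears back; finally a request with a broadcast target.
SAMPLE_STREAM = [
    arp(ARP_REPLY,   "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.2"),
    arp(ARP_REPLY,   "10.0.0.1", "cc:cc:cc:cc:cc:03", "10.0.0.2"),        # flip 1
    arp(ARP_REPLY,   "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.2"),        # flip 2 -> alarm
    arp(ARP_REQUEST, "10.0.0.2", "bb:bb:bb:bb:bb:02", "10.0.0.50"),
    arp(ARP_REQUEST, "10.0.0.2", "bb:bb:bb:bb:bb:02", "10.0.0.50"),
    arp(ARP_REQUEST, "10.0.0.2", "bb:bb:bb:bb:bb:02", "10.0.0.50"),       # 3 unanswered -> alarm
    arp(ARP_REQUEST, "10.0.0.2", "bb:bb:bb:bb:bb:02", "255.255.255.255"),  # broadcast target
]


def run_demo():
    det = AtomicArpDetector(mac_flip=2, request_inbalance=3, want_dst_broadcast=True)
    for pkt in SAMPLE_STREAM:
        det.process(pkt)
    return det.alarms


if __name__ == "__main__":
    for alarm in run_demo():
        print(alarm)
```

A real sensor tunes MacFlip above the number of legitimate changes it expects (DHCP lease churn, clustered gateways with shared IPs) so the counter distinguishes poisoning from ordinary re-addressing; a threshold of 2 is used here only to keep the sample stream short.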