
Copyright © 2002-2012 Tenable Network Security, Inc.
regex=^User-Agent: Mozilla/.* \(.*rv:(1\.3|1\.4a)
Match patterns that begin with the “^” symbol mean that at least one line in the packet
payload must begin with the following pattern. Match patterns that begin with the “!”
symbol indicate that the string must NOT match anything in the packet payload. In this
case, the “!” and “^” symbols are combined to indicate that we should not evaluate any
packet whose payload contains a line starting with the pattern “Received:”.
The “^” is more expensive to evaluate than the “>” symbol. So, while both match patterns
“^<pattern>” and “><pattern>” would find “<pattern>” at the beginning of a packet
payload, the use of “>” is more desirable as it is less costly. Use “^” when looking for the
occurrence of a string at the beginning of a line, but not at the beginning of the packet
payload. In the latter case, use the “>” character instead.
The Passive Vulnerability Scanner can Match “Previous” Packets
The PVS allows matching on patterns in the current packet as well as patterns in the
previous packet in the current session. This plugin shows how we can make use of this
feature to determine if a Unix password file is sent by a web server:
id=1001
name=Password file obtained by HTTP (GET)
family=Generic
sport=80
description=It seems that a Unix password file was sent by the remote web
server when the following request was made :<br>%P<br>We saw :
<br>%L</br>
pmatch=>GET /
pmatch=HTTP/1.
match=root
match=daemon
match=bin
regex=root:.*:0:0:.*:.*
Here we see match patterns for a root entry in a Unix password file. We also see pmatch
patterns that would match against a packet that makes an HTTP GET request to a web
server. The match patterns apply to the current packet in a session and the pmatch patterns
apply to the packet that was captured immediately before the current one in the current
session. To explain this visually, we are looking for occurrences of the following:
              GET / HTTP/1.*
1) client -------------------------> server:port 80
              Contents of password file:
              root:.*:0:0:.*:.*
2) client <------------------------- server:port 80
Our match pattern would key on the contents in packet 2) and our pmatch pattern would
key on packet 1) payload contents.
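The evaluation described above, modelled as an added Python example (not Tenable code and not part of the original manual). It assumes an unprefixed pattern is a substring test anywhere in the payload; the function names and the sample packets are constructed for illustration.

```python
import re

# The patterns of plugin id=1001 from the text above, as (keyword, value) pairs.
PLUGIN = [
    ("pmatch", ">GET /"), ("pmatch", "HTTP/1."),
    ("match", "root"), ("match", "daemon"), ("match", "bin"),
    ("regex", r"root:.*:0:0:.*:.*"),
]

def pattern_hits(pattern, payload):
    """Evaluate one match/pmatch pattern, honouring the !, ^ and > prefixes."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if pattern.startswith(">"):
        # ">": pattern must sit at the very start of the packet payload (cheap).
        hit = payload.startswith(pattern[1:])
    elif pattern.startswith("^"):
        # "^": at least one line of the payload must begin with the pattern.
        hit = any(line.startswith(pattern[1:]) for line in payload.splitlines())
    else:
        # Assumption: an unprefixed pattern may appear anywhere in the payload.
        hit = pattern in payload
    return hit != negate

def plugin_fires(plugin, previous, current):
    """True only if every pattern holds: pmatch on the previous packet of the
    session, match and regex on the current one."""
    for keyword, value in plugin:
        if keyword == "pmatch":
            ok = pattern_hits(value, previous)
        elif keyword == "match":
            ok = pattern_hits(value, current)
        else:  # regex
            ok = re.search(value, current) is not None
        if not ok:
            return False
    return True

# Constructed sample session: packet 1) is the request, packet 2) the reply.
REQUEST = "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
            "root:x:0:0:root:/root:/bin/sh\n"
            "daemon:x:1:1:daemon:/usr/sbin:/bin/false\n"
            "bin:x:2:2:bin:/bin:/bin/false\n")

if __name__ == "__main__":
    print("plugin 1001 fires:", plugin_fires(PLUGIN, REQUEST, RESPONSE))
```

Because all patterns must hold together, a reply that merely contains the words root, daemon and bin does not trigger the plugin unless the regex for a root entry also matches.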