Red Hat NETWORK 3.6 - Guía de usuario descargar pdf (Pagina 42)

dependency=1277

hs_sport=79

track-session=10

realtimeonly

name=App Subversion - Successful finger query to multiple users

description=A response from a known finger daemon was observed which

indicated that the attacker was able to retrieve a list of three or

more valid user names.

risk=HIGH

match=Directory:

With this plugin, we are only looking for these patterns on systems where a working finger

daemon has been identified (dependency #1277). In this plugin though, we see the use of

the “track-session” keyword. If this plugin is launched with a value of 10, the session data

from the next 10 packets is tracked and logged in either the SYSLOG or real-time log file.

During a normal finger query, if only one valid user is queried, then only one home directory

will be returned. However, many of the exploits for finger involve querying for users such as

“NULL”, “0”, or “..”. This causes vulnerable finger daemons to return a listing of all users. In

that case, this plugin would be activated because of the multiple “Directory:” matches.

Example Unix Password File Download Web Server Plugin

This plugin below looks for any download from a web server that does not look like HTML

traffic, but does look like the contents of a generic Unix password file.

id=0300

dependency=1442

hs_sport=80

track-session=10

realtimeonly

name=Web Subversion - /etc/passwd file obtained

description=A file which looks like a Linux /etc/passwd file was

downloaded from a web server.

risk=HIGH

match=!<HTML>

match=!<html>

match=^root:x:0:0:root:/root:/bin/bash

match=^bin:x:1:1:bin:

match=^daemon:x:2:2:daemon:

The plugin is dependent on PVS ID 1442, which detects web servers. In the match

statements, we are attempting to ignore any traffic that contains valid HTML tags, but also

has lines that start with common Unix password file entries.

Example Generic Buffer Overflow Detection on Windows Plugin

One of the PVS’s strongest intrusion detection features is its ability to recognize specific

services, and then to look for traffic occurring on those services that should never occur

unless they have been compromised. Since the PVS can keep track of both sides of a

conversation and make decisions based on the content of each, it is ideal to look for Unix

1 2 ... 37 38 39 40 41 42 43 44 45 46 47 ... 60 61

Comentarios a estos manuales

Sin comentarios

Red Hat NETWORK 3.6 - Guía de usuario Pagina 42

Comentarios a estos manuales

Relacionado con productos y manuales para Servidores Red Hat NETWORK 3.6 -