Red Hat NETWORK 3.6 - User Guide, Page 42
Copyright © 2002-2012 Tenable Network Security, Inc.
dependency=1277
hs_sport=79
track-session=10
realtimeonly
name=App Subversion - Successful finger query to multiple users
description=A response from a known finger daemon was observed which
indicated that the attacker was able to retrieve a list of three or
more valid user names.
risk=HIGH
match=Directory:
match=Directory:
match=Directory:
With this plugin, we only look for these patterns on hosts where a working finger
daemon has already been identified (dependency #1277). This plugin also uses the
"track-session" keyword: with a value of 10, the session data from the next 10 packets
is tracked and logged to either the SYSLOG or the real-time log file.
During a normal finger query for a single valid user, only one home directory is
returned. Many finger exploits, however, query for "users" such as "NULL", "0", or "..",
which cause vulnerable finger daemons to return a listing of all users. In that case
this plugin fires because of the multiple "Directory:" matches.
Example Unix Password File Download Web Server Plugin
The plugin below looks for a download from a web server that does not look like HTML
traffic but does look like the contents of a generic Unix password file.
id=0300
dependency=1442
hs_sport=80
track-session=10
realtimeonly
name=Web Subversion - /etc/passwd file obtained
description=A file which looks like a Linux /etc/passwd file was
downloaded from a web server.
risk=HIGH
match=!<HTML>
match=!<html>
match=^root:x:0:0:root:/root:/bin/bash
match=^bin:x:1:1:bin:
match=^daemon:x:2:2:daemon:
The plugin depends on PVS ID 1442, which detects web servers. The negated match
statements (leading "!") discard any response that contains HTML tags; the remaining
match statements, anchored with "^", require lines that begin with the common entries of a
Unix password file.
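The two plugins above share the same matching vocabulary (dependency, hs_sport, negated and anchored match lines, repeated match lines). The following is an added example, not Tenable's code and not the PVS matching engine: a small Python evaluator that parses both plugin texts exactly as printed on this page and runs them over constructed sample payloads (a finger dump of three users, a single-user finger reply, a raw /etc/passwd body, and the same body wrapped in an HTML page). The semantics it assumes, since the page does not spell them out, are that "!" negates a line, "^" anchors to start of line, N identical match lines require N separate hits, and only the server-side (hs_sport) payload is inspected.

```python
"""Toy evaluator for the PVS-style plugin rules on this page.

Added example, not Tenable's code or the PVS engine.  Assumed semantics
(the page does not spell them out): a leading "!" negates a match line,
a leading "^" anchors it to the start of a line, identical match lines
repeated N times need N separate hits, and only the server-side
(hs_sport) payload is inspected.
"""
from collections import Counter

# Plugin text as printed on the page (the finger plugin's id line is not on this page).
FINGER_PLUGIN = """\
dependency=1277
hs_sport=79
track-session=10
realtimeonly
name=App Subversion - Successful finger query to multiple users
description=A response from a known finger daemon was observed which
indicated that the attacker was able to retrieve a list of three or
more valid user names.
risk=HIGH
match=Directory:
match=Directory:
match=Directory:
"""
PASSWD_PLUGIN = """\
id=0300
dependency=1442
hs_sport=80
track-session=10
realtimeonly
name=Web Subversion - /etc/passwd file obtained
description=A file which looks like a Linux /etc/passwd file was
downloaded from a web server.
risk=HIGH
match=!<HTML>
match=!<html>
match=^root:x:0:0:root:/root:/bin/bash
match=^bin:x:1:1:bin:
match=^daemon:x:2:2:daemon:
"""

def parse_plugin(text):
    """Return (fields, matches).  Bare keywords become True flags; a line
    without "=" that contains spaces continues the previous value."""
    fields, matches, last = {}, [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if "=" not in line:
            if " " in line and last:
                fields[last] += " " + line   # wrapped description text
            else:
                fields[line] = True          # e.g. realtimeonly
            continue
        key, _, value = line.partition("=")
        if key == "match":
            matches.append(value)
        else:
            fields[key] = value
            last = key
    return fields, matches

def count_hits(pattern, payload):
    """Occurrences of a positive pattern; "^" means start of a line."""
    if pattern.startswith("^"):
        return sum(l.startswith(pattern[1:]) for l in payload.splitlines())
    return payload.count(pattern)

def evaluate(plugin, payload, server_port, detected_deps):
    """True when the plugin would fire on this server-side payload."""
    fields, matches = plugin
    if int(fields["dependency"]) not in detected_deps:   # e.g. no finger daemon seen
        return False
    if server_port != int(fields["hs_sport"]):
        return False
    if any(p[1:] in payload for p in matches if p.startswith("!")):
        return False                                     # a negated pattern is present
    needed = Counter(p for p in matches if not p.startswith("!"))
    return all(count_hits(p, payload) >= n for p, n in needed.items())

# Constructed sample payloads (not captures from the page).
FINGER_ONE_USER = "Login: alice\tName: Alice Example\nDirectory: /home/alice\tShell: /bin/bash\n"
FINGER_DUMP = FINGER_ONE_USER + (
    "Login: bob\tName: Bob Example\nDirectory: /home/bob\tShell: /bin/bash\n"
    "Login: carol\tName: Carol Example\nDirectory: /home/carol\tShell: /bin/sh\n"
)
PASSWD_BODY = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/sbin/nologin\n"
    "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n"
)
HTML_PAGE = "<html><body><pre>" + PASSWD_BODY + "</pre></body></html>\n"

def run_examples():
    """Verdict per sample: True means the plugin would raise its HIGH-risk alert."""
    finger, passwd = parse_plugin(FINGER_PLUGIN), parse_plugin(PASSWD_PLUGIN)
    return {
        "finger dump":    evaluate(finger, FINGER_DUMP, 79, {1277}),
        "finger 1 user":  evaluate(finger, FINGER_ONE_USER, 79, {1277}),
        "finger no dep":  evaluate(finger, FINGER_DUMP, 79, set()),
        "passwd body":    evaluate(passwd, PASSWD_BODY, 80, {1442}),
        "passwd in html": evaluate(passwd, HTML_PAGE, 80, {1442}),
    }

if __name__ == "__main__":
    print(run_examples())
```

Only the finger dump and the raw password body fire; the single-user reply has one "Directory:" line against three required, the dump on a host with no detected finger daemon is skipped by the dependency check, and the password entries wrapped in an HTML page are rejected by the negated "<html>" match even though the anchored entries are present. The "^" anchor matters: without it, a root line quoted in the middle of an HTML paragraph would still count as a hit.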
Example Generic Buffer Overflow Detection on Windows Plugin
One of the PVS’s strongest intrusion detection features is its ability to recognize specific
services, and then to look for traffic occurring on those services that should never occur
unless they have been compromised. Since the PVS can keep track of both sides of a
conversation and make decisions based on the content of each, it is ideal to look for Unix