
In each of these cases, the plugin would not match if the patterns contained in these “not” statements were present. For
example, in the first pmatch statement, if the pattern “pattern” were present, then the plugin would not match. In the
second statement, the binary pattern “AAA” (the letter “A” in ASCII hex is 0x41) would match only if it were not
present in the first three characters.
Time Dependent Plugins
The last plugin example shows some more advanced features of the PVS plugin language that allow a plugin to be time
dependent and to make use of the evaluation of other plugins. The plugin shows how PVS can detect an
anonymous FTP server. The NEXT keyword is used to separate plugins in the plugin file.
id=1018
nooutput
hs_sport=21
name=Anonymous FTP (login: ftp)
pmatch=^USER ftp
match=^331
NEXT #-----------------------------------------------------------
id=1019
dependency=1018
timed-dependency=5
hs_sport=21
name=Anonymous FTP enabled
description=The remote FTP server has anonymous access enabled.
risk=LOW
pmatch=^PASS
match=^230
Since we are trying to detect an anonymous FTP server we are going to be looking for the following traffic pattern:
                 USER ftp
1) FTP client -----------------------> FTP server
                 331 Guest login ok, ...
2) FTP client <----------------------- FTP server

3) FTP client -----------------------> FTP server
                 230 Logged in
4) FTP client <----------------------- FTP server
Here we cannot use a single plugin to detect this entire session. So, instead we use two plugins: the first plugin looks for
packets 1) and 2) and the second plugin looks for packets 3) and 4).
A review of the above plugins shows that plugin 1018 matches 1) and 2) in the session by keying on the patterns “USER ftp”
and the 331 return code. Plugin 1019 matches on 3) and 4) by keying on the patterns “PASS” and the 230 return code.
Notice that plugin 1019 has the following field: dependency=1018. This field indicates that plugin 1018 must first evaluate
successfully before plugin 1019 may be evaluated (i.e., plugin 1019 depends on plugin 1018’s success before it can
be evaluated).
One more step is needed to complete the plugin for the anonymous FTP session. We need to ensure that both plugins
are actually evaluating the same FTP session. We can do this by attaching a time dependency to plugin 1019. The field
time-dependency=5 indicates that plugin 1018 must have evaluated successfully in the last five seconds for 1019 to be
evaluated. In this way we can ensure that both plugins are evaluating the same FTP session.
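To make the dependency and time-dependency behaviour described above concrete, here is an added Python model (not PVS code, only a simulation of what the text describes): it parses the NEXT-separated plugin file above into per-plugin dictionaries and evaluates both plugins over constructed, time-stamped request/response exchanges, so that the five-second window accepts one anonymous login and rejects a late one. The exchange model (one client request paired with one server reply per tuple, on a given server port) and the session data are assumptions; the page spells the window keyword both as timed-dependency and time-dependency, so both are accepted.

```python
import re
# Constructed copy of the two plugins from the text above, separated by NEXT.
PLUGIN_TEXT = """\
id=1018
nooutput
hs_sport=21
name=Anonymous FTP (login: ftp)
pmatch=^USER ftp
match=^331
NEXT #-----------------------------------------------------------
id=1019
dependency=1018
timed-dependency=5
hs_sport=21
name=Anonymous FTP enabled
pmatch=^PASS
match=^230
"""
def parse_plugins(text):
    plugins, block = [], {}                               # one dict per plugin; pmatch/match become regex lists
    for line in text.splitlines() + ["NEXT"]:             # sentinel flushes the last block
        if line.startswith("NEXT"):
            if block: plugins.append(block)
            block = {}
        elif line.strip():
            key, sep, value = line.partition("=")
            if key in ("pmatch", "match"):                # pmatch: client request, match: server reply
                block.setdefault(key, []).append(re.compile(value))
            else:
                block[key] = value if sep else True       # flags such as nooutput carry no value
    return plugins

def evaluate(plugins, exchanges):
    """exchanges: (time_s, server_port, client_request, server_response); returns (time, id, name) hits."""
    last_hit, reports = {}, []
    for t, sport, req, resp in exchanges:
        for p in plugins:
            dep, window = p.get("dependency"), p.get("time-dependency", p.get("timed-dependency"))
            if "hs_sport" in p and int(p["hs_sport"]) != sport:
                continue                                  # wrong server port
            if dep and (dep not in last_hit or (window and t - last_hit[dep] > float(window))):
                continue                                  # parent not matched yet, or matched too long ago
            if all(r.search(req) for r in p.get("pmatch", [])) and all(r.search(resp) for r in p.get("match", [])):
                last_hit[p["id"]] = t                     # success is recorded even for nooutput plugins
                if "nooutput" not in p:
                    reports.append((t, p["id"], p["name"]))
    return reports
# Constructed sessions: anonymous login within 5 s; same login 10 s apart; a non-anonymous login.
SESSIONS = [(0.0, 21, "USER ftp", "331 Guest login ok"), (1.0, 21, "PASS guest@", "230 Logged in"),
            (100.0, 21, "USER ftp", "331 Guest login ok"), (110.0, 21, "PASS guest@", "230 Logged in"),
            (200.0, 21, "USER alice", "331 Password required"), (201.0, 21, "PASS s3cret", "230 Logged in")]
```

Removing the timed-dependency line from plugin 1019 and re-running shows why the window matters: the PASS/230 exchange at 201 s would then be reported as anonymous access, even though the matching USER ftp belongs to a session 100 seconds earlier.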