Red Hat NETWORK 3.6 - Operating Instructions, Page 43
Copyright © 2002-2012 Tenable Network Security, Inc.
and Windows command shells occurring in services that should not have those command
shells in them. Here is an example plugin:
# look for Windows error when a user tries to
# switch to a drive that doesn't exist
id=0201
include=services.inc
trigger-dependency
track-session=10
realtimeonly
name=Successful shell attack detected - Failed cd command
description=The results of an unsuccessful attempt to change drives on a
Windows machine occurred in a TCP session normally used for a
standard service. This may indicate a successful compromise of this
service has occurred.
risk=HIGH
pmatch=!>GET
pregexi=cd
match=!>550
match=^The system cannot find the
match=specified.
This plugin uses the “include” keyword, which names a file (here services.inc) that lists several dozen PVS IDs for well-known services such as HTTP, DNS, and NTP. The plugin is not evaluated at all unless the target host has been observed running at least one of those services.
The “trigger-dependency” keyword is needed so that the plugin is evaluated even if only one of the PVS IDs in services.inc has matched. Without it, PVS would evaluate this plugin only if the target host was running every PVS ID listed in services.inc. In short, “trigger-dependency” changes the dependency logic from “all” to “at least one”: at least one PVS ID named by one or more “dependency” or “include” rules must be present.
And finally, the detection logic of the plugin looks for the following type of response on a Windows system:
In this case, a user has attempted to use the “cd” command to change drives or directories within the file system and the attempt failed because the target did not exist. This is a very common event once a remote attacker has compromised a Windows 2000 or Windows 2003 server with a buffer overflow and is driving a command shell over the exploited connection. What the PVS plugin is looking for in this specific event is a command-shell exchange inside a network session that should not carry one.
Looking at the plugin logic, the “pmatch” and “pregexi” statements operate on the previous packet in the session (the data sent from the other side): “pmatch=!>GET” ensures that the session is not an HTTP session by requiring that the previous packet does not contain the string “GET”, and “pregexi=cd” requires that the previous packet contains the string “cd”, matched case-insensitively.
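To show how the directives of this plugin combine, here is an added example (not code from the PVS guide or from Tenable) that emulates the match and dependency logic in Python and runs it over constructed session payloads. The directive semantics used here are assumptions for illustration: “pmatch”/“pregexi” apply to the previous packet, “match” applies to the current packet, a “!>” prefix inverts a match to “must not contain”, and a leading “^” anchors the match at the start of a line. The PVS IDs supplied for services.inc are made up; the real file is not reproduced here.

```python
import re

# Constructed copy of the plugin from the guide (multi-line description omitted).
PLUGIN_TEXT = """\
# look for Windows error when a user tries to
# switch to a drive that doesn't exist
id=0201
include=services.inc
trigger-dependency
track-session=10
realtimeonly
name=Successful shell attack detected - Failed cd command
risk=HIGH
pmatch=!>GET
pregexi=cd
match=!>550
match=^The system cannot find the
match=specified.
"""

# Hypothetical contents of services.inc: PVS IDs for well-known services.
SERVICES_INC_IDS = ["1000", "1001", "1002"]  # assumed values, not Tenable's

# regex-style keys: (applies to previous packet?, re flags)
REGEX_KEYS = {
    "regex": (False, 0), "regexi": (False, re.IGNORECASE),
    "pregex": (True, 0), "pregexi": (True, re.IGNORECASE),
}


def parse_plugin(text):
    """Turn key=value lines into (key, value) pairs; bare keywords get None."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        directives.append((key, value if sep else None))
    return directives


def _contains(payload, pattern):
    """Evaluate one match/pmatch pattern with the assumed '!>' and '^' rules."""
    negate = pattern.startswith("!>")
    if negate:
        pattern = pattern[2:]
    if pattern.startswith("^"):
        found = any(ln.startswith(pattern[1:]) for ln in payload.splitlines())
    else:
        found = pattern in payload
    return found != negate


def evaluate_match(directives, prev_payload, cur_payload):
    """True if every match-type directive holds for this packet pair."""
    for key, value in directives:
        if key == "pmatch" and not _contains(prev_payload, value):
            return False
        if key == "match" and not _contains(cur_payload, value):
            return False
        if key in REGEX_KEYS:
            on_prev, flags = REGEX_KEYS[key]
            target = prev_payload if on_prev else cur_payload
            if not re.search(value, target, flags):
                return False
    return True


def dependencies_satisfied(directives, observed_ids, include_files):
    """With trigger-dependency, any one included ID present suffices;
    without it, every included ID must be present on the host."""
    wanted = set()
    for key, value in directives:
        if key == "include":
            wanted.update(include_files.get(value, []))
    trigger = any(key == "trigger-dependency" for key, _ in directives)
    observed = set(observed_ids)
    return bool(wanted & observed) if trigger else wanted <= observed


def plugin_fires(directives, observed_ids, prev_payload, cur_payload,
                 include_files=None):
    """Full decision: dependency gate first, then the packet-pair match."""
    include_files = include_files or {"services.inc": SERVICES_INC_IDS}
    if not dependencies_satisfied(directives, observed_ids, include_files):
        return False
    return evaluate_match(directives, prev_payload, cur_payload)


# Constructed sample traffic: a shell driven over a compromised service,
# a normal HTTP request, and an FTP error that happens to carry similar text.
SHELL = ("cd e:\r\n", "The system cannot find the drive specified.\r\n")
HTTP = ("GET /cd.exe HTTP/1.1\r\n", "The system cannot find the drive specified.\r\n")
FTP = ("CWD cd\r\n", "550 The system cannot find the file specified.\r\n")

if __name__ == "__main__":
    d = parse_plugin(PLUGIN_TEXT)
    for label, (prev, cur) in {"shell": SHELL, "http": HTTP, "ftp": FTP}.items():
        print(label, plugin_fires(d, ["1001"], prev, cur))
```

Only the first sample fires: the HTTP pair is rejected by “pmatch=!>GET”, and the FTP pair by “match=!>550” (and by the “^” anchor, since the error text does not start the line). With a host that exposes just one of the included IDs, the dependency gate passes only because “trigger-dependency” is present.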