
risk=HIGH
match=!<HTML>
match=!<html>
match=^root:x:0:0:root:/root:/bin/bash
match=^bin:x:1:1:bin:
match=^daemon:x:2:2:daemon:
The plugin is dependent on PVS ID 1442, which detects web servers. In the match statements, we ignore any traffic that
contains HTML tags (the negated matches), and report only when the traffic also has lines that start with common Unix
password file entries.
Example Generic Buffer Overflow Detection on Windows Plugin
One of the PVS’s strongest intrusion detection features is its ability to recognize specific services, and then to look for traffic
occurring on those services that should never occur unless they have been compromised. Since the PVS can keep track of
both sides of a conversation and make decisions based on the content of each, it is ideal to look for Unix and Windows
command shells occurring in services that should not have those command shells in them. Here is an example plugin:
# look for Windows error when a user tries to
# switch to a drive that doesn't exist
id=0201
include=services.inc
trigger-dependency
track-session=10
realtimeonly
name=Successful shell attack detected - Failed cd command
description=The results of an unsuccessful attempt to change drives on a Windows
machine occurred in a TCP session normally used for a standard service. This
may indicate a successful compromise of this service has occurred.
risk=HIGH
pmatch=!>GET
pregexi=cd
match=!>550
match=^The system cannot find the
match=specified.
This plugin uses the “include” keyword, which names a file (services.inc) that lists several dozen PVS IDs for well-known
services such as HTTP, DNS, and NTP. The plugin will not even be evaluated unless the target host is running one of
those services.
The keyword “trigger-dependency” is needed to ensure the plugin is evaluated even if there is only one match in the
services.inc file. Otherwise, the PVS would only evaluate this plugin if the target host was running all PVS IDs present
in the services.inc file. The “trigger-dependency” keyword basically says that at least one PVS ID specified by
one or more dependency or include rules must be present.
Finally, the logic of plugin detection is looking for the following type of response on a Windows system:
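To make the match logic of the two plugins above concrete, here is a small evaluator written for this page; it is an added example, not code from the PVS guide or from Tenable. It assumes the operator semantics the plugins use but the page does not spell out: a leading "!" negates a rule, ">" anchors at the start of the packet, "^" anchors at the start of any line, and pmatch/pregexi are applied to the previous packet of the tracked session (pregexi as a case-insensitive regular expression).

```python
import re

# Evaluator for the PVS match keywords shown on this page. Assumed semantics
# (the page uses but does not define them): a leading "!" negates a rule,
# ">" anchors at the start of the packet, "^" at the start of any line,
# "pmatch"/"pregexi" test the previous packet of the tracked session, and
# "pregexi" is a case-insensitive regular expression.

def _anchored(pattern: str, data: str) -> bool:
    """Apply one pattern (with any leading '!' already removed) to a buffer."""
    if pattern.startswith(">"):
        return data.startswith(pattern[1:])
    if pattern.startswith("^"):
        return any(line.startswith(pattern[1:]) for line in data.splitlines())
    return pattern in data

def rule_matches(keyword: str, pattern: str, current: str, previous: str) -> bool:
    """Evaluate one match/pmatch/pregexi line against the session buffers."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if keyword == "match":
        hit = _anchored(pattern, current)
    elif keyword == "pmatch":
        hit = _anchored(pattern, previous)
    elif keyword == "pregexi":
        hit = re.search(pattern, previous, re.IGNORECASE) is not None
    else:
        raise ValueError(f"unsupported keyword: {keyword}")
    return hit != negate

def plugin_fires(rules, current: str, previous: str = "") -> bool:
    """Every rule must hold; a single failing rule suppresses the plugin."""
    return all(rule_matches(k, p, current, previous) for k, p in rules)

# Match sections of the two plugins, transcribed from the page.
PASSWD_IN_HTTP = [("match", "!<HTML>"), ("match", "!<html>"),
                  ("match", "^root:x:0:0:root:/root:/bin/bash"),
                  ("match", "^bin:x:1:1:bin:"), ("match", "^daemon:x:2:2:daemon:")]
FAILED_CD = [("pmatch", "!>GET"), ("pregexi", "cd"), ("match", "!>550"),
             ("match", "^The system cannot find the"), ("match", "specified.")]

# Constructed sample traffic (not real captures).
LEAKED_PASSWD = ("root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n"
                 "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n")
HTML_PAGE = "<html><body>root:x:0:0:root:/root:/bin/bash</body></html>\n"
SHELL_REQUEST = "cd Z:\r\n"                                      # client side
SHELL_REPLY = "The system cannot find the drive specified.\r\n"  # server side
FTP_550_REPLY = "550 The system cannot find the file specified.\r\n"
```

The FTP-style 550 reply shows what the negated `match=!>550` rule buys: the same "cannot find ... specified." text in an ordinary FTP error does not trigger the plugin.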