Red Hat NETWORK BASIC - USER REFERENCE GUIDE 4.0 Operating instructions Page 69

In this case, a user has attempted to use the “cd” command to change directories within a file system and the attempt
was not allowed. This is a very common event that occurs once a remote hacker has compromised a Windows 2000 or
Windows 2003 server with a buffer overflow. What the PVS plugin is looking for in this specific event is a network session
that should not be there.
Looking at the plugin logic, there are “pmatch” and “pregexi” statements that attempt to ensure that the session is not
an HTTP session, and that the previous side of the session contains the string “cd”.
One could argue that the “pregexi” statement could be expanded to include the trailing space after the “d”
character and also the first character.
The plugin then looks for the expected results of the failed “cd” command. The first match statement makes sure this
pattern is not part of the FTP protocol. It turns out that looking for “cd” in one side of a session and the error of attempting
to change to a directory in an FTP session would cause false positives for this plugin. Adding a rule to ignore if a line
starts with “550” avoids this. While writing and testing this plugin, Tenable considered having a different set of plugins just
for FTP, but the additional filter statement took care of any false positives we had been seeing. Finally, the last two match
statements look for the results of the failed change directory attempt. They are spread across two match statements and
could have been combined into one regular expression statement, but the basic message carries enough fixed text that
splitting it into two plain match statements gives faster matching.
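As an added illustration (not Tenable's plugin code), the following Python applies the filters just described, in the plugin's order: the session must not be HTTP, the other side must contain “cd”, the reply must not be an FTP “550” line, and the reply must carry the failure text. The error strings, the loose “cd” regex that the text suggests tightening, and the three sample sessions are constructed assumptions.

```python
import re

# Constructed assumptions: the exact strings in Tenable's plugin are not on the page.
HTTP_MARKER = re.compile(r"^(?:GET|POST|HEAD|PUT) \S+ HTTP/\d\.\d|^HTTP/\d\.\d \d{3}", re.M)
CD_COMMAND = re.compile(r"cd", re.I)          # the "pregexi" as described: just "cd", no anchoring
FTP_550 = re.compile(r"^550\b", re.M)         # "match=!550": ignore FTP's own error replies
FAILURE_1 = re.compile(r"The system cannot find the", re.I)   # assumed first half of the error
FAILURE_2 = re.compile(r"path specified", re.I)               # assumed second half


def classify(previous_side: str, current_side: str) -> str:
    """Apply the plugin's filters in order and report which one decided the outcome."""
    if HTTP_MARKER.search(previous_side) or HTTP_MARKER.search(current_side):
        return "ignored: HTTP session"
    if not CD_COMMAND.search(previous_side):
        return "ignored: no cd on the other side"
    if FTP_550.search(current_side):
        return "ignored: FTP 550 reply"
    if FAILURE_1.search(current_side) and FAILURE_2.search(current_side):
        return "ALERT: failed cd in a non-FTP session"
    return "ignored: no failure text"


# Constructed sample sessions (request side, reply side).
SHELL = ("C:\\WINNT\\system32>cd \\inetpub\\secret\r\n",
         "The system cannot find the path specified.\r\n\r\nC:\\WINNT\\system32>")
FTP = ("CWD /pub/cdrom\r\n",                       # "cdrom" satisfies the loose "cd" regex
       "550 The system cannot find the path specified.\r\n")
WEB = ("GET /cd HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
       "HTTP/1.1 404 Not Found\r\n\r\nThe system cannot find the path specified.")

if __name__ == "__main__":
    for name, (req, rep) in (("shell", SHELL), ("ftp", FTP), ("web", WEB)):
        print(f"{name:5s} -> {classify(req, rep)}")
```

The FTP sample shows why the “550” filter is needed: without it, the Windows error text inside the FTP reply would trip the same two failure matches as a real shell.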
Passive Vulnerability Scanner Corporate Policy Plugins
Most companies have an “Acceptable Use Policy” that defines appropriate use of the company’s IT facilities. Often, this
policy is abused to some extent since detecting abuse can be difficult.
The PVS can help in this regard through use of PVS Corporate Policy plugins. These plugins can be used to look for
policy violations and items such as credit card numbers, Social Security numbers, and other sensitive content in motion.
Tenable ships PVS with a large number of plugins that are frequently updated. The primary focus of these plugins is to
discover hosts, applications and their related client/server vulnerabilities. The list of built-in PVS checks is available at the
following location:
http://static.tenable.com/dev/tenable_plugins.pdf
Many of the available plugins already detect activities that would fall into the “Inappropriate Use” category in most
companies. Some of the activities that are detected through these plugins include (but are not limited to):
• game server detection
• botnet client and server detection
• peer to peer file serving
• IRC server/client
• chat clients