257-260.html
Folder: Intrusion detection tutorials
Format: HTML
Page 1 of 2
			</SELECT>
			</font></td>
	</tr>
	</table>
	</form>
		</td>
		
<td width="100%" valign="top" align="left">


<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>

<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=8//-->
<!--PAGES=257-260//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="254-257.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="260-261.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<P><FONT SIZE="+1"><B><I>Writing to a Privileged Resource</I></B></FONT></P>
<P>A number of publicized attacks against SUID root programs take advantage of a race condition that demonstrates abuse of write privileges. If the SUID program creates a world-writable file in /tmp, for example, you can replace the file with a symbolic link to a world-readable resource such as /etc/passwd. This trick can cause the SUID program to write into a resource that it had no intention of altering. The X Windows server on some systems will create temporary world-writable files in the /tmp directory. Even the sticky bit will not prevent someone from creating a link from this file to another. The sticky bit set by default on /tmp prevents someone from deleting the file.
</P>
<P>The creation of world-writable files by privileged programs is an example of poor programming assumptions. Like the PATH problem mentioned before, the programmer made incorrect assumptions about the environment. If the SUID root program inherits its environment from the user's shell, it should not make any assumptions about PATH, UMASK, or any other environment variable. To avoid these problems, monitor your system for creation of a world-writable file by any user.</P>
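<P>The assumption the paragraph describes can be made concrete. The following Python is an added example, not code from the book or from any program it names: a naive temporary-file creation that inherits the caller's umask and writes through whatever already exists at the path, beside a hardened version that sets its own umask and opens with <I>O_CREAT|O_EXCL|O_NOFOLLOW</I> so a pre-placed file or link makes the call fail. The scratch directory stands in for /tmp, and the names <I>create_temp_unsafe</I>, <I>create_temp_safe</I>, <I>is_world_writable</I> and <I>demo</I> are mine.</P>

```python
import os
import shutil
import stat
import tempfile


def create_temp_unsafe(path: str, data: bytes) -> None:
    """The pattern the book warns about: the file mode comes from whatever
    umask the program inherited, and open() follows a symbolic link that
    someone else placed at `path`, so the write lands on the link's target."""
    with open(path, "wb") as fh:
        fh.write(data)


def create_temp_safe(path: str, data: bytes) -> None:
    """Hardened version: explicit private mode, a umask set by the program
    rather than inherited, and O_CREAT|O_EXCL (plus O_NOFOLLOW where the
    platform has it) so an existing file or link makes the call fail."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    old_umask = os.umask(0o077)
    try:
        fd = os.open(path, flags, 0o600)
    finally:
        os.umask(old_umask)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def is_world_writable(path: str) -> bool:
    """The condition the book says to monitor for: any user may write."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def demo() -> dict:
    """Constructed scenario in a scratch directory standing in for /tmp:
    a 'privileged' file, and a link to it pre-placed at the name the
    program will use for its temporary file."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "privileged")      # stands in for /etc/passwd
    with open(target, "w") as fh:
        fh.write("original\n")
    link = os.path.join(root, "prog.tmp")
    os.symlink(target, link)

    results = {}
    old_umask = os.umask(0o000)                    # a permissive inherited umask
    try:
        # Naive creation writes straight through the link into the target.
        create_temp_unsafe(link, b"clobbered\n")
        with open(target) as fh:
            results["unsafe_overwrote_target"] = fh.read() == "clobbered\n"

        # Hardened creation refuses the pre-placed link outright.
        try:
            create_temp_safe(link, b"x")
            results["safe_refused_link"] = False
        except OSError:
            results["safe_refused_link"] = True

        # Under a permissive umask the naive file is world-writable, the
        # hardened one is not: exactly the event the book says to watch for.
        naive = os.path.join(root, "naive.tmp")
        create_temp_unsafe(naive, b"ok")
        results["naive_file_world_writable"] = is_world_writable(naive)
        safe = os.path.join(root, "safe.tmp")
        create_temp_safe(safe, b"ok")
        results["safe_file_world_writable"] = is_world_writable(safe)
    finally:
        os.umask(old_umask)
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

<P>The last two checks in <I>demo()</I> are the monitoring condition the paragraph recommends, expressed as a test on the file's mode bits: a file whose other-write bit is set is reportable no matter which user or program created it.</P>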
<P><FONT SIZE="+1"><B><I>Reading a Privileged Resource</I></B></FONT></P>
<P>If the SUID program consists of only read operations, the goal is to trick the program into reading another privileged file that it had no intention of accessing. For example, if you can somehow trick the program into divulging the contents of the shadow password file, you can copy this output and run <I>crack</I> against it later. Access to other privileged files can reveal credit card numbers, account balances, or other secret information that you can use for destructive purposes, such as blackmail. Low-level access to disk drives is sufficient for reading <I>any</I> of the disk's contents because the read operations bypass the file-system permissions altogether. Treat read threats with respect.</P>
<P>The trick to detecting when a privileged resource has been compromised is to look for audit events on these resources when the AUID is someone other than the resource's owner or root. If a normal user's AUID appears in the read of a privileged resource, you <I>could</I> have problems. Unfortunately, you cannot merely search for any occurrence of a nonroot AUID in an operation on a privileged resource. When you change your password, the passwd program is SUID root, and the event in the audit trail shows a change to the shadow password file with your AUID. You also will need to consider the program name that appears in the event. If you recall, SeOS enables you to define which program paths can be used to access particular system resources. Although not part of commercial IDSs today, this expressibility in a signature would be useful.</P>
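<P>One way to express the program-path qualification the paragraph calls for, as an added Python example rather than anything from the book, SeOS or a commercial IDS: a policy table maps each privileged resource to its owner and to the programs allowed to touch it on an ordinary user's behalf, and an audit event is flagged only when the AUID is neither root nor the owner and the program is not on that list. The resource and program paths in the table, the audit record layout, and the program /usr/local/bin/report are assumptions made for the example.</P>

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuditEvent:
    auid: int       # audit (login) uid: unchanged by SUID transitions
    euid: int       # effective uid while the operation ran
    program: str    # path of the program that issued the operation
    op: str         # "read" or "write"
    resource: str   # file the operation touched
    success: bool   # failed attempts are audited too and still matter


# Policy table (hypothetical entries): privileged resource -> (owner uid,
# program paths that may touch it on an ordinary user's behalf). This is the
# per-program expressibility the book credits to SeOS, not any product's format.
PRIVILEGED_RESOURCES: Dict[str, Tuple[int, Set[str]]] = {
    "/etc/shadow": (0, {"/usr/bin/passwd", "/usr/bin/login", "/usr/bin/su"}),
    "/etc/passwd": (0, {"/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn"}),
    "/dev/rdsk/c0t0d0s0": (0, set()),  # raw disk: no sanctioned user-level path
}


def check_event(ev: AuditEvent) -> Optional[str]:
    """Return an alert string for `ev`, or None if the access is expected."""
    policy = PRIVILEGED_RESOURCES.get(ev.resource)
    if policy is None:
        return None                       # not a privileged resource
    owner, allowed_programs = policy
    if ev.auid in (0, owner):
        return None                       # root or the owner: nothing unusual
    if ev.program in allowed_programs:
        return None                       # e.g. passwd updating /etc/shadow
    outcome = "succeeded" if ev.success else "FAILED"
    return (f"{ev.op} of {ev.resource} by AUID {ev.auid} via {ev.program} "
            f"(EUID {ev.euid}) {outcome}")


def scan(events: List[AuditEvent]) -> List[str]:
    """Run every event through the policy and collect the alerts."""
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed sample trail: AUID 1000 is an ordinary user, and
# "/usr/local/bin/report" is a made-up SUID root program.
SAMPLE_EVENTS = [
    AuditEvent(1000, 0, "/usr/bin/passwd", "write", "/etc/shadow", True),       # legitimate
    AuditEvent(0, 0, "/bin/cat", "read", "/etc/shadow", True),                  # root itself
    AuditEvent(1000, 0, "/usr/local/bin/report", "read", "/etc/shadow", True),  # alert
    AuditEvent(1000, 1000, "/bin/cat", "read", "/etc/shadow", False),           # failed attempt
    AuditEvent(1000, 1000, "/bin/cat", "read", "/home/alice/notes", True),      # unprivileged
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

<P>The first sample event is the passwd case from the paragraph: a nonroot AUID writing /etc/shadow is silent because the program path is sanctioned, while the same resource read by the same AUID through an unlisted program is reported, and a failed attempt is reported as well.</P>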
<P><FONT SIZE="+1"><B><I>Running a Command</I></B></FONT></P>
<P>If the program does not read any user input into buffers, the chances of executing a buffer overflow attack against it are slim. The only way to possibly sneak in a buffer overflow attack is to somehow modify the name or contents of a resource that the privileged program is accessing in the hopes that a boundary problem will be found. This attack is unlikely because many of the resources are privileged in the first place, and if the hacker could access them, another fruitful hole must exist elsewhere.
</P>
<P>The attack that has been in vogue for quite a while is the buffer overflow attack. This is not surprising because so many privileged programs seem to be vulnerable. In principle, the buffer overflow attack is easy to detect. A SUID root program does something it should not be doing, such as forking or exec'ing a shell. In practice this pattern is difficult to express in general enough terms to catch <I>all</I> attacks. Privilege escalations occur many times during the day on a system, and in each event record, the user's AUID and RUID remain the same, but the EUID changes to that of the privileged user. Some individual patterns that work are as follows:</P>
<DL>
<DD><B>&bull;</B>&nbsp;&nbsp;Detect when a program is run that shows a privilege escalation (EUID becomes 0), and this program next forks or execs /bin/sh, /bin/csh, /bin/tsh, /bin/ksh, or some other shell.
<DD><B>&bull;</B>&nbsp;&nbsp;Detect when a privilege escalation occurs, followed by the copying of a program, followed by setting the program's owner to be root, followed by setting the execute bit for the file, finally followed by setting the SUID bit for the program.
</DL>
<P>Detecting a large set of buffer overflow attacks requires knowing which SUID programs legitimately fork or exec other programs and then watching for all other cases. In other words, you need to know for every SUID and SGID program what the possible valid transitions are to other programs. Yikes! It's unlikely a single person anywhere is able to specify these details for an entire operating system.
</P>
<P>Some cases are intuitively obvious. The passwd program should not spawn a shell. SUID or SGID programs that can create a subshell are dangerous anyway. (Sendmail has been attacked this way in the past.) For the time being, you can detect the most common buffer overflow scenarios by watching for the two sequences mentioned previously. By the way, no commercial tools today detect or prevent all buffer overflow attacks. It's a nontrivial problem to solve.</P>
<P>Another approach is to watch for single events, such as the following:</P>
<DL>
<DD><B>&bull;</B>&nbsp;&nbsp;When <I>anyone</I> sets the SUID or SGID bit for a program
<DD><B>&bull;</B>&nbsp;&nbsp;When AUID != 0 copies a file from one of the system directories (or tries to copy a file and fails)
</DL>
<P>Creating SUID or SGID programs is something that should not happen very often on your systems, and you probably want to know about it even if it is not an attack.
</P>
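<P>The two sequences and the two single events above can be encoded as rules over a per-process state machine. This is an added Python example, not from the book or any product it names; the audit record fields, the system-directory list and the program /usr/local/bin/suidtool are assumptions made for the example. Escalation is recognised the way the text describes it: an exec record whose EUID is 0 while the AUID (and RUID) still belong to an ordinary user.</P>

```python
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Shells from the book's first pattern; the system-directory list is an assumption.
SHELLS = {"/bin/sh", "/bin/csh", "/bin/tsh", "/bin/ksh"}
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/etc/")


@dataclass(frozen=True)
class AuditEvent:
    pid: int
    auid: int           # login uid: survives the SUID transition
    ruid: int           # real uid: likewise unchanged
    euid: int           # effective uid: becomes 0 on privilege escalation
    op: str             # "exec", "fork", "copy", "chown" or "chmod"
    target: str         # program run, destination of a copy, or file changed
    arg: int = 0        # new owner uid (chown) or new mode bits (chmod)
    src: str = ""       # source path of a copy
    success: bool = True


@dataclass
class ProcState:
    escalated: bool = False         # saw EUID 0 with a non-root AUID
    copied: Optional[str] = None    # file copied after the escalation
    chowned_root: bool = False      # ... then given to root
    exec_set: bool = False          # ... then made executable


class Detector:
    def __init__(self) -> None:
        self.procs: Dict[int, ProcState] = {}
        self.alerts: List[Tuple[str, int, str]] = []   # (rule, pid, detail)

    def feed(self, ev: AuditEvent) -> None:
        st = self.procs.setdefault(ev.pid, ProcState())

        # Privilege escalation: the record shows EUID 0 while AUID and RUID
        # still belong to an ordinary user (the SUID program has just started).
        if ev.op == "exec" and ev.euid == 0 and ev.auid != 0 and not st.escalated:
            st.escalated = True
            return

        # Pattern 1: the escalated program next forks or execs a shell.
        if st.escalated and ev.op in ("exec", "fork") and ev.target in SHELLS:
            self.alerts.append(("shell-after-escalation", ev.pid, ev.target))

        # Pattern 2: copy, chown root, chmod +x, chmod u+s, in that order,
        # all on the same file and within the same escalated process.
        if st.escalated and ev.op == "copy" and ev.success:
            st.copied, st.chowned_root, st.exec_set = ev.target, False, False
        elif st.escalated and ev.op == "chown" and ev.target == st.copied and ev.arg == 0:
            st.chowned_root = True
        elif st.escalated and ev.op == "chmod" and ev.target == st.copied and st.chowned_root:
            if ev.arg & 0o111:
                st.exec_set = True
            if ev.arg & stat.S_ISUID and st.exec_set:
                self.alerts.append(("suid-install-sequence", ev.pid, ev.target))

        # Single-event rules, independent of any sequence.
        if ev.op == "chmod" and ev.arg & (stat.S_ISUID | stat.S_ISGID):
            self.alerts.append(("suid-bit-set", ev.pid, ev.target))
        if ev.op == "copy" and ev.auid != 0 and ev.src.startswith(SYSTEM_DIRS):
            detail = f"{ev.src} -> {ev.target}" + ("" if ev.success else " (failed)")
            self.alerts.append(("system-copy", ev.pid, detail))


def run_sample() -> List[Tuple[str, int, str]]:
    """Constructed audit stream; "/usr/local/bin/suidtool" is a made-up SUID program."""
    events = [
        AuditEvent(101, 1000, 1000, 0, "exec", "/usr/bin/passwd"),            # escalation
        AuditEvent(101, 1000, 1000, 0, "exec", "/bin/sh"),                    # pattern 1
        AuditEvent(202, 1000, 1000, 0, "exec", "/usr/local/bin/suidtool"),    # escalation
        AuditEvent(202, 1000, 1000, 0, "copy", "/tmp/.sh", src="/bin/sh"),    # system copy
        AuditEvent(202, 1000, 1000, 0, "chown", "/tmp/.sh", arg=0),
        AuditEvent(202, 1000, 1000, 0, "chmod", "/tmp/.sh", arg=0o755),
        AuditEvent(202, 1000, 1000, 0, "chmod", "/tmp/.sh", arg=0o4755),      # pattern 2 + SUID bit
        AuditEvent(303, 1000, 1000, 1000, "chmod", "/home/alice/run.sh", arg=0o755),  # benign
        AuditEvent(404, 0, 0, 0, "exec", "/bin/sh"),                          # root's own shell
        AuditEvent(505, 1000, 1000, 1000, "copy", "/home/alice/p",
                   src="/etc/passwd", success=False),                         # failed copy
    ]
    det = Detector()
    for ev in events:
        det.feed(ev)
    return det.alerts


if __name__ == "__main__":
    for rule, pid, detail in run_sample():
        print(f"{rule}: pid {pid} {detail}")
```

<P>Root running a shell under its own AUID is deliberately silent, as is a user making a file in the home directory executable; the sample reports the shell after an escalation, the SUID install sequence, the SUID bit itself, and both copies from system directories, the failed one included. A production rule set would also have to follow the copied file across forked children and tolerate the chown and chmod steps being collapsed into fewer calls.</P>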
<P><FONT SIZE="+1"><B>Other System-Level Attacks to Monitor</B></FONT></P>
<P>You want to monitor several other events on your system, whether the result is successful or not:
</P>
<DL>
<DD><B>&bull;</B>&nbsp;&nbsp;Attempts to write, link, or delete in the system directories by a nonprivileged AUID
<DD><B>&bull;</B>&nbsp;&nbsp;Attempts to modify resources such as the system time, /dev/kmem, or /dev/mem
<DD><B>&bull;</B>&nbsp;&nbsp;Attempts to modify the audit subsystem configuration
<DD><B>&bull;</B>&nbsp;&nbsp;Attempts to stop the audit subsystem
<DD><B>&bull;</B>&nbsp;&nbsp;Attempts to run known rogue programs such as zap, crack, SATAN, COPS, and others
<DD><B>&bull;</B>&nbsp;&nbsp;Attempts to enable an adapter for promiscuous mode (for sniffing the network)
<DD><B>&bull;</B>&nbsp;&nbsp;Attempts to run exploratory programs (who, rwho, finger, ps, or find)
<DD><B>&bull;</B>&nbsp;&nbsp;Attempts by unprivileged users to run privileged programs such as mount, exportfs, mknod, and so on
</DL>
<P>A simple principle to follow when defining a monitoring policy is to watch for any attempts by users to access resources that they should not be referencing. Stalker, for example, will report failed access attempts for resources when the event's AUID and the resource owner ID are not identical.
</P><P><BR></P>


		</TD>
    </TR>
	</TABLE>

		
</BODY>
</HTML>
