			<option value="/reference/dir.middleware.html">Middleware
			<option value="/reference/dir.multimediaandgraphicdesign1.html">Multimedia
			<option value="/reference/dir.networkservices1.html">Networks 
			<option value="/reference/dir.operatingsystems.html">OS
			<option value="/reference/dir.productivityapplications1.html">Prod Apps
			<option value="/reference/dir.programminglanguages.html">Programming
			<option value="/reference/dir.security1.html">Security	
			<!-- <option value="/reference/dir.ewtraining1.html">Training Guides -->
			<option value="/reference/dir.userinterfaces.html">UI
			<option value="/reference/dir.webservices.html">Web Services
			<option value="/reference/dir.webmasterskills1.html">Webmaster
			<option value="/reference/dir.y2k1.html">Y2K
			<option value="">-----------
			<option value="/reference/whatsnew.html">New Titles
			<option value="">-----------
			<option value="/reference/dir.archive1.html">Free Archive		
			</SELECT>
			</font></td>
	</tr>
	</table>
	</form>
<!-- LEFT NAV SEARCH END -->

		</td>
		
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->

<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->

<!-- begin main content -->
<td width="100%" valign="top" align="left">


<!-- END SUB HEADER -->

<!--Begin Content Column -->

<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<form name="Search" method="GET" action="http://search.earthweb.com/search97/search_redir.cgi">

<INPUT TYPE="hidden" NAME="Action" VALUE="Search">
<INPUT TYPE="hidden" NAME="SearchPage" VALUE="http://search.earthweb.com/search97/samples/forms/srchdemo.htm">
<INPUT TYPE="hidden" NAME="Collection" VALUE="ITK">
<INPUT TYPE="hidden" NAME="ResultTemplate" VALUE="itk-full.hts">
<INPUT TYPE="hidden" NAME="ViewTemplate" VALUE="view.hts">

<font face="arial, helvetica" size=2><b>Search this book:</b></font><br>
<INPUT NAME="queryText" size=50 VALUE="">&nbsp;<input type="submit" name="submitbutton" value="Go!">
<INPUT type=hidden NAME="section_on" VALUE="on">
<INPUT type=hidden NAME="section" VALUE="http://www.itknowledge.com/reference/standard/0471290009/">

</form>


<!-- Empty Reference Subhead -->

<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=8//-->
<!--PAGES=260-261//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="257-260.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="../ch09/263-265.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<P><FONT SIZE="+1"><B>Exceptions for Recommended Patterns</B></FONT></P>
<P>When you configure your monitoring policy, one problem will be alerts generated with an RUID=0 from the root user. If the root user logs into a system and deletes files, the RUID is 0 in the audit records. When a program is a server process that listens for input from other programs and is started automatically by the system at boot time, the RUID will also be 0. If, by sending this server program a message, the hacker can trick it into writing to another user&rsquo;s files, the audit event will seem to have originated from the root user. <I>The only way to detect this type of attack is by tracing the path of activities through interprocess communication</I>. Today, no commercial IDSs drill down this far into the audit stream, tracking socket or message queue transfers between processes to assign accountability.</P>
<P>If you want to avoid receiving notifications when the root user deletes or writes to files owned by other users, you could miss some types of attacks. On the other hand, watching every action of the root user can generate quite a bit of data that is not indicative of attacks. Unfortunately, the tradeoff is yours to make.</P>
<P><FONT SIZE="+1"><B>Pure and Simple Bugs</B></FONT></P>
<P>Often the hacker is lucky enough to have a crack handed to them. Buffer overflow attacks require some dedicated work to create, although after the details for a particular SUID program are known, a reusable hack spreads rapidly on the net. Once in a while an exploit is so simple that it is amazing that the problem could have been missed in code reviews. One such example is the <I>rlogin -froot</I> problem in AIX. Although rlogin is a remote-connection program, a local user can run the command. By typing the following a user could gain root access to the system:</P>
<!-- CODE SNIP //-->
<PRE>
rlogin <I>remotehostname</I> -froot
</PRE>
<!-- END CODE SNIP //-->
<P>No special programming skills were needed. The user would be delivered into a root shell with complete control over the system.</P>
<P>Detecting this attack on a local system is easy. When a program is run out of a shell, a fork event is followed by an exec event in the audit log. The parameters used in the program are part of the audit record. Scanning specifically for the pattern &ldquo;rlogin * -froot&rdquo; where * matches any characters would detect the hack. What you would have discovered is a local user trying to launch this attack from the current system, possibly directed right back to the same system.</P>
<P>If your system is the target of such an attack from a remote user on another system, knowing what to look for in the audit logs is important for detecting this attack. Because the audit records emitted are different for the server that catches the rlogin request, you cannot use the same pattern as you would to catch the attack when it is launched from your system.</P>
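<P>As an added example (not from the book or the tools it describes), the two detections just described run over a constructed, simplified audit trail: the <I>rlogin * -froot</I> wildcard pattern applied to exec records that follow a fork, and the root-user exception from the earlier section expressed as an <I>ignore_root</I> switch so the trade-off is visible. The record layout, event names, process ids and file owners are assumptions; real AIX audit output is laid out differently.</P>

```python
import re

# Constructed, simplified audit trail (one key=value record per line); real AIX
# audit output differs. Kept is just the shape the chapter describes: a FORK
# event, an EXEC event carrying the command line, and file events with owners.
SAMPLE_AUDIT = """\
event=FORK ruid=501 pid=4101 ppid=4100
event=EXEC ruid=501 pid=4101 ppid=4100 cmd=rlogin devbox.example -froot
event=FORK ruid=502 pid=4210 ppid=4200
event=EXEC ruid=502 pid=4210 ppid=4200 cmd=rlogin devbox.example -l alice
event=FORK ruid=0 pid=4300 ppid=1
event=EXEC ruid=0 pid=4300 ppid=1 cmd=rlogin localhost -froot
event=FILE_Unlink ruid=0 pid=4305 ppid=1 owner=502 path=/home/bob/notes.txt
event=FILE_Unlink ruid=501 pid=4106 ppid=4100 owner=502 path=/home/bob/notes.txt
"""

# The chapter's pattern "rlogin * -froot" ('*' matches any characters); the
# optional group also catches the flag written before the host name.
RLOGIN_FROOT = re.compile(r"^rlogin(?:\s.*)?\s-froot(?:\s|$)")


def parse_record(line):
    """Split 'key=value ...' into a dict; cmd and path run to end of line."""
    fields, rest = {}, line.strip()
    while rest:
        key, _, rest = rest.partition("=")
        if key in ("cmd", "path"):  # free-text fields may contain spaces
            fields[key] = rest
            break
        fields[key], _, rest = rest.partition(" ")
    return fields


def detect(audit_text, ignore_root=False):
    """Return (alert, pid, ruid) tuples. ignore_root=True is the chapter's policy
    exception: deletes of other users' files by RUID 0 are not reported."""
    alerts, forked = [], set()  # forked: pids with a FORK but no EXEC yet
    for line in filter(str.strip, audit_text.splitlines()):
        rec = parse_record(line)
        pid, ruid = int(rec["pid"]), int(rec["ruid"])
        if rec["event"] == "FORK":
            forked.add(pid)
        elif rec["event"] == "EXEC":
            # fork then exec is how a shell-launched command appears; the
            # exec record carries the program's parameters.
            if pid in forked and RLOGIN_FROOT.match(rec.get("cmd", "")):
                alerts.append(("rlogin-froot", pid, ruid))
            forked.discard(pid)
        elif rec["event"] == "FILE_Unlink" and int(rec["owner"]) != ruid:
            if not (ignore_root and ruid == 0):  # pid 4305 vanishes here
                alerts.append(("other-user-delete", pid, ruid))
    return alerts
```

With <I>ignore_root=True</I> the delete performed by the boot-started process (RUID 0, pid 4305 in the constructed trail) is no longer reported, which is the kind of tricked-server activity the chapter says this exception can hide.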
<H3><A NAME="Heading24"></A><FONT COLOR="#000077">Why You&rsquo;re Not Finished Yet</FONT></H3>
<P>You have now taken a close look at Stalker and CMDS&mdash;two well-known system-level UNIX IDSs. Both tools provide audit reduction but differ in primary focus. CMDS provides some attack pattern analysis, but its strength lies in the statistical anomaly detection techniques for which it is well known. Stalker also provides some statistical threshold notifications but boasts a wide range of attack patterns for catching intruders.</P>
<P>You also have seen how local users can hack a system for denial-of-service attacks and how to look for these attacks in the audit logs. An IDS will be able to detect these attacks if they are launched from your system because audit records contain detailed information about programs and their parameters. The audit system also assigns accountability in most cases when local users are the initiators of activities.</P>
<P>By far the greatest risk is not from denial-of-service attacks but from successful attempts by users to gain privileges. Sometimes privilege escalation can occur by tricking a user into running a command on your behalf. Other times, you can gain privilege by guessing someone&rsquo;s password. The most frequently occurring hack announced on the Internet today is the buffer overflow attack against privileged programs. With a little digging, a cracker can gain access to a superuser shell via one of these attacks. Luckily, the most common cases surface in the audit logs with predictable patterns. Unfortunately, a general-purpose buffer overflow pattern is very difficult to build.</P>
<P>Although the audit logs provide a large amount of information about what&rsquo;s happening on the system, they do not record all of the network activities for a system. Many of the network attacks on systems are thus not seen by system-level monitoring tools like Stalker and CMDS. Therefore, to complete your IDS solution, you need to deploy network tools as well. Turn to the next chapter to see how network sniffers catch problems that system IDSs and scanners miss.</P><P><BR></P>
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="257-260.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="../ch09/263-265.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>


<!-- all of the reference materials (books) have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- BEGIN SUB FOOTER -->
		<br><br>
		</TD>
    </TR>
	</TABLE>

		
	<table width="640" border=0 cellpadding=0 cellspacing=0>
		<tr>
		<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
		
		
<!-- END SUB FOOTER -->

<!-- all of the books have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- FOOTER -->
			
		<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a>&nbsp;|&nbsp; <a href="/contactus.html"><font color="#006666">Contact Us</font></a>&nbsp;|&nbsp; <a href="/aboutus.html"><font color="#006666">About Us</font></a>&nbsp;|&nbsp; <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> &nbsp;|&nbsp; <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> &nbsp;|&nbsp; <a href="/"><font color="#006666">Home</font></a></b>
		<br><br>
		
		Use of this site is subject to certain <a href="/agreement.html">Terms &amp; Conditions</a>, <a href="/copyright.html">Copyright &copy; 1996-1999 EarthWeb Inc.</a><br> 
All rights reserved.  Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.</font><p>
</td>
		</tr>
</table>
</BODY>
</HTML>

<!-- END FOOTER -->
