<td width="100%" valign="top" align="left">
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=7//-->
<!--PAGES=217-221//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="214-217.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="221-225.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<P><FONT SIZE="+1"><B><I>File Integrity Checker</I></B></FONT></P>
<P>Like many other security products, S3 includes a facility for computing cryptographic signatures for selected files. The database of signature-file pairs is stored and examined at future intervals to detect possible Trojan Horses. An MD5 signature is computed from various file attributes. Stored in the database with the file name are its MD5 signature, permissions, owner, group, and size. If any of these parameters change, the next file integrity scan will generate an alert. Shipped with each installation is an OS-specific baseline file containing a predefined set of file names to monitor with the integrity checker.
</P>
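<P>As an added illustration (not S3's code, and not from the book), the following Python sketch implements the baseline-and-rescan scheme just described: it records the MD5 digest, permission bits, owner, group, and size of each monitored file, then reports which attribute changed on the next scan. The monitored file <CODE>login</CODE> and the tampering are constructed for the demo; MD5 is kept only to match the book, since a checker written today would record SHA-256.</P>

```python
import hashlib
import os
import stat
import tempfile

# Added example, not S3's own code: baseline-and-rescan integrity checking over
# the attributes the book says S3 records (MD5, permissions, owner, group, size).
# MD5 matches the book's description; a checker written today would use SHA-256.

def snapshot(path):
    """Return the attribute record stored per file in the signature database."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.md5(fh.read()).hexdigest()
    return {
        "md5": digest,
        "perm": stat.S_IMODE(st.st_mode),  # permission bits only, not file type
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }

def build_baseline(paths):
    """The signature-file database: file name -> attribute record."""
    return {p: snapshot(p) for p in paths}

def scan(baseline):
    """Rescan every baselined file; return (path, attribute, old, new) per change."""
    alerts = []
    for path, old in baseline.items():
        if not os.path.lexists(path):
            alerts.append((path, "missing", old, None))
            continue
        new = snapshot(path)
        for attr, value in old.items():
            if new[attr] != value:
                alerts.append((path, attr, value, new[attr]))
    return alerts

def demo():
    """Constructed scenario: baseline a script, append to it, rescan."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "login")  # constructed monitored file
        with open(target, "wb") as fh:
            fh.write(b"#!/bin/sh\nexec /bin/true\n")
        baseline = build_baseline([target])
        assert scan(baseline) == []  # clean rescan right after baselining
        with open(target, "ab") as fh:
            fh.write(b"echo trojaned\n")  # simulated Trojan Horse edit
        return sorted(a[1] for a in scan(baseline))  # -> ["md5", "size"]
```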
<P><FONT SIZE="+1"><B><I>Results and Reporting</I></B></FONT></P>
<P>Scan outcomes are stored on the local node for a local scan and in separate per-node subdirectories on the central engine for distributed scans. Results files are not in a human-readable format and must be analyzed with the GUI, the CLI, or an HTML browser. The first-level detail output indicates the number of high-, medium-, and low-risk vulnerabilities found, along with informational and error messages. Failing to complete a scan because of network faults generates an error condition.
</P>
<P>In the GUI, results can be examined by node, by group, or by vulnerability type. Users familiar with file system browsers such as NT Explorer will easily adapt to the hierarchical reporting interface shown in Figure 7.2. In addition to sending output to the screen, S3 optionally generates ASCII, comma-separated, and HTML reports.</P>
<P><A NAME="Fig2"></A><A HREF="javascript:displayWindow('images/07-02.jpg',814,522 )"><IMG SRC="images/07-02t.jpg"></A>
<BR><A HREF="javascript:displayWindow('images/07-02.jpg',814,522)"><FONT COLOR="#000077"><B>Figure 7.2</B></FONT></A> Example output from an S3 scan.</P>
<P><FONT SIZE="+1"><B><I>Vulnerabilities Scanned</I></B></FONT></P>
<P>S3 organizes its vulnerability database hierarchically within several different categories, including:
</P>
<UL>
<LI>Files</LI>
<LI>Users</LI>
<LI>Groups</LI>
<LI>Passwords</LI>
<LI>Hacker signatures</LI>
</UL>
<P>The entire set of scanned items is too long to list and describe in detail here. A summary of scanned weaknesses is given in Table 7.1. You should consult the ISS Web site <A HREF="http://www.iss.net">www.iss.net</A> for the most current list.</P>
<TABLE WIDTH="100%">
<CAPTION ALIGN="LEFT"><B>Table 7.1</B> Vulnerabilities Scanned by S3</CAPTION>
<TR>
<TH WIDTH="30%" ALIGN="LEFT">Vulnerability Scanned</TH>
<TH WIDTH="70%" ALIGN="LEFT">Description</TH>
</TR>
<TR>
<TD VALIGN="TOP">Password file</TD>
<TD>Blank lines in password file; improper characters in password file</TD>
</TR>
<TR>
<TD VALIGN="TOP">Trusted hosts</TD>
<TD>hosts.equiv and .rhosts for system or users; .shosts files for ssh; .netrc files</TD>
</TR>
<TR>
<TD VALIGN="TOP">RC files, crontab, user-owned files, and printcap</TD>
<TD>Improper ownership and permissions for files; bogus path names in entries; improper settings for programs invoked by cron, RC scripts, printcap, and user profiles; improper symbolic links</TD>
</TR>
<TR>
<TD VALIGN="TOP">External and local file system</TD>
<TD>World-readable and world-writable file system exports; wrong owner or permissions on critical system files and programs; SUID and SGID programs; unusual file names; hidden files and directories</TD>
</TR>
<TR>
<TD VALIGN="TOP">Internet services</TD>
<TD>HTTP daemon user and group account security (no root or Administrator access); incorrect permissions on directories in the Web virtual file tree; unrestricted FTP access; insecure services enabled (tftp, chargen, fingerd, FSP, and others); ownership and permission problems for programs; bogus path names in configuration files</TD>
</TR>
<TR>
<TD VALIGN="TOP">Sendmail</TD>
<TD>Old version checks; VRFY and EXPN enabled; mail aliased to programs; authentication warnings; permissions and ownership of mail spool directories</TD>
</TR>
<TR>
<TD VALIGN="TOP">Software bugs</TD>
<TD>Checks for known vulnerable programs to see whether patches have been applied; extensive checks for buffer overflow attacks</TD>
</TR>
<TR>
<TD VALIGN="TOP">Users and groups</TD>
<TD>Invalid UIDs and GIDs; accounts with root privileges; duplicate UIDs and GIDs; invalid home directories or initial programs; dormant accounts; unused accounts; weak, missing, or easily cracked passwords</TD>
</TR>
<TR>
<TD VALIGN="TOP">Netscape browser settings</TD>
<TD>Java and JavaScript enabled; POP mail password</TD>
</TR>
<TR>
<TD VALIGN="TOP">Network adapter enabled for promiscuous mode</TD>
<TD>Checks whether a sniffer is activated</TD>
</TR>
</TABLE>
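<P>Added example (not ISS code): the checks listed in the "Password File" and "Users and groups" rows of Table 7.1, applied to a constructed <CODE>/etc/passwd</CODE>. The home-directory check takes a set of existing directories as a parameter so that the sample runs without touching the real file system.</P>

```python
import re

# Added example, not S3's own code: password-file checks from Table 7.1 run
# over a constructed /etc/passwd (blank line, missing password, second UID-0
# account, duplicate UID, bad home directory, improper characters, bad UID).
CONSTRUCTED_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

backup::34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/nonexistent:/bin/bash
bad user:x:abc:1002:Broken:/home/bad:/bin/bash
"""

FIELD_RE = re.compile(r"^[^:\s]+$")  # user names: no blanks, no colons
def check_passwd(text, existing_dirs):
    """Return (line_number, finding) pairs; existing_dirs stands in for the file system."""
    findings = []
    seen_uid = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            findings.append((lineno, "blank line in password file"))
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "wrong field count"))
            continue
        name, pw, uid, gid, _gecos, home, _shell = fields
        if not FIELD_RE.match(name):
            findings.append((lineno, "improper characters in user name"))
        if pw == "":
            findings.append((lineno, f"{name}: missing password"))
        if not uid.isdigit() or not gid.isdigit():
            findings.append((lineno, f"{name}: invalid UID or GID"))
            continue  # remaining checks need numeric ids
        if uid == "0" and name != "root":
            findings.append((lineno, f"{name}: account with root privileges"))
        if uid in seen_uid:
            findings.append((lineno, f"{name}: duplicate UID shared with {seen_uid[uid]}"))
        else:
            seen_uid[uid] = name
        if home not in existing_dirs:
            findings.append((lineno, f"{name}: invalid home directory {home}"))
    return findings

def demo():
    dirs = {"/root", "/usr/sbin", "/var/backups", "/home/alice", "/home/bad"}
    return check_passwd(CONSTRUCTED_PASSWD, dirs)
```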
<P><FONT SIZE="+1"><B>Internet Scanner</B></FONT></P>
<P>The ISS Internet Scanner looks for a number of system and network weaknesses in your nodes. The model is a remote scan from a central node, and all results are captured centrally because the scan runs on only one node. Depending on the options purchased, Internet Scanner will look for Web, firewall, common, and system weaknesses. The available checks are controlled by an electronic license key. The initial Internet Scanner screen is shown in Figure 7.3.
</P>
<P><A NAME="Fig3"></A><A HREF="javascript:displayWindow('images/07-03.jpg',656,492 )"><IMG SRC="images/07-03t.jpg"></A>
<BR><A HREF="javascript:displayWindow('images/07-03.jpg',656,492)"><FONT COLOR="#000077"><B>Figure 7.3</B></FONT></A> Main screen for Internet Scanner.</P>
<P><FONT SIZE="+1"><B><I>Vulnerabilities Checked by Internet Scanner</I></B></FONT></P>
<P>Some of the problems that S3 reports are also discovered by Internet Scanner, although in a different way. For example, a world-writable NFS exported file system is a potential security vulnerability (depending on the security policy at your site). S3 detects this vulnerability by looking at the currently exported file systems, or by examining the NFS exports configuration file in case the file system is not currently exported for mounting. Internet Scanner checks for the same vulnerability either by attempting to mount exported file systems with read-write access or by querying the list of exported file systems on a node with the showmount command.
</P>
<P>Telling Internet Scanner which vulnerabilities to probe is straightforward. Figure 7.4 shows the IP spoofing scan options for Internet Scanner. As you can see, the interface is slightly different from that of S3: choices are indicated by setting radio buttons and entering optional data in fields. Figure 7.5 shows some of the possibilities when the target of the scan is a Web server. Note the inclusion of the phf.cgi attack. The List CGI button causes ISS to check for the test.cgi hack. You can select different scan intensities: full, heavy, medium, and lite. A custom configuration is easily defined, as shown.</P>
<P><A NAME="Fig4"></A><A HREF="javascript:displayWindow('images/07-04.jpg',455,457 )"><IMG SRC="images/07-04t.jpg"></A>
<BR><A HREF="javascript:displayWindow('images/07-04.jpg',455,457)"><FONT COLOR="#000077"><B>Figure 7.4</B></FONT></A> Configuring IP spoofing options in Internet Scanner.</P>
<P><A NAME="Fig5"></A><A HREF="javascript:displayWindow('images/07-05.jpg',455,457 )"><IMG SRC="images/07-05t.jpg"></A>
<BR><A HREF="javascript:displayWindow('images/07-05.jpg',455,457)"><FONT COLOR="#000077"><B>Figure 7.5</B></FONT></A> Web server scan options in Internet Scanner.</P>
<P>Following is a list of the vulnerabilities that are potentially scanned. Not all options are always available; firewall- and Web-specific items are supported only if you have purchased the appropriate license. See the ISS Web site for the most current list.
</P>
<br><br>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>