			<option value="">-----------
			<option value="/reference/whatsnew.html">New Titles
			<option value="">-----------
			<option value="/reference/dir.archive1.html">Free Archive		
			</SELECT>
			</font></td>
	</tr>
	</table>
	</form>
		</td>
<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->

<!-- begin main content -->
<td width="100%" valign="top" align="left">
<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<form name="Search" method="GET" action="http://search.earthweb.com/search97/search_redir.cgi">

<INPUT TYPE="hidden" NAME="Action" VALUE="Search">
<INPUT TYPE="hidden" NAME="SearchPage" VALUE="http://search.earthweb.com/search97/samples/forms/srchdemo.htm">
<INPUT TYPE="hidden" NAME="Collection" VALUE="ITK">
<INPUT TYPE="hidden" NAME="ResultTemplate" VALUE="itk-full.hts">
<INPUT TYPE="hidden" NAME="ViewTemplate" VALUE="view.hts">

<font face="arial, helvetica" size=2><b>Search this book:</b></font><br>
<INPUT NAME="queryText" size=50 VALUE="">&nbsp;<input type="submit" name="submitbutton" value="Go!">
<INPUT type=hidden NAME="section_on" VALUE="on">
<INPUT type=hidden NAME="section" VALUE="http://www.itknowledge.com/reference/standard/0471290009/">

</form>


<!-- Empty Reference Subhead -->

<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=6//-->
<!--PAGES=206-208//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="205-206.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="../ch07/209-211.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H4 ALIGN="LEFT"><A NAME="Heading15"></A><FONT COLOR="#000077">Monitoring Policies</FONT></H4>
<P>One unresolved issue is the difference between the <I>preventative security policy</I> you define and the need for a separate <I>monitoring policy</I>. When you configure an IDS, you can decide which events to monitor and how to respond to them. Unfortunately, you cannot make broad statements such as the following:</P>
<DL>
<DD>P1: Alert me anytime someone reads a file that they should not be accessing.
</DL>
<P>The monitoring policy needs to be more specific, such as the following:
</P>
<DL>
<DD>P2: Alert me anytime someone reads a file for which they do not have explicit read access.
</DL>
<P>Huh? How can someone read a file if they are not explicitly given read permission? The answer lies in the recurring theme of <I>on behalf of</I> semantics. A user with UID=231 can access a file by running a program that has enough privileges to read the file on behalf of the user. In UNIX this is accomplished via the SUID and SGID bit settings. In NT, escalating privileges to SYSTEM or Administrator accomplishes a similar goal.</P>
<P>No good mechanism exists today for specifying a single security policy that different products will read and enforce or monitor. One reason is that no particular vendor provides both a comprehensive preventative tool and an equally strong monitoring tool. If this mechanism were available today, the vendor would immediately realize how much trouble it is to define both a prevention policy <I>and</I> a monitoring policy. Stated somewhat differently, defining a series of access control rules in one product and then configuring events to monitor in another is a problem that only the end user faces today. Having a single tool in which to enter a comprehensive policy would be useful, even if the prevention and monitoring policies are not identical.</P>
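<P>As an added illustration (not code from the book), the monitoring policy P2 above can be checked against audit records by comparing the <I>real</I> user's own rights against the file's mode bits: a read that succeeded without explicit permission is one performed on the user's behalf by a SUID/SGID program. The file layout, UIDs and events below are constructed sample data.</P>

```python
# Added example, not from Escamilla's book: policy P2, "alert when someone reads a
# file for which they lack explicit read access", evaluated over constructed audit
# records. The real UID's rights decide; the effective UID only explains the read.
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class FileInfo:
    owner_uid: int
    owner_gid: int
    mode: int          # permission bits only, e.g. 0o640

@dataclass(frozen=True)
class ReadEvent:
    uid: int           # real UID of the calling user
    euid: int          # effective UID the process ran with (0 after a SUID-root exec)
    groups: frozenset  # the real user's group memberships
    path: str

def explicit_read_access(f: FileInfo, uid: int, groups: frozenset) -> bool:
    """True if the user's own identity (not an inherited privilege) may read f."""
    if uid == 0:
        return True
    if uid == f.owner_uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.owner_gid in groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

def check_p2(events, files):
    """Return (path, real uid, effective uid) for every read that violates P2."""
    alerts = []
    for ev in events:
        f = files[ev.path]
        if not explicit_read_access(f, ev.uid, ev.groups):
            alerts.append((ev.path, ev.uid, ev.euid))
    return alerts

# Constructed sample: a root-owned, mode 0640 file readable by group 42, and a
# world-readable one. UID 231 is the ordinary user from the text.
FILES = {
    "/etc/shadow": FileInfo(owner_uid=0, owner_gid=42, mode=0o640),
    "/etc/motd": FileInfo(owner_uid=0, owner_gid=0, mode=0o644),
}
EVENTS = [
    ReadEvent(uid=231, euid=231, groups=frozenset({231}), path="/etc/motd"),
    # a SUID-root program reading the file on behalf of UID 231: euid is 0
    ReadEvent(uid=231, euid=0, groups=frozenset({231}), path="/etc/shadow"),
]
```

Note that the rule fires on the second read even though a SUID-root program (such as a password-changing utility) is the intended way for that file to be read, which is exactly why the monitoring policy ends up broader than the preventative one.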
<H3><A NAME="Heading16"></A><FONT COLOR="#000077">Simple or Complex Attacks</FONT></H3>
<P>By far the largest number of attacks detected by IDSs involve a single event. Examples include the following:
</P>
<DL>
<DD><B>&#149;</B>&nbsp;&nbsp;A nonprivileged user changes a privileged program by writing to its location on disk.
<DD><B>&#149;</B>&nbsp;&nbsp;A nonprivileged user reads a privileged file.
<DD><B>&#149;</B>&nbsp;&nbsp;A program deletes <I>too many</I> files in successive operations.
<DD><B>&#149;</B>&nbsp;&nbsp;Someone creates a filename with special characters.
<DD><B>&#149;</B>&nbsp;&nbsp;A privileged user runs a program whose full path name is incorrect, such as /home/joe/ls instead of /bin/ls.
<DD><B>&#149;</B>&nbsp;&nbsp;A spoofed IP address packet.
</DL>
<P>After this initial category are thresholds of events:
</P>
<DL>
<DD><B>&#149;</B>&nbsp;&nbsp;<I>N</I> failed login attempts
<DD><B>&#149;</B>&nbsp;&nbsp;Port scanning from the same source IP address
<DD><B>&#149;</B>&nbsp;&nbsp;Resource flooding, such as sending too many ping packets
</DL>
<P>Sequences of events form the next level of difficulty in detecting an intruder:
</P>
<DL>
<DD><B>&#149;</B>&nbsp;&nbsp;A normal user executing a privileged program, which in turn forks a root shell on a UNIX system (likely evidence of a buffer overflow attack)
<DD><B>&#149;</B>&nbsp;&nbsp;Three failed attempts to su to root followed by success (evidence of a guessed password)
</DL>
<P>If you take the set of attacks defined by a single event and you combine them with each event separated by an OR, you have one large IDS pattern. If you take some single events, like failed login, then combine them with an AND, you have sequences and thresholds. Taking single events and joining them into graphs with many AND and OR operators leads to the next category. Activities represented as complex graphs, possibly requiring metadata, constitute the most difficult category of attacks. An example in this category would be failed login thresholds successively exceeded for each user, with events in the same order as the users listed in the password file or registry. The metadata used in the pattern is knowledge about the order of entries in the password file. The sequence of events is a series of failed logins. If the sequence is followed by a successful login, an intrusion definitely occurred.
</P>
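<P>The first three categories above (single events, thresholds, sequences) map onto three kinds of matcher; the following added example (not the book's code) runs each over a constructed audit log. The event tuples, user names, source address and trusted directories are all made up for the illustration.</P>

```python
# Added example, not from Escamilla's book: single-event, threshold and sequence
# detection over a constructed audit log. Single-event rules match one record,
# threshold rules count repeats per key, and the sequence rule keeps a small
# per-user run of failed su-to-root attempts that a later success completes.
from collections import Counter, defaultdict

# Constructed audit log: (kind, user, detail); detail is a source IP for logins,
# a program path for execs and the target account for su.
EVENTS = [
    ("login_fail", "joe", "10.0.0.5"),
    ("login_fail", "joe", "10.0.0.5"),
    ("login_fail", "joe", "10.0.0.5"),
    ("exec", "joe", "/home/joe/ls"),        # a nonprivileged user: not an event
    ("exec", "root", "/home/joe/ls"),       # privileged user, wrong full path
    ("su_fail", "ann", "root"),
    ("su_fail", "ann", "root"),
    ("su_fail", "ann", "root"),
    ("su_ok", "ann", "root"),               # three failures then success
    ("su_fail", "bob", "root"),
    ("su_ok", "bob", "root"),               # one failure: below the sequence length
]

PRIVILEGED = {"root"}
TRUSTED_DIRS = ("/bin/", "/usr/bin/", "/sbin/")

def single_event_alerts(events):
    """Privileged user runs a program from outside the trusted directories."""
    return [(u, p) for k, u, p in events
            if k == "exec" and u in PRIVILEGED and not p.startswith(TRUSTED_DIRS)]

def threshold_alerts(events, n=3):
    """N or more failed logins for the same user from the same source address."""
    counts = Counter((u, src) for k, u, src in events if k == "login_fail")
    return [key for key, c in counts.items() if c >= n]

def sequence_alerts(events, n=3):
    """At least n failed su-to-root attempts by a user followed by a success."""
    fails = defaultdict(int)
    alerts = []
    for kind, user, target in events:
        if kind not in ("su_fail", "su_ok") or target != "root":
            continue
        if kind == "su_fail":
            fails[user] += 1
        else:
            if fails[user] >= n:
                alerts.append(user)
            fails[user] = 0                 # a success ends the run either way
    return alerts
```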
<H3><A NAME="Heading17"></A><FONT COLOR="#000077">Prepare to Scan for Weaknesses</FONT></H3>
<P>In this chapter you have seen how some intruder events are detected easily, and how others are more complicated to uncover. The focus of a particular IDS can be at the network level, system level, or application level. As the IDS industry matures, products are beginning to look for problems at all three levels.
</P>
<P>Regardless of the focus of a product, some data source must be relied upon for catching intruders. The choice of data stream, the technique for capturing data, and the method of analysis all affect the types of problems the IDS can find. IDS design choices also determine whether an event is captured in real time or detected after the fact, and whether it can be assigned to the appropriate UID. Tracking hackers across multiple systems was shown to present special challenges, particularly for accountability.</P>
<P>In the next chapter, you will learn about specific attacks against your systems and how you can deploy a vulnerability scanner to start looking for holes before they are exploited.</P><P><BR></P>
		<br><br>
		</TD>
    </TR>
	</TABLE>
</BODY>
</HTML>