Red Hat NETWORK BASIC - USER REFERENCE GUIDE 4.0 User Guide Page 67
# Look for failed logins into a FreeBSD telnet server
id=0400
hs_sport=23
dependency=1903
realtimeonly
name=Failed login attempt
description=PVS detected a failed login attempt to a telnet server
risk=LOW
match=Login incorrect
This plugin has many of the same features as a vulnerability plugin. The ID of the plugin is 0400. The high-speed port is
23. It depends on plugin 1903 (which detects a Telnet service). The “realtimeonly” keyword tells the
PVS that if it observes this pattern it should alert on the activity but not record a vulnerability.
Under the SecurityCenter, events from the PVS are recorded alongside other IDS tools.
Example Finger User List Enumeration Plugin
The finger daemon implements an older Internet protocol that allowed system users to query remote servers for information
about a user on that box. There have been several security holes in this protocol that let an attacker elicit user and
system information useful for further attacks.
id=0500
dependency=1277
hs_sport=79
track-session=10
realtimeonly
name=App Subversion - Successful finger query to multiple users
description=A response from a known finger daemon was observed which indicated that the attacker was able to retrieve a list of three or more valid user names.
risk=HIGH
match=Directory:
match=Directory:
match=Directory:
With this plugin, we are only looking for these patterns on systems where a working finger daemon has been identified
(dependency #1277). In this plugin, though, we see the use of the track-session keyword. With a value of 10, the session
data from the next 10 packets is tracked and logged to either syslog or the real-time log file.
During a normal finger query, if only one valid user is queried, then only one home directory will be returned. However, many
of the exploits for finger involve querying for users such as “NULL”, “0”, or “..”. This causes vulnerable finger daemons to
return a listing of all users. In that case, this plugin would be activated because of the multiple “Directory:” matches.
Example Unix Password File Download Web Server Plugin
The plugin below looks for any download from a web server that does not look like HTML traffic but does look like the
contents of a generic Unix password file.
id=0300
dependency=1442
hs_sport=80
track-session=10
realtimeonly
name=Web Subversion - /etc/passwd file obtained
description=A file which looks like a Linux /etc/passwd file was downloaded from a web server.
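The three plugins above share one evaluation model: gate on the high-speed server port, gate on the dependency plugin having already identified the service on that host, then require every match line, with realtimeonly deciding whether a vulnerability is recorded and track-session deciding how many following packets are logged. The script below is an added illustration of that model and is not PVS or Tenable code. It parses the telnet and finger plugin text from this page (the password-file plugin is left out because its match lines are not on this page) and runs them over constructed session payloads. Two points of semantics are assumptions made here, not documented on the page: a repeated identical match line (the three “Directory:” lines) requires that many occurrences in a single server-to-client payload, and track-session=N captures the N packets that follow the one that fired.

```python
"""Minimal PVS-style plugin matcher: an added illustration, not PVS code.
Assumed: a repeated match line needs that many hits in one payload; track-session=N logs the next N packets."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# The telnet and finger plugins from the page (description lines omitted).
TELNET_PLUGIN = """\
id=0400
hs_sport=23
dependency=1903
realtimeonly
name=Failed login attempt
risk=LOW
match=Login incorrect
"""
FINGER_PLUGIN = """\
id=0500
dependency=1277
hs_sport=79
track-session=10
realtimeonly
name=App Subversion - Successful finger query to multiple users
risk=HIGH
match=Directory:
match=Directory:
match=Directory:
"""

@dataclass
class Plugin:
    id: str
    hs_sport: int
    dependency: Optional[str]
    realtimeonly: bool
    track_session: int
    name: str
    risk: str
    matches: List[str] = field(default_factory=list)

@dataclass
class Alert:
    plugin_id: str
    risk: str
    record_vulnerability: bool  # False for realtimeonly plugins
    tracked: List[str]          # packets captured by track-session

def parse_plugin(text: str) -> Plugin:
    """Flat key=value format; bare keywords are flags; 'match=' may repeat."""
    fields: Dict[str, str] = {}
    matches: List[str] = []
    realtimeonly = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "realtimeonly":
            realtimeonly = True
            continue
        key, _, value = line.partition("=")
        if key == "match":
            matches.append(value)
        else:
            fields[key] = value
    return Plugin(fields["id"], int(fields["hs_sport"]), fields.get("dependency"),
                  realtimeonly, int(fields.get("track-session", "0")),
                  fields["name"], fields.get("risk", "NONE"), matches)

def plugin_fires(plugin: Plugin, sport: int, detected: Set[str], payload: str) -> bool:
    """Gate on server port, then on the dependency having fired, then on all match lines."""
    if sport != plugin.hs_sport:
        return False
    if plugin.dependency and plugin.dependency not in detected:
        return False
    needed = {m: plugin.matches.count(m) for m in set(plugin.matches)}  # assumed semantics
    return all(payload.count(m) >= n for m, n in needed.items())

def run_session(plugin: Plugin, sport: int, detected: Set[str],
                packets: List[str]) -> Optional[Alert]:
    """Scan server->client payloads in order; alert on the first hit, keep the next track-session packets."""
    for i, payload in enumerate(packets):
        if plugin_fires(plugin, sport, detected, payload):
            return Alert(plugin.id, plugin.risk, not plugin.realtimeonly,
                         packets[i + 1:i + 1 + plugin.track_session])
    return None

# Constructed sample traffic, not captured data.
TELNET_SESSION = ["login: ", "Password: ", "Login incorrect\r\nlogin: "]
FINGER_ONE_USER = ["Login: alice  Name: Alice\nDirectory: /home/alice  Shell: /bin/sh\n"]
FINGER_ALL_USERS = ["Login: root   Directory: /root\nLogin: alice  Directory: /home/alice\n"
                    "Login: bob    Directory: /home/bob\n", "Login: carol  Directory: /home/carol\n", ""]

def demo() -> Dict[str, Optional[Alert]]:
    telnet, finger = parse_plugin(TELNET_PLUGIN), parse_plugin(FINGER_PLUGIN)
    return {
        "telnet_failed_login": run_session(telnet, 23, {"1903"}, TELNET_SESSION),
        "telnet_no_dependency": run_session(telnet, 23, set(), TELNET_SESSION),
        "finger_one_user": run_session(finger, 79, {"1277"}, FINGER_ONE_USER),
        "finger_enumeration": run_session(finger, 79, {"1277"}, FINGER_ALL_USERS),
    }
```

Running demo() shows the gating in action: the telnet plugin fires on the “Login incorrect” banner only when plugin 1903 has already flagged the host, and because it is realtimeonly the alert carries no recorded vulnerability; a single-user finger reply with one “Directory:” stays silent, while the enumeration reply with three of them fires at HIGH risk and the two following packets are captured for the real-time log.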