Intrusion detection system FAQ (all)

xiaoxiao2021-03-06  106

Intrusion detection system FAQ (all)

Create time: 2002-08-24

Article attribute: finishing

Article Source:

Www.cnsafe.net

Article submission:

Mayi (Mayi99_at_263.net)

- How do invaders enter the system?

- Why should invaders invade the system?

- How do intruders get passwords?

- Typical intrusion process?

- What are the types of general intrusion?

- What is an exploits?

- What is reconnaisance [Translation: Original, suspected to reconnaissance?]

- What is a refusal service (DOS)?

- How dangerous attack now?

- Where can I find the statistics of the current attack behavior?

Schema

- How does intrusion are detected?

-Nid how to distinguish into inflow data?

- What did NIDS have been detected after being attacked?

- What is similar to NIDS?

- should I install NIDS in the network?

- How to make IDS suitable for other parts of the security architecture?

- How do I detect if I have running IDS?

3. Countermeasures

How to improve intrusion detection and prevention under WinNT?

How to improve intrusion detection and prevention under WIN95 / 98?

- How to improve intrusion detection and prevention under UNIX?

How to improve intrusion detection and prevention under Macintosh?

- How to improve corporate intrusion detection and prevention?

- How to achieve intrusion detection within the company?

- What should I do after being attacked?

- Some people say that they are attacked from me, how should I do?

- How to collect enough to invade people's evidence?

4. Product

- What free software (freeware) or shared software (Shareware) intrusion detection system?

- What are the commercial intrusion detection systems?

- What is the "Network GREP" system?

- What tools do you use to enter my system?

- Do I should care about other intrusion detection systems?

6. Resources

- Where can I find new system vulnerabilities?

- Other resources related to security and intrusion detection?

- What are the worthless sites?

7.IDS and firewall (Firewall)

- Why do I need IDS with firewall?

- With intrusion detection, do you need a firewall?

-IDS where to get information? Is the firewall?

8. Implementation Guide

- should I ask about IDS providers?

- How do I maintain the system based on on-going?

- How do I stop inappropriate web browsing?

- How do I build my own IDS (write code)?

-Nids legal? Since this is an eavesdrophor?

- How to protect the log file is not tamper with evidence?

9.NIDS limitations

- Switching network (inherent limitations)

- Resource limitations

-NIDS attack

- Simple reason

- Complex cause

-tool

10. Miscellaneous

- What standards / interoperability efforts

11. honeypot and fraudulent system

- What is a honeypot?

What are the advantages of honeypot?

What are the disadvantages of honeypots?

- How to set my own honeypot?

What types of honeypots do?

- Building a positive and opposite effect of a system that can be attacked?

- Is there any example of people using honeypots?

What honeypot products do you have?

- What is deception?

1 Introduction

1.1 What is the network intrusion detection system (NIDS)?

Intrusion refers to some people (called 'hacker', 'hacker') attempt to enter or abuse your system. Word

The range of 'Abuse' is very broad, can include severe stealing confidential data to some of the second

Things, such as abuse your email system spam (although many people in us,

This is the main).

The intrusion detection system (IDS) is used to detect these intrusion systems. According to this FAQ, IDS

Can have the following categories:

Network Intrusion Detection System (NIDS) Monitoring the data package of the network cable and trying to have a hacker / hacker attempt

Enter the system (or reject the service attack DOS). A typical example is a system observation

To a large number of TCP connection requests (SYN) of many different ports of a target host, find that someone

The port scan of TCP is being performed. A NIDS can run on the target host to observe his own

Traffic (usually integrated in the protocol stack or service itself), can also be operated on the independent host

Network traffic (hub, router, detector [probe]). Note that a "network" IDS monitors many hosts, but other other monitors a host (they installed).

System Complete Inspection (SIV) Monitoring System File Attempts to find if there is invasive to change the file (possibly

Leave a back door). This is the most famous of this system is TripWire. A SIV should also be able to monitor other

Components, such as Windows registry and Chron configuration, the purpose is to discover signs of well-known names.

He should also detect a general user who caught Root / Administrator level permissions.

More products in this area should be considered tools rather than a system: such as TripWire

Similar tools detect changes to critical system components, but cannot produce real-time alarms.

Log File Monitor (LFM) Monitoring the log file generated by the network device. Similar to NIDS, these

The system is proposed to have a suggestion for intruder attacks by matching the pattern of log files. a typical

The example is to analyze the HTTP log file to find that the invader tries some well-known vulnerabilities (such as PHF attack)

Example has swatch.

Successful system (including Decoys, Lures, Fly-Traps, Honeypots) also have some pseudo-service,

It is to simulate some well-known caves to embrace hackers. See example in the palm clan toolkit:

http://www.all.net/dtk/. You can also simply rename the NT system administrator

Account, and then create a wide audit for a unsolvened prominent account. About this document

More descriptions of the deception system. See also see

http://www.enteract.com/~lspitz/honeypot.html

other

See: For more information:

http://www.icsa.net/idswhite/.

1.2 Who is abused (MISUSING) system?

There are two words to describe attackers: hackers and hackers. Hacker is a general term: I like to enter things.

People. Beneficial hackers are those who like to enter him / her own computer.

Malicious hackers are those who like to enter others. Beneficial hacker hopes that the media can stop

All hacking criticisms use hackers to do alternatives. Unfortunately, this idea is not accepted.

In any case, the words used in this FAQ are 'intruder', which generally said those who want to enter it.

People in others.

Invasants can be divided into two categories:

External: Invasive in your network, or may attack your externally (messy web

Server, spam through the E-mail server). External invasants may come from

Internet, dial line, physical intervention, or partner network connected to your network (seller,

Customers, middlemen, etc.).

Internal: legal uses your interconnect network invasive network. People including abuse of power (such as society

Safety employees because someone does not like someone to die) and mimic changes to people (such as use

Others' terminals). A commonly cited statistics are 80% of security issues related to internal people.

There are several types of invasive people: 'Happy Riders (Joy Riders) is black;' cultural destroyer '

(VANDALS) is intended to destroy or change the web page; profiters are intended, such as control

The system is lying or stealing data.

1.3 How do the intruder enters the system?

The main way for intruders enter the system:

Physical invasion: If an invasator has physical entry permissions to the host. (Such as they can use keyboard

Or participate in the system), you should enter. Method includes console privileges until the physical participation system

And remove the disk (in additional machine read / write). Even BIOS protection is also easy to pass: facts

All BIOS has a back door password.

System invasion: This type of invasion is a more authority in the system user. Belong

Do not hit the latest vulnerability patch, will provide an invasant to obtain a well-known vulnerability

An opportunity for administrator privileges.

Remote intrusion: This type of intrusion refers to the system from the system through the network. Invasants from no privilege

This invasive manner includes a variety of forms. For example, if there is a firewall between his / her and the victim host

The invasive is much more complicated.

It should be noted that the network invasion detection system mainly cares about remote intrusion.

1.4 Why can the invaders invade the system? The software always exists. System administrators and developers can never find and solve all possible

Vulnerability. Invasive, as long as you find a vulnerability, you can invade the system.

1.4.1 software bug

Software bug exists in server background, client, operating system, network

Agreement stack. The software bug can be divided into the following:

Buffer overflow: Almost all security vulnerabilities we read are attributed to this. a typical

An example is a developer set a 256-character long buffer to store username.

Developers think about that no one is longer than this. But hacker thinks if I

What happens when entering a wrong user name? Where will the attached character go?

If hackers happen to be correct, they send 300 characters, including executable by the server.

Code, and they enter the system. The hackers found these bugs through several ways.

First, many service source code is open on the network. Hackers often read these code

Looking for a program with a buffer overflow problem. Second, hackers can read the program itself to see if

There is a problem, although it is really difficult to read the code code output. Third, the hackers will check the program

All inputs and attempt to overflow with random data. If the program crashes, it will exist.

Let hackers construct input and allow opportunities to enter. Should pay attention to this problem in C / C

The prepared program is generally existed, but rarely appears in the Java program.

Accidental combination: The program is usually combined into a lot of layer code, including potential as the bottom

Operating system layer. Invasive people can often send some inputs for a layer of meaning, but

Other layers are meaningful. The most commonly controlled user input in the web is Perl. Perl written

The program often sends these inputs to other programs to further process. A common

Hacker technology is to enter strings "| mail

It is because the operating system starts an additional program for this input. However, the operating system explains

Pipes "|" and launch the "Mail" program according to the semantic, the result is sent to the password file.

Invasive.

Unprocessed input: Many programs are written into a valid input, and many programmers don't know

When some people's input does not meet the consequences of specifications.

Competition (RACE): Many systems now are multitasking / multi-threaded. This means him

We can run multiple programs at the same time. If two programs accesses the same data at the same time,

Danger. Imagine two programs of A and B, you need to modify the same file. For modification, each

The program reads the file into the memory, change the content in the memory, and then copy the memory to the file.

When the program A reads the file into memory and modifies, it produces a competitive condition.

Program B performs and obtains read and write permissions before the A write file. Now program A copies memory to

Document. Because the program A starts before B modification, all B modifications are lost. Because you have to

Get the correct execution order, so competition conditions are very rare. Invasants often have to

Try thousands of times, then get permissions, enter the system.

1.4.2 System configuration

System configuration bug can be divided into the following categories:

Default configuration: Many default easy-to-use configurations employed when the system is delivered to customers. unfortunately

Yes, "easy to use" means "easy to invade". Almost all delivered to your UNIX and Winnt

The system can be easily attacked.

Lazy System Administrator: Amazing digital host is configured to have no system administrator password.

This is because the system administrator is too lazy to lazy to configure one immediately, they just

I hope that the system can start running as soon as possible. Unfortunately, they never return to set up one.

Let the invasant come in easily. The easiest thing that invasive is to first scan all machines

Look for a host without a password.

Generated Vulnerabilities: In fact, all programs may be configured as a non-secure mode. some

When the system administrator will open a vulnerability on the host. Many system administrators

The manual is recommended that the system administrator turns off all the programs and services that are absolutely necessary to avoid accidents.

Vulnerability. It should be noted that security audit packs can usually find these vulnerabilities and remind system administrators' trust in trust: invaders often use the "Island jumping" method to use trust relationship attack network. One

The network trusted each other is as safe as they are the most vulnerable link.

1.4.3 password decryption

This is a special part.

True fragile password: Many people use their own name, the name of the child, the name of the spouse

Word, pet name, or model of the train is password. Some users use "password"

Or simply don't have anything. This gives the invasive who can typing themselves with 30

Possible list.

Dictionary Attack: After the above attack fails, invasants began trying to "Dictionary Attack". This method,

The invasive uses the program to try each possibility of the word in the dictionary. Dictionary attacks can be used to repeat

Landing or collecting encrypted passwords and attempts to match words in the encrypted dictionary. Invade

People usually use a dictionary in an English dictionary or other languages. They also use additional class dictionaries

Database, such as names and common passwords.

Brute Force Attacks: Similar to Dictionary attacks, invasive may try

All characters combination. A 4 password consisting of lowercase letters can be within a few minutes

Crack. (About 500,000 possible combinations) a long written letter composition

The password, including numbers and punctuation (100 trillion possible combinations) can be cracked within one month.

If you can try 1 million combinations per second. (In fact, a single machine can count thousands per second

Time. )

1.4.4 Monitor insecure communication

Shared Media: In the traditional Ethernet, you can see the Sniffer on the line.

All communication of a network segment. Now this method is sleepy because more companies use Exchange Ethernet.

difficult.

Server monitors: however, in an exchanged network, if you can be in one server (special

Don't do router) Installing a Sniffer program, you can use the information obtained.

Attack customer host and trust host. For example, you may not know the password of a user, pass

Monitor the Telnet session when he logged in, you can get his password.

Remote monitor: A large number of hosts can RMON, with a public community string. When the bandwidth is very low

At the time (you can't listen to all communications), you will show interesting possibilities.

1.4.5 Disadvantages

Even when a software is fully implemented, it is still because of design

BUG brought a invaded.

TCP / IP protocol Disadvantages: TCP / IP protocol is designed before we have many black experience. result

There are many design shortcomings that may cause security issues. Some examples such as Smurf attacks, ICMP

Unreparable link, ip kid, and syn floods. The biggest problem is that the IP protocol is very

Trust: hacking free forged and changing IP data. IPsec is designed to solve many

Disadvantages, but there is no extensive application.

Unix Design Disadvantages: There are many UNIX inherent shortcomings that make the UNIX system frequently invaded.

The main problem is the authority control system, only "root" is the system administrator privilege. result:

1.5 How do you get a password?

The invader uses the following method to obtain a password:

Bettereon listens: Some agreements (Telnet, FTP, basic http) use clear textwords, meaning

They are not encrypted during the customer / server transmission. Intrusioners can use an agreement

Analyzer observes such passwords on the cable. Don't need more efforts; invaders can use

These passwords are logged in.

Ciphertext monitor: Many protocols use encrypted passwords. In this case, the intruder needs to be executed.

Dictionary or powerful attack password to try to decrypt. It should be noted that you can't find the existence of intruders.

Because he / she is completely passive and does not deliver anything to the cable. Password crack in invader

When you use your own machine to authenticate, you must not send people and things to the cable.

Replay Attack: Many cases, intruders do not have to decode password. They can use encryption

The format is replaced by the landing system. This usually needs to re-encode client software to use encrypted passwords.

Password files: All user databases are typically stored on a single file on the disk. This file under UNIX is / etc / passwd (or other mirror of this file), Winnt, is a SAM file

Each method, once the invader gets this file, he / she can run the decryption program (as above

This is described to discover some fragile passwords in the file.

Observe: A traditional password security issue is that the password must be long and difficult to guess (make the dictionary and strong attack

The difficulty of hitting unreasonable). However, such a password is often difficult to remember, so the user is written in a certain manner.

Down. Intruders can often search for a personal desk to find a password written on a small note (general

Under the keyboard). Intruders can also trained their own way of viewing the password back.

Communicative Engineering: A ordinary (and successful) skill is a simple call to users and say "Hi,

I am a Bob of the MIS group, we are tracking some questions on the network and appear in your machine.

What password do you use? "Many users will give up their password in this case. (Many public

The division policy allows users to give their passwords, even their own MIS departments, but

This trick is still successful. A simple solution is the MIS group to call 6 months of employees

Ask them a password, then criticize their mistakes, so they will not forget :-)

1.6 Typical intrusion process?

A typical intrusion process may be as follows:

Step 1. External investigation -

Intrusioners will find as much as possible, do not directly give them information.

They often use public information or camouflage as normal users.

In this way, the invaders will make you really feel. Such as your

The network is registered with your Domain Name (for example, foobar.com), the invader can

Use the 'WHOIS' this check table (Lookup) to try to find your network information.

Intruders may via your DNS table (using 'nslookup', 'Dig', or

Other tool programs are used as Domain's conversion) to find the name of your machine.

Intruders will browse other public information, such as your public site and

Anonymous FTP site. Intruders may look for your company's

News files and newspapers in newspapers.

Step 2. Internal investigation -

Intruders use more aggressive technologies to scan information, but will not destroy

Anything. They will find CGI Scripts by you all of your pages (CGI)

Scripts is often easily invaded). They may be in order to try the host

Use 'ping'. They may use udp / tcp scan / strob (scanning)

Find the availability of the target host. They may execute one

Toolproof like 'RPCINFO', 'ShowMount', 'SNMPWalk', etc.

To find information available. About this, intruders only make "normal"

Online behavior, and no movement that is classified as intrusion.

In response to this, NIDS will tell you "Someone is checking your door grip", but no one

I really tried to open the door.

Step 3. Invasion -

The invaders violated the rules and began to make possible vulnerabilities for the target host.

The invader tried to pass a shell command in one input material, so

Endangering CGI script. Intrusioners trying to pass a lot of information,

A known buffer-overrun vulnerability. Intruder starts checking

There is a simple guess (or even) password account. A hacker, will

Several phases of invasion. For example, if hackers get a user's account,

He will try to make a further intrusion to get root / admin.

Step 4. Based on -

At this stage, intruders have been infected by the machine, successfully in your network.

The main purpose of intruders is to hide invasive evidence (Audit TRAIL and LOG)

And confirm that he can invade again. They may install 'Toolkits' that allows them to perform.

Use them to replace the original service with a backdoor password.

Or create a user account. System Integrityverifiers (SIVS) can notice the changes of files to use these means

Make a test. Since most of the network is difficult to defend against the internal infringement, the invaders will use

This machine is used as the hopping island of other machines.

Step 5. Interests -

Intruders use their advantages to steal confidential information, abuse system resources (stage sex by other machines)

Invading your machine) or destroy your webpage.

Other plots may be different. Whether it is invading a specific site or randomly

Scan specific vulnerabilities in the network world. For example, intruders may try to scan

Sendmail Debug Vulnerability The entire network of the machine. They can easily invade the robots with vulnerabilities.

They will not directly target you, don't even know who you are. (Just like 'birthdayattack ",

List known system vulnerabilities and IP positions, find a machine with a vulnerability by luck)

1.7 What are the general intrusion types?

There are three ways of attack:

Scout - including ping scan, DNS ZONE conversion, E-mail reconnaissance,

TCP or UDP Port (Port) Scan (SCAN), servo with public webpage

Possible indexing to discover CGI vulnerabilities.

Vulnerabilities - intruders will use a hidden feature or defect (BUGS) to access the system.

Denial-of-Service (DOS) attack - invader tries

Destroy the service (or machine), make the network link overload, CPU overload, fill the hard disk.

Intruders don't want to get information, but only if destroyed

Behavior without letting you use the machine.

1.8 What are the common vulnerabilities?

1.8.1 CGI Scripts (Scripts)

The CGI program is unsafe. Typical security vulnerability

Including special fl cells via shell (Metacharacters)

Utilization, directly transfer the metamorphic input in the command shell.

Use hidden variables, specify file names in the system (filename)

Or reveal the penetration of more systems. The most well-known CGI flaw is

Loaded in the 'PHF' database (library) of NCSA HTTPTD.

'pHf'Library assumes to allow servo parsed HTML,

Causes the vulnerability of any file. Other intruders tried to use

Well-known CGI script vulnerabilities are: TextCounter, Guestbook, EWS,

Info2www, count.cgi, handler, webdist.cgi,

PHP.CGI, FILES.PL, NPH-TEST-CGI, NPH-PUBLISH,

Anyform, Formmail. If you find someone trying to access the above

CGI script (but you didn't use them), this clearly shows one

Intrusion intent (assuming you didn't put the CGI script you want to use

Install with that defect version).

1.8.2 WEB Server (Server) attack

After the CGI program is executed, the web server may have other vulnerabilities.

Very large Self-Written web server (including IIS 1.0 and NetWare2.x)

Will be named in a file

Among them, you can write a series of "../" in the path (PATH) name,

Thus, you jump to other places of the system file to get any files.

Other general vulnerabilities are in the request (Field),

Or the buffer overflow of other HTTP data.

Web server often because of Operating System with its underlying

There is an interactive relationship, and a loophole. In Microsoft IIS

There is an old vulnerability to be used, and there are two file names due to the file -

A long-term name and a short corresponding 8.3 form name, sometimes

Get access. NTFS (The New File System) bypass the allowed mechanism

There is a featured name - "Alternate Data streams" is similar to

Macintosh system data with resources forks. You can pass stream

When Name, add ":: $ data" (this is to see his script instead of doing what)

To access his files.

The server has a problem for a long time because of URLs. For example,

"Death By A Thousand Slashes" problem, causing Apache to produce a lot of

CPU load, because it tries to handle each directory in thousands of "/" URL.

1.8.3 Web browser attack

Microsoft and Netscape's web browsers have security vulnerabilities (of course, though

In the latest version, we haven't found it yet), including URL, HTTP, HTML,

JavaScript, Frames, Java, attack with ActiveX.

The URL data segment will have a buffer spill, when it is http header (header)

When you are already asked, it is displayed on the screen or in some form (such as

Stored by Cache History). Moreover, with ancient Internet

Explorer vulnerability is accompanied by the browser, when performing the LNK or URL command

Vulnerabilities that can affect internal.

HTTP headers may generate a vulnerability because of the functions transmitted to only a particular value

HTML often has a vulnerability, such as MIME-TYPE buffer overlying

Netscape Communicator's command.

JavaScript has been very popular for a long time, and often tries to pass through

Generate a file name and automatically hide "Submit" Button

To violate the "File Upload" card. There are many different this

The vulnerability is corrected, but there will be new discovery methods to bypass the correction.

Frames is often a part of JavaScript, or Java Hack

To use the screen via a pixel size, hide the web page)

But they present a special problem. If I can contain a link to

A trusted user Frames site, then use my own station

Point web page replacement part of the frames, so they will

One of the remote sites appear in front of you.

Java

There is a sound security model (Model), but it has confirmed that model has

Special vulnerability (although compared to anything else, it is confirmed to be the entire system

One of the most secure components). Furthermore, its sound security, perhaps

Its undoing: Normal Java Applets cannot access local

(Local) System, but sometimes, if they can really access the local system,

They will be more useful. So, "Trust" model is completed, it is easier to invade.

ActiveX is even more dangerous than Java, when it is a trust model

Pure operation

And implement the original (NATIVE) program code. You will even accidentally

Infected to virus (Virus) (accident in the manufacturer's program code)

Imbeded).

1.8.4 SMTP (Sendmail) attack

Sendmail is an extremely complex and widely used procedure,

It is a source of security vulnerabilities. In the past (the period of '88 Morris Worm),

Hackers will use the vulnerability of the debug command or hide the feature of Wiz,

To break into SMTP. Recently, they often try to use buffer segments.

SMTP is also used to attack reconnaissance, such as using

The vrfy command finds the username.

1.8.5 Access

Failed Login attempted, failed files, Password

CRACKING,

The abuse of managers power.

1.8.6 IMAP

The user receives Email from the server via the IMAP protocol (under comparison, SMTP is between

Transfer E-mail between servers). Hack

Vulnerabilities have been found in some popular IMAP servers.

1.8.7 IP Spoofing

Some types of attacks use technology to fake (or 'spoof') your IP address.

An original address is accompanied by each IP package (Packet) is transmitted,

In fact it can not be used for routing. This means that when

When talking (talkin), an intruder can be loaded into you. Intruder

Will not receive a response package (although your machine is seen,

But discard them because they do not meet any of your previous

Request). The intruder does not obtain data via this manner.

Instead, it is still equipped with you, transfer commands to the server. IP spoof often uses part of the other attacks:

Smurf

Broadcasting ways in a forged source address, resulting in a large number of machines

Respond, via the address, replying to the victim, making it (or its link) load.

TCP serial number

At the beginning of the TCP connection, you must choose a serial number at this end, and

The server must also choose a serial number. Older TCP

Stack Choose a predictable contuite to make intruders by a forged

IP addresses (they should not see answering packages) must bypass the safety mechanism.

DNS is poisoned by presenced serial number

The DNS server will "recursively" to parse the DNS name.

Therefore, when it meets a user-end request (Request), it itself

Become a customer who is recursive next

It is predictable.

Therefore, an intruder can transfer a request to the DNS server and

Transfer a response to the server to camouflage into a link

Next server. It will believe in camouflage and use it

Meet other users.

1.8.8 buffer severity

Some other buffer spill attacks are:

DNS seating.

Excessive DNS name, transferred to the server. DNS name is limited

Subcomponent is 64-Bytes and is generally 256-bytes.

Statd sewage

When submitted too long file name.

1.8.9 DNS attack

DNS is a primary goal. Because if you can violate (CORRUPT)

DNS server, you can use trust relationship.

DNS buffer poisoning

Each DNS package, including a "question" section

With the "Answer" section. Defective server will

I believe (and cache) an answer when sending a problem

Most, but not

All DNS servers have been patch (PATCHED) in 1998.

DNS Poisoning Through sequence prediction

Above

DNS spill

Above

1.10 What is a refusal service? (DOS)?

1.10.1 ping-of-death

Pass one start at the end of the package (packet), but

An invalid fragment (Fragment) extends to the end of the package.

1.10.2 SYN flood (FLOOD)

TCP SYN package quickly quickly (Connection) is turned on)

, Let the victim are waiting to complete a large number of connections, causing him

The depletion of the source and the legal connection. A new

Preventive measures - "Syn cookies". Each end

His own order (sequence-number). For a SYN reaction,

The attacked machine produces a special order (a linkable "cookie")

Then forget everything about the connection. Then when a legal connection is coming

When it can create omissions about the connection.

1.10.3 land / latierra

Transfer and source / destination address / 号

Forgery SYN package, the victim system tries to complete the TCP connection

Infinite loop.

1.10.4 WinNuke

Transfer OOB / URG data when TCP connection

On the NETBIOS Session / SMB,

Resulting in a Windows system (crash) HANG.

Collection: Mayi

Www.cnsafe.net

转载请注明原文地址:https://www.9cbs.com/read-124678.html

New Post(0)