
Copyright © 2002-2012 Tenable Network Security, Inc.
related from causing millions of events. For example, the plugins for the Sasser worm only generate one event. Output from plugins with this keyword will show up in the vulnerability report.

If a plugin has this keyword, then the PVS will generate a SYSLOG message or real-time log file entry each time the plugin evaluates successfully. These plugins never show up in the report file.

This keyword will cause the contents of a session to be reported (via SYSLOG or the real-time log file) a specified number of times after the plugin containing this keyword was matched. This is an excellent way to discover what a hacker “did next” or possibly what the contents of a retrieved file were.

Normally, if a plugin has multiple dependencies, then all of those dependencies must be successful for the current plugin to evaluate. However, the “trigger-dependency” keyword allows a plugin to be evaluated as long as at least one of its dependencies is successful.
Example Failed Telnet Login Plugin
The easiest way to learn about PVS real-time plugins is to evaluate some of those included by Tenable. Below is a plugin that detects a failed Telnet login to a FreeBSD server.
# Look for failed logins into a FreeBSD telnet server
id=0400
hs_sport=23
dependency=1903
realtimeonly
name=Failed login attempt
description=PVS detected a failed login attempt to a telnet server
risk=LOW
match=Login incorrect
This plugin has many of the same features as a vulnerability plugin. The ID of the plugin is 0400. The high-speed port is 23. It depends on plugin 1903 (which detects a Telnet service). The “realtimeonly” keyword tells the PVS that if it observes this pattern, it should alert on the activity but not record any vulnerability.
Under the SecurityCenter, events from the PVS are recorded alongside other IDS tools.
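To make the keyword semantics concrete, here is a small added example (not Tenable's code) that parses the plugin above in its key=value form and evaluates it against a constructed session record. It models only the fields shown on this page, treats hs_sport as the server port, and implements the dependency rule with and without “trigger-dependency”; the in-memory session and the set of already-fired plugin IDs are assumptions for illustration.

```python
# Added example (not Tenable's code): a toy evaluator for the PVS
# real-time plugin format shown above; sessions below are constructed.
FAILED_TELNET_LOGIN = """
# Look for failed logins into a FreeBSD telnet server
id=0400
hs_sport=23
dependency=1903
realtimeonly
name=Failed login attempt
description=PVS detected a failed login attempt to a telnet server
risk=LOW
match=Login incorrect
"""

def parse_plugin(text):
    """key=value lines become fields, bare words become flags, '#' is a comment."""
    plugin = {"flags": set(), "dependency": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            plugin["flags"].add(line)          # e.g. realtimeonly
            continue
        key, value = line.split("=", 1)
        if key == "dependency":
            plugin["dependency"].append(value) # a plugin may list several
        else:
            plugin[key] = value
    return plugin

def dependencies_met(plugin, fired):
    """All dependencies must have fired; trigger-dependency relaxes this to any."""
    deps = plugin["dependency"]
    if "trigger-dependency" in plugin["flags"] and deps:
        return any(d in fired for d in deps)
    return all(d in fired for d in deps)

def evaluate(plugin, session, fired):
    """None if no match; else a real-time event (realtimeonly) or a vuln record."""
    if not dependencies_met(plugin, fired):
        return None
    if "hs_sport" in plugin and str(session["sport"]) != plugin["hs_sport"]:
        return None
    if plugin["match"] not in session["data"]:
        return None
    realtime = "realtimeonly" in plugin["flags"]
    return {"id": plugin["id"], "name": plugin["name"],
            "event": realtime, "vulnerability": not realtime}
```

A match with plugin 1903 already fired yields an event record and no vulnerability, which is exactly the “realtimeonly” behaviour described above.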
Example Finger User List Enumeration Plugin
The finger daemon implements an older Internet protocol that allowed system users to query remote servers for information about a user on that box. There have been several security holes in this protocol that allowed attackers to elicit user and system information that could be useful to them.