Red Hat NETWORK 3.6 - User Manual Page 48

Copyright © 2002-2012 Tenable Network Security, Inc.
match=for HR data regarding Jane Mcintyre
The two example plugins above (IDs 9005 and 9006) would detect files leaving the network
via email. Most corporations have a list of ports that are allowed outbound access. SMTP is
typically one of these ports. Other ports may include FTP, Messenger client ports (e.g., AIM,
Yahoo and ICQ), or Peer2Peer (e.g., GNUTELLA and bittorrent). Depending on your specific
network policy, you may wish to clone plugins 9005 and 9006 to detect these strings on
other outbound protocols.
PASSIVE VULNERABILITY SCANNER OPERATING SYSTEM FINGERPRINTS
PASSIVE OPERATING SYSTEM FINGERPRINTING
The PVS has the ability to identify the likely operating system of a host by looking at the
packets it generates. Specific combinations of TCP packet entries, such as the window size
and initial time-to-live (TTL) values, allow the PVS to predict the operating system
generating the traffic.
These unique TCP values are present when a server makes or responds to a TCP request. All
TCP traffic is initiated with a “SYN” packet. If the server accepts the connection, it will send
a response that is known as a “SYN-ACK” packet. If the server cannot or will not
communicate, it will send a reset (RST) packet. When a server sends a “SYN” packet, the
PVS will apply the list of operating system fingerprints and attempt to determine the type of
the operating system.
Tenable Network Security has received permission to re-distribute the passive operating
system fingerprints from the author of the SinFP open source project, which is available at:
http://www.gomor.org/sinfp
UNDERSTANDING THE FINGERPRINT LANGUAGE
The fingerprint language specifies a variety of settings within the TCP and IP header of a
SYN-ACK packet. Below is a plugin for a Linux 2.2.20 server:
S20:64:1:60:M*,S,T,N,W0:.:Linux:2.2.20 and newer
The format of an operating system fingerprint is as follows:
wwww:ttt:D:ss:OOO...:QQ:OS:Details
From left to right, the plugin specifies the initial window size of the TCP communication, the
initial time-to-live value in the IP header, the value of the “don’t fragment” bit, the size of
the SYN packet and a variety of unique TCP options, “quirks” and an operating system
description. The description of the operating system includes both genre and type. For
example, you may have a system that identified a host as “Windows” and of the “95” genre.
TCP options and “quirks” can also be specified in the plugin. These are uniquely present in
certain operating systems and can be used to accurately identify the operating system
passively.
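As an added illustration of the fingerprint format described above (example code, not the PVS guide's or SinFP's own), the following parses a wwww:ttt:D:ss:OOO...:QQ:OS:Details line and matches it against a constructed summary of an observed SYN-ACK. The "S<n>" (n x MSS) window notation, the option letters and the TTL hop tolerance are assumptions taken from the p0f/SinFP convention; the guide itself only gives the field order.

```python
# Added example, not the PVS guide's or SinFP's code: parse a fingerprint in
# the wwww:ttt:D:ss:OOO...:QQ:OS:Details format and match it to an observed
# SYN-ACK. The "S<n>" (n x MSS) window notation, option letters and TTL hop
# tolerance are assumptions from the p0f/SinFP convention, not from the guide.
from dataclasses import dataclass

LINUX_FP = "S20:64:1:60:M*,S,T,N,W0:.:Linux:2.2.20 and newer"  # from the guide
# Constructed SYN-ACK summary: MSS 1460, window 20 x MSS, TTL 64 after 6 hops.
SAMPLE_SYNACK = {"window": 29200, "mss": 1460, "ttl": 58, "df": 1, "size": 60,
                 "options": ["M1460", "S", "T", "N", "W0"], "quirks": "."}

@dataclass
class Fingerprint:
    window: str    # "S20" = 20 x MSS, "*" = any, or a literal window size
    ttl: int       # initial IP TTL
    df: int        # don't-fragment bit
    size: int      # SYN-ACK packet size
    options: list  # TCP option tokens in wire order; "M*" = MSS of any value
    quirks: str    # "." means no quirks
    genre: str
    details: str
def parse_fingerprint(line: str) -> Fingerprint:
    fields = line.strip().split(":", 7)  # Details may keep further colons
    if len(fields) != 8:
        raise ValueError(f"expected 8 colon-separated fields: {line!r}")
    w, ttl, df, size, opts, quirks, genre, details = fields
    return Fingerprint(w, int(ttl), int(df), int(size),
                       opts.split(",") if opts else [], quirks, genre, details)
def window_matches(spec: str, window: int, mss: int) -> bool:
    if spec == "*":
        return True
    if spec.startswith("S"):  # window is a multiple of the advertised MSS
        return window == int(spec[1:]) * mss
    return window == int(spec)
def matches(fp: Fingerprint, pkt: dict) -> bool:
    # The observed TTL is the initial TTL minus the hop count; allow < 32 hops.
    if not 0 <= fp.ttl - pkt["ttl"] < 32:
        return False
    if (fp.df, fp.size, fp.quirks) != (pkt["df"], pkt["size"], pkt["quirks"]):
        return False
    if not window_matches(fp.window, pkt["window"], pkt["mss"]):
        return False
    if len(fp.options) != len(pkt["options"]):
        return False
    return all(o == s or (s.endswith("*") and o.startswith(s[:-1]))
               for s, o in zip(fp.options, pkt["options"]))
def guess_os(fingerprint_lines: list, pkt: dict) -> list:
    """Return 'genre details' for every fingerprint that matches pkt."""
    return [f"{fp.genre} {fp.details}"
            for fp in map(parse_fingerprint, fingerprint_lines) if matches(fp, pkt)]
```

Running guess_os([LINUX_FP], SAMPLE_SYNACK) identifies the host as "Linux 2.2.20 and newer"; clearing the DF bit or observing a TTL above 64 yields no match.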