Question: Where can I find descriptions of the events generated by the IDS in D-Link firewalls (for example the DFL-200, DFL-700, DFL-1100, etc.)?
Answer:
Because the attack database changes constantly and new signatures are added all the time, maintaining detailed documentation describing each attack is not feasible. To get information on a specific attack, use the search on security sites such as http://www.snort.org
Example:
The following entry appeared in the firewall log:
The following IDS events have occurred:
Count Log message
----- -----------
2 WEB-IIS _vti_inf access
1 WEB-IIS view source via translate header
A search on www.snort.org gives the following result:
GEN:SID | 1:990 |
Message | WEB-FRONTPAGE _vti_inf.html access |
Rule | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_inf.html access"; flow:to_server,established; uricontent:"/_vti_inf.html"; nocase; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:9;) |
Summary | This event is generated when an attempt is made to access a file with '_vti_inf' in the name. |
Impact | Information gathering. This attack can leak the version number and scripting paths of Microsoft FrontPage. |
Detailed Information | Microsoft FrontPage provides software for web designers to generate and administer web pages. The file '_vti_inf.html' contains FrontPage configuration information of version number and scripting paths that is normally used by a FrontPage client to communicate with the server. An attacker can craft a URL to access this file to disclose the version number and scripting paths. |
Affected Systems | ??? |
Attack Scenarios | An attacker can craft a URL to access the '_vti_inf' file to learn the version and scripting paths of FrontPage. |
Ease of Attack | Simple. |
False Positives | None Known. If you think this rule has false positives, please help fill it out. |
False Negatives | None Known. If you think this rule has false negatives, please help fill it out. |
Corrective Action | Apply patches and upgrade to most current version of FrontPage. |
Contributors | Original rule writer unknown Modified by Brian Caswell Sourcefire Research Team Judy Novak |
Additional References | |
Rule References | nessus: 11455 |
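As an added example (not part of this FAQ and not D-Link or Snort code), the lookup described above can be scripted: parse the IDS block the firewall writes to its log, split the Snort rule retrieved for SID 990 into its header and option fields, and tie each firewall event to the SIDs whose message shares its distinctive tokens. The log block and rule text are copied from the page; the function names are this example's own.

```python
import re
# Constructed sample: the IDS block quoted in the FAQ above.
DLINK_IDS_LOG = """The following IDS events have occurred:
Count Log message
----- -----------
2 WEB-IIS _vti_inf access
1 WEB-IIS view source via translate header
"""
# Snort rule for SID 990 as quoted on the page (joined onto one line).
SNORT_RULE_990 = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-FRONTPAGE _vti_inf.html access"; flow:to_server,established; '
    'uricontent:"/_vti_inf.html"; nocase; reference:nessus,11455; '
    'classtype:web-application-activity; sid:990; rev:9;)')

def parse_dlink_ids_events(text):
    """Return [(count, message), ...] from the 'Count  Log message' table."""
    events, in_table = [], False
    for line in text.splitlines():
        if line.startswith("-----"):  # separator row precedes the data rows
            in_table = True
            continue
        m = re.match(r"\s*(\d+)\s+(\S.*?)\s*$", line) if in_table else None
        if m:
            events.append((int(m.group(1)), m.group(2)))
    return events

def parse_snort_rule(rule):
    """Header fields plus an options dict; flag-only options (nocase) map to True."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    options = {}
    for opt in body.rstrip(")").split(";"):
        key, _, val = opt.strip().partition(":")
        if key:  # repeatable options (reference) collect into a list
            options.setdefault(key, []).append(val.strip().strip('"') if val else True)
    return {"action": action, "proto": proto, "src": src, "src_port": sport,
            "direction": arrow, "dst": dst, "dst_port": dport, "options": options}

def matching_sids(event_message, rules):
    """SIDs whose msg contains every event token after the class prefix: the firewall
    says 'WEB-IIS _vti_inf access', Snort says 'WEB-FRONTPAGE _vti_inf.html access'."""
    tokens = [t.lower() for t in event_message.split()[1:]]
    hits = []
    for rule in rules:
        opts = parse_snort_rule(rule)["options"]
        if all(t in opts["msg"][0].lower() for t in tokens):
            hits.append(int(opts["sid"][0]))
    return hits
```

The second event ("view source via translate header") matches no rule in this one-rule list, which is the expected outcome: a second search on snort.org is needed for it.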