Question: Where can I find descriptions of the events generated by the IDS in D-Link firewalls (for example DFL-200, DFL-700, DFL-1100, etc.)?
Answer:
Because the attack database changes constantly and new signatures are added all the time, maintaining detailed documentation describing each attack is not feasible. To get information about a specific attack, use the search on security-focused sites, for example http://www.snort.org
Example:
The following entry appeared in the firewall log:
The following IDS events have occurred:
Count Log message
----- -----------
2 WEB-IIS _vti_inf access
1 WEB-IIS view source via translate header
A search on www.snort.org returns the following:
| Field | Value |
| --- | --- |
| GEN:SID | 1:990 |
| Message | WEB-FRONTPAGE _vti_inf.html access |
| Rule | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_inf.html access"; flow:to_server,established; uricontent:"/_vti_inf.html"; nocase; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:9;) |
| Summary | This event is generated when an attempt is made to access a file with '_vti_inf' in the name. |
| Impact | Information gathering. This attack can leak the version number and scripting paths of Microsoft FrontPage. |
| Detailed Information | Microsoft FrontPage provides software for web designers to generate and administer web pages. The file '_vti_inf.html' contains FrontPage configuration information (version number and scripting paths) that is normally used by a FrontPage client to communicate with the server. An attacker can craft a URL to access this file to disclose the version number and scripting paths. |
| Affected Systems | ??? |
| Attack Scenarios | An attacker can craft a URL to access the '_vti_inf' file to learn the version and scripting paths of FrontPage. |
| Ease of Attack | Simple. |
| False Positives | None Known. If you think this rule has false positives, please help fill it out. |
| False Negatives | None Known. If you think this rule has false negatives, please help fill it out. |
| Corrective Action | Apply patches and upgrade to the most current version of FrontPage. |
| Contributors | Original rule writer unknown; modified by Brian Caswell, Sourcefire Research Team, Judy Novak |
| Additional References | |
| Rule References | nessus: 11455 |
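To make the lookup above concrete, here is an added example (not part of the D-Link answer or of Snort) that parses the quoted log table into (count, message) pairs, splits the quoted SID 990 rule into its header and options, and shows which request URIs the `uricontent`/`nocase` options actually match. The log text and request lines are constructed; only the URI matching is modelled, the `$HTTP_SERVERS`/`$HTTP_PORTS` variables and TCP state are not.

```python
import re

# Constructed copy of the D-Link log excerpt quoted above.
DLINK_LOG = """The following IDS events have occurred:
Count Log message
----- -----------
2 WEB-IIS _vti_inf access
1 WEB-IIS view source via translate header
"""

# Snort rule SID 990 exactly as quoted on the page.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-FRONTPAGE _vti_inf.html access"; flow:to_server,established; '
        'uricontent:"/_vti_inf.html"; nocase; reference:nessus,11455; '
        'classtype:web-application-activity; sid:990; rev:9;)')

def parse_dlink_ids_log(text):
    """Return [(count, message), ...] from the 'Count Log message' table."""
    rows = (re.match(r"^\s*(\d+)\s+(\S.*?)\s*$", ln) for ln in text.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in rows if m]  # header rows skipped

def parse_snort_rule(rule):
    """Split a Snort rule into its header fields and an ordered option list."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    options = []
    for item in body.rstrip(")").split(";"):
        item = item.strip()
        if item:  # 'nocase' has no value; msg/uricontent values are quoted
            key, _, value = item.partition(":")
            options.append((key, value.strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def rule_fires(rule, request_line):
    """Apply the rule's uricontent/nocase options to one HTTP request line."""
    # flow:to_server is approximated by accepting only client request lines.
    opts = parse_snort_rule(rule)["options"]
    m = re.match(r"^[A-Z]+\s+(\S+)\s+HTTP/\d\.\d$", request_line)
    if not m:
        return False
    uri = m.group(1)
    nocase = ("nocase", "") in opts
    for key, value in opts:
        if key == "uricontent":
            hay, needle = (uri.lower(), value.lower()) if nocase else (uri, value)
            if needle not in hay:
                return False
    return True
```

The firewall's message text ("WEB-IIS _vti_inf access") is not identical to the Snort `msg` ("WEB-FRONTPAGE _vti_inf.html access"), so the parsed rule's `uricontent` value is the most reliable key when searching snort.org.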