Đang chuẩn bị liên kết để tải về tài liệu:
Intrusion Detection Utilizing Ethereal phần 2

Kể từ web lưu lượng truy cập có lẽ là quen thuộc với phần lớn người sử dụng Internet, tôi sẽ bắt đầu bằng cách xem lại các tiêu đề HTTP và các lỗ hổng Unicode (Directory Traversal). Tiếp theo, lỗi tràn bộ đệm sẽ được phân tích. Trong chủ đề thứ ba, chúng tôi sẽ xem xét ICMP và HTTP backdoor để hiển thị, một hacker lặng lẽ có thể truy cập vào một hộp trước đó bị tổn hại mà không có sự nghi ngờ của các quản trị viên mạng. . | Areas that are of primary interest to me are the server response fields. ertext Transfer Protocol HTTP 1.1 200 OK r n Date sat 02 Mar 2002 15 42 08 GMT r n server Apache 1.3.12 Unix PHP 4.0.o r n Last-Modified Mon 02 Jul 2001 10 01 00 GMT r n ETag 3b981-19aa4-3b40465c r n Accept-Ranges bytes r n Content-Length 105124 r n Keep-Alive timeout 2o r n Connection Keep-Aljve r n content-Type text html r n r n Data 1169 bytes Figure 12. HTTP Server Response Shown above is a positive server response 200 OK. It gives the date the time the resource was last modified entity tag keep-alive parameters and other server information. Of particular interest to a Hacker would be the server version. The example above shows poor server configuration as it gives away just a little too much information. Isn t there a root exploit for PHP is what the latest script-kiddie is thinking right now. Of course a system administrator could fake some of this information too. One last important item is HTTP authentication. From an Intrusion Detection standpoint it is important to be able to distinguish if someone is attempting to access resources they shouldn t. Also being able to see what passwords they used basic authentication only lets an analyst know if users are following good security practices. Really the best practice would be to use SSL Secure Sockets Layer but I won t cover that in this paper. Since it is normally running on a different port default TCP port 443 and data must be encrypted worms and most script-kiddies probably won t hit your server. However be aware that most hacks that work against HTTP like RDS Unicode and Buffer Overflows can work against sites running SSL. SSL doesn t magically protect your server from attack it just encrypts your data. Since there is already an excellent document on HTTP authentication I wont review it here. The white paper can be found at http www.owasp.org downloads http authentication.txt. Lets move on to a few web exploits. Unicode Directory .