Source file: "sans giac level two ; intrusion detection in depth - whitehats.ca"
SANS GIAC Level Two – Intrusion Detection In Depth
GCIA Practical Assignment – SANS 2001 Baltimore
Practical Assignment Version 2.9 – May 22, 2001
Jeffrey A. Holland, GCIA/GCIH/GSEC

Table of Contents
INTRODUCTION 3
ASSIGNMENT 1 – NETWORK DETECTS 3
ASSIGNMENT 2 – DESCRIBE THE STATE OF INTRUSION DETECTION 36
ASSIGNMENT 3 – “ANALYZE THIS” SCENARIO 51
REFERENCES 101
APPENDIX A 102
APPENDIX B 105

INTRODUCTION

Network Topology and Hardware Specifics:
The following image depicts the topology of the network used to capture the detects in Assignment 1. The laptop running Snort version 1.7 was started in NIDS mode using the snort.org ruleset dated 4/4/01, the vision.conf rules located at http://www.whitehats.com/ids/vision.conf.gz, and custom rules written for my network based on the prior attacks my network had received. SnortSnarf version v052101.1 was used to analyze the alerts that Snort reported. The Sun Ultra 60 running Snort version 1.7 was configured with a 6 GB /var partition and started with the following command: ./snort -dve -l /var/log/snort (-d dumps application-layer data, -v is verbose, -e prints link-layer headers, and -l sets the log directory). The box had a 400 MHz processor and 384 MB RAM, and handled the full T1 traffic without any apparent packet loss. Any interesting alerts from the laptop running Snort or from the firewall logs were correlated against the data on the Ultra 60 running Snort in sniffer mode. All Snort packet traces were taken from the Ultra 60 for inclusion in the practical. While the ISS IDS sensor logs were not included in this practical, the alerts were correlated against what Snort detected. In all cases, the information logged by RealSecure was less detailed than Snort's, so only the Snort IDS logs were included in the practical. Gauntlet firewall logs, when available, were included as well. The switch outside the firewall port-mirrors all traffic to and from the internal network to the switch ports that the IDS sensors are plugged into.

Gauntlet Firewall Log Messages:
Gauntlet firewall log messages are defined as follows according to NAI/PGP (http://www.pgp.com/support/technical-support/faq.asp?pCode=GNTUX):
• The “no match in local screen” message occurs when someone on the outside network points directly to an inside interface of the firewall.
• The “on unserved port” message occurs when someone tries to access the firewall on a port that the firewall is not allowing connections on.
• The “packet denied
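The introduction above describes correlating Snort alerts against the Gauntlet firewall logs, and the list describes the Gauntlet message phrases. The script below is an added example of that correlation step, not code from the practical or from Snort or Gauntlet: it parses one-line Snort alerts (the "fast" alert layout, assumed here), parses syslog-style firewall lines whose layout around the quoted phrases is an assumption (the page does not show the real Gauntlet format), and joins the two on source, destination and a time window. All sample lines are constructed; the year is assumed to be 2001 because neither log format carries one.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not real captures). The Snort lines use the one-line
# "fast" alert layout: MM/DD-HH:MM:SS.usec  [**] msg [**] src[:port] -> dst[:port].
SNORT_ALERTS = """\
04/04-02:15:07.113042  [**] IDS198/SYN FIN Scan [**] 203.0.113.45:53 -> 192.0.2.10:53
04/04-02:15:09.880211  [**] IDS198/SYN FIN Scan [**] 203.0.113.45:53 -> 192.0.2.11:53
04/04-03:40:21.001122  [**] ICMP Echo Request [**] 198.51.100.7 -> 192.0.2.1
"""

# Constructed, hypothetical syslog-style firewall lines. Only the quoted message
# phrases come from the page; the fields around them are an assumption.
GAUNTLET_LOG = """\
Apr  4 02:15:08 fw securityalert: no match in local screen proto=6 src=203.0.113.45 dst=192.0.2.10
Apr  4 02:15:10 fw securityalert: on unserved port proto=6 src=203.0.113.45 dst=192.0.2.11 port=53
Apr  4 09:12:44 fw securityalert: on unserved port proto=6 src=198.51.100.7 dst=192.0.2.1 port=23
"""

CAPTURE_YEAR = 2001  # assumed: neither format records the year

SNORT_RE = re.compile(
    r"^(?P<md>\d{2}/\d{2})-(?P<hms>\d{2}:\d{2}:\d{2})\.(?P<usec>\d+)\s+"
    r"\[\*\*\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$"
)

GAUNTLET_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+(?P<hms>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+securityalert:\s+(?P<msg>.+?)\s+proto=(?P<proto>\d+)\s+"
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+)\s+dst=(?P<dst>\d+\.\d+\.\d+\.\d+)"
)


def parse_snort(text, year=CAPTURE_YEAR):
    """Return one dict per alert line; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SNORT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m['md']} {m['hms']}", "%Y/%m/%d %H:%M:%S")
        ts += timedelta(microseconds=int(m["usec"]))
        events.append({"ts": ts, "msg": m["msg"], "src": m["src"], "dst": m["dst"]})
    return events


def parse_gauntlet(text, year=CAPTURE_YEAR):
    """Return one dict per firewall line, keeping the message phrase verbatim."""
    events = []
    for line in text.splitlines():
        m = GAUNTLET_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "msg": m["msg"], "src": m["src"], "dst": m["dst"]})
    return events


def correlate(snort_events, fw_events, window_seconds=5):
    """Pair each Snort alert with firewall events from the same src -> dst
    whose timestamp lies within +/- window_seconds of the alert. Clock skew
    between sensor and firewall is why a window, not equality, is used."""
    window = timedelta(seconds=window_seconds)
    results = []
    for a in snort_events:
        hits = [f for f in fw_events
                if f["src"] == a["src"] and f["dst"] == a["dst"]
                and abs(f["ts"] - a["ts"]) <= window]
        results.append((a, hits))
    return results


def correlate_samples(window_seconds=5):
    return correlate(parse_snort(SNORT_ALERTS), parse_gauntlet(GAUNTLET_LOG), window_seconds)


if __name__ == "__main__":
    for alert, hits in correlate_samples():
        tag = "; ".join(f"{h['ts']:%H:%M:%S} {h['msg']}" for h in hits) or "no firewall match"
        print(f"{alert['ts']:%m/%d %H:%M:%S} {alert['src']} -> {alert['dst']} "
              f"[{alert['msg']}] :: {tag}")
```

With the default five-second window the two SYN/FIN alerts each pair with one firewall line and the ICMP alert pairs with none, because the only firewall line for that source is hours later; widening the window makes that third pairing appear, which is the kind of false correlation a too-generous window produces.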