IDS (Intrusion Detection System) Terminology
Added: 10/09/2008   Published: 10/09/2008
Part One: A - H
by A. Cliff, last updated July 3, 2001
Translated by Mad, last updated July 9, 2001

Although intrusion detection technology is not yet mature, it is developing very rapidly, and the terminology surrounding IDS changes just as quickly. The related terms are listed here in alphabetical order; some are very common, while others are rare or have no explicit definition. The rapid growth of IDS, together with the market influence of certain IDS vendors, has made the meaning of some terms confused: different vendors use the same term to mean different things.
To add a term or request an explanation, please mailto:talisker@networkintrusion.co.uk
For questions about the Chinese translation, please mailto:mad@email.com.cn

Alerts
An alert is the message an IDS sends to the system operator to report that an intrusion has occurred or been attempted. Once an intrusion is detected, the IDS raises the alert to the analyst in one or more ways. If the console is local, the alert is usually displayed on the monitor. The IDS may also sound an audible alarm (on a busy IDS it is advisable to turn the sound off). Alerts can also be sent to a remote console over the vendor's own communication channel, and via SNMP traps (with the security considerations that implies), email, SMS/pager, or a combination of these.
Anomaly
Most IDSs raise an alert when an event matches a known attack signature. An anomaly-based IDS instead spends a period of time building a profile of a host's or network's activity; any event that falls outside that profile triggers an alert, i.e. the IDS alerts when someone does something they have never done before. For example, a user suddenly obtains administrator (or root) privileges. Some vendors call this method heuristic IDS, but a true heuristic IDS is more intelligent than this.
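The profile-then-alert behaviour described above, as an added illustration that is not part of the original glossary or of any product: a toy anomaly detector learns each user's (action, privilege) pairs and outbound volume from a constructed training window, then alerts on anything outside that profile, including the "user suddenly obtains root" case. The audit records, user names and the 3-sigma volume threshold are all constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed training window: (user, action, privilege, bytes_out).
# In a real deployment this would be days of audit or flow records.
TRAINING = [
    ("alice", "login", "user", 1200),
    ("alice", "read_mail", "user", 3400),
    ("alice", "read_mail", "user", 2900),
    ("alice", "login", "user", 1100),
    ("bob", "login", "user", 800),
    ("bob", "build", "user", 52000),
    ("bob", "build", "user", 61000),
    ("bob", "login", "user", 900),
    ("root", "login", "root", 500),
    ("root", "backup", "root", 2_000_000),
]

# Constructed live window: two normal events, one privilege escalation,
# one new activity with a huge transfer, and one never-seen user.
LIVE = [
    ("alice", "read_mail", "user", 3100),
    ("alice", "login", "root", 1000),
    ("bob", "build", "user", 58000),
    ("bob", "read_mail", "user", 4_500_000),
    ("mallory", "login", "user", 700),
]


def build_profile(events):
    """Per-user profile: the set of (action, privilege) pairs seen during
    training, plus mean and population std-dev of bytes_out."""
    by_user = defaultdict(list)
    for user, action, priv, nbytes in events:
        by_user[user].append((action, priv, nbytes))
    profile = {}
    for user, rows in by_user.items():
        sizes = [r[2] for r in rows]
        profile[user] = {
            "pairs": {(a, p) for a, p, _ in rows},
            "mean": statistics.mean(sizes),
            "std": statistics.pstdev(sizes),
        }
    return profile


def detect_anomalies(profile, events, k=3.0):
    """Return (user, reason) alerts for events outside the learned profile.
    k is the number of standard deviations tolerated for volume."""
    alerts = []
    for user, action, priv, nbytes in events:
        p = profile.get(user)
        if p is None:
            alerts.append((user, "unknown user"))
            continue
        if (action, priv) not in p["pairs"]:
            # A never-seen privilege level is the classic escalation case;
            # report it separately from a merely new action.
            known_privs = {pr for _, pr in p["pairs"]}
            if priv not in known_privs:
                alerts.append((user, f"new privilege level: {priv}"))
            else:
                alerts.append((user, f"new activity: {action}"))
        # Floor the std-dev so a perfectly regular user still gets a margin.
        threshold = p["mean"] + k * max(p["std"], 1.0)
        if nbytes > threshold:
            alerts.append((user, f"volume {nbytes} exceeds baseline {threshold:.0f}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_profile(TRAINING), LIVE):
        print(alert)
```

Raising k trades false positives for false negatives; an unknown user is always an alert because there is no profile to compare against. The weakness noted under Heuristics applies here too: whatever an attacker manages to do inside the training window becomes part of "normal".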
Hardware IDS (Appliance)
Today's IDSs are often shipped as hardware appliances that go into a rack rather than being installed on an existing operating system, which makes plugging the IDS into the network very easy. Appliance products include CaptIO, Cisco Secure IDS, OpenSnort, Dragon and SecureNetPro.
Network intrusion signature database (ArachNIDS - Advanced Reference Archive of Current Heuristics for Network Intrusion Detection Systems)
Developed and maintained by Max Vision of Whitehats, ArachNIDS is a dynamically updated database of attack signatures suitable for many network-based intrusion detection systems. (Translator's note: the Whitehats members have been jailed one after another; Max Butler has not yet left prison, and Max Vision was sentenced to 18 months. Hopefully Whitehats can keep it well maintained.)
URL: http://www.whitehats.com/ids/
Attack Registry & Intelligence Service (ARIS)
ARIS is a security information service run by SecurityFocus that lets users report network security events to SecurityFocus anonymously. SecurityFocus collates these data, integrates them with other information, and produces detailed network security statistics and trend forecasts.
Attacks
An attack can be defined as an attempt to penetrate a system or bypass its security policy in order to obtain information, alter information, or disrupt the normal operation of the target network or system. Below is a list of common attacks that some IDSs can detect, with explanations:
Attacks 1: Denial of Service attack (Attacks: DoS - Denial Of Service attack)
A DoS attack simply renders a system unable to provide service to its users; it does not penetrate the system by hacking. Denial-of-service methods range from buffer overflows to exhausting system resources with floods of traffic, to name just a few. As understanding of and defenses against denial of service improved, the distributed denial of service attack appeared.
Attacks 2: Distributed Denial of Service (Attacks: DDoS - Distributed Denial of Service)
A distributed denial of service attack is a standard denial of service attack in which many distributed remote hosts are controlled to send large volumes of data to a single host, hence the name.
Attacks 3: Smurf attack (Attacks: Smurf)
The Smurf attack is named after the program that first launched it, Smurf. The attack sends pings with a spoofed source address to the broadcast address of a "Smurf amplifier" network; the amplifier network returns a large number of ICMP replies to the spoofed address, i.e. the target system, which is thereby denied service.
A list of available "amplifiers", refreshed every 5 minutes, is kept here: http://www.powertech.no/smurf/ (let's hope your network is not on the list…)
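Both ends of the Smurf exchange above leave a trace a sensor can look for, shown here as an added example that is not part of the original glossary: echo requests aimed at the directed broadcast address of a protected subnet (the amplifier being abused), and a host receiving echo replies from many sources it never pinged (the victim). The subnets, addresses and packet summaries are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed: the subnets this sensor protects.
LOCAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed packet summaries: (src, dst, icmp_type); 8 = echo request, 0 = echo reply.
# 203.0.113.7 is the spoofed source, i.e. the real victim of the amplification.
PACKETS = [
    ("203.0.113.7", "192.0.2.255", 8),        # request to a directed broadcast
    ("203.0.113.7", "198.51.100.127", 8),     # request to the other subnet's broadcast
    ("192.0.2.10", "192.0.2.20", 8),          # an ordinary ping inside the network
    ("192.0.2.20", "192.0.2.10", 0),          # and its reply
    # fifty hosts answering the broadcast ping, all towards the victim
    *[(f"192.0.2.{i}", "203.0.113.7", 0) for i in range(30, 80)],
]


def is_directed_broadcast(dst):
    """True if dst is the broadcast address of one of the protected subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_NETS)


def find_amplifier_abuse(packets):
    """Echo requests aimed at a directed broadcast: our network is the amplifier."""
    return [(s, d) for s, d, t in packets if t == 8 and is_directed_broadcast(d)]


def find_reply_floods(packets, min_sources=20):
    """Hosts receiving echo replies from many distinct sources they never sent a
    request to: the victim-side signature. Returns {victim: unsolicited_source_count}."""
    requested = defaultdict(set)   # src -> destinations it pinged
    replies = defaultdict(set)     # destination -> sources replying to it
    for s, d, t in packets:
        if t == 8:
            requested[s].add(d)
        elif t == 0:
            replies[d].add(s)
    floods = {}
    for victim, sources in replies.items():
        unsolicited = {s for s in sources if s not in requested[victim]}
        if len(unsolicited) >= min_sources:
            floods[victim] = len(unsolicited)
    return floods


if __name__ == "__main__":
    print("amplifier abuse:", find_amplifier_abuse(PACKETS))
    print("reply floods:", find_reply_floods(PACKETS))
```

The amplifier-side check is the one a site can act on directly: routers that do not forward directed broadcasts (on Cisco IOS, `no ip directed-broadcast` on each interface) stop the network from being an amplifier at all, so the first list should be empty on a well-configured network.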
Attacks 4: Trojan horse (Attacks: Trojans)
The term Trojan horse comes from the famous wooden horse of the Trojan War in ancient Greek legend. In computing it originally referred to a program that appears legitimate but contains malicious software: when the legitimate program is run, the malicious software is installed without the user's knowledge. Later, most such malicious software took the form of remote control tools, and "Trojan" came to refer specifically to such tools, e.g. BackOrifice, SubSeven and NetBus.
Automated Response
Besides raising an alert for an attack, some IDSs can respond to the attack automatically, in one of two ways:
1. reconfigure a router or firewall to reject traffic from the attacking address;
2. send reset packets to tear down the connection.
Both methods have problems. An attacker can carry out the attack using a spoofed trusted address, causing the device to be reconfigured to reject that trusted address and thereby achieving a denial of service. Sending packets requires an active network interface, which makes the IDS itself vulnerable. The solutions are to place the sending network card behind the firewall, or to use a dedicated packet-sending program that bypasses the standard IP stack.
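The spoofing problem above can be reduced to a decision rule for the response engine, shown here as an added example that is not part of the original glossary or of any IDS product: the responder never auto-blocks a protected address, blocks only sources whose evidence came from a completed TCP handshake (which cannot be produced with a forged source address), and caps the number of automatic blocks per window so that a flood of alerts cannot fill the firewall; everything else stays alert-only for the analyst. Addresses, alert records and the block budget are constructed assumptions.

```python
import ipaddress

# Constructed: addresses that must never be blocked automatically
# (a DNS resolver and a partner network), whatever the alerts say.
PROTECTED = [
    ipaddress.ip_network("192.0.2.53/32"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed alert stream. "established" means the sensor saw the source complete
# a TCP handshake, so the address was not forged.
ALERTS = [
    {"src": "203.0.113.9",   "sig": "web-exploit",   "proto": "tcp", "established": True},
    {"src": "192.0.2.53",    "sig": "udp-dns-flood", "proto": "udp", "established": False},
    {"src": "198.51.100.20", "sig": "web-exploit",   "proto": "tcp", "established": True},
    {"src": "203.0.113.10",  "sig": "syn-flood",     "proto": "tcp", "established": False},
    {"src": "203.0.113.9",   "sig": "web-exploit",   "proto": "tcp", "established": True},
    {"src": "203.0.113.11",  "sig": "web-exploit",   "proto": "tcp", "established": True},
]


class Responder:
    """Decides, per alert, whether to push an automatic block or leave it to the analyst."""

    def __init__(self, protected=PROTECTED, block_budget=1):
        self.protected = protected
        self.budget = block_budget   # remaining automatic blocks in this window
        self.blocked = set()

    def decide(self, alert):
        src = ipaddress.ip_address(alert["src"])
        if any(src in net for net in self.protected):
            # Exactly the address an attacker would spoof to hurt us; never auto-block.
            return "alert-only: protected address"
        if not (alert["proto"] == "tcp" and alert["established"]):
            # One-sided UDP, ICMP or SYN evidence can carry any source address;
            # blocking on it lets the attacker choose who gets blocked.
            return "alert-only: source unverified (spoofable)"
        if alert["src"] in self.blocked:
            return "already blocked"
        if self.budget <= 0:
            return "alert-only: block budget exhausted"
        self.budget -= 1
        self.blocked.add(alert["src"])
        return "block"


def run(alerts, **kw):
    """Apply one Responder to a whole alert stream and return its decisions in order."""
    responder = Responder(**kw)
    return [responder.decide(a) for a in alerts]


if __name__ == "__main__":
    for alert, decision in zip(ALERTS, run(ALERTS)):
        print(alert["src"], alert["sig"], "->", decision)
```

The budget is deliberately small: an automatic block is cheap for the attacker to trigger and expensive for the defender to undo, so most sites prefer a short-lived block that expires on its own to a permanent rule change.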
CERT - Computer Emergency Response Team
CERT takes its name from the first computer security incident response team, established at Carnegie Mellon University. Today many organizations have their own CERT (computer security incident handling team). As distinct from a CIRT (Computer Incident Response Team), a CERT emphasizes rapid reaction to emergencies rather than long-term monitoring.
Common Intrusion Detection Framework (CIDF)
CIDF is an effort to standardize intrusion detection to some degree. It has developed protocols and application programming interfaces so that the software of intrusion detection research projects can share information and resources, and so that intrusion detection system components can likewise be used by other systems.
Computer Incident Response Team (CIRT)
Derived from CERT, a CIRT differs in its mode of handling security incidents. The CERT's focus is specifically computer emergencies, whereas for a CIRT an incident is not necessarily an emergency and includes other security incidents as well.
Common Intrusion Specification Language (CISL)
CISL is a general-purpose language for describing intrusions, used for communication between CIDF components. Like the CIDF standardization work, CISL is an attempt to standardize the description language used in intrusion detection research.
Common Vulnerabilities and Exposures (CVE)
One problem with vulnerabilities is that, when designing vulnerability scanners or response strategies, different vendors give the same vulnerability entirely different names. Some vendors also describe one vulnerability with several signatures and claim to detect more attacks as a result. MITRE created CVE to standardize vulnerability names; vendors who join CVE use the standardized vulnerability descriptions.
URL: www.CVE.mitre.org.
Crafted packets (Crafting Packets)
Packets that do not follow the usual packet structure. By building one's own packets it is possible to spoof packets or to make the receiver unable to process them. Nemesis is one such tool; the latest version is 1.32 (you could of course write your own with libnet). URL: http://jeff.chi.wwti.com/nemesis/
Desynchronization (see also Evasion)
Originally, desynchronization referred to a method of evading an IDS using sequence numbers. Some IDSs cannot determine the expected sequence number and are therefore helpless against such packets, being unable to reassemble the data. This technique dates from 1998 and is now obsolete. Some articles use the term to refer to other IDS evasion methods.
Eleet
When hackers write exploit code they often leave a signature; the most common is "elite" (the best, the sharpest), usually spelled eleet and transformed into 31337. The number 31337 is frequently used as a port number, a sequence number and so on. The popular word nowadays is "skillz".
Enumeration
After passive reconnaissance and social engineering, the attacker begins to enumerate the network's resources. Enumeration is the attacker actively probing the network to discover which vulnerabilities can be exploited. Because this activity is active, it can be detected, but the attacker will still try to hide it as far as possible to avoid detection.
Evasion (see also Desynchronization)
Evasion is the process of carrying out an attack while avoiding detection by the IDS. Evasion techniques cause the IDS to see one side of the attack while the target sees another. One form of evasion is to set different TTL values on different packets, so that what the IDS sees appears to be harmless, while the packets that matter are unaffected and still arrive at the target; only what arrives at the target constitutes the attack. This greatly simplifies the real complexity of evasion. The paper by Ptacek and Newsham, "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection", describes the basic principles and methods of evasion.
http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
Exploits
For every vulnerability there is a mechanism by which it can be used to attack. To attack a system, the attacker writes exploit code or a manual procedure.
Exploits: Zero Day Exploit
A zero-day exploit is an exploit for a vulnerability that has not yet been announced or published. Once a vulnerability is discovered, the vendor releases a patch and IDS vendors add the corresponding attack signature. To the attacker, a zero-day exploit is therefore the most valuable kind.
False Negatives
False negative: an attack that is not detected by the IDS, or that escapes the analyst's notice.
False Positives
False positive: the IDS identifies a normal event as an attack and raises an alert.
Firewalls
A firewall is the first gate of network security. Its function differs from that of an IDS, but its logs can provide useful information to an IDS. A firewall rejects illegal connections based on rules about IP addresses or ports.
FIRST - Forum of Incident Response and Security Teams
FIRST is an alliance of governmental and civil-society organizations from around the world that exchange security information and coordinate security incident response. The annual FIRST conference always attracts a great deal of attention.
URL: http://www.first.org
Fragmentation
If a packet is too large, it is transmitted in fragments. Fragmentation is based on the network's maximum transmission unit (MTU); for example, token ring is 4464 while Ethernet is 1500. When a packet travels from a token ring network to an Ethernet network, it is fragmented according to Ethernet's MTU. Under certain network conditions fragmented transmission is entirely normal, but hackers use fragmentation to evade IDS detection, and several notorious DoS attacks have also used fragmentation.
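The two evasion mechanisms named in this glossary, the TTL trick under Evasion and fragmentation here, both come down to the same defensive requirement from the Ptacek and Newsham paper: the IDS must reassemble what the target will see, not what the wire carries. The following is an added example, not part of the original glossary or of any product, of a fragment reassembler that discards fragments whose TTL cannot survive the path to the target and reports overlapping fragments whose bytes conflict. It assumes the sensor knows the router hop count to the target, uses byte offsets rather than the 8-byte units of real IP headers for readability, and uses a constructed payload split so that a naive reassembly reads differently from the target's view.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    ident: int      # IP identification field shared by all fragments of one datagram
    offset: int     # byte offset within the original datagram (real IP uses 8-byte units)
    more: bool      # more-fragments flag; False marks the last fragment
    ttl: int
    data: bytes


# Constructed datagram: a signature "ATTACK-SIGNATURE" split into fragments, with a
# low-TTL fragment inserted at offset 7 that only a sensor upstream will ever see.
FRAGMENTS = [
    Fragment(1, 0, True, 64, b"ATTACK-"),
    Fragment(1, 7, True, 2, b"BENIGN"),    # dies before the target: insertion
    Fragment(1, 7, True, 64, b"SIGNAT"),   # what the target actually receives
    Fragment(1, 13, False, 64, b"URE"),
]


def reassemble(fragments, hops_to_target):
    """Return (payload, alerts) reassembled from the target's point of view.
    hops_to_target is the number of routers between the sensor and the target;
    each decrements TTL and discards the packet when it would reach zero."""
    alerts = []
    buf = {}           # byte index -> value the target will hold
    last_end = None
    for f in sorted(fragments, key=lambda fr: fr.offset):
        if f.ttl <= hops_to_target:
            alerts.append(f"ttl={f.ttl} too low to reach target: fragment at offset {f.offset} ignored")
            continue
        conflict = False
        for i, b in enumerate(f.data):
            idx = f.offset + i
            if idx in buf and buf[idx] != b:
                conflict = True
            # First fragment wins here; real stacks differ, which is itself an
            # ambiguity an IDS has to know per target operating system.
            buf.setdefault(idx, b)
        if conflict:
            alerts.append(f"conflicting overlap in fragment at offset {f.offset}")
        if not f.more:
            last_end = f.offset + len(f.data)
    if last_end is None:
        return None, alerts + ["incomplete: no last fragment"]
    if any(i not in buf for i in range(last_end)):
        return None, alerts + ["incomplete: hole in datagram"]
    return bytes(buf[i] for i in range(last_end)), alerts


if __name__ == "__main__":
    # A sensor that ignores TTL (hops_to_target=0) sees the harmless-looking text;
    # one that models the five-hop path sees what the target sees.
    print(reassemble(FRAGMENTS, hops_to_target=0))
    print(reassemble(FRAGMENTS, hops_to_target=5))
```

Running it with hops_to_target=0 reproduces the evasion: the signature is not present in the reassembled text, although the conflicting-overlap alert already shows that something is wrong. With the real hop count the reassembled payload is the one the target processes and the signature matches.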
Hacker Ethics
Although everyone's understanding differs, to most mature hackers the hacker ethic is sacred and should be respected and observed: for example, share information, and never steal, alter or disclose the data of a system that has been attacked.
URL: http://www.tuxedo.org/~esr/jargon/html/entry/hacker-ethic.html
Hacker Ethics 1: Black Hat
Hackers who disregard the law and work on the dark side without any restraint. Once they discover a vulnerability they often circulate the exploit privately rather than announcing it to the community.
Hacker Ethics 2: White Hat
Positive hackers: once they discover a vulnerability they inform the vendor first, and they do not announce the vulnerability until a patch has been released. For the white-hat view of the hacker ethic, and some free IDS tools, see Jude Thaddeus's article "Confessions of a white hat hacker".
URL: http://www.idg.net/english/crd_network_480552.html
Hacker Ethics 3: Grey Hat
Grey hat hackers sit between the two: once they discover a vulnerability they release it to the hacker community and inform the vendor at the same time, then watch what develops. They follow the second moral rule of the hacker ethic. Many people think the vendor should be notified first, and many vendors make use of this information. Rain Forest Puppy published a policy that both protects the vendor's interests and does not hinder security research.
URL: http://www.wiretrip.net/rfp/policy.html
Heuristics
"Heuristics" means applying ideas from artificial intelligence to IDS. Heuristic IDS has been proposed over the past ten years, yet little progress has been made so far, and a hacker can "train" the IDS into ignoring a malicious attack. Some IDSs use anomaly models to detect intrusions, but such an IDS needs a great deal of time to "learn" to recognize normal events. Vendors market this as heuristic IDS, but at the very least such IDSs do not apply artificial intelligence to the analysis of the data.
Honeynet Project
According to the Honeynet Project's definition, a Honeynet is a learning tool: a network system designed to contain flaws. Once the system's security is compromised, the relevant information is captured and then analyzed and studied by the group's members. A Honeynet is therefore a useful resource for observing the whole course of an attack. The Honeynet group consists of 30 security experts, each of whom set up a series of "honeypots" to lure attackers and to study their tactics, tools and behavior through observation.
URL: http://project.honeynet.org/project.html
Honeypot
A honeypot simulates a system with vulnerabilities to provide a target for attackers. A honeypot serves no purpose on the network, so any connection to it is a possible attack. Another goal of a honeypot is to lure attackers into wasting time on it, delaying attacks on the real targets. Although the honeypot's original aim was to gather evidence for prosecuting attackers, there has been much debate about whether using a honeypot constitutes entrapment. If a honeypot is on the network, the attacker must compromise at least one network device. Under the laws of some countries, evidence collected by a honeypot cannot be used for prosecution.
