www.syngress.com/solutions

A: 
As mentioned in the previous chapter, L3D means the number of unique
IP destinations associated with a host during ourmon’s 30-second sample
period.This statistic is a Layer 3 (IP layer) statistic and it could never be
hidden with encryption.
Q: 
I tried to use ngrep with an IRC channel name and it didn’t work. Why?
A: 
Besides obvious problems like the channel is suddenly quiet, you need to
know that an IRC channel name is case-insensitive. So, for example, if the
channel was LSASS445, we use the 
–i
parameter to do case-insensitive
packet matching. We are also looking for PRIVMSG messages only sent
to and from a particular host.You could try something like the following:
# ngrep -q –i "PRIVMSG.*#lsass445 tcp and host 192.168.2.3
Q: 
A 30-second report for IRC exists, but you don’t mention it much here.
Why?
A: 
It might be of some use for debugging or if there is a very active botnet,
but in general IRC is a slow communications medium. We have to look
for patterns across hours or days.
Q: 
What happens if the hackers switch to port 666 and use some other pro-
tocol for command and control, say ROT 13 (a variation of the Caesar
Cipher, in this case rotating the letters 13 times) in a new protocol?
A: 
This is why we discussed anomaly detection in the previous chapter.
Sooner or later they will attack; otherwise owning a box is useless. When
they do, the anomaly detection meters will go off.Then you could choose
to watch the attacked box with a sniffer and see who is talking to it. If
two boxes behave badly, and they are both talking to an outsider, then
watch the outsider. Forensics on the attacked host could indicate an IP
address for an attacker.These clues might provide you with an address for
a bot server. All we have done with the IRC module is automate this task.

Download 6,98 Mb.

Do'stlaringiz bilan baham: