</SELECT>
</font></td>
</tr>
</table>
</form>
<!-- LEFT NAV SEARCH END -->
</td>
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->
<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->
<!-- begin main content -->
<td width="100%" valign="top" align="left">
<!-- END SUB HEADER -->
<!--Begin Content Column -->
<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<!-- Empty Reference Subhead -->
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=8//-->
<!--PAGES=227-228//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="../ch07/225-226.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="229-231.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H2><A NAME="Heading1"></A><FONT COLOR="#000077">Chapter 8<BR>UNIX System-Level IDSs
</FONT></H2>
<P>In the last chapter, you saw how scanning a system for flaws can reveal security weaknesses. A host-based scanner runs periodically on the target itself, examining the contents of configuration files and looking for back-level programs with known security holes, for known rogue programs, or for the tracks a hacker leaves behind. Alternatively, you can run a network scan against a target node looking for vulnerabilities. In this chapter, you’ll examine IDSs that run at the system level. These tools also run directly on the target system, but instead of looking for weaknesses they look for evidence of misuse or intrusions.
</P>
<P>Stalker has traditionally been a tool that runs on a schedule, at intervals ranging from one minute to once a day. However, by the time this book is published, Stalker should be available as a real-time monitor that catches intrusions or misuses <I>as they happen</I>. The Computer Misuse Detection System (CMDS) runs in real time and, thus, also catches intruders in the act. Real-time detection and response are valuable features beyond those provided by scanners.</P>
<P>Stalker and CMDS differ in emphasis: Stalker is marketed as a pattern-matching (misuse detection) tool, whereas the strength of CMDS lies in its statistical (anomaly detection) capabilities. After reading this chapter, you will see that both pattern matching and statistical anomaly detection have advantages. You will be glad to know that neither CMDS nor Stalker introduces a new security model. That is, no new subjects, objects, reference monitors, or access control lists are added to your environment when you install CMDS or Stalker. Also, both of these tools are best known for analyzing operating system audit logs, although their core architectures support analysis of other data sources, such as firewall or Web server log files.</P>
<P>To truly understand the strengths and limitations of system-level IDSs, you begin by learning about example UNIX hacks that they can detect. After this, several sections describe Stalker and CMDS. Once you know what system-level tools are capable of finding, you will explore their shortcomings.</P>
<H3><A NAME="Heading2"></A><FONT COLOR="#000077">Detecting Hacks with Stalker</FONT></H3>
<P>Stalker is a client-server, heterogeneous IDS for UNIX systems. In addition to providing intrusion and misuse detection, Stalker also can be used for <I>audit reduction</I> to whittle down a collection of audit records into meaningful information.</P>
<P>Stalker employs a client-server model for distributed, heterogeneous UNIX systems. The Stalker Manager software is installed on a central server from which clients are administered and monitored. Each node in the network watched by the Manager is called an Agent. The purpose of the agent code is to format the audit logs generated by the operating system into a common form. The intrusion detection engine thus is insulated as much as possible from subtle differences in the audit record layouts from different systems. From the Manager station, an administrator can configure the audit subsystems or analyze different client nodes. Today, only one node at a time can be the target of an operation, whether the operation involves configuration or analysis.</P>
<P>Stalker was originally intended for misuse and intrusion detection through reporting. The administrator would schedule analysis to run during the evening so that reports would be available in the morning. If an alert appeared in one of the reports, the administrator could see who did it, what happened, and how the perpetrator did it. Because each audit record carries the audit user ID (AUID) of the user who originally logged in, which is preserved even after a subsequent <I>su</I>, and because Stalker’s engine can track the path of events leading to an alert, the report would show the sequence of events leading up to the problem.</P>
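<P>The two ideas in the preceding paragraphs, an agent that reformats each platform’s audit records into a common form so that one detection engine can work on all of them, and a report that traces the events of the offending AUID back to the alert, are shown below in an added example. This is illustration code written for this page, not Stalker’s code and not from the book: the two audit-log layouts, their regular expressions, the host names, the sample records, the misuse rule, and the 600-second trail window are all constructed assumptions and do not describe any real audit subsystem’s format.</P>

```python
"""Added example (constructed; not Stalker's code nor the book's).

An agent-style normalizer turns two hypothetical audit-log layouts into one
record form, a manager-style rule flags a misuse pattern on the normalized
records, and the trail of events for the offending AUID is rebuilt for the
report: who did it, what happened, and how they got there.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AuditRecord:
    ts: int        # seconds since the epoch (constructed values)
    host: str      # agent node that produced the record
    auid: str      # audit user ID: the login identity, kept across su
    euid: str      # effective user ID when the event happened
    event: str     # normalized event name (execve, open_write, su, ...)
    obj: str       # object acted on: a path, or the target account for su
    outcome: str   # "success" or "failure"


# Layout A (hypothetical): ts,host,event,auid=..,euid=..,obj=..,success|failure
_LAYOUT_A = re.compile(
    r"^(\d+),([^,]+),([^,]+),auid=(\w+),euid=(\w+),obj=([^,]*),(success|failure)$")

# Layout B (hypothetical): <ts> <host> audit: user=<auid> as=<euid> <event> <obj> ok|denied
_LAYOUT_B = re.compile(
    r"^(\d+) (\S+) audit: user=(\w+) as=(\w+) (\S+) (\S+) (ok|denied)$")

# Layout B uses its own event vocabulary; map it onto the common names.
_B_EVENT_NAMES = {"exec": "execve", "open-w": "open_write", "su": "su"}


def parse_layout_a(line: str) -> Optional[AuditRecord]:
    """Parse one layout-A line, or return None if it does not match."""
    m = _LAYOUT_A.match(line.strip())
    if not m:
        return None
    ts, host, event, auid, euid, obj, outcome = m.groups()
    return AuditRecord(int(ts), host, auid, euid, event, obj, outcome)


def parse_layout_b(line: str) -> Optional[AuditRecord]:
    """Parse one layout-B line into the same record form as layout A."""
    m = _LAYOUT_B.match(line.strip())
    if not m:
        return None
    ts, host, auid, euid, event, obj, outcome = m.groups()
    return AuditRecord(int(ts), host, auid, euid, _B_EVENT_NAMES.get(event, event),
                       obj, "success" if outcome == "ok" else "failure")


def normalize(layout_a: Iterable[str],
              layout_b: Iterable[str]) -> Tuple[List[AuditRecord], List[str]]:
    """Merge both layouts into one time-ordered list. Unparseable lines are
    returned separately rather than dropped silently: an attacker who can
    corrupt a log line must not be able to make the engine forget it."""
    records: List[AuditRecord] = []
    rejected: List[str] = []
    for parser, lines in ((parse_layout_a, layout_a), (parse_layout_b, layout_b)):
        for line in lines:
            rec = parser(line)
            if rec is None:
                rejected.append(line)
            else:
                records.append(rec)
    return sorted(records, key=lambda r: (r.ts, r.host)), rejected


def misuse_alerts(records: List[AuditRecord]) -> List[AuditRecord]:
    """Constructed pattern rule: a non-root AUID, running with euid root,
    successfully writes a file under /etc. The rule sees only normalized
    records, so it is the same for every agent layout."""
    return [r for r in records
            if r.auid != "root" and r.euid == "root"
            and r.event == "open_write" and r.obj.startswith("/etc/")
            and r.outcome == "success"]


def trail(records: List[AuditRecord], alert: AuditRecord,
          window: int = 600) -> List[AuditRecord]:
    """Everything the same AUID did in the `window` seconds up to and
    including the alert: the 'how' for the report."""
    return [r for r in records
            if r.auid == alert.auid and alert.ts - window <= r.ts <= alert.ts]


def report(records: List[AuditRecord], rejected: List[str]) -> List[str]:
    """Render the morning report: who, what, and the path that led there."""
    out = [f"{len(records)} records normalized, {len(rejected)} lines rejected"]
    for a in misuse_alerts(records):
        out.append(f"ALERT {a.host}: auid={a.auid} wrote {a.obj} with euid={a.euid}")
        for r in trail(records, a):
            out.append(f"    {r.ts} {r.host} {r.event} {r.obj} euid={r.euid} ({r.outcome})")
    return out


# Constructed sample input from two agents with different layouts. The story:
# bob fails one su to root, succeeds on the next, then writes /etc/passwd.
SAMPLE_LAYOUT_A = [
    "909901200,sol1,execve,auid=alice,euid=alice,obj=/usr/bin/ls,success",
    "909901260,sol1,open_write,auid=root,euid=root,obj=/etc/hosts,success",
]
SAMPLE_LAYOUT_B = [
    "909901300 aix2 audit: user=bob as=bob su root denied",
    "909901340 aix2 audit: user=bob as=bob su root ok",
    "909901350 aix2 audit: truncated",          # deliberately malformed
    "909901400 aix2 audit: user=bob as=root open-w /etc/passwd ok",
    "909901410 aix2 audit: user=bob as=root exec /usr/bin/vi ok",
]

if __name__ == "__main__":
    recs, bad = normalize(SAMPLE_LAYOUT_A, SAMPLE_LAYOUT_B)
    print("\n".join(report(recs, bad)))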

<P>Several variations of Stalker have appeared in the marketplace including WebStalker, RT Stalker, and ProxyStalker for NT. These products use the same intrusion detection engine but run in real time and provide automated responses. Combining one of these real-time IDSs with the traditional investigative capabilities of Stalker gives you a powerful suite for monitoring your security policy.</P>
<P>The four main components in Stalker include the following:</P>
<DL>
<DD><B>•</B> Audit Management
<DD><B>•</B> Trace/Browser (TB)
<DD><B>•</B> Misuse Detector (MD)
<DD><B>•</B> Storage Manager
</DL>
<P>The Storage Manager is a set of shell scripts that can be used to migrate audit logs through a storage hierarchy. Many companies rely on home-grown or commercial storage management products to perform this task today. Therefore, this component is not discussed in detail here.
</P><P><BR></P>
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="../ch07/225-226.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="229-231.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<!-- all of the reference materials (books) have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- BEGIN SUB FOOTER -->
<br><br>
</TD>
</TR>
</TABLE>
<table width="640" border=0 cellpadding=0 cellspacing=0>
<tr>
<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
<!-- END SUB FOOTER -->
<!-- all of the books have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- FOOTER -->
<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a> | <a href="/contactus.html"><font color="#006666">Contact Us</font></a> | <a href="/aboutus.html"><font color="#006666">About Us</font></a> | <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> | <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> | <a href="/"><font color="#006666">Home</font></a></b>
<br><br>
Use of this site is subject to certain <a href="/agreement.html">Terms & Conditions</a>, <a href="/copyright.html">Copyright © 1996-1999 EarthWeb Inc.</a><br>
All rights reserved. Reproduction whole or in part in any form or medium without express written permision of EarthWeb is prohibited.</font><p>
</td>
</tr>
</table>
</BODY>
</HTML>
<!-- END FOOTER -->
?? 快捷鍵說明
復(fù)制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -