Đang chuẩn bị liên kết để tải về tài liệu:
Indications and Warnings Correlation

Đang chuẩn bị nút TẢI XUỐNG, xin hãy chờ

Welcome to the second half of the network based intrusion detection tutorial, where we will discuss more advanced analysis techniques based on Indications and Warnings as well as correlation. For every attack that really gets our attention, there are twenty or thirty probes or mapping attempts. Some of the common efforts are DNS zone transfers, DNS queries, SNMP queries, portmapper access attempts, and NetBIOS name lookups. | Network Based Intrusion Detection Tutorial 2 Indications and Warnings Correlation IDIC - SANS GIAC LevelTwo 2000 2001 1 In planning never a useless move in strategy no step taken in vain. Chen Hao Welcome to the second half of the network based intrusion detection tutorial where we will discuss more advanced analysis techniques based on Indications and Warnings as well as correlation. For every attack that really gets our attention there are twenty or thirty probes or mapping attempts. Some of the common efforts are DNS zone transfers DNS queries SNMP queries portmapper access attempts and NetBIOS name lookups. In this section we will be examining indications and warnings signs of reconnaissance activity and of a likely impending attack. By paying proper attention to indications and warnings we can take proactive steps toward reducing the chances of a successful attack. 1 I W Schematic Warnings Information includes computing non-computing based Interaction is adaptive feedback loop Not all indications produce warnings many many IDIC - SANS GIAC LevelTwo 2000 2001 2 In this diagram we see a method for categorizing information both computing and noncomputing based. The outermost oval includes all information the middle oval shows that we can only collect some of the relevant information. The innermost oval shows the indications that have been identified from the collected information. One or more indications may produce a warning. So what are indications and warnings Mapping attempts are clearly warnings of what will follow. Very often they are simply used to create shopping lists the list of internet addresses fed to exploit scripts. Again the pattern of these lists has meaning and is an indication. Every once in a while our adversaries select a specific target a system that has information they want. This is an indication we are giving away vital tactical information. 2 I W Semantic Models Adversary Reconnaissance Pre-Attack Attack and Planning Post-Attack .