-e parameter
Snort command-line switch, 253–254
early warning system (EWS) honeypot
for your network, 301–302
ECMAScript
international scripting standard that JScript is based on, 170
Edit menu options
using in Ethereal protocol analyzer utility, 244
Edit Sim Banner dialog box
in KFSensor honeypot, 200
Editcap.exe
command-line capturing utility, 250
EditPlus text editor
website address, 357
eEye Digital Security
website address, 27
EFS. See Encrypting File System (EFS)
EFS data recovery agent
website address for information about, 107
Electronic Evidence Information Center
website address, 335
E-Mail Detective
for viewing and recovering AOL deleted or cached mail, 315
e-mail messages
tools for recovering after hacker attack, 315
emulated honeypot systems
benefits to deploying, 19
disadvantages of, 19–20
what you need to know, 63–65
emulation services
in KFSensor honeypot, 198–208
in PatriotBox honeypot, 212–214
emulation service scripts
feature in Honeyd, 132
website address for downloading, 132
EnCase software
website address, 308
Encrypting File System (EFS)
for encrypting and protecting files, 107–108
encryption
used by malware to hide infection, 358
endpoint mapper
Windows port 135 known as, 73
Engage Security
website address, 296
Ethereal Capture Options dialog box
setting options in, 245–246
Ethereal protocol analyzer utility
Analyze menu, 246–248
columns in top pane, 242
command-line version (Tethereal.exe), 250
data payload information in the bottom pane, 242
downloading and installing, 147–148
example of main screen with packet-capture data, 241
features of, 240–250
getting a quick distribution screen report with, 310
information in the middle pane, 242–243
Microsoft-specific display filters in latest version, 238
screen showing HTTP traffic on a port other than 80, 243
screen showing packets of a captured hacker session, 247
screen showing the TCP stream feature for a packet, 248
starting, 241
TCP Conversation screen, 246
TCP Stream feature in, 247–248
using all of the features together, 248
using Tcpdump or WinDump with, 249
using the built-in command-line tools, 249–250
using the features of, 244–248
viewing packet information in, 241–243
website address, 43
Ethernet cable
methods for constructing receive only, 44–45
Ethernet cards
WinPcap conflicts with some, 142
Ethernet switches
as honeypot network system devices, 46–47
Ethernet tap (sensor)
for hiding honeynet monitoring devices, 44–45
event ID 528
example of, 320
event IDs
list of interesting for logon events, 322–323
website address for information about, 323
Event Properties dialog box
event description information in, 321
Event Viewer
example showing filtering successful logins, 291
Event Viewer Microsoft Management Console
for collecting and prioritizing Windows log files, 288
EventCombMT application
for remotely collecting multiple security log files, 288–289
website address, 288
Eventlog to Syslog Utility
for copying Windows event log messages to remote Syslog servers, 290
EVENTTRIGGERS command
syntax for, 298
table of /Create options, 298
Eventtriggers.exe program
for creating, deleting, listing, and querying trigger events, 298–299
EWS honeypot. See early warning system (EWS) honeypot
Exchange Server
banner text received from various Exchange Server Services, 83
Exchange Server ports, 83
lists of common and complex, 71–72
Exchange Server SMTP banner text
vs. IIS virtual SMTP server banner text, 83
Exchange Server template
example code listing for, 161
Exchange sim server
for KFSensor honeypot, 203–204
executable code pathway
example of, 338
executable files
list of potentially dangerous, 107
Exploiting Software: How to Break Code (Greg Hoglund and Gary McGraw)
book about disassembly, 359
external placement
of honeypots, 55–56
EXTERNAL_NET variable
syntax for using in Snort, 258