List of Code Examples


Chapter 1: Introduction to Intrusion Detection

Example 1.1. Transmission of the Password File as a Part of LOK12 Attack
Example 1.2. Detecting LOK12 Attack (TCPdump Log-File Fragment)
Example 1.3. Providing Remote Clients Access to Local Servers by the Telnet
Example 1.4. Remote Attack with the FTP Protocol (for the IPCHAINS Firewall)

Chapter 4: The Three Basic Principles of Intrusion Detection

Example 4.1. Port Scanning Implemented Using Haktek (TCPdump Log File)
Example 4.2. Port Scanning (-sT) Using Nmap (a Fragment of the TCPdump Log File)
Example 4.3. Port Scanning (-sS) Using Nmap (a Fragment of the TCPdump Log File)
Example 4.4. Port Scanning (-sU) Using Nmap (a Fragment of the TCPdump Log File)
Example 4.5. Detecting Host Scanning (a Fragment of the Check Point Firewall-1 Log File)
Example 4.6. Host Scanning (a Fragment of the TCPdump Log File)
Example 4.7. Detection of the SMURF and Fraggle Attacks (a Fragment of the Cisco Router Log File)
Example 4.8. Detecting Scanning for Vulnerable CGI Scripts (a Fragment of the WWW Server Log File)
Example 4.9. Detecting Requests to Vulnerable CGI Scripts Such as Test-cgi and Aglimpse (a Fragment of the Snort Log File)
Example 4.10. Detecting the Usage of Reserved Addresses
Example 4.11. Detecting the Usage of Reserved Addresses
Example 4.12. Land Attack (TCPdump Log File Fragment)
Example 4.13. Stealth Scanning Using SYN/ACK (Fragment of the TCPdump Log File)
Example 4.14. FIN Scanning (-sF) Using Nmap
Example 4.15. Xmas Scanning (-sX) Using Nmap (a Fragment of the TCPdump Log File)
Example 4.16. Null Scanning (-sN) Using Nmap
Example 4.17. Null Scanning Using Nmap
Example 4.18. FIN Scanning Using Nmap
Example 4.19. The "Christmas Tree Pattern" (Fragment from a Snort Log File)
Example 4.20. Detecting a Suspicious Situation (a Fragment of the Dragon Log File)
Example 4.21. OS Fingerprinting Using QueSO
Example 4.22. OS Fingerprinting Using QueSO (a Fragment of the TCPdump Log File)
Example 4.23. Using Reserved ECN Flags in the TCP Packet Header (a Fragment of the TCPdump Log File)
Example 4.24. Using Reserved ECN Flags in the TCP Header
Example 4.25. Detecting Suspicious Activity (a Fragment of the TCPdump Log File)
Example 4.26. Detecting a Ping of Death Attack (a Fragment of the TCPdump Log File)
Example 4.27. The Tiny Fragment Attack (a Fragment of the TCPdump Log File)
Example 4.28. Detecting the SubSeven Trojan (a Fragment of the Snort Log File)
Example 4.29. Detecting the SubSeven Trojan (a Fragment of the IPCHAINS Log File)
Example 4.30. Detecting the SubSeven Trojan (a Fragment of the Ascend SecureConnect 3.03 Log File)
Example 4.31. Detecting the SubSeven Trojan (a Fragment of the ZoneAlarm Log File)
Example 4.32. Detecting the SubSeven Trojan
Example 4.33. Detecting the SubSeven Trojan
Example 4.34. Detecting the SubSeven Trojan
Example 4.35. Detecting the Satans Trojan (a Fragment of the Snort Log File)
Example 4.36. Detecting the BackOrifice Trojan (a Fragment of the SHADOW Log File)
Example 4.37. Detecting the BackOrifice Trojan (a Fragment of the IPCHAINS Log File)
Example 4.38. Detecting the BackOrifice Trojan (a Fragment of the TCPdump Log File)
Example 4.39. Detecting the WinTrin00 Trojan (a Fragment of the Cisco Router Log File)
Example 4.40. Detecting the mstream Trojan
Example 4.41. Detecting the NetBus Trojan (the Output Produced by the Netstat -a Command)
Example 4.42. Detecting the NetBus Trojan
Example 4.43. Analysis of the Header Returned by the IMAP Service
Example 4.44. Examples of Security Messages Produced by Cisco Equipment
Example 4.45. A Fragment of the Check Point Firewall-1 Log File
Example 4.46. A Fragment of the Apache Log File (access_log)
Example 4.47. A Fragment of the Apache Log File (error_log)

Chapter 5: Detecting Attack Traces

Example 5.1. Exploiting the expn Vulnerability in Sendmail Implementation
Example 5.2. Failed Attempts to Log On to Windows NT 4.0 (Fragments of the Security Log File)

Chapter 9: Selecting an Intrusion Detection System

Listing 9.1. An Example of a Rule in P-BEST for Detecting Failed Logon Attempts
Listing 9.2. An Example of a Rule for Detecting a WinNuke Attack Written in N-Code
Listing 9.3. An Example of a Rule for Detecting a Land Attack Written in N-Code
Listing 9.4. An Example of a Rule for Detecting Attempts of Xmas Scanning Written in N-Code
Listing 9.5. Fragment of the Rule Describing the Land Attack Using Predefined Variables
Listing 9.6. An Example of a Rule Created Using the RUSSEL Language for Detection of Failed Login Attempts During the Specified Time Period
Listing 9.7. An Example of a SecureLogic Script
Listing 9.8. An Example of a Description of Hidden TCP Scanning Written in CASL
Listing 9.9. A Fragment of an NASL Script Describing a Check for Detecting Web Server Vulnerability
Listing 9.10. A Fragment of the NASL Script Describing the Check to Detect FTP-Server Vulnerability
Listing 9.11. An Example of a Rule Written in VDL That Detects the Presence of the Telnet Service
Listing 9.12. An Example of a Rule Written in VDL That Detects the Presence of the SuperApp Application
Listing 9.13. A Fragment of the TCPdump Log File
Listing 9.14. A Fragment of the Apache Web Server Log File Named access_log
Listing 9.15. A Fragment of the SecurityEvent Log File of a Windows NT-Based Operating System
Listing 9.16. A Fragment of the Cisco IDS 4200 Log File
Listing 9.17. A Fragment of the Snort Log File
Listing 9.18. An Example of Script Written Using the Expect Language to Reconfigure Cisco Routers

Chapter 11: Using Intrusion Detection Systems

Example 11.1. Automation of the Security Scanning Process and Report Creation (in Internet Scanner for Windows NT)
Example 11.2. Using the AT Scheduler (Windows NT)

Chapter 12: Common IDS Problems

Example 12.1. An Example Illustrating the Malicious Usage of JavaScript

Chapter 13: Standardization in the Field of Intrusion Detection

Example 13.1. An Example Illustrating the Use of CISL for Describing Rules for Deleting the /etc/passwd File




Protect Your Information with Intrusion Detection
Protect Your Information with Intrusion Detection (Power)
ISBN: 1931769117
EAN: 2147483647
Year: 2001
Pages: 152
