Fastnetmon use /var/run/exabgp.cmd to transfer control commands to Exabgp;
Exabgp use "run /usr/bin/socat stdout pipe:/var/run/exabgp.cmd" to pipe the command;
by default, Exabgp will fail with ERR " Too many respawn for dynamic terminating program"
you must run command:
rm /var/run/exabgp.cmd
mkfifo /var/run/exabgp.cmd
to make the "/var/run/exabgp.cmd" into fifo type file
2015年8月5日星期三
2009年4月30日星期四
php中intval()函数的安全应用的思考
看了php内置函数intval()使用不当导致安全漏洞的分析
我感觉一般情况下:intval()是用在对用户提交的信息进行过滤,去掉非数字,来防止sql注入。很少会有程序,用来if判断。而在if判断的情况下,加不加intval()并不影响任何黑盒测试的结果。无法进一步的扩展。
我感觉一般情况下:intval()是用在对用户提交的信息进行过滤,去掉非数字,来防止sql注入。很少会有程序,用来if判断。而在if判断的情况下,加不加intval()并不影响任何黑盒测试的结果。无法进一步的扩展。
2009年4月9日星期四
怎样在windows xp(32bit)系统上的vmware中安装64位操作系统
由于ossim-1.2的ios是只支持64bit的,因此在vm上安装过程中出现了些问题,解决方法如下:
在www.vmware.com/info?id=152中讲的比较清楚,AMD64必须是在revison D之后的才能支持,Intel的需要EM64T and VT support。通过cpu-z可以知道我的T7500是支持EM64T的,这就需要第二步
2.开启VT support
在BIOS的设置中,找到VT的开关,使其Enable。然后重要的一点是,主机必须“冷启动”,即按power键启动,该设置才能生效。
2009年4月2日星期四
What is a Snort Preprocessor?
Preprocessors are pluggable components of Snort, introduced since version 1.5. They're "located" just after the module of protocol analysis and before the detection engine and do not depend of rules. They are called whenever a packet arrives, but JUST ONCE, the detection plugins, in the other hand, do depend of rules and may be applied many times for a single packet. SPP's can be used in different ways: They can look for an specific behavior(portscan, flowportscan), to be support for further analysis like flow, or just collect certain information, like perfmonitor.
2009年3月30日星期一
A tip of cooking OSSEC rules
How to config OSSEC rules to ignore something?
I have the logs like this
Mar 30 17:50:20 192.168.x.201 192.168.xx.104 - - [30/Mar/2009:17:50:43 +0800] "OPTIONS /svn HTTP/1.1" 401 401
Mar 30 17:50:21 192.168.x.201 192.168.xx.104 - root [30/Mar/2009:17:50:44 +0800] "OPTIONS /svn HTTP/1.1" 401 401
Mar 30 17:50:22 192.168.x.201 192.168.xx.104 - svn [30/Mar/2009:17:50:45 +0800] "OPTIONS /svn HTTP/1.1" 401 401
Mar 30 17:50:24 192.168.x.201 192.168.xx.104 - user [30/Mar/2009:17:50:46 +0800] "OPTIONS /svn HTTP/1.1" 401 401
I just want alert,when somebody make 4xx errors in a short time. but I want to ignore the "-",in the user field.
first, I add the user field in etc/decoder.xml
web-log ^\d+.\d+.\d+.\d+ ^(\d+.\d+.\d+.\d+) \S+ (\S+) [\S+ \S\d+] "\w+ (\S+) HTTP\S+ (\d+) srcip, user, url, id the add new rules 31101 ^- 31101 Multiple web server 4XX error code. from same source ip. alert_by_email attack,
You can ignore the user field is "-",by let the level=0,in front rule 31166.
I have the logs like this
Mar 30 17:50:20 192.168.x.201 192.168.xx.104 - - [30/Mar/2009:17:50:43 +0800] "OPTIONS /svn HTTP/1.1" 401 401
Mar 30 17:50:21 192.168.x.201 192.168.xx.104 - root [30/Mar/2009:17:50:44 +0800] "OPTIONS /svn HTTP/1.1" 401 401
Mar 30 17:50:22 192.168.x.201 192.168.xx.104 - svn [30/Mar/2009:17:50:45 +0800] "OPTIONS /svn HTTP/1.1" 401 401
Mar 30 17:50:24 192.168.x.201 192.168.xx.104 - user [30/Mar/2009:17:50:46 +0800] "OPTIONS /svn HTTP/1.1" 401 401
I just want alert,when somebody make 4xx errors in a short time. but I want to ignore the "-",in the user field.
first, I add the user field in etc/decoder.xml
You can ignore the user field is "-",by let the level=0,in front rule 31166.
2009年3月29日星期日
the frag3 preprocess in snort
why need the frag3 preprocessor?
frag3 preprocessor is a target-based analysis.
The term “target-based” is to identify an intelligent IDS that is informed about hosts residing on the network and is capable of analyzing traffic sent to those hosts as the host itself analyzes the traffic.
It improve the accuracy of the IDS.
for example:
How to use frag3 preprocessor in snort.conf?
like:
preprocessor frag3_engine: policy first, bind_to 10.4.10.0/24
Now any overlapping fragments that Snort sees destined for subnet 10.4.1.x are reassembled using the “first”
fragmentation policy, so that Snort reassembles fragments destined to those hosts in precisely the same way as the
Windows hosts themselves.
frag3 preprocessor is a target-based analysis.
The term “target-based” is to identify an intelligent IDS that is informed about hosts residing on the network and is capable of analyzing traffic sent to those hosts as the host itself analyzes the traffic.
It improve the accuracy of the IDS.
for example:
How to use frag3 preprocessor in snort.conf?
like:
preprocessor frag3_engine: policy first, bind_to 10.4.10.0/24
Now any overlapping fragments that Snort sees destined for subnet 10.4.1.x are reassembled using the “first”
fragmentation policy, so that Snort reassembles fragments destined to those hosts in precisely the same way as the
Windows hosts themselves.
2009年3月27日星期五
snort rule for MS08-067
alert tcp any any -> any 445 (msg:"MS08067 RPC exploit"; content:"|2e 00 5c 00 5c|";offset:140; content:"|00 5c 00 2e 00 2e 00 5c 00 2e 00 2e 00 5c 00|"; within:20;metadata:service RPC; classtype:bad-unknown; sid:9000015; rev:1;)
it works!
it works!
订阅:
博文 (Atom)