Feed Editor 10 Mar 2009 11:04:01 GMT The articles and tutorials from Ax3soft.com, providing professional network security products. http://www.ids-sax2.com/ Copyright (c) Ax3soft Software, All Rights Reserved. af http://ids-sax2.com/images/logo.gif http://www.ids-sax2.com/ This is the second in a series of articles on understanding and developing signatures for network intrusion detection systems. In the first installment we looked at signature basics, the functions that signatures serve, header values, signature components, and choosing signatures. In this article we will continue our discussion of IP protocol header values in signatures by closely examining some signature examples. Although it may be relatively easy to develop a signature that matches a particular type of traffic, it will likely cause unexpected false positives and false negatives. Signatures must be carefully developed and tested in order to create a signature set that is highly accurate, yet is also as efficient as possible. 25 Mar 2009 03:02:20 GMT http://www.ids-sax2.com/articles/NIDSSignatures(2).htm 4384FEA7-1733-4A08-BE97-0193C742F62A This is the first in a series of articles on understanding and developing signatures for network intrusion detection systems. In this article we will discuss the basics of network IDS signatures and then take a closer look at signatures that focus on IP, TCP, UDP and ICMP header values. Such signatures ignore packet payloads and instead look for certain header field values or combinations of values. By learning about network IDS signatures, you’ll have more knowledge of how intrusion detection systems operate, and you’ll have a better foundation to write your own IDS signatures. 25 Mar 2009 03:01:53 GMT http://www.ids-sax2.com/articles/NIDSSignatures(1).htm FEDDFD61-0D46-4C73-9C0F-CC94C5934255 This is the third in a series of articles on understanding and developing signatures for network intrusion detection systems. In Part One and Part Two, we examined the use of IP protocol header values, particularly TCP, UDP and ICMP, in network intrusion detection signatures. In this article, we will continue our discussion of signatures by studying the area of protocol analysis, focusing on the examination of values within TCP and UDP payloads. Network intrusion detection using protocol analysis-based signatures is very effective in detecting both known and unknown attacks involving protocols such as DNS, FTP, HTTP and SMTP. 25 Mar 2009 03:01:23 GMT http://www.ids-sax2.com/articles/NIDSSignatures(3).htm 1AD0274C-D216-4480-976A-4AC87C4CC922 Most computer vulnerabilities can be exploited in a variety of ways. Hacker attacks may use a single specific exploit, several exploits at the same time, a misconfiguration in one of the system components or even a backdoor from an earlier attack. 21 Mar 2009 06:25:54 GMT http://www.ids-sax2.com/articles/DetectHackerAttackWithSax2.htm 17930B4F-C392-47A4-A052-0D23AF05FC9C http://www.ids-sax2.com/articles/DetectHackerAttackWithSax2.htm This article is to discuss how we can monitor network traffic .Sax2 make it easy for us to monitor and analyze network traffic in its intuitive and information-rich window. With Sax2's network traffic monitor feature, we can quickly identify network bottleneck and detect network abnormities. 21 Mar 2009 06:25:08 GMT http://www.ids-sax2.com/articles/MonitorNetworkTraffic.htm E65AC185-5881-4CD4-8A8D-EE68E305FBAC This Trojan logs the user’s keystrokes. It is a Windows PE EXE file. It is written in Visual C++. The packed file is approximately 12KB in size. It is packed using ASPack. The unpacked file is approximately 20KB in size. 10 Mar 2009 11:04:01 GMT http://www.ids-sax2.com/articles/PandaTrojan.htm tag:www.tristana.org,2009:8BE74438-2C9F-4D1D-8F8D-115A529A22AB.39882.4595960069 Trojan different from the virus, usually does not infect documents, Trojans are often used to gain backdoor access, steal passwords and important documents. It can also be used to track and monitor computer, control, view, edit information and other operations. Trojans are highly concealed, sudden and offensive. Because the Trojans are highly concealed, people often aware that they infected with it after passwords stolen, confidential documents missing. The following is the introduction of how to detect whether your machine infected with a Trojan horse, and how to remove and protect Trojan. Tue, 10 Mar 2009 11:03:58 +0800 http://www.ids-sax2.com/articles/GrayPigeonTrojan.htm tag:www.tristana.org,2009:3FF3A6AD-6B32-4FAF-818C-2D8D3703C3A0.39882.4595958912 Address Resolution Protocol (ARP), because of its simpleness, fastness, and effectiveness, is becoming increasingly popular among internet raggers, thus causing severe influence to the internet environment. 10 Mar 2009 11:03:00 GMT http://www.ids-sax2.com/articles/QuickLocateARPAttackSource.htm tag:www.tristana.org,2009:9B84BB50-1C96-4E99-AAE9-F3EA134173CA.39882.4595958912 In Logs Window, besides the three original logs: HTTP Requests, Email and FTP Transfers , we can monitor real-time activities and detailed messages of MSN instant messengers. The following picture 1 is an example of MSN Activities. 21 Mar 2009 06:25:26 GMT http://www.ids-sax2.com/articles/MonitorIMActivity.htm 5D9622F4-12DB-433D-AECF-CD336F7B05D5 Q is a Trojan Horse offering the attacker remote access to the victim host. This event is generated when raw TCP packets are sent to the victim server. 10 Mar 2009 11:03:22 GMT http://www.ids-sax2.com/articles/QTrojan.htm tag:www.tristana.org,2009:402AA80F-E621-4F8B-A050-77E2F33FDEB2.39882.4595958912 Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine. Later versions are capable of launching DDoS attacks. Tue, 10 Mar 2009 11:03:56 +0800 http://www.ids-sax2.com/articles/DolyTrojan.htm tag:www.tristana.org,2009:F0FC8B22-736B-4F30-BE91-43C051278778.39882.4595958912 Backdoor.BackOrifice is a Trojan Horse. Server Port: 31337 although in later versions this port can be changed to a value between 1 and 65535 Protocol: UDP although in later versions TCP can also be used Tue, 10 Mar 2009 11:03:50 +0800 http://www.ids-sax2.com/articles/BackOrificeBackdoor.htm tag:www.tristana.org,2009:0BA203E0-E4D2-42B5-A8EC-5614338CA5F8.39882.4595958912 Possible theft of data via download, upload of files, execution of files and reboot the targeted machine. Tue, 10 Mar 2009 11:03:52 +0800 http://www.ids-sax2.com/articles/InfectorTrojan.htm tag:www.tristana.org,2009:1EB6FBA3-4179-4069-810E-DD0C62F24728.39882.4595958912 Satans Backdoor is a Trojan Horse capable of stealing passwords. This event is generated when an infected machine replies to the attackers connection attempt. Tue, 10 Mar 2009 11:03:54 +0800 http://www.ids-sax2.com/articles/SatansTrojan.htm tag:www.tristana.org,2009:B35B1678-4CE1-4873-BF27-C6BCE067A1D3.39882.4595958912 Possible theft of data and control of the targeted machine. This Trojan also has the ability to scan machines and networks for open ports, it can also redirect legitimate traffic to other destinations. It can turn the infected host into an open proxy server. Tue, 10 Mar 2009 11:03:47 +0800 http://www.ids-sax2.com/articles/NetbusTrojan.htm tag:www.tristana.org,2009:4C5A2657-EA55-431D-AA00-B6614D075E9C.39882.4595958912 Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine. Other versions are capable of launching DDoS attacks. Tue, 10 Mar 2009 11:03:39 +0800 http://www.ids-sax2.com/articles/Subseven22Trojan.htm tag:www.tristana.org,2009:DC853B3D-9BB2-4B82-B340-ABCABDB17A11.39882.4595958912 Backdoor.AckCmd is a Trojan Horse that uses TCP ACK segments to communicate. This Trojan may bypass firewalls that do not keep track of the session state in a TCP transaction. Tue, 10 Mar 2009 11:03:43 +0800 http://www.ids-sax2.com/articles/AckCmdBackdoor.htm tag:www.tristana.org,2009:992E871C-746E-4BD9-8094-A4C1BEA3141E.39882.4595958912 Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. Tue, 10 Mar 2009 11:03:46 +0800 http://www.ids-sax2.com/articles/QAZTrojan.htm tag:www.tristana.org,2009:7F3F0D50-495D-41D7-B259-E6813874FD0E.39882.4595958912 Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine. Tue, 10 Mar 2009 11:03:41 +0800 http://www.ids-sax2.com/articles/DaggerTrojan.htm tag:www.tristana.org,2009:9B49F1E8-E1EC-497C-8C87-419A23A79C1E.39882.4595958912 A trojan is a program that is disguised as legitimate software but is designed to carry out some harmful actions on the infected computer. Unlike viruses and worms, trojans don’t replicate but they can be just as destructive. These days trojans are very common. Trojans are divided into a number different categories based on their function or type of damage. Tue, 10 Mar 2009 11:03:35 +0800 http://www.ids-sax2.com/articles/WinEggDropShellTrojan.htm tag:www.tristana.org,2009:D0D61976-40E9-40E2-BF0B-CC9C945CF5B4.39882.4595958912 CDK is a Trojan Horse offering the attacker control of the victim host. This event is generated when an attacker connects to a victim server. Tue, 10 Mar 2009 11:03:20 +0800 http://www.ids-sax2.com/articles/CDKTrojan.htm tag:www.tristana.org,2009:2ABC3DBF-8FA1-4290-A103-975E6CDF21B8.39882.4595958912 To completely purge Eclypse from your computer, you need to delete the Windows registry keys and registry values associated with Eclypse. These registry keys and values are respectively listed in the Registry Keys and Registry Values sections on this page. 10 Mar 2009 11:03:37 GMT http://www.ids-sax2.com/articles/EclypseTrojan.htm tag:www.tristana.org,2009:86BC7548-2780-44D1-9A0B-C18A99E872B6.39882.4595958912 w00w00 is a Trojan Horse utilizing Telnet. This event is generated when an attacker attempts to connect to a w00w00 server using Telnet. Tue, 10 Mar 2009 11:03:33 +0800 http://www.ids-sax2.com/articles/w00w00Trojan.htm tag:www.tristana.org,2009:D6F34C0F-3A44-4D72-B764-42166099D675.39882.4595958912 Tue, 10 Mar 2009 11:03:25 +0800 http://www.ids-sax2.com/articles/MatrixTrojan.htm tag:www.tristana.org,2009:8B1BDC31-3750-4ACB-8A55-CCABCC87ECFF.39882.4595958912 Possible theft of data via download, upload of files, execution of files and reboot the targeted machine. Tue, 10 Mar 2009 11:03:16 +0800 http://www.ids-sax2.com/articles/hack-a-tackTrojan.htm tag:www.tristana.org,2009:CAE58215-325F-4A6C-8BCD-A476053FCFCF.39882.4595958912 Deepthroat is a Trojan Horse offering the attacker control of the target. Tue, 10 Mar 2009 11:03:19 +0800 http://www.ids-sax2.com/articles/DeepthroatTrojan.htm tag:www.tristana.org,2009:F2F7CC11-23AD-46CC-A0D5-62DDE915F6F5.39882.4595958912 Netsphere is a Trojan Horse offering the attacker access to the victims filesystem, instant messaging clients and some control over peripherals. This event is generated when a Netsphere server responds to an attackers client. 10 Mar 2009 11:03:12 GMT http://www.ids-sax2.com/articles/NetsphereTrojan.htm tag:www.tristana.org,2009:7FE0325E-02A0-4886-92CA-812D889582D8.39882.4595958912 Possible theft of data and passwords. Tue, 10 Mar 2009 11:03:10 +0800 http://www.ids-sax2.com/articles/GatecrasherTrojan.htm tag:www.tristana.org,2009:DAA93C96-6F95-4F66-933F-85A326DB0D0D.39882.4595958912 Possible theft of data via download, upload of files, execution of files and reboot the targeted machine. Tue, 10 Mar 2009 11:03:08 +0800 http://www.ids-sax2.com/articles/BackconstructionTrojan.htm tag:www.tristana.org,2009:EFA9BCDD-1EFA-405E-85EA-11CE334B0DA2.39882.4595958912 Donald Dick is a Trojan Horse allowing the attacker to access various resources on the victim host. This event is generated when the attackers client connects to the Trojan server. Tue, 10 Mar 2009 11:03:06 +0800 http://www.ids-sax2.com/articles/DonaldDickTrojan.htm tag:www.tristana.org,2009:038D6F7A-D25D-47FF-9233-C0B53F4E1E86.39882.4595958912 Phase0 is a Trojan Horse offering the attacker control of the victim host. This event is generated when the victim server replies to an attackers client connection request. Tue, 10 Mar 2009 11:03:04 +0800 http://www.ids-sax2.com/articles/Phase0Trojan.htm tag:www.tristana.org,2009:ABC83864-7BE7-4B53-ADFA-613D79D55EDA.39882.4595958912 Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine. Tue, 10 Mar 2009 11:03:14 +0800 http://www.ids-sax2.com/articles/GirlfriendTrojan.htm tag:www.tristana.org,2009:BF9CE9E2-63F8-4A18-A324-234338E232C3.39882.4595958912 This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc. Tue, 10 Mar 2009 11:03:02 +0800 http://www.ids-sax2.com/articles/ErazerLiteBackdoor.htm tag:www.tristana.org,2009:41BC1CA8-6219-439A-97D3-E42C9181BBC4.39882.4595958912 Today backdoors are the most dangerous type of Trojans and the most widespread. These Trojans are remote administration utilities that open infected machines to external control via a LAN or the Internet. They function in the same way as legal remote administration programs used by system administrators. This makes them difficult to detect. 10 Mar 2009 11:02:58 GMT http://www.ids-sax2.com/articles/TrojanPrograms.htm tag:www.tristana.org,2009:374F8C33-99FD-4140-8E1D-D198EA254010.39882.4595958912 The ICMP protocol facilitates the use of important administrator utilities such as ping and traceroute, but it can also be manipulated by hackers to get a snapshot of your network. Learn what ICMP traffic to filter and what to allow. Tue, 10 Mar 2009 11:02:56 +0800 http://www.ids-sax2.com/articles/BlockbadICMPmessages.htm tag:www.tristana.org,2009:D4F10B65-88D6-41BC-89C0-5BB8DE4CC21B.39882.4595958912 Most computer vulnerabilities can be exploited in a variety of ways. Hacker attacks may use a single specific exploit, several exploits at the same time, a misconfiguration in one of the system components or even a backdoor from an earlier attack. 10 Mar 2009 11:02:53 GMT http://www.ids-sax2.com/articles/DetectHackerAttack.htm tag:www.tristana.org,2009:AE5CDE39-2713-420A-A2D8-FD0B22D2F6D9.39882.4595958912 A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic. Tue, 10 Mar 2009 11:02:50 +0800 http://www.ids-sax2.com/articles/NetworkIntrusionDetectionSystem.htm tag:www.tristana.org,2009:BBD99622-63A1-4148-9C7D-B13B1D94525D.39882.4595958912 An Intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling of computer systems, mainly through a network, such as the Internet. These attempts may take the form of attacks, as examples, by crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic. 10 Mar 2009 11:02:46 GMT http://www.ids-sax2.com/articles/IntrusionDetectionSystem.htm tag:www.tristana.org,2009:A8D61B08-7580-4509-9EBD-CEF1FD5F6112.39882.4595958912