
Research and Application of the Snort Intrusion Detector for Protecting Against MSRPC Protocol Attacks

Research and Application on MSRPC Protocol Attack Prevention Base On Snort IDS

Advisor: 王永鐘

Abstract


Microsoft Remote Procedure Call (MSRPC) is now widely used in distributed processing environments as the protocol for host-to-host communication. MSRPC calls can also be carried over several transport-layer protocols, such as named pipes or the Transmission Control Protocol (TCP). Both of these transports, however, raise security concerns. Over named pipes, any remote user who holds file or print access rights can also ask the server to initiate RPC calls; the firewall can no longer break off such a session, because the connection through port 139 or port 445 was already permitted by the firewall earlier. RPC carried directly over TCP (RPC over TCP) faces a different threat: RPC uses dynamic ports above 1024, so the firewall cannot determine the type of RPC service or the specific service port in use, which makes these RPC connections hard to control. This study first proposes an effective method of managing RPC requests, namely controlling MSRPC calls by the content of the interface identifier (IFID), which is expressed in Universal Unique Identifier (UUID) format. Building on the inline capability of Snort, it implements an intrusion prevention system and designs a Snort preprocessor plug-in that realises this MSRPC control concept. The plug-in can monitor RPC over the named-pipe protocol as well as RPC over TCP or the User Datagram Protocol (UDP), and presents the UUID in a human-readable string format so that RPC calls can be filtered appropriately.

Parallel Abstract (English)


Microsoft Remote Procedure Call (MSRPC) is used for host-to-host communication in support of distributed application environments. It can run over many transport-layer protocols, such as named pipes or TCP. However, there are several security problems. Any remote user who has file or printer access rights can also ask the server for RPC calls. The firewall is not able to stop the session, since it has already allowed the user's access through the server's port 139 or port 445. RPC over TCP also involves the firewall and faces an additional threat: under this condition, RPCs use ephemeral endpoints above service port 1024, so the firewall cannot identify the RPC process or the specific ports used, and it is therefore difficult for the firewall to manage these RPC connections. In this paper, we propose an efficient method to manage RPC requests by picking out the RPC interface identifier, which is expressed in UUID format. We also implement a mechanism using the Snort intrusion system with Netfilter. This mechanism is a preprocessor based on the inline function of Snort. It can monitor RPC over named pipes and RPC over TCP/UDP, and sends the UUID to the Snort detection engine in a human-readable string format so that the intrusion prevention system can filter the RPC calls properly.
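The IFID-based filtering that both abstracts describe, as an added Python model written for this page (it is not the thesis's Snort preprocessor, which would be C): it locates the interface UUID in a DCE/RPC bind PDU, renders it as the canonical human-readable string, and returns an inline verdict against an allow list. The PDU layout follows the DCE 1.1 connection-oriented RPC specification that MSRPC uses; the srvsvc UUID is a well-known interface used as the example, and `build_bind` constructs the sample input.

```python
import struct
import uuid

# DCE/RPC connection-oriented PDU types (DCE 1.1 RPC spec, also used by MSRPC).
PTYPE_BIND, PTYPE_ALTER_CONTEXT = 11, 14
# Well-known NDR transfer syntax; used only to build a realistic sample PDU below.
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
SRVSVC = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")  # well-known srvsvc IFID

def bind_interfaces(pdu: bytes):
    """[(ifid_str, major, minor), ...] for a bind/alter_context PDU; [] otherwise; ValueError if malformed."""
    if len(pdu) < 16 or pdu[0] != 5:
        raise ValueError("not a DCE/RPC version 5 PDU")
    if pdu[2] not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        return []
    little = (pdu[4] & 0xF0) == 0x10          # packed_drep byte 0: integer byte order
    end = "<" if little else ">"
    frag_len = struct.unpack(end + "H", pdu[8:10])[0]
    if frag_len > len(pdu) or frag_len < 28:
        raise ValueError("truncated bind fragment")
    n_ctx, off, found = pdu[24], 28, []        # body: xmit(2) recv(2) assoc(4) n_ctx(1) pad(3)
    for _ in range(n_ctx):
        if off + 24 > frag_len:
            raise ValueError("truncated presentation context list")
        n_ts = pdu[off + 2]                    # transfer syntaxes follow, 20 bytes each
        raw = pdu[off + 4:off + 20]
        major, minor = struct.unpack(end + "HH", pdu[off + 20:off + 24])
        # time_low/time_mid/time_hi honour drep; clock_seq and node are plain bytes
        ifid = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        found.append((str(ifid), major, minor))
        off += 24 + 20 * n_ts
    return found

def verdict(pdu: bytes, allowed_ifids: set) -> str:
    """Inline verdict: 'pass' unless the PDU binds outside the allow list or cannot be parsed."""
    try:
        ifaces = bind_interfaces(pdu)
    except ValueError:
        return "drop"                          # a malformed bind is never forwarded
    return "pass" if all(i in allowed_ifids for i, _, _ in ifaces) else "drop"

def build_bind(ifid: uuid.UUID, major: int = 3, minor: int = 0, call_id: int = 1) -> bytes:
    """Constructed little-endian bind PDU with one presentation context (sample input only)."""
    ctx = struct.pack("<HBB", 0, 1, 0) + ifid.bytes_le + struct.pack("<HH", major, minor)
    ctx += NDR_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1) + ctx
    hdr = struct.pack("<BBBBBBBBHHI", 5, 0, PTYPE_BIND, 0x03, 0x10, 0, 0, 0,
                      16 + len(body), 0, call_id)
    return hdr + body
```

Because the verdict is taken on the bind, a later request on the same connection inherits it; a request PDU by itself carries only an opnum and a context id, not the IFID, which is why the abstracts key the policy on the bind.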

Keywords

Snort MSRPC IDS Intrusion Prevention


Cited by


黃保太 (2015). A New Single Sign-On Mechanism Integrating OpenID with Campus Network Neighborhood Services [Master's thesis, National Chiao Tung University]. Airiti Library. https://doi.org/10.6842/NCTU.2015.00289
