Malformed HTR Request （侵入）

2 テストショット２

2.17 Malformed HTR Request （侵入）

2.17.1 RealSecure Network Engine 1 ログ検出なし

2.17.2 RealSecure Network Engine 2 ログ検出なし

2.17.3 FireWall-1 ログ

2.17.4 RealSecure System Agent ログ

“No” “Date” “Time” “Inter.” “Origin” “Type” Action” “Service” “Source” “Destination” “Proto.” “Rule” “S_Port” “User” “SrcKeyID” “DstKeyID” “XlateSrc”

XlateDst” “XLateSPort” “XlateDPort” “Info.”

"1438" "21Apr2000" "16:15:55" "nei0" "fw" "log" "accept" "99" "attack1" "dmz-www" "tcp" "6" "2732" "" "" "" "" "" "" "" " len 60"

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddress Name,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,Destination EthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType

63,2000/04/21 16:18:39,Changes_to_important_files,254,65535,65535,65535,65535,16777343,51685568,127.0.0.1,192.168.20.3,,,,1,FALSE,00:00:00:00:00:00,,0 0:00:00:00:00:00,,0,,9,192.168.20.3,FALSE,1

64,2000/04/21 16:20:19,Program_execution_started,254,65535,65535,65535,65535,16777343,51685568,127.0.0.1,192.168.20.3,,,,3,FALSE,00:00:00:00:00:00,,0 0:00:00:00:00:00,,0,,7,192.168.20.3,FALSE,1

65,2000/04/21 16:20:24,Program_exited,254,65535,65535,65535,65535,16777343,51685568,127.0.0.1,192.168.20.3,,,,3,FALSE,00:00:00:00:00:00,,00:00:00:00:0 0:00,,0,,6,192.168.20.3,FALSE,1

66,2000/04/21 16:21:09,Program_execution_started,254,65535,65535,65535,65535,16777343,51685568,127.0.0.1,192.168.20.3,,,,3,FALSE,00:00:00:00:00:00,,0 0:00:00:00:00:00,,0,,7,192.168.20.3,FALSE,1

67,2000/04/21 16:21:14,Program_exited,254,65535,65535,65535,65535,16777343,51685568,127.0.0.1,192.168.20.3,,,,3,FALSE,00:00:00:00:00:00,,00:00:00:00:0 0:00,,0,,6,192.168.20.3,FALSE,1

68,2000/04/21 16:21:25,Program_execution_started,254,65535,65535,65535,65535,16777343,51685568,127.0.0.1,192.168.20.3,,,,3,FALSE,00:00:00:00:00:00,,0 0:00:00:00:00:00,,0,,7,192.168.20.3,FALSE,1

69,2000/04/21 16:21:30,Program_exited,254,65535,65535,65535,65535,16777343,51685568,127.0.0.1,192.168.20.3,,,,3,FALSE,00:00:00:00:00:00,,00:00:00:00:0 0:00,,0,,6,192.168.20.3,FALSE,1

70,2000/04/21 16:23:41,Program_exited,254,65535,65535,65535,65535,16777343,51685568,127.0.0.1,192.168.20.3,,,,3,FALSE,00:00:00:00:00:00,,00:00:00:00:0 0:00,,0,,6,192.168.20.3,FALSE,1

71,2000/04/21 16:23:41,Program_exited,254,65535,65535,65535,65535,16777343,51685568,127.0.0.1,192.168.20.3,,,,3,FALSE,00:00:00:00:00:00,,00:00:00:00:0 0:00,,0,,6,192.168.20.3,FALSE,1

2.17.5 イベントログ（セキュリティ）

2000/04/21,16:23:41,Security,成功の監査,詳細追跡 ,593,NT AUTHORITY¥SYSTEM,WWW,"ﾌﾟﾛｾｽの終了:

ﾌﾟﾛｾｽ ID: 4238147616

ﾕｰｻﾞｰ名: SYSTEM

ﾄﾞﾒｲﾝ: NT AUTHORITY

ﾛｸﾞｵﾝ ID: (0x0,0x3E7) "

2000/04/21,16:23:41,Security,成功の監査,詳細追跡 ,593,NT AUTHORITY¥SYSTEM,WWW,"ﾌﾟﾛｾｽの終了:

ﾌﾟﾛｾｽ ID: 4238834400

ﾕｰｻﾞｰ名: SYSTEM

ﾄﾞﾒｲﾝ: NT AUTHORITY

ﾛｸﾞｵﾝ ID: (0x0,0x3E7) "

2000/04/21,16:21:25,Security,成功の監査,詳細追跡 ,593,NT AUTHORITY¥SYSTEM,WWW,"ﾌﾟﾛｾｽの終了:

ﾌﾟﾛｾｽ ID: 4238517888

ﾕｰｻﾞｰ名: SYSTEM

ﾄﾞﾒｲﾝ: NT AUTHORITY

ﾛｸﾞｵﾝ ID: (0x0,0x3E7) "

2000/04/21,16:21:25,Security,成功の監査,詳細追跡 ,592,NT AUTHORITY¥SYSTEM,WWW,"新しいﾌﾟﾛｾｽの作成:

新しいﾌﾟﾛｾｽ ID: 4238517888 ｲﾒｰｼﾞﾌｧｲﾙ名: attrib.exe

ｸﾘｴｰﾀﾌﾟﾛｾｽ ID: 4238834400

ﾕｰｻﾞｰ名: SYSTEM

ﾄﾞﾒｲﾝ: NT AUTHORITY

ﾛｸﾞｵﾝ ID: (0x0,0x3E7) "

2000/04/21,16:21:09,Security,成功の監査,詳細追跡 ,593,NT AUTHORITY¥SYSTEM,WWW,"ﾌﾟﾛｾｽの終了:

ﾌﾟﾛｾｽ ID: 4238595936

ﾕｰｻﾞｰ名: SYSTEM

ﾄﾞﾒｲﾝ: NT AUTHORITY

ﾛｸﾞｵﾝ ID: (0x0,0x3E7) "

2000/04/21,16:21:09,Security,成功の監査,詳細追跡 ,592,NT AUTHORITY¥SYSTEM,WWW,"新しいﾌﾟﾛｾｽの作成:

新しいﾌﾟﾛｾｽ ID: 4238595936 ｲﾒｰｼﾞﾌｧｲﾙ名: attrib.exe

ｸﾘｴｰﾀﾌﾟﾛｾｽ ID: 4238834400

ﾕｰｻﾞｰ名: SYSTEM

ﾄﾞﾒｲﾝ: NT AUTHORITY

ﾛｸﾞｵﾝ ID: (0x0,0x3E7) "

2000/04/21,16:20:19,Security,成功の監査,詳細追跡 ,593,NT AUTHORITY¥SYSTEM,WWW,"ﾌﾟﾛｾｽの終了:

ﾌﾟﾛｾｽ ID: 4238772512

ﾕｰｻﾞｰ名: SYSTEM

ﾄﾞﾒｲﾝ: NT AUTHORITY

ﾛｸﾞｵﾝ ID: (0x0,0x3E7) "

2000/04/21,16:20:19,Security,成功の監査,詳細追跡 ,592,NT AUTHORITY¥SYSTEM,WWW,"新しいﾌﾟﾛｾｽの作成:

新しいﾌﾟﾛｾｽ ID: 4238772512 ｲﾒｰｼﾞﾌｧｲﾙ名: attrib.exe

ｸﾘｴｰﾀﾌﾟﾛｾｽ ID: 4238834400

ﾕｰｻﾞｰ名: SYSTEM

ﾄﾞﾒｲﾝ: NT AUTHORITY

ﾛｸﾞｵﾝ ID: (0x0,0x3E7)

2000/04/21,16:18:39,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄｱｸｾｽ ,562,NT AUTHORITY¥SYSTEM,WWW,ﾊﾝﾄﾞﾙのｸﾛｰｽﾞ:

ｵﾌﾞｼﾞｪｸﾄｻｰﾊﾞｰ: Security

ﾊﾝﾄﾞﾙ ID: 16

ﾌﾟﾛｾｽ ID: 4238834400

2000/04/21,16:18:39,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄｱｸｾｽ ,564,NT AUTHORITY¥SYSTEM,WWW,削除されたｵﾌﾞｼﾞｪｸﾄ:

ｵﾌﾞｼﾞｪｸﾄｻｰﾊﾞｰ: Security ﾊﾝﾄﾞﾙ ID: 16

ﾌﾟﾛｾｽ ID: 4238834400

2000/04/21,16:18:39,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄｱｸｾｽ ,560,NT AUTHORITY¥SYSTEM,WWW,"ｵﾌﾞｼﾞｪｸﾄのｵｰﾌﾟﾝ:

ｵﾌﾞｼﾞｪｸﾄｻｰﾊﾞｰ: Security ｵﾌﾞｼﾞｪｸﾄの種類: File

ｵﾌﾞｼﾞｪｸﾄ名: C:¥WINNT¥system32¥rasadmin.exe 新しいﾊﾝﾄﾞﾙ ID: 16

操作 ID: {0,258081}

ﾌﾟﾛｾｽ ID: 4238834400 ﾌﾟﾗｲﾏﾘﾕｰｻﾞｰ名: SYSTEM ﾌﾟﾗｲﾏﾘﾄﾞﾒｲﾝ: NT AUTHORITY ﾌﾟﾗｲﾏﾘﾛｸﾞｵﾝ ID: (0x0,0x3E7) ｸﾗｲｱﾝﾄﾕｰｻﾞｰ名: ｸﾗｲｱﾝﾄﾄﾞﾒｲﾝ:

-ｸﾗｲｱﾝﾄﾛｸﾞｵﾝ ID:

-ｱｸｾｽ DELETE

特権

2000/04/21,16:18:32,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄｱｸｾｽ ,562,NT AUTHORITY¥SYSTEM,WWW,ﾊﾝﾄﾞﾙのｸﾛｰｽﾞ:

ｵﾌﾞｼﾞｪｸﾄｻｰﾊﾞｰ: Security

ﾊﾝﾄﾞﾙ ID: 48

ﾌﾟﾛｾｽ ID: 4238834400

2000/04/21,16:18:32,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄｱｸｾｽ ,562,NT AUTHORITY¥SYSTEM,WWW,ﾊﾝﾄﾞﾙのｸﾛｰｽﾞ:

ｵﾌﾞｼﾞｪｸﾄｻｰﾊﾞｰ: Security

ﾊﾝﾄﾞﾙ ID: 56

ﾌﾟﾛｾｽ ID: 4238834400

2000/04/21,16:18:32,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄｱｸｾｽ ,560,NT AUTHORITY¥SYSTEM,WWW,"ｵﾌﾞｼﾞｪｸﾄのｵｰﾌﾟﾝ:

ｵﾌﾞｼﾞｪｸﾄｻｰﾊﾞｰ: Security ｵﾌﾞｼﾞｪｸﾄの種類: File

ｵﾌﾞｼﾞｪｸﾄ名: C:¥WINNT¥system32¥rasadmin.exe 新しいﾊﾝﾄﾞﾙ ID: 56

操作 ID: {0,258071}

-ｸﾗｲｱﾝﾄﾛｸﾞｵﾝ ID:

-ｱｸｾｽ READ_CONTROL

SYNCHRONIZE

ReadData (または ListDirectory) ReadEA

ReadAttributes

特権

2000/04/21,16:18:32,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄｱｸｾｽ ,560,NT AUTHORITY¥SYSTEM,WWW,"ｵﾌﾞｼﾞｪｸﾄのｵｰﾌﾟﾝ:

ｵﾌﾞｼﾞｪｸﾄｻｰﾊﾞｰ: Security ｵﾌﾞｼﾞｪｸﾄの種類: File

ｵﾌﾞｼﾞｪｸﾄ名: C:¥WINNT¥system32¥rasadmin.exe 新しいﾊﾝﾄﾞﾙ ID: 48

操作 ID: {0,258068}

-ｸﾗｲｱﾝﾄﾛｸﾞｵﾝ ID:

-ｱｸｾｽ READ_CONTROL

SYNCHRONIZE

ReadData (または ListDirectory) ReadEA

ReadAttributes

特権

2000/04/21,16:15:55,Security,成功の監査,詳細追跡 ,592,NT AUTHORITY¥SYSTEM,WWW,"新しいﾌﾟﾛｾｽの作成:

新しいﾌﾟﾛｾｽ ID: 4238834400 ｲﾒｰｼﾞﾌｧｲﾙ名: CMD.EXE

ｸﾘｴｰﾀﾌﾟﾛｾｽ ID: 4238147616

ﾕｰｻﾞｰ名: SYSTEM

ﾄﾞﾒｲﾝ: NT AUTHORITY

ﾛｸﾞｵﾝ ID: (0x0,0x3E7) "

2000/04/21,16:15:25,Security,成功の監査,詳細追跡 ,592,NT AUTHORITY¥SYSTEM,WWW,"新しいﾌﾟﾛｾｽの作成:

新しいﾌﾟﾛｾｽ ID: 4238147616 ｲﾒｰｼﾞﾌｧｲﾙ名: own.exe

ｸﾘｴｰﾀﾌﾟﾛｾｽ ID: 4240443680

ﾕｰｻﾞｰ名: SYSTEM

ﾄﾞﾒｲﾝ: NT AUTHORITY

ﾛｸﾞｵﾝ ID: (0x0,0x3E7) "

2000/04/21,16:15:11,Security,成功の監査,特権の使用 ,576,S-1-5-21-1496415201-442381914-165283079-1000,WWW,"新しいﾛｸﾞｵﾝへの特権の割り当て:

ﾕｰｻﾞｰ名: IUSR_WWW

ﾄﾞﾒｲﾝ: WWW

ﾛｸﾞｵﾝ ID: (0x0,0x3EA47)

割り当て: SeChangeNotifyPrivilege "

2000/04/21,16:15:11,Security,成功の監査,ﾛｸﾞｵﾝ/ﾛｸﾞｵﾌ ,528,S-1-5-21-1496415201-442381914-165283079-1000,WWW,"ﾛｸﾞｵﾝの成功:

ﾕｰｻﾞｰ名: IUSR_WWW

ﾄﾞﾒｲﾝ: WWW

2 ﾛｸﾞｵﾝ ID: (0x0,0x3EA47)

ﾛｸﾞｵﾝの種類: 3

ﾛｸﾞｵﾝﾌﾟﾛｾｽ: IIS

認証ﾊﾟｯｹｰｼﾞ: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 ﾜｰｸｽﾃｰｼｮﾝ名: WWW "

ドキュメント内 TCP TCP TCP fin TCP NULL UDP ICMP Unreachable finger phf nph-test-cgi php ftp 18 1 (ページ 99-103)

2 テストショット２

2.17 Malformed HTR Request （侵入）

2.17.1 RealSecure Network Engine 1 ログ 検出なし

2.17.2 RealSecure Network Engine 2 ログ 検出なし

2.17.3 FireWall-1 ログ

2.17.4 RealSecure System Agent ログ

2.17.5 イベントログ（セキュリティ）

2.17.1 RealSecure Network Engine 1 ログ検出なし

2.17.2 RealSecure Network Engine 2 ログ検出なし